Index: aclocal/tcltls_openssl.m4 ================================================================== --- aclocal/tcltls_openssl.m4 +++ aclocal/tcltls_openssl.m4 @@ -159,10 +159,14 @@ TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2]) + dnl XXX:TODO: Note that OpenSSL 1.1.1 does not export this, still need to figure out how to + dnl talk only TLSv1.3 + TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [TLSv1_3_method], [tlsv1.3], [NO_TLS1_3]) + AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [ AC_LANG_PUSH(C) AC_MSG_CHECKING([for SSL_set_tlsext_host_name]) AC_LINK_IFELSE([AC_LANG_PROGRAM([ #include Index: configure.ac ================================================================== --- configure.ac +++ configure.ac @@ -108,19 +108,30 @@ else tcltls_ssl_tls1_1='false' fi ]) -dnl ## TLSv1.1: Enabled by default +dnl ## TLSv1.2: Enabled by default tcltls_ssl_tls1_2='true' AC_ARG_ENABLE([tlsv1.2], AS_HELP_STRING([--disable-tlsv1.2], [disable TLSv1.2 protocol]), [ if test "$enableval" = "yes"; then tcltls_ssl_tls1_2='force' else tcltls_ssl_tls1_2='false' fi ]) + +dnl ## TLSv1.3: Enabled by default +tcltls_ssl_tls1_3='true' +AC_ARG_ENABLE([tlsv1.3], AS_HELP_STRING([--disable-tlsv1.3], [disable TLSv1.3 protocol]), [ + if test "$enableval" = "yes"; then + tcltls_ssl_tls1_3='force' + else + tcltls_ssl_tls1_3='false' + fi +]) + dnl Enable support for a debugging build tcltls_debug='false' AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [enable debugging parameters]), [ if test "$enableval" = "yes"; then Index: tls.c ================================================================== --- tls.c +++ tls.c @@ -496,14 +496,14 @@ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { - "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", NULL + "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL }; enum protocol { - TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_NONE + TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE }; Tcl_Obj *objPtr; SSL_CTX *ctx = NULL; SSL *ssl = NULL; STACK_OF(SSL_CIPHER) *sk; @@ -558,10 +558,17 @@ Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif + case TLS_TLS1_3: +#if defined(NO_TLS1_3) + Tcl_AppendResult(interp, "protocol not supported", NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(TLSv1_3_method()); break; +#endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); @@ -735,11 +742,11 @@ char *model = NULL; #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; /* hostname for Server Name Indication */ #endif int ssl2 = 0, ssl3 = 0; - int tls1 = 1, tls1_1 = 1, tls1_2 = 1; + int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0; int verify = 0, require = 0, request = 1; dprintf("Called"); @@ -755,10 +762,13 @@ #if defined(NO_TLS1_1) tls1_1 = 0; #endif #if defined(NO_TLS1_2) tls1_2 = 0; +#endif +#if defined(NO_TLS1_3) + tls1_3 = 0; #endif if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; @@ -799,12 +809,13 @@ OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); + OPTBOOL( "-tls1.3", tls1_3); - OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); + OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; Index: tls.htm ================================================================== --- tls.htm +++ tls.htm @@ -219,10 +219,12 @@
Enable use of TLS v1. (default: true)
-tls1.1 bool
Enable use of TLS v1.1 (default: true)
-tls1.2 bool
Enable use of TLS v1.2 (default: true)
+
-tls1.3 bool
+
Enable use of TLS v1.3 (default: true)
tls::unimport channel
Index: tls.tcl ================================================================== --- tls.tcl +++ tls.tcl @@ -47,10 +47,11 @@ {* -ssl2 iopts 1} {* -ssl3 iopts 1} {* -tls1 iopts 1} {* -tls1.1 iopts 1} {* -tls1.2 iopts 1} + {* -tls1.3 iopts 1} } # tls::socket and tls::init options as a humane readable string variable socketOptionsNoServer variable socketOptionsServer