|
2024-05-28
| ||
| 00:17 | • Ticket [2c7b748796] Control TLS socket server errors status still Closed with 3 other changes artifact: a09a07e554 user: bohagan | |
|
2024-01-23
| ||
| 21:44 | • Closed ticket [2c7b748796]. artifact: afbdc4ab60 user: oehhar | |
| 21:43 | • Deferred ticket [2c7b748796]. artifact: 4fad39455e user: oehhar | |
|
2021-05-12
| ||
| 10:12 | • Ticket [2c7b748796]: 3 changes artifact: 582c343024 user: tombert | |
|
2021-03-02
| ||
| 05:34 | • Ticket [2c7b748796]: 5 changes artifact: d28e12627d user: aspect | |
|
2020-09-28
| ||
| 15:26 | • New ticket [2c7b748796]. artifact: ba04940b5b user: oehhar | |
| Ticket Hash: | 2c7b7487966f65976f46c44fe7c4b5aafd93d9ae | ||
| Title: | Control TLS socket server errors | ||
| Status: | Closed | Type: | Feature Request |
| Severity: | Minor | Priority: | Medium |
| Subsystem: | Resolution: | External_Bug | |
| Last Modified: |
2024-05-28 00:17:12 1.43 years ago |
Created: |
2020-09-28 15:26:46 5.09 years ago |
| Version Found In: | trunk | ||
| User Comments: | ||||
oehhar added on 2020-09-28 15:26:46:
Currently, a failed TLS negociation for a server socket calles bgerror. I would appreciate, if there would be an option to pass a command prefix to be called in case of an error: ::tcltls::tls_socket -errorcmd [namespace code TLSError] More information and proposal may be seen in the linked TWAPI ticket: [https://sourceforge.net/p/twapi/bugs/189/] Thank you, Harald aspect added on 2021-03-02 05:34:06:
This was discussed on the chat yesterday. Errors in negotiation can be received
by [tls::handshake], but a bgerror is still produced. This short example
demonstrates:
package require tls
tls::init -cadir /etc/ssl/certs -require true -ssl2 0 -ssl3 0 -tls1 0 -tls1.1 0
proc bgerror {err} {
puts "bgerror: $err"
}
proc do_connect {} {
set chan [tls::socket irc.choopa.net 9999]
# ensure handshake completes
try {
while {![tls::handshake $chan]} {puts handshake}
} on error {err opts} {
puts "handshake error: $err"
return false
}
return true
}
do_connect
puts "synchronous code done"
update
Output:
handshake error: handshake failed: certificate verify failed
synchronous code done
bgerror: SSL channel "sock556449741e30": error: certificate verify failed
Note that without the call to tls::handshake, the same error will be produced
on first attempt to read or write the socket.
There are calls to Tcl_BackgroundError() in both Tls_Error() and
VerifyCallback(). The Tls_Error() invocations all come through stacked channel
machinery, so it *may* be possible to instead pass the error back to Tcl. Note
the twapi ticket says this isn't an option there, but refers to reflected
channels. I'm not sure if transchans will propagate errors from callbacks
VerifyCallback() is called by openssl so probably not so simple.
If extra plumbing is needed, one suggestion was to use a hash table keyed by
the channel ID to mark the presence of a synchronous operation that can return
the error. This may need mutex protection.
Another question when looking at the code: it seems like tcltls requires/assumes
that the tls channel is the top of a channel stack. I'm not sure this is
correct, since it might make sense to push another transform on top of tls. It
may be worth investigating this.
tombert added on 2021-05-12 10:12:24:
I can confirm. The BGERROR messages also appear when running the original test examples simpleClient.tcl and simpleServer.tcl. oehhar added on 2024-01-23 21:43:56:
As currently not solvable due to the stacked channel architecture -> Close bohagan added on 2024-05-28 00:17:12:
This should be resolved by the changes in [6a11f1215890a7c3]. | ||||