Overview
Comment: Applied patches #12 and #13 for Server Name Indication (SNI) support, and TLS 1.1, 1.2 support.
SHA1: 54d14de805b3571afcaae91c406aee62
User & Date: andreas_kupries on 2014-12-08 19:09:05
Context
2015-02-26 17:38 | Updated ChangeLog with info about another patch which got committed in December. check-in: 9cdfbcc18f user: andreas_kupries tags: trunk
2014-12-08 19:09 | Applied patches #12 and #13 for Server Name Indication (SNI) support, and TLS 1.1, 1.2 support. check-in: 54d14de805 user: andreas_kupries tags: trunk
2014-04-16 18:33 | Ticket 47, applied patch with last suggested change by Jeff (moving setting of "initialization"-flag). check-in: d248bc5f5e user: andreas_kupries tags: trunk
Changes
Modified ChangeLog
from [7cad739648]
to [6f6a7c06d2].
1 2 3 4 5 6 7 | 2012-07-09 Andreas Kupries <andreask@activestate.com> * configure.in: Bump to version 1.6.3. * win/makefile.vc: * configure: regen with ac-2.59 * tls.c (MiscObjCmd): Fixed non-static string array used in call | > > > > > > > > > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | 2014-12-05 Andreas Kupries <andreask@activestate.com> * configure.in: Bump to version 1.6.4. * win/makefile.vc: * configure: regen with ac-2.59 * tls.c: Accepted SF TLS patches #12 and #13 implementing * tls.htm: support for SNI, and TLS 1.1 + 1.2 * tlsInt.h: * tlsIO.c: * tls.tcl: 2012-07-09 Andreas Kupries <andreask@activestate.com> * configure.in: Bump to version 1.6.3. * win/makefile.vc: * configure: regen with ac-2.59 * tls.c (MiscObjCmd): Fixed non-static string array used in call |
︙ | ︙ |
Modified configure
from [2a39b43567]
to [9e769ed855].
1 2 | #! /bin/sh # Guess values for system-dependent variables and create Makefiles. | | | 1 2 3 4 5 6 7 8 9 10 | #! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59 for tls 1.6.4. # # Copyright (C) 2003 Free Software Foundation, Inc. # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## --------------------- ## ## M4sh Initialization. ## ## --------------------- ## |
︙ | ︙ | |||
263 264 265 266 267 268 269 | # This variable seems obsolete. It should probably be removed, and # only ac_max_sed_lines should be used. : ${ac_max_here_lines=38} # Identity of this package. PACKAGE_NAME='tls' PACKAGE_TARNAME='tls' | | | | 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 | # This variable seems obsolete. It should probably be removed, and # only ac_max_sed_lines should be used. : ${ac_max_here_lines=38} # Identity of this package. PACKAGE_NAME='tls' PACKAGE_TARNAME='tls' PACKAGE_VERSION='1.6.4' PACKAGE_STRING='tls 1.6.4' PACKAGE_BUGREPORT='' # Factoring default headers for most tests. ac_includes_default="\ #include <stdio.h> #if HAVE_SYS_TYPES_H # include <sys/types.h> |
︙ | ︙ | |||
773 774 775 776 777 778 779 | # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF | | | 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 | # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures tls 1.6.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. |
︙ | ︙ | |||
830 831 832 833 834 835 836 | cat <<\_ACEOF _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in | | | 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 | cat <<\_ACEOF _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of tls 1.6.4:";; esac cat <<\_ACEOF Optional Features: --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-threads build with threads |
︙ | ︙ | |||
966 967 968 969 970 971 972 | cd $ac_popdir done fi test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF | | | | 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 | cd $ac_popdir done fi test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF tls configure 1.6.4 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit 0 fi exec 5>config.log cat >&5 <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by tls $as_me 1.6.4, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ _ACEOF { cat <<_ASUNAME |
︙ | ︙ | |||
10807 10808 10809 10810 10811 10812 10813 | echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX } >&5 cat >&5 <<_CSEOF | | | 10807 10808 10809 10810 10811 10812 10813 10814 10815 10816 10817 10818 10819 10820 10821 | echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX } >&5 cat >&5 <<_CSEOF This file was extended by tls $as_me 1.6.4, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ |
︙ | ︙ | |||
10862 10863 10864 10865 10866 10867 10868 | $config_files Report bugs to <bug-autoconf@gnu.org>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ | | | 10862 10863 10864 10865 10866 10867 10868 10869 10870 10871 10872 10873 10874 10875 10876 | $config_files Report bugs to <bug-autoconf@gnu.org>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ tls config.status 1.6.4 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" Copyright (C) 2003 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." srcdir=$srcdir |
︙ | ︙ |
Modified configure.in
from [dc7c0619a3]
to [0fa0bd0d20].
1 2 3 4 5 6 7 8 9 10 11 12 13 | #!/bin/bash -norc dnl This file is an input file used by the GNU "autoconf" program to dnl generate the file "configure", which is run during Tcl installation dnl to configure the system for the local environment. dnl dnl This file contains code to generate "tls" using either the dnl OpenSSL libraries or libraries from the commercial BSAFE SSL-C dnl product from RSA Security. In the United States, it is necessary dnl to use the RSA BSAFE libraries for any product developed for dnl commercial use. Licensing information for BSAFE SSL-C may be dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # | | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | #!/bin/bash -norc dnl This file is an input file used by the GNU "autoconf" program to dnl generate the file "configure", which is run during Tcl installation dnl to configure the system for the local environment. dnl dnl This file contains code to generate "tls" using either the dnl OpenSSL libraries or libraries from the commercial BSAFE SSL-C dnl product from RSA Security. In the United States, it is necessary dnl to use the RSA BSAFE libraries for any product developed for dnl commercial use. Licensing information for BSAFE SSL-C may be dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # # RCS: @(#) $Id: configure.in,v 1.28 2014/12/08 19:09:06 andreas_kupries Exp $ #-------------------------------------------------------------------- # macro used to verify that the configure script can find the sources #-------------------------------------------------------------------- AC_INIT([tls], [1.6.4]) TEA_INIT([3.8]) AC_CONFIG_AUX_DIR(tclconfig) #-------------------------------------------------------------------- # Load the tclConfig.sh file |
︙ | ︙ |
Modified tls.c
from [34519f36fc]
to [343f6572a7].
1 2 3 4 5 6 7 | /* * Copyright (C) 1997-1999 Matt Newman <matt@novadigm.com> * some modifications: * Copyright (C) 2000 Ajuba Solutions * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | /* * Copyright (C) 1997-1999 Matt Newman <matt@novadigm.com> * some modifications: * Copyright (C) 2000 Ajuba Solutions * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.c,v 1.35 2014/12/08 19:09:06 andreas_kupries Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built (almost) from scratch based upon observation of * OpenSSL 0.9.2B * |
︙ | ︙ | |||
64 65 66 67 68 69 70 | Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[])); static SSL_CTX *CTX_Init _ANSI_ARGS_((State *statePtr, int proto, char *key, char *cert, char *CAdir, char *CAfile, char *ciphers)); static int TlsLibInit _ANSI_ARGS_ (()) ; | | > > | | | 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 | Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[])); static SSL_CTX *CTX_Init _ANSI_ARGS_((State *statePtr, int proto, char *key, char *cert, char *CAdir, char *CAfile, char *ciphers)); static int TlsLibInit _ANSI_ARGS_ (()) ; #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 #define TLS_PROTO_TLS1_1 0x08 #define TLS_PROTO_TLS1_2 0x10 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) /* * Static data structures */ #ifndef NO_DH |
︙ | ︙ | |||
504 505 506 507 508 509 510 | CiphersObjCmd(clientData, interp, objc, objv) ClientData clientData; /* Not used. */ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { | | | | 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 | CiphersObjCmd(clientData, interp, objc, objv) ClientData clientData; /* Not used. */ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", NULL }; enum protocol { TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_NONE }; Tcl_Obj *objPtr; SSL_CTX *ctx = NULL; SSL *ssl = NULL; STACK_OF(SSL_CIPHER) *sk; char *cp, buf[BUFSIZ]; int index, verbose = 0; |
︙ | ︙ | |||
550 551 552 553 554 555 556 557 558 559 560 561 562 563 | case TLS_TLS1: #if defined(NO_TLS1) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_method()); break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); return TCL_ERROR; } | > > > > > > > > > > > > > > | 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 | case TLS_TLS1: #if defined(NO_TLS1) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_method()); break; #endif case TLS_TLS1_1: #if defined(NO_TLS1_1) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_1_method()); break; #endif case TLS_TLS1_2: #if defined(NO_TLS1_2) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); return TCL_ERROR; } |
︙ | ︙ | |||
712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 | int server = 0; /* is connection incoming or outgoing? */ char *key = NULL; char *cert = NULL; char *ciphers = NULL; char *CAfile = NULL; char *CAdir = NULL; char *model = NULL; #if defined(NO_SSL2) int ssl2 = 0; #else int ssl2 = 1; #endif #if defined(NO_SSL3) int ssl3 = 0; #else int ssl3 = 1; #endif | > > > < | | < | 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 | int server = 0; /* is connection incoming or outgoing? */ char *key = NULL; char *cert = NULL; char *ciphers = NULL; char *CAfile = NULL; char *CAdir = NULL; char *model = NULL; #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; /* hostname for Server Name Indication */ #endif #if defined(NO_SSL2) int ssl2 = 0; #else int ssl2 = 1; #endif #if defined(NO_SSL3) int ssl3 = 0; #else int ssl3 = 1; #endif int tls1 = 1; int tls1_1 = 1; int tls1_2 = 1; int proto = 0; int verify = 0, require = 0, request = 1; if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; } |
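Review bot: the new defaults `int tls1_1 = 1;` and `int tls1_2 = 1;` in this hunk are unconditional, unlike `ssl2`/`ssl3`, which are guarded by `#if defined(NO_SSL2)` / `#if defined(NO_SSL3)`. Since tlsInt.h in this same check-in defines `NO_TLS1_1`/`NO_TLS1_2` whenever the linked OpenSSL lacks `SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2`, and CTX_Init rejects a proto mask containing an unsupported bit with "protocol not supported", a plain `tls::import` with default options would fail against such an OpenSSL. Suggest mirroring the existing pattern: `#if defined(NO_TLS1_1)` / `int tls1_1 = 0;` / `#else` / `int tls1_1 = 1;` / `#endif`, and the same for `tls1_2`.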
︙ | ︙ | |||
763 764 765 766 767 768 769 770 771 772 773 774 | OPTOBJ( "-command", script); OPTSTR( "-keyfile", key); OPTSTR( "-model", model); OPTOBJ( "-password", password); OPTBOOL( "-require", require); OPTBOOL( "-request", request); OPTBOOL( "-server", server); OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); | > > > > > | > > | 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 | OPTOBJ( "-command", script); OPTSTR( "-keyfile", key); OPTSTR( "-model", model); OPTOBJ( "-password", password); OPTBOOL( "-require", require); OPTBOOL( "-request", request); OPTBOOL( "-server", server); #ifndef OPENSSL_NO_TLSEXT OPTSTR( "-servername", servername); #endif OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (verify == 0) verify = SSL_VERIFY_NONE; proto |= (ssl2 ? TLS_PROTO_SSL2 : 0); proto |= (ssl3 ? TLS_PROTO_SSL3 : 0); proto |= (tls1 ? TLS_PROTO_TLS1 : 0); proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); /* reset to NULL if blank string provided */ if (cert && !*cert) cert = NULL; if (key && !*key) key = NULL; if (ciphers && !*ciphers) ciphers = NULL; if (CAfile && !*CAfile) CAfile = NULL; if (CAdir && !*CAdir) CAdir = NULL; |
︙ | ︙ | |||
884 885 886 887 888 889 890 891 892 893 894 895 896 897 | if (!statePtr->ssl) { /* SSL library error */ Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } /* * SSL Callbacks */ SSL_set_app_data(statePtr->ssl, (VOID *)statePtr); /* point back to us */ | > > > > > > > > > > > | 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 | if (!statePtr->ssl) { /* SSL library error */ Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } #ifndef OPENSSL_NO_TLSEXT if (servername) { if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { Tcl_AppendResult(interp, "setting TLS host name extension failed", (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } } #endif /* * SSL Callbacks */ SSL_set_app_data(statePtr->ssl, (VOID *)statePtr); /* point back to us */ |
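Review bot: a failed `SSL_set_tlsext_host_name()` is only reported when `require` is set (`if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require)`); otherwise the caller asked for a logical host by name and silently proceeds without SNI, which on a virtual-hosting server yields the default certificate rather than the expected one. `-require` governs peer-certificate presence, a different concern, so consider reporting the failure unconditionally, or at least documenting the coupling in tls.htm. Also worth stating in the docs: this call only sets the SNI extension; nothing in this change checks the presented certificate against `servername`, so "expecting a certificate for" in the new tls.htm text overstates what the code does.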
︙ | ︙ | |||
1000 1001 1002 1003 1004 1005 1006 1007 | char *ciphers; { Tcl_Interp *interp = statePtr->interp; SSL_CTX *ctx = NULL; Tcl_DString ds; Tcl_DString ds1; int off = 0; | > < < < < < < | < < < < < < < < < < < < < < < < < > > > > > > > > > > > > > > > | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > > | > > > > > > > > > > > | > > > | 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 | char *ciphers; { Tcl_Interp *interp = statePtr->interp; SSL_CTX *ctx = NULL; Tcl_DString ds; Tcl_DString ds1; int off = 0; const SSL_METHOD *method; if (!proto) { Tcl_AppendResult(interp, "no valid protocol selected", NULL); return (SSL_CTX *)0; } /* create SSL context */ #if defined(NO_SSL2) if (ENABLED(proto, TLS_PROTO_SSL2)) { Tcl_AppendResult(interp, "protocol not supported", NULL); return (SSL_CTX *)0; } #endif #if defined(NO_SSL3) if (ENABLED(proto, TLS_PROTO_SSL3)) { Tcl_AppendResult(interp, "protocol not supported", NULL); return (SSL_CTX *)0; } #endif #if defined(NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { Tcl_AppendResult(interp, "protocol not supported", NULL); return (SSL_CTX *)0; } #endif #if defined(NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { Tcl_AppendResult(interp, "protocol not supported", NULL); return (SSL_CTX *)0; } #endif #if defined(NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { Tcl_AppendResult(interp, "protocol not supported", NULL); return (SSL_CTX *)0; } #endif switch (proto) { #if !defined(NO_SSL2) case TLS_PROTO_SSL2: method = SSLv2_method (); break; 
#endif #if !defined(NO_SSL3) case TLS_PROTO_SSL3: method = SSLv3_method (); break; #endif #if !defined(NO_TLS1) case TLS_PROTO_TLS1: method = TLSv1_method (); break; #endif #if !defined(NO_TLS1_1) case TLS_PROTO_TLS1_1: method = TLSv1_1_method (); break; #endif #if !defined(NO_TLS1_2) case TLS_PROTO_TLS1_2: method = TLSv1_2_method (); break; #endif default: method = SSLv23_method (); #if !defined(NO_SSL2) off |= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); #endif #if !defined(NO_SSL3) off |= (ENABLED(proto, TLS_PROTO_SSL3) ? 0 : SSL_OP_NO_SSLv3); #endif #if !defined(NO_TLS1) off |= (ENABLED(proto, TLS_PROTO_TLS1) ? 0 : SSL_OP_NO_TLSv1); #endif #if !defined(NO_TLS1_1) off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1); #endif #if !defined(NO_TLS1_2) off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2); #endif break; } ctx = SSL_CTX_new (method); SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */ SSL_CTX_set_options( ctx, SSL_OP_ALL); /* all SSL bug workarounds */ SSL_CTX_set_options( ctx, off); /* all SSL bug workarounds */ SSL_CTX_sess_set_cache_size( ctx, 128); if (ciphers != NULL) SSL_CTX_set_cipher_list(ctx, ciphers); |
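Review bot: `ctx = SSL_CTX_new (method);` is followed directly by `SSL_CTX_set_app_data( ctx, (VOID*)interp);` with no NULL check in the visible lines; `SSL_CTX_new()` can fail (for example when the chosen method is unavailable at run time), and the surrounding function already has a `return (SSL_CTX *)0;` error path with `Tcl_AppendResult(interp, REASON(), ...)` style reporting elsewhere in this file that could be reused here. Two smaller points in the same region: the comment on `SSL_CTX_set_options( ctx, off);` was copied from the line above and still reads `/* all SSL bug workarounds */`, but `off` holds the `SSL_OP_NO_*` protocol-disable bits and the comment should say so; and the five `#if defined(NO_xxx)` "protocol not supported" blocks plus the five `#if !defined(NO_xxx)` cases are the same pattern repeated ten times, so a short comment above `switch (proto)` explaining that a single-bit `proto` selects a version-specific method while any combination falls through to `SSLv23_method()` with the unwanted versions masked off would help the next reader.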
︙ | ︙ |
Modified tls.htm
from [7d8a6ea6de]
to [efffb774bc].
︙ | ︙ | |||
196 197 198 199 200 201 202 203 204 205 206 207 208 209 | <dt><strong>-require</strong> <em>bool</em></dt> <dd>Require a valid certificate from peer during SSL handshake. If this is set to true then <strong>-request</strong> must also be set to true. (<strong>default</strong>: <em>false</em>)</dd> <dt><strong>-server</strong> <em>bool</em></dt> <dd>Handshake as server if true, else handshake as client.(<strong>default</strong>: <em>false</em>)</dd> <dt><strong>-ssl2</strong> <em>bool</em></dt> <dd>Enable use of SSL v2. (<strong>default</strong>: <em>true</em> unless -DNO_PATENTS was specified in build)</dd> <dt><strong>-ssl3 </strong><em>bool</em></dt> <dd>Enable use of SSL v3. (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1. (<strong>default</strong>: <em>false</em>)</dd> | > > > > > | 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 | <dt><strong>-require</strong> <em>bool</em></dt> <dd>Require a valid certificate from peer during SSL handshake. If this is set to true then <strong>-request</strong> must also be set to true. (<strong>default</strong>: <em>false</em>)</dd> <dt><strong>-server</strong> <em>bool</em></dt> <dd>Handshake as server if true, else handshake as client.(<strong>default</strong>: <em>false</em>)</dd> <dt><strong>-servername</strong> <em>host</em></dt> <dd>Only available if the OpenSSL library the package is linked against supports the TLS hostname extension for 'Server Name Indication' (SNI). Use to name the logical host we are talking to and expecting a certificate for</dd> <dt><strong>-ssl2</strong> <em>bool</em></dt> <dd>Enable use of SSL v2. (<strong>default</strong>: <em>true</em> unless -DNO_PATENTS was specified in build)</dd> <dt><strong>-ssl3 </strong><em>bool</em></dt> <dd>Enable use of SSL v3. (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1. 
(<strong>default</strong>: <em>false</em>)</dd> |
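Review bot: the documentation in this hunk is incomplete for the check-in: it adds `-servername` but no entries for the new `-tls1.1` and `-tls1.2` options that tls.c and tls.tcl now accept. The `-servername` description also lacks a terminating period and should say that it only sets the SNI extension (no hostname check of the peer certificate is performed by this change), and ideally that it applies to the client side of the handshake. Separately, the unchanged context still documents `-tls1` as `(<strong>default</strong>: <em>false</em>)` while tls.c in this same commit initialises `int tls1 = 1;`; since the defaults for the new options should be documented next to it, this is a good moment to correct that entry.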
︙ | ︙ |
Modified tls.tcl
from [a03810957e]
to [83a8992c6a].
1 2 3 | # # Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> # | | | 1 2 3 4 5 6 7 8 9 10 11 | # # Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> # # $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.tcl,v 1.13 2014/12/08 19:09:06 andreas_kupries Exp $ # namespace eval tls { variable logcmd tclLog variable debug 0 # Default flags passed to tls::import variable defaults {} |
︙ | ︙ | |||
67 68 69 70 71 72 73 | set idx [lsearch $args -server] if {$idx != -1} { set server 1 set callback [lindex $args [expr {$idx+1}]] set args [lreplace $args $idx [expr {$idx+1}]] set usage "wrong # args: should be \"tls::socket -server command ?options? port\"" | | | | 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | set idx [lsearch $args -server] if {$idx != -1} { set server 1 set callback [lindex $args [expr {$idx+1}]] set args [lreplace $args $idx [expr {$idx+1}]] set usage "wrong # args: should be \"tls::socket -server command ?options? port\"" set options "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" } else { set server 0 set usage "wrong # args: should be \"tls::socket ?options? host port\"" set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -myport, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" } set argc [llength $args] set sopts {} set iopts [concat [list -server $server] $defaults] ;# Import options for {set idx 0} {$idx < $argc} {incr idx} { set arg [lindex $args $idx] |
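Review bot: `-servername` is added to the accepted-options string of both branches, including the `-server` one (`set options "-cadir, ... -require, -servername, -ssl2, ..."`). The tls.htm text in this check-in describes the option as naming "the logical host we are talking to", i.e. a client-side setting, and the C side only calls `SSL_set_tlsext_host_name()` on the connection. If the option is meaningless for a listening socket, leaving it out of the server branch (so `tls::socket -server` rejects it with the existing "bad option" error) avoids a silently ignored setting; if it is intended to be accepted there, a comment saying why would help.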
︙ | ︙ | |||
94 95 96 97 98 99 100 101 102 | *,-certfile - *,-cipher - *,-command - *,-keyfile - *,-password - *,-request - *,-require - *,-ssl2 - *,-ssl3 - | > > > | | 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 | *,-certfile - *,-cipher - *,-command - *,-keyfile - *,-password - *,-request - *,-require - *,-servername - *,-ssl2 - *,-ssl3 - *,-tls1 - *,-tls1.1 - *,-tls1.2 {lappend iopts $arg [lindex $args [incr idx]]} -* {return -code error "bad option \"$arg\": must be one of $options"} default {break} } } if {$server} { if {($idx + 1) != $argc} { return -code error $usage |
︙ | ︙ |
Modified tlsIO.c
from [208b82b4d8]
to [8be3b6411f].
1 2 3 4 | /* * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> * Copyright (C) 2000 Ajuba Solutions * | | | 1 2 3 4 5 6 7 8 9 10 11 12 | /* * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> * Copyright (C) 2000 Ajuba Solutions * * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsIO.c,v 1.17 2014/12/08 19:09:06 andreas_kupries Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built from scratch based upon observation of OpenSSL 0.9.2B * * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for |
︙ | ︙ | |||
724 725 726 727 728 729 730 731 732 733 734 735 736 737 | * execution of channel handlers will eventually cause us to * recreate the timer (in WatchProc). */ Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = (Tcl_TimerToken) NULL; } return mask; } /* *------------------------------------------------------* * | > > > > > > > > > > > > > | 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 | * execution of channel handlers will eventually cause us to * recreate the timer (in WatchProc). */ Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = (Tcl_TimerToken) NULL; } if (statePtr->flags & TLS_TCL_CALLBACK) { return 0; } if (statePtr->flags & TLS_TCL_INIT && !SSL_is_init_finished(statePtr->ssl)) { int errorCode; if (Tls_WaitForConnect(statePtr, &errorCode) <= 0 && errorCode == EAGAIN) { return 0; } } return mask; } /* *------------------------------------------------------* * |
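Review bot: this notifier change is not covered by the commit message (SNI and TLS 1.1/1.2) and deserves its own mention, since it alters event delivery during the handshake. In `if (Tls_WaitForConnect(statePtr, &errorCode) <= 0 && errorCode == EAGAIN)`, `errorCode` is declared without an initialiser, and the tlsIO.c hunk further down adds a `return 0;` path in Tls_WaitForConnect that does not write `*errorCodePtr`, so this comparison can read an indeterminate value on that path; initialise `int errorCode = 0;` here or make every return in Tls_WaitForConnect set the out-parameter. Also suggest parenthesising `(statePtr->flags & TLS_TCL_INIT)` in the `&&` condition for readability, matching the `if (statePtr->flags & TLS_TCL_CALLBACK)` style just above.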
︙ | ︙ | |||
896 897 898 899 900 901 902 903 904 905 906 907 908 909 | dprintf(stderr,"E! "); *errorCodePtr = EAGAIN; return -1; } else { continue; } } else if (err == 0) { dprintf(stderr,"CR! "); *errorCodePtr = ECONNRESET; return -1; } if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_get_verify_result(statePtr->ssl); if (err != X509_V_OK) { | > > > | 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 | dprintf(stderr,"E! "); *errorCodePtr = EAGAIN; return -1; } else { continue; } } else if (err == 0) { if (Tcl_Eof(statePtr->self)) { return 0; } dprintf(stderr,"CR! "); *errorCodePtr = ECONNRESET; return -1; } if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_get_verify_result(statePtr->ssl); if (err != X509_V_OK) { |
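Review bot: the new early exit `if (Tcl_Eof(statePtr->self)) { return 0; }` returns from Tls_WaitForConnect without assigning `*errorCodePtr`, whereas the sibling branches set it (`*errorCodePtr = EAGAIN;`, `*errorCodePtr = ECONNRESET;`) before returning; the caller added in the earlier hunk of this file compares `errorCode` after a `<= 0` return, so this path leaks an uninitialised value to it. Set `*errorCodePtr` (for instance to the value the caller expects for "no progress") before returning, and add a comment explaining why a clean EOF on the underlying channel during the handshake is reported as 0 rather than as ECONNRESET, because the distinction between a peer closing mid-handshake and a reset is easy to lose here.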
︙ | ︙ |
Modified tlsInt.h
from [1edd2e699c]
to [810dac65b4].
1 2 3 | /* * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> * | | | 1 2 3 4 5 6 7 8 9 10 11 | /* * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> * * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsInt.h,v 1.16 2014/12/08 19:09:06 andreas_kupries Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built from scratch based upon observation of OpenSSL 0.9.2B * * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for |
︙ | ︙ | |||
49 50 51 52 53 54 55 56 57 58 59 60 61 62 | #include <err.h> #include <rand.h> #else #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/rand.h> #endif #ifdef TCL_STORAGE_CLASS # undef TCL_STORAGE_CLASS #endif #ifdef BUILD_tls # define TCL_STORAGE_CLASS DLLEXPORT #else | > > > > > > > > | 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 | #include <err.h> #include <rand.h> #else #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/rand.h> #endif #ifndef SSL_OP_NO_TLSv1_1 #define NO_TLS1_1 #endif #ifndef SSL_OP_NO_TLSv1_2 #define NO_TLS1_2 #endif #ifdef TCL_STORAGE_CLASS # undef TCL_STORAGE_CLASS #endif #ifdef BUILD_tls # define TCL_STORAGE_CLASS DLLEXPORT #else |
︙ | ︙ |
Modified win/makefile.vc
from [8713e89984]
to [98bc811491].
︙ | ︙ | |||
14 15 16 17 18 19 20 | # Copyright (c) 1995-1996 Sun Microsystems, Inc. # Copyright (c) 1998-2000 Ajuba Solutions. # Copyright (c) 2001 ActiveState Corporation. # Copyright (c) 2001-2002 David Gravereaux. # Copyright (c) 2003-2006 Pat Thoyts # #------------------------------------------------------------------------- | | | 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | # Copyright (c) 1995-1996 Sun Microsystems, Inc. # Copyright (c) 1998-2000 Ajuba Solutions. # Copyright (c) 2001 ActiveState Corporation. # Copyright (c) 2001-2002 David Gravereaux. # Copyright (c) 2003-2006 Pat Thoyts # #------------------------------------------------------------------------- # RCS: @(#)$Id: makefile.vc,v 1.11 2014/12/08 19:09:06 andreas_kupries Exp $ #------------------------------------------------------------------------- # Check to see we are configured to build with MSVC (MSDEVDIR or MSVCDIR) # or with the MS Platform SDK (MSSDK). Visual Studio .NET 2003 and 2005 define # VCINSTALLDIR instead. The MSVC Toolkit release defines yet another. !if !defined(MSDEVDIR) && !defined(MSVCDIR) && !defined(MSSDK) && !defined(VCINSTALLDIR) && !defined(VCToolkitInstallDir) MSG = ^ |
︙ | ︙ | |||
160 161 162 163 164 165 166 | PROJECT = tls # Uncomment the following line if this is a Tk extension. #PROJECT_REQUIRES_TK=1 !include "rules.vc" | | | 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 | PROJECT = tls # Uncomment the following line if this is a Tk extension. #PROJECT_REQUIRES_TK=1 !include "rules.vc" DOTVERSION = 1.6.4 VERSION = $(DOTVERSION:.=) STUBPREFIX = $(PROJECT)stub DLLOBJS = \ $(TMP_DIR)\tls.obj \ $(TMP_DIR)\tlsBIO.obj \ $(TMP_DIR)\tlsIO.obj \ |
︙ | ︙ |