TclTLS: History Of Ticket 82560343da66fe8a8914bda22c4575bdf00d4f30

Artifacts Associated With Ticket 82560343da66fe8a8914bda22c4575bdf00d4f30

Ticket change [ba6c48b689] (rid 3982) by anonymous on 2025-07-08 20:28:20:

foundin initialized to: "2.0b1"

icomment:

Mananged to build tcltls with Tcl/Tk 9.0.2 on Windows using gcc 14.2.0:

1. Configured and compiled OpenSSL 3.5.1 with default settings.

2. Added ws2_32.lib and Crypt32.lib in configure.ac and regenerated configure.

    `if test "${TEA_PLATFORM}" = "windows" ; then
        if test "$GCC" = "yes"; then
            TEA_ADD_CFLAGS([${TCLTLS_SSL_CFLAGS} -Wno-deprecated-declarations])
            TEA_ADD_INCLUDES([${TCLTLS_SSL_INCLUDES}])
            TEA_ADD_LIBS([${TCLTLS_SSL_LIBS} ws2_32.lib Crypt32.lib])
        fi
    ...
`

3. Configured and compiled tcltls 2.0 using the following configure options:

    `--with-openssl-dir
    --enable-static-ssl
    --enable-hardening
`
4. Several tests failed. The results of the test-suite are contained in file tls.log.

   I also was not able to run the keytest tests:

    > tclsh keytest1.tcl
    Now run keytest2.tcl
    unable to set certificate file C:/Temp/certfile56986.TMP: ee key too small
        while executing
    "tls::import sock26f2630 -server 1 -keyfile C:/Temp/keyfile56530.TMP -certfile C:/Temp/certfile56986.TMP"
        ("eval" body line 1)
        invoked from within
    "eval [list tls::import $chan] $iopts"
        (procedure "tls::_accept" line 4)
        invoked from within
    "tls::_accept {-server 1 -keyfile C:/Temp/keyfile56530.TMP -certfile C:/Temp/certfile56986.TMP} myserv sock26f2630 127.0.0.1 63081"

    > tclsh keytest2.tcl
    error flushing "sock344b4c0": software caused connection abort
        while executing
    "flush $s"
        (file "keytest2.tcl" line 8)

login: "anonymous"
mimetype: "text/x-markdown"
severity initialized to: "Important"
status initialized to: "Open"
title initialized to: "Test-suite errors on Windows"
type initialized to: "Code Defect"

Ticket change [1d3be743ba] (rid 3983) by anonymous on 2025-07-08 20:32:37:

icomment:

Did not find a way to attach a file, so here is the content of tls.log:

Tests running in interp:  c:/opt/Tcl/bin/tclsh.exe
Tests located in:  D:/tmp/openssl/tcltls-2.0.0/tests
Tests running in:  D:/tmp/openssl/tcltls-2.0.0/tests
Temporary files stored in D:/tmp/openssl/tcltls-2.0.0/tests
Test files run in separate interpreters
Running tests that match:  *
Skipping test files that match:  l.*.test
Only running test files that match:  *.test
Tests began at Tue Jul 08 21:23:42 CEST 2025
badssl.test


==== BadSSL-1.47 sha1-2016 FAILED
==== Contents of test case:

	badssl sha1-2016.badssl.com
    
---- Result was:
handshake failed: certificate verify failed due to "CA signature digest algorithm too weak"
---- Result should have been (exact matching):
handshake failed: certificate verify failed due to "unable to get local issuer certificate"
==== BadSSL-1.47 FAILED



==== BadSSL-1.50 sha1-intermediate FAILED
==== Contents of test case:

	badssl sha1-intermediate.badssl.com
    
---- Result was:
handshake failed: certificate verify failed due to "CA signature digest algorithm too weak"
---- Result should have been (exact matching):
handshake failed: certificate verify failed due to "unable to get local issuer certificate"
==== BadSSL-1.50 FAILED

ciphers.test


==== Ciphers_Protocol_Specific-4.3 TLS1.0 FAILED
==== Contents of test case:

	lcompare [exec_get ":" ciphers -tls1 -s] [::tls::ciphers tls1 0 1]
    
---- Result was:
missing {} unexpected {ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA}
---- Result should have been (exact matching):
missing {} unexpected {}
==== Ciphers_Protocol_Specific-4.3 FAILED



==== Ciphers_Protocol_Specific-4.4 TLS1.1 FAILED
==== Contents of test case:

	lcompare [exec_get ":" ciphers -tls1_1 -s] [::tls::ciphers tls1.1 0 1]
    
---- Result was:
missing {} unexpected {ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA}
---- Result should have been (exact matching):
missing {} unexpected {}
==== Ciphers_Protocol_Specific-4.4 FAILED



==== Ciphers_Protocol_Specific-4.6 TLS1.3 FAILED
==== Contents of test case:

	lcompare [exec_get ":" ciphers -tls1_3 -s] [::tls::ciphers tls1.3 0 1]
    
---- Result was:
missing {} unexpected {ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA}
---- Result should have been (exact matching):
missing {} unexpected {}
==== Ciphers_Protocol_Specific-4.6 FAILED



Note, that I could not get test tlsIO.test running:

I started the server in one command shell:
> tclsh remote.tcl -port 8048 -address paulslegion

Then started test tlsIO.test in another window, which issued the following error message:
(Set env. variables: remoteServerIP=paulslegion remoteServerPort=8048)

> tclsh tlsIO.test
remote server disappeared: error writing "sock00000249F28A7630": software caused connection abort
    while executing
"error "remote server disappeared: $msg""
    (procedure "sendCommand" line 9)
    invoked from within
"sendCommand [list proc dputs [info args dputs] [info body dputs]]"
    invoked from within
"if {$doTestsWithRemoteServer == 1} {
    proc sendCommand {c} {
        global commandSocket

        if {[eof $commandSocket]} {
            error "remote server disappea..."
    (file "tlsIO.test" line 205)

The following error message was issued on the server side:

handshake failed: tlsv1 alert unknown ca
    while executing
"tls::handshake $s"
    (procedure "__accept__" line 7)
    invoked from within
"__accept__ sock000002A244A3BC00 fe80::b77b:6f81:4359:a9c6%12 64811"
    ("uplevel" body line 1)
    invoked from within
"uplevel #0 $callback"
    (procedure "tls::_accept" line 8)
    invoked from within
"tls::_accept {-server 1 -cafile ./certs/cacert.pem -certfile ./certs/server.pem -keyfile ./certs/server.key} __accept__ sock000002A244A3BC00 fe80::b77..."

login: "anonymous"
mimetype: "text/plain"
priority changed to: "Immediate"
resolution changed to: "Open"

Ticket change [a39a84d666] (rid 3984) by anonymous on 2025-07-08 20:42:51:

icomment:

Thanks, Paul, great that you tried it!
File attach is disabled for anonymous.
You may create a login or magic-Schelte may change the fossil settings.

Sorry,
Harald

login: "anonymous"
mimetype: "text/x-markdown"
username: "oehhar"

Ticket change [936fa83f67] (rid 3988) by bohagan on 2025-09-05 22:32:15:

icomment:

The missing libs from the configure.ac file is a bug. I'll fix that.

You shouldn't need to run those scripts directly from the command line. All you need to do is either "make test" or "tclsh all.tcl". Those will run all of the tests with the correct args to those scripts. The BadSSL and Ciphers test case failures are expected for now.

login: "bohagan"
mimetype: "text/x-markdown"

Ticket change [6a0cf3a1d5] (rid 4100) by bohagan on 2025-10-11 21:42:20:
1. icomment: "Missing libraries are fixed in [bfc8b5b54b06d1d8]."
2. login: "bohagan"
3. mimetype: "text/x-fossil-plain"
Ticket change [2f58296dcc] (rid 4109) by bohagan on 2025-10-11 22:04:59:
1. login: "bohagan"
2. mimetype: "text/x-markdown"
3. resolution changed to: "Fixed"