Overview
Comment: | Applied patches #12 and #13 for Server Name Indication (SNI) support, and TLS 1.1, 1.2 support. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA1: |
54d14de805b3571afcaae91c406aee62 |
User & Date: | andreas_kupries on 2014-12-08 19:09:05 |
Other Links: | manifest | tags |
Context
2015-02-26
| ||
17:38 | Updated ChangeLog with info about another patch which got committed in December. check-in: 9cdfbcc18f user: andreas_kupries tags: trunk | |
2014-12-08
| ||
19:09 | Applied patches #12 and #13 for Server Name Indication (SNI) support, and TLS 1.1, 1.2 support. check-in: 54d14de805 user: andreas_kupries tags: trunk | |
2014-04-16
| ||
18:33 | Ticket 47, applied patch with last suggested change by Jeff (moving setting of "initialization"-flag). check-in: d248bc5f5e user: andreas_kupries tags: trunk | |
Changes
Modified ChangeLog
from [7cad739648]
to [6f6a7c06d2].
|
Modified configure
from [2a39b43567]
to [9e769ed855].
1 2 | 1 2 3 4 5 6 7 8 9 10 | - + | #! /bin/sh # Guess values for system-dependent variables and create Makefiles. |
︙ | |||
263 264 265 266 267 268 269 | 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 | - - + + | # This variable seems obsolete. It should probably be removed, and # only ac_max_sed_lines should be used. : ${ac_max_here_lines=38} # Identity of this package. PACKAGE_NAME='tls' PACKAGE_TARNAME='tls' |
︙ | |||
773 774 775 776 777 778 779 | 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 | - + | # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF |
︙ | |||
830 831 832 833 834 835 836 | 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 | - + | cat <<\_ACEOF _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in |
︙ | |||
966 967 968 969 970 971 972 | 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 | - + - + | cd $ac_popdir done fi test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF |
︙ | |||
10807 10808 10809 10810 10811 10812 10813 | 10807 10808 10809 10810 10811 10812 10813 10814 10815 10816 10817 10818 10819 10820 10821 | - + | echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX } >&5 cat >&5 <<_CSEOF |
︙ | |||
10862 10863 10864 10865 10866 10867 10868 | 10862 10863 10864 10865 10866 10867 10868 10869 10870 10871 10872 10873 10874 10875 10876 | - + | $config_files Report bugs to <bug-autoconf@gnu.org>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ |
︙ |
Modified configure.in
from [dc7c0619a3]
to [0fa0bd0d20].
1 2 3 4 5 6 7 8 9 10 11 12 13 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | - + - + | #!/bin/bash -norc dnl This file is an input file used by the GNU "autoconf" program to dnl generate the file "configure", which is run during Tcl installation dnl to configure the system for the local environment. dnl dnl This file contains code to generate "tls" using either the dnl OpenSSL libraries or libraries from the commercial BSAFE SSL-C dnl product from RSA Security. In the United States, it is necessary dnl to use the RSA BSAFE libraries for any product developed for dnl commercial use. Licensing information for BSAFE SSL-C may be dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # |
︙ |
Modified tls.c
from [34519f36fc]
to [343f6572a7].
1 2 3 4 5 6 7 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | - + | /* * Copyright (C) 1997-1999 Matt Newman <matt@novadigm.com> * some modifications: * Copyright (C) 2000 Ajuba Solutions * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * |
︙ | |||
64 65 66 67 68 69 70 | 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 | - - - + + + + + | Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[])); static SSL_CTX *CTX_Init _ANSI_ARGS_((State *statePtr, int proto, char *key, char *cert, char *CAdir, char *CAfile, char *ciphers)); static int TlsLibInit _ANSI_ARGS_ (()) ; |
︙ | |||
504 505 506 507 508 509 510 | 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 | - + - + | CiphersObjCmd(clientData, interp, objc, objv) ClientData clientData; /* Not used. */ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { |
︙ | |||
550 551 552 553 554 555 556 557 558 559 560 561 562 563 | 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 | + + + + + + + + + + + + + + | case TLS_TLS1: #if defined(NO_TLS1) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_method()); break; #endif case TLS_TLS1_1: #if defined(NO_TLS1_1) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_1_method()); break; #endif case TLS_TLS1_2: #if defined(NO_TLS1_2) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); return TCL_ERROR; } |
︙ | |||
712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 | 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 | + + + - - - + + - | int server = 0; /* is connection incoming or outgoing? */ char *key = NULL; char *cert = NULL; char *ciphers = NULL; char *CAfile = NULL; char *CAdir = NULL; char *model = NULL; #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; /* hostname for Server Name Indication */ #endif #if defined(NO_SSL2) int ssl2 = 0; #else int ssl2 = 1; #endif #if defined(NO_SSL3) int ssl3 = 0; #else int ssl3 = 1; #endif |
︙ | |||
763 764 765 766 767 768 769 770 771 772 773 774 | 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 | + + + + + - + + + | OPTOBJ( "-command", script); OPTSTR( "-keyfile", key); OPTSTR( "-model", model); OPTOBJ( "-password", password); OPTBOOL( "-require", require); OPTBOOL( "-request", request); OPTBOOL( "-server", server); #ifndef OPENSSL_NO_TLSEXT OPTSTR( "-servername", servername); #endif OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); |
︙ | |||
884 885 886 887 888 889 890 891 892 893 894 895 896 897 | 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 | + + + + + + + + + + + | if (!statePtr->ssl) { /* SSL library error */ Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } #ifndef OPENSSL_NO_TLSEXT if (servername) { if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { Tcl_AppendResult(interp, "setting TLS host name extension failed", (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } } #endif /* * SSL Callbacks */ SSL_set_app_data(statePtr->ssl, (VOID *)statePtr); /* point back to us */ |
︙ | |||
1000 1001 1002 1003 1004 1005 1006 1007 | 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 | + - - - - - - - + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + | char *ciphers; { Tcl_Interp *interp = statePtr->interp; SSL_CTX *ctx = NULL; Tcl_DString ds; Tcl_DString ds1; int off = 0; const SSL_METHOD *method; |
︙ |
Modified tls.htm
from [7d8a6ea6de]
to [efffb774bc].
︙ | |||
196 197 198 199 200 201 202 203 204 205 206 207 208 209 | 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 | + + + + + | <dt><strong>-require</strong> <em>bool</em></dt> <dd>Require a valid certificate from peer during SSL handshake. If this is set to true then <strong>-request</strong> must also be set to true. (<strong>default</strong>: <em>false</em>)</dd> <dt><strong>-server</strong> <em>bool</em></dt> <dd>Handshake as server if true, else handshake as client.(<strong>default</strong>: <em>false</em>)</dd> <dt><strong>-servername</strong> <em>host</em></dt> <dd>Only available if the OpenSSL library the package is linked against supports the TLS hostname extension for 'Server Name Indication' (SNI). Use to name the logical host we are talking to and expecting a certificate for</dd> <dt><strong>-ssl2</strong> <em>bool</em></dt> <dd>Enable use of SSL v2. (<strong>default</strong>: <em>true</em> unless -DNO_PATENTS was specified in build)</dd> <dt><strong>-ssl3 </strong><em>bool</em></dt> <dd>Enable use of SSL v3. (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1. (<strong>default</strong>: <em>false</em>)</dd> |
︙ |
Modified tls.tcl
from [a03810957e]
to [83a8992c6a].
1 2 3 | 1 2 3 4 5 6 7 8 9 10 11 | - + | # # Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> # |
︙ | |||
67 68 69 70 71 72 73 | 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | - + - + | set idx [lsearch $args -server] if {$idx != -1} { set server 1 set callback [lindex $args [expr {$idx+1}]] set args [lreplace $args $idx [expr {$idx+1}]] set usage "wrong # args: should be \"tls::socket -server command ?options? port\"" |
︙ | |||
94 95 96 97 98 99 100 101 102 | 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 | + + + - + | *,-certfile - *,-cipher - *,-command - *,-keyfile - *,-password - *,-request - *,-require - *,-servername - *,-ssl2 - *,-ssl3 - *,-tls1 - *,-tls1.1 - |
︙ |
Modified tlsIO.c
from [208b82b4d8]
to [8be3b6411f].
1 2 3 4 | 1 2 3 4 5 6 7 8 9 10 11 12 | - + | /* * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> * Copyright (C) 2000 Ajuba Solutions * |
︙ | |||
724 725 726 727 728 729 730 731 732 733 734 735 736 737 | 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 | + + + + + + + + + + + + + | * execution of channel handlers will eventually cause us to * recreate the timer (in WatchProc). */ Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = (Tcl_TimerToken) NULL; } if (statePtr->flags & TLS_TCL_CALLBACK) { return 0; } if (statePtr->flags & TLS_TCL_INIT && !SSL_is_init_finished(statePtr->ssl)) { int errorCode; if (Tls_WaitForConnect(statePtr, &errorCode) <= 0 && errorCode == EAGAIN) { return 0; } } return mask; } /* *------------------------------------------------------* * |
︙ | |||
896 897 898 899 900 901 902 903 904 905 906 907 908 909 | 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 | + + + | dprintf(stderr,"E! "); *errorCodePtr = EAGAIN; return -1; } else { continue; } } else if (err == 0) { if (Tcl_Eof(statePtr->self)) { return 0; } dprintf(stderr,"CR! "); *errorCodePtr = ECONNRESET; return -1; } if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_get_verify_result(statePtr->ssl); if (err != X509_V_OK) { |
︙ |
Modified tlsInt.h
from [1edd2e699c]
to [810dac65b4].
1 2 3 | 1 2 3 4 5 6 7 8 9 10 11 | - + | /* * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> * |
︙ | |||
49 50 51 52 53 54 55 56 57 58 59 60 61 62 | 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 | + + + + + + + + | #include <err.h> #include <rand.h> #else #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/rand.h> #endif #ifndef SSL_OP_NO_TLSv1_1 #define NO_TLS1_1 #endif #ifndef SSL_OP_NO_TLSv1_2 #define NO_TLS1_2 #endif #ifdef TCL_STORAGE_CLASS # undef TCL_STORAGE_CLASS #endif #ifdef BUILD_tls # define TCL_STORAGE_CLASS DLLEXPORT #else |
︙ |
Modified win/makefile.vc
from [8713e89984]
to [98bc811491].
︙ | |||
14 15 16 17 18 19 20 | 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | - + | # Copyright (c) 1995-1996 Sun Microsystems, Inc. # Copyright (c) 1998-2000 Ajuba Solutions. # Copyright (c) 2001 ActiveState Corporation. # Copyright (c) 2001-2002 David Gravereaux. # Copyright (c) 2003-2006 Pat Thoyts # #------------------------------------------------------------------------- |
︙ | |||
160 161 162 163 164 165 166 | 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 | - + | PROJECT = tls # Uncomment the following line if this is a Tk extension. #PROJECT_REQUIRES_TK=1 !include "rules.vc" |
︙ |