Overview
Comment: | Added new option -ciphersuites to set ciphers suites for TLS 1.3. Addresses defect: https://core.tcl-lang.org/tcltls/tktview/d0518a5645 |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | status_x509 |
Files: | files | file ages | folders |
SHA3-256: |
cd11c125e83b2546b45a8ae7fac1dd3a |
User & Date: | bohagan on 2023-05-24 02:40:35 |
Other Links: | branch diff | manifest | tags |
Context
2023-05-24
| ||
23:26 | Fixed test cases to run under Windows and added TLS 1.3 support check-in: 69314245a1 user: bohagan tags: status_x509 | |
02:40 | Added new option -ciphersuites to set ciphers suites for TLS 1.3. Addresses defect: https://core.tcl-lang.org/tcltls/tktview/d0518a5645 check-in: cd11c125e8 user: bohagan tags: status_x509 | |
01:18 | Updated ciphers command to use current APIs and added an option to return only ciphers as would be sent in ClientHello. Updated test suite to use OpenSSL executable to get ciphers comparison data. Added more test cases. Addresses defects: https://core.tcl-lang.org/tcltls/tktview/688788a45c and https://sourceforge.net/p/tls/bugs/36/ check-in: 05b2dd47be user: bohagan tags: status_x509 | |
Changes
Modified doc/tls.html
from [d2eae2e68e]
to [4d412f0a7a].
︙ | |||
142 143 144 145 146 147 148 149 150 151 152 153 154 155 | 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 | + + + | using the <b>+</b> character. Prefixes can be used to permanently remove ("!"), delete ("-"), or move a cypher to the end of the list ("+"). Keywords <b>@STRENGTH</b> (sort by algorithm key length), <b>@SECLEVEL=</b><i>n</i> (set security level to n), and <b>DEFAULT</b> (use default cipher list, at start only) can also be specified. See OpenSSL documentation for the full list of valid values. (TLS 1.2 and earlier only)</dd> <dt><strong>-ciphersuites</strong> <em>string</em></dt> <dd>List of cipher suites to use. String is a colon (":") separated list of cipher suite names. (TLS 1.3 only)</dd> <dt><strong>-command</strong> <em>callback</em></dt> <dd>Callback to invoke at several points during the handshake. This is used to pass errors and tracing information, and it can allow Tcl scripts to perform their own certificate validation in place of the default validation provided by OpenSSL. See <a href="#CALLBACK OPTIONS">CALLBACK OPTIONS</a> for further discussion.</dd> |
︙ |
Modified generic/tls.c
from [f33536e873]
to [57a6f16cff].
︙ | |||
40 41 42 43 44 45 46 | 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 | - + | (((key) == NULL) ? (char *) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) #define REASON() ERR_reason_error_string(ERR_get_error()) static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1, int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile, |
︙ | |||
791 792 793 794 795 796 797 798 799 800 801 802 803 804 | 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 | + | char *keyfile = NULL; char *certfile = NULL; unsigned char *key = NULL; int key_len = 0; unsigned char *cert = NULL; int cert_len = 0; char *ciphers = NULL; char *ciphersuites = NULL; char *CAfile = NULL; char *CAdir = NULL; char *DHparams = NULL; char *model = NULL; #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; /* hostname for Server Name Indication */ Tcl_Obj *alpn = NULL; |
︙ | |||
850 851 852 853 854 855 856 857 858 859 860 861 862 863 | 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 | + | if (opt[0] != '-') break; OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile); OPTSTR("-certfile", certfile); OPTSTR("-cipher", ciphers); OPTSTR("-ciphersuites", ciphersuites); OPTOBJ("-command", script); OPTSTR("-dhparams", DHparams); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-require", require); OPTBOOL("-request", request); |
︙ | |||
872 873 874 875 876 877 878 | 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 | - + + | OPTBOOL("-tls1", tls1); OPTBOOL("-tls1.1", tls1_1); OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTBYTE("-cert", cert, cert_len); OPTBYTE("-key", key, key_len); |
︙ | |||
946 947 948 949 950 951 952 | 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 | - + | "\": not a TLS channel", NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; } else { if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, |
︙ | |||
1142 1143 1144 1145 1146 1147 1148 | 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 | - + - + | * constructs SSL context (CTX) * *------------------------------------------------------------------- */ static SSL_CTX * CTX_Init(State *statePtr, int isServer, int proto, char *keyfile, char *certfile, unsigned char *key, unsigned char *cert, int key_len, int cert_len, char *CAdir, |
︙ | |||
1197 1198 1199 1200 1201 1202 1203 | 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 | - + | if (ENABLED(proto, TLS_PROTO_TLS1_3)) { Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL); return (SSL_CTX *)0; } #endif switch (proto) { |
︙ | |||
1289 1290 1291 1292 1293 1294 1295 | 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 | - - + + + + + + + | SSL_CTX_set_options(ctx, SSL_OP_ALL); /* all SSL bug workarounds */ SSL_CTX_set_options(ctx, off); /* disable protocol versions */ #if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background */ #endif SSL_CTX_sess_set_cache_size(ctx, 128); |
︙ |
Modified library/tls.tcl
from [3524eca483]
to [cf23128cc4].
︙ | |||
33 34 35 36 37 38 39 40 41 42 43 44 45 46 | 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | + | {0 -myport sopts 1} {* -type sopts 1} {* -cadir iopts 1} {* -cafile iopts 1} {* -cert iopts 1} {* -certfile iopts 1} {* -cipher iopts 1} {* -ciphersuites iopts 1} {* -command iopts 1} {* -dhparams iopts 1} {* -key iopts 1} {* -keyfile iopts 1} {* -password iopts 1} {* -request iopts 1} {* -require iopts 1} |
︙ |