This is an updated version of the TCL TLS package.
The trunk branch contains all of the planned changed for the v1.8 release. The crypto branch is the start of a cryptography package using OpenSSL. This is planned for v1.9. I only test with MS Windows and Linux using TCL 8.6 and TCL 9.0. So these should work. Since I only use OpenSSL, I likely broke compatibility with LibreSSL and others.
Status of planned changes:
TLS 1.8 (done)
- Added more certificate and connection status
- Add missing TLS 1.3 functionality, Cipher suites, etc.
- Error handing improvements, more connect status via callbacks
- Fixed OpenSSL 3.0 unexpected EOF issue
- Fixed build system to be TEA compliant, restructured repo, and fixed missing TCL Config files
- Added TCL 9.0 support
- OpenSSL 3 compatibility updates
- Replaced set DH build args and file with auto select
- When -require 1 is used, will auto validate server certificate
- Fixed IO test cases [open]
- Fixed many open tickets on sourceforge and core.tcl.tk sites
TLS 1.9 (in work)
- Cryptography functions: digest/hash, MACs, Key Derivation Functions, random, and symmetric encryption [done]
- Cryptography functions: Asymmetric encryption, AEAD
- Key functions: key gen (rsa, dsa, ec), key info, sign file, verify file
- Certificate functions: x509 info, x509 create, CSR
- Server functions
- Session resumption
- Restore LibreSSL compatibility
- OpenSSL 3.2 changes: security level from 1 to 2; new ciphers Ed25519ctx, Ed25519ph, Ed448ph, deterministic ECDSA, and Brainpool Standard Curves; etc.
TLS 2.0 - breaking changes (future work)
- Disable TLS 1 and 1.1 by default
- Remove SSL 2 and 3? code
- OpenSSL 3.0 API updates
- OpenSSL 3.2 and Windows system certificate store as a source of trusted root certificates
- Use -require 1 as default
- UDP, DTLS, HTTP 3 support
- OpenSSL 3.2 and QUIC for clients