Announcement of TclTLS 2.0b1 release

This is the beta 1 release of the TclTLS v2.0 package. There have been numerous changes since the v1.7 release. See below for links to the files and the release notes.

TclTLS 2.0 Release Notes:

Notable New Features:

- Fully TEA compliant build system has been added back. Supports Windows, Linux, Mac, BSD, etc.
- Compatible with OpenSSL 3.0+ and TCL 9.0, including the build-info command.
- Can use the MS Windows Cert Store on OpenSSL 3.2 or later.
- Greatly expanded the status returned by the tls::status command and also added the new tls::connection command. The former returns SSL and certificate status while the latter returns the SSL status, cipher, and session info.
- Added missing TLS 1.3 functionality: set cipher suites, ALPN, SNI, security level, etc.
- Error handling improvements, more specific error status, more connection status via callbacks.
- Replaced the separate Diffie-Hellman (DH) header file build process with auto select.
- Added the new tls::protocols command to list available SSL and TLS protocols.
- Can now load CA certificates, key files, etc. from virtual file systems (VFS).

Documentation Updates:

- Documentation was extensively updated and converted to man page and HTML format.
- Added more examples to the documentation and an examples directory.
- Expanded the documentation and added a Certificate Validation section with info on how PKI and certificates work and the related TclTLS args.
- Extensive code documentation updates.

Notable Bug Fixes: (Some of these issues have been around for 15-20 years.)

- Many bugs, patches, etc. submitted to sourceforge.net and core.tcl.tk have been fixed or implemented.
- Unexpected EOF: Added a fix to correct an OpenSSL issue where some sessions can result in an unexpected EOF.
- Empty reads: These have been eliminated to the extent possible, but may still occur. See the demos for how to handle this.
- Stalling connections: These have been fixed to the extent possible with a more robust event checking process.
- Manual certificate validation is no longer needed. OpenSSL will do this for you if -require 1 is specified. You can see the results via the -validatecommand callback and in tls::status verifyResult.
- Will only call bgerror if the -command, -password, or -validatecommand callbacks throw an error.
- Will send a proper close_notify message to the peer on channel closure.

See the documentation for a complete list of changes.

Potential Compatibility Issues:

Option default changes:

- The -autoservername option defaults to true if -servername is not specified.
- The -castore option defaults to "org.openssl.winstore://" on MS Windows with OpenSSL 3.2+.
- The -request option defaults to true.
- The -require option defaults to true. This may be an issue if CA certificates are not available.
- The -servername option defaults to the host value, so -autoservername is no longer required.
- The -ssl2 option is no longer supported by OpenSSL 1.1+.
- The -ssl3 option doesn't have any effect by default. Use the --enable-ssl3 compile time option to enable SSL3 first.
- The -tls1 and -tls1.1 options default to false.
- The -tls1.2 and -tls1.3 options default to true.

Callback changes:

- Only status/error messages use the -command handler now. There are several new types, and the 'verify' type was moved to -validatecommand.
- Validation of certificates, client values, etc. uses the new -validatecommand handler.
- Password inputs use the -password handler, but it now passes 3 arguments.

See the documentation for all compatibility changes.

Open Issues:

- May not be compatible with LibreSSL anymore.
- Warnings for deprecated OpenSSL API usage. Will be fixed in a future release.

How to use this release:

package prefer latest
package require tls 2.0b1

See the documentation "Examples" section for more details.
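The following is an added example, not code from the announcement or from the TclTLS project, showing how a client script fits the 2.0 option defaults and the split callbacks described above (-require on by default, validation events on -validatecommand, status/error events on -command, the three-argument -password handler). The host, port and CA file path are placeholders, and the argument layout of each callback event is my assumption from the 2.0 documentation, not something the announcement states.

```tcl
# Added example (not part of the TclTLS announcement or project code).
# Host, port and CA bundle path below are placeholders.
package prefer latest
package require tls 2.0b1

# -validatecommand receives validation events. For the "verify" event the
# arguments are assumed to be: channel depth cert status error, where status
# is OpenSSL's verdict (1 = accepted, 0 = rejected) for that chain element.
proc validate {type args} {
    switch -- $type {
        verify {
            lassign $args chan depth cert status error
            if {!$status} {
                puts stderr "certificate at depth $depth rejected: $error"
            }
            # Return OpenSSL's verdict unchanged; chain checking stays with
            # OpenSSL (-require 1). Returning 0 here would reject explicitly.
            return $status
        }
        default {
            # alpn / hello / sni events: accept.
            return 1
        }
    }
}

# -command now carries only status and error events. The "error" event is
# assumed to arrive as: channel message.
proc status {type args} {
    if {$type eq "error"} {
        lassign $args chan msg
        puts stderr "TLS error on $chan: $msg"
    }
}

# -password is only needed with an encrypted -keyfile for client
# authentication (pass -password password with -certfile/-keyfile).
# 2.0 passes three arguments, assumed here to be: password rwflag size.
# Reading the passphrase from the environment keeps it out of the script.
proc password {type rwflag size} {
    return $::env(TLS_KEY_PASSPHRASE)
}

puts "available protocols: [tls::protocols]"

# -require 1 and -servername are already the 2.0 defaults; they are spelled
# out so the intent survives if the script is run against an older release.
set chan [tls::socket \
    -cafile /PLACEHOLDER/path/to/ca-bundle.pem \
    -require 1 \
    -servername example.invalid \
    -validatecommand validate \
    -command status \
    example.invalid 443]

# Drive the handshake now so a verification failure surfaces here rather
# than on the first read or write.
tls::handshake $chan

# tls::status includes the verification outcome; inspect it before trusting
# anything read from the channel.
set st [tls::status $chan]
puts "verify result: [dict get $st verifyResult]"

close $chan
```

With the 2.0 defaults a missing or unreadable CA bundle makes the handshake fail instead of silently skipping verification, which is the compatibility issue the -require note above warns about; the validate callback logs which depth failed and why, without overriding OpenSSL's decision.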