diff -Nru tcltls-1.6.4+dfsg/ChangeLog tcltls-1.6.7+dfsg/ChangeLog --- tcltls-1.6.4+dfsg/ChangeLog 2015-02-26 17:36:30.000000000 +0000 +++ tcltls-1.6.7+dfsg/ChangeLog 2015-05-01 18:44:34.000000000 +0000 @@ -1,3 +1,11 @@ +2015-05-01 Andreas Kupries + + * configure.in: Bump to version 1.6.5. + * win/makefile.vc: + * configure: regen with ac-2.59 + * tls.c: Accepted SF TLS [bug/patch #57](https://sourceforge.net/p/tls/bugs/57/). + * tlsIO.c: Accepted core Tcl patch in [ticket](http://core.tcl.tk/tcl/tktview/0f94f855cafed92d0e174b7d835453a02831b4dd). + 2014-12-05 Andreas Kupries * configure.in: Bump to version 1.6.4. diff -Nru tcltls-1.6.4+dfsg/configure tcltls-1.6.7+dfsg/configure --- tcltls-1.6.4+dfsg/configure 2014-12-08 19:10:28.000000000 +0000 +++ tcltls-1.6.7+dfsg/configure 2015-07-07 17:16:02.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for tls 1.6.4. +# Generated by GNU Autoconf 2.59 for tls 1.6.7. # # Copyright (C) 2003 Free Software Foundation, Inc. # This configure script is free software; the Free Software Foundation @@ -267,8 +267,8 @@ # Identity of this package. PACKAGE_NAME='tls' PACKAGE_TARNAME='tls' -PACKAGE_VERSION='1.6.4' -PACKAGE_STRING='tls 1.6.4' +PACKAGE_VERSION='1.6.7' +PACKAGE_STRING='tls 1.6.7' PACKAGE_BUGREPORT='' # Factoring default headers for most tests. @@ -777,7 +777,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tls 1.6.4 to adapt to many kinds of systems. +\`configure' configures tls 1.6.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -834,7 +834,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tls 1.6.4:";; + short | recursive ) echo "Configuration of tls 1.6.7:";; esac cat <<\_ACEOF @@ -970,7 +970,7 @@ test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -tls configure 1.6.4 +tls configure 1.6.7 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. @@ -984,7 +984,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tls $as_me 1.6.4, which was +It was created by tls $as_me 1.6.7, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ @@ -10811,7 +10811,7 @@ } >&5 cat >&5 <<_CSEOF -This file was extended by tls $as_me 1.6.4, which was +This file was extended by tls $as_me 1.6.7, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -10866,7 +10866,7 @@ cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -tls config.status 1.6.4 +tls config.status 1.6.7 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" diff -Nru tcltls-1.6.4+dfsg/configure.in tcltls-1.6.7+dfsg/configure.in --- tcltls-1.6.4+dfsg/configure.in 2014-12-08 19:10:28.000000000 +0000 +++ tcltls-1.6.7+dfsg/configure.in 2015-07-07 17:16:02.000000000 +0000 @@ -11,14 +11,14 @@ dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # -# RCS: @(#) $Id: configure.in,v 1.28 2014/12/08 19:09:06 andreas_kupries Exp $ +# RCS: @(#) $Id: configure.in,v 1.31 2015/07/07 17:16:02 andreas_kupries Exp $ #-------------------------------------------------------------------- # macro used to verify that the configure script can find the sources #-------------------------------------------------------------------- -AC_INIT([tls], [1.6.4]) +AC_INIT([tls], [1.6.7]) TEA_INIT([3.8]) diff -Nru tcltls-1.6.4+dfsg/debian/changelog tcltls-1.6.7+dfsg/debian/changelog --- tcltls-1.6.4+dfsg/debian/changelog 2015-06-19 13:23:51.000000000 +0000 +++ tcltls-1.6.7+dfsg/debian/changelog 2015-12-26 18:20:04.000000000 +0000 @@ -1,3 +1,11 @@ +tcltls (1.6.7+dfsg-1) unstable; urgency=low + + * New upstream release. + * The debhelper version was changed to >= 9. + * Package now is built using hardening options. + + -- Muammar El Khatib Sat, 26 Dec 2015 19:19:49 +0100 + tcltls (1.6.4+dfsg-1) unstable; urgency=medium * New upstream release. diff -Nru tcltls-1.6.4+dfsg/debian/compat tcltls-1.6.7+dfsg/debian/compat --- tcltls-1.6.4+dfsg/debian/compat 2011-08-09 15:03:23.000000000 +0000 +++ tcltls-1.6.7+dfsg/debian/compat 2015-12-26 18:05:15.000000000 +0000 @@ -1 +1 @@ -7 +9 diff -Nru tcltls-1.6.4+dfsg/debian/control tcltls-1.6.7+dfsg/debian/control --- tcltls-1.6.4+dfsg/debian/control 2015-06-19 13:17:29.000000000 +0000 +++ tcltls-1.6.7+dfsg/debian/control 2015-12-26 18:05:10.000000000 +0000 @@ -2,7 +2,7 @@ Section: libs Priority: optional Maintainer: Muammar El Khatib -Build-Depends: debhelper (>= 7), libssl-dev, tcl-dev (>= 8.5), quilt, chrpath +Build-Depends: debhelper (>= 9), libssl-dev, tcl-dev (>= 8.5), quilt, chrpath Standards-Version: 3.9.6 Homepage: http://tls.sourceforge.net diff -Nru tcltls-1.6.4+dfsg/debian/rules tcltls-1.6.7+dfsg/debian/rules --- tcltls-1.6.4+dfsg/debian/rules 2015-06-19 13:12:56.000000000 +0000 +++ tcltls-1.6.7+dfsg/debian/rules 2015-12-26 18:18:19.000000000 +0000 @@ -5,13 +5,15 @@ # Uncomment this to turn on verbose mode. +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk # These are used for cross-compiling and for saving the configure script # from having to guess our platform (since we know it already) DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) - ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) CFLAGS += -O0 else @@ -67,8 +69,8 @@ # install -D -m 0644 debian/tcl-tls.override \ $(CURDIR)/debian/tcl-tls/usr/share/lintian/overrides/tcl-tls # Removing rpath - chrpath -d $(CURDIR)/debian/tmp/usr/lib/tls1.6.4/libtls1.6.4.so - sed -i -e '/tls::initlib/s!\$$dir!/usr/lib!' $(CURDIR)/debian/tmp/usr/lib/tls1.6.4/pkgIndex.tcl + chrpath -d $(CURDIR)/debian/tmp/usr/lib/tls1.6.7/libtls1.6.7.so + sed -i -e '/tls::initlib/s!\$$dir!/usr/lib!' $(CURDIR)/debian/tmp/usr/lib/tls1.6.7/pkgIndex.tcl dh_install # Build architecture-independent files here. @@ -82,7 +84,7 @@ dh_installdocs tls.htm dh_installexamples tests/* dh_installman - dh_link usr/lib/libtls1.6.4.so usr/lib/libtls.so.0 + dh_link usr/lib/libtls1.6.7.so usr/lib/libtls.so.0 dh_strip dh_compress dh_fixperms diff -Nru tcltls-1.6.4+dfsg/debian/tcl-tls.dirs tcltls-1.6.7+dfsg/debian/tcl-tls.dirs --- tcltls-1.6.4+dfsg/debian/tcl-tls.dirs 2015-06-19 13:17:18.000000000 +0000 +++ tcltls-1.6.7+dfsg/debian/tcl-tls.dirs 2015-12-26 18:02:05.000000000 +0000 @@ -1,3 +1,3 @@ -usr/share/tcltk/tls1.6.4 +usr/share/tcltk/tls1.6.7 usr/include usr/lib diff -Nru tcltls-1.6.4+dfsg/debian/tcl-tls.install tcltls-1.6.7+dfsg/debian/tcl-tls.install --- tcltls-1.6.4+dfsg/debian/tcl-tls.install 2015-06-19 13:14:02.000000000 +0000 +++ tcltls-1.6.7+dfsg/debian/tcl-tls.install 2015-12-26 18:02:14.000000000 +0000 @@ -1,3 +1,3 @@ debian/tmp/usr/include/tls.h usr/include/ -debian/tmp/usr/lib/tls1.6.4/*.tcl usr/share/tcltk/tls1.6.4/ -debian/tmp/usr/lib/tls1.6.4/libtls1.6.4.so usr/lib/ +debian/tmp/usr/lib/tls1.6.7/*.tcl usr/share/tcltk/tls1.6.7/ +debian/tmp/usr/lib/tls1.6.7/libtls1.6.7.so usr/lib/ diff -Nru tcltls-1.6.4+dfsg/tests/tlsIO.test tcltls-1.6.7+dfsg/tests/tlsIO.test --- tcltls-1.6.4+dfsg/tests/tlsIO.test 2014-12-05 22:58:12.000000000 +0000 +++ tcltls-1.6.7+dfsg/tests/tlsIO.test 2015-06-06 09:07:08.000000000 +0000 @@ -10,7 +10,7 @@ # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # -# RCS: @(#) $Id: tlsIO.test,v 1.23 2008/03/19 22:06:13 hobbs2 Exp $ +# RCS: @(#) $Id: tlsIO.test,v 1.24 2015/06/06 09:07:08 apnadkarni Exp $ # Running socket tests with a remote server: # ------------------------------------------ @@ -2028,6 +2028,38 @@ [catch {close $s} err] $err } {{} 0 {} 0 {}} +test tls-bug58-1.0 {test protocol negotiation failure} {socket} { + # Following code is based on what was reported in bug #58. Prior + # to fix the program would crash with a segfault. + proc Accept {sock args} { + fconfigure $sock -blocking 0; + fileevent $sock readable [list Handshake $sock] + } + proc Handshake {sock} { + set ::done HAND + catch {tls::handshake $sock} msg + set ::done $msg + } + # NOTE: when doing an in-process client/server test, both sides need + # to be non-blocking for the TLS handshake + + # Server - Only accept TLS 1 or higher + set s [tls::socket \ + -certfile $serverCert -cafile $caCert -keyfile $serverKey \ + -request 0 -require 0 -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1 \ + -server Accept 8831] + # Client - Only propose SSL3 + set c [tls::socket -async \ + -cafile $caCert \ + -request 0 -require 0 -ssl2 0 -ssl3 1 -tls1 0 -tls1.1 0 -tls1.2 0 \ + [info hostname] 8831] + fconfigure $c -blocking 0 + puts $c a ; flush $c + after 5000 [list set ::done timeout] + vwait ::done + set ::done +} {handshake failed: wrong version number} + # cleanup if {[string match sock* $commandSocket] == 1} { puts $commandSocket exit diff -Nru tcltls-1.6.4+dfsg/tls.c tcltls-1.6.7+dfsg/tls.c --- tcltls-1.6.4+dfsg/tls.c 2014-12-08 19:10:28.000000000 +0000 +++ tcltls-1.6.7+dfsg/tls.c 2015-07-07 17:16:02.000000000 +0000 @@ -5,7 +5,7 @@ * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * - * $Header: /cvsroot/tls/tls/tls.c,v 1.35 2014/12/08 19:09:06 andreas_kupries Exp $ + * $Header: /cvsroot/tls/tls/tls.c,v 1.37 2015/07/07 17:16:02 andreas_kupries Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) @@ -64,7 +64,8 @@ Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[])); static SSL_CTX *CTX_Init _ANSI_ARGS_((State *statePtr, int proto, char *key, - char *cert, char *CAdir, char *CAfile, char *ciphers)); + char *cert, char *CAdir, char *CAfile, char *ciphers, + char *DHparams)); static int TlsLibInit _ANSI_ARGS_ (()) ; @@ -79,29 +80,46 @@ * Static data structures */ -#ifndef NO_DH -/* from openssl/apps/s_server.c */ +#ifndef OPENSSL_NO_DH +/* code derived from output of 'openssl dhparam -C 2048' */ -static unsigned char dh512_p[]={ - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, +static unsigned char dh2048_p[]={ + 0xEC,0xFD,0x6F,0x66,0xD8,0xBC,0xB4,0xCB,0xD7,0xE7,0xB4,0xAE, + 0xEC,0xC0,0x06,0x25,0x40,0x9F,0x3F,0xC4,0xAC,0x34,0x19,0x36, + 0x8A,0xAB,0xA9,0xF6,0x45,0x36,0x87,0x1F,0x10,0x35,0x3F,0x90, + 0x00,0xC6,0x7A,0xE8,0x51,0xF4,0x7F,0x50,0x0F,0xC2,0x82,0x91, + 0xAD,0x60,0x1B,0x49,0xB1,0x0B,0x23,0xC3,0x37,0xAE,0x0D,0x2C, + 0x49,0xC6,0xFB,0x60,0x9D,0x50,0x2F,0x8C,0x2F,0xDE,0xE6,0x5F, + 0x53,0x8B,0x5F,0xF9,0x70,0x16,0xEE,0x51,0xD1,0xAB,0x02,0x48, + 0x61,0xF1,0xA0,0xD7,0xBD,0x04,0x24,0xF0,0xE4,0xD1,0x0A,0x4C, + 0x28,0xDC,0x22,0x78,0x7C,0xED,0x2A,0xFA,0xF4,0x57,0x7C,0xAE, + 0xDF,0x52,0xC6,0xA2,0x11,0x28,0xC5,0x3B,0xB8,0x2F,0x95,0x3F, + 0x1E,0x05,0x66,0xFE,0x7D,0x1A,0x73,0xA0,0x45,0xF8,0xBB,0x8C, + 0x64,0xB9,0xA9,0x4D,0x23,0xBE,0x20,0x60,0xA2,0xF7,0xC7,0xD8, + 0xD8,0x49,0x28,0x9A,0x81,0xAC,0xF9,0x7F,0x3C,0xFC,0xBE,0x25, + 0x5B,0x1D,0xB6,0xAB,0x08,0x06,0x11,0x8D,0x94,0x69,0x3C,0x68, + 0x98,0x5A,0x90,0xF8,0xEB,0x19,0xCA,0x9F,0x1C,0x50,0x96,0x53, + 0xEF,0xEC,0x1B,0x93,0x4F,0x53,0xB7,0xD9,0x04,0x8E,0x48,0x99, + 0x6E,0x24,0xFF,0x66,0xF5,0xB0,0xDF,0x00,0xBA,0x22,0xE2,0xB6, + 0xE3,0x3A,0xC2,0x95,0xB1,0x14,0x68,0xFB,0xA5,0x37,0x22,0x78, + 0x56,0x5C,0xA4,0x23,0x31,0x02,0x97,0x7D,0xA9,0x84,0x0B,0x12, + 0x26,0x58,0x2F,0x86,0x10,0xAD,0xB0,0xAB,0xB9,0x7B,0x05,0x9A, + 0xDE,0x11,0xF1,0xE7,0x34,0xC7,0x95,0x42,0x1C,0x4F,0xA9,0xA8, + 0x92,0xDF,0x3F,0x7B, }; -static unsigned char dh512_g[]={ +static unsigned char dh2048_g[]={ 0x02, }; -static DH *get_dh512() + +static DH *get_dh2048() { DH *dh=NULL; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); + dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); + dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); if ((dh->p == NULL) || (dh->g == NULL)) return(NULL); @@ -731,6 +749,7 @@ char *ciphers = NULL; char *CAfile = NULL; char *CAdir = NULL; + char *DHparams = NULL; char *model = NULL; #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; /* hostname for Server Name Indication */ @@ -778,6 +797,7 @@ OPTSTR( "-certfile", cert); OPTSTR( "-cipher", ciphers); OPTOBJ( "-command", script); + OPTSTR( "-dhparams", DHparams); OPTSTR( "-keyfile", key); OPTSTR( "-model", model); OPTOBJ( "-password", password); @@ -794,7 +814,7 @@ OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); - OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); + OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); return TCL_ERROR; } @@ -809,11 +829,12 @@ proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); /* reset to NULL if blank string provided */ - if (cert && !*cert) cert = NULL; - if (key && !*key) key = NULL; - if (ciphers && !*ciphers) ciphers = NULL; - if (CAfile && !*CAfile) CAfile = NULL; - if (CAdir && !*CAdir) CAdir = NULL; + if (cert && !*cert) cert = NULL; + if (key && !*key) key = NULL; + if (ciphers && !*ciphers) ciphers = NULL; + if (CAfile && !*CAfile) CAfile = NULL; + if (CAdir && !*CAdir) CAdir = NULL; + if (DHparams && !*DHparams) DHparams = NULL; /* new SSL state */ statePtr = (State *) ckalloc((unsigned) sizeof(State)); @@ -864,8 +885,8 @@ } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; } else { - if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers)) - == (SSL_CTX*)0) { + if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, + DHparams)) == (SSL_CTX*)0) { Tls_Free((char *) statePtr); return TCL_ERROR; } @@ -1025,7 +1046,7 @@ */ static SSL_CTX * -CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers) +CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, DHparams) State *statePtr; int proto; char *key; @@ -1033,6 +1054,7 @@ char *CAdir; char *CAfile; char *ciphers; + char *DHparams; { Tcl_Interp *interp = statePtr->interp; SSL_CTX *ctx = NULL; @@ -1123,7 +1145,7 @@ #endif break; } - + ctx = SSL_CTX_new (method); SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */ @@ -1141,9 +1163,41 @@ SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr); #endif -#ifndef NO_DH + /* read a Diffie-Hellman parameters file, or use the built-in one */ +#ifdef OPENSSL_NO_DH + if (DHparams != NULL) { + Tcl_AppendResult(interp, + "DH parameter support not available", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } +#else { - DH* dh = get_dh512(); + DH* dh; + if (DHparams != NULL) { + BIO *bio; + Tcl_DStringInit(&ds); + bio = BIO_new_file(F2N(DHparams, &ds), "r"); + if (!bio) { + Tcl_DStringFree(&ds); + Tcl_AppendResult(interp, + "Could not find DH parameters file", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + + dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + BIO_free(bio); + Tcl_DStringFree(&ds); + if (!dh) { + Tcl_AppendResult(interp, + "Could not read DH parameters from file", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } else { + dh = get_dh2048(); + } SSL_CTX_set_tmp_dh(ctx, dh); DH_free(dh); } @@ -1217,7 +1271,14 @@ return (SSL_CTX *)0; #endif } - SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( F2N(CAfile, &ds) )); + + /* https://sourceforge.net/p/tls/bugs/57/ */ + if ( CAfile != NULL ) { + STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) ); + if ( certNames != NULL ) { + SSL_CTX_set_client_CA_list(ctx, certNames ); + } + } Tcl_DStringFree(&ds); Tcl_DStringFree(&ds1); diff -Nru tcltls-1.6.4+dfsg/tls.htm tcltls-1.6.7+dfsg/tls.htm --- tcltls-1.6.4+dfsg/tls.htm 2014-12-08 19:10:28.000000000 +0000 +++ tcltls-1.6.7+dfsg/tls.htm 2015-07-07 17:16:03.000000000 +0000 @@ -19,8 +19,8 @@
SYNOPSIS
-
package require Tcl ?8.2?
-
package require tls ?1.5?
+
package require Tcl ?8.4?
+
package require tls ?1.6?
 
tls::init ?options?
tls::socket ?options? host port
@@ -50,7 +50,7 @@

SYNOPSIS

-

package require Tcl 8.2
+

package require Tcl 8.4
package require tls 1.6

tls::init ?options?
@@ -75,11 +75,8 @@ API for Tcl 8.2 and higher. The sockets behave exactly the same as channels created using Tcl's built-in socket command with additional options for controlling the SSL session. -To use TLS with an earlier version of Tcl than 8.2, please obtain -TLS 1.3. Please note that there are known limitations with the -stacked channel implementation prior to 8.3.2, so it is recommended -that TLS is used with an 8.3.2+ interpreter. The current version -of TLS will work with Tcl 8.2+, it is just more stable with 8.3.2+. +To use TLS with an earlier version of Tcl than 8.4, please obtain +TLS 1.3.

COMMANDS

@@ -174,6 +171,8 @@
See CALLBACK OPTIONS for further discussion.
+
-dhparams filename
+
Provide a Diffie-Hellman parameters file.
-keyfile filename
Provide the private key file. (default: value of -certfile)
@@ -391,10 +390,7 @@

HTTPS EXAMPLE

-

This example requires a patch to the http -module that ships with Tcl - this patch has been submitted for -inclusion in Tcl 8.2.1, but is also provided in the tls directory -if needed. A sample server.pem is provided with the TLS release, +

This example uses a sample server.pem provided with the TLS release, courtesy of the OpenSSL project.


diff -Nru tcltls-1.6.4+dfsg/tlsInt.h tcltls-1.6.7+dfsg/tlsInt.h
--- tcltls-1.6.4+dfsg/tlsInt.h	2014-12-08 19:10:28.000000000 +0000
+++ tcltls-1.6.7+dfsg/tlsInt.h	2015-06-06 09:07:08.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 1997-2000 Matt Newman 
  *
- * $Header: /cvsroot/tls/tls/tlsInt.h,v 1.16 2014/12/08 19:09:06 andreas_kupries Exp $
+ * $Header: /cvsroot/tls/tls/tlsInt.h,v 1.17 2015/06/06 09:07:08 apnadkarni Exp $
  *
  * TLS (aka SSL) Channel - can be layered on any bi-directional
  * Tcl_Channel (Note: Requires Trf Core Patch)
@@ -100,6 +100,9 @@
 #define TLS_TCL_DEBUG	(1<<3)	/* Show debug tracing */
 #define TLS_TCL_CALLBACK	(1<<4)	/* In a callback, prevent update
 					 * looping problem. [Bug 1652380] */
+#define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once
+                                         * set, all further I/O will result
+                                         * in ECONNABORTED errors. */
 
 #define TLS_TCL_DELAY (5)
 
diff -Nru tcltls-1.6.4+dfsg/tlsIO.c tcltls-1.6.7+dfsg/tlsIO.c
--- tcltls-1.6.4+dfsg/tlsIO.c	2014-12-08 19:10:28.000000000 +0000
+++ tcltls-1.6.7+dfsg/tlsIO.c	2015-06-06 09:07:08.000000000 +0000
@@ -2,7 +2,7 @@
  * Copyright (C) 1997-2000 Matt Newman 
  * Copyright (C) 2000 Ajuba Solutions
  *
- * $Header: /cvsroot/tls/tls/tlsIO.c,v 1.17 2014/12/08 19:09:06 andreas_kupries Exp $
+ * $Header: /cvsroot/tls/tls/tlsIO.c,v 1.19 2015/06/06 09:07:08 apnadkarni Exp $
  *
  * TLS (aka SSL) Channel - can be layered on any bi-directional
  * Tcl_Channel (Note: Requires Trf Core Patch)
@@ -345,6 +345,11 @@
     if (!SSL_is_init_finished(statePtr->ssl)) {
 	bytesRead = Tls_WaitForConnect(statePtr, errorCodePtr);
 	if (bytesRead <= 0) {
+	    if (*errorCodePtr == ECONNRESET) {
+		/* Soft EOF */
+		*errorCodePtr = 0;
+		bytesRead = 0;
+	    }
 	    goto input;
 	}
     }
@@ -884,6 +889,20 @@
 
     dprintf(stderr,"\nWaitForConnect(0x%x)", (unsigned int) statePtr);
 
+    if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
+        /*
+         * We choose ECONNRESET over ECONNABORTED here because some server
+         * side code, on the wiki for example, sets up a read handler that
+         * does a read and if eof closes the channel. There is no catch/try
+         * around the reads so exceptions will result in potentially many
+         * dangling channels hanging around that should have been closed.
+         * (Backgroun: ECONNABORTED maps to a Tcl exception and 
+         * ECONNRESET maps to graceful EOF).
+         */
+        *errorCodePtr = ECONNRESET;
+        return -1;
+    }
+
     for (;;) {
 	/* Not initialized yet! */
 	if (statePtr->flags & TLS_TCL_SERVER) {
@@ -902,6 +921,7 @@
 	    if (rc == SSL_ERROR_SSL) {
 		Tls_Error(statePtr,
 			(char *)ERR_reason_error_string(ERR_get_error()));
+                statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
 		*errorCodePtr = ECONNABORTED;
 		return -1;
 	    } else if (BIO_should_retry(statePtr->bio)) {
@@ -913,9 +933,6 @@
 		    continue;
 		}
 	    } else if (err == 0) {
-		if (Tcl_Eof(statePtr->self)) {
-		    return 0;
-		}
 		dprintf(stderr,"CR! ");
 		*errorCodePtr = ECONNRESET;
 		return -1;
@@ -925,6 +942,7 @@
 		if (err != X509_V_OK) {
 		    Tls_Error(statePtr,
 			    (char *)X509_verify_cert_error_string(err));
+                    statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
 		    *errorCodePtr = ECONNABORTED;
 		    return -1;
 		}
diff -Nru tcltls-1.6.4+dfsg/tls.tcl tcltls-1.6.7+dfsg/tls.tcl
--- tcltls-1.6.4+dfsg/tls.tcl	2014-12-08 19:10:28.000000000 +0000
+++ tcltls-1.6.7+dfsg/tls.tcl	2015-07-07 17:16:03.000000000 +0000
@@ -1,7 +1,7 @@
 #
 # Copyright (C) 1997-2000 Matt Newman  
 #
-# $Header: /cvsroot/tls/tls/tls.tcl,v 1.13 2014/12/08 19:09:06 andreas_kupries Exp $
+# $Header: /cvsroot/tls/tls/tls.tcl,v 1.14 2015/07/07 17:16:03 andreas_kupries Exp $
 #
 namespace eval tls {
     variable logcmd tclLog
@@ -71,12 +71,12 @@
 	set args [lreplace $args $idx [expr {$idx+1}]]
 
 	set usage "wrong # args: should be \"tls::socket -server command ?options? port\""
-	set options "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"
+	set options "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -myaddr, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"
     } else {
 	set server 0
 
 	set usage "wrong # args: should be \"tls::socket ?options? host port\""
-	set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -myport, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"
+	set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -myaddr, -myport, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"
     }
     set argc [llength $args]
     set sopts {}
@@ -94,6 +94,7 @@
 	    *,-certfile	-
 	    *,-cipher	-
 	    *,-command	-
+	    *,-dhparams -
 	    *,-keyfile	-
 	    *,-password	-
 	    *,-request	-
diff -Nru tcltls-1.6.4+dfsg/win/makefile.vc tcltls-1.6.7+dfsg/win/makefile.vc
--- tcltls-1.6.4+dfsg/win/makefile.vc	2014-12-08 19:10:28.000000000 +0000
+++ tcltls-1.6.7+dfsg/win/makefile.vc	2015-06-06 09:07:08.000000000 +0000
@@ -18,7 +18,7 @@
 # Copyright (c) 2003-2006 Pat Thoyts
 #
 #-------------------------------------------------------------------------
-# RCS: @(#)$Id: makefile.vc,v 1.11 2014/12/08 19:09:06 andreas_kupries Exp $
+# RCS: @(#)$Id: makefile.vc,v 1.14 2015/06/06 09:07:08 apnadkarni Exp $
 #-------------------------------------------------------------------------
 
 # Check to see we are configured to build with MSVC (MSDEVDIR or MSVCDIR)
@@ -164,7 +164,7 @@
 #PROJECT_REQUIRES_TK=1
 !include "rules.vc"
 
-DOTVERSION      = 1.6.4
+DOTVERSION      = 1.6.6
 VERSION         = $(DOTVERSION:.=)
 STUBPREFIX      = $(PROJECT)stub
 
@@ -192,13 +192,13 @@
 SSL_LIB_DIR     = $(OPENSSL)\lib
 !endif
 
-SSL_LIBS        =-libpath:"$(SSL_LIB_DIR)" ssleay32s.lib libeay32s.lib
+SSL_LIBS        =-libpath:"$(SSL_LIB_DIR)" ssleay32.lib libeay32.lib
 
 SSL_CFLAGS      =-DNO_IDEA=1 -DNO_RC5=1
 
-!if !exist("$(SSL_LIB_DIR)\ssleay32s.lib")
+!if !exist("$(SSL_LIB_DIR)\ssleay32.lib")
 MSG = ^
-Failed to locate "$(SSL_LIB_DIR)\ssleay32s.lib"
+Failed to locate "$(SSL_LIB_DIR)\ssleay32.lib"
 You must provide the path to your OpenSSL library....
 !error $(MSG)
 !endif