| Comment: | Updated the server-side "set DH parameters" logic to use the OpenSSL 3.0+ APIs. |
|---|---|
| SHA3-256: |
014250ffb8dc62c8a3cd9537f474b618 |
| User & Date: | bohagan 2025-10-16 18:20:17 |
Changes
Changes to generic/tls.c.
2181 2182 2183 2184 2185 2186 2187 |
/* Set user defined ciphers, cipher suites, and security level */
if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) {
Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char *)NULL);
SSL_CTX_free(ctx);
return NULL;
}
if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
| | | > < > | | > > > > > > > > > > > > > > > > > > > > > > > > > > | | | 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 |
/* Set user defined ciphers, cipher suites, and security level */
if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) {
Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char *)NULL);
SSL_CTX_free(ctx);
return NULL;
}
if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
Tcl_AppendResult(interp, "Set cipher suites failed: No valid cipher suites", (char *)NULL);
SSL_CTX_free(ctx);
return NULL;
}
/* set automatic curve selection */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
SSL_CTX_set_ecdh_auto(ctx, 1);
#endif
/* Set security level */
if (level > -1 && level < 6) {
/* SSL_set_security_level */
SSL_CTX_set_security_level(ctx, level);
}
/* set some callbacks */
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr);
/* Set Diffie-Hellman parameters from file, or use the built-in one.
* Used by servers requiring ephemeral DH keys. */
Tcl_DStringInit(&ds);
#ifdef OPENSSL_NO_DH
if (DHparams != NULL) {
Tcl_AppendResult(interp, "DH parameter support not available", (char *)NULL);
SSL_CTX_free(ctx);
return NULL;
}
#else
{
if (DHparams != NULL) {
BIO *bio;
bio = BIO_new_file(F2N(DHparams, &ds), "r");
if (!bio) {
Tcl_DStringFree(&ds);
Tcl_AppendResult(interp, "Could not find DH parameters file", (char *)NULL);
SSL_CTX_free(ctx);
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
DH* dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
Tcl_DStringFree(&ds);
if (!dh) {
Tcl_AppendResult(interp, "Could not read DH parameters from file: ",
GET_ERR_REASON(), (char *)NULL);
SSL_CTX_free(ctx);
return NULL;
}
if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
Tcl_AppendResult(interp, "Could not set DH parameters from file: ",
GET_ERR_REASON(), (char *)NULL);
DH_free(dh);
SSL_CTX_free(ctx);
return NULL;
}
DH_free(dh);
dprintf("Diffie-Hellman initialized with %d bit key", 8 * DH_size(dh));
#else
EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
BIO_free(bio);
Tcl_DStringFree(&ds);
if (!dh) {
Tcl_AppendResult(interp, "Could not read DH parameters from file: ",
GET_ERR_REASON(), (char *)NULL);
SSL_CTX_free(ctx);
return NULL;
}
if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh)) {
Tcl_AppendResult(interp, "Could not set DH parameters from file: ",
GET_ERR_REASON(), (char *)NULL);
SSL_CTX_free(ctx);
return NULL;
}
dprintf("Diffie-Hellman initialized with %d bit key", 8 * EVP_PKEY_get_size(dh));
#endif
} else {
/* Use well known DH parameters that have built-in support in OpenSSL */
if (!SSL_CTX_set_dh_auto(ctx, 1)) {
Tcl_AppendResult(interp, "Could not enable set DH auto: ", GET_ERR_REASON(),
(char *)NULL);
SSL_CTX_free(ctx);
|
2480 2481 2482 2483 2484 2485 2486 2487 2488 2489 2490 2491 2492 2493 2494 |
Tcl_SetErrorCode(interp, "TLS", "STATUS", "CHANNEL", "INVALID", (char *)NULL);
return TCL_ERROR;
}
statePtr = (State *) Tcl_GetChannelInstanceData(chan);
/* Get certificate for peer or self */
if (objc == 2) {
peer = SSL_get_peer_certificate(statePtr->ssl);
} else {
peer = SSL_get_certificate(statePtr->ssl);
}
/* Get X509 certificate info */
if (peer) {
objPtr = Tls_NewX509Obj(interp, peer, 1);
if (objc == 2) {
| > > > > | 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 |
Tcl_SetErrorCode(interp, "TLS", "STATUS", "CHANNEL", "INVALID", (char *)NULL);
return TCL_ERROR;
}
statePtr = (State *) Tcl_GetChannelInstanceData(chan);
/* Get certificate for peer or self */
if (objc == 2) {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
peer = SSL_get_peer_certificate(statePtr->ssl);
#else
peer = SSL_get1_peer_certificate(statePtr->ssl);
#endif
} else {
peer = SSL_get_certificate(statePtr->ssl);
}
/* Get X509 certificate info */
if (peer) {
objPtr = Tls_NewX509Obj(interp, peer, 1);
if (objc == 2) {
|
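Review bot: In the pre-3.0 branch of the new DH block, `DH_free(dh);` is executed immediately before `dprintf("Diffie-Hellman initialized with %d bit key", 8 * DH_size(dh));`, so the log statement reads a freed object; swap the two lines, or capture the size first with `int bits = 8 * DH_size(dh);` and free afterwards (dprintf looks like a debug-only macro, so the read may be compiled out in release builds, but it is a use-after-free whenever it is active). In the 3.0+ branch the `if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh))` error path leaks `dh`: per the OpenSSL documentation the set0 call only takes ownership on success, so add `EVP_PKEY_free(dh);` ahead of `SSL_CTX_free(ctx);` in that block. It would also be cleaner to issue the `EVP_PKEY_get_size(dh)` log line before the set0 call rather than after ownership has passed to the context. The second hunk's switch to `SSL_get1_peer_certificate` keeps the reference-counting semantics of the old call, which is correct provided the matching X509_free remains in the `objc == 2` path below the hunk. The enclosing functions both begin and end outside these hunks.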