Ticket Hash: 581d50e6cdc97b0bb5f0e5516086ac469e077f04
Title: Callback wrongly reports SSL3
Status: Closed
Type: Documentation
Severity: Important
Priority: Low
Subsystem:
Resolution: Rejected
Last Modified: 2019-04-09 19:35:39
Version Found In: 1.7.16
User Comments:
anonymous added on 2018-04-05 13:49:27:
The -command callback reports handshake by SSL3, when in fact TLS1.2 was used.

Accurate information would be useful - can the callback report the protocol actually used?


In this example, TclTLS was built with --disable-sslv2 --disable-sslv3, libressl,
and tls::socket was called with -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1

The actual protocol version TLS1.2 was verified by wireshark.

tlsMonitor info sock12678a0 handshake start {before/connect initialization}
tlsMonitor info sock12678a0 connect loop {before/connect initialization}
tlsMonitor info sock12678a0 connect loop {SSLv3 write client hello A}
tlsMonitor info sock12678a0 connect loop {SSLv3 read server hello A}
tlsMonitor verify sock12678a0 2 <<snip>>
tlsMonitor verify sock12678a0 1 <<snip>
tlsMonitor verify sock12678a0 0 <<snip>>
tlsMonitor info sock12678a0 connect loop {SSLv3 read server certificate A}
tlsMonitor info sock12678a0 connect loop {SSLv3 read server key exchange A}
tlsMonitor info sock12678a0 connect loop {SSLv3 read server done A}
tlsMonitor info sock12678a0 connect loop {SSLv3 write client key exchange A}
tlsMonitor info sock12678a0 connect loop {SSLv3 write change cipher spec A}
tlsMonitor info sock12678a0 connect loop {SSLv3 write finished A}
tlsMonitor info sock12678a0 connect loop {SSLv3 flush data}
tlsMonitor info sock12678a0 connect loop {SSLv3 read finished A}
tlsMonitor info sock12678a0 handshake done {SSL negotiation finished successfully}
tlsMonitor info sock12678a0 connect exit {SSL negotiation finished successfully}

rkeene added on 2019-04-09 19:35:39:

The data being reported is documented to contain an informational string returned from OpenSSL:

> The message argument is a descriptive string which may be generated either by SSL_state_string_long() or by SSL_alert_desc_string_long(), depending on context

It does not indicate the version of SSL or TLS being used.
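
Added example, not part of the ticket and not TclTLS project code: a -command callback that treats the info message as the state description it is, and reads the negotiated protocol from tls::status once the handshake is done. It assumes a TclTLS build whose tls::status result includes a version element (an assumption; the 1.7.16 build in the ticket may not provide it, in which case "unknown" is reported). The proc names negotiatedVersion and tlsMonitor, and the host and port arguments, are illustrative.

```tcl
package require Tcl 8.5
package require tls

# Hypothetical helper: protocol actually negotiated on $chan, or "unknown"
# when this build's tls::status has no "version" element (assumed key).
proc negotiatedVersion {chan} {
    set st [tls::status $chan]
    if {[dict exists $st version]} {
        return [dict get $st version]
    }
    return unknown
}

proc tlsMonitor {option args} {
    switch -- $option {
        info {
            lassign $args chan major minor message
            # $message is an OpenSSL state description such as
            # "SSLv3 read server hello A"; it names a handshake state,
            # not the protocol version in use, so it is only logged.
            puts stderr "tls $chan $major/$minor: $message"
            if {$major eq "handshake" && $minor eq "done"} {
                puts stderr "tls $chan negotiated: [negotiatedVersion $chan]"
            }
        }
        verify {
            lassign $args chan depth cert status err
            # Pass OpenSSL's own verdict through; never force acceptance.
            return $status
        }
        error {
            lassign $args chan message
            puts stderr "tls $chan error: $message"
        }
    }
}

# Runs only when invoked as: tclsh monitor.tcl <host> <port>
if {[info exists argv] && [llength $argv] == 2} {
    lassign $argv host port
    # Same protocol switches as in the ticket.
    set sock [tls::socket -command tlsMonitor \
        -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1 $host $port]
    tls::handshake $sock
    # Enforce a policy on the real version, not on the state strings.
    puts "negotiated protocol: [negotiatedVersion $sock]"
    close $sock
}
```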