Sujet : Re: Announce: TclTLS 2.0b1 Release
De : wortkarg3 (at) *nospam* yahoo.com (Harald Oehlmann)
Groupes : comp.lang.tclDate : 09. Feb 2025, 11:19:03
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <vo9vem$i6o1$1@dont-email.me>
References : 1
User-Agent : Mozilla Thunderbird
Hi Brian,
that is a leap jump, thank you !
I am particallary interested in the error callback.
That is great. I was always annoyed, that bgerror was called on any TLS negociation error.
Also the Windows cert usage is great.
This means, that we can use TclTLS for all platforms in an unified manner.
Monday is the biweekly Tcl/Tk telco. Maybe, this may be elaborated.
I see TclTLS as possible bundled package for TCL.
Thanks for all,
Harald
Am 09.02.2025 um 00:35 schrieb bohagan:
Announcement of TclTLS 2.0b1 release
This is the beta 1 release of the TclTLS v2.0 package. There have been
numerous changes since the v1.7 release. See below for links to the
files and the release notes.
TclTLS 2.0 Release Notes:
Notable New Features:
- Fully TEA compliant build system has been added back. Supports
Windows, Linux, Max, BSD, etc.
- Compatible with OpenSSL 3.0+ and TCL 9.0 including build-info command.
- Can use MS Windows Cert Store on OpenSSL 3.2 or later.
- Greatly expanded the status returned by the tls::status command and
also added the new tls::connection command. The former returns SSL and
certificate status while the latter returns the SSL status, cipher, and
session info.
- Added missing TLS 1.3 functionality, set cipher suites, ALPN, SNI,
security level, etc.
- Error handing improvements, more specific error status, more
connection status via callbacks.
- Replaced separate Diffie-Hellman (DH) header file build process with
auto select.
- Add new tls::protocols command to list available SSL and TLS
protocols.
- Now can load CA certificates, key files, etc. from virtual file
systems (VFS).
Documentation Updates:
- Documentation was extensively updated and converted to man page and
HTML format.
- Added more examples to documentation and an examples directory.
- Expanded the documentation and added a Certificate Validation section
with info on how PKI and certificates work and the related TclTLS args.
- Extensive code documentation updates.
Notable Bug Fixes:
(Some of these issues have been around for 15-20 years.)
- Many bugs, patches, etc. submitted to sourceforge.net and core.tcl.tk
have been fixed or implemented.
- Unexpected EOF: Added fix to correct OpenSSL issue where some sessions
can result in an unexpected EOF.
- Empty reads: These have been eliminated the extent possible, but may
still occur. See demos for how to handle this.
- Stalling connections: These have been fixed to the extent possible
with a more robust event checking process.
- Manual certificate validation is no longer needed. OpenSSL will do
this for you if -require 1 is specified. You can see results via
-validatecommand callback and in tls::status verifyResult.
- Will only call bgerror if the -command, -password, or -validatecommand
callbacks throw an error.
- Will send proper close_notify message to peer on channel closure.
See the documentation for a complete list of changes.
Potential Compatibility Issues:
Option default changes:
- The -autoservername option defaults to true if -servername is not
specified.
- The -castore option defaults to "org.openssl.winstore://" on MS
Windows with OpenSSL 3.2+ if -cadir, -cadir, and -castore are not
specified.
- The -request option defaults to true.
- The -require option defaults to true. This may be an issue if CA
certificates are not available.
- The -servername option defaults to host value. So -autoservername is
no longer required.
- The -ssl2 option is no longer supported by OpenSSL 1.1+.
- The -ssl3 option doesn't have any effect by default. Use --enable-ssl3
compile time option to enable SSL3 first.
- The -tls1 and tls1.1 options default to false.
- The -tls1.2 and tls1.3 options default to true.
Callback changes:
- Only status/error message use the -command handler now. There are
several new types and the 'verify' type was moved to -validatecommand.
- Validation of certificates, client values, etc. use the new
-validatecommand handler.
- Password inputs use -password handler, but it now passes 3 arguments.
See the documentation for all compatibility changes.
Open Issues:
- May not be compatible with LibreSSL anymore.
- Warnings for deprecated OpenSSL API usage. Will be fixed in a future
release.
Download links:
Source code is available at either:
https://core.tcl-lang.org/tcltls/home
or
https://chiselapp.com/user/bohagan/repository/TCLTLS/home
or
https://github.com/bohagan1/TclTLS
Distribution file link:
https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tcltls-2.0b1.tar.gz
or
https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b1/ tcltls-2.0b1.tar.gz
Windows library file link:
https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/ tls2.0b1_win64_msvc.zip
or
https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b1/ tls2.0b1_win64_msvc.zip
Certificate Authority (CA) certificates:
Please read the documentation "Certificate Validation" section if you
don't have OpenSSL or the Certificate Authority (CA) certificates in PEM
format installed on your system.
https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html
How to use this release:
package prefer latest
package require tls 2.0b1
See documentation "Examples" section for more details.
https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html
Announce: TclTLS 2.0b1 Release
Re: Announce: TclTLS 2.0b1 Release
