Announcement of TclTLS 2.0b1 release
This is the beta 1 release of the TclTLS v2.0 package. There have been numerous changes since the v1.7 release. See below for links to the
files and the release notes.
TclTLS 2.0 Release Notes:
Notable New Features:
- Fully TEA compliant build system has been added back. Supports
Windows, Linux, Max, BSD, etc.
- Compatible with OpenSSL 3.0+ and TCL 9.0 including build-info command.
- Can use MS Windows Cert Store on OpenSSL 3.2 or later.
- Greatly expanded the status returned by the tls::status command and
also added the new tls::connection command. The former returns SSL and certificate status while the latter returns the SSL status, cipher, and session info.
- Added missing TLS 1.3 functionality, set cipher suites, ALPN, SNI,
security level, etc.
- Error handing improvements, more specific error status, more
connection status via callbacks.
- Replaced separate Diffie-Hellman (DH) header file build process with
auto select.
- Add new tls::protocols command to list available SSL and TLS
protocols.
- Now can load CA certificates, key files, etc. from virtual file
systems (VFS).
Documentation Updates:
- Documentation was extensively updated and converted to man page and
HTML format.
- Added more examples to documentation and an examples directory.
- Expanded the documentation and added a Certificate Validation section
with info on how PKI and certificates work and the related TclTLS args.
- Extensive code documentation updates.
Notable Bug Fixes:
(Some of these issues have been around for 15-20 years.)
- Many bugs, patches, etc. submitted to sourceforge.net and core.tcl.tk
have been fixed or implemented.
- Unexpected EOF: Added fix to correct OpenSSL issue where some sessions
can result in an unexpected EOF.
- Empty reads: These have been eliminated the extent possible, but may
still occur. See demos for how to handle this.
- Stalling connections: These have been fixed to the extent possible
with a more robust event checking process.
- Manual certificate validation is no longer needed. OpenSSL will do
this for you if -require 1 is specified. You can see results via -validatecommand callback and in tls::status verifyResult.
- Will only call bgerror if the -command, -password, or -validatecommand callbacks throw an error.
- Will send proper close_notify message to peer on channel closure.
See the documentation for a complete list of changes.
Potential Compatibility Issues:
Option default changes:
- The -autoservername option defaults to true if -servername is not specified.
- The -castore option defaults to "org.openssl.winstore://" on MS
Windows with OpenSSL 3.2+ if -cadir, -cadir, and -castore are not
specified.
- The -request option defaults to true.
- The -require option defaults to true. This may be an issue if CA certificates are not available.
- The -servername option defaults to host value. So -autoservername is
no longer required.
- The -ssl2 option is no longer supported by OpenSSL 1.1+.
- The -ssl3 option doesn't have any effect by default. Use --enable-ssl3 compile time option to enable SSL3 first.
- The -tls1 and tls1.1 options default to false.
- The -tls1.2 and tls1.3 options default to true.
Callback changes:
- Only status/error message use the -command handler now. There are
several new types and the 'verify' type was moved to -validatecommand.
- Validation of certificates, client values, etc. use the new -validatecommand handler.
- Password inputs use -password handler, but it now passes 3 arguments.
See the documentation for all compatibility changes.
Open Issues:
- May not be compatible with LibreSSL anymore.
- Warnings for deprecated OpenSSL API usage. Will be fixed in a future release.
Download links:
Source code is available at either:
https://core.tcl-lang.org/tcltls/home
or
https://chiselapp.com/user/bohagan/repository/TCLTLS/home
or
https://github.com/bohagan1/TclTLS
Distribution file link: https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tcltls-2.0b1.tar.gz or
https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b1/ tcltls-2.0b1.tar.gz
Windows library file link: https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/ tls2.0b1_win64_msvc.zip
or
https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b1/ tls2.0b1_win64_msvc.zip
Certificate Authority (CA) certificates:
Please read the documentation "Certificate Validation" section if you
don't have OpenSSL or the Certificate Authority (CA) certificates in PEM format installed on your system. https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html
How to use this release:
package prefer latest
package require tls 2.0b1
See documentation "Examples" section for more details. https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html
Announcement of TclTLS 2.0b1 release
This is the beta 1 release of the TclTLS v2.0 package. There have been numerous changes since the v1.7 release. See below for links to the
files and the release notes.
TclTLS 2.0 Release Notes:
Notable New Features:
- Fully TEA compliant build system has been added back. Supports
Windows, Linux, Max, BSD, etc.
- Compatible with OpenSSL 3.0+ and TCL 9.0 including build-info command.
- Can use MS Windows Cert Store on OpenSSL 3.2 or later.
- Greatly expanded the status returned by the tls::status command and
also added the new tls::connection command. The former returns SSL and certificate status while the latter returns the SSL status, cipher, and session info.
- Added missing TLS 1.3 functionality, set cipher suites, ALPN, SNI,
security level, etc.
- Error handing improvements, more specific error status, more
connection status via callbacks.
- Replaced separate Diffie-Hellman (DH) header file build process with
auto select.
- Add new tls::protocols command to list available SSL and TLS
protocols.
- Now can load CA certificates, key files, etc. from virtual file
systems (VFS).
Documentation Updates:
- Documentation was extensively updated and converted to man page and
HTML format.
- Added more examples to documentation and an examples directory.
- Expanded the documentation and added a Certificate Validation section
with info on how PKI and certificates work and the related TclTLS args.
- Extensive code documentation updates.
Notable Bug Fixes:
(Some of these issues have been around for 15-20 years.)
- Many bugs, patches, etc. submitted to sourceforge.net and core.tcl.tk
have been fixed or implemented.
- Unexpected EOF: Added fix to correct OpenSSL issue where some sessions
can result in an unexpected EOF.
- Empty reads: These have been eliminated the extent possible, but may
still occur. See demos for how to handle this.
- Stalling connections: These have been fixed to the extent possible
with a more robust event checking process.
- Manual certificate validation is no longer needed. OpenSSL will do
this for you if -require 1 is specified. You can see results via -validatecommand callback and in tls::status verifyResult.
- Will only call bgerror if the -command, -password, or -validatecommand callbacks throw an error.
- Will send proper close_notify message to peer on channel closure.
See the documentation for a complete list of changes.
Potential Compatibility Issues:
Option default changes:
- The -autoservername option defaults to true if -servername is not specified.
- The -castore option defaults to "org.openssl.winstore://" on MS
Windows with OpenSSL 3.2+ if -cadir, -cadir, and -castore are not
specified.
- The -request option defaults to true.
- The -require option defaults to true. This may be an issue if CA certificates are not available.
- The -servername option defaults to host value. So -autoservername is
no longer required.
- The -ssl2 option is no longer supported by OpenSSL 1.1+.
- The -ssl3 option doesn't have any effect by default. Use --enable-ssl3 compile time option to enable SSL3 first.
- The -tls1 and tls1.1 options default to false.
- The -tls1.2 and tls1.3 options default to true.
Callback changes:
- Only status/error message use the -command handler now. There are
several new types and the 'verify' type was moved to -validatecommand.
- Validation of certificates, client values, etc. use the new -validatecommand handler.
- Password inputs use -password handler, but it now passes 3 arguments.
See the documentation for all compatibility changes.
Open Issues:
- May not be compatible with LibreSSL anymore.
- Warnings for deprecated OpenSSL API usage. Will be fixed in a future release.
Download links:
Source code is available at either:
https://core.tcl-lang.org/tcltls/home
or
https://chiselapp.com/user/bohagan/repository/TCLTLS/home
or
https://github.com/bohagan1/TclTLS
Distribution file link: https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tcltls-2.0b1.tar.gz or https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b1/tcltls-2.0b1.tar.gz
Windows library file link: https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tls2.0b1_win64_msvc.zip
or https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b1/tls2.0b1_win64_msvc.zip
Certificate Authority (CA) certificates:
Please read the documentation "Certificate Validation" section if you
don't have OpenSSL or the Certificate Authority (CA) certificates in PEM format installed on your system. https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html
How to use this release:
package prefer latest
package require tls 2.0b1
See documentation "Examples" section for more details. https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html
I've just downloaded from https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tcltls-2.0b1.tar.gz
After
../configure --prefix=/opt/tcl9.0.1 -with-tcl=/opt/tcl9.0.1/opt
make eventually executes this line
gcc -DPACKAGE_NAME=\"tls\" -DPACKAGE_TARNAME=\"tls\" -DPACKAGE_VERSION=\"2.0b1\" -DPACKAGE_STRING=\"tls\ 2.0b1\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DBUILD_tls=/\*\*/ -DHAVE_STDIO_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYS_STAT_H=1
-DHAVE_SYS_TYPES_H=1 -DHAVE_UNISTD_H=1 -DSTDC_HEADERS=1
-DUSE_THREAD_ALLOC=1 -D_REENTRANT=1 -D_THREAD_SAFE=1 -DTCL_THREADS=1 -DUSE_TCL_STUBS=1 -DUSE_TCLOO_STUBS=1 -DMODULE_SCOPE=extern\ __attribute__\(\(__visibility__\(\"hidden\"\)\)\) -DHAVE_HIDDEN=1 -DHAVE_CAST_TO_UNION=1 -DHAVE_STDBOOL_H=1 -DTCL_WIDE_INT_IS_LONG=1 -DTCL_CFG_OPTIMIZED=1 -DUSE_TCL_STUBS=1 -DNO_SSL3=1 -D_FORTIFY_SOURCE=2 -fstack-protector-all -fno-strict-overflow -Wno-deprecated-declarations -I/usr/local/include -I"/opt/tcl9.0.1/include" -I. -O2 -fomit-frame-pointer -DNDEBUG -Wall -fPIC -pipe -O2 -fomit-frame-pointer -DNDEBUG -Wall -fPIC -c `echo ./generic/tlsBIO.c` -o tlsBIO.o
which fails with a compilation error saying BIO_FLAGS_IN_EOF is
undefined.
I've had a bit of a poke around but am mystified by this error. As far
as I can make out, tlsBIO.c includes <openssl/bio.h>, which defines BIO_FLAGS_IN_EOF, so I am thoroughly confused.
I can't guarantee that I don't have another SSL package installed which
might be getting in the way. How can I check, or what else might be
causing my problem? More to the point, what can I do to fix it?
Alan
Announcement of TclTLS 2.0b1 release
This is the beta 1 release of the TclTLS v2.0 package. There have been numerous changes since the v1.7 release. See below for links to the
files and the release notes.
TclTLS 2.0 Release Notes:
Notable New Features:
- Fully TEA compliant build system has been added back. Supports
Windows, Linux, Max, BSD, etc.
- Compatible with OpenSSL 3.0+ and TCL 9.0 including build-info command.
- Can use MS Windows Cert Store on OpenSSL 3.2 or later.
- Greatly expanded the status returned by the tls::status command and
also added the new tls::connection command. The former returns SSL and certificate status while the latter returns the SSL status, cipher, and session info.
- Added missing TLS 1.3 functionality, set cipher suites, ALPN, SNI,
security level, etc.
- Error handing improvements, more specific error status, more
connection status via callbacks.
- Replaced separate Diffie-Hellman (DH) header file build process with
auto select.
- Add new tls::protocols command to list available SSL and TLS
protocols.
- Now can load CA certificates, key files, etc. from virtual file
systems (VFS).
Documentation Updates:
- Documentation was extensively updated and converted to man page and
HTML format.
- Added more examples to documentation and an examples directory.
- Expanded the documentation and added a Certificate Validation section
with info on how PKI and certificates work and the related TclTLS args.
- Extensive code documentation updates.
Notable Bug Fixes:
(Some of these issues have been around for 15-20 years.)
- Many bugs, patches, etc. submitted to sourceforge.net and core.tcl.tk
have been fixed or implemented.
- Unexpected EOF: Added fix to correct OpenSSL issue where some sessions
can result in an unexpected EOF.
- Empty reads: These have been eliminated the extent possible, but may
still occur. See demos for how to handle this.
- Stalling connections: These have been fixed to the extent possible
with a more robust event checking process.
- Manual certificate validation is no longer needed. OpenSSL will do
this for you if -require 1 is specified. You can see results via -validatecommand callback and in tls::status verifyResult.
- Will only call bgerror if the -command, -password, or -validatecommand callbacks throw an error.
- Will send proper close_notify message to peer on channel closure.
See the documentation for a complete list of changes.
Potential Compatibility Issues:
Option default changes:
- The -autoservername option defaults to true if -servername is not specified.
- The -castore option defaults to "org.openssl.winstore://" on MS
Windows with OpenSSL 3.2+ if -cadir, -cadir, and -castore are not
specified.
- The -request option defaults to true.
- The -require option defaults to true. This may be an issue if CA certificates are not available.
- The -servername option defaults to host value. So -autoservername is
no longer required.
- The -ssl2 option is no longer supported by OpenSSL 1.1+.
- The -ssl3 option doesn't have any effect by default. Use --enable-ssl3 compile time option to enable SSL3 first.
- The -tls1 and tls1.1 options default to false.
- The -tls1.2 and tls1.3 options default to true.
Callback changes:
- Only status/error message use the -command handler now. There are
several new types and the 'verify' type was moved to -validatecommand.
- Validation of certificates, client values, etc. use the new -validatecommand handler.
- Password inputs use -password handler, but it now passes 3 arguments.
See the documentation for all compatibility changes.
Open Issues:
- May not be compatible with LibreSSL anymore.
- Warnings for deprecated OpenSSL API usage. Will be fixed in a future release.
Download links:
Source code is available at either:
https://core.tcl-lang.org/tcltls/home
or
https://chiselapp.com/user/bohagan/repository/TCLTLS/home
or
https://github.com/bohagan1/TclTLS
Distribution file link: https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tcltls-2.0b1.tar.gz or
https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b1/ tcltls-2.0b1.tar.gz
Windows library file link: https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/ tls2.0b1_win64_msvc.zip
or
https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b1/ tls2.0b1_win64_msvc.zip
Certificate Authority (CA) certificates:
Please read the documentation "Certificate Validation" section if you
don't have OpenSSL or the Certificate Authority (CA) certificates in PEM format installed on your system. https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html
How to use this release:
package prefer latest
package require tls 2.0b1
See documentation "Examples" section for more details. https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html
On Sun, 9 Feb 2025 16:31:19 +0000, Alan Grunwald wrote:
I've just downloaded from
https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tcltls-2.0b1.tar.gz >>
After
../configure --prefix=/opt/tcl9.0.1 -with-tcl=/opt/tcl9.0.1/opt
make eventually executes this line
gcc -DPACKAGE_NAME=\"tls\" -DPACKAGE_TARNAME=\"tls\"
-DPACKAGE_VERSION=\"2.0b1\" -DPACKAGE_STRING=\"tls\ 2.0b1\"
-DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DBUILD_tls=/\*\*/
-DHAVE_STDIO_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_INTTYPES_H=1
-DHAVE_STDINT_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYS_STAT_H=1
-DHAVE_SYS_TYPES_H=1 -DHAVE_UNISTD_H=1 -DSTDC_HEADERS=1
-DUSE_THREAD_ALLOC=1 -D_REENTRANT=1 -D_THREAD_SAFE=1 -DTCL_THREADS=1
-DUSE_TCL_STUBS=1 -DUSE_TCLOO_STUBS=1 -DMODULE_SCOPE=extern\
__attribute__\(\(__visibility__\(\"hidden\"\)\)\) -DHAVE_HIDDEN=1
-DHAVE_CAST_TO_UNION=1 -DHAVE_STDBOOL_H=1 -DTCL_WIDE_INT_IS_LONG=1
-DTCL_CFG_OPTIMIZED=1 -DUSE_TCL_STUBS=1 -DNO_SSL3=1 -D_FORTIFY_SOURCE=2
-fstack-protector-all -fno-strict-overflow -Wno-deprecated-declarations
-I/usr/local/include -I"/opt/tcl9.0.1/include" -I. -O2
-fomit-frame-pointer -DNDEBUG -Wall -fPIC -pipe -O2 -fomit-frame-pointer
-DNDEBUG -Wall -fPIC -c `echo ./generic/tlsBIO.c` -o tlsBIO.o
which fails with a compilation error saying BIO_FLAGS_IN_EOF is
undefined.
I've had a bit of a poke around but am mystified by this error. As far
as I can make out, tlsBIO.c includes <openssl/bio.h>, which defines
BIO_FLAGS_IN_EOF, so I am thoroughly confused.
I can't guarantee that I don't have another SSL package installed which
might be getting in the way. How can I check, or what else might be
causing my problem? More to the point, what can I do to fix it?
Alan
This is one of the not advertised things OpenSSl is famous for leaving
out of its documentation. Yes it's in the openssl/bio.h file. So it's
likely you have more than one version installed. Some OS/platforms
default to LibreSSL or maybe you also have a much older version of
OpenSSL. If you have pkgconfig on your system, that will define which
version gets used.
When you run the configure script, it should output where it found the OpenSSL header files. The solution is to use the --with-openssl-libdir
and --with-openssl-includedir options to force it to find the right
version. Look at the README.txt file for more info.
On 09/02/2025 18:19, bohagan wrote:
On Sun, 9 Feb 2025 16:31:19 +0000, Alan Grunwald wrote:
I've just downloaded from
https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tcltls-2.0b1.tar.gz >>>
After
../configure --prefix=/opt/tcl9.0.1 -with-tcl=/opt/tcl9.0.1/opt
make eventually executes this line
gcc -DPACKAGE_NAME=\"tls\" -DPACKAGE_TARNAME=\"tls\"
-DPACKAGE_VERSION=\"2.0b1\" -DPACKAGE_STRING=\"tls\ 2.0b1\"
-DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DBUILD_tls=/\*\*/
-DHAVE_STDIO_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_INTTYPES_H=1 >>> -DHAVE_STDINT_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYS_STAT_H=1
-DHAVE_SYS_TYPES_H=1 -DHAVE_UNISTD_H=1 -DSTDC_HEADERS=1
-DUSE_THREAD_ALLOC=1 -D_REENTRANT=1 -D_THREAD_SAFE=1 -DTCL_THREADS=1
-DUSE_TCL_STUBS=1 -DUSE_TCLOO_STUBS=1 -DMODULE_SCOPE=extern\
__attribute__\(\(__visibility__\(\"hidden\"\)\)\) -DHAVE_HIDDEN=1
-DHAVE_CAST_TO_UNION=1 -DHAVE_STDBOOL_H=1 -DTCL_WIDE_INT_IS_LONG=1
-DTCL_CFG_OPTIMIZED=1 -DUSE_TCL_STUBS=1 -DNO_SSL3=1 -D_FORTIFY_SOURCE=2
-fstack-protector-all -fno-strict-overflow -Wno-deprecated-declarations >>> -I/usr/local/include -I"/opt/tcl9.0.1/include" -I. -O2
-fomit-frame-pointer -DNDEBUG -Wall -fPIC -pipe -O2 -fomit-frame-pointer >>> -DNDEBUG -Wall -fPIC -c `echo ./generic/tlsBIO.c` -o tlsBIO.o
which fails with a compilation error saying BIO_FLAGS_IN_EOF is
undefined.
I've had a bit of a poke around but am mystified by this error. As far
as I can make out, tlsBIO.c includes <openssl/bio.h>, which defines
BIO_FLAGS_IN_EOF, so I am thoroughly confused.
I can't guarantee that I don't have another SSL package installed which
might be getting in the way. How can I check, or what else might be
causing my problem? More to the point, what can I do to fix it?
Alan
This is one of the not advertised things OpenSSl is famous for leaving
out of its documentation. Yes it's in the openssl/bio.h file. So it's
likely you have more than one version installed. Some OS/platforms
default to LibreSSL or maybe you also have a much older version of
OpenSSL. If you have pkgconfig on your system, that will define which
version gets used.
When you run the configure script, it should output where it found the
OpenSSL header files. The solution is to use the --with-openssl-libdir
and --with-openssl-includedir options to force it to find the right
version. Look at the README.txt file for more info.
Thanks for the quick response. Sadly it doesn't help me all that much.
If I try
../configure --prefix=/opt/tcl9.0.1 --with-tcl=/opt/tcl9.0.1/lib --with-openssl-libdir=/usr/local/bin/ --with-openssl-includedir=/usr/local/include/openssl/
the last few lines output to the console are
checking for OpenSSL directory...
checking for OpenSSL include directory... /usr/local/include/openssl/ checking for ssl.h... no
configure: error: Unable to locate ssl.h
which is very strange, since /usr/local/include/openssl/ssl.h certainly exists.
(If I leave out the --with-openssl-xxx flags, then this section of the console output doesn't mention ssl.h, and looks like this
checking for OpenSSL directory...
checking for OpenSSL include directory...
checking for OpenSSL lib directory...
I'm ashamed to notice that I didn't say originally that I'm running
Linux Mint 21.3 with a homebrew Tcl9.0.1
I am currently running tcltls 1.7.23 built from https://www.tcl3d.org/bawt/download/InputLibs/tcltls-1.7.23.7z and
configured using the configure command line I posted originally
(although starting ./configure rather than ".." as mis-typed).
Alan
| Sysop: | DaiTengu |
|---|---|
| Location: | Appleton, WI |
| Users: | 1,029 |
| Nodes: | 10 (1 / 9) |
| Uptime: | 147:49:24 |
| Calls: | 13,332 |
| Calls today: | 2 |
| Files: | 186,574 |
| D/L today: |
2,492 files (655M bytes) |
| Messages: | 3,355,708 |