• ANNOUNCE: TclTLS 2.0 Release

    From Brian@brian199@comcast.net to comp.lang.tcl on Tue Jan 20 23:48:10 2026
    From Newsgroup: comp.lang.tcl

    This announcement is for the release of the TclTLS v2.0 package.


    *TclTLS 2.0 Release Notes:*


    **Notable New Features:**

    - Fully TEA compliant build system has been added back. Supports
    Windows, Linux, Mac, BSD, etc.
    - Compatible with OpenSSL 3.0+ and TCL 9.0 including build-info command.
    - Can use MS Windows Certificate Store on OpenSSL 3.2 and later
    releases. See documentation for more info.
    - Greatly expanded the status returned by the tls::status command and
    also added the new tls::connection command. The former returns SSL and certificate status while the latter returns the SSL status, cipher, and session info.
    - Added missing TLS 1.3 functionality, set cipher suites, ALPN, SNI,
    security level, etc.
    - Error handling improvements, more specific error status, more
    connection status via callbacks.
    - Replaced separate Diffie-Hellman (DH) header file build process with
    auto select.
    - Add new tls::protocols command to list available SSL and TLS protocols.
    - Now can load CA certificates, key files, etc. from virtual file
    systems (VFS).

    See https://chiselapp.com/user/bohagan/repository/TCLTLS/home for more info.


    **Documentation Updates:**

    - Documentation was extensively updated and converted to man page and
    HTML format.
    - Updated the examples in the documentation and demos directory.
    - Expanded the documentation and added a Certificate Validation section
    with info on how PKI and certificates work and the related TclTLS args.
    - Extensive code documentation updates.


    **Notable Bug Fixes:**

    (Some of these issues have been around for 15-20 years.)
    - Many bugs, patches, etc. submitted to sourceforge.net and core.tcl.tk
    have been fixed or implemented.
    - OpenSSL 3.0 unexpected EOF: Added fix to correct OpenSSL issue where
    some sessions can result in an unexpected EOF.
    - Empty reads: These have been eliminated to the extent possible, but may
    still occur. See demos for how to handle this.
    - Lock-ups and Stalling connections: These have been fixed to the extent possible with a more robust event checking process.
    - Manual certificate validation is no longer needed. OpenSSL will do
    this for you if -require 1 is specified. You can see results via -validatecommand callback and in tls::status verifyResult.
    - Will only call bgerror if the -command, -password, or -validatecommand callbacks throw an error.
    - Will send proper close_notify message to peer on channel closure.

    See the documentation for a complete list of changes.


    **Tested with:**

    * TCL 8.6.14 and 9.0.3
    * OpenSSL 1.1.1w, 3.0.18, 3.1.8, 3.2.6, 3.3.5, 3.4.3, 3.5.4, and 3.6.0
    * Windows 7, Windows 10, Msys64, OpenSuSE Linux Leap 15.6 and 16.0, FreeBSD, and MacOS with MacPorts



    *Potential Compatibility Issues:*


    **Option default changes:**

    - The -autoservername option defaults to true if -servername is not
    specified.
    - The -castore option defaults to "org.openssl.winstore://" on MS
    Windows with OpenSSL 3.2+ if -cadir, -cafile, or -castore are not specified.
    - The -request option defaults to true for clients.
    - The -require option defaults to true for clients. This may be an issue
    if the Certificate Authority (CA) certificates are not available or are out-of-date.
    - The -servername option defaults to socket host when used with
    tls::socket. So -autoservername is no longer required.
    - The -ssl2 option is no longer supported by OpenSSL 1.1+.
    - The -ssl3 option doesn't have any effect by default. Use --enable-ssl3 compile time option to enable SSL3 first.
    - The -tls1 and -tls1.1 options default to false (not enabled).
    - The -tls1.2 and -tls1.3 options default to true (enabled).


    **Callback changes:**

    - Only status/error messages use the -command handler now. There are
    several new types and the 'verify' type was moved to -validatecommand.
    - Validation of certificates, client values, etc. use the new
    -validatecommand handler.
    - Password inputs use -password handler, but it now passes 3 arguments.

    See the documentation for all compatibility changes.


    *Open Issues:*

    - May not be compatible with LibreSSL anymore.
    - Warnings for deprecated OpenSSL API usage. Will be fixed in a future release.


    *Download links:*


    Source code is available at https://core.tcl-lang.org/tcltls/ or in the following release files:

    * https://core.tcl-lang.org/tcltls/uv/tcltls-2.0-src.tar.gz
    * https://github.com/bohagan1/TclTLS/releases/download/tls-2.0/tcltls-2.0-src.tar.gz


    Windows library file link (TCL 8.6 & 9.0 with OpenSSL 3.6.0):

    * https://core.tcl-lang.org/tcltls/uv/tcltls-2.0-win64-msvc.tar.gz
    * https://github.com/bohagan1/TclTLS/releases/download/tls-2.0/tcltls-2.0-win64-msvc.zip


    *Certificate Authority (CA) certificates:*

    Please read the documentation "Certificate Validation" section if you
    don't have OpenSSL or the Certificate Authority (CA) certificates in PEM format installed on your system. If not, they can be obtained from: https://core.tcl-lang.org/tcltls/file?name=doc/tls.html&ci=tip


    *How to use this release:*


    package require tls ?2.0?

    See the README.txt file for the build steps.
    See the documentation "Examples" section for usage examples.
    More detailed examples can be found in the demos directory.



    --- Synchronet 3.21b-Linux NewsLink 1.2
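A client written against the changed defaults and the -command / -validatecommand split described in the announcement above, as an added example that is not part of the original post or the TclTLS distribution. The proc names, host and CA path are hypothetical, and the argument list and return convention of the verify callback are assumptions to confirm against the 2.0 documentation.

```tcl
# Added example (not TclTLS project code): pin the 2.0 client defaults
# explicitly so the script behaves the same whatever the built-in defaults.
package require tls 2.0

# Assumption: certificate checks reach -validatecommand as
#   verify chanId depth cert status error
# and the callback returns 1 to accept or 0 to reject.
proc validateCb {type args} {
    if {$type ne "verify"} {
        # Assumption: other validation types are accepted with 1.
        return 1
    }
    lassign $args chan depth cert status error
    if {!$status} {
        puts stderr "certificate rejected at depth $depth: $error"
    }
    # Pass OpenSSL's verdict through unchanged; never turn a 0 into a 1.
    return $status
}

# Per the announcement, -command now carries only status/error messages.
proc statusCb {args} {
    puts stderr "tls: $args"
}

proc openVerified {host port cafile} {
    set chan [tls::socket \
        -request 1 -require 1 \
        -cafile $cafile \
        -servername $host \
        -tls1 0 -tls1.1 0 -tls1.2 1 -tls1.3 1 \
        -command statusCb \
        -validatecommand validateCb \
        $host $port]
    if {[catch {tls::handshake $chan} err]} {
        close $chan
        error "TLS handshake with $host failed: $err"
    }
    # verifyResult is the tls::status key named in the announcement.
    set st [tls::status $chan]
    if {[dict exists $st verifyResult]} {
        puts "verifyResult: [dict get $st verifyResult]"
    }
    return $chan
}

# Constructed usage; host and CA bundle path are placeholders:
# set chan [openVerified example.com 443 /path/to/ca-bundle.pem]
```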
  • From Harald Oehlmann@wortkarg3@yahoo.com to comp.lang.tcl on Wed Jan 21 08:56:20 2026
    From Newsgroup: comp.lang.tcl

    Brian,
    this is a time warp step bringing TCL into the next century.
    Highly appreciated!
    Take care,
    Harald

  • From ted@loft.tnolan.com (Ted Nolan@tednolan to comp.lang.tcl on Wed Jan 21 14:29:25 2026
    From Newsgroup: comp.lang.tcl

    In article <10kppaq$1rlon$1@dont-email.me>,
    Brian <brian199@comcast.net> wrote:
    > This announcement is for the release of the TclTLS v2.0 package.
    >
    > *TclTLS 2.0 Release Notes:*

    Sounds great -- Thanks so much!

    Any idea when this will start hitting distro package managers on the
    Linux side?
    --
    columbiaclosings.com
    What's not in Columbia anymore..
  • From Harald Oehlmann@wortkarg3@yahoo.com to comp.lang.tcl on Wed Jan 21 18:19:03 2026
    From Newsgroup: comp.lang.tcl

    On 21.01.2026 at 15:29, Ted Nolan <tednolan> wrote:
    > In article <10kppaq$1rlon$1@dont-email.me>,
    > Brian <brian199@comcast.net> wrote:
    >> This announcement is for the release of the TclTLS v2.0 package.
    >>
    >> *TclTLS 2.0 Release Notes:*
    >
    > Sounds great -- Thanks so much!
    >
    > Any idea when this will start hitting distro package managers on the
    > Linux side?

    At least, it is very important that they become aware of it.
    It would be great to post the message on the core list.
    Brian, shall I take care?

    Thanks,
    Harald
  • From Paul Obermeier@obermeier@poSoft.de to comp.lang.tcl on Wed Jan 21 19:49:58 2026
    From Newsgroup: comp.lang.tcl

    On 21.01.2026 at 06:48, Brian wrote:
    > This announcement is for the release of the TclTLS v2.0 package.

    Hi Brian,
    thanks for making an official 2.0 release.

    Two remarks / questions from a Tcl-BI maintainer:
    1. What is the official tcltls site?
    https://chiselapp.com/user/bohagan/repository/TCLTLS/home or
    https://core.tcl-lang.org/tcltls/home
    2. Tag tls-2-0 does not show in tab "Tags" on both sites.

    Will try to build the new version with BAWT in the next days.

    Paul
  • From Brian@brian199@comcast.net to comp.lang.tcl on Wed Jan 21 19:41:35 2026
    From Newsgroup: comp.lang.tcl

    On 1/21/26 11:19 AM, Harald Oehlmann wrote:
    > On 21.01.2026 at 15:29, Ted Nolan <tednolan> wrote:
    >> In article <10kppaq$1rlon$1@dont-email.me>,
    >> Brian <brian199@comcast.net> wrote:
    >>> This announcement is for the release of the TclTLS v2.0 package.
    >>>
    >>> *TclTLS 2.0 Release Notes:*
    >>
    >> Sounds great -- Thanks so much!
    >>
    >> Any idea when this will start hitting distro package managers on the
    >> Linux side?
    >
    > At least, it is very important that they become aware of it.
    > It would be great to post the message on the core list.
    > Brian, shall I take care?
    >
    > Thanks,
    > Harald

    Yes, please do. Since I'm old school, I mainly use comp.lang.tcl as the notification method, but with fewer people having access nowadays maybe
    we need a more modern process.

  • From Brian@brian199@comcast.net to comp.lang.tcl on Wed Jan 21 19:47:42 2026
    From Newsgroup: comp.lang.tcl

    On 1/21/26 12:49 PM, Paul Obermeier wrote:
    > On 21.01.2026 at 06:48, Brian wrote:
    >> This announcement is for the release of the TclTLS v2.0 package.
    >
    > Hi Brian,
    > thanks for making an official 2.0 release.
    >
    > Two remarks / questions from a Tcl-BI maintainer:
    > 1. What is the official tcltls site?
    >    https://chiselapp.com/user/bohagan/repository/TCLTLS/home or
    >    https://core.tcl-lang.org/tcltls/home
    > 2. Tag tls-2-0 does not show in tab "Tags" on both sites.
    >
    > Will try to build the new version with BAWT the next days.
    >
    > Paul

    The official repo is https://core.tcl-lang.org/tcltls/home. Since I
    started with my repo, my process is I update my GitHub site first, then
    the chiselapp site, then the core site. So I think the tags seem to get
    lost in the export process. I'll try to add them back. The main reason
    to stick with this process is eventually I'll implement git actions to automate more of the build and tests.