• Problem with tcltls 2.0

    From Alan Grunwald@nospam.nurdglaw@gmail.com to comp.lang.tcl on Thu Jan 29 14:42:58 2026
    From Newsgroup: comp.lang.tcl

    Hi,

    Consider the following script

    package require tls
    package require http

    puts stdout [format {using tls v%s} [package present tls]]

    http::register https 443 {tls::socket -tls1 1}

    set tok [http::geturl https://www.ebu.co.uk/members/api-3.1/ngs/search?forenames=Mike&surname=Lewis]
    puts stdout [http::data $tok]
    http::cleanup $tok

    (there should be no newline between "?" and "forenames" in the above url)

    It runs fine on tls 2.0b2 but fails with tls 2.0

    using tls v2.0b2 {"response":{"player":[{"Position":1,"Surname":"Lewis","Forenames":"Mike","Grade":"56.69","GradeBand":"Jack","Maturity":"M","Region":"GLO","Partners":[{"Surname":"Green","Forenames":"Malcolm","Grade":"58.64","GradeBand":"Queen","Maturity":"M"},{"Surname":"Williams","Forenames":"Roger","Grade":"57.16","GradeBand":"Queen","Maturity":"M"},{"Surname":"Nicolson","Forenames":"Alison","Grade":"53.95","GradeBand":"Ten","Maturity":"M"}]}],"process_time":"0.1338s"}}

    and

    using tls v2.0
    failed to use socket
    while executing
    "http::geturl https://www.ebu.co.uk/members/api-3.1/ngs/search?forenames=Mike&surname=Lewis"
    invoked from within
    "set tok [http::geturl https://www.ebu.co.uk/members/api-3.1/ngs/search?forenames=Mike&surname=Lewis]"
    (file "tlsError.tcl" line 10)

    I had a poke around the http package (2.10.1 in both cases) to see what
    causes the "failed to use socket" but made no progress other than
    finding that it's around line 2463, near a comment that says the code is
    handling https handshake errors.


    Any suggestions, anyone?
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Harald Oehlmann@wortkarg3@yahoo.com to comp.lang.tcl on Thu Jan 29 16:37:52 2026
    From Newsgroup: comp.lang.tcl

    Alan,
    I think it is best to file a bug report.
    Wizard Brian did a great job and probably has a lot of other things to do,
    so a bit of patience may be required...

    https://core.tcl-lang.org/tcltls/reportlist

    or

    https://github.com/bohagan1/TclTLS/issues

    Take care,
    Harald
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Alan Grunwald@nospam.nurdglaw@gmail.com to comp.lang.tcl on Thu Jan 29 20:55:22 2026
    From Newsgroup: comp.lang.tcl

    On 29/01/2026 15:37, Harald Oehlmann wrote:
    > Alan,
    > I think it is best to file a bug report.
    > Wizard Brian did a great job and probably has a lot of other things to do,
    > so a bit of patience may be required...
    >
    > https://core.tcl-lang.org/tcltls/reportlist
    >
    > or
    >
    > https://github.com/bohagan1/TclTLS/issues
    >
    > Take care,
    > Harald

    I'll do that, Harald. There's no hurry as far as I'm concerned - I've
    simply reverted to tls 2.0b2.

    Alan
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Brian@brian199@comcast.net to comp.lang.tcl on Thu Jan 29 19:58:00 2026
    From Newsgroup: comp.lang.tcl

    On 1/29/26 2:55 PM, Alan Grunwald wrote:
    > On 29/01/2026 15:37, Harald Oehlmann wrote:
    > > Alan,
    > > I think it is best to file a bug report.
    > > Wizard Brian did a great job and probably has a lot of other things to do,
    > > so a bit of patience may be required...
    > >
    > > https://core.tcl-lang.org/tcltls/reportlist
    > >
    > > or
    > >
    > > https://github.com/bohagan1/TclTLS/issues
    > >
    > > Take care,
    > > Harald
    >
    > I'll do that, Harald. There's no hurry as far as I'm concerned - I've
    > simply reverted to tls 2.0b2.
    >
    > Alan

    Remove the "-tls1 1" argument from your tls::socket command and it
    should work (it did for me on 2.0 and 2.0b2).

    The reason it worked for 2.0b2 but not 2.0 is that I simplified the logic
    for setting which TLS protocols to use. For 2.0, with just the "-tls1 1"
    argument, you told it to offer only TLS 1.0 and not 1.1, 1.2, or 1.3.
    Most web servers will refuse connections for anything less than 1.2
    nowadays. That's the error you got. In 2.0b2, I always forced TLS 1.2
    and 1.3 to be allowed unless you used "-tls1.2 0 -tls1.3 0" to turn them
    off. Why the change? OpenSSL prefers that we specify ranges of allowed
    protocols now instead of specifying them individually.

    As a rule of thumb, in TLS 2.0 you don't need to specify which TLS
    protocols to use anymore. In fact, it's discouraged unless you really
    need one of the older protocols.

    --- Synchronet 3.21b-Linux NewsLink 1.2
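    The following probe is an added example, not Brian's or the tcltls project's code: it opens one connection with the given tls::socket options, forces the handshake and reports the negotiated version from tls::status (assumed, as documented, to expose a "version" key), so the difference between "-tls1 1" and the default option set is visible directly instead of surfacing as "failed to use socket" inside http. It needs network access to the host it probes.

```tcl
package require tls

# Added diagnostic (not from the thread): open one TLS connection with the
# given tls::socket options, complete the handshake synchronously and return
# the protocol version that was actually negotiated.
# Assumes tls::status reports the negotiated protocol under the "version" key.
proc probe_tls {host {opts {}} {port 443}} {
    set result {}
    if {[catch {
        # -servername sends SNI so virtual-hosted servers pick the right cert
        set chan [::tls::socket {*}$opts -servername $host $host $port]
        fconfigure $chan -blocking 1
        ::tls::handshake $chan
        set result [dict get [::tls::status $chan] version]
        close $chan
    } err]} {
        # A handshake failure here is what http reports as "failed to use socket"
        catch {close $chan}
        return [list error $err]
    }
    return [list ok $result]
}

# Run against the host from the thread: under tls 2.0, "-tls1 1" offers only
# TLS 1.0 and the server rejects it, while the default option set negotiates
# TLS 1.2 or 1.3.
foreach opts {{-tls1 1} {}} {
    set label [expr {$opts eq "" ? "(default)" : $opts}]
    puts [format {%-10s -> %s} $label [probe_tls www.ebu.co.uk $opts]]
}
```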
  • From Alan Grunwald@nospam.nurdglaw@gmail.com to comp.lang.tcl on Fri Jan 30 13:34:07 2026
    From Newsgroup: comp.lang.tcl

    On 30/01/2026 01:58, Brian wrote:
    > On 1/29/26 2:55 PM, Alan Grunwald wrote:
    > > On 29/01/2026 15:37, Harald Oehlmann wrote:
    > > > Alan,
    > > > I think it is best to file a bug report.
    > > > Wizard Brian did a great job and probably has a lot of other things to do,
    > > > so a bit of patience may be required...
    > > >
    > > > https://core.tcl-lang.org/tcltls/reportlist
    > > >
    > > > or
    > > >
    > > > https://github.com/bohagan1/TclTLS/issues
    > > >
    > > > Take care,
    > > > Harald
    > >
    > > I'll do that, Harald. There's no hurry as far as I'm concerned - I've
    > > simply reverted to tls 2.0b2.
    > >
    > > Alan
    >
    > Remove the "-tls1 1" argument from your tls::socket command and it
    > should work (it did for me on 2.0 and 2.0b2).
    >
    > The reason it worked for 2.0b2 but not 2.0 is that I simplified the logic
    > for setting which TLS protocols to use. For 2.0, with just the "-tls1 1"
    > argument, you told it to offer only TLS 1.0 and not 1.1, 1.2, or 1.3.
    > Most web servers will refuse connections for anything less than 1.2
    > nowadays. That's the error you got. In 2.0b2, I always forced TLS 1.2
    > and 1.3 to be allowed unless you used "-tls1.2 0 -tls1.3 0" to turn them
    > off. Why the change? OpenSSL prefers that we specify ranges of allowed
    > protocols now instead of specifying them individually.
    >
    > As a rule of thumb, in TLS 2.0 you don't need to specify which TLS
    > protocols to use anymore. In fact, it's discouraged unless you really
    > need one of the older protocols.


    Thanks, Brian.

    I can (and indeed do) now register the https protocol with

    http::register https 443 ::tls::socket

    which is vastly simpler than it has been with previous incarnations of
    the (tcl)tls package. I seem to have plagued you with questions about
    this package recently; thank you very much for the speedy and always
    accurate and relevant support.

    Alan
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From meshparts@alexandru.dadalau@meshparts.de to comp.lang.tcl on Sun Feb 1 14:53:31 2026
    From Newsgroup: comp.lang.tcl

    On 30.01.2026 at 14:34, Alan Grunwald wrote:
    > Thanks, Brian.
    >
    > I can (and indeed do) now register the https protocol with
    >
    >     http::register https 443 ::tls::socket
    >
    > which is vastly simpler than it has been with previous incarnations of
    > the (tcl)tls package. I seem to have plagued you with questions about
    > this package recently; thank you very much for the speedy and always
    > accurate and relevant support.
    >
    > Alan

    Seeing the above command resonated with me.
    I remember having a lot of stability issues trying to implement TLS
    communication for my app from different locations in different
    companies. Some of the issues I had were due to the presence of proxy
    servers.

    In my code I meanwhile use Twapi to initialize the TLS socket when no
    proxy is available:

    http::register https 443 twapi::tls_socket

    When a proxy is detected, I use

    set tlssocket [::http::register https 443 [list autoproxy::tls_socket {*}$options]]

    where "options" is built like below. If you need more information on
    this last point, just let me know.

    # Runs inside a namespace; the proxy_* variables hold the user's settings
    variable proxy_host
    variable proxy_port
    variable proxy_prot
    variable proxy_CAfile
    variable proxy_ssl2
    variable proxy_ssl3
    variable proxy_tls1
    variable proxy_tls1.1
    variable proxy_tls1.2
    # Apply proxy settings if available
    ::ProxyApply

    set options [list]
    # Normalise Windows backslashes; a configured CA file turns on
    # requesting and requiring the peer certificate
    set cafile [string map {\\ /} $proxy_CAfile]
    if {$cafile ne ""} {
        lappend options -request 1
        lappend options -require 1
    }
    # Per-protocol flags are only passed on for an HTTPS proxy, and only
    # when explicitly enabled
    if {$proxy_prot eq "HTTPS"} {
        if {$proxy_ssl2 == 1} {
            lappend options -ssl2 $proxy_ssl2
        }
        if {$proxy_ssl3 == 1} {
            lappend options -ssl3 $proxy_ssl3
        }
        if {$proxy_tls1 == 1} {
            lappend options -tls1 $proxy_tls1
        }
        if {${proxy_tls1.1} == 1} {
            lappend options -tls1.1 ${proxy_tls1.1}
        }
        if {${proxy_tls1.2} == 1} {
            lappend options -tls1.2 ${proxy_tls1.2}
        }
    }

    --- Synchronet 3.21b-Linux NewsLink 1.2