Posted to rivet-dev@tcl.apache.org by Massimo MANGHI <ma...@unipr.it> on 2019/09/05 16:41:32 UTC

SSL/TLS

good day, fellow Tcl'ers

does anyone of you have experience with SSL/TLS on Tcl? A couple of
weeks ago I happily added to a project the ability of getting citations
through a DOI (Digital Object Identification) resolver and serve them
with a Rivet web service and Ajax to the clients. It was really cool.
Yesterday it stopped working with this protocol handshake error

error flushing "sock55f49a92e3e0": connection reset by peer
while evaluating {source doi.tcl }
SSL channel "sock55f49a92e3e0": error: sslv3 alert handshake failure

As a matter of fact it stopped working outside Rivet and on every
machine I could test it on (suggesting something had changed on the
server side). This is a simple standalone test script


package require http
package require tls

::http::register https 443 [list ::tls::socket -ssl3 false \
                                               -ssl2 false \
                                               -tls1 true]

set doi "https://dx.doi.org/10.1073/pnas.0910249107"

set token [::http::geturl $doi -headers "Accept application/x-bibtex"]

  The error occurs with both tls 1.6 and 1.7 (the latter has SSL3
disabled by default). I gather from what I read on the internet that
debugging SSL/TLS negotiations is often hard and error messages are
often misleading. This might be the case because ssl3 is disabled.
Furthermore testing the resolver with curl works as expected, so at the
moment I'm clueless.

really disappointing. Any suggestion?

  -- Massimo


Re: SSL/TLS

Posted by Brice Hamon <no...@gmail.com>.
Hi Massimo,

We do things like that:

http::register https 443 [list ::tls::socket -require 1 \
    -cadir $data_(cert_) -ssl2 0 -ssl3 0 -tls1 1]

I hope it helps.
Brice.



Re: SSL/TLS

Posted by Harald Oehlmann <ha...@elmicron.de>.
Hi Massimo,

yes, TLS is no fun if it doesn't work.

I always look to:

https://wiki.tcl-lang.org/page/tls

so try:

::tls::init -tls1 1 -tls1.2 0 -tls1.1 0 -ssl3 0 -ssl2 0

Nothing more from my side, sorry,
Harald
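
One way to turn the suggestions in this thread into a systematic check, as an added example that is not code from any of the posters or from the tls package itself: a Tcl script that attempts a handshake with each TLS version enabled in isolation, with and without SNI, and prints what the server accepts. The procedure name probe_one and the use of -servername are assumptions not taken from the thread; -tls1.1 and -tls1.2 require a tls package build that knows those options.

```tcl
# Added diagnostic sketch (not from the thread). Needs Tcl 8.5+ and the tls package.
# It only tests protocol negotiation: certificate verification is NOT enabled
# here. A production client should also pass -require 1 with -cadir/-cafile,
# as in Brice's reply.
package require tls

# Attempt one handshake with exactly one protocol version enabled.
# proto is one of -tls1, -tls1.1, -tls1.2; sni is a boolean.
# Returns a result string and never throws.
proc probe_one {host port proto sni} {
    set opts [dict create -ssl2 0 -ssl3 0 -tls1 0 -tls1.1 0 -tls1.2 0]
    dict set opts $proto 1
    if {$sni} {
        # Send the Server Name Indication extension (assumption: the
        # installed tls package supports -servername).
        dict set opts -servername $host
    }
    set chan ""
    set failed [catch {
        set chan [::tls::socket {*}$opts $host $port]
        ::tls::handshake $chan          ;# throws if negotiation fails
        set st [::tls::status $chan]
        set cipher [expr {[dict exists $st cipher] ? [dict get $st cipher] : "?"}]
        set msg "ok, cipher $cipher"
    } err]
    if {$chan ne ""} { catch {close $chan} }
    if {$failed} { return "FAILED: $err" }
    return $msg
}

# Run as: tclsh probe.tcl <host> ?port?
if {[info exists argv0] && [info script] eq $argv0} {
    lassign $argv host port
    if {$host eq ""} {
        puts stderr "usage: $argv0 host ?port?"
        exit 2
    }
    if {$port eq ""} { set port 443 }
    foreach proto {-tls1 -tls1.1 -tls1.2} {
        foreach sni {0 1} {
            puts [format "%-8s sni=%d  %s" $proto $sni \
                      [probe_one $host $port $proto $sni]]
        }
    }
}
```

A row that succeeds only with a newer protocol version, or only with sni=1, shows which option the ::http::register line is missing.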
