
TLS on Windows


Jonathan Kelly

Apr 11, 2018, 11:11:18 PM
Hi,

a long time ago ... I raised an issue with TLS on Windows...

https://groups.google.com/forum/#!searchin/comp.lang.tcl/TLS$20Windows%7Csort:date/comp.lang.tcl/GOMEWChoGjI/1SgS4qBohH0J

sorry for the google groups reference ... but that was the only way to
reference it

Anyway, I have been using the work around since then to access our
bank's credit card payment system using this ...

::http::register https 443 [list ::tls::socket -tls1 1 -tls1.1 0 -tls1.2 0 -ssl2 0 -ssl3 0 ]

Now, of course, the bank is going to disable tls1 access.

Does anyone know if this is fixed?

I just downloaded MagicSplat Windows distribution but that doesn't
include TLS. bleugh.

Does anyone know where I can get a compiled version of the latest
TLS-1.7.16 for Windows 64? I can compile TCL using cygwin tools ... but
never had much luck compiling lib packages that have code in them ... I'm
just digging into this in the meantime.

thanks
Jonathan.

Ashok

Apr 12, 2018, 12:49:28 AM
You have two alternatives.

One is to use the tls_socket command from TWAPI (which comes with
the magicsplat distribution) instead of the TLS extension.

For example,

(ashok) 1 % package require twapi
4.2.13
(ashok) 2 % package require http
2.8.12
(ashok) 3 % http::register https 443 twapi::tls_socket
443 twapi::tls_socket
(ashok) 4 % set tok [http::geturl https://www.example.com]
::http::1
(ashok) 5 % ::http::data $tok
<!doctype html>
<html>
....

The advantage of twapi::tls_socket over the TLS extension is that
it uses the Windows certificate store and thus automatically takes into
account new root certificates, expired certs etc. With the TLS extension
on Windows, you need to keep root certs updated yourself by some means
and explicitly check server certs are valid, not expired etc. You may or
may not care :-) The disadvantage of TWAPI is of course that it is
Windows only. (Full disclosure - I am the author of both twapi and the
magicsplat distro).

The other alternative, if you want to stick to the TLS extension, I
believe the BAWT Windows distribution will have what you need. In fact,
it also makes it easy to build the whole enchilada yourself with the
MingW tools.

/Ashok
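As an added example (not Ashok's, twapi's or tcltls's own code) of the extra work Ashok says the TLS extension needs on Windows, the registration below makes the http package require a verified chain against a CA bundle, and the hypothetical helper probe_tls opens a connection directly and reports what was negotiated. The bundle path is a constructed placeholder; the -servername option and the cipher/subject keys of tls::status are assumed from tcltls 1.7, and the CN check is a minimal stand-in for hostname verification, which tcltls 1.7 does not do for you.

```tcl
package require http
package require tls

# Constructed placeholder: point this at a current CA bundle you maintain.
set cafile "C:/tcl/certs/cacert.pem"

# Hardened registration: TLS 1.2 only, chain verification required.
# Without -require 1 the TLS extension accepts any certificate at all.
::http::register https 443 [list ::tls::socket \
    -tls1 0 -tls1.1 0 -tls1.2 1 -ssl2 0 -ssl3 0 \
    -require 1 -cafile $cafile]

# Open a raw TLS connection, force the handshake, and return a dict with
# the negotiated cipher, the peer subject and a crude CN-vs-host check.
proc probe_tls {host port cafile} {
    set chan [::tls::socket -tls1 0 -tls1.1 0 -tls1.2 1 -ssl2 0 -ssl3 0 \
                  -require 1 -cafile $cafile -servername $host $host $port]
    # Blocking handshake so a bad or expired chain fails here, not on first read.
    fconfigure $chan -blocking 1
    ::tls::handshake $chan
    set st [::tls::status $chan]
    close $chan
    # tcltls 1.7 does not match the certificate to the host name itself;
    # this looks only at the subject CN (no SAN handling), so treat a
    # mismatch as "investigate", not as proof of a problem.
    set cn ""
    regexp {CN=([^/,]+)} [dict get $st subject] -> cn
    return [dict create \
        cipher     [dict get $st cipher] \
        subject    [dict get $st subject] \
        cn_matches [string equal -nocase $cn $host]]
}

puts [probe_tls www.example.com 443 $cafile]
```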

Jonathan Kelly

Apr 12, 2018, 2:13:53 AM
Thanks Ashok,

I got close to compiling tcltls myself... just getting the dreaded "a
dependent library could not be loaded". I'm going to try and get that
working, partly as a challenge, and partly because it would be good to
know I can build all my dependencies myself.

If that doesn't sort out, I'll try twapi for sure.

Jonathan.

Jonathan Kelly

Apr 12, 2018, 2:52:55 AM
So, I have compiled tcl-8.6.8 and tcltls-1.7.6 and the result seems to
be the same...

##
package require http
package require tls

# TLS 1.1 only; TLS 1.0, TLS 1.2 and the SSL protocols are all disabled.
::http::register https 443 [list ::tls::socket -tls1 0 -tls1.1 1 -tls1.2 0 -ssl2 0 -ssl3 0 ]

set tok [::http::geturl "https://afleventoffice.com.au/contact.asp"]
##
gives ...

connect failed due to unexpected EOF
while executing ...

I get the same result for "-tls1.2 1" and the ssl2 and ssl3 options give
"protocol not supported"

I note that wget-ing the URL works (that's cygwin wget).

Jonathan.

Ashok

Apr 12, 2018, 9:37:48 AM
twapi::tls_socket works as well so the issue is probably with tls 1.7.6

The current version at http://core.tcl.tk/tcltls/wiki/Download is 1.7.16
so perhaps you could give that a go.

/Ashok

Jonathan Kelly

Apr 12, 2018, 5:03:00 PM
On 12/04/18 23:37, Ashok wrote:
> twapi::tls_socket works as well so the issue is probably with tls 1.7.6
>

Yes, and I can confirm the twapi binary package works with my cygwin
compiled tcl.

I'm going to see if I can get tls to compile using libressl - no promises. :)

Jonathan

Jonathan Kelly

Apr 12, 2018, 11:47:51 PM
On 12/04/18 14:49, Ashok wrote:
Hi Ashok,

do we know for certain that that is NOT using TLS1.0 ...

thanks
Jonathan.

Ashok

Apr 13, 2018, 4:00:20 AM
I'm not sure what "that" refers to here but if you are referring to the
BAWT distribution, no, I'm not sure what version is in there.

I'm afraid I've stopped tracking the TLS extension since the 1.6.x
releases as I've switched to twapi so can't offer any suggestions other
than to try the latest 1.7.16 version to see if the issue is resolved.
If not, log a bug or look for rkeene on the Tcl'ers chat. He is usually
very responsive if he is available. But check 1.7.16 first so as to not
waste time chasing what's been already fixed.

/Ashok

Jonathan Kelly

Apr 13, 2018, 7:01:13 AM
No, the "that" I was asking about was twapi. Do we know it's using 1.1
or 1.2 for certain? (It could be using 1.0, and that works, even with
tls - it's unclear - to me at least - if the issue is with tls or tcl).

Thanks
Jonathan.

Alexandru

Apr 13, 2018, 8:25:06 AM
Hi Ashok,

You might just have made my day. I wasn't aware of this advantage of TWAPI. I just tested it, and indeed, I don't have to specify the CA file anymore. Furthermore, I also don't have to specify the usual options -tls1, -tls1.1, -tls1.2, -ssl2, -ssl3, right?

May I raise one more question? I'm having trouble communicating with my server through a proxy. It seems to be a protocol problem (unknown protocol). I tried all possible combinations of -tls and -ssl. Do you have a solution using twapi for this?

Ashok

Apr 13, 2018, 11:41:21 AM
On 4/13/2018 4:31 PM, Jonathan Kelly wrote:
>
> No, the "that" I was asking about was twapi. Do we know it's using 1.1
> or 1.2 for certain. (It could be using 1.0, and that works, even with
> tls - it's unclear - to me at least - if the issue is with tls or tcl).
>
> Thanks
> Jonathan.

twapi's tls_socket uses the schannel CSP on Windows. SSL/TLS version
selection is controlled on a per-system basis through the registry (and
also dependent on OS version). See
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-10

/Ashok

Ashok

Apr 13, 2018, 11:48:48 AM
On 4/13/2018 5:55 PM, Alexandru wrote:
> May I raise one more question? I'm having trouble communicating with my server through a proxy. It seems to be a protocol problem (unknown protocol). I tried all possible combinations of -tls and -ssl. Do you have a solution using twapi for this?
>

I would strongly suggest that this is not a twapi or tls issue but
rather the lack of some redirection or similar in the http package. I am
actually not even sure how https proxying would work. My guess is the
browser actually uses the HTTP CONNECT method to the proxy and then
tunnels https through the proxy server to the remote server. I don't
know much about this, but if that is the case I'm fairly sure the http
package does not support this.

I would suggest looking at the network trace in Chrome developer tools
window to see the sequence of connections the browser is making.

/Ashok
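The CONNECT tunnel Ashok describes can be driven by hand from Tcl when the http package will not do it. The following is an added example (not Ashok's, twapi's or the http package's code): the hypothetical helper https_via_proxy asks the proxy for a tunnel, checks the status line, and only then layers TLS onto the channel with verification on, so the proxy never sees plaintext application data. The proxy address and CA bundle path are constructed placeholders; tls::import with -servername is assumed from tcltls 1.7.

```tcl
package require tls

# Open a CONNECT tunnel through an HTTP proxy and start TLS on top of it.
proc https_via_proxy {proxyhost proxyport host port cafile} {
    set chan [socket $proxyhost $proxyport]
    fconfigure $chan -translation crlf -blocking 1
    puts $chan "CONNECT $host:$port HTTP/1.1"
    puts $chan "Host: $host:$port"
    puts $chan ""
    flush $chan
    # The proxy answers with a status line; anything but 2xx means no tunnel.
    set status [gets $chan]
    if {![regexp {^HTTP/1\.[01] 2\d\d} $status]} {
        close $chan
        error "proxy refused CONNECT: $status"
    }
    # Drain the proxy's own response headers; the blank line ends them.
    while {[gets $chan line] > 0} {}
    # From here the channel is end to end; switch to binary and negotiate
    # TLS 1.2 with the remote host, requiring a verified chain.
    fconfigure $chan -translation binary
    ::tls::import $chan -tls1 0 -tls1.1 0 -tls1.2 1 -ssl2 0 -ssl3 0 \
        -require 1 -cafile $cafile -servername $host
    ::tls::handshake $chan
    return $chan
}

# Constructed addresses: replace with the real proxy and CA bundle.
set chan [https_via_proxy proxy.example.internal 8080 \
              www.example.com 443 "C:/tcl/certs/cacert.pem"]
puts -nonewline $chan "GET / HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
flush $chan
puts [read $chan]
close $chan
```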

Jonathan Kelly

Apr 14, 2018, 12:56:48 AM
for completeness ... I disabled TLS 1.0 and explicitly enabled TLS 1.1
and 1.2 as per Ashok's link and various Google searches ... I hate Windows.

Anyway, I found this site https://www.howsmyssl.com/

and assuming it is doing what it appears to do, the twapi is using TLS
1.2 now.

from the https get

<p><span class="label okay">Good</span> Your client is using
TLS 1.2, the most modern version of the encryption
protocol. It gives you access to the fastest, most secure
encryption possible on the web.</p>

Jonathan.
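The schannel registry settings Ashok points to, and the change Jonathan describes making, can be audited from Tcl itself. The following is an added example (not from the thread, not twapi's code) that uses Tcl's own registry package to report, per protocol and side, the Enabled and DisabledByDefault values under the SCHANNEL\Protocols key named on the Microsoft page. An absent value means the OS default applies, which varies by Windows version, so the script reports "OS default" rather than guessing.

```tcl
package require registry

# Key from the Microsoft TLS registry settings page linked above.
set base {HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols}

# Read a DWORD, returning "" when the key or value is absent: absent means
# "OS default", which is not the same thing as "disabled".
proc reg_dword {key name} {
    if {[catch {registry get $key $name} val]} { return "" }
    return $val
}

# Return a dict proto -> side -> effective state, derived only from what is
# actually stored: Enabled=0 wins, then DisabledByDefault!=0, else enabled.
proc schannel_audit {base} {
    set report {}
    foreach proto {"SSL 2.0" "SSL 3.0" "TLS 1.0" "TLS 1.1" "TLS 1.2"} {
        foreach side {Client Server} {
            set key "$base\\$proto\\$side"
            set enabled [reg_dword $key Enabled]
            set dbd     [reg_dword $key DisabledByDefault]
            if {$enabled eq "" && $dbd eq ""} {
                set state "OS default"
            } elseif {$enabled ne "" && $enabled == 0} {
                set state "disabled"
            } elseif {$dbd ne "" && $dbd != 0} {
                set state "not offered by default"
            } else {
                set state "enabled"
            }
            dict set report $proto $side $state
        }
    }
    return $report
}

# twapi::tls_socket is a client, so the Client rows are the ones it follows.
dict for {proto sides} [schannel_audit $base] {
    dict for {side state} $sides {
        puts [format "%-8s %-6s %s" $proto $side $state]
    }
}
```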