TLS on Windows

JonoK
Mar 23, 2015, 8:00:01 PM

Hi,

I'm currently using an old WinTcl build, but I need to upgrade to TLS instead of using SSL.

I have built Tcl/Tk 8.6.4 using the Cygwin MinGW 32-bit tools and that seems to work well, no problems. I use this build for other things with no problems.

I have downloaded and compiled openssl-1.0.2 and tls-1.6.4 but I'm having no luck.

I can get an http page so the infrastructure is working, but when I try to use tls it gives me an EOF error.

Same error whether I use the -tls1 option or not.

Any help tracking down the problem would be greatly appreciated.

===
#!tclsh86

package require http
package require tls

#::http::register https 443 [list ::tls::socket -tls1 true]
::http::register https 443 ::tls::socket

set tok [::http::geturl https://www.afleventoffice.com.au/2010.asp]
puts "[http::data $tok]"

===
$ tclsh86.exe tt1.tcl
connect failed due to unexpected EOF
while executing
"::http::geturl https://www.afleventoffice.com.au/2010.asp"
invoked from within
"set tok [::http::geturl https://www.afleventoffice.com.au/2010.asp]"
(file "tt1.tcl" line 9)

Gerald W. Lester
Mar 23, 2015, 9:00:54 PM

On 3/23/15 6:59 PM, JonoK wrote:
> package require http
> package require tls
>
> #::http::register https 443 [list ::tls::socket -tls1 true]
> ::http::register https 443 ::tls::socket
>
> set tok [::http::geturl https://www.afleventoffice.com.au/2010.asp]
> puts "[http::data $tok]"

Tried this on OSX with 8.6 (ActiveState build of 8.6.3) and 8.5 (8.5.5).

8.6 fails but 8.5 works.


--
+------------------------------------------------------------------------+
| Gerald W. Lester, President, KNG Consulting LLC |
| Email: Gerald...@kng-consulting.net |
+------------------------------------------------------------------------+

JonoK
Mar 24, 2015, 1:59:24 AM

On Tuesday, 24 March 2015 12:00:54 UTC+11, Gerald W. Lester wrote:
> On 3/23/15 6:59 PM, JonoK wrote:
> > package require http
> > package require tls
> >
> > #::http::register https 443 [list ::tls::socket -tls1 true]
> > ::http::register https 443 ::tls::socket
> >
> > set tok [::http::geturl https://www.afleventoffice.com.au/2010.asp]
> > puts "[http::data $tok]"
>
> Tried this on OSX with 8.6 (ActiveState build of 8.6.3) and 8.5 (8.5.5).
>
> 8.6 fails but 8.5 works.
>
>
> --

Well, I tried rebuilding with 8.5, but get the same result. :(

I'll give the ActiveState build a go... which I did. I got it to work using 8.6.3.

pal...@yahoo.com
Mar 24, 2015, 8:19:37 AM

It appears TLS 1.6.4 is broken in some form. Trying various combinations:

With TLS 1.6,

Tcl 8.6.0 works with http 2.8.5 (part of Tcl 8.6.0) AND http 2.8.8 (part of Tcl 8.6.4). Same is true with Tcl 8.6.4.

With TLS 1.6.4,

Using Tcl 8.6.0 http 2.8.5 results in a CPU spin (I suspect an EOF condition is not handled). Tcl 8.6.4 + http 2.8.8 results in connect failed due to EOF (which is what you saw).

I don't know what version of TLS you have with Active Tcl 8.6.3. It might still be TLS 1.6 which is why it works.

Dunno who the TLS maintainer is (or even if there is one...)

/Ashok

Gerald W. Lester
Mar 24, 2015, 8:27:27 AM

On 3/24/15 7:19 AM, pal...@yahoo.com wrote:
> On Tuesday, March 24, 2015 at 11:29:24 AM UTC+5:30, JonoK wrote:
>> On Tuesday, 24 March 2015 12:00:54 UTC+11, Gerald W. Lester wrote:
>>> On 3/23/15 6:59 PM, JonoK wrote:
>>>> package require http
>>>> package require tls
>>>>
>>>> #::http::register https 443 [list ::tls::socket -tls1 true]
>>>> ::http::register https 443 ::tls::socket
>>>>
>>>> set tok [::http::geturl https://www.afleventoffice.com.au/2010.asp]
>>>> puts "[http::data $tok]"
>>>
>>> Tried this on OSX with 8.6 (ActiveState build of 8.6.3) and 8.5 (8.5.5).
>>>
>>> 8.6 fails but 8.5 works.
>>>
>>>
>>> --
>>
>> Well, I tried rebuilding with 8.5, but get the same result. :(
>>
>> I'll give Active state build a go... which I did. I got it to work using 8.6.3.
> It appears TLS 1.6.4 is broken in some form. Trying various combinations,
>
> With TLS 1.6,
>
> Tcl 8.6.0 works with http 2.8.5 (part of Tcl 8.6.0) AND http 2.8.8 (part
> of Tcl 8.6.4). Same is true with Tcl 8.6.4
>
> With TLS 1.6.4,
>
> Using Tcl 8.6.0 http 2.8.5 results in a CPU spin (I suspect an EOF
> condition is not handled). Tcl 8.6.4 + http 2.8.8 results in connect failed
> due to EOF (which is what you saw).
>
> I don't know what version of TLS you have with Active Tcl 8.6.3. It might
> still be TLS 1.6 which is why it works.

The 8.6.3 did not work; it is using TLS 1.6.4.

As soon as I get a chance I'll do a "teacup update" and see if there is a
newer tls version.

pal...@yahoo.com
Mar 25, 2015, 2:14:20 AM

OK, here is the magic incantation with TLS 1.6.4. ALL protocols other than TLS1 must be set to 0. I had already tried setting the SSL options to 0 since many web sites have turned off those protocols due to Heartbleed. But for afleventoffice, even tls1.1 and 1.2 must be explicitly set to 0 (they default to 1). Then it all works, as evinced by the session below. I verified this behaviour using the openssl command line client as well. Not sure why that particular site behaves in this manner since other https sites have no issues with newer tls versions being enabled. My guess is their version sees these unknown versions in the negotiation and rejects immediately. TLS 1.6 had no such issues because it did not have support for the 1.1 and 1.2 protocol versions.

The infinite loops etc. I described earlier are triggered by the protocol resets and something that still needs fixing in Tcl or TLS. But that was a red herring - they were triggered by the actual connect failures, not the other way around.

/Ashok

% http::register https 443 tls::socket
443 tls::socket
% tls::init -tls1 1 -ssl2 0 -ssl3 0 -tls1.1 0 -tls1.2 0
-tls1 1 -ssl2 0 -ssl3 0 -tls1.1 0 -tls1.2 0
% set tok [::http::geturl https://www.afleventoffice.com.au/2010.asp]
::http::2
% http::status $tok
ok
% http::data $tok
<html>
<head>
<title>AFL Event Office</title>
<meta http-equiv="REFRESH" content="0;url='grand_final_packages.asp'">
</head>
<body>
</body>
</html>
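An added example, not code from this thread or from the tls package, that applies Ashok's finding per connection through http::register instead of process-wide with tls::init: it tries a modern protocol profile first and falls back to a TLS 1.0-only handshake only when the server drops the negotiation with the EOF seen above. The TLS_CAFILE environment variable and the profile names are assumptions.

```tcl
#!/usr/bin/env tclsh
# Added example, not code from the thread.  Fetches an HTTPS URL with the
# Tcl tls package, trying a modern protocol set first and falling back to a
# TLS 1.0-only handshake only when the server drops the negotiation with an
# EOF, as the thread reports for www.afleventoffice.com.au with tls 1.6.4.
package require http
package require tls

# Certificate verification is off by default in tls::socket; enable it when a
# CA bundle path is supplied (TLS_CAFILE is an assumed environment variable).
set verify {}
if {[info exists ::env(TLS_CAFILE)]} {
    set verify [list -require 1 -cafile $::env(TLS_CAFILE)]
}

# Protocol profiles, most secure first.  Passing them per connection through
# http::register keeps the downgrade scoped to this fetch instead of changing
# process-wide defaults with tls::init.
set profiles {
    modern {-ssl2 0 -ssl3 0 -tls1 0 -tls1.1 1 -tls1.2 1}
    legacy {-ssl2 0 -ssl3 0 -tls1 1 -tls1.1 0 -tls1.2 0}
}

proc fetch {url} {
    global profiles verify
    foreach {name opts} $profiles {
        # http::geturl appends "-async host port" to the registered command.
        ::http::register https 443 [list ::tls::socket {*}$verify {*}$opts]
        # A version-intolerant server surfaces as an error from geturl
        # ("connect failed due to unexpected EOF"), so catch and try the next.
        if {[catch {::http::geturl $url -timeout 15000} tok]} {
            puts stderr "$name profile rejected by $url: $tok"
            continue
        }
        set status [::http::status $tok]
        if {$status eq "ok"} {
            set body [::http::data $tok]
            ::http::cleanup $tok
            return [list $name $body]
        }
        puts stderr "$name profile: status $status ([::http::error $tok])"
        ::http::cleanup $tok
    }
    error "every protocol profile was rejected by $url"
}

lassign [fetch https://www.afleventoffice.com.au/2010.asp] used body
puts "negotiated with the '$used' profile"
puts $body
```

Which profile ends up being used is printed, so a fetch that silently needed the legacy profile is visible in the output rather than hidden behind a global tls::init.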

Don Porter
Mar 25, 2015, 8:16:09 AM

On 03/25/2015 02:14 AM, pal...@yahoo.com wrote:
> OK, here is the magic incantation with TLS 1.6.4....

> The infinite loops etc. I described earlier are triggered by the protocol
> resets and something that still needs fixing in Tcl or TLS. ...

You've worked hard to gain useful knowledge. Please don't let it
disappear into the mist.

Create a ticket here:

http://core.tcl.tk/tcl/tktnew

with detailed instructions on how to reproduce the problems that need
fixing.

If the trouble's really in tls, we'll pass that on.

--
| Don Porter Applied and Computational Mathematics Division |
| donald...@nist.gov Information Technology Laboratory |
| http://math.nist.gov/~DPorter/ NIST |
|______________________________________________________________________|

JonoK
Mar 25, 2015, 9:31:39 PM

Thanks Ashok for your work on this!!

I can confirm this fix/workaround(?) works with my cygwin mingw (i686-pc-mingw32) compiled version.

tcl-8.6.4
tls-1.6.4
openssl-1.0.2

Jon