Secure Sockets Layer and Transport Layer Security Channels
starttls CHAN ?-server? ?options? |
tls_close CHAN ?DIRECTION? |
tls_handshake CHAN |
tls_socket ?options? REMOTEADDR PORT |
tls_socket -server SERVERCALLBACK ?options? PORT |
tls_state CHAN |
This module is still experimental and liable to change.
This package provides a Tcl channel facility that implements the Secure Sockets Layer / Transport Layer Security (collectively referred to as TLS) on top of the Windows Security Service Provider Interface (SSPI) interface.
The tls_socket command creates a new TCP/IP based client connection or a listening server socket. The starttls command wraps an existing Tcl bidirectional channel into a TLS channel. The tls_handshake command completes negotiation on a TLS channel. The current channel state can be retrieved with tls_state. Channels are closed using either the tls_close command or the Tcl close command. The former permits half-closing of the output side of the channel which the latter does not allow for reflected channels.
-credentials CREDENTIALS | Specifies the credentials to be used for the connection. See tls_socket for details. |
-peersubject PEERNAME | Specifies the subject name to be verified on the remote certificate. Must be specified for client side connections and must not be specified for server-side connections. |
-verifier VERIFYCOMMAND | Specifies a callback to invoke to verify remote credentials. See tls_socket for details. |
-credentials CREDENTIALS | Specifies the credentials to be used for the connection. CREDENTIALS should be credentials returned from a call to sspi_acquire_credentials using the -package unisp option. For client-side connections, this option only needs to be specified when connecting to servers that require clients to be authenticated. For server-side connections, this option is usually required for the connection to complete as most remote clients will require validation of server certificates. |
-peersubject PEERNAME | Specifies the subject name to be verified on the remote certificate. Only used for client-side connections to verify the name in the certificate returned by the remote server. If unspecified, defaults to REMOTEADDR. This option is silently ignored for server-side connections. |
-requestclientcert | Indicates that the client should be asked to send its certificate. Only applicable to server side sockets and is ignored if -server is not specified. Note that this option only results in the client being requested for its certificate. Unlike server certificates, client certificates are not validated by default. Applications must themselves check that a certificate was received and validate it, generally by specifying a verification callback via the -verifier option. |
-verifier VERIFYCOMMAND | Specifies a callback to invoke to verify remote
credentials. The VERIFYCOMMAND command prefix is
invoked with two additional parameters - the channel and a handle
to the security context for the connection.
If the command returns a true value,
the connection is completed. For any other values or errors, the
connection is aborted. The callback can retrieve the remote
certificate from the passed security context with the sspi_remote_cert command and use cert_tls_verify to validate it. For client-side connections, if this option is specified and is not empty, automatic verification of the server certificate is not done. For server-side connections, automatic verification of client certificates is never done and must be done through this callback. |
-credentials | Returns the handle to the local credentials for the channel. |
-context | Returns the handle to the security context for the channel. |
-verifier | Returns the verification callback for the channel. |
Copyright © 2013 Ashok P. Nadkarni