Hi Everyone!

I am pleased to announce the release of the first version of the mtls
package, which provides TLS support for Tcl sockets.

Here are its features:

* uses the [mbedTLS](https://github.com/Mbed-TLS/mbedtls) library with
minimal size
* interface is compatible with tcltls, most of the existing code will
work as is, without modifications
* uses CA certificates from the operating system on Linux/Windows/MacOS
platforms
* uses only modern TLS1.2/TLS1.3 protocols, which are more than
sufficient for successful connections to most services
* certificate and hostname verification, SNI are enabled by default
* multi-platform, Linux/Windows/MacOS supported
* possibility to exclude the client or server part to minimize the size
even more
* easy to build, no 3rd-party libraries, everything you need to build is
in this repository
* was created as a base for the use of SSL/TLS alternative backends

The homepage is at: https://github.com/chpock/tclmtls

Please fill free to check/build/use it. Any feedback is welcome!

--
Best regards,
Konstantin Kushnir

Am 28.04.2024 um 23:39 schrieb Kushnir Konstantin:
> Hi Everyone!
>
> I am pleased to announce the release of the first version of the mtls
> package, which provides TLS support for Tcl sockets.
>
> Here are its features:
>
> * uses the [mbedTLS](https://github.com/Mbed-TLS/mbedtls) library with
> minimal size
> * interface is compatible with tcltls, most of the existing code will
> work as is, without modifications
> * uses CA certificates from the operating system on Linux/Windows/MacOS
> platforms
> * uses only modern TLS1.2/TLS1.3 protocols, which are more than
> sufficient for successful connections to most services
> * certificate and hostname verification, SNI are enabled by default
> * multi-platform, Linux/Windows/MacOS supported
> * possibility to exclude the client or server part to minimize the size
> even more
> * easy to build, no 3rd-party libraries, everything you need to build is
> in this repository
> * was created as a base for the use of SSL/TLS alternative backends
>
> The homepage is at: https://github.com/chpock/tclmtls
>
> Please fill free to check/build/use it. Any feedback is welcome!
>

Great !
Would that be a candidate to be included in the TCL Core?
Take care,
Harald

Am 29.04.24 um 07:17 schrieb Harald Oehlmann:
> Am 28.04.2024 um 23:39 schrieb Kushnir Konstantin:
>> Hi Everyone!
>>
>> I am pleased to announce the release of the first version of the mtls
>> package, which provides TLS support for Tcl sockets.
>
> Great !
> Would that be a candidate to be included in the TCL Core?

While I like core features, I think this is a bad idea, given the pace
of Tcl development. If a security hole emerges, how long will it take
Tcl to release a fix??

Christian

On 4/29/2024 2:48 AM, Christian Gollwitzer wrote:
>
> While I like core features, I think this is a bad idea, given the pace
> of Tcl development. If a security hole emerges, how long will it take
> Tcl to release a fix??
>
>     Christian
>

Very good point. Perhaps a good candidate for tcllib?

On 29.04.2024 19:40, saito wrote:
> On 4/29/2024 2:48 AM, Christian Gollwitzer wrote:
>>
>> While I like core features, I think this is a bad idea, given the pace
>> of Tcl development. If a security hole emerges, how long will it take
>> Tcl to release a fix??
> Very good point.  Perhaps a good candidate for tcllib?

I don't think it's possible to add things like TLS support to the Tcl
core. There is a wide range of issues: optimized encryption routines are
platform-specific, overly sensitive to security, and must be carefully
updated. And the main issue is license. The mtls module uses mbedTLS
library which is distributed under Apache2.0 and GPL, but Tcl uses own
BSD-like license.

For tcllib it is also not suitable. The main issue is the license
incompatibility. And also, tcllib is mainly for Tcl modules written in
Tcl, but this module is written in C.

I doubt that the TLS solution will be "official" someday. It looks like
it will always be out-of-box provided by semi-official and custom Tcl
distributions.

--
Best regards,
Konstantin Kushnir

On 29.04.2024 19:40, saito wrote:
> On 4/29/2024 2:48 AM, Christian Gollwitzer wrote:
>>
>> While I like core features, I think this is a bad idea, given the pace
>> of Tcl development. If a security hole emerges, how long will it take
>> Tcl to release a fix??
> Very good point.  Perhaps a good candidate for tcllib?

I don't think it's possible to add things like TLS support to the Tcl
core. There is a wide range of issues: optimized encryption routines are
platform-specific, overly sensitive to security, and must be carefully
updated. And the main issue is license. The mtls module uses mbedTLS
library which is distributed under Apache2.0 and GPL, but Tcl uses own
BSD-like license.

For tcllib it is also not suitable. The main issue is the license
incompatibility. And also, tcllib is mainly for Tcl modules written in
Tcl, but this module is written in C.

I doubt that the TLS solution will be "official" someday. It looks like
it will always be out-of-box provided by semi-official and custom Tcl
distributions.

--
Best regards,
Konstantin Kushnir

Am 29.04.2024 um 21:48 schrieb Konstantin Kushnir:
> On 29.04.2024 19:40, saito wrote:
>> On 4/29/2024 2:48 AM, Christian Gollwitzer wrote:
>>>
>>> While I like core features, I think this is a bad idea, given the
>>> pace of Tcl development. If a security hole emerges, how long will it
>>> take Tcl to release a fix??
>> Very good point.  Perhaps a good candidate for tcllib?
>
> I don't think it's possible to add things like TLS support to the Tcl
> core. There is a wide range of issues: optimized encryption routines are
> platform-specific, overly sensitive to security, and must be carefully
> updated. And the main issue is license. The mtls module uses mbedTLS
> library which is distributed under Apache2.0 and GPL, but Tcl uses own
> BSD-like license.
>
> For tcllib it is also not suitable. The main issue is the license
> incompatibility. And also, tcllib is mainly for Tcl modules written in
> Tcl, but this module is written in C.
>
> I doubt that the TLS solution will be "official" someday. It looks like
> it will always be out-of-box provided by semi-official and custom Tcl
> distributions.
>

Thanks, Konstantin, for your valuable contribution.
I thought about that, as TLS support is practically always required and
it would enable many applications out of the box.

The plugging of svgnano into Tk was a big success. We are now able to
have scalable images and a scalable gui. To have a difficult feature
always available is just a win, even in a restraint manner.

Thank you for all,
Harald

Great work Konstantin.

Just a heads up that I had to include stdarg.h in mtlsInt.h to get it to work for me. Here's how I built it:

git clone https://github.com/chpock/tclmtls.git
cd tclmtls
git submodule update --init --recursive

cd mbedtls
mkdir build
cd build
cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On ..
cmake --build .
sudo cmake --install .
cd ../..

/configure
make
sudo make install

Just a heads up that "-require false" option does not seem to work for me. I confirmed that it is set but self-signed certificate verification still fails. Works with latest tcltls from fossil.

package require http
package require tls
::http::register https 4433 [list ::tls::socket -require false -autoservername true]

Please note that I still have to include stdarg.h while building with TCL 9 on linux to work for me. It compiles but when you try to load the package it complains about va_start.

Again, great work!

On Fri, 10 May 2024 07:18:40 +0000
neophytos@gmail.com (neophytos) wrote:

> Just a heads up that "-require false" option does not seem to work for me. I confirmed that it is set but self-signed certificate verification still fails. Works with latest tcltls from fossil.

This issue is not so trivial and depends on TLS implementation in
TLS-backend. I had to fix it by patching mbedTLS source code.

There is now file INTERNAL.txt with description of files related to
the supplied mbedTLS.

> Please note that I still have to include stdarg.h while building with TCL 9 on linux to work for me. It compiles but when you try to load the package it complains about va_start.

Honestly, I haven't tried to build it with Tcl9. But now I have added
changes for a successful build with Tcl9. The current main branch
should work with Tcl9 without modifications.

> Again, great work!

Thanks for testing!

--
Best regards,
Konstantin Kushnir

Not sure if my last message went through. I said that both issues have been fixed and great documentation with INTERNAL.txt. Thanks again.

> This issue is not so trivial and depends on TLS implementation in TLS-backend. I had to fix it by patching mbedTLS source code.

"-require 0" option works now. Thanks.

> There is now file INTERNAL.txt with description of files related to
the supplied mbedTLS.

That's nice, cool.

> I have added changes for a successful build with Tcl9. The current main branch should work with Tcl9 without modifications.

It does work now. Thanks again.