Article with message-id: <[email protected]>

From: Brian <[email protected]>
Newsgroups: comp.lang.tcl
Subject: ANNOUNCE: TclTLS 2.0b2 Release
Date: Sat, 11 Oct 2025 20:13:47 -0500

This is the beta 2 release of the TclTLS v2.0 package. There have been 
numerous bug fixes since the beta 1 release. The plan is to do the final 
release in a week, so please test and file any bug reports at the below 
sites. See below for links to the files and the release notes. Thanks.


    TclTLS 2.0 Release Notes:


      *Notable New Features:*

- Fully TEA compliant build system has been added back. Supports 
Windows, Linux, Mac, BSD, etc.
- Compatible with OpenSSL 3.0+ and TCL 9.0 including build-info command.
- Can use MS Windows Certificate Store on OpenSSL 3.2 or later.
- Greatly expanded the status returned by the tls::status command and 
also added the new tls::connection command. The former returns SSL and 
certificate status while the latter returns the SSL status, cipher, and 
session info.
- Added missing TLS 1.3 functionality, set cipher suites, ALPN, SNI, 
security level, etc.
- Error handling improvements, more specific error status, more 
connection status via callbacks.
- Replaced separate Diffie-Hellman (DH) header file build process with 
auto select.
- Add new tls::protocols command to list available SSL and TLS protocols.
- Now can load CA certificates, key files, etc. from virtual file 
systems (VFS).

See https://chiselapp.com/user/bohagan/repository/TCLTLS/home for more info.


      *Documentation Updates:*

- Documentation was extensively updated and converted to man page and 
HTML format.
- Updated the examples in the documentation and added an examples directory.
- Expanded the documentation and added a Certificate Validation section 
with info on how PKI and certificates work and the related TclTLS args.
- Extensive code documentation updates.


      *Notable Bug Fixes:*

(Some of these issues have been around for 15-20 years.)
- Many bugs, patches, etc. submitted to sourceforge.net and core.tcl.tk 
have been fixed or implemented.
- Unexpected EOF: Added fix to correct OpenSSL issue where some sessions 
can result in an unexpected EOF.
- Empty reads: These have been eliminated to the extent possible, but may 
still occur. See demos for how to handle this.
- Lock-ups and Stalling connections: These have been fixed to the extent 
possible with a more robust event checking process.
- Manual certificate validation is no longer needed. OpenSSL will do 
this for you if -require 1 is specified. You can see results via 
-validatecommand callback and in tls::status verifyResult.
- Will only call bgerror if the -command, -password, or -validatecommand 
callbacks throw an error.
- Will send proper close_notify message to peer on channel closure.

See the documentation for a complete list of changes.


      *Tested with:*

  * TCL 8.6.14 and 9.0.2
  * OpenSSL 1.1.1w, 3.0.18, 3.5.4, and 3.6.0
  * Windows 7, Windows 10, Msys64, OpenSuSE Linux Leap 15.6 and 16.0,
    and FreeBSD



    *Potential Compatibility Issues:*


      *Option default changes:*

- The -autoservername option defaults to true if -servername is not 
specified.
- The -castore option defaults to "org.openssl.winstore://" on MS 
Windows with OpenSSL 3.2+ if -cadir, -cadir, and -castore are not specified.
- The -request option defaults to true for clients.
- The -require option defaults to true for clients. This may be an issue 
if the Certificate Authority (CA) certificates are not available.
- The -servername option defaults to socket host when used with 
tls::socket. So -autoservername is no longer required.
- The -ssl2 option is no longer supported by OpenSSL 1.1+.
- The -ssl3 option doesn't have any effect by default. Use --enable-ssl3 
compile time option to enable SSL3 first.
- The -tls1 and -tls1.1 options default to false (not enabled).
- The -tls1.2 and -tls1.3 options default to true (enabled).


      *Callback changes:*

- Only status/error messages use the -command handler now. There are 
several new types and the 'verify' type was moved to -validatecommand.
- Validation of certificates, client values, etc. uses the new 
-validatecommand handler.
- Password inputs use -password handler, but it now passes 3 arguments.

See the documentation for all compatibility changes.


      *Open Issues:*

- May not be compatible with LibreSSL anymore.
- Warnings for deprecated OpenSSL API usage. Will be fixed in a future 
release.
- Some BadSSL test cases may still fail due to platform specific 
certificate checking defaults.


    *Download links:*


Source code is available at https://core.tcl-lang.org/tcltls/home in the 
tls-2.0 branch or in the following release files:

  * https://core.tcl-lang.org/tcltls/uv/tcltls-2.0b2.tar.gz
  * https://github.com/bohagan1/TclTLS/archive/refs/tags/tls-2.0b2.tar.gz


Windows library file link (TCL 8.6 & 9.0 with OpenSSL 3.6.0):

  * https://chiselapp.com/user/bohagan/repository/TCLTLS/uv/tls2.0b2_win64_msvc.zip
  * https://github.com/bohagan1/TclTLS/releases/download/tls-2.0b2/tls2.0b2_win64_msvc.zip


Certificate Authority (CA) certificates:

Please read the documentation "Certificate Validation" section if you 
don't have OpenSSL or the Certificate Authority (CA) certificates in PEM 
format installed on your system. If not, they can be obtained from:
https://core.tcl-lang.org/tcltls/file?name=doc/tls.html&ci=tls-2.0 


    How to use this release:


package prefer latest
package require tls 2.0b2

See the README.txt file for the build steps.
See the documentation "Examples" section for usage examples.
More detailed examples can be found in the demos directory.