TCL and the SSL security issues: sslv3 alert handshake failure

Update 2016-01-15: With tcl-tls 1.6.7, it works out of the box without any need to configure cyphers.

If you have reconfigured your OpenSSL to take care of the current security issues, you’ve disabled SSLv3 since POODLE discovery.

Then, you could find unexpected behavior of TCL code. The package http isn’t the best to intercept and report errors, so it could be as non descriptive as software caused connection abort. If you’re luck you’ll get the actual cause of the error sslv3 alert handshake failure.

So, without any surprise, we disabled SSLv3, code still want to use SSLv3, and… that fails:

[sourcecode language=”plain” highlight=”9-10″]
/home/dereckson ] tclsh8.6
% package require http
2.8.8
% package require tls
1.6
% http::register https 443 ::tls::socket
443 ::tls::socket
% http::geturl https://fr.wikipedia.org/
SSL channel "sock801eacd10": error: sslv3 alert handshake failure
error reading "sock801eacd10": software caused connection abort
[/sourcecode]

The solution is to explicitly request to use TLS.

[sourcecode language=”plain” highlight=”6″]
% /home/dereckson ] tclsh8.6
% package require http
2.8.8
% package require tls
1.6
% tls::init -tls1 true -ssl2 false -ssl3 false
-tls1 true -ssl2 false -ssl3 false
% http::register https 443 ::tls::socket
443 ::tls::socket
% http::geturl https://fr.wikipedia.org/
::http::1
% http::cleanup ::http::1
%
[/sourcecode]

In your TCL application, register once for all the https as preconfigured TLS socket sounds a good idea:

[sourcecode language=”plain”]
#
# HTTP support
#

package require http
package require tls
::tls::init -ssl2 false -ssl3 false -tls1 true
::http::register https 443 ::tls::socket
[/sourcecode]

Thank you to rkeene from Freenode #tcl for his help to track this issue.

2 Replies to “TCL and the SSL security issues: sslv3 alert handshake failure”

  1. Unfortunately, this no longer helps. I am no longer capable of creating a TLS/SSL connection between two Tcl scripts, let alone setting up communication between other systems (Android in this case) and Tcl.

    I tried all possible combinations of enabling and disabling all versions of ssl and tls.

    When I add “-cipher md5”, there is no longer the message “sslv3 alert handshake failure” on the server, but it still doesn’t work, the client still gets “software caused connection abort”.

  2. There is clearly the need of more debug message in the library, both http and tcl-tls are not enough verbose about errors.

    Try to add at strategy points some debug messages, or just before this “software…” message a puts $errorInfo?

    For regular HTTPS, recent TCL packages versions seem to work out of the box, tested on Debian Stretch and FreeBSD 10:


    /home/dereckson ] tclsh8.6
    % package require http
    2.8.8
    % package require tls
    1.6.7
    % http::register https 443 ::tls::socket
    443 ::tls::socket
    % http::geturl https://fr.wikipedia.org/
    ::http::1
    %

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.