TCL and the SSL security issues: sslv3 alert handshake failure

Update 2016-01-15: With tcl-tls 1.6.7, it works out of the box without any need to configure ciphers.

If you have reconfigured your OpenSSL to take care of the current security issues, you’ve disabled SSLv3 since the POODLE discovery.

Then you could run into unexpected behavior in TCL code. The http package isn’t the best at intercepting and reporting errors, so the message can be as non-descriptive as "software caused connection abort". If you’re lucky, you’ll get the actual cause of the error: "sslv3 alert handshake failure".

So, without any surprise: we disabled SSLv3, the code still wants to use SSLv3, and… that fails:

[sourcecode language="plain" highlight="9-10"]
/home/dereckson ] tclsh8.6
% package require http
2.8.8
% package require tls
1.6
% http::register https 443 ::tls::socket
443 ::tls::socket
% http::geturl https://fr.wikipedia.org/
SSL channel "sock801eacd10": error: sslv3 alert handshake failure
error reading "sock801eacd10": software caused connection abort
[/sourcecode]

The solution is to explicitly request TLS, with SSLv2 and SSLv3 disabled:

[sourcecode language="plain" highlight="6"]
/home/dereckson ] tclsh8.6
% package require http
2.8.8
% package require tls
1.6
% tls::init -tls1 true -ssl2 false -ssl3 false
-tls1 true -ssl2 false -ssl3 false
% http::register https 443 ::tls::socket
443 ::tls::socket
% http::geturl https://fr.wikipedia.org/
::http::1
% http::cleanup ::http::1
%
[/sourcecode]

In your TCL application, registering https once and for all with a preconfigured TLS socket sounds like a good idea:

[sourcecode language="plain"]
#
# HTTP support
#

package require http
package require tls
::tls::init -ssl2 false -ssl3 false -tls1 true
::http::register https 443 ::tls::socket
[/sourcecode]
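As an added example (not code from the original post), the registration above wrapped into a small fetch procedure that turns the http package's terse failures into a readable result; the CA bundle path, the certificate-verification options and the URL are assumptions you should adjust for your system.

```tcl
# Added example, not part of the original post.
package require http
package require tls

# Protocol selection as in the post: refuse SSLv2/SSLv3, allow TLS.
# -require/-cafile turn on server certificate verification, which
# tls::socket does not do by default (the CA bundle path is an assumption).
::tls::init -ssl2 false -ssl3 false -tls1 true \
    -require 1 -cafile /etc/ssl/cert.pem

::http::register https 443 ::tls::socket

# Fetch a URL and return a dict describing the outcome, so callers do not
# have to inspect http tokens or catch errors themselves.
proc https_get {url {timeout_ms 10000}} {
    # On a failed handshake geturl raises an error; as in the transcript
    # above, the SSL alert line is reported on the channel before the
    # generic "software caused connection abort" message.
    if {[catch {::http::geturl $url -timeout $timeout_ms} token]} {
        return [dict create ok 0 error $token]
    }
    set status [::http::status $token]   ;# ok, eof, error, timeout, reset
    set result [dict create ok 0 status $status]
    if {$status eq "ok"} {
        dict set result ok 1
        dict set result ncode [::http::ncode $token]
        dict set result bytes [string length [::http::data $token]]
    } else {
        dict set result error [::http::error $token]
    }
    ::http::cleanup $token
    return $result
}

# Assumed URL for the demonstration.
puts [https_get https://fr.wikipedia.org/]
```

With SSLv3 refused by both sides and certificate verification on, a successful run prints a dict with `ok 1` and the HTTP status code, while a handshake failure comes back as `ok 0` with the error text instead of an uncaught exception.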

Thank you to rkeene from Freenode #tcl for his help tracking down this issue.