{"id":499,"date":"2014-11-17T12:03:59","date_gmt":"2014-11-17T11:03:59","guid":{"rendered":"http:\/\/www.dereckson.be\/blog\/?p=499"},"modified":"2016-01-15T21:50:44","modified_gmt":"2016-01-15T20:50:44","slug":"tcl-and-the-ssl-security-issues-sslv3-alert-handshake-failure","status":"publish","type":"post","link":"https:\/\/www.dereckson.be\/blog\/2014\/11\/17\/tcl-and-the-ssl-security-issues-sslv3-alert-handshake-failure\/","title":{"rendered":"TCL and the SSL security issues: sslv3 alert handshake failure"},"content":{"rendered":"<p><strong>Update 2016-01-15: <\/strong>With tcl-tls 1.6.7, it works out of the box without any need to configure cyphers.<\/p>\n<p>If you have reconfigured your OpenSSL to take care of the current security issues, <a href=\"http:\/\/disablessl3.com\/\">you&#8217;ve disabled SSLv3<\/a> since the <a href=\"https:\/\/en.wikipedia.org\/wiki\/POODLE\">POODLE<\/a> discovery.<\/p>\n<p>Then you may run into unexpected behavior in TCL code. The package http isn&#8217;t the best at intercepting and reporting errors, so the message can be as non-descriptive as\u00a0<em>software caused connection abort<\/em>. 
If you&#8217;re lucky, you&#8217;ll get the actual cause of the error: <em>sslv3 alert handshake failure<\/em>.<\/p>\n<p>So, without any surprise, we disabled SSLv3, the code still wants to use SSLv3, and&#8230; that fails:<\/p>\n<pre class=\"brush: plain; highlight: [9,10]; title: ; notranslate\" title=\"\">\r\n\/home\/dereckson ] tclsh8.6\r\n% package require http\r\n2.8.8\r\n% package require tls\r\n1.6\r\n% http::register https 443 ::tls::socket\r\n443 ::tls::socket\r\n% http::geturl https:\/\/fr.wikipedia.org\/\r\nSSL channel &quot;sock801eacd10&quot;: error: sslv3 alert handshake failure\r\nerror reading &quot;sock801eacd10&quot;: software caused connection abort\r\n<\/pre>\n<p>The solution is to explicitly request TLS (and explicitly disable SSLv2 and SSLv3).<\/p>\n<pre class=\"brush: plain; highlight: [6]; title: ; notranslate\" title=\"\">\r\n\/home\/dereckson ] tclsh8.6\r\n% package require http\r\n2.8.8\r\n% package require tls\r\n1.6\r\n% tls::init -tls1 true -ssl2 false -ssl3 false\r\n-tls1 true -ssl2 false -ssl3 false\r\n% http::register https 443 ::tls::socket\r\n443 ::tls::socket\r\n% http::geturl https:\/\/fr.wikipedia.org\/\r\n::http::1\r\n% http::cleanup ::http::1\r\n%\r\n<\/pre>\n<p>In your TCL application, registering https once and for all with a preconfigured TLS socket sounds like a good idea:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n#\r\n# HTTP support\r\n#\r\n\r\npackage require http\r\npackage require tls\r\n::tls::init -ssl2 false -ssl3 false -tls1 true\r\n::http::register https 443 ::tls::socket\r\n<\/pre>\n<p>Thank you to rkeene from Freenode #tcl for his help tracking down this issue.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 2016-01-15: With tcl-tls 1.6.7, it works out of the box without any need to configure cyphers. If you have reconfigured your OpenSSL to take care of the current security issues, you&#8217;ve disabled SSLv3 since POODLE discovery. Then, you could find unexpected behavior of TCL code. 
The package http isn&#8217;t the best to intercept and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[264,20],"class_list":["post-499","post","type-post","status-publish","format-standard","hentry","category-dev","tag-ssl","tag-tcl"],"_links":{"self":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts\/499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/comments?post=499"}],"version-history":[{"count":8,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts\/499\/revisions"}],"predecessor-version":[{"id":543,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts\/499\/revisions\/543"}],"wp:attachment":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/media?parent=499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/categories?post=499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/tags?post=499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}