Posted to tcl by kostix at Wed May 30 17:11:47 GMT 2007

  1. Issue: -cafile works while -cadir for the directory containing the same cert does not.
  2.  
  3. Test script:
  4.  
  5. #! /usr/bin/tclsh
  6.  
  7. package require tls
  8.  
  9. proc tlscmd args { puts [info level 0] }
  10.  
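  set cacertdir c:/tmp/certs
  set server jabber.org
  set port 5223

  # List what the CA directory holds before testing.
  # NOTE(review): OpenSSL resolves -cadir (X509 lookup_hash_dir) entries by
  # subject-name hash, i.e. files named <hash>.0, <hash>.1, ... — it does not
  # scan every file in the directory.  A directory that only holds "ca.pem"
  # is therefore empty from its point of view, while -cafile loads the file
  # directly; that matches Case 1 passing and Case 2 failing with "self signed
  # certificate in certificate chain" at depth 2.  Running c_rehash (or
  # `openssl rehash`) on $cacertdir is the usual fix — confirm against the
  # OpenSSL/tcltls docs for the versions in use.
  puts [glob -dir $cacertdir *]

  # Run one connection attempt with the given trust-store option.
  # The handshake is wrapped in [catch] so a failing case is reported instead
  # of aborting the script, and the socket is always closed (the original
  # left the Case 2 socket open when the uncaught error ended the script).
  # NOTE(review): ::tls::socket is used with its default -require setting here;
  # a real client should pass -require 1 so that a missing or unverifiable
  # peer certificate is fatal irrespective of the callback — verify against
  # the tls(n) manual for the installed tcltls.
  proc run_case {label storeOpt storeVal} {
      global server port
      puts $label
      set s [::tls::socket $storeOpt $storeVal -command ::tlscmd $server $port]
      if {[catch {::tls::handshake $s} err]} {
          puts "error: $err"
      }
      close $s
  }

  run_case "Case 1: -cafile" -cafile [file join $cacertdir ca.pem]
  run_case "Case 2: -cadir"  -cadir  $cacertdir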
  36.  
  37. Output of running C:\tmp>tclsh testcase.tcl >testcase.log 2>&1
  38.  
  39. c:/tmp/certs/ca.pem
  40. Case 1: -cafile
  41. ::tlscmd info sock1852 handshake start {before/connect initialization}
  42. ::tlscmd info sock1852 connect loop {before/connect initialization}
  43. ::tlscmd info sock1852 connect loop {SSLv2/v3 write client hello A}
  44. ::tlscmd info sock1852 connect loop {SSLv3 read server hello A}
  45. ::tlscmd verify sock1852 2 {sha1_hash 95E6ADF8D77146024DD56A21B2E73FCDF23B35FF subject {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Mar 17 17:37:48 2005 GMT} notAfter {Mar 10 17:37:48 2035 GMT} serial 0} 1 {}
  46. ::tlscmd verify sock1852 1 {sha1_hash E5ACE77D87EF8B6C61ACB625AD5912156385C49F subject {/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Dec 2 23:55:21 2006 GMT} notAfter {Dec 2 23:55:21 2011 GMT} serial 20} 1 {}
  47. ::tlscmd verify sock1852 0 {sha1_hash 669BDB4F85B7A2264D7601C114ED0AA924158C85 subject {/C=US/ST=Colorado/L=Denver/O=Peter Saint-andre/OU=Domain validated only/CN=*.jabber.org/CN=jabber.org/emailAddress=hostmaster@jabber.org} issuer {/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org} notBefore {Dec 22 17:42:54 2006 GMT} notAfter {Dec 22 17:42:54 2007 GMT} serial 100} 1 {}
  48. ::tlscmd info sock1852 connect loop {SSLv3 read server certificate A}
  49. ::tlscmd info sock1852 connect loop {SSLv3 read server certificate request A}
  50. ::tlscmd info sock1852 connect loop {SSLv3 read server done A}
  51. ::tlscmd info sock1852 alert write {no certificate}
  52. ::tlscmd info sock1852 connect loop {SSLv3 write client certificate A}
  53. ::tlscmd info sock1852 connect loop {SSLv3 write client key exchange A}
  54. ::tlscmd info sock1852 connect loop {SSLv3 write change cipher spec A}
  55. ::tlscmd info sock1852 connect loop {SSLv3 write finished A}
  56. ::tlscmd info sock1852 connect loop {SSLv3 flush data}
  57. ::tlscmd info sock1852 connect loop {SSLv3 read finished A}
  58. ::tlscmd info sock1852 handshake done {SSL negotiation finished successfully}
  59. ::tlscmd info sock1852 connect exit {SSL negotiation finished successfully}
  60. ::tlscmd info sock1852 alert write {close notify}
  61. Case 2: -cadir
  62. ::tlscmd info sock1848 handshake start {before/connect initialization}
  63. ::tlscmd info sock1848 connect loop {before/connect initialization}
  64. ::tlscmd info sock1848 connect loop {SSLv2/v3 write client hello A}
  65. ::tlscmd info sock1848 connect loop {SSLv3 read server hello A}
  66. ::tlscmd verify sock1848 2 {sha1_hash 95E6ADF8D77146024DD56A21B2E73FCDF23B35FF subject {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Mar 17 17:37:48 2005 GMT} notAfter {Mar 10 17:37:48 2035 GMT} serial 0} 0 {self signed certificate in certificate chain}
  67. ::tlscmd info sock1848 alert write {bad certificate}
  68. ::tlscmd info sock1848 connect exit {SSLv3 read server certificate B}
  69. ::tlscmd info sock1848 connect exit {SSLv3 read server certificate B}
  70. ::tlscmd error sock1848 {certificate verify failed}
  71. handshake failed: certificate verify failed
  72. while executing
  73. "::tls::handshake $s"
  74. (file "testcase.tcl" line 29)