Posted to tcl by kostix at Wed May 30 17:11:47 GMT 2007
Issue: -cafile works while -cadir for the directory containing the same cert does not.

Test script:

#! /usr/bin/tclsh
package require tls

# Callback handed to -command: just echo every tls callback invocation.
proc tlscmd args { puts [info level 0] }

set cacertdir c:/tmp/certs
set server jabber.org
set port 5223

puts [glob -dir $cacertdir *]

puts "Case 1: -cafile"
set s [::tls::socket \
    -cafile [file join $cacertdir ca.pem] \
    -command ::tlscmd \
    $server $port]
::tls::handshake $s
close $s

puts "Case 2: -cadir"
set s [::tls::socket \
    -cadir $cacertdir \
    -command ::tlscmd \
    $server $port]
::tls::handshake $s
close $s

Output of running:

C:\tmp>tclsh testcase.tcl >testcase.log 2>&1

c:/tmp/certs/ca.pem
Case 1: -cafile
::tlscmd info sock1852 handshake start {before/connect initialization}
::tlscmd info sock1852 connect loop {before/connect initialization}
::tlscmd info sock1852 connect loop {SSLv2/v3 write client hello A}
::tlscmd info sock1852 connect loop {SSLv3 read server hello A}
::tlscmd verify sock1852 2 {sha1_hash 95E6ADF8D77146024DD56A21B2E73FCDF23B35FF subject {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Mar 17 17:37:48 2005 GMT} notAfter {Mar 10 17:37:48 2035 GMT} serial 0} 1 {}
::tlscmd verify sock1852 1 {sha1_hash E5ACE77D87EF8B6C61ACB625AD5912156385C49F subject {/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Dec 2 23:55:21 2006 GMT} notAfter {Dec 2 23:55:21 2011 GMT} serial 20} 1 {}
::tlscmd verify sock1852 0 {sha1_hash 669BDB4F85B7A2264D7601C114ED0AA924158C85 subject {/C=US/ST=Colorado/L=Denver/O=Peter Saint-andre/OU=Domain validated only/CN=*.jabber.org/CN=jabber.org/emailAddress=hostmaster@jabber.org} issuer {/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org} notBefore {Dec 22 17:42:54 2006 GMT} notAfter {Dec 22 17:42:54 2007 GMT} serial 100} 1 {}
::tlscmd info sock1852 connect loop {SSLv3 read server certificate A}
::tlscmd info sock1852 connect loop {SSLv3 read server certificate request A}
::tlscmd info sock1852 connect loop {SSLv3 read server done A}
::tlscmd info sock1852 alert write {no certificate}
::tlscmd info sock1852 connect loop {SSLv3 write client certificate A}
::tlscmd info sock1852 connect loop {SSLv3 write client key exchange A}
::tlscmd info sock1852 connect loop {SSLv3 write change cipher spec A}
::tlscmd info sock1852 connect loop {SSLv3 write finished A}
::tlscmd info sock1852 connect loop {SSLv3 flush data}
::tlscmd info sock1852 connect loop {SSLv3 read finished A}
::tlscmd info sock1852 handshake done {SSL negotiation finished successfully}
::tlscmd info sock1852 connect exit {SSL negotiation finished successfully}
::tlscmd info sock1852 alert write {close notify}
Case 2: -cadir
::tlscmd info sock1848 handshake start {before/connect initialization}
::tlscmd info sock1848 connect loop {before/connect initialization}
::tlscmd info sock1848 connect loop {SSLv2/v3 write client hello A}
::tlscmd info sock1848 connect loop {SSLv3 read server hello A}
::tlscmd verify sock1848 2 {sha1_hash 95E6ADF8D77146024DD56A21B2E73FCDF23B35FF subject {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Mar 17 17:37:48 2005 GMT} notAfter {Mar 10 17:37:48 2035 GMT} serial 0} 0 {self signed certificate in certificate chain}
::tlscmd info sock1848 alert write {bad certificate}
::tlscmd info sock1848 connect exit {SSLv3 read server certificate B}
::tlscmd info sock1848 connect exit {SSLv3 read server certificate B}
::tlscmd error sock1848 {certificate verify failed}
handshake failed: certificate verify failed
    while executing
"::tls::handshake $s"
    (file "testcase.tcl" line 29)
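An added example, not part of kostix's paste: a POSIX shell helper that checks whether a CA directory uses the hashed file names OpenSSL's CApath lookup (the mechanism behind -cadir) actually opens, and creates those names for the certificates it holds. It assumes an openssl binary on PATH; the directory path in the usage comment is only an illustration.

```shell
#!/bin/sh
# Added example, not part of kostix's paste. OpenSSL's CApath lookup (what
# tls's -cadir hands to SSL_CTX_load_verify_locations) does not read every
# file in the directory: it opens <subject-hash>.<n>, where <subject-hash> is
# what `openssl x509 -hash -noout -in ca.pem` prints. A directory holding only
# ca.pem is therefore invisible to the verifier, and the chain's root is
# reported as "self signed certificate in certificate chain".
# The hash scheme changed in OpenSSL 1.0.0, so run the openssl binary that
# matches the library the tls package is linked against.

# Count entries in DIR that follow the hashed naming scheme (hhhhhhhh.N).
cadir_hashed_count() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        base=${f##*/}
        case $base in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Give every *.pem certificate in DIR a <hash>.N name (the job c_rehash does),
# falling back to a copy where symlinks are unavailable. Prints the number of
# names created; files that are not certificates (keys, notes) are skipped.
cadir_rehash() {
    dir=$1
    made=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -hash -noout -in "$pem" 2>/dev/null) || continue
        i=0
        # First free suffix, so CAs whose subject hashes collide coexist.
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "${pem##*/}" "$dir/$h.$i" 2>/dev/null || cp "$pem" "$dir/$h.$i"
        made=$((made + 1))
    done
    echo "$made"
}

# Usage (illustrative path; on the paste's machine it would be c:/tmp/certs):
#   cadir_rehash /tmp/certs && cadir_hashed_count /tmp/certs
```

After rehashing, the -cadir case has the same trust anchor available as the -cafile case; a count of zero from cadir_hashed_count is the quick check that a directory is unusable as CApath.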