Posted to tcl by kostix at Wed May 30 17:11:47 GMT 2007

Issue: -cafile works, while -cadir pointing at the directory containing the same cert does not.

Test script:

#! /usr/bin/tclsh
# Reproducer for the -cadir problem described above: the same CA
# certificate is handed to tls::socket once as -cafile and once through
# the directory that holds it (-cadir); only the first handshake verifies.

package require tls

proc tlscmd args {
    # -command callback handed to tls::socket: log every event (info,
    # verify, error) by echoing the call exactly as tls issued it.
    # The proc's result is the empty result of puts, so on a "verify"
    # event OpenSSL's own accept/reject decision is left in force -- which
    # is why Case 2 below aborts once the root CA is reported as
    # unverifiable (verify result 0, then "certificate verify failed").
    set invocation [info level 0]
    puts stdout $invocation
}

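# Location of the CA material and the peer to connect to.
set cacertdir c:/tmp/certs
set server jabber.org
set port 5223

# Show what the directory actually holds.  A -cadir directory is not read
# file by file: OpenSSL's directory lookup opens entries named
# "<subject-hash>.<n>" (8 lowercase hex digits, a dot, a sequence number),
# the layout produced by c_rehash / openssl x509 -hash.  A directory that
# only contains ca.pem is therefore empty as far as Case 2 is concerned,
# so report whether any hash-named entry exists alongside the listing.
puts [glob -dir $cacertdir *]
set hashed [glob -nocomplain -dir $cacertdir -- \
	{[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*}]
if {[llength $hashed] == 0} {
    puts "Note: $cacertdir has no <hash>.N entries; -cadir cannot find ca.pem until the directory is rehashed (c_rehash)"
}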

puts "Case 1: -cafile"
# The CA certificate is named explicitly, so OpenSSL loads it directly and
# the chain seen in the log (root -> intermediate -> *.jabber.org) verifies.
set cafile [file join $cacertdir ca.pem]
set s [tls::socket -cafile $cafile -command ::tlscmd $server $port]
tls::handshake $s
close $s

puts "Case 2: -cadir"
# Same peer, but the CA is supplied through its directory.  OpenSSL
# resolves -cadir entries by "<subject-hash>.N" file names (the c_rehash
# layout) rather than reading every file, so a directory holding only
# ca.pem yields the "self signed certificate in certificate chain" verify
# failure recorded in the log below, and the handshake aborts.
set s [tls::socket -cadir $cacertdir -command ::tlscmd $server $port]
tls::handshake $s
close $s

Output of running `C:\tmp>tclsh testcase.tcl >testcase.log 2>&1`:

c:/tmp/certs/ca.pem
Case 1: -cafile
::tlscmd info sock1852 handshake start {before/connect initialization}
::tlscmd info sock1852 connect loop {before/connect initialization}
::tlscmd info sock1852 connect loop {SSLv2/v3 write client hello A}
::tlscmd info sock1852 connect loop {SSLv3 read server hello A}
::tlscmd verify sock1852 2 {sha1_hash 95E6ADF8D77146024DD56A21B2E73FCDF23B35FF subject {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Mar 17 17:37:48 2005 GMT} notAfter {Mar 10 17:37:48 2035 GMT} serial 0} 1 {}
::tlscmd verify sock1852 1 {sha1_hash E5ACE77D87EF8B6C61ACB625AD5912156385C49F subject {/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Dec  2 23:55:21 2006 GMT} notAfter {Dec  2 23:55:21 2011 GMT} serial 20} 1 {}
::tlscmd verify sock1852 0 {sha1_hash 669BDB4F85B7A2264D7601C114ED0AA924158C85 subject {/C=US/ST=Colorado/L=Denver/O=Peter Saint-andre/OU=Domain validated only/CN=*.jabber.org/CN=jabber.org/emailAddress=hostmaster@jabber.org} issuer {/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org} notBefore {Dec 22 17:42:54 2006 GMT} notAfter {Dec 22 17:42:54 2007 GMT} serial 100} 1 {}
::tlscmd info sock1852 connect loop {SSLv3 read server certificate A}
::tlscmd info sock1852 connect loop {SSLv3 read server certificate request A}
::tlscmd info sock1852 connect loop {SSLv3 read server done A}
::tlscmd info sock1852 alert write {no certificate}
::tlscmd info sock1852 connect loop {SSLv3 write client certificate A}
::tlscmd info sock1852 connect loop {SSLv3 write client key exchange A}
::tlscmd info sock1852 connect loop {SSLv3 write change cipher spec A}
::tlscmd info sock1852 connect loop {SSLv3 write finished A}
::tlscmd info sock1852 connect loop {SSLv3 flush data}
::tlscmd info sock1852 connect loop {SSLv3 read finished A}
::tlscmd info sock1852 handshake done {SSL negotiation finished successfully}
::tlscmd info sock1852 connect exit {SSL negotiation finished successfully}
::tlscmd info sock1852 alert write {close notify}
Case 2: -cadir
::tlscmd info sock1848 handshake start {before/connect initialization}
::tlscmd info sock1848 connect loop {before/connect initialization}
::tlscmd info sock1848 connect loop {SSLv2/v3 write client hello A}
::tlscmd info sock1848 connect loop {SSLv3 read server hello A}
::tlscmd verify sock1848 2 {sha1_hash 95E6ADF8D77146024DD56A21B2E73FCDF23B35FF subject {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} issuer {/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org} notBefore {Mar 17 17:37:48 2005 GMT} notAfter {Mar 10 17:37:48 2035 GMT} serial 0} 0 {self signed certificate in certificate chain}
::tlscmd info sock1848 alert write {bad certificate}
::tlscmd info sock1848 connect exit {SSLv3 read server certificate B}
::tlscmd info sock1848 connect exit {SSLv3 read server certificate B}
::tlscmd error sock1848 {certificate verify failed}
handshake failed: certificate verify failed
    while executing
"::tls::handshake $s"
    (file "testcase.tcl" line 29)