#13 Support for TLSv1.1 and TLSv1.2 for Tls package

None
closed-fixed
None
5
2014-12-08
2014-10-16
No

This is a patch that allows using TLS protocol versions 1.1 and 1.2 with the Tls package.

I have also made TLS be enabled by default. Given that SSLv3 is going to be disabled in most cases after the POODLE security issue, I think it is reasonable not to disable it if SSLv2 or SSLv3 is enabled.

I have tested that it works properly with servers that support SSLv3, TLS 1.0, 1.1 and 1.2.

I can commit it on my own (I just realized I think I have commit rights), but wanted to send it for review and ensure Tls is still using the CVS repository on SF.

1 Attachments

Discussion

  • Wojciech Kocjan

    Wojciech Kocjan - 2014-10-19

    Updated patch that checks if TLS is present to allow compiling against older OpenSSL (such as on OS X).

  • Anonymous

    Anonymous - 2014-10-29

    What is your opinion on disabling SSLv2 and SSLv3 by default now, in light of the recent POODLE exploit? I have found that I have had to use "::tls::init -ssl2 0 -ssl3 0 -tls1 1" in many of my scripts now that sites have begun to disable SSLv3. Without disabling ssl2 and ssl3, connections fail.

  • Jeremy Sowden

    Jeremy Sowden - 2014-12-05

    Note that the SSLv23_method is only used if ssl2 and ssl3 are both enabled. This means that if one enables just tls1+:

    tls::import $sock -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1

    fall-back is not available.

    I have created a patch to remedy this. The first patch ensures that SSLv23_method is used if more than one protocol is enabled, and the second patch adds support for tls1.1 and tls1.2 as before.


    Last edit: Jeremy Sowden 2014-12-05
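To make the method-selection rule in the two comments above concrete, here is a small C model added to this page; it is not code from the tls package or from either patch. It models the pre-patch rule as described (the negotiating SSLv23_method only when ssl2 and ssl3 are both enabled) beside the post-patch rule (SSLv23_method whenever more than one protocol is enabled), and lists the SSL_OP_NO_* options that keep the disabled versions refused once a negotiating method is in use. The enum bit names, the function names and the order in which the old rule picks a single-version method are assumptions made for illustration; the OpenSSL method and option names are the real ones, but nothing here links against OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* One bit per protocol a script can toggle with -ssl2, -ssl3, -tls1,
 * -tls1.1 and -tls1.2. Bit values are constructed for this model. */
enum {
    PROTO_SSL2   = 1 << 0,
    PROTO_SSL3   = 1 << 1,
    PROTO_TLS1   = 1 << 2,
    PROTO_TLS1_1 = 1 << 3,
    PROTO_TLS1_2 = 1 << 4
};

/* Per-protocol OpenSSL names: the version-specific method and the
 * SSL_OP_NO_* option that refuses that version on a negotiating context. */
static const struct {
    unsigned bit;
    const char *method;
    const char *no_opt;
} protos[] = {
    { PROTO_SSL2,   "SSLv2_method",   "SSL_OP_NO_SSLv2"   },
    { PROTO_SSL3,   "SSLv3_method",   "SSL_OP_NO_SSLv3"   },
    { PROTO_TLS1,   "TLSv1_method",   "SSL_OP_NO_TLSv1"   },
    { PROTO_TLS1_1, "TLSv1_1_method", "SSL_OP_NO_TLSv1_1" },
    { PROTO_TLS1_2, "TLSv1_2_method", "SSL_OP_NO_TLSv1_2" },
};
#define NPROTOS (sizeof protos / sizeof protos[0])

/* Number of protocols enabled in the flag word. */
int proto_count(unsigned enabled) {
    int n = 0;
    for (size_t i = 0; i < NPROTOS; i++)
        if (enabled & protos[i].bit) n++;
    return n;
}

/* Version-specific method of the lowest enabled protocol, or NULL if none
 * is enabled. Picking the lowest one is an assumption of this model. */
static const char *single_method(unsigned enabled) {
    for (size_t i = 0; i < NPROTOS; i++)
        if (enabled & protos[i].bit) return protos[i].method;
    return NULL;
}

/* Pre-patch rule as described in the comment: SSLv23_method only when
 * ssl2 AND ssl3 are both on; any other mix gets a single-version method,
 * so a TLS-only configuration cannot negotiate between TLS versions. */
const char *method_before(unsigned enabled) {
    if ((enabled & PROTO_SSL2) && (enabled & PROTO_SSL3))
        return "SSLv23_method";
    return single_method(enabled);
}

/* Post-patch rule: two or more enabled protocols use SSLv23_method so the
 * peer can negotiate; exactly one uses its own method; none is an error. */
const char *method_after(unsigned enabled) {
    if (proto_count(enabled) > 1)
        return "SSLv23_method";
    return single_method(enabled);
}

/* The SSL_OP_NO_* options to set next to SSLv23_method so that the versions
 * the script turned off are still refused; written as a '|'-joined string. */
void disabled_options(unsigned enabled, char *buf, size_t len) {
    buf[0] = '\0';
    for (size_t i = 0; i < NPROTOS; i++) {
        if (enabled & protos[i].bit) continue;
        if (buf[0]) strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, protos[i].no_opt, len - strlen(buf) - 1);
    }
}

int main(void) {
    /* The setting from the comment: -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1 */
    unsigned tls_only = PROTO_TLS1 | PROTO_TLS1_1 | PROTO_TLS1_2;
    char opts[128];
    disabled_options(tls_only, opts, sizeof opts);
    printf("before: %s (no negotiation between TLS versions)\n", method_before(tls_only));
    printf("after:  %s with %s\n", method_after(tls_only), opts);
    return 0;
}
```

The practical consequence the model shows: with the pre-patch rule, turning off ssl2 and ssl3 to avoid POODLE also silently turns off version negotiation, so a client configured for TLS 1.0 through 1.2 only ever offers a single version; the post-patch rule keeps negotiation and relies on the SSL_OP_NO_* options to exclude the disabled versions.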
  • Andreas Kupries

    Andreas Kupries - 2014-12-08

    Committed to CVS, under version 1.6.4.

  • Andreas Kupries

    Andreas Kupries - 2014-12-08
    • status: open --> closed-fixed
    • assigned_to: Andreas Kupries
    • Group: -->