February 22, 2024

Tcl package for the TLS protocol is deprecated

CCS5
TSC

This announcement affects only users of the TclTLS package. TSC and CCS5 installers do not include this package and the OpenSSL library anymore due to the following.

TclTLS is third-party open source software that has long been abandoned. It doesn’t work with current releases of OpenSSL 3.x. Moreover, there’s a six-year-old bug: the package can’t verify the certificate subject name (X509v3 Subject Alternative Name) against the server’s hostname. It is therefore impossible to verify the server’s authenticity, which defeats the whole point of using TLS.
Given that over recent years our customers have placed increased emphasis on cybersecurity, we are making an effort to reduce potential attack vectors in CCS5 and findings in security audits. One of the decisions we had to make was to exclude TclTLS and OpenSSL from our deliveries. CCS5 doesn’t require TLS for its own functioning. If users need OpenSSL, they take responsibility for installing it on their platform and keeping it up to date.

If you really need to connect to external systems using TLS from Tcl/TOPE on Windows, you have 2 options that are much better than TclTLS, both from a security point of view and for long-term maintenance:

  1. If you need to perform an HTTPS GET request, you can use the utope::ingest function, documented in CCS/TSC UM vol.2. It is based on the Qt implementation, and Qt is fundamental to our system, so we do our best to keep it up to date.
  2. In all other cases you can use the twapi package, which can wrap any Tcl channel with TLS. It is a well-supported package, and CCS5 itself relies on it for various functions.

In both cases the low-level TLS implementation is based not on OpenSSL but on the Windows Schannel technology, which provides at least 2 advantages over OpenSSL:

This blog post provides more details on the state of TLS on Windows and examples of using twapi.
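The twapi route from option 2, as an added example that is not part of this announcement or of CCS5: a fail-closed HTTPS GET that routes Tcl's standard http package through twapi::tls_socket, so Schannel performs the chain and hostname validation that TclTLS never did. It assumes twapi 4.x with its tls module on Windows, assumes that twapi's default (no -verifier option) validates the server certificate against the Windows trust store including the hostname, and uses https://example.invalid/ as a placeholder URL.

```tcl
# Added example, not CCS5/TSC code: HTTPS GET from Tcl on Windows using
# twapi's Schannel-backed tls_socket instead of the abandoned TclTLS package.
# Assumes twapi 4.x with the tls module; the URL below is a placeholder.
package require Tcl 8.6
package require http
package require twapi

# Route every https:// URL handled by the http package through twapi::tls_socket.
# No -verifier is given, so (assumption about twapi's default) Schannel validates
# the server certificate chain and hostname against the Windows trust store and
# the handshake fails if either check does not pass.
http::register https 443 ::twapi::tls_socket

proc https_get {url {timeout_ms 10000}} {
    # Fail closed: a TLS handshake failure, a timeout or a non-200 reply all
    # raise a Tcl error instead of returning partial or untrusted data.
    set tok [http::geturl $url -timeout $timeout_ms]
    try {
        if {[http::status $tok] ne "ok"} {
            error "HTTPS request failed: [http::status $tok] [http::error $tok]"
        }
        set code [http::ncode $tok]
        if {$code != 200} {
            error "unexpected HTTP status $code"
        }
        return [http::data $tok]
    } finally {
        # Always release the transaction token, even on error.
        http::cleanup $tok
    }
}

# Usage with the placeholder URL; a real host goes here in practice.
if {[catch {https_get https://example.invalid/} body]} {
    puts stderr "request rejected: $body"
} else {
    puts "received [string length $body] bytes"
}
```

Because verification is left at twapi's default rather than replaced by a permissive -verifier callback, a certificate whose Subject Alternative Name does not match the host is rejected at the handshake, which is exactly the check TclTLS could not perform.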

If you need TLS on Linux, your options depend on a use case:

Another language-independent option is to use a TLS proxy like stunnel that works on both Linux and Windows.