TLS version?

[FourthWorld]

How can I determine which TLS version is used in a given LiveCode build?

For the moment it would be enough to know which TLS version is used in the most recent Stable build.

[stam]

How can I determine which TLS version is used in a given LiveCode build?

I’ve not come across this before, so I asked chatGPT. The response is below - I have not tested/confirmed any of this, interpret with care:

LiveCode doesn’t itself implement TLS, it relies on the OpenSSL (or platform TLS libraries on mobile) that the engine is built against.
So the supported TLS version in a given LiveCode build depends on which SSL/TLS library version is bundled (or linked) at build time.

Here’s how you can determine it:

⸻

1. From within LiveCode (Desktop/Server)

LiveCode exposes the SSL library version via the sslVersion:

Code: Select all

put the sslVersion

This will return something like:

Code: Select all

OpenSSL 1.1.1w  11 Sep 2023

From that you can look up what TLS versions that OpenSSL release supports.
• OpenSSL 1.0.2 → TLS 1.0, 1.1, 1.2
• OpenSSL 1.1.1 → TLS 1.0–1.3
• OpenSSL 3.x → TLS 1.0–1.3 (TLS 1.0 and 1.1 disabled by default)

⸻

At runtime (to see the actual negotiated TLS version)

If you need to check which TLS protocol version was actually used in a connection (say, with libURLDownloadToFile or revMail), LiveCode does not provide that directly. The common approaches are:
• Run LiveCode with socket debug logging (e.g. using set the sslVerification to false and catching errors). But this won’t explicitly tell you the TLS version.
• Use an external tool (like openssl s_client -connect host:443) to confirm what protocol the server and your LiveCode build negotiate.
• On macOS/Linux, you can run LiveCode under Wireshark or tcpdump to inspect the TLS handshake.

[FourthWorld]

Unfortunate that it required an LLM burning thru half a gallon of water to find the answer, but the detail on the SSLversion is very useful. Thank you.

[bobcole]

Stam:
I was curious about this so I tried it out.

put the sslVersion

No such command in my dictionary.
Bob

[FourthWorld]

Thanks, Bob. Same here.

And that's why I use regenerative software for personal entertainment only.

https://youtu.be/1A6uPztchXk

[stam]

Stam:
I was curious about this so I tried it out.

put the sslVersion

No such command in my dictionary.
Bob

I did say it was untested and use with care, because AI does this sort of thing all the time…

[stam]

I find that chatGPT generally confabulates a lot when it comes to coding.
Claude AI less so, but still does as well. Claude Code is said to be better but it’s a paid product (and I haven’t paid )

According to Claude AI:

Platform-Specific Considerations
Desktop builds: Use the system's TLS implementation

Windows: Uses Windows' Secure Channel (SChannel)
macOS: Uses macOS Security Framework
Linux: Uses OpenSSL

Mobile builds:
iOS: Uses iOS native TLS implementation
Android: Uses Android's TLS implementation

Check LiveCode Version and Documentation
The TLS version support depends on your LiveCode version:

LiveCode 9.x and later: Generally supports TLS 1.2 and 1.3
LiveCode 8.x: Typically supports up to TLS 1.2
Earlier versions: May be limited to TLS 1.0 or 1.1

This obviously suggests that TLS is not “built into” LC but that LC uses what is there.

Claude also recommends:

Runtime Detection Methods
1. Use libURLVersion() Function

Code: Select all

put libURLVersion() into tVersionInfo
-- This returns information about the underlying URL library 

2. Test SSL/TLS Connection

Code: Select all

put "https://www.howsmyssl.com/a/check" into tURL
put URL tURL into tResult
-- This service returns JSON with TLS information about your connection 

3. Check SSL Cipher Information

Code: Select all

put the sslCertificates into tCerts
-- Check what SSL/TLS capabilities are available 

and again, none of this has been tested/confirmed - use with care…