This code will reproduce the problem:
<pre>
#!/usr/bin/env tclsh
package require Tcl 8.6-
package require tls
package require http
 
set url "https://pinacnews.com"
set port 443
set protocol "http/1.1"
 
# Register https protocol handler with http package
http::register https 443 [list ::tls::socket -autoservername 1 -require 1 -alpn [list [string tolower $protocol]]]
 
# Get webpage
set token [::http::geturl $url -blocksize 16384]
if {[http::status $token] ne "ok"} {
    puts [format "Error: \"%s\"" [http::status $token]]
    ::http::cleanup $token
    exit
}
 
# Get web page
set data [http::data $token]
 
# Cleanup
::http::cleanup $token
 
# Save data to file
set ch [open "tcl_tk_home.html" wb]
puts $ch $data
close $ch
</pre>

Although the configure script has the <i>--enable-ssl-fastpath</i> option the source never includes confdefs.h. By hacking <pre>#define TCLTLS_SSL_USE_FASTPATH 1</pre> into generic/tlsBIO.c I was able to get past the bug.

The site https://pinacnews.com only responds with RST to the SYN sent. 
By running
<pre>
% set sock [tls::socket -autoservername 1 -require 1 -alpn [list [string tolower {http/1.1}]] pinacnews.com 443]
couldn't open socket: connection refused
</pre> 
I could see that it wasn't a problem with the socket but for whatever reason the socket was being passed to tlsIO.c even though it had already failed.

The error handling in tlsIO.c thinks the error should have a retry and ends up looping forever getting the same error each time.