Server code: proc accept {so args} { puts $so $args; flush $so; close $so } socket -server accept 10001;# Plain old Tcl socket tls::socket -server accept 10002;# TLS socket

On client side: Plain old sockets work % set so [socket localhost 10001]; gets $so ::1 58824

TLS sockets get an error: % set so [tls::socket localhost 10002]; gets $so error reading "sock0000019561DCF4C0": software caused connection abort

errorInfo shows: SSL channel "sock0000019561DCF4C0": error: sslv3 alert handshake failure

Note that if the client initiates data flow, everything works fine. However, I do not believe this is a requirement for TLS. Client side has to initiate negotiation but the data flow may begin from either end.

My feeling is that the server side accept procedure should not be called until TLS negotiation is done AND client should initiate handshake without waiting for application to push user data.

/Ashok

Forgot to mention - tls 1.7.22, Tcl 8.6.11, Windows

The TCL socket command and its server accept callback happen independent of the TLS negotiation. This needs to occur before we can establish the TLS connection since only the accept callback knows what the new channel handle is for use by tls::import. So the best method is to have the socket accept callback call tls::import on the new channel, then do a tls::handshake on it to ensure it is set up.