Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -43,11 +43,10 @@
  */
 
 #define F2N(key, dsp) \
 	(((key) == NULL) ? (char *) NULL : \
 		Tcl_TranslateFileName(interp, (key), (dsp)))
-#define REASON()	ERR_reason_error_string(ERR_get_error())
 
 static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key,
 		char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1,
 		int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile,
 		char *ciphers, char *ciphersuites, int level, char *DHparams);
@@ -109,25 +108,30 @@
  *-------------------------------------------------------------------
  */
 static int
 EvalCallback(Tcl_Interp *interp, State *statePtr, Tcl_Obj *cmdPtr) {
     int code, ok = 0;
+
+    dprintf("Called");
 
     Tcl_Preserve((ClientData) interp);
     Tcl_Preserve((ClientData) statePtr);
 
     /* Eval callback with success for ok or return value 1, fail for error or return value 0 */
     Tcl_ResetResult(interp);
     code = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL);
+    dprintf("EvalCallback: %d", code);
     if (code == TCL_OK) {
 	/* Check result for return value */
 	Tcl_Obj *result = Tcl_GetObjResult(interp);
 	if (result == NULL || Tcl_GetIntFromObj(interp, result, &ok) != TCL_OK) {
 	    ok = 1;
 	}
+	dprintf("Result: %d", ok);
     } else {
 	/* Error - reject the certificate */
+	dprintf("Tcl_BackgroundError");
 #if (TCL_MAJOR_VERSION == 8) && (TCL_MINOR_VERSION < 6)
 	Tcl_BackgroundError(interp);
 #else
 	Tcl_BackgroundException(interp, code);
 #endif
@@ -368,11 +372,12 @@
     State *statePtr	= (State*)SSL_get_app_data(ssl);
     Tcl_Interp *interp	= statePtr->interp;
     int depth		= X509_STORE_CTX_get_error_depth(ctx);
     int err		= X509_STORE_CTX_get_error(ctx);
 
-    dprintf("Verify: %d", ok);
+    dprintf("Called");
+    dprintf("VerifyCallback: %d", ok);
 
     if (statePtr->vcmd == (Tcl_Obj*)NULL) {
 	if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
 	    return ok;
 	} else {
@@ -1020,17 +1025,17 @@
 	    break;
     }
 
     ctx = SSL_CTX_new(method);
     if (ctx == NULL) {
-	Tcl_AppendResult(interp, REASON(), NULL);
+	Tcl_AppendResult(interp, GET_ERR_REASON(), NULL);
 	return TCL_ERROR;
     }
 
     ssl = SSL_new(ctx);
     if (ssl == NULL) {
-	Tcl_AppendResult(interp, REASON(), NULL);
+	Tcl_AppendResult(interp, GET_ERR_REASON(), NULL);
 	SSL_CTX_free(ctx);
 	return TCL_ERROR;
     }
 
     /* Use list and order as would be sent in a ClientHello or all available ciphers */
@@ -1443,11 +1448,12 @@
     Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation);
     Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking);
     Tcl_SetChannelOption(interp, chan, "-translation", "binary");
     Tcl_SetChannelOption(interp, chan, "-blocking", "true");
     dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan));
-    statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr, (TCL_READABLE | TCL_WRITABLE), chan);
+    statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr,
+	(TCL_READABLE | TCL_WRITABLE), chan);
     dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self));
     if (statePtr->self == (Tcl_Channel) NULL) {
 	/*
 	 * No use of Tcl_EventuallyFree because no possible Tcl_Preserve.
 	 */
@@ -1464,11 +1470,11 @@
      * SSL Initialization
      */
     statePtr->ssl = SSL_new(statePtr->ctx);
     if (!statePtr->ssl) {
 	/* SSL library error */
-	Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), (char *) NULL);
+	Tcl_AppendResult(interp, "couldn't construct ssl session: ", GET_ERR_REASON(), (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "INIT", "FAILED", (char *) NULL);
 	Tls_Free((char *) statePtr);
 	return TCL_ERROR;
     }
 
@@ -1475,20 +1481,20 @@
     /* Set host server name */
     if (servername) {
 	/* Sets the server name indication (SNI) in ClientHello extension */
 	/* Per RFC 6066, hostname is a ASCII encoded string, though RFC 4366 says UTF-8. */
 	if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) {
-	    Tcl_AppendResult(interp, "setting TLS host name extension failed", (char *) NULL);
+	    Tcl_AppendResult(interp, "Set SNI extension failed: ", GET_ERR_REASON(), (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SNI", "FAILED", (char *) NULL);
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
 
 	/* Set hostname for peer certificate hostname verification in clients.
 	   Don't use SSL_set1_host since it has limitations. */
 	if (!SSL_add1_host(statePtr->ssl, servername)) {
-	    Tcl_AppendResult(interp, "setting DNS host name failed", (char *) NULL);
+	    Tcl_AppendResult(interp, "Set DNS hostname failed: ", GET_ERR_REASON(), (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "HOSTNAME", "FAILED", (char *) NULL);
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
     }
@@ -1495,11 +1501,11 @@
 
     /* Resume session id */
     if (session_id && strlen(session_id) <= SSL_MAX_SID_CTX_LENGTH) {
 	/* SSL_set_session() */
 	if (!SSL_SESSION_set1_id_context(SSL_get_session(statePtr->ssl), session_id, (unsigned int) strlen(session_id))) {
-	    Tcl_AppendResult(interp, "Resume session id ", session_id, " failed", (char *) NULL);
+	    Tcl_AppendResult(interp, "Resume session failed: ", GET_ERR_REASON(), (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SESSION", "FAILED", (char *) NULL);
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
     }
@@ -1521,11 +1527,11 @@
 
 	/* Determine the memory required for the protocol-list */
 	for (i = 0; i < cnt; i++) {
 	    Tcl_GetStringFromObj(list[i], &len);
 	    if (len > 255) {
-		Tcl_AppendResult(interp, "ALPN protocol name too long", (char *) NULL);
+		Tcl_AppendResult(interp, "ALPN protocol names too long", (char *) NULL);
 		Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL);
 		Tls_Free((char *) statePtr);
 		return TCL_ERROR;
 	    }
 	    protos_len += 1 + (int) len;
@@ -1542,11 +1548,11 @@
 	}
 
 	/* SSL_set_alpn_protos makes a copy of the protocol-list */
 	/* Note: This functions reverses the return value convention */
 	if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) {
-	    Tcl_AppendResult(interp, "failed to set ALPN protocols", (char *) NULL);
+	    Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL);
 	    Tls_Free((char *) statePtr);
 	    ckfree(protos);
 	    return TCL_ERROR;
 	}
@@ -1908,11 +1914,11 @@
 	    DH_free(dh);
 
 	} else {
 	    /* Use well known DH parameters that have built-in support in OpenSSL */
 	    if (!SSL_CTX_set_dh_auto(ctx, 1)) {
-		Tcl_AppendResult(interp, "Could not enable set DH auto: ", REASON(), (char *) NULL);
+		Tcl_AppendResult(interp, "Could not enable set DH auto: ", GET_ERR_REASON(), (char *) NULL);
 		SSL_CTX_free(ctx);
 		return NULL;
 	    }
 	}
     }
@@ -1926,20 +1932,20 @@
 	Tcl_DStringInit(&ds);
 
 	if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 	    Tcl_DStringFree(&ds);
 	    Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ",
-			     REASON(), (char *) NULL);
+		GET_ERR_REASON(), (char *) NULL);
 	    SSL_CTX_free(ctx);
 	    return NULL;
 	}
     } else if (cert != NULL) {
 	load_private_key = 1;
 	if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) {
 	    Tcl_DStringFree(&ds);
 	    Tcl_AppendResult(interp, "unable to set certificate: ",
-			     REASON(), (char *) NULL);
+		GET_ERR_REASON(), (char *) NULL);
 	    SSL_CTX_free(ctx);
 	    return NULL;
 	}
     } else {
 	certfile = (char*)X509_get_default_cert_file();
@@ -1946,11 +1952,11 @@
 
 	if (SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM) <= 0) {
 #if 0
 	    Tcl_DStringFree(&ds);
 	    Tcl_AppendResult(interp, "unable to use default certificate file ", certfile, ": ",
-			     REASON(), (char *) NULL);
+		GET_ERR_REASON(), (char *) NULL);
 	    SSL_CTX_free(ctx);
 	    return NULL;
 #endif
 	}
     }
@@ -1970,11 +1976,11 @@
 	    if (SSL_CTX_use_PrivateKey_file(ctx, F2N(keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 		Tcl_DStringFree(&ds);
 		/* flush the passphrase which might be left in the result */
 		Tcl_SetResult(interp, NULL, TCL_STATIC);
 		Tcl_AppendResult(interp, "unable to set public key file ", keyfile, " ",
-			         REASON(), (char *) NULL);
+		    GET_ERR_REASON(), (char *) NULL);
 		SSL_CTX_free(ctx);
 		return NULL;
 	    }
 	    Tcl_DStringFree(&ds);
 
@@ -1981,11 +1987,11 @@
 	} else if (key != NULL) {
 	    if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) {
 		Tcl_DStringFree(&ds);
 		/* flush the passphrase which might be left in the result */
 		Tcl_SetResult(interp, NULL, TCL_STATIC);
-		Tcl_AppendResult(interp, "unable to set public key: ", REASON(), (char *) NULL);
+		Tcl_AppendResult(interp, "unable to set public key: ", GET_ERR_REASON(), (char *) NULL);
 		SSL_CTX_free(ctx);
 		return NULL;
 	    }
 	}
 	/* Now we know that a key and cert have been set against
@@ -2011,11 +2017,11 @@
 	!SSL_CTX_set_default_verify_paths(ctx)) {
 #if 0
 	Tcl_DStringFree(&ds);
 	Tcl_DStringFree(&ds1);
 	/* Don't currently care if this fails */
-	Tcl_AppendResult(interp, "SSL default verify paths: ", REASON(), (char *) NULL);
+	Tcl_AppendResult(interp, "SSL default verify paths: ", GET_ERR_REASON(), (char *) NULL);
 	SSL_CTX_free(ctx);
 	return NULL;
 #endif
     }
 

Index: generic/tlsIO.c
==================================================================
--- generic/tlsIO.c
+++ generic/tlsIO.c
@@ -181,16 +181,14 @@
 	if (bioShouldRetry) {
 	    dprintf("The I/O did not complete -- but we should try it again");
 
 	    if (statePtr->flags & TLS_TCL_ASYNC) {
 		dprintf("Returning EAGAIN so that it can be retried later");
-
 		*errorCodePtr = EAGAIN;
 		return(-1);
 	    } else {
 		dprintf("Doing so now");
-
 		continue;
 	    }
 	}
 
 	dprintf("We have either completely established the session or completely failed it -- there is no more need to ever retry it though");
@@ -201,14 +199,16 @@
 	case SSL_ERROR_NONE:
 	    /* The connection is up, we are done here */
 	    dprintf("The connection is up");
 	    *errorCodePtr = 0;
 	    break;
+
 	case SSL_ERROR_ZERO_RETURN:
 	    dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...");
 	    *errorCodePtr = EINVAL;
 	    return(-1);
+
 	case SSL_ERROR_SYSCALL:
 	    backingError = ERR_get_error();
 
 	    if (backingError == 0 && err == 0) {
 		dprintf("EOF reached")

Index: generic/tlsInt.h
==================================================================
--- generic/tlsInt.h
+++ generic/tlsInt.h
@@ -102,10 +102,11 @@
 #define dprintBuffer(bufferName, bufferLength) /**/
 #define dprintFlags(statePtr) /**/
 #endif
 
 #define TCLTLS_SSL_ERROR(ssl,err) ((char*)ERR_reason_error_string((unsigned long)SSL_get_error((ssl),(err))))
+#define GET_ERR_REASON()	ERR_reason_error_string(ERR_get_error())
 
 /* Common list append macros */
 #define LAPPEND_BARRAY(interp, obj, text, value, size) {\
     if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \
     Tcl_ListObjAppendElement(interp, obj, Tcl_NewByteArrayObj(value, size)); \