@@ -28,11 +28,11 @@
             <dd><b>tls::status </b> <em>?-local? channel</em></dd>
             <dd><b>tls::connection </b> <em>channel</em></dd>
             <dd><b>tls::import</b> <em>channel ?options?</em></dd>
             <dd><b>tls::unimport</b> <em>channel</em></dd>
             <dt>&nbsp;</dt>
-            <dd><b>tls::ciphers </b> <em>protocol ?verbose?</em></dd>
+            <dd><b>tls::ciphers </b> <em>protocol ?verbose? ?supported?</em></dd>
             <dd><b>tls::protocols</b></dd>
             <dd><b>tls::version</b></dd>
         </dl>
     </dd>
     <dd><a href="#COMMANDS">COMMANDS</a></dd>
@@ -61,11 +61,11 @@
 <a href="#tls::connection"><b>tls::connection</b> <i>channel</i></a><br>
 <a href="#tls::handshake"><b>tls::handshake</b> <i>channel</i></a><br>
 <a href="#tls::import"><b>tls::import</b> <i>channel ?options?</i></a><br>
 <a href="#tls::unimport"><b>tls::unimport</b> <i>channel</i></a><br>
 <br>
-<a href="#tls::ciphers"><b>tls::ciphers</b> <i>protocol ?verbose?</i></a><br>
+<a href="#tls::ciphers"><b>tls::ciphers</b> <i>protocol ?verbose? ?supported?</i></a><br>
 <a href="#tls::protocols"><b>tls::protocols</b></a>
 <a href="#tls::version"><b>tls::version</b></a>
 </p>
 
 <h3><a name="DESCRIPTION">DESCRIPTION</a></h3>
@@ -135,12 +135,19 @@
 	    the <b>SSL_CERT_FILE</b> environment variable.</dd>
         <dt><strong>-cert</strong> <em>filename</em></dt>
         <dd>Specify the contents of a certificate to use, as a DER
 	    encoded binary value (X.509 DER).</dd>
         <dt><strong>-cipher</strong> <em>string</em></dt>
-        <dd>List of ciphers to use. See OpenSSL documentation for the full
-	    list of valid values.</dd>
+        <dd>List of ciphers to use. String is a colon (":") separated list
+	    of ciphers or cipher suites. Cipher suites can be combined
+	    using the <b>+</b> character. Prefixes can be used to permanently
+	    remove ("!"), delete ("-"), or move a cypher to the end of
+	    the list ("+"). Keywords <b>@STRENGTH</b> (sort by algorithm
+	    key length), <b>@SECLEVEL=</b><i>n</i> (set security level to
+	    n), and <b>DEFAULT</b> (use default cipher list, at start only)
+	    can also be specified. See OpenSSL documentation for the full
+	    list of valid values. (TLS 1.2 and earlier only)</dd>
         <dt><strong>-command</strong> <em>callback</em></dt>
         <dd>Callback to invoke at several points during the handshake.
 	    This is used to pass errors and tracing information, and
 	    it can allow Tcl scripts to perform their own certificate
 	    validation in place of the default validation provided by
@@ -283,16 +290,18 @@
         <dd>Whether the session has been reused or not.</dd>
     </dl>
 </blockquote>
 
     <dt><a name="tls::ciphers"><strong>tls::ciphers</strong> 
-    <em>protocol ?verbose?</em></a></dt>
+    <em>protocol ?verbose? ?supported?</em></a></dt>
     <dd>Returns a list of supported ciphers available for <em>protocol</em>,
         where protocol must be one of <b>ssl2, ssl3, tls1, tls1.1,
 	tls1.2,</b> or <b>tls1.3</b>. If <em>verbose</em> is specified as
 	true then a verbose, human readable list is returned with
-	additional information on the cipher.</dd>
+	additional information on the cipher. If <em>supported</em>
+	is specified as true, then only the ciphers supported for protocol
+	will be listed.</dd>
 
     <dt><a name="tls::protocols"><strong>tls::protocols</strong></a></dt>
     <dd>Returns a list of supported protocols. Valid values are:
 	<b>ssl2</b>, <b>ssl3</b>, <b>tls1</b>, <b>tls1.1</b>, <b>tls1.2</b>,
 	and <b>tls1.3</b>.</dd>