@@ -133,14 +133,17 @@
 	    *errorCodePtr = ECONNABORTED;
 	} else {
 	    dprintf("Asked to wait for a TLS handshake that has already failed.  Returning soft error");
 	    *errorCodePtr = ECONNRESET;
 	}
+	Tls_Error(statePtr, "Wait for failed handshake");
 	return(-1);
     }
 
     for (;;) {
+	ERR_clear_error();
+
 	/* Not initialized yet! Also calls SSL_do_handshake. */
 	if (statePtr->flags & TLS_TCL_SERVER) {
 	    dprintf("Calling SSL_accept()");
 	    err = SSL_accept(statePtr->ssl);
 
@@ -148,22 +151,26 @@
 	    dprintf("Calling SSL_connect()");
 	    err = SSL_connect(statePtr->ssl);
 	}
 
 	if (err > 0) {
-	    dprintf("That seems to have gone okay");
+	    dprintf("Accept or connect was successful");
 
 	    err = BIO_flush(statePtr->bio);
 	    if (err <= 0) {
 		dprintf("Flushing the lower layers failed, this will probably terminate this session");
 	    }
+	} else {
+	    dprintf("Accept or connect failed");
 	}
 
 	rc = SSL_get_error(statePtr->ssl, err);
-
-	dprintf("Got error: %i (rc = %i)", err, rc);
-	dprintf("Got error: %s", ERR_reason_error_string(ERR_get_error()));
+	backingError = ERR_get_error();
+	if (rc != SSL_ERROR_NONE) {
+	    dprintf("Got error: %i (rc = %i)", err, rc);
+	    dprintf("Got error: %s", GET_ERR_REASON());
+	}
 
 	bioShouldRetry = 0;
 	if (err <= 0) {
 	    if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) {
 		bioShouldRetry = 1;
@@ -195,75 +202,78 @@
 	break;
     }
 
     switch (rc) {
 	case SSL_ERROR_NONE:
-	    /* The connection is up, we are done here */
-	    dprintf("The connection is up");
+	    /* The TLS/SSL I/O operation completed */
+	    dprintf("The connection is good");
 	    *errorCodePtr = 0;
 	    break;
 
 	case SSL_ERROR_ZERO_RETURN:
+	    /* The TLS/SSL peer has closed the connection for writing by sending the close_notify alert */
 	    dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...");
 	    *errorCodePtr = EINVAL;
+	    Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert");
 	    return(-1);
 
 	case SSL_ERROR_SYSCALL:
-	    backingError = ERR_get_error();
+	    /* Some non-recoverable, fatal I/O error occurred */
+	    dprintf("SSL_ERROR_SYSCALL");
 
 	    if (backingError == 0 && err == 0) {
 		dprintf("EOF reached")
 		*errorCodePtr = ECONNRESET;
+		Tls_Error(statePtr, "(unexpected) EOF reached");
+
 	    } else if (backingError == 0 && err == -1) {
 		dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
 		*errorCodePtr = Tcl_GetErrno();
 		if (*errorCodePtr == ECONNRESET) {
 		    *errorCodePtr = ECONNABORTED;
 		}
+		Tls_Error(statePtr, Tcl_ErrnoMsg(Tcl_GetErrno()));
+
 	    } else {
 		dprintf("I/O error occurred (backingError = %lu)", backingError);
 		*errorCodePtr = backingError;
 		if (*errorCodePtr == ECONNRESET) {
 		    *errorCodePtr = ECONNABORTED;
 		}
+		Tls_Error(statePtr, ERR_reason_error_string(backingError));
 	    }
 
 	    statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
 	    return(-1);
 
 	case SSL_ERROR_SSL:
-	    dprintf("Got permanent fatal SSL error, aborting immediately");
-	    Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error()));
+	    /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
+	    dprintf("SSL_ERROR_SSL: Got permanent fatal SSL error, aborting immediately");
+	    if (backingError != 0) {
+		Tls_Error(statePtr, ERR_reason_error_string(backingError));
+	    }
+	    if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) {
+		Tls_Error(statePtr, X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl)));
+	    }
 	    statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
 	    *errorCodePtr = ECONNABORTED;
 	    return(-1);
 
 	case SSL_ERROR_WANT_CONNECT:
 	case SSL_ERROR_WANT_ACCEPT:
 	case SSL_ERROR_WANT_X509_LOOKUP:
-	default:
-	    dprintf("We got a confusing reply: %i", rc);
-	    *errorCodePtr = Tcl_GetErrno();
-	    dprintf("ERR(%d, %d) ", rc, *errorCodePtr);
-	    return(-1);
-    }
-
-#if 0
-    if (statePtr->flags & TLS_TCL_SERVER) {
-	dprintf("This is an TLS server, checking the certificate for the peer");
-
-	err = SSL_get_verify_result(statePtr->ssl);
-	if (err != X509_V_OK) {
-	    dprintf("Invalid certificate, returning in failure");
-
-	    Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err));
-	    statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
-	    *errorCodePtr = ECONNABORTED;
-	    return(-1);
-	}
-    }
-#endif
+	case SSL_ERROR_WANT_ASYNC:
+	case SSL_ERROR_WANT_ASYNC_JOB:
+	case SSL_ERROR_WANT_CLIENT_HELLO_CB:
+	default:
+	    /* The operation did not complete and can be retried later. */
+	    dprintf("Operation did not complete, call function again later: %i", rc);
+	    *errorCodePtr = EAGAIN;
+	    dprintf("ERR(%d, %d) ", rc, *errorCodePtr);
+	    Tls_Error(statePtr, "Operation did not complete, call function again later");
+	    return(-1);
+    }
 
     dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake");
     statePtr->flags &= ~TLS_TCL_INIT;
 
     dprintf("Returning in success");
@@ -335,10 +345,11 @@
     ERR_clear_error();
     bytesRead = BIO_read(statePtr->bio, buf, bufSize);
     dprintf("BIO_read -> %d", bytesRead);
 
     err = SSL_get_error(statePtr->ssl, bytesRead);
+    backingError = ERR_get_error();
 
 #if 0
     if (bytesRead <= 0) {
 	if (BIO_should_retry(statePtr->bio)) {
 	    dprintf("I/O failed, will retry based on EAGAIN");
@@ -351,45 +362,55 @@
 	case SSL_ERROR_NONE:
 	    dprintBuffer(buf, bytesRead);
 	    break;
 
 	case SSL_ERROR_SSL:
-	    dprintf("SSL negotiation error, indicating that the connection has been aborted");
-
-	    Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, bytesRead));
+	    /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
+	    dprintf("SSL error, indicating that the connection has been aborted");
+	    if (backingError != 0) {
+		Tls_Error(statePtr, ERR_reason_error_string(backingError));
+	    }
 	    *errorCodePtr = ECONNABORTED;
 	    bytesRead = -1;
 	    break;
 
 	case SSL_ERROR_SYSCALL:
-	    backingError = ERR_get_error();
+	    /* Some non-recoverable, fatal I/O error occurred */
 
 	    if (backingError == 0 && bytesRead == 0) {
-		dprintf("EOF reached")
+		/* Unexpected EOF from the peer for OpenSSL 1.1 */
+		dprintf("(Unexpected) EOF reached")
 		*errorCodePtr = 0;
 		bytesRead = 0;
+		Tls_Error(statePtr, "EOF reached");
+
 	    } else if (backingError == 0 && bytesRead == -1) {
 		dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
 		*errorCodePtr = Tcl_GetErrno();
 		bytesRead = -1;
+		Tls_Error(statePtr, Tcl_ErrnoMsg(Tcl_GetErrno()));
+
 	    } else {
 		dprintf("I/O error occurred (backingError = %lu)", backingError);
 		*errorCodePtr = backingError;
 		bytesRead = -1;
+		Tls_Error(statePtr, ERR_reason_error_string(backingError));
 	    }
 	    break;
 
 	case SSL_ERROR_ZERO_RETURN:
 	    dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached");
 	    bytesRead = 0;
 	    *errorCodePtr = 0;
+	    Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert");
 	    break;
 
 	case SSL_ERROR_WANT_READ:
 	    dprintf("Got SSL_ERROR_WANT_READ, mapping this to EAGAIN");
 	    bytesRead = -1;
 	    *errorCodePtr = EAGAIN;
+	    Tls_Error(statePtr, "SSL_ERROR_WANT_READ");
 	    break;
 
 	default:
 	    dprintf("Unknown error (err = %i), mapping to EOF", err);
 	    *errorCodePtr = 0;
@@ -486,10 +507,12 @@
     ERR_clear_error();
     written = BIO_write(statePtr->bio, buf, toWrite);
     dprintf("BIO_write(%p, %d) -> [%d]", (void *) statePtr, toWrite, written);
 
     err = SSL_get_error(statePtr->ssl, written);
+    backingError = ERR_get_error();
+
     switch (err) {
 	case SSL_ERROR_NONE:
 	    if (written < 0) {
 		written = 0;
 	    }
@@ -497,52 +520,65 @@
 
 	case SSL_ERROR_WANT_WRITE:
 	    dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN");
 	    *errorCodePtr = EAGAIN;
 	    written = -1;
+	    Tls_Error(statePtr, "SSL_ERROR_WANT_WRITE");
 	    break;
 
 	case SSL_ERROR_WANT_READ:
 	    dprintf(" write R BLOCK");
+	    Tls_Error(statePtr, "SSL_ERROR_WANT_READ");
 	    break;
 
 	case SSL_ERROR_WANT_X509_LOOKUP:
 	    dprintf(" write X BLOCK");
+	    Tls_Error(statePtr, "SSL_ERROR_WANT_X509_LOOKUP");
 	    break;
 
 	case SSL_ERROR_ZERO_RETURN:
 	    dprintf(" closed");
 	    written = 0;
 	    *errorCodePtr = 0;
+	    Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert");
 	    break;
 
 	case SSL_ERROR_SYSCALL:
-	    backingError = ERR_get_error();
+	    /* Some non-recoverable, fatal I/O error occurred */
 
 	    if (backingError == 0 && written == 0) {
 		dprintf("EOF reached")
 		*errorCodePtr = 0;
 		written = 0;
+		Tls_Error(statePtr, "EOF reached");
+
 	    } else if (backingError == 0 && written == -1) {
 		dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
 		*errorCodePtr = Tcl_GetErrno();
 		written = -1;
+		Tls_Error(statePtr, Tcl_ErrnoMsg(Tcl_GetErrno()));
+
 	    } else {
 		dprintf("I/O error occurred (backingError = %lu)", backingError);
 		*errorCodePtr = backingError;
 		written = -1;
+		Tls_Error(statePtr, ERR_reason_error_string(backingError));
 	    }
 	    break;
 
 	case SSL_ERROR_SSL:
-	    Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, written));
+	    /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
+	    dprintf("SSL error, indicating that the connection has been aborted");
+	    if (backingError != 0) {
+		Tls_Error(statePtr, ERR_reason_error_string(backingError));
+	    }
 	    *errorCodePtr = ECONNABORTED;
 	    written = -1;
 	    break;
 
 	default:
-	    dprintf(" unknown err: %d", err);
+	    dprintf("unknown error: %d", err);
 	    break;
     }
 
     if (*errorCodePtr < 0) {
 	Tls_Error(statePtr, strerror(*errorCodePtr));