@@ -168,10 +168,13 @@
 
     dprintf("TlsCloseProc(%p)", (void *) statePtr);
 
     Tls_Clean(statePtr);
     Tcl_EventuallyFree((ClientData)statePtr, Tls_Free);
+
+    dprintf("Returning TCL_OK");
+
     return TCL_OK;
 }
 
 /*
  *-------------------------------------------------------------------
@@ -245,27 +248,30 @@
      * correctly.  Similar fix in TlsOutputProc. - hobbs
      */
     ERR_clear_error();
     bytesRead = BIO_read(statePtr->bio, buf, bufSize);
     dprintf("BIO_read -> %d", bytesRead);
+    dprintBuffer(buf, bytesRead);
 
-    if (bytesRead < 0) {
+    if (bytesRead <= 0) {
 	int err = SSL_get_error(statePtr->ssl, bytesRead);
 
 	if (err == SSL_ERROR_SSL) {
 	    Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, bytesRead));
 	    *errorCodePtr = ECONNABORTED;
 	} else if (BIO_should_retry(statePtr->bio)) {
-	    dprintf("RE! ");
+	    dprintf("retry based on EAGAIN");
 	    *errorCodePtr = EAGAIN;
 	} else {
 	    *errorCodePtr = Tcl_GetErrno();
 	    if (*errorCodePtr == ECONNRESET) {
 		/* Soft EOF */
 		*errorCodePtr = 0;
 		bytesRead = 0;
-	    }
+	    } else {
+                dprintf("Got an unexpected error: %i", *errorCodePtr);
+            }
 	}
     }
     input:
     dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr);
     return bytesRead;
@@ -299,10 +305,11 @@
     int written, err;
 
     *errorCodePtr = 0;
 
     dprintf("BIO_write(%p, %d)", (void *) statePtr, toWrite);
+    dprintBuffer(buf, toWrite);
 
     if (statePtr->flags & TLS_TCL_CALLBACK) {
        /* don't process any bytes while verify callback is running */
        written = -1;
        *errorCodePtr = EAGAIN;
@@ -460,11 +467,29 @@
 
     dprintf("TlsWatchProc(0x%x)", mask);
 
     /* Pretend to be dead as long as the verify callback is running. 
      * Otherwise that callback could be invoked recursively. */
-    if (statePtr->flags & TLS_TCL_CALLBACK) { return; }
+    if (statePtr->flags & TLS_TCL_CALLBACK) {
+        dprintf("Callback is on-going, doing nothing");
+        return;
+    }
+
+    dprintFlags(statePtr);
+
+    downChan = Tls_GetParent(statePtr);
+
+    if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
+        dprintf("Asked to watch a socket with a failed handshake -- nothing can happen here");
+
+	dprintf("Unregistering interest in the lower channel");
+	(Tcl_GetChannelType(downChan))->watchProc(Tcl_GetChannelInstanceData(downChan), 0);
+
+	statePtr->watchMask = 0;
+
+        return;
+    }
 
 	statePtr->watchMask = mask;
 
 	/* No channel handlers any more. We will be notified automatically
 	 * about events on the channel below via a call to our
@@ -472,28 +497,31 @@
 	 * We are allowed to add additional 'interest' to the mask if we want
 	 * to. But this transformation has no such interest. It just passes
 	 * the request down, unchanged.
 	 */
 
-	downChan = Tls_GetParent(statePtr);
 
+        dprintf("Registering our interest in the lower channel (chan=%p)", (void *) downChan);
 	(Tcl_GetChannelType(downChan))
 	    ->watchProc(Tcl_GetChannelInstanceData(downChan), mask);
 
 	/*
 	 * Management of the internal timer.
 	 */
 
 	if (statePtr->timer != (Tcl_TimerToken) NULL) {
+            dprintf("A timer was found, deleting it");
 	    Tcl_DeleteTimerHandler(statePtr->timer);
 	    statePtr->timer = (Tcl_TimerToken) NULL;
 	}
+
 	if ((mask & TCL_READABLE) && Tcl_InputBuffered(statePtr->self) > 0) {
 	    /*
 	     * There is interest in readable events and we actually have
 	     * data waiting, so generate a timer to flush that.
 	     */
+            dprintf("Creating a new timer since data appears to be waiting");
 	    statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY,
 		    TlsChannelHandlerTimer, (ClientData) statePtr);
 	}
 }