Index: configure.in
==================================================================
--- configure.in
+++ configure.in
@@ -9,18 +9,18 @@
 dnl to use the RSA BSAFE libraries for any product developed for
 dnl commercial use. Licensing information for BSAFE SSL-C may be
 dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA.
 dnl Their home page on the web is "www.rsasecurity.com". 
 #
-# RCS: @(#) $Id: configure.in,v 1.29 2015/05/01 18:44:34 andreas_kupries Exp $
+# RCS: @(#) $Id: configure.in,v 1.30 2015/06/06 09:07:08 apnadkarni Exp $
 
 
 #--------------------------------------------------------------------
 # macro used to verify that the configure script can find the sources
 #--------------------------------------------------------------------
 
-AC_INIT([tls], [1.6.5])
+AC_INIT([tls], [1.6.6])
 
 TEA_INIT([3.8])
 
 AC_CONFIG_AUX_DIR(tclconfig)
 

Index: tests/tlsIO.test
==================================================================
--- tests/tlsIO.test
+++ tests/tlsIO.test
@@ -8,11 +8,11 @@
 # Copyright (c) 1998-2000 Ajuba Solutions. 
 #
 # See the file "license.terms" for information on usage and redistribution
 # of this file, and for a DISCLAIMER OF ALL WARRANTIES.
 #
-# RCS: @(#) $Id: tlsIO.test,v 1.23 2008/03/19 22:06:13 hobbs2 Exp $
+# RCS: @(#) $Id: tlsIO.test,v 1.24 2015/06/06 09:07:08 apnadkarni Exp $
 
 # Running socket tests with a remote server:
 # ------------------------------------------
 # 
 # Some tests in socket.test depend on the existence of a remote server to
@@ -2025,10 +2025,42 @@
     # only the client gets tls::import
     set res [tls::unimport $c]
     list $res [catch {close $c} err] $err \
 	[catch {close $s} err] $err
 } {{} 0 {} 0 {}}
+
+test tls-bug58-1.0 {test protocol negotiation failure} {socket} {
+    # Following code is based on what was reported in bug #58. Prior
+    # to fix the program would crash with a segfault.
+    proc Accept {sock args} {
+        fconfigure $sock -blocking 0;
+        fileevent $sock readable [list Handshake $sock]
+    } 
+    proc Handshake {sock} {
+        set ::done HAND
+        catch {tls::handshake $sock} msg
+        set ::done $msg
+    } 
+    # NOTE: when doing an in-process client/server test, both sides need
+    # to be non-blocking for the TLS handshake
+
+    # Server - Only accept TLS 1 or higher
+    set s [tls::socket \
+               -certfile $serverCert -cafile $caCert -keyfile $serverKey \
+               -request 0 -require 0 -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1 \
+               -server Accept 8831]
+    # Client - Only propose SSL3
+    set c [tls::socket -async \
+               -cafile $caCert \
+               -request 0 -require 0 -ssl2 0 -ssl3 1 -tls1 0 -tls1.1 0 -tls1.2 0 \
+               [info hostname] 8831]
+    fconfigure $c -blocking 0
+    puts $c a ; flush $c
+    after 5000 [list set ::done timeout]
+    vwait ::done
+    set ::done
+} {handshake failed: wrong version number}
 
 # cleanup
 if {[string match sock* $commandSocket] == 1} {
    puts $commandSocket exit
    flush $commandSocket
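Review bot: The new test tls-bug58-1.0 leaves state behind: `$s` and `$c` are never closed, the socket handed to `Accept` is not recorded so it cannot be closed either, and the `after 5000` timer is never cancelled, so it can fire later and overwrite `::done` while another test is waiting on the event loop. Keeping the timer id (`set t [after 5000 [list set ::done timeout]]`) and ending the body with `after cancel $t; catch {close $c}; catch {close $s}` before returning `$::done` would keep the test isolated. The expected result also pins an exact OpenSSL reason string (`wrong version number`) and the fixed port 8831. A library built without SSLv3, or one that words the failure differently, will likely fail this test for reasons unrelated to bug #58, so matching on the `handshake failed:` prefix would be more robust.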

Index: tlsIO.c
==================================================================
--- tlsIO.c
+++ tlsIO.c
@@ -1,10 +1,10 @@
 /*
  * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
  * Copyright (C) 2000 Ajuba Solutions
  *
- * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsIO.c,v 1.18 2015/05/01 18:44:34 andreas_kupries Exp $
+ * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsIO.c,v 1.19 2015/06/06 09:07:08 apnadkarni Exp $
  *
  * TLS (aka SSL) Channel - can be layered on any bi-directional
  * Tcl_Channel (Note: Requires Trf Core Patch)
  *
  * This was built from scratch based upon observation of OpenSSL 0.9.2B
@@ -886,10 +886,24 @@
     int *errorCodePtr;		/* Where to store error code. */
 {
     int err;
 
     dprintf(stderr,"\nWaitForConnect(0x%x)", (unsigned int) statePtr);
+
+    if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
+        /*
+         * We choose ECONNRESET over ECONNABORTED here because some server
+         * side code, on the wiki for example, sets up a read handler that
+         * does a read and if eof closes the channel. There is no catch/try
+         * around the reads so exceptions will result in potentially many
+         * dangling channels hanging around that should have been closed.
+         * (Backgroun: ECONNABORTED maps to a Tcl exception and 
+         * ECONNRESET maps to graceful EOF).
+         */
+        *errorCodePtr = ECONNRESET;
+        return -1;
+    }
 
     for (;;) {
 	/* Not initialized yet! */
 	if (statePtr->flags & TLS_TCL_SERVER) {
 	    err = SSL_accept(statePtr->ssl);
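Review bot: A failed handshake is reported as ECONNABORTED on the first call and as ECONNRESET on every later call through this early return, which the added comment says Tcl presents as a graceful EOF. A script that only tests `eof` therefore cannot tell a rejected handshake, including the certificate verification failure flagged further down in this function, from a peer that closed normally, and the reason passed to Tls_Error on the first call is the only record. That trade-off should be stated in the user documentation for `tls::handshake` and channel reads, so callers know to check the handshake result before trusting an empty stream. The comment also has a typo, `Backgroun:` for `Background:`. WaitForConnect starts before this hunk and continues past it.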
@@ -905,10 +919,11 @@
 	    int rc = SSL_get_error(statePtr->ssl, err);
 
 	    if (rc == SSL_ERROR_SSL) {
 		Tls_Error(statePtr,
 			(char *)ERR_reason_error_string(ERR_get_error()));
+                statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
 		*errorCodePtr = ECONNABORTED;
 		return -1;
 	    } else if (BIO_should_retry(statePtr->bio)) {
 		if (statePtr->flags & TLS_TCL_ASYNC) {
 		    dprintf(stderr,"E! ");
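Review bot: TLS_TCL_HANDSHAKE_FAILED is set only in the `rc == SSL_ERROR_SSL` branch here and in the verify-result branch of the following hunk (`@@ -925,10 +940,11 @@`). The rest of the if/else chain lies outside the hunk, so it is worth confirming that no other terminal result returns -1 without the flag, for example SSL_ERROR_SYSCALL or SSL_ERROR_ZERO_RETURN if they are handled below. Such a path would let a later call re-enter SSL_accept/SSL_connect on a dead session, which is presumably the re-entry this flag exists to stop. Both added `statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;` lines are indented with spaces where the surrounding code uses tabs; matching the file's tab indentation would keep the blocks aligned.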
@@ -925,10 +940,11 @@
 	    if (statePtr->flags & TLS_TCL_SERVER) {
 		err = SSL_get_verify_result(statePtr->ssl);
 		if (err != X509_V_OK) {
 		    Tls_Error(statePtr,
 			    (char *)X509_verify_cert_error_string(err));
+                    statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
 		    *errorCodePtr = ECONNABORTED;
 		    return -1;
 		}
 	    }
 	    *errorCodePtr = Tcl_GetErrno();

Index: tlsInt.h
==================================================================
--- tlsInt.h
+++ tlsInt.h
@@ -1,9 +1,9 @@
 /*
  * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
  *
- * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsInt.h,v 1.16 2014/12/08 19:09:06 andreas_kupries Exp $
+ * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsInt.h,v 1.17 2015/06/06 09:07:08 apnadkarni Exp $
  *
  * TLS (aka SSL) Channel - can be layered on any bi-directional
  * Tcl_Channel (Note: Requires Trf Core Patch)
  *
  * This was built from scratch based upon observation of OpenSSL 0.9.2B
@@ -98,10 +98,13 @@
 #define TLS_TCL_SERVER	(1<<1)	/* Server-Side */
 #define TLS_TCL_INIT	(1<<2)	/* Initializing connection */
 #define TLS_TCL_DEBUG	(1<<3)	/* Show debug tracing */
 #define TLS_TCL_CALLBACK	(1<<4)	/* In a callback, prevent update
 					 * looping problem. [Bug 1652380] */
+#define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once
+                                         * set, all further I/O will result
+                                         * in ECONNABORTED errors. */
 
 #define TLS_TCL_DELAY (5)
 
 /*
  * This structure describes the per-instance state
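Review bot: The comment on TLS_TCL_HANDSHAKE_FAILED says further I/O results in ECONNABORTED, but the early return added to WaitForConnect in tlsIO.c by this same change deliberately returns ECONNRESET and explains why. Only the first failure reports ECONNABORTED. Suggested wording: `/* Set on handshake failure; once set, WaitForConnect fails all further I/O with ECONNRESET (seen by scripts as EOF). */`.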

Index: win/makefile.vc
==================================================================
--- win/makefile.vc
+++ win/makefile.vc
@@ -16,11 +16,11 @@
 # Copyright (c) 2001 ActiveState Corporation.
 # Copyright (c) 2001-2002 David Gravereaux.
 # Copyright (c) 2003-2006 Pat Thoyts
 #
 #-------------------------------------------------------------------------
-# RCS: @(#)$Id: makefile.vc,v 1.13 2015/06/06 07:03:32 apnadkarni Exp $
+# RCS: @(#)$Id: makefile.vc,v 1.14 2015/06/06 09:07:08 apnadkarni Exp $
 #-------------------------------------------------------------------------
 
 # Check to see we are configured to build with MSVC (MSDEVDIR or MSVCDIR)
 # or with the MS Platform SDK (MSSDK). Visual Studio .NET 2003 and 2005 define
 # VCINSTALLDIR instead. The MSVC Toolkit release defines yet another.
@@ -162,11 +162,11 @@
 
 # Uncomment the following line if this is a Tk extension.
 #PROJECT_REQUIRES_TK=1
 !include "rules.vc"
 
-DOTVERSION      = 1.6.5
+DOTVERSION      = 1.6.6
 VERSION         = $(DOTVERSION:.=)
 STUBPREFIX      = $(PROJECT)stub
 
 DLLOBJS = \
 	$(TMP_DIR)\tls.obj \