Index: README.txt
==================================================================
--- README.txt
+++ README.txt
@@ -6,11 +6,11 @@
 This package provides an extension which implements Secure Socket Layer (SSL)
 and Transport Layer Security (TLS) over Transmission Control Protocol (TCP)
 network communication channels. It utilizes either the OpenSSL or LibreSSL
 software library.
  
-Version 2.0 also provides a cryptography library providing TCL scripts access
+Version 1.9 also provides a cryptography library providing TCL scripts access
 to the crypto capabilities of the OpenSSL library.
 
 
 Description
 ===========
@@ -60,15 +60,13 @@
 
   --disable-tls1          disable TLS1 protocol
   --disable-tls1_1        disable TLS1.1 protocol
   --disable-tls1_2        disable TLS1.2 protocol
   --disable-tls1_3        disable TLS1.3 protocol
-  --enable-deterministic  enable deterministic DH parameters
   --enable-ssl-fastpath   enable using the underlying file descriptor for talking directly to the SSL library
   --enable-hardening      enable hardening attempts
   --enable-static-ssl     enable static linking to the SSL library
-  --with-builtin-dh-params-size=<bits>	specify the size of the built-in, precomputed, DH params
 
 If either TCL or OpenSSL are installed in non-standard locations, the following
 configure options are available. For all options, see ./configure --help.
 
   --with-tcl=<dir>			path to where tclCondig.sh file resides
@@ -106,11 +104,11 @@
 Original TLS Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
 TLS 1.4.1    Copyright (C) 2000 Ajuba Solutions
 TLS 1.6      Copyright (C) 2008 ActiveState Software Inc.
 TLS 1.7      Copyright (C) 2016 Matt Newman, Ajuba Solutions, ActiveState
                                 Software Inc, Roy Keene <tcltls@rkeene.org>
-TLS 1.9-2.0  Copyright (C) 2023 Brian O'Hagan
+TLS 1.8      Copyright (C) 2023 Brian O'Hagan
 
 Acknowledgments
 ===============
 
 Non-exclusive credits for TLS are:

Index: configure
==================================================================
--- configure
+++ configure
@@ -9326,11 +9326,11 @@
 #--------------------------------------------------------------------
 
 if test "${TEA_PLATFORM}" = "windows" ; then
     if test "$GCC" = "yes"; then
 
-    PKG_CFLAGS="$PKG_CFLAGS ${TCLTLS_SSL_CFLAGS}"
+    PKG_CFLAGS="$PKG_CFLAGS ${TCLTLS_SSL_CFLAGS} -Wno-deprecated-declarations"
 
 
 
     vars="${TCLTLS_SSL_INCLUDES}"
     for i in $vars; do
@@ -9350,11 +9350,11 @@
 
 
     fi
 else
 
-    PKG_CFLAGS="$PKG_CFLAGS ${TCLTLS_SSL_CFLAGS}"
+    PKG_CFLAGS="$PKG_CFLAGS ${TCLTLS_SSL_CFLAGS} -Wno-deprecated-declarations"
 
 
 
     vars="${TCLTLS_SSL_INCLUDES}"
     for i in $vars; do

Index: configure.ac
==================================================================
--- configure.ac
+++ configure.ac
@@ -175,16 +175,16 @@
 # OpenSSL uses as its default names.
 #--------------------------------------------------------------------
 
 if test "${TEA_PLATFORM}" = "windows" ; then
     if test "$GCC" = "yes"; then
-	TEA_ADD_CFLAGS([${TCLTLS_SSL_CFLAGS}])
+	TEA_ADD_CFLAGS([${TCLTLS_SSL_CFLAGS} -Wno-deprecated-declarations])
 	TEA_ADD_INCLUDES([${TCLTLS_SSL_INCLUDES}])
 	TEA_ADD_LIBS([${TCLTLS_SSL_LIBS}])
     fi
 else
-	TEA_ADD_CFLAGS([${TCLTLS_SSL_CFLAGS}])
+	TEA_ADD_CFLAGS([${TCLTLS_SSL_CFLAGS} -Wno-deprecated-declarations])
 	TEA_ADD_INCLUDES([${TCLTLS_SSL_INCLUDES}])
 	TEA_ADD_LIBS([${TCLTLS_SSL_LIBS}])
 fi
 
 #--------------------------------------------------------------------
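Review bot: Adding `-Wno-deprecated-declarations` to both `TEA_ADD_CFLAGS` calls silences every deprecation warning in the package, not only the OpenSSL ones this build presumably trips over, so a later use of a retired crypto API will compile without notice. The non-Windows `else` branch is not guarded by `$GCC`, so the flag is also handed to compilers that may not accept it. Consider limiting the suppression to the OpenSSL headers, for example by defining `OPENSSL_SUPPRESS_DEPRECATED` for OpenSSL 3 builds. A comment such as `# TODO: drop once the deprecated OpenSSL calls are replaced` next to it would record the intent.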

Index: doc/tls.html
==================================================================
--- doc/tls.html
+++ doc/tls.html
@@ -1,10 +1,9 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
-<meta http-equiv="Content-Type"
-content="text/html; charset=iso-8859-1">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 <meta name="Copyright" content="1999 Matt Newman / 2004 Starfish Systems">
 <title>TLS (SSL) TCL Commands</title>
 <link rel="stylesheet" href="docs.css" type="text/css" media="all">
 </head>
 

Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -416,11 +416,11 @@
     Tcl_DecrRefCount(cmdPtr);
 
     dprintf("VerifyCallback: command result = %d", ok);
 
     /* statePtr->flags &= ~(TLS_TCL_CALLBACK); */
-    return(ok);	/* By default, leave verification unchanged. */
+    return ok;	/* By default, leave verification unchanged. */
 }
 
 /*
  *-------------------------------------------------------------------
  *
@@ -452,11 +452,11 @@
     Tcl_ListObjAppendElement(interp, cmdPtr,
 	    Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
     if (msg != NULL) {
 	Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1));
 
-    } else if ((msg = Tcl_GetStringFromObj(Tcl_GetObjResult(interp), (Tcl_Size *) NULL)) != NULL) {
+    } else if ((msg = Tcl_GetString(Tcl_GetObjResult(interp))) != NULL) {
 	Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1));
 
     } else {
 	listPtr = Tcl_NewListObj(0, NULL);
 	while ((err = ERR_get_error()) != 0) {
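Review bot: The final `else` branch that collects the OpenSSL error queue looks unreachable, because `Tcl_GetString` returns a pointer to the object's string representation (an empty string for an empty result) rather than NULL, so the `!= NULL` test in the `else if` is always true. The same held for the `Tcl_GetStringFromObj` call it replaces. When `msg` is NULL and the interpreter result is empty, the callback therefore gets an empty message instead of the `ERR_get_error()` list; testing the content, e.g. `(msg = Tcl_GetString(Tcl_GetObjResult(interp))) != NULL && *msg != '\0'`, would restore the fallback. The function starts and ends outside the hunk.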
@@ -567,11 +567,11 @@
 	    len = (Tcl_Size) size-1;
 	}
 	strncpy(buf, ret, (size_t) len);
 	buf[len] = '\0';
 	Tcl_Release((ClientData) interp);
-	return((int) len);
+	return (int) len;
     }
     Tcl_Release((ClientData) interp);
     return -1;
 }
 
@@ -959,27 +959,27 @@
 
     dprintf("Called");
 
     if (objc != 2) {
 	Tcl_WrongNumArgs(interp, 1, objv, "channel");
-	return(TCL_ERROR);
+	return TCL_ERROR;
     }
 
     ERR_clear_error();
 
-    chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], (Tcl_Size *) NULL), NULL);
+    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
     if (chan == (Tcl_Channel) NULL) {
-	return(TCL_ERROR);
+	return TCL_ERROR;
     }
 
     /* Make sure to operate on the topmost channel */
     chan = Tcl_GetTopChannel(chan);
     if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
 	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
-	    "\": not a TLS channel", NULL);
+	    "\": not a TLS channel", (char *) NULL);
 	Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "CHANNEL", "INVALID", (char *) NULL);
-	return(TCL_ERROR);
+	return TCL_ERROR;
     }
     statePtr = (State *)Tcl_GetChannelInstanceData(chan);
 
     dprintf("Calling Tls_WaitForConnect");
     ret = Tls_WaitForConnect(statePtr, &err, 1);
@@ -1002,21 +1002,21 @@
 	if ((result = SSL_get_verify_result(statePtr->ssl)) != X509_V_OK) {
 	    Tcl_AppendResult(interp, " due to \"", X509_verify_cert_error_string(result), "\"", (char *) NULL);
 	}
 	Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "FAILED", (char *) NULL);
 	dprintf("Returning TCL_ERROR with handshake failed: %s", errStr);
-	return(TCL_ERROR);
+	return TCL_ERROR;
     } else {
 	if (err != 0) {
 	    dprintf("Got an error with a completed handshake: err = %i", err);
 	}
 	ret = 1;
     }
 
     dprintf("Returning TCL_OK with data \"%i\"", ret);
     Tcl_SetObjResult(interp, Tcl_NewIntObj(ret));
-    return(TCL_OK);
+    return TCL_OK;
 }
 
 static const char *command_opts [] = {
     "-alpn", "-cadir", "-cafile", "-cert", "-certfile", "-cipher", "-ciphers", "-ciphersuites",
     "-command", "-dhparams", "-key", "-keyfile", "-model", "-password", "-post_handshake",
@@ -1103,11 +1103,11 @@
 	return TCL_ERROR;
     }
 
     ERR_clear_error();
 
-    chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], (Tcl_Size *) NULL), NULL);
+    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
     if (chan == (Tcl_Channel) NULL) {
 	return TCL_ERROR;
     }
 
     /* Make sure to operate on the topmost channel */
@@ -1283,11 +1283,11 @@
 	 * Make sure to operate on the topmost channel
 	 */
 	chan = Tcl_GetTopChannel(chan);
 	if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
 	    Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
-		"\": not a TLS channel", NULL);
+		"\": not a TLS channel", (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char *) NULL);
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
 	ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
@@ -1551,11 +1551,11 @@
     /* Make sure to operate on the topmost channel */
     chan = Tcl_GetTopChannel(chan);
 
     if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
 	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
-		"\": not a TLS channel", NULL);
+		"\": not a TLS channel", (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "UNIMPORT", "CHANNEL", "INVALID", (char *) NULL);
 	return TCL_ERROR;
     }
 
     if (Tcl_UnstackChannel(interp, chan) == TCL_ERROR) {
@@ -1697,11 +1697,11 @@
 
     ERR_clear_error();
 
     ctx = SSL_CTX_new(method);
     if (!ctx) {
-	return(NULL);
+	return NULL;
     }
 
     if (getenv(SSLKEYLOGFILE)) {
 	SSL_CTX_set_keylog_callback(ctx, KeyLogCallback);
     }
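Review bot: `SSL_CTX_set_keylog_callback` is installed whenever the environment variable named by `SSLKEYLOGFILE` is set, and nothing in the visible lines restricts that to debug builds or documents it. The body of `KeyLogCallback` is outside the hunk, but a key-log callback receives the session secrets needed to decrypt captured traffic, so the environment of any long-running service using this library becomes part of its confidentiality boundary. A comment at the `getenv` check, e.g. `/* Debug aid: logs TLS secrets; SSLKEYLOGFILE must not be set in production */`, or a compile-time guard around the call, would make that exposure explicit.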
@@ -1763,10 +1763,12 @@
 #else
     {
 	DH* dh;
 	if (DHparams != NULL) {
 	    BIO *bio;
+
+	    Tcl_DStringInit(&ds);
 	    bio = BIO_new_file(F2N(DHparams, &ds), "r");
 	    if (!bio) {
 		Tcl_DStringFree(&ds);
 		Tcl_AppendResult(interp, "Could not find DH parameters file", (char *) NULL);
 		SSL_CTX_free(ctx);
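Review bot: The reason `ds` must now be initialised by hand before `F2N` is not stated anywhere, and the same `Tcl_DStringInit(&ds)` line is repeated in the certificate, private-key and CA hunks that follow. Presumably `F2N` leaves the `Tcl_DString` untouched for some inputs (its definition is outside the diff), which would make the later `Tcl_DStringFree(&ds)` act on uninitialised memory. A one-line comment at this first site, e.g. `/* F2N may not touch ds; init so the Free below is always valid */`, or folding the init into the macro, would keep a future call site from omitting it. The success path of this block, including its `Tcl_DStringFree`, lies outside the hunk.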
@@ -1798,10 +1800,11 @@
     /* set our certificate */
     load_private_key = 0;
     if (certfile != NULL) {
 	load_private_key = 1;
 
+	Tcl_DStringInit(&ds);
 	if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 	    Tcl_DStringFree(&ds);
 	    Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ",
 		GET_ERR_REASON(), (char *) NULL);
 	    SSL_CTX_free(ctx);
@@ -1841,10 +1844,11 @@
 	    /* get the private key associated with this certificate */
 	    if (keyfile == NULL) {
 		keyfile = certfile;
 	    }
 
+	    Tcl_DStringInit(&ds);
 	    if (SSL_CTX_use_PrivateKey_file(ctx, F2N(keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 		Tcl_DStringFree(&ds);
 		/* flush the passphrase which might be left in the result */
 		Tcl_SetResult(interp, NULL, TCL_STATIC);
 		Tcl_AppendResult(interp, "unable to set public key file ", keyfile, " ",
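Review bot: The error text on this failure path says `unable to set public key file` although the failing call is `SSL_CTX_use_PrivateKey_file`, which points whoever reads the message at the wrong file. Changing the literal to `"unable to set private key file "` fixes it; check first whether any test matches the old wording. In the visible lines the interpreter result is cleared with `Tcl_SetResult(interp, NULL, TCL_STATIC)` only on this failure branch, so it is worth confirming that the success path, which is outside the hunk, also drops a passphrase left in the result.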
@@ -1883,40 +1887,47 @@
     /* Overrides for the CA verify path and file */
     {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (CApath != NULL || CAfile != NULL) {
 	    Tcl_DString ds1;
+	    Tcl_DStringInit(&ds);
+	    Tcl_DStringInit(&ds1);
+
 	    if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) {
 		abort++;
 	    }
 	    Tcl_DStringFree(&ds);
 	    Tcl_DStringFree(&ds1);
 
 	    /* Set list of CAs to send to client when requesting a client certificate */
 	    /* https://sourceforge.net/p/tls/bugs/57/ */
 	    /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
+	    Tcl_DStringInit(&ds);
 	    STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
 	    if (certNames != NULL) {
 		SSL_CTX_set_client_CA_list(ctx, certNames);
 	    }
 	    Tcl_DStringFree(&ds);
 	}
 
 #else
 	if (CApath != NULL) {
+	    Tcl_DStringInit(&ds);
 	    if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) {
 		abort++;
 	    }
 	    Tcl_DStringFree(&ds);
 	}
 	if (CAfile != NULL) {
+	    Tcl_DStringInit(&ds);
 	    if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) {
 		abort++;
 	    }
 	    Tcl_DStringFree(&ds);
 
 	    /* Set list of CAs to send to client when requesting a client certificate */
+	    Tcl_DStringInit(&ds);
 	    STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
 	    if (certNames != NULL) {
 		SSL_CTX_set_client_CA_list(ctx, certNames);
 	    }
 	    Tcl_DStringFree(&ds);
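Review bot: In the pre-3.0 branch, `SSL_load_client_CA_file(F2N(CAfile, &ds))` runs whenever `CApath != NULL || CAfile != NULL`, so when only a CA directory is given it is called for a `CAfile` that is NULL; the 3.0 branch makes the same call only inside `if (CAfile != NULL)`. Wrapping the client-CA block of the older branch in the same `if (CAfile != NULL) { ... }` guard would make the two paths agree and keep a NULL file name away from the library. Separately, a failed `SSL_CTX_load_verify_locations`, `SSL_CTX_load_verify_dir` or `SSL_CTX_load_verify_file` only increments `abort`. What that counter triggers is outside the hunk, so confirm that a bad CA path fails context setup instead of letting it continue without the requested trust anchors.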
@@ -1959,21 +1970,21 @@
 	Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel");
 	return TCL_ERROR;
     }
 
     /* Get channel Id */
-    channelName = Tcl_GetStringFromObj(objv[(objc == 2 ? 1 : 2)], (Tcl_Size *) NULL);
+    channelName = Tcl_GetString(objv[(objc == 2 ? 1 : 2)]);
     chan = Tcl_GetChannel(interp, channelName, &mode);
     if (chan == (Tcl_Channel) NULL) {
 	return TCL_ERROR;
     }
 
     /* Make sure to operate on the topmost channel */
     chan = Tcl_GetTopChannel(chan);
     if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
 	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
-		"\": not a TLS channel", NULL);
+		"\": not a TLS channel", (char *) NULL);
 	Tcl_SetErrorCode(interp, "TLS", "STATUS", "CHANNEL", "INVALID", (char *) NULL);
 	return TCL_ERROR;
     }
     statePtr = (State *) Tcl_GetChannelInstanceData(chan);
 
@@ -2077,25 +2088,25 @@
     const EVP_MD *md;
     (void) clientData;
 
     if (objc != 2) {
 	Tcl_WrongNumArgs(interp, 1, objv, "channel");
-	return(TCL_ERROR);
+	return TCL_ERROR;
     }
 
-    chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], (Tcl_Size *) NULL), NULL);
+    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
     if (chan == (Tcl_Channel) NULL) {
-	return(TCL_ERROR);
+	return TCL_ERROR;
     }
 
     /* Make sure to operate on the topmost channel */
     chan = Tcl_GetTopChannel(chan);
     if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
 	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
-	    "\": not a TLS channel", NULL);
+	    "\": not a TLS channel", (char *) NULL);
 	Tcl_SetErrorCode(interp, "TLS", "CONNECTION", "CHANNEL", "INVALID", (char *) NULL);
-	return(TCL_ERROR);
+	return TCL_ERROR;
     }
 
     objPtr = Tcl_NewListObj(0, NULL);
 
     /* Connection info */
@@ -2446,11 +2457,11 @@
 		    Tcl_SetResult(interp,"Error generating certificate request",NULL);
 		    EVP_PKEY_free(pkey);
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 		    BN_free(bne);
 #endif
-		    return(TCL_ERROR);
+		    return TCL_ERROR;
 		}
 
 		X509_set_version(cert,2);
 		ASN1_INTEGER_set(X509_get_serialNumber(cert),serial);
 		X509_gmtime_adj(X509_getm_notBefore(cert),0);
@@ -2684,11 +2695,11 @@
  *
  *------------------------------------------------------*
  */
 DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp) {
     dprintf("Called");
-    return(Tls_Init(interp));
+    return Tls_Init(interp);
 }
 
 /*
  *------------------------------------------------------*
  *
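Review bot: `Tls_SafeInit` gives a safe interpreter the same initialisation as a trusted one by calling `Tls_Init` directly, and no comment says that this is intended. If `Tls_Init` registers the commands that take file paths (the option table earlier in this file lists `-cafile`, `-certfile`, `-keyfile` and `-dhparams`), sandboxed scripts could make the extension open files the safe interpreter would otherwise deny. Either document why that is acceptable, e.g. `/* NOTE: exposes the full command set to safe interps */`, or register a reduced set here. `Tls_Init` itself is outside the hunk.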
@@ -2715,11 +2726,11 @@
 
     if (uninitialize) {
 	if (!initialized) {
 	    dprintf("Asked to uninitialize, but we are not initialized");
 
-	    return(TCL_OK);
+	    return TCL_OK;
 	}
 
 	dprintf("Asked to uninitialize");
 
 #if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
@@ -2735,16 +2746,16 @@
 
 #if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
 	Tcl_MutexUnlock(&init_mx);
 #endif
 
-	return(TCL_OK);
+	return TCL_OK;
     }
 
     if (initialized) {
 	dprintf("Called, but using cached value");
-	return(status);
+	return status;
     }
 
     dprintf("Called");
 
 #if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
@@ -2792,7 +2803,7 @@
 
 #if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
     Tcl_MutexUnlock(&init_mx);
 #endif
 
-    return(status);
+    return status;
 }

Index: generic/tlsBIO.c
==================================================================
--- generic/tlsBIO.c
+++ generic/tlsBIO.c
@@ -54,11 +54,11 @@
 	    dprintf("Setting should retry read flag");
 
 	    BIO_set_retry_read(bio);
 	}
     }
-    return((int) ret);
+    return (int) ret;
 }
 
 /* Called by SSL_read()*/
 static int BioRead(BIO *bio, char *buf, int bufLen) {
     Tcl_Channel chan;
@@ -115,17 +115,17 @@
     }
 
     dprintf("BioRead(%p, <buf>, %d) [%p] returning %" TCL_SIZE_MODIFIER "d", (void *) bio,
 	bufLen, (void *) chan, ret);
 
-    return((int) ret);
+    return (int) ret;
 }
 
 static int BioPuts(BIO *bio, const char *str) {
     dprintf("BioPuts(%p, <string:%p>) called", bio, str);
 
-    return(BioWrite(bio, str, (int) strlen(str)));
+    return BioWrite(bio, str, (int) strlen(str));
 }
 
 static long BioCtrl(BIO *bio, int cmd, long num, void *ptr) {
     Tcl_Channel chan;
     long ret = 1;
@@ -135,11 +135,10 @@
     dprintf("BioCtrl(%p, 0x%x, 0x%lx, %p)", (void *) bio, cmd, num, ptr);
 
     switch (cmd) {
 	case BIO_CTRL_RESET:
 		dprintf("Got BIO_CTRL_RESET");
-		num = 0;
 		ret = 0;
 		break;
 	case BIO_C_FILE_SEEK:
 		dprintf("Got BIO_C_FILE_SEEK");
 		ret = 0;
@@ -220,25 +219,25 @@
 	default:
 		dprintf("Got unknown control command (%i)", cmd);
 		ret = 0;
 		break;
     }
-    return(ret);
+    return ret;
 }
 
 static int BioNew(BIO *bio) {
     dprintf("BioNew(%p) called", bio);
 
     BIO_set_init(bio, 0);
     BIO_set_data(bio, NULL);
     BIO_clear_flags(bio, -1);
-    return(1);
+    return 1;
 }
 
 static int BioFree(BIO *bio) {
     if (bio == NULL) {
-	return(0);
+	return 0;
     }
 
     dprintf("BioFree(%p) called", bio);
 
     if (BIO_get_shutdown(bio)) {
@@ -248,11 +247,11 @@
 	}
 
 	BIO_set_init(bio, 0);
 	BIO_clear_flags(bio, -1);
     }
-    return(1);
+    return 1;
 }
 
 BIO *BIO_new_tcl(State *statePtr, int flags) {
     BIO *bio;
     static BIO_METHOD *BioMethods = NULL;
@@ -278,11 +277,11 @@
     }
 
     if (statePtr == NULL) {
 	dprintf("Asked to setup a NULL state, just creating the initial configuration");
 
-	return(NULL);
+	return NULL;
     }
 
 #ifdef TCLTLS_SSL_USE_FASTPATH
     /*
      * If the channel can be mapped back to a file descriptor, just use the file descriptor
@@ -309,17 +308,17 @@
 
     if (validParentChannelFd) {
 	dprintf("We found a shortcut, this channel is backed by a socket: %i", parentChannelFdIn);
 	bio = BIO_new_socket(parentChannelFd, flags);
 	statePtr->flags |= TLS_TCL_FASTPATH;
-	return(bio);
+	return bio;
     }
 
     dprintf("Falling back to Tcl I/O for this channel");
 #endif
 
     bio = BIO_new(BioMethods);
     BIO_set_data(bio, statePtr);
     BIO_set_shutdown(bio, flags);
     BIO_set_init(bio, 1);
-    return(bio);
+    return bio;
 }
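Review bot: Neither `BIO_new_socket` nor `BIO_new` is checked for failure in the tail of `BIO_new_tcl`. On the fallback path a NULL from `BIO_new(BioMethods)` goes straight into `BIO_set_data`, `BIO_set_shutdown` and `BIO_set_init`, and on the fast path `TLS_TCL_FASTPATH` is set in `statePtr->flags` even when no BIO was created. Adding `if (bio == NULL) { return NULL; }` after `BIO_new`, and setting the flag only when `BIO_new_socket` succeeded, would keep an allocation failure from becoming a NULL dereference; the callers are outside the hunk and would need to handle the NULL return. The function starts above the hunk.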

Index: generic/tlsIO.c
==================================================================
--- generic/tlsIO.c
+++ generic/tlsIO.c
@@ -47,11 +47,11 @@
     if (mode == TCL_MODE_NONBLOCKING) {
 	statePtr->flags |= TLS_TCL_ASYNC;
     } else {
 	statePtr->flags &= ~(TLS_TCL_ASYNC);
     }
-    return(0);
+    return 0;
 }
 
 /*
  *-------------------------------------------------------------------
  *
@@ -76,11 +76,11 @@
 
     dprintf("TlsCloseProc(%p)", (void *) statePtr);
 
     Tls_Clean(statePtr);
     Tcl_EventuallyFree((ClientData)statePtr, Tls_Free);
-    return(0);
+    return 0;
 }
 
 static int TlsClose2Proc(ClientData instanceData,    /* The socket state. */
     Tcl_Interp *interp,		/* For errors - can be NULL. */
     int flags)			/* Flags to close read and/or write side of channel */
@@ -117,11 +117,11 @@
     dprintf("WaitForConnect(%p)", (void *) statePtr);
     dprintFlags(statePtr);
 
     if (!(statePtr->flags & TLS_TCL_INIT)) {
 	dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success");
-	return(0);
+	return 0;
     }
 
     if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
 	/*
 	 * Different types of operations have different requirements
@@ -133,11 +133,11 @@
 	} else {
 	    dprintf("Asked to wait for a TLS handshake that has already failed.  Returning soft error");
 	    *errorCodePtr = ECONNRESET;
 	}
 	Tls_Error(statePtr, "Wait for failed handshake");
-	return(-1);
+	return -1;
     }
 
     for (;;) {
 	ERR_clear_error();
 
@@ -188,11 +188,11 @@
 
 	    if (statePtr->flags & TLS_TCL_ASYNC) {
 		dprintf("Returning EAGAIN so that it can be retried later");
 		*errorCodePtr = EAGAIN;
 		Tls_Error(statePtr, "Handshake not complete, will retry later");
-		return(-1);
+		return -1;
 	    } else {
 		dprintf("Doing so now");
 		continue;
 	    }
 	}
@@ -211,11 +211,11 @@
 	case SSL_ERROR_ZERO_RETURN:
 	    /* The TLS/SSL peer has closed the connection for writing by sending the close_notify alert */
 	    dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...");
 	    *errorCodePtr = EINVAL;
 	    Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert");
-	    return(-1);
+	    return -1;
 
 	case SSL_ERROR_SYSCALL:
 	    /* Some non-recoverable, fatal I/O error occurred */
 	    dprintf("SSL_ERROR_SYSCALL");
 	    if (backingError == 0 && err == 0) {
@@ -239,11 +239,11 @@
 		}
 		Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
 	    }
 
 	    statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
-	    return(-1);
+	    return -1;
 
 	case SSL_ERROR_SSL:
 	    /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
 	    dprintf("SSL_ERROR_SSL: Got permanent fatal SSL error, aborting immediately");
 	    if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) {
@@ -252,11 +252,11 @@
 	    if (backingError != 0) {
 		Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
 	    }
 	    statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
 	    *errorCodePtr = ECONNABORTED;
-	    return(-1);
+	    return -1;
 
 	case SSL_ERROR_WANT_READ:
 	case SSL_ERROR_WANT_WRITE:
 	case SSL_ERROR_WANT_X509_LOOKUP:
 	case SSL_ERROR_WANT_CONNECT:
@@ -268,19 +268,19 @@
 	    /* The operation did not complete and should be retried later. */
 	    dprintf("Operation did not complete, call function again later: %i", rc);
 	    *errorCodePtr = EAGAIN;
 	    dprintf("ERR(%d, %d) ", rc, *errorCodePtr);
 	    Tls_Error(statePtr, "Operation did not complete, call function again later");
-	    return(-1);
+	    return -1;
     }
 
     dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake");
     statePtr->flags &= ~TLS_TCL_INIT;
 
     dprintf("Returning in success");
     *errorCodePtr = 0;
-    return(0);
+    return 0;
 }
 
 /*
  *-------------------------------------------------------------------
  *
@@ -310,11 +310,11 @@
     dprintf("BIO_read(%d)", bufSize);
 
     if (statePtr->flags & TLS_TCL_CALLBACK) {
 	/* don't process any bytes while verify callback is running */
 	dprintf("Callback is running, reading 0 bytes");
-	return(0);
+	return 0;
     }
 
     dprintf("Calling Tls_WaitForConnect");
     tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0);
     if (tlsConnect < 0) {
@@ -326,11 +326,11 @@
 	    dprintf("Got connection reset");
 	    /* Soft EOF */
 	    *errorCodePtr = 0;
 	    bytesRead = 0;
 	}
-	return(bytesRead);
+	return bytesRead;
     }
 
     /*
      * We need to clear the SSL error stack now because we sometimes reach
      * this function with leftover errors in the stack.  If BIO_read
@@ -431,11 +431,11 @@
 	    Tls_Error(statePtr, "Unknown error");
 	    break;
     }
 
     dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr);
-    return(bytesRead);
+    return bytesRead;
 }
 
 /*
  *-------------------------------------------------------------------
  *
@@ -466,11 +466,11 @@
 
     if (statePtr->flags & TLS_TCL_CALLBACK) {
 	dprintf("Don't process output while callbacks are running");
 	written = -1;
 	*errorCodePtr = EAGAIN;
-	return(-1);
+	return -1;
     }
 
     dprintf("Calling Tls_WaitForConnect");
     tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1);
     if (tlsConnect < 0) {
@@ -482,11 +482,11 @@
 	    dprintf("Got connection reset");
 	    /* Soft EOF */
 	    *errorCodePtr = 0;
 	    written = 0;
 	}
-	return(written);
+	return written;
     }
 
     if (toWrite == 0) {
 	dprintf("zero-write");
 	err = BIO_flush(statePtr->bio);
@@ -495,16 +495,16 @@
 	    dprintf("Flushing failed");
 	    Tls_Error(statePtr, "Flush failed");
 
 	    *errorCodePtr = EIO;
 	    written = 0;
-	    return(-1);
+	    return -1;
 	}
 
 	written = 0;
 	*errorCodePtr = 0;
-	return(0);
+	return 0;
     }
 
     /*
      * We need to clear the SSL error stack now because we sometimes reach
      * this function with leftover errors in the stack.  If BIO_write
@@ -595,11 +595,11 @@
 	    Tls_Error(statePtr, "Unknown error");
 	    break;
     }
 
     dprintf("Output(%d) -> %d", toWrite, written);
-    return(written);
+    return written;
 }
 
 /*
  *-------------------------------------------------------------------
  *
@@ -790,11 +790,11 @@
     int direction,		/* TCL_READABLE or TCL_WRITABLE */
     ClientData *handlePtr)	/* Handle associated with the channel */
 {
     State *statePtr = (State *) instanceData;
 
-    return(Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr));
+    return Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr);
 }
 
 /*
  *-------------------------------------------------------------------
  *
@@ -853,11 +853,11 @@
 	dprintf("Tls_WaitForConnect returned an error");
     }
 
     dprintf("Returning %i", mask);
 
-    return(mask);
+    return mask;
 }
 
 /*
  *------------------------------------------------------*
  *
@@ -907,13 +907,13 @@
 Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags) {
     dprintf("Requested to get parent of channel %p", statePtr->self);
 
     if ((statePtr->flags & ~maskFlags) & TLS_TCL_FASTPATH) {
 	dprintf("Asked to get the parent channel while we are using FastPath -- returning NULL");
-	return(NULL);
+	return NULL;
     }
-    return(Tcl_GetStackedChannel(statePtr->self));
+    return Tcl_GetStackedChannel(statePtr->self);
 }
 
 /*
  *-------------------------------------------------------------------
  *

Index: pkgIndex.tcl.in
==================================================================
--- pkgIndex.tcl.in
+++ pkgIndex.tcl.in
@@ -9,13 +9,15 @@
 	source -encoding utf-8 $initScript
     }
 } else {
     if {![package vsatisfies [package provide Tcl] 8.5]} {return}
     package ifneeded @PACKAGE_NAME@ @PACKAGE_VERSION@ [list apply {{dir} {
-	if {[string tolower [file extension @PKG_LIB_FILE8@]] in [list ".dll" ".so"]} {
+	if {[string tolower [file extension @PKG_LIB_FILE8@]] in [list .dll .dylib .so]} {
+	    # Load dynamic library
 	    load [file join $dir @PKG_LIB_FILE8@] [string totitle @PACKAGE_NAME@]
 	} else {
+	    # Static library
 	    load {} [string totitle @PACKAGE_NAME@]
 	}
 	set initScript [file join $dir @PACKAGE_NAME@.tcl]
 	if {[file exists $initScript]} {
 	    source -encoding utf-8 $initScript

Index: win/README.txt
==================================================================
--- win/README.txt
+++ win/README.txt
@@ -32,46 +32,56 @@
 (1c) Install NASM Assembler from https://www.nasm.us/
 
   https://www.nasm.us/pub/nasm/releasebuilds/2.16.01/win64/nasm-2.16.01-installer-x64.exe
   Install to: C:\Program Files\NASM
 
-(1d) Configure
+(1d) Configure Open SSL 1.1.1
 
-  At Visual Studio x86 native prompt:
+  At Visual Studio x64 native prompt:
 
   set Path=%PATH%;C:\Program Files\NASM;C:\Strawberry\perl\bin
   perl ..\Configure VC-WIN64A no-shared no-filenames threads no-ssl2 no-ssl3 --api=1.1.0 --prefix="%SSLINSTALL%" --openssldir="%SSLCOMMON%" -DOPENSSL_NO_DEPRECATED
   # Not used options: no-asm no-zlib no-comp no-ui-console no-autoload-config
 
-(1e) Build OpenSSL
+(1e) Configure Open SSL 3.0+
+
+  At Visual Studio x64 native prompt:
+
+  set Path=%PATH%;C:\Program Files\NASM;C:\Strawberry\perl\bin
+  perl ..\Configure VC-WIN64A no-shared no-filenames threads no-ssl2 no-ssl3 --prefix="%SSLINSTALL%" --openssldir="%SSLCOMMON%"
+  # Not used options: no-asm no-zlib no-comp no-ui-console no-autoload-config
+
+(1f) Build OpenSSL
 
   nmake
   nmake test
   nmake install
 
 -----------------------------
 
 2) Build TclTLS
 
-set BUILDDIR=\path\to\build\dir
-set TCLINSTALL=\path\to\tcl\dir
+  set BUILDDIR=\path\to\build\dir
+  set TCLINSTALL=\path\to\tcl\dir
 
 2a) Unzip distribution to %BUILDDIR%
 
 2b) Start BASH shell (MinGW62 Git shell)
 
-cd %BUILDDIR%
-od -A n -v -t xC < 'library/tls.tcl' > tls.tcl.h.new.1
-sed 's@[^0-9A-Fa-f]@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > generic/tls.tcl.h
-rm -f tls.tcl.h.new.1
+  cd %BUILDDIR%
+  od -A n -v -t xC < 'library/tls.tcl' > tls.tcl.h.new.1
+  sed 's@[^0-9A-Fa-f]@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > generic/tls.tcl.h
+  rm -f tls.tcl.h.new.1
 
 2c) Start Visual Studio shell
 
-cd %BUILDDIR%\win
+  At Visual Studio x64 native prompt:
+
+  cd %BUILDDIR%\win
 
-nmake -f makefile.vc TCLDIR=%TCLINSTALL% SSL_INSTALL_FOLDER=%SSLINSTALL%
-nmake -f makefile.vc install TCLDIR=c:\test\tcl8610 INSTALLDIR=%TCLINSTALL% SSL_INSTALL_FOLDER=%SSLINSTALL%
+  nmake -f makefile.vc TCLDIR=%TCLINSTALL% SSL_INSTALL_FOLDER=%SSLINSTALL%
+  nmake -f makefile.vc install TCLDIR=c:\test\tcl8610 INSTALLDIR=%TCLINSTALL% SSL_INSTALL_FOLDER=%SSLINSTALL%
 
 -----------------------------
 
 3) Test
 

Index: win/makefile.vc
==================================================================
--- win/makefile.vc
+++ win/makefile.vc
@@ -74,8 +74,14 @@
 # The default install target only installs binaries and scripts so add
 # an additional target for our documentation. Note this *adds* a target
 # since no commands are listed after it. The original targets for
 # install (from targets.vc) will remain.
 install: default-pkgindex-tea default-install default-install-docs-html
+    if exist "$(SSL_INSTALL_FOLDER)\bin\libcrypto-*-x64.dll" (
+        xcopy /c /y "$(SSL_INSTALL_FOLDER)\bin\libcrypto-*-x64.dll" "$(PRJ_INSTALL_DIR)"
+    )
+    if exist "$(SSL_INSTALL_FOLDER)\bin\libssl-*-x64.dll" (
+        xcopy /c /y "$(SSL_INSTALL_FOLDER)\bin\libssl-*-x64.dll" "$(PRJ_INSTALL_DIR)"
+    )
 
 # Test package
 test: default-test
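Review bot: The comment directly above says this `install:` line only adds prerequisites "since no commands are listed after it", which stops being true once the `xcopy` commands are attached, so confirm that the install commands from targets.vc still run. nmake also normally passes each command line to the shell on its own, so the three-line parenthesised `if exist ( ... )` may not be parsed as one statement; a single-line form such as `if exist "..." xcopy /c /y "..." "$(PRJ_INSTALL_DIR)"` avoids the question. Copying `libcrypto-*-x64.dll` and `libssl-*-x64.dll` next to the package means the installed extension keeps loading that private OpenSSL copy, so it has to be refreshed whenever OpenSSL is patched. The `-x64` pattern skips other architectures without notice, and `/c` lets copy errors pass unreported.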