Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -1475,20 +1475,20 @@
     }
 
     /* Set host server name */
     if (servername) {
 	/* Sets the server name indication (SNI) in ClientHello extension */
-	/* Per RFC 6066, hostname is a ASCII encoded string. */
+	/* Per RFC 6066, hostname is a ASCII encoded string, though RFC 4366 says UTF-8. */
 	if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) {
 	    Tcl_AppendResult(interp, "setting TLS host name extension failed", (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SNI", "FAILED", (char *) NULL);
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
 
-	/* Configure server host name checks in the SSL client. Set DNS hostname to
-	   name for peer certificate checks. SSL_set1_host has limitations. */
+	/* Set hostname for peer certificate hostname verification in clients.
+	   Don't use SSL_set1_host since it has limitations. */
 	if (!SSL_add1_host(statePtr->ssl, servername)) {
 	    Tcl_AppendResult(interp, "setting DNS host name failed", (char *) NULL);
 	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "HOSTNAME", "FAILED", (char *) NULL);
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
@@ -1504,10 +1504,12 @@
             Tls_Free((char *) statePtr);
             return TCL_ERROR;
 	}
     }
 
+    /* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0,
+	http/1.1, h2, h3, ftp, imap, pop3, xmpp-client, xmpp-server, mqtt, irc, etc. */
     if (alpn) {
 	/* Convert a TCL list into a protocol-list in wire-format */
 	unsigned char *protos, *p;
 	unsigned int protos_len = 0;
 	int i, len, cnt;
@@ -1592,14 +1594,17 @@
 	}
 
 	/* Enable server to send cert request after handshake (TLS 1.3 only) */
 	/* A write operation must take place for the Certificate Request to be
 	   sent to the client, this can be done with SSL_do_handshake(). */
-	if (request && post_handshake) {
+	if (request && post_handshake && tls1_3) {
 	    SSL_verify_client_post_handshake(statePtr->ssl);
 	}
 
+	/* set automatic curve selection */
+	SSL_set_ecdh_auto(statePtr->ssl, 1);
+
 	/* Set server mode */
 	statePtr->flags |= TLS_TCL_SERVER;
 	SSL_set_accept_state(statePtr->ssl);
     } else {
 	/* Client callbacks */
@@ -1837,10 +1842,11 @@
 	SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
     SSL_CTX_set_app_data(ctx, (void*)interp);	/* remember the interpreter */
     SSL_CTX_set_options(ctx, SSL_OP_ALL);	/* all SSL bug workarounds */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);	/* disable compression even if supported */
     SSL_CTX_set_options(ctx, off);		/* disable protocol versions */
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
     SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);	/* handle new handshakes in background. On by default in OpenSSL 1.1.1. */
 #endif
     SSL_CTX_sess_set_cache_size(ctx, 128);