Index: Makefile.in
==================================================================
--- Makefile.in
+++ Makefile.in
@@ -22,10 +22,12 @@
 	mv @TCLEXT_BUILD@-@EXTENSION_TARGET@ @EXTENSION_TARGET@
 
 # The shared object target
 shared-@EXTENSION_TARGET@: tls.o tlsBIO.o tlsIO.o tlsX509.o Makefile
 	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o shared-@EXTENSION_TARGET@ tls.o tlsBIO.o tlsIO.o tlsX509.o $(LIBS)
+	-@WEAKENSYMS@ shared-@EXTENSION_TARGET@
+	-@REMOVESYMS@ shared-@EXTENSION_TARGET@
 
 # The static target
 static-@EXTENSION_TARGET@: tls.o tlsBIO.o tlsIO.o tlsX509.o Makefile
 	$(AR) rcu static-@EXTENSION_TARGET@ tls.o tlsBIO.o tlsIO.o tlsX509.o
 	-$(RANLIB) static-@EXTENSION_TARGET@

Index: aclocal/ax_check_compile_flag.m4
==================================================================
--- aclocal/ax_check_compile_flag.m4
+++ aclocal/ax_check_compile_flag.m4
@@ -1,7 +1,7 @@
 # ===========================================================================
-#   http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+#  https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
 # ===========================================================================
 #
 # SYNOPSIS
 #
 #   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
@@ -27,37 +27,16 @@
 # LICENSE
 #
 #   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
 #   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
 #
-#   This program is free software: you can redistribute it and/or modify it
-#   under the terms of the GNU General Public License as published by the
-#   Free Software Foundation, either version 3 of the License, or (at your
-#   option) any later version.
-#
-#   This program is distributed in the hope that it will be useful, but
-#   WITHOUT ANY WARRANTY; without even the implied warranty of
-#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-#   Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License along
-#   with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-#   As a special exception, the respective Autoconf Macro's copyright owner
-#   gives unlimited permission to copy, distribute and modify the configure
-#   scripts that are the output of Autoconf when processing the Macro. You
-#   need not follow the terms of the GNU General Public License when using
-#   or distributing such scripts, even though portions of the text of the
-#   Macro appear in them. The GNU General Public License (GPL) does govern
-#   all other use of the material that constitutes the Autoconf Macro.
-#
-#   This special exception to the GPL applies to versions of the Autoconf
-#   Macro released by the Autoconf Archive. When you make and distribute a
-#   modified version of the Autoconf Macro, you may extend this special
-#   exception to the GPL to apply to your modified version as well.
-
-#serial 4
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
+
+#serial 6
 
 AC_DEFUN([AX_CHECK_COMPILE_FLAG],
 [AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
 AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
 AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [

Index: aclocal/shobj.m4
==================================================================
--- aclocal/shobj.m4
+++ aclocal/shobj.m4
@@ -112,22 +112,24 @@
 		])
 
 		LDFLAGS="$OLD_LDFLAGS"
 		unset OLD_LDFLAGS
 
-		ADDLDFLAGS=""
-		for opt in $LDFLAGS $LIBS; do
-			if echo "$opt" | grep '^-L' >/dev/null; then
-				rpathdir="`echo "$opt" | sed 's@^-L *@@'`"
-				ADDLDFLAGS="$ADDLDFLAGS $rsk_cv_link_set_rpath -Wl,$rpathdir"
-			fi
-		done
-		unset opt
-
-		LDFLAGS="$LDFLAGS $ADDLDFLAGS"
-
-		unset ADDLDFLAGS
+		if test -n "$rsk_cv_link_set_rpath"; then
+			ADDLDFLAGS=""
+			for opt in $LDFLAGS $LIBS; do
+				if echo "$opt" | grep '^-L' >/dev/null; then
+					rpathdir="`echo "$opt" | sed 's@^-L *@@'`"
+					ADDLDFLAGS="$ADDLDFLAGS $rsk_cv_link_set_rpath -Wl,$rpathdir"
+				fi
+			done
+			unset opt
+
+			LDFLAGS="$LDFLAGS $ADDLDFLAGS"
+
+			unset ADDLDFLAGS
+		fi
 	fi
 ])
 
 AC_DEFUN([DC_CHK_OS_INFO], [
 	AC_CANONICAL_HOST
@@ -162,11 +164,10 @@
 						;;
 				esac
 				;;
 			mingw32|mingw32msvc*)
 				SHOBJEXT="dll"
-				AREXT='lib'
 				CFLAGS="$CFLAGS -mms-bitfields"
 				CPPFLAGS="$CPPFLAGS -mms-bitfields"
 				SHOBJCPPFLAGS="-DPIC"
 				SHOBJLDFLAGS='-shared -Wl,--dll -Wl,--enable-auto-image-base -Wl,--output-def,$[@].def,--out-implib,$[@].a'
 				;;

Index: aclocal/tcltls_openssl.m4
==================================================================
--- aclocal/tcltls_openssl.m4
+++ aclocal/tcltls_openssl.m4
@@ -117,12 +117,12 @@
 	fi
 	PKG_CONFIG_PATH="${PKG_CONFIG_PATH_SAVE}"
 
 	if test "$TCLEXT_BUILD" = "static"; then
 		dnl If we are doing a static build, save the linker flags for other programs to consume
-		rm -f tcltls.a.linkadd
-		AS_ECHO(["$TCLTLS_SSL_LIBS"]) > tcltls.a.linkadd
+		rm -f tcltls.${AREXT}.linkadd
+		AS_ECHO(["$TCLTLS_SSL_LIBS"]) > tcltls.${AREXT}.linkadd
 	fi
 
 	dnl If we have been asked to statically link to the SSL library, specifically tell the linker to do so
 	if test "$TCLEXT_TLS_STATIC_SSL" = 'yes'; then
 		dnl Don't bother doing this if we aren't actually doing the runtime linking

Index: configure.ac
==================================================================
--- configure.ac
+++ configure.ac
@@ -1,7 +1,7 @@
 dnl Define ourselves
-AC_INIT(tcltls, 1.7.18)
+AC_INIT(tcltls, 1.7.19)
 
 dnl Checks for programs.
 AC_PROG_CC
 AC_PROG_MAKE_SET
 AC_PROG_INSTALL
@@ -179,13 +179,29 @@
 	CFLAGS="$CFLAGS -W"
 	AX_CHECK_COMPILE_FLAG([-Wno-self-assign], [CFLAGS="$CFLAGS -Wno-self-assign"])
 ])
 
 dnl Enable hardening
-AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [CFLAGS="$CFLAGS -fstack-protector-all"])
-AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CFLAGS="$CFLAGS -fno-strict-overflow"])
-AC_DEFINE([_FORTIFY_SOURCE], [2], [Enable fortification])
+tcltls_enable_hardening='auto'
+AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable hardening attempts]), [
+	tcltls_enable_hardening="$enableval"
+])
+if test "$tcltls_enable_hardening" = 'auto'; then
+	tcltls_enable_hardening='true'
+	if test "$TCLEXT_BUILD" = 'static'; then
+		tcltls_enable_hardening='false'
+	fi
+elif test "$tcltls_enable_hardening" = 'yes'; then
+	tcltls_enable_hardening='true'
+else
+	tcltls_enable_hardening='false'
+fi
+if test "$tcltls_enable_hardening" = 'true'; then
+	AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [CFLAGS="$CFLAGS -fstack-protector-all"])
+	AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CFLAGS="$CFLAGS -fno-strict-overflow"])
+	AC_DEFINE([_FORTIFY_SOURCE], [2], [Enable fortification])
+fi
 
 dnl XXX:TODO: Automatically determine the SSL library to use
 dnl           defaulting to OpenSSL for compatibility reasons
 if test "$tcltls_ssl_lib" = 'auto'; then
 	tcltls_ssl_lib='openssl'
@@ -226,8 +242,15 @@
 		DC_SYNC_RPATH([no])
 	else
 		DC_SYNC_RPATH([yes])
 	fi
 fi
+
+dnl Enable a stable ABI
+DC_SETUP_STABLE_API([${srcdir}/tcltls.vers], tcltls.syms)
+if test "$tcltls_debug" = 'true'; then
+	WEAKENSYMS=':'
+	REMOVESYMS=':'
+fi
 
 dnl Produce output
-AC_OUTPUT(Makefile pkgIndex.tcl)
+AC_OUTPUT(Makefile pkgIndex.tcl tcltls.syms)

ADDED   tcltls.syms.in
Index: tcltls.syms.in
==================================================================
--- /dev/null
+++ tcltls.syms.in
@@ -0,0 +1,1 @@
+@SYMPREFIX@Tls_Init

ADDED   tcltls.vers
Index: tcltls.vers
==================================================================
--- /dev/null
+++ tcltls.vers
@@ -0,0 +1,6 @@
+{
+	global:
+		Tls_Init;
+	local:
+		*;
+};