While TclHttpd can support SSL, you will need to add a number of
software components to complete your SSL server.

At the base is either RSAREF or OpenSSL.  Within the United States there are
patent restrictions that limit you to using RSAREF from RSA Inc.  Actually,
you can also build OpenSSL with a "no patents" option.  Both of these packages
create a crypto library with the same interface.
	http://www.rsa.com
	http://www.openssl.org

Next comes the "TLS" Tcl extension, which uses the crypto library.
The development home page for TLS is
        http://sourceforge.net/projects/tls/
I have used the 1.4.1 version for a number of years, although
there is a recent 1.5.0 version.  At SourceForge there are
binary releases for Linux and Solaris that save you the chore
of building OpenSSL.

If you can run tclsh and
        package require tls
then you are almost ready to go.

Finally you need keys and certificates for your server.  OpenSSL comes with
a command-line utility called "openssl" that you can use to generate keys
and certificates.  The RSFREF utility is "sslc", but provides essentially
the same features.  The general process is that you generate a public-private
key pair (using the "genrsa" command for sslc or openssl)
    sslc genrsa -out skey.pem
Next you create a certificate request
    sslc req -config /path/to/ssl.cnf -new -nodex -out ./server.pem -key ./skey.pem
and send this to a certificate authority for signing. 
One example Certificate Authority is
    http://www.verisign.com

Once you get the signed certificate back, edit the tclhttpd.rc file so they
accurately record the location of your keyfile and certificate.
The server should then be able to listen for SSL connections on the https port.

You can also bootstrap yourself into your own CA by following the steps
outlined below.  This lets you sign your own certificate requests to
make valid certificates, but browsers will prompt users to validate the
key when they visit your site.

You'll need the "openssl" command line utility that's
built when you build openssl.  Here is what I did with
openssl-0.9.7d

0. Build and install openssl.  It installs into /usr/local/ssl
   I left the openssl.cnf file unchanged, and created a sub-directory
   to hold all the CA (certificate authority) stuff, as
   /usr/local/ssl/demoCA.

1. Use the "misc/CA.sh" script as a front-end for the "openssl ca"
   command, which needs to be set up correctly.
   First, we initialize the CA:
   misc/CA.sh -newca

  The -newca script does two things, approximately:
  (If you ran misc/CA.sh -newca, then you don't need to do 1(a, b, c)
  1(a). generate a private key for your test CA
     cd /usr/local/ssl
     bin/openssl genrsa -out demoCA/private/cakey.pem

  1(b). build a certificate request
     bin/openssl req -x509 -nodes -out demoCA/cacert.pem -key demoCA/private/cakey.pem -new

  1(c). create a serial, index.txt, and other empty directories expected
    by the ca subcommand of openssl


  You've now got a CA certificate "cacert.pem".
  It's "self-signed".
  Its private key is "private/cakey.pem".

We'll now make a server key, certificate request,
and we'll use the CA cert we just made to sign it
and generate our final certificate. (I couldn't get the
CA.sh front-end to work for me in this case, so I did
the following commands directly.)

2. generate a server key
   bin/openssl genrsa -out key1.pem

3. generate a certificate request
   bin/openssl req -nodes -out req.pem -key key1.pem -new

4. generate the server certificate
   bin/openssl ca -keyfile demoCA/private/cakey.pem \
        -cert demoCA/cacert.pem -in req.pem

Because I didn't use "-out", the cert was generated into
demoCA/newcerts as 01.pem (or 02.pem, ...)

You've now got a server certificate "demoCA/newcerts/01.pem".
Its private key is key1.pem.
It's signed by your own CA.

You can make any number of certs by repeating steps
two through four again with different file names.

To set up tclhttpd, copy the key and the cert into the
tclhttpd/certs subdirectory.  E.g., 
cd /usr/local/tclhttpd-3.5.1/
mkdir certs
cp /usr/local/ssl/key1.pem certs/skey.pem
cp /usr/local/ssl/demoCA/newcerts/02.pem certs/server.pem

It appears that the default location for the certs directory
is a "bin/certs", a subdirectory of the bin directory.  If
you want to change that, edit bin/tclhttpd.rc and fix
the SSL_CADIR setting.
