While TclHttpd can support SSL, you will need to add a number of software components to complete your SSL server. At the base is either RSAREF or OpenSSL. Within the United States there are patent restrictions that limit you to using RSAREF from RSA Inc. Actually, you can also build OpenSSL with a "no patents" option. Both of these packages create a crypto library with the same interface. http://www.rsa.com http://www.openssl.org Next comes the "TLS" Tcl extension, which uses the crypto library. The development home page for TLS is http://sourceforge.net/projects/tls/ I have used the 1.4.1 version for a number of years, although there is a recent 1.5.0 version. At SourceForge there are binary releases for Linux and Solaris that save you the chore of building OpenSSL. If you can run tclsh and package require tls then you are almost ready to go. Finally you need keys and certificates for your server. OpenSSL comes with a command-line utility called "openssl" that you can use to generate keys and certificates. The RSFREF utility is "sslc", but provides essentially the same features. The general process is that you generate a public-private key pair (using the "genrsa" command for sslc or openssl) sslc genrsa -out skey.pem Next you create a certificate request sslc req -config /path/to/ssl.cnf -new -nodex -out ./server.pem -key ./skey.pem and send this to a certificate authority for signing. One example Certificate Authority is http://www.verisign.com Once you get the signed certificate back, edit the tclhttpd.rc file so they accurately record the location of your keyfile and certificate. The server should then be able to listen for SSL connections on the https port. You can also bootstrap yourself into your own CA by following the steps outlined below. This lets you sign your own certificate requests to make valid certificates, but browsers will prompt users to validate the key when they visit your site. You'll need the "openssl" command line utility that's built when you build openssl. Here is what I did with openssl-0.9.7d 0. Build and install openssl. It installs into /usr/local/ssl I left the openssl.cnf file unchanged, and created a sub-directory to hold all the CA (certificate authority) stuff, as /usr/local/ssl/demoCA. 1. Use the "misc/CA.sh" script as a front-end for the "openssl ca" command, which needs to be set up correctly. First, we initialize the CA: misc/CA.sh -newca The -newca script does two things, approximately: (If you ran misc/CA.sh -newca, then you don't need to do 1(a, b, c) 1(a). generate a private key for your test CA cd /usr/local/ssl bin/openssl genrsa -out demoCA/private/cakey.pem 1(b). build a certificate request bin/openssl req -x509 -nodes -out demoCA/cacert.pem -key demoCA/private/cakey.pem -new 1(c). create a serial, index.txt, and other empty directories expected by the ca subcommand of openssl You've now got a CA certificate "cacert.pem". It's "self-signed". Its private key is "private/cakey.pem". We'll now make a server key, certificate request, and we'll use the CA cert we just made to sign it and generate our final certificate. (I couldn't get the CA.sh front-end to work for me in this case, so I did the following commands directly.) 2. generate a server key bin/openssl genrsa -out key1.pem 3. generate a certificate request bin/openssl req -nodes -out req.pem -key key1.pem -new 4. generate the server certificate bin/openssl ca -keyfile demoCA/private/cakey.pem \ -cert demoCA/cacert.pem -in req.pem Because I didn't use "-out", the cert was generated into demoCA/newcerts as 01.pem (or 02.pem, ...) You've now got a server certificate "demoCA/newcerts/01.pem". Its private key is key1.pem. It's signed by your own CA. You can make any number of certs by repeating steps two through four again with different file names. To set up tclhttpd, copy the key and the cert into the tclhttpd/certs subdirectory. E.g., cd /usr/local/tclhttpd-3.5.3/ mkdir certs cp /usr/local/ssl/key1.pem certs/skey.pem cp /usr/local/ssl/demoCA/newcerts/02.pem certs/server.pem It appears that the default location for the certs directory is a "bin/certs", a subdirectory of the bin directory. If you want to change that, edit bin/tclhttpd.rc and fix the SSL_CADIR setting.