In tls.c there is a call to SSL_load_client_CA_file() which may be invoked with a NULL pointer; this in turn invokes fopen(NULL, mode). The POSIX behaviour of fopen(NULL, mode) is undefined, but most implementations quietly return NULL. If building with MSVC 2008 or higher you will link against a C Runtime that has parameter validation (https://msdn.microsoft.com/en-us/library/ksazx244.aspx), which will throw an exception for fopen(NULL, mode).
Fix is to replace the line with:
    if ( CAfile != NULL ) {
        STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) );
        if ( certNames != NULL ) {
            SSL_CTX_set_client_CA_list(ctx, certNames );
        }
    }
Put into my local TLS checkout, doing a test rebuild overnight.
Accepted and applied to CVS, together with the fix for
http://core.tcl.tk/tcl/tktview?name=0f94f855cafed92d0e174b7d835453a02831b4dd
The TLS version was bumped to 1.6.5.