HTTPS stands for [|%HyperText Transfer Protocol Secure]. It's running HTTP over (a profile of) a SSL or TLS secured socket, and it means that the client can talk confidentially with the server and the client can know for sure the identity of the server that it is talking to.

**http package**

The [http] core package itself does not feature https support but contains a plugin interface to delegate the TLS communication to another package.
The following packages may be used:

***tls package***

The [http] package also can do secure HTTP (HTTPS) with the help of the [tls] package, as [Michael A. Cleverly]'s example from the http manual illustrates:
package require http 2
package require tls 1.7
http::register https 443 [list ::tls::socket -autoservername true]
set token [http::geturl]
Also see [Matt Newman]'s example:

[dbohdan] 2015-01-02: Many websites are disabling SSLv3 these days because the protocol is [|%vulnerable]. This means you will run into the error message `sslv3 alert handshake failure` when trying to connect unless you have support for the newer TLS protocol enabled. Despite what the package is called you have to enable support for TLS 1.x in `::tls::socket` manually like so: `::tls::socket -tls1 1`. I've updated the example at the top of the page to reflect this.  [RoyKeene] I removed the mentions to -tls1 1 since newer versions of TclTLS (1.7+) deal with this correctly, I also added "-autoservername" which enables SNI, which is typically desirable.


[HaO] 2016-05-24: 
On windows, [twapi] (thanks Ashok!) may be used instead of the tls package as described above.
For me, the main point are security fixes.
Using [twapi], fixes are installed with the operating system.
With the [tls] package, the openssl library is statically linked and the application programmer must care about a current version.
On Unix, this issue is not present if the openssl library is dynamically linked to the tls package.

Here is an extension of the upper example using twapi if present:
package require http 2
if {[catch {package require twapi_crypto}]} {
    package require tls 1.7
    http::register https 443 [list ::tls::socket -autoservername true]
} else {
    http::register https 443 [list ::twapi::tls_socket]
set token [http::geturl]

I tested successfully twapi version 4.0.61 with http 2.8.9 (tcl 8.6.5).

To use self-signed certificates, one may switch-off certificate verification also for TWAPI:

package require http 2
if {[catch {package require twapi_crypto}]} {
    package require tls 1.7
    http::register https 443 [list ::tls::socket -autoservername true]
} else {
    proc ::twapi_verify args {return 1}
    http::register https 443 [list ::twapi::tls_socket -verifier twapi_verifier]
set token [http::geturl]

*** Stunnel ***

[stunnel] can be used as a secure layer over an existing socket.


[HaO] 2018-04-17:
The tcllib command '::autoproxy::tunnel_connect' allows to tunnel by proxies using the tls package.
This command falls back to '::tls::socket', if no proxy host is set or the currently requested URL is within the excluded hosts.

Here is my code, which uses:
   *  twapi if loadable, tls package otherwise
   *  only routes via autoproxy, if a proxy host is set. This is only required for performance reasons. The direct calls may be removed without functional issues.

package require tls
package require http
package require autoproxy 1.7+ ; # autoproxy 1.7 supports twapi tls
if { I have program-internal proxy settings } {
    ::autoproxy::configure -proxy_host -proxy_port 880
    ::autoproxy::configure -basic -username sampleuser -password samplepassword
} else {
if { [catch {package require twapi_crypto}] } {
    # No TWAPI -> use tls
    package require tls
    if {[::autoproxy::cget -host] ne ""} {
        # Proxy set -> use autoproxy        http::register https 443 [list autoproxy::tls_socket -autoservername true]
    } else {
        # Proxy set -> use direct call to tls package        http::register https 443 [list ::tls::socket -autoservername true]
} else {
    # TWAPI present
    if {[::autoproxy::cget -host] ne ""} {
        # Switch autoconf tls to twapi mode
        autoproxy::configure -tls_package twapi
        http::register https 443 autoproxy::tls_socket
    } else {
        # Direct twapi call
        http::register https 443 [list ::twapi::tls_socket]
Alexandru has remarked on clt that the parameter "-tls 1" is ignored for "autoproxy::tls_socket".
I looked to the source code and was not convinced.
Any comments welcome.


[TclCurl] features https queries.

**Checking your TLS protocol version**

[dbohdan] 2017-02-02: The following code will tell you what version of the TLS protocol your HTTPS client uses when it talks to an up-to-date server. It should work with any TLS protocol handler, which in practice means either [tls] or [twapi], as long as the|%free service%|% it relies on is up.

package require http
package require json

# Register a TLS protocol handler and configure it as you wish here.
package require tls
::http::register https 443 [list ::tls::socket]

# Make a request to the API.
set token [::http::geturl]
puts [dict get [::json::json2dict [::http::data $token]] tls_version]
::http::cleanup $token


