mirage / ocaml-conduit

Dereference URIs into communication channels for Async or Lwt
ISC License
84 stars 74 forks

A way to upgrade connections to TLS / support STARTTLS? #391

Open brendanlong opened 3 years ago

brendanlong commented 3 years ago

I'm trying to implement STARTTLS for Pgx and I was hoping I could use Conduit for this.

The PostgreSQL documentation says I need to send a few packets, check a response, and then:

To continue after S, perform an SSL startup handshake (not described here, part of the SSL specification) with the server.

The problem I'm having is that Conduit's interface seems to only let me select TLS at startup, with no way to upgrade a connection.

Looking through the code, I suspect I just need to call Ssl.connect with my already-open reader and writer and then use the result, but this is part of the private interface.

Could something like this be exposed in the public interface? The only change I would suggest is renaming Ssl.connect to Ssl.upgrade_existing_connection or something like that.

brendanlong commented 3 years ago

Hm, I just noticed this is exposed in V1: https://github.com/mirage/ocaml-conduit/blob/master/src/conduit-async/s.ml#L73 but it was removed in V2 and V3?

brendanlong commented 3 years ago

I confirmed that I can make STARTTLS work using the V1 interface: https://github.com/arenadotio/pgx/pull/108

I'm guessing I shouldn't rely on V1 though?

brendanlong commented 3 years ago

I'm also not finding any way to do this in the Lwt versions of Conduit. Is it possible to expose an SSL upgrade function for Lwt?