uNetworking / uSockets

Miniscule cross-platform eventing, networking & crypto for async applications
Apache License 2.0

How to upgrade non-TLS connection to TLS #143

Closed tpisto closed 3 years ago

tpisto commented 3 years ago

Hi! I think this is a wonderful socket library and it's enjoyable to use. I have now faced trouble when trying to "upgrade" a non-TLS connection to TLS. The scenario, for example with psql clients, is the following (I'm here the psql server):

  1. Client sends non-TLS 8 byte header to the server
  2. Server sends back 1 byte 'S'
  3. Client now does the TLS handshake and continues using TLS

How could my "psql server" here switch the socket to TLS after sending the "S" byte? I have tried us_socket_context_adopt_socket without success. Seems this kind of TLS/SSL explicit mode is pretty common for many protocols...

Thank you for all the help!

ghost commented 3 years ago

What you are describing is not TLS; it is some kind of non-standard mix of TLS and some kind of other protocol. If you want to mix them you have to implement SSL yourself. This library is about doing something simple, fast. This use case you describe sounds very particular and specific for one edge case.

tpisto commented 3 years ago

Thank you for the quick response! Unfortunately it seems that this is not a very uncommon scenario.

What I described above was how PostgreSQL connection and TLS initialization goes: https://www.postgresql.org/docs/8.4/protocol-flow.html. "To initiate an SSL-encrypted connection, the frontend initially sends an SSLRequest message rather than a StartupMessage. The server then responds with a single byte containing S or N, indicating that it is willing or unwilling to perform SSL, respectively."

With MySQL the case is just the same, you start with unencrypted communication: https://dev.mysql.com/doc/internals/en/ssl.html https://dev.mysql.com/doc/internals/en/ssl-handshake.html https://mariadb.com/kb/en/connection/

If somebody could give me any pointers on what would be the best way to start listening for the TLS handshake (and then switch to encrypted communication) after exchanging a few unencrypted messages, that would be wonderful!
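The first-message exchange described in this thread (an 8-byte SSLRequest from the client, a single 'S' or 'N' byte from the server, and only then a TLS handshake) as an added C example; this is not code from uSockets or from the issue author. It models only the protocol-level decision a server makes in cleartext before any TLS handshake, not how to hand the socket to a TLS context, which the maintainer says below is not supported in this library. The message length 8 and request code 80877103 (1234 in the high 16 bits, 5679 in the low) are from the PostgreSQL frontend/backend protocol documentation linked above; the state names, function names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PostgreSQL SSLRequest: int32 length (8) then int32 code 80877103, big-endian. */
#define PG_SSL_REQUEST_LEN  8u
#define PG_SSL_REQUEST_CODE 80877103u   /* 1234 << 16 | 5679 */
#define PG_PROTOCOL_MAJOR   3u          /* StartupMessage carries protocol 3.x */

/* Hypothetical connection states for the cleartext prelude. */
enum pg_conn_state {
    PG_STATE_AWAIT_FIRST,    /* cleartext, fewer than 8 bytes seen so far */
    PG_STATE_TLS_HANDSHAKE,  /* replied 'S'; every following byte belongs to TLS */
    PG_STATE_PLAINTEXT,      /* replied 'N' or got a StartupMessage; stay cleartext */
    PG_STATE_ERROR           /* malformed prelude; caller should close the socket */
};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 if the first 8 bytes of buf are exactly an SSLRequest message. */
int pg_is_ssl_request(const unsigned char *buf, size_t len) {
    if (len < PG_SSL_REQUEST_LEN) return 0;
    return be32(buf) == PG_SSL_REQUEST_LEN && be32(buf + 4) == PG_SSL_REQUEST_CODE;
}

/* Classify the first bytes a client sent. Writes the one-byte reply ('S', 'N')
 * or 0 (no reply) to *reply and returns the next state. tls_available says
 * whether this server is able and willing to run TLS on this connection. */
enum pg_conn_state pg_first_message(const unsigned char *buf, size_t len,
                                    int tls_available, char *reply) {
    *reply = 0;
    if (len < PG_SSL_REQUEST_LEN) return PG_STATE_AWAIT_FIRST;  /* need more bytes */

    if (pg_is_ssl_request(buf, len)) {
        if (!tls_available) {
            *reply = 'N';              /* client may continue in cleartext or leave */
            return PG_STATE_PLAINTEXT;
        }
        /* A conforming client waits for 'S' before sending its TLS ClientHello,
         * so any bytes already buffered past the 8-byte request were not sent
         * under TLS. Refuse them rather than feeding them to the TLS engine. */
        if (len > PG_SSL_REQUEST_LEN) return PG_STATE_ERROR;
        *reply = 'S';
        return PG_STATE_TLS_HANDSHAKE;
    }

    /* Otherwise expect a StartupMessage: int32 length, int32 protocol version. */
    uint32_t msg_len = be32(buf);
    uint32_t version = be32(buf + 4);
    if (msg_len < 8 || (version >> 16) != PG_PROTOCOL_MAJOR) return PG_STATE_ERROR;
    return PG_STATE_PLAINTEXT;
}

int main(void) {
    /* Constructed sample: length 8, code 0x04D2162F (80877103). */
    const unsigned char ssl_req[8] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F};
    char reply;
    enum pg_conn_state st = pg_first_message(ssl_req, sizeof ssl_req, 1, &reply);
    printf("SSLRequest with TLS available -> reply '%c', state %d\n", reply, (int)st);
    st = pg_first_message(ssl_req, sizeof ssl_req, 0, &reply);
    printf("SSLRequest without TLS -> reply '%c', state %d\n", reply, (int)st);
    return 0;
}
```

The important hand-off is the PG_STATE_TLS_HANDSHAKE transition: once 'S' has been written, the server must stop interpreting the stream as PostgreSQL messages and route all subsequent bytes to the TLS implementation, which is exactly the socket-level switch the thread asks about. Rejecting extra buffered bytes at that point is a deliberate choice; a client that sends data before receiving 'S' is not following the documented flow.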

ghost commented 3 years ago

It's not supported here

tpisto commented 3 years ago

Ok, thank you