TLS endpoint wrappers

[glyph]

If I construct my own stream client or stream server endpoint, in addition to whatever interesting routing or shuttling-around of I'm doing with the bytes, I might want to encrypt them because they go over some public network as part of the process. There should be something so I can do TLSify(someEndpoint, contextFactory) and get back a new endpoint that does TLS without necessarily doing TCP.

(One example use-case is an endpoint that forwards a port via SSH, or opens a unix socket that some routing software eventually connects to a TCP socket.)

[glyph]

Since you're working on endpoints. (It would be neat, but no worries, no particular high priority.)

[tom.prince]

#6308 is a duplicate of this:

The current way of doing SSL with endpoints involves using listenSSL/connectSSL. This means you need one for each of TCPv4 and TCPv6, and we'll need one for the hostname endpoint too. And, you can't use it with e.g. a SOCKS endpoint.

Better would be an endpoint (or maybe I mean pair of endpoints, one client one server) that wrap an existing endpoint. Ideally this wouldn't even call transport.startTLS, but rather use the TLS protocol implementation directly.