I’m working on a project involving Socket.IO that I’d like to add encryption to. It seems kinda wrong, but being able to add a standard way to tunnel a TLS socket through my protocol would be really helpful, since mine is transport-agnostic, and TLS is great for negotiating and creating secure sessions (a wheel I really don’t want to have to reinvent).
Ultimately, you would have BCP inside TLS inside BCP (BCP is the name of my protocol). As ugly as that is, it would guarantee that any transport medium could easily upgrade to an encrypted connection within BCP, which is great considering I don’t know ahead of time which transport Socket.IO will pick (also future-proofing and providing options for other people using BCP, etc.). I understand if this is a bad idea, or impossible because TLS is too low-level, but if it can be done, or you have better alternatives, I’d be happy to hear your thoughts.
In general, SSL/TLS doesn’t care about the transport and can work even over pigeon mail (if you have enough pigeons in the cage ;). Consequently you can run it over some transport other than TCP, and you can run anything over SSL/TLS.
If I got your problem right, look at how Explicit SSL mode is done in FTPS and in SMTP. Initially a non-secured session is established, then the STARTTLS command is sent, then the SSL handshake takes place, and finally the rest of the communication goes on top of SSL. And all of this happens within a single socket connection.
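The explicit-mode upgrade the answer describes, as an added example that is not part of this thread: Go is used because its tls package wraps any net.Conn, so net.Pipe can stand in for a BCP stream; the STARTTLS/OK command strings, the bcp-demo name and the self-signed certificate are all constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)
// startTLSOverPipe runs a STARTTLS-style explicit upgrade over an in-memory
// transport (net.Pipe stands in for a BCP stream) and returns what the server read.
func startTLSOverPipe(msg string) (string, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo key, constructed here
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"bcp-demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // self-signed
	if err != nil {
		return "", err
	}
	leaf, _ := x509.ParseCertificate(der)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
	clientRaw, serverRaw := net.Pipe()
	result := make(chan string, 1)
	go func() { // server side of the BCP stream
		// Read exactly the command: a buffered reader could swallow the ClientHello bytes that follow it.
		cmd := make([]byte, len("STARTTLS\n"))
		if _, err := io.ReadFull(serverRaw, cmd); err != nil || string(cmd) != "STARTTLS\n" {
			serverRaw.Close() // refuse the upgrade; the peer sees EOF
			return
		}
		serverRaw.Write([]byte("OK\n")) // go-ahead, still in plaintext
		// Tickets are off only because net.Pipe is synchronous and the extra server flight would block.
		s := tls.Server(serverRaw, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		buf := make([]byte, 256) // demo messages are short
		n, _ := s.Read(buf)      // first Read runs the handshake, then decrypts the message
		result <- string(buf[:n])
	}()
	clientRaw.Write([]byte("STARTTLS\n"))
	io.ReadFull(clientRaw, make([]byte, len("OK\n"))) // wait for the go-ahead before the handshake
	pool := x509.NewCertPool() // pin the demo cert rather than skipping verification
	pool.AddCert(leaf)
	c := tls.Client(clientRaw, &tls.Config{RootCAs: pool, ServerName: "bcp-demo"})
	if _, err := c.Write([]byte(msg)); err != nil { // handshake happens here
		return "", err
	}
	return <-result, nil
}
func main() { fmt.Println(startTLSOverPipe("hello over BCP")) }
```

The fixed-length command read is the part to copy: a buffered plaintext reader that pulls in the first bytes of the ClientHello would break the handshake, and in real STARTTLS implementations that same over-read is how plaintext smuggled across the upgrade boundary ends up being treated as part of the secured session.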