This is what we have implemented. It works so far, but it is far from optimal.
1. Open a raw client connection (which I'll call RCC) that connects to the remote without TLS.
2. Speak to the remote whatever protocol you need with RCC, until you need TLS.
3. Create a listener that listens on "127.0.0.1" port "0" (it will select a free port).
4. Only accept the first connection to that listener (which I'll call BLC for "bridge listener connection").
5. Bridge everything from BLC to RCC and from RCC to BLC.
6. Get the port P used by the listener (with nw_listener_get_port).
7. Open a secure client connection (which I'll call SCC) on port P with TLS enabled (but you need to set sec_protocol_options_set_peer_authentication_required(secOptions, false) to its security options).
8. Speak to the remote whatever protocol over TLS you need with SCC.
SCC <-----> BLC <-----> RCC
      tls         raw
We do know that disabling authentication on security options does lower TLS security significantly, but at least it's working.
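One way to keep certificate checking on the SCC leg instead of disabling peer authentication, shown as an added example that is not part of the original post: a custom verify block evaluates the server's chain against the real remote host name rather than 127.0.0.1. The function name and the `remoteHost`, `bridgePort` and `queue` parameters are assumptions made for illustration; the caller still starts the returned connection.

```swift
import Foundation
import Network
import Security

// Hypothetical helper (not from the original post).
// Assumptions: `remoteHost` is the DNS name of the real server that RCC is
// connected to; `bridgePort` is the loopback listener port (P in the post).
func makeVerifiedBridgeConnection(remoteHost: String,
                                  bridgePort: NWEndpoint.Port,
                                  queue: DispatchQueue) -> NWConnection {
    let tls = NWProtocolTLS.Options()
    let sec = tls.securityProtocolOptions

    // Send the real host name in SNI, since the socket itself targets loopback.
    sec_protocol_options_set_tls_server_name(sec, remoteHost)

    // Peer authentication is left enabled. Only the trust decision is replaced:
    // the chain is evaluated with an SSL policy bound to remoteHost.
    sec_protocol_options_set_verify_block(sec, { _, secTrust, complete in
        let trust = sec_trust_copy_ref(secTrust).takeRetainedValue()
        let policy = SecPolicyCreateSSL(true, remoteHost as CFString)
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess else {
            complete(false)   // fail closed if the policy cannot be applied
            return
        }
        var error: CFError?
        // True only if the chain is trusted and matches remoteHost.
        complete(SecTrustEvaluateWithError(trust, &error))
    }, queue)

    // SCC: TLS over TCP to the local bridge listener.
    let params = NWParameters(tls: tls, tcp: NWProtocolTCP.Options())
    return NWConnection(host: "127.0.0.1", port: bridgePort, using: params)
}
```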