<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <title>D1861R0: Secure Connections in Networking TS</title>
<style data-fill-with="stylesheet">/******************************************************************************
 *                   Style sheet for the W3C specifications                   *
 *
 * Special classes handled by this style sheet include:
 *
 * Indices
 *   - .toc for the Table of Contents (<ol class="toc">)
 *     + <span class="secno"> for the section numbers
 *   - #toc for the Table of Contents (<nav id="toc">)
 *   - ul.index for Indices (<a href="#ref">term</a><span>, in §N.M</span>)
 *   - table.index for Index Tables (e.g. for properties or elements)
 *
 * Structural Markup
 *   - table.data for general data tables
 *     -> use 'scope' attribute, <colgroup>, <thead>, and <tbody> for best results !
 *     -> use <table class='complex data'> for extra-complex tables
 *     -> use <td class='long'> for paragraph-length cell content
 *     -> use <td class='pre'> when manual line breaks/indentation would help readability
 *   - dl.switch for switch statements
 *   - ol.algorithm for algorithms (helps to visualize nesting)
 *   - .figure and .caption (HTML4) and figure and figcaption (HTML5)
 *     -> .sidefigure for right-floated figures
 *   - ins/del
 *
 * Code
 *   - pre and code
 *
 * Special Sections
 *   - .note       for informative notes             (div, p, span, aside, details)
 *   - .example    for informative examples          (div, p, pre, span)
 *   - .issue      for issues                        (div, p, span)
 *   - .assertion  for assertions                    (div, p, span)
 *   - .advisement for loud normative statements     (div, p, strong)
 *   - .annoying-warning for spec obsoletion notices (div, aside, details)
 *
 * Definition Boxes
 *   - pre.def   for WebIDL definitions
 *   - table.def for tables that define other entities (e.g. CSS properties)
 *   - dl.def    for definition lists that define other entitles (e.g. HTML elements)
 *
 * Numbering
 *   - .secno for section numbers in .toc and headings (<span class='secno'>3.2</span>)
 *   - .marker for source-inserted example/figure/issue numbers (<span class='marker'>Issue 4</span>)
 *   - ::before styled for CSS-generated issue/example/figure numbers:
 *     -> Documents wishing to use this only need to add
 *        figcaption::before,
 *        .caption::before { content: "Figure "  counter(figure) " ";  }
 *        .example::before { content: "Example " counter(example) " "; }
 *        .issue::before   { content: "Issue "   counter(issue) " ";   }
 *
 * Header Stuff (ignore, just don't conflict with these classes)
 *   - .head for the header
 *   - .copyright for the copyright
 *
 * Miscellaneous
 *   - .overlarge for things that should be as wide as possible, even if
 *     that overflows the body text area. This can be used on an item or
 *     on its container, depending on the effect desired.
 *     Note that this styling basically doesn't help at all when printing,
 *     since A4 paper isn't much wider than the max-width here.
 *     It's better to design things to fit into a narrower measure if possible.
 *   - js-added ToC jump links (see fixup.js)
 *
 ******************************************************************************/

/******************************************************************************/
/*                                   Body                                     */
/******************************************************************************/

	body {
		counter-reset: example figure issue;

		/* Layout */
		max-width: 50em;               /* limit line length to 50em for readability   */
		margin: 0 auto;                /* center text within page                     */
		padding: 1.6em 1.5em 2em 50px; /* assume 16px font size for downlevel clients */
		padding: 1.6em 1.5em 2em calc(26px + 1.5em); /* leave space for status flag     */

		/* Typography */
		line-height: 1.5;
		font-family: sans-serif;
		widows: 2;
		orphans: 2;
		word-wrap: break-word;
		overflow-wrap: break-word;
		hyphens: auto;

		/* Colors */
		color: black;
		background: white top left fixed no-repeat;
		background-size: 25px auto;
	}


/******************************************************************************/
/*                         Front Matter & Navigation                          */
/******************************************************************************/

/** Header ********************************************************************/

	div.head { margin-bottom: 1em }
	div.head hr { border-style: solid; }

	div.head h1 {
		font-weight: bold;
		margin: 0 0 .1em;
		font-size: 220%;
	}

	div.head h2 { margin-bottom: 1.5em;}

/** W3C Logo ******************************************************************/

	.head .logo {
		float: right;
		margin: 0.4rem 0 0.2rem .4rem;
	}

	.head img[src*="logos/W3C"] {
		display: block;
		border: solid #1a5e9a;
		border-width: .65rem .7rem .6rem;
		border-radius: .4rem;
		background: #1a5e9a;
		color: white;
		font-weight: bold;
	}

	.head a:hover > img[src*="logos/W3C"],
	.head a:focus > img[src*="logos/W3C"] {
		opacity: .8;
	}

	.head a:active > img[src*="logos/W3C"] {
		background: #c00;
		border-color: #c00;
	}

	/* see also additional rules in Link Styling section */

/** Copyright *****************************************************************/

	p.copyright,
	p.copyright small { font-size: small }

/** Back to Top / ToC Toggle **************************************************/

	@media print {
		#toc-nav {
			display: none;
		}
	}
	@media not print {
		#toc-nav {
			position: fixed;
			z-index: 2;
			bottom: 0; left: 0;
			margin: 0;
			min-width: 1.33em;
			border-top-right-radius: 2rem;
			box-shadow: 0 0 2px;
			font-size: 1.5em;
			color: black;
		}
		#toc-nav > a {
			display: block;
			white-space: nowrap;

			height: 1.33em;
			padding: .1em 0.3em;
			margin: 0;

			background: white;
			box-shadow: 0 0 2px;
			border: none;
			border-top-right-radius: 1.33em;
			background: white;
		}
		#toc-nav > #toc-jump {
			padding-bottom: 2em;
			margin-bottom: -1.9em;
		}

		#toc-nav > a:hover,
		#toc-nav > a:focus {
			background: #f8f8f8;
		}
		#toc-nav > a:not(:hover):not(:focus) {
			color: #707070;
		}

		/* statusbar gets in the way on keyboard focus; remove once browsers fix */
		#toc-nav > a[href="#toc"]:not(:hover):focus:last-child {
			padding-bottom: 1.5rem;
		}

		#toc-nav:not(:hover) > a:not(:focus) > span + span {
			/* Ideally this uses :focus-within on #toc-nav */
			display: none;
		}
		#toc-nav > a > span + span {
			padding-right: 0.2em;
		}

		#toc-toggle-inline {
			vertical-align: 0.05em;
			font-size: 80%;
			color: gray;
			color: hsla(203,20%,40%,.7);
			border-style: none;
			background: transparent;
			position: relative;
		}
		#toc-toggle-inline:hover:not(:active),
		#toc-toggle-inline:focus:not(:active) {
			text-shadow: 1px 1px silver;
			top: -1px;
			left: -1px;
		}

		#toc-nav :active {
			color: #C00;
		}
	}

/** ToC Sidebar ***************************************************************/

	/* Floating sidebar */
	@media screen {
		body.toc-sidebar #toc {
			position: fixed;
			top: 0; bottom: 0;
			left: 0;
			width: 23.5em;
			max-width: 80%;
			max-width: calc(100% - 2em - 26px);
			overflow: auto;
			padding: 0 1em;
			padding-left: 42px;
			padding-left: calc(1em + 26px);
			background: inherit;
			background-color: #f7f8f9;
			z-index: 1;
			box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
		}
		body.toc-sidebar #toc h2 {
			margin-top: .8rem;
			font-variant: small-caps;
			font-variant: all-small-caps;
			text-transform: lowercase;
			font-weight: bold;
			color: gray;
			color: hsla(203,20%,40%,.7);
		}
		body.toc-sidebar #toc-jump:not(:focus) {
			width: 0;
			height: 0;
			padding: 0;
			position: absolute;
			overflow: hidden;
		}
	}
	/* Hide main scroller when only the ToC is visible anyway */
	@media screen and (max-width: 28em) {
		body.toc-sidebar {
			overflow: hidden;
		}
	}

	/* Sidebar with its own space */
	@media screen and (min-width: 78em) {
		body:not(.toc-inline) #toc {
			position: fixed;
			top: 0; bottom: 0;
			left: 0;
			width: 23.5em;
			overflow: auto;
			padding: 0 1em;
			padding-left: 42px;
			padding-left: calc(1em + 26px);
			background: inherit;
			background-color: #f7f8f9;
			z-index: 1;
			box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
		}
		body:not(.toc-inline) #toc h2 {
			margin-top: .8rem;
			font-variant: small-caps;
			font-variant: all-small-caps;
			text-transform: lowercase;
			font-weight: bold;
			color: gray;
			color: hsla(203,20%,40%,.7);
		}

		body:not(.toc-inline) {
			padding-left: 29em;
		}
		/* See also Overflow section at the bottom */

		body:not(.toc-inline) #toc-jump:not(:focus) {
			width: 0;
			height: 0;
			padding: 0;
			position: absolute;
			overflow: hidden;
		}
	}
	@media screen and (min-width: 90em) {
		body:not(.toc-inline) {
			margin: 0 4em;
		}
	}

/******************************************************************************/
/*                                Sectioning                                  */
/******************************************************************************/

/** Headings ******************************************************************/

	h1, h2, h3, h4, h5, h6, dt {
		page-break-after: avoid;
		page-break-inside: avoid;
		font: 100% sans-serif;   /* Reset all font styling to clear out UA styles */
		font-family: inherit;    /* Inherit the font family. */
		line-height: 1.2;        /* Keep wrapped headings compact */
		hyphens: manual;         /* Hyphenated headings look weird */
	}

	h2, h3, h4, h5, h6 {
		margin-top: 3rem;
	}

	h1, h2, h3 {
		color: #005A9C;
		background: transparent;
	}

	h1 { font-size: 170%; }
	h2 { font-size: 140%; }
	h3 { font-size: 120%; }
	h4 { font-weight: bold; }
	h5 { font-style: italic; }
	h6 { font-variant: small-caps; }
	dt { font-weight: bold; }

/** Subheadings ***************************************************************/

	h1 + h2,
	#subtitle {
		/* #subtitle is a subtitle in an H2 under the H1 */
		margin-top: 0;
	}
	h2 + h3,
	h3 + h4,
	h4 + h5,
	h5 + h6 {
		margin-top: 1.2em; /* = 1 x line-height */
	}

/** Section divider ***********************************************************/

	:not(.head) > hr {
		font-size: 1.5em;
		text-align: center;
		margin: 1em auto;
		height: auto;
		border: transparent solid 0;
		background: transparent;
	}
	:not(.head) > hr::before {
		content: "\2727\2003\2003\2727\2003\2003\2727";
	}

/******************************************************************************/
/*                            Paragraphs and Lists                            */
/******************************************************************************/

	p {
		margin: 1em 0;
	}

	dd > p:first-child,
	li > p:first-child {
		margin-top: 0;
	}

	ul, ol {
		margin-left: 0;
		padding-left: 2em;
	}

	li {
		margin: 0.25em 0 0.5em;
		padding: 0;
	}

	dl dd {
		margin: 0 0 .5em 2em;
	}

	.head dd + dd { /* compact for header */
		margin-top: -.5em;
	}

	/* Style for algorithms */
	ol.algorithm ol:not(.algorithm),
	.algorithm > ol ol:not(.algorithm) {
	 border-left: 0.5em solid #DEF;
	}

	/* Put nice boxes around each algorithm. */
	[data-algorithm]:not(.heading) {
	  padding: .5em;
	  border: thin solid #ddd; border-radius: .5em;
	  margin: .5em calc(-0.5em - 1px);
	}
	[data-algorithm]:not(.heading) > :first-child {
	  margin-top: 0;
	}
	[data-algorithm]:not(.heading) > :last-child {
	  margin-bottom: 0;
	}

	/* Style for switch/case <dl>s */
	dl.switch > dd > ol.only,
	dl.switch > dd > .only > ol {
	 margin-left: 0;
	}
	dl.switch > dd > ol.algorithm,
	dl.switch > dd > .algorithm > ol {
	 margin-left: -2em;
	}
	dl.switch {
	 padding-left: 2em;
	}
	dl.switch > dt {
	 text-indent: -1.5em;
	 margin-top: 1em;
	}
	dl.switch > dt + dt {
	 margin-top: 0;
	}
	dl.switch > dt::before {
	 content: '\21AA';
	 padding: 0 0.5em 0 0;
	 display: inline-block;
	 width: 1em;
	 text-align: right;
	 line-height: 0.5em;
	}

/** Terminology Markup ********************************************************/


/******************************************************************************/
/*                                 Inline Markup                              */
/******************************************************************************/

/** Terminology Markup ********************************************************/
	dfn   { /* Defining instance */
		font-weight: bolder;
	}
	a > i { /* Instance of term */
		font-style: normal;
	}
	dt dfn code, code.idl {
		font-size: medium;
	}
	dfn var {
		font-style: normal;
	}

/** Change Marking ************************************************************/

	del { color: red;  text-decoration: line-through; }
	ins { color: #080; text-decoration: underline;    }

/** Miscellaneous improvements to inline formatting ***************************/

	sup {
		vertical-align: super;
		font-size: 80%
	}

/******************************************************************************/
/*                                    Code                                    */
/******************************************************************************/

/** General monospace/pre rules ***********************************************/

	pre, code, samp {
		font-family: Menlo, Consolas, "DejaVu Sans Mono", Monaco, monospace;
		font-size: .9em;
		page-break-inside: avoid;
		hyphens: none;
		text-transform: none;
	}
	pre code,
	code code {
		font-size: 100%;
	}

	pre {
		margin-top: 1em;
		margin-bottom: 1em;
		overflow: auto;
	}

/** Inline Code fragments *****************************************************/

  /* Do something nice. */

/******************************************************************************/
/*                                    Links                                   */
/******************************************************************************/

/** General Hyperlinks ********************************************************/

	/* We hyperlink a lot, so make it less intrusive */
	a[href] {
		color: #034575;
		text-decoration: none;
		border-bottom: 1px solid #707070;
		/* Need a bit of extending for it to look okay */
		padding: 0 1px 0;
		margin: 0 -1px 0;
	}
	a:visited {
		border-bottom-color: #BBB;
	}

	/* Use distinguishing colors when user is interacting with the link */
	a[href]:focus,
	a[href]:hover {
		background: #f8f8f8;
		background: rgba(75%, 75%, 75%, .25);
		border-bottom-width: 3px;
		margin-bottom: -2px;
	}
	a[href]:active {
		color: #C00;
		border-color: #C00;
	}

	/* Backout above styling for W3C logo */
	.head .logo,
	.head .logo a {
		border: none;
		text-decoration: none;
		background: transparent;
	}

/******************************************************************************/
/*                                    Images                                  */
/******************************************************************************/

	img {
		border-style: none;
	}

	/* For autogen numbers, add
	   .caption::before, figcaption::before { content: "Figure " counter(figure) ". "; }
	*/

	figure, .figure, .sidefigure {
		page-break-inside: avoid;
		text-align: center;
		margin: 2.5em 0;
	}
	.figure img,    .sidefigure img,    figure img,
	.figure object, .sidefigure object, figure object {
		max-width: 100%;
		margin: auto;
	}
	.figure pre, .sidefigure pre, figure pre {
		text-align: left;
		display: table;
		margin: 1em auto;
	}
	.figure table, figure table {
		margin: auto;
	}
	@media screen and (min-width: 20em) {
		.sidefigure {
			float: right;
			width: 50%;
			margin: 0 0 0.5em 0.5em
		}
	}
	.caption, figcaption, caption {
		font-style: italic;
		font-size: 90%;
	}
	.caption::before, figcaption::before, figcaption > .marker {
		font-weight: bold;
	}
	.caption, figcaption {
		counter-increment: figure;
	}

	/* DL list is indented 2em, but figure inside it is not */
	dd > .figure, dd > figure { margin-left: -2em }

/******************************************************************************/
/*                             Colored Boxes                                  */
/******************************************************************************/

	.issue, .note, .example, .assertion, .advisement, blockquote {
		padding: .5em;
		border: .5em;
		border-left-style: solid;
		page-break-inside: avoid;
	}
	span.issue, span.note {
		padding: .1em .5em .15em;
		border-right-style: solid;
	}

	.issue,
	.note,
	.example,
	.advisement,
	.assertion,
	blockquote {
		margin: 1em auto;
	}
	.note  > p:first-child,
	.issue > p:first-child,
	blockquote > :first-child {
		margin-top: 0;
	}
	blockquote > :last-child {
		margin-bottom: 0;
	}

/** Blockquotes ***************************************************************/

	blockquote {
		border-color: silver;
	}

/** Open issue ****************************************************************/

	.issue {
		border-color: #E05252;
		background: #FBE9E9;
		counter-increment: issue;
		overflow: auto;
	}
	.issue::before, .issue > .marker {
		text-transform: uppercase;
		color: #AE1E1E;
		padding-right: 1em;
		text-transform: uppercase;
	}
	/* Add .issue::before { content: "Issue " counter(issue) " "; } for autogen numbers,
	   or use class="marker" to mark up the issue number in source. */

/** Example *******************************************************************/

	.example {
		border-color: #E0CB52;
		background: #FCFAEE;
		counter-increment: example;
		overflow: auto;
		clear: both;
	}
	.example::before, .example > .marker {
		text-transform: uppercase;
		color: #827017;
		min-width: 7.5em;
		display: block;
	}
	/* Add .example::before { content: "Example " counter(example) " "; } for autogen numbers,
	   or use class="marker" to mark up the example number in source. */

/** Non-normative Note ********************************************************/

	.note {
		border-color: #52E052;
		background: #E9FBE9;
		overflow: auto;
	}

	.note::before, .note > .marker,
	details.note > summary::before,
	details.note > summary > .marker {
		text-transform: uppercase;
		display: block;
		color: hsl(120, 70%, 30%);
	}
	/* Add .note::before { content: "Note"; } for autogen label,
	   or use class="marker" to mark up the label in source. */

	details.note > summary {
		display: block;
		color: hsl(120, 70%, 30%);
	}
	details.note[open] > summary {
		border-bottom: 1px silver solid;
	}

/** Assertion Box *************************************************************/
	/*  for assertions in algorithms */

	.assertion {
		border-color: #AAA;
		background: #EEE;
	}

/** Advisement Box ************************************************************/
	/*  for attention-grabbing normative statements */

	.advisement {
		border-color: orange;
		border-style: none solid;
		background: #FFEECC;
	}
	strong.advisement {
		display: block;
		text-align: center;
	}
	.advisement > .marker {
		color: #B35F00;
	}

/** Spec Obsoletion Notice ****************************************************/
	/* obnoxious obsoletion notice for older/abandoned specs. */

	details {
		display: block;
	}
	summary {
		font-weight: bolder;
	}

	.annoying-warning:not(details),
	details.annoying-warning:not([open]) > summary,
	details.annoying-warning[open] {
		background: #fdd;
		color: red;
		font-weight: bold;
		padding: .75em 1em;
		border: thick red;
		border-style: solid;
		border-radius: 1em;
	}
	.annoying-warning :last-child {
		margin-bottom: 0;
	}

@media not print {
	details.annoying-warning[open] {
		position: fixed;
		left: 1em;
		right: 1em;
		bottom: 1em;
		z-index: 1000;
	}
}

	details.annoying-warning:not([open]) > summary {
		text-align: center;
	}

/** Entity Definition Boxes ***************************************************/

	.def {
		padding: .5em 1em;
		background: #DEF;
		margin: 1.2em 0;
		border-left: 0.5em solid #8CCBF2;
	}

/******************************************************************************/
/*                                    Tables                                  */
/******************************************************************************/

	th, td {
		text-align: left;
		text-align: start;
	}

/** Property/Descriptor Definition Tables *************************************/

	table.def {
		/* inherits .def box styling, see above */
		width: 100%;
		border-spacing: 0;
	}

	table.def td,
	table.def th {
		padding: 0.5em;
		vertical-align: baseline;
		border-bottom: 1px solid #bbd7e9;
	}

	table.def > tbody > tr:last-child th,
	table.def > tbody > tr:last-child td {
		border-bottom: 0;
	}

	table.def th {
		font-style: italic;
		font-weight: normal;
		padding-left: 1em;
		width: 3em;
	}

	/* For when values are extra-complex and need formatting for readability */
	table td.pre {
		white-space: pre-wrap;
	}

	/* A footnote at the bottom of a def table */
	table.def           td.footnote {
		padding-top: 0.6em;
	}
	table.def           td.footnote::before {
		content: " ";
		display: block;
		height: 0.6em;
		width: 4em;
		border-top: thin solid;
	}

/** Data tables (and properly marked-up index tables) *************************/
	/*
		 <table class="data"> highlights structural relationships in a table
		 when correct markup is used (e.g. thead/tbody, th vs. td, scope attribute)

		 Use class="complex data" for particularly complicated tables --
		 (This will draw more lines: busier, but clearer.)

		 Use class="long" on table cells with paragraph-like contents
		 (This will adjust text alignment accordingly.)
		 Alternately use class="longlastcol" on tables, to have the last column assume "long".
	*/

	table {
		word-wrap: normal;
		overflow-wrap: normal;
		hyphens: manual;
	}

	table.data,
	table.index {
		margin: 1em auto;
		border-collapse: collapse;
		border: hidden;
		width: 100%;
	}
	table.data caption,
	table.index caption {
		max-width: 50em;
		margin: 0 auto 1em;
	}

	table.data td,  table.data th,
	table.index td, table.index th {
		padding: 0.5em 1em;
		border-width: 1px;
		border-color: silver;
		border-top-style: solid;
	}

	table.data thead td:empty {
		padding: 0;
		border: 0;
	}

	table.data  thead,
	table.index thead,
	table.data  tbody,
	table.index tbody {
		border-bottom: 2px solid;
	}

	table.data colgroup,
	table.index colgroup {
		border-left: 2px solid;
	}

	table.data  tbody th:first-child,
	table.index tbody th:first-child  {
		border-right: 2px solid;
		border-top: 1px solid silver;
		padding-right: 1em;
	}

	table.data th[colspan],
	table.data td[colspan] {
		text-align: center;
	}

	table.complex.data th,
	table.complex.data td {
		border: 1px solid silver;
		text-align: center;
	}

	table.data.longlastcol td:last-child,
	table.data td.long {
	 vertical-align: baseline;
	 text-align: left;
	}

	table.data img {
		vertical-align: middle;
	}


/*
Alternate table alignment rules

	table.data,
	table.index {
		text-align: center;
	}

	table.data  thead th[scope="row"],
	table.index thead th[scope="row"] {
		text-align: right;
	}

	table.data  tbody th:first-child,
	table.index tbody th:first-child  {
		text-align: right;
	}

Possible extra rowspan handling

	table.data  tbody th[rowspan]:not([rowspan='1']),
	table.index tbody th[rowspan]:not([rowspan='1']),
	table.data  tbody td[rowspan]:not([rowspan='1']),
	table.index tbody td[rowspan]:not([rowspan='1']) {
		border-left: 1px solid silver;
	}

	table.data  tbody th[rowspan]:first-child,
	table.index tbody th[rowspan]:first-child,
	table.data  tbody td[rowspan]:first-child,
	table.index tbody td[rowspan]:first-child{
		border-left: 0;
		border-right: 1px solid silver;
	}
*/

/******************************************************************************/
/*                                  Indices                                   */
/******************************************************************************/


/** Table of Contents *********************************************************/

	.toc a {
		/* More spacing; use padding to make it part of the click target. */
		padding-top: 0.1rem;
		/* Larger, more consistently-sized click target */
		display: block;
		/* Reverse color scheme */
		color: black;
		border-color: #3980B5;
		border-bottom-width: 3px !important;
		margin-bottom: 0px !important;
	}
	.toc a:visited {
		border-color: #054572;
	}
	.toc a:not(:focus):not(:hover) {
		/* Allow colors to cascade through from link styling */
		border-bottom-color: transparent;
	}

	.toc, .toc ol, .toc ul, .toc li {
		list-style: none; /* Numbers must be inlined into source */
		/* because generated content isn't search/selectable and markers can't do multilevel yet */
		margin:  0;
		padding: 0;
		line-height: 1.1rem; /* consistent spacing */
	}

	/* ToC not indented until third level, but font style & margins show hierarchy */
	.toc > li             { font-weight: bold;   }
	.toc > li li          { font-weight: normal; }
	.toc > li li li       { font-size:   95%;    }
	.toc > li li li li    { font-size:   90%;    }
	.toc > li li li li .secno { font-size: 85%; }
	.toc > li li li li li { font-size:   85%;    }
	.toc > li li li li li .secno { font-size: 100%; }

	/* @supports not (display:grid) { */
		.toc > li             { margin: 1.5rem 0;    }
		.toc > li li          { margin: 0.3rem 0;    }
		.toc > li li li       { margin-left: 2rem;   }

		/* Section numbers in a column of their own */
		.toc .secno {
			float: left;
			width: 4rem;
			white-space: nowrap;
		}

		.toc li {
			clear: both;
		}

		:not(li) > .toc              { margin-left:  5rem; }
		.toc .secno                  { margin-left: -5rem; }
		.toc > li li li .secno       { margin-left: -7rem; }
		.toc > li li li li .secno    { margin-left: -9rem; }
		.toc > li li li li li .secno { margin-left: -11rem; }

		/* Tighten up indentation in narrow ToCs */
		@media (max-width: 30em) {
			:not(li) > .toc              { margin-left:  4rem; }
			.toc .secno                  { margin-left: -4rem; }
			.toc > li li li              { margin-left:  1rem; }
			.toc > li li li .secno       { margin-left: -5rem; }
			.toc > li li li li .secno    { margin-left: -6rem; }
			.toc > li li li li li .secno { margin-left: -7rem; }
		}
	/* } */

	@supports (display:grid) and (display:contents) {
		/* Use #toc over .toc to override non-@supports rules. */
		#toc {
			display: grid;
			align-content: start;
			grid-template-columns: auto 1fr;
			grid-column-gap: 1rem;
			column-gap: 1rem;
			grid-row-gap: .6rem;
			row-gap: .6rem;
		}
		#toc h2 {
			grid-column: 1 / -1;
			margin-bottom: 0;
		}
		#toc ol,
		#toc li,
		#toc a {
			display: contents;
			/* Switch <a> to subgrid when supported */
		}
		#toc span {
			margin: 0;
		}
		#toc > .toc > li > a > span {
			/* The spans of the top-level list,
			   comprising the first items of each top-level section. */
			margin-top: 1.1rem;
		}
		#toc#toc .secno { /* Ugh, need more specificity to override base.css */
			grid-column: 1;
			width: auto;
			margin-left: 0;
		}
		#toc .content {
			grid-column: 2;
			width: auto;
			margin-right: 1rem;
		}
		#toc .content:hover {
			background: rgba(75%, 75%, 75%, .25);
			border-bottom: 3px solid #054572;
			margin-bottom: -3px;
		}
		#toc li li li .content {
			margin-left: 1rem;
		}
		#toc li li li li .content {
			margin-left: 2rem;
		}
	}


/** Index *********************************************************************/

	/* Index Lists: Layout */
	ul.index       { margin-left: 0; columns: 15em; text-indent: 1em hanging; }
	ul.index li    { margin-left: 0; list-style: none; break-inside: avoid; }
	ul.index li li { margin-left: 1em }
	ul.index dl    { margin-top: 0; }
	ul.index dt    { margin: .2em 0 .2em 20px;}
	ul.index dd    { margin: .2em 0 .2em 40px;}
	/* Index Lists: Typography */
	ul.index ul,
	ul.index dl { font-size: smaller; }
	@media not print {
		ul.index li span {
			white-space: nowrap;
			color: transparent; }
		ul.index li a:hover + span,
		ul.index li a:focus + span {
			color: #707070;
		}
	}

/** Index Tables *****************************************************/
	/* See also the data table styling section, which this effectively subclasses */

	table.index {
		font-size: small;
		border-collapse: collapse;
		border-spacing: 0;
		text-align: left;
		margin: 1em 0;
	}

	table.index td,
	table.index th {
		padding: 0.4em;
	}

	table.index tr:hover td:not([rowspan]),
	table.index tr:hover th:not([rowspan]) {
		background: #f7f8f9;
	}

	/* The link in the first column in the property table (formerly a TD) */
	table.index th:first-child a {
		font-weight: bold;
	}

/******************************************************************************/
/*                                    Print                                   */
/******************************************************************************/

	@media print {
		/* Pages have their own margins. */
		html {
			margin: 0;
		}
		/* Serif for print. */
		body {
			font-family: serif;
		}
	}
	@page {
		margin: 1.5cm 1.1cm;
	}

/******************************************************************************/
/*                                    Legacy                                  */
/******************************************************************************/

	/* This rule is inherited from past style sheets. No idea what it's for. */
	.hide { display: none }



/******************************************************************************/
/*                             Overflow Control                               */
/******************************************************************************/

	.figure .caption, .sidefigure .caption, figcaption {
		/* in case figure is overlarge, limit caption to 50em */
		max-width: 50rem;
		margin-left: auto;
		margin-right: auto;
	}
	.overlarge > table {
		/* limit preferred width of table */
		max-width: 50em;
		margin-left: auto;
		margin-right: auto;
	}

	@media (min-width: 55em) {
		.overlarge {
			margin-left: calc(13px + 26.5rem - 50vw);
			margin-right: calc(13px + 26.5rem - 50vw);
			max-width: none;
		}
	}
	@media screen and (min-width: 78em) {
		body:not(.toc-inline) .overlarge {
			/* 30.5em body padding 50em content area */
			margin-left: calc(40em - 50vw) !important;
			margin-right: calc(40em - 50vw) !important;
		}
	}
	@media screen and (min-width: 90em) {
		body:not(.toc-inline) .overlarge {
			/* 4em html margin 30.5em body padding 50em content area */
			margin-left: 0 !important;
			margin-right: calc(84.5em - 100vw) !important;
		}
	}

	@media not print {
		.overlarge {
			overflow-x: auto;
			/* See Lea Verou's explanation background-attachment:
			 * http://lea.verou.me/2012/04/background-attachment-local/
			 *
			background: top left  / 4em 100% linear-gradient(to right,  #ffffff, rgba(255, 255, 255, 0)) local,
			            top right / 4em 100% linear-gradient(to left, #ffffff, rgba(255, 255, 255, 0)) local,
			            top left  / 1em 100% linear-gradient(to right,  #c3c3c5, rgba(195, 195, 197, 0)) scroll,
			            top right / 1em 100% linear-gradient(to left, #c3c3c5, rgba(195, 195, 197, 0)) scroll,
			            white;
			background-repeat: no-repeat;
			*/
		}
	}
</style>
<style type="text/css">
    table, th, td {
      border: 1px solid black;
      border-collapse: collapse;
      vertical-align: top;
    }
    th, td {
      border-left: none;
      border-right: none;
      padding: 0px 10px;
    }
    th {
      text-align: center;
    }

    del { background: #fcc; color: #000; text-decoration: line-through; }
    ins { background: #cfc; color: #000; }
    blockquote .highlight:not(.idl) { background: initial; margin: initial; padding: 0.5em }
    blockquote ul { background: inherit; }
    blockquote code.highlight:not(.idl) { padding: initial; }
    blockquote c-[a] { color: inherit; } /* Keyword.Declaration */
    blockquote c-[b] { color: inherit; } /* Keyword.Type */
    blockquote c-[c] { color: inherit; } /* Comment */
    blockquote c-[d] { color: inherit; } /* Comment.Multiline */
    blockquote c-[e] { color: inherit; } /* Name.Attribute */
    blockquote c-[f] { color: inherit; } /* Name.Tag */
    blockquote c-[g] { color: inherit; } /* Name.Variable */
    blockquote c-[k] { color: inherit; } /* Keyword */
    blockquote c-[l] { color: inherit; } /* Literal */
    blockquote c-[m] { color: inherit; } /* Literal.Number */
    blockquote c-[n] { color: inherit; } /* Name */
    blockquote c-[o] { color: inherit; } /* Operator */
    blockquote c-[p] { color: inherit; } /* Punctuation */
    blockquote c-[s] { color: inherit; } /* Literal.String */
    blockquote c-[t] { color: inherit; } /* Literal.String.Single */
    blockquote c-[u] { color: inherit; } /* Literal.String.Double */
    blockquote c-[cp] { color: inherit; } /* Comment.Preproc */
    blockquote c-[c1] { color: inherit; } /* Comment.Single */
    blockquote c-[cs] { color: inherit; } /* Comment.Special */
    blockquote c-[kc] { color: inherit; } /* Keyword.Constant */
    blockquote c-[kn] { color: inherit; } /* Keyword.Namespace */
    blockquote c-[kp] { color: inherit; } /* Keyword.Pseudo */
    blockquote c-[kr] { color: inherit; } /* Keyword.Reserved */
    blockquote c-[ld] { color: inherit; } /* Literal.Date */
    blockquote c-[nc] { color: inherit; } /* Name.Class */
    blockquote c-[no] { color: inherit; } /* Name.Constant */
    blockquote c-[nd] { color: inherit; } /* Name.Decorator */
    blockquote c-[ni] { color: inherit; } /* Name.Entity */
    blockquote c-[ne] { color: inherit; } /* Name.Exception */
    blockquote c-[nf] { color: inherit; } /* Name.Function */
    blockquote c-[nl] { color: inherit; } /* Name.Label */
    blockquote c-[nn] { color: inherit; } /* Name.Namespace */
    blockquote c-[py] { color: inherit; } /* Name.Property */
    blockquote c-[ow] { color: inherit; } /* Operator.Word */
    blockquote c-[mb] { color: inherit; } /* Literal.Number.Bin */
    blockquote c-[mf] { color: inherit; } /* Literal.Number.Float */
    blockquote c-[mh] { color: inherit; } /* Literal.Number.Hex */
    blockquote c-[mi] { color: inherit; } /* Literal.Number.Integer */
    blockquote c-[mo] { color: inherit; } /* Literal.Number.Oct */
    blockquote c-[sb] { color: inherit; } /* Literal.String.Backtick */
    blockquote c-[sc] { color: inherit; } /* Literal.String.Char */
    blockquote c-[sd] { color: inherit; } /* Literal.String.Doc */
    blockquote c-[se] { color: inherit; } /* Literal.String.Escape */
    blockquote c-[sh] { color: inherit; } /* Literal.String.Heredoc */
    blockquote c-[si] { color: inherit; } /* Literal.String.Interpol */
    blockquote c-[sx] { color: inherit; } /* Literal.String.Other */
    blockquote c-[sr] { color: inherit; } /* Literal.String.Regex */
    blockquote c-[ss] { color: inherit; } /* Literal.String.Symbol */
    blockquote c-[vc] { color: inherit; } /* Name.Variable.Class */
    blockquote c-[vg] { color: inherit; } /* Name.Variable.Global */
    blockquote c-[vi] { color: inherit; } /* Name.Variable.Instance */
    blockquote c-[il] { color: inherit; } /* Literal.Number.Integer.Long */
  </style>
  <meta content="Bikeshed version 5a2c04fbf9f3418b378c5d733b60fe6fc575091b" name="generator">
  <link href="http://wg21.link/P1861R0" rel="canonical">
  <link href="https://isocpp.org/favicon.ico" rel="icon">
  <meta content="9645b4579ddc749c394e605eb6263ed6946a506d" name="document-revision">
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
   regarding paragraph and lists. */
[data-md] > :first-child {
    margin-top: 0;
}
[data-md] > :last-child {
    margin-bottom: 0;
}</style>
<style>/* style-counters */

body {
    counter-reset: example figure issue;
}
.issue {
    counter-increment: issue;
}
.issue:not(.no-marker)::before {
    content: "Issue " counter(issue);
}

.example {
    counter-increment: example;
}
.example:not(.no-marker)::before {
    content: "Example " counter(example);
}
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
    content: "Invalid Example" counter(example);
}

figcaption {
    counter-increment: figure;
}
figcaption:not(.no-marker)::before {
    content: "Figure " counter(figure) " ";
}</style>
<style>/* style-syntax-highlighting */

.highlight:not(.idl) { background: hsl(24, 20%, 95%); }
code.highlight { padding: .1em; border-radius: .3em; }
pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }
c-[a] { color: #990055 } /* Keyword.Declaration */
c-[b] { color: #990055 } /* Keyword.Type */
c-[c] { color: #708090 } /* Comment */
c-[d] { color: #708090 } /* Comment.Multiline */
c-[e] { color: #0077aa } /* Name.Attribute */
c-[f] { color: #669900 } /* Name.Tag */
c-[g] { color: #222222 } /* Name.Variable */
c-[k] { color: #990055 } /* Keyword */
c-[l] { color: #000000 } /* Literal */
c-[m] { color: #000000 } /* Literal.Number */
c-[n] { color: #0077aa } /* Name */
c-[o] { color: #999999 } /* Operator */
c-[p] { color: #999999 } /* Punctuation */
c-[s] { color: #a67f59 } /* Literal.String */
c-[t] { color: #a67f59 } /* Literal.String.Single */
c-[u] { color: #a67f59 } /* Literal.String.Double */
c-[cp] { color: #708090 } /* Comment.Preproc */
c-[c1] { color: #708090 } /* Comment.Single */
c-[cs] { color: #708090 } /* Comment.Special */
c-[kc] { color: #990055 } /* Keyword.Constant */
c-[kn] { color: #990055 } /* Keyword.Namespace */
c-[kp] { color: #990055 } /* Keyword.Pseudo */
c-[kr] { color: #990055 } /* Keyword.Reserved */
c-[ld] { color: #000000 } /* Literal.Date */
c-[nc] { color: #0077aa } /* Name.Class */
c-[no] { color: #0077aa } /* Name.Constant */
c-[nd] { color: #0077aa } /* Name.Decorator */
c-[ni] { color: #0077aa } /* Name.Entity */
c-[ne] { color: #0077aa } /* Name.Exception */
c-[nf] { color: #0077aa } /* Name.Function */
c-[nl] { color: #0077aa } /* Name.Label */
c-[nn] { color: #0077aa } /* Name.Namespace */
c-[py] { color: #0077aa } /* Name.Property */
c-[ow] { color: #999999 } /* Operator.Word */
c-[mb] { color: #000000 } /* Literal.Number.Bin */
c-[mf] { color: #000000 } /* Literal.Number.Float */
c-[mh] { color: #000000 } /* Literal.Number.Hex */
c-[mi] { color: #000000 } /* Literal.Number.Integer */
c-[mo] { color: #000000 } /* Literal.Number.Oct */
c-[sb] { color: #a67f59 } /* Literal.String.Backtick */
c-[sc] { color: #a67f59 } /* Literal.String.Char */
c-[sd] { color: #a67f59 } /* Literal.String.Doc */
c-[se] { color: #a67f59 } /* Literal.String.Escape */
c-[sh] { color: #a67f59 } /* Literal.String.Heredoc */
c-[si] { color: #a67f59 } /* Literal.String.Interpol */
c-[sx] { color: #a67f59 } /* Literal.String.Other */
c-[sr] { color: #a67f59 } /* Literal.String.Regex */
c-[ss] { color: #a67f59 } /* Literal.String.Symbol */
c-[vc] { color: #0077aa } /* Name.Variable.Class */
c-[vg] { color: #0077aa } /* Name.Variable.Global */
c-[vi] { color: #0077aa } /* Name.Variable.Instance */
c-[il] { color: #000000 } /* Literal.Number.Integer.Long */
</style>
<style>/* style-selflinks */

.heading, .issue, .note, .example, li, dt {
    position: relative;
}
a.self-link {
    position: absolute;
    top: 0;
    left: calc(-1 * (3.5rem - 26px));
    width: calc(3.5rem - 26px);
    height: 2em;
    text-align: center;
    border: none;
    transition: opacity .2s;
    opacity: .5;
}
a.self-link:hover {
    opacity: 1;
}
.heading > a.self-link {
    font-size: 83%;
}
li > a.self-link {
    left: calc(-1 * (3.5rem - 26px) - 2em);
}
dfn > a.self-link {
    top: auto;
    left: auto;
    opacity: 0;
    width: 1.5em;
    height: 1.5em;
    background: gray;
    color: white;
    font-style: normal;
    transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
    opacity: 1;
}
dfn > a.self-link:hover {
    color: black;
}

a.self-link::before            { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before      { content: "#"; }</style>
<style>/* style-autolinks */

.css.css, .property.property, .descriptor.descriptor {
    color: #005a9c;
    font-size: inherit;
    font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
    content: "‘";
}
.css::after, .property::after, .descriptor::after {
    content: "’";
}
.property, .descriptor {
    /* Don't wrap property and descriptor names */
    white-space: nowrap;
}
.type { /* CSS value <type> */
    font-style: italic;
}
pre .property::before, pre .property::after {
    content: "";
}
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
    content: "‘";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
    content: "’";
}

[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
    content: "";
}

[data-link-type=element],
[data-link-type=element-attr] {
    font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
    font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after  { content: ">" }

[data-link-type=biblio] {
    white-space: pre;
}</style>
 <body class="h-entry">
  <div class="head">
   <p data-fill-with="logo"></p>
   <h1 class="p-name no-ref" id="title">D1861R0<br>Secure Connections in Networking TS</h1>
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Draft Proposal, <time class="dt-updated" datetime="2018-09-05">2018-09-05</time></span></h2>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="http://wg21.link/P1861R0">http://wg21.link/P1861R0</a>
     <dt>Authors:
     <dd>
      <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:achristensen@apple.com">Alex Christensen</a> (<span class="p-org org">Apple</span>)
     <dd>
      <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:jfbastien@apple.com">JF Bastien</a> (<span class="p-org org">Apple</span>)
     <dt>Audience:
     <dd>LEWG
     <dt>Project:
     <dd>ISO/IEC JTC1/SC22/WG21 14882: Programming Language — C++
     <dt>Source:
     <dd><a href="https://github.com/achristensen07/papers/blob/master/source/p1861r0.bs">https://github.com/achristensen07/papers/blob/master/source/p1861r0.bs</a>
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <hr title="Separator for header">
  </div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li><a href="#abstract"><span class="secno">1</span> <span class="content">Abstract</span></a>
    <li><a href="#intro"><span class="secno">2</span> <span class="content">Introduction</span></a>
    <li><a href="#changes"><span class="secno">3</span> <span class="content">Minimal Changes</span></a>
    <li><a href="#client"><span class="secno">4</span> <span class="content">TLS Client Example</span></a>
    <li><a href="#server"><span class="secno">5</span> <span class="content">TLS Server Example</span></a>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
   </ol>
  </nav>
  <main>
   <h2 class="heading settled" data-level="1" id="abstract"><span class="secno">1. </span><span class="content">Abstract</span><a class="self-link" href="#abstract"></a></h2>
   <p>This paper shows a minimal change to the existing <a data-link-type="biblio" href="#biblio-n4771">[N4771]</a> Networking TS to support TLS and DTLS.</p>
   <h2 class="heading settled" data-level="2" id="intro"><span class="secno">2. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
   <p>In <a data-link-type="biblio" href="#biblio-p1860r0">[P1860R0]</a> we make the case that C++ networking should be secure by default,
motivating the addition of TLS and DTLS support to the Networking TS. This paper
describes minimal changes necessary to implement secure connections for use on the
internet.</p>
   <p>This paper does not claim to contain everything that would
be required to support secure connections, but rather it is a glimpse into what
it would look like if we decided to take the existing Networking TS and add security
without any further reshaping.</p>
   <p>The changes in this paper are not intended to be accepted by the C++ committee.  They are
rather an exploration into what it would look like if TLS and DTLS were added without further changes.</p>
   <p>The examples in this paper are based on using <a href="https://github.com/chriskohlhoff/networking-ts-impl">Chris Kohlhoff’s networking TS implementation</a> with checkout <code class="highlight"><c- n>c97570e7ceef436581be3c138868a19ad96e025b</c-></code>. As an implementation detail, we use <a href="https://boringssl.googlesource.com/boringssl/">BoringSSL</a> and a few APIs from <a href="https://developer.apple.com/documentation/security"><code class="highlight"><c- n>Security</c-><c- p>.</c-><c- n>framework</c-></code></a> to access the platform’s root store.
An implementation of the changes have been published <a href="https://lists.boost.org/Archives/boost/2019/09/246967.php">on the boost mailing list</a>.</p>
   <h2 class="heading settled" data-level="3" id="changes"><span class="secno">3. </span><span class="content">Minimal Changes</span><a class="self-link" href="#changes"></a></h2>
   <p>The following changes are based on <a data-link-type="biblio" href="#biblio-n4771">[N4771]</a>.</p>
   <p>In Section 18.6, one new method should be added to Class template <code class="highlight"><c- n>basic_socket</c-></code>:</p>
<pre class="highlight"><code class="highlight"><ins><c- k><c- k>class</c-></c-> <c- nc><c- nc>security_properties</c-></c-><c- o><c- o>&amp;</c-></c-> <c- n><c- n>security_properties</c-></c-><c- p><c- p>();</c-></c->
</ins></code></pre>
   <p>Likewise in Section 18.9, one new method should be added to Class template <code class="highlight"><c- n>basic_socket_acceptor</c-></code>:</p>
<pre class="highlight"><code class="highlight"><ins><c- k><c- k>class</c-></c-> <c- nc><c- nc>security_properties</c-></c-><c- o><c- o>&amp;</c-></c-> <c- n><c- n>security_properties</c-></c-><c- p><c- p>();</c-></c->
<ins></ins></ins></code></pre>
   <p>A new section should be added, Section 22, entitled "Security", and containing initially just one class in Section 22.1 (entitled Class <code class="highlight"><c- n>security_properties</c-></code>):</p>
<pre class="highlight"><code class="highlight"><ins><c- k><c- k>class</c-></c-> <c- nc><c- nc>security_properties</c-></c-> <c- p><c- p>{</c-></c->
<c- k><c- k>public</c-></c-><c- o><c- o>:</c-></c->
    <c- k><c- k>using</c-></c-> <c- n><c- n>certificate_chain</c-></c-> <c- o><c- o>=</c-></c-> <c- n><c- n>std</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>vector</c-></c-><c- o><c- o>&lt;</c-></c-><c- n><c- n>std</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>string_view</c-></c-><c- o><c- o>></c-></c-><c- p><c- p>;</c-></c->

    <c- n><c- n>security_properties</c-></c-><c- o><c- o>&amp;</c-></c-> <c- n><c- n>disable_security</c-></c-><c- p><c- p>();</c-></c->
    <c- n><c- n>security_properties</c-></c-><c- o><c- o>&amp;</c-></c-> <c- n><c- n>set_host</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>std</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>string_view</c-></c-><c- p><c- p>);</c-></c->
    <c- n><c- n>security_properties</c-></c-><c- o><c- o>&amp;</c-></c-> <c- n><c- n>use_private_key</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>std</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>string_view</c-></c-><c- p><c- p>);</c-></c->
    <c- n><c- n>security_properties</c-></c-><c- o><c- o>&amp;</c-></c-> <c- n><c- n>use_certificates</c-></c-><c- p><c- p>(</c-></c-><c- k><c- k>const</c-></c-> <c- n><c- n>certificate_chain</c-></c-><c- o><c- o>&amp;</c-></c-><c- p><c- p>);</c-></c->

    <c- k><c- k>template</c-></c-> <c- o><c- o>&lt;</c-></c-><c- k><c- k>typename</c-></c-> <c- n><c- n>Verifier</c-></c-><c- o><c- o>></c-></c->
        <c- n><c- n>requires</c-></c-> <c- n><c- n>invocable</c-></c-><c- o><c- o>&lt;</c-></c-><c- b><c- b>bool</c-></c-><c- p><c- p>,</c-></c-> <c- n><c- n>Verifier</c-></c-><c- p><c- p>,</c-></c-> <c- k><c- k>const</c-></c-> <c- n><c- n>certificate_chain</c-></c-><c- o><c- o>></c-></c->
    <c- n><c- n>security_properties</c-></c-><c- o><c- o>&amp;</c-></c-> <c- n><c- n>use_certificate_verifier</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>Verifier</c-></c-><c- p><c- p>);</c-></c->
<c- p><c- p>};</c-></c->
<ins></ins></ins></code></pre>
   <p>The initial implementation uses PEM encoding from <a data-link-type="biblio" href="#biblio-rfc7468">[RFC7468]</a> for the <code class="highlight"><c- n>private_key</c-></code> (in the <code class="highlight"><c- n>string_view</c-></code>) and DER encoding for <a data-link-type="biblio" href="#biblio-x690">[X690]</a> certificate chains (in the <code class="highlight"><c- n>vector</c-></code>). A consistent and
well-defined format for certificates and keys should be developed. The intent is to
expand <code class="highlight"><c- n>security_properties</c-></code> in future revisions of this paper so that it
contains most if not all of the properties from a mature networking library,
such as in <a href="https://developer.apple.com/documentation/network/security_options"><code class="highlight"><c- n>Network</c-><c- p>.</c-><c- n>framework</c-></code>'s security options</a>.</p>
   <h2 class="heading settled" data-level="4" id="client"><span class="secno">4. </span><span class="content">TLS Client Example</span><a class="self-link" href="#client"></a></h2>
   <p>Consider a simple TCP client that wants to fetch some data from the internet. It
must first do a DNS lookup to get an IP address, then it should establish a
connection, send a request, and receive a response:</p>
<pre class="highlight"><c- cp>#include</c-> &lt;array>
<c- cp>#include</c-> &lt;experimental/net>
<c- cp>#include</c-> &lt;iostream>
<c- cp>#include</c-> &lt;string>

<c- b>int</c-> <c- nf>main</c-><c- p>()</c-> <c- p>{</c->
    <c- k>using</c-> <c- k>namespace</c-> <c- n>std</c-><c- o>::</c-><c- n>experimental</c-><c- o>::</c-><c- n>net</c-><c- p>;</c->
    <c- n>io_context</c-> <c- n>io_context</c-><c- p>;</c->

    <c- c1>// DNS lookup to get IP address</c->
    <c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>::</c-><c- n>resolver</c-> <c- n>resolver</c-><c- p>(</c-><c- n>io_context</c-><c- p>);</c->
    <c- k>const</c-> <c- b>uint16_t</c-> <c- n>port</c-> <c- o>=</c-> <c- mi>80</c-><c- p>;</c->
    <c- n>ip</c-><c- o>::</c-><c- n>basic_resolver</c-><c- o>&lt;</c-><c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>>::</c-><c- n>results_type</c-> <c- n>results</c-> <c- o>=</c->
        <c- n>resolver</c-><c- p>.</c-><c- n>resolve</c-><c- p>(</c-><c- s>"www.apple.com"</c-><c- p>,</c-> <c- n>std</c-><c- o>::</c-><c- n>to_string</c-><c- p>(</c-><c- n>port</c-><c- p>));</c->
    <c- k>if</c-> <c- p>(</c-><c- n>results</c-><c- p>.</c-><c- n>begin</c-><c- p>()</c-> <c- o>==</c-> <c- n>results</c-><c- p>.</c-><c- n>end</c-><c- p>())</c-> <c- p>{</c->
        <c- n>std</c-><c- o>::</c-><c- n>cerr</c-> <c- o>&lt;&lt;</c-> <c- s>"error in DNS lookup</c-><c- se>\n</c-><c- s>"</c-><c- p>;</c->
        <c- k>return</c-> <c- mi>1</c-><c- p>;</c->
    <c- p>}</c->
    <c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>::</c-><c- n>endpoint</c-> <c- n>endpoint</c-> <c- o>=</c-> <c- n>results</c-><c- p>.</c-><c- n>begin</c-><c- p>()</c-><c- o>-></c-><c- n>endpoint</c-><c- p>();</c->

    <c- c1>// Create TCP connection</c->
    <c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>::</c-><c- n>socket</c-> <c- n>socket</c-><c- p>(</c-><c- n>io_context</c-><c- p>);</c->
    <c- n>socket</c-><c- p>.</c-><c- n>connect</c-><c- p>(</c-><c- n>endpoint</c-><c- p>);</c->

    <c- c1>// Send request</c->
    <c- n>std</c-><c- o>::</c-><c- n>string_view</c-> <c- n>request</c-> <c- o>=</c-> <c- s>"GET / HTTP/1.1</c-><c- se>\r\n</c-><c- s>Host: www.apple.com</c-><c- se>\r\n\r\n</c-><c- s>"</c-><c- p>;</c->
    <c- n>std</c-><c- o>::</c-><c- n>error_code</c-> <c- n>error</c-><c- p>;</c->
    <c- n>write</c-><c- p>(</c-><c- n>socket</c-><c- p>,</c-> <c- n>buffer</c-><c- p>(</c-><c- n>request</c-><c- p>),</c-> <c- n>error</c-><c- p>);</c->
    <c- k>if</c-> <c- p>(</c-><c- n>error</c-><c- p>)</c-> <c- p>{</c->
        <c- n>std</c-><c- o>::</c-><c- n>cerr</c-> <c- o>&lt;&lt;</c-> <c- s>"error sending request</c-><c- se>\n</c-><c- s>"</c-><c- p>;</c->
        <c- k>return</c-> <c- mi>1</c-><c- p>;</c->
    <c- p>}</c->

    <c- c1>// Receive response</c->
    <c- n>std</c-><c- o>::</c-><c- n>array</c-><c- o>&lt;</c-><c- b>char</c-><c- p>,</c-> <c- mi>1000</c-><c- o>></c-> <c- n>buffer</c-><c- p>;</c->
    <c- n>read</c-><c- p>(</c-><c- n>socket</c-><c- p>,</c-> <c- n>std</c-><c- o>::</c-><c- n>experimental</c-><c- o>::</c-><c- n>net</c-><c- o>::</c-><c- n>buffer</c-><c- p>(</c-><c- n>buffer</c-><c- p>),</c-> <c- n>transfer_at_least</c-><c- p>(</c-><c- mi>1</c-><c- p>),</c-> <c- n>error</c-><c- p>);</c->
    <c- k>if</c-> <c- p>(</c-><c- n>error</c-> <c- o>&amp;&amp;</c-> <c- n>error</c-> <c- o>!=</c-> <c- n>error</c-><c- o>::</c-><c- n>eof</c-><c- p>)</c-> <c- p>{</c->
        <c- n>std</c-><c- o>::</c-><c- n>cerr</c-> <c- o>&lt;&lt;</c-> <c- s>"error receiving response: "</c-> <c- o>&lt;&lt;</c-> <c- n>error</c-><c- p>.</c-><c- n>message</c-><c- p>()</c-> <c- o>&lt;&lt;</c-> <c- sc>'\n'</c-><c- p>;</c->
        <c- k>return</c-> <c- mi>1</c-><c- p>;</c->
    <c- p>}</c->

    <c- n>std</c-><c- o>::</c-><c- n>cout</c-> <c- o>&lt;&lt;</c-> <c- s>"received response:</c-><c- se>\n</c-><c- s>"</c-> <c- o>&lt;&lt;</c-> <c- n>buffer</c-><c- p>.</c-><c- n>data</c-><c- p>()</c-> <c- o>&lt;&lt;</c-> <c- sc>'\n'</c-><c- p>;</c->
    <c- k>return</c-> <c- mi>0</c-><c- p>;</c->
<c- p>}</c->
</pre>
   <p>The changes in this paper would require one additional line of code in order to make a plaintext request:</p>
<pre class="highlight"><code class="highlight"><c- n><c- n>ip</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>tcp</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>socket</c-></c-> <c- n><c- n>socket</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>io_context</c-></c-><c- p><c- p>);</c-></c->
<ins><c- n><c- n>socket</c-></c-><c- p><c- p>.</c-></c-><c- n><c- n>security_properties</c-></c-><c- p><c- p>().</c-></c-><c- n><c- n>disable_security</c-></c-><c- p><c- p>();</c-></c-></ins>
<c- n><c- n>socket</c-></c-><c- p><c- p>.</c-></c-><c- n><c- n>connect</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>endpoint</c-></c-><c- p><c- p>);</c-></c->
</code></pre>
   <p>This particular server, <code class="highlight"><c- n>www</c-><c- p>.</c-><c- n>apple</c-><c- p>.</c-><c- n>com</c-></code>, responds in plaintext only to redirect
to the HTTPS version of the website. In order to make a secure request over TLS,
two small changes are necessary: the port would need to be changed from <code class="highlight"><c- mi>80</c-></code> (the default port for HTTP) to <code class="highlight"><c- mi>443</c-></code> (the default port of HTTPS) and the <code class="highlight"><c- n>security_properties</c-></code> would need to know what the intended host is in order to
evaluate whether the TLS certificate used in the handshake is valid for this
host:</p>
<pre class="highlight"><code class="highlight"><c- k><c- k>const</c-></c-> <c- b><c- b>uint16_t</c-></c-> <c- n><c- n>port</c-></c-> <c- o><c- o>=</c-></c-> <del><c- mi><c- mi>80</c-></c-></del><ins><c- mi><c- mi>443</c-></c-></ins><c- p><c- p>;</c-></c->
<c- n><c- n>ip</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>basic_resolver</c-></c-><c- o><c- o>&lt;</c-></c-><c- n><c- n>ip</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>tcp</c-></c-><c- o><c- o>>::</c-></c-><c- n><c- n>results_type</c-></c-> <c- n><c- n>results</c-></c-> <c- o><c- o>=</c-></c->
    <c- n><c- n>resolver</c-></c-><c- p><c- p>.</c-></c-><c- n><c- n>resolve</c-></c-><c- p><c- p>(</c-></c-><c- s><c- s>"www.apple.com"</c-></c-><c- p><c- p>,</c-></c-> <c- n><c- n>std</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>to_string</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>port</c-></c-><c- p><c- p>));</c-></c->
<c- c1><c- c1>// ...</c-></c->
<c- n><c- n>ip</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>tcp</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>socket</c-></c-> <c- n><c- n>socket</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>io_context</c-></c-><c- p><c- p>);</c-></c->
<ins><c- n><c- n>socket</c-></c-><c- p><c- p>.</c-></c-><c- n><c- n>security_properties</c-></c-><c- p><c- p>().</c-></c-><c- n><c- n>set_host</c-></c-><c- p><c- p>(</c-></c-><c- s><c- s>"www.apple.com"</c-></c-><c- p><c- p>);</c-></c-></ins>
<c- n><c- n>socket</c-></c-><c- p><c- p>.</c-></c-><c- n><c- n>connect</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>endpoint</c-></c-><c- p><c- p>);</c-></c->
</code></pre>
   <p>By default, the validity of the certificates will be evaluated by comparing the
roots with the trusted roots on the system. This is the behavior most developers
connecting to the internet would use. If a developer wants to allow deviations
from this, they must use their own certificate verification function. This will
allow use of self-signed certificates on the server, or connections to sites
such as <code class="highlight"><c- n>wrong</c-><c- p>.</c-><c- n>host</c-><c- p>.</c-><c- n>badssl</c-><c- p>.</c-><c- n>com</c-></code> which do not have trusted certificates that
match the intended host:</p>
<pre class="highlight"><code class="highlight"><c- n><c- n>socket</c-></c-><c- p><c- p>.</c-></c-><c- n><c- n>security_properties</c-></c-><c- p><c- p>().</c-></c-><c- n><c- n>use_certificate_verifier</c-></c-><c- p><c- p>([]</c-></c-> <c- p><c- p>(</c-></c-><c- k><c- k>const</c-></c-> <c- k><c- k>auto</c-></c-><c- o><c- o>&amp;</c-></c-> <c- n><c- n>chain</c-></c-><c- p><c- p>)</c-></c-> <c- p><c- p>{</c-></c->
    <c- k><c- k>return</c-></c-> <c- n><c- n>customCertificateVerifier</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>chain</c-></c-><c- p><c- p>);</c-></c->
<c- p><c- p>});</c-></c->
</code></pre>
   <p>It should be understood that the use of custom certificate verification
capability likely allows <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
attacks</a>, it should therefore be done with caution.</p>
   <h2 class="heading settled" data-level="5" id="server"><span class="secno">5. </span><span class="content">TLS Server Example</span><a class="self-link" href="#server"></a></h2>
   <p>Consider a simple TCP server that responds to one request with a fixed response.
It must listen for a connection to a certain port, then when a client has connected
it must read the request then send the response:</p>
<pre class="highlight"><c- cp>#include</c-> &lt;array>
<c- cp>#include</c-> &lt;experimental/net>
<c- cp>#include</c-> &lt;iostream>
<c- cp>#include</c-> &lt;string>

<c- b>int</c-> <c- nf>main</c-><c- p>()</c-> <c- p>{</c->
    <c- k>using</c-> <c- k>namespace</c-> <c- n>std</c-><c- o>::</c-><c- n>experimental</c-><c- o>::</c-><c- n>net</c-><c- p>;</c->
    <c- k>using</c-> <c- k>namespace</c-> <c- n>std</c-><c- o>::</c-><c- n>experimental</c-><c- o>::</c-><c- n>net</c-><c- o>::</c-><c- n>ip</c-><c- p>;</c->

    <c- n>io_context</c-> <c- n>context</c-><c- p>;</c->

    <c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>::</c-><c- n>acceptor</c-> <c- n>acceptor</c-><c- p>(</c-><c- n>context</c-><c- p>);</c->
    <c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>::</c-><c- n>resolver</c-> <c- n>resolver</c-><c- p>(</c-><c- n>context</c-><c- p>);</c->
    <c- k>const</c-> <c- b>uint16_t</c-> <c- n>port</c-> <c- o>=</c-> <c- mi>50000</c-><c- p>;</c-> <c- c1>// An unallocated port, likely to be unused.</c->
    <c- n>ip</c-><c- o>::</c-><c- n>basic_resolver</c-><c- o>&lt;</c-><c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>>::</c-><c- n>results_type</c-> <c- n>results</c-> <c- o>=</c->
        <c- n>resolver</c-><c- p>.</c-><c- n>resolve</c-><c- p>(</c-><c- s>"0.0.0.0"</c-><c- p>,</c-> <c- n>std</c-><c- o>::</c-><c- n>to_string</c-><c- p>(</c-><c- n>port</c-><c- p>));</c->
    <c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>::</c-><c- n>endpoint</c-> <c- n>endpoint</c-> <c- o>=</c-> <c- n>results</c-><c- p>.</c-><c- n>begin</c-><c- p>()</c-><c- o>-></c-><c- n>endpoint</c-><c- p>();</c->

    <c- n>acceptor</c-><c- p>.</c-><c- n>open</c-><c- p>(</c-><c- n>endpoint</c-><c- p>.</c-><c- n>protocol</c-><c- p>());</c->
    <c- k>try</c-> <c- p>{</c->
        <c- n>acceptor</c-><c- p>.</c-><c- n>bind</c-><c- p>(</c-><c- n>endpoint</c-><c- p>);</c->
    <c- p>}</c-> <c- k>catch</c-> <c- p>(...)</c-> <c- p>{</c->
        <c- n>std</c-><c- o>::</c-><c- n>cerr</c-> <c- o>&lt;&lt;</c-> <c- s>"binding failed</c-><c- se>\n</c-><c- s>"</c-><c- p>;</c->
    <c- p>}</c->
    <c- n>acceptor</c-><c- p>.</c-><c- n>listen</c-><c- p>();</c->
    <c- n>std</c-><c- o>::</c-><c- n>cout</c-> <c- o>&lt;&lt;</c-> <c- s>"try running 'curl http://127.0.0.1:"</c-> <c- o>&lt;&lt;</c-> <c- n>endpoint</c-><c- p>.</c-><c- n>port</c-><c- p>()</c->
        <c- o>&lt;&lt;</c-> <c- s>"' in a terminal &lt;&lt; std::endl;</c->
    <c- n>std</c-><c- o>::</c-><c- n>cout</c-> <c- o>&lt;&lt;</c-> <c- n>waiting</c-> <c- k>for</c-> <c- n>connection</c-><c- s>" &lt;&lt; std::endl;</c->
    <c- n>tcp</c-><c- o>::</c-><c- n>socket</c-> <c- n>socket</c-> <c- o>=</c-> <c- n>acceptor</c-><c- p>.</c-><c- n>accept</c-><c- p>(</c-><c- n>context</c-><c- p>);</c->

    <c- n>std</c-><c- o>::</c-><c- n>cout</c-> <c- o>&lt;&lt;</c-> <c- s>"waiting for request"</c-> <c- o>&lt;&lt;</c-> <c- n>std</c-><c- o>::</c-><c- n>endl</c-><c- p>;</c->
    <c- n>std</c-><c- o>::</c-><c- n>error_code</c-> <c- n>error</c-><c- p>;</c->
    <c- n>std</c-><c- o>::</c-><c- n>array</c-><c- o>&lt;</c-><c- b>char</c-><c- p>,</c-> <c- mi>1000</c-><c- o>></c-> <c- n>buffer</c-><c- p>;</c->
    <c- n>read</c-><c- p>(</c-><c- n>socket</c-><c- p>,</c-> <c- n>std</c-><c- o>::</c-><c- n>experimental</c-><c- o>::</c-><c- n>net</c-><c- o>::</c-><c- n>buffer</c-><c- p>(</c-><c- n>buffer</c-><c- p>),</c-> <c- n>transfer_at_least</c-><c- p>(</c-><c- mi>1</c-><c- p>),</c-> <c- n>error</c-><c- p>);</c->

    <c- n>std</c-><c- o>::</c-><c- n>cout</c-> <c- o>&lt;&lt;</c-> <c- s>"writing response"</c-> <c- o>&lt;&lt;</c-> <c- n>std</c-><c- o>::</c-><c- n>endl</c-><c- p>;</c->
    <c- n>std</c-><c- o>::</c-><c- n>string_view</c-> <c- n>msg</c-> <c- o>=</c->
        <c- s>"HTTP/1.1 200 OK</c-><c- se>\r\n</c-><c- s>"</c->
        <c- s>"Content-Length: 28</c-><c- se>\r\n</c-><c- s>"</c->
        <c- s>"</c-><c- se>\r\n</c-><c- s>"</c->
        <c- s>"&lt;html>&lt;h1>hello!&lt;/h1>&lt;/html>"</c-><c- p>;</c->
    <c- n>write</c-><c- p>(</c-><c- n>socket</c-><c- p>,</c-> <c- n>std</c-><c- o>::</c-><c- n>experimental</c-><c- o>::</c-><c- n>net</c-><c- o>::</c-><c- n>buffer</c-><c- p>(</c-><c- n>msg</c-><c- p>),</c-> <c- n>error</c-><c- p>);</c->

    <c- k>return</c-> <c- mi>0</c-><c- p>;</c->
<c- p>}</c->
</pre>
   <p>With these proposed changes, there will be one more required line of code to
continue using plaintext:</p>
<pre class="highlight"><code class="highlight"><c- n><c- n>ip</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>tcp</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>acceptor</c-></c-> <c- n><c- n>acceptor</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>context</c-></c-><c- p><c- p>);</c-></c->
<ins><c- n><c- n>acceptor</c-></c-><c- p><c- p>.</c-></c-><c- n><c- n>security_properties</c-></c-><c- p><c- p>().</c-></c-><c- n><c- n>disable_security</c-></c-><c- p><c- p>();</c-></c-></ins>
<c- n><c- n>ip</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>tcp</c-></c-><c- o><c- o>::</c-></c-><c- n><c- n>resolver</c-></c-> <c- n><c- n>resolver</c-></c-><c- p><c- p>(</c-></c-><c- n><c- n>context</c-></c-><c- p><c- p>);</c-></c->
</code></pre>
   <p>This is of course a bad idea: all connections to the server are now insecure. To
set up a secure server, the only necessary steps are to add a certificate and a
private key for the server to use in the TLS handshake:</p>
<pre class="highlight">    <c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>::</c-><c- n>acceptor</c-> <c- n>acceptor</c-><c- p>(</c-><c- n>context</c-><c- p>);</c->
<ins>
    <c- c1>// This is a test certificate from</c->
    <c- c1>// https://boringssl.googlesource.com/boringssl/+/2661/ssl/ssl_test.cc#987</c->
    <c- c1>// It is not signed by a trusted CA, which is why curl needs an</c->
    <c- c1>// --insecure flag when communicating with it.</c->
    <c- n>acceptor</c-><c- p>.</c-><c- n>security_properties</c-><c- p>().</c-><c- n>use_certificates</c-><c- p>({</c-> <c- n>base64_decode</c-><c- p>(</c->
        <c- s>"MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV"</c->
        <c- s>"BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX"</c->
        <c- s>"aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF"</c->
        <c- s>"MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50"</c->
        <c- s>"ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB"</c->
        <c- s>"gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci"</c->
        <c- s>"HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV"</c->
        <c- s>"W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV"</c->
        <c- s>"HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f"</c->
        <c- s>"Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht"</c->
        <c- s>"ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr"</c->
        <c- s>"T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f"</c->
        <c- s>"j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg=="</c-><c- p>)</c-> <c- p>})</c->

    <c- c1>// This is a test key from</c->
    <c- c1>// https://boringssl.googlesource.com/boringssl/+/2661/ssl/ssl_test.cc#1009</c->
    <c- p>.</c-><c- n>use_private_key</c-><c- p>(</c->
        <c- s>"-----BEGIN RSA PRIVATE KEY-----</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==</c-><c- se>\n</c-><c- s>"</c->
        <c- s>"-----END RSA PRIVATE KEY-----</c-><c- se>\n</c-><c- s>"</c-><c- p>);</c->
</ins>
    <c- n>ip</c-><c- o>::</c-><c- n>tcp</c-><c- o>::</c-><c- n>resolver</c-> <c- n>resolver</c-><c- p>(</c-><c- n>context</c-><c- p>);</c->

    <c- c1>// ...</c->

    <c- n>std</c-><c- o>::</c-><c- n>cout</c-> <c- o>&lt;&lt;</c-> <c- s>"try running 'curl http</c-><ins><c- s>s</c-></ins><c- s>://127.0.0.1:"</c-> <c- o>&lt;&lt;</c-> <c- n>endpoint</c-><c- p>.</c-><c- n>port</c-><c- p>()</c->
        <c- o>&lt;&lt;</c-> <c- s>"</c-><ins><c- s> --insecure</c-></ins><c- s>' in a terminal"</c-> <c- o>&lt;&lt;</c-> <c- n>std</c-><c- o>::</c-><c- n>endl</c-><c- p>;</c->
</pre>
   <p>A real server wouldn’t use test keys. One would instead obtain certificates from
a certificate authority such as <a href="https://letsencrypt.org">Let’s Encrypt</a>.</p>
  </main>
<script>
(function() {
  "use strict";
  var collapseSidebarText = '<span aria-hidden="true">←</span> '
                          + '<span>Collapse Sidebar</span>';
  var expandSidebarText   = '<span aria-hidden="true">→</span> '
                          + '<span>Pop Out Sidebar</span>';
  var tocJumpText         = '<span aria-hidden="true">↑</span> '
                          + '<span>Jump to Table of Contents</span>';

  var sidebarMedia = window.matchMedia('screen and (min-width: 78em)');
  var autoToggle   = function(e){ toggleSidebar(e.matches) };
  if(sidebarMedia.addListener) {
    sidebarMedia.addListener(autoToggle);
  }

  function toggleSidebar(on) {
    if (on == undefined) {
      on = !document.body.classList.contains('toc-sidebar');
    }

    /* Don’t scroll to compensate for the ToC if we’re above it already. */
    var headY = 0;
    var head = document.querySelector('.head');
    if (head) {
      // terrible approx of "top of ToC"
      headY += head.offsetTop + head.offsetHeight;
    }
    var skipScroll = window.scrollY < headY;

    var toggle = document.getElementById('toc-toggle');
    var tocNav = document.getElementById('toc');
    if (on) {
      var tocHeight = tocNav.offsetHeight;
      document.body.classList.add('toc-sidebar');
      document.body.classList.remove('toc-inline');
      toggle.innerHTML = collapseSidebarText;
      if (!skipScroll) {
        window.scrollBy(0, 0 - tocHeight);
      }
      tocNav.focus();
      sidebarMedia.addListener(autoToggle); // auto-collapse when out of room
    }
    else {
      document.body.classList.add('toc-inline');
      document.body.classList.remove('toc-sidebar');
      toggle.innerHTML = expandSidebarText;
      if (!skipScroll) {
        window.scrollBy(0, tocNav.offsetHeight);
      }
      if (toggle.matches(':hover')) {
        /* Unfocus button when not using keyboard navigation,
           because I don’t know where else to send the focus. */
        toggle.blur();
      }
    }
  }

  function createSidebarToggle() {
    /* Create the sidebar toggle in JS; it shouldn’t exist when JS is off. */
    var toggle = document.createElement('a');
      /* This should probably be a button, but appearance isn’t standards-track.*/
    toggle.id = 'toc-toggle';
    toggle.class = 'toc-toggle';
    toggle.href = '#toc';
    toggle.innerHTML = collapseSidebarText;

    sidebarMedia.addListener(autoToggle);
    var toggler = function(e) {
      e.preventDefault();
      sidebarMedia.removeListener(autoToggle); // persist explicit off states
      toggleSidebar();
      return false;
    }
    toggle.addEventListener('click', toggler, false);


    /* Get <nav id=toc-nav>, or make it if we don’t have one. */
    var tocNav = document.getElementById('toc-nav');
    if (!tocNav) {
      tocNav = document.createElement('p');
      tocNav.id = 'toc-nav';
      /* Prepend for better keyboard navigation */
      document.body.insertBefore(tocNav, document.body.firstChild);
    }
    /* While we’re at it, make sure we have a Jump to Toc link. */
    var tocJump = document.getElementById('toc-jump');
    if (!tocJump) {
      tocJump = document.createElement('a');
      tocJump.id = 'toc-jump';
      tocJump.href = '#toc';
      tocJump.innerHTML = tocJumpText;
      tocNav.appendChild(tocJump);
    }

    tocNav.appendChild(toggle);
  }

  var toc = document.getElementById('toc');
  if (toc) {
    createSidebarToggle();
    toggleSidebar(sidebarMedia.matches);

    /* If the sidebar has been manually opened and is currently overlaying the text
       (window too small for the MQ to add the margin to body),
       then auto-close the sidebar once you click on something in there. */
    toc.addEventListener('click', function(e) {
      if(e.target.tagName.toLowerCase() == "a" && document.body.classList.contains('toc-sidebar') && !sidebarMedia.matches) {
        toggleSidebar(false);
      }
    }, false);
  }
  else {
    console.warn("Can’t find Table of Contents. Please use <nav id='toc'> around the ToC.");
  }

  /* Wrap tables in case they overflow */
  var tables = document.querySelectorAll(':not(.overlarge) > table.data, :not(.overlarge) > table.index');
  var numTables = tables.length;
  for (var i = 0; i < numTables; i++) {
    var table = tables[i];
    var wrapper = document.createElement('div');
    wrapper.className = 'overlarge';
    table.parentNode.insertBefore(wrapper, table);
    wrapper.appendChild(table);
  }

})();
</script>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-n4771">[N4771]
   <dd>Jonathan Wakely. <a href="https://wg21.link/n4771">Working Draft, C++ Extensions for Networking</a>. 8 October 2018. URL: <a href="https://wg21.link/n4771">https://wg21.link/n4771</a>
   <dt id="biblio-p1860r0">[P1860R0]
   <dd><a href="https://wg21.link/P1860R0">C++ Networking Must Be Secure By Default</a>. 2019-09-05. URL: <a href="https://wg21.link/P1860R0">https://wg21.link/P1860R0</a>
   <dt id="biblio-rfc7468">[RFC7468]
   <dd>S. Josefsson; S. Leonard. <a href="https://tools.ietf.org/html/rfc7468">Textual Encodings of PKIX, PKCS, and CMS Structures</a>. April 2015. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7468">https://tools.ietf.org/html/rfc7468</a>
   <dt id="biblio-x690">[X690]
   <dd><a href="https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf">Recommendation X.690 — Information Technology — ASN.1 Encoding Rules — Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER)</a>. URL: <a href="https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf">https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf</a>
  </dl>