I'm curious, its pretty unusual to not know which side of a TCP connection is the client or server, not just TLS, HTTP, SMTP, .... etc. Its almost always the side that makes the accept() call that's the server, but that doesn't have to be.
Why is it that you do not in this context? Without it, you are fairly far off the beaten path. A normal TLS client would not be able to connect to your "accept()" side if it tried to be a client, and a normal TLS server would never initiate a connection to your "accept()" in the hopes that the acceptor would turn around and be a client. The 1/0 isn't so terrible (well, maybe the protocol is terrible :-). To do a custom negotiation, then "step up" to TLS is done by other protocols. You could also sniff the TCP after accept, and wait a while to see if a client hello arrives to know if the other side is a client (or wait for any data, I don't think a server starts sending data until it gets something, but its been a while since I looked). Hope thats helpful, and even if not, it'd be interesting to know what apple is doing that is pushing you down this path. Sam
