+/**
+ * IO callback for new SSL-enabled client and server connections.
+ *
+ * @param sock Socket descriptor.
+ * @param what IO specification (IO_WANTREAD/IO_WANTWRITE/...).
+ */
+static void
+cb_clientserver_ssl(int sock, UNUSED short what)
+{
+ CONN_ID idx = Socket2Index(sock);
+
+ if (idx <= NONE) {
+ io_close(sock);
+ return;
+ }
+
+ switch (ConnSSL_Accept(&My_Connections[idx])) {
+ case 1:
+ break; /* OK */
+ case 0:
+ return; /* EAGAIN: callback will be invoked again by IO layer */
+ default:
+ Conn_Close(idx,
+ "SSL accept error, closing socket", "SSL accept error",
+ false);
+ return;
+ }
+
+ io_event_setcb(sock, cb_clientserver); /* SSL handshake completed */
+}
+
+/**
+ * IO callback for listening SSL sockets: handle new connections. This callback
+ * gets called when a new SSL-enabled connection should be accepted.
+ *
+ * @param sock Socket descriptor.
+ * @param irrelevant (ignored IO specification)
+ */
+static void
+cb_listen_ssl(int sock, short irrelevant)
+{
+ int fd;
+
+ (void) irrelevant;
+ fd = New_Connection(sock, true);
+ if (fd < 0)
+ return;
+ io_event_setcb(My_Connections[fd].sock, cb_clientserver_ssl);
+}
+
+/**
+ * IO callback for new outgoing SSL-enabled server connections.
+ *
+ * @param sock Socket descriptor.
+ * @param unused (ignored IO specification)
+ */
+static void
+cb_connserver_login_ssl(int sock, short unused)
+{
+ CONN_ID idx = Socket2Index(sock);
+
+ (void) unused;
+
+ if (idx <= NONE) {
+ io_close(sock);
+ return;
+ }
+
+ switch (ConnSSL_Connect( &My_Connections[idx])) {
+ case 1: break;
+ case 0: LogDebug("ConnSSL_Connect: not ready");
+ return;
+ case -1:
+ Log(LOG_ERR, "SSL connection on socket %d failed!", sock);
+ Conn_Close(idx, "Can't connect", NULL, false);
+ return;
+ }
+
+ Log( LOG_INFO, "SSL connection %d with \"%s:%d\" established.", idx,
+ My_Connections[idx].host, Conf_Server[Conf_GetServer( idx )].port );
+
+ server_login(idx);
+}
+
+
+/**
+ * Check if SSL library needs to read SSL-protocol related data.
+ *
+ * SSL/TLS connections require extra treatment:
+ * When either CONN_SSL_WANT_WRITE or CONN_SSL_WANT_READ is set, we
+ * need to take care of that first, before checking read/write buffers.
+ * For instance, while we might have data in our write buffer, the
+ * TLS/SSL protocol might need to read internal data first for TLS/SSL
+ * writes to succeed.
+ *
+ * If this function returns true, such a condition is met and we have
+ * to reverse the condition (check for read even if we've data to write,
+ * do not check for read but writeability even if write-buffer is empty).
+ *
+ * @param c Connection to check.
+ * @returns true if SSL-library has to read protocol data.
+ */
+static bool
+SSL_WantRead(const CONNECTION *c)
+{
+ if (Conn_OPTION_ISSET(c, CONN_SSL_WANT_READ)) {
+ io_event_add(c->sock, IO_WANTREAD);
+ return true;
+ }
+ return false;
+}
+
+/**
+ * Check if SSL library needs to write SSL-protocol related data.
+ *
+ * Please see description of SSL_WantRead() for full description!
+ *
+ * @param c Connection to check.
+ * @returns true if SSL-library has to write protocol data.
+ */
+static bool
+SSL_WantWrite(const CONNECTION *c)
+{
+ if (Conn_OPTION_ISSET(c, CONN_SSL_WANT_WRITE)) {
+ io_event_add(c->sock, IO_WANTWRITE);
+ return true;
+ }
+ return false;
+}
+