Introduce DTLS transport for NNG.

This introduces a new experimental transport for DTLS, that
provides encryption over UDP.  It has a simpler protocol than
the current UDP SP protocol (but we intend to fix that by making
the UDP transport simpler in a follow up!)

There are a few other fixes in the TLS layer itself, and in
the build, that were needed to accomplish this work.

Also there was an endianness bug in the UDP protocol handling, which
is fixed here.

21 files changed, 2275 insertions, 40 deletions

diff --git a/src/sp/transport.c b/src/sp/transport.c
index e1c2737e..1f2e0021 100644
--- a/src/sp/transport.c
+++ b/src/sp/transport.c
@@ -105,6 +105,9 @@ extern void nni_sp_wss_register(void);
 #ifdef NNG_TRANSPORT_FDC
 extern void nni_sp_sfd_register(void);
 #endif
+#ifdef NNG_TRANSPORT_DTLS
+extern void nni_sp_dtls_register(void);
+#endif
 
 void
 nni_sp_tran_sys_init(void)
@@ -133,6 +136,9 @@ nni_sp_tran_sys_init(void)
 #ifdef NNG_TRANSPORT_FDC
 	nni_sp_sfd_register();
 #endif
+#ifdef NNG_TRANSPORT_DTLS
+	nni_sp_dtls_register();
+#endif
 }
 
 // nni_sp_tran_sys_fini finalizes the entire transport system, including all
diff --git a/src/sp/transport.h b/src/sp/transport.h
index 9d67b7c2..6aa2086b 100644
--- a/src/sp/transport.h
+++ b/src/sp/transport.h
@@ -139,7 +139,12 @@ struct nni_sp_pipe_ops {
 	// p_init initializes the pipe data structures.  The main
 	// purpose of this is so that the pipe will see the upper
 	// layer nni_pipe and get a chance to register stats and such.
-	size_t p_size;
+	// size_t p_size;
+
+	// p_size returns the size of the transport data needed for a pipe.
+	// This allows for dynamic registration of context size to allow for
+	// different tunings or different runtimes.
+	size_t (*p_size)(void);
 
 	// p_init initializes the transport's pipe data structure.
 	// The pipe MUST be left in a state that p_fini can be safely
diff --git a/src/sp/transport/CMakeLists.txt b/src/sp/transport/CMakeLists.txt
index d0875e57..5b1c9b17 100644
--- a/src/sp/transport/CMakeLists.txt
+++ b/src/sp/transport/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2024 Staysail Systems, Inc. <info@staystail.tech>
+# Copyright 2025 Staysail Systems, Inc. <info@staystail.tech>
 #
 # This software is supplied under the terms of the MIT License, a
 # copy of which should be located in the distribution where this
@@ -15,5 +15,6 @@ add_subdirectory(inproc)
 add_subdirectory(ipc)
 add_subdirectory(tcp)
 add_subdirectory(tls)
+add_subdirectory(dtls)
 add_subdirectory(udp)
 add_subdirectory(ws)
diff --git a/src/sp/transport/dtls/CMakeLists.txt b/src/sp/transport/dtls/CMakeLists.txt
new file mode 100644
index 00000000..e1472345
--- /dev/null
+++ b/src/sp/transport/dtls/CMakeLists.txt
@@ -0,0 +1,17 @@
+#
+# Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
+#
+# This software is supplied under the terms of the MIT License, a
+# copy of which should be located in the distribution where this
+# file was obtained (LICENSE.txt).  A copy of the license may also be
+# found online at https://opensource.org/licenses/MIT.
+#
+
+# DTLS transport
+nng_directory(dtls)
+
+if (NNG_TRANSPORT_DTLS)
+    nng_sources(dtls.c)
+    nng_defines(NNG_TRANSPORT_DTLS)
+    nng_test(dtls_tran_test)
+endif()
diff --git a/src/sp/transport/dtls/dtls.c b/src/sp/transport/dtls/dtls.c
new file mode 100644
index 00000000..02961a56
--- /dev/null
+++ b/src/sp/transport/dtls/dtls.c
@@ -0,0 +1,1802 @@
+// Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
+//
+// This software is supplied under the terms of the MIT License, a
+// copy of which should be located in the distribution where this
+// file was obtained (LICENSE.txt).  A copy of the license may also be
+// found online at https://opensource.org/licenses/MIT.
+//
+
+#include "core/aio.h"
+#include "core/defs.h"
+#include "core/idhash.h"
+#include "core/message.h"
+#include "core/nng_impl.h"
+#include "core/options.h"
+#include "core/pipe.h"
+#include "core/platform.h"
+#include "core/socket.h"
+#include "core/stats.h"
+#include "nng/nng.h"
+#include "supplemental/tls/tls_common.h"
+
+#include <string.h>
+
+// Experimental DTLS transport.  Unicast only.
+//
+typedef struct dtls_pipe dtls_pipe;
+typedef struct dtls_ep   dtls_ep;
+typedef struct dtls_conn dtls_conn;
+
+const uint8_t PROTO_VERSION = 1;
+
+// OP code, 8 bits
+enum dtls_opcode {
+	OPCODE_DATA = 0,
+	OPCODE_CREQ = 1,
+	OPCODE_CACK = 2,
+	OPCODE_DISC = 3,
+};
+
+// Disconnect reason, must be 16 bits
+typedef enum dtls_disc_reason {
+	DISC_CLOSED   = 0, // normal close
+	DISC_TYPE     = 1, // bad SP type
+	DISC_NOTCONN  = 2, // no such connection
+	DISC_REFUSED  = 3, // refused by policy
+	DISC_MSGSIZE  = 4, // message too large
+	DISC_NEGO     = 5, // neogtiation failed
+	DISC_INACTIVE = 6, // closed due to inactivity
+	DISC_PROTO    = 7, // other protocol error
+	DISC_NOBUF    = 8, // resources exhausted
+} dtls_disc_reason;
+
+#ifndef NNG_DTLS_TXQUEUE_LEN
+#define NNG_DTLS_TXQUEUE_LEN 32
+#endif
+
+#ifndef NNG_DTLS_RXQUEUE_LEN
+#define NNG_DTLS_RXQUEUE_LEN 16
+#endif
+
+// The maximum TLS record size
+#define DTLS_MAX_RECORD 16384
+
+// For DTLS we use a maximum record size of 16384,
+// but we reserve some space for headers.  DTLS needs
+// 13 bytes, and the transport layer needs 8 bytes.
+// To leave some room for the future, we just trim to 64 bytes.
+#ifndef NNG_DTLS_RECVMAX
+#define NNG_DTLS_RECVMAX (DTLS_MAX_RECORD - 64)
+#endif
+
+#ifndef NNG_DTLS_REFRESH
+#define NNG_DTLS_REFRESH (5 * NNI_SECOND)
+#endif
+
+#ifndef NNG_DTLS_CONNRETRY
+#define NNG_DTLS_CONNRETRY (NNI_SECOND / 5)
+#endif
+
+// 64-bit protocol header
+typedef struct dtls_sp_hdr {
+	uint8_t  us_ver;
+	uint8_t  us_op_code;
+	uint16_t us_type;
+	uint16_t us_params[2];
+} dtls_sp_hdr;
+
+// DTLS pipe resend (CREQ) in msec (nng_duration)
+#define DTLS_PIPE_REFRESH(p) ((p)->refresh)
+
+// DTLS pipe timeout in msec (nng_duration)
+#define DTLS_PIPE_TIMEOUT(p) ((p)->refresh * 5)
+
+struct dtls_pipe {
+	dtls_ep      *ep;
+	nni_pipe     *npipe;
+	nng_sockaddr  peer_addr;
+	uint64_t      id; // hash of peer address
+	uint16_t      peer;
+	uint16_t      proto;
+	bool          matched; // true if have matched and given this to SP
+	bool          closed;  // true if we are closed (no more send or recv!)
+	bool          dialer;  // true if we are dialer
+	nng_duration  refresh; // seconds, for the protocol
+	nng_time      next_wake;
+	nng_time      expire; // inactivity expiration time
+	nng_time      next_refresh;
+	nni_list_node node;
+	nni_lmq       rx_mq;
+
+	// Upper layer queues.  These are between the PIPE and SP.
+	bool     send_busy; // true if send is in process
+	uint16_t send_max;  // peer's max recv size
+	nni_list send_aios;
+	uint8_t *send_buf;
+	size_t   send_bufsz;
+	nng_aio  send_tls_aio;
+
+	bool     recv_busy;
+	bool     recv_rdy; // receive is done and data in recvbuf
+	uint16_t recv_max; // max recv size
+	nni_list recv_aios;
+	uint8_t *recv_buf;
+	size_t   recv_bufsz;
+	nng_aio  recv_tls_aio;
+
+	// Lower layer queues.  These are between the
+
+	uint8_t  send_op; // usually OPCODE_DATA
+	uint8_t  last_op; // last op code we sent
+	uint16_t reason;  // only for disconnect
+
+	nni_mtx lower_mtx; // protects the lower rx_q, etc.
+
+	// This is the lower level RX buffer, which contains only
+	// received ciphertext (content before passed to TLS layer for
+	// decrypt).  The actual pointers may change, as we "swap"
+	// buffers between the endpoint and the pipe to avoid copying.
+	nni_list rx_q; // lower aio from the TLS layer
+
+	nni_tls_conn tls;
+};
+
+struct dtls_ep {
+	nng_udp        *udp;
+	nni_mtx         mtx;
+	uint16_t        proto;
+	uint16_t        peer;
+	uint16_t        af; // address family
+	bool            fini;
+	bool            started;
+	bool            closed;
+	nng_url        *url;
+	const char     *host; // for dialers
+	nni_aio        *useraio;
+	nni_aio        *connaio;
+	nni_aio         timeaio;
+	nni_aio         resaio;
+	bool            dialer;
+	nni_listener   *nlistener;
+	nni_dialer     *ndialer;
+	nni_msg        *rx_payload; // current receive message
+	nng_sockaddr    rx_sa;      // addr for last message
+	nni_aio         tx_aio;     // aio for TX handling
+	nni_aio         rx_aio;     // aio for RX handling
+	nni_id_map      pipes;      // pipes (indexed by id)
+	nni_sockaddr    self_sa;    // our address
+	nni_sockaddr    peer_sa;    // peer address, only for dialer;
+	nni_list        connaios; // aios from accept waiting for a client peer
+	nni_list        connpipes; // pipes waiting to be connected
+	nng_duration    refresh; // refresh interval for connections in seconds
+	uint16_t        rcvmax;  // max payload, trimmed to uint16_t
+	nni_resolv_item resolv;
+
+	nng_tls_config *tlscfg;
+
+	size_t rx_size; // size of the rx buffer
+	void  *rx_buf;
+
+	nni_stat_item st_rcv_max;
+	nni_stat_item st_rcv_reorder;
+	nni_stat_item st_rcv_toobig;
+	nni_stat_item st_rcv_nomatch;
+	nni_stat_item st_rcv_copy;
+	nni_stat_item st_rcv_nocopy;
+	nni_stat_item st_rcv_nobuf;
+	nni_stat_item st_snd_toobig;
+	nni_stat_item st_snd_nobuf;
+	nni_stat_item st_peer_inactive;
+	nni_stat_item st_copy_max;
+};
+
+static void dtls_ep_start(dtls_ep *);
+static void dtls_resolv_cb(void *);
+static void dtls_rx_cb(void *);
+
+static void dtls_ep_match(dtls_ep *ep);
+static void dtls_remove_pipe(dtls_pipe *p);
+
+// BIO send/recv functions for use by the common TLS layer.
+
+static void
+dtls_bio_cancel(nng_aio *aio, void *arg, nng_err rv)
+{
+	dtls_pipe *p = arg;
+	nni_mtx_lock(&p->lower_mtx);
+	if (nni_aio_list_active(aio)) {
+		nni_aio_list_remove(aio);
+	}
+	nni_aio_finish_error(aio, rv);
+	nni_mtx_unlock(&p->lower_mtx);
+}
+
+static void
+dtls_bio_recv_done(dtls_pipe *p)
+{
+	nng_aio *aio;
+	uint8_t *ptr;
+	size_t   resid;
+	nni_msg *msg;
+
+	while ((!nni_lmq_empty(&p->rx_mq)) &&
+	    ((aio = nni_list_first(&p->rx_q)) != NULL)) {
+
+		nni_aio_list_remove(aio);
+		nni_lmq_get(&p->rx_mq, &msg);
+
+		// assumption we only have a body, because we don't bother to
+		// fill in the header for raw UDP.
+
+		resid = nni_msg_len(msg);
+		ptr   = nni_msg_body(msg);
+
+		for (unsigned i = 0; i < aio->a_nio && resid > 0; i++) {
+			size_t num = resid > aio->a_iov[i].iov_len
+			    ? aio->a_iov[i].iov_len
+			    : resid;
+			memcpy(aio->a_iov[i].iov_buf, ptr, num);
+			ptr += num;
+			resid -= num;
+		}
+		nni_aio_finish(aio, NNG_OK, nni_msg_len(msg));
+		nni_msg_free(msg);
+	}
+}
+
+static void
+dtls_bio_recv(void *arg, nng_aio *aio)
+{
+	dtls_pipe *p = arg;
+
+	nni_mtx_lock(&p->lower_mtx);
+	if (!nni_aio_start(aio, dtls_bio_cancel, p)) {
+		nni_mtx_unlock(&p->lower_mtx);
+		return;
+	}
+
+	nni_aio_list_append(&p->rx_q, aio);
+	dtls_bio_recv_done(p);
+	nni_mtx_unlock(&p->lower_mtx);
+}
+
+static void
+dtls_bio_send(void *arg, nng_aio *aio)
+{
+	dtls_pipe *p = arg;
+
+	nni_mtx_lock(&p->lower_mtx);
+	if (!p->closed) {
+		nni_aio_set_input(aio, 0, &p->peer_addr);
+		nng_udp_send(p->ep->udp, aio);
+	}
+	nni_mtx_unlock(&p->lower_mtx);
+}
+
+static void
+dtls_bio_free(void *arg)
+{
+	NNI_ARG_UNUSED(arg);
+}
+
+static void
+dtls_bio_close(void *arg)
+{
+	NNI_ARG_UNUSED(arg);
+}
+
+static void
+dtls_bio_stop(void *arg)
+{
+	dtls_pipe *p = arg;
+	nni_aio_stop(&p->recv_tls_aio);
+	nni_aio_stop(&p->send_tls_aio);
+}
+
+static nni_tls_bio_ops dtls_bio_ops = {
+	.bio_send  = dtls_bio_send,
+	.bio_recv  = dtls_bio_recv,
+	.bio_close = dtls_bio_close,
+	.bio_stop  = dtls_bio_stop,
+	.bio_free  = dtls_bio_free,
+};
+
+static void
+dtls_tran_init(void)
+{
+}
+
+static void
+dtls_tran_fini(void)
+{
+}
+
+//
+// Upper layer functions - moving data between TLS and SP.
+// TLS acts as kind of a stream for us, so we only see the
+// data that is meant for us, but we will send and receive
+// control messages that are not just data payloads.
+//
+
+static void dtls_pipe_send_cancel(nng_aio *, void *, nng_err);
+static void dtls_pipe_send_tls(dtls_pipe *);
+static void dtls_pipe_send_tls_cb(void *arg);
+
+static void
+dtls_pipe_send(void *arg, nni_aio *aio)
+{
+	dtls_pipe *p = arg;
+	dtls_ep   *ep;
+	nng_msg   *msg;
+	size_t     count = 0;
+	size_t     sndmax;
+
+	msg = nni_aio_get_msg(aio);
+	ep  = p->ep;
+
+	if (msg != NULL) {
+		count = nni_msg_len(msg) + nni_msg_header_len(msg);
+	}
+
+	nni_mtx_lock(&ep->mtx);
+	sndmax = p->send_max;
+	if (!nni_aio_start(aio, dtls_pipe_send_cancel, p)) {
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+
+	nni_aio_reset(aio);
+	if ((nni_msg_len(msg) + nni_msg_header_len(msg)) > sndmax) {
+		// rather failing this with an error, we just drop it
+		// on the floor. this is on the sender, so there isn't
+		// a compelling need to disconnect the pipe, since it
+		// we're not being "ill-behaved" to our peer.
+		nni_stat_inc(&ep->st_snd_toobig, 1);
+		nni_mtx_unlock(&ep->mtx);
+		nni_aio_finish(aio, 0, count);
+		nni_msg_free(msg);
+		return;
+	}
+
+	nni_aio_list_append(&p->send_aios, aio);
+	dtls_pipe_send_tls(p);
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static void
+dtls_pipe_send_cancel(nng_aio *aio, void *arg, nng_err err)
+{
+	dtls_pipe *p = arg;
+	nni_mtx_lock(&p->ep->mtx);
+	if (nni_aio_list_active(aio)) {
+		nni_aio_list_remove(aio);
+		nni_aio_finish_error(aio, err);
+	}
+	nni_mtx_unlock(&p->ep->mtx);
+}
+
+// Lower layer send/recv functions, used by the pipe layer.
+
+static void
+dtls_pipe_send_tls(dtls_pipe *p)
+{
+	nni_aio     *aio;
+	nng_msg     *msg;
+	uint8_t      opcode;
+	nng_iov      iov;
+	dtls_sp_hdr *hdr = (void *) p->send_buf;
+
+	if (p->send_busy || p->closed) {
+		return;
+	}
+
+	opcode = p->send_op;
+	// reset the last op
+	p->send_op = OPCODE_DATA;
+
+	hdr->us_ver     = PROTO_VERSION;
+	hdr->us_op_code = opcode;
+	NNI_PUT16LE(&hdr->us_type, p->proto);
+	hdr->us_params[0] = 0;
+	hdr->us_params[1] = 0;
+
+	iov.iov_buf = hdr;
+	iov.iov_len = sizeof(*hdr);
+
+	switch (opcode) {
+	case OPCODE_DATA:
+		for (;;) {
+			if ((aio = nni_list_first(&p->send_aios)) == NULL) {
+				// no work for us!
+				return;
+			}
+			nni_aio_list_remove(aio);
+			msg = nni_aio_get_msg(aio);
+			if (nni_msg_header_len(msg) + nni_msg_len(msg) +
+			        sizeof(*hdr) >
+			    p->send_bufsz) {
+				nng_msg_free(msg);
+				nni_aio_finish_error(aio, NNG_EMSGSIZE);
+				continue;
+			}
+			break; // for loop
+		}
+
+		size_t   len  = nni_msg_header_len(msg);
+		uint8_t *data = (void *) (hdr + 1);
+		memcpy(data, nni_msg_header(msg), len);
+		data += len;
+		memcpy(data, nni_msg_body(msg), nni_msg_len(msg));
+		len += nni_msg_len(msg);
+
+		NNI_PUT16LE(&hdr->us_params[0], (uint16_t) len);
+		iov.iov_len += len;
+
+		nni_msg_free(msg);
+		nni_aio_set_msg(aio, NULL);
+		nni_aio_finish(aio, 0, len);
+		break;
+
+	case OPCODE_CREQ:
+	case OPCODE_CACK:
+		NNI_PUT16LE(&hdr->us_params[0], p->recv_max);
+		NNI_PUT16LE(&hdr->us_params[1], p->refresh);
+		break;
+
+	case OPCODE_DISC:
+		NNI_PUT16LE(&hdr->us_params[0], p->reason);
+		p->closed = true;
+		break;
+	default:
+		NNI_ASSERT(false); // this should never happen!
+		// fall back to sending a disconnect
+		hdr->us_op_code = OPCODE_DISC;
+		NNI_PUT16LE(&hdr->us_params[0], DISC_PROTO);
+	}
+
+	p->last_op   = opcode;
+	p->send_busy = true;
+	nni_aio_set_iov(&p->send_tls_aio, 1, &iov);
+	nni_tls_send(&p->tls, &p->send_tls_aio);
+}
+
+static void
+dtls_pipe_send_tls_cb(void *arg)
+{
+	dtls_pipe *p = arg;
+
+	nni_mtx_lock(&p->ep->mtx);
+
+	p->send_busy = false;
+	if (nni_aio_result(&p->send_tls_aio) != NNG_OK ||
+	    p->last_op == OPCODE_DISC) {
+		nni_pipe_close(p->npipe);
+		if (p->matched == 0) {
+			dtls_remove_pipe(p);
+		}
+		nni_mtx_unlock(&p->ep->mtx);
+		return;
+	}
+	dtls_pipe_send_tls(p);
+	nni_mtx_unlock(&p->ep->mtx);
+}
+
+// RECV SIDE
+
+static void dtls_pipe_recv_cancel(nni_aio *, void *, nng_err);
+static void dtls_pipe_recv_tls(dtls_pipe *);
+
+static void
+dtls_pipe_recv(void *arg, nni_aio *aio)
+{
+	dtls_pipe *p  = arg;
+	dtls_ep   *ep = p->ep;
+
+	nni_aio_reset(aio);
+	nni_mtx_lock(&ep->mtx);
+	if (p->closed) {
+		nni_mtx_unlock(&ep->mtx);
+		nni_aio_finish_error(aio, NNG_ECLOSED);
+		return;
+	}
+	if (!nni_aio_start(aio, dtls_pipe_recv_cancel, p)) {
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+
+	nni_list_append(&p->recv_aios, aio);
+	dtls_pipe_recv_tls(p);
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static void
+dtls_pipe_recv_cancel(nni_aio *aio, void *arg, nng_err rv)
+{
+	dtls_pipe *p  = arg;
+	dtls_ep   *ep = p->ep;
+
+	nni_mtx_lock(&ep->mtx);
+	if (!nni_aio_list_active(aio)) {
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	nni_aio_list_remove(aio);
+	nni_mtx_unlock(&ep->mtx);
+	nni_aio_finish_error(aio, rv);
+}
+
+static void
+dtls_pipe_recv_tls_start(dtls_pipe *p)
+{
+	nng_iov iov;
+	if (p->recv_busy || p->closed) {
+		return;
+	}
+	p->recv_busy = true;
+	iov.iov_buf  = p->recv_buf;
+	iov.iov_len  = p->recv_bufsz;
+
+	nni_aio_set_iov(&p->recv_tls_aio, 1, &iov);
+	nni_tls_recv(&p->tls, &p->recv_tls_aio);
+}
+
+static void
+dtls_pipe_recv_tls(dtls_pipe *p)
+{
+	nng_aio *aio = nni_list_first(&p->recv_aios);
+	size_t   len;
+	nng_msg *msg;
+	int      rv;
+
+	if (aio == NULL) {
+		return;
+	}
+	if (!p->recv_rdy) {
+		dtls_pipe_recv_tls_start(p);
+		return;
+	}
+
+	p->recv_rdy = false;
+
+	nni_aio_list_remove(aio);
+	len = nng_aio_count(&p->recv_tls_aio);
+	NNI_ASSERT(len >= sizeof(dtls_sp_hdr));
+	len -= sizeof(dtls_sp_hdr);
+
+	if ((rv = nni_msg_alloc(&msg, len)) != NNG_OK) {
+		nni_aio_finish_error(aio, rv);
+		return;
+	}
+
+	memcpy(nng_msg_body(msg), p->recv_buf + sizeof(dtls_sp_hdr), len);
+	nni_aio_finish_msg(aio, msg);
+}
+
+static void
+dtls_pipe_recv_tls_cb(void *arg)
+{
+	dtls_pipe   *p   = arg;
+	dtls_ep     *ep  = p->ep;
+	dtls_sp_hdr *hdr = (void *) p->recv_buf;
+	nng_aio     *aio = &p->recv_tls_aio;
+	uint16_t     proto;
+	uint16_t     refresh;
+	uint16_t     rcvmax;
+	nng_err      rv;
+
+	nni_mtx_lock(&ep->mtx);
+	p->recv_busy = false;
+
+	if ((rv = nni_aio_result(aio)) != NNG_OK) {
+
+		// If we didn't connect yet, issue an error so the peer can see
+		// a connection failure (e.g. if we failed the TLS handshake.)
+		if (p->dialer && !p->matched) {
+			nni_aio *caio;
+			if ((caio = nni_list_first(&ep->connaios)) != NULL) {
+				nni_aio_list_remove(caio);
+				nni_aio_finish_error(caio, rv);
+			}
+		}
+
+		// Bump a bad receive stat (e.g. someone may have sent us
+		// garbage.)  We do not acknowledge or handle garbage frames
+		// sent to an open session.
+		nni_pipe_close(p->npipe);
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+
+	// We had a "good" receive (TLS passed at least) from the peer.
+
+	if (nni_aio_count(aio) < sizeof(*hdr)) {
+		// Runt frame.
+		p->send_op = OPCODE_DISC;
+		p->reason  = DISC_PROTO;
+		goto bad;
+	}
+
+	if (nni_aio_count(aio) > sizeof(*hdr) + p->recv_max) {
+		p->send_op = OPCODE_DISC;
+		p->reason  = DISC_MSGSIZE;
+		goto bad;
+	}
+
+	if (hdr->us_ver != PROTO_VERSION) {
+		// Bad protocol version
+		p->send_op = OPCODE_DISC;
+		p->reason  = DISC_PROTO;
+		goto bad;
+	}
+	NNI_GET16LE(&hdr->us_type, proto);
+	if (proto != p->peer) {
+		// Bad SP protocol type
+		p->send_op = OPCODE_DISC;
+		p->reason  = DISC_TYPE;
+		goto bad;
+	}
+
+	p->expire = nni_clock() + DTLS_PIPE_TIMEOUT(p);
+
+	if (!p->matched) {
+		p->matched = true;
+		nni_list_append(&p->ep->connpipes, p);
+		dtls_ep_match(p->ep);
+	}
+
+	switch (hdr->us_op_code) {
+	case OPCODE_CREQ:
+		if (p->dialer) {
+			// dialers don't accept requests
+			goto bad;
+		}
+		NNI_GET16LE(&hdr->us_params[0], rcvmax);
+		NNI_GET16LE(&hdr->us_params[1], refresh);
+		if ((refresh > 0) && ((refresh * NNI_SECOND) < p->refresh)) {
+			p->refresh = refresh * NNI_SECOND;
+		}
+		if ((rcvmax > 0) && (rcvmax < NNG_DTLS_RECVMAX)) {
+			p->send_max = rcvmax;
+		}
+		// schedule the CACK reply
+		p->send_op = OPCODE_CACK;
+		break;
+
+	case OPCODE_CACK:
+		if (!p->dialer) {
+			goto bad;
+		}
+		NNI_GET16LE(&hdr->us_params[0], rcvmax);
+		NNI_GET16LE(&hdr->us_params[0], refresh);
+
+		if ((refresh > 0) && ((refresh * NNI_SECOND) < p->refresh)) {
+			p->refresh = refresh * NNI_SECOND;
+		}
+		if ((rcvmax > 0) && (rcvmax < NNG_DTLS_RECVMAX)) {
+			p->send_max = rcvmax;
+		}
+		break;
+
+	case OPCODE_DISC:
+		p->closed = true;
+		nni_mtx_unlock(&ep->mtx);
+		nni_pipe_close(p->npipe);
+		return;
+
+	case OPCODE_DATA:
+		p->recv_rdy = true;
+		dtls_pipe_recv_tls(p);
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+bad:
+	if (p->send_op != OPCODE_DATA) {
+		dtls_pipe_send_tls(p);
+	}
+	dtls_pipe_recv_tls_start(p);
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static void
+dtls_pipe_close(void *arg)
+{
+	dtls_pipe *p  = arg;
+	dtls_ep   *ep = p->ep;
+	nni_aio   *aio;
+
+	nni_mtx_lock(&ep->mtx);
+	while ((aio = nni_list_first(&p->recv_aios)) != NULL) {
+		nni_aio_list_remove(aio);
+		nni_aio_finish_error(aio, NNG_ECLOSED);
+	}
+	while ((aio = nni_list_first(&p->send_aios)) != NULL) {
+		nni_aio_list_remove(aio);
+		nni_aio_finish_error(aio, NNG_ECLOSED);
+	}
+	if (!p->matched) {
+		dtls_remove_pipe(p);
+	} else {
+		p->send_op = OPCODE_DISC;
+		p->reason  = DISC_CLOSED;
+		dtls_pipe_send_tls(p);
+	}
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static nng_err dtls_add_pipe(dtls_ep *ep, dtls_pipe *p);
+
+static void
+dtls_pipe_stop(void *arg)
+{
+	dtls_pipe *p  = arg;
+	dtls_ep   *ep = p->ep;
+
+	dtls_pipe_close(arg);
+
+	nni_mtx_lock(&ep->mtx);
+	dtls_remove_pipe(p);
+	nni_list_node_remove(&p->node);
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static int
+dtls_pipe_alloc(dtls_ep *ep, dtls_pipe **pp, const nng_sockaddr *sa)
+{
+	dtls_pipe *p;
+	nng_err    rv;
+
+	if (ep->dialer) {
+		rv = nni_pipe_alloc_dialer((void **) &p, ep->ndialer);
+	} else {
+		rv = nni_pipe_alloc_listener((void *) &p, ep->nlistener);
+	}
+	if (rv != NNG_OK) {
+		nng_log_err("NNG-DTLS-PIPE-ALLOC-FAIL",
+		    "Failed allocating pipe for DTLS: %s", nng_strerror(rv));
+		return (rv);
+	}
+	p->dialer    = ep->dialer;
+	p->ep        = ep;
+	p->proto     = ep->proto;
+	p->peer      = ep->peer;
+	p->peer_addr = *sa;
+	p->id        = nng_sockaddr_hash(sa);
+	p->refresh   = ep->refresh;
+	p->send_max  = NNG_DTLS_RECVMAX;
+	p->recv_max  = ep->rcvmax;
+	*pp          = p;
+
+	if (((rv = dtls_add_pipe(ep, p)) != NNG_OK) ||
+	    ((rv = nni_tls_init(&p->tls, ep->tlscfg)) != NNG_OK) ||
+	    ((rv = nni_tls_start(&p->tls, &dtls_bio_ops, p, sa)) != NNG_OK)) {
+		nni_pipe_close(p->npipe);
+		nng_log_err("NNG-DTLS-PIPE-ADD-FAIL",
+		    "Failed adding pipe for DTLS: %s", nng_strerror(rv));
+		return (rv);
+	}
+
+	// We need to start a receiver on the pipe.
+	dtls_pipe_recv_tls_start(p);
+
+	// Also start TLS up and running.
+	switch (nni_tls_run(&p->tls)) {
+	case NNG_OK:
+	case NNG_EAGAIN:
+		break;
+	default:
+		nni_pipe_close(p->npipe);
+		break;
+	}
+
+	// wake the timer so it knows to resubmit
+	nni_aio_abort(&ep->timeaio, NNG_ETIMEDOUT);
+
+	return (NNG_OK);
+}
+
+static size_t
+dtls_pipe_size(void)
+{
+	return (NNI_ALIGN_UP(sizeof(dtls_pipe)) +
+	    NNI_ALIGN_UP(nni_tls_engine_conn_size()));
+}
+
+static int
+dtls_pipe_init(void *arg, nni_pipe *npipe)
+{
+	dtls_pipe *p = arg;
+	p->npipe     = npipe;
+
+	size_t bufsz = DTLS_MAX_RECORD; // TODO: Make this a tunable.
+
+	if ((p->recv_buf = nni_alloc(bufsz)) == NULL) {
+		return (NNG_ENOMEM);
+	}
+	if ((p->send_buf = nni_alloc(bufsz)) == NULL) {
+		return (NNG_ENOMEM);
+	}
+	p->recv_bufsz = bufsz;
+	p->send_bufsz = bufsz;
+	nni_mtx_init(&p->lower_mtx);
+	nni_aio_init(&p->recv_tls_aio, dtls_pipe_recv_tls_cb, p);
+	nni_aio_init(&p->send_tls_aio, dtls_pipe_send_tls_cb, p);
+	nni_aio_list_init(&p->rx_q);
+	nni_aio_list_init(&p->recv_aios);
+	nni_aio_list_init(&p->send_aios);
+	nni_lmq_init(&p->rx_mq, NNG_DTLS_RXQUEUE_LEN);
+
+	return (0);
+}
+
+static void
+dtls_pipe_fini(void *arg)
+{
+	dtls_pipe *p = arg;
+	nng_msg   *m;
+
+	nni_tls_fini(&p->tls);
+	nni_aio_fini(&p->recv_tls_aio);
+	nni_aio_fini(&p->send_tls_aio);
+	if (p->recv_buf != NULL) {
+		nni_free(p->recv_buf, p->recv_bufsz);
+	}
+	if (p->send_buf != NULL) {
+		nni_free(p->send_buf, p->send_bufsz);
+	}
+	nni_mtx_lock(&p->lower_mtx);
+	while (!nni_lmq_empty(&p->rx_mq)) {
+		nni_lmq_get(&p->rx_mq, &m);
+		nni_msg_free(m);
+	}
+	nni_mtx_unlock(&p->lower_mtx);
+	nni_mtx_fini(&p->lower_mtx);
+	nni_lmq_fini(&p->rx_mq);
+	NNI_ASSERT(nni_list_empty(&p->recv_aios));
+	NNI_ASSERT(nni_list_empty(&p->send_aios));
+}
+
+static dtls_pipe *
+dtls_find_pipe(dtls_ep *ep, const nng_sockaddr *peer_addr)
+{
+	uint64_t   id = nng_sockaddr_hash(peer_addr);
+	dtls_pipe *p;
+
+	// we'll keep incrementing id until we conclusively match
+	// or we get a NULL.  This is another level of rehashing, but
+	// it keeps us from having to look up.
+	for (;;) {
+		if ((p = nni_id_get(&ep->pipes, id)) == NULL) {
+			return (NULL);
+		}
+		if (nng_sockaddr_equal(&p->peer_addr, peer_addr)) {
+			return (p);
+		}
+		id++;
+		if (id == 0) {
+			id = 1;
+		}
+	}
+}
+
+static void
+dtls_remove_pipe(dtls_pipe *p)
+{
+	// ep locked
+	dtls_ep *ep      = p->ep;
+	uint64_t id      = p->id;
+	bool     matched = p->matched;
+	if (id == 0) {
+		return;
+	}
+	p->id = 0;
+	for (;;) {
+		dtls_pipe *srch;
+		if ((srch = nni_id_get(&ep->pipes, id)) == NULL) {
+			break;
+		}
+		if (srch == p) {
+			nni_id_remove(&ep->pipes, id);
+			break;
+		}
+		id++;
+		if (id == 0) {
+			id = 1;
+		}
+	}
+	if (!matched) {
+		nni_pipe_rele(p->npipe);
+	}
+}
+
+static nng_err
+dtls_add_pipe(dtls_ep *ep, dtls_pipe *p)
+{
+	// Id must be part of the hash
+	uint64_t id = p->id;
+	while (nni_id_get(&ep->pipes, id) != NULL) {
+		id++;
+		if (id == 0) {
+			id = 1;
+		}
+	}
+	return (nni_id_set(&ep->pipes, id, p));
+}
+
+static void
+dtls_start_rx(dtls_ep *ep)
+{
+	nni_iov iov;
+
+	iov.iov_buf = ep->rx_buf;
+	iov.iov_len = ep->rx_size;
+
+	nni_aio_reset(&ep->rx_aio);
+	nni_aio_set_input(&ep->rx_aio, 0, &ep->rx_sa);
+	nni_aio_set_iov(&ep->rx_aio, 1, &iov);
+	nng_udp_recv(ep->udp, &ep->rx_aio);
+}
+
+static void
+dtls_rx_cb(void *arg)
+{
+	dtls_ep   *ep = arg;
+	dtls_pipe *p;
+	nni_aio   *aio = &ep->rx_aio;
+	int        rv;
+	nni_msg   *msg;
+
+	nni_mtx_lock(&ep->mtx);
+	if ((rv = nni_aio_result(aio)) != 0) {
+		// something bad happened on RX... which is unexpected.
+		// sleep a little bit and hope for recovery.
+		switch (nni_aio_result(aio)) {
+		case NNG_ECLOSED:
+		case NNG_ECANCELED:
+		case NNG_ESTOPPED:
+			nni_mtx_unlock(&ep->mtx);
+			return;
+		case NNG_ETIMEDOUT:
+		case NNG_EAGAIN:
+		case NNG_EINTR:
+		default:
+			goto fail;
+		}
+	}
+
+	// If this came from another host, and we are a dialer, we discard.
+	// Dialers only talk to the party they explicitly dialed.
+	if (ep->dialer && !nng_sockaddr_equal(&ep->rx_sa, &ep->peer_sa)) {
+		goto fail;
+	}
+
+	if ((p = dtls_find_pipe(ep, &ep->rx_sa)) == NULL) {
+		if (dtls_pipe_alloc(ep, &p, &ep->rx_sa) != NNG_OK) {
+			goto fail;
+		}
+	}
+	if (p->closed) {
+		goto fail;
+	}
+	NNI_ASSERT(p != NULL);
+
+	if (nni_msg_alloc(&msg, nni_aio_count(aio)) != NNG_OK) {
+		// TODO BUMP A NO RECV ALLOC STAT
+		goto fail;
+	}
+	memcpy(nni_msg_body(msg), ep->rx_buf, nni_aio_count(aio));
+	dtls_start_rx(ep);
+	nni_mtx_unlock(&ep->mtx);
+
+	nni_mtx_lock(&p->lower_mtx);
+
+	if (nni_lmq_put(&p->rx_mq, msg) != NNG_OK) {
+		// TODO: BUMP TXQ FULL STAT
+		nng_msg_free(msg);
+	}
+	dtls_bio_recv_done(p);
+	nni_mtx_unlock(&p->lower_mtx);
+
+	// Run the TLS state machine.
+	switch (nni_tls_run(&p->tls)) {
+	case NNG_OK:
+	case NNG_EAGAIN:
+		break;
+	default:
+		nni_pipe_close(p->npipe);
+	}
+	return;
+
+fail:
+	// start another receive
+	dtls_start_rx(ep);
+
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static uint16_t
+dtls_pipe_peer(void *arg)
+{
+	dtls_pipe *p = arg;
+
+	return (p->peer);
+}
+
+static nng_err
+dtls_pipe_get_recvmax(void *arg, void *v, size_t *szp, nni_type t)
+{
+	dtls_pipe *p  = arg;
+	dtls_ep   *ep = p->ep;
+	nng_err    rv;
+	nni_mtx_lock(&ep->mtx);
+	rv = nni_copyout_size(p->recv_max, v, szp, t);
+	nni_mtx_unlock(&ep->mtx);
+	return (rv);
+}
+
+static nng_err
+dtls_pipe_get_remaddr(void *arg, void *v, size_t *szp, nni_type t)
+{
+	dtls_pipe *p  = arg;
+	dtls_ep   *ep = p->ep;
+	nng_err    rv;
+	nni_mtx_lock(&ep->mtx);
+	rv = nni_copyout_sockaddr(&p->peer_addr, v, szp, t);
+	nni_mtx_unlock(&ep->mtx);
+	return (rv);
+}
+
+static nni_option dtls_pipe_options[] = {
+	{
+	    .o_name = NNG_OPT_RECVMAXSZ,
+	    .o_get  = dtls_pipe_get_recvmax,
+	},
+	{
+	    .o_name = NNG_OPT_REMADDR,
+	    .o_get  = dtls_pipe_get_remaddr,
+	},
+	{
+	    .o_name = NULL,
+	},
+};
+
+static nng_err
+dtls_pipe_getopt(
+    void *arg, const char *name, void *buf, size_t *szp, nni_type t)
+{
+	dtls_pipe *p = arg;
+	int        rv;
+
+	rv = nni_getopt(dtls_pipe_options, name, p, buf, szp, t);
+	return (rv);
+}
+
+static void
+dtls_ep_fini(void *arg)
+{
+	dtls_ep *ep = arg;
+
+	nni_aio_fini(&ep->timeaio);
+	nni_aio_fini(&ep->resaio);
+	nni_aio_fini(&ep->tx_aio);
+	nni_aio_fini(&ep->rx_aio);
+
+	if (ep->udp != NULL) {
+		nng_udp_close(ep->udp);
+	}
+	if (ep->rx_size != 0) {
+		nni_free(ep->rx_buf, ep->rx_size);
+	}
+
+	nni_msg_free(ep->rx_payload); // safe even if msg is null
+	nni_id_map_fini(&ep->pipes);
+	nni_mtx_fini(&ep->mtx);
+}
+
+static void
+dtls_ep_close(void *arg)
+{
+	dtls_ep   *ep = arg;
+	nni_aio   *aio;
+	dtls_pipe *p;
+	uint64_t   key;
+	uint32_t   cursor;
+
+	nni_aio_close(&ep->resaio);
+	nni_aio_close(&ep->rx_aio);
+	nni_aio_close(&ep->timeaio);
+
+	// leave tx open so we can send disconnects
+
+	nni_mtx_lock(&ep->mtx);
+	ep->closed = true;
+	while ((aio = nni_list_first(&ep->connaios)) != NULL) {
+		nni_aio_list_remove(aio);
+		nni_aio_finish_error(aio, NNG_ECONNABORTED);
+	}
+	cursor = 0;
+	key    = 0;
+	while (nni_id_visit(&ep->pipes, &key, (void **) &p, &cursor)) {
+		nni_pipe_close(p->npipe);
+	}
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static void
+dtls_ep_stop(void *arg)
+{
+	dtls_ep *ep = arg;
+
+	nni_aio_stop(&ep->resaio);
+	nni_aio_stop(&ep->rx_aio);
+	nni_aio_stop(&ep->timeaio);
+
+	nni_mtx_lock(&ep->mtx);
+	ep->fini = true;
+	nni_mtx_unlock(&ep->mtx);
+}
+
+// timer handler - sends out additional creqs as needed,
+// reaps stale connections, and handles linger.
+static void
+dtls_timer_cb(void *arg)
+{
+	dtls_ep   *ep = arg;
+	dtls_pipe *p;
+	int        rv;
+
+	nni_mtx_lock(&ep->mtx);
+	rv = nni_aio_result(&ep->timeaio);
+	switch (rv) {
+	case NNG_ECLOSED:
+	case NNG_ECANCELED:
+	case NNG_ESTOPPED:
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	default:
+		if (ep->closed) {
+			nni_mtx_unlock(&ep->mtx);
+			return;
+		}
+		break;
+	}
+
+	uint32_t     cursor  = 0;
+	nni_time     now     = nni_clock();
+	nng_duration refresh = NNG_DURATION_INFINITE;
+
+	while (nni_id_visit(&ep->pipes, NULL, (void **) &p, &cursor)) {
+
+		if (p->closed) {
+			continue;
+		}
+		NNI_ASSERT(p->refresh > 0);
+		if (p->expire > 0 && now > p->expire) {
+			char buf[128];
+			nng_log_info("NNG-DTLS-INACTIVE",
+			    "Pipe peer %s timed out due to inactivity",
+			    nng_str_sockaddr(&p->peer_addr, buf, sizeof(buf)));
+
+			nni_stat_inc(&ep->st_peer_inactive, 1);
+			nni_pipe_close(p->npipe);
+			continue;
+		}
+
+		if (p->dialer && now > p->next_refresh) {
+			p->send_op      = OPCODE_CREQ;
+			p->next_refresh = p->expire + p->refresh;
+			dtls_pipe_send_tls(p);
+		}
+		if (refresh == NNG_DURATION_INFINITE && p->refresh > 0) {
+			refresh = p->refresh;
+		} else if ((p->refresh > 0) && (p->refresh < refresh)) {
+			refresh = p->refresh;
+		}
+	}
+	nni_sleep_aio(refresh, &ep->timeaio);
+
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static nng_err
+dtls_ep_init(
+    dtls_ep *ep, nng_url *url, nni_sock *sock, nni_dialer *d, nni_listener *l)
+{
+	nni_mtx_init(&ep->mtx);
+	nni_id_map_init(&ep->pipes, 1, 0xFFFFFFFF, true);
+	NNI_LIST_INIT(&ep->connpipes, dtls_pipe, node);
+	nni_aio_list_init(&ep->connaios);
+
+	nni_aio_init(&ep->rx_aio, dtls_rx_cb, ep);
+	nni_aio_init(&ep->timeaio, dtls_timer_cb, ep);
+	nni_aio_init(&ep->resaio, dtls_resolv_cb, ep);
+
+	if (strcmp(url->u_scheme, "dtls") == 0) {
+		ep->af = NNG_AF_UNSPEC;
+	} else if (strcmp(url->u_scheme, "dtls4") == 0) {
+		ep->af = NNG_AF_INET;
+	} else if (strcmp(url->u_scheme, "dtls6") == 0) {
+		ep->af = NNG_AF_INET6;
+	} else {
+		return (NNG_EADDRINVAL);
+	}
+
+	ep->self_sa.s_family = ep->af;
+	ep->proto            = nni_sock_proto_id(sock);
+	ep->peer             = nni_sock_peer_id(sock);
+	ep->url              = url;
+	ep->refresh          = NNG_DTLS_REFRESH; // one minute by default
+	ep->rcvmax           = NNG_DTLS_RECVMAX;
+
+	// receive buffer plus some extra for UDP and TLS headers
+	if ((ep->rx_buf = nni_alloc(DTLS_MAX_RECORD)) == NULL) {
+		return (NNG_ENOMEM);
+	}
+	ep->rx_size = DTLS_MAX_RECORD;
+
+	NNI_STAT_LOCK(rcv_max_info, "rcv_max", "maximum receive size",
+	    NNG_STAT_LEVEL, NNG_UNIT_BYTES);
+	NNI_STAT_LOCK(rcv_nomatch_info, "rcv_nomatch",
+	    "messages without a matching connection", NNG_STAT_COUNTER,
+	    NNG_UNIT_MESSAGES);
+	NNI_STAT_LOCK(rcv_toobig_info, "rcv_toobig",
+	    "received messages rejected because too big", NNG_STAT_COUNTER,
+	    NNG_UNIT_MESSAGES);
+	NNI_STAT_LOCK(rcv_nobuf_info, "rcv_nobuf",
+	    "received messages dropped no buffer", NNG_STAT_COUNTER,
+	    NNG_UNIT_MESSAGES);
+	NNI_STAT_LOCK(snd_toobig_info, "snd_toobig",
+	    "sent messages rejected because too big", NNG_STAT_COUNTER,
+	    NNG_UNIT_MESSAGES);
+	NNI_STAT_LOCK(snd_nobuf_info, "snd_nobuf",
+	    "sent messages dropped no buffer", NNG_STAT_COUNTER,
+	    NNG_UNIT_MESSAGES);
+	NNI_STAT_LOCK(peer_inactive_info, "peer_inactive",
+	    "connections closed due to inactive peer", NNG_STAT_COUNTER,
+	    NNG_UNIT_EVENTS);
+
+	nni_stat_init_lock(&ep->st_rcv_max, &rcv_max_info, &ep->mtx);
+	nni_stat_init_lock(&ep->st_rcv_toobig, &rcv_toobig_info, &ep->mtx);
+	nni_stat_init_lock(&ep->st_rcv_nomatch, &rcv_nomatch_info, &ep->mtx);
+	nni_stat_init_lock(&ep->st_rcv_nobuf, &rcv_nobuf_info, &ep->mtx);
+	nni_stat_init_lock(&ep->st_snd_toobig, &snd_toobig_info, &ep->mtx);
+	nni_stat_init_lock(&ep->st_snd_nobuf, &snd_nobuf_info, &ep->mtx);
+	nni_stat_init_lock(
+	    &ep->st_peer_inactive, &peer_inactive_info, &ep->mtx);
+
+	if (l) {
+		NNI_ASSERT(d == NULL);
+		nni_listener_add_stat(l, &ep->st_rcv_max);
+
+		nni_listener_add_stat(l, &ep->st_rcv_toobig);
+		nni_listener_add_stat(l, &ep->st_rcv_nomatch);
+		nni_listener_add_stat(l, &ep->st_rcv_nobuf);
+		nni_listener_add_stat(l, &ep->st_snd_toobig);
+		nni_listener_add_stat(l, &ep->st_snd_nobuf);
+	}
+	if (d) {
+		NNI_ASSERT(l == NULL);
+		nni_dialer_add_stat(d, &ep->st_rcv_max);
+		nni_dialer_add_stat(d, &ep->st_rcv_toobig);
+		nni_dialer_add_stat(d, &ep->st_rcv_nomatch);
+		nni_dialer_add_stat(d, &ep->st_rcv_nobuf);
+		nni_dialer_add_stat(d, &ep->st_snd_toobig);
+		nni_dialer_add_stat(d, &ep->st_snd_nobuf);
+	}
+
+	// schedule our timer callback - forever for now
+	// adjusted automatically as we add pipes or other
+	// actions which require earlier wakeup.
+	nni_sleep_aio(NNG_DURATION_INFINITE, &ep->timeaio);
+	// nni_sleep_aio(100, &ep->timeaio);
+
+	return (NNG_OK);
+}
+
+static nng_err
+dtls_check_url(nng_url *url, bool listen)
+{
+	// Check for invalid URL components.
+	if ((strlen(url->u_path) != 0) && (strcmp(url->u_path, "/") != 0)) {
+		return (NNG_EADDRINVAL);
+	}
+	if ((url->u_fragment != NULL) || (url->u_userinfo != NULL) ||
+	    (url->u_query != NULL)) {
+		return (NNG_EADDRINVAL);
+	}
+	if (!listen) {
+		if ((strlen(url->u_hostname) == 0) || (url->u_port == 0)) {
+			return (NNG_EADDRINVAL);
+		}
+	}
+	return (NNG_OK);
+}
+
+static nng_err
+dtls_dialer_init(void *arg, nng_url *url, nni_dialer *ndialer)
+{
+	dtls_ep  *ep = arg;
+	nng_err   rv;
+	nni_sock *sock = nni_dialer_sock(ndialer);
+
+	if ((rv = dtls_check_url(url, false)) != NNG_OK) {
+		return (rv);
+	}
+
+	ep->ndialer = ndialer;
+	if ((rv = dtls_ep_init(ep, url, sock, ndialer, NULL)) != NNG_OK) {
+		return (rv);
+	}
+
+	return (NNG_OK);
+}
+
+static nng_err
+dtls_listener_init(void *arg, nng_url *url, nni_listener *nlistener)
+{
+	dtls_ep  *ep = arg;
+	nng_err   rv;
+	nni_sock *sock = nni_listener_sock(nlistener);
+
+	ep->nlistener = nlistener;
+	if ((rv = dtls_ep_init(ep, url, sock, NULL, nlistener)) != NNG_OK) {
+		return (rv);
+	}
+	// Check for invalid URL components.
+	if (((rv = dtls_check_url(url, true)) != NNG_OK) ||
+	    ((rv = nni_url_to_address(&ep->self_sa, url)) != NNG_OK)) {
+		return (rv);
+	}
+
+	return (NNG_OK);
+}
+
+static void
+dtls_ep_cancel(nni_aio *aio, void *arg, nng_err rv)
+{
+	dtls_ep *ep = arg;
+	nni_mtx_lock(&ep->mtx);
+	if (nni_aio_list_active(aio)) {
+		nni_aio_list_remove(aio);
+		nni_aio_finish_error(aio, rv);
+		nni_aio_abort(&ep->resaio, rv);
+	}
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static void
+dtls_resolv_cb(void *arg)
+{
+	dtls_ep   *ep = arg;
+	dtls_pipe *p;
+	nni_aio   *aio;
+	int        rv;
+
+	nni_mtx_lock(&ep->mtx);
+	if ((aio = nni_list_first(&ep->connaios)) == NULL) {
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	if (ep->closed) {
+		nni_aio_list_remove(aio);
+		nni_aio_finish_error(aio, NNG_ECLOSED);
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	if ((rv = nni_aio_result(&ep->resaio)) != 0) {
+		nni_aio_list_remove(aio);
+		nni_aio_finish_error(aio, rv);
+		nni_mtx_unlock(&ep->mtx);
+		nng_log_warn("NNG-RESOLV", "Failed resolving IP address: %s",
+		    nng_strerror(rv));
+		return;
+	}
+
+	// Choose the right port to bind to. The family must match.
+	if (ep->self_sa.s_family == NNG_AF_UNSPEC) {
+		ep->self_sa.s_family = ep->peer_sa.s_family;
+	}
+
+	if (ep->udp == NULL) {
+		if ((rv = nng_udp_open(&ep->udp, &ep->self_sa)) != NNG_OK) {
+			nni_aio_list_remove(aio);
+			nni_aio_finish_error(aio, rv);
+			nni_mtx_unlock(&ep->mtx);
+			return;
+		}
+	}
+
+	if ((rv = dtls_pipe_alloc(ep, &p, &ep->peer_sa)) != NNG_OK) {
+		nni_aio_list_remove(aio);
+		nni_aio_finish_error(aio, rv);
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	dtls_ep_start(ep);
+
+	// Send out the connection request.  We don't complete
+	// the user aio until we confirm a connection, so that
+	// we can supply details like maximum receive message size
+	// and the protocol the peer is using.
+	p->send_op = OPCODE_CREQ;
+	dtls_pipe_send_tls(p);
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static void
+dtls_ep_connect(void *arg, nni_aio *aio)
+{
+	dtls_ep *ep = arg;
+
+	nni_mtx_lock(&ep->mtx);
+	if (!nni_aio_start(aio, dtls_ep_cancel, ep)) {
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	if (ep->closed) {
+		nni_aio_finish_error(aio, NNG_ECLOSED);
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	if (ep->started) {
+		nni_aio_finish_error(aio, NNG_EBUSY);
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	NNI_ASSERT(nni_list_empty(&ep->connaios));
+	ep->dialer = true;
+
+	nni_list_append(&ep->connaios, aio);
+
+	// lookup the IP address
+
+	memset(&ep->resolv, 0, sizeof(ep->resolv));
+	ep->resolv.ri_family  = ep->af;
+	ep->resolv.ri_host    = ep->url->u_hostname;
+	ep->resolv.ri_port    = ep->url->u_port;
+	ep->resolv.ri_passive = false;
+	ep->resolv.ri_sa      = &ep->peer_sa;
+	nni_aio_set_timeout(&ep->resaio, NNI_SECOND * 5);
+	nni_resolv(&ep->resolv, &ep->resaio);
+
+	// wake up for retries
+	nni_aio_abort(&ep->timeaio, NNG_EINTR);
+
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static nng_err
+dtls_ep_get_port(void *arg, void *buf, size_t *szp, nni_type t)
+{
+	dtls_ep     *ep = arg;
+	nng_sockaddr sa;
+	int          port;
+	uint8_t     *paddr;
+
+	nni_mtx_lock(&ep->mtx);
+	if (ep->udp != NULL) {
+		(void) nng_udp_sockname(ep->udp, &sa);
+	} else {
+		sa = ep->self_sa;
+	}
+	switch (sa.s_family) {
+	case NNG_AF_INET:
+		paddr = (void *) &sa.s_in.sa_port;
+		break;
+
+	case NNG_AF_INET6:
+		paddr = (void *) &sa.s_in6.sa_port;
+		break;
+
+	default:
+		paddr = NULL;
+		break;
+	}
+	nni_mtx_unlock(&ep->mtx);
+
+	if (paddr == NULL) {
+		return (NNG_ESTATE);
+	}
+
+	NNI_GET16(paddr, port);
+	return (nni_copyout_int(port, buf, szp, t));
+}
+
+static nng_err
+dtls_ep_get_locaddr(void *arg, void *v, size_t *szp, nni_opt_type t)
+{
+	dtls_ep     *ep = arg;
+	nng_sockaddr sa;
+
+	nni_mtx_lock(&ep->mtx);
+	if (ep->udp != NULL) {
+		(void) nng_udp_sockname(ep->udp, &sa);
+	} else {
+		sa = ep->self_sa;
+	}
+	nni_mtx_unlock(&ep->mtx);
+
+	return (nni_copyout_sockaddr(&sa, v, szp, t));
+}
+
+static nng_err
+dtls_ep_get_remaddr(void *arg, void *v, size_t *szp, nni_opt_type t)
+{
+	dtls_ep *ep = arg;
+	nng_err  rv;
+
+	if (!ep->dialer) {
+		return (NNG_ENOTSUP);
+	}
+	nni_mtx_lock(&ep->mtx);
+	rv = nni_copyout_sockaddr(&ep->peer_sa, v, szp, t);
+	nni_mtx_unlock(&ep->mtx);
+	return (rv);
+}
+
+static nng_err
+dtls_ep_get_recvmaxsz(void *arg, void *v, size_t *szp, nni_opt_type t)
+{
+	dtls_ep *ep = arg;
+	nng_err  rv;
+
+	nni_mtx_lock(&ep->mtx);
+	rv = nni_copyout_size(ep->rcvmax, v, szp, t);
+	nni_mtx_unlock(&ep->mtx);
+	return (rv);
+}
+
+static nng_err
+dtls_ep_set_recvmaxsz(void *arg, const void *v, size_t sz, nni_opt_type t)
+{
+	dtls_ep *ep = arg;
+	size_t   val;
+	nng_err  rv;
+	if ((rv = nni_copyin_size(&val, v, sz, 0, NNG_DTLS_RECVMAX, t)) == 0) {
+		if ((val == 0) || (val > NNG_DTLS_RECVMAX)) {
+			val = NNG_DTLS_RECVMAX;
+		}
+		nni_mtx_lock(&ep->mtx);
+		if (ep->started) {
+			nni_mtx_unlock(&ep->mtx);
+			return (NNG_EBUSY);
+		}
+		ep->rcvmax = (uint16_t) val;
+		nni_stat_set_value(&ep->st_rcv_max, val);
+		nni_mtx_unlock(&ep->mtx);
+	}
+	return (rv);
+}
+
+static nng_err
+dtls_ep_set_tls(void *arg, nng_tls_config *cfg)
+{
+	dtls_ep *ep = arg;
+	nni_mtx_lock(&ep->mtx);
+	if (ep->started) {
+		nni_mtx_unlock(&ep->mtx);
+		return (NNG_EBUSY);
+	}
+	ep->tlscfg = cfg;
+	nni_mtx_unlock(&ep->mtx);
+	return (NNG_OK);
+}
+
+static nng_err
+dtls_ep_get_tls(void *arg, nng_tls_config **cfgp)
+{
+	dtls_ep *ep = arg;
+	nni_mtx_lock(&ep->mtx);
+	*cfgp = ep->tlscfg;
+	nni_mtx_unlock(&ep->mtx);
+	return (NNG_OK);
+}
+
+// this just looks for pipes waiting for an aio, and aios waiting for
+// a connection, and matches them together.
+static void
+dtls_ep_match(dtls_ep *ep)
+{
+	nng_aio   *aio = nni_list_first(&ep->connaios);
+	dtls_pipe *p   = nni_list_first(&ep->connpipes);
+
+	if ((aio == NULL) || (p == NULL)) {
+		return;
+	}
+
+	nni_aio_list_remove(aio);
+	nni_list_remove(&ep->connpipes, p);
+	nni_aio_set_output(aio, 0, p->npipe);
+	nni_aio_finish(aio, 0, 0);
+}
+
+static void
+dtls_ep_start(dtls_ep *ep)
+{
+	ep->started = true;
+	dtls_start_rx(ep);
+}
+
+static nng_err
+dtls_ep_bind(void *arg, nng_url *url)
+{
+	dtls_ep *ep = arg;
+	nng_err  rv;
+
+	nni_mtx_lock(&ep->mtx);
+	if (ep->started) {
+		nni_mtx_unlock(&ep->mtx);
+		return (NNG_EBUSY);
+	}
+
+	rv = nng_udp_open(&ep->udp, &ep->self_sa);
+	if (rv != NNG_OK) {
+		nni_mtx_unlock(&ep->mtx);
+		return (rv);
+	}
+	nng_sockaddr sa;
+	nng_udp_sockname(ep->udp, &sa);
+	url->u_port = nng_sockaddr_port(&sa);
+	dtls_ep_start(ep);
+	nni_mtx_unlock(&ep->mtx);
+
+	return (rv);
+}
+
+static void
+dtls_ep_accept(void *arg, nni_aio *aio)
+{
+	dtls_ep *ep = arg;
+
+	nni_aio_reset(aio);
+	nni_mtx_lock(&ep->mtx);
+	if (ep->closed) {
+		nni_aio_finish_error(aio, NNG_ECLOSED);
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	if (!nni_aio_start(aio, dtls_ep_cancel, ep)) {
+		nni_mtx_unlock(&ep->mtx);
+		return;
+	}
+	nni_aio_list_append(&ep->connaios, aio);
+	dtls_ep_match(ep);
+	nni_mtx_unlock(&ep->mtx);
+}
+
+static nni_sp_pipe_ops dtls_pipe_ops = {
+	.p_size   = dtls_pipe_size,
+	.p_init   = dtls_pipe_init,
+	.p_fini   = dtls_pipe_fini,
+	.p_stop   = dtls_pipe_stop,
+	.p_send   = dtls_pipe_send,
+	.p_recv   = dtls_pipe_recv,
+	.p_close  = dtls_pipe_close,
+	.p_peer   = dtls_pipe_peer,
+	.p_getopt = dtls_pipe_getopt,
+};
+
+static const nni_option dtls_ep_opts[] = {
+	{
+	    .o_name = NNG_OPT_RECVMAXSZ,
+	    .o_get  = dtls_ep_get_recvmaxsz,
+	    .o_set  = dtls_ep_set_recvmaxsz,
+	},
+	{
+	    .o_name = NNG_OPT_LOCADDR,
+	    .o_get  = dtls_ep_get_locaddr,
+	},
+	{
+	    .o_name = NNG_OPT_REMADDR,
+	    .o_get  = dtls_ep_get_remaddr,
+	},
+	{
+	    .o_name = NNG_OPT_TCP_BOUND_PORT,
+	    .o_get  = dtls_ep_get_port,
+	},
+	// terminate list
+	{
+	    .o_name = NULL,
+	},
+};
+
+static nng_err
+dtls_dialer_getopt(
+    void *arg, const char *name, void *buf, size_t *szp, nni_type t)
+{
+	dtls_ep *ep = arg;
+
+	return (nni_getopt(dtls_ep_opts, name, ep, buf, szp, t));
+}
+
+static nng_err
+dtls_dialer_setopt(
+    void *arg, const char *name, const void *buf, size_t sz, nni_type t)
+{
+	dtls_ep *ep = arg;
+
+	return (nni_setopt(dtls_ep_opts, name, ep, buf, sz, t));
+}
+
+static nng_err
+dtls_listener_getopt(
+    void *arg, const char *name, void *buf, size_t *szp, nni_type t)
+{
+	dtls_ep *ep = arg;
+
+	return (nni_getopt(dtls_ep_opts, name, ep, buf, szp, t));
+}
+
+static nng_err
+dtls_listener_setopt(
+    void *arg, const char *name, const void *buf, size_t sz, nni_type t)
+{
+	dtls_ep *ep = arg;
+
+	return (nni_setopt(dtls_ep_opts, name, ep, buf, sz, t));
+}
+
+static nni_sp_dialer_ops dtls_dialer_ops = {
+	.d_size    = sizeof(dtls_ep),
+	.d_init    = dtls_dialer_init,
+	.d_fini    = dtls_ep_fini,
+	.d_connect = dtls_ep_connect,
+	.d_close   = dtls_ep_close,
+	.d_stop    = dtls_ep_stop,
+	.d_set_tls = dtls_ep_set_tls,
+	.d_get_tls = dtls_ep_get_tls,
+	.d_getopt  = dtls_dialer_getopt,
+	.d_setopt  = dtls_dialer_setopt,
+};
+
+static nni_sp_listener_ops dtls_listener_ops = {
+	.l_size    = sizeof(dtls_ep),
+	.l_init    = dtls_listener_init,
+	.l_fini    = dtls_ep_fini,
+	.l_bind    = dtls_ep_bind,
+	.l_accept  = dtls_ep_accept,
+	.l_close   = dtls_ep_close,
+	.l_stop    = dtls_ep_stop,
+	.l_set_tls = dtls_ep_set_tls,
+	.l_get_tls = dtls_ep_get_tls,
+	.l_getopt  = dtls_listener_getopt,
+	.l_setopt  = dtls_listener_setopt,
+};
+
+static nni_sp_tran dtls_tran = {
+	.tran_scheme   = "dtls",
+	.tran_dialer   = &dtls_dialer_ops,
+	.tran_listener = &dtls_listener_ops,
+	.tran_pipe     = &dtls_pipe_ops,
+	.tran_init     = dtls_tran_init,
+	.tran_fini     = dtls_tran_fini,
+};
+
+static nni_sp_tran dtls4_tran = {
+	.tran_scheme   = "dtls4",
+	.tran_dialer   = &dtls_dialer_ops,
+	.tran_listener = &dtls_listener_ops,
+	.tran_pipe     = &dtls_pipe_ops,
+	.tran_init     = dtls_tran_init,
+	.tran_fini     = dtls_tran_fini,
+};
+
+#ifdef NNG_ENABLE_IPV6
+static nni_sp_tran dtls6_tran = {
+	.tran_scheme   = "dtls6",
+	.tran_dialer   = &dtls_dialer_ops,
+	.tran_listener = &dtls_listener_ops,
+	.tran_pipe     = &dtls_pipe_ops,
+	.tran_init     = dtls_tran_init,
+	.tran_fini     = dtls_tran_fini,
+};
+#endif
+
+void
+nni_sp_dtls_register(void)
+{
+	nni_sp_tran_register(&dtls_tran);
+	nni_sp_tran_register(&dtls4_tran);
+#ifdef NNG_ENABLE_IPV6
+	nni_sp_tran_register(&dtls6_tran);
+#endif
+}
diff --git a/src/sp/transport/dtls/dtls_tran_test.c b/src/sp/transport/dtls/dtls_tran_test.c
new file mode 100644
index 00000000..1dcfeb49
--- /dev/null
+++ b/src/sp/transport/dtls/dtls_tran_test.c
@@ -0,0 +1,345 @@
+//
+// Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
+// Copyright 2018 Capitar IT Group BV <info@capitar.com>
+// Copyright 2018 Devolutions <info@devolutions.net>
+// Copyright 2018 Cody Piersall <cody.piersall@gmail.com>
+//
+// This software is supplied under the terms of the MIT License, a
+// copy of which should be located in the distribution where this
+// file was obtained (LICENSE.txt).  A copy of the license may also be
+// found online at https://opensource.org/licenses/MIT.
+//
+
+#include "nng/nng.h"
+#include <nuts.h>
+
+// TLS tests.
+
+static nng_tls_config *
+tls_server_config(void)
+{
+	nng_tls_config *c;
+	NUTS_PASS(nng_tls_config_alloc(&c, NNG_TLS_MODE_SERVER));
+	NUTS_PASS(nng_tls_config_own_cert(
+	    c, nuts_server_crt, nuts_server_key, NULL));
+	return (c);
+}
+
+static nng_tls_config *
+tls_server_config_ecdsa(void)
+{
+	nng_tls_config *c;
+	NUTS_PASS(nng_tls_config_alloc(&c, NNG_TLS_MODE_SERVER));
+	NUTS_PASS(nng_tls_config_own_cert(
+	    c, nuts_ecdsa_server_crt, nuts_ecdsa_server_key, NULL));
+	return (c);
+}
+
+static nng_tls_config *
+tls_config_psk(nng_tls_mode mode, const char *name, uint8_t *key, size_t len)
+{
+	nng_tls_config *c;
+	NUTS_PASS(nng_tls_config_alloc(&c, mode));
+	NUTS_PASS(nng_tls_config_psk(c, name, key, len));
+	return (c);
+}
+
+static nng_tls_config *
+tls_client_config(void)
+{
+	nng_tls_config *c;
+	NUTS_PASS(nng_tls_config_alloc(&c, NNG_TLS_MODE_CLIENT));
+	NUTS_PASS(nng_tls_config_own_cert(
+	    c, nuts_client_crt, nuts_client_key, NULL));
+	NUTS_PASS(nng_tls_config_ca_chain(c, nuts_server_crt, NULL));
+	NUTS_PASS(nng_tls_config_server_name(c, "localhost"));
+	return (c);
+}
+
+static nng_tls_config *
+tls_client_config_ecdsa(void)
+{
+	nng_tls_config *c;
+	NUTS_PASS(nng_tls_config_alloc(&c, NNG_TLS_MODE_CLIENT));
+	NUTS_PASS(nng_tls_config_own_cert(
+	    c, nuts_ecdsa_client_crt, nuts_ecdsa_client_key, NULL));
+	NUTS_PASS(nng_tls_config_ca_chain(c, nuts_ecdsa_server_crt, NULL));
+	NUTS_PASS(nng_tls_config_server_name(c, "localhost"));
+	return (c);
+}
+
+void
+test_dtls_port_zero_bind(void)
+{
+	nng_socket      s1;
+	nng_socket      s2;
+	nng_tls_config *c1, *c2;
+	nng_sockaddr    sa;
+	nng_listener    l;
+	nng_dialer      d;
+	const nng_url  *url;
+
+	NUTS_ENABLE_LOG(NNG_LOG_DEBUG);
+	c1 = tls_server_config();
+	c2 = tls_client_config();
+	NUTS_OPEN(s1);
+	NUTS_OPEN(s2);
+	NUTS_PASS(nng_listener_create(&l, s1, "dtls://127.0.0.1:0"));
+	NUTS_PASS(nng_listener_set_tls(l, c1));
+	NUTS_PASS(nng_listener_start(l, 0));
+	NUTS_PASS(nng_listener_get_url(l, &url));
+	NUTS_MATCH(nng_url_scheme(url), "dtls");
+	NUTS_PASS(nng_listener_get_addr(l, NNG_OPT_LOCADDR, &sa));
+	NUTS_TRUE(sa.s_in.sa_family == NNG_AF_INET);
+	NUTS_TRUE(sa.s_in.sa_port != 0);
+	NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));
+	NUTS_PASS(nng_dialer_create_url(&d, s2, url));
+	NUTS_PASS(nng_dialer_set_tls(d, c2));
+	// NUTS_PASS(nng_dialer_start(d, NNG_FLAG_NONBLOCK));
+	NUTS_PASS(nng_dialer_start(d, 0));
+	nng_msleep(1000);
+	NUTS_CLOSE(s2);
+	NUTS_CLOSE(s1);
+	nng_tls_config_free(c1);
+	nng_tls_config_free(c2);
+}
+
+void
+test_dtls_bad_cert_mutual(void)
+{
+	nng_socket      s1;
+	nng_socket      s2;
+	nng_tls_config *c1, *c2;
+	nng_sockaddr    sa;
+	nng_listener    l;
+	nng_dialer      d;
+	const nng_url  *url;
+
+	c1 = tls_server_config();
+	c2 = tls_client_config();
+
+	NUTS_ENABLE_LOG(NNG_LOG_DEBUG);
+	NUTS_OPEN(s1);
+	NUTS_OPEN(s2);
+	NUTS_PASS(nng_tls_config_auth_mode(c1, NNG_TLS_AUTH_MODE_REQUIRED));
+	// a valid cert, but not the one that signed the config!
+	NUTS_PASS(nng_tls_config_ca_chain(c1, nuts_ecdsa_server_crt, NULL));
+	NUTS_PASS(nng_listener_create(&l, s1, "dtls://127.0.0.1:0"));
+	NUTS_PASS(nng_listener_set_tls(l, c1));
+	NUTS_PASS(nng_listener_start(l, 0));
+	NUTS_PASS(nng_listener_get_url(l, &url));
+	NUTS_MATCH(nng_url_scheme(url), "dtls");
+	NUTS_PASS(nng_listener_get_addr(l, NNG_OPT_LOCADDR, &sa));
+	NUTS_TRUE(sa.s_in.sa_family == NNG_AF_INET);
+	NUTS_TRUE(sa.s_in.sa_port != 0);
+	NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));
+	NUTS_PASS(nng_dialer_create_url(&d, s2, url));
+	NUTS_PASS(nng_dialer_set_tls(d, c2));
+	// With DTLS we are not guaranteed to get the connection failure.
+	nng_dialer_start(d, NNG_FLAG_NONBLOCK);
+	nng_msleep(500);
+	NUTS_CLOSE(s2);
+	NUTS_CLOSE(s1);
+	nng_tls_config_free(c1);
+	nng_tls_config_free(c2);
+}
+
+void
+test_dtls_cert_mutual(void)
+{
+	nng_socket      s1;
+	nng_socket      s2;
+	nng_tls_config *c1, *c2;
+	nng_sockaddr    sa;
+	nng_listener    l;
+	nng_dialer      d;
+	const nng_url  *url;
+
+	c1 = tls_server_config_ecdsa();
+	c2 = tls_client_config_ecdsa();
+
+	NUTS_ENABLE_LOG(NNG_LOG_DEBUG);
+	NUTS_OPEN(s1);
+	NUTS_OPEN(s2);
+	NUTS_PASS(nng_tls_config_auth_mode(c1, NNG_TLS_AUTH_MODE_REQUIRED));
+	NUTS_PASS(nng_tls_config_ca_chain(c1, nuts_ecdsa_server_crt, NULL));
+	NUTS_PASS(nng_tls_config_ca_chain(c2, nuts_ecdsa_server_crt, NULL));
+	NUTS_PASS(nng_listener_create(&l, s1, "dtls://127.0.0.1:0"));
+	NUTS_PASS(nng_listener_set_tls(l, c1));
+	NUTS_PASS(nng_listener_start(l, 0));
+	NUTS_PASS(nng_listener_get_url(l, &url));
+	NUTS_MATCH(nng_url_scheme(url), "dtls");
+	NUTS_PASS(nng_listener_get_addr(l, NNG_OPT_LOCADDR, &sa));
+	NUTS_TRUE(sa.s_in.sa_family == NNG_AF_INET);
+	NUTS_TRUE(sa.s_in.sa_port != 0);
+	NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));
+	NUTS_PASS(nng_dialer_create_url(&d, s2, url));
+	NUTS_PASS(nng_dialer_set_tls(d, c2));
+	NUTS_PASS(nng_dialer_start(d, 0));
+	nng_msleep(50);
+	NUTS_CLOSE(s2);
+	NUTS_CLOSE(s1);
+	nng_tls_config_free(c1);
+	nng_tls_config_free(c2);
+}
+
+void
+test_dtls_malformed_address(void)
+{
+	nng_socket s1;
+
+	NUTS_OPEN(s1);
+	NUTS_FAIL(nng_dial(s1, "dtls://127.0.0.1", NULL, 0), NNG_EADDRINVAL);
+	NUTS_FAIL(
+	    nng_dial(s1, "dtls://127.0.0.1.32", NULL, 0), NNG_EADDRINVAL);
+	NUTS_FAIL(
+	    nng_dial(s1, "dtls://127.0.x.1.32", NULL, 0), NNG_EADDRINVAL);
+	NUTS_FAIL(
+	    nng_listen(s1, "dtls://127.0.0.1.32", NULL, 0), NNG_EADDRINVAL);
+	NUTS_FAIL(
+	    nng_listen(s1, "dtls://127.0.x.1.32", NULL, 0), NNG_EADDRINVAL);
+	NUTS_CLOSE(s1);
+}
+
+// DTLS does not support TCP_NODELAY because it's based on UDP.
+void
+test_dtls_no_delay_option(void)
+{
+	nng_socket      s;
+	nng_dialer      d;
+	nng_listener    l;
+	bool            v;
+	char           *addr;
+	nng_tls_config *dc, *lc;
+
+	NUTS_ADDR(addr, "dtls");
+	dc = tls_client_config();
+	lc = tls_server_config();
+
+	NUTS_OPEN(s);
+	NUTS_PASS(nng_dialer_create(&d, s, addr));
+	NUTS_PASS(nng_dialer_set_tls(d, dc));
+	NUTS_FAIL(
+	    nng_dialer_get_bool(d, NNG_OPT_TCP_NODELAY, &v), NNG_ENOTSUP);
+	NUTS_FAIL(nng_dialer_set_bool(d, NNG_OPT_TCP_NODELAY, v), NNG_ENOTSUP);
+
+	NUTS_PASS(nng_listener_create(&l, s, addr));
+	NUTS_PASS(nng_listener_set_tls(l, lc));
+	NUTS_FAIL(
+	    nng_listener_get_bool(l, NNG_OPT_TCP_NODELAY, &v), NNG_ENOTSUP);
+	NUTS_FAIL(
+	    nng_listener_set_bool(l, NNG_OPT_TCP_NODELAY, v), NNG_ENOTSUP);
+
+	NUTS_PASS(nng_dialer_close(d));
+	NUTS_PASS(nng_listener_close(l));
+
+	NUTS_CLOSE(s);
+	nng_tls_config_free(lc);
+	nng_tls_config_free(dc);
+}
+
+void
+test_dtls_recv_max(void)
+{
+	char            msg[256];
+	char            buf[256];
+	nng_socket      s0;
+	nng_socket      s1;
+	nng_tls_config *c0, *c1;
+	nng_listener    l;
+	nng_dialer      d;
+	size_t          sz;
+	char           *addr;
+	const nng_url  *url;
+
+	NUTS_ADDR_ZERO(addr, "dtls");
+
+	c0 = tls_server_config();
+	c1 = tls_client_config();
+	NUTS_OPEN(s0);
+	NUTS_PASS(nng_socket_set_ms(s0, NNG_OPT_RECVTIMEO, 100));
+	NUTS_PASS(nng_socket_set_size(s0, NNG_OPT_RECVMAXSZ, 200));
+	NUTS_PASS(nng_listener_create(&l, s0, addr));
+	NUTS_PASS(nng_listener_set_tls(l, c0));
+	NUTS_PASS(nng_socket_get_size(s0, NNG_OPT_RECVMAXSZ, &sz));
+	NUTS_TRUE(sz == 200);
+	NUTS_PASS(nng_listener_set_size(l, NNG_OPT_RECVMAXSZ, 100));
+	NUTS_PASS(nng_listener_start(l, 0));
+	NUTS_PASS(nng_listener_get_url(l, &url));
+
+	NUTS_OPEN(s1);
+	NUTS_PASS(nng_dialer_create_url(&d, s1, url));
+	NUTS_PASS(nng_dialer_set_tls(d, c1));
+	NUTS_PASS(nng_dialer_start(d, 0));
+	NUTS_PASS(nng_send(s1, msg, 95, 0));
+	NUTS_PASS(nng_socket_set_ms(s1, NNG_OPT_SENDTIMEO, 100));
+	NUTS_PASS(nng_recv(s0, buf, &sz, 0));
+	NUTS_TRUE(sz == 95);
+	NUTS_PASS(nng_send(s1, msg, 150, 0));
+	NUTS_FAIL(nng_recv(s0, buf, &sz, 0), NNG_ETIMEDOUT);
+	NUTS_CLOSE(s0);
+	NUTS_CLOSE(s1);
+	nng_tls_config_free(c0);
+	nng_tls_config_free(c1);
+}
+
+void
+test_dtls_psk(void)
+{
+#ifdef NNG_SUPP_TLS_PSK
+	char            msg[256];
+	char            buf[256];
+	nng_socket      s0;
+	nng_socket      s1;
+	nng_tls_config *c0, *c1;
+	nng_listener    l;
+	nng_dialer      d;
+	size_t          sz;
+	char           *addr;
+	uint8_t         key[32];
+	const nng_url  *url;
+
+	for (unsigned i = 0; i < sizeof(key); i++) {
+		key[i] = rand() % 0xff;
+	}
+
+	NUTS_ADDR_ZERO(addr, "dtls");
+	NUTS_ENABLE_LOG(NNG_LOG_DEBUG);
+
+	c0 = tls_config_psk(NNG_TLS_MODE_SERVER, "identity", key, sizeof key);
+	c1 = tls_config_psk(NNG_TLS_MODE_CLIENT, "identity", key, sizeof key);
+	NUTS_OPEN(s0);
+	NUTS_PASS(nng_socket_set_ms(s0, NNG_OPT_RECVTIMEO, 100));
+	NUTS_PASS(nng_listener_create(&l, s0, addr));
+	NUTS_PASS(nng_listener_set_tls(l, c0));
+	NUTS_PASS(nng_listener_start(l, 0));
+	NUTS_PASS(nng_listener_get_url(l, &url));
+
+	NUTS_OPEN(s1);
+	NUTS_PASS(nng_dialer_create_url(&d, s1, url));
+	NUTS_PASS(nng_dialer_set_tls(d, c1));
+	NUTS_PASS(nng_dialer_start(d, 0));
+	NUTS_SLEEP(1000); // make sure connection has time to form!
+	NUTS_PASS(nng_send(s1, msg, 95, 0));
+	NUTS_PASS(nng_recv(s0, buf, &sz, 0));
+	NUTS_TRUE(sz == 95);
+	NUTS_CLOSE(s0);
+	NUTS_CLOSE(s1);
+	nng_tls_config_free(c0);
+	nng_tls_config_free(c1);
+#else
+	NUTS_SKIP("no PSK support");
+#endif
+}
+
+NUTS_TESTS = {
+
+	{ "dtls port zero bind", test_dtls_port_zero_bind },
+	{ "dtls malformed address", test_dtls_malformed_address },
+	{ "dtls no delay option", test_dtls_no_delay_option },
+	{ "dtls recv max", test_dtls_recv_max },
+	{ "dtls pre-shared key", test_dtls_psk },
+	{ "dtls bad cert mutual", test_dtls_bad_cert_mutual },
+	{ "dtls cert mutual", test_dtls_cert_mutual },
+	{ NULL, NULL },
+};
diff --git a/src/sp/transport/inproc/CMakeLists.txt b/src/sp/transport/inproc/CMakeLists.txt
index 2132e8d7..42f4d824 100644
--- a/src/sp/transport/inproc/CMakeLists.txt
+++ b/src/sp/transport/inproc/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2024 Staysail Systems, Inc. <info@staysail.tech>
+# Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
 # Copyright 2018 Capitar IT Group BV <info@capitar.com>
 #
 # This software is supplied under the terms of the MIT License, a
@@ -11,6 +11,8 @@
 # inproc protocol
 nng_directory(inproc)
 
-nng_sources_if(NNG_TRANSPORT_INPROC inproc.c)
-nng_defines_if(NNG_TRANSPORT_INPROC NNG_TRANSPORT_INPROC)
-nng_test_if(NNG_TRANSPORT_INPROC inproc_test)
+if (NNG_TRANSPORT_INPROC)
+    nng_sources(inproc.c)
+    nng_defines(NNG_TRANSPORT_INPROC)
+    nng_test(inproc_test)
+endif()
diff --git a/src/sp/transport/inproc/inproc.c b/src/sp/transport/inproc/inproc.c
index 24c0f1ad..22fe619b 100644
--- a/src/sp/transport/inproc/inproc.c
+++ b/src/sp/transport/inproc/inproc.c
@@ -584,8 +584,14 @@ inproc_pipe_getopt(
 	return (nni_getopt(inproc_pipe_options, name, arg, v, szp, t));
 }
 
+static size_t
+inproc_pipe_size(void)
+{
+	return (sizeof(inproc_pipe));
+}
+
 static nni_sp_pipe_ops inproc_pipe_ops = {
-	.p_size   = sizeof(inproc_pipe),
+	.p_size   = inproc_pipe_size,
 	.p_init   = inproc_pipe_init,
 	.p_fini   = inproc_pipe_fini,
 	.p_send   = inproc_pipe_send,
diff --git a/src/sp/transport/ipc/CMakeLists.txt b/src/sp/transport/ipc/CMakeLists.txt
index 7353c4f3..8cd78941 100644
--- a/src/sp/transport/ipc/CMakeLists.txt
+++ b/src/sp/transport/ipc/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2024 Staysail Systems, Inc. <info@staysail.tech>
+# Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
 # Copyright 2018 Capitar IT Group BV <info@capitar.com>
 #
 # This software is supplied under the terms of the MIT License, a
@@ -11,6 +11,8 @@
 # ipc protocol
 nng_directory(ipc)
 
-nng_sources_if(NNG_TRANSPORT_IPC ipc.c)
-nng_defines_if(NNG_TRANSPORT_IPC NNG_TRANSPORT_IPC)
-nng_test_if(NNG_TRANSPORT_IPC ipc_test)
+if (NNG_TRANSPORT_IPC)
+    nng_sources(ipc.c)
+    nng_defines(NNG_TRANSPORT_IPC)
+    nng_test(ipc_test)
+endif()
diff --git a/src/sp/transport/ipc/ipc.c b/src/sp/transport/ipc/ipc.c
index 67038e2e..6bf4445b 100644
--- a/src/sp/transport/ipc/ipc.c
+++ b/src/sp/transport/ipc/ipc.c
@@ -1,5 +1,5 @@
 //
-// Copyright 2024 Staysail Systems, Inc. <info@staysail.tech>
+// Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
 // Copyright 2018 Capitar IT Group BV <info@capitar.com>
 // Copyright 2019 Devolutions <info@devolutions.net>
 //
@@ -956,8 +956,14 @@ ipc_pipe_get(void *arg, const char *name, void *buf, size_t *szp, nni_type t)
 	return (nni_stream_get(p->conn, name, buf, szp, t));
 }
 
+static size_t
+ipc_pipe_size(void)
+{
+	return (sizeof(ipc_pipe));
+}
+
 static nni_sp_pipe_ops ipc_tran_pipe_ops = {
-	.p_size   = sizeof(ipc_pipe),
+	.p_size   = ipc_pipe_size,
 	.p_init   = ipc_pipe_init,
 	.p_fini   = ipc_pipe_fini,
 	.p_stop   = ipc_pipe_stop,
diff --git a/src/sp/transport/socket/CMakeLists.txt b/src/sp/transport/socket/CMakeLists.txt
index d79b261e..4c7e8b58 100644
--- a/src/sp/transport/socket/CMakeLists.txt
+++ b/src/sp/transport/socket/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2023 Staysail Systems, Inc. <info@staysail.tech>
+# Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
 #
 # This software is supplied under the terms of the MIT License, a
 # copy of which should be located in the distribution where this
@@ -10,6 +10,8 @@
 # File Descriptor (or Handle) based connections
 nng_directory(socket)
 
-nng_sources_if(NNG_TRANSPORT_FDC sockfd.c)
-nng_defines_if(NNG_TRANSPORT_FDC NNG_TRANSPORT_FDC)
-nng_test(sockfd_test)
\ No newline at end of file
+if (NNG_TRANSPORT_FDC)
+    nng_sources(sockfd.c)
+    nng_defines(NNG_TRANSPORT_FDC)
+    nng_test(sockfd_test)
+endif()
diff --git a/src/sp/transport/socket/sockfd.c b/src/sp/transport/socket/sockfd.c
index 37debc85..57693088 100644
--- a/src/sp/transport/socket/sockfd.c
+++ b/src/sp/transport/socket/sockfd.c
@@ -807,8 +807,14 @@ sfd_tran_ep_accept(void *arg, nni_aio *aio)
 	nni_mtx_unlock(&ep->mtx);
 }
 
+static size_t
+sfd_tran_pipe_size(void)
+{
+	return (sizeof(sfd_tran_pipe));
+}
+
 static nni_sp_pipe_ops sfd_tran_pipe_ops = {
-	.p_size   = sizeof(sfd_tran_pipe),
+	.p_size   = sfd_tran_pipe_size,
 	.p_init   = sfd_tran_pipe_init,
 	.p_fini   = sfd_tran_pipe_fini,
 	.p_stop   = sfd_tran_pipe_stop,
diff --git a/src/sp/transport/tcp/CMakeLists.txt b/src/sp/transport/tcp/CMakeLists.txt
index fea821c2..e611a502 100644
--- a/src/sp/transport/tcp/CMakeLists.txt
+++ b/src/sp/transport/tcp/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2024 Staysail Systems, Inc. <info@staysail.tech>
+# Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
 # Copyright 2018 Capitar IT Group BV <info@capitar.com>
 #
 # This software is supplied under the terms of the MIT License, a
@@ -11,6 +11,8 @@
 # TCP protocol
 nng_directory(tcp)
 
-nng_sources_if(NNG_TRANSPORT_TCP tcp.c)
-nng_defines_if(NNG_TRANSPORT_TCP NNG_TRANSPORT_TCP)
-nng_test(tcp_test)
+if (NNG_TRANSPORT_TCP)
+    nng_sources(tcp.c)
+    nng_defines(NNG_TRANSPORT_TCP)
+    nng_test(tcp_test)
+endif()
diff --git a/src/sp/transport/tcp/tcp.c b/src/sp/transport/tcp/tcp.c
index d77e7b2f..096d2e24 100644
--- a/src/sp/transport/tcp/tcp.c
+++ b/src/sp/transport/tcp/tcp.c
@@ -964,8 +964,14 @@ tcptran_ep_accept(void *arg, nni_aio *aio)
 	nni_mtx_unlock(&ep->mtx);
 }
 
+static size_t
+tcptran_pipe_size(void)
+{
+	return (sizeof(tcptran_pipe));
+}
+
 static nni_sp_pipe_ops tcptran_pipe_ops = {
-	.p_size   = sizeof(tcptran_pipe),
+	.p_size   = tcptran_pipe_size,
 	.p_init   = tcptran_pipe_init,
 	.p_fini   = tcptran_pipe_fini,
 	.p_stop   = tcptran_pipe_stop,
diff --git a/src/sp/transport/tls/CMakeLists.txt b/src/sp/transport/tls/CMakeLists.txt
index f55340a9..0ba9a235 100644
--- a/src/sp/transport/tls/CMakeLists.txt
+++ b/src/sp/transport/tls/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2024 Staysail Systems, Inc. <info@staysail.tech>
+# Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
 # Copyright 2018 Capitar IT Group BV <info@capitar.com>
 #
 # This software is supplied under the terms of the MIT License, a
@@ -11,6 +11,8 @@
 # TLS transport
 nng_directory(tls)
 
-nng_sources_if(NNG_TRANSPORT_TLS tls.c)
-nng_defines_if(NNG_TRANSPORT_TLS NNG_TRANSPORT_TLS)
-nng_test_if(NNG_ENABLE_TLS tls_tran_test)
+if (NNG_TRANSPORT_TLS)
+    nng_sources(tls.c)
+    nng_defines(NNG_TRANSPORT_TLS)
+    nng_test(tls_tran_test)
+endif()
diff --git a/src/sp/transport/tls/tls.c b/src/sp/transport/tls/tls.c
index 5c567692..fd983c67 100644
--- a/src/sp/transport/tls/tls.c
+++ b/src/sp/transport/tls/tls.c
@@ -952,8 +952,14 @@ tlstran_pipe_getopt(
 	return (rv);
 }
 
+static size_t
+tlstran_pipe_size(void)
+{
+	return (sizeof(tlstran_pipe)); // TODO add engine data size
+}
+
 static nni_sp_pipe_ops tlstran_pipe_ops = {
-	.p_size   = sizeof(tlstran_pipe),
+	.p_size   = tlstran_pipe_size,
 	.p_init   = tlstran_pipe_init,
 	.p_fini   = tlstran_pipe_fini,
 	.p_stop   = tlstran_pipe_stop,
diff --git a/src/sp/transport/tls/tls_tran_test.c b/src/sp/transport/tls/tls_tran_test.c
index 5b38d733..3c43b36e 100644
--- a/src/sp/transport/tls/tls_tran_test.c
+++ b/src/sp/transport/tls/tls_tran_test.c
@@ -35,6 +35,7 @@ tls_server_config_ecdsa(void)
 	return (c);
 }
 
+#ifdef NNG_SUPP_TLS_PSK
 static nng_tls_config *
 tls_config_psk(nng_tls_mode mode, const char *name, uint8_t *key, size_t len)
 {
@@ -43,6 +44,7 @@ tls_config_psk(nng_tls_mode mode, const char *name, uint8_t *key, size_t len)
 	NUTS_PASS(nng_tls_config_psk(c, name, key, len));
 	return (c);
 }
+#endif
 
 static nng_tls_config *
 tls_client_config(void)
diff --git a/src/sp/transport/udp/CMakeLists.txt b/src/sp/transport/udp/CMakeLists.txt
index b08cd861..391888fe 100644
--- a/src/sp/transport/udp/CMakeLists.txt
+++ b/src/sp/transport/udp/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2024 Staysail Systems, Inc. <info@staysail.tech>
+# Copyright 2025 Staysail Systems, Inc. <info@staysail.tech>
 #
 # This software is supplied under the terms of the MIT License, a
 # copy of which should be located in the distribution where this
@@ -10,6 +10,8 @@
 # UDP transport
 nng_directory(udp)
 
-nng_sources_if(NNG_TRANSPORT_UDP udp.c)
-nng_defines_if(NNG_TRANSPORT_UDP NNG_TRANSPORT_UDP)
-nng_test_if(NNG_TRANSPORT_UDP udp_tran_test)
+if (NNG_TRANSPORT_UDP)
+    nng_sources(udp.c)
+    nng_defines(NNG_TRANSPORT_UDP)
+    nng_test(udp_tran_test)
+endif()
diff --git a/src/sp/transport/udp/udp.c b/src/sp/transport/udp/udp.c
index 0aa46767..e19a5684 100644
--- a/src/sp/transport/udp/udp.c
+++ b/src/sp/transport/udp/udp.c
@@ -1756,8 +1756,14 @@ udp_ep_accept(void *arg, nni_aio *aio)
 	nni_mtx_unlock(&ep->mtx);
 }
 
+static size_t
+udp_pipe_size(void)
+{
+	return (sizeof(udp_pipe));
+}
+
 static nni_sp_pipe_ops udp_pipe_ops = {
-	.p_size   = sizeof(udp_pipe),
+	.p_size   = udp_pipe_size,
 	.p_init   = udp_pipe_init,
 	.p_fini   = udp_pipe_fini,
 	.p_stop   = udp_pipe_stop,
diff --git a/src/sp/transport/ws/CMakeLists.txt b/src/sp/transport/ws/CMakeLists.txt
index 437d0919..2b477c27 100644
--- a/src/sp/transport/ws/CMakeLists.txt
+++ b/src/sp/transport/ws/CMakeLists.txt
@@ -12,11 +12,14 @@
 nng_directory(ws)
 
 if (NNG_TRANSPORT_WS OR NNG_TRANSPORT_WSS)
-    set(WS_ON ON)
+    nng_sources(websocket.c)
 endif()
 
-nng_defines_if(NNG_TRANSPORT_WS NNG_TRANSPORT_WS)
-nng_defines_if(NNG_TRANSPORT_WSS NNG_TRANSPORT_WSS)
-nng_sources_if(WS_ON websocket.c)
-nng_test_if(WS_ON ws_test)
-nng_test_if(NNG_TRANSPORT_WSS wss_test)
+if (NNG_TRANSPORT_WS)
+    nng_defines(NNG_TRANSPORT_WS)
+    nng_test(ws_test)
+endif()
+if (NNG_TRANSPORT_WSS)
+    nng_defines(NNG_TRANSPORT_WSS)
+    nng_test(wss_test)
+endif()
diff --git a/src/sp/transport/ws/websocket.c b/src/sp/transport/ws/websocket.c
index b6045306..515f7b65 100644
--- a/src/sp/transport/ws/websocket.c
+++ b/src/sp/transport/ws/websocket.c
@@ -328,8 +328,14 @@ wstran_pipe_getopt(
 	return (rv);
 }
 
+static size_t
+wstran_pipe_size(void)
+{
+	return (sizeof(ws_pipe));
+}
+
 static nni_sp_pipe_ops ws_pipe_ops = {
-	.p_size   = sizeof(ws_pipe),
+	.p_size   = wstran_pipe_size,
 	.p_init   = wstran_pipe_init,
 	.p_fini   = wstran_pipe_fini,
 	.p_stop   = wstran_pipe_stop,