fixes #166 Websocket TLS mapping

This introduces the wss:// scheme, which is available and works like
the ws:// scheme if TLS is enabled in the library.

The library modularization is refactored somewhat, to make it easier
to use.  There is now a single NNG_ENABLE_TLS that enables TLS support
under the hood.

This also adds a new option for the TLS transport, NNG_OPT_TLS_CONFIG
(and a similar one for WSS, NNG_OPT_TLS_WSS_CONFIG) that offer access
to the underlying TLS configuration object, which now has a public API
to go with it as well.

Note that it is also possible to use pure HTTPS using the *private*
API, which will be exposed in a public form soon.

6 files changed, 407 insertions, 113 deletions

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 7f37c589..5f1a834f 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -46,19 +46,21 @@ if (NNG_TESTS)
     list (APPEND all_tests convey_test) 
 
     set (TEST_PORT 12100)
-    macro (add_nng_test NAME TIMEOUT)
-        list (APPEND all_tests ${NAME})
-        add_executable (${NAME} ${NAME}.c convey.c)
-        target_link_libraries (${NAME} ${PROJECT_NAME}_static)
-        target_link_libraries (${NAME} ${NNG_REQUIRED_LIBRARIES})
-        target_compile_definitions(${NAME} PUBLIC -DNNG_STATIC_LIB)
-        if (CMAKE_THREAD_LIBS_INIT)
-            target_link_libraries (${NAME} "${CMAKE_THREAD_LIBS_INIT}")
-        endif()
+    macro (add_nng_test NAME TIMEOUT COND)
+        if (${COND})
+            list (APPEND all_tests ${NAME})
+            add_executable (${NAME} ${NAME}.c convey.c)
+            target_link_libraries (${NAME} ${PROJECT_NAME}_static)
+            target_link_libraries (${NAME} ${NNG_REQUIRED_LIBRARIES})
+            target_compile_definitions(${NAME} PUBLIC -DNNG_STATIC_LIB)
+            if (CMAKE_THREAD_LIBS_INIT)
+                target_link_libraries (${NAME} "${CMAKE_THREAD_LIBS_INIT}")
+            endif()
 
-        add_test (NAME ${NAME} COMMAND ${NAME} -v -p TEST_PORT=${TEST_PORT})
-        set_tests_properties (${NAME} PROPERTIES TIMEOUT ${TIMEOUT})
-        math (EXPR TEST_PORT "${TEST_PORT}+20")
+            add_test (NAME ${NAME} COMMAND ${NAME} -v -p TEST_PORT=${TEST_PORT})
+            set_tests_properties (${NAME} PROPERTIES TIMEOUT ${TIMEOUT})
+            math (EXPR TEST_PORT "${TEST_PORT}+20")
+        endif()
     endmacro (add_nng_test)
 
     # Compatibility tests are only added if all of the legacy protocols
@@ -111,57 +113,61 @@ if (NNG_TESTS)
         endif()
     endmacro (add_nng_cpp_test)
 
+    macro (add_nng_proto_test NAME TIMEOUT P1 P2)
+        if (${P1} AND ${P2})
+            add_nng_test(${NAME} ${TIMEOUT} ON)
+        else()
+            message (STATUS "Protocol test ${NAME} disabled (unconfigured)")
+        endif()
+    endmacro()
 
 else ()
-    macro (add_nng_test NAME TIMEOUT)
+    macro (add_nng_test NAME TIMEOUT COND)
     endmacro (add_nng_test)
     macro (add_nng_compat_test NAME TIMEOUT)
     endmacro (add_nng_compat_test)
     macro (add_nng_cpp_test NAME TIMEOUT)
     endmacro (add_nng_cpp_test)
+    macro (add_nng_proto_test NAME TIMEOUT P1 P2)
+    endmacro()
 endif ()
 
-add_nng_test(aio 5)
-add_nng_test(bus 5)
-add_nng_test(files 5)
-add_nng_test(idhash 5)
-add_nng_test(inproc 5)
-add_nng_test(ipc 5)
-add_nng_test(list 5)
-add_nng_test(platform 5)
-add_nng_test(reqrep 5)
-add_nng_test(pipeline 5)
-add_nng_test(pollfd 5)
-add_nng_test(pubsub 5)
-add_nng_test(reconnect 5)
-add_nng_test(resolv 10)
-add_nng_test(sock 5)
-add_nng_test(survey 5)
-add_nng_test(synch 5)
-add_nng_test(transport 5)
-add_nng_test(tls 10)
-add_nng_test(tcp 5)
-add_nng_test(tcp6 5)
-add_nng_test(scalability 20)
-add_nng_test(message 5)
-add_nng_test(device 5)
-add_nng_test(errors 2)
-add_nng_test(pair1 5)
-add_nng_test(udp 5)
-add_nng_test(zt 60)
-add_nng_test(multistress 60)
-add_nng_test(ws 30)
-
-if (NNG_SUPP_BASE64)
-    add_nng_test(base64 5)
-endif()
-if (NNG_SUPP_HTTP)
-    add_nng_test(httpclient 30)
-    add_nng_test(httpserver 30)
-endif()
-if (NNG_SUPP_SHA1)
-    add_nng_test(sha1 5)
-endif()
+add_nng_test(aio 5 ON)
+add_nng_test(base64 5 NNG_SUPP_BASE64)
+add_nng_test(device 5 ON)
+add_nng_test(errors 2 ON)
+add_nng_test(files 5 ON)
+add_nng_test(httpclient 30 NNG_SUPP_HTTP)
+add_nng_test(httpserver 30 NNG_SUPP_HTTP)
+add_nng_test(idhash 5 ON)
+add_nng_test(inproc 5 NNG_TRANSPORT_INPROC)
+add_nng_test(ipc 5 NNG_TRANSPORT_IPC)
+add_nng_test(list 5 ON)
+add_nng_test(message 5 ON)
+add_nng_test(multistress 60 ON)
+add_nng_test(platform 5 ON)
+add_nng_test(pollfd 5 ON)
+add_nng_test(reconnect 5 ON)
+add_nng_test(resolv 10 ON)
+add_nng_test(scalability 20 ON)
+add_nng_test(sha1 5 NNG_SUPP_SHA1)
+add_nng_test(sock 5 ON)
+add_nng_test(synch 5 ON)
+add_nng_test(tls 10 NNG_TRANSPORT_TLS)
+add_nng_test(tcp 5 NNG_TRANSPORT_TCP)
+add_nng_test(tcp6 5 NNG_TRANSPORT_TCP)
+add_nng_test(transport 5 ON)
+add_nng_test(udp 5 ON)
+add_nng_test(ws 30 NNG_TRANSPORT_WS)
+add_nng_test(wss 30 NNG_TRANSPORT_WSS)
+add_nng_test(zt 60 NNG_TRANSPORT_ZEROTIER)
+
+add_nng_proto_test(bus 5 NNG_PROTO_BUS0 NNG_PROTO_BUS0)
+add_nng_test(pipeline 5 NNG_PROTO_PULL0 NNG_PROTO_PIPELINE0)
+add_nng_proto_test(pair1 5 NNG_PROTO_PAIR1 NNG_PROTO_PAIR1)
+add_nng_proto_test(pubsub 5 NNG_PROTO_PUB0 NNG_PROTO_SUB0)
+add_nng_proto_test(reqrep 5 NNG_PROTO_REQ0 NNG_PROTO_REP0)
+add_nng_test(survey 5 NNG_PROTO_SURVEYOR0 NNG_PROTO_RESPONDENT0)
 
 # compatbility tests
 # We only support these if ALL the legacy protocols are supported.  This
diff --git a/tests/multistress.c b/tests/multistress.c
index 7088ac14..6a41a551 100644
--- a/tests/multistress.c
+++ b/tests/multistress.c
@@ -44,7 +44,7 @@ const char *inproc_template = "inproc://nng_multistress_%d";
 const char *ipc_template    = "ipc:///tmp/nng_multistress_%d";
 
 const char *templates[] = {
-#ifdef NNG_HAVE_TCP
+#ifdef NNG_TRANSPORT_TCP
 	"tcp://127.0.0.1:%d",
 #endif
 // It would be nice to test TCPv6, but CI doesn't support it.
@@ -52,10 +52,10 @@ const char *templates[] = {
 #ifdef NNG_TEST_TCPV6
 	"tcp://[::1]:%d",
 #endif
-#ifdef NNG_HAVE_INPROC
+#ifdef NNG_TRANSPORT_INPROC
 	"inproc://nng_multistress_%d",
 #endif
-#ifdef NNG_HAVE_IPC
+#ifdef NNG_TRANSPORT_IPC
 	"ipc:///tmp/nng_multistress_%d",
 #endif
 };
diff --git a/tests/tls.c b/tests/tls.c
index fa44d9c9..70b22fea 100644
--- a/tests/tls.c
+++ b/tests/tls.c
@@ -105,20 +105,54 @@ check_props_v4(nng_msg *msg, nng_listener l, nng_dialer d)
 }
 
 static int
-init_tls(trantest *tt)
+init_dialer_tls(trantest *tt, nng_dialer d)
 {
-	const char *own[3];
-
-	So(nng_setopt(tt->reqsock, NNG_OPT_TLS_CA_CERT, server_cert,
-	       sizeof(server_cert)) == 0);
-	own[0] = server_cert;
-	own[1] = server_key;
-	own[2] = NULL;
-	So(nng_setopt(tt->repsock, NNG_OPT_TLS_CERT, server_cert,
-	       sizeof(server_cert)) == 0);
-	So(nng_setopt(tt->repsock, NNG_OPT_TLS_PRIVATE_KEY, server_key,
-	       sizeof(server_key)) == 0);
+	nng_tls_config *cfg;
+	int             rv;
+
+	if ((rv = nng_tls_config_init(&cfg, NNG_TLS_MODE_CLIENT)) != 0) {
+		return (rv);
+	}
+	if ((rv = nng_tls_config_ca_cert(
+	         cfg, (void *) server_cert, sizeof(server_cert))) != 0) {
+		goto out;
+	}
+	if ((rv = nng_tls_config_server_name(cfg, "127.0.0.1")) != 0) {
+		goto out;
+	}
+	nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE);
+	rv = nng_dialer_setopt_ptr(d, NNG_OPT_TLS_CONFIG, cfg);
+
+out:
+	nng_tls_config_fini(cfg);
+	return (rv);
+}
 
+static int
+init_listener_tls(trantest *tt, nng_listener l)
+{
+	nng_tls_config *cfg;
+	int             rv;
+
+	if ((rv = nng_tls_config_init(&cfg, NNG_TLS_MODE_SERVER)) != 0) {
+		return (rv);
+	}
+	if ((rv = nng_tls_config_cert(
+	         cfg, (void *) server_cert, sizeof(server_cert))) != 0) {
+		nng_tls_config_fini(cfg);
+		return (rv);
+	}
+	if ((rv = nng_tls_config_key(
+	         cfg, (void *) server_key, sizeof(server_key))) != 0) {
+		nng_tls_config_fini(cfg);
+		return (rv);
+	}
+
+	if ((rv = nng_listener_setopt_ptr(l, NNG_OPT_TLS_CONFIG, cfg)) != 0) {
+		nng_tls_config_fini(cfg);
+		return (rv);
+	}
+	nng_tls_config_fini(cfg);
 	return (0);
 }
 
@@ -126,8 +160,10 @@ TestMain("TLS Transport", {
 
 	static trantest tt;
 
-	tt.init = init_tls;
-	tt.tmpl = "tls+tcp://127.0.0.1:%u";
+	tt.dialer_init   = init_dialer_tls;
+	tt.listener_init = init_listener_tls;
+	tt.tmpl          = "tls+tcp://127.0.0.1:%u";
+	tt.proptest      = check_props_v4;
 	atexit(nng_fini);
 
 	trantest_test(&tt);
diff --git a/tests/trantest.h b/tests/trantest.h
index b1b0ff80..324668dd 100644
--- a/tests/trantest.h
+++ b/tests/trantest.h
@@ -26,41 +26,42 @@ typedef int (*trantest_proptest_t)(nng_msg *, nng_listener, nng_dialer);
 typedef struct trantest trantest;
 
 struct trantest {
-	const char * tmpl;
-	char         addr[NNG_MAXADDRLEN + 1];
-	nng_socket   reqsock;
-	nng_socket   repsock;
-	nni_tran *   tran;
-	nng_dialer   dialer;
-	nng_listener listener;
+	const char *tmpl;
+	char        addr[NNG_MAXADDRLEN + 1];
+	nng_socket  reqsock;
+	nng_socket  repsock;
+	nni_tran *  tran;
 	int (*init)(struct trantest *);
 	void (*fini)(struct trantest *);
-	int (*dialer_init)(struct trantest *);
-	int (*listener_init)(struct trantest *);
+	int (*dialer_init)(struct trantest *, nng_dialer);
+	int (*listener_init)(struct trantest *, nng_listener);
 	int (*proptest)(nng_msg *, nng_listener, nng_dialer);
 	void *private; // transport specific private data
 };
 
 unsigned trantest_port = 0;
 
-#ifndef NNG_HAVE_ZEROTIER
+#ifndef NNG_TRANSPORT_ZEROTIER
 #define nng_zt_register notransport
 #endif
-#ifndef NNG_HAVE_INPROC
+#ifndef NNG_TRANSPORT_INPROC
 #define nng_inproc_register notransport
 #endif
-#ifndef NNG_HAVE_IPC
+#ifndef NNG_TRANSPORT_IPC
 #define nng_ipc_register notransport
 #endif
-#ifndef NNG_HAVE_TCP
+#ifndef NNG_TRANSPORT_TCP
 #define nng_tcp_register notransport
 #endif
-#ifndef NNG_HAVE_TLS
+#ifndef NNG_TRANSPORT_TLS
 #define nng_tls_register notransport
 #endif
-#ifndef NNG_HAVE_WEBSOCKET
+#ifndef NNG_TRANSPORT_WS
 #define nng_ws_register notransport
 #endif
+#ifndef NNG_TRANSPORT_WSS
+#define nng_wss_register notransport
+#endif
 
 int
 notransport(void)
@@ -76,24 +77,27 @@ notransport(void)
 void
 trantest_checktran(const char *url)
 {
-#ifndef NNG_HAVE_ZEROTIER
-	CHKTRAN(url, "zt:");
-#endif
-#ifndef NNG_HAVE_INPROC
+#ifndef NNG_TRANSPORT_INPROC
 	CHKTRAN(url, "inproc:");
 #endif
-#ifndef NNG_HAVE_IPC
+#ifndef NNG_TRANSPORT_IPC
 	CHKTRAN(url, "ipc:");
 #endif
-#ifndef NNG_HAVE_TCP
+#ifndef NNG_TRANSPORT_TCP
 	CHKTRAN(url, "tcp:");
 #endif
-#ifndef NNG_HAVE_TLS
+#ifndef NNG_TRANSPORT_TLS
 	CHKTRAN(url, "tls+tcp:");
 #endif
-#ifndef NNG_HAVE_WEBSOCKET
+#ifndef NNG_TRANSPORT_WS
 	CHKTRAN(url, "ws:");
 #endif
+#ifndef NNG_TRANSPORT_WSS
+	CHKTRAN(url, "wss:");
+#endif
+#ifndef NNG_TRANSPORT_ZEROTIER
+	CHKTRAN(url, "zt:");
+#endif
 
 	(void) url;
 }
@@ -149,13 +153,53 @@ trantest_fini(trantest *tt)
 }
 
 int
-trantest_dial(trantest *tt)
+trantest_dial(trantest *tt, nng_dialer *dp)
 {
-	So(nng_dialer_create(&tt->dialer, tt->reqsock, tt->addr) == 0);
+	nng_dialer d;
+	int        rv;
+	*dp = 0;
+
+	rv = nng_dialer_create(&d, tt->reqsock, tt->addr);
+	if (rv != 0) {
+		return (rv);
+	}
 	if (tt->dialer_init != NULL) {
-		So(tt->dialer_init(tt) == 0);
+		if ((rv = tt->dialer_init(tt, d)) != 0) {
+			nng_dialer_close(d);
+			return (rv);
+		}
+	}
+	if ((rv = nng_dialer_start(d, 0)) != 0) {
+		nng_dialer_close(d);
+		return (rv);
 	}
-	return (nng_dialer_start(tt->dialer, 0));
+	*dp = d;
+	return (0);
+}
+
+int
+trantest_listen(trantest *tt, nng_listener *lp)
+{
+	int          rv;
+	nng_listener l;
+	*lp = 0;
+
+	rv = nng_listener_create(&l, tt->repsock, tt->addr);
+	if (rv != 0) {
+		return (rv);
+	}
+	if (tt->listener_init != NULL) {
+		if ((rv = tt->listener_init(tt, l)) != 0) {
+			nng_listener_close(l);
+			return (rv);
+		}
+	}
+	if ((rv = nng_listener_start(l, 0)) != 0) {
+		nng_listener_close(l);
+		return (rv);
+	}
+	*lp = l;
+	return (rv);
 }
 
 void
@@ -174,11 +218,11 @@ trantest_conn_refused(trantest *tt)
 	Convey("Connection refused works", {
 		nng_dialer d = 0;
 
-		So(nng_dial(tt->reqsock, tt->addr, &d, 0) == NNG_ECONNREFUSED);
+		So(trantest_dial(tt, &d) == NNG_ECONNREFUSED);
 		So(d == 0);
-		So(nng_dial(tt->repsock, tt->addr, &d, 0) == NNG_ECONNREFUSED);
+		So(trantest_dial(tt, &d) == NNG_ECONNREFUSED);
 		So(d == 0);
-	})
+	});
 }
 
 void
@@ -187,13 +231,13 @@ trantest_duplicate_listen(trantest *tt)
 	Convey("Duplicate listen rejected", {
 		nng_listener l;
 		int          rv;
-		rv = nng_listen(tt->repsock, tt->addr, &l, 0);
+		rv = trantest_listen(tt, &l);
 		So(rv == 0);
 		So(l != 0);
 		l = 0;
-		So(nng_listen(tt->repsock, tt->addr, &l, 0) == NNG_EADDRINUSE);
+		So(trantest_listen(tt, &l) == NNG_EADDRINUSE);
 		So(l == 0);
-	})
+	});
 }
 
 void
@@ -202,11 +246,11 @@ trantest_listen_accept(trantest *tt)
 	Convey("Listen and accept", {
 		nng_listener l;
 		nng_dialer   d;
-		So(nng_listen(tt->repsock, tt->addr, &l, 0) == 0);
+		So(trantest_listen(tt, &l) == 0);
 		So(l != 0);
 
 		d = 0;
-		So(nng_dial(tt->reqsock, tt->addr, &d, 0) == 0);
+		So(trantest_dial(tt, &d) == 0);
 		So(d != 0);
 	})
 }
@@ -216,6 +260,7 @@ trantest_send_recv(trantest *tt)
 {
 	Convey("Send and recv", {
 		nng_listener l;
+		nng_dialer   d;
 		nng_msg *    send;
 		nng_msg *    recv;
 		size_t       len;
@@ -223,9 +268,10 @@ trantest_send_recv(trantest *tt)
 		char         url[NNG_MAXADDRLEN];
 		size_t       sz;
 
-		So(nng_listen(tt->repsock, tt->addr, &l, 0) == 0);
+		So(trantest_listen(tt, &l) == 0);
 		So(l != 0);
-		So(trantest_dial(tt) == 0);
+		So(trantest_dial(tt, &d) == 0);
+		So(d != 0);
 
 		nng_msleep(200); // listener may be behind slightly
 
@@ -269,9 +315,9 @@ trantest_check_properties(trantest *tt, trantest_proptest_t f)
 		nng_msg *    recv;
 		int          rv;
 
-		So(nng_listen(tt->repsock, tt->addr, &l, 0) == 0);
+		So(trantest_listen(tt, &l) == 0);
 		So(l != 0);
-		So(nng_dial(tt->reqsock, tt->addr, &d, 0) == 0);
+		So(trantest_dial(tt, &d) == 0);
 		So(d != 0);
 
 		nng_msleep(200); // listener may be behind slightly
@@ -311,9 +357,9 @@ trantest_send_recv_large(trantest *tt)
 			data[i] = nni_random() & 0xff;
 		}
 
-		So(nng_listen(tt->repsock, tt->addr, &l, 0) == 0);
+		So(trantest_listen(tt, &l) == 0);
 		So(l != 0);
-		So(nng_dial(tt->reqsock, tt->addr, &d, 0) == 0);
+		So(trantest_dial(tt, &d) == 0);
 		So(d != 0);
 
 		nng_msleep(200); // listener may be behind slightly
diff --git a/tests/wss.c b/tests/wss.c
new file mode 100644
index 00000000..2f701117
--- /dev/null
+++ b/tests/wss.c
@@ -0,0 +1,206 @@
+//
+// Copyright 2017 Garrett D'Amore <garrett@damore.org>
+// Copyright 2017 Capitar IT Group BV <info@capitar.com>
+//
+// This software is supplied under the terms of the MIT License, a
+// copy of which should be located in the distribution where this
+// file was obtained (LICENSE.txt).  A copy of the license may also be
+// found online at https://opensource.org/licenses/MIT.
+//
+
+#include "convey.h"
+#include "nng.h"
+#include "protocol/pair1/pair.h"
+#include "transport/ws/websocket.h"
+#include "trantest.h"
+
+#include "stubs.h"
+// TCP tests.
+
+#ifndef _WIN32
+#include <arpa/inet.h>
+#endif
+
+// These keys are for demonstration purposes ONLY.  DO NOT USE.
+// The certificate is valid for 100 years, because I don't want to
+// have to regenerate it ever again. The CN is 127.0.0.1, and self-signed.
+//
+// Generated using openssl:
+//
+// % openssl ecparam -name secp521r1 -noout -genkey -out key.key
+// % openssl req -new -key key.key -out cert.csr
+// % openssl x509 -req -in cert.csr -days 36500 -out cert.crt -signkey key.key
+//
+// Relevant metadata:
+//
+// Certificate:
+//     Data:
+//        Version: 1 (0x0)
+//        Serial Number: 9808857926806240008 (0x882010509b8f7b08)
+//    Signature Algorithm: ecdsa-with-SHA1
+//        Issuer: C=US, ST=CA, L=San Diego, O=nanomsg, CN=127.0.0.1
+//        Validity
+//            Not Before: Nov 17 20:08:06 2017 GMT
+//            Not After : Oct 24 20:08:06 2117 GMT
+//        Subject: C=US, ST=CA, L=San Diego, O=nanomsg, CN=127.0.0.1
+//
+static const char server_cert[] =
+    "-----BEGIN CERTIFICATE-----\n"
+    "MIICIjCCAYMCCQDaC9ARg31kIjAKBggqhkjOPQQDAjBUMQswCQYDVQQGEwJVUzEL\n"
+    "MAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNhbiBEaWVnbzEQMA4GA1UECgwHbmFub21z\n"
+    "ZzESMBAGA1UEAwwJMTI3LjAuMC4xMCAXDTE3MTExNzIwMjczMloYDzIxMTcxMDI0\n"
+    "MjAyNzMyWjBUMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNh\n"
+    "biBEaWVnbzEQMA4GA1UECgwHbmFub21zZzESMBAGA1UEAwwJMTI3LjAuMC4xMIGb\n"
+    "MBAGByqGSM49AgEGBSuBBAAjA4GGAAQAN7vDK6GEiSguMsOuhfOvGyiVc37Sog0b\n"
+    "UkpaiS6+SagTmXFSN1Rgh9isxKFYJvcCtAko3v0I8rAVQucdhf5B3hEBMQlbBIuM\n"
+    "rMKT6ZQJ+eiwyb4O3Scgd7DoL3tc/kOqijwB/5hJ4sZdquDKP5DDFe5fAf4MNtzY\n"
+    "4C+iApWlKq/LoXkwCgYIKoZIzj0EAwIDgYwAMIGIAkIBOuJAWmNSdd6Ovmr6Ebg3\n"
+    "UF9ZrsNwARd9BfYbBk5OQhUOjCLB6d8aLi49WOm1WoRvOS5PaVvmvSfNhaw8b5nV\n"
+    "hnYCQgC+EmJ6C3bEcZrndhfbqvCaOGkc7/SrKhC6fS7mJW4wL90QUV9WjQ2Ll6X5\n"
+    "PxkSj7s0SvD6T8j7rju5LDgkdZc35A==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char server_key[] =
+    "-----BEGIN EC PRIVATE KEY-----\n"
+    "MIHcAgEBBEIB20OHMntU2UJW2yuQn2f+bLsuhTT5KRGorcocnqxatWLvxuF1cfUA\n"
+    "TjQxRRS6BIUvFt1fMIklp9qedJF00JHy4qWgBwYFK4EEACOhgYkDgYYABAA3u8Mr\n"
+    "oYSJKC4yw66F868bKJVzftKiDRtSSlqJLr5JqBOZcVI3VGCH2KzEoVgm9wK0CSje\n"
+    "/QjysBVC5x2F/kHeEQExCVsEi4yswpPplAn56LDJvg7dJyB3sOgve1z+Q6qKPAH/\n"
+    "mEnixl2q4Mo/kMMV7l8B/gw23NjgL6IClaUqr8uheQ==\n"
+    "-----END EC PRIVATE KEY-----\n";
+
+static int
+check_props_v4(nng_msg *msg, nng_listener l, nng_dialer d)
+{
+	nng_pipe p;
+	size_t   z;
+	p = nng_msg_get_pipe(msg);
+	So(p > 0);
+
+	Convey("Local address property works", {
+		nng_sockaddr la;
+		z = sizeof(nng_sockaddr);
+		So(nng_pipe_getopt(p, NNG_OPT_LOCADDR, &la, &z) == 0);
+		So(z == sizeof(la));
+		So(la.s_un.s_family == NNG_AF_INET);
+		So(la.s_un.s_in.sa_port == htons(trantest_port - 1));
+		So(la.s_un.s_in.sa_port != 0);
+		So(la.s_un.s_in.sa_addr == htonl(0x7f000001));
+	});
+
+	Convey("Remote address property works", {
+		nng_sockaddr ra;
+		z = sizeof(nng_sockaddr);
+		So(nng_pipe_getopt(p, NNG_OPT_REMADDR, &ra, &z) == 0);
+		So(z == sizeof(ra));
+		So(ra.s_un.s_family == NNG_AF_INET);
+		So(ra.s_un.s_in.sa_port != 0);
+		So(ra.s_un.s_in.sa_addr == htonl(0x7f000001));
+	});
+
+	Convey("Request header property works", {
+		char * buf;
+		size_t len;
+		z   = 0;
+		buf = NULL;
+		So(nng_pipe_getopt(p, NNG_OPT_WS_REQUEST_HEADERS, buf, &z) ==
+		    0);
+		So(z > 0);
+		len = z;
+		So((buf = nni_alloc(len)) != NULL);
+		So(nng_pipe_getopt(p, NNG_OPT_WS_REQUEST_HEADERS, buf, &z) ==
+		    0);
+		So(strstr(buf, "Sec-WebSocket-Key") != NULL);
+		So(z == len);
+		nni_free(buf, len);
+	});
+
+	Convey("Response header property works", {
+		char * buf;
+		size_t len;
+		z   = 0;
+		buf = NULL;
+		So(nng_pipe_getopt(p, NNG_OPT_WS_RESPONSE_HEADERS, buf, &z) ==
+		    0);
+		So(z > 0);
+		len = z;
+		So((buf = nni_alloc(len)) != NULL);
+		So(nng_pipe_getopt(p, NNG_OPT_WS_RESPONSE_HEADERS, buf, &z) ==
+		    0);
+		So(strstr(buf, "Sec-WebSocket-Accept") != NULL);
+		So(z == len);
+		nni_free(buf, len);
+	});
+
+	return (0);
+}
+
+static int
+init_dialer_wss(trantest *tt, nng_dialer d)
+{
+	nng_tls_config *cfg;
+	int             rv;
+
+	if ((rv = nng_tls_config_init(&cfg, NNG_TLS_MODE_CLIENT)) != 0) {
+		return (rv);
+	}
+	if ((rv = nng_tls_config_ca_cert(
+	         cfg, (void *) server_cert, sizeof(server_cert))) != 0) {
+		goto out;
+	}
+	if ((rv = nng_tls_config_server_name(cfg, "127.0.0.1")) != 0) {
+		goto out;
+	}
+	nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE);
+	rv = nng_dialer_setopt_ptr(d, NNG_OPT_WSS_TLS_CONFIG, cfg);
+
+out:
+	nng_tls_config_fini(cfg);
+	return (rv);
+}
+
+static int
+init_listener_wss(trantest *tt, nng_listener l)
+{
+	nng_tls_config *cfg;
+	int             rv;
+
+	if ((rv = nng_tls_config_init(&cfg, NNG_TLS_MODE_SERVER)) != 0) {
+		return (rv);
+	}
+	if ((rv = nng_tls_config_cert(
+	         cfg, (void *) server_cert, sizeof(server_cert))) != 0) {
+		nng_tls_config_fini(cfg);
+		return (rv);
+	}
+	if ((rv = nng_tls_config_key(
+	         cfg, (void *) server_key, sizeof(server_key))) != 0) {
+		nng_tls_config_fini(cfg);
+		return (rv);
+	}
+
+	if ((rv = nng_listener_setopt_ptr(l, NNG_OPT_WSS_TLS_CONFIG, cfg)) !=
+	    0) {
+		// We can wind up with EBUSY from the server
+		// already running.
+		if (rv != NNG_EBUSY) {
+			nng_tls_config_fini(cfg);
+			return (rv);
+		}
+	}
+	nng_tls_config_fini(cfg);
+	return (0);
+}
+
+TestMain("WebSocket Secure (TLS) Transport", {
+	static trantest tt;
+
+	tt.dialer_init   = init_dialer_wss;
+	tt.listener_init = init_listener_wss;
+	tt.tmpl          = "wss://127.0.0.1:%u/test";
+	tt.proptest      = check_props_v4;
+
+	trantest_test(&tt);
+
+	nng_fini();
+})
diff --git a/tests/zt.c b/tests/zt.c
index 52f535c9..6c7b35e8 100644
--- a/tests/zt.c
+++ b/tests/zt.c
@@ -39,7 +39,7 @@ mkdir(const char *path, int mode)
 #include <unistd.h>
 #endif // WIN32
 
-#ifndef NNG_HAVE_ZEROTIER
+#ifndef NNG_TRANSPORT_ZEROTIER
 #define nng_zt_network_status_ok 0
 #endif