Diffstat (limited to 'src/transport')
-rw-r--r--src/transport/tls/tls.c2
-rw-r--r--src/transport/tls/tls.h12
-rw-r--r--src/transport/ws/websocket.c67
-rw-r--r--src/transport/ws/websocket.h54
4 files changed, 41 insertions, 94 deletions
diff --git a/src/transport/tls/tls.c b/src/transport/tls/tls.c
index 408ff50c..05d477b5 100644
--- a/src/transport/tls/tls.c
+++ b/src/transport/tls/tls.c
@@ -855,7 +855,7 @@ tls_getopt_verified(void *arg, void *v, size_t *szp)
static nni_tran_pipe_option nni_tls_pipe_options[] = {
{ NNG_OPT_LOCADDR, nni_tls_pipe_getopt_locaddr },
{ NNG_OPT_REMADDR, nni_tls_pipe_getopt_remaddr },
- { NNG_OPT_TLS_AUTH_VERIFIED, tls_getopt_verified },
+ { NNG_OPT_TLS_VERIFIED, tls_getopt_verified },
// terminate list
{ NULL, NULL }
};
diff --git a/src/transport/tls/tls.h b/src/transport/tls/tls.h
index 25edfa3a..a3fa0eb9 100644
--- a/src/transport/tls/tls.h
+++ b/src/transport/tls/tls.h
@@ -15,16 +15,4 @@
NNG_DECL int nng_tls_register(void);
-// TLS options. Note that these can only be set *before* the endpoint is
-// started. Once started, it is no longer possible to alter the TLS
-// configuration.
-
-// NNG_OPT_TLS_AUTH_VERIFIED is a boolean that can be read on pipes,
-// indicating whether the peer certificate is verified.
-#define NNG_OPT_TLS_AUTH_VERIFIED "tls:auth-verified"
-
-// NNG_OPT_TLS_CONFIG is used to access the underlying configuration
-// (an nng_tls_config *).
-#define NNG_OPT_TLS_CONFIG "tls:config"
-
#endif // NNG_TRANSPORT_TLS_TLS_H
diff --git a/src/transport/ws/websocket.c b/src/transport/ws/websocket.c
index 16cdf47b..a06910d3 100644
--- a/src/transport/ws/websocket.c
+++ b/src/transport/ws/websocket.c
@@ -43,6 +43,7 @@ struct ws_ep {
nni_ws_listener *listener;
nni_ws_dialer * dialer;
nni_list headers; // to send, res or req
+ bool started;
};
struct ws_pipe {
@@ -261,16 +262,13 @@ ws_hook(void *arg, nni_http_req *req, nni_http_res *res)
// Eventually we'll want user customizable hooks.
// For now we just set the headers we want.
- nni_mtx_lock(&ep->mtx);
NNI_LIST_FOREACH (&ep->headers, h) {
int rv;
- rv = nni_http_req_set_header(req, h->name, h->value);
+ rv = nni_http_res_set_header(res, h->name, h->value);
if (rv != 0) {
- nni_mtx_unlock(&ep->mtx);
return (rv);
}
}
- nni_mtx_unlock(&ep->mtx);
return (0);
}
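Review bot: The header list is now walked without `ep->mtx` in ws_hook, so its safety rests entirely on `ep->started`, and that flag is neither set early enough nor read under a lock. ws_ep_bind sets `ep->started = true` only after `nni_ws_listener_listen()` has returned, so a handshake can presumably reach this loop while ws_ep_setopt_headers (later hunks) still sees `started == false` and frees the entries with `nni_strfree(h->name)`; that is a use-after-free on the listener side unless the core serializes setopt against bind, which this diff does not show. Either keep `nni_mtx_lock(&ep->mtx)` around this loop and around the `started` check and list swap in ws_ep_setopt_headers, or set the flag before listening and clear it on failure. The same unlocked read of `ep->started` occurs at the top of ws_ep_connect, and ws_hook itself begins outside this hunk.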
@@ -278,9 +276,13 @@ static int
ws_ep_bind(void *arg)
{
ws_ep *ep = arg;
+ int rv;
nni_ws_listener_hook(ep->listener, ws_hook, ep);
- return (nni_ws_listener_listen(ep->listener));
+ if ((rv = nni_ws_listener_listen(ep->listener)) == 0) {
+ ep->started = true;
+ }
+ return (rv);
}
static void
@@ -320,28 +322,29 @@ static void
ws_ep_connect(void *arg, nni_aio *aio)
{
ws_ep * ep = arg;
- int rv;
+ int rv = 0;
ws_hdr *h;
+ if (!ep->started) {
+ NNI_LIST_FOREACH (&ep->headers, h) {
+ rv = nni_ws_dialer_header(
+ ep->dialer, h->name, h->value);
+ if (rv != 0) {
+ nni_aio_finish_error(aio, rv);
+ return;
+ }
+ }
+ }
+
nni_mtx_lock(&ep->mtx);
NNI_ASSERT(nni_list_empty(&ep->aios));
- // If we can't start, then its dying and we can't report
- // either.
+ // If we can't start, then its dying and we can't report either.
if ((rv = nni_aio_start(aio, ws_ep_cancel, ep)) != 0) {
nni_mtx_unlock(&ep->mtx);
return;
}
-
- NNI_LIST_FOREACH (&ep->headers, h) {
- rv = nni_ws_dialer_header(ep->dialer, h->name, h->value);
- if (rv != 0) {
- nni_aio_finish_error(aio, rv);
- nni_mtx_unlock(&ep->mtx);
- return;
- }
- }
-
+ ep->started = true;
nni_list_append(&ep->aios, aio);
nni_ws_dialer_dial(ep->dialer, ep->connaio);
nni_mtx_unlock(&ep->mtx);
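Review bot: The new header loop at the top of ws_ep_connect calls `nni_aio_finish_error(aio, rv)` before `nni_aio_start()` has run, whereas the removed code finished the aio only after a successful start; completing an aio that was never started looks unsafe unless the aio layer explicitly allows it. The loop also runs outside `ep->mtx`, and because `ep->started` stays false when `nni_aio_start()` fails, a later connect applies every header to the dialer again (whether `nni_ws_dialer_header` replaces or appends is not visible here). Moving the guarded loop back under the lock, after the start check, avoids both problems, as sketched below.

```c
	nni_mtx_lock(&ep->mtx);
	// … unchanged: aios assertion and nni_aio_start check …
	if (!ep->started) {
		// Headers are pushed to the dialer once, on the first dial.
		NNI_LIST_FOREACH (&ep->headers, h) {
			rv = nni_ws_dialer_header(
			    ep->dialer, h->name, h->value);
			if (rv != 0) {
				nni_aio_finish_error(aio, rv);
				nni_mtx_unlock(&ep->mtx);
				return;
			}
		}
		ep->started = true;
	}
	// … unchanged: append aio, dial, unlock …
```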
@@ -374,6 +377,10 @@ ws_ep_setopt_headers(ws_ep *ep, const void *v, size_t sz)
return (0);
}
+ if (ep->started) {
+ return (NNG_EBUSY);
+ }
+
NNI_LIST_INIT(&l, ws_hdr, node);
if ((dupstr = nni_strdup(v)) == NULL) {
return (NNG_ENOMEM);
@@ -418,7 +425,6 @@ ws_ep_setopt_headers(ws_ep *ep, const void *v, size_t sz)
name = nl;
}
- nni_mtx_lock(&ep->mtx);
while ((h = nni_list_first(&ep->headers)) != NULL) {
nni_list_remove(&ep->headers, h);
nni_strfree(h->name);
@@ -429,7 +435,6 @@ ws_ep_setopt_headers(ws_ep *ep, const void *v, size_t sz)
nni_list_remove(&l, h);
nni_list_append(&ep->headers, h);
}
- nni_mtx_unlock(&ep->mtx);
rv = 0;
done:
@@ -532,6 +537,13 @@ ws_pipe_getopt_reqhdrs(void *arg, void *v, size_t *szp)
return (nni_getopt_str(s, v, szp));
}
+static int
+ws_pipe_getopt_tls_verified(void *arg, void *v, size_t *szp)
+{
+ ws_pipe *p = arg;
+ return (nni_getopt_int(nni_ws_tls_verified(p->ws) ? 1 : 0, v, szp));
+}
+
static nni_tran_pipe_option ws_pipe_options[] = {
// clang-format off
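Review bot: ws_pipe_getopt_tls_verified has no comment saying what a 0 result means, and the next hunk registers it in `ws_pipe_options`, which by its name appears to serve plain ws:// pipes as well as wss://. An application running with NNG_TLS_AUTH_MODE_OPTIONAL depends on this value to decide whether to trust the peer, so the contract should be written down, for example `// Returns 1 only if the peer certificate was verified; 0 if unverified or the pipe is not TLS.` (confirm that this is what `nni_ws_tls_verified` returns for a non-TLS stream, which is not visible here). The value is exported with `nni_getopt_int`, while the comment removed from tls.h described the TLS transport's option as a boolean. It is worth confirming that both transports return the same type and size under `NNG_OPT_TLS_VERIFIED`, so a caller's buffer works for either.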
@@ -539,6 +551,7 @@ static nni_tran_pipe_option ws_pipe_options[] = {
{ NNG_OPT_REMADDR, ws_pipe_getopt_remaddr },
{ NNG_OPT_WS_REQUEST_HEADERS, ws_pipe_getopt_reqhdrs },
{ NNG_OPT_WS_RESPONSE_HEADERS, ws_pipe_getopt_reshdrs },
+ { NNG_OPT_TLS_VERIFIED, ws_pipe_getopt_tls_verified },
// clang-format on
// terminate list
@@ -931,37 +944,37 @@ static nni_tran_ep_option wss_ep_options[] = {
.eo_setopt = ws_ep_setopt_recvmaxsz,
},
{
- .eo_name = NNG_OPT_WSS_REQUEST_HEADERS,
+ .eo_name = NNG_OPT_WS_REQUEST_HEADERS,
.eo_getopt = NULL,
.eo_setopt = ws_ep_setopt_reqhdrs,
},
{
- .eo_name = NNG_OPT_WSS_RESPONSE_HEADERS,
+ .eo_name = NNG_OPT_WS_RESPONSE_HEADERS,
.eo_getopt = NULL,
.eo_setopt = ws_ep_setopt_reshdrs,
},
{
- .eo_name = NNG_OPT_WSS_TLS_CONFIG,
+ .eo_name = NNG_OPT_TLS_CONFIG,
.eo_getopt = wss_ep_getopt_tlsconfig,
.eo_setopt = wss_ep_setopt_tlsconfig,
},
{
- .eo_name = NNG_OPT_WSS_TLS_CERT_KEY_FILE,
+ .eo_name = NNG_OPT_TLS_CERT_KEY_FILE,
.eo_getopt = NULL,
.eo_setopt = wss_ep_setopt_tls_cert_key_file,
},
{
- .eo_name = NNG_OPT_WSS_TLS_CA_FILE,
+ .eo_name = NNG_OPT_TLS_CA_FILE,
.eo_getopt = NULL,
.eo_setopt = wss_ep_setopt_tls_ca_file,
},
{
- .eo_name = NNG_OPT_WSS_TLS_AUTH_MODE,
+ .eo_name = NNG_OPT_TLS_AUTH_MODE,
.eo_getopt = NULL,
.eo_setopt = wss_ep_setopt_tls_auth_mode,
},
{
- .eo_name = NNG_OPT_WSS_TLS_SERVER_NAME,
+ .eo_name = NNG_OPT_TLS_SERVER_NAME,
.eo_getopt = NULL,
.eo_setopt = wss_ep_setopt_tls_server_name,
},
diff --git a/src/transport/ws/websocket.h b/src/transport/ws/websocket.h
index 1f261067..76e94c3e 100644
--- a/src/transport/ws/websocket.h
+++ b/src/transport/ws/websocket.h
@@ -23,60 +23,6 @@ NNG_DECL int nng_ws_register(void);
// response headers, formatted as CRLF terminated lines.
#define NNG_OPT_WS_RESPONSE_HEADERS "ws:response-headers"
-// NNG_OPT_WSS_TLS_CONFIG is a pointer to a an nng_tls_config
-// object. This property is only available for wss:// style
-// endpoints. Note that when configuring the object, a hold
-// is placed on the TLS configuration. When retrieving the
-// object, no hold is placed, and so the caller must take care
-// not to use the configuration object after the endpoint it
-// is associated with is removed. Furthermore, as this is a
-// pointer, applications must take care to pass only valid
-// data -- incorrect pointer values will lead to undefined
-// behavior.
-#define NNG_OPT_WSS_TLS_CONFIG "wss:tls-config"
-
-// NNG_OPT_WSS_TLS_CERT_KEY_FILE names a single file that
-// contains a certificate and key identifying ourself. This
-// is a write-only value. Listeners can call this multiple
-// times for different keys/certs corresponding to different
-// algorithms, whereas clients only get one. The file must
-// contain both cert and key as PEM blocks, and the key must
-// not be encrypted. (If more flexibility is needed, use the
-// TLS configuration directly.) Note that TLS configuration
-// cannot be changed if the listener, or any other from the same
-// server and port, is already started.
-#define NNG_OPT_WSS_TLS_CERT_KEY_FILE "wss:tls-cert-key-file"
-
-// NNG_OPT_WSS_TLS_CA_FILE names a single file that
-// contains certificate(s) for a CA, and optinally CRLs. This
-// is a write-only value. Listeners can call this multiple
-// times for different keys/certs corresponding to different
-// algorithms, whereas clients only get one. The file must
-// contain certs as PEM blocks, and may contain CRLs as PEM
-// as well. (If more flexibility is needed, use the
-// TLS configuration directly.) Note that TLS configuration
-// cannot be changed if the listener, or any other from the same
-// server and port, is already started.
-#define NNG_OPT_WSS_TLS_CA_FILE "wss:tls-ca-file"
-
-// NNG_OPT_WSS_TLS_AUTH_MODE is a write-only integer (int) option
-// that specifies whether the peer is verified or not. The option
-// can take one of the values of NNG_TLS_AUTH_MODE_NONE,
-// NNG_TLS_AUTH_MODE_OPTIONAL, or NNG_TLS_AUTH_MODE_REQUIRED.
-// The default is NNG_TLS_AUTH_MODE_NONE for listeners, and
-// NNG_TLS_AUTH_MODE_REQUIRED for dialers.
-#define NNG_OPT_WSS_TLS_AUTH_MODE "wss:tls-auth-mode"
-
-// NNG_OPT_WSS_TLS_SERVER_NAME is a write-only string that can be
-// set on dialers to check the CN of the server for a match. This
-// can also affect SNI (server name indication).
-#define NNG_OPT_WSS_TLS_SERVER_NAME "wss:tls-server-name"
-
-// NNG_OPT_WSS_TLS_VERIFIED returns a single integer, indicating
-// whether the peer was verified or not. This is a read-only value
-// available only on pipes.
-#define NNT_OPT_WSS_TLS_VERIFIED "wss:tls-verified"
-
// These aliases are for WSS naming consistency.
#define NNG_OPT_WSS_REQUEST_HEADERS NNG_OPT_WS_REQUEST_HEADERS
#define NNG_OPT_WSS_RESPONSE_HEADERS NNG_OPT_WS_RESPONSE_HEADERS