Definitely harder than I thought…
After looking through the TDS specification, I see that the TLS handshake works differently than in most protocols. The client first has to reach out with a normal TDS “client hello” packet. Then the server responds with a TDS “server hello” packet, and then if they agree that they should use encryption, the TLS handshake starts. However, all TLS handshake packets are encapsulated in TDS packets.
However, the Erlang :ssl module doesn’t seem like it’s designed to work this way. It wants to own the TCP port and directly send the TLS handshake packets without giving anybody an opportunity to wrap them.
Does anybody have thoughts on the best way to make this work without writing a custom TLS implementation?
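The encapsulation described above, as an added example that is not the poster's code or any library's: each TLS handshake flight is carried in the body of TDS PRELOGIN packets (type 0x12, 8-byte header, end-of-message bit in the status byte, all from the TDS specification), and a flight larger than the packet size spans several packets until the EOM bit. The TLS record bytes below are constructed for the demo; the 4096-byte packet size is the pre-login default.

```python
import struct

TDS_PRELOGIN = 0x12   # TDS packet type that carries the TLS handshake (TDS spec)
STATUS_EOM = 0x01     # end-of-message bit in the TDS status byte
HEADER_LEN = 8        # type, status, length(2), spid(2), packet id, window
MAX_PACKET = 4096     # default packet size before login negotiates another

# Constructed sample: a TLS handshake record header (content type 0x16,
# version 3.1, 5-byte body) with dummy body bytes; not a real ClientHello.
TLS_RECORD = b"\x16\x03\x01\x00\x05hello"


def wrap_tls(tls_bytes: bytes, max_packet: int = MAX_PACKET) -> list:
    """Split one TLS flight into TDS PRELOGIN packets; only the last gets EOM."""
    body_max = max_packet - HEADER_LEN
    chunks = [tls_bytes[i:i + body_max] for i in range(0, len(tls_bytes), body_max)] or [b""]
    packets = []
    for pid, chunk in enumerate(chunks, start=1):
        status = STATUS_EOM if pid == len(chunks) else 0
        header = struct.pack(">BBHHBB", TDS_PRELOGIN, status,
                             HEADER_LEN + len(chunk), 0, pid & 0xFF, 0)
        packets.append(header + chunk)
    return packets


def unwrap_tls(stream: bytes) -> tuple:
    """Consume TDS packets from `stream` until EOM; return (tls_payload, leftover).

    Raises ValueError on a short or inconsistent header, or on a packet that is
    not PRELOGIN while the handshake is still in progress.
    """
    payload = bytearray()
    pos = 0
    while True:
        if len(stream) - pos < HEADER_LEN:
            raise ValueError("incomplete TDS header")
        ptype, status, length, _spid, _pid, _win = struct.unpack(
            ">BBHHBB", stream[pos:pos + HEADER_LEN])
        if ptype != TDS_PRELOGIN:
            raise ValueError(f"unexpected TDS packet type 0x{ptype:02x} during TLS handshake")
        if length < HEADER_LEN or pos + length > len(stream):
            raise ValueError("TDS length field inconsistent with buffer")
        payload += stream[pos + HEADER_LEN:pos + length]
        pos += length
        if status & STATUS_EOM:
            return bytes(payload), stream[pos:]
```

Only the handshake is framed this way; once TLS is established the direction reverses and TDS packets travel inside TLS application-data records, so a transport wrapper for :ssl would apply this framing just until the handshake completes.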