# `Quiver.Transport.SSL`
[🔗](https://github.com/edlontech/quiver/blob/main/lib/quiver/transport/ssl.ex#L1)

SSL/TLS transport wrapping `:ssl`.

Uses the OS certificate store via `:public_key.cacerts_get/0` and
OTP's built-in hostname verification with wildcard SAN support.

# `t`

```elixir
@type t() :: %Quiver.Transport.SSL{
  negotiated_protocol: binary() | nil,
  socket: :ssl.sslsocket()
}
```

# `negotiated_protocol`

```elixir
@spec negotiated_protocol(t()) :: binary() | nil
```

Returns the ALPN protocol negotiated during the TLS handshake.

Returns `nil` if no protocol was negotiated (e.g. no ALPN extension
was advertised, or the server did not select one).

# `upgrade`

```elixir
@spec upgrade(:gen_tcp.socket(), String.t(), :inet.port_number(), keyword()) ::
  {:ok, t()} | {:error, term()}
```

Upgrades an existing TCP socket to TLS.

Takes a raw `:gen_tcp` socket and performs TLS negotiation on it.
Used for CONNECT tunneling where a TCP connection to a proxy
is upgraded to TLS for the target host.

---

*Consult [api-reference.md](api-reference.md) for complete listing*