One last thing. tls_read and tls_write respectively return TLS_READ_AGAIN and TLS_WRITE_AGAIN as well as the documented 0 and -1.
You might consider returning a value that represents EOF rather then just putting the string into an error message and returning -1 from tls_read. It would help in efficiently checking for an unexpected EOF. Thanks for taking on the effort of cleaning up OpenSSL. It's an important piece of software that needs the help. I was very pleased that a program I had written for OpenSSL rebuilt and ran without a problem simply by linking to the LibreSSL libraries. I think the simplifications of libtsl are also worthwhile. Regards, Greg Martin
