Open a client byte stream to ep, wrapping the raw TCP connection in a vibe
TLS tunnel when ep.tls is set (https/wss). Returns a ProxyStream so the
five raw-TCP request paths share ONE TLS-handling site and treat the plaintext
and TLS cases uniformly. The TLS context uses
TLSContextKind.client with peer-certificate verification (checkPeer) and
sets the SNI/peer name to ep.host, so the server certificate and hostname are
validated; the underlying conn must outlive the returned stream (callers keep
it in scope and close() it). On a plaintext endpoint the raw connection is
returned unwrapped (still as a ProxyStream for a single static type).

Remove the surrounding brackets from a bracketed IPv6 literal host
([::1] -> ::1), leaving any other host untouched. The TLS SNI/peer name
and the SSRF/connect resolver both want the bare address, while the Host
header keeps the brackets.
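
The split between the bare address and the bracketed Host value, as an added D example that is not the project's own code. The `Endpoint` struct, the helper names `bareHost` and `hostHeader`, and the rule of omitting the default port (443 for TLS, 80 otherwise) from the Host value are assumptions made for illustration.

```d
import std.conv : to;

/// Hypothetical endpoint shape (assumption): host as written in the URL,
/// so an IPv6 literal arrives bracketed, e.g. "[::1]".
struct Endpoint
{
    string host;
    ushort port;
    bool tls;
}

/// Strip one pair of surrounding brackets from an IPv6 literal
/// ("[::1]" -> "::1"). Any other host, including an unbalanced or
/// empty bracket pair, is returned untouched.
string bareHost(string host)
{
    if (host.length > 2 && host[0] == '[' && host[$ - 1] == ']')
        return host[1 .. $ - 1];
    return host;
}

/// Value for the Host header: brackets are kept, and the port is
/// appended only when it differs from the scheme default (assumption).
string hostHeader(Endpoint ep)
{
    immutable ushort defaultPort = ep.tls ? 443 : 80;
    if (ep.port == defaultPort)
        return ep.host;
    return ep.host ~ ":" ~ ep.port.to!string;
}

unittest
{
    // Constructed sample endpoints.
    auto v6 = Endpoint("[::1]", 8443, true);
    assert(bareHost(v6.host) == "::1");        // TLS peer name / resolver input
    assert(hostHeader(v6) == "[::1]:8443");    // header keeps the brackets

    auto name = Endpoint("example.com", 443, true);
    assert(bareHost(name.host) == "example.com");
    assert(hostHeader(name) == "example.com");

    // Malformed or degenerate inputs pass through unchanged.
    assert(bareHost("[::1") == "[::1");
    assert(bareHost("[]") == "[]");
    assert(bareHost("") == "");
}
```

The unittest block runs with `rdmd -unittest -main file.d`.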