Verify Transport is TLS

src/error.rs

@@ -142,6 +142,12 @@ pub enum Error {
     /// Attempt to connect to a CONNECT proxy failed.
     ConnectProxyFailed(String),
 
+    /// The protocol requires TLS (https), but the connector did not
+    /// create a TLS secured transport.
+    ///
+    /// This typically indicates a fault in bespoke `Connector` chains.
+    TlsRequired,
+
     /// hoot made no progress and there is no more input to read.
     ///
     /// We should never see this value.
@@ -230,6 +236,7 @@ impl fmt::Display for Error {
             #[cfg(feature = "json")]
             Error::Json(v) => write!(f, "json: {}", v),
             Error::ConnectProxyFailed(v) => write!(f, "CONNECT proxy failed: {}", v),
+            Error::TlsRequired => write!(f, "TLS required, but transport is unsecured"),
             Error::BodyStalled => write!(f, "body data reading stalled"),
         }
     }

src/pool.rs

@@ -140,6 +140,10 @@ impl Connection {
         pool.purge(now);
     }
 
+    pub fn is_tls(&self) -> bool {
+        self.transport.is_tls()
+    }
+
     fn age(&self, now: Instant) -> Duration {
         now.duration_since(now)
     }

src/run.rs

@@ -377,6 +377,10 @@ fn connect(
 
     let connection = agent.pool.connect(&details, config.max_idle_age().into())?;
 
+    if details.needs_tls() && !connection.is_tls() {
+        return Err(Error::TlsRequired);
+    }
+
     timings.record_time(Timeout::Connect);
 
     Ok(connection)

src/unversioned/transport/mod.rs

@@ -486,4 +486,8 @@ where
     fn is_open(&mut self) -> bool {
         (**self).is_open()
     }
+
+    fn is_tls(&self) -> bool {
+        (**self).is_tls()
+    }
 }