>What I've done is recreated a stdio-like interface sitting beneath all
>command/data I/O in ftpd, which is responsible for all encryption/
>decryption.  This layer sits on top of another net-layer, responsible
>for all socket I/O...  Incidentally, the socket part fixes those
>XXXLUKEM's about adding ratelimit support to ASCII mode transfers
>(though I have my own XXX's about ferror).

Interesting - sounds like my libsslfd - though I actually use stdio.
[it does include a stdio like api for boxes that have totally weird
stdio/syscall implementations].
I've neglected all this stuff since I moved to the U.S. since I didn't
want to run foul of the govt here (used to sell libsslfd).

I've contemplated simply integrating some/all of this into netbsd, but 
ENOTIME as usual.  If you have the time & interest, take a look at 

http://www.crufty.net/ftp/pub/sjg/SSLrsh-2.3.3.tar.gz

which contains the source for libsslfd as well as SSLrshd et al.
[I even have a simple SSLrcmd.java that can use it though JDK < 1.3.1
does not have shutdown semantics so the usefulness is limited]

Install/help stuff can be found at:

http://www.crufty.net/ftp/pub/sjg/help/SSLrsh.html

Let me know if you find it interesting.

Thanks
--sjg