CocoaAsyncSocket (https://github.com/robbiehanson/CocoaAsyncSocket) code for where/how to run -startTLS: method. We are connecting to server with self-signed certificate and don't include the certificate (public key .pem) in the client.

CocoaAsyncSocket startTLS_without_cert.m

#pragma mark - GCDAsyncSocketDelegate
- (void)socket:(GCDAsyncSocket *)sock didConnectToHost:(NSString *)host port:(uint16_t)port {
    [self secureSocket:sock];
}
// We are connecting to server with self-signed certificate and don't include the certificate
// (public key .pem) in the client. So we skip all the cert checking. To actually check, see
// http://stackoverflow.com/questions/9874932/ssl-identity-certificate-to-run-an-https-server-on-ios
- (void)secureSocket:(GCDAsyncSocket *)sock {
    // It has been changed in CocoaAsyncSocket v7.4, some old option keys are now unavailable and will throw exception.
    // Use GCDAsyncSocketManuallyEvaluateTrust and evaluate in -socket:didReceiveTrust: delegate instead.
    NSMutableDictionary *settings = [NSMutableDictionary dictionary];
    [settings setObject:@YES forKey:GCDAsyncSocketManuallyEvaluateTrust]; // see GCDAsyncSocket.h
    [sock startTLS:settings];
}

- (void)socket:(GCDAsyncSocket *)sock didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler {
    if (completionHandler) completionHandler(YES);
}

- (void)socketDidSecure:(GCDAsyncSocket *)sock {
    // start receiving messages
    [_socket readDataWithTimeout:-1 tag:kTagMsg_default];
}

Is there any way to know within -socket:didConnectToHost:port: if the socket needs to be secured? Or does it need to have external context of if it should be secured, such as from the callee?