The Mandos server announces itself as a Zeroconf service of type "_mandos._tcp". The Mandos client sends a line of text where the first whitespace-separated field is the protocol version, which currently is "1". The client and server then start a TLS protocol handshake with a slight quirk: the Mandos server program acts as a TLS "client" while the connecting Mandos client acts as a TLS "server". The Mandos client must supply an OpenPGP certificate, and the fingerprint of this certificate is used by the Mandos server to look up (in a list read from a file at start time) which binary blob to give the client. No other authentication or authorization is done by the server.

| Mandos Client                              |     | Mandos Server |
|--------------------------------------------+-----+---------------|
| Connect                                    |     |               |
| "1\r\n"                                    | ->  |               |
| TLS handshake                              | <-> | TLS handshake |
| OpenPGP public key (part of TLS handshake) | ->  |               |
|                                            | <-  | Binary blob   |
|                                            |     | Close         |
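The server-side decisions in this exchange, as an added sketch that is not Mandos's own code: a bounded read of the version line, a version check, and a default-deny fingerprint lookup. The TLS handshake itself is left out; the function names, the length cap, the sample fingerprint and the blob are constructed for illustration, and the fingerprint is assumed to have been taken from the certificate the client presented.

```python
import socket

SUPPORTED_VERSIONS = {"1"}   # the page: the version "currently is 1"
MAX_GREETING = 64            # assumption: length cap chosen for this sketch

def read_version(sock):
    """Read the greeting line and return its first whitespace-separated field."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        if len(buf) >= MAX_GREETING:
            raise ValueError("greeting too long")
        chunk = sock.recv(1)   # one byte at a time: never read past the line
        if not chunk:
            raise ValueError("peer closed before end of greeting")
        buf += chunk
    fields = buf.decode("ascii", errors="replace").split()
    if not fields:
        raise ValueError("empty greeting")
    return fields[0]

def normalize_fpr(fpr):
    """Canonical form for lookups: upper-case hex, no spaces."""
    fpr = "".join(fpr.split()).upper()
    if not fpr or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("malformed fingerprint")
    return fpr

def select_blob(version, peer_fpr, blobs):
    """Default deny: a blob is returned only for a known version and an exact fingerprint match."""
    if version not in SUPPORTED_VERSIONS:
        return None
    return blobs.get(normalize_fpr(peer_fpr))

def demo():
    # Constructed fingerprint and blob, standing in for the list read at start time.
    blobs = {normalize_fpr("0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"): b"blob-A"}
    server, client = socket.socketpair()
    with server, client:
        client.sendall(b"1 ignored-field\r\n")
        version = read_version(server)
    # peer_fpr is assumed to come from the certificate presented in the TLS handshake.
    known = select_blob(version, "0123456789abcdef0123456789abcdef01234567", blobs)
    unknown = select_blob(version, "F" * 40, blobs)
    wrong_version = select_blob("2", "0123456789abcdef0123456789abcdef01234567", blobs)
    return version, known, unknown, wrong_version

if __name__ == "__main__":
    print(demo())
```

Because the fingerprint is the only thing the server checks, the lookup is the whole access decision: anything that is not an exact match on a listed fingerprint gets no blob.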