The CDC protocol should support TLS encryption.
The TLS session should be established after the connection is created and before doing authentication. This simplifies the TLS handshake process by removing the possibility of accidental reads of encrypted data.
If TLS encryption is enabled, all clients must use it. This also simplifies the connection processing and removes all possibilities for accidental misuse of unencrypted connections.