Besides metadata buckets, should the EOC semantic really apply to the ssl output filter?
It's not really an issue by now because we never send "data" buckets after an EOC, but should this happen do we really want to send them out in clear, after the TLS close notify? I'd rather be safe here and return an error up the filters' stack. Actually this is what is done already if the data come in the same brigade as the EOC (ssl_filter_write() in the same loop will fail when the TLS connection is shutdown), but for subsequent brigade(s) we'd pass through (per EOC semantic). This at least requires a consistency "fix" (for the theory, I can't think of any pratical/reasonable use of data buckets after EOC, e.g. an Upgrade from TLS to clear looks really hazardous...). Is it unacceptable to add an exception to the EOC semantic (for data) here and fail (as sanity check)?
