diff --git a/mbedtls/pbpal_connect_mbedtls.c b/mbedtls/pbpal_connect_mbedtls.c
index 187d8dd2..f2da1147 100644
--- a/mbedtls/pbpal_connect_mbedtls.c
+++ b/mbedtls/pbpal_connect_mbedtls.c
@@ -3,6 +3,7 @@
 #if PUBNUB_USE_SSL
 #include "pbpal.h"
+#include "pubnub_netcore.h"
 #include "pubnub_pal.h"
 #include "pubnub_api_types.h"
 #include "pubnub_internal_common.h"
@@ -75,19 +76,36 @@ static char pubnub_cert_GlobalSign[] =
 "HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==\n"
 "-----END CERTIFICATE-----\n";
+static const char* get_origin(pubnub_t* pb)
+{
+#ifdef PUBNUB_ORIGIN_SETTABLE
+ return pb->origin;
+#else
+ PUBNUB_UNUSED(pb);
+ return PUBNUB_ORIGIN;
+#endif
+}
+#define PUBNUB_PORT "443"
 // TODO: https://github.com/espressif/esp-idf/blob/v5.2.1/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c
 // reference for mbedtls usage
 enum pbpal_tls_result pbpal_start_tls(pubnub_t* pb)
 {
 struct pubnub_pal* pal = &pb->pal;
+ int net_result;
+
+ PUBNUB_ASSERT(pb_valid_ctx_ptr(pb));
+ PUBNUB_ASSERT_OPT(PBS_CONNECTED == pb->state);
+ PUBNUB_LOG_TRACE("pbpal_start_tls(pb=%p)\n", pb);
+// TODO: Think about pubnub_config.h and where or which to use
+// PUBNUB_ASSERT(SOCKET_INVALID != pb->pal.socket);
 mbedtls_ssl_init(pal->ssl);
 mbedtls_ssl_config_init(pal->ssl_config);
 #ifndef ESP_PLATFORM
- // TODO: not implemented yet
+#error "MBedTLS has been implemented only for ESP32 platform. Contact PubNub support for an implementation on the other ones."
 #else
 if(esp_crt_bundle_attach(pal->ssl_config) != 0) {
 PUBNUB_LOG_ERROR("Failed to attach CRT bundle\n");
@@ -95,11 +113,7 @@ enum pbpal_tls_result pbpal_start_tls(pubnub_t* pb)
 }
 #endif
-#ifdef PUBNUB_ORIGIN_SETTABLE
- if (mbedtls_ssl_set_hostname(pal->ssl, pb->origin) != 0) {
-#else
- if (mbedtls_ssl_set_hostname(pal->ssl, PUBNUB_ORIGIN) != 0) {
-#endif
+ if (mbedtls_ssl_set_hostname(pal->ssl, get_origin(pb)) != 0) {
 PUBNUB_LOG_ERROR("Failed to set hostname\n");
 return pbtlsFailed;
 }
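Review bot: `int net_result;` added at the top of pbpal_start_tls is never assigned or read anywhere in this commit — the later hunk (@@ -122) tests the `mbedtls_net_connect` return value directly — so it only earns an unused-variable warning. Either drop the declaration, or capture the connect result in it so the failure log can carry the mbedTLS error code: `net_result = mbedtls_net_connect(...); if (0 != net_result) { PUBNUB_LOG_ERROR("Failed to connect to %s:%s (%d)\n", get_origin(pb), PUBNUB_PORT, net_result); return pbtlsFailed; }`. The commented-out `PUBNUB_ASSERT(SOCKET_INVALID != pb->pal.socket)` should be resolved rather than left as dead text, since the function asserts `PBS_CONNECTED` a few lines above. pbpal_start_tls continues past the end of this hunk.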
@@ -122,7 +136,31 @@ enum pbpal_tls_result pbpal_start_tls(pubnub_t* pb)
 return pbtlsFailed;
 }
- return pbtlsStarted;
+ mbedtls_net_init(pb->pal.net);
+
+ PUBNUB_LOG_DEBUG("Connecting to %s:%s...\n", get_origin(pb), PUBNUB_PORT);
+ if (0 != mbedtls_net_connect(pb->pal.net, get_origin(pb), PUBNUB_PORT, MBEDTLS_NET_PROTO_TCP)) {
+ PUBNUB_LOG_ERROR("Failed to connect to %s:%s\n", get_origin(pb), PUBNUB_PORT);
+ return pbtlsFailed;
+ }
+
+ // TODO: HOW TO SET PEM CERTS?
+ mbedtls_ssl_set_bio(pal->ssl, pb->pal.net, mbedtls_net_send, mbedtls_net_recv, NULL);
+
+ return pbpal_check_tls(pb);
+}
+
+enum pbpal_tls_result pbpal_check_tls(pubnub_t* pb) {
+ int result;
+
+ PUBNUB_ASSERT(pb_valid_ctx_ptr(pb));
+ PUBNUB_ASSERT_OPT(PBS_CONNECTED == pb->state);
+ PUBNUB_LOG_TRACE("pbpal_check_tls(pb=%p)\n", pb);
+
+ result = mbedtls_ssl_handshake(pb->pal.ssl);
+ result = pbpal_handle_socket_condition(result, pb, __FILE__, __LINE__);
+
+ return pbtlsEstablished;
 }
diff --git a/mbedtls/pbpal_mbedtls.c b/mbedtls/pbpal_mbedtls.c
index 19a61f8f..48e20f1d 100644
--- a/mbedtls/pbpal_mbedtls.c
+++ b/mbedtls/pbpal_mbedtls.c
@@ -1,3 +1,4 @@
+#include "msstopwatch/msstopwatch.h"
 #include "pubnub_internal.h"
 #include "pubnub_log.h"
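Review bot: pbpal_check_tls returns `pbtlsEstablished` unconditionally — the value stored in `result` by pbpal_handle_socket_condition is discarded — so a handshake that failed, or that is still in progress (WANT_READ/WANT_WRITE maps to PNR_IN_PROGRESS in the pbpal_mbedtls.c hunk), is reported to the caller as an established TLS session; if the config's authmode requires peer verification, a certificate that did not verify would be reported the same way, so the result must be mapped before returning. The three enum values needed (`pbtlsEstablished`, `pbtlsStarted`, `pbtlsFailed`) are all already used by this file, as shown below. Separately, pbpal_start_tls asserts `PBS_CONNECTED` and then calls `mbedtls_net_connect`, which opens a new TCP connection rather than wrapping the already-connected socket, so the original socket presumably stays open and unused — confirm that is intended; `mbedtls_net_connect` is also blocking, which may not fit the pbtlsStarted/pbpal_check_tls polling split. I do not see a `mbedtls_ssl_setup()` binding `pal->ssl` to `pal->ssl_config` in these hunks; if it is not in the unchanged lines between them, the handshake will fail before any I/O.
```c
    result = mbedtls_ssl_handshake(pb->pal.ssl);
    switch (pbpal_handle_socket_condition(result, pb, __FILE__, __LINE__)) {
    case PNR_OK:
        return pbtlsEstablished;
    case PNR_IN_PROGRESS:
        /* handshake needs more I/O; report "started", not "established" */
        return pbtlsStarted;
    default:
        /* PNR_TIMEOUT, PNR_IO_ERROR or any other failure code */
        return pbtlsFailed;
    }
```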
@@ -46,7 +47,39 @@ int pbpal_send_str(pubnub_t* pb, char const* s)
 enum pubnub_res pbpal_handle_socket_condition(int result, pubnub_t* pb, char const* file, int line)
 {
- return 0;
+ if (pb->pal.ssl == NULL) {
+ // TODO: use pbpal_handle_socket_error() here
+ return -1;
+ }
+
+ PUBNUB_ASSERT(pb->options.useSSL);
+
+ switch(result) {
+ case 0: // success
+ break;
+ case MBEDTLS_ERR_SSL_WANT_READ:
+ case MBEDTLS_ERR_SSL_WANT_WRITE:
+ if (pbms_active(pb->pal.tryconn) // no field tryconn!?!?
+ || (pbms_elapsed(pb->pal.tryconn) < pb->transaction_timeout_ms)) {
+ PUBNUB_LOG_TRACE("pb=%p TLS/SSL_I/O operation should retry\n", pb);
+ return PNR_IN_PROGRESS;
+ }
+
+ pb->pal.ip_timeout = 0; // it seems like a clue to the tryconn field
+
+ // TODO: session if in pbpal_openssl.c
+
+ PUBNUB_LOG_ERROR("pb=%p TLS/SSL_I/O operation failed, PNR_TIMEOUT\n", pb);
+
+ return PNR_TIMEOUT;
+ default:
+ // TODO: error handling
+ PUBNUB_LOG_ERROR("pb=%p TLS/SSL_I/O operation failed, PNR_IO_ERROR\n", pb);
+ return PNR_IO_ERROR;
+ }
+
+ PUBNUB_LOG_TRACE("pb=%p TLS/SSL_I/O operation successful\n", pb);
+ return PNR_OK;
 }
diff --git a/mbedtls/pubnub_pal.h b/mbedtls/pubnub_pal.h
index 0c1b8104..05dc185b 100644
--- a/mbedtls/pubnub_pal.h
+++ b/mbedtls/pubnub_pal.h
@@ -11,6 +11,7 @@ struct pubnub_pal {
 mbedtls_ssl_config* ssl_config;
 mbedtls_x509_crt* ca_certificates;
 mbedtls_net_context* net;
+ mbedtls_net_context* server_fd;
 };
 #endif /* PUBNUB_PAL_H */
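Review bot: `return -1;` in the `pb->pal.ssl == NULL` branch returns a value that is not a member of `enum pubnub_res`, so callers comparing the result against PNR_* codes cannot classify it; until the pbpal_handle_socket_error() delegation noted in the TODO is in place, return a defined code, e.g. `return PNR_IO_ERROR;`. In the WANT_READ/WANT_WRITE case the retry condition is `pbms_active(pb->pal.tryconn) || (pbms_elapsed(pb->pal.tryconn) < pb->transaction_timeout_ms)`: if pbms_active() reports a running stopwatch, the elapsed-time comparison is never evaluated while it runs, so the PNR_TIMEOUT path can only be reached once the stopwatch is inactive — `&&` looks like the intended operator; confirm against the openssl counterpart the TODO refers to. The `// no field tryconn!?!?` comment also says `pb->pal.tryconn` may not exist for this port, and the pubnub_pal.h hunk in this commit adds `server_fd` but no such field, so this will not compile unless it is declared in lines not shown here. The `file` and `line` parameters are accepted but never logged.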
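Review bot: The new `server_fd` member of `struct pubnub_pal` is not referenced anywhere in this commit — pbpal_start_tls initialises and connects `pb->pal.net` and passes that same pointer to mbedtls_ssl_set_bio — so as written it duplicates `net` with no stated purpose. Either drop it, or add a one-line comment saying what distinguishes it from `net` and who allocates and frees the context it points to, e.g. `mbedtls_net_context* server_fd; /* <purpose>; allocated/freed by <owner> */` with the placeholders filled in.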