Seems that this field must not be private(or must have read-only property) as it is supposed to use outside of class.

I catched that, when implemented STARTTLS smtp process, when you must start SSL connection over existing socket connection. Currently it is not hard, its easy to add SSL layer as loop do:

self._tls_protocol = sslproto.SSLProtocol()
socket_transport = self.transport
socket_transport._protocol = self._tls_protocol
self.transport = self._tls_protocol._app_transport
self._tls_protocol.connection_made(socket_transport)

But here you must access to private property "app_transport". It must be public because its purpose to public "result" of SSL layer implementation. 

From class BaseSelectorEventLoop:

def _make_ssl_transport(...):
    ...
    return ssl_protocol._app_transport

-1 on exposing app_protocol. It's an implementation detail, starttls should be implemented in asyncio (and while it's not, it's ok to use '_app_protocol'.

-1, agree with Yury.
As an option it's possible to wrap `sslproto.SSLProtocol` by custom derived class which overrides `connection_made()` for storing a transport somewhere.
The solution looks like sub-optimal but it's backward-compatible.
The other problem is: `sslproto` is a very private module for working with SSL if `ssl.MemoryBIO` is available.
I believe that third-party code shouldn't rely on `sslproto.SSLProtocol` and even on `asyncio.sslproto` existence.

Closing this one. I don't think we want to expose/document _app_transport.