The s6-tlsclient program

s6-tlsclient is an UCSPI client tool for TLS/SSL connections over INET domain sockets. It establishes a TCP connection to a server and a TLS transport over it, then executes into a program.


     s6-tlsclient [ options ] [ -- ] host port prog...

prog is expected to read from its peer on descriptor 6 and write to its peer on descriptor 7. Since there will be a s6-tlsc-io program between prog and the network to perform the TLS encryption/decryption, those descriptors will not be a network socket - they will be pipes.

Server name determination for SNI

If the -H option is not given to s6-tlsclient, then host will be used as the server name to verify. You can use the -k option to override this default. Please note that if you use the -H option and do not provide a server name via -k, SNI will not be used, which may be a security risk.

Environment variables


The following variables should be set before invoking s6-tlsclient, because they will be used by s6-tlsc-io:

Setting either CADIR or CAFILE is mandatory.


prog... is run with the following variables added to, or removed from, its environment by s6-tcpclient:

Unless the -Z option is given to s6-tlsclient, the CADIR, CAFILE, KEYFILE, CERTFILE, TLS_UID and TLS_GID variables will not appear in prog's environment.


s6-tlsclient accepts a myriad of options, most of which are passed as is to the correct executable. Not giving any options will generally work: the defaults are sensible.

Options passed as is to s6-tcpclient

Options passed as is to s6-tlsc


CADIR=/etc/ssl/certs s6-tlsclient skarnet.org 443 s6-ioconnect

This will open a connection to the skarnet.org web server over TLS and verify its certificate via the trust anchors listed in the /etc/ssl/certs directory. It will then branch your terminal to it: try typing GET / HTTP/1.0 then hitting return twice.