An overview of the TLS-related programs

The s6-*tls* programs are organized in a way that minimizes the amount of code, and in particular that keeps the crypto code as encapsulated as possible.

They are divided into two sets: client programs, which have client or c in their name, and server programs, which have server or d in their name. The sets are symmetrical: the same functionality is available whether you're interested in using a client or a server.

Of course, they do not have to be used together. You can run a TLS-enabled super-server via s6-tlsserver and it will work with any client speaking the correct TLS-enabled protocol, not only s6-tlsclient.

The core TLS engine: s6-tlsc-io and s6-tlsd-io

Other programs in the s6-tls set perform various operations, such as Unix file descriptor plumbing, in order to provide a specific interface, but they always end up spawning an s6-tlsc-io or s6-tlsd-io child that handles the actual TLS management for them.

Regular TLSification of a service: s6-tlsc and s6-tlsd

Opportunistic TLS: s6-ucspitlsc and s6-ucspitlsd

High-level client connections and super-servers: s6-tlsclient and s6-tlsserver