The s6-tlsd program

s6-tlsd is a program that performs the server side of a TLS or SSL connection over an existing TCP connection, then execs into an application. It is meant to make network communications secure even for applications that do not natively support TLS/SSL.

s6-networking does not include cryptographic software. All the crypto used in s6-tlsd is provided by the chosen SSL backend: BearSSL or LibreSSL, depending on the options given when configuring s6-networking.


     s6-tlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v verbosity ] [ -K kimeout ] [ -k snilevel ] [ -- ] prog...

Exit codes

If everything goes smoothly, s6-tlsd does not exit, but execs into prog... instead.

Environment variables


s6-tlsd itself does not expect any particular environment variables, but it spawns an s6-tlsd-io program that does. So it should pay attention to the following variables:


By default, prog... is run with all these variables unset: CADIR, CAFILE, KEYFILE, CERTFILE, KEYFILE:x and CERTFILE:x for every x, TLS_UID and TLS_GID. They're passed to the s6-tlsd-io child but not to prog...; the -Z option keeps them accessible in prog... as well.
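A startup check that prog... can source to confirm the variables listed above really are absent from its environment, that is, that -Z was not passed by mistake. This is an added example, not part of s6-networking; the function names are hypothetical, and it assumes `env` prints one NAME=value pair per line.

```shell
#!/bin/sh
# Added example (not s6-networking code): detect TLS configuration variables
# that are still visible to the application run as prog...

# tls_vars_in: read "NAME=value" lines on stdin and print every name that
# s6-tlsd is documented to unset before running prog...
# A multi-line value whose continuation line looks like "KEYFILE=..." is
# reported too: the check errs on the side of a false positive.
tls_vars_in() {
    while IFS= read -r line; do
        case $line in
            *=*) ;;            # looks like NAME=value
            *) continue ;;     # continuation of a multi-line value
        esac
        name=${line%%=*}       # everything before the first '='
        case $name in
            CADIR|CAFILE|KEYFILE|CERTFILE|TLS_UID|TLS_GID)
                printf '%s\n' "$name" ;;
            KEYFILE:*|CERTFILE:*)   # per-name variants, KEYFILE:x and CERTFILE:x
                printf '%s\n' "$name" ;;
        esac
    done
}

# leaked_tls_vars: run the same check against the live environment.
# env is used rather than shell variables because names containing ':'
# are not valid shell identifiers but can still be present in the environment.
leaked_tls_vars() {
    env | tls_vars_in
}

# check_tls_env: return 0 when the environment is clean, 1 otherwise,
# naming each offending variable (never its value) on stderr.
check_tls_env() {
    leaked=$(leaked_tls_vars)
    [ -z "$leaked" ] && return 0
    printf '%s\n' "$leaked" | sed 's/^/TLS variable still visible: /' >&2
    return 1
}
```

An application wrapper would call `check_tls_env || exit 1` before starting the real service, so that a stray -Z is caught at startup.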

However, prog... is run with the following additional environment variables: