The s6-ucspitlsd program

s6-ucspitlsd is a server-side program that establishes communication channels according to the UCSPI-TLS protocol, then execs into an application. Later, if the application sends a command, a TLS tunnel will be started and the application will be able to use it instead of communicating with the network via cleartext.

The point of this protocol, and this program, is to make it easy to implement commands like SMTP's STARTTLS without embedding a TLS stack in the server itself.


     s6-ucspitlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v verbosity ] [ -K kimeout ] [ -k snilevel ] [ -- ] prog...

Exit codes

Normally the parent s6-ucspitlsd process execs into prog... and the child process execs into s6-tlsd-io. If the parent dies or closes its control socket before sending a command to start TLS, the child exits 0.

Environment variables


s6-ucspitlsd does not expect to have any particular environment variables, but it spawns an s6-tlsd-io program that does, so the following variables need attention:


By default, prog... is run with all these variables unset: CADIR, CAFILE, KEYFILE, CERTFILE, KEYFILE:x and CERTFILE:x for every x, TLS_UID and TLS_GID. The variables are passed to the s6-tlsd-io child but not to prog.... The -Z option prevents that behaviour and keeps them accessible in the child.

However, prog... is run with the following additional environment variables, following the UCSPI-TLS protocol:

Since prog is exec'ed before the TLS handshake takes place, it cannot get information about the TLS connection via environment variables. However, if it starts the TLS connection via a Y command (as opposed to a y command), it will receive this information as a string sent over the control socket.
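The application side of the exchange described above, as an added example that is not part of s6-networking: it sends the `Y` command on the control socket, reads back the TLS information string, and hands over the tunnel descriptors. Assumptions: the variable names `SSLCTLFD`, `SSLREADFD` and `SSLWRITEFD` are taken from the UCSPI-TLS specification rather than from this page, the reply is treated as NUL-separated `NAME=value` strings, and `start_tls`, `parse_tls_info` and `demo` are hypothetical names.

```python
import os
import socket

def parse_tls_info(blob):
    """Parse the Y reply, assumed here to be NUL-separated NAME=value strings."""
    info = {}
    for item in blob.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep and name:
            info[name.decode("ascii", "replace")] = value.decode("utf-8", "replace")
    return info

def start_tls(environ, pending_plaintext=b"", want_info=True):
    """Send the start command on the control socket; return (read_fd, write_fd, info)."""
    if pending_plaintext:
        # Bytes the peer pipelined after STARTTLS were never protected by TLS.
        raise ValueError("plaintext buffered after STARTTLS; refusing to upgrade")
    ctl_fd = int(environ["SSLCTLFD"])  # names assumed from the UCSPI-TLS spec
    fds = int(environ["SSLREADFD"]), int(environ["SSLWRITEFD"])
    os.write(ctl_fd, b"Y" if want_info else b"y")
    # Assumption: the whole reply arrives in one read once the handshake is done.
    info = parse_tls_info(os.read(ctl_fd, 4096)) if want_info else {}
    return fds[0], fds[1], info

def demo():
    """Run start_tls against a stand-in for the TLS child (constructed data)."""
    app_end, tls_end = socket.socketpair()
    r, w = os.pipe()  # stand-ins for the tunnel pipes
    environ = {"SSLCTLFD": str(app_end.fileno()),
               "SSLREADFD": str(r), "SSLWRITEFD": str(w)}
    # Constructed reply, queued in advance so the example needs no second process.
    tls_end.sendall(b"SSL_PROTOCOL=TLSv1.3\0SSL_CIPHER=EXAMPLE_CIPHER\0")
    read_fd, write_fd, info = start_tls(environ)
    command = tls_end.recv(16)  # what the TLS child would have received
    try:
        start_tls(environ, pending_plaintext=b"MAIL FROM:<x>\r\n")
        refused = False
    except ValueError:
        refused = True
    for fd in (r, w):
        os.close(fd)
    app_end.close()
    tls_end.close()
    return command, (read_fd, write_fd) == (r, w), info, refused

if __name__ == "__main__":
    print(demo())
```

After a successful call the application stops using its original stdin and stdout for the session and reads and writes only through the returned descriptors.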