package module
v1.5.0 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Oct 28, 2023 License: Apache-2.0, MIT Imports: 7 Imported by: 0



Secure Client for exposing TLS (aka SSL) secured services as plain-text connections locally.

Also ideal for multiplexing a single port with multiple protocols using SNI.

Unwrap a TLS connection:

sclient localhost:3000

> [listening] <= localhost:3000

Connect via Telnet

telnet localhost 3000

Connect via netcat (nc)

nc localhost 3000


curl http://localhost:3000 -H 'Host:'

A poor man's (or Windows user's) makeshift replacement for openssl s_client, stunnel, or socat.

Table of Contents


Mac, Linux
curl -sS | bash
curl.exe -A MS | powershell

Check the Github Releases for

  • macOS (x64) Apple Silicon coming soon
  • Linux (x64, i386, arm64, arm6, arm7)
  • Windows 10 (x64, i386)


sclient [flags] <remote> <local>
  • flags

    • -s, --silent less verbose logging
    • -k, --insecure ignore invalid TLS (SSL/HTTPS) certificates
    • --servername <domain> spoof SNI (to disable use IP as <remote> and do not use this option)
    • --alpn <protocol-list>
  • remote

    • must have servername (i.e.
    • port is optional (default is 443)
  • local

    • address is optional (default is localhost)
    • must have port (i.e. 3000)

    -alpn string acceptable protocols, ex: 'h2,http/1.1' 'http/1.1' (default) 'ssh' (default "http/1.1") -insecure ignore bad TLS/SSL/HTTPS certificates -k alias for --insecure -s alias of --silent -servername string specify a servername different from (to disable SNI use an IP as and do use this option) -silent less verbose output


Bridge between and local port 3000.

sclient 3000

Same as above, but more explicit

sclient localhost:3000

Ignore a bad TLS/SSL/HTTPS certificate and connect anyway.

sclient -k localhost:3000

Reading from stdin

sclient -
sclient - </path/to/file


printf "GET / HTTP/1.1\r\nHost:\r\n\r\n" | sclient

Testing for security vulnerabilities on the remote:

sclient --servername "Robert'); DROP TABLE Students;" -k localhost:3000
sclient --servername "../../../.hidden/private.txt" -k localhost:3000


See Go Docs.

Build from source

You'll need to install Go. See for install instructions.

curl -sS | bash

Then you can install and run as per usual.

git clone

pushd sclient.go
  go build -o dist/sclient cmd/sclient/main.go
  sudo rsync -av dist/sclient /usr/local/bin/sclient

sclient localhost:3000

Install or Run with Go

go get
go run localhost:3000



sclient unwraps SSL.

It makes secure remote connections (such as HTTPS) available locally as plain-text connections - similar to `stunnel` or `openssl s_client`.

There are a variety of reasons that you might want to do that, but we created it specifically to be able to upgrade applications with legacy security protocols - like SSH, OpenVPN, and Postgres - to take advantage of the features of modern TLS, such as ALPN and SNI (which makes them routable through almost every type of firewall).

See for more info.

Package Basics

In the simplest case you'll just be setting a ServerName and connection info:

servername := ""

sclient := &sclient.Tunnel{
	ServerName:         servername,
	RemoteAddress:      servername,
	RemotePort:         443,
	LocalAddress:       "localhost",
	LocalPort:          3000,

err := sclient.DialAndListen()

Try the CLI

If you'd like to better understand what sclient does, you can try it out with `go run`:

go get
go run localhost:3000
curl http://localhost:3000 -H "Host:"

Pre-built versions for various platforms are also available at



This section is empty.


This section is empty.


This section is empty.


type Tunnel added in v1.3.0

type Tunnel struct {
	RemoteAddress      string
	RemotePort         int
	LocalAddress       string
	LocalPort          int
	InsecureSkipVerify bool
	NextProtos         []string
	ServerName         string
	Silent             bool

Tunnel specifies which remote encrypted connection to make available as a plain connection locally.

func (*Tunnel) DialAndListen added in v1.3.0

func (t *Tunnel) DialAndListen() error

DialAndListen will create a test TLS connection to the remote address and then begin listening locally. Each local connection will result in a separate remote connection.


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL