Go to file
AJ ONeal 8ba42a09a4 silence more output, fix minor output bugs 2021-06-21 23:22:34 -06:00
cmd/sclient silence more output, fix minor output bugs 2021-06-21 23:22:34 -06:00
tests support pipes and stdin 2018-08-08 00:16:52 -06:00
.gitignore ignore builds 2020-12-02 15:05:10 -07:00
.goreleaser.yml add .goreleaser.yml 2020-12-02 14:05:25 -07:00
LICENSE v1.0.0: first working version 2018-08-06 16:55:45 -06:00
README.md update build / install instructions 2020-12-02 14:23:07 -07:00
doc.go doc updates 2019-05-21 19:25:06 -06:00
go.mod update to be more go-ish 2019-05-21 18:54:02 -06:00
sclient.go silence more output, fix minor output bugs 2021-06-21 23:22:34 -06:00
staticcheck.conf -q => -s (to be curl-like), make staticcheck happy 2021-06-21 23:05:27 -06:00



Secure Client for exposing TLS (aka SSL) secured services as plain-text connections locally.

Also ideal for multiplexing a single port with multiple protocols using SNI.

Unwrap a TLS connection:

sclient whatever.com:443 localhost:3000

> [listening] whatever.com:443 <= localhost:3000

Connect via Telnet

telnet localhost 3000

Connect via netcat (nc)

nc localhost 3000


curl http://localhost:3000 -H 'Host: whatever.com'

A poor man's (or Windows user's) makeshift replacement for openssl s_client, stunnel, or socat.

Table of Contents


Mac, Linux

curl -sS https://webinstall.dev/sclient | bash
curl.exe -A MS https://webinstall.dev/sclient | powershell


Check the Github Releases for

  • macOS (x64) Apple Silicon coming soon
  • Linux (x64, i386, arm64, arm6, arm7)
  • Windows 10 (x64, i386)


sclient [flags] <remote> <local>
  • flags
    • -k, --insecure ignore invalid TLS (SSL/HTTPS) certificates
    • --servername spoof SNI (to disable use IP as <remote> and do not use this option)
  • remote
    • must have servername (i.e. example.com)
    • port is optional (default is 443)
  • local
    • address is optional (default is localhost)
    • must have port (i.e. 3000)


Bridge between telebit.cloud and local port 3000.

sclient telebit.cloud 3000

Same as above, but more explicit

sclient telebit.cloud:443 localhost:3000

Ignore a bad TLS/SSL/HTTPS certificate and connect anyway.

sclient -k badtls.telebit.cloud:443 localhost:3000

Reading from stdin

sclient telebit.cloud:443 -
sclient telebit.cloud:443 - </path/to/file


printf "GET / HTTP/1.1\r\nHost: telebit.cloud\r\n\r\n" | sclient telebit.cloud:443

Testing for security vulnerabilities on the remote:

sclient --servername "Robert'); DROP TABLE Students;" -k example.com localhost:3000
sclient --servername "../../../.hidden/private.txt" -k example.com localhost:3000

Build from source

You'll need to install Go. See webinstall.dev/golang for install instructions.

curl -sS https://webinstall.dev/golang | bash

Then you can install and run as per usual.

git clone https://git.rootprojects.org/root/sclient.go.git

pushd sclient.go
  go build -o dist/sclient cmd/sclient/main.go
  sudo rsync -av dist/sclient /usr/local/bin/sclient

sclient example.com:443 localhost:3000

Install or Run with Go

go get git.rootprojects.org/root/sclient.go/cmd/sclient
go run git.rootprojects.org/root/sclient.go/cmd/sclient example.com:443 localhost:3000