Thanks to Ilaia's email, I looked into using s6-tlsd, but I'm a bit confused about what libraries are needed, and hopefully not libressl?
s6-networking can be built against either bearssl or libressl; it's a choice you make at configure time. LibreSSL was chosen, you guessed it, because of libtls, which is a half-decent, workable API, whereas the OpenSSL API is just not. There will never be an OpenSSL version. If you won't use LibreSSL, then you should build s6-networking against BearSSL instead; it is by far the best choice anyway, and if you're already using it in boot code, there's no reason why you can't use it in userland code. :) -- Laurent