diff --git a/lib/sockets/sock.js b/lib/sockets/sock.js
index 881c34a..a24fbdd 100644
--- a/lib/sockets/sock.js
+++ b/lib/sockets/sock.js
@@ -11,7 +11,7 @@ var Parser = require('amp').Stream;
 var url = require('url');
 var net = require('net');
 var fs = require('fs');
-
+var tls = require('tls');
 /**
 * Errors to ignore.
 */
@@ -144,7 +144,7 @@ Socket.prototype.closeServer = function(fn){
 Socket.prototype.address = function(){
 if (!this.server) return;
 var addr = this.server.address();
- addr.string = 'tcp://' + addr.address + ':' + addr.port;
+ addr.string = (this.get('tls') ? 'tls://' : 'tcp://') + addr.address + ':' + addr.port;
 return addr;
 };
@@ -261,13 +261,37 @@ Socket.prototype.connect = function(port, host, fn){
 }
 var max = self.get('retry max timeout');
- var sock = new net.Socket;
- sock.setNoDelay();
 this.type = 'client';
+ var sock;
+ var tlsOpts = this.get('tls');
+
+ var onConnect = function() {
+ debug('%s connect', self.type);
+ self.connected = true;
+ self.addSocket(sock);
+ self.retry = self.get('retry timeout');
+ self.emit('connect', sock);
+ fn && fn();
+ };
+
+ if (tlsOpts) {
+ tlsOpts.host = host;
+ tlsOpts.port = port;
+ debug('%s connect attempt %s:%s', self.type, host, port);
+ sock = tls.connect(tlsOpts);
+ sock.on('secureConnect', onConnect);
+ } else {
+ sock = new net.Socket();
+ debug('%s connect attempt %s:%s', self.type, host, port);
+ sock.connect(port, host);
+ sock.on('connect', onConnect);
+ }
+
+ sock.setNoDelay();
 this.handleErrors(sock);
- sock.on('close', function(){
+ sock.on('close', function() {
 self.emit('socket close', sock);
 self.connected = false;
 self.removeSocket(sock);
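Review bot: `tlsOpts.host = host; tlsOpts.port = port;` writes into the object returned by `this.get('tls')`, which is the caller's settings object and the same one the bind() hunk also rewrites (`requestCert`, `rejectUnauthorized`), so client and server settings bleed into each other and every connect() overwrites the previous target. Build a per-call copy and pass that to `tls.connect`, e.g. `var opts = Object.assign({}, tlsOpts, { host: host, port: port });` (or a manual shallow copy if the supported Node versions lack `Object.assign`). Separately, `onConnect` runs on `secureConnect` without looking at `sock.authorized`, so a caller who sets `rejectUnauthorized: false` gets an unverified server treated as connected; a check or at least a comment there would make that explicit. connect() starts before and continues past this hunk.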
@@ -282,17 +306,6 @@ Socket.prototype.connect = function(port, host, fn){
 }, retry);
 });
- sock.on('connect', function(){
- debug('%s connect', self.type);
- self.connected = true;
- self.addSocket(sock);
- self.retry = self.get('retry timeout');
- self.emit('connect', sock);
- fn && fn();
- });
-
- debug('%s connect attempt %s:%s', self.type, host, port);
- sock.connect(port, host);
 return this;
 };
@@ -306,11 +319,15 @@ Socket.prototype.connect = function(port, host, fn){
 Socket.prototype.onconnect = function(sock){
 var self = this;
 var addr = sock.remoteAddress + ':' + sock.remotePort;
+ var tlsOptions = self.get('tls');
+ if (tlsOptions && !sock.authorized) {
+ debug('%s denied %s for authorizationError %s', self.type, addr, sock.authorizationError);
+ }
 debug('%s accept %s', self.type, addr);
 this.addSocket(sock);
 this.handleErrors(sock);
 this.emit('connect', sock);
- sock.on('close', function(){
+ sock.on('close', function() {
 debug('%s disconnect %s', self.type, addr);
 self.emit('disconnect', sock);
 self.removeSocket(sock);
@@ -362,7 +379,14 @@ Socket.prototype.bind = function(port, host, fn){
 this.type = 'server';
- this.server = net.createServer(this.onconnect.bind(this));
+ var tlsOptions = this.get('tls');
+ if (tlsOptions) {
+ tlsOptions.requestCert = tlsOptions.requestCert !== false;
+ tlsOptions.rejectUnauthorized = tlsOptions.rejectUnauthorized !== false;
+ this.server = tls.createServer(tlsOptions, this.onconnect.bind(this));
+ } else {
+ this.server = net.createServer(this.onconnect.bind(this));
+ }
 debug('%s bind %s:%s', this.type, host, port);
 this.server.on('listening', this.emit.bind(this, 'bind'));
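Review bot: The `!sock.authorized` branch in onconnect only logs "denied" and then falls through to `debug('%s accept …')`, `this.addSocket(sock)` and `this.emit('connect', sock)`, so a peer whose certificate failed verification is still accepted whenever the server was bound with `rejectUnauthorized: false`, which bind() allows. If refusal is intended, end the handler there with `sock.destroy(); return;` after the debug call. If accepting such peers is intended, reword the message so the log does not record a rejection that never happened, and note that `authorized` is also false when `requestCert` was disabled. The close handler at the end of this hunk continues outside it.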
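Review bot: The two defaulting lines in bind() turn on client-certificate authentication for every TLS server unless the caller passes an explicit `false`, and nothing in the code says so. A comment above them would make the fail-closed intent visible, for example `// Mutual TLS by default: only an explicit false disables requestCert / rejectUnauthorized.` It should also mention that the options then need a `ca` that covers the expected client certificates, otherwise every client is refused during the handshake. bind() begins before and continues after this hunk.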