Index: src/Makefile ================================================================== --- src/Makefile +++ src/Makefile @@ -137,10 +137,11 @@ OFHTTPServer.m \ OFSequencedPacketSocket.m \ OFSocket.m \ OFStreamSocket.m \ OFTCPSocket.m \ + OFTLSSocket.m \ OFUDPSocket.m \ ${USE_SRCS_IPX} \ ${USE_SRCS_UNIX_SOCKETS} SRCS_IPX = OFIPXSocket.m \ OFSPXSocket.m \ @@ -170,11 +171,10 @@ OFJSONRepresentation.h \ OFKernelEventObserver.h \ OFKeyValueCoding.h \ OFLocking.h \ OFMessagePackRepresentation.h \ - OFTLSSocket.h \ ObjFW.h \ macros.h \ objfw-defs.h \ platform.h \ ${USE_INCLUDES_ATOMIC} @@ -207,15 +207,15 @@ ${RUNTIME_INSTANCE_M} \ ${UNICODE_M} SRCS_FILES += OFFileURLHandler.m \ OFINIFileSettings.m SRCS_SOCKETS += OFDNSResolverSettings.m \ + ${OF_EPOLL_KERNEL_EVENT_OBSERVER_M} \ OFHTTPURLHandler.m \ OFHostAddressResolver.m \ OFIPSocketAsyncConnector.m \ OFKernelEventObserver.m \ - ${OF_EPOLL_KERNEL_EVENT_OBSERVER_M} \ ${OF_KQUEUE_KERNEL_EVENT_OBSERVER_M} \ ${OF_POLL_KERNEL_EVENT_OBSERVER_M} \ ${OF_SELECT_KERNEL_EVENT_OBSERVER_M} \ OFTCPSocketSOCKS5Connector.m Index: src/OFHTTPClient.m ================================================================== --- src/OFHTTPClient.m +++ src/OFHTTPClient.m @@ -29,10 +29,11 @@ #import "OFNumber.h" #import "OFRunLoop.h" #import "OFSocket+Private.h" #import "OFString.h" #import "OFTCPSocket.h" +#import "OFTLSSocket.h" #import "OFURL.h" #import "OFAlreadyConnectedException.h" #import "OFHTTPRequestFailedException.h" #import "OFInvalidArgumentException.h" 
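Review bot: In the second Makefile hunk `OFTLSSocket.h` is dropped from the unconditional header list, but no hunk on this page adds it to a sockets-only header list, while `OFTLSSocket.m` is now compiled and `OFHTTPClient.m` imports the header. If that move lives in a part of the Makefile outside this diff it is fine; otherwise the public header stops being installed. Since `OFTLSSocket.h` now imports `OFTCPSocket.h`, it presumably belongs in the same conditional header list that installs `OFTCPSocket.h` (the header counterpart of `SRCS_SOCKETS`), and that addition is worth confirming.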
@@ -697,16 +698,17 @@ [_client close]; if ([URL.scheme caseInsensitiveCompare: @"https"] == OFOrderedSame) { - if (OFTLSSocketClass == Nil) + @try { + sock = [OFTLSSocket socket]; + port = 443; + } @catch (OFNotImplementedException *e) { @throw [OFUnsupportedProtocolException exceptionWithURL: URL]; - - sock = [[[OFTLSSocketClass alloc] init] autorelease]; - port = 443; + } } else { sock = [OFTCPSocket socket]; port = 80; } Index: src/OFTCPSocket.h ================================================================== --- src/OFTCPSocket.h +++ src/OFTCPSocket.h @@ -208,14 +208,6 @@ * @return The port the socket was bound to */ - (uint16_t)bindToHost: (OFString *)host port: (uint16_t)port; @end -#ifdef __cplusplus -extern "C" { -#endif -extern Class _Nullable OFTLSSocketClass; -#ifdef __cplusplus -} -#endif - OF_ASSUME_NONNULL_END Index: src/OFTLSSocket.h ================================================================== --- src/OFTLSSocket.h +++ src/OFTLSSocket.h 
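Review bot: The `@try`/`@catch` around `[OFTLSSocket socket]` uses an exception to ask whether a TLS implementation is present, and it also converts any other `OFNotImplementedException` raised inside `+socket` into an `OFUnsupportedProtocolException`, hiding the real cause. The header added by this commit exports `OFTLSSocketImplementation`, so the check can stay explicit as the removed `OFTLSSocketClass` check was: `if (OFTLSSocketImplementation == Nil) @throw [OFUnsupportedProtocolException exceptionWithURL: URL];` followed by `sock = [OFTLSSocket socket]; port = 443;` with no `@try`. The unused `e` in the `@catch` disappears with it. The enclosing method starts and ends outside the hunk.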
@@ -11,21 +11,53 @@ * Public License, either version 2 or 3, which can be found in the file * LICENSE.GPLv2 or LICENSE.GPLv3 respectively included in the packaging of this * file. */ -#import "OFObject.h" +#import "OFTCPSocket.h" OF_ASSUME_NONNULL_BEGIN /** - * @protocol OFTLSSocket OFTLSSocket.h ObjFW/OFTLSSocket.h + * @protocol OFTLSSocketDelegate OFTLSSocket.h ObjFW/OFTLSSocket.h + * + * A delegate for OFTLSSocket. + */ +@protocol OFTLSSocketDelegate +@end + +/** + * @class OFTLSSocket OFTLSSocket.h ObjFW/OFTLSSocket.h + * + * @brief A class that provides Transport Layer Security on top of a TCP socket. + * + * This class is a class cluster and returns a suitable OFTLSSocket subclass, + * if available. + * + * Subclasses need to override @ref accept, @ref lowlevelReadIntoBuffer:length:, + * @ref lowlevelWriteBuffer:length:, @ref lowlevelIsAtEndOfStream and + * @ref startTLSForHost:port:. In order to get access to the lowlevel TCP + * methods (you cannot call `super`, as the class is abstract), the private + * methods @ref TCPAccept, @ref lowlevelTCPReadIntoBuffer:length:, + * @ref lowlevelTCPWriteBuffer:length: and @ref lowlevelTCPIsAtEndOfStream are + * provided. + */ +@interface OFTLSSocket: OFTCPSocket +{ + bool _verifiesCertificates; + OF_RESERVE_IVARS(OFTLSSocket, 4) +} + +/** + * @brief The delegate for asynchronous operations on the socket. * - * @brief A protocol that should be implemented by 3rd-party libraries - * implementing TLS. + * @note The delegate is retained for as long as asynchronous operations are + * still ongoing. */ -@protocol OFTLSSocket +@property OF_NULLABLE_PROPERTY (assign, nonatomic) + id delegate; + /** * @brief Whether certificates are verified. * * The default is enabled. */ 
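Review bot: The documentation of `verifiesCertificates` (its `@property` line follows the hunk) only says verification is enabled by default; since `startTLSForHost:port:` documents that the host is used for verification and `ofhttp` turns the property off for its insecure mode, the comment should spell out the consequence, e.g. add `* Disabling this skips validation of the peer's certificate chain and of the host name passed to @ref startTLSForHost:port:, so it should only be used for testing.` to that doc block. Separately, `OFTLSSocketDelegate` appears here as an empty protocol; if it does not inherit from the TCP socket delegate protocol (angle brackets may have been lost in extraction), a delegate typed with it carries no compile-time guarantee that it implements `socket:didConnectToHost:port:exception:`, which the new connector in OFTLSSocket.m sends to it.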
@@ -36,8 +68,53 @@ * underlying socket. * * @param socket The TCP socket to use as underlying socket */ - (instancetype)initWithSocket: (OFTCPSocket *)socket; + +/** + * @brief Start TLS on the underlying socket with the assumption that it is + * connected to the specified host and port. + * + * @param host The host the socket is connected to, which is also used for + * verification + * @param port The port the socket is connected to + */ +- (void)startTLSForHost: (OFString *)host port: (uint16_t)port; + +/** + * @brief This method should never be called directly. Only subclasses of + * @ref OFTLSSocket are allowed to call it. + */ +- (instancetype)TCPAccept; + +/** + * @brief This method should never be called directly. Only subclasses of + * @ref OFTLSSocket are allowed to call it. + */ +- (size_t)lowlevelTCPReadIntoBuffer: (void *)buffer length: (size_t)length; + +/** + * @brief This method should never be called directly. Only subclasses of + * @ref OFTLSSocket are allowed to call it. + */ +- (size_t)lowlevelTCPWriteBuffer: (const void *)buffer length: (size_t)length; + +/** + * @brief This method should never be called directly. Only subclasses of + * @ref OFTLSSocket are allowed to call it. + */ +- (bool)lowlevelTCPIsAtEndOfStream; @end + +#ifdef __cplusplus +extern "C" { +#endif +/** + * @brief The concrete subclass of OFTLSSocket that should be used. + */ +extern Class _Nullable OFTLSSocketImplementation; +#ifdef __cplusplus +} +#endif OF_ASSUME_NONNULL_END ADDED src/OFTLSSocket.m Index: src/OFTLSSocket.m ================================================================== --- src/OFTLSSocket.m +++ src/OFTLSSocket.m 
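Review bot: `TCPAccept`, `lowlevelTCPReadIntoBuffer:length:`, `lowlevelTCPWriteBuffer:length:` and `lowlevelTCPIsAtEndOfStream` are declared in the public header with comments saying they must never be called directly, but the comment is the only barrier: any caller can bypass the TLS layer and write plaintext to the underlying TCP socket through them. The project already uses the `OFSocket+Private.h` convention (the new OFTLSSocket.m imports it), so these four declarations belong in an `OFTLSSocket+Private.h` that only the TLS implementation subclasses import, leaving `startTLSForHost:port:`, `verifiesCertificates` and `OFTLSSocketImplementation` in the public header. The class documentation in the previous hunk could then point subclass authors at that private header instead of listing the methods as public API.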
@@ -0,0 +1,230 @@ +/* + * Copyright (c) 2008-2021 Jonathan Schleifer + * + * All rights reserved. + * + * This file is part of ObjFW. It may be distributed under the terms of the + * Q Public License 1.0, which can be found in the file LICENSE.QPL included in + * the packaging of this file. + * + * Alternatively, it may be distributed under the terms of the GNU General + * Public License, either version 2 or 3, which can be found in the file + * LICENSE.GPLv2 or LICENSE.GPLv3 respectively included in the packaging of this + * file. + */ + +#include "config.h" + +#import "OFTLSSocket.h" +#import "OFSocket.h" +#import "OFSocket+Private.h" + +#import "OFInitializationFailedException.h" +#import "OFInvalidArgumentException.h" +#import "OFNotImplementedException.h" + +Class OFTLSSocketImplementation = Nil; + +@interface OFTLSSocketAsyncConnector: OFObject +{ + OFTLSSocket *_socket; + OFString *_host; + uint16_t _port; + id _delegate; +} + +- (instancetype)initWithSocket: (OFTLSSocket *)sock + host: (OFString *)host + port: (uint16_t)port + delegate: (id )delegate; +@end + +@implementation OFTLSSocketAsyncConnector +- (instancetype)initWithSocket: (OFTLSSocket *)sock + host: (OFString *)host + port: (uint16_t)port + delegate: (id )delegate +{ + self = [super init]; + + @try { + _socket = [sock retain]; + _host = [host copy]; + _port = port; + _delegate = [delegate retain]; + + _socket.delegate = self; + } @catch (id e) { + [self release]; + @throw e; + } + + return self; +} + +- (void)dealloc +{ + if (_socket.delegate == self) + _socket.delegate = _delegate; + + [_socket release]; + [_delegate release]; + + [super dealloc]; +} + +- (void)socket: (OFTCPSocket *)sock + didConnectToHost: (OFString *)host + port: (uint16_t)port + exception: (id)exception +{ + if (exception == nil) { + @try { + [(OFTLSSocket *)sock startTLSForHost: _host + port: _port]; + } @catch (id e) { + [self release]; + @throw e; + } + } + + _socket.delegate = _delegate; + [_delegate socket: sock + 
didConnectToHost: host + port: port + exception: exception]; +} +@end + +@implementation OFTLSSocket +@dynamic delegate; +@synthesize verifiesCertificates = _verifiesCertificates; + ++ (instancetype)alloc +{ + if (self == [OFTLSSocket class]) { + if (OFTLSSocketImplementation == nil) + @throw [OFNotImplementedException + exceptionWithSelector: _cmd + object: self]; + + return [OFTLSSocketImplementation alloc]; + } + + return [super alloc]; +} + +- (instancetype)init +{ + self = [super init]; + + _verifiesCertificates = true; + + return self; +} + +- (instancetype)initWithSocket: (OFTCPSocket *)socket +{ + self = [super init]; + + @try { + if ([socket isKindOfClass: [OFTLSSocket class]]) + @throw [OFInvalidArgumentException exception]; + + if ((_socket = dup(socket->_socket)) == OFInvalidSocketHandle) + @throw [OFInitializationFailedException exception]; + + _verifiesCertificates = true; + } @catch (id e) { + [self release]; + @throw e; + } + + return self; +} + +- (void)startTLSForHost: (OFString *)host port: (uint16_t)port +{ + OF_UNRECOGNIZED_SELECTOR +} + +- (void)asyncConnectToHost: (OFString *)host + port: (uint16_t)port + runLoopMode: (OFRunLoopMode)runLoopMode +{ + void *pool = objc_autoreleasePoolPush(); + + [[[OFTLSSocketAsyncConnector alloc] + initWithSocket: self + host: host + port: port + delegate: _delegate] autorelease]; + [super asyncConnectToHost: host port: port runLoopMode: runLoopMode]; + + objc_autoreleasePoolPop(pool); +} + +#ifdef OF_HAVE_BLOCKS +- (void)asyncConnectToHost: (OFString *)host + port: (uint16_t)port + runLoopMode: (OFRunLoopMode)runLoopMode + block: (OFTCPSocketAsyncConnectBlock)block +{ + [super asyncConnectToHost: host + port: port + runLoopMode: runLoopMode + block: ^ (id exception) { + if (exception == nil) { + @try { + [self startTLSForHost: host port: port]; + } @catch (id e) { + block(e); + return; + } + } + + block(exception); + }]; +} +#endif + +- (instancetype)accept +{ + OF_UNRECOGNIZED_SELECTOR +} + +- 
(size_t)lowlevelReadIntoBuffer: (void *)buffer length: (size_t)length +{ + OF_UNRECOGNIZED_SELECTOR +} + +- (size_t)lowlevelWriteBuffer: (const void *)buffer length: (size_t)length +{ + OF_UNRECOGNIZED_SELECTOR +} + +- (bool)lowlevelIsAtEndOfStream +{ + OF_UNRECOGNIZED_SELECTOR +} + +- (instancetype)TCPAccept +{ + return [super accept]; +} + +- (size_t)lowlevelTCPReadIntoBuffer: (void *)buffer length: (size_t)length +{ + return [super lowlevelReadIntoBuffer: buffer length: length]; +} + +- (size_t)lowlevelTCPWriteBuffer: (const void *)buffer length: (size_t)length +{ + return [super lowlevelWriteBuffer: buffer length: length]; +} + +- (bool)lowlevelTCPIsAtEndOfStream +{ + return [super lowlevelIsAtEndOfStream]; +} +@end Index: utils/ofhttp/OFHTTP.m ================================================================== --- utils/ofhttp/OFHTTP.m +++ utils/ofhttp/OFHTTP.m @@ -585,13 +585,12 @@ - (void)client: (OFHTTPClient *)client didCreateSocket: (OFTCPSocket *)sock request: (OFHTTPRequest *)request { - if (_insecure && [sock respondsToSelector: - @selector(setVerifiesCertificates:)]) - ((id )sock).verifiesCertificates = false; + if (_insecure && [sock isKindOfClass: [OFTLSSocket class]]) + ((OFTLSSocket *)sock).verifiesCertificates = false; } - (void)client: (OFHTTPClient *)client wantsRequestBody: (OFStream *)body request: (OFHTTPRequest *)request
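Review bot: In `OFTLSSocketAsyncConnector`'s `socket:didConnectToHost:port:exception:`, a failure in `startTLSForHost:port:` does `[self release]` and rethrows, so the socket's original delegate is never restored and never learns that the connect failed, while the exception unwinds out of the run loop. The block-based `asyncConnectToHost:port:runLoopMode:block:` in the same file instead hands the TLS exception to the completion block, and the delegate path should mirror that by storing the exception and falling through to the existing delegate call. The `[self release]` also looks like an over-release, because per the header note the connector is kept alive only by the socket's retained delegate reference — unless a balancing retain exists that this hunk does not show. The connector's interface and this method begin on the previous page line; the hunk is the whole new file.
```objc
- (void)socket: (OFTCPSocket *)sock
  didConnectToHost: (OFString *)host
	      port: (uint16_t)port
	 exception: (id)exception
{
	if (exception == nil) {
		@try {
			[(OFTLSSocket *)sock startTLSForHost: _host
							port: _port];
		} @catch (id e) {
			/* Report the TLS failure to the delegate, as the
			 * block variant does, instead of unwinding out of
			 * the run loop with the socket's delegate still
			 * pointing at this connector. */
			exception = e;
		}
	}

	_socket.delegate = _delegate;
	[_delegate socket: sock
	 didConnectToHost: host
		     port: port
		exception: exception];
}
```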