diff --git a/src/tls_stream.c b/src/tls_stream.c
new file mode 100644
index 000000000..d44709af4
--- /dev/null
+++ b/src/tls_stream.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#include "git2/errors.h"
+#include "common.h"
+
+#include "openssl_stream.h"
+#include "stransport_stream.h"
+
+int git_tls_stream_new(git_stream **out, const char *host, const char *port)
+{
+#ifdef GIT_SECURE_TRANSPORT
+	return git_stransport_stream_new(out, host, port);
+#elif defined(GIT_SSL)
+	return git_openssl_stream_new(out, host, port);
+#else
+	GIT_UNUSED(out);
+	GIT_UNUSED(host);
+	GIT_UNUSED(port);
+
+	giterr_set(GITERR_SSL, "there is no TLS stream available");
+	return -1;
+#endif
+}
diff --git a/src/tls_stream.h b/src/tls_stream.h
new file mode 100644
index 000000000..98a704174
--- /dev/null
+++ b/src/tls_stream.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+#ifndef INCLUDE_tls_stream_h__
+#define INCLUDE_tls_stream_h__
+
+#include "git2/sys/stream.h"
+
+/**
+ * Create a TLS stream with the most appropriate backend available for
+ * the current platform.
+ *
+ * This allows us to ask for a SecureTransport or OpenSSL stream
+ * according to being on general Unix vs OS X.
+ */
+extern int git_tls_stream_new(git_stream **out, const char *host, const char *port);
+
+#endif
diff --git a/src/transports/http.c b/src/transports/http.c
index 264c9c512..bad7e2594 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -13,7 +13,7 @@
 #include "smart.h"
 #include "auth.h"
 #include "auth_negotiate.h"
-#include "openssl_stream.h"
+#include "tls_stream.h"
 #include "socket_stream.h"
 
 git_http_auth_scheme auth_schemes[] = {
@@ -545,7 +545,7 @@ static int http_connect(http_subtransport *t)
 	}
 
 	if (t->connection_data.use_ssl) {
-		error = git_openssl_stream_new(&t->io, t->connection_data.host, t->connection_data.port);
+		error = git_tls_stream_new(&t->io, t->connection_data.host, t->connection_data.port);
 	} else {
 		error = git_socket_stream_new(&t->io,  t->connection_data.host, t->connection_data.port);
 	}