diff --git a/conduit-lwt-unix.opam b/conduit-lwt-unix.opam
index ff512daa..70c4a228 100644
--- a/conduit-lwt-unix.opam
+++ b/conduit-lwt-unix.opam
@@ -25,7 +25,7 @@ depends: [
 ]
 depopts: ["tls" "lwt_ssl" "launchd"]
 conflicts: [
- "tls" {< "0.13.0"}
+ "tls" {< "0.14.0"}
 "ssl" {< "0.5.9"}
 ]
 build: [
diff --git a/src/conduit-lwt-unix/conduit_lwt_tls.dummy.mli b/src/conduit-lwt-unix/conduit_lwt_tls.dummy.mli
index 14c5474a..bed1b289 100644
--- a/src/conduit-lwt-unix/conduit_lwt_tls.dummy.mli
+++ b/src/conduit-lwt-unix/conduit_lwt_tls.dummy.mli
@@ -30,7 +30,7 @@ module Client : sig
 ?src:Lwt_unix.sockaddr ->
 ?certificates:'a ->
 authenticator:X509.authenticator ->
- string ->
+ [ `host ] Domain_name.t ->
 Lwt_unix.sockaddr ->
 (Lwt_unix.file_descr * Lwt_io.input_channel * Lwt_io.output_channel) Lwt.t
 end
diff --git a/src/conduit-lwt-unix/conduit_lwt_tls.real.mli b/src/conduit-lwt-unix/conduit_lwt_tls.real.mli
index 8eba4d40..1ad51ed2 100644
--- a/src/conduit-lwt-unix/conduit_lwt_tls.real.mli
+++ b/src/conduit-lwt-unix/conduit_lwt_tls.real.mli
@@ -31,7 +31,7 @@ module Client : sig
 ?src:Lwt_unix.sockaddr ->
 ?certificates:Tls.Config.own_cert ->
 authenticator:X509.authenticator ->
- string ->
+ [ `host ] Domain_name.t ->
 Lwt_unix.sockaddr ->
 (Lwt_unix.file_descr * Lwt_io.input_channel * Lwt_io.output_channel) Lwt.t
 end
diff --git a/src/conduit-lwt-unix/conduit_lwt_unix.ml b/src/conduit-lwt-unix/conduit_lwt_unix.ml
index 208d202b..33deaebc 100644
--- a/src/conduit-lwt-unix/conduit_lwt_unix.ml
+++ b/src/conduit-lwt-unix/conduit_lwt_unix.ml
@@ -264,6 +264,15 @@ let connect_with_tls_native ~ctx (`Hostname hostname, `IP ip, `Port port) = Conduit_lwt_tls.X509.private_of_pems ~cert ~priv_key >|= fun certificate -> Some (`Single certificate)) >>= fun certificates -> + let hostname = + try Domain_name.(host_exn (of_string_exn hostname)) + with Invalid_argument msg -> + let s = + Printf.sprintf "couldn't convert %s to a [`host] Domain_name.t: %s" + hostname msg + in + invalid_arg s + in Conduit_lwt_tls.Client.connect ?src:ctx.src ?certificates ~authenticator:ctx.tls_authenticator hostname sa >|= fun (fd, ic, oc) ->
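Review bot: The added `Printf.sprintf` copies the raw `hostname` into the exception message with `%s`, and that name may come from a URL the caller does not control; changing the first conversion to `%S` keeps newlines and control characters out of whatever log or error page later prints the exception. The conversion also sits inside the `>>= fun certificates ->` continuation, so a name that is not a valid host is rejected only after `private_of_pems` has already read the key material; binding `hostname` before that step would fail earlier, though the start of connect_with_tls_native is outside the hunk, so confirm nothing in between needs the string form. A bad name now raises `Invalid_argument` from inside the continuation (presumably surfacing as a rejected Lwt promise), which callers tend to treat as a programming error rather than bad input, so a `@raise Invalid_argument` line in the function's doc comment would make the new failure mode visible.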