s2n is not intended for use as a TLS client. Setting the mode to S2N_CLIENT should fail except in clear test scenarios. Tentative idea: require an S2N_INSECURE_CLIENT environment variable be set to enable client mode processing.
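
One way the proposed gate could look, as an added example that is not s2n's own code: the `ex_*` names and the error codes are hypothetical, and treating the variable as an opt-in whenever it is present (whatever its value) is an assumption, since the proposal only says it must "be set".

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the library's mode constants, so this builds without s2n. */
typedef enum { EX_MODE_SERVER, EX_MODE_CLIENT } ex_mode;

struct ex_connection { ex_mode mode; };

/* Environment variable name taken from the proposal above. */
#define EX_INSECURE_CLIENT_ENV "S2N_INSECURE_CLIENT"

/* Returns 0 if the mode may be used, -1 with errno set otherwise. */
int ex_check_mode_allowed(ex_mode mode)
{
    if (mode == EX_MODE_SERVER) {
        return 0;                       /* server mode is always allowed */
    }
    if (mode != EX_MODE_CLIENT) {
        errno = EINVAL;                 /* unknown mode value */
        return -1;
    }
    /* Assumption: presence of the variable is the opt-in; its value is ignored. */
    if (getenv(EX_INSECURE_CLIENT_ENV) == NULL) {
        errno = EPERM;                  /* fail closed: client mode not enabled */
        return -1;
    }
    /* Make the opt-in visible so it is noticed outside a test run. */
    fprintf(stderr, "warning: client mode enabled via %s (test use only)\n",
            EX_INSECURE_CLIENT_ENV);
    return 0;
}

/* Hypothetical constructor: the gate runs before any state is allocated. */
struct ex_connection *ex_connection_new(ex_mode mode)
{
    if (ex_check_mode_allowed(mode) != 0) {
        return NULL;
    }
    struct ex_connection *conn = calloc(1, sizeof(*conn));
    if (conn != NULL) {
        conn->mode = mode;
    }
    return conn;
}

int main(void)
{
    struct ex_connection *conn = ex_connection_new(EX_MODE_CLIENT);
    printf("client mode %s\n", conn ? "allowed" : "refused");
    free(conn);
    return 0;
}
```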