diff --git a/CHANGELOG.md b/CHANGELOG.md
index e039403b2..e1f734311 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - `tt pack `: added TCM file packaging.
 - `tt aeon connect`: add connection from the cluster config.
 - `tt aeon connect`: add connection from the `app:insance_name`.
+- `tt` can be built without linking to OpenSSL.
 ### Changed
diff --git a/cli/cluster/cluster.go b/cli/cluster/cluster.go
index b0d430755..03e40acb9 100644
--- a/cli/cluster/cluster.go
+++ b/cli/cluster/cluster.go
@@ -8,9 +8,9 @@ import (
 "time"
 "github.com/tarantool/go-tarantool/v2"
- "github.com/tarantool/go-tlsdialer"
 libcluster "github.com/tarantool/tt/lib/cluster"
 "github.com/tarantool/tt/lib/connect"
+ "github.com/tarantool/tt/lib/dial"
 )
 const (
@@ -96,35 +96,29 @@ func collectTarantoolConfig(collectors libcluster.CollectorFactory,
 network, address = connect.ParseBaseURI(endpoint.Uri)
 }
 addr := fmt.Sprintf("%s://%s", network, address)
- if endpoint.Params.Transport == "" || endpoint.Params.Transport != "ssl" {
- opts = append(opts, tarantoolOpts{
- addr: addr,
- dialer: tarantool.NetDialer{
- Address: addr,
- User: endpoint.Login,
- Password: endpoint.Password,
- },
- opts: tarantool.Opts{
- SkipSchema: true,
- },
- })
- } else {
- opts = append(opts, tarantoolOpts{
- addr: addr,
- dialer: tlsdialer.OpenSSLDialer{
- Address: addr,
- User: endpoint.Login,
- Password: endpoint.Password,
- SslKeyFile: endpoint.Params.SslKeyFile,
- SslCertFile: endpoint.Params.SslCertFile,
- SslCaFile: endpoint.Params.SslCaFile,
- SslCiphers: endpoint.Params.SslCiphers,
- },
- opts: tarantool.Opts{
- SkipSchema: true,
- },
- })
+
+ dialer, err := dial.New(dial.Opts{
+ Address: addr,
+ User: endpoint.Login,
+ Password: endpoint.Password,
+ SslKeyFile: endpoint.Params.SslKeyFile,
+ SslCertFile: endpoint.Params.SslCertFile,
+ SslCaFile: endpoint.Params.SslCaFile,
+ SslCiphers: endpoint.Params.SslCiphers,
+ SslPassword: endpoint.Params.SslPassword,
+ SslPasswordFile: endpoint.Params.SslPasswordFile,
+ Transport: endpoint.Params.Transport, // [ssl|plain]
+ })
+ if err != nil {
+ return nil, err
 }
+ opts = append(opts, tarantoolOpts{
+ addr: addr,
+ dialer: dialer,
+ opts: tarantool.Opts{
+ SkipSchema: true,
+ },
+ })
 }
 var connectionErrors []error
diff --git a/cli/cluster/cmd/uri.go b/cli/cluster/cmd/uri.go
index bc08c67d2..15a572637 100644
--- a/cli/cluster/cmd/uri.go
+++ b/cli/cluster/cmd/uri.go
@@ -8,9 +8,9 @@ import (
 "time"
 "github.com/tarantool/go-tarantool/v2"
- "github.com/tarantool/go-tlsdialer"
 libcluster "github.com/tarantool/tt/lib/cluster"
+ "github.com/tarantool/tt/lib/dial"
 )
 const (
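Review bot: In `cli/cluster/cluster.go`, the new `return nil, err` after `dial.New` passes the error on bare, so with several endpoints configured the user cannot tell which one carried the unsupported transport or hit a build without SSL. `addr` is already in scope and appears to hold only the network and address, so `return nil, fmt.Errorf("endpoint %s: %w", addr, err)` would name the endpoint without printing the login or password. The early return also drops every remaining endpoint, while the `connectionErrors` slice right below suggests connection failures are collected rather than fatal; if aborting is intended, a one-line comment should say so. The `// [ssl|plain]` comment should also mention that an empty transport now selects SSL whenever any `Ssl*` field is set, which the removed branch did not do. The enclosing loop and function begin and end outside this hunk.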
@@ -149,25 +149,15 @@ func MakeEtcdOptsFromUriOpts(src UriOpts) libcluster.EtcdOpts {
 func MakeConnectOptsFromUriOpts(src UriOpts) (tarantool.Dialer, tarantool.Opts) {
 address := fmt.Sprintf("tcp://%s", src.Host)
- var dialer tarantool.Dialer
-
- if src.KeyFile != "" || src.CertFile != "" || src.CaFile != "" || src.Ciphers != "" {
- dialer = tlsdialer.OpenSSLDialer{
- Address: address,
- User: src.Username,
- Password: src.Password,
- SslKeyFile: src.KeyFile,
- SslCertFile: src.CertFile,
- SslCaFile: src.CaFile,
- SslCiphers: src.Ciphers,
- }
- } else {
- dialer = tarantool.NetDialer{
- Address: address,
- User: src.Username,
- Password: src.Password,
- }
- }
+ var dialer, _ = dial.New(dial.Opts{
+ Address: address,
+ User: src.Username,
+ Password: src.Password,
+ SslKeyFile: src.KeyFile,
+ SslCertFile: src.CertFile,
+ SslCaFile: src.CaFile,
+ SslCiphers: src.Ciphers,
+ })
 opts := tarantool.Opts{
 Timeout: src.Timeout,
diff --git a/golangci-lint.yml b/golangci-lint.yml
index 77e7777eb..c513cbda2 100644
--- a/golangci-lint.yml
+++ b/golangci-lint.yml
@@ -2,6 +2,7 @@ run:
 timeout: 3m
 build-tags:
 - go_tarantool_ssl_disable
+ - tt_ssl_disable
 linters:
 disable-all: true
diff --git a/lib/dial/dial.go b/lib/dial/dial.go
new file mode 100644
index 000000000..d64515773
--- /dev/null
+++ b/lib/dial/dial.go
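Review bot: In `cli/cluster/cmd/uri.go`, `var dialer, _ = dial.New(...)` discards the error, so in a `tt_ssl_disable` build any URI that sets a key, cert, CA file or ciphers makes `MakeConnectOptsFromUriOpts` return a nil `tarantool.Dialer`, and the "SSL support is disabled" message never reaches the user. The code does not fall back to plaintext, but the failure then surfaces later and far from its cause; what a nil dialer does downstream is not visible here. Because the function has no error result, the fix changes its signature and its callers outside this hunk: add `error` as a third result, use `dialer, err := dial.New(...)`, and follow it with `if err != nil { return nil, tarantool.Opts{}, err }`. The function body continues past the end of the hunk.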
@@ -0,0 +1,33 @@
+package dial
+
+import (
+ "fmt"
+
+ "github.com/tarantool/go-tarantool/v2"
+)
+
+func New(opts Opts) (tarantool.Dialer, error) {
+ transport := ConvertTransport(opts.Transport)
+
+ if transport == TransportDefault {
+ if opts.SslKeyFile != "" || opts.SslCaFile != "" || opts.SslCertFile != "" ||
+ opts.SslCiphers != "" || opts.SslPassword != "" || opts.SslPasswordFile != "" {
+ transport = TransportSSL
+ } else {
+ transport = TransportPlain
+ }
+ }
+
+ switch transport {
+ case TransportPlain:
+ return tarantool.NetDialer{
+ Address: opts.Address,
+ User: opts.User,
+ Password: opts.Password,
+ }, nil
+ case TransportSSL:
+ return ssl(opts)
+ default:
+ return nil, fmt.Errorf("unsupported transport type: %s", opts.Transport)
+ }
+}
diff --git a/lib/dial/opts.go b/lib/dial/opts.go
new file mode 100644
index 000000000..fcc91579e
--- /dev/null
+++ b/lib/dial/opts.go
@@ -0,0 +1,41 @@
+package dial
+
+// Transport is a type, with a restriction on the list of supported connection modes.
+type Transport string
+
+func (t Transport) String() string {
+ return string(t)
+}
+
+const (
+ TransportDefault Transport = ""
+ TransportPlain Transport = "plain"
+ TransportSSL Transport = "ssl"
+ TransportInvalid Transport = "invalid"
+)
+
+func ConvertTransport(tr string) Transport {
+ switch tr {
+ case "":
+ return TransportDefault
+ case "plain":
+ return TransportPlain
+ case "ssl":
+ return TransportSSL
+ default:
+ return TransportInvalid
+ }
+}
+
+type Opts struct {
+ Address string
+ User string
+ Password string
+ SslKeyFile string
+ SslCertFile string
+ SslCaFile string
+ SslCiphers string
+ SslPassword string
+ SslPasswordFile string
+ Transport string
+}
diff --git a/lib/dial/ssl.go b/lib/dial/ssl.go
new file mode 100644
index 000000000..0f9b3b848
--- /dev/null
+++ b/lib/dial/ssl.go
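Review bot: In `lib/dial/dial.go`, `case TransportPlain:` returns a `NetDialer` even when `Ssl*` options are set, so a configuration that names a CA or key file but carries an explicit `plain` transport connects without TLS and without any diagnostic. If that combination is never intentional, hoist the existing `Ssl*` condition into a local `hasSSLOpts` and reject it in the plain case with `if hasSSLOpts { return nil, errors.New("ssl options are set but transport is plain") }` (this needs the `errors` import); if existing configurations rely on it, state the precedence in a doc comment instead. `New` is exported and has no doc comment; `// New returns a dialer for opts: an empty Transport selects SSL when any Ssl* option is set and plain otherwise.` would cover the selection rule. The `default` branch would be clearer with `%q` for the user-supplied transport, which also makes whitespace or an odd value visible.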
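Review bot: In `lib/dial/opts.go`, the exported `ConvertTransport` and `Opts` have no doc comments, and `Opts.Transport` is a raw `string` although the `Transport` type is declared just above it. Suggested comments are `// ConvertTransport maps a configuration string to a Transport; anything other than "", "plain" or "ssl" yields TransportInvalid.` and `// Opts describes a connection for New. Password and SslPassword are secrets.` Calling out the secret fields is worthwhile because a plain options struct is a natural candidate for `%+v` debug logging.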
@@ -0,0 +1,23 @@
+//go:build !tt_ssl_disable
+// +build !tt_ssl_disable
+
+package dial
+
+import (
+ "github.com/tarantool/go-tarantool/v2"
+ "github.com/tarantool/go-tlsdialer"
+)
+
+func ssl(opts Opts) (tarantool.Dialer, error) {
+ return tlsdialer.OpenSSLDialer{
+ Address: opts.Address,
+ User: opts.User,
+ Password: opts.Password,
+ SslKeyFile: opts.SslKeyFile,
+ SslCertFile: opts.SslCertFile,
+ SslCaFile: opts.SslCaFile,
+ SslCiphers: opts.SslCiphers,
+ SslPassword: opts.SslPassword,
+ SslPasswordFile: opts.SslPasswordFile,
+ }, nil
+}
diff --git a/lib/dial/ssl_disable.go b/lib/dial/ssl_disable.go
new file mode 100644
index 000000000..532e95ea9
--- /dev/null
+++ b/lib/dial/ssl_disable.go
@@ -0,0 +1,14 @@
+//go:build tt_ssl_disable
+// +build tt_ssl_disable
+
+package dial
+
+import (
+ "errors"
+
+ "github.com/tarantool/go-tarantool/v2"
+)
+
+func ssl(opts Opts) (tarantool.Dialer, error) {
+ return nil, errors.New("SSL support is disabled")
+}
diff --git a/magefile.go b/magefile.go
index f539c9a79..c0d16aa80 100644
--- a/magefile.go
+++ b/magefile.go
@@ -202,7 +202,7 @@ func appendTags(args []string) ([]string, error) {
 case BuildTypeDefault:
 fallthrough
 case BuildTypeNoCgo:
- tags = append(tags, "go_tarantool_ssl_disable")
+ tags = append(tags, "go_tarantool_ssl_disable", "tt_ssl_disable")
 case BuildTypeStatic:
 tags = append(tags, "openssl_static")
 case BuildTypeShared:
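Review bot: In `lib/dial/ssl_disable.go`, `errors.New("SSL support is disabled")` does not say that the limitation is a property of the binary, so a user whose TLS configuration is correct has nothing to act on. Naming the cause, for example `errors.New("SSL support is disabled in this build (tt_ssl_disable)")`, makes the message actionable; check first for tests or callers that match the current text, none are visible here. The unused parameter could be written `_ Opts` to make the stub's intent explicit.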