diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 9c3fe656a7ce80..778afa732869f3 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -129,7 +129,7 @@ function loadSession(hello) {
   );
   const owner = this[owner_symbol];
 
-  var once = false;
+  let once = false;
   function onSession(err, session) {
     debug('server resumeSession callback(err %j, sess? %s)', err, !!session);
     if (once)
@@ -263,7 +263,7 @@ function onnewsession(sessionId, session) {
   if (!owner.server)
     return;
 
-  var once = false;
+  let once = false;
   const done = () => {
     debug('onnewsession done');
     if (once)
@@ -345,7 +345,7 @@ function initRead(tlsSocket, socket) {
 
   // Socket already has some buffered data - emulate receiving it
   if (socket && socket.readableLength) {
-    var buf;
+    let buf;
     while ((buf = socket.read()) !== null)
       tlsSocket._handle.receive(buf);
   }
@@ -389,7 +389,7 @@ function TLSSocket(socket, opts) {
   this.authorizationError = null;
   this[kRes] = null;
 
-  var wrap;
+  let wrap;
   if ((socket instanceof net.Socket && socket._handle) || !socket) {
     // 1. connected socket
     // 2. no socket, one will be created with net.Socket().connect
@@ -455,7 +455,7 @@ function makeMethodProxy(name) {
       return this._parent[name].apply(this._parent, args);
   };
 }
-for (var n = 0; n < proxiedMethods.length; n++) {
+for (let n = 0; n < proxiedMethods.length; n++) {
   tls_wrap.TLSWrap.prototype[proxiedMethods[n]] =
     makeMethodProxy(proxiedMethods[n]);
 }
@@ -493,7 +493,7 @@ TLSSocket.prototype.disableRenegotiation = function disableRenegotiation() {
 };
 
 TLSSocket.prototype._wrapHandle = function(wrap) {
-  var handle;
+  let handle;
 
   if (wrap)
     handle = wrap._handle;
@@ -1259,7 +1259,7 @@ Server.prototype.addContext = function(servername, context) {
 function SNICallback(servername, callback) {
   const contexts = this.server._contexts;
 
-  for (var i = 0; i < contexts.length; i++) {
+  for (let i = 0; i < contexts.length; i++) {
     const elem = contexts[i];
     if (elem[0].test(servername)) {
       callback(null, elem[1]);
@@ -1273,7 +1273,7 @@ function SNICallback(servername, callback) {
 
 // Target API:
 //
-//  var s = tls.connect({port: 8000, host: "google.com"}, function() {
+//  let s = tls.connect({port: 8000, host: "google.com"}, function() {
 //    if (!s.authorized) {
 //      s.destroy();
 //      return;
@@ -1374,7 +1374,7 @@ let warnOnAllowUnauthorized = true;
 // Arguments: [port,] [host,] [options,] [cb]
 exports.connect = function connect(...args) {
   args = normalizeConnectArgs(args);
-  var options = args[0];
+  let options = args[0];
   const cb = args[1];
   const allowUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0';