diff --git a/4.0/32bit/Dockerfile b/4.0/32bit/Dockerfile
index b1f28ad14..e2feb033d 100644
--- a/4.0/32bit/Dockerfile
+++ b/4.0/32bit/Dockerfile
@@ -39,11 +39,6 @@ RUN set -eux; \
 	gosu --version; \
 	gosu nobody true
 
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends libc6-i386; \
-	rm -rf /var/lib/apt/lists/*
-
 ENV REDIS_VERSION 4.0.14
 ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-4.0.14.tar.gz
 ENV REDIS_DOWNLOAD_SHA 1e1e18420a86cfb285933123b04a82e1ebda20bfb0a289472745a087587e93a7
@@ -57,8 +52,7 @@ RUN set -eux; \
 		wget \
 		\
 		gcc \
-		gcc-multilib \
-		libc6-dev-i386 \
+		libc6-dev-i386 gcc-multilib \
 		make \
 	; \
 	rm -rf /var/lib/apt/lists/*; \
@@ -97,6 +91,14 @@ RUN set -eux; \
 	\
 	apt-mark auto '.*' > /dev/null; \
 	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 	redis-cli --version; \
diff --git a/4.0/Dockerfile b/4.0/Dockerfile
index 0a46cf42a..152bfd797 100644
--- a/4.0/Dockerfile
+++ b/4.0/Dockerfile
@@ -73,7 +73,7 @@ RUN set -eux; \
 # see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
 # (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
 	\
-	make -C /usr/src/redis -j "$(nproc)"; \
+	make -C /usr/src/redis -j "$(nproc)" all; \
 	make -C /usr/src/redis install; \
 	\
 # TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
@@ -91,6 +91,14 @@ RUN set -eux; \
 	\
 	apt-mark auto '.*' > /dev/null; \
 	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 	redis-cli --version; \
diff --git a/4.0/alpine/Dockerfile b/4.0/alpine/Dockerfile
index 983ff5259..3caf81098 100644
--- a/4.0/alpine/Dockerfile
+++ b/4.0/alpine/Dockerfile
@@ -22,6 +22,7 @@ RUN set -eux; \
 		linux-headers \
 		make \
 		musl-dev \
+		openssl-dev \
 	; \
 	\
 	wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL"; \
@@ -40,7 +41,7 @@ RUN set -eux; \
 # see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
 # (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
 	\
-	make -C /usr/src/redis -j "$(nproc)"; \
+	make -C /usr/src/redis -j "$(nproc)" all; \
 	make -C /usr/src/redis install; \
 	\
 # TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
diff --git a/5.0/32bit/Dockerfile b/5.0/32bit/Dockerfile
index 15c935aad..071843a4d 100644
--- a/5.0/32bit/Dockerfile
+++ b/5.0/32bit/Dockerfile
@@ -39,11 +39,6 @@ RUN set -eux; \
 	gosu --version; \
 	gosu nobody true
 
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends libc6-i386; \
-	rm -rf /var/lib/apt/lists/*
-
 ENV REDIS_VERSION 5.0.7
 ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-5.0.7.tar.gz
 ENV REDIS_DOWNLOAD_SHA 61db74eabf6801f057fd24b590232f2f337d422280fd19486eca03be87d3a82b
@@ -57,8 +52,7 @@ RUN set -eux; \
 		wget \
 		\
 		gcc \
-		gcc-multilib \
-		libc6-dev-i386 \
+		libc6-dev-i386 gcc-multilib \
 		make \
 	; \
 	rm -rf /var/lib/apt/lists/*; \
@@ -97,6 +91,14 @@ RUN set -eux; \
 	\
 	apt-mark auto '.*' > /dev/null; \
 	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 	redis-cli --version; \
diff --git a/5.0/Dockerfile b/5.0/Dockerfile
index 5edef312b..51c1ceaed 100644
--- a/5.0/Dockerfile
+++ b/5.0/Dockerfile
@@ -73,7 +73,7 @@ RUN set -eux; \
 # see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
 # (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
 	\
-	make -C /usr/src/redis -j "$(nproc)"; \
+	make -C /usr/src/redis -j "$(nproc)" all; \
 	make -C /usr/src/redis install; \
 	\
 # TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
@@ -91,6 +91,14 @@ RUN set -eux; \
 	\
 	apt-mark auto '.*' > /dev/null; \
 	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 	redis-cli --version; \
diff --git a/5.0/alpine/Dockerfile b/5.0/alpine/Dockerfile
index 3e9ef1305..e13491efd 100644
--- a/5.0/alpine/Dockerfile
+++ b/5.0/alpine/Dockerfile
@@ -22,6 +22,7 @@ RUN set -eux; \
 		linux-headers \
 		make \
 		musl-dev \
+		openssl-dev \
 	; \
 	\
 	wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL"; \
@@ -40,7 +41,7 @@ RUN set -eux; \
 # see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
 # (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
 	\
-	make -C /usr/src/redis -j "$(nproc)"; \
+	make -C /usr/src/redis -j "$(nproc)" all; \
 	make -C /usr/src/redis install; \
 	\
 # TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
diff --git a/6.0-rc/32bit/Dockerfile b/6.0-rc/32bit/Dockerfile
index c05038d59..21a1bc997 100644
--- a/6.0-rc/32bit/Dockerfile
+++ b/6.0-rc/32bit/Dockerfile
@@ -39,11 +39,6 @@ RUN set -eux; \
 	gosu --version; \
 	gosu nobody true
 
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends libc6-i386; \
-	rm -rf /var/lib/apt/lists/*
-
 ENV REDIS_VERSION 6.0-rc1
 ENV REDIS_DOWNLOAD_URL https://github.com/antirez/redis/archive/6.0-rc1.tar.gz
 ENV REDIS_DOWNLOAD_SHA 2676012e2fcfe8d41e594b2ae8a05d0a050d2d84c38a0471ae5fe0143e4b0eca
@@ -57,8 +52,7 @@ RUN set -eux; \
 		wget \
 		\
 		gcc \
-		gcc-multilib \
-		libc6-dev-i386 \
+		libc6-dev-i386 gcc-multilib \
 		make \
 	; \
 	rm -rf /var/lib/apt/lists/*; \
@@ -97,6 +91,14 @@ RUN set -eux; \
 	\
 	apt-mark auto '.*' > /dev/null; \
 	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 	redis-cli --version; \
diff --git a/6.0-rc/Dockerfile b/6.0-rc/Dockerfile
index d5d63aeac..05c7034ec 100644
--- a/6.0-rc/Dockerfile
+++ b/6.0-rc/Dockerfile
@@ -53,6 +53,7 @@ RUN set -eux; \
 		\
 		gcc \
 		libc6-dev \
+		libssl-dev \
 		make \
 	; \
 	rm -rf /var/lib/apt/lists/*; \
@@ -73,7 +74,8 @@ RUN set -eux; \
 # see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
 # (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
 	\
-	make -C /usr/src/redis -j "$(nproc)"; \
+	export BUILD_TLS=yes; \
+	make -C /usr/src/redis -j "$(nproc)" all; \
 	make -C /usr/src/redis install; \
 	\
 # TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
@@ -91,6 +93,14 @@ RUN set -eux; \
 	\
 	apt-mark auto '.*' > /dev/null; \
 	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 	redis-cli --version; \
diff --git a/6.0-rc/alpine/Dockerfile b/6.0-rc/alpine/Dockerfile
index 58dc6914a..6f0df606b 100644
--- a/6.0-rc/alpine/Dockerfile
+++ b/6.0-rc/alpine/Dockerfile
@@ -22,6 +22,7 @@ RUN set -eux; \
 		linux-headers \
 		make \
 		musl-dev \
+		openssl-dev \
 	; \
 	\
 	wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL"; \
@@ -40,7 +41,8 @@ RUN set -eux; \
 # see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
 # (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
 	\
-	make -C /usr/src/redis -j "$(nproc)"; \
+	export BUILD_TLS=yes; \
+	make -C /usr/src/redis -j "$(nproc)" all; \
 	make -C /usr/src/redis install; \
 	\
 # TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
diff --git a/Dockerfile-32bit.template b/Dockerfile-32bit.template
deleted file mode 100644
index d909ddd6c..000000000
--- a/Dockerfile-32bit.template
+++ /dev/null
@@ -1,115 +0,0 @@
-FROM debian:buster-slim
-
-# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
-RUN groupadd -r -g 999 redis && useradd -r -g redis -u 999 redis
-
-# grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.11
-RUN set -eux; \
-# save list of currently installed packages for later so we can clean up
-	savedAptMark="$(apt-mark showmanual)"; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		ca-certificates \
-		dirmngr \
-		gnupg \
-		wget \
-	; \
-	rm -rf /var/lib/apt/lists/*; \
-	\
-	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
-	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
-	\
-# verify the signature
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
-	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-	\
-# clean up fetch dependencies
-	apt-mark auto '.*' > /dev/null; \
-	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-	\
-	chmod +x /usr/local/bin/gosu; \
-# verify that the binary works
-	gosu --version; \
-	gosu nobody true
-
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends libc6-i386; \
-	rm -rf /var/lib/apt/lists/*
-
-ENV REDIS_VERSION placeholder
-ENV REDIS_DOWNLOAD_URL placeholder
-ENV REDIS_DOWNLOAD_SHA placeholder
-
-RUN set -eux; \
-	\
-	savedAptMark="$(apt-mark showmanual)"; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		ca-certificates \
-		wget \
-		\
-		gcc \
-		gcc-multilib \
-		libc6-dev-i386 \
-		make \
-	; \
-	rm -rf /var/lib/apt/lists/*; \
-	\
-	wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL"; \
-	echo "$REDIS_DOWNLOAD_SHA *redis.tar.gz" | sha256sum -c -; \
-	mkdir -p /usr/src/redis; \
-	tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1; \
-	rm redis.tar.gz; \
-	\
-# disable Redis protected mode [1] as it is unnecessary in context of Docker
-# (ports are not automatically exposed when running inside Docker, but rather explicitly by specifying -p / -P)
-# [1]: https://github.com/antirez/redis/commit/edd4d555df57dc84265fdfb4ef59a4678832f6da
-##<protected-mode-sed>##
-	grep -E '^ *createBoolConfig[(]"protected-mode",.*, *1 *,.*[)],$' /usr/src/redis/src/config.c; \
-	sed -ri 's!^( *createBoolConfig[(]"protected-mode",.*, *)1( *,.*[)],)$!\10\2!' /usr/src/redis/src/config.c; \
-	grep -E '^ *createBoolConfig[(]"protected-mode",.*, *0 *,.*[)],$' /usr/src/redis/src/config.c; \
-##</protected-mode-sed>##
-# for future reference, we modify this directly in the source instead of just supplying a default configuration flag because apparently "if you specify any argument to redis-server, [it assumes] you are going to specify everything"
-# see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
-# (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
-	\
-	make -C /usr/src/redis -j "$(nproc)" 32bit; \
-	make -C /usr/src/redis install; \
-	\
-# TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
-	serverMd5="$(md5sum /usr/local/bin/redis-server | cut -d' ' -f1)"; export serverMd5; \
-	find /usr/local/bin/redis* -maxdepth 0 \
-		-type f -not -name redis-server \
-		-exec sh -eux -c ' \
-			md5="$(md5sum "$1" | cut -d" " -f1)"; \
-			test "$md5" = "$serverMd5"; \
-		' -- '{}' ';' \
-		-exec ln -svfT 'redis-server' '{}' ';' \
-	; \
-	\
-	rm -r /usr/src/redis; \
-	\
-	apt-mark auto '.*' > /dev/null; \
-	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-	\
-	redis-cli --version; \
-	redis-server --version
-
-RUN mkdir /data && chown redis:redis /data
-VOLUME /data
-WORKDIR /data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 6379
-CMD ["redis-server"]
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 966d9008a..8bcc03320 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -22,6 +22,7 @@ RUN set -eux; \
 		linux-headers \
 		make \
 		musl-dev \
+		openssl-dev \
 	; \
 	\
 	wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL"; \
@@ -42,7 +43,8 @@ RUN set -eux; \
 # see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
 # (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
 	\
-	make -C /usr/src/redis -j "$(nproc)"; \
+	export BUILD_TLS=yes; \
+	make -C /usr/src/redis -j "$(nproc)" all; \
 	make -C /usr/src/redis install; \
 	\
 # TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
diff --git a/Dockerfile.template b/Dockerfile.template
index a4d8384d2..7c3c48148 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -53,6 +53,7 @@ RUN set -eux; \
 		\
 		gcc \
 		libc6-dev \
+		libssl-dev \
 		make \
 	; \
 	rm -rf /var/lib/apt/lists/*; \
@@ -75,7 +76,8 @@ RUN set -eux; \
 # see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
 # (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
 	\
-	make -C /usr/src/redis -j "$(nproc)"; \
+	export BUILD_TLS=yes; \
+	make -C /usr/src/redis -j "$(nproc)" all; \
 	make -C /usr/src/redis install; \
 	\
 # TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
@@ -93,6 +95,14 @@ RUN set -eux; \
 	\
 	apt-mark auto '.*' > /dev/null; \
 	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 	redis-cli --version; \
diff --git a/update.sh b/update.sh
index b233d270a..edc00602a 100755
--- a/update.sh
+++ b/update.sh
@@ -55,7 +55,10 @@ for version in "${versions[@]}"; do
 	; do
 		dir="$version${variant:+/$variant}"
 		[ -d "$dir" ] || continue
-		template="Dockerfile${variant:+-$variant}.template"
+		case "$variant" in
+			32bit) template='Dockerfile.template' ;;
+			*) template="Dockerfile${variant:+-$variant}.template" ;;
+		esac
 
 		sed -r \
 			-e 's/^(ENV REDIS_VERSION) .*/\1 '"$fullVersion"'/' \
@@ -64,6 +67,13 @@ for version in "${versions[@]}"; do
 			-e 's!sha[0-9]+sum!'"$shaType"'sum!g' \
 			"$template" > "$dir/Dockerfile"
 
+		if [ "$variant" = '32bit' ]; then
+			sed -ri \
+				-e 's/(make.*) all;/\1 32bit;/' \
+				-e 's/libc6-dev/libc6-dev-i386 gcc-multilib/' \
+				"$dir/Dockerfile"
+		fi
+
 		case "$version" in
 			4.0 | 5.0)
 				gawk -i inplace '
@@ -77,6 +87,14 @@ for version in "${versions[@]}"; do
 		esac
 		sed -ri -e '/protected-mode-sed/d' "$dir/Dockerfile"
 
+		# TLS support was added in 6.0, and we can't link 32bit Redis against 64bit OpenSSL (and it isn't worth going to a full foreign architecture -- just use i386/redis instead)
+		if [ "$version" = '4.0' ] || [ "$version" = '5.0' ] || [ "$variant" = '32bit' ]; then
+			sed -ri \
+				-e '/libssl/d' \
+				-e '/BUILD_TLS/d' \
+				"$dir/Dockerfile"
+		fi
+
 		travisEnv='\n  - VERSION='"$version VARIANT=$variant$travisEnv"
 	done
 done