diff --git a/cli/flags/options.go b/cli/flags/options.go
index 03c1f2db2a..6c21b74f8d 100644
--- a/cli/flags/options.go
+++ b/cli/flags/options.go
@@ -14,6 +14,18 @@ import (
 )
 
 const (
+ // EnvEnableTLS is the name of the environment variable that can be used
+ // to enable TLS for client connections. When set to a non-empty value, TLS
+ // is enabled for API connections using TCP. For backward-compatibility, this
+ // environment-variable can only be used to enable TLS, not to disable.
+ //
+ // Note that TLS is always enabled implicitly if the "--tls-verify" option
+ // or "DOCKER_TLS_VERIFY" ([github.com/docker/docker/client.EnvTLSVerify])
+ // env var is set to, which could be to either enable or disable TLS certification
+ // validation. In both cases, TLS is enabled but, depending on the setting,
+ // with verification disabled.
+ EnvEnableTLS = "DOCKER_TLS"
+
 // DefaultCaFile is the default filename for the CA pem file
 DefaultCaFile = "ca.pem"
 // DefaultKeyFile is the default filename for the key pem file
@@ -39,8 +51,7 @@ Refer to https://docs.docker.com/go/formatting/ for more information about forma
 var (
 dockerCertPath = os.Getenv(client.EnvOverrideCertPath)
 dockerTLSVerify = os.Getenv(client.EnvTLSVerify) != ""
- // TODO(thaJeztah) the 'DOCKER_TLS' environment variable is not documented, and does not have a const.
- dockerTLS = os.Getenv("DOCKER_TLS") != ""
+ dockerTLS = os.Getenv(EnvEnableTLS) != ""
 )
 
 // ClientOptions are the options used to configure the client cli.
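Review bot: The second paragraph of the new `EnvEnableTLS` doc comment is too loose for a security-relevant setting: "is set to," has no object, "TLS certification validation" should read "certificate validation", and the CLI flag is spelled `--tlsverify`, not `--tls-verify`. The comment also never says whether `DOCKER_TLS` on its own verifies the daemon's certificate. The option handling is outside this hunk, but if it does not, say so explicitly, e.g. `// Setting only DOCKER_TLS encrypts the connection but does not verify the daemon's certificate; set DOCKER_TLS_VERIFY for that.` Separately, the context line `dockerTLSVerify = os.Getenv(client.EnvTLSVerify) != ""` in the second hunk treats any non-empty value as true, so "either enable or disable" presumably describes the flag rather than the env var, and the wording should distinguish the two.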