tls
TLS protocol native implementation
https://github.com/haskell-tls/hs-tls
| LTS Haskell 24.16: | 2.1.8 | 
| Stackage Nightly 2025-10-25: | 2.1.12 | 
| Latest on Hackage: | 2.1.12 | 
BSD-3-Clause licensed by Vincent Hanquez
Maintained by Kazu Yamamoto
This version can be pinned in stack with:
tls-2.1.12@sha256:2df4338b03eebb05f391edd0e942e4d7e627cdb606f2a0ac2e1b5f5458b904f4,7254
Module documentation for 2.1.12
- Network
  - Network.TLS
    - Network.TLS.Cipher
    - Network.TLS.Compression
    - Network.TLS.Extra
    - Network.TLS.Internal
    - Network.TLS.QUIC
Depends on 25 packages (full list with versions).
Used by 16 packages in nightly-2025-10-25 (full list with versions).
Native Haskell TLS 1.2/1.3 protocol implementation for servers and clients.
Changes
Change log for “tls”
Version 2.1.12
- Restore benchmarks. #509
- Supporting random 1.2. #508
- Add --trusted-anchor cli option to tls-client. #505
Version 2.1.11
- Removing OVERLAPS instances.
Version 2.1.10
- Supporting the SSLKEYLOGFILE environment variable. #499
Version 2.1.9
- Providing ECH (Encrypted Client Hello). See sharedECHConfigList, clientUseECH and serverECHKey. Note that the ech-gen command, loadECHConfigList and loadECHSecretKeys are provided by the ech-config package.
Version 2.1.8
- Moving Limit to Shared to maintain backward compatibility of TLSParams class.
- Deprecating 2.1.7.
Version 2.1.7
- Introducing Limit parameter.
- Implementing “Record Size Limit Extension for TLS” (RFC8449). Set limitRecordSize to use it.
- Implementing “TLS Certificate Compression” (RFC 8879). This feature is automatically used if the peer supports it.
- More tests with tlsfuzzer especially for client authentication and 0-RTT.
- Implementing a utility function, validateClientCertificate, for client authentication.
- Bug fix for echo back logic of Cookie extension.
- More pretty show for the internal Handshake structure for debugging.
Version 2.1.6
- Testing with “tlsfuzzer” again. Now don’t send an alert against a peer’s alert. Double locking (aka self dead-lock) is fixed. Sending an alert for known-but-cannot-parse extensions. Other corner cases are also fixed.
- tls-client -d and tls-server -d pretty-print Handshake.
Version 2.1.5
- Removing the dependency on the async package.
- Restore a few DHE_RSA ciphers. #493
Version 2.1.4
- Exporting defaultValidationCache.
Version 2.1.3
Version 2.1.2
- Using data-default instead of data-default-class.
Version 2.1.1
- bye directly calls timeout recvHS13, not spawning a thread for timeout recvHS13. So, bye can receive an exception if thrown.
Version 2.1.0
- Breaking change: stop exporting constructors to maintain future compatibility. Field names are still exported, and values can be updated with them using record syntax. Use def and noSessionManager as initial values.
- onServerFinished is added to ClientHooks.
- clientWantSessionResumeList is added to ClientParams to support multiple tickets for TLS 1.3.
Version 2.0.6
- Setting supportedCiphers in defaultSupported to ciphersuite_default. So, users don’t have to override this value anymore by exporting Network.TLS.Extra.Cipher. #471
- ciphersuite_default is the same as ciphersuite_strong. So, the duplicated definition is removed.
- Add missing modules for util/tls-client and util/tls-server.
Version 2.0.5
- Fixing handshake13_0rtt_fallback
- Client checks if the group of PSK is contained in Supported_Groups.
- HRR is not allowed for 0-RTT.
Version 2.0.4
- More fix for 0-RTT when application data is available while receiving CF.
- New util/tls-client and util/tls-server.
Version 2.0.3
- Fixing a bug where timeout in bye does not work.
- util/client -> util/tls-client
- util/server -> util/tls-server
Version 2.0.2
- Client checks sessionMaxEarlyDataSize to decide 0-RTT
- Client checks the resumption cipher properly.
Version 2.0.1
- Fix a leak of pending data to be sent.
Version 2.0.0
- tls now only supports TLS 1.2 and TLS 1.3 with safe cipher suites.
- Security: BREAKING CHANGE: TLS 1.0 and TLS 1.1 are removed.
- Security: BREAKING CHANGE: all CBC cipher suites are removed.
- Security: BREAKING CHANGE: RC4 and 3DES are removed.
- Security: BREAKING CHANGE: DSS (digital signature standard) is removed.
- Security: BREAKING CHANGE: TLS 1.2 servers require EMS (extended main secret) by default. supportedExtendedMasterSec is renamed to supportedExtendedMainSecret.
- BREAKING CHANGE: the package is now compiled with Strict and StrictData.
- BREAKING CHANGE: Many data structures are re-defined with PatternSynonyms for extensibility.
- BREAKING CHANGE: the structure of SessionManager is changed to support session tickets.
- API: BREAKING CHANGE: sendData can send early data (0-RTT). clientEarlyData is removed. To send early data via sendData, set clientUseEarlyData to True. #466
- API: handshake can receive an alert of client authentication failure for TLS 1.3. #463
- API: bye can receive NewSessionTicket for TLS 1.3.
- Channel binding: getFinished and getPeerFinished are deprecated. Use getTLSUnique instead. #462
- Channel binding: getTLSExporter and getTLSServerEndPoint are provided. #462
- Refactoring: the monolithic handshake is divided to follow the diagram of TLS 1.2 and 1.3 for readability.
- Refactoring: test cases are refactored for maintainability and readability. hspec is used instead of tasty.
- Code format: fourmolu is used as an official formatter.
- Catching up RFC8446bis-09. #467
Version 1.9.0
- BREAKING CHANGE: The type of the Error_Protocol constructor of TLSError has changed. The “warning” case has been split off into a new Error_Protocol_Warning constructor. #460
Version 1.8.0
- BREAKING CHANGE: Remove Exception instance for TLSError. The library now throws TLSException only. If you need to change your code, please refer to this example first. #457
Version 1.7.1
- NOP on UserCanceled event #454
Version 1.7.0
- Major version up because “crypton” is used instead of “cryptonite”
Version 1.6.0
- Major version up because of disabling SSL3
- Some fixes against tlsfuzzer
Version 1.5.8
- Require mtl-2.2.1 or newer #448
Version 1.5.7
- New APIs: getFinished and getPeerFinished #445
Version 1.5.6
- Dynamically setting encrypted extensions #444
Version 1.5.5
- QUIC support #419 #427 #428 #430 #433 #441
- Server ECDSA for P-256 #436
- Sort ciphersuites based on hardware-acceleration support #439
- Sending no_application_protocol #440
- Internal improvements #426 #431
Version 1.5.4
Version 1.5.3
- Additional verification regarding EC signatures #412
- Fixing ALPN #411
- Check SSLv3 padding length #410
- Exposing getClientCertificateChain #407
- Extended Master Secret #406
- Brushing up the documentation #404 #408
- Improving tests #403
- Avoid calling onServerNameIndication twice with HRR #402
- Enable X448 and FFDHE groups #401
- Refactoring #400 #399
Version 1.5.2
NOTES:
- Starting with tls-1.5.0, the parameter supportedVersions contains values ordered by decreasing preference, so typically the higher versions first. This departs from code samples previously available. For maximum interoperability, users overriding the default value should verify and adapt their code.
Version 1.5.1
- Post-handshake authentication #363
- Middlebox compatibility #386
- Verification and configuration of session-ticket lifetime #373
- Fixing memory leak #366
- Don’t send 0-RTT data when ticket is expired #370
- Handshake packet fragmentation #371
- Fix SSLv2 deprecated header #383
- Other improvements to TLS 1.3 and RFC conformance #368 #372 #375 #376 #377 #378 #380 #382 #385 #387 #388
Version 1.5.0
- Add and enable AES CCM ciphers #271 #287
- Verify certificate key usage #274 #301
- TLS 1.3 support #278 #279 #280 #283 #298 #331 #290 #314
- Enable RSASSA-PSS #280 #353
- Add and enable ChaCha20-Poly1305 ciphers #287 #340
- Certificate selection with extension “signature_algorithms_cert” #302
- Preventing Logjam attack #300
- Downgrade protection #308
- Support for EdDSA certificates #328 #353
- Key logging #317
- Thread safety for writes #329
- Verify signature schemes and (EC)DHE groups received #337 #338
- Throw BadRecordMac when the decrypted record has invalid format #347
- Improve documentation format #341 #343
- Fix recvClientData with single Handshake packet #352
- Decrease memory footprint of SessionData values #354
FEATURES:
- TLS version 1.3 is available with most features but is not enabled by default.
One notable omission is post-handshake authentication. Scenarios where
servers previously used renegotiation to conditionally request a certificate
are not possible yet when TLS13 is negotiated. Users may enable the version in supportedVersions only when sure post-handshake authentication is not required.
API CHANGES:
- SessionManager implementations need to provide a sessionResumeOnlyOnce function to accommodate resumption scenarios with 0-RTT data. The function is called only on the server side.
- Data type SessionData is extended with four new fields for TLS version 1.3. SessionManager implementations that serialize/deserialize SessionData values must deal with the new fields.
- New configuration parameters and constructors are added for TLS version 1.3 but the API change should be backward compatible for most use-cases.
- Function cipherExchangeNeedMoreData has been removed.
Version 1.4.1
- Enable X25519 in default parameters #265
- Checking EOF in bye #262
- Improving validation in DH key exchange #256
- Handle TCP reset during handshake #251
- Accepting hlint suggestions.
Version 1.4.0
- Wrap renegotiation failures with HandshakeFailed #237
- Improve selection of server certificate and use “signature_algorithms” extension #236
- Change Bytes to ByteString and deprecate the Bytes type alias #230
- Session compression and SNI #223
- Deprecating ciphersuite_medium. Putting WARNING to ciphersuite_all since this includes RC4 #153 #222
- Removing NPN #214
- Supporting RSAPSS defined in TLS 1.3 #207
- Supporting X25519 and X448 in the IES style. #205
- Strip leading zeros in DHE premaster secret #201
FEATURES:
- RSASSA-PSS signatures can be enabled with supportedHashSignatures. This uses assignments from TLS 1.3, for example (HashIntrinsic, SignatureRSApssSHA256).
- Diffie-Hellman with elliptic curves X25519 and X448: This can be enabled with
supportedGroups, which also gives control over curve preference.
- ECDH with curve P-256 now uses optimized C implementation from package cryptonite.
API CHANGES:
- Cipher list ciphersuite_medium is now deprecated, users are advised to use ciphersuite_default or ciphersuite_strong. List ciphersuite_all is kept for compatibility with old servers but this is discouraged and generates a warning (this includes RC4 ciphers, see #153 for reference).
- Support for NPN (Next Protocol Negotiation) has been removed. The replacement is ALPN (Application-Layer Protocol Negotiation).
- Data type SessionData now contains fields for compression algorithm and client SNI. A SessionManager implementation that serializes/deserializes SessionData values must deal with the new fields.
- Module Network.TLS exports a type alias named Bytes which is now deprecated. The replacement is to use strict ByteString directly.
Version 1.3.11
- Using reliable versions of dependent libraries.
Version 1.3.10
- Selecting a cipher based on “signature_algorithms” #193
- Respecting the “signature_algorithms” extension #137
- Fix RSA signature in CertificateVerify with TLS < 1.2 #189
- Fix ECDSA with TLS 1.0 / TLS 1.1 #187
- Sending an empty server name from a server if necessary. #175
- Network.TLS.Extra provides Finite Field Diffie-Hellman Ephemeral Parameters in RFC 7919 #174
- Restore ability to renegotiate #164
Version 1.3.9
- Drop support for old GHC.
- Enable sha384 ciphers and provide ciphersuite_default as default set of ciphers for common needs #168
- SNI late checks #147
- Expose the HasBackend(..) class fully, so that developers can use TLS over their own channels #149
Version 1.3.8
- Fix older GHC builds
Version 1.3.7
- Disable SHA384 based cipher, as they don’t work properly yet.
Version 1.3.6
- Add new ciphers
- Improve some debugging and outputs
Version 1.3.5
- Fix a bug with ECDHE based cipher where serialization
- Debugging: Add a way to print random seed and a way to side-load a seed for replayability
- Improve tests
Version 1.3.4
- Fix tests on 32 bits time_t machines (time not within bound)
- VirtualHost: Add a way to load credentials related to the hostname used by the client (Julian Beaumont)
- VirtualHost: Expose an API to query which hostname the client has contacted (Julian Beaumont)
- Add a way to disable empty packets that are used for security when using old versions + old CBC based cipher (Anton Dessiatov)
Version 1.3.3
- Add support for Hans (Haskell Network Stack) (Adam Wick)
- Add support for ECDSA signature
- Add support for ECDSA-ECDHE Cipher
- Improve parsing of ECC related structure
Version 1.3.2
- Add cipher suites for forward secrecy on more clients (Aaron Friel)
- Maintain more handshake information to be queried by protocol (Adam Wick)
- handle SCSV on client and server side (Kazu Yamamoto)
- Cleanup renegotiation logic (Kazu Yamamoto)
- Various testing improvements with the openssl test parts
- Cleanup AEAD handling for future support of other ciphers
Version 1.3.1
- Repair DHE RSA handling on the cipher by creating signature properly
Version 1.3.0
- modernize the crypto stack by using cryptonite.
Version 1.2.18
- add more tests (network, local)
- cleanup cipher / bulk code, certificate verify / creation, and digitally signed handling
- fix handling of DHE ciphers with MS SSL stack that serialize leading zero.
Version 1.2.17
- Fix an issue of type of key / hash that prevented connection with SChannel.
Version 1.2.16
- Fix an issue with stream cipher not correctly calculating the internal state, resulting systematically in bad record mac failure during handshake
Version 1.2.15
- support chain certificate in credentials
Version 1.2.14
- adding ALPN extension
- adding support for AEAD, and particularly AES128-GCM
- Adding support for ECDH
- Do not support SSL3 by default for security reasons.
- add EnumSafe8 and 16 for specific sized Enum instance that are safer
- export signatureAndHash parser/encoder
- add a “known” list of extensions
- add SignatureAlgorithms extension
- add Heartbeat extension
- add support for EC curves and point format extensions
- add preliminary SessionTicket extension
- Debug: Add the ability to choose arbitrary cipher in the client hello.
Version 1.2.13
- Fix compilation with old mtl version
Version 1.2.12
- Propagate asynchronous exception
Version 1.2.11
- use hourglass instead of time
- use tasty instead of test-framework
- add travis file
- remove old de-optimisation flag as the bytestring bug is old now and it conflicts with cabal check
Version 1.2.10
- Update x509 dependencies
Version 1.2.9
- Export TLSParams and HasBackend type names
- Added FlexibleContexts flag required by ghc-7.9
- debug: add support for specifying the timeout length in milliseconds.
- debug: add support for 3DES in simple client
Version 1.2.8
- add support for 3DES-EDE-CBC-SHA1 (cipher 0xa)
Version 1.2.7
- repair retrieve certificate validation, and improve fingerprints
- remove groom from dependency
- make RecordM an instance of Applicative
- Fixes the Error_EOF partial pattern match error in exception handling
Version 1.2.6 (23 Mar 2014)
- Fixed socket backend endless loop when the server does not close connection properly at the TLS level with the close notify alert.
- Catch Error_EOF in recvData and return empty data.
Version 1.2.5 (23 Mar 2014)
- Fixed Server key exchange data being parsed without the correct context, leading to not knowing how to parse the structure. The bug happens on an efficient server that happens to send the ServerKeyXchg message together with the ServerHello in the same handshake packet. This triggers parsing of all the messages without having set the pending cipher. Delay parsing, when this happens, until we know what to do with it.
Version 1.2.4 (23 Mar 2014)
- Fixed unrecognized name non-fatal alert after client hello.
- Add SSL3 to the supported list of versions by default.
- Fix cereal lower bound to 0.4.0 minimum
Version 1.2.3 (22 Mar 2014)
- Fixed handshake records not being able to span multiple records.
