diff --git a/ClientSessionManager.hs b/ClientSessionManager.hs
--- a/ClientSessionManager.hs
+++ b/ClientSessionManager.hs
@@ -38,6 +38,7 @@
     (\_ -> return Nothing)
     insert
     delete
+    True
     where
     insert sid sd@SessionData{ sessionClientSNI = Just sni } = do
         now <- timeCurrent
@@ -45,7 +46,8 @@
         modifyMVar_ sess $ return .
             Map.insert (sni, fp) (expire,(sid,sd)) .
             fromAscList . filter (\(_,(t,(_,_))) -> t >= now) . toAscList
-    insert _ _ = return ()
+        return Nothing
+    insert _ _ = return Nothing
     delete sid =
         modifyMVar_ sess $ return .
             fromAscList . filter (\(_,(_,(sid',_))) -> sid /= sid') . toAscList
diff --git a/GeminiProtocol.hs b/GeminiProtocol.hs
--- a/GeminiProtocol.hs
+++ b/GeminiProtocol.hs
@@ -214,11 +214,11 @@
                 , clientShared = def
                     { sharedCAStore = certStore
                     , sharedSessionManager = sessionManager }
-                , clientEarlyData = Just requestBytes  -- ^Send early data (RTT0) if server session allows it
+                , clientUseEarlyData = True  -- ^Send early data (RTT0) if server session allows it
                 , clientWantSessionResume = session
                 }
         (sock,context) <- do
-            let retryNoResume (HandshakeFailed (Error_Protocol (_,_,HandshakeFailure)))
+            let retryNoResume (HandshakeFailed (Error_Protocol _ HandshakeFailure))
                         | isJust session = do
                     -- Work around a mysterious problem seen with dezhemini+libssl:
                     displayWarning [ "Handshake failure when resuming TLS session; retrying with full handshake." ]
@@ -229,8 +229,7 @@
             sock <- openSocket
             c <- TLS.contextNew sock params
             handle retryNoResume $ handshake c >> return (sock,c)
-        sentEarly <- (== Just True) . (infoIsEarlyDataAccepted <$>) <$> contextGetInformation context
-        unless sentEarly . sendData context $ BL.fromStrict requestBytes
+        sendData context $ BL.fromStrict requestBytes
         when verboseConnection . void . runMaybeT $ do
             info <- MaybeT $ contextGetInformation context
             lift . displayInfo $ [ "TLS version " ++ show (infoVersion info) ++
@@ -456,6 +455,8 @@
     -- |those ciphers from ciphersuite_default fitting the requirements
     -- recommended by the gemini "best practices" document:
     -- require ECDHE/DHE (for PFS), and >=SHA2, and AES/CHACHA20.
+    -- Some of these were subsequently commented out once tls-2.0 dropped
+    -- support for them.
     gemini_ciphersuite :: [Cipher]
     gemini_ciphersuite =
         [        -- First the PFS + GCM + SHA2 ciphers
@@ -463,15 +464,15 @@
         , cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256
         , cipher_ECDHE_RSA_AES128GCM_SHA256, cipher_ECDHE_RSA_AES256GCM_SHA384
         , cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256
-        , cipher_DHE_RSA_AES128GCM_SHA256, cipher_DHE_RSA_AES256GCM_SHA384
-        , cipher_DHE_RSA_CHACHA20POLY1305_SHA256
+        --, cipher_DHE_RSA_AES128GCM_SHA256, cipher_DHE_RSA_AES256GCM_SHA384
+        --, cipher_DHE_RSA_CHACHA20POLY1305_SHA256
         ,        -- Next the PFS + CCM + SHA2 ciphers
           cipher_ECDHE_ECDSA_AES128CCM_SHA256, cipher_ECDHE_ECDSA_AES256CCM_SHA256
-        , cipher_DHE_RSA_AES128CCM_SHA256, cipher_DHE_RSA_AES256CCM_SHA256
+        --, cipher_DHE_RSA_AES128CCM_SHA256, cipher_DHE_RSA_AES256CCM_SHA256
                  -- Next the PFS + CBC + SHA2 ciphers
-        , cipher_ECDHE_ECDSA_AES128CBC_SHA256, cipher_ECDHE_ECDSA_AES256CBC_SHA384
-        , cipher_ECDHE_RSA_AES128CBC_SHA256, cipher_ECDHE_RSA_AES256CBC_SHA384
-        , cipher_DHE_RSA_AES128_SHA256, cipher_DHE_RSA_AES256_SHA256
+        --, cipher_ECDHE_ECDSA_AES128CBC_SHA256, cipher_ECDHE_ECDSA_AES256CBC_SHA384
+        --, cipher_ECDHE_RSA_AES128CBC_SHA256, cipher_ECDHE_RSA_AES256CBC_SHA384
+        --, cipher_DHE_RSA_AES128_SHA256, cipher_DHE_RSA_AES256_SHA256
                 -- TLS13 (listed at the end but version is negotiated first)
         , cipher_TLS13_AES128GCM_SHA256
         , cipher_TLS13_AES256GCM_SHA384
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VERSION=0.1.14.6
+VERSION=0.1.14.7
 
 GHCOPTS=-threaded -DICONV -DMAGIC -ignore-package regex-compat-tdfa
 
diff --git a/Version.hs b/Version.hs
--- a/Version.hs
+++ b/Version.hs
@@ -16,4 +16,4 @@
 programName = "diohsc"
 
 version :: String
-version = "0.1.14.6"
+version = "0.1.14.7"
diff --git a/diohsc.cabal b/diohsc.cabal
--- a/diohsc.cabal
+++ b/diohsc.cabal
@@ -1,6 +1,6 @@
 cabal-version:      1.18
 name:               diohsc
-version:            0.1.14.6
+version:            0.1.14.7
 license:            GPL-3
 license-file:       COPYING
 maintainer:         mbays@sdf.org
@@ -104,7 +104,7 @@
         mime >=0.4.0.2 && <0.5,
         mtl >=2.1.3.1 && <2.4,
         memory >=0.14 && <0.19,
-        network >=2.4.2.3 && <3.2,
+        network >=2.4.2.3 && <3.3,
         network-simple >=0.4.3 && <0.5,
         network-uri >=2.6.3.0 && <2.8,
         parsec >=3.1.5 && <3.2,
@@ -116,7 +116,7 @@
         temporary ==1.3.*,
         terminal-size >=0.3.2.1 && <0.4,
         text >=1.1.0.0 && <2.2,
-        tls >=1.5.4 && <1.10,
+        tls >=1.5.4 && <2.1,
         transformers >=0.3.0.0 && <0.7,
         crypton-x509 >=1.7.5 && <1.8,
         crypton-x509-store >=1.6.7 && <1.7,
