diff --git a/ChangeLog.md b/ChangeLog.md
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,5 +1,10 @@
 # Changelog for http-client-tls
 
+## 0.4.0
+
+* For MD5 hashes in Base16 format, depend on packages `cryptohash-md5` and
+  `base16` rather than `crypton` and `memory` (the latter is unmaintained).
+
 ## 0.3.6.4
 
 * data-default-class -> data-default [#546](https://github.com/snoyberg/http-client/pull/546/files)
diff --git a/Network/HTTP/Client/TLS.hs b/Network/HTTP/Client/TLS.hs
--- a/Network/HTTP/Client/TLS.hs
+++ b/Network/HTTP/Client/TLS.hs
@@ -41,9 +41,10 @@
 import qualified Data.CaseInsensitive as CI
 import Data.Maybe (fromMaybe, isJust)
 import Network.HTTP.Types (status401)
-import Crypto.Hash (hash, Digest, MD5)
+import qualified Crypto.Hash.MD5 as MD5
 import Control.Arrow ((***))
-import Data.ByteArray.Encoding (convertToBase, Base (Base16))
+import Data.Base16.Types (extractBase16)
+import Data.ByteString.Base16 (encodeBase16')
 import Data.Typeable (Typeable)
 import Control.Monad.Catch (MonadThrow, throwM)
 import qualified Data.Map as Map
@@ -361,7 +362,7 @@
                 -- we always use no qop or qop=auth
                 ha2 = md5 $ S.concat [method req, ":", path req]
 
-                md5 bs = convertToBase Base16 (hash bs :: Digest MD5)
+                md5 = extractBase16 . encodeBase16' . MD5.hash
             key = "Authorization"
             val = S.concat
                 [ "Digest username=\""
diff --git a/http-client-tls.cabal b/http-client-tls.cabal
--- a/http-client-tls.cabal
+++ b/http-client-tls.cabal
@@ -1,5 +1,5 @@
 name:                http-client-tls
-version:             0.3.6.4
+version:             0.4.0
 synopsis:            http-client backend using the connection package and tls library
 description:         Hackage documentation generation is not reliable. For up to date documentation, please see: <https://www.stackage.org/package/http-client-tls>.
 homepage:            https://github.com/snoyberg/http-client
@@ -17,17 +17,17 @@
   exposed-modules:     Network.HTTP.Client.TLS
   other-extensions:    ScopedTypeVariables
   build-depends:       base >= 4.10 && < 5
+                     , base16 >= 1.0
+                     , cryptohash-md5
                      , data-default
                      , http-client >= 0.7.11
                      , crypton-connection
                      , network
-                     , tls >= 1.2
+                     , tls >= 2.1.2
                      , bytestring
                      , case-insensitive
                      , transformers
                      , http-types
-                     , crypton
-                     , memory
                      , exceptions
                      , containers
                      , text
@@ -46,6 +46,8 @@
                      , http-client-tls
                      , http-types
                      , crypton-connection
+                     , data-default
+                     , tls
 
 benchmark benchmark
   main-is:             Bench.hs
diff --git a/test/Spec.hs b/test/Spec.hs
--- a/test/Spec.hs
+++ b/test/Spec.hs
@@ -1,13 +1,28 @@
+{-# LANGUAGE CPP #-}
 {-# LANGUAGE OverloadedStrings #-}
 import Test.Hspec
 import Network.Connection
 import Network.HTTP.Client
-import Network.HTTP.Client.TLS
+import Network.HTTP.Client.TLS hiding (tlsManagerSettings)
 import Network.HTTP.Types
 import Control.Monad (join)
+import Data.Default
+import qualified Network.TLS as TLS
 
 main :: IO ()
 main = hspec $ do
+    let tlsSettings = def
+    -- Since the release of v2.0.0 of the `tls` package , the default value of
+    -- the `supportedExtendedMainSecret` parameter `is `RequireEMS`, this means
+    -- that all the connections to a server not supporting TLS1.2+EMS will fail.
+    -- The badssl.com service does not yet support TLS1.2+EMS connections, so
+    -- let's switch to the value `AllowEMS`, ie: TLS1.2 conenctions without EMS.
+#if MIN_VERSION_crypton_connection(0,4,0)
+            {settingClientSupported = def {TLS.supportedExtendedMainSecret = TLS.AllowEMS}}
+#endif
+
+    let tlsManagerSettings = mkManagerSettings tlsSettings Nothing
+
     it "make a TLS connection" $ do
         manager <- newManager tlsManagerSettings
         withResponse "https://httpbin.org/status/418" manager $ \res ->
@@ -52,13 +67,13 @@
     -- https://github.com/snoyberg/http-client/issues/289
     it "accepts TLS settings" $ do
         let
-          tlsSettings = TLSSettingsSimple
+          tlsSettings' = tlsSettings
             { settingDisableCertificateValidation = True
             , settingDisableSession = False
             , settingUseServerName = False
             }
           socketSettings = Nothing
-          managerSettings = mkManagerSettings tlsSettings socketSettings
+          managerSettings = mkManagerSettings tlsSettings' socketSettings
         manager <- newTlsManagerWith managerSettings
         let url = "https://wrong.host.badssl.com"
         request <- parseRequest url
