diff --git a/Network/HTTP/Conduit/ConnInfo.hs b/Network/HTTP/Conduit/ConnInfo.hs
--- a/Network/HTTP/Conduit/ConnInfo.hs
+++ b/Network/HTTP/Conduit/ConnInfo.hs
@@ -9,8 +9,8 @@
     , connSource
     , sslClientConn
     , socketConn
-    , TLSCertificateRejectReason(..)
-    , TLSCertificateUsage(..)
+    , CertificateRejectReason(..)
+    , CertificateUsage(..)
     , getSocket
 #if DEBUG
     , printOpenSockets
@@ -119,19 +119,19 @@
             sClose sock
         }
 
-sslClientConn :: String -> ([X509] -> IO TLSCertificateUsage) -> Handle -> IO ConnInfo
+sslClientConn :: String -> ([X509] -> IO CertificateUsage) -> Handle -> IO ConnInfo
 sslClientConn _desc onCerts h = do
 #if DEBUG
     i <- addSocket _desc
 #endif
-    let tcp = defaultParams
+    let tcp = defaultParamsClient
             { pConnectVersion = TLS10
             , pAllowedVersions = [ TLS10, TLS11, TLS12 ]
             , pCiphers = ciphersuite_all
             , onCertificatesRecv = onCerts
             }
     gen <- makeSystem
-    istate <- client tcp gen h
+    istate <- contextNewOnHandle h tcp gen
     handshake istate
     return ConnInfo
         { connRead = recvD istate
diff --git a/Network/HTTP/Conduit/Manager.hs b/Network/HTTP/Conduit/Manager.hs
--- a/Network/HTTP/Conduit/Manager.hs
+++ b/Network/HTTP/Conduit/Manager.hs
@@ -48,6 +48,8 @@
 import Network (connectTo, PortID (PortNumber), HostName)
 import Network.Socket (socketToHandle)
 import Data.Certificate.X509 (X509, encodeCertificate)
+import Data.CertificateStore (CertificateStore)
+import System.Certificate.X509 (getSystemCertificateStore)
 
 import Network.TLS.Extra (certificateVerifyChain, certificateVerifyDomain)
 
@@ -65,7 +67,7 @@
 data ManagerSettings = ManagerSettings
     { managerConnCount :: Int
       -- ^ Number of connections to a single host to keep alive. Default: 10.
-    , managerCheckCerts :: S8.ByteString -> [X509] -> IO TLSCertificateUsage
+    , managerCheckCerts :: CertificateStore -> S8.ByteString -> [X509] -> IO CertificateUsage
       -- ^ Check if the server certificate is valid. Only relevant for HTTPS.
     }
 
@@ -78,10 +80,10 @@
         }
 
 -- | Check certificates using the operating system's certificate checker.
-defaultCheckCerts :: S8.ByteString -> [X509] -> IO TLSCertificateUsage
-defaultCheckCerts host' certs =
+defaultCheckCerts :: CertificateStore -> S8.ByteString -> [X509] -> IO CertificateUsage
+defaultCheckCerts certStore host' certs =
     case certificateVerifyDomain (S8.unpack host') certs of
-        CertificateUsageAccept -> certificateVerifyChain certs
+        CertificateUsageAccept -> certificateVerifyChain certStore certs
         rejected               -> return rejected
 
 -- | Keeps track of open connections for keep-alive.  May be used
@@ -91,7 +93,7 @@
     -- ^ @Nothing@ indicates that the manager is closed.
     , mMaxConns :: !Int
     -- ^ This is a per-@ConnKey@ value.
-    , mCheckCerts :: S8.ByteString -> [X509] -> IO TLSCertificateUsage
+    , mCheckCerts :: S8.ByteString -> [X509] -> IO CertificateUsage
     -- ^ Check if a certificate is valid.
     , mCertCache :: !(I.IORef (Map.Map S8.ByteString (Map.Map X509Encoded UTCTime)))
     -- ^ Cache of validated certificates. The @UTCTime@ gives the expiration
@@ -144,10 +146,11 @@
 -- | Create a 'Manager'. You must manually call 'closeManager' to shut it down.
 newManager :: ManagerSettings -> IO Manager
 newManager ms = do
+    certStore <- getSystemCertificateStore
     mapRef <- I.newIORef (Just Map.empty)
     certCache <- I.newIORef Map.empty
     _ <- forkIO $ reap mapRef certCache
-    return $ Manager mapRef (managerConnCount ms) (managerCheckCerts ms) certCache
+    return $ Manager mapRef (managerConnCount ms) (managerCheckCerts ms $ certStore) certCache
 
 -- | Collect and destroy any stale connections.
 reap :: I.IORef (Maybe (Map.Map ConnKey (NonEmptyList ConnInfo)))
@@ -280,7 +283,7 @@
 socketDesc h p t = unwords [h, show p, t]
 
 getSslConn :: MonadResource m
-            => ([X509] -> IO TLSCertificateUsage)
+            => ([X509] -> IO CertificateUsage)
             -> Manager
             -> String -- ^ host
             -> Int -- ^ port
@@ -294,7 +297,7 @@
 
 getSslProxyConn
             :: MonadResource m
-            => ([X509] -> IO TLSCertificateUsage)
+            => ([X509] -> IO CertificateUsage)
             -> S8.ByteString -- ^ Target host
             -> Int -- ^ Target port
             -> Manager
@@ -396,7 +399,7 @@
             (True, False) -> getSslConn $ checkCerts m h
             (True, True) -> getSslProxyConn (checkCerts m h) h (port req)
 
-checkCerts :: Manager -> S8.ByteString -> [X509] -> IO TLSCertificateUsage
+checkCerts :: Manager -> S8.ByteString -> [X509] -> IO CertificateUsage
 checkCerts man host' certs = do
 #if DEBUG
     putStrLn $ "checkCerts for host: " ++ show host'
diff --git a/http-conduit.cabal b/http-conduit.cabal
--- a/http-conduit.cabal
+++ b/http-conduit.cabal
@@ -1,5 +1,5 @@
 name:            http-conduit
-version:         1.7.0
+version:         1.8.0
 license:         BSD3
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>
@@ -32,11 +32,11 @@
                  , blaze-builder         >= 0.2.1   && < 0.4
                  , http-types            >= 0.6     && < 0.8
                  , cprng-aes             >= 0.2     && < 0.3
-                 , tls                   >= 0.9.3   && < 0.10
-                 , tls-extra             >= 0.4.5   && < 0.5
+                 , tls                   >= 1.0.0   && < 1.1
+                 , tls-extra             >= 0.5.0   && < 0.6
                  , monad-control         >= 0.3     && < 0.4
                  , containers            >= 0.2
-                 , certificate           >= 1.2     && < 1.3
+                 , certificate           >= 1.3     && < 1.4
                  , case-insensitive      >= 0.2
                  , base64-bytestring     >= 0.1     && < 1.1
                  , asn1-data             >= 0.5.1   && < 0.8
