diff --git a/changelog.md b/changelog.md
--- a/changelog.md
+++ b/changelog.md
@@ -1,3 +1,13 @@
+# Version 0.4.2
+
+* Use `crypton-x509`, `crypton-x509-store`, `crypton-x509-system`,
+  `crypton-x509-validation`.
+
+* Require `tls>=1.8`
+
+* Fix compiler warnings.
+
+
 # Version 0.4.1
 
 * Fix compiler warnings.
diff --git a/network-simple-tls.cabal b/network-simple-tls.cabal
--- a/network-simple-tls.cabal
+++ b/network-simple-tls.cabal
@@ -1,6 +1,6 @@
 cabal-version:       2.4
 name:                network-simple-tls
-version:             0.4.1
+version:             0.4.2
 synopsis:            Simple interface to TLS secured network sockets.
 description:         Simple interface to TLS secured network sockets.
 homepage:            https://hackage.haskell.org/package/network-simple-tls
@@ -29,12 +29,12 @@
                    , network
                    , network-simple >=0.4.3
                    , safe-exceptions
-                   , tls >=1.5
+                   , tls >=1.8
                    , tls-session-manager
                    , transformers
-                   , x509
-                   , x509-store
-                   , x509-system
-                   , x509-validation
+                   , crypton-x509
+                   , crypton-x509-store
+                   , crypton-x509-system
+                   , crypton-x509-validation
   ghc-options:      -Wall -O2
 
diff --git a/src/Network/Simple/TCP/TLS.hs b/src/Network/Simple/TCP/TLS.hs
--- a/src/Network/Simple/TCP/TLS.hs
+++ b/src/Network/Simple/TCP/TLS.hs
@@ -287,7 +287,9 @@
                             ("Unacceptable client cert: " ++ show errs')))
     -- Ciphers prefered by the server take precedence.
     chooseCipher :: T.Version -> [T.Cipher] -> T.Cipher
-    chooseCipher _ cCiphs = head (intersect TE.ciphersuite_strong cCiphs)
+    chooseCipher _ cCiphs = case intersect TE.ciphersuite_strong cCiphs of
+                              c : _ -> c
+                              _ -> error "chooseCipher: no ciphers"
 
 -- | Obtain new default 'T.ServerParams' for a particular server 'T.Credential'.
 --
@@ -560,12 +562,10 @@
 -- Up to @16384@ decrypted bytes will be received at once.
 recv :: MonadIO m => T.Context -> m (Maybe B.ByteString)
 recv ctx = liftIO $ do
-    E.handle (\case T.Error_EOF -> return Nothing
-                    e -> E.throwM e)
-             (do bs <- T.recvData ctx
-                 if B.null bs
-                    then return Nothing -- I think this never happens
-                    else return (Just bs))
+   bs <- T.recvData ctx
+   if B.null bs
+      then return Nothing
+      else return (Just bs)
 {-# INLINABLE recv #-}
 
 -- | Encrypts the given strict 'B.ByteString' and sends it through the
@@ -604,4 +604,3 @@
                   } | Errno ioe == ePIPE
           -> return ()
         _ -> E.throwIO e
-
