diff --git a/Network/Wai/Handler/WarpTLS.hs b/Network/Wai/Handler/WarpTLS.hs
--- a/Network/Wai/Handler/WarpTLS.hs
+++ b/Network/Wai/Handler/WarpTLS.hs
@@ -31,6 +31,7 @@
     , tlsWantClientCert
     , tlsServerHooks
     , tlsServerDHEParams
+    , tlsSessionManagerConfig
     , onInsecure
     , OnInsecure (..)
     -- * Runner
@@ -60,6 +61,7 @@
 import qualified Network.TLS as TLS
 import qualified Crypto.PubKey.DH as DH
 import qualified Network.TLS.Extra as TLSExtra
+import qualified Network.TLS.SessionManager as SM
 import Network.Wai (Application)
 import Network.Wai.Handler.Warp
 import Network.Wai.Handler.Warp.Internal
@@ -102,7 +104,7 @@
     -- ^ The TLS ciphers this server accepts.
     --
     -- >>> tlsCiphers defaultTlsSettings
-    -- [ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-SHA256,DHE-RSA-AES256-SHA1,DHE-RSA-AES128-SHA1,DHE-DSA-AES128-SHA1,DHE-DSA-AES256-SHA1,RSA-aes128-sha1,RSA-aes256-sha1]
+    -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1]
     --
     -- Since 1.4.2
   , tlsWantClientCert :: Bool
@@ -129,6 +131,15 @@
     -- Default: Nothing
     --
     -- Since 3.2.2
+  , tlsSessionManagerConfig :: Maybe SM.Config
+    -- ^ Configuration for in-memory TLS session manager.
+    -- If Nothing, 'TLS.noSessionManager' is used.
+    -- Otherwise, an in-memory TLS session manager is created
+    -- according to 'Config'.
+    --
+    -- Default: Nothing
+    --
+    -- Since 3.2.4
   }
 
 -- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors).
@@ -147,24 +158,12 @@
   , tlsWantClientCert = False
   , tlsServerHooks = def
   , tlsServerDHEParams = Nothing
+  , tlsSessionManagerConfig = Nothing
   }
 
 -- taken from stunnel example in tls-extra
 ciphers :: [TLS.Cipher]
-ciphers =
-    [ TLSExtra.cipher_ECDHE_RSA_AES128GCM_SHA256
-    , TLSExtra.cipher_ECDHE_RSA_AES128CBC_SHA256
-    , TLSExtra.cipher_ECDHE_RSA_AES128CBC_SHA
-    , TLSExtra.cipher_DHE_RSA_AES128GCM_SHA256
-    , TLSExtra.cipher_DHE_RSA_AES256_SHA256
-    , TLSExtra.cipher_DHE_RSA_AES128_SHA256
-    , TLSExtra.cipher_DHE_RSA_AES256_SHA1
-    , TLSExtra.cipher_DHE_RSA_AES128_SHA1
-    , TLSExtra.cipher_DHE_DSS_AES128_SHA1
-    , TLSExtra.cipher_DHE_DSS_AES256_SHA1
-    , TLSExtra.cipher_AES128_SHA1
-    , TLSExtra.cipher_AES256_SHA1
-    ]
+ciphers = TLSExtra.ciphersuite_strong
 
 ----------------------------------------------------------------
 
@@ -252,10 +251,13 @@
             key <- maybe (S.readFile keyFile) return mkey
             either error return $
               TLS.credentialLoadX509ChainFromMemory cert chainCertsMemory key
-    runTLSSocket' tlsset set credential sock app
+    mgr <- case tlsSessionManagerConfig of
+      Nothing     -> return TLS.noSessionManager
+      Just config -> SM.newSessionManager config
+    runTLSSocket' tlsset set credential mgr sock app
 
-runTLSSocket' :: TLSSettings -> Settings -> TLS.Credential -> Socket -> Application -> IO ()
-runTLSSocket' tlsset@TLSSettings{..} set credential sock app =
+runTLSSocket' :: TLSSettings -> Settings -> TLS.Credential -> TLS.SessionManager -> Socket -> Application -> IO ()
+runTLSSocket' tlsset@TLSSettings{..} set credential mgr sock app =
     runSettingsConnectionMakerSecure set get app
   where
     get = getter tlsset sock params
@@ -273,20 +275,13 @@
           (if settingsHTTP2Enabled set then Just alpn else Nothing)
       }
     shared = def {
-        TLS.sharedCredentials = TLS.Credentials [credential]
+        TLS.sharedCredentials    = TLS.Credentials [credential]
+      , TLS.sharedSessionManager = mgr
       }
     supported = def { -- TLS.Supported
         TLS.supportedVersions       = tlsAllowedVersions
       , TLS.supportedCiphers        = tlsCiphers
       , TLS.supportedCompressions   = [TLS.nullCompression]
-      , TLS.supportedHashSignatures = [
-          -- Safari 8 and go tls have bugs on SHA 512 and SHA 384.
-          -- So, we don't specify them here at this moment.
-          (TLS.HashSHA256, TLS.SignatureRSA)
-        , (TLS.HashSHA224, TLS.SignatureRSA)
-        , (TLS.HashSHA1,   TLS.SignatureRSA)
-        , (TLS.HashSHA1,   TLS.SignatureDSS)
-        ]
       , TLS.supportedSecureRenegotiation = True
       , TLS.supportedClientInitiatedRenegotiation = False
       , TLS.supportedSession             = True
@@ -296,9 +291,6 @@
 alpn :: [S.ByteString] -> IO S.ByteString
 alpn xs
   | "h2"    `elem` xs = return "h2"
-  | "h2-16" `elem` xs = return "h2-16"
-  | "h2-15" `elem` xs = return "h2-15"
-  | "h2-14" `elem` xs = return "h2-14"
   | otherwise         = return "http/1.1"
 
 ----------------------------------------------------------------
diff --git a/warp-tls.cabal b/warp-tls.cabal
--- a/warp-tls.cabal
+++ b/warp-tls.cabal
@@ -1,5 +1,5 @@
 Name:                warp-tls
-Version:             3.2.3
+Version:             3.2.4
 Synopsis:            HTTP over TLS support for Warp via the TLS package
 License:             MIT
 License-file:        LICENSE
@@ -23,10 +23,11 @@
                    , wai                           >= 3.2      && < 3.3
                    , warp                          >= 3.2.10   && < 3.3
                    , data-default-class            >= 0.0.1
-                   , tls                           >= 1.3.5
+                   , tls                           >= 1.3.10
                    , cryptonite                    >= 0.12
                    , network                       >= 2.2.1
                    , streaming-commons
+                   , tls-session-manager
   Exposed-modules:   Network.Wai.Handler.WarpTLS
   ghc-options:       -Wall
 
