diff --git a/ChangeLog.md b/ChangeLog.md
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,8 @@
+## 3.3.2
+
+* Providing the Internal module.
+  [#841](https://github.com/yesodweb/wai/issues/841)
+
 ## 3.3.1
 
 * Move exception handling over to `unliftio` for better async exception support [#845](https://github.com/yesodweb/wai/issues/845)
diff --git a/Network/Wai/Handler/WarpTLS.hs b/Network/Wai/Handler/WarpTLS.hs
--- a/Network/Wai/Handler/WarpTLS.hs
+++ b/Network/Wai/Handler/WarpTLS.hs
@@ -29,6 +29,7 @@
     -- ** From references
     , tlsSettingsRef
     , tlsSettingsChainRef
+    , CertSettings
     -- * Accessors
     , tlsCredentials
     , tlsLogging
@@ -74,123 +75,15 @@
 import Network.Wai (Application)
 import Network.Wai.Handler.Warp
 import Network.Wai.Handler.Warp.Internal
+import Network.Wai.Handler.WarpTLS.Internal(CertSettings(..), TLSSettings(..), OnInsecure(..))
 import System.IO.Error (isEOFError, ioeGetErrorType)
 
-----------------------------------------------------------------
-
--- | Determines where to load the certificate, chain 
--- certificates, and key from.
-data CertSettings 
-  = CertFromFile !FilePath ![FilePath] !FilePath
-  | CertFromMemory !S.ByteString ![S.ByteString] !S.ByteString
-  | CertFromRef !(I.IORef S.ByteString) ![I.IORef S.ByteString] !(I.IORef S.ByteString)
-
 -- | The default 'CertSettings'.
 defaultCertSettings :: CertSettings
 defaultCertSettings = CertFromFile "certificate.pem" [] "key.pem"
 
 ----------------------------------------------------------------
 
--- | Settings for WarpTLS.
-data TLSSettings = TLSSettings {
-    certSettings :: CertSettings
-    -- ^ Where are the certificate, chain certificates, and key
-    -- loaded from?
-    --
-    -- >>> certSettings defaultTlsSettings
-    -- tlsSettings "certificate.pem" "key.pem"
-    -- 
-    -- @since 3.3.0
-  , onInsecure :: OnInsecure
-    -- ^ Do we allow insecure connections with this server as well?
-    --
-    -- >>> onInsecure defaultTlsSettings
-    -- DenyInsecure "This server only accepts secure HTTPS connections."
-    --
-    -- Since 1.4.0
-  , tlsLogging :: TLS.Logging
-    -- ^ The level of logging to turn on.
-    --
-    -- Default: 'TLS.defaultLogging'.
-    --
-    -- Since 1.4.0
-  , tlsAllowedVersions :: [TLS.Version]
-#if MIN_VERSION_tls(1,5,0)
-    -- ^ The TLS versions this server accepts.
-    --
-    -- >>> tlsAllowedVersions defaultTlsSettings
-    -- [TLS13,TLS12,TLS11,TLS10]
-    --
-    -- Since 1.4.2
-#else
-    -- ^ The TLS versions this server accepts.
-    --
-    -- >>> tlsAllowedVersions defaultTlsSettings
-    -- [TLS12,TLS11,TLS10]
-    --
-    -- Since 1.4.2
-#endif
-  , tlsCiphers :: [TLS.Cipher]
-#if MIN_VERSION_tls(1,5,0)
-    -- ^ The TLS ciphers this server accepts.
-    --
-    -- >>> tlsCiphers defaultTlsSettings
-    -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1,AES128GCM-SHA256,AES256GCM-SHA384]
-    --
-    -- Since 1.4.2
-#else
-    -- ^ The TLS ciphers this server accepts.
-    --
-    -- >>> tlsCiphers defaultTlsSettings
-    -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1]
-    --
-    -- Since 1.4.2
-#endif
-  , tlsWantClientCert :: Bool
-    -- ^ Whether or not to demand a certificate from the client.  If this
-    -- is set to True, you must handle received certificates in a server hook
-    -- or all connections will fail.
-    --
-    -- >>> tlsWantClientCert defaultTlsSettings
-    -- False
-    --
-    -- Since 3.0.2
-  , tlsServerHooks :: TLS.ServerHooks
-    -- ^ The server-side hooks called by the tls package, including actions
-    -- to take when a client certificate is received.  See the "Network.TLS"
-    -- module for details.
-    --
-    -- Default: def
-    --
-    -- Since 3.0.2
-  , tlsServerDHEParams :: Maybe DH.Params
-    -- ^ Configuration for ServerDHEParams
-    -- more function lives in `cryptonite` package
-    --
-    -- Default: Nothing
-    --
-    -- Since 3.2.2
-  , tlsSessionManagerConfig :: Maybe SM.Config
-    -- ^ Configuration for in-memory TLS session manager.
-    -- If Nothing, 'TLS.noSessionManager' is used.
-    -- Otherwise, an in-memory TLS session manager is created
-    -- according to 'Config'.
-    --
-    -- Default: Nothing
-    --
-    -- Since 3.2.4
-  , tlsCredentials :: Maybe TLS.Credentials
-    -- ^ Specifying 'TLS.Credentials' directly.  If this value is
-    --   specified, other fields such as 'certFile' are ignored.
-    --
-    --   Since 3.2.12
-  , tlsSessionManager :: Maybe TLS.SessionManager
-    -- ^ Specifying 'TLS.SessionManager' directly. If this value is
-    --   specified, 'tlsSessionManagerConfig' is ignored.
-    --
-    --   Since 3.2.12
-  }
-
 -- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field record name (aka accessors).
 defaultTlsSettings :: TLSSettings
 defaultTlsSettings = TLSSettings {
@@ -214,13 +107,6 @@
 -- taken from stunnel example in tls-extra
 ciphers :: [TLS.Cipher]
 ciphers = TLSExtra.ciphersuite_strong
-
-----------------------------------------------------------------
-
--- | An action when a plain HTTP comes to HTTP over TLS/SSL port.
-data OnInsecure = DenyInsecure L.ByteString
-                | AllowInsecure
-                deriving (Show)
 
 ----------------------------------------------------------------
 
diff --git a/Network/Wai/Handler/WarpTLS/Internal.hs b/Network/Wai/Handler/WarpTLS/Internal.hs
new file mode 100644
--- /dev/null
+++ b/Network/Wai/Handler/WarpTLS/Internal.hs
@@ -0,0 +1,141 @@
+{-# LANGUAGE CPP #-}
+
+module Network.Wai.Handler.WarpTLS.Internal (
+      CertSettings(..)
+    , TLSSettings(..)
+    , OnInsecure(..)
+    -- * Accessors
+    , getCertSettings
+    ) where
+
+import qualified Crypto.PubKey.DH as DH
+import qualified Data.ByteString as S
+import qualified Data.ByteString.Lazy as L
+import qualified Data.IORef as I
+import qualified Network.TLS as TLS
+import qualified Network.TLS.SessionManager as SM
+
+----------------------------------------------------------------
+
+-- | Determines where to load the certificate, chain 
+-- certificates, and key from.
+data CertSettings 
+  = CertFromFile !FilePath ![FilePath] !FilePath
+  | CertFromMemory !S.ByteString ![S.ByteString] !S.ByteString
+  | CertFromRef !(I.IORef S.ByteString) ![I.IORef S.ByteString] !(I.IORef S.ByteString)
+
+----------------------------------------------------------------
+
+-- | An action when a plain HTTP comes to HTTP over TLS/SSL port.
+data OnInsecure = DenyInsecure L.ByteString
+                | AllowInsecure
+                deriving (Show)
+
+----------------------------------------------------------------
+
+-- | Settings for WarpTLS.
+data TLSSettings = TLSSettings {
+    certSettings :: CertSettings
+    -- ^ Where are the certificate, chain certificates, and key
+    -- loaded from?
+    --
+    -- >>> certSettings defaultTlsSettings
+    -- tlsSettings "certificate.pem" "key.pem"
+    -- 
+    -- @since 3.3.0
+  , onInsecure :: OnInsecure
+    -- ^ Do we allow insecure connections with this server as well?
+    --
+    -- >>> onInsecure defaultTlsSettings
+    -- DenyInsecure "This server only accepts secure HTTPS connections."
+    --
+    -- Since 1.4.0
+  , tlsLogging :: TLS.Logging
+    -- ^ The level of logging to turn on.
+    --
+    -- Default: 'TLS.defaultLogging'.
+    --
+    -- Since 1.4.0
+  , tlsAllowedVersions :: [TLS.Version]
+#if MIN_VERSION_tls(1,5,0)
+    -- ^ The TLS versions this server accepts.
+    --
+    -- >>> tlsAllowedVersions defaultTlsSettings
+    -- [TLS13,TLS12,TLS11,TLS10]
+    --
+    -- Since 1.4.2
+#else
+    -- ^ The TLS versions this server accepts.
+    --
+    -- >>> tlsAllowedVersions defaultTlsSettings
+    -- [TLS12,TLS11,TLS10]
+    --
+    -- Since 1.4.2
+#endif
+  , tlsCiphers :: [TLS.Cipher]
+#if MIN_VERSION_tls(1,5,0)
+    -- ^ The TLS ciphers this server accepts.
+    --
+    -- >>> tlsCiphers defaultTlsSettings
+    -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1,AES128GCM-SHA256,AES256GCM-SHA384]
+    --
+    -- Since 1.4.2
+#else
+    -- ^ The TLS ciphers this server accepts.
+    --
+    -- >>> tlsCiphers defaultTlsSettings
+    -- [ECDHE-ECDSA-AES256GCM-SHA384,ECDHE-ECDSA-AES128GCM-SHA256,ECDHE-RSA-AES256GCM-SHA384,ECDHE-RSA-AES128GCM-SHA256,DHE-RSA-AES256GCM-SHA384,DHE-RSA-AES128GCM-SHA256,ECDHE-ECDSA-AES256CBC-SHA384,ECDHE-RSA-AES256CBC-SHA384,DHE-RSA-AES256-SHA256,ECDHE-ECDSA-AES256CBC-SHA,ECDHE-RSA-AES256CBC-SHA,DHE-RSA-AES256-SHA1,RSA-AES256GCM-SHA384,RSA-AES256-SHA256,RSA-AES256-SHA1]
+    --
+    -- Since 1.4.2
+#endif
+  , tlsWantClientCert :: Bool
+    -- ^ Whether or not to demand a certificate from the client.  If this
+    -- is set to True, you must handle received certificates in a server hook
+    -- or all connections will fail.
+    --
+    -- >>> tlsWantClientCert defaultTlsSettings
+    -- False
+    --
+    -- Since 3.0.2
+  , tlsServerHooks :: TLS.ServerHooks
+    -- ^ The server-side hooks called by the tls package, including actions
+    -- to take when a client certificate is received.  See the "Network.TLS"
+    -- module for details.
+    --
+    -- Default: def
+    --
+    -- Since 3.0.2
+  , tlsServerDHEParams :: Maybe DH.Params
+    -- ^ Configuration for ServerDHEParams
+    -- more function lives in `cryptonite` package
+    --
+    -- Default: Nothing
+    --
+    -- Since 3.2.2
+  , tlsSessionManagerConfig :: Maybe SM.Config
+    -- ^ Configuration for in-memory TLS session manager.
+    -- If Nothing, 'TLS.noSessionManager' is used.
+    -- Otherwise, an in-memory TLS session manager is created
+    -- according to 'Config'.
+    --
+    -- Default: Nothing
+    --
+    -- Since 3.2.4
+  , tlsCredentials :: Maybe TLS.Credentials
+    -- ^ Specifying 'TLS.Credentials' directly.  If this value is
+    --   specified, other fields such as 'certFile' are ignored.
+    --
+    --   Since 3.2.12
+  , tlsSessionManager :: Maybe TLS.SessionManager
+    -- ^ Specifying 'TLS.SessionManager' directly. If this value is
+    --   specified, 'tlsSessionManagerConfig' is ignored.
+    --
+    --   Since 3.2.12
+  }
+
+
+-- Since 3.3.1
+-- | Some programs need access to cert settings
+getCertSettings :: TLSSettings -> CertSettings
+getCertSettings tlsSetgs = certSettings tlsSetgs
+
diff --git a/warp-tls.cabal b/warp-tls.cabal
--- a/warp-tls.cabal
+++ b/warp-tls.cabal
@@ -1,5 +1,5 @@
 Name:                warp-tls
-Version:             3.3.1
+Version:             3.3.2
 Synopsis:            HTTP over TLS support for Warp via the TLS package
 License:             MIT
 License-file:        LICENSE
@@ -29,7 +29,7 @@
                    , streaming-commons
                    , tls-session-manager           >= 0.0.4
                    , unliftio
-  Exposed-modules:   Network.Wai.Handler.WarpTLS
+  Exposed-modules:   Network.Wai.Handler.WarpTLS, Network.Wai.Handler.WarpTLS.Internal
   ghc-options:       -Wall
   if os(windows)
       Cpp-Options:   -DWINDOWS
