diff --git a/cabal.project b/cabal.project
index 924f09c9e..78e1e14d3 100644
--- a/cabal.project
+++ b/cabal.project
@@ -13,7 +13,7 @@ packages: .
    -- coverage: False
    -- library-coverage: False
 
-index-state: 2023-12-12T00:00:00Z
+index-state: 2025-07-01T00:00:00Z
 
 package cryptostore
     flags: +use_crypton
@@ -51,3 +51,11 @@ source-repository-package
     location: https://github.com/simplex-chat/wai.git
     tag: 2f6e5aa5f05ba9140ac99e195ee647b4f7d926b0
     subdir: warp
+
+source-repository-package
+    type: git
+    location: https://github.com/haskell-tls/hs-tls.git
+    tag: 7f060799ea762c5d7ff058d264dae5f0294fac79
+-- passes 7f060799ea762c5d7ff058d264dae5f0294fac79
+-- fails 1927590272ada1e0a32c29ca29ae9cc8d5ed3595
+    subdir: tls
diff --git a/simplexmq.cabal b/simplexmq.cabal
index e4845924a..df9d47ce8 100644
--- a/simplexmq.cabal
+++ b/simplexmq.cabal
@@ -294,7 +294,7 @@ library
     , composition ==1.0.*
     , constraints >=0.12 && <0.14
     , containers ==0.6.*
-    , crypton ==0.34.*
+    , crypton ==1.0.*
     , crypton-x509 ==1.7.*
     , crypton-x509-store ==1.6.*
     , crypton-x509-validation ==1.6.*
@@ -320,7 +320,7 @@ library
     , stm ==2.5.*
     , time ==1.12.*
     , time-manager ==0.0.*
-    , tls >=1.9.0 && <1.10
+    , tls ==2.1.6.*
     , transformers ==0.6.*
     , unliftio ==0.2.*
     , unliftio-core ==0.2.*
diff --git a/src/Simplex/Messaging/Transport.hs b/src/Simplex/Messaging/Transport.hs
index 0b2eb3b75..a95b68280 100644
--- a/src/Simplex/Messaging/Transport.hs
+++ b/src/Simplex/Messaging/Transport.hs
@@ -132,6 +132,7 @@ import GHC.IO.Handle.Internals (ioe_EOF)
 import Network.Socket
 import qualified Network.TLS as T
 import qualified Network.TLS.Extra as TE
+import qualified Network.TLS.Internal as TI
 import qualified Paths_simplexmq as SMQ
 import qualified Simplex.Messaging.Crypto as C
 import Simplex.Messaging.Encoding
@@ -369,7 +370,7 @@ getTLS cfg tlsCertSent tlsPeerCert cxt = withTlsUnique @TLS @p cxt newTLS
 withTlsUnique :: forall c p. TransportPeerI p => T.Context -> (ByteString -> IO (c p)) -> IO (c p)
 withTlsUnique cxt f =
   cxtFinished cxt
-    >>= maybe (closeTLS cxt >> ioe_EOF) f
+    >>= maybe (closeTLS cxt >> ioe_EOF) (\(TI.VerifyData d) -> f d)
   where
     cxtFinished = case sTransportPeer @p of
       STServer -> T.getPeerFinished