From c8ca5e14650a77446a6577eb356ddd09c3928bac Mon Sep 17 00:00:00 2001
From: Ben Millwood <thebenmachine+git@gmail.com>
Date: Tue, 17 Jun 2025 16:39:07 +0100
Subject: [PATCH] Fix TLS connection to package.elm-lang.org

It seems like the server hosting https://package.elm-lang.org has an old
enough SSL library that it doesn't support EMS. Reconfigure the https
client so that it will still connect in this case.
---
 builder/src/Http.hs | 21 +++++++++++++++++++--
 elm.cabal           |  3 +++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/builder/src/Http.hs b/builder/src/Http.hs
index 6105263fa..fd8b87bba 100644
--- a/builder/src/Http.hs
+++ b/builder/src/Http.hs
@@ -29,15 +29,19 @@ import qualified Data.Binary as Binary
 import qualified Data.Binary.Get as Binary
 import qualified Data.ByteString.Builder as B
 import qualified Data.ByteString.Char8 as BS
+import Data.Default (def)
 import qualified Data.Digest.Pure.SHA as SHA
 import qualified Data.String as String
+import qualified Network.Connection as NC
 import Network.HTTP (urlEncodeVars)
 import Network.HTTP.Client
-import Network.HTTP.Client.TLS (tlsManagerSettings)
+import Network.HTTP.Client.TLS (mkManagerSettings)
 import Network.HTTP.Types.Header (Header, hAccept, hAcceptEncoding, hUserAgent)
 import Network.HTTP.Types.Method (Method, methodGet, methodPost)
 import qualified Network.HTTP.Client as Multi (RequestBody(RequestBodyLBS))
 import qualified Network.HTTP.Client.MultipartFormData as Multi
+import qualified Network.TLS as TLS
+import Network.TLS.Extra.Cipher (ciphersuite_default)
 
 import qualified Json.Encode as Encode
 import qualified Elm.Version as V
@@ -49,7 +53,20 @@ import qualified Elm.Version as V
 
 getManager :: IO Manager
 getManager =
-  newManager tlsManagerSettings
+  newManager (mkManagerSettings dontRequireEMS Nothing)
+  where
+    -- See https://github.com/NixOS/nixpkgs/pull/414495
+    dontRequireEMS =
+      NC.TLSSettingsSimple
+        { NC.settingDisableCertificateValidation = False
+        , NC.settingDisableSession = False
+        , NC.settingUseServerName = False
+        , NC.settingClientSupported =
+            def
+              { TLS.supportedCiphers = ciphersuite_default
+              , TLS.supportedExtendedMainSecret = TLS.AllowEMS
+              }
+        }
 
 
 
diff --git a/elm.cabal b/elm.cabal
index 144fada90..0bd1eb5dc 100644
--- a/elm.cabal
+++ b/elm.cabal
@@ -206,6 +206,8 @@ Executable elm
         binary,
         bytestring,
         containers,
+        crypton-connection,
+        data-default,
         directory,
         edit-distance,
         file-embed,
@@ -229,6 +231,7 @@ Executable elm
         snap-server,
         template-haskell,
         time,
+        tls,
         unordered-containers,
         utf8-string,
         vector,