by wereHamster 4364 days ago
On one side I see the flaws in the existing OpenSSL and other C-based libraries, and when written in languages such as OCaml or Haskell, those just would not happen.

On the other hand, those existing libraries work, which cannot be said of the new ones. At least the Haskell TLS library has logic flaws in it, such that I'm wondering why it works at all. And a lot of Haskell projects use the native tls package instead of the OpenSSL bindings. It is not fun at all having to spend two days debugging something that just works in literally every mainstream language. I hope ocaml-tls doesn't make the same mistake.


The Conduit I/O library that we're building in Mirage/OCaml allows the application to select which SSL transport layer implementation it's linking with. Both Lwt_ssl (which binds to OpenSSL) and OCaml-TLS will be supported when it's released, for exactly this reason. There's a blog post due about this next week.

As to your other complaint that OpenSSL "just works", note that numerous issues have been swept under the rug over the years (see the LibreSSL CVS logs for more pointers). I'd suggest reading this paper about the most dangerous code in the world for more background: http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-b...

So when you're using the Haskell library and running into bugs, think of the time you're spending bugfixing and filing patches as a little social tax that contributes to fixing an important technical issue that threatens the stability of the Internet if it's not comprehensively addressed.