Thanks to Moritz Agerman for sharing his code. Here is the complete Haskell module that can use the crt.pem and key.pem to provide a client-side certificate upon server request:
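{-# LANGUAGE OverloadedStrings #-}

-- | HTTP client managers that present a client-side X.509 certificate when
-- the server requests one during the TLS handshake.
--
-- SECURITY: 'mkMngr' replaces the 'onServerCertificate' hook with one that
-- never reports a validation failure, so the server's certificate chain is
-- NOT verified. The client certificate authenticates this client to the
-- server, but nothing authenticates the server to the client. See the
-- comments in 'mkMngr' before using this outside a test setup.
module TLS where

import Data.Default
import Network.Connection
import Network.HTTP.Client
import Network.HTTP.Client.TLS
import Network.TLS
import Network.TLS.Extra.Cipher
import Servant.Client

-- | Build a 'Manager' for the given URL scheme.
--
-- For 'Https' the manager offers the certificate and key stored in
-- @crt.pem@ and @key.pem@; both are relative paths, so they are resolved
-- against the process's current working directory. For 'Http' a plain
-- manager with the default settings is returned and the host name is unused.
makeClientManager :: String -> Scheme -> IO Manager
makeClientManager hostname Https = mkMngr hostname "crt.pem" "key.pem"
makeClientManager _ Http = newManager defaultManagerSettings

-- | Build a TLS 'Manager' that answers a server's certificate request with
-- the credential loaded from @crtFile@ (certificate) and @keyFile@ (key).
--
-- Calls 'error' with the loader's message if the credential cannot be
-- loaded. The failure is raised here, while the manager is being built,
-- rather than being left in an unevaluated thunk that would only surface
-- in the middle of a handshake (or never, if no server asks for a
-- certificate).
mkMngr :: String -> FilePath -> FilePath -> IO Manager
mkMngr hostName crtFile keyFile = do
  -- Binding with (=<<) runs the 'error' branch as an IO action, so a bad
  -- certificate or key file fails immediately.
  creds <- either error (return . Just) =<< credentialLoadX509 crtFile keyFile
  let hooks = def
        { onCertificateRequest = \_ -> return creds
          -- SECURITY: the hook's result is the list of validation failures;
          -- a constant [] means "no failures" for every chain, so any
          -- certificate the server presents is accepted and the connection
          -- can be intercepted by whoever answers on the network path.
          -- To restore verification, delete this field so the library's
          -- default validation runs, and give the client parameters a CA
          -- store to validate against (the 'sharedCAStore' field of
          -- 'clientShared'); 'defaultParamsClient' does not load one, so
          -- removing the override alone would reject every server.
        , onServerCertificate = \_ _ _ _ -> return []
        }
      clientParams = (defaultParamsClient hostName "")
        { clientHooks = hooks
          -- NOTE(review): 'ciphersuite_all' also offers the library's
          -- not-recommended, last-resort suites. Prefer
          -- 'ciphersuite_default' or 'ciphersuite_strong' unless a legacy
          -- server forces the wider list.
        , clientSupported = def { supportedCiphers = ciphersuite_all }
        }
      tlsSettings = TLSSettings clientParams
  newManager $ mkManagerSettings tlsSettings Nothing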
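I was not sure whether this bypasses server certificate verification, since the onServerCertificate hook is a constant []. It does: the hook returns the list of validation failures, so a constant [] reports no failures and any certificate the server presents is accepted. Remove that override and supply a CA store if the server's identity needs to be verified.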