diff --git a/conduit-async.opam b/conduit-async.opam
index 7edd074f..32b10aed 100644
--- a/conduit-async.opam
+++ b/conduit-async.opam
@@ -8,7 +8,7 @@ tags: "org:mirage"
 homepage: "https://github.com/mirage/ocaml-conduit"
 bug-reports: "https://github.com/mirage/ocaml-conduit/issues"
 depends: [
-  "ocaml" {>= "4.08.0"}
+  "ocaml" {>= "4.13.0"}
   "dune" {>= "2.0"}
   "core" {>= "v0.15.0"}
   "uri" {>= "4.0.0"}
diff --git a/conduit-lwt-unix.opam b/conduit-lwt-unix.opam
index 4ecee02b..875439e8 100644
--- a/conduit-lwt-unix.opam
+++ b/conduit-lwt-unix.opam
@@ -8,13 +8,13 @@ tags: "org:mirage"
 homepage: "https://github.com/mirage/ocaml-conduit"
 bug-reports: "https://github.com/mirage/ocaml-conduit/issues"
 depends: [
-  "ocaml" {>= "4.08.0"}
+  "ocaml" {>= "4.13.0"}
   "dune" {>= "2.0"}
   "base-unix"
   "logs"
   "ppx_sexp_conv" {>="v0.13.0"}
   "conduit-lwt" {=version}
-  "lwt" {>= "3.0.0"}
+  "lwt" {>= "5.7.0"}
   "uri" {>= "1.9.4"}
   "ipaddr" {>= "4.0.0"}
   "ipaddr-sexp"
@@ -25,7 +25,7 @@ depends: [
 ]
 depopts: ["tls-lwt" "lwt_ssl" "launchd"]
 conflicts: [
-  "tls-lwt" {< "0.16.0"}
+  "tls-lwt" {< "1.0.0"}
   "ssl" {< "0.5.12"}
 ]
 build: [
diff --git a/conduit-lwt.opam b/conduit-lwt.opam
index fdbd8dad..8141e60c 100644
--- a/conduit-lwt.opam
+++ b/conduit-lwt.opam
@@ -8,13 +8,13 @@ tags: "org:mirage"
 homepage: "https://github.com/mirage/ocaml-conduit"
 bug-reports: "https://github.com/mirage/ocaml-conduit/issues"
 depends: [
-  "ocaml" {>= "4.08.0"}
+  "ocaml" {>= "4.13.0"}
   "dune" {>= "2.0"}
   "base-unix"
   "ppx_sexp_conv" {>="v0.13.0"}
   "sexplib0"
   "conduit" {=version}
-  "lwt" {>= "3.0.0"}
+  "lwt" {>= "5.7.0"}
 ]
 build: [
   ["dune" "subst"] {dev}
diff --git a/conduit-mirage.opam b/conduit-mirage.opam
index e02524fd..03b92126 100644
--- a/conduit-mirage.opam
+++ b/conduit-mirage.opam
@@ -6,7 +6,7 @@ tags: "org:mirage"
 homepage: "https://github.com/mirage/ocaml-conduit"
 bug-reports: "https://github.com/mirage/ocaml-conduit/issues"
 depends: [
-  "ocaml" {>= "4.08.0"}
+  "ocaml" {>= "4.13.0"}
   "dune" {>= "2.0"}
   "ppx_sexp_conv" {>="v0.13.0"}
   "sexplib0"
@@ -15,14 +15,14 @@ depends: [
   "mirage-clock" {>= "3.0.0"}
   "mirage-flow" {>= "4.0.0"}
   "mirage-flow-combinators" {>= "2.0.0"}
-  "mirage-random" {>= "2.0.0"}
+  "mirage-crypto-rng-mirage" {>= "1.0.0"}
   "mirage-time" {>= "2.0.0"}
   "dns-client-mirage" {>= "8.0.0"}
   "conduit-lwt" {=version}
   "vchan" {>= "5.0.0"}
   "xenstore"
-  "tls" {>= "0.11.0"}
-  "tls-mirage" {>= "0.17.4"}
+  "tls" {>= "1.0.0"}
+  "tls-mirage" {>= "1.0.0"}
   "ca-certs-nss"
   "ipaddr" {>= "3.0.0"}
   "ipaddr-sexp"
diff --git a/conduit.opam b/conduit.opam
index 108c17ac..bf827674 100644
--- a/conduit.opam
+++ b/conduit.opam
@@ -9,7 +9,7 @@ homepage: "https://github.com/mirage/ocaml-conduit"
 doc: "https://mirage.github.io/ocaml-conduit/"
 bug-reports: "https://github.com/mirage/ocaml-conduit/issues"
 depends: [
-  "ocaml" {>= "4.08.0"}
+  "ocaml" {>= "4.13.0"}
   "dune" {>= "2.0"}
   "ppx_sexp_conv" {>="v0.13.0"}
   "sexplib0"
diff --git a/src/conduit-lwt-unix/conduit_lwt_tls.real.ml b/src/conduit-lwt-unix/conduit_lwt_tls.real.ml
index fce178c7..eb0be641 100644
--- a/src/conduit-lwt-unix/conduit_lwt_tls.real.ml
+++ b/src/conduit-lwt-unix/conduit_lwt_tls.real.ml
@@ -36,11 +36,13 @@ module Client = struct
         | None -> Lwt.return_unit
         | Some src_sa -> Lwt_unix.bind fd src_sa)
         >>= fun () ->
-        let config = Tls.Config.client ~authenticator ?certificates () in
-        Lwt_unix.connect fd sa >>= fun () ->
-        Tls_lwt.Unix.client_of_fd config ~host fd >|= fun t ->
-        let ic, oc = Tls_lwt.of_t t in
-        (fd, ic, oc))
+        match Tls.Config.client ~authenticator ?certificates () with
+        | Error (`Msg msg) -> failwith ("tls configuration problem: " ^ msg)
+        | Ok config ->
+            Lwt_unix.connect fd sa >>= fun () ->
+            Tls_lwt.Unix.client_of_fd config ~host fd >|= fun t ->
+            let ic, oc = Tls_lwt.of_t t in
+            (fd, ic, oc))
 end
 
 module Server = struct
@@ -59,8 +61,9 @@ module Server = struct
   let init ?backlog ~certfile ~keyfile ?stop ?timeout sa callback =
     X509_lwt.private_of_pems ~cert:certfile ~priv_key:keyfile
     >>= fun certificate ->
-    let config = Tls.Config.server ~certificates:(`Single certificate) () in
-    init' ?backlog ?stop ?timeout config sa callback
+    match Tls.Config.server ~certificates:(`Single certificate) () with
+    | Error (`Msg msg) -> failwith ("tls configuration problem: " ^ msg)
+    | Ok config -> init' ?backlog ?stop ?timeout config sa callback
 end
 
 let available = true
diff --git a/src/conduit-mirage/conduit_mirage.ml b/src/conduit-mirage/conduit_mirage.ml
index f9d636fc..0605c2f5 100644
--- a/src/conduit-mirage/conduit_mirage.ml
+++ b/src/conduit-mirage/conduit_mirage.ml
@@ -177,9 +177,14 @@ let tls_client ~host ~authenticator x =
   let peer_name =
     Result.to_option (Result.bind (Domain_name.of_string host) Domain_name.host)
   in
-  `TLS (Tls.Config.client ?peer_name ~authenticator (), x)
-
-let tls_server ?authenticator x = `TLS (Tls.Config.server ?authenticator (), x)
+  match Tls.Config.client ?peer_name ~authenticator () with
+  | Error (`Msg msg) -> failwith ("tls configuration problem: " ^ msg)
+  | Ok cfg -> `TLS (cfg, x)
+
+let tls_server ?authenticator x =
+  match Tls.Config.server ?authenticator () with
+  | Error (`Msg msg) -> failwith ("tls configuration problem: " ^ msg)
+  | Ok cfg -> `TLS (cfg, x)
 
 module TLS (S : S) = struct
   module TLS = Tls_mirage.Make (S.Flow)
diff --git a/src/conduit-mirage/dune b/src/conduit-mirage/dune
index 8643aef7..d93033b1 100644
--- a/src/conduit-mirage/dune
+++ b/src/conduit-mirage/dune
@@ -5,6 +5,7 @@
   (pps ppx_sexp_conv))
  (modules conduit_mirage resolver_mirage conduit_xenstore)
  (wrapped false)
- (libraries conduit conduit-lwt tcpip mirage-clock mirage-random mirage-time
-   mirage-flow mirage-flow-combinators dns-client-mirage ipaddr-sexp vchan
-   tls tls-mirage xenstore.client uri.services ca-certs-nss fmt))
+ (libraries conduit conduit-lwt tcpip mirage-clock mirage-crypto-rng-mirage
+   mirage-time mirage-flow mirage-flow-combinators dns-client-mirage
+   ipaddr-sexp vchan tls tls-mirage xenstore.client uri.services ca-certs-nss
+   fmt))
diff --git a/src/conduit-mirage/resolver_mirage.ml b/src/conduit-mirage/resolver_mirage.ml
index e80cd910..8c4972b0 100644
--- a/src/conduit-mirage/resolver_mirage.ml
+++ b/src/conduit-mirage/resolver_mirage.ml
@@ -25,7 +25,7 @@ module type S = sig
 end
 
 module Make
-    (R : Mirage_random.S)
+    (R : Mirage_crypto_rng_mirage.S)
     (T : Mirage_time.S)
     (C : Mirage_clock.MCLOCK)
     (P : Mirage_clock.PCLOCK)
diff --git a/src/conduit-mirage/resolver_mirage.mli b/src/conduit-mirage/resolver_mirage.mli
index 070b2c62..0c166820 100644
--- a/src/conduit-mirage/resolver_mirage.mli
+++ b/src/conduit-mirage/resolver_mirage.mli
@@ -31,7 +31,7 @@ end
 
 (** Provides a DNS-enabled {!Resolver_lwt} given a network stack. *)
 module Make
-    (R : Mirage_random.S)
+    (R : Mirage_crypto_rng_mirage.S)
     (T : Mirage_time.S)
     (C : Mirage_clock.MCLOCK)
     (P : Mirage_clock.PCLOCK)