Just a little update on this. I pinged the author of publicsuffixlist (necessary for proper cookie domain handling) about removing the data-default dependency, and after discussion we decided to just merge the code into http-client instead. With that change, the full dependency list for http-client-openssl is in fact smaller that http-streams:

cabal install --dry-run --package-db=clear --package-db=global http-client-openssl
Resolving dependencies...
In order, the following would be installed (use -v for more details):
base64-bytestring-1.0.0.1
data-default-class-0.0.1
network-2.6.0.2
HsOpenSSL-0.11.1.1
random-1.1
stm-2.4.4
text-1.2.0.4
blaze-builder-0.4.0.1
cookie-0.4.1.5
hashable-1.2.3.2
case-insensitive-1.2.0.4
http-types-0.8.6
mime-types-0.1.0.6
transformers-0.4.3.0
mtl-2.2.1
parsec-3.1.9
network-uri-2.6.0.3
transformers-compat-0.4.0.4
exceptions-0.8.0.2
zlib-0.6.1.0
streaming-commons-0.1.12
http-client-0.4.11.2
http-client-openssl-0.2.0.1

On Tue, Apr 28, 2015 at 11:08 AM Herbert Valerio Riedel <hvriedel@gmail.com> wrote:
On 2015-04-28 at 06:08:38 +0200, Michael Snoyman wrote:

[...]

> I offered Duncan last week that I'd port cabal-install over to
> http-client/http-client-tls to add SSL support. That offer still stands.

I did a quick check trying to find out the additional dependencies
(relative to what 'cabal-install' currently depends on) http-client-tls
would pull in (it seems http-client and tls each roughly account for
half the ~50 deps below):

  async-2.0.2
  base64-bytestring-1.0.0.1
  blaze-builder-0.4.0.1
  byteable-0.1.1
  cereal-0.4.1.1
  clock-0.4.5.0
  cryptohash-0.11.6
  data-default-class-0.0.1
  data-default-instances-base-0.0.1
  data-default-instances-containers-0.0.1
  data-default-instances-old-locale-0.0.1
  dlist-0.7.1.1
  data-default-instances-dlist-0.0.1
  data-default-0.5.3
  cookie-0.4.1.4
  hashable-1.2.3.2
  case-insensitive-1.2.0.4
  hourglass-0.2.9
  asn1-types-0.3.0
  asn1-encoding-0.9.0
  asn1-parse-0.9.0
  crypto-pubkey-types-0.4.3
  http-types-0.8.6
  mime-types-0.1.0.6
  pem-0.2.2
  primitive-0.6
  securemem-0.1.7
  crypto-cipher-types-0.0.9
  cipher-aes-0.2.10
  cipher-des-0.0.6
  cipher-rc4-0.1.4
  socks-0.5.4
  streaming-commons-0.1.12
  transformers-compat-0.4.0.4
  exceptions-0.8.0.2
  utf8-string-1
  publicsuffixlist-0.1
  http-client-0.4.11.1
  vector-0.10.12.3
  crypto-random-0.0.9
  crypto-numbers-0.2.7
  crypto-pubkey-0.2.8
  x509-1.5.0.1
  x509-store-1.5.0
  x509-system-1.5.0
  x509-validation-1.5.1
  tls-1.2.17
  connection-0.2.4
  http-client-tls-0.2.2

In contrast, I was surprised to see, that extending the HTTP package (or
maybe just writing a 'HTTPS'-companion package) to use HsOpenSSL seems
to pull in 'HsOpenSSL' as the only additional package...

For comparision here's what http-streams (which I'm not suggesting right
now, as I think going the 'HTTP'+'HsOpenSSL'-route would be better
currently) would pull in (which could have a few deps less if it didn't
pull in 'aeson'...):

  HsOpenSSL-0.11.1.1
  base64-bytestring-1.0.0.1
  blaze-builder-0.4.0.1
  bytestring-builder-0.10.6.0.0
  dlist-0.7.1.1
  hashable-1.2.3.2
  case-insensitive-1.2.0.4
  primitive-0.6
  scientific-0.3.3.8
  attoparsec-0.12.1.6
  syb-0.4.4
  unordered-containers-0.2.5.1
  http-common-0.8.2.0
  vector-0.10.12.3
  aeson-0.8.0.2
  zlib-bindings-0.1.1.5
  io-streams-1.3.0.0
  openssl-streams-1.2.1.0
  http-streams-0.8.3.1

Cheers,
  hvr