Haskell HTTP(S) libraries don't work well

The main issue here is TLS.

haskell-tls is questionable: there’s no audit, we don’t have sufficient research that explores how vulnerable Haskell GC/RTS is to side-channel attacks, how memory-secure it is, how it plays with laziness, etc. etc.

If you use HsOpenSSL instead, you’ll get into trouble distributing your binary if you link dynamically. If you link statically, you’ll have a security hazard.

The solution is bindings (HsOpenSSL or botan or whatever), but the shipping/distribution issue will remain: dynamic linking causes portability issues, static linking causes security issues. That’s why shelling out to curl is the most portable and easiest solution, in fact.

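An added example, not part of the original post: one way to shell out to curl from Haskell so that TLS is handled by the system's curl binary. The function name `fetchHttps`, the chosen flags and limits, and the placeholder URL are assumptions; it needs the `process` package and a `curl` executable on `PATH`.

```haskell
module Main (main) where

import Data.List (isPrefixOf)
import System.Exit (ExitCode (..))
import System.IO (hPutStrLn, stderr)
import System.Process (readProcessWithExitCode)

-- | Fetch a text resource over HTTPS by running the system curl binary.
-- Hypothetical helper for illustration. The body is decoded with the
-- locale encoding, so this suits text responses, not binary downloads.
fetchHttps :: String -> IO (Either String String)
fetchHttps url
  -- Requiring the scheme prefix also guarantees the argument cannot
  -- start with '-' and be parsed by curl as an option.
  | not ("https://" `isPrefixOf` url) = pure (Left "refusing non-https URL")
  | otherwise = do
      -- readProcessWithExitCode executes curl directly with an argument
      -- list; no shell is involved, so metacharacters are not interpreted.
      (code, out, err) <- readProcessWithExitCode "curl" args ""
      pure $ case code of
        ExitSuccess   -> Right out
        ExitFailure n -> Left ("curl exited with " ++ show n ++ ": " ++ err)
  where
    args =
      [ "-q"                        -- must be first: ignore any curlrc file
      , "--silent", "--show-error"  -- no progress meter, errors on stderr
      , "--fail"                    -- HTTP status >= 400 gives non-zero exit
      , "--proto", "=https"         -- allow only HTTPS for the request
      , "--proto-redir", "=https"   -- and only HTTPS for redirects
      , "--location", "--max-redirs", "5"
      , "--max-time", "30"          -- overall timeout in seconds
      , url
      ]

main :: IO ()
main = do
  -- Placeholder URL; replace with the endpoint you actually need.
  result <- fetchHttps "https://example.com/"
  case result of
    Right body -> putStrLn ("fetched " ++ show (length body) ++ " characters")
    Left msg   -> hPutStrLn stderr msg
```

Certificate verification is left at curl's default (enabled), and the trust store and TLS library are whatever the host's curl was built against.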