diff --git a/package/libs/mbedtls/Config.in b/package/libs/mbedtls/Config.in
index ad0ecb6e61..e80c342636 100644
--- a/package/libs/mbedtls/Config.in
+++ b/package/libs/mbedtls/Config.in
@@ -187,6 +187,43 @@ config MBEDTLS_VERSION_FEATURES
 	bool "MBEDTLS_VERSION_FEATURES"
 	default n
 
+config MBEDTLS_PSA_CRYPTO_CLIENT
+	bool "MBEDTLS_PSA_CRYPTO_CLIENT"
+
+config MBEDTLS_DEPRECATED_WARNING
+	bool "MBEDTLS_DEPRECATED_WARNING"
+	default n
+
+config MBEDTLS_SSL_PROTO_TLS1_2
+	bool "MBEDTLS_SSL_PROTO_TLS1_2"
+	default y
+
+config MBEDTLS_SSL_PROTO_TLS1_3
+	bool "MBEDTLS_SSL_PROTO_TLS1_3"
+	select MBEDTLS_PSA_CRYPTO_CLIENT
+	select MBEDTLS_HKDF_C
+	default y
+
+config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+	bool "MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE"
+	depends on MBEDTLS_SSL_PROTO_TLS1_3
+	default y
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+	bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED"
+	depends on MBEDTLS_SSL_PROTO_TLS1_3
+	default y
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+	bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED"
+	depends on MBEDTLS_SSL_PROTO_TLS1_3
+	default y
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+	bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED"
+	depends on MBEDTLS_SSL_PROTO_TLS1_3
+	default y
+
 comment "Build Options"
 
 config MBEDTLS_ENTROPY_FORCE_SHA256
@@ -195,6 +232,7 @@ config MBEDTLS_ENTROPY_FORCE_SHA256
 
 config MBEDTLS_SSL_RENEGOTIATION
 	bool "MBEDTLS_SSL_RENEGOTIATION"
+	depends on MBEDTLS_SSL_PROTO_TLS1_2
 	default n
 
 endif
diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 459c9924bd..f6713f42f5 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.28.8
+PKG_VERSION:=3.6.0
 PKG_RELEASE:=1
 PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=https://github.com/Mbed-TLS/mbedtls.git
+PKG_SOURCE_VERSION:=2ca6c285a0dd3f33982dd57299012dacab1ff206
+PKG_MIRROR_HASH:=a684012126590b4e0b6ab41e244cc2af0d2bcfc4b6c94bf42fc37d2d08f0553e
 
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=gpl-2.0.txt
@@ -55,7 +56,10 @@ MBEDTLS_BUILD_OPTS_CIPHERS= \
   CONFIG_MBEDTLS_NIST_KW_C \
   CONFIG_MBEDTLS_RIPEMD160_C \
   CONFIG_MBEDTLS_RSA_NO_CRT \
-  CONFIG_MBEDTLS_XTEA_C
+  CONFIG_MBEDTLS_XTEA_C \
+  CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+  CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+  CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 
 MBEDTLS_BUILD_OPTS= \
   $(MBEDTLS_BUILD_OPTS_CURVES) \
@@ -73,7 +77,12 @@ MBEDTLS_BUILD_OPTS= \
   CONFIG_MBEDTLS_THREADING_C \
   CONFIG_MBEDTLS_THREADING_PTHREAD \
   CONFIG_MBEDTLS_VERSION_C \
-  CONFIG_MBEDTLS_VERSION_FEATURES
+  CONFIG_MBEDTLS_VERSION_FEATURES \
+  CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT \
+  CONFIG_MBEDTLS_DEPRECATED_WARNING \
+  CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 \
+  CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 \
+  CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 
 PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS)
 
@@ -96,7 +105,7 @@ $(call Package/mbedtls/Default)
   CATEGORY:=Libraries
   SUBMENU:=SSL
   TITLE+= (library)
-  ABI_VERSION:=13
+  ABI_VERSION:=21
   MENU:=1
 endef
 
@@ -137,7 +146,7 @@ define Build/Prepare
        $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))),
 	 $(foreach opt,$(MBEDTLS_BUILD_OPTS),
 	 $(PKG_BUILD_DIR)/scripts/config.py \
-	 -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \
+	 -f $(PKG_BUILD_DIR)/include/mbedtls/mbedtls_config.h \
 	 $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),)
 endef
 
@@ -150,6 +159,12 @@ define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(CP) \
+		$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedcrypto.pc \
+		$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedtls.pc \
+		$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedx509.pc \
+		$(1)/usr/lib/pkgconfig/
 endef
 
 define Package/libmbedtls/install
diff --git a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
deleted file mode 100644
index 808450c0dd..0000000000
--- a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
+++ /dev/null
@@ -1,197 +0,0 @@
-From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001
-From: Glenn Strauss <gstrauss@gluelogic.com>
-Date: Sun, 23 Oct 2022 19:48:18 -0400
-Subject: [PATCH] x509 crt verify SAN iPAddress
-
-Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
----
- include/mbedtls/x509_crt.h |   2 +-
- library/x509_crt.c         | 126 ++++++++++++++++++++++++++++++-------
- 2 files changed, 103 insertions(+), 25 deletions(-)
-
---- a/include/mbedtls/x509_crt.h
-+++ b/include/mbedtls/x509_crt.h
-@@ -596,7 +596,7 @@ int mbedtls_x509_crt_verify_info(char *b
-  * \param cn       The expected Common Name. This will be checked to be
-  *                 present in the certificate's subjectAltNames extension or,
-  *                 if this extension is absent, as a CN component in its
-- *                 Subject name. Currently only DNS names are supported. This
-+ *                 Subject name. DNS names and IP addresses are supported. This
-  *                 may be \c NULL if the CN need not be verified.
-  * \param flags    The address at which to store the result of the verification.
-  *                 If the verification couldn't be completed, the flag value is
---- a/library/x509_crt.c
-+++ b/library/x509_crt.c
-@@ -45,6 +45,10 @@
- 
- #if defined(MBEDTLS_HAVE_TIME)
- #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-+#define WIN32_LEAN_AND_MEAN
-+#ifndef _WIN32_WINNT
-+#define _WIN32_WINNT 0x0600
-+#endif
- #include <windows.h>
- #else
- #include <time.h>
-@@ -2990,6 +2994,61 @@ find_parent:
-     }
- }
- 
-+#ifdef _WIN32
-+#ifdef _MSC_VER
-+#pragma comment(lib, "ws2_32.lib")
-+#include <winsock2.h>
-+#include <ws2tcpip.h>
-+#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
-+#include <winsock2.h>
-+#include <ws2tcpip.h>
-+#endif
-+#elif defined(__sun)
-+/* Solaris requires -lsocket -lnsl for inet_pton() */
-+#elif defined(__has_include)
-+#if __has_include(<sys/socket.h>)
-+#include <sys/socket.h>
-+#endif
-+#if __has_include(<arpa/inet.h>)
-+#include <arpa/inet.h>
-+#endif
-+#endif
-+
-+/* Use whether or not AF_INET6 is defined to indicate whether or not to use
-+ * the platform inet_pton() or a local implementation (below).  The local
-+ * implementation may be used even in cases where the platform provides
-+ * inet_pton(), e.g. when there are different includes required and/or the
-+ * platform implementation requires dependencies on additional libraries.
-+ * Specifically, Windows requires custom includes and additional link
-+ * dependencies, and Solaris requires additional link dependencies.
-+ * Also, as a coarse heuristic, use the local implementation if the compiler
-+ * does not support __has_include(), or if the definition of AF_INET6 is not
-+ * provided by headers included (or not) via __has_include() above. */
-+#ifndef AF_INET6
-+
-+#define x509_cn_inet_pton(cn, dst) (0)
-+
-+#else
-+
-+static int x509_inet_pton_ipv6(const char *src, void *dst)
-+{
-+    return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
-+}
-+
-+static int x509_inet_pton_ipv4(const char *src, void *dst)
-+{
-+    return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
-+}
-+
-+#endif /* AF_INET6 */
-+
-+static size_t x509_cn_inet_pton(const char *cn, void *dst)
-+{
-+    return strchr(cn, ':') == NULL
-+            ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
-+            : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
-+}
-+
- /*
-  * Check for CN match
-  */
-@@ -3010,24 +3069,51 @@ static int x509_crt_check_cn(const mbedt
-     return -1;
- }
- 
-+static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
-+                                 const char *cn, size_t cn_len)
-+{
-+    uint32_t ip[4];
-+    cn_len = x509_cn_inet_pton(cn, ip);
-+    if (cn_len == 0) {
-+        return -1;
-+    }
-+
-+    for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
-+        const unsigned char san_type = (unsigned char) cur->buf.tag &
-+                                       MBEDTLS_ASN1_TAG_VALUE_MASK;
-+        if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
-+            cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
-+            return 0;
-+        }
-+    }
-+
-+    return -1;
-+}
-+
- /*
-  * Check for SAN match, see RFC 5280 Section 4.2.1.6
-  */
--static int x509_crt_check_san(const mbedtls_x509_buf *name,
-+static int x509_crt_check_san(const mbedtls_x509_sequence *san,
-                               const char *cn, size_t cn_len)
- {
--    const unsigned char san_type = (unsigned char) name->tag &
--                                   MBEDTLS_ASN1_TAG_VALUE_MASK;
--
--    /* dNSName */
--    if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
--        return x509_crt_check_cn(name, cn, cn_len);
-+    int san_ip = 0;
-+    for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
-+        switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
-+            case MBEDTLS_X509_SAN_DNS_NAME:                /* dNSName */
-+                if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
-+                    return 0;
-+                }
-+                break;
-+            case MBEDTLS_X509_SAN_IP_ADDRESS:              /* iPAddress */
-+                san_ip = 1;
-+                break;
-+            /* (We may handle other types here later.) */
-+            default: /* Unrecognized type */
-+                break;
-+        }
-     }
- 
--    /* (We may handle other types here later.) */
--
--    /* Unrecognized type */
--    return -1;
-+    return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
- }
- 
- /*
-@@ -3038,31 +3124,23 @@ static void x509_crt_verify_name(const m
-                                  uint32_t *flags)
- {
-     const mbedtls_x509_name *name;
--    const mbedtls_x509_sequence *cur;
-     size_t cn_len = strlen(cn);
- 
-     if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
--        for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
--            if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
--                break;
--            }
--        }
--
--        if (cur == NULL) {
--            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
-+        if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
-+            return;
-         }
-     } else {
-         for (name = &crt->subject; name != NULL; name = name->next) {
-             if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
-                 x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
--                break;
-+                return;
-             }
-         }
- 
--        if (name == NULL) {
--            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
--        }
-     }
-+
-+    *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
- }
- 
- /*
diff --git a/package/libs/mbedtls/patches/101-remove-test.patch b/package/libs/mbedtls/patches/101-remove-test.patch
index e43f8757d7..5ac5e7c1e8 100644
--- a/package/libs/mbedtls/patches/101-remove-test.patch
+++ b/package/libs/mbedtls/patches/101-remove-test.patch
@@ -1,7 +1,8 @@
 --- a/programs/CMakeLists.txt
 +++ b/programs/CMakeLists.txt
-@@ -1,12 +1,8 @@
+@@ -1,13 +1,9 @@
  add_subdirectory(aes)
+ add_subdirectory(cipher)
 -if (NOT WIN32)
 -    add_subdirectory(fuzz)
 -endif()