diff --git a/cmake/patch_mbedtls.cmake b/cmake/patch_mbedtls.cmake
index e0efea7f..d60c5a8c 100644
--- a/cmake/patch_mbedtls.cmake
+++ b/cmake/patch_mbedtls.cmake
@@ -1,60 +1,5 @@
-# Apply config adjustments similer to Debian's
-# https://anonscm.debian.org/cgit/collab-maint/mbedtls.git/tree/debian/patches/01_config.patch
-
-set(config ${MbedTLS_source}/include/mbedtls/config.h)
-
-file(READ ${config} content)
-
 if (WIN32)
-	# allow alternate threading implementation
-	string(REPLACE
-		"//#define MBEDTLS_THREADING_ALT"
-		"#define MBEDTLS_THREADING_ALT"
-		content "${content}"
-	)
-	# disable the TCP/IP networking routines
-	# such that it wouldn't interfere with the #include <windows.h> in our threading_alt.h
-	string(REPLACE
-		"#define MBEDTLS_NET_C"
-		"//#define MBEDTLS_NET_C"
-		content "${content}"
-	)
-
 	file(COPY ${source}/libs/ssl/threading_alt.h
 		DESTINATION ${MbedTLS_source}/include/mbedtls/
 	)
-else()
-	# enable pthread mutexes
-	string(REPLACE
-		"//#define MBEDTLS_THREADING_PTHREAD"
-		"#define MBEDTLS_THREADING_PTHREAD"
-		content "${content}"
-	)
 endif()
-
-# enable the HAVEGE random generator
-string(REPLACE
-	"//#define MBEDTLS_HAVEGE_C"
-	"#define MBEDTLS_HAVEGE_C"
-	content "${content}"
-)
-# enable support for (rare) MD2-signed X.509 certs
-string(REPLACE
-	"//#define MBEDTLS_MD2_C"
-	"#define MBEDTLS_MD2_C"
-	content "${content}"
-)
-# enable support for (rare) MD4-signed X.509 certs
-string(REPLACE
-	"//#define MBEDTLS_MD4_C"
-	"#define MBEDTLS_MD4_C"
-	content "${content}"
-)
-# allow use of mutexes within mbed TLS
-string(REPLACE
-	"//#define MBEDTLS_THREADING_C"
-	"#define MBEDTLS_THREADING_C"
-	content "${content}"
-)
-
-file(WRITE ${config} "${content}")
diff --git a/libs/ssl/CMakeLists.txt b/libs/ssl/CMakeLists.txt
index 5e09e5ea..6710937e 100644
--- a/libs/ssl/CMakeLists.txt
+++ b/libs/ssl/CMakeLists.txt
@@ -10,6 +10,7 @@ if (STATIC_MBEDTLS)
 		-DENABLE_PROGRAMS=OFF
 		-DENABLE_TESTING=OFF
 		-DUSE_STATIC_MBEDTLS_LIBRARY=ON
+		-DMBEDTLS_USER_CONFIG_FILE=${CMAKE_CURRENT_SOURCE_DIR}/mbedtls_config.h
 	)
 	if (UNIX)
 		list(APPEND MBEDTLS_CMAKE_ARGS
@@ -35,8 +36,8 @@ if (STATIC_MBEDTLS)
 	endif()
 	ExternalProject_Add(MbedTLS
 		${EP_CONFIGS}
-		URL https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v2.28.3.tar.gz
-		URL_HASH SHA256=bdf7c5bbdc338da3edad89b2885d4f8668f9a6fffeba6ec17a60333e36dade6f
+		URL https://github.com/Mbed-TLS/mbedtls/releases/download/v3.6.0/mbedtls-3.6.0.tar.bz2
+		URL_HASH SHA256=3ecf94fcfdaacafb757786a01b7538a61750ebd85c4b024f56ff8ba1490fcd38
 		CMAKE_ARGS ${MBEDTLS_CMAKE_ARGS}
 		PATCH_COMMAND ${CMAKE_COMMAND} -Dsource=${CMAKE_SOURCE_DIR} -DMbedTLS_source=${CMAKE_BINARY_DIR}/libs/src/MbedTLS -P ${CMAKE_SOURCE_DIR}/cmake/patch_mbedtls.cmake
 		INSTALL_COMMAND echo skip install
diff --git a/libs/ssl/mbedtls_config.h b/libs/ssl/mbedtls_config.h
new file mode 100644
index 00000000..cf924b75
--- /dev/null
+++ b/libs/ssl/mbedtls_config.h
@@ -0,0 +1,10 @@
+#ifdef _WIN32
+#define MBEDTLS_THREADING_ALT
+#endif
+#ifndef _WIN32
+#define MBEDTLS_THREADING_PTHREAD
+#endif
+
+#undef MBEDTLS_NET_C
+
+#define MBEDTLS_THREADING_C