diff --git a/pkgs/applications/emulators/dolphin-emu/default.nix b/pkgs/applications/emulators/dolphin-emu/default.nix
index b27937a6b838..ad9c470bf427 100644
--- a/pkgs/applications/emulators/dolphin-emu/default.nix
+++ b/pkgs/applications/emulators/dolphin-emu/default.nix
@@ -24,7 +24,7 @@
 , wxGTK30
 , soundtouch
 , miniupnpc
-, mbedtls
+, mbedtls_2
 , curl
 , lzo
 , sfml
@@ -104,7 +104,7 @@ stdenv.mkDerivation rec {
     wxGTK30
     soundtouch
     miniupnpc
-    mbedtls
+    mbedtls_2
     curl
     lzo
     sfml
diff --git a/pkgs/applications/emulators/dolphin-emu/master.nix b/pkgs/applications/emulators/dolphin-emu/master.nix
index eee0213ea12b..17a3049ea4f0 100644
--- a/pkgs/applications/emulators/dolphin-emu/master.nix
+++ b/pkgs/applications/emulators/dolphin-emu/master.nix
@@ -20,7 +20,7 @@
 , alsa-lib
 , miniupnpc
 , enet
-, mbedtls
+, mbedtls_2
 , soundtouch
 , sfml
 , xz
@@ -90,7 +90,7 @@ stdenv.mkDerivation rec {
     hidapi
     miniupnpc
     enet
-    mbedtls
+    mbedtls_2
     soundtouch
     sfml
     xz
diff --git a/pkgs/applications/emulators/dolphin-emu/primehack.nix b/pkgs/applications/emulators/dolphin-emu/primehack.nix
index 93ed03097be9..73a4485af260 100644
--- a/pkgs/applications/emulators/dolphin-emu/primehack.nix
+++ b/pkgs/applications/emulators/dolphin-emu/primehack.nix
@@ -29,7 +29,7 @@
 , alsa-lib
 , miniupnpc
 , enet
-, mbedtls
+, mbedtls_2
 , soundtouch
 , sfml
 , fmt
@@ -87,7 +87,7 @@ stdenv.mkDerivation rec {
     hidapi
     miniupnpc
     enet
-    mbedtls
+    mbedtls_2
     soundtouch
     sfml
     fmt
diff --git a/pkgs/applications/misc/lutris/fhsenv.nix b/pkgs/applications/misc/lutris/fhsenv.nix
index 5c39576ac6f3..075755bf217d 100644
--- a/pkgs/applications/misc/lutris/fhsenv.nix
+++ b/pkgs/applications/misc/lutris/fhsenv.nix
@@ -30,7 +30,7 @@ in buildFHSUserEnv {
     # DGen // TODO: libarchive is broken
 
     # Dolphin
-    bluez ffmpeg gettext portaudio wxGTK30 miniupnpc mbedtls lzo sfml gsm
+    bluez ffmpeg gettext portaudio wxGTK30 miniupnpc mbedtls_2 lzo sfml gsm
     wavpack orc nettle gmp pcre vulkan-loader
 
     # DOSBox
diff --git a/pkgs/applications/misc/openrgb/default.nix b/pkgs/applications/misc/openrgb/default.nix
index 6de5736e9ac8..ab8415a18823 100644
--- a/pkgs/applications/misc/openrgb/default.nix
+++ b/pkgs/applications/misc/openrgb/default.nix
@@ -1,4 +1,4 @@
-{ lib, mkDerivation, fetchFromGitLab, qmake, libusb1, hidapi, pkg-config, coreutils, mbedtls }:
+{ lib, mkDerivation, fetchFromGitLab, qmake, libusb1, hidapi, pkg-config, coreutils, mbedtls_2 }:
 
 mkDerivation rec {
   pname = "openrgb";
@@ -12,7 +12,7 @@ mkDerivation rec {
   };
 
   nativeBuildInputs = [ qmake pkg-config ];
-  buildInputs = [ libusb1 hidapi mbedtls ];
+  buildInputs = [ libusb1 hidapi mbedtls_2 ];
 
   installPhase = ''
     runHook preInstall
diff --git a/pkgs/applications/networking/browsers/dillo/default.nix b/pkgs/applications/networking/browsers/dillo/default.nix
index 9c409c29818c..aff0042ded30 100644
--- a/pkgs/applications/networking/browsers/dillo/default.nix
+++ b/pkgs/applications/networking/browsers/dillo/default.nix
@@ -8,7 +8,7 @@
 , libXinerama
 , libjpeg
 , libpng
-, mbedtls
+, mbedtls_2
 , openssl
 , perl
 , pkg-config
@@ -38,7 +38,7 @@ stdenv.mkDerivation {
     libXinerama
     libjpeg
     libpng
-    mbedtls
+    mbedtls_2
     openssl
     perl
   ];
diff --git a/pkgs/applications/networking/browsers/dillong/default.nix b/pkgs/applications/networking/browsers/dillong/default.nix
index 2d12134caadd..7fc7cc07121d 100644
--- a/pkgs/applications/networking/browsers/dillong/default.nix
+++ b/pkgs/applications/networking/browsers/dillong/default.nix
@@ -5,7 +5,7 @@
 , pkg-config
 , which
 , fltk
-, mbedtls
+, mbedtls_2
 }:
 
 stdenv.mkDerivation {
@@ -27,7 +27,7 @@ stdenv.mkDerivation {
 
   buildInputs = [
     fltk
-    mbedtls
+    mbedtls_2
   ];
 
   # The start_page and home settings refer to /usr.
diff --git a/pkgs/development/compilers/haxe/default.nix b/pkgs/development/compilers/haxe/default.nix
index 7a6c019c16da..58370c1a15a2 100644
--- a/pkgs/development/compilers/haxe/default.nix
+++ b/pkgs/development/compilers/haxe/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, coreutils, ocaml-ng, zlib, pcre, neko, mbedtls, Security }:
+{ lib, stdenv, fetchFromGitHub, coreutils, ocaml-ng, zlib, pcre, neko, mbedtls_2, Security }:
 
 let
   ocamlDependencies = version:
@@ -42,7 +42,7 @@ let
       inherit version;
 
       buildInputs = [ zlib pcre neko ]
-        ++ lib.optional (lib.versionAtLeast version "4.1") mbedtls
+        ++ lib.optional (lib.versionAtLeast version "4.1") mbedtls_2
         ++ lib.optional (lib.versionAtLeast version "4.1" && stdenv.isDarwin) Security
         ++ ocamlDependencies version;
 
diff --git a/pkgs/development/compilers/julia/1.8.nix b/pkgs/development/compilers/julia/1.8.nix
index 1c614103bdec..f975b39773d5 100644
--- a/pkgs/development/compilers/julia/1.8.nix
+++ b/pkgs/development/compilers/julia/1.8.nix
@@ -15,7 +15,7 @@
 , libgit2
 , curl
 , nghttp2
-, mbedtls
+, mbedtls_2
 , libssh2
 , gmp
 , mpfr
@@ -80,7 +80,7 @@ stdenv.mkDerivation rec {
     libgit2
     curl
     nghttp2
-    mbedtls
+    mbedtls_2
     libssh2
     gmp
     mpfr
diff --git a/pkgs/development/compilers/neko/default.nix b/pkgs/development/compilers/neko/default.nix
index 96bf06e41ea0..40e39d411d69 100644
--- a/pkgs/development/compilers/neko/default.nix
+++ b/pkgs/development/compilers/neko/default.nix
@@ -1,5 +1,5 @@
 { lib, stdenv, fetchFromGitHub, fetchpatch, boehmgc, zlib, sqlite, pcre, cmake, pkg-config
-, git, apacheHttpd, apr, aprutil, libmysqlclient, mbedtls, openssl, pkgs, gtk2, libpthreadstubs
+, git, apacheHttpd, apr, aprutil, libmysqlclient, mbedtls_2, openssl, pkgs, gtk2, libpthreadstubs
 }:
 
 stdenv.mkDerivation rec {
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ cmake pkg-config git ];
   buildInputs =
     [ boehmgc zlib sqlite pcre apacheHttpd apr aprutil
-      libmysqlclient mbedtls openssl libpthreadstubs ]
+      libmysqlclient mbedtls_2 openssl libpthreadstubs ]
       ++ lib.optional stdenv.isLinux gtk2
       ++ lib.optionals stdenv.isDarwin [ pkgs.darwin.apple_sdk.frameworks.Security
                                                 pkgs.darwin.apple_sdk.frameworks.Carbon];
diff --git a/pkgs/development/interpreters/hashlink/default.nix b/pkgs/development/interpreters/hashlink/default.nix
index 1af48cba55ab..e24742ac136e 100644
--- a/pkgs/development/interpreters/hashlink/default.nix
+++ b/pkgs/development/interpreters/hashlink/default.nix
@@ -7,7 +7,7 @@
 , libjpeg_turbo
 , libuv
 , libvorbis
-, mbedtls
+, mbedtls_2
 , openal
 , pcre
 , SDL2
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
     libpng
     libuv
     libvorbis
-    mbedtls
+    mbedtls_2
     openal
     pcre
     SDL2
diff --git a/pkgs/development/libraries/bctoolbox/default.nix b/pkgs/development/libraries/bctoolbox/default.nix
index 6c1c2cdefb9c..2bc457cac18e 100644
--- a/pkgs/development/libraries/bctoolbox/default.nix
+++ b/pkgs/development/libraries/bctoolbox/default.nix
@@ -2,7 +2,7 @@
 , cmake
 , bc-decaf
 , fetchFromGitLab
-, mbedtls
+, mbedtls_2
 , lib
 , stdenv
 }:
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
     # Vendored by BC
     bc-decaf
 
-    mbedtls
+    mbedtls_2
   ];
 
   src = fetchFromGitLab {
diff --git a/pkgs/development/libraries/belle-sip/default.nix b/pkgs/development/libraries/belle-sip/default.nix
index 22817feadeda..187264caed19 100644
--- a/pkgs/development/libraries/belle-sip/default.nix
+++ b/pkgs/development/libraries/belle-sip/default.nix
@@ -4,7 +4,7 @@
 , fetchFromGitLab
 , lib
 , libantlr3c
-, mbedtls
+, mbedtls_2
 , stdenv
 , zlib
 }:
@@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
     "-Wno-error=stringop-overflow"
   ];
 
-  propagatedBuildInputs = [ libantlr3c mbedtls bctoolbox belr ];
+  propagatedBuildInputs = [ libantlr3c mbedtls_2 bctoolbox belr ];
 
   meta = with lib; {
     homepage = "https://linphone.org/technical-corner/belle-sip";
diff --git a/pkgs/development/libraries/mbedtls/2.nix b/pkgs/development/libraries/mbedtls/2.nix
new file mode 100644
index 000000000000..ba1f520b08cf
--- /dev/null
+++ b/pkgs/development/libraries/mbedtls/2.nix
@@ -0,0 +1,6 @@
+{ callPackage }:
+
+callPackage ./generic.nix {
+  version = "2.28.1";
+  hash = "sha256-brbZB3fINDeVWXf50ct4bxYkoBVyD6bBBijZyFQSnyw=";
+}
diff --git a/pkgs/development/libraries/mbedtls/3.nix b/pkgs/development/libraries/mbedtls/3.nix
new file mode 100644
index 000000000000..d6f53feb086b
--- /dev/null
+++ b/pkgs/development/libraries/mbedtls/3.nix
@@ -0,0 +1,6 @@
+{ callPackage }:
+
+callPackage ./generic.nix {
+  version = "3.2.1";
+  hash = "sha256-+M36NvFe4gw2PRbld/2JV3yBGrqK6soWcmrSEkUNcrc=";
+}
diff --git a/pkgs/development/libraries/mbedtls/default.nix b/pkgs/development/libraries/mbedtls/generic.nix
similarity index 68%
rename from pkgs/development/libraries/mbedtls/default.nix
rename to pkgs/development/libraries/mbedtls/generic.nix
index 2bd924d870c7..bb87c6dbc8ad 100644
--- a/pkgs/development/libraries/mbedtls/default.nix
+++ b/pkgs/development/libraries/mbedtls/generic.nix
@@ -1,4 +1,7 @@
-{ lib, stdenv
+{ lib
+, stdenv
+, version
+, hash
 , fetchFromGitHub
 
 , cmake
@@ -11,17 +14,13 @@
 
 stdenv.mkDerivation rec {
   pname = "mbedtls";
-  # Auto updates are disabled due to repology listing dev releases as release
-  # versions. See
-  #  * https://github.com/NixOS/nixpkgs/pull/119838#issuecomment-822100428
-  #  * https://github.com/NixOS/nixpkgs/commit/0ee02a9d42b5fe1825b0f7cee7a9986bb4ba975d
-  version = "2.28.1"; # nixpkgs-update: no auto update
+  inherit version;
 
   src = fetchFromGitHub {
-    owner = "ARMmbed";
+    owner = "Mbed-TLS";
     repo = "mbedtls";
     rev = "${pname}-${version}";
-    sha256 = "sha256-brbZB3fINDeVWXf50ct4bxYkoBVyD6bBBijZyFQSnyw=";
+    inherit hash;
   };
 
   nativeBuildInputs = [ cmake ninja perl python3 ];
@@ -40,10 +39,11 @@ stdenv.mkDerivation rec {
   ];
 
   meta = with lib; {
-    homepage = "https://tls.mbed.org/";
+    homepage = "https://www.trustedfirmware.org/projects/mbed-tls/";
+    changelog = "https://github.com/Mbed-TLS/mbedtls/blob/${pname}-${version}/ChangeLog";
     description = "Portable cryptographic and TLS library, formerly known as PolarSSL";
     license = licenses.asl20;
     platforms = platforms.all;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ raphaelr ];
   };
 }
diff --git a/pkgs/development/libraries/yojimbo/default.nix b/pkgs/development/libraries/yojimbo/default.nix
index b72820c77a68..d8c29e56aaab 100644
--- a/pkgs/development/libraries/yojimbo/default.nix
+++ b/pkgs/development/libraries/yojimbo/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, premake5, doxygen, libsodium, mbedtls }:
+{ lib, stdenv, fetchFromGitHub, premake5, doxygen, libsodium, mbedtls_2 }:
 
 stdenv.mkDerivation {
   pname = "yojimbo";
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
   };
 
   nativeBuildInputs = [ premake5 doxygen ];
-  propagatedBuildInputs = [ libsodium mbedtls ];
+  propagatedBuildInputs = [ libsodium mbedtls_2 ];
 
   postBuild = ''
     premake5 docs
diff --git a/pkgs/servers/http/hiawatha/default.nix b/pkgs/servers/http/hiawatha/default.nix
index 2ab0b12c483f..d92d5d51a4f8 100644
--- a/pkgs/servers/http/hiawatha/default.nix
+++ b/pkgs/servers/http/hiawatha/default.nix
@@ -3,7 +3,7 @@
 
 , cmake
 , ninja
-, mbedtls
+, mbedtls_2
 , libxcrypt
 
 , enableCache     ? true     # Internal cache support.
@@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
   };
 
   nativeBuildInputs = [ cmake ninja ];
-  buildInputs = [ mbedtls libxcrypt ] ++ lib.optionals enableXslt [ libxslt libxml2 ];
+  buildInputs = [ mbedtls_2 libxcrypt ] ++ lib.optionals enableXslt [ libxslt libxml2 ];
 
   prePatch = ''
     substituteInPlace CMakeLists.txt --replace SETUID ""
diff --git a/pkgs/tools/filesystems/dislocker/default.nix b/pkgs/tools/filesystems/dislocker/default.nix
index 10559985f867..396f8142ba93 100644
--- a/pkgs/tools/filesystems/dislocker/default.nix
+++ b/pkgs/tools/filesystems/dislocker/default.nix
@@ -3,7 +3,7 @@
 , fetchpatch
 , cmake
 , pkg-config
-, mbedtls
+, mbedtls_2
 , fuse
 }:
 
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
   ];
 
   nativeBuildInputs = [ cmake pkg-config ];
-  buildInputs = [ fuse mbedtls ];
+  buildInputs = [ fuse mbedtls_2 ];
 
   meta = with lib; {
     description = "Read BitLocker encrypted partitions in Linux";
diff --git a/pkgs/tools/networking/shadowsocks-libev/default.nix b/pkgs/tools/networking/shadowsocks-libev/default.nix
index 6018e77e5e43..4b268213c94c 100644
--- a/pkgs/tools/networking/shadowsocks-libev/default.nix
+++ b/pkgs/tools/networking/shadowsocks-libev/default.nix
@@ -1,5 +1,5 @@
 { lib, stdenv, fetchFromGitHub, cmake
-, libsodium, mbedtls, libev, c-ares, pcre
+, libsodium, mbedtls_2, libev, c-ares, pcre
 , asciidoc, xmlto, docbook_xml_dtd_45, docbook_xsl, libxslt
 }:
 
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     fetchSubmodules = true;
   };
 
-  buildInputs = [ libsodium mbedtls libev c-ares pcre ];
+  buildInputs = [ libsodium mbedtls_2 libev c-ares pcre ];
   nativeBuildInputs = [ cmake asciidoc xmlto docbook_xml_dtd_45
                         docbook_xsl libxslt ];
 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a5b66dd4bc25..9956e9af4ee1 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21487,7 +21487,8 @@ with pkgs;
 
   maxflow = callPackage ../development/libraries/maxflow { };
 
-  mbedtls = callPackage ../development/libraries/mbedtls { };
+  mbedtls_2 = callPackage ../development/libraries/mbedtls/2.nix { };
+  mbedtls = callPackage ../development/libraries/mbedtls/3.nix { };
 
   mdctags = callPackage ../development/tools/misc/mdctags { };