diff --git a/.gitmodules b/.gitmodules
index ae336344..5ef4a9b1 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -37,3 +37,6 @@
 [submodule "client/3rd/SortFilterProxyModel"]
 	path = client/3rd/SortFilterProxyModel
 	url = https://github.com/mitchcurtis/SortFilterProxyModel.git
+[submodule "client/3rd/mbedtls"]
+	path = client/3rd/mbedtls
+	url = https://github.com/Mbed-TLS/mbedtls.git
diff --git a/client/3rd/mbedtls b/client/3rd/mbedtls
new file mode 160000
index 00000000..8c892249
--- /dev/null
+++ b/client/3rd/mbedtls
@@ -0,0 +1 @@
+Subproject commit 8c89224991adff88d53cd380f42a2baa36f91454
diff --git a/client/CMakeLists.txt b/client/CMakeLists.txt
index 16da9032..1085d4dc 100644
--- a/client/CMakeLists.txt
+++ b/client/CMakeLists.txt
@@ -483,7 +483,6 @@ if(IOS)
     set_target_properties("networkextension" PROPERTIES XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual)
     set_target_properties("networkextension" PROPERTIES XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "match AppStore org.amnezia.AmneziaVPN.network-extension")
     set_target_properties("networkextension" PROPERTIES XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "match Development org.amnezia.AmneziaVPN.network-extension")
-
 endif()
 
 if(ANDROID)
diff --git a/client/cmake/3rdparty.cmake b/client/cmake/3rdparty.cmake
index d159f8f5..da50978e 100644
--- a/client/cmake/3rdparty.cmake
+++ b/client/cmake/3rdparty.cmake
@@ -1,5 +1,7 @@
 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
 
+set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/Modules;${CMAKE_MODULE_PATH}")
+
 if(NOT IOS AND NOT ANDROID)
    include(${CLIENT_ROOT_DIR}/3rd/SingleApplication/singleapplication.cmake)
 endif()
@@ -21,52 +23,74 @@ set(ZLIB_INCLUDE_DIR "${CLIENT_ROOT_DIR}/3rd/zlib" "${CMAKE_CURRENT_BINARY_DIR}/
 link_directories(${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib)
 link_libraries(${ZLIB_LIBRARY})
 
-if(NOT LINUX)
-    set(OPENSSL_ROOT_DIR "${CMAKE_CURRENT_BINARY_DIR}/3rd/OpenSSL")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include")
-    set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/lib")
-    set(OPENSSL_LIBRARIES "ssl" "crypto")
+if(IOS)
+    add_subdirectory(${CLIENT_ROOT_DIR}/3rd/mbedtls)
+    set(WITH_MBEDTLS ON CACHE BOOL "" FORCE)
+    set(WITH_GCRYPT OFF CACHE BOOL "" FORCE)
+    set(WITH_EXAMPLES OFF CACHE BOOL "" FORCE)
+    set(ENABLE_PROGRAMS OFF CACHE BOOL "" FORCE)
+    set(ENABLE_TESTING OFF CACHE BOOL "" FORCE)
+    set(HAVE_LIBCRYPTO OFF CACHE BOOL "" FORCE)
+    set(MBEDTLS_ROOT_DIR "${CMAKE_CURRENT_BINARY_DIR}/3rd/mbedtls" CACHE PATH "" FORCE)
+    set(MBEDTLS_INCLUDE_DIR "${CLIENT_ROOT_DIR}/3rd/mbedtls/include" CACHE PATH "" FORCE)
+    set(MBEDTLS_LIBRARIES "mbedtls" "mbedx509" "mbedcrypto" CACHE STRING "" FORCE)
+    set(MBEDTLS_FOUND TRUE CACHE BOOL "" FORCE)
+    set(MBEDTLS_CRYPTO_LIBRARY "mbedcrypto" CACHE STRING "" FORCE)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DMBEDTLS_ALLOW_PRIVATE_ACCESS")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DMBEDTLS_ALLOW_PRIVATE_ACCESS")
+    set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
+    set(WITH_STATIC_LIB ON CACHE BOOL "" FORCE)
+    set(WITH_SYMBOL_VERSIONING OFF CACHE BOOL "" FORCE)
 
-    set(OPENSSL_PATH "${CLIENT_ROOT_DIR}/3rd/OpenSSL")
-    if(WIN32)
-        if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
-            set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/windows/x86_64/libssl.lib")
-            set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/windows/x86_64/libcrypto.lib")
-        else()
-            set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/windows/x86/libssl.lib")
-            set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/windows/x86/libcrypto.lib")
+    include_directories(${CLIENT_ROOT_DIR}/3rd/mbedtls/include)
+else(IOS)
+    if(NOT LINUX)
+        set(OPENSSL_ROOT_DIR "${CMAKE_CURRENT_BINARY_DIR}/3rd/OpenSSL")
+        set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include")
+        set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/lib")
+        set(OPENSSL_LIBRARIES "ssl" "crypto")
+
+        set(OPENSSL_PATH "${CLIENT_ROOT_DIR}/3rd/OpenSSL")
+        if(WIN32)
+            if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
+                set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/windows/x86_64/libssl.lib")
+                set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/windows/x86_64/libcrypto.lib")
+            else()
+                set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/windows/x86/libssl.lib")
+                set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/windows/x86/libcrypto.lib")
+            endif()
+        elseif(APPLE AND NOT IOS)
+            set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/macos/x86_64/libssl.a")
+            set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/macos/x86_64/libcrypto.a")
+        elseif(IOS)
+            set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_LIBRARIES_DIR}/libcrypto.a")
+            set(OPENSSL_SSL_LIBRARY "${OPENSSL_LIBRARIES_DIR}/libssl.a")
+            set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/ios/iphone/libssl.a")
+            set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/ios/iphone/libcrypto.a")
+        elseif(ANDROID)
+            set(abi ${CMAKE_ANDROID_ARCH_ABI})
+
+            set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_LIBRARIES_DIR}/android/${abi}/libcrypto.a")
+            set(OPENSSL_SSL_LIBRARY "${OPENSSL_LIBRARIES_DIR}/android/${abi}/libssl.a")
+            set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/android/${abi}/libssl.a")
+            set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/android/${abi}/libcrypto.a")
+
+            set(OPENSSL_LIBRARIES_DIR "${OPENSSL_LIBRARIES_DIR}/android/${abi}")
         endif()
-    elseif(APPLE AND NOT IOS)
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/macos/x86_64/libssl.a")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/macos/x86_64/libcrypto.a")
-    elseif(IOS)
-        set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_LIBRARIES_DIR}/libcrypto.a")
-        set(OPENSSL_SSL_LIBRARY "${OPENSSL_LIBRARIES_DIR}/libssl.a")
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/ios/iphone/libssl.a")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/ios/iphone/libcrypto.a")
-    elseif(ANDROID)
-        set(abi ${CMAKE_ANDROID_ARCH_ABI})
 
-        set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_LIBRARIES_DIR}/android/${abi}/libcrypto.a")
-        set(OPENSSL_SSL_LIBRARY "${OPENSSL_LIBRARIES_DIR}/android/${abi}/libssl.a")
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_PATH}/lib/android/${abi}/libssl.a")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_PATH}/lib/android/${abi}/libcrypto.a")
-
-        set(OPENSSL_LIBRARIES_DIR "${OPENSSL_LIBRARIES_DIR}/android/${abi}")
+        file(COPY ${OPENSSL_LIB_SSL_PATH} ${OPENSSL_LIB_CRYPTO_PATH}
+            DESTINATION ${OPENSSL_LIBRARIES_DIR})
+        file(COPY "${OPENSSL_PATH}/include"
+            DESTINATION ${OPENSSL_ROOT_DIR})
     endif()
 
-    file(COPY ${OPENSSL_LIB_SSL_PATH} ${OPENSSL_LIB_CRYPTO_PATH}
-        DESTINATION ${OPENSSL_LIBRARIES_DIR})
-    file(COPY "${OPENSSL_PATH}/include"
-        DESTINATION ${OPENSSL_ROOT_DIR})
-endif()
-
-set(OPENSSL_USE_STATIC_LIBS TRUE)
-find_package(OpenSSL REQUIRED)
-set(LIBS ${LIBS}
-    OpenSSL::Crypto
-    OpenSSL::SSL
-)
+    set(OPENSSL_USE_STATIC_LIBS TRUE)
+    find_package(OpenSSL REQUIRED)
+    set(LIBS ${LIBS}
+        OpenSSL::Crypto
+        OpenSSL::SSL
+    )
+endif(IOS)
 
 set(WITH_GSSAPI OFF CACHE BOOL "" FORCE)
 set(WITH_EXAMPLES OFF CACHE BOOL "" FORCE)
diff --git a/client/cmake/Modules/FindMbedTLS.cmake b/client/cmake/Modules/FindMbedTLS.cmake
new file mode 100644
index 00000000..e1c58f46
--- /dev/null
+++ b/client/cmake/Modules/FindMbedTLS.cmake
@@ -0,0 +1,25 @@
+
+set(MBEDTLS_ROOT_DIR "${CMAKE_CURRENT_BINARY_DIR}/3rd/mbedtls" CACHE PATH "" FORCE)
+set(MBEDTLS_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/3rd/mbedtls/include" CACHE PATH "" FORCE)
+set(MBEDTLS_LIBRARIES "mbedtls" "mbedx509" "mbedcrypto" CACHE STRING "" FORCE)
+set(MBEDTLS_FOUND TRUE CACHE BOOL "" FORCE)
+set(MBEDTLS_CRYPTO_LIBRARY "mbedcrypto" CACHE STRING "" FORCE)
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DMBEDTLS_ALLOW_PRIVATE_ACCESS -DMBEDTLS_THREADING_C -DMBEDTLS_THREADING_PTHREAD")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DMBEDTLS_ALLOW_PRIVATE_ACCESS -DMBEDTLS_THREADING_C -DMBEDTLS_THREADING_PTHREAD")
+set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
+set(WITH_STATIC_LIB ON CACHE BOOL "" FORCE)
+
+include_directories(${MBEDTLS_INCLUDE_DIR})
+
+# show the MBEDTLS_INCLUDE_DIRS and MBEDTLS_LIBRARIES variables only in the advanced view
+mark_as_advanced(MBEDTLS_INCLUDE_DIR MBEDTLS_LIBRARIES)
+
+install(TARGETS mbedtls mbedx509 mbedcrypto
+        EXPORT mbedtls-config
+        RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
+        LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
+        ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
+        COMPONENT libraries)
+
+install(EXPORT mbedtls-config
+        DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/${PROJECT_NAME})