diff --git a/srcpkgs/retroarch/patches/mbedtls3.patch b/srcpkgs/retroarch/patches/mbedtls3.patch
new file mode 100644
index 00000000000..17d4b75fed9
--- /dev/null
+++ b/srcpkgs/retroarch/patches/mbedtls3.patch
@@ -0,0 +1,76 @@
+From 4683e83d9a51c0229fff23400a6a19542aa523b7 Mon Sep 17 00:00:00 2001
+From: Keith Bowes
+Date: Thu, 18 Jul 2024 09:25:29 -0400
+Subject: [PATCH] Add support for mbedtls v3 (#16763)
+
+v2 is not going to receive security fixes after 2024
+
+Fixes #16672
+---
+ Makefile.common | 3 ++-
+ libretro-common/net/net_socket_ssl_mbed.c | 5 +++++
+ qb/config.libs.sh | 19 +++++++++----------
+ 3 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/Makefile.common b/Makefile.common
+index a550c791462..ee4fa1c4ccc 100644
+--- a/Makefile.common
++++ b/Makefile.common
+@@ -753,7 +753,8 @@ else ifeq ($(HAVE_BUILTINMBEDTLS), 1)
+ OBJ += $(OBJS_TLS_CRYPTO) $(OBJS_TLS_X509) $(OBJS_TLS)
+ else ifeq ($(HAVE_SSL), 1)
+ DEFINES += -DHAVE_SSL
+- LIBS += $(SYSTEMMBEDTLS_LIBS)
++ LIBS += $(SYSTEMMBEDTLS_LIBS) $(SYSTEMMBEDX509_LIBS) $(SYSTEMMBEDCRYPTO_LIBS)
++ DEF_FLAGS += $(SYSTEMMBEDTLS_CFLAGS) $(SYSTEMMBEDX509_CFLAGS) $(SYSTEMMBEDCRYPTO_CFLAGS)
+ endif
+
+ # Miscellaneous
+diff --git a/libretro-common/net/net_socket_ssl_mbed.c b/libretro-common/net/net_socket_ssl_mbed.c
+index a0a524f3559..69c2239002e 100644
+--- a/libretro-common/net/net_socket_ssl_mbed.c
++++ b/libretro-common/net/net_socket_ssl_mbed.c
+@@ -35,8 +35,13 @@
+ #include "../../deps/mbedtls/mbedtls/ctr_drbg.h"
+ #include "../../deps/mbedtls/mbedtls/entropy.h"
+ #else
++#include
++#if MBEDTLS_VERSION_MAJOR < 3
+ #include
+ #include
++#else
++#include
++#endif
+ #include
+ #include
+ #include
+diff --git a/qb/config.libs.sh b/qb/config.libs.sh
+index 1c845375186..06ca062f0cc 100644
+--- a/qb/config.libs.sh
++++ b/qb/config.libs.sh
+@@ -316,16 +316,15 @@ check_enabled SSL BUILTINMBEDTLS 'builtin mbedtls' 'ssl is' false
+ check_enabled SSL BUILTINBEARSSL 'builtin bearssl' 'ssl is' false
+
+ if [ "$HAVE_SYSTEMMBEDTLS" = "auto" ]; then SYSTEMMBEDTLS_IS_AUTO=yes; else SYSTEMMBEDTLS_IS_AUTO=no; fi
+-check_lib '' SYSTEMMBEDTLS '-lmbedtls -lmbedx509 -lmbedcrypto'
+-check_header '' SYSTEMMBEDTLS \
+-
 mbedtls/config.h \
+- mbedtls/certs.h \
+- mbedtls/debug.h \
+- mbedtls/platform.h \
+- mbedtls/net_sockets.h \
+- mbedtls/ssl.h \
+- mbedtls/ctr_drbg.h \
+- mbedtls/entropy.h
++check_val '' SYSTEMMBEDTLS '-lmbedtls' 'mbedtls' mbedtls 2.5.1 '' true
++check_val '' SYSTEMMBEDX509 '-lmbedx509' 'mbedtls' mbedx509 2.5.1 '' true
++check_val '' SYSTEMMBEDCRYPTO '-lmbedcrypto' 'mbedtls' mbedcrypto 2.5.1 '' true
++if [ "$HAVE_SYSTEMMBEDTLS" = 'yes' ] && [ -z "$SYSTEMMBEDTLS_VERSION" ]; then
++ # Ancient versions (such as the one included in the Ubuntu version used for
++ # build checks) don't have this header
++ check_header '' SYSTEMMBEDTLS mbedtls/net_sockets.h
++fi
++if [ "$HAVE_SYSTEMMBEDX509" = 'no' ] || [ "$HAVE_SYSTEMMBEDCRYPTO" = 'no' ]; then HAVE_SYSTEMMBEDTLS=no; fi
+ if [ "$SYSTEMMBEDTLS_IS_AUTO" = "yes" ] && [ "$HAVE_SYSTEMMBEDTLS" = "yes" ]; then HAVE_SYSTEMMBEDTLS=auto; fi
+
+ SSL_BACKEND_CHOSEN=no
diff --git a/srcpkgs/retroarch/template b/srcpkgs/retroarch/template
index 072d719ce28..7292681e4e3 100644
--- a/srcpkgs/retroarch/template
+++ b/srcpkgs/retroarch/template
@@ -1,11 +1,11 @@
 # Template file for 'retroarch'
 pkgname=retroarch
 version=1.19.1
-revision=2
+revision=3
 build_style=configure
 configure_args="--prefix=/usr --sysconfdir=/etc --enable-networking --enable-udev --disable-builtinflac --disable-builtinglslang
- --disable-builtinmbedtls --disable-builtinzlib
+ --enable-systemmbedtls --disable-builtinbearssl --disable-builtinzlib
 $(vopt_enable ffmpeg) $(vopt_enable flac) $(vopt_enable glslang) $(vopt_enable jack) $(vopt_enable pulseaudio pulse) $(vopt_enable qt5 qt) $(vopt_enable sdl2) $(vopt_enable vulkan) $(vopt_enable wayland) $(vopt_enable x11)"
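Review bot: The `net_socket_ssl_mbed.c` hunk of the backported patch switches headers on `MBEDTLS_VERSION_MAJOR < 3` but changes no call sites, so nothing visible initialises PSA crypto for the v3 build. As far as I know, Mbed TLS 3.x needs `psa_crypto_init()` to have succeeded before a TLS 1.3 handshake, and TLS 1.3 is on by default from 3.6.0; which version this package links against is not shown here. If the socket init code, which lies outside the hunk, does not already do this, I would add `#if MBEDTLS_VERSION_MAJOR >= 3 && defined(MBEDTLS_SSL_PROTO_TLS1_3)` / `psa_crypto_init();` / `#endif` ahead of the handshake and check its return value. Separately, the `2.5.1` floor passed to `check_val` in `qb/config.libs.sh` still lets configure accept the 2.x libraries that the commit message describes as losing security fixes, which deserves a comment next to those lines.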
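Review bot: The new `configure_args` drops `--disable-builtinmbedtls`, and in the patched `Makefile.common` the `else ifeq ($(HAVE_BUILTINMBEDTLS), 1)` branch is tested before the `HAVE_SSL` branch that links the system libraries. The backend selection after `SSL_BACKEND_CHOSEN=no` is outside the visible context, so I can't tell whether `--enable-systemmbedtls` alone forces the bundled copy off; if it does not, the package would compile the in-tree mbedtls rather than the distribution's maintained one. I would keep the explicit flag: `--enable-systemmbedtls --disable-builtinmbedtls --disable-builtinbearssl --disable-builtinzlib`. The hunk covers only the first eleven lines of the template, so also confirm that the mbedtls development package is listed in `makedepends`.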