From 1715f09d85846041936494b89a16cc5149dc64c6 Mon Sep 17 00:00:00 2001
From: Adrian Cruceru <adrian.cruceru@fortanix.com>
Date: Mon, 30 Nov 2020 21:14:27 +0000
Subject: [PATCH] Moving from referene counting allows simpler move to
 native-tls / hyper.

Arc Changes:
-    Each Config/Context/... will hold Arcs towards items it holds pointers to.
-    This forces objects to live as long as needed, once no longer used they get destroyed by reference counting.

This allows passing the objects to multiple threads without worrying about lifetime.
I've also added notes why classes are Sync where used. Let me know if I missed any classes.

Usage example of an intermediate mbed-hyper integration is at:
-    https://github.com/fortanix/rust-mbedtls/tree/acruceru/wip-mbed-hyper-v2/mbedtls-hyper/examples/integrations

There I added a crate to wrap hyper - similar to native-tls. (that will be moved to native-tls layer soon)
That crate can be considered an integration test that I will raise a separate PR for.

Changes after initial review:
-    Added forward_mbedtls_calloc / forward_mbedtls_free functions so we can pass certificates to and from mbedtls without allocator mismatches/corruptions.
-    Switched to MbedtlsList<Certificate> and Certificate. A MbedtlsBox is pending for this PR as well.
-    Fixed most comments.

Still pending:
-    Update define! macros
-    Add MbedtlsBox<Certificate>
---
 Cargo.lock                       |  164 +++++
 mbedtls-sys/Cargo.toml           |    1 +
 mbedtls-sys/build/cmake.rs       |    3 +
 mbedtls/Cargo.toml               |    9 +
 mbedtls/build.rs                 |    6 +
 mbedtls/examples/client.rs       |   21 +-
 mbedtls/examples/server.rs       |   23 +-
 mbedtls/src/alloc.rs             |   60 ++
 mbedtls/src/lib.rs               |    9 +
 mbedtls/src/pk/mod.rs            |   92 ++-
 mbedtls/src/pk/rfc6979.rs        |   10 +-
 mbedtls/src/pkcs12/mod.rs        |    3 +-
 mbedtls/src/rng/ctr_drbg.rs      |  212 +++---
 mbedtls/src/rng/hmac_drbg.rs     |   67 +-
 mbedtls/src/rng/mod.rs           |    6 +-
 mbedtls/src/rng/os_entropy.rs    |   80 ++-
 mbedtls/src/rng/rdrand.rs        |   35 +-
 mbedtls/src/rust_malloc.c        |   31 +
 mbedtls/src/self_test.rs         |    7 +-
 mbedtls/src/ssl/ciphersuites.rs  |    1 +
 mbedtls/src/ssl/config.rs        |  568 +++++++++------
 mbedtls/src/ssl/context.rs       |  358 ++++++----
 mbedtls/src/ssl/mod.rs           |    4 +-
 mbedtls/src/ssl/ticket.rs        |   52 +-
 mbedtls/src/wrapper_macros.rs    |  133 +++-
 mbedtls/src/x509/certificate.rs  | 1133 ++++++++++++++++++++++--------
 mbedtls/src/x509/mod.rs          |    2 +-
 mbedtls/tests/client_server.rs   |   89 ++-
 mbedtls/tests/hyper.rs           |  525 ++++++++++++++
 mbedtls/tests/ssl_conf_ca_cb.rs  |   50 +-
 mbedtls/tests/ssl_conf_verify.rs |   47 +-
 mbedtls/tests/support/entropy.rs |    2 +-
 mbedtls/tests/support/rand.rs    |   18 +-
 mbedtls/valgrind_unittests.sh    |    6 +
 34 files changed, 2835 insertions(+), 992 deletions(-)
 create mode 100644 mbedtls/src/alloc.rs
 create mode 100644 mbedtls/src/rust_malloc.c
 create mode 100644 mbedtls/tests/hyper.rs
 create mode 100755 mbedtls/valgrind_unittests.sh

diff --git a/Cargo.lock b/Cargo.lock
index faeb7fbea..441be4813 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -13,6 +13,15 @@ name = "autocfg"
 version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "base64"
+version = "0.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "safemem 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "bindgen"
 version = "0.19.2"
@@ -171,11 +180,52 @@ name = "glob"
 version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "hermit-abi"
+version = "0.1.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "hex"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "httparse"
+version = "1.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
+[[package]]
+name = "hyper"
+version = "0.10.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "base64 0.9.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "httparse 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)",
+ "language-tags 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "log 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)",
+ "mime 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)",
+ "num_cpus 1.13.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "time 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)",
+ "traitobject 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "typeable 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "unicase 1.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "url 1.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "idna"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "matches 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)",
+ "unicode-bidi 0.3.4 (registry+https://github.com/rust-lang/crates.io-index)",
+ "unicode-normalization 0.1.16 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "kernel32-sys"
 version = "0.2.2"
@@ -185,6 +235,11 @@ dependencies = [
  "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "language-tags"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "lazy_static"
 version = "0.2.11"
@@ -238,6 +293,7 @@ dependencies = [
  "chrono 0.4.9 (registry+https://github.com/rust-lang/crates.io-index)",
  "core_io 0.1.20190701 (registry+https://github.com/rust-lang/crates.io-index)",
  "hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "hyper 0.10.16 (registry+https://github.com/rust-lang/crates.io-index)",
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
  "matches 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)",
  "mbedtls-sys-auto 2.24.0",
@@ -277,6 +333,14 @@ dependencies = [
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "mime"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "log 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "nom"
 version = "3.2.1"
@@ -302,11 +366,25 @@ dependencies = [
  "autocfg 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "num_cpus"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "hermit-abi 0.1.17 (registry+https://github.com/rust-lang/crates.io-index)",
+ "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "opaque-debug"
 version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "percent-encoding"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "pkg-config"
 version = "0.3.16"
@@ -413,6 +491,11 @@ dependencies = [
  "semver 0.1.20 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "safemem"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "semver"
 version = "0.1.20"
@@ -543,11 +626,58 @@ dependencies = [
  "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "tinyvec"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "tinyvec_macros 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
+[[package]]
+name = "traitobject"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
+[[package]]
+name = "typeable"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "typenum"
 version = "1.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "unicase"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "version_check 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "unicode-bidi"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "matches 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "unicode-normalization"
+version = "0.1.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "tinyvec 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "unicode-xid"
 version = "0.0.3"
@@ -558,6 +688,16 @@ name = "unicode-xid"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "url"
+version = "1.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "idna 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
+ "matches 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)",
+ "percent-encoding 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "utf8-ranges"
 version = "0.1.3"
@@ -568,6 +708,11 @@ name = "vcpkg"
 version = "0.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "version_check"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "winapi"
 version = "0.2.8"
@@ -605,6 +750,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 [metadata]
 "checksum aho-corasick 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ca972c2ea5f742bfce5687b9aef75506a764f61d37f8f649047846a9686ddb66"
 "checksum autocfg 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "b671c8fb71b457dd4ae18c4ba1e59aa81793daacc361d82fcd410cef0d491875"
+"checksum base64 0.9.3 (registry+https://github.com/rust-lang/crates.io-index)" = "489d6c0ed21b11d038c31b6ceccca973e65d73ba3bd8ecb9a2babf5546164643"
 "checksum bindgen 0.19.2 (registry+https://github.com/rust-lang/crates.io-index)" = "003f95e0fb6cf3d1fee8c62b2ec35135509477989fab15c358e0efa3972bdef6"
 "checksum bitflags 0.5.0 (registry+https://github.com/rust-lang/crates.io-index)" = "4f67931368edf3a9a51d29886d245f1c3db2f1ef0dcc9e35ff70341b78c10d23"
 "checksum bitflags 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "aad18937a628ec6abcd26d1489012cc0e18c21798210f491af69ded9b881106d"
@@ -626,8 +772,13 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum fuchsia-cprng 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba"
 "checksum generic-array 0.12.3 (registry+https://github.com/rust-lang/crates.io-index)" = "c68f0274ae0e023facc3c97b2e00f076be70e254bc851d972503b328db79b2ec"
 "checksum glob 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)" = "8be18de09a56b60ed0edf84bc9df007e30040691af7acd1c41874faac5895bfb"
+"checksum hermit-abi 0.1.17 (registry+https://github.com/rust-lang/crates.io-index)" = "5aca5565f760fb5b220e499d72710ed156fdb74e631659e99377d9ebfbd13ae8"
 "checksum hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
+"checksum httparse 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "cd179ae861f0c2e53da70d892f5f3029f9594be0c41dc5269cd371691b1dc2f9"
+"checksum hyper 0.10.16 (registry+https://github.com/rust-lang/crates.io-index)" = "0a0652d9a2609a968c14be1a9ea00bf4b1d64e2e1f53a1b51b6fff3a6e829273"
+"checksum idna 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "38f09e0f0b1fb55fdee1f17470ad800da77af5186a1a76c026b679358b7e844e"
 "checksum kernel32-sys 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)" = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d"
+"checksum language-tags 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)" = "a91d884b6667cd606bb5a69aa0c99ba811a115fc68915e7056ec08a46e93199a"
 "checksum lazy_static 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)" = "76f033c7ad61445c5b347c7382dd1237847eb1bce590fe50365dcb33d546be73"
 "checksum libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)" = "34fcd2c08d2f832f376f4173a231990fa5aef4e99fb569867318a227ef4c06ba"
 "checksum libz-sys 1.0.25 (registry+https://github.com/rust-lang/crates.io-index)" = "2eb5e43362e38e2bca2fd5f5134c4d4564a23a5c28e9b95411652021a8675ebe"
@@ -636,10 +787,13 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum matches 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)" = "7ffc5c5338469d4d3ea17d269fa8ea3512ad247247c30bd2df69e68309ed0a08"
 "checksum memchr 0.1.11 (registry+https://github.com/rust-lang/crates.io-index)" = "d8b629fb514376c675b98c1421e80b151d3817ac42d7c667717d282761418d20"
 "checksum memchr 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)" = "148fab2e51b4f1cfc66da2a7c32981d1d3c083a803978268bb11fe4b86925e7a"
+"checksum mime 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "ba626b8a6de5da682e1caa06bdb42a335aee5a84db8e5046a3e8ab17ba0a3ae0"
 "checksum nom 3.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "05aec50c70fd288702bcd93284a8444607f3292dbdf2a30de5ea5dcdbe72287b"
 "checksum num-integer 0.1.41 (registry+https://github.com/rust-lang/crates.io-index)" = "b85e541ef8255f6cf42bbfe4ef361305c6c135d10919ecc26126c4e5ae94bc09"
 "checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32"
+"checksum num_cpus 1.13.0 (registry+https://github.com/rust-lang/crates.io-index)" = "05499f3756671c15885fee9034446956fff3f243d6077b91e5767df161f766b3"
 "checksum opaque-debug 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c"
+"checksum percent-encoding 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)" = "31010dd2e1ac33d5b46a5b413495239882813e0369f8ed8a5e266f173602f831"
 "checksum pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)" = "72d5370d90f49f70bd033c3d75e87fc529fbfff9d6f7cccef07d6170079d91ea"
 "checksum proc-macro2 0.4.30 (registry+https://github.com/rust-lang/crates.io-index)" = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759"
 "checksum quote 0.6.13 (registry+https://github.com/rust-lang/crates.io-index)" = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1"
@@ -654,6 +808,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum rs-libc 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "80a671d6c4696a49b78e0a271c99bc58bc1a17a64893a3684a1ba1a944b26ca9"
 "checksum rustc-serialize 0.3.24 (registry+https://github.com/rust-lang/crates.io-index)" = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 "checksum rustc_version 0.1.7 (registry+https://github.com/rust-lang/crates.io-index)" = "c5f5376ea5e30ce23c03eb77cbe4962b988deead10910c372b226388b594c084"
+"checksum safemem 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ef703b7cb59335eae2eb93ceb664c0eb7ea6bf567079d843e09420219668e072"
 "checksum semver 0.1.20 (registry+https://github.com/rust-lang/crates.io-index)" = "d4f410fedcf71af0345d7607d246e7ad15faaadd49d240ee3b24e5dc21a820ac"
 "checksum serde 1.0.101 (registry+https://github.com/rust-lang/crates.io-index)" = "9796c9b7ba2ffe7a9ce53c2287dfc48080f4b2b362fcc245a259b3a7201119dd"
 "checksum serde_bytes 0.10.5 (registry+https://github.com/rust-lang/crates.io-index)" = "defbb8a83d7f34cc8380751eeb892b825944222888aff18996ea7901f24aec88"
@@ -669,11 +824,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum thread-id 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "a9539db560102d1cef46b8b78ce737ff0bb64e7e18d35b2a5688f7d097d0ff03"
 "checksum thread_local 0.2.7 (registry+https://github.com/rust-lang/crates.io-index)" = "8576dbbfcaef9641452d5cf0df9b0e7eeab7694956dd33bb61515fb8f18cfdd5"
 "checksum time 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)" = "db8dcfca086c1143c9270ac42a2bbd8a7ee477b78ac8e45b19abfb0cbede4b6f"
+"checksum tinyvec 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ccf8dbc19eb42fba10e8feaaec282fb50e2c14b2726d6301dbfeed0f73306a6f"
+"checksum tinyvec_macros 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
+"checksum traitobject 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "efd1f82c56340fdf16f2a953d7bda4f8fdffba13d93b00844c25572110b26079"
+"checksum typeable 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "1410f6f91f21d1612654e7cc69193b0334f909dcf2c790c4826254fbb86f8887"
 "checksum typenum 1.11.2 (registry+https://github.com/rust-lang/crates.io-index)" = "6d2783fe2d6b8c1101136184eb41be8b1ad379e4657050b8aaff0c79ee7575f9"
+"checksum unicase 1.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "7f4765f83163b74f957c797ad9253caf97f103fb064d3999aea9568d09fc8a33"
+"checksum unicode-bidi 0.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "49f2bd0c6468a8230e1db229cff8029217cf623c767ea5d60bfbd42729ea54d5"
+"checksum unicode-normalization 0.1.16 (registry+https://github.com/rust-lang/crates.io-index)" = "a13e63ab62dbe32aeee58d1c5408d35c36c392bba5d9d3142287219721afe606"
 "checksum unicode-xid 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "36dff09cafb4ec7c8cf0023eb0b686cb6ce65499116a12201c9e11840ca01beb"
 "checksum unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
+"checksum url 1.7.2 (registry+https://github.com/rust-lang/crates.io-index)" = "dd4e7c0d531266369519a4aa4f399d748bd37043b00bde1e4ff1f60a120b355a"
 "checksum utf8-ranges 0.1.3 (registry+https://github.com/rust-lang/crates.io-index)" = "a1ca13c08c41c9c3e04224ed9ff80461d97e121589ff27c753a16cb10830ae0f"
 "checksum vcpkg 0.2.7 (registry+https://github.com/rust-lang/crates.io-index)" = "33dd455d0f96e90a75803cfeb7f948768c08d70a6de9a8d2362461935698bf95"
+"checksum version_check 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "914b1a6776c4c929a602fafd8bc742e06365d4bcbe48c30f9cca5824f70dc9dd"
 "checksum winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "167dc9d6949a9b857f3451275e911c3f44255842c1f7a76f33c55103a909087a"
 "checksum winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)" = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
 "checksum winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "2d315eee3b34aca4797b2da6b13ed88266e6d612562a0c46390af8299fc699bc"
diff --git a/mbedtls-sys/Cargo.toml b/mbedtls-sys/Cargo.toml
index 6b1ab3505..90d90ce57 100644
--- a/mbedtls-sys/Cargo.toml
+++ b/mbedtls-sys/Cargo.toml
@@ -12,6 +12,7 @@ This version generates the correct bindings at compile time using bindgen."""
 readme = "../README.md"
 repository = "https://github.com/fortanix/rust-mbedtls"
 documentation = "https://docs.rs/mbedtls-sys-auto/"
+links = "mbedtls"
 
 [lib]
 name = "mbedtls_sys"
diff --git a/mbedtls-sys/build/cmake.rs b/mbedtls-sys/build/cmake.rs
index 673ed3903..767684ba1 100644
--- a/mbedtls-sys/build/cmake.rs
+++ b/mbedtls-sys/build/cmake.rs
@@ -49,5 +49,8 @@ impl super::BuildConfig {
         println!("cargo:rustc-link-lib=mbedtls");
         println!("cargo:rustc-link-lib=mbedx509");
         println!("cargo:rustc-link-lib=mbedcrypto");
+
+        println!("cargo:include={}/{}", ::std::env::current_dir().unwrap().display(), self.mbedtls_src.join("include").display());
+        println!("cargo:config_h={}", self.config_h.to_str().expect("config.h UTF-8 error"));
     }
 }
diff --git a/mbedtls/Cargo.toml b/mbedtls/Cargo.toml
index f9605a243..ced7080c0 100644
--- a/mbedtls/Cargo.toml
+++ b/mbedtls/Cargo.toml
@@ -38,12 +38,15 @@ default-features = false
 features = ["custom_printf", "trusted_cert_callback"]
 path = "../mbedtls-sys"
 
+
+
 [dev-dependencies]
 libc = "0.2.0"
 rand = "0.4.0"
 serde_cbor = "0.6"
 hex = "0.3"
 matches = "0.1.8"
+hyper = { version = "0.10.16", default-features = false }
 
 [build-dependencies]
 cc = "1.0"
@@ -119,3 +122,9 @@ required-features = ["std"]
 name = "ssl_conf_verify"
 path = "tests/ssl_conf_verify.rs"
 required-features = ["std"]
+
+
+[[test]]
+name = "hyper"
+path = "tests/hyper.rs"
+required-features = ["default", "pthread"]
diff --git a/mbedtls/build.rs b/mbedtls/build.rs
index 004c8a9c1..1d7ba4b39 100644
--- a/mbedtls/build.rs
+++ b/mbedtls/build.rs
@@ -12,6 +12,12 @@ use std::env;
 
 fn main() {
     let mut b = cc::Build::new();
+    b.include(env::var_os("DEP_MBEDTLS_INCLUDE").expect("Links was not properly set in mbedtls-sys package, missing DEP_MBEDTLS_INCLUDE"));
+    let config_file = format!("\"{}\"", env::var_os("DEP_MBEDTLS_CONFIG_H").expect("Links was not properly set in mbedtls-sys package, missing DEP_MBEDTLS_CONFIG_H").to_str().unwrap());
+    b.define("MBEDTLS_CONFIG_FILE",
+             Some(config_file.as_str()));
+    
+    b.file("src/rust_malloc.c");
     b.file("src/rust_printf.c");
     if env::var_os("CARGO_FEATURE_STD").is_none()
         || ::std::env::var("TARGET")
diff --git a/mbedtls/examples/client.rs b/mbedtls/examples/client.rs
index 9dcb907a6..18de85ba7 100644
--- a/mbedtls/examples/client.rs
+++ b/mbedtls/examples/client.rs
@@ -10,6 +10,7 @@ extern crate mbedtls;
 
 use std::io::{self, stdin, stdout, Write};
 use std::net::TcpStream;
+use std::sync::Arc;
 
 use mbedtls::rng::CtrDrbg;
 use mbedtls::ssl::config::{Endpoint, Preset, Transport};
@@ -23,21 +24,21 @@ use support::entropy::entropy_new;
 use support::keys;
 
 fn result_main(addr: &str) -> TlsResult<()> {
-    let mut entropy = entropy_new();
-    let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cert = Certificate::from_pem(keys::ROOT_CA_CERT)?;
+    let entropy = Arc::new(entropy_new());
+    let rng = Arc::new(CtrDrbg::new(entropy, None)?);
+    let cert = Arc::new(Certificate::from_pem_multiple(keys::PEM_CERT)?);
     let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
-    config.set_rng(Some(&mut rng));
-    config.set_ca_list(Some(&mut *cert), None);
-    let mut ctx = Context::new(&config)?;
+    config.set_rng(rng);
+    config.set_ca_list(cert, None);
+    let mut ctx = Context::new(Arc::new(config));
 
-    let mut conn = TcpStream::connect(addr).unwrap();
-    let mut session = ctx.establish(&mut conn, None)?;
+    let conn = TcpStream::connect(addr).unwrap();
+    ctx.establish(conn, None)?;
 
     let mut line = String::new();
     stdin().read_line(&mut line).unwrap();
-    session.write_all(line.as_bytes()).unwrap();
-    io::copy(&mut session, &mut stdout()).unwrap();
+    ctx.write_all(line.as_bytes()).unwrap();
+    io::copy(&mut ctx, &mut stdout()).unwrap();
     Ok(())
 }
 
diff --git a/mbedtls/examples/server.rs b/mbedtls/examples/server.rs
index 59f8d7597..1ff5c5a5a 100644
--- a/mbedtls/examples/server.rs
+++ b/mbedtls/examples/server.rs
@@ -10,6 +10,7 @@ extern crate mbedtls;
 
 use std::io::{BufRead, BufReader, Write};
 use std::net::{TcpListener, TcpStream};
+use std::sync::Arc;
 
 use mbedtls::pk::Pk;
 use mbedtls::rng::CtrDrbg;
@@ -29,21 +30,25 @@ fn listen<E, F: FnMut(TcpStream) -> Result<(), E>>(mut handle_client: F) -> Resu
         println!("Connection from {}", conn.peer_addr().unwrap());
         handle_client(conn)?;
     }
+
     Ok(())
 }
 
 fn result_main() -> TlsResult<()> {
-    let mut entropy = entropy_new();
-    let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cert = Certificate::from_pem(keys::PEM_CERT)?;
-    let mut key = Pk::from_private_key(keys::PEM_KEY, None)?;
+    let entropy = entropy_new();
+    let rng = Arc::new(CtrDrbg::new(Arc::new(entropy), None)?);
+    let cert = Arc::new(Certificate::from_pem_multiple(keys::PEM_CERT)?);
+    let key = Arc::new(Pk::from_private_key(keys::PEM_KEY, None)?);
     let mut config = Config::new(Endpoint::Server, Transport::Stream, Preset::Default);
-    config.set_rng(Some(&mut rng));
-    config.push_cert(&mut *cert, &mut key)?;
-    let mut ctx = Context::new(&config)?;
+    config.set_rng(rng);
+    config.push_cert(cert, key)?;
+
+    let rc_config = Arc::new(config);
 
-    listen(|mut conn| {
-        let mut session = BufReader::new(ctx.establish(&mut conn, None)?);
+    listen(move |conn| {
+        let mut ctx = Context::new(rc_config.clone());
+        ctx.establish(conn, None)?;
+        let mut session = BufReader::new(ctx);
         let mut line = Vec::new();
         session.read_until(b'\n', &mut line).unwrap();
         session.get_mut().write_all(&line).unwrap();
diff --git a/mbedtls/src/alloc.rs b/mbedtls/src/alloc.rs
new file mode 100644
index 000000000..c836afa4e
--- /dev/null
+++ b/mbedtls/src/alloc.rs
@@ -0,0 +1,60 @@
+/* Copyright (c) Fortanix, Inc.
+ *
+ * Licensed under the GNU General Public License, version 2 <LICENSE-GPL or
+ * https://www.gnu.org/licenses/gpl-2.0.html> or the Apache License, Version
+ * 2.0 <LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0>, at your
+ * option. This file may not be copied, modified, or distributed except
+ * according to those terms. */
+
+#[cfg(not(feature = "std"))]
+use crate::alloc_prelude::*;
+
+use core::fmt;
+use core::ops::{Deref, DerefMut};
+use core::ptr::NonNull;
+use core::ptr::drop_in_place;
+
+use mbedtls_sys::types::raw_types::c_void;
+
+extern "C" {
+    pub fn forward_mbedtls_free(n: *mut mbedtls_sys::types::raw_types::c_void);
+}
+
+#[repr(transparent)]
+pub struct Box<T> {
+    pub(crate) inner: NonNull<T>
+}
+
+impl<T> Deref for Box<T> {
+    type Target = T;
+    fn deref(&self) -> &T {
+        unsafe { self.inner.as_ref() }
+    }
+}
+
+impl<T> DerefMut for Box<T> {
+    fn deref_mut(&mut self) -> &mut T {
+        unsafe { self.inner.as_mut() }
+    }
+}
+
+impl<T: fmt::Debug> fmt::Debug for Box<T> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        fmt::Debug::fmt(&**self, f)
+    }
+}
+
+impl<T> Drop for Box<T> {
+    fn drop(&mut self) {
+        unsafe {
+            drop_in_place(self.inner.as_ptr());
+            forward_mbedtls_free(self.inner.as_ptr() as *mut c_void)
+        }
+    }
+}
+
+#[repr(transparent)]
+pub struct List<T> {
+    pub(crate) inner: Option<Box<T>>
+}
+
diff --git a/mbedtls/src/lib.rs b/mbedtls/src/lib.rs
index a5e15df43..59eda7bab 100644
--- a/mbedtls/src/lib.rs
+++ b/mbedtls/src/lib.rs
@@ -59,6 +59,7 @@ pub mod rng;
 pub mod self_test;
 pub mod ssl;
 pub mod x509;
+pub mod alloc;
 
 #[cfg(feature = "pkcs12")]
 pub mod pkcs12;
@@ -163,3 +164,11 @@ pub unsafe extern "C" fn mbedtls_time(tp: *mut time_t) -> time_t {
     }
     timestamp
 }
+
+// Debug not available in SGX
+#[cfg(not(target_env = "sgx"))]
+pub unsafe fn set_global_debug_threshold(threshold: i32) {
+    mbedtls_sys::debug_set_threshold(threshold);
+}
+
+
diff --git a/mbedtls/src/pk/mod.rs b/mbedtls/src/pk/mod.rs
index 28cb6086f..3676b4a2c 100644
--- a/mbedtls/src/pk/mod.rs
+++ b/mbedtls/src/pk/mod.rs
@@ -132,6 +132,7 @@ const CUSTOM_PK_INFO: pk_info_t = {
     }
 };
 
+// If this changes then certificate.rs unsafe code in public_key needs to also change.
 define!(
     #[c_ty(pk_context)]
     #[repr(C)]
@@ -142,6 +143,91 @@ define!(
     impl<'a> UnsafeFrom<ptr> {}
 );
 
+// # Safety
+//
+// Thread safety analysis for Pk.
+//
+// A. Usage example of Pk.
+//
+// 1.1. Common use case is to to pass it as parameter to the SSL Config class.
+// 1.2. SSL Config class is then used by multiple Context classes (one for each connection)
+// 1.3. Context classes, handled by different threads will do calls towards Pk.
+//
+// Since this is a common use case for MbedTLS it should be thread safe if threading is enabled.
+//
+// B. Verifying thread safety.
+//
+// 1. Calls towards the specific Pk implementation are done via function pointers.
+// 
+// - Example call towards Pk:
+//    ../../../mbedtls-sys/vendor/library/ssl_srv.c:3707 - mbedtls_pk_decrypt( private_key, p, len, ...
+// - This calls a generic function pointer via:
+//    ../../../mbedtls-sys/vendor/crypto/library/pk.c:475 - return( ctx->pk_info->decrypt_func( ctx->pk_ctx, input, ilen,
+//
+// 2. Pk implementation types.
+//
+// - The function pointers are defined via function:
+//      ../../../mbedtls-sys/vendor/crypto/library/pk.c:115 - mbedtls_pk_info_from_type
+// - They are as follows: mbedtls_rsa_info / mbedtls_eckey_info / mbedtls_ecdsa_info
+// - These are defined in: 
+//       ../../../mbedtls-sys/vendor/crypto/library/pk_wrap.c:196
+//
+// C. Checking types one by one.
+//
+// 1. RSA: mbedtls_rsa_info at ../../../mbedtls-sys/vendor/crypto/library/pk_wrap.c:196
+// This uses internal locks in: ../../../mbedtls-sys/vendor/crypto/library/rsa.c:718
+//
+// 2. ECKEY: mbedtls_eckey_info at ../../../mbedtls-sys/vendor/crypto/library/pk_wrap.c:418
+// This does not use internal locks but avoids interior mutability.
+//
+// Function checks one by one:
+// - Only const access to context: eckey_check_pair, eckey_get_bitlen, eckey_can_do, eckey_check_pair
+//
+// - Const acccess / copies context to a stack based variable
+//   eckey_verify_wrap, eckey_sign_wrap: ../../../mbedtls-sys/vendor/crypto/library/pk_wrap.c:251
+//       creates a stack ecdsa variable and uses ctx to initialize it.
+//       ctx is passed as 'key', a const pointer to mbedtls_ecdsa_from_keypair( &ecdsa, ctx )
+//           ../../../mbedtls-sys/vendor/crypto/library/ecdsa.c:819
+//           int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
+//           key does not mutate.
+//
+// - Ignored due to not defined: eckey_verify_rs_wrap, eckey_sign_rs_wrap
+//   (Undefined - MBEDTLS_ECP_RESTARTABLE - ../../../mbedtls-sys/build/config.rs:173)
+//
+// - Only used when creating/freeing - which is safe by design - eckey_alloc_wrap / eckey_free_wrap
+//
+// 3. ECDSA: mbedtls_ecdsa_info at ../../../mbedtls-sys/vendor/crypto/library/pk_wrap.c:729
+// This does not use internal locks but avoids interior mutability.
+//
+// - Const access / copies context to stack based variables:
+//   ecdsa_verify_wrap: ../../../mbedtls-sys/vendor/crypto/library/pk_wrap.c:544
+//       This copies the public key on the stack - in buf[] and copies the group id and nbits.
+//       That is done via: mbedtls_pk_write_pubkey( &p, buf, &key ) where key.pk_ctx = ctx;
+//       And the key is a const parameter to mbedtls_pk_write_pubkey - ../../../mbedtls-sys/vendor/crypto/library/pkwrite.c:158
+//
+// - Const access with additional notes due to call stacks involved.
+//
+//   ecdsa_sign_wrap: ../../../mbedtls-sys/vendor/crypto/library/pk_wrap.c:657
+//       mbedtls_ecdsa_write_signature ../../../mbedtls-sys/vendor/crypto/library/ecdsa.c:688
+//           mbedtls_ecdsa_write_signature_restartable ../../../mbedtls-sys/vendor/crypto/library/ecdsa.c:640
+//               MBEDTLS_ECDSA_DETERMINISTIC is not defined.
+//               MBEDTLS_ECDSA_SIGN_ALT is not defined.
+//               Passes grp to: ecdsa_sign_restartable: ../../../mbedtls-sys/vendor/crypto/library/ecdsa.c:253
+//                    Const access to group - reads parameters, passed as const to mbedtls_ecp_gen_privkey,
+//                    mbedtls_ecp_mul_restartable: ../../../mbedtls-sys/vendor/crypto/library/ecp.c:2351
+//                        MBEDTLS_ECP_INTERNAL_ALT is not defined. (otherwise it might not be safe depending on ecp_init/ecp_free) ../../../mbedtls-sys/build/config.rs:131
+//                        Passes as const to: mbedtls_ecp_check_privkey / mbedtls_ecp_check_pubkey / mbedtls_ecp_get_type( grp
+//        
+// - Ignored due to not defined: ecdsa_verify_rs_wrap, ecdsa_sign_rs_wrap, ecdsa_rs_alloc, ecdsa_rs_free
+//   (Undefined - MBEDTLS_ECP_RESTARTABLE - ../../../mbedtls-sys/build/config.rs:173)
+//
+// - Only const access to context: eckey_check_pair
+//
+// - Only used when creating/freeing - which is safe by design: ecdsa_alloc_wrap, ecdsa_free_wrap
+//
+#[cfg(feature = "threading")]
+unsafe impl Sync for Pk {}
+
 impl Pk {
     /// Takes both DER and PEM forms of PKCS#1 or PKCS#8 encoded keys.
     ///
@@ -778,7 +864,7 @@ impl Pk {
         sig: &mut [u8],
         rng: &mut F,
     ) -> Result<usize> {
-        use crate::rng::RngCallback;
+        use crate::rng::RngCallbackMut;
 
         if self.pk_type() == Type::Ecdsa || self.pk_type() == Type::Eckey {
             if sig.len() < ECDSA_MAX_LEN {
@@ -803,8 +889,8 @@ impl Pk {
                     hash.len(),
                     sig.as_mut_ptr(),
                     &mut ret,
-                    Some(Rfc6979Rng::call),
-                    rng.data_ptr(),
+                    Some(Rfc6979Rng::call_mut),
+                    rng.data_ptr_mut(),
                 ).into_result()?;
             };
             Ok(ret)
diff --git a/mbedtls/src/pk/rfc6979.rs b/mbedtls/src/pk/rfc6979.rs
index 1bc42f134..30da45d62 100644
--- a/mbedtls/src/pk/rfc6979.rs
+++ b/mbedtls/src/pk/rfc6979.rs
@@ -12,7 +12,7 @@ use crate::alloc_prelude::*;
 use mbedtls_sys::types::raw_types::{c_int, c_uchar, c_void};
 use mbedtls_sys::types::size_t;
 
-use crate::rng::{HmacDrbg, Random, RngCallback};
+use crate::rng::{HmacDrbg, Random, RngCallbackMut};
 
 use crate::error::Result;
 use crate::bignum::Mpi;
@@ -67,7 +67,7 @@ fn generate_rfc6979_nonce(md: &MdInfo, x: &Mpi, q: &Mpi, digest_bytes: &[u8]) ->
 pub(crate) struct Rfc6979Rng {
     pub k: Vec<u8>,
     pub k_read: usize,
-    pub rng: HmacDrbg<'static>,
+    pub rng: HmacDrbg,
 }
 
 /// An RNG which first outputs the k for RFC 6797 followed by random data
@@ -110,8 +110,8 @@ impl Rfc6979Rng {
     }
 }
 
-impl RngCallback for Rfc6979Rng {
-    unsafe extern "C" fn call(
+impl RngCallbackMut for Rfc6979Rng {
+    unsafe extern "C" fn call_mut(
         user_data: *mut c_void,
         data_ptr: *mut c_uchar,
         len: size_t,
@@ -126,7 +126,7 @@ impl RngCallback for Rfc6979Rng {
         }
     }
 
-    fn data_ptr(&mut self) -> *mut c_void {
+    fn data_ptr_mut(&mut self) -> *mut c_void {
         self as *const _ as *mut _
     }
 }
diff --git a/mbedtls/src/pkcs12/mod.rs b/mbedtls/src/pkcs12/mod.rs
index 7d7507996..a70e98cfd 100644
--- a/mbedtls/src/pkcs12/mod.rs
+++ b/mbedtls/src/pkcs12/mod.rs
@@ -39,6 +39,7 @@ use crate::cipher::{Cipher, Decryption, Fresh, Traditional};
 use crate::hash::{pbkdf_pkcs12, Md, MdInfo, Type as MdType};
 use crate::pk::Pk;
 use crate::x509::Certificate;
+use crate::alloc::{Box as MbedtlsBox};
 use crate::Error as MbedtlsError;
 
 // Constants for various object identifiers used in PKCS12:
@@ -836,7 +837,7 @@ impl Pfx {
     /// of "friendly names" which are associated with said certificate.
     /// Some or all of the certificates stored in a Pfx may be encrypted in which case
     /// decrypt must be called to access them.
-    pub fn certificates<'a>(&'a self) -> impl Iterator<Item=(Result<Certificate, crate::Error>, Vec<String>)> + 'a {
+    pub fn certificates<'a>(&'a self) -> impl Iterator<Item=(Result<MbedtlsBox<Certificate>, crate::Error>, Vec<String>)> + 'a {
         self.authsafe_decrypted_contents()
             .filter_map(|sb| if let Pkcs12BagSet::Cert(CertBag(Some(cert))) = &sb.bag_value {
                 Some((Certificate::from_der(cert), sb.friendly_name()))
diff --git a/mbedtls/src/rng/ctr_drbg.rs b/mbedtls/src/rng/ctr_drbg.rs
index 1b4184ba2..444a9ec25 100644
--- a/mbedtls/src/rng/ctr_drbg.rs
+++ b/mbedtls/src/rng/ctr_drbg.rs
@@ -6,126 +6,77 @@
  * option. This file may not be copied, modified, or distributed except
  * according to those terms. */
 
+use mbedtls_sys::*;
+use std::sync::Arc;
 use mbedtls_sys::types::raw_types::{c_int, c_uchar, c_void};
 use mbedtls_sys::types::size_t;
 pub use mbedtls_sys::CTR_DRBG_RESEED_INTERVAL as RESEED_INTERVAL;
-use mbedtls_sys::{
-    ctr_drbg_random, ctr_drbg_reseed, ctr_drbg_seed, ctr_drbg_set_prediction_resistance,
-    ctr_drbg_update, CTR_DRBG_PR_OFF, CTR_DRBG_PR_ON,
-};
-
-use super::{EntropyCallback, RngCallback};
 use crate::error::{IntoResult, Result};
+use crate::rng::{EntropyCallback, RngCallback, RngCallbackMut};
+
+define!(
+    // Moving data causes dangling pointers: https://github.com/ARMmbed/mbedtls/issues/2147
+    // Storing data in heap and forcing rust move to only move the pointer (box) referencing it.
+    // The move will be faster. Access to data will be slower due to additional indirection.
+    #[c_box_ty(ctr_drbg_context)]
+    #[repr(C)]
+    struct CtrDrbg {
+        entropy: Arc<dyn EntropyCallback + 'static>,
+    };
+    const drop: fn(&mut Self) = ctr_drbg_free;
+);
+
+///
+/// Class has interior mutability via function called 'call'.
+/// That function has an internal mutex to guarantee thread safety.
+///
+/// The other potential conflict is a mutable reference changing class.
+/// That is avoided by having any users of the callback hold an 'Arc' to this class.
+/// Rust will then ensure that a mutable reference cannot be aquired if more then 1 Arc exists to the same class.
+///
+#[cfg(feature = "threading")]
+unsafe impl Sync for CtrDrbg {}
 
-// ==== BEGIN IMMOVABLE TYPE KLUDGE ====
-// `ctr_drbg_context` inlines an `aes_context`, which is immovable. See
-// https://github.com/ARMmbed/mbedtls/issues/2147. We work around this
-// by always boxing up the context, which requires this module to depend on
-// std/alloc.
-//
-// If `ctr_drbg_context` were moveable, this entire section could be replaced
-// by basically:
-// ```
-// define!(
-//     #[c_ty(ctr_drbg_context)]
-//     struct CtrDrbg<'entropy>;
-//     fn init() {
-//         ctr_drbg_init
-//     }
-//     fn drop() {
-//         ctr_drbg_free
-//     }
-// );
-// ```
-
-use self::private::CtrDrbgInner;
-#[cfg(not(feature = "std"))]
-use crate::alloc_prelude::*;
-use core::ops::{Deref, DerefMut};
-
-mod private {
-    use core::marker::PhantomData;
-    use mbedtls_sys::{ctr_drbg_context, ctr_drbg_free, ctr_drbg_init};
-
-    pub struct CtrDrbgInner<'entropy> {
-        pub(super) inner: ctr_drbg_context,
-        r: PhantomData<&'entropy ()>,
-    }
-
-    impl<'entropy> CtrDrbgInner<'entropy> {
-        pub(super) fn init() -> Self {
-            let mut inner = ::core::mem::MaybeUninit::uninit();
-            let inner = unsafe {
-                ctr_drbg_init(inner.as_mut_ptr());
-                inner.assume_init()
-            };
-            CtrDrbgInner {
-                inner,
-                r: PhantomData,
-            }
-        }
-    }
-
-    impl<'entropy> Drop for CtrDrbgInner<'entropy> {
-        fn drop(&mut self) {
-            unsafe { ctr_drbg_free(&mut self.inner) };
-        }
-    }
-}
+#[allow(dead_code)]
+impl CtrDrbg {
 
-pub struct CtrDrbg<'entropy> {
-    boxed: Box<CtrDrbgInner<'entropy>>,
-}
+    // If threading enabled - we are Sync, but for that to be true we need entropy to also be sync.
+    #[cfg(feature = "threading")]
+    pub fn new<T: EntropyCallback + Send + Sync + 'static>(entropy: Arc<T>, additional_entropy: Option<&[u8]>) -> Result<Self> {
+        let mut inner = Box::new(ctr_drbg_context::default());
 
-impl<'entropy> CtrDrbg<'entropy> {
-    fn init() -> Self {
-        CtrDrbg {
-            boxed: Box::new(CtrDrbgInner::init()),
+        unsafe {
+            ctr_drbg_init(&mut *inner);
+            ctr_drbg_seed(
+                &mut *inner,
+                Some(T::call),
+                entropy.data_ptr(),
+                additional_entropy.map(<[_]>::as_ptr).unwrap_or(::core::ptr::null()),
+                additional_entropy.map(<[_]>::len).unwrap_or(0)
+            ).into_result()?;
         }
-    }
-}
 
-#[doc(hidden)]
-impl<'entropy> Deref for CtrDrbg<'entropy> {
-    type Target = CtrDrbgInner<'entropy>;
-    fn deref(&self) -> &Self::Target {
-        &self.boxed
+        Ok(CtrDrbg { inner, entropy })
     }
-}
 
-#[doc(hidden)]
-impl<'entropy> DerefMut for CtrDrbg<'entropy> {
-    fn deref_mut(&mut self) -> &mut Self::Target {
-        &mut self.boxed
-    }
-}
-
-// ==== END IMMOVABLE TYPE KLUDGE ====
+    #[cfg(not(feature = "threading"))]
+    pub fn new<T: EntropyCallback + 'static>(entropy: Arc<T>, additional_entropy: Option<&[u8]>) -> Result<Self> {
+        let mut inner = Box::new(ctr_drbg_context::default());
 
-#[cfg(feature = "threading")]
-unsafe impl<'entropy> Sync for CtrDrbg<'entropy> {}
-
-impl<'entropy> CtrDrbg<'entropy> {
-    pub fn new<F: EntropyCallback>(
-        source: &'entropy mut F,
-        additional_entropy: Option<&[u8]>,
-    ) -> Result<CtrDrbg<'entropy>> {
-        let mut ret = Self::init();
         unsafe {
+            ctr_drbg_init(&mut *inner);
             ctr_drbg_seed(
-                &mut ret.inner,
-                Some(F::call),
-                source.data_ptr(),
-                additional_entropy
-                    .map(<[_]>::as_ptr)
-                    .unwrap_or(::core::ptr::null()),
+                &mut *inner,
+                Some(T::call),
+                entropy.data_ptr(),
+                additional_entropy.map(<[_]>::as_ptr).unwrap_or(::core::ptr::null()),
                 additional_entropy.map(<[_]>::len).unwrap_or(0)
-            )
-            .into_result()?
-        };
-        Ok(ret)
-    }
+            ).into_result()?;
+        }
 
+        Ok(CtrDrbg { inner, entropy })
+    }
+    
     pub fn prediction_resistance(&self) -> bool {
         if self.inner.prediction_resistance == CTR_DRBG_PR_OFF {
             false
@@ -137,21 +88,32 @@ impl<'entropy> CtrDrbg<'entropy> {
     pub fn set_prediction_resistance(&mut self, pr: bool) {
         unsafe {
             ctr_drbg_set_prediction_resistance(
-                &mut self.inner,
+                &mut *self.inner,
                 if pr { CTR_DRBG_PR_ON } else { CTR_DRBG_PR_OFF },
             )
         }
     }
 
-    getter!(entropy_len() -> size_t = .entropy_len);
-    setter!(set_entropy_len(len: size_t) = ctr_drbg_set_entropy_len);
-    getter!(reseed_interval() -> c_int = .reseed_interval);
-    setter!(set_reseed_interval(i: c_int) = ctr_drbg_set_reseed_interval);
+    pub fn entropy_len(&self) -> size_t {
+        self.inner.entropy_len
+    }
+
+    pub fn set_entropy_len(&mut self, len: size_t) {
+        unsafe { ctr_drbg_set_entropy_len(&mut *self.inner, len); }
+    }
+
+    pub fn reseed_interval(&self) -> c_int {
+        self.inner.reseed_interval
+    }
+
+    pub fn set_reseed_interval(&mut self, i: c_int) {
+        unsafe { ctr_drbg_set_reseed_interval(&mut *self.inner, i); }
+    }
 
     pub fn reseed(&mut self, additional_entropy: Option<&[u8]>) -> Result<()> {
         unsafe {
             ctr_drbg_reseed(
-                &mut self.inner,
+                &mut *self.inner,
                 additional_entropy
                     .map(<[_]>::as_ptr)
                     .unwrap_or(::core::ptr::null()),
@@ -163,24 +125,30 @@ impl<'entropy> CtrDrbg<'entropy> {
     }
 
     pub fn update(&mut self, entropy: &[u8]) {
-        unsafe { ctr_drbg_update(&mut self.inner, entropy.as_ptr(), entropy.len()) };
+        unsafe { ctr_drbg_update(&mut *self.inner, entropy.as_ptr(), entropy.len()) };
     }
-
-    // TODO:
-    //
-    // ctr_drbg_random_with_add
-    // ctr_drbg_write_seed_file
-    // ctr_drbg_update_seed_file
-    //
 }
 
-impl<'entropy> RngCallback for CtrDrbg<'entropy> {
+impl RngCallbackMut for CtrDrbg {
     #[inline(always)]
-    unsafe extern "C" fn call(user_data: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
+    unsafe extern "C" fn call_mut(user_data: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int where Self: std::marker::Sized {
+        // Mutex used in ctr_drbg_random at: ../../../mbedtls-sys/vendor/crypto/library/ctr_drbg.c:546
         ctr_drbg_random(user_data, data, len)
     }
 
-    fn data_ptr(&mut self) -> *mut c_void {
-        &mut self.inner as *mut _ as *mut _
+    fn data_ptr_mut(&mut self) -> *mut c_void {
+        self.handle_mut() as *const _ as *mut _
+    }
+}
+
+impl RngCallback for CtrDrbg {
+    #[inline(always)]
+    unsafe extern "C" fn call(user_data: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int where Self: std::marker::Sized {
+        // Mutex used in ctr_drbg_random at: ../../../mbedtls-sys/vendor/crypto/library/ctr_drbg.c:546
+        ctr_drbg_random(user_data, data, len)
+    }
+    
+    fn data_ptr(&self) -> *mut c_void {
+        self.handle() as *const _ as *mut _
     }
 }
diff --git a/mbedtls/src/rng/hmac_drbg.rs b/mbedtls/src/rng/hmac_drbg.rs
index 5320dd672..76263573d 100644
--- a/mbedtls/src/rng/hmac_drbg.rs
+++ b/mbedtls/src/rng/hmac_drbg.rs
@@ -9,41 +9,44 @@
 use mbedtls_sys::types::raw_types::{c_int, c_uchar, c_void};
 use mbedtls_sys::types::size_t;
 pub use mbedtls_sys::HMAC_DRBG_RESEED_INTERVAL as RESEED_INTERVAL;
-use mbedtls_sys::{
-    hmac_drbg_random, hmac_drbg_reseed, hmac_drbg_seed, hmac_drbg_seed_buf,
-    hmac_drbg_set_prediction_resistance, hmac_drbg_update, HMAC_DRBG_PR_OFF, HMAC_DRBG_PR_ON,
-};
+use mbedtls_sys::*;
 
-use super::{EntropyCallback, RngCallback};
+use crate::rng::{EntropyCallback, RngCallback, RngCallbackMut};
 use crate::error::{IntoResult, Result};
 use crate::hash::MdInfo;
+use std::sync::Arc;
 
 define!(
     #[c_ty(hmac_drbg_context)]
-    struct HmacDrbg<'entropy>;
-    const init: fn() -> Self = hmac_drbg_init;
+    struct HmacDrbg {
+        entropy: Option<Arc<dyn EntropyCallback + 'static>>,
+    };
     const drop: fn(&mut Self) = hmac_drbg_free;
 );
 
 #[cfg(feature = "threading")]
-unsafe impl<'entropy> Sync for HmacDrbg<'entropy> {}
+unsafe impl Sync for HmacDrbg {}
 
-impl<'entropy> HmacDrbg<'entropy> {
-    pub fn new<F: EntropyCallback>(
+impl HmacDrbg {
+    pub fn new<T: EntropyCallback + Send + Sync + 'static>(
         md_info: MdInfo,
-        source: &'entropy mut F,
+        entropy: Arc<T>,
         additional_entropy: Option<&[u8]>,
-    ) -> Result<HmacDrbg<'entropy>> {
-        let mut ret = Self::init();
+    ) -> Result<HmacDrbg> {
+
+        let mut ret = HmacDrbg {
+            inner: hmac_drbg_context::default(),
+            entropy: Some(entropy),
+        };
+        
         unsafe {
+            hmac_drbg_init(&mut ret.inner);
             hmac_drbg_seed(
                 &mut ret.inner,
                 md_info.into(),
-                Some(F::call),
-                source.data_ptr(),
-                additional_entropy
-                    .map(<[_]>::as_ptr)
-                    .unwrap_or(::core::ptr::null()),
+                Some(T::call),
+                ret.entropy.as_ref().unwrap().data_ptr(),
+                additional_entropy.map(<[_]>::as_ptr).unwrap_or(::core::ptr::null()),
                 additional_entropy.map(<[_]>::len).unwrap_or(0)
             )
             .into_result()?
@@ -51,9 +54,15 @@ impl<'entropy> HmacDrbg<'entropy> {
         Ok(ret)
     }
 
-    pub fn from_buf(md_info: MdInfo, entropy: &[u8]) -> Result<HmacDrbg<'entropy>> {
-        let mut ret = Self::init();
+    
+    pub fn from_buf(md_info: MdInfo, entropy: &[u8]) -> Result<HmacDrbg> {
+        let mut ret = HmacDrbg {
+            inner: hmac_drbg_context::default(),
+            entropy: None,
+        };
+
         unsafe {
+            hmac_drbg_init(&mut ret.inner);
             hmac_drbg_seed_buf(
                 &mut ret.inner,
                 md_info.into(),
@@ -117,13 +126,25 @@ impl<'entropy> HmacDrbg<'entropy> {
     //
 }
 
-impl<'entropy> RngCallback for HmacDrbg<'entropy> {
+impl RngCallbackMut for HmacDrbg {
+    #[inline(always)]
+    unsafe extern "C" fn call_mut(user_data: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
+        hmac_drbg_random(user_data, data, len)
+    }
+
+    fn data_ptr_mut(&mut self) -> *mut c_void {
+        self.handle_mut() as *const _ as *mut _
+    }
+}
+
+impl RngCallback for HmacDrbg {
     #[inline(always)]
     unsafe extern "C" fn call(user_data: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
+        // Mutex used in hmac_drbg_random: ../../../mbedtls-sys/vendor/crypto/library/hmac_drbg.c:363
         hmac_drbg_random(user_data, data, len)
     }
 
-    fn data_ptr(&mut self) -> *mut c_void {
-        &mut self.inner as *mut _ as *mut _
+    fn data_ptr(&self) -> *mut c_void {
+        self.handle() as *const _ as *mut _
     }
 }
diff --git a/mbedtls/src/rng/mod.rs b/mbedtls/src/rng/mod.rs
index 364ac3b7a..99ff169d1 100644
--- a/mbedtls/src/rng/mod.rs
+++ b/mbedtls/src/rng/mod.rs
@@ -27,11 +27,11 @@ use crate::error::{Result, IntoResult};
 use mbedtls_sys::types::raw_types::{c_int, c_uchar};
 use mbedtls_sys::types::size_t;
 
-callback!(EntropyCallback:Sync(data: *mut c_uchar, len: size_t) -> c_int);
-callback!(RngCallback:Sync(data: *mut c_uchar, len: size_t) -> c_int);
+callback!(EntropyCallbackMut,EntropyCallback:Sync(data: *mut c_uchar, len: size_t) -> c_int);
+callback!(RngCallbackMut,RngCallback:Sync(data: *mut c_uchar, len: size_t) -> c_int);
 
 pub trait Random: RngCallback {
-    fn random(&mut self, data: &mut [u8]) -> Result<()> {
+    fn random(&mut self, data: &mut [u8]) -> Result<()> where Self: std::marker::Sized {
         unsafe { Self::call(self.data_ptr(), data.as_mut_ptr(), data.len()) }.into_result()?;
         Ok(())
     }
diff --git a/mbedtls/src/rng/os_entropy.rs b/mbedtls/src/rng/os_entropy.rs
index ec1e333d4..2593a2911 100644
--- a/mbedtls/src/rng/os_entropy.rs
+++ b/mbedtls/src/rng/os_entropy.rs
@@ -6,71 +6,107 @@
  * option. This file may not be copied, modified, or distributed except
  * according to those terms. */
 
+use crate::error::{IntoResult, Result};
+use crate::rng::EntropyCallback;
+use mbedtls_sys::*;
 use mbedtls_sys::types::raw_types::{c_int, c_uchar, c_void};
 use mbedtls_sys::types::size_t;
-use mbedtls_sys::*;
+use std::sync::Arc;
 
-use crate::error::{IntoResult, Result};
-
-callback!(EntropySourceCallback(data: *mut c_uchar, size: size_t, out: *mut size_t) -> c_int);
+callback!(EntropySourceCallbackMut,EntropySourceCallback(data: *mut c_uchar, size: size_t, out: *mut size_t) -> c_int);
 
 define!(
-    #[c_ty(entropy_context)]
-    struct OsEntropy<'source>;
-    pub const new: fn() -> Self = entropy_init;
+    // Moving data causes dangling pointers: https://github.com/ARMmbed/mbedtls/issues/2147
+    // Storing data in heap and forcing rust move to only move the pointer (box) referencing it.
+    // The move will be faster. Access to data will be slower due to additional indirection.
+    #[c_box_ty(entropy_context)]
+    #[repr(C)]
+    struct OsEntropy {
+        sources: Vec<Arc<dyn EntropySourceCallback + Send + Sync + 'static>>,
+    };
+    impl<'a> Into<ptr> {}
     const drop: fn(&mut Self) = entropy_free;
 );
 
+///
+/// Class has interior mutability via function called 'call'.
+/// That function has an internal mutex to guarantee thread safety.
+///
+/// The other potential conflict is a mutable reference changing class.
+/// That is avoided by having any users of the callback hold an 'Arc' to this class.
+/// Rust will then ensure that a mutable reference cannot be aquired if more then 1 Arc exists to the same class.
+///
 #[cfg(feature = "threading")]
-unsafe impl<'source> Sync for OsEntropy<'source> {}
+unsafe impl Sync for OsEntropy {}
+
+#[allow(dead_code)]
+impl OsEntropy {
+    
+    pub fn new() -> Self {
+        let mut inner = Box::new(entropy_context::default());
 
-impl<'source> OsEntropy<'source> {
-    pub fn add_source<F: EntropySourceCallback>(
+        unsafe {
+            entropy_init(&mut *inner);
+        };
+
+        OsEntropy {
+            inner,
+            sources: vec![],
+        }
+    }
+
+    pub fn add_source<F: EntropySourceCallback + Send + Sync + 'static>(
         &mut self,
-        source: &'source mut F,
+        source: Arc<F>,
         threshold: size_t,
         strong: bool,
     ) -> Result<()> {
         unsafe {
+            // add_source is guarded with internal mutex: mbedtls-sys/vendor/crypto/library/entropy.c:143
+            // all sources are called at later points via 'entropy_gather_internal' which in turn is called with internal mutex locked.
             entropy_add_source(
-                &mut self.inner,
+                self.into(),
                 Some(F::call),
                 source.data_ptr(),
                 threshold,
-                if strong {
-                    ENTROPY_SOURCE_STRONG
-                } else {
-                    ENTROPY_SOURCE_WEAK
-                }
+                if strong { ENTROPY_SOURCE_STRONG } else { ENTROPY_SOURCE_WEAK }
             )
             .into_result()?
         };
+
+        // Rust ensures only one mutable reference is currently in use.
+        self.sources.push(source);
         Ok(())
     }
 
     pub fn gather(&mut self) -> Result<()> {
-        unsafe { entropy_gather(&mut self.inner) }.into_result()?;
+        // function is guarded with internal mutex: mbedtls-sys/vendor/crypto/library/entropy.c:310
+        unsafe { entropy_gather(self.into()) }.into_result()?;
         Ok(())
     }
 
     pub fn update_manual(&mut self, data: &[u8]) -> Result<()> {
-        unsafe { entropy_update_manual(&mut self.inner, data.as_ptr(), data.len()) }.into_result()?;
+        // function is guarded with internal mutex: mbedtls-sys/vendor/crypto/library/entropy.c:241
+        unsafe { entropy_update_manual(self.into(), data.as_ptr(), data.len()) }.into_result()?;
         Ok(())
     }
 
+
     // TODO
     // entropy_write_seed_file
     // entropy_update_seed_file
     //
 }
 
-impl<'source> super::EntropyCallback for OsEntropy<'source> {
+impl EntropyCallback for OsEntropy {
     #[inline(always)]
     unsafe extern "C" fn call(user_data: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
+        // mutex used in entropy_func: ../../../mbedtls-sys/vendor/crypto/library/entropy.c:348
+        // note: we're not using MBEDTLS_ENTROPY_NV_SEED so the initialization is not present or a race condition.
         entropy_func(user_data, data, len)
     }
 
-    fn data_ptr(&mut self) -> *mut c_void {
-        &mut self.inner as *mut _ as *mut _
+    fn data_ptr(&self) -> *mut c_void {
+        &*self.inner as *const _ as *mut _
     }
 }
diff --git a/mbedtls/src/rng/rdrand.rs b/mbedtls/src/rng/rdrand.rs
index 9b734a6b7..6ca4936f1 100644
--- a/mbedtls/src/rng/rdrand.rs
+++ b/mbedtls/src/rng/rdrand.rs
@@ -64,7 +64,7 @@ fn write_rng_to_slice(outbuf: &mut [u8], rng: fn() -> Option<usize>) -> c_int {
     0
 }
 
-use super::{EntropyCallback, RngCallback};
+use super::{EntropyCallback, EntropyCallbackMut, RngCallback, RngCallbackMut};
 
 pub struct Entropy;
 
@@ -74,20 +74,49 @@ impl EntropyCallback for Entropy {
         write_rng_to_slice(&mut outbuf, rdseed)
     }
 
-    fn data_ptr(&mut self) -> *mut c_void {
+    fn data_ptr(&self) -> *mut c_void {
+        ::core::ptr::null_mut()
+    }
+}
+
+impl EntropyCallbackMut for Entropy {
+    unsafe extern "C" fn call_mut(_: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
+        let mut outbuf = from_raw_parts_mut(data, len);
+        write_rng_to_slice(&mut outbuf, rdseed)
+    }
+
+    fn data_ptr_mut(&mut self) -> *mut c_void {
         ::core::ptr::null_mut()
     }
 }
 
 pub struct Nrbg;
 
+impl RngCallbackMut for Nrbg {
+    unsafe extern "C" fn call_mut(_: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
+        // outbuf data/len are stack variables
+        let mut outbuf = from_raw_parts_mut(data, len);
+        
+        // rdrand function is thread safe
+        write_rng_to_slice(&mut outbuf, rdrand)
+    }
+
+    fn data_ptr_mut(&mut self) -> *mut c_void {
+        ::core::ptr::null_mut()
+    }
+}
+
 impl RngCallback for Nrbg {
     unsafe extern "C" fn call(_: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
+        // outbuf data/len are stack variables
         let mut outbuf = from_raw_parts_mut(data, len);
+        
+        // rdrand function is thread safe
         write_rng_to_slice(&mut outbuf, rdrand)
     }
 
-    fn data_ptr(&mut self) -> *mut c_void {
+    fn data_ptr(&self) -> *mut c_void {
         ::core::ptr::null_mut()
     }
 }
+
diff --git a/mbedtls/src/rust_malloc.c b/mbedtls/src/rust_malloc.c
new file mode 100644
index 000000000..a7f051f7a
--- /dev/null
+++ b/mbedtls/src/rust_malloc.c
@@ -0,0 +1,31 @@
+/* Copyright (c) Fortanix, Inc.
+ *
+ * Licensed under the GNU General Public License, version 2 <LICENSE-GPL or
+ * https://www.gnu.org/licenses/gpl-2.0.html> or the Apache License, Version
+ * 2.0 <LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0>, at your
+ * option. This file may not be copied, modified, or distributed except
+ * according to those terms. */
+
+// Follow same pattern for config and alloc/free as everywhere in mbedtls
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+extern void *forward_mbedtls_calloc( size_t n, size_t size ) {
+    return mbedtls_calloc(n, size);
+}
+
+extern void forward_mbedtls_free( void *ptr ) {
+    mbedtls_free(ptr);
+}
+
diff --git a/mbedtls/src/self_test.rs b/mbedtls/src/self_test.rs
index 3a97b2244..940a92cea 100644
--- a/mbedtls/src/self_test.rs
+++ b/mbedtls/src/self_test.rs
@@ -44,20 +44,23 @@ pub unsafe extern "C" fn mbedtls_log(msg: *const c_char) {
     log_f.expect("Called self-test log without enabling self-test")(msg)
 }
 
-// unsafe since unsynchronized
+/// unsafe since unsynchronized
 #[cfg(any(target_os = "none", target_env = "sgx", not(feature = "std")))]
 pub unsafe fn enable(rand: fn() -> c_int, log: unsafe fn(*const c_char)) {
     rand_f = Some(rand);
     log_f = Some(log);
 }
 
-// unsafe since unsynchronized
+/// unsafe since unsynchronized
 #[cfg(any(target_os = "none", target_env = "sgx", not(feature = "std")))]
 pub unsafe fn disable() {
     rand_f = None;
     log_f = None;
 }
 
+/// NOTE: The following functions if used in a multithreaded or async environment will fail.
+///       Self test functions rely on global variables to track operations and anything non-self-test related will stomp over variables.
+///       While using these, make sure no other code uses mbedtls. Multiple self test operations done asynchronously may also return failures.
 pub use mbedtls_sys::{
     aes_self_test as aes, arc4_self_test as arc4, base64_self_test as base64,
     camellia_self_test as camellia, ccm_self_test as ccm, ctr_drbg_self_test as ctr_drbg,
diff --git a/mbedtls/src/ssl/ciphersuites.rs b/mbedtls/src/ssl/ciphersuites.rs
index 20cbeaac8..a0b39df03 100644
--- a/mbedtls/src/ssl/ciphersuites.rs
+++ b/mbedtls/src/ssl/ciphersuites.rs
@@ -9,6 +9,7 @@
 use mbedtls_sys::types::raw_types::c_int;
 use mbedtls_sys::*;
 
+/// Always use into() to convert to i32, do not use 'as i32'. (until issue is fixed: https://github.com/fortanix/rust-mbedtls/issues/129)
 define!(
     #[non_exhaustive]
     #[c_ty(c_int)]
diff --git a/mbedtls/src/ssl/config.rs b/mbedtls/src/ssl/config.rs
index 936d047db..a15f4d710 100644
--- a/mbedtls/src/ssl/config.rs
+++ b/mbedtls/src/ssl/config.rs
@@ -6,20 +6,23 @@
  * option. This file may not be copied, modified, or distributed except
  * according to those terms. */
 
-use core::slice::from_raw_parts;
-
-use mbedtls_sys::types::raw_types::{c_char, c_int, c_uchar, c_uint, c_void};
-use mbedtls_sys::types::size_t;
-use mbedtls_sys::*;
-
-use crate::error::{Error, IntoResult, Result};
-use core::result::Result as StdResult;
-use crate::pk::dhparam::Dhm;
+use crate::error::{Error, Result, IntoResult};
 use crate::pk::Pk;
-use crate::private::UnsafeFrom;
+use crate::rng::RngCallback;
+use mbedtls_sys::*;
+use mbedtls_sys::types::raw_types::{c_int, c_void, c_char, c_uchar, c_uint};
+use std::sync::Arc;
+use crate::x509::Crl;
+use crate::x509::Certificate;
+use crate::x509::VerifyError;
 use crate::ssl::context::HandshakeContext;
+use mbedtls_sys::types::size_t;
+use std::slice::from_raw_parts;
 use crate::ssl::ticket::TicketCallback;
-use crate::x509::{certificate, Crl, LinkedCertificate, Profile, VerifyError};
+use crate::pk::dhparam::Dhm;
+use crate::x509::Profile;
+use crate::private::UnsafeFrom;
+use crate::alloc::{List as MbedtlsList};
 
 extern "C" {
     fn calloc(n: usize, size: usize) -> *mut c_void;
@@ -83,57 +86,147 @@ define!(
     }
 );
 
-callback!(DbgCallback:Sync(level: c_int, file: *const c_char, line: c_int, message: *const c_char) -> ());
+define!(
+    #[c_ty(c_int)]
+    enum Renegotiation {
+        Enabled = SSL_RENEGOTIATION_ENABLED,
+        Disabled = SSL_RENEGOTIATION_DISABLED,
+    }
+);
 
 define!(
-    #[c_ty(ssl_config)]
-    struct Config<'c>;
-    const init: fn() -> Self = ssl_config_init;
-    const drop: fn(&mut Self) = ssl_config_free;
-    impl<'q> Into<ptr> {}
-    impl<'q> UnsafeFrom<ptr> {}
+    // Moving data may cause dangling pointers: https://github.com/ARMmbed/mbedtls/issues/2147
+    // Storing data in heap and forcing rust move to only move the pointer (box) referencing it.
+    #[c_box_ty(ssl_config)]
+    #[repr(C)]
+    struct Config {
+        // Holding reference counters against any structures that ssl_config might hold pointer to.
+        // This allows caller to share structure on multiple configs if needed.
+        own_cert: Vec<Arc<MbedtlsList<Certificate>>>,
+        own_pk: Vec<Arc<Pk>>,
+    
+        ca_cert: Option<Arc<MbedtlsList<Certificate>>>,
+        crl: Option<Arc<Crl>>,
+        
+        // If we are sync we need all members to be sync, as such need to use cfg feature on all callbacks.
+        #[cfg(feature = "threading")]
+        rng: Option<Arc<dyn RngCallback + Send + Sync + 'static>>,
+        #[cfg(not (feature = "threading"))]
+        rng: Option<Arc<dyn RngCallback + 'static>>,
+        
+        ciphersuites: Vec<Arc<Vec<c_int>>>,
+        curves: Option<Arc<Vec<ecp_group_id>>>,
+        
+        #[allow(dead_code)]
+        dhm: Option<Arc<Dhm>>,
+        
+        #[cfg(feature = "threading")]
+        verify_callback: Option<Arc<dyn (Fn(&Certificate, i32, &mut VerifyError) -> Result<()>) + Send + Sync + 'static>>,
+        #[cfg(not (feature = "threading"))]
+        verify_callback: Option<Arc<dyn (Fn(&Certificate, i32, &mut VerifyError) -> Result<()>) + 'static>>,
+        
+        #[cfg(feature = "threading")]
+        dbg_callback: Option<Arc<dyn (Fn(i32, &str, i32, &str) -> ()) + Send + Sync + 'static>>,
+        #[cfg(not (feature = "threading"))]
+        dbg_callback: Option<Arc<dyn (Fn(i32, &str, i32, &str) -> ()) + 'static>>,
+        
+        #[cfg(feature = "threading")]
+        sni_callback: Option<Arc<dyn (Fn(&mut HandshakeContext, &[u8]) -> Result<()>) + Send + Sync + 'static>>,
+        #[cfg(not (feature = "threading"))]
+        sni_callback: Option<Arc<dyn (Fn(&mut HandshakeContext, &[u8]) -> Result<()>) + 'static>>,
+        
+        #[cfg(feature = "threading")]
+        ticket_callback: Option<Arc<dyn TicketCallback + Send + Sync + 'static>>,
+        #[cfg(not (feature = "threading"))]
+        ticket_callback: Option<Arc<dyn TicketCallback + 'static>>,
+        
+        #[cfg(feature = "threading")]
+        ca_callback: Option<Arc<dyn (Fn(&Certificate, &mut ForeignOwnedCertListBuilder) -> Result<()>) + Send + Sync + 'static>>,
+        #[cfg(not (feature = "threading"))]
+        ca_callback: Option<Arc<dyn (Fn(&Certificate, &mut ForeignOwnedCertListBuilder) -> Result<()>) + 'static>>,
+    };
+    impl<'a> Into<ptr> {}
 );
 
 #[cfg(feature = "threading")]
-unsafe impl<'c> Sync for Config<'c> {}
+unsafe impl Sync for Config {}
 
-impl<'c> Config<'c> {
+impl Config {
     pub fn new(e: Endpoint, t: Transport, p: Preset) -> Self {
-        let mut c = Config::init();
+        let mut inner = Box::new(ssl_config::default());
+
         unsafe {
-            ssl_config_defaults(&mut c.inner, e.into(), t.into(), p.into());
+            // This is just a memset to 0.
+            ssl_config_init(&mut *inner);
+
+            // Set default values - after this point we will need ssl_config_free to be called.
+            ssl_config_defaults(&mut *inner, e as c_int, t as c_int, p as c_int);
+        };
+
+        Config {
+            inner,
+            own_cert: vec![],
+            own_pk: vec![],
+            ca_cert: None,
+            crl: None,
+            rng: None,
+            ciphersuites: vec![],
+            curves: None,
+            dhm: None,
+            verify_callback: None,
+            dbg_callback: None,
+            sni_callback: None,
+            ticket_callback: None,
+            ca_callback: None,
         }
-        c
     }
 
-    // need bitfield support getter!(endpoint() -> Endpoint = field endpoint);
-    setter!(set_endpoint(e: Endpoint) = ssl_conf_endpoint);
-    // need bitfield support getter!(transport() -> Transport = field transport);
-    setter!(set_transport(t: Transport) = ssl_conf_transport);
-    // need bitfield support getter!(authmode() -> AuthMode = field authmode);
-    setter!(set_authmode(am: AuthMode) = ssl_conf_authmode);
-    getter!(read_timeout() -> u32 = .read_timeout);
-    setter!(set_read_timeout(t: u32) = ssl_conf_read_timeout);
+    pub fn set_authmode(&mut self, authmode: AuthMode) {
+        unsafe { ssl_conf_authmode(self.into(), authmode as c_int); }
+    }
+
+    pub fn read_timeout(&self) -> u32 {
+        self.inner.read_timeout
+    }
+
+    pub fn set_read_timeout(&mut self, t: u32) {
+        unsafe { ssl_conf_read_timeout(self.into(), t); }
+    }
 
     fn check_c_list<T: Default + Eq>(list: &[T]) {
         assert!(list.last() == Some(&T::default()));
     }
 
-    pub fn set_ciphersuites(&mut self, list: &'c [c_int]) {
-        Self::check_c_list(list);
-        unsafe { ssl_conf_ciphersuites(&mut self.inner, list.as_ptr()) }
+    pub fn set_ciphersuites(&mut self, list: Arc<Vec<c_int>>) {
+        Self::check_c_list(&list);
+
+        unsafe { ssl_conf_ciphersuites(self.into(), list.as_ptr()) }
+        self.ciphersuites.push(list);
     }
 
-    pub fn set_ciphersuites_for_version(&mut self, list: &'c [c_int], major: c_int, minor: c_int) {
-        Self::check_c_list(list);
-        unsafe { ssl_conf_ciphersuites_for_version(&mut self.inner, list.as_ptr(), major, minor) }
+    pub fn set_ciphersuites_for_version(&mut self, list: Arc<Vec<c_int>>, major: c_int, minor: c_int) {
+        Self::check_c_list(&list);
+        unsafe { ssl_conf_ciphersuites_for_version(self.into(), list.as_ptr(), major, minor) }
+        self.ciphersuites.push(list);
     }
 
-    pub fn set_curves(&mut self, list: &'c [ecp_group_id]) {
-        Self::check_c_list(list);
-        unsafe { ssl_conf_curves(&mut self.inner, list.as_ptr()) }
+    pub fn set_curves(&mut self, list: Arc<Vec<ecp_group_id>>) {
+        Self::check_c_list(&list);
+        unsafe { ssl_conf_curves(self.into(), list.as_ptr()) }
+        self.curves = Some(list);
     }
 
+    #[cfg(feature = "threading")]
+    pub fn set_rng<T: RngCallback + Send + Sync + 'static>(&mut self, rng: Arc<T>) {
+        unsafe { ssl_conf_rng(self.into(), Some(T::call), rng.data_ptr()) };
+        self.rng = Some(rng);
+    }
+    #[cfg(not (feature = "threading"))]
+    pub fn set_rng<T: RngCallback + 'static>(&mut self, rng: Arc<T>) {
+        unsafe { ssl_conf_rng(self.into(), Some(T::call), rng.data_ptr()) };
+        self.rng = Some(rng);
+    }
+    
     pub fn set_min_version(&mut self, version: Version) -> Result<()> {
         let minor = match version {
             Version::Ssl3 => 0,
@@ -143,7 +236,7 @@ impl<'c> Config<'c> {
             _ => { return Err(Error::SslBadHsProtocolVersion); }
         };
 
-        unsafe { ssl_conf_min_version(&mut self.inner, 3, minor) };
+        unsafe { ssl_conf_min_version(self.into(), 3, minor) };
         Ok(())
     }
 
@@ -155,186 +248,165 @@ impl<'c> Config<'c> {
             Version::Tls1_2 => 3,
             _ => { return Err(Error::SslBadHsProtocolVersion); }
         };
-        unsafe { ssl_conf_max_version(&mut self.inner, 3, minor) };
+        unsafe { ssl_conf_max_version(self.into(), 3, minor) };
         Ok(())
     }
 
-    setter!(set_cert_profile(p: &'c Profile) = ssl_conf_cert_profile);
+    // Profile as implemented in profile.rs can only point to global variables from mbedtls which would have 'static lifetime
+    pub fn set_cert_profile(&mut self, p: &'static Profile) {
+        unsafe { ssl_conf_cert_profile(self.into(), p.into()) };
+    }
 
     /// Takes both DER and PEM forms of FFDH parameters in `DHParams` format.
     ///
     /// When calling on PEM-encoded data, `params` must be NULL-terminated
     pub fn set_dh_params(&mut self, params: &[u8]) -> Result<()> {
-        let mut ctx = Dhm::from_params(params)?;
+        let dhm = Arc::new(Dhm::from_params(params)?);
         unsafe {
-            ssl_conf_dh_param_ctx(&mut self.inner, (&mut ctx).into())
+            ssl_conf_dh_param_ctx(self.into(), dhm.inner_ffi_mut())
                 .into_result()
-                .map(|_| ())
+                .map(|_| ())?;
         }
+        self.dhm = Some(dhm);
+        Ok(())
     }
 
-    pub fn set_ca_list<C: Into<&'c mut LinkedCertificate>>(
-        &mut self,
-        list: Option<C>,
-        crl: Option<&'c mut Crl>,
-    ) {
-        unsafe {
-            ssl_conf_ca_chain(
-                &mut self.inner,
-                list.map(Into::into)
-                    .map(Into::into)
-                    .unwrap_or(::core::ptr::null_mut()),
-                crl.map(Into::into).unwrap_or(::core::ptr::null_mut()),
-            )
-        }
-    }
+    pub fn set_ca_list(&mut self, ca_cert: Arc<MbedtlsList<Certificate>>, crl: Option<Arc<Crl>>) {
+        // This will override internal pointers to what we provide.
+        
+        unsafe { ssl_conf_ca_chain(self.into(), ca_cert.inner_ffi_mut(), crl.as_ref().map(|crl| crl.inner_ffi_mut()).unwrap_or(::core::ptr::null_mut())); }
 
-    pub fn push_cert<C: Into<&'c mut LinkedCertificate>>(
-        &mut self,
-        chain: C,
-        key: &'c mut Pk,
-    ) -> Result<()> {
-        unsafe {
-            ssl_conf_own_cert(&mut self.inner, chain.into().into(), key.into())
-                .into_result()
-                .map(|_| ())
-        }
+        self.ca_cert = Some(ca_cert);
+        self.crl = crl;        
     }
 
-    pub fn certs(&'c self) -> KeyCertIter<'c> {
-        KeyCertIter {
-            key_cert: unsafe { UnsafeFrom::from(self.inner.key_cert as *const _) },
+    pub fn push_cert(&mut self, own_cert: Arc<MbedtlsList<Certificate>>, own_pk: Arc<Pk>) -> Result<()> {
+        // Need to ensure own_cert/pk_key outlive the config.
+        self.own_cert.push(own_cert.clone());
+        self.own_pk.push(own_pk.clone());
+
+        // This will append pointers to our certificates inside mbedtls
+        unsafe { ssl_conf_own_cert(self.into(), own_cert.inner_ffi_mut(), own_pk.inner_ffi_mut())
+                 .into_result()
+                 .map(|_| ())
         }
     }
-
+    
     /// Server only: configure callback to use for generating/interpreting session tickets.
-    pub fn set_session_tickets_callback<F: TicketCallback>(&mut self, cb: &'c mut F) {
+    pub fn set_session_tickets_callback<T: TicketCallback + Send + Sync + 'static>(&mut self, cb: Arc<T>) {
         unsafe {
             ssl_conf_session_tickets_cb(
-                &mut self.inner,
-                Some(F::call_write),
-                Some(F::call_parse),
+                self.into(),
+                Some(T::call_write),
+                Some(T::call_parse),
                 cb.data_ptr(),
             )
         };
+
+        self.ticket_callback = Some(cb);
     }
 
-    setter!(
-        /// Client only: whether to remember and use session tickets
-        set_session_tickets(u: UseSessionTickets) = ssl_conf_session_tickets
-    );
-
-    setter!(
-        /// Client only: minimal FFDH group size
-        set_ffdh_min_bitlen(bitlen: c_uint) = ssl_conf_dhm_min_bitlen
-    );
-
-    // TODO: The lifetime restrictions on HandshakeContext here are too strict.
-    // Once we need something else, we might fix it.
-    pub fn set_sni_callback<F: FnMut(&mut HandshakeContext, &[u8]) -> StdResult<(), ()>>(
-        &mut self,
-        cb: &'c mut F,
-    ) {
-        unsafe extern "C" fn sni_callback<
-            F: FnMut(&mut HandshakeContext, &[u8]) -> StdResult<(), ()>,
-        >(
-            closure: *mut c_void,
-            ctx: *mut ssl_context,
-            name: *const c_uchar,
-            name_len: size_t,
-        ) -> c_int {
-            let cb = &mut *(closure as *mut F);
-            let mut ctx = UnsafeFrom::from(ctx).expect("valid context");
-            let name = from_raw_parts(name, name_len);
-            match cb(&mut ctx, name) {
-                Ok(()) => 0,
-                Err(()) => -1,
-            }
-        }
+    pub fn set_session_tickets(&mut self, u: UseSessionTickets) {
+        unsafe { ssl_conf_session_tickets(self.into(), u.into()); }
+    }
+
+    pub fn set_renegotiation(&mut self, u: Renegotiation) {
+        unsafe { ssl_conf_renegotiation(self.into(), u.into()); }
+    }
+
+    /// Client only: minimal FFDH group size
+    pub fn set_ffdh_min_bitlen(&mut self, bitlen: c_uint) {
+        unsafe { ssl_conf_dhm_min_bitlen(self.into(), bitlen); }
+    }
+    
+    #[cfg(feature = "threading")]
+    pub fn set_sni_callback<F>(&mut self, cb: F)
+    where
+        F: Fn(&mut HandshakeContext, &[u8]) -> Result<()> + Send + Sync + 'static,
+    {
+        self.sni_callback = Some(Arc::new(cb));
+        unsafe { ssl_conf_sni(self.into(), Some(sni_callback::<F>), &**self.sni_callback.as_mut().unwrap() as *const _ as *mut c_void) }
+    }
 
-        unsafe { ssl_conf_sni(&mut self.inner, Some(sni_callback::<F>), cb as *mut F as _) }
+    #[cfg(not(feature = "threading"))]
+    pub fn set_sni_callback<F>(&mut self, cb: F)
+    where
+        F: Fn(&mut HandshakeContext, &[u8]) -> Result<()> + 'static,
+    {
+        self.sni_callback = Some(Arc::new(cb));
+        unsafe { ssl_conf_sni(self.into(), Some(sni_callback::<F>), &**self.sni_callback.as_mut().unwrap() as *const _ as *mut c_void) }
     }
 
     // The docs for mbedtls_x509_crt_verify say "The [callback] should return 0 for anything but a
     // fatal error.", so verify callbacks should return Ok(()) for anything but a fatal error.
     // Report verification errors by updating the flags in VerifyError.
-    pub fn set_verify_callback<F>(&mut self, cb: &'c mut F)
+    #[cfg(feature = "threading")]
+    pub fn set_verify_callback<F>(&mut self, cb: F)
     where
-        F: FnMut(&mut LinkedCertificate, i32, &mut VerifyError) -> Result<()>,
+        F: Fn(&Certificate, i32, &mut VerifyError) -> Result<()> + Send + Sync + 'static,
     {
-        unsafe extern "C" fn verify_callback<F>(
-            closure: *mut c_void,
-            crt: *mut x509_crt,
-            depth: c_int,
-            flags: *mut u32,
-        ) -> c_int
-        where
-            F: FnMut(&mut LinkedCertificate, i32, &mut VerifyError) -> Result<()>,
-        {
-            let cb = &mut *(closure as *mut F);
-            let crt: &mut LinkedCertificate =
-                UnsafeFrom::from(crt).expect("valid certificate");
-            let mut verify_error = match VerifyError::from_bits(*flags) {
-                Some(ve) => ve,
-                // This can only happen if mbedtls is setting flags in VerifyError that are
-                // missing from our definition.
-                None => return ::mbedtls_sys::ERR_X509_BAD_INPUT_DATA,
-            };
-            let res = cb(crt, depth, &mut verify_error);
-            *flags = verify_error.bits();
-            match res {
-                Ok(()) => 0,
-                Err(e) => e.to_int(),
-            }
-        }
+        self.verify_callback = Some(Arc::new(cb));
+        unsafe { ssl_conf_verify(self.into(), Some(verify_callback::<F>), &**self.verify_callback.as_mut().unwrap() as *const _ as *mut c_void) }
+    }
 
-        unsafe {
-            ssl_conf_verify(
-                &mut self.inner,
-                Some(verify_callback::<F>),
-                cb as *mut F as _,
-            )
-        }
+    #[cfg(not(feature = "threading"))]
+    pub fn set_verify_callback<F>(&mut self, cb: F)
+    where
+        F: Fn(&Certificate, i32, &mut VerifyError) -> Result<()> + 'static,
+    {
+        self.verify_callback = Some(Arc::new(cb));
+        unsafe { ssl_conf_verify(self.into(), Some(verify_callback::<F>), &**self.verify_callback.as_ref().unwrap() as *const _ as *mut c_void) }
     }
 
-    pub fn set_ca_callback<F>(&mut self, cb: &'c mut F)
-        where
-            F: FnMut(&LinkedCertificate, &mut ForeignOwnedCertListBuilder) -> Result<()>,
+    #[cfg(feature = "threading")]
+    pub fn set_ca_callback<F>(&mut self, cb: F)
+    where
+        F: Fn(&Certificate, &mut ForeignOwnedCertListBuilder) -> Result<()> + Send + Sync + 'static,
     {
-        unsafe extern "C" fn ca_callback<F>(
-            closure: *mut c_void,
-            child: *const x509_crt,
-            candidate_cas: *mut *mut x509_crt
-        ) -> c_int
-            where
-                F: FnMut(&LinkedCertificate, &mut ForeignOwnedCertListBuilder) -> Result<()>,
-        {
-            let cb = &mut *(closure as *mut F);
-            let child: &LinkedCertificate = UnsafeFrom::from(child).expect("valid child certificate");
-            let mut cert_builder = ForeignOwnedCertListBuilder::new();
-            match cb(child, &mut cert_builder) {
-                Ok(()) => {
-                    *candidate_cas = cert_builder.to_x509_crt_ptr();
-                    0
-                },
-                Err(e) => e.to_int(),
-            }
-        }
+        self.ca_callback = Some(Arc::new(cb));
+        unsafe { ssl_conf_ca_cb( self.into(), Some(ca_callback::<F>), &**self.ca_callback.as_mut().unwrap() as *const _ as *mut c_void) }
+    }
 
-        unsafe {
-            ssl_conf_ca_cb(
-                &mut self.inner,
-                Some(ca_callback::<F>),
-                cb as *mut F as _,
-            )
-        }
+    #[cfg(not(feature = "threading"))]
+    pub fn set_ca_callback<F>(&mut self, cb: F)
+    where
+        F: Fn(&Certificate, &mut ForeignOwnedCertListBuilder) -> Result<()> + 'static,
+    {
+        self.ca_callback = Some(Arc::new(cb));
+        unsafe { ssl_conf_ca_cb( self.into(), Some(ca_callback::<F>), &**self.ca_callback.as_mut().unwrap() as *const _ as *mut c_void) }
+    }
+
+    #[cfg(feature = "threading")]
+    pub fn set_dbg_callback<F>(&mut self, cb: F)
+    where
+        F: (Fn(i32, &str, i32, &str) -> ()) + Send + Sync + 'static,
+    {
+        self.dbg_callback = Some(Arc::new(cb));
+        unsafe { ssl_conf_dbg(self.into(), Some(dbg_callback::<F>), &**self.dbg_callback.as_mut().unwrap() as *const _ as *mut c_void) }
+    }
+
+    #[cfg(not(feature = "threading"))]
+    pub fn set_dbg_callback<F>(&mut self, cb: F)
+    where
+        F: (Fn(i32, &str, i32, &str) -> ()) + 'static,
+    {
+        self.dbg_callback = Some(Arc::new(cb));
+        unsafe { ssl_conf_dbg(self.into(), Some(dbg_callback::<F>), &**self.dbg_callback.as_mut().unwrap() as *const _ as *mut c_void) }
+    }
+
+}
+
+
+impl Drop for Config {
+    fn drop(&mut self) {
+        unsafe { ssl_config_free(self.into()); }
     }
 }
 
 /// Builds a linked list of x509_crt instances, all of which are owned by mbedtls. That is, the
 /// memory for these certificates has been allocated by mbedtls, on the C heap. This is needed for
 /// situations in which an mbedtls function takes ownership of a list of certs. The problem with
-/// handing such functions a "normal" cert list such as certificate::LinkedCertificate or
+/// handing such functions a "normal" cert list such as certificate::Certificate or
 /// certificate::List, is that those lists (at least partly) consist of memory allocated on the
 /// rust-side and hence cannot be freed on the c-side.
 pub struct ForeignOwnedCertListBuilder {
@@ -354,10 +426,16 @@ impl ForeignOwnedCertListBuilder {
         }
     }
 
-    pub fn push_back(&mut self, cert: &LinkedCertificate) {
+    pub fn push_back(&mut self, cert: &Certificate) {
         self.try_push_back(cert.as_der()).expect("cert is a valid DER-encoded certificate");
     }
 
+    pub fn try_push_back_pem(&mut self, cert: &[u8]) -> Result<()> {
+        // x509_crt_parse will allocate memory for the cert on the C heap
+        unsafe { x509_crt_parse(self.cert_list, cert.as_ptr(), cert.len()) }.into_result()?;
+        Ok(())
+    }
+
     pub fn try_push_back(&mut self, cert: &[u8]) -> Result<()> {
         // x509_crt_parse_der will allocate memory for the cert on the C heap
         unsafe { x509_crt_parse_der(self.cert_list, cert.as_ptr(), cert.len()) }.into_result()?;
@@ -383,33 +461,131 @@ impl Drop for ForeignOwnedCertListBuilder {
     }
 }
 
-setter_callback!(Config<'c>::set_rng(f: crate::rng::Random) = ssl_conf_rng);
-setter_callback!(Config<'c>::set_dbg(f: DbgCallback) = ssl_conf_dbg);
+unsafe extern "C" fn verify_callback<F>(
+    closure: *mut c_void,
+    crt: *mut x509_crt,
+    depth: c_int,
+    flags: *mut u32,
+) -> c_int
+where
+    F: Fn(&Certificate, i32, &mut VerifyError) -> Result<()> + 'static,
+{
+    if crt == ::core::ptr::null_mut() || closure == ::core::ptr::null_mut() || flags == ::core::ptr::null_mut() {
+        return ::mbedtls_sys::ERR_X509_BAD_INPUT_DATA;
+    }
 
-define!(
-    #[c_ty(ssl_key_cert)]
-    struct KeyCert;
-    impl<'a> UnsafeFrom<ptr> {}
-);
+    let cb = &mut *(closure as *mut F);
+    let crt: &mut Certificate = UnsafeFrom::from(crt).expect("valid certificate");
+    
+    let mut verify_error = match VerifyError::from_bits(*flags) {
+        Some(ve) => ve,
+        // This can only happen if mbedtls is setting flags in VerifyError that are
+        // missing from our definition.
+        None => return ::mbedtls_sys::ERR_X509_BAD_INPUT_DATA,
+    };
+    
+    let res = cb(crt, depth, &mut verify_error);
+    *flags = verify_error.bits();
+    match res {
+        Ok(()) => 0,
+        Err(e) => e.to_int(),
+    }
+}
+
+
+unsafe extern "C" fn ca_callback<F>(
+    closure: *mut c_void,
+    child: *const x509_crt,
+    candidate_cas: *mut *mut x509_crt
+) -> c_int
+where
+    F: Fn(&Certificate, &mut ForeignOwnedCertListBuilder) -> Result<()> + 'static,
+{
+    if child == ::core::ptr::null_mut() || closure == ::core::ptr::null_mut() || candidate_cas == ::core::ptr::null_mut() {
+        return ::mbedtls_sys::ERR_X509_BAD_INPUT_DATA;
+    }
+
+    let cb = &mut *(closure as *mut F);
+    let crt: &Certificate = UnsafeFrom::from(child).expect("valid certificate");
+    let mut cert_builder = ForeignOwnedCertListBuilder::new();
+    match cb(&crt, &mut cert_builder) {
+        Ok(()) => {
+            *candidate_cas = cert_builder.to_x509_crt_ptr();
+            0
+        },
+        Err(e) => e.to_int(),
+    }
+}
+
+unsafe extern "C" fn dbg_callback<F>(
+    closure: *mut c_void,
+    level: c_int,
+    file: *const c_char,
+    line: c_int,
+    message: *const c_char
+) -> ()
+where
+    F: (Fn(i32, &str, i32, &str) -> ()) + 'static,
+{
+    if file == ::core::ptr::null_mut() || message == ::core::ptr::null_mut() {
+        return ();
+    }
 
-pub struct KeyCertIter<'a> {
-    key_cert: Option<&'a KeyCert>,
+    let cb = &mut *(closure as *mut F);
+
+    let file = match std::ffi::CStr::from_ptr(file).to_str() {
+        Ok(text) => text,
+        Err(_) => return (),
+    };
+    
+    let message = match std::ffi::CStr::from_ptr(message).to_str() {
+        Ok(text) => text,
+        Err(_) => return (),
+    };
+    
+    
+    cb(level, file, line, message);
 }
 
-impl<'a> Iterator for KeyCertIter<'a> {
-    type Item = (certificate::Iter<'a>, &'a Pk);
+unsafe extern "C" fn sni_callback<F>(
+    closure: *mut c_void,
+    ctx: *mut ssl_context,
+    name: *const c_uchar,
+    name_len: size_t,
+) -> c_int
+where
+    F: Fn(&mut HandshakeContext, &[u8]) -> Result<()> + 'static,
+{
+    // This is called from:
+    //
+    // mbedtls/src/ssl/context.rs           - establish
+    // mbedtls-sys/vendor/library/ssl_tls.c - mbedtls_ssl_handshake
+    // mbedtls-sys/vendor/library/ssl_tls.c - mbedtls_ssl_handshake_step
+    // mbedtls-sys/vendor/library/ssl_srv.c - mbedtls_ssl_handshake_server_step
+    // mbedtls-sys/vendor/library/ssl_srv.c - ssl_parse_client_hello
+    // mbedtls-sys/vendor/library/ssl_srv.c - ssl_parse_servername_ext
+    //
+    // As such:
+    // - The ssl_context is a rust 'Context' structure that we have a mutable reference to via 'establish'
+    // - We can pointer cast to it to allow storing additional objects.
+    //
+    if closure == ::core::ptr::null_mut() || ctx == ::core::ptr::null_mut() || name == ::core::ptr::null_mut() {
+        return ::mbedtls_sys::ERR_X509_BAD_INPUT_DATA;
+    }
 
-    fn next(&mut self) -> Option<Self::Item> {
-        self.key_cert.take().map(|key_cert| unsafe {
-            self.key_cert = UnsafeFrom::from(key_cert.inner.next as *const _);
-            (
-                UnsafeFrom::from(key_cert.inner.cert as *const _).expect("not null"),
-                UnsafeFrom::from(key_cert.inner.key as *const _).expect("not null"),
-            )
-        })
+    let cb = &mut *(closure as *mut F);
+    let context = UnsafeFrom::from(ctx).unwrap();
+    
+    let mut ctx = HandshakeContext::init(context);
+    
+    let name = from_raw_parts(name, name_len);
+    match cb(&mut ctx, name) {
+        Ok(()) => 0,
+        Err(_) => -1,
     }
 }
 
+
 // TODO
 // ssl_conf_export_keys_cb
 // ssl_conf_dtls_cookies
diff --git a/mbedtls/src/ssl/context.rs b/mbedtls/src/ssl/context.rs
index cbc17534a..f9f61c88a 100644
--- a/mbedtls/src/ssl/context.rs
+++ b/mbedtls/src/ssl/context.rs
@@ -6,42 +6,31 @@
  * option. This file may not be copied, modified, or distributed except
  * according to those terms. */
 
-#[cfg(not(feature = "std"))]
-use core_io::{self as io, Read, Write};
-#[cfg(feature = "std")]
-use std::io::{self, Read, Write};
-
 use mbedtls_sys::types::raw_types::{c_int, c_uchar, c_void};
 use mbedtls_sys::types::size_t;
 use mbedtls_sys::*;
-
-use crate::error::{Error, IntoResult, Result};
+use std::io::{Read, Write};
+use crate::error::{Error, Result, IntoResult};
+use std::sync::Arc;
+use crate::ssl::config::{Config, Version, AuthMode};
 use core::result::Result as StdResult;
+use crate::x509::VerifyError;
+use crate::pk::Pk;
+use crate::x509::Crl;
+use std::any::Any;
+use crate::alloc::{List as MbedtlsList};
+use crate::x509::Certificate;
 use crate::private::UnsafeFrom;
-use crate::ssl::config::{AuthMode, Config, Version};
-use crate::x509::{Crl, LinkedCertificate, VerifyError};
 
 pub trait IoCallback {
-    unsafe extern "C" fn call_recv(
-        user_data: *mut c_void,
-        data: *mut c_uchar,
-        len: size_t,
-    ) -> c_int;
-    unsafe extern "C" fn call_send(
-        user_data: *mut c_void,
-        data: *const c_uchar,
-        len: size_t,
-    ) -> c_int;
-
+    unsafe extern "C" fn call_recv(user_data: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int where Self: Sized;
+    unsafe extern "C" fn call_send(user_data: *mut c_void, data: *const c_uchar, len: size_t) -> c_int where Self: Sized;
     fn data_ptr(&mut self) -> *mut c_void;
+    fn as_any(&mut self) -> &mut dyn Any;
 }
 
-impl<IO: Read + Write> IoCallback for IO {
-    unsafe extern "C" fn call_recv(
-        user_data: *mut c_void,
-        data: *mut c_uchar,
-        len: size_t,
-    ) -> c_int {
+impl<IO: Read + Write + 'static> IoCallback for IO {
+    unsafe extern "C" fn call_recv(user_data: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
         let len = if len > (c_int::max_value() as size_t) {
             c_int::max_value() as size_t
         } else {
@@ -53,11 +42,7 @@ impl<IO: Read + Write> IoCallback for IO {
         }
     }
 
-    unsafe extern "C" fn call_send(
-        user_data: *mut c_void,
-        data: *const c_uchar,
-        len: size_t,
-    ) -> c_int {
+    unsafe extern "C" fn call_send(user_data: *mut c_void, data: *const c_uchar, len: size_t) -> c_int {
         let len = if len > (c_int::max_value() as size_t) {
             c_int::max_value() as size_t
         } else {
@@ -72,65 +57,98 @@ impl<IO: Read + Write> IoCallback for IO {
     fn data_ptr(&mut self) -> *mut c_void {
         self as *mut IO as *mut _
     }
+
+    fn as_any(&mut self) -> &mut dyn Any {
+        self
+    }
 }
 
+
 define!(
     #[c_ty(ssl_context)]
-    struct Context<'config>;
-    const init: fn() -> Self = ssl_init;
-    const drop: fn(&mut Self) = ssl_free;
+    #[repr(C)]
+    struct Context {
+        // config is used read-only for mutliple contexts and is immutable once configured.
+        config: Option<Arc<Config>>, 
+
+        // Must be held in heap and pointer to it as pointer is sent to MbedSSL and can't be re-allocated.
+        io: Option<Box<dyn IoCallback>>,
+        
+        handshake_ca_cert: Option<Arc<MbedtlsList<Certificate>>>,
+        handshake_crl: Option<Arc<Crl>>,
+        
+        handshake_cert: Vec<Arc<MbedtlsList<Certificate>>>,
+        handshake_pk: Vec<Arc<Pk>>,
+    };
     impl<'a> Into<ptr> {}
+
+    // Only use this when you know the type you are casting is originally a rust allocated 'Context'.
     impl<'a> UnsafeFrom<ptr> {}
 );
 
-pub struct Session<'ctx> {
-    inner: &'ctx mut ssl_context,
-}
+#[allow(dead_code)]
+impl Context {
+    pub fn new(config: Arc<Config>) -> Self {
+        let mut inner = ssl_context::default();
+        
+        unsafe {
+            ssl_init(&mut inner);
+            ssl_setup(&mut inner, (&*config).into());
+        };
 
-#[cfg(feature = "threading")]
-unsafe impl<'ctx> Send for Session<'ctx> {}
+        Context {
+            inner,
+            config: Some(config.clone()),
+            io: None,
 
-pub struct HandshakeContext<'ctx> {
-    inner: &'ctx mut ssl_context,
-}
-
-impl<'config> Context<'config> {
-    pub fn new(config: &'config Config) -> Result<Context<'config>> {
-        let mut ret = Self::init();
-        unsafe { ssl_setup(&mut ret.inner, config.into()) }
-            .into_result()
-            .map(|_| ret)
+            handshake_ca_cert: None,
+            handshake_crl: None,
+            
+            handshake_cert: vec![],
+            handshake_pk: vec![],
+        }
     }
 
-    pub fn establish<'c, F: IoCallback>(
-        &'c mut self,
-        io: &'c mut F,
-        hostname: Option<&str>,
-    ) -> Result<Session<'c>> {
+    pub fn establish<T: IoCallback + Send + Sync + 'static>(&mut self, io: T, hostname: Option<&str>) -> Result<()> {
+        self.handshake_cert.clear();
+        self.handshake_pk.clear();
+        self.handshake_ca_cert = None;
+        self.handshake_crl = None;
+
         unsafe {
-            ssl_session_reset(&mut self.inner).into_result()?;
+            let mut io = Box::new(io);
+            
+            ssl_session_reset(self.into()).into_result()?;
             self.set_hostname(hostname)?;
 
+            let ptr = &mut *io as *mut _ as *mut c_void;
             ssl_set_bio(
-                &mut self.inner,
-                io.data_ptr(),
-                Some(F::call_send),
-                Some(F::call_recv),
+                self.into(),
+                ptr,
+                Some(T::call_send),
+                Some(T::call_recv),
                 None,
             );
-            match ssl_handshake(&mut self.inner).into_result() {
+
+            self.io = Some(io);
+
+            match ssl_handshake(self.into()).into_result() {
                 Err(e) => {
                     // safely end borrow of io
-                    ssl_set_bio(&mut self.inner, ::core::ptr::null_mut(), None, None, None);
+                    ssl_set_bio(self.into(), ::core::ptr::null_mut(), None, None, None);
+                    self.io = None;
                     Err(e)
+                },
+                Ok(_) => {
+                    Ok(())
                 }
-                Ok(_) => Ok(Session {
-                    inner: &mut self.inner,
-                }),
             }
         }
     }
+}
 
+impl Context {
+    #[allow(dead_code)]
     #[cfg(not(feature = "std"))]
     fn set_hostname(&mut self, hostname: Option<&str>) -> Result<()> {
         match hostname {
@@ -139,16 +157,13 @@ impl<'config> Context<'config> {
         }
     }
 
+    #[allow(dead_code)]
     #[cfg(feature = "std")]
     fn set_hostname(&mut self, hostname: Option<&str>) -> Result<()> {
-        if self.inner.hostname != ::core::ptr::null_mut() {
-            // potential MEMORY LEAK! See https://github.com/ARMmbed/mbedtls/issues/836
-            self.inner.hostname = ::core::ptr::null_mut();
-        }
         if let Some(s) = hostname {
             let cstr = ::std::ffi::CString::new(s).map_err(|_| Error::SslBadInputData)?;
             unsafe {
-                ssl_set_hostname(&mut self.inner, cstr.as_ptr())
+                ssl_set_hostname(self.into(), cstr.as_ptr())
                     .into_result()
                     .map(|_| ())
             }
@@ -158,70 +173,37 @@ impl<'config> Context<'config> {
     }
 
     pub fn verify_result(&self) -> StdResult<(), VerifyError> {
-        match unsafe { ssl_get_verify_result(&self.inner) } {
+        match unsafe { ssl_get_verify_result(self.into()) } {
             0 => Ok(()),
             flags => Err(VerifyError::from_bits_truncate(flags)),
         }
     }
 
-    pub fn config(&self) -> &'config Config {
-        unsafe { UnsafeFrom::from(self.inner.conf).expect("not null") }
-    }
-}
-
-impl<'ctx> HandshakeContext<'ctx> {
-    pub fn set_authmode(&mut self, am: AuthMode) {
-        unsafe { ssl_set_hs_authmode(self.inner, am.into()) }
+    pub fn config(&self) -> &Option<Arc<Config>> {
+        &self.config
     }
-
-    pub fn set_ca_list<C: Into<&'ctx mut LinkedCertificate>>(
-        &mut self,
-        list: Option<C>,
-        crl: Option<&'ctx mut Crl>,
-    ) {
+    
+    #[allow(dead_code)]
+    pub fn close(&mut self) {
         unsafe {
-            ssl_set_hs_ca_chain(
-                self.inner,
-                list.map(Into::into)
-                    .map(Into::into)
-                    .unwrap_or(::core::ptr::null_mut()),
-                crl.map(Into::into).unwrap_or(::core::ptr::null_mut()),
-            )
+            ssl_close_notify(self.into());
+            ssl_set_bio(self.into(), ::core::ptr::null_mut(), None, None, None);
+            self.io = None;
         }
     }
 
-    /// If this is never called, will use the set of private keys and
-    /// certificates configured in the `Config` associated with this `Context`.
-    /// If this is called at least once, all those are ignored and the set
-    /// specified using this function is used.
-    pub fn push_cert<C: Into<&'ctx mut LinkedCertificate>>(
-        &mut self,
-        chain: C,
-        key: &'ctx mut crate::pk::Pk,
-    ) -> Result<()> {
-        unsafe {
-            ssl_set_hs_own_cert(self.inner, chain.into().into(), key.into())
-                .into_result()
-                .map(|_| ())
+    pub fn get_mut_io<T: IoCallback + 'static>(&mut self) -> std::io::Result<&mut T> {
+        match self.io.as_mut() {
+            Some(stream) => {
+                match stream.as_any().downcast_mut::<T>() {
+                    Some(s) => Ok(s),
+                    None => Err(std::io::Error::new(std::io::ErrorKind::NotFound, "Peer kind is not expected")),
+                }
+            }
+            None => Err(std::io::Error::new(std::io::ErrorKind::NotFound, "No peer available")),
         }
     }
-}
-
-impl<'ctx> ::core::ops::Deref for HandshakeContext<'ctx> {
-    type Target = Context<'ctx>;
-
-    fn deref(&self) -> &Context<'ctx> {
-        unsafe { UnsafeFrom::from(&*self.inner as *const _).expect("not null") }
-    }
-}
-
-impl<'ctx> UnsafeFrom<*mut ssl_context> for HandshakeContext<'ctx> {
-    unsafe fn from(ctx: *mut ssl_context) -> Option<HandshakeContext<'ctx>> {
-        ctx.as_mut().map(|ctx| HandshakeContext { inner: ctx })
-    }
-}
-
-impl<'a> Session<'a> {
+    
     /// Return the minor number of the negotiated TLS version
     pub fn minor_version(&self) -> i32 {
         self.inner.minor_ver
@@ -235,7 +217,7 @@ impl<'a> Session<'a> {
     /// Return the number of bytes currently available to read that
     /// are stored in the Session's internal read buffer
     pub fn bytes_available(&self) -> usize {
-        unsafe { ssl_get_bytes_avail(self.inner) }
+        unsafe { ssl_get_bytes_avail(self.into()) }
     }
 
     pub fn version(&self) -> Version {
@@ -251,32 +233,46 @@ impl<'a> Session<'a> {
         }
     }
 
+
+    // Session specific functions
+    
     /// Return the 16-bit ciphersuite identifier.
     /// All assigned ciphersuites are listed by the IANA in
     /// https://www.iana.org/assignments/tls-parameters/tls-parameters.txt
-    pub fn ciphersuite(&self) -> u16 {
+    pub fn ciphersuite(&self) -> Result<u16> {
         if self.inner.session == ::core::ptr::null_mut() {
-            0
-        } else {
-            unsafe { self.inner.session.as_ref().unwrap().ciphersuite as u16 }
+            return Err(Error::SslBadInputData);
         }
+        
+        Ok(unsafe { self.inner.session.as_ref().unwrap().ciphersuite as u16 })
     }
 
-    pub fn peer_cert(&self) -> Option<crate::x509::certificate::Iter> {
-        unsafe { UnsafeFrom::from(ssl_get_peer_cert(self.inner)) }
+    // This makes a copy of the certificate as peer_cert may be destroyed outside our control.
+    pub fn peer_cert(&self) -> Result<Option<&MbedtlsList<Certificate>>> {
+        if self.inner.session == ::core::ptr::null_mut() {
+            return Err(Error::SslBadInputData);
+        }
+
+        unsafe {
+            let peer_cert : &MbedtlsList<Certificate> = UnsafeFrom::from(&((*self.inner.session).peer_cert) as *const *mut x509_crt as *const *const x509_crt).ok_or(Error::SslBadInputData)?;
+            Ok(Some(peer_cert))
+        }
     }
+}
 
-    pub fn verify_result(&self) -> StdResult<(), VerifyError> {
-        match unsafe { ssl_get_verify_result(self.inner) } {
-            0 => Ok(()),
-            flags => Err(VerifyError::from_bits_truncate(flags)),
+impl Drop for Context {
+    fn drop(&mut self) {
+        unsafe {
+            ssl_close_notify(self.into());
+            ssl_set_bio(self.into(), ::core::ptr::null_mut(), None, None, None);
+            ssl_free(self.into());
         }
     }
 }
 
-impl<'a> Read for Session<'a> {
-    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
-        match unsafe { ssl_read(self.inner, buf.as_mut_ptr(), buf.len()).into_result() } {
+impl Read for Context {
+    fn read(&mut self, buf: &mut [u8]) -> std::io::Result<usize> {
+        match unsafe { ssl_read(self.into(), buf.as_mut_ptr(), buf.len()).into_result() } {
             Err(Error::SslPeerCloseNotify) => Ok(0),
             Err(e) => Err(crate::private::error_to_io_error(e)),
             Ok(i) => Ok(i as usize),
@@ -284,29 +280,105 @@ impl<'a> Read for Session<'a> {
     }
 }
 
-impl<'a> Write for Session<'a> {
-    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
-        match unsafe { ssl_write(self.inner, buf.as_ptr(), buf.len()).into_result() } {
+impl Write for Context {
+    fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
+        match unsafe { ssl_write(self.into(), buf.as_ptr(), buf.len()).into_result() } {
             Err(Error::SslPeerCloseNotify) => Ok(0),
             Err(e) => Err(crate::private::error_to_io_error(e)),
             Ok(i) => Ok(i as usize),
         }
     }
 
-    fn flush(&mut self) -> io::Result<()> {
+    fn flush(&mut self) -> std::io::Result<()> {
         Ok(())
     }
 }
 
-impl<'a> Drop for Session<'a> {
-    fn drop(&mut self) {
+
+pub struct HandshakeContext<'ctx> {
+    pub context: &'ctx mut Context,
+}
+
+///
+/// Class exists only during SNI callback that is configured from Config.
+/// SNI Callback must provide input whos lifetime exceed the SNI closure to avoid memory corruptions.
+/// That can be achieved easily by storing certificate chains/crls inside the closure for the lifetime of the closure.
+///
+/// That is due to SNI being held by an Arc inside Config.
+/// Config lives longer then Context. Context lives longer then Handshake.
+///
+/// Alternatives are not possible due to:
+/// - mbedtls not providing any callbacks on handshake finish.
+/// - no reasonable way to obtain a storage within the sni callback tied to the handshake or to the rust Context. (without resorting to a unscalable map or pointer magic that mbedtls may invalidate)
+///
+impl<'ctx> HandshakeContext<'ctx> {
+
+    pub fn init(context: &'ctx mut Context) -> Self {
+        HandshakeContext { context }
+    }
+    
+    pub fn set_authmode(&mut self, am: AuthMode) -> Result<()> {
+        if self.context.inner.handshake as *const _ == ::core::ptr::null() {
+            return Err(Error::SslBadInputData);
+        }
+        
+        unsafe { ssl_set_hs_authmode(self.context.into(), am as i32) }
+        Ok(())
+    }
+
+    /// @warning: chain/crl must live the same as the SNI callback otherwise risk of dangling pointers.
+    pub fn set_ca_list(
+        &mut self,
+        chain: Arc<MbedtlsList<Certificate>>,
+        crl: Option<Arc<Crl>>,
+    ) -> Result<()> {
+        // mbedtls_ssl_set_hs_ca_chain does not check for NULL handshake.
+        if self.context.inner.handshake as *const _ == ::core::ptr::null() {
+            return Err(Error::SslBadInputData);
+        }
+
+        // This will override current handshake CA chain.
         unsafe {
-            ssl_close_notify(self.inner);
-            ssl_set_bio(self.inner, ::core::ptr::null_mut(), None, None, None);
+            ssl_set_hs_ca_chain(
+                self.context.into(),
+                chain.inner_ffi_mut(),
+                crl.as_ref().map(|crl| crl.inner_ffi_mut()).unwrap_or(::core::ptr::null_mut()),
+            );
         }
+
+        self.context.handshake_ca_cert = Some(chain);
+        self.context.handshake_crl = crl;
+        Ok(())
+    }
+
+    /// If this is never called, will use the set of private keys and
+    /// certificates configured in the `Config` associated with this `Context`.
+    /// If this is called at least once, all those are ignored and the set
+    /// specified using this function is used.
+    ///
+    /// @warning: chain/key must live the same as the SNI callback otherwise risk of dangling pointers.
+    pub fn push_cert(
+        &mut self,
+        chain: Arc<MbedtlsList<Certificate>>,
+        key: Arc<Pk>,
+    ) -> Result<()> {
+        // mbedtls_ssl_set_hs_own_cert does not check for NULL handshake.
+        if self.context.inner.handshake as *const _ == ::core::ptr::null() {
+            return Err(Error::SslBadInputData);
+        }
+
+        // This will append provided certificate pointers in internal structures.
+        unsafe {
+            ssl_set_hs_own_cert(self.context.into(), chain.inner_ffi_mut(), key.inner_ffi_mut()).into_result()?;
+        }
+        self.context.handshake_cert.push(chain);
+        self.context.handshake_pk.push(key);
+
+        Ok(())
     }
 }
 
+
 // ssl_get_alpn_protocol
 // ssl_get_max_frag_len
 // ssl_get_record_expansion
diff --git a/mbedtls/src/ssl/mod.rs b/mbedtls/src/ssl/mod.rs
index ea79153b1..430d439ea 100644
--- a/mbedtls/src/ssl/mod.rs
+++ b/mbedtls/src/ssl/mod.rs
@@ -14,8 +14,8 @@ pub mod ticket;
 #[doc(inline)]
 pub use self::ciphersuites::CipherSuite;
 #[doc(inline)]
-pub use self::config::{Config, Version};
+pub use self::config::{Config, Version, UseSessionTickets};
 #[doc(inline)]
-pub use self::context::{Context, HandshakeContext, Session};
+pub use self::context::Context;
 #[doc(inline)]
 pub use self::ticket::TicketContext;
diff --git a/mbedtls/src/ssl/ticket.rs b/mbedtls/src/ssl/ticket.rs
index 77ce26777..8710edf07 100644
--- a/mbedtls/src/ssl/ticket.rs
+++ b/mbedtls/src/ssl/ticket.rs
@@ -11,6 +11,8 @@ use crate::error::{IntoResult, Result};
 use mbedtls_sys::types::raw_types::{c_int, c_uchar, c_void};
 use mbedtls_sys::types::size_t;
 use mbedtls_sys::*;
+use std::sync::Arc;
+use crate::rng::RngCallback;
 
 pub trait TicketCallback {
     unsafe extern "C" fn call_write(
@@ -20,46 +22,58 @@ pub trait TicketCallback {
         end: *const c_uchar,
         tlen: *mut size_t,
         lifetime: *mut u32,
-    ) -> c_int;
+    ) -> c_int where Self: Sized;
     unsafe extern "C" fn call_parse(
         p_ticket: *mut c_void,
         session: *mut ssl_session,
         buf: *mut c_uchar,
         len: size_t,
-    ) -> c_int;
+    ) -> c_int where Self: Sized;
 
-    fn data_ptr(&mut self) -> *mut c_void;
+    fn data_ptr(&self) -> *mut c_void;
 }
 
+
 define!(
-    #[c_ty(ssl_ticket_context)]
-    struct TicketContext<'rng>;
-    const init: fn() -> Self = ssl_ticket_init;
+    #[c_box_ty(ssl_ticket_context)]
+    #[repr(C)]
+    struct TicketContext {
+        // We set rng from constructur, we never read it directly. It is only used to ensure rng lives as long as we need.
+        #[allow(dead_code)]
+        rng: Arc<dyn RngCallback + Send + Sync + 'static>,
+    };
     const drop: fn(&mut Self) = ssl_ticket_free;
+    impl<'a> Into<ptr> {}
 );
 
-impl<'rng> TicketContext<'rng> {
-    pub fn new<F: crate::rng::Random>(
-        rng: &'rng mut F,
+#[cfg(feature = "threading")]
+unsafe impl Sync for TicketContext {}
+
+impl TicketContext {
+    pub fn new<T: RngCallback + Send + Sync + 'static>(
+        rng: Arc<T>,
         cipher: CipherType,
         lifetime: u32,
-    ) -> Result<TicketContext<'rng>> {
-        let mut ret = Self::init();
+    ) -> Result<TicketContext> {
+
+        let mut inner = Box::new(ssl_ticket_context::default());
+        
         unsafe {
+            ssl_ticket_init(&mut *inner);
             ssl_ticket_setup(
-                &mut ret.inner,
-                Some(F::call),
+                &mut *inner,
+                Some(T::call),
                 rng.data_ptr(),
                 cipher.into(),
                 lifetime,
-            )
+            ).into_result()?;
         }
-        .into_result()
-        .map(|_| ret)
+
+        Ok(TicketContext { inner, rng })
     }
 }
 
-impl<'rng> TicketCallback for TicketContext<'rng> {
+impl TicketCallback for TicketContext {
     unsafe extern "C" fn call_write(
         p_ticket: *mut c_void,
         session: *const ssl_session,
@@ -80,7 +94,7 @@ impl<'rng> TicketCallback for TicketContext<'rng> {
         ssl_ticket_parse(p_ticket, session, buf, len)
     }
 
-    fn data_ptr(&mut self) -> *mut c_void {
-        &mut self.inner as *mut _ as *mut _
+    fn data_ptr(&self) -> *mut c_void {
+        self.handle() as *const _ as *mut _
     }
 }
diff --git a/mbedtls/src/wrapper_macros.rs b/mbedtls/src/wrapper_macros.rs
index dba58ea33..b777b1e3c 100644
--- a/mbedtls/src/wrapper_macros.rs
+++ b/mbedtls/src/wrapper_macros.rs
@@ -15,48 +15,90 @@ macro_rules! as_item {
 macro_rules! callback {
     //{ ($($arg:ident: $ty:ty),*) -> $ret:ty } => {
     //};
-    { $n:ident$( : $sync:ident )*($($arg:ident: $ty:ty),*) -> $ret:ty } => {
+    { $n:ident, $m:ident$( : $sync:ident )*($($arg:ident: $ty:ty),*) -> $ret:ty } => {
         #[cfg(not(feature="threading"))]
         pub trait $n {
-            unsafe extern "C" fn call(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret;
+            unsafe extern "C" fn call_mut(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret where Self: Sized;
 
-            fn data_ptr(&mut self) -> *mut ::mbedtls_sys::types::raw_types::c_void;
+            fn data_ptr_mut(&mut self) -> *mut ::mbedtls_sys::types::raw_types::c_void;
         }
 
         #[cfg(feature="threading")]
         pub trait $n $( : $sync )* {
-            unsafe extern "C" fn call(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret;
+            unsafe extern "C" fn call_mut(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret where Self: Sized;
 
-            fn data_ptr(&mut self) -> *mut ::mbedtls_sys::types::raw_types::c_void;
+            fn data_ptr_mut(&mut self) -> *mut ::mbedtls_sys::types::raw_types::c_void;
         }
 
         #[cfg(not(feature="threading"))]
         impl<F> $n for F where F: FnMut($($ty),*) -> $ret {
-            unsafe extern "C" fn call(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret {
+            unsafe extern "C" fn call_mut(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret where Self: Sized {
                 (&mut*(user_data as *mut F))($($arg),*)
             }
 
-            fn data_ptr(&mut self) -> *mut ::mbedtls_sys::types::raw_types::c_void {
+            fn data_ptr_mut(&mut self) -> *mut ::mbedtls_sys::types::raw_types::c_void {
                 self as *mut F as *mut _
             }
         }
 
         #[cfg(feature="threading")]
         impl<F> $n for F where F: Sync + FnMut($($ty),*) -> $ret {
-            unsafe extern "C" fn call(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret {
+            unsafe extern "C" fn call_mut(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret where Self: Sized {
                 (&mut*(user_data as *mut F))($($arg),*)
             }
 
-            fn data_ptr(&mut self) -> *mut ::mbedtls_sys::types::raw_types::c_void {
-                self as *mut F as *mut _
+            fn data_ptr_mut(&mut self) -> *mut ::mbedtls_sys::types::raw_types::c_void {
+                self as *const F as *mut _
+            }
+        }
+
+        #[cfg(not(feature="threading"))]
+        pub trait $m {
+            unsafe extern "C" fn call(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret where Self: Sized;
+            
+            fn data_ptr(&self) -> *mut ::mbedtls_sys::types::raw_types::c_void;
+        }
+
+        #[cfg(feature="threading")]
+        pub trait $m $( : $sync )* {
+            unsafe extern "C" fn call(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret where Self: Sized;
+            
+            fn data_ptr(&self) -> *mut ::mbedtls_sys::types::raw_types::c_void;
+        }
+
+        #[cfg(not(feature="threading"))]
+        impl<F> $m for F where F: $n + Fn($($ty),*) -> $ret {
+            unsafe extern "C" fn call(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret where Self: Sized {
+                (&mut*(user_data as *mut F))($($arg),*)
+            }
+            
+            fn data_ptr(&self) -> *mut ::mbedtls_sys::types::raw_types::c_void {
+                self as *const F as *mut F as *mut _
+            }
+        }
+
+        #[cfg(feature="threading")]
+        impl<F> $m for F where F: $n + Sync + Fn($($ty),*) -> $ret {
+            unsafe extern "C" fn call(user_data: *mut ::mbedtls_sys::types::raw_types::c_void, $($arg:$ty),*) -> $ret where Self: Sized {
+                (&mut*(user_data as *mut F))($($arg),*)
+            }
+
+            fn data_ptr(&self) -> *mut ::mbedtls_sys::types::raw_types::c_void {
+                self as *const F as *mut _
             }
         }
     };
 }
 
 macro_rules! define {
-    { #[c_ty($inner:ident)] $(#[$m:meta])* struct $name:ident$(<$l:tt>)*; $($defs:tt)* } => {
-        define_struct!(define $(#[$m])* struct $name $(lifetime $l)* inner $inner);
+    // When using members, careful with UnsafeFrom, the data casted back must have been allocated on rust side.
+    { #[c_ty($inner:ident)] $(#[$m:meta])* struct $name:ident$(<$l:tt>)* $({ $($(#[$mm:meta])* $member:ident: $member_type:ty,)* })?; $($defs:tt)* } => {
+        define_struct!(define $(#[$m])* struct $name $(lifetime $l)* inner $inner members $($($(#[$mm])* $member: $member_type,)*)*);
+        define_struct!(<< $name $(lifetime $l)* inner $inner >> $($defs)*);
+    };
+    // Do not use UnsafeFrom with 'c_box_ty'. That is currently not supported as its not needed anywhere, support may be added in the future if needed anywhere.
+    { #[c_box_ty($inner:ident)] $(#[$m:meta])* struct $name:ident$(<$l:tt>)* $({ $($(#[$mm:meta])* $member:ident: $member_type:ty,)* })?; $($defs:tt)* } => {
+        define_struct!(define_box $(#[$m])* struct $name $(lifetime $l)* inner $inner members $($($(#[$mm])* $member: $member_type,)*)*);
         define_struct!(<< $name $(lifetime $l)* inner $inner >> $($defs)*);
     };
     {                   #[c_ty($raw:ty)] $(#[$m:meta])* enum $n:ident { $(#[$doc:meta] $rust:ident = $c:ident,)* } } => { define_enum!(                  $(#[$m])* enum $n ty $raw : $(doc ($doc) rust $rust c $c),*); };
@@ -102,13 +144,14 @@ macro_rules! define_enum {
 }
 
 macro_rules! define_struct {
-    { define $(#[$m:meta])* struct $name:ident $(lifetime $l:tt)* inner $inner:ident } => {
+    { define $(#[$m:meta])* struct $name:ident $(lifetime $l:tt)* inner $inner:ident members $($(#[$mm:meta])* $member:ident: $member_type:ty,)* } => {
         as_item!(
         #[allow(dead_code)]
         $(#[$m])*
         pub struct $name<$($l)*> {
             inner: ::mbedtls_sys::$inner,
             $(r: ::core::marker::PhantomData<&$l ()>,)*
+            $($(#[$mm])* $member: $member_type,)*
         }
         );
 
@@ -137,6 +180,36 @@ macro_rules! define_struct {
         );
     };
 
+    { define_box $(#[$m:meta])* struct $name:ident $(lifetime $l:tt)* inner $inner:ident members $($(#[$mm:meta])* $member:ident: $member_type:ty,)* } => {
+        as_item!(
+        #[allow(dead_code)]
+        $(#[$m])*
+        pub struct $name<$($l)*> {
+            inner: Box<::mbedtls_sys::$inner>,
+            $(r: ::core::marker::PhantomData<&$l ()>,)*
+            $($(#[$mm])* $member: $member_type,)*
+        }
+        );
+
+        as_item!(
+        #[allow(dead_code)]
+        impl<$($l)*> $name<$($l)*> {
+            pub(crate) fn handle(&self) -> &::mbedtls_sys::$inner {
+                &*self.inner
+            }
+
+            pub(crate) fn handle_mut(&mut self) -> &mut ::mbedtls_sys::$inner {
+                &mut *self.inner
+            }
+        }
+        );
+
+        as_item!(
+        #[cfg(feature="threading")]
+        unsafe impl<$($l)*> Send for $name<$($l)*> {}
+        );
+    };
+    
     { << $name:ident $(lifetime $l:tt)* inner $inner:ident >> const init: fn() -> Self = $ctor:ident; $($defs:tt)* } => {
         define_struct!(init $name () init $ctor $(lifetime $l)* );
         define_struct!(<< $name $(lifetime $l)* inner $inner >> $($defs)*);
@@ -172,7 +245,7 @@ macro_rules! define_struct {
         as_item!(
         impl<$($l)*> Drop for $name<$($l)*> {
             fn drop(&mut self) {
-                unsafe{::mbedtls_sys::$dtor(&mut self.inner)};
+                unsafe{::mbedtls_sys::$dtor(self.handle_mut())};
             }
         }
         );
@@ -186,7 +259,7 @@ macro_rules! define_struct {
         as_item!(
         impl<$l2,$($l),*> Into<*const $inner> for &$l2 $name<$($l)*> {
             fn into(self) -> *const $inner {
-                &self.inner
+                self.handle()
             }
         }
         );
@@ -194,7 +267,17 @@ macro_rules! define_struct {
         as_item!(
         impl<$l2,$($l),*> Into<*mut $inner> for &$l2 mut $name<$($l)*> {
             fn into(self) -> *mut $inner {
-                &mut self.inner
+                self.handle_mut()
+            }
+        }
+        );
+        as_item!(
+        impl<$($l),*> $name<$($l)*> {
+            /// Needed for compatibility with mbedtls - where we could pass
+            /// `*const` but function signature requires `*mut`
+            #[allow(dead_code)]
+            pub(crate) unsafe fn inner_ffi_mut(&self) -> *mut $inner {
+                self.handle() as *const _ as *mut $inner
             }
         }
         );
@@ -235,24 +318,6 @@ macro_rules! setter {
     }
 }
 
-// can't make this work without as as_XXX! macro, and there is no as_method!...
-macro_rules! setter_callback {
-    { $(#[$m:meta])* $s:ident<$l:tt>::$rfn:ident($n:ident : $($rty:tt)+) = $cfn:ident } => {
-        as_item!(
-        impl<$l> $s<$l> {
-            $(#[$m])*
-            pub fn $rfn<F: $($rty)+>(&mut self, $n: Option<&$l mut F>) {
-                unsafe{::mbedtls_sys::$cfn(
-                    &mut self.inner,
-                    $n.as_ref().map(|_|F::call as _),
-                    $n.map(|f|f.data_ptr()).unwrap_or(::core::ptr::null_mut())
-                )}
-            }
-        }
-        );
-    }
-}
-
 macro_rules! getter {
     { $(#[$m:meta])* $rfn:ident() -> $rty:ty = .$cfield:ident } => {
         $(#[$m])*
diff --git a/mbedtls/src/x509/certificate.rs b/mbedtls/src/x509/certificate.rs
index 65506557f..8a466b35c 100644
--- a/mbedtls/src/x509/certificate.rs
+++ b/mbedtls/src/x509/certificate.rs
@@ -7,25 +7,30 @@
  * according to those terms. */
 
 use core::fmt;
-use core::marker::PhantomData;
-use core::ops::{Deref, DerefMut};
-use core::ptr;
+use core::ptr::NonNull;
+use std::fmt::Debug;
 
+use crate::alloc::{List as MbedtlsList, Box as MbedtlsBox};
 #[cfg(not(feature = "std"))]
 use crate::alloc_prelude::*;
+use crate::error::{Error, IntoResult, Result};
+use crate::hash::Type as MdType;
+use crate::pk::Pk;
+use crate::private::UnsafeFrom;
+use crate::rng::Random;
+use crate::x509::Time;
+use core::iter::FromIterator;
 
-use mbedtls_sys::types::raw_types::c_char;
 use mbedtls_sys::*;
+use mbedtls_sys::types::raw_types::c_char;
+
+extern "C" {
+    pub fn forward_mbedtls_calloc(n: mbedtls_sys::types::size_t, size: mbedtls_sys::types::size_t) -> *mut mbedtls_sys::types::raw_types::c_void;
+}
 
 #[cfg(feature = "std")]
 use yasna::{BERDecodable, BERReader, ASN1Result, ASN1Error, ASN1ErrorKind, models::ObjectIdentifier};
 
-use crate::pk::Pk;
-use crate::error::{Error, IntoResult, Result};
-use crate::private::UnsafeFrom;
-use crate::rng::Random;
-use crate::hash::Type as MdType;
-
 #[derive(Debug,Copy,Clone,Eq,PartialEq)]
 pub enum CertificateVersion {
     V1,
@@ -33,13 +38,6 @@ pub enum CertificateVersion {
     V3
 }
 
-define!(
-    #[c_ty(x509_crt)]
-    struct Certificate;
-    const init: fn() -> Self = x509_crt_init;
-    const drop: fn(&mut Self) = x509_crt_free;
-);
-
 #[cfg(feature = "std")]
 #[derive(Debug, Clone, Eq, PartialEq)]
 pub struct Extension {
@@ -60,92 +58,18 @@ impl BERDecodable for Extension {
     }
 }
 
-impl Certificate {
-    pub fn from_der(der: &[u8]) -> Result<Certificate> {
-        let mut ret = Self::init();
-        unsafe { x509_crt_parse_der(&mut ret.inner, der.as_ptr(), der.len()) }.into_result()?;
-        Ok(ret)
-    }
-
-    /// Input must be NULL-terminated
-    pub fn from_pem(pem: &[u8]) -> Result<Certificate> {
-        let mut ret = Self::init();
-        unsafe { x509_crt_parse(&mut ret.inner, pem.as_ptr(), pem.len()) }.into_result()?;
-        let mut fake = Self::init();
-        ::core::mem::swap(&mut fake.inner.next, &mut ret.inner.next);
-        Ok(ret)
-    }
-
-    /// Input must be NULL-terminated
-    #[cfg(buggy)]
-    pub fn from_pem_multiple(pem: &[u8]) -> Result<Vec<Certificate>> {
-        let mut vec;
-        unsafe {
-            // first, find out how many certificates we're parsing
-            let mut dummy = Certificate::init();
-            x509_crt_parse(&mut dummy.inner, pem.as_ptr(), pem.len()).into_result()?;
-
-            // then allocate enough certs with our allocator
-            vec = Vec::new();
-            let mut cur: *mut _ = &mut dummy.inner;
-            while cur != ::core::ptr::null_mut() {
-                vec.push(Certificate::init());
-                cur = (*cur).next;
-            }
-
-            // link them together, they will become unlinked again when List drops
-            let list = List::from_vec(&mut vec).unwrap();
-
-            // load the data again but into our allocated list
-            x509_crt_parse(&mut list.head.inner, pem.as_ptr(), pem.len()).into_result()?;
-        };
-        Ok(vec)
-    }
-}
-
-impl fmt::Debug for Certificate {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match crate::private::alloc_string_repeat(|buf, size| unsafe {
-            x509_crt_info(buf, size, b"\0".as_ptr() as *const _, &self.inner)
-        }) {
-            Err(_) => Err(fmt::Error),
-            Ok(s) => f.write_str(&s),
-        }
-    }
-}
-
-impl Clone for Certificate {
-    fn clone(&self) -> Certificate {
-        let mut ret = Self::init();
-        unsafe {
-            x509_crt_parse_der(&mut ret.inner, self.inner.raw.p, self.inner.raw.len)
-                .into_result()
-                .unwrap()
-        };
-        ret
-    }
-}
-
-impl Deref for Certificate {
-    type Target = LinkedCertificate;
-    fn deref(&self) -> &LinkedCertificate {
-        unsafe { UnsafeFrom::from(&self.inner as *const _).unwrap() }
-    }
-}
-
-impl DerefMut for Certificate {
-    fn deref_mut(&mut self) -> &mut LinkedCertificate {
-        unsafe { UnsafeFrom::from(&mut self.inner as *mut _).unwrap() }
-    }
-}
 
-#[repr(C)]
-pub struct LinkedCertificate {
-    inner: x509_crt,
-}
+define!(
+    #[c_ty(x509_crt)]
+    #[repr(transparent)]
+    struct Certificate;
+    const drop: fn(&mut Self) = x509_crt_free;
+    impl<'a> Into<ptr> {}
+    impl<'a> UnsafeFrom<ptr> {}
+);
 
 fn x509_buf_to_vec(buf: &x509_buf) -> Vec<u8> {
-    if buf.p == core::ptr::null_mut() || buf.len == 0 {
+    if buf.p.is_null() || buf.len == 0 {
         return vec![];
     }
 
@@ -153,16 +77,46 @@ fn x509_buf_to_vec(buf: &x509_buf) -> Vec<u8> {
     slice.to_owned()
 }
 
-fn x509_time_to_time(tm: &x509_time) -> Result<super::Time> {
+fn x509_time_to_time(tm: &x509_time) -> Result<Time> {
     // ensure casts don't underflow
     if tm.year < 0 || tm.mon < 0 || tm.day < 0 || tm.hour < 0 || tm.min < 0 || tm.sec < 0 {
         return Err(Error::X509InvalidDate);
     }
 
-    super::Time::new(tm.year as u16, tm.mon as u8, tm.day as u8, tm.hour as u8, tm.min as u8, tm.sec as u8).ok_or(Error::X509InvalidDate)
+    Time::new(tm.year as u16, tm.mon as u8, tm.day as u8, tm.hour as u8, tm.min as u8, tm.sec as u8).ok_or(Error::X509InvalidDate)
 }
 
-impl LinkedCertificate {
+
+impl Certificate {
+    pub fn from_der(der: &[u8]) -> Result<MbedtlsBox<Certificate>> {
+        let mut cert = MbedtlsBox::<Certificate>::init()?;
+        unsafe { x509_crt_parse_der((&mut (*cert)).into(), der.as_ptr(), der.len()) }.into_result()?;
+        Ok(cert)
+    }
+
+    /// Input must be NULL-terminated
+    pub fn from_pem(pem: &[u8]) -> Result<MbedtlsBox<Certificate>> {
+        let mut cert = MbedtlsBox::<Certificate>::init()?;
+        unsafe { x509_crt_parse((&mut (*cert)).into(), pem.as_ptr(), pem.len()) }.into_result()?;
+        
+        if !(*cert).inner.next.is_null() {
+            // Use from_pem_multiple for parsing multiple certificates in a pem.
+            return Err(Error::X509BadInputData);
+        }
+
+        Ok(cert)
+    }
+    
+    /// Input must be NULL-terminated
+    pub fn from_pem_multiple(pem: &[u8]) -> Result<MbedtlsList<Certificate>> {
+        let mut cert = MbedtlsBox::<Certificate>::init()?;
+        unsafe { x509_crt_parse((&mut (*cert)).into(), pem.as_ptr(), pem.len()) }.into_result()?;
+
+        let mut list = MbedtlsList::<Certificate>::new();
+        list.push(cert);
+        Ok(list)
+    }
+    
     pub fn check_key_usage(&self, usage: super::KeyUsage) -> bool {
         unsafe { x509_crt_check_key_usage(&self.inner, usage.bits()) }
             .into_result()
@@ -269,20 +223,20 @@ impl LinkedCertificate {
     }
 
     pub fn verify(
-        &mut self,
-        trust_ca: &mut Certificate,
+        chain: &MbedtlsList<Certificate>,
+        trust_ca: &MbedtlsList<Certificate>,
         err_info: Option<&mut String>,
     ) -> Result<()> {
         let mut flags = 0;
         let result = unsafe {
             x509_crt_verify(
-                &mut self.inner,
-                &mut trust_ca.inner,
-                ptr::null_mut(),
-                ptr::null(),
+                chain.inner_ffi_mut(),
+                trust_ca.inner_ffi_mut(),
+                ::core::ptr::null_mut(),
+                ::core::ptr::null(),
                 &mut flags,
                 None,
-                ptr::null_mut(),
+                ::core::ptr::null_mut(),
             )
         }
         .into_result();
@@ -311,7 +265,7 @@ impl LinkedCertificate {
 // x509_crt_parse_path
 //
 
-impl fmt::Debug for LinkedCertificate {
+impl fmt::Debug for Certificate {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         match crate::private::alloc_string_repeat(|buf, size| unsafe {
             x509_crt_info(buf, size, b"\0".as_ptr() as *const _, &self.inner)
@@ -322,171 +276,6 @@ impl fmt::Debug for LinkedCertificate {
     }
 }
 
-impl<'r> Into<*const x509_crt> for &'r LinkedCertificate {
-    fn into(self) -> *const x509_crt {
-        &self.inner
-    }
-}
-
-impl<'r> Into<*mut x509_crt> for &'r mut LinkedCertificate {
-    fn into(self) -> *mut x509_crt {
-        &mut self.inner
-    }
-}
-
-impl<'r> UnsafeFrom<*const x509_crt> for &'r LinkedCertificate {
-    unsafe fn from(ptr: *const x509_crt) -> Option<&'r LinkedCertificate> {
-        (ptr as *const LinkedCertificate).as_ref()
-    }
-}
-
-impl<'r> UnsafeFrom<*mut x509_crt> for &'r mut LinkedCertificate {
-    unsafe fn from(ptr: *mut x509_crt) -> Option<&'r mut LinkedCertificate> {
-        (ptr as *mut LinkedCertificate).as_mut()
-    }
-}
-
-pub struct Iter<'a> {
-    next: *const x509_crt,
-    r: PhantomData<&'a x509_crt>,
-}
-
-impl<'a> Iterator for Iter<'a> {
-    type Item = &'a LinkedCertificate;
-
-    fn next(&mut self) -> Option<&'a LinkedCertificate> {
-        unsafe {
-            match self.next {
-                p if p == ::core::ptr::null() => None,
-                p => {
-                    self.next = (*p).next as *const _;
-                    Some(UnsafeFrom::from(p).unwrap())
-                }
-            }
-        }
-    }
-}
-
-impl<'r> UnsafeFrom<*const x509_crt> for Iter<'r> {
-    unsafe fn from(ptr: *const x509_crt) -> Option<Iter<'r>> {
-        if ptr.is_null() {
-            None
-        } else {
-            Some(Iter {
-                next: ptr,
-                r: PhantomData,
-            })
-        }
-    }
-}
-
-pub struct IterMut<'a> {
-    next: *mut x509_crt,
-    r: PhantomData<&'a mut x509_crt>,
-}
-
-impl<'a> Iterator for IterMut<'a> {
-    type Item = &'a mut LinkedCertificate;
-
-    fn next(&mut self) -> Option<&'a mut LinkedCertificate> {
-        unsafe {
-            match self.next {
-                p if p == ::core::ptr::null_mut() => None,
-                p => {
-                    self.next = (*p).next;
-                    Some(UnsafeFrom::from(p).unwrap())
-                }
-            }
-        }
-    }
-}
-
-impl<'r> UnsafeFrom<*mut x509_crt> for IterMut<'r> {
-    unsafe fn from(ptr: *mut x509_crt) -> Option<IterMut<'r>> {
-        if ptr.is_null() {
-            None
-        } else {
-            Some(IterMut {
-                next: ptr,
-                r: PhantomData,
-            })
-        }
-    }
-}
-
-pub struct List<'c> {
-    head: &'c mut Certificate,
-}
-
-impl<'c> List<'c> {
-    pub fn iter<'i>(&'i self) -> Iter<'i> {
-        unsafe { UnsafeFrom::from(&self.head.inner as *const _).expect("not null") }
-    }
-
-    pub fn iter_mut<'i>(&'i mut self) -> IterMut<'i> {
-        unsafe { UnsafeFrom::from(&mut self.head.inner as *mut _).expect("not null") }
-    }
-
-    pub fn push_front(&mut self, cert: &'c mut Certificate) {
-        assert!(cert.inner.next == ::core::ptr::null_mut());
-        cert.inner.next = &mut self.head.inner;
-        self.head = cert;
-    }
-
-    pub fn push_back(&mut self, cert: &'c mut Certificate) {
-        assert!(cert.inner.next == ::core::ptr::null_mut());
-        for c in self.iter_mut() {
-            if c.inner.next == ::core::ptr::null_mut() {
-                c.inner.next = &mut cert.inner;
-                break;
-            }
-        }
-    }
-
-    pub fn append(&mut self, list: List<'c>) {
-        assert!(list.head.inner.next == ::core::ptr::null_mut());
-        for c in self.iter_mut() {
-            if c.inner.next == ::core::ptr::null_mut() {
-                c.inner.next = &mut list.head.inner;
-                break;
-            }
-        }
-        ::core::mem::forget(list);
-    }
-
-    pub fn from_vec(vec: &'c mut Vec<Certificate>) -> Option<List<'c>> {
-        vec.split_first_mut().map(|(first, rest)| {
-            let mut list = List::from(first);
-            for c in rest {
-                list.push_back(c);
-            }
-            list
-        })
-    }
-}
-
-impl<'c> Drop for List<'c> {
-    fn drop(&mut self) {
-        // we don't own the certificates, we just need to make sure that
-        // x509_crt_free isn't going to try to deallocate our linked certs
-        for c in self.iter_mut() {
-            c.inner.next = ::core::ptr::null_mut();
-        }
-    }
-}
-
-impl<'c> From<&'c mut Certificate> for List<'c> {
-    fn from(cert: &'c mut Certificate) -> List<'c> {
-        List { head: cert }
-    }
-}
-
-impl<'c, 'r> From<&'c mut List<'r>> for &'c mut LinkedCertificate {
-    fn from(list: &'c mut List<'r>) -> &'c mut LinkedCertificate {
-        list.head
-    }
-}
-
 define!(
     #[c_ty(x509write_cert)]
     struct Builder<'a>;
@@ -676,6 +465,287 @@ impl<'a> Builder<'a> {
 // x509write_crt_set_subject_key_identifier
 //
 
+#[cfg(feature = "threading")]
+unsafe impl Send for MbedtlsBox<Certificate> {}
+
+#[cfg(feature = "threading")]
+unsafe impl Sync for MbedtlsBox<Certificate> {}
+
+impl MbedtlsBox<Certificate> {
+    fn init() -> Result<Self> {
+        unsafe {
+            let inner = forward_mbedtls_calloc(1, core::mem::size_of::<x509_crt>()) as *mut x509_crt;
+
+            // If alignment is wrong it means someone pushed their own allocator to mbedtls and that is not functioning correctly.
+            assert_eq!(inner.align_offset(core::mem::align_of::<x509_crt>()), 0);
+
+            let inner = NonNull::new(inner).ok_or(Error::X509AllocFailed)?;
+            x509_crt_init(inner.as_ptr());
+            
+            Ok(MbedtlsBox { inner: inner.cast() })
+        }
+    }
+    
+    fn list_next(&self) -> Option<&MbedtlsBox<Certificate>> {
+        unsafe {
+            <&Option<MbedtlsBox<_>> as UnsafeFrom<_>>::from(&(**self).inner.next).unwrap().as_ref()
+        }
+    }
+
+    fn list_next_mut(&mut self) -> &mut Option<MbedtlsBox<Certificate>> {
+        unsafe {
+            <&mut Option<MbedtlsBox<_>> as UnsafeFrom<_>>::from(&mut(**self).inner.next).unwrap()
+        }
+    }
+}
+
+impl Clone for MbedtlsBox<Certificate> {
+    fn clone(&self) -> MbedtlsBox<Certificate> {
+        unsafe {
+            let len = (**self).inner.raw.len;
+            if len == 0 {
+                // We have a certificate that was never initialized.
+                //
+                // This is not possible from 'mbedtls' side as all certificates are first init then they parse a der/pem.
+                // This is also not possible from rust side as all init() calls are followed by parsing.
+                panic!("Trying to clone an uninitialized certificate.");
+            } else {
+                // We have a certificate that was already created once, failing the re-parse is a possible memory corruption or bad usage of mbedtls internals.
+                Certificate::from_der(std::slice::from_raw_parts((**self).inner.raw.p, len)).expect("Failed re-parsing existing DER")
+            }
+        }
+    }
+}
+
+impl<'a> UnsafeFrom<*const *mut x509_crt> for &'a Option<MbedtlsBox<Certificate>> {
+    unsafe fn from(ptr: *const *mut x509_crt) -> Option<&'a Option<MbedtlsBox<Certificate>>> {
+        (ptr as *const Option<MbedtlsBox<Certificate>>).as_ref()
+    }
+}
+
+impl<'a> UnsafeFrom<*mut *mut x509_crt> for &'a mut Option<MbedtlsBox<Certificate>> {
+    unsafe fn from(ptr: *mut *mut x509_crt) -> Option<&'a mut Option<MbedtlsBox<Certificate>>> {
+        (ptr as *mut Option<MbedtlsBox<Certificate>>).as_mut()
+    }
+}
+
+impl<'a> UnsafeFrom<*const *const x509_crt> for &'a MbedtlsBox<Certificate> {
+    unsafe fn from(ptr: *const *const x509_crt) -> Option<&'a MbedtlsBox<Certificate>> {
+        if ptr.is_null() || (*ptr).is_null() {
+            return None;
+        }
+
+        (ptr as *const MbedtlsBox<Certificate>).as_ref()
+    }
+}
+
+impl<'a> UnsafeFrom<*mut *mut x509_crt> for &'a mut MbedtlsBox<Certificate> {
+    unsafe fn from(ptr: *mut *mut x509_crt) -> Option<&'a mut MbedtlsBox<Certificate>> {
+        if ptr.is_null() || (*ptr).is_null() {
+            return None;
+        }
+
+        (ptr as *mut MbedtlsBox<Certificate>).as_mut()
+    }
+}
+
+#[cfg(feature = "threading")]
+unsafe impl Send for MbedtlsList<Certificate> {}
+
+#[cfg(feature = "threading")]
+unsafe impl Sync for MbedtlsList<Certificate> {}
+
+impl MbedtlsList<Certificate> {
+    pub fn new() -> Self {
+        Self { inner: None }
+    }
+
+    pub fn is_empty(&self) -> bool {
+        self.inner.is_none()
+    }
+    
+    pub fn push(&mut self, certificate: MbedtlsBox<Certificate>) -> () {
+        self.append(MbedtlsList::<Certificate> { inner: Some(certificate) });
+    }
+
+    pub fn pop_back(&mut self) -> Option<MbedtlsBox<Certificate>> {
+        let mut iter = self.iter_mut();
+
+        let mut prev = iter.next()?;
+        for cur in &mut iter {
+            if cur.list_next().is_none() {
+                return prev.list_next_mut().take();
+            }
+            prev = cur;
+        }
+        
+        // no iterations in for loop: head equals tail
+        self.inner.take()
+    }
+
+    
+    pub fn pop_front(&mut self) -> Option<MbedtlsBox<Certificate>> {
+        let mut ret = self.inner.take()?;
+        self.inner = ret.list_next_mut().take();
+        Some(ret)
+    }
+
+
+    pub fn append(&mut self, list: MbedtlsList<Certificate>) {
+        let tail = match self.iter_mut().last() {
+            None => &mut self.inner,
+            Some(last) => last.list_next_mut(),
+        };
+        *tail = list.inner;
+    }
+    
+    pub fn iter(&self) -> Iter<'_> {
+        Iter { next: self.inner.as_ref() }
+    }
+
+    pub fn iter_mut(&mut self) -> IterMut<'_> {
+        IterMut { next: self.inner.as_mut() }
+    }
+
+    pub(crate) unsafe fn inner_ffi_mut(&self) -> *mut x509_crt {
+        self.inner.as_ref().map_or(::core::ptr::null_mut(), |c| c.inner.as_ptr() as *mut x509_crt)
+    }
+}
+
+impl Clone for MbedtlsList<Certificate> {
+    fn clone(&self) -> MbedtlsList<Certificate> {
+        self.iter().cloned().collect()
+    }
+}
+
+impl Into<*const x509_crt> for &MbedtlsList<Certificate> {
+    fn into(self) -> *const x509_crt {
+        self.inner.as_ref().map_or(::core::ptr::null_mut(), |c| c.inner.as_ptr() as *const x509_crt)
+    }
+}
+
+impl Into<*mut x509_crt> for &mut MbedtlsList<Certificate> {
+    fn into(self) -> *mut x509_crt {
+        self.inner.as_ref().map_or(::core::ptr::null_mut(), |c| c.inner.as_ptr() as *mut x509_crt)
+    }
+}
+
+impl<'a> UnsafeFrom<*const *const x509_crt> for &'a MbedtlsList<Certificate> {
+    unsafe fn from(ptr: *const *const x509_crt) -> Option<&'a MbedtlsList<Certificate>> {
+        if ptr == ::core::ptr::null_mut() {
+            return None;
+        }
+        if *ptr == ::core::ptr::null_mut() {
+            return None;
+        }
+        
+        (ptr as *const MbedtlsList<Certificate>).as_ref()
+    }
+}
+
+impl<'a> UnsafeFrom<*mut *mut x509_crt> for &'a mut MbedtlsList<Certificate> {
+    unsafe fn from(ptr: *mut *mut x509_crt) -> Option<&'a mut MbedtlsList<Certificate>> {
+        if ptr == ::core::ptr::null_mut() {
+            return None;
+        }
+        if *ptr == ::core::ptr::null_mut() {
+            return None;
+        }
+
+        (ptr as *mut MbedtlsList<Certificate>).as_mut()
+    }
+}
+
+
+pub struct Iter<'a> {
+    next: Option<&'a MbedtlsBox::<Certificate>>,
+}
+
+impl<'a> Iterator for Iter<'a> {
+    type Item = &'a MbedtlsBox<Certificate>;
+
+    fn next(&mut self) -> Option<&'a MbedtlsBox::<Certificate>> {
+        let ret = self.next.take()?;
+        self.next = ret.list_next();
+        Some(ret)
+    }
+}
+
+pub struct IterMut<'a> {
+    next: Option<&'a mut MbedtlsBox::<Certificate>>,
+}
+
+impl<'a> Iterator for IterMut<'a> {
+    type Item = &'a mut MbedtlsBox<Certificate>;
+
+    fn next(&mut self) -> Option<&'a mut MbedtlsBox::<Certificate>> {
+        let ret = self.next.take()?;
+        unsafe {
+            self.next = <&mut Option<MbedtlsBox<_>> as UnsafeFrom<_>>::from(&mut (**ret).inner.next).and_then(|v| v.as_mut());
+        }
+        Some(ret)
+    }
+}
+
+// Follows same pattern as IntoIter from rust-lang's linked_list.rs
+// - line 108: https://github.com/rust-lang/rust/blob/master/library/alloc/src/collections/linked_list.rs
+pub struct IntoIter {
+    list: MbedtlsList<Certificate>,
+}
+
+impl Iterator for IntoIter {
+    type Item = MbedtlsBox<Certificate>;
+
+    #[inline]
+    fn next(&mut self) -> Option<MbedtlsBox<Certificate>> {
+        self.list.pop_front()
+    }
+}
+
+impl IntoIterator for MbedtlsList<Certificate> {
+    type Item = MbedtlsBox<Certificate>;
+    type IntoIter = IntoIter;
+
+    /// Consumes the list into an iterator yielding elements by value.
+    #[inline]
+    fn into_iter(self) -> IntoIter {
+        IntoIter { list: self }
+    }
+}
+
+impl<'a> IntoIterator for &'a MbedtlsList<Certificate> {
+    type Item = &'a MbedtlsBox::<Certificate>;
+    type IntoIter = Iter<'a>;
+
+    fn into_iter(self) -> Iter<'a> {
+        self.iter()
+    }
+}
+
+impl<'a> IntoIterator for &'a mut MbedtlsList<Certificate> {
+    type Item = &'a mut MbedtlsBox<Certificate>;
+    type IntoIter = IterMut<'a>;
+
+    fn into_iter(self) -> IterMut<'a> {
+        self.iter_mut()
+    }
+}
+
+impl FromIterator<MbedtlsBox::<Certificate>> for MbedtlsList<Certificate> {
+    fn from_iter<I: IntoIterator<Item = MbedtlsBox::<Certificate>>>(iter: I) -> Self {
+        let mut list = Self::new();
+        list.extend(iter);
+        list
+    }
+}
+
+impl Extend<MbedtlsBox::<Certificate>> for MbedtlsList<Certificate> {
+    fn extend<I: IntoIterator<Item = MbedtlsBox::<Certificate>>>(&mut self, iter: I) {
+        iter.into_iter().for_each(move |elt| self.push(elt));
+    }
+}
+
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -694,8 +764,6 @@ mod tests {
         }
 
         fn builder<'a>(&'a mut self) -> Builder<'a> {
-            use crate::x509::Time;
-
             let mut b = Builder::new();
             b.subject_key(&mut self.key1)
                 .subject_with_nul("CN=mbedtls.example\0")
@@ -805,9 +873,8 @@ JS7pkcufTIoN0Yj0SxAWLW711FgB
         assert_eq!(output, TEST_PEM);
     }
 
-    #[test]
-    fn cert_field_access() {
-        const TEST_CERT_PEM: &'static str = "-----BEGIN CERTIFICATE-----
+    
+    const TEST_CERT_PEM: &'static str = "-----BEGIN CERTIFICATE-----
 MIIDLDCCAhSgAwIBAgIRALY0SS5pY9Yb/aIHvSAvmOswDQYJKoZIhvcNAQELBQAw
 HzEQMA4GA1UEAxMHVGVzdCBDQTELMAkGA1UEBhMCVVMwHhcNMTkwMTA4MDAxODM1
 WhcNMjkwMTA1MDAxODM1WjAjMRIwEAYDVQQDEwlUZXN0IENlcnQxDTALBgNVBAoT
@@ -827,8 +894,10 @@ lWyWBGzVgSbzripmaAzMyKrsvmgPpfx5aE7zP2QVOzGXE/QuoXqj/bmblNlUZu11
 cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
 -----END CERTIFICATE-----\0";
 
-        let cert = Certificate::from_pem(&TEST_CERT_PEM.as_bytes()).unwrap();
-
+    #[test]
+    fn cert_field_access() {
+        let cert = Certificate::from_pem(TEST_CERT_PEM.as_bytes()).unwrap();
+        
         assert_eq!(cert.version().unwrap(), CertificateVersion::V3);
         assert_eq!(cert.issuer().unwrap(), "CN=Test CA, C=US");
         assert_eq!(cert.subject().unwrap(), "CN=Test Cert, O=Test");
@@ -844,7 +913,6 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
         assert_eq!(hex::encode(cert.signature().unwrap()), "4a4b2638e636a0c0121b0334e04b342ac17b178b1a3000d5dc84c0612941519e3ac99da72823809e643f9d1c0ff7ca2734c63974215879f6286532d43b0da6086fb212a96c8f573de4230c9ab3ae09d621719d2e35b3e91963d5e763a273f0e25d6bbc5fcd0cd7ace688821df1724fb3956c96046cd58126f3ae2a66680cccc8aaecbe680fa5fc79684ef33f64153b319713f42ea17aa3fdb99b94d95466ed75e572789d2c7388a49d35a6590429fe9b6959896e8658aee276f3474ff315051e6633be236d2acf552164ea6936122f9d718a746c7fd170f4c2d19f996aa49632d7f146b93adcc25017d117a4309dbd045c4cc0fd0fce4326b30a9fc6ae9aad0c");
         assert_eq!(hex::encode(cert.extensions_raw().unwrap()), "30819f30210603551d0e041a04186839fad57e6544121cc6bc421953cc9620655c57cfac060230320603551d11042b302981117465737440666f7274616e69782e636f6d82146578616d706c652e666f7274616e69782e636f6d300c0603551d130101ff0402300030230603551d23041c301a801879076bcc8da0077e4116f84b8e4c9c5c6af7ec4fa000d98730130603551d25040c300a06082b06010505070302");
 
-        use crate::x509::Time;
         assert_eq!(cert.not_before().unwrap(), Time::new(2019,1,8,0,18,35).unwrap());
         assert_eq!(cert.not_after().unwrap(), Time::new(2029,1,5,0,18,35).unwrap());
 
@@ -902,8 +970,11 @@ lWyWBGzVgSbzripmaAzMyKrsvmgPpfx5aE7zP2QVOzGXE/QuoXqj/bmblNlUZu11
 cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
 -----END CERTIFICATE-----\0";
 
-        let cert = Certificate::from_pem(&TEST_CERT_PEM.as_bytes()).unwrap();
+        let list = Certificate::from_pem_multiple(&TEST_CERT_PEM.as_bytes()).unwrap();
 
+        let mut iter = list.iter();
+        let cert = iter.next().unwrap();
+        
         let pk = cert.public_key();
 
         assert_eq!(pk.pk_type(), crate::pk::Type::Rsa);
@@ -935,28 +1006,492 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
         const C_INT2: &'static str = concat!(include_str!("../../tests/data/chain-int2.crt"),"\0");
         const C_ROOT: &'static str = concat!(include_str!("../../tests/data/chain-root.crt"),"\0");
 
-        let mut c_leaf = Certificate::from_pem(C_LEAF.as_bytes()).unwrap();
-        let mut c_int1 = Certificate::from_pem(C_INT1.as_bytes()).unwrap();
-        let mut c_int2 = Certificate::from_pem(C_INT2.as_bytes()).unwrap();
-        let mut c_root = Certificate::from_pem(C_ROOT.as_bytes()).unwrap();
-
+        let c_leaf = Certificate::from_pem(C_LEAF.as_bytes()).unwrap();
+        let c_int1 = Certificate::from_pem(C_INT1.as_bytes()).unwrap();
+        let c_int2 = Certificate::from_pem(C_INT2.as_bytes()).unwrap();
+        let mut c_root = Certificate::from_pem_multiple(C_ROOT.as_bytes()).unwrap();
+        
         {
-            let mut chain = List::from(&mut c_leaf);
-            chain.push_back(&mut c_int1);
+            let mut chain = MbedtlsList::<Certificate>::new();
+            chain.push(c_leaf.clone());
+            chain.push(c_int1.clone());
 
-            // incomplete chain
-            let err = LinkedCertificate::verify((&mut chain).into(), &mut c_root, None).unwrap_err();
+            let err = Certificate::verify(&chain, &mut c_root, None).unwrap_err();
             assert_eq!(err, Error::X509CertVerifyFailed);
 
             // try again after fixing the chain
-            chain.push_back(&mut c_int2);
-            LinkedCertificate::verify((&mut chain).into(), &mut c_root, None).unwrap();
+            chain.push(c_int2.clone());
+            Certificate::verify(&chain, &mut c_root, None).unwrap();
+        }
+
+        {
+            let mut chain = MbedtlsList::<Certificate>::new();
+            chain.push(c_leaf.clone());
+            chain.push(c_int1.clone());
+            chain.push(c_int2.clone());
+
+            Certificate::verify(&chain, &mut c_root, None).unwrap();
+        }
+    }
+
+    
+    
+    #[test]
+    fn clone_test() {
+        let cert_chain = Certificate::from_pem(TEST_CERT_PEM.as_bytes()).unwrap();
+
+        let mut chain = MbedtlsList::<Certificate>::new();
+        chain.push(cert_chain.clone());
+        chain.push(cert_chain.clone());
+        chain.push(cert_chain);
+        
+        let clone = chain.clone();
+        let mut it = clone.iter();
+
+        assert!(it.next().is_some());
+        assert!(it.next().is_some());
+        assert!(it.next().is_some());
+        assert!(it.next().is_none());
+        assert!(it.next().is_none());
+
+        let mut it = chain.iter();
+        assert!(it.next().is_some());
+        assert!(it.next().is_some());
+        assert!(it.next().is_some());
+        assert!(it.next().is_none());
+        assert!(it.next().is_none());
+    }
+
+
+    #[test]
+    fn list_pop_back_test() {
+        const C_LEAF: &'static str = concat!(include_str!("../../tests/data/chain-leaf.crt"),"\0");
+        const C_INT1: &'static str = concat!(include_str!("../../tests/data/chain-int1.crt"),"\0");
+        const C_INT2: &'static str = concat!(include_str!("../../tests/data/chain-int2.crt"),"\0");
+
+        let mut chain = MbedtlsList::<Certificate>::new();
+
+        let c1 = Certificate::from_pem_multiple(C_LEAF.as_bytes()).unwrap();
+        let c2 = Certificate::from_pem_multiple(C_INT1.as_bytes()).unwrap();
+        let c3 = Certificate::from_pem_multiple(C_INT2.as_bytes()).unwrap();
+
+        // Using debug strings so failing unit tests can identify any issue with contents.
+        let c1_info = format!("{:?}", c1.iter().next().unwrap());
+        let c2_info = format!("{:?}", c2.iter().next().unwrap());
+        let c3_info = format!("{:?}", c3.iter().next().unwrap());
+        
+        chain.append(c1.clone());
+        chain.append(c2.clone());
+        chain.append(c3.clone());
+
+        {
+            let mut it = chain.iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+
+        assert_eq!(c3_info, format!("{:?}", chain.pop_back().unwrap()));
+        {
+            let mut it = chain.iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+        
+        chain.append(c3.clone());
+        chain.append(c1.clone());
+        {
+            let mut it = chain.iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+
+        assert_eq!(c1_info, format!("{:?}", chain.pop_back().unwrap()));
+        assert_eq!(c3_info, format!("{:?}", chain.pop_back().unwrap()));
+        assert_eq!(c2_info, format!("{:?}", chain.pop_back().unwrap()));
+
+        {
+            let mut it = chain.iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+
+        assert_eq!(c1_info, format!("{:?}", chain.pop_back().unwrap()));
+
+        {
+            let mut it = chain.iter();
+            assert!(it.next().is_none());
+        }
+        
+        assert!(chain.pop_back().is_none());
+        {
+            let mut it = chain.iter();
+            assert!(it.next().is_none());
+        }
+
+        chain.append(c3.clone());
+        chain.append(c1.clone());
+        {
+            let mut it = chain.iter();
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+    }
+
+
+    #[test]
+    fn list_pop_front_test() {
+        const C_LEAF: &'static str = concat!(include_str!("../../tests/data/chain-leaf.crt"),"\0");
+        const C_INT1: &'static str = concat!(include_str!("../../tests/data/chain-int1.crt"),"\0");
+        const C_INT2: &'static str = concat!(include_str!("../../tests/data/chain-int2.crt"),"\0");
+
+        let mut chain = MbedtlsList::<Certificate>::new();
+
+        let c1 = Certificate::from_pem(C_LEAF.as_bytes()).unwrap();
+        let c2 = Certificate::from_pem(C_INT1.as_bytes()).unwrap();
+        let c3 = Certificate::from_pem(C_INT2.as_bytes()).unwrap();
+
+        // Using debug strings so failing unit tests can identify any issue with contents.
+        let c1_info = format!("{:?}", c1);
+        let c2_info = format!("{:?}", c2);
+        let c3_info = format!("{:?}", c3);
+        
+        chain.push(c1.clone());
+        chain.push(c2.clone());
+        chain.push(c3.clone());
+
+        {
+            let mut it = chain.iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
         }
 
-        #[cfg(feature = "std")]
+        assert_eq!(c1_info, format!("{:?}", chain.pop_front().unwrap()));
         {
-            let mut chain = vec![c_leaf, c_int1, c_int2];
-            LinkedCertificate::verify((&mut List::from_vec(&mut chain).unwrap()).into(), &mut c_root, None).unwrap();
+            let mut it = chain.iter();
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+        
+        chain.push(c3.clone());
+        chain.push(c1.clone());
+        {
+            let mut it = chain.iter();
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+
+        assert_eq!(c2_info, format!("{:?}", chain.pop_front().unwrap()));
+        assert_eq!(c3_info, format!("{:?}", chain.pop_front().unwrap()));
+        assert_eq!(c3_info, format!("{:?}", chain.pop_front().unwrap()));
+
+        {
+            let mut it = chain.iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+
+        assert_eq!(c1_info, format!("{:?}", chain.pop_front().unwrap()));
+
+        {
+            let mut it = chain.iter();
+            assert!(it.next().is_none());
+        }
+        
+        assert!(chain.pop_front().is_none());
+        {
+            let mut it = chain.iter();
+            assert!(it.next().is_none());
+        }
+
+        chain.push(c3.clone());
+        chain.push(c1.clone());
+        {
+            let mut it = chain.iter();
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
         }
     }
+
+
+    #[test]
+    fn list_clone_test1() {
+        const C_LEAF: &'static str = concat!(include_str!("../../tests/data/chain-leaf.crt"),"\0");
+        const C_INT1: &'static str = concat!(include_str!("../../tests/data/chain-int1.crt"),"\0");
+        const C_INT2: &'static str = concat!(include_str!("../../tests/data/chain-int2.crt"),"\0");
+
+        let mut chain = MbedtlsList::<Certificate>::new();
+
+        let c1 = Certificate::from_pem_multiple(C_LEAF.as_bytes()).unwrap();
+        let c2 = Certificate::from_pem_multiple(C_INT1.as_bytes()).unwrap();
+        let c3 = Certificate::from_pem_multiple(C_INT2.as_bytes()).unwrap();
+
+        // Using debug strings so failing unit tests can identify any issue with contents.
+        let c1_info = format!("{:?}", c1.iter().next().unwrap());
+        let c2_info = format!("{:?}", c2.iter().next().unwrap());
+        let c3_info = format!("{:?}", c3.iter().next().unwrap());
+
+        println!("c1: {:?}", c1_info);
+        println!("c2: {:?}", c2_info);
+        println!("c3: {:?}", c3_info);
+        
+        chain.append(c1.clone());
+        chain.append(c2.clone());
+        chain.append(c3.clone());
+
+        chain.append(chain.clone());
+        {
+            let it_clone = chain.clone();
+            let mut it = it_clone.iter();
+
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+
+            assert!(it.next().is_none());
+            assert!(it.next().is_none());
+            assert!(it.next().is_none());
+        }
+    }
+
+    #[test]
+    fn list_into_iter() {
+        const C_LEAF: &'static str = concat!(include_str!("../../tests/data/chain-leaf.crt"),"\0");
+        const C_INT1: &'static str = concat!(include_str!("../../tests/data/chain-int1.crt"),"\0");
+        const C_INT2: &'static str = concat!(include_str!("../../tests/data/chain-int2.crt"),"\0");
+
+        let mut chain = MbedtlsList::<Certificate>::new();
+
+        let c1 = Certificate::from_pem_multiple(C_LEAF.as_bytes()).unwrap();
+        let c2 = Certificate::from_pem_multiple(C_INT1.as_bytes()).unwrap();
+        let c3 = Certificate::from_pem_multiple(C_INT2.as_bytes()).unwrap();
+
+        // Using debug strings so failing unit tests can identify any issue with contents.
+        let c1_info = format!("{:?}", c1.iter().next().unwrap());
+        let c2_info = format!("{:?}", c2.iter().next().unwrap());
+        let c3_info = format!("{:?}", c3.iter().next().unwrap());
+
+        println!("c1: {:?}", c1_info);
+        println!("c2: {:?}", c2_info);
+        println!("c3: {:?}", c3_info);
+        
+        chain.append(c1.clone());
+        chain.append(c2.clone());
+        chain.append(c3.clone());
+
+        {
+            let mut it = chain.clone().into_iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+
+        let clone = chain.clone();
+        
+        {
+            let mut it = chain.into_iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+
+        {
+            let mut it = clone.into_iter();
+            assert_eq!(c1_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c2_info, format!("{:?}", it.next().unwrap()));
+            assert_eq!(c3_info, format!("{:?}", it.next().unwrap()));
+            assert!(it.next().is_none());
+        }
+    }
+
+
+    #[test]
+    fn empty_certificate_test() {
+        let mut x : x509_crt = Default::default();
+        let mut ptr : *mut x509_crt = &mut x as *mut _;
+        let cert : &mut MbedtlsBox<Certificate> = unsafe { UnsafeFrom::from(&mut ptr as *mut *mut x509_crt).unwrap() };
+
+        // now try all functions on a default empty certificate.
+
+        assert_eq!(cert.digest_type(), MdType::None);
+        assert_eq!(cert.signature().unwrap(), vec![]);
+        cert.extensions().unwrap_err();
+        assert_eq!(cert.extensions_raw().unwrap(), vec![]);
+        cert.not_after().unwrap_err();
+        cert.not_before().unwrap_err();
+        cert.version().unwrap_err();
+
+        {
+            let pk = cert.public_key_mut();
+            
+            assert_eq!(pk.pk_type(), crate::pk::Type::None);
+            pk.rsa_public_exponent().unwrap_err();
+            
+            let pk_const = cert.public_key();
+            assert_eq!(pk_const.pk_type(), crate::pk::Type::None);
+            pk_const.rsa_public_exponent().unwrap_err();
+
+        }
+
+        assert_eq!(cert.serial_raw().unwrap(), vec![]);
+        assert_eq!(cert.serial().unwrap(), "");
+        assert_eq!(cert.subject_raw().unwrap(), vec![]);
+        assert_eq!(cert.subject().unwrap(), "");
+        assert_eq!(cert.issuer_raw().unwrap(), vec![]);
+        assert_eq!(cert.issuer().unwrap(), "");
+        
+        let usage_oid : Vec::<c_char> = vec![];
+        assert_eq!(cert.check_extended_key_usage(&usage_oid), true);
+
+        let key_usage = crate::x509::KeyUsage::DIGITAL_SIGNATURE;
+        assert_eq!(cert.check_key_usage(key_usage), true);
+    }
+
+    #[test]
+    fn unsafefrom_ptr_checks_test() {
+        let mut ptr : *mut x509_crt = ::core::ptr::null_mut() as *mut x509_crt;
+        let ptr_test : *mut *mut x509_crt = &mut ptr as *mut *mut x509_crt;
+
+        let option = unsafe {
+            <&mut Option<MbedtlsBox<_>> as UnsafeFrom<_>>::from(ptr_test).unwrap()
+        };
+        assert!(option.is_none());
+        
+        let cert : Option<&mut MbedtlsBox<Certificate>> = unsafe { UnsafeFrom::from(ptr_test) };
+        assert!(cert.is_none());
+        
+        let cert_list : Option<&mut MbedtlsList<Certificate>> = unsafe { UnsafeFrom::from(ptr_test) };
+        assert!(cert_list.is_none());
+
+
+        let ptr_test : *mut *mut x509_crt = ::core::ptr::null_mut() as *mut *mut x509_crt;
+        let cert : Option<&mut MbedtlsBox<Certificate>> = unsafe { UnsafeFrom::from(ptr_test) };
+        assert!(cert.is_none());
+
+        let cert_list : Option<&mut MbedtlsList<Certificate>> = unsafe { UnsafeFrom::from(ptr_test) };
+        assert!(cert_list.is_none());
+
+
+        
+    }
+
+    #[test]
+    fn mbedtls_list_to_box_iter_clone() {
+        const C_LEAF: &'static str = concat!(include_str!("../../tests/data/chain-leaf.crt"),"\0");
+        const C_INT1: &'static str = concat!(include_str!("../../tests/data/chain-int1.crt"),"\0");
+        const C_INT2: &'static str = concat!(include_str!("../../tests/data/chain-int2.crt"),"\0");
+
+        let mut chain = MbedtlsList::<Certificate>::new();
+
+        let c1 = Certificate::from_pem(C_LEAF.as_bytes()).unwrap();
+        let c2 = Certificate::from_pem(C_INT1.as_bytes()).unwrap();
+        let c3 = Certificate::from_pem(C_INT2.as_bytes()).unwrap();
+
+        // Using debug strings so failing unit tests can identify any issue with contents.
+        let c1_info = format!("{:?}", c1);
+        
+        chain.push(c1.clone());
+        chain.push(c2.clone());
+        chain.push(c3.clone());
+
+        let cert : &MbedtlsBox::<Certificate> = chain.iter().next().unwrap();
+
+        // First item reference within a list of 3 elements still has next set.
+        assert_ne!((**cert).inner.next, ::core::ptr::null_mut());
+        assert_eq!(c1_info, format!("{:?}", cert));
+
+        let cert = cert.clone();
+
+        // Cloning it strips it away from the list and forces the next to be null
+        assert_eq!((*cert).inner.next, ::core::ptr::null_mut());
+        assert_eq!(c1_info, format!("{:?}", cert));
+
+        
+        let cert = chain.clone().into_iter().next().unwrap();
+
+        // Using into_iter and extracting a certificate must have its next set to null
+        assert_eq!((*cert).inner.next, ::core::ptr::null_mut());
+        assert_eq!(c1_info, format!("{:?}", cert));
+    }
+
+    #[test]
+    fn mbedtls_list_into_test() {
+        const C_LEAF: &'static str = concat!(include_str!("../../tests/data/chain-leaf.crt"),"\0");
+
+        let mut chain = MbedtlsList::<Certificate>::new();
+
+        let ptr : *const x509_crt = (&chain).into();
+        assert_eq!(ptr, ::core::ptr::null());
+
+        let ptr : *mut x509_crt = (&mut chain).into();
+        assert_eq!(ptr, ::core::ptr::null_mut());
+
+        let c1 = Certificate::from_pem(C_LEAF.as_bytes()).unwrap();
+
+        // Using debug strings so failing unit tests can identify any issue with contents.
+        let c1_info = format!("{:?}", *c1);
+        chain.push(c1.clone());
+
+        let ptr : *const x509_crt = (&chain).into();
+        assert_ne!(ptr, ::core::ptr::null());
+
+        let cert : &Certificate = unsafe { UnsafeFrom::from(ptr).unwrap() };
+        assert_eq!(c1_info, format!("{:?}", cert));
+        
+        let ptr : *mut x509_crt = (&mut chain).into();
+        assert_ne!(ptr, ::core::ptr::null_mut());
+
+        let cert : &mut Certificate = unsafe { UnsafeFrom::from(ptr).unwrap() };
+        assert_eq!(c1_info, format!("{:?}", cert));
+    }
+
+    #[test]
+    fn mbedtls_new_iter_test() {
+        const C_LEAF: &'static str = concat!(include_str!("../../tests/data/chain-leaf.crt"),"\0");
+        const C_INT1: &'static str = concat!(include_str!("../../tests/data/chain-int1.crt"),"\0");
+        const C_INT2: &'static str = concat!(include_str!("../../tests/data/chain-int2.crt"),"\0");
+
+        let mut chain = MbedtlsList::<Certificate>::new();
+
+        let c1 = Certificate::from_pem(C_LEAF.as_bytes()).unwrap();
+        let c2 = Certificate::from_pem(C_INT1.as_bytes()).unwrap();
+        let c3 = Certificate::from_pem(C_INT2.as_bytes()).unwrap();
+        
+        chain.push(c1.clone());
+        chain.push(c2.clone());
+        chain.push(c3.clone());
+
+        println!("{:?}", chain.pop_back());
+        println!("{:?}", chain.pop_back());
+        println!("{:?}", chain.pop_back());
+        println!("{:?}", chain.pop_back());
+        
+        /*loop {
+            match (it.next(), it.peek()) {
+                (Some(cur), Some(next)) => println!("- {:?} {:?}", format!("{:?}", cur), format!("{:?}", next)),
+                (Some(cur), None) => println!("- last {:?}", format!("{:?}", cur)),
+                _ => break,                
+            }
+        }*/
+        
+    }
+
 }
diff --git a/mbedtls/src/x509/mod.rs b/mbedtls/src/x509/mod.rs
index cc63fcc7d..56d626337 100644
--- a/mbedtls/src/x509/mod.rs
+++ b/mbedtls/src/x509/mod.rs
@@ -18,7 +18,7 @@ pub mod profile;
 // write_csr
 
 #[doc(inline)]
-pub use self::certificate::{Certificate, LinkedCertificate};
+pub use self::certificate::Certificate;
 pub use self::crl::Crl;
 #[doc(inline)]
 pub use self::csr::Csr;
diff --git a/mbedtls/tests/client_server.rs b/mbedtls/tests/client_server.rs
index 2246c3740..1fb304500 100644
--- a/mbedtls/tests/client_server.rs
+++ b/mbedtls/tests/client_server.rs
@@ -17,48 +17,50 @@ use mbedtls::pk::Pk;
 use mbedtls::rng::CtrDrbg;
 use mbedtls::ssl::config::{Endpoint, Preset, Transport};
 use mbedtls::ssl::{Config, Context, Version};
-use mbedtls::x509::{Certificate, LinkedCertificate, VerifyError};
+use mbedtls::x509::{Certificate, VerifyError};
 use mbedtls::Error;
 use mbedtls::Result as TlsResult;
+use std::sync::Arc;
 
 mod support;
 use support::entropy::entropy_new;
 use support::keys;
 
 fn client(
-    mut conn: TcpStream,
+    conn: TcpStream,
     min_version: Version,
     max_version: Version,
     exp_version: Option<Version>) -> TlsResult<()> {
-    let mut entropy = entropy_new();
-    let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cacert = Certificate::from_pem(keys::ROOT_CA_CERT)?;
+    let entropy = Arc::new(entropy_new());
+    let rng = Arc::new(CtrDrbg::new(entropy, None)?);
+    let cacert = Arc::new(Certificate::from_pem_multiple(keys::ROOT_CA_CERT)?);
     let expected_flags = VerifyError::empty();
     #[cfg(feature = "time")]
     let expected_flags = expected_flags | VerifyError::CERT_EXPIRED;
-    let mut verify_args = None;
     {
-        let verify_callback =
-            &mut |crt: &mut LinkedCertificate, depth, verify_flags: &mut VerifyError| {
-                verify_args = Some((crt.subject().unwrap(), depth, *verify_flags));
-                verify_flags.remove(VerifyError::CERT_EXPIRED); //we check the flags at the end,
-                //so removing this flag here prevents the connections from failing with VerifyError
-                Ok(())
+        let verify_callback = move |crt: &Certificate, depth: i32, verify_flags: &mut VerifyError| {
+
+            match (crt.subject().unwrap().as_str(), depth, &verify_flags) {
+                ("CN=RootCA", 1, _) => (),
+                (keys::EXPIRED_CERT_SUBJECT, 0, flags) => assert_eq!(**flags, expected_flags),
+                _ => assert!(false),
             };
+            
+            verify_flags.remove(VerifyError::CERT_EXPIRED); //we check the flags at the end,
+            //so removing this flag here prevents the connections from failing with VerifyError
+            Ok(())
+        };
         let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
-        config.set_rng(Some(&mut rng));
+        config.set_rng(rng);
         config.set_verify_callback(verify_callback);
-        config.set_ca_list(Some(&mut *cacert), None);
+        config.set_ca_list(cacert, None);
         config.set_min_version(min_version)?;
         config.set_max_version(max_version)?;
-        let mut ctx = Context::new(&config)?;
-
-        let session = ctx.establish(&mut conn, None);
+        let mut ctx = Context::new(Arc::new(config));
 
-        let mut session = match session {
-            Ok(s) => {
-                assert_eq!(s.version(), exp_version.unwrap());
-                s
+        match ctx.establish(conn, None) {
+            Ok(()) => {
+                assert_eq!(ctx.version(), exp_version.unwrap());
             }
             Err(e) => {
                 match e {
@@ -70,40 +72,35 @@ fn client(
             }
         };
 
-        let ciphersuite = session.ciphersuite();
-        session
-            .write_all(format!("Client2Server {:4x}", ciphersuite).as_bytes())
-            .unwrap();
+        let ciphersuite = ctx.ciphersuite().unwrap();
+        ctx.write_all(format!("Client2Server {:4x}", ciphersuite).as_bytes()).unwrap();
         let mut buf = [0u8; 13 + 4 + 1];
-        session.read_exact(&mut buf).unwrap();
+        ctx.read_exact(&mut buf).unwrap();
         assert_eq!(&buf, format!("Server2Client {:4x}", ciphersuite).as_bytes());
-    } // drop verify_callback, releasing borrow of verify_args
-    assert_eq!(verify_args, Some((keys::EXPIRED_CERT_SUBJECT.to_owned(), 0, expected_flags)));
+    }
     Ok(())
 }
 
 fn server(
-    mut conn: TcpStream,
+    conn: TcpStream,
     min_version: Version,
     max_version: Version,
     exp_version: Option<Version>,
 ) -> TlsResult<()> {
-    let mut entropy = entropy_new();
-    let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cert = Certificate::from_pem(keys::EXPIRED_CERT)?;
-    let mut key = Pk::from_private_key(keys::EXPIRED_KEY, None)?;
+    let entropy = entropy_new();
+    let rng = Arc::new(CtrDrbg::new(Arc::new(entropy), None)?);
+    let cert = Arc::new(Certificate::from_pem_multiple(keys::EXPIRED_CERT)?);
+    let key = Arc::new(Pk::from_private_key(keys::EXPIRED_KEY, None)?);
     let mut config = Config::new(Endpoint::Server, Transport::Stream, Preset::Default);
-    config.set_rng(Some(&mut rng));
+    config.set_rng(rng);
     config.set_min_version(min_version)?;
     config.set_max_version(max_version)?;
-    config.push_cert(&mut *cert, &mut key)?;
-    let mut ctx = Context::new(&config)?;
-
-    let session = ctx.establish(&mut conn, None);
-    let mut session = match session {
-        Ok(s) => {
-            assert_eq!(s.version(), exp_version.unwrap());
-            s
+    config.push_cert(cert, key)?;
+    let mut ctx = Context::new(Arc::new(config));
+
+    match ctx.establish(conn, None) {
+        Ok(()) => {
+            assert_eq!(ctx.version(), exp_version.unwrap());
         }
         Err(e) => {
             match e {
@@ -116,12 +113,10 @@ fn server(
         }
     };
 
-    let ciphersuite = session.ciphersuite();
-    session
-        .write_all(format!("Server2Client {:4x}", ciphersuite).as_bytes())
-        .unwrap();
+    let ciphersuite = ctx.ciphersuite().unwrap();
+    ctx.write_all(format!("Server2Client {:4x}", ciphersuite).as_bytes()).unwrap();
     let mut buf = [0u8; 13 + 1 + 4];
-    session.read_exact(&mut buf).unwrap();
+    ctx.read_exact(&mut buf).unwrap();
 
     assert_eq!(&buf, format!("Client2Server {:4x}", ciphersuite).as_bytes());
     Ok(())
diff --git a/mbedtls/tests/hyper.rs b/mbedtls/tests/hyper.rs
new file mode 100644
index 000000000..40a5cc580
--- /dev/null
+++ b/mbedtls/tests/hyper.rs
@@ -0,0 +1,525 @@
+use hyper::net::{NetworkStream, SslClient, SslServer};
+use std::fmt;
+use std::io;
+use std::marker::PhantomData;
+use std::net::SocketAddr;
+use std::sync::{Arc, Mutex};
+use std::time::Duration;
+
+use mbedtls::ssl::{Config, Context};
+
+// Native TLS compatibility - to move to native tls client in the future
+#[derive(Clone)]
+pub struct TlsStream<T> {
+    context: Arc<Mutex<Context>>,
+    phantom: PhantomData<T>,
+}
+
+impl<T> TlsStream<T> {
+    pub fn new(context: Arc<Mutex<Context>>) -> Self {
+        TlsStream {
+            context: context,
+            phantom: PhantomData,
+        }
+    }
+}
+
+unsafe impl<T> Send for TlsStream<T> {}
+unsafe impl<T> Sync for TlsStream<T> {}
+
+impl<T> io::Read for TlsStream<T>
+{
+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+        self.context.lock().unwrap().read(buf)
+    }
+}
+
+impl<T> io::Write for TlsStream<T>
+{
+    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+        self.context.lock().unwrap().write(buf)
+    }
+
+    fn flush(&mut self) -> io::Result<()> {
+        self.context.lock().unwrap().flush()
+    }
+}
+
+impl<T> NetworkStream for TlsStream<T>
+    where T: NetworkStream
+{
+    fn peer_addr(&mut self) -> io::Result<SocketAddr> {
+        self.context.lock().unwrap().get_mut_io::<T>()?.peer_addr()
+    }
+
+    fn set_read_timeout(&self, dur: Option<Duration>) -> io::Result<()> {
+        self.context.lock().unwrap().get_mut_io::<T>()?.set_read_timeout(dur)
+    }
+
+    fn set_write_timeout(&self, dur: Option<Duration>) -> io::Result<()> {
+        self.context.lock().unwrap().get_mut_io::<T>()?.set_write_timeout(dur)
+    }
+}
+
+
+#[derive(Clone)]
+pub struct MbedSSLServer {
+    rc_config: Arc<Config>,
+}
+
+impl MbedSSLServer {
+    pub fn new(rc_config: Arc<Config>) -> Self {
+        MbedSSLServer {
+            rc_config,
+        }
+    }
+}
+
+unsafe impl Send for MbedSSLServer {}
+
+/// An abstraction to allow any SSL implementation to be used with server-side HttpsStreams.
+impl<T> SslServer<T> for MbedSSLServer
+    where T: NetworkStream + Send + Clone + fmt::Debug + Sync
+{
+    /// The protected stream.
+    type Stream = TlsStream<T>;
+    
+    /// Wrap a server stream with SSL.
+    fn wrap_server(&self, stream: T) -> Result<Self::Stream, hyper::Error> {
+        let mut ctx = Context::new(self.rc_config.clone());
+        ctx.establish(stream, None).map_err(|e| hyper::error::Error::Ssl(e.into()))?;
+        Ok(TlsStream::new(Arc::new(Mutex::new(ctx))))
+    }
+}
+
+#[derive(Clone)]
+pub struct MbedSSLClient {
+    rc_config: Arc<Config>,
+    verify_hostname: bool,
+
+    // This can be used when verify_hostname is set to true.
+    // It will force ssl client to send this specific SNI on all established connections disregarding any host provided by hyper.
+    override_sni: Option<String>,
+}
+
+impl MbedSSLClient {
+    #[allow(dead_code)]
+    pub fn new(rc_config: Arc<Config>, verify_hostname: bool) -> Self {
+        MbedSSLClient {
+            rc_config,
+            verify_hostname,
+            override_sni: None,
+        }
+    }
+    
+    #[allow(dead_code)]
+    pub fn new_with_sni(rc_config: Arc<Config>, verify_hostname: bool, override_sni: Option<String>) -> Self {
+        MbedSSLClient {
+            rc_config,
+            verify_hostname,
+            override_sni,
+        }
+    }
+}
+
+impl<T> SslClient<T> for MbedSSLClient
+    where T: NetworkStream + Send + Clone + fmt::Debug + Sync
+{
+    type Stream = TlsStream<T>;
+
+    fn wrap_client(&self, stream: T, host: &str) -> hyper::Result<TlsStream<T>> {
+        let mut context = Context::new(self.rc_config.clone());
+
+        let verify_hostname = match self.verify_hostname {
+            true => Some(self.override_sni.as_ref().map(|v| v.as_str()).unwrap_or(host)),
+            false => None,
+        };
+        
+        match context.establish(stream, verify_hostname) {
+            Ok(()) => Ok(TlsStream::new(Arc::new(Mutex::new(context)))),
+            Err(e) => Err(hyper::Error::Ssl(Box::new(e))),
+        }
+    }
+}
+
+// To implement SSL tickets and have faster connections to the same remote server:
+// - implement Drop for TlsStream -> it should store the context into a cache.
+// - update wrap_client to use TlsStream cache
+//
+// This is similar to what hyper does for keep alive connections: hyper/src/client/pool.rs
+
+#[cfg(test)]
+mod tests {
+    // Note this useful idiom: importing names from outer (for mod tests) scope.
+    use super::*;
+
+    use hyper::client::Pool;
+    use hyper::net::{HttpListener, HttpsConnector, HttpsListener, NetworkListener};
+    use hyper::status::StatusCode;
+    use mbedtls::pk::Pk;
+    use mbedtls::ssl::Config;
+    use mbedtls::ssl::config::{Endpoint, Preset, Transport, AuthMode, Version, UseSessionTickets, Renegotiation};
+    use mbedtls::ssl::context::HandshakeContext;
+    use mbedtls::x509::{Certificate, VerifyError};
+    use std::sync::Arc;
+    use mbedtls::ssl::CipherSuite::*;
+    use std::io::Write;
+    use mbedtls::ssl::TicketContext;
+    
+    #[cfg(not(target_env = "sgx"))]
+    use mbedtls::set_global_debug_threshold;
+    
+    #[cfg(not(target_env = "sgx"))]
+    use mbedtls::rng::{OsEntropy, CtrDrbg};
+
+    #[cfg(target_env = "sgx")]
+    use mbedtls::rng::{Rdrand};
+
+    #[cfg(not(target_env = "sgx"))]
+    pub fn rng_new() -> Arc<CtrDrbg> {
+        let entropy = Arc::new(OsEntropy::new());
+        let rng = Arc::new(CtrDrbg::new(entropy, None).unwrap());
+        rng
+    }
+
+    #[cfg(target_env = "sgx")]
+    pub fn rng_new() -> Arc<Rdrand> {
+        Arc::new(Rdrand)
+    }
+    
+    #[test]
+    fn test_simple_request() {
+        let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
+
+        config.set_authmode(AuthMode::None);
+        config.set_rng(rng_new());
+        config.set_min_version(Version::Tls1_2).unwrap();
+
+        let ssl = MbedSSLClient::new(Arc::new(config), false);
+        let connector = HttpsConnector::new(ssl);
+        let client = hyper::Client::with_connector(Pool::with_connector(Default::default(), connector));
+
+        let response = client.get("https://www.google.com/").send().unwrap();
+
+        assert_eq!(response.status, hyper::status::StatusCode::Ok);
+    }
+
+
+    #[test]
+    fn test_multiple_request() {
+        let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
+
+        config.set_rng(rng_new());
+        config.set_authmode(AuthMode::None);
+        config.set_min_version(Version::Tls1_2).unwrap();
+        
+        // Immutable from this point on
+        let ssl = MbedSSLClient::new(Arc::new(config), false);
+
+        let client1 = hyper::Client::with_connector(Pool::with_connector(Default::default(), HttpsConnector::new(ssl.clone())));
+        let response = client1.get("https://www.google.com/").send().unwrap();
+        assert_eq!(response.status, hyper::status::StatusCode::Ok);
+
+        let client2 = hyper::Client::with_connector(Pool::with_connector(Default::default(), HttpsConnector::new(ssl.clone())));
+        let response = client2.get("https://www.google.com/").send().unwrap();
+        assert_eq!(response.status, hyper::status::StatusCode::Ok);
+
+        let client3 = hyper::Client::with_connector(Pool::with_connector(Default::default(), HttpsConnector::new(ssl.clone())));
+        let response = client3.get("https://www.google.com/").send().unwrap();
+        assert_eq!(response.status, hyper::status::StatusCode::Ok);
+    }
+
+    #[test]
+    fn test_hyper_multithread() {
+        let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
+
+        config.set_authmode(AuthMode::None);
+        config.set_rng(rng_new());
+        config.set_min_version(Version::Tls1_2).unwrap();
+        
+        let ssl = MbedSSLClient::new(Arc::new(config), false);
+        let client = Arc::new(hyper::Client::with_connector(Pool::with_connector(Default::default(), HttpsConnector::new(ssl.clone()))));
+
+        let clone1 = client.clone();
+        let clone2 = client.clone();
+        let t1 = std::thread::spawn(move || {
+            let response = clone1.get("https://google.com").send().unwrap();
+            assert_eq!(response.status, hyper::status::StatusCode::Ok);
+        });
+        
+        let t2 = std::thread::spawn(move || {
+            clone2.post("https://google.com").body("foo=bar").send().unwrap();
+        });
+
+        t1.join().unwrap();
+        t2.join().unwrap();
+    }
+
+
+    #[test]
+    fn test_verify() {
+        let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
+
+        config.set_authmode(AuthMode::Required);
+        config.set_rng(rng_new());
+        config.set_min_version(Version::Tls1_2).unwrap();
+
+        let verify_callback = |_crt: &Certificate, _depth: i32, verify_flags: &mut VerifyError| {
+            *verify_flags = VerifyError::CERT_OTHER;
+            Ok(())
+        };
+        config.set_verify_callback(verify_callback);
+
+        // This is mostly as an example - how to debug mbedtls
+        let dbg_callback = |level: i32, file: &str, line: i32, message: &str| {
+            println!("{} {}:{} {}", level, file, line, message);
+        };
+        config.set_dbg_callback(dbg_callback);
+
+        #[cfg(not(target_env = "sgx"))]
+        unsafe { set_global_debug_threshold(1); }
+        
+        config.set_ca_list(Arc::new(Certificate::from_pem_multiple(ROOT_CA_CERT).unwrap()), None);
+        
+        let ssl = MbedSSLClient::new(Arc::new(config), false);
+        let connector = HttpsConnector::new(ssl.clone());
+        let client = Arc::new(hyper::Client::with_connector(Pool::with_connector(Default::default(), connector)));
+
+        match client.get("https://google.com").send() {
+            Err(hyper::Error::Ssl(_)) => (),
+            _ => assert!(false),
+        };
+    }
+
+    
+    #[test]
+    fn test_hyper_server() {
+        std::env::set_var("RUST_BACKTRACE", "full");
+
+        let mut config = Config::new(Endpoint::Server, Transport::Stream, Preset::Default);
+
+        config.set_rng(rng_new());
+        config.set_authmode(AuthMode::None);
+        config.set_min_version(Version::Tls1_2).unwrap();
+
+        let cert = Arc::new(Certificate::from_pem_multiple(PEM_CERT).unwrap());
+        let key = Arc::new(Pk::from_private_key(PEM_KEY, None).unwrap());
+        config.push_cert(cert, key).unwrap();
+        
+        let ssl = MbedSSLServer { rc_config: Arc::new(config) };
+
+        // Random port is intentional
+        let mut listener = HttpListener::new("127.0.0.1:0").unwrap();
+        let local_addr = listener.local_addr().unwrap();
+
+        let server = hyper::Server::new(HttpsListener::with_listener(listener, ssl));
+
+        let mut handler = server.handle_threads(move |mut _req: hyper::server::Request, mut res: hyper::server::Response| {
+            *res.status_mut() = StatusCode::MethodNotAllowed;
+        }, 3).unwrap();
+
+        std::thread::sleep(core::time::Duration::from_millis(10));
+        
+        let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
+
+        config.set_authmode(AuthMode::Required);
+        config.set_rng(rng_new());
+        config.set_min_version(Version::Tls1_2).unwrap();
+        config.set_ca_list(Arc::new(Certificate::from_pem_multiple(ROOT_CA_CERT).unwrap()), None);
+        
+        let ssl = MbedSSLClient::new(Arc::new(config), false);
+        let client = Arc::new(hyper::Client::with_connector(Pool::with_connector(Default::default(), HttpsConnector::new(ssl.clone()))));
+
+        let client1 = client.clone();
+
+        // If this fails due to EWOULDBLOCK it means not enough threads were created.
+        let t1 = std::thread::Builder::new().spawn(move || {
+            let response = client1.post(&format!("https://{}/path", local_addr)).body("foo=bar").send();
+            println!("{:?}", response);
+        }).unwrap();
+
+        t1.join().unwrap();
+        handler.close().unwrap();
+    }
+
+    #[test]
+    fn test_sni_hyper_server() {
+        std::env::set_var("RUST_BACKTRACE", "full");
+
+        // This is mostly as an example - how to debug mbedtls
+        let dbg_callback = |level: i32, file: &str, line: i32, message: &str| {
+            println!("{} {}:{} {}", level, file, line, message);
+        };
+
+        // Enable as needed for debug
+        //set_global_debug_threshold(4);
+
+        let rng = rng_new();
+        
+        let (local_addr, server) = {
+            let mut config = Config::new(Endpoint::Server, Transport::Stream, Preset::Default);
+
+            config.set_rng(rng.clone());
+            config.set_min_version(Version::Tls1_2).unwrap();
+            config.set_dbg_callback(dbg_callback.clone());
+
+            let cert = Arc::new(Certificate::from_pem_multiple(PEM_CERT).unwrap());
+            let key = Arc::new(Pk::from_private_key(PEM_KEY, None).unwrap());
+
+            let cipher_suites : Vec<i32> = vec![RsaWithAes128GcmSha256.into(), DheRsaWithAes128GcmSha256.into(), PskWithAes128GcmSha256.into(), DhePskWithAes128GcmSha256.into(), RsaPskWithAes128GcmSha256.into(), 0];
+
+            config.set_ciphersuites(Arc::new(cipher_suites));
+            
+            let sni_callback = move |ctx: &mut HandshakeContext, name: &[u8]| -> Result<(), mbedtls::Error> {
+                let name = std::str::from_utf8(name).unwrap();
+                if name == "mbedtls.example" {
+                    ctx.set_authmode(AuthMode::None).unwrap();
+                    ctx.push_cert(cert.clone(), key.clone()).unwrap();
+                    Ok(())
+                } else {
+                    return Err(mbedtls::Error::SslNoClientCertificate);
+                }
+            };
+
+            config.set_sni_callback(sni_callback);                                    
+
+            let tctx = TicketContext::new(rng.clone(), mbedtls::cipher::raw::CipherType::Aes128Gcm, 300).unwrap();
+            config.set_session_tickets_callback(Arc::new(tctx));
+
+            let ssl = MbedSSLServer { rc_config: Arc::new(config) };
+
+            // Random port is intentional
+            let mut listener = HttpListener::new("127.0.0.1:0").unwrap();
+
+            (listener.local_addr().unwrap(), hyper::Server::new(HttpsListener::with_listener(listener, ssl)))
+        };
+
+        let mut handler = server.handle_threads(move |mut _req: hyper::server::Request, mut res: hyper::server::Response| {
+            *res.status_mut() = StatusCode::MethodNotAllowed;
+        }, 3).unwrap();
+
+        std::thread::sleep(core::time::Duration::from_millis(10));
+        
+        let client = {
+            let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
+
+            config.set_authmode(AuthMode::Required);
+            config.set_rng(rng.clone());
+            config.set_min_version(Version::Tls1_2).unwrap();
+            config.set_ca_list(Arc::new(Certificate::from_pem_multiple(ROOT_CA_CERT).unwrap()), None);
+
+            config.set_dbg_callback(dbg_callback.clone());
+            
+            config.set_session_tickets(UseSessionTickets::Enabled);
+            config.set_renegotiation(Renegotiation::Enabled);
+            
+            let ssl = MbedSSLClient::new_with_sni(Arc::new(config), true, Some("mbedtls.example".to_string()));
+            Arc::new(hyper::Client::with_connector(Pool::with_connector(Default::default(), HttpsConnector::new(ssl))))
+        };
+        
+        {
+            let response = client.post(&format!("https://{}/path", local_addr)).body("foo=bar").send().unwrap();
+            println!("Response: {}", response.status);
+            assert_eq!(response.status, StatusCode::MethodNotAllowed);
+        }
+        {
+            let response = client.post(&format!("https://{}/path", local_addr)).body("foo=bar").send().unwrap();
+            println!("Response: {}", response.status);
+            assert_eq!(response.status, StatusCode::MethodNotAllowed);
+        }
+        {
+            let response = client.post(&format!("https://{}/path", local_addr)).body("foo=bar").send().unwrap();
+            println!("Response: {}", response.status);
+            assert_eq!(response.status, StatusCode::MethodNotAllowed);
+        }
+
+        handler.close().unwrap();
+        std::io::stdout().flush().unwrap();
+    }
+
+
+// Signed by ROOT_CA below
+    pub const PEM_CERT: &'static [u8] = b"-----BEGIN CERTIFICATE-----
+MIIEGzCCAgOgAwIBAgIKElgwWDKDQhBIOTANBgkqhkiG9w0BAQsFADARMQ8wDQYD
+VQQDEwZSb290Q0EwIBcNMjAwNTA4MDkxNDMwWhgPMjEwMDA0MTkwOTE0MzBaMBox
+GDAWBgNVBAMMD21iZWR0bHMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAN/SZjoB4zxaOxgtCjC6c88Y8twUUtNoNJu+D2X1vjoEEmeh0CCA
+x6fvyDbZE7kad5pTVHWdiaepodWzTf4GcuGKa0qP0jwitDuqBoqraDxYT9saQd4I
+rh8tPanoDQO2V6iewJT59EFxwC6pry+EWPox1UuKzd66x5a+yTq4d7ybkgBjoico
++0I4m+4BxZNPmZDSdIZpgfMANGvTZCLt/x4gypqotHH//8sssucJJgMwD+YybYis
+wtRCt+Atw2YUQe0JhLs8nMTRQXqREBpz250hITpNsior4PhNsjiMElEFqx0ZmT84
+tQW6lpJ5Yz297xAeUXrdVl+DrvvdhfrqJJ8CAwEAAaNqMGgwHQYDVR0OBBYEFJvl
+m+3MJ2eYR9dGydOY0QNRRMaAMDkGA1UdIwQyMDCAFIkuNd0n1URsu71cJCyBnQwO
+MsqLoRWkEzARMQ8wDQYDVQQDEwZSb290Q0GCAQEwDAYDVR0TAQH/BAIwADANBgkq
+hkiG9w0BAQsFAAOCAgEAGbkSdZL5BC46GTGSR09lEh+cZ2o4fP6uSbkyT4xEPRWx
+fNMLZeEJPVzZkar5tVDnpBb3gAoArHIn6ePPiTssYUD/3yN7ZL6YFn4Bg0VBig8e
+ZWzQT6BiAmXKRY7JtDdgnhggxfo1x1bwW0r3qz/BYeC1cdqbC9CRmTPFNIKFhZyY
+fC1BQ49dI/prfiBlgGO/bIDZfzMNC9b5b7g5aKVQH1e1ViGkRKL4l6tIKp/pL7Nx
+1e1H/f2cl33rm+kTvkH5H02Z+Fg2tVnx2xPxMIkpGOnhtrh5H48xT1oxqcZ/ySmp
+W7xiCt4QAW7DafRLwhsMhKSxcBxHEl4mRTX2pz5BV5yyq/rTGDRFQAlzBUEteLh3
+fCPsdYOQEQMdPUzx3VAieaHSbR424kcd5Iw3uMBCk2NzyLxbIWKA4Q+9XFIacEdh
+TFO2Z/pvkTWMOo1yKzC8NM26QT/o0USgtHBIc2F8FlGEYBLZXvqtOeKJ5mneyLR/
+jnAr18OJv+/DPPSv4qB6LpF+CAQFm0pZisqZdwsMBRgWQ3wml/A+lOLmiajNB3gk
+XfzmCVga7Kik6cjP0ExV7rRvvQ9akWgsMLYJm28Ck6k3Nl3AsfiAGf5kFj5VlBrd
+Ecs4CTdh5ZsL2pDU+QmWsqRNdN+Kz1IVX7fLvR48MgpKZhK+d97/P37e1kEtXoo=
+-----END CERTIFICATE-----\0";
+
+    pub const PEM_KEY: &'static [u8] = b"-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDf0mY6AeM8WjsY
+LQowunPPGPLcFFLTaDSbvg9l9b46BBJnodAggMen78g22RO5GneaU1R1nYmnqaHV
+s03+BnLhimtKj9I8IrQ7qgaKq2g8WE/bGkHeCK4fLT2p6A0DtleonsCU+fRBccAu
+qa8vhFj6MdVLis3euseWvsk6uHe8m5IAY6InKPtCOJvuAcWTT5mQ0nSGaYHzADRr
+02Qi7f8eIMqaqLRx///LLLLnCSYDMA/mMm2IrMLUQrfgLcNmFEHtCYS7PJzE0UF6
+kRAac9udISE6TbIqK+D4TbI4jBJRBasdGZk/OLUFupaSeWM9ve8QHlF63VZfg677
+3YX66iSfAgMBAAECggEAL/Pq9Picj7yhNo/HxCLeVvt4ZNBx4ltMEiYJNIYO6G0g
+6FURuzT8Ea3czmt5v0m9YDIEQWKsMGC2jItq5UbKbCn0zLe9iibBSJsn5aPNpEgj
+a8TXYdOoQoO112YhC6+QXk8M4Z4fx7mwPA8cumh3i7sLgLDPZK3Nvy1G/a6x8JVZ
+g3W1Oyrbn29z1XANTAj2Q0NrdTogKUgNOLYRWB9SeONCnWQmxtzx3jlUIGSn5J9T
+RBQo5ZIhRqOOe8Td3coU+OJ+Z2g7XETTlU3hYmi70/PeXaRxq3k9sX95LtnjgduK
+r2H0KNxyhCmC8cdXL5ogBfnnLColW4Ya1/vyN7sAIQKBgQDwPYJcz3636j8xh1Pt
+U4kxfA4ozqDOXK6jnl6ujhYfwhAghEEFqV2yWYkQbLkkQu2ewRuQxNYLCT+O6WBH
+DF8uoYBtbdH47MLM+TuLUnglHEC1qwwaO62Eb+2cn5f1i5Z/mLQOG3uxlnSPbIC5
+2mEpKmWqdFJAGwOF3/rbVr+88QKBgQDugSqpXgIg4RR3rRzUZog/ReieoG+cf2WO
+rHfmIXBSACktfoQMlrgO/sD2zq1sjQXSUNbQCzMV7kIrLrb+Y7xtZljFJj3wSG/k
+LQBJy1qk7uVfoFfndmYgrkb7+aNkMR0KrqEZPuS3bmXcD2BUzzgYsD9LoC5nD55U
+EAnKGRE6jwKBgQCmtpiLnXZbXJQj47xrGig/jc4ppVJUQl7yrkkYKwPRYBNe7UhO
+DH038gg6vKgyMLvDClD9woqit/VCUFN+mmhG7M45ohcu/eYk5ePbSAyV/CgvqZZJ
+chZ0rFOg9+M1A3wZ6bcxfwL0dutGSE6AKrp4HbLVeclGMTjdo1Pq+CUwkQKBgQDU
+MWEGTFgybm4qR38lzY8cVBMwxeZm4sU1GWaW/VsT6Ya5Lh1HofRhiu+c5aZPtGvg
+gQGNGNm7gj2mc6plS9DBuFP0GyDyHVBHPm5KOT0NDmpOGLb8fE9Cdis7VQ+0PSns
+bg9wCY+tTvAayCdZbP8on+3AV+PQ14lyms5K2uCEKwKBgQCrpoMycTrB2KOczWNp
+kZouBK4tU5rGjBj3/0p+wHszyCOtiX5sdBT66eRHYY/t9YcOTWA8w3OO/8sj4X4d
+nMsuXM/jD/NWW9JD9+vPUQz4db5evhQBNIkOG4FIRnSh15pDIcEeLxEamNV82fRS
+26jlsLNCILTT9RsfswR3U+1GuA==
+-----END PRIVATE KEY-----\0";
+
+pub const ROOT_CA_CERT: &'static [u8] = b"-----BEGIN CERTIFICATE-----
+MIIE4jCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSb290
+Q0EwHhcNMTkwOTA1MTg0NTMyWhcNMjEwMzA1MTg0NTI2WjARMQ8wDQYDVQQDEwZS
+b290Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQD6AOBz7HbIi8w3
+Wjjk16oglHRQcICTkvgfl6gbGuSjOoVHmOAn2EWT9AuXtcyNcVFyk90h0dsadqkJ
+Enrk3BkTJQmtGW0u5UvcI+famYjZDvYQpGcgXBFmrH7/g/BN4v5VvdrXxUVy6Uyv
+Ql60yG7JxlMY8K2OMV13bOpABXhnG/zNr1hCPLQWu52Mn3M1nudFBZff7tZz4dBo
+YoMeXkIWQ3t2wypD3WunlQcuGxNOCcXONZRDzeUidh/Yv/4tTggZe8KAnEngKb86
+KwKAhVjinGIN2C+ISpKsDurDxhExA2Na6+EbtLEgkI9AeoBz6tIjt/yv/inil+Du
+fEDSmG+P97oY1GNcZMkftjjJd0u57YWz0Ck5bfHdgploh/1VHGdoC677MDWJOb31
+O3mGdpTiBHP2Gh6Xwm8NuZc+tQSPVr/GaYg7slLBl/7GWU9QGjr9DGj/qYozD8tT
+cazIHFh9zDP4XC+a+D+3lMA5EMfvVmDmr2QZJoiKBrxbNXXZ0QQcc+Wr9jFBBx/i
+BRlpnxr+EDG+Q7nFnbG6x1DkvKhc1KDGBhq/HDb5bBVSr7Pjl2FMNh8HVX64mDbA
+7clQJHa1rIjB+HxtZB5DNKQbRobyrWgkTpi5XHPhMw966zrhBWgOdAh+PSeq9FEf
+Y0w328/EBWGqIg3rRMOvDAQpbojNdwIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAQYw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUiS413SfVRGy7vVwkLIGdDA4y
+yoswDQYJKoZIhvcNAQELBQADggIBAHcRzQhesOTpFG4KINJyzZf7a5lrc8kayTaL
+lzSXW1pEl3/OFiMvOayjDq+yVAJB+5j3WZu8AOTFuZ4pBjz2I1hdIt5F2asqnVN3
+8ymuC7t4gNAQGhWJldnsL58iTYGlxFciiT/8QSHJJjYRkKxyhF08Oj3Zbs13J4xc
+ENLmwCZMFait+qm7aX3idnUa1XMGO26ioQOi0uEVqu9N4p62OQKd/76vmnaqmIAw
+5s47DaaUi7DeiBguLZrNzfZcJTAHNM5VxCjsXW4PieN6mJhQSar40794n7HLHxtG
+Xc5UdxT3nLclEAviDJFubA1N/szWtu4vdfehdAKCXkIjwoUEVEOpPYEeYr27JFlP
+kaxezxswwxY2UD0MZq21FhO7SpVQdmmvfoJvjQwIsiyoa9UNzC6mTqsJPjln+2mK
+p6WHzX+E6GeA7Ng6CyvJsHRsqbQdJ0OXHm4GIG2Z05r4AgBtvI6hkhSfAotBt3Xi
+lo5BEO6SbUnPYo03zD4x/76c4j/uZLYxy2n+Qrlm2KTQIUu7KEsKdUnLAxjWYePH
+VxcYz0/9Z5H4OzhW4J1Qd6OBW0dqETLlMJauPX5DV/slyYQQasPStEJGgiDiKG+B
+Jpjv6PefPTqZawP6gPoGmhF4UyMRWZ+NgqLft1uXTHhrHdnrZFag1oPLjxWFs5hx
+pElsC4v+
+-----END CERTIFICATE-----\0";
+}
diff --git a/mbedtls/tests/ssl_conf_ca_cb.rs b/mbedtls/tests/ssl_conf_ca_cb.rs
index 9340628fe..be7304b7a 100644
--- a/mbedtls/tests/ssl_conf_ca_cb.rs
+++ b/mbedtls/tests/ssl_conf_ca_cb.rs
@@ -15,36 +15,38 @@ use mbedtls::pk::Pk;
 use mbedtls::rng::CtrDrbg;
 use mbedtls::ssl::config::{Endpoint, Preset, Transport, ForeignOwnedCertListBuilder};
 use mbedtls::ssl::{Config, Context};
-use mbedtls::x509::{Certificate, LinkedCertificate};
+use mbedtls::x509::{Certificate};
 use mbedtls::Result as TlsResult;
+use std::sync::Arc;
 
 mod support;
 use support::entropy::entropy_new;
 
 
-fn client<F>(mut conn: TcpStream, mut ca_callback: F) -> TlsResult<()>
+fn client<F>(conn: TcpStream, ca_callback: F) -> TlsResult<()>
     where
-        F: FnMut(&LinkedCertificate, &mut ForeignOwnedCertListBuilder) -> TlsResult<()> {
-    let mut entropy = entropy_new();
-    let mut rng = CtrDrbg::new(&mut entropy, None)?;
+        F: Fn(&Certificate, &mut ForeignOwnedCertListBuilder) -> TlsResult<()> + Send + Sync + 'static,
+{
+    let entropy = entropy_new();
+    let rng = Arc::new(CtrDrbg::new(Arc::new(entropy), None)?);
     let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
-    config.set_rng(Some(&mut rng));
-    config.set_ca_callback(&mut ca_callback);
-    let mut ctx = Context::new(&config)?;
-    ctx.establish(&mut conn, None).map(|_| ())
+    config.set_rng(rng);
+    config.set_ca_callback(ca_callback);
+    let mut ctx = Context::new(Arc::new(config));
+    ctx.establish(conn, None).map(|_| ())
 }
 
-fn server(mut conn: TcpStream, cert: &[u8], key: &[u8]) -> TlsResult<()> {
-    let mut entropy = entropy_new();
-    let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cert = Certificate::from_pem(cert)?;
-    let mut key = Pk::from_private_key(key, None)?;
+fn server(conn: TcpStream, cert: &[u8], key: &[u8]) -> TlsResult<()> {
+    let entropy = entropy_new();
+    let rng = Arc::new(CtrDrbg::new(Arc::new(entropy), None)?);
+    let cert = Arc::new(Certificate::from_pem_multiple(cert)?);
+    let key = Arc::new(Pk::from_private_key(key, None)?);
     let mut config = Config::new(Endpoint::Server, Transport::Stream, Preset::Default);
-    config.set_rng(Some(&mut rng));
-    config.push_cert(&mut *cert, &mut key)?;
-    let mut ctx = Context::new(&config)?;
+    config.set_rng(rng);
+    config.push_cert(cert, key)?;
+    let mut ctx = Context::new(Arc::new(config));
 
-    let _ = ctx.establish(&mut conn, None);
+    let _ = ctx.establish(conn, None);
     Ok(())
 }
 
@@ -54,11 +56,11 @@ mod test {
     use std::thread;
     use crate::support::net::create_tcp_pair;
     use crate::support::keys;
-    use mbedtls::x509::{LinkedCertificate, Certificate};
+    use mbedtls::x509::{Certificate};
     use mbedtls::Error;
 
     // This callback should accept any valid self-signed certificate
-    fn self_signed_ca_callback(child: &LinkedCertificate, cert_builder: &mut ForeignOwnedCertListBuilder) -> TlsResult<()> {
+    fn self_signed_ca_callback(child: &Certificate, cert_builder: &mut ForeignOwnedCertListBuilder) -> TlsResult<()> {
         cert_builder.push_back(child);
         Ok(())
     }
@@ -68,8 +70,8 @@ mod test {
         let (c, s) = create_tcp_pair().unwrap();
 
         let ca_callback =
-            |_: &LinkedCertificate, cert_builder: &mut ForeignOwnedCertListBuilder| -> TlsResult<()> {
-                cert_builder.push_back(&*Certificate::from_pem(keys::ROOT_CA_CERT).unwrap());
+            |_: &Certificate, cert_builder: &mut ForeignOwnedCertListBuilder| -> TlsResult<()> {
+                cert_builder.try_push_back_pem(keys::ROOT_CA_CERT).unwrap();
                 Ok(())
             };
         let c = thread::spawn(move || super::client(c, ca_callback).unwrap());
@@ -82,7 +84,7 @@ mod test {
     fn callback_no_ca() {
         let (c, s) = create_tcp_pair().unwrap();
         let ca_callback =
-            |_: &LinkedCertificate, _: &mut ForeignOwnedCertListBuilder| -> TlsResult<()> {
+            |_: &Certificate, _: &mut ForeignOwnedCertListBuilder| -> TlsResult<()> {
                 Ok(())
             };
         let c = thread::spawn(move || assert!(matches!(super::client(c, ca_callback), Err(Error::X509CertVerifyFailed))));
@@ -122,4 +124,4 @@ mod test {
         c.join().unwrap();
         s.join().unwrap();
     }
-}
+}
\ No newline at end of file
diff --git a/mbedtls/tests/ssl_conf_verify.rs b/mbedtls/tests/ssl_conf_verify.rs
index d6168fe18..fe75dc9d6 100644
--- a/mbedtls/tests/ssl_conf_verify.rs
+++ b/mbedtls/tests/ssl_conf_verify.rs
@@ -16,13 +16,14 @@ use mbedtls::pk::Pk;
 use mbedtls::rng::CtrDrbg;
 use mbedtls::ssl::config::{Endpoint, Preset, Transport};
 use mbedtls::ssl::{Config, Context};
-use mbedtls::x509::{Certificate, LinkedCertificate, VerifyError};
+use mbedtls::x509::{Certificate, VerifyError};
 use mbedtls::Error;
 use mbedtls::Result as TlsResult;
 
 mod support;
 use support::entropy::entropy_new;
 use support::keys;
+use std::sync::Arc;
 
 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
 enum Test {
@@ -30,27 +31,31 @@ enum Test {
     CallbackError,
 }
 
-fn client(mut conn: TcpStream, test: Test) -> TlsResult<()> {
-    let mut entropy = entropy_new();
-    let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cert = Certificate::from_pem(keys::PEM_CERT)?;
-    let verify_callback =
-        &mut |_: &mut LinkedCertificate, _, verify_flags: &mut VerifyError| match test {
+fn client(conn: TcpStream, test: Test) -> TlsResult<()> {
+    let entropy = entropy_new();
+    let rng = Arc::new(CtrDrbg::new(Arc::new(entropy), None)?);
+    let cert = Arc::new(Certificate::from_pem_multiple(keys::PEM_CERT)?);
+
+    let verify_test = test.clone();
+    let verify_callback = move |_crt: &Certificate, _depth: i32, verify_flags: &mut VerifyError| {
+        match verify_test {
             Test::CallbackSetVerifyFlags => {
                 *verify_flags |= VerifyError::CERT_OTHER;
                 Ok(())
             }
             Test::CallbackError => Err(Error::Asn1InvalidData),
-        };
+        }
+    };
+    
     let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
-    config.set_rng(Some(&mut rng));
+    config.set_rng(rng);
     config.set_verify_callback(verify_callback);
-    config.set_ca_list(Some(&mut *cert), None);
-    let mut ctx = Context::new(&config)?;
+    config.set_ca_list(cert, None);
+    let mut ctx = Context::new(Arc::new(config));
 
     match (
         test,
-        ctx.establish(&mut conn, None)
+        ctx.establish(conn, None)
             .err()
             .expect("should have failed"),
     ) {
@@ -67,17 +72,17 @@ fn client(mut conn: TcpStream, test: Test) -> TlsResult<()> {
     Ok(())
 }
 
-fn server(mut conn: TcpStream) -> TlsResult<()> {
-    let mut entropy = entropy_new();
-    let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cert = Certificate::from_pem(keys::PEM_CERT)?;
-    let mut key = Pk::from_private_key(keys::PEM_KEY, None)?;
+fn server(conn: TcpStream) -> TlsResult<()> {
+    let entropy = entropy_new();
+    let rng = Arc::new(CtrDrbg::new(Arc::new(entropy), None)?);
+    let cert = Arc::new(Certificate::from_pem_multiple(keys::PEM_CERT)?);
+    let key = Arc::new(Pk::from_private_key(keys::PEM_KEY, None)?);
     let mut config = Config::new(Endpoint::Server, Transport::Stream, Preset::Default);
-    config.set_rng(Some(&mut rng));
-    config.push_cert(&mut *cert, &mut key)?;
-    let mut ctx = Context::new(&config)?;
+    config.set_rng(rng);
+    config.push_cert(cert, key)?;
+    let mut ctx = Context::new(Arc::new(config));
 
-    let _ = ctx.establish(&mut conn, None);
+    let _ = ctx.establish(conn, None);
     Ok(())
 }
 
diff --git a/mbedtls/tests/support/entropy.rs b/mbedtls/tests/support/entropy.rs
index 524f96482..0ba629cdb 100644
--- a/mbedtls/tests/support/entropy.rs
+++ b/mbedtls/tests/support/entropy.rs
@@ -7,7 +7,7 @@
  * according to those terms. */
 
 #[cfg(all(feature = "std", not(feature = "rdrand")))]
-pub fn entropy_new<'a>() -> crate::mbedtls::rng::OsEntropy<'a> {
+pub fn entropy_new() -> crate::mbedtls::rng::OsEntropy {
     crate::mbedtls::rng::OsEntropy::new()
 }
 
diff --git a/mbedtls/tests/support/rand.rs b/mbedtls/tests/support/rand.rs
index fd8a629d5..78ae57fe4 100644
--- a/mbedtls/tests/support/rand.rs
+++ b/mbedtls/tests/support/rand.rs
@@ -18,6 +18,19 @@ use self::rand::{Rng, XorShiftRng};
 /// Not cryptographically secure!!! Use for testing only!!!
 pub struct TestRandom(XorShiftRng);
 
+impl crate::mbedtls::rng::RngCallbackMut for TestRandom {
+    unsafe extern "C" fn call_mut(p_rng: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
+        (*(p_rng as *mut TestRandom))
+            .0
+            .fill_bytes(self::core::slice::from_raw_parts_mut(data, len));
+        0
+    }
+
+    fn data_ptr_mut(&mut self) -> *mut c_void {
+        self as *const _ as *mut _
+    }
+}
+
 impl crate::mbedtls::rng::RngCallback for TestRandom {
     unsafe extern "C" fn call(p_rng: *mut c_void, data: *mut c_uchar, len: size_t) -> c_int {
         (*(p_rng as *mut TestRandom))
@@ -26,11 +39,12 @@ impl crate::mbedtls::rng::RngCallback for TestRandom {
         0
     }
 
-    fn data_ptr(&mut self) -> *mut c_void {
-        self as *mut _ as *mut _
+    fn data_ptr(&self) -> *mut c_void {
+        self as *const _ as *mut _
     }
 }
 
+
 /// Not cryptographically secure!!! Use for testing only!!!
 pub fn test_rng() -> TestRandom {
     TestRandom(XorShiftRng::new_unseeded())
diff --git a/mbedtls/valgrind_unittests.sh b/mbedtls/valgrind_unittests.sh
new file mode 100755
index 000000000..09a8181f2
--- /dev/null
+++ b/mbedtls/valgrind_unittests.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+#
+# This is to quickly run unit tests before delivery.
+# Output is verbose on purpose, there must be no memory errors before reviews/merges.
+#
+CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUNNER="valgrind --num-callers=100 --track-origins=yes --leak-check=full --track-fds=yes --time-stamp=yes --malloc-fill=fd --free-fill=fd" cargo test --features=default,pthread
\ No newline at end of file