diff --git a/www/hiawatha/files/patch-CMakeLists.txt b/www/hiawatha/files/patch-CMakeLists.txt
deleted file mode 100644
index fc0ccada759f..000000000000
--- a/www/hiawatha/files/patch-CMakeLists.txt
+++ /dev/null
@@ -1,12 +0,0 @@
---- CMakeLists.txt.orig	2022-06-01 21:01:35 UTC
-+++ CMakeLists.txt
-@@ -36,7 +36,8 @@ include(cmake/CopyIfNotExists.cmake)
- include(cmake/CopyIfNotExists.cmake)
- 
- # Settings
--if(EXISTS "/proc/loadavg")
-+check_function_exists(getloadavg HAVE_GETLOADAVG)
-+if(HAVE_GETLOADAVG OR EXISTS "/proc/loadavg")
- 	option(ENABLE_LOADCHECK "Enable the ability to check for server load." on)
- endif()
- set(CONFIG_DIR ${CMAKE_INSTALL_FULL_SYSCONFDIR}/hiawatha CACHE STRING "Configuration directory")
diff --git a/www/hiawatha/files/patch-src_hiawatha.c b/www/hiawatha/files/patch-src_hiawatha.c
deleted file mode 100644
index 4aa62c339cf9..000000000000
--- a/www/hiawatha/files/patch-src_hiawatha.c
+++ /dev/null
@@ -1,45 +0,0 @@
---- src/hiawatha.c.orig	2021-07-22 15:18:13 UTC
-+++ src/hiawatha.c
-@@ -141,8 +141,12 @@ void task_runner(t_config *config) {
- 	int delay = 0;
- 	time_t now;
- #ifdef ENABLE_LOADCHECK
-+#ifdef HAVE_GETLOADAVG
-+	double loadavg[1];
-+#else
- 	FILE *load_fp = NULL;
- 	char load_str[50], *c;
-+#endif
- #ifdef ENABLE_MONITOR
- 	int  load_monitor_timer = 0;
- #endif
-@@ -213,6 +217,21 @@ void task_runner(t_config *config) {
- 
- #ifdef ENABLE_LOADCHECK
- 		if (config->max_server_load > 0) {
-+#ifdef HAVE_GETLOADAVG
-+			if (getloadavg(loadavg, 1) >= 1) {
-+				current_server_load = loadavg[0];
-+#ifdef ENABLE_MONITOR
-+				if (config->monitor_enabled) {
-+					if ((current_server_load > config->max_server_load) && (load_monitor_timer == 0)) {
-+						monitor_event("High server load (%0.2f)", current_server_load);
-+						load_monitor_timer = 60;
-+					}
-+				}
-+#endif
-+			} else {
-+				current_server_load = 0;
-+			}
-+#else
- 			if ((load_fp = fopen("/proc/loadavg", "r")) != NULL) {
- 				if (fgets(load_str, 49, load_fp) != NULL) {
- 					load_str[49] = '\0';
-@@ -238,6 +257,7 @@ void task_runner(t_config *config) {
- 			} else {
- 				current_server_load = 0;
- 			}
-+#endif
- 
- #ifdef ENABLE_MONITOR
- 			if (load_monitor_timer > 0) {
diff --git a/www/hiawatha/files/patch-src_session.c b/www/hiawatha/files/patch-src_session.c
deleted file mode 100644
index f095434683f9..000000000000
--- a/www/hiawatha/files/patch-src_session.c
+++ /dev/null
@@ -1,27 +0,0 @@
---- src/session.c.orig	2021-04-27 07:15:50 UTC
-+++ src/session.c
-@@ -33,15 +33,15 @@
- static const struct {
- 	const char *text;
- } sqli_detection[] = {
--	{"'\\s*(;\\s*)?--(\\s|')"},
--	{"\\s+(and|or|xor|&&|\\|\\|)\\s*\\(?\\s*('|[0-9]|`?[a-z\\._-]+`?\\s*(=|like)|[a-z]+\\s*\\()"},
--	{"\\s+(not\\s+)?in\\s*\\(\\s*['0-9]"},
--	{"union(\\s+all)?(\\s*\\(\\s*|\\s+)select(`|\\s)"},
--	{"select(\\s*`|\\s+)(\\*|[a-z0-9_\\, ]*)(`\\s*|\\s+)from(\\s*`|\\s+)[a-z0-9_\\.]*"},
--	{"insert\\s+into(\\s*`|\\s+).*(`\\s*|\\s+)(values\\s*)?\\(.*\\)"},
--	{"update(\\s*`|\\s+)[a-z0-9_\\.]*(`\\s*|\\s+)set(\\s*`|\\s+).*="},
--	{"delete\\s+from(\\s*`|\\s+)[a-z0-9_\\.]*`?"},
--	{"extractvalue\\s*\\(\\s*[0-9'\"@]"},
-+	{"'[[:space:]]*(;[[:space:]]*)?--([[:space:]]|')"},
-+	{"[[:space:]]+(and|or|xor|&&|\\|\\|)[[:space:]]*\\(?[[:space:]]*('|[0-9]|`?[a-z\\._-]+`?[[:space:]]*(=|like)|[a-z]+[[:space:]]*\\()"},
-+	{"[[:space:]]+(not[[:space:]]+)?in[[:space:]]*\\([[:space:]]*['0-9]"},
-+	{"union([[:space:]]+all)?([[:space:]]*\\([[:space:]]*|[[:space:]]+)select(`|[[:space:]])"},
-+	{"select([[:space:]]*`|[[:space:]]+)(\\*|[a-z0-9_\\, ]*)(`[[:space:]]*|[[:space:]]+)from([[:space:]]*`|[[:space:]]+)[a-z0-9_\\.]*"},
-+	{"insert[[:space:]]+into([[:space:]]*`|[[:space:]]+).*(`[[:space:]]*|[[:space:]]+)(values[[:space:]]*)?\\(.*\\)"},
-+	{"update([[:space:]]*`|[[:space:]]+)[a-z0-9_\\.]*(`[[:space:]]*|[[:space:]]+)set([[:space:]]*`|[[:space:]]+).*="},
-+	{"delete[[:space:]]+from([[:space:]]*`|[[:space:]]+)[a-z0-9_\\.]*`?"},
-+	{"extractvalue[[:space:]]*\\([[:space:]]*[0-9'\"@]"},
- 	{NULL}
- };
- 
diff --git a/www/hiawatha/files/patch-src_tls.c b/www/hiawatha/files/patch-src_tls.c
deleted file mode 100644
index d549f8bc366c..000000000000
--- a/www/hiawatha/files/patch-src_tls.c
+++ /dev/null
@@ -1,29 +0,0 @@
---- src/tls.c.orig	2022-01-22 12:16:26 UTC
-+++ src/tls.c
-@@ -161,7 +161,7 @@ int init_tls_module(mbedtls_x509_crt *ca_certificates)
- int init_tls_module(mbedtls_x509_crt *ca_certificates) {
- 	char version[16];
- 
--	if (mbedtls_version_get_number() < 0x03000000) {
-+	if (mbedtls_version_get_number() < 0x021c0000) {
- 		mbedtls_version_get_string(version);
- 		fprintf(stderr, "This Hiawatha installation requires at least mbed TLS v3.0.0 and you have v%s.\n", version);
- 		return -1;
-@@ -322,7 +322,7 @@ int tls_load_key_cert(char *file, mbedtls_pk_context *
- 	}
- 	mbedtls_pk_init(*private_key);
- 
--	if ((result = mbedtls_pk_parse_keyfile(*private_key, file, NULL, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE)) != 0) {
-+	if ((result = mbedtls_pk_parse_keyfile(*private_key, file, NULL)) != 0) {
- 		print_tls_error(result, "Error loading private key from %s", file);
- 		return -1;
- 	}
-@@ -436,7 +436,7 @@ int tls_accept(int *sock, mbedtls_ssl_context *context
- 
- 	result = TLS_HANDSHAKE_OKE;
- 	while ((handshake = mbedtls_ssl_handshake(context)) != 0) {
--		if (handshake == MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE) {
-+		if (handshake == MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) {
- 			mbedtls_ssl_free(context);
- 			result = TLS_HANDSHAKE_NO_MATCH;
- 			break;
diff --git a/www/hiawatha/files/patch-src_wigwam.c b/www/hiawatha/files/patch-src_wigwam.c
deleted file mode 100644
index cefa70ecc49f..000000000000
--- a/www/hiawatha/files/patch-src_wigwam.c
+++ /dev/null
@@ -1,20 +0,0 @@
---- src/wigwam.c.orig	2022-06-29 09:42:42 UTC
-+++ src/wigwam.c
-@@ -582,7 +582,7 @@ int check_main_config(char *config_dir) {
- 		/* Private key check
- 		 */
- 		mbedtls_pk_init(&private_key);
--		if (mbedtls_pk_parse_keyfile(&private_key, needle->value, NULL, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE) != 0) {
-+		if (mbedtls_pk_parse_keyfile(&private_key, needle->value, NULL) != 0) {
- 			printf("Error loading private key from %s.\n", needle->value);
- 			errors++;
- 			goto next_crt;
-@@ -601,7 +601,7 @@ int check_main_config(char *config_dir) {
- 			goto next_crt;
- 		}
- 
--		if (certificate.MBEDTLS_PRIVATE(sig_md) < MBEDTLS_MD_SHA256) {
-+		if (certificate.sig_md < MBEDTLS_MD_SHA256) {
- 			printf("Warning: the certificate signature algoritm in %s should at least be SHA256.\n", needle->value);
- 		}
- 
diff --git a/www/hiawatha/Makefile b/www/hiawatha/Makefile
index 334e8a9cb649..35a2695cfa7f 100644
--- a/www/hiawatha/Makefile
+++ b/www/hiawatha/Makefile
@@ -1,6 +1,5 @@
 PORTNAME=	hiawatha
-PORTVERSION=	11.2
-PORTREVISION=	1
+PORTVERSION=	11.3
 CATEGORIES=	www
 MASTER_SITES=	https://www.hiawatha-webserver.org/files/
 
@@ -11,17 +10,15 @@ WWW=		https://www.hiawatha-webserver.org/
 LICENSE=	GPLv2
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
-LIB_DEPENDS=	libmbedtls.so:security/mbedtls
-
 USES=		cmake:insource compiler:c11 cpe localbase:ldflags shebangfix
 CPE_VENDOR=	${PORTNAME}-webserver
 USE_RC_SUBR=	hiawatha
+USE_LDCONFIG=	yes
 SHEBANG_FILES=	extra/letsencrypt/lefh.in
 
 CMAKE_ARGS=	-DCMAKE_INSTALL_LOCALSTATEDIR=/var \
 		-DWEBROOT_DIR=${WWWDIR} \
 		-DWORK_DIR=/var/db/${PORTNAME}
-CMAKE_ON=	USE_SYSTEM_MBEDTLS
 
 OPTIONS_DEFINE=		CACHE CGIWRAPPER LEFH LOADCHECK MONITOR RPROXY TOMAHAWK \
 			TOOLKIT XSLT
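Review bot: Dropping `LIB_DEPENDS=	libmbedtls.so:security/mbedtls` and `CMAKE_ON=	USE_SYSTEM_MBEDTLS` makes the port ship its own mbed TLS (the pkg-plist hunk lists `lib/hiawatha/libmbedtls.so.3.3.0`). Advisories and updates for the security/mbedtls package will therefore no longer flag or fix the copy this server uses. I would record that next to `USES=`, for example `# Bundles mbed TLS 3.3.0; update this port when mbed TLS security fixes are released`. Separately, `USE_LDCONFIG=	yes` registers `${PREFIX}/lib`, but the libraries are installed under `lib/hiawatha`. If the binaries have no rpath to that directory (not visible in this diff), the line would need to be `USE_LDCONFIG=	${PREFIX}/lib/hiawatha`; if they do, it can probably be dropped.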
diff --git a/www/hiawatha/distinfo b/www/hiawatha/distinfo
index 3352a5fbd423..f7b1205d4e82 100644
--- a/www/hiawatha/distinfo
+++ b/www/hiawatha/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1661965966
-SHA256 (hiawatha-11.2.tar.gz) = 99c64f76927f93469f062ab76b74eb79a397ea4be12da86bf746b2bb57cf1bc5
-SIZE (hiawatha-11.2.tar.gz) = 1583611
+TIMESTAMP = 1675038439
+SHA256 (hiawatha-11.3.tar.gz) = d564349661bf86005cea5b0697183bcf61802ec3d53722746474ef7e05a6385a
+SIZE (hiawatha-11.3.tar.gz) = 1669963
diff --git a/www/hiawatha/pkg-plist b/www/hiawatha/pkg-plist
index e367f60d400b..4fad6b1099b7 100644
--- a/www/hiawatha/pkg-plist
+++ b/www/hiawatha/pkg-plist
@@ -1,4 +1,95 @@
 bin/ssi-cgi
+include/mbedtls/aes.h
+include/mbedtls/aria.h
+include/mbedtls/asn1.h
+include/mbedtls/asn1write.h
+include/mbedtls/base64.h
+include/mbedtls/bignum.h
+include/mbedtls/build_info.h
+include/mbedtls/camellia.h
+include/mbedtls/ccm.h
+include/mbedtls/chacha20.h
+include/mbedtls/chachapoly.h
+include/mbedtls/check_config.h
+include/mbedtls/cipher.h
+include/mbedtls/cmac.h
+include/mbedtls/compat-2.x.h
+include/mbedtls/config_psa.h
+include/mbedtls/constant_time.h
+include/mbedtls/ctr_drbg.h
+include/mbedtls/debug.h
+include/mbedtls/des.h
+include/mbedtls/dhm.h
+include/mbedtls/ecdh.h
+include/mbedtls/ecdsa.h
+include/mbedtls/ecjpake.h
+include/mbedtls/ecp.h
+include/mbedtls/entropy.h
+include/mbedtls/error.h
+include/mbedtls/gcm.h
+include/mbedtls/hkdf.h
+include/mbedtls/hmac_drbg.h
+include/mbedtls/legacy_or_psa.h
+include/mbedtls/lms.h
+include/mbedtls/mbedtls_config.h
+include/mbedtls/md.h
+include/mbedtls/md5.h
+include/mbedtls/memory_buffer_alloc.h
+include/mbedtls/net_sockets.h
+include/mbedtls/nist_kw.h
+include/mbedtls/oid.h
+include/mbedtls/pem.h
+include/mbedtls/pk.h
+include/mbedtls/pkcs12.h
+include/mbedtls/pkcs5.h
+include/mbedtls/pkcs7.h
+include/mbedtls/platform.h
+include/mbedtls/platform_time.h
+include/mbedtls/platform_util.h
+include/mbedtls/poly1305.h
+include/mbedtls/private_access.h
+include/mbedtls/psa_util.h
+include/mbedtls/ripemd160.h
+include/mbedtls/rsa.h
+include/mbedtls/sha1.h
+include/mbedtls/sha256.h
+include/mbedtls/sha512.h
+include/mbedtls/ssl.h
+include/mbedtls/ssl_cache.h
+include/mbedtls/ssl_ciphersuites.h
+include/mbedtls/ssl_cookie.h
+include/mbedtls/ssl_ticket.h
+include/mbedtls/threading.h
+include/mbedtls/timing.h
+include/mbedtls/version.h
+include/mbedtls/x509.h
+include/mbedtls/x509_crl.h
+include/mbedtls/x509_crt.h
+include/mbedtls/x509_csr.h
+include/psa/crypto.h
+include/psa/crypto_builtin_composites.h
+include/psa/crypto_builtin_primitives.h
+include/psa/crypto_compat.h
+include/psa/crypto_config.h
+include/psa/crypto_driver_common.h
+include/psa/crypto_driver_contexts_composites.h
+include/psa/crypto_driver_contexts_primitives.h
+include/psa/crypto_extra.h
+include/psa/crypto_platform.h
+include/psa/crypto_se_driver.h
+include/psa/crypto_sizes.h
+include/psa/crypto_struct.h
+include/psa/crypto_types.h
+include/psa/crypto_values.h
+lib/hiawatha/libmbedcrypto.so
+lib/hiawatha/libmbedcrypto.so.13
+lib/hiawatha/libmbedcrypto.so.3.3.0
+lib/hiawatha/libmbedtls.so
+lib/hiawatha/libmbedtls.so.19
+lib/hiawatha/libmbedtls.so.3.3.0
+lib/hiawatha/libmbedx509.so
+lib/hiawatha/libmbedx509.so.3.3.0
+lib/hiawatha/libmbedx509.so.4
 @sample %%ETCDIR%%/cgi-wrapper.conf.sample
 @sample %%ETCDIR%%/error.xslt.sample
 @sample %%ETCDIR%%/hiawatha.conf.sample
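Review bot: The added `include/mbedtls/*.h` and `include/psa/*.h` entries install the bundled mbed TLS 3.3.0 headers into the shared include directory, while the libraries go to the private `lib/hiawatha/` directory. These are presumably the same paths a separately installed security/mbedtls package owns, which would make the two packages conflict on install. Other software built on the host could also compile against these headers while linking a different mbed TLS library. A web server does not need the headers at run time, so I would leave them out of the stage directory and the plist. If they must stay, declare the conflict in the Makefile, e.g. `CONFLICTS_INSTALL=	mbedtls`, after confirming the exact package name.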