diff --git a/bufferevent_mbedtls.c b/bufferevent_mbedtls.c
index f42da2ae..ca96f723 100644
--- a/bufferevent_mbedtls.c
+++ b/bufferevent_mbedtls.c
@@ -24,8 +24,15 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
+
+/* Mbed-TLS 3.x does not currently expose a function to retrieve
+ the bio parameters from the SSL object. When the above issue has been
+ fixed, remove the MBEDTLS_ALLOW_PRIVATE_ACCESS define and use the
+ appropriate getter function in bufferevent_mbedtls_socket_new rather than
+ accessing the struct fields directly. */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include "mbedtls-compat.h"
-#include
+#include
 #include
 #include
diff --git a/cmake/FindMbedTLS.cmake b/cmake/FindMbedTLS.cmake
index ee46bf28..39ff8204 100644
--- a/cmake/FindMbedTLS.cmake
+++ b/cmake/FindMbedTLS.cmake
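Review bot: The new comment says "when the above issue has been fixed" but nothing above it names an issue, so a later maintainer cannot tell which upstream report gates removing the define; put the reference inline, e.g. `/* See <upstream issue reference>: Mbed-TLS 3.x does not expose a getter for the bio parameters of the SSL object ... */`. Defining `MBEDTLS_ALLOW_PRIVATE_ACCESS` opts this translation unit into Mbed-TLS 3.x's private struct layout, which upstream does not promise to keep stable between releases, so the direct field access in bufferevent_mbedtls_socket_new (outside this hunk) is only correct when the headers used at build time match the library loaded at run time; that constraint belongs in the same comment so the next Mbed-TLS bump re-checks it. The targets of the changed `#include` lines are not visible in this rendering, so I cannot confirm what was swapped.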
@@ -75,16 +75,29 @@ find_path(MBEDTLS_INCLUDE_DIR ${_EXTRA_FIND_ARGS})
 # based on https://github.com/ARMmbed/mbedtls/issues/298
-if(MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
- file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" VERSION_STRING_LINE REGEX "^#define MBEDTLS_VERSION_STRING[ \\t\\n\\r]+\"[^\"]*\"$")
- file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" VERSION_MAJOR_LINE REGEX "^#define MBEDTLS_VERSION_MAJOR[ \\t\\n\\r]+[0-9]+$")
- file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" VERSION_MINOR_LINE REGEX "^#define MBEDTLS_VERSION_MINOR[ \\t\\n\\r]+[0-9]+$")
- file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" VERSION_PATCH_LINE REGEX "^#define MBEDTLS_VERSION_PATCH[ \\t\\n\\r]+[0-9]+$")
+function(mbedtls_get_version_numbers FILE)
+ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/${FILE}" VERSION_STRING_LINE REGEX "^#define MBEDTLS_VERSION_STRING[ \\t\\n\\r]+\"[^\"]*\"$")
+ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/${FILE}" VERSION_MAJOR_LINE REGEX "^#define MBEDTLS_VERSION_MAJOR[ \\t\\n\\r]+[0-9]+$")
+ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/${FILE}" VERSION_MINOR_LINE REGEX "^#define MBEDTLS_VERSION_MINOR[ \\t\\n\\r]+[0-9]+$")
+ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/${FILE}" VERSION_PATCH_LINE REGEX "^#define MBEDTLS_VERSION_PATCH[ \\t\\n\\r]+[0-9]+$")
 string(REGEX REPLACE "^#define MBEDTLS_VERSION_STRING[ \\t\\n\\r]+\"([^\"]*)\"$" "\\1" MBEDTLS_VERSION "${VERSION_STRING_LINE}")
 string(REGEX REPLACE "^#define MBEDTLS_VERSION_MAJOR[ \\t\\n\\r]+([0-9]+)$" "\\1" MBEDTLS_VERSION_MAJOR "${VERSION_MAJOR_LINE}")
 string(REGEX REPLACE "^#define MBEDTLS_VERSION_MINOR[ \\t\\n\\r]+([0-9]+)$" "\\1" MBEDTLS_VERSION_MINOR "${VERSION_MINOR_LINE}")
 string(REGEX REPLACE "^#define MBEDTLS_VERSION_PATCH[ \\t\\n\\r]+([0-9]+)$" "\\1" MBEDTLS_VERSION_PATCH "${VERSION_PATCH_LINE}")
+
+ set(MBEDTLS_VERSION "${MBEDTLS_VERSION}" PARENT_SCOPE)
+ set(MBEDTLS_VERSION_MAJOR "${MBEDTLS_VERSION_MAJOR}" PARENT_SCOPE)
+ set(MBEDTLS_VERSION_MINOR "${MBEDTLS_VERSION_MINOR}" PARENT_SCOPE)
+ set(MBEDTLS_VERSION_PATCH "${MBEDTLS_VERSION_PATCH}" PARENT_SCOPE)
+endfunction()
+
+if(MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
+ mbedtls_get_version_numbers("mbedtls/version.h")
+
+ if ("${MBEDTLS_VERSION}" STREQUAL "")
+ mbedtls_get_version_numbers("mbedtls/build_info.h")
+ endif()
 endif()
diff --git a/mbedtls-compat.h b/mbedtls-compat.h
index 34148e5b..b50ccd23 100644
--- a/mbedtls-compat.h
+++ b/mbedtls-compat.h
@@ -2,10 +2,29 @@
 #define MBEDTLS_COMPAT_H
 #include
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+# if defined(__clang__)
+# pragma clang diagnostic push
+# pragma clang diagnostic ignored "-Wcpp"
+# elif defined(__GNUC__)
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wcpp"
+# endif
+
+# include
+
+# if defined(__clang__)
+# pragma clang diagnostic pop
+# elif defined(__GNUC__)
+# pragma GCC diagnostic pop
+# endif
+#endif // MBEDTLS_VERSION_MAJOR >= 3
+
 #if MBEDTLS_VERSION_MAJOR < 2 || (MBEDTLS_VERSION_MAJOR == 2 && MBEDTLS_VERSION_MINOR < 4)
-#include
+# include
 #else
-#include
+# include
 #endif
 #endif // LIBEVENT_MBEDTLS_COMPAT_H
diff --git a/test/regress_mbedtls.c b/test/regress_mbedtls.c
index f9286fca..6822fece 100644
--- a/test/regress_mbedtls.c
+++ b/test/regress_mbedtls.c
@@ -27,6 +27,7 @@
 #define EVENT_VISIBILITY_WANT_DLLIMPORT
 #include "event2/util.h"
+#include
 #include
 #include
 #include
@@ -94,6 +95,20 @@ mbedtls_debug(
 line, loglen, str));
 }
+static int
+mbedtls_rng(void* ctx, unsigned char* buffer, size_t len)
+{
+ int rc;
+
+ (void)ctx;
+
+ rc = evutil_secure_rng_init();
+ if (rc != 0)
+ return rc;
+ evutil_secure_rng_get_bytes(buffer, len);
+ return 0;
+}
+
 static mbedtls_pk_context *
 mbedtls_getkey(void)
 {
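Review bot: The fallback `mbedtls_get_version_numbers("mbedtls/build_info.h")` runs whenever version.h yielded an empty version string, without checking that build_info.h exists, and if I recall correctly `file(STRINGS ...)` on a missing file is a fatal configure error rather than an empty result, so a 2.x install whose version.h merely fails the regex would now abort configuration; guard it with `if ("${MBEDTLS_VERSION}" STREQUAL "" AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")`. When neither file produces a version the four variables stay empty silently and any later version comparison in this module sees an empty string, so a `message(WARNING "Could not determine Mbed-TLS version from ${MBEDTLS_INCLUDE_DIR}")` in that case would make the failure visible instead of deferred. The helper also reads `MBEDTLS_INCLUDE_DIR` from the enclosing scope rather than taking the full path as its argument, which makes it harder to reuse and to test on its own.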
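Review bot: `#if MBEDTLS_VERSION_MAJOR >= 3` evaluates an undefined macro as 0, so if the version header included on the context line above does not define `MBEDTLS_VERSION_MAJOR` (or include order changes later), the whole 3.x block is silently skipped and the existing `< 2` test below it selects the legacy include path with no diagnostic; add `#ifndef MBEDTLS_VERSION_MAJOR` / `# error "MBEDTLS_VERSION_MAJOR is not defined; include the Mbed-TLS version header first"` / `#endif` ahead of the first `#if`. The `-Wcpp` push/pop silences every preprocessor `#warning` emitted by the header included inside it, which is acceptable for a known deprecation notice but will also hide any future warning Mbed-TLS adds there; a one-line comment naming the specific warning being suppressed would let the next maintainer retire the pragma once it no longer fires. The name of the header included inside the block is not visible in this rendering, so I cannot confirm which warning that is.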
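Review bot: `mbedtls_rng` is a file-static function whose only caller in this commit sits under `#if MBEDTLS_VERSION_MAJOR >= 3` in mbedtls_getkey (the next hunk), so on Mbed-TLS 2.x builds it is defined but never referenced and will trigger `-Wunused-function`; wrap the definition in the same `#if MBEDTLS_VERSION_MAJOR >= 3` / `#endif` pair. Passing the raw non-zero result of `evutil_secure_rng_init()` back to Mbed-TLS does signal failure, but it is not an `MBEDTLS_ERR_*` code, so a failed RNG init would surface as an unknown error in the test log; `return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;` keeps the failure legible. The `void* ctx` / `unsigned char* buffer` spelling also differs from the `type *name` pointer style used on the surrounding lines of this file.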
@@ -101,8 +116,13 @@ mbedtls_getkey(void)
 mbedtls_pk_context *pk = malloc(sizeof(mbedtls_pk_context));
 tt_assert(pk);
 mbedtls_pk_init(pk);
- ret = mbedtls_pk_parse_key(
- pk, (const unsigned char *)KEY, sizeof(KEY), NULL, 0);
+ ret = mbedtls_pk_parse_key(pk,
+ (const unsigned char *)KEY, sizeof(KEY),
+ NULL, 0
+#if MBEDTLS_VERSION_MAJOR >= 3
+ , mbedtls_rng, NULL
+#endif
+ );
 tt_assert(ret == 0);
 return pk;
 end:
@@ -214,10 +234,13 @@ get_mbedtls_config(int endpoint)
 MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
 mbedtls_ssl_conf_rng(
 the_mbedtls_conf[endpoint], mbedtls_ctr_drbg_random, &ctr_drbg);
+#if MBEDTLS_VERSION_MAJOR < 3
+ /* Mbed-TLS 3 doesn't support anything below TLS v1.2 */
 if (disable_tls_11_and_12) {
 mbedtls_ssl_conf_max_version(the_mbedtls_conf[endpoint],
 MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1);
 }
+#endif
 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
 mbedtls_ssl_conf_own_cert(
 the_mbedtls_conf[endpoint], the_cert, the_key);
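Review bot: Splicing `#if MBEDTLS_VERSION_MAJOR >= 3` into the middle of the argument list leaves `NULL, 0` dangling with no terminator on one line and a leading-comma continuation `, mbedtls_rng, NULL` on the next, which is hard to read and will be mangled by any formatter; two complete calls selected by the conditional say the same thing plainly. The behaviour is unchanged either way, since the extra arguments are only passed on 3.x. mbedtls_getkey begins and ends outside this hunk. The rewritten call is below.

```c
#if MBEDTLS_VERSION_MAJOR >= 3
	ret = mbedtls_pk_parse_key(pk,
	    (const unsigned char *)KEY, sizeof(KEY), NULL, 0,
	    mbedtls_rng, NULL);
#else
	ret = mbedtls_pk_parse_key(pk,
	    (const unsigned char *)KEY, sizeof(KEY), NULL, 0);
#endif
	/* … unchanged: tt_assert(ret == 0) and return … */
```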
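Review bot: On Mbed-TLS 3 the `disable_tls_11_and_12` branch is compiled out entirely, so a test that sets that flag expecting the configured maximum version to drop to TLS 1.0 now silently runs with the default version set and its handshake expectation may no longer hold; whichever test sets the flag (outside this hunk) should skip on 3.x, or the conditional should gain an `#else` that at least keeps the flag referenced, e.g. `#else` / `(void)disable_tls_11_and_12; /* TLS < 1.2 cannot be negotiated on Mbed-TLS 3 */`. The comment `/* Mbed-TLS 3 doesn't support anything below TLS v1.2 */` is placed inside the `< 3` branch, where the code it sits on is the one that still works, so it reads better directly above `#if MBEDTLS_VERSION_MAJOR < 3` as `/* Capping at TLS 1.0 is only possible on Mbed-TLS 2.x; 3.x supports nothing below TLS 1.2 */`. get_mbedtls_config continues outside the hunk.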