--- /dev/null
+++ b/package/libs/mbedtls/patches/102-extended_key_usage.patch
@@ -0,0 +1,72 @@
+--- a/include/mbedtls/x509_crt.h
++++ b/include/mbedtls/x509_crt.h
+@@ -1034,6 +1034,19 @@ int mbedtls_x509write_crt_set_key_usage(
+                                         unsigned int key_usage);
+ 
+ /**
++ * \brief           Set the Extended Key Usage Extension
++ *                  (e.g. MBEDTLS_OID_SERVER_AUTH)
++ *
++ * \param ctx       CRT context to use
++ * \param exts      extended key usage extensions to set, a sequence of
++ *                  MBEDTLS_ASN1_OID objects
++ *
++ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
++ */
++int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx,
++                                             const mbedtls_asn1_sequence *exts );
++
++/**
+  * \brief           Set the Netscape Cert Type flags
+  *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
+  *
+--- a/library/x509write_crt.c
++++ b/library/x509write_crt.c
+@@ -276,6 +276,47 @@ int mbedtls_x509write_crt_set_key_usage(
+     return 0;
+ }
+ 
++int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx,
++                                            const mbedtls_asn1_sequence *exts)
++{
++    unsigned char buf[256];
++    unsigned char *c = buf + sizeof(buf);
++    int ret;
++    size_t len = 0;
++    const mbedtls_asn1_sequence *last_ext = NULL;
++    const mbedtls_asn1_sequence *ext;
++
++    memset(buf, 0, sizeof(buf));
++
++    /* We need at least one extension: SEQUENCE SIZE (1..MAX) OF KeyPurposeId */
++    if (exts == NULL) {
++        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
++    }
++
++    /* Iterate over exts backwards, so we write them out in the requested order */
++    while (last_ext != exts) {
++        for (ext = exts; ext->next != last_ext; ext = ext->next) {
++        }
++        if (ext->buf.tag != MBEDTLS_ASN1_OID) {
++            return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
++        }
++        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(&c, buf, ext->buf.p, ext->buf.len));
++        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, ext->buf.len));
++        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_OID));
++        last_ext = ext;
++    }
++
++    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
++    MBEDTLS_ASN1_CHK_ADD(len,
++                         mbedtls_asn1_write_tag(&c, buf,
++                                                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
++
++    return mbedtls_x509write_crt_set_extension(ctx,
++                                               MBEDTLS_OID_EXTENDED_KEY_USAGE,
++                                               MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE),
++                                               1, c, len);
++}
++
+ int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx,
+                                            unsigned char ns_cert_type)
+ {
+