Thanks for your review and the comments, Simon!

I've prepared another patchset (on top of base commit: 14323edcc37d9efaae2491cf5f57ea0621412d7e).  Since there are so many applications relying on mbedtls v2 I figured it would be best to introduce mbedtls-apache3 to allow gradually upgrading the packages affected -- MbedTLS breaks parts of its old API.