diff --git a/contrib/src/gnutls/SHA512SUMS b/contrib/src/gnutls/SHA512SUMS
new file mode 100644
index 0000000000000000000000000000000000000000..d6b2d98fe4565cdf18a562009057b1432dd7f30e
--- /dev/null
+++ b/contrib/src/gnutls/SHA512SUMS
@@ -0,0 +1 @@
+3205fcfe3344f777f5c8d2162de2ac338cfdfabaa55d7b829e59160cfec434651f704a9bac355f5003d1841448c4b0303dc6e06a935801aa922504b297bdd093  gnutls-3.1.25.tar.xz
diff --git a/contrib/src/gnutls/downgrade-automake-requirement.patch b/contrib/src/gnutls/downgrade-automake-requirement.patch
new file mode 100644
index 0000000000000000000000000000000000000000..62b156d98834898384667a2fed83f3eb1d6c0bc2
--- /dev/null
+++ b/contrib/src/gnutls/downgrade-automake-requirement.patch
@@ -0,0 +1,11 @@
+--- gnutls-3.1.14/configure.ac.orig	2013-09-17 18:17:09.840217108 +0200
++++ gnutls-3.1.14/configure.ac	2013-09-17 18:19:36.609535012 +0200
+@@ -26,7 +26,7 @@
+ AC_CONFIG_MACRO_DIR([m4])
+ AC_CANONICAL_HOST
+ 
+-AM_INIT_AUTOMAKE([1.12.2 no-dist-gzip dist-xz dist-lzip -Wall -Wno-override])
++AM_INIT_AUTOMAKE([1.11.1 no-dist-gzip dist-xz -Wall -Wno-override])
+ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+ AC_CONFIG_HEADERS([config.h])
+ 
diff --git a/contrib/src/gnutls/gnutls-no-egd.patch b/contrib/src/gnutls/gnutls-no-egd.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c0e3407570a641c479d38b1bd22c01473b4aebec
--- /dev/null
+++ b/contrib/src/gnutls/gnutls-no-egd.patch
@@ -0,0 +1,81 @@
+diff -ru gnutls.orig/lib/nettle/rnd.c gnutls/lib/nettle/rnd.c
+--- gnutls-3.1.10/lib/nettle/Makefile.am.orig	2013-03-25 14:41:50.265377296 +0100
++++ gnutls-3.1.10/lib/nettle/Makefile.am	2013-03-25 14:50:17.436084975 +0100
+@@ -33,7 +33,7 @@
+ 
+ noinst_LTLIBRARIES = libcrypto.la
+ 
+-libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c rnd.c init.c egd.c egd.h \
++libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c rnd.c init.c \
+ 	multi.c wmnaf.c ecc_free.c ecc.h ecc_make_key.c ecc_shared_secret.c \
+ 	ecc_map.c ecc_mulmod.c ecc_mulmod_cached.c \
+ 	ecc_points.c ecc_projective_dbl_point_3.c ecc_projective_isneutral.c \
+--- gnutls-3.1.10/lib/nettle/Makefile.in.orig	2013-03-25 14:41:50.268710655 +0100
++++ gnutls-3.1.10/lib/nettle/Makefile.in	2013-03-25 14:51:42.180123726 +0100
+@@ -219,7 +219,7 @@
+ LTLIBRARIES = $(noinst_LTLIBRARIES)
+ libcrypto_la_LIBADD =
+ am_libcrypto_la_OBJECTS = pk.lo mpi.lo mac.lo cipher.lo rnd.lo init.lo \
+-	egd.lo multi.lo wmnaf.lo ecc_free.lo ecc_make_key.lo \
++	multi.lo wmnaf.lo ecc_free.lo ecc_make_key.lo \
+ 	ecc_shared_secret.lo ecc_map.lo ecc_mulmod.lo \
+ 	ecc_mulmod_cached.lo ecc_points.lo \
+ 	ecc_projective_dbl_point_3.lo ecc_projective_isneutral.lo \
+@@ -1536,7 +1536,7 @@
+ 	-I$(srcdir)/../includes -I$(builddir)/../includes \
+ 	-I$(builddir)/../../gl -I$(srcdir)/.. $(am__append_1)
+ noinst_LTLIBRARIES = libcrypto.la
+-libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c rnd.c init.c egd.c egd.h \
++libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c rnd.c init.c \
+ 	multi.c wmnaf.c ecc_free.c ecc.h ecc_make_key.c ecc_shared_secret.c \
+ 	ecc_map.c ecc_mulmod.c ecc_mulmod_cached.c \
+ 	ecc_points.c ecc_projective_dbl_point_3.c ecc_projective_isneutral.c \
+@@ -1610,7 +1610,6 @@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ecc_shared_secret.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ecc_sign_hash.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ecc_verify_hash.Plo@am__quote@
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/egd.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/init.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mpi.Plo@am__quote@
+--- gnutls-3.1.10/lib/nettle/rnd.c.orig	2013-03-21 21:42:28.000000000 +0100
++++ gnutls-3.1.10/lib/nettle/rnd.c	2013-03-25 14:52:50.004027534 +0100
+@@ -205,7 +205,7 @@
+ #include <sys/time.h>
+ #include <fcntl.h>
+ #include <locks.h>
+-#include "egd.h"
++//#include "egd.h"
+ 
+ #define DEVICE_READ_SIZE 16
+ #define DEVICE_READ_SIZE_MAX 32
+@@ -276,6 +276,7 @@
+   return 0;
+ }
+ 
++#if 0
+ static int
+ do_device_source_egd (int init)
+ {
+@@ -329,6 +330,7 @@
+     }
+   return 0;
+ }
++#endif
+ 
+ static int
+ do_device_source (int init)
+@@ -346,11 +348,13 @@
+ 
+       do_source = do_device_source_urandom;
+       ret = do_source (init);
++#if 0
+       if (ret < 0)
+         {
+           do_source = do_device_source_egd;
+           ret = do_source (init);
+         }
++#endif
+ 
+       if (ret < 0)
+         {
diff --git a/contrib/src/gnutls/gnutls-pkgconfig-osx.patch b/contrib/src/gnutls/gnutls-pkgconfig-osx.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37cbc670e82ab096380a63908679e75f106b32f4
--- /dev/null
+++ b/contrib/src/gnutls/gnutls-pkgconfig-osx.patch
@@ -0,0 +1,51 @@
+--- a/m4/intlmacosx.m4.orig	2014-06-25 17:40:22.000000000 -0400
++++ b/m4/intlmacosx.m4	2014-06-25 17:40:29.000000000 -0400
+@@ -43,9 +43,25 @@
+     AC_DEFINE([HAVE_CFLOCALECOPYCURRENT], [1],
+       [Define to 1 if you have the MacOS X function CFLocaleCopyCurrent in the CoreFoundation framework.])
+   fi
++  AC_CACHE_CHECK([for SecTrustCopyAnchorCertificates],
++    [SecTrustCopyAnchorCertificates],
++    [gt_save_LIBS="$LIBS"
++     LIBS="$LIBS -Wl,-framework -Wl,Security"
++     AC_TRY_LINK([#include <Security/SecTrust.h>],
++       [SecTrustCopyAnchorCertificates(NULL)],
++       [gt_cv_func_SecTrustCopyAnchorCertificates=yes],
++       [gt_cv_func_SecTrustCopyAnchorCertificates=no])
++     LIBS="$gt_save_LIBS"])
++  if test $gt_cv_func_SecTrustCopyAnchorCertificates = yes; then
++    AC_DEFINE([HAVE_SecTrustCopyAnchorCertificates], [1],
++      [Define to 1 if you have the MacOS X function SecTrustCopyAnchorCertificates in the Security framework.])
++  fi
+   INTL_MACOSX_LIBS=
+   if test $gt_cv_func_CFPreferencesCopyAppValue = yes || test $gt_cv_func_CFLocaleCopyCurrent = yes; then
+-    INTL_MACOSX_LIBS="-Wl,-framework -Wl,CoreFoundation"
++    INTL_MACOSX_LIBS+="-Wl,-framework -Wl,CoreFoundation "
++  fi
++  if test $gt_cv_func_SecTrustCopyAnchorCertificates = yes; then
++    INTL_MACOSX_LIBS+="-Wl,-framework -Wl,Security "
+   fi
+   AC_SUBST([INTL_MACOSX_LIBS])
+ ])
+
+--- a/lib/gnutls.pc.in.orig	2014-06-25 17:42:26.000000000 -0400
++++ b/lib/gnutls.pc.in	2014-06-25 17:42:35.000000000 -0400
+@@ -19,6 +19,6 @@
+ Version: @VERSION@
+ Libs: -L${libdir} -lgnutls
+-Libs.private: @LTLIBNETTLE@ @LTLIBZ@ @LTLIBINTL@ @LIBSOCKET@ @LTLIBPTHREAD@ @LTLIBICONV@ @P11_KIT_LIBS@ @LIB_SELECT@ @TSS_LIBS@ @LIB_CLOCK_GETTIME@ @GMP_LIBS@
++Libs.private: @LTLIBNETTLE@ @LTLIBZ@ @LTLIBINTL@ @LIBSOCKET@ @LTLIBPTHREAD@ @LTLIBICONV@ @P11_KIT_LIBS@ @LIB_SELECT@ @TSS_LIBS@ @LIB_CLOCK_GETTIME@ @GMP_LIBS@ @INTL_MACOSX_LIBS@
+ @GNUTLS_REQUIRES_PRIVATE@
+ Cflags: -I${includedir}
+
+--- a/libdane/gnutls-dane.pc.in.orig	2014-06-25 17:57:29.000000000 -0400
++++ b/libdane/gnutls-dane.pc.in	2014-06-25 17:57:39.000000000 -0400
+@@ -19,7 +19,7 @@
+ Description: DANE security library for the GNU system
+ URL: http://www.gnu.org/software/gnutls/
+ Version: @VERSION@
+-Libs: -L${libdir} -lgnutls-dane
++Libs: -L${libdir} -lgnutls-dane @INTL_MACOSX_LIBS@
+ Libs.private: @UNBOUND_LIBS@
+ Requires.private: gnutls
+ Cflags: -I${includedir}
diff --git a/contrib/src/gnutls/gnutls-win32.patch b/contrib/src/gnutls/gnutls-win32.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c0c540ab4322d7c5e26a91b70bd3c09cf99bb9d2
--- /dev/null
+++ b/contrib/src/gnutls/gnutls-win32.patch
@@ -0,0 +1,28 @@
+--- gnutls-2.12.20/gl/gai_strerror.c.orig	2012-03-01 16:45:12.000000000 +0100
++++ gnutls-2.12.20/gl/gai_strerror.c	2012-09-27 14:39:30.273584236 +0200
+@@ -75,7 +75,7 @@
+     { EAI_IDN_ENCODE, N_("Parameter string not correctly encoded") }
+ #endif
+   };
+-
++#ifndef _WIN32
+ const char *
+ gai_strerror (int code)
+ {
+@@ -89,4 +89,5 @@
+ # ifdef _LIBC
+ libc_hidden_def (gai_strerror)
+ # endif
++#endif
+ #endif /* !HAVE_DECL_GAI_STRERROR */
+--- gnutls-3.1.14/lib/gnutls.pc.in.orig	2013-09-17 18:14:16.270374773 +0200
++++ gnutls-3.1.14/lib/gnutls.pc.in	2013-09-17 18:16:10.232464936 +0200
+@@ -18,7 +18,7 @@
+ Description: Transport Security Layer implementation for the GNU system
+ URL: http://www.gnutls.org/
+ Version: @VERSION@
+-Libs: -L${libdir} -lgnutls
++Libs: -L${libdir} -lgnutls -lws2_32 -lcrypt32 @LTLIBINTL@
+ Libs.private: @LTLIBNETTLE@ @LTLIBZ@ @LTLIBINTL@ @LIBSOCKET@ @LTLIBPTHREAD@ @LTLIBICONV@ @P11_KIT_LIBS@ @LIB_SELECT@ @TSS_LIBS@ @LIB_CLOCK_GETTIME@ @GMP_LIBS@
+ @GNUTLS_REQUIRES_PRIVATE@
+ Cflags: -I${includedir}
diff --git a/contrib/src/gnutls/mac-keychain-lookup.patch b/contrib/src/gnutls/mac-keychain-lookup.patch
new file mode 100644
index 0000000000000000000000000000000000000000..81e21c215b5fcc8baa6cf8e189653feadf248fc8
--- /dev/null
+++ b/contrib/src/gnutls/mac-keychain-lookup.patch
@@ -0,0 +1,74 @@
+diff -ru gnutls-old/lib/Makefile.am gnutls/lib/Makefile.am
+--- gnutls-old/lib/Makefile.am	2013-06-02 19:33:57.000000000 +0200
++++ gnutls/lib/Makefile.am	2013-11-10 13:28:18.000000000 +0100
+@@ -152,6 +152,10 @@
+ DISTCLEANFILES += $(defexec_DATA)
+ endif
+ 
++if MACOSX
++libgnutls_la_LDFLAGS +=  -Wl,-framework,Security,-framework,CoreFoundation
++endif
++
+ if WINDOWS
+ thirdparty_libadd += -lcrypt32
+ endif
+diff -ru gnutls-old/lib/system.c gnutls/lib/system.c
+--- gnutls-old/lib/system.c	2013-04-10 22:25:51.000000000 +0200
++++ gnutls/lib/system.c	2013-11-10 13:30:31.000000000 +0100
+@@ -57,6 +57,15 @@
+ #undef send
+ #undef select
+ 
++#ifdef __APPLE__
++#include "TargetConditionals.h"
++#ifdef TARGET_OS_MAC
++#define _UINT64
++#include <Security/Security.h>
++#include <Security/SecCertificate.h>
++#endif
++#endif
++
+ /* System specific function wrappers.
+  */
+ 
+@@ -550,6 +559,40 @@
+ 
+   return r;
+ }
++#elif defined(__APPLE__)
++#if TARGET_OS_MAC
++static
++int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, unsigned int tl_vflags)
++{
++    CFArrayRef anchors;
++    int ret = 0;
++    if (SecTrustCopyAnchorCertificates(&anchors) != 0)
++        return -1;
++
++    CFIndex count = CFArrayGetCount(anchors);
++    for (int i = 0; i < count; i++) {
++        SecCertificateRef certref = (SecCertificateRef)CFArrayGetValueAtIndex(anchors, i);
++
++        CSSM_DATA certData;
++        SecCertificateGetData(certref, &certData);
++        gnutls_datum data = {
++            .data = certData.Data,
++            .size = certData.Length,
++        };
++
++        if (!gnutls_x509_trust_list_add_trust_mem(list, &data, NULL, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags))
++            printf("cannot add x509 credentials\n");
++        else
++            ret++;
++    }
++    CFRelease(anchors);
++
++    return ret;
++}
++
++#else
++#define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE
++#endif
+ #else
+ 
+ #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE
diff --git a/contrib/src/gnutls/no-create-time-h.patch b/contrib/src/gnutls/no-create-time-h.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d355c7cc6b3603e17c465dd51bee517b70ddf756
--- /dev/null
+++ b/contrib/src/gnutls/no-create-time-h.patch
@@ -0,0 +1,11 @@
+--- gnutls/gl/Makefile.am	2011-04-07 17:30:44.000000000 -0700
++++ gnutls/gl/Makefile.am	2012-03-02 19:51:53.576555217 -0800
+@@ -891,7 +891,7 @@ EXTRA_DIST += sys_stat.in.h
+ 
+ ## begin gnulib module time
+ 
+-BUILT_SOURCES += time.h
++#BUILT_SOURCES += time.h
+ 
+ # We need the following in order to create <time.h> when the system
+ # doesn't have one that works with the given compiler.
diff --git a/contrib/src/gnutls/read-file-limits.h.patch b/contrib/src/gnutls/read-file-limits.h.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b13b1a88f482bce0d18cb239132237313b5cfd0b
--- /dev/null
+++ b/contrib/src/gnutls/read-file-limits.h.patch
@@ -0,0 +1,12 @@
+--- gnutls/gl/read-file.c.orig	2012-03-06 20:59:29.600593329 -0500
++++ gnutls/gl/read-file.c	2012-03-06 20:59:44.568593328 -0500
+@@ -35,6 +35,9 @@
+ /* Get errno. */
+ #include <errno.h>
+ 
++/* Get SIZE_MAX */
++#include <limits.h>
++
+ /* Read a STREAM and return a newly allocated string with the content,
+    and set *LENGTH to the length of the string.  The string is
+    zero-terminated, but the terminating zero byte is not counted in
diff --git a/contrib/src/gnutls/rules.mak b/contrib/src/gnutls/rules.mak
new file mode 100644
index 0000000000000000000000000000000000000000..c61b5feb40f7518d3ec040bf6fe39eff07c8ffc3
--- /dev/null
+++ b/contrib/src/gnutls/rules.mak
@@ -0,0 +1,57 @@
+# GnuTLS
+
+GNUTLS_VERSION := 3.1.25
+GNUTLS_URL := ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-$(GNUTLS_VERSION).tar.xz
+
+PKGS += gnutls
+ifeq ($(call need_pkg,"gnutls >= 3.0.20"),)
+PKGS_FOUND += gnutls
+endif
+
+$(TARBALLS)/gnutls-$(GNUTLS_VERSION).tar.xz:
+	$(call download,$(GNUTLS_URL))
+
+.sum-gnutls: gnutls-$(GNUTLS_VERSION).tar.xz
+
+gnutls: gnutls-$(GNUTLS_VERSION).tar.xz .sum-gnutls
+	$(UNPACK)
+ifdef HAVE_WIN32
+	$(APPLY) $(SRC)/gnutls/gnutls-win32.patch
+endif
+ifdef HAVE_ANDROID
+	$(APPLY) $(SRC)/gnutls/no-create-time-h.patch
+endif
+	$(APPLY) $(SRC)/gnutls/gnutls-no-egd.patch
+	$(APPLY) $(SRC)/gnutls/read-file-limits.h.patch
+	$(APPLY) $(SRC)/gnutls/downgrade-automake-requirement.patch
+	$(APPLY) $(SRC)/gnutls/mac-keychain-lookup.patch
+	$(APPLY) $(SRC)/gnutls/gnutls-pkgconfig-osx.patch
+	$(call pkg_static,"lib/gnutls.pc.in")
+	$(UPDATE_AUTOCONFIG)
+	$(MOVE)
+
+GNUTLS_CONF := \
+	--disable-gtk-doc \
+	--without-p11-kit \
+	--disable-cxx \
+	--disable-srp-authentication \
+	--disable-psk-authentication-FIXME \
+	--disable-openpgp-authentication \
+	--disable-openssl-compatibility \
+	--disable-guile \
+	--disable-nls \
+	--without-libintl-prefix \
+	$(HOSTCONF)
+
+DEPS_gnutls = nettle $(DEPS_nettle)
+
+.gnutls: gnutls
+	$(RECONF)
+ifdef HAVE_ANDROID
+	cd $< && $(HOSTVARS) gl_cv_header_working_stdint_h=yes ./configure $(GNUTLS_CONF)
+else
+	cd $< && $(HOSTVARS) ./configure $(GNUTLS_CONF)
+endif
+	cd $</gl && $(MAKE) install
+	cd $</lib && $(MAKE) install
+	touch $@