diff --git a/contrib/src/gnutls/SHA512SUMS b/contrib/src/gnutls/SHA512SUMS
index 7f13fd81a233f9a710bfbac1044343d00ca3e8ed..e867f5235a111b334c52bf693dec37b52cc4bcc6 100644
--- a/contrib/src/gnutls/SHA512SUMS
+++ b/contrib/src/gnutls/SHA512SUMS
@@ -1,4 +1 @@
-
-60fc3409ee81932bc2672c68eb65748b88da4b9307764fb395dbadc06120e1011207a04d5f540e77a4d07649ffaed0789c04d57692eeca6ab24ac79d72418906  gnutls-3.5.10.tar.xz
-1f2bd3203ea96844c531be700b44623b79f46743143edf97011aab07895ca18d62f1659c7fafc5e1c4b0686fde490836f00358bdd60d6ac0b842526db002da23  gnutls-3.6.1.tar.xz
-6a574d355226bdff6198ab3f70633ff2a3cff4b5d06793bdaf19d007063bd4dd515d1bd3f331a9eb1a9ad01f83007801cfa55e5fd16c1cd3461ac33d1813fb06  gnutls-3.6.2.tar.xz
+4ff34f38d7dc543bc5750d8fdfe9be84af60c66e8d41da45f6cffc11d6c6c726784fd2d471b3416604ca1f3f9efb22ff7a290d5c92c96deda38df6ae3e794cc1  gnutls-3.6.6.tar.xz
diff --git a/contrib/src/gnutls/rules.mak b/contrib/src/gnutls/rules.mak
index 8d7a98d9634ff31a68b73a58525f5dec0921f60c..d2ece68d346729bd2c81e9789c2ec7bfb2591acb 100644
--- a/contrib/src/gnutls/rules.mak
+++ b/contrib/src/gnutls/rules.mak
@@ -1,6 +1,6 @@
 # GnuTLS
 
-GNUTLS_VERSION := 3.6.2
+GNUTLS_VERSION := 3.6.6
 GNUTLS_URL := https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-$(GNUTLS_VERSION).tar.xz
 
 PKGS += gnutls
diff --git a/contrib/src/nettle/SHA512SUMS b/contrib/src/nettle/SHA512SUMS
index 21dbece88dc125bb66d0ba26d82f6ae145891f15..f457bad162396bdc95589419e1d4e04f172eb7a3 100644
--- a/contrib/src/nettle/SHA512SUMS
+++ b/contrib/src/nettle/SHA512SUMS
@@ -1 +1 @@
-3bea3aabd2c99cc42d084a94fd6b0b5dbdb24cd6c7020271a6ee87a81a904b21b21756f590cb1afdf2e85fd1cb59e5c3651c5c4032e30204e7ea6f8801d1ea3b  nettle-3.4.tar.gz
+26aefbbe9927e90e28f271e56d2ba876611831222d0e1e1a58bdb75bbd50934fcd84418a4fe47b845f557e60a9786a72a4de2676c930447b104f2256aca7a54f  nettle-3.4.1.tar.gz
diff --git a/contrib/src/nettle/rules.mak b/contrib/src/nettle/rules.mak
index 2f1ddfb3b37ff833507e653574f3f87cf5fb4b1d..2dc2b99fa94ff7f90817fe9fef36836e779dab9e 100644
--- a/contrib/src/nettle/rules.mak
+++ b/contrib/src/nettle/rules.mak
@@ -1,6 +1,6 @@
 # Nettle
 
-NETTLE_VERSION := 3.4
+NETTLE_VERSION := 3.4.1
 NETTLE_URL := $(GNU)/nettle/nettle-$(NETTLE_VERSION).tar.gz
 
 PKGS += nettle
diff --git a/src/security/tls_session.cpp b/src/security/tls_session.cpp
index b3d2c69144b3fcd4a09e64946ed3135c9b6640ca..9375f5af9057faf0e5602136e293e0f6bdeedf6e 100644
--- a/src/security/tls_session.cpp
+++ b/src/security/tls_session.cpp
@@ -855,10 +855,20 @@ TlsSession::TlsSessionImpl::handleStateHandshake(TlsSessionState state)
     }
 
     // Safe-Renegotiation status shall always be true to prevent MiM attack
-    if (!gnutls_safe_renegotiation_status(session_)) {
-        RING_ERR("[TLS] server identity changed! MiM attack?");
-        return TlsSessionState::SHUTDOWN;
+    // Following https://www.gnutls.org/manual/html_node/Safe-renegotiation.html
+    // "Unlike TLS 1.2, the server is not allowed to change identities"
+    // So, we don't have to check the status if we are the client
+#ifndef _WIN32 // For now, windows use GNUTLS < 3.6.5
+    bool isTLS1_3 = gnutls_protocol_get_version(session_) == GNUTLS_TLS1_3;
+    if (!isTLS1_3 || (isTLS1_3 && isServer_)) {
+#endif
+        if (!gnutls_safe_renegotiation_status(session_)) {
+            RING_ERR("[TLS] server identity changed! MiM attack?");
+            return TlsSessionState::SHUTDOWN;
+        }
+#ifndef _WIN32
     }
+#endif
 
     auto desc = gnutls_session_get_desc(session_);
     RING_DBG("[TLS] session established: %s", desc);