diff --git a/contrib/src/gnutls/SHA512SUMS b/contrib/src/gnutls/SHA512SUMS
index 3586dbcca488cadf19dda63f2804bd02b4fb21ab..a86cbcbc70a3381bf5e8d09adf9fe445891f8a5c 100644
--- a/contrib/src/gnutls/SHA512SUMS
+++ b/contrib/src/gnutls/SHA512SUMS
@@ -1,2 +1 @@
-ae9b8996eb9b7269d28213f0aca3a4a17890ba8d47e3dc3b8e754ab8e2b4251e9412aaaa161a8bf56167f04cc169b4cada46f55a7bde92b955eb36cd717a99f3  gnutls-3.6.7.tar.xz
-fe0481f9e4219e983b01b91e69ffd95819a4c0d0c09028509106d561967e9c5d900bc5e3a48140a34fa4467feda2a619085adf3fa8fdade96c8debf125e91ae8  gnutls-3.6.10.tar.xz
\ No newline at end of file
+dbf6766131496f66d712cf3a8f042e93eea057d843972c7cc0376c25b6f3802f51af4fe9b38fbb07e8194748a185055a2bd26c1fabd234d330b892466061462a  gnutls-3.6.11.tar.xz
\ No newline at end of file
diff --git a/contrib/src/gnutls/rules.mak b/contrib/src/gnutls/rules.mak
index 0b455ac4fa952665cddc795e8fad40f65b39f3ab..29eefd5455e1a106c9bc7679a74db1c1e40fea63 100644
--- a/contrib/src/gnutls/rules.mak
+++ b/contrib/src/gnutls/rules.mak
@@ -1,14 +1,6 @@
 # GnuTLS
 
-ifdef HAVE_ANDROID
-GNUTLS_VERSION := 3.6.7
-else
-ifdef HAVE_IOS
-GNUTLS_VERSION := 3.6.7
-else
-GNUTLS_VERSION := 3.6.10
-endif
-endif
+GNUTLS_VERSION := 3.6.11
 
 GNUTLS_URL := https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-$(GNUTLS_VERSION).tar.xz
 
diff --git a/src/security/tls_session.cpp b/src/security/tls_session.cpp
index 17fe4e68bb3b59c02796f5d8b5c2171b702f0e5e..d2fa9beea169ddd962aea7e6bbf136089575f0e4 100644
--- a/src/security/tls_session.cpp
+++ b/src/security/tls_session.cpp
@@ -56,8 +56,20 @@ namespace jami { namespace tls {
 
 static constexpr const char* DTLS_CERT_PRIORITY_STRING {"SECURE192:-VERS-TLS-ALL:+VERS-DTLS-ALL:-RSA:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION"};
 static constexpr const char* DTLS_FULL_PRIORITY_STRING {"SECURE192:-KX-ALL:+ANON-ECDH:+ANON-DH:+SECURE192:-VERS-TLS-ALL:+VERS-DTLS-ALL:-RSA:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION"};
-static constexpr const char* TLS_CERT_PRIORITY_STRING {"SECURE192:-RSA:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION"};
-static constexpr const char* TLS_FULL_PRIORITY_STRING {"SECURE192:-KX-ALL:+ANON-ECDH:+ANON-DH:+SECURE192:-RSA:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION"};
+// Note: -GROUP-FFDHE4096:-GROUP-FFDHE6144:-GROUP-FFDHE8192:+GROUP-X25519:
+// is added after gnutls 3.6.7, because some safety checks were introduced for FFDHE resulting in a performance drop for our usage (2/3s of delay)
+// This performance drop is visible on mobiles devices.
+
+// Benchmark result (on a computer)
+// $gnutls-cli --benchmark-tls-kx
+// (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)  20.48 transactions/sec
+//            (avg. handshake time: 48.45 ms, sample variance: 0.68)
+// (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)  208.14 transactions/sec
+//            (avg. handshake time: 4.01 ms, sample variance: 0.01)
+// (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)  240.93 transactions/sec
+//            (avg. handshake time: 4.00 ms, sample variance: 0.00)
+static constexpr const char* TLS_CERT_PRIORITY_STRING {"SECURE192:-RSA:-GROUP-FFDHE4096:-GROUP-FFDHE6144:-GROUP-FFDHE8192:+GROUP-X25519:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION"};
+static constexpr const char* TLS_FULL_PRIORITY_STRING {"SECURE192:-KX-ALL:+ANON-ECDH:+ANON-DH:+SECURE192:-RSA:-GROUP-FFDHE4096:-GROUP-FFDHE6144:-GROUP-FFDHE8192:+GROUP-X25519:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION"};
 static constexpr uint32_t RX_MAX_SIZE {64*1024}; // 64k = max size of a UDP packet
 static constexpr std::size_t INPUT_MAX_SIZE {1000}; // Maximum number of packets to store before dropping (pkt size = DTLS_MTU)
 static constexpr ssize_t FLOOD_THRESHOLD {4*1024};