diff --git a/Makefile.common b/Makefile.common
index 34320a2991..af43d28b56 100644
--- a/Makefile.common
+++ b/Makefile.common
@@ -536,8 +536,7 @@ ifeq ($(HAVE_LIBRETRODB), 1)
    endif
 endif
 
-HAVE_BEARSSL := 0
-ifeq ($(HAVE_BEARSSL), 1)
+ifeq ($(HAVE_BUILTINBEARSSL), 1)
    HAVE_SSL = 1
    DEFINES += -DHAVE_SSL -DHAVE_BEARSSL
 
@@ -2017,7 +2016,7 @@ ifeq ($(HAVE_NETWORKING), 1)
       OBJ += tasks/task_core_updater.o
    endif
 
-   ifeq ($(HAVE_BEARSSL), 1)
+   ifeq ($(HAVE_BUILTINBEARSSL), 1)
       OBJ += $(LIBRETRO_COMM_DIR)/net/net_socket_ssl_bear.o
    else ifeq ($(HAVE_SSL), 1)
       OBJ += $(LIBRETRO_COMM_DIR)/net/net_socket_ssl_mbed.o
diff --git a/qb/config.libs.sh b/qb/config.libs.sh
index 866dbdc799..6c472e5135 100644
--- a/qb/config.libs.sh
+++ b/qb/config.libs.sh
@@ -300,34 +300,56 @@ check_enabled FLAC BUILTINFLAC 'builtin flac' 'flac is' true
 
 check_val '' FLAC '-lFLAC' '' flac '' '' false
 
-check_enabled SSL BUILTINMBEDTLS 'builtin mbedtls' 'ssl is' true
 
-if [ "$HAVE_SSL" != 'no' ]; then
-   check_header '' MBEDTLS \
-      mbedtls/config.h \
-      mbedtls/certs.h \
-      mbedtls/debug.h \
-      mbedtls/platform.h \
-      mbedtls/net_sockets.h \
-      mbedtls/ssl.h \
-      mbedtls/ctr_drbg.h \
-      mbedtls/entropy.h
+check_enabled SSL SYSTEMMBEDTLS 'system mbedtls' 'ssl is' false
+check_enabled SSL BUILTINMBEDTLS 'builtin mbedtls' 'ssl is' false
+check_enabled SSL BUILTINBEARSSL 'builtin bearssl' 'ssl is' false
 
-   check_lib '' MBEDTLS -lmbedtls
-   check_lib '' MBEDX509 -lmbedx509
-   check_lib '' MBEDCRYPTO -lmbedcrypto
+if [ "$HAVE_SYSTEMMBEDTLS" = "auto" ]; then SYSTEMMBEDTLS_IS_AUTO=yes; else SYSTEMMBEDTLS_IS_AUTO=no; fi
+check_lib '' SYSTEMMBEDTLS '-lmbedtls -lmbedx509 -lmbedcrypto'
+check_header '' SYSTEMMBEDTLS \
+   mbedtls/config.h \
+   mbedtls/certs.h \
+   mbedtls/debug.h \
+   mbedtls/platform.h \
+   mbedtls/net_sockets.h \
+   mbedtls/ssl.h \
+   mbedtls/ctr_drbg.h \
+   mbedtls/entropy.h
+if [ "$SYSTEMMBEDTLS_IS_AUTO" = "yes" ] && [ "$HAVE_SYSTEMMBEDTLS" = "yes" ]; then HAVE_SYSTEMMBEDTLS=auto; fi
 
-   if [ "$HAVE_MBEDTLS" = 'no' ] ||
-      [ "$HAVE_MBEDX509" = 'no' ] ||
-      [ "$HAVE_MBEDCRYPTO" = 'no' ]; then
-      if [ "$HAVE_BUILTINMBEDTLS" != 'yes' ]; then
-         die : 'Notice: System mbedtls libraries not found, disabling SSL support.'
-         HAVE_SSL=no
-      fi
-   else
-      HAVE_SSL=yes
-   fi
+SSL_BACKEND_CHOSEN=no
+if [ "$HAVE_SYSTEMMBEDTLS" = "yes" ]; then
+  if [ "$SSL_BACKEND_CHOSEN" = "yes" ]; then die 1 "Can't enable multiple SSL backends"; fi
+  SSL_BACKEND_CHOSEN=yes
 fi
+if [ "$HAVE_BUILTINMBEDTLS" = "yes" ]; then
+  if [ "$SSL_BACKEND_CHOSEN" = "yes" ]; then die 1 "Can't enable multiple SSL backends"; fi
+  SSL_BACKEND_CHOSEN=yes
+fi
+if [ "$HAVE_BUILTINBEARSSL" = "yes" ]; then
+  if [ "$SSL_BACKEND_CHOSEN" = "yes" ]; then die 1 "Can't enable multiple SSL backends"; fi
+  SSL_BACKEND_CHOSEN=yes
+fi
+if [ "$SSL_BACKEND_CHOSEN" = "no" ] && [ "$HAVE_SYSTEMMBEDTLS" = "auto" ]; then
+  HAVE_SYSTEMMBEDTLS=yes
+  SSL_BACKEND_CHOSEN=yes
+fi
+if [ "$SSL_BACKEND_CHOSEN" = "no" ] && [ "$HAVE_BUILTINMBEDTLS" = "auto" ]; then
+  HAVE_BUILTINMBEDTLS=yes
+  SSL_BACKEND_CHOSEN=yes
+fi
+if [ "$SSL_BACKEND_CHOSEN" = "no" ] && [ "$HAVE_BUILTINBEARSSL" = "auto" ]; then
+  HAVE_BUILTINBEARSSL=yes
+  SSL_BACKEND_CHOSEN=yes
+fi
+if [ "$HAVE_SYSTEMMBEDTLS" = "auto" ]; then HAVE_SYSTEMMBEDTLS=no; fi
+if [ "$HAVE_BUILTINMBEDTLS" = "auto" ]; then HAVE_BUILTINMBEDTLS=no; fi
+if [ "$HAVE_BUILTINBEARSSL" = "auto" ]; then HAVE_BUILTINBEARSSL=no; fi
+
+if [ "$HAVE_SSL" = "auto" ]; then HAVE_SSL=$SSL_BACKEND_CHOSEN; fi
+if [ "$HAVE_SSL" = "yes" ] && [ "$SSL_BACKEND_CHOSEN" = "no" ]; then die 1 "error: SSL enabled, but all backends disabled"; fi
+
 
 check_enabled THREADS LIBUSB libusb 'Threads are' false
 check_enabled HID LIBUSB libusb 'HID is' false
diff --git a/qb/config.params.sh b/qb/config.params.sh
index 821e5b58b0..e19b9610d5 100644
--- a/qb/config.params.sh
+++ b/qb/config.params.sh
@@ -30,10 +30,14 @@ HAVE_WASAPI=auto           # WASAPI support
 HAVE_WINMM=auto            # WinMM support
 HAVE_NEAREST_RESAMPLER=yes # Nearest resampler
 HAVE_CC_RESAMPLER=yes      # CC Resampler
-HAVE_SSL=auto              # SSL/mbedtls support
+HAVE_SSL=auto              # SSL support
 C89_SSL=no
-HAVE_BUILTINMBEDTLS=auto   # Bake in the mbedtls library
+HAVE_SYSTEMMBEDTLS=auto    # Use system mbedTLS
+C89_SYSTEMMBEDTLS=no
+HAVE_BUILTINMBEDTLS=auto   # Use builtin mbedTLS
 C89_BUILTINMBEDTLS=no
+HAVE_BUILTINBEARSSL=auto   # Use builtin BearSSL
+C89_BUILTINBEARSSL=no
 HAVE_OVERLAY=yes           # Overlay support
 HAVE_VIDEO_LAYOUT=yes      # Layout support
 HAVE_DYNAMIC=yes           # Dynamic loading of libretro library
diff --git a/qb/qb.libs.sh b/qb/qb.libs.sh
index 658487750b..f784160d5d 100644
--- a/qb/qb.libs.sh
+++ b/qb/qb.libs.sh
@@ -54,6 +54,9 @@ check_compiler()
 # $3 = lib
 # $4 = feature
 # $5 = enable lib when true, disable errors with 'user' [checked only if non-empty]
+# if any HAVE_$1 is true, HAVE_$2 is enabled
+# if USER_$2 is false, HAVE_$2 is disabled
+# if neither of the above, it's an error
 check_enabled()
 {	add_opt "$2"
 	setval="$(eval "printf %s \"\$HAVE_$2\"")"