diff --git a/pkgs/stdenv/linux/make-bootstrap-tools.nix b/pkgs/stdenv/linux/make-bootstrap-tools.nix
index 7f7f4c6a2bd14..8e99cf0503faa 100644
--- a/pkgs/stdenv/linux/make-bootstrap-tools.nix
+++ b/pkgs/stdenv/linux/make-bootstrap-tools.nix
@@ -10,12 +10,27 @@ rec {
 aclSupport = false;
 });
- curlMinimal = curl.override {
+ # We use wolfssl rather than openssl as it is much smaller and does
+ # not bring in any extra dependencies, but we must enable extra
+ # features of wolfssl that are required by curl.
+ wolfsslExtra = wolfssl.overrideDerivation (oldAttrs: {
+ configureFlags = [
+ "--enable-sslv3" # wolfSSLv3_client_method
+ "--enable-sep" # wolfSSL_get_peer_certificate wolfSSL_X509_get_der
+ ];
+ });
+
+ # Minimal version of curl, with https support via wolfssl.
+ curlMinimal = (curl.override {
 http2Support = false;
 zlibSupport = false;
 sslSupport = false;
 scpSupport = false;
- };
+ }).overrideDerivation (oldAttrs: {
+ configureFlags = oldAttrs.configureFlags ++ [
+ "--with-cyassl=${wolfsslExtra}"
+ ];
+ });
 busyboxMinimal = busybox.override {
 useMusl = true;
@@ -85,9 +100,10 @@ rec {
 cp -d ${patch}/bin/* $out/bin
 cp ${patchelf}/bin/* $out/bin
 cp ${curlMinimal}/bin/curl $out/bin
- cp -d ${curlMinimal}/lib/libcurl* $out/lib
+ cp -d ${curlMinimal}/lib/libcurl.so* $out/lib
 cp -d ${gnugrep.pcre}/lib/libpcre*.so* $out/lib # needed by grep
+ cp -d ${wolfsslExtra}/lib/libwolfssl.so* $out/lib # needed by curl
 # Copy what we need of GCC.
 cp -d ${gcc.cc}/bin/gcc $out/bin
diff --git a/pkgs/stdenv/linux/scripts/unpack-bootstrap-tools.sh b/pkgs/stdenv/linux/scripts/unpack-bootstrap-tools.sh
index efec363c5c791..8908d953f1c7e 100644
--- a/pkgs/stdenv/linux/scripts/unpack-bootstrap-tools.sh
+++ b/pkgs/stdenv/linux/scripts/unpack-bootstrap-tools.sh
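Review bot: In make-bootstrap-tools.nix, `wolfsslExtra` builds the bootstrap TLS library with `--enable-sslv3`, which compiles in an obsolete protocol, and the comment only names the symbol curl needs without saying whether the bootstrap curl can actually negotiate SSLv3. I would add a comment such as `# SSLv3 is built in only so curl links against wolfSSLv3_client_method; bootstrap fetches must stay pinned by hash` so nobody later treats this curl's HTTPS as the integrity check. Separately, `configureFlags = [ ... ]` replaces the wolfssl derivation's existing flags instead of extending them, unlike `curlMinimal`, which uses `oldAttrs.configureFlags ++`; if dropping the inherited flags is not intended, write `configureFlags = (oldAttrs.configureFlags or []) ++ [`. The wolfssl derivation's own flags are not visible here, so this needs checking against it.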
@@ -18,6 +18,7 @@ fi
 # use a copy of patchelf.
 LD_LIBRARY_PATH=$out/lib $LD_BINARY $out/bin/cp $out/bin/patchelf .
+# Patch elf executables.
 for i in $out/bin/* $out/libexec/gcc/*/*/*; do
 if [ -L "$i" ]; then continue; fi
 if [ -z "${i##*/liblto*}" ]; then continue; fi
@@ -26,13 +27,20 @@ for i in $out/bin/* $out/libexec/gcc/*/*/*; do
 $out/bin/patchelf --set-interpreter $LD_BINARY --set-rpath $out/lib --force-rpath "$i"
 done
-for i in $out/lib/librt-*.so $out/lib/libpcre*; do
+# Patch elf shared libraries.
+for i in $out/lib/librt-*.so $out/lib/libpcre* $out/lib/libcurl.so* $out/lib/libwolfssl.so*; do
+ # the next line ensures that the file $i actually exists
+ # so the script keeps working on both old and new packages
+ # in case the new package adds new libraries
+ # (the old bootstrap is used to create the new bootstrap!)
+ if [ ! -f "$i" ]; then continue; fi
+ # skip symbolic links
 if [ -L "$i" ]; then continue; fi
 echo patching "$i"
 $out/bin/patchelf --set-rpath $out/lib --force-rpath "$i"
 done
-# Fix the libc linker script.
+# Fix linker scripts.
 export PATH=$out/bin
 cat $out/lib/libc.so | sed "s|/nix/store/e*-[^/]*/|$out/|g" > $out/lib/libc.so.tmp
 mv $out/lib/libc.so.tmp $out/lib/libc.so
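Review bot: The four-line comment above `if [ ! -f "$i" ]; then continue; fi` does not state the actual mechanism: in sh an unmatched glob such as `$out/lib/libwolfssl.so*` is left as a literal string, so without the guard patchelf would be run on a nonexistent path when an older bootstrap tarball is unpacked. I would shorten it to `# An unmatched glob stays literal; skip it so older bootstrap tarballs without libwolfssl still unpack.` The guard also means a new tarball that is missing libwolfssl passes this loop silently and only fails when curl is first run, which may be worth an explicit check elsewhere. The final comment now reads `# Fix linker scripts.` but only libc.so is handled in the visible lines; the rest of that section is outside the hunk.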