diff --git a/3rdparty/CMakeLists.txt b/3rdparty/CMakeLists.txt
index 978a249982..402c0cddfc 100644
--- a/3rdparty/CMakeLists.txt
+++ b/3rdparty/CMakeLists.txt
@@ -313,22 +313,45 @@ if(USE_SYSTEM_WOLFSSL)
 	add_library(wolfssl INTERFACE)
 	target_link_libraries(wolfssl INTERFACE PkgConfig::WolfSSL)
 else()
-	SET(BUILD_TESTS NO CACHE BOOL "Build test applications")
-	add_compile_definitions(HAVE_FFDHE_2048 TFM_TIMING_RESISTANT ECC_TIMING_RESISTANT
-					WC_RSA_BLINDING HAVE_AESGCM WOLFSSL_SHA512 WOLFSSL_SHA384 NO_DSA HAVE_ECC TFM_ECC256 ECC_SHAMIR
-					NO_RC4 NO_HC128 NO_RABBIT WOLFSSL_SHA224 WOLFSSL_SHA3 WOLFSSL_SHAKE256 HAVE_POLY1305
-					HAVE_ONE_TIME_AUTH HAVE_CHACHA HAVE_HASHDRBG HAVE_TLS_EXTENSIONS HAVE_SNI HAVE_SUPPORTED_CURVES
-					HAVE_EXTENDED_MASTER NO_RC4 HAVE_ENCRYPT_THEN_MAC NO_PSK NO_MD4
-					WC_NO_ASYNC_THREADING OPENSSL_EXTRA WOLFSSL_DES_ECB WC_NO_HARDEN)
-	set(ENABLED_HARDEN OFF CACHE BOOL "Disable Harden")
+	# TODO(cjj19970505@live.cn)
+	# OPENSSL_EXTRA, WOLFSSL_DES_ECB and HAVE_SNI are unconfigurable from CMake cache.
+	# but they do have it in a TODO list (wolfssl/CMakeList, 1021)
+	add_compile_definitions(OPENSSL_EXTRA WOLFSSL_DES_ECB HAVE_SNI)
+
+	set(WOLFSSL_TLS13 "no" CACHE INTERNAL "")
+	set(WOLFSSL_SHA224 "yes" CACHE INTERNAL "")
+	set(WOLFSSL_SHA3 "yes" CACHE INTERNAL "")
+	set(WOLFSSL_SHAKE256 "yes" CACHE INTERNAL "")
+	set(WOLFSSL_BASE64_ENCODE "no" CACHE INTERNAL "")
+	set(WOLFSSL_DES3 "yes" CACHE INTERNAL "")
+	set(WOLFSSL_POLY1305 "yes" CACHE INTERNAL "")
+	set(WOLFSSL_CHACHA "yes" CACHE INTERNAL "")
+	set(WOLFSSL_FILESYSTEM "yes" CACHE INTERNAL "")
+	set(WOLFSSL_PWDBASED "yes" CACHE INTERNAL "")
+	set(WOLFSSL_FAST_MATH "no" CACHE INTERNAL "")
+	set(WOLFSSL_EXAMPLES "no" CACHE INTERNAL "")
+	set(WOLFSSL_CRYPT_TESTS "no" CACHE INTERNAL "")
+	set(WOLFSSL_ASYNC_THREADS "no" CACHE INTERNAL "")
+	set(WOLFSSL_CONFIG_H "no" CACHE INTERNAL "")
+
 	add_subdirectory(wolfssl EXCLUDE_FROM_ALL)
-	target_include_directories(wolfssl INTERFACE "wolfssl/")
-	# This is needed for CURL
-	configure_file(${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/wolfssl/options.h.in ${CMAKE_CURRENT_BINARY_DIR}/wolfssl/wolfssl/options.h)
-	set(WolfSSL_LIBRARY "${CMAKE_CURRENT_BINARY_DIR}/wolfssl/libwolfssl.a")
-	set(WolfSSL_LIBRARIES "${CMAKE_CURRENT_BINARY_DIR}/wolfssl/libwolfssl.a")
-	set(WolfSSL_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/" "${CMAKE_CURRENT_BINARY_DIR}/wolfssl/")
-	set(WolfSSL_INCLUDE_DIRS "${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/" "${CMAKE_CURRENT_BINARY_DIR}/wolfssl/")
+
+	# TODO(cjj19970505@live.cn)
+	# This only works in single-config generator
+	# For a multi-config generator, we need to provide different wolfssl binaries for different config
+	if (GENERATOR_IS_MULTI_CONFIG)
+		message( FATAL_ERROR "RPCS3 can only be configured using single-config generator." )
+	endif()
+
+	if(MSVC)
+		set(WolfSSL_LIBRARY "${CMAKE_CURRENT_BINARY_DIR}/wolfssl/wolfssl.lib")
+	else()
+		set(WolfSSL_LIBRARY "${CMAKE_CURRENT_BINARY_DIR}/wolfssl/libwolfssl.a")
+	endif()
+
+	# "${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/wolfssl/" provides openssl headers
+	# So that curl can be built on an environment where openssl headers are not provided
+	set(WolfSSL_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/" "${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/wolfssl/" "${CMAKE_CURRENT_BINARY_DIR}/wolfssl/")
 endif()
 
 # CURL
diff --git a/3rdparty/wolfssl b/3rdparty/wolfssl
index 39b5448601..723ed009ae 160000
--- a/3rdparty/wolfssl
+++ b/3rdparty/wolfssl
@@ -1 +1 @@
-Subproject commit 39b5448601271b8d1deabde8a0d33dc64d2a94bd
+Subproject commit 723ed009ae5dc68acc14cd7664f93503d64cd51d