diff --git a/.gitmodules b/.gitmodules
index 0dc945b63..2703cecb6 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "lwip2"]
 	path = tools/sdk/lwip2/builder
 	url = https://github.com/d-a-v/esp82xx-nonos-linklayer.git
+[submodule "tools/sdk/ssl/bearssl"]
+	path = tools/sdk/ssl/bearssl
+	url = https://github.com/earlephilhower/bearssl-esp8266
diff --git a/cores/esp8266/Esp-version.cpp b/cores/esp8266/Esp-version.cpp
index a60616561..866d5d297 100644
--- a/cores/esp8266/Esp-version.cpp
+++ b/cores/esp8266/Esp-version.cpp
@@ -23,6 +23,7 @@
 #include <core_version.h>
 #include <lwip/init.h>      // LWIP_VERSION_*
 #include <lwipopts.h>       // LWIP_HASH_STR (lwip2)
+#include <bearssl/bearssl_git.h>  // BEARSSL_GIT short hash
 
 #define STRHELPER(x) #x
 #define STR(x) STRHELPER(x) // stringifier
@@ -31,6 +32,7 @@ static const char arduino_esp8266_git_ver [] PROGMEM = STR(ARDUINO_ESP8266_GIT_D
 #if LWIP_VERSION_MAJOR != 1
 static const char lwip2_version [] PROGMEM = "/lwIP:" STR(LWIP_VERSION_MAJOR) "." STR(LWIP_VERSION_MINOR) "." STR(LWIP_VERSION_REVISION);
 #endif
+static const char bearssl_version [] PROGMEM = "/BearSSL:" STR(BEARSSL_GIT);
 
 String EspClass::getFullVersion()
 {
@@ -50,5 +52,6 @@ String EspClass::getFullVersion()
 #ifdef LWIP_HASH_STR
              + "(" + F(LWIP_HASH_STR) + ")"
 #endif
+             + FPSTR(bearssl_version)
            ;
 }
diff --git a/tools/sdk/include/bearssl/bearssl_git.h b/tools/sdk/include/bearssl/bearssl_git.h
new file mode 100644
index 000000000..22f0c2915
--- /dev/null
+++ b/tools/sdk/include/bearssl/bearssl_git.h
@@ -0,0 +1,2 @@
+// Do not edit -- Automatically generated by tools/sdk/ssl/bearssl/Makefile
+#define BEARSSL_GIT 94e9704
diff --git a/tools/sdk/lib/libbearssl.a b/tools/sdk/lib/libbearssl.a
index 3a350c9a4..d145f0996 100644
Binary files a/tools/sdk/lib/libbearssl.a and b/tools/sdk/lib/libbearssl.a differ
diff --git a/tools/sdk/ssl/Makefile b/tools/sdk/ssl/Makefile
new file mode 100644
index 000000000..bc9126f9f
--- /dev/null
+++ b/tools/sdk/ssl/Makefile
@@ -0,0 +1,22 @@
+
+
+VER_H=../include/bearssl/bearssl_git.h
+
+all T0 clean: bearssl/README.txt
+	PATH=$(PATH):$(PWD)/../../xtensa-lx106-elf/bin/ && cd bearssl && make CONF=esp8266 $@
+
+install: all version-header
+	cp bearssl/esp8266/libbearssl.a ../lib/.
+	cp bearssl/inc/bearssl*.h ../include/bearssl/.
+
+bearssl/README.txt:
+	git submodule update --init --recursive bearssl
+	cd bearssl && git remote add bearssl https://www.bearssl.org/git/BearSSL
+
+merge-upstream:
+	cd bearssl && git pull bearssl master
+
+version-header:
+	echo "// Do not edit -- Automatically generated by tools/sdk/ssl/bearssl/Makefile" > $(VER_H)
+	echo -n "#define BEARSSL_GIT " >> $(VER_H)
+	cd bearssl && git rev-parse --short HEAD >> ../$(VER_H)
diff --git a/tools/sdk/ssl/README.md b/tools/sdk/ssl/README.md
new file mode 100644
index 000000000..14dc71a12
--- /dev/null
+++ b/tools/sdk/ssl/README.md
@@ -0,0 +1,45 @@
+# BearSSL ESP8266 builder
+
+This directory contains the git submodule for the ESP8266 ported bearssl low-level library, a port of [BearSSL](https://www.bearssl.org)
+
+If you are only working on the `BearSSL::` namespace functions in the
+Arduino `ESP8266WiFi` library (`BearSSL::WiFiClientSecure`,
+`BearSSL::WiFiServerSecure`, etc.) you do _NOT_ need to work in this
+directory.  
+
+Normal users can simply use the libbearssl.a file already included in
+the `Arduino` repo.  Experienced users looking to work on the underlying
+BearSSL-ESP8266 ported library can use this directory to automate the
+build flow.
+
+
+## Prerequisites
+The tools directory needs to be populated (i.e. Arduino IDE should be able
+to compile an executable probect. `get.py` should ensure this).
+
+### UNIX-like system (Linux, Mac):
+If you need to change the *.t0 (Forth-like language) you will need a
+.NET-compatible runtime (such as `mono` under Linux) to rebuild the
+resulant `.c` files.
+
+### For Windows (untested)
+Microsoft's .NET runtime must be installed to run the `.t0`->`.c` workflow.
+
+
+## Building
+* `make all`: Init the submodule, if needed, then build _but do not install_ the library
+* `make install`: Init the submodule, if needed, then build and copy the library to the standard location in `tools/sdk/lib`
+
+## Editing the library
+`https://github.com/earlephilhower/bearssl-esp8266` is the current repository
+for this library.  A `git remote` to the original BearSSL sources from
+`https://bearssl.org/git/BearSSL` is added on submodule init.  You can either
+manually do pulls, or `make merge-upstream` to bring in any BearSSL upstream
+changes.
+
+Documentation in the library README-esp8266 and git log describes the changes done.
+
+
+Feel free to drop me a line at <earlephilhower@yahoo.com> if you have questions.
+
+-Earle F. Philhower, III
diff --git a/tools/sdk/ssl/bearssl b/tools/sdk/ssl/bearssl
new file mode 160000
index 000000000..94e97043b
--- /dev/null
+++ b/tools/sdk/ssl/bearssl
@@ -0,0 +1 @@
+Subproject commit 94e97043bbdebed43ecd9372bd7fd21d45bd789f