over the last month I worked on upgrading the cryptography stack for OCaml and MirageOS. I just published a blog post. Enhancments of OCaml-TLS (usenix security paper from 2015) and X.509 are in place.
The main achievement after TLS 1.3 support (since May 2020, 0.12.0) is that elliptic curve certificates are now supported. Elliptic curve cryptography uses fiat. The X509 implementation now supports PKCS 12 (used by browsers and other software (e.g. OpenVPN) to bundle certificates and private keys).
Get mirage-crypto-ec, x509 0.13.0 and tls 0.13.1 (all available in the opam-repository). Discussion and feedback appreciated.