diff --git a/pkgs/development/libraries/wolfssl/default.nix b/pkgs/development/libraries/wolfssl/default.nix
index aeef5a8c4705..0a8202839c36 100644
--- a/pkgs/development/libraries/wolfssl/default.nix
+++ b/pkgs/development/libraries/wolfssl/default.nix
@@ -10,23 +10,22 @@
 # requiring to build a special variant for that software. Example: 'haproxy'
 , variant ? "all"
 , extraConfigureFlags ? []
+, enableARMCryptoExtensions ? stdenv.hostPlatform.isAarch64 && ((builtins.match "^.*\\+crypto.*$" stdenv.hostPlatform.gcc.arch) != null)
 , enableLto ? !(stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "wolfssl-${variant}";
-  version = "5.7.2";
+  version = "5.7.4";
 
   src = fetchFromGitHub {
     owner = "wolfSSL";
     repo = "wolfssl";
     rev = "refs/tags/v${finalAttrs.version}-stable";
-    hash = "sha256-VTMVgBSDL6pw1eEKnxGzTdyQYWVbMd3mAnOnpAOKVhk=";
+    hash = "sha256-/dtW1E1wYfQEuotclUEOK5+Vg4S7vt1xWhr1lEtu60w=";
   };
 
   postPatch = ''
     patchShebangs ./scripts
-    # ocsp stapling tests require network access, so skip them
-    sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test
     # ensure test detects musl-based systems too
     substituteInPlace scripts/ocsp-stapling2.test \
       --replace '"linux-gnu"' '"linux-"'
@@ -54,10 +53,11 @@ stdenv.mkDerivation (finalAttrs: {
     # Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
     "--enable-intelasm"
     "--enable-aesni"
-  ] ++ lib.optionals (stdenv.hostPlatform.isAarch64 && stdenv.hostPlatform.isDarwin) [
+  ] ++ lib.optionals (stdenv.hostPlatform.isAarch64) [
     # No runtime detection under ARM and no platform function checks like for X86.
-    # However, all ARM macOS systems have the supported extensions autodetected in the configure script.
-    "--enable-armasm=inline"
+    (if enableARMCryptoExtensions
+     then "--enable-armasm=inline"
+     else "--disable-armasm")
   ] ++ extraConfigureFlags;
 
   # Breaks tls13 tests on aarch64-darwin.
@@ -67,6 +67,9 @@ stdenv.mkDerivation (finalAttrs: {
   env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
   env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";
 
+  # Don't attempt connections to external services in the test suite.
+  env.WOLFSSL_EXTERNAL_TEST = "0";
+
   outputs = [
     "dev"
     "doc"