diff --git a/ChangeLog.d/secp256k1-removal.txt b/ChangeLog.d/secp256k1-removal.txt
new file mode 100644
index 0000000000..9933b8e7a9
--- /dev/null
+++ b/ChangeLog.d/secp256k1-removal.txt
@@ -0,0 +1,3 @@
+Removals
+ * Support for secp192k1, secp192r1, secp224k1 and secp224r1 EC curves is
+ removed from TLS.
diff --git a/framework b/framework
index 87dbfb290f..3f2ef1ecf6 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd
+Subproject commit 3f2ef1ecf6d70b1e6bb7ad587f9a5bd6eaf65a2a
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 7ea0174612..55d832c354 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -229,10 +229,6 @@
 /* Elliptic Curve Groups (ECDHE) */
 #define MBEDTLS_SSL_IANA_TLS_GROUP_NONE 0
-#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 0x0012
-#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 0x0013
-#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 0x0014
-#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 0x0015
 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 0x0016
 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 0x0017
 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 0x0018
diff --git a/library/mbedtls_check_config.h b/library/mbedtls_check_config.h
index 5e5a5b31db..cf5e981da0 100644
--- a/library/mbedtls_check_config.h
+++ b/library/mbedtls_check_config.h
@@ -45,7 +45,6 @@
 defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
 defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
 defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
- defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
 defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
 defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
 defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 72dc9418f2..b635fd9d0c 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2243,10 +2243,6 @@ static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
 /* Below deprecated curves should be removed with notice to users */
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index dee80292e2..a997e41f32 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5893,15 +5893,6 @@ static const struct {
 #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
 #endif
-#if defined(PSA_WANT_ECC_SECP_R1_224)
- { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_192)
- { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_192)
- { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
-#endif
 #if defined(PSA_WANT_ECC_MONTGOMERY_255)
 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
 #endif
@@ -5966,10 +5957,6 @@ static const struct {
 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
 { 0, NULL },
diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c
index ad3feb65b8..79d3059306 100644
--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@@ -505,21 +505,6 @@ static const struct {
 #else
 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 0 },
 #endif
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 1 },
-#else
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 },
-#else
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 0 },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 1 },
-#else
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 0 },
-#endif
 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", 1 },
 #else
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index 679f05af1b..513c6413a5 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -257,20 +257,27 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'], 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], + # These reverse dependencies can be removed as part of issue + # tf-psa-crypto#364. 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'], 'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'], 'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE', 'MBEDTLS_ECP_DP_SECP256R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'], - 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'], + # Support for secp224[k|r]1 was removed in tfpsacrypto#408 while + # secp192[k|r]1 were kept only for internal testing (hidden to the end + # user). We need to keep these reverse dependencies here until + # symbols are hidden/removed from crypto_config.h. + 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'], + 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], + 'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA', 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', 
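Review bot: The two comments added to REVERSE_DEPENDENCIES cite the crypto repository in two spellings, `tf-psa-crypto#364` and `tfpsacrypto#408`, and the first one does not say which entries it covers, so a later cleanup cannot tell where the removable block ends. I would use one spelling and name the scope, for example `# The PSA_WANT_ECC_* -> MBEDTLS_ECP_DP_* entries below can be removed as part of tf-psa-crypto#364.` (presumably that is the intended range). The second comment says secp224 support was removed while `PSA_WANT_ECC_SECP_R1_224` is re-added directly beneath it; stating that the entry stays only because the symbol is still defined in crypto_config.h, and writing `hidden from the end user` rather than `hidden to`, would make that read consistently. The dictionary continues outside the hunk.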
@@ -482,9 +489,7 @@ class DomainData:
 if alg.can_do(crypto_knowledge.AlgorithmCategory.HASH)}
 # Find elliptic curve enabling macros by name.
- # MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves
- curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|'
- r'MBEDTLS_ECP_DP_SECP224K1_ENABLED')
+ curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z')
 # Find key exchange enabling macros by name.
 key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z')
diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py
index 2267311e44..0be8ac5e4e 100755
--- a/tests/scripts/set_psa_test_dependencies.py
+++ b/tests/scripts/set_psa_test_dependencies.py
@@ -27,13 +27,9 @@ CLASSIC_DEPENDENCIES = frozenset([
 'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS',
 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN',
 'MBEDTLS_CIPHER_PADDING_ZEROS',
- #curve#'MBEDTLS_ECP_DP_SECP192R1_ENABLED',
- #curve#'MBEDTLS_ECP_DP_SECP224R1_ENABLED',
 #curve#'MBEDTLS_ECP_DP_SECP256R1_ENABLED',
 #curve#'MBEDTLS_ECP_DP_SECP384R1_ENABLED',
 #curve#'MBEDTLS_ECP_DP_SECP521R1_ENABLED',
- #curve#'MBEDTLS_ECP_DP_SECP192K1_ENABLED',
- #curve#'MBEDTLS_ECP_DP_SECP224K1_ENABLED',
 #curve#'MBEDTLS_ECP_DP_SECP256K1_ENABLED',
 #curve#'MBEDTLS_ECP_DP_BP256R1_ENABLED',
 #curve#'MBEDTLS_ECP_DP_BP384R1_ENABLED',
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 60b970aefb..d0278b123c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
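Review bot: In tests/scripts/depends.py (DomainData, hunk at -482), narrowing the pattern to `r'PSA_WANT_ECC_\w+\Z'` drops `MBEDTLS_ECP_DP_SECP224K1_ENABLED` from `curve_symbols`, and the REVERSE_DEPENDENCIES hunk in the same file shows no PSA_WANT entry that would switch that macro off indirectly. If the macro is still defined in any configuration header this script scans, the curve domain would presumably leave it enabled in every per-curve build, so the builds would no longer isolate one curve; the diff does not show that the symbol is gone, so this needs confirming. The deleted comment was the only explanation of the special case, and a short replacement such as `# All curve options are PSA_WANT_ECC_* symbols; no legacy MBEDTLS_ECP_DP_* macro needs listing.` would record why the simpler pattern is sufficient. The enclosing method starts and ends outside the hunk.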
@@ -2659,12 +2659,6 @@ requires_config_enabled PSA_WANT_ECC_SECP_K1_256
 run_test_psa_force_curve "secp256k1"
 requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256
 run_test_psa_force_curve "brainpoolP256r1"
-requires_config_enabled PSA_WANT_ECC_SECP_R1_224
-run_test_psa_force_curve "secp224r1"
-requires_config_enabled PSA_WANT_ECC_SECP_R1_192
-run_test_psa_force_curve "secp192r1"
-requires_config_enabled PSA_WANT_ECC_SECP_K1_192
-run_test_psa_force_curve "secp192k1"
 # Test current time in ServerHello
 requires_config_enabled MBEDTLS_HAVE_TIME
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index c70080317c..3335e5c84e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3537,9 +3537,9 @@ exit:
 /* BEGIN_CASE */
 void conf_group()
 {
- uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
 MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
 mbedtls_ssl_config conf;
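Review bot: The new list in conf_group() holds only groups that remain supported, and the later elliptic_curve_get_properties hunk in this file deletes both the available and the unavailable branch for TLS ids 21, 19 and 18, so nothing visible in this file still asserts that the removed curves are refused. For a change whose purpose is to take deprecated curves out of TLS, the negative case is the one worth pinning down. If the ECP group identifiers still exist after the framework bump (not visible here), the unavailable checks could stay unconditionally, e.g. `TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);` with the matching lines for 19 and 18. conf_group()'s body continues outside the hunk.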
@@ -4050,21 +4050,6 @@ void elliptic_curve_get_properties()
 #else
 TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256);
 #endif
-#if defined(PSA_WANT_ECC_SECP_R1_224)
- TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
-#else
- TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_192)
- TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
-#else
- TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_192)
- TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
-#else
- TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
-#endif
 #if defined(PSA_WANT_ECC_MONTGOMERY_255)
 TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255);
 #else