ESP32 SPIRAM and mbedtls

What is the best way to make use of the 4MB of PSRAM (SPIRAM) on ESP32 WROVER when using mbedtls to open TLS sockets to servers?

I have set these variables in order to use SPIRAM:
CONFIG_SPIRAM_SUPPORT=y
CONFIG_SPIRAM_BOOT_INIT=y
CONFIG_SPIRAM_CACHE_WORKAROUND=y
CONFIG_SPI_MASTER_IN_IRAM=y
CONFIG_SPIRAM_USE_MALLOC=y
CONFIG_SPIRAM_MEMTEST=y

If I set this too low, mbedtls cannot complete a TLS handshake with a server, and mbedtls shows many errors in the console:
CONFIG_SPIRAM_MALLOC_ALWAYSINTERNAL=1024

Is setting this variable a good idea?
MBEDTLS_MEM_ALLOC_MODE=MBEDTLS_DEFAULT_MEM_ALLOC

These are working for me to connect to mdash:

build_vars:
  # enable 16MB flash size + PSRAM
  ESP_IDF_SDKCONFIG_OPTS: >
    ${build_vars.ESP_IDF_SDKCONFIG_OPTS} 
      CONFIG_ESPTOOLPY_FLASHSIZE_4MB=
      CONFIG_ESPTOOLPY_FLASHSIZE_16MB=y
      CONFIG_ESPTOOLPY_FLASHSIZE=16MB
      CONFIG_SPIRAM_SUPPORT=y
      CONFIG_SPIRAM_BOOT_INIT=y
      CONFIG_SPIRAM_CACHE_WORKAROUND=y
      CONFIG_SPI_MASTER_IN_IRAM=y

I am assuming since mbedtls is a closed source binary with mongoose-os, there is no option to specify MBEDTLS_MEM_ALLOC_MODE during the build, correct?

I tried CONFIG_SPIRAM_MALLOC_ALWAYSINTERNAL=256 to make all malloc/callocs prefer SPIRAM, and it seriously broke my app.

It just streams this constantly:

E:M 1692
Heap summary for capabilities 0x00001800:
  At 0x3ffae6e0 len 6432 free 0 allocated 6292 min_free 0
    largest_free_block 0 alloc_blocks 27 free_blocks 0 total_blocks 27
  At 0x3ffc2c78 len 119688 free 24 allocated 118792 min_free 0
    largest_free_block 12 alloc_blocks 207 free_blocks 3 total_blocks 210
  At 0x3ffe0440 len 129984 free 1876 allocated 126236 min_free 348
    largest_free_block 1688 alloc_blocks 448 free_blocks 12 total_blocks 460
  Totals:
    free 1900 allocated 251320 min_free 348 largest_free_block 1688
mgos_mongoose.c:66      New heap free LWM: 4192916
E:M 1692
Heap summary for capabilities 0x00001800:
  At 0x3ffae6e0 len 6432 free 0 allocated 6292 min_free 0
    largest_free_block 0 alloc_blocks 27 free_blocks 0 total_blocks 27
  At 0x3ffc2c78 len 119688 free 24 allocated 118792 min_free 0
    largest_free_block 12 alloc_blocks 207 free_blocks 3 total_blocks 210
  At 0x3ffe0440 len 129984 free 1876 allocated 126236 min_free 348
    largest_free_block 1688 alloc_blocks 448 free_blocks 12 total_blocks 460
  Totals:
    free 1900 allocated 251320 min_free 348 largest_free_block 1688
E:M 1692
... 
etc

So does Cesanta have an mbedtls ESP32 binary that has CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC=y enabled?