diff --git a/conf/include/package_revisions_oss.inc b/conf/include/package_revisions_oss.inc
index f6c0f920..bf0d12aa 100644
--- a/conf/include/package_revisions_oss.inc
+++ b/conf/include/package_revisions_oss.inc
@@ -838,7 +838,7 @@ PACKAGE_ARCH:pn-sqlite3 ?= "${OSS_LAYER_ARCH}"
 PR:pn-strace ?= "r0"
 PACKAGE_ARCH:pn-strace ?= "${OSS_LAYER_ARCH}"
-PR:pn-stunnel ?= "r2"
+PR:pn-stunnel ?= "r3"
 PACKAGE_ARCH:pn-stunnel ?= "${OSS_LAYER_ARCH}"
 PR:pn-sysfsutils ?= "r6"
@@ -921,7 +921,7 @@ PACKAGE_ARCH:pn-wireless-tools ?= "${OSS_LAYER_ARCH}"
 PR:pn-woff2 ?= "r0"
 PACKAGE_ARCH:pn-woff2 ?= "${OSS_LAYER_ARCH}"
-PR:pn-wpa-supplicant ?= "r9"
+PR:pn-wpa-supplicant ?= "r10"
 PACKAGE_ARCH:pn-wpa-supplicant ?= "${OSS_LAYER_ARCH}"
 PR:pn-xkeyboard-config ?= "r0"
diff --git a/recipes-connectivity/wpa-supplicant/files/roaming_threshold.patch b/recipes-connectivity/wpa-supplicant/files/roaming_threshold.patch
new file mode 100644
index 00000000..5f1c1ed5
--- /dev/null
+++ b/recipes-connectivity/wpa-supplicant/files/roaming_threshold.patch
@@ -0,0 +1,82 @@ +Index: wpa_supplicant-2.10/wpa_supplicant/bgscan_simple.c +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/bgscan_simple.c ++++ wpa_supplicant-2.10/wpa_supplicant/bgscan_simple.c +@@ -27,6 +27,7 @@ struct bgscan_simple_data { + int short_interval; /* use if signal < threshold */ + int long_interval; /* use if signal > threshold */ + struct os_reltime last_bgscan; ++ int roaming_threshold_db; /* min RSSI gain (dB) required to allow roam */ + }; + + +@@ -95,6 +96,11 @@ static int bgscan_simple_get_params(stru + } + pos++; + data->long_interval = atoi(pos); ++ pos = os_strchr(pos, ':'); ++ if (pos == NULL) ++ return 0; ++ pos++; ++ data->roaming_threshold_db = atoi(pos); + + return 0; + } +@@ -119,11 +125,16 @@ static void * bgscan_simple_init(struct + data->short_interval = 30; + if (data->long_interval <= 0) + data->long_interval = 30; ++ if (data->roaming_threshold_db < 0) ++ data->roaming_threshold_db = 0; ++ ++ wpa_s->roaming_threshold_db = data->roaming_threshold_db; + + wpa_printf(MSG_DEBUG, "bgscan simple: Signal strength threshold %d " +- "Short bgscan interval %d Long bgscan interval %d", ++ "Short bgscan interval %d Long bgscan interval %d " ++ "Roaming threshold %d", + data->signal_threshold, data->short_interval, +- data->long_interval); ++ data->long_interval, data->roaming_threshold_db); + + if (data->signal_threshold && + wpa_drv_signal_monitor(wpa_s, data->signal_threshold, 4) < 0) { +Index: wpa_supplicant-2.10/wpa_supplicant/events.c +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/events.c ++++ wpa_supplicant-2.10/wpa_supplicant/events.c +@@ -1927,6 +1927,22 @@ int wpa_supplicant_need_to_roam_within_e + cur_level, cur_snr, cur_est); + } + ++ /* Enforce RSSI delta >= roaming_threshold_db before allowing reassociation */ ++ if (wpa_s->roaming_threshold_db > 0) { ++ int delta_db = selected->level - 
cur_level; /* dBm; delta>0 => candidate stronger */ ++ if (delta_db < wpa_s->roaming_threshold_db) { ++ wpa_dbg(wpa_s, MSG_DEBUG, ++ "Skip roam - RSSI delta=%d dB < threshold=%d dB", ++ delta_db, wpa_s->roaming_threshold_db); ++ /* Prevent the reassociation for this scan */ ++ return 0; ++ /* Option A: clear candidate … */ ++// selected = NULL; ++ /* Option B: or ensure the local 'allow_reassoc' variable stays false */ ++ /* allow_reassoc = 0; */ ++ } ++ } ++ + if (sel_est > cur_est + 5000) { + wpa_dbg(wpa_s, MSG_DEBUG, + "Allow reassociation - selected BSS has better estimated throughput"); +Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant_i.h +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant_i.h ++++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant_i.h +@@ -1178,6 +1178,7 @@ struct wpa_supplicant { + struct wpa_ssid *bgscan_ssid; + const struct bgscan_ops *bgscan; + void *bgscan_priv; ++ int roaming_threshold_db; /* >=0: required RSSI delta (dB) to allow roam */ + + const struct autoscan_ops *autoscan; + struct wpa_driver_scan_params *autoscan_params; diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant_%.bbappend b/recipes-connectivity/wpa-supplicant/wpa-supplicant_%.bbappend index 3ba8db02..de6d0f15 100644 --- a/recipes-connectivity/wpa-supplicant/wpa-supplicant_%.bbappend +++ b/recipes-connectivity/wpa-supplicant/wpa-supplicant_%.bbappend @@ -7,6 +7,7 @@ SRC_URI += "file://openssl_no_md4_2.10.patch" SRC_URI += "file://fix_HS20_build_with_INTERWORKING.patch" SRC_URI += "file://increase_wpa_ctrl_return_buffer.patch" SRC_URI += "file://suppress_no_eap_session_id_log.patch" +SRC_URI += "file://roaming_threshold.patch" inherit syslog-ng-config-gen logrotate_config #inherit breakpad-logmapper 
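Review bot: In the events.c hunk the two commented-out alternatives after `return 0;` (`// selected = NULL;` and `/* allow_reassoc = 0; */`, together with their "Option A/B" comments) are unreachable and should be deleted rather than shipped in a production patch. The same hunk places the RSSI-delta gate ahead of the existing `sel_est > cur_est + 5000` throughput check, so a candidate with clearly better estimated throughput but less than `roaming_threshold_db` of RSSI gain is now always rejected; if that is intended, say so in the comment above the block. `wpa_s->roaming_threshold_db` is assigned in `bgscan_simple_init` but nothing in this patch clears it, so the gate stays active after bgscan is torn down unless the field is reset elsewhere; adding `wpa_s->roaming_threshold_db = 0;` to `bgscan_simple_deinit` would keep the two in step. Both `bgscan_simple_init` and `wpa_supplicant_need_to_roam_within_ess` start and end outside the hunks shown.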
@@ -38,7 +39,6 @@ do_configure:append () { fi sed -i -- 's/CONFIG_DRIVER_HOSTAP=y/\#CONFIG_DRIVER_HOSTAPAP=y/' wpa_supplicant/.config - sed -i -- 's/#CONFIG_NO_ROAMING=y/\CONFIG_NO_ROAMING=y/' wpa_supplicant/.config sed -i -- 's/#CONFIG_IEEE80211W=y/\CONFIG_IEEE80211W=y/' wpa_supplicant/.config #Enable the following supplicant options: diff --git a/recipes-support/libp11/libp11_0.4.16.bbappend b/recipes-support/libp11/libp11_%.bbappend similarity index 100% rename from recipes-support/libp11/libp11_0.4.16.bbappend rename to recipes-support/libp11/libp11_%.bbappend diff --git a/recipes-support/libp11/libp11_0.4.17.bb b/recipes-support/libp11/libp11_0.4.17.bb new file mode 100644 index 00000000..9dcbada3 --- /dev/null +++ b/recipes-support/libp11/libp11_0.4.17.bb @@ -0,0 +1,40 @@ +SUMMARY = "Library for using PKCS" +DESCRIPTION = "\ +Libp11 is a library implementing a small layer on top of PKCS \ +make using PKCS" +HOMEPAGE = "https://github.com/OpenSC/libp11" +BUGTRACKER = "https://github.com/OpenSC/libp11/issues" +SECTION = "Development/Libraries" +LICENSE = "LGPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29" +DEPENDS = "libtool openssl" + +SRC_URI = "git://github.com/OpenSC/libp11.git;branch=master;protocol=https" + +SRCREV = "1ad1efdffc90df5dcd69822f3f593898acc1aa78" + +UPSTREAM_CHECK_GITTAGREGEX = "libp11-(?P\d+(\.\d+)+)" + + +inherit autotools pkgconfig + +EXTRA_OECONF = "--disable-static" +EXTRA_OECONF:append:class-native = "\ + --with-enginesdir=${RECIPE_SYSROOT_NATIVE}/usr/lib/engines-3 \ + --with-modulesdir=${RECIPE_SYSROOT_NATIVE}/usr/lib/ossl-modules \ +" + +do_install:append () { + rm -rf ${D}${docdir}/${BPN} +} + +FILES:${PN} += "\ + ${libdir}/engines*/pkcs11.so \ + ${libdir}/ossl-modules/pkcs11prov.so \ +" +FILES:${PN}-dev += "\ + ${libdir}/engines*/libpkcs11${SOLIBSDEV} \ + ${libdir}/ossl-modules/libpkcs11${SOLIBSDEV} \ +" + +BBCLASSEXTEND = "native" 
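Review bot: `UPSTREAM_CHECK_GITTAGREGEX` as it appears in the new libp11_0.4.17.bb, `"libp11-(?P\d+(\.\d+)+)"`, is not a valid Python regex: `(?P` must be followed by a group name, and the upstream version check expects that group to be called `pver`. If the `<pver>` part was dropped when this page was rendered, disregard; otherwise the line should read `UPSTREAM_CHECK_GITTAGREGEX = "libp11-(?P<pver>\d+(\.\d+)+)"`. The `SUMMARY` and `DESCRIPTION` strings also look cut off after `PKCS` (presumably `#11` was lost the same way) and are worth re-checking in the committed file.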
diff --git a/recipes-support/stunnel/stunnel/fd_credential.patch b/recipes-support/stunnel/stunnel/fd_credential.patch
new file mode 100644
index 00000000..83ac366b
--- /dev/null
+++ b/recipes-support/stunnel/stunnel/fd_credential.patch
@@ -0,0 +1,121 @@ +From 91880074f52d9392dac8d658a9b48dca3f824ea0 Mon Sep 17 00:00:00 2001 +From: ldonth501 +Date: Sat, 5 Oct 2024 15:32:26 +0000 + +Subject: [PATCH] stunnel: Non-interactive passcode for p12 cert + +Upstream-Status: Pending + +Recognize .pk12 extension as p12 cert. +Attempt to obtain the passcode for p12 cert from fd environment variable. + +Signed-off-by: ldonth501 +--- + src/ctx.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 66 insertions(+), 2 deletions(-) + +Index: stunnel-5.65/src/ctx.c +=================================================================== +--- stunnel-5.65.orig/src/ctx.c ++++ stunnel-5.65/src/ctx.c +@@ -767,12 +767,14 @@ PSK_KEYS *psk_find(const PSK_TABLE *tabl + + NOEXPORT int pkcs12_extension(const char *filename) { + const char *ext=strrchr(filename, '.'); +- return ext && (!strcasecmp(ext, ".p12") || !strcasecmp(ext, ".pfx")); ++ return ext && (!strcasecmp(ext, ".p12") || !strcasecmp(ext, ".pfx") || !strcasecmp(ext, ".pk12")); + } + ++#define FD_READ_TIMEOUT_SECONDS 5 ++ + NOEXPORT int load_pkcs12_file(SERVICE_OPTIONS *section) { + size_t len; +- int i, success; ++ int i, success = 0; + BIO *bio=NULL; + PKCS12 *p12=NULL; + X509 *cert=NULL; +@@ -798,6 +800,74 @@ NOEXPORT int load_pkcs12_file(SERVICE_OP + } + BIO_free(bio); + ++ const char *fd_str = getenv("FD_NUMBER"); ++ if (!fd_str) { ++ s_log(LOG_ERR, "FD_NUMBER environment variable not set"); ++ goto interactive_start; ++ } ++ ++ int fd = atoi(fd_str); ++ s_log(LOG_INFO,"FD_NUMBER is %d", fd); ++ ++ /* Ensure the file descriptor is greater than or equal to 3, since 0, 1, and 2 are standard streams */ ++ /* Validate FD range for select()/FD_SET() */ ++ if (fd < 3 || fd >= FD_SETSIZE) { ++ s_log(LOG_ERR, "Invalid FD_NUMBER %d (must be >= 3 and < FD_SETSIZE=%d)", fd, FD_SETSIZE); ++ goto interactive_start; ++ } ++ ++ /* Set up the file descriptor set for select() */ ++ fd_set read_fds; ++ FD_ZERO(&read_fds); ++ FD_SET(fd, &read_fds); ++ ++ 
/* Set a timeout for select() to avoid waiting indefinitely; use FD_READ_TIMEOUT_SECONDS to handle problems during high load averages */ ++ struct timeval timeout; ++ timeout.tv_sec = FD_READ_TIMEOUT_SECONDS; ++ timeout.tv_usec = 0; ++ ++ /* Wait until the file descriptor is ready for reading */ ++ int result = select(fd + 1, &read_fds, NULL, NULL, &timeout); ++ if (result == -1) { ++ s_log(LOG_ERR, "select error: %s", strerror(errno)); ++ goto interactive_start; ++ } ++ else if (result == 0) { ++ /* Timeout occurred, file descriptor not ready */ ++ s_log(LOG_ERR, "Timeout: File descriptor not ready for reading"); ++ goto interactive_start; ++ } ++ ++ char p12_passcode[64] = {0}; ++ ssize_t bytes_read = read(fd, p12_passcode, sizeof(p12_passcode) - 1); ++ if (bytes_read > 0) { ++ if (p12_passcode[bytes_read - 1] == '\n') { ++ p12_passcode[bytes_read - 1] = '\0'; ++ } else { ++ p12_passcode[bytes_read] = '\0'; ++ } ++ } else if (bytes_read == 0) { ++ s_log(LOG_INFO, "EOF encountered, no more data to read."); ++ } else { ++ s_log(LOG_ERR, "read error: %s", strerror(errno)); ++ goto interactive_start; ++ } ++ close(fd); ++ ++ /* try obtaining the passcode non-interactively*/ ++ if(p12_passcode[0] != '\0') { ++ success=PKCS12_parse(p12, p12_passcode, &pkey, &cert, &ca); ++ } ++ /* clear sensitive passcode data */ ++ memset(p12_passcode, 0, sizeof(p12_passcode)); ++ ++ if(!success) { ++ goto interactive_start; ++ } ++ goto interactive_end; ++ ++interactive_start: ++ s_log(LOG_ERR, "Unable to obtain passcode non-interactively"); + /* try the cached value first */ + set_prompt(section->cert); + len=(size_t)cache_passwd_get_cb(pass, sizeof pass, 0, NULL); +@@ -828,7 +898,7 @@ NOEXPORT int load_pkcs12_file(SERVICE_OP + PKCS12_free(p12); + return 1; /* FAILED */ + } +- ++interactive_end: + PKCS12_free(p12); + + if(!SSL_CTX_use_certificate(section->ctx, cert)) { 
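Review bot: `memset(p12_passcode, 0, sizeof(p12_passcode))` is a dead store on a local that is about to leave scope and the compiler is free to drop it, so the passcode can remain on the stack; since ctx.c already uses the OpenSSL API, replace it with `OPENSSL_cleanse(p12_passcode, sizeof p12_passcode);`. The descriptor named by `FD_NUMBER` is read once and then `close(fd)`d, so if `load_pkcs12_file` runs more than once in the process (a second section with a PKCS#12 cert, or a configuration reload) later calls will either fail in `select()` with EBADF or read from whatever descriptor has since been opened with that number, then fall through to the interactive prompt; either document that the fd is single-use or leave it open and consume it only once. The `select()` error and timeout paths and the `read()` error path all `goto interactive_start` without closing `fd`, a minor leak. Logging the absent `FD_NUMBER` variable at `LOG_ERR` (and then again as "Unable to obtain passcode non-interactively") makes every deployment that does not use the feature emit two error-level lines per certificate load; `LOG_INFO` or `LOG_DEBUG` fits an optional path better. `load_pkcs12_file` starts and ends outside the hunk.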
diff --git a/recipes-support/stunnel/stunnel_%.bbappend b/recipes-support/stunnel/stunnel_%.bbappend index d33bd51f..e3676b2a 100644 --- a/recipes-support/stunnel/stunnel_%.bbappend +++ b/recipes-support/stunnel/stunnel_%.bbappend @@ -10,6 +10,7 @@ do_install:append() { FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:" SRC_URI += "file://separate_keying_for_dev_prod_vm_stunnel.patch" +SRC_URI += "file://fd_credential.patch" inherit logrotate_config