(I am not a lawyer; do not interpret this as legal advice, opinions are my own and do not represent the views of my employer, etc.)

NUT is in a similar situation as cURL, in that NUT uses the GPL "version 2 or (at your option) any later version" text. (I would nitpick and call that GPL 2+ or 2.0+; I don't think there is a version 2.1 aside from the LGPL, which is a different animal.) There is no OpenSSL exception clause for NUT, and I don't think it would be practical to relicense all of NUT just for the SSL code.

https://curl.haxx.se/legal/licmix.html
A quick read of https://tls.mbed.org/openssl-alternative seems to indicate that while the GPL version of mbedTLS solves the license incompatibility with NUT, it does not address API compatibility.

To be honest, if I were setting up NUT in an environment where I needed TLS/SSL, I would probably want to put a bit more distance between the TLS code and NUT. An external TLS proxy (like stunnel) or a VPN should accomplish this. Because it is a network connection and not internal program linkage, that opens up far more license possibilities for the TLS code.

also: https://github.com/networkupstools/nut/pull/504#issuecomment-349985126

Splitting the NUT code into separate files seems like the best way forward.