I know little about this but AFAIK MbedTLS calls LWIP via the BSD socket interface, not via the Netconn interface.
Netconn is specific to LWIP but MbedTLS is usable with other TCP/IP stacks.
Almost nobody is using Netconn. I wrote a whole (simple) HTTP server using the Netconn API but found almost no help with it. Should have used the socket API instead. It is built on top of the Netconn API anyway.
Getting MbedTLS working properly is a long job - on top of getting LWIP working properly
Quick demos are easy enough...