diff --git security/openvpn/files/patch-libressl2 security/openvpn/files/patch-libressl2
new file mode 100644
index 000000000000..252321c63f5c
--- /dev/null
+++ security/openvpn/files/patch-libressl2
@@ -0,0 +1,50 @@
+--- src/openvpn/ssl_openssl.c.orig 2019-03-28 10:54:48.193458000 +0100
++++ src/openvpn/ssl_openssl.c 2019-03-28 11:01:56.818429000 +0100
+@@ -459,7 +459,7 @@
+ return;
+ }
+
+-#if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
++#if !defined(TLS1_3_VERSION)
+ crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
+ "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
+ ciphers);
+@@ -520,7 +520,8 @@
+
+ ASSERT(ctx);
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \
++ || LIBRESSL_VERSION_NUMBER >= 0x2070000fL
+ /* OpenSSL 1.0.2 and up */
+ cert = SSL_CTX_get0_certificate(ctx->ctx);
+ #else
+@@ -555,7 +556,8 @@
+ }
+
+ cleanup:
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10002000L \
++ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ SSL_free(ssl);
+ #endif
+ return;
+@@ -1846,7 +1848,7 @@
+ crypto_msg(M_FATAL, "Cannot create SSL_CTX object");
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL)
++#if defined(TLS1_3_VERSION)
+ if (tls13)
+ {
+ SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
+@@ -1867,7 +1869,8 @@
+ crypto_msg(M_FATAL, "Cannot create SSL object");
+ }
+
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090000fL)
+ STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
+ #else
+ STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
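Review bot: In the inner hunk at `@@ -520,7 +520,8 @@` the added continuation line tests `LIBRESSL_VERSION_NUMBER >= 0x2070000fL` without a `defined()` guard, while the matching cleanup condition in the `@@ -555,7 +556,8 @@` hunk does guard it. An undefined macro evaluates to 0 inside `#if`, so OpenSSL builds get the same result, but it warns under `-Wundef` and makes it harder to check that the two conditions are exact complements. They need to be, because `SSL_free(ssl)` in the cleanup must run only when the fallback branch (presumably the `#else` part that lies outside the hunk) created `ssl`. I would write the second line as `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)`.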
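Review bot: The inner hunk at `@@ -1867,7 +1869,8 @@` changes which call supplies `sk` on LibreSSL, but no hunk in this patch adjusts how `sk` is released. `SSL_get_ciphers()` returns a stack owned by the SSL object, whereas `SSL_get1_supported_ciphers()` returns a copy the caller must free. If a later `sk_SSL_CIPHER_free(sk)` (outside the hunk, not visible here) is still guarded only by `OPENSSL_VERSION_NUMBER >= 0x1010000fL`, LibreSSL builds, which report `0x20000000L`, would free a borrowed stack that is released again when the SSL object is freed. That guard should carry the same exclusion, e.g. `#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090000fL)`. A short comment naming the first LibreSSL release that provides `SSL_get1_supported_ciphers` would also explain why the bound is `<= 0x2090000fL`.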