diff --git security/openvpn/files/patch-src_openvpn_ssl_openssl_c security/openvpn/files/patch-src_openvpn_ssl_openssl_c
new file mode 100644
index 000000000000..9eee1c7bfdf3
--- /dev/null
+++ security/openvpn/files/patch-src_openvpn_ssl_openssl_c
@@ -0,0 +1,41 @@
+$OpenBSD: patch-src_openvpn_ssl_openssl_c,v 1.5 2019/02/21 23:32:23 jca Exp $
+
+Index: src/openvpn/ssl_openssl.c
+--- src/openvpn/ssl_openssl.c.orig
++++ src/openvpn/ssl_openssl.c
+@@ -206,7 +206,7 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int wher
+ int
+ tls_version_max(void)
+ {
+-#if defined(TLS1_3_VERSION)
++#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+     return TLS_VER_1_3;
+ #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
+     return TLS_VER_1_2;
+@@ -233,7 +233,7 @@ openssl_tls_version(int ver)
+     {
+         return TLS1_2_VERSION;
+     }
+-#if defined(TLS1_3_VERSION)
++#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+     else if (ver == TLS_VER_1_3)
+     {
+         return TLS1_3_VERSION;
+@@ -459,7 +459,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ct
+         return;
+     }
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
++#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || defined(OPENSSL_NO_TLS1_3)
+         crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
+                        "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
+                         ciphers);
+@@ -1846,7 +1846,7 @@ show_available_tls_ciphers_list(const char *cipher_lis
+         crypto_msg(M_FATAL, "Cannot create SSL_CTX object");
+     }
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(OPENSSL_NO_TLS1_3)
+     if (tls13)
+     {
+         SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);