diff --git a/edk2.spec b/edk2.spec
index 67a759e..b6621bc 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -29,7 +29,7 @@
 
 Name:           edk2
 Version:        %{edk2_date}git%{edk2_githash}
-Release:        2%{dist}
+Release:        3%{dist}
 Summary:        EFI Development Kit II
 
 Group:          Applications/Emulators
@@ -78,6 +78,12 @@ Patch0024: 0024-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch
 Patch0099: 0099-Tweak-the-tools_def-to-support-cross-compiling.patch
 %endif
 
+# openssl patches from Fedora
+Patch1021: openssl-1.1.0-issuer-hash.patch
+Patch1039: openssl-1.1.0-cc-reqs.patch
+Patch1040: openssl-1.1.0-disable-ssl3.patch
+Patch1044: openssl-1.1.0-bio-fd-preserve-nl.patch
+
 %if 0%{?fedora:1}
 #
 # actual firmware builds support cross-compiling.  edk2-tools
@@ -179,7 +185,6 @@ armv7 UEFI Firmware
 
 %prep
 %setup -q -n tianocore-%{name}-%{edk2_githash}
-%autopatch -p1
 
 
 # Ensure old shell and binary packages are not used
@@ -193,6 +198,8 @@ cp -a -- %{SOURCE2} .
 # add openssl
 (cd .. && tar -xvf %{SOURCE1})
 cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
+
+%autopatch -p1
 base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp
 
 %build
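Review bot: The relocated `%autopatch -p1` carries no comment saying why it now has to sit below the openssl extraction, so the next maintainer could move it back above the `cp -a` lines where it used to be and break %prep. The four Patch10xx files declared earlier in this diff all modify `CryptoPkg/Library/OpensslLib/openssl/...`, which only exists after `(cd .. && tar -xvf %{SOURCE1})`, so I would add `# must run after the openssl tarball is unpacked: Patch1021-1044 patch files under CryptoPkg/Library/OpensslLib/openssl` directly above it. %autopatch still applies every PatchNNNN in numeric order, so the edk2 patches 0001-0099 keep their relative order and are merely applied later in %prep.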
@@ -214,6 +221,7 @@ CC_FLAGS="${CC_FLAGS} --cmd-len=65536"
 
 # ovmf features
 OVMF_FLAGS="${CC_FLAGS}"
+OVMF_FLAGS="${OVMF_FLAGS} -D TLS_ENABLE"
 OVMF_FLAGS="${OVMF_FLAGS} -D HTTP_BOOT_ENABLE"
 OVMF_FLAGS="${OVMF_FLAGS} -D NETWORK_IP6_ENABLE"
 OVMF_FLAGS="${OVMF_FLAGS} -D FD_SIZE_2MB"
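Review bot: The define added here is `-D TLS_ENABLE`, but the changelog entry in the last hunk of edk2.spec records it as `- Enable TLS_MODE`, which matches no flag in the build; the changelog line should read `- Enable TLS_ENABLE`. Since this flag is what makes the firmware's TLS/HTTPS boot path depend on the bundled OpenSSL (presumably the reason the Fedora openssl patches are added in the same commit), a one-line comment above it such as `# TLS for HTTPS boot, built against the bundled OpenSSL (see Patch1021-1044)` would tie the two halves of this change together.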
@@ -439,6 +447,10 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw          %{buildroot}/usr/share/AAVMF/
 
 
 %changelog
+* Fri Jan 19 2018 Paolo Bonzini <pbonzini@redhat.com> - 20170209git296153c5-3
+- Add OpenSSL patches from Fedora
+- Enable TLS_MODE
+
 * Fri Nov 17 2017 Paolo Bonzini <pbonzini@redhat.com> - 20170209git296153c5-2
 - Backport patches 19-21 from RHEL
 - Add patches 22-24 to fix SEV slowness
diff --git a/openssl-1.1.0-bio-fd-preserve-nl.patch b/openssl-1.1.0-bio-fd-preserve-nl.patch
new file mode 100644
index 0000000..fd032a1
--- /dev/null
+++ b/openssl-1.1.0-bio-fd-preserve-nl.patch
@@ -0,0 +1,29 @@
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c.preserve-nl a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c.preserve-nl	2016-11-10 15:03:44.000000000 +0100
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c	2016-12-22 14:36:16.730740423 +0100
+@@ -202,8 +202,10 @@ static int fd_gets(BIO *bp, char *buf, i
+     char *ptr = buf;
+     char *end = buf + size - 1;
+ 
+-    while ((ptr < end) && (fd_read(bp, ptr, 1) > 0) && (ptr[0] != '\n'))
+-        ptr++;
++    while (ptr < end && fd_read(bp, ptr, 1) > 0) {
++        if (*ptr++ == '\n')
++           break;
++    }
+ 
+     ptr[0] = '\0';
+ 
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod.preserve-nl a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod
+--- a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod.preserve-nl	2016-11-10 15:03:45.000000000 +0100
++++ b/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod	2016-12-22 14:37:22.731245197 +0100
+@@ -23,7 +23,8 @@ in B<buf>. Usually this operation will a
+ from the BIO of maximum length B<len-1>. There are exceptions to this,
+ however; for example, BIO_gets() on a digest BIO will calculate and
+ return the digest and other BIOs may not support BIO_gets() at all.
+-The returned string is always NUL-terminated.
++The returned string is always NUL-terminated and the '\n' is preserved
++if present in the input data.
+ 
+ BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
+ 
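Review bot: The `break;` in the rewritten fd_gets() loop is indented with 11 spaces while the `if` it belongs to is at 8, so the body should be at 12 under OpenSSL's 4-space style: `        if (*ptr++ == '\n')` / `            break;`. The post-increment in the condition is correct — ptr is advanced past the newline before `ptr[0] = '\0'` is written, which is exactly what keeps the '\n' in the buffer — but that intent is easy to misread as an off-by-one, so a comment like `/* advance past the '\n' so it is kept, see BIO_read.pod */` next to it would help. fd_gets() starts and ends outside this hunk.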
diff --git a/openssl-1.1.0-cc-reqs.patch b/openssl-1.1.0-cc-reqs.patch
new file mode 100644
index 0000000..74521c6
--- /dev/null
+++ b/openssl-1.1.0-cc-reqs.patch
@@ -0,0 +1,27 @@
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c.cc-reqs b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c.cc-reqs	2017-01-26 14:10:23.000000000 +0100
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c	2017-01-26 16:01:52.622308528 +0100
+@@ -75,6 +75,12 @@ static int rsa_builtin_keygen(RSA *rsa,
+     if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
+         goto err;
+ 
++    /* prepare minimum p and q difference */
++    if (!BN_one(r3))
++        goto err;
++    if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
++        goto err;
++
+     if (BN_copy(rsa->e, e_value) == NULL)
+         goto err;
+ 
+@@ -103,7 +109,9 @@ static int rsa_builtin_keygen(RSA *rsa,
+         do {
+             if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+                 goto err;
+-        } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
++            if (!BN_sub(r2, rsa->q, rsa->p))
++                goto err;
++        } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
+         if (degenerate == 3) {
+             ok = 0;             /* we set our own err */
+             RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
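Review bot: The new minimum-distance check uses the bare constant 100 twice (`bitsp > 100`, `bitsp - 100`) with only `/* prepare minimum p and q difference */` to explain it; I would extend that comment to `/* FIPS 186-4 B.3.3 step 5.4: reject candidates with |p - q| <= 2^(nlen/2 - 100) */` so the next reader knows where the bound comes from. For bitsp <= 100, r3 stays 1 and the loop condition only rejects |p - q| <= 1, which for two odd primes is effectively the old p == q check — worth stating in the same comment since it explains why the guard is harmless. The check relies on r2 and r3 already having been obtained from the BN_CTX earlier in rsa_builtin_keygen(), which is outside this hunk; presumably true for the vendored 1.1.0 tree but worth confirming, and the function starts and ends outside the hunk.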
diff --git a/openssl-1.1.0-disable-ssl3.patch b/openssl-1.1.0-disable-ssl3.patch
new file mode 100644
index 0000000..b0906fe
--- /dev/null
+++ b/openssl-1.1.0-disable-ssl3.patch
@@ -0,0 +1,59 @@
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3	2016-08-25 17:29:22.000000000 +0200
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c	2016-09-08 11:08:05.252082263 +0200
+@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+      * or by using the SSL_CONF library.
+      */
+     ret->options |= SSL_OP_NO_COMPRESSION;
++    /*
++     * Disable SSLv3 by default.  Applications can
++     * re-enable it by configuring
++     * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++     * or by using the SSL_CONF library.
++     */
++    ret->options |= SSL_OP_NO_SSLv3;
+ 
+     ret->tlsext_status_type = -1;
+ 
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3	2016-09-08 11:08:05.252082263 +0200
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c	2016-09-08 11:11:44.802005886 +0200
+@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
+             SSL_TEST_SERVERNAME_CB_NONE) {
+             server2_ctx = SSL_CTX_new(TLS_server_method());
+             TEST_check(server2_ctx != NULL);
++            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
+         }
+         client_ctx = SSL_CTX_new(TLS_client_method());
+ 
+@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
+             resume_client_ctx = SSL_CTX_new(TLS_client_method());
+             TEST_check(resume_server_ctx != NULL);
+             TEST_check(resume_client_ctx != NULL);
++            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
++            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
+         }
+     }
+ 
+     TEST_check(server_ctx != NULL);
+     TEST_check(client_ctx != NULL);
++    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
++    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
+ 
+     TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
+ 
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3	2016-08-25 17:29:23.000000000 +0200
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c	2016-09-08 11:08:05.253082286 +0200
+@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
+         ERR_print_errors(bio_err);
+         goto end;
+     }
++
++    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
++    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
++    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
++
+     /*
+      * Since we will use low security ciphersuites and keys for testing set
+      * security level to zero by default. Tests can override this by adding
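Review bot: The ssl_test.c and ssltest_old.c hunks clear SSL_OP_NO_SSLv3 in OpenSSL's own test programs, which as far as I can tell are not part of the edk2 OpensslLib build, so most of this patch is dead weight that still has to be rebased on every openssl refresh; consider carrying only the ssl_lib.c hunk here. The ssl_lib.c change itself is the right default: setting SSL_OP_NO_SSLv3 in SSL_CTX_new() means every context created by the firmware's TLS code starts with SSLv3 refused, and the comment correctly names SSL_CTX_clear_options() as the way to undo it. The comment could add that `SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION)` alone does not re-enable SSLv3 while the option is set, since as I read 1.1.0 both the option mask and the version bounds are checked when a method is selected. SSL_CTX_new() and the test functions all start and end outside their hunks.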
diff --git a/openssl-1.1.0-issuer-hash.patch b/openssl-1.1.0-issuer-hash.patch
new file mode 100644
index 0000000..791a62d
--- /dev/null
+++ b/openssl-1.1.0-issuer-hash.patch
@@ -0,0 +1,11 @@
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c.issuer-hash b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c.issuer-hash	2016-07-18 15:16:32.788881100 +0200
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c	2016-07-18 15:17:16.671871840 +0200
+@@ -87,6 +87,7 @@ unsigned long X509_issuer_and_serial_has
+ 
+     if (ctx == NULL)
+         goto err;
++    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+     f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
+     if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
+         goto err;
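Review bot: `EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)` only changes behaviour when the library enforces a FIPS mode, which in Fedora comes from its separate FIPS patch set; none of that is among the four patches this diff adds, so in the edk2 OpensslLib build this line is very likely a no-op. Either document why it is carried anyway — e.g. extend the `# openssl patches from Fedora` comment in edk2.spec with `# issuer-hash only matters with the Fedora FIPS patches; kept to stay in sync with the Fedora set` — or drop it to reduce rebase work. It does not weaken anything: X509_issuer_and_serial_hash() keeps using MD5 as a lookup hash exactly as unpatched 1.1.0 does. X509_issuer_and_serial_hash() starts and ends outside this hunk.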