diff --git a/SOURCES/bz1963163-fence_zvmip-add-ssl-tls-support.patch b/SOURCES/bz1963163-fence_zvmip-add-ssl-tls-support.patch
new file mode 100644
index 0000000..1e43aa3
--- /dev/null
+++ b/SOURCES/bz1963163-fence_zvmip-add-ssl-tls-support.patch
@@ -0,0 +1,100 @@
+From 81be3c529ec1165f3135b4f14fbec2a19403cfbe Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Fri, 27 Aug 2021 08:53:36 +0200
+Subject: [PATCH] fence_zvmip: add ssl/tls support
+
+---
+ agents/zvm/fence_zvmip.py | 20 ++++++++++++++++----
+ tests/data/metadata/fence_zvmip.xml | 19 +++++++++++++++++++
+ 2 files changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
+index 001106a44..874eb699f 100644
+--- a/agents/zvm/fence_zvmip.py
++++ b/agents/zvm/fence_zvmip.py
+@@ -26,12 +26,22 @@ def open_socket(options):
+ except socket.gaierror:
+ fail(EC_LOGIN_DENIED)
+
+- conn = socket.socket()
++ if "--ssl" in options:
++ import ssl
++ sock = socket.socket()
++ sslcx = ssl.create_default_context()
++ if "--ssl-insecure" in options:
++ sslcx.check_hostname = False
++ sslcx.verify_mode = ssl.CERT_NONE
++ conn = sslcx.wrap_socket(sock, server_hostname=options["--ip"])
++ else:
++ conn = socket.socket()
+ conn.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ conn.settimeout(float(options["--shell-timeout"]) or None)
+ try:
+ conn.connect(addr)
+- except socket.error:
++ except socket.error as e:
++ logging.debug(e)
+ fail(EC_LOGIN_DENIED)
+
+ return conn
+@@ -122,11 +132,12 @@ def get_list_of_images(options, command, data_as_plug):
+ images = set()
+
+ if output_len > 3*INT4:
++ recvflag = socket.MSG_WAITALL if "--ssl" not in options else 0
+ array_len = struct.unpack("!i", conn.recv(INT4))[0]
+ data = ""
+
+ while True:
+- read_data = conn.recv(1024, socket.MSG_WAITALL).decode("UTF-8")
++ read_data = conn.recv(1024, recvflag).decode("UTF-8")
+ data += read_data
+ if array_len == len(data):
+ break
+@@ -146,7 +157,8 @@ def get_list_of_images(options, command, data_as_plug):
+ return (return_code, reason_code, images)
+
+ def main():
+- device_opt = ["ipaddr", "login", "passwd", "port", "method", "missing_as_off", "inet4_only", "inet6_only"]
++ device_opt = ["ipaddr", "login", "passwd", "port", "method", "missing_as_off",
++ "inet4_only", "inet6_only", "ssl"]
+
+ atexit.register(atexit_handler)
+
+diff --git a/tests/data/metadata/fence_zvmip.xml b/tests/data/metadata/fence_zvmip.xml
+index f84115c08..d91192946 100644
+--- a/tests/data/metadata/fence_zvmip.xml
++++ b/tests/data/metadata/fence_zvmip.xml
+@@ -91,6 +91,21 @@ to access the system's directory manager.
+ <content type="string" />
+ <shortdesc lang="en">Physical plug number on device, UUID or identification of machine</shortdesc>
+ </parameter>
++ <parameter name="ssl" unique="0" required="0">
++ <getopt mixed="-z, --ssl" />
++ <content type="boolean" />
++ <shortdesc lang="en">Use SSL connection with verifying certificate</shortdesc>
++ </parameter>
++ <parameter name="ssl_insecure" unique="0" required="0">
++ <getopt mixed="--ssl-insecure" />
++ <content type="boolean" />
++ <shortdesc lang="en">Use SSL connection without verifying certificate</shortdesc>
++ </parameter>
++ <parameter name="ssl_secure" unique="0" required="0">
++ <getopt mixed="--ssl-secure" />
++ <content type="boolean" />
++ <shortdesc lang="en">Use SSL connection with verifying certificate</shortdesc>
++ </parameter>
+ <parameter name="username" unique="0" required="1" obsoletes="login">
+ <getopt mixed="-l, --username=[name]" />
+ <content type="string" />
+@@ -181,6 +196,10 @@ to access the system's directory manager.
+ <content type="integer" default="1" />
+ <shortdesc lang="en">Count of attempts to retry power on</shortdesc>
+ </parameter>
++ <parameter name="gnutlscli_path" unique="0" required="0">
++ <getopt mixed="--gnutlscli-path=[path]" />
++ <shortdesc lang="en">Path to gnutls-cli binary</shortdesc>
++ </parameter>
+ </parameters>
+ <actions>
+ <action name="on" automatic="0"/>
diff --git a/SPECS/fence-agents.spec b/SPECS/fence-agents.spec
index 4658625..7eff500 100644
--- a/SPECS/fence-agents.spec
+++ b/SPECS/fence-agents.spec
@@ -79,7 +79,7 @@
Name: fence-agents
Summary: Set of unified programs capable of host isolation ("fencing")
Version: 4.2.1
-Release: 82%{?alphatag:.%{alphatag}}%{?dist}
+Release: 83%{?alphatag:.%{alphatag}}%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Base
URL: https://github.com/ClusterLabs/fence-agents
@@ -234,6 +234,7 @@ Patch102: bz1977588-1-fencing-add-EC_FETCH_VM_UUID.patch
Patch103: bz1977588-2-fence_kubevirt.patch
Patch104: bz1977588-3-fence_kubevirt-fix-status.patch
Patch105: bz1977588-4-fence_kubevirt-power-timeout-40s.patch
+Patch106: bz1963163-fence_zvmip-add-ssl-tls-support.patch
%if 0%{?fedora} || 0%{?rhel} > 7
%global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
@@ -423,6 +424,7 @@ BuildRequires: python3-pip
%patch103 -p1
%patch104 -p1 -F1
%patch105 -p1
+%patch106 -p1
# prevent compilation of something that won't get used anyway
sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@@ -1368,6 +1370,10 @@ Fence agent for IBM z/VM over IP.
%endif
%changelog
+* Thu Nov 11 2021 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-83
+- fence_zvmip: add SSL/TLS support
+ Resolves: rhbz#1963163
+
* Thu Nov 4 2021 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-82
- fence_kubevirt: new fence agent
Resolves: rhbz#1977588