diff --git a/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch b/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch
new file mode 100644
index 0000000..d673434
--- /dev/null
+++ b/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch
@@ -0,0 +1,12 @@
+diff -r eba0f976c468 -r 1fceafb49be5 src/java.base/share/classes/module-info.java
+--- openjdk/src/java.base/share/classes/module-info.java	Thu Jul 30 15:05:22 2020 +0200
++++ openjdk/src/java.base/share/classes/module-info.java	Thu Aug 13 15:17:59 2020 +0200
+@@ -132,6 +132,8 @@
+     // additional qualified exports may be inserted at build time
+     // see make/gensrc/GenModuleInfo.gmk
+ 
++    exports com.sun.crypto.provider to
++        jdk.crypto.cryptoki;
+     exports com.sun.security.ntlm to
+         java.security.sasl;
+     exports jdk.internal to
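Review bot: The new qualified export in module-info.java has no comment saying why jdk.crypto.cryptoki needs com.sun.crypto.provider, so a later rebase cannot tell whether it is still required. I would add a line above it such as `// RH1868740: SunPKCS11 needs SunJCE classes in FIPS mode; keep this export qualified`. The `to jdk.crypto.cryptoki` clause should stay, because an unqualified export would make the SunJCE implementation package accessible to every module. A qualified export grants access only to public types and members, so if the IllegalAccessException named in the spec comment came from reflection on non-public members, this would presumably not be enough; worth confirming against the failing call.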
diff --git a/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch b/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch
new file mode 100644
index 0000000..1c47913
--- /dev/null
+++ b/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch
@@ -0,0 +1,21 @@
+diff -r e10f558e1df5 openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
+--- openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java	Mon Aug 31 16:12:32 2020 +0100
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java	Mon Aug 31 15:17:50 2020 -0300
+@@ -628,7 +628,7 @@
+                 throw (ShortBufferException)
+                         (new ShortBufferException().initCause(e));
+             }
+-            reset(false);
++            reset(true);
+             throw new ProviderException("update() failed", e);
+         }
+     }
+@@ -746,7 +746,7 @@
+                 throw (ShortBufferException)
+                         (new ShortBufferException().initCause(e));
+             }
+-            reset(false);
++            reset(true);
+             throw new ProviderException("update() failed", e);
+         }
+     }
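Review bot: Neither `reset(true)` call says why the argument changed, and the short-buffer branch just above each one still throws without reaching reset. If leaving the operation open on ShortBufferException is deliberate so the caller can retry with a larger buffer, a comment at both sites would record that, for example `// cancel the native operation so the cipher is usable again; the short-buffer case above keeps it open for a retry`. The condition guarding the ShortBufferException throw and the body of reset() are outside the hunks, so this reading is inferred from the patch name and the changelog entry. P11AEADCipher, which the spec lists next to P11Cipher for another patch, may have the same failure path and is not touched here.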
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index fc0c07b..f28e61d 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -264,7 +264,7 @@
 %global top_level_dir_name   %{origin}
 %global minorver        0
 %global buildver        10
-%global rpmrelease      5
+%global rpmrelease      6
 #%%global tagsuffix     %%{nil}
 # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
 %if %is_system_jdk
@@ -1148,6 +1148,8 @@ Patch1002: rh1818909-fips_default_keystore_type.patch
 Patch1003: rh1842572-rsa_default_for_keytool.patch
 # RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
 Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
+# RH1868740: FIPS: IllegalAccessException by pkcs11 provider
+Patch1005: rh1868740-cryptoki_access_to_sunjce.patch
 
 #############################################
 #
@@ -1175,8 +1177,8 @@ Patch6:    rh1566890-CVE_2018_3639-speculative_store_bypass.patch
 Patch7: pr3695-toggle_system_crypto_policy.patch
 # S390 ambiguous log2_intptr call
 Patch8: s390-8214206_fix.patch
-# JDK-8252258, RH1868406: [11u] JDK-8242154 changes the default vendor
-Patch10: jdk8252258-rh1868406-fix_bad_vendor.patch
+# RH1868754: FIPS: Ciphers remain in broken state (unusable), after being supplied with wrongly sized buffer
+Patch11: rh1868754-pkcs11_cancel_on_failure.patch
 
 #############################################
 #
@@ -1189,6 +1191,8 @@ Patch10: jdk8252258-rh1868406-fix_bad_vendor.patch
 #############################################
 # JDK-8251117, RH1860990: Cannot check P11Key size in P11Cipher and P11AEADCipher
 Patch9: jdk8251117-rh1860990-pkcs11_key_length.patch
+# JDK-8252258, RH1868406: [11u] JDK-8242154 changes the default vendor
+Patch10: jdk8252258-rh1868406-fix_bad_vendor.patch
 
 #############################################
 #
@@ -1559,6 +1563,7 @@ pushd %{top_level_dir_name}
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 popd # openjdk
 
 %patch1000
@@ -1566,6 +1571,7 @@ popd # openjdk
 %patch1002
 %patch1003
 %patch1004
+%patch1005
 
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -2212,6 +2218,12 @@ end
 %endif
 
 %changelog
+* Thu Sep 17 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.8.10-6
+- Add patch to cancel PKCS#11 operations on failure (RH1868754)
+- Add patch to allow the PKCS11 provider access to the SunJCE provider (RH1868740)
+- Resolves: rhbz#1868740
+- Resolves: rhbz#1868754
+
 * Fri Aug 28 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.8.10-5
 - Use 'oj_' prefix on new vendor globals to avoid a conflict with RPM's vendor value.
 - Resolves: rhbz#1868406