diff --git a/SOURCES/stunnel-5.48-failover-crash.patch b/SOURCES/stunnel-5.48-failover-crash.patch
new file mode 100644
index 0000000..87f25f7
--- /dev/null
+++ b/SOURCES/stunnel-5.48-failover-crash.patch
@@ -0,0 +1,83 @@
+diff -up stunnel-5.48/src/client.c.failover-crash stunnel-5.48/src/client.c
+--- stunnel-5.48/src/client.c.failover-crash	2018-07-02 23:30:10.000000000 +0200
++++ stunnel-5.48/src/client.c	2019-04-03 08:53:22.350538002 +0200
+@@ -1431,10 +1431,14 @@ NOEXPORT void idx_cache_save(SSL_SESSION
+ 
+     CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]);
+     old_addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address);
+-    /* we can safely ignore the SSL_SESSION_set_ex_data() failure */
+-    SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr);
+-    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
+-    str_free(old_addr); /* NULL pointers are ignored */
++    if(SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr)) {
++        CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
++        str_free(old_addr); /* NULL pointers are ignored */
++    } else { /* failed to store new_addr -> remove it */
++        sslerror("SSL_SESSION_set_ex_data");
++        CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
++        str_free(new_addr); /* NULL pointers are ignored */
++    }
+ }
+ 
+ NOEXPORT unsigned idx_cache_retrieve(CLI *c) {
+diff -up stunnel-5.48/src/ssl.c.failover-crash stunnel-5.48/src/ssl.c
+--- stunnel-5.48/src/ssl.c.failover-crash	2018-04-06 16:25:10.000000000 +0200
++++ stunnel-5.48/src/ssl.c	2019-04-03 09:07:05.586306038 +0200
+@@ -39,7 +39,14 @@
+ #include "prototypes.h"
+ 
+     /* global OpenSSL initialization: compression, engine, entropy */
+-NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++#if OPENSSL_VERSION_NUMBER>=0x10100000L
++NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
++    void *from_d, int idx, long argl, void *argp);
++#else
++NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from,
++    void *from_d, int idx, long argl, void *argp);
++#endif
++NOEXPORT void cb_free_addr(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+     int idx, long argl, void *argp);
+ #ifndef OPENSSL_NO_COMP
+ NOEXPORT int compression_init(GLOBAL_OPTIONS *);
+@@ -67,7 +74,7 @@ int ssl_init(void) { /* init TLS before
+     index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
+         "session authenticated", NULL, NULL, NULL);
+     index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
+-        "session connect address", NULL, NULL, cb_free);
++        "session connect address", NULL, cb_dup_addr, cb_free_addr);
+     if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
+             index_session_authenticated<0 ||
+             index_session_connect_address<0) {
+@@ -107,7 +114,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
+ #endif
+ #endif
+ 
+-NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++#if OPENSSL_VERSION_NUMBER>=0x10100000L
++NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
++        void *from_d, int idx, long argl, void *argp) {
++#else
++NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from,
++        void *from_d, int idx, long argl, void *argp) {
++#endif
++    SOCKADDR_UNION *src, *dst;
++    socklen_t len;
++
++    (void)to; /* squash the unused parameter warning */
++    (void)from; /* squash the unused parameter warning */
++    (void)idx; /* squash the unused parameter warning */
++    (void)argl; /* squash the unused parameter warning */
++    s_log(LOG_DEBUG, "Duplicating application specific data for %s",
++        (char *)argp);
++    src=*(void **)from_d;
++    len=addr_len(src);
++    dst=str_alloc_detached((size_t)len);
++    memcpy(dst, src, (size_t)len);
++    *(void **)from_d=dst;
++    return 1;
++}
++
++NOEXPORT void cb_free_addr(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+         int idx, long argl, void *argp) {
+     (void)parent; /* squash the unused parameter warning */
+     (void)ad; /* squash the unused parameter warning */
diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec
index a8660d6..a506a13 100644
--- a/SPECS/stunnel.spec
+++ b/SPECS/stunnel.spec
@@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.48
-Release: 5%{?dist}
+Release: 5%{?dist}.0.1
 License: GPLv2
 Group: Applications/Internet
 URL: http://www.stunnel.org/
@@ -26,6 +26,8 @@ Patch0: stunnel-5.40-authpriv.patch
 Patch1: stunnel-5.40-systemd-service.patch
 Patch3: stunnel-5.46-system-ciphers.patch
 Patch4: stunnel-5.48-coverity.patch
+Patch999: stunnel-5.48-failover-crash.patch 
+
 # util-linux is needed for rename
 BuildRequires: gcc
 BuildRequires: openssl-devel, pkgconfig, util-linux
@@ -52,7 +54,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch1 -p1 -b .systemd-service
 %patch3 -p1 -b .system-ciphers
 %patch4 -p1 -b .coverity
-
+%patch999 -p1 -b .failover
 # Fix the configure script output for FIPS mode and stack protector flag
 sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
 
@@ -137,6 +139,9 @@ make test
 %systemd_postun_with_restart %{name}.service
 
 %changelog
+* Wed Apr  3 2019 Johnny Hughes <johnny@centos.org> -  5.48-5.0.1
+- fix RH bugzilla bug 1665899
+
 * Tue Sep  4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5
 - Fix -fstack-protector-strong build flag application
 - Fix bugs from Coverity scan