diff --git a/httpd-2.4.59-engine-finish.patch b/httpd-2.4.59-engine-finish.patch
new file mode 100644
index 0000000..35d1970
--- /dev/null
+++ b/httpd-2.4.59-engine-finish.patch
@@ -0,0 +1,109 @@
+
+https://issues.redhat.com/browse/RHEL-36755
+
+--- httpd-2.4.59/modules/ssl/ssl_engine_init.c.24 2024-05-22 08:13:42.478057351 +0100
++++ httpd-2.4.59/modules/ssl/ssl_engine_init.c 2024-05-22 08:13:42.489057431 +0100
+@@ -1460,7 +1460,7 @@
+ if (modssl_is_engine_id(keyfile)) {
+ apr_status_t rv;
+ 
+- if ((rv = modssl_load_engine_keypair(s, ptemp, vhost_id,
++ if ((rv = modssl_load_engine_keypair(s, p, ptemp, vhost_id,
+ engine_certfile, keyfile,
+ &cert, &pkey))) {
+ return rv;
+--- httpd-2.4.59/modules/ssl/ssl_engine_pphrase.c.24 2024-05-22 08:13:42.443057094 +0100
++++ httpd-2.4.59/modules/ssl/ssl_engine_pphrase.c 2024-05-22 08:18:55.179844757 +0100
+@@ -830,8 +830,19 @@
+ #endif
+ 
+ #if MODSSL_HAVE_ENGINE_API
+-static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *p,
+- const char *vhostid,
++
++static apr_status_t modssl_engine_cleanup(void *engine)
++{
++ ENGINE *e = engine;
++
++ ENGINE_finish(e);
++
++ return APR_SUCCESS;
++}
++
++static apr_status_t modssl_load_keypair_engine(server_rec *s,
++ apr_pool_t *pconf, apr_pool_t *ptemp,
++ const char *vhostid,
+ const char *certid,
+ const char *keyid,
+ X509 **pubkey,
+@@ -839,12 +850,12 @@
+ {
+ const char *c, *scheme;
+ ENGINE *e;
+- UI_METHOD *ui_method = get_passphrase_ui(p);
++ UI_METHOD *ui_method = get_passphrase_ui(ptemp);
+ pphrase_cb_arg_t ppcb;
+ 
+ memset(&ppcb, 0, sizeof ppcb);
+ ppcb.s = s;
+- ppcb.p = p;
++ ppcb.p = ptemp;
+ ppcb.bPassPhraseDialogOnce = TRUE;
+ ppcb.key_id = vhostid;
+ ppcb.pkey_file = keyid;
+@@ -857,7 +868,7 @@
+ return ssl_die(s);
+ }
+ 
+- scheme = apr_pstrmemdup(p, keyid, c - keyid);
++ scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
+ if (!(e = ENGINE_by_id(scheme))) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
+ "Init: Failed to load engine for private key %s",
+@@ -906,7 +917,8 @@
+ return ssl_die(s);
+ }
+ 
+- ENGINE_finish(e);
++ apr_pool_cleanup_register(pconf, e, modssl_engine_cleanup, modssl_engine_cleanup);
++
+ ENGINE_free(e);
+ 
+ return APR_SUCCESS;
+@@ -1007,7 +1019,8 @@
+ }
+ #endif
+ 
+-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
++apr_status_t modssl_load_engine_keypair(server_rec *s,
++ apr_pool_t *pconf, apr_pool_t *ptemp,
+ const char *vhostid,
+ const char *certid, const char *keyid,
+ X509 **pubkey, EVP_PKEY **privkey)
+@@ -1016,11 +1029,11 @@
+ SSLModConfigRec *mc = myModConfig(s);
+ 
+ if (!mc->szCryptoDevice)
+- return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
++ return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
+ pubkey, privkey);
+ #endif
+ #if MODSSL_HAVE_ENGINE_API
+- return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
++ return modssl_load_keypair_engine(s, pconf, ptemp, vhostid, certid, keyid,
+ pubkey, privkey);
+ #else
+ return APR_ENOTIMPL;
+diff -uap httpd-2.4.59/modules/ssl/ssl_private.h.24 httpd-2.4.59/modules/ssl/ssl_private.h
+--- httpd-2.4.59/modules/ssl/ssl_private.h.24 2024-05-22 08:13:42.479057358 +0100
++++ httpd-2.4.59/modules/ssl/ssl_private.h 2024-05-22 08:13:42.489057431 +0100
+@@ -1090,7 +1090,8 @@
+ /* Load public and/or private key from the configured ENGINE. Private
+ * key returned as *pkey. certid can be NULL, in which case *pubkey
+ * is not altered. Errors logged on failure. */
+-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
++apr_status_t modssl_load_engine_keypair(server_rec *s,
++ apr_pool_t *pconf, apr_pool_t *ptemp,
+ const char *vhostid,
+ const char *certid, const char *keyid,
+ X509 **pubkey, EVP_PKEY **privkey);
diff --git a/httpd.spec b/httpd.spec
index 8e5edcd..2ed69dd 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -25,7 +25,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.59
-Release: 3.2%{?dist}
+Release: 3.3%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
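Review bot: The apr_pool_cleanup_register() call added in the @@ -906 hunk of ssl_engine_pphrase.c passes modssl_engine_cleanup as the child cleanup as well as the plain cleanup, so ENGINE_finish() would also run in every forked child just before exec() (piped loggers, CGI), tearing down an engine that may be backed by hardware or a PKCS#11 module in a process that only inherited it; unless that is intended, the conventional form is `apr_pool_cleanup_register(pconf, e, modssl_engine_cleanup, apr_pool_cleanup_null);`. The ENGINE_free(e) that stays on the following context line is still correct, since it only drops the structural reference from ENGINE_by_id() while the ENGINE_init() reference is now released by the cleanup, but it reads like a release-after-register, so a comment there would help: `/* ENGINE_init() holds its own ref; drop the ENGINE_by_id() one, the cleanup on pconf calls ENGINE_finish() */`. A cleanup is registered once per keypair loaded, which appears to match one ENGINE_init() per call, though the ENGINE_init() itself and most of modssl_load_keypair_engine's body lie outside the visible hunks, so that pairing should be confirmed against the full function. The cleanup runs at pconf teardown (reload/shutdown), later than the old immediate ENGINE_finish(); the ordering relative to any SSL_CTX or EVP_PKEY cleanups registered earlier on the same pool is not visible here and is worth a note in the patch description.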
@@ -105,6 +105,7 @@ Patch37: httpd-2.4.54-selinux.patch
 Patch60: httpd-2.4.43-enable-sslv3.patch
 Patch61: httpd-2.4.59-r1916863.patch
 Patch62: httpd-2.4.59-pr426.patch
+Patch63: httpd-2.4.59-engine-finish.patch
 # Security fixes
 # Patch200: ...
@@ -828,6 +829,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Tue May 21 2024 Joe Orton - 2.4.59-3.3
+- mod_ssl: defer ENGINE_finish() calls to a cleanup
+ Resolves: RHEL-36755
+
 * Fri May 17 2024 Joe Orton - 2.4.59-3.2
 - mod_ssl: use SSL_OP_NO_RENEGOTIATION