diff --git a/0006-openssl-authentication.patch b/0006-openssl-authentication.patch
new file mode 100644
index 0000000..c864610
--- /dev/null
+++ b/0006-openssl-authentication.patch
@@ -0,0 +1,101 @@
+diff --git a/src/iperf_auth.c b/src/iperf_auth.c
+index a183c26..6edcd03 100644
+--- a/src/iperf_auth.c
++++ b/src/iperf_auth.c
+@@ -131,9 +131,9 @@ int Base64Encode(const unsigned char* buffer, const size_t length, char** b64tex
+
+ size_t calcDecodeLength(const char* b64input) { //Calculates the length of a decoded string
+ size_t len = strlen(b64input), padding = 0;
+- if (b64input[len-1] == '=' && b64input[len-2] == '=') //last two chars are =
++ if (len >= 2 && b64input[len-1] == '=' && b64input[len-2] == '=') //last two chars are =
+ padding = 2;
+- else if (b64input[len-1] == '=') //last char is =
++ else if (len >= 1 && b64input[len-1] == '=') //last char is =
+ padding = 1;
+
+ return (len*3)/4 - padding;
+@@ -235,26 +235,31 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch
+ RSA *rsa = NULL;
+ #endif
+ unsigned char *rsa_buffer = NULL;
+- size_t encryptedtext_len = 0;
+- int rsa_buffer_len, keysize;
++ size_t encryptedtext_len = 0, plaintext_len = 0;
++ int rsa_buffer_len, output_buffer_len;
+
+ #if OPENSSL_VERSION_MAJOR >= 3
+ int rc;
+ ctx = EVP_PKEY_CTX_new_from_pkey(NULL, public_key, "");
+ /* See evp_pkey_rsa(7) and provider-keymgmt(7) */
+- rc = EVP_PKEY_get_int_param(public_key, OSSL_PKEY_PARAM_MAX_SIZE, &keysize); /* XXX not really keysize */
++ rc = EVP_PKEY_get_int_param(public_key, OSSL_PKEY_PARAM_MAX_SIZE, &output_buffer_len); /* XXX not really keysize */
+ if (!rc) {
+ goto errreturn;
+ }
+ #else
+ rsa = EVP_PKEY_get1_RSA(public_key);
+- keysize = RSA_size(rsa);
++ output_buffer_len = RSA_size(rsa);
+ #endif
+- rsa_buffer = OPENSSL_malloc(keysize * 2);
+- *encryptedtext = (unsigned char*)OPENSSL_malloc(keysize);
++ plaintext_len = strlen(plaintext);
++ if (plaintext_len > output_buffer_len) {
++ fprintf(stderr, "Plaintext of size %zd truncated to %d; data is lost.\n", plaintext_len, output_buffer_len);
++ }
++ rsa_buffer = OPENSSL_malloc(output_buffer_len);
++ *encryptedtext = (unsigned char*)OPENSSL_malloc(output_buffer_len);
++ encryptedtext_len = output_buffer_len;
+
+- BIO *bioBuff = BIO_new_mem_buf((void*)plaintext, (int)strlen(plaintext));
+- rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
++ BIO *bioBuff = BIO_new_mem_buf((void*)plaintext, (int)plaintext_len);
++ rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, plaintext_len);
+
+ int padding = RSA_PKCS1_OAEP_PADDING;
+ if (use_pkcs1_padding){
+@@ -293,26 +298,29 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ #endif
+ unsigned char *rsa_buffer = NULL;
+ size_t plaintext_len = 0;
+- int rsa_buffer_len, keysize;
++ int rsa_buffer_len, output_buffer_len;
+
+ #if OPENSSL_VERSION_MAJOR >= 3
+ int rc;
+ ctx = EVP_PKEY_CTX_new_from_pkey(NULL, private_key, "");
+ /* See evp_pkey_rsa(7) and provider-keymgmt(7) */
+- rc = EVP_PKEY_get_int_param(private_key, OSSL_PKEY_PARAM_MAX_SIZE, &keysize); /* XXX not really keysize */
++ rc = EVP_PKEY_get_int_param(private_key, OSSL_PKEY_PARAM_MAX_SIZE, &output_buffer_len); /* XXX not really keysize */
+ if (!rc) {
+ goto errreturn;
+ }
+ #else
+ rsa = EVP_PKEY_get1_RSA(private_key);
+- keysize = RSA_size(rsa);
++ output_buffer_len = RSA_size(rsa);
+ #endif
+- rsa_buffer = OPENSSL_malloc(keysize * 2);
++ if (encryptedtext_len > output_buffer_len) {
++ fprintf(stderr, "Encrypted text of size %d truncated to %d; likely invalid input.\n", encryptedtext_len, output_buffer_len);
++ }
++ rsa_buffer = OPENSSL_malloc(output_buffer_len);
+ // Note: +1 for NULL
+- *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
++ *plaintext = (unsigned char*)OPENSSL_malloc(output_buffer_len + 1);
+
+ BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+- rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
++ rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, encryptedtext_len);
+
+ int padding = RSA_PKCS1_OAEP_PADDING;
+ if (use_pkcs1_padding){
+@@ -320,7 +328,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ }
+ #if OPENSSL_VERSION_MAJOR >= 3
+
+- plaintext_len = keysize;
++ plaintext_len = output_buffer_len;
+ EVP_PKEY_decrypt_init(ctx);
+
+ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
diff --git a/iperf3.spec b/iperf3.spec
index 0ac8235..9fee05b 100644
--- a/iperf3.spec
+++ b/iperf3.spec
@@ -1,6 +1,6 @@
 Name: iperf3
 Version: 3.9
-Release: 16%{?dist}
+Release: 17%{?dist}
 Summary: Measurement tool for TCP/UDP bandwidth performance
 License: BSD
@@ -12,6 +12,7 @@ Patch0002: 0002-cve-2024-26306.patch
 Patch0003: 0003-cve-2024-53580.patch
 Patch0004: 0004-cve-2025-54349.patch
 Patch0005: 0005-logfile-image-mode.patch
+Patch0006: 0006-openssl-authentication.patch
 BuildRequires: libuuid-devel
 BuildRequires: gcc
@@ -59,6 +60,9 @@ rm -f %{buildroot}%{_libdir}/libiperf.la
 %{_libdir}/*.so
 %changelog
+* Mon Apr 13 2026 Michal Ruprich - 3.9-17
+- Resolves: RHEL-151875 - authentication no longer works with the new openssl
+
 * Tue Jan 20 2026 Michal Ruprich - 3.9-16
 - Resolves: RHEL-132941 - iperf3 broken once "--logfile" is specified on server side
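Review bot: In the `decrypt_rsa_message` hunk of 0006-openssl-authentication.patch, the new `encryptedtext_len > output_buffer_len` branch only prints a warning, and `BIO_read(bioBuff, rsa_buffer, encryptedtext_len)` then copies the full caller-supplied length into `rsa_buffer`, which is now allocated with only `output_buffer_len` bytes, so an oversized ciphertext writes past the heap allocation; the `encrypt_rsa_message` hunk has the same pattern with `plaintext_len`. Both messages say "truncated", but no visible line clamps the length, whereas the removed code capped the read at the `keysize * 2` buffer size. I would fail closed before allocating on the decrypt side, `if (encryptedtext_len > output_buffer_len) goto errreturn;`, and on the encrypt side add `plaintext_len = output_buffer_len;` inside the warning branch (or reject there as well). The `errreturn` label and the rest of both functions lie outside the hunks, so check that the early exit copes with `rsa_buffer` and the output pointer still being unset. Minor: `%zd` is given a `size_t` argument; `%zu` is the matching specifier.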