diff --git a/libreswan-4.2-openssl3.patch b/libreswan-4.2-openssl3.patch
new file mode 100644
index 0000000..3feb776
--- /dev/null
+++ b/libreswan-4.2-openssl3.patch
@@ -0,0 +1,31 @@
+diff -up ./programs/pluto/ikev2_ipseckey.c.openssl3 ./programs/pluto/ikev2_ipseckey.c
+--- ./programs/pluto/ikev2_ipseckey.c.openssl3	2021-02-03 02:36:01.000000000 +0100
++++ ./programs/pluto/ikev2_ipseckey.c	2021-06-24 17:55:04.863636517 +0200
+@@ -25,13 +25,25 @@
+ #include <arpa/nameser.h>
+ #include <ldns/ldns.h>	/* from ldns-devel */
+ #include <ldns/rr.h>
++/*
++ * avoid name clash between OpenSSL headers (included through
++ * <ldns/ldns.h>) and NSS headers (included below through <pk11pub.h>)
++ */
++#undef KU_DIGITAL_SIGNATURE
++#undef KU_NON_REPUDIATION
++#undef KU_KEY_ENCIPHERMENT
++#undef KU_DATA_ENCIPHERMENT
++#undef KU_KEY_AGREEMENT
++#undef KU_KEY_CERT_SIGN
++#undef KU_CRL_SIGN
++#undef KU_ENCIPHER_ONLY
+ #include <unbound.h>
+ #include "unbound-event.h"
+ #include "defs.h"
+ #include "log.h"
++#include "state.h"
+ #include "constants.h"	/* for demux.h */
+ #include "demux.h"	/* to get struct msg_digest */
+-#include "state.h"
+ #include "connections.h"
+ #include "dnssec.h"	/* includes unbound.h */
+ #include "id.h"
+diff -up ./programs/pluto/ikev2_rsa.c.openssl3 ./programs/pluto/ikev2_rsa.c
diff --git a/libreswan.spec b/libreswan.spec
index 3748e61..cb385ca 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -31,7 +31,7 @@ Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
 Version: 4.2
-Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}.2
+Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}.3
 License: GPLv2
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@@ -40,6 +40,7 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
+Patch0: libreswan-4.2-openssl3.patch
 
 BuildRequires: audit-libs-devel
 BuildRequires: bison
@@ -93,6 +94,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 
 %prep
 %setup -q -n libreswan-%{version}%{?prever}
+%patch0 -b .openssl3
 # enable crypto-policies support
 sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
 
@@ -194,6 +196,9 @@ certutil -N -d sql:$tmpdir --empty-password
 %doc %{_mandir}/*/*
 
 %changelog
+* Thu Jun 24 2021 Daiki Ueno <dueno@redhat.com> - 4.2-1.3
+- Fix FTBFS with OpenSSL 3.0 (rhbz#1975439)
+
 * Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.2
 - Rebuilt for RHEL 9 BETA for openssl 3.0
   Related: rhbz#1971065