diff --git a/SOURCES/libvirt-qemu-migration-Don-t-use-empty-string-for-tls-hostname-NBD-blockdev.patch b/SOURCES/libvirt-qemu-migration-Don-t-use-empty-string-for-tls-hostname-NBD-blockdev.patch
new file mode 100644
index 0000000..3496729
--- /dev/null
+++ b/SOURCES/libvirt-qemu-migration-Don-t-use-empty-string-for-tls-hostname-NBD-blockdev.patch
@@ -0,0 +1,80 @@
+From 5d48c5d215071526383b8fc50d81ecde62e4111b Mon Sep 17 00:00:00 2001
+From: Peter Krempa
+Date: Fri, 19 Apr 2024 15:51:35 +0200
+Subject: [PATCH] qemu: migration: Don't use empty string for 'tls-hostname'
+ NBD blockdev
+
+While QEMU accepts and interprets an empty string in the tls-hostname
+field in migration parametes as if it's unset, the same does not apply
+for the 'tls-hostname' field when 'blockdev-add'-ing a NBD backend for
+non-shared storage migration.
+
+When libvirt sets up migation with TLS in 'qemuMigrationParamsEnableTLS'
+the QEMU_MIGRATION_PARAM_TLS_HOSTNAME migration parameter will be set to
+empty string in case when the 'hostname' argument is passed as NULL.
+
+Later on when setting up the NBD connections for non-shared storage
+migration 'qemuMigrationParamsGetTLSHostname', which fetches the value
+of the aforementioned TLS parameter.
+
+This bug was mostly latent until recently as libvirt used
+MIGRATION_DEST_CONNECT_HOST mode in most cases which required the
+hostname to be passed, thus the parameter was set properly.
+
+This changed with 8d693d79c40 for post-copy migration, where libvirt now
+instructs qemu to connect and thus passes NULL hostname to
+qemuMigrationParamsEnableTLS, which in turn causes libvirt to try to
+add NBD connection with empty string as tls-hostname resulting in:
+
+ error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname
+
+To address this modify 'qemuMigrationParamsGetTLSHostname' to undo the
+weird semantics the migration code uses to handle TLS hostname and make
+it return NULL if the hostname is an empty string.
+
+Fixes: e8fa09d66bc
+Resolves: https://issues.redhat.com/browse/RHEL-32880
+Signed-off-by: Peter Krempa
+Reviewed-by: Jiri Denemark
+---
+ src/qemu/qemu_migration_params.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
+index e955822f68f..48f8657f716 100644
+--- a/src/qemu/qemu_migration_params.c
++++ b/src/qemu/qemu_migration_params.c
+@@ -1158,6 +1158,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver,
+ *tlsAlias) < 0)
+ return -1;
+
++ /* QEMU interprets an empty string for hostname as if it is not populated */
+ if (!migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].set &&
+ qemuMigrationParamsSetString(migParams,
+ QEMU_MIGRATION_PARAM_TLS_HOSTNAME,
+@@ -1659,13 +1660,23 @@ qemuMigrationCapsGet(virDomainObj *vm,
+ * @migParams: Migration params object
+ *
+ * Fetches the value of the QEMU_MIGRATION_PARAM_TLS_HOSTNAME parameter which is
+- * passed from the user as VIR_MIGRATE_PARAM_TLS_DESTINATION
++ * passed from the user as VIR_MIGRATE_PARAM_TLS_DESTINATION.
++ *
++ * In contrast with the migration parameter semantics, where an empty string
++ * is considered as if the hostname was not provided, this function will return
++ * NULL instead of an empty string as other parts of QEMU expect that the
++ * hostname is not provided at all.
+ */
+ const char *
+ qemuMigrationParamsGetTLSHostname(qemuMigrationParams *migParams)
+ {
++ const char *hostname = migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].value.s;
++
+ if (!migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].set)
+ return NULL;
+
+- return migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].value.s;
++ if (STREQ(hostname, ""))
++ return NULL;
++
++ return hostname;
+ }
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index be26685..b761366 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
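Review bot: `STREQ(hostname, "")` in the new body of qemuMigrationParamsGetTLSHostname dereferences `hostname` unconditionally, so if the TLS_HOSTNAME entry can ever be marked `.set` while `value.s` is NULL (the setter and its other callers are outside this hunk; only the `.set &&` guard of the qemuMigrationParamsEnableTLS call is visible) the added early return crashes instead of returning NULL; `if (!hostname || *hostname == '\0') return NULL;` covers both cases, and moving the `value.s` read below the `.set` check keeps the flow obvious. The new doc comment also omits the security consequence a caller needs to know: a NULL return makes libvirt leave `tls-hostname` out of the NBD `blockdev-add`, so certificate name verification for that connection becomes whatever QEMU applies when no name is supplied (presumably the connect address for inet transports and no name check otherwise), which deserves a line such as `* A NULL return means the NBD client's certificate hostname check falls back to QEMU's default for an unspecified hostname.` Both inner hunks cut through their enclosing definitions: qemuMigrationParamsEnableTLS continues beyond the first hunk and the doc comment of the second starts before it.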
@@ -270,7 +270,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 10.0.0 -Release: 6.2%{?dist}%{?extra_release}.alma.1 +Release: 6.3%{?dist}%{?extra_release}.alma.1 License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1 URL: https://libvirt.org/ @@ -388,9 +388,10 @@ Patch81: qemu-virtiofs-set-correct-label-when-creating-the-socket.patch Patch82: qemu-virtiofs-error-out-if-getting-the-group-or-user-namefails.patch # https://gitlab.com/redhat/centos-stream/rpms/libvirt/-/commit/89e6bcfe8fba470f675af3d3da0d85b78abc0214 Patch83: libvirt-Fix-off-by-one-error-in-udevListInterfacesByStatus.patch -Patch85: libvirt-remote-check-for-negative-array-lengths-before-allocation.patch Patch84: libvirt-qemu-Fix-migration-with-custom-XML.patch - +Patch85: libvirt-remote-check-for-negative-array-lengths-before-allocation.patch +# https://github.com/libvirt/libvirt/commit/5d48c5d215071526383b8fc50d81ecde62e4111b +Patch86: libvirt-qemu-migration-Don-t-use-empty-string-for-tls-hostname-NBD-blockdev.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2693,6 +2694,10 @@ exit 0 %endif %changelog +* Thu Jun 13 2024 Eduard Abdullin - 10.0.0-6.3.el9_4.alma.1 +- qemu: migration: Don't use empty string for 'tls-hostname' + NBD blockdev + * Tue Apr 30 2024 Eduard Abdullin - 10.0.0-6.2.el9_4.alma.1 - Fix off-by-one error in udevListInterfacesByStatus - remote: check for negative array lengths before allocation