diff --git a/crypto-Handle-EVP-changes-in-OpenSSL-3.patch b/crypto-Handle-EVP-changes-in-OpenSSL-3.patch
new file mode 100644
index 0000000..b0774f4
--- /dev/null
+++ b/crypto-Handle-EVP-changes-in-OpenSSL-3.patch
@@ -0,0 +1,36 @@
+From 74fd6dc6c3ba65e48c625d4724878721c46a5e6f Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 24 Aug 2021 15:04:13 -0400
+Subject: [PATCH] crypto: Handle EVP changes in OpenSSL 3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+OpenSSL 3 changes the padding behavior of EVP_DecryptFinal_ex(), which
+causes our decryption to fail. It is the opnion of the OpenSSL
+developers that mod_auth_gssapi's use of this function was incorrect.
+
+Patch suggested by Tomáš Mráz.
+
+Related: https://github.com/openssl/openssl/issues/16351
+
+Signed-off-by: Robbie Harwood
+(cherry picked from commit 06d1f7d36d2455747e6e8231d28e6524ea1181f1)
+(cherry picked from commit 915a3d7fca3beefadd751562abe2d481354a2a9c)
+---
+ src/crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto.c b/src/crypto.c
+index 3f372a0..b3f7fd9 100644
+--- a/src/crypto.c
++++ b/src/crypto.c
+@@ -262,7 +262,7 @@ apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
+
+ totlen += outlen;
+ outlen = plain->length - totlen;
+- ret = EVP_DecryptFinal_ex(ctx, plain->value, &outlen);
++ ret = EVP_DecryptFinal_ex(ctx, plain->value + totlen, &outlen);
+ if (ret == 0) goto done;
+
+ totlen += outlen;
diff --git a/mod_auth_gssapi.spec b/mod_auth_gssapi.spec
index 5b0f0b7..3f5b292 100644
--- a/mod_auth_gssapi.spec
+++ b/mod_auth_gssapi.spec
@@ -1,6 +1,6 @@ Name: mod_auth_gssapi Version: 1.6.3 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A GSSAPI Authentication module for Apache License: MIT
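Review bot: In the embedded src/crypto.c hunk, `outlen = plain->length - totlen;` reads like a bound on the final write, but EVP_DecryptFinal_ex() only stores the written length into `outlen` and never reads it, so nothing limits what is written at `plain->value + totlen`. Now that the final block lands after the already-decrypted data instead of at offset 0, the allocation of `plain->value` (made outside this hunk) must leave at least one cipher block of room past `totlen`. I would make that explicit before the call with `if (plain->length - totlen < (size_t)EVP_CIPHER_CTX_block_size(ctx)) goto done;`, or at minimum a comment stating the invariant. UNSEAL_BUFFER starts and ends outside the hunk, so the buffer sizing and the status returned through `done:` on that early exit need confirming against the full function.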
@@ -13,6 +13,8 @@ BuildRequires: git Requires: httpd-mmn = %{_httpd_mmn} Requires: krb5-libs >= 1.11.5 +Patch0: crypto-Handle-EVP-changes-in-OpenSSL-3.patch + # If you're reading this: NTLM is insecure. Migrate off it. %if 0%{?rhel} %else @@ -24,7 +26,7 @@ The mod_auth_gssapi module is an authentication service that implements the SPNEGO based HTTP Authentication protocol defined in RFC4559. %prep -%autosetup -S git +%autosetup -S git_am %build export APXS=%{_httpd_apxs} @@ -49,6 +51,10 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir} %{_httpd_moddir}/mod_auth_gssapi.so %changelog +* Wed Aug 25 2021 Robbie Harwood - 1.6.3-7 +- crypto: Handle EVP changes in OpenSSL 3 +- Resolves: #1992648 + * Mon Aug 09 2021 Mohan Boddu - 1.6.3-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688