diff --git a/postgresql-openssl3-tests.patch b/postgresql-openssl3-tests.patch
deleted file mode 100644
index d7f16bf..0000000
--- a/postgresql-openssl3-tests.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -up postgresql-13.3/contrib/pgcrypto/Makefile.ssl30-tests-off postgresql-13.3/contrib/pgcrypto/Makefile
---- postgresql-13.3/contrib/pgcrypto/Makefile.ssl30-tests-off 2021-06-29 16:08:03.203650968 +0200
-+++ postgresql-13.3/contrib/pgcrypto/Makefile 2021-06-30 08:58:01.665202733 +0200
-@@ -5,7 +5,7 @@ INT_SRCS = md5.c sha1.c internal.c inter
- INT_TESTS = sha2
-
- OSSL_SRCS = openssl.c pgp-mpi-openssl.c
--OSSL_TESTS = sha2 des 3des cast5
-+OSSL_TESTS = sha2
-
- ZLIB_TST = pgp-compression
- ZLIB_OFF_TST = pgp-zlib-DISABLED
-@@ -49,11 +49,10 @@ DATA = pgcrypto--1.3.sql pgcrypto--1.2--
- pgcrypto--1.0--1.1.sql
- PGFILEDESC = "pgcrypto - cryptographic functions"
-
--REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael \
-+REGRESS = init md5 sha1 hmac-md5 hmac-sha1 \
- $(CF_TESTS) \
- crypt-des crypt-md5 crypt-blowfish crypt-xdes \
-- pgp-armor pgp-decrypt pgp-encrypt $(CF_PGP_TESTS) \
-- pgp-pubkey-decrypt pgp-pubkey-encrypt pgp-info
-+ pgp-armor $(CF_PGP_TESTS)
-
- EXTRA_CLEAN = gen-rtab
-
diff --git a/postgresql-pgcrypto-openssl3-init.patch b/postgresql-pgcrypto-openssl3-init.patch
new file mode 100644
index 0000000..7656ba5
--- /dev/null
+++ b/postgresql-pgcrypto-openssl3-init.patch
@@ -0,0 +1,33 @@
+Upstream patch: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=135d8687ad
+author Daniel Gustafsson
+
+The PX layer in pgcrypto is handling digest padding on its own uniformly
+for all backend implementations. Starting with OpenSSL 3.0.0, DecryptUpdate
+doesn't flush the last block in case padding is enabled so explicitly
+disable it as we don't use it.
+
+This will be backpatched to all supported version once there is sufficient
+testing in the buildfarm of OpenSSL 3.
+
+diff -ur postgresql-14rc1/contrib/pgcrypto/openssl.c postgresql-p/contrib/pgcrypto/openssl.c
+--- postgresql-14rc1/contrib/pgcrypto/openssl.c 2021-09-20 17:33:01.000000000 -0400
++++ postgresql-p/contrib/pgcrypto/openssl.c 2021-10-06 04:07:24.628836908 -0400
+@@ -379,6 +379,8 @@
+ {
+ if (!EVP_DecryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
+ return PXE_CIPHER_INIT;
++ if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))
++ return PXE_CIPHER_INIT;
+ if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
+ return PXE_CIPHER_INIT;
+ if (!EVP_DecryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
+@@ -403,6 +405,8 @@
+ {
+ if (!EVP_EncryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
+ return PXE_CIPHER_INIT;
++ if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))
++ return PXE_CIPHER_INIT;
+ if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
+ return PXE_CIPHER_INIT;
+ if (!EVP_EncryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
+
diff --git a/postgresql-pgcrypto-openssl3-tests.patch b/postgresql-pgcrypto-openssl3-tests.patch
new file mode 100644
index 0000000..16399a4
--- /dev/null
+++ b/postgresql-pgcrypto-openssl3-tests.patch
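Review bot: The two added `EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0)` calls in openssl.c carry no comment, so a later reader of the C file cannot tell that switching OpenSSL's block padding off is deliberate. The reason is only in the patch header (the PX layer pads on its own, and from OpenSSL 3.0.0 DecryptUpdate no longer flushes the last block while padding is enabled); I would put it above each call, e.g. `/* PX layer does its own padding; keep OpenSSL's padding disabled */`. With padding off, the data handed to OpenSSL has to be a whole number of cipher blocks, which the PX layer presumably guarantees, but that is not visible in these hunks. Both init functions start and end outside the hunks shown.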
@@ -0,0 +1,102 @@
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out 2021-09-01 08:16:48.138600886 -0400
+@@ -4,20 +4,6 @@
+ -- Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+- pgp_sym_decrypt
+------------------
+- Secret message.
+-(1 row)
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out 2021-09-01 08:05:27.750172653 -0400
+@@ -594,13 +594,6 @@
+ (1 row)
+
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+- pgp_pub_decrypt
+------------------
+- Secret msg
+-(1 row)
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+ from keytbl, encdata where keytbl.id=3 and encdata.id=3;
+ pgp_pub_decrypt
+ -----------------
+diff -ur postgresql-13.4/contrib/pgcrypto/Makefile postgresql-13.4.patched/contrib/pgcrypto/Makefile
+--- postgresql-13.4/contrib/pgcrypto/Makefile 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/Makefile 2021-09-01 08:26:47.207164873 -0400
+@@ -5,7 +5,7 @@
+ INT_TESTS = sha2
+
+ OSSL_SRCS = openssl.c pgp-mpi-openssl.c
+-OSSL_TESTS = sha2 des 3des cast5
++OSSL_TESTS = sha2
+
+ ZLIB_TST = pgp-compression
+ ZLIB_OFF_TST = pgp-zlib-DISABLED
+@@ -49,12 +49,13 @@
+ pgcrypto--1.0--1.1.sql
+ PGFILEDESC = "pgcrypto - cryptographic functions"
+
+-REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael \
++REGRESS = init md5 sha1 hmac-md5 hmac-sha1 rijndael \
+ $(CF_TESTS) \
+- crypt-des crypt-md5 crypt-blowfish crypt-xdes \
++ crypt-md5 \
+ pgp-armor pgp-decrypt pgp-encrypt $(CF_PGP_TESTS) \
+ pgp-pubkey-decrypt pgp-pubkey-encrypt pgp-info
+
++#REGRESS = init pgp-pubkey-decrypt pgp-decrypt \
+ EXTRA_CLEAN = gen-rtab
+
+ ifdef USE_PGXS
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql 2021-09-01 08:16:12.525212175 -0400
+@@ -5,16 +5,6 @@
+ -- Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql 2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql 2021-09-01 08:06:18.963732342 -0400
+@@ -606,9 +606,6 @@
+ from keytbl, encdata where keytbl.id=1 and encdata.id=1;
+
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey)) + from keytbl, encdata where keytbl.id=3 and encdata.id=3; + + select pgp_pub_decrypt(dearmor(data), dearmor(seckey)) diff --git a/postgresql.spec b/postgresql.spec index e52475c..8b1b2f6 100644 --- a/postgresql.spec +++ b/postgresql.spec @@ -63,7 +63,7 @@ Summary: PostgreSQL client programs Name: postgresql %global majorversion 13 Version: %{majorversion}.3 -Release: 8%{?dist} +Release: 9%{?dist} # The PostgreSQL license is very similar to other MIT licenses, but the OSI # recognizes it as an independent license, so we do as well. @@ -111,7 +111,8 @@ Patch5: postgresql-var-run-socket.patch Patch8: postgresql-external-libpq.patch Patch9: postgresql-server-pg_config.patch Patch12: postgresql-no-libecpg.patch -Patch13: postgresql-openssl3-tests.patch +Patch13: postgresql-pgcrypto-openssl3-init.patch +Patch14: postgresql-pgcrypto-openssl3-tests.patch BuildRequires: make BuildRequires: gcc @@ -427,6 +428,7 @@ goal of accelerating analytics queries. %endif %patch9 -p1 %patch13 -p1 +%patch14 -p1 # We used to run autoconf here, but there's no longer any real need to, # since Postgres ships with a reasonably modern configure script. @@ -1219,6 +1221,15 @@ make -C postgresql-setup-%{setup_version} check %changelog +* Tue Sep 21 2021 Filip Januš - 13.3-9 +- Remove tests failing with openssl3, now pgp is tested only with + supported ciphers + Add postgresql-pgcrypto-openssl3-init.patch - Correctly init ciphers + Add postgresql-pgcrypto-openssl3-tests.patch - disable unsupported + ciphers in the test suite + Related discussion: #2008773 + Resolves: #1964848 + * Tue Aug 10 2021 Mohan Boddu - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 
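Review bot: The new REGRESS list in the pgcrypto Makefile hunk drops `crypt-des`, `crypt-blowfish` and `crypt-xdes`, which the patch this commit deletes (postgresql-openssl3-tests.patch) still ran. As far as I know those crypt() tests exercise pgcrypto's own hashing code rather than the OpenSSL ciphers, so unless they were seen to fail I would keep the line as `crypt-des crypt-md5 crypt-blowfish crypt-xdes \`; otherwise regressions in password hashing go untested. Separately, the leftover `#REGRESS = init pgp-pubkey-decrypt pgp-decrypt \` ends in a backslash, and in GNU make a trailing backslash continues a comment onto the next line, so `EXTRA_CLEAN = gen-rtab` directly below it becomes part of the comment. That debugging line should be deleted.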
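Review bot: Patch13 and Patch14 are applied to a 13.3 tree, yet by their own `diff -ur` headers the init patch was generated against postgresql-14rc1 and the tests patch against postgresql-13.4, so both depend on offsets or fuzz to apply. A comment above the Patch lines recording the origin and base would make that visible, e.g. `# upstream commit 135d8687ad, diffed against 14rc1` above `Patch13:`. It is worth confirming in the build log that `%patch13 -p1` lands both openssl.c hunks cleanly, since the set_padding calls only help if they end up in the decrypt and encrypt init paths.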
@@ -1297,7 +1308,7 @@ make -C postgresql-setup-%{setup_version} check Fixes CVE-2020-25695 Fixes CVE-2020-25696 -* Wed Jan 27 2021 Fedora Release Engineering - 12.4-5 +* Wed Jan 13 2021 Fedora Release Engineering - 12.4-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Mon Nov 16 2020 Honza Horak - 12.4-4