diff --git a/wpa_supplicant-allow-legacy-renegotiation.patch b/wpa_supplicant-allow-legacy-renegotiation.patch
new file mode 100644
index 0000000..cbfd9ca
--- /dev/null
+++ b/wpa_supplicant-allow-legacy-renegotiation.patch
@@ -0,0 +1,20 @@
+diff -up wpa_supplicant-2.10/src/crypto/tls_openssl.c.legacy-server-connect wpa_supplicant-2.10/src/crypto/tls_openssl.c
+--- wpa_supplicant-2.10/src/crypto/tls_openssl.c.legacy-server-connect  2022-01-16 15:51:29.000000000 -0500
++++ wpa_supplicant-2.10/src/crypto/tls_openssl.c        2022-04-28 02:47:26.863529683 -0400
+@@ -1049,6 +1049,16 @@
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ 
++	/* Many enterprise PEAP server implementations (e.g. used in large
++	 corporations and universities) do not support RFC5746 secure
++	 renegotiation, and starting with OpenSSL 3.0,
++	 SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
++	 So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
++	 only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
++	 globally. */
++
++	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++
+ 	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ 
+ #ifdef SSL_MODE_NO_AUTO_CHAIN
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index b5d5e03..c2a646b 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -9,7 +9,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
 Source1: wpa_supplicant.conf
@@ -34,6 +34,11 @@ Patch6: wpa_supplicant-defconfig-keep-CONFIG_WEP-enabled.patch
 # FIXME: Explain why are these two here
 Patch7: wpa_supplicant-defconfig-enable-WPA-EAP-SUITE-B-192-ciphers.patch
 Patch8: wpa_supplicant-defconfig-enable-OCV-support.patch
+# Allow legacy renegotiation with openssl 3.0 to fix connection to
+# PEAP/Radius servers that don't support secure renegotiation:
+# https://bugzilla.redhat.com/show_bug.cgi?id=2072070
+# From James Ralston in comment #24, thanks to James
+Patch9: wpa_supplicant-allow-legacy-renegotiation.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
@@ -194,6 +199,9 @@ chmod -R 0644 wpa_supplicant/examples/*.py
 
 
 %changelog
+* Mon May 02 2022 Adam Williamson <awilliam@redhat.com> - 1:2.10-4
+- Allow legacy renegotiation for bad PEAP servers (James Ralston) (#2072070)
+
 * Wed Jan 26 2022 Michael Yartys <michael.yartys@protonmail.com> - 1:2.10-3
 - Enable Operating Channel Validation (OCV) support