Index: lang/python27/files/patch-issue33127
===================================================================
--- /dev/null
+++ lang/python27/files/patch-issue33127
@@ -0,0 +1,59 @@
+diff --git Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst
+new file mode 100644
+index 0000000000..635aabbde0
+--- /dev/null
++++ Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst
+@@ -0,0 +1 @@
++The ssl module now compiles with LibreSSL 2.7.1.
+diff --git Modules/_ssl.c Modules/_ssl.c
+index da8b20f54f..d0ce913d3d 100644
+--- Modules/_ssl.c
++++ Modules/_ssl.c
+@@ -102,6 +102,12 @@ struct py_ssl_library_code {
+ 
+ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ #  define OPENSSL_VERSION_1_1 1
++#  define PY_OPENSSL_1_1_API 1
++#endif
++
++/* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */
++#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
++#  define PY_OPENSSL_1_1_API 1
+ #endif
+ 
+ /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
+@@ -149,16 +155,18 @@ struct py_ssl_library_code {
+ #define INVALID_SOCKET (-1)
+ #endif
+ 
+-#ifdef OPENSSL_VERSION_1_1
+-/* OpenSSL 1.1.0+ */
+-#ifndef OPENSSL_NO_SSL2
+-#define OPENSSL_NO_SSL2
+-#endif
+-#else /* OpenSSL < 1.1.0 */
+-#if defined(WITH_THREAD)
++/* OpenSSL 1.0.2 and LibreSSL needs extra code for locking */
++#if !defined(OPENSSL_VERSION_1_1) && defined(WITH_THREAD)
+ #define HAVE_OPENSSL_CRYPTO_LOCK
+ #endif
+ 
++#if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2)
++#define OPENSSL_NO_SSL2
++#endif
++
++#ifndef PY_OPENSSL_1_1_API
++/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
++
+ #define TLS_method SSLv23_method
+ 
+ static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
+@@ -201,7 +209,7 @@ static X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store)
+ {
+     return store->param;
+ }
+-#endif /* OpenSSL < 1.1.0 or LibreSSL */
++#endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */
+ 
+ 
+ enum py_ssl_error {
Index: lang/python35/files/patch-issue33127
===================================================================
--- /dev/null
+++ lang/python35/files/patch-issue33127
@@ -0,0 +1,74 @@
+diff --git Lib/test/test_ssl.py Lib/test/test_ssl.py
+index 8dd3b41450..9785a59a7e 100644
+--- Lib/test/test_ssl.py
++++ Lib/test/test_ssl.py
+@@ -1687,6 +1687,7 @@ class SimpleBackgroundTests(unittest.TestCase):
+         self.assertEqual(len(ctx.get_ca_certs()), 1)
+
+     @needs_sni
++    @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"), "needs TLS 1.2")
+     def test_context_setget(self):
+         # Check that the context of a connected socket can be replaced.
+         ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+diff --git Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.
+olJmHv.rst
+new file mode 100644
+index 0000000000..635aabbde0
+--- /dev/null
++++ Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst
+@@ -0,0 +1 @@
++The ssl module now compiles with LibreSSL 2.7.1.
+diff --git Modules/_ssl.c Modules/_ssl.c
+index c54e43c2b4..5e007da858 100644
+--- Modules/_ssl.c
++++ Modules/_ssl.c
+@@ -101,8 +101,14 @@
+ 
+ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ #  define OPENSSL_VERSION_1_1 1
++#  define PY_OPENSSL_1_1_API 1
+ #endif
+ 
++/* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */
++#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
++#  define PY_OPENSSL_1_1_API 1
++#endif
++
+ /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
+     http://www.openssl.org/news/changelog.html
+  */
+@@ -129,16 +135,18 @@
+ #define INVALID_SOCKET (-1)
+ #endif
+ 
+-#ifdef OPENSSL_VERSION_1_1
+-/* OpenSSL 1.1.0+ */
+-#ifndef OPENSSL_NO_SSL2
+-#define OPENSSL_NO_SSL2
+-#endif
+-#else /* OpenSSL < 1.1.0 */
+-#if defined(WITH_THREAD)
++/* OpenSSL 1.0.2 and LibreSSL needs extra code for locking */
++#if !defined(OPENSSL_VERSION_1_1) && defined(WITH_THREAD)
+ #define HAVE_OPENSSL_CRYPTO_LOCK
+ #endif
+ 
++#if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2)
++#define OPENSSL_NO_SSL2
++#endif
++
++#ifndef PY_OPENSSL_1_1_API
++/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
++
+ #define TLS_method SSLv23_method
+ 
+ static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
+@@ -187,7 +195,7 @@
+ {
+     return store->param;
+ }
+-#endif /* OpenSSL < 1.1.0 or LibreSSL */
++#endif /* OpenSSL < 1.1.0 or or LibreSSL < 2.7.0 */
+ 
+ 
+ enum py_ssl_error {
Index: lang/python36/files/patch-issue33127
===================================================================
--- /dev/null
+++ lang/python36/files/patch-issue33127
@@ -0,0 +1,86 @@
+diff --git Lib/test/test_ssl.py Lib/test/test_ssl.py
+index 8dd3b41450..9785a59a7e 100644
+--- Lib/test/test_ssl.py
++++ Lib/test/test_ssl.py
+@@ -1687,6 +1687,7 @@ class SimpleBackgroundTests(unittest.TestCase):
+         self.assertEqual(len(ctx.get_ca_certs()), 1)
+ 
+     @needs_sni
++    @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"), "needs TLS 1.2")
+     def test_context_setget(self):
+         # Check that the context of a connected socket can be replaced.
+         ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+diff --git Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst
+new file mode 100644
+index 0000000000..635aabbde0
+--- /dev/null
++++ Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst
+@@ -0,0 +1 @@
++The ssl module now compiles with LibreSSL 2.7.1.
+diff --git Modules/_ssl.c Modules/_ssl.c
+index c54e43c2b4..5e007da858 100644
+--- Modules/_ssl.c
++++ Modules/_ssl.c
+@@ -106,6 +106,12 @@ struct py_ssl_library_code {
+ 
+ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ #  define OPENSSL_VERSION_1_1 1
++#  define PY_OPENSSL_1_1_API 1
++#endif
++
++/* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */
++#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
++#  define PY_OPENSSL_1_1_API 1
+ #endif
+ 
+ /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
+@@ -152,16 +158,18 @@ struct py_ssl_library_code {
+ #define INVALID_SOCKET (-1)
+ #endif
+ 
+-#ifdef OPENSSL_VERSION_1_1
+-/* OpenSSL 1.1.0+ */
+-#ifndef OPENSSL_NO_SSL2
+-#define OPENSSL_NO_SSL2
+-#endif
+-#else /* OpenSSL < 1.1.0 */
+-#if defined(WITH_THREAD)
++/* OpenSSL 1.0.2 and LibreSSL needs extra code for locking */
++#if !defined(OPENSSL_VERSION_1_1) && defined(WITH_THREAD)
+ #define HAVE_OPENSSL_CRYPTO_LOCK
+ #endif
+ 
++#if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2)
++#define OPENSSL_NO_SSL2
++#endif
++
++#ifndef PY_OPENSSL_1_1_API
++/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
++
+ #define TLS_method SSLv23_method
+ #define TLS_client_method SSLv23_client_method
+ #define TLS_server_method SSLv23_server_method
+@@ -227,7 +235,7 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
+     return s->tlsext_tick_lifetime_hint;
+ }
+ 
+-#endif /* OpenSSL < 1.1.0 or LibreSSL */
++#endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */
+ 
+ 
+ enum py_ssl_error {
+diff --git Tools/ssl/multissltests.py Tools/ssl/multissltests.py
+index ce5bbd8530..ba4529ae06 100755
+--- Tools/ssl/multissltests.py
++++ Tools/ssl/multissltests.py
+@@ -57,8 +57,9 @@ LIBRESSL_OLD_VERSIONS = [
+ ]
+ 
+ LIBRESSL_RECENT_VERSIONS = [
+-    "2.5.3",
+     "2.5.5",
++    "2.6.4",
++    "2.7.1",
+ ]
+ 
+ # store files in ../multissl