diff --git a/srcpkgs/wpa_supplicant/patches/libressl.patch b/srcpkgs/wpa_supplicant/patches/libressl.patch
index 0037a9fdcbc..507227f2267 100644
--- a/srcpkgs/wpa_supplicant/patches/libressl.patch
+++ b/srcpkgs/wpa_supplicant/patches/libressl.patch
@@ -1,49 +1,76 @@
---- src/crypto/crypto_openssl.c.orig
-+++ src/crypto/crypto_openssl.c
-@@ -611,7 +611,7 @@
+--- ./src/crypto/crypto_openssl.c.orig	2016-10-02 20:51:11.000000000 +0200
++++ ./src/crypto/crypto_openssl.c	2018-04-25 07:45:26.063040958 +0200
+@@ -33,7 +33,7 @@
+ #include "aes_wrap.h"
+ #include "crypto.h"
  
- void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ /* Compatibility wrappers for older versions. */
+ 
+ static HMAC_CTX * HMAC_CTX_new(void)
+@@ -79,7 +79,7 @@ static void EVP_MD_CTX_free(EVP_MD_CTX *
+ 
+ static BIGNUM * get_group5_prime(void)
  {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 	DH *dh;
- 	struct wpabuf *pubkey = NULL, *privkey = NULL;
- 	size_t publen, privlen;
-@@ -712,7 +712,7 @@
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ 	return BN_get_rfc3526_prime_1536(NULL);
+ #elif !defined(OPENSSL_IS_BORINGSSL)
+ 	return get_rfc3526_prime_1536(NULL);
+--- ./src/crypto/tls_openssl.c.orig	2016-10-02 20:51:11.000000000 +0200
++++ ./src/crypto/tls_openssl.c	2018-04-25 07:45:26.087040994 +0200
+@@ -59,7 +59,7 @@ typedef int stack_index_t;
+ #endif /* SSL_set_tlsext_status_type */
  
- void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
+ #if (OPENSSL_VERSION_NUMBER < 0x10100000L || \
+-     defined(LIBRESSL_VERSION_NUMBER)) &&    \
++     (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)) &&    \
+     !defined(BORINGSSL_API_VERSION)
+ /*
+  * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
+@@ -3105,7 +3105,7 @@ int tls_connection_get_random(void *ssl_
+ #ifdef OPENSSL_NEED_EAP_FAST_PRF
+ static int openssl_get_keyblock_size(SSL *ssl)
  {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 	DH *dh;
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ 	const EVP_CIPHER *c;
+ 	const EVP_MD *h;
+ 	int md_size;
+@@ -3562,7 +3562,7 @@ int tls_connection_set_cipher_list(void
  
- 	dh = DH_new();
---- src/crypto/tls_openssl.c.orig
-+++ src/crypto/tls_openssl.c
-@@ -919,7 +919,7 @@
- 		}
- #endif /* OPENSSL_FIPS */
- #endif /* CONFIG_FIPS */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 		SSL_load_error_strings();
- 		SSL_library_init();
- #ifndef OPENSSL_NO_SHA256
-@@ -1043,7 +1043,7 @@
+ 	wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
  
- 	tls_openssl_ref_count--;
- 	if (tls_openssl_ref_count == 0) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #ifndef OPENSSL_NO_ENGINE
- 		ENGINE_cleanup();
- #endif /* OPENSSL_NO_ENGINE */
-@@ -2334,7 +2334,7 @@
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
+ 	if (os_strstr(buf, ":ADH-")) {
+ 		/*
+@@ -4146,7 +4146,7 @@ int tls_global_set_params(void *tls_ctx,
+  * commented out unless explicitly needed for EAP-FAST in order to be able to
+  * build this file with unmodified openssl. */
+ 
+-#if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
+ 			   STACK_OF(SSL_CIPHER) *peer_ciphers,
+ 			   const SSL_CIPHER **cipher, void *arg)
+@@ -4159,7 +4159,7 @@ static int tls_sess_sec_cb(SSL *s, void
+ 	struct tls_connection *conn = arg;
+ 	int ret;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ 	if (conn == NULL || conn->session_ticket_cb == NULL)
  		return 0;
  
- #ifdef PKCS12_FUNCS
--#if OPENSSL_VERSION_NUMBER < 0x10002000L
-+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
- 	/*
- 	 * Clear previously set extra chain certificates, if any, from PKCS#12
- 	 * processing in tls_parse_pkcs12() to allow OpenSSL to build a new
+@@ -4254,7 +4254,7 @@ int tls_connection_set_session_ticket_cb
+ 
+ int tls_get_library_version(char *buf, size_t buf_len)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ 	return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
+ 			   OPENSSL_VERSION_TEXT,
+ 			   OpenSSL_version(OPENSSL_VERSION));
diff --git a/srcpkgs/wpa_supplicant/template b/srcpkgs/wpa_supplicant/template
index c767e73e82a..ca9891859ee 100644
--- a/srcpkgs/wpa_supplicant/template
+++ b/srcpkgs/wpa_supplicant/template
@@ -1,7 +1,7 @@
 # Template file for 'wpa_supplicant'
 pkgname=wpa_supplicant
 version=2.6
-revision=8
+revision=9
 build_wrksrc=$pkgname
 short_desc="WPA/WPA2/IEEE 802.1X Supplicant"
 maintainer="Juan RP <xtraeme@voidlinux.eu>"