diff --git a/srcpkgs/stunnel/patches/stunnel-CRYPTO_set_mem_functions.patch b/srcpkgs/stunnel/patches/stunnel-CRYPTO_set_mem_functions.patch
new file mode 100644
index 00000000000..8959e513f42
--- /dev/null
+++ b/srcpkgs/stunnel/patches/stunnel-CRYPTO_set_mem_functions.patch
@@ -0,0 +1,29 @@
+--- src/tls.c 2016-12-09 06:15:59.000000000 -0500
++++ src/tls.c.new 2017-01-25 01:11:44.264271049 -0500
+@@ -41,7 +41,7 @@
+ volatile int tls_initialized=0;
+
+ NOEXPORT void tls_platform_init();
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *);
+ #endif
+
+@@ -52,7 +52,7 @@
+ tls_platform_init();
+ tls_initialized=1;
+ ui_tls=tls_alloc(NULL, NULL, "ui");
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ CRYPTO_set_mem_functions(str_alloc_detached_debug,
+ str_realloc_detached_debug, str_free_debug);
+ #else
+@@ -184,7 +184,7 @@
+
+ /**************************************** OpenSSL allocator hook */
+
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *ptr) {
+ /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
+ /* unfortunately, OpenSSL provides no file:line information here */
diff --git a/srcpkgs/stunnel/template b/srcpkgs/stunnel/template
index d61ff5435d3..dcdc6132fed 100644
--- a/srcpkgs/stunnel/template
+++ b/srcpkgs/stunnel/template
@@ -1,7 +1,7 @@
 # Template file for 'stunnel'
 pkgname=stunnel
 version=5.39
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-ipv6 --with-ssl=${XBPS_CROSS_BASE}/usr"
 hostmakedepends="perl"
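Review bot: The added patch file has no header explaining why the three `OPENSSL_VERSION_NUMBER` guards in src/tls.c now also test `LIBRESSL_VERSION_NUMBER`, so whoever rebases it onto the next stunnel release has to rediscover the reason. A short description above the `--- src/tls.c` line would cover it, for example `LibreSSL reports OPENSSL_VERSION_NUMBER 0x20000000L but expects the pre-1.1 free callback type, so version-only checks select the wrong allocator hook.` The `#else` branch that LibreSSL builds now take is outside the visible lines; judging by the comment in the third inner hunk it is presumably the `CRYPTO_set_mem_ex_functions()` call. It would be worth confirming that this call's result is checked, since the visible `CRYPTO_set_mem_functions()` call ignores its return value. A refused hook would silently leave the library's allocations outside stunnel's `str_*` allocator.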
@@ -22,7 +22,7 @@ post_install() {
 # REMARKS:
 # What. A. Pain. What a total pain.
 # Using the archive is the only way to get builds to keep working after the
-# new version is out. LibreSSL patches for stunnel 5.35 don't yet work. Not
+# new version is out. LibreSSL patches for stunnel 5.35 don't yet work. Not
 # enough is made conditional.
 # Significant thanks to the OpenBSD project for creating patch sets for 5.37
 # One thing OpenBSD does that we don't do here is add a _stunnel user/group and
@@ -31,3 +31,6 @@ post_install() {
 # be out of line with what libressl provides.
 # LibreSSL wants 'void (*)(void *)' but argument is of type 'void (*)(void *, const char *, int)'
 # This is probably not a security problem.
+# As of 5.39_2 it is patched to avoid the function call if using LibreSSL,
+# and a different call to SSL_CTX_sess_set_get_cb gets a const unsigned char
+# * instead of an unsigned char *
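Review bot: The remark added in the last hunk mentions a changed `SSL_CTX_sess_set_get_cb` call, but the patch file added in this commit only touches the three allocator-hook guards in src/tls.c, so a reader cannot locate that change from here. If it lives in another patch under srcpkgs/stunnel/patches outside this diff, name that file in the comment; otherwise drop the clause. The unchanged context lines just above still describe the `void (*)(void *)` mismatch as present and call it "probably not a security problem". With the guard in place that wording looks stale, and it could instead say something like `# Since 5.39_2 the mismatched call is not compiled for LibreSSL; see patches/stunnel-CRYPTO_set_mem_functions.patch`.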