diff --git a/srcpkgs/stunnel/patches/stunnel-libressl.patch b/srcpkgs/stunnel/patches/stunnel-libressl.patch
index 1ac5ad50a37..7fdda8f7386 100644
--- a/srcpkgs/stunnel/patches/stunnel-libressl.patch
+++ b/srcpkgs/stunnel/patches/stunnel-libressl.patch
@@ -1,14 +1,32 @@
---- src/ctx.c	2015-11-26 13:32:51.458101892 +0100
-+++ src/ctx.c	2015-11-26 13:36:05.918181575 +0100
-@@ -349,7 +349,7 @@
- /**************************************** initialize OpenSSL CONF */
- 
- NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+--- src/verify.c	2015-11-26 13:32:51.458101892 +0100
++++ src/verify.c	2015-11-26 13:37:51.442682192 +0100
+@@ -51,7 +51,7 @@
+ NOEXPORT int verify_callback(int, X509_STORE_CTX *);
+ NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
+ NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
 -#if OPENSSL_VERSION_NUMBER>=0x10002000L
 +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-     SSL_CONF_CTX *cctx;
-     NAME_LIST *curr;
-     char *cmd, *param;
+ NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
+ NOEXPORT int cert_check_local(X509_STORE_CTX *);
+@@ -280,7 +280,7 @@
+     }
+ 
+     if(depth==0) { /* additional peer certificate checks */
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+         if(!cert_check_subject(c, callback_ctx))
+             return 0; /* reject */
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
+@@ -291,7 +291,7 @@
+     return 1; /* accept */
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
+     X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+     NAME_LIST *ptr;
 --- src/options.c	2015-11-26 13:32:51.457101897 +0100
 +++ src/options.c	2015-11-26 13:39:04.422336822 +0100
 @@ -1261,7 +1261,7 @@
@@ -29,70 +47,3 @@
  
      /* config */
      switch(cmd) {
-@@ -2539,7 +2539,7 @@
-     /* sslVersion */
-     switch(cmd) {
-     case CMD_BEGIN:
--#if OPENSSL_VERSION_NUMBER>=0x10100000L
-+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-         section->client_method=(SSL_METHOD *)TLS_client_method();
-         section->server_method=(SSL_METHOD *)TLS_server_method();
- #else
-@@ -2551,7 +2551,7 @@
-         if(strcasecmp(opt, "sslVersion"))
-             break;
-         if(!strcasecmp(arg, "all")) {
--#if OPENSSL_VERSION_NUMBER>=0x10100000L
-+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-             section->client_method=(SSL_METHOD *)TLS_client_method();
-             section->server_method=(SSL_METHOD *)TLS_server_method();
- #else
---- src/prototypes.h	2015-11-26 13:32:51.459101887 +0100
-+++ src/prototypes.h	2015-11-26 13:38:04.814618905 +0100
-@@ -207,7 +207,7 @@
-     char *ocsp_url;
-     unsigned long ocsp_flags;
- #endif /* !defined(OPENSSL_NO_OCSP) */
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
-+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-     NAME_LIST *check_host, *check_email, *check_ip;   /* cert subject checks */
-     NAME_LIST *config;                               /* OpenSSL CONF options */
- #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
---- src/verify.c	2015-11-26 13:32:51.458101892 +0100
-+++ src/verify.c	2015-11-26 13:37:51.442682192 +0100
-@@ -51,7 +51,7 @@
- NOEXPORT int verify_callback(int, X509_STORE_CTX *);
- NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
- NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
-+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
- #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
- NOEXPORT int cert_check_local(X509_STORE_CTX *);
-@@ -185,7 +185,7 @@
-     }
-     if(section->verify_level>=3) /* levels>=3 don't rely on PKI */
-         return;
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
-+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-     if(section->check_email || section->check_host || section->check_ip)
-         return;
- #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
-@@ -280,7 +280,7 @@
-     }
- 
-     if(depth==0) { /* additional peer certificate checks */
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
-+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-         if(!cert_check_subject(c, callback_ctx))
-             return 0; /* reject */
- #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
-@@ -291,7 +291,7 @@
-     return 1; /* accept */
- }
- 
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
-+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
-     X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
-     NAME_LIST *ptr;
diff --git a/srcpkgs/stunnel/patches/stunnel-openbsd.patch b/srcpkgs/stunnel/patches/stunnel-openbsd.patch
new file mode 100644
index 00000000000..1c9bf5b690d
--- /dev/null
+++ b/srcpkgs/stunnel/patches/stunnel-openbsd.patch
@@ -0,0 +1,130 @@
+$OpenBSD: patch-src_verify_c,v 1.5 2016/11/10 10:10:50 gsoares Exp $
+--- src/verify.c.orig	Wed Jul  6 13:18:17 2016
++++ src/verify.c	Thu Nov 10 07:00:09 2016
+@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
+     subject=X509_get_subject_name(cert);
+ 
+ #if OPENSSL_VERSION_NUMBER>=0x10000000L
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+     /* modern API allows retrieving multiple matching certificates */
+
+
+$OpenBSD: patch-src_sthreads_c,v 1.2 2016/11/10 10:10:50 gsoares Exp $
+--- src/sthreads.c.orig	Sat Oct 29 05:25:37 2016
++++ src/sthreads.c	Wed Nov  9 20:22:39 2016
+@@ -47,7 +47,7 @@
+ STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
+ #endif
+
+
+$OpenBSD: patch-src_ssl_c,v 1.4 2016/11/09 23:14:31 gsoares Exp $
+--- src/ssl.c.orig	Fri Aug  5 06:39:57 2016
++++ src/ssl.c	Thu Nov  3 23:50:50 2016
+@@ -50,7 +50,7 @@ NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const cha
+ int index_cli, index_opt, index_redirect, index_addr;
+ 
+ int ssl_init(void) { /* init SSL before parsing configuration file */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
+         OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+ #else
+@@ -83,7 +83,7 @@ int ssl_init(void) { /* init SSL before parsing config
+ }
+ 
+ #ifndef OPENSSL_NO_DH
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
+  * to be linked against the older versions */
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
+
+$OpenBSD: patch-src_prototypes_h,v 1.2 2016/11/10 10:10:50 gsoares Exp $
+--- src/prototypes.h.orig	Sat Oct 29 05:25:37 2016
++++ src/prototypes.h	Wed Nov  9 20:22:39 2016
+@@ -660,13 +660,13 @@ typedef enum {
+ #endif /* OPENSSL_NO_DH */
+     STUNNEL_LOCKS                           /* number of locks */
+ } LOCK_TYPE;
+-#if OPENSSL_VERSION_NUMBER < 0x10100004L
++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ typedef int STUNNEL_RWLOCK;
+ #else
+ typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
+ #endif
+ extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
+-#if OPENSSL_VERSION_NUMBER>=0x10100004L
++#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
+ #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
+ #else
+
+$OpenBSD: patch-src_options_c,v 1.7 2016/11/09 23:14:31 gsoares Exp $
+
+use SSLv23_client_method() required to build with libressl since that it haven't
+TLS_client_method()  for now.
+
+--- src/options.c.orig	Fri Aug  5 06:39:57 2016
++++ src/options.c	Thu Nov  3 23:13:15 2016
+@@ -2617,7 +2617,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
+     /* sslVersion */
+     switch(cmd) {
+     case CMD_BEGIN:
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+         section->client_method=(SSL_METHOD *)TLS_client_method();
+         section->server_method=(SSL_METHOD *)TLS_server_method();
+ #else
+@@ -2629,7 +2629,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
+         if(strcasecmp(opt, "sslVersion"))
+             break;
+         if(!strcasecmp(arg, "all")) {
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+             section->client_method=(SSL_METHOD *)TLS_client_method();
+             section->server_method=(SSL_METHOD *)TLS_server_method();
+ #else
+
+$OpenBSD: patch-src_ctx_c,v 1.4 2016/11/09 23:14:31 gsoares Exp $
+--- src/ctx.c.orig	Tue Jun 21 12:06:14 2016
++++ src/ctx.c	Thu Nov  3 23:13:15 2016
+@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+ /**************************************** initialize OpenSSL CONF */
+ 
+ NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+     SSL_CONF_CTX *cctx;
+     NAME_LIST *curr;
+     char *cmd, *param;
+
+$OpenBSD: patch-src_common_h,v 1.1 2016/11/09 23:14:31 gsoares Exp $
+--- src/common.h.orig	Mon Jun 27 04:29:32 2016
++++ src/common.h	Thu Nov  3 23:57:29 2016
+@@ -448,7 +448,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
+@@ -474,7 +474,7 @@ extern char *sys_errlist[];
+ #include <openssl/des.h>
+ #ifndef OPENSSL_NO_DH
+ #include <openssl/dh.h>
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+ #endif /* OpenSSL older than 1.1.0 */
+ #endif /* !defined(OPENSSL_NO_DH) */
+
diff --git a/srcpkgs/stunnel/template b/srcpkgs/stunnel/template
index d2ad1ae204b..89a7ee2c1b1 100644
--- a/srcpkgs/stunnel/template
+++ b/srcpkgs/stunnel/template
@@ -1,7 +1,7 @@
 # Template file for 'stunnel'
 pkgname=stunnel
-version=5.31
-revision=3
+version=5.37
+revision=1
 build_style=gnu-configure
 configure_args="--enable-ipv6 --with-ssl=${XBPS_CROSS_BASE}/usr"
 hostmakedepends="perl"
@@ -11,7 +11,7 @@ maintainer="Toyam Cox <Vaelatern@gmail.com>"
 license="GPL-2"
 homepage="https://www.stunnel.org/"
 distfiles="https://www.stunnel.org/downloads/archive/5.x/${pkgname}-${version}.tar.gz"
-checksum=a746b71ab3dc6c23eacb0daf7342467870e43ac933430905eb1b1d050bbae0b7
+checksum=d0e3530e3effc64fdec792c71791d4937c6b8bd3b9ea4895c6bb6526dcd0d241
 
 post_install() {
 	rm ${DESTDIR}/usr/share/man/man8/stunnel.??.8
@@ -24,3 +24,6 @@ post_install() {
 # Using the archive is the only way to get builds to keep working after the
 # new version is out.  LibreSSL patches for stunnel 5.35 don't yet work. Not
 # enough is made conditional.
+# Significant thanks to the OpenBSD project for creating patch sets for 5.37
+# One thing OpenBSD does that we don't do here is add a _stunnel user/group and
+# modify the configuration samples to chroot and use this by default.