diff --git a/hitch-1.4.3_fix_ssl11.patch b/hitch-1.4.3_fix_ssl11.patch
new file mode 100644
index 0000000..606c49d
--- /dev/null
+++ b/hitch-1.4.3_fix_ssl11.patch
@@ -0,0 +1,63 @@
+From 53b731b290a1c625c79b5e6463916b4ea719c9a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A5l=20Hermunn=20Johansen?=
+ <hermunn@varnish-software.com>
+Date: Tue, 15 Nov 2016 16:25:54 +0100
+Subject: [PATCH] Make Hitch compatible with OpenSSL 1.1.0
+
+This should address #100. Most of the work is thanks to #sesse.
+
+Advice on https://wiki.openssl.org/index.php/1.1_API_Changes was
+helpful when doing this work.
+---
+ src/hitch.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/hitch.c b/src/hitch.c
+index 81acb2b..e5e432a 100644
+--- a/src/hitch.c
++++ b/src/hitch.c
+@@ -683,9 +683,13 @@ load_privatekey(SSL_CTX *ctx, const char *file)
+ 		return NULL;
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define SSL_CTX_get_default_passwd_cb(ctx) (ctx->default_passwd_callback)
++#define SSL_CTX_get_default_passwd_cb_userdata(ctx) (ctx->default_passwd_callback_userdata)
++#endif
+ 	pkey = PEM_read_bio_PrivateKey(bio, NULL,
+-	    ctx->default_passwd_callback,
+-	    ctx->default_passwd_callback_userdata);
++	    SSL_CTX_get_default_passwd_cb(ctx),
++	    SSL_CTX_get_default_passwd_cb_userdata(ctx));
+ 	BIO_free(bio);
+ 
+ 	return (pkey);
+@@ -1091,8 +1095,11 @@ load_cert_ctx(sslctx *so)
+ 		return (1);
+ 	}
+ 	x509_entry = X509_NAME_get_entry(x509_name, i);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_NAME_ENTRY_get_data(e) (e->value)
++#endif
+ 	AN(x509_entry);
+-	PUSH_CTX(x509_entry->value, ctx);
++	PUSH_CTX(X509_NAME_ENTRY_get_data(x509_entry), ctx);
+ 
+ 	return (0);
+ }
+@@ -1883,9 +1890,15 @@ static void end_handshake(proxystate *ps) {
+ #endif
+ 	LOGPROXY(ps,"ssl end handshake\n");
+ 	/* Disable renegotiation (CVE-2009-3555) */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++	/* For OpenSSL 1.1, setting the following flag does not seem
++	 * to be possible. This is OK, since SSLv3 negotiation will
++	 * not happen in OpenSSL 0.9.8m or later unless
++	 * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set. */
+ 	if (ps->ssl->s3) {
+ 		ps->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+ 	}
++#endif
+ 	ps->handshaked = 1;
+ 
+ 	/* Check if clear side is connected */