diff --git a/openconnect-2.01-disconn.patch b/openconnect-2.01-disconn.patch
new file mode 100644
index 0000000..f3b9f8c
--- /dev/null
+++ b/openconnect-2.01-disconn.patch
@@ -0,0 +1,43 @@
+commit 7edf904a62c822ba47318761ab915291db836643
+Author: David Woodhouse
+Date: Sat Oct 3 09:59:25 2009 +0100
+
+ Fix bye packet length
+
+ Signed-off-by: David Woodhouse
+
+commit ba5e72ace013b15325d022c08f9006995d2f928e
+Author: David Woodhouse
+Date: Thu Sep 17 13:48:45 2009 +0100
+
+ Fix disconnect packet
+
+ Signed-off-by: David Woodhouse
+
+--- a/cstp.c
++++ b/cstp.c
+@@ -678,18 +678,19 @@ int cstp_bye(struct openconnect_info *vpninfo, char *reason)
+ return 0;
+
+ reason_len = strlen(reason);
+- bye_pkt = malloc(reason_len + 8);
++ bye_pkt = malloc(reason_len + 9);
+ if (!bye_pkt)
+ return -ENOMEM;
+
+ memcpy(bye_pkt, data_hdr, 8);
+- memcpy(bye_pkt + 8, reason, reason_len);
++ memcpy(bye_pkt + 9, reason, reason_len);
+
+- bye_pkt[4] = reason_len >> 8;
+- bye_pkt[5] = reason_len & 0xff;
++ bye_pkt[4] = (reason_len + 1) >> 8;
++ bye_pkt[5] = (reason_len + 1) & 0xff;
+ bye_pkt[6] = AC_PKT_DISCONN;
++ bye_pkt[8] = 0xb0;
+
+- SSL_write(vpninfo->https_ssl, bye_pkt, reason_len + 8);
++ SSL_write(vpninfo->https_ssl, bye_pkt, reason_len + 9);
+ free(bye_pkt);
+
+ vpninfo->progress(vpninfo, PRG_INFO,
diff --git a/openconnect-2.01-newcerts.patch b/openconnect-2.01-newcerts.patch
new file mode 100644
index 0000000..c6f9fed
--- /dev/null
+++ b/openconnect-2.01-newcerts.patch
@@ -0,0 +1,24 @@
+commit 2d96b7bf2d927127ed0f56838b070e8e7693258d
+Author: David Woodhouse
+Date: Sat Oct 3 09:50:24 2009 +0100
+
+ Recognise private keys generated with OpenSSL 1.0.0 (Fedora 12)
+
+ These say '-----BEGIN ENCRYPTED PRIVATE KEY-----'.
+
+
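Review bot: In the cstp.c hunk carried by openconnect-2.01-disconn.patch, the length written to `bye_pkt[4]`/`bye_pkt[5]` is a 16-bit field but `reason_len` is never bounded, so a reason string longer than 0xfffe bytes would produce a header whose length disagrees with the `reason_len + 9` bytes handed to `SSL_write`. A guard before the `malloc`, such as `if (reason_len > 0xfffe) return -EINVAL;`, keeps the framing consistent. The return value of `SSL_write` is also discarded, so a failed or partial send of the disconnect packet goes unreported, and the new `0xb0` byte at offset 8 deserves a one-line comment saying what the server expects there. `cstp_bye` begins and ends outside the hunk, so the declaration of `reason_len` and any earlier checks on `reason` are not visible here.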
Signed-off-by: David Woodhouse + +diff --git a/ssl.c b/ssl.c +index 5c2baef..2e67634 100644 +--- a/ssl.c ++++ b/ssl.c +@@ -297,7 +297,8 @@ static int load_certificate(struct openconnect_info *vpninfo) + vpninfo->cert_type = CERT_TYPE_TPM; + break; + } else if (!strcmp(buf, "-----BEGIN RSA PRIVATE KEY-----\n") || +- !strcmp(buf, "-----BEGIN DSA PRIVATE KEY-----\n")) { ++ !strcmp(buf, "-----BEGIN DSA PRIVATE KEY-----\n") || ++ !strcmp(buf, "-----BEGIN ENCRYPTED PRIVATE KEY-----\n")) { + vpninfo->cert_type = CERT_TYPE_PEM; + break; + } diff --git a/openconnect.spec b/openconnect.spec index 8dc5c74..566e487 100644 --- a/openconnect.spec +++ b/openconnect.spec @@ -1,6 +1,6 @@ Name: openconnect Version: 2.01 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Open client for Cisco AnyConnect VPN Group: Applications/Internet @@ -15,6 +15,8 @@ Requires: openssl >= 0.9.8k-4 # The "lasthost" and "autoconnect" gconf keys will cause older versions of # NetworkManager-openconnect to barf. As will the 'gwcert' secret. Conflicts: NetworkManager-openconnect < 0.7.0.99-4 +Patch0: openconnect-2.01-newcerts.patch +Patch1: openconnect-2.01-disconn.patch %description This package provides a client for Cisco's "AnyConnect" VPN, which uses @@ -22,6 +24,8 @@ HTTPS and DTLS protocols. %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build make %{?_smp_mflags} @@ -47,6 +51,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sat Oct 03 2009 David Woodhouse - 2.01-4 +- Fix disconnect packet, work with new certificates from OpenSSL 1.0.0 + * Fri Aug 21 2009 Tomas Mraz - 2.01-3 - rebuilt with new openssl
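Review bot: In the ssl.c hunk carried by openconnect-2.01-newcerts.patch, the header chain in `load_certificate` now accepts the encrypted PKCS#8 label but still not the unencrypted one, `-----BEGIN PRIVATE KEY-----`, which OpenSSL 1.0.0 also writes when a key is generated without a passphrase. If that label is not handled elsewhere in the function (the body continues outside the hunk), adding `!strcmp(buf, "-----BEGIN PRIVATE KEY-----\n") ||` to the same condition would cover it. The exact `strcmp` against a string ending in `\n` also means a key file with CRLF line endings or trailing whitespace is not recognised; this predates the change, but a short comment on the condition noting the strict match would help the next reader.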