I notice the posted patch includes a change to tasn_dec.c that doesn't work. - if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) - return *pval; + if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE) + ptmpval = *pval; + if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) { This will, among other things, prevent nginx 1.6 from loading keys. The diff was included in the preannouncement material, but is not part of the any of the final openssl releases.