diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index decfe7200b..9090ca194d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -149,8 +149,6 @@ jobs:
             - true
             - false
           library:
-            - name: boringssl
-              version: master
             - name: boringssl
               version: 5697a9202615925696f8dc7f4e286d44d474769e
             - name: openssl
@@ -180,12 +178,12 @@ jobs:
               bindgen: true
               library:
                 name: libressl
-                version: 3.4.3
+                version: 3.5.3
             - target: x86_64-unknown-linux-gnu
               bindgen: true
               library:
                 name: libressl
-                version: 3.5.2
+                version: 3.6.1
             - target: x86_64-unknown-linux-gnu
               bindgen: false
               library:
@@ -195,12 +193,12 @@ jobs:
               bindgen: false
               library:
                 name: libressl
-                version: 3.4.3
+                version: 3.5.3
             - target: x86_64-unknown-linux-gnu
               bindgen: false
               library:
                 name: libressl
-                version: 3.5.2
+                version: 3.6.1
           exclude:
             - library:
                 name: boringssl
diff --git a/Cargo.toml b/Cargo.toml
index 63e983aef2..c33c3475a7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -6,6 +6,3 @@ members = [
     "openssl-sys",
     "systest",
 ]
-
-[patch.crates-io]
-bindgen = { git = "https://github.com/daviddrysdale/rust-bindgen", branch = "allowlist-file" }
diff --git a/openssl-errors/tests/test.rs b/openssl-errors/tests/test.rs
index 12e79b830e..98259b9b08 100644
--- a/openssl-errors/tests/test.rs
+++ b/openssl-errors/tests/test.rs
@@ -32,7 +32,7 @@ fn basic() {
     cfg_if! {
         if #[cfg(ossl300)] {
             // https://github.com/openssl/openssl/issues/12530
-            assert!(error.data() == None || error.data() == Some(""));
+            assert!(error.data().is_none() || error.data() == Some(""));
         } else {
             assert_eq!(error.data(), None);
         }
diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md
index 6c53d813ee..0c549f6117 100644
--- a/openssl-sys/CHANGELOG.md
+++ b/openssl-sys/CHANGELOG.md
@@ -2,6 +2,27 @@
 
 ## [Unreleased]
 
+## [v0.9.78] - 2022-11-23
+
+### Added
+
+* Added support for LibreSSL 3.6.x.
+* Added `NID_brainpoolP256r1`, `NID_brainpoolP384r1`, and `NID_brainpool512r1`.
+* Added `EVP_camellia_128_cfb128`, `EVP_camellia_128_ecb`, `EVP_camellia_192_cfb128`, `EVP_camellia_192_ecb`,
+    `EVP_camellia_256_cfb128`, and `EVP_camellia_256_ecb`.
+* Added `EVP_cast5_cfb64` and `EVP_cast5_ecb`.
+* Added `EVP_idea_cfb64` and `EVP_idea_ecb`.
+* Added `DSA_SIG`, `d2i_DSA_SIG`, `i2d_DSA_SIG`, `DSA_SIG_new`, `DSA_SIG_free`, `DSA_SIG_get0`, and `DSA_SIG_set0`.
+* Added `X509_STORE_set1_param`, `X509_VERIFY_PARAM_new`, `X509_VERIFY_PARAM_set_time`, and
+    `X509_VERIFY_PARAM_set_depth`.
+
+## [v0.9.77] - 2022-10-22
+
+### Added
+
+* Added support for LibreSSL 3.6.0
+* Added `assume_init`.
+
 ## [v0.9.76] - 2022-09-26
 
 ### Added
@@ -329,7 +350,8 @@
 * Added `X509_verify` and `X509_REQ_verify`.
 * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`.
 
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76..master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77..master
+[v0.9.77]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76...openssl-sys-v0.9.77
 [v0.9.76]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.75...openssl-sys-v0.9.76
 [v0.9.75]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.74...openssl-sys-v0.9.75
 [v0.9.74]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.73...openssl-sys-v0.9.74
diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml
index 62cc6428ed..ee1a57cd19 100644
--- a/openssl-sys/Cargo.toml
+++ b/openssl-sys/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "openssl-sys"
-version = "0.9.76"
+version = "0.9.78"
 authors = [
     "Alex Crichton <alex@alexcrichton.com>",
     "Steven Fackler <sfackler@gmail.com>",
@@ -22,7 +22,7 @@ libc = "0.2"
 bssl-sys = { version = "0.1.0", optional = true }
 
 [build-dependencies]
-bindgen = { version = "0.59.2", optional = true }
+bindgen = { version = "0.60.1", optional = true }
 cc = "1.0"
 openssl-src = { version = "111", optional = true }
 pkg-config = "0.3.9"
diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c
index c150dcd51f..2ec63ec046 100644
--- a/openssl-sys/build/expando.c
+++ b/openssl-sys/build/expando.c
@@ -27,6 +27,14 @@ RUST_CONF_OPENSSL_NO_BUF_FREELISTS
 RUST_CONF_OPENSSL_NO_CHACHA
 #endif
 
+#ifdef OPENSSL_NO_IDEA
+RUST_CONF_OPENSSL_NO_IDEA
+#endif
+
+#ifdef OPENSSL_NO_CAMELLIA
+RUST_CONF_OPENSSL_NO_CAMELLIA
+#endif
+
 #ifdef OPENSSL_NO_CMS
 RUST_CONF_OPENSSL_NO_CMS
 #endif
diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs
index a8911e7b14..71b36c2309 100644
--- a/openssl-sys/build/main.rs
+++ b/openssl-sys/build/main.rs
@@ -202,9 +202,9 @@ specific to your distribution:
     # On Alpine Linux
     apk add openssl-dev
 
-See rust-openssl README for more information:
+See rust-openssl documentation for more information:
 
-    https://github.com/sfackler/rust-openssl#linux
+    https://docs.rs/openssl
 ",
                 e
             );
@@ -280,6 +280,8 @@ See rust-openssl README for more information:
             (3, 4, 0) => ('3', '4', '0'),
             (3, 4, _) => ('3', '4', 'x'),
             (3, 5, _) => ('3', '5', 'x'),
+            (3, 6, 0) => ('3', '6', '0'),
+            (3, 6, _) => ('3', '6', 'x'),
             _ => version_error(),
         };
 
@@ -322,7 +324,7 @@ fn version_error() -> ! {
         "
 
 This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5
-through 3.5, but a different version of OpenSSL was found. The build is now aborting
+through 3.6.x, but a different version of OpenSSL was found. The build is now aborting
 due to this version mismatch.
 
 "
diff --git a/openssl-sys/src/handwritten/dsa.rs b/openssl-sys/src/handwritten/dsa.rs
index 604c68f032..c676c6b0ad 100644
--- a/openssl-sys/src/handwritten/dsa.rs
+++ b/openssl-sys/src/handwritten/dsa.rs
@@ -2,6 +2,18 @@ use libc::*;
 
 use *;
 
+cfg_if! {
+    if #[cfg(any(ossl110, libressl280))] {
+        pub enum DSA_SIG {}
+    } else {
+      #[repr(C)]
+      pub struct DSA_SIG {
+          pub r: *mut BIGNUM,
+          pub s: *mut BIGNUM,
+      }
+    }
+}
+
 extern "C" {
     pub fn DSA_new() -> *mut DSA;
     pub fn DSA_free(dsa: *mut DSA);
@@ -55,4 +67,19 @@ extern "C" {
     pub fn DSA_get0_key(d: *const DSA, pub_key: *mut *const BIGNUM, priv_key: *mut *const BIGNUM);
     #[cfg(any(ossl110, libressl273))]
     pub fn DSA_set0_key(d: *mut DSA, pub_key: *mut BIGNUM, priv_key: *mut BIGNUM) -> c_int;
+    pub fn d2i_DSA_SIG(
+        sig: *mut *mut DSA_SIG,
+        pp: *mut *const c_uchar,
+        length: c_long,
+    ) -> *mut DSA_SIG;
+    pub fn i2d_DSA_SIG(a: *const DSA_SIG, pp: *mut *mut c_uchar) -> c_int;
+
+    pub fn DSA_SIG_new() -> *mut DSA_SIG;
+    pub fn DSA_SIG_free(sig: *mut DSA_SIG);
+
+    #[cfg(any(ossl110, libressl273))]
+    pub fn DSA_SIG_get0(sig: *const DSA_SIG, pr: *mut *const BIGNUM, ps: *mut *const BIGNUM);
+
+    #[cfg(any(ossl110, libressl273))]
+    pub fn DSA_SIG_set0(sig: *mut DSA_SIG, pr: *mut BIGNUM, ps: *mut BIGNUM) -> c_int;
 }
diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs
index 86487e13bb..ffb0a0819d 100644
--- a/openssl-sys/src/handwritten/evp.rs
+++ b/openssl-sys/src/handwritten/evp.rs
@@ -364,6 +364,29 @@ extern "C" {
     #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM4")))]
     pub fn EVP_sm4_ctr() -> *const EVP_CIPHER;
 
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn EVP_camellia_128_cfb128() -> *const EVP_CIPHER;
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn EVP_camellia_128_ecb() -> *const EVP_CIPHER;
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER;
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER;
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER;
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER;
+
+    #[cfg(not(boringssl))]
+    pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER;
+    #[cfg(not(boringssl))]
+    pub fn EVP_cast5_ecb() -> *const EVP_CIPHER;
+
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))]
+    pub fn EVP_idea_cfb64() -> *const EVP_CIPHER;
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))]
+    pub fn EVP_idea_ecb() -> *const EVP_CIPHER;
+
     #[cfg(not(ossl110))]
     pub fn OPENSSL_add_all_algorithms_noconf();
 
diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs
index d8768d7c8c..ef2a6aac94 100644
--- a/openssl-sys/src/handwritten/x509_vfy.rs
+++ b/openssl-sys/src/handwritten/x509_vfy.rs
@@ -47,6 +47,12 @@ extern "C" {
     pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int;
 }
 
+const_ptr_api! {
+    extern "C" {
+        pub fn X509_STORE_set1_param(store: *mut X509_STORE, pm: #[const_ptr_if(ossl300)] X509_VERIFY_PARAM) -> c_int;
+    }
+}
+
 const_ptr_api! {
     extern "C" {
         pub fn X509_STORE_CTX_get_ex_data(ctx: #[const_ptr_if(ossl300)] X509_STORE_CTX, idx: c_int) -> *mut c_void;
@@ -73,6 +79,8 @@ cfg_if! {
 }
 
 extern "C" {
+    #[cfg(any(ossl102, libressl261))]
+    pub fn X509_VERIFY_PARAM_new() -> *mut X509_VERIFY_PARAM;
     #[cfg(any(ossl102, libressl261))]
     pub fn X509_VERIFY_PARAM_free(param: *mut X509_VERIFY_PARAM);
 
@@ -80,6 +88,12 @@ extern "C" {
     pub fn X509_VERIFY_PARAM_set_flags(param: *mut X509_VERIFY_PARAM, flags: c_ulong) -> c_int;
     #[cfg(any(ossl102, libressl261))]
     pub fn X509_VERIFY_PARAM_clear_flags(param: *mut X509_VERIFY_PARAM, flags: c_ulong) -> c_int;
+
+    #[cfg(any(ossl102, libressl261))]
+    pub fn X509_VERIFY_PARAM_set_time(param: *mut X509_VERIFY_PARAM, t: time_t);
+
+    #[cfg(any(ossl102, libressl261))]
+    pub fn X509_VERIFY_PARAM_set_depth(param: *mut X509_VERIFY_PARAM, depth: c_int);
 }
 const_ptr_api! {
     extern "C" {
diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index 1d36a104fe..0d6676827e 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -85,6 +85,10 @@ mod openssl {
     mod x509_vfy;
     mod x509v3;
 
+    use std::sync::Once;
+    // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505
+    static INIT: Once = Once::new();
+
     // FIXME remove
     pub type PasswordCallback = unsafe extern "C" fn(
         buf: *mut c_char,
@@ -96,10 +100,6 @@ mod openssl {
     #[cfg(ossl110)]
     pub fn init() {
         use std::ptr;
-        use std::sync::Once;
-
-        // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505
-        static INIT: Once = Once::new();
 
         #[cfg(not(ossl111b))]
         let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS;
@@ -116,7 +116,7 @@ mod openssl {
         use std::io::{self, Write};
         use std::mem;
         use std::process;
-        use std::sync::{Mutex, MutexGuard, Once};
+        use std::sync::{Mutex, MutexGuard};
 
         static mut MUTEXES: *mut Vec<Mutex<()>> = 0 as *mut Vec<Mutex<()>>;
         static mut GUARDS: *mut Vec<Option<MutexGuard<'static, ()>>> =
@@ -160,8 +160,6 @@ mod openssl {
             }
         }
 
-        static INIT: Once = Once::new();
-
         INIT.call_once(|| unsafe {
             SSL_library_init();
             SSL_load_error_strings();
@@ -181,6 +179,19 @@ mod openssl {
             set_id_callback();
         })
     }
+
+    /// Disable explicit initialization of the openssl libs.
+    ///
+    /// This is only appropriate to use if the openssl crate is being consumed by an application
+    /// that will be performing the initialization explicitly.
+    ///
+    /// # Safety
+    ///
+    /// In some versions of openssl, skipping initialization will fall back to the default procedure
+    /// while other will cause difficult to debug errors so care must be taken when calling this.
+    pub unsafe fn assume_init() {
+        INIT.call_once(|| {});
+    }
 }
 #[cfg(openssl)]
 pub use openssl::*;
diff --git a/openssl-sys/src/macros.rs b/openssl-sys/src/macros.rs
index 2f8bf77c39..cb675f6e41 100644
--- a/openssl-sys/src/macros.rs
+++ b/openssl-sys/src/macros.rs
@@ -38,7 +38,7 @@ macro_rules! cfg_if {
     // semicolon is all the remaining items
     (@__items ($($not:meta,)*) ; ) => {};
     (@__items ($($not:meta,)*) ; ( ($($m:meta),*) ($($it:item)*) ), $($rest:tt)*) => {
-        // Emit all items within one block, applying an approprate #[cfg]. The
+        // Emit all items within one block, applying an appropriate #[cfg]. The
         // #[cfg] will require all `$m` matchers specified and must also negate
         // all previous matchers.
         cfg_if! { @__apply cfg(all($($m,)* not(any($($not),*)))), $($it)* }
diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs
index 6237afa6c8..ed50ebcc5f 100644
--- a/openssl-sys/src/obj_mac.rs
+++ b/openssl-sys/src/obj_mac.rs
@@ -94,6 +94,12 @@ pub const NID_sect409k1: c_int = 731;
 pub const NID_sect409r1: c_int = 732;
 pub const NID_sect571k1: c_int = 733;
 pub const NID_sect571r1: c_int = 734;
+#[cfg(ossl110)]
+pub const NID_brainpoolP256r1: c_int = 927;
+#[cfg(ossl110)]
+pub const NID_brainpoolP384r1: c_int = 931;
+#[cfg(ossl110)]
+pub const NID_brainpoolP512r1: c_int = 933;
 pub const NID_wap_wsg_idm_ecid_wtls1: c_int = 735;
 pub const NID_wap_wsg_idm_ecid_wtls3: c_int = 736;
 pub const NID_wap_wsg_idm_ecid_wtls4: c_int = 737;
diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md
index ba28a5a383..31564986e0 100644
--- a/openssl/CHANGELOG.md
+++ b/openssl/CHANGELOG.md
@@ -2,6 +2,17 @@
 
 ## [Unreleased]
 
+## [v0.10.43] - 2022-11-23
+
+### Added
+
+* Added `Nid::BRAINPOOL_P256R1`, `Nid::BRAINPOOL_P384R1`, `Nid::BRAINPOOL_P512R1`.
+* Added `BigNumRef::copy_from_slice`.
+* Added `Cipher` constructors for Camellia, CAST5, and IDEA ciphers.
+* Added `DsaSig`.
+* Added `X509StoreBuilderRef::set_param`.
+* Added `X509VerifyParam::new`, `X509VerifyParamRef::set_time`, and `X509VerifyParamRef::set_depth`.
+
 ## [v0.10.42] - 2022-09-26
 
 ### Added
@@ -630,7 +641,8 @@
 
 Look at the [release tags] for information about older releases.
 
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...master
+[v0.10.43]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...openssl-v0.10.43
 [v0.10.42]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.41...openssl-v0.10.42
 [v0.10.41]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.40...openssl-v0.10.41
 [v0.10.40]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.39...openssl-v0.10.40
diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml
index 41bd0fdb2f..b6204e4490 100644
--- a/openssl/Cargo.toml
+++ b/openssl/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "openssl"
-version = "0.10.42"
+version = "0.10.43"
 authors = ["Steven Fackler <sfackler@gmail.com>"]
 license = "Apache-2.0"
 description = "OpenSSL bindings"
@@ -30,7 +30,7 @@ libc = "0.2"
 once_cell = "1.5.2"
 
 openssl-macros = { version = "0.1.0", path = "../openssl-macros" }
-ffi = { package = "openssl-sys", version = "0.9.76", path = "../openssl-sys" }
+ffi = { package = "openssl-sys", version = "0.9.78", path = "../openssl-sys" }
 
 [dev-dependencies]
 hex = "0.3"
diff --git a/openssl/build.rs b/openssl/build.rs
index 81bae9d9bf..fc6492292c 100644
--- a/openssl/build.rs
+++ b/openssl/build.rs
@@ -94,5 +94,13 @@ fn main() {
         if version >= 0x3_05_00_00_0 {
             println!("cargo:rustc-cfg=libressl350");
         }
+
+        if version >= 0x3_06_00_00_0 {
+            println!("cargo:rustc-cfg=libressl360");
+        }
+
+        if version >= 0x3_06_01_00_0 {
+            println!("cargo:rustc-cfg=libressl361");
+        }
     }
 }
diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs
index 5de7f7cb38..2619b5ba63 100644
--- a/openssl/src/bn.rs
+++ b/openssl/src/bn.rs
@@ -1070,7 +1070,7 @@ impl BigNum {
     pub fn from_slice(n: &[u8]) -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
-            assert!(n.len() <= c_int::max_value() as usize);
+            assert!(n.len() <= LenType::max_value() as usize);
 
             cvt_p(ffi::BN_bin2bn(
                 n.as_ptr(),
@@ -1080,6 +1080,30 @@ impl BigNum {
             .map(|p| BigNum::from_ptr(p))
         }
     }
+
+    /// Copies data from a slice overwriting what was in the BigNum.
+    ///
+    /// This function can be used to copy data from a slice to a
+    /// [secure BigNum][`BigNum::new_secure`].
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// # use openssl::bn::BigNum;
+    /// let mut bignum = BigNum::new().unwrap();
+    /// bignum.copy_from_slice(&[0x12, 0x00, 0x34]).unwrap();
+    ///
+    /// assert_eq!(bignum, BigNum::from_u32(0x120034).unwrap());
+    /// ```
+    #[corresponds(BN_bin2bn)]
+    pub fn copy_from_slice(&mut self, n: &[u8]) -> Result<(), ErrorStack> {
+        unsafe {
+            assert!(n.len() <= LenType::max_value() as usize);
+
+            cvt_p(ffi::BN_bin2bn(n.as_ptr(), n.len() as LenType, self.0))?;
+            Ok(())
+        }
+    }
 }
 
 impl fmt::Debug for BigNumRef {
diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs
index 0e5d85dd15..ab5f49d22f 100644
--- a/openssl/src/cipher.rs
+++ b/openssl/src/cipher.rs
@@ -328,6 +328,56 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) }
     }
 
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn camellia128_cfb128() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_cfb128() as *mut _) }
+    }
+
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn camellia128_ecb() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_ecb() as *mut _) }
+    }
+
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn camellia192_cfb128() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_cfb128() as *mut _) }
+    }
+
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn camellia192_ecb() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_ecb() as *mut _) }
+    }
+
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn camellia256_cfb128() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_cfb128() as *mut _) }
+    }
+
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))]
+    pub fn camellia256_ecb() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) }
+    }
+
+    #[cfg(not(boringssl))]
+    pub fn cast5_cfb64() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) }
+    }
+
+    #[cfg(not(boringssl))]
+    pub fn cast5_ecb() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) }
+    }
+
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))]
+    pub fn idea_cfb64() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_idea_cfb64() as *mut _) }
+    }
+
+    #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))]
+    pub fn idea_ecb() -> &'static CipherRef {
+        unsafe { CipherRef::from_ptr(ffi::EVP_idea_ecb() as *mut _) }
+    }
+
     #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))]
     pub fn chacha20() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_chacha20() as *mut _) }
diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs
index 46492566f9..8e017115b1 100644
--- a/openssl/src/cipher_ctx.rs
+++ b/openssl/src/cipher_ctx.rs
@@ -407,7 +407,7 @@ impl CipherCtxRef {
 
     /// Retrieves the calculated authentication tag from the context.
     ///
-    /// This should be called after `[Self::cipher_final]`, and is only supported by authenticated ciphers.
+    /// This should be called after [`Self::cipher_final`], and is only supported by authenticated ciphers.
     ///
     /// The size of the buffer indicates the size of the tag. While some ciphers support a range of tag sizes, it is
     /// recommended to pick the maximum size.
diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs
index 78fa1c25dc..5f59ba8acd 100644
--- a/openssl/src/dsa.rs
+++ b/openssl/src/dsa.rs
@@ -344,6 +344,159 @@ cfg_if! {
     }
 }
 
+foreign_type_and_impl_send_sync! {
+    type CType = ffi::DSA_SIG;
+    fn drop = ffi::DSA_SIG_free;
+
+    /// Object representing DSA signature.
+    ///
+    /// DSA signatures consist of two components: `r` and `s`.
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use std::convert::TryInto;
+    ///
+    /// use openssl::bn::BigNum;
+    /// use openssl::dsa::{Dsa, DsaSig};
+    /// use openssl::hash::MessageDigest;
+    /// use openssl::pkey::PKey;
+    /// use openssl::sign::{Signer, Verifier};
+    ///
+    /// const TEST_DATA: &[u8] = &[0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
+    /// let dsa_ref = Dsa::generate(1024).unwrap();
+    ///
+    /// let pub_key: PKey<_> = dsa_ref.clone().try_into().unwrap();
+    /// let priv_key: PKey<_> = dsa_ref.try_into().unwrap();
+    ///
+    /// let mut signer = if let Ok(signer) = Signer::new(MessageDigest::sha256(), &priv_key) {
+    ///     signer
+    /// } else {
+    ///     // DSA signing is not supported (eg. BoringSSL)
+    ///     return;
+    /// };
+    ///
+    /// signer.update(TEST_DATA).unwrap();
+    ///
+    /// let signature = signer.sign_to_vec().unwrap();
+    /// // Parse DER-encoded DSA signature
+    /// let signature = DsaSig::from_der(&signature).unwrap();
+    ///
+    /// // Extract components `r` and `s`
+    /// let r = BigNum::from_slice(&signature.r().to_vec()).unwrap();
+    /// let s = BigNum::from_slice(&signature.s().to_vec()).unwrap();
+    ///
+    /// // Construct new DSA signature from components
+    /// let signature = DsaSig::from_private_components(r, s).unwrap();
+    ///
+    /// // Serialize DSA signature to DER
+    /// let signature = signature.to_der().unwrap();
+    ///
+    /// let mut verifier = Verifier::new(MessageDigest::sha256(), &pub_key).unwrap();
+    /// verifier.update(TEST_DATA).unwrap();
+    /// assert!(verifier.verify(&signature[..]).unwrap());
+    /// ```
+    pub struct DsaSig;
+
+    /// Reference to a [`DsaSig`].
+    pub struct DsaSigRef;
+}
+
+impl DsaSig {
+    /// Returns a new `DsaSig` by setting the `r` and `s` values associated with an DSA signature.
+    #[corresponds(DSA_SIG_set0)]
+    pub fn from_private_components(r: BigNum, s: BigNum) -> Result<Self, ErrorStack> {
+        unsafe {
+            let sig = cvt_p(ffi::DSA_SIG_new())?;
+            DSA_SIG_set0(sig, r.as_ptr(), s.as_ptr());
+            mem::forget((r, s));
+            Ok(DsaSig::from_ptr(sig))
+        }
+    }
+
+    from_der! {
+        /// Decodes a DER-encoded DSA signature.
+        #[corresponds(d2i_DSA_SIG)]
+        from_der,
+        DsaSig,
+        ffi::d2i_DSA_SIG
+    }
+}
+
+impl fmt::Debug for DsaSig {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("DsaSig")
+            .field("r", self.r())
+            .field("s", self.s())
+            .finish()
+    }
+}
+
+impl DsaSigRef {
+    to_der! {
+        /// Serializes the DSA signature into a DER-encoded `DSASignature` structure.
+        #[corresponds(i2d_DSA_SIG)]
+        to_der,
+        ffi::i2d_DSA_SIG
+    }
+
+    /// Returns internal component `r` of an `DsaSig`.
+    #[corresponds(DSA_SIG_get0)]
+    pub fn r(&self) -> &BigNumRef {
+        unsafe {
+            let mut r = ptr::null();
+            DSA_SIG_get0(self.as_ptr(), &mut r, ptr::null_mut());
+            BigNumRef::from_const_ptr(r)
+        }
+    }
+
+    /// Returns internal component `s` of an `DsaSig`.
+    #[corresponds(DSA_SIG_get0)]
+    pub fn s(&self) -> &BigNumRef {
+        unsafe {
+            let mut s = ptr::null();
+            DSA_SIG_get0(self.as_ptr(), ptr::null_mut(), &mut s);
+            BigNumRef::from_const_ptr(s)
+        }
+    }
+}
+
+cfg_if! {
+    if #[cfg(any(ossl110, libressl273))] {
+        use ffi::{DSA_SIG_set0, DSA_SIG_get0};
+    } else {
+        #[allow(bad_style)]
+        unsafe fn DSA_SIG_set0(
+            sig: *mut ffi::DSA_SIG,
+            r: *mut ffi::BIGNUM,
+            s: *mut ffi::BIGNUM,
+        ) -> c_int {
+            if r.is_null() || s.is_null() {
+                return 0;
+            }
+            ffi::BN_clear_free((*sig).r);
+            ffi::BN_clear_free((*sig).s);
+            (*sig).r = r;
+            (*sig).s = s;
+            1
+        }
+
+        #[allow(bad_style)]
+        unsafe fn DSA_SIG_get0(
+            sig: *const ffi::DSA_SIG,
+            pr: *mut *const ffi::BIGNUM,
+            ps: *mut *const ffi::BIGNUM)
+        {
+            if !pr.is_null() {
+                (*pr) = (*sig).r;
+            }
+            if !ps.is_null() {
+                (*ps) = (*sig).s;
+            }
+        }
+    }
+}
+
 #[cfg(test)]
 mod test {
     use super::*;
@@ -444,10 +597,51 @@ mod test {
         assert!(verifier.verify(&signature[..]).unwrap());
     }
 
+    #[test]
+    #[cfg(not(boringssl))]
+    fn test_signature_der() {
+        use std::convert::TryInto;
+
+        const TEST_DATA: &[u8] = &[0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
+        let dsa_ref = Dsa::generate(1024).unwrap();
+
+        let pub_key: PKey<_> = dsa_ref.clone().try_into().unwrap();
+        let priv_key: PKey<_> = dsa_ref.try_into().unwrap();
+
+        let mut signer = Signer::new(MessageDigest::sha256(), &priv_key).unwrap();
+        signer.update(TEST_DATA).unwrap();
+
+        let signature = signer.sign_to_vec().unwrap();
+        eprintln!("{:?}", signature);
+        let signature = DsaSig::from_der(&signature).unwrap();
+
+        let r = BigNum::from_slice(&signature.r().to_vec()).unwrap();
+        let s = BigNum::from_slice(&signature.s().to_vec()).unwrap();
+
+        let signature = DsaSig::from_private_components(r, s).unwrap();
+        let signature = signature.to_der().unwrap();
+
+        let mut verifier = Verifier::new(MessageDigest::sha256(), &pub_key).unwrap();
+        verifier.update(TEST_DATA).unwrap();
+        assert!(verifier.verify(&signature[..]).unwrap());
+    }
+
     #[test]
     #[allow(clippy::redundant_clone)]
     fn clone() {
         let key = Dsa::generate(2048).unwrap();
         drop(key.clone());
     }
+
+    #[test]
+    fn dsa_sig_debug() {
+        let sig = DsaSig::from_der(&[
+            48, 46, 2, 21, 0, 135, 169, 24, 58, 153, 37, 175, 248, 200, 45, 251, 112, 238, 238, 89,
+            172, 177, 182, 166, 237, 2, 21, 0, 159, 146, 151, 237, 187, 8, 82, 115, 14, 183, 103,
+            12, 203, 46, 161, 208, 251, 167, 123, 131,
+        ])
+        .unwrap();
+        let s = format!("{:?}", sig);
+        assert_eq!(s, "DsaSig { r: 774484690634577222213819810519929266740561094381, s: 910998676210681457251421818099943952372231273347 }");
+    }
 }
diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs
index d768612c74..a6a6dc975a 100644
--- a/openssl/src/ec.rs
+++ b/openssl/src/ec.rs
@@ -14,7 +14,7 @@
 //!
 //! [`EcGroup`]: struct.EcGroup.html
 //! [`Nid`]: ../nid/struct.Nid.html
-//! [Eliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography
+//! [Elliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography
 use foreign_types::{ForeignType, ForeignTypeRef};
 use libc::c_int;
 use std::fmt;
diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs
index 355bba10ee..eadae31653 100644
--- a/openssl/src/nid.rs
+++ b/openssl/src/nid.rs
@@ -215,6 +215,12 @@ impl Nid {
     pub const SECT409R1: Nid = Nid(ffi::NID_sect409r1);
     pub const SECT571K1: Nid = Nid(ffi::NID_sect571k1);
     pub const SECT571R1: Nid = Nid(ffi::NID_sect571r1);
+    #[cfg(ossl110)]
+    pub const BRAINPOOL_P256R1: Nid = Nid(ffi::NID_brainpoolP256r1);
+    #[cfg(ossl110)]
+    pub const BRAINPOOL_P384R1: Nid = Nid(ffi::NID_brainpoolP384r1);
+    #[cfg(ossl110)]
+    pub const BRAINPOOL_P512R1: Nid = Nid(ffi::NID_brainpoolP512r1);
     pub const WAP_WSG_IDM_ECID_WTLS1: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls1);
     pub const WAP_WSG_IDM_ECID_WTLS3: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls3);
     pub const WAP_WSG_IDM_ECID_WTLS4: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls4);
diff --git a/openssl/src/pkcs7.rs b/openssl/src/pkcs7.rs
index e1b30f9289..ae4571db85 100644
--- a/openssl/src/pkcs7.rs
+++ b/openssl/src/pkcs7.rs
@@ -361,7 +361,9 @@ mod tests {
         assert_eq!(content.expect("should be non-empty"), message.as_bytes());
     }
 
+    /// https://marc.info/?l=openbsd-cvs&m=166602943014106&w=2
     #[test]
+    #[cfg_attr(all(libressl360, not(libressl361)), ignore)]
     fn sign_verify_test_normal() {
         let cert = include_bytes!("../test/cert.pem");
         let cert = X509::from_pem(cert).unwrap();
@@ -397,7 +399,9 @@ mod tests {
         assert!(content.is_none());
     }
 
+    /// https://marc.info/?l=openbsd-cvs&m=166602943014106&w=2
     #[test]
+    #[cfg_attr(all(libressl360, not(libressl361)), ignore)]
     fn signers() {
         let cert = include_bytes!("../test/cert.pem");
         let cert = X509::from_pem(cert).unwrap();
diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs
index 1e09b77b54..7d438ebadc 100644
--- a/openssl/src/pkey.rs
+++ b/openssl/src/pkey.rs
@@ -238,10 +238,10 @@ where
         unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 }
     }
 
-    /// Raw byte representation of a public key
+    /// Raw byte representation of a public key.
     ///
     /// This function only works for algorithms that support raw public keys.
-    /// Currently this is: X25519, ED25519, X448 or ED448
+    /// Currently this is: [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`].
     #[corresponds(EVP_PKEY_get_raw_public_key)]
     #[cfg(ossl111)]
     pub fn raw_public_key(&self) -> Result<Vec<u8>, ErrorStack> {
@@ -289,10 +289,10 @@ where
         ffi::i2d_PrivateKey
     }
 
-    /// Raw byte representation of a private key
+    /// Raw byte representation of a private key.
     ///
     /// This function only works for algorithms that support raw private keys.
-    /// Currently this is: HMAC, X25519, ED25519, X448 or ED448
+    /// Currently this is: [`Id::HMAC`], [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`].
     #[corresponds(EVP_PKEY_get_raw_private_key)]
     #[cfg(ossl111)]
     pub fn raw_private_key(&self) -> Result<Vec<u8>, ErrorStack> {
@@ -482,25 +482,109 @@ impl PKey<Private> {
         ctx.keygen()
     }
 
-    /// Generates a new private Ed25519 key
+    /// Generates a new private X25519 key.
+    ///
+    /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`].
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// # fn main() -> Result<(), Box<dyn std::error::Error>> {
+    /// use openssl::pkey::{PKey, Id};
+    /// use openssl::derive::Deriver;
+    ///
+    /// let public = // ...
+    /// # &PKey::generate_x25519()?.raw_public_key()?;
+    /// let public_key = PKey::public_key_from_raw_bytes(public, Id::X25519)?;
+    ///
+    /// let key = PKey::generate_x25519()?;
+    /// let mut deriver = Deriver::new(&key)?;
+    /// deriver.set_peer(&public_key)?;
+    ///
+    /// let secret = deriver.derive_to_vec()?;
+    /// assert_eq!(secret.len(), 32);
+    /// # Ok(()) }
+    /// ```
     #[cfg(ossl111)]
     pub fn generate_x25519() -> Result<PKey<Private>, ErrorStack> {
         PKey::generate_eddsa(Id::X25519)
     }
 
-    /// Generates a new private Ed448 key
+    /// Generates a new private X448 key.
+    ///
+    /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`].
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// # fn main() -> Result<(), Box<dyn std::error::Error>> {
+    /// use openssl::pkey::{PKey, Id};
+    /// use openssl::derive::Deriver;
+    ///
+    /// let public = // ...
+    /// # &PKey::generate_x448()?.raw_public_key()?;
+    /// let public_key = PKey::public_key_from_raw_bytes(public, Id::X448)?;
+    ///
+    /// let key = PKey::generate_x448()?;
+    /// let mut deriver = Deriver::new(&key)?;
+    /// deriver.set_peer(&public_key)?;
+    ///
+    /// let secret = deriver.derive_to_vec()?;
+    /// assert_eq!(secret.len(), 56);
+    /// # Ok(()) }
+    /// ```
     #[cfg(ossl111)]
     pub fn generate_x448() -> Result<PKey<Private>, ErrorStack> {
         PKey::generate_eddsa(Id::X448)
     }
 
-    /// Generates a new private Ed25519 key
+    /// Generates a new private Ed25519 key.
+    ///
+    /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`].
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// # fn main() -> Result<(), Box<dyn std::error::Error>> {
+    /// use openssl::pkey::{PKey, Id};
+    /// use openssl::sign::Signer;
+    ///
+    /// let key = PKey::generate_ed25519()?;
+    /// let public_key = key.raw_public_key()?;
+    ///
+    /// let mut signer = Signer::new_without_digest(&key)?;
+    /// let digest = // ...
+    /// # &vec![0; 32];
+    /// let signature = signer.sign_oneshot_to_vec(digest)?;
+    /// assert_eq!(signature.len(), 64);
+    /// # Ok(()) }
+    /// ```
     #[cfg(ossl111)]
     pub fn generate_ed25519() -> Result<PKey<Private>, ErrorStack> {
         PKey::generate_eddsa(Id::ED25519)
     }
 
-    /// Generates a new private Ed448 key
+    /// Generates a new private Ed448 key.
+    ///
+    /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`].
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// # fn main() -> Result<(), Box<dyn std::error::Error>> {
+    /// use openssl::pkey::{PKey, Id};
+    /// use openssl::sign::Signer;
+    ///
+    /// let key = PKey::generate_ed448()?;
+    /// let public_key = key.raw_public_key()?;
+    ///
+    /// let mut signer = Signer::new_without_digest(&key)?;
+    /// let digest = // ...
+    /// # &vec![0; 32];
+    /// let signature = signer.sign_oneshot_to_vec(digest)?;
+    /// assert_eq!(signature.len(), 114);
+    /// # Ok(()) }
+    /// ```
     #[cfg(ossl111)]
     pub fn generate_ed448() -> Result<PKey<Private>, ErrorStack> {
         PKey::generate_eddsa(Id::ED448)
diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs
index a08d1e2ef9..120d6369a0 100644
--- a/openssl/src/x509/store.rs
+++ b/openssl/src/x509/store.rs
@@ -50,7 +50,7 @@ use crate::error::ErrorStack;
 use crate::ssl::SslFiletype;
 use crate::stack::StackRef;
 #[cfg(any(ossl102, libressl261))]
-use crate::x509::verify::X509VerifyFlags;
+use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef};
 use crate::x509::{X509Object, X509};
 use crate::{cvt, cvt_p};
 use openssl_macros::corresponds;
@@ -122,6 +122,13 @@ impl X509StoreBuilderRef {
     pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
         unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) }
     }
+
+    /// Sets certificate chain validation related parameters.
+    #[corresponds[X509_STORE_set1_param]]
+    #[cfg(any(ossl102, libressl261))]
+    pub fn set_param(&mut self, param: &X509VerifyParamRef) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_STORE_set1_param(self.as_ptr(), param.as_ptr())).map(|_| ()) }
+    }
 }
 
 generic_foreign_type_and_impl_send_sync! {
diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
index fcca2c7bf1..ace6175017 100644
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@@ -13,11 +13,13 @@ use crate::x509::extension::{
 };
 use crate::x509::store::X509StoreBuilder;
 #[cfg(any(ossl102, libressl261))]
-use crate::x509::verify::X509VerifyFlags;
+use crate::x509::verify::{X509VerifyFlags, X509VerifyParam};
 #[cfg(ossl110)]
 use crate::x509::X509Builder;
 use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509};
 use hex::{self, FromHex};
+#[cfg(any(ossl102, libressl261))]
+use libc::time_t;
 
 fn pkey() -> PKey<Private> {
     let rsa = Rsa::generate(2048).unwrap();
@@ -543,3 +545,126 @@ fn test_name_cmp() {
     assert_eq!(Ordering::Equal, subject.try_cmp(subject).unwrap());
     assert_eq!(Ordering::Greater, subject.try_cmp(issuer).unwrap());
 }
+
+#[test]
+#[cfg(any(ossl102, libressl261))]
+fn test_verify_param_set_time_fails_verification() {
+    const TEST_T_2030: time_t = 1893456000;
+
+    let cert = include_bytes!("../../test/cert.pem");
+    let cert = X509::from_pem(cert).unwrap();
+    let ca = include_bytes!("../../test/root-ca.pem");
+    let ca = X509::from_pem(ca).unwrap();
+    let chain = Stack::new().unwrap();
+
+    let mut store_bldr = X509StoreBuilder::new().unwrap();
+    store_bldr.add_cert(ca).unwrap();
+    let mut verify_params = X509VerifyParam::new().unwrap();
+    verify_params.set_time(TEST_T_2030);
+    store_bldr.set_param(&verify_params).unwrap();
+    let store = store_bldr.build();
+
+    let mut context = X509StoreContext::new().unwrap();
+    assert_eq!(
+        context
+            .init(&store, &cert, &chain, |c| {
+                c.verify_cert()?;
+                Ok(c.error())
+            })
+            .unwrap()
+            .error_string(),
+        "certificate has expired"
+    )
+}
+
+#[test]
+#[cfg(any(ossl102, libressl261))]
+fn test_verify_param_set_time() {
+    const TEST_T_2020: time_t = 1577836800;
+
+    let cert = include_bytes!("../../test/cert.pem");
+    let cert = X509::from_pem(cert).unwrap();
+    let ca = include_bytes!("../../test/root-ca.pem");
+    let ca = X509::from_pem(ca).unwrap();
+    let chain = Stack::new().unwrap();
+
+    let mut store_bldr = X509StoreBuilder::new().unwrap();
+    store_bldr.add_cert(ca).unwrap();
+    let mut verify_params = X509VerifyParam::new().unwrap();
+    verify_params.set_time(TEST_T_2020);
+    store_bldr.set_param(&verify_params).unwrap();
+    let store = store_bldr.build();
+
+    let mut context = X509StoreContext::new().unwrap();
+    assert!(context
+        .init(&store, &cert, &chain, |c| c.verify_cert())
+        .unwrap());
+}
+
+#[test]
+#[cfg(any(ossl102, libressl261))]
+fn test_verify_param_set_depth() {
+    let cert = include_bytes!("../../test/leaf.pem");
+    let cert = X509::from_pem(cert).unwrap();
+    let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem");
+    let intermediate_ca = X509::from_pem(intermediate_ca).unwrap();
+    let ca = include_bytes!("../../test/root-ca.pem");
+    let ca = X509::from_pem(ca).unwrap();
+    let mut chain = Stack::new().unwrap();
+    chain.push(intermediate_ca).unwrap();
+
+    let mut store_bldr = X509StoreBuilder::new().unwrap();
+    store_bldr.add_cert(ca).unwrap();
+    let mut verify_params = X509VerifyParam::new().unwrap();
+    // OpenSSL 1.1.0+ considers the root certificate to not be part of the chain, while 1.0.2 and LibreSSL do
+    let expected_depth = if cfg!(any(ossl110)) { 1 } else { 2 };
+    verify_params.set_depth(expected_depth);
+    store_bldr.set_param(&verify_params).unwrap();
+    let store = store_bldr.build();
+
+    let mut context = X509StoreContext::new().unwrap();
+    assert!(context
+        .init(&store, &cert, &chain, |c| c.verify_cert())
+        .unwrap());
+}
+
+#[test]
+#[cfg(any(ossl102, libressl261))]
+fn test_verify_param_set_depth_fails_verification() {
+    let cert = include_bytes!("../../test/leaf.pem");
+    let cert = X509::from_pem(cert).unwrap();
+    let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem");
+    let intermediate_ca = X509::from_pem(intermediate_ca).unwrap();
+    let ca = include_bytes!("../../test/root-ca.pem");
+    let ca = X509::from_pem(ca).unwrap();
+    let mut chain = Stack::new().unwrap();
+    chain.push(intermediate_ca).unwrap();
+
+    let mut store_bldr = X509StoreBuilder::new().unwrap();
+    store_bldr.add_cert(ca).unwrap();
+    let mut verify_params = X509VerifyParam::new().unwrap();
+    // OpenSSL 1.1.0+ considers the root certificate to not be part of the chain, while 1.0.2 and LibreSSL do
+    let expected_depth = if cfg!(any(ossl110)) { 0 } else { 1 };
+    verify_params.set_depth(expected_depth);
+    store_bldr.set_param(&verify_params).unwrap();
+    let store = store_bldr.build();
+
+    // OpenSSL 1.1.0+ added support for X509_V_ERR_CERT_CHAIN_TOO_LONG, while 1.0.2 simply ignores the intermediate
+    let expected_error = if cfg!(any(ossl110, libressl261)) {
+        "certificate chain too long"
+    } else {
+        "unable to get local issuer certificate"
+    };
+
+    let mut context = X509StoreContext::new().unwrap();
+    assert_eq!(
+        context
+            .init(&store, &cert, &chain, |c| {
+                c.verify_cert()?;
+                Ok(c.error())
+            })
+            .unwrap()
+            .error_string(),
+        expected_error
+    )
+}
diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs
index 4752133996..20dd4bea8d 100644
--- a/openssl/src/x509/verify.rs
+++ b/openssl/src/x509/verify.rs
@@ -1,10 +1,10 @@
 use bitflags::bitflags;
 use foreign_types::ForeignTypeRef;
-use libc::{c_uint, c_ulong};
+use libc::{c_int, c_uint, c_ulong, time_t};
 use std::net::IpAddr;
 
-use crate::cvt;
 use crate::error::ErrorStack;
+use crate::{cvt, cvt_p};
 use openssl_macros::corresponds;
 
 bitflags! {
@@ -69,6 +69,17 @@ foreign_type_and_impl_send_sync! {
     pub struct X509VerifyParamRef;
 }
 
+impl X509VerifyParam {
+    /// Create an X509VerifyParam
+    #[corresponds(X509_VERIFY_PARAM_new)]
+    pub fn new() -> Result<X509VerifyParam, ErrorStack> {
+        unsafe {
+            ffi::init();
+            cvt_p(ffi::X509_VERIFY_PARAM_new()).map(X509VerifyParam)
+        }
+    }
+}
+
 impl X509VerifyParamRef {
     /// Set the host flags.
     #[corresponds(X509_VERIFY_PARAM_set_hostflags)]
@@ -139,4 +150,16 @@ impl X509VerifyParamRef {
             .map(|_| ())
         }
     }
+
+    /// Set the verification time, where time is of type time_t, traditionaly defined as seconds since the epoch
+    #[corresponds(X509_VERIFY_PARAM_set_time)]
+    pub fn set_time(&mut self, time: time_t) {
+        unsafe { ffi::X509_VERIFY_PARAM_set_time(self.as_ptr(), time) }
+    }
+
+    /// Set the verification depth
+    #[corresponds(X509_VERIFY_PARAM_set_depth)]
+    pub fn set_depth(&mut self, depth: c_int) {
+        unsafe { ffi::X509_VERIFY_PARAM_set_depth(self.as_ptr(), depth) }
+    }
 }
diff --git a/openssl/test/intermediate-ca.key b/openssl/test/intermediate-ca.key
new file mode 100644
index 0000000000..48f449534e
--- /dev/null
+++ b/openssl/test/intermediate-ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA1HsHFTpgKeWL/y6oKtARZm0Dy6J/08E0CujmdpVp0xnkXi/A
+RARnbMEbOPfmBUMOkVtQT3+l5aCgIAX+Kg6K7sQvio8nQUgOxuO1YpGlYu9EMtc7
+5fNxA1T0CuXXx8ClfEqW1ZV7ziQV0J4gzvuI26A7XyUhdk1oP/Al3F/94TmH6dtP
+SQ2K901O2zknU+bpPheQy08SE20k/nUOJAsiwtsxqY8hHOL1sXZ4K+I311hl0QpD
+OYf7eBcBdo2Mc5Nzjd9LPGLk1lE3itAXpayFMmfuuA0IdH1gNfy18axFEEVnj6CS
+2epGpmAckUEWUOse1WBhDEt6ddowT1iw7X4mWwIDAQABAoIBAGMGXzuudAiymTc5
+OFiTlbhlkAJEXkyC201GU7nqUmJ2y651lKZeYxEVQimfpszG/rARnXEfbWKCJH4o
+LNbO5kL2na12n/XVrkVU9EDW3fwoxGDpXFoDxaSm4AGAMrs+diFh5b/upb9ho+UQ
+/PtZ0OOCXokuFdU7qB08P3jgJ8LhooqWnZ4AC0rhN85CMNIKs/nrUrnmS3FZLVd/
+NWI9Vfjsndd41Gkho0A7tgOSnwRupk/Bv1b0px31h8ucp9/nLuR8vbGSdS/R9Sta
+pB9KNYYQ3LrhQGjddnEU0gj8qsuWgnoPf7eaWsLVunPLHQzL2hNNKL1eBADm7Lhh
+avIlnrkCgYEA8Q8UhOeIO0sMU8sB4NPTUf2UT9xjURoowGsGgbDEk21eABH6VC33
+VYt5r5xwbZFQvVaTbe+EI1YDpjH1cvpmorEWI47Nm4Vbf9JujW/hoQwuwpzOpdUT
+2G4tfMQrmTw/9HJ0l9+1Ib+A93dB8GvR0NE1uueaWanWvXARInwGiscCgYEA4aZ9
+mbhuwx88sSRMXwxSZw+R5BRrjdC0CeoimGg4/P84bKgc0YsjAha5jWaC/h8xN2Pb
+w45b3hQ0/FP8xohP0bp/5eeiDbqb6JuO5bI3CnfBrVpu1CAuIrf7lhkar3a0wluB
+k03fVHuVLtydACDJBKrZm1F39lpiZiEqlBIp080CgYEAwRwYjwPAEefkHzhQ7+Ah
+uNwQtQ1TjsQLA2J5mumWAJirphjA1jDgo+oQ+Iq1UkEIUjWJ85bd30TntXruK0bH
+c+uzVZbvxXfGvhZAtBN9x/svdn4R2a1hsY9J51prpt0qStRp7MSsoTV9xkEGVOi6
+87K1fV5OOyggvC+Lunlq8D8CgYAVSCOObPOdWYPa3SaKzFm1OKW00iw2qtlgGgH7
+R9EgI14J+W0GYk4B82y6plFycDSvGa7vaazGbDd3GOC9RLvqduF7KHaDPvdXX9yB
+U2aXiSXuGJpdTU+snJeQ13tJ0zNHJWQ6JV0L1cADNHFmQrFSzF5LpMpgpLOlGDmw
+z2m8fQKBgQDclFeonyn0zcXqznun9kAKkMij4s6lSdRgi/5Zh1WbJwOso9oWfwz9
+SSTP2KBO8B+/yFvuo5SWrbNaTz9/KuzMTv4HXz5ukLbyN9Jjtk73fdBBRSjL+zF5
+jU56oXHrwBhEqWQ77Ps60r+FmDjUgUhyJl14ZfkzICUK7NLFxKrvMQ==
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/test/intermediate-ca.pem b/openssl/test/intermediate-ca.pem
new file mode 100644
index 0000000000..266ef593cb
--- /dev/null
+++ b/openssl/test/intermediate-ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIEFSQSITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMB4XDTIyMTEwMzA3MDc0OVoXDTI2MDgxMTA3MDc0OVowgYkxCzAJ
+BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
+dCBXaWRnaXRzIFB0eSBMdGQxIDAeBgNVBAsMF0ludGVybWVkaWF0ZSBEZXBhcnRt
+ZW50MSAwHgYDVQQDDBdpbnRlcm1lZGlhdGUuZm9vYmFyLmNvbTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANR7BxU6YCnli/8uqCrQEWZtA8uif9PBNAro
+5naVadMZ5F4vwEQEZ2zBGzj35gVDDpFbUE9/peWgoCAF/ioOiu7EL4qPJ0FIDsbj
+tWKRpWLvRDLXO+XzcQNU9Arl18fApXxKltWVe84kFdCeIM77iNugO18lIXZNaD/w
+Jdxf/eE5h+nbT0kNivdNTts5J1Pm6T4XkMtPEhNtJP51DiQLIsLbMamPIRzi9bF2
+eCviN9dYZdEKQzmH+3gXAXaNjHOTc43fSzxi5NZRN4rQF6WshTJn7rgNCHR9YDX8
+tfGsRRBFZ4+gktnqRqZgHJFBFlDrHtVgYQxLenXaME9YsO1+JlsCAwEAAaNmMGQw
+HQYDVR0OBBYEFAXJImmmxYXx6L1SRRhgP3Tyq2J6MB8GA1UdIwQYMBaAFGzTpQOr
+DV8syY2KnIiniHe4N/2aMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQD
+AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQCnUh7iNbnFBjVa4sFx02r65syxUhcvM/ya
+DcSe1esGUwjZLyKVl9BTfQ6kfNa/6Z/t5cprp0R3etalN31dxka7xSDwzFNdBczB
+zYDIVOVlcGLL1Xjozacm6YHo773dqxZS36rVMk3NqNUY6GJJ+CGso2xZShcBg2KG
+fPlNPiRz3847E3dwouDYcP1MXf2ql/Y7dRbE+8kb3bWkSusJVb/4EHjpR7yZjKmh
+eXHVVx1dKnCGRldn3+dSNhN6mxNaSeBE2hb158+diQvL5u3f//va7SOpCi0f4d8E
+UCnLhieyrDlr42XXfz42BqRpqBO1SDjQwzIIc9Fbevwb916OSExp
+-----END CERTIFICATE-----
diff --git a/openssl/test/leaf.pem b/openssl/test/leaf.pem
new file mode 100644
index 0000000000..0f7aa808de
--- /dev/null
+++ b/openssl/test/leaf.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDejCCAmICBBUkEiQwDQYJKoZIhvcNAQELBQAwgYkxCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0
+eSBMdGQxIDAeBgNVBAsMF0ludGVybWVkaWF0ZSBEZXBhcnRtZW50MSAwHgYDVQQD
+DBdpbnRlcm1lZGlhdGUuZm9vYmFyLmNvbTAeFw0yMjExMDMwNzE3NTJaFw0yNjA4
+MTEwNzE3NTJaMHkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGDAWBgNVBAsMD0xlYWYg
+RGVwYXJ0bWVudDEYMBYGA1UEAwwPbGVhZi5mb29iYXIuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs9STUHGIcSOtioK6+02k9Jx4JuYVJ0SB7Ebd
+FAhGiOxBSoOljRVmmALti89QMmRiRqlyJnGJch7AloCCRsLJA0MfUYvauqmKHZFk
+iqtZ1HocHQ/LGNKfkILcclb4xp2nGYntKAyEqer3Qc6aPWAnQAV/+BshU1vlMfwU
+T6vOJRG69mft6dkHEWSzZd7++7HmFQGnDmIs5jBJVCOgKVttkN8Bk2EsTvJi9zl2
+SXLTcVrTAxEvuawv2ZXvdI/Cpt1WW0litXlFLcYBGwt/N93TX/L3Iyw5HcNd/xf9
+QwOr6RR66krQJzKxwcIY934uq6cyTQhexgnffb65qXL4bbV5fwIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQAZf0/r04AeKN2QhQ7Z0o2Iu/Yj3OD2tnbxVoltYk8CRfp3
+7VGl/5PUbmXXBSwMc4Udj88JlreU7iNEPAKtBqFczw0pwNfvxKG4Eh3vsfKrP+5g
+gtVwDG0mWeKJ7udrmFt8N0uwxVYDKp/gv5+Bw2eMew9Eoyenj6k2yg0nbFKzA3EH
+DqngETzX0dhdiYwVcoJFUK5ni3tVl9qi6FpmaTE6C5nTQLyH4CI+vo2x/QHINGaJ
+OzY/rx35iyVqXVqxN/gO/hp6g0nT5zLuMg2rfvcAhdDsD7htYcHiNkofrC8s0oQE
+W+r01EhxdEVvY1nYWanBCF6tktc5v5qf2WMS4ye5
+-----END CERTIFICATE-----
diff --git a/systest/build.rs b/systest/build.rs
index 2618a05b97..e54438114b 100644
--- a/systest/build.rs
+++ b/systest/build.rs
@@ -55,6 +55,7 @@ fn main() {
         .header("openssl/x509v3.h")
         .header("openssl/safestack.h")
         .header("openssl/hmac.h")
+        .header("openssl/obj_mac.h")
         .header("openssl/ssl.h")
         .header("openssl/err.h")
         .header("openssl/rand.h")