diff --git a/check_inv_ALPN_lists.patch b/check_inv_ALPN_lists.patch
new file mode 100644
index 0000000..e76d16e
--- /dev/null
+++ b/check_inv_ALPN_lists.patch
@@ -0,0 +1,51 @@
+From cc5c00ae5fd3c19d07fff79b5c4a08f5e58697ad Mon Sep 17 00:00:00 2001
+From: "Nathaniel J. Smith"
+Date: Wed, 27 Oct 2021 11:54:08 -0700
+Subject: [PATCH 1/2] Check for invalid ALPN lists before calling OpenSSL, for
+ consistency
+
+Fixes gh-1043
+---
+ src/OpenSSL/SSL.py | 12 ++++++++++++
+ tests/test_ssl.py | 2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1423,6 +1423,12 @@ class Context(object):
+ This list should be a Python list of bytestrings representing the
+ protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
+ """
++ # Different versions of OpenSSL are inconsistent about how they handle
++ # empty proto lists (see #1043), so we avoid the problem entirely by
++ # rejecting them ourselves.
++ if not protos:
++ raise ValueError("at least one protocol must be specified")
++
+ # Take the list of protocols and join them together, prefixing them
+ # with their lengths.
+ protostr = b"".join(
+@@ -2451,6 +2457,12 @@ class Connection(object):
+ This list should be a Python list of bytestrings representing the
+ protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
+ """
++ # Different versions of OpenSSL are inconsistent about how they handle
++ # empty proto lists (see #1043), so we avoid the problem entirely by
++ # rejecting them ourselves.
++ if not protos:
++ raise ValueError("at least one protocol must be specified")
++
+ # Take the list of protocols and join them together, prefixing them
+ # with their lengths.
+ protostr = b"".join(
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1934,7 +1934,7 @@ class TestApplicationLayerProtoNegotiati
+ protocols list. Ensure that we produce a user-visible error.
+ """
+ context = Context(SSLv23_METHOD)
+- with pytest.raises(Error):
++ with pytest.raises(ValueError):
+ context.set_alpn_protos([])
+
+ def test_alpn_set_on_connection(self):
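Review bot: The added guard `if not protos:` in `Context.set_alpn_protos` (and the identical one in `Connection.set_alpn_protos`) rejects only an empty list, so individual entries still go into the length-prefixed join unchecked. ALPN protocol names must be 1–255 bytes long, and an entry such as `b""` or an over-long name would presumably still be left to the join or to OpenSSL to handle; the rest of both method bodies lies outside the hunk, so this is inferred. If the aim is consistent behaviour across OpenSSL versions, a per-entry check next to the new guard would cover it, e.g. `if any(not 0 < len(p) < 256 for p in protos): raise ValueError("each protocol must be 1-255 bytes long")`. Separately, the test change shows the exception type moving from `Error` to `ValueError`, so code that catches `OpenSSL.SSL.Error` around this call will no longer catch the empty-list case; that behaviour change deserves a line in the package changelog.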
diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes
index 15ddbdd..c68bc8b 100644
--- a/python-pyOpenSSL.changes
+++ b/python-pyOpenSSL.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Oct 30 19:08:35 UTC 2021 - Matej Cepl
+
+- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists
+ before calling OpenSSL (gh#pyca/pyopenssl#1056).
+
 -------------------------------------------------------------------
 Tue Oct 26 20:27:12 UTC 2021 - Dirk Müller
 
diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec
index 03c73a5..ea18da2 100644
--- a/python-pyOpenSSL.spec
+++ b/python-pyOpenSSL.spec
@@ -28,6 +28,9 @@ Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
 # PATCH-FIX-UPSTREAM skip-networked-test.patch gh#pyca/pyopenssl#68 mcepl@suse.com
 # Mark tests requiring network access
 Patch0: skip-networked-test.patch
+# PATCH-FIX-UPSTREAM check_inv_ALPN_lists.patch gh#pyca/pyopenssl#1056 mcepl@suse.com
+# Check for invalid ALPN lists before calling OpenSSL
+Patch1: check_inv_ALPN_lists.patch
 BuildRequires: %{python_module cffi}
 BuildRequires: %{python_module cryptography >= 3.3}
 BuildRequires: %{python_module flaky}