diff --git a/execargs.patch b/execargs.patch
new file mode 100644
index 0000000..542a622
--- /dev/null
+++ b/execargs.patch
@@ -0,0 +1,23 @@
+--- src/options.old	2009-11-13 15:44:54.000000000 +0100
++++ src/options.c	2009-11-13 15:58:44.000000000 +0100
+@@ -793,6 +793,11 @@
+             break;
+         section->option.program=1;
+         section->execname=stralloc(arg);
++        if(!section->execargs) {
++            section->execargs=calloc(2, sizeof(char *));
++            section->execargs[0]=section->execname;
++            section->execargs[1]=NULL; /* to show that it's null-terminated */
++        }
+         return NULL; /* OK */
+     case CMD_DEFAULT:
+         break;
+@@ -1603,7 +1608,7 @@
+         while(*ptr && isspace((unsigned char)*ptr))
+             *ptr++='\0';
+     }
+-    retval[i]=NULL;
++    retval[i]=NULL; /* to show that it's null-terminated */
+     return retval;
+ }
+ #endif
diff --git a/no_ticket.patch b/no_ticket.patch
new file mode 100644
index 0000000..e9e0914
--- /dev/null
+++ b/no_ticket.patch
@@ -0,0 +1,22 @@
+--- src/options.old	2009-11-13 09:29:16.000000000 +0100
++++ src/options.c	2009-11-13 09:26:38.000000000 +0100
+@@ -1136,7 +1136,9 @@
+         if(strcasecmp(opt, "sessiond"))
+             break;
+         section->option.sessiond=1;
++#ifdef SSL_OP_NO_TICKET
+         section->ssl_options|=SSL_OP_NO_TICKET;
++#endif
+         if(!name2addrlist(&section->sessiond_addr, arg, DEFAULT_LOOPBACK))
+             return "Failed to resolve sessiond server address";
+         return NULL; /* OK */
+@@ -1706,7 +1708,9 @@
+         {"DONT_INSERT_EMPTY_FRAGMENTS", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
+         {"NO_QUERY_MTU", SSL_OP_NO_QUERY_MTU},
+         {"COOKIE_EXCHANGE", SSL_OP_COOKIE_EXCHANGE},
++#ifdef SSL_OP_NO_TICKET
+         {"NO_TICKET", SSL_OP_NO_TICKET},
++#endif
+         {"NO_SESSION_RESUMPTION_ON_RENEGOTIATION",
+             SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
+ #ifdef SSL_OP_NO_COMPRESSION
diff --git a/openssl097d.patch b/openssl097d.patch
new file mode 100644
index 0000000..c0e06ee
--- /dev/null
+++ b/openssl097d.patch
@@ -0,0 +1,36 @@
+--- src/options.c.orig	2009-10-01 09:52:52.000000000 +0200
++++ src/options.c	2009-11-27 11:24:43.998850503 +0100
+@@ -1136,7 +1136,9 @@
+         if(strcasecmp(opt, "sessiond"))
+             break;
+         section->option.sessiond=1;
++#ifdef SSL_OP_NO_TICKET
+         section->ssl_options|=SSL_OP_NO_TICKET;
++#endif
+         if(!name2addrlist(&section->sessiond_addr, arg, DEFAULT_LOOPBACK))
+             return "Failed to resolve sessiond server address";
+         return NULL; /* OK */
+@@ -1704,15 +1706,23 @@
+         {"TLS_D5_BUG", SSL_OP_TLS_D5_BUG},
+         {"TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG},
+         {"DONT_INSERT_EMPTY_FRAGMENTS", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
++#ifdef SSL_OP_NO_QUERY_MTU
+         {"NO_QUERY_MTU", SSL_OP_NO_QUERY_MTU},
++#endif
++#ifdef SSL_OP_COOKIE_EXCHANGE
+         {"COOKIE_EXCHANGE", SSL_OP_COOKIE_EXCHANGE},
++#endif
++#ifdef SSL_OP_NO_TICKET
+         {"NO_TICKET", SSL_OP_NO_TICKET},
++#endif
+         {"NO_SESSION_RESUMPTION_ON_RENEGOTIATION",
+             SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
+ #ifdef SSL_OP_NO_COMPRESSION
+         {"NO_COMPRESSION", SSL_OP_NO_COMPRESSION},
+ #endif
++#ifdef SSL_OP_SINGLE_ECDH_USE
+         {"SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE},
++#endif
+         {"SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE},
+         {"EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA},
+         {"CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE},
diff --git a/stunnel-4.26.tar.gz b/stunnel-4.26.tar.gz
deleted file mode 100644
index 92089fa..0000000
--- a/stunnel-4.26.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e9e6795072e84fa031a67fe5de3030014031f2d84ec85b26d6e1b33c8b686bd3
-size 531804
diff --git a/stunnel-4.28.tar.gz b/stunnel-4.28.tar.gz
new file mode 100644
index 0000000..434a5b8
--- /dev/null
+++ b/stunnel-4.28.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9be98fb1aa5e96e44095df267d89b776aa539e6dce90dd0d54db675e9a95cd80
+size 543008
diff --git a/stunnel-4.28.tar.gz.asc b/stunnel-4.28.tar.gz.asc
new file mode 100644
index 0000000..f330ddd
--- /dev/null
+++ b/stunnel-4.28.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iD8DBQBK9yxE/NU+nXTHMtERArdZAJ9jqBNY2thmkiQYUUtX8KKSi7k2mgCfeKGM
+aegr9+rToWNsY8Whwg8fyFs=
+=o6KF
+-----END PGP SIGNATURE-----
diff --git a/stunnel-4.28.tar.gz.sha1 b/stunnel-4.28.tar.gz.sha1
new file mode 100644
index 0000000..7bfa5a1
--- /dev/null
+++ b/stunnel-4.28.tar.gz.sha1
@@ -0,0 +1 @@
+868cba9ec56ed6a02c8ecfa2a87614b4d433611b  stunnel-4.28.tar.gz
diff --git a/stunnel.changes b/stunnel.changes
index 7b585c0..e4d0617 100644
--- a/stunnel.changes
+++ b/stunnel.changes
@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Fri Nov 27 11:11:59 CET 2009  - vetter@physik.uni-wuerzburg.de
+
+- fix compile problems with openssl 0.9.7d
+
+-------------------------------------------------------------------
+Fri Nov 27 09:45:54 CET 2009  - vetter@physik.uni-wuerzburg.de
+
+- bugfixes for 4.28
+    * Bugfixes
+          o "execargs" defaults to the "exec" parameter (thx to Peter Pentchev).
+          o no_ticket.patch
+
+- update to 4.27:
+    * New features
+          o Win32 DLLs for OpenSSL 0.9.8l.
+          o Transparent proxy support on Linux kernels >=2.6.28. See the manual for details.
+          o New socket options to control TCP keepalive on Linux: TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
+          o SSL options updated for the recent version of OpenSSL library.
+    * Bugfixes
+          o A serious bug in asynchronous shutdown code fixed.
+          o Data alignment updated in libwrap.c.
+          o Polish manual encoding fixed.
+          o Notes on compression implementation in OpenSSL added to the manual.
+
+
+
+-------------------------------------------------------------------
+Fri Apr 17 16:34:22 CEST 2009 - vetter@physik.uni-wuerzburg.de
+
+- update to 4.27:
+  * New features
+    - Win32 DLLs for OpenSSL 0.9.8k.
+    - FIPS support was updated for openssl-fips 1.2.
+    - New priority failover strategy for multiple "connect" targets,
+      controlled with "failover=rr" (default) or "failover=prio".
+    - pgsql protocol negotiation by Marko Kreen <markokr@gmail.com>.
+    - Building instructions were updated in INSTALL.W32 file.
+  * Bugfixes
+    - Libwrap helper processes fixed to close standard
+      input/output/error file descriptors.
+    - OS2 compilation fixes.
+    - WCE fixes by Pierre Delaage <delaage.pierre@free.fr>.
+
 -------------------------------------------------------------------
 Wed Feb 18 20:15:22 CEST 2009 - vetter@physik.uni-wuerzburg.de
 
diff --git a/stunnel.spec b/stunnel.spec
index 2324a5e..b15e446 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -19,7 +19,7 @@ BuildRequires:  gcc-c++ tcp_wrappers
 %endif
 Summary:        Universal SSL Tunnel
 License:        GNU Library General Public License v. 2.0 and 2.1 (LGPL)
-Version:        4.26
+Version:        4.28
 Release:        1.1
 Group:          Productivity/Networking/Security
 URL:            http://www.stunnel.org/
@@ -32,6 +32,8 @@ Source1:        stunnel.conf
 Source2:        stunnel.README
 Source3:        sysconfig.syslog-stunnel
 Source4:        stunnel.rc
+Patch1:		execargs.patch
+Patch2:		openssl097d.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define VENDOR SUSE
 
@@ -48,6 +50,8 @@ without any changes to the program code.
 
 %prep
 %setup -q
+%patch1
+%patch2
 
 %build
 #autoreconf -fi