diff --git a/gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch b/gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
new file mode 100644
index 0000000..bea4eed
--- /dev/null
+++ b/gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
@@ -0,0 +1,82 @@
+From 3d390148c05a7ea2d401c4633e7d4db75ebf97d9 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Thu, 7 Nov 2024 11:07:02 +0100
+Subject: [PATCH] gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError
+ in ConnectionHandler; rely on __exit__ (GH-126503)
+
+If `read()` in the ConnectionHandler thread raises `OSError` (except `ConnectionError`),
+the ConnectionHandler shuts down the entire ThreadedEchoServer,
+preventing further connections.
+It also does that for `EPROTOTYPE` in `wrap_conn`.
+
+As far as I can see, this is done to avoid the server thread getting stuck,
+forgotten, in its accept loop. However, since 2011 (5b95eb90a7167285b6544b50865227c584943c9a)
+the server is used as a context manager, and its `__exit__` does `stop()` and `join()`.
+(I'm not sure if we *always* used `with` since that commit, but currently we do.)
+
+Make sure that the context manager *is* used, and remove the `server.stop()`
+calls from ConnectionHandler.
+(cherry picked from commit c9cda1608edf7664c10f4f467e24591062c2fe62)
+
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+---
+ Lib/test/test_ssl.py | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 9b59ddd887aa0b..b6421c7a3c827b 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -2300,7 +2300,6 @@ def wrap_conn(self):
+                 # See also http://erickt.github.io/blog/2014/11/19/adventures-in-debugging-a-potential-osx-kernel-bug/
+                 if e.errno != errno.EPROTOTYPE and sys.platform != "darwin":
+                     self.running = False
+-                    self.server.stop()
+                     self.close()
+                 return False
+             else:
+@@ -2435,10 +2434,6 @@ def run(self):
+                     self.close()
+                     self.running = False
+ 
+-                    # normally, we'd just stop here, but for the test
+-                    # harness, we want to stop the server
+-                    self.server.stop()
+-
+     def __init__(self, certificate=None, ssl_version=None,
+                  certreqs=None, cacerts=None,
+                  chatty=True, connectionchatty=False, starttls_server=False,
+@@ -2472,21 +2467,33 @@ def __init__(self, certificate=None, ssl_version=None,
+         self.conn_errors = []
+         threading.Thread.__init__(self)
+         self.daemon = True
++        self._in_context = False
+ 
+     def __enter__(self):
++        if self._in_context:
++            raise ValueError('Re-entering ThreadedEchoServer context')
++        self._in_context = True
+         self.start(threading.Event())
+         self.flag.wait()
+         return self
+ 
+     def __exit__(self, *args):
++        assert self._in_context
++        self._in_context = False
+         self.stop()
+         self.join()
+ 
+     def start(self, flag=None):
++        if not self._in_context:
++            raise ValueError(
++                'ThreadedEchoServer must be used as a context manager')
+         self.flag = flag
+         threading.Thread.start(self)
+ 
+     def run(self):
++        if not self._in_context:
++            raise ValueError(
++                'ThreadedEchoServer must be used as a context manager')
+         self.sock.settimeout(1.0)
+         self.sock.listen(5)
+         self.active = True
diff --git a/python310.changes b/python310.changes
index 76e6103..5320e46 100644
--- a/python310.changes
+++ b/python310.changes
@@ -41,6 +41,10 @@ Fri Apr 11 08:12:14 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
   - gh-121277: Writers of CPython’s documentation can now use
     next as the version for the versionchanged, versionadded,
     deprecated directives.
+- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  which makes test_ssl not to stop ThreadedEchoServer on OSError,
+  which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
+  gh#python/cpython!126572)
 - Remote upstreamed patch:
   - CVE-2025-0938-sq-brackets-domain-names.patch
 
diff --git a/python310.spec b/python310.spec
index d8dad88..eae830c 100644
--- a/python310.spec
+++ b/python310.spec
@@ -204,6 +204,9 @@ Patch27:        gh120226-fix-sendfile-test-kernel-610.patch
 # PATCH-FIX-UPSTREAM sphinx-802.patch mcepl@suse.com
 # status_iterator method moved between the Sphinx versions
 Patch28:        sphinx-802.patch
+# PATCH-FIX-UPSTREAM gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch bsc#1241067 mcepl@suse.com
+# don't stop ThreadedEchoServer on OSError, makes test_ssl fail with OpenSSL 3.5
+Patch29:        gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -487,6 +490,7 @@ other applications.
 %patch -p1 -P 24
 %patch -p1 -P 27
 %patch -p1 -P 28
+%patch -p1 -P 29
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac