diff --git a/flake.nix b/flake.nix
index d7a462b..6d9dbee 100644
--- a/flake.nix
+++ b/flake.nix
@@ -142,8 +142,7 @@
 box = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "box";
 luna = buildSys "x86_64-linux" stable [ "${nixos-hardware}/common/cpu/intel" ] "luna";
- h =
- buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "h";
+ h = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "h";
 router = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "router";
@@ -195,7 +194,8 @@
 isUnstable = true;
 };
 gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit pkgs; };
- govulncheck = pkgs.callPackage ./pkgs/govulncheck.nix { inherit pkgs; };
+ govulncheck =
+ pkgs.callPackage ./pkgs/govulncheck.nix { inherit pkgs; };
 zutty = pkgs.callPackage ./pkgs/zutty.nix {
 inherit pkgs;
 isUnstable = true;
diff --git a/overlays/default.nix b/overlays/default.nix
index 9f0dda8..c4a3b3b 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -13,8 +13,25 @@ let
 doCheck = false;
 });
 };
+ openssl_3 = self: super: {
+ openssl_3 = super.openssl_3.overrideAttrs (old: rec {
+ pname = "openssl";
+ version = "3.0.7";
+ sha256 = "sha256-gwSdBComDmlvYkBqxcCL9wb9hDg/lFzyG9YentlcOW4=";
+ src = super.fetchurl {
+ url = "https://www.openssl.org/source/${pname}-${version}.tar.gz";
+ inherit sha256;
+ };
+ patches = [
+ ./nix-ssl-cert-file.patch
+ ./openssl-disable-kernel-detection.patch
+ ./use-etc-ssl-certs.patch
+ ];
+ });
+ };
 in {
 nixpkgs.overlays = if isUnstable then [
+ openssl_3
 (self: super: {
 zig = super.zig.overrideAttrs (old: {
@@ -40,9 +57,9 @@ in {
 });
 })
- ] else
- [
+ ] else [
 openssh
+ openssl_3
 (self: super: {
 matrix-synapse = super.matrix-synapse.overrideAttrs (old: rec {
diff --git a/overlays/nix-ssl-cert-file.patch b/overlays/nix-ssl-cert-file.patch
new file mode 100644
index 0000000..e7090f4
--- /dev/null
+++ b/overlays/nix-ssl-cert-file.patch
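Review bot: The `openssl_3` overlay hard-pins `version = "3.0.7"` and its `sha256`, so from now on every `super.openssl_3` bump in nixpkgs is silently replaced by this fixed tarball and the pin has to be moved by hand to pick up later OpenSSL security releases; nothing in the hunk records that intent or the condition for removing it. A comment above the override such as `# Temporary pin ahead of nixpkgs; remove once super.openssl_3 is >= 3.0.7, otherwise later OpenSSL security releases are overridden here.` would make that visible. The override also assigns `patches` wholesale rather than extending `old.patches`, so whatever patch list nixpkgs applies to its own `openssl_3` is dropped in favour of the three local files — presumably intended, but worth stating in the same comment. The second hunk of this file only adds `openssl_3` to the stable overlay list and needs no separate note.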
@@ -0,0 +1,15 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index 37d73ca84c..e328896234 100644
+--- a/crypto/x509/by_file.c
++++ b/crypto/x509/by_file.c
+@@ -54,7 +54,9 @@ static int by_file_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
+ switch (cmd) {
+ case X509_L_FILE_LOAD:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- file = ossl_safe_getenv(X509_get_default_cert_file_env());
++ file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
++ if (!file)
++ file = ossl_safe_getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file_ex(ctx, file, X509_FILETYPE_PEM,
+ libctx, propq) != 0);
diff --git a/overlays/openssl-disable-kernel-detection.patch b/overlays/openssl-disable-kernel-detection.patch
new file mode 100644
index 0000000..0458556
--- /dev/null
+++ b/overlays/openssl-disable-kernel-detection.patch
@@ -0,0 +1,25 @@
+diff --git a/Configure b/Configure
+index a558e5ab1a..9a884f0b0f 100755
+--- a/Configure
++++ b/Configure
+@@ -1714,20 +1714,6 @@ unless ($disabled{devcryptoeng}) {
+
+ unless ($disabled{ktls}) {
+ $config{ktls}="";
+- my $cc = $config{CROSS_COMPILE}.$config{CC};
+- if ($target =~ m/^linux/) {
+- system("printf '#include \n#include ' | $cc -E - >/dev/null 2>&1");
+- if ($? != 0) {
+- disable('too-old-kernel', 'ktls');
+- }
+- } elsif ($target =~ m/^BSD/) {
+- system("printf '#include \n#include ' | $cc -E - >/dev/null 2>&1");
+- if ($? != 0) {
+- disable('too-old-freebsd', 'ktls');
+- }
+- } else {
+- disable('not-linux-or-freebsd', 'ktls');
+- }
+ }
+
+ push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
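Review bot: The added lookup in by_file_ctrl_ex consults `NIX_SSL_CERT_FILE` before `X509_get_default_cert_file_env()`, so when both variables are set the Nix one wins over OpenSSL's own default environment variable (SSL_CERT_FILE); the hunk leaves that precedence undocumented, and a reader of the C code alone would expect the stock variable to be authoritative. A comment on the new line, `/* Nix: NIX_SSL_CERT_FILE takes precedence over the stock SSL_CERT_FILE lookup */`, would record it. Using `ossl_safe_getenv` for the new variable matches the surrounding line, so the new lookup presumably gets the same treatment in privileged processes as the stock one. The override applies only to the `X509_FILETYPE_DEFAULT` branch of `X509_L_FILE_LOAD`, leaving the default certificate-directory lookup untouched, which is worth one line in the patch header describing the intended scope; by_file_ctrl_ex itself starts and ends outside the hunk.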
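Review bot: Removing the probe leaves ktls enabled unless it is explicitly disabled through the Configure options, so on a toolchain whose headers lack the TLS offload definitions the failure moves from a clean `disable(...)` at configure time to a compile error deep in the build; the patch carries no header comment explaining why that trade-off is wanted for this Nix build. A one-line description at the top of the patch file, e.g. `# <reason the kernel-header probe is skipped in this build>`, filled in with the actual motivation, would help the next person who has to rebase it onto a newer OpenSSL. Also, the two removed `system("printf '#include \n#include ' | ...")` context lines show empty include names, which looks like angle-bracketed header names were lost in rendering; if the committed patch file really reads this way the context will not match upstream `Configure` and the patch will fail to apply, so please confirm against the file on disk.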
@@ -0,0 +1,13 @@
+diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
+index 329ef62..9a8df64 100644
+--- a/include/internal/cryptlib.h
++++ b/include/internal/cryptlib.h
+@@ -56,7 +56,7 @@ DEFINE_LHASH_OF(MEM);
+ # ifndef OPENSSL_SYS_VMS
+ # define X509_CERT_AREA OPENSSLDIR
+ # define X509_CERT_DIR OPENSSLDIR "/certs"
+-# define X509_CERT_FILE OPENSSLDIR "/cert.pem"
++# define X509_CERT_FILE "/etc/ssl/certs/ca-certificates.crt"
+ # define X509_PRIVATE_DIR OPENSSLDIR "/private"
+ # define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf"
+ # else
diff --git a/pkgs/govulncheck.nix b/pkgs/govulncheck.nix
index 026f216..378a25f 100644
--- a/pkgs/govulncheck.nix
+++ b/pkgs/govulncheck.nix
@@ -15,7 +15,7 @@ buildGoModule rec {
 proxyVendor = true;
 doCheck = false;
-
+ subPackages = [ "cmd/govulncheck" ];
 meta = {
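Review bot: `X509_CERT_FILE` now names the absolute host path `/etc/ssl/certs/ca-certificates.crt` instead of a location under `OPENSSLDIR`, so the fallback trust store is no longer part of the build output and depends on the running system providing that file; the hunk does not say so. Together with the sibling `nix-ssl-cert-file.patch`, the effective order appears to be the `NIX_SSL_CERT_FILE` environment variable, then OpenSSL's default file variable, then this fixed path, while `X509_CERT_DIR` still points under `OPENSSLDIR`. A short note in the patch header spelling out that chain, e.g. `Default CA file is the host's /etc/ssl/certs/ca-certificates.crt; env overrides are handled by nix-ssl-cert-file.patch`, would save the next reader from re-deriving it.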