diff --git a/srcpkgs/libressl/patches/fail-instead-of-trying-fallback.patch b/srcpkgs/libressl/patches/fail-instead-of-trying-fallback.patch
new file mode 100644
index 0000000000..9df423ed7a
--- /dev/null
+++ b/srcpkgs/libressl/patches/fail-instead-of-trying-fallback.patch
@@ -0,0 +1,21 @@
+ so, current flow for getentropy is
+ 1) use SYS_getrandom if it exists (true on glibc and musl)
+ 2) use /dev/urandom
+ 3) use sysctl (glibc only)
+ 4) use terrible fallback
+ and with a one-line patch it can instead kill itself after 3
+ so that should only affect processes running without /dev/urandom on old kernels
+ probably no harm else
+ +1
+
+--- crypto/compat/getentropy_linux.c.orig
++++ crypto/compat/getentropy_linux.c
+@@ -162,7 +162,7 @@
+ * sysctl ABI, or consider providing a new failsafe API which
+ * works in a chroot or when file descriptors are exhausted.
+ */
+-#undef FAIL_INSTEAD_OF_TRYING_FALLBACK
++#define FAIL_INSTEAD_OF_TRYING_FALLBACK
+ #ifdef FAIL_INSTEAD_OF_TRYING_FALLBACK
+ raise(SIGKILL);
+ #endif
diff --git a/srcpkgs/libressl/template b/srcpkgs/libressl/template
index cee4507a24..16c872f7b3 100644
--- a/srcpkgs/libressl/template
+++ b/srcpkgs/libressl/template
@@ -1,7 +1,7 @@
 # Template file for 'libressl'
 pkgname=libressl
 version=2.2.4
-revision=3
+revision=4
 bootstrap=yes
 build_style=gnu-configure
 short_desc="Version of the TLS/crypto stack forked from OpenSSL"
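Review bot: The informal header of the new patch file understates what the change affects: the context lines of the inner hunk at `@@ -162,7 +162,7 @@` say this point is reached not only without /dev/urandom on a kernel lacking SYS_getrandom, but also `in a chroot or when file descriptors are exhausted`, so on such kernels any process that reaches its descriptor limit is now terminated with an uncatchable SIGKILL and no diagnostic instead of continuing with the weak fallback. Failing closed rather than returning low-quality entropy is a defensible choice, but the rationale belongs in the patch file itself rather than in the chat transcript that currently precedes the `---` line; a short header stating that the fallback is disabled to fail closed, and listing the three conditions under which getentropy() will now kill the process, would let a future version bump re-evaluate the patch once getrandom is available everywhere. The leading whitespace of the context lines (`* sysctl ABI`, `raise(SIGKILL);`) appears collapsed in this view; if the stored file really lacks the original indentation, patch will reject the hunk, so verify it applies cleanly against crypto/compat/getentropy_linux.c. The template hunk is only a revision bump.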