diff --git a/.openconnect.metadata b/.openconnect.metadata
new file mode 100644
index 0000000..0abf01c
--- /dev/null
+++ b/.openconnect.metadata
@@ -0,0 +1 @@
+1fa47eb23fa6fd41b3b7b88b9079a92285add7d8  SOURCES/openconnect-9.12.tar.gz
diff --git a/SOURCES/0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch b/SOURCES/0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch
new file mode 100644
index 0000000..6fe452c
--- /dev/null
+++ b/SOURCES/0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch
@@ -0,0 +1,65 @@
+From 4ff991c46e6b202cabd623eeffa5ae1af1ba5c8e Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Fri, 23 Apr 2021 10:40:44 +0100
+Subject: [PATCH 1/2] Ignore errors fetching NC landing page if auth was
+ successful
+
+Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+(cherry picked from commit 3e77943692b511719d9217d2ecc43588b7c6c08b)
+---
+ auth-juniper.c    | 18 +++++++++++-------
+ www/changelog.xml |  2 +-
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/auth-juniper.c b/auth-juniper.c
+index 19d43978..63af3bfc 100644
+--- a/auth-juniper.c
++++ b/auth-juniper.c
+@@ -663,6 +663,17 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
+ 			ret = do_https_request(vpninfo, "GET", NULL, NULL,
+ 					       &form_buf, 2);
+ 
++		/* After login, the server will redirect the "browser" to a landing page.
++		 * https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
++		 * turned some of those landing pages into a 403 but we don't *care*
++		 * about that as long as we have the cookie we wanted. So check for
++		 * cookie success *before* checking 'ret'. */
++		if (!check_cookie_success(vpninfo)) {
++			free(form_buf);
++			ret = 0;
++			break;
++		}
++
+ 		if (ret < 0)
+ 			break;
+ 
+@@ -680,13 +691,6 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
+ 			break;
+ 		}
+ 
+-		if (!check_cookie_success(vpninfo)) {
+-			buf_free(url);
+-			free(form_buf);
+-			ret = 0;
+-			break;
+-		}
+-
+ 		doc = htmlReadMemory(form_buf, ret, url->data, NULL,
+ 				     HTML_PARSE_RECOVER|HTML_PARSE_NOERROR|HTML_PARSE_NOWARNING|HTML_PARSE_NONET);
+ 		buf_free(url);
+diff --git a/www/changelog.xml b/www/changelog.xml
+index bca5c8e2..1a05eda7 100644
+--- a/www/changelog.xml
++++ b/www/changelog.xml
+@@ -15,7 +15,7 @@
+ <ul>
+    <li><b>OpenConnect HEAD</b>
+      <ul>
+-       <li><i>No changelog entries yet</i></li>
++       <li>Ignore failures to fetch the NC landing page if the authentication was successful.</li>
+      </ul><br/>
+   </li>
+   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>
+-- 
+2.31.1
+
diff --git a/SOURCES/0002-Unconditionally-bypass-system-crypto-policy.patch b/SOURCES/0002-Unconditionally-bypass-system-crypto-policy.patch
new file mode 100644
index 0000000..d274370
--- /dev/null
+++ b/SOURCES/0002-Unconditionally-bypass-system-crypto-policy.patch
@@ -0,0 +1,134 @@
+From cc4658504b21eb87f9fa6bf7c1e42b83b6f64aaa Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Sat, 12 Jun 2021 08:50:09 +0100
+Subject: [PATCH 2/2] Unconditionally bypass system crypto policy
+
+This makes me extremely sad, but they rolled it out with *no* way to
+selectively allow the user to say "connect anyway", as we've always had
+for "invalid" certificates, etc.
+
+It's just unworkable and incomplete as currently implemented in the
+distributions, so we have no choice except to bypass it and wait for
+it to be fixed.
+
+Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+(cherry picked from commit 7e862f2f0352409357fa7a4762481fde49909eb8
+ and commit d29822cf30293d5f8b039baf3306eed2769fa0b5)
+---
+ configure.ac           |  3 +++
+ libopenconnect.map.in  |  2 +-
+ main.c                 | 23 +++++++++++++++++++++++
+ openconnect-internal.h |  9 +++++++++
+ www/changelog.xml      |  1 +
+ 5 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 8b1b540f..3ea5e9cc 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -26,6 +26,7 @@ symver_getline=
+ symver_asprintf=
+ symver_vasprintf=
+ symver_win32_strerror=
++symver_win32_setenv=
+ 
+ case $host_os in
+  *linux* | *gnu* | *nacl*)
+@@ -54,6 +55,7 @@ case $host_os in
+     # For asprintf()
+     AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
+     symver_win32_strerror="openconnect__win32_strerror;"
++    symver_win32_setenv="openconnect__win32_setenv;"
+     # Win32 does have the SCard API
+     system_pcsc_libs="-lwinscard"
+     system_pcsc_cflags=
+@@ -156,6 +158,7 @@ AC_SUBST(SYMVER_GETLINE, $symver_getline)
+ AC_SUBST(SYMVER_ASPRINTF, $symver_asprintf)
+ AC_SUBST(SYMVER_VASPRINTF, $symver_vasprintf)
+ AC_SUBST(SYMVER_WIN32_STRERROR, $symver_win32_strerror)
++AC_SUBST(SYMVER_WIN32_SETENV, $symver_win32_setenv)
+ 
+ AS_COMPILER_FLAGS(WFLAGS,
+         "-Wall
+diff --git a/libopenconnect.map.in b/libopenconnect.map.in
+index 5b4bc5d7..1039aacf 100644
+--- a/libopenconnect.map.in
++++ b/libopenconnect.map.in
+@@ -109,7 +109,7 @@ OPENCONNECT_5_6 {
+ } OPENCONNECT_5_5;
+ 
+ OPENCONNECT_PRIVATE {
+- global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@
++ global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ @SYMVER_WIN32_SETENV@
+ 	openconnect_get_tls_library_version;
+ 	openconnect_fopen_utf8;
+ 	openconnect_open_utf8;
+diff --git a/main.c b/main.c
+index cc3dd91e..129755a1 100644
+--- a/main.c
++++ b/main.c
+@@ -1436,6 +1436,29 @@ int main(int argc, char **argv)
+ 			openconnect_binary_version, openconnect_version_str);
+ 	}
+ 
++	/* Some systems have a crypto policy which completely prevents DTLSv1.0
++	 * from being used, which is entirely pointless and will just drive
++	 * users back to the crappy proprietary clients. Or drive OpenConnect
++	 * to implement its own DTLS instead of using the system crypto libs.
++	 * We're happy to conform by default to the system policy which is
++	 * carefully curated to keep up to date with developments in crypto
++	 * attacks —  but we also *need* to be able to override it and connect
++	 * anyway, when the user asks us to. Just as we *can* continue even
++	 * when the server has an invalid certificate, based on user input.
++	 * It was a massive oversight that GnuTLS implemented the system
++	 * policy *without* that basic override facility, so until/unless
++	 * it actually gets implemented properly we have to just disable it.
++	 * We can't do this from openconnect_init_ssl() since that would be
++	 * calling setenv() from a library in someone else's process. And
++	 * thankfully we don't really need to since the auth-dialogs don't
++	 * care; this is mostly for the DTLS connection.
++	 */
++#ifdef OPENCONNECT_GNUTLS
++	setenv("GNUTLS_SYSTEM_PRIORITY_FILE", DEVNULL, 0);
++#else
++	setenv("OPENSSL_CONF", DEVNULL, 0);
++#endif
++
+ 	openconnect_init_ssl();
+ 
+ 	vpninfo = openconnect_vpninfo_new((char *)"Open AnyConnect VPN Agent",
+diff --git a/openconnect-internal.h b/openconnect-internal.h
+index 92edf763..9eb274c2 100644
+--- a/openconnect-internal.h
++++ b/openconnect-internal.h
+@@ -41,6 +41,15 @@
+ 
+ #include "openconnect.h"
+ 
++/* Equivalent of "/dev/null" on Windows.
++ * See https://stackoverflow.com/a/44163934
++ */
++#ifdef _WIN32
++#define DEVNULL "NUL:"
++#else
++#define DEVNULL "/dev/null"
++#endif
++
+ #if defined(OPENCONNECT_OPENSSL)
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+diff --git a/www/changelog.xml b/www/changelog.xml
+index 1a05eda7..ca90413f 100644
+--- a/www/changelog.xml
++++ b/www/changelog.xml
+@@ -16,6 +16,7 @@
+    <li><b>OpenConnect HEAD</b>
+      <ul>
+        <li>Ignore failures to fetch the NC landing page if the authentication was successful.</li>
++       <li>Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1960763"><i>(RH#1960763)</i></a>.</li>
+      </ul><br/>
+   </li>
+   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>
+-- 
+2.31.1
+
diff --git a/SOURCES/openconnect-9.12.tar.gz.asc b/SOURCES/openconnect-9.12.tar.gz.asc
new file mode 100644
index 0000000..48b7796
--- /dev/null
+++ b/SOURCES/openconnect-9.12.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEvgfZ/VSAmrLEsP9fY3Ys2mfi81kFAmRoemcACgkQY3Ys2mfi
+81naVQ//XPASeJMAl4eDUT49eSXqh2WIzrwdGvWJtk/hgF5ftTjC2bGSQnEnV7Zg
+99jDAAE8ZYh72eaI2Gj7WwyWoqL56xRlI3EQRBOou2Pz1a/9vZsi1JhpbsSMweia
+D+b1v0jS0P0g+7sHYRl/naehyS6u1umtaceiSxg4l3XcobWne4K9b7i2RAPdaTrd
+fNTOSwdXgWXYhZ2yEyd5EF4paBgQgquDQ9WPcUv7NWN+L4xncaKer/0D3IqcFdeP
+B/pB/nN93b6C4BsKPQRyNbWPeikEBd8sbjReLr2ohjA4IH6CPZisAdK6iwhMD2kn
+a2FH7CXxH4imIVv93cq3w59pdMXEIdJ0O4NPEH14T1YTulgfi9+j+45BzTQpLwGA
+sMx0flSEnYgFvC9uthpIu+g5zk+icUSn3iwCa8BC3fn0KP40atzVQLhxYs/kDn5B
+te6rCtzWPLiwcOy/DpRuSUjUTv74Eaa/T6LorKX/JSjOjg5lSPKFq7Sbcw9JN4yy
+m2mXED87JeVyY82O8Mz6DzSAYJ1zY4+B7MZ0D6NbvwqXjNw6zQgYCNJi0Lh/z1VW
+gH1d/7XThjReaaXiDU9sV49hLxxIZnlu7HbyO3Pv+ZlB6GzNj5WW+iPjbf93BF7P
+wGLeDAsU+QIV/GqI/2aySV6jKzksBHMA8IJNhpTEozYUC51zEOI=
+=uYim
+-----END PGP SIGNATURE-----