diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 7775d2f1fda78..0b30f3cd3efb3 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -910,6 +910,7 @@ in {
 rsyslogd = handleTest ./rsyslogd.nix {};
 rtkit = runTest ./rtkit.nix;
 rtorrent = handleTest ./rtorrent.nix {};
+ rustls-libssl = handleTest ./rustls-libssl.nix {};
 rxe = handleTest ./rxe.nix {};
 sabnzbd = handleTest ./sabnzbd.nix {};
 samba = handleTest ./samba.nix {};
diff --git a/nixos/tests/rustls-libssl.nix b/nixos/tests/rustls-libssl.nix
new file mode 100644
index 0000000000000..079fa52435bc0
--- /dev/null
+++ b/nixos/tests/rustls-libssl.nix
@@ -0,0 +1,92 @@
+import ./make-test-python.nix (
+ { pkgs, lib, ... }:
+ let
+ caCert = builtins.readFile ./common/acme/server/ca.cert.pem;
+ certPath = ./common/acme/server/acme.test.cert.pem;
+ keyPath = ./common/acme/server/acme.test.key.pem;
+ hosts = ''
+ 192.168.2.101 acme.test
+ '';
+ in
+ {
+ name = "rustls-libssl";
+ meta.maintainers = with pkgs.lib.maintainers; [
+ stephank
+ cpu
+ ];
+
+ nodes = {
+ server =
+ { lib, pkgs, ... }:
+ {
+ networking = {
+ interfaces.eth1 = {
+ ipv4.addresses = [
+ {
+ address = "192.168.2.101";
+ prefixLength = 24;
+ }
+ ];
+ };
+ extraHosts = hosts;
+ firewall.allowedTCPPorts = [ 443 ];
+ };
+
+ security.pki.certificates = [ caCert ];
+
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxMainline.override {
+ openssl = pkgs.rustls-libssl;
+ modules = [ ]; # slightly reduces the size of the build
+ };
+
+ # Hardcoded sole input accepted by rustls-libssl.
+ sslCiphers = "HIGH:!aNULL:!MD5";
+
+ virtualHosts."acme.test" = {
+ onlySSL = true;
+ sslCertificate = certPath;
+ sslCertificateKey = keyPath;
+ http2 = true;
+ reuseport = true;
+ root = lib.mkForce (
+ pkgs.runCommandLocal "testdir" { } ''
+ mkdir "$out"
+ cat > "$out/index.html" <Hello World!
+ EOF
+ ''
+ );
+ };
+ };
+ };
+
+ client =
+ { pkgs, ... }:
+ {
+ environment.systemPackages = [ pkgs.curlHTTP3 ];
+ networking = {
+ interfaces.eth1 = {
+ ipv4.addresses = [
+ {
+ address = "192.168.2.201";
+ prefixLength = 24;
+ }
+ ];
+ };
+ extraHosts = hosts;
+ };
+
+ security.pki.certificates = [ caCert ];
+ };
+ };
+
+ testScript = ''
+ start_all()
+ server.wait_for_open_port(443)
+ client.succeed("curl --verbose --http1.1 https://acme.test | grep 'Hello World!'")
+ client.succeed("curl --verbose --http2-prior-knowledge https://acme.test | grep 'Hello World!'")
+ '';
+ }
+)
diff --git a/pkgs/by-name/ru/rustls-libssl/package.nix b/pkgs/by-name/ru/rustls-libssl/package.nix
new file mode 100644
index 0000000000000..8f5745edd13b1
--- /dev/null
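Review bot: `security.pki.certificates = [ caCert ];` is also set on the server node, yet nothing in the server configuration verifies a peer certificate (the vhost sets no client-certificate options), so only `client` needs to trust the test CA; dropping that line from `server` keeps the node under test to the minimum trust it needs. The comment on `sslCiphers` states that `HIGH:!aNULL:!MD5` is the only value rustls-libssl accepts; if that is the intended contract, a short negative check that nginx refuses a different cipher string would pin it, though that may be beyond the scope of a smoke test.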
+++ b/pkgs/by-name/ru/rustls-libssl/package.nix 
@@ -0,0 +1,91 @@
+{
+ lib,
+ stdenv,
+ llvmPackages,
+ rustPlatform,
+ fetchFromGitHub,
+ pkg-config,
+ openssl,
+ nixosTests,
+}:
+
+let
+ version = "0.2.1";
+ target = stdenv.hostPlatform.rust.rustcTargetSpec;
+ libExt = stdenv.hostPlatform.extensions.sharedLibrary;
+in
+rustPlatform.buildRustPackage {
+ pname = "rustls-libssl";
+ inherit version;
+
+ src = fetchFromGitHub {
+ owner = "rustls";
+ repo = "rustls-openssl-compat";
+ rev = "v/${version}";
+ hash = "sha256-/QSFrkFVSRBmpXHc80dJFnYwvVYceAFnoCtmAGtnmqo=";
+ };
+
+ # NOTE: No longer necessary in the next release.
+ sourceRoot = "source/rustls-libssl";
+
+ cargoHash = "sha256-Yyrs2eN4QTGGD7A+VM1YkdsIRUh3laZac3rsJThjTXM=";
+
+ nativeBuildInputs = [
+ pkg-config # for openssl-sys
+ llvmPackages.lld # build.rs specifies LLD as linker
+ ];
+ buildInputs = [
+ openssl
+ ];
+
+ preCheck = ''
+ # tests dlopen libcrypto.so.3
+ export LD_LIBRARY_PATH=${lib.makeLibraryPath [ openssl ]}
+ '';
+
+ # rustls-libssl normally wants to be swapped in for libssl, and reuses
+ # libcrypto. Here, we accomplish something similar by symlinking most of
+ # OpenSSL, replacing only libssl.
+ outputs = [
+ "out"
+ "dev"
+ ];
+ installPhase = ''
+ mkdir -p $out/lib $dev/lib/pkgconfig
+
+ mv target/${target}/release/libssl${libExt} $out/lib/libssl${libExt}.3
+ ln -s libssl${libExt}.3 $out/lib/libssl${libExt}
+
+ ln -s ${openssl.out}/lib/libcrypto${libExt}.3 $out/lib/
+ ln -s libcrypto${libExt}.3 $out/lib/libcrypto${libExt}
+
+ if [[ -e ${openssl.out}/lib/engines-3 ]]; then
+ ln -s ${openssl.out}/lib/engines-3 $out/lib/
+ fi
+ if [[ -e ${openssl.out}/lib/ossl-modules ]]; then
+ ln -s ${openssl.out}/lib/ossl-modules $out/lib/
+ fi
+
+ ln -s ${openssl.dev}/include $dev/
+
+ cp ${openssl.dev}/lib/pkgconfig/*.pc $dev/lib/pkgconfig/
+ sed -i \
+ -e "s|${openssl.out}|$out|g" \
+ -e "s|${openssl.dev}|$dev|g" \
+ $dev/lib/pkgconfig/*.pc
+ '';
+
+ passthru.tests = nixosTests.rustls-libssl;
+
+ meta = {
+ description = "Partial reimplementation of the OpenSSL 3 libssl ABI using rustls";
+ homepage = "https://github.com/rustls/rustls-openssl-compat";
+ changelog = "https://github.com/rustls/rustls-openssl-compat/releases";
+ license = lib.licenses.asl20;
+ platforms = lib.platforms.linux;
+ maintainers = with lib.maintainers; [
+ stephank
+ cpu
+ ];
+ };
+}
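Review bot: The installPhase comment explaining that only libssl is replaced while libcrypto, the headers and the `.pc` files are OpenSSL's should also reach users through `meta`, because the companion test in this commit notes that `HIGH:!aNULL:!MD5` is the sole cipher string rustls-libssl accepts, so existing OpenSSL cipher-string or option settings in consumers will presumably be rejected rather than honoured. A `meta.longDescription` along the lines of `"libssl.so.3 backed by rustls; libcrypto, headers and pkg-config files are symlinked from OpenSSL, and OpenSSL cipher-string and SSL option configuration is largely not honoured."` would make that visible before someone swaps it into a service. Since `$dev/include` is a symlink to the complete OpenSSL header set, consumers compile against the full OpenSSL API while the runtime libssl is partial, so calls into functions this library does not implement would presumably surface only at link or run time, which is worth a sentence in the same description. A short comment above the `sed -i` explaining why the copied `.pc` files are rewritten (so that `-lssl` via pkg-config resolves to this output rather than OpenSSL's) would also help the next maintainer.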