diff --git a/debian/patches/backend-Handle-ERROR_WANT_-READ-WRITE-from-ssl-reads.patch b/debian/patches/backend-Handle-ERROR_WANT_-READ-WRITE-from-ssl-reads.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b61dfdbbd901606f8dccc2465257ddb1c296a534
--- /dev/null
+++ b/debian/patches/backend-Handle-ERROR_WANT_-READ-WRITE-from-ssl-reads.patch
@@ -0,0 +1,47 @@
+From: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
+Date: Mon, 13 Mar 2017 12:37:01 +0100
+Subject: [backend] Handle ERROR_WANT_{READ,WRITE} from ssl reads
+
+Upon a read SSLeay can return with either ERROR_WANT_READ or
+ERROR_WANT_WRITE to indicate the same function needs to be called again
+(e.g. due to underlying protocol handling having been done, but no data
+ yet for the API user). Handle this by modelling it as an EINTR errno,
+ such that the higher layers will retry the read.
+
+This fixes some issue we hit when using an https repository for DoD.
+
+Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
+---
+ src/backend/BSSSL.pm | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/backend/BSSSL.pm b/src/backend/BSSSL.pm
+index 5045fe0..eb1e4e3 100644
+--- a/src/backend/BSSSL.pm
++++ b/src/backend/BSSSL.pm
+@@ -24,6 +24,7 @@
+ 
+ package BSSSL;
+ 
++use POSIX;
+ use Socket;
+ use Net::SSLeay;
+ 
+@@ -94,7 +95,16 @@ sub READLINE {
+ sub READ {
+   my ($sslr, undef, $len, $offset) = @_;
+   my $buf = \$_[1];
+-  my $r = Net::SSLeay::read($sslr->[0], $len);
++  print "length $len\n";
++  my ($r, $rv, $code);
++  ($r, $rv)  = Net::SSLeay::read($sslr->[0]);
++  if ($rv < 0) {
++        $code = Net::SSLeay::get_error($sslr->[0], $rv);
++        if ($code == &Net::SSLeay::ERROR_WANT_READ || $code == &Net::SSLeay::ERROR_WANT_WRITE) {
++          $! = POSIX::EINTR;
++        }
++  }
++
+   return undef unless defined $r;
+   return length($$buf = $r) unless defined $offset;
+   my $bl = length($$buf);
diff --git a/debian/patches/backend-Support-https-urls-for-package-downloads.patch b/debian/patches/backend-Support-https-urls-for-package-downloads.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b8f4545ed63e95314f680a0baecd1381e413ed2b
--- /dev/null
+++ b/debian/patches/backend-Support-https-urls-for-package-downloads.patch
@@ -0,0 +1,25 @@
+From: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
+Date: Mon, 13 Mar 2017 12:37:51 +0100
+Subject: [backend] Support https urls for package downloads
+
+Enable support for https downloads via the BSWatcher module, such that
+the repserver can pull package down from https repositories.
+
+Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
+---
+ src/backend/bs_repserver | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/backend/bs_repserver b/src/backend/bs_repserver
+index 6c52647..b61950b 100755
+--- a/src/backend/bs_repserver
++++ b/src/backend/bs_repserver
+@@ -55,7 +55,7 @@ use BSXML;
+ use BSVerify;
+ use BSHandoff;
+ use Build;
+-use BSWatcher;
++use BSWatcher ":https";
+ use BSStdServer;
+ use BSXPath;
+ use BSXPathKeys;
diff --git a/debian/patches/series b/debian/patches/series
index 13dd14a6994d989943c22358414075f9f9ff1fb6..0c2b3327af5080b9d1d15da6b8a2264f88f393a5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,5 @@ publisher_reprepro_set_surprising_binary.patch
 Add-support-for-md5-and-sha256-cypted-passwords.patch
 Put-binary-uploads-in-architecture-dependent-subdirectori.patch
 Correct-reprepro-argument-to-match-current-version.patch
+backend-Handle-ERROR_WANT_-READ-WRITE-from-ssl-reads.patch
+backend-Support-https-urls-for-package-downloads.patch