diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
index 99b5b012c2..e9a287e234 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
@@ -1,7 +1,2 @@
-DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
-DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
-DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
 DIST openssl-1.1.1i-bindist-1.0.tar.xz 18124 BLAKE2B bcbce700676d1d61498ac98281b7ad06f9970d91afa6bfb2c259ab7462b2554be79a1c06759bc7aaeca9948c2f5276bac2c4f42dbc6822669f863444b9913ccd SHA512 1dbb81bcb4cf7e634bb363c7e2bb2590a1fe3fcb6c3b5e377cac3c5241abd116c2a89c516be8e5fd1799ab64375a58052a4df944eeadc87b0b7785da710906d8
-DIST openssl-1.1.1i.tar.gz 9808346 BLAKE2B ca98bab08e1874134da113dd0bda0583c133c7dce5b739f9601641ed2cf97894e5e13d901f0db9367aa5d7b78c552ac598aa0a3c2a3f0a438daae044e29f58d6 SHA512 fe12e0ab9e1688f24dd862ac633d0ab703b499c0f34b53c3560aa0d3879d81d647aa0678ed517dda5efb2711f669fcb1a1e0e24f6eac2efc2cf4eae6b62014d8
-DIST openssl-1.1.1j.tar.gz 9823161 BLAKE2B e5699abeca83acd82546e74a0645f2a765d51f22226f8c537d92285eb0b11e12b0a9476cbd3cb6a594e9840433d713be39884fb4dcd5c3968b36ad4f582ed23a SHA512 51e44995663b5258b0018bdc1e2b0e7e8e0cce111138ca1f80514456af920fce4e409a411ce117c0f3eb9190ac3e47c53a43f39b06acd35b7494e2bec4a607d5
-DIST openssl-1.1.1k.tar.gz 9823400 BLAKE2B e9bd90f17bc819c4960d07bbee04346e8a7adb87a764a09d033ef76f1d638c67b180c4f2beb84ec25fbff54ccc9c14c13b9b16a27cac231a5dd22b02635d5cec SHA512 73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121
+DIST openssl-1.1.1l.tar.gz 9834044 BLAKE2B 9e8739015db63a013c05587e3d164d67c3f65f1f6c5fc75e4592bcd038c036cde88a7bc95fbc1f1b4ed876f6124ca4dabcd4f5dbb45d1b84299f2efe1a59431a SHA512 d9611f393e37577cca05004531388d3e0ebbf714894cab9f95f4903909cd4f45c214faab664c0cbc3ad3cca309d500b9e6d0ecbf9a0a0588d1677dc6b047f9e0
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch
new file mode 100644
index 0000000000..c94b0323eb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch
@@ -0,0 +1,61 @@
+From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Thu, 29 Aug 2019 13:56:21 -0700
+Subject: [PATCH] Add support for io_pgetevents_time64 syscall
+
+32-bit architectures that are y2038 safe don't include syscalls that use
+32-bit time_t. Instead these architectures have suffixed syscalls that
+always use a 64-bit time_t. In the case of the io_getevents syscall the
+syscall has been replaced with the io_pgetevents_time64 syscall instead.
+
+This patch changes the io_getevents() function to use the correct
+syscall based on the avaliable syscalls and the time_t size. We will
+only use the new 64-bit time_t syscall if the architecture is using a
+64-bit time_t. This is to avoid having to deal with 32/64-bit
+conversions and relying on a 64-bit timespec struct on 32-bit time_t
+platforms. As of Linux 5.3 there are no 32-bit time_t architectures
+without __NR_io_getevents. In the future if a 32-bit time_t architecture
+wants to use the 64-bit syscalls we can handle the conversion.
+
+This fixes build failures on 32-bit RISC-V.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9819)
+---
+ engines/e_afalg.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/engines/e_afalg.c b/engines/e_afalg.c
+index dacbe358cb..99516cb1bb 100644
+--- a/engines/e_afalg.c
++++ b/engines/e_afalg.c
+@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
+                                struct io_event *events,
+                                struct timespec *timeout)
+ {
++#if defined(__NR_io_getevents)
+     return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
++#elif defined(__NR_io_pgetevents_time64)
++    /* Let's only support the 64 suffix syscalls for 64-bit time_t.
++     * This simplifies the code for us as we don't need to use a 64-bit
++     * version of timespec with a 32-bit time_t and handle converting
++     * between 64-bit and 32-bit times and check for overflows.
++     */
++    if (sizeof(timeout->tv_sec) == 8)
++        return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
++    else {
++        errno = ENOSYS;
++        return -1;
++    }
++#else
++# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
++#endif
+ }
+ 
+ static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
+-- 
+2.26.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml
index 5ca8d93d2f..350be7c07b 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml
@@ -8,9 +8,11 @@
 <use>
  <flag name="asm">Support assembly hand optimized crypto functions (i.e. faster run time)</flag>
  <flag name="bindist">Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI</flag>
+ <flag name="ktls">Enable support for Kernel implementation of TLS (kTLS)</flag>
  <flag name="rfc3779">Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)</flag>
  <flag name="sslv2">Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https</flag>
  <flag name="sslv3">Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https</flag>
+ <flag name="tls-compression">Enable support for discouraged TLS compression</flag>
  <flag name="tls-heartbeat">Enable the Heartbeat Extension in TLS and DTLS</flag>
 </use>
 <upstream>
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1k.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1l.ebuild
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1k.ebuild
rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1l.ebuild
index 3ff96d1c98..3a94b0df1f 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1k.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1l.ebuild
@@ -3,7 +3,7 @@
 
 EAPI="7"
 
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal systemd
+inherit flag-o-matic toolchain-funcs multilib-minimal systemd
 
 MY_P=${P/_/-}
 
@@ -27,13 +27,13 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
 LICENSE="openssl"
 SLOT="0/1.1" # .so version of libssl/libcrypto
 [[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
+KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla"
 RESTRICT="
 	!test? ( test )"
 
 RDEPEND=">=app-misc/c_rehash-1.7-r1
-	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
 DEPEND="${RDEPEND}"
 BDEPEND="
 	>=dev-lang/perl-5
@@ -47,6 +47,7 @@ PDEPEND="app-misc/ca-certificates"
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+	"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
 )
 
 S="${WORKDIR}/${MY_P}"
@@ -62,7 +63,7 @@ pkg_setup() {
 	[[ ${MERGE_TYPE} == binary ]] && return
 
 	# must check in pkg_setup; sysctl don't work with userpriv!
-	if has test ${FEATURES} && use sctp; then
+	if use test && use sctp; then
 		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
 		# if sctp.auth_enable is not enabled.
 		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
@@ -116,7 +117,7 @@ src_prepare() {
 
 	eapply_user #332661
 
-	if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
+	if use test && use sctp && has network-sandbox ${FEATURES}; then
 		ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
 		rm test/recipes/80-test_ssl_new.t || die
 		eend $?
@@ -221,8 +222,8 @@ multilib_src_configure() {
 		$(use_ssl asm) \
 		$(use_ssl rfc3779) \
 		$(use_ssl sctp) \
+		$(use_ssl tls-compression zlib) \
 		$(use_ssl tls-heartbeat heartbeats) \
-		$(use_ssl zlib) \
 		--prefix="${EPREFIX}"/usr \
 		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
 		--libdir=$(get_libdir) \
@@ -269,6 +270,15 @@ multilib_src_install() {
 	fi
 
 	emake DESTDIR="${D}" install
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs.  But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
 }
 
 multilib_src_install_all() {
@@ -278,13 +288,6 @@ multilib_src_install_all() {
 
 	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
 
-	# This is crappy in that the static archives are still built even
-	# when USE=static-libs.  But this is due to a failing in the openssl
-	# build system: the static archives are built as PIC all the time.
-	# Only way around this would be to manually configure+compile openssl
-	# twice; once with shared lib support enabled and once without.
-	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
 	# Namespace openssl programs to prevent conflicts with other man pages
 	cd "${ED}"/usr/share/man || die
 	local m d s
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask
index dcd8a72487..7ab0928e31 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask
@@ -1,5 +1,5 @@
 # Overwrite outdated portage-stable mask
-=dev-libs/openssl-1.1.1k
+=dev-libs/openssl-1.1.1l
 
 # Overwrite portage-stable mask - this package was removed in
 # gentoo. We still need it, since sys-libs/libsemanage still requires