diff --git a/changes/bug26116 b/changes/bug26116
new file mode 100644
index 000000000..3bfde74f7
--- /dev/null
+++ b/changes/bug26116
@@ -0,0 +1,7 @@
+  o Minor bugfixes (compatibility, openssl):
+    - Work around a change in OpenSSL 1.1.1 where
+      return values that would previously indicate "no password" now
+      indicate an empty password. Without this workaround, Tor instances
+      running with OpenSSL 1.1.1 would accept descriptors that other Tor
+      instances would reject. Fixes bug 26116; bugfix on 0.2.5.16.
+      
diff --git a/src/common/crypto_rsa.c b/src/common/crypto_rsa.c
index fa572580a..259656810 100644
--- a/src/common/crypto_rsa.c
+++ b/src/common/crypto_rsa.c
@@ -237,7 +237,7 @@ pem_no_password_cb(char *buf, int size, int rwflag, void *u)
   (void)size;
   (void)rwflag;
   (void)u;
-  return 0;
+  return -1;
 }
 
 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>