untrusted comment: verify with openbsd-65-base.pub
RWSZaRmt1LEQT3TThgQiq2HdT7FAYv5cled4KUjgqIgZTO8TP4k0TyYknYO9o/X0LNPj6f7FAHY0j9s0zcyOGhzr35whT4ycNQs=

OpenBSD 6.5 errata 005, June 10, 2019:

TLS handshake fails if a client supporting TLS 1.3 tries to connect to
an OpenBSD server and sends a key share extension that does not include
X25519.

Apply by doing:
    signify -Vep /etc/signify/openbsd-65-base.pub -x 005_libssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install libssl:
    cd /usr/src/lib/libssl
    make obj
    make
    make install

Index: lib/libssl/ssl_tlsext.c
===================================================================
RCS file: /cvs/src/lib/libssl/ssl_tlsext.c,v
retrieving revision 1.44.2.1
diff -u -p -r1.44.2.1 ssl_tlsext.c
--- lib/libssl/ssl_tlsext.c	15 May 2019 19:25:15 -0000	1.44.2.1
+++ lib/libssl/ssl_tlsext.c	5 Jun 2019 14:26:13 -0000
@@ -1269,7 +1269,6 @@ tlsext_keyshare_server_parse(SSL *s, CBS
 	CBS key_exchange;
 	uint16_t group;
 	size_t out_len;
-	int ret = 0;
 
 	if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
 		goto err;
@@ -1301,11 +1300,9 @@ tlsext_keyshare_server_parse(SSL *s, CBS
 		if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
 		    &out_len))
 			goto err;
-
-		ret = 1;
 	}
 
-	return ret;
+	return 1;
 
  err:
 	*alert = SSL_AD_DECODE_ERROR;