This solved the vulnerability, and opens the door to using non-OpenSSL signature verification in the near future.

Great work!

It also means the remaining usages of OpenSSL can be safely replaced with something like LibreSSL or (perhaps better) BoringSSL.