diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2024-06-11  Vladimir Shabanov  <dev@vshabanov.com>
+
+	* HsOpenSSL.cabal (Version): Bump version to 0.11.7.7
+
+	* Added generic functionality for adding extensions to X509 (#87)
+	by Ishan Sharma @ishan-rep
+
+	* Clear error stack after x509_verify validation failure (#91)
+	by Paolo Capriotti @pcapriotti
+
+	* Add withContextSetKeylogCallback: Allow any type inside action (#85)
+	by Akshay Mankar @akshaymankar
+
 2022-06-19  Vladimir Shabanov  <dev@vshabanov.com>
 
 	* HsOpenSSL.cabal (Version): Bump version to 0.11.7.6
diff --git a/HsOpenSSL.cabal b/HsOpenSSL.cabal
--- a/HsOpenSSL.cabal
+++ b/HsOpenSSL.cabal
@@ -10,7 +10,7 @@
     systems and stable. You may also be interested in the @tls@ package,
     <http://hackage.haskell.org/package/tls>, which is a pure Haskell
     implementation of SSL.
-Version:       0.11.7.6
+Version:       0.11.7.7
 License:       PublicDomain
 License-File:  COPYING
 Author:        Adam Langley, Mikhail Vorozhtsov, PHO, Taru Karttunen
@@ -74,9 +74,9 @@
 Library
     Build-Depends:
         base       >= 4.8 && < 5,
-        bytestring >= 0.9 && < 0.12,
-        network    >= 2.1 && < 3.2,
-        time       >= 1.5 && < 1.13
+        bytestring >= 0.9 && < 0.13,
+        network    >= 2.1 && < 3.3,
+        time       >= 1.5 && < 1.15
 
     Build-Tools: hsc2hs >= 0.67
 
@@ -163,7 +163,7 @@
     Build-Depends:
         HsOpenSSL,
         base                 >= 4.8 && < 5,
-        bytestring           >= 0.9 && < 0.12
+        bytestring           >= 0.9 && < 0.13
     Default-Language:
         Haskell2010
     GHC-Options:
@@ -190,7 +190,7 @@
     Build-Depends:
         HsOpenSSL,
         base                 >= 4.8 && < 5,
-        bytestring           >= 0.9 && < 0.12
+        bytestring           >= 0.9 && < 0.13
     Default-Language:
         Haskell2010
     GHC-Options:
@@ -204,7 +204,7 @@
     Build-Depends:
         HsOpenSSL,
         base                 >= 4.8 && < 5,
-        bytestring           >= 0.9 && < 0.12
+        bytestring           >= 0.9 && < 0.13
     Default-Language:
         Haskell2010
     GHC-Options:
diff --git a/OpenSSL/Session.hsc b/OpenSSL/Session.hsc
--- a/OpenSSL/Session.hsc
+++ b/OpenSSL/Session.hsc
@@ -406,7 +406,7 @@
 --
 -- FIXME: Not re-entrant (ignores previous callback and resets it to
 -- nullFunPtr on exit)
-withContextSetKeylogCallback :: SSLContext -> (String -> IO ()) -> IO () -> IO ()
+withContextSetKeylogCallback :: SSLContext -> (String -> IO ()) -> IO a -> IO a
 withContextSetKeylogCallback context cb action = do
   -- There doesn't seem to be a way to go from 'Ptr SSL_' to 'SSL', so let's
   -- just ignore it in the haskell callback.
diff --git a/OpenSSL/Utils.hs b/OpenSSL/Utils.hs
--- a/OpenSSL/Utils.hs
+++ b/OpenSSL/Utils.hs
@@ -4,11 +4,13 @@
     , failIf
     , failIf_
     , raiseOpenSSLError
+    , clearErrorStack
     , toHex
     , fromHex
     , peekCStringCLen
     )
     where
+import Control.Monad
 import Foreign.C.String
 import Foreign.C.Types
 import Foreign.Ptr
@@ -40,6 +42,12 @@
 
 raiseOpenSSLError :: IO a
 raiseOpenSSLError = getError >>= errorString >>= fail
+
+
+clearErrorStack :: IO ()
+clearErrorStack = do
+  e <- getError
+  when (e /= 0) clearErrorStack
 
 -- | Convert an integer to a hex string
 toHex :: (Num i, Bits i) => i -> String
diff --git a/OpenSSL/X509.hsc b/OpenSSL/X509.hsc
--- a/OpenSSL/X509.hsc
+++ b/OpenSSL/X509.hsc
@@ -5,7 +5,7 @@
 -- |An interface to X.509 certificate.
 module OpenSSL.X509
     ( -- * Type
-      X509
+      X509(..)
     , X509_
 
       -- * Functions to manipulate certificate
@@ -274,7 +274,9 @@
     where
       interpret :: CInt -> IO VerifyStatus
       interpret 1 = return VerifySuccess
-      interpret 0 = return VerifyFailure
+      interpret 0 = do
+        clearErrorStack
+        return VerifyFailure
       interpret _ = raiseOpenSSLError
 
 -- |@'printX509' cert@ translates a certificate into human-readable
diff --git a/OpenSSL/X509/Request.hs b/OpenSSL/X509/Request.hs
--- a/OpenSSL/X509/Request.hs
+++ b/OpenSSL/X509/Request.hs
@@ -32,6 +32,7 @@
     , setPublicKey
 
     , addExtensions
+    , addExtensionToX509
     )
     where
 
@@ -100,6 +101,8 @@
 foreign import capi unsafe "openssl/x509.h X509_REQ_add_extensions"
         _req_add_extensions :: Ptr X509_REQ -> Ptr STACK -> IO CInt
 
+foreign import capi unsafe "openssl/x509.h X509_add_ext"
+    _X509_add_ext :: Ptr Cert.X509_ -> Ptr X509_EXT -> CInt -> IO CInt
 
 -- |@'newX509Req'@ creates an empty certificate request. You must set
 -- the following properties to and sign it (see 'signX509Req') to
@@ -296,3 +299,23 @@
          Cert.setPublicKey   cert =<< getPublicKey req
 
          return cert
+
+-- | Add Extensions to a certificate (when the Server accepting certs requires it)
+-- E.g.:
+--
+-- > addExtensionToX509 cert1 87 "CA:FALSE"
+-- > addExtensionToX509 cert1 85 "critical,serverAuth, clientAuth" -- when this extension field is critical
+--
+addExtensionToX509 :: X509 -> Int -> String -> IO Bool
+addExtensionToX509 (Cert.X509 certFPtr) nid value = do
+    -- Context and config pointers are set to nullPtr for simplicity.
+    -- Depending on your use case, you might need to provide actual values.
+    result <- withForeignPtr certFPtr $ \certPtr ->
+              withCString value $ \cValue -> do
+                  extPtr <- _ext_create nullPtr nullPtr (fromIntegral nid) cValue
+                  if extPtr /= nullPtr
+                      then do
+                          res <- _X509_add_ext certPtr extPtr (-1)  -- Add to the end
+                          return (res == 0)
+                      else return False
+    return result
diff --git a/examples/HelloWorld.hs b/examples/HelloWorld.hs
--- a/examples/HelloWorld.hs
+++ b/examples/HelloWorld.hs
@@ -15,9 +15,9 @@
 
 
 main = withOpenSSL $
-       do putStrLn "cipher: DES-CBC"
-          des <- liftM fromJust $ getCipherByName "DES-CBC"
-
+       do putStrLn "cipher: DES3"
+          des <- liftM fromJust $ getCipherByName "DES3"
+           
           putStrLn "generating RSA keypair..."
           rsa <- generateRSAKey 512 65537 Nothing
 
