diff --git a/conanfile.py b/conanfile.py
index 14275013..379b23f5 100644
--- a/conanfile.py
+++ b/conanfile.py
@@ -35,7 +35,7 @@ def requirements(self):
 self.requires("klib/2021-04-06@adguard_team/native_libs_common", transitive_headers=True)
 self.requires("ldns/2021-03-29@adguard_team/native_libs_common", transitive_headers=True)
 self.requires("magic_enum/0.9.5", transitive_headers=True)
- self.requires("native_libs_common/6.1.8@adguard_team/native_libs_common", transitive_headers=True)
+ self.requires("native_libs_common/6.1.11@adguard_team/native_libs_common", transitive_headers=True)
 self.requires("ngtcp2/1.0.1@adguard_team/native_libs_common", transitive_headers=True)
 self.requires("pcre2/10.37@adguard_team/native_libs_common", transitive_headers=True)
 self.requires("tldregistry/2022-12-26@adguard_team/native_libs_common", transitive_headers=True)
diff --git a/net/tls_codec.cpp b/net/tls_codec.cpp
index 5e21f027..2d628419 100644
--- a/net/tls_codec.cpp
+++ b/net/tls_codec.cpp
@@ -36,6 +36,9 @@ Error TlsCodec::connect(const std::string &sni, std::vector<
 ag::UniquePtr ctx{SSL_CTX_new(TLS_client_method())};
 SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_PEER, nullptr);
 SSL_CTX_set_cert_verify_callback(ctx.get(), ssl_verify_callback, this);
+#ifdef OPENSSL_IS_BORINGSSL
+ SSL_CTX_set_permute_extensions(ctx.get(), true);
+#endif // OPENSSL_IS_BORINGSSL
 TlsSessionCache::prepare_ssl_ctx(ctx.get());
 m_ssl.reset(SSL_new(ctx.get()));
diff --git a/upstream/upstream_doh.cpp b/upstream/upstream_doh.cpp
index c7e5639c..9dee905b 100644
--- a/upstream/upstream_doh.cpp
+++ b/upstream/upstream_doh.cpp
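Review bot: The new `SSL_CTX_set_permute_extensions(ctx.get(), true)` call in `TlsCodec::connect` has no comment saying why it is there, and the same unexplained block is repeated in the upstream_doh.cpp and upstream_doq.cpp hunks. It changes the ClientHello layout on the wire only in BoringSSL builds, so I would add a comment above the `#ifdef` such as `// BoringSSL only: permute ClientHello extension order; other TLS backends keep a fixed order`. The comment should also state the motivation, which is presumably to make the handshake harder to fingerprint, but that should be confirmed with the author. The parameter is an `int`, so `1` reads more naturally than `true`. The rest of `connect` lies outside the hunk, so it is not visible here whether the context is checked for null before these calls.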
@@ -1140,6 +1140,7 @@ ag::coro::Task> ag::dns::DohUpstream::Http3Connecti
 SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), on_certificate_verify, this);
 TlsSessionCache::prepare_ssl_ctx(ssl_ctx.get());
 #ifdef OPENSSL_IS_BORINGSSL
+ SSL_CTX_set_permute_extensions(ssl_ctx.get(), true);
 if (0 != ngtcp2_crypto_boringssl_configure_client_context(ssl_ctx.get()))
 #else
 if (0 != ngtcp2_crypto_quictls_configure_client_context(ssl_ctx.get()))
diff --git a/upstream/upstream_doq.cpp b/upstream/upstream_doq.cpp
index 9534a4a6..5ac1c046 100644
--- a/upstream/upstream_doq.cpp
+++ b/upstream/upstream_doq.cpp
@@ -855,6 +855,9 @@ int DoqUpstream::init_ssl_ctx() {
 // setup our verifier
 SSL_CTX_set_verify(m_ssl_ctx.get(), SSL_VERIFY_PEER, nullptr);
 SSL_CTX_set_cert_verify_callback(m_ssl_ctx.get(), DoqUpstream::ssl_verify_callback, nullptr);
+#ifdef OPENSSL_IS_BORINGSSL
+ SSL_CTX_set_permute_extensions(m_ssl_ctx.get(), true);
+#endif // OPENSSL_IS_BORINGSSL
 TlsSessionCache::prepare_ssl_ctx(m_ssl_ctx.get());
 return 0;
 }
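Review bot: In the upstream_doh.cpp hunk the call is placed differently from the other two sites: it sits inside the existing `#ifdef OPENSSL_IS_BORINGSSL` that selects the `if (0 != ngtcp2_crypto_boringssl_configure_client_context(ssl_ctx.get()))` head, and after `TlsSessionCache::prepare_ssl_ctx`. In tls_codec.cpp and upstream_doq.cpp it has its own guarded block before that call. Making the three sites identical, with a separate `#ifdef`/`#endif` directly after `SSL_CTX_set_cert_verify_callback(...)`, would make it easier to audit that every TLS context gets the same setting. It would also leave the existing preprocessor branch doing only one thing, choosing the ngtcp2 configure function. The enclosing function starts and ends outside the hunk.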