SSL issues from updated OpenWRT box

I have an application where a device running OpenWRT obtains a broker certificate and then connects to a Mosquitto broker, running the version in the Ubuntu 22.04 repos.

As a test I can connect and subscribe from the command line:
mosquitto_sub -h <host> -p <port> --cafile broker-cert.pem -t '#' -u <user> -P <pass> --insecure

This all worked until I upgraded the OS on my device. As far as I can tell this relates to the OpenSSL version being raised from 1.1.1n to 1.1.1t. mosquitto_sub reports “Protocol error” and mosquitto.log shows

2024-01-25 16:12:09: OpenSSL Error[0]: error:0A000438:SSL routines::tlsv1 alert internal error
2024-01-25 16:12:09: Client <unknown> disconnected: Protocol error.

To be clear this is failing after a full firmware upgrade on the device (a Teltonika TRB255) so it’s possible that something other than the SSL version bump is the issue, but those errors point me in that direction.

Any suggestions on how to debug this?

OpenSSL on the broker’s server is 3.0.2 15. The SSL certs are generated as follows:
openssl req -newkey rsa:2048 -nodes -keyout broker-key.pem -x509 -days 30 -out broker-cert.pem
… with Mosquitto configured with:

  certfile /path/to/broker-cert.pem
  keyfile /path/to/broker-key.pem
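
Added example, not part of the original post: a shell helper that inspects a certificate/key pair like the one generated by the `openssl req` command above, checking key size, remaining validity against the 30-day lifetime, self-signed status, subjectAltName presence, and whether `keyfile` matches `certfile`. The function names and the `broker.example.test` subject are assumptions made for the sample; it identifies properties of the certificate only and does not claim to locate the cause of the reported alert.

```shell
# Added example. Function names are hypothetical; the sample CN is constructed.

# make_sample_cert DIR: the post's command plus -subj so it runs unattended.
make_sample_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/broker-key.pem" \
        -x509 -days 30 -subj "/CN=broker.example.test" \
        -out "$1/broker-cert.pem" 2>/dev/null
}

# cert_key_bits CERT: print the public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_valid_for_days CERT DAYS: succeed if CERT is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_is_self_signed CERT: succeed if subject and issuer are identical.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# cert_has_san CERT: succeed if a subjectAltName extension is present.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# key_matches_cert KEY CERT: succeed if keyfile and certfile share a public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_report CERT KEY: print one line per check.
cert_report() {
    echo "key bits: $(cert_key_bits "$1")"
    cert_valid_for_days "$1" 7 && echo "validity: >7 days" || echo "validity: expires within 7 days"
    cert_is_self_signed "$1" && echo "issuer: self-signed" || echo "issuer: separate CA"
    cert_has_san "$1" && echo "SAN: present" || echo "SAN: absent"
    key_matches_cert "$2" "$1" && echo "key: matches cert" || echo "key: MISMATCH"
}

if [ $# -eq 2 ]; then cert_report "$1" "$2"; fi
```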