diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix
index f30ead30b3b..29b28e85f86 100644
--- a/pkgs/development/libraries/libressl/default.nix
+++ b/pkgs/development/libraries/libressl/default.nix
@@ -13,7 +13,15 @@ let
 
 nativeBuildInputs = [ cmake ];
 
- cmakeFlags = [ "-DENABLE_NC=ON" "-DBUILD_SHARED_LIBS=ON" ];
+ cmakeFlags = [
+ "-DENABLE_NC=ON"
+ "-DBUILD_SHARED_LIBS=ON"
+ # Ensure that the output libraries do not require an executable stack.
+ # Without this define, assembly files in libcrypto do not include a
+ # .note.GNU-stack section, and if that section is missing from any object,
+ # the linker will make the stack executable.
+ "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
+ ];
 
 # The autoconf build is broken as of 2.9.1, resulting in the following error:
 # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
@@ -23,15 +31,6 @@ let
 rm configure
 '';
 
- # Ensure that the output libraries do not require an executable stack.
- # Without this, libcrypto would be built with the executable stack flag set.
- # For GCC the flag is '-z noexecstack'. Clang, which is used on Darwin,
- # expects '--noexecstack'. Execstack is an ELF thing, so it is not needed
- # on Darwin.
- NIX_LDFLAGS = if stdenv.isDarwin
- then []
- else ["-z" "noexecstack"];
-
 enableParallelBuilding = true;
 
 outputs = [ "bin" "dev" "out" "man" "nc" ];
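Review bot: Nothing in either hunk checks that the installed libraries really end up without an executable stack, and the second hunk removes the only enforcement (`NIX_LDFLAGS` with `"-z" "noexecstack"`) that did not depend on how each object was built. With `-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK` the result relies on every assembly source honouring that define, so a source added upstream without the `.note.GNU-stack` guard would silently bring the executable stack back, as the added comment itself describes. I would add an install check that inspects the `GNU_STACK` program header of the built shared objects and fails the build on `RWE`, as sketched below (the library paths are assumed; confirm them against the actual outputs). Separately, passing `-DCMAKE_C_FLAGS=` on the command line sets the whole variable, so it is worth confirming that no other C flags were expected to arrive through it. The derivation body starts and ends outside these hunks.

```nix
    enableParallelBuilding = true;

    # Fail the build if any installed shared library asks for an executable
    # stack. GNU_STACK is an ELF program header, so skip the check on Darwin.
    doInstallCheck = !stdenv.isDarwin;
    installCheckPhase = ''
      for lib in $out/lib/*.so; do
        if readelf -lW "$lib" | grep GNU_STACK | grep -q RWE; then
          echo "$lib requires an executable stack" >&2
          exit 1
        fi
      done
    '';
    # … unchanged: outputs and the rest of the derivation …
```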