diff --git a/configure.ac b/configure.ac
index 5dabc80f..cf6286dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,498 +1,501 @@
 #
 # Copyright (C) 2010-2017 Red Hat, Inc.  All rights reserved.
 #
 # Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
 #          Federico Simoncelli <fsimon@kronosnet.org>
 #
 # This software licensed under GPL-2.0+, LGPL-2.0+
 #
 
 #                                               -*- Autoconf -*-
 # Process this file with autoconf to produce a configure script.
 #
 
 AC_PREREQ([2.63])
 AC_INIT([kronosnet],
 	m4_esyscmd([build-aux/git-version-gen .tarball-version]),
 	[devel@lists.kronosnet.org])
 AC_USE_SYSTEM_EXTENSIONS
 AM_INIT_AUTOMAKE([1.11.1 dist-bzip2 dist-xz color-tests -Wno-portability subdir-objects])
 LT_PREREQ([2.2.6])
 LT_INIT
 
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_SRCDIR([kronosnetd/main.c])
 AC_CONFIG_HEADERS([config.h])
 
 AC_CANONICAL_HOST
 AC_PROG_LIBTOOL
 
 AC_LANG([C])
 
 systemddir=${prefix}/lib/systemd/system
 
 if test "$prefix" = "NONE"; then
 	prefix="/usr"
 	if test "$localstatedir" = "\${prefix}/var"; then
 		localstatedir="/var"
 	fi
 	if test "$sysconfdir" = "\${prefix}/etc"; then
 		sysconfdir="/etc"
 	fi
 	if test "$systemddir" = "NONE/lib/systemd/system"; then
 		systemddir=/lib/systemd/system
 	fi
 	if test "$libdir" = "\${exec_prefix}/lib"; then
 		if test -e /usr/lib64; then
 			libdir="/usr/lib64"
 		else
 			libdir="/usr/lib"
 		fi
 	fi
 fi
 
 # Checks for programs.
 if ! ${MAKE-make} --version /cannot/make/this >/dev/null 2>&1; then
 	AC_MSG_ERROR(["you don't seem to have GNU make; it is required"])
 fi
 
 AC_PROG_AWK
 AC_PROG_GREP
 AC_PROG_SED
 AC_PROG_CPP
 AC_PROG_CC
 AC_PROG_CC_C99
 if test "x$ac_cv_prog_cc_c99" = "xno"; then
 	AC_MSG_ERROR(["C99 support is required"])
 fi
 AC_PROG_LN_S
 AC_PROG_INSTALL
 AC_PROG_MAKE_SET
 AC_PROG_CXX
 AC_PROG_RANLIB
 AC_CHECK_PROGS([PUBLICAN], [publican], [:])
 AC_CHECK_PROGS([PKGCONFIG], [pkg-config])
 
 AC_ARG_ENABLE([libknet-sctp],
 	[  --disable-libknet-sctp            : disable libknet SCTP support ],,
 	[ enable_libknet_sctp="yes" ])
 AM_CONDITIONAL([BUILDSCTP], [test x$enable_libknet_sctp = xyes])
 
 AC_ARG_ENABLE([crypto-all],
 	[  --disable-crypto-all              : disable libknet all crypto modules support ],,
 	[ enable_crypto_all="yes" ])
 
 AC_ARG_ENABLE([crypto-nss],
 	[  --disable-crypto-nss              : disable libknet nss support ],,
 	[ enable_crypto_nss="$enable_crypto_all" ])
 AM_CONDITIONAL([BUILDCRYPTONSS], [test x$enable_crypto_nss = xyes])
 
 AC_ARG_ENABLE([crypto-openssl],
 	[  --disable-crypto-openssl          : disable libknet openssl support ],,
 	[ enable_crypto_openssl="$enable_crypto_all" ])
 AM_CONDITIONAL([BUILDCRYPTOOPENSSL], [test x$enable_crypto_openssl = xyes])
 
 AC_ARG_ENABLE([compress-all],
 	[  --disable-compress-all            : disable libknet all compress modules support ],,
 	[ enable_compress_all="yes" ])
 
 AC_ARG_ENABLE([compress-zlib],
 	[  --disable-compress-zlib           : disable libknet zlib support ],,
 	[ enable_compress_zlib="$enable_compress_all" ])
 AM_CONDITIONAL([BUILDCOMPZLIB], [test x$enable_compress_zlib = xyes])
 
 AC_ARG_ENABLE([compress-lz4],
 	[  --disable-compress-lz4            : disable libknet lz4 support ],,
 	[ enable_compress_lz4="$enable_compress_all" ])
 AM_CONDITIONAL([BUILDCOMPLZ4], [test x$enable_compress_lz4 = xyes])
 
 AC_ARG_ENABLE([compress-lzo2],
 	[  --disable-compress-lzo2           : disable libknet lzo2 support ],,
 	[ enable_compress_lzo2="$enable_compress_all" ])
 AM_CONDITIONAL([BUILDCOMPLZO2], [test x$enable_compress_lzo2 = xyes])
 
 AC_ARG_ENABLE([compress-lzma],
 	[  --disable-compress-lzma           : disable libknet lzma support ],,
 	[ enable_compress_lzma="$enable_compress_all" ])
 AM_CONDITIONAL([BUILDCOMPLZMA], [test x$enable_compress_lzma = xyes])
 
 AC_ARG_ENABLE([compress-bzip2],
 	[  --disable-compress-bzip2          : disable libknet bzip2 support ],,
 	[ enable_compress_bzip2="$enable_compress_all" ])
 AM_CONDITIONAL([BUILDCOMPBZIP2], [test x$enable_compress_bzip2 = xyes])
 
 AC_ARG_ENABLE([poc],
 	[  --disable-poc                     : disable building poc code ],,
 	[ enable_poc="yes" ])
 AM_CONDITIONAL([BUILD_POC], [test x$enable_poc = xyes])
 
 AC_ARG_ENABLE([kronosnetd],
 	[  --enable-kronosnetd               : Kronosnetd support ],,
 	[ enable_kronosnetd="no" ])
 AM_CONDITIONAL([BUILD_KRONOSNETD], [test x$enable_kronosnetd = xyes])
 
 AC_ARG_ENABLE([libtap],
 	[  --enable-libtap                   : libtap support ],,
 	[ enable_libtap="no" ])
 
 if test "x$enable_kronosnetd" = xyes; then
 	enable_libtap=yes
 fi
 AM_CONDITIONAL([BUILD_LIBTAP], [test x$enable_libtap = xyes])
 
 ## local helper functions
 # this function checks if CC support options passed as
 # args. Global CFLAGS are ignored during this test.
 cc_supports_flag() {
 	saveCPPFLAGS="$CPPFLAGS"
 	CPPFLAGS="$@"
 	if echo $CC | grep -q clang; then
 		CPPFLAGS="-Werror $CPPFLAGS"
 	fi
 	AC_MSG_CHECKING([whether $CC supports "$@"])
 	AC_PREPROC_IFELSE([AC_LANG_PROGRAM([])],
 			  [RC=0; AC_MSG_RESULT([yes])],
 			  [RC=1; AC_MSG_RESULT([no])])
 	CPPFLAGS="$saveCPPFLAGS"
 	return $RC
 }
 
 # helper macro to check libs without adding them to LIBS
 check_lib_no_libs() {
 	lib_no_libs_arg1=$1
 	shift
 	lib_no_libs_arg2=$1
 	shift
 	lib_no_libs_args=$@
 	AC_CHECK_LIB([$lib_no_libs_arg1],
 		     [$lib_no_libs_arg2],,,
 		     [$lib_no_libs_args])
         LIBS=$ac_check_lib_save_LIBS
 }
 
 # Checks for C features
 AC_C_INLINE
 
 # Checks for libraries.
 AC_CHECK_LIB([pthread], [pthread_create], [AC_SUBST([pthread_LIBS], [-lpthread])], [AC_MSG_ERROR([kronosnet requires pthread library])])
 AC_CHECK_LIB([m], [ceil], [AC_SUBST([m_LIBS], [-lm])], [AC_MSG_ERROR([kronosnet requires m library])])
 AC_CHECK_LIB([rt], [clock_gettime], [AC_SUBST([rt_LIBS], [-lrt])], [AC_MSG_ERROR([kronosnet requires rt library])])
 
 AC_SEARCH_LIBS([dlopen], [dl dld], [AC_SUBST([dl_LIBS], [$ac_res])], [AC_MSG_ERROR([kronosnet requires dl library])])
 
 # workaround pkg-config bootstrapping
 PKG_CHECK_MODULES([foobarbaz],[foobarbaz], [AC_MSG_NOTICE([bootstrapping pkg-config])], [AC_MSG_NOTICE([bootstrapping pkg-config])])
 
 # crypto libraries checks
 if test "x$enable_crypto_nss" = xyes; then
 	PKG_CHECK_MODULES([nss],[nss])
 	AC_DEFINE_UNQUOTED([BUILDCRYPTONSS], [1], [Enable nss crypto])
 fi
 
 if test "x$enable_crypto_openssl" = xyes; then
-	PKG_CHECK_MODULES([openssl],[openssl])
+	PKG_CHECK_MODULES([openssl],[openssl < 1.1],
+			  [AC_DEFINE_UNQUOTED([BUILDCRYPTOOPENSSL10], [1], [openssl 1.0 crypto])],
+			  [PKG_CHECK_MODULES([openssl],[openssl >= 1.1],
+					     [AC_DEFINE_UNQUOTED([BUILDCRYPTOOPENSSL11], [1], [openssl 1.1 crypto])])])
 	AC_DEFINE_UNQUOTED([BUILDCRYPTOOPENSSL], [1], [Enable openssl crypto])
 fi
 
 # compress libraries checks
 if test "x$enable_compress_zlib" = xyes; then
 	PKG_CHECK_MODULES([zlib], [zlib])
 	AC_DEFINE_UNQUOTED([BUILDCOMPZLIB], [1], [Enable zlib compression])
 fi
 if test "x$enable_compress_lz4" = xyes; then
 	PKG_CHECK_MODULES([liblz4], [liblz4])
 	AC_DEFINE_UNQUOTED([BUILDCOMPLZ4], [1], [Enable lz4 compress])
 fi
 if test "x$enable_compress_lzo2" = xyes; then
 	PKG_CHECK_MODULES([lzo2], [lzo2],,
 		[AC_CHECK_HEADERS([lzo/lzo1x.h],
 			[AC_CHECK_LIB([lzo2], [lzo1x_decompress_safe],
 				[AC_SUBST([lzo2_LIBS], [-llzo2])])],
 				[AC_MSG_ERROR(["missing required lzo/lzo1x.h header"])])])
 	AC_DEFINE_UNQUOTED([BUILDCOMPLZO2], [1], [Enable lzo2 compress])
 fi
 if test "x$enable_compress_lzma" = xyes; then
 	PKG_CHECK_MODULES([liblzma], [liblzma])
 	AC_DEFINE_UNQUOTED([BUILDCOMPLZMA], [1], [Enable lzma compress])
 fi
 if test "x$enable_compress_bzip2" = xyes; then
 	PKG_CHECK_MODULES([bzip2], [bzip2],,
 		[AC_CHECK_HEADERS([bzlib.h],
 			[AC_CHECK_LIB([bz2], [BZ2_bzBuffToBuffCompress],
 				[AC_SUBST([bzip2_LIBS], [-lbz2])])],
 				[AC_MSG_ERROR(["missing required bzlib.h"])])])
 	AC_DEFINE_UNQUOTED([BUILDCOMPBZIP2], [1], [Enable bzip2 compress])
 fi
 
 # Checks for header files.
 AC_CHECK_HEADERS([fcntl.h])
 AC_CHECK_HEADERS([stdlib.h])
 AC_CHECK_HEADERS([string.h])
 AC_CHECK_HEADERS([strings.h])
 AC_CHECK_HEADERS([sys/ioctl.h])
 AC_CHECK_HEADERS([syslog.h])
 AC_CHECK_HEADERS([unistd.h])
 AC_CHECK_HEADERS([netinet/in.h])
 AC_CHECK_HEADERS([sys/socket.h])
 AC_CHECK_HEADERS([arpa/inet.h])
 AC_CHECK_HEADERS([netdb.h])
 AC_CHECK_HEADERS([limits.h])
 AC_CHECK_HEADERS([stdint.h])
 AC_CHECK_HEADERS([sys/epoll.h])
 
 if test "x$enable_libknet_sctp" = xyes; then
 	AC_CHECK_HEADERS([netinet/sctp.h],, [AC_MSG_ERROR(["missing required SCTP headers"])])
 fi
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_INLINE
 AC_TYPE_SIZE_T
 AC_TYPE_PID_T
 AC_TYPE_SSIZE_T
 AC_TYPE_UINT8_T
 AC_TYPE_UINT16_T
 AC_TYPE_UINT32_T
 AC_TYPE_UINT64_T
 AC_TYPE_INT32_T
 
 # Checks for library functions.
 AC_FUNC_ALLOCA
 AC_FUNC_FORK
 AC_FUNC_MALLOC
 AC_FUNC_REALLOC
 AC_CHECK_FUNCS([memset])
 AC_CHECK_FUNCS([strdup])
 AC_CHECK_FUNCS([strerror])
 AC_CHECK_FUNCS([dup2])
 AC_CHECK_FUNCS([select])
 AC_CHECK_FUNCS([socket])
 AC_CHECK_FUNCS([inet_ntoa])
 AC_CHECK_FUNCS([memmove])
 AC_CHECK_FUNCS([strchr])
 AC_CHECK_FUNCS([atexit])
 AC_CHECK_FUNCS([ftruncate])
 AC_CHECK_FUNCS([strrchr])
 AC_CHECK_FUNCS([strstr])
 AC_CHECK_FUNCS([clock_gettime])
 AC_CHECK_FUNCS([strcasecmp])
 AC_CHECK_FUNCS([kevent])
 # if neither sys/epoll.h nor kevent are present, we should fail.
 
 if test "x$ac_cv_header_sys_epoll_h" = xno && test "x$ac_cv_func_kevent" = xno; then
 	AC_MSG_ERROR([Both epoll and kevent unavailable on this OS])
 fi
 
 if test "x$ac_cv_header_sys_epoll_h" = xyes && test "x$ac_cv_func_kevent" = xyes; then
 	AC_MSG_ERROR([Both epoll and kevent available on this OS, please contact the maintainers to fix the code])
 fi
 
 # checks (for kronosnetd)
 if test "x$enable_kronosnetd" = xyes; then
 	AC_CHECK_HEADERS([security/pam_appl.h],
 			 [AC_CHECK_LIB([pam], [pam_start])],
 			 [AC_MSG_ERROR([Unable to find LinuxPAM devel files])])
 
 	AC_CHECK_HEADERS([security/pam_misc.h],
 			 [AC_CHECK_LIB([pam_misc], [misc_conv])],
 			 [AC_MSG_ERROR([Unable to find LinuxPAM MISC devel files])])
 
 	PKG_CHECK_MODULES([libqb], [libqb])
 
 	AC_CHECK_LIB([qb], [qb_log_thread_priority_set],
 		     [have_qb_log_thread_priority_set="yes"],
 		     [have_qb_log_thread_priority_set="no"])
 	if test "x${have_qb_log_thread_priority_set}" = xyes; then
 		AC_DEFINE_UNQUOTED([HAVE_QB_LOG_THREAD_PRIORITY_SET], [1], [have qb_log_thread_priority_set])
 	fi
 fi
 
 # local options
 AC_ARG_ENABLE([debug],
 	[  --enable-debug          enable debug build. ],
 	[ default="no" ])
 
 AC_ARG_ENABLE([publicandocs],
 	[  --enable-publicandocs   enable docs build. ],
 	[ default="no" ])
 
 AC_ARG_WITH([initdefaultdir],
 	[  --with-initdefaultdir   : path to /etc/sysconfig/.. or /etc/default dir. ],
 	[ INITDEFAULTDIR="$withval" ],
 	[ INITDEFAULTDIR="$sysconfdir/default" ])
 
 AC_ARG_WITH([initddir],
 	[  --with-initddir=DIR     : path to init script directory. ],
 	[ INITDDIR="$withval" ],
 	[ INITDDIR="$sysconfdir/init.d" ])
 
 AC_ARG_WITH([systemddir],
 	[  --with-systemddir=DIR   : path to systemd unit files directory. ],
 	[ SYSTEMDDIR="$withval" ],
 	[ SYSTEMDDIR="$systemddir" ])
 
 AC_ARG_WITH([syslogfacility],
 	[  --with-syslogfacility=FACILITY
 			  default syslog facility. ],
 	[ SYSLOGFACILITY="$withval" ],
 	[ SYSLOGFACILITY="LOG_DAEMON" ])
 
 AC_ARG_WITH([sysloglevel],
 	[  --with-sysloglevel=LEVEL
 			  default syslog level. ],
 	[ SYSLOGLEVEL="$withval" ],
 	[ SYSLOGLEVEL="LOG_INFO" ])
 
 AC_ARG_WITH([defaultadmgroup],
 	[  --with-defaultadmgroup=GROUP
 			  define PAM group. Users part of this group will be
 			  allowed to configure kronosnet. Others will only
 			  receive read-only rights. ],
 	[ DEFAULTADMGROUP="$withval" ],
 	[ DEFAULTADMGROUP="kronosnetadm" ])
 
 ## random vars
 LOGDIR=${localstatedir}/log/
 RUNDIR=${localstatedir}/run/
 DEFAULT_CONFIG_DIR=${sysconfdir}/kronosnet
 
 ## do subst
 
 AM_CONDITIONAL([BUILD_DOCS], [test "x${enable_publicandocs}" = xyes])
 AM_CONDITIONAL([DEBUG], [test "x${enable_debug}" = xyes])
 
 AC_SUBST([DEFAULT_CONFIG_DIR])
 AC_SUBST([INITDEFAULTDIR])
 AC_SUBST([INITDDIR])
 AC_SUBST([SYSTEMDDIR])
 AC_SUBST([LOGDIR])
 AC_SUBST([DEFAULTADMGROUP])
 
 AC_DEFINE_UNQUOTED([DEFAULT_CONFIG_DIR],
 		   ["$(eval echo ${DEFAULT_CONFIG_DIR})"],
 		   [Default config directory])
 
 AC_DEFINE_UNQUOTED([DEFAULT_CONFIG_FILE],
 		   ["$(eval echo ${DEFAULT_CONFIG_DIR}/kronosnetd.conf)"],
 		   [Default config file])
 
 AC_DEFINE_UNQUOTED([LOGDIR],
 		   ["$(eval echo ${LOGDIR})"],
 		   [Default logging directory])
 
 AC_DEFINE_UNQUOTED([DEFAULT_LOG_FILE],
 		   ["$(eval echo ${LOGDIR}/kronosnetd.log)"],
 		   [Default log file])
 
 AC_DEFINE_UNQUOTED([RUNDIR],
 		   ["$(eval echo ${RUNDIR})"],
 		   [Default run directory])
 
 AC_DEFINE_UNQUOTED([SYSLOGFACILITY],
 		   [$(eval echo ${SYSLOGFACILITY})],
 		   [Default syslog facility])
 
 AC_DEFINE_UNQUOTED([SYSLOGLEVEL],
 		   [$(eval echo ${SYSLOGLEVEL})],
 		   [Default syslog level])
 
 AC_DEFINE_UNQUOTED([DEFAULTADMGROUP],
 		   ["$(eval echo ${DEFAULTADMGROUP})"],
 		   [Default admin group])
 
 ## *FLAGS handling
 ENV_CFLAGS="$CFLAGS"
 ENV_CPPFLAGS="$CPPFLAGS"
 ENV_LDFLAGS="$LDFLAGS"
 
 # debug build stuff
 if test "x${enable_debug}" = xyes; then
 	AC_DEFINE_UNQUOTED([DEBUG], [1], [Compiling Debugging code])
 	OPT_CFLAGS="-O0"
 else
 	OPT_CFLAGS="-O3"
 fi
 
 # gdb flags
 if test "x${GCC}" = xyes; then
 	GDB_FLAGS="-ggdb3"
 else
 	GDB_FLAGS="-g"
 fi
 
 # extra warnings
 EXTRA_WARNINGS=""
 
 WARNLIST="
 	all
 	extra
 	unused
 	shadow
 	missing-prototypes
 	missing-declarations
 	suggest-attribute=noreturn
 	suggest-attribute=format
 	strict-prototypes
 	declaration-after-statement
 	pointer-arith
 	write-strings
 	cast-align
 	bad-function-cast
 	missing-format-attribute
 	float-equal
 	format=2
 	format-signedness
 	format-security
 	format-nonliteral
 	no-long-long
 	unsigned-char
 	gnu89-inline
 	no-strict-aliasing
 	error
 	address
 	cpp
 	overflow
 	parentheses
 	sequence-point
 	switch
 	shift-overflow=2
 	overlength-strings
 	retundent-decls
 	init-self
 	uninitialized
 	unused-but-set-variable
 	unused-function
 	unused-result
 	unused-value
 	unused-variable
 	unknown-pragmas
 	no-unused-parameter
 	"
 
 for j in $WARNLIST; do
 	if cc_supports_flag -W$j; then
 		EXTRA_WARNINGS="$EXTRA_WARNINGS -W$j";
 	fi
 done
 
 CFLAGS="$ENV_CFLAGS $lt_prog_compiler_pic $OPT_CFLAGS $GDB_FLAGS \
 	$EXTRA_WARNINGS $WERROR_CFLAGS"
 CPPFLAGS="$ENV_CPPFLAGS"
 LDFLAGS="$ENV_LDFLAGS $lt_prog_compiler_pic -Wl,--as-needed"
 
 AC_CONFIG_FILES([
 		Makefile
 		init/Makefile
 		libtap/Makefile
 		libtap/libtap.pc
 		kronosnetd/Makefile
 		kronosnetd/kronosnetd.logrotate
 		libknet/Makefile
 		libknet/libknet.pc
 		libknet/tests/Makefile
 		docs/Makefile
 		poc-code/Makefile
 		poc-code/iov-hash/Makefile
 		poc-code/access-list/Makefile
 		])
 
 AC_OUTPUT
diff --git a/libknet/crypto_openssl.c b/libknet/crypto_openssl.c
index 643e4b2b..904193a7 100644
--- a/libknet/crypto_openssl.c
+++ b/libknet/crypto_openssl.c
@@ -1,687 +1,887 @@
 /*
  * Copyright (C) 2010-2017 Red Hat, Inc.  All rights reserved.
  *
  * Author: Fabio M. Di Nitto <fabbione@kronosnet.org>
  *
  * This software licensed under GPL-2.0+, LGPL-2.0+
  */
 
 #include "config.h"
 
 #include <errno.h>
 #include <dlfcn.h>
 #include <string.h>
 #ifdef BUILDCRYPTOOPENSSL
 #include <openssl/conf.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
 
 #include "common.h"
 #include "crypto.h"
 #include "crypto_openssl.h"
 #include "logging.h"
 
-#define SSLERR_BUF_SIZE 256 /* https://www.openssl.org/docs/man1.0.2/crypto/ERR_error_string.html */
+/*
+ * 1.0.2 requires at least 120 bytes
+ * 1.1.0 requires at least 256 bytes
+ */
+#define SSLERR_BUF_SIZE 512
 
-#define LIBOPENSSL_10 "libcrypto.so.10"
+/*
+ * make this more generic.
+ * Fedora packages it one way, Debian another
+ * and it changes by version
+ */
+#define LIBOPENSSL "libcrypto.so"
 
 /*
  * global vars for dlopen
  */
 static void *openssl_lib;
 
 /*
  * symbols remapping
  */
+#ifdef BUILDCRYPTOOPENSSL10
 void (*_int_OPENSSL_add_all_algorithms_noconf)(void);
+#endif
+#ifdef BUILDCRYPTOOPENSSL11
+int (*_int_OPENSSL_init_crypto)(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
+#endif
 
+#ifdef BUILDCRYPTOOPENSSL10
 void (*_int_ERR_load_crypto_strings)(void);
+#endif
 unsigned long (*_int_ERR_get_error)(void);
 void (*_int_ERR_error_string_n)(unsigned long e, char *buf, size_t len);
+#ifdef BUILDCRYPTOOPENSSL10
 void (*_int_ERR_free_strings)(void);
+#endif
 
 void (*_int_RAND_seed)(const void *buf, int num);
 int (*_int_RAND_bytes)(unsigned char *buf, int num);
 
 const EVP_MD *(*_int_EVP_get_digestbyname)(const char *name);
 int (*_int_EVP_MD_size)(const EVP_MD *md);
 unsigned char *(*_int_HMAC)(const EVP_MD *evp_md, const void *key, int key_len,
 			    const unsigned char *d, size_t n, unsigned char *md,
 			    unsigned int *md_len);
 
 const EVP_CIPHER *(*_int_EVP_get_cipherbyname)(const char *name);
 int (*_int_EVP_CIPHER_block_size)(const EVP_CIPHER *cipher);
+
+#ifdef BUILDCRYPTOOPENSSL10
 void (*_int_EVP_CIPHER_CTX_init)(EVP_CIPHER_CTX *a);
 int (*_int_EVP_CIPHER_CTX_cleanup)(EVP_CIPHER_CTX *a);
+#endif
+#ifdef BUILDCRYPTOOPENSSL11
+EVP_CIPHER_CTX *(*_int_EVP_CIPHER_CTX_new)(void);
+void (*_int_EVP_CIPHER_CTX_free)(EVP_CIPHER_CTX *c);
+#endif
 
 int (*_int_EVP_EncryptInit_ex)(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 			       ENGINE *impl, const unsigned char *key,
 			       const unsigned char *iv);
 int (*_int_EVP_EncryptUpdate)(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 			      const unsigned char *in, int inl);
 int (*_int_EVP_EncryptFinal_ex)(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
 
 int (*_int_EVP_DecryptInit_ex)(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 			       ENGINE *impl, const unsigned char *key,
 			       const unsigned char *iv);
 int (*_int_EVP_DecryptUpdate)(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 			      const unsigned char *in, int inl);
 int (*_int_EVP_DecryptFinal_ex)(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 
+#ifdef BUILDCRYPTOOPENSSL10
 void (*_int_EVP_cleanup)(void);
+#endif
 
 static void clean_openssl_syms(void)
 {
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_OPENSSL_add_all_algorithms_noconf = NULL;
+#endif
+#ifdef BUILDCRYPTOOPENSSL11
+	_int_OPENSSL_init_crypto = NULL;
+#endif
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_ERR_load_crypto_strings = NULL;
+#endif
 	_int_ERR_get_error = NULL;
 	_int_ERR_error_string_n = NULL;
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_ERR_free_strings = NULL;
+#endif
 	_int_RAND_seed = NULL;
 	_int_RAND_bytes = NULL;
 	_int_EVP_get_digestbyname = NULL;
 	_int_EVP_MD_size = NULL;
 	_int_HMAC = NULL;
 	_int_EVP_get_cipherbyname = NULL;
 	_int_EVP_CIPHER_block_size = NULL;
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_EVP_CIPHER_CTX_init = NULL;
 	_int_EVP_CIPHER_CTX_cleanup = NULL;
+#endif
+#ifdef BUILDCRYPTOOPENSSL11
+	_int_EVP_CIPHER_CTX_new = NULL;
+	_int_EVP_CIPHER_CTX_free = NULL;
+#endif
 	_int_EVP_EncryptInit_ex = NULL;
 	_int_EVP_EncryptUpdate = NULL;
 	_int_EVP_EncryptFinal_ex = NULL;
 	_int_EVP_DecryptInit_ex = NULL;
 	_int_EVP_DecryptUpdate = NULL;
 	_int_EVP_DecryptFinal_ex = NULL;
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_EVP_cleanup = NULL;
+#endif
 	return;
 }
 
 static int opensslcrypto_remap_symbols(knet_handle_t knet_h)
 {
 	int err = 0;
 	char *error = NULL;
 
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_OPENSSL_add_all_algorithms_noconf = dlsym(openssl_lib, "OPENSSL_add_all_algorithms_noconf");
 	if (!_int_OPENSSL_add_all_algorithms_noconf) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map OPENSSL_add_all_algorithms_noconf: %s", error);
 		err = -1;
 		goto out;
 	}
-
+#endif
+#ifdef BUILDCRYPTOOPENSSL11
+	_int_OPENSSL_init_crypto = dlsym(openssl_lib, "OPENSSL_init_crypto");
+	if (!_int_OPENSSL_init_crypto) {
+		error = dlerror();
+		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map OPENSSL_init_crypto: %s", error);
+		err = -1;
+		goto out;
+	}
+#endif
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_ERR_load_crypto_strings = dlsym(openssl_lib, "ERR_load_crypto_strings");
 	if (!_int_ERR_load_crypto_strings) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map ERR_load_crypto_strings: %s", error);
 		err = -1;
 		goto out;
 	}
+#endif
 
 	_int_ERR_get_error = dlsym(openssl_lib, "ERR_get_error");
 	if (!_int_ERR_get_error) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map ERR_get_error: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_ERR_error_string_n = dlsym(openssl_lib, "ERR_error_string_n");
 	if (!_int_ERR_error_string_n) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map ERR_error_string_n: %s", error);
 		err = -1;
 		goto out;
 	}
 
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_ERR_free_strings = dlsym(openssl_lib, "ERR_free_strings");
 	if (!_int_ERR_free_strings) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map ERR_free_strings: %s", error);
 		err = -1;
 		goto out;
 	}
+#endif
 
 	_int_RAND_seed = dlsym(openssl_lib, "RAND_seed");
 	if (!_int_RAND_seed) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map RAND_seed: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_RAND_bytes = dlsym(openssl_lib, "RAND_bytes");
 	if (!_int_RAND_bytes) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map RAND_bytes: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_get_digestbyname = dlsym(openssl_lib, "EVP_get_digestbyname");
 	if (!_int_EVP_get_digestbyname) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_get_digestbyname: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_MD_size = dlsym(openssl_lib, "EVP_MD_size");
 	if (!_int_EVP_MD_size) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_MD_size: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_HMAC = dlsym(openssl_lib, "HMAC");
 	if (!_int_HMAC) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map HMAC: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_get_cipherbyname = dlsym(openssl_lib, "EVP_get_cipherbyname");
 	if (!_int_EVP_get_cipherbyname) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_get_cipherbyname: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_CIPHER_block_size = dlsym(openssl_lib, "EVP_CIPHER_block_size");
 	if (!_int_EVP_CIPHER_block_size) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_CIPHER_block_size: %s", error);
 		err = -1;
 		goto out;
 	}
 
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_EVP_CIPHER_CTX_init = dlsym(openssl_lib, "EVP_CIPHER_CTX_init");
 	if (!_int_EVP_CIPHER_CTX_init) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_CIPHER_CTX_init: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_CIPHER_CTX_cleanup = dlsym(openssl_lib, "EVP_CIPHER_CTX_cleanup");
 	if (!_int_EVP_CIPHER_CTX_cleanup) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_CIPHER_CTX_cleanup: %s", error);
 		err = -1;
 		goto out;
 	}
+#endif
+#ifdef BUILDCRYPTOOPENSSL11
+	_int_EVP_CIPHER_CTX_new = dlsym(openssl_lib, "EVP_CIPHER_CTX_new");
+	if (!_int_EVP_CIPHER_CTX_new) {
+		error = dlerror();
+		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_CIPHER_CTX_new: %s", error);
+		err = -1;
+		goto out;
+	}
+
+	_int_EVP_CIPHER_CTX_free = dlsym(openssl_lib, "EVP_CIPHER_CTX_free");
+	if (!_int_EVP_CIPHER_CTX_free) {
+		error = dlerror();
+		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_CIPHER_CTX_free: %s", error);
+		err = -1;
+		goto out;
+	}
+#endif
 
 	_int_EVP_EncryptInit_ex = dlsym(openssl_lib, "EVP_EncryptInit_ex");
 	if (!_int_EVP_EncryptInit_ex) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_EncryptInit_ex: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_EncryptUpdate = dlsym(openssl_lib, "EVP_EncryptUpdate");
 	if (!_int_EVP_EncryptUpdate) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_EncryptUpdate: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_EncryptFinal_ex = dlsym(openssl_lib, "EVP_EncryptFinal_ex");
 	if (!_int_EVP_EncryptFinal_ex) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_EncryptFinal_ex: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_DecryptInit_ex = dlsym(openssl_lib, "EVP_DecryptInit_ex");
 	if (!_int_EVP_DecryptInit_ex) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_DecryptInit_ex: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_DecryptUpdate = dlsym(openssl_lib, "EVP_DecryptUpdate");
 	if (!_int_EVP_DecryptUpdate) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_DecryptUpdate: %s", error);
 		err = -1;
 		goto out;
 	}
 
 	_int_EVP_DecryptFinal_ex = dlsym(openssl_lib, "EVP_DecryptFinal_ex");
 	if (!_int_EVP_DecryptFinal_ex) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_DecryptFinal_ex: %s", error);
 		err = -1;
 		goto out;
 	}
 
+#ifdef BUILDCRYPTOOPENSSL10
 	_int_EVP_cleanup = dlsym(openssl_lib, "EVP_cleanup");
 	if (!_int_EVP_cleanup) {
 		error = dlerror();
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unable to map EVP_cleanup: %s", error);
 		err = -1;
 		goto out;
 	}
+#endif
 
 out:
 	if (err) {
 		clean_openssl_syms();
 	}
 
 	return err;
 }
 
 void opensslcrypto_unload_lib(
 	knet_handle_t knet_h)
 {
 	if (openssl_lib) {
+#ifdef BUILDCRYPTOOPENSSL10
 		if (_int_EVP_cleanup) {
 			(*_int_EVP_cleanup)();
 		}
 		if (_int_ERR_free_strings) {
 			(*_int_ERR_free_strings)();
 		}
-
+#endif
 		dlclose(openssl_lib);
 		openssl_lib = NULL;
 		clean_openssl_syms();
 	}
 
 	return;
 }
 
 int opensslcrypto_load_lib(
 	knet_handle_t knet_h)
 {
 	int err = 0, savederrno = 0;
 
 	if (!openssl_lib) {
-		openssl_lib = open_lib(knet_h, LIBOPENSSL_10, 0);
+		openssl_lib = open_lib(knet_h, LIBOPENSSL, 0);
 		if (!openssl_lib) {
 			savederrno = errno;
 			err = -1;
 			goto out;
 		}
 
 		if (opensslcrypto_remap_symbols(knet_h) < 0) {
 			savederrno = errno;
 			err = -1;
 			goto out;
 		}
 
+#ifdef BUILDCRYPTOOPENSSL10
 		(*_int_ERR_load_crypto_strings)();
 		(*_int_OPENSSL_add_all_algorithms_noconf)();
+#endif
+#ifdef BUILDCRYPTOOPENSSL11
+		(*_int_OPENSSL_init_crypto)(OPENSSL_INIT_ADD_ALL_CIPHERS \
+					    | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+#endif
 	}
 
 out:
 	if (err) {
 		opensslcrypto_unload_lib(knet_h);
 	}
 	errno = savederrno;
 	return err;
 }
 
 /*
  * crypto definitions and conversion tables
  */
 
 #define SALT_SIZE 16
 
 struct opensslcrypto_instance {
 	void *private_key;
 
 	int private_key_len;
 
 	const EVP_CIPHER *crypto_cipher_type;
 
 	const EVP_MD *crypto_hash_type;
 };
 
 /*
- * crypt/decrypt functions
+ * crypt/decrypt functions openssl1.0
  */
 
+#ifdef BUILDCRYPTOOPENSSL10
 static int encrypt_openssl(
 	knet_handle_t knet_h,
 	const struct iovec *iov,
 	int iovcnt,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
 	EVP_CIPHER_CTX	ctx;
 	int		tmplen = 0, offset = 0;
 	unsigned char	*salt = buf_out;
 	unsigned char	*data = buf_out + SALT_SIZE;
 	int		err = 0;
 	int		i;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	(*_int_EVP_CIPHER_CTX_init)(&ctx);
 
 	/*
 	 * contribute to PRNG for each packet we send/receive
 	 */
 	(*_int_RAND_seed)((unsigned char *)iov[iovcnt - 1].iov_base, iov[iovcnt - 1].iov_len);
 
 	if (!(*_int_RAND_bytes)(salt, SALT_SIZE)) {
 		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	/*
 	 * add warning re keylength
 	 */
 	(*_int_EVP_EncryptInit_ex)(&ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	for (i=0; i<iovcnt; i++) {
 		if (!(*_int_EVP_EncryptUpdate)(&ctx,
 					       data + offset, &tmplen,
 					       (unsigned char *)iov[i].iov_base, iov[i].iov_len)) {
 			(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to encrypt: %s", sslerr);
 			err = -1;
 			goto out;
 		}
 		offset = offset + tmplen;
 	}
 
 	if (!(*_int_EVP_EncryptFinal_ex)(&ctx, data + offset, &tmplen)) {
 		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize encrypt: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = offset + tmplen + SALT_SIZE;
 
 out:
 	(*_int_EVP_CIPHER_CTX_cleanup)(&ctx);
 	return err;
 }
 
 static int decrypt_openssl (
 	knet_handle_t knet_h,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
 	EVP_CIPHER_CTX	ctx;
 	int		tmplen1 = 0, tmplen2 = 0;
 	unsigned char	*salt = (unsigned char *)buf_in;
 	unsigned char	*data = salt + SALT_SIZE;
 	int		datalen = buf_in_len - SALT_SIZE;
 	int		err = 0;
 	char		sslerr[SSLERR_BUF_SIZE];
 
 	(*_int_EVP_CIPHER_CTX_init)(&ctx);
 
 	/*
 	 * contribute to PRNG for each packet we send/receive
 	 */
 	(*_int_RAND_seed)(buf_in, buf_in_len);
 
 	/*
 	 * add warning re keylength
 	 */
 	(*_int_EVP_DecryptInit_ex)(&ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
 
 	if (!(*_int_EVP_DecryptUpdate)(&ctx, buf_out, &tmplen1, data, datalen)) {
 		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	if (!(*_int_EVP_DecryptFinal_ex)(&ctx, buf_out + tmplen1, &tmplen2)) {
 		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
 		err = -1;
 		goto out;
 	}
 
 	*buf_out_len = tmplen1 + tmplen2;
 
 out:
 	(*_int_EVP_CIPHER_CTX_cleanup)(&ctx);
 	return err;
 }
+#endif
+
+#ifdef BUILDCRYPTOOPENSSL11
+static int encrypt_openssl(
+	knet_handle_t knet_h,
+	const struct iovec *iov,
+	int iovcnt,
+	unsigned char *buf_out,
+	ssize_t *buf_out_len)
+{
+	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	EVP_CIPHER_CTX	*ctx;
+	int		tmplen = 0, offset = 0;
+	unsigned char	*salt = buf_out;
+	unsigned char	*data = buf_out + SALT_SIZE;
+	int		err = 0;
+	int		i;
+	char		sslerr[SSLERR_BUF_SIZE];
+
+	ctx = (*_int_EVP_CIPHER_CTX_new)();
+
+	/*
+	 * contribute to PRNG for each packet we send/receive
+	 */
+	(*_int_RAND_seed)((unsigned char *)iov[iovcnt - 1].iov_base, iov[iovcnt - 1].iov_len);
+
+	if (!(*_int_RAND_bytes)(salt, SALT_SIZE)) {
+		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
+		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to get random salt data: %s", sslerr);
+		err = -1;
+		goto out;
+	}
+
+	/*
+	 * add warning re keylength
+	 */
+	(*_int_EVP_EncryptInit_ex)(ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
+
+	for (i=0; i<iovcnt; i++) {
+		if (!(*_int_EVP_EncryptUpdate)(ctx,
+					       data + offset, &tmplen,
+					       (unsigned char *)iov[i].iov_base, iov[i].iov_len)) {
+			(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to encrypt: %s", sslerr);
+			err = -1;
+			goto out;
+		}
+		offset = offset + tmplen;
+	}
+
+	if (!(*_int_EVP_EncryptFinal_ex)(ctx, data + offset, &tmplen)) {
+		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
+		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize encrypt: %s", sslerr);
+		err = -1;
+		goto out;
+	}
+
+	*buf_out_len = offset + tmplen + SALT_SIZE;
+
+out:
+	(*_int_EVP_CIPHER_CTX_free)(ctx);
+	return err;
+}
+
+static int decrypt_openssl (
+	knet_handle_t knet_h,
+	const unsigned char *buf_in,
+	const ssize_t buf_in_len,
+	unsigned char *buf_out,
+	ssize_t *buf_out_len)
+{
+	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
+	EVP_CIPHER_CTX	*ctx;
+	int		tmplen1 = 0, tmplen2 = 0;
+	unsigned char	*salt = (unsigned char *)buf_in;
+	unsigned char	*data = salt + SALT_SIZE;
+	int		datalen = buf_in_len - SALT_SIZE;
+	int		err = 0;
+	char		sslerr[SSLERR_BUF_SIZE];
+
+	ctx = (*_int_EVP_CIPHER_CTX_new)();
+
+	/*
+	 * contribute to PRNG for each packet we send/receive
+	 */
+	(*_int_RAND_seed)(buf_in, buf_in_len);
+
+	/*
+	 * add warning re keylength
+	 */
+	(*_int_EVP_DecryptInit_ex)(ctx, instance->crypto_cipher_type, NULL, instance->private_key, salt);
+
+	if (!(*_int_EVP_DecryptUpdate)(ctx, buf_out, &tmplen1, data, datalen)) {
+		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
+		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		err = -1;
+		goto out;
+	}
+
+	if (!(*_int_EVP_DecryptFinal_ex)(ctx, buf_out + tmplen1, &tmplen2)) {
+		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
+		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		err = -1;
+		goto out;
+	}
+
+	*buf_out_len = tmplen1 + tmplen2;
+
+out:
+	(*_int_EVP_CIPHER_CTX_free)(ctx);
+	return err;
+}
+#endif
 
 /*
  * hash/hmac/digest functions
  */
 
 static int calculate_openssl_hash(
 	knet_handle_t knet_h,
 	const unsigned char *buf,
 	const size_t buf_len,
 	unsigned char *hash)
 {
 	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
 	unsigned int hash_len = 0;
 	unsigned char *hash_out = NULL;
 	char sslerr[SSLERR_BUF_SIZE];
 
 	hash_out = (*_int_HMAC)(instance->crypto_hash_type,
 				instance->private_key, instance->private_key_len,
 				buf, buf_len,
 				hash, &hash_len);
 
 	if ((!hash_out) || (hash_len != knet_h->sec_hash_size)) {
 		(*_int_ERR_error_string_n)((*_int_ERR_get_error)(), sslerr, sizeof(sslerr));
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
 		return -1;
 	}
 
 	return 0;
 }
 
 /*
  * exported API
  */
 
 int opensslcrypto_encrypt_and_sign (
 	knet_handle_t knet_h,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct iovec iov_in;
 
 	memset(&iov_in, 0, sizeof(iov_in));
 	iov_in.iov_base = (unsigned char *)buf_in;
 	iov_in.iov_len = buf_in_len;
 
 	return opensslcrypto_encrypt_and_signv(knet_h, &iov_in, 1, buf_out, buf_out_len);
 }
 
 int opensslcrypto_encrypt_and_signv (
 	knet_handle_t knet_h,
 	const struct iovec *iov_in,
 	int iovcnt_in,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
 	int i;
 
 	if (instance->crypto_cipher_type) {
 		if (encrypt_openssl(knet_h, iov_in, iovcnt_in, buf_out, buf_out_len) < 0) {
 			return -1;
 		}
 	} else {
 		*buf_out_len = 0;
 		for (i=0; i<iovcnt_in; i++) {
 			memmove(buf_out + *buf_out_len, iov_in[i].iov_base, iov_in[i].iov_len);
 			*buf_out_len = *buf_out_len + iov_in[i].iov_len;
 		}
 	}
 
 	if (instance->crypto_hash_type) {
 		if (calculate_openssl_hash(knet_h, buf_out, *buf_out_len, buf_out + *buf_out_len) < 0) {
 			return -1;
 		}
 		*buf_out_len = *buf_out_len + knet_h->sec_hash_size;
 	}
 
 	return 0;
 }
 
 int opensslcrypto_authenticate_and_decrypt (
 	knet_handle_t knet_h,
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
 	ssize_t *buf_out_len)
 {
 	struct opensslcrypto_instance *instance = knet_h->crypto_instance->model_instance;
 	ssize_t temp_len = buf_in_len;
 
 	if (instance->crypto_hash_type) {
 		unsigned char tmp_hash[knet_h->sec_hash_size];
 		ssize_t temp_buf_len = buf_in_len - knet_h->sec_hash_size;
 
 		if ((temp_buf_len < 0) || (temp_buf_len > KNET_MAX_PACKET_SIZE)) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Incorrect packet size.");
 			return -1;
 		}
 
 		if (calculate_openssl_hash(knet_h, buf_in, temp_buf_len, tmp_hash) < 0) {
 			return -1;
 		}
 
 		if (memcmp(tmp_hash, buf_in + temp_buf_len, knet_h->sec_hash_size) != 0) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
 			return -1;
 		}
 
 		temp_len = temp_len - knet_h->sec_hash_size;
 		*buf_out_len = temp_len;
 	}
 	if (instance->crypto_cipher_type) {
 		if (decrypt_openssl(knet_h, buf_in, temp_len, buf_out, buf_out_len) < 0) {
 			return -1;
 		}
 	} else {
 		memmove(buf_out, buf_in, temp_len);
 		*buf_out_len = temp_len;
 	}
 
 	return 0;
 }
 
 int opensslcrypto_init(
 	knet_handle_t knet_h,
 	struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
 {
 	struct opensslcrypto_instance *opensslcrypto_instance = NULL;
 
 	log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO,
 		  "Initizializing openssl crypto module [%s/%s]",
 		  knet_handle_crypto_cfg->crypto_cipher_type,
 		  knet_handle_crypto_cfg->crypto_hash_type);
 
 	knet_h->crypto_instance->model_instance = malloc(sizeof(struct opensslcrypto_instance));
 	if (!knet_h->crypto_instance->model_instance) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl model instance");
 		return -1;
 	}
 
 	opensslcrypto_instance = knet_h->crypto_instance->model_instance;
 
 	memset(opensslcrypto_instance, 0, sizeof(struct opensslcrypto_instance));
 
 	if (strcmp(knet_handle_crypto_cfg->crypto_cipher_type, "none") == 0) {
 		opensslcrypto_instance->crypto_cipher_type = NULL;
 	} else {
 		opensslcrypto_instance->crypto_cipher_type = (*_int_EVP_get_cipherbyname)(knet_handle_crypto_cfg->crypto_cipher_type);
 		if (!opensslcrypto_instance->crypto_cipher_type) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unknown crypto cipher type requested");
 			goto out_err;
 		}
 	}
 
 	if (strcmp(knet_handle_crypto_cfg->crypto_hash_type, "none") == 0) {
 		opensslcrypto_instance->crypto_hash_type = NULL;
 	} else {
 		opensslcrypto_instance->crypto_hash_type = (*_int_EVP_get_digestbyname)(knet_handle_crypto_cfg->crypto_hash_type);
 		if (!opensslcrypto_instance->crypto_hash_type) {
 			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "unknown crypto hash type requested");
 			goto out_err;
 		}
 	}
 
 	if ((opensslcrypto_instance->crypto_cipher_type) &&
 	    (!opensslcrypto_instance->crypto_hash_type)) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "crypto communication requires hash specified");
 		goto out_err;
 	}
 
 	opensslcrypto_instance->private_key = malloc(knet_handle_crypto_cfg->private_key_len);
 	if (!opensslcrypto_instance->private_key) {
 		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to allocate memory for openssl private key");
 		goto out_err;
 	}
 	memmove(opensslcrypto_instance->private_key, knet_handle_crypto_cfg->private_key, knet_handle_crypto_cfg->private_key_len);
 	opensslcrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
 
 	knet_h->sec_header_size = 0;
 
 	if (opensslcrypto_instance->crypto_hash_type) {
 		knet_h->sec_hash_size = (*_int_EVP_MD_size)(opensslcrypto_instance->crypto_hash_type);
 		knet_h->sec_header_size += knet_h->sec_hash_size;
 	}
 
 	if (opensslcrypto_instance->crypto_cipher_type) {
 		int block_size;
 
 		block_size = (*_int_EVP_CIPHER_block_size)(opensslcrypto_instance->crypto_cipher_type);
 		if (block_size < 0) {
 			goto out_err;
 		}
 
 		knet_h->sec_header_size += (block_size * 2);
 		knet_h->sec_header_size += SALT_SIZE;
 		knet_h->sec_salt_size = SALT_SIZE;
 		knet_h->sec_block_size = block_size;
 	}
 
 	return 0;
 
 out_err:
 	opensslcrypto_fini(knet_h);
 
 	return -1;
 }
 
 void opensslcrypto_fini(
 	knet_handle_t knet_h)
 {
 	struct opensslcrypto_instance *opensslcrypto_instance = knet_h->crypto_instance->model_instance;
 
 	if (opensslcrypto_instance) {
 		if (opensslcrypto_instance->private_key) {
 			free(opensslcrypto_instance->private_key);
 			opensslcrypto_instance->private_key = NULL;
 		}
 		free(opensslcrypto_instance);
 		knet_h->crypto_instance->model_instance = NULL;
 		knet_h->sec_header_size = 0;
 	}
 
 	return;
 }
 #endif