diff --git a/configure.ac b/configure.ac
index 9e07a0c..7390358 100644
--- a/configure.ac
+++ b/configure.ac
@@ -251,8 +251,6 @@ AC_CHECK_FUNCS(m4_normalize([
 
 AC_SEARCH_LIBS([clock_gettime], [rt], [AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Define if clock_gettime is available.])])
 
-PKG_CHECK_MODULES([OPENSSL], [openssl])
-
 # Start by trying to find the needed tinfo parts by pkg-config
 PKG_CHECK_MODULES([TINFO], [tinfo],
   [AC_DEFINE([HAVE_CURSES_H], [1], [Define to 1 if <curses.h> is present])],
@@ -293,6 +291,49 @@ if test "x$ax_cv_have_TINFO" = xno ; then
     fi
 fi
 
+dnl Default to OpenSSL, or OS X crypto library if found
+AC_CHECK_HEADERS([CommonCrypto/CommonCrypto.h],
+  [default_crypto_library="apple-common-crypto"],
+  [default_crypto_library="openssl"]
+)
+
+dnl Allow user to select over the default.
+AC_ARG_WITH(
+  [crypto-library],
+  [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|nettle|apple-common-crypto @<:@default=openssl@:>@])],
+  [
+    case "${withval}" in
+      openssl|nettle|apple-common-crypto) ;;
+      *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
+    esac
+  ],
+  [with_crypto_library="$default_crypto_library"]
+)
+
+dnl Checks for chosen crypto library
+case "${with_crypto_library}" in
+  openssl)
+    PKG_CHECK_MODULES([CRYPTO], [openssl],
+      [],
+      [AC_MSG_ERROR([OpenSSL crypto library not found])])
+    AC_DEFINE([USE_OPENSSL_AES], [1], [Use OpenSSL library])
+    ;;
+  nettle)
+    PKG_CHECK_MODULES([CRYPTO], [nettle],
+      [],
+      [AC_MSG_ERROR([Nettle crypto library not found])])
+    AC_DEFINE([USE_NETTLE_AES], [1], [Use Nettle library])
+    ;;
+  apple-common-crypto)
+    dnl Common Crypto is in Apple's standard paths and base libraries.
+    dnl So just check for presence of the header.
+    AC_CHECK_HEADERS([CommonCrypto/CommonCrypto.h],
+      [],
+      [AC_MSG_ERROR([Apple Common Crypto header not found])])
+    AC_DEFINE([USE_APPLE_COMMON_CRYPTO_AES], [1], [Use Apple Common Crypto library])
+    ;;
+esac
+
 AC_CHECK_DECL([forkpty],
   [AC_DEFINE([FORKPTY_IN_LIBUTIL], [1],
      [Define if libutil.h necessary for forkpty().])],
diff --git a/macosx/build.sh b/macosx/build.sh
index 9ca4b9d..d92fcdb 100755
--- a/macosx/build.sh
+++ b/macosx/build.sh
@@ -59,8 +59,7 @@ for arch in $ARCHS; do
     mkdir "${prefix}"
     if ./configure --prefix="${prefix}/local" \
 		   CC="cc -arch ${arch}" CPP="cc -arch ${arch} -E" CXX="c++ -arch ${arch}" \
-		   TINFO_LIBS=-lncurses \
-		   OPENSSL_CFLAGS="  " OPENSSL_LIBS="-lssl -lcrypto -lz" &&
+		   TINFO_LIBS=-lncurses &&
 	    make clean &&
 	    make install -j8 &&
 	    rm -f "${prefix}/etc"
diff --git a/src/crypto/Makefile.am b/src/crypto/Makefile.am
index 3f3b138..d01008e 100644
--- a/src/crypto/Makefile.am
+++ b/src/crypto/Makefile.am
@@ -1,4 +1,4 @@
-AM_CPPFLAGS = -I$(srcdir)/../util $(OPENSSL_CFLAGS)
+AM_CPPFLAGS = -I$(srcdir)/../util $(CRYPTO_CFLAGS)
 AM_CXXFLAGS = $(WARNING_CXXFLAGS) $(PICKY_CXXFLAGS) $(HARDEN_CFLAGS) $(MISC_CXXFLAGS)
 
 noinst_LIBRARIES = libmoshcrypto.a
diff --git a/src/crypto/ocb.cc b/src/crypto/ocb.cc
index d9516d9..1f73475 100644
--- a/src/crypto/ocb.cc
+++ b/src/crypto/ocb.cc
@@ -50,9 +50,13 @@
 
 /* This implementation has built-in support for multiple AES APIs. Set any
 /  one of the following to non-zero to specify which to use.               */
+#if 0
+#define USE_APPLE_COMMON_CRYPTO_AES       0
+#define USE_NETTLE_AES       0
 #define USE_OPENSSL_AES      1  /* http://openssl.org                      */
 #define USE_REFERENCE_AES    0  /* Internet search: rijndael-alg-fst.c     */
 #define USE_AES_NI           0  /* Uses compiler's intrinsics              */
+#endif
 
 /* During encryption and decryption, various "L values" are required.
 /  The L values can be precomputed during initialization (requiring extra
@@ -72,6 +76,7 @@
 /* Includes and compiler specific definitions                              */
 /* ----------------------------------------------------------------------- */
 
+#include "config.h"
 #include "ae.h"
 #include <stdlib.h>
 #include <string.h>
@@ -95,8 +100,12 @@
 	#include <intrin.h>
 	#pragma intrinsic(_byteswap_uint64, _BitScanForward, memcpy)
 #elif __GNUC__
+	#ifndef inline
 	#define inline __inline__            /* No "inline" in GCC ansi C mode */
+	#endif
+	#ifndef restrict
 	#define restrict __restrict__      /* No "restrict" in GCC ansi C mode */
+	#endif
 #endif
 
 #if _MSC_VER
@@ -347,6 +356,131 @@ static inline void AES_ecb_decrypt_blks(block *blks, unsigned nblks, AES_KEY *ke
 
 #define BPI 4  /* Number of blocks in buffer per ECB call */
 
+/*-------------------*/
+#elif USE_APPLE_COMMON_CRYPTO_AES
+/*-------------------*/
+
+#include <fatal_assert.h>
+#include <CommonCrypto/CommonCryptor.h>
+
+typedef struct {
+	CCCryptorRef ref;
+	uint8_t b[4096];
+} AES_KEY;
+#if (OCB_KEY_LEN == 0)
+#define ROUNDS(ctx) ((ctx)->rounds)
+#else
+#define ROUNDS(ctx) (6+OCB_KEY_LEN/4)
+#endif
+
+static inline void AES_set_encrypt_key(unsigned char *handle, const int bits, AES_KEY *key)
+{
+	CCCryptorStatus rv = CCCryptorCreateFromData(
+		kCCEncrypt,
+		kCCAlgorithmAES,
+		kCCOptionECBMode,
+		handle,
+		bits / 8,
+		NULL,
+		&(key->b),
+		sizeof (key->b),
+		&(key->ref),
+		NULL);
+
+	fatal_assert(rv == kCCSuccess);
+}
+static inline void AES_set_decrypt_key(unsigned char *handle, const int bits, AES_KEY *key)
+{
+	CCCryptorStatus rv = CCCryptorCreateFromData(
+		kCCDecrypt,
+		kCCAlgorithmAES,
+		kCCOptionECBMode,
+		handle,
+		bits / 8,
+		NULL,
+		&(key->b),
+		sizeof (key->b),
+		&(key->ref),
+		NULL);
+
+	fatal_assert(rv == kCCSuccess);
+}
+static inline void AES_encrypt(unsigned char *src, unsigned char *dst, AES_KEY *key) {
+	size_t dataOutMoved;
+	CCCryptorStatus rv = CCCryptorUpdate(
+		key->ref,
+		(const void *)src,
+		kCCBlockSizeAES128,
+		(void *)dst,
+		kCCBlockSizeAES128,
+		&dataOutMoved);
+	fatal_assert(rv == kCCSuccess);
+	fatal_assert(dataOutMoved == kCCBlockSizeAES128);
+}
+#if 0
+/* unused */
+static inline void AES_decrypt(unsigned char *src, unsigned char *dst, AES_KEY *key) {
+	AES_encrypt(src, dst, key);
+}
+#endif
+static inline void AES_ecb_encrypt_blks(block *blks, unsigned nblks, AES_KEY *key) {
+	const size_t dataSize = kCCBlockSizeAES128 * nblks;
+	size_t dataOutMoved;
+	CCCryptorStatus rv = CCCryptorUpdate(
+		key->ref,
+		(const void *)blks,
+		dataSize,
+		(void *)blks,
+		dataSize,
+		&dataOutMoved);
+	fatal_assert(rv == kCCSuccess);
+	fatal_assert(dataOutMoved == dataSize);
+}
+static inline void AES_ecb_decrypt_blks(block *blks, unsigned nblks, AES_KEY *key) {
+	AES_ecb_encrypt_blks(blks, nblks, key);
+}
+
+#define BPI 4  /* Number of blocks in buffer per ECB call */
+
+/*-------------------*/
+#elif USE_NETTLE_AES
+/*-------------------*/
+
+#include <nettle/aes.h>
+
+typedef struct aes_ctx AES_KEY;
+#if (OCB_KEY_LEN == 0)
+#define ROUNDS(ctx) ((ctx)->rounds)
+#else
+#define ROUNDS(ctx) (6+OCB_KEY_LEN/4)
+#endif
+
+static inline void AES_set_encrypt_key(unsigned char *handle, const int bits, AES_KEY *key)
+{
+	nettle_aes_set_encrypt_key(key, bits/8, (const uint8_t *)handle);
+}
+static inline void AES_set_decrypt_key(unsigned char *handle, const int bits, AES_KEY *key)
+{
+	nettle_aes_set_decrypt_key(key, bits/8, (const uint8_t *)handle);
+}
+static inline void AES_encrypt(unsigned char *src, unsigned char *dst, AES_KEY *key) {
+	nettle_aes_encrypt(key, AES_BLOCK_SIZE, dst, src);
+}
+#if 0
+/* unused */
+static inline void AES_decrypt(unsigned char *src, unsigned char *dst, AES_KEY *key) {
+	nettle_aes_decrypt(key, AES_BLOCK_SIZE, dst, src);
+}
+#endif
+static inline void AES_ecb_encrypt_blks(block *blks, unsigned nblks, AES_KEY *key) {
+	nettle_aes_encrypt(key, nblks * AES_BLOCK_SIZE, (unsigned char*)blks, (unsigned char*)blks);
+}
+static inline void AES_ecb_decrypt_blks(block *blks, unsigned nblks, AES_KEY *key) {
+	nettle_aes_decrypt(key, nblks * AES_BLOCK_SIZE, (unsigned char*)blks, (unsigned char*)blks);
+}
+
+#define BPI 4  /* Number of blocks in buffer per ECB call */
+
 /*-------------------*/
 #elif USE_REFERENCE_AES
 /*-------------------*/
@@ -560,6 +694,8 @@ static inline void AES_ecb_decrypt_blks(block *blks, unsigned nblks, AES_KEY *ke
 #define BPI 8  /* Number of blocks in buffer per ECB call   */
                /* Set to 4 for Westmere, 8 for Sandy Bridge */
 
+#else
+#error "No AES implementation selected."
 #endif
 
 /* ----------------------------------------------------------------------- */
diff --git a/src/examples/Makefile.am b/src/examples/Makefile.am
index 862ec0c..faa2286 100644
--- a/src/examples/Makefile.am
+++ b/src/examples/Makefile.am
@@ -7,11 +7,11 @@ endif
 
 encrypt_SOURCES = encrypt.cc
 encrypt_CPPFLAGS = -I$(srcdir)/../crypto
-encrypt_LDADD = ../crypto/libmoshcrypto.a $(OPENSSL_LIBS)
+encrypt_LDADD = ../crypto/libmoshcrypto.a $(CRYPTO_LIBS)
 
 decrypt_SOURCES = decrypt.cc
 decrypt_CPPFLAGS = -I$(srcdir)/../crypto
-decrypt_LDADD = ../crypto/libmoshcrypto.a $(OPENSSL_LIBS)
+decrypt_LDADD = ../crypto/libmoshcrypto.a $(CRYPTO_LIBS)
 
 parse_SOURCES = parse.cc
 parse_CPPFLAGS = -I$(srcdir)/../terminal -I$(srcdir)/../util
@@ -23,8 +23,8 @@ termemu_LDADD = ../terminal/libmoshterminal.a ../util/libmoshutil.a ../statesync
 
 ntester_SOURCES = ntester.cc
 ntester_CPPFLAGS = -I$(srcdir)/../util -I$(srcdir)/../statesync -I$(srcdir)/../terminal -I$(srcdir)/../network -I$(srcdir)/../crypto -I../protobufs $(protobuf_CFLAGS)
-ntester_LDADD = ../statesync/libmoshstatesync.a ../terminal/libmoshterminal.a ../network/libmoshnetwork.a ../crypto/libmoshcrypto.a ../protobufs/libmoshprotos.a ../util/libmoshutil.a $(LIBUTIL) -lm $(protobuf_LIBS)  $(OPENSSL_LIBS)
+ntester_LDADD = ../statesync/libmoshstatesync.a ../terminal/libmoshterminal.a ../network/libmoshnetwork.a ../crypto/libmoshcrypto.a ../protobufs/libmoshprotos.a ../util/libmoshutil.a $(LIBUTIL) -lm $(protobuf_LIBS)  $(CRYPTO_LIBS)
 
 benchmark_SOURCES = benchmark.cc
 benchmark_CPPFLAGS = -I$(srcdir)/../util -I$(srcdir)/../statesync -I$(srcdir)/../terminal -I../protobufs -I$(srcdir)/../frontend -I$(srcdir)/../crypto -I$(srcdir)/../network $(protobuf_CFLAGS)
-benchmark_LDADD = ../frontend/terminaloverlay.o ../statesync/libmoshstatesync.a ../terminal/libmoshterminal.a ../protobufs/libmoshprotos.a ../network/libmoshnetwork.a ../crypto/libmoshcrypto.a ../util/libmoshutil.a $(STDDJB_LDFLAGS) $(LIBUTIL) -lm $(TINFO_LIBS) $(protobuf_LIBS) $(OPENSSL_LIBS)
+benchmark_LDADD = ../frontend/terminaloverlay.o ../statesync/libmoshstatesync.a ../terminal/libmoshterminal.a ../protobufs/libmoshprotos.a ../network/libmoshnetwork.a ../crypto/libmoshcrypto.a ../util/libmoshutil.a $(STDDJB_LDFLAGS) $(LIBUTIL) -lm $(TINFO_LIBS) $(protobuf_LIBS) $(CRYPTO_LIBS)
diff --git a/src/frontend/Makefile.am b/src/frontend/Makefile.am
index a0345ae..5856469 100644
--- a/src/frontend/Makefile.am
+++ b/src/frontend/Makefile.am
@@ -1,7 +1,7 @@
-AM_CPPFLAGS = -I$(srcdir)/../statesync -I$(srcdir)/../terminal -I$(srcdir)/../network -I$(srcdir)/../crypto -I../protobufs -I$(srcdir)/../util $(TINFO_CFLAGS) $(protobuf_CFLAGS) $(OPENSSL_CFLAGS)
+AM_CPPFLAGS = -I$(srcdir)/../statesync -I$(srcdir)/../terminal -I$(srcdir)/../network -I$(srcdir)/../crypto -I../protobufs -I$(srcdir)/../util $(TINFO_CFLAGS) $(protobuf_CFLAGS) $(CRYPTO_CFLAGS)
 AM_CXXFLAGS = $(WARNING_CXXFLAGS) $(PICKY_CXXFLAGS) $(HARDEN_CFLAGS) $(MISC_CXXFLAGS)
 AM_LDFLAGS  = $(HARDEN_LDFLAGS)
-LDADD = ../crypto/libmoshcrypto.a ../network/libmoshnetwork.a ../statesync/libmoshstatesync.a ../terminal/libmoshterminal.a ../util/libmoshutil.a ../protobufs/libmoshprotos.a -lm $(TINFO_LIBS) $(protobuf_LIBS) $(OPENSSL_LIBS)
+LDADD = ../crypto/libmoshcrypto.a ../network/libmoshnetwork.a ../statesync/libmoshstatesync.a ../terminal/libmoshterminal.a ../util/libmoshutil.a ../protobufs/libmoshprotos.a -lm $(TINFO_LIBS) $(protobuf_LIBS) $(CRYPTO_LIBS)
 
 mosh_server_LDADD = $(LDADD) $(LIBUTIL)
 
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index db0ec60..7b3f952 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -27,12 +27,12 @@ base64_vector.cc: $(srcdir)/genbase64.pl
 	$(AM_V_GEN)perl $(srcdir)/genbase64.pl >> base64_vector.cc || rm base64_vector.cc
 
 ocb_aes_SOURCES = ocb-aes.cc test_utils.cc test_utils.h
-ocb_aes_CPPFLAGS = -I$(srcdir)/../crypto -I$(srcdir)/../util
-ocb_aes_LDADD = ../crypto/libmoshcrypto.a ../util/libmoshutil.a $(OPENSSL_LIBS)
+ocb_aes_CPPFLAGS = -I$(srcdir)/../crypto -I$(srcdir)/../util $(CRYPTO_CFLAGS)
+ocb_aes_LDADD = ../crypto/libmoshcrypto.a ../util/libmoshutil.a $(CRYPTO_LIBS)
 
 encrypt_decrypt_SOURCES = encrypt-decrypt.cc test_utils.cc test_utils.h
 encrypt_decrypt_CPPFLAGS = -I$(srcdir)/../crypto -I$(srcdir)/../util
-encrypt_decrypt_LDADD = ../crypto/libmoshcrypto.a ../util/libmoshutil.a $(OPENSSL_LIBS)
+encrypt_decrypt_LDADD = ../crypto/libmoshcrypto.a ../util/libmoshutil.a $(CRYPTO_LIBS)
 
 base64_SOURCES = base64.cc base64_vector.cc base64_vector.h genbase64.pl
 base64_CPPFLAGS = $(ocb_aes_CPPFLAGS)