diff --git a/configure.ac b/configure.ac
index a7ab6a0..0838531 100644
--- a/configure.ac
+++ b/configure.ac
@@ -365,7 +365,7 @@ AC_ARG_WITH(
   [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|nettle|apple-common-crypto @<:@default=openssl@:>@])],
   [
     case "${withval}" in
-      openssl|nettle|apple-common-crypto) ;;
+      openssl|openssl-with-internal-ocb|openssl-with-openssl-ocb|nettle|apple-common-crypto) ;;
       *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
     esac
   ],
@@ -373,36 +373,50 @@ AC_ARG_WITH(
 )
 
 dnl Checks for chosen crypto library
+PKG_CHECK_MODULES([OpenSSL], [openssl],
+  [have_openssl=yes
+    AC_CHECK_LIB([crypto], [AES_encrypt], [have_deprecated_openssl_aes=yes])
+    AC_CHECK_LIB([crypto], [EVP_aes_128_ocb], [have_evp_aes_ocb=yes])],
+  [:])
+PKG_CHECK_MODULES([Nettle], [nettle], [have_nettle=yes], [:])
+AS_CASE([$with_crypto_library],
+  [openssl*],
+    [AS_IF([test "x$have_openssl" != xyes],
+       [AC_MSG_ERROR([OpenSSL crypto library not found])])
+     AC_DEFINE([USE_OPENSSL_AES], [1], [Use OpenSSL library])
+     AC_SUBST([CRYPTO_CFLAGS], ["$OpenSSL_CFLAGS"])
+     AC_SUBST([CRYPTO_LIBS], ["$OpenSSL_LDFLAGS -lcrypto"])])
 case "${with_crypto_library}" in
-  openssl)
-    PKG_CHECK_MODULES([CRYPTO], [openssl],
-      [AC_DEFINE([USE_OPENSSL_AES], [1], [Use OpenSSL library])],
-      [AX_CHECK_LIBRARY([CRYPTO], [openssl/aes.h], [crypto],
-        [AC_DEFINE([USE_OPENSSL_AES], [1], [Use OpenSSL library])
-          AC_SUBST([CRYPTO_CFLAGS], ["$CRYPTO_CPPFLAGS"])
-          AC_SUBST([CRYPTO_LIBS], ["$CRYPTO_LDFLAGS -lcrypto"])],
-        [AC_MSG_ERROR([OpenSSL crypto library not found])])])
-        ;;
+  openssl|openssl-with-internal-ocb)
+    AS_IF([test "x$have_deprecated_openssl_aes" != xyes],
+      [AC_MSG_ERROR([found OpenSSL without AES support])])
+    AM_CONDITIONAL([USE_AES_OCB_FROM_OPENSSL], [false])
+    human_readable_cryptography_description='internal OCB, OpenSSL AES'
+    ;;
+  openssl-with-openssl-ocb)
+    AS_IF([test "x$have_evp_aes_ocb" != xyes],
+      [AC_MSG_ERROR([found OpenSSL without AES-OCB support])])
+    AM_CONDITIONAL([USE_AES_OCB_FROM_OPENSSL], [true])
+    human_readable_cryptography_description='OpenSSL OCB, OpenSSL AES'
+    ;;
   nettle)
-    PKG_CHECK_MODULES([CRYPTO], [nettle],
-      [],
+    AS_IF([test "x$have_nettle" != xyes],
       [AC_MSG_ERROR([Nettle crypto library not found])])
     AC_DEFINE([USE_NETTLE_AES], [1], [Use Nettle library])
+    AC_SUBST([CRYPTO_CFLAGS], ["$Nettle_CFLAGS"])
+    AC_SUBST([CRYPTO_LIBS], ["$Nettle_LDFLAGS"])
+    AM_CONDITIONAL([USE_AES_OCB_FROM_OPENSSL], [false])
+    human_readable_cryptography_description='internal OCB, Nettle AES'
     ;;
   apple-common-crypto)
-    dnl Common Crypto is in Apple's standard paths and base libraries.
-    dnl So just check for presence of the header.
-    AC_CHECK_HEADERS([CommonCrypto/CommonCrypto.h],
-      [],
+    AS_IF([test "x$ac_cv_header_CommonCrypto_CommonCrypto_h" != xyes],
       [AC_MSG_ERROR([Apple Common Crypto header not found])])
     AC_DEFINE([USE_APPLE_COMMON_CRYPTO_AES], [1], [Use Apple Common Crypto library])
+    AM_CONDITIONAL([USE_AES_OCB_FROM_OPENSSL], [false])
+    human_readable_cryptography_description='internal OCB, Apple Common Crypto AES'
     ;;
 esac
 
-AM_CONDITIONAL([CRYPTO_LIBRARY_OPENSSL], [test x$with_crypto_library = xopenssl])
-AM_CONDITIONAL([CRYPTO_LIBRARY_NETTLE], [test x$with_crypto_library = xnettle])
-AM_CONDITIONAL([CRYPTO_LIBRARY_APPLE], [test x$with_crypto_library = xapple-common-crypto])
-
 AC_ARG_ENABLE([static-crypto],
   [AS_HELP_STRING([--enable-static-crypto], [Link crypto library statically @<:@no@:>@])],
   [], [enable_static_crypto="$enable_static_libraries"])
@@ -585,4 +599,5 @@ AC_MSG_NOTICE([c++ compiler:        $CXX])
 AC_MSG_NOTICE([Warning CXXFLAGS:    $WARNING_CXXFLAGS])
 AC_MSG_NOTICE([Picky CXXFLAGS:      $PICKY_CXXFLAGS])
 AC_MSG_NOTICE([Harden CFLAGS:       $HARDEN_CFLAGS])
+AC_MSG_NOTICE([Cryptography:        $human_readable_cryptography_description])
 AC_MSG_NOTICE([ =============================])
diff --git a/src/crypto/Makefile.am b/src/crypto/Makefile.am
index eff0b1c..1be5412 100644
--- a/src/crypto/Makefile.am
+++ b/src/crypto/Makefile.am
@@ -4,7 +4,7 @@ AM_CXXFLAGS = $(WARNING_CXXFLAGS) $(PICKY_CXXFLAGS) $(HARDEN_CFLAGS) $(MISC_CXXF
 noinst_LIBRARIES = libmoshcrypto.a
 
 OCB_SRCS = ae.h
-if CRYPTO_LIBRARY_OPENSSL
+if USE_AES_OCB_FROM_OPENSSL
 OCB_SRCS += ocb_openssl.cc
 else
 OCB_SRCS += ocb_internal.cc
diff --git a/src/crypto/ocb_internal.cc b/src/crypto/ocb_internal.cc
index 0626873..2e04c29 100644
--- a/src/crypto/ocb_internal.cc
+++ b/src/crypto/ocb_internal.cc
@@ -26,10 +26,11 @@
 
 #include "config.h"
 
-/* This module implements the ae.h interface for Apple Common Crypto and
-/  Nettle.                                                                 */
-#if !defined(USE_APPLE_COMMON_CRYPTO_AES) && !defined(USE_NETTLE_AES)
-#error ocb_internal.cc only works with Apple Common Crypto or Nettle
+/* This module implements the ae.h interface for OpenSSL, Apple Common
+/  Crypto, and Nettle.                                                     */
+#if !defined(USE_OPENSSL_AES) && !defined(USE_APPLE_COMMON_CRYPTO_AES) && \
+    !defined(USE_NETTLE_AES)
+#error ocb_internal.cc only works with OpenSSL, Apple Common Crypto, or Nettle
 #endif
 
 /* ----------------------------------------------------------------------- */
@@ -62,6 +63,7 @@
 #if 0
 #define USE_APPLE_COMMON_CRYPTO_AES       0
 #define USE_NETTLE_AES       0
+#define USE_OPENSSL_AES      1  /* http://openssl.org                      */
 #endif
 
 /* During encryption and decryption, various "L values" are required.
@@ -352,8 +354,31 @@
 /* AES - Code uses OpenSSL API. Other implementations get mapped to it.    */
 /* ----------------------------------------------------------------------- */
 
+/*---------------*/
+#if USE_OPENSSL_AES
+/*---------------*/
+
+#include <openssl/aes.h>                            /* http://openssl.org/ */
+
+/* How to ECB encrypt an array of blocks, in place                         */
+static inline void AES_ecb_encrypt_blks(block *blks, unsigned nblks, AES_KEY *key) {
+	while (nblks) {
+		--nblks;
+		AES_encrypt((unsigned char *)(blks+nblks), (unsigned char *)(blks+nblks), key);
+	}
+}
+
+static inline void AES_ecb_decrypt_blks(block *blks, unsigned nblks, AES_KEY *key) {
+	while (nblks) {
+		--nblks;
+		AES_decrypt((unsigned char *)(blks+nblks), (unsigned char *)(blks+nblks), key);
+	}
+}
+
+#define BPI 4  /* Number of blocks in buffer per ECB call */
+
 /*-------------------*/
-#if USE_APPLE_COMMON_CRYPTO_AES
+#elif USE_APPLE_COMMON_CRYPTO_AES
 /*-------------------*/
 
 #include <fatal_assert.h>
@@ -1320,3 +1345,7 @@ int main()
     return 0;
 }
 #endif
+
+#if USE_OPENSSL_AES
+char infoString[] = "OCB3 (OpenSSL)";
+#endif