diff --git a/configure b/configure
index 92341fa5fb..88f21d857f 100755
--- a/configure
+++ b/configure
@@ -16817,7 +16817,7 @@ fi yes) $as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h
-],
+ ;;
 *) ;;
diff --git a/configure.in b/configure.in
index f930e709ae..66992da669 100644
--- a/configure.in
+++ b/configure.in
@@ -1901,7 +1901,7 @@ int main() { case $have_ed448 in yes) AC_DEFINE(HAVE_OPENSSL_ED448, 1,
- [Define if your OpenSSL version supports Ed448.])],
+ [Define if your OpenSSL version supports Ed448.])
 ;; *) ;;
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index c9cb939dd6..e085f1132b 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -23,13 +23,6 @@ #include #include
-#if !defined(OPENSSL_NO_ENGINE) && \
- ((defined(CRYPTO_LOCK_ENGINE) && \
- (OPENSSL_VERSION_NUMBER >= 0x0090707f)) || \
- (OPENSSL_VERSION_NUMBER >= 0x10100000L))
-#define USE_ENGINE 1
-#endif
-
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* * These are new in OpenSSL 1.1.0. BN_GENCB _cb needs to be declared in
@@ -65,7 +58,7 @@ isc_result_t dst__openssl_toresult3(isc_logcategory_t *category, const char *funcname, isc_result_t fallback);
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 ENGINE * dst__openssl_getengine(const char *engine); #else
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 4f1ff1c259..ac479ce484 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -46,7 +46,7 @@ #include "dst_internal.h" #include "dst_openssl.h"
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 #include #endif
@@ -55,7 +55,7 @@ static isc_mutex_t *locks = NULL; static int nlocks; #endif
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 static ENGINE *e = NULL; #endif
@@ -147,7 +147,7 @@ isc_result_t dst__openssl_init(const char *engine) { isc_result_t result;
-#if !defined(USE_ENGINE)
+#if defined(OPENSSL_NO_ENGINE)
 UNUSED(engine); #endif
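Review bot: `#if !defined(OPENSSL_NO_ENGINE)` in the @@ -65 hunk of dst_openssl.h only tests anything if `<openssl/opensslconf.h>` has already been included, and the two `#include` context lines above the removed block have their arguments stripped in this view, so that cannot be confirmed here; if neither of them reaches opensslconf.h, an engine-less OpenSSL build silently compiles the ENGINE code paths and fails at the ENGINE declarations instead. The removed definition also carried a version floor (0.9.7g with CRYPTO_LOCK_ENGINE, or 1.1.0) that the new test drops, so whatever minimum OpenSSL configure enforces is now the only guarantee that the ENGINE API exists. The same replacement is made in the openssl_link.c hunks (@@ -46, -55, -147, -175, -207, -219, -248, -364) and in the opensslrsa_link.c hunks (@@ -47, -1482, -1541, -1690), so one comment at this first use would cover them all, e.g. `/* OPENSSL_NO_ENGINE is set in opensslconf.h; engine support needs OpenSSL >= 0.9.7g (was enforced here via USE_ENGINE) */`.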
@@ -175,7 +175,7 @@ dst__openssl_init(const char *engine) { ERR_load_crypto_strings(); #endif
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 #if !defined(CONF_MFLAGS_DEFAULT_SECTION) OPENSSL_config(NULL); #else
@@ -207,7 +207,7 @@ dst__openssl_init(const char *engine) { } }
-#endif /* USE_ENGINE */
+#endif /* !defined(OPENSSL_NO_ENGINE) */
 /* Protect ourselves against unseeded PRNG */ if (RAND_status() != 1) {
@@ -219,7 +219,7 @@ dst__openssl_init(const char *engine) { return (ISC_R_SUCCESS);
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 cleanup_rm: if (e != NULL) ENGINE_free(e);
@@ -248,11 +248,11 @@ dst__openssl_destroy(void) { #endif OBJ_cleanup(); EVP_cleanup();
-#if defined(USE_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE)
 if (e != NULL) ENGINE_free(e); e = NULL;
-#if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
 ENGINE_cleanup(); #endif #endif
@@ -364,7 +364,7 @@ dst__openssl_toresult3(isc_logcategory_t *category, return (result); }
-#if defined(USE_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE)
 ENGINE * dst__openssl_getengine(const char *engine) {
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 8dfda0d2fa..7e3a5d77b3 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -50,6 +50,8 @@ #include "dst_openssl.h" #include "dst_parse.h"
+#define PRIME2 "02"
+
 #define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \ "A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \ "F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
@@ -71,7 +73,7 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
-static BIGNUM *bn2, *bn768, *bn1024, *bn1536;
+static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
 #if !defined(HAVE_DH_GET0_KEY) /*
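Review bot: The inner `#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L` around `ENGINE_cleanup()` in the @@ -248 hunk of openssl_link.c keeps a pre-0.9.7 guard that the removed USE_ENGINE definition (which required at least 0.9.7g) had already excluded, so after this change it is the only place in the engine path that still reads as if older OpenSSL were supported. Either the version floor should live in one stated place (configure or dst_openssl.h) and this test collapse into the enclosing `#if`, leaving a bare `ENGINE_cleanup();`, or a comment should say why the inner check is still needed. In the @@ -219 hunk, `cleanup_rm:` calls `ENGINE_free(e)` but the lines that follow are outside the hunk, so I cannot tell whether `e` is reset to NULL there the way dst__openssl_destroy() does; if it is not, a destroy after a failed init would free it a second time.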
@@ -722,32 +724,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { return (ret); }
-static void
-BN_fromhex(BIGNUM *b, const char *str) {
- static const char hexdigits[] = "0123456789abcdef";
- unsigned char data[512];
- unsigned int i;
- BIGNUM *out;
-
- RUNTIME_CHECK(strlen(str) < 1024U && strlen(str) % 2 == 0U);
- for (i = 0; i < strlen(str); i += 2) {
- const char *s;
- unsigned int high, low;
-
- s = strchr(hexdigits, tolower((unsigned char)str[i]));
- RUNTIME_CHECK(s != NULL);
- high = (unsigned int)(s - hexdigits);
-
- s = strchr(hexdigits, tolower((unsigned char)str[i + 1]));
- RUNTIME_CHECK(s != NULL);
- low = (unsigned int)(s - hexdigits);
-
- data[i/2] = (unsigned char)((high << 4) + low);
- }
- out = BN_bin2bn(data, strlen(str)/2, b);
- RUNTIME_CHECK(out != NULL);
-}
-
 static void openssldh_cleanup(void) { BN_free(bn2);
@@ -784,17 +760,18 @@ isc_result_t dst__openssldh_init(dst_func_t **funcp) { REQUIRE(funcp != NULL); if (*funcp == NULL) {
- bn2 = BN_new();
- bn768 = BN_new();
- bn1024 = BN_new();
- bn1536 = BN_new();
- if (bn2 == NULL || bn768 == NULL ||
- bn1024 == NULL || bn1536 == NULL)
+ if (BN_hex2bn(&bn2, PRIME2) == 0 || bn2 == NULL) {
 goto cleanup;
- BN_set_word(bn2, 2);
- BN_fromhex(bn768, PRIME768);
- BN_fromhex(bn1024, PRIME1024);
- BN_fromhex(bn1536, PRIME1536);
+ }
+ if (BN_hex2bn(&bn768, PRIME768) == 0 || bn768 == NULL) {
+ goto cleanup;
+ }
+ if (BN_hex2bn(&bn1024, PRIME1024) == 0 || bn1024 == NULL) {
+ goto cleanup;
+ }
+ if (BN_hex2bn(&bn1536, PRIME1536) == 0 || bn1536 == NULL) {
+ goto cleanup;
+ }
 *funcp = &openssldh_functions; } return (ISC_R_SUCCESS);
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 43f6d317bc..17c48679db 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -47,7 +47,7 @@ #if OPENSSL_VERSION_NUMBER > 0x00908000L #include #endif
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 #include #endif
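Review bot: `BN_hex2bn(&bn768, PRIME768) == 0` in the @@ -784 hunk of openssldh_link.c only detects a string with no hex digit at all: BN_hex2bn stops at the first non-hex character and returns the number of digits it consumed, so a corrupted or mistyped prime constant would produce a shorter, wrong DH modulus and still pass, whereas the removed BN_fromhex RUNTIME_CHECKed every character. Compare the return value with the constant's length instead, `if (BN_hex2bn(&bn768, PRIME768) != (int)(sizeof(PRIME768) - 1) || bn768 == NULL) {`, and likewise for PRIME2, PRIME1024 and PRIME1536; `sizeof` is usable because each PRIMEnnn expands to a string literal. The trailing `|| bnX == NULL` is redundant once the count check passes, since a non-zero return means the BIGNUM was stored, though it is harmless. The `cleanup:` label is outside the hunk, so I cannot confirm that a failure on the third or fourth call frees the BIGNUMs the earlier calls already allocated.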
@@ -1482,13 +1482,13 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { isc_result_t ret; int i; RSA *rsa = NULL, *pubrsa = NULL;
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 ENGINE *ep = NULL; const BIGNUM *ex = NULL; #endif isc_mem_t *mctx = key->mctx; const char *engine = NULL, *label = NULL;
-#if defined(USE_ENGINE) || USE_EVP
+#if !defined(OPENSSL_NO_ENGINE) || USE_EVP
 EVP_PKEY *pkey = NULL; #endif BIGNUM *n = NULL, *e = NULL, *d = NULL;
@@ -1541,7 +1541,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { * See if we can fetch it. */ if (label != NULL) {
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 if (engine == NULL) DST_RET(DST_R_NOENGINE); ep = dst__openssl_getengine(engine);
@@ -1690,7 +1690,7 @@ static isc_result_t opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, const char *pin) {
-#ifdef USE_ENGINE
+#if !defined(OPENSSL_NO_ENGINE)
 ENGINE *e = NULL; isc_result_t ret; EVP_PKEY *pkey = NULL;
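Review bot: `#if !defined(OPENSSL_NO_ENGINE) || USE_EVP` in the @@ -1482 hunk of opensslrsa_link.c mixes a `defined()` test with a bare macro, so in any configuration where USE_EVP is not defined the preprocessor silently evaluates it as 0 and `pkey` is not declared, which then surfaces as an unrelated undeclared-identifier error at the uses further down opensslrsa_parse (outside the hunk). If USE_EVP is always defined to 0 or 1, a short comment at this `#if` saying so would settle the question; if it is defined-or-absent, `#if !defined(OPENSSL_NO_ENGINE) || defined(USE_EVP)` states the intent explicitly — I cannot tell which from here. The enclosing function's body runs well past this hunk.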