--- a/configure.ac
+++ b/configure.ac
@@ -478,18 +478,35 @@ dnl -----------------
 dnl CHECK FOR OPENSSL
 dnl -----------------
 
-AS_IF([test x"$tls_support" = x"yes"],[
-  dnl OpenBSD 5 needs the other-libraries (fourth argument) to the
-  dnl AC_CHECK_LIB for SSL_library_init, because it doesn't
-  dnl automatically append -lcrypto when linking with -lssl.
-  AC_CHECK_HEADER([openssl/ssl.h], , [AC_MSG_ERROR([openssl/ssl.h not found])])
-  AC_CHECK_LIB([crypto], [BIO_write], [TLSLIB="-lcrypto"],
-    [AC_MSG_ERROR([OpenSSL crypto library not found])])
-  AC_CHECK_LIB([ssl], [SSL_library_init], [TLSLIB="-lssl $TLSLIB"],
-    [AC_MSG_ERROR([OpenSSL library not found])],[$TLSLIB])],
-  [TLSLIB=])
+
+AS_IF([test x"$with_tls" != x"no"],[
+dnl OpenBSD 5 needs the other-libraries (fifth argument) to the
+dnl AC_CHECK_LIB for SSL_new, because it doesn't
+dnl automatically append -lcrypto when linking with -lssl.
+AC_CHECK_HEADER([openssl/ssl.h], HAVE_SSL_H=1)
+AC_CHECK_LIB([crypto], [BIO_write], [TLSLIB="-lcrypto"])
+AC_CHECK_LIB([ssl], [SSL_new], [TLSLIB="-lssl $TLSLIB"], [TLSLIB=],
+             [$TLSLIB])])
 AC_SUBST([TLSLIB])
 
+dnl -----------------
+dnl Enable TLS?
+dnl -----------------
+dnl By default (with_tls=''), enable TLS if header and libs were found.
+dnl If TLS requested (--with-tls with_tls=yes), error if header/lib not found.
+dnl If TLS disabled (--without-tls with_tls=no), don't enable it.
+tls_support=no
+TLS_SUPPORT=0
+AC_SUBST([TLS_SUPPORT])
+AS_IF([test "x$with_tls" = xyes && test "x$HAVE_SSL_H" = x],
+      [AC_MSG_ERROR([TLS requested but openssl/ssl.h not found])],
+      [test "x$with_tls" = xyes && test "x$TLSLIB" = x],
+      [AC_MSG_ERROR([TLS requested but crypto or ssl library not found])],
+      [test "x$with_tls" != xno && test "x$HAVE_SSL_H" = x1 && test "x$TLSLIB" != x],
+      [AC_DEFINE([TLS_SUPPORT], [1], [Support TLS for session encryption.])
+       TLS_SUPPORT=1
+       tls_support=yes])
+
 dnl ----------------
 dnl CHECK FLEX FIXUP
 dnl ----------------
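Review bot: `TLSLIB` is never initialised on the new side, and the `[TLSLIB=]` fallback the old `AS_IF` had for the disabled case is gone, so with `--without-tls` a `TLSLIB` value inherited from the environment reaches `AC_SUBST([TLSLIB])` unchanged. The `crypto` probe also has no not-found action: if `BIO_write` is not found but `SSL_new` still links, `TLSLIB` becomes `-lssl ` and the last `AS_IF` branch enables TLS without `-lcrypto` having been verified. Setting `TLSLIB=` before `AS_IF([test x"$with_tls" != x"no"],[` and running the `ssl` check only when the `crypto` check succeeded would close both. Separately, in the default case (`with_tls=''`) a missing header or library now turns TLS off with no message in this hunk. An `AC_MSG_WARN([OpenSSL not found, building without TLS support])` on that path would stop a packager from unknowingly shipping a build that cannot encrypt SMTP sessions.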
--- a/mts/smtp/smtp.c
+++ b/mts/smtp/smtp.c
@@ -760,7 +760,12 @@ sm_end (int type)
 
 #ifdef TLS_SUPPORT
     if (tls_active) {
-	BIO_ssl_shutdown(io);
+/* az [2016-12-19 Mon 21:45]
+   for some unknown reason, bio_ssl_shutdown segfaults in openssl 1.1.
+   upstream's pre-1.7 code has switched to letting bio_free_all
+   take care of all shutdown-related aspects, which seems to work fine.
+   unfortunately the pre-1.7 changes are too big to backport.
+   BIO_ssl_shutdown(io); */
 	BIO_free_all(io);
     }
 #endif /* TLS_SUPPORT */
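Review bot: Commenting out `BIO_ssl_shutdown(io);` hides a crash whose cause the comment itself calls unknown, so whatever leaves `io` or its SSL object in a bad state at this point in `sm_end` is still present, and `BIO_free_all(io)` now walks the same chain. Rather than keeping the dead call inside a comment at column 0, I would delete it and state the dependency, indented with the block, e.g. `/* TLS shutdown is left to BIO_free_all(); an explicit BIO_ssl_shutdown() crashed with OpenSSL 1.1 (cause not diagnosed). */`. It is worth confirming, on each OpenSSL version this builds against, that freeing the SSL BIO still sends close_notify, since without it the peer cannot tell an orderly close from a truncated session. The visible lines do not reset `io` or `tls_active` after the free, but `sm_end` continues outside the hunk, so that may happen later.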
