diff -up db-5.3.28/dist/aclocal/options.m4.openssl db-5.3.28/dist/aclocal/options.m4
--- db-5.3.28/dist/aclocal/options.m4.openssl	2013-09-09 17:35:02.000000000 +0200
+++ db-5.3.28/dist/aclocal/options.m4	2018-10-22 11:02:08.037182417 +0200
@@ -406,7 +406,7 @@ AC_ARG_WITH([cryptography],
 	AC_HELP_STRING([--with-cryptography=yes|no|ipp], [Build database cryptography support @<:@default=yes@:>@.]),
 	[], [with_cryptography=$enable_cryptography])
 case "$with_cryptography" in
-yes|no|ipp) ;;
+yes|no|ipp|openssl) ;;
 *) AC_MSG_ERROR([unknown --with-cryptography argument \'$with_cryptography\']) ;;
 esac
 db_cv_build_cryptography="$with_cryptography"
diff -up db-5.3.28/dist/configure.ac.openssl db-5.3.28/dist/configure.ac
--- db-5.3.28/dist/configure.ac.openssl	2018-10-22 11:02:08.019182151 +0200
+++ db-5.3.28/dist/configure.ac	2018-10-22 14:40:52.467991248 +0200
@@ -994,6 +994,18 @@ in the configured include path.]))
 		AC_DEFINE(HAVE_CRYPTO_IPP)
 		AH_TEMPLATE(HAVE_CRYPTO_IPP,
 		    [Define to 1 if using Intel IPP for cryptography.])
+    else
+        if test "$db_cv_build_cryptography" = "openssl"; then
+            AC_CHECK_HEADERS(openssl/conf.h openssl/evp.h, [], AC_MSG_ERROR([\
+Openssl header files required for OPENSSL cryptography support were not found \
+in the configured include path.]))
+            AC_DEFINE(HAVE_CRYPTO_OPENSSL)
+            AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new,
+                [LDFLAGS="-lcrypto $LDFLAGS"], AC_MSG_ERROR([\
+Libcrypto was not found in the configured library path.]))
+            AH_TEMPLATE(HAVE_CRYPTO_OPENSSL,
+                [Define to 1 if using OpenSSL for cryptography.])
+        fi
 	fi
 else
 	CRYPTO_OBJS="crypto_stub${o}"
diff -up db-5.3.28/dist/Makefile.in.openssl db-5.3.28/dist/Makefile.in
--- db-5.3.28/dist/Makefile.in.openssl	2018-10-22 11:02:07.997181825 +0200
+++ db-5.3.28/dist/Makefile.in	2018-10-22 11:30:39.442854972 +0200
@@ -305,9 +305,10 @@ CXX_OBJS=\
 	cxx_except@o@ cxx_lock@o@ cxx_logc@o@ cxx_mpool@o@ cxx_multi@o@ \
 	cxx_rid@o@ cxx_seq@o@ cxx_site@o@ cxx_txn@o@
 
+CRYPTO_OBJS_RIJNDAEL=\
+	rijndael-alg-fst@o@ rijndael-api-fst@o@
 CRYPTO_OBJS=\
-	aes_method@o@ crypto@o@ mt19937db@o@ rijndael-alg-fst@o@ \
-	rijndael-api-fst@o@
+	aes_method@o@ crypto@o@ mt19937db@o@
 
 JAVA_OBJS=\
 	db_java_wrap@o@
diff -up db-5.3.28/src/crypto/aes_method.c.openssl db-5.3.28/src/crypto/aes_method.c
--- db-5.3.28/src/crypto/aes_method.c.openssl	2013-09-09 17:35:07.000000000 +0200
+++ db-5.3.28/src/crypto/aes_method.c	2018-10-22 17:54:53.439276678 +0200
@@ -17,6 +17,10 @@
 
 #ifdef HAVE_CRYPTO_IPP
 #include <ippcp.h>
+#elif defined(HAVE_CRYPTO_OPENSSL)
+#define OPENSSL_AES_ERROR -101
+#include <openssl/conf.h>
+#include <openssl/evp.h>
 #endif
 
 static void __aes_err __P((ENV *, int));
@@ -119,11 +123,13 @@ __aes_decrypt(env, aes_data, iv, cipher,
 	AES_CIPHER *aes;
 #ifdef	HAVE_CRYPTO_IPP
 	IppStatus ipp_ret;
+#elif defined(HAVE_CRYPTO_OPENSSL)
+   EVP_CIPHER_CTX *ctx;
+   int temp_len;
 #else
 	cipherInstance c;
-#endif
 	int ret;
-
+#endif
 	aes = (AES_CIPHER *)aes_data;
 	if (iv == NULL || cipher == NULL)
 		return (EINVAL);
@@ -137,6 +143,32 @@ __aes_decrypt(env, aes_data, iv, cipher,
 		__aes_err(env, (int)ipp_ret);
 		return (EAGAIN);
 	}
+#elif defined(HAVE_CRYPTO_OPENSSL)
+    if(!(ctx = EVP_CIPHER_CTX_new())) {
+		__aes_err(env, OPENSSL_AES_ERROR);
+        return (EAGAIN);
+    }
+    if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,
+        (unsigned char*)iv)) {
+		__aes_err(env, OPENSSL_AES_ERROR);
+        return (EAGAIN);
+    }
+
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+    if(1 != EVP_DecryptUpdate(ctx, (unsigned char*)cipher, &temp_len,
+        (unsigned char*)cipher, cipher_len)) {
+		__aes_err(env, OPENSSL_AES_ERROR);
+        return (EAGAIN);
+    }
+    cipher_len = temp_len;
+    if(1 != EVP_DecryptFinal_ex(ctx, ((unsigned char*)cipher) + temp_len,
+        &temp_len)) {
+		__aes_err(env, OPENSSL_AES_ERROR);
+        return (EAGAIN);
+    }
+    cipher_len += temp_len;
+    EVP_CIPHER_CTX_free(ctx);
 #else
 	/*
 	 * Initialize the cipher
@@ -174,6 +206,9 @@ __aes_encrypt(env, aes_data, iv, data, d
 	AES_CIPHER *aes;
 #ifdef	HAVE_CRYPTO_IPP
 	IppStatus ipp_ret;
+#elif defined(HAVE_CRYPTO_OPENSSL)
+   EVP_CIPHER_CTX *ctx;
+   int temp_len;
 #else
 	cipherInstance c;
 #endif
@@ -204,6 +239,32 @@ __aes_encrypt(env, aes_data, iv, data, d
 		__aes_err(env, (int)ipp_ret);
 		return (EAGAIN);
 	}
+#elif defined(HAVE_CRYPTO_OPENSSL)
+    if(!(ctx = EVP_CIPHER_CTX_new())) {
+		__aes_err(env, OPENSSL_AES_ERROR);
+        return (EAGAIN);
+    }
+    if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,
+        (unsigned char*)tmp_iv)) {
+		__aes_err(env, OPENSSL_AES_ERROR);
+        return (EAGAIN);
+    }
+
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+    if(1 != EVP_EncryptUpdate(ctx, (unsigned char*)data, &temp_len,
+        (unsigned char*)data, data_len)) {
+		__aes_err(env, OPENSSL_AES_ERROR);
+        return (EAGAIN);
+    }
+    data_len = temp_len;
+    if(1 != EVP_EncryptFinal_ex(ctx, ((unsigned char*)data) + temp_len,
+        &temp_len)) {
+		__aes_err(env, OPENSSL_AES_ERROR);
+        return (EAGAIN);
+    }
+    data_len += temp_len;
+    EVP_CIPHER_CTX_free(ctx);
 #else
 	/*
 	 * Initialize the cipher
@@ -254,7 +315,7 @@ __aes_derivekeys(env, db_cipher, passwd,
 	SHA1_CTX ctx;
 #ifdef	HAVE_CRYPTO_IPP
 	IppStatus ipp_ret;
-#else
+#elif !defined(HAVE_CRYPTO_OPENSSL)
 	int ret;
 #endif
 	u_int32_t temp[DB_MAC_KEY/4];
@@ -278,6 +339,8 @@ __aes_derivekeys(env, db_cipher, passwd,
 		__aes_err(env, (int)ipp_ret);
 		return (EAGAIN);
 	}
+#elif defined(HAVE_CRYPTO_OPENSSL)
+    memcpy(aes->key, (unsigned char*) temp, DB_AES_CHUNK);
 #else
 	if ((ret = __db_makeKey(&aes->encrypt_ki, DIR_ENCRYPT,
 	    DB_AES_KEYLEN, (char *)temp)) != TRUE) {
@@ -320,6 +383,10 @@ __aes_err(env, err)
 	case ippStsUnderRunErr:
 		errstr = DB_STR("0185", "IPP AES srclen size error");
 		break;
+#elif defined(HAVE_CRYPTO_OPENSSL)
+	case OPENSSL_AES_ERROR:
+		errstr = DB_STR("0193", "AES unknown error");
+		break;
 #else
 	case BAD_KEY_DIR:
 		errstr = DB_STR("0186", "AES key direction is invalid");
diff -up db-5.3.28/src/dbinc/crypto.h.openssl db-5.3.28/src/dbinc/crypto.h
--- db-5.3.28/src/dbinc/crypto.h.openssl	2013-09-09 17:35:08.000000000 +0200
+++ db-5.3.28/src/dbinc/crypto.h	2018-10-22 11:02:08.038182432 +0200
@@ -59,7 +60,9 @@ struct __db_cipher {
 
 #ifdef HAVE_CRYPTO
 
+#ifndef HAVE_CRYPTO_OPENSSL
 #include "crypto/rijndael/rijndael-api-fst.h"
+#endif
 
 /*
  * Shared ciphering structure
@@ -77,6 +80,8 @@ typedef struct __cipher {
 typedef struct __aes_cipher {
 #ifdef	HAVE_CRYPTO_IPP
 	void		*ipp_ctx;	/* IPP key instance */
+#elif defined(HAVE_CRYPTO_OPENSSL)
+    unsigned char key[DB_AES_CHUNK];
 #else
 	keyInstance	decrypt_ki;	/* Decryption key instance */
 	keyInstance	encrypt_ki;	/* Encryption key instance */