--- src-orig/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2017-09-26 02:28:22.000000000 +1000
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2017-10-17 16:10:45.096992610 +1100
@@ -36,6 +36,10 @@
 #include <dirent.h>
 #include <arpa/inet.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#define X509_STORE_CTX_set0_trusted_stack X509_STORE_CTX_trusted_stack
+#endif
+
 static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
 static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
 
@@ -1200,7 +1204,7 @@
                 goto cleanup;
             X509_STORE_CTX_init(certctx, certstore, cert,
                                 id_cryptoctx->intermediateCAs);
-            X509_STORE_CTX_trusted_stack(certctx, id_cryptoctx->trustedCAs);
+            X509_STORE_CTX_set0_trusted_stack(certctx, id_cryptoctx->trustedCAs);
             if (!X509_verify_cert(certctx)) {
                 retval = oerr_cert(context, 0, certctx,
                                    _("Failed to verify own certificate"));
@@ -1630,7 +1634,7 @@
 
         /* add trusted CAs certificates for cert verification */
         if (idctx->trustedCAs != NULL)
-            X509_STORE_CTX_trusted_stack(cert_ctx, idctx->trustedCAs);
+            X509_STORE_CTX_set0_trusted_stack(cert_ctx, idctx->trustedCAs);
         else {
             pkiDebug("unable to find any trusted CAs\n");
             goto cleanup;
@@ -3007,9 +3011,13 @@
 int
 pkinit_openssl_init()
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+    OPENSSL_init_crypto(0, NULL);
+#else
     /* Initialize OpenSSL. */
     ERR_load_crypto_strings();
     OpenSSL_add_all_algorithms();
+#endif
     return 0;
 }