diff -wru tlswrap-1.04.orig/tls.c tlswrap-1.04/tls.c
--- tlswrap-1.04.orig/tls.c	2006-11-25 19:52:08.000000000 +0100
+++ tlswrap-1.04/tls.c	2017-12-05 04:43:56.757223948 +0100
@@ -73,10 +73,12 @@
 		printf("egd_sock is %s\n", egd_sock);
 #ifdef HAVE_RAND_STATUS
 	if (RAND_status() != 1) {
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || OPENSSL_NO_EGD
 		if ( RAND_egd(egd_sock) == -1 ) {
 			fprintf(stderr, "egd_sock is %s\n", egd_sock);
 			sys_err("RAND_egd failed\n");
 		}
+#endif
 		if (RAND_status() != 1)
 			sys_err("ssl_init: System without /dev/urandom, PRNG seeding must be done manually.\r\n");
 	}
@@ -262,7 +264,8 @@
 	int					ok, extcount, i, j;
 	char 				*extstr;
 	SSL					*ssl;
-#if (OPENSSL_VERSION_NUMBER > 0x00908000L)
+#if (OPENSSL_VERSION_NUMBER > 0x10100000L)
+#elif (OPENSSL_VERSION_NUMBER > 0x00908000L)
 	unsigned char const		*data1;
 #else
 	unsigned char	*data1;
@@ -279,6 +282,16 @@
 	if (debug)
 		printf("tls_cert2\n");
 	
+#if (OPENSSL_VERSION_NUMBER > 0x10100000L)
+	if (ud->sec_level > 3) {
+		X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
+		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+		X509_VERIFY_PARAM_set1_host(param, ud->serv_dns.hostname, 0);
+		X509_VERIFY_PARAM_set1_ip_asc(param, ud->serv_data_host);
+		SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
+	}
+#endif
+
 	if ((x509_peer = SSL_get_peer_certificate(ssl)) == NULL)
 		return X509_V_ERR_APPLICATION_VERIFICATION; /* SSL_get_peer* can only be NULL on  'anonymous DH connections' so shouldn't happen. */
 
@@ -287,6 +300,8 @@
 		return SSL_get_verify_result(ssl);
 	}
 	
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 	if ((extcount = X509_get_ext_count(x509_peer)) > 0) {
 		if (debug) printf("extcount = %d\n", extcount);
 		for (i = 0; i < extcount; i++) {
@@ -333,6 +348,7 @@
   		return X509_V_ERR_APPLICATION_VERIFICATION;
   	}
   }
+#endif
   X509_free(x509_peer);
 	return SSL_get_verify_result(ssl);
 }