Commit Diff


commit - 237095fd9a40120ef4e4bb7b7525d45c89c6cfb0
commit + ba290ef3affaad8a51b789eeadab269df1ffd0af
blob - 251095ccaad5a57252183e4a64fefaa6d140f5ee
blob + 3b19dea29be1114a6755a2c9fa0e859d00cae3e6
--- config.c
+++ config.c
@@ -46,6 +46,10 @@ config_new(void)
 
 	conf->prefork = 3;
 
+#ifdef __OpenBSD__
+	conf->use_privsep_crypto = 1;
+#endif
+
 	conf->sock4 = -1;
 	conf->sock6 = -1;
 
@@ -63,8 +67,10 @@ config_purge(struct conf *conf)
 	struct envlist *e, *te;
 	struct alist *a, *ta;
 	struct pki *pki, *tpki;
+	int use_privsep_crypto;
 
 	ps = conf->ps;
+	use_privsep_crypto = conf->use_privsep_crypto;
 
 	if (conf->sock4 != -1) {
 		event_del(&conf->evsock4);
@@ -136,6 +142,7 @@ config_purge(struct conf *conf)
 	memset(conf, 0, sizeof(*conf));
 
 	conf->ps = ps;
+	conf->use_privsep_crypto = use_privsep_crypto;
 	conf->sock4 = conf->sock6 = -1;
 	conf->protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
 	init_mime(&conf->mime);
@@ -184,7 +191,8 @@ static int
 config_send_kp(struct privsep *ps, int cert_type, int key_type,
     const char *cert, const char *key)
 {
-	int fd, d;
+	struct conf *conf = ps->ps_env;
+	int fd, d, key_target;
 
 	log_debug("sending %s", cert);
 	if ((fd = open(cert, O_RDONLY)) == -1)
@@ -196,13 +204,19 @@ config_send_kp(struct privsep *ps, int cert_type, int 
 		close(d);
 		return -1;
 	}
-	if (config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
+	if (conf->use_privsep_crypto &&
+	    config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
 		return -1;
 
 	log_debug("sending %s", key);
 	if ((fd = open(key, O_RDONLY)) == -1)
 		return -1;
-	if (config_send_file(ps, PROC_CRYPTO, key_type, fd, NULL, 0) == -1)
+
+	key_target = PROC_CRYPTO;
+	if (!conf->use_privsep_crypto)
+		key_target = PROC_SERVER;
+
+	if (config_send_file(ps, key_target, key_type, fd, NULL, 0) == -1)
 		return -1;
 
 	if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1)
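Review bot: When use_privsep_crypto is 0 the duplicated descriptor `d` is never consumed: the new `&&` short-circuits before config_send_file() runs, and nothing else in the hunk closes `d`, so every key pair leaks a descriptor on the non-privsep path (this assumes config_send_file() takes ownership of the fd it sends, which the earlier `close(d); return -1;` error path suggests but the hunk does not show). The cert branch should close it explicitly instead: `if (!conf->use_privsep_crypto) close(d); else if (config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1) return -1;`. A short comment above the `key_target` selection would also help, since on this path the private key is delivered to PROC_SERVER and the server process therefore holds the key material itself rather than handing it to the crypto process; judging by the `#ifdef __OpenBSD__` in config_new(), that is the default on every platform except OpenBSD. config_send_kp continues past the end of this hunk.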
blob - 36b9dd9e410f68e5a4b59ffe052cf44e14b96857
blob + 546238c5191be2527c8e9930084573199f139bac
--- ge.c
+++ ge.c
@@ -249,6 +249,9 @@ main(int argc, char **argv)
 	log_setverbose(0);
 	conf = config_new();
 
+	/* ge doesn't do privsep so no privsep crypto engine. */
+	conf->use_privsep_crypto = 0;
+
 	while ((ch = getopt_long(argc, argv, "d:H:hp:Vv", opts, NULL)) != -1) {
 		switch (ch) {
 		case 'd':
blob - 515f29c18bbd3cc8cb425842806655999e890366
blob + c68ab92ae218c467ce325262729266d389a51687
--- gmid.h
+++ gmid.h
@@ -228,6 +228,7 @@ struct conf {
 	char		 user[LOGIN_NAME_MAX];
 	int		 prefork;
 	int		 reload;
+	int		 use_privsep_crypto;
 
 	int		 sock4;
 	struct event	 evsock4;
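Review bot: The new `use_privsep_crypto` field has no comment, and unlike its neighbours its meaning is not self-evident: it decides whether private keys are sent to the crypto process or kept in the server process, and config.c only sets it to 1 under `#ifdef __OpenBSD__`. A one-line comment such as `int use_privsep_crypto; /* hand private keys to the crypto proc; set only on OpenBSD by default */` would save readers a trip through config.c and server.c.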
blob - 79fcc155cf49bf3bafe5b72b2b9370b85c59be2a
blob + acf77034dc98e86c92242eed876d37aa6b8b10d3
--- server.c
+++ server.c
@@ -1395,11 +1395,7 @@ setup_tls(struct conf *conf)
 	if ((tlsconf = tls_config_new()) == NULL)
 		fatal("tls_config_new");
 
-	/*
-	 * ge doesn't use the privsep crypto engine; it doesn't use
-	 * privsep at all so `ps' is NULL.
-	 */
-	if (conf->ps != NULL)
+	if (conf->use_privsep_crypto)
 		tls_config_use_fake_private_key(tlsconf);
 
 	/* optionally accept client certs, but don't try to verify them */
@@ -1462,6 +1458,8 @@ server(struct privsep *ps, struct privsep_proc *p)
 void
 server_init(struct privsep *ps, struct privsep_proc *p, void *arg)
 {
+	struct conf *c;
+
 	SPLAY_INIT(&clients);
 
 #ifdef SIGINFO
@@ -1477,8 +1475,11 @@ server_init(struct privsep *ps, struct privsep_proc *p
 	 * ge doesn't use the privsep crypto engine; it doesn't use
 	 * privsep at all so `ps' is NULL.
 	 */
-	if (ps != NULL)
-		crypto_engine_init(ps->ps_env);
+	if (ps != NULL) {
+		c = ps->ps_env;
+		if (c->use_privsep_crypto)
+			crypto_engine_init(ps->ps_env);
+	}
 }
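Review bot: The comment kept as context above the new block (the lines about ge and `ps' being NULL) now describes only half of the condition: the engine is also skipped when ps is non-NULL but `use_privsep_crypto` is 0, which per config.c is the non-OpenBSD default, so the comment should mention that second case rather than attributing the skip to ge alone. Stylistically, `c` is introduced but the call still reads `crypto_engine_init(ps->ps_env)`; `crypto_engine_init(c);` uses the new local consistently. server_init starts in the previous hunk, outside this one.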
 
 int