diff --git a/SOURCES/bacula-9.0.6-use-crypto-from-openssl.patch b/SOURCES/bacula-9.0.6-use-crypto-from-openssl.patch
new file mode 100644
index 0000000..5f40438
--- /dev/null
+++ b/SOURCES/bacula-9.0.6-use-crypto-from-openssl.patch
@@ -0,0 +1,303 @@
+Author: Vaclav Dolezal <vdolezal@redhat.com>
+Date:   Mon Aug 12 14:51:39 2019 +0200
+
+    Use functions from OpenSSL for HMAC, MD5 and random bytes
+
+diff --git a/bacula/src/dird/dird_conf.c b/bacula/src/dird/dird_conf.c
+index 02fae0bab..dff241356 100644
+--- a/bacula/src/dird/dird_conf.c
++++ b/bacula/src/dird/dird_conf.c
+@@ -42,6 +42,10 @@
+ #include "bacula.h"
+ #include "dird.h"
+ 
++#if HAVE_OPENSSL
++# include <openssl/evp.h>
++#endif
++
+ /* Define the first and last resource ID record
+  * types. Note, these should be unique for each
+  * daemon though not a requirement.
+@@ -1645,6 +1649,11 @@ void free_resource(RES *rres, int type)
+          free(res->res_fs.exclude_items);
+       }
+       res->res_fs.num_excludes = 0;
++#if HAVE_OPENSSL
++      EVP_MD_CTX_free(res->res_fs.md5c);
++      res->res_fs.md5c = NULL;
++      res->res_fs.have_MD5 = false;
++#endif
+       break;
+    case R_POOL:
+       if (res->res_pool.pool_type) {
+diff --git a/bacula/src/dird/dird_conf.h b/bacula/src/dird/dird_conf.h
+index 5174a7a14..4e910c5bd 100644
+--- a/bacula/src/dird/dird_conf.h
++++ b/bacula/src/dird/dird_conf.h
+@@ -24,6 +24,10 @@
+ 
+ /* NOTE:  #includes at the end of this file */
+ 
++#if HAVE_OPENSSL
++# include <openssl/evp.h>
++#endif
++
+ /*
+  * Resource codes -- they must be sequential for indexing
+  */
+@@ -591,7 +595,11 @@ public:
+    INCEXE **exclude_items;
+    int32_t num_excludes;
+    bool have_MD5;                     /* set if MD5 initialized */
++#if HAVE_OPENSSL
++   EVP_MD_CTX *md5c;                  /* MD5 of include/exclude */
++#else
+    struct MD5Context md5c;            /* MD5 of include/exclude */
++#endif
+    char MD5[30];                      /* base 64 representation of MD5 */
+    bool ignore_fs_changes;            /* Don't force Full if FS changed */
+    bool enable_vss;                   /* Enable Volume Shadow Copy */
+diff --git a/bacula/src/dird/inc_conf.c b/bacula/src/dird/inc_conf.c
+index 3f4fbf55e..64b422242 100644
+--- a/bacula/src/dird/inc_conf.c
++++ b/bacula/src/dird/inc_conf.c
+@@ -32,6 +32,10 @@
+ #include <regex.h>
+ #endif
+ 
++#if HAVE_OPENSSL
++# include <openssl/evp.h>
++#endif
++
+ /* Forward referenced subroutines */
+ 
+ void store_inc(LEX *lc, RES_ITEM *item, int index, int pass);
+@@ -354,7 +358,17 @@ static void store_newinc(LEX *lc, RES_ITEM *item, int index, int pass)
+    bool options;
+ 
+    if (!res_all.res_fs.have_MD5) {
++#if HAVE_OPENSSL
++      res_all.res_fs.md5c = EVP_MD_CTX_new();
++      if (!res_all.res_fs.md5c
++         || !EVP_DigestInit_ex(res_all.res_fs.md5c, EVP_md5(), NULL)
++      ) {
++         Emsg1(M_ERROR_TERM, 0, "MD5 computation failed: %s\n",
++               ERR_reason_error_string(ERR_peek_last_error()));
++      }
++#else
+       MD5Init(&res_all.res_fs.md5c);
++#endif
+       res_all.res_fs.have_MD5 = true;
+    }
+    memset(&res_incexe, 0, sizeof(INCEXE));
+@@ -620,7 +634,13 @@ static void store_fname(LEX *lc, RES_ITEM2 *item, int index, int pass, bool excl
+          }
+       case T_QUOTED_STRING:
+          if (res_all.res_fs.have_MD5) {
++#if HAVE_OPENSSL
++            if (!EVP_DigestUpdate(res_all.res_fs.md5c, (void *)lc->str, (size_t) lc->str_len))
++               Emsg1(M_ERROR_TERM, 0, "MD5 computation failed: %s\n",
++                     ERR_reason_error_string(ERR_peek_last_error()));
++#else
+             MD5Update(&res_all.res_fs.md5c, (unsigned char *)lc->str, lc->str_len);
++#endif
+          }
+          incexe = &res_incexe;
+          if (incexe->name_list.size() == 0) {
+@@ -663,7 +683,13 @@ static void store_plugin_name(LEX *lc, RES_ITEM2 *item, int index, int pass, boo
+          }
+       case T_QUOTED_STRING:
+          if (res_all.res_fs.have_MD5) {
++#if HAVE_OPENSSL
++            if (!EVP_DigestUpdate(res_all.res_fs.md5c, (void *)lc->str, (size_t) lc->str_len))
++               Emsg1(M_ERROR_TERM, 0, "MD5 computation failed: %s\n",
++                     ERR_reason_error_string(ERR_peek_last_error()));
++#else
+             MD5Update(&res_all.res_fs.md5c, (unsigned char *)lc->str, lc->str_len);
++#endif
+          }
+          incexe = &res_incexe;
+          if (incexe->plugin_list.size() == 0) {
+diff --git a/bacula/src/dird/job.c b/bacula/src/dird/job.c
+index b5b39c7d5..7d69f0157 100644
+--- a/bacula/src/dird/job.c
++++ b/bacula/src/dird/job.c
+@@ -25,6 +25,10 @@
+ #include "bacula.h"
+ #include "dird.h"
+ 
++#if HAVE_OPENSSL
++# include <openssl/evp.h>
++#endif
++
+ /* Forward referenced subroutines */
+ static void *job_thread(void *arg);
+ static void job_monitor_watchdog(watchdog_t *self);
+@@ -1308,10 +1312,27 @@ bool get_or_create_fileset_record(JCR *jcr)
+    memset(&fsr, 0, sizeof(FILESET_DBR));
+    bstrncpy(fsr.FileSet, jcr->fileset->hdr.name, sizeof(fsr.FileSet));
+    if (jcr->fileset->have_MD5) {
++#if HAVE_OPENSSL
++      EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
++      if (!mdctx)
++         Emsg1(M_ERROR_TERM, 0, "MD5 computation failed: %s\n",
++               ERR_reason_error_string(ERR_peek_last_error()));
++#else
+       struct MD5Context md5c;
++#endif
+       unsigned char digest[MD5HashSize];
++#if HAVE_OPENSSL
++      if (!EVP_MD_CTX_copy_ex(mdctx, jcr->fileset->md5c)
++         || !EVP_DigestFinal_ex(mdctx, digest, NULL)
++      ) {
++         Emsg1(M_ERROR_TERM, 0, "MD5 computation failed: %s\n",
++               ERR_reason_error_string(ERR_peek_last_error()));
++      }
++      EVP_MD_CTX_free(mdctx);
++#else
+       memcpy(&md5c, &jcr->fileset->md5c, sizeof(md5c));
+       MD5Final(digest, &md5c);
++#endif
+       /*
+        * Keep the flag (last arg) set to false otherwise old FileSets will
+        * get new MD5 sums and the user will get Full backups on everything
+diff --git a/bacula/src/lib/hmac.c b/bacula/src/lib/hmac.c
+index a8d5e3dc0..dc3b78383 100644
+--- a/bacula/src/lib/hmac.c
++++ b/bacula/src/lib/hmac.c
+@@ -26,6 +26,10 @@
+  */
+ #include "bacula.h"
+ 
++#if HAVE_OPENSSL
++# include <openssl/hmac.h>
++#endif
++
+ #define PAD_LEN 64           /* PAD length */
+ #define SIG_LEN MD5HashSize  /* MD5 digest length */
+ 
+@@ -36,6 +40,19 @@ hmac_md5(
+     uint8_t*  key,             /* pointer to authentication key */
+     int   key_len,             /* length of authentication key */
+     uint8_t  *hmac)            /* returned hmac-md5 */
++#if HAVE_OPENSSL
++{
++    if (!HMAC(
++        EVP_md5(),
++        key, key_len,
++        text, text_len,
++        hmac, NULL
++    )) {
++        Emsg0(M_ERROR_TERM, 0, "HMAC computation failed\n");
++    }
++
++}
++#else
+ {
+    MD5Context md5c;
+    uint8_t k_ipad[PAD_LEN];    /* inner padding - key XORd with ipad */
+@@ -90,6 +107,7 @@ hmac_md5(
+    MD5Update(&md5c, hmac, SIG_LEN);   /* hash inner hash */
+    MD5Final(hmac, &md5c);             /* store results */
+ }
++#endif
+ /*
+ Test Vectors (Trailing '\0' of a character string not included in test):
+ 
+diff --git a/bacula/src/lib/parse_conf.c b/bacula/src/lib/parse_conf.c
+index cb3573fbd..3f3f93fdc 100644
+--- a/bacula/src/lib/parse_conf.c
++++ b/bacula/src/lib/parse_conf.c
+@@ -59,6 +59,10 @@
+ #define MAX_PATH  1024
+ #endif
+ 
++#if HAVE_OPENSSL
++# include <openssl/evp.h>
++#endif
++
+ /*
+  * Define the Union of all the common resource structure definitions.
+  */
+@@ -538,7 +542,11 @@ void store_dir(LEX *lc, RES_ITEM *item, int index, int pass)
+ void store_password(LEX *lc, RES_ITEM *item, int index, int pass)
+ {
+    unsigned int i, j;
++#if HAVE_OPENSSL
++   EVP_MD_CTX *mdctx = NULL;
++#else
+    struct MD5Context md5c;
++#endif
+    unsigned char digest[CRYPTO_DIGEST_MD5_SIZE];
+    char sig[100];
+ 
+@@ -548,9 +556,21 @@ void store_password(LEX *lc, RES_ITEM *item, int index, int pass)
+    } else {
+       lex_get_token(lc, T_STRING);
+       if (pass == 1) {
++#if HAVE_OPENSSL
++         mdctx = EVP_MD_CTX_new();
++         if (!mdctx
++            || !EVP_DigestInit_ex(mdctx, EVP_md5(), NULL)
++            || !EVP_DigestUpdate(mdctx, (const void *) lc->str, (size_t) lc->str_len)
++            || !EVP_DigestFinal_ex(mdctx, digest, NULL)
++         ) {
++            Emsg1(M_ERROR_TERM, 0, "MD5 computation failed: %s\n",
++                  ERR_reason_error_string(ERR_peek_last_error()));
++         }
++#else
+          MD5Init(&md5c);
+          MD5Update(&md5c, (unsigned char *) (lc->str), lc->str_len);
+          MD5Final(digest, &md5c);
++#endif
+          for (i = j = 0; i < sizeof(digest); i++) {
+             sprintf(&sig[j], "%02x", digest[i]);
+             j += 2;
+diff --git a/bacula/src/lib/util.c b/bacula/src/lib/util.c
+index 2c425aa4c..e82b907d8 100644
+--- a/bacula/src/lib/util.c
++++ b/bacula/src/lib/util.c
+@@ -707,6 +707,35 @@ int do_shell_expansion(char *name, int name_len)
+     from SpeakFreely by John Walker */
+ 
+ void make_session_key(char *key, char *seed, int mode)
++#if HAVE_OPENSSL
++{
++   int j, k;
++   unsigned char buf[16];
++
++   (void) seed;
++
++   if (!RAND_bytes(buf, sizeof(buf)))
++       Emsg1(M_ERROR_TERM, 0, "Random bytes generation failed: %s\n",
++             ERR_reason_error_string(ERR_peek_last_error()));
++
++   if (mode) {
++     for (j = k = 0; j < 16; j++) {
++        unsigned char rb = buf[j];
++
++#define Rad16(x) ((x) + 'A')
++        key[k++] = Rad16((rb >> 4) & 0xF);
++        key[k++] = Rad16(rb & 0xF);
++#undef Rad16
++        if (j & 1) {
++           key[k++] = '-';
++        }
++     }
++     key[--k] = 0;
++   } else {
++      memcpy(key, buf, sizeof(buf));
++   }
++}
++#else
+ {
+    int j, k;
+    struct MD5Context md5c;
+@@ -790,6 +819,7 @@ void make_session_key(char *key, char *seed, int mode)
+    }
+ }
+ #undef nextrand
++#endif
+ 
+ void encode_session_key(char *encode, char *session, char *key, int maxlen)
+ {
diff --git a/SPECS/bacula.spec b/SPECS/bacula.spec
index 397facb..37b6c55 100644
--- a/SPECS/bacula.spec
+++ b/SPECS/bacula.spec
@@ -3,7 +3,7 @@
 
 Name:               bacula
 Version:            9.0.6
-Release:            4%{?dist}
+Release:            6%{?dist}
 Summary:            Cross platform network backup for Linux, Unix, Mac and Windows
 # See LICENSE for details
 License:            AGPLv3 with exceptions
@@ -49,6 +49,8 @@ Patch9:             %{name}-9.0.6-tray-monitor-task.patch
 Patch10:            %{name}-7.0.4-autoconf.patch
 Patch11:            %{name}-9.0.6-qt5-support.patch
 
+Patch12:            %{name}-9.0.6-use-crypto-from-openssl.patch
+
 BuildRequires:      desktop-file-utils
 BuildRequires:      perl-generators
 BuildRequires:      sed
@@ -311,6 +313,7 @@ This development package contains static libraries and header files.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p2
 
 cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} .
 
@@ -430,10 +433,7 @@ chmod 755 %{buildroot}%{_libdir}/bacula/*
 chmod 755 %{buildroot}%{_libexecdir}/bacula/*
 chmod 644 %{buildroot}%{_libexecdir}/bacula/btraceback.*
 
-%post libs -p /sbin/ldconfig
-
-%postun libs -p /sbin/ldconfig
-exit 0
+%ldconfig_scriptlets libs
 
 %post libs-sql
 /usr/sbin/alternatives --install %{_libdir}/libbaccats.so libbaccats.so %{_libdir}/libbaccats-mysql.so 50
@@ -555,7 +555,7 @@ fi
 %{_libdir}/libbaccfg-%{version}.so
 %{_libdir}/libbacfind-%{version}.so
 %{_libdir}/libbacsd-%{version}.so
-%{_libdir}/libbaccats-%{version}.so
+%exclude %{_libdir}/libbaccats-%{version}.so
 
 %files libs-sql
 %{_libdir}/libbaccats-mysql-%{version}.so
@@ -705,6 +705,12 @@ fi
 %{_libdir}/libbacsql.so
 
 %changelog
+* Fri Jun 28 2019 Václav Doležal <vdolezal@redhat.com> - 9.0.6-6
+- Fix error in postun and rpm -V
+
+* Fri Jun 28 2019 Václav Doležal <vdolezal@redhat.com> - 9.0.6-5
+- use OpenSSL library instead of internal implementations of MD5 and HMAC (#1613068)
+
 * Thu Aug 16 2018 Václav Doležal <vdolezal@redhat.com> - 9.0.6-4
 - remove Nagios plugin (#1616438)