diff --git a/NEWS b/NEWS
index b04040871..9774e2c38 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ Post-v3.4.0
    * TLSv1 and TLSv1.1 protocols are deprecated and disabled by default on OpenFlow and database connections. Use --ssl-protocols to turn them back on. Support will be fully removed in the next release.
+   * OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
    - Userspace datapath:
      * The default zone limit, if set, is now inherited by any zone that does not have a specific value defined, rather than being
diff --git a/build-aux/generate-dhparams-c b/build-aux/generate-dhparams-c
index aca1dbca9..ffb56aa18 100755
--- a/build-aux/generate-dhparams-c
+++ b/build-aux/generate-dhparams-c
@@ -83,13 +83,7 @@ static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
     ovs_assert(q == NULL);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    dh->p = p;
-    dh->g = g;
-    return 1;
-#else
     return DH_set0_pqg(dh, p, NULL, g);
-#endif
 }
 EOF
 dhparam_to_c lib/dh2048.pem
diff --git a/lib/dhparams.c b/lib/dhparams.c
index 50209d5d8..4232381ba 100644
--- a/lib/dhparams.c
+++ b/lib/dhparams.c
@@ -11,13 +11,7 @@ static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
     ovs_assert(q == NULL);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    dh->p = p;
-    dh->g = g;
-    return 1;
-#else
     return DH_set0_pqg(dh, p, NULL, g);
-#endif
 }
 DH *get_dh2048(void) {
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 8928e83e0..8b0208e92 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
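Review bot: `my_DH_set0_pqg` in the generate-dhparams-c heredoc is now a one-line forward to `DH_set0_pqg()` guarded only by an unexplained `ovs_assert(q == NULL)`, so a reader no longer sees why the wrapper exists at all; suggest a comment above it such as `/* Wrapper around DH_set0_pqg() for the generated get_dh2048(); only p and g are ever supplied, so q must be NULL. */`. With the 1.1.1 floor the wrapper is also the natural place to note that the low-level `DH_*` API is deprecated as of OpenSSL 3.0, so a build that hides deprecated declarations would fail on this line; that is pre-existing and not something this commit needs to fix. The lib/dhparams.c hunk is the generated copy of the same change and needs no separate review.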
@@ -286,14 +286,12 @@ new_ssl_stream(char *name, char *server_name, int fd, enum session_type type,
     if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
         SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
     }
-#if OPENSSL_SUPPORTS_SNI
     if (server_name && !SSL_set_tlsext_host_name(ssl, server_name)) {
         VLOG_ERR("%s: failed to set server name indication (%s)",
                  server_name, ERR_error_string(ERR_get_error(), NULL));
         retval = ENOPROTOOPT;
         goto error;
     }
-#endif
 
     /* Create and return the ssl_stream. */
     sslv = xmalloc(sizeof *sslv);
@@ -499,14 +497,7 @@ get_peer_common_name(const struct ssl_stream *sslv)
         goto error;
     }
 
-    const char *cn;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */
-    cn = (const char *)ASN1_STRING_data(cn_data);
-#else
-    cn = (const char *)ASN1_STRING_get0_data(cn_data);
- #endif
-    peer_name = xstrdup(cn);
+    peer_name = xstrdup((const char *) ASN1_STRING_get0_data(cn_data));
 
 error:
     X509_free(peer_cert);
@@ -571,13 +562,11 @@ ssl_connect(struct stream *stream)
                       "rejecting SSL/TLS connection during bootstrap race window");
             return EPROTO;
         } else {
-#if OPENSSL_SUPPORTS_SNI
             const char *servername = SSL_get_servername(
                 sslv->ssl, TLSEXT_NAMETYPE_host_name);
             if (servername) {
                 VLOG_DBG("connection indicated server name %s", servername);
             }
-#endif
 
             char *cn = get_peer_common_name(sslv);
@@ -1016,15 +1005,6 @@ do_ssl_init(void)
 {
     SSL_METHOD *method;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-#ifdef _WIN32
-    /* The following call is needed if we "#include ". */
-    CRYPTO_malloc_init();
-#endif
-    SSL_library_init();
-    SSL_load_error_strings();
-#endif
-
     if (!RAND_status()) {
         /* We occasionally see OpenSSL fail to seed its random number generator
          * in heavily loaded hypervisors. I suspect the following scenario:
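Review bot: `peer_name = xstrdup((const char *) ASN1_STRING_get0_data(cn_data));` in the get_peer_common_name hunk treats the CN as a NUL-terminated C string, but `ASN1_STRING_get0_data()` returns a byte buffer whose length is given separately by `ASN1_STRING_length()`; a CN carrying an embedded NUL is silently cut at that NUL, so the name handed back to ssl_connect can differ from what the certificate actually contains. The defensive form checks the two lengths agree before copying, e.g. `int len = ASN1_STRING_length(cn_data);` / `if (len < 0 || strlen((const char *) ASN1_STRING_get0_data(cn_data)) != (size_t) len) { goto error; }` ahead of the xstrdup; `ASN1_STRING_to_UTF8()` would additionally normalise non-UTF8 string types, which get0_data does not. The behaviour is unchanged from before this commit and the start of get_peer_common_name is outside the hunk, so an existing length check there may already cover it.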
@@ -1269,12 +1249,6 @@ stream_ssl_set_protocols(const char *arg)
     }
 
     /* Start with all the flags off and turn them on as requested. */
-#ifndef SSL_OP_NO_SSL_MASK
-    /* For old OpenSSL without this macro, this is the correct value. */
-#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
-                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
-                            SSL_OP_NO_TLSv1_2)
-#endif
     long protocol_flags = SSL_OP_NO_SSL_MASK;
     struct {
         const char *name;
diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4
index a6b5c783b..b93516557 100644
--- a/m4/openvswitch.m4
+++ b/m4/openvswitch.m4
@@ -293,22 +293,6 @@ OpenFlow connections over SSL/TLS will not be supported.
   if test "$HAVE_OPENSSL" = yes; then
     AC_DEFINE([HAVE_OPENSSL], [1], [Define to 1 if OpenSSL is installed.])
   fi
-
-  OPENSSL_SUPPORTS_SNI=no
-  if test $HAVE_OPENSSL = yes; then
-    save_CPPFLAGS=$CPPFLAGS
-    CPPFLAGS="$CPPFLAGS $SSL_INCLUDES"
-    AC_CHECK_DECL([SSL_set_tlsext_host_name], [OPENSSL_SUPPORTS_SNI=yes],
-                  [], [#include
-])
-    if test $OPENSSL_SUPPORTS_SNI = yes; then
-      AC_DEFINE(
-        [OPENSSL_SUPPORTS_SNI], [1],
-        [Define to 1 if OpenSSL supports Server Name Indication (SNI).])
-    fi
-    CPPFLAGS=$save_CPPFLAGS
-  fi
-  AC_SUBST([OPENSSL_SUPPORTS_SNI])
 ])
 
 dnl Checks for libraries needed by lib/socket-util.c.
diff --git a/tests/atlocal.in b/tests/atlocal.in
index 1c3d4891a..e70c03f8c 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -1,6 +1,5 @@
 # -*- shell-script -*-
 HAVE_OPENSSL='@HAVE_OPENSSL@'
-OPENSSL_SUPPORTS_SNI='@OPENSSL_SUPPORTS_SNI@'
 HAVE_UNBOUND='@HAVE_UNBOUND@'
 HAVE_BACKTRACE='@HAVE_BACKTRACE@'
 HAVE_UNWIND='@HAVE_UNWIND@'
diff --git a/tests/ovs-vsctl.at b/tests/ovs-vsctl.at
index febb9dadf..a0e49155a 100644
--- a/tests/ovs-vsctl.at
+++ b/tests/ovs-vsctl.at
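Review bot: The stream_ssl_set_protocols hunk removes the `SSL_OP_NO_SSL_MASK` fallback and the m4/openvswitch.m4 hunk removes the SNI probe, but nothing in this diff checks that the detected OpenSSL is actually 1.1.1 or newer, which NEWS now states as the requirement; an older library would no longer be rejected, it would just fail to compile with errors that do not name the real cause (the same applies to the do_ssl_init hunk). Making the floor explicit next to the OpenSSL includes in lib/stream-ssl.c is three lines: `#if OPENSSL_VERSION_NUMBER < 0x10101000L` / `#error "OpenSSL 1.1.1 or newer is required for SSL/TLS support"` / `#endif`, and a configure-time version test in the OpenSSL probe would fail even earlier. The removed conditions also treated `LIBRESSL_VERSION_NUMBER` builds as the pre-1.1 API, and LibreSSL reports `OPENSSL_VERSION_NUMBER` as 0x20000000L, so whether LibreSSL stays supported should be decided and documented rather than left to whichever call fails first. The probe that sets HAVE_OPENSSL is outside the hunk, so a version check may already live there.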
@@ -1734,7 +1734,6 @@ AT_CLEANUP
 AT_SETUP([TLS server name indication (SNI)])
 AT_KEYWORDS([ovsdb server positive ssl tls sni])
 AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
-AT_SKIP_IF([test "$OPENSSL_SUPPORTS_SNI" = no])
 AT_SKIP_IF([test "$HAVE_UNBOUND" = no])
 OVSDB_INIT([conf.db])
 PKIDIR=$abs_top_builddir/tests