diff --git a/.gitignore b/.gitignore
index d104c77b7..3ca961b72 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,7 @@ build
 attic/clock
 .DS_Store
+*~
+.*.swp
+ID
+tags
diff --git a/include/ntp.h b/include/ntp.h
index 3af4e1f25..1c1a446ff 100644
--- a/include/ntp.h
+++ b/include/ntp.h
@@ -16,10 +16,7 @@
 #include "ntp_net.h"
 #include "nts.h"
-/* common place to check/crash on unlikely error return */
-void ntp_RAND_bytes(unsigned char *buf, int num);
-void ntp_RAND_priv_bytes(unsigned char *buf, int num);
-
+extern void ntp_random_buf (void*, size_t);
 /*
 * Calendar arithmetic - contributed by G. Healton
diff --git a/libntp/ntp_random.c b/libntp/ntp_random.c
index adb375b24..1f324ffcf 100644
--- a/libntp/ntp_random.c
+++ b/libntp/ntp_random.c
@@ -4,9 +4,12 @@
 */
 #include
+#include
+#include
-#include
-#include
+#if !defined(__linux__) || !defined(__NR_getrandom)
+# error required linux and getrandom
+#endif
 #include "config.h"
 #include "ntp.h"
@@ -18,24 +21,15 @@
 * so this won't be a problem on newer Linux systems.
 */
-void ntp_RAND_bytes(unsigned char *buf, int num) {
- int err;
- err = RAND_bytes(buf, num);
- if (1 != err) {
- msyslog(LOG_ERR, "ERR: RAND_bytes failed");
- exit(1);
- }
-}
-
-void ntp_RAND_priv_bytes(unsigned char *buf, int num) {
- int err;
-#if (OPENSSL_VERSION_NUMBER > 0x1010100fL) && !defined(LIBRESSL_VERSION_NUMBER)
- err = RAND_priv_bytes(buf, num);
-#else
- err = RAND_bytes(buf, num);
-#endif
- if (1 != err) {
- msyslog(LOG_ERR, "ERR: RAND_priv_bytes failed");
- exit(1);
- }
+void
+ntp_random_buf (void* out, size_t len)
+{
+ if (len > 256) {
+ msyslog(LOG_ERR, "ERR: ntp_random_buf requested for %zu bytes\n", len);
+ exit(1);
+ }
+ if (getrandom(out, len, 0) != (ssize_t)len) {
+ msyslog(LOG_ERR, "ERR: ntp_random_buf failed: %s\n", strerror(errno));
+ exit(1);
+ }
 }
diff --git a/libntp/ssl_init.c b/libntp/ssl_init.c
index 1a4faf538..3811acf86 100644
--- a/libntp/ssl_init.c
+++ b/libntp/ssl_init.c
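Review bot: The new declaration `extern void ntp_random_buf (void*, size_t);` drops both the parameter names and the explanatory comment the two old prototypes carried ("common place to check/crash on unlikely error return"), so a reader of ntp.h cannot see that the call terminates the process on failure or that the implementation in libntp/ntp_random.c (same commit) refuses requests larger than 256 bytes. I would declare it as `/* Fill buf with len (<= 256) bytes from the kernel CSPRNG; exits ntpd on any failure. */` followed by `void ntp_random_buf(void *buf, size_t len);`. The `extern` is redundant on a function declaration and the prototypes being replaced did not use it.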
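Review bot: The check `getrandom(out, len, 0) != (ssize_t)len` treats an interrupted call as fatal: with flags 0 the call blocks until the kernel pool is initialized, and as I read getrandom(2) a call blocked in that state can be interrupted by a signal and fail with EINTR, so an ntpd started early at boot on an entropy-starved machine would exit instead of waiting. The 256-byte cap is presumably there because getrandom(2) promises that requests of at most 256 bytes from an initialized pool are neither short nor interrupted, but nothing in the code says so; a comment stating that would explain the otherwise arbitrary limit. The two new msyslog formats end in "\n", which no other msyslog call in this commit does (compare the removed "ERR: RAND_bytes failed" above and "INIT: pthread_setschedparam(): %s" in ntpd/ntpd.c). The guard tests `__NR_getrandom` (the syscall number) while the body calls the libc wrapper `getrandom()`; the include lines are not visible in this rendering, so I cannot tell what header is pulled in, but the guard does not by itself prove the wrapper exists on the build host. A version that keeps the cap but retries on EINTR and consumes partial returns would be:
```c
void
ntp_random_buf (void* out, size_t len)
{
	/* getrandom(2): once the pool is initialized, requests of at most 256
	 * bytes are never short and never interrupted; larger is a caller bug. */
	if (len > 256) {
		msyslog(LOG_ERR, "ERR: ntp_random_buf requested for %zu bytes", len);
		exit(1);
	}
	unsigned char *p = out;
	while (len > 0) {
		ssize_t got = getrandom(p, len, 0);
		if (got < 0) {
			if (errno == EINTR) {
				/* signal while blocked for pool init: just retry */
				continue;
			}
			msyslog(LOG_ERR, "ERR: ntp_random_buf failed: %s", strerror(errno));
			exit(1);
		}
		p += got;
		len -= (size_t)got;
	}
}
```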
@@ -47,7 +47,6 @@ ssl_init(void)
 /* More initialization help for seccomp */
 /* RAND_poll in OpenSSL on Raspbian needs get{u,g,eu,eg}id() */
- ntp_RAND_bytes(&dummy, 1);
 digest_ctx = EVP_MD_CTX_new();
 cmac_ctx = CMAC_CTX_new();
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 03b82b617..1bb3bee46 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -2895,7 +2895,7 @@ static uint32_t derive_nonce(
 unsigned int len;
 if (current_time >= next_salt_update) {
- ntp_RAND_bytes(&salt[0], sizeof(salt));
+ ntp_random_buf(salt, sizeof(salt));
 next_salt_update = current_time+SECSPERHR;
 if (0) msyslog(LOG_INFO, "derive_nonce: update salt, %lld", \
 (long long)next_salt_update);
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 25d368c0c..8c4ca7cd8 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -2161,8 +2161,8 @@ peer_xmit(
 xpkt.reftime = htonl_fp(0);
 xpkt.org = htonl_fp(0);
 xpkt.rec = htonl_fp(0);
- ntp_RAND_bytes((unsigned char *)&peer->org_rand,
- sizeof(peer->org_rand));
+ ntp_random_buf((unsigned char *)&peer->org_rand,
+ sizeof(peer->org_rand));
 get_systime(&peer->org_ts); /* as late as possible */
 } else {
 xpkt.li_vn_mode = PKT_LI_VN_MODE(
diff --git a/ntpd/ntp_scanner.c b/ntpd/ntp_scanner.c
index 1182aeaf1..07b52298c 100644
--- a/ntpd/ntp_scanner.c
+++ b/ntpd/ntp_scanner.c
@@ -156,6 +156,8 @@ lex_open(
 msyslog(LOG_ERR, "CONFIG: failed to open \'%s\': %s",
 path, strerror(errno));
 stream = NULL;
+ msyslog(LOG_ERR, "CONFIG: failed to open \'%s\': %s",
+ path, strerror(errno));
 }
 }
 return stream;
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index 3503eaedd..7d38d97ff 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
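Review bot: Removing `ntp_RAND_bytes(&dummy, 1);` leaves the two context comments above it ("More initialization help for seccomp" / "RAND_poll in OpenSSL on Raspbian needs get{u,g,eu,eg}id()") describing a call that no longer exists, and it also removes the warm-up that forced OpenSSL's RAND_poll() to run inside ssl_init(), before the seccomp filter is installed. If anything later still draws from OpenSSL's DRBG (the NTS-KE TLS path is the obvious candidate, not visible here), its first seeding now happens under the sandbox and the get*id() calls the comment mentions must be in the allow-list or the process is killed. Either keep a one-byte `RAND_bytes()` warm-up here together with the comment, or delete the two comment lines and confirm the seccomp profile covers the syscalls RAND_poll() makes. The `dummy` variable is declared outside the hunk; if this was its only use it is now unused and will warn.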
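Review bot: The `(unsigned char *)` cast on `&peer->org_rand` is now dead weight: ntp_random_buf takes `void *` (include/ntp.h in this commit), so `ntp_random_buf(&peer->org_rand, sizeof(peer->org_rand));` is the whole call and fits on one line. The same applies to the `(uint8_t *)&nts_keys[0].I` cast kept in ntpd/nts_cookie.c. peer_xmit continues on both sides of the hunk.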
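Review bot: The added `msyslog(LOG_ERR, "CONFIG: failed to open \'%s\': %s", path, strerror(errno));` is byte-for-byte the call already made two context lines above it, so unless that earlier call sits in a branch the hunk does not show, every failed open is now reported twice. The second copy is also the less reliable one: its `strerror(errno)` is evaluated after the first msyslog() has run, and msyslog may itself change errno, so the two lines can name different errors. If one message is wanted, drop the two added lines; if the intent was to log after `stream = NULL;`, move the original call rather than duplicating it, and capture errno into a local right after the open fails (`int saved_errno = errno;`) before any logging. lex_open begins before the hunk.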
@@ -437,10 +437,10 @@ set_process_priority(void)
 int pmax, pmin;
 struct sched_param sched;
- pmax = sched_get_priority_max(SCHED_FIFO);
+ pmax = sched_get_priority_max(SCHED_RR);
 sched.sched_priority = pmax;
 if ( config_priority_override ) {
- pmin = sched_get_priority_min(SCHED_FIFO);
+ pmin = sched_get_priority_min(SCHED_RR);
 if ( config_priority > pmax )
 sched.sched_priority = pmax;
 else if ( config_priority < pmin )
@@ -448,7 +448,7 @@ set_process_priority(void)
 else
 sched.sched_priority = config_priority;
 }
- if ( pthread_setschedparam(pthread_self(), SCHED_FIFO, &sched) != 0 )
+ if ( pthread_setschedparam(pthread_self(), SCHED_RR, &sched) != 0 )
 msyslog(LOG_ERR, "INIT: pthread_setschedparam(): %s", strerror(errno));
 else
 need_priority = false;
diff --git a/ntpd/nts_cookie.c b/ntpd/nts_cookie.c
index 166d0230f..e9be85b6f 100644
--- a/ntpd/nts_cookie.c
+++ b/ntpd/nts_cookie.c
@@ -242,9 +242,8 @@ void nts_make_cookie_key(void) {
 for (int i=nts_nKeys-1; i>0; i--) {
 nts_keys[i] = nts_keys[i-1];
 }
- ntp_RAND_priv_bytes(nts_keys[0].K, K_length);
- ntp_RAND_bytes((uint8_t *)&nts_keys[0].I, sizeof(nts_keys[0].I));
- return;
+ ntp_random_buf(nts_keys[0].K, K_length);
+ ntp_random_buf((uint8_t *)&nts_keys[0].I, sizeof(nts_keys[0].I));
 }
 bool nts_write_cookie_keys(void) {
@@ -332,7 +331,7 @@ int nts_make_cookie(uint8_t *cookie,
 finger += sizeof(nts_keys[0].I);
 nonce = finger;
- ntp_RAND_bytes(finger, NONCE_LENGTH);
+ ntp_random_buf(finger, NONCE_LENGTH);
 finger += NONCE_LENGTH;
 used = finger-cookie;
diff --git a/ntpd/nts_extens.c b/ntpd/nts_extens.c
index 553b61b25..dbe985dba 100644
--- a/ntpd/nts_extens.c
+++ b/ntpd/nts_extens.c
@@ -72,7 +72,7 @@ int extens_client_send(struct peer *peer, struct pkt *xpkt) {
 buf.left = MAX_EXT_LEN;
 /* UID */
- ntp_RAND_bytes(peer->nts_state.UID, NTS_UID_LENGTH);
+ ntp_random_buf(peer->nts_state.UID, NTS_UID_LENGTH);
 ex_append_record_bytes(&buf, Unique_Identifier, peer->nts_state.UID, NTS_UID_LENGTH);
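Review bot: The switch from SCHED_FIFO to SCHED_RR is made in three separate places across both hunks of set_process_priority with no comment saying why, and nothing ties the three occurrences together, so a later edit can leave one of them behind and pthread_setschedparam() would then be handed a priority range computed for a different policy. I would hoist the policy into one file-scope constant, e.g. `#define NTPD_SCHED_POLICY SCHED_RR` with a comment giving the reason round-robin was preferred, and use it in `sched_get_priority_max`, `sched_get_priority_min` and the `pthread_setschedparam` call. The function starts before the first hunk and its remainder is outside the second.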
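Review bot: `ntp_random_buf(nts_keys[0].K, K_length);` replaces ntp_RAND_priv_bytes, so the long-lived cookie master key and the public nonces and UIDs changed elsewhere in this commit now draw from the same source, where OpenSSL previously gave the key its own private DRBG instance. Taking both from the kernel CSPRNG via getrandom(2) is a sound choice, but it is a deliberate security decision and deserves a one-line comment here, e.g. `/* K is long-lived key material; it and the public nonces now both come from the kernel CSPRNG, there is no separate private DRBG. */`. Note also that ntp_random_buf (libntp/ntp_random.c in this commit) exits the process for requests over 256 bytes, so K_length, which is defined outside this hunk, must stay at or below that; if it is a compile-time constant a `_Static_assert` next to its definition would make the coupling explicit. The opening line of nts_make_cookie_key is the hunk's @@ trailer, outside the hunk.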
@@ -98,7 +98,7 @@ int extens_client_send(struct peer *peer, struct pkt *xpkt) {
 append_uint16(&buf, NONCE_LENGTH);
 append_uint16(&buf, CMAC_LENGTH);
 nonce = buf.next;
- ntp_RAND_bytes(nonce, NONCE_LENGTH);
+ ntp_random_buf(nonce, NONCE_LENGTH);
 buf.next += NONCE_LENGTH;
 buf.left -= NONCE_LENGTH;
 left = buf.left;
@@ -304,7 +304,7 @@ int extens_server_send(struct ntspacket_t *ntspacket, struct pkt *xpkt) {
 append_uint16(&buf, plainleng+CMAC_LENGTH);
 nonce = buf.next;
- ntp_RAND_bytes(nonce, NONCE_LENGTH);
+ ntp_random_buf(nonce, NONCE_LENGTH);
 buf.next += NONCE_LENGTH;
 buf.left -= NONCE_LENGTH;
diff --git a/tests/libntp/ntp_random.c b/tests/libntp/ntp_random.c
index f7f510b20..bc7602a0d 100644
--- a/tests/libntp/ntp_random.c
+++ b/tests/libntp/ntp_random.c
@@ -56,7 +56,7 @@ TEST(random, random_bytes) {
 */
 for (int i=0; i<99; i++) {
 unsigned char sample[BYTES];
- ntp_RAND_bytes(&sample[0], BYTES);
+ ntp_random_buf(&sample[0], BYTES);
 for (int j=0; j