diff --git a/LICENSES/README.md b/LICENSES/README.md index f01049c13f..3c28de51b1 100644 --- a/LICENSES/README.md +++ b/LICENSES/README.md @@ -58,3 +58,8 @@ The following exceptions apply: **BSD-3-Clause** license. * any files under test/ without an explicit license we assume non-copyrightable (eg: computer-generated fuzzer data) + +## OpenSSL Notes + +Note that building the systemd project with OpenSSL does not affect the libsystemd.so +shared library, which is not linked with the OpenSSL library. diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build index 8ec871f6a4..02b2cd64b2 100644 --- a/src/libsystemd/meson.build +++ b/src/libsystemd/meson.build @@ -170,8 +170,7 @@ libsystemd_static = static_library( include_directories : libsystemd_includes, link_with : libbasic, dependencies : [threads, - librt, - libopenssl], + librt], c_args : libsystemd_c_args) libsystemd_sym = files('libsystemd.sym') diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c index 28ae10a198..992b19130e 100644 --- a/src/libsystemd/sd-id128/sd-id128.c +++ b/src/libsystemd/sd-id128/sd-id128.c @@ -4,21 +4,14 @@ #include #include -#if HAVE_OPENSSL -#include -#include -#endif - #include "sd-id128.h" #include "alloc-util.h" #include "fd-util.h" #include "hexdecoct.h" +#include "hmac.h" #include "id128-util.h" #include "io-util.h" -#if !HAVE_OPENSSL -#include "khash.h" -#endif #include "macro.h" #include "missing_syscall.h" #include "random-util.h" 
@@ -278,43 +271,15 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) { } static int get_app_specific(sd_id128_t base, sd_id128_t app_id, sd_id128_t *ret) { + uint8_t hmac[SHA256_DIGEST_SIZE]; sd_id128_t result; assert(ret); -#if HAVE_OPENSSL - /* We prefer doing this in-process, since we this means we are not dependent on kernel configuration, - * and this also works in locked down container environments. But some distros don't like OpenSSL's - * license and its (in-) compatibility with GPL2, hence also support khash */ - uint8_t md[256/8]; - if (!HMAC(EVP_sha256(), - &base, sizeof(base), - (const unsigned char*) &app_id, sizeof(app_id), - md, NULL)) - return -ENOTRECOVERABLE; + hmac_sha256(&base, sizeof(base), &app_id, sizeof(app_id), hmac); /* Take only the first half. */ - memcpy(&result, md, MIN(sizeof(md), sizeof(result))); -#else - _cleanup_(khash_unrefp) khash *h = NULL; - const void *p; - int r; - - r = khash_new_with_key(&h, "hmac(sha256)", &base, sizeof(base)); - if (r < 0) - return r; - - r = khash_put(h, &app_id, sizeof(app_id)); - if (r < 0) - return r; - - r = khash_digest_data(h, &p); - if (r < 0) - return r; - - /* We chop off the trailing 16 bytes */ - memcpy(&result, p, MIN(khash_get_size(h), sizeof(result))); -#endif + memcpy(&result, hmac, MIN(sizeof(hmac), sizeof(result))); *ret = id128_make_v4_uuid(result); return 0; diff --git a/src/test/test-id128.c b/src/test/test-id128.c index a61b35b9a3..55fdab0ab8 100644 --- a/src/test/test-id128.c +++ b/src/test/test-id128.c 
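Review bot: In get_app_specific(), `memcpy(&result, hmac, MIN(sizeof(hmac), sizeof(result)))` keeps a MIN() that was needed when the digest size came from khash at run time, but both sizes are now compile-time constants; if the digest were ever shorter than `sd_id128_t`, the tail of `result` would go out uninitialized in a public ID. I would pin the relation with `assert_cc(sizeof(hmac) >= sizeof(result));` and copy with `memcpy(&result, hmac, sizeof(result));`. The removed comment was the only place that explained where the HMAC is computed, so a one-line replacement such as `/* HMAC-SHA256 keyed with the base ID over the app ID, computed in-process so the result does not depend on kernel crypto configuration */` would keep the key and message roles explicit, since swapping them would change every derived ID. The `hmac` buffer holds a digest keyed by the base ID (the machine ID for the caller exercised in the test) and half of it is discarded, so wiping it before return is worth considering, although the old `md` buffer was not wiped either.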
@@ -146,16 +146,11 @@ int main(int argc, char *argv[]) { assert_se(id128_read_fd(fd, ID128_UUID, &id2) >= 0); assert_se(sd_id128_equal(id, id2)); - r = sd_id128_get_machine_app_specific(SD_ID128_MAKE(f0,3d,aa,eb,1c,33,4b,43,a7,32,17,29,44,bf,77,2e), &id); - if (r == -EOPNOTSUPP) - log_info("khash not supported on this kernel, skipping sd_id128_get_machine_app_specific() checks"); - else { - assert_se(r >= 0); - assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(f0,3d,aa,eb,1c,33,4b,43,a7,32,17,29,44,bf,77,2e), &id2) >= 0); - assert_se(sd_id128_equal(id, id2)); - assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(51,df,0b,4b,c3,b0,4c,97,80,e2,99,b9,8c,a3,73,b8), &id2) >= 0); - assert_se(!sd_id128_equal(id, id2)); - } + assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(f0,3d,aa,eb,1c,33,4b,43,a7,32,17,29,44,bf,77,2e), &id) >= 0); + assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(f0,3d,aa,eb,1c,33,4b,43,a7,32,17,29,44,bf,77,2e), &id2) >= 0); + assert_se(sd_id128_equal(id, id2)); + assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(51,df,0b,4b,c3,b0,4c,97,80,e2,99,b9,8c,a3,73,b8), &id2) >= 0); + assert_se(!sd_id128_equal(id, id2)); /* Query the invocation ID */ r = sd_id128_get_invocation(&id);
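Review bot: The new assertions in main() only show that the derivation is repeatable and that two app IDs give different results; nothing pins the actual output, so a replacement HMAC that differed from the former OpenSSL/khash result would pass here while silently changing every app-specific ID already handed out on an upgraded host. Because the base is the local machine ID, a fixed expected value cannot be asserted through `sd_id128_get_machine_app_specific()`; the guarantee has to come from known-answer vectors for `hmac_sha256()` itself, which this diff does not show. I would add a comment above the block, e.g. `/* Only checks determinism and distinctness; bit-compatibility with the previous backends relies on the hmac_sha256() test vectors */`, and confirm that such a test exists. main() starts before and continues after this hunk.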