diff -rup ntp-4.2.8p10/ntpq/ntpq.c ntp-4.2.8p10-new/ntpq/ntpq.c
--- ntp-4.2.8p10/ntpq/ntpq.c	2017-03-21 06:04:30.000000000 -0700
+++ ntp-4.2.8p10-new/ntpq/ntpq.c	2017-09-28 14:50:29.501452148 -0700
@@ -33,7 +33,6 @@
 #ifdef OPENSSL
 #include "openssl/evp.h"
 #include "openssl/objects.h"
-#include "openssl/err.h"
 #include "libssl_compat.h"
 #endif
 #include <ssl_applink.c>
@@ -227,13 +226,6 @@ static	void	on_ctrlc	(void);
 static	int	my_easprintf	(char**, const char *, ...) NTP_PRINTF(2, 3);
 void	ntpq_custom_opt_handler	(tOptions *, tOptDesc *);
 
-#ifdef OPENSSL
-# ifdef HAVE_EVP_MD_DO_ALL_SORTED
-static void list_md_fn(const EVP_MD *m, const char *from,
-		       const char *to, void *arg );
-# endif
-#endif
-static char *list_digest_names(void);
 
 /*
  * Built-in commands we understand
@@ -294,8 +286,8 @@ struct xcmd builtins[] = {
 	  { "version number", "", "", "" },
 	  "set the NTP version number to use for requests" },
 	{ "keytype",	keytype,	{ OPT|NTP_STR, NO, NO, NO },
-	  { "key type %s", "", "", "" },
-	  NULL },
+	  { "key type (md5|des)", "", "", "" },
+	  "set key type to use for authenticated requests (des|md5)" },
 	{ 0,		0,		{ NO, NO, NO, NO },
 	  { "", "", "", "" }, "" }
 };
@@ -477,37 +469,6 @@ ntpqmain(
 	if (!ipv6_works)
 		ai_fam_default = AF_INET;
 
-	/* Fixup keytype's help based on available digest names */
-
-	{
-	    char *list;
-	    char *msg;
-
-	    list = list_digest_names();
-	    for (icmd = 0; icmd < sizeof(builtins)/sizeof(builtins[0]); icmd++) {
-		if (strcmp("keytype", builtins[icmd].keyword) == 0)
-		    break;
-	    }
-
-	    /* CID: 1295478 */
-	    /* This should only "trip" if "keytype" is removed from builtins */
-	    INSIST(icmd < sizeof(builtins)/sizeof(builtins[0]));
-
-#ifdef OPENSSL
-	    builtins[icmd].desc[0] = "digest-name";
-	    my_easprintf(&msg,
-			 "set key type to use for authenticated requests, one of:%s",
-			 list);
-#else
-	    builtins[icmd].desc[0] = "md5";
-	    my_easprintf(&msg,
-			 "set key type to use for authenticated requests (%s)",
-			 list);
-#endif
-	    builtins[icmd].comment = msg;
-	    free(list);
-	}
-
 	progname = argv[0];
 
 	{
@@ -2558,11 +2519,11 @@ keytype(
 	key_type = keytype_from_text(digest_name, &digest_len);
 
 	if (!key_type) {
-		fprintf(fp, "keytype is not valid. "
+		fprintf(fp, "keytype must be 'md5'%s\n",
 #ifdef OPENSSL
-			"Type \"help keytype\" for the available digest types.\n");
+			" or a digest type provided by OpenSSL");
 #else
-			"Only \"md5\" is available.\n");
+			"");
 #endif
 		return;
 	}
@@ -3580,109 +3541,6 @@ ntpq_custom_opt_handler(
 		break;
 	}
 }
-/*
- * Obtain list of digest names
- */
-
-#ifdef OPENSSL
-# ifdef HAVE_EVP_MD_DO_ALL_SORTED
-struct hstate {
-   char *list;
-   const char **seen;
-   int idx;
-};
-#define K_PER_LINE 8
-#define K_NL_PFX_STR "\n    "
-#define K_DELIM_STR ", "
-static void list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg )
-{
-    size_t len, n;
-    const char *name, *cp, **seen;
-    struct hstate *hstate = arg;
-    EVP_MD_CTX *ctx;
-    u_int digest_len;
-    u_char digest[EVP_MAX_MD_SIZE];
-
-    if (!m)
-        return; /* Ignore aliases */
-
-    name = EVP_MD_name(m);
-
-    /* Lowercase names aren't accepted by keytype_from_text in ssl_init.c */
-
-    for( cp = name; *cp; cp++ ) {
-	if( islower((unsigned char)*cp) )
-	    return;
-    }
-    len = (cp - name) + 1;
-
-    /* There are duplicates.  Discard if name has been seen. */
-
-    for (seen = hstate->seen; *seen; seen++)
-        if (!strcmp(*seen, name))
-	    return;
-    n = (seen - hstate->seen) + 2;
-    hstate->seen = erealloc(hstate->seen, n * sizeof(*seen));
-    hstate->seen[n-2] = name;
-    hstate->seen[n-1] = NULL;
-
-    /* Discard MACs that NTP won't accept.
-     * Keep this consistent with keytype_from_text() in ssl_init.c.
-     */
-
-    ctx = EVP_MD_CTX_new();
-    EVP_DigestInit(ctx, EVP_get_digestbyname(name));
-    EVP_DigestFinal(ctx, digest, &digest_len);
-    EVP_MD_CTX_free(ctx);
-    if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
-        return;
-
-    if (hstate->list != NULL)
-	len += strlen(hstate->list);
-    len += (hstate->idx >= K_PER_LINE)? strlen(K_NL_PFX_STR): strlen(K_DELIM_STR);
-
-    if (hstate->list == NULL) {
-	hstate->list = (char *)emalloc(len);
-	hstate->list[0] = '\0';
-    } else
-	hstate->list = (char *)erealloc(hstate->list, len);
-
-    sprintf(hstate->list + strlen(hstate->list), "%s%s",
-	    ((hstate->idx >= K_PER_LINE)? K_NL_PFX_STR : K_DELIM_STR),
-	    name);
-    if (hstate->idx >= K_PER_LINE)
-	hstate->idx = 1;
-    else
-	hstate->idx++;
-}
-# endif
-#endif
-
-static char *list_digest_names(void)
-{
-    char *list = NULL;
-
-#ifdef OPENSSL
-# ifdef HAVE_EVP_MD_DO_ALL_SORTED
-    struct hstate hstate = { NULL, NULL, K_PER_LINE+1 };
-
-    hstate.seen = (const char **) emalloc_zero(1*sizeof( const char * )); // replaces -> calloc(1, sizeof( const char * ));
-
-    INIT_SSL();
-    EVP_MD_do_all_sorted(list_md_fn, &hstate);
-    list = hstate.list;
-    free(hstate.seen);
-# else
-    list = (char *)emalloc(sizeof("md5, others (upgrade to OpenSSL-1.0 for full list)"));
-    strcpy(list, "md5, others (upgrade to OpenSSL-1.0 for full list)");
-# endif
-#else
-    list = (char *)emalloc(sizeof("md5"));
-    strcpy(list, "md5");
-#endif
-
-    return list;
-}
 
 #define CTRLC_STACK_MAX 4
 static volatile size_t		ctrlc_stack_len = 0;