diff --git a/.gitignore b/.gitignore index e48d0d3..aa24bbf 100644 --- a/.gitignore +++ b/.gitignore @@ -64,6 +64,7 @@ compat/strtonum.c client.c config.c +constraint.c control.c include/imsg.h include/md5_openbsd.h diff --git a/compat/Makefile.am b/compat/Makefile.am index d79690f..d49786c 100644 --- a/compat/Makefile.am +++ b/compat/Makefile.am @@ -62,6 +62,10 @@ libcompat_la_SOURCES += clock_gettime_osx.c endif endif +if !HAVE_CLOSEFROM +libcompat_la_SOURCES += closefrom.c +endif + if !HAVE_IMSG libcompat_la_SOURCES += imsg.c libcompat_la_SOURCES += imsg-buffer.c diff --git a/compat/closefrom.c b/compat/closefrom.c new file mode 100644 index 0000000..5cae58a --- /dev/null +++ b/compat/closefrom.c 
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2004-2005, 2007, 2010, 2012-2014
+ * Todd C. Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+#ifndef OPEN_MAX
+#define OPEN_MAX 256
+#endif
+
+/*
+ * Close all file descriptors greater than or equal to lowfd.
+ * This is the expensive (fallback) method.
+ */
+int
+closefrom(int lowfd)
+{
+ long fd, maxfd;
+
+ /*
+ * Fall back on sysconf() or getdtablesize(). We avoid checking
+ * resource limits since it is possible to open a file descriptor
+ * and then drop the rlimit such that it is below the open fd.
+ */
+#ifdef HAVE_SYSCONF
+ maxfd = sysconf(_SC_OPEN_MAX);
+#else
+ maxfd = getdtablesize();
+#endif /* HAVE_SYSCONF */
+ if (maxfd < 0)
+ maxfd = OPEN_MAX;
+
+ for (fd = lowfd; fd < maxfd; fd++) {
+#ifdef __APPLE__
+ /* Avoid potential libdispatch crash when we close its fds. */
+ (void) fcntl((int) fd, F_SETFD, FD_CLOEXEC);
+#else
+ (void) close((int) fd);
+#endif
+ }
+
+ return 0;
+}
diff --git a/configure.ac b/configure.ac
index 1e8af96..f4ee1e2 100644
--- a/configure.ac
+++ b/configure.ac
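Review bot: The upper bound of the close loop in closefrom() comes from sysconf(_SC_OPEN_MAX) or getdtablesize(), and on common libcs (glibc, for one) both report the current RLIMIT_NOFILE soft limit, so the case the comment says it avoids is not actually avoided: a descriptor opened before the limit was lowered sits at or above maxfd and stays open, and the `OPEN_MAX` fallback of 256 has the same gap. For a function whose purpose is to keep inherited descriptors out of a child, that gap is worth closing; where /proc/self/fd exists, enumerate it first and keep the current loop as the fallback (this needs `<dirent.h>`, `<limits.h>` and `<stdlib.h>`; the include targets are not legible on this page). Separately, the `__APPLE__` branch only sets FD_CLOEXEC, so a caller that never execs keeps every descriptor open, and the function comment should say so.

```c
int
closefrom(int lowfd)
{
	long fd, maxfd;
	char *endp;
	DIR *dirp;
	struct dirent *dent;

	/* Prefer the kernel's list of open fds; it is not bounded by the rlimit. */
	if ((dirp = opendir("/proc/self/fd")) != NULL) {
		while ((dent = readdir(dirp)) != NULL) {
			fd = strtol(dent->d_name, &endp, 10);
			/* Skip ".", "..", and the fd backing this directory stream. */
			if (endp != dent->d_name && *endp == '\0' &&
			    fd >= lowfd && fd < INT_MAX && fd != dirfd(dirp))
				(void) close((int) fd);
		}
		(void) closedir(dirp);
		return 0;
	}

	/* … unchanged: sysconf()/getdtablesize() bound and close loop as fallback … */
```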
@@ -26,7 +26,7 @@ AC_CONFIG_MACRO_DIR([m4]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) AC_SUBST([USER_CFLAGS], "$CFLAGS") -CFLAGS="$CFLAGS -Wall -std=gnu99 -g" +CFLAGS="-O2 -Wall -std=gnu99 -g" case $host_os in *darwin*) @@ -43,7 +43,7 @@ case $host_os in ;; *linux*) HOST_OS=linux - CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE" + CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_GNU_SOURCE" AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV]) ;; *netbsd*) @@ -102,10 +102,10 @@ LDFLAGS="$LDFLAGS $CLANG_FLAGS" # check functions that are expected to be in libc AC_CHECK_FUNCS([adjfreq ntp_adjtime adjtimex]) AC_CHECK_FUNCS([arc4random arc4random_uniform asprintf explicit_bzero]) -AC_CHECK_FUNCS([getentropy memmem poll reallocarray]) +AC_CHECK_FUNCS([closefrom getentropy memmem poll reallocarray]) AC_CHECK_FUNCS([setproctitle setgroups]) AC_CHECK_FUNCS([setregid setresgid setreuid setresuid]) -AC_CHECK_FUNCS([strlcat strlcpy strtonum]) +AC_CHECK_FUNCS([strlcat strlcpy strtonum sysconf]) # check auxiliary libraries that might contain other functions AC_SEARCH_LIBS([arc4random], [crypto]) 
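Review bot: In the first configure.ac hunk the new `CFLAGS="-O2 -Wall -std=gnu99 -g"` no longer starts from `$CFLAGS`, so flags passed in by the builder are dropped from this variable, and that includes the hardening options (stack protector, FORTIFY settings, PIE) that packagers normally inject this way. The incoming value is saved in `USER_CFLAGS` on the line above, but whether it is appended again later is not visible in this hunk. If the aim is only to guarantee optimisation, keep the caller's flags and put them last so they still take effect: `CFLAGS="-O2 -Wall -std=gnu99 -g $CFLAGS"`.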
@@ -118,11 +118,16 @@ AC_SEARCH_LIBS([SHA512Init], [md]) AC_CHECK_FUNCS([arc4random ibuf_open MD5Init SHA512Init]) AC_CHECK_FUNCS([clock_gettime clock_getres]) +# check for libtls +AC_SEARCH_LIBS([tls_init],[tls]) +AC_CHECK_FUNCS([tls_config_set_ca_mem]) + # Share test results with automake AM_CONDITIONAL([HAVE_ADJFREQ], [test "x$ac_cv_func_adjfreq" = xyes]) AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes]) AM_CONDITIONAL([HAVE_ARC4RANDOM_UNIFORM], [test "x$ac_cv_func_arc4random_uniform" = xyes]) AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes]) +AM_CONDITIONAL([HAVE_CLOSEFROM], [test "x$ac_cv_func_closefrom" = xyes]) AM_CONDITIONAL([HAVE_CLOCK_GETRES], [test "x$ac_cv_func_clock_getres" = xyes]) AM_CONDITIONAL([HAVE_CLOCK_GETTIME], [test "x$ac_cv_func_clock_gettime" = xyes]) AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes]) @@ -140,6 +145,11 @@ AM_CONDITIONAL([HAVE_SHA512], [test "x$ac_cv_func_SHA512Init" = xyes]) AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes]) AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes]) AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes]) +AM_CONDITIONAL([HAVE_SYSCONF], [test "x$ac_cv_func_sysconf" = xyes]) +AM_CONDITIONAL([HAVE_LIBTLS], [test "x$ac_cv_func_tls_config_set_ca_mem" = xyes]) +if test "x$ac_cv_func_tls_config_set_ca_mem" = "xyes" ; then + AC_DEFINE([HAVE_LIBTLS], [1]) +fi # overrides for arc4random implementations with known issues AM_CONDITIONAL([HAVE_ARC4RANDOM], diff --git a/include/tls.h b/include/tls.h new file mode 100644 index 0000000..b7aa058 --- /dev/null +++ b/include/tls.h 
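Review bot: When `tls_config_set_ca_mem` is not found, configure silently falls through to the stub build (src/Makefile.am in this commit compiles constraint-disabled.c instead of constraint.c) while the shipped ntpd.conf gains a `constraints from` line, so the result is a daemon without the HTTPS time sanity check and nothing in the configure output to say so. Make the downgrade visible in the not-found case, for example with `AC_MSG_WARN([libtls not found: HTTPS constraints are disabled])` in an `else` branch of the new `if test` block. Also, `AC_DEFINE([HAVE_LIBTLS], [1])` has no description argument, which autoheader requires when a config header is generated; whether this project generates one is not visible here.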
@@ -0,0 +1,31 @@ +/* + * Public domain + * tls.h compatibility shim + */ + +#ifdef HAVE_LIBTLS +#include_next + +#else + +#ifndef LIBCOMPAT_LIBTLS_H +#define LIBCOMPAT_LIBTLS_H + +#include +#include + +static inline int +tls_init(void) +{ + return -1; +} + +static inline uint8_t * +tls_load_file(const char *_file, size_t *_len, char *_password) +{ + return NULL; +} + +#endif + +#endif diff --git a/include/unistd.h b/include/unistd.h index 31c1c67..05ac5ec 100644 --- a/include/unistd.h +++ b/include/unistd.h @@ -14,6 +14,10 @@ int getentropy(void *buf, size_t buflen); #include +#ifndef HAVE_CLOSEFROM +int closefrom(int fd); +#endif + #ifndef HAVE_SETGROUPS int setgroups(int ngroups, const gid_t *gidset); #endif diff --git a/ntpd.conf b/ntpd.conf index ed13ade..92c2c22 100644 --- a/ntpd.conf +++ b/ntpd.conf @@ -9,3 +9,4 @@ # use a random selection of NTP Pool Time Servers # see http://support.ntp.org/bin/view/Servers/NTPPoolServers servers pool.ntp.org +constraints from "https://www.google.com/search?q=openntpd" diff --git a/src/Makefile.am b/src/Makefile.am index cab0815..8c30677 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -33,6 +33,11 @@ ntpd_LDADD += $(top_builddir)/compat/libcompatnoopt.la ntpd_SOURCES = client.c ntpd_SOURCES += config.c +if HAVE_LIBTLS +ntpd_SOURCES += constraint.c +else +ntpd_SOURCES += constraint-disabled.c +endif ntpd_SOURCES += control.c ntpd_SOURCES += log.c ntpd_SOURCES += log.h diff --git a/src/constraint-disabled.c b/src/constraint-disabled.c new file mode 100644 index 0000000..1c0708c --- /dev/null +++ b/src/constraint-disabled.c 
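Review bot: The fallback `tls_load_file()` in include/tls.h returns NULL without ever writing `*_len`, so a caller that reads the length before checking the pointer sees an indeterminate value. Setting it on the failure path makes the stub deterministic: `if (_len != NULL) *_len = 0;` before `return NULL;`. A one-line comment on each stub stating that it always fails because libtls is absent would also save the next reader from looking for a real implementation.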
@@ -0,0 +1,60 @@ +/* $OpenBSD: constraint.c,v 1.5 2015/02/22 14:55:41 jsing Exp $ */ + +/* + * Copyright (c) 2015 Reyk Floeter + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ntpd.h" + +int +constraint_init(struct constraint *cstr) +{ + return (1); +} + + +int +constraint_query(struct constraint *cstr) +{ + return (-1); +} + +void +constraint_check_child(void) +{ +} + +int +constraint_dispatch_msg(struct pollfd *pfd) +{ + return (1); +} + +void +constraint_dns(u_int32_t id, u_int8_t *data, size_t len) +{ +} + +int +constraint_cmp(const void *a, const void *b) +{ + return (*(const time_t *)a - *(const time_t *)b); +} + +int +constraint_check(double val) +{ + return (-1); +} diff --git a/update.sh b/update.sh index 00da565..c4e6f07 100755 --- a/update.sh +++ b/update.sh @@ -50,8 +50,8 @@ for i in $libcrypto_src/crypto/getentropy_*.c; do done $CP $libcrypto_src/crypto/arc4random_*.h compat -for i in client.c config.c control.c log.c log.h ntp.c ntp.h ntp_dns.c ntp_msg.c \ - ntpd.c ntpd.h parse.y sensors.c server.c util.c \ +for i in client.c config.c constraint.c control.c log.c log.h ntp.c ntp.h \ + ntp_dns.c ntp_msg.c ntpd.c ntpd.h parse.y sensors.c server.c util.c \ ntpctl.8 ntpd.8 ntpd.conf.5 ; do file=`basename $i` echo Copying $file
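Review bot: `constraint_cmp()` returns the difference of two `time_t` values as an `int`, so where `time_t` is wider than `int` a large difference is truncated and the sign of the result can be wrong; if this is used as a sort comparator, as its signature suggests, the ordering becomes unreliable for widely separated timestamps. Compare instead of subtracting: `time_t ta = *(const time_t *)a, tb = *(const time_t *)b;` followed by `return ((ta > tb) - (ta < tb));`. The other stubs would benefit from a short comment stating what each return value means to callers (`constraint_init` returns 1, `constraint_query` and `constraint_check` return -1), since those callers are outside this diff and a wrong reading could either reject all replies or skip the check.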