diff --git a/cstp.c b/cstp.c
index e68bd4b0..e769b728 100644
--- a/cstp.c
+++ b/cstp.c
@@ -35,7 +35,6 @@
#include
#include
-#include
#include "openconnect-internal.h"
@@ -108,7 +107,7 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
/* Create (new) random master key for DTLS connection, if needed */
if (vpninfo->dtls_times.last_rekey + vpninfo->dtls_times.rekey <
time(NULL) + 300 &&
-RAND_bytes(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret)) != 1) {
+openconnect_random(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret))) {
fprintf(stderr, _("Failed to initialise DTLS secret\n"));
exit(1);
}
diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index 82adb673..c00ddb16 100644
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -56,4 +56,5 @@ OPENCONNECT_PRIVATE {
openconnect_get_cert_details;
openconnect_get_cert_DER;
openconnect_sha1;
+ openconnect_random;
};
diff --git a/openconnect-internal.h b/openconnect-internal.h
index a79b27d7..d28ebbfb 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -293,6 +293,7 @@ void openconnect_report_ssl_errors(struct openconnect_info *vpninfo);
/* ${SSL_LIBRARY}.c */
int openconnect_sha1(unsigned char *result, void *data, int len);
+int openconnect_random(void *bytes, int len);
/* mainloop.c */
int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
diff --git a/openssl.c b/openssl.c
index 57e3fc96..a3487883 100644
--- a/openssl.c
+++ b/openssl.c
@@ -25,6 +25,7 @@
#include
#include
+#include
#include "openconnect-internal.h"
@@ -62,3 +63,10 @@ int openconnect_get_cert_DER(struct openconnect_info *vpninfo,
BIO_free(bp);
return l;
}
+
+int openconnect_random(void *bytes, int len)
+{
+ if (RAND_bytes(bytes, len) != 1)
+ return -EIO;
+ return 0;
+}
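Review bot: The new `openconnect_random` prototype in openconnect-internal.h states no contract for its return value, yet the cstp.c caller depends on "non-zero means failure" and the `/* ${SSL_LIBRARY}.c */` heading implies a second backend will have to implement the same contract. A one-line comment on the declaration would pin it for both: `/* Fill 'bytes' with 'len' bytes from the TLS library's CSPRNG; returns 0 on success, -errno on failure. Contents of 'bytes' are unspecified on failure. */`. Callers must treat the buffer as unusable on any non-zero return, which is what the DTLS-secret path already does by exiting.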
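Review bot: `openconnect_random` in openssl.c hands `len` to `RAND_bytes` unchecked, and since the parameter is a signed `int` (callers pass a `sizeof`, which is converted), a negative or truncated length would reach the library with no meaningful result; a guard of `if (len < 0) return -EINVAL;` before the call keeps the wrapper safe for future callers that compute the length. On failure the wrapper collapses whatever the OpenSSL error queue holds into `-EIO`, and the only caller prints a generic message and exits, so the underlying reason is never reported — consider draining or logging the queue in the wrapper, or noting in a comment that callers are expected to report it. `EIO`/`EINVAL` need `<errno.h>`; the header name on this file's added `#include` was lost in extraction, so I cannot confirm from the hunk whether it adds `<errno.h>`, `<openssl/rand.h>` or another header.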