diff --git a/README.md b/README.md
index 99b669e..d87232a 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,11 @@ CentOS:
 yum install python-setuptools && easy_install pip
 pip install git+https://github.com/shadowsocks/shadowsocks.git@master
+For CentOS 7, if you need AEAD ciphers, you need install libsodium
+```
+dnf install libsodium python34-pip
+pip3 install git+https://github.com/shadowsocks/shadowsocks.git@master
+```
 Linux distributions with [snap](http://snapcraft.io/):
 snap install shadowsocks
diff --git a/shadowsocks/crypto/mbedtls.py b/shadowsocks/crypto/mbedtls.py
index b87c2eb..1954a86 100644
--- a/shadowsocks/crypto/mbedtls.py
+++ b/shadowsocks/crypto/mbedtls.py
@@ -408,22 +408,20 @@ ciphers = {
 def run_method(method):
- from shadowsocks.crypto import openssl
 print(method, ': [stream]', 32)
 cipher = MbedTLSStreamCrypto(method, b'k' * 32, b'i' * 16, 1)
- decipher = openssl.OpenSSLStreamCrypto(method, b'k' * 32, b'i' * 16, 0)
+ decipher = MbedTLSStreamCrypto(method, b'k' * 32, b'i' * 16, 0)
 util.run_cipher(cipher, decipher)
 def run_aead_method(method, key_len=16):
- from shadowsocks.crypto import openssl
 print(method, ': [payload][tag]', key_len)
 key_len = int(key_len)
 cipher = MbedTLSAeadCrypto(method, b'k' * key_len, b'i' * key_len, 1)
- decipher = openssl.OpenSSLAeadCrypto(
+ decipher = MbedTLSAeadCrypto(
 method, b'k' * key_len, b'i' * key_len, 0
 )
@@ -432,12 +430,11 @@ def run_aead_method(method, key_len=16):
 def run_aead_method_chunk(method, key_len=16):
- from shadowsocks.crypto import openssl
 print(method, ': chunk([size][tag][payload][tag]', key_len)
 key_len = int(key_len)
 cipher = MbedTLSAeadCrypto(method, b'k' * key_len, b'i' * key_len, 1)
- decipher = openssl.OpenSSLAeadCrypto(
+ decipher = MbedTLSAeadCrypto(
 method, b'k' * key_len, b'i' * key_len, 0
 )
diff --git a/shadowsocks/crypto/openssl.py b/shadowsocks/crypto/openssl.py
index f034bd1..ff63541 100644
--- a/shadowsocks/crypto/openssl.py
+++ b/shadowsocks/crypto/openssl.py
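Review bot: Swapping the OpenSSL decipher for a second MbedTLSStreamCrypto / MbedTLSAeadCrypto instance in run_method and run_aead_method (and run_aead_method_chunk in the next hunk) turns the self-test into a same-backend round trip, which cannot catch a defect that is applied symmetrically on both sides — a wrong IV/nonce derivation or key schedule still decrypts its own output, and interoperability with OpenSSL peers is no longer exercised. If the cross-check was dropped because the OpenSSL backend is not always loadable in the test environment, keeping it behind a guarded import (attempt the openssl import and build the OpenSSL decipher, falling back to the MbedTLS decipher only when that fails) preserves the interop check wherever it is available. Whichever way it goes, the fallback deserves a comment on the decipher line, e.g. `# same-backend round trip only; OpenSSL interop is not exercised here`. The body of run_aead_method continues past the hunk.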
@@ -346,6 +346,8 @@ def run_method(method):
 def run_aead_method(method, key_len=16):
+ if not loaded:
+ load_openssl(None)
 print(method, ': [payload][tag]', key_len)
 cipher = libcrypto.EVP_get_cipherbyname(common.to_bytes(method))
 if not cipher:
@@ -362,6 +364,8 @@ def run_aead_method(method, key_len=16):
 def run_aead_method_chunk(method, key_len=16):
+ if not loaded:
+ load_openssl(None)
 print(method, ': chunk([size][tag][payload][tag]', key_len)
 cipher = libcrypto.EVP_get_cipherbyname(common.to_bytes(method))
 if not cipher:
diff --git a/tests/libopenssl/install.sh b/tests/libopenssl/install.sh
index e948bff..480c772 100755
--- a/tests/libopenssl/install.sh
+++ b/tests/libopenssl/install.sh
@@ -10,3 +10,10 @@ pushd openssl-$OPENSSL_VER
 # sudo ldconfig # test multiple libcrypto
 popd
 rm -rf openssl-$OPENSSL_VER || exit 1
+
+rm /usr/bin/openssl || exit 1
+rm -r /usr/include/openssl || exit 1
+ln -s /usr/local/bin/openssl /usr/bin/openssl || exit 1
+ln -s /usr/local/include/openssl /usr/include/openssl || exit 1
+echo /usr/local/lib >> /etc/ld.so.conf || exit 1
+ldconfig -v || exit 1
diff --git a/utils/autoban.py b/utils/autoban.py
index c7af0a5..52aa163 100755
--- a/utils/autoban.py
+++ b/utils/autoban.py
@@ -24,9 +24,17 @@ from __future__ import absolute_import, division, print_function, \
 with_statement
-import os
 import sys
+import socket
 import argparse
+import subprocess
+
+
+def inet_pton(str_ip):
+ try:
+ return socket.inet_pton(socket.AF_INET, str_ip)
+ except socket.error:
+ return None
 if __name__ == '__main__':
 parser = argparse.ArgumentParser(description='See README')
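Review bot: The `if not loaded: load_openssl(None)` guard is duplicated verbatim at the top of run_aead_method here and of run_aead_method_chunk in the second hunk, and run_method — the function the hunk header names, whose body is outside the hunk — presumably needs the same guard when invoked on its own. A single module-level helper, `def _ensure_loaded():` that calls `load_openssl(None)` when `loaded` is false, called once at the start of each run_* function, keeps the lazy-load logic in one place and makes it harder to forget on the next test entry point. `loaded` and `load_openssl` look like module globals that the hunks do not show; the helper's docstring should say what passing `None` selects (apparently the default library lookup — confirm against load_openssl).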
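Review bot: The added block is not re-runnable and aborts on a host without a distro openssl: `rm /usr/bin/openssl || exit 1` and `rm -r /usr/include/openssl || exit 1` fail when the path is absent, `ln -s` fails once the link already exists, and `echo /usr/local/lib >> /etc/ld.so.conf` appends a duplicate entry on every run. Because these lines also replace the system openssl binary, headers and loader search path globally, a header comment such as `# replaces the system openssl with the freshly built one; only run in a throwaway CI environment` would stop the script being run on a developer machine by mistake. An idempotent form of the same steps is below; ldconfig is unchanged.
```shell
rm -f /usr/bin/openssl || exit 1
rm -rf /usr/include/openssl || exit 1
ln -sfn /usr/local/bin/openssl /usr/bin/openssl || exit 1
ln -sfn /usr/local/include/openssl /usr/include/openssl || exit 1
grep -qx /usr/local/lib /etc/ld.so.conf || echo /usr/local/lib >> /etc/ld.so.conf || exit 1
ldconfig -v || exit 1
```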
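Review bot: inet_pton only tries AF_INET, so a log line for an IPv6 peer yields None and is skipped silently — the script can never ban an IPv6 offender, and nothing in the helper says so. Give it a docstring that states the contract, e.g. `"""Return the packed IPv4 address for str_ip, or None when it is not a valid dotted-quad (IPv6 addresses are not handled)."""`. If IPv6 bans are wanted, the helper needs an AF_INET6 attempt and the caller an ip6tables path, and the `host:port` split done in the next hunk would have to cope with colon-containing addresses. This validation is the single gate that makes the address safe to hand to iptables, so it should stay in front of every use of ip_str.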
@@ -37,17 +45,22 @@ if __name__ == '__main__':
 ips = {}
 banned = set()
 for line in sys.stdin:
- if 'can not parse header when' in line:
- ip = line.split()[-1].split(':')[-2]
- if ip not in ips:
- ips[ip] = 1
- print(ip)
- sys.stdout.flush()
- else:
- ips[ip] += 1
- if ip not in banned and ips[ip] >= config.count:
- banned.add(ip)
- cmd = 'iptables -A INPUT -s %s -j DROP' % ip
- print(cmd, file=sys.stderr)
- sys.stderr.flush()
- os.system(cmd)
+ if 'can not parse header when' not in line:
+ continue
+ ip_str = line.split()[-1].rsplit(':', 1)[0]
+ ip = inet_pton(ip_str)
+ if ip is None:
+ continue
+ if ip not in ips:
+ ips[ip] = 1
+ sys.stdout.flush()
+ else:
+ ips[ip] += 1
+ if ip not in banned and ips[ip] >= config.count:
+ banned.add(ip)
+ print('ban ip %s' % ip_str)
+ cmd = ['iptables', '-A', 'INPUT', '-s', ip_str, '-j', 'DROP',
+ '-m', 'comment', '--comment', 'autoban']
+ print(' '.join(cmd), file=sys.stderr)
+ sys.stderr.flush()
+ subprocess.call(cmd)
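Review bot: The ban is recorded before the rule is installed: `banned.add(ip)` runs unconditionally and the return value of `subprocess.call(cmd)` is discarded, so a failing iptables invocation (not root, chain missing) leaves the address marked as banned and never retried, and a missing iptables binary raises OSError straight out of the loop. Checking the result — `if subprocess.call(cmd) != 0: banned.discard(ip)` with a line to stderr, and catching OSError around the call — keeps the in-memory state in step with the firewall and lets the next matching line retry. Separately, the first-seen branch still does `sys.stdout.flush()` after the `print(ip)` it used to follow was removed, so it now flushes nothing; either restore a print of ip_str there or drop the flush. The two-branch count could also collapse to `ips[ip] = ips.get(ip, 0) + 1`.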