diff --git a/CMakeLists.txt b/CMakeLists.txt
index 06e6f943fd3..04dfd521b21 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -496,13 +496,14 @@ endif ()
 
 enable_testing() # Enable for tests without binary
 
-option(ENABLE_EXTERNAL_OPENSSL "This option is insecure and not recommended for any occasions. If it is enabled, it allows building with alternative OpenSSL library. By default, ClickHouse is using BoringSSL, which is better. Do not use this option." OFF)
+option(ENABLE_OPENSSL "This option is to use in-tree OpenSSL." OFF)
+
+option(ENABLE_OPENSSL_DYNAMIC "This option is to use dynamic linking OpenSSL." ON)
+
+# if (ENABLE_OPENSSL_DYNAMIC)
+#     find_package(OpenSSL 3.0 REQUIRED)
+# endif ()
 
-if (ENABLE_EXTERNAL_OPENSSL)
-    message (STATUS "Build and uses OpenSSL library instead of BoringSSL. This is strongly discouraged. Your build of ClickHouse will be unsupported.")
-    set(ENABLE_SSL 1)
-    target_compile_options(global-group INTERFACE "-Wno-deprecated-declarations")
-endif ()
 
 # when installing to /usr - place configs to /etc but for /usr/local place to /usr/local/etc
 if (CMAKE_INSTALL_PREFIX STREQUAL "/usr")
diff --git a/base/glibc-compatibility/CMakeLists.txt b/base/glibc-compatibility/CMakeLists.txt
index ef7ec6d7fc0..7aa9a3b4a61 100644
--- a/base/glibc-compatibility/CMakeLists.txt
+++ b/base/glibc-compatibility/CMakeLists.txt
@@ -37,7 +37,7 @@ if (GLIBC_COMPATIBILITY)
 
     target_include_directories(glibc-compatibility PRIVATE libcxxabi ${musl_arch_include_dir})
 
-    if (NOT USE_STATIC_LIBRARIES AND NOT USE_STATIC_LIBRARIES)
+    if (( NOT USE_STATIC_LIBRARIES AND NOT USE_STATIC_LIBRARIES ) OR ENABLE_OPENSSL_DYNAMIC)
         target_compile_options(glibc-compatibility PRIVATE -fPIC)
     endif ()
 
diff --git a/contrib/CMakeLists.txt b/contrib/CMakeLists.txt
index ec7382846c2..c28df7660d2 100644
--- a/contrib/CMakeLists.txt
+++ b/contrib/CMakeLists.txt
@@ -48,7 +48,11 @@ function(add_contrib cmake_folder)
     message(STATUS "Adding contrib module ${base_folders} (configuring with ${cmake_folder})")
     add_subdirectory (${cmake_folder})
 endfunction()
-
+if (ENABLE_OPENSSL OR ENABLE_OPENSSL_DYNAMIC)
+    add_contrib (openssl-cmake openssl)
+else ()
+    add_contrib (boringssl-cmake boringssl)
+endif ()
 add_contrib (miniselect-cmake miniselect)
 add_contrib (pdqsort-cmake pdqsort)
 add_contrib (sparsehash-c11-cmake sparsehash-c11)
@@ -74,11 +78,6 @@ add_contrib (re2-cmake re2)
 add_contrib (xz-cmake xz)
 add_contrib (brotli-cmake brotli)
 add_contrib (double-conversion-cmake double-conversion)
-if (NOT ENABLE_EXTERNAL_OPENSSL)
-    add_contrib (boringssl-cmake boringssl)
-else ()
-    add_contrib (openssl-cmake openssl)
-endif ()
 add_contrib (poco-cmake poco)
 add_contrib (croaring-cmake croaring)
 add_contrib (zstd-cmake zstd)
diff --git a/contrib/krb5-cmake/CMakeLists.txt b/contrib/krb5-cmake/CMakeLists.txt
index 8478def3cb1..7e184d424aa 100644
--- a/contrib/krb5-cmake/CMakeLists.txt
+++ b/contrib/krb5-cmake/CMakeLists.txt
@@ -578,7 +578,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
     list(APPEND ALL_SRCS "${CMAKE_CURRENT_BINARY_DIR}/include_private/kcmrpc.c")
 endif()
 
-if (ENABLE_EXTERNAL_OPENSSL)
+if (ENABLE_OPENSSL OR ENABLE_OPENSSL_DYNAMIC)
     list(REMOVE_ITEM ALL_SRCS "${KRB5_SOURCE_DIR}/lib/crypto/openssl/enc_provider/aes.c")
     list(APPEND ALL_SRCS "${CMAKE_CURRENT_SOURCE_DIR}/aes.c")
 endif ()
diff --git a/contrib/libpq-cmake/CMakeLists.txt b/contrib/libpq-cmake/CMakeLists.txt
index 9d91397731e..55951f13958 100644
--- a/contrib/libpq-cmake/CMakeLists.txt
+++ b/contrib/libpq-cmake/CMakeLists.txt
@@ -59,7 +59,7 @@ set(SRCS
 
 add_library(_libpq ${SRCS})
 
-if (ENABLE_EXTERNAL_OPENSSL)
+if (ENABLE_OPENSSL OR ENABLE_OPENSSL_DYNAMIC)
     add_definitions(-DHAVE_BIO_METH_NEW)
     add_definitions(-DHAVE_HMAC_CTX_NEW)
     add_definitions(-DHAVE_HMAC_CTX_FREE)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index ce2cc862b32..bd8b221e2ba 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -243,12 +243,12 @@ add_object_library(clickhouse_access Access)
 add_object_library(clickhouse_backups Backups)
 add_object_library(clickhouse_core Core)
 add_object_library(clickhouse_core_mysql Core/MySQL)
-if (NOT ENABLE_EXTERNAL_OPENSSL)
-    add_object_library(clickhouse_compression Compression)
-else ()
+if (ENABLE_OPENSSL OR ENABLE_OPENSSL_DYNAMIC)
     add_headers_and_sources(dbms Compression)
     list(REMOVE_ITEM dbms_headers Compression/CompressionCodecEncrypted.h)
     list(REMOVE_ITEM dbms_sources Compression/CompressionCodecEncrypted.cpp)
+else ()
+    add_object_library(clickhouse_compression Compression)
 endif ()
 add_object_library(clickhouse_querypipeline QueryPipeline)
 add_object_library(clickhouse_datatypes DataTypes)
diff --git a/src/configure_config.cmake b/src/configure_config.cmake
index c298ce2e562..d7cdb769525 100644
--- a/src/configure_config.cmake
+++ b/src/configure_config.cmake
@@ -135,6 +135,9 @@ endif()
 if (TARGET ch_contrib::capnp)
     set(USE_CAPNP 1)
 endif()
-if (NOT ENABLE_EXTERNAL_OPENSSL)
+if (NOT (ENABLE_OPENSSL OR ENABLE_OPENSSL_DYNAMIC))
     set(USE_BORINGSSL 1)
 endif ()
+if (ENABLE_OPENSSL)
+    set(USE_OPENSSL_INTREE 1)
+endif ()