I noticed that although the docs generally refer to the capi engine as "builtin", it doesn't appear to be linked statically with openssl, and is actually being loaded by the dynamic engine mechanism. I believe this is because the OPENSSL_NO_STATIC_ENGINE flag is being set by Configure. The only way I see to disable this flag is to pass disable-dynamic-engine to Configure. Is this the correct way to get the builtin engines linked statically? Do I understand correctly that dynamic loading of the builtin engines is now the default?