diff --git a/config.h.in b/config.h.in
index 83ad03e4d7..0c4f456cad 100644
--- a/config.h.in
+++ b/config.h.in
@@ -75,6 +75,9 @@
 /* Define to 1 if you have the <cmocka.h> header file. */
 #undef HAVE_CMOCKA_H
 
+/* Define to 1 if you have the `CRYPTO_zalloc' function. */
+#undef HAVE_CRYPTO_ZALLOC
+
 /* Define to 1 if you have the <devpoll.h> header file. */
 #undef HAVE_DEVPOLL_H
 
@@ -129,6 +132,21 @@
 /* Define to 1 if you have the `EVP_aes_256_ecb' function. */
 #undef HAVE_EVP_AES_256_ECB
 
+/* Define to 1 if you have the `EVP_CIPHER_CTX_free' function. */
+#undef HAVE_EVP_CIPHER_CTX_FREE
+
+/* Define to 1 if you have the `EVP_CIPHER_CTX_new' function. */
+#undef HAVE_EVP_CIPHER_CTX_NEW
+
+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
+#undef HAVE_EVP_MD_CTX_FREE
+
+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
+#undef HAVE_EVP_MD_CTX_NEW
+
+/* Define to 1 if you have the `EVP_MD_CTX_reset' function. */
+#undef HAVE_EVP_MD_CTX_RESET
+
 /* Define to 1 if you have the `EVP_sha1' function. */
 #undef HAVE_EVP_SHA1
 
@@ -183,6 +201,18 @@
 /* Define to 1 if you have the <gssapi_krb5.h> header file. */
 #undef HAVE_GSSAPI_KRB5_H
 
+/* Define to 1 if you have the `HMAC_CTX_free' function. */
+#undef HAVE_HMAC_CTX_FREE
+
+/* Define to 1 if you have the `HMAC_CTX_get_md' function. */
+#undef HAVE_HMAC_CTX_GET_MD
+
+/* Define to 1 if you have the `HMAC_CTX_new' function. */
+#undef HAVE_HMAC_CTX_NEW
+
+/* Define to 1 if you have the `HMAC_CTX_reset' function. */
+#undef HAVE_HMAC_CTX_RESET
+
 /* Define to 1 if you have the <idn2.h> header file. */
 #undef HAVE_IDN2_H
 
diff --git a/configure b/configure
index bcacafecaf..1448dd39b2 100755
--- a/configure
+++ b/configure
@@ -15564,6 +15564,58 @@ See \`config.log' for more details" "$LINENO" 5; }
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
+#
+# Check for functions added in OpenSSL or LibreSSL
+#
+
+for ac_func in CRYPTO_zalloc
+do :
+  ac_fn_c_check_func "$LINENO" "CRYPTO_zalloc" "ac_cv_func_CRYPTO_zalloc"
+if test "x$ac_cv_func_CRYPTO_zalloc" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_CRYPTO_ZALLOC 1
+_ACEOF
+
+fi
+done
+
+for ac_func in EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in HMAC_CTX_new HMAC_CTX_free HMAC_CTX_reset HMAC_CTX_get_md
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
 #
 # Check for algorithm support in OpenSSL
 #
diff --git a/configure.ac b/configure.ac
index 326c430fc8..3d280e8321 100644
--- a/configure.ac
+++ b/configure.ac
@@ -789,6 +789,15 @@ AC_COMPILE_IFELSE(
     [AC_MSG_RESULT([yes])],
     [AC_MSG_FAILURE([not found])])
 
+#
+# Check for functions added in OpenSSL or LibreSSL
+#
+
+AC_CHECK_FUNCS([CRYPTO_zalloc])
+AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
+AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset])
+AC_CHECK_FUNCS([HMAC_CTX_new HMAC_CTX_free HMAC_CTX_reset HMAC_CTX_get_md])
+
 #
 # Check for algorithm support in OpenSSL
 #
diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
index 9a428ea366..d1cbc83b2a 100644
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -13,17 +13,17 @@
 
 #include <openssl/opensslv.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-
 #include <stdlib.h>
 #include <string.h>
 #include "openssl_shim.h"
 #include <openssl/engine.h>
+#include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/crypto.h>
 
+#if !HAVE_CRYPTO_ZALLOC
 void *
-OPENSSL_zalloc(size_t size)
+CRYPTO_zalloc(size_t size)
 {
 	void *ret = OPENSSL_malloc(size);
 	if (ret != NULL) {
@@ -31,15 +31,18 @@ OPENSSL_zalloc(size_t size)
 	}
 	return (ret);
 }
+#endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10001000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !HAVE_EVP_CIPHER_CTX_NEW
 EVP_CIPHER_CTX *
 EVP_CIPHER_CTX_new(void)
 {
 	EVP_CIPHER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
 	return (ctx);
 }
+#endif
 
+#if !HAVE_EVP_CIPHER_CTX_FREE
 void
 EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
 {
@@ -50,6 +53,7 @@ EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
 }
 #endif
 
+#if !HAVE_EVP_MD_CTX_NEW
 EVP_MD_CTX *
 EVP_MD_CTX_new(void)
 {
@@ -59,7 +63,9 @@ EVP_MD_CTX_new(void)
 	}
 	return (ctx);
 }
+#endif
 
+#if !HAVE_EVP_MD_CTX_FREE
 void
 EVP_MD_CTX_free(EVP_MD_CTX *ctx)
 {
@@ -68,13 +74,17 @@ EVP_MD_CTX_free(EVP_MD_CTX *ctx)
 		OPENSSL_free(ctx);
 	}
 }
+#endif
 
+#if !HAVE_EVP_MD_CTX_RESET
 int
 EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
 {
 	return (EVP_MD_CTX_cleanup(ctx));
 }
+#endif
 
+#if !HAVE_HMAC_CTX_NEW
 HMAC_CTX *
 HMAC_CTX_new(void)
 {
@@ -87,7 +97,9 @@ HMAC_CTX_new(void)
 	}
 	return (ctx);
 }
+#endif
 
+#if !HAVE_HMAC_CTX_FREE
 void
 HMAC_CTX_free(HMAC_CTX *ctx)
 {
@@ -96,16 +108,18 @@ HMAC_CTX_free(HMAC_CTX *ctx)
 		OPENSSL_free(ctx);
 	}
 }
+#endif
 
+#if !HAVE_HMAC_CTX_RESET
 int
 HMAC_CTX_reset(HMAC_CTX *ctx) {
 	HMAC_CTX_cleanup(ctx);
 	return (1);
 }
+#endif
 
+#if !HAVE_HMAC_CTX_GET_MD
 const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx) {
 	return ctx->md;
 }
-
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L ||
-	* defined(LIBRESSL_VERSION_NUMBER) */
+#endif
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
index 5c9dbdc7ec..fe427fb734 100644
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
@@ -14,24 +14,48 @@
 #include <config.h>
 
 #include <openssl/opensslv.h>
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-
+#include <openssl/crypto.h>
 #include <openssl/engine.h>
+#include <openssl/evp.h>
 #include <openssl/hmac.h>
 
-void *OPENSSL_zalloc(size_t size);
-#if OPENSSL_VERSION_NUMBER < 0x10001000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !HAVE_CRYPTO_ZALLOC
+void *CRYPTO_zalloc(size_t size);
+#define OPENSSL_zalloc(num) CRYPTO_zalloc(num)
+#endif
+
+#if !HAVE_EVP_CIPHER_CTX_NEW
 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
+#endif
+
+#if !HAVE_EVP_CIPHER_CTX_FREE
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
 #endif
-EVP_MD_CTX *EVP_MD_CTX_new(void);
-void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
-int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
-HMAC_CTX *HMAC_CTX_new(void);
-void HMAC_CTX_free(HMAC_CTX *ctx);
-int HMAC_CTX_reset(HMAC_CTX *ctx);
-const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx);
 
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L ||
-	* defined(LIBRESSL_VERSION_NUMBER) */
+#if !HAVE_EVP_MD_CTX_NEW
+EVP_MD_CTX *EVP_MD_CTX_new(void);
+#endif
+
+#if !HAVE_EVP_MD_CTX_FREE
+void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
+#endif
+
+#if !HAVE_EVP_MD_CTX_RESET
+int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
+#endif
+
+#if !HAVE_HMAC_CTX_NEW
+HMAC_CTX *HMAC_CTX_new(void);
+#endif
+
+#if !HAVE_HMAC_CTX_FREE
+void HMAC_CTX_free(HMAC_CTX *ctx);
+#endif
+
+#if !HAVE_HMAC_CTX_RESET
+int HMAC_CTX_reset(HMAC_CTX *ctx);
+#endif
+
+#if !HAVE_HMAC_CTX_GET_MD
+const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx);
+#endif