diff --git a/config.h.in b/config.h.in index 4c9b95a72..35ad34434 100644 --- a/config.h.in +++ b/config.h.in @@ -39,6 +39,15 @@ /* Define to 1 if you have the header file. */ #undef HAVE_EVENT_H +/* Define to 1 if you have the `EVP_sha1' function. */ +#undef HAVE_EVP_SHA1 + +/* Define to 1 if you have the `EVP_sha256' function. */ +#undef HAVE_EVP_SHA256 + +/* Define to 1 if you have the `EVP_sha512' function. */ +#undef HAVE_EVP_SHA512 + /* Define to 1 if you have the `fcntl' function. */ #undef HAVE_FCNTL diff --git a/configure b/configure index edf1164d6..3c2d89a36 100755 --- a/configure +++ b/configure 
@@ -21259,6 +21259,102 @@ fi done + + +for ac_func in EVP_sha1 EVP_sha256 EVP_sha512 +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + # check if libssl needs libdl BAKLIBS="$LIBS" LIBS="-lssl $LIBS" diff --git a/configure.ac b/configure.ac index d7f47a2c5..61b5b2e67 100644 --- a/configure.ac +++ b/configure.ac @@ -554,6 +554,7 @@ AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname], AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512]) # check if libssl needs libdl BAKLIBS="$LIBS" diff --git a/doc/Changelog b/doc/Changelog index 4f343765b..2eacdb9d7 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -6,6 +6,7 @@ - changed to use new algorithm identifiers for sha256/sha512 from ldns 1.4.0 (need very latest version). - updated the included ldns tarball. + - proper detection of SHA256 and SHA512 functions (not just sizes). 23 October 2008: Wouter - a little more debug info for failure on signer names. prints names. diff --git a/testcode/testbound.c b/testcode/testbound.c index 591782e1d..d3b75e849 100644 --- a/testcode/testbound.c +++ b/testcode/testbound.c 
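Review bot: The added `AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512])` in configure.ac has no action-if-not-found, so a probe that fails for any reason quietly compiles the digest out instead of stopping the build. These are link tests against whatever is in `LIBS` at that point, and the hunk places them above the `# check if libssl needs libdl` block; whether libcrypto has already been added earlier is not visible here, so that is worth confirming. Because `HAVE_EVP_SHA1` now guards the SHA-1 cases in val_nsec3.c and val_sigcrypt.c, a false negative would leave a validator that cannot hash NSEC3 names or check SHA-1 DS records. I would make the baseline digest mandatory, `AC_CHECK_FUNCS([EVP_sha1], , [AC_MSG_ERROR([OpenSSL EVP_sha1 is required])])`, and keep only SHA-256/512 optional.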
@@ -227,7 +227,7 @@ main(int argc, char* argv[]) while( (c=getopt(argc, argv, "2ho:p:")) != -1) { switch(c) { case '2': -#ifdef SHA256_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA256 printf("SHA256 supported\n"); exit(0); #else diff --git a/testcode/unitverify.c b/testcode/unitverify.c index 915a01844..a468cd113 100644 --- a/testcode/unitverify.c +++ b/testcode/unitverify.c @@ -471,11 +471,11 @@ verify_test() verifytest_file("testdata/test_signatures.6", "20080416005004"); verifytest_file("testdata/test_signatures.7", "20070829144150"); verifytest_file("testdata/test_signatures.8", "20070829144150"); -#ifdef SHA256_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA256 verifytest_file("testdata/test_signatures.9", "20070829144150"); verifytest_file("testdata/test_signatures.11", "20070829144150"); #endif -#ifdef SHA512_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA512 verifytest_file("testdata/test_signatures.10", "20070829144150"); #endif dstest_file("testdata/test_ds_sig.1"); diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c index 4839fd921..ef50c5823 100644 --- a/validator/val_nsec3.c +++ b/validator/val_nsec3.c @@ -535,7 +535,7 @@ nsec3_get_hashed(ldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo, ldns_buffer_write(buf, salt, saltlen); ldns_buffer_flip(buf); switch(algo) { -#ifdef SHA_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA1 case NSEC3_HASH_SHA1: hash_len = SHA_DIGEST_LENGTH; if(hash_len > max) @@ -554,7 +554,7 @@ nsec3_get_hashed(ldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo, (unsigned char*)res); } break; -#endif /* SHA_DIGEST_LENGTH */ +#endif /* HAVE_EVP_SHA1 */ default: log_err("nsec3 hash of unknown algo %d", algo); return 0; @@ -580,7 +580,7 @@ nsec3_calc_hash(struct regional* region, ldns_buffer* buf, ldns_buffer_write(buf, salt, saltlen); ldns_buffer_flip(buf); switch(algo) { -#ifdef SHA_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA1 case NSEC3_HASH_SHA1: c->hash_len = SHA_DIGEST_LENGTH; c->hash = (uint8_t*)regional_alloc(region, 
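Review bot: The new guard in `nsec3_get_hashed` tests `HAVE_EVP_SHA1`, but the guarded line uses `SHA_DIGEST_LENGTH`, a macro from the OpenSSL SHA header that configure no longer checks. The same mismatch appears in `nsec3_calc_hash` and, in val_sigcrypt.c, in `ds_digest_size_algo` and `ds_create_dnskey_digest`, where the guarded code calls `SHA1()` and `SHA256()` directly rather than the probed `EVP_sha1`/`EVP_sha256`. Either probe the symbols that are actually used or require both conditions, e.g. `#if defined(HAVE_EVP_SHA1) && defined(SHA_DIGEST_LENGTH)`, so the guard cannot be true while the guarded names are missing. The body of `nsec3_get_hashed` starts and ends outside this hunk.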
@@ -601,7 +601,7 @@ nsec3_calc_hash(struct regional* region, ldns_buffer* buf, (unsigned char*)c->hash); } break; -#endif /* SHA_DIGEST_LENGTH */ +#endif /* HAVE_EVP_SHA1 */ default: log_err("nsec3 hash of unknown algo %d", algo); return -1; diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index a6dd8f2d2..ce21f932d 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c @@ -248,11 +248,11 @@ static size_t ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx) { switch(ds_get_digest_algo(k, idx)) { -#ifdef SHA_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA1 case LDNS_SHA1: return SHA_DIGEST_LENGTH; #endif -#ifdef SHA256_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA256 case LDNS_SHA256: return SHA256_DIGEST_LENGTH; #endif @@ -294,13 +294,13 @@ ds_create_dnskey_digest(struct module_env* env, ldns_buffer_flip(b); switch(ds_get_digest_algo(ds_rrset, ds_idx)) { -#ifdef SHA_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA1 case LDNS_SHA1: (void)SHA1((unsigned char*)ldns_buffer_begin(b), ldns_buffer_limit(b), (unsigned char*)digest); return 1; #endif -#ifdef SHA256_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA256 case LDNS_SHA256: (void)SHA256((unsigned char*)ldns_buffer_begin(b), ldns_buffer_limit(b), (unsigned char*)digest); @@ -370,11 +370,11 @@ dnskey_algo_id_is_supported(int id) case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: case LDNS_RSAMD5: -#ifdef SHA256_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA256 case LDNS_RSASHA256: case LDNS_RSASHA256_NSEC3: #endif -#ifdef SHA512_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA512 case LDNS_RSASHA512: case LDNS_RSASHA512_NSEC3: #endif @@ -1302,11 +1302,11 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, break; case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: -#ifdef SHA256_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA256 case LDNS_RSASHA256: case LDNS_RSASHA256_NSEC3: #endif -#ifdef SHA512_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA512 case LDNS_RSASHA512: case LDNS_RSASHA512_NSEC3: #endif 
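Review bot: `dnskey_algo_id_is_supported` still lists `LDNS_RSASHA1` and `LDNS_RSASHA1_NSEC3` unconditionally, while this commit makes the SHA-1 NSEC3 hash and the SHA-1 DS digest depend on `HAVE_EVP_SHA1`. On a build where that macro is undefined the validator would report RSASHA1-NSEC3 as supported yet reach the `nsec3 hash of unknown algo` path in val_nsec3.c, which presumably turns valid denial proofs into failures. Wrapping the two labels in `#ifdef HAVE_EVP_SHA1` / `#endif` here and in the matching `setup_key_digest` switch would keep the three places consistent. The function begins and ends outside the hunk.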
@@ -1323,13 +1323,13 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, } /* select SHA version */ -#ifdef SHA256_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA256 if(algo == LDNS_RSASHA256 || algo == LDNS_RSASHA256_NSEC3) *digest_type = EVP_sha256(); else #endif -#ifdef SHA512_DIGEST_LENGTH +#ifdef HAVE_EVP_SHA512 if(algo == LDNS_RSASHA512 || algo == LDNS_RSASHA512_NSEC3) *digest_type = EVP_sha512();