diff --git a/ChangeLog b/ChangeLog
index ec034232..0cccaf34 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,12 +1,14 @@
 * 2018-03-??: Version 1.4.1
+  * Bugfix #388: Prevent fallback to an earlier tries upstream within a
+    single query.  Thanks Robert Groenenberg
+  * PR #387: Compile with OpenSSL with deprecated APIs disabled.
+    Thanks Rosen Penev
   * PR #386: UDP failover improvements:
     - When all UDP upstreams fail, retry them (more or less) equally
     - Limit maximum UDP backoff (default to 1000)
       This is configurable with the --with-max-udp-backoff configure
       option.
     Thanks Robert Groenenberg
-  * Bugfix #388: Prevent fallback to an earlier tries upstream within a
-    single query.  Thanks Robert Groenenberg
   * Bugfix: Find zonecut with DS queries (instead of SOA queries).
     Thanks Elmer Lastdrager
   * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
diff --git a/configure.ac b/configure.ac
index 044d5b93..3a96f942 100644
--- a/configure.ac
+++ b/configure.ac
@@ -636,7 +636,27 @@ case "$enable_dsa" in
     *) dnl default
       # detect if DSA is supported, and turn it off if not.
       AC_CHECK_FUNC(DSA_SIG_new, [
-	AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+	AC_CHECK_TYPE(DSA_SIG*, [
+		AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+	], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
+	  fi ], [
+AC_INCLUDES_DEFAULT
+#ifdef HAVE_OPENSSL_ENGINE_H
+# include <openssl/engine.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+])
       ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
 	  fi ])
       ;;