diff --git a/configure.ac b/configure.ac
index 5fb0a23c..633ffcdf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -223,7 +223,7 @@ else
 fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode])
+AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
@@ -404,6 +404,18 @@ case "$enable_ecdsa" in
 ;;
 esac
+AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
+case "$enable_dsa" in
+ no)
+ ;;
+ *) dnl default
+ # detect if DSA is supported, and turn it off if not.
+ AC_CHECK_FUNC(EVP_dss1, [
+ AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+ ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
+ fi ])
+ ;;
+esac
 AC_ARG_ENABLE(draft-dnssec-roadblock-avoidance, AC_HELP_STRING([--enable-draft-dnssec-roadblock-avoidance], [Enable experimental dnssec roadblock avoidance]))
 AC_ARG_ENABLE(draft-edns-cookies, AC_HELP_STRING([--enable-draft-edns-cookies], [Enable experimental edns cookies]))
diff --git a/m4/acx_openssl.m4 b/m4/acx_openssl.m4
index 485f6599..fc3b4dde 100644
--- a/m4/acx_openssl.m4
+++ b/m4/acx_openssl.m4
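Review bot: In the `*)` branch of the new `enable_dsa` case, a missing `EVP_dss1` without an explicit `--enable-dsa` drops DSA support with no message at all, so a default build against an OpenSSL that lacks the symbol loses a signature algorithm without the builder noticing. Emit a warning on that path, e.g. `else AC_MSG_WARN([OpenSSL lacks EVP_dss1; DSA support disabled])` before the `fi`. `AC_DEFINE_UNQUOTED` is also more than is needed for the literal `1`; plain `AC_DEFINE` would do. Whether `-lcrypto` is already in `LIBS` when `AC_CHECK_FUNC` runs cannot be confirmed from this hunk.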
@@ -47,16 +47,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 ACX_RUNTIME_PATH_ADD([$ssldir/lib])
 fi
- AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
+ AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
 LIBS="-lssl -lcrypto $LIBS"
 LIBSSL_LIBS="-lssl -lcrypto $LIBSSL_LIBS"
 AC_TRY_LINK(, [
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
+ int HMAC_Update(void);
+ (void)HMAC_Update();
 ], [
+ AC_DEFINE([HAVE_HMAC_UPDATE], 1,
+ [If you have HMAC_Update])
 AC_MSG_RESULT(yes)
- AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
- [If you have HMAC_CTX_init])
 ], [
 AC_MSG_RESULT(no)
 # check if -lwsock32 or -lgdi32 are needed.
@@ -66,11 +66,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
 AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
 AC_TRY_LINK([], [
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
+ int HMAC_Update(void);
+ (void)HMAC_Update();
 ],[
- AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
- [If you have HMAC_CTX_init])
+ AC_DEFINE([HAVE_HMAC_UPDATE], 1,
+ [If you have HMAC_Update])
 AC_MSG_RESULT(yes)
 ],[
 AC_MSG_RESULT(no)
@@ -80,11 +80,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
 AC_MSG_CHECKING([if -lcrypto needs -ldl])
 AC_TRY_LINK([], [
- int HMAC_CTX_init(void);
- (void)HMAC_CTX_init();
+ int HMAC_Update(void);
+ (void)HMAC_Update();
 ],[
- AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
- [If you have HMAC_CTX_init])
+ AC_DEFINE([HAVE_HMAC_UPDATE], 1,
+ [If you have HMAC_Update])
 AC_MSG_RESULT(yes)
 ],[
 AC_MSG_RESULT(no)
diff --git a/src/context.c b/src/context.c
index ba2096f9..53cad3f3 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1232,7 +1232,7 @@ getdns_context_create_with_extended_memory_functions(
 result->edns_do_bit = 0;
 result->edns_client_subnet_private = 0;
 result->tls_query_padding_blocksize = 1; /* default is to not try to pad */
- result-> tls_ctx = NULL;
+ result->tls_ctx = NULL;
 result->extension = &result->default_eventloop.loop;
 _getdns_default_eventloop_init(&result->default_eventloop);
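Review bot: The link probe in `ACX_SSL_CHECKS` now defines `HAVE_HMAC_UPDATE` where it used to define `HAVE_HMAC_CTX_INIT` (here and in the `-lgdi32` and `-ldl` retries in the next two hunks), so any remaining `#ifdef HAVE_HMAC_CTX_INIT` in the sources, or in another project sharing this m4 file, would silently compile out. No such user is visible in this diff, so grep for the old macro before merging. If the old name must stay available, add a second `AC_DEFINE([HAVE_HMAC_CTX_INIT], ...)` behind a real check for that function rather than dropping it.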
@@ -1926,17 +1926,19 @@ getdns_return_t
 getdns_context_set_dns_root_servers(
 getdns_context *context, getdns_list *addresses)
 {
-#if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB)
+#ifdef HAVE_LIBUNBOUND
+# ifndef HAVE_UB_CTX_SET_STUB
 char tmpfn[FILENAME_MAX] = P_tmpdir "/getdns-root-dns-servers-XXXXXX";
 FILE *fh;
 int fd;
 size_t dst_len;
-#endif
+# endif
 size_t i;
 getdns_dict *rr_dict;
 getdns_return_t r;
 getdns_bindata *addr_bd;
 char dst[2048];
+#endif
 getdns_list *newlist;
 if (!context)
@@ -2893,9 +2895,22 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
 if (context->tls_ctx == NULL) {
 #ifdef HAVE_TLS_v1_2
 /* Create client context, use TLS v1.2 only for now */
+# ifdef HAVE_TLS_CLIENT_METHOD
+ context->tls_ctx = SSL_CTX_new(TLS_client_method());
+# else
 context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
+# endif
 if(context->tls_ctx == NULL)
 return GETDNS_RETURN_BAD_CONTEXT;
+
+# ifdef HAVE_TLS_CLIENT_METHOD
+ if (!SSL_CTX_set_min_proto_version(
+ context->tls_ctx, TLS1_2_VERSION)) {
+ SSL_CTX_free(context->tls_ctx);
+ context->tls_ctx = NULL;
+ return GETDNS_RETURN_BAD_CONTEXT;
+ }
+# endif
 /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */
 const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM";
@@ -2903,11 +2918,11 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
 return GETDNS_RETURN_BAD_CONTEXT;
 /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/
-#ifndef USE_WINSOCK
+# ifndef USE_WINSOCK
 if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
-#else
+# else
 if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
-#endif /* USE_WINSOCK */
+# endif /* USE_WINSOCK */
 if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
 return GETDNS_RETURN_BAD_CONTEXT;
 }
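Review bot: The outer `#ifdef HAVE_LIBUNBOUND` now closes with a bare `#endif` after `char dst[2048];`, a few lines below the nested `# endif`, and the two are easy to mix up when reading the declaration block. Annotate both, `# endif /* !HAVE_UB_CTX_SET_STUB */` and `#endif /* HAVE_LIBUNBOUND */`, the way this file already writes `#endif /* USE_WINSOCK */`. The function body continues outside the hunk, so it cannot be checked from here that `newlist` is the only local still needed without libunbound.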
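Review bot: The new `SSL_CTX_set_min_proto_version` failure path frees and NULLs `context->tls_ctx`, but the neighbouring early returns leave a partly configured `tls_ctx` behind. These are the `return GETDNS_RETURN_BAD_CONTEXT;` that follows `PREFERRED_CIPHERS` and the one under `GETDNS_AUTHENTICATION_REQUIRED` in the next hunk. Because this setup runs only under `if (context->tls_ctx == NULL)`, a later call would presumably skip the cipher-list and trust-store steps and use that context as it is; route those returns through the same `SSL_CTX_free(context->tls_ctx); context->tls_ctx = NULL;` cleanup. `SSL_CTX_set_min_proto_version` is also gated on `HAVE_TLS_CLIENT_METHOD` rather than on a check of its own, so a library that offers `TLS_client_method` without the min-version call would fail to build; it may be a macro, in which case a declaration check is needed rather than a function check. The comment `use TLS v1.2 only for now` no longer describes the new branch (TLS 1.2 or later), and the enclosing function starts and ends outside this hunk.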
diff --git a/src/pubkey-pinning.c b/src/pubkey-pinning.c
index 427c965d..5263882b 100644
--- a/src/pubkey-pinning.c
+++ b/src/pubkey-pinning.c
@@ -393,18 +393,13 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
 }
 x = sk_X509_value(store->untrusted, i);
- if (x->cert_info == NULL)
- continue;
 #if defined(STUB_DEBUG) && STUB_DEBUG
 DEBUG_STUB("%s %-35s: Name of cert: %d ", STUB_DEBUG_SETUP_TLS, __FUNCTION__, i);
 if (x->cert_info->subject != NULL)
- X509_NAME_print_ex_fp(stderr, x->cert_info->subject, 1, XN_FLAG_ONELINE);
+ X509_NAME_print_ex_fp(stderr, X509_get_subject_name(x), 1, XN_FLAG_ONELINE);
 fprintf(stderr, "\n");
 #endif
- if (x->cert_info->key == NULL)
- continue;
- /* digest the cert with sha256 */
 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), NULL);
 if (len > sizeof(raw)) {
diff --git a/src/request-internal.c b/src/request-internal.c
index 69a6718c..429e6b2f 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -459,7 +459,10 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 unsigned int result_mac_len = EVP_MAX_MD_SIZE;
 uint16_t original_id;
 const EVP_MD *digester;
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
+#ifndef HAVE_HMAC_CTX_NEW
+ HMAC_CTX ctx_space;
+#endif
 DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNCTION__);
 for ( rr = _getdns_rr_iter_init(&rr_spc, req->query,
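Review bot: Inside the `STUB_DEBUG` block the guard `if (x->cert_info->subject != NULL)` still reaches into the X509 struct, while the call below it was converted to `X509_get_subject_name(x)`; with an opaque `X509` type a debug build will not compile. Change the guard to `if (X509_get_subject_name(x) != NULL)`. With the `cert_info` and `key` NULL checks gone, the only visible guard against a certificate without a usable public key is the `len > sizeof(raw)` test on the `i2d_X509_PUBKEY` result, so confirm that an error return (zero or negative) is rejected there. `len` is declared outside this hunk, so its signedness cannot be checked from here.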
@@ -587,14 +590,18 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 #endif
 default : return;
 }
-
- HMAC_CTX_init(&ctx);
- (void) HMAC_Init_ex(&ctx, req->upstream->tsig_key,
+#ifdef HAVE_HMAC_CTX_NEW
+ ctx = HMAC_CTX_new();
+#else
+ ctx = &ctx_space;
+ HMAC_CTX_init(ctx);
+#endif
+ (void) HMAC_Init_ex(ctx, req->upstream->tsig_key,
 req->upstream->tsig_size, digester, NULL);
- (void) HMAC_Update(&ctx, request_mac - 2, request_mac_len + 2);
- (void) HMAC_Update(&ctx, req->response, rr->pos - req->response);
- (void) HMAC_Update(&ctx, tsig_vars, gldns_buffer_position(&gbuf));
- HMAC_Final(&ctx, result_mac, &result_mac_len);
+ (void) HMAC_Update(ctx, request_mac - 2, request_mac_len + 2);
+ (void) HMAC_Update(ctx, req->response, rr->pos - req->response);
+ (void) HMAC_Update(ctx, tsig_vars, gldns_buffer_position(&gbuf));
+ HMAC_Final(ctx, result_mac, &result_mac_len);
 DEBUG_STUB("%s %-35s: Result MAC length: %d\n", STUB_DEBUG_TSIG, __FUNCTION__, (int)(result_mac_len));
@@ -602,8 +609,11 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 memcmp(result_mac, response_mac, result_mac_len) == 0)
 req->tsig_status = GETDNS_DNSSEC_SECURE;
- HMAC_CTX_cleanup(&ctx);
-
+#ifdef HAVE_HMAC_CTX_FREE
+ HMAC_CTX_free(ctx);
+#else
+ HMAC_CTX_cleanup(ctx);
+#endif
 gldns_write_uint16(req->response, gldns_read_uint16(req->query));
 gldns_write_uint16(req->response + 10, gldns_read_uint16(req->response + 10) + 1);
diff --git a/src/sync.c b/src/sync.c
index a75ce081..508492a6 100644
--- a/src/sync.c
+++ b/src/sync.c
@@ -57,7 +57,9 @@ typedef struct getdns_sync_data {
 static getdns_return_t
 getdns_sync_data_init(getdns_context *context, getdns_sync_data *data)
 {
+#ifdef HAVE_LIBUNBOUND
 getdns_eventloop *ext = &context->sync_eventloop.loop;
+#endif
 data->context = context;
 data->to_run = 1;
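Review bot: `ctx = HMAC_CTX_new();` can return NULL on allocation failure, and the result is passed straight to `HMAC_Init_ex(ctx, ...)`; add `if (!ctx) return;` after the allocation, mirroring the `default : return;` exit just above. The results of `HMAC_Init_ex`, `HMAC_Update` and `HMAC_Final` are still discarded, so a failed computation leaves `result_mac` in an unspecified state before it is compared with the response MAC. Checking them and skipping the comparison on failure makes the TSIG verdict depend only on a completed MAC. The function starts and ends outside this hunk.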
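Review bot: The context is allocated under `HAVE_HMAC_CTX_NEW` but released under `HAVE_HMAC_CTX_FREE`, so if the two configure results ever disagree this code either hands the stack object `ctx_space` to `HMAC_CTX_free` or runs only `HMAC_CTX_cleanup` on a heap context and leaks it. Key the release on the same macro as the allocation, `#ifdef HAVE_HMAC_CTX_NEW`. Separately, the MAC check in the context lines above uses `memcmp`, which is not constant-time; `CRYPTO_memcmp(result_mac, response_mac, result_mac_len) == 0` avoids revealing how many leading bytes matched. The start of that condition lies outside the hunk.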