diff --git a/Makefile.am b/Makefile.am
index 3dd37380..695e690c 100755
--- a/Makefile.am
+++ b/Makefile.am
@@ -316,6 +316,7 @@ runner_SOURCES = \
 	utest/test_handy_extra.c \
 	utest/test_hexmap.c \
 	utest/test_lock.c \
+	utest/test_md5.c \
 	utest/test_pathcmp.c \
 	utest/test_rs_buf.c \
 	utest/test_slist.c \
diff --git a/UPGRADING b/UPGRADING
index fefe94eb..e67718f3 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -6,6 +6,8 @@ Blowfish has been deprecated by openssl.
 Burp will now encrypt new files with AES-CBC-256, but will still be able
 to decrypt files encrypted with blowfish as long as your openssl library
 supports it.
+The Windows installer will continue to come with openssl-1.1 for a few months,
+to allow time for people to switch from blowfish.
 
 3.1.0
 -----
diff --git a/src/handy_extra.c b/src/handy_extra.c
index 47887ec6..10476da3 100644
--- a/src/handy_extra.c
+++ b/src/handy_extra.c
@@ -12,11 +12,9 @@
 #include "handy_extra.h"
 #include "sbuf.h"
 
-/* Not ready yet
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #include <openssl/provider.h>
 #endif
-*/
 
 static int do_encryption(struct asfd *asfd, EVP_CIPHER_CTX *ctx,
 	uint8_t *inbuf, int inlen, uint8_t *outbuf, int *outlen,
diff --git a/src/md5.c b/src/md5.c
index 14918f78..667d77a2 100644
--- a/src/md5.c
+++ b/src/md5.c
@@ -4,10 +4,7 @@
 #include "log.h"
 #include "md5.h"
 
-/* Not ready yet
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
-*/
-#if 1
 
 struct md5 *md5_alloc(
 	const char *func
@@ -58,7 +55,7 @@ struct md5 *md5_alloc(
 	struct md5 *md5;
 	if(!(md5=(struct md5 *)calloc_w(1, sizeof(struct md5), func)))
 		return NULL;
-	if((md5->ctx=EVP_MD_CTX_new()))
+	if((md5->ctx=EVP_MD_CTX_create()))
 	{
 #ifdef UTEST
 		alloc_count++;
@@ -75,8 +72,9 @@ void md5_free(
 ) {
 	if(!md5 || !*md5)
 		return;
-	free_v((void **)&(*md5)->ctx);
-	EVP_MD_CTX_free((*md5)->ctx);
+	if ((*md5)->ctx)
+		EVP_MD_CTX_free((*md5)->ctx);
+	free_v((void **)md5);
 #ifdef UTEST
 	alloc_count--;
 #endif
@@ -86,7 +84,7 @@ void md5_free(
 int md5_init(
 	struct md5 *md5
 ) {
-	return EVP_MD_CTX_init(md5->ctx);
+	return EVP_DigestInit_ex(md5->ctx, EVP_md5(), NULL);
 }
 
 int md5_update(
diff --git a/src/md5.h b/src/md5.h
index d46d90f2..f1991c97 100644
--- a/src/md5.h
+++ b/src/md5.h
@@ -3,10 +3,7 @@
 
 #include <openssl/md5.h>
 
-/* Not ready yet
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
-*/
-#if 1
 struct md5 {
 	MD5_CTX *ctx;
 };
diff --git a/src/ssl.c b/src/ssl.c
index a025864e..1679f8d5 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -34,10 +34,7 @@ int ssl_do_accept(SSL *ssl)
 	}
 }
 
-/* Not ready yet
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
-*/
-#if 1
 int ssl_load_dh_params(SSL_CTX *ctx, struct conf **confs)
 {
 	DH *ret=0;
@@ -84,7 +81,7 @@ int ssl_load_dh_params(SSL_CTX *ctx, struct conf **confs)
 		return -1;
 	}
 
-	if(!OSSL_DECODER_from_bio(dctx, bio))
+	if(OSSL_DECODER_from_bio(dctx, bio))
 	{
 		logp_ssl_err("Decoding failure for: %s\n", ssl_dhfile);
 		BIO_free(bio);
diff --git a/src/win32/utest/Makefile b/src/win32/utest/Makefile
index 8c45dea9..fea95b61 100644
--- a/src/win32/utest/Makefile
+++ b/src/win32/utest/Makefile
@@ -111,6 +111,7 @@ CLIENT_OBJS = \
 	$(OBJDIR)/utest/test_fzp.o \
 	$(OBJDIR)/utest/test_handy_extra.o \
 	$(OBJDIR)/utest/test_hexmap.o \
+	$(OBJDIR)/utest/test_md5.o \
 	$(OBJDIR)/utest/test_pathcmp.o \
 	$(OBJDIR)/utest/test_rs_buf.o \
 	$(OBJDIR)/utest/test_slist.o \
diff --git a/utest/main.c b/utest/main.c
index 21b7f31a..3a928d4a 100644
--- a/utest/main.c
+++ b/utest/main.c
@@ -47,6 +47,7 @@ int main(int argc, char *argv[], char *envp[])
 	srunner_add_suite(sr, suite_fzp());
 	srunner_add_suite(sr, suite_handy_extra());
 	srunner_add_suite(sr, suite_hexmap());
+	srunner_add_suite(sr, suite_md5());
 	srunner_add_suite(sr, suite_pathcmp());
 	srunner_add_suite(sr, suite_rs_buf());
 	srunner_add_suite(sr, suite_slist());
diff --git a/utest/test.h b/utest/test.h
index c940c863..08d8b8fc 100644
--- a/utest/test.h
+++ b/utest/test.h
@@ -85,6 +85,7 @@ Suite *suite_fzp(void);
 Suite *suite_handy_extra(void);
 Suite *suite_hexmap(void);
 Suite *suite_lock(void);
+Suite *suite_md5(void);
 Suite *suite_pathcmp(void);
 Suite *suite_rs_buf(void);
 Suite *suite_server_auth(void);
diff --git a/utest/test_md5.c b/utest/test_md5.c
new file mode 100644
index 00000000..d2b1608c
--- /dev/null
+++ b/utest/test_md5.c
@@ -0,0 +1,42 @@
+#include <check.h>
+#include <stdlib.h>
+#include <string.h>
+#include "../src/alloc.h"
+#include "../src/hexmap.h"
+#include "../src/md5.h"
+#include "test.h"
+
+START_TEST(test_md5)
+{
+	uint8_t checksum[MD5_DIGEST_LENGTH];
+	struct md5 *md5;
+	fail_unless((md5=md5_alloc(__func__))!=NULL);
+	fail_unless(md5_init(md5));
+
+	fail_unless(md5_update(md5, "blah", strlen("blah"))!=4);
+	fail_unless(md5_final(md5, checksum)!=16);
+	ck_assert_str_eq(
+		"6f1ed002ab5595859014ebf0951522d9",
+		bytes_to_md5str(checksum)
+	);
+
+	md5_free(&md5);
+	fail_unless(md5==NULL);
+	alloc_check();
+}
+END_TEST
+
+Suite *suite_md5(void)
+{
+	Suite *s;
+	TCase *tc_core;
+
+	s=suite_create("md5");
+
+	tc_core=tcase_create("Core");
+
+	tcase_add_test(tc_core, test_md5);
+	suite_add_tcase(s, tc_core);
+
+	return s;
+}