diff --git a/changes/ticket40165 b/changes/ticket40165
new file mode 100644
index 0000000000..a8dd0a339b
--- /dev/null
+++ b/changes/ticket40165
@@ -0,0 +1,5 @@
+  o Minor features (compilation):
+    - Disable deprecation warnings when building with OpenSSL 3.0.0 or later.
+      There are a number of newly deprecated APIs in OpenSSL 3.0.0 that Tor
+      still requires.  (A later version of Tor will try to stop depending on
+      these.)  Closes ticket 40165.
diff --git a/changes/ticket40170 b/changes/ticket40170
new file mode 100644
index 0000000000..cc1c8dbad1
--- /dev/null
+++ b/changes/ticket40170
@@ -0,0 +1,3 @@
+  o Minor bugfixes (tests):
+    - Fix the "tortls/openssl/log_one_error" test to work with OpenSSL 3.0.0.
+      Fixes bug 40170; bugfix on 0.2.8.1-alpha.
diff --git a/configure.ac b/configure.ac
index a03633a734..165b337a21 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1065,13 +1065,30 @@ LIBS="$TOR_OPENSSL_LIBS $LIBS"
 LDFLAGS="$TOR_LDFLAGS_openssl $LDFLAGS"
 CPPFLAGS="$TOR_CPPFLAGS_openssl $CPPFLAGS"
 
+dnl Tor currently uses a number of APIs that are deprecated in OpenSSL 3.0.0
+dnl and later.  We want to migrate away from them, but that will be a lot of
+dnl work. (See ticket tor#40166.)  For now, we disable the deprecation
+dnl warnings.
+
+AC_MSG_CHECKING([for OpenSSL >= 3.0.0])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <openssl/opensslv.h>
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER <= 0x30000000L
+#error "you_have_version_3"
+#endif
+   ]], [[]])],
+   [ AC_MSG_RESULT([no]) ],
+   [ AC_MSG_RESULT([yes]);
+     AC_DEFINE(OPENSSL_SUPPRESS_DEPRECATED, 1, [disable openssl deprecated-function warnings]) ])
+
+AC_MSG_CHECKING([for OpenSSL < 1.0.1])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <openssl/opensslv.h>
 #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL
 #error "too old"
 #endif
    ]], [[]])],
-   [ : ],
+   [ AC_MSG_RESULT([no]) ],
    [ AC_MSG_ERROR([OpenSSL is too old. We require 1.0.1 or later. You can specify a path to a newer one with --with-openssl-dir.]) ])
 
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h
index 5fd073bea1..c2e1459078 100644
--- a/src/lib/crypt_ops/compat_openssl.h
+++ b/src/lib/crypt_ops/compat_openssl.h
@@ -32,10 +32,6 @@
 #define OPENSSL_1_1_API
 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */
 
-#ifndef OPENSSL_VERSION
-#define OPENSSL_VERSION SSLEAY_VERSION
-#endif
-
 #ifndef OPENSSL_1_1_API
 #define OpenSSL_version(v) SSLeay_version(v)
 #define OpenSSL_version_num() SSLeay()
@@ -54,4 +50,3 @@
 #endif /* defined(ENABLE_OPENSSL) */
 
 #endif /* !defined(TOR_COMPAT_OPENSSL_H) */
-
diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.c b/src/lib/crypt_ops/crypto_openssl_mgt.c
index f2f5a55d05..065cbca1cc 100644
--- a/src/lib/crypt_ops/crypto_openssl_mgt.c
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.c
@@ -101,13 +101,22 @@ static char *crypto_openssl_version_str = NULL;
 const char *
 crypto_openssl_get_version_str(void)
 {
+#ifdef OPENSSL_VERSION
+  const int query = OPENSSL_VERSION;
+#else
+  /* This old name was changed around OpenSSL 1.1.0 */
+  const int query = SSLEAY_VERSION;
+#endif
+
   if (crypto_openssl_version_str == NULL) {
-    const char *raw_version = OpenSSL_version(OPENSSL_VERSION);
+    const char *raw_version = OpenSSL_version(query);
     crypto_openssl_version_str = parse_openssl_version_str(raw_version);
   }
   return crypto_openssl_version_str;
 }
 
+#undef QUERY_OPENSSL_VERSION
+
 static char *crypto_openssl_header_version_str = NULL;
 /* Return a human-readable version of the compile-time openssl version
 * number. */
@@ -214,7 +223,7 @@ crypto_openssl_early_init(void)
     setup_openssl_threading();
 
     unsigned long version_num = OpenSSL_version_num();
-    const char *version_str = OpenSSL_version(OPENSSL_VERSION);
+    const char *version_str = crypto_openssl_get_version_str();
     if (version_num == OPENSSL_VERSION_NUMBER &&
         !strcmp(version_str, OPENSSL_VERSION_TEXT)) {
       log_info(LD_CRYPTO, "OpenSSL version matches version from headers "
diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h
index 083df00033..c67ab6467c 100644
--- a/src/lib/crypt_ops/crypto_openssl_mgt.h
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.h
@@ -16,8 +16,7 @@
 #include "orconfig.h"
 
 #ifdef ENABLE_OPENSSL
-#include <openssl/engine.h>
-
+#include <openssl/opensslv.h>
 /*
   Macro to create an arbitrary OpenSSL version number as used by
   OPENSSL_VERSION_NUMBER or SSLeay(), since the actual numbers are a bit hard
diff --git a/src/test/test_tortls_openssl.c b/src/test/test_tortls_openssl.c
index e20b0d1ede..42a901fe77 100644
--- a/src/test/test_tortls_openssl.c
+++ b/src/test/test_tortls_openssl.c
@@ -279,8 +279,7 @@ test_tortls_log_one_error(void *ignored)
 
   mock_clean_saved_logs();
   tor_tls_log_one_error(tls, ERR_PACK(1, 2, 3), LOG_WARN, 0, NULL);
-  expect_log_msg("TLS error with 127.hello: "
-            "BN lib (in unknown library:(null):---)\n");
+  expect_log_msg_containing("TLS error with 127.hello");
 
   mock_clean_saved_logs();
   tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_HTTP_REQUEST),