diff --git a/src/common/crypto.c b/src/common/crypto.c
index c4597cf5f2..a486b23513 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -228,7 +228,9 @@ crypto_global_init(int useAccel)
 void
 crypto_thread_cleanup(void)
 {
+#ifndef ENABLE_0119_PARANOIA
   ERR_remove_state(0);
+#endif
 }
 
 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
@@ -237,13 +239,17 @@ int
 crypto_global_cleanup(void)
 {
   EVP_cleanup();
+#ifndef ENABLE_0119_PARANOIA
   ERR_remove_state(0);
+#endif
   ERR_free_strings();
 #ifndef NO_ENGINES
   ENGINE_cleanup();
+#ifndef ENABLE_0119_PARANOIA
   CONF_modules_unload(1);
   CRYPTO_cleanup_all_ex_data();
 #endif
+#endif
 #ifdef TOR_IS_MULTITHREADED
   if (_n_openssl_mutexes) {
     int n = _n_openssl_mutexes;
@@ -1375,7 +1381,9 @@ crypto_dh_new(void)
   if (!(res->dh->g = BN_dup(dh_param_g)))
     goto err;
 
+#ifndef ENABLE_0119_PARANOIA
   res->dh->length = DH_PRIVATE_KEY_BITS;
+#endif
 
   return res;
  err:
@@ -1602,7 +1610,11 @@ crypto_dh_free(crypto_dh_env_t *dh)
 
 /* Use RAND_poll if openssl is 0.9.6 release or later.  (The "f" means
    "release".)  */
+#ifndef ENABLE_0119_PARANOIA
 #define USE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
+#else
+#define USE_RAND_POLL 0
+#endif
 
 /** Seed OpenSSL's random number generator with bytes from the
  * operating system.  Return 0 on success, -1 on failure.
diff --git a/src/common/crypto.h b/src/common/crypto.h
index be53b964bb..28571d16a8 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -15,6 +15,8 @@
 
 #include <stdio.h>
 
+#undef ENABLE_0119_PARANOIA
+
 /** Length of the output of our message digest. */
 #define DIGEST_LEN 20
 /** Length of our symmetric cipher's keys. */
diff --git a/src/common/tortls.c b/src/common/tortls.c
index cd070b164d..7a41a931f7 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -363,7 +363,9 @@ tor_tls_context_new(crypto_pk_env_t *identity,
       goto error;
     SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2);
 #endif
+#ifndef ENABLE_0119_PARANOIA
     SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_DH_USE);
+#endif
     if (!SSL_CTX_set_cipher_list(*ctx, CIPHER_LIST))
       goto error;
     if (!client_only) {