diff --git a/.sai.json b/.sai.json
index 6af699b2e..8a937a79a 100644
--- a/.sai.json
+++ b/.sai.json
@@ -125,6 +125,10 @@
 "cmake": "-DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_GENCRYPTO=0",
 "platforms": "none,linux-fedora-32/x86_64-amd/gcc"
 },
+ "default-examples-openssl-v3-gencrypto": {
+ "cmake": "-DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_GENCRYPTO=1",
+ "platforms": "none,linux-fedora-32/x86_64-amd/gcc"
+ },
 "default-examples-boringssl": {
 "cmake": "cmake .. -DLWS_WITH_BORINGSSL=1 -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/boringssl/include\" -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/boringssl/build/ssl/libssl.so;/usr/local/src/boringssl/build/crypto/libcrypto.so\" -DLWS_WITH_MINIMAL_EXAMPLES=1",
 "platforms": "none,linux-fedora-32/x86_64-amd/gcc"
@@ -153,8 +157,9 @@
 "cmake": "-DLWS_WITH_PLUGINS=1",
 "platforms": "none,linux-fedora-32/x86_64-amd/gcc,linux-debian-sid/x86-amd/gcc,linux-debian-sid/x86_64-amd/gcc"
 },
+ # WARN_DEPRECATED disabled for openssl v3 case on windows
 "lws_system": {
- "cmake": "-DLWS_WITH_ACME=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DCMAKE_BUILD_TYPE=RELEASE -DLWS_WITH_GENCRYPTO=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_NTPCLIENT=1",
+ "cmake": "-DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 -DLWS_WITH_ACME=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DCMAKE_BUILD_TYPE=RELEASE -DLWS_WITH_GENCRYPTO=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_NTPCLIENT=1",
 "platforms": "w10/x86_64-amd/msvc, w10/x86_64-amd/noptmsvc"
 },
 "secure-streams": {
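Review bot: The comment added above `lws_system` names `WARN_DEPRECATED`, which is not the option this commit introduces, so a later reader grepping for the switch will not find it; `# LWS_SUPPRESS_DEPRECATED_API_WARNINGS set: the Windows builder links OpenSSL v3` would match the flag actually passed on the next line (the OpenSSL v3 part is taken from the existing comment, not verified here). With this hunk and the new `default-examples-openssl-v3-gencrypto` job in the first hunk, every CI configuration that builds the gencrypto/JOSE/ACME code against OpenSSL v3 runs with deprecation diagnostics off, so CI will not report newly deprecated crypto calls in those configurations. A job that keeps the warnings on, even if allowed to fail, would preserve that signal.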
diff --git a/CMakeLists.txt b/CMakeLists.txt index 4e4d2dbfc..5221cd08e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -198,6 +198,8 @@ option(LWS_WITH_STATIC "Build the static version of the library" ON) option(LWS_WITH_SHARED "Build the shared version of the library" ON) option(LWS_LINK_TESTAPPS_DYNAMIC "Link the test apps to the shared version of the library. Default is to link statically" OFF) option(LWS_STATIC_PIC "Build the static version of the library with position-independent code" OFF) +option(LWS_SUPPRESS_DEPRECATED_API_WARNINGS "Turn off complaints about, eg, openssl deprecated api usage" OFF) + # # Specific platforms # @@ -717,6 +719,7 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG) check_c_compiler_flag("-Wignored-qualifiers" LWS_GCC_HAS_IGNORED_QUALIFIERS) check_c_compiler_flag("-Wtype-limits" LWS_GCC_HAS_TYPE_LIMITS) + check_c_compiler_flag("-Wno-deprecated-declarations" LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS) if (LWS_GCC_HAS_IGNORED_QUALIFIERS) set(CMAKE_C_FLAGS "-Wignored-qualifiers ${CMAKE_C_FLAGS}" ) @@ -744,6 +747,13 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG) if ("${DISABLE_WERROR}" STREQUAL "OFF") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror") endif() + + if (LWS_SUPPRESS_DEPRECATED_API_WARNINGS) + set(CMAKE_C_FLAGS "-Wno-deprecated ${CMAKE_C_FLAGS}") + if (LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS) + set(CMAKE_C_FLAGS "-Wno-deprecated-declarations ${CMAKE_C_FLAGS}") + endif() + endif() endif () if ((CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX) AND NOT LWS_WITHOUT_TESTAPPS) diff --git a/cmake/lws_config.h.in b/cmake/lws_config.h.in index ab7776370..732767c99 100644 --- a/cmake/lws_config.h.in +++ b/cmake/lws_config.h.in 
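Review bot: In the CMakeLists.txt block added after the `-Werror` handling, `-Wno-deprecated` is prepended to `CMAKE_C_FLAGS` with no probe at all, while `-Wno-deprecated-declarations` relies on the `check_c_compiler_flag` call added in the previous hunk; GCC accepts an unknown `-Wno-*` option silently unless some other diagnostic is emitted, so that probe tends to succeed whether or not the flag is supported. Probing the positive spelling is the usual workaround, `check_c_compiler_flag("-Wdeprecated-declarations" LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS)`. Both flags go into the global `CMAKE_C_FLAGS`, so the option silences every deprecation diagnostic in every translation unit, not only the OpenSSL ones; the help string in the first hunk should say so, for example `"Suppress all deprecated-API compiler warnings (needed for EC_KEY use with OpenSSL v3)"`. The enclosing compiler-ID `if` block opens outside these hunks.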
@@ -37,6 +37,7 @@ #cmakedefine LWS_HAVE_BN_bn2binpad #cmakedefine LWS_HAVE_CLOCK_GETTIME #cmakedefine LWS_HAVE_EC_POINT_get_affine_coordinates +#cmakedefine LWS_HAVE_EC_KEY_new_by_curve_name #cmakedefine LWS_HAVE_ECDSA_SIG_set0 #cmakedefine LWS_HAVE_EVP_MD_CTX_free #cmakedefine LWS_HAVE_EVP_aes_128_wrap @@ -116,6 +117,7 @@ #cmakedefine LWS_SHA1_USE_OPENSSL_NAME #cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS #cmakedefine LWS_SSL_SERVER_WITH_ECDH_CERT +#cmakedefine LWS_SUPPRESS_DEPRECATED_API_WARNINGS #cmakedefine LWS_TLS_LOG_PLAINTEXT_RX #cmakedefine LWS_TLS_LOG_PLAINTEXT_TX #cmakedefine LWS_WITH_ABSTRACT diff --git a/include/libwebsockets.h b/include/libwebsockets.h index 764b6b168..bf027a6c6 100644 --- a/include/libwebsockets.h +++ b/include/libwebsockets.h @@ -41,6 +41,10 @@ extern "C" { #include "lws_config.h" +#if defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS) +#define OPENSSL_USE_DEPRECATED +#endif + /* place for one-shot opaque forward references */ typedef struct lws_context * lws_ctx_t; diff --git a/lib/tls/CMakeLists.txt b/lib/tls/CMakeLists.txt index a499b3308..9f7d2b3ff 100644 --- a/lib/tls/CMakeLists.txt +++ b/lib/tls/CMakeLists.txt @@ -307,6 +307,9 @@ CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE) CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_set_ciphersuites LWS_HAVE_SSL_CTX_set_ciphersuites PARENT_SCOPE) CHECK_FUNCTION_EXISTS(${VARIA}EVP_PKEY_new_raw_private_key LWS_HAVE_EVP_PKEY_new_raw_private_key PARENT_SCOPE) +# deprecated in openssl v3 +CHECK_FUNCTION_EXISTS(${VARIA}EC_KEY_new_by_curve_name LWS_HAVE_EC_KEY_new_by_curve_name PARENT_SCOPE) + if (LWS_WITH_SSL AND NOT LWS_WITH_MBEDTLS) # we don't want to confuse what's in or out of the wrapper with # what's in an openssl also installed on the build host diff --git a/lib/tls/openssl/lws-genec.c b/lib/tls/openssl/lws-genec.c index 1e953b722..8600b622f 100644 --- a/lib/tls/openssl/lws-genec.c +++ b/lib/tls/openssl/lws-genec.c 
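Review bot: The `#define OPENSSL_USE_DEPRECATED` added to `include/libwebsockets.h` lives in the installed public header, so any application that includes it before its own OpenSSL headers inherits the macro too, and the library's build choice changes what the application's compiler reports about the application's own crypto calls. The define belongs in a header only the lws TLS sources see; `private-lib-tls-openssl.h`, which `lws-genec.c` includes in this commit, looks like a candidate provided it is read before any `<openssl/...>` include. It is also worth confirming that the OpenSSL v3 headers act on this macro name, since the name those headers check for silencing deprecation warnings is `OPENSSL_SUPPRESS_DEPRECATED`. A comment such as `/* must precede every <openssl/...> include */` next to the define would record the ordering requirement.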
@@ -27,6 +27,12 @@ #include "private-lib-core.h" #include "private-lib-tls-openssl.h" +#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \ + (OPENSSL_VERSION_NUMBER >= 0x30000000l) && \ + !defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS) +#warning "You probably need LWS_SUPPRESS_DEPRECATED_API_WARNINGS" +#endif + /* * Care: many openssl apis return 1 for success. These are translated to the * lws convention of 0 for success. diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c index 3923f1453..24f832e69 100644 --- a/lib/tls/openssl/openssl-server.c +++ b/lib/tls/openssl/openssl-server.c @@ -155,7 +155,9 @@ lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi, const char *mem_cert, size_t mem_cert_len, const char *mem_privkey, size_t mem_privkey_len) { -#if !defined(OPENSSL_NO_EC) +#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \ + ((OPENSSL_VERSION_NUMBER < 0x30000000l) || \ + defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS)) const char *ecdh_curve = "prime256v1"; #if !defined(LWS_WITH_BORINGSSL) && defined(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS) STACK_OF(X509) *extra_certs = NULL; @@ -419,7 +421,9 @@ check_key: } -#if !defined(OPENSSL_NO_EC) +#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \ + ((OPENSSL_VERSION_NUMBER < 0x30000000l) || \ + defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS)) if (vhost->tls.ecdh_curve[0]) ecdh_curve = vhost->tls.ecdh_curve; @@ -461,7 +465,8 @@ check_key: } #else return 0; -#endif +#endif /* !boringssl */ + /* Get the public key from certificate */ pkey = X509_get_pubkey(x); if (!pkey) { 
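Review bot: The `#warning` added at the top of `lws-genec.c` becomes a hard error wherever the top-level CMakeLists.txt adds `-Werror` (the `DISABLE_WERROR` block visible in this commit), so on OpenSSL v3 a gencrypto build presumably stops here until the user turns deprecation diagnostics off globally. The text gives no reason, which pushes users toward the switch without telling them what they are accepting. Something like `#warning "lws-genec uses EC_KEY APIs deprecated in OpenSSL v3; set -DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 to build"` states the cause, and a one-line comment above the `#if` should note that the warning is expected to be fatal under `-Werror`.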
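Review bot: With the new guard at `@@ -419`, an OpenSSL v3 build without `LWS_SUPPRESS_DEPRECATED_API_WARNINGS` compiles out the block that reads `vhost->tls.ecdh_curve`, so a curve the operator configured is silently dropped and the server falls back to whatever groups OpenSSL selects by default. That path should at least log that the setting was not applied, or apply it through the non-deprecated `SSL_CTX_set1_groups_list()`. The same three-line condition is repeated at `@@ -155`; defining it once as a private macro in the OpenSSL private header would keep the two sites from drifting apart. `lws_tls_server_certs_load()` starts before and ends after these hunks.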
@@ -486,13 +491,14 @@ check_key: SSL_CTX_set_tmp_ecdh(vhost->tls.ssl_ctx, EC_key); EC_KEY_free(EC_key); -#else - lwsl_notice(" OpenSSL doesn't support ECDH\n"); -#endif + #if !defined(OPENSSL_NO_EC) && !defined(LWS_WITH_BORINGSSL) post_ecdh: #endif vhost->tls.skipped_certs = 0; +#else + lwsl_notice(" OpenSSL doesn't support ECDH\n"); +#endif return 0; }
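Review bot: Moving `#else` below `vhost->tls.skipped_certs = 0;` means the flag is now cleared only when the EC_KEY branch is compiled in; before this hunk the assignment sat after the `#endif` and ran on both branches. On an OpenSSL v3 build without the suppression option the function now returns 0 with `skipped_certs` left at its previous value, which anything that reads the flag later will see as stale. Keep the assignment outside the conditional by placing `vhost->tls.skipped_certs = 0;` after the final `#endif`, directly before `return 0;`. The notice in that branch is also printed when OpenSSL supports ECDH but the deprecated call was avoided, so `lwsl_notice(" ECDH curve setup skipped (EC_KEY api unavailable or deprecated)\n");` would describe it more accurately. The function body begins outside this hunk.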