diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt index dbfa16e03..10bd0491e 100644 --- a/cmake/CMakeLists.txt +++ b/cmake/CMakeLists.txt @@ -351,6 +351,7 @@ endif() declare_project(thirdparty/openssh ${EXCLUDE_FROM_ALL}) # openssl +# NOTE: `EXCLUDE_FROM_ALL` is not used because `ffi/crypto` needs `libcrypto`. declare_project(thirdparty/openssl) # pcre2 diff --git a/ffi/crypto.lua b/ffi/crypto.lua index 98ec990aa..7a3d45397 100644 --- a/ffi/crypto.lua +++ b/ffi/crypto.lua @@ -7,7 +7,7 @@ LuaJIT FFI wrapper for libcrypto (OpenSSL). local ffi = require("ffi") require("ffi/crypto_h") -local libcrypto = ffi.loadlib("crypto", "1.1") +local libcrypto = ffi.loadlib("crypto", "3") local crypto = {} function crypto.pbkdf2_hmac_sha1(pass, salt, iterations, key_len) diff --git a/thirdparty/openssl/CMakeLists.txt b/thirdparty/openssl/CMakeLists.txt index b5b0928be..e63780e32 100644 --- a/thirdparty/openssl/CMakeLists.txt +++ b/thirdparty/openssl/CMakeLists.txt @@ -1,5 +1,4 @@ list(APPEND PATCH_FILES - openssl-1.1.0j-parallel_install_fix.patch reduce_build_verbosity.patch macos_rpath.patch ) 
@@ -27,7 +26,62 @@ if(CHOST) list(APPEND CFG_ENV_VAR CROSS_COMPILE=${CHOST}-) endif() -set(CFG_OPTS shared) +if(MONOLIBTIC) + set(CFG_OPTS no-shared) +else() + set(CFG_OPTS shared) +endif() + +list(APPEND CFG_OPTS + --api=1.1.1 + no-afalgeng + no-apps + no-argon2 + no-async + no-bf + no-capieng + no-cast + no-cmac + no-cms + no-comp + no-default-thread-pool + no-deprecated + no-des + no-dsa + no-dynamic-engine + no-ecx + no-gost + no-idea + no-legacy + no-md4 + no-padlockeng + no-quic + no-rc2 + no-rc4 + no-rc5 + no-rmd160 + no-seed + no-srp + no-tests + no-thread-pool + no-ts + no-ui-console + no-uplink + no-whirlpool +) +if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug") + list(APPEND CFG_OPTS + no-err + no-filenames + ) +endif() + +# Do we support SIMD? +if(WANT_SIMD) + list(APPEND CFG_OPTS enable-asm) +else() + list(APPEND CFG_OPTS no-asm) +endif() if(ANDROID) assert_var_defined(ENV{NDKABI}) @@ -52,13 +106,6 @@ else() endif() endif() -# Do we support SIMD? -if(WANT_SIMD) - set(ASM_OPT enable-asm) -else() - set(ASM_OPT no-asm) -endif() - if(APPLE) list(APPEND CONFIGURE_CMD ${SOURCE_DIR}/Configure) if(DARWIN_AARCH64) @@ -74,17 +121,13 @@ else() list(APPEND CONFIGURE_CMD ${SOURCE_DIR}/Configure) endif() -set(CFG_OPTS ${CFG_OPTS} ${ASM_OPT} no-async no-idea no-mdc2 no-rc5 no-tests) list(APPEND CFG_CMD COMMAND env ${CFG_ENV_VAR} ${CONFIGURE_CMD} --prefix=${STAGING_DIR} + --libdir=lib ${CFG_OPTS} ) -if(ANDROID) - # Disable versioning of shared objects. - list(APPEND CFG_CMD COMMAND ${ISED} "s|^SHLIB_EXT=.*|SHLIB_EXT=${LIB_EXT}|" Makefile) -endif() set(MAKE_CMD make 
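Review bot: In the `list(APPEND CFG_OPTS ...)` block of the `@@ -27,7 +26,62 @@` hunk, `no-ecx` sits among the legacy-cipher switches, but it removes X25519/X448 and Ed25519/Ed448, and nothing in the list says this was intended. Those are current algorithms rather than legacy ones. With them gone, TLS key exchange is left with the NIST curves and finite-field groups, and a peer or certificate that needs the Montgomery/Edwards curves would fail. This should be confirmed against what the libssl consumers actually need. A short comment would record the decision, for example `# no-ecx: drops X25519/Ed25519; TLS falls back to NIST-curve key shares`. A similar comment on `no-err` would help, since it strips error strings from non-Debug builds and makes certificate-verification failures harder to diagnose from logs.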
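Review bot: The added `--libdir=lib` in the `@@ -74,17 +121,13 @@` hunk carries no comment, and its reason is not obvious from the file. Presumably it is there because OpenSSL 3's Configure can choose `lib64` on multilib targets while the staging layout expects `lib`. If so, say it next to the option: `# Pin libdir: OpenSSL 3 may default to lib64, the staging tree expects lib.` The same hunk drops the Android `SHLIB_EXT` rewrite. It is worth confirming that the Android build still produces an unversioned `.so`, since nothing visible here replaces that step.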
@@ -102,20 +145,14 @@ list(APPEND BUILD_CMD COMMAND ${MAKE_CMD} build_libs) list(APPEND INSTALL_CMD COMMAND ${MAKE_CMD} install_dev) -if(MONOLIBTIC) - list(APPEND INSTALL_CMD COMMAND sh -c "rm -v \"$1\"* \"$2\"*" -- - ${STAGING_DIR}/lib/libcrypto${LIB_EXT} - ${STAGING_DIR}/lib/libssl${LIB_EXT} - ) -else() - append_shared_lib_install_commands(INSTALL_CMD crypto VERSION 1.1) - append_shared_lib_install_commands(INSTALL_CMD ssl VERSION 1.1) +if(NOT MONOLIBTIC) + append_shared_lib_install_commands(INSTALL_CMD crypto VERSION 3) + append_shared_lib_install_commands(INSTALL_CMD ssl VERSION 3) endif() external_project( - DOWNLOAD URL 3f76825f195e52d4b10c70040681a275 - https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz - https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz + DOWNLOAD URL 34733f7be2d60ecd8bd9ddb796e182af + https://github.com/openssl/openssl/releases/download/openssl-3.4.0/openssl-3.4.0.tar.gz PATCH_FILES ${PATCH_FILES} CONFIGURE_COMMAND ${CFG_CMD} BUILD_COMMAND ${BUILD_CMD} diff --git a/thirdparty/openssl/fix_libcrypto_pkg-config_entry.patch b/thirdparty/openssl/fix_libcrypto_pkg-config_entry.patch index b8c201b72..28bd2d1b8 100644 --- a/thirdparty/openssl/fix_libcrypto_pkg-config_entry.patch +++ b/thirdparty/openssl/fix_libcrypto_pkg-config_entry.patch 
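Review bot: The new tarball in `external_project(DOWNLOAD URL ...)` is pinned only by a 32-hex-digit value, which looks like an MD5 digest. MD5 is not collision-resistant, so it is a weak integrity check for the archive of the crypto library itself. A SHA-256 pin would be the appropriate one if the `external_project` helper can take it; its definition is outside this diff, but CMake's own `ExternalProject_Add` accepts `URL_HASH SHA256=<digest-from-upstream-release>`. The hunk also removes the second mirror URL, so the GitHub release is now the only source and a failed download becomes a failed build.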
@@ -1,13 +1,13 @@ ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -974,8 +974,8 @@ - echo 'Name: OpenSSL-libcrypto'; \ - echo 'Description: OpenSSL cryptography library'; \ - echo 'Version: '$(VERSION); \ -- echo 'Libs: -L$${libdir} -lcrypto'; \ -- echo 'Libs.private: $(LIB_EX_LIBS)'; \ -+ echo 'Libs: -L$${libdir} -lcrypto $(LIB_EX_LIBS)'; \ -+ echo 'Libs.private:'; \ - echo 'Cflags: -I$${includedir}' ) > libcrypto.pc - - libssl.pc: +--- i/exporters/pkg-config/libcrypto.pc.in ++++ w/exporters/pkg-config/libcrypto.pc.in +@@ -17,8 +17,8 @@ + Name: OpenSSL-libcrypto + Description: OpenSSL cryptography library + Version: {- $OpenSSL::safe::installdata::VERSION -} +-Libs: -L${libdir} -lcrypto +-Libs.private: {- join(' ', @OpenSSL::safe::installdata::LDLIBS) -} ++Libs: -L${libdir} -lcrypto {- join(' ', @OpenSSL::safe::installdata::LDLIBS) -} ++Libs.private: + Cflags:{- $OUT = ' -I${includedir}'; + if (scalar @OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX > 1) { + $OUT = ''; diff --git a/thirdparty/openssl/macos_rpath.patch b/thirdparty/openssl/macos_rpath.patch index 9736d41b9..55cee7ac3 100644 --- a/thirdparty/openssl/macos_rpath.patch +++ b/thirdparty/openssl/macos_rpath.patch @@ -1,10 +1,10 @@ --- i/Configurations/shared-info.pl +++ w/Configurations/shared-info.pl -@@ -44,7 +44,7 @@ my %shared_info; +@@ -49,7 +49,7 @@ 'darwin-shared' => { module_ldflags => '-bundle', shared_ldflag => '-dynamiclib -current_version $(SHLIB_VERSION_NUMBER) -compatibility_version $(SHLIB_VERSION_NUMBER)', -- shared_sonameflag => '-install_name $(INSTALLTOP)/$(LIBDIR)/', +- shared_sonameflag => '-install_name $(libdir)/', + shared_sonameflag => '-install_name @rpath/', }, 'cygwin-shared' => { diff --git a/thirdparty/openssl/openssl-1.1.0j-parallel_install_fix.patch b/thirdparty/openssl/openssl-1.1.0j-parallel_install_fix.patch deleted file mode 100644 index c837e208c..000000000 
--- a/thirdparty/openssl/openssl-1.1.0j-parallel_install_fix.patch +++ /dev/null @@ -1,21 +0,0 @@ -https://github.com/openssl/openssl/issues/7679 - ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -77,8 +77,14 @@ - # to. You're welcome. - sub dependmagic { - my $target = shift; -- -- return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target"; -+ my $magic = <<"_____"; -+$target: build_generated depend -+ \$(MAKE) _$target -+_$target -+_____ -+ # Remove line ending -+ $magic =~ s|\R$||; -+ return $magic; - } - ''; - -} diff --git a/thirdparty/turbo/CMakeLists.txt b/thirdparty/turbo/CMakeLists.txt index f9081a34e..f123ecce6 100644 --- a/thirdparty/turbo/CMakeLists.txt +++ b/thirdparty/turbo/CMakeLists.txt @@ -3,6 +3,8 @@ list(APPEND PATCH_FILES # libtffi_wrap library, and pull in upstream fixes. turbo.patch d7a8a247a4a2689b0f207162eb804141c87c4899.patch + # Fix some deprecated OpenSSL calls. + openssl.patch ) # Remove the 7 years-old copy of a CA bundle that turbo doesn't actually use. diff --git a/thirdparty/turbo/openssl.patch b/thirdparty/turbo/openssl.patch new file mode 100644 index 000000000..868bb0e4f --- /dev/null +++ b/thirdparty/turbo/openssl.patch 
@@ -0,0 +1,29 @@ +--- i/deps/turbo_ffi_wrap.c ++++ w/deps/turbo_ffi_wrap.c +@@ -58,7 +58,7 @@ + int common_name_loc = -1; + X509_NAME_ENTRY *common_name_entry = 0; + ASN1_STRING *common_name_asn1 = 0; +- char *common_name_str = 0; ++ const char *common_name_str = 0; + + common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name( + (X509 *) server_cert), +@@ -77,7 +77,7 @@ + if (!common_name_asn1) { + return Error; + } +- common_name_str = (char *) ASN1_STRING_data(common_name_asn1); ++ common_name_str = (const char *) ASN1_STRING_get0_data(common_name_asn1); + if (ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) { + return MalformedCertificate; + } +@@ -113,7 +113,7 @@ + for (i=0; itype == GEN_DNS){ +- char *dns_name = (char *)ASN1_STRING_data(current_name->d.dNSName); ++ const char *dns_name = (const char *)ASN1_STRING_get0_data(current_name->d.dNSName); + dns_name_sz = strlen(dns_name); + if (ASN1_STRING_length(current_name->d.dNSName) != dns_name_sz){ + result = MalformedCertificate;
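Review bot: Both rewritten lines still pass the pointer from `ASN1_STRING_get0_data()` to `strlen()`, once in the common-name check and once in the `GEN_DNS` loop. OpenSSL documents that this buffer is not guaranteed to be NUL-terminated. The comparison against `ASN1_STRING_length()` is meant to reject names with embedded NULs, but it only works if `strlen()` happens to stop inside the buffer. Since the patch touches these lines anyway, a bounded test such as `if (memchr(common_name_str, '\0', ASN1_STRING_length(common_name_asn1))) return MalformedCertificate;` removes that assumption. Alternatively, the hand-written matching could be replaced by `X509_check_host()`. The enclosing function starts and ends outside the hunks shown.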