--- b/crypto/heimdal/lib/krb5/crypto.c	
+++ b/crypto/heimdal/lib/krb5/crypto.c	
@@ -32,6 +32,9 @@ 
  */
 
 #include "krb5_locl.h"
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#include <openssl/provider.h>
+#endif
 
 struct _krb5_key_usage {
     unsigned usage;
@@ -2054,6 +2057,11 @@ krb5_crypto_init(krb5_context context,
 	*crypto = NULL;
 	return ret;
     }
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+    if (OSSL_PROVIDER_load(NULL, "legacy") == NULL)
+	return EINVAL;
+#endif
+
     (*crypto)->key.schedule = NULL;
     (*crypto)->num_key_usage = 0;
     (*crypto)->key_usage = NULL;
--- b/crypto/heimdal/lib/krb5/salt.c	
+++ b/crypto/heimdal/lib/krb5/salt.c	
@@ -32,6 +32,9 @@ 
  */
 
 #include "krb5_locl.h"
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#include <openssl/provider.h>
+#endif
 
 /* coverity[+alloc : arg-*3] */
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
@@ -43,6 +46,11 @@ krb5_salttype_to_string (krb5_context context,
     struct _krb5_encryption_type *e;
     struct salt_type *st;
 
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+    if (OSSL_PROVIDER_load(NULL, "legacy") == NULL)
+	return EINVAL;
+#endif
+
     e = _krb5_find_enctype (etype);
     if (e == NULL) {
 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
@@ -75,6 +83,11 @@ krb5_string_to_salttype (krb5_context context,
     struct _krb5_encryption_type *e;
     struct salt_type *st;
 
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+    if (OSSL_PROVIDER_load(NULL, "legacy") == NULL)
+	return EINVAL;
+#endif
+
     e = _krb5_find_enctype (etype);
     if (e == NULL) {
 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
@@ -196,6 +209,10 @@ krb5_string_to_key_data_salt_opaque (krb5_context context,
 			       enctype);
 	return KRB5_PROG_ETYPE_NOSUPP;
     }
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+    if (OSSL_PROVIDER_load(NULL, "legacy") == NULL)
+	return EINVAL;
+#endif
     for(st = et->keytype->string_to_key; st && st->type; st++)
 	if(st->type == salt.salttype)
 	    return (*st->string_to_key)(context, enctype, password,