diff --git a/Cargo.toml b/Cargo.toml
index 74c93dfb..a9f39ef1 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,8 +15,12 @@ exclude = ["/cargo_deny.sh", "/deny.toml", "/run-fuzz.sh"]
 rust-version = "1.65"
 [features]
-default = ["openssl"]
+default = ["openssl", "sha1"]
 openssl = ["dep:openssl", "dep:openssl-sys", "dep:libc"]
+
+# Without the sha1 feature, str0m uses the openssl sha1 impl which is slower.
+sha1 = ["dep:sha1"]
+
 _internal_dont_use_log_stats = []
 _internal_test_exports = []
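Review bot: Making `sha1` an opt-out feature in `[features]` leaves a configuration with no HMAC-SHA1 implementation at all: in `src/crypto/mod.rs` later in this commit, `sha1_hmac` is defined only under `feature = "sha1"` or `all(feature = "openssl", not(feature = "sha1"))`. If the crate is meant to build without `openssl`, turning both features off will surface as unresolved-name errors at the call sites rather than as a clear message. I would add `#[cfg(not(any(feature = "sha1", feature = "openssl")))] compile_error!("enable the sha1 or openssl feature: one is required for HMAC-SHA1");` next to the two definitions. The feature comment here could also say so, e.g. `# At least one of openssl/sha1 must be enabled; without sha1, str0m uses the slower openssl HMAC-SHA1.`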
@@ -27,32 +31,35 @@ fastrand = "2.0.1"
 once_cell = "1.17.0"
 sctp-proto = "0.3.0"
 combine = "4.6.6"
+
 # Sadly no DTLS support in rustls.
 # If you want to use a system provided openssl you can set env variable
 # OPENSSL_NO_VENDOR=1 to override the feature flag vendored
 openssl = { version = ">=0.10.66", features = ["vendored"], optional = true }
 openssl-sys = { version = "0.9.80", optional = true }
 libc = { version = "0.2", optional = true }
+
 # STUN
 hmac = "0.12.1"
 crc = "3.0.0"
 serde = { version = "1.0.152", features = ["derive"] }
 [target.'cfg(unix)'.dependencies]
-sha1 = { version = "0.10.6", features = ["asm"] }
+sha1 = { version = "0.10.6", features = ["asm"], optional = true }
-# Don't use `asm` on Windows until https://github.com/RustCrypto/asm-hashes/issues/45 is fixed.
-# The `asm` feature isn't compatible with `windows-msvc` toolchain and `openssl` breaks if we want to use `windows-gnu`.
-# Thus, don't use `asm` feature on Windows.
+# The ASM feature is broken on windows. Unclear where in the rust-crypto project
+# we're supposed to check when it gets sorted out.
 [target.'cfg(windows)'.dependencies]
-sha1 = { version = "0.10.6" }
+sha1 = { version = "0.10.6", optional = true }
 [dev-dependencies]
 rouille = { version = "3.5.0", features = ["ssl"] }
 serde_json = "1.0"
 tracing-subscriber = { version = "0.3.16", features = ["env-filter", "std"] }
 systemstat = "0.2.2"
-_str0m_test = { path = "_str0m_test" } # dummy package that enables "_internal_test_exports"
+
+# dummy package that enables "_internal_test_exports"
+_str0m_test = { path = "_str0m_test" }
 # This is to ensure MSRV 1.65
 # Remove when we move MSRV
diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs
index 52cd3e7a..10e0a969 100644
--- a/src/crypto/mod.rs
+++ b/src/crypto/mod.rs
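Review bot: The rewritten comment above `[target.'cfg(windows)'.dependencies]` in Cargo.toml drops both the upstream issue link and the reason the removed comment gave (the `windows-msvc` incompatibility), and replaces them with "Unclear where ... we're supposed to check". That leaves whoever revisits the Windows `asm` exclusion with nothing to check against. I would keep the reference, e.g. `# The asm feature is broken on Windows (windows-msvc toolchain); see https://github.com/RustCrypto/asm-hashes/issues/45.` If that issue is no longer the right tracker, the comment should say so explicitly rather than drop it.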
@@ -20,6 +20,8 @@ pub use srtp::{aead_aes_128_gcm, aes_128_cm_sha1_80, new_aead_aes_128_gcm};
 pub use srtp::{new_aes_128_cm_sha1_80, srtp_aes_128_ecb_round, SrtpProfile};
 /// SHA1 HMAC as used for STUN and older SRTP.
+/// If sha1 feature is enabled, it uses `rust-crypto` crate.
+#[cfg(feature = "sha1")]
 pub fn sha1_hmac(key: &[u8], payloads: &[&[u8]]) -> [u8; 20] {
 use hmac::Hmac;
 use hmac::Mac;
@@ -34,6 +36,25 @@ pub fn sha1_hmac(key: &[u8], payloads: &[&[u8]]) -> [u8; 20] {
 hmac.finalize().into_bytes().into()
 }
+/// If openssl is enabled and sha1 is not, it uses `openssl` crate.
+#[cfg(all(feature = "openssl", not(feature = "sha1")))]
+pub fn sha1_hmac(key: &[u8], payloads: &[&[u8]]) -> [u8; 20] {
+ use openssl::hash::MessageDigest;
+ use openssl::pkey::PKey;
+ use openssl::sign::Signer;
+
+ let key = PKey::hmac(key).expect("valid hmac key");
+ let mut signer = Signer::new(MessageDigest::sha1(), &key).expect("valid signer");
+
+ for payload in payloads {
+ signer.update(payload).expect("signer update");
+ }
+
+ let mut hash = [0u8; 20];
+ signer.sign(&mut hash).expect("sign to array");
+ hash
+}
+
 /// Errors that can arise in DTLS.
 #[derive(Debug, Error)]
 pub enum CryptoError {
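Review bot: The added doc line on the first `sha1_hmac` names `rust-crypto` as the backend, but the visible imports are `hmac::Hmac` and `hmac::Mac`, which are presumably the RustCrypto `hmac`/`sha1` crates declared in Cargo.toml. `rust-crypto` is also the name of a separate, long-unmaintained crate, so the wording can mislead someone auditing which crypto code is actually linked. I would write `/// With the sha1 feature enabled this uses the RustCrypto hmac and sha1 crates.` instead. The body of `sha1_hmac` continues outside this hunk, so only its first lines could be checked.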
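Review bot: The OpenSSL variant of `sha1_hmac` turns every backend error into a panic through four `expect` calls and discards the byte count returned by `signer.sign`, while its `[u8; 20]` return type gives callers no way to observe a failure. The doc comment says this HMAC is used for STUN and SRTP, so it presumably runs on network-derived input; whether any of these calls can fail for such input is not visible here, but the panic conditions should at least be listed in a `# Panics` section. I would also check the length: `let n = signer.sign(&mut hash).expect("sign to array"); assert_eq!(n, hash.len(), "HMAC-SHA1 output must be 20 bytes");`. Nothing in the commit shows the two backends being tested against each other, so a known-answer test run under both feature sets (including an empty key and an empty `payloads` slice) would pin that they agree. The doc comment here also opens with the feature condition, so openssl-only builds lose the summary line "SHA1 HMAC as used for STUN and older SRTP."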