diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index d2f1bfafe..b0d472198 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -372,18 +372,6 @@ void cipher_free( cipher_context_t *ctx );
  */
 int cipher_init_ctx( cipher_context_t *ctx, const cipher_info_t *cipher_info );
 
-/**
- * \brief               Free the cipher-specific context of ctx. Freeing ctx
- *                      itself remains the responsibility of the caller.
- *
- * \deprecated          Use cipher_free() instead
- *
- * \param ctx           Free the cipher-specific context
- *
- * \returns             0
- */
-int cipher_free_ctx( cipher_context_t *ctx );
-
 /**
  * \brief               Returns the block size of the given cipher.
  *
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 5aa26d4ca..bee898cec 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1743,15 +1743,6 @@
  */
 #define POLARSSL_MD5_C
 
-/**
- * \def POLARSSL_MEMORY_C
- *
- * \deprecated Use POLARSSL_PLATFORM_MEMORY instead.
- *
- * Depends on: POLARSSL_PLATFORM_C
- */
-//#define POLARSSL_MEMORY_C
-
 /**
  * \def POLARSSL_MEMORY_BUFFER_ALLOC_C
  *
diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h
index 95da80be8..a1d6873c8 100644
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
@@ -200,18 +200,6 @@ void md_free( md_context_t *ctx );
  */
 int md_init_ctx( md_context_t *ctx, const md_info_t *md_info );
 
-/**
- * \brief          Free the message-specific context of ctx. Freeing ctx itself
- *                 remains the responsibility of the caller.
- *
- * \deprecated     Use md_free() instead
- *
- * \param ctx      Free the message-specific context
- *
- * \returns        0
- */
-int md_free_ctx( md_context_t *ctx );
-
 /**
  * \brief           Returns the size of the message digest output.
  *
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 8b78e1fc8..04388b25a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1227,7 +1227,7 @@ void ssl_set_dbg( ssl_context *ssl,
  *                 attempt at sending or receiving will result in a
  *                 POLARSSL_ERR_SSL_BAD_INPUT_DATA error.
  *
- * \deprecated     Superseded by ssl_set_bio_timeout().
+ * \deprecated     Superseded by ssl_set_bio_timeout() in 2.0.0
  */
 void ssl_set_bio( ssl_context *ssl,
         int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
@@ -1535,56 +1535,6 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
  */
 int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
                        pk_context *pk_key );
-
-#if defined(POLARSSL_RSA_C)
-/**
- * \brief          Set own certificate chain and private RSA key
- *
- *                 Note: own_cert should contain IN order from the bottom
- *                 up your certificate chain. The top certificate (self-signed)
- *                 can be omitted.
- *
- * \deprecated     Please use \c ssl_set_own_cert() instead.
- *
- * \param ssl      SSL context
- * \param own_cert own public certificate chain
- * \param rsa_key  own private RSA key
- *
- * \return          0 on success, or a specific error code.
- */
-int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
-                          rsa_context *rsa_key );
-#endif /* POLARSSL_RSA_C */
-
-/**
- * \brief          Set own certificate and external RSA private
- *                 key and handling callbacks, such as the PKCS#11 wrappers
- *                 or any other external private key handler.
- *                 (see the respective RSA functions in rsa.h for documentation
- *                 of the callback parameters, with the only change being
- *                 that the rsa_context * is a void * in the callbacks)
- *
- *                 Note: own_cert should contain IN order from the bottom
- *                 up your certificate chain. The top certificate (self-signed)
- *                 can be omitted.
- *
- * \deprecated     Please use \c pk_init_ctx_rsa_alt()
- *                 and \c ssl_set_own_cert() instead.
- *
- * \param ssl      SSL context
- * \param own_cert own public certificate chain
- * \param rsa_key  alternate implementation private RSA key
- * \param rsa_decrypt  alternate implementation of \c rsa_pkcs1_decrypt()
- * \param rsa_sign     alternate implementation of \c rsa_pkcs1_sign()
- * \param rsa_key_len  function returning length of RSA key in bytes
- *
- * \return          0 on success, or a specific error code.
- */
-int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
-                          void *rsa_key,
-                          rsa_decrypt_func rsa_decrypt,
-                          rsa_sign_func rsa_sign,
-                          rsa_key_len_func rsa_key_len );
 #endif /* POLARSSL_X509_CRT_PARSE_C */
 
 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index e387c15a6..e9b92bcee 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -225,34 +225,6 @@ int x509_dn_gets( char *buf, size_t size, const x509_name *dn );
  */
 int x509_serial_gets( char *buf, size_t size, const x509_buf *serial );
 
-/**
- * \brief          Give an known OID, return its descriptive string.
- *
- * \deprecated     Use oid_get_extended_key_usage() instead.
- *
- * \warning        Only works for extended_key_usage OIDs!
- *
- * \param oid      buffer containing the oid
- *
- * \return         Return a string if the OID is known,
- *                 or NULL otherwise.
- */
-const char *x509_oid_get_description( x509_buf *oid );
-
-/**
- * \brief          Give an OID, return a string version of its OID number.
- *
- * \deprecated     Use oid_get_numeric_string() instead.
- *
- * \param buf      Buffer to write to
- * \param size     Maximum size of buffer
- * \param oid      Buffer containing the OID
- *
- * \return         Length of the string written (excluding final NULL) or
- *                 POLARSSL_ERR_OID_BUF_TO_SMALL in case of error
- */
-int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid );
-
 /**
  * \brief          Check a given x509_time against the system time and check
  *                 if it is not expired.
diff --git a/library/cipher.c b/library/cipher.c
index e5af2ae0d..e04b5b6ba 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -165,14 +165,6 @@ int cipher_init_ctx( cipher_context_t *ctx, const cipher_info_t *cipher_info )
     return( 0 );
 }
 
-/* compatibility wrapper */
-int cipher_free_ctx( cipher_context_t *ctx )
-{
-    cipher_free( ctx );
-
-    return( 0 );
-}
-
 int cipher_setkey( cipher_context_t *ctx, const unsigned char *key,
         int key_length, const operation_t operation )
 {
diff --git a/library/md.c b/library/md.c
index 4710d7574..c34e1211e 100644
--- a/library/md.c
+++ b/library/md.c
@@ -203,13 +203,6 @@ int md_init_ctx( md_context_t *ctx, const md_info_t *md_info )
     return( 0 );
 }
 
-int md_free_ctx( md_context_t *ctx )
-{
-    md_free( ctx );
-
-    return( 0 );
-}
-
 int md_starts( md_context_t *ctx )
 {
     if( ctx == NULL || ctx->md_info == NULL )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 064860735..88de5de9e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5392,64 +5392,6 @@ int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
 
     return( 0 );
 }
-
-#if defined(POLARSSL_RSA_C)
-int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
-                           rsa_context *rsa_key )
-{
-    int ret;
-    ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
-
-    if( key_cert == NULL )
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-
-    key_cert->key = polarssl_malloc( sizeof(pk_context) );
-    if( key_cert->key == NULL )
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-
-    pk_init( key_cert->key );
-
-    ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
-    if( ret != 0 )
-        return( ret );
-
-    if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
-        return( ret );
-
-    key_cert->cert = own_cert;
-    key_cert->key_own_alloc = 1;
-
-    return( 0 );
-}
-#endif /* POLARSSL_RSA_C */
-
-int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
-                          void *rsa_key,
-                          rsa_decrypt_func rsa_decrypt,
-                          rsa_sign_func rsa_sign,
-                          rsa_key_len_func rsa_key_len )
-{
-    int ret;
-    ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
-
-    if( key_cert == NULL )
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-
-    key_cert->key = polarssl_malloc( sizeof(pk_context) );
-    if( key_cert->key == NULL )
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-
-    pk_init( key_cert->key );
-
-    if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
-                                 rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
-        return( ret );
-
-    key_cert->cert = own_cert;
-    key_cert->key_own_alloc = 1;
-
-    return( 0 );
-}
 #endif /* POLARSSL_X509_CRT_PARSE_C */
 
 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
diff --git a/library/x509.c b/library/x509.c
index 33b1ac384..174e32dd2 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -877,28 +877,6 @@ int x509_key_size_helper( char *buf, size_t size, const char *name )
     return( 0 );
 }
 
-/*
- * Return an informational string describing the given OID
- */
-const char *x509_oid_get_description( x509_buf *oid )
-{
-    const char *desc = NULL;
-    int ret;
-
-    ret = oid_get_extended_key_usage( oid, &desc );
-
-    if( ret != 0 )
-        return( NULL );
-
-    return( desc );
-}
-
-/* Return the x.y.z.... style numeric string for the given OID */
-int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid )
-{
-    return oid_get_numeric_string( buf, size, oid );
-}
-
 /*
  * Return 0 if the x509_time is still valid, or 1 otherwise.
  */