From f0a10084343cfe8fd4f6f8535547e29851e4eec8 Mon Sep 17 00:00:00 2001
From: Nick Porter <nick@portercomputing.co.uk>
Date: Tue, 3 Dec 2024 18:12:57 +0000
Subject: [PATCH] OpenSSL >= 3.0 has API/ABI compatibility within major version
 numbers

So differing minor numbers are not an issue.
---
 src/lib/tls/version.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lib/tls/version.c b/src/lib/tls/version.c
index 135d0f83c8e2..98cbf2f81813 100644
--- a/src/lib/tls/version.c
+++ b/src/lib/tls/version.c
@@ -53,15 +53,15 @@ int fr_openssl_version_consistent(void)
 
 	ssl_linked = OpenSSL_version_num();
 
+
 	/*
-	 *	Major and minor versions mismatch, that's bad.
+	 *	Major mismatch, that's bad.
 	 *
-	 *	We still allow mismatches between patch versions
-	 *	as they should be ABI compatible.
+	 *	For OpenSSL 3, the minor versions are API/ABI compatible.
 	 *
-	 *	This should work for >= 1.1.0 including 3.0.0
+	 *	https://openssl-library.org/policies/releasestrat/index.html
 	 */
-	if ((ssl_linked & 0xfff00000) != (ssl_built & 0xfff00000)) {
+	if ((ssl_linked & 0xff000000) != (ssl_built & 0xff000000)) {
 		ERROR("libssl version mismatch.  built: %lx linked: %lx",
 		      (unsigned long) ssl_built,
 		      (unsigned long) ssl_linked);