the last nibble of the openssl version represents the status. that is, whether it is a beta or release. when it comes to version checks in openssh, this component does not matter, so ignore it. https://bugzilla.mindrot.org/show_bug.cgi?id=2212 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) * For versions >= 1.0.0, major,minor,status must match and library * fix version must be equal to or newer than the header. */ - mask = 0xfff0000fL; /* major,minor,status */ + mask = 0xfff00000L; /* major,minor,status */ hfix = (headerver & 0x000ff000) >> 12; lfix = (libver & 0x000ff000) >> 12; if ( (headerver & mask) == (libver & mask) && lfix >= hfix)