the last nibble of the openssl version represents the status.  that is,
whether it is a beta or release.  when it comes to version checks in
openssh, this component does not matter, so ignore it.

https://bugzilla.mindrot.org/show_bug.cgi?id=2212

--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
 	 * For versions >= 1.0.0, major,minor,status must match and library
 	 * fix version must be equal to or newer than the header.
 	 */
-	mask = 0xfff0000fL; /* major,minor,status */
+	mask = 0xfff00000L; /* major,minor,status */
 	hfix = (headerver & 0x000ff000) >> 12;
 	lfix = (libver & 0x000ff000) >> 12;
 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)