Stop implying that we support openssl 1.0.0; we don't.

Closes ticket 20303.

The LIBRESSL_VERSION_NUMBER check is needed because if our openssl
is really libressl, it will have an openssl version number we can't
really believe.

3 files changed, 9 insertions, 4 deletions

diff --git a/changes/no_openssl_100 b/changes/no_openssl_100
new file mode 100644
index 0000000000..dd89da8126
--- /dev/null
+++ b/changes/no_openssl_100
@@ -0,0 +1,4 @@
+  o Required libraries:
+    - When building with OpenSSL, Tor now requires version 1.0.1 or later.
+      OpenSSL 1.0.0 and earlier are no longer supported by the openssl team,
+      and should not be used. Closes ticket 20303.
diff --git a/configure.ac b/configure.ac
index 23371d3b4b..af42896dc8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -614,12 +614,12 @@ CPPFLAGS="$TOR_CPPFLAGS_openssl $CPPFLAGS"
 
 AC_TRY_COMPILE([
 #include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER < 0x1000000fL
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL
 #error "too old"
 #endif
    ], [],
    [ : ],
-   [ AC_ERROR([OpenSSL is too old. We require 1.0.0 or later. You can specify a path to a newer one with --with-openssl-dir.]) ])
+   [ AC_ERROR([OpenSSL is too old. We require 1.0.1 or later. You can specify a path to a newer one with --with-openssl-dir.]) ])
 
 AC_TRY_COMPILE([
 #include <openssl/opensslv.h>
diff --git a/src/common/compat_openssl.h b/src/common/compat_openssl.h
index a7bdb0a224..1bfe188075 100644
--- a/src/common/compat_openssl.h
+++ b/src/common/compat_openssl.h
@@ -15,8 +15,9 @@
  * \brief compatability definitions for working with different openssl forks
  **/
 
-#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
-#error "We require OpenSSL >= 1.0.0"
+#if !defined(LIBRESSL_VERSION_NUMBER) && \
+  OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
+#error "We require OpenSSL >= 1.0.1"
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && \