* We fail if the version checker veto'd the load *or* if it is
* deferring to us (by returning its version) and we think it is too
* old.
+ * Unfortunately the version checker does not distinguish between
+ * engines built for openssl 1.1.x and openssl 3.x, but loading
+ * an engine that is built for openssl 1.1.x will cause a fatal
+ * error. Detect such engines, since EVP_PKEY_base_id is exported
+ * as a function in openssl 1.1.x, while it is a macro in openssl 3.x,
+ * and therefore only the symbol EVP_PKEY_get_base_id is available
+ * in openssl 3.x.
*/
- if (vcheck_res < OSSL_DYNAMIC_OLDEST) {
+ if (vcheck_res < OSSL_DYNAMIC_OLDEST
+ || DSO_bind_func(ctx->dynamic_dso,
+ "EVP_PKEY_base_id") != NULL) {
/* Fail */
ctx->bind_engine = NULL;
ctx->v_check = NULL;