Commit 668aaab3 authored by Jim Jagielski

Merge r1781575, r1781577, r1781580, r1781687, r1783305 from trunk:

Add Configuration for trusted OCSP responder certificates
Fix for PR 46037


Add back the file I removed in r1781575.


Add missing documentation for r1781575
Fix for PR 46037


Remove unused variable

Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone.



Submitted by: jfclere, druggeri, wrowe
Reviewed by: jfclere, jim, ylavic
Merge r1788430 from trunk:

mod_ssl: follow up to r1781575
Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested
by wrowe.


Submitted by: ylavic
Reviewed by: jfclere, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1789970 13f79535-47bb-0310-9956-ffa450edef68
parent 5dda6dd3
+0 −12
@@ -118,18 +118,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

  *) mod_ssl: backport fix for PR 46037
     trunk patch: http://svn.apache.org/r1781575
                  http://svn.apache.org/r1781577
                  http://svn.apache.org/r1781580
                  http://svn.apache.org/r1781687
                  http://svn.apache.org/r1783305
     2.4.x patch: http://people.apache.org/~jfclere/patches/patch.46037.txt
     +1: jfclere, jim
     wrowe asks: Can we capitalize Verify in SSLOCSPNoverify to keep
                 with conventions?
     ylavic: +1 with http://svn.apache.org/r1788430, fixing the merge of
             SSLOCSPNoverify and capitalizing as suggested above.

PATCHES PROPOSED TO BACKPORT FROM TRUNK:
  [ New proposals should be added at the end of the list ]
+31 −0
@@ -2414,6 +2414,37 @@ Responder), this option should be turned <code>off</code>.</p>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLOCSPNoverify</name>
<description>skip the OCSP responder certificates verification</description>
<syntax>SSLOCSPNoverify <em>On/Off</em></syntax>
<default>SSLOCSPNoverify Off</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.5 and later, if using OpenSSL 0.9.7 or later</compatibility>
<usage>
<p>Skip the OCSP responder certificates verification, mostly useful when
testing an OCSP server.</p>
</usage>
</directivesynopsis>


<directivesynopsis>
<name>SSLOCSPResponderCertificateFile</name>
<description>Set of trusted PEM encoded OCSP responder certificates</description>
<syntax>SSLOCSPResponderCertificateFile <em>file</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.5 and later, if using OpenSSL 0.9.7 or later</compatibility>
<usage>
<p>This supplies a list of trusted OCSP responder certificates to be used
during OCSP responder certificate validation. The supplied certificates are
implicitly trusted without any further validation. This is typically used
where the OCSP responder certificate is self signed or omitted from the OCSP
response.</p>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLOCSPProxyURL</name>
<description>Proxy URL to use for OCSP requests</description>
+8 −0
@@ -254,6 +254,14 @@ static const command_rec ssl_config_cmds[] = {
    SSL_CMD_SRV(OCSPProxyURL, TAKE1,
                "Proxy URL to use for OCSP requests")

/* Define OCSP Responder Certificate Verification Directive */
    SSL_CMD_SRV(OCSPNoVerify, FLAG,
                "Do not verify OCSP Responder certificate ('on', 'off')")
/* Define OCSP Responder File Configuration Directive */
    SSL_CMD_SRV(OCSPResponderCertificateFile, TAKE1,
               "Trusted OCSP responder certificates"
               "(`/path/to/file' - PEM encoded certificates)")

#ifdef HAVE_OCSP_STAPLING
    /*
     * OCSP Stapling options
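Review bot: The two adjacent string literals in the SSLOCSPResponderCertificateFile help text are concatenated without a separator, so the directive help reads "certificates(`/path/to/file' ..."; the first literal should be `"Trusted OCSP responder certificates "`. The table registers the flag as `OCSPNoVerify` (i.e. `SSLOCSPNoVerify`), while the manual page added in this same commit titles it `SSLOCSPNoverify` and says "Available in httpd 2.5 and later" although this is the 2.4.x merge; as far as I recall httpd matches directive names case-insensitively so it works, but the manual should use the same spelling and name the 2.4.x release it lands in. Both new directives are also registered unconditionally, whereas the certificate loading in ssl_init_ConfigureServer is wrapped in `#ifndef OPENSSL_NO_OCSP`, so on an OpenSSL built without OCSP a configured responder file is accepted and then silently never loaded; that mirrors the neighbouring OCSP directives, but a config-time error or warning in that build would be clearer. The ssl_config_cmds[] table starts and ends outside the hunk.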
+38 −0
@@ -146,6 +146,13 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
    mctx->ocsp_use_request_nonce = UNSET;
    mctx->proxy_uri              = NULL;

/* Set OCSP Responder Certificate Verification variable */
    mctx->ocsp_noverify       = UNSET;
/* Set OCSP Responder File variables */
    mctx->ocsp_verify_flags   = 0;
    mctx->ocsp_certs_file     = NULL;
    mctx->ocsp_certs          = NULL;

#ifdef HAVE_OCSP_STAPLING
    mctx->stapling_enabled           = UNSET;
    mctx->stapling_resptime_skew     = UNSET;
@@ -298,6 +305,12 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
    cfgMergeInt(ocsp_responder_timeout);
    cfgMergeBool(ocsp_use_request_nonce);
    cfgMerge(proxy_uri, NULL);

/* Set OCSP Responder Certificate Verification directive */
    cfgMergeBool(ocsp_noverify);  
/* Set OCSP Responder File directive for importing */
    cfgMerge(ocsp_certs_file, NULL);

#ifdef HAVE_OCSP_STAPLING
    cfgMergeBool(stapling_enabled);
    cfgMergeInt(stapling_resptime_skew);
@@ -1710,6 +1723,16 @@ const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg,
    return NULL;
}

/* Set OCSP responder certificate verification directive */
const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

    sc->server->ocsp_noverify = flag ? TRUE : FALSE;

    return NULL;
}

const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
@@ -1961,6 +1984,21 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,

#endif /* HAVE_SRP */

/* OCSP Responder File Function to read in value */
const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, 
					   const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_file(cmd, &arg))) {
        return err;
    }

    sc->server->ocsp_certs_file = arg;
    return NULL;
}

void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
    apr_file_t *out = NULL;
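Review bot: modssl_ctx_cfg_merge (second hunk) merges `ocsp_noverify` and `ocsp_certs_file` but not the `ocsp_verify_flags` and `ocsp_certs` fields that modssl_ctx_init zeroes in the first hunk; if those are built per server from `ocsp_certs_file` later in ssl_init_ocsp_certificates, as the names suggest, that is correct but deserves a comment such as `/* ocsp_verify_flags and ocsp_certs are derived per-server from ocsp_certs_file at init time; not merged */`, and if `ocsp_verify_flags` is ever set from configuration it will be lost for virtual hosts. On style, `cfgMergeBool(ocsp_noverify);` carries trailing whitespace, the continuation line of the `ssl_cmd_SSLOCSPResponderCertificateFile` signature is tab-indented while the surrounding code uses spaces, and the new `/* Set OCSP ... */` comments sit at column 0 inside indented function bodies; aligning them with the surrounding code would match the file. The comment on ssl_cmd_SSLOCSPNoVerify could also state what the flag suppresses, e.g. `/* SSLOCSPNoVerify: skip verification of the OCSP responder certificate (intended for testing) */`, which is what the manual text added in this commit says.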
+12 −0
@@ -1709,6 +1709,12 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
            != APR_SUCCESS) {
            return rv;
        }

	/* Initialize OCSP Responder certificate if OCSP enabled */
	#ifndef OPENSSL_NO_OCSP
        	ssl_init_ocsp_certificates(s, sc->server);
	#endif

    }

    if (sc->proxy_enabled) {
@@ -1997,6 +2003,12 @@ apr_status_t ssl_init_ModuleKill(void *data)
        ssl_init_ctx_cleanup_proxy(sc->proxy);

        ssl_init_ctx_cleanup(sc->server);

	/* Not Sure but possibly clear X509 trusted cert file */
	#ifndef OPENSSL_NO_OCSP
		sk_X509_pop_free(sc->server->ocsp_certs, X509_free);
	#endif

    }

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
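Review bot: The cleanup comment in ssl_init_ModuleKill, `/* Not Sure but possibly clear X509 trusted cert file */`, records the author's uncertainty rather than the contract; modssl_ctx_init sets `ocsp_certs` to NULL and, as far as I recall, `sk_X509_pop_free` is a no-op on NULL, so the free is safe for servers that never loaded a file, and the line should read `/* Free the trusted OCSP responder certs loaded by ssl_init_ocsp_certificates (NULL if none) */` followed by `sc->server->ocsp_certs = NULL;` so that any later cleanup of the same config cannot double-free. In the ssl_init_ConfigureServer hunk, `ssl_init_ocsp_certificates(s, sc->server)` is the only initialisation step there whose result is not checked; its signature is not in this diff, but if it can fail (unreadable or malformed PEM file) it should feed the same `return rv;` path as the calls just above it rather than leave the server running with no trusted responders. Both inserted blocks also indent `#ifndef OPENSSL_NO_OCSP`/`#endif` with tabs, unlike the column-0 `#if OPENSSL_VERSION_NUMBER` conditional at the end of this hunk. Both enclosing functions start and end outside the hunks.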