Followup to r1421305.
PR 56210

Backport of r1756163 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1756164 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1756050 13f79535-47bb-0310-9956-ffa450edef68

- Avoid use of deprecated functions for OpenSSL version >= 1.0

Backport of r1421305 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1756049 13f79535-47bb-0310-9956-ffa450edef68

warnings when building against OpenSSL 0.9.8a.

Backport of r1755881 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755882 13f79535-47bb-0310-9956-ffa450edef68

when building against OpenSSL 0.9.8a.

Backport of r1755874 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755875 13f79535-47bb-0310-9956-ffa450edef68

- move IDCONST macro outside of addition #if check.
  Otherwise we break compatibility with old
  OpenSSL 0.9.8 releases.

Backport of r1755856 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755869 13f79535-47bb-0310-9956-ffa450edef68

using OpenSSL 1.1.0.

This API is now a no-op in OpenSSL 1.1.0 and
deprecated.

Backport of r1755725 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755868 13f79535-47bb-0310-9956-ffa450edef68

Backport of r1755657 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755867 13f79535-47bb-0310-9956-ffa450edef68

- X509_STORE_CTX is now opaque.

Backport of r1740653 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755866 13f79535-47bb-0310-9956-ffa450edef68

- symbols get_rfc..._prime_... have been
  renamed to BN_get_rfc..._prime_...

Backport of r1740652 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755865 13f79535-47bb-0310-9956-ffa450edef68

Backport of r1738461 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755864 13f79535-47bb-0310-9956-ffa450edef68

- DH was made opaque

Backport of r1738410 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755862 13f79535-47bb-0310-9956-ffa450edef68

- BIO was made opaque after OpenSSL 1.1.0pre4.

Partial backport of r1737657 from trunk.

Also patrially backported to reduce code drift:
add some log messages and AP_DEBUG_ASSERTs
for functions that should never be called

Partial backport of r1519264 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755861 13f79535-47bb-0310-9956-ffa450edef68

Backport of r1735941 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755858 13f79535-47bb-0310-9956-ffa450edef68

  - Followup to r1735875:
    ssl_util_thread_setup() is gone.

Backport of r1735925 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755852 13f79535-47bb-0310-9956-ffa450edef68

- ab: use new API SSL_CTX_set_max_proto_version()
  and SSL_CTX_set_min_proto_version() in
  combination with TLS_client_method() instead
  of the old deprecated methods.

Backport of r1735891 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755851 13f79535-47bb-0310-9956-ffa450edef68

- The callback function passed to
  SSL_CTX_sess_set_get_cb() now needs the
  session id argument to be const.
  So constify the session id.

Backport of r1735883 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755850 13f79535-47bb-0310-9956-ffa450edef68

- use new API SSL_CTX_set_max_proto_version()
  and SSL_CTX_set_min_proto_version() instead
  of SSL_CTX_set_options()
- use new methods TLS_client_method() and
  TLS_server_method()

Partial backport of r1735882 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755849 13f79535-47bb-0310-9956-ffa450edef68

- ERR_remove_thread_state() no longer has an
  argument.

Backport of r1735878 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755848 13f79535-47bb-0310-9956-ffa450edef68

- SRP_VBASE_get_by_user() is deprecated now,
  one should use SRP_VBASE_get1_by_user()
  instead. The new function returns a pointer
  owned by the callee. It must be freed after
  use.

Backport of r1735877 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755846 13f79535-47bb-0310-9956-ffa450edef68

- remove thread locking. It is now builtin
  for OpenSSL 1.1.0

Backport of r1735875 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755845 13f79535-47bb-0310-9956-ffa450edef68

- Simplify code by using new 1.1.0 variant
  also for older OpenSSL. Also tested with
  1.0.2f and 0.9.8zh. No ssl test suite
  failures.

Backport of r1731423 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755844 13f79535-47bb-0310-9956-ffa450edef68

- 1.1.0-pre3 was relesed
  - remove pre2 comments which no longer apply
  - one more struct has been made opaque, use
    accessor function instead

Backport of r1731012 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755843 13f79535-47bb-0310-9956-ffa450edef68

- use common code for OpenSSL pre-1.1.0 and
  1.1.0 where possible.

Partial backport of r1730422 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755841 13f79535-47bb-0310-9956-ffa450edef68

Partial backport of r1730351 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755839 13f79535-47bb-0310-9956-ffa450edef68

- use SSL_peek instead of looping with
  has_buffered_data().

This fixes t/security/CVE-2009-3555.t where
has_buffered_data() doesn't help, because it
finds the buffered data and doesn't call
SSL_read(), so the reneg handshake isn't
triggered. SSL_peek() for 0 bytes seems to
reliably trigger the reneg in every case.

No more polling/sleeping. The code for the
OpenSSL 1.1.0 case is now again very close to
the pre 1.1.0 case.

Still need to run the full test suite with a
clean build.

Backport of r1730316 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755838 13f79535-47bb-0310-9956-ffa450edef68

- Fix typo in loop end condition

This code will be removed next. Thex fix is
for the case we want to roll teh code back
to this state.

Backport of r1730314 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755837 13f79535-47bb-0310-9956-ffa450edef68

- Fix renegotiation for the client side
  of a proxy connection.

Backport of r1730146 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755835 13f79535-47bb-0310-9956-ffa450edef68

- fix copy&paste typos
  (wrong version number in "#if").

Backport r1729998 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755832 13f79535-47bb-0310-9956-ffa450edef68

- fix rejecting client initiated renegotiations

Backport of r1729968 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755830 13f79535-47bb-0310-9956-ffa450edef68

- further improvements for renegotiation
No more test suite failures for reneg,
but still using not so nice polling.

Backport of r1729927 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755829 13f79535-47bb-0310-9956-ffa450edef68

Backport of r1729581 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755827 13f79535-47bb-0310-9956-ffa450edef68

- no need to check for opaque "valid" cert
  flag, since we get here only if internal
  certificate verification of OpenSSL returned
  ok=1.

Backport of r1729500 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755825 13f79535-47bb-0310-9956-ffa450edef68

- improve renegotiation loop.
  Should now also work in case only the
  cipher changes.
  Should now also work in case the handshake
  ends with an error.

Backport of r1729498 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755824 13f79535-47bb-0310-9956-ffa450edef68

The old compatibility macro check no longer works,
because those are now actual functions, so an
ifndef is not the correct check.

Backport of r1729435 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755822 13f79535-47bb-0310-9956-ffa450edef68

- partial support for renegotiations.
  - Not a good design, need to poll until
    renegotitation has finished.
  - Loop criterion not right, if no client certs
    will be send.
  - Also doesn't work for EC or DH ciphers.
    Unclear how to fix with current 1.1.0
    API.
  - Details see
    http://marc.info/?t=145493359200002&r=1&w=2

Backport of r1729341 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755821 13f79535-47bb-0310-9956-ffa450edef68

Only exist in OpenSSL 1.1.0. They were
renamed from EVP_MD_CTX_create() and
EVP_MD_CTX_destroy().

Followup to r1728979.

Partial backport of r1729037 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755819 13f79535-47bb-0310-9956-ffa450edef68

Backport of r1729032 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755818 13f79535-47bb-0310-9956-ffa450edef68

- don't check for SSLeay_version() in configure
  The function no longer exists in 1.1.0.
  It was replaced by OpenSSL_version().
- Switch between SSLeay_version(U) and
  OpenSSL_version() depending on version
  in modules/ssl/ssl_util_ssl.h.
- Use MODSSL_LIBRARY_DYNTEXT everywhere.

Backport of r1728981 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755817 13f79535-47bb-0310-9956-ffa450edef68

- followup to r1728909 (incomplete switch
  from struct to struct pointer).

Partial backport of r1728979 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755816 13f79535-47bb-0310-9956-ffa450edef68