certificate is explicitly trusted (using -addtrust option to x509 utility
for example) the verification is sucessful even if the chain is not complete.

initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.

Submitted by: James Baker <jbaker@tableausoftware.com> et al.

Workaround for slow Heap32Next on some versions of Windows.

an EVP_CIPHER_CTX structure which may have problems with external ENGINEs
who need to duplicate internal handles etc.

Submitted by: steve@openssl.org

More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.

Although it will be many years before TLS v2.0 or later appears old versions
of servers have a habit of hanging around for a considerable time so best
if we handle this properly now.

stops applications that call CRYPTO_free_all_ex_data() prematurely leaking
memory.

Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0

1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.

used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).

Change RI ctrl so it doesn't clash.

work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.

branches.

This means that http://www.openssl.org/news/changelog.html will
finally describe 0.9.8l.

and is a pre-requisite to adding password based CMS support.

load_crls and tidy up load_certs. Remove useless purpose variable from
verify utility: now done with args_verify.

Submitted by: steve@openssl.org

Add support for custom headers in OCSP requests.