options. Add new streaming i2d (though strictly speaking it is BER format
when streaming) and PEM functions.

These all process content on the fly without storing it all in memory.

terms of new API.

Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller

include release date of 0.9.8e

EHLO or CAPABILITY handshake before sending STARTTLS

Submitted by: Goetz Babin-Ebell <goetz@shomitefo.de>

Change ssl_create_cipher_list() to prefer ephemeral ECDH over
ephemeral DH.

ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.

Also, change ssl_create_cipher_list() so that it no longer
starts with an arbitrary ciphersuite ordering, but instead
uses the logic that we previously had in SSL_DEFEAULT_CIPHER_LIST.
SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL".

This change resolves a number of problems and obviates multiple kludges.
A new feature is that you can now say "AES256" or "AES128" (not just
"AES", which enables both).

In some cases the ciphersuite list generated from a given string is
affected by this change.  I hope this is just in those cases where the
previous behaviour did not make sense.

I thought it was about time I dusted this off. This stuff had been sitting on
my hard drive for *ages* (2003 in fact). Hasn't been tested well and may not
work properly.

Nothing uses it at present which is just as well.

Think of this as a traditional Christmas present which looks far more
impressive in the adverts and on the box, some of the bits are missing and
falls to bits if you play with it too much.

PR: 1354, 1355, 1398, 1408

(need to prevent the removal of trailing zero bits).

casts.

recent mingw modifications.

the redundant entries under the 0.9.9 heading.

in a denial of service.  (CVE-2006-2937)  [Steve Henson]

(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

Fix SSL client code which could crash if connecting to a
 malicious SSLv2 server.  (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]

loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked
entry to avoid the need to access the structure directly.

Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be
redirected.

handling to support this.

ciphersuite as well

(CVE-2006-4339)

Submitted by: Ben Laurie, Google Security Team
Reviewed by: bmoeller, mjc, shenson

verify logic to try to use an unexpired CRL if possible.

them.