SSL_CTX and SSL, functions to set them and defaults if no values set.

yet.

Add a function X509_STORE_CTX_purpose_inherit() which implements the logic
of "inheriting" purpose and trust from a parent structure and using a default:
this will be used in the SSL code and possibly future S/MIME.

Partial documentation of the 'verify' utility. Still need to document how all
the extension checking works and the various error messages.

(because now SSL_new makes a copy).

and to lots of PEM_... functions.
Submitted by: Damien Miller <dmiller@ilogic.com.au>

SSL_MODE_ENABLE_PARTIAL_WRITE, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER.

Pointed out by: Janez Jere <jj@void.si>

a pain to read when using 4-space tabs.

unsigned/signed cmp error in asn1parse. Change various pem_all.c args to
use pem_password_cb.

those functions without having a parameter list declaration.
(There are various similar cases left ...)

Submitted by: Richard Levitte <richard@levitte.org>

Also I've subsituted real tabs for 8-spaces sequences in some lines so that
things don't look that weird with a tab-width of 4.

Submitted by:
Reviewed by:
PR:

that SSL_set_{accept,connect}_state be called before
SSL_{accept,connect} may be used.
Submitted by:
Reviewed by:
PR:

called sess_cert instead of just cert.  This is in preparation of further
changes: Probably often when s->session->sess_cert is used, we should
use s->cert instead; s->session->sess_cert should be a new structure
containing only the stuff that is for just one connection (e.g.
the peer's certificate, which the SSL client implementations currently
store in s->session->[sess_]cert, which is a very confusing thing to do).
Submitted by:
Reviewed by:
PR:

pointers.  The cert_st handling is changed by this in various ways.
Submitted by:
Reviewed by:
PR:

Submitted by:
Reviewed by:
PR:

callbacks.

Submitted by:
Reviewed by:
PR:

Submitted by:
Reviewed by:
PR:

Submitted by:
Reviewed by:
PR:

ssl/ssl_lib.c and ssl/ssl.h. At least the double ctx-variable
confused some compilers.

Submitted by: Lennart Bong <lob@kulthea.stacken.kth.se>
Reviewed by: Ralf S. Engelschall

private keys and/or callback functions which directly correspond to their
SSL_CTX_xxx() counterparts but work on a per-connection basis. This is needed
for applications which have to configure certificates on a per-connection
basis (e.g. Apache+mod_ssl) instead of a per-context basis (e.g.
s_server).

For the RSA certificate situation is makes no difference, but for the DSA
certificate situation this fixes the "no shared cipher" problem where the
OpenSSL cipher selection procedure failed because the temporary keys were not
overtaken from the context and the API provided no way to reconfigure them.

The new functions now let applications reconfigure the stuff and they are in
detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback.  Additionally a new
non-public-API function ssl_cert_instantiate() is used as a helper function
and also to reduce code redundancy inside ssl_rsa.c.

Submitted by: Ralf S. Engelschall
Reviewed by: Ben Laurie