summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorG. Schlisio2017-05-12 09:30:12 +0200
committerG. Schlisio2017-05-12 09:30:12 +0200
commitf2f3cdd762a3b4119746d7d0305009333142d9bd (patch)
treef74c5216b731e6624a69bf14c339444bbc3e2dfe
parent60eca00cd121386f39a845287f91e9feb18af677 (diff)
downloadaur-f2f3cdd762a3b4119746d7d0305009333142d9bd.tar.gz
added patch for openssl1.1
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD9
-rw-r--r--httpd-2.4.23-openssl11.patch1307
3 files changed, 1316 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 65d9e89406c3..d52273b31c2d 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = apache-tools
pkgdesc = Useful Apache tools - htdigest, htpasswd, ab, htdbm
pkgver = 2.4.25
- pkgrel = 1
+ pkgrel = 2
url = http://httpd.apache.org/
arch = i686
arch = x86_64
@@ -14,8 +14,10 @@ pkgbase = apache-tools
conflicts = apache
source = http://www.apache.org/dist/httpd/httpd-2.4.25.tar.bz2
source = apache-tools-Makefile.patch
+ source = httpd-2.4.23-openssl11.patch
sha256sums = f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2
sha256sums = 2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f
+ sha256sums = e87409c13feb2abd66d88cdb8c88c2cc408491adb7fd6793025a3ad2d6599a60
pkgname = apache-tools
diff --git a/PKGBUILD b/PKGBUILD
index 0c394853b2ca..329542bd6a83 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,7 +4,7 @@
pkgname=apache-tools
pkgver=2.4.25
-pkgrel=1
+pkgrel=2
pkgdesc="Useful Apache tools - htdigest, htpasswd, ab, htdbm"
arch=("i686" "x86_64" "armv6h" "armv7h")
url="http://httpd.apache.org/"
@@ -13,13 +13,16 @@ depends=("apr-util" "pcre")
makedepends=("apr-util")
conflicts=(apache)
source=(http://www.apache.org/dist/httpd/httpd-$pkgver.tar.bz2
- $pkgname-Makefile.patch)
+ $pkgname-Makefile.patch
+ httpd-2.4.23-openssl11.patch)
sha256sums=('f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2'
- '2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f')
+ '2dc48d34773b0c873d10e3542f77a4f7b50d5fb9bd8c52e3bb28b76ff9587f3f'
+ 'e87409c13feb2abd66d88cdb8c88c2cc408491adb7fd6793025a3ad2d6599a60')
prepare() {
cd httpd-$pkgver/
patch -p1 -i ../$pkgname-Makefile.patch
+ patch -p1 -i ../httpd-2.4.23-openssl11.patch
}
build() {
diff --git a/httpd-2.4.23-openssl11.patch b/httpd-2.4.23-openssl11.patch
new file mode 100644
index 000000000000..006ac7049f1e
--- /dev/null
+++ b/httpd-2.4.23-openssl11.patch
@@ -0,0 +1,1307 @@
+diff --git a/acinclude.m4 b/acinclude.m4
+index dd0e2ea..907fbe8 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -579,7 +579,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[
+ dnl Run library and function checks
+ liberrors=""
+ AC_CHECK_HEADERS([openssl/engine.h])
+- AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
++ AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
+ AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
+ if test "x$liberrors" != "x"; then
+ AC_MSG_WARN([OpenSSL libraries are unusable])
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 9e63a7d..adc90d1 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -312,7 +312,13 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
+ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+ ENGINE_cleanup();
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
++ ERR_remove_thread_state(NULL);
++#else
+ ERR_remove_state(0);
++#endif
++#endif
+
+ /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
+ * actually loaded the error strings once per process due to static
+@@ -342,7 +348,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+ /* We must register the library in full, to ensure our configuration
+ * code can successfully test the SSL environment.
+ */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ CRYPTO_malloc_init();
++#else
++ OPENSSL_malloc_init();
++#endif
+ ERR_load_crypto_strings();
+ SSL_load_error_strings();
+ SSL_library_init();
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index cb3efa2..ba79ef3 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -47,21 +47,50 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
+ #define KEYTYPES "RSA or DSA"
+ #endif
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++/* OpenSSL Pre-1.1.0 compatibility */
++/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
++static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++ /* q is optional */
++ if (p == NULL || g == NULL)
++ return 0;
++ BN_free(dh->p);
++ BN_free(dh->q);
++ BN_free(dh->g);
++ dh->p = p;
++ dh->q = q;
++ dh->g = g;
++
++ if (q != NULL) {
++ dh->length = BN_num_bits(q);
++ }
++
++ return 1;
++}
++#endif
++
+ /*
+- * Grab well-defined DH parameters from OpenSSL, see the get_rfc*
++ * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
+ * functions in <openssl/bn.h> for all available primes.
+ */
+-static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
++static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *))
+ {
+ DH *dh = DH_new();
++ BIGNUM *p, *g;
+
+ if (!dh) {
+ return NULL;
+ }
+- dh->p = prime(NULL);
+- BN_dec2bn(&dh->g, gen);
+- if (!dh->p || !dh->g) {
++ p = prime(NULL);
++ g = BN_new();
++ if (g != NULL) {
++ BN_set_word(g, 2);
++ }
++ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
+ DH_free(dh);
++ BN_free(p);
++ BN_free(g);
+ return NULL;
+ }
+ return dh;
+@@ -73,12 +102,12 @@ static struct dhparam {
+ DH *dh; /* ...this, used for keys.... */
+ const unsigned int min; /* ...of length >= this. */
+ } dhparams[] = {
+- { get_rfc3526_prime_8192, NULL, 6145 },
+- { get_rfc3526_prime_6144, NULL, 4097 },
+- { get_rfc3526_prime_4096, NULL, 3073 },
+- { get_rfc3526_prime_3072, NULL, 2049 },
+- { get_rfc3526_prime_2048, NULL, 1025 },
+- { get_rfc2409_prime_1024, NULL, 0 }
++ { BN_get_rfc3526_prime_8192, NULL, 6145 },
++ { BN_get_rfc3526_prime_6144, NULL, 4097 },
++ { BN_get_rfc3526_prime_4096, NULL, 3073 },
++ { BN_get_rfc3526_prime_3072, NULL, 2049 },
++ { BN_get_rfc3526_prime_2048, NULL, 1025 },
++ { BN_get_rfc2409_prime_1024, NULL, 0 }
+ };
+
+ static void init_dh_params(void)
+@@ -86,7 +115,7 @@ static void init_dh_params(void)
+ unsigned n;
+
+ for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++)
+- dhparams[n].dh = make_dh_params(dhparams[n].prime, "2");
++ dhparams[n].dh = make_dh_params(dhparams[n].prime);
+ }
+
+ static void free_dh_params(void)
+@@ -153,7 +182,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ "Init: this version of mod_ssl was compiled against "
+ "a newer library (%s, version currently loaded is %s)"
+ " - may result in undefined or erroneous behavior",
+- MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
++ MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT);
+ }
+
+ /* We initialize mc->pid per-process in the child init,
+@@ -228,9 +257,11 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ #endif
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #if APR_HAS_THREADS
+ ssl_util_thread_setup(p);
+ #endif
++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+ /*
+ * SSL external crypto device ("engine") support
+@@ -351,6 +382,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
+
+ init_dh_params();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ init_bio_methods();
++#endif
+
+ return OK;
+ }
+@@ -481,6 +515,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ char *cp;
+ int protocol = mctx->protocol;
+ SSLSrvConfigRec *sc = mySrvConfig(s);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ int prot;
++#endif
+
+ /*
+ * Create the new per-server SSL context
+@@ -506,6 +543,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
+ "Creating new SSL context (protocols: %s)", cp);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #ifndef OPENSSL_NO_SSL3
+ if (protocol == SSL_PROTOCOL_SSLV3) {
+ method = mctx->pkp ?
+@@ -536,12 +574,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ SSLv23_client_method() : /* proxy */
+ SSLv23_server_method(); /* server */
+ }
++#else
++ method = mctx->pkp ?
++ TLS_client_method() : /* proxy */
++ TLS_server_method(); /* server */
++#endif
+ ctx = SSL_CTX_new(method);
+
+ mctx->ssl_ctx = ctx;
+
+ SSL_CTX_set_options(ctx, SSL_OP_ALL);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* always disable SSLv2, as per RFC 6176 */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+
+@@ -565,6 +609,43 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ }
+ #endif
+
++#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
++ /* We first determine the maximum protocol version we should provide */
++ if (protocol & SSL_PROTOCOL_TLSV1_2) {
++ prot = TLS1_2_VERSION;
++ } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
++ prot = TLS1_1_VERSION;
++ } else if (protocol & SSL_PROTOCOL_TLSV1) {
++ prot = TLS1_VERSION;
++#ifndef OPENSSL_NO_SSL3
++ } else if (protocol & SSL_PROTOCOL_SSLV3) {
++ prot = SSL3_VERSION;
++#endif
++ } else {
++ SSL_CTX_free(ctx);
++ mctx->ssl_ctx = NULL;
++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
++ "No SSL protocols available [hint: SSLProtocol]");
++ return ssl_die(s);
++ }
++ SSL_CTX_set_max_proto_version(ctx, prot);
++
++ /* Next we scan for the minimal protocol version we should provide,
++ * but we do not allow holes between max and min */
++ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
++ prot = TLS1_1_VERSION;
++ }
++ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
++ prot = TLS1_VERSION;
++ }
++#ifndef OPENSSL_NO_SSL3
++ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
++ prot = SSL3_VERSION;
++ }
++#endif
++ SSL_CTX_set_min_proto_version(ctx, prot);
++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
++
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+@@ -858,7 +939,7 @@ static int use_certificate_chain(
+ unsigned long err;
+ int n;
+
+- if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
++ if ((bio = BIO_new(BIO_s_file())) == NULL)
+ return -1;
+ if (BIO_read_filename(bio, file) <= 0) {
+ BIO_free(bio);
+@@ -1200,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+ "Custom DH parameters (%d bits) for %s loaded from %s",
+- BN_num_bits(dhparams->p), vhost_id, certfile);
++ DH_bits(dhparams), vhost_id, certfile);
+ DH_free(dhparams);
+ }
+
+@@ -1721,7 +1802,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+ "an OpenSSL version with support for TLS extensions "
+ "(RFC 6066 - Server Name Indication / SNI), "
+ "but the currently used library version (%s) is "
+- "lacking this feature", SSLeay_version(SSLEAY_VERSION));
++ "lacking this feature", MODSSL_LIBRARY_DYNTEXT);
+ }
+ #endif
+
+@@ -1917,6 +1998,9 @@ apr_status_t ssl_init_ModuleKill(void *data)
+ ssl_init_ctx_cleanup(sc->server);
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ free_bio_methods();
++#endif
+ free_dh_params();
+
+ return APR_SUCCESS;
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+index 82953ad..b463e1a 100644
+--- a/modules/ssl/ssl_engine_io.c
++++ b/modules/ssl/ssl_engine_io.c
+@@ -149,7 +149,7 @@ static int bio_filter_out_pass(bio_filter_out_ctx_t *outctx)
+ * success, -1 on failure. */
+ static int bio_filter_out_flush(BIO *bio)
+ {
+- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
+ apr_bucket *e;
+
+ AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
+@@ -162,10 +162,16 @@ static int bio_filter_out_flush(BIO *bio)
+
+ static int bio_filter_create(BIO *bio)
+ {
+- bio->shutdown = 1;
+- bio->init = 1;
++ BIO_set_shutdown(bio, 1);
++ BIO_set_init(bio, 1);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++ /* No setter method for OpenSSL 1.1.0 available,
++ * but I can't find any functional use of the
++ * "num" field there either.
++ */
+ bio->num = -1;
+- bio->ptr = NULL;
++#endif
++ BIO_set_data(bio, NULL);
+
+ return 1;
+ }
+@@ -190,7 +196,7 @@ static int bio_filter_out_read(BIO *bio, char *out, int outl)
+
+ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
+ {
+- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
+ apr_bucket *e;
+ int need_flush;
+
+@@ -241,7 +247,7 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
+ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
+ {
+ long ret = 1;
+- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
++ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
+
+ switch (cmd) {
+ case BIO_CTRL_RESET:
+@@ -257,10 +263,10 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
+ ret = 0;
+ break;
+ case BIO_CTRL_GET_CLOSE:
+- ret = (long)bio->shutdown;
++ ret = (long)BIO_get_shutdown(bio);
+ break;
+ case BIO_CTRL_SET_CLOSE:
+- bio->shutdown = (int)num;
++ BIO_set_shutdown(bio, (int)num);
+ break;
+ case BIO_CTRL_FLUSH:
+ ret = bio_filter_out_flush(bio);
+@@ -294,19 +300,6 @@ static int bio_filter_out_puts(BIO *bio, const char *str)
+ return -1;
+ }
+
+-static BIO_METHOD bio_filter_out_method = {
+- BIO_TYPE_MEM,
+- "APR output filter",
+- bio_filter_out_write,
+- bio_filter_out_read, /* read is never called */
+- bio_filter_out_puts, /* puts is never called */
+- bio_filter_out_gets, /* gets is never called */
+- bio_filter_out_ctrl,
+- bio_filter_create,
+- bio_filter_destroy,
+- NULL
+-};
+-
+ typedef struct {
+ int length;
+ char *value;
+@@ -456,7 +449,7 @@ static apr_status_t brigade_consume(apr_bucket_brigade *bb,
+ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
+ {
+ apr_size_t inl = inlen;
+- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
++ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
+ apr_read_type_e block = inctx->block;
+
+ inctx->rc = APR_SUCCESS;
+@@ -536,20 +529,86 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
+ return -1;
+ }
+
++static int bio_filter_in_write(BIO *bio, const char *in, int inl)
++{
++ return -1;
++}
++
++static int bio_filter_in_puts(BIO *bio, const char *str)
++{
++ return -1;
++}
++
++static int bio_filter_in_gets(BIO *bio, char *buf, int size)
++{
++ return -1;
++}
++
++static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
++{
++ return -1;
++}
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++static BIO_METHOD bio_filter_out_method = {
++ BIO_TYPE_MEM,
++ "APR output filter",
++ bio_filter_out_write,
++ bio_filter_out_read, /* read is never called */
++ bio_filter_out_puts, /* puts is never called */
++ bio_filter_out_gets, /* gets is never called */
++ bio_filter_out_ctrl,
++ bio_filter_create,
++ bio_filter_destroy,
++ NULL
++};
+
+ static BIO_METHOD bio_filter_in_method = {
+ BIO_TYPE_MEM,
+ "APR input filter",
+- NULL, /* write is never called */
++ bio_filter_in_write, /* write is never called */
+ bio_filter_in_read,
+- NULL, /* puts is never called */
+- NULL, /* gets is never called */
+- NULL, /* ctrl is never called */
++ bio_filter_in_puts, /* puts is never called */
++ bio_filter_in_gets, /* gets is never called */
++ bio_filter_in_ctrl, /* ctrl is never called */
+ bio_filter_create,
+ bio_filter_destroy,
+ NULL
+ };
+
++#else
++
++static BIO_METHOD *bio_filter_out_method = NULL;
++static BIO_METHOD *bio_filter_in_method = NULL;
++
++void init_bio_methods(void)
++{
++ bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter");
++ BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write);
++ BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read is never called */
++ BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts is never called */
++ BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets is never called */
++ BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl);
++ BIO_meth_set_create(bio_filter_out_method, &bio_filter_create);
++ BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy);
++
++ bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter");
++ BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write is never called */
++ BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read);
++ BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts); /* puts is never called */
++ BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets); /* gets is never called */
++ BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl); /* ctrl is never called */
++ BIO_meth_set_create(bio_filter_in_method, &bio_filter_create);
++ BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy);
++}
++
++void free_bio_methods(void)
++{
++ BIO_meth_free(bio_filter_out_method);
++ BIO_meth_free(bio_filter_in_method);
++}
++#endif
+
+ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
+ char *buf,
+@@ -789,7 +848,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
+ */
+ ERR_clear_error();
+
+- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
++ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
+ res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
+
+ if (res < 0) {
+@@ -1267,9 +1326,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
+
+ if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
+- (filter_ctx->pbioRead->ptr);
++ BIO_get_data(filter_ctx->pbioRead);
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)
+- (filter_ctx->pbioWrite->ptr);
++ BIO_get_data(filter_ctx->pbioWrite);
+ apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
+ ssl_err = SSL_get_error(filter_ctx->pssl, n);
+
+@@ -1682,8 +1741,8 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
+ return ap_pass_brigade(f->next, bb);
+ }
+
+- inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
+- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
++ inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead);
++ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
+
+ /* When we are the writer, we must initialize the inctx
+ * mode so that we block for any required ssl input, because
+@@ -1964,8 +2023,12 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
+
+ filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
+- filter_ctx->pbioRead->ptr = (void *)inctx;
++#else
++ filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
++#endif
++ BIO_set_data(filter_ctx->pbioRead, (void *)inctx);
+
+ inctx->ssl = ssl;
+ inctx->bio_out = filter_ctx->pbioWrite;
+@@ -1995,8 +2058,12 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl)
+ filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
+ filter_ctx, r, c);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
+- filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c);
++#else
++ filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
++#endif
++ BIO_set_data(filter_ctx->pbioWrite, (void *)bio_filter_out_ctx_new(filter_ctx, c));
+
+ /* write is non blocking for the benefit of async mpm */
+ if (c->cs) {
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index d4459a2..da2776f 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -80,7 +80,7 @@ static apr_status_t upgrade_connection(request_rec *r)
+ SSL_set_accept_state(ssl);
+ SSL_do_handshake(ssl);
+
+- if (SSL_get_state(ssl) != SSL_ST_OK) {
++ if (!SSL_is_init_finished(ssl)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
+ "TLS upgrade handshake failed");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+@@ -114,6 +114,7 @@ static int has_buffered_data(request_rec *r)
+ return result;
+ }
+
++#ifdef HAVE_TLSEXT
+ static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
+ {
+ int i;
+@@ -215,6 +216,7 @@ static int ssl_server_compatible(server_rec *s1, server_rec *s2)
+
+ return 1;
+ }
++#endif
+
+ /*
+ * Post Read Request Handler
+@@ -432,7 +434,7 @@ int ssl_hook_Access(request_rec *r)
+ X509 *cert;
+ X509 *peercert;
+ X509_STORE *cert_store = NULL;
+- X509_STORE_CTX cert_store_ctx;
++ X509_STORE_CTX *cert_store_ctx;
+ STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
+ const SSL_CIPHER *cipher = NULL;
+ int depth, verify_old, verify, n, is_slave = 0;
+@@ -456,7 +458,7 @@ int ssl_hook_Access(request_rec *r)
+ * forbidden in the latter case, let ap_die() handle
+ * this recursive (same) error.
+ */
+- if (SSL_get_state(ssl) != SSL_ST_OK) {
++ if (!SSL_is_init_finished(ssl)) {
+ return HTTP_FORBIDDEN;
+ }
+ ctx = SSL_get_SSL_CTX(ssl);
+@@ -622,7 +624,7 @@ int ssl_hook_Access(request_rec *r)
+ !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
+ n++)
+ {
+- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
++ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
+
+ if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
+ renegotiate = TRUE;
+@@ -633,7 +635,7 @@ int ssl_hook_Access(request_rec *r)
+ !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
+ n++)
+ {
+- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
++ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
+
+ if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
+ renegotiate = TRUE;
+@@ -914,25 +916,27 @@ int ssl_hook_Access(request_rec *r)
+ cert = sk_X509_value(cert_stack, 0);
+ }
+
+- X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
++ cert_store_ctx = X509_STORE_CTX_new();
++ X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack);
+ depth = SSL_get_verify_depth(ssl);
+
+ if (depth >= 0) {
+- X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
++ X509_STORE_CTX_set_depth(cert_store_ctx, depth);
+ }
+
+- X509_STORE_CTX_set_ex_data(&cert_store_ctx,
++ X509_STORE_CTX_set_ex_data(cert_store_ctx,
+ SSL_get_ex_data_X509_STORE_CTX_idx(),
+ (char *)ssl);
+
+- if (!X509_verify_cert(&cert_store_ctx)) {
++ if (!X509_verify_cert(cert_store_ctx)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
+ "Re-negotiation verification step failed");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+ }
+
+- SSL_set_verify_result(ssl, cert_store_ctx.error);
+- X509_STORE_CTX_cleanup(&cert_store_ctx);
++ SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx));
++ X509_STORE_CTX_cleanup(cert_store_ctx);
++ X509_STORE_CTX_free(cert_store_ctx);
+
+ if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
+ /* we created this ourselves, so free it */
+@@ -940,6 +944,7 @@ int ssl_hook_Access(request_rec *r)
+ }
+ }
+ else {
++ char peekbuf[1];
+ const char *reneg_support;
+ request_rec *id = r->main ? r->main : r;
+
+@@ -983,7 +988,7 @@ int ssl_hook_Access(request_rec *r)
+ SSL_renegotiate(ssl);
+ SSL_do_handshake(ssl);
+
+- if (SSL_get_state(ssl) != SSL_ST_OK) {
++ if (!SSL_is_init_finished(ssl)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
+ "Re-negotiation request failed");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+@@ -999,16 +1004,15 @@ int ssl_hook_Access(request_rec *r)
+ * However, this causes failures in perl-framework currently,
+ * perhaps pre-test if we have already negotiated?
+ */
+-#ifdef OPENSSL_NO_SSL_INTERN
+- SSL_set_state(ssl, SSL_ST_ACCEPT);
+-#else
+- ssl->state = SSL_ST_ACCEPT;
+-#endif
+- SSL_do_handshake(ssl);
++ /* Need to trigger renegotiation handshake by reading.
++ * Peeking 0 bytes actually works.
++ * See: http://marc.info/?t=145493359200002&r=1&w=2
++ */
++ SSL_peek(ssl, peekbuf, 0);
+
+ sslconn->reneg_state = RENEG_REJECT;
+
+- if (SSL_get_state(ssl) != SSL_ST_OK) {
++ if (!SSL_is_init_finished(ssl)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
+ "Re-negotiation handshake failed");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+@@ -1513,7 +1517,11 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
+ SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
+ #endif
+ pkey = SSL_get_privatekey(ssl);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
++#else
++ type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
++#endif
+
+ /*
+ * OpenSSL will call us with either keylen == 512 or keylen == 1024
+@@ -1725,11 +1733,19 @@ static void modssl_proxy_info_log(conn_rec *c,
+ * so we need to increment here to prevent them from
+ * being freed.
+ */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define modssl_set_cert_info(info, cert, pkey) \
+ *cert = info->x509; \
+ CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
+ *pkey = info->x_pkey->dec_pkey; \
+ CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
++#else
++#define modssl_set_cert_info(info, cert, pkey) \
++ *cert = info->x509; \
++ X509_up_ref(*cert); \
++ *pkey = info->x_pkey->dec_pkey; \
++ EVP_PKEY_up_ref(*pkey);
++#endif
+
+ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
+ {
+@@ -1823,7 +1839,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
+
+ static void ssl_session_log(server_rec *s,
+ const char *request,
+- unsigned char *id,
++ IDCONST unsigned char *id,
+ unsigned int idlen,
+ const char *status,
+ const char *result,
+@@ -1863,7 +1879,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ long timeout = sc->session_cache_timeout;
+ BOOL rc;
+- unsigned char *id;
++ IDCONST unsigned char *id;
+ unsigned int idlen;
+
+ /*
+@@ -1907,7 +1923,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
+ * of our other Apache pre-forked server processes.
+ */
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
+- unsigned char *id,
++ IDCONST unsigned char *id,
+ int idlen, int *do_copy)
+ {
+ /* Get Apache context back through OpenSSL context */
+@@ -1946,7 +1962,7 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
+ {
+ server_rec *s;
+ SSLSrvConfigRec *sc;
+- unsigned char *id;
++ IDCONST unsigned char *id;
+ unsigned int idlen;
+
+ /*
+@@ -2067,15 +2083,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
+ /* If the reneg state is to reject renegotiations, check the SSL
+ * state machine and move to ABORT if a Client Hello is being
+ * read. */
+- if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
+- int state = SSL_get_state((SSL *)ssl);
+-
+- if (state == SSL3_ST_SR_CLNT_HELLO_A
+- || state == SSL23_ST_SR_CLNT_HELLO_A) {
++ if (!scr->is_proxy &&
++ (where & SSL_CB_HANDSHAKE_START) &&
++ scr->reneg_state == RENEG_REJECT) {
+ scr->reneg_state = RENEG_ABORT;
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
+ "rejecting client initiated renegotiation");
+- }
+ }
+ /* If the first handshake is complete, change state to reject any
+ * subsequent client-initiated renegotiation. */
+@@ -2279,7 +2292,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
+ }
+
+ memcpy(keyname, ticket_key->key_name, 16);
+- RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
++ RAND_bytes(iv, EVP_MAX_IV_LENGTH);
+ EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
+ ticket_key->aes_key, iv);
+ HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
+@@ -2416,17 +2429,27 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+ SRP_user_pwd *u;
+
+ if (username == NULL
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
++#else
++ || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) {
++#endif
+ *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
+ return SSL3_AL_FATAL;
+ }
+
+ if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ SRP_user_pwd_free(u);
++#endif
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL3_AL_FATAL;
+ }
+
+ /* reset all other options */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ SRP_user_pwd_free(u);
++#endif
+ SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
+ return SSL_ERROR_NONE;
+ }
+diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
+index f295651..282a2a2 100644
+--- a/modules/ssl/ssl_engine_ocsp.c
++++ b/modules/ssl/ssl_engine_ocsp.c
+@@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
+ {
+ OCSP_REQUEST *req = OCSP_REQUEST_new();
+
+- *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer);
++ *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx));
+ if (!*certid || !OCSP_request_add0_id(req, *certid)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
+ "could not retrieve certificate id");
+@@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
+
+ if (rc == V_OCSP_CERTSTATUS_GOOD) {
+ /* TODO: allow flags configuration. */
+- if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
++ if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
+ "failed to verify the OCSP response");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+@@ -262,7 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
+ "No cert available to check with OCSP");
+ return 1;
+ }
+- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
++ else if (X509_check_issued(cert,cert) == X509_V_OK) {
+ /* don't do OCSP checking for valid self-issued certs */
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+ "Skipping OCSP check for valid self-issued cert");
+diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
+index 036cb36..42c22b0 100644
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -380,7 +380,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn,
+ char buf[MODSSL_SESSION_ID_STRING_LEN];
+ SSL_SESSION *pSession = SSL_get_session(ssl);
+ if (pSession) {
+- unsigned char *id;
++ IDCONST unsigned char *id;
+ unsigned int idlen;
+
+ #ifdef OPENSSL_NO_SSL_INTERN
+@@ -545,13 +545,25 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
+ resdup = FALSE;
+ }
+ else if (strcEQ(var, "A_SIG")) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
++#else
++ ASN1_OBJECT *paobj;
++ X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs));
++ nid = OBJ_obj2nid(paobj);
++#endif
+ result = apr_pstrdup(p,
+ (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
+ resdup = FALSE;
+ }
+ else if (strcEQ(var, "A_KEY")) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
++#else
++ ASN1_OBJECT *paobj;
++ X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs));
++ nid = OBJ_obj2nid(paobj);
++#endif
+ result = apr_pstrdup(p,
+ (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
+ resdup = FALSE;
+@@ -613,11 +625,8 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
+ for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
+ if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
+ && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
+- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
+- xsname->entries);
+- j++) {
+- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
+- xsname->entries, j);
++ for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
++ xsne = X509_NAME_get_entry(xsname, j);
+
+ n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
+
+@@ -919,7 +928,6 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
+ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
+ X509_NAME *xn, apr_pool_t *p)
+ {
+- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
+ X509_NAME_ENTRY *xsne;
+ apr_hash_t *count;
+ int i, nid;
+@@ -929,10 +937,9 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
+ count = apr_hash_make(p);
+
+ /* For each RDN... */
+- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
++ for (i = 0; i < X509_NAME_entry_count(xn); i++) {
+ const char *tag;
+-
+- xsne = sk_X509_NAME_ENTRY_value(ents, i);
++ xsne = X509_NAME_get_entry(xn, i);
+
+ /* Retrieve the nid, and check whether this is one of the nids
+ * which are to be extracted. */
+@@ -1106,7 +1113,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
+ for (j = 0; j < count; j++) {
+ X509_EXTENSION *ext = X509_get_ext(xs, j);
+
+- if (OBJ_cmp(ext->object, oid) == 0) {
++ if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
+ BIO *bio = BIO_new(BIO_s_mem());
+
+ /* We want to obtain a string representation of the extensions
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 7813e41..08de3a1 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -135,6 +135,13 @@
+ #define HAVE_SSL_CONF_CMD
+ #endif
+
++/* session id constness */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define IDCONST
++#else
++#define IDCONST const
++#endif
++
+ /**
+ * The following features all depend on TLS extension support.
+ * Within this block, check again for features (not version numbers).
+@@ -151,6 +158,8 @@
+ /* OCSP stapling */
+ #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
+ #define HAVE_OCSP_STAPLING
++/* All exist but are no longer macros since OpenSSL 1.1.0 */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* backward compatibility with OpenSSL < 1.0 */
+ #ifndef sk_OPENSSL_STRING_num
+ #define sk_OPENSSL_STRING_num sk_num
+@@ -161,7 +170,8 @@
+ #ifndef sk_OPENSSL_STRING_pop
+ #define sk_OPENSSL_STRING_pop sk_pop
+ #endif
+-#endif
++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
++#endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
+
+ /* TLS session tickets */
+ #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
+@@ -189,6 +199,36 @@
+
+ #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
++#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
++#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
++#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
++#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
++#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
++#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
++#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
++#define BIO_set_init(x,v) (x->init=v)
++#define BIO_get_data(x) (x->ptr)
++#define BIO_set_data(x,v) (x->ptr=v)
++#define BIO_get_shutdown(x) (x->shutdown)
++#define BIO_set_shutdown(x,v) (x->shutdown=v)
++#define DH_bits(x) (BN_num_bits(x->p))
++#else
++void init_bio_methods(void);
++void free_bio_methods(void);
++#endif
++
++#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#define X509_STORE_CTX_get0_store(x) (x->ctx)
++#endif
++
++#if OPENSSL_VERSION_NUMBER < 0x10000000L
++#ifndef X509_STORE_CTX_get0_current_issuer
++#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
++#endif
++#endif
++
+ /* mod_ssl headers */
+ #include "ssl_util_ssl.h"
+
+@@ -454,12 +494,12 @@ typedef struct {
+ * partial fix for CVE-2009-3555. */
+ enum {
+ RENEG_INIT = 0, /* Before initial handshake */
+- RENEG_REJECT, /* After initial handshake; any client-initiated
+- * renegotiation should be rejected */
+- RENEG_ALLOW, /* A server-initiated renegotiation is taking
+- * place (as dictated by configuration) */
+- RENEG_ABORT /* Renegotiation initiated by client, abort the
+- * connection */
++ RENEG_REJECT, /* After initial handshake; any client-initiated
++ * renegotiation should be rejected */
++ RENEG_ALLOW, /* A server-initiated renegotiation is taking
++ * place (as dictated by configuration) */
++ RENEG_ABORT /* Renegotiation initiated by client, abort the
++ * connection */
+ } reneg_state;
+
+ server_rec *server;
+@@ -810,7 +850,7 @@ int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
+ int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
+ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+ int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
+-SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
++SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *);
+ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+ void ssl_callback_Info(const SSL *, int, int);
+ #ifdef HAVE_TLSEXT
+@@ -831,10 +871,10 @@ int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
+ apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
+ void ssl_scache_status_register(apr_pool_t *p);
+ void ssl_scache_kill(server_rec *);
+-BOOL ssl_scache_store(server_rec *, UCHAR *, int,
++BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int,
+ apr_time_t, SSL_SESSION *, apr_pool_t *);
+-SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
+-void ssl_scache_remove(server_rec *, UCHAR *, int,
++SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *);
++void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int,
+ apr_pool_t *);
+
+ /** Proxy Support */
+@@ -882,7 +922,9 @@ void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
+ char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
+ const char * const *);
+ BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ void ssl_util_thread_setup(apr_pool_t *);
++#endif
+ int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
+
+ BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
+diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c
+index 70d1877..7b4a203 100644
+--- a/modules/ssl/ssl_scache.c
++++ b/modules/ssl/ssl_scache.c
+@@ -110,7 +110,7 @@ void ssl_scache_kill(server_rec *s)
+
+ }
+
+-BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,
++BOOL ssl_scache_store(server_rec *s, IDCONST UCHAR *id, int idlen,
+ apr_time_t expiry, SSL_SESSION *sess,
+ apr_pool_t *p)
+ {
+@@ -144,7 +144,7 @@ BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,
+ return rv == APR_SUCCESS ? TRUE : FALSE;
+ }
+
+-SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen,
++SSL_SESSION *ssl_scache_retrieve(server_rec *s, IDCONST UCHAR *id, int idlen,
+ apr_pool_t *p)
+ {
+ SSLModConfigRec *mc = myModConfig(s);
+@@ -173,7 +173,7 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen,
+ return d2i_SSL_SESSION(NULL, &ptr, destlen);
+ }
+
+-void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen,
++void ssl_scache_remove(server_rec *s, IDCONST UCHAR *id, int idlen,
+ apr_pool_t *p)
+ {
+ SSLModConfigRec *mc = myModConfig(s);
+diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
+index ddde3c7..052d23e 100644
+--- a/modules/ssl/ssl_util.c
++++ b/modules/ssl/ssl_util.c
+@@ -247,6 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *table,
+ }
+
+ #if APR_HAS_THREADS
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /*
+ * To ensure thread-safetyness in OpenSSL - work in progress
+ */
+@@ -362,6 +363,28 @@ static void ssl_dyn_destroy_function(struct CRYPTO_dynlock_value *l,
+ apr_pool_destroy(l->pool);
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++
++static void ssl_util_thr_id(CRYPTO_THREADID *id)
++{
++ /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
++ * id is a structure twice that big. Use the TCB pointer instead as a
++ * unique unsigned long.
++ */
++#ifdef __MVS__
++ struct PSA {
++ char unmapped[540]; /* PSATOLD is at offset 540 in the PSA */
++ unsigned long PSATOLD;
++ } *psaptr = 0; /* PSA is at address 0 */
++
++ CRYPTO_THREADID_set_numeric(id, psaptr->PSATOLD);
++#else
++ CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current());
++#endif
++}
++
++#else
++
+ static unsigned long ssl_util_thr_id(void)
+ {
+ /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
+@@ -380,10 +403,16 @@ static unsigned long ssl_util_thr_id(void)
+ #endif
+ }
+
++#endif
++
+ static apr_status_t ssl_util_thread_cleanup(void *data)
+ {
+ CRYPTO_set_locking_callback(NULL);
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++ CRYPTO_THREADID_set_callback(NULL);
++#else
+ CRYPTO_set_id_callback(NULL);
++#endif
+
+ CRYPTO_set_dynlock_create_callback(NULL);
+ CRYPTO_set_dynlock_lock_callback(NULL);
+@@ -407,7 +436,11 @@ void ssl_util_thread_setup(apr_pool_t *p)
+ apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p);
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++ CRYPTO_THREADID_set_callback(ssl_util_thr_id);
++#else
+ CRYPTO_set_id_callback(ssl_util_thr_id);
++#endif
+
+ CRYPTO_set_locking_callback(ssl_util_thr_lock);
+
+@@ -422,4 +455,5 @@ void ssl_util_thread_setup(apr_pool_t *p)
+ apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup,
+ apr_pool_cleanup_null);
+ }
+-#endif
++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
++#endif /* #if APR_HAS_THREADS */
+diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
+index a7607c7..9807592 100644
+--- a/modules/ssl/ssl_util_ssl.c
++++ b/modules/ssl/ssl_util_ssl.c
+@@ -488,7 +488,7 @@ EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
+ ** _________________________________________________________________
+ */
+
+-char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen,
++char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen,
+ char *str, int strsize)
+ {
+ if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
+diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
+index 5f74831..4f18f91 100644
+--- a/modules/ssl/ssl_util_ssl.h
++++ b/modules/ssl/ssl_util_ssl.h
+@@ -41,7 +41,11 @@
+ #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
+ #define MODSSL_LIBRARY_NAME "OpenSSL"
+ #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
++#else
++#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
++#endif
+
+ /**
+ * Maximum length of a DER encoded session.
+@@ -67,7 +71,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsn
+ char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
+ BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
+ BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
+-char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
++char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int);
+
+ #endif /* __SSL_UTIL_SSL_H__ */
+ /** @} */
+diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
+index 413e40f..718a291 100644
+--- a/modules/ssl/ssl_util_stapling.c
++++ b/modules/ssl/ssl_util_stapling.c
+@@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
+ X509 *issuer = NULL;
+ int i;
+ X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
+- X509_STORE_CTX inctx;
++ X509_STORE_CTX *inctx;
+ STACK_OF(X509) *extra_certs = NULL;
+
+ #ifdef OPENSSL_NO_SSL_INTERN
+@@ -91,18 +91,23 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
+ for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ issuer = sk_X509_value(extra_certs, i);
+ if (X509_check_issued(issuer, x) == X509_V_OK) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
++#else
++ X509_up_ref(issuer);
++#endif
+ return issuer;
+ }
+ }
+
+- if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
++ inctx = X509_STORE_CTX_new();
++ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
+ return 0;
+- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
++ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
+ issuer = NULL;
+- X509_STORE_CTX_cleanup(&inctx);
++ X509_STORE_CTX_cleanup(inctx);
++ X509_STORE_CTX_free(inctx);
+ return issuer;
+-
+ }
+
+ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
+@@ -398,7 +403,9 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
+
+ if (bio) {
+ int n;
+- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
++ ASN1_INTEGER *pserial;
++ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
++ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
+ ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
+ snum[n] = '\0';
+ BIO_free(bio);
+diff --git a/support/ab.c b/support/ab.c
+index 072d2e6..3d61b2d 100644
+--- a/support/ab.c
++++ b/support/ab.c
+@@ -2165,6 +2165,14 @@ int main(int argc, const char * const argv[])
+ apr_getopt_t *opt;
+ const char *opt_arg;
+ char c;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ int max_prot = TLS1_2_VERSION;
++#ifndef OPENSSL_NO_SSL3
++ int min_prot = SSL3_VERSION;
++#else
++ int min_prot = TLS1_VERSION;
++#endif
++#endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */
+ #ifdef USE_SSL
+ AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();
+ #endif
+@@ -2391,6 +2399,7 @@ int main(int argc, const char * const argv[])
+ method_str[CUSTOM_METHOD] = strdup(opt_arg);
+ break;
+ case 'f':
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (strncasecmp(opt_arg, "ALL", 3) == 0) {
+ meth = SSLv23_client_method();
+ #ifndef OPENSSL_NO_SSL2
+@@ -2416,6 +2425,31 @@ int main(int argc, const char * const argv[])
+ } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
+ meth = TLSv1_client_method();
+ }
++#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
++ meth = TLS_client_method();
++ if (strncasecmp(opt_arg, "ALL", 3) == 0) {
++ max_prot = TLS1_2_VERSION;
++#ifndef OPENSSL_NO_SSL3
++ min_prot = SSL3_VERSION;
++#else
++ min_prot = TLS1_VERSION;
++#endif
++#ifndef OPENSSL_NO_SSL3
++ } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
++ max_prot = SSL3_VERSION;
++ min_prot = SSL3_VERSION;
++#endif
++ } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
++ max_prot = TLS1_1_VERSION;
++ min_prot = TLS1_1_VERSION;
++ } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {
++ max_prot = TLS1_2_VERSION;
++ min_prot = TLS1_2_VERSION;
++ } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
++ max_prot = TLS1_VERSION;
++ min_prot = TLS1_VERSION;
++ }
++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ break;
+ #ifdef HAVE_TLSEXT
+ case 'I':
+@@ -2465,7 +2499,11 @@ int main(int argc, const char * const argv[])
+ #ifdef RSAREF
+ R_malloc_init();
+ #else
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ CRYPTO_malloc_init();
++#else
++ OPENSSL_malloc_init();
++#endif
+ #endif
+ SSL_load_error_strings();
+ SSL_library_init();
+@@ -2478,6 +2516,10 @@ int main(int argc, const char * const argv[])
+ exit(1);
+ }
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ SSL_CTX_set_max_proto_version(ssl_ctx, max_prot);
++ SSL_CTX_set_min_proto_version(ssl_ctx, min_prot);
++#endif
+ #ifdef SSL_MODE_RELEASE_BUFFERS
+ /* Keep memory usage as low as possible */
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);