When setting the current certificate check that it has a corresponding
private key.

New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.

Add verify error code when building chain.

Update docs.

(cherry picked from commit b709f8ef54b1c9ad513878ba0213aa651a9acef8)

Add the extension parser in the s_client, ocsp and x509 apps.

The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit b17d6b8d1d49fa4732deff17cfd1833616af0d9c)

This can be used to speed up SRTP with libsrtp, e.g. on TI omap/sitara based devices.

Add the RFC6962 OIDs to the objects table.

If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file.  However the value isn't used to generate the key, but it does
print it's generating such a key.  The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024).  Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.

We now read the config first and use the value from the config file when no size
is given.

PR: 2592

apps/pkcs12.c accepts -password as an argument.  The document author
almost certainly meant to write "-password, -passin".

However, that is not correct, either.  Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.

Improve CBC decrypt and CTR by ~13/16%, which adds up to ~25/33%
improvement over "pre-Silvermont" version. [Add performance table to
aesni-x86.pl].

When a chain is complete and ends in a trusted root checks are also
performed on the TA and the callback notified with ok==1. For
consistency do the same for chains where the TA is not self signed.

(cherry picked from commit a2317c3ffde3f1f73bd7fa3f08e420fb09043905)

(other processors unaffected).

The contract for custom extension callbacks has changed - all custom extension callbacks are triggered