Ignore self issued certificates when checking path length constraints.

Duplicate OIDs in policy tree in case they are allocated.

Use anyPolicy from certificate cache and not current tree level.

version some time soon.

Submitted by: Daniel Black <daniel.subs@internode.on.net>

Add a -certsout option to output any certificates in a message.

Add test for example 4.11

to 'unsigned long' (ie. odd platforms/compilers), so a pointer-typed
version was added but it required portable code to check *both* modes to
determine equality. This commit maintains the availability of both thread
ID types, but deprecates the type-specific accessor APIs that invoke the
callbacks - instead a single type-independent API is used.  This simplifies
software that calls into this interface, and should also make it less
error-prone - as forgetting to call and compare *both* thread ID accessors
could have led to hard-to-debug/infrequent bugs (that might only affect
certain platforms or thread implementations). As the CHANGES note says,
there were corresponding deprecations and replacements in the
thread-related functions for BN_BLINDING and ERR too.

Submitted by: Richard Hartmann <richih.mailinglist@gmail.com>

Use default algorithms for OCSP request and response signing. New command
line option to support other digest use for OCSP certificate IDs.

  I just compiled the 9.9-dev version from the 12022007 tarball under
  DJGPP. There were only 2 changes needed, one for b_sock.c, since
  DJGPP with WATT32 doesn't define socklen_t and one for testtsa to
  handle DOS style path separators. I also noted what seems to be a
  typographical error in ts.pod. The test suite passes. The patch is
  attached.

  Since I am in the US, I have sent notifications to the Bureau of
  Industry and Security and to the NSA.

Submitted by: Tobias Stoeckmann <tobias@bugol.de>

Submitted by: Ernst G. Giessmann

PR: 1578
Submitted by: Charles Longeau <chl@tuxfamily.org>