(The attack against SSL 3.1 and TLS 1.0 is impractical anyway,
otherwise this would be a security relevant patch.)

links.

a bit of weird code in sk_new.

Submitted by:
Reviewed by:
PR:

string (some engines may have certificates protected by a PIN!) and
a description to put into error messages.

Also, have our own password callback that we can send both a password
and some prompt info to.  The default password callback in EVP assumes
that the passed parameter is a password, which isn't always the right
thing, and the ENGINE code (at least the nCipher one) makes other
assumptions...

Also, in spite of having the functions to load keys, some utilities
did the loading all by themselves...  That's changed too.

details (performance numbers and accompanying discussions:-). Note that
the code is not engaged in ./Configure yet. I'll add it later this week
along with updates for .spec file.

Submitted by:
Reviewed by:
PR:

passwords that were given to the key loading functions were completely
ignored, at least in the ncipher code, and then we made the assumption
that the callback wanted a prompt as user argument.

All that is now changed, and the application author is forced to give
a callback function of type pem_callback_cb and possibly an argument
for it, just as for all other functions that want to generate password
prompting.

NOTE: this change creates binary and source incompatibilities with
previous versions of OpenSSL [engine].  It's worth it this time, to
get it right (or at least better and with a chance that it'll work).

Add missing variable length cipher flag for Blowfish.

Only use trust settings if either trust or reject settings
are present, otherwise use compatibility mode. This stops
root CAs being rejected if they have alias of keyid set.

For some unknown reason fopen("con", "w") is the
only way to make this work. Using "r+" and "w+"
causes the fopen call to fail and the fallback
(using stdin) doesn't work because writing to stdin
fails.

environment were a part of a Unix operating systems, but these days
you see an increasing number of installations that do not necessarely
have these crucial parts by default, so it's needs mentioning.

as gmtime_r() on the systems where that is defined.

DEC C only have them declared that way (it doesn't really matter,
since the linker is case-insensitive by default)

characters.

compilers will complain against the check for less than zero.

symbols.

mistake.

reachable.

It's completely untested for now.  To be done in the next few days.