--- /dev/null
+commit 219b03891818f015317d60135e46307974794a82
+Author: Stefan de Konink <stefan@konink.de>
+Date: Fri Oct 17 19:20:36 2014 +0200
+
+ Disable SSLv3 by default.
+
+ http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html
+
+diff --git a/admin/PageAdvanced.py b/admin/PageAdvanced.py
+index 9d6a1420..21a9d0c9 100644
+--- a/admin/PageAdvanced.py
++++ b/admin/PageAdvanced.py
+@@ -96,7 +96,7 @@ NOTE_DH2048 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 2048
+ NOTE_DH4096 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 4096 bits.')
+ NOTE_TLS_TIMEOUT = N_('Timeout for the TLS/SSL handshake. Default: 15 seconds.')
+ NOTE_TLS_SSLv2 = N_('Allow clients to use SSL version 2 - Beware: it is vulnerable. (Default: No)')
+-NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 (Default: Yes)')
++NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 - Beware: it is vulnerable. (Default: No)')
+ NOTE_TLS_TLSv1 = N_('Allow clients to use TLS version 1 (Default: Yes)')
+ NOTE_TLS_TLSv1_1 = N_('Allow clients to use TLS version 1.1 (Default: Yes)')
+ NOTE_TLS_TLSv1_2 = N_('Allow clients to use TLS version 1.2 (Default: Yes)')
+@@ -181,7 +181,7 @@ class TLSWidget (CTK.Container):
+
+ table = CTK.PropsAuto(URL_APPLY)
+ table.Add (_('SSL version 2'), CTK.CheckCfgText('server!tls!protocol!SSLv2', False, _("Allow")), _(NOTE_TLS_SSLv2))
+- table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', True, _("Allow")), _(NOTE_TLS_SSLv3))
++ table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', False, _("Allow")), _(NOTE_TLS_SSLv3))
+ table.Add (_('TLS version 1'), CTK.CheckCfgText('server!tls!protocol!TLSv1', True, _("Allow")), _(NOTE_TLS_TLSv1))
+ table.Add (_('TLS version 1.1'), CTK.CheckCfgText('server!tls!protocol!TLSv1_1', True, _("Allow")), _(NOTE_TLS_TLSv1_1))
+ table.Add (_('TLS version 1.2'), CTK.CheckCfgText('server!tls!protocol!TLSv1_2', True, _("Allow")), _(NOTE_TLS_TLSv1_2))
+diff --git a/cherokee/cryptor.c b/cherokee/cryptor.c
+index 640b5379..4ae92fdd 100644
+--- a/cherokee/cryptor.c
++++ b/cherokee/cryptor.c
+@@ -49,7 +49,7 @@ cherokee_cryptor_init_base (cherokee_cryptor_t *cryp,
+ */
+ cryp->timeout_handshake = TIMEOUT_DEFAULT;
+ cryp->allow_SSLv2 = false;
+- cryp->allow_SSLv3 = true;
++ cryp->allow_SSLv3 = false;
+ cryp->allow_TLSv1 = true;
+ cryp->allow_TLSv1_1 = true;
+ cryp->allow_TLSv1_2 = true;
+
+commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6
+Author: Ilya <ilya.veselov@gmail.com>
+Date: Wed Dec 10 12:59:19 2014 +0500
+
+ Update ciphers configuration
+
+ In accordance to Mozilla's [Forward Secrecy recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy) (Intermediate compatibility).
+
+ This will also disable RC4 ciphers to mitigate POODLE in TLS attack.
+
+diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
+index ed1f8ee0..1adfa97e 100644
+--- a/cherokee/cryptor.h
++++ b/cherokee/cryptor.h
+@@ -35,7 +35,7 @@
+
+ CHEROKEE_BEGIN_DECLS
+
+-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
++#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+
+ /* Callback function prototipes
+ */
+
+commit c6ac753005a2857c4af2f489b674c7449e04e64c
+Merge: 219b0389 5bdd6dd6
+Author: Stefan de Konink <stefan@konink.de>
+Date: Wed Dec 10 12:01:16 2014 +0100
+
+ Merge pull request #1168 from 13xforever/patch-1
+
+ Update ciphers configuration
+
+commit 4600b2e70df54044d301b77354979409e9413294
+Author: Stefan de Konink <stefan@konink.de>
+Date: Wed Dec 10 12:10:24 2014 +0100
+
+ Revert "Update ciphers configuration"
+
+diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
+index 1adfa97e..ed1f8ee0 100644
+--- a/cherokee/cryptor.h
++++ b/cherokee/cryptor.h
+@@ -35,7 +35,7 @@
+
+ CHEROKEE_BEGIN_DECLS
+
+-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
++#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
+
+ /* Callback function prototipes
+ */
+
+commit a02d96fe5960c5e906ad4952dfc36d5dc6eb4849
+Merge: c6ac7530 4600b2e7
+Author: Stefan de Konink <stefan@konink.de>
+Date: Wed Dec 10 12:10:49 2014 +0100
+
+ Merge pull request #1169 from cherokee/revert-1168-patch-1
+
+ Revert "Update ciphers configuration"
+
+commit a917d76ed9b4272478ca973084ec1037a950c443
+Author: Stefan de Konink <stefan@konink.de>
+Date: Wed Dec 10 13:35:45 2014 +0100
+
+ Reapply previous patch from commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6 by @13xforever
+
+ In accordance to Mozilla's [Forward Secrecy
+ recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy)
+ (Intermediate compatibility).
+
+ This will also disable RC4 ciphers to mitigate POODLE in TLS attack.
+
+ In addition: we loose the ability to do server side BEAST mitigation.
+ See the discussion at: https://github.com/cherokee/webserver/pull/1168
+
+diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
+index ed1f8ee0..1adfa97e 100644
+--- a/cherokee/cryptor.h
++++ b/cherokee/cryptor.h
+@@ -35,7 +35,7 @@
+
+ CHEROKEE_BEGIN_DECLS
+
+-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
++#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+
+ /* Callback function prototipes
+ */
+
+commit 57b04ec506cde04794775e769d5485800427373e
+Author: Stefan de Konink <stefan@konink.de>
+Date: Mon May 8 13:20:32 2017 +0200
+
+ OpenSSL 1.1 uses the Secure Renegotiation Extension
+
+diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
+index 74af1cb5..5f430b73 100644
+--- a/cherokee/cryptor_libssl.c
++++ b/cherokee/cryptor_libssl.c
+@@ -790,11 +790,13 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp,
+ }
+ #endif
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* Disable Ciphers renegotiation (CVE-2009-3555)
+ */
+ if (cryp->session->s3) {
+ cryp->session->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+ }
++#endif
+
+ return ret_ok;
+ }
+
+commit 07ab26e6683f5166f7cd7785fe714338e3ad369f
+Author: Stefan de Konink <stefan@konink.de>
+Date: Mon May 8 13:49:56 2017 +0200
+
+ Second attempt to update to OpenSSL 1.1.
+
+ To test if Cherokee now is able to compile on both installations.
+
+diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
+index 5f430b73..1a4c452a 100644
+--- a/cherokee/cryptor_libssl.c
++++ b/cherokee/cryptor_libssl.c
+@@ -238,13 +238,13 @@ cherokee_cryptor_libssl_find_vserver (SSL *ssl,
+ /* SSL_set_SSL_CTX() only change certificates. We need to
+ * changes more options by hand.
+ */
+- SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
++ SSL_set_options(ssl, SSL_CTX_get_options(ctx));
+
+ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
+ (SSL_num_renegotiations(ssl) == 0)) {
+
+- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
+- SSL_CTX_get_verify_callback(ssl->ctx));
++ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
++ SSL_CTX_get_verify_callback(ctx));
+ }
+
+ return ret_ok;
+@@ -1332,10 +1332,15 @@ PLUGIN_INIT_NAME(libssl) (cherokee_plugin_loader_t *loader)
+
+ /* Init OpenSSL
+ */
+- OPENSSL_config (NULL);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++ OPENSSL_config(NULL);
+ SSL_library_init();
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
++#else
++ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
++ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
++#endif
+
+ /* Ensure PRNG has been seeded with enough data
+ */
+diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
+index 7f7702d5..0512baf5 100644
+--- a/cherokee/cryptor_libssl_dh_1024.c
++++ b/cherokee/cryptor_libssl_dh_1024.c
+@@ -4,7 +4,7 @@
+ #endif
+ static DH *get_dh1024()
+ {
+- static unsigned char dh1024_p[]={
++ static unsigned char dhp_1024[]={
+ 0x85,0x08,0xFF,0x6C,0xC1,0x0C,0x23,0x55,0xC5,0xF8,0x3D,0x47,
+ 0x6F,0x23,0x36,0xDA,0x98,0xF3,0xE4,0x56,0xCD,0xA0,0xF3,0x02,
+ 0x18,0xB0,0xCB,0xD2,0x92,0x4B,0xDC,0x76,0x2B,0x24,0x2B,0x20,
+@@ -17,16 +17,21 @@ static DH *get_dh1024()
+ 0xF4,0xB8,0xB7,0x5B,0xEF,0x7E,0x06,0x43,0x2A,0x8E,0x33,0x69,
+ 0x71,0x65,0x35,0xBF,0xCB,0xCD,0xB0,0x5B,
+ };
+- static unsigned char dh1024_g[]={
++ static unsigned char dhg_1024[]={
+ 0x02,
+ };
+ DH *dh;
++ BIGNUM *dhp_bn, *dhg_bn;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+- dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
+- dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+- if ((dh->p == NULL) || (dh->g == NULL)) {
+- DH_free(dh); return(NULL);
++ dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
++ dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
++ if (dhp_bn == NULL || dhg_bn == NULL ||
++ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ DH_free(dh);
++ BN_free(dhp_bn);
++ BN_free(dhg_bn);
++ return(NULL);
+ }
+ return(dh);
+ }
+diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
+index 392361ec..463ba35a 100644
+--- a/cherokee/cryptor_libssl_dh_2048.c
++++ b/cherokee/cryptor_libssl_dh_2048.c
+@@ -4,7 +4,7 @@
+ #endif
+ static DH *get_dh2048()
+ {
+- static unsigned char dh2048_p[]={
++ static unsigned char dhp_2048[]={
+ 0xC8,0xF1,0xD4,0x48,0xB6,0x11,0x5B,0x2B,0x9E,0x3D,0xE4,0x49,
+ 0x0A,0xC4,0x8A,0x0B,0xFF,0xAC,0x09,0x4F,0x88,0x91,0x08,0xB8,
+ 0x7D,0x71,0xB7,0x7D,0x87,0x44,0x09,0x70,0x15,0xFF,0x0C,0xAF,
+@@ -28,16 +28,21 @@ static DH *get_dh2048()
+ 0x7C,0x83,0xB9,0x40,0x7A,0x2E,0xA4,0x1D,0x85,0x68,0x69,0x66,
+ 0xF8,0xAA,0x70,0x6B,
+ };
+- static unsigned char dh2048_g[]={
++ static unsigned char dhg_2048[]={
+ 0x02,
+ };
+ DH *dh;
++ BIGNUM *dhp_bn, *dhg_bn;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+- if ((dh->p == NULL) || (dh->g == NULL)) {
+- DH_free(dh); return(NULL);
++ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
++ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
++ if (dhp_bn == NULL || dhg_bn == NULL ||
++ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ DH_free(dh);
++ BN_free(dhp_bn);
++ BN_free(dhg_bn);
++ return(NULL);
+ }
+ return(dh);
+ }
+diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
+index 94845775..1c329a00 100644
+--- a/cherokee/cryptor_libssl_dh_4096.c
++++ b/cherokee/cryptor_libssl_dh_4096.c
+@@ -4,7 +4,7 @@
+ #endif
+ static DH *get_dh4096()
+ {
+- static unsigned char dh4096_p[]={
++ static unsigned char dhp_4096[]={
+ 0xD2,0xB2,0x5E,0x24,0x83,0x8E,0x04,0x17,0x39,0xAB,0x99,0x5A,
+ 0xAB,0x0C,0x15,0x3C,0x95,0xE0,0xE4,0x48,0x3F,0xE4,0x22,0x48,
+ 0xCA,0x19,0xCA,0xD0,0x9E,0xA7,0x09,0xD0,0x97,0x0F,0x31,0x49,
+@@ -49,16 +49,21 @@ static DH *get_dh4096()
+ 0xE9,0xD3,0x8C,0x4A,0x7C,0x49,0x36,0x84,0xBF,0xD0,0xE0,0x45,
+ 0x2C,0x74,0xC9,0x6D,0x09,0xDE,0xA1,0x33,
+ };
+- static unsigned char dh4096_g[]={
++ static unsigned char dhg_4096[]={
+ 0x02,
+ };
+ DH *dh;
++ BIGNUM *dhp_bn, *dhg_bn;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+- dh->p=BN_bin2bn(dh4096_p,sizeof(dh4096_p),NULL);
+- dh->g=BN_bin2bn(dh4096_g,sizeof(dh4096_g),NULL);
+- if ((dh->p == NULL) || (dh->g == NULL)) {
+- DH_free(dh); return(NULL);
++ dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
++ dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
++ if (dhp_bn == NULL || dhg_bn == NULL ||
++ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ DH_free(dh);
++ BN_free(dhp_bn);
++ BN_free(dhg_bn);
++ return(NULL);
+ }
+ return(dh);
+ }
+diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
+index bc1d8778..e7f64ed4 100644
+--- a/cherokee/cryptor_libssl_dh_512.c
++++ b/cherokee/cryptor_libssl_dh_512.c
+@@ -4,7 +4,7 @@
+ #endif
+ static DH *get_dh512()
+ {
+- static unsigned char dh512_p[]={
++ static unsigned char dhp_512[]={
+ 0xED,0x78,0x7E,0x95,0xB9,0x05,0xD5,0x00,0x38,0xC6,0x6B,0x49,
+ 0x78,0x22,0x78,0x43,0x8D,0xCC,0xF9,0x83,0x18,0xBB,0x6E,0xFE,
+ 0xCD,0x90,0xC3,0x84,0xA8,0x5C,0x04,0x84,0xEB,0x85,0x1D,0x5B,
+@@ -12,16 +12,21 @@ static DH *get_dh512()
+ 0xA5,0xA7,0x10,0x7D,0x43,0x1B,0x6F,0xAD,0xA8,0xA1,0xB0,0xD3,
+ 0xD9,0x23,0xD1,0x83,
+ };
+- static unsigned char dh512_g[]={
++ static unsigned char dhg_512[]={
+ 0x02,
+ };
+ DH *dh;
++ BIGNUM *dhp_bn, *dhg_bn;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+- if ((dh->p == NULL) || (dh->g == NULL)) {
+- DH_free(dh); return(NULL);
++ dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
++ dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
++ if (dhp_bn == NULL || dhg_bn == NULL ||
++ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ DH_free(dh);
++ BN_free(dhp_bn);
++ BN_free(dhg_bn);
++ return(NULL);
+ }
+ return(dh);
+ }
+
+commit d20bf585c0d5f62e39c237575ba89ef0fed10d89
+Author: Stefan de Konink <stefan@konink.de>
+Date: Tue May 9 10:55:34 2017 +0200
+
+ Create more compatibility with openssl 1.1.
+
+ Remove the NULL checks, as they are already happening in the function below.
+
+diff --git a/cherokee/cryptor_libssl_compat.h b/cherokee/cryptor_libssl_compat.h
+new file mode 100644
+index 00000000..832a122a
+--- /dev/null
++++ b/cherokee/cryptor_libssl_compat.h
+@@ -0,0 +1,36 @@
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#include <string.h>
++#include <openssl/engine.h>
++
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++ /* If the fields p and g in d are NULL, the corresponding input
++ * parameters MUST be non-NULL. q may remain NULL.
++ */
++
++ if ((dh->p == NULL && p == NULL)
++ || (dh->g == NULL && g == NULL))
++ return 0;
++
++ if (p != NULL) {
++ BN_free(dh->p);
++ dh->p = p;
++ }
++
++ if (q != NULL) {
++ BN_free(dh->q);
++ dh->q = q;
++ }
++
++ if (g != NULL) {
++ BN_free(dh->g);
++ dh->g = g;
++ }
++
++ if (q != NULL) {
++ dh->length = BN_num_bits(q);
++ }
++
++ return 1;
++}
++#endif
+diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
+index 0512baf5..2a863f4c 100644
+--- a/cherokee/cryptor_libssl_dh_1024.c
++++ b/cherokee/cryptor_libssl_dh_1024.c
+@@ -2,6 +2,9 @@
+ #ifndef HEADER_DH_H
+ #include <openssl/dh.h>
+ #endif
++
++#include "cryptor_libssl_compat.h"
++
+ static DH *get_dh1024()
+ {
+ static unsigned char dhp_1024[]={
+@@ -26,8 +29,7 @@ static DH *get_dh1024()
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
+ dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
+- if (dhp_bn == NULL || dhg_bn == NULL ||
+- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
+index 463ba35a..e81e6e3f 100644
+--- a/cherokee/cryptor_libssl_dh_2048.c
++++ b/cherokee/cryptor_libssl_dh_2048.c
+@@ -2,6 +2,9 @@
+ #ifndef HEADER_DH_H
+ #include <openssl/dh.h>
+ #endif
++
++#include "cryptor_libssl_compat.h"
++
+ static DH *get_dh2048()
+ {
+ static unsigned char dhp_2048[]={
+@@ -37,8 +40,7 @@ static DH *get_dh2048()
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+- if (dhp_bn == NULL || dhg_bn == NULL ||
+- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
+index 1c329a00..b90c599f 100644
+--- a/cherokee/cryptor_libssl_dh_4096.c
++++ b/cherokee/cryptor_libssl_dh_4096.c
+@@ -2,6 +2,9 @@
+ #ifndef HEADER_DH_H
+ #include <openssl/dh.h>
+ #endif
++
++#include "cryptor_libssl_compat.h"
++
+ static DH *get_dh4096()
+ {
+ static unsigned char dhp_4096[]={
+@@ -58,8 +61,7 @@ static DH *get_dh4096()
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
+ dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
+- if (dhp_bn == NULL || dhg_bn == NULL ||
+- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
+index e7f64ed4..93d63d48 100644
+--- a/cherokee/cryptor_libssl_dh_512.c
++++ b/cherokee/cryptor_libssl_dh_512.c
+@@ -2,6 +2,9 @@
+ #ifndef HEADER_DH_H
+ #include <openssl/dh.h>
+ #endif
++
++#include "cryptor_libssl_compat.h"
++
+ static DH *get_dh512()
+ {
+ static unsigned char dhp_512[]={
+@@ -21,8 +24,7 @@ static DH *get_dh512()
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
+ dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
+- if (dhp_bn == NULL || dhg_bn == NULL ||
+- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+
+commit 43e5d17b3bd5fbb926f526f6ee84cf4ae299b8c8
+Author: Stefan de Konink <stefan@konink.de>
+Date: Tue May 9 11:41:45 2017 +0200
+
+ Fix for compilation.
+
+diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
+index 1a4c452a..fabf9912 100644
+--- a/cherokee/cryptor_libssl.c
++++ b/cherokee/cryptor_libssl.c
+@@ -53,6 +53,8 @@ static DH *dh_param_1024 = NULL;
+ static DH *dh_param_2048 = NULL;
+ static DH *dh_param_4096 = NULL;
+
++#include "cryptor_libssl_compat.h"
++
+ #include "cryptor_libssl_dh_512.c"
+ #include "cryptor_libssl_dh_1024.c"
+ #include "cryptor_libssl_dh_2048.c"
+diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
+index 2a863f4c..74a56c38 100644
+--- a/cherokee/cryptor_libssl_dh_1024.c
++++ b/cherokee/cryptor_libssl_dh_1024.c
+@@ -3,8 +3,6 @@
+ #include <openssl/dh.h>
+ #endif
+
+-#include "cryptor_libssl_compat.h"
+-
+ static DH *get_dh1024()
+ {
+ static unsigned char dhp_1024[]={
+diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
+index e81e6e3f..dbb481aa 100644
+--- a/cherokee/cryptor_libssl_dh_2048.c
++++ b/cherokee/cryptor_libssl_dh_2048.c
+@@ -3,8 +3,6 @@
+ #include <openssl/dh.h>
+ #endif
+
+-#include "cryptor_libssl_compat.h"
+-
+ static DH *get_dh2048()
+ {
+ static unsigned char dhp_2048[]={
+diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
+index b90c599f..aeaf3abc 100644
+--- a/cherokee/cryptor_libssl_dh_4096.c
++++ b/cherokee/cryptor_libssl_dh_4096.c
+@@ -3,8 +3,6 @@
+ #include <openssl/dh.h>
+ #endif
+
+-#include "cryptor_libssl_compat.h"
+-
+ static DH *get_dh4096()
+ {
+ static unsigned char dhp_4096[]={
+diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
+index 93d63d48..ed776636 100644
+--- a/cherokee/cryptor_libssl_dh_512.c
++++ b/cherokee/cryptor_libssl_dh_512.c
+@@ -3,8 +3,6 @@
+ #include <openssl/dh.h>
+ #endif
+
+-#include "cryptor_libssl_compat.h"
+-
+ static DH *get_dh512()
+ {
+ static unsigned char dhp_512[]={
+
+commit 75f041e2255e6dd0692db2f14611c2647dbe8425
+Merge: dad221a9 43e5d17b
+Author: Stefan de Konink <stefan@konink.de>
+Date: Mon May 29 07:03:22 2017 +0200
+
+ Merge pull request #1196 from cherokee/openssl-1.1
+
+ OpenSSL 1.1 support
+
+
projects / packages / cherokee.git / commitdiff