Initial import of OpenSSL 0.9.6a

36 files changed, 521 insertions, 61 deletions

diff --git a/crypto/openssl/doc/apps/pkcs12.pod b/crypto/openssl/doc/apps/pkcs12.pod
index c400999..7e0307d 100644
--- a/crypto/openssl/doc/apps/pkcs12.pod
+++ b/crypto/openssl/doc/apps/pkcs12.pod
@@ -304,6 +304,26 @@ Include some extra certificates:
 
 Some would argue that the PKCS#12 standard is one big bug :-)
 
+Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
+routines. Under rare circumstances this could produce a PKCS#12 file encrypted
+with an invalid key. As a result some PKCS#12 files which triggered this bug
+from other implementations (MSIE or Netscape) could not be decrypted
+by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
+not be decrypted by other implementations. The chances of producing such
+a file are relatively small: less than 1 in 256.
+
+A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
+files cannot no longer be parsed by the fixed version. Under such circumstances
+the B<pkcs12> utility will report that the MAC is OK but fail with a decryption
+error when extracting private keys.
+
+This problem can be resolved by extracting the private keys and certificates
+from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
+file from the keys and certificates using a newer version of OpenSSL. For example:
+
+ old-openssl -in bad.p12 -out keycerts.pem
+ openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12
+
 =head1 SEE ALSO
 
 L<pkcs8(1)|pkcs8(1)>
diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod
index 2f80375..f596ec7 100644
--- a/crypto/openssl/doc/apps/s_client.pod
+++ b/crypto/openssl/doc/apps/s_client.pod
@@ -32,6 +32,7 @@ B<openssl> B<s_client>
 [B<-no_tls1>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
+[B<-rand file(s)>]
 
 =head1 DESCRIPTION
 
@@ -156,6 +157,14 @@ the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client. See the B<ciphers>
 command for more information.
 
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
 =back
 
 =head1 CONNECTED COMMANDS
diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod
index 0f29c36..0f67d55 100644
--- a/crypto/openssl/doc/apps/s_server.pod
+++ b/crypto/openssl/doc/apps/s_server.pod
@@ -39,6 +39,7 @@ B<openssl> B<s_client>
 [B<-hack>]
 [B<-www>]
 [B<-WWW>]
+[B<-rand file(s)>]
 
 =head1 DESCRIPTION
 
@@ -94,7 +95,7 @@ using a set of DH parameters. If not specified then an attempt is made to
 load the parameters from the server certificate file. If this fails then
 a static set of parameters hard coded into the s_server program will be used.
 
-=item B<-nodhe>
+=item B<-no_dhe>
 
 if this option is set then no DH parameters will be loaded effectively
 disabling the ephemeral DH cipher suites.
@@ -186,6 +187,14 @@ emulates a simple web server. Pages will be resolved relative to the
 current directory, for example if the URL https://myhost/page.html is
 requested the file ./page.html will be loaded.
 
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
 =back
 
 =head1 CONNECTED COMMANDS
diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod
index 2a8bed5..cbae2fc 100644
--- a/crypto/openssl/doc/crypto/BN_rand.pod
+++ b/crypto/openssl/doc/crypto/BN_rand.pod
@@ -17,10 +17,12 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
 =head1 DESCRIPTION
 
 BN_rand() generates a cryptographically strong pseudo-random number of
-B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the
-two most significant bits of the number will be set to 1, so that the
-product of two such random numbers will always have 2*B<bits> length.
-If B<bottom> is true, the number will be odd.
+B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the
+most significant bit of the random number can be zero. If B<top> is 0,
+it is set to 1, and if B<top> is 1, the two most significant bits of
+the number will be set to 1, so that the product of two such random
+numbers will always have 2*B<bits> length.  If B<bottom> is true, the
+number will be odd.
 
 BN_pseudo_rand() does the same, but pseudo-random numbers generated by
 this function are not necessarily unpredictable. They can be used for
@@ -45,7 +47,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
 =head1 HISTORY
 
 BN_rand() is available in all versions of SSLeay and OpenSSL.
-BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range()
-in OpenSSL 0.9.6a.
+BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
+and the function BN_rand_range() were added in OpenSSL 0.9.6a.
 
 =cut
diff --git a/crypto/openssl/doc/crypto/RAND_load_file.pod b/crypto/openssl/doc/crypto/RAND_load_file.pod
index 8dd700c..d8c134e 100644
--- a/crypto/openssl/doc/crypto/RAND_load_file.pod
+++ b/crypto/openssl/doc/crypto/RAND_load_file.pod
@@ -8,7 +8,7 @@ RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file
 
  #include <openssl/rand.h>
 
- const char *RAND_file_name(char *buf, int num);
+ const char *RAND_file_name(char *buf, size_t num);
 
  int RAND_load_file(const char *filename, long max_bytes);
 
diff --git a/crypto/openssl/doc/crypto/rand.pod b/crypto/openssl/doc/crypto/rand.pod
index 295b681..9545f0e 100644
--- a/crypto/openssl/doc/crypto/rand.pod
+++ b/crypto/openssl/doc/crypto/rand.pod
@@ -8,17 +8,17 @@ rand - pseudo-random number generator
 
  #include <openssl/rand.h>
 
- int  RAND_bytes(unsigned char *buf,int num);
- int  RAND_pseudo_bytes(unsigned char *buf,int num);
+ int  RAND_bytes(unsigned char *buf, int num);
+ int  RAND_pseudo_bytes(unsigned char *buf, int num);
 
- void RAND_seed(const void *buf,int num);
- void RAND_add(const void *buf,int num,int entropy);
+ void RAND_seed(const void *buf, int num);
+ void RAND_add(const void *buf, int num, int entropy);
  int  RAND_status(void);
  void RAND_screen(void);
 
- int  RAND_load_file(const char *file,long max_bytes);
+ int  RAND_load_file(const char *file, long max_bytes);
  int  RAND_write_file(const char *file);
- const char *RAND_file_name(char *file,int num);
+ const char *RAND_file_name(char *file, size_t num);
 
  int  RAND_egd(const char *path);
 
diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
index bf851dc..4b91c63 100644
--- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
@@ -41,7 +41,7 @@ does use the full 128 bits (which would be returned for B<alg_bits>), of
 which however 88bits are fixed. The search space is hence only 40 bits.
 
 The string returned by SSL_CIPHER_description() in case of success consists
-of cleartext information seperated by one or more blanks in the following
+of cleartext information separated by one or more blanks in the following
 sequence:
 
 =over 4
@@ -65,7 +65,7 @@ B<DH/RSA>, B<DH/DSS>, B<Fortezza>.
 Authentication method: B<RSA>, B<DSS>, B<DH>, B<None>. None is the
 representation of anonymous ciphers.
 
-=item Enc=<symmectric encryption method>
+=item Enc=<symmetric encryption method>
 
 Encryption method with number of secret bits: B<DES(40)>, B<DES(56)>,
 B<3DES(168)>, B<RC4(40)>, B<RC4(56)>, B<RC4(64)>, B<RC4(128)>,
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_free.pod b/crypto/openssl/doc/ssl/SSL_CTX_free.pod
index de69672..c716cde 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_free.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_free.pod
@@ -17,7 +17,7 @@ SSL_CTX object pointed to by B<ctx> and frees up the allocated memory if the
 the reference count has reached 0.
 
 It also calls the free()ing procedures for indirectly affected items, if
-applicable: the session cacahe, the list of ciphers, the list of Client CAs,
+applicable: the session cache, the list of ciphers, the list of Client CAs,
 the certificates and keys.
 
 =head1 RETURN VALUES
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
index 0e2d217..88f18bd 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
@@ -33,7 +33,7 @@ which can be used e.g. for descriptions of the certificates.
 The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations()
 function.
 
-If on an TLS/SSL server no special setting is perfomed using *client_CA_list()
+If on an TLS/SSL server no special setting is performed using *client_CA_list()
 functions, the certificates contained in B<CAfile> are listed to the client
 as available CAs during the TLS/SSL handshake.
 
@@ -64,7 +64,7 @@ failure.
 
 When building its own certificate chain, an OpenSSL client/server will
 try to fill in missing certificates from B<CAfile>/B<CApath>, if the
-certificate chain was not explicitely specified (see
+certificate chain was not explicitly specified (see
 L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
 L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_new.pod b/crypto/openssl/doc/ssl/SSL_CTX_new.pod
index 8b16ea3..1dae8b0 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_new.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_new.pod
@@ -59,6 +59,10 @@ choice when compatibility is a concern.
 
 =back
 
+If a generic method is used, it is necessary to explicitly set client or
+server mode with L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
+or SSL_set_accept_state().
+
 The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
 SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or
 B<SSL_set_options()> functions. Using these options it is possible to choose
@@ -89,6 +93,6 @@ The return value points to an allocated SSL_CTX object.
 =head1 SEE ALSO
 
 L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<ssl(3)|ssl(3)>
+L<ssl(3)|ssl(3)>,  L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_number.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_number.pod
new file mode 100644
index 0000000..19aa4e2
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_number.pod
@@ -0,0 +1,76 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_sess_number, SSL_CTX_sess_connect, SSL_CTX_sess_connect_good, SSL_CTX_sess_connect_renegotiate, SSL_CTX_sess_accept, SSL_CTX_sess_accept_good, SSL_CTX_sess_accept_renegotiate, SSL_CTX_sess_hits, SSL_CTX_sess_cb_hits, SSL_CTX_sess_misses, SSL_CTX_sess_timeouts, SSL_CTX_sess_cache_full - obtain session cache statistics
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_sess_number(SSL_CTX *ctx);
+ long SSL_CTX_sess_connect(SSL_CTX *ctx);
+ long SSL_CTX_sess_connect_good(SSL_CTX *ctx);
+ long SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx);
+ long SSL_CTX_sess_accept(SSL_CTX *ctx);
+ long SSL_CTX_sess_accept_good(SSL_CTX *ctx);
+ long SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx);
+ long SSL_CTX_sess_hits(SSL_CTX *ctx);
+ long SSL_CTX_sess_cb_hits(SSL_CTX *ctx);
+ long SSL_CTX_sess_misses(SSL_CTX *ctx);
+ long SSL_CTX_sess_timeouts(SSL_CTX *ctx);
+ long SSL_CTX_sess_cache_full(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_sess_number() returns the current number of sessions in the internal
+session cache.
+
+SSL_CTX_sess_connect() returns the number of started SSL/TLS handshakes in
+client mode.
+
+SSL_CTX_sess_connect_good() returns the number of successfully established
+SSL/TLS sessions in client mode.
+
+SSL_CTX_sess_connect_renegotiate() returns the number of start renegotiations
+in client mode.
+
+SSL_CTX_sess_accept() returns the number of started SSL/TLS handshakes in
+server mode.
+
+SSL_CTX_sess_accept_good() returns the number of successfully established
+SSL/TLS sessions in server mode.
+
+SSL_CTX_sess_accept_renegotiate() returns the number of start renegotiations
+in server mode.
+
+SSL_CTX_sess_hits() returns the number of successfully reused sessions.
+In client mode a session set with L<SSL_set_session(3)|SSL_set_session(3)>
+successfully reused is counted as a hit. In server mode a session successfully
+retrieved from internal or external cache is counted as a hit.
+
+SSL_CTX_sess_cb_hits() returns the number of successfully retrieved sessions
+from the external session cache in server mode.
+
+SSL_CTX_sess_misses() returns the number of sessions proposed by clients
+that were not found in the internal session cache in server mode.
+
+SSL_CTX_sess_timeouts() returns the number of sessions proposed by clients
+and either found in the internal or external session cache in server mode,
+ but that were invalid due to timeout. These sessions are not included in
+the SSL_CTX_sess_hits() count.
+
+SSL_CTX_sess_cache_full() returns the number of sessions that were removed
+because the maximum session cache size was exceeded.
+
+=head1 RETURN VALUES
+
+The functions return the values indicated in the DESCRIPTION section.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
+L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod
index 469933b..d59a7db 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod
@@ -45,6 +45,7 @@ SSL_CTX_sess_get_cache_size() returns the currently valid size.
 
 L<ssl(3)|ssl(3)>,
 L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
 L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod
index ad92a8c..e05aab3 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod
@@ -20,7 +20,7 @@ internal session cache for B<ctx>.
 The sessions in the internal session cache are kept in an
 L<lhash(3)|lhash(3)> type database. It is possible to directly
 access this database e.g. for searching. In parallel, the sessions
-form a linked list which is maintained seperatly from the
+form a linked list which is maintained separately from the
 L<lhash(3)|lhash(3)> operations, so that the database must not be
 modified directly but by using the
 L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)> family of functions.
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod
index f27a291..81e3127 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -41,7 +41,7 @@ the CAs available using the B<CAfile> option in
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
 are sent.
 
-This list can be explicitely set using the SSL_CTX_set_client_CA_list() for
+This list can be explicitly set using the SSL_CTX_set_client_CA_list() for
 B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
 specified overrides the previous setting. The CAs listed do not become
 trusted (B<list> only contains the names, not the complete certificates); use
@@ -74,7 +74,7 @@ The operation succeeded.
 
 =item 0
 
-A failure while manipulating the STACK_OF(X509_NAME) object occured or
+A failure while manipulating the STACK_OF(X509_NAME) object occurred or
 the X509_NAME could not be extracted from B<cacert>. Check the error stack
 to find out the reason.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
new file mode 100644
index 0000000..9a035bb
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
@@ -0,0 +1,78 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_mode, SSL_set_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);
+ long SSL_set_mode(SSL *ssl, long mode);
+
+ long SSL_CTX_get_mode(SSL_CTX *ctx);
+ long SSL_get_mode(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_mode() adds the mode set via bitmask in B<mode> to B<ctx>.
+Options already set before are not cleared.
+
+SSL_set_mode() adds the mode set via bitmask in B<mode> to B<ssl>.
+Options already set before are not cleared.
+
+SSL_CTX_get_mode() returns the mode set for B<ctx>.
+
+SSL_get_mode() returns the mode set for B<ssl>.
+
+=head1 NOTES
+
+The following mode changes are available:
+
+=over 4
+
+=item SSL_MODE_ENABLE_PARTIAL_WRITE
+
+Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
+when just a single record has been written). When not set (the default),
+SSL_write() will only report success once the complete chunk was written.
+
+=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
+
+Make it possible to retry SSL_write() with changed buffer location
+(the buffer contents must stay the same). This is not the default to avoid
+the misconception that non-blocking SSL_write() behaves like
+non-blocking write().
+
+=item SSL_MODE_AUTO_RETRY
+
+Never bother the application with retries if the transport is blocking.
+If a renegotiation take place during normal operation, a
+L<SSL_read(3)|SSL_read(3)> or L<SSL_write(3)|SSL_write(3)> would return
+with -1 and indicate the need to retry with SSL_ERROR_WANT_READ.
+In a non-blocking environment applications must be prepared to handle
+incomplete read/write operations.
+In a blocking environment, applications are not always prepared to
+deal with read/write operations returning without success report. The
+flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
+return after the handshake and successful completion.
+
+=back
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask
+after adding B<mode>.
+
+SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_read(3)|SSL_read(3)>, L<SSL_write(3)|SSL_write(3)>
+
+=head1 HISTORY
+
+SSL_MODE_AUTO_RETRY as been added in OpenSSL 0.9.6.
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
index bd5b0cb..3dc7cc7 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -53,7 +53,7 @@ Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
 challenge but then appears to only use 16 bytes when generating the
 encryption keys.  Using 16 bytes is ok but it should be ok to use 32.
 According to the SSLv3 spec, one should use 32 bytes for the challenge
-when opperating in SSLv2/v3 compatablity mode, but as mentioned above,
+when operating in SSLv2/v3 compatibility mode, but as mentioned above,
 this breaks this server so 16 bytes is the way to go.
 
 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
index ba3502a..083766f 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
@@ -97,6 +97,7 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode.
 =head1 SEE ALSO
 
 L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
 L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
 L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
 L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
index 3091bd6..0020180 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
@@ -17,8 +17,8 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method
 
 SSL_CTX_set_ssl_version() sets a new default TLS/SSL B<method> for SSL objects
 newly created from this B<ctx>. SSL objects already created with
-L<SSL_new(3)|SSL_new(3)> are not affected, except when SSL_clear() is
-being called.
+L<SSL_new(3)|SSL_new(3)> are not affected, except when
+L<SSL_clear(3)|SSL_clear(3)> is being called.
 
 SSL_set_ssl_method() sets a new TLS/SSL B<method> for a particular B<ssl>
 object. It may be reset, when SSL_clear() is called.
@@ -31,9 +31,9 @@ set in B<ssl>.
 The available B<method> choices are described in
 L<SSL_CTX_new(3)|SSL_CTX_new(3)>.
 
-When SSL_clear() is called and no session is connected to an SSL object,
-the method of the SSL object is reset to the method currently set in
-the corresponding SSL_CTX object.
+When L<SSL_clear(3)|SSL_clear(3)> is called and no session is connected to
+an SSL object, the method of the SSL object is reset to the method currently
+set in the corresponding SSL_CTX object.
 
 =head1 RETURN VALUES
 
@@ -55,6 +55,7 @@ The operation succeeded.
 =head1 SEE ALSO
 
 L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_new(3)|SSL_new(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>
+L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>,
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
index 58fa3e6..3b2fe6f 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
@@ -117,7 +117,7 @@ in the file to the certificate store. The other certificates are added
 to the store of chain certificates using
 L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>.
 There exists only one extra chain store, so that the same chain is appended
-to both types of certificates, RSA and DSA! If it is not intented to use
+to both types of certificates, RSA and DSA! If it is not intended to use
 both type of certificate at the same time, it is recommended to use the
 SSL_CTX_use_certificate_chain_file() instead of the
 SSL_CTX_use_certificate_file() function in order to allow the use of
diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod
index 46f95ab..86f980d 100644
--- a/crypto/openssl/doc/ssl/SSL_accept.pod
+++ b/crypto/openssl/doc/ssl/SSL_accept.pod
@@ -37,6 +37,11 @@ nothing is to be done, but select() can be used to check for the required
 condition. When using a buffering BIO, like a BIO pair, data must be written
 into or retrieved out of the BIO before being able to continue.
 
+When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
+is necessary to call SSL_set_accept_state()
+before calling SSL_accept() to explicitly switch the B<ssl> to server
+mode.
+
 =head1 RETURN VALUES
 
 The following return values can occur:
@@ -67,6 +72,8 @@ to find out the reason.
 =head1 SEE ALSO
 
 L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_clear.pod b/crypto/openssl/doc/ssl/SSL_clear.pod
index aeb0b5c..8b735d8 100644
--- a/crypto/openssl/doc/ssl/SSL_clear.pod
+++ b/crypto/openssl/doc/ssl/SSL_clear.pod
@@ -13,8 +13,17 @@ SSL_clear - reset SSL object to allow another connection
 =head1 DESCRIPTION
 
 Reset B<ssl> to allow another connection. All settings (method, ciphers,
-BIOs) are kept. A completely negotiated B<SSL_SESSION> is not freed but left
-untouched for the underlying B<SSL_CTX>.
+BIOs) are kept.
+
+=head1 NOTES
+
+SSL_clear is used to prepare an SSL object for a new connection. While all
+settings are kept, a side effect is the handling of the current SSL session.
+If a session is still B<open>, it is considered bad and will be removed
+from the session cache, as required by RFC2246. A session is considered open,
+if L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
+or at least L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was used to
+set the SSL_SENT_SHUTDOWN state.
 
 =head1 RETURN VALUES
 
@@ -34,6 +43,7 @@ The SSL_clear() operation was successful.
 =back
 
 L<SSL_new(3)|SSL_new(3)>, L<SSL_free(3)|SSL_free(3)>,
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
 L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod
index 00813ec..bcc1677 100644
--- a/crypto/openssl/doc/ssl/SSL_connect.pod
+++ b/crypto/openssl/doc/ssl/SSL_connect.pod
@@ -34,6 +34,11 @@ nothing is to be done, but select() can be used to check for the required
 condition. When using a buffering BIO, like a BIO pair, data must be written
 into or retrieved out of the BIO before being able to continue.
 
+When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
+is necessary to call L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
+before calling SSL_connect() to explicitly switch the B<ssl> to client
+mode.
+
 =head1 RETURN VALUES
 
 The following return values can occur:
@@ -64,6 +69,8 @@ to find out the reason.
 =head1 SEE ALSO
 
 L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_free.pod b/crypto/openssl/doc/ssl/SSL_free.pod
index f3f0c34..2d4f8b6 100644
--- a/crypto/openssl/doc/ssl/SSL_free.pod
+++ b/crypto/openssl/doc/ssl/SSL_free.pod
@@ -16,18 +16,29 @@ SSL_free() decrements the reference count of B<ssl>, and removes the SSL
 structure pointed to by B<ssl> and frees up the allocated memory if the
 the reference count has reached 0.
 
-It also calls the free()ing procedures for indirectly affected items, if
+=head1 NOTES
+
+SSL_free() also calls the free()ing procedures for indirectly affected items, if
 applicable: the buffering BIO, the read and write BIOs,
 cipher lists specially created for this B<ssl>, the B<SSL_SESSION>.
 Do not explicitly free these indirectly freed up items before or after
 calling SSL_free(), as trying to free things twice may lead to program
 failure.
 
+The ssl session has reference counts from two users: the SSL object, for
+which the reference count is removed by SSL_free() and the internal
+session cache. If the session is considered bad, because
+L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
+and L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was not used to set the
+SSL_SENT_SHUTDOWN state, the session will also be removed
+from the session cache as required by RFC2246.
+
 =head1 RETURN VALUES
 
 SSL_free() does not provide diagnostic information.
 
 L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
 L<ssl(3)|ssl(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
index d358bc3..40e01cf 100644
--- a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
@@ -13,10 +13,10 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
 
 =head1 DESCRIPTION
 
-SSL_CTX_get_client_CA_list() returns the list of client CAs explicitely set for
+SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
 B<ctx> using L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>.
 
-SSL_get_client_CA_list() returns the list of client CAs explicitely
+SSL_get_client_CA_list() returns the list of client CAs explicitly
 set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with
 L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, when in
 server mode. In client mode, SSL_get_client_CA_list returns the list of
@@ -34,12 +34,12 @@ values:
 
 =item STACK_OF(X509_NAMES)
 
-List of CA names explicitely set (for B<ctx> or in server mode) or send
+List of CA names explicitly set (for B<ctx> or in server mode) or send
 by the server (client mode).
 
 =item NULL
 
-No client CA list was explicitely set (for B<ctx> or in server mode) or
+No client CA list was explicitly set (for B<ctx> or in server mode) or
 the server did not send a list of CAs (client mode).
 
 =back
diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
index e93e820..390ce0b 100644
--- a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -15,7 +15,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
 SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
 forming the certificate chain of the peer. If called on the client side,
 the stack also contains the peer's certificate; if called on the server
-side, the peer's certificate must be obtained seperately using
+side, the peer's certificate must be obtained separately using
 L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
 If the peer did not present a certificate, NULL is returned.
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod b/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
index 79c089a..1102c7f 100644
--- a/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
@@ -23,7 +23,7 @@ to check the verification state.
 
 The reference count of the X509 object is incremented by one, so that it
 will not be destroyed when the session containing the peer certificate is
-freed. The X509 object must be explicitely freed using X509_free().
+freed. The X509 object must be explicitly freed using X509_free().
 
 =head1 RETURN VALUES
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_session.pod b/crypto/openssl/doc/ssl/SSL_get_session.pod
index aff41fb..a0266e2 100644
--- a/crypto/openssl/doc/ssl/SSL_get_session.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_session.pod
@@ -16,14 +16,30 @@ SSL_get_session - retrieve TLS/SSL session data
 
 SSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in
 B<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so
-that the pointer can become invalid when the B<ssl> is freed and
-SSL_SESSION_free() is implicitly called.
+that the pointer can become invalid by other operations.
 
 SSL_get0_session() is the same as SSL_get_session().
 
 SSL_get1_session() is the same as SSL_get_session(), but the reference
 count of the B<SSL_SESSION> is incremented by one.
 
+=head1 NOTES
+
+The ssl session contains all information required to re-establish the
+connection without a new handshake.
+
+SSL_get0_session() returns a pointer to the actual session. As the
+reference counter is not incremented, the pointer is only valid while
+the connection is in use. If L<SSL_clear(3)|SSL_clear(3)> or
+L<SSL_free(3)|SSL_free(3)> is called, the session may be removed completely
+(if considered bad), and the pointer obtained will become invalid. Even
+if the session is valid, it can be removed at any time due to timeout
+during L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>.
+
+If the data is to be kept, SSL_get1_session() will increment the reference
+count and the session will stay in memory until explicitly freed with
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, regardless of its state.
+
 =head1 RETURN VALUES
 
 The following return values can occur:
@@ -43,6 +59,7 @@ The return value points to the data of an SSL session.
 =head1 SEE ALSO
 
 L<ssl(3)|ssl(3)>, L<SSL_free(3)|SSL_free(3)>,
+L<SSL_clear(3)|SSL_clear(3)>,
 L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_get_verify_result.pod b/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
index 4d66236..e6bac9c 100644
--- a/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
@@ -19,7 +19,7 @@ X509 certificate presented by the peer, if any.
 
 SSL_get_verify_result() can only return one error code while the verification
 of a certificate can fail because of many reasons at the same time. Only
-the last verification error that occured during the processing is available
+the last verification error that occurred during the processing is available
 from SSL_get_verify_result().
 
 The verification result is part of the established session and is restored
@@ -28,7 +28,7 @@ when a session is reused.
 =head1 BUGS
 
 If no peer certificate was presented, the returned result code is
-X509_V_OK. This is because no verification error occured, it does however
+X509_V_OK. This is because no verification error occurred, it does however
 not indicate success. SSL_get_verify_result() is only useful in connection
 with L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_version.pod b/crypto/openssl/doc/ssl/SSL_get_version.pod
new file mode 100644
index 0000000..24d5291
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_get_version.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+SSL_get_version - get the protocol version of a connection.
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ const char *SSL_get_version(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_cipher_version() returns the name of the protocol used for the
+connection B<ssl>.
+
+=head1 RETURN VALUES
+
+The following strings can occur:
+
+=over 4
+
+=item SSLv2
+
+The connection uses the SSLv2 protocol.
+
+=item SSLv3
+
+The connection uses the SSLv3 protocol.
+
+=item TLSv1
+
+The connection uses the TLSv1 protocol.
+
+=item unknown
+
+This indicates that no version has been set (no connection established).
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_read.pod b/crypto/openssl/doc/ssl/SSL_read.pod
index 9bff325..7db5ee0 100644
--- a/crypto/openssl/doc/ssl/SSL_read.pod
+++ b/crypto/openssl/doc/ssl/SSL_read.pod
@@ -8,7 +8,7 @@ SSL_read - read bytes from a TLS/SSL connection.
 
  #include <openssl/ssl.h>
 
- int SSL_read(SSL *ssl, char *buf, int num);
+ int SSL_read(SSL *ssl, void *buf, int num);
 
 =head1 DESCRIPTION
 
@@ -18,17 +18,29 @@ buffer B<buf>.
 =head1 NOTES
 
 If necessary, SSL_read() will negotiate a TLS/SSL session, if
-not already explicitly performed by SSL_connect() or SSL_accept(). If the
+not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or
+L<SSL_accept(3)|SSL_accept(3)>. If the
 peer requests a re-negotiation, it will be performed transparently during
 the SSL_read() operation. The behaviour of SSL_read() depends on the
 underlying BIO. 
 
+For the transparent negotiation to succeed, the B<ssl> must have been
+initialized to client or server mode. This is not the case if a generic
+method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
+must be used before the first call to an SSL_read() or
+L<SSL_write(3)|SSL_write(3)> function.
+
 If the underlying BIO is B<blocking>, SSL_read() will only return, once the
-read operation has been finished or an error occurred.
+read operation has been finished or an error occurred, except when a
+renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. 
+This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
 
 If the underlying BIO is B<non-blocking>, SSL_read() will also return
 when the underlying BIO could not satisfy the needs of SSL_read()
-to continue the operation. In this case a call to SSL_get_error() with the
+to continue the operation. In this case a call to
+L<SSL_get_error(3)|SSL_get_error(3)> with the
 return value of SSL_read() will yield B<SSL_ERROR_WANT_READ> or
 B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
 call to SSL_read() can also cause write operations! The calling process
@@ -72,6 +84,9 @@ return value B<ret> to find out the reason.
 =head1 SEE ALSO
 
 L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>,
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
 L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_set_connect_state.pod b/crypto/openssl/doc/ssl/SSL_set_connect_state.pod
new file mode 100644
index 0000000..a8c4463
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_set_connect_state.pod
@@ -0,0 +1,47 @@
+=pod
+
+=head1 NAME
+
+SSL_set_connect_state, SSL_get_accept_state - prepare SSL object to work in client or server mode
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_set_connect_state(SSL *ssl);
+
+ void SSL_set_accept_state(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_set_connect_state() B<ssl> to work in client mode.
+
+SSL_set_accept_state() B<ssl> to work in server mode.
+
+=head1 NOTES
+
+When the SSL_CTX object was created with L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+it was either assigned a dedicated client method, a dedicated server
+method, or a generic method, that can be used for both client and
+server connections. (The method might have been changed with
+L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)> or
+SSL_set_ssl_method().)
+
+In order to successfully accomplish the handshake, the SSL routines need
+to know whether they should act in server or client mode. If the generic
+method was used, this is not clear from the method itself and must be set
+with either SSL_set_connect_state() or SSL_set_accept_state(). If these
+routines are not called, the default value set when L<SSL_new(3)|SSL_new(3)>
+is called is server mode.
+
+=head1 RETURN VALUES
+
+SSL_set_connect_state() and SSL_set_accept_state() do not return diagnostic
+information.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_set_shutdown.pod b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
new file mode 100644
index 0000000..6b196c1
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+SSL_set_shutdown, SSL_get_shutdown - manipulate shutdown state of an SSL connection
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_set_shutdown(SSL *ssl, int mode);
+
+ int SSL_get_shutdown(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_set_shutdown() sets the shutdown state of B<ssl> to B<mode>.
+
+SSL_get_shutdown() returns the shutdown mode of B<ssl>.
+
+=head1 NOTES
+
+The shutdown state of an ssl connection is a bitmask of:
+
+=over 4
+
+=item 0
+
+No shutdown setting, yet.
+
+=item SSL_SENT_SHUTDOWN
+
+A "close notify" shutdown alert was sent to the peer, the connection is being
+considered closed and the session is closed and correct.
+
+=item SSL_RECEIVED_SHUTDOWN
+
+A shutdown alert was received form the peer, either a normal "close notify"
+or a fatal error.
+
+=back
+
+SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN can be set at the same time.
+
+The shutdown state of the connection is used to determine the state of
+the ssl session. If the session is still open, when
+L<SSL_clear(3)|SSL_clear(3)> or L<SSL_free(3)|SSL_free(3)> is called,
+it is considered bad and removed according to RFC2246.
+The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN.
+SSL_set_shutdown() can be used to set this state without sending a
+close alert to the peer (see L<SSL_shutdown(3)|SSL_shutdown(3)>).
+
+If a "close notify" was received, SSL_RECEIVED_SHUTDOWN will be set,
+for setting SSL_SENT_SHUTDOWN the application must however still call
+L<SSL_shutdown(3)|SSL_shutdown(3)> or SSL_set_shutdown() itself.
+
+=head1 RETURN VALUES
+
+SSL_set_shutdown() does not return diagnostic information.
+
+SSL_get_shutdown() returns the current setting.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>,
+L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_shutdown.pod b/crypto/openssl/doc/ssl/SSL_shutdown.pod
index 20e273b..7988dd3 100644
--- a/crypto/openssl/doc/ssl/SSL_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_shutdown.pod
@@ -12,9 +12,17 @@ SSL_shutdown - shut down a TLS/SSL connection
 
 =head1 DESCRIPTION
 
-SSL_shutdown() shuts down an active TLS/SSL connection. It sends the shutdown
-alert to the peer. The behaviour of SSL_shutdown() depends on the underlying
-BIO. 
+SSL_shutdown() shuts down an active TLS/SSL connection. It sends the 
+"close notify" shutdown alert to the peer.
+
+=head1 NOTES
+
+SSL_shutdown() tries to send the "close notify" shutdown alert to the peer.
+Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
+a currently open session is considered closed and good and will be kept in the
+session cache for further reuse.
+
+The behaviour of SSL_shutdown() depends on the underlying BIO. 
 
 If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the
 handshake has been finished or an error occurred.
@@ -57,6 +65,8 @@ Call SSL_get_error() with the return value B<ret> to find out the reason.
 =head1 SEE ALSO
 
 L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
-L<SSL_accept(3)|SSL_accept(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
+L<SSL_clear(3)|SSL_clear(3), L<SSL_free(3)|SSL_free(3)>,
+L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_write.pod b/crypto/openssl/doc/ssl/SSL_write.pod
index 8110161..be1ad76 100644
--- a/crypto/openssl/doc/ssl/SSL_write.pod
+++ b/crypto/openssl/doc/ssl/SSL_write.pod
@@ -8,7 +8,7 @@ SSL_write - write bytes to a TLS/SSL connection.
 
  #include <openssl/ssl.h>
 
- int SSL_write(SSL *ssl, char *buf, int num);
+ int SSL_write(SSL *ssl, const void *buf, int num);
 
 =head1 DESCRIPTION
 
@@ -18,17 +18,29 @@ B<ssl> connection.
 =head1 NOTES
 
 If necessary, SSL_write() will negotiate a TLS/SSL session, if
-not already explicitly performed by SSL_connect() or SSL_accept(). If the
+not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or
+L<SSL_accept(3)|SSL_accept(3)>. If the
 peer requests a re-negotiation, it will be performed transparently during
 the SSL_write() operation. The behaviour of SSL_write() depends on the
 underlying BIO. 
 
+For the transparent negotiation to succeed, the B<ssl> must have been
+initialized to client or server mode. This is not the case if a generic
+method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
+must be used before the first call to an L<SSL_read(3)|SSL_read(3)>
+or SSL_write() function.
+
 If the underlying BIO is B<blocking>, SSL_write() will only return, once the
-write operation has been finished or an error occurred.
+write operation has been finished or an error occurred, except when a
+renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. 
+This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
 
 If the underlying BIO is B<non-blocking>, SSL_write() will also return,
 when the underlying BIO could not satisfy the needs of SSL_write()
-to continue the operation. In this case a call to SSL_get_error() with the
+to continue the operation. In this case a call to
+L<SSL_get_error(3)|SSL_get_error(3)> with the
 return value of SSL_write() will yield B<SSL_ERROR_WANT_READ> or
 B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
 call to SSL_write() can also cause read operations! The calling process
@@ -71,6 +83,9 @@ return value B<ret> to find out the reason.
 =head1 SEE ALSO
 
 L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_read(3)|SSL_read(3)>,
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
 L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
 
 =cut
diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
index 8142b6b..9a1ba6c 100644
--- a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
+++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
@@ -1,6 +1,7 @@
 =pod
 
 =head1 NAME
+
 d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 representation
 
 =head1 SYNOPSIS
diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod
index 2911c83..e521245 100644
--- a/crypto/openssl/doc/ssl/ssl.pod
+++ b/crypto/openssl/doc/ssl/ssl.pod
@@ -544,11 +544,11 @@ connection defined in the B<SSL> structure.
 
 =item long B<SSL_num_renegotiations>(SSL *ssl);
 
-=item int B<SSL_peek>(SSL *ssl, char *buf, int num);
+=item int B<SSL_peek>(SSL *ssl, void *buf, int num);
 
 =item int B<SSL_pending>(SSL *ssl);
 
-=item int B<SSL_read>(SSL *ssl, char *buf, int num);
+=item int B<SSL_read>(SSL *ssl, void *buf, int num);
 
 =item int B<SSL_renegotiate>(SSL *ssl);
 
@@ -640,7 +640,7 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_want_x509_lookup>(s);
 
-=item int B<SSL_write>(SSL *ssl, char *buf, int num);
+=item int B<SSL_write>(SSL *ssl, const void *buf, int num);
 
 =back
 
@@ -657,11 +657,13 @@ L<SSL_CTX_get_ex_new_index(3)|SSL_CTX_get_ex_new_index(3)>,
 L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
 L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
 L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
 L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
 L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>,
 L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
 L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>,
 L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
 L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
 L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
@@ -679,12 +681,15 @@ L<SSL_get_peer_cert_chain(3)|SSL_get_peer_cert_chain(3)>,
 L<SSL_get_rbio(3)|SSL_get_rbio(3)>,
 L<SSL_get_session(3)|SSL_get_session(3)>,
 L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
+L<SSL_get_version(3)|SSL_get_version(3)>,
 L<SSL_library_init(3)|SSL_library_init(3)>,
 L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
 L<SSL_new(3)|SSL_new(3)>,
 L<SSL_read(3)|SSL_read(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>,
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
 L<SSL_set_fd(3)|SSL_set_fd(3)>, L<SSL_pending(3)|SSL_pending(3)>,
 L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
 L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_write(3)|SSL_write(3)>,
 L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
 L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>,