---
 mailx.1   |    5 +++++
 openssl.c |   29 ++++++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)

Index: mailx.1
===================================================================
--- mailx.1.orig
+++ mailx.1
@@ -2723,6 +2723,8 @@ Only applicable if SSL/TLS support is bu
 Accept SSLv2 connections.
 These are normally not allowed
 because this protocol version is insecure.
+.br
+.B WARNING: on modern systems SSLv2 as well as SSLv3 are unavailable!
 .TP
 .B stealthmua
 Inhibits the generation of
@@ -3599,6 +3601,8 @@ Selects a SSL/TLS protocol version;
 valid values are `ssl2', `ssl3', and `tls1'.
 If unset, the method is selected automatically,
 if possible.
+.br
+.B WARNING: Do not use this option. 'ssl2', 'ssl3' are no longer available and 'tls1' forces use of TLS 1.0
 .TP
 \fBssl-method-\fIuser\fB@\fIhost\fR
 Overrides
@@ -3609,6 +3613,8 @@ for a specific account.
 Gives the pathname to an entropy daemon socket,
 see
 .IR RAND_egd (3).
+.br
+.B WARNING: On Linux this API is unavailable.
 .TP
 .B ssl-rand-file
 Gives the pathname to a file with entropy data,
@@ -3617,6 +3623,8 @@ see
 If the file is a regular file writable by the invoking user,
 new data is written to it after it has been loaded.
 Only applicable if SSL/TLS support is built using OpenSSL.
+.br
+.B WARNING: On linux the CSPRNG is seeded automatically and this option has no effect.
 .TP
 .B ssl-verify
 Sets the action to be performed if an error occurs
Index: openssl.c
===================================================================
--- openssl.c.orig
+++ openssl.c
@@ -135,10 +135,18 @@ ssl_rand_init(void)
 {
 	char *cp;
 	int state = 0;
+	
+	if(RAND_status())
+		return 1;
 
 	if ((cp = value("ssl-rand-egd")) != NULL) {
 		cp = expand(cp);
-		if (RAND_egd(cp) == -1) {
+#ifndef OPENSSL_NO_EGD
+		if (RAND_egd(cp) == -1)
+#else
+		if (1)
+#endif
+		{
 			fprintf(stderr, catgets(catd, CATSET, 245,
 				"entropy daemon at \"%s\" not available\n"),
 					cp);
@@ -221,12 +229,13 @@ ssl_select_method(const char *uhp)
 
 	cp = ssl_method_string(uhp);
 	if (cp != NULL) {
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
 #ifndef OPENSSL_NO_SSL2
 		if (equal(cp, "ssl2"))
 			method = SSLv2_client_method();
 		else
-#endif 
-            if (equal(cp, "ssl3"))
+#endif
+		if (equal(cp, "ssl3"))
 			method = SSLv3_client_method();
 		else if (equal(cp, "tls1"))
 			method = TLSv1_client_method();
@@ -235,8 +244,25 @@ ssl_select_method(const char *uhp)
 					"Invalid SSL method \"%s\"\n"), cp);
 			method = SSLv23_client_method();
 		}
+#else
+		method = NULL;
+		if (equal(cp, "tls"))
+			method = TLS_client_method();
+		else if (equal(cp, "dtls"))
+			method = DTLS_client_method();
+
+		if (!method) {
+			fprintf(stderr, catgets(catd, CATSET, 244,
+					"Invalid SSL method \"%s\"\n"), cp);
+			method = TLS_client_method();
+		}
+#endif
 	} else
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
 		method = SSLv23_client_method();
+#else
+		method = TLS_client_method();
+#endif
 	return method;
 }
 
@@ -307,6 +333,8 @@ ssl_certificate(struct sock *sp, const c
 				"cannot load private key from file %s\n"),
 						key);
 			ac_free(keyvar);
+			if(SSL_CTX_check_private_key(sp->s_ctx) != 1)
+				fprintf(stderr, "certificate/key mismatch");
 		} else
 			fprintf(stderr, catgets(catd, CATSET, 239,
 				"cannot load certificate from file %s\n"),
@@ -383,7 +411,7 @@ ssl_open(const char *server, struct sock
 	/* available with OpenSSL 0.9.6 or later */
 	SSL_CTX_set_mode(sp->s_ctx, SSL_MODE_AUTO_RETRY);
 #endif	/* SSL_MODE_AUTO_RETRY */
-	options = SSL_OP_ALL;
+	options = SSL_OP_ALL|SSL_OP_NO_TICKET;
 	if (value("ssl-v2-allow") == NULL)
 		options |= SSL_OP_NO_SSLv2;
 	SSL_CTX_set_options(sp->s_ctx, options);