diff --git a/ruby-1.8.x_openssl-1.0-tests.patch b/ruby-1.8.x_openssl-1.0-tests.patch
new file mode 100644
index 0000000..2fae89b
--- /dev/null
+++ b/ruby-1.8.x_openssl-1.0-tests.patch
@@ -0,0 +1,1465 @@
+Index: test/openssl/test_x509store.rb
+===================================================================
+--- test/openssl/test_x509store.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_x509store.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -4,6 +4,7 @@
+ rescue LoadError
+ end
+ require "test/unit"
++require "tempfile"
+ 
+ if defined?(OpenSSL)
+ 
+@@ -198,7 +199,7 @@
+                           nil, nil, OpenSSL::Digest::SHA1.new)
+     store = OpenSSL::X509::Store.new
+     store.add_cert(ca1_cert)
+-    assert_raises(OpenSSL::X509::StoreError){
++    assert_raise(OpenSSL::X509::StoreError){
+       store.add_cert(ca1_cert)  # add same certificate twice
+     }
+ 
+@@ -209,10 +210,37 @@
+     crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [],
+                      ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+     store.add_crl(crl1)
+-    assert_raises(OpenSSL::X509::StoreError){
++    assert_raise(OpenSSL::X509::StoreError){
+       store.add_crl(crl2) # add CRL issued by same CA twice.
+     }
+   end
++
++  def test_add_file
++    ca1_cert = <<END
++-----BEGIN CERTIFICATE-----
++MIIBzzCCATigAwIBAgIBATANBgkqhkiG9w0BAQUFADANMQswCQYDVQQDDAJjYTAe
++Fw0wOTA1MjIxMDE5MjNaFw0xNDA1MjExMDE5MjNaMA0xCzAJBgNVBAMMAmNhMIGf
++MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcTL520vsbXHXPfkHKrcgWbk2zVf0y
++oK7bPg06kjCghs8KYsi9b/tT9KpkpejD0KucDBSmDILD3PvIWrNFcBRWf6ZC5vA5
++YuF6ueATuFhsXjUFuNLqyPcIX+XrOQmXgjiyO9nc5vzQwWRRhdyyT8DgCRUD/yHW
++pjD2ZEGIAVLY/wIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQf
++923P/SgiCcbiN20bbmuFM6SLxzALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
++gYEAE0CpCo8MxhfUNWMHF5GsGEG2+1LdE+aUX7gSb6d4vn1WjusrM2FoOFTomt32
++YPqJwMEbcqILq2v9Kkao4QNJRlK+z1xpRDnt1iBrHdXrYJFvYnfMqv3z7XAFPfQZ
++yMP+P2sR0jPzy4UNZfDIMmMUqQdhkz7onKWOGjXwLEtkCMs=
++-----END CERTIFICATE-----
++END
++
++    f = Tempfile.new("ca1_cert")
++    f << ca1_cert
++    f.close
++
++    store = OpenSSL::X509::Store.new
++    store.add_file(f.path)
++    assert_equal(true,  store.verify(OpenSSL::X509::Certificate.new(ca1_cert)))
++    f.unlink
++  end
++
+ end
+ 
+ end
+Index: test/openssl/test_x509cert.rb
+===================================================================
+--- test/openssl/test_x509cert.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_x509cert.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -28,7 +28,7 @@
+   def test_serial
+     [1, 2**32, 2**100].each{|s|
+       cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [],
+-                        nil, nil, OpenSSL::Digest::SHA1.new) 
++                        nil, nil, OpenSSL::Digest::SHA1.new)
+       assert_equal(s, cert.serial)
+       cert = OpenSSL::X509::Certificate.new(cert.to_der)
+       assert_equal(s, cert.serial)
+@@ -60,25 +60,25 @@
+   def test_validity
+     now = Time.now until now && now.usec != 0
+     cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
+-                      nil, nil, OpenSSL::Digest::SHA1.new) 
++                      nil, nil, OpenSSL::Digest::SHA1.new)
+     assert_not_equal(now, cert.not_before)
+     assert_not_equal(now+3600, cert.not_after)
+ 
+     now = Time.at(now.to_i)
+     cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
+-                      nil, nil, OpenSSL::Digest::SHA1.new) 
++                      nil, nil, OpenSSL::Digest::SHA1.new)
+     assert_equal(now.getutc, cert.not_before)
+     assert_equal((now+3600).getutc, cert.not_after)
+ 
+     now = Time.at(0)
+     cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
+-                      nil, nil, OpenSSL::Digest::SHA1.new) 
++                      nil, nil, OpenSSL::Digest::SHA1.new)
+     assert_equal(now.getutc, cert.not_before)
+     assert_equal(now.getutc, cert.not_after)
+ 
+     now = Time.at(0x7fffffff)
+     cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
+-                      nil, nil, OpenSSL::Digest::SHA1.new) 
++                      nil, nil, OpenSSL::Digest::SHA1.new)
+     assert_equal(now.getutc, cert.not_before)
+     assert_equal(now.getutc, cert.not_after)
+   end
+@@ -91,7 +91,7 @@
+       ["authorityKeyIdentifier","keyid:always",false],
+     ]
+     ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
+-                         nil, nil, OpenSSL::Digest::SHA1.new) 
++                         nil, nil, OpenSSL::Digest::SHA1.new)
+     ca_cert.extensions.each_with_index{|ext, i|
+       assert_equal(ca_exts[i].first, ext.oid)
+       assert_equal(ca_exts[i].last, ext.critical?)
+@@ -105,7 +105,7 @@
+       ["subjectAltName","email:ee1@ruby-lang.org",false],
+     ]
+     ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts,
+-                          ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) 
++                          ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+     assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
+     ee1_cert.extensions.each_with_index{|ext, i|
+       assert_equal(ee1_exts[i].first, ext.oid)
+@@ -120,7 +120,7 @@
+       ["subjectAltName","email:ee2@ruby-lang.org",false],
+     ]
+     ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts,
+-                          ca_cert, @rsa2048, OpenSSL::Digest::MD5.new) 
++                          ca_cert, @rsa2048, OpenSSL::Digest::MD5.new)
+     assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der)
+     ee2_cert.extensions.each_with_index{|ext, i|
+       assert_equal(ee2_exts[i].first, ext.oid)
+@@ -129,47 +129,137 @@
+ 
+   end
+ 
++  def test_sign_and_verify_wrong_key_type
++    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
++                      nil, nil, OpenSSL::Digest::SHA1.new)
++    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
++                      nil, nil, OpenSSL::Digest::DSS1.new)
++    begin
++      assert_equal(false, cert_rsa.verify(@dsa256))
++    rescue OpenSSL::X509::CertificateError => e
++      # OpenSSL 1.0.0 added checks for pkey OID
++      assert_equal('wrong public key type', e.message)
++    end
++
++    begin
++      assert_equal(false, cert_dsa.verify(@rsa1024))
++    rescue OpenSSL::X509::CertificateError => e
++      # OpenSSL 1.0.0 added checks for pkey OID
++      assert_equal('wrong public key type', e.message)
++    end
++  end
++
+   def test_sign_and_verify
+     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+-                      nil, nil, OpenSSL::Digest::SHA1.new) 
++                      nil, nil, OpenSSL::Digest::SHA1.new)
+     assert_equal(false, cert.verify(@rsa1024))
+     assert_equal(true,  cert.verify(@rsa2048))
+-    assert_equal(false, cert.verify(@dsa256))
+-    assert_equal(false, cert.verify(@dsa512))
+     cert.serial = 2
+     assert_equal(false, cert.verify(@rsa2048))
+ 
+     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+-                      nil, nil, OpenSSL::Digest::MD5.new) 
++                      nil, nil, OpenSSL::Digest::MD5.new)
+     assert_equal(false, cert.verify(@rsa1024))
+     assert_equal(true,  cert.verify(@rsa2048))
+-    assert_equal(false, cert.verify(@dsa256))
+-    assert_equal(false, cert.verify(@dsa512))
+     cert.subject = @ee1
+     assert_equal(false, cert.verify(@rsa2048))
+ 
+     cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+-                      nil, nil, OpenSSL::Digest::DSS1.new) 
+-    assert_equal(false, cert.verify(@rsa1024))
+-    assert_equal(false, cert.verify(@rsa2048))
++                      nil, nil, OpenSSL::Digest::DSS1.new)
+     assert_equal(false, cert.verify(@dsa256))
+     assert_equal(true,  cert.verify(@dsa512))
+-    cert.not_after = Time.now 
++    cert.not_after = Time.now
+     assert_equal(false, cert.verify(@dsa512))
++  end
+ 
+-    assert_raises(OpenSSL::X509::CertificateError){
++  def test_dsig_algorithm_mismatch
++    assert_raise(OpenSSL::X509::CertificateError) do
+       cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+-                        nil, nil, OpenSSL::Digest::DSS1.new) 
+-    }
+-    assert_raises(OpenSSL::X509::CertificateError){
++                        nil, nil, OpenSSL::Digest::DSS1.new)
++    end
++    assert_raise(OpenSSL::X509::CertificateError) do
+       cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+-                        nil, nil, OpenSSL::Digest::MD5.new) 
+-    }
+-    assert_raises(OpenSSL::X509::CertificateError){
+-      cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+-                        nil, nil, OpenSSL::Digest::SHA1.new) 
+-    }
++                        nil, nil, OpenSSL::Digest::MD5.new)
++    end
+   end
++
++  def test_dsa_with_sha2
++    begin
++      cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
++                        nil, nil, OpenSSL::Digest::SHA256.new)
++      assert_equal("dsa_with_SHA256", cert.signature_algorithm)
++    rescue OpenSSL::X509::CertificateError
++      # dsa_with_sha2 not supported. skip following test.
++      return
++    end
++    # TODO: need more tests for dsa + sha2
++
++    # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requireds DSS1)
++    cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
++                      nil, nil, OpenSSL::Digest::SHA1.new)
++    assert_equal("dsaWithSHA1", cert.signature_algorithm)
++  end
++
++  def test_check_private_key
++    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
++                      nil, nil, OpenSSL::Digest::SHA1.new)
++    assert_equal(true, cert.check_private_key(@rsa2048))
++  end
++
++  def test_to_text
++    cert_pem = <<END
++-----BEGIN CERTIFICATE-----
++MIIC8zCCAdugAwIBAgIBATANBgkqhkiG9w0BAQQFADA9MRMwEQYKCZImiZPyLGQB
++GRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVieS1sYW5nMQswCQYDVQQDDAJDQTAe
++Fw0wOTA1MjMxNTAzNDNaFw0wOTA1MjMxNjAzNDNaMD0xEzARBgoJkiaJk/IsZAEZ
++FgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5LWxhbmcxCzAJBgNVBAMMAkNBMIIB
++IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuV9ht9J7k4NBs38jOXvvTKY9
++gW8nLICSno5EETR1cuF7i4pNs9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enen
++fzq/t/e/1IRW0wkJUJUFQign4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWm
++qbjs07JbuS4QQGGXLc+Su96DkYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v6
++8JkRFIhdGlb6JL8fllf/A/blNwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX
++9KZYcU00mOX+fdxOSnGqS/8JDRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wID
++AQABMA0GCSqGSIb3DQEBBAUAA4IBAQB8UTw1agA9wdXxHMUACduYu6oNL7pdF0dr
++w7a4QPJyj62h4+Umxvp13q0PBw0E+mSjhXMcqUhDLjrmMcvvNGhuh5Sdjbe3GI/M
++3lCC9OwYYIzzul7omvGC3JEIGfzzdNnPPCPKEWp5X9f0MKLMR79qOf+sjHTjN2BY
++SY3YGsEFxyTXDdqrlaYaOtTAdi/C+g1WxR8fkPLefymVwIFwvyc9/bnp7iBn7Hcw
++mbxtLPbtQ9mURT0GHewZRTGJ1aiTq9Ag3xXME2FPF04eFRd3mclOQZNXKQ+LDxYf
++k0X5FeZvsWf4srFxoVxlcDdJtHh91ZRpDDJYGQlsUm9CPTnO+e4E
++-----END CERTIFICATE-----
++END
++
++    cert = OpenSSL::X509::Certificate.new(cert_pem)
++
++    cert_text = <<END
++  [0]         Version: 3
++         SerialNumber: 1
++             IssuerDN: DC=org,DC=ruby-lang,CN=CA
++           Start Date: Sat May 23 17:03:43 CEST 2009
++           Final Date: Sat May 23 18:03:43 CEST 2009
++            SubjectDN: DC=org,DC=ruby-lang,CN=CA
++           Public Key: RSA Public Key
++            modulus: b95f61b7d27b938341b37f23397bef4ca63d816f272c80929e8e4411347572e17b8b8a4db3d2354091801405f40443b829bcd79ae3af7c2a43dc253e4a5a757a77a77f3abfb7f7bfd48456d30909509505422827e02b6b9092fe3f4ef2c75f148f23e50576fcd40a449800799ab2554ab5a6a9b8ecd3b25bb92e104061972dcf92bbde839182a648d5630622f15554a9c997c0637843dfb77ad2e1be5fcc5d5b9bfaf0991114885d1a56fa24bf1f9657ff03f6e53707493a156bf661121e1c068f07d27930cf7ddf192c4d36ec4e65c80557f4a658714d3498e5fe7ddc4e4a71aa4bff090d187410f1c32f5e517098d5d89eaf6633dbd2b398183a0c707fbde3
++    public exponent: 10001
++
++  Signature Algorithm: MD5withRSA
++            Signature: 7c513c356a003dc1d5f11cc50009db98bbaa0d2f
++                       ba5d17476bc3b6b840f2728fada1e3e526c6fa75
++                       dead0f070d04fa64a385731ca948432e3ae631cb
++                       ef34686e87949d8db7b7188fccde5082f4ec1860
++                       8cf3ba5ee89af182dc910819fcf374d9cf3c23ca
++                       116a795fd7f430a2cc47bf6a39ffac8c74e33760
++                       58498dd81ac105c724d70ddaab95a61a3ad4c076
++                       2fc2fa0d56c51f1f90f2de7f2995c08170bf273d
++                       fdb9e9ee2067ec773099bc6d2cf6ed43d994453d
++                       061dec19453189d5a893abd020df15cc13614f17
++                       4e1e15177799c94e419357290f8b0f161f9345f9
++                       15e66fb167f8b2b171a15c65703749b4787dd594
++                       690c325819096c526f423d39cef9ee04
++END
++    assert_not_nil(cert.to_text)
++    # This is commented out because it doesn't take timezone into consideration; FIXME
++    #assert_equal(cert_text, cert.to_text)
++  end
+ end
+ 
+ end
+Index: test/openssl/test_x509ext.rb
+===================================================================
+--- test/openssl/test_x509ext.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_x509ext.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -69,6 +69,27 @@
+       %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary},
+       cdp.value)
+   end
++
++  # JRUBY-3888
++  # Problems with subjectKeyIdentifier with non 20-bytes sha1 digested keys
++  def test_certificate_with_rare_extension
++    cert_file = File.expand_path('max.pem', File.dirname(__FILE__))
++    cer = OpenSSL::X509::Certificate.new(File.read(cert_file))
++    exts = Hash.new
++    cer.extensions.each{|ext| exts[ext.oid] = ext.value}
++
++    assert exts["subjectKeyIdentifier"] == "4C:B9:E1:DC:7A:AC:35:CF"
++  end
++
++  def test_extension_from_20_byte_sha1_digests
++    cert_file = File.expand_path('common.pem', File.dirname(__FILE__))
++    cer = OpenSSL::X509::Certificate.new(File.read(cert_file))
++    exts = Hash.new
++    cer.extensions.each{|ext| exts[ext.oid] = ext.value}
++
++    assert exts["subjectKeyIdentifier"] == "B4:AC:83:5D:21:FB:D6:8A:56:7E:B2:49:6D:69:BB:E4:6F:D8:5A:AC"
++  end
++
+ end
+ 
+ end
+Index: test/openssl/test_ec.rb
+===================================================================
+--- test/openssl/test_ec.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_ec.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -87,12 +87,27 @@
+   def test_dsa_sign_verify
+     for key in @keys
+       sig = key.dsa_sign_asn1(@data1)
+-      assert_equal(key.dsa_verify_asn1(@data1, sig), true)
+-        
+-      assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }
++      assert(key.dsa_verify_asn1(@data1, sig))
+     end
+   end
+ 
++  def test_dsa_sign_asn1_FIPS186_3
++    for key in @keys
++      size = key.group.order.num_bits / 8 + 1
++      dgst = (1..size).to_a.pack('C*')
++      begin
++        sig = key.dsa_sign_asn1(dgst)
++        # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
++        assert(key.dsa_verify_asn1(dgst + "garbage", sig))
++      rescue OpenSSL::PKey::ECError => e
++        # just an exception for longer dgst before openssl-0.9.8m
++        assert_equal('ECDSA_sign: data too large for key size', e.message)
++        # no need to do following tests
++        return
++      end
++    end
++  end
++
+   def test_dh_compute_key
+     for key in @keys
+       k = OpenSSL::PKey::EC.new(key.group)
+Index: test/openssl/test_pkcs7.rb
+===================================================================
+--- test/openssl/test_pkcs7.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_pkcs7.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -28,6 +28,7 @@
+       ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
+       ["authorityKeyIdentifier","keyid:always",false],
+       ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
++      ["nsCertType","client,email",false],
+     ]
+     @ee1_cert = issue_cert(ee1, @rsa1024, 2, Time.now, Time.now+1800, ee_exts,
+                            @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+@@ -35,7 +36,7 @@
+                            @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+   end
+ 
+-  def issue_cert(*args)             
++  def issue_cert(*args)
+     OpenSSL::TestUtils.issue_cert(*args)
+   end
+ 
+@@ -46,6 +47,127 @@
+ 
+     data = "aaaaa\r\nbbbbb\r\nccccc\r\n"
+     tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs)
++    p7 = OpenSSL::PKCS7.new(tmp.to_der)
++    certs = p7.certificates
++    signers = p7.signers
++    assert(p7.verify([], store))
++    assert_equal(data, p7.data)
++    assert_equal(2, certs.size)
++    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
++    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
++    assert_equal(1, signers.size)
++    assert_equal(@ee1_cert.serial, signers[0].serial)
++    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
++
++    # Normaly OpenSSL tries to translate the supplied content into canonical
++    # MIME format (e.g. a newline character is converted into CR+LF).
++    # If the content is a binary, PKCS7::BINARY flag should be used.
++
++    data = "aaaaa\nbbbbb\nccccc\n"
++    flag = OpenSSL::PKCS7::BINARY
++    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
++    p7 = OpenSSL::PKCS7.new(tmp.to_der)
++    certs = p7.certificates
++    signers = p7.signers
++    assert(p7.verify([], store))
++    assert_equal(data, p7.data)
++    assert_equal(2, certs.size)
++    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
++    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
++    assert_equal(1, signers.size)
++    assert_equal(@ee1_cert.serial, signers[0].serial)
++    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
++
++    # A signed-data which have multiple signatures can be created
++    # through the following steps.
++    #   1. create two signed-data
++    #   2. copy signerInfo and certificate from one to another
++
++    tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
++    tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
++    tmp1.add_signer(tmp2.signers[0])
++    tmp1.add_certificate(@ee2_cert)
++
++    p7 = OpenSSL::PKCS7.new(tmp1.to_der)
++    certs = p7.certificates
++    signers = p7.signers
++    assert(p7.verify([], store))
++    assert_equal(data, p7.data)
++    assert_equal(2, certs.size)
++    assert_equal(2, signers.size)
++    assert_equal(@ee1_cert.serial, signers[0].serial)
++    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
++    assert_equal(@ee2_cert.serial, signers[1].serial)
++    assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s)
++  end
++
++  def test_detached_sign
++    store = OpenSSL::X509::Store.new
++    store.add_cert(@ca_cert)
++    ca_certs = [@ca_cert]
++
++    data = "aaaaa\nbbbbb\nccccc\n"
++    flag = OpenSSL::PKCS7::BINARY|OpenSSL::PKCS7::DETACHED
++    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
++    p7 = OpenSSL::PKCS7.new(tmp.to_der)
++    a1 = OpenSSL::ASN1.decode(p7)
++
++    certs = p7.certificates
++    signers = p7.signers
++    assert(!p7.verify([], store))
++    assert(p7.verify([], store, data))
++    assert_equal(data, p7.data)
++    assert_equal(2, certs.size)
++    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
++    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
++    assert_equal(1, signers.size)
++    assert_equal(@ee1_cert.serial, signers[0].serial)
++    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
++  end
++
++  def test_enveloped
++    if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f
++      # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV.
++      # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html
++      return
++    end
++
++    certs = [@ee1_cert, @ee2_cert]
++    cipher = OpenSSL::Cipher::AES.new("128-CBC")
++    data = "aaaaa\nbbbbb\nccccc\n"
++
++    tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY)
++    p7 = OpenSSL::PKCS7.new(tmp.to_der)
++    recip = p7.recipients
++    assert_equal(:enveloped, p7.type)
++    assert_equal(2, recip.size)
++
++    assert_equal(@ca_cert.subject.to_s, recip[0].issuer.to_s)
++    assert_equal(2, recip[0].serial)
++    assert_equal(data, p7.decrypt(@rsa1024, @ee1_cert))
++
++    assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s)
++    assert_equal(3, recip[1].serial)
++    assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
++  end
++
++  def silent
++    begin
++      back, $VERBOSE = $VERBOSE, nil
++      yield
++    ensure
++      $VERBOSE = back if back
++    end
++  end
++
++  def test_signed_pkcs7_pkcs7
++  silent do
++    store = OpenSSL::X509::Store.new
++    store.add_cert(@ca_cert)
++    ca_certs = [@ca_cert]
++
++    data = "aaaaa\r\nbbbbb\r\nccccc\r\n"
++    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs)
+     p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der)
+     certs = p7.certificates
+     signers = p7.signers
+@@ -77,7 +199,7 @@
+     assert_equal(@ee1_cert.serial, signers[0].serial)
+     assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+ 
+-    # A signed-data which have multiple signatures can be created 
++    # A signed-data which have multiple signatures can be created
+     # through the following steps.
+     #   1. create two signed-data
+     #   2. copy signerInfo and certificate from one to another
+@@ -85,7 +207,7 @@
+     tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
+     tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
+     tmp1.add_signer(tmp2.signers[0])
+-    tmp1.add_certificate(@ee2_cert)  
++    tmp1.add_certificate(@ee2_cert)
+ 
+     p7 = OpenSSL::PKCS7::PKCS7.new(tmp1.to_der)
+     certs = p7.certificates
+@@ -99,8 +221,10 @@
+     assert_equal(@ee2_cert.serial, signers[1].serial)
+     assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s)
+   end
++  end
+ 
+-  def test_detached_sign
++  def test_detached_sign_pkcs7_pkcs7
++  silent do
+     store = OpenSSL::X509::Store.new
+     store.add_cert(@ca_cert)
+     ca_certs = [@ca_cert]
+@@ -123,8 +247,10 @@
+     assert_equal(@ee1_cert.serial, signers[0].serial)
+     assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+   end
++  end
+ 
+-  def test_enveloped
++  def test_enveloped_pkcs7_pkcs7
++  silent do
+     if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f
+       # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV.
+       # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html
+@@ -149,6 +275,7 @@
+     assert_equal(3, recip[1].serial)
+     assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
+   end
++  end
+ end
+ 
+ end
+Index: test/openssl/ssl_server.rb
+===================================================================
+--- test/openssl/ssl_server.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/ssl_server.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -53,7 +53,7 @@
+     port = port + i
+     break
+   rescue Errno::EADDRINUSE
+-    next 
++    next
+   end
+ }
+ ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
+Index: test/openssl/utils.rb
+===================================================================
+--- test/openssl/utils.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/utils.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -96,16 +96,16 @@
+     cert
+   end
+ 
+-  def issue_crl(revoke_info, serial, lastup, nextup, extensions, 
++  def issue_crl(revoke_info, serial, lastup, nextup, extensions,
+                 issuer, issuer_key, digest)
+     crl = OpenSSL::X509::CRL.new
+     crl.issuer = issuer.subject
+     crl.version = 1
+     crl.last_update = lastup
+     crl.next_update = nextup
+-    revoke_info.each{|serial, time, reason_code|
++    revoke_info.each{|rserial, time, reason_code|
+       revoked = OpenSSL::X509::Revoked.new
+-      revoked.serial = serial
++      revoked.serial = rserial
+       revoked.time = time
+       enum = OpenSSL::ASN1::Enumerated(reason_code)
+       ext = OpenSSL::X509::Extension.new("CRLReason", enum)
+Index: test/openssl/test_ssl.rb
+===================================================================
+--- test/openssl/test_ssl.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_ssl.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -6,6 +6,8 @@
+ require "rbconfig"
+ require "socket"
+ require "test/unit"
++require 'tempfile'
++
+ begin
+   loadpath = $:.dup
+   $:.replace($: | [File.expand_path("../ruby", File.dirname(__FILE__))])
+@@ -58,6 +60,20 @@
+     OpenSSL::TestUtils.issue_crl(*arg)
+   end
+ 
++  def choose_port(port)
++    tcps = nil
++    100.times{ |i|
++      begin
++        tcps = TCPServer.new("127.0.0.1", port+i)
++        port = port + i
++        break
++      rescue Errno::EADDRINUSE
++        next
++      end
++    }
++    return tcps, port
++  end
++
+   def readwrite_loop(ctx, ssl)
+     while line = ssl.gets
+       if line =~ /^STARTTLS$/
+@@ -78,22 +94,22 @@
+       begin
+         ssl = ssls.accept
+       rescue OpenSSL::SSL::SSLError
+-      	retry
++        retry
+       end
+ 
+       Thread.start do
+-        Thread.current.abort_on_exception = true  
++        Thread.current.abort_on_exception = true
+         server_proc.call(ctx, ssl)
+       end
+     end
+-  rescue Errno::EBADF, IOError
++  rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED
+   end
+ 
+   def start_server(port0, verify_mode, start_immediately, args = {}, &block)
+     ctx_proc = args[:ctx_proc]
+     server_proc = args[:server_proc]
+     server_proc ||= method(:readwrite_loop)
+-  
++
+     store = OpenSSL::X509::Store.new
+     store.add_cert(@ca_cert)
+     store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+@@ -106,8 +122,7 @@
+     ctx_proc.call(ctx) if ctx_proc
+ 
+     Socket.do_not_reverse_lookup = true
+-    tcps = nil
+-    port = port0
++    tcps, port = choose_port(port0)
+     begin
+       tcps = TCPServer.new("127.0.0.1", port)
+     rescue Errno::EADDRINUSE
+@@ -120,22 +135,33 @@
+ 
+     begin
+       server = Thread.new do
+-        Thread.current.abort_on_exception = true  
++        Thread.current.abort_on_exception = true
+         server_loop(ctx, ssls, server_proc)
+       end
+ 
+-      $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port) if $DEBUG
++      $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG
+ 
+       block.call(server, port.to_i)
+     ensure
+-      tcps.close if (tcps)
+-      if (server)
+-        server.join(5)
+-        if server.alive?
+-          server.kill
+-          server.join
+-          flunk("TCPServer was closed and SSLServer is still alive") unless $!
++      begin
++        begin
++          tcps.shutdown
++        rescue Errno::ENOTCONN
++          # when `Errno::ENOTCONN: Socket is not connected' on some platforms,
++          # call #close instead of #shutdown.
++          tcps.close
++          tcps = nil
++        end if (tcps)
++        if (server)
++          server.join(5)
++          if server.alive?
++            server.kill
++            server.join
++            flunk("TCPServer was closed and SSLServer is still alive") unless $!
++          end
+         end
++      ensure
++        tcps.close if (tcps)
+       end
+     end
+   end
+@@ -180,6 +206,8 @@
+       ssl.sync_close = true
+       ssl.connect
+ 
++      assert_raise(ArgumentError) { ssl.sysread(-1) }
++
+       # syswrite and sysread
+       ITERATIONS.times{|i|
+         str = "x" * 100 + "\n"
+@@ -193,6 +221,13 @@
+         assert_equal(str, buf)
+       }
+ 
++      # puts and gets
++      ITERATIONS.times{
++        str = "x" * 100 + "\n"
++        ssl.puts(str)
++        assert_equal(str, ssl.gets)
++      }
++
+       # read and write
+       ITERATIONS.times{|i|
+         str = "x" * 100 + "\n"
+@@ -213,7 +248,7 @@
+   def test_client_auth
+     vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+     start_server(PORT, vflag, true){|server, port|
+-      assert_raises(OpenSSL::SSL::SSLError){
++      assert_raise(OpenSSL::SSL::SSLError){
+         sock = TCPSocket.new("127.0.0.1", port)
+         ssl = OpenSSL::SSL::SSLSocket.new(sock)
+         ssl.connect
+@@ -247,6 +282,82 @@
+     }
+   end
+ 
++  def test_client_auth_with_server_store
++    vflag = OpenSSL::SSL::VERIFY_PEER
++
++    localcacert_file = Tempfile.open("cafile")
++    localcacert_file << @ca_cert.to_pem
++    localcacert_file.close
++    localcacert_path = localcacert_file.path
++
++    ssl_store = OpenSSL::X509::Store.new
++    ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY
++    ssl_store.add_file(localcacert_path)
++
++    args = {}
++    args[:ctx_proc] = proc { |server_ctx|
++      server_ctx.cert = @svr_cert
++      server_ctx.key = @svr_key
++      server_ctx.verify_mode = vflag
++      server_ctx.cert_store = ssl_store
++    }
++
++    start_server(PORT, vflag, true, args){|server, port|
++      ctx = OpenSSL::SSL::SSLContext.new
++      ctx.cert = @cli_cert
++      ctx.key = @cli_key
++      sock = TCPSocket.new("127.0.0.1", port)
++      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
++      ssl.sync_close = true
++      ssl.connect
++      ssl.puts("foo")
++      assert_equal("foo\n", ssl.gets)
++      ssl.close
++      localcacert_file.unlink
++    }
++  end
++
++  def test_client_crl_with_server_store
++    vflag = OpenSSL::SSL::VERIFY_PEER
++
++    localcacert_file = Tempfile.open("cafile")
++    localcacert_file << @ca_cert.to_pem
++    localcacert_file.close
++    localcacert_path = localcacert_file.path
++
++    ssl_store = OpenSSL::X509::Store.new
++    ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY
++    ssl_store.add_file(localcacert_path)
++    ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
++
++    crl = issue_crl([], 1, Time.now, Time.now+1600, [],
++                    @cli_cert, @ca_key, OpenSSL::Digest::SHA1.new)
++
++    ssl_store.add_crl(OpenSSL::X509::CRL.new(crl.to_pem))
++
++    args = {}
++    args[:ctx_proc] = proc { |server_ctx|
++      server_ctx.cert = @svr_cert
++      server_ctx.key = @svr_key
++      server_ctx.verify_mode = vflag
++      server_ctx.cert_store = ssl_store
++    }
++
++    start_server(PORT, vflag, true, args){|s, p|
++      ctx = OpenSSL::SSL::SSLContext.new
++      ctx.cert = @cli_cert
++      ctx.key = @cli_key
++      assert_raise(OpenSSL::SSL::SSLError){
++        sock = TCPSocket.new("127.0.0.1", p)
++        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
++        ssl.sync_close = true
++        ssl.connect
++        ssl.close
++      }
++      localcacert_file.unlink
++    }
++  end
++
+   def test_starttls
+     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|server, port|
+       sock = TCPSocket.new("127.0.0.1", port)
+@@ -352,10 +463,10 @@
+       sock = TCPSocket.new("127.0.0.1", port)
+       ssl = OpenSSL::SSL::SSLSocket.new(sock)
+       ssl.connect
+-      assert_raises(sslerr){ssl.post_connection_check("localhost.localdomain")}
+-      assert_raises(sslerr){ssl.post_connection_check("127.0.0.1")}
++      assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")}
++      assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
+       assert(ssl.post_connection_check("localhost"))
+-      assert_raises(sslerr){ssl.post_connection_check("foo.example.com")}
++      assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
+ 
+       cert = ssl.peer_cert
+       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
+@@ -378,8 +489,8 @@
+       ssl.connect
+       assert(ssl.post_connection_check("localhost.localdomain"))
+       assert(ssl.post_connection_check("127.0.0.1"))
+-      assert_raises(sslerr){ssl.post_connection_check("localhost")}
+-      assert_raises(sslerr){ssl.post_connection_check("foo.example.com")}
++      assert_raise(sslerr){ssl.post_connection_check("localhost")}
++      assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
+ 
+       cert = ssl.peer_cert
+       assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
+@@ -400,9 +511,9 @@
+       ssl = OpenSSL::SSL::SSLSocket.new(sock)
+       ssl.connect
+       assert(ssl.post_connection_check("localhost.localdomain"))
+-      assert_raises(sslerr){ssl.post_connection_check("127.0.0.1")}
+-      assert_raises(sslerr){ssl.post_connection_check("localhost")}
+-      assert_raises(sslerr){ssl.post_connection_check("foo.example.com")}
++      assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
++      assert_raise(sslerr){ssl.post_connection_check("localhost")}
++      assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
+       cert = ssl.peer_cert
+       assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
+       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1"))
+@@ -494,7 +605,7 @@
+         ctx.session_add(saved_session)
+       end
+       connections += 1
+-      
++
+       readwrite_loop(ctx, ssl)
+     end
+ 
+@@ -532,6 +643,50 @@
+       end
+     end
+   end
++
++  def test_tlsext_hostname
++    return unless OpenSSL::SSL::SSLSocket.instance_methods.include?("hostname")
++
++    ctx_proc = Proc.new do |ctx, ssl|
++      foo_ctx = ctx.dup
++
++      ctx.servername_cb = Proc.new do |ssl2, hostname|
++        case hostname
++        when 'foo.example.com'
++          foo_ctx
++        when 'bar.example.com'
++          nil
++        else
++          raise "unknown hostname #{hostname.inspect}"
++        end
++      end
++    end
++
++    server_proc = Proc.new do |ctx, ssl|
++      readwrite_loop(ctx, ssl)
++    end
++
++    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
++      2.times do |i|
++        sock = TCPSocket.new("127.0.0.1", port)
++        ctx = OpenSSL::SSL::SSLContext.new
++        if defined?(OpenSSL::SSL::OP_NO_TICKET)
++          # disable RFC4507 support
++          ctx.options = OpenSSL::SSL::OP_NO_TICKET
++        end
++        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
++        ssl.sync_close = true
++        ssl.hostname = (i & 1 == 0) ? 'foo.example.com' : 'bar.example.com'
++        ssl.connect
++
++        str = "x" * 100 + "\n"
++        ssl.puts(str)
++        assert_equal(str, ssl.gets)
++
++        ssl.close
++      end
++    end
++  end
+ end
+ 
+ end
+Index: test/openssl/max.pem
+===================================================================
+--- test/openssl/max.pem	(.../ruby_1_8_7/test/openssl)	(revision 0)
++++ test/openssl/max.pem	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -0,0 +1,29 @@
++-----BEGIN CERTIFICATE-----
++MIIE4zCCA8ugAwIBAgIDBbhlMA0GCSqGSIb3DQEBBQUAMIGXMQswCQYDVQQGEwJB
++VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
++bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMR4wHAYDVQQLDBVhLXNpZ24tUHJl
++bWl1bS1FbmMtMDIxHjAcBgNVBAMMFWEtc2lnbi1QcmVtaXVtLUVuYy0wMjAeFw0w
++OTA2MjYwOTExMzZaFw0xNDA2MjYwOTExMzZaMGAxCzAJBgNVBAYTAkFUMRcwFQYD
++VQQDDA5NYXggTXVzdGVybWFubjETMBEGA1UEBAwKTXVzdGVybWFubjEMMAoGA1UE
++KgwDTWF4MRUwEwYDVQQFEww3NTkzNjIxNTE2MTYwgd8wDQYJKoZIhvcNAQEBBQAD
++gc0AMIHJAoHBAO+1eEcrMoYJ2S2iybcqUEzIxKQ9yJJL0XRNQSrKo/bDOBibfQ3H
++E/TExiivgdXG2p0UjuPO1NEFgxhT5gtdaLthV2Kuokb+vbp3mWoUGz+uHIILT2zJ
++TG6Yz6sooi/ppNIagFx3qAdFes8QMAereZQp0zzphK/a21FTLk0GVHpw+DWn7NRn
++ynDVY0XgFkHXS4uHSfZDhzMGXVef3+SJLQzsV8R1ThMYQeoizA7tj6hT3YeBID2E
++lh86V1Z8XuznUQIDAQABo4IBsDCCAawwEwYDVR0jBAwwCoAIRyFHjpdh4x4wewYI
++KwYBBQUHAQEEbzBtMEIGCCsGAQUFBzAChjZodHRwOi8vd3d3LmEtdHJ1c3QuYXQv
++Y2VydHMvYS1zaWduLVByZW1pdW0tRW5jLTAyYS5jcnQwJwYIKwYBBQUHMAGGG2h0
++dHA6Ly9vY3NwLmEtdHJ1c3QuYXQvb2NzcDBNBgNVHSAERjBEMEIGBiooABEBDDA4
++MDYGCCsGAQUFBwIBFipodHRwOi8vd3d3LmEtdHJ1c3QuYXQvZG9jcy9jcC9hLXNp
++Z24tdG9rZW4wgZoGA1UdHwSBkjCBjzCBjKCBiaCBhoaBg2xkYXA6Ly9sZGFwLmEt
++dHJ1c3QuYXQvb3U9YS1zaWduLVByZW1pdW0tRW5jLTAyLG89QS1UcnVzdCxjPUFU
++P2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3Q/YmFzZT9vYmplY3RjbGFzcz1laWRD
++ZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MBEGA1UdDgQKBAhMueHceqw1zzAOBgNVHQ8B
++Af8EBAMCBLAwCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEASLyAbafKFN5h
++0Mkk0QQoUl4Uvl+yy2ECe/QWNmDQpd7UCw1UAKrMvR8p6OcBiTnvbvg1HnbWI3Hy
++BaEhGAhb1tziWkbV93z1NQCIt8hmdqE7GEp58ptYSuzwev6rgO/RZIxI9FCQn9kJ
++ruGTM8hOIkh3QEy7Mq6utquMOEO0hQSUOvZkJdaSqHAoh2I3SzsxGr3juAa61x+0
++K8kW1ZgIsc0jhhb3NOyso48AqDK6oqwfiC6fp/HzSB5gycLllWrgUnMeae6Axbag
++dImyOtaoxhIwZCr1tjTaQmaNK49kpvDGlIuDIQHf8uZgAoyduQfAvwiQ0llu5Ns2
++AOs41se+Gg==
++-----END CERTIFICATE-----
+
+Property changes on: max.pem
+___________________________________________________________________
+Added: svn:eol-style
+   + LF
+
+Index: test/openssl/test_config.rb
+===================================================================
+--- test/openssl/test_config.rb	(.../ruby_1_8_7/test/openssl)	(revision 0)
++++ test/openssl/test_config.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -0,0 +1,16 @@
++require 'openssl'
++require "test/unit"
++
++class OpenSSL::TestConfig < Test::Unit::TestCase
++  def test_freeze
++    c = OpenSSL::Config.new
++    c['foo'] = [['key', 'value']]
++    c.freeze
++
++    # [ruby-core:18377]
++    # RuntimeError for 1.9, TypeError for 1.8
++    assert_raise(TypeError, /frozen/) do
++      c['foo'] = [['key', 'wrong']]
++    end
++  end
++end
+
+Property changes on: test_config.rb
+___________________________________________________________________
+Added: svn:eol-style
+   + LF
+
+Index: test/openssl/test_x509name.rb
+===================================================================
+--- test/openssl/test_x509name.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_x509name.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -6,6 +6,8 @@
+ 
+ if defined?(OpenSSL)
+ 
++require 'digest/md5'
++
+ class OpenSSL::TestX509Name < Test::Unit::TestCase
+   OpenSSL::ASN1::ObjectId.register(
+     "1.2.840.113549.1.9.1", "emailAddress", "emailAddress")
+@@ -261,6 +263,28 @@
+     assert_equal(OpenSSL::ASN1::IA5STRING, ary[3][2])
+     assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[4][2])
+   end
++
++  def name_hash(name)
++    # OpenSSL 1.0.0 uses SHA1 for canonical encoding (not just a der) of
++    # X509Name for X509_NAME_hash.
++    name.respond_to?(:hash_old) ? name.hash_old : name.hash
++  end
++
++  def calc_hash(d)
++    (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
++  end
++
++  def test_hash
++    dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org"
++    name = OpenSSL::X509::Name.parse(dn)
++    d = Digest::MD5.digest(name.to_der)
++    assert_equal(calc_hash(d), name_hash(name))
++    #
++    dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org"
++    name = OpenSSL::X509::Name.parse(dn)
++    d = Digest::MD5.digest(name.to_der)
++    assert_equal(calc_hash(d), name_hash(name))
++  end
+ end
+ 
+ end
+Index: test/openssl/test_x509crl.rb
+===================================================================
+--- test/openssl/test_x509crl.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_x509crl.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -125,13 +125,13 @@
+   def test_extension
+     cert_exts = [
+       ["basicConstraints", "CA:TRUE", true],
+-      ["subjectKeyIdentifier", "hash", false], 
+-      ["authorityKeyIdentifier", "keyid:always", false], 
++      ["subjectKeyIdentifier", "hash", false],
++      ["authorityKeyIdentifier", "keyid:always", false],
+       ["subjectAltName", "email:xyzzy@ruby-lang.org", false],
+       ["keyUsage", "cRLSign, keyCertSign", true],
+     ]
+     crl_exts = [
+-      ["authorityKeyIdentifier", "keyid:always", false], 
++      ["authorityKeyIdentifier", "keyid:always", false],
+       ["issuerAltName", "issuer:copy", false],
+     ]
+ 
+@@ -190,6 +190,30 @@
+     assert_match((2**100).to_s, crl.extensions[0].value)
+   end
+ 
++  def test_sign_and_verify_wrong_key_type
++    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
++                      nil, nil, OpenSSL::Digest::SHA1.new)
++    crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
++                    cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
++    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
++                      nil, nil, OpenSSL::Digest::DSS1.new)
++    crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
++                    cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
++    begin
++      assert_equal(false, crl_rsa.verify(@dsa256))
++    rescue OpenSSL::X509::CRLError => e
++      # OpenSSL 1.0.0 added checks for pkey OID
++      assert_equal('wrong public key type', e.message)
++    end
++
++    begin
++      assert_equal(false, crl_dsa.verify(@rsa1024))
++    rescue OpenSSL::X509::CRLError => e
++      # OpenSSL 1.0.0 added checks for pkey OID
++      assert_equal('wrong public key type', e.message)
++    end
++  end
++
+   def test_sign_and_verify
+     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                       nil, nil, OpenSSL::Digest::SHA1.new)
+@@ -197,8 +221,6 @@
+                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+     assert_equal(false, crl.verify(@rsa1024))
+     assert_equal(true,  crl.verify(@rsa2048))
+-    assert_equal(false, crl.verify(@dsa256))
+-    assert_equal(false, crl.verify(@dsa512))
+     crl.version = 0
+     assert_equal(false, crl.verify(@rsa2048))
+ 
+@@ -206,13 +228,26 @@
+                       nil, nil, OpenSSL::Digest::DSS1.new)
+     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
+                     cert, @dsa512, OpenSSL::Digest::DSS1.new)
+-    assert_equal(false, crl.verify(@rsa1024))
+-    assert_equal(false, crl.verify(@rsa2048))
+     assert_equal(false, crl.verify(@dsa256))
+     assert_equal(true,  crl.verify(@dsa512))
+     crl.version = 0
+     assert_equal(false, crl.verify(@dsa512))
+   end
++
++  def test_create_from_pem
++    crl = <<END
++-----BEGIN X509 CRL-----
++MIHkME8CAQEwDQYJKoZIhvcNAQEFBQAwDTELMAkGA1UEAwwCY2EXDTA5MDUyMzEw
++MTkyM1oXDTE0MDUyMjEwMTkyM1qgDjAMMAoGA1UdFAQDAgEAMA0GCSqGSIb3DQEB
++BQUAA4GBAGrGXN03TQdoluA5Xjv64We9EOvmE0EviKMeaZ/n8krEwFhUK7Yq3GVD
++BFrb40cdFX1433buCZHG7Tq7eGv8cG1eO5RasuiedurMQXmVRDTDjGor/58Dk/Wy
++owO/GR8ASm6Fx6AUKEgLAaoaaptpaWtEB+N4uaGvc0LFO9WY+ZMq
++-----END X509 CRL-----
++END
++    crl = OpenSSL::X509::CRL.new(crl)
++    assert_equal(1, crl.version)
++    assert_equal(OpenSSL::X509::Name.parse("/CN=ca").to_der, crl.issuer.to_der)
++  end
+ end
+ 
+ end
+Index: test/openssl/common.pem
+===================================================================
+--- test/openssl/common.pem	(.../ruby_1_8_7/test/openssl)	(revision 0)
++++ test/openssl/common.pem	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -0,0 +1,48 @@
++-----BEGIN CERTIFICATE-----
++MIIIgTCCB2mgAwIBAgICGuwwDQYJKoZIhvcNAQEFBQAwgeAxCzAJBgNVBAYTAkVT
++MS4wLAYJKoZIhvcNAQkBFh9hY19jYW1lcmZpcm1hX2NjQGNhbWVyZmlybWEuY29t
++MUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNh
++bWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGTAXBgNV
++BAoTEEFDIENhbWVyZmlybWEgU0ExLTArBgNVBAMTJEFDIENhbWVyZmlybWEgQ2Vy
++dGlmaWNhZG9zIENhbWVyYWxlczAeFw0wNTA0MDgxMDUxMDBaFw0wOTA0MDcxMDUx
++MDBaMIIBsDELMAkGA1UEBhMCRVMxHzAdBgNVBAMTFkNlcnRpZmljYWRvIGRlIFBy
++dWViYXMxIjAgBgkqhkiG9w0BCQEWE2luZm9AY2FtZXJmaXJtYS5jb20xEjAQBgNV
++BAUTCTEyMzQ1Njc4WjETMBEGA1UEBBMKZGUgUHJ1ZWJhczEUMBIGA1UEKhMLQ2Vy
++dGlmaWNhZG8xTjBMBgorBgEEAYGHLh4CEz5DSUYgSVZBIChWQVQgbnVtYmVyIGFz
++IGJ5IGFydGljbGUgMjhoIG9mIERpcmVjdGl2ZSA3Ny8zODgvRUVDKTEbMBkGCisG
++AQQBgYcuHgMTC0VTQTAwMTIzNDU2MR0wGwYDVQQKExRPIERFTU8gQUMgQ2FtZXJm
++aXJtYTEeMBwGA1UECxMVT1UgREVNTyBBQyBDYW1lcmZpcm1hMR0wGwYDVQQMExRU
++IERFTU8gQUMgQ2FtZXJmaXJtYTFSMFAGA1UEDRNJQ2hhbWJlcnMgb2YgQ29tbWVy
++Y2UgUXVhbGlmaWVkIENlcnRpZmljYXRlOiBOYXR1cmFsIFBlcnNvbiBDQU0tUEYt
++U1ctS1BTQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwmt+Ul58DwnCmPvZ
++NiLJ7nXSIGBfb5hFEph7sP4NRFCVzLDOGpzIYTJ9CR+m0LVaUVTXgeLANjw1DEPC
++kplWfpQejO4/nPVfRalg2GosrmqnaN3Y1lurnpQGdCz7nLOYJdS1ME52mzau8OFZ
++1fSuM+/jHfLvABuwaLXb0OvWlVMCAwEAAaOCA/QwggPwMAwGA1UdEwEB/wQCMAAw
++DgYDVR0PAQH/BAQDAgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAR
++BglghkgBhvhCAQEEBAMCBaAwQgYJYIZIAYb4QgEDBDUWM1VSSTpodHRwOi8vY3Js
++LmNhbWVyZmlybWEuY29tL2FjX2NhbWVyZmlybWFfY2MuY2dpPzBGBglghkgBhvhC
++AQgEORY3VVJJOmh0dHA6Ly9jcHMuY2FtZXJmaXJtYS5jb20vY3BzL2FjX2NhbWVy
++ZmlybWFfY2MuaHRtbDA5BglghkgBhvhCAQ0ELBYqQ2VydGlmaWNhZG8gZGUgcHJ1
++ZWJhcyBzaW4gcmVzcG9uc2FiaWxpZGFkMB0GA1UdDgQWBBS0rINdIfvWilZ+sklt
++abvkb9harDB4BggrBgEFBQcBAQRsMGowQAYIKwYBBQUHMAKGNGh0dHA6Ly93d3cu
++Y2FtZXJmaXJtYS5jb20vY2VydHMvYWNfY2FtZXJmaXJtYV9jYy5jcnQwJgYIKwYB
++BQUHMAGGGmh0dHA6Ly9vY3NwLmNhbWVyZmlybWEuY29tMIGrBgNVHSMEgaMwgaCA
++FLYfTp0caJEuN3Jg4UaPWqUqMTG5oYGEpIGBMH8xCzAJBgNVBAYTAkVVMScwJQYD
++VQQKEx5BQyBDYW1lcmZpcm1hIFNBIENJRiBBODI3NDMyODcxIzAhBgNVBAsTGmh0
++dHA6Ly93d3cuY2hhbWJlcnNpZ24ub3JnMSIwIAYDVQQDExlDaGFtYmVycyBvZiBD
++b21tZXJjZSBSb290ggEFMHYGA1UdHwRvMG0wNKAyoDCGLmh0dHA6Ly9jcmwuY2Ft
++ZXJmaXJtYS5jb20vYWNfY2FtZXJmaXJtYV9jYy5jcmwwNaAzoDGGL2h0dHA6Ly9j
++cmwxLmNhbWVyZmlybWEuY29tL2FjX2NhbWVyZmlybWFfY2MuY3JsMB4GA1UdEQQX
++MBWBE2luZm9AY2FtZXJmaXJtYS5jb20wKgYDVR0SBCMwIYEfYWNfY2FtZXJmaXJt
++YV9jY0BjYW1lcmZpcm1hLmNvbTCBmgYDVR0gBIGSMIGPMIGMBg0rBgEEAYGHLgoJ
++AgEBMHswPwYIKwYBBQUHAgEWM2h0dHA6Ly9jcHMuY2FtZXJmaXJtYS5jb20vY3Bz
++L2FjX2NhbWVyZmlybWFfY2MuaHRtbDA4BggrBgEFBQcCAjAsGipDZXJ0aWZpY2Fk
++byBkZSBwcnVlYmFzIHNpbiByZXNwb25zYWJpbGlkYWQwLwYIKwYBBQUHAQMEIzAh
++MAgGBgQAjkYBATAVBgYEAI5GAQIwCxMDRVVSAgEAAgEBMA0GCSqGSIb3DQEBBQUA
++A4IBAQBBfXUkreSi+Zr696+HxCpZmwhko/JmF25C3rECXvZ7L2OXEBELxiygOBpm
++hs3EgRRTVA6tdWliPbI9m0Vp61qOYD566ilQspBS7MeGvNQoyyuk43EQakSCNZcl
++dE6mqjXl3OT4At57vvJOnlzeidqmrPM2ULfFMBD2K6oce3PelRdOvM8stYEwqpCu
++7/jC/F+Y8ZKJTroqOYv5saHozKSooq4QP9Xd1YOFrZlh5oP7B5lpfUmphQwi/+M5
++dUJywr3f+s5aaHlhkoPhNEmuhDK834PT6OekkSFCt3P/MBs71ERvSWgf1GcG+Vcm
++f9cJTANAF/i6XDLRAJPsvFkNpMfc
++-----END CERTIFICATE-----
+
+Property changes on: common.pem
+___________________________________________________________________
+Added: svn:eol-style
+   + LF
+
+Index: test/openssl/test_hmac.rb
+===================================================================
+--- test/openssl/test_hmac.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_hmac.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -4,15 +4,13 @@
+ end
+ require "test/unit"
+ 
+-if defined?(OpenSSL)
+-
+ class OpenSSL::TestHMAC < Test::Unit::TestCase
+   def setup
+-    @digest = OpenSSL::Digest::MD5.new
++    @digest = OpenSSL::Digest::MD5
+     @key = "KEY"
+     @data = "DATA"
+-    @h1 = OpenSSL::HMAC.new(@key, @digest)
+-    @h2 = OpenSSL::HMAC.new(@key, @digest)
++    @h1 = OpenSSL::HMAC.new(@key, @digest.new)
++    @h2 = OpenSSL::HMAC.new(@key, "MD5")
+   end
+ 
+   def teardown
+@@ -20,8 +18,14 @@
+ 
+   def test_hmac
+     @h1.update(@data)
+-    assert_equal(OpenSSL::HMAC.digest(@digest, @key, @data), @h1.digest, "digest")
+-    assert_equal(OpenSSL::HMAC.hexdigest(@digest, @key, @data), @h1.hexdigest, "hexdigest")
++    @h2.update(@data)
++    assert_equal(@h1.digest, @h2.digest)
++
++    assert_equal(OpenSSL::HMAC.digest(@digest.new, @key, @data), @h1.digest, "digest")
++    assert_equal(OpenSSL::HMAC.hexdigest(@digest.new, @key, @data), @h1.hexdigest, "hexdigest")
++
++    assert_equal(OpenSSL::HMAC.digest("MD5", @key, @data), @h2.digest, "digest")
++    assert_equal(OpenSSL::HMAC.hexdigest("MD5", @key, @data), @h2.hexdigest, "hexdigest")
+   end
+ 
+   def test_dup
+@@ -29,6 +33,14 @@
+     h = @h1.dup
+     assert_equal(@h1.digest, h.digest, "dup digest")
+   end
+-end
+ 
++  def test_sha256
++    digest256 = OpenSSL::Digest::Digest.new("sha256")
++    assert_equal(
++      "\210\236-\3270\331Yq\265\177sE\266\231hXa\332\250\026\235O&c*\307\001\227~\260n\362",
++      OpenSSL::HMAC.digest(digest256, 'blah', "blah"))
++    assert_equal(
++      "889e2dd730d95971b57f7345b699685861daa8169d4f26632ac701977eb06ef2",
++      OpenSSL::HMAC.hexdigest(digest256, 'blah', "blah"))
++  end
+ end
+Index: test/openssl/test_cipher.rb
+===================================================================
+--- test/openssl/test_cipher.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_cipher.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -12,6 +12,7 @@
+     @c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC")
+     @key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+     @iv = "\0\0\0\0\0\0\0\0"
++    @iv1 = "\1\1\1\1\1\1\1\1"
+     @hexkey = "0000000000000000000000000000000000000000000000"
+     @hexiv = "0000000000000000"
+     @data = "DATA"
+@@ -63,11 +64,82 @@
+     assert_equal(s1, s2, "encrypt reset")
+   end
+ 
++  def test_set_iv
++    @c1.encrypt
++    @c1.key = @key
++    @c1.iv = @iv
++    s1 = @c1.update(@data) + @c1.final
++    @c1.iv = @iv1
++    s1 += @c1.update(@data) + @c1.final
++    @c1.reset
++    @c1.iv = @iv
++    s2 = @c1.update(@data) + @c1.final
++    @c1.iv = @iv1
++    s2 += @c1.update(@data) + @c1.final
++    assert_equal(s1, s2, "encrypt reset")
++  end
++
+   def test_empty_data
+     @c1.encrypt
+-    assert_raises(ArgumentError){ @c1.update("") }
++    assert_raise(ArgumentError){ @c1.update("") }
+   end
+ 
++  def test_disable_padding(padding=0)
++    # assume a padding size of 8
++    # encrypt the data with padding
++    @c1.encrypt
++    @c1.key = @key
++    @c1.iv = @iv
++    encrypted_data = @c1.update(@data) + @c1.final
++    assert_equal(8, encrypted_data.size)
++    # decrypt with padding disabled
++    @c1.decrypt
++    @c1.padding = padding
++    decrypted_data = @c1.update(encrypted_data) + @c1.final
++    # check that the result contains the padding
++    assert_equal(8, decrypted_data.size)
++    assert_equal(@data, decrypted_data[0...@data.size])
++  end
++
++  if RUBY_PLATFORM =~ /java/
++    # JRuby extension - using Java padding types
++
++    def test_disable_padding_javastyle
++      test_disable_padding('NoPadding')
++    end
++
++    def test_iso10126_padding
++      @c1.encrypt
++      @c1.key = @key
++      @c1.iv = @iv
++      @c1.padding = 'ISO10126Padding'
++      encrypted_data = @c1.update(@data) + @c1.final
++      # decrypt with padding disabled to see the padding
++      @c1.decrypt
++      @c1.padding = 0
++      decrypted_data = @c1.update(encrypted_data) + @c1.final
++      assert_equal(@data, decrypted_data[0...@data.size])
++      # last byte should be the amount of padding
++      assert_equal(4, decrypted_data[-1])
++    end
++
++    def test_iso10126_padding_boundry
++      @data = 'HELODATA' # 8 bytes, same as padding size
++      @c1.encrypt
++      @c1.key = @key
++      @c1.iv = @iv
++      @c1.padding = 'ISO10126Padding'
++      encrypted_data = @c1.update(@data) + @c1.final
++      # decrypt with padding disabled to see the padding
++      @c1.decrypt
++      @c1.padding = 0
++      decrypted_data = @c1.update(encrypted_data) + @c1.final
++      assert_equal(@data, decrypted_data[0...@data.size])
++      # padding should be one whole block
++      assert_equal(8, decrypted_data[-1])
++    end
++  end
++
+   if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00907000
+     def test_ciphers
+       OpenSSL::Cipher.ciphers.each{|name|
+@@ -90,6 +162,30 @@
+       }
+     end
+   end
++
++  # JRUBY-4028
++  def test_jruby_4028
++    key = "0599E113A7EE32A9"
++    data = "1234567890~5J96LC303C1D22DD~20090930005944~http%3A%2F%2Flocalhost%3A8080%2Flogin%3B0%3B1~http%3A%2F%2Fmix-stage.oracle.com%2F~00"
++    c1 = OpenSSL::Cipher::Cipher.new("DES-CBC")
++    c1.padding = 0
++    c1.iv = "0" * 8
++    c1.encrypt
++    c1.key = key
++    e = c1.update data
++    e << c1.final
++
++    c2 = OpenSSL::Cipher::Cipher.new("DES-CBC")
++    c2.padding = 0
++    c2.iv = "0" * 8
++    c2.decrypt
++    c2.key = key
++    d = c2.update e
++    d << c2.final
++
++    assert_equal "\342\320B.\300&X\310\344\253\025\215\017*\22015\344\024D\342\213\361\336\311\271\326\016\243\214\026\2545\002\237,\017s\202\316&Ew\323\221H\376\200\304\201\365\332Im\240\361\037\246\3536\001A2\341\324o0\350\364%=\325\330\240\324u\225\304h\277\272\361f\024\324\352\336\353N\002/]C\370!\003)\212oa\225\207\333\340\245\207\024\351\037\327[\212\001{\216\f\315\345\372\v\226\r\233?\002\vJK", e
++    assert_equal data, d
++  end
+ end
+ 
+ end
+Index: test/openssl/test_x509req.rb
+===================================================================
+--- test/openssl/test_x509req.rb	(.../ruby_1_8_7/test/openssl)	(revision 27451)
++++ test/openssl/test_x509req.rb	(.../ruby_1_8/test/openssl)	(revision 27451)
+@@ -103,38 +103,89 @@
+     assert_equal(exts, get_ext_req(attrs[1].value))
+   end
+ 
++  def test_sign_and_verify_wrong_key_type
++    req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
++    req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
++    begin
++      assert_equal(false, req_rsa.verify(@dsa256))
++    rescue OpenSSL::X509::RequestError => e
++      # OpenSSL 1.0.0 added checks for pkey OID
++      assert_equal('wrong public key type', e.message)
++    end
++
++    begin
++      assert_equal(false, req_dsa.verify(@rsa1024))
++    rescue OpenSSL::X509::RequestError => e
++      # OpenSSL 1.0.0 added checks for pkey OID
++      assert_equal('wrong public key type', e.message)
++    end
++  end
++
+   def test_sign_and_verify
+     req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+     assert_equal(true,  req.verify(@rsa1024))
+     assert_equal(false, req.verify(@rsa2048))
+-    assert_equal(false, req.verify(@dsa256))
+-    assert_equal(false, req.verify(@dsa512))
+     req.version = 1
+     assert_equal(false, req.verify(@rsa1024))
+ 
+     req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new)
+     assert_equal(false, req.verify(@rsa1024))
+     assert_equal(true,  req.verify(@rsa2048))
+-    assert_equal(false, req.verify(@dsa256))
+-    assert_equal(false, req.verify(@dsa512))
+     req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
+     assert_equal(false, req.verify(@rsa2048))
+ 
+     req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+-    assert_equal(false, req.verify(@rsa1024))
+-    assert_equal(false, req.verify(@rsa2048))
+     assert_equal(false, req.verify(@dsa256))
+     assert_equal(true,  req.verify(@dsa512))
+     req.public_key = @rsa1024.public_key
+     assert_equal(false, req.verify(@dsa512))
++  end
+ 
+-    assert_raise(OpenSSL::X509::RequestError){
+-      issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) }
+-    assert_raise(OpenSSL::X509::RequestError){
+-      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) }
+-    assert_raise(OpenSSL::X509::RequestError){
+-      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
++  def test_dsig_algorithm_mismatch
++    assert_raise(OpenSSL::X509::RequestError) do
++      issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new)
++    end
++    assert_raise(OpenSSL::X509::RequestError) do
++      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new)
++    end
+   end
++
++  def test_create_from_pem
++    req = <<END
++-----BEGIN CERTIFICATE REQUEST-----
++MIIBVTCBvwIBADAWMRQwEgYDVQQDDAsxOTIuMTY4LjAuNDCBnzANBgkqhkiG9w0B
++AQEFAAOBjQAwgYkCgYEA0oTTzFLydOTVtBpNdYl4S0356AysVkHlqD/tNEMxQT0l
++dXdNoDKb/3TfM5WMciNxBb8rImJ51vEIf6WaWvPbaawcmhNWA9JmhMIeFCdeXyu/
++XEjiiEOL4MkWf6qfsu6VoPr2YSnR0iiWLgWcnRPuy84+PE1XPPl1qGDA0apWJ9kC
++AwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAKdlyDzVrXRLkPdukQUTTy6uwhv35SKL
++FfiKDrHtnFYd7VbynQ1sRre5CknuRrm+E7aEJEwpz6MS+6nqmQ6JwGcm/hlZM/m7
++DVD201pI3p6LIxaRyXE20RYTp0Jj6jv+tNFd0wjVlzgStmcplNo8hu6Dtp1gKETW
++qL7M4i48FXHn
++-----END CERTIFICATE REQUEST-----
++END
++    req = OpenSSL::X509::Request.new(req)
++
++    assert_equal(0, req.version)
++    assert_equal(OpenSSL::X509::Name.parse("/CN=192.168.0.4").to_der, req.subject.to_der)
++  end
++
++  def test_create_to_pem
++    req_s = <<END
++-----BEGIN CERTIFICATE REQUEST-----
++MIIBVTCBvwIBADAWMRQwEgYDVQQDDAsxOTIuMTY4LjAuNDCBnzANBgkqhkiG9w0B
++AQEFAAOBjQAwgYkCgYEA0oTTzFLydOTVtBpNdYl4S0356AysVkHlqD/tNEMxQT0l
++dXdNoDKb/3TfM5WMciNxBb8rImJ51vEIf6WaWvPbaawcmhNWA9JmhMIeFCdeXyu/
++XEjiiEOL4MkWf6qfsu6VoPr2YSnR0iiWLgWcnRPuy84+PE1XPPl1qGDA0apWJ9kC
++AwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAKdlyDzVrXRLkPdukQUTTy6uwhv35SKL
++FfiKDrHtnFYd7VbynQ1sRre5CknuRrm+E7aEJEwpz6MS+6nqmQ6JwGcm/hlZM/m7
++DVD201pI3p6LIxaRyXE20RYTp0Jj6jv+tNFd0wjVlzgStmcplNo8hu6Dtp1gKETW
++qL7M4i48FXHn
++-----END CERTIFICATE REQUEST-----
++END
++    req = OpenSSL::X509::Request.new(req_s)
++
++    assert_equal(req_s, req.to_pem)
++  end
+ end
+ 
+ end
diff --git a/ruby-1.8.x_openssl-1.0.patch b/ruby-1.8.x_openssl-1.0.patch
new file mode 100644
index 0000000..5b52fbe
--- /dev/null
+++ b/ruby-1.8.x_openssl-1.0.patch
@@ -0,0 +1,3407 @@
+Index: ext/openssl/ossl_pkey_dsa.c
+===================================================================
+--- ext/openssl/ossl_pkey_dsa.c.orig
++++ ext/openssl/ossl_pkey_dsa.c
+@@ -161,19 +161,19 @@ ossl_dsa_initialize(int argc, VALUE *arg
+ 	in = ossl_obj2bio(arg);
+ 	dsa = PEM_read_bio_DSAPrivateKey(in, NULL, ossl_pem_passwd_cb, passwd);
+ 	if (!dsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    dsa = PEM_read_bio_DSAPublicKey(in, NULL, NULL, NULL);
+ 	}
+ 	if (!dsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    dsa = PEM_read_bio_DSA_PUBKEY(in, NULL, NULL, NULL);
+ 	}
+ 	if (!dsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    dsa = d2i_DSAPrivateKey_bio(in, NULL);
+ 	}
+ 	if (!dsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    dsa = d2i_DSA_PUBKEY_bio(in, NULL);
+ 	}
+ 	BIO_free(in);
+@@ -289,7 +289,7 @@ ossl_dsa_to_der(VALUE self)
+     if((len = i2d_func(pkey->pkey.dsa, NULL)) <= 0)
+ 	ossl_raise(eDSAError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_func(pkey->pkey.dsa, &p) < 0)
+ 	ossl_raise(eDSAError, NULL);
+     ossl_str_adjust(str, p);
+@@ -387,7 +387,7 @@ static VALUE
+ ossl_dsa_sign(VALUE self, VALUE data)
+ {
+     EVP_PKEY *pkey;
+-    int buf_len;
++    unsigned int buf_len;
+     VALUE str;
+ 
+     GetPKeyDSA(self, pkey);
+@@ -396,7 +396,8 @@ ossl_dsa_sign(VALUE self, VALUE data)
+ 	ossl_raise(eDSAError, "Private DSA key needed!");
+     }
+     str = rb_str_new(0, ossl_dsa_buf_size(pkey));
+-    if (!DSA_sign(0, RSTRING_PTR(data), RSTRING_LEN(data), RSTRING_PTR(str),
++    if (!DSA_sign(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data),
++		  (unsigned char *)RSTRING_PTR(str),
+ 		  &buf_len, pkey->pkey.dsa)) { /* type is ignored (0) */
+ 	ossl_raise(eDSAError, NULL);
+     }
+@@ -420,8 +421,8 @@ ossl_dsa_verify(VALUE self, VALUE digest
+     StringValue(digest);
+     StringValue(sig);
+     /* type is ignored (0) */
+-    ret = DSA_verify(0, RSTRING_PTR(digest), RSTRING_LEN(digest),
+-		     RSTRING_PTR(sig), RSTRING_LEN(sig), pkey->pkey.dsa);
++    ret = DSA_verify(0, (unsigned char *)RSTRING_PTR(digest), RSTRING_LEN(digest),
++		     (unsigned char *)RSTRING_PTR(sig), RSTRING_LEN(sig), pkey->pkey.dsa);
+     if (ret < 0) {
+ 	ossl_raise(eDSAError, NULL);
+     }
+@@ -432,11 +433,11 @@ ossl_dsa_verify(VALUE self, VALUE digest
+     return Qfalse;
+ }
+ 
+-OSSL_PKEY_BN(dsa, p);
+-OSSL_PKEY_BN(dsa, q);
+-OSSL_PKEY_BN(dsa, g);
+-OSSL_PKEY_BN(dsa, pub_key);
+-OSSL_PKEY_BN(dsa, priv_key);
++OSSL_PKEY_BN(dsa, p)
++OSSL_PKEY_BN(dsa, q)
++OSSL_PKEY_BN(dsa, g)
++OSSL_PKEY_BN(dsa, pub_key)
++OSSL_PKEY_BN(dsa, priv_key)
+ 
+ /*
+  * INIT
+Index: ext/openssl/ossl_x509attr.c
+===================================================================
+--- ext/openssl/ossl_x509attr.c.orig
++++ ext/openssl/ossl_x509attr.c
+@@ -92,16 +92,17 @@ static VALUE
+ ossl_x509attr_initialize(int argc, VALUE *argv, VALUE self)
+ {
+     VALUE oid, value;
+-    X509_ATTRIBUTE *attr;
+-    unsigned char *p;
++    X509_ATTRIBUTE *attr, *x;
++    const unsigned char *p;
+ 
+     GetX509Attr(self, attr);
+     if(rb_scan_args(argc, argv, "11", &oid, &value) == 1){
+ 	oid = ossl_to_der_if_possible(oid);
+ 	StringValue(oid);
+-	p = RSTRING_PTR(oid);
+-	if(!d2i_X509_ATTRIBUTE((X509_ATTRIBUTE**)&DATA_PTR(self),
+-			       &p, RSTRING_LEN(oid))){
++	p = (unsigned char *)RSTRING_PTR(oid);
++	x = d2i_X509_ATTRIBUTE(&attr, &p, RSTRING_LEN(oid));
++	DATA_PTR(self) = attr;
++	if(!x){
+ 	    ossl_raise(eX509AttrError, NULL);
+ 	}
+ 	return self;
+@@ -212,15 +213,16 @@ ossl_x509attr_get_value(VALUE self)
+     if(OSSL_X509ATTR_IS_SINGLE(attr)){
+ 	length = i2d_ASN1_TYPE(attr->value.single, NULL);
+ 	str = rb_str_new(0, length);
+-	p = RSTRING_PTR(str);
++	p = (unsigned char *)RSTRING_PTR(str);
+ 	i2d_ASN1_TYPE(attr->value.single, &p);
+ 	ossl_str_adjust(str, p);
+     }
+     else{
+-	length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, NULL,
+-			i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
++	length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set,
++			(unsigned char **) NULL, i2d_ASN1_TYPE,
++			V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
+ 	str = rb_str_new(0, length);
+-	p = RSTRING_PTR(str);
++	p = (unsigned char *)RSTRING_PTR(str);
+ 	i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p,
+ 			i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
+ 	ossl_str_adjust(str, p);
+@@ -246,7 +248,7 @@ ossl_x509attr_to_der(VALUE self)
+     if((len = i2d_X509_ATTRIBUTE(attr, NULL)) <= 0)
+ 	ossl_raise(eX509AttrError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_X509_ATTRIBUTE(attr, &p) <= 0)
+ 	ossl_raise(eX509AttrError, NULL);
+     rb_str_set_len(str, p - (unsigned char*)RSTRING_PTR(str)); 
+Index: ext/openssl/ossl_ssl.c
+===================================================================
+--- ext/openssl/ossl_ssl.c.orig
++++ ext/openssl/ossl_ssl.c
+@@ -69,6 +69,9 @@ static const char *ossl_sslctx_attrs[] =
+     "verify_callback", "options", "cert_store", "extra_chain_cert",
+     "client_cert_cb", "tmp_dh_callback", "session_id_context",
+     "session_get_cb", "session_new_cb", "session_remove_cb",
++#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
++    "servername_cb",
++#endif
+ };
+ 
+ #define ossl_ssl_get_io(o)           rb_iv_get((o),"@io")
+@@ -86,7 +89,12 @@ static const char *ossl_sslctx_attrs[] =
+ #define ossl_ssl_set_tmp_dh(o,v)     rb_iv_set((o),"@tmp_dh",(v))
+ 
+ static const char *ossl_ssl_attr_readers[] = { "io", "context", };
+-static const char *ossl_ssl_attrs[] = { "sync_close", };
++static const char *ossl_ssl_attrs[] = {
++#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
++    "hostname",
++#endif
++    "sync_close", 
++};
+ 
+ ID ID_callback_state;
+ 
+@@ -297,7 +305,7 @@ ossl_ssl_verify_callback(int preverify_o
+ static VALUE
+ ossl_call_session_get_cb(VALUE ary)
+ {
+-    VALUE ssl_obj, sslctx_obj, cb, ret;
++    VALUE ssl_obj, sslctx_obj, cb;
+     
+     Check_Type(ary, T_ARRAY);
+     ssl_obj = rb_ary_entry(ary, 0);
+@@ -325,7 +333,7 @@ ossl_sslctx_session_get_cb(SSL *ssl, uns
+     ssl_obj = (VALUE)ptr;
+     ary = rb_ary_new2(2);
+     rb_ary_push(ary, ssl_obj);
+-    rb_ary_push(ary, rb_str_new(buf, len));
++    rb_ary_push(ary, rb_str_new((const char *)buf, len));
+ 
+     ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_get_cb, ary, &state);
+     if (state) {
+@@ -344,7 +352,7 @@ ossl_sslctx_session_get_cb(SSL *ssl, uns
+ static VALUE
+ ossl_call_session_new_cb(VALUE ary)
+ {
+-    VALUE ssl_obj, sslctx_obj, cb, ret;
++    VALUE ssl_obj, sslctx_obj, cb;
+     
+     Check_Type(ary, T_ARRAY);
+     ssl_obj = rb_ary_entry(ary, 0);
+@@ -387,10 +395,11 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL
+     return RTEST(ret_obj) ? 1 : 0;
+ }
+ 
++#if 0				/* unused */
+ static VALUE
+ ossl_call_session_remove_cb(VALUE ary)
+ {
+-    VALUE sslctx_obj, cb, ret;
++    VALUE sslctx_obj, cb;
+     
+     Check_Type(ary, T_ARRAY);
+     sslctx_obj = rb_ary_entry(ary, 0);
+@@ -400,6 +409,7 @@ ossl_call_session_remove_cb(VALUE ary)
+ 
+     return rb_funcall(cb, rb_intern("call"), 1, ary);
+ }
++#endif
+ 
+ static void
+ ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
+@@ -446,6 +456,66 @@ ossl_sslctx_add_extra_chain_cert_i(VALUE
+     return i;
+ }
+ 
++static VALUE ossl_sslctx_setup(VALUE self);
++
++#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
++static VALUE
++ossl_call_servername_cb(VALUE ary)
++{
++    VALUE ssl_obj, sslctx_obj, cb, ret_obj;
++
++    Check_Type(ary, T_ARRAY);
++    ssl_obj = rb_ary_entry(ary, 0);
++
++    sslctx_obj = rb_iv_get(ssl_obj, "@context");
++    if (NIL_P(sslctx_obj)) return Qnil;
++    cb = rb_iv_get(sslctx_obj, "@servername_cb");
++    if (NIL_P(cb)) return Qnil;
++
++    ret_obj = rb_funcall(cb, rb_intern("call"), 1, ary);
++    if (rb_obj_is_kind_of(ret_obj, cSSLContext)) {
++        SSL *ssl;
++        SSL_CTX *ctx2;
++
++        ossl_sslctx_setup(ret_obj);
++        Data_Get_Struct(ssl_obj, SSL, ssl);
++        Data_Get_Struct(ret_obj, SSL_CTX, ctx2);
++        SSL_set_SSL_CTX(ssl, ctx2);
++    } else if (!NIL_P(ret_obj)) {
++            rb_raise(rb_eArgError, "servername_cb must return an OpenSSL::SSL::SSLContext object or nil");
++    }
++
++    return ret_obj;
++}
++
++static int
++ssl_servername_cb(SSL *ssl, int *ad, void *arg)
++{
++    VALUE ary, ssl_obj, ret_obj;
++    void *ptr;
++    int state = 0;
++    const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
++
++    if (!servername)
++        return SSL_TLSEXT_ERR_OK;
++
++    if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
++    	return SSL_TLSEXT_ERR_ALERT_FATAL;
++    ssl_obj = (VALUE)ptr;
++    ary = rb_ary_new2(2);
++    rb_ary_push(ary, ssl_obj);
++    rb_ary_push(ary, rb_str_new2(servername));
++
++    ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_servername_cb, ary, &state);
++    if (state) {
++        rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
++        return SSL_TLSEXT_ERR_ALERT_FATAL;
++    }
++
++    return SSL_TLSEXT_ERR_OK;
++}
++#endif
++
+ /*
+  * call-seq:
+  *    ctx.setup => Qtrue # first time
+@@ -563,7 +633,7 @@ ossl_sslctx_setup(VALUE self)
+     val = ossl_sslctx_get_sess_id_ctx(self);
+     if (!NIL_P(val)){
+ 	StringValue(val);
+-	if (!SSL_CTX_set_session_id_context(ctx, RSTRING_PTR(val),
++	if (!SSL_CTX_set_session_id_context(ctx, (unsigned char *)RSTRING_PTR(val),
+ 					    RSTRING_LEN(val))){
+ 	    ossl_raise(eSSLError, "SSL_CTX_set_session_id_context:");
+ 	}
+@@ -581,6 +651,15 @@ ossl_sslctx_setup(VALUE self)
+ 	SSL_CTX_sess_set_remove_cb(ctx, ossl_sslctx_session_remove_cb);
+ 	OSSL_Debug("SSL SESSION remove callback added");
+     }
++
++#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
++    val = rb_iv_get(self, "@servername_cb");
++    if (!NIL_P(val)) {
++        SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
++	OSSL_Debug("SSL TLSEXT servername callback added");
++    }
++#endif
++
+     return Qtrue;
+ }
+ 
+@@ -815,7 +894,6 @@ ossl_sslctx_flush_sessions(int argc, VAL
+     VALUE arg1;
+     SSL_CTX *ctx;
+     time_t tm = 0;
+-    int cb_state;
+ 
+     rb_scan_args(argc, argv, "01", &arg1);
+ 
+@@ -829,7 +907,7 @@ ossl_sslctx_flush_sessions(int argc, VAL
+         rb_raise(rb_eArgError, "arg must be Time or nil");
+     }
+ 
+-    SSL_CTX_flush_sessions(ctx, tm);
++    SSL_CTX_flush_sessions(ctx, (long)tm);
+ 
+     return self;
+ }
+@@ -887,6 +965,9 @@ ossl_ssl_initialize(int argc, VALUE *arg
+     ossl_ssl_set_ctx(self, ctx);
+     ossl_ssl_set_sync_close(self, Qfalse);
+     ossl_sslctx_setup(ctx);
++
++    rb_iv_set(self, "@hostname", Qnil);
++
+     rb_call_super(0, 0);
+ 
+     return self;
+@@ -902,6 +983,10 @@ ossl_ssl_setup(VALUE self)
+ 
+     Data_Get_Struct(self, SSL, ssl);
+     if(!ssl){
++#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
++	VALUE hostname = rb_iv_get(self, "@hostname");
++#endif
++
+         v_ctx = ossl_ssl_get_ctx(self);
+         Data_Get_Struct(v_ctx, SSL_CTX, ctx);
+ 
+@@ -911,6 +996,12 @@ ossl_ssl_setup(VALUE self)
+         }
+         DATA_PTR(self) = ssl;
+ 
++#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
++        if (!NIL_P(hostname)) {
++           if (SSL_set_tlsext_host_name(ssl, StringValuePtr(hostname)) != 1)
++               ossl_raise(eSSLError, "SSL_set_tlsext_host_name:");
++        }
++#endif
+         io = ossl_ssl_get_io(self);
+         GetOpenFile(io, fptr);
+         rb_io_check_readable(fptr);
+@@ -947,7 +1038,15 @@ ossl_start_ssl(VALUE self, int (*func)()
+     Data_Get_Struct(self, SSL, ssl);
+     GetOpenFile(ossl_ssl_get_io(self), fptr);
+     for(;;){
+-	if((ret = func(ssl)) > 0) break;
++	ret = func(ssl);
++
++        cb_state = rb_ivar_get(self, ID_callback_state);
++        if (!NIL_P(cb_state))
++            rb_jump_tag(NUM2INT(cb_state));
++
++	if (ret > 0)
++	    break;
++
+ 	switch((ret2 = ssl_get_error(ssl, ret))){
+ 	case SSL_ERROR_WANT_WRITE:
+             rb_io_wait_writable(FPTR_TO_FD(fptr));
+@@ -963,10 +1062,6 @@ ossl_start_ssl(VALUE self, int (*func)()
+ 	}
+     }
+ 
+-    cb_state = rb_ivar_get(self, ID_callback_state);
+-    if (!NIL_P(cb_state))
+-        rb_jump_tag(NUM2INT(cb_state));
+-
+     return self;
+ }
+ 
+@@ -1196,10 +1291,10 @@ ossl_ssl_get_peer_cert_chain(VALUE self)
+     }
+     chain = SSL_get_peer_cert_chain(ssl);
+     if(!chain) return Qnil;
+-    num = sk_num(chain);
++    num = sk_X509_num(chain);
+     ary = rb_ary_new2(num);
+     for (i = 0; i < num; i++){
+-	cert = (X509*)sk_value(chain, i);
++	cert = sk_X509_value(chain, i);
+ 	rb_ary_push(ary, ossl_x509_new(cert));
+     }
+ 
+@@ -1344,13 +1439,13 @@ Init_ossl_ssl()
+ 
+     ID_callback_state = rb_intern("@callback_state");
+ 
+-    ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_vcb_idx",0,0,0);
+-    ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,"ossl_ssl_ex_store_p",0,0,0);
+-    ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_ptr_idx",0,0,0);
++    ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_vcb_idx",0,0,0);
++    ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_store_p",0,0,0);
++    ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_ptr_idx",0,0,0);
+     ossl_ssl_ex_client_cert_cb_idx =
+-	SSL_get_ex_new_index(0,"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
++	SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
+     ossl_ssl_ex_tmp_dh_callback_idx =
+-	SSL_get_ex_new_index(0,"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
++	SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
+ 
+     mSSL = rb_define_module_under(mOSSL, "SSL");
+     eSSLError = rb_define_class_under(mSSL, "SSLError", eOSSLError);
+Index: ext/openssl/ossl_ocsp.c
+===================================================================
+--- ext/openssl/ossl_ocsp.c.orig
++++ ext/openssl/ossl_ocsp.c
+@@ -103,15 +103,17 @@ static VALUE
+ ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
+ {
+     VALUE arg;
+-    unsigned char *p;
++    const unsigned char *p;
+ 
+     rb_scan_args(argc, argv, "01", &arg);
+     if(!NIL_P(arg)){
++	OCSP_REQUEST *req = DATA_PTR(self), *x;
+ 	arg = ossl_to_der_if_possible(arg);
+ 	StringValue(arg);
+ 	p = (unsigned char*)RSTRING_PTR(arg);
+-	if(!d2i_OCSP_REQUEST((OCSP_REQUEST**)&DATA_PTR(self), &p,
+-			     RSTRING_LEN(arg))){
++	x = d2i_OCSP_REQUEST(&req, &p, RSTRING_LEN(arg));
++	DATA_PTR(self) = req;
++	if(!x){
+ 	    ossl_raise(eOCSPError, "cannot load DER encoded request");
+ 	}
+     }
+@@ -134,7 +136,7 @@ ossl_ocspreq_add_nonce(int argc, VALUE *
+     else{
+ 	StringValue(val);
+ 	GetOCSPReq(self, req);
+-	ret = OCSP_request_add1_nonce(req, RSTRING_PTR(val), RSTRING_LEN(val));
++	ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LEN(val));
+     }
+     if(!ret) ossl_raise(eOCSPError, NULL);
+ 
+@@ -265,7 +267,7 @@ ossl_ocspreq_to_der(VALUE self)
+     if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
+ 	ossl_raise(eOCSPError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_OCSP_REQUEST(req, &p) <= 0)
+ 	ossl_raise(eOCSPError, NULL);
+     ossl_str_adjust(str, p);
+@@ -310,15 +312,17 @@ static VALUE
+ ossl_ocspres_initialize(int argc, VALUE *argv, VALUE self)
+ {
+     VALUE arg;
+-    unsigned char *p;
++    const unsigned char *p;
+ 
+     rb_scan_args(argc, argv, "01", &arg);
+     if(!NIL_P(arg)){
++	OCSP_RESPONSE *res = DATA_PTR(self), *x;
+ 	arg = ossl_to_der_if_possible(arg);
+ 	StringValue(arg);
+-	p = RSTRING_PTR(arg);
+-	if(!d2i_OCSP_RESPONSE((OCSP_RESPONSE**)&DATA_PTR(self), &p,
+-			      RSTRING_LEN(arg))){
++	p = (unsigned char *)RSTRING_PTR(arg);
++	x = d2i_OCSP_RESPONSE(&res, &p, RSTRING_LEN(arg));
++	DATA_PTR(self) = res;
++	if(!x){
+ 	    ossl_raise(eOCSPError, "cannot load DER encoded response");
+ 	}
+     }
+@@ -377,8 +381,8 @@ ossl_ocspres_to_der(VALUE self)
+     if((len = i2d_OCSP_RESPONSE(res, NULL)) <= 0)
+ 	ossl_raise(eOCSPError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
+-    if(i2d_OCSP_RESPONSE(res, NULL) <= 0)
++    p = (unsigned char *)RSTRING_PTR(str);
++    if(i2d_OCSP_RESPONSE(res, &p) <= 0)
+ 	ossl_raise(eOCSPError, NULL);
+     ossl_str_adjust(str, p);
+ 
+@@ -436,7 +440,7 @@ ossl_ocspbres_add_nonce(int argc, VALUE
+     else{
+ 	StringValue(val);
+ 	GetOCSPBasicRes(self, bs);
+-	ret = OCSP_basic_add1_nonce(bs, RSTRING_PTR(val), RSTRING_LEN(val));
++	ret = OCSP_basic_add1_nonce(bs, (unsigned char *)RSTRING_PTR(val), RSTRING_LEN(val));
+     }
+     if(!ret) ossl_raise(eOCSPError, NULL);
+ 
+Index: ext/openssl/ossl_engine.c
+===================================================================
+--- ext/openssl/ossl_engine.c.orig
++++ ext/openssl/ossl_engine.c
+@@ -119,7 +119,7 @@ ossl_engine_s_by_id(VALUE klass, VALUE i
+     if(!ENGINE_init(e))
+ 	ossl_raise(eEngineError, NULL);
+     ENGINE_ctrl(e, ENGINE_CTRL_SET_PASSWORD_CALLBACK,
+-		0, NULL, (void(*)())ossl_pem_passwd_cb);
++                0, NULL, (void(*)(void))ossl_pem_passwd_cb);
+     ERR_clear_error();
+ 
+     return obj;
+@@ -326,7 +326,7 @@ static VALUE
+ ossl_engine_inspect(VALUE self)
+ {
+     VALUE str;
+-    char *cname = rb_class2name(rb_obj_class(self));
++    const char *cname = rb_class2name(rb_obj_class(self));
+     
+     str = rb_str_new2("#<");
+     rb_str_cat2(str, cname);
+Index: ext/openssl/ossl_config.c
+===================================================================
+--- ext/openssl/ossl_config.c.orig
++++ ext/openssl/ossl_config.c
+@@ -158,14 +158,6 @@ ossl_config_initialize(int argc, VALUE *
+     return self;
+ }
+ 
+-static void
+-rb_ossl_config_modify_check(VALUE config)
+-{
+-    if (OBJ_FROZEN(config)) rb_error_frozen("OpenSSL::Config");
+-    if (!OBJ_TAINTED(config) && rb_safe_level() >= 4)
+-	rb_raise(rb_eSecurityError, "Insecure: can't modify OpenSSL config");
+-}
+-
+ static VALUE
+ ossl_config_add_value(VALUE self, VALUE section, VALUE name, VALUE value)
+ {
+@@ -175,7 +167,6 @@ ossl_config_add_value(VALUE self, VALUE
+     CONF *conf;
+     CONF_VALUE *sv, *cv;
+ 
+-    rb_ossl_config_modify_check(self);
+     StringValue(section);
+     StringValue(name);
+     StringValue(value);
+@@ -201,6 +192,25 @@ ossl_config_add_value(VALUE self, VALUE
+ #endif
+ }
+ 
++static void
++rb_ossl_config_modify_check(VALUE config)
++{
++    if (OBJ_FROZEN(config)) rb_error_frozen("OpenSSL::Config");
++    if (!OBJ_TAINTED(config) && rb_safe_level() >= 4)
++	rb_raise(rb_eSecurityError, "Insecure: can't modify OpenSSL config");
++}
++
++static VALUE
++ossl_config_add_value_m(VALUE self, VALUE section, VALUE name, VALUE value)
++{
++#if defined(OSSL_NO_CONF_API)
++    rb_notimplement();
++#else
++    rb_ossl_config_modify_check(self);
++    return ossl_config_add_value(self, section, name, value);
++#endif
++}
++
+ static VALUE
+ ossl_config_get_value(VALUE self, VALUE section, VALUE name)
+ {
+@@ -303,6 +313,12 @@ ossl_config_get_section_old(VALUE self,
+ }
+ 
+ #ifdef IMPLEMENT_LHASH_DOALL_ARG_FN
++#define IMPLEMENT_LHASH_DOALL_ARG_FN_098(f_name,o_type,a_type) \
++            void f_name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \
++		                o_type a = (o_type)arg1; \
++		                a_type b = (a_type)arg2; \
++		                f_name(a,b); }
++
+ static void
+ get_conf_section(CONF_VALUE *cv, VALUE ary)
+ {
+@@ -310,7 +326,7 @@ get_conf_section(CONF_VALUE *cv, VALUE a
+     rb_ary_push(ary, rb_str_new2(cv->section));
+ }
+ 
+-static IMPLEMENT_LHASH_DOALL_ARG_FN(get_conf_section, CONF_VALUE*, VALUE);
++static IMPLEMENT_LHASH_DOALL_ARG_FN_098(get_conf_section, CONF_VALUE*, VALUE)
+ 
+ static VALUE
+ ossl_config_get_sections(VALUE self)
+@@ -348,7 +364,7 @@ dump_conf_value(CONF_VALUE *cv, VALUE st
+     rb_str_cat2(str, "\n");
+ }
+ 
+-static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE*, VALUE);
++static IMPLEMENT_LHASH_DOALL_ARG_FN_098(dump_conf_value, CONF_VALUE*, VALUE)
+ 
+ static VALUE
+ dump_conf(CONF *conf)
+@@ -392,13 +408,15 @@ each_conf_value(CONF_VALUE *cv, void* du
+     }
+ }
+ 
+-static IMPLEMENT_LHASH_DOALL_ARG_FN(each_conf_value, CONF_VALUE*, void*);
++static IMPLEMENT_LHASH_DOALL_ARG_FN_098(each_conf_value, CONF_VALUE*, void*)
+ 
+ static VALUE
+ ossl_config_each(VALUE self)
+ {
+     CONF *conf;
+ 
++    RETURN_ENUMERATOR(self, 0, 0);
++
+     GetConfig(self, conf);
+     lh_doall_arg(conf->data, LHASH_DOALL_ARG_FN(each_conf_value), (void*)NULL);
+ 
+@@ -431,7 +449,7 @@ static VALUE
+ ossl_config_inspect(VALUE self)
+ {
+     VALUE str, ary = ossl_config_get_sections(self);
+-    char *cname = rb_class2name(rb_obj_class(self));
++    const char *cname = rb_class2name(rb_obj_class(self));
+ 
+     str = rb_str_new2("#<");
+     rb_str_cat2(str, cname);
+@@ -448,11 +466,14 @@ ossl_config_inspect(VALUE self)
+ void
+ Init_ossl_config()
+ {
++    char *default_config_file;
+     eConfigError = rb_define_class_under(mOSSL, "ConfigError", eOSSLError);
+     cConfig = rb_define_class_under(mOSSL, "Config", rb_cObject);
+ 
++    default_config_file = CONF_get1_default_config_file();
+     rb_define_const(cConfig, "DEFAULT_CONFIG_FILE",
+-		    rb_str_new2(CONF_get1_default_config_file()));
++		    rb_str_new2(default_config_file));
++    OPENSSL_free(default_config_file);
+     rb_include_module(cConfig, rb_mEnumerable);
+     rb_define_singleton_method(cConfig, "parse", ossl_config_s_parse, 1);
+     rb_define_alias(CLASS_OF(cConfig), "load", "new");
+@@ -461,7 +482,7 @@ Init_ossl_config()
+     rb_define_method(cConfig, "initialize", ossl_config_initialize, -1);
+     rb_define_method(cConfig, "get_value", ossl_config_get_value, 2);
+     rb_define_method(cConfig, "value", ossl_config_get_value_old, -1);
+-    rb_define_method(cConfig, "add_value", ossl_config_add_value, 3);
++    rb_define_method(cConfig, "add_value", ossl_config_add_value_m, 3);
+     rb_define_method(cConfig, "[]", ossl_config_get_section, 1);
+     rb_define_method(cConfig, "section", ossl_config_get_section_old, 1);
+     rb_define_method(cConfig, "[]=", ossl_config_set_section, 2);
+Index: ext/openssl/ossl_hmac.c
+===================================================================
+--- ext/openssl/ossl_hmac.c.orig
++++ ext/openssl/ossl_hmac.c
+@@ -42,7 +42,7 @@ static void
+ ossl_hmac_free(HMAC_CTX *ctx)
+ {
+     HMAC_CTX_cleanup(ctx);
+-    free(ctx);
++    ruby_xfree(ctx);
+ }
+ 
+ static VALUE
+@@ -103,13 +103,13 @@ ossl_hmac_update(VALUE self, VALUE data)
+ 
+     StringValue(data);
+     GetHMAC(self, ctx);
+-    HMAC_Update(ctx, RSTRING_PTR(data), RSTRING_LEN(data));
++    HMAC_Update(ctx, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data));
+ 
+     return self;
+ }
+ 
+ static void
+-hmac_final(HMAC_CTX *ctx, char **buf, int *buf_len)
++hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
+ {
+     HMAC_CTX final;
+ 
+@@ -132,13 +132,13 @@ static VALUE
+ ossl_hmac_digest(VALUE self)
+ {
+     HMAC_CTX *ctx;
+-    char *buf;
+-    int buf_len;
++    unsigned char *buf;
++    unsigned int buf_len;
+     VALUE digest;
+ 	
+     GetHMAC(self, ctx);
+     hmac_final(ctx, &buf, &buf_len);
+-    digest = ossl_buf2str(buf, buf_len);
++    digest = ossl_buf2str((char *)buf, buf_len);
+     
+     return digest;
+ }
+@@ -152,8 +152,9 @@ static VALUE
+ ossl_hmac_hexdigest(VALUE self)
+ {
+     HMAC_CTX *ctx;
+-    char *buf, *hexbuf;
+-    int buf_len;
++    unsigned char *buf;
++    char *hexbuf;
++    unsigned int buf_len;
+     VALUE hexdigest;
+ 	
+     GetHMAC(self, ctx);
+@@ -192,15 +193,15 @@ ossl_hmac_reset(VALUE self)
+ static VALUE
+ ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
+ {
+-    char *buf;
+-    int buf_len;
++    unsigned char *buf;
++    unsigned int buf_len;
+ 	
+     StringValue(key);
+     StringValue(data);
+     buf = HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LEN(key),
+-	       RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len);
++	       (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len);
+ 
+-    return rb_str_new(buf, buf_len);
++    return rb_str_new((const char *)buf, buf_len);
+ }
+ 
+ /*
+@@ -211,15 +212,16 @@ ossl_hmac_s_digest(VALUE klass, VALUE di
+ static VALUE
+ ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
+ {
+-    char *buf, *hexbuf;
+-    int buf_len;
++    unsigned char *buf;
++    char *hexbuf;
++    unsigned int buf_len;
+     VALUE hexdigest;
+ 
+     StringValue(key);
+     StringValue(data);
+ 	
+     buf = HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LEN(key),
+-	       RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len);
++	       (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len);
+     if (string2hex(buf, buf_len, &hexbuf, NULL) != 2 * buf_len) {
+ 	ossl_raise(eHMACError, "Cannot convert buf to hexbuf");
+     }
+Index: ext/openssl/ossl_cipher.c
+===================================================================
+--- ext/openssl/ossl_cipher.c.orig
++++ ext/openssl/ossl_cipher.c
+@@ -67,7 +67,7 @@ ossl_cipher_free(EVP_CIPHER_CTX *ctx)
+ {
+     if (ctx) {
+ 	EVP_CIPHER_CTX_cleanup(ctx);
+-	free(ctx);
++        ruby_xfree(ctx);
+     }
+ }
+ 
+@@ -124,12 +124,14 @@ ossl_cipher_copy(VALUE self, VALUE other
+     return self;
+ }
+ 
++#ifdef HAVE_OBJ_NAME_DO_ALL_SORTED
+ static void*
+ add_cipher_name_to_ary(const OBJ_NAME *name, VALUE ary)
+ {
+     rb_ary_push(ary, rb_str_new2(name->name));
+     return NULL;
+ }
++#endif
+ 
+ /*
+  *  call-seq:
+@@ -186,7 +188,7 @@ ossl_cipher_init(int argc, VALUE *argv,
+ 	 * We deprecated the arguments for this method, but we decided
+ 	 * keeping this behaviour for backward compatibility.
+ 	 */
+-	char *cname  = rb_class2name(rb_obj_class(self));
++	const char *cname  = rb_class2name(rb_obj_class(self));
+ 	rb_warn("argumtents for %s#encrypt and %s#decrypt were deprecated; "
+                 "use %s#pkcs5_keyivgen to derive key and IV",
+                 cname, cname, cname);
+@@ -202,7 +204,7 @@ ossl_cipher_init(int argc, VALUE *argv,
+ 	    else memcpy(iv, RSTRING_PTR(init_v), sizeof(iv));
+ 	}
+ 	EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv,
+-		       RSTRING_PTR(pass), RSTRING_LEN(pass), 1, key, NULL);
++		       (unsigned char *)RSTRING_PTR(pass), RSTRING_LEN(pass), 1, key, NULL);
+ 	p_key = key;
+ 	p_iv = iv;
+     }
+@@ -279,13 +281,13 @@ ossl_cipher_pkcs5_keyivgen(int argc, VAL
+ 	StringValue(vsalt);
+ 	if(RSTRING_LEN(vsalt) != PKCS5_SALT_LEN)
+ 	    rb_raise(eCipherError, "salt must be an 8-octet string");
+-	salt = RSTRING_PTR(vsalt);
++	salt = (unsigned char *)RSTRING_PTR(vsalt);
+     }
+     iter = NIL_P(viter) ? 2048 : NUM2INT(viter);
+     digest = NIL_P(vdigest) ? EVP_md5() : GetDigestPtr(vdigest);
+     GetCipher(self, ctx);
+     EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), digest, salt,
+-		   RSTRING_PTR(vpass), RSTRING_LEN(vpass), iter, key, iv); 
++		   (unsigned char *)RSTRING_PTR(vpass), RSTRING_LEN(vpass), iter, key, iv); 
+     if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, -1) != 1)
+ 	ossl_raise(eCipherError, NULL);
+     OPENSSL_cleanse(key, sizeof key);
+@@ -297,26 +299,6 @@ ossl_cipher_pkcs5_keyivgen(int argc, VAL
+ 
+ /*
+  *  call-seq:
+- *     cipher << data -> string
+- *
+- *  === Parameters
+- *  +data+ is a nonempty string.
+- *
+- * This method is deprecated and not available in 1.9.x or later.
+- */
+-static VALUE
+-ossl_cipher_update_deprecated(VALUE self, VALUE data)
+-{
+-    char *cname;
+-
+-    cname = rb_class2name(rb_obj_class(self));
+-    rb_warning("%s#<< is deprecated; use %s#update instead", cname, cname);
+-    return rb_funcall(self, rb_intern("update"), 1, data);
+-}
+-
+-
+-/*
+- *  call-seq:
+  *     cipher.update(data [, buffer]) -> string or buffer
+  *
+  *  === Parameters
+@@ -327,14 +309,14 @@ static VALUE
+ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
+ {
+     EVP_CIPHER_CTX *ctx;
+-    char *in;
++    unsigned char *in;
+     int in_len, out_len;
+     VALUE data, str;
+ 
+     rb_scan_args(argc, argv, "11", &data, &str);
+ 
+     StringValue(data);
+-    in = RSTRING_PTR(data);
++    in = (unsigned char *)RSTRING_PTR(data);
+     if ((in_len = RSTRING_LEN(data)) == 0)
+         rb_raise(rb_eArgError, "data must not be empty");
+     GetCipher(self, ctx);
+@@ -347,7 +329,7 @@ ossl_cipher_update(int argc, VALUE *argv
+         rb_str_resize(str, out_len);
+     }
+ 
+-    if (!EVP_CipherUpdate(ctx, RSTRING_PTR(str), &out_len, in, in_len))
++    if (!EVP_CipherUpdate(ctx, (unsigned char *)RSTRING_PTR(str), &out_len, in, in_len))
+ 	ossl_raise(eCipherError, NULL);
+     assert(out_len < RSTRING_LEN(str));
+     rb_str_set_len(str, out_len);
+@@ -372,7 +354,7 @@ ossl_cipher_final(VALUE self)
+ 
+     GetCipher(self, ctx);
+     str = rb_str_new(0, EVP_CIPHER_CTX_block_size(ctx));
+-    if (!EVP_CipherFinal_ex(ctx, RSTRING_PTR(str), &out_len))
++    if (!EVP_CipherFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), &out_len))
+ 	ossl_raise(eCipherError, NULL);
+     assert(out_len <= RSTRING_LEN(str));
+     rb_str_set_len(str, out_len);
+@@ -415,7 +397,7 @@ ossl_cipher_set_key(VALUE self, VALUE ke
+     if (RSTRING_LEN(key) < EVP_CIPHER_CTX_key_length(ctx))
+         ossl_raise(eCipherError, "key length too short");
+ 
+-    if (EVP_CipherInit_ex(ctx, NULL, NULL, RSTRING_PTR(key), NULL, -1) != 1)
++    if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1)
+         ossl_raise(eCipherError, NULL);
+ 
+     return key;
+@@ -440,7 +422,7 @@ ossl_cipher_set_iv(VALUE self, VALUE iv)
+     if (RSTRING_LEN(iv) < EVP_CIPHER_CTX_iv_length(ctx))
+         ossl_raise(eCipherError, "iv length too short");
+ 
+-    if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, RSTRING_PTR(iv), -1) != 1)
++    if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, (unsigned char *)RSTRING_PTR(iv), -1) != 1)
+ 	ossl_raise(eCipherError, NULL);
+ 
+     return iv;
+@@ -551,9 +533,6 @@ Init_ossl_cipher(void)
+     rb_define_method(cCipher, "decrypt", ossl_cipher_decrypt, -1);
+     rb_define_method(cCipher, "pkcs5_keyivgen", ossl_cipher_pkcs5_keyivgen, -1);
+     rb_define_method(cCipher, "update", ossl_cipher_update, -1);
+-#if RUBY_VERSION_CODE < 190
+-    rb_define_method(cCipher, "<<", ossl_cipher_update_deprecated, 1);
+-#endif
+     rb_define_method(cCipher, "final", ossl_cipher_final, 0);
+     rb_define_method(cCipher, "name", ossl_cipher_name, 0);
+     rb_define_method(cCipher, "key=", ossl_cipher_set_key, 1);
+Index: ext/openssl/ossl_pkey_rsa.c
+===================================================================
+--- ext/openssl/ossl_pkey_rsa.c.orig
++++ ext/openssl/ossl_pkey_rsa.c
+@@ -151,23 +151,23 @@ ossl_rsa_initialize(int argc, VALUE *arg
+ 	in = ossl_obj2bio(arg);
+ 	rsa = PEM_read_bio_RSAPrivateKey(in, NULL, ossl_pem_passwd_cb, passwd);
+ 	if (!rsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);
+ 	}
+ 	if (!rsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    rsa = PEM_read_bio_RSA_PUBKEY(in, NULL, NULL, NULL);
+ 	}
+ 	if (!rsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    rsa = d2i_RSAPrivateKey_bio(in, NULL);
+ 	}
+ 	if (!rsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    rsa = d2i_RSAPublicKey_bio(in, NULL);
+ 	}
+ 	if (!rsa) {
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    rsa = d2i_RSA_PUBKEY_bio(in, NULL);
+ 	}
+ 	BIO_free(in);
+@@ -288,7 +288,7 @@ ossl_rsa_to_der(VALUE self)
+     if((len = i2d_func(pkey->pkey.rsa, NULL)) <= 0)
+ 	ossl_raise(eRSAError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_func(pkey->pkey.rsa, &p) < 0)
+ 	ossl_raise(eRSAError, NULL);
+     ossl_str_adjust(str, p);
+@@ -315,8 +315,8 @@ ossl_rsa_public_encrypt(int argc, VALUE
+     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
+     StringValue(buffer);
+     str = rb_str_new(0, ossl_rsa_buf_size(pkey));
+-    buf_len = RSA_public_encrypt(RSTRING_LEN(buffer), RSTRING_PTR(buffer),
+-				 RSTRING_PTR(str), pkey->pkey.rsa,
++    buf_len = RSA_public_encrypt(RSTRING_LEN(buffer), (unsigned char *)RSTRING_PTR(buffer),
++				 (unsigned char *)RSTRING_PTR(str), pkey->pkey.rsa,
+ 				 pad);
+     if (buf_len < 0) ossl_raise(eRSAError, NULL);
+     rb_str_set_len(str, buf_len);
+@@ -341,8 +341,8 @@ ossl_rsa_public_decrypt(int argc, VALUE
+     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
+     StringValue(buffer);
+     str = rb_str_new(0, ossl_rsa_buf_size(pkey));
+-    buf_len = RSA_public_decrypt(RSTRING_LEN(buffer), RSTRING_PTR(buffer),
+-				 RSTRING_PTR(str), pkey->pkey.rsa,
++    buf_len = RSA_public_decrypt(RSTRING_LEN(buffer), (unsigned char *)RSTRING_PTR(buffer),
++				 (unsigned char *)RSTRING_PTR(str), pkey->pkey.rsa,
+ 				 pad);
+     if (buf_len < 0) ossl_raise(eRSAError, NULL);
+     rb_str_set_len(str, buf_len);
+@@ -370,8 +370,8 @@ ossl_rsa_private_encrypt(int argc, VALUE
+     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
+     StringValue(buffer);
+     str = rb_str_new(0, ossl_rsa_buf_size(pkey));
+-    buf_len = RSA_private_encrypt(RSTRING_LEN(buffer), RSTRING_PTR(buffer),
+-				  RSTRING_PTR(str), pkey->pkey.rsa,
++    buf_len = RSA_private_encrypt(RSTRING_LEN(buffer), (unsigned char *)RSTRING_PTR(buffer),
++				  (unsigned char *)RSTRING_PTR(str), pkey->pkey.rsa,
+ 				  pad);
+     if (buf_len < 0) ossl_raise(eRSAError, NULL);
+     rb_str_set_len(str, buf_len);
+@@ -400,8 +400,8 @@ ossl_rsa_private_decrypt(int argc, VALUE
+     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
+     StringValue(buffer);
+     str = rb_str_new(0, ossl_rsa_buf_size(pkey));
+-    buf_len = RSA_private_decrypt(RSTRING_LEN(buffer), RSTRING_PTR(buffer),
+-				  RSTRING_PTR(str), pkey->pkey.rsa,
++    buf_len = RSA_private_decrypt(RSTRING_LEN(buffer), (unsigned char *)RSTRING_PTR(buffer),
++				  (unsigned char *)RSTRING_PTR(str), pkey->pkey.rsa,
+ 				  pad);
+     if (buf_len < 0) ossl_raise(eRSAError, NULL);
+     rb_str_set_len(str, buf_len);
+@@ -519,14 +519,14 @@ ossl_rsa_blinding_off(VALUE self)
+ }
+  */
+ 
+-OSSL_PKEY_BN(rsa, n);
+-OSSL_PKEY_BN(rsa, e);
+-OSSL_PKEY_BN(rsa, d);
+-OSSL_PKEY_BN(rsa, p);
+-OSSL_PKEY_BN(rsa, q);
+-OSSL_PKEY_BN(rsa, dmp1);
+-OSSL_PKEY_BN(rsa, dmq1);
+-OSSL_PKEY_BN(rsa, iqmp);
++OSSL_PKEY_BN(rsa, n)
++OSSL_PKEY_BN(rsa, e)
++OSSL_PKEY_BN(rsa, d)
++OSSL_PKEY_BN(rsa, p)
++OSSL_PKEY_BN(rsa, q)
++OSSL_PKEY_BN(rsa, dmp1)
++OSSL_PKEY_BN(rsa, dmq1)
++OSSL_PKEY_BN(rsa, iqmp)
+ 
+ /*
+  * INIT
+Index: ext/openssl/ossl_x509req.c
+===================================================================
+--- ext/openssl/ossl_x509req.c.orig
++++ ext/openssl/ossl_x509req.c
+@@ -99,7 +99,7 @@ static VALUE
+ ossl_x509req_initialize(int argc, VALUE *argv, VALUE self)
+ {
+     BIO *in;
+-    X509_REQ *req;
++    X509_REQ *req, *x = DATA_PTR(self);
+     VALUE arg;
+ 
+     if (rb_scan_args(argc, argv, "01", &arg) == 0) {
+@@ -107,10 +107,12 @@ ossl_x509req_initialize(int argc, VALUE
+     }
+     arg = ossl_to_der_if_possible(arg);
+     in = ossl_obj2bio(arg);
+-    req = PEM_read_bio_X509_REQ(in, (X509_REQ **)&DATA_PTR(self), NULL, NULL);
++    req = PEM_read_bio_X509_REQ(in, &x, NULL, NULL);
++    DATA_PTR(self) = x;
+     if (!req) {
+-	BIO_reset(in);
+-	req = d2i_X509_REQ_bio(in, (X509_REQ **)&DATA_PTR(self));
++	(void)BIO_reset(in);
++	req = d2i_X509_REQ_bio(in, &x);
++	DATA_PTR(self) = x;
+     }
+     BIO_free(in);
+     if (!req) ossl_raise(eX509ReqError, NULL);
+@@ -171,7 +173,7 @@ ossl_x509req_to_der(VALUE self)
+     if ((len = i2d_X509_REQ(req, NULL)) <= 0)
+ 	ossl_raise(eX509CertError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if (i2d_X509_REQ(req, &p) <= 0)
+ 	ossl_raise(eX509ReqError, NULL);
+     ossl_str_adjust(str, p);
+Index: ext/openssl/ossl_pkey_ec.c
+===================================================================
+--- ext/openssl/ossl_pkey_ec.c.orig
++++ ext/openssl/ossl_pkey_ec.c
+@@ -186,22 +186,22 @@ static VALUE ossl_ec_key_initialize(int
+ 
+             ec = PEM_read_bio_ECPrivateKey(in, NULL, NULL, NULL);
+             if (!ec) {
+-                BIO_reset(in);
++                (void)BIO_reset(in);
+                 ec = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL);
+             }
+             if (!ec) {
+-                BIO_reset(in);
++                (void)BIO_reset(in);
+                 ec = d2i_ECPrivateKey_bio(in, NULL);
+             }
+             if (!ec) {
+-                BIO_reset(in);
++                (void)BIO_reset(in);
+                 ec = d2i_EC_PUBKEY_bio(in, NULL);
+             }
+ 
+             BIO_free(in);
+ 
+             if (ec == NULL) {
+-                const char *name = STR2CSTR(arg);
++                const char *name = StringValueCStr(arg);
+                 int nid = OBJ_sn2nid(name);
+ 
+                 if (nid == NID_undef)
+@@ -463,8 +463,10 @@ static VALUE ossl_ec_key_to_string(VALUE
+     BIO *out;
+     int i = -1;
+     int private = 0;
++#if 0  /* unused now */
+     EVP_CIPHER *cipher = NULL;
+     char *password = NULL;
++#endif
+     VALUE str;
+ 
+     Require_EC_KEY(self, ec);
+@@ -484,13 +486,18 @@ static VALUE ossl_ec_key_to_string(VALUE
+     switch(format) {
+     case EXPORT_PEM:
+     	if (private) {
++#if 0  /* unused now */
+     	    if (cipher || password)
+ /* BUG: finish cipher/password key export */
+     	        rb_notimplement();
+             i = PEM_write_bio_ECPrivateKey(out, ec, cipher, NULL, 0, NULL, password);
++#endif
++            i = PEM_write_bio_ECPrivateKey(out, ec, NULL, NULL, 0, NULL, NULL);
+     	} else {
++#if 0  /* unused now */
+     	    if (cipher || password)
+                 rb_raise(rb_eArgError, "encryption is not supported when exporting this key type");
++#endif
+ 
+             i = PEM_write_bio_EC_PUBKEY(out, ec);
+         }
+@@ -498,13 +505,17 @@ static VALUE ossl_ec_key_to_string(VALUE
+     	break;
+     case EXPORT_DER:
+         if (private) {
++#if 0  /* unused now */
+     	    if (cipher || password)
+                 rb_raise(rb_eArgError, "encryption is not supported when exporting this key type");
++#endif
+ 
+             i = i2d_ECPrivateKey_bio(out, ec);
+         } else {
++#if 0  /* unused now */
+     	    if (cipher || password)
+                 rb_raise(rb_eArgError, "encryption is not supported when exporting this key type");
++#endif
+ 
+             i = i2d_EC_PUBKEY_bio(out, ec);
+         }
+@@ -670,7 +681,7 @@ static VALUE ossl_ec_key_dsa_sign_asn1(V
+ 
+ /*
+  *  call-seq:
+- *     key.dsa_verify(data, sig)   => true or false
++ *     key.dsa_verify_asn1(data, sig)   => true or false
+  *
+  *  See the OpenSSL documentation for ECDSA_verify()
+  */
+@@ -695,7 +706,7 @@ static void ossl_ec_group_free(ossl_ec_g
+ {
+     if (!ec_group->dont_free && ec_group->group)
+         EC_GROUP_clear_free(ec_group->group);
+-    free(ec_group);
++    ruby_xfree(ec_group);
+ }
+ 
+ static VALUE ossl_ec_group_alloc(VALUE klass)
+@@ -767,14 +778,14 @@ static VALUE ossl_ec_group_initialize(in
+ 
+             group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
+             if (!group) {
+-                BIO_reset(in);
++                (void)BIO_reset(in);
+                 group = d2i_ECPKParameters_bio(in, NULL);
+             }
+ 
+             BIO_free(in);
+ 
+             if (!group) {
+-                const char *name = STR2CSTR(arg1);
++                const char *name = StringValueCStr(arg1);
+                 int nid = OBJ_sn2nid(name);
+ 
+                 if (nid == NID_undef)
+@@ -1081,7 +1092,7 @@ static VALUE ossl_ec_group_get_seed(VALU
+     if (seed_len == 0)
+         return Qnil;
+ 
+-    return rb_str_new(EC_GROUP_get0_seed(group), seed_len);
++    return rb_str_new((const char *)EC_GROUP_get0_seed(group), seed_len);
+ }
+ 
+ /*  call-seq:
+@@ -1096,7 +1107,7 @@ static VALUE ossl_ec_group_set_seed(VALU
+     Require_EC_GROUP(self, group);
+     StringValue(seed);
+ 
+-    if (EC_GROUP_set_seed(group, RSTRING_PTR(seed), RSTRING_LEN(seed)) != RSTRING_LEN(seed))
++    if (EC_GROUP_set_seed(group, (unsigned char *)RSTRING_PTR(seed), RSTRING_LEN(seed)) != RSTRING_LEN(seed))
+         ossl_raise(eEC_GROUP, "EC_GROUP_set_seed");
+ 
+     return seed;
+@@ -1201,7 +1212,7 @@ static void ossl_ec_point_free(ossl_ec_p
+ {
+     if (!ec_point->dont_free && ec_point->point)
+         EC_POINT_clear_free(ec_point->point);
+-    free(ec_point);
++    ruby_xfree(ec_point);
+ }
+ 
+ static VALUE ossl_ec_point_alloc(VALUE klass)
+Index: ext/openssl/ossl_digest.c
+===================================================================
+--- ext/openssl/ossl_digest.c.orig
++++ ext/openssl/ossl_digest.c
+@@ -38,7 +38,7 @@ GetDigestPtr(VALUE obj)
+     const EVP_MD *md;
+ 
+     if (TYPE(obj) == T_STRING) {
+-    	const char *name = STR2CSTR(obj);
++    	const char *name = StringValueCStr(obj);
+ 
+         md = EVP_get_digestbyname(name);
+         if (!md)
+@@ -96,7 +96,6 @@ ossl_digest_initialize(int argc, VALUE *
+ {
+     EVP_MD_CTX *ctx;
+     const EVP_MD *md;
+-    char *name;
+     VALUE type, data;
+ 
+     rb_scan_args(argc, argv, "11", &type, &data);
+@@ -182,7 +181,7 @@ ossl_digest_finish(int argc, VALUE *argv
+         rb_str_resize(str, EVP_MD_CTX_size(ctx));
+     }
+ 
+-    EVP_DigestFinal_ex(ctx, RSTRING_PTR(str), NULL);
++    EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL);
+ 
+     return str;
+ }
+@@ -234,7 +233,6 @@ ossl_digest_block_length(VALUE self)
+ void
+ Init_ossl_digest()
+ {
+-    rb_require("openssl");
+     rb_require("digest");
+ 
+ #if 0 /* let rdoc know about mOSSL */
+Index: ext/openssl/ossl.c
+===================================================================
+--- ext/openssl/ossl.c.orig
++++ ext/openssl/ossl.c
+@@ -15,7 +15,7 @@
+  * String to HEXString conversion
+  */
+ int
+-string2hex(char *buf, int buf_len, char **hexbuf, int *hexbuf_len)
++string2hex(const unsigned char *buf, int buf_len, char **hexbuf, int *hexbuf_len)
+ {
+     static const char hex[]="0123456789abcdef";
+     int i, len = 2 * buf_len;
+@@ -92,7 +92,7 @@ ossl_x509_ary2sk(VALUE ary)
+ 
+ #define OSSL_IMPL_SK2ARY(name, type)	        \
+ VALUE						\
+-ossl_##name##_sk2ary(STACK *sk)			\
++ossl_##name##_sk2ary(STACK_OF(type) *sk)	\
+ {						\
+     type *t;					\
+     int i, num;					\
+@@ -102,7 +102,7 @@ ossl_##name##_sk2ary(STACK *sk)			\
+ 	OSSL_Debug("empty sk!");		\
+ 	return Qnil;				\
+     }						\
+-    num = sk_num(sk);				\
++    num = sk_##type##_num(sk);			\
+     if (num < 0) {				\
+ 	OSSL_Debug("items in sk < -1???");	\
+ 	return rb_ary_new();			\
+@@ -110,7 +110,7 @@ ossl_##name##_sk2ary(STACK *sk)			\
+     ary = rb_ary_new2(num);			\
+ 						\
+     for (i=0; i<num; i++) {			\
+-	t = (type *)sk_value(sk, i);		\
++	t = sk_##type##_value(sk, i);		\
+ 	rb_ary_push(ary, ossl_##name##_new(t));	\
+     }						\
+     return ary;					\
+@@ -272,10 +272,9 @@ ossl_to_der_if_possible(VALUE obj)
+ /*
+  * Errors
+  */
+-void
+-ossl_raise(VALUE exc, const char *fmt, ...)
++static VALUE
++ossl_make_error(VALUE exc, const char *fmt, va_list args)
+ {
+-    va_list args;
+     char buf[BUFSIZ];
+     const char *msg;
+     long e;
+@@ -287,17 +286,14 @@ ossl_raise(VALUE exc, const char *fmt, .
+     e = ERR_peek_error();
+ #endif
+     if (fmt) {
+-	va_start(args, fmt);
+ 	len = vsnprintf(buf, BUFSIZ, fmt, args);
+-	va_end(args);
+     }
+     if (len < BUFSIZ && e) {
+ 	if (dOSSL == Qtrue) /* FULL INFO */
+ 	    msg = ERR_error_string(e, NULL);
+ 	else
+ 	    msg = ERR_reason_error_string(e);
+-	fmt = len ? ": %s" : "%s";
+-	len += snprintf(buf+len, BUFSIZ-len, fmt, msg);
++	len += snprintf(buf+len, BUFSIZ-len, "%s%s", (len ? ": " : ""), msg);
+     }
+     if (dOSSL == Qtrue){ /* show all errors on the stack */
+ 	while ((e = ERR_get_error()) != 0){
+@@ -307,7 +303,29 @@ ossl_raise(VALUE exc, const char *fmt, .
+     ERR_clear_error();
+ 
+     if(len > BUFSIZ) len = strlen(buf);
+-    rb_exc_raise(rb_exc_new(exc, buf, len));
++    return rb_exc_new(exc, buf, len);
++}
++
++void
++ossl_raise(VALUE exc, const char *fmt, ...)
++{
++    va_list args;
++    VALUE err;
++    va_start(args, fmt);
++    err = ossl_make_error(exc, fmt, args);
++    va_end(args);
++    rb_exc_raise(err);
++}
++
++VALUE
++ossl_exc_new(VALUE exc, const char *fmt, ...)
++{
++    va_list args;
++    VALUE err;
++    va_start(args, fmt);
++    err = ossl_make_error(exc, fmt, args);
++    va_end(args);
++    return err;
+ }
+ 
+ /*
+@@ -446,7 +464,7 @@ Init_openssl()
+     /*
+      * Verify callback Proc index for ext-data
+      */
+-    if ((ossl_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, "ossl_verify_cb_idx", 0, 0, 0)) < 0)
++    if ((ossl_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, (void *)"ossl_verify_cb_idx", 0, 0, 0)) < 0)
+         ossl_raise(eOSSLError, "X509_STORE_CTX_get_ex_new_index");
+ 
+     /*
+@@ -488,7 +506,7 @@ Init_openssl()
+  * Check if all symbols are OK with 'make LDSHARED=gcc all'
+  */
+ int
+-main(int argc, char *argv[], char *env[])
++main(int argc, char *argv[])
+ {
+     return 0;
+ }
+Index: ext/openssl/ossl_x509store.c
+===================================================================
+--- ext/openssl/ossl_x509store.c.orig
++++ ext/openssl/ossl_x509store.c
+@@ -212,7 +212,7 @@ ossl_x509store_add_file(VALUE self, VALU
+     char *path = NULL;
+ 
+     if(file != Qnil){
+-        Check_SafeStr(file);
++        SafeStringValue(file);
+ 	path = RSTRING_PTR(file);
+     }
+     GetX509Store(self, store);
+@@ -233,7 +233,7 @@ ossl_x509store_add_path(VALUE self, VALU
+     char *path = NULL;
+ 
+     if(dir != Qnil){
+-        Check_SafeStr(dir);
++        SafeStringValue(dir);
+ 	path = RSTRING_PTR(dir);
+     }
+     GetX509Store(self, store);
+Index: ext/openssl/ossl.h
+===================================================================
+--- ext/openssl/ossl.h.orig
++++ ext/openssl/ossl.h
+@@ -108,9 +108,16 @@ extern VALUE eOSSLError;
+ } while (0)
+ 
+ /*
++ * Compatibility
++ */
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#define STACK _STACK
++#endif
++
++/*
+  * String to HEXString conversion
+  */
+-int string2hex(char *, int, char **, int *);
++int string2hex(const unsigned char *, int, char **, int *);
+ 
+ /*
+  * Data Conversion
+@@ -139,6 +146,7 @@ int ossl_pem_passwd_cb(char *, int, int,
+  */
+ #define OSSL_ErrMsg() ERR_reason_error_string(ERR_get_error())
+ NORETURN(void ossl_raise(VALUE, const char *, ...));
++VALUE ossl_exc_new(VALUE, const char *, ...);
+ 
+ /*
+  * Verify callback
+@@ -167,10 +175,10 @@ VALUE ossl_to_der_if_possible(VALUE);
+ extern VALUE dOSSL;
+ 
+ #if defined(HAVE_VA_ARGS_MACRO)
+-#define OSSL_Debug(fmt, ...) do { \
++#define OSSL_Debug(...) do { \
+   if (dOSSL == Qtrue) { \
+     fprintf(stderr, "OSSL_DEBUG: "); \
+-    fprintf(stderr, fmt, ##__VA_ARGS__); \
++    fprintf(stderr, __VA_ARGS__); \
+     fprintf(stderr, " [%s:%d]\n", __FILE__, __LINE__); \
+   } \
+ } while (0)
+Index: ext/openssl/lib/openssl/digest.rb
+===================================================================
+--- ext/openssl/lib/openssl/digest.rb.orig
++++ ext/openssl/lib/openssl/digest.rb
+@@ -40,7 +40,7 @@ module OpenSSL
+           super(name, data.first)
+         }
+       }
+-      singleton = (class <<klass; self; end)
++      singleton = (class << klass; self; end)
+       singleton.class_eval{
+         define_method(:digest){|data| Digest.digest(name, data) }
+         define_method(:hexdigest){|data| Digest.hexdigest(name, data) }
+Index: ext/openssl/lib/openssl/x509-internal.rb
+===================================================================
+--- /dev/null
++++ ext/openssl/lib/openssl/x509-internal.rb
+@@ -0,0 +1,153 @@
++=begin
++= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for X509 and subclasses
++
++= Info
++  'OpenSSL for Ruby 2' project
++  Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
++  All rights reserved.
++
++= Licence
++  This program is licenced under the same licence as Ruby.
++  (See the file 'LICENCE'.)
++
++= Version
++  $Id$
++=end
++
++module OpenSSL
++  module X509
++    class ExtensionFactory
++      def create_extension(*arg)
++        if arg.size > 1
++          create_ext(*arg)
++        else
++          send("create_ext_from_"+arg[0].class.name.downcase, arg[0])
++        end
++      end
++
++      def create_ext_from_array(ary)
++        raise ExtensionError, "unexpected array form" if ary.size > 3
++        create_ext(ary[0], ary[1], ary[2])
++      end
++
++      def create_ext_from_string(str) # "oid = critical, value"
++        oid, value = str.split(/=/, 2)
++        oid.strip!
++        value.strip!
++        create_ext(oid, value)
++      end
++
++      def create_ext_from_hash(hash)
++        create_ext(hash["oid"], hash["value"], hash["critical"])
++      end
++    end
++
++    class Extension
++      def to_s # "oid = critical, value"
++        str = self.oid
++        str << " = "
++        str << "critical, " if self.critical?
++        str << self.value.gsub(/\n/, ", ")
++      end
++
++      def to_h # {"oid"=>sn|ln, "value"=>value, "critical"=>true|false}
++        {"oid"=>self.oid,"value"=>self.value,"critical"=>self.critical?}
++      end
++
++      def to_a
++        [ self.oid, self.value, self.critical? ]
++      end
++    end
++
++    class Name
++      module RFC2253DN
++        Special = ',=+<>#;'
++        HexChar = /[0-9a-fA-F]/
++        HexPair = /#{HexChar}#{HexChar}/
++        HexString = /#{HexPair}+/
++        Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/
++        StringChar = /[^#{Special}\\"]/
++        QuoteChar = /[^\\"]/
++        AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/
++        AttributeValue = /
++          (?!["#])((?:#{StringChar}|#{Pair})*)|
++          \#(#{HexString})|
++          "((?:#{QuoteChar}|#{Pair})*)"
++        /x
++        TypeAndValue = /\A(#{AttributeType})=#{AttributeValue}/
++
++        module_function
++
++        def expand_pair(str)
++          return nil unless str
++          return str.gsub(Pair){
++            pair = $&
++            case pair.size
++            when 2 then pair[1,1]
++            when 3 then Integer("0x#{pair[1,2]}").chr
++            else raise OpenSSL::X509::NameError, "invalid pair: #{str}"
++            end
++          }
++        end
++
++        def expand_hexstring(str)
++          return nil unless str
++          der = str.gsub(HexPair){$&.to_i(16).chr }
++          a1 = OpenSSL::ASN1.decode(der)
++          return a1.value, a1.tag
++        end
++
++        def expand_value(str1, str2, str3)
++          value = expand_pair(str1)
++          value, tag = expand_hexstring(str2) unless value
++          value = expand_pair(str3) unless value
++          return value, tag
++        end
++
++        def scan(dn)
++          str = dn
++          ary = []
++          while true
++            if md = TypeAndValue.match(str)
++              matched = md.to_s
++              remain = md.post_match
++              type = md[1]
++              value, tag = expand_value(md[2], md[3], md[4]) rescue nil
++              if value
++                type_and_value = [type, value]
++                type_and_value.push(tag) if tag
++                ary.unshift(type_and_value)
++                if remain.length > 2 && remain[0] == ?,
++                  str = remain[1..-1]
++                  next
++                elsif remain.length > 2 && remain[0] == ?+
++                  raise OpenSSL::X509::NameError,
++                    "multi-valued RDN is not supported: #{dn}"
++                elsif remain.empty?
++                  break
++                end
++              end
++            end
++            msg_dn = dn[0, dn.length - str.length] + " =>" + str
++            raise OpenSSL::X509::NameError, "malformed RDN: #{msg_dn}"
++          end
++          return ary
++        end
++      end
++
++      class <<self
++        def parse_rfc2253(str, template=OBJECT_TYPE_TEMPLATE)
++          ary = OpenSSL::X509::Name::RFC2253DN.scan(str)
++          self.new(ary, template)
++        end
++
++        def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
++          ary = str.scan(/\s*([^\/,]+)\s*/).collect{|i| i[0].split("=", 2) }
++          self.new(ary, template)
++        end
++
++        alias parse parse_openssl
++      end
++    end
++  end
++end
+Index: ext/openssl/lib/openssl/ssl.rb
+===================================================================
+--- ext/openssl/lib/openssl/ssl.rb.orig
++++ ext/openssl/lib/openssl/ssl.rb
+@@ -1,179 +1 @@
+-=begin
+-= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL
+-
+-= Info
+-  'OpenSSL for Ruby 2' project
+-  Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
+-  All rights reserved.
+-
+-= Licence
+-  This program is licenced under the same licence as Ruby.
+-  (See the file 'LICENCE'.)
+-
+-= Version
+-  $Id: ssl.rb 16193 2008-04-25 06:51:21Z knu $
+-=end
+-
+-require "openssl"
+-require "openssl/buffering"
+-require "fcntl"
+-
+-module OpenSSL
+-  module SSL
+-    class SSLContext
+-      DEFAULT_PARAMS = {
+-        :ssl_version => "SSLv23",
+-        :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+-        :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
+-        :options => OpenSSL::SSL::OP_ALL,
+-      }
+-
+-      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
+-      DEFAULT_CERT_STORE.set_default_paths
+-      if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
+-        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+-      end
+-
+-      def set_params(params={})
+-        params = DEFAULT_PARAMS.merge(params)
+-        self.ssl_version = params.delete(:ssl_version)
+-        params.each{|name, value| self.__send__("#{name}=", value) }
+-        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
+-          unless self.ca_file or self.ca_path or self.cert_store
+-            self.cert_store = DEFAULT_CERT_STORE
+-          end
+-        end
+-        return params
+-      end
+-    end
+-
+-    module SocketForwarder
+-      def addr
+-        to_io.addr
+-      end
+-
+-      def peeraddr
+-        to_io.peeraddr
+-      end
+-
+-      def setsockopt(level, optname, optval)
+-        to_io.setsockopt(level, optname, optval)
+-      end
+-
+-      def getsockopt(level, optname)
+-        to_io.getsockopt(level, optname)
+-      end
+-
+-      def fcntl(*args)
+-        to_io.fcntl(*args)
+-      end
+-
+-      def closed?
+-        to_io.closed?
+-      end
+-
+-      def do_not_reverse_lookup=(flag)
+-        to_io.do_not_reverse_lookup = flag
+-      end
+-    end
+-
+-    module Nonblock
+-      def initialize(*args)
+-        flag = File::NONBLOCK
+-        flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL)
+-        @io.fcntl(Fcntl::F_SETFL, flag)
+-        super
+-      end
+-    end
+-
+-    def verify_certificate_identity(cert, hostname)
+-      should_verify_common_name = true
+-      cert.extensions.each{|ext|
+-        next if ext.oid != "subjectAltName"
+-        ext.value.split(/,\s+/).each{|general_name|
+-          if /\ADNS:(.*)/ =~ general_name
+-            should_verify_common_name = false
+-            reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
+-            return true if /\A#{reg}\z/i =~ hostname
+-          elsif /\AIP Address:(.*)/ =~ general_name
+-            should_verify_common_name = false
+-            return true if $1 == hostname
+-          end
+-        }
+-      }
+-      if should_verify_common_name
+-        cert.subject.to_a.each{|oid, value|
+-          if oid == "CN"
+-            reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
+-            return true if /\A#{reg}\z/i =~ hostname
+-          end
+-        }
+-      end
+-      return false
+-    end
+-    module_function :verify_certificate_identity
+-
+-    class SSLSocket
+-      include Buffering
+-      include SocketForwarder
+-      include Nonblock
+-
+-      def post_connection_check(hostname)
+-        unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
+-          raise SSLError, "hostname was not match with the server certificate"
+-        end
+-        return true
+-      end
+-
+-      def session
+-        SSL::Session.new(self)
+-      rescue SSL::Session::SessionError
+-        nil
+-      end
+-    end
+-
+-    class SSLServer
+-      include SocketForwarder
+-      attr_accessor :start_immediately
+-
+-      def initialize(svr, ctx)
+-        @svr = svr
+-        @ctx = ctx
+-        unless ctx.session_id_context
+-          session_id = OpenSSL::Digest::MD5.hexdigest($0)
+-          @ctx.session_id_context = session_id
+-        end
+-        @start_immediately = true
+-      end
+-
+-      def to_io
+-        @svr
+-      end
+-
+-      def listen(backlog=5)
+-        @svr.listen(backlog)
+-      end
+-
+-      def shutdown(how=Socket::SHUT_RDWR)
+-        @svr.shutdown(how)
+-      end
+-
+-      def accept
+-        sock = @svr.accept
+-        begin
+-          ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
+-          ssl.sync_close = true
+-          ssl.accept if @start_immediately
+-          ssl
+-        rescue SSLError => ex
+-          sock.close
+-          raise ex
+-        end
+-      end
+-
+-      def close
+-        @svr.close
+-      end
+-    end
+-  end
+-end
++require 'openssl'
+Index: ext/openssl/lib/openssl/x509.rb
+===================================================================
+--- ext/openssl/lib/openssl/x509.rb.orig
++++ ext/openssl/lib/openssl/x509.rb
+@@ -1,154 +1 @@
+-=begin
+-= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for X509 and subclasses
+-
+-= Info
+-  'OpenSSL for Ruby 2' project
+-  Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
+-  All rights reserved.
+-
+-= Licence
+-  This program is licenced under the same licence as Ruby.
+-  (See the file 'LICENCE'.)
+-
+-= Version
+-  $Id: x509.rb 11708 2007-02-12 23:01:19Z shyouhei $
+-=end
+-
+-require "openssl"
+-
+-module OpenSSL
+-  module X509
+-    class ExtensionFactory
+-      def create_extension(*arg)
+-        if arg.size > 1
+-          create_ext(*arg)
+-        else
+-          send("create_ext_from_"+arg[0].class.name.downcase, arg[0])
+-        end
+-      end
+-
+-      def create_ext_from_array(ary)
+-        raise ExtensionError, "unexpected array form" if ary.size > 3 
+-        create_ext(ary[0], ary[1], ary[2])
+-      end
+-
+-      def create_ext_from_string(str) # "oid = critical, value"
+-        oid, value = str.split(/=/, 2)
+-        oid.strip!
+-        value.strip!
+-        create_ext(oid, value)
+-      end
+-      
+-      def create_ext_from_hash(hash)
+-        create_ext(hash["oid"], hash["value"], hash["critical"])
+-      end
+-    end
+-    
+-    class Extension
+-      def to_s # "oid = critical, value"
+-        str = self.oid
+-        str << " = "
+-        str << "critical, " if self.critical?
+-        str << self.value.gsub(/\n/, ", ")
+-      end
+-        
+-      def to_h # {"oid"=>sn|ln, "value"=>value, "critical"=>true|false}
+-        {"oid"=>self.oid,"value"=>self.value,"critical"=>self.critical?}
+-      end
+-
+-      def to_a
+-        [ self.oid, self.value, self.critical? ]
+-      end
+-    end
+-
+-    class Name
+-      module RFC2253DN
+-        Special = ',=+<>#;'
+-        HexChar = /[0-9a-fA-F]/
+-        HexPair = /#{HexChar}#{HexChar}/
+-        HexString = /#{HexPair}+/
+-        Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/
+-        StringChar = /[^#{Special}\\"]/
+-        QuoteChar = /[^\\"]/
+-        AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/
+-        AttributeValue = /
+-          (?!["#])((?:#{StringChar}|#{Pair})*)|
+-          \#(#{HexString})|
+-          "((?:#{QuoteChar}|#{Pair})*)"
+-        /x
+-        TypeAndValue = /\A(#{AttributeType})=#{AttributeValue}/
+-
+-        module_function
+-
+-        def expand_pair(str)
+-          return nil unless str
+-          return str.gsub(Pair){|pair|
+-            case pair.size
+-            when 2 then pair[1,1]
+-            when 3 then Integer("0x#{pair[1,2]}").chr
+-            else raise OpenSSL::X509::NameError, "invalid pair: #{str}"
+-            end
+-          }
+-        end
+-
+-        def expand_hexstring(str)
+-          return nil unless str
+-          der = str.gsub(HexPair){|hex| Integer("0x#{hex}").chr }
+-          a1 = OpenSSL::ASN1.decode(der)
+-          return a1.value, a1.tag
+-        end
+-
+-        def expand_value(str1, str2, str3)
+-          value = expand_pair(str1)
+-          value, tag = expand_hexstring(str2) unless value
+-          value = expand_pair(str3) unless value
+-          return value, tag
+-        end
+-
+-        def scan(dn)
+-          str = dn
+-          ary = []
+-          while true
+-            if md = TypeAndValue.match(str)
+-              matched = md.to_s
+-              remain = md.post_match
+-              type = md[1]
+-              value, tag = expand_value(md[2], md[3], md[4]) rescue nil
+-              if value
+-                type_and_value = [type, value]
+-                type_and_value.push(tag) if tag
+-                ary.unshift(type_and_value)
+-                if remain.length > 2 && remain[0] == ?,
+-                  str = remain[1..-1]
+-                  next
+-                elsif remain.length > 2 && remain[0] == ?+
+-                  raise OpenSSL::X509::NameError,
+-                    "multi-valued RDN is not supported: #{dn}"
+-                elsif remain.empty?
+-                  break
+-                end
+-              end
+-            end
+-            msg_dn = dn[0, dn.length - str.length] + " =>" + str
+-            raise OpenSSL::X509::NameError, "malformed RDN: #{msg_dn}"
+-          end
+-          return ary
+-        end
+-      end
+-
+-      class <<self
+-        def parse_rfc2253(str, template=OBJECT_TYPE_TEMPLATE)
+-          ary = OpenSSL::X509::Name::RFC2253DN.scan(str)
+-          self.new(ary, template)
+-        end
+-
+-        def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
+-          ary = str.scan(/\s*([^\/,]+)\s*/).collect{|i| i[0].split("=", 2) }
+-          self.new(ary, template)
+-        end
+-
+-        alias parse parse_openssl
+-      end
+-    end
+-  end
+-end
++require 'openssl'
+Index: ext/openssl/lib/openssl/buffering.rb
+===================================================================
+--- ext/openssl/lib/openssl/buffering.rb.orig
++++ ext/openssl/lib/openssl/buffering.rb
+@@ -14,6 +14,7 @@
+   $Id: buffering.rb 13706 2007-10-15 08:29:08Z usa $
+ =end
+ 
++module OpenSSL
+ module Buffering
+   include Enumerable
+   attr_accessor :sync
+@@ -237,3 +238,4 @@ module Buffering
+     sysclose
+   end
+ end
++end
+Index: ext/openssl/lib/openssl/ssl-internal.rb
+===================================================================
+--- /dev/null
++++ ext/openssl/lib/openssl/ssl-internal.rb
+@@ -0,0 +1,179 @@
++=begin
++= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL
++
++= Info
++  'OpenSSL for Ruby 2' project
++  Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
++  All rights reserved.
++
++= Licence
++  This program is licenced under the same licence as Ruby.
++  (See the file 'LICENCE'.)
++
++= Version
++  $Id$
++=end
++
++require "openssl/buffering"
++require "fcntl"
++
++module OpenSSL
++  module SSL
++    class SSLContext
++      DEFAULT_PARAMS = {
++        :ssl_version => "SSLv23",
++        :verify_mode => OpenSSL::SSL::VERIFY_PEER,
++        :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
++        :options => OpenSSL::SSL::OP_ALL,
++      }
++
++      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
++      DEFAULT_CERT_STORE.set_default_paths
++      if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
++        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
++      end
++
++      def set_params(params={})
++        params = DEFAULT_PARAMS.merge(params)
++        # ssl_version need to be set at first.
++        self.ssl_version = params.delete(:ssl_version)
++        params.each{|name, value| self.__send__("#{name}=", value) }
++        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
++          unless self.ca_file or self.ca_path or self.cert_store
++            self.cert_store = DEFAULT_CERT_STORE
++          end
++        end
++        return params
++      end
++    end
++
++    module SocketForwarder
++      def addr
++        to_io.addr
++      end
++
++      def peeraddr
++        to_io.peeraddr
++      end
++
++      def setsockopt(level, optname, optval)
++        to_io.setsockopt(level, optname, optval)
++      end
++
++      def getsockopt(level, optname)
++        to_io.getsockopt(level, optname)
++      end
++
++      def fcntl(*args)
++        to_io.fcntl(*args)
++      end
++
++      def closed?
++        to_io.closed?
++      end
++
++      def do_not_reverse_lookup=(flag)
++        to_io.do_not_reverse_lookup = flag
++      end
++    end
++
++    module Nonblock
++      def initialize(*args)
++        flag = File::NONBLOCK
++        flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL)
++        @io.fcntl(Fcntl::F_SETFL, flag)
++        super
++      end
++    end
++
++    def verify_certificate_identity(cert, hostname)
++      should_verify_common_name = true
++      cert.extensions.each{|ext|
++        next if ext.oid != "subjectAltName"
++        ext.value.split(/,\s+/).each{|general_name|
++          if /\ADNS:(.*)/ =~ general_name
++            should_verify_common_name = false
++            reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
++            return true if /\A#{reg}\z/i =~ hostname
++          elsif /\AIP Address:(.*)/ =~ general_name
++            should_verify_common_name = false
++            return true if $1 == hostname
++          end
++        }
++      }
++      if should_verify_common_name
++        cert.subject.to_a.each{|oid, value|
++          if oid == "CN"
++            reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
++            return true if /\A#{reg}\z/i =~ hostname
++          end
++        }
++      end
++      return false
++    end
++    module_function :verify_certificate_identity
++
++    class SSLSocket
++      include Buffering
++      include SocketForwarder
++      include Nonblock
++
++      def post_connection_check(hostname)
++        unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
++          raise SSLError, "hostname was not match with the server certificate"
++        end
++        return true
++      end
++
++      def session
++        SSL::Session.new(self)
++      rescue SSL::Session::SessionError
++        nil
++      end
++    end
++
++    class SSLServer
++      include SocketForwarder
++      attr_accessor :start_immediately
++
++      def initialize(svr, ctx)
++        @svr = svr
++        @ctx = ctx
++        unless ctx.session_id_context
++          session_id = OpenSSL::Digest::MD5.hexdigest($0)
++          @ctx.session_id_context = session_id
++        end
++        @start_immediately = true
++      end
++
++      def to_io
++        @svr
++      end
++
++      def listen(backlog=5)
++        @svr.listen(backlog)
++      end
++
++      def shutdown(how=Socket::SHUT_RDWR)
++        @svr.shutdown(how)
++      end
++
++      def accept
++        sock = @svr.accept
++        begin
++          ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
++          ssl.sync_close = true
++          ssl.accept if @start_immediately
++          ssl
++        rescue SSLError => ex
++          sock.close
++          raise ex
++        end
++      end
++
++      def close
++        @svr.close
++      end
++    end
++  end
++end
+Index: ext/openssl/lib/openssl.rb
+===================================================================
+--- ext/openssl/lib/openssl.rb.orig
++++ ext/openssl/lib/openssl.rb
+@@ -20,6 +20,6 @@ require 'openssl/bn'
+ require 'openssl/cipher'
+ require 'openssl/digest'
+ require 'openssl/pkcs7'
+-require 'openssl/ssl'
+-require 'openssl/x509'
++require 'openssl/ssl-internal'
++require 'openssl/x509-internal'
+ 
+Index: ext/openssl/lib/net/telnets.rb
+===================================================================
+--- ext/openssl/lib/net/telnets.rb.orig
++++ ext/openssl/lib/net/telnets.rb
+@@ -145,7 +145,7 @@ module Net
+         end
+       end
+     end # preprocess
+-    
++
+     alias waitfor_org waitfor
+ 
+     def waitfor(options)
+@@ -181,7 +181,7 @@ module Net
+         begin
+           c = @rest + @sock.sysread(1024 * 1024)
+           @dumplog.log_dump('<', c) if @options.has_key?("Dump_log")
+-          if @options["Telnetmode"]   
++          if @options["Telnetmode"]
+             pos = 0
+             catch(:next){
+               while true
+@@ -213,11 +213,11 @@ module Net
+           end
+           @log.print(buf) if @options.has_key?("Output_log")
+           line.concat(buf)
+-          yield buf if block_given?   
++          yield buf if block_given?
+         rescue EOFError # End of file reached
+           if line == ''
+             line = nil
+-            yield nil if block_given? 
++            yield nil if block_given?
+           end
+           break
+         end
+Index: ext/openssl/ossl_bn.c
+===================================================================
+--- ext/openssl/ossl_bn.c.orig
++++ ext/openssl/ossl_bn.c
+@@ -131,12 +131,12 @@ ossl_bn_initialize(int argc, VALUE *argv
+ 
+     switch (base) {
+     case 0:
+-	if (!BN_mpi2bn(RSTRING_PTR(str), RSTRING_LEN(str), bn)) {
++	if (!BN_mpi2bn((unsigned char *)RSTRING_PTR(str), RSTRING_LEN(str), bn)) {
+ 	    ossl_raise(eBNError, NULL);
+ 	}
+ 	break;
+     case 2:
+-	if (!BN_bin2bn(RSTRING_PTR(str), RSTRING_LEN(str), bn)) {
++	if (!BN_bin2bn((unsigned char *)RSTRING_PTR(str), RSTRING_LEN(str), bn)) {
+ 	    ossl_raise(eBNError, NULL);
+ 	}
+ 	break;
+@@ -151,7 +151,7 @@ ossl_bn_initialize(int argc, VALUE *argv
+ 	}
+ 	break;
+     default:
+-	ossl_raise(rb_eArgError, "illegal radix %d", base);
++	ossl_raise(rb_eArgError, "invalid radix %d", base);
+     }
+     return self;
+ }
+@@ -185,13 +185,13 @@ ossl_bn_to_s(int argc, VALUE *argv, VALU
+     case 0:
+ 	len = BN_bn2mpi(bn, NULL);
+         str = rb_str_new(0, len);
+-	if (BN_bn2mpi(bn, RSTRING_PTR(str)) != len)
++	if (BN_bn2mpi(bn, (unsigned char *)RSTRING_PTR(str)) != len)
+ 	    ossl_raise(eBNError, NULL);
+ 	break;
+     case 2:
+ 	len = BN_num_bytes(bn);
+         str = rb_str_new(0, len);
+-	if (BN_bn2bin(bn, RSTRING_PTR(str)) != len)
++	if (BN_bn2bin(bn, (unsigned char *)RSTRING_PTR(str)) != len)
+ 	    ossl_raise(eBNError, NULL);
+ 	break;
+     case 10:
+@@ -203,7 +203,7 @@ ossl_bn_to_s(int argc, VALUE *argv, VALU
+ 	str = ossl_buf2str(buf, strlen(buf));
+ 	break;
+     default:
+-	ossl_raise(rb_eArgError, "illegal radix %d", base);
++	ossl_raise(rb_eArgError, "invalid radix %d", base);
+     }
+ 
+     return str;
+@@ -272,9 +272,9 @@ ossl_bn_coerce(VALUE self, VALUE other)
+ 	}						\
+ 	return Qfalse;					\
+     }
+-BIGNUM_BOOL1(is_zero);
+-BIGNUM_BOOL1(is_one);
+-BIGNUM_BOOL1(is_odd);
++BIGNUM_BOOL1(is_zero)
++BIGNUM_BOOL1(is_one)
++BIGNUM_BOOL1(is_odd)
+ 
+ #define BIGNUM_1c(func)					\
+     /*							\
+@@ -298,7 +298,7 @@ BIGNUM_BOOL1(is_odd);
+ 	WrapBN(CLASS_OF(self), obj, result);		\
+ 	return obj;					\
+     }
+-BIGNUM_1c(sqr);
++BIGNUM_1c(sqr)
+ 
+ #define BIGNUM_2(func)					\
+     /*							\
+@@ -322,8 +322,8 @@ BIGNUM_1c(sqr);
+ 	WrapBN(CLASS_OF(self), obj, result);		\
+ 	return obj;					\
+     }
+-BIGNUM_2(add);
+-BIGNUM_2(sub);
++BIGNUM_2(add)
++BIGNUM_2(sub)
+ 
+ #define BIGNUM_2c(func)						\
+     /*								\
+@@ -347,12 +347,12 @@ BIGNUM_2(sub);
+ 	WrapBN(CLASS_OF(self), obj, result);			\
+ 	return obj;						\
+     }
+-BIGNUM_2c(mul);
+-BIGNUM_2c(mod);
+-BIGNUM_2c(exp);
+-BIGNUM_2c(gcd);
+-BIGNUM_2c(mod_sqr);
+-BIGNUM_2c(mod_inverse);
++BIGNUM_2c(mul)
++BIGNUM_2c(mod)
++BIGNUM_2c(exp)
++BIGNUM_2c(gcd)
++BIGNUM_2c(mod_sqr)
++BIGNUM_2c(mod_inverse)
+ 
+ /*
+  * call-seq:
+@@ -407,10 +407,10 @@ ossl_bn_div(VALUE self, VALUE other)
+ 	WrapBN(CLASS_OF(self), obj, result);			\
+ 	return obj;						\
+     }
+-BIGNUM_3c(mod_add);
+-BIGNUM_3c(mod_sub);
+-BIGNUM_3c(mod_mul);
+-BIGNUM_3c(mod_exp);
++BIGNUM_3c(mod_add)
++BIGNUM_3c(mod_sub)
++BIGNUM_3c(mod_mul)
++BIGNUM_3c(mod_exp)
+ 
+ #define BIGNUM_BIT(func)				\
+     /*							\
+@@ -428,9 +428,9 @@ BIGNUM_3c(mod_exp);
+ 	}						\
+ 	return self;					\
+     }
+-BIGNUM_BIT(set_bit);
+-BIGNUM_BIT(clear_bit);
+-BIGNUM_BIT(mask_bits);
++BIGNUM_BIT(set_bit)
++BIGNUM_BIT(clear_bit)
++BIGNUM_BIT(mask_bits)
+ 
+ /*
+  * call-seq:
+@@ -474,8 +474,8 @@ ossl_bn_is_bit_set(VALUE self, VALUE bit
+ 	WrapBN(CLASS_OF(self), obj, result);		\
+ 	return obj;					\
+     }
+-BIGNUM_SHIFT(lshift);
+-BIGNUM_SHIFT(rshift);
++BIGNUM_SHIFT(lshift)
++BIGNUM_SHIFT(rshift)
+ 
+ #define BIGNUM_SELF_SHIFT(func)				\
+     /*							\
+@@ -494,8 +494,8 @@ BIGNUM_SHIFT(rshift);
+ 		ossl_raise(eBNError, NULL);		\
+ 	return self;					\
+     }
+-BIGNUM_SELF_SHIFT(lshift);
+-BIGNUM_SELF_SHIFT(rshift);
++BIGNUM_SELF_SHIFT(lshift)
++BIGNUM_SELF_SHIFT(rshift)
+ 
+ #define BIGNUM_RAND(func)					\
+     /*								\
+@@ -528,8 +528,8 @@ BIGNUM_SELF_SHIFT(rshift);
+ 	WrapBN(klass, obj, result);				\
+ 	return obj;						\
+     }
+-BIGNUM_RAND(rand);
+-BIGNUM_RAND(pseudo_rand);
++BIGNUM_RAND(rand)
++BIGNUM_RAND(pseudo_rand)
+ 
+ #define BIGNUM_RAND_RANGE(func)					\
+     /*								\
+@@ -552,8 +552,8 @@ BIGNUM_RAND(pseudo_rand);
+ 	WrapBN(klass, obj, result);				\
+ 	return obj;						\
+     }
+-BIGNUM_RAND_RANGE(rand);
+-BIGNUM_RAND_RANGE(pseudo_rand);
++BIGNUM_RAND_RANGE(rand)
++BIGNUM_RAND_RANGE(pseudo_rand)
+ 
+ /*
+  * call-seq:
+@@ -608,8 +608,8 @@ ossl_bn_s_generate_prime(int argc, VALUE
+ 	GetBN(self, bn);			\
+ 	return INT2FIX(BN_##func(bn));		\
+     }
+-BIGNUM_NUM(num_bytes);
+-BIGNUM_NUM(num_bits);
++BIGNUM_NUM(num_bytes)
++BIGNUM_NUM(num_bits)
+ 
+ static VALUE
+ ossl_bn_copy(VALUE self, VALUE other)
+@@ -642,8 +642,8 @@ ossl_bn_copy(VALUE self, VALUE other)
+ 	GetBN(self, bn1);				\
+ 	return INT2FIX(BN_##func(bn1, bn2));		\
+     }
+-BIGNUM_CMP(cmp);
+-BIGNUM_CMP(ucmp);
++BIGNUM_CMP(cmp)
++BIGNUM_CMP(ucmp)
+ 
+ static VALUE
+ ossl_bn_eql(VALUE self, VALUE other)
+Index: ext/openssl/ossl_asn1.c
+===================================================================
+--- ext/openssl/ossl_asn1.c.orig
++++ ext/openssl/ossl_asn1.c
+@@ -33,7 +33,7 @@ asn1time_to_time(ASN1_TIME *time)
+ 	
+     switch (time->type) {
+     case V_ASN1_UTCTIME:
+-	if (sscanf(time->data, "%2d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
++	if (sscanf((const char *)time->data, "%2d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
+     		&tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
+ 	    ossl_raise(rb_eTypeError, "bad UTCTIME format");
+ 	} 
+@@ -44,7 +44,7 @@ asn1time_to_time(ASN1_TIME *time)
+ 	}
+ 	break;
+     case V_ASN1_GENERALIZEDTIME:
+-	if (sscanf(time->data, "%4d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
++	if (sscanf((const char *)time->data, "%4d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
+     		&tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
+ 	    ossl_raise(rb_eTypeError, "bad GENERALIZEDTIME format" );
+ 	} 
+@@ -80,7 +80,7 @@ time_to_time_t(VALUE time)
+ VALUE
+ asn1str_to_str(ASN1_STRING *str)
+ {
+-    return rb_str_new(str->data, str->length);
++    return rb_str_new((const char *)str->data, str->length);
+ }
+ 
+ /*
+@@ -214,7 +214,7 @@ obj_to_asn1bstr(VALUE obj, long unused_b
+     StringValue(obj);
+     if(!(bstr = ASN1_BIT_STRING_new()))
+ 	ossl_raise(eASN1Error, NULL);
+-    ASN1_BIT_STRING_set(bstr, RSTRING_PTR(obj), RSTRING_LEN(obj));
++    ASN1_BIT_STRING_set(bstr, (unsigned char *)RSTRING_PTR(obj), RSTRING_LEN(obj));
+     bstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
+     bstr->flags |= ASN1_STRING_FLAG_BITS_LEFT|(unused_bits&0x07);
+ 
+@@ -306,21 +306,21 @@ obj_to_asn1derstr(VALUE obj)
+ static VALUE
+ decode_bool(unsigned char* der, int length)
+ {
+-    int bool;
+-    unsigned char *p;
++    int val;
++    const unsigned char *p;
+ 
+     p = der;
+-    if((bool = d2i_ASN1_BOOLEAN(NULL, &p, length)) < 0)
++    if((val = d2i_ASN1_BOOLEAN(NULL, &p, length)) < 0)
+ 	ossl_raise(eASN1Error, NULL);
+ 
+-    return bool ? Qtrue : Qfalse;
++    return val ? Qtrue : Qfalse;
+ }
+ 
+ static VALUE
+ decode_int(unsigned char* der, int length)
+ {
+     ASN1_INTEGER *ai;
+-    unsigned char *p;
++    const unsigned char *p;
+     VALUE ret; 
+     int status = 0;
+ 
+@@ -339,7 +339,7 @@ static VALUE
+ decode_bstr(unsigned char* der, int length, long *unused_bits)
+ {
+     ASN1_BIT_STRING *bstr;
+-    unsigned char *p, *buf;
++    const unsigned char *p;
+     long len;
+     VALUE ret;
+ 
+@@ -347,16 +347,11 @@ decode_bstr(unsigned char* der, int leng
+     if(!(bstr = d2i_ASN1_BIT_STRING(NULL, &p, length)))
+ 	ossl_raise(eASN1Error, NULL);
+     len = bstr->length;
+-    if(!(buf = OPENSSL_malloc(len))){
+-	ASN1_BIT_STRING_free(bstr);
+-	ossl_raise(eASN1Error, NULL);
+-    }
+     *unused_bits = 0;
+     if(bstr->flags & ASN1_STRING_FLAG_BITS_LEFT)
+ 	*unused_bits = bstr->flags & 0x07;
+-    memcpy(buf, bstr->data, len);
++    ret = rb_str_new((const char *)bstr->data, len);
+     ASN1_BIT_STRING_free(bstr);
+-    ret = ossl_buf2str(buf, len);
+ 
+     return ret;
+ }
+@@ -365,7 +360,7 @@ static VALUE
+ decode_enum(unsigned char* der, int length)
+ {
+     ASN1_ENUMERATED *ai;
+-    unsigned char *p;
++    const unsigned char *p;
+     VALUE ret; 
+     int status = 0;
+ 
+@@ -384,7 +379,7 @@ static VALUE
+ decode_null(unsigned char* der, int length)
+ {
+     ASN1_NULL *null;
+-    unsigned char *p;
++    const unsigned char *p;
+ 
+     p = der;
+     if(!(null = d2i_ASN1_NULL(NULL, &p, length)))
+@@ -398,7 +393,7 @@ static VALUE
+ decode_obj(unsigned char* der, int length)
+ {
+     ASN1_OBJECT *obj;
+-    unsigned char *p;
++    const unsigned char *p;
+     VALUE ret;
+     int nid;
+     BIO *bio;
+@@ -427,7 +422,7 @@ static VALUE
+ decode_time(unsigned char* der, int length)
+ {
+     ASN1_TIME *time;
+-    unsigned char *p;
++    const unsigned char *p;
+     VALUE ret;
+     int status = 0;
+ 
+@@ -500,7 +495,7 @@ ossl_asn1_get_asn1type(VALUE obj)
+     value = ossl_asn1_get_value(obj);
+     switch(tag){
+     case V_ASN1_BOOLEAN:
+-	ptr = (void*)obj_to_asn1bool(value);
++	ptr = (void*)(VALUE)obj_to_asn1bool(value);
+ 	free_func = NULL;
+ 	break;
+     case V_ASN1_INTEGER:         /* FALLTHROUGH */
+@@ -702,7 +697,7 @@ ossl_asn1data_to_der(VALUE self)
+     if((length = ASN1_object_size(1, RSTRING_LEN(value), tag)) <= 0)
+ 	ossl_raise(eASN1Error, NULL);
+     der = rb_str_new(0, length);
+-    p = RSTRING_PTR(der);
++    p = (unsigned char *)RSTRING_PTR(der);
+     ASN1_put_object(&p, is_cons, RSTRING_LEN(value), tag, tag_class);
+     memcpy(p, RSTRING_PTR(value), RSTRING_LEN(value));
+     p += RSTRING_LEN(value);
+@@ -716,6 +711,7 @@ ossl_asn1_decode0(unsigned char **pp, lo
+ 		  int once, int yield)
+ {
+     unsigned char *start, *p;
++    const unsigned char *p0;
+     long len, off = *offset;
+     int hlen, tag, tc, j;
+     VALUE ary, asn1data, value, tag_class;
+@@ -724,7 +720,9 @@ ossl_asn1_decode0(unsigned char **pp, lo
+     p = *pp;
+     while(length > 0){
+ 	start = p;
+-	j = ASN1_get_object(&p, &len, &tag, &tc, length);
++	p0 = p;
++	j = ASN1_get_object(&p0, &len, &tag, &tc, length);
++	p = (unsigned char *)p0;
+ 	if(j & 0x80) ossl_raise(eASN1Error, NULL);
+ 	hlen = p - start;
+ 	if(yield){
+@@ -759,7 +757,7 @@ ossl_asn1_decode0(unsigned char **pp, lo
+ 	    else value = ossl_asn1_decode0(&p, len, &off, depth+1, 0, yield);
+ 	}
+ 	else{
+-	    value = rb_str_new(p, len);
++	    value = rb_str_new((const char *)p, len);
+ 	    p += len;
+ 	    off += len;
+ 	}
+@@ -824,7 +822,7 @@ ossl_asn1_traverse(VALUE self, VALUE obj
+ 
+     obj = ossl_to_der_if_possible(obj);
+     tmp = rb_str_new4(StringValue(obj));
+-    p = RSTRING_PTR(tmp);
++    p = (unsigned char *)RSTRING_PTR(tmp);
+     ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 0, 1);
+ 
+     return Qnil;
+@@ -840,7 +838,7 @@ ossl_asn1_decode(VALUE self, VALUE obj)
+ 
+     obj = ossl_to_der_if_possible(obj);
+     tmp = rb_str_new4(StringValue(obj));
+-    p = RSTRING_PTR(tmp);
++    p = (unsigned char *)RSTRING_PTR(tmp);
+     ary = ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 1, 0);
+     ret = rb_ary_entry(ary, 0);
+ 
+@@ -857,7 +855,7 @@ ossl_asn1_decode_all(VALUE self, VALUE o
+ 
+     obj = ossl_to_der_if_possible(obj);
+     tmp = rb_str_new4(StringValue(obj));
+-    p = RSTRING_PTR(tmp);
++    p = (unsigned char *)RSTRING_PTR(tmp);
+     ret = ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 0, 0);
+ 
+     return ret;
+@@ -925,7 +923,7 @@ ossl_asn1prim_to_der(VALUE self)
+ {
+     ASN1_TYPE *asn1;
+     int tn, tc, explicit;
+-    long length, reallen;
++    long len, reallen;
+     unsigned char *buf, *p;
+     VALUE str;
+ 
+@@ -934,27 +932,25 @@ ossl_asn1prim_to_der(VALUE self)
+     explicit = ossl_asn1_is_explicit(self);
+     asn1 = ossl_asn1_get_asn1type(self);
+ 
+-    length = ASN1_object_size(1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn);
+-    if(!(buf = OPENSSL_malloc(length))){
++    len = ASN1_object_size(1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn);
++    if(!(buf = OPENSSL_malloc(len))){
+ 	ossl_ASN1_TYPE_free(asn1);
+ 	ossl_raise(eASN1Error, "cannot alloc buffer");
+     }
+     p = buf;
+-    if(tc == V_ASN1_UNIVERSAL) ossl_i2d_ASN1_TYPE(asn1, &p);
+-    else{
+-	if(explicit){
+-	    ASN1_put_object(&p, 1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn, tc);
+-	    ossl_i2d_ASN1_TYPE(asn1, &p);
+-	}
+-	else{
+-	    ossl_i2d_ASN1_TYPE(asn1, &p);
+-	    *buf = tc | tn | (*buf & V_ASN1_CONSTRUCTED);
+-	}
++    if (tc == V_ASN1_UNIVERSAL) {
++        ossl_i2d_ASN1_TYPE(asn1, &p);
++    } else if (explicit) {
++        ASN1_put_object(&p, 1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn, tc);
++        ossl_i2d_ASN1_TYPE(asn1, &p);
++    } else {
++        ossl_i2d_ASN1_TYPE(asn1, &p);
++        *buf = tc | tn | (*buf & V_ASN1_CONSTRUCTED);
+     }
+     ossl_ASN1_TYPE_free(asn1);
+     reallen = p - buf;
+-    assert(reallen <= length);
+-    str = ossl_buf2str(buf, reallen); /* buf will be free in ossl_buf2str */
++    assert(reallen <= len);
++    str = ossl_buf2str((char *)buf, reallen); /* buf will be free in ossl_buf2str */
+ 
+     return str;
+ }
+@@ -976,7 +972,7 @@ ossl_asn1cons_to_der(VALUE self)
+     seq_len = ASN1_object_size(1, RSTRING_LEN(value), tag);
+     length = ASN1_object_size(1, seq_len, tn);
+     str = rb_str_new(0, length);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(tc == V_ASN1_UNIVERSAL)
+ 	ASN1_put_object(&p, 1, RSTRING_LEN(value), tn, tc);
+     else{
+Index: ext/openssl/ossl_pkcs12.c
+===================================================================
+--- ext/openssl/ossl_pkcs12.c.orig
++++ ext/openssl/ossl_pkcs12.c
+@@ -137,15 +137,17 @@ ossl_pkcs12_initialize(int argc, VALUE *
+     X509 *x509;
+     STACK_OF(X509) *x509s = NULL;
+     int st = 0;
++    PKCS12 *pkcs = DATA_PTR(self);
+ 
+     if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) return self;
+     passphrase = NIL_P(pass) ? NULL : StringValuePtr(pass);
+     in = ossl_obj2bio(arg);
+-    d2i_PKCS12_bio(in, (PKCS12 **)&DATA_PTR(self));
++    d2i_PKCS12_bio(in, &pkcs);
++    DATA_PTR(self) = pkcs;
+     BIO_free(in);
+ 
+     pkey = cert = ca = Qnil;
+-    if(!PKCS12_parse((PKCS12*)DATA_PTR(self), passphrase, &key, &x509, &x509s))
++    if(!PKCS12_parse(pkcs, passphrase, &key, &x509, &x509s))
+ 	ossl_raise(ePKCS12Error, "PKCS12_parse");
+     pkey = rb_protect((VALUE(*)_((VALUE)))ossl_pkey_new, (VALUE)key,
+ 		      &st); /* NO DUP */
+@@ -181,7 +183,7 @@ ossl_pkcs12_to_der(VALUE self)
+     if((len = i2d_PKCS12(p12, NULL)) <= 0)
+ 	ossl_raise(ePKCS12Error, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_PKCS12(p12, &p) <= 0)
+ 	ossl_raise(ePKCS12Error, NULL);
+     ossl_str_adjust(str, p);
+Index: ext/openssl/ossl_ssl_session.c
+===================================================================
+--- ext/openssl/ossl_ssl_session.c.orig
++++ ext/openssl/ossl_ssl_session.c
+@@ -36,8 +36,6 @@ static VALUE ossl_ssl_session_alloc(VALU
+ static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
+ {
+ 	SSL_SESSION *ctx = NULL;
+-	VALUE obj;
+-	unsigned char *p;
+ 
+ 	if (RDATA(self)->data)
+ 		ossl_raise(eSSLSession, "SSL Session already initialized");
+@@ -55,7 +53,7 @@ static VALUE ossl_ssl_session_initialize
+ 		ctx = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
+ 
+ 		if (!ctx) {
+-			BIO_reset(in);
++			(void)BIO_reset(in);
+ 			ctx = d2i_SSL_SESSION_bio(in, NULL);
+ 		}
+ 
+@@ -86,9 +84,18 @@ static VALUE ossl_ssl_session_eq(VALUE v
+ 	GetSSLSession(val1, ctx1);
+ 	SafeGetSSLSession(val2, ctx2);
+ 
+-	switch (SSL_SESSION_cmp(ctx1, ctx2)) {
+-	case 0:		return Qtrue;
+-	default:	return Qfalse;
++	/*
++	 * OpenSSL 1.0.0betas do not have non-static SSL_SESSION_cmp.
++	 * ssl_session_cmp (was SSL_SESSION_cmp in 0.9.8) is for lhash
++	 * comparing so we should not depend on it.  Just compare sessions
++	 * by version and id.
++	 */
++	if ((ctx1->ssl_version == ctx2->ssl_version) &&
++	    (ctx1->session_id_length == ctx2->session_id_length) &&
++	    (memcmp(ctx1->session_id, ctx2->session_id, ctx1->session_id_length) == 0)) {
++	    return Qtrue;
++	} else {
++	    return Qfalse;
+ 	}
+ }
+ 
+@@ -100,7 +107,7 @@ static VALUE ossl_ssl_session_eq(VALUE v
+ static VALUE ossl_ssl_session_get_time(VALUE self)
+ {
+ 	SSL_SESSION *ctx;
+-	time_t t;
++	long t;
+ 
+ 	GetSSLSession(self, ctx);
+ 
+@@ -122,20 +129,20 @@ static VALUE ossl_ssl_session_get_time(V
+ static VALUE ossl_ssl_session_get_timeout(VALUE self)
+ {
+ 	SSL_SESSION *ctx;
+-	time_t t;
++	long t;
+ 
+ 	GetSSLSession(self, ctx);
+ 
+ 	t = SSL_SESSION_get_timeout(ctx);
+ 
+-	return ULONG2NUM(t);
++	return LONG2NUM(t);
+ }
+ 
+ #define SSLSESSION_SET_TIME(func)						\
+ 	static VALUE ossl_ssl_session_set_##func(VALUE self, VALUE time_v)	\
+ 	{									\
+ 		SSL_SESSION *ctx;						\
+-		time_t t;							\
++		long t;								\
+ 										\
+ 		GetSSLSession(self, ctx);					\
+ 										\
+@@ -147,7 +154,7 @@ static VALUE ossl_ssl_session_get_timeou
+ 			rb_raise(rb_eArgError, "unknown type");			\
+ 		}								\
+ 										\
+-		t = NUM2ULONG(time_v);						\
++		t = NUM2LONG(time_v);						\
+ 										\
+ 		SSL_SESSION_set_##func(ctx, t);					\
+ 										\
+Index: ext/openssl/ossl_ns_spki.c
+===================================================================
+--- ext/openssl/ossl_ns_spki.c.orig
++++ ext/openssl/ossl_ns_spki.c
+@@ -56,14 +56,14 @@ ossl_spki_initialize(int argc, VALUE *ar
+ {
+     NETSCAPE_SPKI *spki;
+     VALUE buffer;
+-    unsigned char *p;
++    const unsigned char *p;
+ 	
+     if (rb_scan_args(argc, argv, "01", &buffer) == 0) {
+ 	return self;
+     }
+     StringValue(buffer);
+     if (!(spki = NETSCAPE_SPKI_b64_decode(RSTRING_PTR(buffer), -1))) {
+-	p = RSTRING_PTR(buffer);
++	p = (unsigned char *)RSTRING_PTR(buffer);
+ 	if (!(spki = d2i_NETSCAPE_SPKI(NULL, &p, RSTRING_LEN(buffer)))) {
+ 	    ossl_raise(eSPKIError, NULL);
+ 	}
+@@ -87,7 +87,7 @@ ossl_spki_to_der(VALUE self)
+     if ((len = i2d_NETSCAPE_SPKI(spki, NULL)) <= 0)
+         ossl_raise(eX509CertError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if (i2d_NETSCAPE_SPKI(spki, &p) <= 0)
+         ossl_raise(eX509CertError, NULL);
+     ossl_str_adjust(str, p);
+@@ -172,7 +172,7 @@ ossl_spki_get_challenge(VALUE self)
+ 	return rb_str_new(0, 0);
+     }
+ 
+-    return rb_str_new(spki->spkac->challenge->data,
++    return rb_str_new((const char *)spki->spkac->challenge->data,
+ 		      spki->spkac->challenge->length);
+ }
+ 
+Index: ext/openssl/ossl_x509crl.c
+===================================================================
+--- ext/openssl/ossl_x509crl.c.orig
++++ ext/openssl/ossl_x509crl.c
+@@ -91,7 +91,7 @@ static VALUE
+ ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
+ {
+     BIO *in;
+-    X509_CRL *crl;
++    X509_CRL *crl, *x = DATA_PTR(self);
+     VALUE arg;
+ 
+     if (rb_scan_args(argc, argv, "01", &arg) == 0) {
+@@ -99,10 +99,12 @@ ossl_x509crl_initialize(int argc, VALUE
+     }
+     arg = ossl_to_der_if_possible(arg);
+     in = ossl_obj2bio(arg);
+-    crl = PEM_read_bio_X509_CRL(in, (X509_CRL **)&DATA_PTR(self), NULL, NULL);
++    crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL);
++    DATA_PTR(self) = x;
+     if (!crl) {
+-	BIO_reset(in);
+-	crl = d2i_X509_CRL_bio(in, (X509_CRL **)&DATA_PTR(self));
++	(void)BIO_reset(in);
++	crl = d2i_X509_CRL_bio(in, &x);
++	DATA_PTR(self) = x;
+     }
+     BIO_free(in);
+     if (!crl) ossl_raise(eX509CRLError, NULL);
+@@ -262,7 +264,7 @@ ossl_x509crl_get_revoked(VALUE self)
+     VALUE ary, revoked;
+ 
+     GetX509CRL(self, crl);
+-    num = sk_X509_CRL_num(X509_CRL_get_REVOKED(crl));
++    num = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
+     if (num < 0) {
+ 	OSSL_Debug("num < 0???");
+ 	return rb_ary_new();
+@@ -270,7 +272,7 @@ ossl_x509crl_get_revoked(VALUE self)
+     ary = rb_ary_new2(num);
+     for(i=0; i<num; i++) {
+ 	/* NO DUP - don't free! */
+-	rev = (X509_REVOKED *)sk_X509_CRL_value(X509_CRL_get_REVOKED(crl), i);
++	rev = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
+ 	revoked = ossl_x509revoked_new(rev);
+ 	rb_ary_push(ary, revoked);
+     }
+Index: ext/openssl/ossl_x509name.c
+===================================================================
+--- ext/openssl/ossl_x509name.c.orig
++++ ext/openssl/ossl_x509name.c
+@@ -135,11 +135,14 @@ ossl_x509name_initialize(int argc, VALUE
+ 	    rb_block_call(tmp, rb_intern("each"), 0, 0, ossl_x509name_init_i, args);
+ 	}
+ 	else{
+-	    unsigned char *p;
++	    const unsigned char *p;
+ 	    VALUE str = ossl_to_der_if_possible(arg);
++	    X509_NAME *x;
+ 	    StringValue(str);
+-	    p = RSTRING_PTR(str);
+-	    if(!d2i_X509_NAME((X509_NAME**)&DATA_PTR(self), &p, RSTRING_LEN(str))){
++	    p = (unsigned char *)RSTRING_PTR(str);
++	    x = d2i_X509_NAME(&name, &p, RSTRING_LEN(str));
++	    DATA_PTR(self) = name;
++	    if(!x){
+ 		ossl_raise(eX509NameError, NULL);
+ 	    }
+ 	}
+@@ -164,7 +167,7 @@ VALUE ossl_x509name_add_entry(int argc,
+     if(NIL_P(type)) type = rb_aref(OBJECT_TYPE_TEMPLATE, oid);
+     GetX509Name(self, name);
+     if (!X509_NAME_add_entry_by_txt(name, RSTRING_PTR(oid), NUM2INT(type),
+-		RSTRING_PTR(value), RSTRING_LEN(value), -1, 0)) {
++		(const unsigned char *)RSTRING_PTR(value), RSTRING_LEN(value), -1, 0)) {
+ 	ossl_raise(eX509NameError, NULL);
+     }
+ 
+@@ -245,7 +248,7 @@ ossl_x509name_to_a(VALUE self)
+ 	}
+ 	short_name = OBJ_nid2sn(OBJ_ln2nid(long_name));
+ 	ary = rb_ary_new3(3, rb_str_new2(short_name),
+-        		  rb_str_new(entry->value->data, entry->value->length),
++        		  rb_str_new((const char *)entry->value->data, entry->value->length),
+         		  INT2FIX(entry->value->type));
+ 	rb_ary_push(ret, ary);
+     }
+@@ -303,6 +306,27 @@ ossl_x509name_hash(VALUE self)
+     return ULONG2NUM(hash);
+ }
+ 
++#ifdef HAVE_X509_NAME_HASH_OLD
++/*
++ * call-seq:
++ *    name.hash_old => integer
++ *
++ * hash_old returns MD5 based hash used in OpenSSL 0.9.X.
++ */
++static VALUE
++ossl_x509name_hash_old(VALUE self)
++{
++    X509_NAME *name;
++    unsigned long hash;
++
++    GetX509Name(self, name);
++
++    hash = X509_NAME_hash_old(name);
++
++    return ULONG2NUM(hash);
++}
++#endif
++
+ /*
+  * call-seq:
+  *    name.to_der => string
+@@ -319,7 +343,7 @@ ossl_x509name_to_der(VALUE self)
+     if((len = i2d_X509_NAME(name, NULL)) <= 0)
+ 	ossl_raise(eX509NameError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_X509_NAME(name, &p) <= 0)
+ 	ossl_raise(eX509NameError, NULL);
+     ossl_str_adjust(str, p);
+@@ -348,6 +372,9 @@ Init_ossl_x509name()
+     rb_define_alias(cX509Name, "<=>", "cmp");
+     rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1);
+     rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0);
++#ifdef HAVE_X509_NAME_HASH_OLD
++    rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0);
++#endif
+     rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0);
+ 
+     utf8str = INT2NUM(V_ASN1_UTF8STRING);
+Index: ext/openssl/ossl_pkey.c
+===================================================================
+--- ext/openssl/ossl_pkey.c.orig
++++ ext/openssl/ossl_pkey.c
+@@ -164,7 +164,7 @@ ossl_pkey_sign(VALUE self, VALUE digest,
+ {
+     EVP_PKEY *pkey;
+     EVP_MD_CTX ctx;
+-    int buf_len;
++    unsigned int buf_len;
+     VALUE str;
+ 
+     if (rb_funcall(self, id_private_q, 0, NULL) != Qtrue) {
+@@ -175,9 +175,9 @@ ossl_pkey_sign(VALUE self, VALUE digest,
+     StringValue(data);
+     EVP_SignUpdate(&ctx, RSTRING_PTR(data), RSTRING_LEN(data));
+     str = rb_str_new(0, EVP_PKEY_size(pkey)+16);
+-    if (!EVP_SignFinal(&ctx, RSTRING_PTR(str), &buf_len, pkey))
++    if (!EVP_SignFinal(&ctx, (unsigned char *)RSTRING_PTR(str), &buf_len, pkey))
+ 	ossl_raise(ePKeyError, NULL);
+-    assert(buf_len <= RSTRING_LEN(str));
++    assert((long)buf_len <= RSTRING_LEN(str));
+     rb_str_set_len(str, buf_len);
+ 
+     return str;
+@@ -194,7 +194,7 @@ ossl_pkey_verify(VALUE self, VALUE diges
+     StringValue(sig);
+     StringValue(data);
+     EVP_VerifyUpdate(&ctx, RSTRING_PTR(data), RSTRING_LEN(data));
+-    switch (EVP_VerifyFinal(&ctx, RSTRING_PTR(sig), RSTRING_LEN(sig), pkey)) {
++    switch (EVP_VerifyFinal(&ctx, (unsigned char *)RSTRING_PTR(sig), RSTRING_LEN(sig), pkey)) {
+     case 0:
+ 	return Qfalse;
+     case 1:
+Index: ext/openssl/openssl_missing.h
+===================================================================
+--- ext/openssl/openssl_missing.h.orig
++++ ext/openssl/openssl_missing.h
+@@ -18,6 +18,9 @@ extern "C" {
+ #ifndef TYPEDEF_D2I_OF
+ typedef char *d2i_of_void();
+ #endif
++#ifndef TYPEDEF_I2D_OF
++typedef int i2d_of_void();
++#endif
+ 
+ /*
+  * These functions are not included in headers of OPENSSL <= 0.9.6b
+@@ -25,39 +28,39 @@ typedef char *d2i_of_void();
+ 
+ #if !defined(PEM_read_bio_DSAPublicKey)
+ # define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
+-        (char *(*)())d2i_DSAPublicKey,PEM_STRING_DSA_PUBLIC,bp,(char **)x,cb,u)
++        (d2i_of_void *)d2i_DSAPublicKey,PEM_STRING_DSA_PUBLIC,bp,(void **)x,cb,u)
+ #endif
+ 
+ #if !defined(PEM_write_bio_DSAPublicKey)
+ # define PEM_write_bio_DSAPublicKey(bp,x) \
+-	PEM_ASN1_write_bio((int (*)())i2d_DSAPublicKey,\
++	PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPublicKey,\
+ 		PEM_STRING_DSA_PUBLIC,\
+ 		bp,(char *)x, NULL, NULL, 0, NULL, NULL)
+ #endif
+ 
+ #if !defined(DSAPrivateKey_dup)
+-# define DSAPrivateKey_dup(dsa) (DSA *)ASN1_dup((int (*)())i2d_DSAPrivateKey, \
+-	(char *(*)())d2i_DSAPrivateKey,(char *)dsa)
++# define DSAPrivateKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, \
++	(d2i_of_void *)d2i_DSAPrivateKey,(char *)dsa)
+ #endif
+ 
+ #if !defined(DSAPublicKey_dup)
+-# define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup((int (*)())i2d_DSAPublicKey, \
+-	(char *(*)())d2i_DSAPublicKey,(char *)dsa)
++# define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPublicKey, \
++	(d2i_of_void *)d2i_DSAPublicKey,(char *)dsa)
+ #endif
+ 
+ #if !defined(X509_REVOKED_dup)
+-# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((int (*)())i2d_X509_REVOKED, \
+-	(char *(*)())d2i_X509_REVOKED, (char *)rev)
++# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
++	(d2i_of_void *)d2i_X509_REVOKED, (char *)rev)
+ #endif
+ 
+ #if !defined(PKCS7_SIGNER_INFO_dup)
+-#  define PKCS7_SIGNER_INFO_dup(si) (PKCS7_SIGNER_INFO *)ASN1_dup((int (*)())i2d_PKCS7_SIGNER_INFO, \
+-	(char *(*)())d2i_PKCS7_SIGNER_INFO, (char *)si)
++#  define PKCS7_SIGNER_INFO_dup(si) (PKCS7_SIGNER_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_SIGNER_INFO, \
++	(d2i_of_void *)d2i_PKCS7_SIGNER_INFO, (char *)si)
+ #endif
+ 
+ #if !defined(PKCS7_RECIP_INFO_dup)
+-#  define PKCS7_RECIP_INFO_dup(ri) (PKCS7_RECIP_INFO *)ASN1_dup((int (*)())i2d_PKCS7_RECIP_INFO, \
+-	(char *(*)())d2i_PKCS7_RECIP_INFO, (char *)ri)
++#  define PKCS7_RECIP_INFO_dup(ri) (PKCS7_RECIP_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_RECIP_INFO, \
++	(d2i_of_void *)d2i_PKCS7_RECIP_INFO, (char *)ri)
+ #endif
+ 
+ #if !defined(HAVE_EVP_MD_CTX_INIT)
+Index: ext/openssl/ossl_pkey_dh.c
+===================================================================
+--- ext/openssl/ossl_pkey_dh.c.orig
++++ ext/openssl/ossl_pkey_dh.c
+@@ -169,7 +169,7 @@ ossl_dh_initialize(int argc, VALUE *argv
+ 	in = ossl_obj2bio(arg);
+ 	dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+ 	if (!dh){
+-	    BIO_reset(in);
++	    (void)BIO_reset(in);
+ 	    dh = d2i_DHparams_bio(in, NULL);
+ 	}
+ 	BIO_free(in);
+@@ -254,7 +254,7 @@ ossl_dh_to_der(VALUE self)
+     if((len = i2d_DHparams(pkey->pkey.dh, NULL)) <= 0)
+ 	ossl_raise(eDHError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_DHparams(pkey->pkey.dh, &p) < 0)
+ 	ossl_raise(eDHError, NULL);
+     ossl_str_adjust(str, p);
+@@ -407,7 +407,7 @@ ossl_dh_compute_key(VALUE self, VALUE pu
+     pub_key = GetBNPtr(pub);
+     len = DH_size(dh);
+     str = rb_str_new(0, len);
+-    if ((len = DH_compute_key(RSTRING_PTR(str), pub_key, dh)) < 0) {
++    if ((len = DH_compute_key((unsigned char *)RSTRING_PTR(str), pub_key, dh)) < 0) {
+ 	ossl_raise(eDHError, NULL);
+     }
+     rb_str_set_len(str, len);
+@@ -415,10 +415,10 @@ ossl_dh_compute_key(VALUE self, VALUE pu
+     return str;
+ }
+ 
+-OSSL_PKEY_BN(dh, p);
+-OSSL_PKEY_BN(dh, g);
+-OSSL_PKEY_BN(dh, pub_key);
+-OSSL_PKEY_BN(dh, priv_key);
++OSSL_PKEY_BN(dh, p)
++OSSL_PKEY_BN(dh, g)
++OSSL_PKEY_BN(dh, pub_key)
++OSSL_PKEY_BN(dh, priv_key)
+ 
+ /*
+  * -----BEGIN DH PARAMETERS-----
+Index: ext/openssl/ossl_x509cert.c
+===================================================================
+--- ext/openssl/ossl_x509cert.c.orig
++++ ext/openssl/ossl_x509cert.c
+@@ -134,7 +134,7 @@ static VALUE
+ ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
+ {
+     BIO *in;
+-    X509 *x509;
++    X509 *x509, *x = DATA_PTR(self);
+     VALUE arg;
+ 
+     if (rb_scan_args(argc, argv, "01", &arg) == 0) {
+@@ -143,10 +143,12 @@ ossl_x509_initialize(int argc, VALUE *ar
+     }
+     arg = ossl_to_der_if_possible(arg);
+     in = ossl_obj2bio(arg);
+-    x509 = PEM_read_bio_X509(in, (X509 **)&DATA_PTR(self), NULL, NULL);
++    x509 = PEM_read_bio_X509(in, &x, NULL, NULL);
++    DATA_PTR(self) = x;
+     if (!x509) {
+-	BIO_reset(in);
+-	x509 = d2i_X509_bio(in, (X509 **)&DATA_PTR(self));
++	(void)BIO_reset(in);
++	x509 = d2i_X509_bio(in, &x);
++	DATA_PTR(self) = x;
+     }
+     BIO_free(in);
+     if (!x509) ossl_raise(eX509CertError, NULL);
+@@ -190,7 +192,7 @@ ossl_x509_to_der(VALUE self)
+     if ((len = i2d_X509(x509, NULL)) <= 0)
+ 	ossl_raise(eX509CertError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if (i2d_X509(x509, &p) <= 0)
+ 	ossl_raise(eX509CertError, NULL);
+     ossl_str_adjust(str, p);
+@@ -690,7 +692,7 @@ static VALUE
+ ossl_x509_inspect(VALUE self)
+ {
+     VALUE str;
+-    char *cname = rb_class2name(rb_obj_class(self));
++    const char *cname = rb_class2name(rb_obj_class(self));
+ 
+     str = rb_str_new2("#<");
+     rb_str_cat2(str, cname);
+Index: ext/openssl/ossl_rand.c
+===================================================================
+--- ext/openssl/ossl_rand.c.orig
++++ ext/openssl/ossl_rand.c
+@@ -99,7 +99,7 @@ ossl_rand_bytes(VALUE self, VALUE len)
+     int n = NUM2INT(len);
+ 
+     str = rb_str_new(0, n);
+-    if (!RAND_bytes(RSTRING_PTR(str), n)) {
++    if (!RAND_bytes((unsigned char *)RSTRING_PTR(str), n)) {
+ 	ossl_raise(eRandomError, NULL);
+     }
+ 
+@@ -118,7 +118,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE
+     int n = NUM2INT(len);
+ 
+     str = rb_str_new(0, n);
+-    if (!RAND_pseudo_bytes(RSTRING_PTR(str), n)) {
++    if (!RAND_pseudo_bytes((unsigned char *)RSTRING_PTR(str), n)) {
+ 	ossl_raise(eRandomError, NULL);
+     }
+ 
+Index: ext/openssl/ossl_pkcs5.c
+===================================================================
+--- ext/openssl/ossl_pkcs5.c.orig
++++ ext/openssl/ossl_pkcs5.c
+@@ -29,14 +29,17 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE
+     VALUE str;
+     const EVP_MD *md;
+     int len = NUM2INT(keylen);
++    unsigned char* salt_p;
++    unsigned char* str_p;
+ 
+     StringValue(pass);
+     StringValue(salt);
+     md = GetDigestPtr(digest);
+-
+     str = rb_str_new(0, len);
++    salt_p = (unsigned char*)RSTRING_PTR(salt);
++    str_p = (unsigned char*)RSTRING_PTR(str);
+ 
+-    if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, RSTRING_PTR(str)) != 1)
++    if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), salt_p, RSTRING_LEN(salt), NUM2INT(iter), md, len, str_p) != 1)
+         ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC");
+ 
+     return str;
+@@ -72,7 +75,9 @@ ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self,
+ 
+     str = rb_str_new(0, len);
+ 
+-    if (PKCS5_PBKDF2_HMAC_SHA1(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), len, RSTRING_PTR(str)) != 1)
++    if (PKCS5_PBKDF2_HMAC_SHA1(RSTRING_PTR(pass), RSTRING_LEN(pass),
++			       (const unsigned char *)RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter),
++			       len, (unsigned char *)RSTRING_PTR(str)) != 1)
+         ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC_SHA1");
+ 
+     return str;
+Index: ext/openssl/ossl_x509ext.c
+===================================================================
+--- ext/openssl/ossl_x509ext.c.orig
++++ ext/openssl/ossl_x509ext.c
+@@ -198,6 +198,7 @@ ossl_x509extfactory_initialize(int argc,
+ 	ossl_x509extfactory_set_subject_req(self, subject_req);
+     if (!NIL_P(crl))
+ 	ossl_x509extfactory_set_crl(self, crl);
++    rb_iv_set(self, "@config", Qnil);
+ 
+     return self;
+ }
+@@ -273,16 +274,17 @@ static VALUE
+ ossl_x509ext_initialize(int argc, VALUE *argv, VALUE self)
+ {
+     VALUE oid, value, critical;
+-    unsigned char *p;
+-    X509_EXTENSION *ext;
++    const unsigned char *p;
++    X509_EXTENSION *ext, *x;
+ 
+     GetX509Ext(self, ext);
+     if(rb_scan_args(argc, argv, "12", &oid, &value, &critical) == 1){
+ 	oid = ossl_to_der_if_possible(oid);
+ 	StringValue(oid);
+-	p  = RSTRING_PTR(oid);
+-	if(!d2i_X509_EXTENSION((X509_EXTENSION**)&DATA_PTR(self),
+-			       &p, RSTRING_LEN(oid)))
++	p = (unsigned char *)RSTRING_PTR(oid);
++	x = d2i_X509_EXTENSION(&ext, &p, RSTRING_LEN(oid));
++	DATA_PTR(self) = ext;
++	if(!x)
+ 	    ossl_raise(eX509ExtError, NULL);
+ 	return self;
+     }
+@@ -323,14 +325,15 @@ ossl_x509ext_set_value(VALUE self, VALUE
+ 	ossl_raise(eX509ExtError, "malloc error");
+     memcpy(s, RSTRING_PTR(data), RSTRING_LEN(data));
+     if(!(asn1s = ASN1_OCTET_STRING_new())){
+-	free(s);
++        OPENSSL_free(s);
+ 	ossl_raise(eX509ExtError, NULL);
+     }
+     if(!M_ASN1_OCTET_STRING_set(asn1s, s, RSTRING_LEN(data))){
+-	free(s);
++        OPENSSL_free(s);
+ 	ASN1_OCTET_STRING_free(asn1s);
+ 	ossl_raise(eX509ExtError, NULL);
+     }
++    OPENSSL_free(s);
+     GetX509Ext(self, ext);
+     X509_EXTENSION_set_data(ext, asn1s);
+ 
+@@ -409,7 +412,7 @@ ossl_x509ext_to_der(VALUE obj)
+     if((len = i2d_X509_EXTENSION(ext, NULL)) <= 0)
+ 	ossl_raise(eX509ExtError, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_X509_EXTENSION(ext, &p) < 0)
+ 	ossl_raise(eX509ExtError, NULL);
+     ossl_str_adjust(str, p);
+Index: ext/openssl/ossl_pkcs7.c
+===================================================================
+--- ext/openssl/ossl_pkcs7.c.orig
++++ ext/openssl/ossl_pkcs7.c
+@@ -309,7 +309,7 @@ ossl_pkcs7_alloc(VALUE klass)
+ static VALUE
+ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
+ {
+-    PKCS7 *p7;
++    PKCS7 *p7, *pkcs = DATA_PTR(self);
+     BIO *in;
+     VALUE arg;
+ 
+@@ -317,10 +317,12 @@ ossl_pkcs7_initialize(int argc, VALUE *a
+ 	return self;
+     arg = ossl_to_der_if_possible(arg);
+     in = ossl_obj2bio(arg);
+-    p7 = PEM_read_bio_PKCS7(in, (PKCS7 **)&DATA_PTR(self), NULL, NULL);
++    p7 = PEM_read_bio_PKCS7(in, &pkcs, NULL, NULL);
++    DATA_PTR(self) = pkcs;
+     if (!p7) {
+-	BIO_reset(in);
+-        p7 = d2i_PKCS7_bio(in, (PKCS7 **)&DATA_PTR(self));
++	(void)BIO_reset(in);
++        p7 = d2i_PKCS7_bio(in, &pkcs);
++	DATA_PTR(self) = pkcs;
+     }
+     BIO_free(in);
+     ossl_pkcs7_set_data(self, Qnil);
+@@ -570,12 +572,11 @@ ossl_pkcs7_add_certificate(VALUE self, V
+     return self;
+ }
+ 
+-static STACK *
+-pkcs7_get_certs_or_crls(VALUE self, int want_certs)
++static STACK_OF(X509) *
++pkcs7_get_certs(VALUE self)
+ {
+     PKCS7 *pkcs7;
+     STACK_OF(X509) *certs;
+-    STACK_OF(X509_CRL) *crls;
+     int i;
+ 
+     GetPKCS7(self, pkcs7);
+@@ -583,17 +584,38 @@ pkcs7_get_certs_or_crls(VALUE self, int
+     switch(i){
+     case NID_pkcs7_signed:
+         certs = pkcs7->d.sign->cert;
+-        crls = pkcs7->d.sign->crl;
+         break;
+     case NID_pkcs7_signedAndEnveloped:
+         certs = pkcs7->d.signed_and_enveloped->cert;
++        break;
++    default:
++        certs = NULL;
++    }
++
++    return certs;
++}
++
++static STACK_OF(X509_CRL) *
++pkcs7_get_crls(VALUE self)
++{
++    PKCS7 *pkcs7;
++    STACK_OF(X509_CRL) *crls;
++    int i;
++
++    GetPKCS7(self, pkcs7);
++    i = OBJ_obj2nid(pkcs7->type);
++    switch(i){
++    case NID_pkcs7_signed:
++        crls = pkcs7->d.sign->crl;
++        break;
++    case NID_pkcs7_signedAndEnveloped:
+         crls = pkcs7->d.signed_and_enveloped->crl;
+         break;
+     default:
+-        certs = crls = NULL;
++        crls = NULL;
+     }
+ 
+-    return want_certs ? certs : crls;
++    return crls;
+ }
+ 
+ static VALUE
+@@ -608,7 +630,7 @@ ossl_pkcs7_set_certificates(VALUE self,
+     STACK_OF(X509) *certs;
+     X509 *cert;
+ 
+-    certs = pkcs7_get_certs_or_crls(self, 1);
++    certs = pkcs7_get_certs(self);
+     while((cert = sk_X509_pop(certs))) X509_free(cert);
+     rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_certs_i, self);
+ 
+@@ -618,7 +640,7 @@ ossl_pkcs7_set_certificates(VALUE self,
+ static VALUE
+ ossl_pkcs7_get_certificates(VALUE self)
+ {
+-    return ossl_x509_sk2ary(pkcs7_get_certs_or_crls(self, 1));
++    return ossl_x509_sk2ary(pkcs7_get_certs(self));
+ }
+ 
+ static VALUE
+@@ -648,7 +670,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ar
+     STACK_OF(X509_CRL) *crls;
+     X509_CRL *crl;
+ 
+-    crls = pkcs7_get_certs_or_crls(self, 0);
++    crls = pkcs7_get_crls(self);
+     while((crl = sk_X509_CRL_pop(crls))) X509_CRL_free(crl);
+     rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_crls_i, self);
+ 
+@@ -658,7 +680,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ar
+ static VALUE
+ ossl_pkcs7_get_crls(VALUE self)
+ {
+-    return ossl_x509crl_sk2ary(pkcs7_get_certs_or_crls(self, 0));
++    return ossl_x509crl_sk2ary(pkcs7_get_crls(self));
+ }
+ 
+ static VALUE
+@@ -778,7 +800,7 @@ ossl_pkcs7_to_der(VALUE self)
+     if((len = i2d_PKCS7(pkcs7, NULL)) <= 0)
+ 	ossl_raise(ePKCS7Error, NULL);
+     str = rb_str_new(0, len);
+-    p = RSTRING_PTR(str);
++    p = (unsigned char *)RSTRING_PTR(str);
+     if(i2d_PKCS7(pkcs7, &p) <= 0)
+ 	ossl_raise(ePKCS7Error, NULL);
+     ossl_str_adjust(str, p);
+Index: ext/openssl/extconf.rb
+===================================================================
+--- ext/openssl/extconf.rb.orig
++++ ext/openssl/extconf.rb
+@@ -91,12 +91,16 @@ have_func("X509_CRL_add0_revoked")
+ have_func("X509_CRL_set_issuer_name")
+ have_func("X509_CRL_set_version")
+ have_func("X509_CRL_sort")
++have_func("X509_NAME_hash_old")
+ have_func("X509_STORE_get_ex_data")
+ have_func("X509_STORE_set_ex_data")
+ have_func("OBJ_NAME_do_all_sorted")
+ have_func("SSL_SESSION_get_id")
+ have_func("OPENSSL_cleanse")
+-if try_compile("#define FOO(a, ...) foo(a, ##__VA_ARGS__)\n int x(){FOO(1);FOO(1,2);FOO(1,2,3);}\n")
++unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
++	have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
++end
++if try_compile("#define FOO(...) foo(__VA_ARGS__)\n int x(){FOO(1);FOO(1,2);FOO(1,2,3);}\n")
+   $defs.push("-DHAVE_VA_ARGS_MACRO")
+ end
+ if have_header("openssl/engine.h")
diff --git a/ruby-1.8.x_yaml2byte.patch b/ruby-1.8.x_yaml2byte.patch
new file mode 100644
index 0000000..da62f26
--- /dev/null
+++ b/ruby-1.8.x_yaml2byte.patch
@@ -0,0 +1,37 @@
+I: Program causes undefined operation
+   (likely same variable used twiceand post/pre incremented in the same expression).
+   e.g. x = x++; Split it in two operations.
+W: ruby sequence-point yaml2byte.c:67, 104
+
+yaml2byte.c: In function 'bytestring_append':
+yaml2byte.c:67:21: warning: operation on 'str->buffer' may be undefined
+yaml2byte.c: In function 'bytestring_extend':
+yaml2byte.c:104:25: warning: operation on 'str->buffer' may be undefined
+
+#define S_REALLOC_N(var,type,n) (var)=(type*)realloc((char*)(var),sizeof(type)*(n))
+
+so the old code expanded to:
+str->buffer = str->buffer = (char*)realloc((char*)str->buffer, sizeof(char)*str->length + 1)
+
+Index: ext/syck/yaml2byte.c
+===================================================================
+--- ext/syck/yaml2byte.c	(revision 27446)
++++ ext/syck/yaml2byte.c	(working copy)
+@@ -64,7 +64,7 @@
+         grow = (length - str->remaining) + CHUNKSIZE;
+         str->remaining += grow;
+         str->length    += grow; 
+-        str->buffer = S_REALLOC_N( str->buffer, char, str->length + 1 );
++        S_REALLOC_N( str->buffer, char, str->length + 1 );
+         assert(str->buffer);
+     }
+     curr = str->buffer + (str->length - str->remaining);
+@@ -101,7 +101,7 @@
+             grow = (length - str->remaining) + CHUNKSIZE;
+             str->remaining += grow;
+             str->length    += grow; 
+-            str->buffer = S_REALLOC_N( str->buffer, char, str->length + 1 );
++            S_REALLOC_N( str->buffer, char, str->length + 1 );
+         }
+         curr = str->buffer + (str->length - str->remaining);
+         from = ext->buffer;
diff --git a/ruby.changes b/ruby.changes
index f1912ae..ea77d15 100644
--- a/ruby.changes
+++ b/ruby.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Apr 22 22:06:56 UTC 2010 - mrueckert@suse.de
+
+- added ruby-1.8.x_openssl-1.0.patch and 
+  ruby-1.8.x_openssl-1.0-tests.patch:
+  fix building with openssl 1.0.0 (taken from svn)
+- added ruby-1.8.x_yaml2byte.patch:
+  fix warning about sequence point
+- remove requires on glibc-devel again
+
+-------------------------------------------------------------------
+Sat Mar 13 21:25:30 UTC 2010 - crrodriguez@opensuse.org
+
+- ruby-devel requires glibc-devel 
+
 -------------------------------------------------------------------
 Tue Feb 23 12:02:11 UTC 2010 - mrueckert@suse.de
 
diff --git a/ruby.spec b/ruby.spec
index 2967378..1ef6f18 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -20,7 +20,7 @@
 
 Name:           ruby
 Version:        1.8.7.p249
-Release:        1
+Release:        2
 #
 %define pkg_version 1.8.7
 %define patch_level p249
@@ -64,6 +64,9 @@ Patch7:         ruby-1.8.7-p72_vendor_specific.patch
 Patch8:         ruby-1.8.7-p72_topdir.patch
 # can be removed on next version update. pulled from svn
 Patch9:         ruby-1.8.x_digest_non_void_return.patch
+Patch10:        ruby-1.8.x_openssl-1.0.patch
+Patch11:        ruby-1.8.x_openssl-1.0-tests.patch
+Patch12:        ruby-1.8.x_yaml2byte.patch
 # vendor ruby files taken from:
 # http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/
 Source3:        site-specific.rb
@@ -246,6 +249,9 @@ Authors:
 %patch7
 %patch8
 %patch9
+%patch10
+%patch11
+%patch12
 %if 0%{?with_bleak_house}
   for patch in valgrind configure gc ; do
     patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch