From 5d702bae7ca7935a0dad1197bea309faeb390bca Mon Sep 17 00:00:00 2001 
From: Paul Howarth
Date: Thu, 13 Jan 2022 12:13:06 +0000
Subject: [PATCH] Update to 1.92

- New upstream release 1.92
- Net::SSLeay now supports stable releases of OpenSSL 3.0
- OpenSSL 3.0.0 introduces the concept of "providers", which contain cryptographic algorithm implementations; many outdated, deprecated and/or insecure algorithms have been moved to the "legacy" provider, which may need to be loaded explicitly in order to use them with Net::SSLeay (see "Low level API: OSSL_LIB_CTX and OSSL_PROVIDER related functions" in the Net::SSLeay module documentation for details)
- Net::SSLeay's built-in PEM_get_string_PrivateKey() function depends on algorithms that have moved to the legacy provider described above; if OpenSSL has been compiled without the legacy provider, the tests t/local/33_x509_create_cert.t and t/local/63_ec_key_generate_key.t will fail when the test suite is run
- TLS 1.1 and below may only be used at security level 0 as of OpenSSL 3.0.0; if a minimum required security level is imposed (e.g. in an OpenSSL configuration file managed by the operating system), the tests t/local/44_sess.t and t/local/45_exporter.t will fail when the test suite is run
- Net::SSLeay now supports stable releases of LibreSSL from the 3.2-3.4 series (with the exception of 3.2.2 and 3.2.3 - see "COMPATIBILITY" in the Net::SSLeay module documentation for details)
- The TLS 1.3 implementation in LibreSSL 3.1-3.3, parts of which are enabled by default, is not fully compatible with the libssl API and may not function as expected with Net::SSLeay; see "KNOWN BUGS AND CAVEATS" in the Net::SSLeay module documentation for details
- A number of new libcrypto/libssl constants and functions are now exposed, including SSL_CTX_set_keylog_callback() and SSL_CTX_set_msg_callback(), which are helpful when debugging TLS handshakes; see the release notes for the 1.91 developer releases (in the Changes file) for a full list of newly-exposed constants and functions
---
 Net-SSLeay-1.90-OpenSSL3.patch | 3337 --------------------------------
 perl-Net-SSLeay.rpmlintrc      |    4 +-
 perl-Net-SSLeay.spec           |   40 +-
 sources                        |    2 +-
 4 files changed, 37 insertions(+), 3346 deletions(-)
 delete mode 100644 Net-SSLeay-1.90-OpenSSL3.patch

diff --git a/Net-SSLeay-1.90-OpenSSL3.patch b/Net-SSLeay-1.90-OpenSSL3.patch deleted file mode 100644 index 5a47120..0000000 --- a/Net-SSLeay-1.90-OpenSSL3.patch +++ /dev/null
@@ -1,3337 +0,0 @@ -diff --git a/Changes b/Changes -index db61b2a..72886b3 100644 ---- a/Changes -+++ b/Changes -@@ -1,5 +1,56 @@ - Revision history for Perl extension Net::SSLeay. - -+???? -+ - Correct X509_STORE_CTX_init() return value to integer. Previous -+ versions of Net::SSLeay return nothing. -+ - Update tests to call close() to avoid problems seen with -+ test 44_sess.t, and possibly other tests, running on older -+ Windows Perl versions. Also add some missing calls in tests -+ to shutdown and free ssl structures. -+ - Fix multiple formatting errors in the documentation for Net::SSLeay. -+ Thanks to John Jetmore. -+ - Check for presence of libssl headers in Makefile.PL, and exit with an -+ error instead of generating an invalid Makefile if they cannot be found. -+ Fixes RT#105189. Thanks to James E Keenan for the report. -+ - Added support for SSL_CTX_set_msg_callback/SSL_set_msg_callback -+ Thanks to Tim Aerts. -+ - Adjust time in ASN1_TIME_timet based on current offset to GMT to -+ address GH-148. Thanks to Steffen Ullrich. -+ - Multiple updates to tests to match OpenSSL 3.0 behaviour. -+ Thanks to Michal Josef Špaček. -+ - OpenSSL 3.0 related changes in tests include: -+ - TLSv1 and TLSv1.1 require security level 0 starting with 3.0 alpha 5. -+ - SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() ignore -+ unknown ciphersuites starting with 3.0 alpha 11. -+ - Error code and error string packing and formatting changes. -+ - PEM_get_string_PrivateKey default algorithm requires legacy provider. -+ - See OpenSSL manual page migration_guide(7) for more information about -+ changes in OpenSSL 3.0. -+ - Automatically detect OpenSSL installed via Homebrew on ARM-based macOS -+ systems. Thanks to Graham Knop for the patch. -+ - Account for the divergence in TLSv1.3 ciphersuite names between OpenSSL and -+ LibreSSL, which was causing failures of some TLSv1.3 tests with LibreSSL. 
-+ - In 36_verify.t, account for the presence of the X509_V_FLAG_LEGACY_VERIFY -+ flag (signalling the use of the legacy X.509 verifier) in LibreSSL 3.3.2 and -+ above. -+ - In 43_misc_functions.t, account for the fact that LibreSSL 3.2.0 and above -+ implement TLSv1.3 without exposing a TLS1_3_VERSION constant. -+ - Expose OpenSSL 3.0 functions -+ OSSL_LIB_CTX_get0_global_default, OSSL_PROVIDER_load, -+ OSSL_PROVIDER_try_load, OSSL_PROVIDER_unload, -+ OSSL_PROVIDER_available, OSSL_PROVIDER_do_all -+ OSSL_PROVIDER_get0_name and OSSL_PROVIDER_self_test. -+ Add test files 22_provider.t, 22_provider_try_load.t and -+ 22_provider_try_load_zero_retain.t. -+ - With OpenSSL 3.0 and later, the legacy provider is loaded in -+ 33_x509_create_cert.t to allow PEM_get_string_PrivateKey to -+ continue working until its default encryption method is -+ updated. Fixes GH-272 and closes GH-273. -+ - Remove the test suite's optional dependency on the non-core modules -+ Test::Exception, Test::NoWarnings and Test::Warn. Tests that verify -+ Net::SSLeay's behaviour when errors occur are now executed regardless of the -+ availability of these modules. -+ - 1.90 2021-01-21 - - New stable release incorporating all changes from developer releases - 1.89_01 to 1.89_05. 
-diff --git a/MANIFEST b/MANIFEST -index dfc6f1f..cbad0d0 100644 ---- a/MANIFEST -+++ b/MANIFEST -@@ -199,6 +199,9 @@ t/local/11_read.t - t/local/15_bio.t - t/local/20_autoload.t - t/local/21_constants.t -+t/local/22_provider.t -+t/local/22_provider_try_load.t -+t/local/22_provider_try_load_zero_retain.t - t/local/30_error.t - t/local/31_rsa_generate_key.t - t/local/32_x509_get_cert_info.t -@@ -215,6 +218,7 @@ t/local/42_info_callback.t - t/local/43_misc_functions.t - t/local/44_sess.t - t/local/45_exporter.t -+t/local/46_msg_callback.t - t/local/50_digest.t - t/local/61_threads-cb-crash.t - t/local/62_threads-ctx_new-deadlock.t -diff --git a/Makefile.PL b/Makefile.PL -index 6dcf155..eefa656 100644 ---- a/Makefile.PL -+++ b/Makefile.PL -@@ -4,10 +4,22 @@ use strict; - use warnings; - - use Config; -+use English qw( $OSNAME -no_match_vars ); - use ExtUtils::MakeMaker; - use File::Basename (); - use File::Spec; -+use File::Spec::Functions qw(catfile); - use Symbol qw(gensym); -+use Text::Wrap; -+ -+# According to http://cpanwiki.grango.org/wiki/CPANAuthorNotes, the ideal -+# behaviour to exhibit when a prerequisite does not exist is to use exit code 0 -+# to ensure smoke testers stop immediately without reporting a FAIL; in all -+# other environments, we want to fail more loudly -+use constant MISSING_PREREQ => ( $ENV{AUTOMATED_TESTING} ? 
0 : 1 ); -+ -+# Error messages displayed with alert() will be this many columns wide -+use constant ALERT_WIDTH => 78; - - # Define this to one if you want to link the openssl libraries statically into - # the Net-SSLeay loadable object on Windows -@@ -34,7 +46,11 @@ my %eumm_args = ( - VERSION_FROM => 'lib/Net/SSLeay.pm', - MIN_PERL_VERSION => '5.8.1', - CONFIGURE_REQUIRES => { -+ 'English' => '0', - 'ExtUtils::MakeMaker' => '0', -+ 'File::Spec::Functions' => '0', -+ 'Text::Wrap' => '0', -+ 'constant' => '0', - }, - TEST_REQUIRES => { - 'Carp' => '0', -@@ -47,6 +63,7 @@ my %eumm_args = ( - 'SelectSaver' => '0', - 'Socket' => '0', - 'Storable' => '0', -+ 'Test::Builder' => '0', - 'Test::More' => '0.60_01', - 'base' => '0', - }, -@@ -126,12 +143,38 @@ sub ssleay { - EOM - exit 0; # according https://wiki.cpantesters.org/wiki/CPANAuthorNotes this is best-practice when "missing library" - } -+ -+ my $opts = ssleay_get_build_opts($prefix); -+ -+ # Ensure libssl headers exist before continuing - compilation will fail -+ # without them -+ if ( !defined $opts->{inc_path} ) { -+ my $detail = -+ 'The libssl header files are required to build Net-SSLeay, but ' -+ . 'they are missing from ' . $prefix . '. They would typically ' -+ . 'reside in ' . catfile( $prefix, 'include', 'openssl' ) . '.'; -+ -+ if ( $OSNAME eq 'linux' ) { -+ $detail .= -+ "\n\n" -+ . 'If you are using the version of OpenSSL/LibreSSL packaged ' -+ . 'by your Linux distribution, you may need to install the ' -+ . 'corresponding "development" package via your package ' -+ . 'manager (e.g. libssl-dev for OpenSSL on Debian and Ubuntu, ' -+ . 'or openssl-devel for OpenSSL on Red Hat Enterprise Linux ' -+ . 
'and Fedora).'; -+ } -+ -+ alert( 'Could not find libssl headers', $detail ); -+ -+ exit MISSING_PREREQ; -+ } -+ - check_openssl_version($prefix, $exec); -- my $opts = ssleay_get_build_opts($prefix, $exec); - my %args = ( - CCCDLFLAGS => $opts->{cccdlflags}, - OPTIMIZE => $opts->{optimize}, -- INC => join(' ', map qq{-I"$_"}, @{$opts->{inc_paths}}), -+ INC => qq{-I"$opts->{inc_path}"}, - LIBS => join(' ', (map '-L'.maybe_quote($_), @{$opts->{lib_paths}}), (map {"-l$_"} @{$opts->{lib_links}})), - ); - # From HMBRAND to handle multple version of OPENSSL installed -@@ -145,15 +188,28 @@ EOM - sub maybe_quote { $_[0] =~ / / ? qq{"$_[0]"} : $_[0] } - - sub ssleay_get_build_opts { -- my ($prefix, $exec) = @_; -+ my ($prefix) = @_; - - my $opts = { - lib_links => [], - cccdlflags => '', - }; -- for ("$prefix/include", "$prefix/inc32", '/usr/kerberos/include') { -- push @{$opts->{inc_paths}}, $_ if -f "$_/openssl/ssl.h"; -+ -+ my @try_includes = ( -+ 'include' => sub { 1 }, -+ 'inc32' => sub { $OSNAME eq 'MSWin32' }, -+ ); -+ -+ while ( -+ !defined $opts->{inc_path} -+ && defined( my $dir = shift @try_includes ) -+ && defined( my $cond = shift @try_includes ) -+ ) { -+ if ( $cond->() && -f "$prefix/$dir/openssl/ssl.h" ) { -+ $opts->{inc_path} = "$prefix/$dir"; -+ } - } -+ - for ($prefix, "$prefix/lib64", "$prefix/lib", "$prefix/out32dll") { - push @{$opts->{lib_paths}}, $_ if -d $_; - } -@@ -251,6 +307,7 @@ sub find_openssl_prefix { - - my @guesses = ( - '/home/linuxbrew/.linuxbrew/opt/openssl/bin/openssl' => '/home/linuxbrew/.linuxbrew/opt/openssl', # LinuxBrew openssl -+ '/opt/homebrew/opt/openssl/bin/openssl' => '/opt/homebrew/opt/openssl', # macOS ARM homebrew - '/usr/local/opt/openssl/bin/openssl' => '/usr/local/opt/openssl', # OSX homebrew openssl - '/usr/local/bin/openssl' => '/usr/local', # OSX homebrew openssl - '/opt/local/bin/openssl' => '/opt/local', # Macports openssl -@@ -364,3 +421,21 @@ sub fixpath { - $text =~ s{\b/}{$sep}g; - return $text; - } -+ -+sub 
alert { -+ my ( $err, $detail ) = @_; -+ -+ local $Text::Wrap::columns = ALERT_WIDTH - 4; -+ -+ print "\n"; -+ -+ print '*' x ALERT_WIDTH, "\n"; -+ print '* ', uc($err), ' ' x ( ALERT_WIDTH - length($err) - 4 ), ' *', "\n"; -+ print '*', ' ' x ( ALERT_WIDTH - 2 ), '*', "\n"; -+ -+ for ( split /\n/, Text::Wrap::wrap( '', '', $detail ) ) { -+ print '* ', $_, ' ' x ( ALERT_WIDTH - length($_) - 4 ), ' *', "\n"; -+ } -+ -+ print '*' x ALERT_WIDTH, "\n"; -+} -diff --git a/README b/README -index b720673..4d021f1 100644 ---- a/README -+++ b/README -@@ -22,11 +22,11 @@ Perl 5.8.1 or higher. - One of the following libssl implementations: - - * Any stable release of OpenSSL (https://www.openssl.org) in the -- 0.9.8 - 1.1.1 branches, except for OpenSSL 0.9.8 - 0.9.8b. -+ 0.9.8 - 3.0 branches, except for OpenSSL 0.9.8 - 0.9.8b. - * Any stable release of LibreSSL (https://www.libressl.org) in the -- 2.0 - 3.1 series. -+ 2.0 - 3.1 series or 3.3 series. - --Net-SSLeay may not compile or pass its tests against newer releases -+Net-SSLeay may not compile or pass its tests against releases other - than the ones listed above due to libssl API incompatibilities, or, in - the case of LibreSSL, because of deviations from the libssl API. - -diff --git a/SSLeay.xs b/SSLeay.xs -index 02b81e7..350e0d7 100644 ---- a/SSLeay.xs -+++ b/SSLeay.xs -@@ -195,6 +195,9 @@ which conflicts with perls - #if OPENSSL_VERSION_NUMBER >= 0x10000000L - #include - #endif -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#include -+#endif - #undef BLOCK - - /* Debugging output - to enable use: -@@ -1474,6 +1477,71 @@ void ssleay_ctx_info_cb_invoke(const SSL *ssl, int where, int ret) - LEAVE; - } - -+void ssleay_msg_cb_invoke(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) -+{ -+ dSP; -+ SV *cb_func, *cb_data; -+ -+ cb_func = cb_data_advanced_get(ssl, "ssleay_msg_cb!!func"); -+ cb_data = cb_data_advanced_get(ssl, "ssleay_msg_cb!!data"); -+ -+ if ( ! 
SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) -+ croak ("Net::SSLeay: ssleay_msg_cb_invoke called, but not set to point to any perl function.\n"); -+ -+ ENTER; -+ SAVETMPS; -+ -+ PUSHMARK(SP); -+ XPUSHs(sv_2mortal(newSViv(write_p))); -+ XPUSHs(sv_2mortal(newSViv(version))); -+ XPUSHs(sv_2mortal(newSViv(content_type))); -+ XPUSHs(sv_2mortal(newSVpv((const char*)buf, len))); -+ XPUSHs(sv_2mortal(newSViv(len))); -+ XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); -+ XPUSHs(sv_2mortal(newSVsv(cb_data))); -+ PUTBACK; -+ -+ call_sv(cb_func, G_VOID); -+ -+ SPAGAIN; -+ PUTBACK; -+ FREETMPS; -+ LEAVE; -+} -+ -+void ssleay_ctx_msg_cb_invoke(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) -+{ -+ dSP; -+ SV *cb_func, *cb_data; -+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); -+ -+ cb_func = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!func"); -+ cb_data = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!data"); -+ -+ if ( ! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) -+ croak ("Net::SSLeay: ssleay_ctx_msg_cb_invoke called, but not set to point to any perl function.\n"); -+ -+ ENTER; -+ SAVETMPS; -+ -+ PUSHMARK(SP); -+ XPUSHs(sv_2mortal(newSViv(write_p))); -+ XPUSHs(sv_2mortal(newSViv(version))); -+ XPUSHs(sv_2mortal(newSViv(content_type))); -+ XPUSHs(sv_2mortal(newSVpv((const char*)buf, len))); -+ XPUSHs(sv_2mortal(newSViv(len))); -+ XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); -+ XPUSHs(sv_2mortal(newSVsv(cb_data))); -+ PUTBACK; -+ -+ call_sv(cb_func, G_VOID); -+ -+ SPAGAIN; -+ PUTBACK; -+ FREETMPS; -+ LEAVE; -+} -+ - /* - * Support for tlsext_ticket_key_cb_invoke was already in 0.9.8 but it was - * broken in various ways during the various 1.0.0* versions. 
-@@ -1652,9 +1720,45 @@ void ssleay_ssl_ctx_sess_remove_cb_invoke(SSL_CTX *ctx, SSL_SESSION *sess) - LEAVE; - } - -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+int ossl_provider_do_all_cb_invoke(OSSL_PROVIDER *provider, void *cbdata) { -+ dSP; -+ int ret = 1; -+ int count = -1; -+ simple_cb_data_t *cb = cbdata; -+ -+ PR1("STARTED: ossl_provider_do_all_cb_invoke\n"); -+ if (cb->func && SvOK(cb->func)) { -+ ENTER; -+ SAVETMPS; -+ -+ PUSHMARK(SP); -+ XPUSHs(sv_2mortal(newSViv(PTR2IV(provider)))); -+ if (cb->data) XPUSHs(cb->data); -+ -+ PUTBACK; -+ -+ count = call_sv(cb->func, G_SCALAR); -+ -+ SPAGAIN; -+ -+ if (count != 1) -+ croak("Net::SSLeay: ossl_provider_do_all_cb_invoke perl function did not return a scalar\n"); -+ -+ ret = POPi; -+ -+ PUTBACK; -+ FREETMPS; -+ LEAVE; -+ } -+ -+ return ret; -+} -+#endif -+ - /* ============= end of callback stuff, begin helper functions ============== */ - --time_t ASN1_TIME_timet(ASN1_TIME *asn1t) { -+time_t ASN1_TIME_timet(ASN1_TIME *asn1t, time_t *gmtoff) { - struct tm t; - const char *p = (const char*) asn1t->data; - size_t msec = 0, tz = 0, i, l; -@@ -1720,7 +1824,14 @@ time_t ASN1_TIME_timet(ASN1_TIME *asn1t) { - - result = mktime(&t); - if (result == -1) return 0; /* broken time */ -- return result + adj + ( t.tm_isdst ? 
3600:0 ); -+ result += adj; -+ if (gmtoff && *gmtoff == -1) { -+ *gmtoff = result - mktime(gmtime(&result)); -+ result += *gmtoff; -+ } else { -+ result += result - mktime(gmtime(&result)); -+ } -+ return result; - } - - X509 * find_issuer(X509 *cert,X509_STORE *store, STACK_OF(X509) *chain) { -@@ -4103,7 +4214,7 @@ X509V3_EXT_d2i(ext) - X509_STORE_CTX * - X509_STORE_CTX_new() - --void -+int - X509_STORE_CTX_init(ctx, store=NULL, x509=NULL, chain=NULL) - X509_STORE_CTX * ctx - X509_STORE * store -@@ -4336,6 +4447,10 @@ ASN1_TIME_free(s) - time_t - ASN1_TIME_timet(s) - ASN1_TIME *s -+ CODE: -+ RETVAL = ASN1_TIME_timet(s,NULL); -+ OUTPUT: -+ RETVAL - - ASN1_TIME * - ASN1_TIME_new() -@@ -5447,6 +5562,39 @@ SSL_CTX_set_info_callback(ctx,callback,data=&PL_sv_undef) - SSL_CTX_set_info_callback(ctx, ssleay_ctx_info_cb_invoke); - } - -+void -+SSL_set_msg_callback(ssl,callback,data=&PL_sv_undef) -+ SSL * ssl -+ SV * callback -+ SV * data -+ CODE: -+ if (callback==NULL || !SvOK(callback)) { -+ SSL_set_msg_callback(ssl, NULL); -+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", NULL); -+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", NULL); -+ } else { -+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", newSVsv(callback)); -+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", newSVsv(data)); -+ SSL_set_msg_callback(ssl, ssleay_msg_cb_invoke); -+ } -+ -+void -+SSL_CTX_set_msg_callback(ctx,callback,data=&PL_sv_undef) -+ SSL_CTX * ctx -+ SV * callback -+ SV * data -+ CODE: -+ if (callback==NULL || !SvOK(callback)) { -+ SSL_CTX_set_msg_callback(ctx, NULL); -+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", NULL); -+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", NULL); -+ } else { -+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", newSVsv(callback)); -+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", newSVsv(data)); -+ SSL_CTX_set_msg_callback(ctx, ssleay_ctx_msg_cb_invoke); -+ } -+ -+ - int - SSL_set_purpose(s,purpose) - SSL * s -@@ -6172,7 +6320,7 @@ 
SSL_total_renegotiations(ssl) - OUTPUT: - RETVAL - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) - void - SSL_SESSION_get_master_key(s) - SSL_SESSION * s -@@ -7348,6 +7496,7 @@ OCSP_response_results(rsp,...) - OCSP_BASICRESP *bsr; - int i,want_array; - time_t nextupd = 0; -+ time_t gmtoff = -1; - int getall,sksn; - - bsr = OCSP_response_get1_basic(rsp); -@@ -7440,15 +7589,15 @@ OCSP_response_results(rsp,...) - hv_store(details,"statusType",10, - newSViv(status),0); - if (nextupdate) hv_store(details,"nextUpdate",10, -- newSViv(ASN1_TIME_timet(nextupdate)),0); -+ newSViv(ASN1_TIME_timet(nextupdate, &gmtoff)),0); - if (thisupdate) hv_store(details,"thisUpdate",10, -- newSViv(ASN1_TIME_timet(thisupdate)),0); -+ newSViv(ASN1_TIME_timet(thisupdate, &gmtoff)),0); - if (status == V_OCSP_CERTSTATUS_REVOKED) { - #if OPENSSL_VERSION_NUMBER < 0x10100000L - OCSP_REVOKEDINFO *rev = sir->certStatus->value.revoked; - revocationReason = ASN1_ENUMERATED_get(rev->revocationReason); - #endif -- hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime)),0); -+ hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime, &gmtoff)),0); - hv_store(details,"revocationReason",16,newSViv(revocationReason),0); - hv_store(details,"revocationReason_str",20,newSVpv( - OCSP_crl_reason_str(revocationReason),0),0); -@@ -7457,7 +7606,7 @@ OCSP_response_results(rsp,...) 
- XPUSHs(sv_2mortal(newRV_noinc((SV*)idav))); - } else if (!error) { - /* compute lowest nextUpdate */ -- time_t nu = ASN1_TIME_timet(nextupdate); -+ time_t nu = ASN1_TIME_timet(nextupdate, &gmtoff); - if (!nextupd || nextupd>nu) nextupd = nu; - } - -@@ -7599,4 +7748,71 @@ SSL_export_keying_material(ssl, outlen, label, context=&PL_sv_undef) - - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ -+OSSL_LIB_CTX * -+OSSL_LIB_CTX_get0_global_default() -+ -+ -+OSSL_PROVIDER * -+OSSL_PROVIDER_load(SV *libctx, const char *name) -+ CODE: -+ OSSL_LIB_CTX *ctx = NULL; -+ if (libctx != &PL_sv_undef) -+ ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx)); -+ RETVAL = OSSL_PROVIDER_load(ctx, name); -+ if (RETVAL == NULL) -+ XSRETURN_UNDEF; -+ OUTPUT: -+ RETVAL -+ -+OSSL_PROVIDER * -+OSSL_PROVIDER_try_load(SV *libctx, const char *name, int retain_fallbacks) -+ CODE: -+ OSSL_LIB_CTX *ctx = NULL; -+ if (libctx != &PL_sv_undef) -+ ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx)); -+ RETVAL = OSSL_PROVIDER_try_load(ctx, name, retain_fallbacks); -+ if (RETVAL == NULL) -+ XSRETURN_UNDEF; -+ OUTPUT: -+ RETVAL -+ -+int -+OSSL_PROVIDER_unload(OSSL_PROVIDER *prov) -+ -+int -+OSSL_PROVIDER_available(SV *libctx, const char *name) -+ CODE: -+ OSSL_LIB_CTX *ctx = NULL; -+ if (libctx != &PL_sv_undef) -+ ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx)); -+ RETVAL = OSSL_PROVIDER_available(ctx, name); -+ OUTPUT: -+ RETVAL -+ -+int -+OSSL_PROVIDER_do_all(SV *libctx, SV *perl_cb, SV *perl_cbdata = &PL_sv_undef) -+ PREINIT: -+ simple_cb_data_t* cbdata = NULL; -+ CODE: -+ OSSL_LIB_CTX *ctx = NULL; -+ if (libctx != &PL_sv_undef) -+ ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx)); -+ -+ /* setup our callback */ -+ cbdata = simple_cb_data_new(perl_cb, perl_cbdata); -+ RETVAL = OSSL_PROVIDER_do_all(ctx, ossl_provider_do_all_cb_invoke, cbdata); -+ simple_cb_data_free(cbdata); -+ OUTPUT: -+ RETVAL -+ -+const char * -+OSSL_PROVIDER_get0_name(const OSSL_PROVIDER *prov) -+ -+int -+OSSL_PROVIDER_self_test(const OSSL_PROVIDER 
*prov) -+ -+#endif -+ - #define REM_EOF "/* EOF - SSLeay.xs */" -diff --git a/constants.c b/constants.c -index 722190c..cf5c0e7 100644 ---- a/constants.c -+++ b/constants.c -@@ -4712,9 +4712,10 @@ constant (const char *name, size_t len) { - V_OCSP_CERTSTATUS_UNKNOWN X509_V_ERR_CA_MD_TOO_WEAK - X509_V_ERR_CERT_UNTRUSTED X509_V_ERR_EMAIL_MISMATCH - X509_V_ERR_INVALID_NON_CA X509_V_ERR_SUBTREE_MINMAX -- X509_V_FLAG_CRL_CHECK_ALL X509_V_FLAG_NOTIFY_POLICY -- X509_V_FLAG_NO_ALT_CHAINS X509_V_FLAG_NO_CHECK_TIME -- X509_V_FLAG_PARTIAL_CHAIN X509_V_FLAG_TRUSTED_FIRST */ -+ X509_V_FLAG_CRL_CHECK_ALL X509_V_FLAG_LEGACY_VERIFY -+ X509_V_FLAG_NOTIFY_POLICY X509_V_FLAG_NO_ALT_CHAINS -+ X509_V_FLAG_NO_CHECK_TIME X509_V_FLAG_PARTIAL_CHAIN -+ X509_V_FLAG_TRUSTED_FIRST */ - /* Offset 20 gives the best switch position. */ - switch (name[20]) { - case '2': -@@ -4785,6 +4786,16 @@ constant (const char *name, size_t len) { - goto not_there; - #endif - -+ } -+ if (!memcmp(name, "X509_V_FLAG_LEGACY_VERIFY", 25)) { -+ /* ^ */ -+ -+#ifdef X509_V_FLAG_LEGACY_VERIFY -+ return X509_V_FLAG_LEGACY_VERIFY; -+#else -+ goto not_there; -+#endif -+ - } - break; - case 'F': -diff --git a/helper_script/regen_openssl_constants.pl b/helper_script/regen_openssl_constants.pl -index 6fd2908..4d6744b 100644 ---- a/helper_script/regen_openssl_constants.pl -+++ b/helper_script/regen_openssl_constants.pl -@@ -94,14 +94,12 @@ sub t_file { - use lib 'inc'; - - use Net::SSLeay; --use Test::Net::SSLeay; -+use Test::Net::SSLeay qw(dies_like); - --eval "use Test::Exception;"; --if (\$@) { -- plan skip_all => 'Some tests need Test::Exception'; --} else { -- plan tests => $count; --} -+# We rely on symbolic references to run the dies_like() tests: -+no strict 'refs'; -+ -+plan tests => $count; - - my \@c = (qw/ - $list -@@ -110,9 +108,12 @@ $list - my \@missing; - my \%h = map { \$_=>1 } \@Net::SSLeay::EXPORT_OK; - --for (\@c) { -- like(eval("&Net::SSLeay::\$_; 'ok'") || \$\@, qr/^(ok|Your vendor has not defined 
SSLeay macro.*)\$/, "\$_"); -- push(\@missing, \$_) unless \$h{\$_}; -+for my \$c (\@c) { -+ dies_like(sub { -+ "Net::SSLeay::\$c"->(); -+ die "ok\\n"; -+ }, qr/^(ok\\n|Your vendor has not defined SSLeay macro.*)\$/, "\$c"); -+ push(\@missing, \$c) unless \$h{\$c}; - } - - is(join(",", sort \@missing), '', 'constants missing in \@EXPORT_OK count='.scalar(\@missing)); -@@ -670,6 +671,7 @@ X509_V_FLAG_EXTENDED_CRL_SUPPORT - X509_V_FLAG_IGNORE_CRITICAL - X509_V_FLAG_INHIBIT_ANY - X509_V_FLAG_INHIBIT_MAP -+X509_V_FLAG_LEGACY_VERIFY - X509_V_FLAG_NO_ALT_CHAINS - X509_V_FLAG_NO_CHECK_TIME - X509_V_FLAG_NOTIFY_POLICY -diff --git a/inc/Test/Net/SSLeay.pm b/inc/Test/Net/SSLeay.pm -index 9a85083..30d1199 100644 ---- a/inc/Test/Net/SSLeay.pm -+++ b/inc/Test/Net/SSLeay.pm -@@ -11,6 +11,7 @@ use Cwd qw(abs_path); - use English qw( $EVAL_ERROR $OSNAME $PERL_VERSION -no_match_vars ); - use File::Basename qw(dirname); - use File::Spec::Functions qw( abs2rel catfile ); -+use Test::Builder; - use Test::Net::SSLeay::Socket; - - our $VERSION = '1.90'; -@@ -18,14 +19,21 @@ our $VERSION = '1.90'; - our @EXPORT_OK = qw( - can_fork can_really_fork can_thread - data_file_path -+ dies_like -+ dies_ok -+ doesnt_warn - initialise_libssl - is_libressl is_openssl - is_protocol_usable -+ lives_ok - new_ctx - protocols - tcp_socket -+ warns_like - ); - -+my $tester = Test::Builder->new(); -+ - my $data_path = catfile( dirname(__FILE__), '..', '..', '..', 't', 'data' ); - - my $initialised = 0; -@@ -63,6 +71,29 @@ my %protos = ( - }, - ); - -+my ( $test_no_warnings, $test_no_warnings_name, @warnings ); -+ -+END { -+ _test_no_warnings() if $test_no_warnings; -+} -+ -+sub _all { -+ my ( $sub, @list ) = @_; -+ -+ for (@list) { -+ $sub->() or return 0; -+ } -+ -+ return 1; -+} -+ -+sub _diag { -+ my (%args) = @_; -+ -+ $tester->diag( ' ' x 9, 'got: ', $args{got} ); -+ $tester->diag( ' ' x 4, 'expected: ', $args{expected} ); -+} -+ - sub _libssl_fatal { - my ($context) = @_; - -@@ -76,6 +107,17 @@ sub 
_load_net_ssleay { - return 1; - } - -+sub _test_no_warnings { -+ my $got_str = join q{, }, map { qq{'$_'} } @warnings; -+ my $got_type = @warnings == 1 ? 'warning' : 'warnings'; -+ -+ $tester->ok( @warnings == 0, $test_no_warnings_name ) -+ or _diag( -+ got => "$got_type $got_str", -+ expected => 'no warnings', -+ ); -+} -+ - sub import { - my ( $class, @imports ) = @_; - -@@ -152,6 +194,69 @@ sub data_file_path { - return $rel_path; - } - -+sub dies_like { -+ my ( $sub, $expected, $name ) = @_; -+ -+ my ( $got, $ok ); -+ -+ if ( eval { $sub->(); 1 } ) { -+ $ok = $tester->ok ( 0, $name ); -+ -+ _diag( -+ got => 'subroutine lived', -+ expected => "subroutine died with exception matching $expected", -+ ); -+ } -+ else { -+ $got = $EVAL_ERROR; -+ -+ my $test = $got =~ $expected; -+ -+ $ok = $tester->ok( $test, $name ) -+ or _diag( -+ got => qq{subroutine died with exception '$got'}, -+ expected => "subroutine died with exception matching $expected", -+ ); -+ } -+ -+ $EVAL_ERROR = $got; -+ -+ return $ok; -+} -+ -+sub dies_ok { -+ my ( $sub, $name ) = @_; -+ -+ my ( $got, $ok ); -+ -+ if ( eval { $sub->(); 1 } ) { -+ $got = $EVAL_ERROR; -+ -+ $ok = $tester->ok ( 0, $name ); -+ -+ _diag( -+ got => 'subroutine lived', -+ expected => 'subroutine died', -+ ); -+ } -+ else { -+ $got = $EVAL_ERROR; -+ -+ $ok = $tester->ok( 1, $name ); -+ } -+ -+ $EVAL_ERROR = $got; -+ -+ return $ok; -+} -+ -+sub doesnt_warn { -+ $test_no_warnings = 1; -+ $test_no_warnings_name = shift; -+ -+ $SIG{__WARN__} = sub { push @warnings, shift }; -+} -+ - sub initialise_libssl { - return 1 if $initialised; - -@@ -304,6 +409,32 @@ sub is_protocol_usable { - croak 'Unexpected TLS state machine sequence: ' . 
join( ', ', @states ); - } - -+sub lives_ok { -+ my ( $sub, $name ) = @_; -+ -+ my ( $got, $ok ); -+ -+ if ( !eval { $sub->(); 1 } ) { -+ $got = $EVAL_ERROR; -+ -+ $ok = $tester->ok ( 0, $name ); -+ -+ _diag( -+ got => qq{subroutine died with exception '$got'}, -+ expected => 'subroutine lived', -+ ); -+ } -+ else { -+ $got = $EVAL_ERROR; -+ -+ $ok = $tester->ok( 1, $name ); -+ } -+ -+ $EVAL_ERROR = $got; -+ -+ return $ok; -+} -+ - sub new_ctx { - my ( $min_proto, $max_proto ) = @_; - -@@ -362,6 +493,41 @@ sub tcp_socket { - return Test::Net::SSLeay::Socket->new( proto => 'tcp' ); - } - -+sub warns_like { -+ my ( $sub, $expected, $name ) = @_; -+ -+ my @expected = ref $expected eq 'ARRAY' -+ ? @$expected -+ : ($expected); -+ -+ my @got; -+ -+ local $SIG{__WARN__} = sub { push @got, shift }; -+ -+ $sub->(); -+ -+ $SIG{__WARN__} = 'DEFAULT'; -+ -+ my $test = scalar @got == scalar @expected -+ && _all( sub { $got[$_] =~ $expected[$_] }, 0 .. $#got ); -+ -+ my $ok = $tester->ok( $test, $name ) -+ or do { -+ my $got_str = join q{, }, map { qq{'$_'} } @got; -+ my $expected_str = join q{, }, map { qq{'$_'} } @expected; -+ -+ my $got_plural = @got == 1 ? '' : 's'; -+ my $expected_plural = @expected == 1 ? '' : 's'; -+ -+ _diag( -+ got => "warning$got_plural $got_str", -+ expected => "warning$expected_plural matching $expected_str", -+ ); -+ }; -+ -+ return $ok; -+} -+ - 1; - - __END__ -@@ -466,6 +632,49 @@ this Perl, or false if not. - Returns the relative path to a given file in the test suite data directory - (C). Dies if the file does not exist. - -+=head2 dies_like -+ -+ dies_like( -+ sub { die 'This subroutine always dies' }, -+ qr/always/, -+ 'A test that always passes' -+ ); -+ -+Similar to L in Test::Exception|Test::Exception/throws_ok>: -+performs a L test that passes if a given subroutine dies with an -+exception string that matches a given pattern, or fails if the subroutine does -+not die or dies with an exception string that does not match the given pattern. 
-+ -+This function preserves the value of C<$@> set by the given subroutine, so (for -+example) other tests can be performed on the value of C<$@> afterwards. -+ -+=head2 dies_ok -+ -+ dies_ok( -+ sub { my $x = 1 }, -+ 'A test that always fails' -+ ); -+ -+Similar to L in Test::Exception|Test::Exception/dies_ok>: performs a -+L test that passes if a given subroutine dies, or fails if it -+does not. -+ -+This function preserves the value of C<$@> set by the given subroutine, so (for -+example) other tests can be performed on the value of C<$@> afterwards. -+ -+=head2 doesnt_warn -+ -+ doesnt_warn('Test script outputs no unexpected warnings'); -+ -+Offers similar functionality to L: performs a L -+test at the end of the test script that passes if the test script executes from -+this point onwards without emitting any unexpected warnings, or fails if -+warnings are emitted before the test script ends. -+ -+Warnings omitted by subroutines that are executed as part of a L -+test are not considered to be unexpected (even if the L test -+fails), and will therefore not cause this test to fail. -+ - =head2 initialise_libssl - - initialise_libssl(); -@@ -514,6 +723,20 @@ C), or run-time configuration (e.g., the use of TLSv1.0 will be - forbidden if the OpenSSL configuration sets the default security level to 3 or - higher; see L). - -+=head2 lives_ok -+ -+ lives_ok( -+ sub { die 'Whoops' }, -+ 'A test that always fails' -+ ); -+ -+Similar to L in Test::Exception|Test::Exception/lives_ok>: performs -+a L test that passes if a given subroutine executes without -+dying, or fails if it dies during execution. -+ -+This function preserves the value of C<$@> set by the given subroutine, so (for -+example) other tests can be performed on the value of C<$@> afterwards. -+ - =head2 new_ctx - - my $ctx = new_ctx(); -@@ -566,6 +789,27 @@ closing connections. - Returns a L object. Dies - on failure. 
- -+=head2 warns_like -+ -+ warns_like( -+ sub { -+ warn 'First warning'; -+ warn 'Second warning'; -+ }, -+ [ -+ qr/First/, -+ qr/Second/, -+ ], -+ 'A test that always passes' -+ ); -+ -+Similar to L in Test::Warn|Test::Warn/warnings_like>: performs -+a L test that passes if a given subroutine emits a series of -+warnings that match the given sequence of patterns, or fails if the subroutine -+emits any other sequence of warnings (or no warnings at all). If a pattern is -+given instead of an array reference, the subroutine will be expected to emit a -+single warning matching the pattern. -+ - =head1 BUGS - - If you encounter a problem with this module that you believe is a bug, please -diff --git a/lib/Net/SSLeay.pm b/lib/Net/SSLeay.pm -index 99ac77f..fde0872 100644 ---- a/lib/Net/SSLeay.pm -+++ b/lib/Net/SSLeay.pm -@@ -421,6 +421,7 @@ $VERSION = '1.90'; - V_OCSP_CERTSTATUS_GOOD - V_OCSP_CERTSTATUS_REVOKED - V_OCSP_CERTSTATUS_UNKNOWN -+ X509_V_FLAG_LEGACY_VERIFY - ); - - sub AUTOLOAD { -diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod -index 6036b36..f0e8a10 100644 ---- a/lib/Net/SSLeay.pod -+++ b/lib/Net/SSLeay.pod -@@ -49,17 +49,17 @@ Net::SSLeay supports the following libssl implementations: - - =item * - --Any stable release of L in the 0.9.8 - 1.1.1 -+Any stable release of L in the 0.9.8 - 3.0 - branches, except for OpenSSL 0.9.8 - 0.9.8b. - - =item * - - Any stable release of L in the 2.0 - 3.1 --series. -+series or 3.3 series. - - =back - --Net::SSLeay may not function as expected with newer releases than the ones -+Net::SSLeay may not function as expected with releases other than the ones - listed above due to libssl API incompatibilities, or, in the case of LibreSSL, - because of deviations from the libssl API. - -@@ -926,6 +926,7 @@ a session secret callback can be set up to be called when a session secret is se - by openssl. 
- - Establish it like this: -+ - Net::SSLeay::set_session_secret_cb($ssl, \&session_secret_cb, $somedata); - - It will be called like this: -@@ -2576,7 +2577,7 @@ Check openssl doc L - -+=item * set_msg_callback -+ -+Sets the callback function, that can be used to obtain protocol messages information for $ssl during connection setup and use. -+When callback is undef, the callback setting currently valid for ctx is used. -+Note that set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by set_msg_callback. -+ -+ Net::SSLeay::set_msg_callback($ssl, $cb, [$arg]); -+ # $ssl - value corresponding to openssl's SSL structure -+ # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... } -+ # -+ # returns: no return value -+ -+Check openssl doc L -+ -+=item * CTX_set_msg_callback -+ -+Sets the callback function on ctx, that can be used to obtain protocol messages information for ssl connection setup and use. -+When callback is undef, the existing callback will be disabled. -+Note that CTX_set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by CTX_set_msg_callback. -+ -+ Net::SSLeay::CTX_set_msg_callback($ssl, $cb, [$arg]); -+ # $ssl - value corresponding to openssl's SSL structure -+ # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... } -+ # -+ # returns: no return value -+ -+Check openssl doc L -+ - =item * set_pref_cipher - - Sets the list of available ciphers for $ssl using the control string $str. -@@ -4709,13 +4738,13 @@ Setup pre-shared secret session resumption function. 
- # returns: no return value - - The callback function will be called like: --callback_function($secret, $ciphers, $pref_cipher, $data); - --# $secret is the current master session key, usually all 0s at the beginning of a session --# $ciphers is ref to an array of peer cipher names --# $pref_cipher is a ref to an index into the list of cipher names of --# the preferred cipher. Set it if you want to specify a preferred cipher --# $data is the data passed to set_session_secret_cb -+ callback_function($secret, $ciphers, $pref_cipher, $data); -+ # $secret is the current master session key, usually all 0s at the beginning of a session -+ # $ciphers is ref to an array of peer cipher names -+ # $pref_cipher is a ref to an index into the list of cipher names of -+ # the preferred cipher. Set it if you want to specify a preferred cipher -+ # $data is the data passed to set_session_secret_cb - - The callback function should return 1 if it likes the suggested cipher (or has selected an alternative - by setting pref_cipher), else it should return 0 (in which case OpenSSL will select its own preferred cipher). -@@ -4735,12 +4764,12 @@ Setup encryption for TLS session tickets (stateless session reuse). 
- # returns: no return value - - The callback function will be called like: --getkey($data,[$key_name]) -> ($key,$current_key_name) - --# $data is the data passed to set_session_secret_cb --# $key_name is the name of the key OpenSSL has extracted from the session ticket --# $key is the requested key for ticket encryption + HMAC --# $current_key_name is the name for the currently valid key -+ getkey($data,[$key_name]) -> ($key,$current_key_name) -+ # $data is the data passed to set_session_secret_cb -+ # $key_name is the name of the key OpenSSL has extracted from the session ticket -+ # $key is the requested key for ticket encryption + HMAC -+ # $current_key_name is the name for the currently valid key - - OpenSSL will call the function without a key name if it generates a new ticket. - It then needs the callback to return the encryption+HMAC key and an identifier -@@ -4805,12 +4834,12 @@ Setup callback for TLS session tickets (stateless session reuse). - # returns: no return value - - The callback function will be called like: --getticket($ssl,$ticket,$data) -> $return_value - --# $ssl is a value corresponding to openssl's SSL structure --# $ticket is a value of received TLS session ticket (can also be empty) --# $data is the data passed to set_session_ticket_ext_cb --# $return_value is either 0 (failure) or 1 (success) -+ getticket($ssl,$ticket,$data) -> $return_value -+ # $ssl is a value corresponding to openssl's SSL structure -+ # $ticket is a value of received TLS session ticket (can also be empty) -+ # $data is the data passed to set_session_ticket_ext_cb -+ # $return_value is either 0 (failure) or 1 (success) - - This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb. - -@@ -4825,12 +4854,12 @@ Set TLS session ticket (stateless session reuse). 
- # returns: no return value - - The callback function will be called like: --getticket($ssl,$ticket,$data) -> $return_value - --# $ssl is a value corresponding to openssl's SSL structure --# $ticket is a value of received TLS session ticket (can also be empty) --# $data is the data passed to set_session_ticket_ext_cb --# $return_value is either 0 (failure) or 1 (success) -+ getticket($ssl,$ticket,$data) -> $return_value -+ # $ssl is a value corresponding to openssl's SSL structure -+ # $ticket is a value of received TLS session ticket (can also be empty) -+ # $data is the data passed to set_session_ticket_ext_cb -+ # $return_value is either 0 (failure) or 1 (success) - - This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb. - -@@ -6129,7 +6158,7 @@ Returns X509_EXTENSION from $x509 based on given NID. - Returns fingerprint of certificate $cert. - - B Does not exactly correspond to any low level API function. The implementation --is basen on openssl's C. -+is based on openssl's C. - - Net::SSLeay::X509_get_fingerprint($x509, $type); - # $x509 - value corresponding to openssl's X509 structure -@@ -7501,12 +7530,15 @@ returns a newly initialised X509_STORE_CTX structure. - X509_STORE_CTX_init() sets up an X509_STORE_CTX for a subsequent verification operation. - It must be called before each call to X509_verify_cert(). 
- --Net::SSLeay::X509_STORE_CTX_init($x509_store_ctx, $x509_store, $x509, $chain); -- --# $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure (required) --# $x509_store - value corresponding to openssl's X509_STORE structure (optional) --# $x509 - value corresponding to openssl's X509 structure (optional) --# $chain - value corresponding to openssl's STACK_OF(X509) structure (optional) -+ my $rv = Net::SSLeay::X509_STORE_CTX_init($x509_store_ctx, $x509_store, $x509, $chain); -+ # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure (required) -+ # $x509_store - value corresponding to openssl's X509_STORE structure (optional) -+ # $x509 - value corresponding to openssl's X509 structure (optional) -+ # $chain - value corresponding to openssl's STACK_OF(X509) structure (optional) -+ # -+ # returns: 1 on success, 0 on failure -+ # -+ # Note: returns nothing with Net::SSLeay 1.90 and earlier. - - Check openssl doc L - -@@ -7514,7 +7546,7 @@ Check openssl doc L - -@@ -7633,27 +7665,27 @@ Check openssl doc L - -@@ -7705,9 +7737,9 @@ Returns an X509_LOOKUP structure that instructs an X509_STORE to - load files from a directory containing certificates with filenames - in the format I or crls with filenames in the format IBI - --my $rv = Net::SSLeay::X509_LOOKUP_hash_dir(); --# --# returns: value corresponding to openssl's X509_LOOKUP_METHOD structure, with the hashed directory method -+ my $rv = Net::SSLeay::X509_LOOKUP_hash_dir(); -+ # -+ # returns: value corresponding to openssl's X509_LOOKUP_METHOD structure, with the hashed directory method - - Check openssl doc L - -@@ -7716,13 +7748,13 @@ Check openssl doc L -+ -+=item * OSSL_PROVIDER_load -+ -+Loads and initializes a provider -+ -+ my $provider = Net::SSLeay::OSSL_PROVIDER_load($libctx, $name); -+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef -+ # $name - (string) provider name, e.g., 'legacy' -+ # -+ # returns: a value corresponding to OSSL_PROVIDER 
or false on failure -+ -+Using undef loads the provider within the global default library context. -+ -+ my $provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy'); -+ -+Check openssl doc L -+ -+=item * OSSL_PROVIDER_try_load -+ -+Loads and initializes a provider similar to OSSL_PROVIDER_load with additional fallback control. -+ -+ my $provider = Net::SSLeay::OSSL_PROVIDER_try_load($libctx, $name, $retain_fallbacks); -+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef -+ # $name - (string) provider name, e.g., 'legacy' -+ # $retain_fallbacks - (integer) 0 or 1 -+ # -+ # returns: a value corresponding to OSSL_PROVIDER or false on failure -+ -+Check openssl doc L -+ -+=item * OSSL_PROVIDER_unload -+ -+Unloads the given provider. -+ -+ my $rv = Net::SSLeay::OSSL_PROVIDER_unload($provider); -+ # $provider - a value corresponding to OSSL_PROVIDER -+ # -+ # returns: (integer) 1 on success, 0 on error -+ -+Check openssl doc L -+ -+=item * OSSL_PROVIDER_available -+ -+Checks if a named provider is available for use. -+ -+ my $rv = Net::SSLeay::OSSL_PROVIDER_available($libctx, $name); -+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef -+ # $name - (string) provider name, e.g., 'legacy' -+ # -+ # returns: (integer) 1 if the named provider is available, otherwise 0. -+ -+Check openssl doc L -+ -+=item * OSSL_PROVIDER_do_all -+ -+Iterates over all loaded providers. A callback is called for each provider. -+ -+ my $rv = Net::SSLeay::OSSL_PROVIDER_do_all($libctx, $cb, $cbdata); -+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef -+ # $cb - reference to a perl callback function -+ $ $cbdata - data that will be passed to callback function -+ # -+ # returns: (integer) 1 if all callbacks returned 1, 0 the first time a callback returns 0. 
-+ -+Example: -+ -+ sub do_all_cb { -+ my ($provider, $cbdata) = @_; -+ -+ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider); -+ print "Callback for provider: '$name', cbdata: '$cbdata'\n"; -+ return 1; -+ } -+ my $data_for_cb = 'Hello'; -+ -+ # Triggers default provider automatic loading. -+ Net::SSLeay::OSSL_PROVIDER_available(undef, 'default') || die 'default provider not available'; -+ Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy') || die 'load legacy'; -+ Net::SSLeay::OSSL_PROVIDER_load(undef, 'null') || die 'load null'; -+ Net::SSLeay::OSSL_PROVIDER_do_all(undef, \&do_all_cb, $data_for_cb) || die 'a callback failed'; -+ -+Check openssl doc L -+ -+=item * OSSL_PROVIDER_get0_name -+ -+Returns the name of the given provider. -+ -+ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider); -+ # $provider - a value corresponding to OSSL_PROVIDER -+ # -+ # returns: (string) provider name, e.g., 'legacy' -+ -+Check openssl doc L -+ -+=item * OSSL_PROVIDER_self_test -+ -+Runs the provider's self tests. -+ -+ my $rv = Net::SSLeay::OSSL_PROVIDER_self_test($provider); -+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef -+ # $provider - a value corresponding to OSSL_PROVIDER -+ # -+ # returns: (integer) returns 1 if the self tests pass, 0 on error -+ -+Check openssl doc L -+ -+=back -+ - =head2 Constants - - There are many openssl constants available in L. 
You can use them like this: -@@ -9269,190 +9425,191 @@ The list of all available constant names: - - =for comment the next part is the output of: perl helper_script/regen_openssl_constants.pl -gen-pod - -- ASN1_STRFLGS_ESC_CTRL NID_netscape R_UNKNOWN_REMOTE_ERROR_TYPE -- ASN1_STRFLGS_ESC_MSB NID_netscape_base_url R_UNKNOWN_STATE -- ASN1_STRFLGS_ESC_QUOTE NID_netscape_ca_policy_url R_X509_LIB -- ASN1_STRFLGS_RFC2253 NID_netscape_ca_revocation_url SENT_SHUTDOWN -- CB_ACCEPT_EXIT NID_netscape_cert_extension SESSION_ASN1_VERSION -- CB_ACCEPT_LOOP NID_netscape_cert_sequence SESS_CACHE_BOTH -- CB_ALERT NID_netscape_cert_type SESS_CACHE_CLIENT -- CB_CONNECT_EXIT NID_netscape_comment SESS_CACHE_NO_AUTO_CLEAR -- CB_CONNECT_LOOP NID_netscape_data_type SESS_CACHE_NO_INTERNAL -- CB_EXIT NID_netscape_renewal_url SESS_CACHE_NO_INTERNAL_LOOKUP -- CB_HANDSHAKE_DONE NID_netscape_revocation_url SESS_CACHE_NO_INTERNAL_STORE -- CB_HANDSHAKE_START NID_netscape_ssl_server_name SESS_CACHE_OFF -- CB_LOOP NID_ns_sgc SESS_CACHE_SERVER -- CB_READ NID_organizationName SSL3_VERSION -- CB_READ_ALERT NID_organizationalUnitName SSLEAY_BUILT_ON -- CB_WRITE NID_pbeWithMD2AndDES_CBC SSLEAY_CFLAGS -- CB_WRITE_ALERT NID_pbeWithMD2AndRC2_CBC SSLEAY_DIR -- ERROR_NONE NID_pbeWithMD5AndCast5_CBC SSLEAY_PLATFORM -- ERROR_SSL NID_pbeWithMD5AndDES_CBC SSLEAY_VERSION -- ERROR_SYSCALL NID_pbeWithMD5AndRC2_CBC ST_ACCEPT -- ERROR_WANT_ACCEPT NID_pbeWithSHA1AndDES_CBC ST_BEFORE -- ERROR_WANT_CONNECT NID_pbeWithSHA1AndRC2_CBC ST_CONNECT -- ERROR_WANT_READ NID_pbe_WithSHA1And128BitRC2_CBC ST_INIT -- ERROR_WANT_WRITE NID_pbe_WithSHA1And128BitRC4 ST_OK -- ERROR_WANT_X509_LOOKUP NID_pbe_WithSHA1And2_Key_TripleDES_CBC ST_READ_BODY -- ERROR_ZERO_RETURN NID_pbe_WithSHA1And3_Key_TripleDES_CBC ST_READ_HEADER -- EVP_PKS_DSA NID_pbe_WithSHA1And40BitRC2_CBC TLS1_1_VERSION -- EVP_PKS_EC NID_pbe_WithSHA1And40BitRC4 TLS1_2_VERSION -- EVP_PKS_RSA NID_pbes2 TLS1_3_VERSION -- EVP_PKT_ENC NID_pbmac1 TLS1_VERSION -- EVP_PKT_EXCH 
NID_pkcs TLSEXT_STATUSTYPE_ocsp -- EVP_PKT_EXP NID_pkcs3 VERIFY_CLIENT_ONCE -- EVP_PKT_SIGN NID_pkcs7 VERIFY_FAIL_IF_NO_PEER_CERT -- EVP_PK_DH NID_pkcs7_data VERIFY_NONE -- EVP_PK_DSA NID_pkcs7_digest VERIFY_PEER -- EVP_PK_EC NID_pkcs7_encrypted VERIFY_POST_HANDSHAKE -- EVP_PK_RSA NID_pkcs7_enveloped V_OCSP_CERTSTATUS_GOOD -- FILETYPE_ASN1 NID_pkcs7_signed V_OCSP_CERTSTATUS_REVOKED -- FILETYPE_PEM NID_pkcs7_signedAndEnveloped V_OCSP_CERTSTATUS_UNKNOWN -- F_CLIENT_CERTIFICATE NID_pkcs8ShroudedKeyBag WRITING -- F_CLIENT_HELLO NID_pkcs9 X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT -- F_CLIENT_MASTER_KEY NID_pkcs9_challengePassword X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS -- F_D2I_SSL_SESSION NID_pkcs9_contentType X509_CHECK_FLAG_NEVER_CHECK_SUBJECT -- F_GET_CLIENT_FINISHED NID_pkcs9_countersignature X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS -- F_GET_CLIENT_HELLO NID_pkcs9_emailAddress X509_CHECK_FLAG_NO_WILDCARDS -- F_GET_CLIENT_MASTER_KEY NID_pkcs9_extCertAttributes X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS -- F_GET_SERVER_FINISHED NID_pkcs9_messageDigest X509_FILETYPE_ASN1 -- F_GET_SERVER_HELLO NID_pkcs9_signingTime X509_FILETYPE_DEFAULT -- F_GET_SERVER_VERIFY NID_pkcs9_unstructuredAddress X509_FILETYPE_PEM -- F_I2D_SSL_SESSION NID_pkcs9_unstructuredName X509_LOOKUP -- F_READ_N NID_private_key_usage_period X509_PURPOSE_ANY -- F_REQUEST_CERTIFICATE NID_rc2_40_cbc X509_PURPOSE_CRL_SIGN -- F_SERVER_HELLO NID_rc2_64_cbc X509_PURPOSE_NS_SSL_SERVER -- F_SSL_CERT_NEW NID_rc2_cbc X509_PURPOSE_OCSP_HELPER -- F_SSL_GET_NEW_SESSION NID_rc2_cfb64 X509_PURPOSE_SMIME_ENCRYPT -- F_SSL_NEW NID_rc2_ecb X509_PURPOSE_SMIME_SIGN -- F_SSL_READ NID_rc2_ofb64 X509_PURPOSE_SSL_CLIENT -- F_SSL_RSA_PRIVATE_DECRYPT NID_rc4 X509_PURPOSE_SSL_SERVER -- F_SSL_RSA_PUBLIC_ENCRYPT NID_rc4_40 X509_PURPOSE_TIMESTAMP_SIGN -- F_SSL_SESSION_NEW NID_rc5_cbc X509_TRUST_COMPAT -- F_SSL_SESSION_PRINT_FP NID_rc5_cfb64 X509_TRUST_EMAIL -- F_SSL_SET_FD NID_rc5_ecb X509_TRUST_OBJECT_SIGN -- F_SSL_SET_RFD NID_rc5_ofb64 
X509_TRUST_OCSP_REQUEST -- F_SSL_SET_WFD NID_ripemd160 X509_TRUST_OCSP_SIGN -- F_SSL_USE_CERTIFICATE NID_ripemd160WithRSA X509_TRUST_SSL_CLIENT -- F_SSL_USE_CERTIFICATE_ASN1 NID_rle_compression X509_TRUST_SSL_SERVER -- F_SSL_USE_CERTIFICATE_FILE NID_rsa X509_TRUST_TSA -- F_SSL_USE_PRIVATEKEY NID_rsaEncryption X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH -- F_SSL_USE_PRIVATEKEY_ASN1 NID_rsadsi X509_V_ERR_AKID_SKID_MISMATCH -- F_SSL_USE_PRIVATEKEY_FILE NID_safeContentsBag X509_V_ERR_APPLICATION_VERIFICATION -- F_SSL_USE_RSAPRIVATEKEY NID_sdsiCertificate X509_V_ERR_CA_KEY_TOO_SMALL -- F_SSL_USE_RSAPRIVATEKEY_ASN1 NID_secretBag X509_V_ERR_CA_MD_TOO_WEAK -- F_SSL_USE_RSAPRIVATEKEY_FILE NID_serialNumber X509_V_ERR_CERT_CHAIN_TOO_LONG -- F_WRITE_PENDING NID_server_auth X509_V_ERR_CERT_HAS_EXPIRED -- GEN_DIRNAME NID_sha X509_V_ERR_CERT_NOT_YET_VALID -- GEN_DNS NID_sha1 X509_V_ERR_CERT_REJECTED -- GEN_EDIPARTY NID_sha1WithRSA X509_V_ERR_CERT_REVOKED -- GEN_EMAIL NID_sha1WithRSAEncryption X509_V_ERR_CERT_SIGNATURE_FAILURE -- GEN_IPADD NID_shaWithRSAEncryption X509_V_ERR_CERT_UNTRUSTED -- GEN_OTHERNAME NID_stateOrProvinceName X509_V_ERR_CRL_HAS_EXPIRED -- GEN_RID NID_subject_alt_name X509_V_ERR_CRL_NOT_YET_VALID -- GEN_URI NID_subject_key_identifier X509_V_ERR_CRL_PATH_VALIDATION_ERROR -- GEN_X400 NID_surname X509_V_ERR_CRL_SIGNATURE_FAILURE -- LIBRESSL_VERSION_NUMBER NID_sxnet X509_V_ERR_DANE_NO_MATCH -- MBSTRING_ASC NID_time_stamp X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT -- MBSTRING_BMP NID_title X509_V_ERR_DIFFERENT_CRL_SCOPE -- MBSTRING_FLAG NID_undef X509_V_ERR_EE_KEY_TOO_SMALL -- MBSTRING_UNIV NID_uniqueIdentifier X509_V_ERR_EMAIL_MISMATCH -- MBSTRING_UTF8 NID_x509Certificate X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD -- MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_x509Crl X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD -- MODE_ACCEPT_MOVING_WRITE_BUFFER NID_zlib_compression X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD -- MODE_AUTO_RETRY NOTHING X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD -- 
MODE_ENABLE_PARTIAL_WRITE OCSP_RESPONSE_STATUS_INTERNALERROR X509_V_ERR_EXCLUDED_VIOLATION -- MODE_RELEASE_BUFFERS OCSP_RESPONSE_STATUS_MALFORMEDREQUEST X509_V_ERR_HOSTNAME_MISMATCH -- NID_OCSP_sign OCSP_RESPONSE_STATUS_SIGREQUIRED X509_V_ERR_INVALID_CA -- NID_SMIMECapabilities OCSP_RESPONSE_STATUS_SUCCESSFUL X509_V_ERR_INVALID_CALL -- NID_X500 OCSP_RESPONSE_STATUS_TRYLATER X509_V_ERR_INVALID_EXTENSION -- NID_X509 OCSP_RESPONSE_STATUS_UNAUTHORIZED X509_V_ERR_INVALID_NON_CA -- NID_ad_OCSP OPENSSL_BUILT_ON X509_V_ERR_INVALID_POLICY_EXTENSION -- NID_ad_ca_issuers OPENSSL_CFLAGS X509_V_ERR_INVALID_PURPOSE -- NID_algorithm OPENSSL_DIR X509_V_ERR_IP_ADDRESS_MISMATCH -- NID_authority_key_identifier OPENSSL_ENGINES_DIR X509_V_ERR_KEYUSAGE_NO_CERTSIGN -- NID_basic_constraints OPENSSL_PLATFORM X509_V_ERR_KEYUSAGE_NO_CRL_SIGN -- NID_bf_cbc OPENSSL_VERSION X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE -- NID_bf_cfb64 OPENSSL_VERSION_NUMBER X509_V_ERR_NO_EXPLICIT_POLICY -- NID_bf_ecb OP_ALL X509_V_ERR_NO_VALID_SCTS -- NID_bf_ofb64 OP_ALLOW_NO_DHE_KEX X509_V_ERR_OCSP_CERT_UNKNOWN -- NID_cast5_cbc OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION X509_V_ERR_OCSP_VERIFY_FAILED -- NID_cast5_cfb64 OP_CIPHER_SERVER_PREFERENCE X509_V_ERR_OCSP_VERIFY_NEEDED -- NID_cast5_ecb OP_CISCO_ANYCONNECT X509_V_ERR_OUT_OF_MEM -- NID_cast5_ofb64 OP_COOKIE_EXCHANGE X509_V_ERR_PATH_LENGTH_EXCEEDED -- NID_certBag OP_CRYPTOPRO_TLSEXT_BUG X509_V_ERR_PATH_LOOP -- NID_certificate_policies OP_DONT_INSERT_EMPTY_FRAGMENTS X509_V_ERR_PERMITTED_VIOLATION -- NID_client_auth OP_ENABLE_MIDDLEBOX_COMPAT X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED -- NID_code_sign OP_EPHEMERAL_RSA X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED -- NID_commonName OP_LEGACY_SERVER_CONNECT X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION -- NID_countryName OP_MICROSOFT_BIG_SSLV3_BUFFER X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN -- NID_crlBag OP_MICROSOFT_SESS_ID_BUG X509_V_ERR_STORE_LOOKUP -- NID_crl_distribution_points OP_MSIE_SSLV2_RSA_PADDING 
X509_V_ERR_SUBJECT_ISSUER_MISMATCH -- NID_crl_number OP_NETSCAPE_CA_DN_BUG X509_V_ERR_SUBTREE_MINMAX -- NID_crl_reason OP_NETSCAPE_CHALLENGE_BUG X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 -- NID_delta_crl OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_ALGORITHM -- NID_des_cbc OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_CURVE -- NID_des_cfb64 OP_NON_EXPORT_FIRST X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM -- NID_des_ecb OP_NO_ANTI_REPLAY X509_V_ERR_SUITE_B_INVALID_VERSION -- NID_des_ede OP_NO_CLIENT_RENEGOTIATION X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED -- NID_des_ede3 OP_NO_COMPRESSION X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY -- NID_des_ede3_cbc OP_NO_ENCRYPT_THEN_MAC X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE -- NID_des_ede3_cfb64 OP_NO_QUERY_MTU X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE -- NID_des_ede3_ofb64 OP_NO_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL -- NID_des_ede_cbc OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER -- NID_des_ede_cfb64 OP_NO_SSL_MASK X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT -- NID_des_ede_ofb64 OP_NO_SSLv2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY -- NID_des_ofb64 OP_NO_SSLv3 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE -- NID_description OP_NO_TICKET X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION -- NID_desx_cbc OP_NO_TLSv1 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION -- NID_dhKeyAgreement OP_NO_TLSv1_1 X509_V_ERR_UNNESTED_RESOURCE -- NID_dnQualifier OP_NO_TLSv1_2 X509_V_ERR_UNSPECIFIED -- NID_dsa OP_NO_TLSv1_3 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX -- NID_dsaWithSHA OP_PKCS1_CHECK_1 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE -- NID_dsaWithSHA1 OP_PKCS1_CHECK_2 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE -- NID_dsaWithSHA1_2 OP_PRIORITIZE_CHACHA X509_V_ERR_UNSUPPORTED_NAME_SYNTAX -- NID_dsa_2 OP_SAFARI_ECDHE_ECDSA_BUG X509_V_FLAG_ALLOW_PROXY_CERTS -- NID_email_protect OP_SINGLE_DH_USE X509_V_FLAG_CB_ISSUER_CHECK -- NID_ext_key_usage OP_SINGLE_ECDH_USE X509_V_FLAG_CHECK_SS_SIGNATURE 
-- NID_ext_req OP_SSLEAY_080_CLIENT_DH_BUG X509_V_FLAG_CRL_CHECK -- NID_friendlyName OP_SSLREF2_REUSE_CERT_TYPE_BUG X509_V_FLAG_CRL_CHECK_ALL -- NID_givenName OP_TLSEXT_PADDING X509_V_FLAG_EXPLICIT_POLICY -- NID_hmacWithSHA1 OP_TLS_BLOCK_PADDING_BUG X509_V_FLAG_EXTENDED_CRL_SUPPORT -- NID_id_ad OP_TLS_D5_BUG X509_V_FLAG_IGNORE_CRITICAL -- NID_id_ce OP_TLS_ROLLBACK_BUG X509_V_FLAG_INHIBIT_ANY -- NID_id_kp READING X509_V_FLAG_INHIBIT_MAP -- NID_id_pbkdf2 RECEIVED_SHUTDOWN X509_V_FLAG_NOTIFY_POLICY -- NID_id_pe RSA_3 X509_V_FLAG_NO_ALT_CHAINS -- NID_id_pkix RSA_F4 X509_V_FLAG_NO_CHECK_TIME -- NID_id_qt_cps R_BAD_AUTHENTICATION_TYPE X509_V_FLAG_PARTIAL_CHAIN -- NID_id_qt_unotice R_BAD_CHECKSUM X509_V_FLAG_POLICY_CHECK -- NID_idea_cbc R_BAD_MAC_DECODE X509_V_FLAG_POLICY_MASK -- NID_idea_cfb64 R_BAD_RESPONSE_ARGUMENT X509_V_FLAG_SUITEB_128_LOS -- NID_idea_ecb R_BAD_SSL_FILETYPE X509_V_FLAG_SUITEB_128_LOS_ONLY -- NID_idea_ofb64 R_BAD_SSL_SESSION_ID_LENGTH X509_V_FLAG_SUITEB_192_LOS -- NID_info_access R_BAD_STATE X509_V_FLAG_TRUSTED_FIRST -- NID_initials R_BAD_WRITE_RETRY X509_V_FLAG_USE_CHECK_TIME -- NID_invalidity_date R_CHALLENGE_IS_DIFFERENT X509_V_FLAG_USE_DELTAS -- NID_issuer_alt_name R_CIPHER_TABLE_SRC_ERROR X509_V_FLAG_X509_STRICT -- NID_keyBag R_INVALID_CHALLENGE_LENGTH X509_V_OK -- NID_key_usage R_NO_CERTIFICATE_SET XN_FLAG_COMPAT -- NID_localKeyID R_NO_CERTIFICATE_SPECIFIED XN_FLAG_DN_REV -- NID_localityName R_NO_CIPHER_LIST XN_FLAG_DUMP_UNKNOWN_FIELDS -- NID_md2 R_NO_CIPHER_MATCH XN_FLAG_FN_ALIGN -- NID_md2WithRSAEncryption R_NO_PRIVATEKEY XN_FLAG_FN_LN -- NID_md5 R_NO_PUBLICKEY XN_FLAG_FN_MASK -- NID_md5WithRSA R_NULL_SSL_CTX XN_FLAG_FN_NONE -- NID_md5WithRSAEncryption R_PEER_DID_NOT_RETURN_A_CERTIFICATE XN_FLAG_FN_OID -- NID_md5_sha1 R_PEER_ERROR XN_FLAG_FN_SN -- NID_mdc2 R_PEER_ERROR_CERTIFICATE XN_FLAG_MULTILINE -- NID_mdc2WithRSA R_PEER_ERROR_NO_CIPHER XN_FLAG_ONELINE -- NID_ms_code_com R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253 -- 
NID_ms_code_ind R_PUBLIC_KEY_ENCRYPT_ERROR XN_FLAG_SEP_COMMA_PLUS -- NID_ms_ctl_sign R_PUBLIC_KEY_IS_NOT_RSA XN_FLAG_SEP_CPLUS_SPC -- NID_ms_efs R_READ_WRONG_PACKET_TYPE XN_FLAG_SEP_MASK -- NID_ms_ext_req R_SHORT_READ XN_FLAG_SEP_MULTILINE -- NID_ms_sgc R_SSL_SESSION_ID_IS_DIFFERENT XN_FLAG_SEP_SPLUS_SPC -- NID_name R_UNABLE_TO_EXTRACT_PUBLIC_KEY XN_FLAG_SPC_EQ -+ ASN1_STRFLGS_ESC_CTRL NID_netscape_base_url R_X509_LIB -+ ASN1_STRFLGS_ESC_MSB NID_netscape_ca_policy_url SENT_SHUTDOWN -+ ASN1_STRFLGS_ESC_QUOTE NID_netscape_ca_revocation_url SESSION_ASN1_VERSION -+ ASN1_STRFLGS_RFC2253 NID_netscape_cert_extension SESS_CACHE_BOTH -+ CB_ACCEPT_EXIT NID_netscape_cert_sequence SESS_CACHE_CLIENT -+ CB_ACCEPT_LOOP NID_netscape_cert_type SESS_CACHE_NO_AUTO_CLEAR -+ CB_ALERT NID_netscape_comment SESS_CACHE_NO_INTERNAL -+ CB_CONNECT_EXIT NID_netscape_data_type SESS_CACHE_NO_INTERNAL_LOOKUP -+ CB_CONNECT_LOOP NID_netscape_renewal_url SESS_CACHE_NO_INTERNAL_STORE -+ CB_EXIT NID_netscape_revocation_url SESS_CACHE_OFF -+ CB_HANDSHAKE_DONE NID_netscape_ssl_server_name SESS_CACHE_SERVER -+ CB_HANDSHAKE_START NID_ns_sgc SSL3_VERSION -+ CB_LOOP NID_organizationName SSLEAY_BUILT_ON -+ CB_READ NID_organizationalUnitName SSLEAY_CFLAGS -+ CB_READ_ALERT NID_pbeWithMD2AndDES_CBC SSLEAY_DIR -+ CB_WRITE NID_pbeWithMD2AndRC2_CBC SSLEAY_PLATFORM -+ CB_WRITE_ALERT NID_pbeWithMD5AndCast5_CBC SSLEAY_VERSION -+ ERROR_NONE NID_pbeWithMD5AndDES_CBC ST_ACCEPT -+ ERROR_SSL NID_pbeWithMD5AndRC2_CBC ST_BEFORE -+ ERROR_SYSCALL NID_pbeWithSHA1AndDES_CBC ST_CONNECT -+ ERROR_WANT_ACCEPT NID_pbeWithSHA1AndRC2_CBC ST_INIT -+ ERROR_WANT_CONNECT NID_pbe_WithSHA1And128BitRC2_CBC ST_OK -+ ERROR_WANT_READ NID_pbe_WithSHA1And128BitRC4 ST_READ_BODY -+ ERROR_WANT_WRITE NID_pbe_WithSHA1And2_Key_TripleDES_CBC ST_READ_HEADER -+ ERROR_WANT_X509_LOOKUP NID_pbe_WithSHA1And3_Key_TripleDES_CBC TLS1_1_VERSION -+ ERROR_ZERO_RETURN NID_pbe_WithSHA1And40BitRC2_CBC TLS1_2_VERSION -+ EVP_PKS_DSA NID_pbe_WithSHA1And40BitRC4 
TLS1_3_VERSION -+ EVP_PKS_EC NID_pbes2 TLS1_VERSION -+ EVP_PKS_RSA NID_pbmac1 TLSEXT_STATUSTYPE_ocsp -+ EVP_PKT_ENC NID_pkcs VERIFY_CLIENT_ONCE -+ EVP_PKT_EXCH NID_pkcs3 VERIFY_FAIL_IF_NO_PEER_CERT -+ EVP_PKT_EXP NID_pkcs7 VERIFY_NONE -+ EVP_PKT_SIGN NID_pkcs7_data VERIFY_PEER -+ EVP_PK_DH NID_pkcs7_digest VERIFY_POST_HANDSHAKE -+ EVP_PK_DSA NID_pkcs7_encrypted V_OCSP_CERTSTATUS_GOOD -+ EVP_PK_EC NID_pkcs7_enveloped V_OCSP_CERTSTATUS_REVOKED -+ EVP_PK_RSA NID_pkcs7_signed V_OCSP_CERTSTATUS_UNKNOWN -+ FILETYPE_ASN1 NID_pkcs7_signedAndEnveloped WRITING -+ FILETYPE_PEM NID_pkcs8ShroudedKeyBag X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT -+ F_CLIENT_CERTIFICATE NID_pkcs9 X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS -+ F_CLIENT_HELLO NID_pkcs9_challengePassword X509_CHECK_FLAG_NEVER_CHECK_SUBJECT -+ F_CLIENT_MASTER_KEY NID_pkcs9_contentType X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS -+ F_D2I_SSL_SESSION NID_pkcs9_countersignature X509_CHECK_FLAG_NO_WILDCARDS -+ F_GET_CLIENT_FINISHED NID_pkcs9_emailAddress X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS -+ F_GET_CLIENT_HELLO NID_pkcs9_extCertAttributes X509_FILETYPE_ASN1 -+ F_GET_CLIENT_MASTER_KEY NID_pkcs9_messageDigest X509_FILETYPE_DEFAULT -+ F_GET_SERVER_FINISHED NID_pkcs9_signingTime X509_FILETYPE_PEM -+ F_GET_SERVER_HELLO NID_pkcs9_unstructuredAddress X509_LOOKUP -+ F_GET_SERVER_VERIFY NID_pkcs9_unstructuredName X509_PURPOSE_ANY -+ F_I2D_SSL_SESSION NID_private_key_usage_period X509_PURPOSE_CRL_SIGN -+ F_READ_N NID_rc2_40_cbc X509_PURPOSE_NS_SSL_SERVER -+ F_REQUEST_CERTIFICATE NID_rc2_64_cbc X509_PURPOSE_OCSP_HELPER -+ F_SERVER_HELLO NID_rc2_cbc X509_PURPOSE_SMIME_ENCRYPT -+ F_SSL_CERT_NEW NID_rc2_cfb64 X509_PURPOSE_SMIME_SIGN -+ F_SSL_GET_NEW_SESSION NID_rc2_ecb X509_PURPOSE_SSL_CLIENT -+ F_SSL_NEW NID_rc2_ofb64 X509_PURPOSE_SSL_SERVER -+ F_SSL_READ NID_rc4 X509_PURPOSE_TIMESTAMP_SIGN -+ F_SSL_RSA_PRIVATE_DECRYPT NID_rc4_40 X509_TRUST_COMPAT -+ F_SSL_RSA_PUBLIC_ENCRYPT NID_rc5_cbc X509_TRUST_EMAIL -+ F_SSL_SESSION_NEW NID_rc5_cfb64 
X509_TRUST_OBJECT_SIGN -+ F_SSL_SESSION_PRINT_FP NID_rc5_ecb X509_TRUST_OCSP_REQUEST -+ F_SSL_SET_FD NID_rc5_ofb64 X509_TRUST_OCSP_SIGN -+ F_SSL_SET_RFD NID_ripemd160 X509_TRUST_SSL_CLIENT -+ F_SSL_SET_WFD NID_ripemd160WithRSA X509_TRUST_SSL_SERVER -+ F_SSL_USE_CERTIFICATE NID_rle_compression X509_TRUST_TSA -+ F_SSL_USE_CERTIFICATE_ASN1 NID_rsa X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH -+ F_SSL_USE_CERTIFICATE_FILE NID_rsaEncryption X509_V_ERR_AKID_SKID_MISMATCH -+ F_SSL_USE_PRIVATEKEY NID_rsadsi X509_V_ERR_APPLICATION_VERIFICATION -+ F_SSL_USE_PRIVATEKEY_ASN1 NID_safeContentsBag X509_V_ERR_CA_KEY_TOO_SMALL -+ F_SSL_USE_PRIVATEKEY_FILE NID_sdsiCertificate X509_V_ERR_CA_MD_TOO_WEAK -+ F_SSL_USE_RSAPRIVATEKEY NID_secretBag X509_V_ERR_CERT_CHAIN_TOO_LONG -+ F_SSL_USE_RSAPRIVATEKEY_ASN1 NID_serialNumber X509_V_ERR_CERT_HAS_EXPIRED -+ F_SSL_USE_RSAPRIVATEKEY_FILE NID_server_auth X509_V_ERR_CERT_NOT_YET_VALID -+ F_WRITE_PENDING NID_sha X509_V_ERR_CERT_REJECTED -+ GEN_DIRNAME NID_sha1 X509_V_ERR_CERT_REVOKED -+ GEN_DNS NID_sha1WithRSA X509_V_ERR_CERT_SIGNATURE_FAILURE -+ GEN_EDIPARTY NID_sha1WithRSAEncryption X509_V_ERR_CERT_UNTRUSTED -+ GEN_EMAIL NID_shaWithRSAEncryption X509_V_ERR_CRL_HAS_EXPIRED -+ GEN_IPADD NID_stateOrProvinceName X509_V_ERR_CRL_NOT_YET_VALID -+ GEN_OTHERNAME NID_subject_alt_name X509_V_ERR_CRL_PATH_VALIDATION_ERROR -+ GEN_RID NID_subject_key_identifier X509_V_ERR_CRL_SIGNATURE_FAILURE -+ GEN_URI NID_surname X509_V_ERR_DANE_NO_MATCH -+ GEN_X400 NID_sxnet X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT -+ LIBRESSL_VERSION_NUMBER NID_time_stamp X509_V_ERR_DIFFERENT_CRL_SCOPE -+ MBSTRING_ASC NID_title X509_V_ERR_EE_KEY_TOO_SMALL -+ MBSTRING_BMP NID_undef X509_V_ERR_EMAIL_MISMATCH -+ MBSTRING_FLAG NID_uniqueIdentifier X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD -+ MBSTRING_UNIV NID_x509Certificate X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD -+ MBSTRING_UTF8 NID_x509Crl X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD -+ MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_zlib_compression 
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD -+ MODE_ACCEPT_MOVING_WRITE_BUFFER NOTHING X509_V_ERR_EXCLUDED_VIOLATION -+ MODE_AUTO_RETRY OCSP_RESPONSE_STATUS_INTERNALERROR X509_V_ERR_HOSTNAME_MISMATCH -+ MODE_ENABLE_PARTIAL_WRITE OCSP_RESPONSE_STATUS_MALFORMEDREQUEST X509_V_ERR_INVALID_CA -+ MODE_RELEASE_BUFFERS OCSP_RESPONSE_STATUS_SIGREQUIRED X509_V_ERR_INVALID_CALL -+ NID_OCSP_sign OCSP_RESPONSE_STATUS_SUCCESSFUL X509_V_ERR_INVALID_EXTENSION -+ NID_SMIMECapabilities OCSP_RESPONSE_STATUS_TRYLATER X509_V_ERR_INVALID_NON_CA -+ NID_X500 OCSP_RESPONSE_STATUS_UNAUTHORIZED X509_V_ERR_INVALID_POLICY_EXTENSION -+ NID_X509 OPENSSL_BUILT_ON X509_V_ERR_INVALID_PURPOSE -+ NID_ad_OCSP OPENSSL_CFLAGS X509_V_ERR_IP_ADDRESS_MISMATCH -+ NID_ad_ca_issuers OPENSSL_DIR X509_V_ERR_KEYUSAGE_NO_CERTSIGN -+ NID_algorithm OPENSSL_ENGINES_DIR X509_V_ERR_KEYUSAGE_NO_CRL_SIGN -+ NID_authority_key_identifier OPENSSL_PLATFORM X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE -+ NID_basic_constraints OPENSSL_VERSION X509_V_ERR_NO_EXPLICIT_POLICY -+ NID_bf_cbc OPENSSL_VERSION_NUMBER X509_V_ERR_NO_VALID_SCTS -+ NID_bf_cfb64 OP_ALL X509_V_ERR_OCSP_CERT_UNKNOWN -+ NID_bf_ecb OP_ALLOW_NO_DHE_KEX X509_V_ERR_OCSP_VERIFY_FAILED -+ NID_bf_ofb64 OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION X509_V_ERR_OCSP_VERIFY_NEEDED -+ NID_cast5_cbc OP_CIPHER_SERVER_PREFERENCE X509_V_ERR_OUT_OF_MEM -+ NID_cast5_cfb64 OP_CISCO_ANYCONNECT X509_V_ERR_PATH_LENGTH_EXCEEDED -+ NID_cast5_ecb OP_COOKIE_EXCHANGE X509_V_ERR_PATH_LOOP -+ NID_cast5_ofb64 OP_CRYPTOPRO_TLSEXT_BUG X509_V_ERR_PERMITTED_VIOLATION -+ NID_certBag OP_DONT_INSERT_EMPTY_FRAGMENTS X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED -+ NID_certificate_policies OP_ENABLE_MIDDLEBOX_COMPAT X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED -+ NID_client_auth OP_EPHEMERAL_RSA X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION -+ NID_code_sign OP_LEGACY_SERVER_CONNECT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN -+ NID_commonName OP_MICROSOFT_BIG_SSLV3_BUFFER X509_V_ERR_STORE_LOOKUP -+ NID_countryName 
OP_MICROSOFT_SESS_ID_BUG X509_V_ERR_SUBJECT_ISSUER_MISMATCH -+ NID_crlBag OP_MSIE_SSLV2_RSA_PADDING X509_V_ERR_SUBTREE_MINMAX -+ NID_crl_distribution_points OP_NETSCAPE_CA_DN_BUG X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 -+ NID_crl_number OP_NETSCAPE_CHALLENGE_BUG X509_V_ERR_SUITE_B_INVALID_ALGORITHM -+ NID_crl_reason OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_CURVE -+ NID_delta_crl OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM -+ NID_des_cbc OP_NON_EXPORT_FIRST X509_V_ERR_SUITE_B_INVALID_VERSION -+ NID_des_cfb64 OP_NO_ANTI_REPLAY X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED -+ NID_des_ecb OP_NO_CLIENT_RENEGOTIATION X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY -+ NID_des_ede OP_NO_COMPRESSION X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE -+ NID_des_ede3 OP_NO_ENCRYPT_THEN_MAC X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE -+ NID_des_ede3_cbc OP_NO_QUERY_MTU X509_V_ERR_UNABLE_TO_GET_CRL -+ NID_des_ede3_cfb64 OP_NO_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER -+ NID_des_ede3_ofb64 OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT -+ NID_des_ede_cbc OP_NO_SSL_MASK X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY -+ NID_des_ede_cfb64 OP_NO_SSLv2 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE -+ NID_des_ede_ofb64 OP_NO_SSLv3 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION -+ NID_des_ofb64 OP_NO_TICKET X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION -+ NID_description OP_NO_TLSv1 X509_V_ERR_UNNESTED_RESOURCE -+ NID_desx_cbc OP_NO_TLSv1_1 X509_V_ERR_UNSPECIFIED -+ NID_dhKeyAgreement OP_NO_TLSv1_2 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX -+ NID_dnQualifier OP_NO_TLSv1_3 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE -+ NID_dsa OP_PKCS1_CHECK_1 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE -+ NID_dsaWithSHA OP_PKCS1_CHECK_2 X509_V_ERR_UNSUPPORTED_NAME_SYNTAX -+ NID_dsaWithSHA1 OP_PRIORITIZE_CHACHA X509_V_FLAG_ALLOW_PROXY_CERTS -+ NID_dsaWithSHA1_2 OP_SAFARI_ECDHE_ECDSA_BUG X509_V_FLAG_CB_ISSUER_CHECK -+ NID_dsa_2 
OP_SINGLE_DH_USE X509_V_FLAG_CHECK_SS_SIGNATURE -+ NID_email_protect OP_SINGLE_ECDH_USE X509_V_FLAG_CRL_CHECK -+ NID_ext_key_usage OP_SSLEAY_080_CLIENT_DH_BUG X509_V_FLAG_CRL_CHECK_ALL -+ NID_ext_req OP_SSLREF2_REUSE_CERT_TYPE_BUG X509_V_FLAG_EXPLICIT_POLICY -+ NID_friendlyName OP_TLSEXT_PADDING X509_V_FLAG_EXTENDED_CRL_SUPPORT -+ NID_givenName OP_TLS_BLOCK_PADDING_BUG X509_V_FLAG_IGNORE_CRITICAL -+ NID_hmacWithSHA1 OP_TLS_D5_BUG X509_V_FLAG_INHIBIT_ANY -+ NID_id_ad OP_TLS_ROLLBACK_BUG X509_V_FLAG_INHIBIT_MAP -+ NID_id_ce READING X509_V_FLAG_LEGACY_VERIFY -+ NID_id_kp RECEIVED_SHUTDOWN X509_V_FLAG_NOTIFY_POLICY -+ NID_id_pbkdf2 RSA_3 X509_V_FLAG_NO_ALT_CHAINS -+ NID_id_pe RSA_F4 X509_V_FLAG_NO_CHECK_TIME -+ NID_id_pkix R_BAD_AUTHENTICATION_TYPE X509_V_FLAG_PARTIAL_CHAIN -+ NID_id_qt_cps R_BAD_CHECKSUM X509_V_FLAG_POLICY_CHECK -+ NID_id_qt_unotice R_BAD_MAC_DECODE X509_V_FLAG_POLICY_MASK -+ NID_idea_cbc R_BAD_RESPONSE_ARGUMENT X509_V_FLAG_SUITEB_128_LOS -+ NID_idea_cfb64 R_BAD_SSL_FILETYPE X509_V_FLAG_SUITEB_128_LOS_ONLY -+ NID_idea_ecb R_BAD_SSL_SESSION_ID_LENGTH X509_V_FLAG_SUITEB_192_LOS -+ NID_idea_ofb64 R_BAD_STATE X509_V_FLAG_TRUSTED_FIRST -+ NID_info_access R_BAD_WRITE_RETRY X509_V_FLAG_USE_CHECK_TIME -+ NID_initials R_CHALLENGE_IS_DIFFERENT X509_V_FLAG_USE_DELTAS -+ NID_invalidity_date R_CIPHER_TABLE_SRC_ERROR X509_V_FLAG_X509_STRICT -+ NID_issuer_alt_name R_INVALID_CHALLENGE_LENGTH X509_V_OK -+ NID_keyBag R_NO_CERTIFICATE_SET XN_FLAG_COMPAT -+ NID_key_usage R_NO_CERTIFICATE_SPECIFIED XN_FLAG_DN_REV -+ NID_localKeyID R_NO_CIPHER_LIST XN_FLAG_DUMP_UNKNOWN_FIELDS -+ NID_localityName R_NO_CIPHER_MATCH XN_FLAG_FN_ALIGN -+ NID_md2 R_NO_PRIVATEKEY XN_FLAG_FN_LN -+ NID_md2WithRSAEncryption R_NO_PUBLICKEY XN_FLAG_FN_MASK -+ NID_md5 R_NULL_SSL_CTX XN_FLAG_FN_NONE -+ NID_md5WithRSA R_PEER_DID_NOT_RETURN_A_CERTIFICATE XN_FLAG_FN_OID -+ NID_md5WithRSAEncryption R_PEER_ERROR XN_FLAG_FN_SN -+ NID_md5_sha1 R_PEER_ERROR_CERTIFICATE XN_FLAG_MULTILINE -+ NID_mdc2 
R_PEER_ERROR_NO_CIPHER XN_FLAG_ONELINE -+ NID_mdc2WithRSA R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253 -+ NID_ms_code_com R_PUBLIC_KEY_ENCRYPT_ERROR XN_FLAG_SEP_COMMA_PLUS -+ NID_ms_code_ind R_PUBLIC_KEY_IS_NOT_RSA XN_FLAG_SEP_CPLUS_SPC -+ NID_ms_ctl_sign R_READ_WRONG_PACKET_TYPE XN_FLAG_SEP_MASK -+ NID_ms_efs R_SHORT_READ XN_FLAG_SEP_MULTILINE -+ NID_ms_ext_req R_SSL_SESSION_ID_IS_DIFFERENT XN_FLAG_SEP_SPLUS_SPC -+ NID_ms_sgc R_UNABLE_TO_EXTRACT_PUBLIC_KEY XN_FLAG_SPC_EQ -+ NID_name R_UNKNOWN_REMOTE_ERROR_TYPE -+ NID_netscape R_UNKNOWN_STATE - - =head2 INTERNAL ONLY functions (do not use these) - -diff --git a/t/local/04_basic.t b/t/local/04_basic.t -index d669782..92fe63e 100644 ---- a/t/local/04_basic.t -+++ b/t/local/04_basic.t -@@ -3,24 +3,19 @@ - use lib 'inc'; - - use Net::SSLeay; --use Test::Net::SSLeay; -+use Test::Net::SSLeay qw(lives_ok); - - plan tests => 16; - --eval "use Test::Exception;"; --SKIP: { -- skip 'Test::Exception required for some tests', 8 if $@; -- lives_ok( sub { Net::SSLeay::randomize() }, 'seed pseudorandom number generator' ); -- lives_ok( sub { Net::SSLeay::ERR_load_crypto_strings() }, 'load libcrypto error strings' ); -- lives_ok( sub { Net::SSLeay::load_error_strings() }, 'load libssl error strings' ); -- lives_ok( sub { Net::SSLeay::library_init() }, 'register default TLS ciphers and digest functions' ); -- lives_ok( sub { Net::SSLeay::OpenSSL_add_all_digests() }, 'register all digest functions' ); -- #version numbers: 0x00903100 ~ 0.9.3, 0x0090600f ~ 0.6.9 -- ok( Net::SSLeay::SSLeay() >= 0x00903100, 'SSLeay (version min 0.9.3)' ); -- isnt( Net::SSLeay::SSLeay_version(), '', 'SSLeay (version string)' ); -- is( Net::SSLeay::SSLeay_version(), Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()), 'SSLeay_version optional argument' ); --} -- -+lives_ok( sub { Net::SSLeay::randomize() }, 'seed pseudorandom number generator' ); -+lives_ok( sub { Net::SSLeay::ERR_load_crypto_strings() }, 'load libcrypto error strings' 
); -+lives_ok( sub { Net::SSLeay::load_error_strings() }, 'load libssl error strings' ); -+lives_ok( sub { Net::SSLeay::library_init() }, 'register default TLS ciphers and digest functions' ); -+lives_ok( sub { Net::SSLeay::OpenSSL_add_all_digests() }, 'register all digest functions' ); -+#version numbers: 0x00903100 ~ 0.9.3, 0x0090600f ~ 0.6.9 -+ok( Net::SSLeay::SSLeay() >= 0x00903100, 'SSLeay (version min 0.9.3)' ); -+isnt( Net::SSLeay::SSLeay_version(), '', 'SSLeay (version string)' ); -+is( Net::SSLeay::SSLeay_version(), Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()), 'SSLeay_version optional argument' ); - is(Net::SSLeay::hello(), 1, 'hello world'); - - if (exists &Net::SSLeay::OpenSSL_version) -diff --git a/t/local/06_tcpecho.t b/t/local/06_tcpecho.t -index bc5c90e..e92c0eb 100644 ---- a/t/local/06_tcpecho.t -+++ b/t/local/06_tcpecho.t -@@ -30,7 +30,7 @@ my $pid; - ok(Net::SSLeay::tcp_write_all(uc($got)), 'tcp_write_all'); - - close Net::SSLeay::SSLCAT_S; -- $server->close(); -+ $server->close() || die("server listen socket close: $!"); - - exit; - } -@@ -42,6 +42,8 @@ my @results; - push @results, [ $got eq uc($msg), 'sent and received correctly' ]; - } - -+$server->close() || die("client listen socket close: $!"); -+ - waitpid $pid, 0; - push @results, [ $? 
== 0, 'server exited with 0' ]; - -diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t -index b0298e2..a430bfc 100644 ---- a/t/local/07_sslecho.t -+++ b/t/local/07_sslecho.t -@@ -94,11 +94,11 @@ $ENV{RND_SEED} = '1234567890123456789012345678901234567890'; - } - - Net::SSLeay::free($ssl); -- close $ns; -+ close($ns) || die("server close: $!"); - } - - Net::SSLeay::CTX_free($ctx); -- $server->close(); -+ $server->close() || die("server listen socket close: $!"); - - exit; - } -@@ -133,7 +133,7 @@ my @results; - Net::SSLeay::CTX_free($ctx); - - shutdown($s, 2); -- close $s; -+ close($s) || die("client close: $!"); - - } - -@@ -199,9 +199,9 @@ my @results; - push @results, [Net::SSLeay::shutdown($ssl3) >= 0, 'client side ssl3 shutdown' ]; - shutdown $s3, 2; - -- close $s1; -- close $s2; -- close $s3; -+ close($s1) || die("client close s1: $!"); -+ close($s2) || die("client close s2: $!"); -+ close($s3) || die("client close s3: $!"); - - Net::SSLeay::free($ssl1); - Net::SSLeay::free($ssl2); -@@ -314,9 +314,11 @@ my @results; - Net::SSLeay::free($ssl); - Net::SSLeay::CTX_free($ctx); - -- close $s; -+ close($s) || die("client close: $!"); - } - -+$server->close() || die("client listen socket close: $!"); -+ - waitpid $pid, 0; - push @results, [ $? 
== 0, 'server exited with 0' ]; - -diff --git a/t/local/11_read.t b/t/local/11_read.t -index 876dc23..bab0ec0 100644 ---- a/t/local/11_read.t -+++ b/t/local/11_read.t -@@ -59,8 +59,11 @@ sub server - - my $msg = Net::SSLeay::read($ssl); - Net::SSLeay::write($ssl, $msg); -+ Net::SSLeay::shutdown($ssl); -+ Net::SSLeay::free($ssl); -+ close($cl) || die("client close: $!"); - } -- $server->close(); -+ $server->close() || die("server listen socket close: $!"); - exit(0); - } - } -@@ -90,7 +93,9 @@ sub client - - Net::SSLeay::shutdown($ssl); - Net::SSLeay::free($ssl); -+ close($cl) || die("client close: $!"); - } -+ $server->close() || die("client listen socket close: $!"); - return; - } - -diff --git a/t/local/21_constants.t b/t/local/21_constants.t -index df12312..31b92ae 100644 ---- a/t/local/21_constants.t -+++ b/t/local/21_constants.t -@@ -4,209 +4,211 @@ - use lib 'inc'; - - use Net::SSLeay; --use Test::Net::SSLeay; -+use Test::Net::SSLeay qw(dies_like); - --eval "use Test::Exception;"; --if ($@) { -- plan skip_all => 'Some tests need Test::Exception'; --} else { -- plan tests => 553; --} -+# We rely on symbolic references to run the dies_like() tests: -+no strict 'refs'; -+ -+plan tests => 554; - - my @c = (qw/ -- ASN1_STRFLGS_ESC_CTRL NID_netscape R_UNKNOWN_REMOTE_ERROR_TYPE -- ASN1_STRFLGS_ESC_MSB NID_netscape_base_url R_UNKNOWN_STATE -- ASN1_STRFLGS_ESC_QUOTE NID_netscape_ca_policy_url R_X509_LIB -- ASN1_STRFLGS_RFC2253 NID_netscape_ca_revocation_url SENT_SHUTDOWN -- CB_ACCEPT_EXIT NID_netscape_cert_extension SESSION_ASN1_VERSION -- CB_ACCEPT_LOOP NID_netscape_cert_sequence SESS_CACHE_BOTH -- CB_ALERT NID_netscape_cert_type SESS_CACHE_CLIENT -- CB_CONNECT_EXIT NID_netscape_comment SESS_CACHE_NO_AUTO_CLEAR -- CB_CONNECT_LOOP NID_netscape_data_type SESS_CACHE_NO_INTERNAL -- CB_EXIT NID_netscape_renewal_url SESS_CACHE_NO_INTERNAL_LOOKUP -- CB_HANDSHAKE_DONE NID_netscape_revocation_url SESS_CACHE_NO_INTERNAL_STORE -- CB_HANDSHAKE_START NID_netscape_ssl_server_name 
SESS_CACHE_OFF -- CB_LOOP NID_ns_sgc SESS_CACHE_SERVER -- CB_READ NID_organizationName SSL3_VERSION -- CB_READ_ALERT NID_organizationalUnitName SSLEAY_BUILT_ON -- CB_WRITE NID_pbeWithMD2AndDES_CBC SSLEAY_CFLAGS -- CB_WRITE_ALERT NID_pbeWithMD2AndRC2_CBC SSLEAY_DIR -- ERROR_NONE NID_pbeWithMD5AndCast5_CBC SSLEAY_PLATFORM -- ERROR_SSL NID_pbeWithMD5AndDES_CBC SSLEAY_VERSION -- ERROR_SYSCALL NID_pbeWithMD5AndRC2_CBC ST_ACCEPT -- ERROR_WANT_ACCEPT NID_pbeWithSHA1AndDES_CBC ST_BEFORE -- ERROR_WANT_CONNECT NID_pbeWithSHA1AndRC2_CBC ST_CONNECT -- ERROR_WANT_READ NID_pbe_WithSHA1And128BitRC2_CBC ST_INIT -- ERROR_WANT_WRITE NID_pbe_WithSHA1And128BitRC4 ST_OK -- ERROR_WANT_X509_LOOKUP NID_pbe_WithSHA1And2_Key_TripleDES_CBC ST_READ_BODY -- ERROR_ZERO_RETURN NID_pbe_WithSHA1And3_Key_TripleDES_CBC ST_READ_HEADER -- EVP_PKS_DSA NID_pbe_WithSHA1And40BitRC2_CBC TLS1_1_VERSION -- EVP_PKS_EC NID_pbe_WithSHA1And40BitRC4 TLS1_2_VERSION -- EVP_PKS_RSA NID_pbes2 TLS1_3_VERSION -- EVP_PKT_ENC NID_pbmac1 TLS1_VERSION -- EVP_PKT_EXCH NID_pkcs TLSEXT_STATUSTYPE_ocsp -- EVP_PKT_EXP NID_pkcs3 VERIFY_CLIENT_ONCE -- EVP_PKT_SIGN NID_pkcs7 VERIFY_FAIL_IF_NO_PEER_CERT -- EVP_PK_DH NID_pkcs7_data VERIFY_NONE -- EVP_PK_DSA NID_pkcs7_digest VERIFY_PEER -- EVP_PK_EC NID_pkcs7_encrypted VERIFY_POST_HANDSHAKE -- EVP_PK_RSA NID_pkcs7_enveloped V_OCSP_CERTSTATUS_GOOD -- FILETYPE_ASN1 NID_pkcs7_signed V_OCSP_CERTSTATUS_REVOKED -- FILETYPE_PEM NID_pkcs7_signedAndEnveloped V_OCSP_CERTSTATUS_UNKNOWN -- F_CLIENT_CERTIFICATE NID_pkcs8ShroudedKeyBag WRITING -- F_CLIENT_HELLO NID_pkcs9 X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT -- F_CLIENT_MASTER_KEY NID_pkcs9_challengePassword X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS -- F_D2I_SSL_SESSION NID_pkcs9_contentType X509_CHECK_FLAG_NEVER_CHECK_SUBJECT -- F_GET_CLIENT_FINISHED NID_pkcs9_countersignature X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS -- F_GET_CLIENT_HELLO NID_pkcs9_emailAddress X509_CHECK_FLAG_NO_WILDCARDS -- F_GET_CLIENT_MASTER_KEY NID_pkcs9_extCertAttributes 
X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS -- F_GET_SERVER_FINISHED NID_pkcs9_messageDigest X509_FILETYPE_ASN1 -- F_GET_SERVER_HELLO NID_pkcs9_signingTime X509_FILETYPE_DEFAULT -- F_GET_SERVER_VERIFY NID_pkcs9_unstructuredAddress X509_FILETYPE_PEM -- F_I2D_SSL_SESSION NID_pkcs9_unstructuredName X509_LOOKUP -- F_READ_N NID_private_key_usage_period X509_PURPOSE_ANY -- F_REQUEST_CERTIFICATE NID_rc2_40_cbc X509_PURPOSE_CRL_SIGN -- F_SERVER_HELLO NID_rc2_64_cbc X509_PURPOSE_NS_SSL_SERVER -- F_SSL_CERT_NEW NID_rc2_cbc X509_PURPOSE_OCSP_HELPER -- F_SSL_GET_NEW_SESSION NID_rc2_cfb64 X509_PURPOSE_SMIME_ENCRYPT -- F_SSL_NEW NID_rc2_ecb X509_PURPOSE_SMIME_SIGN -- F_SSL_READ NID_rc2_ofb64 X509_PURPOSE_SSL_CLIENT -- F_SSL_RSA_PRIVATE_DECRYPT NID_rc4 X509_PURPOSE_SSL_SERVER -- F_SSL_RSA_PUBLIC_ENCRYPT NID_rc4_40 X509_PURPOSE_TIMESTAMP_SIGN -- F_SSL_SESSION_NEW NID_rc5_cbc X509_TRUST_COMPAT -- F_SSL_SESSION_PRINT_FP NID_rc5_cfb64 X509_TRUST_EMAIL -- F_SSL_SET_FD NID_rc5_ecb X509_TRUST_OBJECT_SIGN -- F_SSL_SET_RFD NID_rc5_ofb64 X509_TRUST_OCSP_REQUEST -- F_SSL_SET_WFD NID_ripemd160 X509_TRUST_OCSP_SIGN -- F_SSL_USE_CERTIFICATE NID_ripemd160WithRSA X509_TRUST_SSL_CLIENT -- F_SSL_USE_CERTIFICATE_ASN1 NID_rle_compression X509_TRUST_SSL_SERVER -- F_SSL_USE_CERTIFICATE_FILE NID_rsa X509_TRUST_TSA -- F_SSL_USE_PRIVATEKEY NID_rsaEncryption X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH -- F_SSL_USE_PRIVATEKEY_ASN1 NID_rsadsi X509_V_ERR_AKID_SKID_MISMATCH -- F_SSL_USE_PRIVATEKEY_FILE NID_safeContentsBag X509_V_ERR_APPLICATION_VERIFICATION -- F_SSL_USE_RSAPRIVATEKEY NID_sdsiCertificate X509_V_ERR_CA_KEY_TOO_SMALL -- F_SSL_USE_RSAPRIVATEKEY_ASN1 NID_secretBag X509_V_ERR_CA_MD_TOO_WEAK -- F_SSL_USE_RSAPRIVATEKEY_FILE NID_serialNumber X509_V_ERR_CERT_CHAIN_TOO_LONG -- F_WRITE_PENDING NID_server_auth X509_V_ERR_CERT_HAS_EXPIRED -- GEN_DIRNAME NID_sha X509_V_ERR_CERT_NOT_YET_VALID -- GEN_DNS NID_sha1 X509_V_ERR_CERT_REJECTED -- GEN_EDIPARTY NID_sha1WithRSA X509_V_ERR_CERT_REVOKED -- GEN_EMAIL 
NID_sha1WithRSAEncryption X509_V_ERR_CERT_SIGNATURE_FAILURE -- GEN_IPADD NID_shaWithRSAEncryption X509_V_ERR_CERT_UNTRUSTED -- GEN_OTHERNAME NID_stateOrProvinceName X509_V_ERR_CRL_HAS_EXPIRED -- GEN_RID NID_subject_alt_name X509_V_ERR_CRL_NOT_YET_VALID -- GEN_URI NID_subject_key_identifier X509_V_ERR_CRL_PATH_VALIDATION_ERROR -- GEN_X400 NID_surname X509_V_ERR_CRL_SIGNATURE_FAILURE -- LIBRESSL_VERSION_NUMBER NID_sxnet X509_V_ERR_DANE_NO_MATCH -- MBSTRING_ASC NID_time_stamp X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT -- MBSTRING_BMP NID_title X509_V_ERR_DIFFERENT_CRL_SCOPE -- MBSTRING_FLAG NID_undef X509_V_ERR_EE_KEY_TOO_SMALL -- MBSTRING_UNIV NID_uniqueIdentifier X509_V_ERR_EMAIL_MISMATCH -- MBSTRING_UTF8 NID_x509Certificate X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD -- MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_x509Crl X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD -- MODE_ACCEPT_MOVING_WRITE_BUFFER NID_zlib_compression X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD -- MODE_AUTO_RETRY NOTHING X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD -- MODE_ENABLE_PARTIAL_WRITE OCSP_RESPONSE_STATUS_INTERNALERROR X509_V_ERR_EXCLUDED_VIOLATION -- MODE_RELEASE_BUFFERS OCSP_RESPONSE_STATUS_MALFORMEDREQUEST X509_V_ERR_HOSTNAME_MISMATCH -- NID_OCSP_sign OCSP_RESPONSE_STATUS_SIGREQUIRED X509_V_ERR_INVALID_CA -- NID_SMIMECapabilities OCSP_RESPONSE_STATUS_SUCCESSFUL X509_V_ERR_INVALID_CALL -- NID_X500 OCSP_RESPONSE_STATUS_TRYLATER X509_V_ERR_INVALID_EXTENSION -- NID_X509 OCSP_RESPONSE_STATUS_UNAUTHORIZED X509_V_ERR_INVALID_NON_CA -- NID_ad_OCSP OPENSSL_BUILT_ON X509_V_ERR_INVALID_POLICY_EXTENSION -- NID_ad_ca_issuers OPENSSL_CFLAGS X509_V_ERR_INVALID_PURPOSE -- NID_algorithm OPENSSL_DIR X509_V_ERR_IP_ADDRESS_MISMATCH -- NID_authority_key_identifier OPENSSL_ENGINES_DIR X509_V_ERR_KEYUSAGE_NO_CERTSIGN -- NID_basic_constraints OPENSSL_PLATFORM X509_V_ERR_KEYUSAGE_NO_CRL_SIGN -- NID_bf_cbc OPENSSL_VERSION X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE -- NID_bf_cfb64 OPENSSL_VERSION_NUMBER X509_V_ERR_NO_EXPLICIT_POLICY -- 
NID_bf_ecb OP_ALL X509_V_ERR_NO_VALID_SCTS -- NID_bf_ofb64 OP_ALLOW_NO_DHE_KEX X509_V_ERR_OCSP_CERT_UNKNOWN -- NID_cast5_cbc OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION X509_V_ERR_OCSP_VERIFY_FAILED -- NID_cast5_cfb64 OP_CIPHER_SERVER_PREFERENCE X509_V_ERR_OCSP_VERIFY_NEEDED -- NID_cast5_ecb OP_CISCO_ANYCONNECT X509_V_ERR_OUT_OF_MEM -- NID_cast5_ofb64 OP_COOKIE_EXCHANGE X509_V_ERR_PATH_LENGTH_EXCEEDED -- NID_certBag OP_CRYPTOPRO_TLSEXT_BUG X509_V_ERR_PATH_LOOP -- NID_certificate_policies OP_DONT_INSERT_EMPTY_FRAGMENTS X509_V_ERR_PERMITTED_VIOLATION -- NID_client_auth OP_ENABLE_MIDDLEBOX_COMPAT X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED -- NID_code_sign OP_EPHEMERAL_RSA X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED -- NID_commonName OP_LEGACY_SERVER_CONNECT X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION -- NID_countryName OP_MICROSOFT_BIG_SSLV3_BUFFER X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN -- NID_crlBag OP_MICROSOFT_SESS_ID_BUG X509_V_ERR_STORE_LOOKUP -- NID_crl_distribution_points OP_MSIE_SSLV2_RSA_PADDING X509_V_ERR_SUBJECT_ISSUER_MISMATCH -- NID_crl_number OP_NETSCAPE_CA_DN_BUG X509_V_ERR_SUBTREE_MINMAX -- NID_crl_reason OP_NETSCAPE_CHALLENGE_BUG X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 -- NID_delta_crl OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_ALGORITHM -- NID_des_cbc OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_CURVE -- NID_des_cfb64 OP_NON_EXPORT_FIRST X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM -- NID_des_ecb OP_NO_ANTI_REPLAY X509_V_ERR_SUITE_B_INVALID_VERSION -- NID_des_ede OP_NO_CLIENT_RENEGOTIATION X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED -- NID_des_ede3 OP_NO_COMPRESSION X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY -- NID_des_ede3_cbc OP_NO_ENCRYPT_THEN_MAC X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE -- NID_des_ede3_cfb64 OP_NO_QUERY_MTU X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE -- NID_des_ede3_ofb64 OP_NO_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL -- NID_des_ede_cbc OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 
X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER -- NID_des_ede_cfb64 OP_NO_SSL_MASK X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT -- NID_des_ede_ofb64 OP_NO_SSLv2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY -- NID_des_ofb64 OP_NO_SSLv3 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE -- NID_description OP_NO_TICKET X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION -- NID_desx_cbc OP_NO_TLSv1 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION -- NID_dhKeyAgreement OP_NO_TLSv1_1 X509_V_ERR_UNNESTED_RESOURCE -- NID_dnQualifier OP_NO_TLSv1_2 X509_V_ERR_UNSPECIFIED -- NID_dsa OP_NO_TLSv1_3 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX -- NID_dsaWithSHA OP_PKCS1_CHECK_1 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE -- NID_dsaWithSHA1 OP_PKCS1_CHECK_2 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE -- NID_dsaWithSHA1_2 OP_PRIORITIZE_CHACHA X509_V_ERR_UNSUPPORTED_NAME_SYNTAX -- NID_dsa_2 OP_SAFARI_ECDHE_ECDSA_BUG X509_V_FLAG_ALLOW_PROXY_CERTS -- NID_email_protect OP_SINGLE_DH_USE X509_V_FLAG_CB_ISSUER_CHECK -- NID_ext_key_usage OP_SINGLE_ECDH_USE X509_V_FLAG_CHECK_SS_SIGNATURE -- NID_ext_req OP_SSLEAY_080_CLIENT_DH_BUG X509_V_FLAG_CRL_CHECK -- NID_friendlyName OP_SSLREF2_REUSE_CERT_TYPE_BUG X509_V_FLAG_CRL_CHECK_ALL -- NID_givenName OP_TLSEXT_PADDING X509_V_FLAG_EXPLICIT_POLICY -- NID_hmacWithSHA1 OP_TLS_BLOCK_PADDING_BUG X509_V_FLAG_EXTENDED_CRL_SUPPORT -- NID_id_ad OP_TLS_D5_BUG X509_V_FLAG_IGNORE_CRITICAL -- NID_id_ce OP_TLS_ROLLBACK_BUG X509_V_FLAG_INHIBIT_ANY -- NID_id_kp READING X509_V_FLAG_INHIBIT_MAP -- NID_id_pbkdf2 RECEIVED_SHUTDOWN X509_V_FLAG_NOTIFY_POLICY -- NID_id_pe RSA_3 X509_V_FLAG_NO_ALT_CHAINS -- NID_id_pkix RSA_F4 X509_V_FLAG_NO_CHECK_TIME -- NID_id_qt_cps R_BAD_AUTHENTICATION_TYPE X509_V_FLAG_PARTIAL_CHAIN -- NID_id_qt_unotice R_BAD_CHECKSUM X509_V_FLAG_POLICY_CHECK -- NID_idea_cbc R_BAD_MAC_DECODE X509_V_FLAG_POLICY_MASK -- NID_idea_cfb64 R_BAD_RESPONSE_ARGUMENT X509_V_FLAG_SUITEB_128_LOS -- NID_idea_ecb R_BAD_SSL_FILETYPE X509_V_FLAG_SUITEB_128_LOS_ONLY -- NID_idea_ofb64 R_BAD_SSL_SESSION_ID_LENGTH 
X509_V_FLAG_SUITEB_192_LOS -- NID_info_access R_BAD_STATE X509_V_FLAG_TRUSTED_FIRST -- NID_initials R_BAD_WRITE_RETRY X509_V_FLAG_USE_CHECK_TIME -- NID_invalidity_date R_CHALLENGE_IS_DIFFERENT X509_V_FLAG_USE_DELTAS -- NID_issuer_alt_name R_CIPHER_TABLE_SRC_ERROR X509_V_FLAG_X509_STRICT -- NID_keyBag R_INVALID_CHALLENGE_LENGTH X509_V_OK -- NID_key_usage R_NO_CERTIFICATE_SET XN_FLAG_COMPAT -- NID_localKeyID R_NO_CERTIFICATE_SPECIFIED XN_FLAG_DN_REV -- NID_localityName R_NO_CIPHER_LIST XN_FLAG_DUMP_UNKNOWN_FIELDS -- NID_md2 R_NO_CIPHER_MATCH XN_FLAG_FN_ALIGN -- NID_md2WithRSAEncryption R_NO_PRIVATEKEY XN_FLAG_FN_LN -- NID_md5 R_NO_PUBLICKEY XN_FLAG_FN_MASK -- NID_md5WithRSA R_NULL_SSL_CTX XN_FLAG_FN_NONE -- NID_md5WithRSAEncryption R_PEER_DID_NOT_RETURN_A_CERTIFICATE XN_FLAG_FN_OID -- NID_md5_sha1 R_PEER_ERROR XN_FLAG_FN_SN -- NID_mdc2 R_PEER_ERROR_CERTIFICATE XN_FLAG_MULTILINE -- NID_mdc2WithRSA R_PEER_ERROR_NO_CIPHER XN_FLAG_ONELINE -- NID_ms_code_com R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253 -- NID_ms_code_ind R_PUBLIC_KEY_ENCRYPT_ERROR XN_FLAG_SEP_COMMA_PLUS -- NID_ms_ctl_sign R_PUBLIC_KEY_IS_NOT_RSA XN_FLAG_SEP_CPLUS_SPC -- NID_ms_efs R_READ_WRONG_PACKET_TYPE XN_FLAG_SEP_MASK -- NID_ms_ext_req R_SHORT_READ XN_FLAG_SEP_MULTILINE -- NID_ms_sgc R_SSL_SESSION_ID_IS_DIFFERENT XN_FLAG_SEP_SPLUS_SPC -- NID_name R_UNABLE_TO_EXTRACT_PUBLIC_KEY XN_FLAG_SPC_EQ -+ ASN1_STRFLGS_ESC_CTRL NID_netscape_base_url R_X509_LIB -+ ASN1_STRFLGS_ESC_MSB NID_netscape_ca_policy_url SENT_SHUTDOWN -+ ASN1_STRFLGS_ESC_QUOTE NID_netscape_ca_revocation_url SESSION_ASN1_VERSION -+ ASN1_STRFLGS_RFC2253 NID_netscape_cert_extension SESS_CACHE_BOTH -+ CB_ACCEPT_EXIT NID_netscape_cert_sequence SESS_CACHE_CLIENT -+ CB_ACCEPT_LOOP NID_netscape_cert_type SESS_CACHE_NO_AUTO_CLEAR -+ CB_ALERT NID_netscape_comment SESS_CACHE_NO_INTERNAL -+ CB_CONNECT_EXIT NID_netscape_data_type SESS_CACHE_NO_INTERNAL_LOOKUP -+ CB_CONNECT_LOOP NID_netscape_renewal_url SESS_CACHE_NO_INTERNAL_STORE -+ 
CB_EXIT NID_netscape_revocation_url SESS_CACHE_OFF -+ CB_HANDSHAKE_DONE NID_netscape_ssl_server_name SESS_CACHE_SERVER -+ CB_HANDSHAKE_START NID_ns_sgc SSL3_VERSION -+ CB_LOOP NID_organizationName SSLEAY_BUILT_ON -+ CB_READ NID_organizationalUnitName SSLEAY_CFLAGS -+ CB_READ_ALERT NID_pbeWithMD2AndDES_CBC SSLEAY_DIR -+ CB_WRITE NID_pbeWithMD2AndRC2_CBC SSLEAY_PLATFORM -+ CB_WRITE_ALERT NID_pbeWithMD5AndCast5_CBC SSLEAY_VERSION -+ ERROR_NONE NID_pbeWithMD5AndDES_CBC ST_ACCEPT -+ ERROR_SSL NID_pbeWithMD5AndRC2_CBC ST_BEFORE -+ ERROR_SYSCALL NID_pbeWithSHA1AndDES_CBC ST_CONNECT -+ ERROR_WANT_ACCEPT NID_pbeWithSHA1AndRC2_CBC ST_INIT -+ ERROR_WANT_CONNECT NID_pbe_WithSHA1And128BitRC2_CBC ST_OK -+ ERROR_WANT_READ NID_pbe_WithSHA1And128BitRC4 ST_READ_BODY -+ ERROR_WANT_WRITE NID_pbe_WithSHA1And2_Key_TripleDES_CBC ST_READ_HEADER -+ ERROR_WANT_X509_LOOKUP NID_pbe_WithSHA1And3_Key_TripleDES_CBC TLS1_1_VERSION -+ ERROR_ZERO_RETURN NID_pbe_WithSHA1And40BitRC2_CBC TLS1_2_VERSION -+ EVP_PKS_DSA NID_pbe_WithSHA1And40BitRC4 TLS1_3_VERSION -+ EVP_PKS_EC NID_pbes2 TLS1_VERSION -+ EVP_PKS_RSA NID_pbmac1 TLSEXT_STATUSTYPE_ocsp -+ EVP_PKT_ENC NID_pkcs VERIFY_CLIENT_ONCE -+ EVP_PKT_EXCH NID_pkcs3 VERIFY_FAIL_IF_NO_PEER_CERT -+ EVP_PKT_EXP NID_pkcs7 VERIFY_NONE -+ EVP_PKT_SIGN NID_pkcs7_data VERIFY_PEER -+ EVP_PK_DH NID_pkcs7_digest VERIFY_POST_HANDSHAKE -+ EVP_PK_DSA NID_pkcs7_encrypted V_OCSP_CERTSTATUS_GOOD -+ EVP_PK_EC NID_pkcs7_enveloped V_OCSP_CERTSTATUS_REVOKED -+ EVP_PK_RSA NID_pkcs7_signed V_OCSP_CERTSTATUS_UNKNOWN -+ FILETYPE_ASN1 NID_pkcs7_signedAndEnveloped WRITING -+ FILETYPE_PEM NID_pkcs8ShroudedKeyBag X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT -+ F_CLIENT_CERTIFICATE NID_pkcs9 X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS -+ F_CLIENT_HELLO NID_pkcs9_challengePassword X509_CHECK_FLAG_NEVER_CHECK_SUBJECT -+ F_CLIENT_MASTER_KEY NID_pkcs9_contentType X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS -+ F_D2I_SSL_SESSION NID_pkcs9_countersignature X509_CHECK_FLAG_NO_WILDCARDS -+ F_GET_CLIENT_FINISHED 
NID_pkcs9_emailAddress X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS -+ F_GET_CLIENT_HELLO NID_pkcs9_extCertAttributes X509_FILETYPE_ASN1 -+ F_GET_CLIENT_MASTER_KEY NID_pkcs9_messageDigest X509_FILETYPE_DEFAULT -+ F_GET_SERVER_FINISHED NID_pkcs9_signingTime X509_FILETYPE_PEM -+ F_GET_SERVER_HELLO NID_pkcs9_unstructuredAddress X509_LOOKUP -+ F_GET_SERVER_VERIFY NID_pkcs9_unstructuredName X509_PURPOSE_ANY -+ F_I2D_SSL_SESSION NID_private_key_usage_period X509_PURPOSE_CRL_SIGN -+ F_READ_N NID_rc2_40_cbc X509_PURPOSE_NS_SSL_SERVER -+ F_REQUEST_CERTIFICATE NID_rc2_64_cbc X509_PURPOSE_OCSP_HELPER -+ F_SERVER_HELLO NID_rc2_cbc X509_PURPOSE_SMIME_ENCRYPT -+ F_SSL_CERT_NEW NID_rc2_cfb64 X509_PURPOSE_SMIME_SIGN -+ F_SSL_GET_NEW_SESSION NID_rc2_ecb X509_PURPOSE_SSL_CLIENT -+ F_SSL_NEW NID_rc2_ofb64 X509_PURPOSE_SSL_SERVER -+ F_SSL_READ NID_rc4 X509_PURPOSE_TIMESTAMP_SIGN -+ F_SSL_RSA_PRIVATE_DECRYPT NID_rc4_40 X509_TRUST_COMPAT -+ F_SSL_RSA_PUBLIC_ENCRYPT NID_rc5_cbc X509_TRUST_EMAIL -+ F_SSL_SESSION_NEW NID_rc5_cfb64 X509_TRUST_OBJECT_SIGN -+ F_SSL_SESSION_PRINT_FP NID_rc5_ecb X509_TRUST_OCSP_REQUEST -+ F_SSL_SET_FD NID_rc5_ofb64 X509_TRUST_OCSP_SIGN -+ F_SSL_SET_RFD NID_ripemd160 X509_TRUST_SSL_CLIENT -+ F_SSL_SET_WFD NID_ripemd160WithRSA X509_TRUST_SSL_SERVER -+ F_SSL_USE_CERTIFICATE NID_rle_compression X509_TRUST_TSA -+ F_SSL_USE_CERTIFICATE_ASN1 NID_rsa X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH -+ F_SSL_USE_CERTIFICATE_FILE NID_rsaEncryption X509_V_ERR_AKID_SKID_MISMATCH -+ F_SSL_USE_PRIVATEKEY NID_rsadsi X509_V_ERR_APPLICATION_VERIFICATION -+ F_SSL_USE_PRIVATEKEY_ASN1 NID_safeContentsBag X509_V_ERR_CA_KEY_TOO_SMALL -+ F_SSL_USE_PRIVATEKEY_FILE NID_sdsiCertificate X509_V_ERR_CA_MD_TOO_WEAK -+ F_SSL_USE_RSAPRIVATEKEY NID_secretBag X509_V_ERR_CERT_CHAIN_TOO_LONG -+ F_SSL_USE_RSAPRIVATEKEY_ASN1 NID_serialNumber X509_V_ERR_CERT_HAS_EXPIRED -+ F_SSL_USE_RSAPRIVATEKEY_FILE NID_server_auth X509_V_ERR_CERT_NOT_YET_VALID -+ F_WRITE_PENDING NID_sha X509_V_ERR_CERT_REJECTED -+ GEN_DIRNAME 
NID_sha1 X509_V_ERR_CERT_REVOKED -+ GEN_DNS NID_sha1WithRSA X509_V_ERR_CERT_SIGNATURE_FAILURE -+ GEN_EDIPARTY NID_sha1WithRSAEncryption X509_V_ERR_CERT_UNTRUSTED -+ GEN_EMAIL NID_shaWithRSAEncryption X509_V_ERR_CRL_HAS_EXPIRED -+ GEN_IPADD NID_stateOrProvinceName X509_V_ERR_CRL_NOT_YET_VALID -+ GEN_OTHERNAME NID_subject_alt_name X509_V_ERR_CRL_PATH_VALIDATION_ERROR -+ GEN_RID NID_subject_key_identifier X509_V_ERR_CRL_SIGNATURE_FAILURE -+ GEN_URI NID_surname X509_V_ERR_DANE_NO_MATCH -+ GEN_X400 NID_sxnet X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT -+ LIBRESSL_VERSION_NUMBER NID_time_stamp X509_V_ERR_DIFFERENT_CRL_SCOPE -+ MBSTRING_ASC NID_title X509_V_ERR_EE_KEY_TOO_SMALL -+ MBSTRING_BMP NID_undef X509_V_ERR_EMAIL_MISMATCH -+ MBSTRING_FLAG NID_uniqueIdentifier X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD -+ MBSTRING_UNIV NID_x509Certificate X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD -+ MBSTRING_UTF8 NID_x509Crl X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD -+ MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_zlib_compression X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD -+ MODE_ACCEPT_MOVING_WRITE_BUFFER NOTHING X509_V_ERR_EXCLUDED_VIOLATION -+ MODE_AUTO_RETRY OCSP_RESPONSE_STATUS_INTERNALERROR X509_V_ERR_HOSTNAME_MISMATCH -+ MODE_ENABLE_PARTIAL_WRITE OCSP_RESPONSE_STATUS_MALFORMEDREQUEST X509_V_ERR_INVALID_CA -+ MODE_RELEASE_BUFFERS OCSP_RESPONSE_STATUS_SIGREQUIRED X509_V_ERR_INVALID_CALL -+ NID_OCSP_sign OCSP_RESPONSE_STATUS_SUCCESSFUL X509_V_ERR_INVALID_EXTENSION -+ NID_SMIMECapabilities OCSP_RESPONSE_STATUS_TRYLATER X509_V_ERR_INVALID_NON_CA -+ NID_X500 OCSP_RESPONSE_STATUS_UNAUTHORIZED X509_V_ERR_INVALID_POLICY_EXTENSION -+ NID_X509 OPENSSL_BUILT_ON X509_V_ERR_INVALID_PURPOSE -+ NID_ad_OCSP OPENSSL_CFLAGS X509_V_ERR_IP_ADDRESS_MISMATCH -+ NID_ad_ca_issuers OPENSSL_DIR X509_V_ERR_KEYUSAGE_NO_CERTSIGN -+ NID_algorithm OPENSSL_ENGINES_DIR X509_V_ERR_KEYUSAGE_NO_CRL_SIGN -+ NID_authority_key_identifier OPENSSL_PLATFORM X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE -+ NID_basic_constraints 
OPENSSL_VERSION X509_V_ERR_NO_EXPLICIT_POLICY -+ NID_bf_cbc OPENSSL_VERSION_NUMBER X509_V_ERR_NO_VALID_SCTS -+ NID_bf_cfb64 OP_ALL X509_V_ERR_OCSP_CERT_UNKNOWN -+ NID_bf_ecb OP_ALLOW_NO_DHE_KEX X509_V_ERR_OCSP_VERIFY_FAILED -+ NID_bf_ofb64 OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION X509_V_ERR_OCSP_VERIFY_NEEDED -+ NID_cast5_cbc OP_CIPHER_SERVER_PREFERENCE X509_V_ERR_OUT_OF_MEM -+ NID_cast5_cfb64 OP_CISCO_ANYCONNECT X509_V_ERR_PATH_LENGTH_EXCEEDED -+ NID_cast5_ecb OP_COOKIE_EXCHANGE X509_V_ERR_PATH_LOOP -+ NID_cast5_ofb64 OP_CRYPTOPRO_TLSEXT_BUG X509_V_ERR_PERMITTED_VIOLATION -+ NID_certBag OP_DONT_INSERT_EMPTY_FRAGMENTS X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED -+ NID_certificate_policies OP_ENABLE_MIDDLEBOX_COMPAT X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED -+ NID_client_auth OP_EPHEMERAL_RSA X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION -+ NID_code_sign OP_LEGACY_SERVER_CONNECT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN -+ NID_commonName OP_MICROSOFT_BIG_SSLV3_BUFFER X509_V_ERR_STORE_LOOKUP -+ NID_countryName OP_MICROSOFT_SESS_ID_BUG X509_V_ERR_SUBJECT_ISSUER_MISMATCH -+ NID_crlBag OP_MSIE_SSLV2_RSA_PADDING X509_V_ERR_SUBTREE_MINMAX -+ NID_crl_distribution_points OP_NETSCAPE_CA_DN_BUG X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 -+ NID_crl_number OP_NETSCAPE_CHALLENGE_BUG X509_V_ERR_SUITE_B_INVALID_ALGORITHM -+ NID_crl_reason OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_CURVE -+ NID_delta_crl OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM -+ NID_des_cbc OP_NON_EXPORT_FIRST X509_V_ERR_SUITE_B_INVALID_VERSION -+ NID_des_cfb64 OP_NO_ANTI_REPLAY X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED -+ NID_des_ecb OP_NO_CLIENT_RENEGOTIATION X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY -+ NID_des_ede OP_NO_COMPRESSION X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE -+ NID_des_ede3 OP_NO_ENCRYPT_THEN_MAC X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE -+ NID_des_ede3_cbc OP_NO_QUERY_MTU X509_V_ERR_UNABLE_TO_GET_CRL -+ NID_des_ede3_cfb64 OP_NO_RENEGOTIATION 
X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER -+ NID_des_ede3_ofb64 OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT -+ NID_des_ede_cbc OP_NO_SSL_MASK X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY -+ NID_des_ede_cfb64 OP_NO_SSLv2 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE -+ NID_des_ede_ofb64 OP_NO_SSLv3 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION -+ NID_des_ofb64 OP_NO_TICKET X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION -+ NID_description OP_NO_TLSv1 X509_V_ERR_UNNESTED_RESOURCE -+ NID_desx_cbc OP_NO_TLSv1_1 X509_V_ERR_UNSPECIFIED -+ NID_dhKeyAgreement OP_NO_TLSv1_2 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX -+ NID_dnQualifier OP_NO_TLSv1_3 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE -+ NID_dsa OP_PKCS1_CHECK_1 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE -+ NID_dsaWithSHA OP_PKCS1_CHECK_2 X509_V_ERR_UNSUPPORTED_NAME_SYNTAX -+ NID_dsaWithSHA1 OP_PRIORITIZE_CHACHA X509_V_FLAG_ALLOW_PROXY_CERTS -+ NID_dsaWithSHA1_2 OP_SAFARI_ECDHE_ECDSA_BUG X509_V_FLAG_CB_ISSUER_CHECK -+ NID_dsa_2 OP_SINGLE_DH_USE X509_V_FLAG_CHECK_SS_SIGNATURE -+ NID_email_protect OP_SINGLE_ECDH_USE X509_V_FLAG_CRL_CHECK -+ NID_ext_key_usage OP_SSLEAY_080_CLIENT_DH_BUG X509_V_FLAG_CRL_CHECK_ALL -+ NID_ext_req OP_SSLREF2_REUSE_CERT_TYPE_BUG X509_V_FLAG_EXPLICIT_POLICY -+ NID_friendlyName OP_TLSEXT_PADDING X509_V_FLAG_EXTENDED_CRL_SUPPORT -+ NID_givenName OP_TLS_BLOCK_PADDING_BUG X509_V_FLAG_IGNORE_CRITICAL -+ NID_hmacWithSHA1 OP_TLS_D5_BUG X509_V_FLAG_INHIBIT_ANY -+ NID_id_ad OP_TLS_ROLLBACK_BUG X509_V_FLAG_INHIBIT_MAP -+ NID_id_ce READING X509_V_FLAG_LEGACY_VERIFY -+ NID_id_kp RECEIVED_SHUTDOWN X509_V_FLAG_NOTIFY_POLICY -+ NID_id_pbkdf2 RSA_3 X509_V_FLAG_NO_ALT_CHAINS -+ NID_id_pe RSA_F4 X509_V_FLAG_NO_CHECK_TIME -+ NID_id_pkix R_BAD_AUTHENTICATION_TYPE X509_V_FLAG_PARTIAL_CHAIN -+ NID_id_qt_cps R_BAD_CHECKSUM X509_V_FLAG_POLICY_CHECK -+ NID_id_qt_unotice R_BAD_MAC_DECODE X509_V_FLAG_POLICY_MASK -+ NID_idea_cbc R_BAD_RESPONSE_ARGUMENT X509_V_FLAG_SUITEB_128_LOS -+ NID_idea_cfb64 
R_BAD_SSL_FILETYPE X509_V_FLAG_SUITEB_128_LOS_ONLY -+ NID_idea_ecb R_BAD_SSL_SESSION_ID_LENGTH X509_V_FLAG_SUITEB_192_LOS -+ NID_idea_ofb64 R_BAD_STATE X509_V_FLAG_TRUSTED_FIRST -+ NID_info_access R_BAD_WRITE_RETRY X509_V_FLAG_USE_CHECK_TIME -+ NID_initials R_CHALLENGE_IS_DIFFERENT X509_V_FLAG_USE_DELTAS -+ NID_invalidity_date R_CIPHER_TABLE_SRC_ERROR X509_V_FLAG_X509_STRICT -+ NID_issuer_alt_name R_INVALID_CHALLENGE_LENGTH X509_V_OK -+ NID_keyBag R_NO_CERTIFICATE_SET XN_FLAG_COMPAT -+ NID_key_usage R_NO_CERTIFICATE_SPECIFIED XN_FLAG_DN_REV -+ NID_localKeyID R_NO_CIPHER_LIST XN_FLAG_DUMP_UNKNOWN_FIELDS -+ NID_localityName R_NO_CIPHER_MATCH XN_FLAG_FN_ALIGN -+ NID_md2 R_NO_PRIVATEKEY XN_FLAG_FN_LN -+ NID_md2WithRSAEncryption R_NO_PUBLICKEY XN_FLAG_FN_MASK -+ NID_md5 R_NULL_SSL_CTX XN_FLAG_FN_NONE -+ NID_md5WithRSA R_PEER_DID_NOT_RETURN_A_CERTIFICATE XN_FLAG_FN_OID -+ NID_md5WithRSAEncryption R_PEER_ERROR XN_FLAG_FN_SN -+ NID_md5_sha1 R_PEER_ERROR_CERTIFICATE XN_FLAG_MULTILINE -+ NID_mdc2 R_PEER_ERROR_NO_CIPHER XN_FLAG_ONELINE -+ NID_mdc2WithRSA R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253 -+ NID_ms_code_com R_PUBLIC_KEY_ENCRYPT_ERROR XN_FLAG_SEP_COMMA_PLUS -+ NID_ms_code_ind R_PUBLIC_KEY_IS_NOT_RSA XN_FLAG_SEP_CPLUS_SPC -+ NID_ms_ctl_sign R_READ_WRONG_PACKET_TYPE XN_FLAG_SEP_MASK -+ NID_ms_efs R_SHORT_READ XN_FLAG_SEP_MULTILINE -+ NID_ms_ext_req R_SSL_SESSION_ID_IS_DIFFERENT XN_FLAG_SEP_SPLUS_SPC -+ NID_ms_sgc R_UNABLE_TO_EXTRACT_PUBLIC_KEY XN_FLAG_SPC_EQ -+ NID_name R_UNKNOWN_REMOTE_ERROR_TYPE -+ NID_netscape R_UNKNOWN_STATE - - /); - - my @missing; - my %h = map { $_=>1 } @Net::SSLeay::EXPORT_OK; - --for (@c) { -- like(eval("&Net::SSLeay::$_; 'ok'") || $@, qr/^(ok|Your vendor has not defined SSLeay macro.*)$/, "$_"); -- push(@missing, $_) unless $h{$_}; -+for my $c (@c) { -+ dies_like(sub { -+ "Net::SSLeay::$c"->(); -+ die "ok\n"; -+ }, qr/^(ok\n|Your vendor has not defined SSLeay macro.*)$/, "$c"); -+ push(@missing, $c) unless $h{$c}; - } - - 
is(join(",", sort @missing), '', 'constants missing in @EXPORT_OK count='.scalar(@missing)); -diff --git a/t/local/22_provider.t b/t/local/22_provider.t -new file mode 100644 -index 0000000..f3a19a7 ---- /dev/null -+++ b/t/local/22_provider.t -@@ -0,0 +1,103 @@ -+use lib 'inc'; -+ -+use Net::SSLeay; -+use Test::Net::SSLeay (initialise_libssl); -+ -+# We don't do intialise_libssl() now because we want to want to -+# trigger automatic loading of the default provider. -+# -+# Quote from -+# https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-default.html -+# about default provider: -+# -+# It is loaded automatically the first time that an algorithm is -+# fetched from a provider or a function acting on providers is -+# called and no other provider has been loaded yet. -+# -+#initialise_libssl(); # Don't do this -+ -+if (defined &Net::SSLeay::OSSL_PROVIDER_load) { -+ plan(tests => 16); -+} else { -+ plan(skip_all => "no support for providers"); -+} -+ -+# provider loading, availability and unloading -+{ -+ # See top of file why things are done in this order. We don't want -+ # to load the default provider automatically. -+ -+ my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null'); -+ ok($null_provider, 'null provider load returns a pointer'); -+ my $null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null'); -+ is($null_avail, 1, 'null provider loaded and available'); -+ -+ my $default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default'); -+ is($default_avail, 0, 'default provider not loaded, not available'); -+ if ($default_avail) -+ { -+ diag('Default provider was already available. 
More provider tests in this and other provider test files may fail'); -+ diag('If your configuration loads the default provider, consider ignoring the errors or using OPENSSL_CONF environment variable'); -+ diag('For example: OPENSSL_CONF=/path/to/openssl/ssl/openssl.cnf.dist make test'); -+ } -+ -+ my $null_unload = Net::SSLeay::OSSL_PROVIDER_unload($null_provider); -+ is($null_unload, 1, 'null provider successfully unloaded'); -+ $null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null'); -+ is($null_avail, 0, 'null provider is no longer available'); -+ -+ $default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default'); -+ is($default_avail, 0, 'default provider still not loaded, not available'); -+ -+ my $default_provider_undef_libctx = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default'); -+ ok($default_provider_undef_libctx, 'default provider with NULL libctx loaded successfully'); -+ -+ my $libctx = Net::SSLeay::OSSL_LIB_CTX_get0_global_default(); -+ ok($libctx, 'OSSL_LIB_CTX_get0_global_default() returns a pointer'); -+ -+ my $default_provider_default_libctx = Net::SSLeay::OSSL_PROVIDER_load($libctx, 'default'); -+ ok($default_provider_default_libctx, 'default provider with default libctx loaded successfully'); -+ is($default_provider_default_libctx, $default_provider_undef_libctx, 'OSSL_PROVIDER_load with undef and defined libctx return the same pointer'); -+} -+ -+ -+# get0_name, selftest -+{ -+ my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null'); -+ my $default_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default'); -+ -+ is(Net::SSLeay::OSSL_PROVIDER_get0_name($null_provider), 'null', 'get0_name for null provider'); -+ is(Net::SSLeay::OSSL_PROVIDER_get0_name($default_provider), 'default', 'get0_name for default provider'); -+ -+ is(Net::SSLeay::OSSL_PROVIDER_self_test($null_provider), 1, 'self_test for null provider'); -+ is(Net::SSLeay::OSSL_PROVIDER_self_test($default_provider), 1, 'self_test for default provider'); -+} 
-+ -+ -+# do_all -+{ -+ my %seen_providers; -+ sub all_cb { -+ my ($provider_cb, $cbdata_cb) = @_; -+ -+ fail('provider already seen') if exists $seen_providers{$provider_cb}; -+ $seen_providers{$provider_cb} = $cbdata_cb; -+ return 1; -+ }; -+ -+ my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null'); -+ my $default_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default'); -+ my $cbdata = 'data for cb'; -+ -+ Net::SSLeay::OSSL_PROVIDER_do_all(undef, \&all_cb, $cbdata); -+ foreach my $provider ($null_provider, $default_provider) -+ { -+ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider); -+ is(delete $seen_providers{$provider}, $cbdata, "provider '$name' was seen"); -+ } -+ foreach my $provider (keys(%seen_providers)) -+ { -+ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider); -+ diag("Provider '$name' was also seen by the callback"); -+ } -+} -diff --git a/t/local/22_provider_try_load.t b/t/local/22_provider_try_load.t -new file mode 100644 -index 0000000..88edd6b ---- /dev/null -+++ b/t/local/22_provider_try_load.t -@@ -0,0 +1,29 @@ -+use lib 'inc'; -+ -+use Net::SSLeay; -+use Test::Net::SSLeay (initialise_libssl); -+ -+# Avoid default provider automatic loading. See 22_provider.t for more -+# information. -+# -+#initialise_libssl(); # Don't do this -+# -+# We use a separate test file so that we get a newly loaded library -+# that still has triggers for automatic loading enabled. 
-+ -+if (defined &Net::SSLeay::OSSL_PROVIDER_load) { -+ plan(tests => 3); -+} else { -+ plan(skip_all => "no support for providers"); -+} -+ -+my ($null_provider, $default_avail, $null_avail); -+ -+$null_provider = Net::SSLeay::OSSL_PROVIDER_try_load(undef, 'null', 1); -+ok($null_provider, 'try_load("null", retain_fallbacks = 1) returns a pointer'); -+ -+$default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default'); -+is($default_avail, 1, 'default provider automatically loaded after try_load("null", retain_fallbacks = 1)'); -+ -+$null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null'); -+is($null_avail, 1, 'null provider loaded after try_load("null", retain_fallbacks = 1)'); -diff --git a/t/local/22_provider_try_load_zero_retain.t b/t/local/22_provider_try_load_zero_retain.t -new file mode 100644 -index 0000000..ea9ddeb ---- /dev/null -+++ b/t/local/22_provider_try_load_zero_retain.t -@@ -0,0 +1,29 @@ -+use lib 'inc'; -+ -+use Net::SSLeay; -+use Test::Net::SSLeay (initialise_libssl); -+ -+# Avoid default provider automatic loading. See 22_provider.t for more -+# information. -+# -+#initialise_libssl(); # Don't do this -+# -+# We use a separate test file so that we get a newly loaded library -+# that still has triggers for automatic loading enabled. 
-+ -+if (defined &Net::SSLeay::OSSL_PROVIDER_load) { -+ plan(tests => 3); -+} else { -+ plan(skip_all => "no support for providers"); -+} -+ -+my ($null_provider, $default_avail, $null_avail); -+ -+$null_provider = Net::SSLeay::OSSL_PROVIDER_try_load(undef, 'null', 0); -+ok($null_provider, 'try_load("null", retain_fallbacks = 0) returns a pointer'); -+ -+$default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default'); -+is($default_avail, 0, 'default provider not automatically loaded after try_load("null", retain_fallbacks = 0)'); -+ -+$null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null'); -+is($null_avail, 1, 'null provider loaded after try_load("null", retain_fallbacks = 0)'); -diff --git a/t/local/30_error.t b/t/local/30_error.t -index 3f31ccd..8ad1560 100644 ---- a/t/local/30_error.t -+++ b/t/local/30_error.t -@@ -1,17 +1,24 @@ - use lib 'inc'; - - use Net::SSLeay; --use Test::Net::SSLeay qw(initialise_libssl); -+use Test::Net::SSLeay qw( -+ dies_like doesnt_warn initialise_libssl lives_ok warns_like -+); - --eval "use Test::Exception; use Test::Warn; use Test::NoWarnings; 1;"; --if ($@) { -- plan skip_all => 'Requires Test::Exception, Test::Warn and Test::NoWarnings'; --} else { -- plan tests => 11; --} -+plan tests => 11; -+ -+doesnt_warn('tests run without outputting unexpected warnings'); - - initialise_libssl(); - -+# See below near 'sub put_err' for more about how error string and -+# erro code contents have changed between library versions. 
-+my $err_string = "foo $$: 1 - error:10000080:BIO routines:"; -+$err_string = "foo $$: 1 - error:20000080:BIO routines:" -+ if Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()) =~ m/^OpenSSL 3.0.0-alpha[1-4] /s; -+$err_string = "foo $$: 1 - error:2006D080:BIO routines:" -+ if (Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") < 0x30000000); -+ - # Note, die_now usually just prints the process id and the argument string eg: - # 57611: test - # but on some systems, perhaps if diagnostics are enabled, it might [roduce something like: -@@ -20,7 +27,7 @@ initialise_libssl(); - # therefore the qr match strings below have been chnaged so they dont have tooccur at the - # beginning of the line. - { -- throws_ok(sub { -+ dies_like(sub { - Net::SSLeay::die_now('test') - }, qr/$$: test\n$/, 'die_now dies without errors'); - -@@ -29,12 +36,12 @@ initialise_libssl(); - }, 'die_if_ssl_error lives without errors'); - - put_err(); -- throws_ok(sub { -+ dies_like(sub { - Net::SSLeay::die_now('test'); - }, qr/$$: test\n$/, 'die_now dies with errors'); - - put_err(); -- throws_ok(sub { -+ dies_like(sub { - Net::SSLeay::die_if_ssl_error('test'); - }, qr/$$: test\n$/, 'die_if_ssl_error dies with errors'); - } -@@ -42,7 +49,7 @@ initialise_libssl(); - { - local $Net::SSLeay::trace = 1; - -- throws_ok(sub { -+ dies_like(sub { - Net::SSLeay::die_now('foo'); - }, qr/$$: foo\n$/, 'die_now dies without arrors and with trace'); - -@@ -51,26 +58,46 @@ initialise_libssl(); - }, 'die_if_ssl_error lives without errors and with trace'); - - put_err(); -- warning_like(sub { -- throws_ok(sub { -+ warns_like(sub { -+ dies_like(sub { - Net::SSLeay::die_now('foo'); - }, qr/^$$: foo\n$/, 'die_now dies with errors and trace'); -- }, qr/foo $$: 1 - error:2006d080/i, 'die_now raises warnings about the occurred error when tracing'); -+ }, qr/$err_string/i, 'die_now raises warnings about the occurred error when tracing'); - - put_err(); -- 
warning_like(sub { -- throws_ok(sub { -+ warns_like(sub { -+ dies_like(sub { - Net::SSLeay::die_if_ssl_error('foo'); - }, qr/^$$: foo\n$/, 'die_if_ssl_error dies with errors and trace'); -- }, qr/foo $$: 1 - error:2006d080/i, 'die_if_ssl_error raises warnings about the occurred error when tracing'); -+ }, qr/$err_string/i, 'die_if_ssl_error raises warnings about the occurred error when tracing'); - } - -+# The resulting error strings looks something like below. The number -+# after 'foo' is the process id. OpenSSL 3.0.0 drops function name and -+# changes how error code is packed. -+# - OpenSSL 3.0.0: foo 61488: 1 - error:10000080:BIO routines::no such file -+# - OpenSSL 3.0.0-alpha5: foo 16380: 1 - error:10000080:BIO routines::no such file -+# - OpenSSL 3.0.0-alpha1: foo 16293: 1 - error:20000080:BIO routines::no such file -+# - OpenSSL 1.1.1l: foo 61202: 1 - error:2006D080:BIO routines:BIO_new_file:no such file -+# - OpenSSL 1.1.0l: foo 61295: 1 - error:2006D080:BIO routines:BIO_new_file:no such file -+# - OpenSSL 1.0.2u: foo 61400: 1 - error:2006D080:BIO routines:BIO_new_file:no such file -+# - OpenSSL 1.0.1u: foo 13621: 1 - error:2006D080:BIO routines:BIO_new_file:no such file -+# - OpenSSL 1.0.0t: foo 14349: 1 - error:2006D080:BIO routines:BIO_new_file:no such file -+# - OpenSSL 0.9.8zh: foo 14605: 1 - error:2006D080:BIO routines:BIO_new_file:no such file -+# - OpenSSL 0.9.8f: foo 14692: 1 - error:2006D080:BIO routines:BIO_new_file:no such file -+# -+# 1.1.1 series and earlier create error by ORing together lib, func -+# and reason with 24 bit left shift, 12 bit left shift and without bit -+# shift, respectively. -+# 3.0.0 alpha1 drops function name from error string and alpha5 -+# changes bit shift of lib to 23. -+# LibreSSL 2.5.1 drops function name from error string. 
- sub put_err { - Net::SSLeay::ERR_put_error( -- 32, #lib -- 109, #func -- 128, #reason -- 1, #file -- 1, #line -+ 32, #lib - 0x20 ERR_LIB_BIO 'BIO routines' -+ 109, #func - 0x6D BIO_F_BIO_NEW_FILE 'BIO_new_file' -+ 128, #reason - 0x80 BIO_R_NO_SUCH_FILE 'no such file' -+ 1, #file - file name (not packed into error code) -+ 1, #line - line number (not packed into error code) - ); - } -diff --git a/t/local/31_rsa_generate_key.t b/t/local/31_rsa_generate_key.t -index 3a1efb3..dec3e80 100644 ---- a/t/local/31_rsa_generate_key.t -+++ b/t/local/31_rsa_generate_key.t -@@ -1,14 +1,9 @@ - use lib 'inc'; - - use Net::SSLeay; --use Test::Net::SSLeay qw(initialise_libssl); -+use Test::Net::SSLeay qw( dies_like initialise_libssl lives_ok ); - --eval 'use Test::Exception'; --if ($@) { -- plan skip_all => 'Test::Exception required'; --} else { -- plan tests => 14; --} -+plan tests => 14; - - initialise_libssl(); - -@@ -16,9 +11,9 @@ lives_ok(sub { - Net::SSLeay::RSA_generate_key(2048, 0x10001); - }, 'RSA_generate_key with valid callback'); - --dies_ok(sub { -+dies_like(sub { - Net::SSLeay::RSA_generate_key(2048, 0x10001, 1); --}, 'RSA_generate_key with invalid callback'); -+}, qr/Undefined subroutine &main::1 called/, 'RSA_generate_key with invalid callback'); - - { - my $called = 0; -diff --git a/t/local/32_x509_get_cert_info.t b/t/local/32_x509_get_cert_info.t -index a1697ff..1f0f20a 100644 ---- a/t/local/32_x509_get_cert_info.t -+++ b/t/local/32_x509_get_cert_info.t -@@ -8,8 +8,8 @@ use Test::Net::SSLeay qw( - use lib '.'; - - my $tests = ( is_openssl() && Net::SSLeay::SSLeay < 0x10100003 ) || is_libressl() -- ? 721 -- : 724; -+ ? 
723 -+ : 726; - - plan tests => $tests; - -@@ -190,7 +190,7 @@ for my $f (keys (%$dump)) { - Net::SSLeay::SSLeay < 0x30000000 - || ( - Net::SSLeay::SSLeay == 0x30000000 -- && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) =~ /-alpha1/ -+ && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) =~ /-alpha1\ / - ) - ) - ) { -@@ -373,8 +373,8 @@ Net::SSLeay::X509_STORE_CTX_set_cert($ctx,$x509); - my $ca_filename = data_file_path('root-ca.cert.pem'); - my $ca_bio = Net::SSLeay::BIO_new_file($ca_filename, 'rb'); - my $ca_x509 = Net::SSLeay::PEM_read_bio_X509($ca_bio); --Net::SSLeay::X509_STORE_add_cert($x509_store,$ca_x509); --Net::SSLeay::X509_STORE_CTX_init($ctx, $x509_store, $x509); -+is (Net::SSLeay::X509_STORE_add_cert($x509_store,$ca_x509), 1, 'X509_STORE_add_cert'); -+is (Net::SSLeay::X509_STORE_CTX_init($ctx, $x509_store, $x509), 1, 'X509_STORE_CTX_init'); - SKIP: { - skip('X509_STORE_CTX_get0_cert requires OpenSSL 1.1.0-pre5+ or LibreSSL 2.7.0+', 1) unless defined (&Net::SSLeay::X509_STORE_CTX_get0_cert); - ok (my $x509_from_cert = Net::SSLeay::X509_STORE_CTX_get0_cert($ctx),'Get x509 from store ctx'); -diff --git a/t/local/33_x509_create_cert.t b/t/local/33_x509_create_cert.t -index 3c5a2e8..3cad034 100755 ---- a/t/local/33_x509_create_cert.t -+++ b/t/local/33_x509_create_cert.t -@@ -9,6 +9,13 @@ plan tests => 139; - - initialise_libssl(); - -+if (defined &Net::SSLeay::OSSL_PROVIDER_load) -+{ -+ my $provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy'); -+ diag('Failed to load legacy provider: PEM_get_string_PrivateKey may fail') -+ unless $provider; -+} -+ - my $ca_crt_pem = data_file_path('root-ca.cert.pem'); - my $ca_key_pem = data_file_path('root-ca.key.pem'); - -diff --git a/t/local/36_verify.t b/t/local/36_verify.t -index 0b84461..22017e5 100644 ---- a/t/local/36_verify.t -+++ b/t/local/36_verify.t -@@ -7,7 +7,7 @@ use Test::Net::SSLeay qw( - can_fork data_file_path initialise_libssl is_libressl is_openssl tcp_socket - ); - 
--plan tests => 103; -+plan tests => 105; - - initialise_libssl(); - -@@ -40,9 +40,18 @@ SKIP: { - - SKIP: { - skip 'openssl-0.9.8a required', 3 unless Net::SSLeay::SSLeay >= 0x0090801f; -- ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS(), 'X509_VERIFY_PARAM_get_flags'); -+ -+ # From version 3.3.2, LibreSSL signals the use of its legacy X.509 verifier -+ # via the X509_V_FLAG_LEGACY_VERIFY flag; this flag persists even after -+ # X509_VERIFY_PARAM_clear_flags() is called -+ my $base_flags = -+ is_libressl() && Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") >= 0x3030200f -+ ? Net::SSLeay::X509_V_FLAG_LEGACY_VERIFY() -+ : 0; -+ -+ ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == ($base_flags | Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS()), 'X509_VERIFY_PARAM_get_flags'); - ok(Net::SSLeay::X509_VERIFY_PARAM_clear_flags($pm, Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS()), 'X509_VERIFY_PARAM_clear_flags'); -- ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == 0, 'X509_VERIFY_PARAM_get_flags'); -+ ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == ($base_flags | 0), 'X509_VERIFY_PARAM_get_flags'); - }; - - SKIP: { -@@ -86,8 +95,8 @@ SKIP: { - - $server = tcp_socket(); - -- run_server(); -- $server->close(); -+ run_server(); # Forks: child does not return -+ $server->close() || die("client listen socket close: $!"); - client(); - } - -@@ -223,7 +232,7 @@ sub verify_local_trust { - ok(my $store = Net::SSLeay::X509_STORE_new(), "X509_STORE_new creates new store"); - ok(Net::SSLeay::X509_STORE_add_cert($store, $ca), "X509_STORE_add_cert CA cert"); - ok(my $ctx = Net::SSLeay::X509_STORE_CTX_new(), "X509_STORE_CTX_new creates new store context"); -- Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert); -+ is(Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert), 1, 'X509_STORE_CTX_init succeeds'); - ok(!Net::SSLeay::X509_verify_cert($ctx), 'X509_verify_cert correctly fails'); - 
is(Net::SSLeay::X509_STORE_CTX_get_error($ctx), - Net::SSLeay::X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(), "X509_STORE_CTX_get_error returns unable to get local issuer certificate"); -@@ -241,7 +250,7 @@ sub verify_local_trust { - ok($store = Net::SSLeay::X509_STORE_new(), "X509_STORE_new creates new store"); - ok(Net::SSLeay::X509_STORE_add_cert($store, $ca), "X509_STORE_add_cert CA cert"); - ok($ctx = Net::SSLeay::X509_STORE_CTX_new(), "X509_STORE_CTX_new creates new store context"); -- Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert, $x509_sk); -+ is(Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert, $x509_sk), 1, 'X509_STORE_CTX_init succeeds'); - ok(Net::SSLeay::X509_verify_cert($ctx), 'X509_verify_cert correctly succeeds'); - is(Net::SSLeay::X509_STORE_CTX_get_error($ctx), Net::SSLeay::X509_V_OK(), "X509_STORE_CTX_get_error returns ok"); - Net::SSLeay::X509_STORE_free($store); -@@ -295,7 +304,7 @@ sub client { - test_wildcard_checks($ctx, $cl) if $task eq 'wildcard_checks'; - last if $task eq 'finish'; # Leaves $cl alive - -- close($cl); -+ close($cl) || die("client close: $!"); - } - - # Tell the server to quit and see that our connection is still up -@@ -307,6 +316,8 @@ sub client { - Net::SSLeay::ssl_write_all($ssl, $end); - Net::SSLeay::shutdown($ssl); - ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination'); -+ Net::SSLeay::free($ssl); -+ close($cl) || die("client final close: $!"); - return; - } - -@@ -348,6 +359,10 @@ sub run_server - if (defined $msg and $msg eq 'end') - { - Net::SSLeay::ssl_write_all($ssl, 'end'); -+ Net::SSLeay::shutdown($ssl); -+ Net::SSLeay::free($ssl); -+ close($cl) || die("server close: $!"); -+ $server->close() || die("server listen socket close: $!"); - exit (0); - } - } -diff --git a/t/local/39_pkcs12.t b/t/local/39_pkcs12.t -index 5c7fb8b..5083331 100644 ---- a/t/local/39_pkcs12.t -+++ b/t/local/39_pkcs12.t -@@ -3,7 +3,7 @@ use lib 'inc'; - use Net::SSLeay; - use Test::Net::SSLeay qw( 
data_file_path initialise_libssl ); - --plan tests => 19; -+plan tests => 17; - - initialise_libssl(); - -@@ -36,12 +36,24 @@ my $filename3 = data_file_path('simple-cert.p12'); - my $ca1_subj_name = Net::SSLeay::X509_get_subject_name($cachain[0]); - my $ca2_subj_name = Net::SSLeay::X509_get_subject_name($cachain[1]); - is(Net::SSLeay::X509_NAME_oneline($subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=simple-cert.net-ssleay.example', "X509_NAME_oneline [2/1]"); -- like(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), qr/C=.*CN=.*/, "X509_NAME_oneline [2/2]"); -- like(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), qr/C=.*CN=.*/, "X509_NAME_oneline [2/3]"); -- SKIP: { -- skip("cert order in CA chain is different in openssl pre-1.0.0", 2) unless Net::SSLeay::SSLeay >= 0x01000000; -- is(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA', "X509_NAME_oneline [2/4]"); -- is(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA', "X509_NAME_oneline [2/5]"); -+ # OpenSSL versions 1.0.0-beta2 to 3.0.0-alpha6 inclusive and all versions of -+ # LibreSSL return the CA certificate chain with the root CA certificate at the -+ # end; all other versions return the certificate chain with the root CA -+ # certificate at the start -+ if ( -+ Net::SSLeay::SSLeay < 0x10000002 -+ || ( -+ Net::SSLeay::SSLeay == 0x30000000 -+ && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) !~ /-alpha[1-6] / -+ ) -+ || Net::SSLeay::SSLeay > 0x30000000 -+ ) { -+ is(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA', "X509_NAME_oneline [2/3]"); -+ is(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA', "X509_NAME_oneline [2/4]"); -+ } -+ else { -+ is(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA', "X509_NAME_oneline [2/3]"); -+ 
is(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA', "X509_NAME_oneline [2/4]"); - } - } - -diff --git a/t/local/40_npn_support.t b/t/local/40_npn_support.t -index e7c9c34..ea2d09b 100644 ---- a/t/local/40_npn_support.t -+++ b/t/local/40_npn_support.t -@@ -58,8 +58,8 @@ my @results; - Net::SSLeay::ssl_write_all($ssl, uc($got)); - Net::SSLeay::free($ssl); - Net::SSLeay::CTX_free($ctx); -- close $ns; -- $server->close(); -+ close($ns) || die("server close: $!"); -+ $server->close() || die("server listen socket close: $!"); - exit; - } - } -@@ -84,7 +84,8 @@ my @results; - - Net::SSLeay::free($ssl1); - Net::SSLeay::CTX_free($ctx1); -- close $s1; -+ close($s1) || die("client close: $!"); -+ $server->close() || die("client listen socket close: $!"); - } - - waitpid $pid, 0; -diff --git a/t/local/41_alpn_support.t b/t/local/41_alpn_support.t -index 052d17d..c3d5aa0 100644 ---- a/t/local/41_alpn_support.t -+++ b/t/local/41_alpn_support.t -@@ -63,8 +63,8 @@ my @results; - Net::SSLeay::ssl_write_all($ssl, uc($got)); - Net::SSLeay::free($ssl); - Net::SSLeay::CTX_free($ctx); -- close $ns; -- $server->close(); -+ close($ns) || die("server close: $!"); -+ $server->close() || die("server listen socket close: $!"); - exit; - } - } -@@ -88,7 +88,8 @@ my @results; - - Net::SSLeay::free($ssl1); - Net::SSLeay::CTX_free($ctx1); -- close $s1; -+ close($s1) || die("client close: $!"); -+ $server->close() || die("client listen socket close: $!"); - } - - waitpid $pid, 0; -diff --git a/t/local/42_info_callback.t b/t/local/42_info_callback.t -index 6f6afdb..8ddcb0c 100644 ---- a/t/local/42_info_callback.t -+++ b/t/local/42_info_callback.t -@@ -36,7 +36,9 @@ my $server = tcp_socket(); - for(1,2) { - last if Net::SSLeay::shutdown($ssl)>0; - } -+ close($cl) || die("server close: $!"); - } -+ $server->close() || die("server listen socket close: $!"); - exit; - } - } -@@ -90,6 +92,8 @@ sub client { - } else { - fail("$where: @states"); - } -+ 
close($cl) || die("client close: $!"); -+ - } - - my $expect = qr{^ -@@ -101,5 +105,6 @@ my $expect = qr{^ - - client('ctx',$expect); - client('ssl',$expect); -+$server->close() || die("client listen socket close: $!"); - waitpid $pid, 0; - -diff --git a/t/local/43_misc_functions.t b/t/local/43_misc_functions.t -index c67df75..09effc8 100644 ---- a/t/local/43_misc_functions.t -+++ b/t/local/43_misc_functions.t -@@ -35,12 +35,19 @@ our %tls_1_2_aead_cipher_to_keyblock_size = ( - 'AES256-GCM-SHA384' => 88, - ); - --our %tls_1_3_aead_cipher_to_keyblock_size = ( -- # Only in TLS 1.3 -- 'TLS_AES_128_GCM_SHA256' => 56, -- 'TLS_AES_256_GCM_SHA384' => 88, -- 'TLS_CHACHA20_POLY1305_SHA256' => 88, -- ); -+# LibreSSL uses different names for the TLSv1.3 ciphersuites: -+our %tls_1_3_aead_cipher_to_keyblock_size = -+ is_libressl() -+ ? ( -+ 'AEAD-AES128-GCM-SHA256' => 56, -+ 'AEAD-AES256-GCM-SHA384' => 88, -+ 'AEAD-CHACHA20-POLY1305-SHA256' => 88, -+ ) -+ : ( -+ 'TLS_AES_128_GCM_SHA256' => 56, -+ 'TLS_AES_256_GCM_SHA384' => 88, -+ 'TLS_CHACHA20_POLY1305_SHA256' => 88, -+ ); - - # Combine the AEAD hashes - our %aead_cipher_to_keyblock_size = (%tls_1_2_aead_cipher_to_keyblock_size, %tls_1_3_aead_cipher_to_keyblock_size); -@@ -48,14 +55,14 @@ our %aead_cipher_to_keyblock_size = (%tls_1_2_aead_cipher_to_keyblock_size, %tls - # Combine the hashes - our %cipher_to_keyblock_size = (%non_aead_cipher_to_keyblock_size, %aead_cipher_to_keyblock_size); - --our %version_str2int = -- ( -- 'SSLv3' => sub {return eval {Net::SSLeay::SSL3_VERSION();}}, -- 'TLSv1' => sub {return eval {Net::SSLeay::TLS1_VERSION();}}, -- 'TLSv1.1' => sub {return eval {Net::SSLeay::TLS1_1_VERSION();}}, -- 'TLSv1.2' => sub {return eval {Net::SSLeay::TLS1_2_VERSION();}}, -- 'TLSv1.3' => sub {return eval {Net::SSLeay::TLS1_3_VERSION();}}, -- ); -+our %version_str2int = ( -+ 'SSLv3' => sub { return eval { Net::SSLeay::SSL3_VERSION(); } }, -+ 'TLSv1' => sub { return eval { Net::SSLeay::TLS1_VERSION(); } }, -+ 'TLSv1.1' 
=> sub { return eval { Net::SSLeay::TLS1_1_VERSION(); } }, -+ 'TLSv1.2' => sub { return eval { Net::SSLeay::TLS1_2_VERSION(); } }, -+ # LibreSSL >= 3.2.0 implements TLSv1.3, but doesn't define TLS1_3_VERSION -+ 'TLSv1.3' => sub { return is_libressl() ? 0x0304 : eval { Net::SSLeay::TLS1_3_VERSION(); } }, -+); - - # Tests that don't need a connection - client_test_ciphersuites(); -@@ -96,6 +103,10 @@ my $server = tcp_socket(); - # Echo back the termination request from client - my $end = Net::SSLeay::read($ssl); - Net::SSLeay::write($ssl, $end); -+ Net::SSLeay::shutdown($ssl); -+ Net::SSLeay::free($ssl); -+ close($cl) || die("server close: $!"); -+ $server->close() || die("server listen socket close: $!"); - exit(0); - } - } -@@ -121,6 +132,10 @@ sub client { - my $end = "end"; - Net::SSLeay::write($ssl, $end); - ok($end eq Net::SSLeay::read($ssl), 'Successful termination'); -+ Net::SSLeay::shutdown($ssl); -+ Net::SSLeay::free($ssl); -+ close($cl) || die("client close: $!"); -+ $server->close() || die("client listen socket close: $!"); - return; - } - -@@ -245,6 +260,17 @@ sub client_test_ciphersuites - - my $ciphersuites = join(':', keys(%tls_1_3_aead_cipher_to_keyblock_size)); - -+ # In OpenSSL 3.0.0 alpha 11 (commit c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9) -+ # SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() were -+ # changed to ignore unknown ciphers -+ my $ret_partially_bad_ciphersuites = 1; -+ if (Net::SSLeay::SSLeay() == 0x30000000) { -+ my $ssleay_version = Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()); -+ $ret_partially_bad_ciphersuites = 0 if ($ssleay_version =~ m/-alpha(\d+)/s) && $1 < 11; -+ } elsif (Net::SSLeay::SSLeay() < 0x30000000) { -+ $ret_partially_bad_ciphersuites = 0; -+ } -+ - my ($ctx, $rv, $ssl); - $ctx = Net::SSLeay::CTX_new(); - $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, $ciphersuites); -@@ -257,7 +283,7 @@ sub client_test_ciphersuites - }; - is($rv, 1, 'CTX set undef ciphersuites'); - $rv = 
Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:' . $ciphersuites); -- is($rv, 0, 'CTX set partially bad ciphersuites'); -+ is($rv, $ret_partially_bad_ciphersuites, 'CTX set partially bad ciphersuites'); - $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:'); - is($rv, 0, 'CTX set bad ciphersuites'); - -@@ -272,7 +298,7 @@ sub client_test_ciphersuites - }; - is($rv, 1, 'SSL set undef ciphersuites'); - $rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:' . $ciphersuites); -- is($rv, 0, 'SSL set partially bad ciphersuites'); -+ is($rv, $ret_partially_bad_ciphersuites, 'SSL set partially bad ciphersuites'); - $rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:'); - is($rv, 0, 'SSL set bad ciphersuites'); - -diff --git a/t/local/44_sess.t b/t/local/44_sess.t -index 36603a0..ce14422 100644 ---- a/t/local/44_sess.t -+++ b/t/local/44_sess.t -@@ -163,6 +163,8 @@ sub server - - $ctx = new_ctx( $proto, $proto ); - -+ Net::SSLeay::CTX_set_security_level($ctx, 0) -+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($proto eq 'TLSv1' || $proto eq 'TLSv1.1'); - Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); - Net::SSLeay::CTX_set_session_cache_mode($ctx, Net::SSLeay::SESS_CACHE_SERVER()); - # Need OP_NO_TICKET to enable server side (Session ID based) resumption. -@@ -212,6 +214,7 @@ sub server - - Net::SSLeay::SESSION_free($sess) unless $ret; # Not cached, undo get1 - Net::SSLeay::free($ssl); -+ close($cl) || die("server close: $!"); - } - - $cl = $server->accept(); -@@ -219,9 +222,8 @@ sub server - print $cl "end\n"; - print $cl unpack( 'H*', Storable::freeze(\%server_stats) ), "\n"; - -- close $cl; -- -- $server->close(); -+ close($cl) || die("server close stats socket: $!"); -+ $server->close() || die("server listen socket close: $!"); - - #use Data::Dumper; print "Server:\n" . 
Dumper(\%server_stats); - exit(0); -@@ -243,6 +245,8 @@ sub client { - - $ctx = new_ctx( $proto, $proto ); - -+ Net::SSLeay::CTX_set_security_level($ctx, 0) -+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($proto eq 'TLSv1' || $proto eq 'TLSv1.1'); - Net::SSLeay::CTX_set_session_cache_mode($ctx, Net::SSLeay::SESS_CACHE_CLIENT()); - Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL()); - Net::SSLeay::CTX_sess_set_new_cb($ctx, sub {client_new_cb(@_, $ctx, $round);}); -@@ -250,7 +254,10 @@ sub client { - $ssl = Net::SSLeay::new($ctx); - - Net::SSLeay::set_fd($ssl, $cl); -- Net::SSLeay::connect($ssl); -+ my $ret = Net::SSLeay::connect($ssl); -+ if ($ret <= 0) { -+ diag("Protocol $proto, connect() returns $ret, Error: ".Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error())); -+ } - my $msg = Net::SSLeay::read($ssl); - #print "server said: $msg\n"; - -@@ -267,6 +274,7 @@ sub client { - - Net::SSLeay::shutdown($ssl); - Net::SSLeay::free($ssl); -+ close($cl) || die("client close: $!"); - } - - $cl = $server->connect(); -@@ -276,7 +284,9 @@ sub client { - # Stats from server - chomp( my $server_stats = <$cl> ); - my $server_stats_ref = Storable::thaw( pack( 'H*', $server_stats ) ); -- close $cl; -+ -+ close($cl) || die("client close stats socket: $!"); -+ $server->close() || die("client listen socket close: $!"); - - test_stats($server_stats_ref, \%client_stats); - -diff --git a/t/local/45_exporter.t b/t/local/45_exporter.t -index 2e3efdb..aaacc7b 100644 ---- a/t/local/45_exporter.t -+++ b/t/local/45_exporter.t -@@ -56,6 +56,8 @@ sub server - - $ctx = new_ctx( $round, $round ); - -+ Net::SSLeay::CTX_set_security_level($ctx, 0) -+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($round eq 'TLSv1' || $round eq 'TLSv1.1'); - Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); - $ssl = Net::SSLeay::new($ctx); - Net::SSLeay::set_fd($ssl, fileno($cl)); -@@ -66,7 +68,9 @@ sub server - - Net::SSLeay::shutdown($ssl); - Net::SSLeay::free($ssl); -+ close($cl) || die("server 
close: $!"); - } -+ $server->close() || die("server listen socket close: $!"); - exit(0); - } - } -@@ -78,9 +82,14 @@ sub client { - my $cl = $server->connect(); - - my $ctx = new_ctx( $round, $round ); -+ Net::SSLeay::CTX_set_security_level($ctx, 0) -+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($round eq 'TLSv1' || $round eq 'TLSv1.1'); - my $ssl = Net::SSLeay::new($ctx); - Net::SSLeay::set_fd( $ssl, $cl ); -- Net::SSLeay::connect($ssl); -+ my $ret = Net::SSLeay::connect($ssl); -+ if ($ret <= 0) { -+ diag("Protocol $round, connect() returns $ret, Error: ".Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error())); -+ } - - my $msg = Net::SSLeay::read($ssl); - -@@ -90,6 +99,7 @@ sub client { - - Net::SSLeay::shutdown($ssl); - Net::SSLeay::free($ssl); -+ close($cl) || die("client close: $!"); - } - else { - SKIP: { -@@ -97,6 +107,7 @@ sub client { - } - } - } -+ $server->close() || die("client listen socket close: $!"); - - return 1; - } -diff --git a/t/local/46_msg_callback.t b/t/local/46_msg_callback.t -new file mode 100644 -index 0000000..587e5a0 ---- /dev/null -+++ b/t/local/46_msg_callback.t -@@ -0,0 +1,114 @@ -+use lib 'inc'; -+ -+use Net::SSLeay; -+use Test::Net::SSLeay qw( -+ can_fork data_file_path initialise_libssl new_ctx tcp_socket -+); -+ -+if (not can_fork()) { -+ plan skip_all => "fork() not supported on this system"; -+} else { -+ plan tests => 10; -+} -+ -+initialise_libssl(); -+ -+my $pid; -+alarm(30); -+END { kill 9,$pid if $pid } -+ -+my $server = tcp_socket(); -+ -+{ -+ # SSL server - just handle single connect and shutdown connection -+ my $cert_pem = data_file_path('simple-cert.cert.pem'); -+ my $key_pem = data_file_path('simple-cert.key.pem'); -+ -+ defined($pid = fork()) or BAIL_OUT("failed to fork: $!"); -+ if ($pid == 0) { -+ for(qw(ctx ssl)) { -+ my $cl = $server->accept(); -+ my $ctx = new_ctx(); -+ Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); -+ my $ssl = Net::SSLeay::new($ctx); -+ Net::SSLeay::set_fd($ssl, fileno($cl)); 
-+ Net::SSLeay::accept($ssl); -+ for(1,2) { -+ last if Net::SSLeay::shutdown($ssl)>0; -+ } -+ close($cl) || die("server close: $!"); -+ } -+ $server->close() || die("server listen socket close: $!"); -+ exit; -+ } -+} -+ -+sub client { -+ my ($where) = @_; -+ # SSL client - connect and shutdown, all the while getting state updates -+ # with info callback -+ -+ my @cb_data; -+ my @states; -+ my $msgcb = sub { -+ my ($write_p,$version,$content_type,$buf,$len,$ssl,$cb_data) = @_; -+ # buffer is of course randomized/timestamped, this is hard to test, so -+ # skip this -+ my $hex_buf = unpack("H*", $buf||''); -+ -+ # version appears to be different running in different test envs that -+ # have a different openssl version, so we skip that too. This isn't a -+ # good test for that, and it's not up to Net::SSLeay to make all -+ # openssl implementations look the same -+ -+ # the 3 things this sub needs to do: -+ # 1. not die -+ # 2. no memory leak -+ # 3. provide information -+ # -+ # The validness of the buffer can be checked, so we use this as a -+ # validation instead. 
This selftest is not here to validate the -+ # protocol and the intricacies of the possible implementation or -+ # version (ssl3 vs tls1 etc) -+ -+ push @states,(defined $buf and length($buf) == $len)||0; -+ -+ # cb_data can act as a check -+ push @cb_data, $cb_data; -+ }; -+ -+ my $cl = $server->connect(); -+ my $ctx = new_ctx(); -+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL); -+ Net::SSLeay::CTX_set_msg_callback($ctx, $msgcb, "CB_DATA") if $where eq 'ctx'; -+ my $ssl = Net::SSLeay::new($ctx); -+ Net::SSLeay::set_fd($ssl, $cl); -+ Net::SSLeay::set_msg_callback($ssl, $msgcb, "CB_DATA") if $where eq 'ssl'; -+ Net::SSLeay::connect($ssl); -+ for(1,2) { -+ last if Net::SSLeay::shutdown($ssl)>0; -+ } -+ close($cl) || die("client close: $!"); -+ -+ ok(scalar(@states) > 1, "at least 2 messages logged: $where"); -+ my $all_ok = 1; -+ $all_ok &= $_ for @states; -+ is($all_ok, 1, "all states are OK: length(buf) = len for $where"); -+ -+ ok(scalar(@cb_data) > 1, "all cb data SV's are OK for $where (at least 2)"); -+ my $all_cb_data_ok = 0; -+ $all_cb_data_ok++ for grep {$_ eq "CB_DATA"} grep {defined} @cb_data; -+ is(scalar(@cb_data), $all_cb_data_ok, "all cb data SV's are OK for $where"); -+ -+ eval { -+ Net::SSLeay::CTX_set_msg_callback($ctx, undef) if $where eq 'ctx'; -+ Net::SSLeay::set_msg_callback($ssl, undef) if $where eq 'ssl'; -+ }; -+ is($@, '', "no error during set_msg_callback() for $where"); -+} -+ -+client('ctx'); -+client('ssl'); -+$server->close() || die("client listen socket close: $!"); -+waitpid $pid, 0; -+ -diff --git a/typemap b/typemap -index 373e711..c0547c6 100644 ---- a/typemap -+++ b/typemap -@@ -81,6 +81,9 @@ cb_ssl_int_int_ret_void * T_PTR - cb_ssl_int_int_ret_RSA * T_PTR - cb_ssl_int_int_ret_DH * T_PTR - perl_filehandle_t T_PERL_IO_HANDLE -+OSSL_LIB_CTX * T_PTR -+OSSL_PROVIDER * T_PTR -+const OSSL_PROVIDER * T_PTR - - INPUT - diff --git a/perl-Net-SSLeay.rpmlintrc b/perl-Net-SSLeay.rpmlintrc index 13aabcb..f9a7d58 100644 
--- a/perl-Net-SSLeay.rpmlintrc +++ b/perl-Net-SSLeay.rpmlintrc @@ -1,4 +1,4 @@ from Config import * -addFilter("spelling-error %description -l en_US http -> "); -addFilter("spelling-error %description -l en_US sslcat -> "); + +# SSL library allows user to set Crypto Policy addFilter("crypto-policy-non-compliance-openssl /usr/lib64/perl5/vendor_perl/auto/Net/SSLeay/SSLeay.so SSL_CTX_set_cipher_list"); diff --git a/perl-Net-SSLeay.spec b/perl-Net-SSLeay.spec index f56f70a..7eb0ce8 100644 --- a/perl-Net-SSLeay.spec +++ b/perl-Net-SSLeay.spec @@ -5,13 +5,12 @@ %endif Name: perl-Net-SSLeay -Version: 1.90 -Release: 7%{?dist} +Version: 1.92 +Release: 1%{?dist} Summary: Perl extension for using OpenSSL License: Artistic 2.0 URL: https://metacpan.org/release/Net-SSLeay Source0: https://cpan.metacpan.org/modules/by-module/Net/Net-SSLeay-%{version}.tar.gz -Patch0: Net-SSLeay-1.90-OpenSSL3.patch Patch10: Net-SSLeay-1.90-pkgconfig.patch # =========== Module Build =========================== BuildRequires: coreutils @@ -85,9 +84,6 @@ so you can write servers or clients for more complicated applications. %prep %setup -q -n Net-SSLeay-%{version} -# Fixes from upstream for OpenSSL 3.0.0 -%patch0 -p1 - # Get libraries to link against from pkg-config # https://github.com/radiator-software/p5-net-ssleay/pull/127 %patch10 
@@ -128,6 +124,38 @@ make test %{_mandir}/man3/Net::SSLeay::Handle.3* %changelog +* Thu Jan 13 2022 Paul Howarth - 1.92-1 +- Update to 1.92 + - Net::SSLeay now supports stable releases of OpenSSL 3.0 + - OpenSSL 3.0.0 introduces the concept of "providers", which contain + cryptographic algorithm implementations; many outdated, deprecated + and/or insecure algorithms have been moved to the "legacy" provider, + which may need to be loaded explicitly in order to use them with + Net::SSLeay (see "Low level API: OSSL_LIB_CTX and OSSL_PROVIDER + related functions" in the Net::SSLeay module documentation for details) + - Net::SSLeay's built-in PEM_get_string_PrivateKey() function depends on + algorithms that have moved to the legacy provider described above; if + OpenSSL has been compiled without the legacy provider, the tests + t/local/33_x509_create_cert.t and t/local/63_ec_key_generate_key.t will + fail when the test suite is run + - TLS 1.1 and below may only be used at security level 0 as of OpenSSL + 3.0.0; if a minimum required security level is imposed (e.g. 
in an + OpenSSL configuration file managed by the operating system), the tests + t/local/44_sess.t and t/local/45_exporter.t will fail when the test + suite is run + - Net::SSLeay now supports stable releases of LibreSSL from the 3.2-3.4 + series (with the exception of 3.2.2 and 3.2.3 - see "COMPATIBILITY" in + the Net::SSLeay module documentation for details) + - The TLS 1.3 implementation in LibreSSL 3.1-3.3, parts of which are + enabled by default, is not fully compatible with the libssl API and may + not function as expected with Net::SSLeay; see "KNOWN BUGS AND CAVEATS" + in the Net::SSLeay module documentation for details + - A number of new libcrypto/libssl constants and functions are now exposed, + including SSL_CTX_set_keylog_callback() and SSL_CTX_set_msg_callback(), + which are helpful when debugging TLS handshakes; see the release notes + for the 1.91 developer releases (in the Changes file) for a full list of + newly-exposed constants and functions + * Tue Oct 5 2021 Paul Howarth - 1.90-7 - Fixes for OpenSSL 3.0.0 are now entirely from upstream diff --git a/sources b/sources index 7328f1a..9bb0820 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (Net-SSLeay-1.90.tar.gz) = 8a5f251b5ef1d8c2d619d984594a7a22ddeed2e5e726fe683a45f299d7878f4ca8ffab00480ebf5ef7a94ae1fcf6be05dfdaa68b8bfe2ad68443150765adb891 +SHA512 (Net-SSLeay-1.92.tar.gz) = e9d9161ebeb7be90f4c7a0ea98f1034892ce6d33aa72872683177b19daa1f4c5819f85ea9a052a076ec8d7c21705f6c344aef64680bc881bf3218d38e8b7b173
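Review bot: deleting Net-SSLeay-1.90-OpenSSL3.patch also drops its t/local/45_exporter.t change that calls Net::SSLeay::CTX_set_security_level($ctx, 0) for the TLSv1 and TLSv1.1 rounds when Net::SSLeay::SSLeay() >= 0x30000000, along with the new t/local/46_msg_callback.t and the OSSL_LIB_CTX / OSSL_PROVIDER typemap entries. Nothing in this commit shows that the 1.92 tarball contains equivalents, so please confirm that against the unpacked 1.92 sources before merging and say so in the commit message. The existing 1.90-7 changelog line ("Fixes for OpenSSL 3.0.0 are now entirely from upstream") describes where the patch came from, not what 1.92 ships.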
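Review bot: in perl-Net-SSLeay.rpmlintrc, the new crypto-policy-non-compliance-openssl filter hard-codes /usr/lib64/perl5/vendor_perl/auto/Net/SSLeay/SSLeay.so, so it only silences the warning on builds that install the module under /usr/lib64. addFilter takes a regular expression, so consider /usr/lib(64)?/perl5/vendor_perl/auto/Net/SSLeay/SSLeay\.so, or match on the SSLeay.so file name alone. The comment "SSL library allows user to set Crypto Policy" would also help more if it said why exempting SSL_CTX_set_cipher_list is acceptable for this package. The same hunk drops the two spelling-error filters for "http" and "sslcat"; please confirm rpmlint no longer reports them against the 1.92 %description.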
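Review bot: the new %changelog entry in perl-Net-SSLeay.spec says t/local/44_sess.t and t/local/45_exporter.t fail when the system OpenSSL configuration imposes a minimum security level, and that t/local/33_x509_create_cert.t and t/local/63_ec_key_generate_key.t fail without the legacy provider. The spec still runs "make test" (visible in the hunk context) and the visible hunks add no comment or guard next to it. Please add a short comment near the test invocation stating which of these conditions hold in the build root, so that a later failure of those four tests can be traced to the OpenSSL configuration rather than to the package. Separately, Patch10 is still Net-SSLeay-1.90-pkgconfig.patch and %patch10 is kept; confirm it applies to 1.92 without fuzz, or rename and refresh it.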
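Review bot: the sources hunk replaces the SHA512 for Net-SSLeay-1.92.tar.gz, and that value is the only integrity check on the tarball named in Source0. The commit does not say how it was obtained. Please confirm it was computed from the file fetched from the Source0 URL and compared against the checksum the upstream distribution publishes, and note that in the review.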