--- modules/ssl/ssl_util_stapling.c.orig 2017-06-20 20:02:47.000000000 -0700 +++ modules/ssl/ssl_util_stapling.c 2017-06-20 20:04:50.000000000 -0700 @@ -91,7 +91,7 @@ for (i = 0; i < sk_X509_num(extra_certs); i++) { issuer = sk_X509_value(extra_certs, i); if (X509_check_issued(issuer, x) == X509_V_OK) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); #else X509_up_ref(issuer); --- modules/ssl/ssl_engine_init.c.orig 2017-09-08 05:20:16.000000000 -0700 +++ modules/ssl/ssl_engine_init.c 2018-01-16 16:54:57.000000000 -0800 @@ -541,7 +544,7 @@ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, "Creating new SSL context (protocols: %s)", cp); -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #ifndef OPENSSL_NO_SSL3 if (protocol == SSL_PROTOCOL_SSLV3) { method = mctx->pkp ? @@ -583,7 +586,11 @@ SSL_CTX_set_options(ctx, SSL_OP_ALL); -#if OPENSSL_VERSION_NUMBER < 0x10100000L + if (sc->allow_empty_fragments) { + SSL_CTX_clear_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); + } + +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* always disable SSLv2, as per RFC 6176 */ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); @@ -607,7 +614,7 @@ } #endif -#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ +#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */ /* We first determine the maximum protocol version we should provide */ if (protocol & SSL_PROTOCOL_TLSV1_2) { prot = TLS1_2_VERSION; @@ -642,7 +649,7 @@ } #endif SSL_CTX_set_min_proto_version(ctx, prot); -#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE if (sc->cipher_server_pref == TRUE) { --- modules/ssl/ssl_engine_kernel.c.orig 2017-05-02 11:01:17 UTC +++ modules/ssl/ssl_engine_kernel.c @@ -2455,7 +2455,7 @@ SRP_user_pwd *u; if (username == NULL -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) { #else || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) { --- modules/ssl/ssl_engine_vars.c.orig 2017-03-20 12:01:16 UTC +++ modules/ssl/ssl_engine_vars.c @@ -541,7 +541,7 @@ resdup = FALSE; } else if (strcEQ(var, "A_KEY")) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm)); #else ASN1_OBJECT *paobj;