                       _             _ 
   _ __ ___   ___   __| |    ___ ___| |  
  | '_ ` _ \ / _ \ / _` |   / __/ __| |  
  | | | | | | (_) | (_| |   \__ \__ \ |  mod_ssl - Apache Interface to SSLeay  
  |_| |_| |_|\___/ \__,_|___|___/___/_|  http://www.engelschall.com/sw/mod_ssl/
                       |_____|         
  _____________________________________________________________________________


  ChangeLog
  ---------

  Changes with mod_ssl 2.0.12 (23-Sep-1998 to 02-Oct-1998)

   *) Cleaned up gcache stuff again and fixed a few problematic things 
      by adding extra runtime checks. Now gcache should no longer dump core.
      At least I've now found no more bug...

   *) Changed gcache communication from TCP-sockets to Unix domain 
      sockets in default configuration (httpd.conf-dist), because
      this is more reliable and safe.

   *) Incorporated reasonable change from Apache-SSL 1.25:
      Allow up to three retries at the pass phrase prompt.  
     
      [The other main change in Apache-SSL 1.25 (the client cert export via
      env variables) is intentionally not overtaken for mod_ssl because of
      three reasons: 1. it's a too large patch which is not acceptable for the
      stable mod_ssl 2.0 branch; 2. it still has some flaws Ben is still
      fixing for 1.26; 3. I'm still not convinced that providing complete
      Base64 encoded certs (greated than 1KB) via a set of environment
      variables is really reasonable (because of performance and system
      resource limits). Instead I'm still seeking for a real on-demand
      solution, but for mod_ssl 2.1, of course.]

   *) Backport from 2.1 branch: 
      Added a --force option to mod_ssl's configure script to let developers
      apply mod_ssl also to different Apache versions (especially 1.3.x-dev
      versions).

   *) Fixed portability problems with prop.sh aux script.

   *) Fixed gcache expiring: A static variable was not initialized.

   *) Fixed a few inconsistencies in the mod_ssl.html document.

   *) Fixed RSAref installation instructions in INSTALL file and a little big
      in libssl.module which caused problems for RSAref installations, too.

   *) Fixed mod_perl part in INSTALL file.

   *) Changed some Apache-SSL wordings in mod_ssl.html on request
      by Ben Laurie.

  Changes with mod_ssl 2.0.11 (17-Sep-1998 to 23-Sep-1998)

   *) Upgrade from Apache 1.3.1 to Apache 1.3.2

   *) Back-port from 2.1: 
      Enhanced the ssl.crt/Makefile: now <hash>.N extensions are
      created when conflicts occur and not only <hash>.0 

   *) Changed HTTPS support in mod_proxy: the ap_proxy_http_handler() function
      is (illegally because of DSO, of course) called used by third-party
      modules (like Apache::Proxy). So make make sure we don't change the
      signature of this function.

   *) Added answer to FAQ `Why is client auth broken after upgrading from
      SSLeay 0.8 to 0.9'. Because of the changed hash algorithm used for the
      symlinks.

   *) Now when `make certificate TYPE=custom' is used the generated
      ca.crt/ca.key files are installed, too.
   
   *) Make sure mkcert.sh removes temporary files after work.

   *) Enhanced the INSTALL file: Now an example section describes the
      installation with mod_perl and PHP3. Beside this some bugs were fixed
      and some more NOTEs were added.
  
  Changes with mod_ssl 2.0.10 (13-Sep-1998 to 17-Sep-1998)

   *) Temporarily added a fix from 1.3.2-dev for APACI's configure script to
      allow the `Group' directive to be adjusted correctly even under Linux
      boxes. Without this Linux users always have to fix the `Group' directive
      manually which is nasty.

   *) Added checks to APACI to automatically disable DSO for mod_proxy and
      mod_log_config when SSL is used (because they have to be built against
      SSLeay which is not supported in Apache 1.3.1). But we allow the user to
      explicitly use --enable-shared=.., but then at least he gets a warning.
      This way we protect the average user but don't hurt the experts.
      Especially with Apache 1.3.2 the experts want to use
      --enable-rule=SHARED_CHAIN for linking the DSO's against SSLeay.

   *) Make the SSL_HOOK_SetupConnection a little bit more robust. 

   *) Avoid confusing "unable to load 'random state'" messages
      from `ssleay genrsa' command.

   *) Renamed `aux' directory to `etc' because `aux' is a special name under
      Windows filesystems (and people at least wanted to extract the stuff
      under windows).

   *) Fix top-level Makefile.tmpl: replace `make' with `$(MAKE)'
      and grep out SSL_PROGRAM variable from src/Makefile.config directly
      (instead of running a subtarget) to avoid problems with Make output
      messages. This especially fixed the `make install' problems under Linux
      platforms (where GNU Make is used which gives nasty messages).

   *) Update INSTALL file: Use apachectl and add hint to 
      the Apache general error logfile.

   *) Allow ServerRoot relative path for SSLCertificateFile.

  Changes with mod_ssl 2.0.9 (12-Sep-1998 to 13-Sep-1998)

   *) Portability fixes: The ssl.crt/Makefile didn't work on
      all platforms because of braindead shells and the mkcert.sh script
      failed to use /dev/random because this device doesn't work as expected
      on some platforms.

  Changes with mod_ssl 2.0.8 (09-Sep-1998 to 12-Sep-1998)

   *) Make the whole build process (including `make certificate')
      independent of any installed ssleay.cnf file (some systems have it in
      non-standard locations and we don't need it any longer at all).

   *) Added Thawte's Strong Extranet module (mod_sxnet.c) to
      the ssl.contrib area. This module can be used together
      with mod_ssl.

   *) Fixed hash symlink generation under `make certificate'
      and `make install' for the cases where `ssleay' is not in $PATH.

   *) Fixed INSTALL document: rsaref.a has to be copied to librsaref.a

   *) Added more information to the mod_ssl.html file about the
      SSLCACertificateFile: It's also used implicitly for the "SSLv3 write
      certificate request A" where it's contents is sent to the client to
      enable him to verify a possible issuer chain on the server certificate.

   *) Fixed a few bugs in the new mkcert.sh script, enhanced it's
      dialogs and added a lot error checks.

  Changes with mod_ssl 2.0.7 (29-Aug-1998 to 09-Sep-1998)
   
   *) Changed the <VirtualHost> example in the conf/httpd.conf-dist
      file so it now uses _default_ instead of the server name. This is more
      portable and totally sufficient for our default configuration where
      only one virtual host is present.

   *) Backport from 2.1b branch: Now the mod_ssl `configure' script creates a
      `config.status' script as APACI does. This can be used for
      re-configuring mod_ssl the same way one does it for Apache.

   *) Backport from 2.1b branch: Added the first cut of HTTPS support for the
      proxy module. This is currently done by making the generic HTTP handler
      SSL-aware. But it still doesn't provide support for client or server
      authentication nor does it provide a way to configure it. Later we'll
      add perhaps SSLProxyXXXXX directives to allow the users to configure the
      SSL client inside the proxy.  But beside this it's full functional. One
      can use it for proxying https://xxx URLs and also use `ProxyPass
      https://xxxx'. (the sources of SSLeay's s_client and cURL were my
      friends ;-)

   *) In order to
      - reduce the confusion with sslcerts/server.pem and sslkeys/server.pem
      - provide less-problematic non-self-signed certificates on `make certificate'
      - prepare for mod_ssl 2.1 and the forthcoming client auth & CA scripts 
      the following cleanups were done:

      1. The files for the SSL certificate system are now stored in the
         following thee subdirs of the configuration directory:
         ssl.crt/ ...... contains the X.509 certificate(s)
         ssl.csr/ ...... contains the X.509 certificate signing requests(s)
         ssl.key/ ...... contains the RSA private key(s)
         Each directory contains a README file which describes the purpose and
         the contents.

      2. A ssl.crt/snakeoil.crt and ssl.key/snakeoil.key demo CA certificate
         and key is distributed with mod_ssl which is used to sign the test
         certificates the `make certificate' target creates.  This avoids the
         problems with MSIE users because MSIE doesn't like self-signed
         server-certificates very well.

      3. A ssl.crt/ca-bundle.crt is now installed (but not enabled!) which
         contains all 33 CA root certificates of known public CAs.  They were
         extracted from Netscape Communicator 4.06 with my certbundle stuff.

      4. The `make certificate' command now can create four types
         of certificate setups:
         $ make certificate TYPE=dummy    (dummy self-signed Snake Oil cert)
         $ make certificate TYPE=test     (test cert signed by Snake Oil CA)
         $ make certificate TYPE=custom   (custom cert signed by own CA)
         $ make certificate TYPE=official (existing official cert)
                CRT=/path/to/your.crt
                [KEY=/path/to/your.key]
         The default is TYPE=test which is equivalent to the old `make
         certificate' with the exception that now the generated certificate is
         no longer a self-signed one.  This overview text is also now
         displayed under built-time.  When KEY is missing it is assumed that
         it's present in the file from CRT and is extracted from there.

      5. For consistency with 4.) the mod_ssl configure script now
         uses --with-crt=FILE and --with-key=FILE options. When
         --with-key is missing it is assumed that it's present in
         the file from --with-crt and is extracted from there.

   *) Removed unnecessary DEBUG_XXXX stuff which gets replaced in
      mod_ssl 2.1b with ssl_log().

   *) Backport from 2.1b branch: Now on `make certificate' the hash symlinks
      in conf/sslcerts/ are generated via the provided Makefile instead of
      directly linking (which fails under some platforms).

   *) Backport from 2.1b branch: The top-level APACI Makefile now gives a hint
      for `apachectl start-SSL' (which internally uses the `httpd -DSSL'
      command).

   *) Backport from 2.1b branch: Replaced old kludges in mod_log_config.c
      to determine SSL protocol name with the clean SSL_get_version() which
      already exists in SSLeay 0.8 and 0.9.  And removed a few unneccessary
      local buffer usages in the mod_ssl-related code in mod_log_config.c.

   *) Merge in changes from Apache-SSL 1.23 to 1.24: Cache private keys over
      init rounds and restarts. This means you now can use enrypted private
      key files (where pass phrases are needed to read them in) and both
      survive the terminal detachment and the restart rounds of Apache. This
      is achieved by using an own permanent memory pool which survives server
      restarts and holds the private key files. Remember that this is _not_ a
      backported full-featured pass phrase handling from mod_ssl 2.1b.
      Instead it's exactly the easier handling from Apache-SSL 1.24. Because
      the mod_ssl 2.1b pass phrase handling is too complex to be backported to
      the 2.0 branch. At least it could lead to side-effects in 2.0 which I
      want to avoid.

   *) Fixed some pre-processor and variable declaration inconsitencies 
      which forced portability problems under some non-GCC compilers.

   *) Minor correction to the README, SUPPORT, etc. files.

  Changes with mod_ssl 2.0.6 (25-Aug-1998 to 29-Aug-1998)

   *) Added RSAref support for the US-citizens: mod_ssl now automatically
      recognizes an SSLeay compiled with -DRSAref, automatically finds
      libRSAglue and librsaref.a or rsaref.a.  Additionally beside SSL_BASE
      now the variable RSA_BASE can be used to select a particular RSAref
      source tree (if not installed under system locations). This way mod_ssl
      provides out-of-the-box support for SSLeay+RSAref.

   *) Back-port from 2.1: Replaced assert()ions with non-process-terminating
      runtime checks and removed some unnecessary debugging stuff. 

   *) Back-port from 2.1: Finally fixed the SSL connection deallocation and
      removed the old FREE_SESSION stuff by back-porting the change from the
      2.1 track.

   *) Added PGP public key as ssl.contrib/rse.pgp to the distribution 
      so people can use it on forthcoming releases to verify the tarballs
      signature.

   *) Taken over a change between Apache-SSL 1.22 and 1.23: Move the call for
      launching the gcache program to a later point in processing.

   *) Back-port from 2.1: Removed ERR_load_crypto_strings() call because it's
      already contained in SSL_load_error_string() from SSLeay 0.8 and 0.9.

  Changes with mod_ssl 2.0.5

   *) Fix per-server configuration structure merging.

   *) Added support for reliable piped logs to SSLLogFile directive which can
      be used to plug-in a filter program which receives the logfile entries.

   *) Removed per-server check for valid SSLVerifyClient argument because in
      mod_ssl it's no longer possible that an invalid argument can exit under
      run-time because the argument is already validated under config-time.

   *) Removed DEBUG_SSLEAY stuff from Apache-SSL because SSL_debug() does no
      longer exist in SSLeay 0.9.x.

   *) Added one more digit at the MOD_SSL define value to indicate beta or
      release versions. The scheme now is the following (only important when
      one has to check against the version of an SSL-aware Apache from within
      an own module): <version>.<revision><type><level> where <version>,
      <revision> and <level> are numbers between 0 and 99 while <type> is
      either `b' (for beta versions) or `.' (for release versions). From
      this the MOD_SSL define is created similar to this command:

          sprintf("%d%02d%c%02d", <version>, <revision>, 
                                  <type> == `b' ? 0 : 1, <level>);

      As an example: the beta version 2.1b3 has MOD_SSL=201003 while
      the release version 2.1.4 has MOD_SSL=201104.

   *) Fixed typos in mod_ssl.html document.

   *) Fixed typos in mod_ssl.c source.

   *) Created two buttons similar to the existing "Includes SSLeay
      encryption software" button: One for Apache ("Powered by Apache
      Webserver Software") and one for mod_ssl ("Secured by mod_ssl
      Interface"). These are now put on the default frontdoor webpage at
      install time.

   *) Removed half done DSO-related stuff from Apache-SSL because it's
      useless.  Why? Because mod_ssl currently _cannot_ be build as a DSO,
      because:

      1. Because SSLeay is directly called from within Apache's buffer code
         (SSL_write/SSL_read) because the Apache API lacks a hook for this.
         But direct calls from the core to modules and libraries is tabu under
         DSO situation.

      2. Because mod_ssl is directly called from within Apache's main loop
         for setting up the SSL protocol after the socket connection was
         established because the Apache API lacks a hook for this.  But
         direct calls from the core to modules and libraries is tabu under
         DSO situation.

      3. Because the pass-phrase dialog can be done only before Apache
         detaches from the terminal. But the general order is this:

           a) ap_read_config (where LoadModule is done)
           b) ap_init_modules (where mod_ssl can do the pass-phrase dialog)
           c) detaching
           d) ap_read_config (where DSOs are unloaded and reloaded)
           e) ap_init_modules (where mod_ssl no longer can do the dialog)

         When mod_ssl is not a DSO it can do the pass-phrase dialog in step
         b), but when it's a DSO (assuming 1. and 2. are already solved) then
         it cannot preserve information between b) and e) because it is
         unloaded in the meantime.

      So, for DSO the Apache kernel has to be bloated up with some more
      features. Currently I want to avoid this because DSO is still not not
      really worth the effort (there are other things which can be improved in
      mod_ssl first). 

  Changes with mod_ssl 2.0.4

   *) Added VERSIONS file to the distribution which contains the
      release date and version numbers for reference.

   *) Make sure the server.pem certificate files in sysconfdir/sslcerts/ is
      not overridden on APACI re-installs. Now a message simular to other
      existing APACI messages informs the user that his certificates are
      preserved.

   *) Added support for SSL_BASE=SYSTEM which means that SSLeay header files,
      libraries, configuration and binary files were not searched under a
      single SSL_BASE root. Instead they are searched inside the common system
      directories like /etc/, /usr/etc, /lib, /usr/lib, /usr/local/lib,
      /usr/include, etc. pp.

   *) Replaced even more old Apache-SSL relicts to make mod_ssl really secure,
      stable and robust: sprintf -> ap_snprinf, srcpy -> ap_cpystrn, fopen ->
      ap_pfopen. 

   *) Added U.S. export law information to SUPPORT file to make sure
      mailing list users inside the United States remember the U.S. export law.

  Changes with mod_ssl 2.0.3

   *) Fixed a view ap_log_error() calls where APLOG_NOERRNO was missing.

   *) For better compatibility with Stronghold and because it is really more
      intuitive we now also provide the CustomLog directives %{subjectdn}c and
      %{issuerdn}c: The (more intuitive) %{subjectdn}c replaced the (confusing)
      %{clientcert}c directive (although %{clientcert}c is still accepted as an
      alias).  And the %{issuerdn}c was added (with the alias %{cacert}c :-( ).
      This way custom logfiles now can contain the certificate issuer as well.

   *) For better configuration sharing with Stronghold (which uses
      the name mod_ssl.c for its module, too) mod_ssl now defines not only the
      C Pre-Processor define MOD_SSL, it now also pre-defines the Apache
      configuration define MOD_SSL. This now can be used with <IfDefine
      MOD_SSL>..</IfDefine> sections without the need to startup Apache
      explicitly with an -DSSL or -DMOD_SSL option. 
   
   *) ANSI C doesn't allow one to forward declare an array variable without
      specifying the actual array size. GCC didn't complain, but other vendor
      compilers (like /bin/cc under IRIX) do. This is now fixed by re-ordering
      the definitions in the code to make the forward declaration not
      necessary. 

   *) Let APACI adjust the port 443 to 8443 when installing under a non-root
      UID similar to what Apache already does with adjusting port 80 to 8080.

   *) Fix patch tool location for the situation where the user
      has to compile manually the stuff because of platforms errors.

   *) Incorporated changes from Apache-SSL 1.20 to 1.21:
      Was only a single register_cleanup -> ap_register_cleanup rename,
      because all other changes were either already in mod_ssl or will be done
      totally different with the next mod_ssl changes (for instance the
      logging stuff which gets replaced by a more improved version the next
      days - because Ben's idea to now log anything to Apache's error_log
      sounds not reasonable to me).

   *) Fixed variable arg usage in logging functions: va_end was missing.

  Changes with mod_ssl 2.0.2

   *) Make egrep arguments more safe because they failed under
      Solaris and other platforms. 

   *) Replaced basename() and dirname() functions in aux/patch/backupfile.c
      to avoid conflicts with glibc2's versions of these functions.

   *) Removed ssl.contrib/ssleay.diff because it was only needed
      for the temporary broken SSLeay 0.9.0b which was staying around on the
      net. 

   *) Now the sslcerts dir is created with permissions 755 and sslkeys 
      with 700 for security reasons.

   *) Now the FAQ inside the mod_ssl.html document has corresponding ToC
      entries. Additionally now the question "What is different between mod_ssl
      and Apache-SSL" is tried to be answered.  And a few hints were added on how
      to check HTTPS manually.

   *) Make the building of the 'patch' tool more robust by checking for
      success and providing a log of the failure. Additionally in case of
      problems the user now can use a --with-patch option to force the usage
      of a vendor patch program.

   *) Cleaned up the gcache stuff even more: reduced #includes
      to minimum and moved some stuff to the header file.

   *) Cleaned up the httpd.conf-dist entries for SSL.

   *) Cleanup mod_log_config.c patch and fixed %{version}c construct:
      It now says "SSLX" even under SSLeay 0.8.0.

   *) Misc. doc ajdustments: Fixed a few comment typos in apache.patch file;
      Added Announcement text as ANNOUNCE file to distribution; Fixed
      hyperlinks in mod_ssl.html document and added more useful hyperlinks to
      the README file.

   *) Replaced a lot of C constructs into shorthand defines to
      make the code even more readable and reviewable: 
      o ``strcmp ... == 0'' -> ``strEQ''
      o ``\0'' -> ``NUL''
      o ``ap_get_module_config(...)'' -> ``myXXConfig''
      o ``ap_overlay_tables'' -> ``cfgMergeTable''

   *) Fixed dependencies in src/modules/ssl/Makefile.tmpl

   *) Add Ben Laurie's copyright message to gcache sources, even when Ben
      missed it here. It's from Ben, so his copyright applies and credit has
      to be given. 

  Changes with mod_ssl 2.0.1

   *) Minor documentation updates.

   *) Now the ssl.patch/apache.diff file is named ssl.patch/apache.patch
      and contains descriptive annotations for each patches file. This way
      even the patches are easier reviewable.
 
   *) The configure patch was not 100% correct: The SSL has not to be
      disabled for --enable-module=most (where it should be enabled, of
      course). Instead it has to be disabled automatically for
      --enable-shared=max.
  
  Changes with mod_ssl 2.0.0
  
   *) Added "SSL library type" message to the configuration process
      to inform the user how we recognized the SSLeay location.
 
   *) Added support for conf/sslkeys/ directory both to configure
      script, Makefile.tmpl and default config files. Additionally now on
      "make install" the hash symlinks are created and a dummy server cert
      file is skipped.
 
   *) Fixed prop.sh script.
 
   *) Cleaned up mod_ssl.html document for release.
 
   *) Cleaned up the README file and added a situation report
      about the author conflict with Ben.
 
   *) Incorporated changes from Apache-SSL 1.19 to 1.20:
      - Do a cleanup before starting gcache.
      - Make gcache die when httpd dies. 
        This failing in previous versions appears to be a bug in Apache. 
      - Document the biz with passphrases and sleep.
      - Do Apache-SSL on inetd connections.
      ALL OTHER CHANGES BETWEEN APACHE-SSL 1.19 AND 1.20 WERE ALREADY DONE
      FOR MOD_SSL IN THE PAST BY Ralf S. Engelschall. Because it seems Ben
      just has drawn level Apache-SSL with the mod_ssl pre-release I sent to
      him last week.  Hmmmm...
 
   *) Minor cleanups to README and mod_ssl.html file.
 
   *) Now create the CHANGES.SSL in <apache>/src/ instead in <apache>/.
 
   *) Moved patch to a subdir aux/patch/ and added prop.sh for
      a visual process indicator while building the aux tools.
 
   *) Slightly fixed the configure scripts messages
 
   *) Added support for checking the Apache version: Now mod_ssl can
      only be applied to the correct matching Apache source tree.
 
   *) Added configurable support for mod_ssl version strings: Now
      a libssl.version file is created inside src/modules/ssl/ which holds
      the mod_ssl version. From this the libssl.module script creates a
      MOD_SSL_VERSION define holding the value as a string ("X.Y.Z") and a
      MOD_SSL define holding the value with a zero-spaced numerical value
      (XYYZZ). This way the mod_ssl received the string for the Server field
      and other modules can check against certain mod_ssl versions via #ifdef
      or more granular via #if MOD_SSL >= 20000 or whatever.
    
   *) Added support for named to SSLVerifyClient directive: Now the ogly
      numerical levels 0-2 are still valid but can be replaced by better
      readable names: "none", "optional", "require" and "optional_no_ca".
 
   *) Added Makefile for conf/sslcerts/ directory to keep <hash>.0 
      symlinks up-to-date.
 
   *) Translated the FAQ into HTML format and appended it to mod_ssl.html.
      Additionally I created a ca.sign script and a Makefile for sslcert/ in
      relation to the FAQ.
 
   *) Enhanced the logfile support: First I've converted nasty
      fprintf(stderr,..) to ap_log_error() variants. Second I've moved the
      fprintf(pConfig->fileLogfile,...) to ssl_log_own(pConfig,...) calls.
      And third error messages are now consistently prefixed with "mod_ssl:"
      and "SSLeay:" - dependend from which an error comes. And forth I've
      added the word "SSL" to a lot of messages to indicate that the
      SSL-relationship.  Additionally I removed doubled ERR_print_xxx calls.
  
   *) Cleanup up namespace by added lots of `static's, so only the
      module structure and the SSL_HOOK_xxx symbols are now exported.
 
   *) Fixed up Apache API structures for Apache 1.3: added MODULE_VAR_EXPORT
      for consistency and missing module structure dispatch pointers.
       
   *) Completely renamed the functions to use common prefixes which
      indicate their relationship and ordered the functions according to this
      relationship. Additionally a complete list of prototypes is now
      provided in mod_ssl.h. The order of functions now reflects the logical
      order when one wants to review the module: 1. API structures, 2. config
      handing, 3.  directive handling, 4. init functions, 5. API hooks, 6.
      internals, 7.  caching support, 8. logfile support and 9. utility
      functions.  Additionally I cleanup up the namespace of global data
      symbols: They now all have the prefix "_g": bFirstTime -> g_bFirstTime,
      szCacheServerPort -> g_szCacheServerPort, szCacheServerPath ->
      g_szCacheServerPath, s_pServer -> g_pServer.

   *) Now all stuff for SSLEay < 0.8.0 is removed because an #error was
      already given and there is now real need to support these versions any
      longer. As a consequence we now also could remove the CACHE_SESSIONS
      #ifdef mess because  this was enabled for >= 0.8.0 since a long time.

   *) Cleaned up the mess inside ap_config.h where TRUE, FALSE and BOOL
      where globally defined even when they were only used my mod_ssl.  Now
      all stuff mod_ssl needs is inside mod_ssl.h and not spread over the
      Apache sources without need. I've also cleaned up the "uchar"
      definition because this was defined only by coincidence. I've also
      replaced ugly return 0's with return FALSE and -1 by UNSET when the
      context was the one for UNSET (like for VerifyType). Additionally I
      replaced some incorrect declarations (extern uid_t ap_user_id) by
      including the correct header file (http_config_globals.h). In the same
      spirit for cleaness I've replaced the numerical filedescriptor numbers
      by the STDXX_FILENO aliases.

   *) Fixed a nasty bug: When a startup error occured an exit() was done.
      But an already started ssl_gcache program was not terminated because
      the exit() doesn't give Apache a chance to cleanup the pools (where the
      program is registered). Fixed by adding a bunch of ap_clear_pool()
      calls before the exit() calls. Additionally some more missing exit()'s
      were added to config checks. And last but not least a termination
      message is now created by ssl_gcache when it is terminated so one now
      see both the start and the termination of ssl_gcache program in the
      logfiles.
 
   *) Replaced various sprintf()'s by the more safe and correct ap_snprintf()
      variants. Same for fopen() and ap_pfopen() and other such functions.
 
   *) Prefixed all SSLeay function calls with __SSLeay to mark them
      for reviewing. I'm still not happy with this long and ugly reading
      prefix but need to use an initial one which doesn't conflict.
      Additionally I've then grep'ed out all __SSLeay prefixed symbols,
      sorted them by group and inserted them into a README which can help
      identifiying the used SSLeay API functions. The whole intent is
      just to make reviewing of the code more easier, because this is
      really important for security related sources.

   *) A lot of various minor cleanups and fixes: For instance I've corrected the
      directive descriptions, added some descriptive source comments, etc.
      Really to much of these minor cleanups to write them down, sorry.
 
   *) Added an FAQ file, assembled from some information found
      on www.apache-ssl.org

   *) Incorporated the changes between Apache-SSL 1.18-1.19
 
   *) Added back support for the old Apache 1.2 way of configuring and
      building by placing the SSL_BASE into src/Configuration.tmpl and
      providing steps in INSTALL, too.

   *) Added a complete Apache-style mod_ssl.html document which describes all
      mod_ssl directives in detail. I've also painted a nice mod_ssl logo out
      of the old mod_rewrite logo parts and a safety lock which secures the
      feather. The SSLeay logo is also part of the document to give credit.

   *) Added a `configure' frontend script for easy applying the mod_ssl
      source extension and patches to the Apache source tree. It also can
      replace APACI's configure script by running it in the background.
      Additionally a slightly changed GNU patch 2.1 tool is distributed under
      aux/ subdir to make sure the source patching works reliable because
      newer patches have problems with the apache.diff file and some systems
      have no "patch" at all.

   *) Split definitions from mod_ssl.c into own mod_ssl.h and converted all
      source files to the Apache coding styles to be consistent with the
      officially distributed Apache sources.
 
   *) Generation of a certificate is supported via top-level "make
      certificate" which correctly finds SSLeay both when SSLeay tree is the
      source tree or the installed tree.
 
   *) Added SSLNeedsSSL to config files and cleaned up the
      SSL-related stuff at the end of httpd.conf-dist.

   *) Out-of-the-box installation for a SSL-aware Apache is provided by
      automatically installing the certificate and the ssl_gcache program.
      Additionally the SSL-related directives in the extended httpd.conf file
      is adjusted, so one immediately can fire up an SSL-aware httpd.

   *) The name of the binary is now again "httpd" instead of the "httpsd"
      because "httpsd" reads ugly and confuses APACI. And there is no real
      need to distinguish between them, because one still can compile a
      standard Apache even after mod_ssl was applied to the Apache source
      tree. Or why isn't everybody using httppd just because mod_perl is
      built in? Bingo!
 
   *) Added Apache 1.3 Autoconf-style Interface (APACI) support to
      automatically enable the SSL module via --enable-module=ssl.  This also
      triggers the MOD_PERL define, so without this APACI option you still
      can build a standard Apache.

   *) Use the official Apache 1.3 way of adding strings to the
      HTTP Server header: via ap_add_version_component() instead of patching
      the defines in httpd.h.  Additionally it now creates a header like
      ``Server: Apache/1.3.1-dev (Unix) mod_ssl/2.0.0 SSLeay/0.9.0a'' i.e.
      SSLeay is part of the Server header. Because SSLeay's version is more
      important than mod_ssl's.

   *) Removed all broken parts in the original Ben-SSL patch, for instance
      incorrectly added newlines, incorrectly moved SecureWare, etc.

   *) Removed nasty terminal messages like "Skip first time initialization",
      "Launching ....", etc. These can be enabled in the future by using the
      ap_log_error stuff.

   *) Fixed incorrect log_ssl_info prototypes in mod_log_config.c from
      Ben-SSL patch and fixed minor other things.

   *) Cleaned up mod_ssl.c (formerly apache_ssl.c): removed unused variables
      mod_ssl.c, added prototypes, moved extern prototypes. Actually I've
      made it run quietly through ``gcc -Wall -Wshadow -Wpointer-arith
      -Wcast-align -Wmissing-prototypes -Wmissing-declarations
      -Wnested-externs -Winline'', etc.

   *) Renamed apache_ssl.c to mod_ssl.c for consistency and also
      to avoid problems inside APACI. Additionally the APACHE_SSL define was
      renamed to MOD_SSL which is also consistent which the behaviour of
      mod_perl which uses MOD_PERL.

   *) *GENESIS*: Based the complete code on Ben Laurie's latest Apache-SSL
      patch (Ben-SSL) version "apache_1.3.0+ssl_1.18". To avoid confusion and
      to show that its second generation stuff the mod_ssl version starts
      with 2.0.0. I've merged in all my previous work on Apache-SSL for
      Apache 1.3b, i.e. especially the APACI stuff.

