Blob Blame History Raw
commit 6a6bcf3d96115a6ef62289838cea418c185d8c88
Author: Paul Howarth <>
Date:   Wed Sep 19 09:38:40 2018 +0100

    Expose SSL_CTX_set_post_handshake_auth
    TLS 1.3 removed renegotiation in favor of rekeying and post handshake
    authentication (PHA). With PHA, a server can request a client certificate from
    a client at some point after the handshake. The feature is commonly used by
    HTTP servers for conditional and path specific TLS client auth. For example, a
    server can decide to require a cert based on HTTP method and/or path. A client
    must announce support for PHA during the handshake.
    Apache mod_ssl uses PHA:
    As of OpenSSL ticket, TLS 1.3
    clients no longer send the PHA TLS extension by default. For on-demand auth,
    PHA extension must be enabled with SSL_CTX_set_post_handshake_auth(), .
    This function is needed for the Apache httpd upstream test suite: .

diff --git a/SSLeay.xs b/SSLeay.xs
index a4dcb0a..5777ffc 100644
--- a/SSLeay.xs
+++ b/SSLeay.xs
@@ -7291,4 +7291,13 @@ SSL_export_keying_material(ssl, outlen, label, p)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */
+    SSL_CTX * s
+    int val
 #define REM_EOF "/* EOF - SSLeay.xs */"