diff --git a/Net-SSLeay-1.90-OpenSSL3.patch b/Net-SSLeay-1.90-OpenSSL3.patch
index beec494..5a47120 100644
--- a/Net-SSLeay-1.90-OpenSSL3.patch
+++ b/Net-SSLeay-1.90-OpenSSL3.patch
@@ -1,71 +1,90 @@
-This is a set of mostly-upstream changes to support use with
-OpenSSL 3.0.
-
-The only change not yet committed upstream is:
-https://github.com/radiator-software/p5-net-ssleay/pull/273
-(Change default cipher for PEM_get_string_PrivateKey)
-
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/lib/Net/SSLeay.pod Net-SSLeay-1.90.patched/lib/Net/SSLeay.pod
---- Net-SSLeay-1.90/lib/Net/SSLeay.pod	2021-01-21 15:14:11.000000000 +0000
-+++ Net-SSLeay-1.90.patched/lib/Net/SSLeay.pod	2021-09-15 11:26:35.478846534 +0100
-@@ -1711,7 +1711,7 @@ Converts public key $pk into PEM formatt
-  my $rv = Net::SSLeay::PEM_get_string_PrivateKey($pk, $passwd, $enc_alg);
-  # $pk - value corresponding to openssl's EVP_PKEY structure
-  # $passwd - [optional] (string) password to use for key encryption
-- # $enc_alg - [optional] algorithm to use for key encryption (default: DES_CBC) - value corresponding to openssl's EVP_CIPHER structure
-+ # $enc_alg - [optional] algorithm to use for key encryption (default: DES_EDE3_CBC) - value corresponding to openssl's EVP_CIPHER structure
-  #
-  # returns: PEM formatted string
- 
-@@ -4624,6 +4624,34 @@ When callback is undef, an existing call
+diff --git a/Changes b/Changes
+index db61b2a..72886b3 100644
+--- a/Changes
++++ b/Changes
+@@ -1,5 +1,56 @@
+ Revision history for Perl extension Net::SSLeay.
  
- Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html>
- 
-+=item * set_msg_callback
-+
-+Sets the callback function, that can be used to obtain protocol messages information for $ssl during connection setup and use.
-+When callback is undef, the callback setting currently valid for ctx is used.
-+Note that set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by set_msg_callback.
-+
-+ Net::SSLeay::set_msg_callback($ssl, $cb, [$arg]);
-+ # $ssl - value corresponding to openssl's SSL structure
-+ # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... }
-+ #
-+ # returns: no return value
-+
-+Check openssl doc L<http://www.openssl.org/docs/manmaster/man3/SSL_set_msg_callback.html|http://www.openssl.org/docs/manmaster/man3/SSL_set_msg_callback.html>
-+
-+=item * CTX_set_msg_callback
-+
-+Sets the callback function on ctx, that can be used to obtain protocol messages information for ssl connection setup and use.
-+When callback is undef, the existing callback will be disabled.
-+Note that CTX_set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by CTX_set_msg_callback.
-+
-+ Net::SSLeay::CTX_set_msg_callback($ssl, $cb, [$arg]);
-+ # $ssl - value corresponding to openssl's SSL structure
-+ # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... }
-+ #
-+ # returns: no return value
-+
-+Check openssl doc L<http://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_msg_callback.html|http://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_msg_callback.html>
++????
++	- Correct X509_STORE_CTX_init() return value to integer. Previous
++	  versions of Net::SSLeay return nothing.
++	- Update tests to call close() to avoid problems seen with
++	  test 44_sess.t, and possibly other tests, running on older
++	  Windows Perl versions. Also add some missing calls in tests
++	  to shutdown and free ssl structures.
++	- Fix multiple formatting errors in the documentation for Net::SSLeay.
++	  Thanks to John Jetmore.
++	- Check for presence of libssl headers in Makefile.PL, and exit with an
++	  error instead of generating an invalid Makefile if they cannot be found.
++	  Fixes RT#105189. Thanks to James E Keenan for the report.
++	- Added support for SSL_CTX_set_msg_callback/SSL_set_msg_callback
++	  Thanks to Tim Aerts.
++	- Adjust time in ASN1_TIME_timet based on current offset to GMT to
++	  address GH-148. Thanks to Steffen Ullrich.
++	- Multiple updates to tests to match OpenSSL 3.0 behaviour.
++	  Thanks to Michal Josef Špaček.
++	- OpenSSL 3.0 related changes in tests include:
++	  - TLSv1 and TLSv1.1 require security level 0 starting with 3.0 alpha 5.
++	  - SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() ignore
++	    unknown ciphersuites starting with 3.0 alpha 11.
++	  - Error code and error string packing and formatting changes.
++	  - PEM_get_string_PrivateKey default algorithm requires legacy provider.
++	- See OpenSSL manual page migration_guide(7) for more information about
++	  changes in OpenSSL 3.0.
++	- Automatically detect OpenSSL installed via Homebrew on ARM-based macOS
++	  systems. Thanks to Graham Knop for the patch.
++	- Account for the divergence in TLSv1.3 ciphersuite names between OpenSSL and
++	  LibreSSL, which was causing failures of some TLSv1.3 tests with LibreSSL.
++	- In 36_verify.t, account for the presence of the X509_V_FLAG_LEGACY_VERIFY
++	  flag (signalling the use of the legacy X.509 verifier) in LibreSSL 3.3.2 and
++	  above.
++	- In 43_misc_functions.t, account for the fact that LibreSSL 3.2.0 and above
++	  implement TLSv1.3 without exposing a TLS1_3_VERSION constant.
++	- Expose OpenSSL 3.0 functions
++	  OSSL_LIB_CTX_get0_global_default, OSSL_PROVIDER_load,
++	  OSSL_PROVIDER_try_load, OSSL_PROVIDER_unload,
++	  OSSL_PROVIDER_available, OSSL_PROVIDER_do_all
++	  OSSL_PROVIDER_get0_name and OSSL_PROVIDER_self_test.
++	  Add test files 22_provider.t, 22_provider_try_load.t and
++	  22_provider_try_load_zero_retain.t.
++	- With OpenSSL 3.0 and later, the legacy provider is loaded in
++	  33_x509_create_cert.t to allow PEM_get_string_PrivateKey to
++	  continue working until its default encryption method is
++	  updated. Fixes GH-272 and closes GH-273.
++	- Remove the test suite's optional dependency on the non-core modules
++	  Test::Exception, Test::NoWarnings and Test::Warn. Tests that verify
++	  Net::SSLeay's behaviour when errors occur are now executed regardless of the
++	  availability of these modules.
 +
- =item * set_pref_cipher
- 
- Sets the list of available ciphers for $ssl using the control string $str.
-@@ -7507,6 +7535,10 @@ Net::SSLeay::X509_STORE_CTX_init($x509_s
- # $x509_store - value corresponding to openssl's X509_STORE structure (optional)
- # $x509 - value corresponding to openssl's X509 structure (optional)
- # $chain - value corresponding to openssl's STACK_OF(X509) structure (optional)
-+#
-+# returns: 1 on success, 0 on failure
-+#
-+# Note: returns nothing with Net::SSLeay 1.90 and earlier.
- 
- Check openssl doc L<https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html|https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html>
- 
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/Makefile.PL Net-SSLeay-1.90.patched/Makefile.PL
---- Net-SSLeay-1.90/Makefile.PL	2021-09-15 11:36:31.240135816 +0100
-+++ Net-SSLeay-1.90.patched/Makefile.PL	2021-09-15 11:26:35.384847261 +0100
+ 1.90 2021-01-21
+ 	- New stable release incorporating all changes from developer releases
+ 	  1.89_01 to 1.89_05.
+diff --git a/MANIFEST b/MANIFEST
+index dfc6f1f..cbad0d0 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -199,6 +199,9 @@ t/local/11_read.t
+ t/local/15_bio.t
+ t/local/20_autoload.t
+ t/local/21_constants.t
++t/local/22_provider.t
++t/local/22_provider_try_load.t
++t/local/22_provider_try_load_zero_retain.t
+ t/local/30_error.t
+ t/local/31_rsa_generate_key.t
+ t/local/32_x509_get_cert_info.t
+@@ -215,6 +218,7 @@ t/local/42_info_callback.t
+ t/local/43_misc_functions.t
+ t/local/44_sess.t
+ t/local/45_exporter.t
++t/local/46_msg_callback.t
+ t/local/50_digest.t
+ t/local/61_threads-cb-crash.t
+ t/local/62_threads-ctx_new-deadlock.t
+diff --git a/Makefile.PL b/Makefile.PL
+index 6dcf155..eefa656 100644
+--- a/Makefile.PL
++++ b/Makefile.PL
 @@ -4,10 +4,22 @@ use strict;
  use warnings;
  
@@ -101,7 +120,15 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/Makefile.PL Net-SSLeay-1.90.
    },
    TEST_REQUIRES => {
      'Carp' => '0',
-@@ -126,12 +142,38 @@ sub ssleay {
+@@ -47,6 +63,7 @@ my %eumm_args = (
+     'SelectSaver' => '0',
+     'Socket' => '0',
+     'Storable' => '0',
++    'Test::Builder' => '0',
+     'Test::More' => '0.60_01',
+     'base' => '0',
+   },
+@@ -126,12 +143,38 @@ sub ssleay {
  EOM
          exit 0; # according https://wiki.cpantesters.org/wiki/CPANAuthorNotes this is best-practice when "missing library"
      }
@@ -142,7 +169,7 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/Makefile.PL Net-SSLeay-1.90.
          LIBS => join(' ', (map '-L'.maybe_quote($_), @{$opts->{lib_paths}}), (map {"-l$_"} @{$opts->{lib_links}})),
      );
      # From HMBRAND to handle multple version of OPENSSL installed
-@@ -145,15 +187,28 @@ EOM
+@@ -145,15 +188,28 @@ EOM
  sub maybe_quote { $_[0] =~ / / ? qq{"$_[0]"} : $_[0] }
  
  sub ssleay_get_build_opts {
@@ -174,7 +201,15 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/Makefile.PL Net-SSLeay-1.90.
      for ($prefix, "$prefix/lib64", "$prefix/lib", "$prefix/out32dll") {
        push @{$opts->{lib_paths}}, $_ if -d $_;
      }
-@@ -369,3 +424,21 @@ sub fixpath {
+@@ -251,6 +307,7 @@ sub find_openssl_prefix {
+ 
+     my @guesses = (
+ 	'/home/linuxbrew/.linuxbrew/opt/openssl/bin/openssl' => '/home/linuxbrew/.linuxbrew/opt/openssl', # LinuxBrew openssl
++	'/opt/homebrew/opt/openssl/bin/openssl' => '/opt/homebrew/opt/openssl', # macOS ARM homebrew
+ 	'/usr/local/opt/openssl/bin/openssl' => '/usr/local/opt/openssl', # OSX homebrew openssl
+ 	'/usr/local/bin/openssl'         => '/usr/local', # OSX homebrew openssl
+ 	'/opt/local/bin/openssl'         => '/opt/local', # Macports openssl
+@@ -364,3 +421,21 @@ sub fixpath {
      $text =~ s{\b/}{$sep}g;
      return $text;
  }
@@ -196,21 +231,40 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/Makefile.PL Net-SSLeay-1.90.
 +
 +    print '*' x ALERT_WIDTH, "\n";
 +}
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/MANIFEST Net-SSLeay-1.90.patched/MANIFEST
---- Net-SSLeay-1.90/MANIFEST	2021-01-21 21:05:03.000000000 +0000
-+++ Net-SSLeay-1.90.patched/MANIFEST	2021-09-15 11:26:35.472846580 +0100
-@@ -215,6 +215,7 @@ t/local/42_info_callback.t
- t/local/43_misc_functions.t
- t/local/44_sess.t
- t/local/45_exporter.t
-+t/local/46_msg_callback.t
- t/local/50_digest.t
- t/local/61_threads-cb-crash.t
- t/local/62_threads-ctx_new-deadlock.t
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/SSLeay.xs Net-SSLeay-1.90.patched/SSLeay.xs
---- Net-SSLeay-1.90/SSLeay.xs	2021-01-21 15:14:11.000000000 +0000
-+++ Net-SSLeay-1.90.patched/SSLeay.xs	2021-09-15 11:26:35.554845946 +0100
-@@ -1474,6 +1474,71 @@ void ssleay_ctx_info_cb_invoke(const SSL
+diff --git a/README b/README
+index b720673..4d021f1 100644
+--- a/README
++++ b/README
+@@ -22,11 +22,11 @@ Perl 5.8.1 or higher.
+ One of the following libssl implementations:
+ 
+ * Any stable release of OpenSSL (https://www.openssl.org) in the
+-  0.9.8 - 1.1.1 branches, except for OpenSSL 0.9.8 - 0.9.8b.
++  0.9.8 - 3.0 branches, except for OpenSSL 0.9.8 - 0.9.8b.
+ * Any stable release of LibreSSL (https://www.libressl.org) in the
+-  2.0 - 3.1 series.
++  2.0 - 3.1 series or 3.3 series.
+ 
+-Net-SSLeay may not compile or pass its tests against newer releases
++Net-SSLeay may not compile or pass its tests against releases other
+ than the ones listed above due to libssl API incompatibilities, or, in
+ the case of LibreSSL, because of deviations from the libssl API.
+ 
+diff --git a/SSLeay.xs b/SSLeay.xs
+index 02b81e7..350e0d7 100644
+--- a/SSLeay.xs
++++ b/SSLeay.xs
+@@ -195,6 +195,9 @@ which conflicts with perls
+ #if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ #include <openssl/ocsp.h>
+ #endif
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include <openssl/provider.h>
++#endif
+ #undef BLOCK
+ 
+ /* Debugging output - to enable use:
+@@ -1474,6 +1477,71 @@ void ssleay_ctx_info_cb_invoke(const SSL *ssl, int where, int ret)
      LEAVE;
  }
  
@@ -252,179 +306,2255 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/SSLeay.xs Net-SSLeay-1.90.pa
 +    SV *cb_func, *cb_data;
 +    SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
 +
-+    cb_func = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!func");
-+    cb_data = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!data");
++    cb_func = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!func");
++    cb_data = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!data");
++
++    if ( ! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV))
++    croak ("Net::SSLeay: ssleay_ctx_msg_cb_invoke called, but not set to point to any perl function.\n");
++
++    ENTER;
++    SAVETMPS;
++
++    PUSHMARK(SP);
++    XPUSHs(sv_2mortal(newSViv(write_p)));
++    XPUSHs(sv_2mortal(newSViv(version)));
++    XPUSHs(sv_2mortal(newSViv(content_type)));
++    XPUSHs(sv_2mortal(newSVpv((const char*)buf, len)));
++    XPUSHs(sv_2mortal(newSViv(len)));
++    XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl))));
++    XPUSHs(sv_2mortal(newSVsv(cb_data)));
++    PUTBACK;
++
++    call_sv(cb_func, G_VOID);
++
++    SPAGAIN;
++    PUTBACK;
++    FREETMPS;
++    LEAVE;
++}
++
+ /* 
+  * Support for tlsext_ticket_key_cb_invoke was already in 0.9.8 but it was
+  * broken in various ways during the various 1.0.0* versions.
+@@ -1652,9 +1720,45 @@ void ssleay_ssl_ctx_sess_remove_cb_invoke(SSL_CTX *ctx, SSL_SESSION *sess)
+     LEAVE;
+ }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++int ossl_provider_do_all_cb_invoke(OSSL_PROVIDER *provider, void *cbdata) {
++    dSP;
++    int ret = 1;
++    int count = -1;
++    simple_cb_data_t *cb = cbdata;
++
++    PR1("STARTED: ossl_provider_do_all_cb_invoke\n");
++    if (cb->func && SvOK(cb->func)) {
++        ENTER;
++        SAVETMPS;
++
++        PUSHMARK(SP);
++        XPUSHs(sv_2mortal(newSViv(PTR2IV(provider))));
++        if (cb->data) XPUSHs(cb->data);
++
++        PUTBACK;
++
++        count = call_sv(cb->func, G_SCALAR);
++
++        SPAGAIN;
++
++        if (count != 1)
++          croak("Net::SSLeay: ossl_provider_do_all_cb_invoke perl function did not return a scalar\n");
++
++        ret = POPi;
++
++        PUTBACK;
++        FREETMPS;
++        LEAVE;
++    }
++
++    return ret;
++}
++#endif
++
+ /* ============= end of callback stuff, begin helper functions ============== */
+ 
+-time_t ASN1_TIME_timet(ASN1_TIME *asn1t) {
++time_t ASN1_TIME_timet(ASN1_TIME *asn1t, time_t *gmtoff) {
+     struct tm t;
+     const char *p = (const char*) asn1t->data;
+     size_t msec = 0, tz = 0, i, l;
+@@ -1720,7 +1824,14 @@ time_t ASN1_TIME_timet(ASN1_TIME *asn1t) {
+ 
+     result = mktime(&t);
+     if (result == -1) return 0; /* broken time */
+-    return result + adj + ( t.tm_isdst ? 3600:0 );
++    result += adj;
++    if (gmtoff && *gmtoff == -1) {
++	*gmtoff = result - mktime(gmtime(&result));
++	result += *gmtoff;
++    } else {
++	result += result - mktime(gmtime(&result));
++    }
++    return result;
+ }
+ 
+ X509 * find_issuer(X509 *cert,X509_STORE *store, STACK_OF(X509) *chain) {
+@@ -4103,7 +4214,7 @@ X509V3_EXT_d2i(ext)
+ X509_STORE_CTX *
+ X509_STORE_CTX_new()
+ 
+-void
++int
+ X509_STORE_CTX_init(ctx, store=NULL, x509=NULL, chain=NULL)
+      X509_STORE_CTX * ctx
+      X509_STORE * store
+@@ -4336,6 +4447,10 @@ ASN1_TIME_free(s)
+ time_t
+ ASN1_TIME_timet(s)
+      ASN1_TIME *s
++     CODE:
++     RETVAL = ASN1_TIME_timet(s,NULL);
++     OUTPUT:
++     RETVAL
+ 
+ ASN1_TIME *
+ ASN1_TIME_new()
+@@ -5447,6 +5562,39 @@ SSL_CTX_set_info_callback(ctx,callback,data=&PL_sv_undef)
+             SSL_CTX_set_info_callback(ctx, ssleay_ctx_info_cb_invoke);
+         }
+ 
++void
++SSL_set_msg_callback(ssl,callback,data=&PL_sv_undef)
++        SSL * ssl
++        SV * callback
++    SV * data
++    CODE:
++        if (callback==NULL || !SvOK(callback)) {
++            SSL_set_msg_callback(ssl, NULL);
++            cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", NULL);
++            cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", NULL);
++        } else {
++            cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", newSVsv(callback));
++            cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", newSVsv(data));
++            SSL_set_msg_callback(ssl, ssleay_msg_cb_invoke);
++        }
++
++void
++SSL_CTX_set_msg_callback(ctx,callback,data=&PL_sv_undef)
++        SSL_CTX * ctx
++        SV * callback
++    SV * data
++    CODE:
++        if (callback==NULL || !SvOK(callback)) {
++            SSL_CTX_set_msg_callback(ctx, NULL);
++            cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", NULL);
++            cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", NULL);
++        } else {
++            cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", newSVsv(callback));
++            cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", newSVsv(data));
++            SSL_CTX_set_msg_callback(ctx, ssleay_ctx_msg_cb_invoke);
++        }
++
++
+ int
+ SSL_set_purpose(s,purpose)
+      SSL *	s
+@@ -6172,7 +6320,7 @@ SSL_total_renegotiations(ssl)
+   OUTPUT:
+   RETVAL
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+ void
+ SSL_SESSION_get_master_key(s)
+      SSL_SESSION *   s
+@@ -7348,6 +7496,7 @@ OCSP_response_results(rsp,...)
+ 	OCSP_BASICRESP *bsr;
+ 	int i,want_array;
+ 	time_t nextupd = 0;
++	time_t gmtoff = -1;
+ 	int getall,sksn;
+ 
+ 	bsr = OCSP_response_get1_basic(rsp);
+@@ -7440,15 +7589,15 @@ OCSP_response_results(rsp,...)
+ 		    hv_store(details,"statusType",10,
+ 			newSViv(status),0);
+ 		    if (nextupdate) hv_store(details,"nextUpdate",10,
+-			newSViv(ASN1_TIME_timet(nextupdate)),0);
++			newSViv(ASN1_TIME_timet(nextupdate, &gmtoff)),0);
+ 		    if (thisupdate) hv_store(details,"thisUpdate",10,
+-			newSViv(ASN1_TIME_timet(thisupdate)),0);
++			newSViv(ASN1_TIME_timet(thisupdate, &gmtoff)),0);
+ 		    if (status == V_OCSP_CERTSTATUS_REVOKED) {
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 			OCSP_REVOKEDINFO *rev = sir->certStatus->value.revoked;
+ 			revocationReason = ASN1_ENUMERATED_get(rev->revocationReason);
+ #endif
+-			hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime)),0);
++			hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime, &gmtoff)),0);
+ 			hv_store(details,"revocationReason",16,newSViv(revocationReason),0);
+ 			hv_store(details,"revocationReason_str",20,newSVpv(
+ 		            OCSP_crl_reason_str(revocationReason),0),0);
+@@ -7457,7 +7606,7 @@ OCSP_response_results(rsp,...)
+ 		XPUSHs(sv_2mortal(newRV_noinc((SV*)idav)));
+ 	    } else if (!error) {
+ 		/* compute lowest nextUpdate */
+-		time_t nu = ASN1_TIME_timet(nextupdate);
++		time_t nu = ASN1_TIME_timet(nextupdate, &gmtoff);
+ 		if (!nextupd || nextupd>nu) nextupd = nu;
+ 	    }
+ 
+@@ -7599,4 +7748,71 @@ SSL_export_keying_material(ssl, outlen, label, context=&PL_sv_undef)
+ 
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++
++OSSL_LIB_CTX *
++OSSL_LIB_CTX_get0_global_default()
++
++
++OSSL_PROVIDER *
++OSSL_PROVIDER_load(SV *libctx, const char *name)
++    CODE:
++        OSSL_LIB_CTX *ctx = NULL;
++        if (libctx != &PL_sv_undef)
++	    ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx));
++        RETVAL = OSSL_PROVIDER_load(ctx, name);
++        if (RETVAL == NULL)
++	    XSRETURN_UNDEF;
++    OUTPUT:
++	  RETVAL
++
++OSSL_PROVIDER *
++OSSL_PROVIDER_try_load(SV *libctx, const char *name, int retain_fallbacks)
++    CODE:
++        OSSL_LIB_CTX *ctx = NULL;
++        if (libctx != &PL_sv_undef)
++	    ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx));
++        RETVAL = OSSL_PROVIDER_try_load(ctx, name, retain_fallbacks);
++        if (RETVAL == NULL)
++	    XSRETURN_UNDEF;
++    OUTPUT:
++	  RETVAL
++
++int
++OSSL_PROVIDER_unload(OSSL_PROVIDER *prov)
++
++int
++OSSL_PROVIDER_available(SV *libctx, const char *name)
++    CODE:
++        OSSL_LIB_CTX *ctx = NULL;
++        if (libctx != &PL_sv_undef)
++	    ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx));
++        RETVAL = OSSL_PROVIDER_available(ctx, name);
++    OUTPUT:
++	  RETVAL
++
++int
++OSSL_PROVIDER_do_all(SV *libctx, SV *perl_cb, SV *perl_cbdata = &PL_sv_undef)
++    PREINIT:
++        simple_cb_data_t* cbdata = NULL;
++    CODE:
++        OSSL_LIB_CTX *ctx = NULL;
++        if (libctx != &PL_sv_undef)
++	    ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx));
++
++        /* setup our callback */
++        cbdata = simple_cb_data_new(perl_cb, perl_cbdata);
++        RETVAL = OSSL_PROVIDER_do_all(ctx, ossl_provider_do_all_cb_invoke, cbdata);
++        simple_cb_data_free(cbdata);
++    OUTPUT:
++        RETVAL
++
++const char *
++OSSL_PROVIDER_get0_name(const OSSL_PROVIDER *prov)
++
++int
++OSSL_PROVIDER_self_test(const OSSL_PROVIDER *prov)
++
++#endif
++
+ #define REM_EOF "/* EOF - SSLeay.xs */"
+diff --git a/constants.c b/constants.c
+index 722190c..cf5c0e7 100644
+--- a/constants.c
++++ b/constants.c
+@@ -4712,9 +4712,10 @@ constant (const char *name, size_t len) {
+        V_OCSP_CERTSTATUS_UNKNOWN X509_V_ERR_CA_MD_TOO_WEAK
+        X509_V_ERR_CERT_UNTRUSTED X509_V_ERR_EMAIL_MISMATCH
+        X509_V_ERR_INVALID_NON_CA X509_V_ERR_SUBTREE_MINMAX
+-       X509_V_FLAG_CRL_CHECK_ALL X509_V_FLAG_NOTIFY_POLICY
+-       X509_V_FLAG_NO_ALT_CHAINS X509_V_FLAG_NO_CHECK_TIME
+-       X509_V_FLAG_PARTIAL_CHAIN X509_V_FLAG_TRUSTED_FIRST */
++       X509_V_FLAG_CRL_CHECK_ALL X509_V_FLAG_LEGACY_VERIFY
++       X509_V_FLAG_NOTIFY_POLICY X509_V_FLAG_NO_ALT_CHAINS
++       X509_V_FLAG_NO_CHECK_TIME X509_V_FLAG_PARTIAL_CHAIN
++       X509_V_FLAG_TRUSTED_FIRST */
+     /* Offset 20 gives the best switch position.  */
+     switch (name[20]) {
+     case '2':
+@@ -4785,6 +4786,16 @@ constant (const char *name, size_t len) {
+         goto not_there;
+ #endif
+ 
++      }
++      if (!memcmp(name, "X509_V_FLAG_LEGACY_VERIFY", 25)) {
++      /*                                     ^           */
++        
++#ifdef X509_V_FLAG_LEGACY_VERIFY
++        return X509_V_FLAG_LEGACY_VERIFY;
++#else
++        goto not_there;
++#endif
++
+       }
+       break;
+     case 'F':
+diff --git a/helper_script/regen_openssl_constants.pl b/helper_script/regen_openssl_constants.pl
+index 6fd2908..4d6744b 100644
+--- a/helper_script/regen_openssl_constants.pl
++++ b/helper_script/regen_openssl_constants.pl
+@@ -94,14 +94,12 @@ sub t_file {
+ use lib 'inc';
+ 
+ use Net::SSLeay;
+-use Test::Net::SSLeay;
++use Test::Net::SSLeay qw(dies_like);
+ 
+-eval "use Test::Exception;";
+-if (\$@) {
+-    plan skip_all => 'Some tests need Test::Exception';
+-} else {
+-    plan tests => $count;
+-}
++# We rely on symbolic references to run the dies_like() tests:
++no strict 'refs';
++
++plan tests => $count;
+ 
+ my \@c = (qw/
+ $list
+@@ -110,9 +108,12 @@ $list
+ my \@missing;
+ my \%h = map { \$_=>1 } \@Net::SSLeay::EXPORT_OK;
+ 
+-for (\@c) {
+-  like(eval("&Net::SSLeay::\$_; 'ok'") || \$\@, qr/^(ok|Your vendor has not defined SSLeay macro.*)\$/, "\$_");
+-  push(\@missing, \$_) unless \$h{\$_};
++for my \$c (\@c) {
++    dies_like(sub {
++        "Net::SSLeay::\$c"->();
++        die "ok\\n";
++    }, qr/^(ok\\n|Your vendor has not defined SSLeay macro.*)\$/, "\$c");
++    push(\@missing, \$c) unless \$h{\$c};
+ }
+ 
+ is(join(",", sort \@missing), '', 'constants missing in \@EXPORT_OK count='.scalar(\@missing));
+@@ -670,6 +671,7 @@ X509_V_FLAG_EXTENDED_CRL_SUPPORT
+ X509_V_FLAG_IGNORE_CRITICAL
+ X509_V_FLAG_INHIBIT_ANY
+ X509_V_FLAG_INHIBIT_MAP
++X509_V_FLAG_LEGACY_VERIFY
+ X509_V_FLAG_NO_ALT_CHAINS
+ X509_V_FLAG_NO_CHECK_TIME
+ X509_V_FLAG_NOTIFY_POLICY
+diff --git a/inc/Test/Net/SSLeay.pm b/inc/Test/Net/SSLeay.pm
+index 9a85083..30d1199 100644
+--- a/inc/Test/Net/SSLeay.pm
++++ b/inc/Test/Net/SSLeay.pm
+@@ -11,6 +11,7 @@ use Cwd qw(abs_path);
+ use English qw( $EVAL_ERROR $OSNAME $PERL_VERSION -no_match_vars );
+ use File::Basename qw(dirname);
+ use File::Spec::Functions qw( abs2rel catfile );
++use Test::Builder;
+ use Test::Net::SSLeay::Socket;
+ 
+ our $VERSION = '1.90';
+@@ -18,14 +19,21 @@ our $VERSION = '1.90';
+ our @EXPORT_OK = qw(
+     can_fork can_really_fork can_thread
+     data_file_path
++    dies_like
++    dies_ok
++    doesnt_warn
+     initialise_libssl
+     is_libressl is_openssl
+     is_protocol_usable
++    lives_ok
+     new_ctx
+     protocols
+     tcp_socket
++    warns_like
+ );
+ 
++my $tester = Test::Builder->new();
++
+ my $data_path = catfile( dirname(__FILE__), '..', '..', '..', 't', 'data' );
+ 
+ my $initialised = 0;
+@@ -63,6 +71,29 @@ my %protos = (
+     },
+ );
+ 
++my ( $test_no_warnings, $test_no_warnings_name, @warnings );
++
++END {
++    _test_no_warnings() if $test_no_warnings;
++}
++
++sub _all {
++    my ( $sub, @list ) = @_;
++
++    for (@list) {
++        $sub->() or return 0;
++    }
++
++    return 1;
++}
++
++sub _diag {
++    my (%args) = @_;
++
++    $tester->diag( ' ' x 9, 'got: ', $args{got} );
++    $tester->diag( ' ' x 4, 'expected: ', $args{expected} );
++}
++
+ sub _libssl_fatal {
+     my ($context) = @_;
+ 
+@@ -76,6 +107,17 @@ sub _load_net_ssleay {
+     return 1;
+ }
+ 
++sub _test_no_warnings {
++    my $got_str = join q{, }, map { qq{'$_'} } @warnings;
++    my $got_type = @warnings == 1 ? 'warning' : 'warnings';
++
++    $tester->ok( @warnings == 0, $test_no_warnings_name )
++        or _diag(
++            got      => "$got_type $got_str",
++            expected => 'no warnings',
++        );
++}
++
+ sub import {
+     my ( $class, @imports ) = @_;
+ 
+@@ -152,6 +194,69 @@ sub data_file_path {
+     return $rel_path;
+ }
+ 
++sub dies_like {
++    my ( $sub, $expected, $name ) = @_;
++
++    my ( $got, $ok );
++
++    if ( eval { $sub->(); 1 } ) {
++        $ok = $tester->ok ( 0, $name );
++
++        _diag(
++            got      => 'subroutine lived',
++            expected => "subroutine died with exception matching $expected",
++        );
++    }
++    else {
++        $got = $EVAL_ERROR;
++
++        my $test = $got =~ $expected;
++
++        $ok = $tester->ok( $test, $name )
++            or _diag(
++                got      => qq{subroutine died with exception '$got'},
++                expected => "subroutine died with exception matching $expected",
++            );
++    }
++
++    $EVAL_ERROR = $got;
++
++    return $ok;
++}
++
++sub dies_ok {
++    my ( $sub, $name ) = @_;
++
++    my ( $got, $ok );
++
++    if ( eval { $sub->(); 1 } ) {
++        $got = $EVAL_ERROR;
++
++        $ok = $tester->ok ( 0, $name );
++
++        _diag(
++            got      => 'subroutine lived',
++            expected => 'subroutine died',
++        );
++    }
++    else {
++        $got = $EVAL_ERROR;
++
++        $ok = $tester->ok( 1, $name );
++    }
++
++    $EVAL_ERROR = $got;
++
++    return $ok;
++}
++
++sub doesnt_warn {
++    $test_no_warnings      = 1;
++    $test_no_warnings_name = shift;
++
++    $SIG{__WARN__} = sub { push @warnings, shift };
++}
++
+ sub initialise_libssl {
+     return 1 if $initialised;
+ 
+@@ -304,6 +409,32 @@ sub is_protocol_usable {
+     croak 'Unexpected TLS state machine sequence: ' . join( ', ', @states );
+ }
+ 
++sub lives_ok {
++    my ( $sub, $name ) = @_;
++
++    my ( $got, $ok );
++
++    if ( !eval { $sub->(); 1 } ) {
++        $got = $EVAL_ERROR;
++
++        $ok = $tester->ok ( 0, $name );
++
++        _diag(
++            got      => qq{subroutine died with exception '$got'},
++            expected => 'subroutine lived',
++        );
++    }
++    else {
++        $got = $EVAL_ERROR;
++
++        $ok = $tester->ok( 1, $name );
++    }
++
++    $EVAL_ERROR = $got;
++
++    return $ok;
++}
++
+ sub new_ctx {
+     my ( $min_proto, $max_proto ) = @_;
+ 
+@@ -362,6 +493,41 @@ sub tcp_socket {
+     return Test::Net::SSLeay::Socket->new( proto => 'tcp' );
+ }
+ 
++sub warns_like {
++    my ( $sub, $expected, $name ) = @_;
++
++    my @expected =   ref $expected eq 'ARRAY'
++                   ? @$expected
++                   : ($expected);
++
++    my @got;
++
++    local $SIG{__WARN__} = sub { push @got, shift };
++
++    $sub->();
++
++    $SIG{__WARN__} = 'DEFAULT';
++
++    my $test =    scalar @got == scalar @expected
++               && _all( sub { $got[$_] =~ $expected[$_] }, 0 .. $#got );
++
++    my $ok = $tester->ok( $test, $name )
++        or do {
++            my $got_str      = join q{, }, map { qq{'$_'} } @got;
++            my $expected_str = join q{, }, map { qq{'$_'} } @expected;
++
++            my $got_plural      = @got == 1 ? '' : 's';
++            my $expected_plural = @expected == 1 ? '' : 's';
++
++            _diag(
++                got      => "warning$got_plural $got_str",
++                expected => "warning$expected_plural matching $expected_str",
++            );
++        };
++
++    return $ok;
++}
++
+ 1;
+ 
+ __END__
+@@ -466,6 +632,49 @@ this Perl, or false if not.
+ Returns the relative path to a given file in the test suite data directory
+ (C<t/local/>). Dies if the file does not exist.
+ 
++=head2 dies_like
++
++    dies_like(
++        sub { die 'This subroutine always dies' },
++        qr/always/,
++        'A test that always passes'
++    );
++
++Similar to L<C<throws_ok> in Test::Exception|Test::Exception/throws_ok>:
++performs a L<Test::Builder> test that passes if a given subroutine dies with an
++exception string that matches a given pattern, or fails if the subroutine does
++not die or dies with an exception string that does not match the given pattern.
++
++This function preserves the value of C<$@> set by the given subroutine, so (for
++example) other tests can be performed on the value of C<$@> afterwards.
++
++=head2 dies_ok
++
++    dies_ok(
++        sub { my $x = 1 },
++        'A test that always fails'
++    );
++
++Similar to L<C<dies_ok> in Test::Exception|Test::Exception/dies_ok>: performs a
++L<Test::Builder> test that passes if a given subroutine dies, or fails if it
++does not.
++
++This function preserves the value of C<$@> set by the given subroutine, so (for
++example) other tests can be performed on the value of C<$@> afterwards.
++
++=head2 doesnt_warn
++
++    doesnt_warn('Test script outputs no unexpected warnings');
++
++Offers similar functionality to L<Test::NoWarnings>: performs a L<Test::Builder>
++test at the end of the test script that passes if the test script executes from
++this point onwards without emitting any unexpected warnings, or fails if
++warnings are emitted before the test script ends.
++
++Warnings omitted by subroutines that are executed as part of a L</warns_like>
++test are not considered to be unexpected (even if the L</warns_like> test
++fails), and will therefore not cause this test to fail.
++
+ =head2 initialise_libssl
+ 
+     initialise_libssl();
+@@ -514,6 +723,20 @@ C<no-ssl3>), or run-time configuration (e.g., the use of TLSv1.0 will be
+ forbidden if the OpenSSL configuration sets the default security level to 3 or
+ higher; see L<SSL_CTX_set_security_level(3)>).
+ 
++=head2 lives_ok
++
++    lives_ok(
++        sub { die 'Whoops' },
++        'A test that always fails'
++    );
++
++Similar to L<C<lives_ok> in Test::Exception|Test::Exception/lives_ok>: performs
++a L<Test::Builder> test that passes if a given subroutine executes without
++dying, or fails if it dies during execution.
++
++This function preserves the value of C<$@> set by the given subroutine, so (for
++example) other tests can be performed on the value of C<$@> afterwards.
++
+ =head2 new_ctx
+ 
+     my $ctx = new_ctx();
+@@ -566,6 +789,27 @@ closing connections.
+ Returns a L<Test::Net::SSLeay::Socket|Test::Net::SSLeay::Socket> object. Dies
+ on failure.
+ 
++=head2 warns_like
++
++    warns_like(
++        sub {
++            warn 'First warning';
++            warn 'Second warning';
++        },
++        [
++            qr/First/,
++            qr/Second/,
++        ],
++        'A test that always passes'
++    );
++
++Similar to L<C<warnings_like> in Test::Warn|Test::Warn/warnings_like>: performs
++a L<Test::Builder> test that passes if a given subroutine emits a series of
++warnings that match the given sequence of patterns, or fails if the subroutine
++emits any other sequence of warnings (or no warnings at all). If a pattern is
++given instead of an array reference, the subroutine will be expected to emit a
++single warning matching the pattern.
++
+ =head1 BUGS
+ 
+ If you encounter a problem with this module that you believe is a bug, please
+diff --git a/lib/Net/SSLeay.pm b/lib/Net/SSLeay.pm
+index 99ac77f..fde0872 100644
+--- a/lib/Net/SSLeay.pm
++++ b/lib/Net/SSLeay.pm
+@@ -421,6 +421,7 @@ $VERSION = '1.90';
+     V_OCSP_CERTSTATUS_GOOD
+     V_OCSP_CERTSTATUS_REVOKED
+     V_OCSP_CERTSTATUS_UNKNOWN
++    X509_V_FLAG_LEGACY_VERIFY
+ );
+ 
+ sub AUTOLOAD {
+diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod
+index 6036b36..f0e8a10 100644
+--- a/lib/Net/SSLeay.pod
++++ b/lib/Net/SSLeay.pod
+@@ -49,17 +49,17 @@ Net::SSLeay supports the following libssl implementations:
+ 
+ =item *
+ 
+-Any stable release of L<OpenSSL|https://www.openssl.org> in the 0.9.8 - 1.1.1
++Any stable release of L<OpenSSL|https://www.openssl.org> in the 0.9.8 - 3.0
+ branches, except for OpenSSL 0.9.8 - 0.9.8b.
+ 
+ =item *
+ 
+ Any stable release of L<LibreSSL|https://www.libressl.org> in the 2.0 - 3.1
+-series.
++series or 3.3 series.
+ 
+ =back
+ 
+-Net::SSLeay may not function as expected with newer releases than the ones
++Net::SSLeay may not function as expected with releases other than the ones
+ listed above due to libssl API incompatibilities, or, in the case of LibreSSL,
+ because of deviations from the libssl API.
+ 
+@@ -926,6 +926,7 @@ a session secret callback can be set up to be called when a session secret is se
+ by openssl.
+ 
+ Establish it like this:
++
+     Net::SSLeay::set_session_secret_cb($ssl, \&session_secret_cb, $somedata);
+ 
+ It will be called like this:
+@@ -2576,7 +2577,7 @@ Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html|htt
+ 
+ =item * CTX_get_verify_depth
+ 
+-Returns the verification depth limit currently set in $ctx. If no limit has been explicitly set, -1 is returned and the default value will be used.",
++Returns the verification depth limit currently set in $ctx. If no limit has been explicitly set, -1 is returned and the default value will be used.
+ 
+  my $rv = Net::SSLeay::CTX_get_verify_depth($ctx);
+  # $ctx - value corresponding to openssl's SSL_CTX structure
+@@ -4624,6 +4625,34 @@ When callback is undef, an existing callback will be disabled.
+ 
+ Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html>
+ 
++=item * set_msg_callback
++
++Sets the callback function, that can be used to obtain protocol messages information for $ssl during connection setup and use.
++When callback is undef, the callback setting currently valid for ctx is used.
++Note that set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by set_msg_callback.
++
++ Net::SSLeay::set_msg_callback($ssl, $cb, [$arg]);
++ # $ssl - value corresponding to openssl's SSL structure
++ # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... }
++ #
++ # returns: no return value
++
++Check openssl doc L<http://www.openssl.org/docs/manmaster/man3/SSL_set_msg_callback.html|http://www.openssl.org/docs/manmaster/man3/SSL_set_msg_callback.html>
++
++=item * CTX_set_msg_callback
++
++Sets the callback function on ctx, that can be used to obtain protocol messages information for ssl connection setup and use.
++When callback is undef, the existing callback will be disabled.
++Note that CTX_set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by CTX_set_msg_callback.
++
++ Net::SSLeay::CTX_set_msg_callback($ssl, $cb, [$arg]);
++ # $ssl - value corresponding to openssl's SSL structure
++ # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... }
++ #
++ # returns: no return value
++
++Check openssl doc L<http://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_msg_callback.html|http://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_msg_callback.html>
++
+ =item * set_pref_cipher
+ 
+ Sets the list of available ciphers for $ssl using the control string $str.
+@@ -4709,13 +4738,13 @@ Setup pre-shared secret session resumption function.
+  # returns: no return value
+ 
+ The callback function will be called like:
+-callback_function($secret, $ciphers, $pref_cipher, $data);
+ 
+-# $secret is the current master session key, usually all 0s at the beginning of a session
+-# $ciphers is ref to an array of peer cipher names
+-# $pref_cipher is a ref to an index into the list of cipher names of 
+-#  the preferred cipher. Set it if you want to specify a preferred cipher
+-# $data is the data passed to set_session_secret_cb
++ callback_function($secret, $ciphers, $pref_cipher, $data);
++ # $secret is the current master session key, usually all 0s at the beginning of a session
++ # $ciphers is ref to an array of peer cipher names
++ # $pref_cipher is a ref to an index into the list of cipher names of 
++ #  the preferred cipher. Set it if you want to specify a preferred cipher
++ # $data is the data passed to set_session_secret_cb
+ 
+ The callback function should return 1 if it likes the suggested cipher (or has selected an alternative 
+ by setting pref_cipher), else it should return 0 (in which case OpenSSL will select its own preferred cipher).
+@@ -4735,12 +4764,12 @@ Setup encryption for TLS session tickets (stateless session reuse).
+  # returns: no return value
+ 
+ The callback function will be called like:
+-getkey($data,[$key_name]) -> ($key,$current_key_name)
+ 
+-# $data is the data passed to set_session_secret_cb
+-# $key_name is the name of the key OpenSSL has extracted from the session ticket
+-# $key is the requested key for ticket encryption + HMAC
+-# $current_key_name is the name for the currently valid key
++ getkey($data,[$key_name]) -> ($key,$current_key_name)
++ # $data is the data passed to set_session_secret_cb
++ # $key_name is the name of the key OpenSSL has extracted from the session ticket
++ # $key is the requested key for ticket encryption + HMAC
++ # $current_key_name is the name for the currently valid key
+ 
+ OpenSSL will call the function without a key name if it generates a new ticket.
+ It then needs the callback to return the encryption+HMAC key and an identifier
+@@ -4805,12 +4834,12 @@ Setup callback for TLS session tickets (stateless session reuse).
+  # returns: no return value
+ 
+ The callback function will be called like:
+-getticket($ssl,$ticket,$data) -> $return_value
+ 
+-# $ssl is a value corresponding to openssl's SSL structure
+-# $ticket is a value of received TLS session ticket (can also be empty)
+-# $data is the data passed to set_session_ticket_ext_cb
+-# $return_value is either 0 (failure) or 1 (success)
++ getticket($ssl,$ticket,$data) -> $return_value
++ # $ssl is a value corresponding to openssl's SSL structure
++ # $ticket is a value of received TLS session ticket (can also be empty)
++ # $data is the data passed to set_session_ticket_ext_cb
++ # $return_value is either 0 (failure) or 1 (success)
+ 
+ This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb.
+ 
+@@ -4825,12 +4854,12 @@ Set TLS session ticket (stateless session reuse).
+  # returns: no return value
+ 
+ The callback function will be called like:
+-getticket($ssl,$ticket,$data) -> $return_value
+ 
+-# $ssl is a value corresponding to openssl's SSL structure
+-# $ticket is a value of received TLS session ticket (can also be empty)
+-# $data is the data passed to set_session_ticket_ext_cb
+-# $return_value is either 0 (failure) or 1 (success)
++ getticket($ssl,$ticket,$data) -> $return_value
++ # $ssl is a value corresponding to openssl's SSL structure
++ # $ticket is a value of received TLS session ticket (can also be empty)
++ # $data is the data passed to set_session_ticket_ext_cb
++ # $return_value is either 0 (failure) or 1 (success)
+ 
+ This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb.
+ 
+@@ -6129,7 +6158,7 @@ Returns X509_EXTENSION from $x509 based on given NID.
+ Returns fingerprint of certificate $cert.
+ 
+ B<NOTE:> Does not exactly correspond to any low level API function. The implementation
+-is basen on openssl's C<X509_digest()>.
++is based on openssl's C<X509_digest()>.
+ 
+  Net::SSLeay::X509_get_fingerprint($x509, $type);
+  # $x509 - value corresponding to openssl's X509 structure
+@@ -7501,12 +7530,15 @@ returns a newly initialised X509_STORE_CTX structure.
+ X509_STORE_CTX_init() sets up an X509_STORE_CTX for a subsequent verification operation.
+ It must be called before each call to X509_verify_cert().
+ 
+-Net::SSLeay::X509_STORE_CTX_init($x509_store_ctx, $x509_store, $x509, $chain);
+-
+-# $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure (required)
+-# $x509_store - value corresponding to openssl's X509_STORE structure (optional)
+-# $x509 - value corresponding to openssl's X509 structure (optional)
+-# $chain - value corresponding to openssl's STACK_OF(X509) structure (optional)
++ my $rv = Net::SSLeay::X509_STORE_CTX_init($x509_store_ctx, $x509_store, $x509, $chain);
++ # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure (required)
++ # $x509_store - value corresponding to openssl's X509_STORE structure (optional)
++ # $x509 - value corresponding to openssl's X509 structure (optional)
++ # $chain - value corresponding to openssl's STACK_OF(X509) structure (optional)
++ #
++ # returns: 1 on success, 0 on failure
++ #
++ # Note: returns nothing with Net::SSLeay 1.90 and earlier.
+ 
+ Check openssl doc L<https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html|https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html>
+ 
+@@ -7514,7 +7546,7 @@ Check openssl doc L<https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_
+ 
+ Frees an X509_STORE_CTX structure.
+ 
+-Net::SSLeay::X509_STORE_CTX_free($x509_store_ctx);
++ Net::SSLeay::X509_STORE_CTX_free($x509_store_ctx);
+ 
+ # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
+ 
+@@ -7527,10 +7559,10 @@ of the process is contained in the verify(1) manual page.
+ If this function returns 0, use X509_STORE_CTX_get_error to get additional error
+ information.
+ 
+-my $rv = Net::SSLeay::X509_verify_cert($x509_store_ctx);
+-# $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
+-#
+-# returns: 1 if a complete chain can be built and validated, otherwise 0
++ my $rv = Net::SSLeay::X509_verify_cert($x509_store_ctx);
++ # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
++ #
++ # returns: 1 if a complete chain can be built and validated, otherwise 0
+ 
+ Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/X509_verify_cert.html|https://www.openssl.org/docs/manmaster/man3/X509_verify_cert.html>
+ 
+@@ -7633,27 +7665,27 @@ Check openssl doc L<http://www.openssl.org/docs/crypto/X509_STORE_CTX_new.html|h
+ 
+ Returns a newly initialized X509_STORE structure.
+ 
+-my $rv = Net::SSLeay::X509_STORE_new();
+-#
+-# returns: value corresponding to openssl's X509_STORE structure (0 on failure)
++ my $rv = Net::SSLeay::X509_STORE_new();
++ #
++ # returns: value corresponding to openssl's X509_STORE structure (0 on failure)
+ 
+ =item * X509_STORE_free
+ 
+ Frees an X509_STORE structure
+ 
+-Net::SSLeay::X509_STORE_free($x509_store);
+-# $x509_store - value corresponding to openssl's X509_STORE structure
++ Net::SSLeay::X509_STORE_free($x509_store);
++ # $x509_store - value corresponding to openssl's X509_STORE structure
+ 
+ =item * X509_STORE_add_lookup
+ 
+ Adds a lookup to an X509_STORE for a given lookup method.
+ 
+-my $method = &Net::SSLeay::X509_LOOKUP_hash_dir;
+-my $rv = Net::SSLeay::X509_STORE_add_lookup($x509_store, $method);
+-# $method - value corresponding to openssl's X509_LOOKUP_METHOD structure
+-# $x509_store - value corresponding to openssl's X509_STORE structure
+-#
+-# returns: value corresponding to openssl's X509_LOOKUP structure
++ my $method = &Net::SSLeay::X509_LOOKUP_hash_dir;
++ my $rv = Net::SSLeay::X509_STORE_add_lookup($x509_store, $method);
++ # $method - value corresponding to openssl's X509_LOOKUP_METHOD structure
++ # $x509_store - value corresponding to openssl's X509_STORE structure
++ #
++ # returns: value corresponding to openssl's X509_LOOKUP structure
+ 
+ Check openssl doc L<https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_file.html|https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_file.html>
+ 
+@@ -7705,9 +7737,9 @@ Returns an X509_LOOKUP structure that instructs an X509_STORE to
+ load files from a directory containing certificates with filenames
+ in the format I<hash.N> or crls with filenames in the format I<hash.>B<r>I<N>
+ 
+-my $rv = Net::SSLeay::X509_LOOKUP_hash_dir();
+-#
+-# returns: value corresponding to openssl's X509_LOOKUP_METHOD structure, with the hashed directory method
++ my $rv = Net::SSLeay::X509_LOOKUP_hash_dir();
++ #
++ # returns: value corresponding to openssl's X509_LOOKUP_METHOD structure, with the hashed directory method
+ 
+ Check openssl doc L<https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_file.html|https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_file.html>
+ 
+@@ -7716,13 +7748,13 @@ Check openssl doc L<https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_fil
+ Add a directory to an X509_LOOKUP structure, usually obtained from
+ X509_STORE_add_lookup.
+ 
+-my $method = &Net::SSLeay::X509_LOOKUP_hash_dir;
+-my $lookup = Net::SSLeay::X509_STORE_add_lookup($x509_store, $method);
+-my $type = &Net::SSLeay::X509_FILETYPE_PEM;
+-Net::SSLeay::X509_LOOKUP_add_dir($lookup, $dir, $type);
+-# $lookup - value corresponding to openssl's X509_LOOKUP structure
+-# $dir - string path to a directory
+-s# $type - constant corresponding to the type of file in the directory - can be X509_FILETYPE_PEM, X509_FILETYPE_DEFAULT, or X509_FILETYPE_ASN1
++ my $method = &Net::SSLeay::X509_LOOKUP_hash_dir;
++ my $lookup = Net::SSLeay::X509_STORE_add_lookup($x509_store, $method);
++ my $type = &Net::SSLeay::X509_FILETYPE_PEM;
++ Net::SSLeay::X509_LOOKUP_add_dir($lookup, $dir, $type);
++ # $lookup - value corresponding to openssl's X509_LOOKUP structure
++ # $dir - string path to a directory
++ # $type - constant corresponding to the type of file in the directory - can be X509_FILETYPE_PEM, X509_FILETYPE_DEFAULT, or X509_FILETYPE_ASN1
+ 
+ =item * X509_STORE_set_flags
+ 
+@@ -8525,9 +8557,10 @@ Check openssl doc L<http://www.openssl.org/docs/crypto/RSA_new.html|http://www.o
+ Returns a list of pointers to BIGNUMs representing the parameters of the key in
+ this order:
+ (n, e, d, p, q, dmp1, dmq1, iqmp)
++
+ Caution: returned list consists of SV pointers to BIGNUMs, which would need to be blessed as Crypt::OpenSSL::Bignum for further use
+ 
+-my (@params) = RSA_get_key_parameters($r);
++ my (@params) = RSA_get_key_parameters($r);
+ 
+ =back
+ 
+@@ -9128,7 +9161,7 @@ broader binary compatibility, e.g. make application work with both 1.0.2
+ and prior version (in which case call to SSL_ctrl with new code
+ returning error would have to be ignored when running with prior version).
+ 
+-Net::SSLeay::get_tlsa_record_byname($name, $port, $type);
++ Net::SSLeay::get_tlsa_record_byname($name, $port, $type);
+ 
+ =back
+ 
+@@ -9244,6 +9277,129 @@ These functions are only available since OpenSSL 1.1.1.
+ =back
+ 
+ 
++=head3 Low level API: OSSL_LIB_CTX and OSSL_PROVIDER related functions
++
++=over
++
++=item * OSSL_LIB_CTX_get0_global_default
++
++Returns a concrete (non NULL) reference to the global default library context.
++
++ my $libctx = Net::SSLeay::OSSL_LIB_CTX_get0_global_default();
++ # returns: a value corresponding to OSSL_LIB_CTX structure or false on failure
++
++Typically it's simpler to use undef with functions that take an
++OSSL_LIB_CTX argument when global default library context is needed.
++
++Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/OSSL_LIB_CTX_get0_global_default.html|https://www.openssl.org/docs/manmaster/man3/OSSL_LIB_CTX_get0_global_default.html>
++
++=item * OSSL_PROVIDER_load
++
++Loads and initializes a provider
++
++ my $provider = Net::SSLeay::OSSL_PROVIDER_load($libctx, $name);
++ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
++ # $name - (string) provider name, e.g., 'legacy'
++ #
++ # returns: a value corresponding to OSSL_PROVIDER or false on failure
++
++Using undef loads the provider within the global default library context.
++
++ my $provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy');
++
++Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_load.html|https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_load.html>
++
++=item * OSSL_PROVIDER_try_load
++
++Loads and initializes a provider similar to OSSL_PROVIDER_load with additional fallback control.
++
++ my $provider = Net::SSLeay::OSSL_PROVIDER_try_load($libctx, $name, $retain_fallbacks);
++ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
++ # $name - (string) provider name, e.g., 'legacy'
++ # $retain_fallbacks - (integer) 0 or 1
++ #
++ # returns: a value corresponding to OSSL_PROVIDER or false on failure
++
++Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_try_load.html|https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_try_load.html>
++
++=item * OSSL_PROVIDER_unload
++
++Unloads the given provider.
++
++ my $rv = Net::SSLeay::OSSL_PROVIDER_unload($provider);
++ # $provider - a value corresponding to OSSL_PROVIDER
++ #
++ # returns: (integer) 1 on success, 0 on error
++
++Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_unload.html|https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_unload.html>
++
++=item * OSSL_PROVIDER_available
++
++Checks if a named provider is available for use.
++
++ my $rv = Net::SSLeay::OSSL_PROVIDER_available($libctx, $name);
++ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
++ # $name - (string) provider name, e.g., 'legacy'
++ #
++ # returns: (integer) 1 if the named provider is available, otherwise 0.
++
++Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_available.html|https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_available.html>
++
++=item * OSSL_PROVIDER_do_all
++
++Iterates over all loaded providers. A callback is called for each provider.
++
++ my $rv = Net::SSLeay::OSSL_PROVIDER_do_all($libctx, $cb, $cbdata);
++ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
++ # $cb - reference to a perl callback function
++ $ $cbdata - data that will be passed to callback function
++ #
++ # returns: (integer) 1 if all callbacks returned 1, 0 the first time a callback returns 0.
++
++Example:
++
++ sub do_all_cb {
++     my ($provider, $cbdata) = @_;
++
++     my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider);
++     print "Callback for provider: '$name', cbdata: '$cbdata'\n";
++     return 1;
++  }
++  my $data_for_cb = 'Hello';
++
++  # Triggers default provider automatic loading.
++  Net::SSLeay::OSSL_PROVIDER_available(undef, 'default') || die 'default provider not available';
++  Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy') || die 'load legacy';
++  Net::SSLeay::OSSL_PROVIDER_load(undef, 'null')   || die 'load null';
++  Net::SSLeay::OSSL_PROVIDER_do_all(undef, \&do_all_cb, $data_for_cb) || die 'a callback failed';
++
++Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_do_all.html|https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_do_all.html>
++
++=item * OSSL_PROVIDER_get0_name
++
++Returns the name of the given provider.
++
++ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider);
++ # $provider - a value corresponding to OSSL_PROVIDER
++ #
++ # returns: (string) provider name, e.g., 'legacy'
++
++Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_get0_name.html|https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_get0_name.html>
++
++=item * OSSL_PROVIDER_self_test
++
++Runs the provider's self tests.
++
++ my $rv = Net::SSLeay::OSSL_PROVIDER_self_test($provider);
++ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
++ # $provider - a value corresponding to OSSL_PROVIDER
++ #
++ # returns: (integer) returns 1 if the self tests pass, 0 on error
++
++Check openssl doc L<https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_self_test.html|https://www.openssl.org/docs/manmaster/man3/OSSL_PROVIDER_self_test.html>
++
++=back
++
+ =head2 Constants
+ 
+ There are many openssl constants available in L<Net::SSLeay>. You can use them like this:
+@@ -9269,190 +9425,191 @@ The list of all available constant names:
+ 
+ =for comment the next part is the output of: perl helper_script/regen_openssl_constants.pl -gen-pod
+ 
+- ASN1_STRFLGS_ESC_CTRL           NID_netscape                              R_UNKNOWN_REMOTE_ERROR_TYPE
+- ASN1_STRFLGS_ESC_MSB            NID_netscape_base_url                     R_UNKNOWN_STATE
+- ASN1_STRFLGS_ESC_QUOTE          NID_netscape_ca_policy_url                R_X509_LIB
+- ASN1_STRFLGS_RFC2253            NID_netscape_ca_revocation_url            SENT_SHUTDOWN
+- CB_ACCEPT_EXIT                  NID_netscape_cert_extension               SESSION_ASN1_VERSION
+- CB_ACCEPT_LOOP                  NID_netscape_cert_sequence                SESS_CACHE_BOTH
+- CB_ALERT                        NID_netscape_cert_type                    SESS_CACHE_CLIENT
+- CB_CONNECT_EXIT                 NID_netscape_comment                      SESS_CACHE_NO_AUTO_CLEAR
+- CB_CONNECT_LOOP                 NID_netscape_data_type                    SESS_CACHE_NO_INTERNAL
+- CB_EXIT                         NID_netscape_renewal_url                  SESS_CACHE_NO_INTERNAL_LOOKUP
+- CB_HANDSHAKE_DONE               NID_netscape_revocation_url               SESS_CACHE_NO_INTERNAL_STORE
+- CB_HANDSHAKE_START              NID_netscape_ssl_server_name              SESS_CACHE_OFF
+- CB_LOOP                         NID_ns_sgc                                SESS_CACHE_SERVER
+- CB_READ                         NID_organizationName                      SSL3_VERSION
+- CB_READ_ALERT                   NID_organizationalUnitName                SSLEAY_BUILT_ON
+- CB_WRITE                        NID_pbeWithMD2AndDES_CBC                  SSLEAY_CFLAGS
+- CB_WRITE_ALERT                  NID_pbeWithMD2AndRC2_CBC                  SSLEAY_DIR
+- ERROR_NONE                      NID_pbeWithMD5AndCast5_CBC                SSLEAY_PLATFORM
+- ERROR_SSL                       NID_pbeWithMD5AndDES_CBC                  SSLEAY_VERSION
+- ERROR_SYSCALL                   NID_pbeWithMD5AndRC2_CBC                  ST_ACCEPT
+- ERROR_WANT_ACCEPT               NID_pbeWithSHA1AndDES_CBC                 ST_BEFORE
+- ERROR_WANT_CONNECT              NID_pbeWithSHA1AndRC2_CBC                 ST_CONNECT
+- ERROR_WANT_READ                 NID_pbe_WithSHA1And128BitRC2_CBC          ST_INIT
+- ERROR_WANT_WRITE                NID_pbe_WithSHA1And128BitRC4              ST_OK
+- ERROR_WANT_X509_LOOKUP          NID_pbe_WithSHA1And2_Key_TripleDES_CBC    ST_READ_BODY
+- ERROR_ZERO_RETURN               NID_pbe_WithSHA1And3_Key_TripleDES_CBC    ST_READ_HEADER
+- EVP_PKS_DSA                     NID_pbe_WithSHA1And40BitRC2_CBC           TLS1_1_VERSION
+- EVP_PKS_EC                      NID_pbe_WithSHA1And40BitRC4               TLS1_2_VERSION
+- EVP_PKS_RSA                     NID_pbes2                                 TLS1_3_VERSION
+- EVP_PKT_ENC                     NID_pbmac1                                TLS1_VERSION
+- EVP_PKT_EXCH                    NID_pkcs                                  TLSEXT_STATUSTYPE_ocsp
+- EVP_PKT_EXP                     NID_pkcs3                                 VERIFY_CLIENT_ONCE
+- EVP_PKT_SIGN                    NID_pkcs7                                 VERIFY_FAIL_IF_NO_PEER_CERT
+- EVP_PK_DH                       NID_pkcs7_data                            VERIFY_NONE
+- EVP_PK_DSA                      NID_pkcs7_digest                          VERIFY_PEER
+- EVP_PK_EC                       NID_pkcs7_encrypted                       VERIFY_POST_HANDSHAKE
+- EVP_PK_RSA                      NID_pkcs7_enveloped                       V_OCSP_CERTSTATUS_GOOD
+- FILETYPE_ASN1                   NID_pkcs7_signed                          V_OCSP_CERTSTATUS_REVOKED
+- FILETYPE_PEM                    NID_pkcs7_signedAndEnveloped              V_OCSP_CERTSTATUS_UNKNOWN
+- F_CLIENT_CERTIFICATE            NID_pkcs8ShroudedKeyBag                   WRITING
+- F_CLIENT_HELLO                  NID_pkcs9                                 X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+- F_CLIENT_MASTER_KEY             NID_pkcs9_challengePassword               X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+- F_D2I_SSL_SESSION               NID_pkcs9_contentType                     X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+- F_GET_CLIENT_FINISHED           NID_pkcs9_countersignature                X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+- F_GET_CLIENT_HELLO              NID_pkcs9_emailAddress                    X509_CHECK_FLAG_NO_WILDCARDS
+- F_GET_CLIENT_MASTER_KEY         NID_pkcs9_extCertAttributes               X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+- F_GET_SERVER_FINISHED           NID_pkcs9_messageDigest                   X509_FILETYPE_ASN1
+- F_GET_SERVER_HELLO              NID_pkcs9_signingTime                     X509_FILETYPE_DEFAULT
+- F_GET_SERVER_VERIFY             NID_pkcs9_unstructuredAddress             X509_FILETYPE_PEM
+- F_I2D_SSL_SESSION               NID_pkcs9_unstructuredName                X509_LOOKUP
+- F_READ_N                        NID_private_key_usage_period              X509_PURPOSE_ANY
+- F_REQUEST_CERTIFICATE           NID_rc2_40_cbc                            X509_PURPOSE_CRL_SIGN
+- F_SERVER_HELLO                  NID_rc2_64_cbc                            X509_PURPOSE_NS_SSL_SERVER
+- F_SSL_CERT_NEW                  NID_rc2_cbc                               X509_PURPOSE_OCSP_HELPER
+- F_SSL_GET_NEW_SESSION           NID_rc2_cfb64                             X509_PURPOSE_SMIME_ENCRYPT
+- F_SSL_NEW                       NID_rc2_ecb                               X509_PURPOSE_SMIME_SIGN
+- F_SSL_READ                      NID_rc2_ofb64                             X509_PURPOSE_SSL_CLIENT
+- F_SSL_RSA_PRIVATE_DECRYPT       NID_rc4                                   X509_PURPOSE_SSL_SERVER
+- F_SSL_RSA_PUBLIC_ENCRYPT        NID_rc4_40                                X509_PURPOSE_TIMESTAMP_SIGN
+- F_SSL_SESSION_NEW               NID_rc5_cbc                               X509_TRUST_COMPAT
+- F_SSL_SESSION_PRINT_FP          NID_rc5_cfb64                             X509_TRUST_EMAIL
+- F_SSL_SET_FD                    NID_rc5_ecb                               X509_TRUST_OBJECT_SIGN
+- F_SSL_SET_RFD                   NID_rc5_ofb64                             X509_TRUST_OCSP_REQUEST
+- F_SSL_SET_WFD                   NID_ripemd160                             X509_TRUST_OCSP_SIGN
+- F_SSL_USE_CERTIFICATE           NID_ripemd160WithRSA                      X509_TRUST_SSL_CLIENT
+- F_SSL_USE_CERTIFICATE_ASN1      NID_rle_compression                       X509_TRUST_SSL_SERVER
+- F_SSL_USE_CERTIFICATE_FILE      NID_rsa                                   X509_TRUST_TSA
+- F_SSL_USE_PRIVATEKEY            NID_rsaEncryption                         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+- F_SSL_USE_PRIVATEKEY_ASN1       NID_rsadsi                                X509_V_ERR_AKID_SKID_MISMATCH
+- F_SSL_USE_PRIVATEKEY_FILE       NID_safeContentsBag                       X509_V_ERR_APPLICATION_VERIFICATION
+- F_SSL_USE_RSAPRIVATEKEY         NID_sdsiCertificate                       X509_V_ERR_CA_KEY_TOO_SMALL
+- F_SSL_USE_RSAPRIVATEKEY_ASN1    NID_secretBag                             X509_V_ERR_CA_MD_TOO_WEAK
+- F_SSL_USE_RSAPRIVATEKEY_FILE    NID_serialNumber                          X509_V_ERR_CERT_CHAIN_TOO_LONG
+- F_WRITE_PENDING                 NID_server_auth                           X509_V_ERR_CERT_HAS_EXPIRED
+- GEN_DIRNAME                     NID_sha                                   X509_V_ERR_CERT_NOT_YET_VALID
+- GEN_DNS                         NID_sha1                                  X509_V_ERR_CERT_REJECTED
+- GEN_EDIPARTY                    NID_sha1WithRSA                           X509_V_ERR_CERT_REVOKED
+- GEN_EMAIL                       NID_sha1WithRSAEncryption                 X509_V_ERR_CERT_SIGNATURE_FAILURE
+- GEN_IPADD                       NID_shaWithRSAEncryption                  X509_V_ERR_CERT_UNTRUSTED
+- GEN_OTHERNAME                   NID_stateOrProvinceName                   X509_V_ERR_CRL_HAS_EXPIRED
+- GEN_RID                         NID_subject_alt_name                      X509_V_ERR_CRL_NOT_YET_VALID
+- GEN_URI                         NID_subject_key_identifier                X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+- GEN_X400                        NID_surname                               X509_V_ERR_CRL_SIGNATURE_FAILURE
+- LIBRESSL_VERSION_NUMBER         NID_sxnet                                 X509_V_ERR_DANE_NO_MATCH
+- MBSTRING_ASC                    NID_time_stamp                            X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+- MBSTRING_BMP                    NID_title                                 X509_V_ERR_DIFFERENT_CRL_SCOPE
+- MBSTRING_FLAG                   NID_undef                                 X509_V_ERR_EE_KEY_TOO_SMALL
+- MBSTRING_UNIV                   NID_uniqueIdentifier                      X509_V_ERR_EMAIL_MISMATCH
+- MBSTRING_UTF8                   NID_x509Certificate                       X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+- MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_x509Crl                               X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+- MODE_ACCEPT_MOVING_WRITE_BUFFER NID_zlib_compression                      X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+- MODE_AUTO_RETRY                 NOTHING                                   X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+- MODE_ENABLE_PARTIAL_WRITE       OCSP_RESPONSE_STATUS_INTERNALERROR        X509_V_ERR_EXCLUDED_VIOLATION
+- MODE_RELEASE_BUFFERS            OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     X509_V_ERR_HOSTNAME_MISMATCH
+- NID_OCSP_sign                   OCSP_RESPONSE_STATUS_SIGREQUIRED          X509_V_ERR_INVALID_CA
+- NID_SMIMECapabilities           OCSP_RESPONSE_STATUS_SUCCESSFUL           X509_V_ERR_INVALID_CALL
+- NID_X500                        OCSP_RESPONSE_STATUS_TRYLATER             X509_V_ERR_INVALID_EXTENSION
+- NID_X509                        OCSP_RESPONSE_STATUS_UNAUTHORIZED         X509_V_ERR_INVALID_NON_CA
+- NID_ad_OCSP                     OPENSSL_BUILT_ON                          X509_V_ERR_INVALID_POLICY_EXTENSION
+- NID_ad_ca_issuers               OPENSSL_CFLAGS                            X509_V_ERR_INVALID_PURPOSE
+- NID_algorithm                   OPENSSL_DIR                               X509_V_ERR_IP_ADDRESS_MISMATCH
+- NID_authority_key_identifier    OPENSSL_ENGINES_DIR                       X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+- NID_basic_constraints           OPENSSL_PLATFORM                          X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+- NID_bf_cbc                      OPENSSL_VERSION                           X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+- NID_bf_cfb64                    OPENSSL_VERSION_NUMBER                    X509_V_ERR_NO_EXPLICIT_POLICY
+- NID_bf_ecb                      OP_ALL                                    X509_V_ERR_NO_VALID_SCTS
+- NID_bf_ofb64                    OP_ALLOW_NO_DHE_KEX                       X509_V_ERR_OCSP_CERT_UNKNOWN
+- NID_cast5_cbc                   OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      X509_V_ERR_OCSP_VERIFY_FAILED
+- NID_cast5_cfb64                 OP_CIPHER_SERVER_PREFERENCE               X509_V_ERR_OCSP_VERIFY_NEEDED
+- NID_cast5_ecb                   OP_CISCO_ANYCONNECT                       X509_V_ERR_OUT_OF_MEM
+- NID_cast5_ofb64                 OP_COOKIE_EXCHANGE                        X509_V_ERR_PATH_LENGTH_EXCEEDED
+- NID_certBag                     OP_CRYPTOPRO_TLSEXT_BUG                   X509_V_ERR_PATH_LOOP
+- NID_certificate_policies        OP_DONT_INSERT_EMPTY_FRAGMENTS            X509_V_ERR_PERMITTED_VIOLATION
+- NID_client_auth                 OP_ENABLE_MIDDLEBOX_COMPAT                X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+- NID_code_sign                   OP_EPHEMERAL_RSA                          X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+- NID_commonName                  OP_LEGACY_SERVER_CONNECT                  X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
+- NID_countryName                 OP_MICROSOFT_BIG_SSLV3_BUFFER             X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+- NID_crlBag                      OP_MICROSOFT_SESS_ID_BUG                  X509_V_ERR_STORE_LOOKUP
+- NID_crl_distribution_points     OP_MSIE_SSLV2_RSA_PADDING                 X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+- NID_crl_number                  OP_NETSCAPE_CA_DN_BUG                     X509_V_ERR_SUBTREE_MINMAX
+- NID_crl_reason                  OP_NETSCAPE_CHALLENGE_BUG                 X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+- NID_delta_crl                   OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG        X509_V_ERR_SUITE_B_INVALID_ALGORITHM
+- NID_des_cbc                     OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG       X509_V_ERR_SUITE_B_INVALID_CURVE
+- NID_des_cfb64                   OP_NON_EXPORT_FIRST                       X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+- NID_des_ecb                     OP_NO_ANTI_REPLAY                         X509_V_ERR_SUITE_B_INVALID_VERSION
+- NID_des_ede                     OP_NO_CLIENT_RENEGOTIATION                X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
+- NID_des_ede3                    OP_NO_COMPRESSION                         X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+- NID_des_ede3_cbc                OP_NO_ENCRYPT_THEN_MAC                    X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+- NID_des_ede3_cfb64              OP_NO_QUERY_MTU                           X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+- NID_des_ede3_ofb64              OP_NO_RENEGOTIATION                       X509_V_ERR_UNABLE_TO_GET_CRL
+- NID_des_ede_cbc                 OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+- NID_des_ede_cfb64               OP_NO_SSL_MASK                            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+- NID_des_ede_ofb64               OP_NO_SSLv2                               X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+- NID_des_ofb64                   OP_NO_SSLv3                               X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+- NID_description                 OP_NO_TICKET                              X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+- NID_desx_cbc                    OP_NO_TLSv1                               X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+- NID_dhKeyAgreement              OP_NO_TLSv1_1                             X509_V_ERR_UNNESTED_RESOURCE
+- NID_dnQualifier                 OP_NO_TLSv1_2                             X509_V_ERR_UNSPECIFIED
+- NID_dsa                         OP_NO_TLSv1_3                             X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+- NID_dsaWithSHA                  OP_PKCS1_CHECK_1                          X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+- NID_dsaWithSHA1                 OP_PKCS1_CHECK_2                          X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+- NID_dsaWithSHA1_2               OP_PRIORITIZE_CHACHA                      X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+- NID_dsa_2                       OP_SAFARI_ECDHE_ECDSA_BUG                 X509_V_FLAG_ALLOW_PROXY_CERTS
+- NID_email_protect               OP_SINGLE_DH_USE                          X509_V_FLAG_CB_ISSUER_CHECK
+- NID_ext_key_usage               OP_SINGLE_ECDH_USE                        X509_V_FLAG_CHECK_SS_SIGNATURE
+- NID_ext_req                     OP_SSLEAY_080_CLIENT_DH_BUG               X509_V_FLAG_CRL_CHECK
+- NID_friendlyName                OP_SSLREF2_REUSE_CERT_TYPE_BUG            X509_V_FLAG_CRL_CHECK_ALL
+- NID_givenName                   OP_TLSEXT_PADDING                         X509_V_FLAG_EXPLICIT_POLICY
+- NID_hmacWithSHA1                OP_TLS_BLOCK_PADDING_BUG                  X509_V_FLAG_EXTENDED_CRL_SUPPORT
+- NID_id_ad                       OP_TLS_D5_BUG                             X509_V_FLAG_IGNORE_CRITICAL
+- NID_id_ce                       OP_TLS_ROLLBACK_BUG                       X509_V_FLAG_INHIBIT_ANY
+- NID_id_kp                       READING                                   X509_V_FLAG_INHIBIT_MAP
+- NID_id_pbkdf2                   RECEIVED_SHUTDOWN                         X509_V_FLAG_NOTIFY_POLICY
+- NID_id_pe                       RSA_3                                     X509_V_FLAG_NO_ALT_CHAINS
+- NID_id_pkix                     RSA_F4                                    X509_V_FLAG_NO_CHECK_TIME
+- NID_id_qt_cps                   R_BAD_AUTHENTICATION_TYPE                 X509_V_FLAG_PARTIAL_CHAIN
+- NID_id_qt_unotice               R_BAD_CHECKSUM                            X509_V_FLAG_POLICY_CHECK
+- NID_idea_cbc                    R_BAD_MAC_DECODE                          X509_V_FLAG_POLICY_MASK
+- NID_idea_cfb64                  R_BAD_RESPONSE_ARGUMENT                   X509_V_FLAG_SUITEB_128_LOS
+- NID_idea_ecb                    R_BAD_SSL_FILETYPE                        X509_V_FLAG_SUITEB_128_LOS_ONLY
+- NID_idea_ofb64                  R_BAD_SSL_SESSION_ID_LENGTH               X509_V_FLAG_SUITEB_192_LOS
+- NID_info_access                 R_BAD_STATE                               X509_V_FLAG_TRUSTED_FIRST
+- NID_initials                    R_BAD_WRITE_RETRY                         X509_V_FLAG_USE_CHECK_TIME
+- NID_invalidity_date             R_CHALLENGE_IS_DIFFERENT                  X509_V_FLAG_USE_DELTAS
+- NID_issuer_alt_name             R_CIPHER_TABLE_SRC_ERROR                  X509_V_FLAG_X509_STRICT
+- NID_keyBag                      R_INVALID_CHALLENGE_LENGTH                X509_V_OK
+- NID_key_usage                   R_NO_CERTIFICATE_SET                      XN_FLAG_COMPAT
+- NID_localKeyID                  R_NO_CERTIFICATE_SPECIFIED                XN_FLAG_DN_REV
+- NID_localityName                R_NO_CIPHER_LIST                          XN_FLAG_DUMP_UNKNOWN_FIELDS
+- NID_md2                         R_NO_CIPHER_MATCH                         XN_FLAG_FN_ALIGN
+- NID_md2WithRSAEncryption        R_NO_PRIVATEKEY                           XN_FLAG_FN_LN
+- NID_md5                         R_NO_PUBLICKEY                            XN_FLAG_FN_MASK
+- NID_md5WithRSA                  R_NULL_SSL_CTX                            XN_FLAG_FN_NONE
+- NID_md5WithRSAEncryption        R_PEER_DID_NOT_RETURN_A_CERTIFICATE       XN_FLAG_FN_OID
+- NID_md5_sha1                    R_PEER_ERROR                              XN_FLAG_FN_SN
+- NID_mdc2                        R_PEER_ERROR_CERTIFICATE                  XN_FLAG_MULTILINE
+- NID_mdc2WithRSA                 R_PEER_ERROR_NO_CIPHER                    XN_FLAG_ONELINE
+- NID_ms_code_com                 R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253
+- NID_ms_code_ind                 R_PUBLIC_KEY_ENCRYPT_ERROR                XN_FLAG_SEP_COMMA_PLUS
+- NID_ms_ctl_sign                 R_PUBLIC_KEY_IS_NOT_RSA                   XN_FLAG_SEP_CPLUS_SPC
+- NID_ms_efs                      R_READ_WRONG_PACKET_TYPE                  XN_FLAG_SEP_MASK
+- NID_ms_ext_req                  R_SHORT_READ                              XN_FLAG_SEP_MULTILINE
+- NID_ms_sgc                      R_SSL_SESSION_ID_IS_DIFFERENT             XN_FLAG_SEP_SPLUS_SPC
+- NID_name                        R_UNABLE_TO_EXTRACT_PUBLIC_KEY            XN_FLAG_SPC_EQ
++ ASN1_STRFLGS_ESC_CTRL           NID_netscape_base_url                     R_X509_LIB
++ ASN1_STRFLGS_ESC_MSB            NID_netscape_ca_policy_url                SENT_SHUTDOWN
++ ASN1_STRFLGS_ESC_QUOTE          NID_netscape_ca_revocation_url            SESSION_ASN1_VERSION
++ ASN1_STRFLGS_RFC2253            NID_netscape_cert_extension               SESS_CACHE_BOTH
++ CB_ACCEPT_EXIT                  NID_netscape_cert_sequence                SESS_CACHE_CLIENT
++ CB_ACCEPT_LOOP                  NID_netscape_cert_type                    SESS_CACHE_NO_AUTO_CLEAR
++ CB_ALERT                        NID_netscape_comment                      SESS_CACHE_NO_INTERNAL
++ CB_CONNECT_EXIT                 NID_netscape_data_type                    SESS_CACHE_NO_INTERNAL_LOOKUP
++ CB_CONNECT_LOOP                 NID_netscape_renewal_url                  SESS_CACHE_NO_INTERNAL_STORE
++ CB_EXIT                         NID_netscape_revocation_url               SESS_CACHE_OFF
++ CB_HANDSHAKE_DONE               NID_netscape_ssl_server_name              SESS_CACHE_SERVER
++ CB_HANDSHAKE_START              NID_ns_sgc                                SSL3_VERSION
++ CB_LOOP                         NID_organizationName                      SSLEAY_BUILT_ON
++ CB_READ                         NID_organizationalUnitName                SSLEAY_CFLAGS
++ CB_READ_ALERT                   NID_pbeWithMD2AndDES_CBC                  SSLEAY_DIR
++ CB_WRITE                        NID_pbeWithMD2AndRC2_CBC                  SSLEAY_PLATFORM
++ CB_WRITE_ALERT                  NID_pbeWithMD5AndCast5_CBC                SSLEAY_VERSION
++ ERROR_NONE                      NID_pbeWithMD5AndDES_CBC                  ST_ACCEPT
++ ERROR_SSL                       NID_pbeWithMD5AndRC2_CBC                  ST_BEFORE
++ ERROR_SYSCALL                   NID_pbeWithSHA1AndDES_CBC                 ST_CONNECT
++ ERROR_WANT_ACCEPT               NID_pbeWithSHA1AndRC2_CBC                 ST_INIT
++ ERROR_WANT_CONNECT              NID_pbe_WithSHA1And128BitRC2_CBC          ST_OK
++ ERROR_WANT_READ                 NID_pbe_WithSHA1And128BitRC4              ST_READ_BODY
++ ERROR_WANT_WRITE                NID_pbe_WithSHA1And2_Key_TripleDES_CBC    ST_READ_HEADER
++ ERROR_WANT_X509_LOOKUP          NID_pbe_WithSHA1And3_Key_TripleDES_CBC    TLS1_1_VERSION
++ ERROR_ZERO_RETURN               NID_pbe_WithSHA1And40BitRC2_CBC           TLS1_2_VERSION
++ EVP_PKS_DSA                     NID_pbe_WithSHA1And40BitRC4               TLS1_3_VERSION
++ EVP_PKS_EC                      NID_pbes2                                 TLS1_VERSION
++ EVP_PKS_RSA                     NID_pbmac1                                TLSEXT_STATUSTYPE_ocsp
++ EVP_PKT_ENC                     NID_pkcs                                  VERIFY_CLIENT_ONCE
++ EVP_PKT_EXCH                    NID_pkcs3                                 VERIFY_FAIL_IF_NO_PEER_CERT
++ EVP_PKT_EXP                     NID_pkcs7                                 VERIFY_NONE
++ EVP_PKT_SIGN                    NID_pkcs7_data                            VERIFY_PEER
++ EVP_PK_DH                       NID_pkcs7_digest                          VERIFY_POST_HANDSHAKE
++ EVP_PK_DSA                      NID_pkcs7_encrypted                       V_OCSP_CERTSTATUS_GOOD
++ EVP_PK_EC                       NID_pkcs7_enveloped                       V_OCSP_CERTSTATUS_REVOKED
++ EVP_PK_RSA                      NID_pkcs7_signed                          V_OCSP_CERTSTATUS_UNKNOWN
++ FILETYPE_ASN1                   NID_pkcs7_signedAndEnveloped              WRITING
++ FILETYPE_PEM                    NID_pkcs8ShroudedKeyBag                   X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
++ F_CLIENT_CERTIFICATE            NID_pkcs9                                 X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
++ F_CLIENT_HELLO                  NID_pkcs9_challengePassword               X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
++ F_CLIENT_MASTER_KEY             NID_pkcs9_contentType                     X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
++ F_D2I_SSL_SESSION               NID_pkcs9_countersignature                X509_CHECK_FLAG_NO_WILDCARDS
++ F_GET_CLIENT_FINISHED           NID_pkcs9_emailAddress                    X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
++ F_GET_CLIENT_HELLO              NID_pkcs9_extCertAttributes               X509_FILETYPE_ASN1
++ F_GET_CLIENT_MASTER_KEY         NID_pkcs9_messageDigest                   X509_FILETYPE_DEFAULT
++ F_GET_SERVER_FINISHED           NID_pkcs9_signingTime                     X509_FILETYPE_PEM
++ F_GET_SERVER_HELLO              NID_pkcs9_unstructuredAddress             X509_LOOKUP
++ F_GET_SERVER_VERIFY             NID_pkcs9_unstructuredName                X509_PURPOSE_ANY
++ F_I2D_SSL_SESSION               NID_private_key_usage_period              X509_PURPOSE_CRL_SIGN
++ F_READ_N                        NID_rc2_40_cbc                            X509_PURPOSE_NS_SSL_SERVER
++ F_REQUEST_CERTIFICATE           NID_rc2_64_cbc                            X509_PURPOSE_OCSP_HELPER
++ F_SERVER_HELLO                  NID_rc2_cbc                               X509_PURPOSE_SMIME_ENCRYPT
++ F_SSL_CERT_NEW                  NID_rc2_cfb64                             X509_PURPOSE_SMIME_SIGN
++ F_SSL_GET_NEW_SESSION           NID_rc2_ecb                               X509_PURPOSE_SSL_CLIENT
++ F_SSL_NEW                       NID_rc2_ofb64                             X509_PURPOSE_SSL_SERVER
++ F_SSL_READ                      NID_rc4                                   X509_PURPOSE_TIMESTAMP_SIGN
++ F_SSL_RSA_PRIVATE_DECRYPT       NID_rc4_40                                X509_TRUST_COMPAT
++ F_SSL_RSA_PUBLIC_ENCRYPT        NID_rc5_cbc                               X509_TRUST_EMAIL
++ F_SSL_SESSION_NEW               NID_rc5_cfb64                             X509_TRUST_OBJECT_SIGN
++ F_SSL_SESSION_PRINT_FP          NID_rc5_ecb                               X509_TRUST_OCSP_REQUEST
++ F_SSL_SET_FD                    NID_rc5_ofb64                             X509_TRUST_OCSP_SIGN
++ F_SSL_SET_RFD                   NID_ripemd160                             X509_TRUST_SSL_CLIENT
++ F_SSL_SET_WFD                   NID_ripemd160WithRSA                      X509_TRUST_SSL_SERVER
++ F_SSL_USE_CERTIFICATE           NID_rle_compression                       X509_TRUST_TSA
++ F_SSL_USE_CERTIFICATE_ASN1      NID_rsa                                   X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
++ F_SSL_USE_CERTIFICATE_FILE      NID_rsaEncryption                         X509_V_ERR_AKID_SKID_MISMATCH
++ F_SSL_USE_PRIVATEKEY            NID_rsadsi                                X509_V_ERR_APPLICATION_VERIFICATION
++ F_SSL_USE_PRIVATEKEY_ASN1       NID_safeContentsBag                       X509_V_ERR_CA_KEY_TOO_SMALL
++ F_SSL_USE_PRIVATEKEY_FILE       NID_sdsiCertificate                       X509_V_ERR_CA_MD_TOO_WEAK
++ F_SSL_USE_RSAPRIVATEKEY         NID_secretBag                             X509_V_ERR_CERT_CHAIN_TOO_LONG
++ F_SSL_USE_RSAPRIVATEKEY_ASN1    NID_serialNumber                          X509_V_ERR_CERT_HAS_EXPIRED
++ F_SSL_USE_RSAPRIVATEKEY_FILE    NID_server_auth                           X509_V_ERR_CERT_NOT_YET_VALID
++ F_WRITE_PENDING                 NID_sha                                   X509_V_ERR_CERT_REJECTED
++ GEN_DIRNAME                     NID_sha1                                  X509_V_ERR_CERT_REVOKED
++ GEN_DNS                         NID_sha1WithRSA                           X509_V_ERR_CERT_SIGNATURE_FAILURE
++ GEN_EDIPARTY                    NID_sha1WithRSAEncryption                 X509_V_ERR_CERT_UNTRUSTED
++ GEN_EMAIL                       NID_shaWithRSAEncryption                  X509_V_ERR_CRL_HAS_EXPIRED
++ GEN_IPADD                       NID_stateOrProvinceName                   X509_V_ERR_CRL_NOT_YET_VALID
++ GEN_OTHERNAME                   NID_subject_alt_name                      X509_V_ERR_CRL_PATH_VALIDATION_ERROR
++ GEN_RID                         NID_subject_key_identifier                X509_V_ERR_CRL_SIGNATURE_FAILURE
++ GEN_URI                         NID_surname                               X509_V_ERR_DANE_NO_MATCH
++ GEN_X400                        NID_sxnet                                 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
++ LIBRESSL_VERSION_NUMBER         NID_time_stamp                            X509_V_ERR_DIFFERENT_CRL_SCOPE
++ MBSTRING_ASC                    NID_title                                 X509_V_ERR_EE_KEY_TOO_SMALL
++ MBSTRING_BMP                    NID_undef                                 X509_V_ERR_EMAIL_MISMATCH
++ MBSTRING_FLAG                   NID_uniqueIdentifier                      X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
++ MBSTRING_UNIV                   NID_x509Certificate                       X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
++ MBSTRING_UTF8                   NID_x509Crl                               X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
++ MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_zlib_compression                      X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
++ MODE_ACCEPT_MOVING_WRITE_BUFFER NOTHING                                   X509_V_ERR_EXCLUDED_VIOLATION
++ MODE_AUTO_RETRY                 OCSP_RESPONSE_STATUS_INTERNALERROR        X509_V_ERR_HOSTNAME_MISMATCH
++ MODE_ENABLE_PARTIAL_WRITE       OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     X509_V_ERR_INVALID_CA
++ MODE_RELEASE_BUFFERS            OCSP_RESPONSE_STATUS_SIGREQUIRED          X509_V_ERR_INVALID_CALL
++ NID_OCSP_sign                   OCSP_RESPONSE_STATUS_SUCCESSFUL           X509_V_ERR_INVALID_EXTENSION
++ NID_SMIMECapabilities           OCSP_RESPONSE_STATUS_TRYLATER             X509_V_ERR_INVALID_NON_CA
++ NID_X500                        OCSP_RESPONSE_STATUS_UNAUTHORIZED         X509_V_ERR_INVALID_POLICY_EXTENSION
++ NID_X509                        OPENSSL_BUILT_ON                          X509_V_ERR_INVALID_PURPOSE
++ NID_ad_OCSP                     OPENSSL_CFLAGS                            X509_V_ERR_IP_ADDRESS_MISMATCH
++ NID_ad_ca_issuers               OPENSSL_DIR                               X509_V_ERR_KEYUSAGE_NO_CERTSIGN
++ NID_algorithm                   OPENSSL_ENGINES_DIR                       X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
++ NID_authority_key_identifier    OPENSSL_PLATFORM                          X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
++ NID_basic_constraints           OPENSSL_VERSION                           X509_V_ERR_NO_EXPLICIT_POLICY
++ NID_bf_cbc                      OPENSSL_VERSION_NUMBER                    X509_V_ERR_NO_VALID_SCTS
++ NID_bf_cfb64                    OP_ALL                                    X509_V_ERR_OCSP_CERT_UNKNOWN
++ NID_bf_ecb                      OP_ALLOW_NO_DHE_KEX                       X509_V_ERR_OCSP_VERIFY_FAILED
++ NID_bf_ofb64                    OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      X509_V_ERR_OCSP_VERIFY_NEEDED
++ NID_cast5_cbc                   OP_CIPHER_SERVER_PREFERENCE               X509_V_ERR_OUT_OF_MEM
++ NID_cast5_cfb64                 OP_CISCO_ANYCONNECT                       X509_V_ERR_PATH_LENGTH_EXCEEDED
++ NID_cast5_ecb                   OP_COOKIE_EXCHANGE                        X509_V_ERR_PATH_LOOP
++ NID_cast5_ofb64                 OP_CRYPTOPRO_TLSEXT_BUG                   X509_V_ERR_PERMITTED_VIOLATION
++ NID_certBag                     OP_DONT_INSERT_EMPTY_FRAGMENTS            X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
++ NID_certificate_policies        OP_ENABLE_MIDDLEBOX_COMPAT                X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
++ NID_client_auth                 OP_EPHEMERAL_RSA                          X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
++ NID_code_sign                   OP_LEGACY_SERVER_CONNECT                  X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
++ NID_commonName                  OP_MICROSOFT_BIG_SSLV3_BUFFER             X509_V_ERR_STORE_LOOKUP
++ NID_countryName                 OP_MICROSOFT_SESS_ID_BUG                  X509_V_ERR_SUBJECT_ISSUER_MISMATCH
++ NID_crlBag                      OP_MSIE_SSLV2_RSA_PADDING                 X509_V_ERR_SUBTREE_MINMAX
++ NID_crl_distribution_points     OP_NETSCAPE_CA_DN_BUG                     X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
++ NID_crl_number                  OP_NETSCAPE_CHALLENGE_BUG                 X509_V_ERR_SUITE_B_INVALID_ALGORITHM
++ NID_crl_reason                  OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG        X509_V_ERR_SUITE_B_INVALID_CURVE
++ NID_delta_crl                   OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG       X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
++ NID_des_cbc                     OP_NON_EXPORT_FIRST                       X509_V_ERR_SUITE_B_INVALID_VERSION
++ NID_des_cfb64                   OP_NO_ANTI_REPLAY                         X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
++ NID_des_ecb                     OP_NO_CLIENT_RENEGOTIATION                X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
++ NID_des_ede                     OP_NO_COMPRESSION                         X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
++ NID_des_ede3                    OP_NO_ENCRYPT_THEN_MAC                    X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
++ NID_des_ede3_cbc                OP_NO_QUERY_MTU                           X509_V_ERR_UNABLE_TO_GET_CRL
++ NID_des_ede3_cfb64              OP_NO_RENEGOTIATION                       X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
++ NID_des_ede3_ofb64              OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
++ NID_des_ede_cbc                 OP_NO_SSL_MASK                            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
++ NID_des_ede_cfb64               OP_NO_SSLv2                               X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
++ NID_des_ede_ofb64               OP_NO_SSLv3                               X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
++ NID_des_ofb64                   OP_NO_TICKET                              X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
++ NID_description                 OP_NO_TLSv1                               X509_V_ERR_UNNESTED_RESOURCE
++ NID_desx_cbc                    OP_NO_TLSv1_1                             X509_V_ERR_UNSPECIFIED
++ NID_dhKeyAgreement              OP_NO_TLSv1_2                             X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
++ NID_dnQualifier                 OP_NO_TLSv1_3                             X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
++ NID_dsa                         OP_PKCS1_CHECK_1                          X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
++ NID_dsaWithSHA                  OP_PKCS1_CHECK_2                          X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
++ NID_dsaWithSHA1                 OP_PRIORITIZE_CHACHA                      X509_V_FLAG_ALLOW_PROXY_CERTS
++ NID_dsaWithSHA1_2               OP_SAFARI_ECDHE_ECDSA_BUG                 X509_V_FLAG_CB_ISSUER_CHECK
++ NID_dsa_2                       OP_SINGLE_DH_USE                          X509_V_FLAG_CHECK_SS_SIGNATURE
++ NID_email_protect               OP_SINGLE_ECDH_USE                        X509_V_FLAG_CRL_CHECK
++ NID_ext_key_usage               OP_SSLEAY_080_CLIENT_DH_BUG               X509_V_FLAG_CRL_CHECK_ALL
++ NID_ext_req                     OP_SSLREF2_REUSE_CERT_TYPE_BUG            X509_V_FLAG_EXPLICIT_POLICY
++ NID_friendlyName                OP_TLSEXT_PADDING                         X509_V_FLAG_EXTENDED_CRL_SUPPORT
++ NID_givenName                   OP_TLS_BLOCK_PADDING_BUG                  X509_V_FLAG_IGNORE_CRITICAL
++ NID_hmacWithSHA1                OP_TLS_D5_BUG                             X509_V_FLAG_INHIBIT_ANY
++ NID_id_ad                       OP_TLS_ROLLBACK_BUG                       X509_V_FLAG_INHIBIT_MAP
++ NID_id_ce                       READING                                   X509_V_FLAG_LEGACY_VERIFY
++ NID_id_kp                       RECEIVED_SHUTDOWN                         X509_V_FLAG_NOTIFY_POLICY
++ NID_id_pbkdf2                   RSA_3                                     X509_V_FLAG_NO_ALT_CHAINS
++ NID_id_pe                       RSA_F4                                    X509_V_FLAG_NO_CHECK_TIME
++ NID_id_pkix                     R_BAD_AUTHENTICATION_TYPE                 X509_V_FLAG_PARTIAL_CHAIN
++ NID_id_qt_cps                   R_BAD_CHECKSUM                            X509_V_FLAG_POLICY_CHECK
++ NID_id_qt_unotice               R_BAD_MAC_DECODE                          X509_V_FLAG_POLICY_MASK
++ NID_idea_cbc                    R_BAD_RESPONSE_ARGUMENT                   X509_V_FLAG_SUITEB_128_LOS
++ NID_idea_cfb64                  R_BAD_SSL_FILETYPE                        X509_V_FLAG_SUITEB_128_LOS_ONLY
++ NID_idea_ecb                    R_BAD_SSL_SESSION_ID_LENGTH               X509_V_FLAG_SUITEB_192_LOS
++ NID_idea_ofb64                  R_BAD_STATE                               X509_V_FLAG_TRUSTED_FIRST
++ NID_info_access                 R_BAD_WRITE_RETRY                         X509_V_FLAG_USE_CHECK_TIME
++ NID_initials                    R_CHALLENGE_IS_DIFFERENT                  X509_V_FLAG_USE_DELTAS
++ NID_invalidity_date             R_CIPHER_TABLE_SRC_ERROR                  X509_V_FLAG_X509_STRICT
++ NID_issuer_alt_name             R_INVALID_CHALLENGE_LENGTH                X509_V_OK
++ NID_keyBag                      R_NO_CERTIFICATE_SET                      XN_FLAG_COMPAT
++ NID_key_usage                   R_NO_CERTIFICATE_SPECIFIED                XN_FLAG_DN_REV
++ NID_localKeyID                  R_NO_CIPHER_LIST                          XN_FLAG_DUMP_UNKNOWN_FIELDS
++ NID_localityName                R_NO_CIPHER_MATCH                         XN_FLAG_FN_ALIGN
++ NID_md2                         R_NO_PRIVATEKEY                           XN_FLAG_FN_LN
++ NID_md2WithRSAEncryption        R_NO_PUBLICKEY                            XN_FLAG_FN_MASK
++ NID_md5                         R_NULL_SSL_CTX                            XN_FLAG_FN_NONE
++ NID_md5WithRSA                  R_PEER_DID_NOT_RETURN_A_CERTIFICATE       XN_FLAG_FN_OID
++ NID_md5WithRSAEncryption        R_PEER_ERROR                              XN_FLAG_FN_SN
++ NID_md5_sha1                    R_PEER_ERROR_CERTIFICATE                  XN_FLAG_MULTILINE
++ NID_mdc2                        R_PEER_ERROR_NO_CIPHER                    XN_FLAG_ONELINE
++ NID_mdc2WithRSA                 R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253
++ NID_ms_code_com                 R_PUBLIC_KEY_ENCRYPT_ERROR                XN_FLAG_SEP_COMMA_PLUS
++ NID_ms_code_ind                 R_PUBLIC_KEY_IS_NOT_RSA                   XN_FLAG_SEP_CPLUS_SPC
++ NID_ms_ctl_sign                 R_READ_WRONG_PACKET_TYPE                  XN_FLAG_SEP_MASK
++ NID_ms_efs                      R_SHORT_READ                              XN_FLAG_SEP_MULTILINE
++ NID_ms_ext_req                  R_SSL_SESSION_ID_IS_DIFFERENT             XN_FLAG_SEP_SPLUS_SPC
++ NID_ms_sgc                      R_UNABLE_TO_EXTRACT_PUBLIC_KEY            XN_FLAG_SPC_EQ
++ NID_name                        R_UNKNOWN_REMOTE_ERROR_TYPE
++ NID_netscape                    R_UNKNOWN_STATE
+ 
+ =head2 INTERNAL ONLY functions (do not use these)
+ 
+diff --git a/t/local/04_basic.t b/t/local/04_basic.t
+index d669782..92fe63e 100644
+--- a/t/local/04_basic.t
++++ b/t/local/04_basic.t
+@@ -3,24 +3,19 @@
+ use lib 'inc';
+ 
+ use Net::SSLeay;
+-use Test::Net::SSLeay;
++use Test::Net::SSLeay qw(lives_ok);
+ 
+ plan tests => 16;
+ 
+-eval "use Test::Exception;";
+-SKIP: {
+-    skip 'Test::Exception required for some tests', 8 if $@;
+-    lives_ok( sub { Net::SSLeay::randomize() }, 'seed pseudorandom number generator' );
+-    lives_ok( sub { Net::SSLeay::ERR_load_crypto_strings() }, 'load libcrypto error strings' );
+-    lives_ok( sub { Net::SSLeay::load_error_strings() }, 'load libssl error strings' );
+-    lives_ok( sub { Net::SSLeay::library_init() }, 'register default TLS ciphers and digest functions' );
+-    lives_ok( sub { Net::SSLeay::OpenSSL_add_all_digests() }, 'register all digest functions' );
+-    #version numbers: 0x00903100 ~ 0.9.3, 0x0090600f ~ 0.6.9
+-    ok( Net::SSLeay::SSLeay() >= 0x00903100, 'SSLeay (version min 0.9.3)' );
+-    isnt( Net::SSLeay::SSLeay_version(), '', 'SSLeay (version string)' );
+-    is( Net::SSLeay::SSLeay_version(),  Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()), 'SSLeay_version optional argument' );
+-}
+-
++lives_ok( sub { Net::SSLeay::randomize() }, 'seed pseudorandom number generator' );
++lives_ok( sub { Net::SSLeay::ERR_load_crypto_strings() }, 'load libcrypto error strings' );
++lives_ok( sub { Net::SSLeay::load_error_strings() }, 'load libssl error strings' );
++lives_ok( sub { Net::SSLeay::library_init() }, 'register default TLS ciphers and digest functions' );
++lives_ok( sub { Net::SSLeay::OpenSSL_add_all_digests() }, 'register all digest functions' );
++#version numbers: 0x00903100 ~ 0.9.3, 0x0090600f ~ 0.6.9
++ok( Net::SSLeay::SSLeay() >= 0x00903100, 'SSLeay (version min 0.9.3)' );
++isnt( Net::SSLeay::SSLeay_version(), '', 'SSLeay (version string)' );
++is( Net::SSLeay::SSLeay_version(),  Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()), 'SSLeay_version optional argument' );
+ is(Net::SSLeay::hello(), 1, 'hello world');
+ 
+ if (exists &Net::SSLeay::OpenSSL_version)
+diff --git a/t/local/06_tcpecho.t b/t/local/06_tcpecho.t
+index bc5c90e..e92c0eb 100644
+--- a/t/local/06_tcpecho.t
++++ b/t/local/06_tcpecho.t
+@@ -30,7 +30,7 @@ my $pid;
+         ok(Net::SSLeay::tcp_write_all(uc($got)), 'tcp_write_all');
+ 
+         close Net::SSLeay::SSLCAT_S;
+-        $server->close();
++        $server->close() || die("server listen socket close: $!");
+ 
+         exit;
+     }
+@@ -42,6 +42,8 @@ my @results;
+     push @results, [ $got eq uc($msg), 'sent and received correctly' ];
+ }
+ 
++$server->close() || die("client listen socket close: $!");
++
+ waitpid $pid, 0;
+ push @results, [ $? == 0, 'server exited with 0' ];
+ 
+diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t
+index b0298e2..a430bfc 100644
+--- a/t/local/07_sslecho.t
++++ b/t/local/07_sslecho.t
+@@ -94,11 +94,11 @@ $ENV{RND_SEED} = '1234567890123456789012345678901234567890';
+ 	    }
+ 
+             Net::SSLeay::free($ssl);
+-            close $ns;
++            close($ns) || die("server close: $!");
+         }
+ 
+         Net::SSLeay::CTX_free($ctx);
+-        $server->close();
++	$server->close() || die("server listen socket close: $!");
+ 
+         exit;
+     }
+@@ -133,7 +133,7 @@ my @results;
+     Net::SSLeay::CTX_free($ctx);
+ 
+     shutdown($s, 2);
+-    close $s;
++    close($s) || die("client close: $!");
+ 
+ }
+ 
+@@ -199,9 +199,9 @@ my @results;
+ 	    push @results, [Net::SSLeay::shutdown($ssl3) >= 0, 'client side ssl3 shutdown' ];
+             shutdown $s3, 2;
+ 
+-            close $s1;
+-            close $s2;
+-            close $s3;
++            close($s1) || die("client close s1: $!");
++            close($s2) || die("client close s2: $!");
++            close($s3) || die("client close s3: $!");
+ 
+             Net::SSLeay::free($ssl1);
+             Net::SSLeay::free($ssl2);
+@@ -314,9 +314,11 @@ my @results;
+     Net::SSLeay::free($ssl);
+     Net::SSLeay::CTX_free($ctx);
+ 
+-    close $s;
++    close($s) || die("client close: $!");
+ }
+ 
++$server->close() || die("client listen socket close: $!");
++
+ waitpid $pid, 0;
+ push @results, [ $? == 0, 'server exited with 0' ];
+ 
+diff --git a/t/local/11_read.t b/t/local/11_read.t
+index 876dc23..bab0ec0 100644
+--- a/t/local/11_read.t
++++ b/t/local/11_read.t
+@@ -59,8 +59,11 @@ sub server
+ 
+ 	    my $msg = Net::SSLeay::read($ssl);
+ 	    Net::SSLeay::write($ssl, $msg);
++	    Net::SSLeay::shutdown($ssl);
++	    Net::SSLeay::free($ssl);
++	    close($cl) || die("client close: $!");
+ 	}
+-    $server->close();
++	$server->close() || die("server listen socket close: $!");
+ 	exit(0);
+     }
+ }
+@@ -90,7 +93,9 @@ sub client
+ 
+ 	Net::SSLeay::shutdown($ssl);
+ 	Net::SSLeay::free($ssl);
++	close($cl) || die("client close: $!");
+     }
++    $server->close() || die("client listen socket close: $!");
+     return;
+ }
+ 
+diff --git a/t/local/21_constants.t b/t/local/21_constants.t
+index df12312..31b92ae 100644
+--- a/t/local/21_constants.t
++++ b/t/local/21_constants.t
+@@ -4,209 +4,211 @@
+ use lib 'inc';
+ 
+ use Net::SSLeay;
+-use Test::Net::SSLeay;
++use Test::Net::SSLeay qw(dies_like);
+ 
+-eval "use Test::Exception;";
+-if ($@) {
+-    plan skip_all => 'Some tests need Test::Exception';
+-} else {
+-    plan tests => 553;
+-}
++# We rely on symbolic references to run the dies_like() tests:
++no strict 'refs';
++
++plan tests => 554;
+ 
+ my @c = (qw/
+- ASN1_STRFLGS_ESC_CTRL           NID_netscape                              R_UNKNOWN_REMOTE_ERROR_TYPE
+- ASN1_STRFLGS_ESC_MSB            NID_netscape_base_url                     R_UNKNOWN_STATE
+- ASN1_STRFLGS_ESC_QUOTE          NID_netscape_ca_policy_url                R_X509_LIB
+- ASN1_STRFLGS_RFC2253            NID_netscape_ca_revocation_url            SENT_SHUTDOWN
+- CB_ACCEPT_EXIT                  NID_netscape_cert_extension               SESSION_ASN1_VERSION
+- CB_ACCEPT_LOOP                  NID_netscape_cert_sequence                SESS_CACHE_BOTH
+- CB_ALERT                        NID_netscape_cert_type                    SESS_CACHE_CLIENT
+- CB_CONNECT_EXIT                 NID_netscape_comment                      SESS_CACHE_NO_AUTO_CLEAR
+- CB_CONNECT_LOOP                 NID_netscape_data_type                    SESS_CACHE_NO_INTERNAL
+- CB_EXIT                         NID_netscape_renewal_url                  SESS_CACHE_NO_INTERNAL_LOOKUP
+- CB_HANDSHAKE_DONE               NID_netscape_revocation_url               SESS_CACHE_NO_INTERNAL_STORE
+- CB_HANDSHAKE_START              NID_netscape_ssl_server_name              SESS_CACHE_OFF
+- CB_LOOP                         NID_ns_sgc                                SESS_CACHE_SERVER
+- CB_READ                         NID_organizationName                      SSL3_VERSION
+- CB_READ_ALERT                   NID_organizationalUnitName                SSLEAY_BUILT_ON
+- CB_WRITE                        NID_pbeWithMD2AndDES_CBC                  SSLEAY_CFLAGS
+- CB_WRITE_ALERT                  NID_pbeWithMD2AndRC2_CBC                  SSLEAY_DIR
+- ERROR_NONE                      NID_pbeWithMD5AndCast5_CBC                SSLEAY_PLATFORM
+- ERROR_SSL                       NID_pbeWithMD5AndDES_CBC                  SSLEAY_VERSION
+- ERROR_SYSCALL                   NID_pbeWithMD5AndRC2_CBC                  ST_ACCEPT
+- ERROR_WANT_ACCEPT               NID_pbeWithSHA1AndDES_CBC                 ST_BEFORE
+- ERROR_WANT_CONNECT              NID_pbeWithSHA1AndRC2_CBC                 ST_CONNECT
+- ERROR_WANT_READ                 NID_pbe_WithSHA1And128BitRC2_CBC          ST_INIT
+- ERROR_WANT_WRITE                NID_pbe_WithSHA1And128BitRC4              ST_OK
+- ERROR_WANT_X509_LOOKUP          NID_pbe_WithSHA1And2_Key_TripleDES_CBC    ST_READ_BODY
+- ERROR_ZERO_RETURN               NID_pbe_WithSHA1And3_Key_TripleDES_CBC    ST_READ_HEADER
+- EVP_PKS_DSA                     NID_pbe_WithSHA1And40BitRC2_CBC           TLS1_1_VERSION
+- EVP_PKS_EC                      NID_pbe_WithSHA1And40BitRC4               TLS1_2_VERSION
+- EVP_PKS_RSA                     NID_pbes2                                 TLS1_3_VERSION
+- EVP_PKT_ENC                     NID_pbmac1                                TLS1_VERSION
+- EVP_PKT_EXCH                    NID_pkcs                                  TLSEXT_STATUSTYPE_ocsp
+- EVP_PKT_EXP                     NID_pkcs3                                 VERIFY_CLIENT_ONCE
+- EVP_PKT_SIGN                    NID_pkcs7                                 VERIFY_FAIL_IF_NO_PEER_CERT
+- EVP_PK_DH                       NID_pkcs7_data                            VERIFY_NONE
+- EVP_PK_DSA                      NID_pkcs7_digest                          VERIFY_PEER
+- EVP_PK_EC                       NID_pkcs7_encrypted                       VERIFY_POST_HANDSHAKE
+- EVP_PK_RSA                      NID_pkcs7_enveloped                       V_OCSP_CERTSTATUS_GOOD
+- FILETYPE_ASN1                   NID_pkcs7_signed                          V_OCSP_CERTSTATUS_REVOKED
+- FILETYPE_PEM                    NID_pkcs7_signedAndEnveloped              V_OCSP_CERTSTATUS_UNKNOWN
+- F_CLIENT_CERTIFICATE            NID_pkcs8ShroudedKeyBag                   WRITING
+- F_CLIENT_HELLO                  NID_pkcs9                                 X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+- F_CLIENT_MASTER_KEY             NID_pkcs9_challengePassword               X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+- F_D2I_SSL_SESSION               NID_pkcs9_contentType                     X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+- F_GET_CLIENT_FINISHED           NID_pkcs9_countersignature                X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+- F_GET_CLIENT_HELLO              NID_pkcs9_emailAddress                    X509_CHECK_FLAG_NO_WILDCARDS
+- F_GET_CLIENT_MASTER_KEY         NID_pkcs9_extCertAttributes               X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+- F_GET_SERVER_FINISHED           NID_pkcs9_messageDigest                   X509_FILETYPE_ASN1
+- F_GET_SERVER_HELLO              NID_pkcs9_signingTime                     X509_FILETYPE_DEFAULT
+- F_GET_SERVER_VERIFY             NID_pkcs9_unstructuredAddress             X509_FILETYPE_PEM
+- F_I2D_SSL_SESSION               NID_pkcs9_unstructuredName                X509_LOOKUP
+- F_READ_N                        NID_private_key_usage_period              X509_PURPOSE_ANY
+- F_REQUEST_CERTIFICATE           NID_rc2_40_cbc                            X509_PURPOSE_CRL_SIGN
+- F_SERVER_HELLO                  NID_rc2_64_cbc                            X509_PURPOSE_NS_SSL_SERVER
+- F_SSL_CERT_NEW                  NID_rc2_cbc                               X509_PURPOSE_OCSP_HELPER
+- F_SSL_GET_NEW_SESSION           NID_rc2_cfb64                             X509_PURPOSE_SMIME_ENCRYPT
+- F_SSL_NEW                       NID_rc2_ecb                               X509_PURPOSE_SMIME_SIGN
+- F_SSL_READ                      NID_rc2_ofb64                             X509_PURPOSE_SSL_CLIENT
+- F_SSL_RSA_PRIVATE_DECRYPT       NID_rc4                                   X509_PURPOSE_SSL_SERVER
+- F_SSL_RSA_PUBLIC_ENCRYPT        NID_rc4_40                                X509_PURPOSE_TIMESTAMP_SIGN
+- F_SSL_SESSION_NEW               NID_rc5_cbc                               X509_TRUST_COMPAT
+- F_SSL_SESSION_PRINT_FP          NID_rc5_cfb64                             X509_TRUST_EMAIL
+- F_SSL_SET_FD                    NID_rc5_ecb                               X509_TRUST_OBJECT_SIGN
+- F_SSL_SET_RFD                   NID_rc5_ofb64                             X509_TRUST_OCSP_REQUEST
+- F_SSL_SET_WFD                   NID_ripemd160                             X509_TRUST_OCSP_SIGN
+- F_SSL_USE_CERTIFICATE           NID_ripemd160WithRSA                      X509_TRUST_SSL_CLIENT
+- F_SSL_USE_CERTIFICATE_ASN1      NID_rle_compression                       X509_TRUST_SSL_SERVER
+- F_SSL_USE_CERTIFICATE_FILE      NID_rsa                                   X509_TRUST_TSA
+- F_SSL_USE_PRIVATEKEY            NID_rsaEncryption                         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+- F_SSL_USE_PRIVATEKEY_ASN1       NID_rsadsi                                X509_V_ERR_AKID_SKID_MISMATCH
+- F_SSL_USE_PRIVATEKEY_FILE       NID_safeContentsBag                       X509_V_ERR_APPLICATION_VERIFICATION
+- F_SSL_USE_RSAPRIVATEKEY         NID_sdsiCertificate                       X509_V_ERR_CA_KEY_TOO_SMALL
+- F_SSL_USE_RSAPRIVATEKEY_ASN1    NID_secretBag                             X509_V_ERR_CA_MD_TOO_WEAK
+- F_SSL_USE_RSAPRIVATEKEY_FILE    NID_serialNumber                          X509_V_ERR_CERT_CHAIN_TOO_LONG
+- F_WRITE_PENDING                 NID_server_auth                           X509_V_ERR_CERT_HAS_EXPIRED
+- GEN_DIRNAME                     NID_sha                                   X509_V_ERR_CERT_NOT_YET_VALID
+- GEN_DNS                         NID_sha1                                  X509_V_ERR_CERT_REJECTED
+- GEN_EDIPARTY                    NID_sha1WithRSA                           X509_V_ERR_CERT_REVOKED
+- GEN_EMAIL                       NID_sha1WithRSAEncryption                 X509_V_ERR_CERT_SIGNATURE_FAILURE
+- GEN_IPADD                       NID_shaWithRSAEncryption                  X509_V_ERR_CERT_UNTRUSTED
+- GEN_OTHERNAME                   NID_stateOrProvinceName                   X509_V_ERR_CRL_HAS_EXPIRED
+- GEN_RID                         NID_subject_alt_name                      X509_V_ERR_CRL_NOT_YET_VALID
+- GEN_URI                         NID_subject_key_identifier                X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+- GEN_X400                        NID_surname                               X509_V_ERR_CRL_SIGNATURE_FAILURE
+- LIBRESSL_VERSION_NUMBER         NID_sxnet                                 X509_V_ERR_DANE_NO_MATCH
+- MBSTRING_ASC                    NID_time_stamp                            X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+- MBSTRING_BMP                    NID_title                                 X509_V_ERR_DIFFERENT_CRL_SCOPE
+- MBSTRING_FLAG                   NID_undef                                 X509_V_ERR_EE_KEY_TOO_SMALL
+- MBSTRING_UNIV                   NID_uniqueIdentifier                      X509_V_ERR_EMAIL_MISMATCH
+- MBSTRING_UTF8                   NID_x509Certificate                       X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+- MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_x509Crl                               X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+- MODE_ACCEPT_MOVING_WRITE_BUFFER NID_zlib_compression                      X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+- MODE_AUTO_RETRY                 NOTHING                                   X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+- MODE_ENABLE_PARTIAL_WRITE       OCSP_RESPONSE_STATUS_INTERNALERROR        X509_V_ERR_EXCLUDED_VIOLATION
+- MODE_RELEASE_BUFFERS            OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     X509_V_ERR_HOSTNAME_MISMATCH
+- NID_OCSP_sign                   OCSP_RESPONSE_STATUS_SIGREQUIRED          X509_V_ERR_INVALID_CA
+- NID_SMIMECapabilities           OCSP_RESPONSE_STATUS_SUCCESSFUL           X509_V_ERR_INVALID_CALL
+- NID_X500                        OCSP_RESPONSE_STATUS_TRYLATER             X509_V_ERR_INVALID_EXTENSION
+- NID_X509                        OCSP_RESPONSE_STATUS_UNAUTHORIZED         X509_V_ERR_INVALID_NON_CA
+- NID_ad_OCSP                     OPENSSL_BUILT_ON                          X509_V_ERR_INVALID_POLICY_EXTENSION
+- NID_ad_ca_issuers               OPENSSL_CFLAGS                            X509_V_ERR_INVALID_PURPOSE
+- NID_algorithm                   OPENSSL_DIR                               X509_V_ERR_IP_ADDRESS_MISMATCH
+- NID_authority_key_identifier    OPENSSL_ENGINES_DIR                       X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+- NID_basic_constraints           OPENSSL_PLATFORM                          X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+- NID_bf_cbc                      OPENSSL_VERSION                           X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+- NID_bf_cfb64                    OPENSSL_VERSION_NUMBER                    X509_V_ERR_NO_EXPLICIT_POLICY
+- NID_bf_ecb                      OP_ALL                                    X509_V_ERR_NO_VALID_SCTS
+- NID_bf_ofb64                    OP_ALLOW_NO_DHE_KEX                       X509_V_ERR_OCSP_CERT_UNKNOWN
+- NID_cast5_cbc                   OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      X509_V_ERR_OCSP_VERIFY_FAILED
+- NID_cast5_cfb64                 OP_CIPHER_SERVER_PREFERENCE               X509_V_ERR_OCSP_VERIFY_NEEDED
+- NID_cast5_ecb                   OP_CISCO_ANYCONNECT                       X509_V_ERR_OUT_OF_MEM
+- NID_cast5_ofb64                 OP_COOKIE_EXCHANGE                        X509_V_ERR_PATH_LENGTH_EXCEEDED
+- NID_certBag                     OP_CRYPTOPRO_TLSEXT_BUG                   X509_V_ERR_PATH_LOOP
+- NID_certificate_policies        OP_DONT_INSERT_EMPTY_FRAGMENTS            X509_V_ERR_PERMITTED_VIOLATION
+- NID_client_auth                 OP_ENABLE_MIDDLEBOX_COMPAT                X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+- NID_code_sign                   OP_EPHEMERAL_RSA                          X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+- NID_commonName                  OP_LEGACY_SERVER_CONNECT                  X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
+- NID_countryName                 OP_MICROSOFT_BIG_SSLV3_BUFFER             X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+- NID_crlBag                      OP_MICROSOFT_SESS_ID_BUG                  X509_V_ERR_STORE_LOOKUP
+- NID_crl_distribution_points     OP_MSIE_SSLV2_RSA_PADDING                 X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+- NID_crl_number                  OP_NETSCAPE_CA_DN_BUG                     X509_V_ERR_SUBTREE_MINMAX
+- NID_crl_reason                  OP_NETSCAPE_CHALLENGE_BUG                 X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+- NID_delta_crl                   OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG        X509_V_ERR_SUITE_B_INVALID_ALGORITHM
+- NID_des_cbc                     OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG       X509_V_ERR_SUITE_B_INVALID_CURVE
+- NID_des_cfb64                   OP_NON_EXPORT_FIRST                       X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+- NID_des_ecb                     OP_NO_ANTI_REPLAY                         X509_V_ERR_SUITE_B_INVALID_VERSION
+- NID_des_ede                     OP_NO_CLIENT_RENEGOTIATION                X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
+- NID_des_ede3                    OP_NO_COMPRESSION                         X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+- NID_des_ede3_cbc                OP_NO_ENCRYPT_THEN_MAC                    X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+- NID_des_ede3_cfb64              OP_NO_QUERY_MTU                           X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+- NID_des_ede3_ofb64              OP_NO_RENEGOTIATION                       X509_V_ERR_UNABLE_TO_GET_CRL
+- NID_des_ede_cbc                 OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+- NID_des_ede_cfb64               OP_NO_SSL_MASK                            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+- NID_des_ede_ofb64               OP_NO_SSLv2                               X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+- NID_des_ofb64                   OP_NO_SSLv3                               X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+- NID_description                 OP_NO_TICKET                              X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+- NID_desx_cbc                    OP_NO_TLSv1                               X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+- NID_dhKeyAgreement              OP_NO_TLSv1_1                             X509_V_ERR_UNNESTED_RESOURCE
+- NID_dnQualifier                 OP_NO_TLSv1_2                             X509_V_ERR_UNSPECIFIED
+- NID_dsa                         OP_NO_TLSv1_3                             X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+- NID_dsaWithSHA                  OP_PKCS1_CHECK_1                          X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+- NID_dsaWithSHA1                 OP_PKCS1_CHECK_2                          X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+- NID_dsaWithSHA1_2               OP_PRIORITIZE_CHACHA                      X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+- NID_dsa_2                       OP_SAFARI_ECDHE_ECDSA_BUG                 X509_V_FLAG_ALLOW_PROXY_CERTS
+- NID_email_protect               OP_SINGLE_DH_USE                          X509_V_FLAG_CB_ISSUER_CHECK
+- NID_ext_key_usage               OP_SINGLE_ECDH_USE                        X509_V_FLAG_CHECK_SS_SIGNATURE
+- NID_ext_req                     OP_SSLEAY_080_CLIENT_DH_BUG               X509_V_FLAG_CRL_CHECK
+- NID_friendlyName                OP_SSLREF2_REUSE_CERT_TYPE_BUG            X509_V_FLAG_CRL_CHECK_ALL
+- NID_givenName                   OP_TLSEXT_PADDING                         X509_V_FLAG_EXPLICIT_POLICY
+- NID_hmacWithSHA1                OP_TLS_BLOCK_PADDING_BUG                  X509_V_FLAG_EXTENDED_CRL_SUPPORT
+- NID_id_ad                       OP_TLS_D5_BUG                             X509_V_FLAG_IGNORE_CRITICAL
+- NID_id_ce                       OP_TLS_ROLLBACK_BUG                       X509_V_FLAG_INHIBIT_ANY
+- NID_id_kp                       READING                                   X509_V_FLAG_INHIBIT_MAP
+- NID_id_pbkdf2                   RECEIVED_SHUTDOWN                         X509_V_FLAG_NOTIFY_POLICY
+- NID_id_pe                       RSA_3                                     X509_V_FLAG_NO_ALT_CHAINS
+- NID_id_pkix                     RSA_F4                                    X509_V_FLAG_NO_CHECK_TIME
+- NID_id_qt_cps                   R_BAD_AUTHENTICATION_TYPE                 X509_V_FLAG_PARTIAL_CHAIN
+- NID_id_qt_unotice               R_BAD_CHECKSUM                            X509_V_FLAG_POLICY_CHECK
+- NID_idea_cbc                    R_BAD_MAC_DECODE                          X509_V_FLAG_POLICY_MASK
+- NID_idea_cfb64                  R_BAD_RESPONSE_ARGUMENT                   X509_V_FLAG_SUITEB_128_LOS
+- NID_idea_ecb                    R_BAD_SSL_FILETYPE                        X509_V_FLAG_SUITEB_128_LOS_ONLY
+- NID_idea_ofb64                  R_BAD_SSL_SESSION_ID_LENGTH               X509_V_FLAG_SUITEB_192_LOS
+- NID_info_access                 R_BAD_STATE                               X509_V_FLAG_TRUSTED_FIRST
+- NID_initials                    R_BAD_WRITE_RETRY                         X509_V_FLAG_USE_CHECK_TIME
+- NID_invalidity_date             R_CHALLENGE_IS_DIFFERENT                  X509_V_FLAG_USE_DELTAS
+- NID_issuer_alt_name             R_CIPHER_TABLE_SRC_ERROR                  X509_V_FLAG_X509_STRICT
+- NID_keyBag                      R_INVALID_CHALLENGE_LENGTH                X509_V_OK
+- NID_key_usage                   R_NO_CERTIFICATE_SET                      XN_FLAG_COMPAT
+- NID_localKeyID                  R_NO_CERTIFICATE_SPECIFIED                XN_FLAG_DN_REV
+- NID_localityName                R_NO_CIPHER_LIST                          XN_FLAG_DUMP_UNKNOWN_FIELDS
+- NID_md2                         R_NO_CIPHER_MATCH                         XN_FLAG_FN_ALIGN
+- NID_md2WithRSAEncryption        R_NO_PRIVATEKEY                           XN_FLAG_FN_LN
+- NID_md5                         R_NO_PUBLICKEY                            XN_FLAG_FN_MASK
+- NID_md5WithRSA                  R_NULL_SSL_CTX                            XN_FLAG_FN_NONE
+- NID_md5WithRSAEncryption        R_PEER_DID_NOT_RETURN_A_CERTIFICATE       XN_FLAG_FN_OID
+- NID_md5_sha1                    R_PEER_ERROR                              XN_FLAG_FN_SN
+- NID_mdc2                        R_PEER_ERROR_CERTIFICATE                  XN_FLAG_MULTILINE
+- NID_mdc2WithRSA                 R_PEER_ERROR_NO_CIPHER                    XN_FLAG_ONELINE
+- NID_ms_code_com                 R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253
+- NID_ms_code_ind                 R_PUBLIC_KEY_ENCRYPT_ERROR                XN_FLAG_SEP_COMMA_PLUS
+- NID_ms_ctl_sign                 R_PUBLIC_KEY_IS_NOT_RSA                   XN_FLAG_SEP_CPLUS_SPC
+- NID_ms_efs                      R_READ_WRONG_PACKET_TYPE                  XN_FLAG_SEP_MASK
+- NID_ms_ext_req                  R_SHORT_READ                              XN_FLAG_SEP_MULTILINE
+- NID_ms_sgc                      R_SSL_SESSION_ID_IS_DIFFERENT             XN_FLAG_SEP_SPLUS_SPC
+- NID_name                        R_UNABLE_TO_EXTRACT_PUBLIC_KEY            XN_FLAG_SPC_EQ
++ ASN1_STRFLGS_ESC_CTRL           NID_netscape_base_url                     R_X509_LIB
++ ASN1_STRFLGS_ESC_MSB            NID_netscape_ca_policy_url                SENT_SHUTDOWN
++ ASN1_STRFLGS_ESC_QUOTE          NID_netscape_ca_revocation_url            SESSION_ASN1_VERSION
++ ASN1_STRFLGS_RFC2253            NID_netscape_cert_extension               SESS_CACHE_BOTH
++ CB_ACCEPT_EXIT                  NID_netscape_cert_sequence                SESS_CACHE_CLIENT
++ CB_ACCEPT_LOOP                  NID_netscape_cert_type                    SESS_CACHE_NO_AUTO_CLEAR
++ CB_ALERT                        NID_netscape_comment                      SESS_CACHE_NO_INTERNAL
++ CB_CONNECT_EXIT                 NID_netscape_data_type                    SESS_CACHE_NO_INTERNAL_LOOKUP
++ CB_CONNECT_LOOP                 NID_netscape_renewal_url                  SESS_CACHE_NO_INTERNAL_STORE
++ CB_EXIT                         NID_netscape_revocation_url               SESS_CACHE_OFF
++ CB_HANDSHAKE_DONE               NID_netscape_ssl_server_name              SESS_CACHE_SERVER
++ CB_HANDSHAKE_START              NID_ns_sgc                                SSL3_VERSION
++ CB_LOOP                         NID_organizationName                      SSLEAY_BUILT_ON
++ CB_READ                         NID_organizationalUnitName                SSLEAY_CFLAGS
++ CB_READ_ALERT                   NID_pbeWithMD2AndDES_CBC                  SSLEAY_DIR
++ CB_WRITE                        NID_pbeWithMD2AndRC2_CBC                  SSLEAY_PLATFORM
++ CB_WRITE_ALERT                  NID_pbeWithMD5AndCast5_CBC                SSLEAY_VERSION
++ ERROR_NONE                      NID_pbeWithMD5AndDES_CBC                  ST_ACCEPT
++ ERROR_SSL                       NID_pbeWithMD5AndRC2_CBC                  ST_BEFORE
++ ERROR_SYSCALL                   NID_pbeWithSHA1AndDES_CBC                 ST_CONNECT
++ ERROR_WANT_ACCEPT               NID_pbeWithSHA1AndRC2_CBC                 ST_INIT
++ ERROR_WANT_CONNECT              NID_pbe_WithSHA1And128BitRC2_CBC          ST_OK
++ ERROR_WANT_READ                 NID_pbe_WithSHA1And128BitRC4              ST_READ_BODY
++ ERROR_WANT_WRITE                NID_pbe_WithSHA1And2_Key_TripleDES_CBC    ST_READ_HEADER
++ ERROR_WANT_X509_LOOKUP          NID_pbe_WithSHA1And3_Key_TripleDES_CBC    TLS1_1_VERSION
++ ERROR_ZERO_RETURN               NID_pbe_WithSHA1And40BitRC2_CBC           TLS1_2_VERSION
++ EVP_PKS_DSA                     NID_pbe_WithSHA1And40BitRC4               TLS1_3_VERSION
++ EVP_PKS_EC                      NID_pbes2                                 TLS1_VERSION
++ EVP_PKS_RSA                     NID_pbmac1                                TLSEXT_STATUSTYPE_ocsp
++ EVP_PKT_ENC                     NID_pkcs                                  VERIFY_CLIENT_ONCE
++ EVP_PKT_EXCH                    NID_pkcs3                                 VERIFY_FAIL_IF_NO_PEER_CERT
++ EVP_PKT_EXP                     NID_pkcs7                                 VERIFY_NONE
++ EVP_PKT_SIGN                    NID_pkcs7_data                            VERIFY_PEER
++ EVP_PK_DH                       NID_pkcs7_digest                          VERIFY_POST_HANDSHAKE
++ EVP_PK_DSA                      NID_pkcs7_encrypted                       V_OCSP_CERTSTATUS_GOOD
++ EVP_PK_EC                       NID_pkcs7_enveloped                       V_OCSP_CERTSTATUS_REVOKED
++ EVP_PK_RSA                      NID_pkcs7_signed                          V_OCSP_CERTSTATUS_UNKNOWN
++ FILETYPE_ASN1                   NID_pkcs7_signedAndEnveloped              WRITING
++ FILETYPE_PEM                    NID_pkcs8ShroudedKeyBag                   X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
++ F_CLIENT_CERTIFICATE            NID_pkcs9                                 X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
++ F_CLIENT_HELLO                  NID_pkcs9_challengePassword               X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
++ F_CLIENT_MASTER_KEY             NID_pkcs9_contentType                     X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
++ F_D2I_SSL_SESSION               NID_pkcs9_countersignature                X509_CHECK_FLAG_NO_WILDCARDS
++ F_GET_CLIENT_FINISHED           NID_pkcs9_emailAddress                    X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
++ F_GET_CLIENT_HELLO              NID_pkcs9_extCertAttributes               X509_FILETYPE_ASN1
++ F_GET_CLIENT_MASTER_KEY         NID_pkcs9_messageDigest                   X509_FILETYPE_DEFAULT
++ F_GET_SERVER_FINISHED           NID_pkcs9_signingTime                     X509_FILETYPE_PEM
++ F_GET_SERVER_HELLO              NID_pkcs9_unstructuredAddress             X509_LOOKUP
++ F_GET_SERVER_VERIFY             NID_pkcs9_unstructuredName                X509_PURPOSE_ANY
++ F_I2D_SSL_SESSION               NID_private_key_usage_period              X509_PURPOSE_CRL_SIGN
++ F_READ_N                        NID_rc2_40_cbc                            X509_PURPOSE_NS_SSL_SERVER
++ F_REQUEST_CERTIFICATE           NID_rc2_64_cbc                            X509_PURPOSE_OCSP_HELPER
++ F_SERVER_HELLO                  NID_rc2_cbc                               X509_PURPOSE_SMIME_ENCRYPT
++ F_SSL_CERT_NEW                  NID_rc2_cfb64                             X509_PURPOSE_SMIME_SIGN
++ F_SSL_GET_NEW_SESSION           NID_rc2_ecb                               X509_PURPOSE_SSL_CLIENT
++ F_SSL_NEW                       NID_rc2_ofb64                             X509_PURPOSE_SSL_SERVER
++ F_SSL_READ                      NID_rc4                                   X509_PURPOSE_TIMESTAMP_SIGN
++ F_SSL_RSA_PRIVATE_DECRYPT       NID_rc4_40                                X509_TRUST_COMPAT
++ F_SSL_RSA_PUBLIC_ENCRYPT        NID_rc5_cbc                               X509_TRUST_EMAIL
++ F_SSL_SESSION_NEW               NID_rc5_cfb64                             X509_TRUST_OBJECT_SIGN
++ F_SSL_SESSION_PRINT_FP          NID_rc5_ecb                               X509_TRUST_OCSP_REQUEST
++ F_SSL_SET_FD                    NID_rc5_ofb64                             X509_TRUST_OCSP_SIGN
++ F_SSL_SET_RFD                   NID_ripemd160                             X509_TRUST_SSL_CLIENT
++ F_SSL_SET_WFD                   NID_ripemd160WithRSA                      X509_TRUST_SSL_SERVER
++ F_SSL_USE_CERTIFICATE           NID_rle_compression                       X509_TRUST_TSA
++ F_SSL_USE_CERTIFICATE_ASN1      NID_rsa                                   X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
++ F_SSL_USE_CERTIFICATE_FILE      NID_rsaEncryption                         X509_V_ERR_AKID_SKID_MISMATCH
++ F_SSL_USE_PRIVATEKEY            NID_rsadsi                                X509_V_ERR_APPLICATION_VERIFICATION
++ F_SSL_USE_PRIVATEKEY_ASN1       NID_safeContentsBag                       X509_V_ERR_CA_KEY_TOO_SMALL
++ F_SSL_USE_PRIVATEKEY_FILE       NID_sdsiCertificate                       X509_V_ERR_CA_MD_TOO_WEAK
++ F_SSL_USE_RSAPRIVATEKEY         NID_secretBag                             X509_V_ERR_CERT_CHAIN_TOO_LONG
++ F_SSL_USE_RSAPRIVATEKEY_ASN1    NID_serialNumber                          X509_V_ERR_CERT_HAS_EXPIRED
++ F_SSL_USE_RSAPRIVATEKEY_FILE    NID_server_auth                           X509_V_ERR_CERT_NOT_YET_VALID
++ F_WRITE_PENDING                 NID_sha                                   X509_V_ERR_CERT_REJECTED
++ GEN_DIRNAME                     NID_sha1                                  X509_V_ERR_CERT_REVOKED
++ GEN_DNS                         NID_sha1WithRSA                           X509_V_ERR_CERT_SIGNATURE_FAILURE
++ GEN_EDIPARTY                    NID_sha1WithRSAEncryption                 X509_V_ERR_CERT_UNTRUSTED
++ GEN_EMAIL                       NID_shaWithRSAEncryption                  X509_V_ERR_CRL_HAS_EXPIRED
++ GEN_IPADD                       NID_stateOrProvinceName                   X509_V_ERR_CRL_NOT_YET_VALID
++ GEN_OTHERNAME                   NID_subject_alt_name                      X509_V_ERR_CRL_PATH_VALIDATION_ERROR
++ GEN_RID                         NID_subject_key_identifier                X509_V_ERR_CRL_SIGNATURE_FAILURE
++ GEN_URI                         NID_surname                               X509_V_ERR_DANE_NO_MATCH
++ GEN_X400                        NID_sxnet                                 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
++ LIBRESSL_VERSION_NUMBER         NID_time_stamp                            X509_V_ERR_DIFFERENT_CRL_SCOPE
++ MBSTRING_ASC                    NID_title                                 X509_V_ERR_EE_KEY_TOO_SMALL
++ MBSTRING_BMP                    NID_undef                                 X509_V_ERR_EMAIL_MISMATCH
++ MBSTRING_FLAG                   NID_uniqueIdentifier                      X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
++ MBSTRING_UNIV                   NID_x509Certificate                       X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
++ MBSTRING_UTF8                   NID_x509Crl                               X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
++ MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_zlib_compression                      X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
++ MODE_ACCEPT_MOVING_WRITE_BUFFER NOTHING                                   X509_V_ERR_EXCLUDED_VIOLATION
++ MODE_AUTO_RETRY                 OCSP_RESPONSE_STATUS_INTERNALERROR        X509_V_ERR_HOSTNAME_MISMATCH
++ MODE_ENABLE_PARTIAL_WRITE       OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     X509_V_ERR_INVALID_CA
++ MODE_RELEASE_BUFFERS            OCSP_RESPONSE_STATUS_SIGREQUIRED          X509_V_ERR_INVALID_CALL
++ NID_OCSP_sign                   OCSP_RESPONSE_STATUS_SUCCESSFUL           X509_V_ERR_INVALID_EXTENSION
++ NID_SMIMECapabilities           OCSP_RESPONSE_STATUS_TRYLATER             X509_V_ERR_INVALID_NON_CA
++ NID_X500                        OCSP_RESPONSE_STATUS_UNAUTHORIZED         X509_V_ERR_INVALID_POLICY_EXTENSION
++ NID_X509                        OPENSSL_BUILT_ON                          X509_V_ERR_INVALID_PURPOSE
++ NID_ad_OCSP                     OPENSSL_CFLAGS                            X509_V_ERR_IP_ADDRESS_MISMATCH
++ NID_ad_ca_issuers               OPENSSL_DIR                               X509_V_ERR_KEYUSAGE_NO_CERTSIGN
++ NID_algorithm                   OPENSSL_ENGINES_DIR                       X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
++ NID_authority_key_identifier    OPENSSL_PLATFORM                          X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
++ NID_basic_constraints           OPENSSL_VERSION                           X509_V_ERR_NO_EXPLICIT_POLICY
++ NID_bf_cbc                      OPENSSL_VERSION_NUMBER                    X509_V_ERR_NO_VALID_SCTS
++ NID_bf_cfb64                    OP_ALL                                    X509_V_ERR_OCSP_CERT_UNKNOWN
++ NID_bf_ecb                      OP_ALLOW_NO_DHE_KEX                       X509_V_ERR_OCSP_VERIFY_FAILED
++ NID_bf_ofb64                    OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      X509_V_ERR_OCSP_VERIFY_NEEDED
++ NID_cast5_cbc                   OP_CIPHER_SERVER_PREFERENCE               X509_V_ERR_OUT_OF_MEM
++ NID_cast5_cfb64                 OP_CISCO_ANYCONNECT                       X509_V_ERR_PATH_LENGTH_EXCEEDED
++ NID_cast5_ecb                   OP_COOKIE_EXCHANGE                        X509_V_ERR_PATH_LOOP
++ NID_cast5_ofb64                 OP_CRYPTOPRO_TLSEXT_BUG                   X509_V_ERR_PERMITTED_VIOLATION
++ NID_certBag                     OP_DONT_INSERT_EMPTY_FRAGMENTS            X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
++ NID_certificate_policies        OP_ENABLE_MIDDLEBOX_COMPAT                X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
++ NID_client_auth                 OP_EPHEMERAL_RSA                          X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
++ NID_code_sign                   OP_LEGACY_SERVER_CONNECT                  X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
++ NID_commonName                  OP_MICROSOFT_BIG_SSLV3_BUFFER             X509_V_ERR_STORE_LOOKUP
++ NID_countryName                 OP_MICROSOFT_SESS_ID_BUG                  X509_V_ERR_SUBJECT_ISSUER_MISMATCH
++ NID_crlBag                      OP_MSIE_SSLV2_RSA_PADDING                 X509_V_ERR_SUBTREE_MINMAX
++ NID_crl_distribution_points     OP_NETSCAPE_CA_DN_BUG                     X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
++ NID_crl_number                  OP_NETSCAPE_CHALLENGE_BUG                 X509_V_ERR_SUITE_B_INVALID_ALGORITHM
++ NID_crl_reason                  OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG        X509_V_ERR_SUITE_B_INVALID_CURVE
++ NID_delta_crl                   OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG       X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
++ NID_des_cbc                     OP_NON_EXPORT_FIRST                       X509_V_ERR_SUITE_B_INVALID_VERSION
++ NID_des_cfb64                   OP_NO_ANTI_REPLAY                         X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
++ NID_des_ecb                     OP_NO_CLIENT_RENEGOTIATION                X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
++ NID_des_ede                     OP_NO_COMPRESSION                         X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
++ NID_des_ede3                    OP_NO_ENCRYPT_THEN_MAC                    X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
++ NID_des_ede3_cbc                OP_NO_QUERY_MTU                           X509_V_ERR_UNABLE_TO_GET_CRL
++ NID_des_ede3_cfb64              OP_NO_RENEGOTIATION                       X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
++ NID_des_ede3_ofb64              OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
++ NID_des_ede_cbc                 OP_NO_SSL_MASK                            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
++ NID_des_ede_cfb64               OP_NO_SSLv2                               X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
++ NID_des_ede_ofb64               OP_NO_SSLv3                               X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
++ NID_des_ofb64                   OP_NO_TICKET                              X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
++ NID_description                 OP_NO_TLSv1                               X509_V_ERR_UNNESTED_RESOURCE
++ NID_desx_cbc                    OP_NO_TLSv1_1                             X509_V_ERR_UNSPECIFIED
++ NID_dhKeyAgreement              OP_NO_TLSv1_2                             X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
++ NID_dnQualifier                 OP_NO_TLSv1_3                             X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
++ NID_dsa                         OP_PKCS1_CHECK_1                          X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
++ NID_dsaWithSHA                  OP_PKCS1_CHECK_2                          X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
++ NID_dsaWithSHA1                 OP_PRIORITIZE_CHACHA                      X509_V_FLAG_ALLOW_PROXY_CERTS
++ NID_dsaWithSHA1_2               OP_SAFARI_ECDHE_ECDSA_BUG                 X509_V_FLAG_CB_ISSUER_CHECK
++ NID_dsa_2                       OP_SINGLE_DH_USE                          X509_V_FLAG_CHECK_SS_SIGNATURE
++ NID_email_protect               OP_SINGLE_ECDH_USE                        X509_V_FLAG_CRL_CHECK
++ NID_ext_key_usage               OP_SSLEAY_080_CLIENT_DH_BUG               X509_V_FLAG_CRL_CHECK_ALL
++ NID_ext_req                     OP_SSLREF2_REUSE_CERT_TYPE_BUG            X509_V_FLAG_EXPLICIT_POLICY
++ NID_friendlyName                OP_TLSEXT_PADDING                         X509_V_FLAG_EXTENDED_CRL_SUPPORT
++ NID_givenName                   OP_TLS_BLOCK_PADDING_BUG                  X509_V_FLAG_IGNORE_CRITICAL
++ NID_hmacWithSHA1                OP_TLS_D5_BUG                             X509_V_FLAG_INHIBIT_ANY
++ NID_id_ad                       OP_TLS_ROLLBACK_BUG                       X509_V_FLAG_INHIBIT_MAP
++ NID_id_ce                       READING                                   X509_V_FLAG_LEGACY_VERIFY
++ NID_id_kp                       RECEIVED_SHUTDOWN                         X509_V_FLAG_NOTIFY_POLICY
++ NID_id_pbkdf2                   RSA_3                                     X509_V_FLAG_NO_ALT_CHAINS
++ NID_id_pe                       RSA_F4                                    X509_V_FLAG_NO_CHECK_TIME
++ NID_id_pkix                     R_BAD_AUTHENTICATION_TYPE                 X509_V_FLAG_PARTIAL_CHAIN
++ NID_id_qt_cps                   R_BAD_CHECKSUM                            X509_V_FLAG_POLICY_CHECK
++ NID_id_qt_unotice               R_BAD_MAC_DECODE                          X509_V_FLAG_POLICY_MASK
++ NID_idea_cbc                    R_BAD_RESPONSE_ARGUMENT                   X509_V_FLAG_SUITEB_128_LOS
++ NID_idea_cfb64                  R_BAD_SSL_FILETYPE                        X509_V_FLAG_SUITEB_128_LOS_ONLY
++ NID_idea_ecb                    R_BAD_SSL_SESSION_ID_LENGTH               X509_V_FLAG_SUITEB_192_LOS
++ NID_idea_ofb64                  R_BAD_STATE                               X509_V_FLAG_TRUSTED_FIRST
++ NID_info_access                 R_BAD_WRITE_RETRY                         X509_V_FLAG_USE_CHECK_TIME
++ NID_initials                    R_CHALLENGE_IS_DIFFERENT                  X509_V_FLAG_USE_DELTAS
++ NID_invalidity_date             R_CIPHER_TABLE_SRC_ERROR                  X509_V_FLAG_X509_STRICT
++ NID_issuer_alt_name             R_INVALID_CHALLENGE_LENGTH                X509_V_OK
++ NID_keyBag                      R_NO_CERTIFICATE_SET                      XN_FLAG_COMPAT
++ NID_key_usage                   R_NO_CERTIFICATE_SPECIFIED                XN_FLAG_DN_REV
++ NID_localKeyID                  R_NO_CIPHER_LIST                          XN_FLAG_DUMP_UNKNOWN_FIELDS
++ NID_localityName                R_NO_CIPHER_MATCH                         XN_FLAG_FN_ALIGN
++ NID_md2                         R_NO_PRIVATEKEY                           XN_FLAG_FN_LN
++ NID_md2WithRSAEncryption        R_NO_PUBLICKEY                            XN_FLAG_FN_MASK
++ NID_md5                         R_NULL_SSL_CTX                            XN_FLAG_FN_NONE
++ NID_md5WithRSA                  R_PEER_DID_NOT_RETURN_A_CERTIFICATE       XN_FLAG_FN_OID
++ NID_md5WithRSAEncryption        R_PEER_ERROR                              XN_FLAG_FN_SN
++ NID_md5_sha1                    R_PEER_ERROR_CERTIFICATE                  XN_FLAG_MULTILINE
++ NID_mdc2                        R_PEER_ERROR_NO_CIPHER                    XN_FLAG_ONELINE
++ NID_mdc2WithRSA                 R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253
++ NID_ms_code_com                 R_PUBLIC_KEY_ENCRYPT_ERROR                XN_FLAG_SEP_COMMA_PLUS
++ NID_ms_code_ind                 R_PUBLIC_KEY_IS_NOT_RSA                   XN_FLAG_SEP_CPLUS_SPC
++ NID_ms_ctl_sign                 R_READ_WRONG_PACKET_TYPE                  XN_FLAG_SEP_MASK
++ NID_ms_efs                      R_SHORT_READ                              XN_FLAG_SEP_MULTILINE
++ NID_ms_ext_req                  R_SSL_SESSION_ID_IS_DIFFERENT             XN_FLAG_SEP_SPLUS_SPC
++ NID_ms_sgc                      R_UNABLE_TO_EXTRACT_PUBLIC_KEY            XN_FLAG_SPC_EQ
++ NID_name                        R_UNKNOWN_REMOTE_ERROR_TYPE               
++ NID_netscape                    R_UNKNOWN_STATE                           
+ 
+ /);
+ 
+ my @missing;
+ my %h = map { $_=>1 } @Net::SSLeay::EXPORT_OK;
+ 
+-for (@c) {
+-  like(eval("&Net::SSLeay::$_; 'ok'") || $@, qr/^(ok|Your vendor has not defined SSLeay macro.*)$/, "$_");
+-  push(@missing, $_) unless $h{$_};
++for my $c (@c) {
++    dies_like(sub {
++        "Net::SSLeay::$c"->();
++        die "ok\n";
++    }, qr/^(ok\n|Your vendor has not defined SSLeay macro.*)$/, "$c");
++    push(@missing, $c) unless $h{$c};
+ }
+ 
+ is(join(",", sort @missing), '', 'constants missing in @EXPORT_OK count='.scalar(@missing));
+diff --git a/t/local/22_provider.t b/t/local/22_provider.t
+new file mode 100644
+index 0000000..f3a19a7
+--- /dev/null
++++ b/t/local/22_provider.t
+@@ -0,0 +1,103 @@
++use lib 'inc';
++
++use Net::SSLeay;
++use Test::Net::SSLeay (initialise_libssl);
++
++# We don't do intialise_libssl() now because we want to want to
++# trigger automatic loading of the default provider.
++#
++# Quote from
++# https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-default.html
++# about default provider:
++#
++#   It is loaded automatically the first time that an algorithm is
++#   fetched from a provider or a function acting on providers is
++#   called and no other provider has been loaded yet.
++#
++#initialise_libssl(); # Don't do this
++
++if (defined &Net::SSLeay::OSSL_PROVIDER_load) {
++    plan(tests => 16);
++} else {
++    plan(skip_all => "no support for providers");
++}
++
++# provider loading, availability and unloading
++{
++    # See top of file why things are done in this order. We don't want
++    # to load the default provider automatically.
++
++    my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null');
++    ok($null_provider, 'null provider load returns a pointer');
++    my $null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null');
++    is($null_avail, 1, 'null provider loaded and available');
++
++    my $default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default');
++    is($default_avail, 0, 'default provider not loaded, not available');
++    if ($default_avail)
++    {
++	diag('Default provider was already available. More provider tests in this and other provider test files may fail');
++	diag('If your configuration loads the default provider, consider ignoring the errors or using OPENSSL_CONF environment variable');
++	diag('For example: OPENSSL_CONF=/path/to/openssl/ssl/openssl.cnf.dist make test');
++    }
++
++    my $null_unload = Net::SSLeay::OSSL_PROVIDER_unload($null_provider);
++    is($null_unload, 1, 'null provider successfully unloaded');
++    $null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null');
++    is($null_avail, 0, 'null provider is no longer available');
++
++    $default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default');
++    is($default_avail, 0, 'default provider still not loaded, not available');
++
++    my $default_provider_undef_libctx = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default');
++    ok($default_provider_undef_libctx, 'default provider with NULL libctx loaded successfully');
++
++    my $libctx = Net::SSLeay::OSSL_LIB_CTX_get0_global_default();
++    ok($libctx, 'OSSL_LIB_CTX_get0_global_default() returns a pointer');
++
++    my $default_provider_default_libctx = Net::SSLeay::OSSL_PROVIDER_load($libctx, 'default');
++    ok($default_provider_default_libctx, 'default provider with default libctx loaded successfully');
++    is($default_provider_default_libctx, $default_provider_undef_libctx, 'OSSL_PROVIDER_load with undef and defined libctx return the same pointer');
++}
++
++
++# get0_name, selftest
++{
++    my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null');
++    my $default_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default');
++
++    is(Net::SSLeay::OSSL_PROVIDER_get0_name($null_provider), 'null', 'get0_name for null provider');
++    is(Net::SSLeay::OSSL_PROVIDER_get0_name($default_provider), 'default', 'get0_name for default provider');
++
++    is(Net::SSLeay::OSSL_PROVIDER_self_test($null_provider), 1, 'self_test for null provider');
++    is(Net::SSLeay::OSSL_PROVIDER_self_test($default_provider), 1, 'self_test for default provider');
++}
++
++
++# do_all
++{
++    my %seen_providers;
++    sub all_cb {
++	my ($provider_cb, $cbdata_cb) = @_;
++
++	fail('provider already seen') if exists $seen_providers{$provider_cb};
++	$seen_providers{$provider_cb} = $cbdata_cb;
++	return 1;
++    };
++
++    my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null');
++    my $default_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default');
++    my $cbdata = 'data for cb';
++
++    Net::SSLeay::OSSL_PROVIDER_do_all(undef, \&all_cb, $cbdata);
++    foreach my $provider ($null_provider, $default_provider)
++    {
++	my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider);
++	is(delete $seen_providers{$provider}, $cbdata, "provider '$name' was seen");
++    }
++    foreach my $provider (keys(%seen_providers))
++    {
++	my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider);
++	diag("Provider '$name' was also seen by the callback");
++    }
++}
+diff --git a/t/local/22_provider_try_load.t b/t/local/22_provider_try_load.t
+new file mode 100644
+index 0000000..88edd6b
+--- /dev/null
++++ b/t/local/22_provider_try_load.t
+@@ -0,0 +1,29 @@
++use lib 'inc';
++
++use Net::SSLeay;
++use Test::Net::SSLeay (initialise_libssl);
++
++# Avoid default provider automatic loading. See 22_provider.t for more
++# information.
++#
++#initialise_libssl(); # Don't do this
++#
++# We use a separate test file so that we get a newly loaded library
++# that still has triggers for automatic loading enabled.
++
++if (defined &Net::SSLeay::OSSL_PROVIDER_load) {
++    plan(tests => 3);
++} else {
++    plan(skip_all => "no support for providers");
++}
 +
-+    if ( ! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV))
-+    croak ("Net::SSLeay: ssleay_ctx_msg_cb_invoke called, but not set to point to any perl function.\n");
++my ($null_provider, $default_avail, $null_avail);
 +
-+    ENTER;
-+    SAVETMPS;
++$null_provider = Net::SSLeay::OSSL_PROVIDER_try_load(undef, 'null', 1);
++ok($null_provider, 'try_load("null", retain_fallbacks = 1) returns a pointer');
 +
-+    PUSHMARK(SP);
-+    XPUSHs(sv_2mortal(newSViv(write_p)));
-+    XPUSHs(sv_2mortal(newSViv(version)));
-+    XPUSHs(sv_2mortal(newSViv(content_type)));
-+    XPUSHs(sv_2mortal(newSVpv((const char*)buf, len)));
-+    XPUSHs(sv_2mortal(newSViv(len)));
-+    XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl))));
-+    XPUSHs(sv_2mortal(newSVsv(cb_data)));
-+    PUTBACK;
++$default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default');
++is($default_avail, 1, 'default provider automatically loaded after try_load("null", retain_fallbacks = 1)');
 +
-+    call_sv(cb_func, G_VOID);
++$null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null');
++is($null_avail, 1, 'null provider loaded after try_load("null", retain_fallbacks = 1)');
+diff --git a/t/local/22_provider_try_load_zero_retain.t b/t/local/22_provider_try_load_zero_retain.t
+new file mode 100644
+index 0000000..ea9ddeb
+--- /dev/null
++++ b/t/local/22_provider_try_load_zero_retain.t
+@@ -0,0 +1,29 @@
++use lib 'inc';
 +
-+    SPAGAIN;
-+    PUTBACK;
-+    FREETMPS;
-+    LEAVE;
++use Net::SSLeay;
++use Test::Net::SSLeay (initialise_libssl);
++
++# Avoid default provider automatic loading. See 22_provider.t for more
++# information.
++#
++#initialise_libssl(); # Don't do this
++#
++# We use a separate test file so that we get a newly loaded library
++# that still has triggers for automatic loading enabled.
++
++if (defined &Net::SSLeay::OSSL_PROVIDER_load) {
++    plan(tests => 3);
++} else {
++    plan(skip_all => "no support for providers");
 +}
 +
- /* 
-  * Support for tlsext_ticket_key_cb_invoke was already in 0.9.8 but it was
-  * broken in various ways during the various 1.0.0* versions.
-@@ -1654,7 +1719,7 @@ void ssleay_ssl_ctx_sess_remove_cb_invok
- 
- /* ============= end of callback stuff, begin helper functions ============== */
- 
--time_t ASN1_TIME_timet(ASN1_TIME *asn1t) {
-+time_t ASN1_TIME_timet(ASN1_TIME *asn1t, time_t *gmtoff) {
-     struct tm t;
-     const char *p = (const char*) asn1t->data;
-     size_t msec = 0, tz = 0, i, l;
-@@ -1720,7 +1785,14 @@ time_t ASN1_TIME_timet(ASN1_TIME *asn1t)
- 
-     result = mktime(&t);
-     if (result == -1) return 0; /* broken time */
--    return result + adj + ( t.tm_isdst ? 3600:0 );
-+    result += adj;
-+    if (gmtoff && *gmtoff == -1) {
-+	*gmtoff = result - mktime(gmtime(&result));
-+	result += *gmtoff;
-+    } else {
-+	result += result - mktime(gmtime(&result));
-+    }
-+    return result;
- }
- 
- X509 * find_issuer(X509 *cert,X509_STORE *store, STACK_OF(X509) *chain) {
-@@ -4103,7 +4175,7 @@ X509V3_EXT_d2i(ext)
- X509_STORE_CTX *
- X509_STORE_CTX_new()
- 
--void
-+int
- X509_STORE_CTX_init(ctx, store=NULL, x509=NULL, chain=NULL)
-      X509_STORE_CTX * ctx
-      X509_STORE * store
-@@ -4336,6 +4408,10 @@ ASN1_TIME_free(s)
- time_t
- ASN1_TIME_timet(s)
-      ASN1_TIME *s
-+     CODE:
-+     RETVAL = ASN1_TIME_timet(s,NULL);
-+     OUTPUT:
-+     RETVAL
- 
- ASN1_TIME *
- ASN1_TIME_new()
-@@ -4556,7 +4632,7 @@ PEM_get_string_PrivateKey(pk,passwd=NULL
-             if (passwd_len>0) {
-                 /* encrypted key */
-                 if (!enc_alg)
--                    PEM_write_bio_PrivateKey(bp,pk,EVP_des_cbc(),(unsigned char *)passwd,passwd_len,cb,u);
-+                    PEM_write_bio_PrivateKey(bp,pk,EVP_des_ede3_cbc(),(unsigned char *)passwd,passwd_len,cb,u);
-                 else
-                     PEM_write_bio_PrivateKey(bp,pk,enc_alg,(unsigned char *)passwd,passwd_len,cb,u);
-             }
-@@ -5447,6 +5523,39 @@ SSL_CTX_set_info_callback(ctx,callback,d
-             SSL_CTX_set_info_callback(ctx, ssleay_ctx_info_cb_invoke);
-         }
- 
-+void
-+SSL_set_msg_callback(ssl,callback,data=&PL_sv_undef)
-+        SSL * ssl
-+        SV * callback
-+    SV * data
-+    CODE:
-+        if (callback==NULL || !SvOK(callback)) {
-+            SSL_set_msg_callback(ssl, NULL);
-+            cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", NULL);
-+            cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", NULL);
-+        } else {
-+            cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", newSVsv(callback));
-+            cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", newSVsv(data));
-+            SSL_set_msg_callback(ssl, ssleay_msg_cb_invoke);
-+        }
++my ($null_provider, $default_avail, $null_avail);
 +
-+void
-+SSL_CTX_set_msg_callback(ctx,callback,data=&PL_sv_undef)
-+        SSL_CTX * ctx
-+        SV * callback
-+    SV * data
-+    CODE:
-+        if (callback==NULL || !SvOK(callback)) {
-+            SSL_CTX_set_msg_callback(ctx, NULL);
-+            cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", NULL);
-+            cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", NULL);
-+        } else {
-+            cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", newSVsv(callback));
-+            cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", newSVsv(data));
-+            SSL_CTX_set_msg_callback(ctx, ssleay_ctx_msg_cb_invoke);
-+        }
++$null_provider = Net::SSLeay::OSSL_PROVIDER_try_load(undef, 'null', 0);
++ok($null_provider, 'try_load("null", retain_fallbacks = 0) returns a pointer');
 +
++$default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default');
++is($default_avail, 0, 'default provider not automatically loaded after try_load("null", retain_fallbacks = 0)');
 +
- int
- SSL_set_purpose(s,purpose)
-      SSL *	s
-@@ -6172,7 +6281,7 @@ SSL_total_renegotiations(ssl)
-   OUTPUT:
-   RETVAL
++$null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null');
++is($null_avail, 1, 'null provider loaded after try_load("null", retain_fallbacks = 0)');
+diff --git a/t/local/30_error.t b/t/local/30_error.t
+index 3f31ccd..8ad1560 100644
+--- a/t/local/30_error.t
++++ b/t/local/30_error.t
+@@ -1,17 +1,24 @@
+ use lib 'inc';
  
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
- void
- SSL_SESSION_get_master_key(s)
-      SSL_SESSION *   s
-@@ -7348,6 +7457,7 @@ OCSP_response_results(rsp,...)
- 	OCSP_BASICRESP *bsr;
- 	int i,want_array;
- 	time_t nextupd = 0;
-+	time_t gmtoff = -1;
- 	int getall,sksn;
- 
- 	bsr = OCSP_response_get1_basic(rsp);
-@@ -7440,15 +7550,15 @@ OCSP_response_results(rsp,...)
- 		    hv_store(details,"statusType",10,
- 			newSViv(status),0);
- 		    if (nextupdate) hv_store(details,"nextUpdate",10,
--			newSViv(ASN1_TIME_timet(nextupdate)),0);
-+			newSViv(ASN1_TIME_timet(nextupdate, &gmtoff)),0);
- 		    if (thisupdate) hv_store(details,"thisUpdate",10,
--			newSViv(ASN1_TIME_timet(thisupdate)),0);
-+			newSViv(ASN1_TIME_timet(thisupdate, &gmtoff)),0);
- 		    if (status == V_OCSP_CERTSTATUS_REVOKED) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- 			OCSP_REVOKEDINFO *rev = sir->certStatus->value.revoked;
- 			revocationReason = ASN1_ENUMERATED_get(rev->revocationReason);
- #endif
--			hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime)),0);
-+			hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime, &gmtoff)),0);
- 			hv_store(details,"revocationReason",16,newSViv(revocationReason),0);
- 			hv_store(details,"revocationReason_str",20,newSVpv(
- 		            OCSP_crl_reason_str(revocationReason),0),0);
-@@ -7457,7 +7567,7 @@ OCSP_response_results(rsp,...)
- 		XPUSHs(sv_2mortal(newRV_noinc((SV*)idav)));
- 	    } else if (!error) {
- 		/* compute lowest nextUpdate */
--		time_t nu = ASN1_TIME_timet(nextupdate);
-+		time_t nu = ASN1_TIME_timet(nextupdate, &gmtoff);
- 		if (!nextupd || nextupd>nu) nextupd = nu;
- 	    }
+ use Net::SSLeay;
+-use Test::Net::SSLeay qw(initialise_libssl);
++use Test::Net::SSLeay qw(
++    dies_like doesnt_warn initialise_libssl lives_ok warns_like
++);
  
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/30_error.t Net-SSLeay-1.90.patched/t/local/30_error.t
---- Net-SSLeay-1.90/t/local/30_error.t	2020-11-18 09:12:44.000000000 +0000
-+++ Net-SSLeay-1.90.patched/t/local/30_error.t	2021-09-15 11:26:35.571845815 +0100
-@@ -12,6 +12,14 @@ if ($@) {
+-eval "use Test::Exception; use Test::Warn; use Test::NoWarnings; 1;";
+-if ($@) {
+-    plan skip_all => 'Requires Test::Exception, Test::Warn and Test::NoWarnings';
+-} else {
+-    plan tests => 11;
+-}
++plan tests => 11;
++
++doesnt_warn('tests run without outputting unexpected warnings');
  
  initialise_libssl();
  
@@ -439,16 +2569,57 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/30_error.t Net-SSLea
  # Note, die_now usually just prints the process id and the argument string eg:
  # 57611: test
  # but on some systems, perhaps if diagnostics are enabled, it might [roduce something like:
-@@ -55,22 +63,42 @@ initialise_libssl();
-             throws_ok(sub {
+@@ -20,7 +27,7 @@ initialise_libssl();
+ # therefore the qr match strings below have been chnaged so they dont have tooccur at the 
+ # beginning of the line.
+ {
+-    throws_ok(sub {
++    dies_like(sub {
+             Net::SSLeay::die_now('test')
+     }, qr/$$: test\n$/, 'die_now dies without errors');
+ 
+@@ -29,12 +36,12 @@ initialise_libssl();
+     }, 'die_if_ssl_error lives without errors');
+ 
+     put_err();
+-    throws_ok(sub {
++    dies_like(sub {
+             Net::SSLeay::die_now('test');
+     }, qr/$$: test\n$/, 'die_now dies with errors');
+ 
+     put_err();
+-    throws_ok(sub {
++    dies_like(sub {
+             Net::SSLeay::die_if_ssl_error('test');
+     }, qr/$$: test\n$/, 'die_if_ssl_error dies with errors');
+ }
+@@ -42,7 +49,7 @@ initialise_libssl();
+ {
+     local $Net::SSLeay::trace = 1;
+ 
+-    throws_ok(sub {
++    dies_like(sub {
+             Net::SSLeay::die_now('foo');
+     }, qr/$$: foo\n$/, 'die_now dies without arrors and with trace');
+ 
+@@ -51,26 +58,46 @@ initialise_libssl();
+     }, 'die_if_ssl_error lives without errors and with trace');
+ 
+     put_err();
+-    warning_like(sub {
+-            throws_ok(sub {
++    warns_like(sub {
++            dies_like(sub {
                      Net::SSLeay::die_now('foo');
              }, qr/^$$: foo\n$/, 'die_now dies with errors and trace');
 -    }, qr/foo $$: 1 - error:2006d080/i, 'die_now raises warnings about the occurred error when tracing');
 +    }, qr/$err_string/i, 'die_now raises warnings about the occurred error when tracing');
  
      put_err();
-     warning_like(sub {
-             throws_ok(sub {
+-    warning_like(sub {
+-            throws_ok(sub {
++    warns_like(sub {
++            dies_like(sub {
                  Net::SSLeay::die_if_ssl_error('foo');
              }, qr/^$$: foo\n$/, 'die_if_ssl_error dies with errors and trace');
 -    }, qr/foo $$: 1 - error:2006d080/i, 'die_if_ssl_error raises warnings about the occurred error when tracing');
@@ -489,9 +2660,43 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/30_error.t Net-SSLea
 +         1, #line   - line number (not packed into error code)
      );
  }
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/32_x509_get_cert_info.t Net-SSLeay-1.90.patched/t/local/32_x509_get_cert_info.t
---- Net-SSLeay-1.90/t/local/32_x509_get_cert_info.t	2020-11-18 09:12:44.000000000 +0000
-+++ Net-SSLeay-1.90.patched/t/local/32_x509_get_cert_info.t	2021-09-15 11:26:35.398847153 +0100
+diff --git a/t/local/31_rsa_generate_key.t b/t/local/31_rsa_generate_key.t
+index 3a1efb3..dec3e80 100644
+--- a/t/local/31_rsa_generate_key.t
++++ b/t/local/31_rsa_generate_key.t
+@@ -1,14 +1,9 @@
+ use lib 'inc';
+ 
+ use Net::SSLeay;
+-use Test::Net::SSLeay qw(initialise_libssl);
++use Test::Net::SSLeay qw( dies_like initialise_libssl lives_ok );
+ 
+-eval 'use Test::Exception';
+-if ($@) {
+-    plan skip_all => 'Test::Exception required';
+-} else {
+-    plan tests => 14;
+-}
++plan tests => 14;
+ 
+ initialise_libssl();
+ 
+@@ -16,9 +11,9 @@ lives_ok(sub {
+         Net::SSLeay::RSA_generate_key(2048, 0x10001);
+ }, 'RSA_generate_key with valid callback');
+ 
+-dies_ok(sub {
++dies_like(sub {
+         Net::SSLeay::RSA_generate_key(2048, 0x10001, 1);
+-}, 'RSA_generate_key with invalid callback');
++}, qr/Undefined subroutine &main::1 called/, 'RSA_generate_key with invalid callback');
+ 
+ {
+     my $called = 0;
+diff --git a/t/local/32_x509_get_cert_info.t b/t/local/32_x509_get_cert_info.t
+index a1697ff..1f0f20a 100644
+--- a/t/local/32_x509_get_cert_info.t
++++ b/t/local/32_x509_get_cert_info.t
 @@ -8,8 +8,8 @@ use Test::Net::SSLeay qw(
  use lib '.';
  
@@ -512,7 +2717,7 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/32_x509_get_cert_inf
                            )
                        )
                    ) {
-@@ -373,8 +373,8 @@ Net::SSLeay::X509_STORE_CTX_set_cert($ct
+@@ -373,8 +373,8 @@ Net::SSLeay::X509_STORE_CTX_set_cert($ctx,$x509);
  my $ca_filename = data_file_path('root-ca.cert.pem');
  my $ca_bio = Net::SSLeay::BIO_new_file($ca_filename, 'rb');
  my $ca_x509 = Net::SSLeay::PEM_read_bio_X509($ca_bio);
@@ -523,9 +2728,28 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/32_x509_get_cert_inf
  SKIP: {
      skip('X509_STORE_CTX_get0_cert requires OpenSSL 1.1.0-pre5+ or LibreSSL 2.7.0+', 1) unless defined (&Net::SSLeay::X509_STORE_CTX_get0_cert);
      ok (my $x509_from_cert = Net::SSLeay::X509_STORE_CTX_get0_cert($ctx),'Get x509 from store ctx');
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/36_verify.t Net-SSLeay-1.90.patched/t/local/36_verify.t
---- Net-SSLeay-1.90/t/local/36_verify.t	2021-01-16 17:16:40.000000000 +0000
-+++ Net-SSLeay-1.90.patched/t/local/36_verify.t	2021-09-15 11:26:35.376847323 +0100
+diff --git a/t/local/33_x509_create_cert.t b/t/local/33_x509_create_cert.t
+index 3c5a2e8..3cad034 100755
+--- a/t/local/33_x509_create_cert.t
++++ b/t/local/33_x509_create_cert.t
+@@ -9,6 +9,13 @@ plan tests => 139;
+ 
+ initialise_libssl();
+ 
++if (defined &Net::SSLeay::OSSL_PROVIDER_load)
++{
++    my $provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy');
++    diag('Failed to load legacy provider: PEM_get_string_PrivateKey may fail')
++	unless $provider;
++}
++
+ my $ca_crt_pem = data_file_path('root-ca.cert.pem');
+ my $ca_key_pem = data_file_path('root-ca.key.pem');
+ 
+diff --git a/t/local/36_verify.t b/t/local/36_verify.t
+index 0b84461..22017e5 100644
+--- a/t/local/36_verify.t
++++ b/t/local/36_verify.t
 @@ -7,7 +7,7 @@ use Test::Net::SSLeay qw(
      can_fork data_file_path initialise_libssl is_libressl is_openssl tcp_socket
  );
@@ -535,7 +2759,39 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/36_verify.t Net-SSLe
  
  initialise_libssl();
  
-@@ -223,7 +223,7 @@ sub verify_local_trust {
+@@ -40,9 +40,18 @@ SKIP: {
+ 
+ SKIP: {
+   skip 'openssl-0.9.8a required', 3 unless Net::SSLeay::SSLeay >= 0x0090801f;
+-  ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS(), 'X509_VERIFY_PARAM_get_flags');
++
++  # From version 3.3.2, LibreSSL signals the use of its legacy X.509 verifier
++  # via the X509_V_FLAG_LEGACY_VERIFY flag; this flag persists even after
++  # X509_VERIFY_PARAM_clear_flags() is called
++  my $base_flags =
++      is_libressl() && Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") >= 0x3030200f
++    ? Net::SSLeay::X509_V_FLAG_LEGACY_VERIFY()
++    : 0;
++
++  ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == ($base_flags | Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS()), 'X509_VERIFY_PARAM_get_flags');
+   ok(Net::SSLeay::X509_VERIFY_PARAM_clear_flags($pm, Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS()), 'X509_VERIFY_PARAM_clear_flags');
+-  ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == 0, 'X509_VERIFY_PARAM_get_flags');
++  ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == ($base_flags | 0), 'X509_VERIFY_PARAM_get_flags');
+ };
+ 
+ SKIP: {
+@@ -86,8 +95,8 @@ SKIP: {
+ 
+     $server = tcp_socket();
+ 
+-    run_server();
+-    $server->close();
++    run_server(); # Forks: child does not return
++    $server->close() || die("client listen socket close: $!");
+     client();
+ }
+ 
+@@ -223,7 +232,7 @@ sub verify_local_trust {
      ok(my $store = Net::SSLeay::X509_STORE_new(), "X509_STORE_new creates new store");
      ok(Net::SSLeay::X509_STORE_add_cert($store, $ca), "X509_STORE_add_cert CA cert");
      ok(my $ctx = Net::SSLeay::X509_STORE_CTX_new(), "X509_STORE_CTX_new creates new store context");
@@ -544,7 +2800,7 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/36_verify.t Net-SSLe
      ok(!Net::SSLeay::X509_verify_cert($ctx), 'X509_verify_cert correctly fails');
      is(Net::SSLeay::X509_STORE_CTX_get_error($ctx),
          Net::SSLeay::X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(), "X509_STORE_CTX_get_error returns unable to get local issuer certificate");
-@@ -241,7 +241,7 @@ sub verify_local_trust {
+@@ -241,7 +250,7 @@ sub verify_local_trust {
      ok($store = Net::SSLeay::X509_STORE_new(), "X509_STORE_new creates new store");
      ok(Net::SSLeay::X509_STORE_add_cert($store, $ca), "X509_STORE_add_cert CA cert");
      ok($ctx = Net::SSLeay::X509_STORE_CTX_new(), "X509_STORE_CTX_new creates new store context");
@@ -553,9 +2809,39 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/36_verify.t Net-SSLe
      ok(Net::SSLeay::X509_verify_cert($ctx), 'X509_verify_cert correctly succeeds');
      is(Net::SSLeay::X509_STORE_CTX_get_error($ctx), Net::SSLeay::X509_V_OK(), "X509_STORE_CTX_get_error returns ok");
      Net::SSLeay::X509_STORE_free($store);
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/39_pkcs12.t Net-SSLeay-1.90.patched/t/local/39_pkcs12.t
---- Net-SSLeay-1.90/t/local/39_pkcs12.t	2020-11-18 09:12:44.000000000 +0000
-+++ Net-SSLeay-1.90.patched/t/local/39_pkcs12.t	2021-09-15 11:26:35.468846611 +0100
+@@ -295,7 +304,7 @@ sub client {
+ 	test_wildcard_checks($ctx, $cl) if $task eq 'wildcard_checks';
+ 	last if $task eq 'finish'; # Leaves $cl alive
+ 
+-	close($cl);
++	close($cl) || die("client close: $!");
+     }
+ 
+     # Tell the server to quit and see that our connection is still up
+@@ -307,6 +316,8 @@ sub client {
+     Net::SSLeay::ssl_write_all($ssl, $end);
+     Net::SSLeay::shutdown($ssl);
+     ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination');
++    Net::SSLeay::free($ssl);
++    close($cl) || die("client final close: $!");
+     return;
+ }
+ 
+@@ -348,6 +359,10 @@ sub run_server
+ 	if (defined $msg and $msg eq 'end')
+ 	{
+ 	    Net::SSLeay::ssl_write_all($ssl, 'end');
++	    Net::SSLeay::shutdown($ssl);
++	    Net::SSLeay::free($ssl);
++	    close($cl) || die("server close: $!");
++	    $server->close() || die("server listen socket close: $!");
+ 	    exit (0);
+ 	}
+     }
+diff --git a/t/local/39_pkcs12.t b/t/local/39_pkcs12.t
+index 5c7fb8b..5083331 100644
+--- a/t/local/39_pkcs12.t
++++ b/t/local/39_pkcs12.t
 @@ -3,7 +3,7 @@ use lib 'inc';
  use Net::SSLeay;
  use Test::Net::SSLeay qw( data_file_path initialise_libssl );
@@ -565,7 +2851,7 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/39_pkcs12.t Net-SSLe
  
  initialise_libssl();
  
-@@ -36,12 +36,24 @@ my $filename3 = data_file_path('simple-c
+@@ -36,12 +36,24 @@ my $filename3 = data_file_path('simple-cert.p12');
    my $ca1_subj_name = Net::SSLeay::X509_get_subject_name($cachain[0]);
    my $ca2_subj_name = Net::SSLeay::X509_get_subject_name($cachain[1]);
    is(Net::SSLeay::X509_NAME_oneline($subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=simple-cert.net-ssleay.example', "X509_NAME_oneline [2/1]");
@@ -596,10 +2882,162 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/39_pkcs12.t Net-SSLe
    }
  }
  
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/43_misc_functions.t Net-SSLeay-1.90.patched/t/local/43_misc_functions.t
---- Net-SSLeay-1.90/t/local/43_misc_functions.t	2021-01-21 15:14:11.000000000 +0000
-+++ Net-SSLeay-1.90.patched/t/local/43_misc_functions.t	2021-09-15 11:26:35.563845877 +0100
-@@ -245,6 +245,17 @@ sub client_test_ciphersuites
+diff --git a/t/local/40_npn_support.t b/t/local/40_npn_support.t
+index e7c9c34..ea2d09b 100644
+--- a/t/local/40_npn_support.t
++++ b/t/local/40_npn_support.t
+@@ -58,8 +58,8 @@ my @results;
+         Net::SSLeay::ssl_write_all($ssl, uc($got));
+         Net::SSLeay::free($ssl);
+         Net::SSLeay::CTX_free($ctx);
+-        close $ns;
+-        $server->close();
++        close($ns) || die("server close: $!");
++        $server->close() || die("server listen socket close: $!");
+         exit;
+     }
+ }
+@@ -84,7 +84,8 @@ my @results;
+ 
+     Net::SSLeay::free($ssl1);
+     Net::SSLeay::CTX_free($ctx1);
+-    close $s1;
++    close($s1) || die("client close: $!");
++    $server->close() || die("client listen socket close: $!");
+ }
+ 
+ waitpid $pid, 0;
+diff --git a/t/local/41_alpn_support.t b/t/local/41_alpn_support.t
+index 052d17d..c3d5aa0 100644
+--- a/t/local/41_alpn_support.t
++++ b/t/local/41_alpn_support.t
+@@ -63,8 +63,8 @@ my @results;
+         Net::SSLeay::ssl_write_all($ssl, uc($got));
+         Net::SSLeay::free($ssl);
+         Net::SSLeay::CTX_free($ctx);
+-        close $ns;
+-        $server->close();
++        close($ns) || die("server close: $!");
++        $server->close() || die("server listen socket close: $!");
+         exit;
+     }
+ }
+@@ -88,7 +88,8 @@ my @results;
+ 
+     Net::SSLeay::free($ssl1);
+     Net::SSLeay::CTX_free($ctx1);
+-    close $s1;
++    close($s1) || die("client close: $!");
++    $server->close() || die("client listen socket close: $!");
+ }
+ 
+ waitpid $pid, 0;
+diff --git a/t/local/42_info_callback.t b/t/local/42_info_callback.t
+index 6f6afdb..8ddcb0c 100644
+--- a/t/local/42_info_callback.t
++++ b/t/local/42_info_callback.t
+@@ -36,7 +36,9 @@ my $server = tcp_socket();
+ 	    for(1,2) {
+ 		last if Net::SSLeay::shutdown($ssl)>0;
+ 	    }
++	    close($cl) || die("server close: $!");
+ 	}
++	$server->close() || die("server listen socket close: $!");
+         exit;
+     }
+ }
+@@ -90,6 +92,8 @@ sub client {
+     } else {
+ 	fail("$where: @states");
+     }
++    close($cl) || die("client close: $!");
++
+ }
+ 
+ my $expect = qr{^
+@@ -101,5 +105,6 @@ my $expect = qr{^
+ 
+ client('ctx',$expect);
+ client('ssl',$expect);
++$server->close() || die("client listen socket close: $!");
+ waitpid $pid, 0;
+ 
+diff --git a/t/local/43_misc_functions.t b/t/local/43_misc_functions.t
+index c67df75..09effc8 100644
+--- a/t/local/43_misc_functions.t
++++ b/t/local/43_misc_functions.t
+@@ -35,12 +35,19 @@ our %tls_1_2_aead_cipher_to_keyblock_size = (
+      'AES256-GCM-SHA384' => 88,
+     );
+ 
+-our %tls_1_3_aead_cipher_to_keyblock_size = (
+-     # Only in TLS 1.3
+-     'TLS_AES_128_GCM_SHA256' => 56,
+-     'TLS_AES_256_GCM_SHA384' => 88,
+-     'TLS_CHACHA20_POLY1305_SHA256' => 88,
+-    );
++# LibreSSL uses different names for the TLSv1.3 ciphersuites:
++our %tls_1_3_aead_cipher_to_keyblock_size =
++      is_libressl()
++    ? (
++          'AEAD-AES128-GCM-SHA256'        => 56,
++          'AEAD-AES256-GCM-SHA384'        => 88,
++          'AEAD-CHACHA20-POLY1305-SHA256' => 88,
++      )
++    : (
++         'TLS_AES_128_GCM_SHA256'       => 56,
++         'TLS_AES_256_GCM_SHA384'       => 88,
++         'TLS_CHACHA20_POLY1305_SHA256' => 88,
++      );
+ 
+ # Combine the AEAD hashes
+ our %aead_cipher_to_keyblock_size = (%tls_1_2_aead_cipher_to_keyblock_size, %tls_1_3_aead_cipher_to_keyblock_size);
+@@ -48,14 +55,14 @@ our %aead_cipher_to_keyblock_size = (%tls_1_2_aead_cipher_to_keyblock_size, %tls
+ # Combine the hashes
+ our %cipher_to_keyblock_size = (%non_aead_cipher_to_keyblock_size, %aead_cipher_to_keyblock_size);
+ 
+-our %version_str2int =
+-    (
+-     'SSLv3'   => sub {return eval {Net::SSLeay::SSL3_VERSION();}},
+-     'TLSv1'   => sub {return eval {Net::SSLeay::TLS1_VERSION();}},
+-     'TLSv1.1' => sub {return eval {Net::SSLeay::TLS1_1_VERSION();}},
+-     'TLSv1.2' => sub {return eval {Net::SSLeay::TLS1_2_VERSION();}},
+-     'TLSv1.3' => sub {return eval {Net::SSLeay::TLS1_3_VERSION();}},
+-    );
++our %version_str2int = (
++    'SSLv3'   => sub { return eval { Net::SSLeay::SSL3_VERSION(); } },
++    'TLSv1'   => sub { return eval { Net::SSLeay::TLS1_VERSION(); } },
++    'TLSv1.1' => sub { return eval { Net::SSLeay::TLS1_1_VERSION(); } },
++    'TLSv1.2' => sub { return eval { Net::SSLeay::TLS1_2_VERSION(); } },
++    # LibreSSL >= 3.2.0 implements TLSv1.3, but doesn't define TLS1_3_VERSION
++    'TLSv1.3' => sub { return is_libressl() ? 0x0304 : eval { Net::SSLeay::TLS1_3_VERSION(); } },
++);
+ 
+ # Tests that don't need a connection
+ client_test_ciphersuites();
+@@ -96,6 +103,10 @@ my $server = tcp_socket();
+ 	# Echo back the termination request from client
+ 	my $end = Net::SSLeay::read($ssl);
+ 	Net::SSLeay::write($ssl, $end);
++	Net::SSLeay::shutdown($ssl);
++	Net::SSLeay::free($ssl);
++	close($cl) || die("server close: $!");
++	$server->close() || die("server listen socket close: $!");
+ 	exit(0);
+     }
+ }
+@@ -121,6 +132,10 @@ sub client {
+     my $end = "end";
+     Net::SSLeay::write($ssl, $end);
+     ok($end eq Net::SSLeay::read($ssl),  'Successful termination');
++    Net::SSLeay::shutdown($ssl);
++    Net::SSLeay::free($ssl);
++    close($cl) || die("client close: $!");
++    $server->close() || die("client listen socket close: $!");
+     return;
+ }
+ 
+@@ -245,6 +260,17 @@ sub client_test_ciphersuites
  
      my $ciphersuites = join(':', keys(%tls_1_3_aead_cipher_to_keyblock_size));
  
@@ -617,7 +3055,7 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/43_misc_functions.t 
      my ($ctx, $rv, $ssl);
      $ctx = Net::SSLeay::CTX_new();
      $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, $ciphersuites);
-@@ -257,7 +268,7 @@ sub client_test_ciphersuites
+@@ -257,7 +283,7 @@ sub client_test_ciphersuites
      };
      is($rv, 1, 'CTX set undef ciphersuites');
      $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:' . $ciphersuites);
@@ -626,7 +3064,7 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/43_misc_functions.t 
      $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:');
      is($rv, 0, 'CTX set bad ciphersuites');
  
-@@ -272,7 +283,7 @@ sub client_test_ciphersuites
+@@ -272,7 +298,7 @@ sub client_test_ciphersuites
      };
      is($rv, 1, 'SSL set undef ciphersuites');
      $rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:' . $ciphersuites);
@@ -635,9 +3073,10 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/43_misc_functions.t 
      $rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:');
      is($rv, 0, 'SSL set bad ciphersuites');
  
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/44_sess.t Net-SSLeay-1.90.patched/t/local/44_sess.t
---- Net-SSLeay-1.90/t/local/44_sess.t	2020-12-12 13:55:23.000000000 +0000
-+++ Net-SSLeay-1.90.patched/t/local/44_sess.t	2021-09-15 11:26:35.567845846 +0100
+diff --git a/t/local/44_sess.t b/t/local/44_sess.t
+index 36603a0..ce14422 100644
+--- a/t/local/44_sess.t
++++ b/t/local/44_sess.t
 @@ -163,6 +163,8 @@ sub server
  
  	    $ctx = new_ctx( $proto, $proto );
@@ -647,6 +3086,26 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/44_sess.t Net-SSLeay
  	    Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
  	    Net::SSLeay::CTX_set_session_cache_mode($ctx, Net::SSLeay::SESS_CACHE_SERVER());
  	    # Need OP_NO_TICKET to enable server side (Session ID based) resumption.
+@@ -212,6 +214,7 @@ sub server
+ 
+ 	    Net::SSLeay::SESSION_free($sess) unless $ret; # Not cached, undo get1
+ 	    Net::SSLeay::free($ssl);
++	    close($cl) || die("server close: $!");
+ 	}
+ 
+ 	$cl = $server->accept();
+@@ -219,9 +222,8 @@ sub server
+ 	print $cl "end\n";
+ 	print $cl unpack( 'H*', Storable::freeze(\%server_stats) ), "\n";
+ 
+-	close $cl;
+-
+-	$server->close();
++	close($cl) || die("server close stats socket: $!");
++	$server->close() || die("server listen socket close: $!");
+ 
+ 	#use Data::Dumper; print "Server:\n" . Dumper(\%server_stats);
+ 	exit(0);
 @@ -243,6 +245,8 @@ sub client {
  
  	$ctx = new_ctx( $proto, $proto );
@@ -668,9 +3127,29 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/44_sess.t Net-SSLeay
  	my $msg = Net::SSLeay::read($ssl);
  	#print "server said: $msg\n";
  
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/45_exporter.t Net-SSLeay-1.90.patched/t/local/45_exporter.t
---- Net-SSLeay-1.90/t/local/45_exporter.t	2020-12-12 13:55:23.000000000 +0000
-+++ Net-SSLeay-1.90.patched/t/local/45_exporter.t	2021-09-15 11:26:35.567845846 +0100
+@@ -267,6 +274,7 @@ sub client {
+ 
+ 	Net::SSLeay::shutdown($ssl);
+ 	Net::SSLeay::free($ssl);
++	close($cl) || die("client close: $!");
+     }
+ 
+     $cl = $server->connect();
+@@ -276,7 +284,9 @@ sub client {
+     # Stats from server
+     chomp( my $server_stats = <$cl> );
+     my $server_stats_ref = Storable::thaw( pack( 'H*', $server_stats ) );
+-    close $cl;
++
++    close($cl) || die("client close stats socket: $!");
++    $server->close() || die("client listen socket close: $!");
+ 
+     test_stats($server_stats_ref, \%client_stats);
+ 
+diff --git a/t/local/45_exporter.t b/t/local/45_exporter.t
+index 2e3efdb..aaacc7b 100644
+--- a/t/local/45_exporter.t
++++ b/t/local/45_exporter.t
 @@ -56,6 +56,8 @@ sub server
  
  	    $ctx = new_ctx( $round, $round );
@@ -680,7 +3159,17 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/45_exporter.t Net-SS
  	    Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
  	    $ssl = Net::SSLeay::new($ctx);
  	    Net::SSLeay::set_fd($ssl, fileno($cl));
-@@ -78,9 +80,14 @@ sub client {
+@@ -66,7 +68,9 @@ sub server
+ 
+ 	    Net::SSLeay::shutdown($ssl);
+ 	    Net::SSLeay::free($ssl);
++	    close($cl) || die("server close: $!");
+ 	}
++	$server->close() || die("server listen socket close: $!");
+ 	exit(0);
+     }
+ }
+@@ -78,9 +82,14 @@ sub client {
              my $cl = $server->connect();
  
              my $ctx = new_ctx( $round, $round );
@@ -696,9 +3185,27 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/45_exporter.t Net-SS
  
              my $msg = Net::SSLeay::read($ssl);
  
-diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/46_msg_callback.t Net-SSLeay-1.90.patched/t/local/46_msg_callback.t
---- Net-SSLeay-1.90/t/local/46_msg_callback.t	1970-01-01 01:00:00.000000000 +0100
-+++ Net-SSLeay-1.90.patched/t/local/46_msg_callback.t	2021-09-15 11:26:35.478846534 +0100
+@@ -90,6 +99,7 @@ sub client {
+ 
+             Net::SSLeay::shutdown($ssl);
+             Net::SSLeay::free($ssl);
++            close($cl) || die("client close: $!");
+         }
+         else {
+             SKIP: {
+@@ -97,6 +107,7 @@ sub client {
+             }
+         }
+     }
++    $server->close() || die("client listen socket close: $!");
+ 
+     return 1;
+ }
+diff --git a/t/local/46_msg_callback.t b/t/local/46_msg_callback.t
+new file mode 100644
+index 0000000..587e5a0
+--- /dev/null
++++ b/t/local/46_msg_callback.t
 @@ -0,0 +1,114 @@
 +use lib 'inc';
 +
@@ -814,3 +3321,17 @@ diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/46_msg_callback.t Ne
 +$server->close() || die("client listen socket close: $!");
 +waitpid $pid, 0;
 +
+diff --git a/typemap b/typemap
+index 373e711..c0547c6 100644
+--- a/typemap
++++ b/typemap
+@@ -81,6 +81,9 @@ cb_ssl_int_int_ret_void *  T_PTR
+ cb_ssl_int_int_ret_RSA *  T_PTR
+ cb_ssl_int_int_ret_DH  *  T_PTR
+ perl_filehandle_t T_PERL_IO_HANDLE
++OSSL_LIB_CTX * T_PTR
++OSSL_PROVIDER * T_PTR
++const OSSL_PROVIDER * T_PTR
+ 
+ INPUT
+ 
diff --git a/perl-Net-SSLeay.spec b/perl-Net-SSLeay.spec
index 5bf0174..f56f70a 100644
--- a/perl-Net-SSLeay.spec
+++ b/perl-Net-SSLeay.spec
@@ -6,13 +6,13 @@
 
 Name:		perl-Net-SSLeay
 Version:	1.90
-Release:	6%{?dist}
+Release:	7%{?dist}
 Summary:	Perl extension for using OpenSSL
 License:	Artistic 2.0
 URL:		https://metacpan.org/release/Net-SSLeay
 Source0:	https://cpan.metacpan.org/modules/by-module/Net/Net-SSLeay-%{version}.tar.gz
+Patch0:		Net-SSLeay-1.90-OpenSSL3.patch
 Patch10:	Net-SSLeay-1.90-pkgconfig.patch
-Patch11:	Net-SSLeay-1.90-OpenSSL3.patch
 # =========== Module Build ===========================
 BuildRequires:	coreutils
 BuildRequires:	findutils
@@ -24,13 +24,11 @@ BuildRequires:	perl-devel
 BuildRequires:	perl-generators
 BuildRequires:	perl-interpreter
 BuildRequires:	perl(constant)
-BuildRequires:	perl(Cwd)
 BuildRequires:	perl(English)
 BuildRequires:	perl(ExtUtils::MakeMaker) >= 6.76
 BuildRequires:	perl(ExtUtils::PkgConfig)
 BuildRequires:	perl(ExtUtils::MM)
 BuildRequires:	perl(File::Basename)
-BuildRequires:	perl(File::Path)
 BuildRequires:	perl(File::Spec::Functions)
 BuildRequires:	perl(Symbol)
 BuildRequires:	perl(Text::Wrap)
@@ -38,20 +36,27 @@ BuildRequires:	perl(utf8)
 # =========== Module Runtime =========================
 BuildRequires:	perl(AutoLoader)
 BuildRequires:	perl(Carp)
+BuildRequires:	perl(Errno)
 BuildRequires:	perl(Exporter)
 BuildRequires:	perl(MIME::Base64)
 BuildRequires:	perl(Socket)
+BuildRequires:	perl(vars)
 BuildRequires:	perl(XSLoader)
 # =========== Test Suite =============================
+BuildRequires:	perl(base)
 BuildRequires:	perl(Config)
+BuildRequires:	perl(Cwd)
 BuildRequires:	perl(File::Spec)
 BuildRequires:	perl(FindBin)
 BuildRequires:	perl(HTTP::Tiny)
 BuildRequires:	perl(IO::Handle)
 BuildRequires:	perl(IO::Socket::INET)
 BuildRequires:	perl(lib)
+BuildRequires:	perl(Scalar::Util)
+BuildRequires:	perl(SelectSaver)
 BuildRequires:	perl(Storable)
 BuildRequires:	perl(strict)
+BuildRequires:	perl(Test::Builder)
 BuildRequires:	perl(Test::More) >= 0.61
 BuildRequires:	perl(threads)
 BuildRequires:	perl(warnings)
@@ -59,10 +64,8 @@ BuildRequires:	perl(warnings)
 %if %{with perl_Net_SSLeay_enables_optional_test}
 BuildRequires:	perl(Test::Exception)
 # Test::Kwalitee 1.00 not used
-BuildRequires:	perl(Test::NoWarnings)
-BuildRequires:	perl(Test::Pod) >= 1.0
+BuildRequires:	perl(Test::Pod) >= 1.41
 # Test::Pod::Coverage 1.00 not used
-BuildRequires:	perl(Test::Warn)
 %endif
 # =========== Module Runtime =========================
 Requires:	perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
@@ -82,13 +85,13 @@ so you can write servers or clients for more complicated applications.
 %prep
 %setup -q -n Net-SSLeay-%{version}
 
+# Fixes from upstream for OpenSSL 3.0.0
+%patch0 -p1
+
 # Get libraries to link against from pkg-config
 # https://github.com/radiator-software/p5-net-ssleay/pull/127
 %patch10
 
-# Fixes (mainly from upstream) for OpenSSL 3.0.0
-%patch11 -p1
-
 # Fix permissions in examples to avoid bogus doc-file dependencies
 chmod -c 644 examples/*
 
@@ -98,7 +101,7 @@ PERL_MM_USE_DEFAULT=1 perl Makefile.PL \
 	INSTALLDIRS=vendor \
 	NO_PACKLIST=1 \
 	NO_PERLLOCAL=1 \
-	OPTIMIZE="%{optflags}" </dev/null
+	OPTIMIZE="%{optflags}" < /dev/null
 %{make_build}
 
 %install
@@ -125,6 +128,9 @@ make test
 %{_mandir}/man3/Net::SSLeay::Handle.3*
 
 %changelog
+* Tue Oct  5 2021 Paul Howarth <paul@city-fan.org> - 1.90-7
+- Fixes for OpenSSL 3.0.0 are now entirely from upstream
+
 * Wed Sep 15 2021 Paul Howarth <paul@city-fan.org> - 1.90-6
 - Add fixes (mainly from upstream) for OpenSSL 3.0.0