Apache 1.3.11 + mod_ssl 2.5.0 merge

219 files changed, 12171 insertions, 3459 deletions

diff --git a/usr.sbin/httpd/cgi-bin/printenv b/usr.sbin/httpd/cgi-bin/printenv
index 7d389e0ac56..207074361a7 100644
--- a/usr.sbin/httpd/cgi-bin/printenv
+++ b/usr.sbin/httpd/cgi-bin/printenv
@@ -1,7 +1,13 @@
 #!/usr/local/bin/perl
+##
+##  printenv -- demo CGI program which just prints its environment
+##
 
-print "Content-type: text/html\n\n";
-while (($key, $val) = each %ENV) {
-	print "$key = $val<BR>\n";
+print "Content-type: text/plain\n\n";
+foreach $var (sort(keys(%ENV))) {
+    $val = $ENV{$var};
+    $val =~ s|\n|\\n|g;
+    $val =~ s|"|\\"|g;
+    print "${var}=\"${val}\"\n";
 }
 
diff --git a/usr.sbin/httpd/conf/httpd.conf-dist b/usr.sbin/httpd/conf/httpd.conf-dist
index d3dfe858013..047116afbb5 100644
--- a/usr.sbin/httpd/conf/httpd.conf-dist
+++ b/usr.sbin/httpd/conf/httpd.conf-dist
@@ -319,7 +319,7 @@ DocumentRoot "@@ServerRoot@@/htdocs"
 # Note that "MultiViews" must be named *explicitly* --- "Options All"
 # doesn't give it to you.
 #
-    Options Indexes FollowSymLinks
+    Options Indexes FollowSymLinks MultiViews
 
 #
 # This controls which options the .htaccess files in directories can
@@ -352,10 +352,10 @@ UserDir public_html
 #        Order allow,deny
 #        Allow from all
 #    </Limit>
-#    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
+#    <LimitExcept GET POST OPTIONS PROPFIND>
 #        Order deny,allow
 #        Deny from all
-#    </Limit>
+#    </LimitExcept>
 #</Directory>
 
 #
@@ -638,34 +638,64 @@ AddEncoding x-gzip gz tgz
 #
 # AddLanguage allows you to specify the language of a document. You can
 # then use content negotiation to give a browser a file in a language
-# it can understand.  Note that the suffix does not have to be the same
-# as the language keyword --- those with documents in Polish (whose
-# net-standard language code is pl) may wish to use "AddLanguage pl .po" 
-# to avoid the ambiguity with the common suffix for perl scripts.
+# it can understand.  
+#
+# Note 1: The suffix does not have to be the same as the language 
+# keyword --- those with documents in Polish (whose net-standard 
+# language code is pl) may wish to use "AddLanguage pl .po" to 
+# avoid the ambiguity with the common suffix for perl scripts.
+#
+# Note 2: The example entries below illustrate that in quite
+# some cases the two character 'Language' abbriviation is not
+# identical to the two character 'Country' code for it's country,
+# E.g. 'Danmark/dk' versus 'Danish/da'.
 #
+# Note 3: In the case of 'ltz' we violate the RFC by using a three char 
+# specifier. But there is 'work in progress' to fix this and get 
+# the reference data for rfc1766 cleaned up.
+#
+# Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
+# French (fr) - German (de) - Greek-Modern (el)
+# Italian (it) -Portugese (pt) - Luxembourgeois* (ltz)
+# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
+#
+AddLanguage da .dk
+AddLanguage nl .nl
 AddLanguage en .en
+AddLanguage et .ee
 AddLanguage fr .fr
 AddLanguage de .de
-AddLanguage da .da
 AddLanguage el .el
 AddLanguage it .it
+AddLanguage pt .pt
+AddLanguage ltz .lu
+AddLanguage ca .ca
+AddLanguage es .es
+AddLanguage sv .se
+AddLanguage cz .cz
 
-#
 # LanguagePriority allows you to give precedence to some languages
 # in case of a tie during content negotiation.
-# Just list the languages in decreasing order of preference.
 #
-LanguagePriority en fr de
+# Just list the languages in decreasing order of preference. We have
+# more or less alphabetized them here. You probably want to change this.
+#
+LanguagePriority en da nl et fr de el it pt ltz ca es sv
 
 #
 # AddType allows you to tweak mime.types without actually editing it, or to
 # make certain files to be certain types.
 #
-# For example, the PHP3 module (not part of the Apache distribution - see
+# For example, the PHP 3.x module (not part of the Apache distribution - see
 # http://www.php.net) will typically use:
 #
 #AddType application/x-httpd-php3 .php3
 #AddType application/x-httpd-php3-source .phps
+#
+# And for PHP 4.x, use:
+#
+#AddType application/x-httpd-php .php
+#AddType application/x-httpd-php-source .phps
 
 AddType application/x-tar .tgz
 
@@ -904,6 +934,13 @@ SSLMutex  file:logs/ssl_mutex
 #   Pseudo Random Number Generator (PRNG):
 #   Configure one or more sources to seed the PRNG of the 
 #   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 #SSLRandomSeed startup file:/dev/random  512
@@ -952,13 +989,19 @@ SSLEngine on
 #   the certificate is encrypted, then you will be prompted for a
 #   pass phrase.  Note that a kill -HUP will prompt again. A test
 #   certificate can be generated with `make certificate' under
-#   built time.
+#   built time. Keep in mind that if you've both a RSA and a DSA
+#   certificate you can configure both in parallel (to also allow
+#   the use of DSA ciphers, etc.)
 SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server.crt
+#SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt
 
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
-#   directive to point at the key file.
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
 SSLCertificateKeyFile @@ServerRoot@@/conf/ssl.key/server.key
+#SSLCertificateKeyFile @@ServerRoot@@/conf/ssl.key/server-dsa.key
 
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
@@ -1014,43 +1057,55 @@ SSLCertificateKeyFile @@ServerRoot@@/conf/ssl.key/server.key
 
 #   SSL Engine Options:
 #   Set various options for the SSL engine.
-#   FakeBasicAuth:
+#   o FakeBasicAuth:
 #     Translate the client X.509 into a Basic Authorisation.  This means that
 #     the standard Auth/DBMAuth methods can be used for access control.  The
 #     user name is the `one line' version of the client's X.509 certificate.
 #     Note that no password is obtained from the user. Every entry in the user
 #     file needs this password: `xxj31ZMTZzkVA'.
-#   ExportCertData:
+#   o ExportCertData:
 #     This exports two additional environment variables: SSL_CLIENT_CERT and
 #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
 #     server (always existing) and the client (only existing when client
 #     authentication is used). This can be used to import the certificates
 #     into CGI scripts.
-#   CompatEnvVars:
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o CompatEnvVars:
 #     This exports obsolete environment variables for backward compatibility
 #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
 #     to provide compatibility to existing CGI scripts.
-#   StrictRequire:
+#   o StrictRequire:
 #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 #     under a "Satisfy any" situation, i.e. when it applies access is denied
 #     and no other module can change it.
-#   OptRenegotiate:
+#   o OptRenegotiate:
 #     This enables optimized SSL connection renegotiation handling when SSL
 #     directives are used in per-directory context. 
 #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml)$">
+    SSLOptions +StdEnvVars
+</Files>
+<Directory "@@ServerRoot@@/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
 
 #   SSL Protocol Adjustments:
 #   The safe and default but still SSL/TLS standard compliant shutdown
 #   approach is that mod_ssl sends the close notify alert but doesn't wait for
 #   the close notify alert from client. When you need a different shutdown
 #   approach you can use one of the following variables:
-#   ssl-unclean-shutdown:
+#   o ssl-unclean-shutdown:
 #     This forces an unclean shutdown when the connection is closed, i.e. no
 #     SSL close notify alert is send or allowed to received.  This violates
 #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
 #     this when you receive I/O errors because of the standard approach where
 #     mod_ssl sends the close notify alert.
-#   ssl-accurate-shutdown:
+#   o ssl-accurate-shutdown:
 #     This forces an accurate shutdown when the connection is closed, i.e. a
 #     SSL close notify alert is send and mod_ssl waits for the close notify
 #     alert of the client. This is 100% SSL/TLS standard compliant, but in
diff --git a/usr.sbin/httpd/conf/httpd.conf-dist-win b/usr.sbin/httpd/conf/httpd.conf-dist-win
index f5b6a4c7f10..e5650f688ef 100644
--- a/usr.sbin/httpd/conf/httpd.conf-dist-win
+++ b/usr.sbin/httpd/conf/httpd.conf-dist-win
@@ -271,7 +271,7 @@ DocumentRoot "@@ServerRoot@@/htdocs"
 # Note that "MultiViews" must be named *explicitly* --- "Options All"
 # doesn't give it to you.
 #
-    Options Indexes FollowSymLinks
+    Options Indexes FollowSymLinks MultiViews
 
 #
 # This controls which options the .htaccess files in directories can
@@ -565,24 +565,49 @@ AddEncoding x-gzip gz tgz
 #
 # AddLanguage allows you to specify the language of a document. You can
 # then use content negotiation to give a browser a file in a language
-# it can understand.  Note that the suffix does not have to be the same
-# as the language keyword --- those with documents in Polish (whose
-# net-standard language code is pl) may wish to use "AddLanguage pl .po" 
-# to avoid the ambiguity with the common suffix for perl scripts.
+# it can understand.  
 #
+# Note 1: The suffix does not have to be the same as the language 
+# keyword --- those with documents in Polish (whose net-standard 
+# language code is pl) may wish to use "AddLanguage pl .po" to 
+# avoid the ambiguity with the common suffix for perl scripts.
+#
+# Note 2: The example entries below illustrate that in quite
+# some cases the two character 'Language' abbriviation is not
+# identical to the two character 'Country' code for it's country,
+# E.g. 'Danmark/dk' versus 'Danish/da'.
+#
+# Note 3: In the case of 'ltz' we violate the RFC by using a three char 
+# specifier. But there is 'work in progress' to fix this and get 
+# the reference data for rfc1766 cleaned up.
+#
+# Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
+# French (fr) - German (de) - Greek-Modern (el)
+# Italian (it) -Portugese (pt) - Luxembourgeois* (ltz)
+# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
+#
+AddLanguage da .dk
+AddLanguage nl .nl
 AddLanguage en .en
+AddLanguage et .ee
 AddLanguage fr .fr
 AddLanguage de .de
-AddLanguage da .da
 AddLanguage el .el
 AddLanguage it .it
+AddLanguage pt .pt
+AddLanguage ltz .lu
+AddLanguage ca .ca
+AddLanguage es .es
+AddLanguage sv .se
+AddLanguage cz .cz
 
-#
 # LanguagePriority allows you to give precedence to some languages
 # in case of a tie during content negotiation.
-# Just list the languages in decreasing order of preference.
 #
-LanguagePriority en fr de
+# Just list the languages in decreasing order of preference. We have
+# more or less alphabetized them here. You probably want to change this.
+#
+LanguagePriority en da nl et fr de el it pt ltz ca es sv
 
 #
 # AddType allows you to tweak mime.types without actually editing it, or to
diff --git a/usr.sbin/httpd/conf/httpd.conf-dist.nw b/usr.sbin/httpd/conf/httpd.conf-dist.nw
new file mode 100644
index 00000000000..41cde7b057e
--- /dev/null
+++ b/usr.sbin/httpd/conf/httpd.conf-dist.nw
@@ -0,0 +1,814 @@
+#
+# Based upon the NCSA server configuration files originally by Rob McCool.
+#
+# This is the main Apache server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://www.apache.org/docs/> for detailed information about
+# the directives.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+# After this file is processed, the server will look for and process
+# sys:/apache/conf/srm.conf and then sys:/apache/conf/access.conf
+# unless you have overridden these with ResourceConfig and/or
+# AccessConfig directives here.
+#
+# The configuration directives are grouped into three basic sections:
+#  1. Directives that control the operation of the Apache server process as a
+#     whole (the 'global environment').
+#  2. Directives that define the parameters of the 'main' or 'default' server,
+#     which responds to requests that aren't handled by a virtual host.
+#     These directives also provide default values for the settings
+#     of all virtual hosts.
+#  3. Settings for virtual hosts, which allow Web requests to be sent to
+#     different IP addresses or hostnames and have them handled by the
+#     same Apache server process.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32 and
+# sys:/ for NetWare), the server will use that explicit path.  If the
+# filenames do *not* begin with "/", the value of ServerRoot is prepended
+#  -- so "logs/foo.log" with ServerRoot set to "/usr/local/apache" will be
+# interpreted by the server as "/usr/local/apache/logs/foo.log".
+#
+
+### Section 1: Global Environment
+#
+# The directives in this section affect the overall operation of Apache,
+# such as the number of concurrent requests it can handle or where it
+# can find its configuration files.
+#
+
+#
+# ServerType is either inetd, or standalone.  Inetd mode is only supported on
+# Unix platforms.
+#
+ServerType standalone
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE!  If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the LockFile documentation
+# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+ServerRoot "sys:/apache"
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+#
+PidFile logs/httpd.pid
+
+#
+# ScoreBoardFile: File used to store internal server process information.
+# Not all architectures require this.  But if yours does (you'll know because
+# this file will be  created when you run Apache) then you *must* ensure that
+# no two invocations of Apache share the same scoreboard file.
+#
+ScoreBoardFile logs/apache_status
+
+#
+# In the standard configuration, the server will process this file,
+# srm.conf, and access.conf in that order.  The latter two files are
+# now distributed empty, as it is recommended that all directives
+# be kept in a single file for simplicity.  The commented-out values
+# below are the built-in defaults.  You can have the server ignore
+# these files altogether by using "/dev/null" (for Unix) or
+# "nul" (for Win32) for the arguments to the directives.
+#
+#ResourceConfig conf/srm.conf
+#AccessConfig conf/access.conf
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 15
+
+#
+# Number of concurrent threads (i.e., requests) the server will allow.
+# Set this value according to the responsiveness of the server (more
+# requests active at once means they're all handled more slowly) and
+# the amount of system resources you'll allow the server to consume.
+#
+ThreadsPerChild 50
+
+#
+# When NetWare creates a thread you need to specify the stack size.
+# You may need to increase this if you get stack overflows.
+# ThreadStackSize 65536
+
+ThreadStackSize 65536
+
+#
+# MaxRequestsPerChild: the number of requests each child process is
+# allowed to process before the child dies.  The child will exit so
+# as to avoid problems after prolonged use when Apache (and maybe the
+# libraries it uses) leak memory or other resources.  On most systems, this
+# isn't really needed, but a few (such as Solaris) do have notable leaks
+# in the libraries. For these platforms, set to something like 10000
+# or so; a setting of 0 means unlimited.
+#
+# NOTE: This value does not include keepalive requests after the initial
+#       request per connection. For example, if a child process handles
+#       an initial request and 10 subsequent "keptalive" requests, it
+#       would only count as 1 request towards this limit.
+#
+MaxRequestsPerChild 0
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, in addition to the default. See also the <VirtualHost>
+# directive.
+#
+#Listen 3000
+#Listen 12.34.56.78:80
+
+
+#
+# BindAddress: You can support virtual hosts with this option. This directive
+# is used to tell the server which IP address to listen to. It can either
+# contain "*", an IP address, or a fully qualified Internet domain name.
+# See also the <VirtualHost> and Listen directives.
+#
+#BindAddress *
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Please read the file README.DSO in the Apache 1.3 distribution for more
+# details about the DSO mechanism and run `httpd -l' for the list of already
+# built-in (statically linked and thus always available) modules in your httpd
+# binary.
+#
+# Note: The order is which modules are loaded is important.  Don't change
+# the order below without expert advice.
+
+# LoadModule anon_auth_module modules/authanon
+# LoadModule cern_meta_module modules/cernmeta
+# LoadModule digest_module modules/digest
+# LoadModule expires_module modules/expires
+# LoadModule headers_module modules/headers
+# LoadModule proxy_module modules/proxy
+# LoadModule rewrite_module modules/rewrite
+# LoadModule speling_module modules/speling
+# LoadModule status_module modules/status
+# LoadModule info_module modules/info
+# LoadModule usertrack_module modules/usrtrack
+
+#
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called. The default is Off.
+#
+#ExtendedStatus On
+
+### Section 2: 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition.  These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# Port: The port to which the standalone server listens. For
+# ports < 1023, you will need httpd to be run as root initially.
+#
+Port 80
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed.  This address appears on some server-generated pages, such
+# as error documents.
+#
+ServerAdmin someone@somewhere.com
+
+#
+# ServerName allows you to set a host name which is sent back to clients for
+# your server if it's different than the one the program would get (i.e., use
+# "www" instead of the host's real name).
+#
+# Note: You cannot just invent host names and hope they work. The name you 
+# define here must be a valid DNS name for your host. If you don't understand
+# this, ask your network administrator.
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address (e.g., http://123.45.67.89/)
+# anyway, and this will make redirections work in a sensible way.
+#
+ServerName 123.45.67.89
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "sys:/apache/htdocs"
+
+#
+# Each directory to which Apache has access, can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories). 
+#
+# First, we configure the "default" to be a very restrictive set of 
+# permissions.  
+#
+<Directory />
+    Options FollowSymLinks
+    AllowOverride None
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# This should be changed to whatever you set DocumentRoot to.
+#
+<Directory "sys:/apache/htdocs">
+#
+# This may also be "None", "All", or any combination of "Indexes",
+# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+    Options Indexes FollowSymLinks
+
+#
+# This controls which options the .htaccess files in directories can
+# override. Can also be "All", or any combination of "Options", "FileInfo", 
+# "AuthConfig", and "Limit"
+#
+    AllowOverride None
+
+#
+# Controls who can get stuff from this server.
+#
+    Order allow,deny
+    Allow from all
+</Directory>
+
+#
+# UserDir: The name of the directory which is appended onto a user's home
+# directory if a ~user request is received.
+#
+UserDir public_html
+#
+# Control access to UserDir directories.  The following is an example
+# for a site where these directories are restricted to read-only.
+#
+#<Directory /home/*/public_html>
+#    AllowOverride FileInfo AuthConfig Limit
+#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+#    <Limit GET POST OPTIONS PROPFIND>
+#        Order allow,deny
+#        Allow from all
+#    </Limit>
+#    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
+#        Order deny,allow
+#        Deny from all
+#    </Limit>
+#</Directory>
+
+#
+# DirectoryIndex: Name of the file or files to use as a pre-written HTML
+# directory index.  Separate multiple entries with spaces.
+#
+DirectoryIndex index.html
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for access control information.
+#
+#AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess files from being viewed by
+# Web clients.  Since .htaccess files often contain authorization
+# information, access is disallowed for security reasons.  Comment
+# these lines out if you want Web visitors to see the contents of
+# .htaccess files.  If you change the AccessFileName directive above,
+# be sure to make the corresponding changes here.
+#
+# Also, folks tend to use names such as .htpasswd for password
+# files, so this will protect those as well.
+#
+<Files ~ "^\.ht">
+    Order allow,deny
+    Deny from all
+</Files>
+
+#
+# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
+# document that was negotiated on the basis of content. This asks proxy
+# servers not to cache the document. Uncommenting the following line disables
+# this behavior, and proxies will be allowed to cache the documents.
+#
+#CacheNegotiatedDocs
+
+#
+# UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
+# Apache needs to construct a self-referencing URL (a URL that refers back
+# to the server the response is coming from) it will use ServerName and
+# Port to form a "canonical" name.  With this setting off, Apache will
+# use the hostname:port that the client supplied, when possible.  This
+# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
+#
+UseCanonicalName On
+
+#
+# TypesConfig describes where the mime.types file (or equivalent) is
+# to be found.
+#
+TypesConfig conf/mime.types
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value.  If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+DefaultType text/plain
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type.  The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+# mod_mime_magic is not part of the default server (you have to add
+# it yourself with a LoadModule [see the DSO paragraph in the 'Global
+# Environment' section], or recompile the server and include mod_mime_magic
+# as part of the configuration), so it's enclosed in an <IfModule> container.
+# This means that the MIMEMagicFile directive will only be processed if the
+# module is part of the server.
+#
+<IfModule mod_mime_magic.c>
+    MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog logs/error_log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+#
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+#
+# The location and format of the access logfile (Common Logfile Format).
+# If you do not define any access logfiles within a <VirtualHost>
+# container, they will be logged here.  Contrariwise, if you *do*
+# define per-<VirtualHost> access logfiles, transactions will be
+# logged therein and *not* in this file.
+#
+#CustomLog logs/access_log common
+
+#
+# If you would like to have agent and referer logfiles, uncomment the
+# following directives.
+#
+#CustomLog logs/referer_log referer
+#CustomLog logs/agent_log agent
+
+#
+# If you prefer a single logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+#CustomLog logs/access_log combined
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (error documents, FTP directory listings,
+# mod_status and mod_info output etc., but not CGI generated documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#
+ServerSignature On
+
+#
+# Aliases: Add here as many aliases as you need (with no limit). The format is 
+# Alias fakename realname
+#
+# Note that if you include a trailing / on fakename then the server will
+# require it to be present in the URL.  So "/icons" isn't aliased in this
+# example, only "/icons/"..
+#
+Alias /icons/ "sys:/apache/icons/"
+
+<Directory "sys:/apache/icons">
+    Options Indexes MultiViews
+    AllowOverride None
+    Order allow,deny
+    Allow from all
+</Directory>
+
+#
+# ScriptAlias: This controls which directories contain server scripts.
+# ScriptAliases are essentially the same as Aliases, except that
+# documents in the realname directory are treated as applications and
+# run by the server when requested rather than as documents sent to the client.
+# The same rules about trailing "/" apply to ScriptAlias directives as to
+# Alias.
+#
+ScriptAlias /cgi-bin/ "sys:/apache/cgi-bin/"
+
+#
+# "sys:/apache/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "sys:/apache/cgi-bin">
+    AllowOverride None
+    Options None
+    Order allow,deny
+    Allow from all
+</Directory>
+
+#
+# Redirect allows you to tell clients about documents which used to exist in
+# your server's namespace, but do not anymore. This allows you to tell the
+# clients where to look for the relocated document.
+# Format: Redirect old-URI new-URL
+#
+
+#
+# Directives controlling the display of server-generated directory listings.
+#
+
+#
+# FancyIndexing is whether you want fancy directory indexing or standard
+#
+IndexOptions FancyIndexing
+
+#
+# AddIcon* directives tell the server which icon to show for different
+# files or filename extensions.  These are only displayed for
+# FancyIndexed directories.
+#
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif core
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+#
+# DefaultIcon is which icon to show for files which do not have an icon
+# explicitly set.
+#
+DefaultIcon /icons/unknown.gif
+
+#
+# AddDescription allows you to place a short description after a file in
+# server-generated indexes.  These are only displayed for FancyIndexed
+# directories.
+# Format: AddDescription "description" filename
+#
+#AddDescription "GZIP compressed document" .gz
+#AddDescription "tar archive" .tar
+#AddDescription "GZIP compressed tar archive" .tgz
+
+#
+# ReadmeName is the name of the README file the server will look for by
+# default, and append to directory listings.
+#
+# HeaderName is the name of a file which should be prepended to
+# directory indexes. 
+#
+# The server will first look for name.html and include it if found.
+# If name.html doesn't exist, the server will then look for name.txt
+# and include it as plaintext if found.
+#
+ReadmeName README
+HeaderName HEADER
+
+#
+# IndexIgnore is a set of filenames which directory indexing should ignore
+# and not include in the listing.  Shell-style wildcarding is permitted.
+#
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+
+#
+# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
+# information on the fly. Note: Not all browsers support this.
+# Despite the name similarity, the following Add* directives have nothing
+# to do with the FancyIndexing customization directives above.
+#
+AddEncoding x-compress Z
+AddEncoding x-gzip gz tgz
+
+#
+# AddLanguage allows you to specify the language of a document. You can
+# then use content negotiation to give a browser a file in a language
+# it can understand.  Note that the suffix does not have to be the same
+# as the language keyword --- those with documents in Polish (whose
+# net-standard language code is pl) may wish to use "AddLanguage pl .po" 
+# to avoid the ambiguity with the common suffix for perl scripts.
+#
+AddLanguage en .en
+AddLanguage fr .fr
+AddLanguage de .de
+AddLanguage da .da
+AddLanguage el .el
+AddLanguage it .it
+
+#
+# LanguagePriority allows you to give precedence to some languages
+# in case of a tie during content negotiation.
+# Just list the languages in decreasing order of preference.
+#
+LanguagePriority en fr de
+
+#
+# AddType allows you to tweak mime.types without actually editing it, or to
+# make certain files to be certain types.
+#
+# For example, the PHP3 module (not part of the Apache distribution - see
+# http://www.php.net) will typically use:
+#
+#AddType application/x-httpd-php3 .php3
+#AddType application/x-httpd-php3-source .phps
+
+AddType application/x-tar .tgz
+
+#
+# AddHandler allows you to map certain file extensions to "handlers",
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action command (see below)
+#
+# If you want to use server side includes, or CGI outside
+# ScriptAliased directories, uncomment the following lines.
+#
+# To use CGI scripts:
+#
+#AddHandler cgi-script .cgi
+
+#
+# To use server-parsed HTML files
+#
+#AddType text/html .shtml
+#AddHandler server-parsed .shtml
+
+#
+# Uncomment the following line to enable Apache's send-asis HTTP file
+# feature
+#
+#AddHandler send-as-is asis
+
+#
+# If you wish to use server-parsed imagemap files, use
+#
+#AddHandler imap-file map
+
+#
+# To enable type maps, you might want to use
+#
+#AddHandler type-map var
+
+#
+# Action lets you define media types that will execute a script whenever
+# a matching file is called. This eliminates the need for repeated URL
+# pathnames for oft-used CGI file processors.
+# Format: Action media/type /cgi-script/location
+# Format: Action handler-name /cgi-script/location
+#
+
+#
+# MetaDir: specifies the name of the directory in which Apache can find
+# meta information files. These files contain additional HTTP headers
+# to include when sending the document
+#
+#MetaDir .web
+
+#
+# MetaSuffix: specifies the file name suffix for the file containing the
+# meta information.
+#
+#MetaSuffix .meta
+
+#
+# Customizable error response (Apache style)
+#  these come in three flavors
+#
+#    1) plain text
+#ErrorDocument 500 "The server made a boo boo.
+#  n.b.  the (") marks it as text, it does not get output
+#
+#    2) local redirects
+#ErrorDocument 404 /missing.html
+#  to redirect to local URL /missing.html
+#ErrorDocument 404 /cgi-bin/missing_handler.pl
+#  N.B.: You can redirect to a script or a document using server-side-includes.
+#
+#    3) external redirects
+#ErrorDocument 402 http://some.other_server.com/subscription_info.html
+#  N.B.: Many of the environment variables associated with the original
+#  request will *not* be available to such a script.
+
+#
+# The following directives modify normal HTTP response behavior.
+# The first directive disables keepalive for Netscape 2.x and browsers that
+# spoof it. There are known problems with these browser implementations.
+# The second directive is for Microsoft Internet Explorer 4.0b2
+# which has a broken HTTP/1.1 implementation and does not properly
+# support keepalive when it is used on 301 or 302 (redirect) responses.
+#
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+
+#
+# The following directive disables HTTP/1.1 responses to browsers which
+# are in violation of the HTTP/1.0 spec by not being able to grok a
+# basic 1.1 response.
+#
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+
+#
+# Allow server status reports, with the URL of http://servername/server-status
+# Change the ".your_domain.com" to match your domain to enable.
+#
+#<Location /server-status>
+#    SetHandler server-status
+#    Order deny,allow
+#    Deny from all
+#    Allow from .your_domain.com
+#</Location>
+
+#
+# Allow remote server configuration reports, with the URL of
+#  http://servername/server-info (requires that mod_info.c be loaded).
+# Change the ".your_domain.com" to match your domain to enable.
+#
+#<Location /server-info>
+#    SetHandler server-info
+#    Order deny,allow
+#    Deny from all
+#    Allow from .your_domain.com
+#</Location>
+
+#
+# There have been reports of people trying to abuse an old bug from pre-1.1
+# days.  This bug involved a CGI script distributed as a part of Apache.
+# By uncommenting these lines you can redirect these attacks to a logging 
+# script on phf.apache.org.  Or, you can record them yourself, using the script
+# support/phf_abuse_log.cgi.
+#
+#<Location /cgi-bin/phf*>
+#    Deny from all
+#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
+#</Location>
+
+#
+# Proxy Server directives. Uncomment the following lines to
+# enable the proxy server:
+#
+#<IfModule mod_proxy.c>
+#ProxyRequests On
+#
+#<Directory proxy:*>
+#    Order deny,allow
+#    Deny from all
+#    Allow from .your_domain.com
+#</Directory>
+
+#
+# Enable/disable the handling of HTTP/1.1 "Via:" headers.
+# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
+# Set to one of: Off | On | Full | Block
+#
+#ProxyVia On
+
+#
+# To enable the cache as well, edit and uncomment the following lines:
+# (no cacheing without CacheRoot)
+#
+#CacheRoot "sys:/apache/proxy"
+#CacheSize 5
+#CacheGcInterval 4
+#CacheMaxExpire 24
+#CacheLastModifiedFactor 0.1
+#CacheDefaultExpire 1
+#NoCache a_domain.com another_domain.edu joes.garage_sale.com
+
+#</IfModule>
+# End of proxy directives.
+
+### Section 3: Virtual Hosts
+#
+# VirtualHost: If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them.
+# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
+# for further details before you try to setup virtual hosts.
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+
+#
+# If you want to use name-based virtual hosts you need to define at
+# least one IP address (and port number) for them.
+#
+#NameVirtualHost 123.45.67.89:8080
+
+
+#
+# VirtualHost example:
+# Almost any Apache directive may go into a VirtualHost container.
+#
+#<VirtualHost ip.address.of.host.some_domain.com>
+#    ServerAdmin webmaster@host.some_domain.com
+#    DocumentRoot /www/docs/host.some_domain.com
+#    ServerName host.some_domain.com
+#    ErrorLog logs/host.some_domain.com-error_log
+#    CustomLog logs/host.some_domain.com-access_log common
+#</VirtualHost>
+
+#<VirtualHost _default_:*>
+#</VirtualHost>
+
diff --git a/usr.sbin/httpd/conf/mime.types b/usr.sbin/httpd/conf/mime.types
index d53db0f4e88..0e6ccc4d11a 100644
--- a/usr.sbin/httpd/conf/mime.types
+++ b/usr.sbin/httpd/conf/mime.types
@@ -16,22 +16,33 @@ application/activemessage
 application/andrew-inset	ez
 application/applefile
 application/atomicmail
+application/batch-smtp
 application/cals-1840
 application/commonground
 application/cybercash
 application/dca-rft
 application/dec-dx
 application/eshop
+application/http
 application/hyperstudio
 application/iges
+application/index
+application/index.cmd
+application/index.obj
+application/index.response
+application/index.vnd
+application/ipp
 application/mac-binhex40	hqx
 application/mac-compactpro	cpt
 application/macwriteii
 application/marc
 application/mathematica
+application/mathematica-old
 application/msword		doc
 application/news-message-id
 application/news-transmission
+application/ocsp-request
+application/ocsp-response
 application/octet-stream	bin dms lha lzh exe class
 application/oda			oda
 application/pdf			pdf
@@ -41,6 +52,9 @@ application/pgp-signature
 application/pkcs10
 application/pkcs7-mime
 application/pkcs7-signature
+application/pkix-cert
+application/pkix-crl
+application/pkixcmp
 application/postscript		ai eps ps
 application/prs.alvestrand.titrax-sheet
 application/prs.cww
@@ -48,6 +62,7 @@ application/prs.nprend
 application/remote-printing
 application/riscos
 application/rtf			rtf
+application/sdp
 application/set-payment
 application/set-payment-initiation
 application/set-registration
@@ -59,14 +74,24 @@ application/smil		smi smil
 application/vemmi
 application/vnd.3M.Post-it-Notes
 application/vnd.FloGraphIt
+application/vnd.accpac.simply.aso
+application/vnd.accpac.simply.imp
 application/vnd.acucobol
 application/vnd.anser-web-certificate-issue-initiation
 application/vnd.anser-web-funds-transfer-initiation
 application/vnd.audiograph
 application/vnd.businessobjects
 application/vnd.claymore
+application/vnd.commerce-battelle
+application/vnd.commonspace
 application/vnd.comsocaller
+application/vnd.cosmocaller
+application/vnd.cups-postscript
+application/vnd.cups-raster
+application/vnd.cups-raw
+application/vnd.cybank
 application/vnd.dna
+application/vnd.dpgraph
 application/vnd.dxr
 application/vnd.ecdis-update
 application/vnd.ecowin.chart
@@ -76,7 +101,10 @@ application/vnd.ecowin.series
 application/vnd.ecowin.seriesrequest
 application/vnd.ecowin.seriesupdate
 application/vnd.enliven
+application/vnd.epson.msf
+application/vnd.epson.quickanime
 application/vnd.epson.salt
+application/vnd.epson.ssf
 application/vnd.fdf
 application/vnd.ffsns
 application/vnd.framemaker
@@ -86,15 +114,19 @@ application/vnd.fujitsu.oasys3
 application/vnd.fujitsu.oasysgp
 application/vnd.fujitsu.oasysprs
 application/vnd.fujixerox.docuworks
+application/vnd.fut-misnet
 application/vnd.hp-HPGL
 application/vnd.hp-PCL
 application/vnd.hp-PCLXL
+application/vnd.hp-hpid
 application/vnd.hp-hps
 application/vnd.ibm.MiniPay
 application/vnd.ibm.modcap
 application/vnd.intercon.formnet
 application/vnd.intertrust.digibox
 application/vnd.intertrust.nncp
+application/vnd.intu.qbo
+application/vnd.intu.qfx
 application/vnd.is-xpr
 application/vnd.japannet-directory-service
 application/vnd.japannet-jpnstore-wakeup
@@ -108,13 +140,27 @@ application/vnd.koan
 application/vnd.lotus-1-2-3
 application/vnd.lotus-approach
 application/vnd.lotus-freelance
+application/vnd.lotus-notes
 application/vnd.lotus-organizer
 application/vnd.lotus-screencam
 application/vnd.lotus-wordpro
+application/vnd.mediastation.cdkey
 application/vnd.meridian-slingshot
 application/vnd.mif		mif
 application/vnd.minisoft-hp3000-save
 application/vnd.mitsubishi.misty-guard.trustweb
+application/vnd.mobius.daf
+application/vnd.mobius.dis
+application/vnd.mobius.msl
+application/vnd.mobius.plc
+application/vnd.mobius.txf
+application/vnd.motorola.flexsuite
+application/vnd.motorola.flexsuite.adsi
+application/vnd.motorola.flexsuite.fis
+application/vnd.motorola.flexsuite.gotap
+application/vnd.motorola.flexsuite.kmr
+application/vnd.motorola.flexsuite.ttc
+application/vnd.motorola.flexsuite.wem
 application/vnd.ms-artgalry
 application/vnd.ms-asf
 application/vnd.ms-excel	xls
@@ -132,22 +178,51 @@ application/vnd.novadigm.EDM
 application/vnd.novadigm.EDX
 application/vnd.novadigm.EXT
 application/vnd.osa.netdeploy
+application/vnd.pg.format
+application/vnd.pg.osasli
 application/vnd.powerbuilder6
 application/vnd.powerbuilder6-s
+application/vnd.powerbuilder7
+application/vnd.powerbuilder7-s
+application/vnd.powerbuilder75
+application/vnd.powerbuilder75-s
+application/vnd.previewsystems.box
+application/vnd.publishare-delta-tree
 application/vnd.rapid
 application/vnd.seemail
+application/vnd.shana.informed.formdata
 application/vnd.shana.informed.formtemplate
 application/vnd.shana.informed.interchange
 application/vnd.shana.informed.package
 application/vnd.street-stream
 application/vnd.svd
 application/vnd.swiftview-ics
+application/vnd.triscape.mxs
 application/vnd.truedoc
+application/vnd.ufdl
+application/vnd.uplanet.alert
+application/vnd.uplanet.alert-wbxml
+application/vnd.uplanet.bearer-choi-wbxml
+application/vnd.uplanet.bearer-choice
+application/vnd.uplanet.cacheop
+application/vnd.uplanet.cacheop-wbxml
+application/vnd.uplanet.channel
+application/vnd.uplanet.channel-wbxml
+application/vnd.uplanet.list
+application/vnd.uplanet.list-wbxml
+application/vnd.uplanet.listcmd
+application/vnd.uplanet.listcmd-wbxml
+application/vnd.uplanet.signal
+application/vnd.vcx
 application/vnd.visio
+application/vnd.wap.wbxml
+application/vnd.wap.wmlc
+application/vnd.wap.wmlscriptc
 application/vnd.webturbo
 application/vnd.wrq-hp3000-labelled
 application/vnd.wt.stf
 application/vnd.xara
+application/vnd.xfdl
 application/vnd.yellowriver-custom-menu
 application/wita
 application/wordperfect5.1
@@ -188,9 +263,18 @@ application/xml
 application/zip			zip
 audio/32kadpcm
 audio/basic			au snd
+audio/l16
 audio/midi			mid midi kar
 audio/mpeg			mpga mp2 mp3
+audio/vnd.cns.anp1
+audio/vnd.cns.inf1
+audio/vnd.digital-winds
+audio/vnd.lucent.voice
+audio/vnd.nortel.vbk
+audio/vnd.octel.sbc
 audio/vnd.qcelp
+audio/vnd.rhetorex.32kadpcm
+audio/vnd.vmx.cvsd
 audio/x-aiff			aif aiff aifc
 audio/x-pn-realaudio		ram rm
 audio/x-pn-realaudio-plugin	rpm
@@ -206,12 +290,17 @@ image/jpeg			jpeg jpg jpe
 image/naplps
 image/png			png
 image/prs.btif
+image/prs.pti
 image/tiff			tiff tif
+image/vnd.cns.inf2
 image/vnd.dwg
 image/vnd.dxf
+image/vnd.fastbidsheet
 image/vnd.fpx
+image/vnd.mix
 image/vnd.net-fpx
 image/vnd.svf
+image/vnd.wap.wbmp
 image/vnd.xiff
 image/x-cmu-raster		ras
 image/x-portable-anymap		pnm
@@ -229,9 +318,12 @@ message/http
 message/news
 message/partial
 message/rfc822
+message/s-http
 model/iges			igs iges
 model/mesh			msh mesh silo
 model/vnd.dwf
+model/vnd.flatland.3dml
+model/vnd.gtw
 model/vrml			wrl vrml
 multipart/alternative
 multipart/appledouble
@@ -246,6 +338,7 @@ multipart/related
 multipart/report
 multipart/signed
 multipart/voice-message
+text/calendar
 text/css			css
 text/directory
 text/enriched
@@ -260,10 +353,14 @@ text/tab-separated-values	tsv
 text/uri-list
 text/vnd.abc
 text/vnd.flatland.3dml
+text/vnd.fly
 text/vnd.fmi.flexstor
 text/vnd.in3d.3dml
 text/vnd.in3d.spot
 text/vnd.latex-z
+text/vnd.motorola.reflex
+text/vnd.wap.wml
+text/vnd.wap.wmlscript
 text/x-setext			etx
 text/xml			xml
 video/mpeg			mpeg mpg mpe
diff --git a/usr.sbin/httpd/conf/ssl.crl/Makefile b/usr.sbin/httpd/conf/ssl.crl/Makefile
index 448938df4a6..5401506fb7f 100644
--- a/usr.sbin/httpd/conf/ssl.crl/Makefile
+++ b/usr.sbin/httpd/conf/ssl.crl/Makefile
@@ -1,6 +1,6 @@
 ##
 ##  Makefile to keep the hash symlinks in SSLCARevocationPath up to date
-##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved. 
+##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved. 
 ##
 
 SSL_PROGRAM=
diff --git a/usr.sbin/httpd/conf/ssl.crt/Makefile b/usr.sbin/httpd/conf/ssl.crt/Makefile
index 2f6555445e6..bf5eacd8ec8 100644
--- a/usr.sbin/httpd/conf/ssl.crt/Makefile
+++ b/usr.sbin/httpd/conf/ssl.crt/Makefile
@@ -1,6 +1,6 @@
 ##
 ##  Makefile to keep the hash symlinks in SSLCACertificatePath up to date
-##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved. 
+##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved. 
 ##
 
 SSL_PROGRAM=
diff --git a/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt b/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt
index dcd48febddc..478f5f681e2 100644
--- a/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt
+++ b/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt
@@ -1,6 +1,6 @@
 ##
 ##  ca-bundle.crt -- Bundle of CA Root Certificates
-##  Last Modified: Sat Sep  5 14:44:16 CEST 1998
+##  Last Modified: Fri Oct 22 17:15:27 CEST 1999
 ##
 ##  This is a bundle of X.509 certificates of public
 ##  Certificate Authorities (CA). These were automatically
@@ -13,350 +13,396 @@
 ##  (SKIPME)
 ##
 
-AT&T Certificate Services
-=========================
-MD5 Fingerprint: 34:FA:BD:73:DB:25:C5:54:33:A2:AB:B3:27:5F:2A:84
+ABAecom (sub., Am. Bankers Assn.) Root CA
+=========================================
+MD5 Fingerprint: BA:D9:60:04:63:E6:92:07:3C:C5:38:93:66:38:24:FE
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAVICBQKXAAABMA0GCSqGSIb3DQEBAgUAMDsxCzAJBgNVBAYTAlVTMQ0w
-CwYDVQQKFARBVCZUMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczAeFw05
-NjAxMjkwMDAwMDBaFw05OTEyMzEwMDAwMDBaMDsxCzAJBgNVBAYTAlVTMQ0wCwYD
-VQQKFARBVCZUMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA4B4BZBu4FMf+4eYIognBkdYGm/KT2cN+qWZB
-nFFn7xNmoQUnAcoQS/l9dS2pOoa+N51yGUdEDGRHRk8qtaC1FYvTTmPDA/jH6hSX
-uSkutmQZWLsAzL0I1jnCcU+e3uiHYTCF4NX8fNWGKtuTFvAYwzZguuU8xhBGydV8
-rke2aCECAwEAATANBgkqhkiG9w0BAQIFAAOBgQAY8kGLnBFYFSdCZIRd+3VxQYee
-T8ekWxvpJOT/lHGwKmrE/FAr2KjQbr4JYD+IxBw3afgkntjGDiU09HqhRJl3W4C3
-d9IxMPH/S5CBnIAy+qhiZP8dGi0D4Ou3Tbvjo43eTIUNw5iypGttGH/89CAqYH6a
-lXNGm5lfSbfqcD3tig==
+MIIDkjCCAnqgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkRDMRMwEQYDVQQHEwpXYXNoaW5ndG9uMRcwFQYDVQQKEw5BQkEu
+RUNPTSwgSW5jLjEZMBcGA1UEAxMQQUJBLkVDT00gUm9vdCBDQTEeMBwGCSqGSIb3
+DQEJARYPa2RhZ3Vpb0BhYmEuY29tMB4XDTk4MDcyOTE2NTk1MloXDTA1MDcyNzE2
+NTk1MlowgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJEQzETMBEGA1UEBxMKV2Fz
+aGluZ3RvbjEXMBUGA1UEChMOQUJBLkVDT00sIEluYy4xGTAXBgNVBAMTEEFCQS5F
+Q09NIFJvb3QgQ0ExHjAcBgkqhkiG9w0BCQEWD2tkYWd1aW9AYWJhLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMae3L3cDgkaUcaSm5lrjGmJvhvF
+ohFOhGYNmfH/H5mhM9a0kouli57Wp5DEybSBGp6HUP9zVqdtEFsIE6asCKkaIHIa
+DzN0sVixVm81Nj0zXpPjmgK1obfxbzEFNQ3XoA/OMmexPUj2SYuisf5GgC4/7EQN
+FKfeuhDXvAn/VZZRF05luCegEpEA9bc7Ur2oNT4T0xhRvRb3fRIBiTc768GiYEK+
+QBzTd2hv+LQHfma542pUDaboHGDi7+6drWPsk2udrWMOno8jlhcF/Oh11hQ16i2D
+mvZVjpNNsYziQWJk0P1G0/kVeo5G1EjbNge1b3JlD3BHdBW87oNQzk72r90CAwEA
+AaMPMA0wCwYDVR0PBAQDAgLUMA0GCSqGSIb3DQEBBQUAA4IBAQBobiY2tbG5cy5Y
+88T6IXNua5n4739dw7v3GyaeotvxbzI/5NjejwuXiE6bNp3RhWABmMdovkPBBoBn
+JuMZwXZG3VfOxPa54d2cxyoEYZUpuXa/f93fs5fPmMsz5AXUyi3Z4xIpXhjoPwXM
+aN5mX6LB15EExfCQSEFgW6hC85lUL6s3FVwTyTasHxaTWV1vXjkToFrSvTAPeGg8
+ptYvOS8ME51zN+daqhu3HsGRKb+Z8lqYclOV9IAyznxRb7XNSpnc44MbwcGdchyU
+vjtfIwfoAWmL22SjjLIFKQFSfX5zrRHnLDVqCyMKGnnfcqLRR5/I61zt/szuAQkw
+sV/IDA62
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
-        Version: 1 (0x0)
-        Serial Number:
-            02:97:00:00:01
-        Signature Algorithm: md2WithRSAEncryption
-        Issuer: C=US, O=AT&T, OU=Certificate Services
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=DC, L=Washington, O=ABA.ECOM, Inc., CN=ABA.ECOM Root CA/Email=kdaguio@aba.com
         Validity
-            Not Before: Jan 29 00:00:00 1996 GMT
-            Not After : Dec 31 00:00:00 1999 GMT
-        Subject: C=US, O=AT&T, OU=Certificate Services
+            Not Before: Jul 29 16:59:52 1998 GMT
+            Not After : Jul 27 16:59:52 2005 GMT
+        Subject: C=US, ST=DC, L=Washington, O=ABA.ECOM, Inc., CN=ABA.ECOM Root CA/Email=kdaguio@aba.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:e0:1e:01:64:1b:b8:14:c7:fe:e1:e6:08:a2:09:
-                    c1:91:d6:06:9b:f2:93:d9:c3:7e:a9:66:41:9c:51:
-                    67:ef:13:66:a1:05:27:01:ca:10:4b:f9:7d:75:2d:
-                    a9:3a:86:be:37:9d:72:19:47:44:0c:64:47:46:4f:
-                    2a:b5:a0:b5:15:8b:d3:4e:63:c3:03:f8:c7:ea:14:
-                    97:b9:29:2e:b6:64:19:58:bb:00:cc:bd:08:d6:39:
-                    c2:71:4f:9e:de:e8:87:61:30:85:e0:d5:fc:7c:d5:
-                    86:2a:db:93:16:f0:18:c3:36:60:ba:e5:3c:c6:10:
-                    46:c9:d5:7c:ae:47:b6:68:21
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:c6:9e:dc:bd:dc:0e:09:1a:51:c6:92:9b:99:6b:
+                    8c:69:89:be:1b:c5:a2:11:4e:84:66:0d:99:f1:ff:
+                    1f:99:a1:33:d6:b4:92:8b:a5:8b:9e:d6:a7:90:c4:
+                    c9:b4:81:1a:9e:87:50:ff:73:56:a7:6d:10:5b:08:
+                    13:a6:ac:08:a9:1a:20:72:1a:0f:33:74:b1:58:b1:
+                    56:6f:35:36:3d:33:5e:93:e3:9a:02:b5:a1:b7:f1:
+                    6f:31:05:35:0d:d7:a0:0f:ce:32:67:b1:3d:48:f6:
+                    49:8b:a2:b1:fe:46:80:2e:3f:ec:44:0d:14:a7:de:
+                    ba:10:d7:bc:09:ff:55:96:51:17:4e:65:b8:27:a0:
+                    12:91:00:f5:b7:3b:52:bd:a8:35:3e:13:d3:18:51:
+                    bd:16:f7:7d:12:01:89:37:3b:eb:c1:a2:60:42:be:
+                    40:1c:d3:77:68:6f:f8:b4:07:7e:66:b9:e3:6a:54:
+                    0d:a6:e8:1c:60:e2:ef:ee:9d:ad:63:ec:93:6b:9d:
+                    ad:63:0e:9e:8f:23:96:17:05:fc:e8:75:d6:14:35:
+                    ea:2d:83:9a:f6:55:8e:93:4d:b1:8c:e2:41:62:64:
+                    d0:fd:46:d3:f9:15:7a:8e:46:d4:48:db:36:07:b5:
+                    6f:72:65:0f:70:47:74:15:bc:ee:83:50:ce:4e:f6:
+                    af:dd
                 Exponent: 65537 (0x10001)
-    Signature Algorithm: md2WithRSAEncryption
-        18:f2:41:8b:9c:11:58:15:27:42:64:84:5d:fb:75:71:41:87:
-        9e:4f:c7:a4:5b:1b:e9:24:e4:ff:94:71:b0:2a:6a:c4:fc:50:
-        2b:d8:a8:d0:6e:be:09:60:3f:88:c4:1c:37:69:f8:24:9e:d8:
-        c6:0e:25:34:f4:7a:a1:44:99:77:5b:80:b7:77:d2:31:30:f1:
-        ff:4b:90:81:9c:80:32:fa:a8:62:64:ff:1d:1a:2d:03:e0:eb:
-        b7:4d:bb:e3:a3:8d:de:4c:85:0d:c3:98:b2:a4:6b:6d:18:7f:
-        fc:f4:20:2a:60:7e:9a:95:73:46:9b:99:5f:49:b7:ea:70:3d:
-        ed:8a
+        X509v3 extensions:
+            X509v3 Key Usage: 
+                ....
+    Signature Algorithm: sha1WithRSAEncryption
+        68:6e:26:36:b5:b1:b9:73:2e:58:f3:c4:fa:21:73:6e:6b:99:
+        f8:ef:7f:5d:c3:bb:f7:1b:26:9e:a2:db:f1:6f:32:3f:e4:d8:
+        de:8f:0b:97:88:4e:9b:36:9d:d1:85:60:01:98:c7:68:be:43:
+        c1:06:80:67:26:e3:19:c1:76:46:dd:57:ce:c4:f6:b9:e1:dd:
+        9c:c7:2a:04:61:95:29:b9:76:bf:7f:dd:df:b3:97:cf:98:cb:
+        33:e4:05:d4:ca:2d:d9:e3:12:29:5e:18:e8:3f:05:cc:68:de:
+        66:5f:a2:c1:d7:91:04:c5:f0:90:48:41:60:5b:a8:42:f3:99:
+        54:2f:ab:37:15:5c:13:c9:36:ac:1f:16:93:59:5d:6f:5e:39:
+        13:a0:5a:d2:bd:30:0f:78:68:3c:a6:d6:2f:39:2f:0c:13:9d:
+        73:37:e7:5a:aa:1b:b7:1e:c1:91:29:bf:99:f2:5a:98:72:53:
+        95:f4:80:32:ce:7c:51:6f:b5:cd:4a:99:dc:e3:83:1b:c1:c1:
+        9d:72:1c:94:be:3b:5f:23:07:e8:01:69:8b:db:64:a3:8c:b2:
+        05:29:01:52:7d:7e:73:ad:11:e7:2c:35:6a:0b:23:0a:1a:79:
+        df:72:a2:d1:47:9f:c8:eb:5c:ed:fe:cc:ee:01:09:30:b1:5f:
+        c8:0c:0e:b6
 
-AT&T Directory Services
-=======================
-MD5 Fingerprint: 4C:FC:FD:DD:DF:AC:7E:14:A5:0A:DE:0B:F5:38:9D:AC
+ANX Network CA by DST
+=====================
+MD5 Fingerprint: A8:ED:DE:EB:93:88:66:D8:2F:C3:BD:1D:BE:45:BE:4D
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIB3zCCAUgCAQAwDQYJKoZIhvcNAQEEBQAwOTELMAkGA1UEBhMCVVMxDTALBgNV
-BAoUBEFUJlQxGzAZBgNVBAsUEkRpcmVjdG9yeSBTZXJ2aWNlczAeFw05NjAxMTgy
-MTAzNTJaFw0wMTAxMTYyMTAzNTJaMDkxCzAJBgNVBAYTAlVTMQ0wCwYDVQQKFARB
-VCZUMRswGQYDVQQLFBJEaXJlY3RvcnkgU2VydmljZXMwgZ0wDQYJKoZIhvcNAQEB
-BQADgYsAMIGHAoGBAIdkcokLII+HJ6zGIv4AQGlIr8aGzSMz4xHFMRoffp6SE7ai
-rOOwHyoHbLbU3kv68aKgfc5Lvr4mSAmMhRHeyyLnwu5EUf5n1Vta4BY3VAS4OzIS
-lIOesU2AbKSpdqy4pJf3qwtspUO6bk/FTgAwFjw/mRTaoiAIi7rtdqyXANVtAgEP
-MA0GCSqGSIb3DQEBBAUAA4GBADhQHQrTG7uin2yNEKpCGwWN5CWr+1WubbpTZxUH
-muxVn3KJXySw28pkvWSqwozZPaJFt8aScVHv7eFRVJdWNaHO5ETER2b/kdqInCPC
-s9RiSryUVZyAjrPdTxrtElq1Lrz4S87G1HCzsyL4Xlw2eqa4OXNGQ1ybmr0efqcE
-zyU2
+MIIDTTCCAragAwIBAgIENm6ibzANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJV
+UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMR0wGwYDVQQL
+ExREU1QgKEFOWCBOZXR3b3JrKSBDQTAeFw05ODEyMDkxNTQ2NDhaFw0xODEyMDkx
+NjE2NDhaMFIxCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVy
+ZSBUcnVzdCBDby4xHTAbBgNVBAsTFERTVCAoQU5YIE5ldHdvcmspIENBMIGdMA0G
+CSqGSIb3DQEBAQUAA4GLADCBhwKBgQC0SBGAWKDVpZkP9jcsRLZu0XzzKmueEbaI
+IwRccSWeahJ3EW6/aDllqPay9qIYsokVoGe3eowiSGv2hDQftsr3G3LL8ltI04ce
+InYTBLSsbJZ/5w4IyTJRMC3VgOghZ7rzXggkLAdZnZAa7kbJtaQelrRBkdR/0o04
+JrBvQ24JfQIBA6OCATAwggEsMBEGCWCGSAGG+EIBAQQEAwIABzB0BgNVHR8EbTBr
+MGmgZ6BlpGMwYTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0
+dXJlIFRydXN0IENvLjEdMBsGA1UECxMURFNUIChBTlggTmV0d29yaykgQ0ExDTAL
+BgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxNTQ2NDhagQ8yMDE4MTIw
+OTE1NDY0OFowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFIwWVXDMFgpTZMKlhKqz
+ZBdDP4I2MB0GA1UdDgQWBBSMFlVwzBYKU2TCpYSqs2QXQz+CNjAMBgNVHRMEBTAD
+AQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4GB
+AEklyWCxDF+pORDTxTRVfc95wynr3vnCQPnoVsXwL+z02exIUbhjOF6TbhiWhbnK
+UJykuOpmJmiThW9vTHHQvnoLPDG5975pnhDX0UDorBZxq66rOOFwscqSFuBdhaYY
+gAYAnOGmGEJRp2hoWe8mlF+tMQz+KR4XAYQ3W+gSMqNd
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
-        Version: 1 (0x0)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=US, O=AT&T, OU=Directory Services
+        Version: 3 (0x2)
+        Serial Number: 913220207 (0x366ea26f)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Digital Signature Trust Co., OU=DST (ANX Network) CA
         Validity
-            Not Before: Jan 18 21:03:52 1996 GMT
-            Not After : Jan 16 21:03:52 2001 GMT
-        Subject: C=US, O=AT&T, OU=Directory Services
+            Not Before: Dec  9 15:46:48 1998 GMT
+            Not After : Dec  9 16:16:48 2018 GMT
+        Subject: C=US, O=Digital Signature Trust Co., OU=DST (ANX Network) CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:87:64:72:89:0b:20:8f:87:27:ac:c6:22:fe:00:
-                    40:69:48:af:c6:86:cd:23:33:e3:11:c5:31:1a:1f:
-                    7e:9e:92:13:b6:a2:ac:e3:b0:1f:2a:07:6c:b6:d4:
-                    de:4b:fa:f1:a2:a0:7d:ce:4b:be:be:26:48:09:8c:
-                    85:11:de:cb:22:e7:c2:ee:44:51:fe:67:d5:5b:5a:
-                    e0:16:37:54:04:b8:3b:32:12:94:83:9e:b1:4d:80:
-                    6c:a4:a9:76:ac:b8:a4:97:f7:ab:0b:6c:a5:43:ba:
-                    6e:4f:c5:4e:00:30:16:3c:3f:99:14:da:a2:20:08:
-                    8b:ba:ed:76:ac:97:00:d5:6d
-                Exponent: 15 (0xf)
-    Signature Algorithm: md5WithRSAEncryption
-        38:50:1d:0a:d3:1b:bb:a2:9f:6c:8d:10:aa:42:1b:05:8d:e4:
-        25:ab:fb:55:ae:6d:ba:53:67:15:07:9a:ec:55:9f:72:89:5f:
-        24:b0:db:ca:64:bd:64:aa:c2:8c:d9:3d:a2:45:b7:c6:92:71:
-        51:ef:ed:e1:51:54:97:56:35:a1:ce:e4:44:c4:47:66:ff:91:
-        da:88:9c:23:c2:b3:d4:62:4a:bc:94:55:9c:80:8e:b3:dd:4f:
-        1a:ed:12:5a:b5:2e:bc:f8:4b:ce:c6:d4:70:b3:b3:22:f8:5e:
-        5c:36:7a:a6:b8:39:73:46:43:5c:9b:9a:bd:1e:7e:a7:04:cf:
-        25:36
+                    00:b4:48:11:80:58:a0:d5:a5:99:0f:f6:37:2c:44:
+                    b6:6e:d1:7c:f3:2a:6b:9e:11:b6:88:23:04:5c:71:
+                    25:9e:6a:12:77:11:6e:bf:68:39:65:a8:f6:b2:f6:
+                    a2:18:b2:89:15:a0:67:b7:7a:8c:22:48:6b:f6:84:
+                    34:1f:b6:ca:f7:1b:72:cb:f2:5b:48:d3:87:1e:22:
+                    76:13:04:b4:ac:6c:96:7f:e7:0e:08:c9:32:51:30:
+                    2d:d5:80:e8:21:67:ba:f3:5e:08:24:2c:07:59:9d:
+                    90:1a:ee:46:c9:b5:a4:1e:96:b4:41:91:d4:7f:d2:
+                    8d:38:26:b0:6f:43:6e:09:7d
+                Exponent: 3 (0x3)
+        X509v3 extensions:
+            Netscape Cert Type: 
+                ....
+            X509v3 CRL Distribution Points: 
+                0k0i.g.e.c0a1.0...U....US1$0"..U.
+..Digital Signature Trust Co.1.0...U....DST (ANX Network) CA1
0...U....CRL1
+            X509v3 Private Key Usage Period: 
+                0"..19981209154648Z..20181209154648Z
+            X509v3 Key Usage: 
+                ....
+            X509v3 Authority Key Identifier: 
+                0.....Up..
+Sd.....d.C?.6
+            X509v3 Subject Key Identifier: 
+                ....Up..
+Sd.....d.C?.6
+            X509v3 Basic Constraints: 
+                0....
+            1.2.840.113533.7.65.0: 
+                0
+..V4.0....
+    Signature Algorithm: sha1WithRSAEncryption
+        49:25:c9:60:b1:0c:5f:a9:39:10:d3:c5:34:55:7d:cf:79:c3:
+        29:eb:de:f9:c2:40:f9:e8:56:c5:f0:2f:ec:f4:d9:ec:48:51:
+        b8:63:38:5e:93:6e:18:96:85:b9:ca:50:9c:a4:b8:ea:66:26:
+        68:93:85:6f:6f:4c:71:d0:be:7a:0b:3c:31:b9:f7:be:69:9e:
+        10:d7:d1:40:e8:ac:16:71:ab:ae:ab:38:e1:70:b1:ca:92:16:
+        e0:5d:85:a6:18:80:06:00:9c:e1:a6:18:42:51:a7:68:68:59:
+        ef:26:94:5f:ad:31:0c:fe:29:1e:17:01:84:37:5b:e8:12:32:
+        a3:5d
 
-BBN Certificate Services CA Root 1
-==================================
-MD5 Fingerprint: A1:FB:06:83:8A:10:0D:6B:C9:58:81:D9:C2:92:C2:59
+Access America by DST
+=====================
+MD5 Fingerprint: CD:3B:3D:62:5B:09:B8:09:36:87:9E:12:2F:71:64:BA
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICLTCCAZYCBQKpAAABMA0GCSqGSIb3DQEBBAUAMF0xCzAJBgNVBAYTAlVTMSEw
-HwYDVQQKExhCQk4gQ2VydGlmaWNhdGUgU2VydmljZXMxKzApBgNVBAMTIkJCTiBD
-ZXJ0aWZpY2F0ZSBTZXJ2aWNlcyBDQSBSb290IDEwHhcNOTYwMjE1MjExMDI4WhcN
-OTkxMjI1MjM1OTAwWjBdMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYQkJOIENlcnRp
-ZmljYXRlIFNlcnZpY2VzMSswKQYDVQQDEyJCQk4gQ2VydGlmaWNhdGUgU2Vydmlj
-ZXMgQ0EgUm9vdCAxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCumxTY8sfW
-G+oIQzC8UZXF9srcCW6HCHQnkUuJX+qgINcFWfDZczCGReaMZv4QNCroxL3hRFEU
-caJwZu2PM9fbwzgCDGFLIfR7Ic7gymjhQnwFJvto86DkJjkVUFeGOdniZSZAWxGI
-+quBj2pF1g9dduEouvoLYQthcAFcgZHCBQIDAQABMA0GCSqGSIb3DQEBBAUAA4GB
-AEioN5Rz5i0PHaMe8PhXVAxUvtrcfYppV02qHOukBzRS4Jd+bHGHhP/AWO/hn/Ds
-6nwT/0FVK5OsXCwaIjelUYf7nhJnJ/XPvDamTL1anx6KWuuF7nBrQ/1hWHc1lWsv
-cN69hymuI8KmO5S5sBPWTsrb1BV6FRPjlVR1DLU+RNMH
+MIID2DCCAsACEQDQHkCLAAB3bQAAAAEAAAAEMA0GCSqGSIb3DQEBBQUAMIGpMQsw
+CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp
+dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UE
+CxMIRFNUQ0EgWDIxFjAUBgNVBAMTDURTVCBSb290Q0EgWDIxITAfBgkqhkiG9w0B
+CQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAeFw05ODExMzAyMjQ2MTZaFw0wODExMjcy
+MjQ2MTZaMIGpMQswCQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMO
+U2FsdCBMYWtlIENpdHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0
+IENvLjERMA8GA1UECxMIRFNUQ0EgWDIxFjAUBgNVBAMTDURTVCBSb290Q0EgWDIx
+ITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBANx18IzAdZaawGIfJvfE4Zrq4FZzW5nNAUSoCLbV
+p9oaBBg5kkp4o4HC9Xd6ULRw/5qrxsfKboNPQpj7Jgva3G3WqZlVUmfpKAOS3OWw
+BZoPFflrWXJW8vo5/Kpo7g8fEIMv/J36F5bdguPmRX3AS4BEH+0s4IT9kVySVGkl
+5WJp3OXuAFK9MwutdQKFp2RQLcUZGTDAJtvJ0/0uma1ZtQtN1EGuhUhDWdy3qOKi
+3sOP17ihYqZoUFLkzzGnlIXan0YyF1bl8utmPRL/Q9uY73fPy4GNNLHGUEom0eQ+
+QVCvbK4iNC7Va26Dunm4dmVI2gkpZGMiuftHdoWMhkTLCdsCAwEAATANBgkqhkiG
+9w0BAQUFAAOCAQEAtTYOXeFhKFoRZcA/gwN5Tb4opgsHAlKFzfiR0BBstWogWxyQ
+2TA8xkieil5k+aFxd+8EJx8H6+Qm93N0yUQYGmbT4EOvkTvRyyzYdFQ6HE3K1GjN
+I3wdEJ5F6fYAbqbNGf9PLCmPV03Ed5K+4EwJ+11EhmYhqLkyolbV6YyDfFk/xPEL
+553snr2cGA4+wjl5KLcDDQjLxufZATdQEOzMYRZA1K8xdHv8PzGn0EdzMzkbzE5q
+10mDEQb+64JYMzJM8FasHpwvVpp7wUocpf1VNs78lk30sPDst2yC7S8xmUJMqbIN
+uBVd8d+6ybVK1GSYsyapMMj9puyrliGtf8J4tg==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            02:a9:00:00:01
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=US, O=BBN Certificate Services, CN=BBN Certificate Services CA Root 1
+            d0:1e:40:8b:00:00:77:6d:00:00:00:01:00:00:00:04
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com
         Validity
-            Not Before: Feb 15 21:10:28 1996 GMT
-            Not After : Dec 25 23:59:00 1999 GMT
-        Subject: C=US, O=BBN Certificate Services, CN=BBN Certificate Services CA Root 1
+            Not Before: Nov 30 22:46:16 1998 GMT
+            Not After : Nov 27 22:46:16 2008 GMT
+        Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:ae:9b:14:d8:f2:c7:d6:1b:ea:08:43:30:bc:51:
-                    95:c5:f6:ca:dc:09:6e:87:08:74:27:91:4b:89:5f:
-                    ea:a0:20:d7:05:59:f0:d9:73:30:86:45:e6:8c:66:
-                    fe:10:34:2a:e8:c4:bd:e1:44:51:14:71:a2:70:66:
-                    ed:8f:33:d7:db:c3:38:02:0c:61:4b:21:f4:7b:21:
-                    ce:e0:ca:68:e1:42:7c:05:26:fb:68:f3:a0:e4:26:
-                    39:15:50:57:86:39:d9:e2:65:26:40:5b:11:88:fa:
-                    ab:81:8f:6a:45:d6:0f:5d:76:e1:28:ba:fa:0b:61:
-                    0b:61:70:01:5c:81:91:c2:05
-                Exponent: 65537 (0x10001)
-    Signature Algorithm: md5WithRSAEncryption
-        48:a8:37:94:73:e6:2d:0f:1d:a3:1e:f0:f8:57:54:0c:54:be:
-        da:dc:7d:8a:69:57:4d:aa:1c:eb:a4:07:34:52:e0:97:7e:6c:
-        71:87:84:ff:c0:58:ef:e1:9f:f0:ec:ea:7c:13:ff:41:55:2b:
-        93:ac:5c:2c:1a:22:37:a5:51:87:fb:9e:12:67:27:f5:cf:bc:
-        36:a6:4c:bd:5a:9f:1e:8a:5a:eb:85:ee:70:6b:43:fd:61:58:
-        77:35:95:6b:2f:70:de:bd:87:29:ae:23:c2:a6:3b:94:b9:b0:
-        13:d6:4e:ca:db:d4:15:7a:15:13:e3:95:54:75:0c:b5:3e:44:
-        d3:07
-
-BelSign Class 1 CA
-==================
-MD5 Fingerprint: A7:48:93:0A:64:AD:98:E0:FA:5B:5A:BE:6F:29:F1:68
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMCQkUx
-ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMS4wLAYDVQQL
-EyVCZWxTaWduIENsYXNzIDEgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD
-ExJCZWxTaWduIENsYXNzIDEgQ0ExIzAhBgkqhkiG9w0BCQEWFHdlYm1hc3RlckBi
-ZWxzaWduLmJlMB4XDTk3MDcxNjA3Mzc0MFoXDTk4MDcxNjA3Mzc0MFowgacxCzAJ
-BgNVBAYTAkJFMREwDwYDVQQHEwhCcnVzc2VsczETMBEGA1UEChMKQmVsU2lnbiBO
-VjEuMCwGA1UECxMlQmVsU2lnbiBDbGFzcyAxIENlcnRpZmljYXRlIEF1dGhvcml0
-eTEbMBkGA1UEAxMSQmVsU2lnbiBDbGFzcyAxIENBMSMwIQYJKoZIhvcNAQkBFhR3
-ZWJtYXN0ZXJAYmVsc2lnbi5iZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-sq9gL9wra5hRLyH3rekrKjqUIxKYI4VSasXHPPGJNdCdrh2Zsqes1c79/NkXvujL
-WGlwHgOX4iDlmwfz4oJGX8u5/iIAC00j3et0dSKEMK+Xvn1axJHjy4LgUTuFQmGU
-IdTjUPOMimFibL3xDwCsf2jZZhyc3ZfH/07UJAueXzECAwEAAaMVMBMwEQYJYIZI
-AYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBBAUAA4GBABrXCt53AQrkp/frgxe7uqVC
-QrZ5+dEPp8PaUIqTWQDwzdLdyjCNNbNROtOXQyo/YsAP0xHhpAwGE1nCMz86t7+0
-ei9qA9Ac69RNlEhdIOKYij96tBWG6HdxoRNLrefCyrANRfHmcc1CVZl2UByloW89
-qCqmWUqxEU8NTK8jzB3a
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Class 1 Certificate Authority, CN=BelSign Class 1 CA/Email=webmaster@belsign.be
-        Validity
-            Not Before: Jul 16 07:37:40 1997 GMT
-            Not After : Jul 16 07:37:40 1998 GMT
-        Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Class 1 Certificate Authority, CN=BelSign Class 1 CA/Email=webmaster@belsign.be
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b2:af:60:2f:dc:2b:6b:98:51:2f:21:f7:ad:e9:
-                    2b:2a:3a:94:23:12:98:23:85:52:6a:c5:c7:3c:f1:
-                    89:35:d0:9d:ae:1d:99:b2:a7:ac:d5:ce:fd:fc:d9:
-                    17:be:e8:cb:58:69:70:1e:03:97:e2:20:e5:9b:07:
-                    f3:e2:82:46:5f:cb:b9:fe:22:00:0b:4d:23:dd:eb:
-                    74:75:22:84:30:af:97:be:7d:5a:c4:91:e3:cb:82:
-                    e0:51:3b:85:42:61:94:21:d4:e3:50:f3:8c:8a:61:
-                    62:6c:bd:f1:0f:00:ac:7f:68:d9:66:1c:9c:dd:97:
-                    c7:ff:4e:d4:24:0b:9e:5f:31
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:dc:75:f0:8c:c0:75:96:9a:c0:62:1f:26:f7:c4:
+                    e1:9a:ea:e0:56:73:5b:99:cd:01:44:a8:08:b6:d5:
+                    a7:da:1a:04:18:39:92:4a:78:a3:81:c2:f5:77:7a:
+                    50:b4:70:ff:9a:ab:c6:c7:ca:6e:83:4f:42:98:fb:
+                    26:0b:da:dc:6d:d6:a9:99:55:52:67:e9:28:03:92:
+                    dc:e5:b0:05:9a:0f:15:f9:6b:59:72:56:f2:fa:39:
+                    fc:aa:68:ee:0f:1f:10:83:2f:fc:9d:fa:17:96:dd:
+                    82:e3:e6:45:7d:c0:4b:80:44:1f:ed:2c:e0:84:fd:
+                    91:5c:92:54:69:25:e5:62:69:dc:e5:ee:00:52:bd:
+                    33:0b:ad:75:02:85:a7:64:50:2d:c5:19:19:30:c0:
+                    26:db:c9:d3:fd:2e:99:ad:59:b5:0b:4d:d4:41:ae:
+                    85:48:43:59:dc:b7:a8:e2:a2:de:c3:8f:d7:b8:a1:
+                    62:a6:68:50:52:e4:cf:31:a7:94:85:da:9f:46:32:
+                    17:56:e5:f2:eb:66:3d:12:ff:43:db:98:ef:77:cf:
+                    cb:81:8d:34:b1:c6:50:4a:26:d1:e4:3e:41:50:af:
+                    6c:ae:22:34:2e:d5:6b:6e:83:ba:79:b8:76:65:48:
+                    da:09:29:64:63:22:b9:fb:47:76:85:8c:86:44:cb:
+                    09:db
                 Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            Netscape Cert Type: 
-                ....
-    Signature Algorithm: md5WithRSAEncryption
-        1a:d7:0a:de:77:01:0a:e4:a7:f7:eb:83:17:bb:ba:a5:42:42:
-        b6:79:f9:d1:0f:a7:c3:da:50:8a:93:59:00:f0:cd:d2:dd:ca:
-        30:8d:35:b3:51:3a:d3:97:43:2a:3f:62:c0:0f:d3:11:e1:a4:
-        0c:06:13:59:c2:33:3f:3a:b7:bf:b4:7a:2f:6a:03:d0:1c:eb:
-        d4:4d:94:48:5d:20:e2:98:8a:3f:7a:b4:15:86:e8:77:71:a1:
-        13:4b:ad:e7:c2:ca:b0:0d:45:f1:e6:71:cd:42:55:99:76:50:
-        1c:a5:a1:6f:3d:a8:2a:a6:59:4a:b1:11:4f:0d:4c:af:23:cc:
-        1d:da
+    Signature Algorithm: sha1WithRSAEncryption
+        b5:36:0e:5d:e1:61:28:5a:11:65:c0:3f:83:03:79:4d:be:28:
+        a6:0b:07:02:52:85:cd:f8:91:d0:10:6c:b5:6a:20:5b:1c:90:
+        d9:30:3c:c6:48:9e:8a:5e:64:f9:a1:71:77:ef:04:27:1f:07:
+        eb:e4:26:f7:73:74:c9:44:18:1a:66:d3:e0:43:af:91:3b:d1:
+        cb:2c:d8:74:54:3a:1c:4d:ca:d4:68:cd:23:7c:1d:10:9e:45:
+        e9:f6:00:6e:a6:cd:19:ff:4f:2c:29:8f:57:4d:c4:77:92:be:
+        e0:4c:09:fb:5d:44:86:66:21:a8:b9:32:a2:56:d5:e9:8c:83:
+        7c:59:3f:c4:f1:0b:e7:9d:ec:9e:bd:9c:18:0e:3e:c2:39:79:
+        28:b7:03:0d:08:cb:c6:e7:d9:01:37:50:10:ec:cc:61:16:40:
+        d4:af:31:74:7b:fc:3f:31:a7:d0:47:73:33:39:1b:cc:4e:6a:
+        d7:49:83:11:06:fe:eb:82:58:33:32:4c:f0:56:ac:1e:9c:2f:
+        56:9a:7b:c1:4a:1c:a5:fd:55:36:ce:fc:96:4d:f4:b0:f0:ec:
+        b7:6c:82:ed:2f:31:99:42:4c:a9:b2:0d:b8:15:5d:f1:df:ba:
+        c9:b5:4a:d4:64:98:b3:26:a9:30:c8:fd:a6:ec:ab:96:21:ad:
+        7f:c2:78:b6
 
-BelSign Class 2 CA
-==================
-MD5 Fingerprint: 77:A9:F0:33:6B:A7:9F:6D:46:B7:A9:3A:64:9E:B7:31
+American Express CA
+===================
+MD5 Fingerprint: 1C:D5:8E:82:BE:70:55:8E:39:61:DF:AD:51:DB:6B:A0
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMCQkUx
-ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMS4wLAYDVQQL
-EyVCZWxTaWduIENsYXNzIDIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD
-ExJCZWxTaWduIENsYXNzIDIgQ0ExIzAhBgkqhkiG9w0BCQEWFHdlYm1hc3RlckBi
-ZWxzaWduLmJlMB4XDTk3MDcxNjE2MzMzMFoXDTk4MDcxNjE2MzMzMFowgacxCzAJ
-BgNVBAYTAkJFMREwDwYDVQQHEwhCcnVzc2VsczETMBEGA1UEChMKQmVsU2lnbiBO
-VjEuMCwGA1UECxMlQmVsU2lnbiBDbGFzcyAyIENlcnRpZmljYXRlIEF1dGhvcml0
-eTEbMBkGA1UEAxMSQmVsU2lnbiBDbGFzcyAyIENBMSMwIQYJKoZIhvcNAQkBFhR3
-ZWJtYXN0ZXJAYmVsc2lnbi5iZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-yY6kcPaUwNY2Oo+sqGp3zG072OeFl5pu0NTrYR7CeUxDD2p+pBDm9ZMia66zWwWY
-bbF389cjZGNITO0T1OyZDlICiGINd4e1ot6/wsQVlvOEjNDmDne8+qZ2kyjb/0u2
-OEhce9aLTr77Q+yX8/4uclBTxZsr1esWT79rwer6LtkCAwEAAaMVMBMwEQYJYIZI
-AYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBBAUAA4GBALBicqaAfFthm9WCEC/BpTC0
-3wdwJklQSqC0yUQVhcqizA1m4EAxScVOw3yRo78OZvWzzS0r3lfdeo2rJP6MSfN/
-uSlGcrz0IlVlK5Y3Gvlr0ZdsM7bNdxUw2pBGOc2IzD9K8JrcHs2shIguCcFNNR+t
-kPqQxS6KlhbGzWd/E2Rg
+MIICkDCCAfkCAgCNMA0GCSqGSIb3DQEBBAUAMIGPMQswCQYDVQQGEwJVUzEnMCUG
+A1UEChMeQW1lcmljYW4gRXhwcmVzcyBDb21wYW55LCBJbmMuMSYwJAYDVQQLEx1B
+bWVyaWNhbiBFeHByZXNzIFRlY2hub2xvZ2llczEvMC0GA1UEAxMmQW1lcmljYW4g
+RXhwcmVzcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTgwODE0MjIwMTAwWhcN
+MDYwODE0MjM1OTAwWjCBjzELMAkGA1UEBhMCVVMxJzAlBgNVBAoTHkFtZXJpY2Fu
+IEV4cHJlc3MgQ29tcGFueSwgSW5jLjEmMCQGA1UECxMdQW1lcmljYW4gRXhwcmVz
+cyBUZWNobm9sb2dpZXMxLzAtBgNVBAMTJkFtZXJpY2FuIEV4cHJlc3MgQ2VydGlm
+aWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ8kmS
+hcr9FSm1BrZE7PyIo/KGzv8UTyQckvnCI8HOQ99dNMi4FOzVKnCRSZXXVs2U8amT
+0Ggi3E19oApyKkfqJfCFAF82VGHPC/k3Wmed6R/pZD9wlWGn0DAC3iYopGYDBOkw
++48zB/lvYYeictvzaHhjZlmpybdm4RWySDYs+QIDAQABMA0GCSqGSIb3DQEBBAUA
+A4GBAGgXYrhzi0xs60qlPqvlnS7SzYoHV/PGWZd2Fxf4Uo4nk9hY2Chs9KIEeorC
+diSxArTfKPL386infiNIYYj0EWiuJl32oUtTJWrYKhQCDuCHIG6eGVxzkAsj4jGX
+Iz/VIqLTBnvaN/XXtUFEF3pFAtmFRWbWjsfwegyZYiJpW+3S
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
+        Version: 1 (0x0)
+        Serial Number: 141 (0x8d)
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Class 2 Certificate Authority, CN=BelSign Class 2 CA/Email=webmaster@belsign.be
+        Issuer: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Certificate Authority
         Validity
-            Not Before: Jul 16 16:33:30 1997 GMT
-            Not After : Jul 16 16:33:30 1998 GMT
-        Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Class 2 Certificate Authority, CN=BelSign Class 2 CA/Email=webmaster@belsign.be
+            Not Before: Aug 14 22:01:00 1998 GMT
+            Not After : Aug 14 23:59:00 2006 GMT
+        Subject: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Certificate Authority
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:c9:8e:a4:70:f6:94:c0:d6:36:3a:8f:ac:a8:6a:
-                    77:cc:6d:3b:d8:e7:85:97:9a:6e:d0:d4:eb:61:1e:
-                    c2:79:4c:43:0f:6a:7e:a4:10:e6:f5:93:22:6b:ae:
-                    b3:5b:05:98:6d:b1:77:f3:d7:23:64:63:48:4c:ed:
-                    13:d4:ec:99:0e:52:02:88:62:0d:77:87:b5:a2:de:
-                    bf:c2:c4:15:96:f3:84:8c:d0:e6:0e:77:bc:fa:a6:
-                    76:93:28:db:ff:4b:b6:38:48:5c:7b:d6:8b:4e:be:
-                    fb:43:ec:97:f3:fe:2e:72:50:53:c5:9b:2b:d5:eb:
-                    16:4f:bf:6b:c1:ea:fa:2e:d9
+                    00:c9:f2:49:92:85:ca:fd:15:29:b5:06:b6:44:ec:
+                    fc:88:a3:f2:86:ce:ff:14:4f:24:1c:92:f9:c2:23:
+                    c1:ce:43:df:5d:34:c8:b8:14:ec:d5:2a:70:91:49:
+                    95:d7:56:cd:94:f1:a9:93:d0:68:22:dc:4d:7d:a0:
+                    0a:72:2a:47:ea:25:f0:85:00:5f:36:54:61:cf:0b:
+                    f9:37:5a:67:9d:e9:1f:e9:64:3f:70:95:61:a7:d0:
+                    30:02:de:26:28:a4:66:03:04:e9:30:fb:8f:33:07:
+                    f9:6f:61:87:a2:72:db:f3:68:78:63:66:59:a9:c9:
+                    b7:66:e1:15:b2:48:36:2c:f9
                 Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            Netscape Cert Type: 
-                ....
     Signature Algorithm: md5WithRSAEncryption
-        b0:62:72:a6:80:7c:5b:61:9b:d5:82:10:2f:c1:a5:30:b4:df:
-        07:70:26:49:50:4a:a0:b4:c9:44:15:85:ca:a2:cc:0d:66:e0:
-        40:31:49:c5:4e:c3:7c:91:a3:bf:0e:66:f5:b3:cd:2d:2b:de:
-        57:dd:7a:8d:ab:24:fe:8c:49:f3:7f:b9:29:46:72:bc:f4:22:
-        55:65:2b:96:37:1a:f9:6b:d1:97:6c:33:b6:cd:77:15:30:da:
-        90:46:39:cd:88:cc:3f:4a:f0:9a:dc:1e:cd:ac:84:88:2e:09:
-        c1:4d:35:1f:ad:90:fa:90:c5:2e:8a:96:16:c6:cd:67:7f:13:
-        64:60
+        68:17:62:b8:73:8b:4c:6c:eb:4a:a5:3e:ab:e5:9d:2e:d2:cd:
+        8a:07:57:f3:c6:59:97:76:17:17:f8:52:8e:27:93:d8:58:d8:
+        28:6c:f4:a2:04:7a:8a:c2:76:24:b1:02:b4:df:28:f2:f7:f3:
+        a8:a7:7e:23:48:61:88:f4:11:68:ae:26:5d:f6:a1:4b:53:25:
+        6a:d8:2a:14:02:0e:e0:87:20:6e:9e:19:5c:73:90:0b:23:e2:
+        31:97:23:3f:d5:22:a2:d3:06:7b:da:37:f5:d7:b5:41:44:17:
+        7a:45:02:d9:85:45:66:d6:8e:c7:f0:7a:0c:99:62:22:69:5b:
+        ed:d2
 
-BelSign Class 3 CA
-==================
-MD5 Fingerprint: 9A:B6:64:18:02:CF:7E:98:6D:87:DF:07:4B:48:E9:06
+American Express Global CA
+==========================
+MD5 Fingerprint: 63:1B:66:93:8C:F3:66:CB:3C:79:57:DC:05:49:EA:DB
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIC2zCCAkSgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMCQkUx
-ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMS4wLAYDVQQL
-EyVCZWxTaWduIENsYXNzIDMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD
-ExJCZWxTaWduIENsYXNzIDMgQ0ExIzAhBgkqhkiG9w0BCQEWFHdlYm1hc3RlckBi
-ZWxzaWduLmJlMB4XDTk3MDcxNjE2MzYyN1oXDTk4MDcxNjE2MzYyN1owgacxCzAJ
-BgNVBAYTAkJFMREwDwYDVQQHEwhCcnVzc2VsczETMBEGA1UEChMKQmVsU2lnbiBO
-VjEuMCwGA1UECxMlQmVsU2lnbiBDbGFzcyAzIENlcnRpZmljYXRlIEF1dGhvcml0
-eTEbMBkGA1UEAxMSQmVsU2lnbiBDbGFzcyAzIENBMSMwIQYJKoZIhvcNAQkBFhR3
-ZWJtYXN0ZXJAYmVsc2lnbi5iZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-sD6eFQRcNaFc+Odk/HLa1O8FjK44uqlhIW0t6DJBWEJR3wGV77ybz7ATYFh4t109
-g4RJj/kg8G6hIl/N9mMrsucU3HZHxQAibUhgDvFHwjWGxf2QIU1VjLPeb76DdkyC
-HOFgfAwkz6BqT5a4Wpqp3Td+NLCS7UthSLhUr3o+rQ8CAwEAAaMVMBMwEQYJYIZI
-AYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBBAUAA4GBAEsBh3JrV4XzAcnC/Z5Im1CV
-mQ5ISAoIW2ldkbdqYq11b/UxnLDnzbkPpdmAY6MEJzB1ewagEOsOn43Mf5MymY+e
-QrcFltW0xzrdGCk/d3EJW2HR40J+ohWrRRvYCmmK4R+EUF4UnVfhGDcK+cKKE3Xw
-ID16iapyk+Xwh16radQD
+MIIEBDCCAuygAwIBAgICAIUwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAlVT
+MScwJQYDVQQKEx5BbWVyaWNhbiBFeHByZXNzIENvbXBhbnksIEluYy4xJjAkBgNV
+BAsTHUFtZXJpY2FuIEV4cHJlc3MgVGVjaG5vbG9naWVzMTYwNAYDVQQDEy1BbWVy
+aWNhbiBFeHByZXNzIEdsb2JhbCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTgw
+ODE0MTkwNjAwWhcNMTMwODE0MjM1OTAwWjCBljELMAkGA1UEBhMCVVMxJzAlBgNV
+BAoTHkFtZXJpY2FuIEV4cHJlc3MgQ29tcGFueSwgSW5jLjEmMCQGA1UECxMdQW1l
+cmljYW4gRXhwcmVzcyBUZWNobm9sb2dpZXMxNjA0BgNVBAMTLUFtZXJpY2FuIEV4
+cHJlc3MgR2xvYmFsIENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPAkJmYu++tKc3FTiUfLJjxTkpRMysKFtQ34w1e9
+Lyofahi3V68MABb6oLaQpvcaoS5mJsdoo4qTaWa1RlYtHYLqkAwKIsKJUI0F89Sr
+c0HwzxKsKLRvFJSWWUuekHWG3+JH6+HpT0N+h8onGGaetcFAZX38YW+tm3LPqV7Y
+8/nabpEQ+ky16n4g3qk5L/WI5IpvNcYgnCuGRjMK/DFVpWusFkDpzTVZbzIEw3u1
+D3t3cPNIuypSgs6vKW3xEW9t5gcAAe+a8yYNpnkTZ6/4qxx1rJG1a75AsN6cDLFp
+hRlxkRNFyt/R/eayypaDedvFuKpbepALeFY+xteflEgR9a0CAwEAAaNaMFgwEgYD
+VR0TAQH/BAgwBgEB/wIBBTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgoq
+hkiG+Q8KAQUBMBkGA1UdDgQSBBBXRzV7NicRqAj8L0Yl6yRpMA0GCSqGSIb3DQEB
+BQUAA4IBAQDHYUWoinG5vjTpIXshzVYTmNUwY+kYqkuSFb8LHbvskmnFLsNhi+gw
+RcsQRsFzOFyLGdIr80DrfHKzLh4n43WVihybLsSVBYZy0FX0oZJSeVzb9Pjc5dcS
+sUDHPIbkMWVKyjfG3nZXGWlMRmn8Kq0WN3qTrPchSy3766lQy8HRQAjaA2mHpzde
+VcHF7cTjjgwml5tcV0ty4/IDBdACOyYDQJCevgtbSQx48dVMVSng9v1MA6lUAjLR
+V1qFrEPtWzsWX6C/NdtLnnvo/+cNPDuom0lBRvVzTv+SZSGDE1Vx60k8f4gawhIo
+JaFGS0E3l3/sjvHUoZbCILZerakcHhGg
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Class 3 Certificate Authority, CN=BelSign Class 3 CA/Email=webmaster@belsign.be
+        Serial Number: 133 (0x85)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Global Certificate Authority
         Validity
-            Not Before: Jul 16 16:36:27 1997 GMT
-            Not After : Jul 16 16:36:27 1998 GMT
-        Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Class 3 Certificate Authority, CN=BelSign Class 3 CA/Email=webmaster@belsign.be
+            Not Before: Aug 14 19:06:00 1998 GMT
+            Not After : Aug 14 23:59:00 2013 GMT
+        Subject: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Global Certificate Authority
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b0:3e:9e:15:04:5c:35:a1:5c:f8:e7:64:fc:72:
-                    da:d4:ef:05:8c:ae:38:ba:a9:61:21:6d:2d:e8:32:
-                    41:58:42:51:df:01:95:ef:bc:9b:cf:b0:13:60:58:
-                    78:b7:5d:3d:83:84:49:8f:f9:20:f0:6e:a1:22:5f:
-                    cd:f6:63:2b:b2:e7:14:dc:76:47:c5:00:22:6d:48:
-                    60:0e:f1:47:c2:35:86:c5:fd:90:21:4d:55:8c:b3:
-                    de:6f:be:83:76:4c:82:1c:e1:60:7c:0c:24:cf:a0:
-                    6a:4f:96:b8:5a:9a:a9:dd:37:7e:34:b0:92:ed:4b:
-                    61:48:b8:54:af:7a:3e:ad:0f
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:f0:24:26:66:2e:fb:eb:4a:73:71:53:89:47:cb:
+                    26:3c:53:92:94:4c:ca:c2:85:b5:0d:f8:c3:57:bd:
+                    2f:2a:1f:6a:18:b7:57:af:0c:00:16:fa:a0:b6:90:
+                    a6:f7:1a:a1:2e:66:26:c7:68:a3:8a:93:69:66:b5:
+                    46:56:2d:1d:82:ea:90:0c:0a:22:c2:89:50:8d:05:
+                    f3:d4:ab:73:41:f0:cf:12:ac:28:b4:6f:14:94:96:
+                    59:4b:9e:90:75:86:df:e2:47:eb:e1:e9:4f:43:7e:
+                    87:ca:27:18:66:9e:b5:c1:40:65:7d:fc:61:6f:ad:
+                    9b:72:cf:a9:5e:d8:f3:f9:da:6e:91:10:fa:4c:b5:
+                    ea:7e:20:de:a9:39:2f:f5:88:e4:8a:6f:35:c6:20:
+                    9c:2b:86:46:33:0a:fc:31:55:a5:6b:ac:16:40:e9:
+                    cd:35:59:6f:32:04:c3:7b:b5:0f:7b:77:70:f3:48:
+                    bb:2a:52:82:ce:af:29:6d:f1:11:6f:6d:e6:07:00:
+                    01:ef:9a:f3:26:0d:a6:79:13:67:af:f8:ab:1c:75:
+                    ac:91:b5:6b:be:40:b0:de:9c:0c:b1:69:85:19:71:
+                    91:13:45:ca:df:d1:fd:e6:b2:ca:96:83:79:db:c5:
+                    b8:aa:5b:7a:90:0b:78:56:3e:c6:d7:9f:94:48:11:
+                    f5:ad
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            Netscape Cert Type: 
+            X509v3 Basic Constraints: critical
+                0.......
+            X509v3 Key Usage: critical
                 ....
-    Signature Algorithm: md5WithRSAEncryption
-        4b:01:87:72:6b:57:85:f3:01:c9:c2:fd:9e:48:9b:50:95:99:
-        0e:48:48:0a:08:5b:69:5d:91:b7:6a:62:ad:75:6f:f5:31:9c:
-        b0:e7:cd:b9:0f:a5:d9:80:63:a3:04:27:30:75:7b:06:a0:10:
-        eb:0e:9f:8d:cc:7f:93:32:99:8f:9e:42:b7:05:96:d5:b4:c7:
-        3a:dd:18:29:3f:77:71:09:5b:61:d1:e3:42:7e:a2:15:ab:45:
-        1b:d8:0a:69:8a:e1:1f:84:50:5e:14:9d:57:e1:18:37:0a:f9:
-        c2:8a:13:75:f0:20:3d:7a:89:aa:72:93:e5:f0:87:5e:ab:69:
-        d4:03
+            X509v3 Certificate Policies: 
+                0.0..
+*.H...
+...
+            X509v3 Subject Key Identifier: 
+                ..WG5{6'..../F%.$i
+    Signature Algorithm: sha1WithRSAEncryption
+        c7:61:45:a8:8a:71:b9:be:34:e9:21:7b:21:cd:56:13:98:d5:
+        30:63:e9:18:aa:4b:92:15:bf:0b:1d:bb:ec:92:69:c5:2e:c3:
+        61:8b:e8:30:45:cb:10:46:c1:73:38:5c:8b:19:d2:2b:f3:40:
+        eb:7c:72:b3:2e:1e:27:e3:75:95:8a:1c:9b:2e:c4:95:05:86:
+        72:d0:55:f4:a1:92:52:79:5c:db:f4:f8:dc:e5:d7:12:b1:40:
+        c7:3c:86:e4:31:65:4a:ca:37:c6:de:76:57:19:69:4c:46:69:
+        fc:2a:ad:16:37:7a:93:ac:f7:21:4b:2d:fb:eb:a9:50:cb:c1:
+        d1:40:08:da:03:69:87:a7:37:5e:55:c1:c5:ed:c4:e3:8e:0c:
+        26:97:9b:5c:57:4b:72:e3:f2:03:05:d0:02:3b:26:03:40:90:
+        9e:be:0b:5b:49:0c:78:f1:d5:4c:55:29:e0:f6:fd:4c:03:a9:
+        54:02:32:d1:57:5a:85:ac:43:ed:5b:3b:16:5f:a0:bf:35:db:
+        4b:9e:7b:e8:ff:e7:0d:3c:3b:a8:9b:49:41:46:f5:73:4e:ff:
+        92:65:21:83:13:55:71:eb:49:3c:7f:88:1a:c2:12:28:25:a1:
+        46:4b:41:37:97:7f:ec:8e:f1:d4:a1:96:c2:20:b6:5e:ad:a9:
+        1c:1e:11:a0
 
 BelSign Object Publishing CA
 ============================
-MD5 Fingerprint: 7E:9E:13:72:CD:CC:93:B7:91:F0:F9:3A:53:98:E9:F9
+MD5 Fingerprint: 8A:02:F8:DF:B8:E1:84:9F:5A:C2:60:24:65:D1:73:FB
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIDAzCCAmygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCQkUx
+MIIDAzCCAmygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCQkUx
 ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMTgwNgYDVQQL
 Ey9CZWxTaWduIE9iamVjdCBQdWJsaXNoaW5nIENlcnRpZmljYXRlIEF1dGhvcml0
 eTElMCMGA1UEAxMcQmVsU2lnbiBPYmplY3QgUHVibGlzaGluZyBDQTEjMCEGCSqG
-SIb3DQEJARYUd2VibWFzdGVyQGJlbHNpZ24uYmUwHhcNOTcwOTE5MTczMjA4WhcN
-OTgwOTE5MTczMjA4WjCBuzELMAkGA1UEBhMCQkUxETAPBgNVBAcTCEJydXNzZWxz
+SIb3DQEJARYUd2VibWFzdGVyQGJlbHNpZ24uYmUwHhcNOTcwOTE5MjIwMzAwWhcN
+MDcwOTE5MjIwMzAwWjCBuzELMAkGA1UEBhMCQkUxETAPBgNVBAcTCEJydXNzZWxz
 MRMwEQYDVQQKEwpCZWxTaWduIE5WMTgwNgYDVQQLEy9CZWxTaWduIE9iamVjdCBQ
 dWJsaXNoaW5nIENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGA1UEAxMcQmVsU2ln
 biBPYmplY3QgUHVibGlzaGluZyBDQTEjMCEGCSqGSIb3DQEJARYUd2VibWFzdGVy
@@ -364,20 +410,20 @@ QGJlbHNpZ24uYmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMQuH7a/7oJA
 3fm3LkHVngWxWtAmfGJVA5v8y2HeS+/+6Jn+h7mIz5DaDwk8dt8Xl7bLPyVF/bS8
 WAC+sFq2FIeP7mdkrR2Ig7tnn2VhAFgIgFCfgMkx9iqQHC33SmwQ9iNDXTgJYIhX
 As0WbBj8zfuSKnfQnpOjXYhk0Mj4XVRRAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQE
-AwIABzANBgkqhkiG9w0BAQQFAAOBgQC2BusyKzhrbPnVg979McEUX6aoISuMLwtF
-Edlv2u9V77JyWq2MV6vqzUJTsCX76BUmIdvloXuv6NsJyblIdwEbEorSmtoInPoq
-Idx/76+txVjCATred/tXu/NuVhfkWbULhCoR6L1gu4Uae2ksVt8tVW19pQBvjDLP
-ViEqU4/UlQ==
+AwIABzANBgkqhkiG9w0BAQQFAAOBgQBjdhd8lvBTpV0BHFPOKcJ+daxMDaIIc7Rq
+Mf0CBhSZ3FQEpL/IloafMUMyJVf2hfYluze+oXkjyVcGJXFrRU/49AJAFoIir1Tq
+Mij2De6ZuksIUQ9uhiMhTC0liIHELg7xEyw4ipUCJMM6lWPkk45IuwhHcl+u5jpa
+R9Zxxp6aUg==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 3 (0x2)
-        Serial Number: 0 (0x0)
+        Serial Number: 1 (0x1)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Object Publishing Certificate Authority, CN=BelSign Object Publishing CA/Email=webmaster@belsign.be
         Validity
-            Not Before: Sep 19 17:32:08 1997 GMT
-            Not After : Sep 19 17:32:08 1998 GMT
+            Not Before: Sep 19 22:03:00 1997 GMT
+            Not After : Sep 19 22:03:00 2007 GMT
         Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Object Publishing Certificate Authority, CN=BelSign Object Publishing CA/Email=webmaster@belsign.be
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -397,46 +443,46 @@ Certificate Ingredients:
             Netscape Cert Type: 
                 ....
     Signature Algorithm: md5WithRSAEncryption
-        b6:06:eb:32:2b:38:6b:6c:f9:d5:83:de:fd:31:c1:14:5f:a6:
-        a8:21:2b:8c:2f:0b:45:11:d9:6f:da:ef:55:ef:b2:72:5a:ad:
-        8c:57:ab:ea:cd:42:53:b0:25:fb:e8:15:26:21:db:e5:a1:7b:
-        af:e8:db:09:c9:b9:48:77:01:1b:12:8a:d2:9a:da:08:9c:fa:
-        2a:21:dc:7f:ef:af:ad:c5:58:c2:01:3a:de:77:fb:57:bb:f3:
-        6e:56:17:e4:59:b5:0b:84:2a:11:e8:bd:60:bb:85:1a:7b:69:
-        2c:56:df:2d:55:6d:7d:a5:00:6f:8c:32:cf:56:21:2a:53:8f:
-        d4:95
+        63:76:17:7c:96:f0:53:a5:5d:01:1c:53:ce:29:c2:7e:75:ac:
+        4c:0d:a2:08:73:b4:6a:31:fd:02:06:14:99:dc:54:04:a4:bf:
+        c8:96:86:9f:31:43:32:25:57:f6:85:f6:25:bb:37:be:a1:79:
+        23:c9:57:06:25:71:6b:45:4f:f8:f4:02:40:16:82:22:af:54:
+        ea:32:28:f6:0d:ee:99:ba:4b:08:51:0f:6e:86:23:21:4c:2d:
+        25:88:81:c4:2e:0e:f1:13:2c:38:8a:95:02:24:c3:3a:95:63:
+        e4:93:8e:48:bb:08:47:72:5f:ae:e6:3a:5a:47:d6:71:c6:9e:
+        9a:52
 
 BelSign Secure Server CA
 ========================
-MD5 Fingerprint: DB:38:25:7E:C4:CE:FF:62:13:4D:5F:13:F5:A4:E3:B2
+MD5 Fingerprint: 3D:5E:82:C6:D9:AD:D9:8B:93:6B:0C:10:B9:49:0A:B1
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIC8zCCAlygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBszELMAkGA1UEBhMCQkUx
+MIIC8zCCAlygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBszELMAkGA1UEBhMCQkUx
 ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMTQwMgYDVQQL
 EytCZWxTaWduIFNlY3VyZSBTZXJ2ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSEw
 HwYDVQQDExhCZWxTaWduIFNlY3VyZSBTZXJ2ZXIgQ0ExIzAhBgkqhkiG9w0BCQEW
-FHdlYm1hc3RlckBiZWxzaWduLmJlMB4XDTk3MDcxNTExMzYwNVoXDTk4MDcxNTEx
-MzYwNVowgbMxCzAJBgNVBAYTAkJFMREwDwYDVQQHEwhCcnVzc2VsczETMBEGA1UE
+FHdlYm1hc3RlckBiZWxzaWduLmJlMB4XDTk3MDcxNjIyMDA1NFoXDTA3MDcxNjIy
+MDA1NFowgbMxCzAJBgNVBAYTAkJFMREwDwYDVQQHEwhCcnVzc2VsczETMBEGA1UE
 ChMKQmVsU2lnbiBOVjE0MDIGA1UECxMrQmVsU2lnbiBTZWN1cmUgU2VydmVyIENl
 cnRpZmljYXRlIEF1dGhvcml0eTEhMB8GA1UEAxMYQmVsU2lnbiBTZWN1cmUgU2Vy
 dmVyIENBMSMwIQYJKoZIhvcNAQkBFhR3ZWJtYXN0ZXJAYmVsc2lnbi5iZTCBnzAN
 BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1gESeJL4BEJ/yccig/x8R3AwK0kLPjZA
 kCjaIXODU/LE0RZAwFP/rqbGJLMnbaWzPTl3XagG9ubpvGMRTgZlcAqdk/miQIt/
 SoQOjRax1swIZBIM4ChLyKWEkBf7EUYu1qeFGMsYrmOasFgG9ADP+MQJGjUMofnu
-Sv1t3v4mpTsCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEB
-BAUAA4GBAM+owZu2GKE9msjt80gfGaKbmZ88JUE1cvWPUQp6fZZjvn+CTqhyjWa2
-imE626ja7TiHf2rP4QxFvCP6hiSmh79a2yL9hep5h6lrjGN55iydFsx8dcFDR3hR
-cTxl02hNKspC6hTgMiR8RyGnWt+IlJqHNPA/JoOLGXTdfu0bzQJe
+Sv1t3v4mpTsCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgCgMA0GCSqGSIb3DQEB
+BAUAA4GBAGw9mcMF4h3K5S2qaIWLQDEgZhNo5lg6idCNdbLFYth9go/32TKBd/Y1
+W4UpzmeyubwrGXjP84f9RvGVdbIJVwMwwXrNckdxgMp9ncllPEcRIn36BwsoeKGT
+6AVFSOIyMko96FMcELfHc4wHUOH5yStTQfWDjeUJOUqOA2KqQGOL
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 3 (0x2)
-        Serial Number: 0 (0x0)
+        Serial Number: 1 (0x1)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Secure Server Certificate Authority, CN=BelSign Secure Server CA/Email=webmaster@belsign.be
         Validity
-            Not Before: Jul 15 11:36:05 1997 GMT
-            Not After : Jul 15 11:36:05 1998 GMT
+            Not Before: Jul 16 22:00:54 1997 GMT
+            Not After : Jul 16 22:00:54 2007 GMT
         Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Secure Server Certificate Authority, CN=BelSign Secure Server CA/Email=webmaster@belsign.be
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -456,160 +502,905 @@ Certificate Ingredients:
             Netscape Cert Type: 
                 ....
     Signature Algorithm: md5WithRSAEncryption
-        cf:a8:c1:9b:b6:18:a1:3d:9a:c8:ed:f3:48:1f:19:a2:9b:99:
-        9f:3c:25:41:35:72:f5:8f:51:0a:7a:7d:96:63:be:7f:82:4e:
-        a8:72:8d:66:b6:8a:61:3a:db:a8:da:ed:38:87:7f:6a:cf:e1:
-        0c:45:bc:23:fa:86:24:a6:87:bf:5a:db:22:fd:85:ea:79:87:
-        a9:6b:8c:63:79:e6:2c:9d:16:cc:7c:75:c1:43:47:78:51:71:
-        3c:65:d3:68:4d:2a:ca:42:ea:14:e0:32:24:7c:47:21:a7:5a:
-        df:88:94:9a:87:34:f0:3f:26:83:8b:19:74:dd:7e:ed:1b:cd:
-        02:5e
+        6c:3d:99:c3:05:e2:1d:ca:e5:2d:aa:68:85:8b:40:31:20:66:
+        13:68:e6:58:3a:89:d0:8d:75:b2:c5:62:d8:7d:82:8f:f7:d9:
+        32:81:77:f6:35:5b:85:29:ce:67:b2:b9:bc:2b:19:78:cf:f3:
+        87:fd:46:f1:95:75:b2:09:57:03:30:c1:7a:cd:72:47:71:80:
+        ca:7d:9d:c9:65:3c:47:11:22:7d:fa:07:0b:28:78:a1:93:e8:
+        05:45:48:e2:32:32:4a:3d:e8:53:1c:10:b7:c7:73:8c:07:50:
+        e1:f9:c9:2b:53:41:f5:83:8d:e5:09:39:4a:8e:03:62:aa:40:
+        63:8b
 
-Canada Post Corporation CA
-==========================
-MD5 Fingerprint: 44:A2:FF:F8:64:8D:81:80:A0:39:83:5B:84:1A:F3:75
+Deutsche Telekom AG Root CA
+===========================
+MD5 Fingerprint: 77:DE:04:94:77:D0:0C:5F:A7:B1:F4:30:18:87:FB:55
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICoDCCAgmgAwIBAgIEManqojANBgkqhkiG9w0BAQQFADAyMQswCQYDVQQGEwJD
-QTEjMCEGA1UEChMaQ2FuYWRhIFBvc3QgQ29ycG9yYXRpb24gQ0EwHhcNOTYwNTI3
-MTg0NzEzWhcNMTYwNTI3MTg0NzEzWjAyMQswCQYDVQQGEwJDQTEjMCEGA1UEChMa
-Q2FuYWRhIFBvc3QgQ29ycG9yYXRpb24gQ0EwgZ0wDQYJKoZIhvcNAQEBBQADgYsA
-MIGHAoGBANaOhvxpCFOOAL6o+31+Ocpua+x9vObeuc+RiplHOsBFW3BLdqJti5TU
-NL6IjaJ5NJyQxmWd7A/SyaaO4DRFYYioS0pbXaXzHhC1j4rEC9OU/HCDjE5rHnjR
-f5M++fWRSfywcEa3xsK2OlDrZyCLtw44MnetfR6rOkCgIJi0RASHAgEDo4HEMIHB
-ME4GA1UdGQRHMEUwQzBBMQswCQYDVQQGEwJDQTEjMCEGA1UEChMaQ2FuYWRhIFBv
-c3QgQ29ycG9yYXRpb24gQ0ExDTALBgNVBAMTBENSTDEwFAYDVR0BBA0wC4AJODMz
-MjE5MjM0MCsGA1UdAgQkMCIECTgzMzIxOTIzNAMCAgQwEYEPMjAxNjA1MjcxODQ3
-MTNaMA0GA1UdCgQGMAQDAgeAMB0GCSqGSIb2fQdBAAQQMA4bCHYyLjFhLkIxAwIH
-gDANBgkqhkiG9w0BAQQFAAOBgQC1NHsoRqGKQ3x6osylZo2A5XftvpVAHj/y1QTz
-55M2foIxTWrDN599E74usALfIxrXYBJfWSlmtRRXl0qpAkTs+NH0eboEq52Z1Vy6
-zXFzNrgR/tQIc958XwgwEpUkftfYL22kaA3aKw4Uc70ZZhWe5LeVhQSmavPhoI9f
-hozpMQ==
+MIICjjCCAfegAwIBAgIBBjANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJERTEc
+MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEdMBsGA1UECxMUVGVsZVNlYyBU
+cnVzdCBDZW50ZXIxITAfBgNVBAMTGERldXRzY2hlIFRlbGVrb20gUm9vdCBDQTAe
+Fw05ODEyMDkwOTExMDBaFw0wNDEyMDkyMzU5MDBaMG0xCzAJBgNVBAYTAkRFMRww
+GgYDVQQKExNEZXV0c2NoZSBUZWxla29tIEFHMR0wGwYDVQQLExRUZWxlU2VjIFRy
+dXN0IENlbnRlcjEhMB8GA1UEAxMYRGV1dHNjaGUgVGVsZWtvbSBSb290IENBMIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdBSz5BbO5EtdpcffqVjAIVxRDe7sa
+nG0vV2HX4vVEa+42QZb2ZM7hwbK5pBQEmFDocPiONZp9ScFhHVmu2gYYlX2tzuyp
+vtEYD0CRdiqj5f3+iRX0V/fgVdp1rQD0LME1zLRDJlViRC4BJZyKW/DB0AA1eP41
+3pRAZHiDocw5iQIDAQABoz4wPDAPBgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQE
+AwIBBjAZBgNVHQ4EEgQQLIdZH4sTgLL5hp0+En5YljANBgkqhkiG9w0BAQQFAAOB
+gQAP/nO1B4hvoAuJ6spQH5TelCsLJ15P9RyVJtqMllStGZE3Q12ryYuzzW+YOT3t
+3TXjcbftE5OD6IblKTMTE7w1e/0oL3BZ1dO0jSgTWTvI1XT5RcIHYKq4GFT5pWj/
+1wXVj7YFMS5BSvQQH2BHGguLGU2SVyDS71AZ6M3QcLy8Ng==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 3 (0x2)
-        Serial Number: 833219234 (0x31a9eaa2)
+        Serial Number: 6 (0x6)
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=CA, O=Canada Post Corporation CA
+        Issuer: C=DE, O=Deutsche Telekom AG, OU=TeleSec Trust Center, CN=Deutsche Telekom Root CA
         Validity
-            Not Before: May 27 18:47:13 1996 GMT
-            Not After : May 27 18:47:13 2016 GMT
-        Subject: C=CA, O=Canada Post Corporation CA
+            Not Before: Dec  9 09:11:00 1998 GMT
+            Not After : Dec  9 23:59:00 2004 GMT
+        Subject: C=DE, O=Deutsche Telekom AG, OU=TeleSec Trust Center, CN=Deutsche Telekom Root CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:d6:8e:86:fc:69:08:53:8e:00:be:a8:fb:7d:7e:
-                    39:ca:6e:6b:ec:7d:bc:e6:de:b9:cf:91:8a:99:47:
-                    3a:c0:45:5b:70:4b:76:a2:6d:8b:94:d4:34:be:88:
-                    8d:a2:79:34:9c:90:c6:65:9d:ec:0f:d2:c9:a6:8e:
-                    e0:34:45:61:88:a8:4b:4a:5b:5d:a5:f3:1e:10:b5:
-                    8f:8a:c4:0b:d3:94:fc:70:83:8c:4e:6b:1e:78:d1:
-                    7f:93:3e:f9:f5:91:49:fc:b0:70:46:b7:c6:c2:b6:
-                    3a:50:eb:67:20:8b:b7:0e:38:32:77:ad:7d:1e:ab:
-                    3a:40:a0:20:98:b4:44:04:87
+                    00:dd:05:2c:f9:05:b3:b9:12:d7:69:71:f7:ea:56:
+                    30:08:57:14:43:7b:bb:1a:9c:6d:2f:57:61:d7:e2:
+                    f5:44:6b:ee:36:41:96:f6:64:ce:e1:c1:b2:b9:a4:
+                    14:04:98:50:e8:70:f8:8e:35:9a:7d:49:c1:61:1d:
+                    59:ae:da:06:18:95:7d:ad:ce:ec:a9:be:d1:18:0f:
+                    40:91:76:2a:a3:e5:fd:fe:89:15:f4:57:f7:e0:55:
+                    da:75:ad:00:f4:2c:c1:35:cc:b4:43:26:55:62:44:
+                    2e:01:25:9c:8a:5b:f0:c1:d0:00:35:78:fe:35:de:
+                    94:40:64:78:83:a1:cc:39:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                0.......
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Key Identifier: 
+                ..,.Y........>.~X.
+    Signature Algorithm: md5WithRSAEncryption
+        0f:fe:73:b5:07:88:6f:a0:0b:89:ea:ca:50:1f:94:de:94:2b:
+        0b:27:5e:4f:f5:1c:95:26:da:8c:96:54:ad:19:91:37:43:5d:
+        ab:c9:8b:b3:cd:6f:98:39:3d:ed:dd:35:e3:71:b7:ed:13:93:
+        83:e8:86:e5:29:33:13:13:bc:35:7b:fd:28:2f:70:59:d5:d3:
+        b4:8d:28:13:59:3b:c8:d5:74:f9:45:c2:07:60:aa:b8:18:54:
+        f9:a5:68:ff:d7:05:d5:8f:b6:05:31:2e:41:4a:f4:10:1f:60:
+        47:1a:0b:8b:19:4d:92:57:20:d2:ef:50:19:e8:cd:d0:70:bc:
+        bc:36
+
+Digital Signature Trust Co. Global CA 1
+=======================================
+MD5 Fingerprint: 25:7A:BA:83:2E:B6:A2:0B:DA:FE:F5:02:0F:08:D7:AD
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDKTCCApKgAwIBAgIENnAVljANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
+UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
+EwhEU1RDQSBFMTAeFw05ODEyMTAxODEwMjNaFw0xODEyMTAxODQwMjNaMEYxCzAJ
+BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
+ETAPBgNVBAsTCERTVENBIEUxMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCg
+bIGpzzQeJN3+hijM3oMv+V7UQtLodGBmE5gGHKlREmlvMVW5SXIACH7TpWJENySZ
+j9mDSI+ZbZUTu0M7LklOiDfBu1h//uG9+LthzfNHwJmm8fOR6Hh8AMthyUQncWlV
+Sn5JTe2io74CTADKAqjuAQIxZA9SLRN0dja1erQtcQIBA6OCASQwggEgMBEGCWCG
+SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
+JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
+RFNUQ0EgRTExDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMTAxODEw
+MjNagQ8yMDE4MTIxMDE4MTAyM1owCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFGp5
+fpFpRhgTCgJ3pVlbYJglDqL4MB0GA1UdDgQWBBRqeX6RaUYYEwoCd6VZW2CYJQ6i
++DAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
+SIb3DQEBBQUAA4GBACIS2Hod3IEGtgllsofIH160L+nEHvI8wbsEkBFKg05+k7lN
+QseSJqBcNJo4cvj9axY+IO6CizEqkzaFI4iKPANo08kJD038bKTaKHKTDomAsH3+
+gG9lbRgzl4vCa4nuYD3Im+9/KzJic5PLPON74nZ4RbyhkwS7hp86W0N6w4pl
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 913315222 (0x36701596)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E1
+        Validity
+            Not Before: Dec 10 18:10:23 1998 GMT
+            Not After : Dec 10 18:40:23 2018 GMT
+        Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a0:6c:81:a9:cf:34:1e:24:dd:fe:86:28:cc:de:
+                    83:2f:f9:5e:d4:42:d2:e8:74:60:66:13:98:06:1c:
+                    a9:51:12:69:6f:31:55:b9:49:72:00:08:7e:d3:a5:
+                    62:44:37:24:99:8f:d9:83:48:8f:99:6d:95:13:bb:
+                    43:3b:2e:49:4e:88:37:c1:bb:58:7f:fe:e1:bd:f8:
+                    bb:61:cd:f3:47:c0:99:a6:f1:f3:91:e8:78:7c:00:
+                    cb:61:c9:44:27:71:69:55:4a:7e:49:4d:ed:a2:a3:
+                    be:02:4c:00:ca:02:a8:ee:01:02:31:64:0f:52:2d:
+                    13:74:76:36:b5:7a:b4:2d:71
                 Exponent: 3 (0x3)
         X509v3 extensions:
-            2.5.29.25: 
-                0E0C0A1.0...U....CA1#0!..U.
-..Canada Post Corporation CA1
0...U....CRL1
-            2.5.29.1: 
-                0...833219234
-            2.5.29.2: 
-                0"..833219234....0...20160527184713Z
-            2.5.29.10: 
-                0.....
+            Netscape Cert Type: 
+                ....
+            X509v3 CRL Distribution Points: 
+                0_0].[.Y.W0U1.0...U....US1$0"..U.
+..Digital Signature Trust Co.1.0...U....DSTCA E11
0...U....CRL1
+            X509v3 Private Key Usage Period: 
+                0"..19981210181023Z..20181210181023Z
+            X509v3 Key Usage: 
+                ....
+            X509v3 Authority Key Identifier: 
+                0...jy~.iF..
+.w.Y[`.%...
+            X509v3 Subject Key Identifier: 
+                ..jy~.iF..
+.w.Y[`.%...
+            X509v3 Basic Constraints: 
+                0....
+            1.2.840.113533.7.65.0: 
+                0
+..V4.0....
+    Signature Algorithm: sha1WithRSAEncryption
+        22:12:d8:7a:1d:dc:81:06:b6:09:65:b2:87:c8:1f:5e:b4:2f:
+        e9:c4:1e:f2:3c:c1:bb:04:90:11:4a:83:4e:7e:93:b9:4d:42:
+        c7:92:26:a0:5c:34:9a:38:72:f8:fd:6b:16:3e:20:ee:82:8b:
+        31:2a:93:36:85:23:88:8a:3c:03:68:d3:c9:09:0f:4d:fc:6c:
+        a4:da:28:72:93:0e:89:80:b0:7d:fe:80:6f:65:6d:18:33:97:
+        8b:c2:6b:89:ee:60:3d:c8:9b:ef:7f:2b:32:62:73:93:cb:3c:
+        e3:7b:e2:76:78:45:bc:a1:93:04:bb:86:9f:3a:5b:43:7a:c3:
+        8a:65
+
+Digital Signature Trust Co. Global CA 2
+=======================================
+MD5 Fingerprint: 6C:C9:A7:6E:47:F1:0C:E3:53:3B:78:4C:4D:C2:6A:C5
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsACEQDQHkCLAAACfAAAAAIAAAABMA0GCSqGSIb3DQEBBQUAMIGpMQsw
+CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp
+dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UE
+CxMIRFNUQ0EgWDExFjAUBgNVBAMTDURTVCBSb290Q0EgWDExITAfBgkqhkiG9w0B
+CQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAeFw05ODEyMDExODE4NTVaFw0wODExMjgx
+ODE4NTVaMIGpMQswCQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMO
+U2FsdCBMYWtlIENpdHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0
+IENvLjERMA8GA1UECxMIRFNUQ0EgWDExFjAUBgNVBAMTDURTVCBSb290Q0EgWDEx
+ITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBANLGJrbnpT3BxGjVUG9TxW9JEwm4ryxIjRRqoxdf
+WvnTLnUv2Chi0ZMv/E3Uq4flCMeZ55I/db3rJbQVwZsZPdJEjdd0IG03Ao9pk1uK
+xBmd9LIO/BZsubEFkoPRhSxglD5FVaDZqwgh5mDoO3TymVBRaNADLbGAvqPYUrBE
+zUNKcI5YhZXhTizWLUFv1oTnyJhEykfbLCSlaSbPa7gnYsP0yXqSI+0TZ4KuRS5F
+5X5yP4WdlGIQ5jyRoa13AOAV7POEgHJ6jm5gl8ckWRA0g1vhpaRptlc1HHhZxtMv
+OnNn7pTKBBMFYgZwI7P0fO5F2WQLW0mqpEPOJsREEmy43XkCAwEAATANBgkqhkiG
+9w0BAQUFAAOCAQEAojeyP2n714Z5VEkxlTMr89EJFEliYIalsBHiUMIdBlc+Legz
+ZL6bqq1fG03UmZWii5rJYnK1aerZWKs17RWiQ9a2vAd5ZWRzfdd5ynvVWlHG4VME
+lo04z6MXrDlxawHDi1M8Y+nuecDkvpIyZHqzH5eUYr3qsiAVlfuX8ngvYzZAOONG
+Dx3drJXK50uQe7FLqdTF65raqtWjlBRGjS0f8zrWkzr2Pnn86Oawde3uPclwx12q
+gUtGJRzHbBXjlU4PqjI3lAoXJJIThFjSY28r9+ZbYgsTF7ANUkz+/m9c4pFuHf2k
+Ytdo+o56T9II2pPc8JIRetDccpMMc5NihWjQ9A==
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            d0:1e:40:8b:00:00:02:7c:00:00:00:02:00:00:00:01
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X1, CN=DST RootCA X1/Email=ca@digsigtrust.com
+        Validity
+            Not Before: Dec  1 18:18:55 1998 GMT
+            Not After : Nov 28 18:18:55 2008 GMT
+        Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X1, CN=DST RootCA X1/Email=ca@digsigtrust.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:d2:c6:26:b6:e7:a5:3d:c1:c4:68:d5:50:6f:53:
+                    c5:6f:49:13:09:b8:af:2c:48:8d:14:6a:a3:17:5f:
+                    5a:f9:d3:2e:75:2f:d8:28:62:d1:93:2f:fc:4d:d4:
+                    ab:87:e5:08:c7:99:e7:92:3f:75:bd:eb:25:b4:15:
+                    c1:9b:19:3d:d2:44:8d:d7:74:20:6d:37:02:8f:69:
+                    93:5b:8a:c4:19:9d:f4:b2:0e:fc:16:6c:b9:b1:05:
+                    92:83:d1:85:2c:60:94:3e:45:55:a0:d9:ab:08:21:
+                    e6:60:e8:3b:74:f2:99:50:51:68:d0:03:2d:b1:80:
+                    be:a3:d8:52:b0:44:cd:43:4a:70:8e:58:85:95:e1:
+                    4e:2c:d6:2d:41:6f:d6:84:e7:c8:98:44:ca:47:db:
+                    2c:24:a5:69:26:cf:6b:b8:27:62:c3:f4:c9:7a:92:
+                    23:ed:13:67:82:ae:45:2e:45:e5:7e:72:3f:85:9d:
+                    94:62:10:e6:3c:91:a1:ad:77:00:e0:15:ec:f3:84:
+                    80:72:7a:8e:6e:60:97:c7:24:59:10:34:83:5b:e1:
+                    a5:a4:69:b6:57:35:1c:78:59:c6:d3:2f:3a:73:67:
+                    ee:94:ca:04:13:05:62:06:70:23:b3:f4:7c:ee:45:
+                    d9:64:0b:5b:49:aa:a4:43:ce:26:c4:44:12:6c:b8:
+                    dd:79
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+        a2:37:b2:3f:69:fb:d7:86:79:54:49:31:95:33:2b:f3:d1:09:
+        14:49:62:60:86:a5:b0:11:e2:50:c2:1d:06:57:3e:2d:e8:33:
+        64:be:9b:aa:ad:5f:1b:4d:d4:99:95:a2:8b:9a:c9:62:72:b5:
+        69:ea:d9:58:ab:35:ed:15:a2:43:d6:b6:bc:07:79:65:64:73:
+        7d:d7:79:ca:7b:d5:5a:51:c6:e1:53:04:96:8d:38:cf:a3:17:
+        ac:39:71:6b:01:c3:8b:53:3c:63:e9:ee:79:c0:e4:be:92:32:
+        64:7a:b3:1f:97:94:62:bd:ea:b2:20:15:95:fb:97:f2:78:2f:
+        63:36:40:38:e3:46:0f:1d:dd:ac:95:ca:e7:4b:90:7b:b1:4b:
+        a9:d4:c5:eb:9a:da:aa:d5:a3:94:14:46:8d:2d:1f:f3:3a:d6:
+        93:3a:f6:3e:79:fc:e8:e6:b0:75:ed:ee:3d:c9:70:c7:5d:aa:
+        81:4b:46:25:1c:c7:6c:15:e3:95:4e:0f:aa:32:37:94:0a:17:
+        24:92:13:84:58:d2:63:6f:2b:f7:e6:5b:62:0b:13:17:b0:0d:
+        52:4c:fe:fe:6f:5c:e2:91:6e:1d:fd:a4:62:d7:68:fa:8e:7a:
+        4f:d2:08:da:93:dc:f0:92:11:7a:d0:dc:72:93:0c:73:93:62:
+        85:68:d0:f4
+
+Entrust Worldwide by DST
+========================
+MD5 Fingerprint: B4:65:22:0A:7C:AD:DF:41:B7:D5:44:D5:AD:FA:9A:75
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDRzCCArCgAwIBAgIENm3FGDANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJV
+UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRswGQYDVQQL
+ExJEU1QtRW50cnVzdCBHVEkgQ0EwHhcNOTgxMjA5MDAwMjI0WhcNMTgxMjA5MDAz
+MjI0WjBQMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUg
+VHJ1c3QgQ28uMRswGQYDVQQLExJEU1QtRW50cnVzdCBHVEkgQ0EwgZ0wDQYJKoZI
+hvcNAQEBBQADgYsAMIGHAoGBALYd90uNDxPjEvUJ/gYyDq9MQfV91Ec9KgrfgwXe
+3n3mAxb2UTrLRxpKrX7E/R20vnSKeN0Lg460hBPE+/htKa6h4Q8PQ+O1XmBp+oOU
+/Hnm3Hbt0UQrjv0Su/4XdxcMie2n71F9xO04wzujevviTaBgtfL9E2XTxuw/vjWc
+PSLvAgEDo4IBLjCCASowEQYJYIZIAYb4QgEBBAQDAgAHMHIGA1UdHwRrMGkwZ6Bl
+oGOkYTBfMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUg
+VHJ1c3QgQ28uMRswGQYDVQQLExJEU1QtRW50cnVzdCBHVEkgQ0ExDTALBgNVBAMT
+BENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkwMDAyMjRagQ8yMDE4MTIwOTAwMDIy
+NFowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFJOaRMrQeFOAKUkE38evMz+ZdV+u
+MB0GA1UdDgQWBBSTmkTK0HhTgClJBN/HrzM/mXVfrjAMBgNVHRMEBTADAQH/MBkG
+CSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4GBAGSJzAOn
+3AryWCDn/RegKHLNh7DNmLUkR2MzMRAQsu+KV3KuTAPgZ5+sYEOEIsGpo+Wxp94J
+1M8NeEYjW49Je/4TIpeU6nJI4SwgeJbpZkUZywllY2E/0UmYsXYQVdVjSmZLpAdr
+3nt/ueaTWxoCW4AO3Y0Y1Iqjwmjxo+AY0U5M
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 913163544 (0x366dc518)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA
+        Validity
+            Not Before: Dec  9 00:02:24 1998 GMT
+            Not After : Dec  9 00:32:24 2018 GMT
+        Subject: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:b6:1d:f7:4b:8d:0f:13:e3:12:f5:09:fe:06:32:
+                    0e:af:4c:41:f5:7d:d4:47:3d:2a:0a:df:83:05:de:
+                    de:7d:e6:03:16:f6:51:3a:cb:47:1a:4a:ad:7e:c4:
+                    fd:1d:b4:be:74:8a:78:dd:0b:83:8e:b4:84:13:c4:
+                    fb:f8:6d:29:ae:a1:e1:0f:0f:43:e3:b5:5e:60:69:
+                    fa:83:94:fc:79:e6:dc:76:ed:d1:44:2b:8e:fd:12:
+                    bb:fe:17:77:17:0c:89:ed:a7:ef:51:7d:c4:ed:38:
+                    c3:3b:a3:7a:fb:e2:4d:a0:60:b5:f2:fd:13:65:d3:
+                    c6:ec:3f:be:35:9c:3d:22:ef
+                Exponent: 3 (0x3)
+        X509v3 extensions:
+            Netscape Cert Type: 
+                ....
+            X509v3 CRL Distribution Points: 
+                0i0g.e.c.a0_1.0...U....US1$0"..U.
+..Digital Signature Trust Co.1.0...U....DST-Entrust GTI CA1
0...U....CRL1
+            X509v3 Private Key Usage Period: 
+                0"..19981209000224Z..20181209000224Z
+            X509v3 Key Usage: 
+                ....
+            X509v3 Authority Key Identifier: 
+                0.....D..xS.)I....3?.u_.
+            X509v3 Subject Key Identifier: 
+                ....D..xS.)I....3?.u_.
+            X509v3 Basic Constraints: 
+                0....
+            1.2.840.113533.7.65.0: 
+                0
+..V4.0....
+    Signature Algorithm: sha1WithRSAEncryption
+        64:89:cc:03:a7:dc:0a:f2:58:20:e7:fd:17:a0:28:72:cd:87:
+        b0:cd:98:b5:24:47:63:33:31:10:10:b2:ef:8a:57:72:ae:4c:
+        03:e0:67:9f:ac:60:43:84:22:c1:a9:a3:e5:b1:a7:de:09:d4:
+        cf:0d:78:46:23:5b:8f:49:7b:fe:13:22:97:94:ea:72:48:e1:
+        2c:20:78:96:e9:66:45:19:cb:09:65:63:61:3f:d1:49:98:b1:
+        76:10:55:d5:63:4a:66:4b:a4:07:6b:de:7b:7f:b9:e6:93:5b:
+        1a:02:5b:80:0e:dd:8d:18:d4:8a:a3:c2:68:f1:a3:e0:18:d1:
+        4e:4c
+
+Equifax Premium CA
+==================
+MD5 Fingerprint: A9:E9:A8:9D:0E:73:E3:B1:2F:37:0D:E8:48:3F:86:ED
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDIzCCAoygAwIBAgIENeHvHjANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJV
+UzEQMA4GA1UEChMHRXF1aWZheDEuMCwGA1UECxMlRXF1aWZheCBQcmVtaXVtIENl
+cnRpZmljYXRlIEF1dGhvcml0eTAeFw05ODA4MjQyMjU0MjNaFw0xODA4MjQyMjU0
+MjNaME8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS4wLAYDVQQLEyVF
+cXVpZmF4IFByZW1pdW0gQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQDOoQaOBswIC8GGqN4g1Q0O0Q3En+pq2bPCMkdAb4qI
+pAm9OCwd5svmpPM269rrvPxkswf2Lbyqzp8ZSGhK/PWiRX4JEPWPs0lcIwY56hOL
+uAvNkR12X9k3oUT7X5DyZ7PNGJlDH3YSawLylYM4Q8L2YjTKyXhdX9LYupr/vhBg
+WwIDAQABo4IBCjCCAQYwcQYDVR0fBGowaDBmoGSgYqRgMF4xCzAJBgNVBAYTAlVT
+MRAwDgYDVQQKEwdFcXVpZmF4MS4wLAYDVQQLEyVFcXVpZmF4IFByZW1pdW0gQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIw
+MTgwODI0MjI1NDIzWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUFe6yKFmrbuX4
+z4uB9CThrj91G5gwHQYDVR0OBBYEFBXusihZq27l+M+LgfQk4a4/dRuYMAwGA1Ud
+EwQFMAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEB
+BQUAA4GBAL0LnCepA9so3JipS9DRjqeoGlqR4Jzx9xh8LiKeNh/JqLXNRkpu+jUH
+G4YI65/iqPmdQS06rlxctl80BOv8KmCw+3TkhellOJbuFcfGd2MSvYpoH6tsfdrK
+XBPO6snrCVzFc+cSAdXZUwee4A+W8Iu0u0VIn4bFGVWgy5bFA/xI
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 903999262 (0x35e1ef1e)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Equifax, OU=Equifax Premium Certificate Authority
+        Validity
+            Not Before: Aug 24 22:54:23 1998 GMT
+            Not After : Aug 24 22:54:23 2018 GMT
+        Subject: C=US, O=Equifax, OU=Equifax Premium Certificate Authority
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:ce:a1:06:8e:06:cc:08:0b:c1:86:a8:de:20:d5:
+                    0d:0e:d1:0d:c4:9f:ea:6a:d9:b3:c2:32:47:40:6f:
+                    8a:88:a4:09:bd:38:2c:1d:e6:cb:e6:a4:f3:36:eb:
+                    da:eb:bc:fc:64:b3:07:f6:2d:bc:aa:ce:9f:19:48:
+                    68:4a:fc:f5:a2:45:7e:09:10:f5:8f:b3:49:5c:23:
+                    06:39:ea:13:8b:b8:0b:cd:91:1d:76:5f:d9:37:a1:
+                    44:fb:5f:90:f2:67:b3:cd:18:99:43:1f:76:12:6b:
+                    02:f2:95:83:38:43:c2:f6:62:34:ca:c9:78:5d:5f:
+                    d2:d8:ba:9a:ff:be:10:60:5b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+                0h0f.d.b.`0^1.0...U....US1.0...U.
+..Equifax1.0,..U...%Equifax Premium Certificate Authority1
0...U....CRL1
+            X509v3 Private Key Usage Period: 
+                0...20180824225423Z
+            X509v3 Key Usage: 
+                ....
+            X509v3 Authority Key Identifier: 
+                0......(Y.n......$..?u..
+            X509v3 Subject Key Identifier: 
+                .....(Y.n......$..?u..
+            X509v3 Basic Constraints: 
+                0....
             1.2.840.113533.7.65.0: 
-                0...v2.1a.B1....
+                0...V3.0c....
+    Signature Algorithm: sha1WithRSAEncryption
+        bd:0b:9c:27:a9:03:db:28:dc:98:a9:4b:d0:d1:8e:a7:a8:1a:
+        5a:91:e0:9c:f1:f7:18:7c:2e:22:9e:36:1f:c9:a8:b5:cd:46:
+        4a:6e:fa:35:07:1b:86:08:eb:9f:e2:a8:f9:9d:41:2d:3a:ae:
+        5c:5c:b6:5f:34:04:eb:fc:2a:60:b0:fb:74:e4:85:e9:65:38:
+        96:ee:15:c7:c6:77:63:12:bd:8a:68:1f:ab:6c:7d:da:ca:5c:
+        13:ce:ea:c9:eb:09:5c:c5:73:e7:12:01:d5:d9:53:07:9e:e0:
+        0f:96:f0:8b:b4:bb:45:48:9f:86:c5:19:55:a0:cb:96:c5:03:
+        fc:48
+
+Equifax Secure CA
+=================
+MD5 Fingerprint: 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
+UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
+MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
+dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
+BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
+cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
+AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
+aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
+ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
+IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
+MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
+A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
+7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
+1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 903804111 (0x35def4cf)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
+        Validity
+            Not Before: Aug 22 16:41:51 1998 GMT
+            Not After : Aug 22 16:41:51 2018 GMT
+        Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:c1:5d:b1:58:67:08:62:ee:a0:9a:2d:1f:08:6d:
+                    91:14:68:98:0a:1e:fe:da:04:6f:13:84:62:21:c3:
+                    d1:7c:ce:9f:05:e0:b8:01:f0:4e:34:ec:e2:8a:95:
+                    04:64:ac:f1:6b:53:5f:05:b3:cb:67:80:bf:42:02:
+                    8e:fe:dd:01:09:ec:e1:00:14:4f:fc:fb:f0:0c:dd:
+                    43:ba:5b:2b:e1:1f:80:70:99:15:57:93:16:f1:0f:
+                    97:6a:b7:c2:68:23:1c:cc:4d:59:30:ac:51:1e:3b:
+                    af:2b:d6:ee:63:45:7b:c5:d9:5f:50:d2:e3:50:0f:
+                    3a:88:e7:bf:14:fd:e0:c7:b9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 CRL Distribution Points: 
+                0g0e.c.a._0]1.0...U....US1.0...U.
+..Equifax1-0+..U...$Equifax Secure Certificate Authority1
0...U....CRL1
+            X509v3 Private Key Usage Period: 
+                0...20180822164151Z
+            X509v3 Key Usage: 
+                ....
+            X509v3 Authority Key Identifier: 
+                0...H.h.+....G.# .O3....
+            X509v3 Subject Key Identifier: 
+                ..H.h.+....G.# .O3....
+            X509v3 Basic Constraints: 
+                0....
+            1.2.840.113533.7.65.0: 
+                0...V3.0c....
+    Signature Algorithm: sha1WithRSAEncryption
+        58:ce:29:ea:fc:f7:de:b5:ce:02:b9:17:b5:85:d1:b9:e3:e0:
+        95:cc:25:31:0d:00:a6:92:6e:7f:b6:92:63:9e:50:95:d1:9a:
+        6f:e4:11:de:63:85:6e:98:ee:a8:ff:5a:c8:d3:55:b2:66:71:
+        57:de:c0:21:eb:3d:2a:a7:23:49:01:04:86:42:7b:fc:ee:7f:
+        a2:16:52:b5:67:67:d3:40:db:3b:26:58:b2:28:77:3d:ae:14:
+        77:61:d6:fa:2a:66:27:a0:0d:fa:a7:73:5c:ea:70:f1:94:21:
+        65:44:5f:fa:fc:ef:29:68:a9:a2:87:79:ef:79:ef:4f:ac:07:
+        77:38
+
+GTE CyberTrust Global Root
+==========================
+MD5 Fingerprint: CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
+VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
+bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
+b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
+UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
+cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
+b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
+iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
+r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
+04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
+GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
+3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
+lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 421 (0x1a5)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
+        Validity
+            Not Before: Aug 13 00:29:00 1998 GMT
+            Not After : Aug 13 23:59:00 2018 GMT
+        Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:95:0f:a0:b6:f0:50:9c:e8:7a:c7:88:cd:dd:17:
+                    0e:2e:b0:94:d0:1b:3d:0e:f6:94:c0:8a:94:c7:06:
+                    c8:90:97:c8:b8:64:1a:7a:7e:6c:3c:53:e1:37:28:
+                    73:60:7f:b2:97:53:07:9f:53:f9:6d:58:94:d2:af:
+                    8d:6d:88:67:80:e6:ed:b2:95:cf:72:31:ca:a5:1c:
+                    72:ba:5c:02:e7:64:42:e7:f9:a9:2c:d6:3a:0d:ac:
+                    8d:42:aa:24:01:39:e6:9c:3f:01:85:57:0d:58:87:
+                    45:f8:d3:85:aa:93:69:26:85:70:48:80:3f:12:15:
+                    c7:79:b4:1f:05:2f:3b:62:99
+                Exponent: 65537 (0x10001)
     Signature Algorithm: md5WithRSAEncryption
-        b5:34:7b:28:46:a1:8a:43:7c:7a:a2:cc:a5:66:8d:80:e5:77:
-        ed:be:95:40:1e:3f:f2:d5:04:f3:e7:93:36:7e:82:31:4d:6a:
-        c3:37:9f:7d:13:be:2e:b0:02:df:23:1a:d7:60:12:5f:59:29:
-        66:b5:14:57:97:4a:a9:02:44:ec:f8:d1:f4:79:ba:04:ab:9d:
-        99:d5:5c:ba:cd:71:73:36:b8:11:fe:d4:08:73:de:7c:5f:08:
-        30:12:95:24:7e:d7:d8:2f:6d:a4:68:0d:da:2b:0e:14:73:bd:
-        19:66:15:9e:e4:b7:95:85:04:a6:6a:f3:e1:a0:8f:5f:86:8c:
-        e9:31
+        6d:eb:1b:09:e9:5e:d9:51:db:67:22:61:a4:2a:3c:48:77:e3:
+        a0:7c:a6:de:73:a2:14:03:85:3d:fb:ab:0e:30:c5:83:16:33:
+        81:13:08:9e:7b:34:4e:df:40:c8:74:d7:b9:7d:dc:f4:76:55:
+        7d:9b:63:54:18:e9:f0:ea:f3:5c:b1:d9:8b:42:1e:b9:c0:95:
+        4e:ba:fa:d5:e2:7c:f5:68:61:bf:8e:ec:05:97:5f:5b:b0:d7:
+        a3:85:34:c4:24:a7:0d:0f:95:93:ef:cb:94:d8:9e:1f:9d:5c:
+        85:6d:c7:aa:ae:4f:1f:22:b5:cd:95:ad:ba:a7:cc:f9:ab:0b:
+        7a:7f
 
-CertiSign BR
-============
-MD5 Fingerprint: 82:DC:BF:51:6E:E3:9E:F3:96:7C:60:6D:A6:6C:FC:C8
+GTE CyberTrust Japan Root CA
+============================
+MD5 Fingerprint: DE:AB:FF:43:2A:65:37:06:9B:28:B5:7A:E8:84:D3:8E
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICLzCCAZgCAQEwDQYJKoZIhvcNAQEEBQAwYDELMAkGA1UEBhMCQlIxLTArBgNV
-BAoTJENlcnRpU2lnbiBDZXJ0aWZpY2Fkb3JhIERpZ2l0YWwgTHRkYTEiMCAGA1UE
-CxMZQlIgQ2VydGlmaWNhdGlvbiBTZXJ2aWNlczAeFw05NzAxMDEwMDAwMDBaFw05
-OTEyMzEyMzU5NTlaMGAxCzAJBgNVBAYTAkJSMS0wKwYDVQQKEyRDZXJ0aVNpZ24g
-Q2VydGlmaWNhZG9yYSBEaWdpdGFsIEx0ZGExIjAgBgNVBAsTGUJSIENlcnRpZmlj
-YXRpb24gU2VydmljZXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMlhcXN2
-E0NRY6pFj6jgv0yOQL4i8bXx1aPsYCqF8yJVABOdacvOxjsj8GOvVMNkxfxIeyt2
-8uT9Buhk9G0U9BkzR5ZK5Az+IiSqE7bUc/us/nfoFNo8ViXR5oTsjAIkfMIyhci2
-ud+iSg+IVT38KaiutSTJJ5vUEITiPSSAosVlAgMBAAEwDQYJKoZIhvcNAQEEBQAD
-gYEAEhZCBvobbXxhI3GWkLkt52RYccLBFP2tv24T4cbGDf8hVK1zVa4OLFSZ6wnB
-WKKVquESds7N/09fHxqwKCEJU3F9KE3lrUDfJvLFnpqCvIcMse1bfmrFSBzWhDh3
-6ck29gn/lSBpdOKL4NYBsbuhwIw3lIJSNVc+0X5zaImWvWg=
+MIICETCCAXoCAU4wDQYJKoZIhvcNAQEEBQAwUTELMAkGA1UEBhMCSlAxHzAdBgNV
+BAoTFkN5YmVyVHJ1c3QgSmFwYW4sIEluYy4xITAfBgNVBAMTGEN5YmVyVHJ1c3Qg
+SkFQQU4gUm9vdCBDQTAeFw05ODA4MDQwNzU3MDBaFw0wMzA4MDQyMzU5MDBaMFEx
+CzAJBgNVBAYTAkpQMR8wHQYDVQQKExZDeWJlclRydXN0IEphcGFuLCBJbmMuMSEw
+HwYDVQQDExhDeWJlclRydXN0IEpBUEFOIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBALet/MpHEHaJ/Wes5HMGfIFLHda1fA5Hr+ymVHWoxP1lr+fI
+sbFsNDWN97lkVygLIVredP7ceC6GRhJMfxEf3JO9X75mmIa4t+xtSdOQ2eF5AFZo
+uq1sHyw7H8ksjEOwBELqgXOmzjN1RQ2KRXIvqldV5AfDQ+J1Og+8PNCEzrrvAgMB
+AAEwDQYJKoZIhvcNAQEEBQADgYEAt6ZkowyAPBzE2O5BO+WGpJ5gXdYBMqhqZC0g
+cEC6ck5m+gdlTgOOC/1W4K07IKcy+rISHoDfHuN6GMxX2+bJNGDvdesQFtCkLnDY
+JCO4pXdzQvkHOt0BbAiTBzUmECVgKf8J5WSfabkWSfNc3SRjRpMNsFM2dbxIILsZ
+to/QIv0=
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
-        Serial Number: 1 (0x1)
+        Serial Number: 78 (0x4e)
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=BR, O=CertiSign Certificadora Digital Ltda, OU=BR Certification Services
+        Issuer: C=JP, O=CyberTrust Japan, Inc., CN=CyberTrust JAPAN Root CA
         Validity
-            Not Before: Jan  1 00:00:00 1997 GMT
-            Not After : Dec 31 23:59:59 1999 GMT
-        Subject: C=BR, O=CertiSign Certificadora Digital Ltda, OU=BR Certification Services
+            Not Before: Aug  4 07:57:00 1998 GMT
+            Not After : Aug  4 23:59:00 2003 GMT
+        Subject: C=JP, O=CyberTrust Japan, Inc., CN=CyberTrust JAPAN Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:b7:ad:fc:ca:47:10:76:89:fd:67:ac:e4:73:06:
+                    7c:81:4b:1d:d6:b5:7c:0e:47:af:ec:a6:54:75:a8:
+                    c4:fd:65:af:e7:c8:b1:b1:6c:34:35:8d:f7:b9:64:
+                    57:28:0b:21:5a:de:74:fe:dc:78:2e:86:46:12:4c:
+                    7f:11:1f:dc:93:bd:5f:be:66:98:86:b8:b7:ec:6d:
+                    49:d3:90:d9:e1:79:00:56:68:ba:ad:6c:1f:2c:3b:
+                    1f:c9:2c:8c:43:b0:04:42:ea:81:73:a6:ce:33:75:
+                    45:0d:8a:45:72:2f:aa:57:55:e4:07:c3:43:e2:75:
+                    3a:0f:bc:3c:d0:84:ce:ba:ef
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: md5WithRSAEncryption
+        b7:a6:64:a3:0c:80:3c:1c:c4:d8:ee:41:3b:e5:86:a4:9e:60:
+        5d:d6:01:32:a8:6a:64:2d:20:70:40:ba:72:4e:66:fa:07:65:
+        4e:03:8e:0b:fd:56:e0:ad:3b:20:a7:32:fa:b2:12:1e:80:df:
+        1e:e3:7a:18:cc:57:db:e6:c9:34:60:ef:75:eb:10:16:d0:a4:
+        2e:70:d8:24:23:b8:a5:77:73:42:f9:07:3a:dd:01:6c:08:93:
+        07:35:26:10:25:60:29:ff:09:e5:64:9f:69:b9:16:49:f3:5c:
+        dd:24:63:46:93:0d:b0:53:36:75:bc:48:20:bb:19:b6:8f:d0:
+        22:fd
+
+GTE CyberTrust Japan Secure Server CA
+=====================================
+MD5 Fingerprint: DD:0D:0D:B4:78:4B:7D:CE:30:0A:A6:35:C6:AB:4C:88
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIICIzCCAYwCAU8wDQYJKoZIhvcNAQEEBQAwWjELMAkGA1UEBhMCSlAxHzAdBgNV
+BAoTFkN5YmVyVHJ1c3QgSmFwYW4sIEluYy4xKjAoBgNVBAMTIUN5YmVyVHJ1c3Qg
+SkFQQU4gU2VjdXJlIFNlcnZlciBDQTAeFw05ODA4MDQwODA2MzJaFw0wMzA4MDQy
+MzU5MDBaMFoxCzAJBgNVBAYTAkpQMR8wHQYDVQQKExZDeWJlclRydXN0IEphcGFu
+LCBJbmMuMSowKAYDVQQDEyFDeWJlclRydXN0IEpBUEFOIFNlY3VyZSBTZXJ2ZXIg
+Q0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKwmo6G4b2rALBL52zEFkuf9
++tSBtLjVKtWQ+vBDZfwSFcrs27lh3jNjN0+vADx/kjcbGHPlnzyI8RoTRP558sMm
+lQ8L8J4UByFsV8Jdw+JRsM2LX81fhjj4eZc57Oi/Ui6xXqqprozt7tfIty4xi7Q5
+kjt8gScHGgFEL0lzILbJAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAaB17Eu5aeSkx
+ygGsi1CpJ5ksAPw4Ghz/wtXwE/4bpzn1gBTrUfrAjXuEG1musTVRbqE+1xvsoJ7f
+4KWCluOxP9io8ct5gI738ESZfhT1I6MR42hLBTZuiOOrhqo4UwNCO9O5+eC/BenT
+X8NKp7b9t12QSfiasq1mpoIAk65g/yA=
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 79 (0x4f)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=JP, O=CyberTrust Japan, Inc., CN=CyberTrust JAPAN Secure Server CA
+        Validity
+            Not Before: Aug  4 08:06:32 1998 GMT
+            Not After : Aug  4 23:59:00 2003 GMT
+        Subject: C=JP, O=CyberTrust Japan, Inc., CN=CyberTrust JAPAN Secure Server CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:ac:26:a3:a1:b8:6f:6a:c0:2c:12:f9:db:31:05:
+                    92:e7:fd:fa:d4:81:b4:b8:d5:2a:d5:90:fa:f0:43:
+                    65:fc:12:15:ca:ec:db:b9:61:de:33:63:37:4f:af:
+                    00:3c:7f:92:37:1b:18:73:e5:9f:3c:88:f1:1a:13:
+                    44:fe:79:f2:c3:26:95:0f:0b:f0:9e:14:07:21:6c:
+                    57:c2:5d:c3:e2:51:b0:cd:8b:5f:cd:5f:86:38:f8:
+                    79:97:39:ec:e8:bf:52:2e:b1:5e:aa:a9:ae:8c:ed:
+                    ee:d7:c8:b7:2e:31:8b:b4:39:92:3b:7c:81:27:07:
+                    1a:01:44:2f:49:73:20:b6:c9
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: md5WithRSAEncryption
+        68:1d:7b:12:ee:5a:79:29:31:ca:01:ac:8b:50:a9:27:99:2c:
+        00:fc:38:1a:1c:ff:c2:d5:f0:13:fe:1b:a7:39:f5:80:14:eb:
+        51:fa:c0:8d:7b:84:1b:59:ae:b1:35:51:6e:a1:3e:d7:1b:ec:
+        a0:9e:df:e0:a5:82:96:e3:b1:3f:d8:a8:f1:cb:79:80:8e:f7:
+        f0:44:99:7e:14:f5:23:a3:11:e3:68:4b:05:36:6e:88:e3:ab:
+        86:aa:38:53:03:42:3b:d3:b9:f9:e0:bf:05:e9:d3:5f:c3:4a:
+        a7:b6:fd:b7:5d:90:49:f8:9a:b2:ad:66:a6:82:00:93:ae:60:
+        ff:20
+
+GTE CyberTrust Root 2
+=====================
+MD5 Fingerprint: BA:ED:17:57:9A:4B:FF:7C:F9:C9:1F:A2:CD:1A:D6:87
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbkCAgGbMA0GCSqGSIb3DQEBBAUAMHAxCzAJBgNVBAYTAlVTMRgwFgYD
+VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
+bHV0aW9ucywgSW5jLjEeMBwGA1UEAxMVR1RFIEN5YmVyVHJ1c3QgUm9vdCAyMB4X
+DTk4MDgxMTExMzUwN1oXDTA4MDgxMTExMjIxNlowcDELMAkGA1UEBhMCVVMxGDAW
+BgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3Qg
+U29sdXRpb25zLCBJbmMuMR4wHAYDVQQDExVHVEUgQ3liZXJUcnVzdCBSb290IDIw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANksTE4vaRoj41a6886EwAnAefFE
+XzMfFZF/iogouCRFzI8YzR900bWPcUzWMfZzloSUQMWpg2Akfa9vNLdLTMIJgDtF
+BJ7EPMQndXsADKFkR7UUXYJLUTpYu0RMPdPlBjjoYVyYeLuAs5zacoJioN+cX+v5
+T3fCzGAYAGs0giWzAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAo2SRbxDt526iQkCU
+eM74FAjR+kOF60bNkhTQ7y4tNjkY2brJJ4gp6UgXb/jBqshhbS39QC11QzCXOfgU
+ZL1v72OoK0LfsloNJex7N9jOkSmCFvnoYqLhdsQCfd0li5jh9g1gjPZZkEBRRNHC
++xkkHhc5a3QhFTPWVdeCHnAsJ6g=
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 411 (0x19b)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Root 2
+        Validity
+            Not Before: Aug 11 11:35:07 1998 GMT
+            Not After : Aug 11 11:22:16 2008 GMT
+        Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Root 2
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:c9:61:71:73:76:13:43:51:63:aa:45:8f:a8:e0:
-                    bf:4c:8e:40:be:22:f1:b5:f1:d5:a3:ec:60:2a:85:
-                    f3:22:55:00:13:9d:69:cb:ce:c6:3b:23:f0:63:af:
-                    54:c3:64:c5:fc:48:7b:2b:76:f2:e4:fd:06:e8:64:
-                    f4:6d:14:f4:19:33:47:96:4a:e4:0c:fe:22:24:aa:
-                    13:b6:d4:73:fb:ac:fe:77:e8:14:da:3c:56:25:d1:
-                    e6:84:ec:8c:02:24:7c:c2:32:85:c8:b6:b9:df:a2:
-                    4a:0f:88:55:3d:fc:29:a8:ae:b5:24:c9:27:9b:d4:
-                    10:84:e2:3d:24:80:a2:c5:65
+                    00:d9:2c:4c:4e:2f:69:1a:23:e3:56:ba:f3:ce:84:
+                    c0:09:c0:79:f1:44:5f:33:1f:15:91:7f:8a:88:28:
+                    b8:24:45:cc:8f:18:cd:1f:74:d1:b5:8f:71:4c:d6:
+                    31:f6:73:96:84:94:40:c5:a9:83:60:24:7d:af:6f:
+                    34:b7:4b:4c:c2:09:80:3b:45:04:9e:c4:3c:c4:27:
+                    75:7b:00:0c:a1:64:47:b5:14:5d:82:4b:51:3a:58:
+                    bb:44:4c:3d:d3:e5:06:38:e8:61:5c:98:78:bb:80:
+                    b3:9c:da:72:82:62:a0:df:9c:5f:eb:f9:4f:77:c2:
+                    cc:60:18:00:6b:34:82:25:b3
                 Exponent: 65537 (0x10001)
     Signature Algorithm: md5WithRSAEncryption
-        12:16:42:06:fa:1b:6d:7c:61:23:71:96:90:b9:2d:e7:64:58:
-        71:c2:c1:14:fd:ad:bf:6e:13:e1:c6:c6:0d:ff:21:54:ad:73:
-        55:ae:0e:2c:54:99:eb:09:c1:58:a2:95:aa:e1:12:76:ce:cd:
-        ff:4f:5f:1f:1a:b0:28:21:09:53:71:7d:28:4d:e5:ad:40:df:
-        26:f2:c5:9e:9a:82:bc:87:0c:b1:ed:5b:7e:6a:c5:48:1c:d6:
-        84:38:77:e9:c9:36:f6:09:ff:95:20:69:74:e2:8b:e0:d6:01:
-        b1:bb:a1:c0:8c:37:94:82:52:35:57:3e:d1:7e:73:68:89:96:
-        bd:68
+        a3:64:91:6f:10:ed:e7:6e:a2:42:40:94:78:ce:f8:14:08:d1:
+        fa:43:85:eb:46:cd:92:14:d0:ef:2e:2d:36:39:18:d9:ba:c9:
+        27:88:29:e9:48:17:6f:f8:c1:aa:c8:61:6d:2d:fd:40:2d:75:
+        43:30:97:39:f8:14:64:bd:6f:ef:63:a8:2b:42:df:b2:5a:0d:
+        25:ec:7b:37:d8:ce:91:29:82:16:f9:e8:62:a2:e1:76:c4:02:
+        7d:dd:25:8b:98:e1:f6:0d:60:8c:f6:59:90:40:51:44:d1:c2:
+        fb:19:24:1e:17:39:6b:74:21:15:33:d6:55:d7:82:1e:70:2c:
+        27:a8
+
+GTE CyberTrust Root 3
+=====================
+MD5 Fingerprint: DB:81:96:57:AE:64:61:EF:77:A7:83:C4:51:24:3C:87
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbkCAgGXMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlVTMRgwFgYD
+VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
+bHV0aW9ucywgSW5jLjEeMBwGA1UEAxMVR1RFIEN5YmVyVHJ1c3QgUm9vdCAzMB4X
+DTk4MDgxMDE5NTkwOFoXDTA4MDgxMDE5MzYzOVowcDELMAkGA1UEBhMCVVMxGDAW
+BgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3Qg
+U29sdXRpb25zLCBJbmMuMR4wHAYDVQQDExVHVEUgQ3liZXJUcnVzdCBSb290IDMw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOHzsSsLztwU2TSXYlASVmOETFP6
+wIXP+sHdD955E39T+6oOYN3iYr/G7k6ZNKpoQzWZ+KP982O9AVRqnrI6lix7eCjG
+WrWNGhUY/eOMLqJQCVtx1g21GB8ZjgQpk5N4q18U53NC8gMMV6IbUDsLu1ngoDoD
+7icbWky5sAjKuRqJAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAheutlCAG6bKiazvy
+ZuvjS7gSJgXl9JGo3IfcmPSUwfRhvdWcbFFzlV7QvdfmRdw8z0aE1ee57ORnY24A
+KHdxXUoF6bl8hszCRLveKUja6t29F58dUQGo6BResVf3/9qPzpX+Le0yEnf/fGph
+la4xcgYI8PnzDY7i76hTXZEDg94=
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 407 (0x197)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Root 3
+        Validity
+            Not Before: Aug 10 19:59:08 1998 GMT
+            Not After : Aug 10 19:36:39 2008 GMT
+        Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Root 3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:e1:f3:b1:2b:0b:ce:dc:14:d9:34:97:62:50:12:
+                    56:63:84:4c:53:fa:c0:85:cf:fa:c1:dd:0f:de:79:
+                    13:7f:53:fb:aa:0e:60:dd:e2:62:bf:c6:ee:4e:99:
+                    34:aa:68:43:35:99:f8:a3:fd:f3:63:bd:01:54:6a:
+                    9e:b2:3a:96:2c:7b:78:28:c6:5a:b5:8d:1a:15:18:
+                    fd:e3:8c:2e:a2:50:09:5b:71:d6:0d:b5:18:1f:19:
+                    8e:04:29:93:93:78:ab:5f:14:e7:73:42:f2:03:0c:
+                    57:a2:1b:50:3b:0b:bb:59:e0:a0:3a:03:ee:27:1b:
+                    5a:4c:b9:b0:08:ca:b9:1a:89
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+        85:eb:ad:94:20:06:e9:b2:a2:6b:3b:f2:66:eb:e3:4b:b8:12:
+        26:05:e5:f4:91:a8:dc:87:dc:98:f4:94:c1:f4:61:bd:d5:9c:
+        6c:51:73:95:5e:d0:bd:d7:e6:45:dc:3c:cf:46:84:d5:e7:b9:
+        ec:e4:67:63:6e:00:28:77:71:5d:4a:05:e9:b9:7c:86:cc:c2:
+        44:bb:de:29:48:da:ea:dd:bd:17:9f:1d:51:01:a8:e8:14:5e:
+        b1:57:f7:ff:da:8f:ce:95:fe:2d:ed:32:12:77:ff:7c:6a:61:
+        95:ae:31:72:06:08:f0:f9:f3:0d:8e:e2:ef:a8:53:5d:91:03:
+        83:de
+
+GTE CyberTrust Root 4
+=====================
+MD5 Fingerprint: 33:43:02:B1:B9:E0:73:B1:B1:20:CA:CB:C7:84:03:50
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj0CAgGoMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlVTMRgwFgYD
+VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
+bHV0aW9ucywgSW5jLjEeMBwGA1UEAxMVR1RFIEN5YmVyVHJ1c3QgUm9vdCA0MB4X
+DTk4MDgxMzEzNTEwMFoXDTEzMDgxMzIzNTkwMFowcDELMAkGA1UEBhMCVVMxGDAW
+BgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3Qg
+U29sdXRpb25zLCBJbmMuMR4wHAYDVQQDExVHVEUgQ3liZXJUcnVzdCBSb290IDQw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6nSJuf9pmPDlCsaMqb9P3
+vK6sMVrXEZBHuZ0ZLvnzGyKgw+GnusT8XgqUS5haSybkH/Tc8/6OiNxsLXx3hyZQ
+wF5OqCih6hdpT03GAQ7amg0GViYVtqRdejWvje14Uob5OKuzAdPaBZaxtlCrwKGu
+F1P6QzkgcWUj223Etu2YRYPX0vbiqWv7+XXM78WrcZY16N+OkZuoEHUft84Tjmuz
+lneXGpEvxyxpmfAPKmgAmHZEG4wo0uuO9IO0f6QlXmw72cZo1WG41F4xB7VbkDVS
+V3sXIO0tuB6OiDk+Usvf8FyxZbulErSQY79xnTLB2r9QSpW+BjrEK+vNmHZETQvl
+AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAEOvHIfJSbpliTRJPOoHO0eiedSgO5Bs
+3n+oVMPoTEAyvMjsHOXZrEC6/Iw/wnOc9GTq36ntTlvIAWDuOW1DJ/N/qgjS/k5v
+FDJNfeQ0gKU1xNZGULQ7oC1lH09lfjQoLcCndn0xyQ0zFvYgGSARULsDzHBtlrfv
+TKfaNhXPu03UltyITWyY7blz/ihXoO1k+AqBKXP29pcyhzm0ge/ZTRoHNPe6QjXe
+V9xc1vfF6wonDIGmwtBoTv2SW0iD9haKjzZb7TFsP0F6cfeSPzGkCkBM84biYcE8
+SYEtpbjvupcPvCsdm4ny0o4eTYbywqv2LZnAGyoNobZP+SxYTT19Nwo=
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 424 (0x1a8)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Root 4
+        Validity
+            Not Before: Aug 13 13:51:00 1998 GMT
+            Not After : Aug 13 23:59:00 2013 GMT
+        Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Root 4
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:ba:9d:22:6e:7f:da:66:3c:39:42:b1:a3:2a:6f:
+                    d3:f7:bc:ae:ac:31:5a:d7:11:90:47:b9:9d:19:2e:
+                    f9:f3:1b:22:a0:c3:e1:a7:ba:c4:fc:5e:0a:94:4b:
+                    98:5a:4b:26:e4:1f:f4:dc:f3:fe:8e:88:dc:6c:2d:
+                    7c:77:87:26:50:c0:5e:4e:a8:28:a1:ea:17:69:4f:
+                    4d:c6:01:0e:da:9a:0d:06:56:26:15:b6:a4:5d:7a:
+                    35:af:8d:ed:78:52:86:f9:38:ab:b3:01:d3:da:05:
+                    96:b1:b6:50:ab:c0:a1:ae:17:53:fa:43:39:20:71:
+                    65:23:db:6d:c4:b6:ed:98:45:83:d7:d2:f6:e2:a9:
+                    6b:fb:f9:75:cc:ef:c5:ab:71:96:35:e8:df:8e:91:
+                    9b:a8:10:75:1f:b7:ce:13:8e:6b:b3:96:77:97:1a:
+                    91:2f:c7:2c:69:99:f0:0f:2a:68:00:98:76:44:1b:
+                    8c:28:d2:eb:8e:f4:83:b4:7f:a4:25:5e:6c:3b:d9:
+                    c6:68:d5:61:b8:d4:5e:31:07:b5:5b:90:35:52:57:
+                    7b:17:20:ed:2d:b8:1e:8e:88:39:3e:52:cb:df:f0:
+                    5c:b1:65:bb:a5:12:b4:90:63:bf:71:9d:32:c1:da:
+                    bf:50:4a:95:be:06:3a:c4:2b:eb:cd:98:76:44:4d:
+                    0b:e5
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+        43:af:1c:87:c9:49:ba:65:89:34:49:3c:ea:07:3b:47:a2:79:
+        d4:a0:3b:90:6c:de:7f:a8:54:c3:e8:4c:40:32:bc:c8:ec:1c:
+        e5:d9:ac:40:ba:fc:8c:3f:c2:73:9c:f4:64:ea:df:a9:ed:4e:
+        5b:c8:01:60:ee:39:6d:43:27:f3:7f:aa:08:d2:fe:4e:6f:14:
+        32:4d:7d:e4:34:80:a5:35:c4:d6:46:50:b4:3b:a0:2d:65:1f:
+        4f:65:7e:34:28:2d:c0:a7:76:7d:31:c9:0d:33:16:f6:20:19:
+        20:11:50:bb:03:cc:70:6d:96:b7:ef:4c:a7:da:36:15:cf:bb:
+        4d:d4:96:dc:88:4d:6c:98:ed:b9:73:fe:28:57:a0:ed:64:f8:
+        0a:81:29:73:f6:f6:97:32:87:39:b4:81:ef:d9:4d:1a:07:34:
+        f7:ba:42:35:de:57:dc:5c:d6:f7:c5:eb:0a:27:0c:81:a6:c2:
+        d0:68:4e:fd:92:5b:48:83:f6:16:8a:8f:36:5b:ed:31:6c:3f:
+        41:7a:71:f7:92:3f:31:a4:0a:40:4c:f3:86:e2:61:c1:3c:49:
+        81:2d:a5:b8:ef:ba:97:0f:bc:2b:1d:9b:89:f2:d2:8e:1e:4d:
+        86:f2:c2:ab:f6:2d:99:c0:1b:2a:0d:a1:b6:4f:f9:2c:58:4d:
+        3d:7d:37:0a
+
+GTE CyberTrust Root 5
+=====================
+MD5 Fingerprint: 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDtjCCAp6gAwIBAgICAbYwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVVMx
+GDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1
+c3QgU29sdXRpb25zLCBJbmMuMR4wHAYDVQQDExVHVEUgQ3liZXJUcnVzdCBSb290
+IDUwHhcNOTgwODE0MTQ1MDAwWhcNMTMwODE0MjM1OTAwWjBwMQswCQYDVQQGEwJV
+UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
+cnVzdCBTb2x1dGlvbnMsIEluYy4xHjAcBgNVBAMTFUdURSBDeWJlclRydXN0IFJv
+b3QgNTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALwSbj+KfHqXAewe
+uzlaAvR4RKJIG457SVJ6uHtHs6+Um2+7lvoramVcuByUc76/iQoigO5X/IwFu3Cf
+lzkE2qOHXKjlyq/AM5rVN1xLrOSA0KYjYPv9ci6UncfOwgQy73hgXe2thw9FZR48
+mgqavl0dmezn8tHGehfZrZtUln/EfGC/haoVNR1A2hG87FQhKC0joajwzy3N3fx+
+D17hZQdWywe00lboXjHMGGPEhtIthc+Tkqtt/mg5+95zvYb45EZ66p8My/QZ/mO8
+0Sx7iDM29uThnAxTgWAc2i6rlqkWiBNQmbK9Vd8VMH7o5Zj7cH5stQf8/Ea30O03
+ln4y/iECAwEAAaNaMFgwEgYDVR0TAQH/BAgwBgEB/wIBBTAOBgNVHQ8BAf8EBAMC
+AQYwFwYDVR0gBBAwDjAMBgoqhkiG+GMBAgEDMBkGA1UdDgQSBBB2CkkhOEyf3vjE
+ScdxcZGdMA0GCSqGSIb3DQEBBQUAA4IBAQBBOtQYW9q43iEc4Y4J5fFoNP/elvQH
+9ac886xKsZv6kvqb7eYyIapKdsXcTzjl39WG5NXIdn2Y17HNj021kSNsi4rr6nzv
+FJTExvAfSi0ycWMrY5EmAgm2gB3t4sy4f9uHY8jh0GwmsTUdQGYQG82VVBgzYewT
+T9oT95mvPtDPjqZyorPDBZrJJ32SzH5SjbOrcG2eiZ9N6xp1wpiq1QIW1wyKvyXk
+6y28mOlYOBl8uTf+2+KZCHMGx5eDan0QAS8yuRcFSmXmL86+XlOmgumaUwqEdC2D
+ysiUFnZflGEo8IWnObvXi9moshMdVAk0JH0ggX1mfqKQdFwQxr3sqxvC
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 438 (0x1b6)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Root 5
+        Validity
+            Not Before: Aug 14 14:50:00 1998 GMT
+            Not After : Aug 14 23:59:00 2013 GMT
+        Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Root 5
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:bc:12:6e:3f:8a:7c:7a:97:01:ec:1e:bb:39:5a:
+                    02:f4:78:44:a2:48:1b:8e:7b:49:52:7a:b8:7b:47:
+                    b3:af:94:9b:6f:bb:96:fa:2b:6a:65:5c:b8:1c:94:
+                    73:be:bf:89:0a:22:80:ee:57:fc:8c:05:bb:70:9f:
+                    97:39:04:da:a3:87:5c:a8:e5:ca:af:c0:33:9a:d5:
+                    37:5c:4b:ac:e4:80:d0:a6:23:60:fb:fd:72:2e:94:
+                    9d:c7:ce:c2:04:32:ef:78:60:5d:ed:ad:87:0f:45:
+                    65:1e:3c:9a:0a:9a:be:5d:1d:99:ec:e7:f2:d1:c6:
+                    7a:17:d9:ad:9b:54:96:7f:c4:7c:60:bf:85:aa:15:
+                    35:1d:40:da:11:bc:ec:54:21:28:2d:23:a1:a8:f0:
+                    cf:2d:cd:dd:fc:7e:0f:5e:e1:65:07:56:cb:07:b4:
+                    d2:56:e8:5e:31:cc:18:63:c4:86:d2:2d:85:cf:93:
+                    92:ab:6d:fe:68:39:fb:de:73:bd:86:f8:e4:46:7a:
+                    ea:9f:0c:cb:f4:19:fe:63:bc:d1:2c:7b:88:33:36:
+                    f6:e4:e1:9c:0c:53:81:60:1c:da:2e:ab:96:a9:16:
+                    88:13:50:99:b2:bd:55:df:15:30:7e:e8:e5:98:fb:
+                    70:7e:6c:b5:07:fc:fc:46:b7:d0:ed:37:96:7e:32:
+                    fe:21
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                0.......
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Certificate Policies: 
+                0.0..
+*.H..c....
+            X509v3 Subject Key Identifier: 
+                ..v
+I!8L....I.qq..
+    Signature Algorithm: sha1WithRSAEncryption
+        41:3a:d4:18:5b:da:b8:de:21:1c:e1:8e:09:e5:f1:68:34:ff:
+        de:96:f4:07:f5:a7:3c:f3:ac:4a:b1:9b:fa:92:fa:9b:ed:e6:
+        32:21:aa:4a:76:c5:dc:4f:38:e5:df:d5:86:e4:d5:c8:76:7d:
+        98:d7:b1:cd:8f:4d:b5:91:23:6c:8b:8a:eb:ea:7c:ef:14:94:
+        c4:c6:f0:1f:4a:2d:32:71:63:2b:63:91:26:02:09:b6:80:1d:
+        ed:e2:cc:b8:7f:db:87:63:c8:e1:d0:6c:26:b1:35:1d:40:66:
+        10:1b:cd:95:54:18:33:61:ec:13:4f:da:13:f7:99:af:3e:d0:
+        cf:8e:a6:72:a2:b3:c3:05:9a:c9:27:7d:92:cc:7e:52:8d:b3:
+        ab:70:6d:9e:89:9f:4d:eb:1a:75:c2:98:aa:d5:02:16:d7:0c:
+        8a:bf:25:e4:eb:2d:bc:98:e9:58:38:19:7c:b9:37:fe:db:e2:
+        99:08:73:06:c7:97:83:6a:7d:10:01:2f:32:b9:17:05:4a:65:
+        e6:2f:ce:be:5e:53:a6:82:e9:9a:53:0a:84:74:2d:83:ca:c8:
+        94:16:76:5f:94:61:28:f0:85:a7:39:bb:d7:8b:d9:a8:b2:13:
+        1d:54:09:34:24:7d:20:81:7d:66:7e:a2:90:74:5c:10:c6:bd:
+        ec:ab:1b:c2
 
 GTE CyberTrust Root CA
 ======================
-MD5 Fingerprint: 22:47:D0:75:47:5C:43:08:52:6A:2C:F3:3E:B1:53:5B
+MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIB9TCCAV4CAQAwDQYJKoZIhvcNAQEEBQAwRTELMAkGA1UEBhMCVVMxGDAWBgNV
-BAoTD0dURSBDb3Jwb3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9v
-dDAaFws5NjAyMjMxOTE1WhcLOTkxMjMxMjM1OVowRTELMAkGA1UEBhMCVVMxGDAW
-BgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVyVHJ1c3Qg
-Um9vdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuOZPutuYfHF8r0S30w9G
-2WTlk8FCjse6SY01LXrni73lBTFZxrEvCgz7n6c/oglmhFYeNykbh+l+DMqan6V/
-9RWUo9WiRoLYaEzRNxUGaK+9+LCz8Cn1lVoJFmF3CiIl1E9Fqse95Zbf+dSojkLM
-JMAekSdKtW0GgGM5xKJeOAMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQA0mwkFnUJI
-f3wkjsKIZXhrTSoOr+3t8GotN+tXUQ6KrS0TAqFAakH2aXK/D6BOVeeCpleRi11D
-CMn4cQeC4z4UASQMOethIveiC0IjFMoQGDYKBdHISvEOs/0A0MbuVfJMYrQZcx9I
-GNiwTrB1vLmEix+WioPxoBqi7f+HjKNPog==
+MIIB+jCCAWMCAgGjMA0GCSqGSIb3DQEBBAUAMEUxCzAJBgNVBAYTAlVTMRgwFgYD
+VQQKEw9HVEUgQ29ycG9yYXRpb24xHDAaBgNVBAMTE0dURSBDeWJlclRydXN0IFJv
+b3QwHhcNOTYwMjIzMjMwMTAwWhcNMDYwMjIzMjM1OTAwWjBFMQswCQYDVQQGEwJV
+UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMRwwGgYDVQQDExNHVEUgQ3liZXJU
+cnVzdCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC45k+625h8cXyv
+RLfTD0bZZOWTwUKOx7pJjTUteueLveUFMVnGsS8KDPufpz+iCWaEVh43KRuH6X4M
+ypqfpX/1FZSj1aJGgthoTNE3FQZor734sLPwKfWVWgkWYXcKIiXUT0Wqx73llt/5
+1KiOQswkwB6RJ0q1bQaAYznEol44AwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABKz
+dcZfHeFhVYAA1IFLezEPI2PnPfMD+fQ2qLvZ46WXTeorKeDWanOB5sCJo9Px4KWl
+IjeaY8JIILTbcuPI9tl8vrGvU9oUtCG41tWW4/5ODFlitppK+ULdjG+BqXH/9Apy
+bW1EDp3zdHSo1TRJ6V6e6bR64eVaH4QwnNOfpSXY
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
-        Serial Number: 0 (0x0)
+        Serial Number: 419 (0x1a3)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
         Validity
-            Not Before: Feb 23 19:15:00 1996 GMT
-            Not After : Dec 31 23:59:00 1999 GMT
+            Not Before: Feb 23 23:01:00 1996 GMT
+            Not After : Feb 23 23:59:00 2006 GMT
         Subject: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -626,451 +1417,976 @@ Certificate Ingredients:
                     06:80:63:39:c4:a2:5e:38:03
                 Exponent: 65537 (0x10001)
     Signature Algorithm: md5WithRSAEncryption
-        34:9b:09:05:9d:42:48:7f:7c:24:8e:c2:88:65:78:6b:4d:2a:
-        0e:af:ed:ed:f0:6a:2d:37:eb:57:51:0e:8a:ad:2d:13:02:a1:
-        40:6a:41:f6:69:72:bf:0f:a0:4e:55:e7:82:a6:57:91:8b:5d:
-        43:08:c9:f8:71:07:82:e3:3e:14:01:24:0c:39:eb:61:22:f7:
-        a2:0b:42:23:14:ca:10:18:36:0a:05:d1:c8:4a:f1:0e:b3:fd:
-        00:d0:c6:ee:55:f2:4c:62:b4:19:73:1f:48:18:d8:b0:4e:b0:
-        75:bc:b9:84:8b:1f:96:8a:83:f1:a0:1a:a2:ed:ff:87:8c:a3:
-        4f:a2
+        12:b3:75:c6:5f:1d:e1:61:55:80:00:d4:81:4b:7b:31:0f:23:
+        63:e7:3d:f3:03:f9:f4:36:a8:bb:d9:e3:a5:97:4d:ea:2b:29:
+        e0:d6:6a:73:81:e6:c0:89:a3:d3:f1:e0:a5:a5:22:37:9a:63:
+        c2:48:20:b4:db:72:e3:c8:f6:d9:7c:be:b1:af:53:da:14:b4:
+        21:b8:d6:d5:96:e3:fe:4e:0c:59:62:b6:9a:4a:f9:42:dd:8c:
+        6f:81:a9:71:ff:f4:0a:72:6d:6d:44:0e:9d:f3:74:74:a8:d5:
+        34:49:e9:5e:9e:e9:b4:7a:e1:e5:5a:1f:84:30:9c:d3:9f:a5:
+        25:d8
 
-GTE CyberTrust Secure Server CA
-===============================
-MD5 Fingerprint: E6:77:D7:5A:16:B8:D1:66:D5:96:06:3B:7D:D2:EB:1C
+GlobalSign Partners CA
+======================
+MD5 Fingerprint: 3C:75:CD:4C:BD:A9:D0:8A:79:4F:50:16:37:84:F4:2B
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICJTCCAY4CAU8wDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCVVMxGDAWBgNV
-BAoTD0dURSBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpR1RFIFNlY3VyZSBTZXJ2ZXIg
-Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTcwMjEzMTYwMjEzWhcNOTkxMjMw
-MjM1OTAwWjBbMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9u
-MTIwMAYDVQQDEylHVEUgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhv
-cml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAseQZFuzriZ+mN7yI6GKO
-PfAUXT/80hM6J03XXhT/1C/BAa9ziIYclDKoxSHv45+DFl3f5lZBQyfbmAxc8gVT
-Oq8X9hNDIVuBFUYip7BwoxOvjXC1FK3jWEvLeVTtvCeW9/Uu9MjTIE1AvcwPUuT+
-ecnhXqUcVuD+3LaEj9vVAqUCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBaUWg15Wnp
-LLmvndnWDCXedGTLJJdQxOleCX/3ZorwsuZpfEBAfqduxsHowQOgAMzSeuFLSNfU
-U7hIbxWTjazlrjO7a+lcKYWf6KpFfF7uaYdKZRiEt32ftoag0Pt2qRFr3mvAFwrz
-TDSYONKgPg9FYF9DhkPsGfXDzgC3cx+qUg==
+MIIDnjCCAoagAwIBAgILAgAAAAAA1ni50a8wDQYJKoZIhvcNAQEEBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05OTAxMjgxMjAw
+MDBaFw0wOTAxMjgxMjAwMDBaMF8xCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRQwEgYDVQQLEwtQYXJ0bmVycyBDQTEfMB0GA1UEAxMWR2xv
+YmFsU2lnbiBQYXJ0bmVycyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANIs+DKsShJ6N8gpkaWujG4eDsA0M4jlM3EWHHiEaMMYNFAuFj6xlIJPsZqf
+APjGETXGaXuYAq0ABohs50wzKACIJ0Yfh7NxdWO8MruI3mYYDlAGk7T2vBQ3MD0i
+3z3/dX7ZChrFn7P80KyzCHqJ0wHoAFznSgs9TXsmordiBovaRt2TFz8/WwJLC7aI
+IBGSAK27xy7U40Wu9YlafI2krYVkMsAnjMbyioCShiRWWY10aKKDQrOePVBBhm8g
+bvb9ztMZ4zLMj+2aXm0fKPVSrG4YXvg90ZLlumwBiEsK8i3eZTMFQqBMqjF2vv2/
+gXj5cRxGXi0VlS0wWY5MQdFiqz0CAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgAGMB0G
+A1UdDgQWBBRDJI1wFQhiVZxPDEAXXYZeD6JM+zAfBgNVHSMEGDAWgBRge2YaRQ2X
+yolQL30EzTSo//z9SzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA4IB
+AQBm7bSIaRGZgiGDrKFti5uErQ8tyB6Mynt+rarUjt4H1p5Fx6W4nAc5YCVVGsBP
+GeXPFylJiRg1ZuXrKEBOV8mvs+S4IAWjO5VQkUmUKX0s5YhBpUWIXp2CJ/fS71u1
+T5++/jVlLFVkn+FR2iJhd7pYTo/GeVlZbjCAok+QbiELrdBoOZAQm+0iZW8eETjm
+f4zS8zltR9Uh6Op1OkHRrfYWnV0LIb3zH2MGJR3BHzVxLOsgGdXBsOw95W/tAgc/
+E3tmktZEwZj3X1CLelvCb22w0fjldKBAN6MlD+Q9ymQxk5BcMHu5OTGaXkzNuUFP
+UOQ9OK7IZtnHO11RR6ybq/Kt
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
-        Version: 1 (0x0)
-        Serial Number: 79 (0x4f)
+        Version: 3 (0x2)
+        Serial Number:
+            02:00:00:00:00:00:d6:78:b9:d1:af
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=US, O=GTE Corporation, CN=GTE Secure Server Certification Authority
+        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
         Validity
-            Not Before: Feb 13 16:02:13 1997 GMT
-            Not After : Dec 30 23:59:00 1999 GMT
-        Subject: C=US, O=GTE Corporation, CN=GTE Secure Server Certification Authority
+            Not Before: Jan 28 12:00:00 1999 GMT
+            Not After : Jan 28 12:00:00 2009 GMT
+        Subject: C=BE, O=GlobalSign nv-sa, OU=Partners CA, CN=GlobalSign Partners CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b1:e4:19:16:ec:eb:89:9f:a6:37:bc:88:e8:62:
-                    8e:3d:f0:14:5d:3f:fc:d2:13:3a:27:4d:d7:5e:14:
-                    ff:d4:2f:c1:01:af:73:88:86:1c:94:32:a8:c5:21:
-                    ef:e3:9f:83:16:5d:df:e6:56:41:43:27:db:98:0c:
-                    5c:f2:05:53:3a:af:17:f6:13:43:21:5b:81:15:46:
-                    22:a7:b0:70:a3:13:af:8d:70:b5:14:ad:e3:58:4b:
-                    cb:79:54:ed:bc:27:96:f7:f5:2e:f4:c8:d3:20:4d:
-                    40:bd:cc:0f:52:e4:fe:79:c9:e1:5e:a5:1c:56:e0:
-                    fe:dc:b6:84:8f:db:d5:02:a5
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:d2:2c:f8:32:ac:4a:12:7a:37:c8:29:91:a5:ae:
+                    8c:6e:1e:0e:c0:34:33:88:e5:33:71:16:1c:78:84:
+                    68:c3:18:34:50:2e:16:3e:b1:94:82:4f:b1:9a:9f:
+                    00:f8:c6:11:35:c6:69:7b:98:02:ad:00:06:88:6c:
+                    e7:4c:33:28:00:88:27:46:1f:87:b3:71:75:63:bc:
+                    32:bb:88:de:66:18:0e:50:06:93:b4:f6:bc:14:37:
+                    30:3d:22:df:3d:ff:75:7e:d9:0a:1a:c5:9f:b3:fc:
+                    d0:ac:b3:08:7a:89:d3:01:e8:00:5c:e7:4a:0b:3d:
+                    4d:7b:26:a2:b7:62:06:8b:da:46:dd:93:17:3f:3f:
+                    5b:02:4b:0b:b6:88:20:11:92:00:ad:bb:c7:2e:d4:
+                    e3:45:ae:f5:89:5a:7c:8d:a4:ad:85:64:32:c0:27:
+                    8c:c6:f2:8a:80:92:86:24:56:59:8d:74:68:a2:83:
+                    42:b3:9e:3d:50:41:86:6f:20:6e:f6:fd:ce:d3:19:
+                    e3:32:cc:8f:ed:9a:5e:6d:1f:28:f5:52:ac:6e:18:
+                    5e:f8:3d:d1:92:e5:ba:6c:01:88:4b:0a:f2:2d:de:
+                    65:33:05:42:a0:4c:aa:31:76:be:fd:bf:81:78:f9:
+                    71:1c:46:5e:2d:15:95:2d:30:59:8e:4c:41:d1:62:
+                    ab:3d
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Key Identifier: 
+                ..C$.p..bU.O.@.].^..L.
+            X509v3 Authority Key Identifier: 
+                0...`{f.E
...P/}..4....K
+            X509v3 Basic Constraints: critical
+                0....
     Signature Algorithm: md5WithRSAEncryption
-        5a:51:68:35:e5:69:e9:2c:b9:af:9d:d9:d6:0c:25:de:74:64:
-        cb:24:97:50:c4:e9:5e:09:7f:f7:66:8a:f0:b2:e6:69:7c:40:
-        40:7e:a7:6e:c6:c1:e8:c1:03:a0:00:cc:d2:7a:e1:4b:48:d7:
-        d4:53:b8:48:6f:15:93:8d:ac:e5:ae:33:bb:6b:e9:5c:29:85:
-        9f:e8:aa:45:7c:5e:ee:69:87:4a:65:18:84:b7:7d:9f:b6:86:
-        a0:d0:fb:76:a9:11:6b:de:6b:c0:17:0a:f3:4c:34:98:38:d2:
-        a0:3e:0f:45:60:5f:43:86:43:ec:19:f5:c3:ce:00:b7:73:1f:
-        aa:52
+        66:ed:b4:88:69:11:99:82:21:83:ac:a1:6d:8b:9b:84:ad:0f:
+        2d:c8:1e:8c:ca:7b:7e:ad:aa:d4:8e:de:07:d6:9e:45:c7:a5:
+        b8:9c:07:39:60:25:55:1a:c0:4f:19:e5:cf:17:29:49:89:18:
+        35:66:e5:eb:28:40:4e:57:c9:af:b3:e4:b8:20:05:a3:3b:95:
+        50:91:49:94:29:7d:2c:e5:88:41:a5:45:88:5e:9d:82:27:f7:
+        d2:ef:5b:b5:4f:9f:be:fe:35:65:2c:55:64:9f:e1:51:da:22:
+        61:77:ba:58:4e:8f:c6:79:59:59:6e:30:80:a2:4f:90:6e:21:
+        0b:ad:d0:68:39:90:10:9b:ed:22:65:6f:1e:11:38:e6:7f:8c:
+        d2:f3:39:6d:47:d5:21:e8:ea:75:3a:41:d1:ad:f6:16:9d:5d:
+        0b:21:bd:f3:1f:63:06:25:1d:c1:1f:35:71:2c:eb:20:19:d5:
+        c1:b0:ec:3d:e5:6f:ed:02:07:3f:13:7b:66:92:d6:44:c1:98:
+        f7:5f:50:8b:7a:5b:c2:6f:6d:b0:d1:f8:e5:74:a0:40:37:a3:
+        25:0f:e4:3d:ca:64:31:93:90:5c:30:7b:b9:39:31:9a:5e:4c:
+        cd:b9:41:4f:50:e4:3d:38:ae:c8:66:d9:c7:3b:5d:51:47:ac:
+        9b:ab:f2:ad
 
-GTIS/PWGSC, Canada Gov. Secure CA
-=================================
-MD5 Fingerprint: C0:85:54:7B:39:35:5A:FE:24:3E:69:AE:C0:BE:B9:85
+GlobalSign Primary Class 1 CA
+=============================
+MD5 Fingerprint: 5C:AC:59:01:A4:86:53:CB:10:66:B5:D6:D6:71:FF:01
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIClzCCAgCgAwIBAgIEM2DfuTANBgkqhkiG9w0BAQQFADAsMQswCQYDVQQGEwJD
-QTELMAkGA1UEChMCZ2MxEDAOBgNVBAMTB0dUSVMuQ0EwJhcROTcwNDI1MTI0NTQ0
-KzA1MDAXETE3MDQyNTEyNDU0NCswNTAwMCwxCzAJBgNVBAYTAkNBMQswCQYDVQQK
-EwJnYzEQMA4GA1UEAxMHR1RJUy5DQTCBnTANBgkqhkiG9w0BAQEFAAOBiwAwgYcC
-gYEAnpY3wwHvZOMklOj2GQsFQuGfUxs3UTabjlpflY29/OE/XhphGiOvgXWKlOhd
-Es+QPtv9Hwh41ZDK8FjoVxDxB75W+JA9mKiwFxPP+D6y/2NHmgobS0Rzb9AZxWiQ
-/GYW8GfJF2YBW8+7VZSZrGihHOUjUropAdkVv/hyK7427BkCAQOjgb8wgbwwSAYD
-VR0ZBEEwPzA9MDsxCzAJBgNVBAYTAkNBMQswCQYDVQQKEwJnYzEQMA4GA1UEAxMH
-R1RJUy5DQTENMAsGA1UEAxMEQ1JMMTAUBgNVHQEEDTALgAk4NjE5ODY3NDUwLwYD
-VR0CBCgwJgQJODYxOTg2NzQ1AwICBDAVgRMyMDE3MDQyNTEyNDU0NCswNTAwMA0G
-A1UdCgQGMAQDAgeAMBoGCSqGSIb2fQdBAAQNMAsbBXYyLjFkAwIHgDANBgkqhkiG
-9w0BAQQFAAOBgQB5SVjeXva/2XyNWu3ynves91YagqcwP80jrMGlLuXnIcY1G8jh
-hKoYbag5HaI6u5mFWiPDu0XRlZ8EdOzgmool5JHEXn0gMmLiFokubkM4bbHidObv
-xU2KViOBGSZK5xkeQoiSFKkRKb0pQ6lX+3Qq64RcErZ4UTnDYdIHeV6jSg==
+MIIDrDCCApSgAwIBAgILAgAAAAAA1ni4N88wDQYJKoZIhvcNAQEEBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MTUxMjAw
+MDBaFw0wOTAxMjgxMjAwMDBaMG0xCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRswGQYDVQQLExJQcmltYXJ5IENsYXNzIDEgQ0ExJjAkBgNV
+BAMTHUdsb2JhbFNpZ24gUHJpbWFyeSBDbGFzcyAxIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAvSA1R9Eo1gijEjkjRw29cCFSDlcxlaY0V2vsfkN5
+wwZSSM28taGZvdgfMrzP125ybS53IpCCTkuPmgwBQprZcFm2nR/mY9EMrR1O+IWB
++a7vn6ZSYUR5GnVF4GFWRW1CjD1yy6akErea9dZg0GBQs46mpuy09BLNf6jO77Ph
+hTD+csTm53eznlhB1lGDiAfGtmlPNt7RC0g/vdafIXRkbycGPkv9Dqabv6RIV4yQ
+7okYCwKBGL5n/lNgiCe6o3M0S1pWtN5zBe2Yll3sSudA/EsJYuvQ4zFPhdF6q1ln
+K/uID+uqg701/WEn7GYOQlf3acIM7/xqwm5J2o9BOK5IqQIDAQABo2MwYTAOBgNV
+HQ8BAf8EBAMCAAYwHQYDVR0OBBYEFPzgZvZaNZnrQB7SuB5DvJiOH4rDMB8GA1Ud
+IwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQEEBQADggEBAJujCETO8pCdcfMyswVqterPKZjeVT6gFn0GekTWr9L6
+E1iM+BzHqx20G+9paJhcCDmP4Pf7SMwh57gz2wWqNCRsSuXpe2Deg7MfCr5BdfzM
+MEi3wSYdBDOqtnjtKsu6VpcybvcxlS5G8hTuJ8f3Yom5XFrTOIpk9Te08bM0ctXV
+IT1L13iT1zFmNR6j2EdJbxyt4YB/+JgkbHOsDsIadwKjJge3x2tdvILVKkgdY89Q
+Mqb7HBhHFQpbDFw4JJoEmKgISF98NIdjqy2NTAB3lBt2uvUWGKMVry+U9ikAdsEV
+F9PpN0121MtLKVkkrNpKoOpj3l9Usfrz0UXLxWS0cyE=
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 3 (0x2)
-        Serial Number: 861986745 (0x3360dfb9)
+        Serial Number:
+            02:00:00:00:00:00:d6:78:b8:37:cf
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=CA, O=gc, CN=GTIS.CA
+        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
         Validity
-            Not Before: Apr 25 12:45:44 1997
-            Not After : Apr 25 12:45:44 2017
-        Subject: C=CA, O=gc, CN=GTIS.CA
+            Not Before: Sep 15 12:00:00 1998 GMT
+            Not After : Jan 28 12:00:00 2009 GMT
+        Subject: C=BE, O=GlobalSign nv-sa, OU=Primary Class 1 CA, CN=GlobalSign Primary Class 1 CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:9e:96:37:c3:01:ef:64:e3:24:94:e8:f6:19:0b:
-                    05:42:e1:9f:53:1b:37:51:36:9b:8e:5a:5f:95:8d:
-                    bd:fc:e1:3f:5e:1a:61:1a:23:af:81:75:8a:94:e8:
-                    5d:12:cf:90:3e:db:fd:1f:08:78:d5:90:ca:f0:58:
-                    e8:57:10:f1:07:be:56:f8:90:3d:98:a8:b0:17:13:
-                    cf:f8:3e:b2:ff:63:47:9a:0a:1b:4b:44:73:6f:d0:
-                    19:c5:68:90:fc:66:16:f0:67:c9:17:66:01:5b:cf:
-                    bb:55:94:99:ac:68:a1:1c:e5:23:52:ba:29:01:d9:
-                    15:bf:f8:72:2b:be:36:ec:19
-                Exponent: 3 (0x3)
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:bd:20:35:47:d1:28:d6:08:a3:12:39:23:47:0d:
+                    bd:70:21:52:0e:57:31:95:a6:34:57:6b:ec:7e:43:
+                    79:c3:06:52:48:cd:bc:b5:a1:99:bd:d8:1f:32:bc:
+                    cf:d7:6e:72:6d:2e:77:22:90:82:4e:4b:8f:9a:0c:
+                    01:42:9a:d9:70:59:b6:9d:1f:e6:63:d1:0c:ad:1d:
+                    4e:f8:85:81:f9:ae:ef:9f:a6:52:61:44:79:1a:75:
+                    45:e0:61:56:45:6d:42:8c:3d:72:cb:a6:a4:12:b7:
+                    9a:f5:d6:60:d0:60:50:b3:8e:a6:a6:ec:b4:f4:12:
+                    cd:7f:a8:ce:ef:b3:e1:85:30:fe:72:c4:e6:e7:77:
+                    b3:9e:58:41:d6:51:83:88:07:c6:b6:69:4f:36:de:
+                    d1:0b:48:3f:bd:d6:9f:21:74:64:6f:27:06:3e:4b:
+                    fd:0e:a6:9b:bf:a4:48:57:8c:90:ee:89:18:0b:02:
+                    81:18:be:67:fe:53:60:88:27:ba:a3:73:34:4b:5a:
+                    56:b4:de:73:05:ed:98:96:5d:ec:4a:e7:40:fc:4b:
+                    09:62:eb:d0:e3:31:4f:85:d1:7a:ab:59:67:2b:fb:
+                    88:0f:eb:aa:83:bd:35:fd:61:27:ec:66:0e:42:57:
+                    f7:69:c2:0c:ef:fc:6a:c2:6e:49:da:8f:41:38:ae:
+                    48:a9
+                Exponent: 65537 (0x10001)
         X509v3 extensions:
-            2.5.29.25: 
-                0?0=0;1.0...U....CA1.0...U.
-..gc1.0...U....GTIS.CA1
0...U....CRL1
-            2.5.29.1: 
-                0...861986745
-            2.5.29.2: 
-                0&..861986745....0...20170425124544+0500
-            2.5.29.10: 
-                0.....
-            1.2.840.113533.7.65.0: 
-                0...v2.1d....
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Key Identifier: 
+                ....f.Z5..@....C......
+            X509v3 Authority Key Identifier: 
+                0...`{f.E
...P/}..4....K
+            X509v3 Basic Constraints: critical
+                0....
     Signature Algorithm: md5WithRSAEncryption
-        79:49:58:de:5e:f6:bf:d9:7c:8d:5a:ed:f2:9e:f7:ac:f7:56:
-        1a:82:a7:30:3f:cd:23:ac:c1:a5:2e:e5:e7:21:c6:35:1b:c8:
-        e1:84:aa:18:6d:a8:39:1d:a2:3a:bb:99:85:5a:23:c3:bb:45:
-        d1:95:9f:04:74:ec:e0:9a:8a:25:e4:91:c4:5e:7d:20:32:62:
-        e2:16:89:2e:6e:43:38:6d:b1:e2:74:e6:ef:c5:4d:8a:56:23:
-        81:19:26:4a:e7:19:1e:42:88:92:14:a9:11:29:bd:29:43:a9:
-        57:fb:74:2a:eb:84:5c:12:b6:78:51:39:c3:61:d2:07:79:5e:
-        a3:4a
+        9b:a3:08:44:ce:f2:90:9d:71:f3:32:b3:05:6a:b5:ea:cf:29:
+        98:de:55:3e:a0:16:7d:06:7a:44:d6:af:d2:fa:13:58:8c:f8:
+        1c:c7:ab:1d:b4:1b:ef:69:68:98:5c:08:39:8f:e0:f7:fb:48:
+        cc:21:e7:b8:33:db:05:aa:34:24:6c:4a:e5:e9:7b:60:de:83:
+        b3:1f:0a:be:41:75:fc:cc:30:48:b7:c1:26:1d:04:33:aa:b6:
+        78:ed:2a:cb:ba:56:97:32:6e:f7:31:95:2e:46:f2:14:ee:27:
+        c7:f7:62:89:b9:5c:5a:d3:38:8a:64:f5:37:b4:f1:b3:34:72:
+        d5:d5:21:3d:4b:d7:78:93:d7:31:66:35:1e:a3:d8:47:49:6f:
+        1c:ad:e1:80:7f:f8:98:24:6c:73:ac:0e:c2:1a:77:02:a3:26:
+        07:b7:c7:6b:5d:bc:82:d5:2a:48:1d:63:cf:50:32:a6:fb:1c:
+        18:47:15:0a:5b:0c:5c:38:24:9a:04:98:a8:08:48:5f:7c:34:
+        87:63:ab:2d:8d:4c:00:77:94:1b:76:ba:f5:16:18:a3:15:af:
+        2f:94:f6:29:00:76:c1:15:17:d3:e9:37:4d:76:d4:cb:4b:29:
+        59:24:ac:da:4a:a0:ea:63:de:5f:54:b1:fa:f3:d1:45:cb:c5:
+        64:b4:73:21
 
-GTIS/PWGSC, Canada Gov. Web CA
-==============================
-MD5 Fingerprint: E5:33:E1:2B:54:08:B8:CC:DC:A2:B5:AE:98:82:D3:9E
+GlobalSign Primary Class 2 CA
+=============================
+MD5 Fingerprint: A9:A9:42:59:7E:BE:5A:94:E4:2C:C6:8B:1C:2A:44:B6
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIC1zCCAkCgAwIBAgIEMwTIGTANBgkqhkiG9w0BAQQFADAvMQswCQYDVQQGEwJD
-QTELMAkGA1UEChMCZ2MxEzARBgNVBAsTCkdUSVMuV2ViQ0EwHhcNOTcwMjE0MjAx
-NjI0WhcNMDIwMjE0MjAxNjI0WjAvMQswCQYDVQQGEwJDQTELMAkGA1UEChMCZ2Mx
-EzARBgNVBAsTCkdUSVMuV2ViQ0EwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGB
-AL8/DPpoIBgpc5mcJftJYUDSzUI2j5tY1GQBip5QFXQIFFSYO8AOoXpzE/QOHnzS
-bStoaARlRu0BNp9mhpmVIsxcsvQYWGmqy5oyZ0VXYcoVD0sajpUP01Iel2BpkG1e
-4cbLINkASKtEnGTaYRi/EMGHCCASgidLka9mBv7J7dsNAgEDo4IBADCB/TAfBgNV
-HSMEGDAWgBQ2QWSJWcYO7DEQlKpkiyobwyRSrTAdBgNVHQ4EFgQUNkFkiVnGDuwx
-EJSqZIsqG8MkUq0wCwYDVR0PBAQDAgEGMBoGA1UdEAQTMBGBDzIwMDIwMjE0MjAx
-NjI0WjAMBgNVHRMEBTADAQH/MFEGA1UdHwRKMEgwRqBEoEKkQDA+MQswCQYDVQQG
-EwJDQTELMAkGA1UEChMCZ2MxEzARBgNVBAsTCkdUSVMuV2ViQ0ExDTALBgNVBAMT
-BENSTDEwHgYJKoZIhvZ9B0EABBEwDxsJV0VCQ0EgMS4wAwIGwDARBglghkgBhvhC
-AQEEBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAVCd1Jtu7ewlCbc+0Bzvlr/v6Pysx
-Yii3KrD4aK057zSxj4eE4Enu27xKS0VDEZyHvVCRTdlUp14lYMn+ky45skr9H8UH
-ZZzfrhfEiZW5TBTjgEpC+xTYugj52JZYf6pNgq+yWvpjSSA3ekgUCqKAqDK06oy5
-6RtyijZjq0z2ec4=
+MIIDrDCCApSgAwIBAgILAgAAAAAA1ni4jY0wDQYJKoZIhvcNAQEEBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05OTAxMjgxMjAw
+MDBaFw0wOTAxMjgxMjAwMDBaMG0xCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRswGQYDVQQLExJQcmltYXJ5IENsYXNzIDIgQ0ExJjAkBgNV
+BAMTHUdsb2JhbFNpZ24gUHJpbWFyeSBDbGFzcyAyIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAkoz+7/RFjhdBbvzYvyFvqwadUsEsAJ0/joW4f0qP
+vaBjKspJJ65agvR04lWS/8LRqnmitvrVnYIET8ayxl5jpzq62O7rim+ftrsoQcAi
++05IGgaS17/Xz7nZvThPOw1EblVB/vwJ29i/844h8egStfYTpdPGTJMisAL/7h0M
+xKhrT3VoVujcKBJQ96gknS4kOfsJBd7lo2RJIdBofnEwkbFg4Dn0UPh6TZgAa3x5
+uk7OSuK6Nh23xTYVlZxkQupfxLr1QAW+4TpZvYSnGbjeTVNQzgfR0lHT7w2BbObn
+bctdfD98zOxPgycl/3BQ9oNZdYQGZlgs3omNAKZJ+aVDdwIDAQABo2MwYTAOBgNV
+HQ8BAf8EBAMCAAYwHQYDVR0OBBYEFHznsrEs3rGna+l2DOGj/U5sx7n2MB8GA1Ud
+IwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQEEBQADggEBAGPdWc6KeaqYnU7FiWQ3foqTZy8Q6m8nw413bfJcVpQZ
+GmlgMEZdj/JtRTyONZd8L7hR4uiJvYjPJxwINFyIwWgk25GF5M/7+0ON6CUBG8QO
+9wBCSIYfJAhYWoyN8mtHLGiRsWlC/Q2NySbmkoamZG6Sxc4+PH1x4yOkq8fVqKnf
+gqc76IbVw08Y40TQ4NzzxWgu/qUvBYTIfkdCU2uHSv4y/14+cIy3qBXMF8L/RuzQ
+7C20bhIoqflA6evUZpdTqWlVwKmqsi7N0Wn0vvi7fGnuVKbbnvtapj7+mu+UUUt1
+7tjU4ZrxAlYTiQ6nQouWi4UMG4W+Jq6rppm8IvFz30I=
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 3 (0x2)
-        Serial Number: 855951385 (0x3304c819)
+        Serial Number:
+            02:00:00:00:00:00:d6:78:b8:8d:8d
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=CA, O=gc, OU=GTIS.WebCA
+        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
+        Validity
+            Not Before: Jan 28 12:00:00 1999 GMT
+            Not After : Jan 28 12:00:00 2009 GMT
+        Subject: C=BE, O=GlobalSign nv-sa, OU=Primary Class 2 CA, CN=GlobalSign Primary Class 2 CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:92:8c:fe:ef:f4:45:8e:17:41:6e:fc:d8:bf:21:
+                    6f:ab:06:9d:52:c1:2c:00:9d:3f:8e:85:b8:7f:4a:
+                    8f:bd:a0:63:2a:ca:49:27:ae:5a:82:f4:74:e2:55:
+                    92:ff:c2:d1:aa:79:a2:b6:fa:d5:9d:82:04:4f:c6:
+                    b2:c6:5e:63:a7:3a:ba:d8:ee:eb:8a:6f:9f:b6:bb:
+                    28:41:c0:22:fb:4e:48:1a:06:92:d7:bf:d7:cf:b9:
+                    d9:bd:38:4f:3b:0d:44:6e:55:41:fe:fc:09:db:d8:
+                    bf:f3:8e:21:f1:e8:12:b5:f6:13:a5:d3:c6:4c:93:
+                    22:b0:02:ff:ee:1d:0c:c4:a8:6b:4f:75:68:56:e8:
+                    dc:28:12:50:f7:a8:24:9d:2e:24:39:fb:09:05:de:
+                    e5:a3:64:49:21:d0:68:7e:71:30:91:b1:60:e0:39:
+                    f4:50:f8:7a:4d:98:00:6b:7c:79:ba:4e:ce:4a:e2:
+                    ba:36:1d:b7:c5:36:15:95:9c:64:42:ea:5f:c4:ba:
+                    f5:40:05:be:e1:3a:59:bd:84:a7:19:b8:de:4d:53:
+                    50:ce:07:d1:d2:51:d3:ef:0d:81:6c:e6:e7:6d:cb:
+                    5d:7c:3f:7c:cc:ec:4f:83:27:25:ff:70:50:f6:83:
+                    59:75:84:06:66:58:2c:de:89:8d:00:a6:49:f9:a5:
+                    43:77
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Key Identifier: 
+                ..|...,...k.v....Nl...
+            X509v3 Authority Key Identifier: 
+                0...`{f.E
...P/}..4....K
+            X509v3 Basic Constraints: critical
+                0....
+    Signature Algorithm: md5WithRSAEncryption
+        63:dd:59:ce:8a:79:aa:98:9d:4e:c5:89:64:37:7e:8a:93:67:
+        2f:10:ea:6f:27:c3:8d:77:6d:f2:5c:56:94:19:1a:69:60:30:
+        46:5d:8f:f2:6d:45:3c:8e:35:97:7c:2f:b8:51:e2:e8:89:bd:
+        88:cf:27:1c:08:34:5c:88:c1:68:24:db:91:85:e4:cf:fb:fb:
+        43:8d:e8:25:01:1b:c4:0e:f7:00:42:48:86:1f:24:08:58:5a:
+        8c:8d:f2:6b:47:2c:68:91:b1:69:42:fd:0d:8d:c9:26:e6:92:
+        86:a6:64:6e:92:c5:ce:3e:3c:7d:71:e3:23:a4:ab:c7:d5:a8:
+        a9:df:82:a7:3b:e8:86:d5:c3:4f:18:e3:44:d0:e0:dc:f3:c5:
+        68:2e:fe:a5:2f:05:84:c8:7e:47:42:53:6b:87:4a:fe:32:ff:
+        5e:3e:70:8c:b7:a8:15:cc:17:c2:ff:46:ec:d0:ec:2d:b4:6e:
+        12:28:a9:f9:40:e9:eb:d4:66:97:53:a9:69:55:c0:a9:aa:b2:
+        2e:cd:d1:69:f4:be:f8:bb:7c:69:ee:54:a6:db:9e:fb:5a:a6:
+        3e:fe:9a:ef:94:51:4b:75:ee:d8:d4:e1:9a:f1:02:56:13:89:
+        0e:a7:42:8b:96:8b:85:0c:1b:85:be:26:ae:ab:a6:99:bc:22:
+        f1:73:df:42
+
+GlobalSign Primary Class 3 CA
+=============================
+MD5 Fingerprint: 98:12:A3:4B:95:A9:96:64:94:E7:50:8C:3E:E1:83:5A
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgILAgAAAAAA1ni41sMwDQYJKoZIhvcNAQEEBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05OTAxMjgxMjAw
+MDBaFw0wOTAxMjgxMjAwMDBaMG0xCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRswGQYDVQQLExJQcmltYXJ5IENsYXNzIDMgQ0ExJjAkBgNV
+BAMTHUdsb2JhbFNpZ24gUHJpbWFyeSBDbGFzcyAzIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAkV5WZdbAwAScv0fEXHt6MQH5WJaZ4xyEL9xWj631
+WYHVQ2ZdWpOMdcqp5xHBURAUYMks1HuvxneGq3onrm+VuQvKtkb7fhr0DRRt0slO
+sq7wVPZcQEw2SHToVIxlZhCnvSu3II0FSa14fdIkI1Dj8LR5mwE5/6870y3u4UmN
+jS88akFFL5vjPeES5JF1ns+gPjySgW+KLhjc4PKMjP2H2Qf0QJTJTk9D32dWb70D
+UHyZZ6S5PJFsAm6E1vxG98xvGD4X8O8LZBZX5qyG8UiqQ8HJJ3hzREXihX26/7Ph
++xsFpEs7mRIlAVAUaq9d6sgM7uTa7EuLXGgTldzDtTA61wIDAQABo2MwYTAOBgNV
+HQ8BAf8EBAMCAAYwHQYDVR0OBBYEFMw2zBe0RZEv7c87MEh3+7UUmb7jMB8GA1Ud
+IwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQEEBQADggEBAFeyVMy9lRdkYIm2U5EMRZLDPahsw8yyGPV4QXTYfaMn
+r3cNWT6UHWn6idMMvRoB9D/o4Hcagiha5mLXt+M2yQ6feuPC08xZiQzvFovwNnci
+yqS2t8FCZwFAY8znOGSHWxSWZnstFO69SW3/d9DiTlvTgMJND8q4nYGXpzRux+Oc
+SOW0qkX19mVMSPISwtKTjMIVJPMrUv/jCK64btYsEs85yxIq56l7X5g9o+HMpmOJ
+XH0xdfnV1l3y0NQ9355xqA7c5CCXeOZ/U6QNUU+OOwOuow1aTcN55zVYcELJXqFe
+tNkio0RTNaTQz3OAxc+fVph2+RRMd4eCydx+XTTVNnU=
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            02:00:00:00:00:00:d6:78:b8:d6:c3
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
+        Validity
+            Not Before: Jan 28 12:00:00 1999 GMT
+            Not After : Jan 28 12:00:00 2009 GMT
+        Subject: C=BE, O=GlobalSign nv-sa, OU=Primary Class 3 CA, CN=GlobalSign Primary Class 3 CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:91:5e:56:65:d6:c0:c0:04:9c:bf:47:c4:5c:7b:
+                    7a:31:01:f9:58:96:99:e3:1c:84:2f:dc:56:8f:ad:
+                    f5:59:81:d5:43:66:5d:5a:93:8c:75:ca:a9:e7:11:
+                    c1:51:10:14:60:c9:2c:d4:7b:af:c6:77:86:ab:7a:
+                    27:ae:6f:95:b9:0b:ca:b6:46:fb:7e:1a:f4:0d:14:
+                    6d:d2:c9:4e:b2:ae:f0:54:f6:5c:40:4c:36:48:74:
+                    e8:54:8c:65:66:10:a7:bd:2b:b7:20:8d:05:49:ad:
+                    78:7d:d2:24:23:50:e3:f0:b4:79:9b:01:39:ff:af:
+                    3b:d3:2d:ee:e1:49:8d:8d:2f:3c:6a:41:45:2f:9b:
+                    e3:3d:e1:12:e4:91:75:9e:cf:a0:3e:3c:92:81:6f:
+                    8a:2e:18:dc:e0:f2:8c:8c:fd:87:d9:07:f4:40:94:
+                    c9:4e:4f:43:df:67:56:6f:bd:03:50:7c:99:67:a4:
+                    b9:3c:91:6c:02:6e:84:d6:fc:46:f7:cc:6f:18:3e:
+                    17:f0:ef:0b:64:16:57:e6:ac:86:f1:48:aa:43:c1:
+                    c9:27:78:73:44:45:e2:85:7d:ba:ff:b3:e1:fb:1b:
+                    05:a4:4b:3b:99:12:25:01:50:14:6a:af:5d:ea:c8:
+                    0c:ee:e4:da:ec:4b:8b:5c:68:13:95:dc:c3:b5:30:
+                    3a:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Key Identifier: 
+                ...6...E./..;0Hw......
+            X509v3 Authority Key Identifier: 
+                0...`{f.E
...P/}..4....K
+            X509v3 Basic Constraints: critical
+                0....
+    Signature Algorithm: md5WithRSAEncryption
+        57:b2:54:cc:bd:95:17:64:60:89:b6:53:91:0c:45:92:c3:3d:
+        a8:6c:c3:cc:b2:18:f5:78:41:74:d8:7d:a3:27:af:77:0d:59:
+        3e:94:1d:69:fa:89:d3:0c:bd:1a:01:f4:3f:e8:e0:77:1a:82:
+        28:5a:e6:62:d7:b7:e3:36:c9:0e:9f:7a:e3:c2:d3:cc:59:89:
+        0c:ef:16:8b:f0:36:77:22:ca:a4:b6:b7:c1:42:67:01:40:63:
+        cc:e7:38:64:87:5b:14:96:66:7b:2d:14:ee:bd:49:6d:ff:77:
+        d0:e2:4e:5b:d3:80:c2:4d:0f:ca:b8:9d:81:97:a7:34:6e:c7:
+        e3:9c:48:e5:b4:aa:45:f5:f6:65:4c:48:f2:12:c2:d2:93:8c:
+        c2:15:24:f3:2b:52:ff:e3:08:ae:b8:6e:d6:2c:12:cf:39:cb:
+        12:2a:e7:a9:7b:5f:98:3d:a3:e1:cc:a6:63:89:5c:7d:31:75:
+        f9:d5:d6:5d:f2:d0:d4:3d:df:9e:71:a8:0e:dc:e4:20:97:78:
+        e6:7f:53:a4:0d:51:4f:8e:3b:03:ae:a3:0d:5a:4d:c3:79:e7:
+        35:58:70:42:c9:5e:a1:5e:b4:d9:22:a3:44:53:35:a4:d0:cf:
+        73:80:c5:cf:9f:56:98:76:f9:14:4c:77:87:82:c9:dc:7e:5d:
+        34:d5:36:75
+
+GlobalSign Root CA
+==================
+MD5 Fingerprint: AB:BF:EA:E3:6B:29:A6:CC:A6:78:35:99:EF:AD:2B:80
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILAgAAAAAA1ni3lAUwDQYJKoZIhvcNAQEEBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0xNDAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIABjAdBgNVHQ4EFgQU
+YHtmGkUNl8qJUC99BM00qP/8/UswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQQFAAOCAQEArqqf/LfSyx9fOSkoGJ40yWxPbxrwZKJwSk8ThptgKJ7ogUmYfQq7
+5bCdPTbbjwVR/wkxKh/diXeeDy5slQTthsu0AD+EAk2AaioteAuubyuig0SDH81Q
+gkwkr733pbTIWg/050deSY43lv6aiAU62cDbKYfmGZZHpzqmjIs8d/5GY6dT2iHR
+rH5Jokvmw2dZL7OKDrssvamqQnw1wdh/1acxOk5jQzmvCLBhNIzTmKlDNPYPhyk7
+ncJWWJh3w/cbrPad+D6qp1RF8PX51TFl/mtYnHGzHtdS6jIX/EBgHcl5JLL2bP2o
+Zg6C3ZjL2sJETy6ge/L3ayx2EYRGinij4w==
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            02:00:00:00:00:00:d6:78:b7:94:05
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
+        Validity
+            Not Before: Sep  1 12:00:00 1998 GMT
+            Not After : Jan 28 12:00:00 2014 GMT
+        Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
+                    83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:
+                    63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:
+                    8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:
+                    70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:
+                    15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:
+                    6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:
+                    89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:
+                    54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:
+                    92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:
+                    75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:
+                    c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:
+                    bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:
+                    ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:
+                    63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:
+                    48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:
+                    07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:
+                    90:cf
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Key Identifier: 
+                ..`{f.E
...P/}..4....K
+            X509v3 Basic Constraints: critical
+                0....
+    Signature Algorithm: md5WithRSAEncryption
+        ae:aa:9f:fc:b7:d2:cb:1f:5f:39:29:28:18:9e:34:c9:6c:4f:
+        6f:1a:f0:64:a2:70:4a:4f:13:86:9b:60:28:9e:e8:81:49:98:
+        7d:0a:bb:e5:b0:9d:3d:36:db:8f:05:51:ff:09:31:2a:1f:dd:
+        89:77:9e:0f:2e:6c:95:04:ed:86:cb:b4:00:3f:84:02:4d:80:
+        6a:2a:2d:78:0b:ae:6f:2b:a2:83:44:83:1f:cd:50:82:4c:24:
+        af:bd:f7:a5:b4:c8:5a:0f:f4:e7:47:5e:49:8e:37:96:fe:9a:
+        88:05:3a:d9:c0:db:29:87:e6:19:96:47:a7:3a:a6:8c:8b:3c:
+        77:fe:46:63:a7:53:da:21:d1:ac:7e:49:a2:4b:e6:c3:67:59:
+        2f:b3:8a:0e:bb:2c:bd:a9:aa:42:7c:35:c1:d8:7f:d5:a7:31:
+        3a:4e:63:43:39:af:08:b0:61:34:8c:d3:98:a9:43:34:f6:0f:
+        87:29:3b:9d:c2:56:58:98:77:c3:f7:1b:ac:f6:9d:f8:3e:aa:
+        a7:54:45:f0:f5:f9:d5:31:65:fe:6b:58:9c:71:b3:1e:d7:52:
+        ea:32:17:fc:40:60:1d:c9:79:24:b2:f6:6c:fd:a8:66:0e:82:
+        dd:98:cb:da:c2:44:4f:2e:a0:7b:f2:f7:6b:2c:76:11:84:46:
+        8a:78:a3:e3
+
+National Retail Federation by DST
+=================================
+MD5 Fingerprint: AD:8E:0F:9E:01:6B:A0:C5:74:D5:0C:D3:68:65:4F:1E
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIEAjCCAuoCEQDQHkCKAAACfAAAAAMAAAABMA0GCSqGSIb3DQEBBQUAMIG+MQsw
+CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp
+dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjEjMCEGA1UE
+CxMaTmF0aW9uYWwgUmV0YWlsIEZlZGVyYXRpb24xGTAXBgNVBAMTEERTVCAoTlJG
+KSBSb290Q0ExITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAeFw05
+ODEyMTExNjE0MTZaFw0wODEyMDgxNjE0MTZaMIG+MQswCQYDVQQGEwJ1czENMAsG
+A1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxJDAiBgNVBAoTG0Rp
+Z2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjEjMCEGA1UECxMaTmF0aW9uYWwgUmV0
+YWlsIEZlZGVyYXRpb24xGTAXBgNVBAMTEERTVCAoTlJGKSBSb290Q0ExITAfBgkq
+hkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANmsm3f6UNPM3LlArLlyagCHI/wPliHQJq/k4rVf+tOmfSEw
+LswXgo+YdPxnpKbfiJeiQin1p9sRk/teIzDCqrwi50Eb5e0l3sg/295XRXhARoOy
+1Ro93w9FbdVjAnXYL8Zuq5WRdDcNy00JXNHUWzra3Q7Ia5nY1TnM34VVxJJTAqPh
+94DJcKPa3DPEf6JHCBw1lh+hAxwwg/TEzP+Yw7BGRKLAv63b0oH2TJgsp14k84bK
+Y9W6ffCawErQG1ju7Klnz2kCbCLAYCws0cgg6sgt+92cu8tRTNznVwQ7VJsRpTJ0
+7HQB85AVWy98LJNluWZntIGINeWekRh/gahByMsCAwEAATANBgkqhkiG9w0BAQUF
+AAOCAQEAhF4LO+ygjRyb0DwdcWnkGn9kvoFlYcWMatd8AHTgemJV7SR84GHj8t0U
+5hFugw7h6qmegK2aIL/gV37V0LWEYy3ZGOS9GzUsXq5hdqpnhTs44TGBHzF/5tf4
+W9K7Y3mGxIzF3gqu19H8AXT/trYNYoFnHLsm+CSA4Fxe2KSKOo99y/+So/18qTJp
+B1hYYUKZUgOxOD3GcW9s8uh9BqrBfFPLGi2IT8mpp6xpb/ekH9h0gfVKv7FVt9N3
+OKdvwkrI4nOJ01dy4UMvcjz2H7f4BEpuwemUF+SXF/QOE4ZvjavoXy20/2zWorQf
+7LmUaqoSTxrd9Xe1JYzyigrx/FJbWA==
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            d0:1e:40:8a:00:00:02:7c:00:00:00:03:00:00:00:01
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=National Retail Federation, CN=DST (NRF) RootCA/Email=ca@digsigtrust.com
+        Validity
+            Not Before: Dec 11 16:14:16 1998 GMT
+            Not After : Dec  8 16:14:16 2008 GMT
+        Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=National Retail Federation, CN=DST (NRF) RootCA/Email=ca@digsigtrust.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:d9:ac:9b:77:fa:50:d3:cc:dc:b9:40:ac:b9:72:
+                    6a:00:87:23:fc:0f:96:21:d0:26:af:e4:e2:b5:5f:
+                    fa:d3:a6:7d:21:30:2e:cc:17:82:8f:98:74:fc:67:
+                    a4:a6:df:88:97:a2:42:29:f5:a7:db:11:93:fb:5e:
+                    23:30:c2:aa:bc:22:e7:41:1b:e5:ed:25:de:c8:3f:
+                    db:de:57:45:78:40:46:83:b2:d5:1a:3d:df:0f:45:
+                    6d:d5:63:02:75:d8:2f:c6:6e:ab:95:91:74:37:0d:
+                    cb:4d:09:5c:d1:d4:5b:3a:da:dd:0e:c8:6b:99:d8:
+                    d5:39:cc:df:85:55:c4:92:53:02:a3:e1:f7:80:c9:
+                    70:a3:da:dc:33:c4:7f:a2:47:08:1c:35:96:1f:a1:
+                    03:1c:30:83:f4:c4:cc:ff:98:c3:b0:46:44:a2:c0:
+                    bf:ad:db:d2:81:f6:4c:98:2c:a7:5e:24:f3:86:ca:
+                    63:d5:ba:7d:f0:9a:c0:4a:d0:1b:58:ee:ec:a9:67:
+                    cf:69:02:6c:22:c0:60:2c:2c:d1:c8:20:ea:c8:2d:
+                    fb:dd:9c:bb:cb:51:4c:dc:e7:57:04:3b:54:9b:11:
+                    a5:32:74:ec:74:01:f3:90:15:5b:2f:7c:2c:93:65:
+                    b9:66:67:b4:81:88:35:e5:9e:91:18:7f:81:a8:41:
+                    c8:cb
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+        84:5e:0b:3b:ec:a0:8d:1c:9b:d0:3c:1d:71:69:e4:1a:7f:64:
+        be:81:65:61:c5:8c:6a:d7:7c:00:74:e0:7a:62:55:ed:24:7c:
+        e0:61:e3:f2:dd:14:e6:11:6e:83:0e:e1:ea:a9:9e:80:ad:9a:
+        20:bf:e0:57:7e:d5:d0:b5:84:63:2d:d9:18:e4:bd:1b:35:2c:
+        5e:ae:61:76:aa:67:85:3b:38:e1:31:81:1f:31:7f:e6:d7:f8:
+        5b:d2:bb:63:79:86:c4:8c:c5:de:0a:ae:d7:d1:fc:01:74:ff:
+        b6:b6:0d:62:81:67:1c:bb:26:f8:24:80:e0:5c:5e:d8:a4:8a:
+        3a:8f:7d:cb:ff:92:a3:fd:7c:a9:32:69:07:58:58:61:42:99:
+        52:03:b1:38:3d:c6:71:6f:6c:f2:e8:7d:06:aa:c1:7c:53:cb:
+        1a:2d:88:4f:c9:a9:a7:ac:69:6f:f7:a4:1f:d8:74:81:f5:4a:
+        bf:b1:55:b7:d3:77:38:a7:6f:c2:4a:c8:e2:73:89:d3:57:72:
+        e1:43:2f:72:3c:f6:1f:b7:f8:04:4a:6e:c1:e9:94:17:e4:97:
+        17:f4:0e:13:86:6f:8d:ab:e8:5f:2d:b4:ff:6c:d6:a2:b4:1f:
+        ec:b9:94:6a:aa:12:4f:1a:dd:f5:77:b5:25:8c:f2:8a:0a:f1:
+        fc:52:5b:58
+
+Novell E-Commerce Community by DST
+==================================
+MD5 Fingerprint: 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
+UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
+EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ
+BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
+ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/
+k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso
+LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o
+TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG
+SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
+JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
+RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3
+MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C
+TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5
+WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
+SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR
+xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL
+B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 913232846 (0x366ed3ce)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
         Validity
-            Not Before: Feb 14 20:16:24 1997 GMT
-            Not After : Feb 14 20:16:24 2002 GMT
-        Subject: C=CA, O=gc, OU=GTIS.WebCA
+            Not Before: Dec  9 19:17:26 1998 GMT
+            Not After : Dec  9 19:47:26 2018 GMT
+        Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:bf:3f:0c:fa:68:20:18:29:73:99:9c:25:fb:49:
-                    61:40:d2:cd:42:36:8f:9b:58:d4:64:01:8a:9e:50:
-                    15:74:08:14:54:98:3b:c0:0e:a1:7a:73:13:f4:0e:
-                    1e:7c:d2:6d:2b:68:68:04:65:46:ed:01:36:9f:66:
-                    86:99:95:22:cc:5c:b2:f4:18:58:69:aa:cb:9a:32:
-                    67:45:57:61:ca:15:0f:4b:1a:8e:95:0f:d3:52:1e:
-                    97:60:69:90:6d:5e:e1:c6:cb:20:d9:00:48:ab:44:
-                    9c:64:da:61:18:bf:10:c1:87:08:20:12:82:27:4b:
-                    91:af:66:06:fe:c9:ed:db:0d
+                    00:bf:93:8f:17:92:ef:33:13:18:eb:10:7f:4e:16:
+                    bf:ff:06:8f:2a:85:bc:5e:f9:24:a6:24:88:b6:03:
+                    b7:c1:c3:5f:03:5b:d1:6f:ae:7e:42:ea:66:23:b8:
+                    63:83:56:fb:28:2d:e1:38:8b:b4:ee:a8:01:e1:ce:
+                    1c:b6:88:2a:22:46:85:fb:9f:a7:70:a9:47:14:3f:
+                    ce:de:65:f0:a8:71:f7:4f:26:6c:8c:bc:c6:b5:ef:
+                    de:49:27:ff:48:2a:7d:e8:4d:03:cc:c7:b2:52:c6:
+                    17:31:13:3b:b5:4d:db:c8:c4:f6:c3:0f:24:2a:da:
+                    0c:9d:e7:91:5b:80:cd:94:9d
                 Exponent: 3 (0x3)
         X509v3 extensions:
-            X509v3 Authority Key Identifier: 
-                0...6Ad.Y...1...d.*..$R.
-            X509v3 Subject Key Identifier: 
-                ..6Ad.Y...1...d.*..$R.
-            X509v3 Key Usage: 
+            Netscape Cert Type: 
                 ....
+            X509v3 CRL Distribution Points: 
+                0_0].[.Y.W0U1.0...U....US1$0"..U.
+..Digital Signature Trust Co.1.0...U....DSTCA E21
0...U....CRL1
             X509v3 Private Key Usage Period: 
-                0...20020214201624Z
+                0"..19981209191726Z..20181209191726Z
+            X509v3 Key Usage: 
+                ....
+            X509v3 Authority Key Identifier: 
+                0.....M(e.<.An.5.Z....9[
+            X509v3 Subject Key Identifier: 
+                ....M(e.<.An.5.Z....9[
             X509v3 Basic Constraints: 
                 0....
-            X509v3 CRL Distribution Points: 
-                0H0F.D.B.@0>1.0...U....CA1.0...U.
-..gc1.0...U...
-GTIS.WebCA1
0...U....CRL1
             1.2.840.113533.7.65.0: 
-                0...WEBCA 1.0....
+                0
+..V4.0....
+    Signature Algorithm: sha1WithRSAEncryption
+        47:8d:83:ad:62:f2:db:b0:9e:45:22:05:b9:a2:d6:03:0e:38:
+        72:e7:9e:fc:7b:e6:93:b6:9a:a5:a2:94:c8:34:1d:91:d1:c5:
+        d7:f4:0a:25:0f:3d:78:81:9e:0f:b1:67:c4:90:4c:63:dd:5e:
+        a7:e2:ba:9f:f5:f7:4d:a5:31:7b:9c:29:2d:4c:fe:64:3e:ec:
+        b6:53:fe:ea:9b:ed:82:db:74:75:4b:07:79:6e:1e:d8:19:83:
+        73:de:f5:3e:d0:b5:de:e7:4b:68:7d:43:2e:2a:20:e1:7e:a0:
+        78:44:9e:08:f5:98:f9:c7:7f:1b:1b:d6:06:20:02:58:a1:c3:
+        a2:03
+
+TC TrustCenter, Germany, Class 0 CA
+===================================
+MD5 Fingerprint: 35:85:49:8E:6E:57:FE:BD:97:F1:C9:46:23:3A:B6:7D
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIENTCCA56gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBvDELMAkGA1UEBhMCREUx
+EDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4BgNVBAoTMVRD
+IFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdtYkgx
+IjAgBgNVBAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDAgQ0ExKTAnBgkqhkiG9w0B
+CQEWGmNlcnRpZmljYXRlQHRydXN0Y2VudGVyLmRlMB4XDTk4MDMwOTEzNTQ0OFoX
+DTA1MTIzMTEzNTQ0OFowgbwxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJn
+MRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFUQyBUcnVzdENlbnRlciBmb3Ig
+U2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAYDVQQLExlUQyBUcnVz
+dENlbnRlciBDbGFzcyAwIENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZpY2F0ZUB0
+cnVzdGNlbnRlci5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA333mvr/V
+8C9tTg7R4I0LfztU6IrisJ8oxYrGubMzJ/UnyhpMVBJrtLJGsx1Ls/QhC0sCLqHC
+NJyFoMR4EdvbaycrCSoYTkDMn3EZZ5l0onw/wdiLI8hjO4ohq1zeHvSN3LQYwwVz
+9Gq0ofoBCCsBD203W6o4hmc51+Vf+uR+zKMCAwEAAaOCAUMwggE/MEAGCWCGSAGG
++EIBAwQzFjFodHRwczovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL2NoZWNr
+LXJldi5jZ2k/MEAGCWCGSAGG+EIBBAQzFjFodHRwczovL3d3dy50cnVzdGNlbnRl
+ci5kZS9jZ2ktYmluL2NoZWNrLXJldi5jZ2k/MDwGCWCGSAGG+EIBBwQvFi1odHRw
+czovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL1JlbmV3LmNnaT8wPgYJYIZI
+AYb4QgEIBDEWL2h0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lcy9p
+bmRleC5odG1sMCgGCWCGSAGG+EIBDQQbFhlUQyBUcnVzdENlbnRlciBDbGFzcyAw
+IENBMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG9w0BAQQFAAOBgQBNB39fCTAZ
+kqoFR3qUdVQqrs/82AxC4UU4KySVssqHynnEw5eQXmIYxsk4YUxoNdNMFBHrxM2h
+qdjFnmgnMgc1RQT4XyGgYB4cAEgEWNLFy65tMm49d5WMhcflrlCddUp7/wsneepN
+pFn/7FrqJqU5g6TReM6nqX683SvKEpMDSg==
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 0 CA/Email=certificate@trustcenter.de
+        Validity
+            Not Before: Mar  9 13:54:48 1998 GMT
+            Not After : Dec 31 13:54:48 2005 GMT
+        Subject: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 0 CA/Email=certificate@trustcenter.de
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:df:7d:e6:be:bf:d5:f0:2f:6d:4e:0e:d1:e0:8d:
+                    0b:7f:3b:54:e8:8a:e2:b0:9f:28:c5:8a:c6:b9:b3:
+                    33:27:f5:27:ca:1a:4c:54:12:6b:b4:b2:46:b3:1d:
+                    4b:b3:f4:21:0b:4b:02:2e:a1:c2:34:9c:85:a0:c4:
+                    78:11:db:db:6b:27:2b:09:2a:18:4e:40:cc:9f:71:
+                    19:67:99:74:a2:7c:3f:c1:d8:8b:23:c8:63:3b:8a:
+                    21:ab:5c:de:1e:f4:8d:dc:b4:18:c3:05:73:f4:6a:
+                    b4:a1:fa:01:08:2b:01:0f:6d:37:5b:aa:38:86:67:
+                    39:d7:e5:5f:fa:e4:7e:cc:a3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape CA Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape Renewal Url: 
+                .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+            Netscape CA Policy Url: 
+                ./http://www.trustcenter.de/guidelines/index.html
+            Netscape Comment: 
+                ..TC TrustCenter Class 0 CA
             Netscape Cert Type: 
                 ....
     Signature Algorithm: md5WithRSAEncryption
-        54:27:75:26:db:bb:7b:09:42:6d:cf:b4:07:3b:e5:af:fb:fa:
-        3f:2b:31:62:28:b7:2a:b0:f8:68:ad:39:ef:34:b1:8f:87:84:
-        e0:49:ee:db:bc:4a:4b:45:43:11:9c:87:bd:50:91:4d:d9:54:
-        a7:5e:25:60:c9:fe:93:2e:39:b2:4a:fd:1f:c5:07:65:9c:df:
-        ae:17:c4:89:95:b9:4c:14:e3:80:4a:42:fb:14:d8:ba:08:f9:
-        d8:96:58:7f:aa:4d:82:af:b2:5a:fa:63:49:20:37:7a:48:14:
-        0a:a2:80:a8:32:b4:ea:8c:b9:e9:1b:72:8a:36:63:ab:4c:f6:
-        79:ce
+        4d:07:7f:5f:09:30:19:92:aa:05:47:7a:94:75:54:2a:ae:cf:
+        fc:d8:0c:42:e1:45:38:2b:24:95:b2:ca:87:ca:79:c4:c3:97:
+        90:5e:62:18:c6:c9:38:61:4c:68:35:d3:4c:14:11:eb:c4:cd:
+        a1:a9:d8:c5:9e:68:27:32:07:35:45:04:f8:5f:21:a0:60:1e:
+        1c:00:48:04:58:d2:c5:cb:ae:6d:32:6e:3d:77:95:8c:85:c7:
+        e5:ae:50:9d:75:4a:7b:ff:0b:27:79:ea:4d:a4:59:ff:ec:5a:
+        ea:26:a5:39:83:a4:d1:78:ce:a7:a9:7e:bc:dd:2b:ca:12:93:
+        03:4a
 
-IBM World Registry CA
-=====================
-MD5 Fingerprint: 7C:73:0A:91:E2:FF:94:34:93:36:FE:B0:35:30:82:4F
+TC TrustCenter, Germany, Class 1 CA
+===================================
+MD5 Fingerprint: 64:3F:F8:3E:52:14:4A:59:BA:93:56:04:0B:23:02:D1
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApmgAwIBAgIEM4IK0jANBgkqhkiG9w0BAQQFADBfMQswCQYDVQQGEwJV
-UzEbMBkGA1UEChMSSUJNIFdvcmxkIFJlZ2lzdHJ5MTMwMQYDVQQDEypJQk0gV29y
-bGQgUmVnaXN0cnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwJhcROTcwNTIwMTYz
-NDI1KzA1MDAXETE3MDUyMDE2MzQyNSswNTAwMF8xCzAJBgNVBAYTAlVTMRswGQYD
-VQQKExJJQk0gV29ybGQgUmVnaXN0cnkxMzAxBgNVBAMTKklCTSBXb3JsZCBSZWdp
-c3RyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnTANBgkqhkiG9w0BAQEFAAOB
-iwAwgYcCgYEAynkqIs2NpBvRvZV/h24Ce3UlfjuWa1KyZUhpKH/R1RTQOwgIcouG
-37+Xgq8rc4hsgPC/us5A0kpaWv24Yrxul5UVMWRY22hj2wVY21eWs2jN1rCFGXlC
-J17SlwJCjwswzl8mYiNaVZ5UAst1kRYWLXTjYbUymaa3dXJTOP9+VMECAQOjgfIw
-ge8wewYDVR0ZBHQwcjBwMG4xCzAJBgNVBAYTAlVTMRswGQYDVQQKExJJQk0gV29y
-bGQgUmVnaXN0cnkxMzAxBgNVBAMTKklCTSBXb3JsZCBSZWdpc3RyeSBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTENMAsGA1UEAxMEQ1JMMTAUBgNVHQEEDTALgAk4NjQx
-NjA0NjYwLwYDVR0CBCgwJgQJODY0MTYwNDY2AwICBDAVgRMyMDE3MDUyMDE2MzQy
-NSswNTAwMA0GA1UdCgQGMAQDAgeAMBoGCSqGSIb2fQdBAAQNMAsbBXYyLjFkAwIH
-gDANBgkqhkiG9w0BAQQFAAOBgQAkRA8/6wQA8G1zXvMTYDEBL3JrIXHYGLkO6SHZ
-QJvRJzOKumG5C1V8l3PNzaCLlxMsjAyF3JxWnXa5F7Ieuy9ApDshfP4FtfBhM/SJ
-A6bJLvhdyMoWF99Vp5NXSeS88jiKvlpJcQa6dLxjqtMbU//Qp9of6iRHnXITsey4
-2yaGtQ==
+MIIENTCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBvDELMAkGA1UEBhMCREUx
+EDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4BgNVBAoTMVRD
+IFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdtYkgx
+IjAgBgNVBAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDEgQ0ExKTAnBgkqhkiG9w0B
+CQEWGmNlcnRpZmljYXRlQHRydXN0Y2VudGVyLmRlMB4XDTk4MDMwOTEzNTYzM1oX
+DTA1MTIzMTEzNTYzM1owgbwxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJn
+MRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFUQyBUcnVzdENlbnRlciBmb3Ig
+U2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAYDVQQLExlUQyBUcnVz
+dENlbnRlciBDbGFzcyAxIENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZpY2F0ZUB0
+cnVzdGNlbnRlci5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsCnrtHaz
+rte2W7Re573jsZxJBFdboavZfxMb/bphq9jncd8tAJRdUUh9I+91YoSQPAofWRF0
+L46Apf0wAj0pUs1yGkkhnLzLUo5IoWOWyBCFMGlXdEXAWobG1T3gaFd9MWokjUWX
+PjF+aGYybiRt7DI2yUHK8DFEyKNhyhugNh8CAwEAAaOCAUMwggE/MEAGCWCGSAGG
++EIBAwQzFjFodHRwczovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL2NoZWNr
+LXJldi5jZ2k/MEAGCWCGSAGG+EIBBAQzFjFodHRwczovL3d3dy50cnVzdGNlbnRl
+ci5kZS9jZ2ktYmluL2NoZWNrLXJldi5jZ2k/MDwGCWCGSAGG+EIBBwQvFi1odHRw
+czovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL1JlbmV3LmNnaT8wPgYJYIZI
+AYb4QgEIBDEWL2h0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lcy9p
+bmRleC5odG1sMCgGCWCGSAGG+EIBDQQbFhlUQyBUcnVzdENlbnRlciBDbGFzcyAx
+IENBMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG9w0BAQQFAAOBgQAFQlImpAwn
+AUSsXCUowkRCVAi5HcU+bFlmxLNOUKf4+JZ1oZZ16BY4oM1dbvp5pxt7HR7DALlm
+vlrWYg/n8nu470zgwD9Zrjm3hAmeq/GpLmtp4q3M8up4CQUgOEJxGH7Hspfm1QIF
+BlajX/GqwsRP/vfvFg+d7KqFzz0pJPEEzQ==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 3 (0x2)
-        Serial Number: 864160466 (0x33820ad2)
+        Serial Number: 2 (0x2)
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=US, O=IBM World Registry, CN=IBM World Registry Certification Authority
+        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 1 CA/Email=certificate@trustcenter.de
         Validity
-            Not Before: May 20 16:34:25 1997
-            Not After : May 20 16:34:25 2017
-        Subject: C=US, O=IBM World Registry, CN=IBM World Registry Certification Authority
+            Not Before: Mar  9 13:56:33 1998 GMT
+            Not After : Dec 31 13:56:33 2005 GMT
+        Subject: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 1 CA/Email=certificate@trustcenter.de
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:ca:79:2a:22:cd:8d:a4:1b:d1:bd:95:7f:87:6e:
-                    02:7b:75:25:7e:3b:96:6b:52:b2:65:48:69:28:7f:
-                    d1:d5:14:d0:3b:08:08:72:8b:86:df:bf:97:82:af:
-                    2b:73:88:6c:80:f0:bf:ba:ce:40:d2:4a:5a:5a:fd:
-                    b8:62:bc:6e:97:95:15:31:64:58:db:68:63:db:05:
-                    58:db:57:96:b3:68:cd:d6:b0:85:19:79:42:27:5e:
-                    d2:97:02:42:8f:0b:30:ce:5f:26:62:23:5a:55:9e:
-                    54:02:cb:75:91:16:16:2d:74:e3:61:b5:32:99:a6:
-                    b7:75:72:53:38:ff:7e:54:c1
-                Exponent: 3 (0x3)
+                    00:b0:29:eb:b4:76:b3:ae:d7:b6:5b:b4:5e:e7:bd:
+                    e3:b1:9c:49:04:57:5b:a1:ab:d9:7f:13:1b:fd:ba:
+                    61:ab:d8:e7:71:df:2d:00:94:5d:51:48:7d:23:ef:
+                    75:62:84:90:3c:0a:1f:59:11:74:2f:8e:80:a5:fd:
+                    30:02:3d:29:52:cd:72:1a:49:21:9c:bc:cb:52:8e:
+                    48:a1:63:96:c8:10:85:30:69:57:74:45:c0:5a:86:
+                    c6:d5:3d:e0:68:57:7d:31:6a:24:8d:45:97:3e:31:
+                    7e:68:66:32:6e:24:6d:ec:32:36:c9:41:ca:f0:31:
+                    44:c8:a3:61:ca:1b:a0:36:1f
+                Exponent: 65537 (0x10001)
         X509v3 extensions:
-            2.5.29.25: 
-                0r0p0n1.0...U....US1.0...U.
-..IBM World Registry1301..U...*IBM World Registry Certification Authority1
0...U....CRL1
-            2.5.29.1: 
-                0...864160466
-            2.5.29.2: 
-                0&..864160466....0...20170520163425+0500
-            2.5.29.10: 
-                0.....
-            1.2.840.113533.7.65.0: 
-                0...v2.1d....
+            Netscape Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape CA Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape Renewal Url: 
+                .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+            Netscape CA Policy Url: 
+                ./http://www.trustcenter.de/guidelines/index.html
+            Netscape Comment: 
+                ..TC TrustCenter Class 1 CA
+            Netscape Cert Type: 
+                ....
     Signature Algorithm: md5WithRSAEncryption
-        24:44:0f:3f:eb:04:00:f0:6d:73:5e:f3:13:60:31:01:2f:72:
-        6b:21:71:d8:18:b9:0e:e9:21:d9:40:9b:d1:27:33:8a:ba:61:
-        b9:0b:55:7c:97:73:cd:cd:a0:8b:97:13:2c:8c:0c:85:dc:9c:
-        56:9d:76:b9:17:b2:1e:bb:2f:40:a4:3b:21:7c:fe:05:b5:f0:
-        61:33:f4:89:03:a6:c9:2e:f8:5d:c8:ca:16:17:df:55:a7:93:
-        57:49:e4:bc:f2:38:8a:be:5a:49:71:06:ba:74:bc:63:aa:d3:
-        1b:53:ff:d0:a7:da:1f:ea:24:47:9d:72:13:b1:ec:b8:db:26:
-        86:b5
+        05:42:52:26:a4:0c:27:01:44:ac:5c:25:28:c2:44:42:54:08:
+        b9:1d:c5:3e:6c:59:66:c4:b3:4e:50:a7:f8:f8:96:75:a1:96:
+        75:e8:16:38:a0:cd:5d:6e:fa:79:a7:1b:7b:1d:1e:c3:00:b9:
+        66:be:5a:d6:62:0f:e7:f2:7b:b8:ef:4c:e0:c0:3f:59:ae:39:
+        b7:84:09:9e:ab:f1:a9:2e:6b:69:e2:ad:cc:f2:ea:78:09:05:
+        20:38:42:71:18:7e:c7:b2:97:e6:d5:02:05:06:56:a3:5f:f1:
+        aa:c2:c4:4f:fe:f7:ef:16:0f:9d:ec:aa:85:cf:3d:29:24:f1:
+        04:cd
 
-Integrion CA
-============
-MD5 Fingerprint: C4:51:2D:B7:2C:DF:AC:CE:E1:AA:42:8D:6D:DC:9E:4D
+TC TrustCenter, Germany, Class 2 CA
+===================================
+MD5 Fingerprint: E1:E9:96:53:77:E1:F0:38:A0:02:AB:94:C6:95:7B:FC
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIDQDCCAqmgAwIBAgIEM4H1lTANBgkqhkiG9w0BAQQFADBkMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbSW50ZWdyaW9uIEZpbmFuY2lhbCBOZXR3b3JrMS8wLQYDVQQD
-EyZJbnRlZ3Jpb24gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUm9vdDAmFxE5NzA1
-MjAxNTAzNDgrMDUwMBcRMTcwNTIwMTUwMzQ4KzA1MDAwZDELMAkGA1UEBhMCVVMx
-JDAiBgNVBAoTG0ludGVncmlvbiBGaW5hbmNpYWwgTmV0d29yazEvMC0GA1UEAxMm
-SW50ZWdyaW9uIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJvb3QwgZ0wDQYJKoZI
-hvcNAQEBBQADgYsAMIGHAoGBAOlRdtGPUtlAn/kmXIMgAg6JJ9g/cRuDS4LFe39o
-+op03fpSt1NoHtDUaS97uW9s5Wpcfe0Uydn+cvLfcKhVH+sRdVrqxRuMS/k0KP64
-S+i6wur71npDA7cpo9+An93YrXFIaM1qUaQamAshhuX+B6J5e0vi3OiQbvqv2Pjy
-DsKBAgEDo4H4MIH1MIGABgNVHRkEeTB3MHUwczELMAkGA1UEBhMCVVMxJDAiBgNV
-BAoTG0ludGVncmlvbiBGaW5hbmNpYWwgTmV0d29yazEvMC0GA1UEAxMmSW50ZWdy
-aW9uIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJvb3QxDTALBgNVBAMTBENSTDEw
-FAYDVR0BBA0wC4AJODY0MTU1MDI5MC8GA1UdAgQoMCYECTg2NDE1NTAyOQMCAgQw
-FYETMjAxNzA1MjAxNTAzNDgrMDUwMDANBgNVHQoEBjAEAwIHgDAaBgkqhkiG9n0H
-QQAEDTALGwV2Mi4xZAMCB4AwDQYJKoZIhvcNAQEEBQADgYEAz+/uSkXWkzakcAVX
-2jTUkUdzdDb200iARTOXdSL6dJ6F4YSo/bwzELBcd4kTStgtl3GDvpLjZaAbznp3
-ESREQZVBENqGPNosH7m43TJHLRG1koU7CrgPO2Tq0BOIMGXjhbfs5HCRg5G+FRQX
-pY8T6IGyrMtUy9aFLrLMZ713gfo=
+MIIENTCCA56gAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBvDELMAkGA1UEBhMCREUx
+EDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4BgNVBAoTMVRD
+IFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdtYkgx
+IjAgBgNVBAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDIgQ0ExKTAnBgkqhkiG9w0B
+CQEWGmNlcnRpZmljYXRlQHRydXN0Y2VudGVyLmRlMB4XDTk4MDMwOTEzNTc0NFoX
+DTA1MTIzMTEzNTc0NFowgbwxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJn
+MRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFUQyBUcnVzdENlbnRlciBmb3Ig
+U2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAYDVQQLExlUQyBUcnVz
+dENlbnRlciBDbGFzcyAyIENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZpY2F0ZUB0
+cnVzdGNlbnRlci5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2jjo7TIA
+KXGDAQ2/jAHc2satOaSpii/Vi1xoX1DGYvVmvcqRIuyqHVHXPbNRsoNOXctJsPBM
+VeVrLceFCzAckk6C1MoC7fdvvtzg4xS4BVPymvRWi1qehZPRtIJWrk27qEtXFrz+
++Fie+CmNsHvNeMlPrItnDPGc+/xXm1dcTw0CAwEAAaOCAUMwggE/MEAGCWCGSAGG
++EIBAwQzFjFodHRwczovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL2NoZWNr
+LXJldi5jZ2k/MEAGCWCGSAGG+EIBBAQzFjFodHRwczovL3d3dy50cnVzdGNlbnRl
+ci5kZS9jZ2ktYmluL2NoZWNrLXJldi5jZ2k/MDwGCWCGSAGG+EIBBwQvFi1odHRw
+czovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL1JlbmV3LmNnaT8wPgYJYIZI
+AYb4QgEIBDEWL2h0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lcy9p
+bmRleC5odG1sMCgGCWCGSAGG+EIBDQQbFhlUQyBUcnVzdENlbnRlciBDbGFzcyAy
+IENBMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG9w0BAQQFAAOBgQCJG/Tv6Tji
+bAz2zW9JzinM+6YP+Y0+lUbW/EcyibLIBmF60ucNEwKUC9mLVkf0u+fFX3v0Y0yu
+fDTqDaKpsyyF8+P+J1QQkrCPksGYQhhwSNtOLOsNJGjk0fe+Cakph7vo2tw+o4hC
+MfXR43+u2I4AWnSYsE/G/yN7XHMAeMnbTg==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 3 (0x2)
-        Serial Number: 864155029 (0x3381f595)
+        Serial Number: 3 (0x3)
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=US, O=Integrion Financial Network, CN=Integrion Certification Authority Root
+        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 2 CA/Email=certificate@trustcenter.de
         Validity
-            Not Before: May 20 15:03:48 1997
-            Not After : May 20 15:03:48 2017
-        Subject: C=US, O=Integrion Financial Network, CN=Integrion Certification Authority Root
+            Not Before: Mar  9 13:57:44 1998 GMT
+            Not After : Dec 31 13:57:44 2005 GMT
+        Subject: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 2 CA/Email=certificate@trustcenter.de
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:e9:51:76:d1:8f:52:d9:40:9f:f9:26:5c:83:20:
-                    02:0e:89:27:d8:3f:71:1b:83:4b:82:c5:7b:7f:68:
-                    fa:8a:74:dd:fa:52:b7:53:68:1e:d0:d4:69:2f:7b:
-                    b9:6f:6c:e5:6a:5c:7d:ed:14:c9:d9:fe:72:f2:df:
-                    70:a8:55:1f:eb:11:75:5a:ea:c5:1b:8c:4b:f9:34:
-                    28:fe:b8:4b:e8:ba:c2:ea:fb:d6:7a:43:03:b7:29:
-                    a3:df:80:9f:dd:d8:ad:71:48:68:cd:6a:51:a4:1a:
-                    98:0b:21:86:e5:fe:07:a2:79:7b:4b:e2:dc:e8:90:
-                    6e:fa:af:d8:f8:f2:0e:c2:81
-                Exponent: 3 (0x3)
+                    00:da:38:e8:ed:32:00:29:71:83:01:0d:bf:8c:01:
+                    dc:da:c6:ad:39:a4:a9:8a:2f:d5:8b:5c:68:5f:50:
+                    c6:62:f5:66:bd:ca:91:22:ec:aa:1d:51:d7:3d:b3:
+                    51:b2:83:4e:5d:cb:49:b0:f0:4c:55:e5:6b:2d:c7:
+                    85:0b:30:1c:92:4e:82:d4:ca:02:ed:f7:6f:be:dc:
+                    e0:e3:14:b8:05:53:f2:9a:f4:56:8b:5a:9e:85:93:
+                    d1:b4:82:56:ae:4d:bb:a8:4b:57:16:bc:fe:f8:58:
+                    9e:f8:29:8d:b0:7b:cd:78:c9:4f:ac:8b:67:0c:f1:
+                    9c:fb:fc:57:9b:57:5c:4f:0d
+                Exponent: 65537 (0x10001)
         X509v3 extensions:
-            2.5.29.25: 
-                0w0u0s1.0...U....US1$0"..U.
-..Integrion Financial Network1/0-..U...&Integrion Certification Authority Root1
0...U....CRL1
-            2.5.29.1: 
-                0...864155029
-            2.5.29.2: 
-                0&..864155029....0...20170520150348+0500
-            2.5.29.10: 
-                0.....
-            1.2.840.113533.7.65.0: 
-                0...v2.1d....
+            Netscape Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape CA Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape Renewal Url: 
+                .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+            Netscape CA Policy Url: 
+                ./http://www.trustcenter.de/guidelines/index.html
+            Netscape Comment: 
+                ..TC TrustCenter Class 2 CA
+            Netscape Cert Type: 
+                ....
     Signature Algorithm: md5WithRSAEncryption
-        cf:ef:ee:4a:45:d6:93:36:a4:70:05:57:da:34:d4:91:47:73:
-        74:36:f6:d3:48:80:45:33:97:75:22:fa:74:9e:85:e1:84:a8:
-        fd:bc:33:10:b0:5c:77:89:13:4a:d8:2d:97:71:83:be:92:e3:
-        65:a0:1b:ce:7a:77:11:24:44:41:95:41:10:da:86:3c:da:2c:
-        1f:b9:b8:dd:32:47:2d:11:b5:92:85:3b:0a:b8:0f:3b:64:ea:
-        d0:13:88:30:65:e3:85:b7:ec:e4:70:91:83:91:be:15:14:17:
-        a5:8f:13:e8:81:b2:ac:cb:54:cb:d6:85:2e:b2:cc:67:bd:77:
-        81:fa
+        89:1b:f4:ef:e9:38:e2:6c:0c:f6:cd:6f:49:ce:29:cc:fb:a6:
+        0f:f9:8d:3e:95:46:d6:fc:47:32:89:b2:c8:06:61:7a:d2:e7:
+        0d:13:02:94:0b:d9:8b:56:47:f4:bb:e7:c5:5f:7b:f4:63:4c:
+        ae:7c:34:ea:0d:a2:a9:b3:2c:85:f3:e3:fe:27:54:10:92:b0:
+        8f:92:c1:98:42:18:70:48:db:4e:2c:eb:0d:24:68:e4:d1:f7:
+        be:09:a9:29:87:bb:e8:da:dc:3e:a3:88:42:31:f5:d1:e3:7f:
+        ae:d8:8e:00:5a:74:98:b0:4f:c6:ff:23:7b:5c:73:00:78:c9:
+        db:4e
 
-KEYWITNESS, Canada CA
-=====================
-MD5 Fingerprint: 78:29:EC:13:15:D7:8B:46:70:9B:47:92:4D:8B:6B:8E
+TC TrustCenter, Germany, Class 3 CA
+===================================
+MD5 Fingerprint: 62:AB:B6:15:4A:B4:B0:16:77:FF:AE:CF:16:16:2B:8C
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICHTCCAYYCARQwDQYJKoZIhvcNAQEEBQAwWDELMAkGA1UEBhMCQ0ExHzAdBgNV
-BAMTFktleXdpdG5lc3MgQ2FuYWRhIEluYy4xKDAmBgorBgEEASoCCwIBExhrZXl3
-aXRuZXNzQGtleXdpdG5lc3MuY2EwHhcNOTYwNTA3MDAwMDAwWhcNOTkwNTA3MDAw
-MDAwWjBYMQswCQYDVQQGEwJDQTEfMB0GA1UEAxMWS2V5d2l0bmVzcyBDYW5hZGEg
-SW5jLjEoMCYGCisGAQQBKgILAgETGGtleXdpdG5lc3NAa2V5d2l0bmVzcy5jYTCB
-nTANBgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEAzSP6KuHtmPTp0JM+13qAAkzMwQKv
-XLYff/pXQm8w0SDFtSEHQCyphsLzZISuPYUu7YW9VLAYKO9q+BvnCxYfkyVPx/iO
-w7nKmIQOVdAv73h3xXIoX2C/GSvRcqK32D/glzRaAb0EnMh4Rc2TjRXydhARq7hb
-Lp5S3YE+nGTIKZMCAQMwDQYJKoZIhvcNAQEEBQADgYEAMho1ur9DJ9a01Lh25eOb
-TWzAhsl3NbprFi0TRkqwMlOhW1rpmeIMhogXTg3+gqxOR+/7/zms7jXI+lI3Ckmt
-Wa3iiqkcxl8f+G9zfs2gMegMvvVN2bKrihK2MHhoEXwN8UlNo/2y6f8d8JH6VIX/
-M5Dowb+km6RiRr1hElmYQYk=
+MIIENTCCA56gAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBvDELMAkGA1UEBhMCREUx
+EDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4BgNVBAoTMVRD
+IFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdtYkgx
+IjAgBgNVBAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDMgQ0ExKTAnBgkqhkiG9w0B
+CQEWGmNlcnRpZmljYXRlQHRydXN0Y2VudGVyLmRlMB4XDTk4MDMwOTEzNTg0OVoX
+DTA1MTIzMTEzNTg0OVowgbwxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJn
+MRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFUQyBUcnVzdENlbnRlciBmb3Ig
+U2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAYDVQQLExlUQyBUcnVz
+dENlbnRlciBDbGFzcyAzIENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZpY2F0ZUB0
+cnVzdGNlbnRlci5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtrTBNQUu
+DY3soEBqHA4nplCSa1AbB94u53bM4Nr8hKhejGNqK03ZTgJ2EcEL8o15ygC28bAO
+1/ukFz2vq2l6lie/rzOhmipZqsS1NwjyEqUxtkP1MpZxKCirjSiG37vu4wx9MNbD
+UquPXSeca8Cj5wVrV0lEs27qZM/SjnpQd3cCAwEAAaOCAUMwggE/MEAGCWCGSAGG
++EIBAwQzFjFodHRwczovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL2NoZWNr
+LXJldi5jZ2k/MEAGCWCGSAGG+EIBBAQzFjFodHRwczovL3d3dy50cnVzdGNlbnRl
+ci5kZS9jZ2ktYmluL2NoZWNrLXJldi5jZ2k/MDwGCWCGSAGG+EIBBwQvFi1odHRw
+czovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL1JlbmV3LmNnaT8wPgYJYIZI
+AYb4QgEIBDEWL2h0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lcy9p
+bmRleC5odG1sMCgGCWCGSAGG+EIBDQQbFhlUQyBUcnVzdENlbnRlciBDbGFzcyAz
+IENBMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG9w0BAQQFAAOBgQCEhlBieaAn
+4SW6CbE0DxMJ7S3Ko+aV+TCszRelzj2Xnex8jyZ/wGHKIveR3Tw2WZqbdfe85Mjt
+7AK2IqfzLPHIknhttu7FKOyAIE+5awjnL6eGHn2xCJ9UuQA3PKDYGsiWHPQyFJw5
+lbfu8ENJwl7oy3lvU7/7SYos2EvZVfIScA==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
-        Version: 1 (0x0)
-        Serial Number: 20 (0x14)
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=CA, CN=Keywitness Canada Inc./1.3.6.1.4.1.42.2.11.2.1=keywitness@keywitness.ca
+        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/Email=certificate@trustcenter.de
         Validity
-            Not Before: May  7 00:00:00 1996 GMT
-            Not After : May  7 00:00:00 1999 GMT
-        Subject: C=CA, CN=Keywitness Canada Inc./1.3.6.1.4.1.42.2.11.2.1=keywitness@keywitness.ca
+            Not Before: Mar  9 13:58:49 1998 GMT
+            Not After : Dec 31 13:58:49 2005 GMT
+        Subject: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/Email=certificate@trustcenter.de
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:cd:23:fa:2a:e1:ed:98:f4:e9:d0:93:3e:d7:7a:
-                    80:02:4c:cc:c1:02:af:5c:b6:1f:7f:fa:57:42:6f:
-                    30:d1:20:c5:b5:21:07:40:2c:a9:86:c2:f3:64:84:
-                    ae:3d:85:2e:ed:85:bd:54:b0:18:28:ef:6a:f8:1b:
-                    e7:0b:16:1f:93:25:4f:c7:f8:8e:c3:b9:ca:98:84:
-                    0e:55:d0:2f:ef:78:77:c5:72:28:5f:60:bf:19:2b:
-                    d1:72:a2:b7:d8:3f:e0:97:34:5a:01:bd:04:9c:c8:
-                    78:45:cd:93:8d:15:f2:76:10:11:ab:b8:5b:2e:9e:
-                    52:dd:81:3e:9c:64:c8:29:93
-                Exponent: 3 (0x3)
+                    00:b6:b4:c1:35:05:2e:0d:8d:ec:a0:40:6a:1c:0e:
+                    27:a6:50:92:6b:50:1b:07:de:2e:e7:76:cc:e0:da:
+                    fc:84:a8:5e:8c:63:6a:2b:4d:d9:4e:02:76:11:c1:
+                    0b:f2:8d:79:ca:00:b6:f1:b0:0e:d7:fb:a4:17:3d:
+                    af:ab:69:7a:96:27:bf:af:33:a1:9a:2a:59:aa:c4:
+                    b5:37:08:f2:12:a5:31:b6:43:f5:32:96:71:28:28:
+                    ab:8d:28:86:df:bb:ee:e3:0c:7d:30:d6:c3:52:ab:
+                    8f:5d:27:9c:6b:c0:a3:e7:05:6b:57:49:44:b3:6e:
+                    ea:64:cf:d2:8e:7a:50:77:77
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape CA Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape Renewal Url: 
+                .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+            Netscape CA Policy Url: 
+                ./http://www.trustcenter.de/guidelines/index.html
+            Netscape Comment: 
+                ..TC TrustCenter Class 3 CA
+            Netscape Cert Type: 
+                ....
     Signature Algorithm: md5WithRSAEncryption
-        32:1a:35:ba:bf:43:27:d6:b4:d4:b8:76:e5:e3:9b:4d:6c:c0:
-        86:c9:77:35:ba:6b:16:2d:13:46:4a:b0:32:53:a1:5b:5a:e9:
-        99:e2:0c:86:88:17:4e:0d:fe:82:ac:4e:47:ef:fb:ff:39:ac:
-        ee:35:c8:fa:52:37:0a:49:ad:59:ad:e2:8a:a9:1c:c6:5f:1f:
-        f8:6f:73:7e:cd:a0:31:e8:0c:be:f5:4d:d9:b2:ab:8a:12:b6:
-        30:78:68:11:7c:0d:f1:49:4d:a3:fd:b2:e9:ff:1d:f0:91:fa:
-        54:85:ff:33:90:e8:c1:bf:a4:9b:a4:62:46:bd:61:12:59:98:
-        41:89
+        84:86:50:62:79:a0:27:e1:25:ba:09:b1:34:0f:13:09:ed:2d:
+        ca:a3:e6:95:f9:30:ac:cd:17:a5:ce:3d:97:9d:ec:7c:8f:26:
+        7f:c0:61:ca:22:f7:91:dd:3c:36:59:9a:9b:75:f7:bc:e4:c8:
+        ed:ec:02:b6:22:a7:f3:2c:f1:c8:92:78:6d:b6:ee:c5:28:ec:
+        80:20:4f:b9:6b:08:e7:2f:a7:86:1e:7d:b1:08:9f:54:b9:00:
+        37:3c:a0:d8:1a:c8:96:1c:f4:32:14:9c:39:95:b7:ee:f0:43:
+        49:c2:5e:e8:cb:79:6f:53:bf:fb:49:8a:2c:d8:4b:d9:55:f2:
+        12:70
 
-MCI Mall CA
-===========
-MD5 Fingerprint: 79:F1:0A:61:BD:32:F5:16:12:D8:07:6B:8D:9B:A1:76
+TC TrustCenter, Germany, Class 4 CA
+===================================
+MD5 Fingerprint: BF:AF:EC:C4:DA:F9:30:F9:CA:35:CA:25:E4:3F:8D:89
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIB8zCCAVwCBQJtAABCMA0GCSqGSIb3DQEBAgUAMEAxCzAJBgNVBAYTAlVTMQww
-CgYDVQQKEwNNQ0kxFDASBgNVBAsTC2ludGVybmV0TUNJMQ0wCwYDVQQLEwRNQUxM
-MB4XDTk2MDcxNjAwMDAwMFoXDTk4MDcxNjIzNTk1OVowQDELMAkGA1UEBhMCVVMx
-DDAKBgNVBAoTA01DSTEUMBIGA1UECxMLaW50ZXJuZXRNQ0kxDTALBgNVBAsTBE1B
-TEwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOMhI19RqC3Aj64Q8G/OSIDy
-lF6Ig/zkPw03HjTwCAySTaP7y6UG6Z7WNjAGJ8xJiN/Fn1+TbB+pQeyg1NKYdlVv
-xaOlQkmG9yXGHshDMZH7SebfTjbMbdXg/hiMQ/LrEzmVJ9QrrJjrqQ8tIZtcm1vP
-HEQZJoFuiO2aY7tWdlFvAgMBAAEwDQYJKoZIhvcNAQECBQADgYEAX+q/3vMnwY9I
-hiPIX+IggtEOf4U69dyy27k/Tdw22v5YhEzfynrcmxEenGV8ciLk65VblIj+mhAz
-WwmnpFxPlGJZUGwKvqS9HFxatnBybjEdFf9g5Vxa9isF6YhfqovSNPoIBySSoXSF
-a0am9n4me9H5GAiTQpNq8SnjcyPWToM=
+MIIENTCCA56gAwIBAgIBBTANBgkqhkiG9w0BAQQFADCBvDELMAkGA1UEBhMCREUx
+EDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4BgNVBAoTMVRD
+IFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdtYkgx
+IjAgBgNVBAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDQgQ0ExKTAnBgkqhkiG9w0B
+CQEWGmNlcnRpZmljYXRlQHRydXN0Y2VudGVyLmRlMB4XDTk4MDMwOTE0MDAyMFoX
+DTA1MTIzMTE0MDAyMFowgbwxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJn
+MRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFUQyBUcnVzdENlbnRlciBmb3Ig
+U2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAYDVQQLExlUQyBUcnVz
+dENlbnRlciBDbGFzcyA0IENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZpY2F0ZUB0
+cnVzdGNlbnRlci5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvy9j1jZ7
+sg3TVfVkbOYlXca0yBS6JTiD61ZipVWpZaP0I5nCS7nQzVRnpqOgo6kzK3bkva13
+su1cEnTDxbYPUppyk0OQYmYVD0Wl3eDduG9AblfBeXKjYKq6dh0SiVNa/AK+4QkT
+xUov3D2LGa3XiyRF+0z0zVw1HSlMUfPybFUCAwEAAaOCAUMwggE/MEAGCWCGSAGG
++EIBAwQzFjFodHRwczovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL2NoZWNr
+LXJldi5jZ2k/MEAGCWCGSAGG+EIBBAQzFjFodHRwczovL3d3dy50cnVzdGNlbnRl
+ci5kZS9jZ2ktYmluL2NoZWNrLXJldi5jZ2k/MDwGCWCGSAGG+EIBBwQvFi1odHRw
+czovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL1JlbmV3LmNnaT8wPgYJYIZI
+AYb4QgEIBDEWL2h0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lcy9p
+bmRleC5odG1sMCgGCWCGSAGG+EIBDQQbFhlUQyBUcnVzdENlbnRlciBDbGFzcyA0
+IENBMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG9w0BAQQFAAOBgQCUaBQbJZ4p
+mbGyI9JEs5Wf0Z5VBN3jL4IzVZZ3GZ0rnmUc+orjx48l/LEeVUYPj/9PNy+kdlmm
+ZOvVFnC93ZUzDKQNJOtkULRDEfJDvg1xmCLsAa/s98dcccN1kVgZ6N2g9LTxvBBK
+85O0Bkm7H2bSvXRH4Zr569erbR+64R0s2g==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
-        Version: 1 (0x0)
-        Serial Number:
-            02:6d:00:00:42
-        Signature Algorithm: md2WithRSAEncryption
-        Issuer: C=US, O=MCI, OU=internetMCI, OU=MALL
+        Version: 3 (0x2)
+        Serial Number: 5 (0x5)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 4 CA/Email=certificate@trustcenter.de
         Validity
-            Not Before: Jul 16 00:00:00 1996 GMT
-            Not After : Jul 16 23:59:59 1998 GMT
-        Subject: C=US, O=MCI, OU=internetMCI, OU=MALL
+            Not Before: Mar  9 14:00:20 1998 GMT
+            Not After : Dec 31 14:00:20 2005 GMT
+        Subject: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 4 CA/Email=certificate@trustcenter.de
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:e3:21:23:5f:51:a8:2d:c0:8f:ae:10:f0:6f:ce:
-                    48:80:f2:94:5e:88:83:fc:e4:3f:0d:37:1e:34:f0:
-                    08:0c:92:4d:a3:fb:cb:a5:06:e9:9e:d6:36:30:06:
-                    27:cc:49:88:df:c5:9f:5f:93:6c:1f:a9:41:ec:a0:
-                    d4:d2:98:76:55:6f:c5:a3:a5:42:49:86:f7:25:c6:
-                    1e:c8:43:31:91:fb:49:e6:df:4e:36:cc:6d:d5:e0:
-                    fe:18:8c:43:f2:eb:13:39:95:27:d4:2b:ac:98:eb:
-                    a9:0f:2d:21:9b:5c:9b:5b:cf:1c:44:19:26:81:6e:
-                    88:ed:9a:63:bb:56:76:51:6f
+                    00:bf:2f:63:d6:36:7b:b2:0d:d3:55:f5:64:6c:e6:
+                    25:5d:c6:b4:c8:14:ba:25:38:83:eb:56:62:a5:55:
+                    a9:65:a3:f4:23:99:c2:4b:b9:d0:cd:54:67:a6:a3:
+                    a0:a3:a9:33:2b:76:e4:bd:ad:77:b2:ed:5c:12:74:
+                    c3:c5:b6:0f:52:9a:72:93:43:90:62:66:15:0f:45:
+                    a5:dd:e0:dd:b8:6f:40:6e:57:c1:79:72:a3:60:aa:
+                    ba:76:1d:12:89:53:5a:fc:02:be:e1:09:13:c5:4a:
+                    2f:dc:3d:8b:19:ad:d7:8b:24:45:fb:4c:f4:cd:5c:
+                    35:1d:29:4c:51:f3:f2:6c:55
                 Exponent: 65537 (0x10001)
-    Signature Algorithm: md2WithRSAEncryption
-        5f:ea:bf:de:f3:27:c1:8f:48:86:23:c8:5f:e2:20:82:d1:0e:
-        7f:85:3a:f5:dc:b2:db:b9:3f:4d:dc:36:da:fe:58:84:4c:df:
-        ca:7a:dc:9b:11:1e:9c:65:7c:72:22:e4:eb:95:5b:94:88:fe:
-        9a:10:33:5b:09:a7:a4:5c:4f:94:62:59:50:6c:0a:be:a4:bd:
-        1c:5c:5a:b6:70:72:6e:31:1d:15:ff:60:e5:5c:5a:f6:2b:05:
-        e9:88:5f:aa:8b:d2:34:fa:08:07:24:92:a1:74:85:6b:46:a6:
-        f6:7e:26:7b:d1:f9:18:08:93:42:93:6a:f1:29:e3:73:23:d6:
-        4e:83
+        X509v3 extensions:
+            Netscape Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape CA Revocation Url: 
+                .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+            Netscape Renewal Url: 
+                .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+            Netscape CA Policy Url: 
+                ./http://www.trustcenter.de/guidelines/index.html
+            Netscape Comment: 
+                ..TC TrustCenter Class 4 CA
+            Netscape Cert Type: 
+                ....
+    Signature Algorithm: md5WithRSAEncryption
+        94:68:14:1b:25:9e:29:99:b1:b2:23:d2:44:b3:95:9f:d1:9e:
+        55:04:dd:e3:2f:82:33:55:96:77:19:9d:2b:9e:65:1c:fa:8a:
+        e3:c7:8f:25:fc:b1:1e:55:46:0f:8f:ff:4f:37:2f:a4:76:59:
+        a6:64:eb:d5:16:70:bd:dd:95:33:0c:a4:0d:24:eb:64:50:b4:
+        43:11:f2:43:be:0d:71:98:22:ec:01:af:ec:f7:c7:5c:71:c3:
+        75:91:58:19:e8:dd:a0:f4:b4:f1:bc:10:4a:f3:93:b4:06:49:
+        bb:1f:66:d2:bd:74:47:e1:9a:f9:eb:d7:ab:6d:1f:ba:e1:1d:
+        2c:da
 
 Thawte Personal Basic CA
 ========================
@@ -1373,338 +2689,167 @@ Certificate Ingredients:
         b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
         70:47
 
-Uptime Group Plc. Class 1 CA
-============================
-MD5 Fingerprint: 85:1F:0A:65:74:43:24:2F:A7:01:C8:71:A4:95:D8:0F
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDojCCAooCAQAwDQYJKoZIhvcNAQEEBQAwgZYxCzAJBgNVBAYTAlVLMQ8wDQYD
-VQQIEwZMb25kb24xGTAXBgNVBAoTEFVwdGltZSBHcm91cCBQbGMxHDAaBgNVBAsT
-E1VwdGltZSBDb21tZXJjZSBMdGQxFzAVBgNVBAMTDlVUQyBDbGFzcyAxIENBMSQw
-IgYJKoZIhvcNAQkBFhVjZXJ0c0B1cHRpbWVncm91cC5jb20wHhcNOTcwNDIyMTQ1
-MDEwWhcNMDIwNDIxMTQ1MDEwWjCBljELMAkGA1UEBhMCVUsxDzANBgNVBAgTBkxv
-bmRvbjEZMBcGA1UEChMQVXB0aW1lIEdyb3VwIFBsYzEcMBoGA1UECxMTVXB0aW1l
-IENvbW1lcmNlIEx0ZDEXMBUGA1UEAxMOVVRDIENsYXNzIDEgQ0ExJDAiBgkqhkiG
-9w0BCQEWFWNlcnRzQHVwdGltZWdyb3VwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAPQoQsO2kFXOCSTPns0SyKv/r4YghHaifW/ApwiNEW1xA0aG
-qBbKVxX1TceS7Jg+lpmDtSxc5F6Nlsc58ZXCBakB1smBAvfwYgt2B5vUDeQVFZtM
-bfJT70xpIT+iPLdZscCSVvMqcrGbgyeXqH0LhWcKnT2G4jcHy7eoOkDolng3H1jp
-gkabA1e+0zMF7nOMgb1m90yab1M3IfW0UzqR8LmZONb9ZaLu0vAsbRdJ7XXkz5XF
-shDHw4qXmQuk+A2HWSe/S0Q+3pb9Cwt3ys5pDxIR+FYjHuBc6tQE8wGyNM2k4yLA
-zj7JnTL8HOJHd0fqGiyjARH9qaRWVeDXAphQmiMCAwEAATANBgkqhkiG9w0BAQQF
-AAOCAQEALclv/qbaCcTqIuRw3VvQPubyszQqnLwXxq2LUL5EC+dkyq1leTQhMB16
-eIorl8nQFSr2c8cjLjnbgIVTdssrlgzWBZrX/rtJA/qgavK7ncoKrcjGl9wSolKd
-0xOVPkpxAzQJv1T/FQkgHXpV18q8jFq5mx9vs9o/vzogDD7Vw1B2uHkT/IcTJN4h
-OTKLQJnJXJgqwxeX6BFYFX2s4m2To8i9B/vorAj3Ak0wwwLOP0xsrEvbx2wcrE+i
-FHdRSG2rNPAc7MoYeQkwZ/U7fZ4niaqgghcxgn7ItiCTrvj1UBXgb6lYkSnM0hbH
-pw1V0iqRo6JIHWeVbrc4Ek4XXOEASg==
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 1 (0x0)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=UK, ST=London, O=Uptime Group Plc, OU=Uptime Commerce Ltd, CN=UTC Class 1 CA/Email=certs@uptimegroup.com
-        Validity
-            Not Before: Apr 22 14:50:10 1997 GMT
-            Not After : Apr 21 14:50:10 2002 GMT
-        Subject: C=UK, ST=London, O=Uptime Group Plc, OU=Uptime Commerce Ltd, CN=UTC Class 1 CA/Email=certs@uptimegroup.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:f4:28:42:c3:b6:90:55:ce:09:24:cf:9e:cd:12:
-                    c8:ab:ff:af:86:20:84:76:a2:7d:6f:c0:a7:08:8d:
-                    11:6d:71:03:46:86:a8:16:ca:57:15:f5:4d:c7:92:
-                    ec:98:3e:96:99:83:b5:2c:5c:e4:5e:8d:96:c7:39:
-                    f1:95:c2:05:a9:01:d6:c9:81:02:f7:f0:62:0b:76:
-                    07:9b:d4:0d:e4:15:15:9b:4c:6d:f2:53:ef:4c:69:
-                    21:3f:a2:3c:b7:59:b1:c0:92:56:f3:2a:72:b1:9b:
-                    83:27:97:a8:7d:0b:85:67:0a:9d:3d:86:e2:37:07:
-                    cb:b7:a8:3a:40:e8:96:78:37:1f:58:e9:82:46:9b:
-                    03:57:be:d3:33:05:ee:73:8c:81:bd:66:f7:4c:9a:
-                    6f:53:37:21:f5:b4:53:3a:91:f0:b9:99:38:d6:fd:
-                    65:a2:ee:d2:f0:2c:6d:17:49:ed:75:e4:cf:95:c5:
-                    b2:10:c7:c3:8a:97:99:0b:a4:f8:0d:87:59:27:bf:
-                    4b:44:3e:de:96:fd:0b:0b:77:ca:ce:69:0f:12:11:
-                    f8:56:23:1e:e0:5c:ea:d4:04:f3:01:b2:34:cd:a4:
-                    e3:22:c0:ce:3e:c9:9d:32:fc:1c:e2:47:77:47:ea:
-                    1a:2c:a3:01:11:fd:a9:a4:56:55:e0:d7:02:98:50:
-                    9a:23
-                Exponent: 65537 (0x10001)
-    Signature Algorithm: md5WithRSAEncryption
-        2d:c9:6f:fe:a6:da:09:c4:ea:22:e4:70:dd:5b:d0:3e:e6:f2:
-        b3:34:2a:9c:bc:17:c6:ad:8b:50:be:44:0b:e7:64:ca:ad:65:
-        79:34:21:30:1d:7a:78:8a:2b:97:c9:d0:15:2a:f6:73:c7:23:
-        2e:39:db:80:85:53:76:cb:2b:96:0c:d6:05:9a:d7:fe:bb:49:
-        03:fa:a0:6a:f2:bb:9d:ca:0a:ad:c8:c6:97:dc:12:a2:52:9d:
-        d3:13:95:3e:4a:71:03:34:09:bf:54:ff:15:09:20:1d:7a:55:
-        d7:ca:bc:8c:5a:b9:9b:1f:6f:b3:da:3f:bf:3a:20:0c:3e:d5:
-        c3:50:76:b8:79:13:fc:87:13:24:de:21:39:32:8b:40:99:c9:
-        5c:98:2a:c3:17:97:e8:11:58:15:7d:ac:e2:6d:93:a3:c8:bd:
-        07:fb:e8:ac:08:f7:02:4d:30:c3:02:ce:3f:4c:6c:ac:4b:db:
-        c7:6c:1c:ac:4f:a2:14:77:51:48:6d:ab:34:f0:1c:ec:ca:18:
-        79:09:30:67:f5:3b:7d:9e:27:89:aa:a0:82:17:31:82:7e:c8:
-        b6:20:93:ae:f8:f5:50:15:e0:6f:a9:58:91:29:cc:d2:16:c7:
-        a7:0d:55:d2:2a:91:a3:a2:48:1d:67:95:6e:b7:38:12:4e:17:
-        5c:e1:00:4a
-
-Uptime Group Plc. Class 2 CA
-============================
-MD5 Fingerprint: 54:6A:EA:11:24:BF:94:8B:0B:0A:17:60:D8:35:B3:21
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDojCCAooCAQAwDQYJKoZIhvcNAQEEBQAwgZYxCzAJBgNVBAYTAlVLMQ8wDQYD
-VQQIEwZMb25kb24xGTAXBgNVBAoTEFVwdGltZSBHcm91cCBQbGMxHDAaBgNVBAsT
-E1VwdGltZSBDb21tZXJjZSBMdGQxFzAVBgNVBAMTDlVUQyBDbGFzcyAyIENBMSQw
-IgYJKoZIhvcNAQkBFhVjZXJ0c0B1cHRpbWVncm91cC5jb20wHhcNOTcwNDIyMTUw
-NzQ4WhcNMDIwNDIxMTUwNzQ4WjCBljELMAkGA1UEBhMCVUsxDzANBgNVBAgTBkxv
-bmRvbjEZMBcGA1UEChMQVXB0aW1lIEdyb3VwIFBsYzEcMBoGA1UECxMTVXB0aW1l
-IENvbW1lcmNlIEx0ZDEXMBUGA1UEAxMOVVRDIENsYXNzIDIgQ0ExJDAiBgkqhkiG
-9w0BCQEWFWNlcnRzQHVwdGltZWdyb3VwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAMATJMT7b+8pbfgG2KVEEdnRQnC2+db7JOI1dWm4To9olUuc
-3TlquvJ4ZsmK+3dVbh9xow4LTQCnImwqnAWzr3geHvLFP01IfVWgpWPFZ5hrMx6X
-xPRJ5yDpYvusMn7MS0pQjKmdKCW9o+fnoLj168ffBtRozXg5MbWrFeQ8pkTRDItz
-rLoNlCZpHPqqctaabJ5CmNbGjMfScrezxbTe/VsZFOGnW5F0p5BvV7AeclUkbZsu
-A/zt4N8FEPEEgG6qM7ybEwj85Yn0Zf+Lnj/dB+6/h33katp9YRLFbxpDNFPCAIPt
-FwqkFKm9D69d5rKz6WuhFvcWytnIW6SPFq2BROUCAwEAATANBgkqhkiG9w0BAQQF
-AAOCAQEAJqXpA+iigG46cQyRmtbp56U+Cr2Ee20fU52LTZYqQx0vO8rPdXCvPZQG
-lXRVQCN43SIlf8fu9qRGgk57Whsz0ndq6tgGG+SCzYX4Ic6G1A5ABrTKcdujYlcs
-DZfr578Th55m4T4r5Sl3MVs2nLkCf15GYULJqkiDpICsnvCymLJe1nqmRubO7Fk8
-Qxjsu+eTmD2sxW80w7n0w0/Gn8LHB/LFnnRmqrnJgwATR+IlW/ojk+GzwGHAL8br
-IWxjemkBdSYMgFBB/pRYbJI7KY8Cjd/F4DpCYUYrAd3/zywHC0Kpir81ZZYzGz3J
-7Dm6ulALVW08BkueGo6Dai4V1wiG2A==
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 1 (0x0)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=UK, ST=London, O=Uptime Group Plc, OU=Uptime Commerce Ltd, CN=UTC Class 2 CA/Email=certs@uptimegroup.com
-        Validity
-            Not Before: Apr 22 15:07:48 1997 GMT
-            Not After : Apr 21 15:07:48 2002 GMT
-        Subject: C=UK, ST=London, O=Uptime Group Plc, OU=Uptime Commerce Ltd, CN=UTC Class 2 CA/Email=certs@uptimegroup.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c0:13:24:c4:fb:6f:ef:29:6d:f8:06:d8:a5:44:
-                    11:d9:d1:42:70:b6:f9:d6:fb:24:e2:35:75:69:b8:
-                    4e:8f:68:95:4b:9c:dd:39:6a:ba:f2:78:66:c9:8a:
-                    fb:77:55:6e:1f:71:a3:0e:0b:4d:00:a7:22:6c:2a:
-                    9c:05:b3:af:78:1e:1e:f2:c5:3f:4d:48:7d:55:a0:
-                    a5:63:c5:67:98:6b:33:1e:97:c4:f4:49:e7:20:e9:
-                    62:fb:ac:32:7e:cc:4b:4a:50:8c:a9:9d:28:25:bd:
-                    a3:e7:e7:a0:b8:f5:eb:c7:df:06:d4:68:cd:78:39:
-                    31:b5:ab:15:e4:3c:a6:44:d1:0c:8b:73:ac:ba:0d:
-                    94:26:69:1c:fa:aa:72:d6:9a:6c:9e:42:98:d6:c6:
-                    8c:c7:d2:72:b7:b3:c5:b4:de:fd:5b:19:14:e1:a7:
-                    5b:91:74:a7:90:6f:57:b0:1e:72:55:24:6d:9b:2e:
-                    03:fc:ed:e0:df:05:10:f1:04:80:6e:aa:33:bc:9b:
-                    13:08:fc:e5:89:f4:65:ff:8b:9e:3f:dd:07:ee:bf:
-                    87:7d:e4:6a:da:7d:61:12:c5:6f:1a:43:34:53:c2:
-                    00:83:ed:17:0a:a4:14:a9:bd:0f:af:5d:e6:b2:b3:
-                    e9:6b:a1:16:f7:16:ca:d9:c8:5b:a4:8f:16:ad:81:
-                    44:e5
-                Exponent: 65537 (0x10001)
-    Signature Algorithm: md5WithRSAEncryption
-        26:a5:e9:03:e8:a2:80:6e:3a:71:0c:91:9a:d6:e9:e7:a5:3e:
-        0a:bd:84:7b:6d:1f:53:9d:8b:4d:96:2a:43:1d:2f:3b:ca:cf:
-        75:70:af:3d:94:06:95:74:55:40:23:78:dd:22:25:7f:c7:ee:
-        f6:a4:46:82:4e:7b:5a:1b:33:d2:77:6a:ea:d8:06:1b:e4:82:
-        cd:85:f8:21:ce:86:d4:0e:40:06:b4:ca:71:db:a3:62:57:2c:
-        0d:97:eb:e7:bf:13:87:9e:66:e1:3e:2b:e5:29:77:31:5b:36:
-        9c:b9:02:7f:5e:46:61:42:c9:aa:48:83:a4:80:ac:9e:f0:b2:
-        98:b2:5e:d6:7a:a6:46:e6:ce:ec:59:3c:43:18:ec:bb:e7:93:
-        98:3d:ac:c5:6f:34:c3:b9:f4:c3:4f:c6:9f:c2:c7:07:f2:c5:
-        9e:74:66:aa:b9:c9:83:00:13:47:e2:25:5b:fa:23:93:e1:b3:
-        c0:61:c0:2f:c6:eb:21:6c:63:7a:69:01:75:26:0c:80:50:41:
-        fe:94:58:6c:92:3b:29:8f:02:8d:df:c5:e0:3a:42:61:46:2b:
-        01:dd:ff:cf:2c:07:0b:42:a9:8a:bf:35:65:96:33:1b:3d:c9:
-        ec:39:ba:ba:50:0b:55:6d:3c:06:4b:9e:1a:8e:83:6a:2e:15:
-        d7:08:86:d8
-
-Uptime Group Plc. Class 3 CA
+UPS Document Exchange by DST
 ============================
-MD5 Fingerprint: DB:E8:28:92:1A:70:8C:7B:88:7B:C1:59:ED:A2:BB:D1
+MD5 Fingerprint: 78:A5:FB:10:4B:E4:63:2E:D2:6B:FB:F2:B6:C2:4B:8E
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIDojCCAooCAQAwDQYJKoZIhvcNAQEEBQAwgZYxCzAJBgNVBAYTAlVLMQ8wDQYD
-VQQIEwZMb25kb24xGTAXBgNVBAoTEFVwdGltZSBHcm91cCBQbGMxHDAaBgNVBAsT
-E1VwdGltZSBDb21tZXJjZSBMdGQxFzAVBgNVBAMTDlVUQyBDbGFzcyAzIENBMSQw
-IgYJKoZIhvcNAQkBFhVjZXJ0c0B1cHRpbWVncm91cC5jb20wHhcNOTcwNDIyMTUx
-ODI5WhcNMDIwNDIxMTUxODI5WjCBljELMAkGA1UEBhMCVUsxDzANBgNVBAgTBkxv
-bmRvbjEZMBcGA1UEChMQVXB0aW1lIEdyb3VwIFBsYzEcMBoGA1UECxMTVXB0aW1l
-IENvbW1lcmNlIEx0ZDEXMBUGA1UEAxMOVVRDIENsYXNzIDMgQ0ExJDAiBgkqhkiG
-9w0BCQEWFWNlcnRzQHVwdGltZWdyb3VwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAKsfYAK/UDNcXPl7ZczrjYEt72odEFfczb4IkL16VrWd4DRi
-BPcEZerbrNf6qjv/zl8Z3iYMGCskLsqEGIFdIHwHwyFTFvqn7o/eyiBtxIf63Icl
-JiWf3/1A2x5GZ5U09IRxacpKl0uKuq3k1HyyCKeL9tzfFHRoaV+NoGXhcP8CQa2x
-xCmdUoi+XWweB0RB370O/i1gjqXu+lh3K6U7nxMiSnrwI9LVEWwuqF14MiZLExl/
-2vjr8N1UDUjRlFMdE7cX7y8XMtmrmy2OgnoDP1C0Kbrx4koBr53JBebdpn8Iaxkx
-WCnS8mBbDUVhkcBWs0UeW+qMSxFb1NcbMxO+0WECAwEAATANBgkqhkiG9w0BAQQF
-AAOCAQEAfm14amDVZ9FJOan0Lljfzuy2HS9ZheUC8AbKsy5oB1wrn0P2v+R84b71
-FFAibwJEG62u4k5Y0vDGAuhl3vWVjLkEK4V4b4utZ7Y4uGmdEdWAt4usl7u4pcdh
-A+1JEt0kCbfPhRQkOlNSpgLPMgvNiSOHF7T6j255CpUfp6YHuf5SeZJYBdnk2a1H
-nQ7RUT6H5fHvESy0Qa0Pg0pOrvyh8ym0TLSFuCwUhvJT0uFYh/2pYX10SqAQ1ayQ
-FavlHeYT9rHjS3Hukl3BtKeHREuqgknWMxs+Mo/kEGoAkQo94gACH/IDp67sjQQb
-01EjJ6AehwjKiYwU5C1oI5PJRPLb1Q==
+MIID+DCCAuACEQDQHkCLAAACfAAAAAcAAAABMA0GCSqGSIb3DQEBBQUAMIG5MQsw
+CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp
+dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjEeMBwGA1UE
+CxMVVW5pdGVkIFBhcmNlbCBTZXJ2aWNlMRkwFwYDVQQDExBEU1QgKFVQUykgUm9v
+dENBMSEwHwYJKoZIhvcNAQkBFhJjYUBkaWdzaWd0cnVzdC5jb20wHhcNOTgxMjEw
+MDAyNTQ2WhcNMDgxMjA3MDAyNTQ2WjCBuTELMAkGA1UEBhMCdXMxDTALBgNVBAgT
+BFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MSQwIgYDVQQKExtEaWdpdGFs
+IFNpZ25hdHVyZSBUcnVzdCBDby4xHjAcBgNVBAsTFVVuaXRlZCBQYXJjZWwgU2Vy
+dmljZTEZMBcGA1UEAxMQRFNUIChVUFMpIFJvb3RDQTEhMB8GCSqGSIb3DQEJARYS
+Y2FAZGlnc2lndHJ1c3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA7xfsrynm2SsnwNt7JJ9m9ASjwq0KyrDNhCuqN/OAoWDvQo/lXXdfV0JU3Svb
+YbJxXpN7b1/rJCvnpPLr8XOzC431Wdcy36yQjk4xuiVNtgym8eWvDOHlb1IDFcHf
+vn5KpqYYRnA/76dNqNz1dNlhekA8oZQo6sKUiMs3FQUZPJViuhwt+yiM0ciekjxb
+EVQ7eNlHO5stSuY+e2vf9PYFzyj2upg2AJ48N4UKnN63pIXFY/23YhRtFx7MioCF
+QjIRsCHinXfJgBZBnuvlFIl/t8O8T8Gfh5uW7GP2+ZBWDpWjIwqMZNqbuxx3sExd
+5sjo9X15LVckP8zjPSyYzxKfFwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQC7OI4E
+IiZYDiFEVsy9WXwpaMtcD8iGVD+BeKetj8xG9xxUuHktW3IFaugh0OwdHf6kNFG+
+7u3OzJwWaOJddXMIQzGRahArEMJLafjJrZio/bjv9qvwXyHvy4VrCe0vSGa1YHLA
+6KDHmNsO9xtzjTQICnvFd2KqMCObsB6LgJhU3AWHs6liWfyLtxWarETszzUa9w8u
+XZJLAch77qA37eQdgg2ZQUMXrdTVyuP5fReiAdAwD0C53LkEgmmDtvkP+gaS96j0
+1hcc8F5/xCnI5uHi/zZoIVGu/6m6hJKtinsz2JDSwXltMzM5dKwbOHGfLAeQ6h3g
+04lfy+8UjSdUpb1G
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=UK, ST=London, O=Uptime Group Plc, OU=Uptime Commerce Ltd, CN=UTC Class 3 CA/Email=certs@uptimegroup.com
+        Serial Number:
+            d0:1e:40:8b:00:00:02:7c:00:00:00:07:00:00:00:01
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=United Parcel Service, CN=DST (UPS) RootCA/Email=ca@digsigtrust.com
         Validity
-            Not Before: Apr 22 15:18:29 1997 GMT
-            Not After : Apr 21 15:18:29 2002 GMT
-        Subject: C=UK, ST=London, O=Uptime Group Plc, OU=Uptime Commerce Ltd, CN=UTC Class 3 CA/Email=certs@uptimegroup.com
+            Not Before: Dec 10 00:25:46 1998 GMT
+            Not After : Dec  7 00:25:46 2008 GMT
+        Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=United Parcel Service, CN=DST (UPS) RootCA/Email=ca@digsigtrust.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (2048 bit)
                 Modulus (2048 bit):
-                    00:ab:1f:60:02:bf:50:33:5c:5c:f9:7b:65:cc:eb:
-                    8d:81:2d:ef:6a:1d:10:57:dc:cd:be:08:90:bd:7a:
-                    56:b5:9d:e0:34:62:04:f7:04:65:ea:db:ac:d7:fa:
-                    aa:3b:ff:ce:5f:19:de:26:0c:18:2b:24:2e:ca:84:
-                    18:81:5d:20:7c:07:c3:21:53:16:fa:a7:ee:8f:de:
-                    ca:20:6d:c4:87:fa:dc:87:25:26:25:9f:df:fd:40:
-                    db:1e:46:67:95:34:f4:84:71:69:ca:4a:97:4b:8a:
-                    ba:ad:e4:d4:7c:b2:08:a7:8b:f6:dc:df:14:74:68:
-                    69:5f:8d:a0:65:e1:70:ff:02:41:ad:b1:c4:29:9d:
-                    52:88:be:5d:6c:1e:07:44:41:df:bd:0e:fe:2d:60:
-                    8e:a5:ee:fa:58:77:2b:a5:3b:9f:13:22:4a:7a:f0:
-                    23:d2:d5:11:6c:2e:a8:5d:78:32:26:4b:13:19:7f:
-                    da:f8:eb:f0:dd:54:0d:48:d1:94:53:1d:13:b7:17:
-                    ef:2f:17:32:d9:ab:9b:2d:8e:82:7a:03:3f:50:b4:
-                    29:ba:f1:e2:4a:01:af:9d:c9:05:e6:dd:a6:7f:08:
-                    6b:19:31:58:29:d2:f2:60:5b:0d:45:61:91:c0:56:
-                    b3:45:1e:5b:ea:8c:4b:11:5b:d4:d7:1b:33:13:be:
-                    d1:61
+                    00:ef:17:ec:af:29:e6:d9:2b:27:c0:db:7b:24:9f:
+                    66:f4:04:a3:c2:ad:0a:ca:b0:cd:84:2b:aa:37:f3:
+                    80:a1:60:ef:42:8f:e5:5d:77:5f:57:42:54:dd:2b:
+                    db:61:b2:71:5e:93:7b:6f:5f:eb:24:2b:e7:a4:f2:
+                    eb:f1:73:b3:0b:8d:f5:59:d7:32:df:ac:90:8e:4e:
+                    31:ba:25:4d:b6:0c:a6:f1:e5:af:0c:e1:e5:6f:52:
+                    03:15:c1:df:be:7e:4a:a6:a6:18:46:70:3f:ef:a7:
+                    4d:a8:dc:f5:74:d9:61:7a:40:3c:a1:94:28:ea:c2:
+                    94:88:cb:37:15:05:19:3c:95:62:ba:1c:2d:fb:28:
+                    8c:d1:c8:9e:92:3c:5b:11:54:3b:78:d9:47:3b:9b:
+                    2d:4a:e6:3e:7b:6b:df:f4:f6:05:cf:28:f6:ba:98:
+                    36:00:9e:3c:37:85:0a:9c:de:b7:a4:85:c5:63:fd:
+                    b7:62:14:6d:17:1e:cc:8a:80:85:42:32:11:b0:21:
+                    e2:9d:77:c9:80:16:41:9e:eb:e5:14:89:7f:b7:c3:
+                    bc:4f:c1:9f:87:9b:96:ec:63:f6:f9:90:56:0e:95:
+                    a3:23:0a:8c:64:da:9b:bb:1c:77:b0:4c:5d:e6:c8:
+                    e8:f5:7d:79:2d:57:24:3f:cc:e3:3d:2c:98:cf:12:
+                    9f:17
                 Exponent: 65537 (0x10001)
-    Signature Algorithm: md5WithRSAEncryption
-        7e:6d:78:6a:60:d5:67:d1:49:39:a9:f4:2e:58:df:ce:ec:b6:
-        1d:2f:59:85:e5:02:f0:06:ca:b3:2e:68:07:5c:2b:9f:43:f6:
-        bf:e4:7c:e1:be:f5:14:50:22:6f:02:44:1b:ad:ae:e2:4e:58:
-        d2:f0:c6:02:e8:65:de:f5:95:8c:b9:04:2b:85:78:6f:8b:ad:
-        67:b6:38:b8:69:9d:11:d5:80:b7:8b:ac:97:bb:b8:a5:c7:61:
-        03:ed:49:12:dd:24:09:b7:cf:85:14:24:3a:53:52:a6:02:cf:
-        32:0b:cd:89:23:87:17:b4:fa:8f:6e:79:0a:95:1f:a7:a6:07:
-        b9:fe:52:79:92:58:05:d9:e4:d9:ad:47:9d:0e:d1:51:3e:87:
-        e5:f1:ef:11:2c:b4:41:ad:0f:83:4a:4e:ae:fc:a1:f3:29:b4:
-        4c:b4:85:b8:2c:14:86:f2:53:d2:e1:58:87:fd:a9:61:7d:74:
-        4a:a0:10:d5:ac:90:15:ab:e5:1d:e6:13:f6:b1:e3:4b:71:ee:
-        92:5d:c1:b4:a7:87:44:4b:aa:82:49:d6:33:1b:3e:32:8f:e4:
-        10:6a:00:91:0a:3d:e2:00:02:1f:f2:03:a7:ae:ec:8d:04:1b:
-        d3:51:23:27:a0:1e:87:08:ca:89:8c:14:e4:2d:68:23:93:c9:
-        44:f2:db:d5
+    Signature Algorithm: sha1WithRSAEncryption
+        bb:38:8e:04:22:26:58:0e:21:44:56:cc:bd:59:7c:29:68:cb:
+        5c:0f:c8:86:54:3f:81:78:a7:ad:8f:cc:46:f7:1c:54:b8:79:
+        2d:5b:72:05:6a:e8:21:d0:ec:1d:1d:fe:a4:34:51:be:ee:ed:
+        ce:cc:9c:16:68:e2:5d:75:73:08:43:31:91:6a:10:2b:10:c2:
+        4b:69:f8:c9:ad:98:a8:fd:b8:ef:f6:ab:f0:5f:21:ef:cb:85:
+        6b:09:ed:2f:48:66:b5:60:72:c0:e8:a0:c7:98:db:0e:f7:1b:
+        73:8d:34:08:0a:7b:c5:77:62:aa:30:23:9b:b0:1e:8b:80:98:
+        54:dc:05:87:b3:a9:62:59:fc:8b:b7:15:9a:ac:44:ec:cf:35:
+        1a:f7:0f:2e:5d:92:4b:01:c8:7b:ee:a0:37:ed:e4:1d:82:0d:
+        99:41:43:17:ad:d4:d5:ca:e3:f9:7d:17:a2:01:d0:30:0f:40:
+        b9:dc:b9:04:82:69:83:b6:f9:0f:fa:06:92:f7:a8:f4:d6:17:
+        1c:f0:5e:7f:c4:29:c8:e6:e1:e2:ff:36:68:21:51:ae:ff:a9:
+        ba:84:92:ad:8a:7b:33:d8:90:d2:c1:79:6d:33:33:39:74:ac:
+        1b:38:71:9f:2c:07:90:ea:1d:e0:d3:89:5f:cb:ef:14:8d:27:
+        54:a5:bd:46
 
-Uptime Group Plc. Class 4 CA
-============================
-MD5 Fingerprint: 2D:1F:C7:64:33:AC:18:97:B1:00:BB:A3:93:23:09:A6
+VeriSign Class 4 Primary CA
+===========================
+MD5 Fingerprint: 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIIDojCCAooCAQAwDQYJKoZIhvcNAQEEBQAwgZYxCzAJBgNVBAYTAlVLMQ8wDQYD
-VQQIEwZMb25kb24xGTAXBgNVBAoTEFVwdGltZSBHcm91cCBQbGMxHDAaBgNVBAsT
-E1VwdGltZSBDb21tZXJjZSBMdGQxFzAVBgNVBAMTDlVUQyBDbGFzcyA0IENBMSQw
-IgYJKoZIhvcNAQkBFhVjZXJ0c0B1cHRpbWVncm91cC5jb20wHhcNOTcwNDIyMTUy
-NjEzWhcNMDIwNDIxMTUyNjEzWjCBljELMAkGA1UEBhMCVUsxDzANBgNVBAgTBkxv
-bmRvbjEZMBcGA1UEChMQVXB0aW1lIEdyb3VwIFBsYzEcMBoGA1UECxMTVXB0aW1l
-IENvbW1lcmNlIEx0ZDEXMBUGA1UEAxMOVVRDIENsYXNzIDQgQ0ExJDAiBgkqhkiG
-9w0BCQEWFWNlcnRzQHVwdGltZWdyb3VwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAMhtrrgyds49zudjK8OFALva1ADqhhpmPiZHIVzkcsf5TF7s
-zGb6PBC/noZxBdHs406LYZ655UC24Iub6LVn3XiSEqhJNmKgnBH2gM94mcZR3KIp
-LZBYdyocBJFQ0cWlsZrAy60UNWVoncVg+Uvp4qDwjz4DPFRadRAb9Mmpswk9Wr3c
-oqgj46E/mQp+ne8oGCBSKrFF5TqTNy7Dj2wvpfTLeIkecOZ5HvIldBqZJ0Zf+/ps
-JaID3B8ACiZyGlwS2edHVmfNHe15FMTllx+EyNq80vwjHIMZhENRhkNDXPuXOeE5
-4YNFWaK9isFZi31Rw2wdw46YwkKOHzj4QalMwbECAwEAATANBgkqhkiG9w0BAQQF
-AAOCAQEAKUDQukOPK5jK6oEpJYB7TX1E9yhB26hgHeK61oag+iBEcFK1Fk5wQWbZ
-F97uJK7ofwpE1DRSXpvccvLiZIKngN7Ca7jttAoQYvRkc6xj8c+pbInvinITME74
-2mazPeuvdgl5DwNv/9Htq8P73WEQXW/LX/H1BGX8RnFBKRaeKPIMnyRLb49f5/Lz
-Fhrwb4ZQnl20ktUEkNeep8E9LoWomUajKOLX+Lcm0bAqVIESNVam7/cPeoOpLa8R
-8ZmCOSPSy+qLUf+7yMVVmrCtmGMSXdqBpCTvZLBU41x+K7sYme8CXl5weDQZTn2c
-fK8/9TT8cxbw+gczPRMCC1Xu95tU2A==
+MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
+Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
+biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1
+9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj
+IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd
+O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF
+AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ
+g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am
+yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=UK, ST=London, O=Uptime Group Plc, OU=Uptime Commerce Ltd, CN=UTC Class 4 CA/Email=certs@uptimegroup.com
+        Serial Number:
+            02:a6:00:00:01
+        Signature Algorithm: md2WithRSAEncryption
+        Issuer: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority
         Validity
-            Not Before: Apr 22 15:26:13 1997 GMT
-            Not After : Apr 21 15:26:13 2002 GMT
-        Subject: C=UK, ST=London, O=Uptime Group Plc, OU=Uptime Commerce Ltd, CN=UTC Class 4 CA/Email=certs@uptimegroup.com
+            Not Before: Jan 29 00:00:00 1996 GMT
+            Not After : Dec 31 23:59:59 1999 GMT
+        Subject: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c8:6d:ae:b8:32:76:ce:3d:ce:e7:63:2b:c3:85:
-                    00:bb:da:d4:00:ea:86:1a:66:3e:26:47:21:5c:e4:
-                    72:c7:f9:4c:5e:ec:cc:66:fa:3c:10:bf:9e:86:71:
-                    05:d1:ec:e3:4e:8b:61:9e:b9:e5:40:b6:e0:8b:9b:
-                    e8:b5:67:dd:78:92:12:a8:49:36:62:a0:9c:11:f6:
-                    80:cf:78:99:c6:51:dc:a2:29:2d:90:58:77:2a:1c:
-                    04:91:50:d1:c5:a5:b1:9a:c0:cb:ad:14:35:65:68:
-                    9d:c5:60:f9:4b:e9:e2:a0:f0:8f:3e:03:3c:54:5a:
-                    75:10:1b:f4:c9:a9:b3:09:3d:5a:bd:dc:a2:a8:23:
-                    e3:a1:3f:99:0a:7e:9d:ef:28:18:20:52:2a:b1:45:
-                    e5:3a:93:37:2e:c3:8f:6c:2f:a5:f4:cb:78:89:1e:
-                    70:e6:79:1e:f2:25:74:1a:99:27:46:5f:fb:fa:6c:
-                    25:a2:03:dc:1f:00:0a:26:72:1a:5c:12:d9:e7:47:
-                    56:67:cd:1d:ed:79:14:c4:e5:97:1f:84:c8:da:bc:
-                    d2:fc:23:1c:83:19:84:43:51:86:43:43:5c:fb:97:
-                    39:e1:39:e1:83:45:59:a2:bd:8a:c1:59:8b:7d:51:
-                    c3:6c:1d:c3:8e:98:c2:42:8e:1f:38:f8:41:a9:4c:
-                    c1:b1
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:d0:b2:75:f6:78:d0:ae:5a:50:f4:e9:50:a9:9f:
+                    8c:d7:ef:91:94:70:e8:d2:24:90:76:89:85:d6:df:
+                    ac:e6:01:17:32:80:f0:9d:93:47:bc:9a:65:9d:1f:
+                    97:ae:bf:e9:86:75:63:20:89:bd:80:58:9d:04:0c:
+                    9d:a8:c1:24:e9:0b:e5:31:78:bd:fc:2d:0c:37:6a:
+                    9e:78:80:e9:46:75:f9:ed:a3:fb:13:7b:c8:c1:4c:
+                    d2:a3:ef:f5:3c:b0:62:8f:4a:5d:3b:dd:95:67:8f:
+                    13:b9:c1:3c:d6:a7:26:9b:ec:c3:3b:7a:d9:4d:bc:
+                    6d:9b:e8:15:01:e3:f0:47:a9
                 Exponent: 65537 (0x10001)
-    Signature Algorithm: md5WithRSAEncryption
-        29:40:d0:ba:43:8f:2b:98:ca:ea:81:29:25:80:7b:4d:7d:44:
-        f7:28:41:db:a8:60:1d:e2:ba:d6:86:a0:fa:20:44:70:52:b5:
-        16:4e:70:41:66:d9:17:de:ee:24:ae:e8:7f:0a:44:d4:34:52:
-        5e:9b:dc:72:f2:e2:64:82:a7:80:de:c2:6b:b8:ed:b4:0a:10:
-        62:f4:64:73:ac:63:f1:cf:a9:6c:89:ef:8a:72:13:30:4e:f8:
-        da:66:b3:3d:eb:af:76:09:79:0f:03:6f:ff:d1:ed:ab:c3:fb:
-        dd:61:10:5d:6f:cb:5f:f1:f5:04:65:fc:46:71:41:29:16:9e:
-        28:f2:0c:9f:24:4b:6f:8f:5f:e7:f2:f3:16:1a:f0:6f:86:50:
-        9e:5d:b4:92:d5:04:90:d7:9e:a7:c1:3d:2e:85:a8:99:46:a3:
-        28:e2:d7:f8:b7:26:d1:b0:2a:54:81:12:35:56:a6:ef:f7:0f:
-        7a:83:a9:2d:af:11:f1:99:82:39:23:d2:cb:ea:8b:51:ff:bb:
-        c8:c5:55:9a:b0:ad:98:63:12:5d:da:81:a4:24:ef:64:b0:54:
-        e3:5c:7e:2b:bb:18:99:ef:02:5e:5e:70:78:34:19:4e:7d:9c:
-        7c:af:3f:f5:34:fc:73:16:f0:fa:07:33:3d:13:02:0b:55:ee:
-        f7:9b:54:d8
+    Signature Algorithm: md2WithRSAEncryption
+        53:dd:d3:f0:9c:24:7e:40:aa:e2:fc:00:1a:d7:da:0c:fc:32:
+        61:b8:15:0d:96:f3:fa:57:1b:7f:33:7c:af:e9:98:9a:61:c8:
+        7a:b3:b7:ff:b1:dc:99:83:dc:ac:12:fc:70:c9:1f:38:42:ed:
+        44:f6:80:2e:5b:6b:33:69:ac:9c:d3:5c:e7:5f:5a:18:c7:b1:
+        2d:79:04:96:41:91:99:41:b1:3c:0d:ba:84:39:c6:3b:97:f0:
+        26:c9:8e:ee:bd:cc:42:95:ff:1e:c7:02:3f:54:0c:78:f5:bc:
+        aa:60:7c:02:69:e8:dc:ac:e2:02:76:61:c4:3e:03:ea:d2:8a:
+        24:d1
 
-VeriSign Class 1 Primary CA
-===========================
-MD5 Fingerprint: 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
+Verisign Class 1 Public Primary Certification Authority
+=======================================================
+MD5 Fingerprint: 97:60:E8:57:5F:D3:50:47:E5:43:0C:94:36:8A:B0:62
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICPDCCAaUCEDJQM89Q0VbzXIGtZVxPyCUwDQYJKoZIhvcNAQECBQAwXzELMAkG
-A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
-cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
-MDEyOTAwMDAwMFoXDTIwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
-BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt
-YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f
-zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi
-TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G
-CSqGSIb3DQEBAgUAA4GBAEtEZmBoZOSYG/OwcuaViXzde7OVwB0u2NgZ0C00PcZQ
-mhCGjKo/O6gE/DdSlcPZydvN8oYGxLEb8IKIMEKOF1AcZHq4PplJdJf8rAJD+5YM
-VgQlDHx8h50kp9jwMim1pN9dokzFFjKoQvZFprY2ueC/ZTaTwtLXa9zeWdaiNfhF
+MIICPTCCAaYCEQDNun9W8N/kvFT+IqyzcqpVMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
+c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
+NjAxMjkwMDAwMDBaFw0yODA4MDEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
+VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJp
+bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIguVzqKCbJF0N
+H8xlbgyw0FaEGIeaBpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzRQR
+4k5FVmkfeAKA2txHkSm7NsljXMXg1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAATAN
+BgkqhkiG9w0BAQIFAAOBgQBMP7iLxmjf7kMzDl3ppssHhE16M/+SG/Q2rdiVIjZo
+EWx8QszznC7EBz8UsA9P/5CSdvnivErpj82ggAr3xSnxgiJduLHdgSOjeyUVRjB5
+FvjqBUuUfx3CHMjjt/QQQDwTw18fU+hI5Ia0e6E1sHslurjTjqs/OJ0ANACY89Fx
+lA==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            32:50:33:cf:50:d1:56:f3:5c:81:ad:65:5c:4f:c8:25
+            cd:ba:7f:56:f0:df:e4:bc:54:fe:22:ac:b3:72:aa:55
         Signature Algorithm: md2WithRSAEncryption
         Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority
         Validity
             Not Before: Jan 29 00:00:00 1996 GMT
-            Not After : Jan  7 23:59:59 2020 GMT
+            Not After : Aug  1 23:59:59 2028 GMT
         Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -1721,44 +2866,101 @@ Certificate Ingredients:
                     2a:2f:31:aa:ee:a3:67:da:db
                 Exponent: 65537 (0x10001)
     Signature Algorithm: md2WithRSAEncryption
-        4b:44:66:60:68:64:e4:98:1b:f3:b0:72:e6:95:89:7c:dd:7b:
-        b3:95:c0:1d:2e:d8:d8:19:d0:2d:34:3d:c6:50:9a:10:86:8c:
-        aa:3f:3b:a8:04:fc:37:52:95:c3:d9:c9:db:cd:f2:86:06:c4:
-        b1:1b:f0:82:88:30:42:8e:17:50:1c:64:7a:b8:3e:99:49:74:
-        97:fc:ac:02:43:fb:96:0c:56:04:25:0c:7c:7c:87:9d:24:a7:
-        d8:f0:32:29:b5:a4:df:5d:a2:4c:c5:16:32:a8:42:f6:45:a6:
-        b6:36:b9:e0:bf:65:36:93:c2:d2:d7:6b:dc:de:59:d6:a2:35:
-        f8:45
+        4c:3f:b8:8b:c6:68:df:ee:43:33:0e:5d:e9:a6:cb:07:84:4d:
+        7a:33:ff:92:1b:f4:36:ad:d8:95:22:36:68:11:6c:7c:42:cc:
+        f3:9c:2e:c4:07:3f:14:b0:0f:4f:ff:90:92:76:f9:e2:bc:4a:
+        e9:8f:cd:a0:80:0a:f7:c5:29:f1:82:22:5d:b8:b1:dd:81:23:
+        a3:7b:25:15:46:30:79:16:f8:ea:05:4b:94:7f:1d:c2:1c:c8:
+        e3:b7:f4:10:40:3c:13:c3:5f:1f:53:e8:48:e4:86:b4:7b:a1:
+        35:b0:7b:25:ba:b8:d3:8e:ab:3f:38:9d:00:34:00:98:f3:d1:
+        71:94
 
-VeriSign Class 2 Primary CA
-===========================
-MD5 Fingerprint: EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
+Verisign Class 1 Public Primary Certification Authority - G2
+============================================================
+MD5 Fingerprint: F2:7D:E9:54:E4:A3:22:0D:76:9F:E7:0B:BB:B3:24:2B
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICPTCCAaYCEQC6WslMBTuS1qe2307QU5INMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
-BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
-c3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
-NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
-VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMiBQdWJsaWMgUHJp
-bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
-jQAwgYkCgYEAtlqLow1qI4OAa885h/QhEzMGTCWi7VUSl8WngLn6g8EgoPovFQ18
-oWBrfnks+gYPOq72G2+x0v8vKFJfg31LxHq3+GYfgFT8t8KOWUoUV0bRmpO+QZED
-uxWAk1zr58wIbD8+s0r8/0tsI9VQgiZEGY4jw3HqGSRHBJ51v8imAB8CAwEAATAN
-BgkqhkiG9w0BAQIFAAOBgQC2AB+TV6QHp0DOZUA/VV7t7/pUSaUw1iF8YYfug5ML
-v7Qz8pisnwa/TqjOFIFMywROWMPPX+5815pvy0GKt3+BuP+EYcYnQ2UdDOyxAArd
-G6S7x3ggKLKi3TaVLuFUT79guXdoEZkj6OpS6KoATmdOu5C1RZtG644W78QzWzM9
-1Q==
+MIIDAjCCAmsCEDnKVIn+UCIy/jLZ2/sbhBkwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
+c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
+MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
+emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
+DTk4MDUxODAwMDAwMFoXDTE4MDUxODIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMSBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
+YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
+MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCq0Lq+Fi24g9TK0g+8djHKlNgdk4xWArzZbxpvUjZudVYK
+VdPfQ4chEWWKfo+9Id5rMj8bhDSVBZ1BNeuS65bdqlk/AVNtmU/t5eIqWpDBucSm
+Fc/IReumXY6cPvBkJHalzasab7bYe1FhbqZ/h8jit+U03EGI6glAvnOSPWvndQID
+AQABMA0GCSqGSIb3DQEBBQUAA4GBAIv3GhDOdlwHq4OZ3BeAbzQ5XZg+a3Is4cei
+e0ApuXiIukzFo2penm574/ICQQxmvq37rqIUzpLzojSLtLK2JPLl1eDI5WJthHvL
+vrsDi3xXyvA3qZCviu4Dvh0onNkmdqDNxJ1O8K4HFtW+r1cIatCgQkJCHvQgzKV4
+gpUmOIpH
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            39:ca:54:89:fe:50:22:32:fe:32:d9:db:fb:1b:84:19
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
+        Validity
+            Not Before: May 18 00:00:00 1998 GMT
+            Not After : May 18 23:59:59 2018 GMT
+        Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:aa:d0:ba:be:16:2d:b8:83:d4:ca:d2:0f:bc:76:
+                    31:ca:94:d8:1d:93:8c:56:02:bc:d9:6f:1a:6f:52:
+                    36:6e:75:56:0a:55:d3:df:43:87:21:11:65:8a:7e:
+                    8f:bd:21:de:6b:32:3f:1b:84:34:95:05:9d:41:35:
+                    eb:92:eb:96:dd:aa:59:3f:01:53:6d:99:4f:ed:e5:
+                    e2:2a:5a:90:c1:b9:c4:a6:15:cf:c8:45:eb:a6:5d:
+                    8e:9c:3e:f0:64:24:76:a5:cd:ab:1a:6f:b6:d8:7b:
+                    51:61:6e:a6:7f:87:c8:e2:b7:e5:34:dc:41:88:ea:
+                    09:40:be:73:92:3d:6b:e7:75
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+        8b:f7:1a:10:ce:76:5c:07:ab:83:99:dc:17:80:6f:34:39:5d:
+        98:3e:6b:72:2c:e1:c7:a2:7b:40:29:b9:78:88:ba:4c:c5:a3:
+        6a:5e:9e:6e:7b:e3:f2:02:41:0c:66:be:ad:fb:ae:a2:14:ce:
+        92:f3:a2:34:8b:b4:b2:b6:24:f2:e5:d5:e0:c8:e5:62:6d:84:
+        7b:cb:be:bb:03:8b:7c:57:ca:f0:37:a9:90:af:8a:ee:03:be:
+        1d:28:9c:d9:26:76:a0:cd:c4:9d:4e:f0:ae:07:16:d5:be:af:
+        57:08:6a:d0:a0:42:42:42:1e:f4:20:cc:a5:78:82:95:26:38:
+        8a:47
+
+Verisign Class 2 Public Primary Certification Authority
+=======================================================
+MD5 Fingerprint: B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaUCEC0b/EoXjaOR6+f/9YtFvgswDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAyIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAyIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQC2WoujDWojg4BrzzmH9CETMwZMJaLtVRKXxaeAufqDwSCg+i8VDXyh
+YGt+eSz6Bg86rvYbb7HS/y8oUl+DfUvEerf4Zh+AVPy3wo5ZShRXRtGak75BkQO7
+FYCTXOvnzAhsPz6zSvz/S2wj1VCCJkQZjiPDceoZJEcEnnW/yKYAHwIDAQABMA0G
+CSqGSIb3DQEBAgUAA4GBAIobK/o5wXTXXtgZZKJYSi034DNHD6zt96rbHuSLBlxg
+J8pFUs4W7z8GZOeUaHxgMxURaa+dYo2jA1Rrpr7l7gUYYAS/QoD90KioHgE796Nc
+r6Pc5iaAIzy4RHT3Cq5Ji2F4zCS/iIqnDupzGUH9TQPwiNHleI2lKk/2lw0Xd8rY
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            ba:5a:c9:4c:05:3b:92:d6:a7:b6:df:4e:d0:53:92:0d
+            2d:1b:fc:4a:17:8d:a3:91:eb:e7:ff:f5:8b:45:be:0b
         Signature Algorithm: md2WithRSAEncryption
         Issuer: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority
         Validity
             Not Before: Jan 29 00:00:00 1996 GMT
-            Not After : Jan  7 23:59:59 2004 GMT
+            Not After : Aug  1 23:59:59 2028 GMT
         Subject: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -1775,44 +2977,101 @@ Certificate Ingredients:
                     47:04:9e:75:bf:c8:a6:00:1f
                 Exponent: 65537 (0x10001)
     Signature Algorithm: md2WithRSAEncryption
-        b6:00:1f:93:57:a4:07:a7:40:ce:65:40:3f:55:5e:ed:ef:fa:
-        54:49:a5:30:d6:21:7c:61:87:ee:83:93:0b:bf:b4:33:f2:98:
-        ac:9f:06:bf:4e:a8:ce:14:81:4c:cb:04:4e:58:c3:cf:5f:ee:
-        7c:d7:9a:6f:cb:41:8a:b7:7f:81:b8:ff:84:61:c6:27:43:65:
-        1d:0c:ec:b1:00:0a:dd:1b:a4:bb:c7:78:20:28:b2:a2:dd:36:
-        95:2e:e1:54:4f:bf:60:b9:77:68:11:99:23:e8:ea:52:e8:aa:
-        00:4e:67:4e:bb:90:b5:45:9b:46:eb:8e:16:ef:c4:33:5b:33:
-        3d:d5
+        8a:1b:2b:fa:39:c1:74:d7:5e:d8:19:64:a2:58:4a:2d:37:e0:
+        33:47:0f:ac:ed:f7:aa:db:1e:e4:8b:06:5c:60:27:ca:45:52:
+        ce:16:ef:3f:06:64:e7:94:68:7c:60:33:15:11:69:af:9d:62:
+        8d:a3:03:54:6b:a6:be:e5:ee:05:18:60:04:bf:42:80:fd:d0:
+        a8:a8:1e:01:3b:f7:a3:5c:af:a3:dc:e6:26:80:23:3c:b8:44:
+        74:f7:0a:ae:49:8b:61:78:cc:24:bf:88:8a:a7:0e:ea:73:19:
+        41:fd:4d:03:f0:88:d1:e5:78:8d:a5:2a:4f:f6:97:0d:17:77:
+        ca:d8
 
-VeriSign Class 3 Primary CA
-===========================
-MD5 Fingerprint: 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
+Verisign Class 2 Public Primary Certification Authority - G2
+============================================================
+MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
-BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
-c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
-NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
-VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
-bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
-jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo
-RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4
-rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN
-BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp
-STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH
-ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ
-pA==
+MIIDAzCCAmwCEQC5L2DMiJ+hekYJuFtwbIqvMA0GCSqGSIb3DQEBBQUAMIHBMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xPDA6BgNVBAsTM0Ns
+YXNzIDIgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH
+MjE6MDgGA1UECxMxKGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9y
+aXplZCB1c2Ugb25seTEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazAe
+Fw05ODA1MTgwMDAwMDBaFw0yODA4MDEyMzU5NTlaMIHBMQswCQYDVQQGEwJVUzEX
+MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xPDA6BgNVBAsTM0NsYXNzIDIgUHVibGlj
+IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjE6MDgGA1UECxMx
+KGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s
+eTEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAp4gBIXQs5xoD8JjhlzwPIQjxnNuX6Zr8wgQGE75fUsjM
+HiwSViy4AWkszJkfrbCWrnkE8hM5wXuYuggs6MKEEyyqaekJ9MepAqRCwiNPStjw
+DqL7MWzJ5m+ZJwf15vRMeJ5t60aG+rmGyVTyssSv1EYcWskVMP8NbPUtDm3Of3cC
+AwEAATANBgkqhkiG9w0BAQUFAAOBgQByLvl/0fFx+8Se9sVeUYpAmLho+Jscg9ji
+nb3/7aHmZuovCfTK1+qlK5X2JGCGTUQug6XELaDTrnhpb3LabK4I8GOSN+a7xDAX
+rXfMSTWqz9iP0b63GJZHc2pUIjRkLbYWm1lbtFFZOrMLFPQS32eg9K0yZF6xRnIn
+jBJ7xUS0rg==
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            e4:9e:fd:f3:3a:e8:0e:cf:a5:11:3e:19:a4:24:02:32
+            b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
+        Validity
+            Not Before: May 18 00:00:00 1998 GMT
+            Not After : Aug  1 23:59:59 2028 GMT
+        Subject: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a7:88:01:21:74:2c:e7:1a:03:f0:98:e1:97:3c:
+                    0f:21:08:f1:9c:db:97:e9:9a:fc:c2:04:06:13:be:
+                    5f:52:c8:cc:1e:2c:12:56:2c:b8:01:69:2c:cc:99:
+                    1f:ad:b0:96:ae:79:04:f2:13:39:c1:7b:98:ba:08:
+                    2c:e8:c2:84:13:2c:aa:69:e9:09:f4:c7:a9:02:a4:
+                    42:c2:23:4f:4a:d8:f0:0e:a2:fb:31:6c:c9:e6:6f:
+                    99:27:07:f5:e6:f4:4c:78:9e:6d:eb:46:86:fa:b9:
+                    86:c9:54:f2:b2:c4:af:d4:46:1c:5a:c9:15:30:ff:
+                    0d:6c:f5:2d:0e:6d:ce:7f:77
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+        72:2e:f9:7f:d1:f1:71:fb:c4:9e:f6:c5:5e:51:8a:40:98:b8:
+        68:f8:9b:1c:83:d8:e2:9d:bd:ff:ed:a1:e6:66:ea:2f:09:f4:
+        ca:d7:ea:a5:2b:95:f6:24:60:86:4d:44:2e:83:a5:c4:2d:a0:
+        d3:ae:78:69:6f:72:da:6c:ae:08:f0:63:92:37:e6:bb:c4:30:
+        17:ad:77:cc:49:35:aa:cf:d8:8f:d1:be:b7:18:96:47:73:6a:
+        54:22:34:64:2d:b6:16:9b:59:5b:b4:51:59:3a:b3:0b:14:f4:
+        12:df:67:a0:f4:ad:32:64:5e:b1:46:72:27:8c:12:7b:c5:44:
+        b4:ae
+
+Verisign Class 3 Public Primary Certification Authority
+=======================================================
+MD5 Fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
+BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
+I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
+CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
+lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
+AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
         Signature Algorithm: md2WithRSAEncryption
         Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
         Validity
             Not Before: Jan 29 00:00:00 1996 GMT
-            Not After : Jan  7 23:59:59 2004 GMT
+            Not After : Aug  1 23:59:59 2028 GMT
         Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -1829,67 +3088,130 @@ Certificate Ingredients:
                     71:64:4c:65:2e:81:68:45:a7
                 Exponent: 65537 (0x10001)
     Signature Algorithm: md2WithRSAEncryption
-        61:70:ec:2f:3f:9e:fd:2b:e6:68:54:21:b0:67:79:08:0c:20:
-        96:31:8a:0d:7a:be:b6:26:df:79:2c:22:69:49:36:e3:97:77:
-        62:61:a2:32:d7:7a:54:21:36:ba:02:c9:34:e7:25:da:44:35:
-        b0:d2:5c:80:5d:b3:94:f8:f9:ac:ee:a4:60:75:2a:1f:95:49:
-        23:b1:4a:7c:f4:b3:47:72:21:5b:7e:97:ab:54:ac:62:e7:5d:
-        ec:ae:9b:d2:c9:b2:24:fb:82:ad:e9:67:15:4b:ba:aa:a6:f0:
-        97:a0:f6:b0:97:57:00:c8:0c:3c:09:a0:82:04:ba:41:da:f7:
-        99:a4
+        bb:4c:12:2b:cf:2c:26:00:4f:14:13:dd:a6:fb:fc:0a:11:84:
+        8c:f3:28:1c:67:92:2f:7c:b6:c5:fa:df:f0:e8:95:bc:1d:8f:
+        6c:2c:a8:51:cc:73:d8:a4:c0:53:f0:4e:d6:26:c0:76:01:57:
+        81:92:5e:21:f1:d1:b1:ff:e7:d0:21:58:cd:69:17:e3:44:1c:
+        9c:19:44:39:89:5c:dc:9c:00:0f:56:8d:02:99:ed:a2:90:45:
+        4c:e4:bb:10:a4:3d:f0:32:03:0e:f1:ce:f8:e8:c9:51:8c:e6:
+        62:9f:e6:9f:c0:7d:b7:72:9c:c9:36:3a:6b:9f:4e:a8:ff:64:
+        0d:64
 
-VeriSign Class 4 Primary CA
-===========================
-MD5 Fingerprint: 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
+Verisign Class 3 Public Primary Certification Authority - G2
+============================================================
+MD5 Fingerprint: A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
 PEM Data:
 -----BEGIN CERTIFICATE-----
-MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
-FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg
-UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
-Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
-biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1
-9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj
-IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd
-O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF
-AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ
-g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am
-yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q==
+MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
+MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
+emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
+DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
+YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
+MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
+pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
+13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID
+AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk
+U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i
+F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY
+oJ2daZH9
 -----END CERTIFICATE-----
 Certificate Ingredients:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            02:a6:00:00:01
-        Signature Algorithm: md2WithRSAEncryption
-        Issuer: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority
+            7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
         Validity
-            Not Before: Jan 29 00:00:00 1996 GMT
-            Not After : Dec 31 23:59:59 1999 GMT
-        Subject: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority
+            Not Before: May 18 00:00:00 1998 GMT
+            Not After : Aug  1 23:59:59 2028 GMT
+        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
-                    00:d0:b2:75:f6:78:d0:ae:5a:50:f4:e9:50:a9:9f:
-                    8c:d7:ef:91:94:70:e8:d2:24:90:76:89:85:d6:df:
-                    ac:e6:01:17:32:80:f0:9d:93:47:bc:9a:65:9d:1f:
-                    97:ae:bf:e9:86:75:63:20:89:bd:80:58:9d:04:0c:
-                    9d:a8:c1:24:e9:0b:e5:31:78:bd:fc:2d:0c:37:6a:
-                    9e:78:80:e9:46:75:f9:ed:a3:fb:13:7b:c8:c1:4c:
-                    d2:a3:ef:f5:3c:b0:62:8f:4a:5d:3b:dd:95:67:8f:
-                    13:b9:c1:3c:d6:a7:26:9b:ec:c3:3b:7a:d9:4d:bc:
-                    6d:9b:e8:15:01:e3:f0:47:a9
+                    00:cc:5e:d1:11:5d:5c:69:d0:ab:d3:b9:6a:4c:99:
+                    1f:59:98:30:8e:16:85:20:46:6d:47:3f:d4:85:20:
+                    84:e1:6d:b3:f8:a4:ed:0c:f1:17:0f:3b:f9:a7:f9:
+                    25:d7:c1:cf:84:63:f2:7c:63:cf:a2:47:f2:c6:5b:
+                    33:8e:64:40:04:68:c1:80:b9:64:1c:45:77:c7:d8:
+                    6e:f5:95:29:3c:50:e8:34:d7:78:1f:a8:ba:6d:43:
+                    91:95:8f:45:57:5e:7e:c5:fb:ca:a4:04:eb:ea:97:
+                    37:54:30:6f:bb:01:47:32:33:cd:dc:57:9b:64:69:
+                    61:f8:9b:1d:1c:89:4f:5c:67
                 Exponent: 65537 (0x10001)
-    Signature Algorithm: md2WithRSAEncryption
-        53:dd:d3:f0:9c:24:7e:40:aa:e2:fc:00:1a:d7:da:0c:fc:32:
-        61:b8:15:0d:96:f3:fa:57:1b:7f:33:7c:af:e9:98:9a:61:c8:
-        7a:b3:b7:ff:b1:dc:99:83:dc:ac:12:fc:70:c9:1f:38:42:ed:
-        44:f6:80:2e:5b:6b:33:69:ac:9c:d3:5c:e7:5f:5a:18:c7:b1:
-        2d:79:04:96:41:91:99:41:b1:3c:0d:ba:84:39:c6:3b:97:f0:
-        26:c9:8e:ee:bd:cc:42:95:ff:1e:c7:02:3f:54:0c:78:f5:bc:
-        aa:60:7c:02:69:e8:dc:ac:e2:02:76:61:c4:3e:03:ea:d2:8a:
-        24:d1
+    Signature Algorithm: sha1WithRSAEncryption
+        51:4d:cd:be:5c:cb:98:19:9c:15:b2:01:39:78:2e:4d:0f:67:
+        70:70:99:c6:10:5a:94:a4:53:4d:54:6d:2b:af:0d:5d:40:8b:
+        64:d3:d7:ee:de:56:61:92:5f:a6:c4:1d:10:61:36:d3:2c:27:
+        3c:e8:29:09:b9:11:64:74:cc:b5:73:9f:1c:48:a9:bc:61:01:
+        ee:e2:17:a6:0c:e3:40:08:3b:0e:e7:eb:44:73:2a:9a:f1:69:
+        92:ef:71:14:c3:39:ac:71:a7:91:09:6f:e4:71:06:b3:ba:59:
+        57:26:79:00:f6:f8:0d:a2:33:30:28:d4:aa:58:a0:9d:9d:69:
+        91:fd
+
+Verisign Class 4 Public Primary Certification Authority - G2
+============================================================
+MD5 Fingerprint: 26:6D:2C:19:98:B6:70:68:38:50:54:19:EC:90:34:60
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAmsCEDKIjprS9esTR/h/xCA3JfgwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
+c3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
+MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
+emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
+DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgNCBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
+YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
+MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQC68OTP+cSuhVS5B1f5j8V/aBH4xBewRNzjMHPVKmIquNDM
+HO0oW369atyzkSTKQWI8/AIBvxwWMZQFl3Zuoq29YRdsTjCG8FE3KlDHqGKB3FtK
+qsGgtG7rL+VXxbErQHDbWk2hjh+9Ax/YA9SPTJlxvOKCzFjomDqG04Y48wApHwID
+AQABMA0GCSqGSIb3DQEBBQUAA4GBAIWMEsGnuVAVess+rLhDityq3RS6iYF+ATwj
+cSGIL4LcY/oCRaxFWdcqWERbt5+BO5JoPeI3JPV7bI92NZYJqFmduc4jq3TWg/0y
+cyfYaT5DdPauxYma51N86Xv2S/PBZYPejYqcPIiNOVn8qj8ijaHBZlCBckztImRP
+T8qAkbYp
+-----END CERTIFICATE-----
+Certificate Ingredients:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            32:88:8e:9a:d2:f5:eb:13:47:f8:7f:c4:20:37:25:f8
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
+        Validity
+            Not Before: May 18 00:00:00 1998 GMT
+            Not After : Aug  1 23:59:59 2028 GMT
+        Subject: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:ba:f0:e4:cf:f9:c4:ae:85:54:b9:07:57:f9:8f:
+                    c5:7f:68:11:f8:c4:17:b0:44:dc:e3:30:73:d5:2a:
+                    62:2a:b8:d0:cc:1c:ed:28:5b:7e:bd:6a:dc:b3:91:
+                    24:ca:41:62:3c:fc:02:01:bf:1c:16:31:94:05:97:
+                    76:6e:a2:ad:bd:61:17:6c:4e:30:86:f0:51:37:2a:
+                    50:c7:a8:62:81:dc:5b:4a:aa:c1:a0:b4:6e:eb:2f:
+                    e5:57:c5:b1:2b:40:70:db:5a:4d:a1:8e:1f:bd:03:
+                    1f:d8:03:d4:8f:4c:99:71:bc:e2:82:cc:58:e8:98:
+                    3a:86:d3:86:38:f3:00:29:1f
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+        85:8c:12:c1:a7:b9:50:15:7a:cb:3e:ac:b8:43:8a:dc:aa:dd:
+        14:ba:89:81:7e:01:3c:23:71:21:88:2f:82:dc:63:fa:02:45:
+        ac:45:59:d7:2a:58:44:5b:b7:9f:81:3b:92:68:3d:e2:37:24:
+        f5:7b:6c:8f:76:35:96:09:a8:59:9d:b9:ce:23:ab:74:d6:83:
+        fd:32:73:27:d8:69:3e:43:74:f6:ae:c5:89:9a:e7:53:7c:e9:
+        7b:f6:4b:f3:c1:65:83:de:8d:8a:9c:3c:88:8d:39:59:fc:aa:
+        3f:22:8d:a1:c1:66:50:81:72:4c:ed:22:64:4f:4f:ca:80:91:
+        b6:29
 
 Verisign/RSA Commercial CA
 ==========================
diff --git a/usr.sbin/httpd/conf/ssl.crt/server.crt b/usr.sbin/httpd/conf/ssl.crt/server.crt
index bd81de479f9..7bce44938c4 100644
--- a/usr.sbin/httpd/conf/ssl.crt/server.crt
+++ b/usr.sbin/httpd/conf/ssl.crt/server.crt
@@ -1,24 +1 @@
------BEGIN CERTIFICATE-----
-MIID9zCCA7OgAwIBAgIBATALBgcqhkjOOAQDBQAwgakxCzAJBgNVBAYTAlhZMRUw
-EwYDVQQIEwxTbmFrZSBEZXNlcnQxEzARBgNVBAcTClNuYWtlIFRvd24xFzAVBgNV
-BAoTDlNuYWtlIE9pbCwgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3Jp
-dHkxFTATBgNVBAMTDFNuYWtlIE9pbCBDQTEeMBwGCSqGSIb3DQEJARYPY2FAc25h
-a2VvaWwuZG9tMB4XDTk5MDkyNjIzMjEwN1oXDTAwMDkyNTIzMjEwN1owgacxCzAJ
-BgNVBAYTAkNBMRUwEwYDVQQIEwxTbmFrZSBEZXNlcnQxEzARBgNVBAcTClNuYWtl
-IFRvd24xFzAVBgNVBAoTDlNuYWtlIE9pbCwgTHRkMRcwFQYDVQQLEw5XZWJzZXJ2
-ZXIgVGVhbTEZMBcGA1UEAxMQd3d3LnNuYWtlb2lsLmRvbTEfMB0GCSqGSIb3DQEJ
-ARYQd3d3QHNuYWtlb2lsLmRvbTCCAbYwggErBgcqhkjOOAQBMIIBHgKBgQDqP04J
-h4QoUWqPJZftxsgLdO54hGmvEYr2o2nqMjO/DbVuujr8QDnVWNRveEuVdrx6AftC
-chgIvdJS4LTqfvgOmIwsGYylADmycIRlBVHd5q1ocGldkeEBiY+cS5yv8ro1x4DR
-Cd0axmhBvTu2BRbippaK7PNALw5xs8eQch0KLQIVAJ8rT8F7NqIRASUjy1Bwx701
-zSIfAoGAT5RMEmjJ4HXOJ0GyIKAesFQhOy3gXXUfV4zXTpSMz8cQWfTqxLgVjkvZ
-Ct6SYcNmpaRnJyrmUdGD2uSwBcMkXj3G/NI/7n1C6ZuBTt1x6TCQA72nYh0xQaj/
-kbmhT2wNyONMx/sZO/WPUr0qvu/012FS2YlKtq3wRM4+XHz7jY0DgYQAAoGALQRQ
-WcPauYnMR1C58HkpE+0LRjJc7yBm0Cdj0pYkGc3u4xD22W/N4+59SOzBQyIs35Cj
-4K3zx0CzEjnhGG5pRIi4JPUARHtnPS+c+lWc9I+Mbj1q9UzEPncBf4Giwm8u5W94
-5t1yCnPT6Gim3X6hfl1MpOY6RfJ5FtoO7hc2gKCjbDBqMBsGA1UdEQQUMBKBEHd3
-d0BzbmFrZW9pbC5kb20wOAYJYIZIAYb4QgENBCsWKW1vZF9zc2wgZ2VuZXJhdGVk
-IHRlc3Qgc2VydmVyIGNlcnRpZmljYXRlMBEGCWCGSAGG+EIBAQQEAwIGQDALBgcq
-hkjOOAQDBQADMQAwLgIVAJO78wM4d3V8yqbYVe2qutyRchITAhUAhj4Ugp5BW4TL
-f7d80PTwfN2OZps=
------END CERTIFICATE-----
+THIS FILE HAS TO BE REPLACED BY A REAL SERVER CERTIFICATE! (SKIPME)
diff --git a/usr.sbin/httpd/conf/ssl.crt/snakeoil-ca-dsa.crt b/usr.sbin/httpd/conf/ssl.crt/snakeoil-ca-dsa.crt
index 059b9500d3a..4f4aaf63084 100644
--- a/usr.sbin/httpd/conf/ssl.crt/snakeoil-ca-dsa.crt
+++ b/usr.sbin/httpd/conf/ssl.crt/snakeoil-ca-dsa.crt
@@ -1,22 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIDsjCCA3CgAwIBAgIBADALBgcqhkjOOAQDBQAwgakxCzAJBgNVBAYTAlhZMRUw
+MIIEEzCCA8+gAwIBAgIBADALBgcqhkjOOAQDBQAwga8xCzAJBgNVBAYTAlhZMRUw
 EwYDVQQIEwxTbmFrZSBEZXNlcnQxEzARBgNVBAcTClNuYWtlIFRvd24xFzAVBgNV
-BAoTDlNuYWtlIE9pbCwgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3Jp
-dHkxFTATBgNVBAMTDFNuYWtlIE9pbCBDQTEeMBwGCSqGSIb3DQEJARYPY2FAc25h
-a2VvaWwuZG9tMB4XDTk5MDIyNTEzMjgyOFoXDTAwMDIyNTEzMjgyOFowgakxCzAJ
-BgNVBAYTAlhZMRUwEwYDVQQIEwxTbmFrZSBEZXNlcnQxEzARBgNVBAcTClNuYWtl
-IFRvd24xFzAVBgNVBAoTDlNuYWtlIE9pbCwgTHRkMR4wHAYDVQQLExVDZXJ0aWZp
-Y2F0ZSBBdXRob3JpdHkxFTATBgNVBAMTDFNuYWtlIE9pbCBDQTEeMBwGCSqGSIb3
-DQEJARYPY2FAc25ha2VvaWwuZG9tMIIBtzCCASsGByqGSM44BAEwggEeAoGBAOo/
-TgmHhChRao8ll+3GyAt07niEaa8RivajaeoyM78NtW66OvxAOdVY1G94S5V2vHoB
-+0JyGAi90lLgtOp++A6YjCwZjKUAObJwhGUFUd3mrWhwaV2R4QGJj5xLnK/yujXH
-gNEJ3RrGaEG9O7YFFuKmlors80AvDnGzx5ByHQotAhUAnytPwXs2ohEBJSPLUHDH
-vTXNIh8CgYBPlEwSaMngdc4nQbIgoB6wVCE7LeBddR9XjNdOlIzPxxBZ9OrEuBWO
-S9kK3pJhw2alpGcnKuZR0YPa5LAFwyRePcb80j/ufULpm4FO3XHpMJADvadiHTFB
-qP+RuaFPbA3I40zH+xk79Y9SvSq+7/TXYVLZiUq2rfBEzj5cfPuNjQOBhQACgYEA
-h81lHQjrZEuzKJe/hOymQW10xT1LusO2F3Zs5IIokxqSW7UQTpsqQkyvgJOUOF55
-Lj/WOdLwqtSPnge2xl7R2fNLvLLKkAySIoG3PRJMLlLM2CuXOku3sNHLLr/vWfEY
-G4le4h8I9YKM89oE/Mdn2SfAbumwCfZA7uv4Xj1YOkajJjAkMA8GA1UdEwQIMAYB
-Af8CAQAwEQYJYIZIAYb4QgEBBAQDAgAHMAsGByqGSM44BAMFAAMvADAsAhQlr1HV
-alYuS4uwZcY6I/5JzSZVhgIUS7sP0rSX0jF5l9gKI7syp34QNWE=
+BAoTDlNuYWtlIE9pbCwgTHRkMSQwIgYDVQQLExtDZXJ0aWZpY2F0ZSBBdXRob3Jp
+dHkgKERTQSkxFTATBgNVBAMTDFNuYWtlIE9pbCBDQTEeMBwGCSqGSIb3DQEJARYP
+Y2FAc25ha2VvaWwuZG9tMB4XDTk5MTAyMTE4MjkzN1oXDTAxMTAyMDE4MjkzN1ow
+ga8xCzAJBgNVBAYTAlhZMRUwEwYDVQQIEwxTbmFrZSBEZXNlcnQxEzARBgNVBAcT
+ClNuYWtlIFRvd24xFzAVBgNVBAoTDlNuYWtlIE9pbCwgTHRkMSQwIgYDVQQLExtD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkgKERTQSkxFTATBgNVBAMTDFNuYWtlIE9pbCBD
+QTEeMBwGCSqGSIb3DQEJARYPY2FAc25ha2VvaWwuZG9tMIIBtjCCASsGByqGSM44
+BAEwggEeAoGBAIufVdfx9oweG3NK2n3BjoFVM+4RT1ukyaGtvq+Bo1nLh1N7pVLz
+invAZ6mrkJCN84vgeN1r6DXbHO2jy7EGQIM73xeD2rzoJjjkdmT6robIY4tlI4Px
+xAfCHWhQ/rmzlPPTXw4UHOkjdsfF87pph6VZjOIOIUqnUGtR25r6krhJAhUA8sdJ
+X0VLPxnsgc6DVmvkfzahA6UCgYBZI9bJ9Vc8AXyHYYNv5x/3uTjhWQdn5HGl7waC
+GV8Gf0vcRJZRk04kx8MuWfLt1K1hT3xVNU16SJ1i5oGy/ISQWufLs0JSaK5pKdfh
+SO0UOQ2Ff2PlhsJEYuaxzzrkBPngpG7fU7b90ocujo2AU+KuKMfL30cngtFj1n0e
+RdXOzAOBhAACgYAsjVZYJl5pyLiRK+FfLF6dMI1BCRzyz3/EK4CLh1XjZ5IZCi6b
+dua9YTVwum4w8buOE86P2zC/9Z9tpEpn1Joqf68jgjmzPKNpaO2AiQQC5UkzGzpx
+EVagyIzL0FP+WIM0ABLodiyoDkmPydPpllQjnG/O9na5o4gkrgxsqNKQLKN6MHgw
+GgYDVR0RBBMwEYEPY2FAc25ha2VvaWwuZG9tMA8GA1UdEwQIMAYBAf8CAQAwNgYJ
+YIZIAYb4QgENBCkWJ21vZF9zc2wgZ2VuZXJhdGVkIGN1c3RvbSBDQSBjZXJ0aWZp
+Y2F0ZTARBglghkgBhvhCAQEEBAMCAgQwCwYHKoZIzjgEAwUAAzEAMC4CFQC/d4P2
+0mWRROo+DKuNJDnnjQ9NmQIVAKs5D8EhoYBwBm4IwOsuvd3YWoVa
 -----END CERTIFICATE-----
diff --git a/usr.sbin/httpd/conf/ssl.crt/snakeoil-ca-rsa.crt b/usr.sbin/httpd/conf/ssl.crt/snakeoil-ca-rsa.crt
index d93b2785396..cc473b3fc9e 100644
--- a/usr.sbin/httpd/conf/ssl.crt/snakeoil-ca-rsa.crt
+++ b/usr.sbin/httpd/conf/ssl.crt/snakeoil-ca-rsa.crt
@@ -1,18 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIC8DCCAlmgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
+MIIDRDCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
 FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG
 A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv
 cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz
-bmFrZW9pbC5kb20wHhcNOTgxMDA4MTc0MDE5WhcNOTkxMDA4MTc0MDE5WjCBqTEL
+bmFrZW9pbC5kb20wHhcNOTkxMDIxMTgyMTQ2WhcNMDExMDIwMTgyMTQ2WjCBqTEL
 MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h
 a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRp
 ZmljYXRlIEF1dGhvcml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZI
 hvcNAQkBFg9jYUBzbmFrZW9pbC5kb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBAKlxCqDvA2n8morNiVc3u56jIAsufQSV0KXDZ5Qr0VGoy7MYugy5wFS9mt7M
-v6o0SE3bCYM8LhoqIEuUq/zQkUchfpsy9QZRVzje/tb26I8AIOG+aTRrFlBBPgTu
-Ddb4Zz6pvkTRncv33C7mfN5Nq6gLYLmPJZN10Vejt22VQ4oFAgMBAAGjJjAkMA8G
-A1UdEwQIMAYBAf8CAQAwEQYJYIZIAYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBBAUA
-A4GBAAii8jwWUAwJlpE3KxKXBG0bm5QqWN2zsD0mXtZOt1Zwpwkb+pr7pezCQGzG
-ivx1vfoVVjPRDYwDzAWBJLbrjTjfAIEpGOvjajw4QzbdAIjWcvNiOVa/DzkUyXW7
-yLuGsFm84kXrtbpSZTSC+s1NFvEUboHxFs1JhtiFzpDBsPzP
+AoGBANiTGAmWoiB2Qx3SbwFXwjbqU9ZwnfBE5Er1h1kNh487D782I8mcT/CzxmsH
+evK3heBKTEno+jB0y5p4+QShxryaMUUbRoOGfrlrVwc/dbwJQz7UNyqDlWnvnW4p
+TfdVd+8JlCpYFB23Z7bmpUV1Xy6VFKBahzIhzITaux1vvEPLAgMBAAGjejB4MBoG
+A1UdEQQTMBGBD2NhQHNuYWtlb2lsLmRvbTAPBgNVHRMECDAGAQH/AgEAMDYGCWCG
+SAGG+EIBDQQpFidtb2Rfc3NsIGdlbmVyYXRlZCBjdXN0b20gQ0EgY2VydGlmaWNh
+dGUwEQYJYIZIAYb4QgEBBAQDAgIEMA0GCSqGSIb3DQEBBAUAA4GBAImhzPY4PBRt
+PQbAQBAmHIBRcb69iTbFC+dghnVJQ3F549rZapY420kQDKQ6aCybPFmxJ/Rf27gY
+FuAuo+B8EEVX0lU8VUSEhYQedODnQ3skwcT02g4b33GkzH7ED2N9kaa6U65UUrcE
+KXJgz7tmAQHnTc9K1g2qIApIjnr3FrrJ
 -----END CERTIFICATE-----
diff --git a/usr.sbin/httpd/conf/ssl.crt/snakeoil-dsa.crt b/usr.sbin/httpd/conf/ssl.crt/snakeoil-dsa.crt
index 476424f84d9..4b7b90ef0e7 100644
--- a/usr.sbin/httpd/conf/ssl.crt/snakeoil-dsa.crt
+++ b/usr.sbin/httpd/conf/ssl.crt/snakeoil-dsa.crt
@@ -1,22 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIDnzCCA1ygAwIBAgIBFTALBgcqhkjOOAQDBQAwgakxCzAJBgNVBAYTAlhZMRUw
+MIIEAzCCA8GgAwIBAgIBATALBgcqhkjOOAQDBQAwga8xCzAJBgNVBAYTAlhZMRUw
 EwYDVQQIEwxTbmFrZSBEZXNlcnQxEzARBgNVBAcTClNuYWtlIFRvd24xFzAVBgNV
-BAoTDlNuYWtlIE9pbCwgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3Jp
-dHkxFTATBgNVBAMTDFNuYWtlIE9pbCBDQTEeMBwGCSqGSIb3DQEJARYPY2FAc25h
-a2VvaWwuZG9tMB4XDTk5MDIyNTEzMjgzMloXDTAwMDIyNTEzMjgzMlowgacxCzAJ
-BgNVBAYTAlhZMRUwEwYDVQQIEwxTbmFrZSBEZXNlcnQxEzARBgNVBAcTClNuYWtl
-IFRvd24xFzAVBgNVBAoTDlNuYWtlIE9pbCwgTHRkMRcwFQYDVQQLEw5XZWJzZXJ2
-ZXIgVGVhbTEZMBcGA1UEAxMQd3d3LnNuYWtlb2lsLmRvbTEfMB0GCSqGSIb3DQEJ
-ARYQd3d3QHNuYWtlb2lsLmRvbTCCAbYwggErBgcqhkjOOAQBMIIBHgKBgQDqP04J
-h4QoUWqPJZftxsgLdO54hGmvEYr2o2nqMjO/DbVuujr8QDnVWNRveEuVdrx6AftC
-chgIvdJS4LTqfvgOmIwsGYylADmycIRlBVHd5q1ocGldkeEBiY+cS5yv8ro1x4DR
-Cd0axmhBvTu2BRbippaK7PNALw5xs8eQch0KLQIVAJ8rT8F7NqIRASUjy1Bwx701
-zSIfAoGAT5RMEmjJ4HXOJ0GyIKAesFQhOy3gXXUfV4zXTpSMz8cQWfTqxLgVjkvZ
-Ct6SYcNmpaRnJyrmUdGD2uSwBcMkXj3G/NI/7n1C6ZuBTt1x6TCQA72nYh0xQaj/
-kbmhT2wNyONMx/sZO/WPUr0qvu/012FS2YlKtq3wRM4+XHz7jY0DgYQAAoGAHX6Q
-e2/rMmZewuBxGtyyzzRt7UJcc4c8y2JNRctygdxwGsZD06i6reR8l6wIaLFhZl8b
-3DkLNvzssTXsOcR7x82bv9vmknLvjQk3FRJvmfpSAPcNRBUk/1L8UKHkfAP6B31A
-h7tRlG36W/iBw1cighqTnDxnNDqv6Wgbd7REtxSjFTATMBEGCWCGSAGG+EIBAQQE
-AwIAQDALBgcqhkjOOAQDBQADMAAwLQIUTpfmWwLjKYJFFX5p8fvra8No7CwCFQCL
-0q3LdCx1EsUtmsgakN6Yru18Fw==
+BAoTDlNuYWtlIE9pbCwgTHRkMSQwIgYDVQQLExtDZXJ0aWZpY2F0ZSBBdXRob3Jp
+dHkgKERTQSkxFTATBgNVBAMTDFNuYWtlIE9pbCBDQTEeMBwGCSqGSIb3DQEJARYP
+Y2FAc25ha2VvaWwuZG9tMB4XDTk5MTAyMTE4Mjk1MFoXDTAxMTAyMDE4Mjk1MFow
+ga0xCzAJBgNVBAYTAlhZMRUwEwYDVQQIEwxTbmFrZSBEZXNlcnQxEzARBgNVBAcT
+ClNuYWtlIFRvd24xFzAVBgNVBAoTDlNuYWtlIE9pbCwgTHRkMR0wGwYDVQQLExRX
+ZWJzZXJ2ZXIgVGVhbSAoRFNBKTEZMBcGA1UEAxMQd3d3LnNuYWtlb2lsLmRvbTEf
+MB0GCSqGSIb3DQEJARYQd3d3QHNuYWtlb2lsLmRvbTCCAbYwggErBgcqhkjOOAQB
+MIIBHgKBgQCLn1XX8faMHhtzStp9wY6BVTPuEU9bpMmhrb6vgaNZy4dTe6VS84p7
+wGepq5CQjfOL4Hjda+g12xzto8uxBkCDO98Xg9q86CY45HZk+q6GyGOLZSOD8cQH
+wh1oUP65s5Tz018OFBzpI3bHxfO6aYelWYziDiFKp1BrUdua+pK4SQIVAPLHSV9F
+Sz8Z7IHOg1Zr5H82oQOlAoGAWSPWyfVXPAF8h2GDb+cf97k44VkHZ+Rxpe8Gghlf
+Bn9L3ESWUZNOJMfDLlny7dStYU98VTVNekidYuaBsvyEkFrny7NCUmiuaSnX4Ujt
+FDkNhX9j5YbCRGLmsc865AT54KRu31O2/dKHLo6NgFPirijHy99HJ4LRY9Z9HkXV
+zswDgYQAAoGAcARR9kHyvPAuiSlt2ofunB0OA3qIpbcYutu1jeR3EC8JDxp/lrWE
+mYxubcOLaqqIJifiD9hf+RuhSNg0D+0A7yjXgFPI13Loo7lqNu0trG4ULV4GUU2b
+zoxp/PQQtJiB4B0DJCO789+ZsdUpJN1Tat3ocIRgryZb6Hor9ifF9iGjbjBsMBsG
+A1UdEQQUMBKBEHd3d0BzbmFrZW9pbC5kb20wOgYJYIZIAYb4QgENBC0WK21vZF9z
+c2wgZ2VuZXJhdGVkIGN1c3RvbSBzZXJ2ZXIgY2VydGlmaWNhdGUwEQYJYIZIAYb4
+QgEBBAQDAgZAMAsGByqGSM44BAMFAAMvADAsAhRXQ6Pm1pLo0Du/A7Lg1ILzncj5
+3gIUBHvNEBKuqJERC8Zt7LECsjmrVMM=
 -----END CERTIFICATE-----
diff --git a/usr.sbin/httpd/conf/ssl.crt/snakeoil-rsa.crt b/usr.sbin/httpd/conf/ssl.crt/snakeoil-rsa.crt
index cec878433ab..18747b9732a 100644
--- a/usr.sbin/httpd/conf/ssl.crt/snakeoil-rsa.crt
+++ b/usr.sbin/httpd/conf/ssl.crt/snakeoil-rsa.crt
@@ -1,18 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
+MIIDNjCCAp+gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
 FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG
 A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv
 cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz
-bmFrZW9pbC5kb20wHhcNOTgxMDIxMDg1ODM2WhcNOTkxMDIxMDg1ODM2WjCBpzEL
+bmFrZW9pbC5kb20wHhcNOTkxMDIxMTgyMTUxWhcNMDExMDIwMTgyMTUxWjCBpzEL
 MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h
 a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl
 cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN
 AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQDH9Ge/s2zcH+da+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAcZ64n+Dy7Np8b
-vKR+yy5DGQiijsH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiCxdKzdif1yfaa
-lWoANFlAzlSdbxeGVHoT0K+gT5w3UxwZKv2DLbCTzLZyPwIDAQABoyYwJDAPBgNV
-HRMECDAGAQH/AgEAMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQQFAAOB
-gQAZUIHAL4D09oE6Lv2k56Gp38OBDuILvwLg1v1KL8mQR+KFjghCrtpqaztZqcDt
-2q2QoyulCgSzHbEGmi0EsdkPfg6mp0penssIFePYNI+/8u9HT4LuKMJX15hxBam7
-dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ==
+gQC554Ro+VH0dJONqljPBW+C72MDNGNy9eXnzejXrczsHs3Pc92Vaat6CpIEEGue
+yG29xagb1o7Gj2KRgpVYcmdx6tHd2JkFW5BcFVfWXL42PV4rf9ziYon8jWsbK2aE
++L6hCtcbxdbHOGZdSIWZJwc/1Vs70S/7ImW+Zds8YEFiAwIDAQABo24wbDAbBgNV
+HREEFDASgRB3d3dAc25ha2VvaWwuZG9tMDoGCWCGSAGG+EIBDQQtFittb2Rfc3Ns
+IGdlbmVyYXRlZCBjdXN0b20gc2VydmVyIGNlcnRpZmljYXRlMBEGCWCGSAGG+EIB
+AQQEAwIGQDANBgkqhkiG9w0BAQQFAAOBgQB6MRsYGTXUR53/nTkRDQlBdgCcnhy3
+hErfmPNl/Or5jWOmuufeIXqCvM6dK7kW/KBboui4pffIKUVafLUMdARVV6BpIGMI
+5LmVFK3sgwuJ01v/90hCt4kTWoT8YHbBLtQh7PzWgJoBAY7MJmjSguYCRt91sU4K
+s0dfWsdItkw4uQ==
 -----END CERTIFICATE-----
diff --git a/usr.sbin/httpd/conf/ssl.csr/server.csr b/usr.sbin/httpd/conf/ssl.csr/server.csr
index ee662f9980f..756b9c0e1cd 100644
--- a/usr.sbin/httpd/conf/ssl.csr/server.csr
+++ b/usr.sbin/httpd/conf/ssl.csr/server.csr
@@ -1,17 +1 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICqzCCAmkCAQAwgacxCzAJBgNVBAYTAkNBMRUwEwYDVQQIEwxTbmFrZSBEZXNl
-cnQxEzARBgNVBAcTClNuYWtlIFRvd24xFzAVBgNVBAoTDlNuYWtlIE9pbCwgTHRk
-MRcwFQYDVQQLEw5XZWJzZXJ2ZXIgVGVhbTEZMBcGA1UEAxMQd3d3LnNuYWtlb2ls
-LmRvbTEfMB0GCSqGSIb3DQEJARYQd3d3QHNuYWtlb2lsLmRvbTCCAbYwggErBgcq
-hkjOOAQBMIIBHgKBgQDqP04Jh4QoUWqPJZftxsgLdO54hGmvEYr2o2nqMjO/DbVu
-ujr8QDnVWNRveEuVdrx6AftCchgIvdJS4LTqfvgOmIwsGYylADmycIRlBVHd5q1o
-cGldkeEBiY+cS5yv8ro1x4DRCd0axmhBvTu2BRbippaK7PNALw5xs8eQch0KLQIV
-AJ8rT8F7NqIRASUjy1Bwx701zSIfAoGAT5RMEmjJ4HXOJ0GyIKAesFQhOy3gXXUf
-V4zXTpSMz8cQWfTqxLgVjkvZCt6SYcNmpaRnJyrmUdGD2uSwBcMkXj3G/NI/7n1C
-6ZuBTt1x6TCQA72nYh0xQaj/kbmhT2wNyONMx/sZO/WPUr0qvu/012FS2YlKtq3w
-RM4+XHz7jY0DgYQAAoGALQRQWcPauYnMR1C58HkpE+0LRjJc7yBm0Cdj0pYkGc3u
-4xD22W/N4+59SOzBQyIs35Cj4K3zx0CzEjnhGG5pRIi4JPUARHtnPS+c+lWc9I+M
-bj1q9UzEPncBf4Giwm8u5W945t1yCnPT6Gim3X6hfl1MpOY6RfJ5FtoO7hc2gKCg
-ADALBgcqhkjOOAQDBQADLwAwLAIUIw3mxHOCnxC1f5iF+f8mMyO2Y2QCFEuacVDH
-ah8yODb2kWvXNfDYlCb+
------END CERTIFICATE REQUEST-----
+THIS FILE HAS TO BE REPLACED BY A REAL SERVER CERTIFICATE SIGNING REQUEST! (SKIPME)
diff --git a/usr.sbin/httpd/conf/ssl.key/server.key b/usr.sbin/httpd/conf/ssl.key/server.key
index e69de29bb2d..e002ef03693 100644
--- a/usr.sbin/httpd/conf/ssl.key/server.key
+++ b/usr.sbin/httpd/conf/ssl.key/server.key
@@ -0,0 +1 @@
+THIS FILE HAS TO BE REPLACED BY A REAL SERVER PRIVATE KEY! (SKIPME)
diff --git a/usr.sbin/httpd/conf/ssl.key/snakeoil-ca-dsa.key b/usr.sbin/httpd/conf/ssl.key/snakeoil-ca-dsa.key
index 7097968c4d8..89169da7ba7 100644
--- a/usr.sbin/httpd/conf/ssl.key/snakeoil-ca-dsa.key
+++ b/usr.sbin/httpd/conf/ssl.key/snakeoil-ca-dsa.key
@@ -1,12 +1,12 @@
 -----BEGIN DSA PRIVATE KEY-----
-MIIBuwIBAAKBgQDqP04Jh4QoUWqPJZftxsgLdO54hGmvEYr2o2nqMjO/DbVuujr8
-QDnVWNRveEuVdrx6AftCchgIvdJS4LTqfvgOmIwsGYylADmycIRlBVHd5q1ocGld
-keEBiY+cS5yv8ro1x4DRCd0axmhBvTu2BRbippaK7PNALw5xs8eQch0KLQIVAJ8r
-T8F7NqIRASUjy1Bwx701zSIfAoGAT5RMEmjJ4HXOJ0GyIKAesFQhOy3gXXUfV4zX
-TpSMz8cQWfTqxLgVjkvZCt6SYcNmpaRnJyrmUdGD2uSwBcMkXj3G/NI/7n1C6ZuB
-Tt1x6TCQA72nYh0xQaj/kbmhT2wNyONMx/sZO/WPUr0qvu/012FS2YlKtq3wRM4+
-XHz7jY0CgYEAh81lHQjrZEuzKJe/hOymQW10xT1LusO2F3Zs5IIokxqSW7UQTpsq
-QkyvgJOUOF55Lj/WOdLwqtSPnge2xl7R2fNLvLLKkAySIoG3PRJMLlLM2CuXOku3
-sNHLLr/vWfEYG4le4h8I9YKM89oE/Mdn2SfAbumwCfZA7uv4Xj1YOkYCFE36t8V/
-6xxtOIFKQSn1nX+Oi7vn
+MIIBuwIBAAKBgQCLn1XX8faMHhtzStp9wY6BVTPuEU9bpMmhrb6vgaNZy4dTe6VS
+84p7wGepq5CQjfOL4Hjda+g12xzto8uxBkCDO98Xg9q86CY45HZk+q6GyGOLZSOD
+8cQHwh1oUP65s5Tz018OFBzpI3bHxfO6aYelWYziDiFKp1BrUdua+pK4SQIVAPLH
+SV9FSz8Z7IHOg1Zr5H82oQOlAoGAWSPWyfVXPAF8h2GDb+cf97k44VkHZ+Rxpe8G
+ghlfBn9L3ESWUZNOJMfDLlny7dStYU98VTVNekidYuaBsvyEkFrny7NCUmiuaSnX
+4UjtFDkNhX9j5YbCRGLmsc865AT54KRu31O2/dKHLo6NgFPirijHy99HJ4LRY9Z9
+HkXVzswCgYAsjVZYJl5pyLiRK+FfLF6dMI1BCRzyz3/EK4CLh1XjZ5IZCi6bdua9
+YTVwum4w8buOE86P2zC/9Z9tpEpn1Joqf68jgjmzPKNpaO2AiQQC5UkzGzpxEVag
+yIzL0FP+WIM0ABLodiyoDkmPydPpllQjnG/O9na5o4gkrgxsqNKQLAIVANDb2WME
+cYQBeW7FgeCXtSBf75d/
 -----END DSA PRIVATE KEY-----
diff --git a/usr.sbin/httpd/conf/ssl.key/snakeoil-ca-rsa.key b/usr.sbin/httpd/conf/ssl.key/snakeoil-ca-rsa.key
index 4b5679f9cf8..e224be4ebe4 100644
--- a/usr.sbin/httpd/conf/ssl.key/snakeoil-ca-rsa.key
+++ b/usr.sbin/httpd/conf/ssl.key/snakeoil-ca-rsa.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCpcQqg7wNp/JqKzYlXN7ueoyALLn0EldClw2eUK9FRqMuzGLoM
-ucBUvZrezL+qNEhN2wmDPC4aKiBLlKv80JFHIX6bMvUGUVc43v7W9uiPACDhvmk0
-axZQQT4E7g3W+Gc+qb5E0Z3L99wu5nzeTauoC2C5jyWTddFXo7dtlUOKBQIDAQAB
-AoGAWZ8Y6BaDz8N0WoZsZl1sN3RAtqlYJty3B3ZbitvCU1bcp1Yk0iZNvIStLbtO
-hVAyDjwUw/1IxT4S5uc0MPyAWiozasjCkyDpZ4spNWn1HLq1ZITZR9eZAN33EGBl
-3UH2uw7Neq431EBPlrWb2thoWS373CtgC+jlzHulT7WEE+ECQQDhWXxiRH+XBf4D
-BJcwoiL7AMqtXfdbQdaUOvWypInXdrkg8Ghgw7cxMlzzP8niD0mGQpwLvHKtIW26
-tlRGarXnAkEAwHzg7RFzQ6XzCqV2hQfOJ9l+Uw3cz8eIdC0UI8qvUsZcBLGrFJtv
-wq0x602ARYnskGyPQDQyQ9wCATbltYCrMwJAeMt5C0vggNnrcT6ytJUU3ytreUcX
-YsmF9mssbRgZ829miSuVJ9mBh1OR06pr00uSg++MqhXX+soigaVew2hMHQJAQI3g
-9UCj8m0GPGzPeb/rYKvtVLdSdZCKb8PqfDJuaAlENQLMyGV0rspc8ngUa73cy3bM
-+BBJRz7SoUui8CMNxwJBAIkOdzotkWCqq4osI0qhzpEOnTlin+iehPl6GdXtn7c/
-AZKiqek6Dr5hms3IdCfV+B8xq2E+IWmx4TJDSbMfS3E=
+MIICXQIBAAKBgQDYkxgJlqIgdkMd0m8BV8I26lPWcJ3wRORK9YdZDYePOw+/NiPJ
+nE/ws8ZrB3ryt4XgSkxJ6PowdMuaePkEoca8mjFFG0aDhn65a1cHP3W8CUM+1Dcq
+g5Vp751uKU33VXfvCZQqWBQdt2e25qVFdV8ulRSgWocyIcyE2rsdb7xDywIDAQAB
+AoGAEIvUZ08h3dcLM6kTIAgjZ2ypsRVzi5rH0k5F4/DbrX62qkYpn8qYdOxXOXAd
+3ZNV4BftEiyBiNgzgf7CD6+IblZUqkc1dUc96AJH16CUXM/favAHhIoSdyhrnAH8
+O9UN1KxlzUpvLDOelbOdL4/4sQ0XXqd9DJcZkeKc4zCi35kCQQD43SlsTDBeO7ae
+Ig5qnJ/g2V2V4bPh1xTH7LjxthsksOqPUEt3DgRmRVq+qeDyyxN49V9uFYf8oXDl
+1FchPranAkEA3sjny2sxBNIBGtPVLGFl+aukBRkNOdmssVcBudsnigOEL0lbd4Wu
+07ok0zeCuAu+yHRYJKY4eqWVGQJ/DtUSPQJBAIqxVuCQJXSe+stuV3J7D28UNN/P
+BZ0bbO1utDOhNcdhAZgVO7mCClmk1UnlCwTEwHls5l5HiZ31qyGrEVPpy4kCQDfR
+VmIdBTcT9rrmAC8SaB5Z5spwMGQiKaZ1CjWqtwlZQDEozAXyNI9PwBI7gkDikHZg
+0AS+sL/p5KVTfsoUkHECQQDWCSgpZ8k7EajS1RWIGH/GcFT/GaKX8yiMIP2S3Atc
+nl7yMj8yw+1N503FF0aRwimryXQt/VHVYjtYsSAgNU/i
 -----END RSA PRIVATE KEY-----
diff --git a/usr.sbin/httpd/conf/ssl.key/snakeoil-dsa.key b/usr.sbin/httpd/conf/ssl.key/snakeoil-dsa.key
index c902a35e1f8..0f78bd0fd57 100644
--- a/usr.sbin/httpd/conf/ssl.key/snakeoil-dsa.key
+++ b/usr.sbin/httpd/conf/ssl.key/snakeoil-dsa.key
@@ -1,12 +1,12 @@
 -----BEGIN DSA PRIVATE KEY-----
-MIIBugIBAAKBgQDqP04Jh4QoUWqPJZftxsgLdO54hGmvEYr2o2nqMjO/DbVuujr8
-QDnVWNRveEuVdrx6AftCchgIvdJS4LTqfvgOmIwsGYylADmycIRlBVHd5q1ocGld
-keEBiY+cS5yv8ro1x4DRCd0axmhBvTu2BRbippaK7PNALw5xs8eQch0KLQIVAJ8r
-T8F7NqIRASUjy1Bwx701zSIfAoGAT5RMEmjJ4HXOJ0GyIKAesFQhOy3gXXUfV4zX
-TpSMz8cQWfTqxLgVjkvZCt6SYcNmpaRnJyrmUdGD2uSwBcMkXj3G/NI/7n1C6ZuB
-Tt1x6TCQA72nYh0xQaj/kbmhT2wNyONMx/sZO/WPUr0qvu/012FS2YlKtq3wRM4+
-XHz7jY0CgYAdfpB7b+syZl7C4HEa3LLPNG3tQlxzhzzLYk1Fy3KB3HAaxkPTqLqt
-5HyXrAhosWFmXxvcOQs2/OyxNew5xHvHzZu/2+aScu+NCTcVEm+Z+lIA9w1EFST/
-UvxQoeR8A/oHfUCHu1GUbfpb+IHDVyKCGpOcPGc0Oq/paBt3tES3FAIUN8K7/R9o
-3WNST0oFx9RaJ5YSiq8=
+MIIBuwIBAAKBgQCLn1XX8faMHhtzStp9wY6BVTPuEU9bpMmhrb6vgaNZy4dTe6VS
+84p7wGepq5CQjfOL4Hjda+g12xzto8uxBkCDO98Xg9q86CY45HZk+q6GyGOLZSOD
+8cQHwh1oUP65s5Tz018OFBzpI3bHxfO6aYelWYziDiFKp1BrUdua+pK4SQIVAPLH
+SV9FSz8Z7IHOg1Zr5H82oQOlAoGAWSPWyfVXPAF8h2GDb+cf97k44VkHZ+Rxpe8G
+ghlfBn9L3ESWUZNOJMfDLlny7dStYU98VTVNekidYuaBsvyEkFrny7NCUmiuaSnX
+4UjtFDkNhX9j5YbCRGLmsc865AT54KRu31O2/dKHLo6NgFPirijHy99HJ4LRY9Z9
+HkXVzswCgYBwBFH2QfK88C6JKW3ah+6cHQ4Deoiltxi627WN5HcQLwkPGn+WtYSZ
+jG5tw4tqqogmJ+IP2F/5G6FI2DQP7QDvKNeAU8jXcuijuWo27S2sbhQtXgZRTZvO
+jGn89BC0mIHgHQMkI7vz35mx1Skk3VNq3ehwhGCvJlvoeiv2J8X2IQIVAOTRp7zp
+En7QlXnXw1s7xXbbuKP0
 -----END DSA PRIVATE KEY-----
diff --git a/usr.sbin/httpd/conf/ssl.key/snakeoil-rsa.key b/usr.sbin/httpd/conf/ssl.key/snakeoil-rsa.key
index 892ced51e22..6e3cbd90485 100644
--- a/usr.sbin/httpd/conf/ssl.key/snakeoil-rsa.key
+++ b/usr.sbin/httpd/conf/ssl.key/snakeoil-rsa.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDH9Ge/s2zcH+da+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAc
-Z64n+Dy7Np8bvKR+yy5DGQiijsH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiC
-xdKzdif1yfaalWoANFlAzlSdbxeGVHoT0K+gT5w3UxwZKv2DLbCTzLZyPwIDAQAB
-AoGBAJe+252YRV0ouSNKb36hlhc3uFVpU7vNlV1XiGrO8yauqKcbbtCfvoOG2FAb
-u9QI7a1r9MfnD66OOJQKcyKiv6mcR0FpDI/vwmcPiBbxaJJc+59/Aq2bOAoAgwfg
-Xp/F5hNbV1G90uifxgRYyVeJ3mfh5RLobeH0Y3sfn2UUuczBAkEA5N/eeJ2vVv+9
-pkZViZatQ8OIO0h20DdWFNQH2Wqrr2kDZMzndVGganKJG2m0B3rRbe8AhfV4QM3P
-u+WHxfgYvQJBAN+nGaHJLr8Lm/+7GFDWxkvTeg4Z/D2OU2mUH3/vIPzzZHz5Rz6N
-RSWs/17LW/Cfp445xOBV41KAflnQn3YiXKsCQCKXVzdhlauPcWlc/faSiFNSjRdw
-p0xm4KK7PQh2H8aeF343nc/Ua2tLLj+vZR8wR9DWq3yTkf4xXPEoCrI4Af0CQQCI
-qIUb+18p80EOANd5xdKC0KSa6zvarRXAxHZ+6LICfgJf7r2ethmTTOL5nE8Ad72d
-RSVMYo61gbgyzywwtgxjAkBqtLZTBm1m9XGqIPWf5eSOegEz55Nmb2KJVaJLJzLN
-7S5aWSFoGFkrQ84cSNZmEHInt+zi3kxD1f9gvb0p8oIS
+MIICXgIBAAKBgQC554Ro+VH0dJONqljPBW+C72MDNGNy9eXnzejXrczsHs3Pc92V
+aat6CpIEEGueyG29xagb1o7Gj2KRgpVYcmdx6tHd2JkFW5BcFVfWXL42PV4rf9zi
+Yon8jWsbK2aE+L6hCtcbxdbHOGZdSIWZJwc/1Vs70S/7ImW+Zds8YEFiAwIDAQAB
+AoGBAKTvnFGKSkUJnNQGe66I0wunGgCA3W7kbarAzEF2qKYhGlZhJQnn68RmVnAW
+pXUFvB+vmtu/+4J9OmWBJsGHFvC9xH32a0PWNr7APjAKrjAD8GWS7Z6BjuxN8QhD
+WlFMmpYhYIjT1jt7RNfs2gJGS2Ryu3zutUQGwtUB9Pou03dJAkEA6yttwVINFqQP
+utgUZ1JUHrN/rE73FzYsF/CwJp5d3rLHenZzLT0iW+kNDLUw/VpzYxK7bF2Qrt/3
+QIUWwm2InQJBAMpe+jhNMJeLDLc3tG3zeithT0mFkuzWWmT2PJgQ0V78UWhw/fSn
+Qqnq7KBY/DNjlfhezrozLDD73/ccmha0Ax8CQQCBaBlyOtNm9QqO116K6HvPlRiZ
+Wa6QQEgNOG3GInknFZu9ILcKWsywZNLAfmgh0gcSqnkmDWqTQD0PbOz0Ok/lAkEA
+g24JrfUbwOASww9PhDUju/a36rTwhhZ0oKt3EP+jKsBOErmHhZP3bKlhQoZoTOu5
+Y5QXSMChS7LZcwDFZkdE2wJATRgMbhErif+ZRwt9XJRdCo5Sx6ewyGyxjc5gvUyK
+KegHcgru/ZC3pGlujRD2LqxgJNAn5QTdW4LK8xVPFySTYg==
 -----END RSA PRIVATE KEY-----
diff --git a/usr.sbin/httpd/htdocs/manual/dso.html b/usr.sbin/httpd/htdocs/manual/dso.html
index f8377af9d5b..566aefb564f 100644
--- a/usr.sbin/httpd/htdocs/manual/dso.html
+++ b/usr.sbin/httpd/htdocs/manual/dso.html
@@ -199,6 +199,7 @@ o  Mac OS X Server    (1.0)
 o  Mac OS             (10.0 preview 1)
 o  OpenStep/Mach      (4.2)
 o  DGUX               (??)
+o  NetWare            (5.1)
 </PRE>
 
 <P>
diff --git a/usr.sbin/httpd/htdocs/manual/index.html b/usr.sbin/httpd/htdocs/manual/index.html
index 79eacd5e6be..998b4c5e132 100644
--- a/usr.sbin/httpd/htdocs/manual/index.html
+++ b/usr.sbin/httpd/htdocs/manual/index.html
@@ -43,6 +43,7 @@
 <LI><A HREF="vhosts/index.html">Virtual Hosts</A>
 <LI><A HREF="dso.html">Dynamic Shared Object (DSO) support</A>
 <LI><A HREF="handler.html">Handlers</A>
+<LI><A HREF="content-negotiation.html">Content negotiation</A>
 <LI><A HREF="env.html">Special purpose environment variables</A>
 <LI><A HREF="misc/API.html">The Apache API</A>
 <LI><A HREF="suexec.html">Using SetUserID Execution for CGI</A>
@@ -51,6 +52,7 @@
 <H3><A NAME="oth">Other Notes</A></H3>
 <UL>
 <LI><A HREF="misc/FAQ.html">Frequently Asked Questions</A>
+<LI><A HREF="misc/rewriteguide.html">URL Rewriting Guide</A>
 <LI><A HREF="misc/perf-tuning.html">General Performance hints</A> for
 getting the best performance out of Apache
 <LI><A HREF="misc/perf.html">OS Specific Performance hints</A> to help
diff --git a/usr.sbin/httpd/htdocs/manual/install-tpf.html b/usr.sbin/httpd/htdocs/manual/install-tpf.html
index 6a357452aeb..661edba8850 100644
--- a/usr.sbin/httpd/htdocs/manual/install-tpf.html
+++ b/usr.sbin/httpd/htdocs/manual/install-tpf.html
@@ -9,7 +9,7 @@
  <A NAME="top">Installing the Apache 1.3 HTTP Server on TPF</A>
 </H1>
 <HR>
-<CENTER>[&nbsp;<A HREF="#setup">Setup</A>
+<CENTER>[&nbsp;<A HREF="#download">Download</A>
    &nbsp;|&nbsp;<A HREF="#compilation">Compilation</A>
    &nbsp;|&nbsp;<A HREF="#installation">Installation</A>
    &nbsp;|&nbsp;<A HREF="#visualage">VisualAge</A>&nbsp;]
@@ -26,53 +26,65 @@ htdocs/manual/<A HREF="readme-tpf.html">readme-tpf.html</A>
 for basic information on the port of Apache to TPF including required PUT level
 and supported functions &amp; modules.
 </P>
-
-<H2 align=center><A NAME="setup">Setup</A></H2>
-<P>
-Due to the use of EBCDIC on MVS OS/390 Open Edition
-(later referred to simply as
-"Open Edition"), we've found that the most reliable
-method for loading Apache onto your system is to unzip and tar the distribution
-file on your PC, and then copy the extracted files to Open Edition
-via an NFS client
-capable of transferring the data in EBCDIC format.
-</P>
-<P>
-Before moving the distribution to an
-Open Edition environment, verify that the NFS drive will transfer the
-filenames with upper/lower case preserved.
-</P>
-<P>
-Since Open Edition is not the ultimate destination of the files,
-the only required files and subdirectories that need to be moved to
-Open Edition
-are in /src.
-</P>
-<P>
-<FONT COLOR=red><STRONG>WARNING</STRONG></FONT>:
-If you are using a product such as WinZip on your PC, verify that
-the <EM>"TAR File Smart CR/LF Conversion"</EM> option is NOT checked.
-You can find this in WinZip under Options, Configuration.
-This will save you lots of headaches later on.
-</P>
-<P>
-<FONT COLOR=red><STRONG>WARNING</STRONG></FONT>:
-Editing files on a PC before moving them to Open Edition may result
-in the loss/addition of unprintable characters.  Files of concern include shell
-scripts and src/Configuration.  The most common problems are with
-tab characters
-and CR/LF characters.  Most editors will handle the CR/LF problem correctly
-but none seem to handle tab characters.  If you need to edit files, edit them
-in a UNIX editor such as vi or emacs.
-</P>
-
+<H2 align=center><A NAME="download">Download</A></H2>
+Releases of the Apache server are compressed into a "tarball" file and stored on the Apache web site.
+You will need to choose a version and download the corresponding tarball to your PC.
+Additionally the source code from the tarball will need to be copied onto an MVS OS/390 Open Edition machine 
+(later referred to simply as "Open Edition") for compiling.
+So here are all the details on how to get Apache and how to get it where it needs to be:
+<ol>
+   <li><A HREF="http://www.apache.org/dist/">Download</A>
+       the gzipped Apache files (the "tarball") to your PC.
+       The file name on the web site will be something like <i>apache_1.3.x.tar.gz</i>.
+       <br><font color=red size=4>TIP: </font>Be sure to keep the <i>.tar.gz</i> extension
+           when choosing the name of the PC file.
+       <br><br>
+   <li>Decompress the tarball on your PC using WinZip or some other PC decompression tool.
+       <br><font color=red size=4>TIP: </font>If you are using WinZip verify that the
+            <EM>"TAR File Smart CR/LF Conversion"</EM> option (under Options, Configuration) is NOT checked.<br>
+            This is what you can expect if you use WinZip:
+       <ul>
+           <li>open the tarball with WinZip (this can usually be done simply by double-clicking
+               on the downloaded tarball)
+           <li>you will be told that the archive contains one file (such as <i>apache_1.3.x.tar</i>) -
+               allow WinZip to decompress it to a temporary folder
+           <li>extract the archived files onto your PC - 
+               you'll be using files from the <tt>conf, htdocs,</tt> and <tt>icons</tt> directories later in the install phase
+       </ul>
+       <br>
+   <li>FTP the tarball to your Open Edition machine using binary mode:
+       <ul>
+           <li>activate FTP in an MSDOS window: <tt><b>ftp <i>your.open.edition.machine.com</i></b></tt>
+           <li>sign in
+           <li>set mode to binary: <tt><b>binary</b></tt>
+           <li>send the file to Open Edition:<br>
+               <tt><b>&nbsp;&nbsp;&nbsp;send <i>c:\downloaded_filename.tar.gz open_edition_filename.tar.gz</i></b></tt>
+           <li>exit FTP: <tt><b>bye</b></tt>
+       </ul>
+       <br><font color=red size=4>TIP: </font>
+        Open Edition and UNIX file names are case sensitive.  If you use an NFS client to transfer files
+        from your PC to Open Edition (instead of using FTP as described above) verify that the NFS drive will transfer the
+        file names with upper/lower case preserved.<br>
+       <br>
+   <li>Decompress the gzipped file on Open Edition: <tt><b>gunzip <i>open_edition_filename.tar.gz</i></b></tt>
+       <br>Note that the <i>.tar.gz</i> file will be replaced by the gunzipped <i>.tar</i> archive file.
+       <br><br>
+   <li>Extract the archived files necessary for compiling Apache:  
+       <ul>
+           <li><tt><b>pax -rvkf <i>open_edition_filename.tar</i> -o from=ISO8859-1,to=IBM-1047 "*/src"</b></tt>
+           <li>switch to the source code subdirectory of the newly extracted apache directory: <tt><b>cd <i>apache-1.3</i>/src</b></tt>
+           <li>remove unnecessary subdirectories:
+               <tt><b>rm -r os/bs2000 os/mpeix os/netware os/os2 os/os390 os/win32</b></tt>
+       </ul>
+</ol>
+<br>
 <H2 align=center><A NAME="compilation">Compilation</A></H2>
 <P>
 Apache supports the notion of "optional modules".  However,
 the server has to know which modules are compiled into it.  In order for
 those modules to be effective, it is necessary to generate a short bit of
-code ("modules.c") which simply has a list of them. If you are using the
-make and Configure utility, "modules.c" will be created for you.
+code (modules.c) which simply has a list of them. If you are using the <tt>Configure</tt> utility
+and <tt>make</tt>, modules.c and other necessary files will be created for you automatically.
 </P>
 <P>
 The provided scripts assume a c89 compiler and have only been tested on an
@@ -80,8 +92,15 @@ Open Edition environment.  If you are using a platform other that
 Open Edition you may need to modify src/os/tpf/TPFExport and src/Configure
 to match your environment.
 </P>
+<font color=red size=4>TIP: </font>
+Editing files on your PC prior to moving them to Open Edition may result
+in the loss/addition of unprintable characters.  Files of concern include shell
+scripts and src/Configuration.  The most common problems are with
+tab characters and CR/LF characters.  Most editors will handle the CR/LF problem correctly
+but none seem to handle tab characters.  If you need to edit files prior to moving them to Open Edition,
+edit them in a UNIX editor such as vi or emacs.<br>
 <P>
-Note that UNIX/Open Edition commands in this section are shown in
+Note that Open Edition commands in this section are shown in
 <TT><STRONG>bold</STRONG></TT>,
 are case sensitive, and must be made from the "src" directory.
 </P>
@@ -93,15 +112,12 @@ are case sensitive, and must be made from the "src" directory.
     of various "Rules" and an additional section at the bottom that determines
     which modules to compile:
     <BR><BR>
-    <OL type=a>
+    <UL>
     <LI>Adjust the Rules and <TT>EXTRA_CFLAGS|LIBS|LDFLAGS|INCLUDES</TT>
         if you feel so inclined.
     <BR><BR>
     <LI>Comment out (by preceding the line with a "#") lines corresponding
         to those modules you DO&nbsp;NOT wish to include.
-        At present the following modules MUST be commented out
-        as they are not yet supported on TPF: mod_actions, mod_auth,
-        mod_cgi, mod_env, mod_include, & mod_status.
     <BR><BR>
     <LI>Uncomment (by removing the initial "#", if present) lines
         corresponding to those optional modules you wish
@@ -109,8 +125,16 @@ are case sensitive, and must be made from the "src" directory.
         you have written.
         The htdocs/manual/<A HREF="readme-tpf.html">readme-tpf.html</A>
         document lists the modules that have been tested on TPF.
-    </OL>
-    <BR>
+    </UL>
+    <br>The modules placed in the Apache distribution are the ones that have been
+    tested and are used regularly by various members of the Apache development
+    group.  Additional modules contributed by members or third parties with specific
+    needs or functions are available at
+    <A 
+HREF="http://www.apache.org/dist/contrib/modules/">http://www.apache.org/dist/contrib/modules/</A>.
+    There are instructions on that page for linking these modules into the core Apache
+    code.
+    <BR><BR>
 <LI>Set the TPF environment variables:
     <TT><STRONG>.&nbsp;os/tpf/TPFExport</STRONG></TT>
     <BR>
@@ -124,13 +148,10 @@ are case sensitive, and must be made from the "src" directory.
     DO&nbsp;NOT modify the <TT>TPF=YES</TT> export variable.  If this is
     changed, the "Configure" script will not recognize TPF.
     <BR><BR>
-<LI>Remove the src/lib/expat-lite directory:
-    <TT><STRONG>rm -r lib/expat-lite</STRONG></TT>
-    <BR><BR>
 <LI>Run the "Configure" script:
     <TT><STRONG>Configure</STRONG></TT>
     <BR>
-    The output will look something like this...
+    This generates modules.c, include/ap_config_auto.h, and necessary Makefiles:
       <PRE>
       Using config file: Configuration
       Creating Makefile
@@ -139,17 +160,15 @@ are case sensitive, and must be made from the "src" directory.
        + setting C pre-processor to c89 -E
        + checking for system header files
        + adding selected modules
+       + checking sizeof various data types
       Creating Makefile in support
-      Creating Makefile in main
-      Creating Makefile in ap
       Creating Makefile in regex
       Creating Makefile in os/tpf
+      Creating Makefile in ap
+      Creating Makefile in main
       Creating Makefile in modules/standard
-      Creating Makefile in modules/example
       $ _
       </PRE>
-    This generates modules.c and new versions of the Makefiles.
-    <BR><BR>
     If you want to maintain multiple configurations, you can
     say, <EM>e.g.</EM>,
     <BR>
@@ -162,9 +181,8 @@ are case sensitive, and must be made from the "src" directory.
        + setting C compiler to &lt;whatever&gt;
       et cetera
       </PRE>
-
     If you receive an error such as "<TT>Configure 146: FSUM7351 not found</TT>"
-    the most likely explanation is that one or more of the make related
+    the most likely explanation is that one or more of the <tt>make</tt> related
     files were edited on a non-UNIX platform, corrupting the end-of-line marks.
     Verify that lines ending with "\" in the flagged file do&nbsp;not have trailing
     spaces.  Using the vi editor and the sample error above as an example...
@@ -178,19 +196,42 @@ are case sensitive, and must be made from the "src" directory.
     distributed version of the file and make the site-specific
     changes again using a UNIX compatible editor such as vi or emacs.
     Then try the Configure command again.
-    <BR><PRE>            close the file:                 <STRONG>:q  </STRONG>(or 
+    <BR><PRE>            close the file:                 <STRONG>:q  </STRONG>(or <STRONG>:quit!</STRONG>)</PRE>
+
+<LI>Edit include/ap_config.h if you would like the scoreboard kept in shared
+    memory instead of file or system heap.<br>
+    The default behavior for Apache on all platforms <i>except</i> TPF is to use the
+    file system for maintaining the scoreboard (which holds current Apache children status).
+    The default behavior for Apache on TPF is to use system heap.  Available with
+    PUT10 is the use of shared memory for the scoreboard in place of the file system.
+    This reduces file activity for the parent Apache ECB and improves performance.
+    To activate shared memory, uncomment or <em>add</em> the directive
+    <tt><b>#define&nbsp;USE_SHMGET_SCOREBOARD</b></tt>
+    and comment out or <em>remove</em> the directive <tt><b>#define USE_TPF_SCOREBOARD</b></tt>
+    both of which are in the TPF section in ap_config.h.
+    This change will only take effect after Apache is (re)compiled.
+    <br><br>
+    If you prefer to use the file system instead of system heap or shared memory, ensure that both
+    <tt>USE_TPF_SCOREBOARD</tt> and <tt>USE_SHMGET_SCOREBOARD</tt> are commented out or removed.
+    This change will only take effect after Apache is (re)compiled.
+
+<A NAME="daemon"></A><br>&nbsp;<br>
+<LI>Edit include/ap_config.h if you plan on using the ZINET DAEMON model instead of the NOLISTEN model.<br>
+    The default behavior is to let Apache check the server status (active/inactive) with ZINET
+    and shut itself down when appropriate.  The default behavior also includes checking Apache's activation number.
+    Available with PUT11 (PJ25761) ZINET can perform these functions instead of Apache by using the DAEMON model.
+    This model offers increased reliability and is preferred over the NOLISTEN model.
+    If Apache goes down while running under the NOLISTEN model ZINET will not reactivate it nor alert the operator.
+    To use the DAEMON model you must modify the default behavior of Apache by uncommenting or adding the directive
+    <tt><b>#define&nbsp;USE_TPF_DAEMON</b></tt> within the TPF section in ap_config.h.
+    This directive is also recommend when starting Apache from the command line (APAR PJ26515).
+    This change will only take effect after Apache is (re)compiled.
+    <br><br>
+
 
-<STRONG>:quit!</STRONG>)</PRE>
 <LI>Now compile the programs: <TT><STRONG>make</STRONG></TT><BR>
-    The modules placed in the Apache distribution are the ones that have been
-    tested and are used regularly by various members of the Apache development
-    group.  Additional modules contributed by members or third parties with specific
-    needs or functions are available at
-    <A 
-HREF="http://www.apache.org/dist/contrib/modules/">http://www.apache.org/dist/contrib/modules/</A>.
-    There are instructions on that page for linking these modules into the core Apache
-    code.
-    <BR><BR>
+    Besides compiling, <tt>make</tt> also runs main/gen_test_char.c and main/gen_uri_delims.c
+    in order to create main/test_char.h and main/uri_delims.h respectively<BR><BR>
     If during compilation you get a warning about a missing 'regex.h', set
     <TT>WANTHSREGEX=yes</TT> in the src/Configuration file and start back at the
     <TT><STRONG>Configure</STRONG></TT> step.
@@ -199,35 +240,48 @@ HREF="http://www.apache.org/dist/contrib/modules/">http://www.apache.org/dist/co
 <A NAME="installation">&nbsp;</A>
 <H2 align=center>Installation</H2>
 <OL>
-<LI>After compilation, you will have all the object files required to build an
-  "httpd" loadset.  The next step is to link the object files and create a loadset to be
-  stored in a PDS.  Sample JCL for linking and loadsets has been included in
-  src/os/tpf/samples as "linkdll.jcl" and "loadset.jcl".  You can submit these jobs
-  from CMS or directly from Open Edition if you have the proper authority.  After
-  the jobs have completed, you can <TT>ZOLDR LOAD</TT> them to your TPF system.
-  <BR><BR>
-  NOTE: The <TT>mod_<EM>xxx</EM>.o</TT> files in the linkdll.jcl file must correspond to the
-  <TT>mod_<EM>xxx</EM>.o</TT> lines in the src/Configuration file.
-  <BR><BR>
+<LI>Link the compiled object files into a DLL.
+    Sample link JCL has been included as src/os/tpf/samples/linkdll.jcl.
+    You will need to modify this JCL:
+    <ul>
+       <li>Change the IDs, data set names, and libraries for your particular site.
+       <li>Add/remove <TT>mod_<EM>xxx</EM>.o</TT> files so they correspond to the
+           <TT>mod_<EM>xxx</EM>.o</TT> lines in your src/Configuration file.
+    </ul>
+  <br><font color=red size=4>TIP: </font>
+  Do NOT include gen_test_char.o or gen_uri_delims.o in the link JCL since these files are only
+  used during the <tt>make</tt> step.
+  <br><br>
+<LI>Create a loadset.  Sample loadset JCL has been included as src/os/tpf/samples/loadset.jcl.
+    You will need to modify this JCL for your particular site.
+  <br><br>
+<LI>Load (<tt>ZOLDR LOAD</tt>) and activate (<tt>ZOLDR ACT</tt>) the loadset on your test system.
+  <br><br>
+<LI>Ensure that the program name you are using for Apache has <tt>RESTRICT</tt> and <tt>KEY0</tt> authorization.
+    <tt><b>zdpat <i>pppp</i>&nbsp;</b>(<b>c-c</b>)</tt> will display allocation information.
+    You can use <tt><b>zapat&nbsp;<i>pppp</i>&nbsp;restrict&nbsp;key0&nbsp;</b>(<b>c-c</b>)</tt> to alter the
+    authorization.
+    Note that if the program name is unallocated, you must have the loadset for it activated or you will receive
+    INVALID PROGRAM NAME from the <tt>zdpat/zapat</tt> entries.
+   <br><br>
 <LI>
   Apache requires a configuration file to initialize itself during activation.
   (Previously three configuration files were used.)
   Copy the distribution version, /conf/httpd.conf-dist, to /conf/httpd.conf and then
-  edit the /conf/httpd.conf copy with your site specific information.  If your system is pre-PUT09 you
-  <font color=red><STRONG>must</STRONG></FONT> change <TT>ServerType</TT> from <TT>standalone</TT>
-  to <TT>inetd</TT>.
+  edit the /conf/httpd.conf copy with your site specific information.
   <BR><BR>
   General documentation for Apache is located at
   <A HREF="http://www.apache.org/docs/">http://www.apache.org/docs/</A>
-  and in the HTML pages included with this distribution under the
+  and in the HTML pages included with the distribution (tarball) under the
   /htdocs/manual directory.
   <BR><BR>
 <LI>On TPF activate ZCLAW and update INETD using ZINET entries, the common case:
     <BR><BR>
     <PRE>
-    ZINET ADD S-TFTP   PGM-CTFT PORT-69 PROTOCOL-UDP MODEL-NOWAIT
-    ZINET ADD S-APACHE PGM-<EM>pppp</EM> PROTOCOL-TCP MODEL-NOWAIT PORT-80  (if inetd mode)
-    ZINET ADD S-APACHE PGM-<EM>pppp</EM> PROTOCOL-TCP MODEL-NOLISTEN        (if standalone mode)</PRE>
+    ZINET ADD S-TFTP PGM-CTFT PORT-69 PROTOCOL-UDP MODEL-NOWAIT
+
+    ZINET ADD S-APACHE PGM-<EM>pppp</EM> MODEL-NOLISTEN
+    or ZINET ADD S-APACHE PGM-<EM>pppp</EM> MODEL-DAEMON USER-root <A HREF="#daemon">(see notes above regarding the DAEMON model)</A></PRE>
   Please refer to <EM>IBM Transaction Processing Facility Transmission Control
   Protocol/Internet Protocol Version 4 Release 1</EM> for more information
   on ZCLAW, INETD, and TFTP.
@@ -239,19 +293,23 @@ HREF="http://www.apache.org/dist/contrib/modules/">http://www.apache.org/dist/co
      /usr/local/apache/logs
      /usr/local/apache/icons
      /usr/local/apache/htdocs</PRE>
-    The logs directory must exist in order to avoid an
-    <CODE>fopen</CODE> error while running Apache.  TFTP an empty file into
-    the logs subdirectory to create it.  All gif, jpg, and zip files should be
-    TFTP'd as binary; conf files and html pages should be TFTP'd as text.
+    All gif, jpg, and zip files should be TFTP'd as binary; conf files and html pages should be TFTP'd as text.
+    <br>The logs directory must exist in order to avoid an <CODE>fopen</CODE> error while running Apache.
+    If you're running a PUT10 or higher version of TPF make the directory using the
+    <tt><b>zfile mkdir /usr/local/apache/logs</b></tt> functional entry.
+    If you're running TPF version PUT09 TFTP an empty file into the logs subdirectory to create it.  
+    <br><br>
+<LI>Start the server using the <tt><b>ZINET START S-APACHE</b></tt> command.
 </OL>
 <A NAME="visualage">&nbsp;</A>
 <H2 align=center>Compiling with VisualAge TPF</H2>
 <P>
-  It is not required that "make" be used to compile Apache for TPF:
+  It is not required that <tt>make</tt> be used to compile Apache for TPF:
   Individual programs may be compiled using IBM's VisualAge TPF product.
   This is particularly useful when compiling selected programs for the Debug Tool.
   <BR><BR>
   The following VisualAge compile settings are required:
+</P>
   <UL>
   <LI><EM>"DEFINE - Define preprocessor macro name(s)"</EM> must include
      <TT><STRONG>TPF, CHARSET_EBCDIC, _POSIX_SOURCE,</STRONG></TT> and
@@ -264,10 +322,9 @@ HREF="http://www.apache.org/dist/contrib/modules/">http://www.apache.org/dist/co
   <BR><BR>
   <LI><EM>"LONGNAME - Support long names"</EM> must be checked
   </UL>
-</P>
 <HR>
 <CENTER>[&nbsp;<A HREF="#top">top</A>
-   &nbsp;|&nbsp;<A HREF="#setup">Setup</A>
+   &nbsp;|&nbsp;<A HREF="#download">Download</A>
    &nbsp;|&nbsp;<A HREF="#compilation">Compilation</A>
    &nbsp;|&nbsp;<A HREF="#installation">Installation</A>
    &nbsp;|&nbsp;<A HREF="#visualage">VisualAge</A>&nbsp;]
diff --git a/usr.sbin/httpd/htdocs/manual/install.html b/usr.sbin/httpd/htdocs/manual/install.html
index 2abeea575df..f82c50bec1e 100644
--- a/usr.sbin/httpd/htdocs/manual/install.html
+++ b/usr.sbin/httpd/htdocs/manual/install.html
@@ -221,7 +221,7 @@ file.
 If when you run <CODE>httpd</CODE> it complained about being unable to
 "bind" to an address, then either some other process is already using
 the port you have configured Apache to use, or you are running httpd
-as a normal user but trying to use port below 1024 (such as the
+as a normal user but trying to use a port below 1024 (such as the
 default port 80).
 
 <P>
diff --git a/usr.sbin/httpd/htdocs/manual/misc/FAQ.html b/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
index 04475577e93..7d85c93a14a 100644
--- a/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
+++ b/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
@@ -21,7 +21,7 @@
 
   <H1 ALIGN="CENTER">Apache Server Frequently Asked Questions</H1>
   <P>
-  $Revision: 1.4 $ ($Date: 1999/09/29 06:29:00 $)
+  $Revision: 1.5 $ ($Date: 2000/01/25 18:29:23 $)
   </P>
   <P>
   The latest version of this FAQ is always available from the main
@@ -252,6 +252,9 @@
 	Use ServerName directive to set it manually.</samp>"  What does
 	this mean?</A>
    </LI>
+   <LI><A HREF="#ws2_32dll">When I try to start Apache for Windows, I get a message
+	like "<samp>Unable To Locate WS2_32.DLL...</samp>". What should I do?</A>
+   </LI>
   </OL>
  </LI>
 
@@ -483,6 +486,8 @@
    </LI>
    <LI><A HREF="#search">Does Apache include a search engine?</A>
    </LI>
+   <LI><A HREF="#rotate">How can I rotate my log files?</A>
+   </LI>
   </OL>
  </LI>
 
@@ -561,6 +566,25 @@
   PA</STRONG>t<STRONG>CH</STRONG>y server&quot;.  It was
   based on some existing code and a series of &quot;patch files&quot;.
   </P>
+
+  <P>
+  For many developers it is also a reverant connotation to the Native
+  American Indian tribe of Apache, <A
+  HREF="http://www.indians.org/welker/apache.htm">well-known for their
+  superior skills in warfare strategy and inexhaustible endurance</A>.
+  Online information about the Apache Nation is tough to locate; we 
+  suggest searching 
+  <A HREF="http://www.google.com/search?q=Apache+Nation">Google</A>, 
+  <A HREF="http://www.northernlight.com/nlquery.fcg?qr=Apache+Nation">Northernlight</A>, 
+  <A HREF="http://infoseek.go.com/Titles?qt=Apache+Nation">Infoseek</A>, or 
+  <A HREF="http://www.alltheweb.com/cgi-bin/asearch?query=Apache+Nation">AllTheWeb</A>.
+  </P>
+  <P>
+  In addition, <A
+  HREF="http://www.indian.org/">http://www.indian.org/</A> and <A
+  HREF="http://www.nativeweb.com/">http://www.nativeweb.com/</A> are
+  two excellent resources for Native American information.
+  </P>
   <HR>
  </LI>
 
@@ -840,6 +864,36 @@
   (see <A HREF="../new_features_1_3.html#misc">year-2000 improvements in
   Apache 1.3</A> for details).
   </P>
+  <p>
+  The Apache HTTP Server project is an open-source software product of
+  the Apache Software Foundation.  The project and the Foundation
+  <b>cannot</b> offer legal assurances regarding any suitability
+  of the software for your application.  There are several commercial
+  Apache support organizations and derivative server products available
+  that may be able to stand behind the software and provide you with
+  any assurances you may require.  You may find links to some of these
+  vendors at
+  <samp>&lt;<a href="http://www.apache.org/info/support.cgi"
+            >http://www.apache.org/info/support.cgi</a>&gt;</samp>.
+  </p>
+  <p>
+  The Apache HTTP server software is distributed with the following
+  disclaimer, found in the software license:
+  </p>
+  <pre>
+   THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
+   EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+   PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
+   ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+   NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+   LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+   OF THE POSSIBILITY OF SUCH DAMAGE.
+  </pre>
   <HR>
  </LI>
 
@@ -1394,11 +1448,34 @@
   </dl>
   <p>
   in the file.  Correct it if there one there with wrong information, or
-  add one if you don't already have one.  Then try to start the server
+  add one if you don't already have one.
+  </p>
+  <p>
+  Also, make sure that your Windows system has DNS enabled.  See the TCP/IP
+  setup component of the Networking or Internet Options control panel.
+  </p>
+  <p>
+  After verifying that DNS is enabled and that you have a valid hostname
+  in your <samp>ServerName</samp> directive, try to start the server
   again.
   </p>
   <hr>
  </LI>
+ <LI><A name="ws2_32dll">
+       <b>When I try to start Apache for Windows, I get a message
+	like "<samp>Unable To Locate WS2_32.DLL...</samp>". What should I do?</b></A>
+  <p>
+  Short answer: You need to install Winsock 2, available from
+  <A HREF="http://www.microsoft.com/windows95/downloads/">http://www.microsoft.com/windows95/downloads/</A>
+  </p>
+  <p>
+  Detailed answer: Prior to version 1.3.9, Apache for Windows used Winsock 1.1. Beginning with
+  version 1.3.9, Apache began using Winsock 2 features (specifically, WSADuplicateSocket()).
+  WS2_32.DLL implements the Winsock 2 API. Winsock 2 ships with Windows NT 4.0 and Windows 98.
+  Some of the earlier releases of Windows 95 did not include Winsock 2.
+  </p>
+  <hr>
+ </LI>
 
 </OL>
 
@@ -2867,6 +2944,27 @@
   </P>
   <HR>
  </LI>
+ <LI><A NAME="rotate">
+      <STRONG>How can I rotate my log files?</STRONG>
+     </A>
+  <P>The simple answer: by piping the transfer log into an appropriate
+  log file rotation utility.</P>
+  <P>The longer answer: In the src/support/ directory, you will find a
+  utility called <CODE>rotatelogs</CODE> which can be used like this:<PRE>
+   TransferLog "|/path/to/rotatelogs /path/to/logs/access_log 86400"
+  </PRE> to enable daily rotation of the log files.<BR>
+  A more sophisticated solution of a logfile rotation utility is
+  available under the name <CODE>cronolog</CODE> from Andrew Ford's site at
+  <A HREF="http://www.ford-mason.co.uk/resources/cronolog/"
+  >http://www.ford-mason.co.uk/resources/cronolog/</A>. It can automatically
+  create logfile subdirectories based on time and date, and can have a
+  constant symlink point to the rotating logfiles. (As of version 1.6.1,
+  cronolog is available under the <A HREF="../LICENSE">Apache License</A>).
+  Use it like this:<PRE>
+   CustomLog "|/path/to/cronolog --symlink=/usr/local/apache/logs/access_log /usr/local/apache/logs/%Y/%m/access_log" combined
+  </PRE></P>
+  <HR>
+ </LI>
 </OL>
 
 
diff --git a/usr.sbin/httpd/htdocs/manual/misc/perf-tuning.html b/usr.sbin/httpd/htdocs/manual/misc/perf-tuning.html
index 46995c9eccd..58ca489f61e 100644
--- a/usr.sbin/httpd/htdocs/manual/misc/perf-tuning.html
+++ b/usr.sbin/httpd/htdocs/manual/misc/perf-tuning.html
@@ -17,7 +17,7 @@
 
 <H3>Introduction</H3>
 <P>Apache is a general webserver, which is designed to be correct first, and
-fast second.  Even so, it's performance is quite satisfactory.  Most
+fast second.  Even so, its performance is quite satisfactory.  Most
 sites have less than 10Mbits of outgoing bandwidth, which Apache can
 fill using only a low end Pentium-based webserver.  In practice sites
 with more bandwidth require more than one machine to fill the bandwidth
diff --git a/usr.sbin/httpd/htdocs/manual/misc/security_tips.html b/usr.sbin/httpd/htdocs/manual/misc/security_tips.html
index d1b186d3caa..c41bff857a6 100644
--- a/usr.sbin/httpd/htdocs/manual/misc/security_tips.html
+++ b/usr.sbin/httpd/htdocs/manual/misc/security_tips.html
@@ -231,7 +231,6 @@ HREF="http://www.apache.org/security_report.html">please let us
 know</A>.
 
 <P>
-<HR>
 
 <HR>
 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/core.html b/usr.sbin/httpd/htdocs/manual/mod/core.html
index b189202b797..fdaedbdbf14 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/core.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/core.html
@@ -94,6 +94,7 @@ always available.
 <LI><A HREF="#servertype">ServerType</A>
 <LI><A HREF="#startservers">StartServers</A>
 <LI><A HREF="#threadsperchild">ThreadsPerChild</A>
+<LI><A HREF="#threadstacksize">ThreadStackSize</A>
 <LI><A HREF="#timeout">TimeOut</A>
 <LI><A HREF="#usecanonicalname">UseCanonicalName</A>
 <LI><A HREF="#user">User</A>
@@ -2399,7 +2400,9 @@ Access controls which are applied in this way are effective for
 desired.</STRONG> If you wish to apply access controls only to
 specific methods, while leaving other methods unprotected, then place
 the <CODE>require</CODE> statement into a <A
-HREF="#limit">&lt;Limit&gt;</A> section<P><HR>
+HREF="#limit">&lt;Limit&gt;</A> section<P>
+<P>See also <A HREF="#satisfy">Satisfy</A> and <A HREF="mod_access.html">mod_access</A>.
+<HR>
 
 <H2><A NAME="resourceconfig">ResourceConfig directive</A></H2>
 <!--%plaintext &lt;?INDEX {\tt ResourceConfig} directive&gt; -->
@@ -2604,7 +2607,9 @@ password. With the "any" option the client will be granted access if
 they either pass the host restriction or enter a valid username and
 password. This can be used to password restrict an area, but to let
 clients from particular addresses in without prompting for a password.
-
+<P>
+See also <A HREF="#require">require</A> and 
+<A HREF="mod_access.html">mod_access</A>.
 
 <P><HR>
 
@@ -2774,16 +2779,26 @@ with
  REL="Help"
 ><STRONG>Status:</STRONG></A> core<P>
 
-The ServerName directive sets the hostname of the server; this is only
+The ServerName directive sets the hostname of the server; this is
 used when creating redirection URLs. If it is not specified, then the
 server attempts to deduce it from its own IP address; however this may
 not work reliably, or may not return the preferred hostname. For example:
-<BLOCKQUOTE><CODE>ServerName www.wibble.com</CODE></BLOCKQUOTE>
+<BLOCKQUOTE><CODE>ServerName www.example.com</CODE></BLOCKQUOTE>
 would be used if the canonical (main) name of the actual machine
-were <CODE>monster.wibble.com</CODE>.<P>
+were <CODE>simple.example.com</CODE>.<P>
+
+If you are using <A HREF="../vhosts/name-based.html">name-based
+virtual hosts</A>, the <CODE>ServerName</CODE> inside a
+<A HREF="#virtualhost"><CODE>&lt;VirtualHost&gt;</CODE></A>
+section specifies what hostname must appear in the request's
+<CODE>Host:</CODE> header to match this virtual host.<P>
+
 <P><STRONG>See Also</STRONG>:<BR>
 <A HREF="../dns-caveats.html">DNS Issues</A><BR>
+<A HREF="../vhosts/index.html">Apache virtual host documentation</A><BR>
 <A HREF="#usecanonicalname">UseCanonicalName</A><BR>
+<A HREF="#namevirtualhost">NameVirtualHost</A><BR>
+<A HREF="#serveralias">ServerAlias</A><BR>
 </P>
 <HR>
 
@@ -3035,7 +3050,7 @@ See also <A HREF="#minspareservers">MinSpareServers</A> and
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
-><STRONG>Status:</STRONG></A> core (Windows)<BR>
+><STRONG>Status:</STRONG></A> core (Windows, NetWare)<BR>
 <STRONG>Compatibility:</STRONG> Available only with Apache 1.3 and later
 with Windows
 
@@ -3050,6 +3065,38 @@ with Windows
 
 <HR>
 
+<H2><A NAME="threadstacksize">ThreadStackSize</A></H2>
+<A
+ HREF="directive-dict.html#Syntax"
+ REL="Help"
+><STRONG>Syntax:</STRONG></A> ThreadStackSize <EM>number</EM><BR>
+<A
+ HREF="directive-dict.html#Default"
+ REL="Help"
+><STRONG>Default:</STRONG></A> <CODE>ThreadStackSize 65536</CODE><BR>
+<A
+ HREF="directive-dict.html#Context"
+ REL="Help"
+><STRONG>Context:</STRONG></A> server config<BR>
+<A
+ HREF="directive-dict.html#Status"
+ REL="Help"
+><STRONG>Status:</STRONG></A> core (NetWare)<BR>
+<STRONG>Compatibility:</STRONG> Available only with Apache 1.3 and later
+with NetWare
+
+<P>This directive tells the server what stack size to use for each of the
+   running threads. If you ever get a stack overflow you will need to bump
+   this number to a higher setting.
+   
+<P>This directive has no effect on other systems.
+<HR>
+
+
+
+
+
+
 <H2><A NAME="timeout">TimeOut directive</A></H2>
 <!--%plaintext &lt;?INDEX {\tt TimeOut} directive&gt; -->
 <A
@@ -3096,7 +3143,7 @@ a packet is sent.
 <A HREF="directive-dict.html#Default" REL="Help">
 <STRONG>Default:</STRONG></A> <CODE>UseCanonicalName on</CODE><BR>
 <A HREF="directive-dict.html#Context" REL="Help">
-<STRONG>Context:</STRONG></A> server config, virtual host<BR>
+<STRONG>Context:</STRONG></A> server config, virtual host, directory<BR>
 <A HREF="directive-dict.html#Override" REL="Help">
 <STRONG>Override:</STRONG></A> Options<BR>
 <A HREF="directive-dict.html#Compatibility" REL="Help">
diff --git a/usr.sbin/httpd/htdocs/manual/mod/directives.html b/usr.sbin/httpd/htdocs/manual/mod/directives.html
index 993bccf805d..e4bf0126d85 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/directives.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/directives.html
@@ -50,6 +50,7 @@ of the terms used in their descriptions available.
 <LI><A HREF="mod_alias.html#alias">Alias</A>
 <LI><A HREF="mod_alias.html#aliasmatch">AliasMatch</A>
 <LI><A HREF="mod_access.html#allow">allow</A>
+<LI><A HREF="mod_proxy.html#allowconnect">AllowCONNECT</A>
 <LI><A HREF="core.html#allowoverride">AllowOverride</A>
 <LI><A HREF="mod_auth_anon.html#anonymous">Anonymous</A>
 <LI><A HREF="mod_auth_anon.html#Authoritative">Anonymous_Authoritative</A>
@@ -162,6 +163,7 @@ of the terms used in their descriptions available.
 <LI><A HREF="core.html#pidfile">PidFile</A>
 <LI><A HREF="core.html#port">Port</A>
 <LI><A HREF="mod_proxy.html#proxyblock">ProxyBlock</A>
+<LI><A HREF="mod_proxy.html#proxydomain">ProxyDomain</A>
 <LI><A HREF="mod_proxy.html#proxypass">ProxyPass</A>
 <LI><A HREF="mod_proxy.html#proxypassreverse">ProxyPassReverse</A>
 <LI><A HREF="mod_proxy.html#proxyreceivebuffersize">ProxyReceiveBufferSize</A>
@@ -243,6 +245,10 @@ of the terms used in their descriptions available.
 <LI><A HREF="core.html#user">User</A>
 <LI><A HREF="mod_userdir.html#userdir">UserDir</A>
 <LI><A HREF="core.html#virtualhost">&lt;VirtualHost&gt;</A>
+<LI><A HREF="mod_vhost_alias.html#virtualdocumentroot">VirtualDocumentRoot</A>
+<LI><A HREF="mod_vhost_alias.html#virtualdocumentrootip">VirtualDocumentRootIP</A>
+<LI><A HREF="mod_vhost_alias.html#virtualscriptalias">VirtualScriptAlias</A>
+<LI><A HREF="mod_vhost_alias.html#virtualscriptaliasip">VirtualScriptAliasIP</A>
 <LI><A HREF="mod_include.html#xbithack">XBitHack</A>
 </UL>
 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/index.html b/usr.sbin/httpd/htdocs/manual/mod/index.html
index 564f76b5ef8..193468b22f7 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/index.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/index.html
@@ -116,7 +116,7 @@ mod_log_config module in Apache 1.2 and up
 <DT><A HREF="mod_speling.html">mod_speling</A> Apache 1.3 and up
 <DD>Automatically correct minor typos in URLs
 <DT><A HREF="mod_ssl/index.html">mod_ssl</A> Apache 1.3 with mod_ssl applied
-<DD>Apache SSL interface to SSLeay
+<DD>Apache SSL interface to OpenSSL
 <DT><A HREF="mod_status.html">mod_status</A>
 <DD>Server status display
 <DT><A HREF="mod_userdir.html">mod_userdir</A>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_access.html b/usr.sbin/httpd/htdocs/manual/mod/mod_access.html
index ff1a01d7b0c..ac96041ec5d 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_access.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_access.html
@@ -34,6 +34,10 @@ hostname or IP address.
 <LI><A HREF="#denyfromenv">deny from env=</A>
 <LI><A HREF="#order">order</A>
 </UL>
+<DL>
+<DD>See also <A HREF="core.html#satisfy">Satisfy</A>
+    and <A HREF="core.html#require">require</A>.
+</DL>
 <HR>
 
 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_actions.html b/usr.sbin/httpd/htdocs/manual/mod/mod_actions.html
index 816a186ed2a..9b02aa5e382 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_actions.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_actions.html
@@ -100,17 +100,23 @@ PATH_INFO and PATH_TRANSLATED environment variables.
  HREF="directive-dict.html#Compatibility"
  REL="Help"
 ><STRONG>Compatibility:</STRONG></A> Script is only available in Apache 1.1
-and later
+and later; arbitrary method use is only available with 1.3.10 and later
 </P>
 
 <P>
-This directive adds an action, which will activate <EM>cgi-script</EM> when
-a file is requested using the method of <EM>method</EM>, which can be
-one of <CODE>GET</CODE>, <CODE>POST</CODE>, <CODE>PUT</CODE> or
-<CODE>DELETE</CODE>. It sends the
+This directive adds an action, which will activate <i>cgi-script</i> when
+a file is requested using the method of <i>method</i>.  It sends the
 URL and file path of the requested document using the standard
 CGI PATH_INFO and PATH_TRANSLATED environment variables.
 </P>
+<blockquote>
+Prior to Apache 1.3.10, <i>method</i> can only be
+one of <code>GET</code>, <code>POST</code>, <code>PUT</code>, or
+<code>DELETE</code>.   As of 1.3.10, any arbitrary method name
+may be used.  <b>Method names are case-sensitive</b>, so
+<code>Script&nbsp;PUT</code> and <code>Script&nbsp;put</code>
+have two entirely different effects.
+</blockquote>
 <P>
 Note that the Script command defines default actions only. If a CGI
 script is called, or some other resource that is capable of handling
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_auth_anon.html b/usr.sbin/httpd/htdocs/manual/mod/mod_auth_anon.html
index 2248c99a84d..f9ff56e95ea 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_auth_anon.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_auth_anon.html
@@ -41,9 +41,6 @@ allows users to share URLs.
 <A HREF="#Directives">Directives</A> /
 <A HREF="#Example">Example</A> /
 <A HREF="#CompileTimeOptions">Compile time options</A> /
-<A HREF="#RevisionHistory">RevisionHistory</A> /
-<A HREF="#Person">Person to blame</A> /
-<A HREF="#Sourcecode">Sourcecode</A>
 <P>
 
 <H2><A NAME="Directives">Directives</A></H2>
@@ -315,55 +312,12 @@ require valid-user        <BR>
 &lt;/Files&gt;<BR>
 </CODE></BLOCKQUOTE>
 
-
 <HR>
 <H2><A NAME="CompileTimeOptions">Compile Time Options</A></H2>
 
 Currently there are no Compile options.
 
 <HR>
-<H2><A NAME="RevisionHistory">Revision History</A></H2>
-
-This version: 23 Nov 1995, 24 Feb 1996, 16 May 1996.
-
-<DL>
-
-<DT>Version 0.4<BR></DT>
-    <DD>First release
-    </DD>
-<DT>Version 0.5<BR></DT>
-    <DD>Added 'VerifyEmail' and 'LogEmail' options. Multiple
-        'anonymous' tokens allowed. more docs. Added Authoritative
-        functionality.
-    </DD>
-</DL>
-
-
-<HR>
-<H2><A NAME="Person">Contact/person to blame</A></H2>
-
-This module was written for the
-<A HREF="http://ewse.ceo.org">European Wide Service Exchange</A> by
-&lt;<A
-     HREF="mailto:Dirk.vanGulik@jrc.it"
-     ><CODE>Dirk.vanGulik@jrc.it</CODE></A>&gt;.
-Feel free to contact me if you have any problems, ice-creams or bugs. This
-documentation, courtesy of Nick Himba, <A HREF="mailto:himba@cs.utwente.nl">
-<CODE>&lt;himba@cs.utwente.nl&gt;</CODE></A>.
-<P>
-
-
-<HR>
-<H2><A NAME="Sourcecode">Sourcecode</A></H2>
-
-The source code can be found at <A HREF="http://www.apache.org"><CODE>
-http://www.apache.org</CODE></A>. A snapshot of a development version
-usually resides at <A HREF="http://me-www.jrc.it/~dirkx/mod_auth_anon.c"><CODE>
-http://me-www.jrc.it/~dirkx/mod_auth_anon.c</CODE></A>. Please make sure
-that you always quote the version you use when filing a bug report.
-<P>
-
-<HR>
 
 <H3 ALIGN="CENTER">
  Apache HTTP Server Version 1.3
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_auth_digest.html b/usr.sbin/httpd/htdocs/manual/mod/mod_auth_digest.html
index 6b2c044d412..bbc56f10cea 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_auth_digest.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_auth_digest.html
@@ -375,7 +375,7 @@ username/password. The URIs may be either absolute URIs (i.e. inluding a
 scheme, host, port, etc) or relative URIs.
 
 <P>This directive <em>should</em> always be specified and contain at least
-the (set of) root URI(s) for this space. Omiting to do so will cause the
+the (set of) root URI(s) for this space. Omitting to do so will cause the
 client to send the Authorization header for <em>every request</em> sent to
 this server. Apart from increasing the size of the request, it may also
 have a detrimental effect on performance if "AuthDigestNcCheck" is on.
@@ -410,7 +410,7 @@ this protection space. Example:
 password system than Basic authentication, but only works with supporting
 browsers. As of this writing (July 1999), the only major browsers which
 support digest authentication are <A
-HREF="http://www.microsoft.com/windows/ie/">Internet Exploder 5.0</A> and
+HREF="http://www.microsoft.com/windows/ie/">Internet Explorer 5.0</A> and
 <A HREF="http://www.w3.org/Amaya/">Amaya</A>. Therefore, we do not
 recommend using this feature on a large Internet site. However, for
 personal and intra-net use, where browser users can be controlled, it is
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_autoindex.html b/usr.sbin/httpd/htdocs/manual/mod/mod_autoindex.html
index 5d88d0b4f42..c5477d69b5f 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_autoindex.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_autoindex.html
@@ -221,6 +221,17 @@ added if the directory is covered by an
 <CODE>IndexOptions&nbsp;SuppressSize</CODE>, and 19 bytes may be
 added if <CODE>IndexOptions&nbsp;SuppressLastModified</CODE> is
 in effect.  The widest this column can be is therefore 49 bytes.
+<blockquote>
+As of Apache 1.3.10, the
+<a href="#indexoptions:descriptionwidth">DescriptionWidth</a>
+<samp>IndexOptions</samp> keyword allows you to adjust this width
+to any arbitrary size.
+</blockquote>
+<b>Caution:</b> Descriptive text defined with <samp>AddDescription</samp>
+may contain HTML markup, such as tags and character entities.  If the
+width of the description column should happen to truncate a tagged
+element (such as cutting off the end of a bolded phrase), the results
+may affect the rest of the directory listing.
 </P>
 <HR>
 
@@ -551,12 +562,23 @@ IndexIgnore README .htaccess *~
  REL="Help"
 ><STRONG>Compatibility:</STRONG></A> '+/-' syntax and merging of multiple
  <SAMP>IndexOptions</SAMP> directives is only available with
- Apache 1.3.3 and later
+ Apache 1.3.3 and later; the <samp>FoldersFirst</samp> and
+ <samp>DescriptionWidth</samp> options are only
+ available with Apache 1.3.10 and later
 <P>
 
 The IndexOptions directive specifies the behavior of the directory indexing.
 <EM>Option</EM> can be one of
 <DL>
+<dt><a name="indexoptions:descriptionwidth">DescriptionWidth=[<em>n</em> | *]
+ (<em>Apache 1.3.10 and later</em>)</a>
+<dd>
+The <samp>DescriptionWidth</samp> keyword allows you to specify the
+width of the description column in characters.  If the keyword value
+is '<samp>*</samp>', then the column is automatically sized to the
+length of the longest filename in the display.
+<b>See the section on <a href="#adddescription"><samp>AddDescription</samp></a>
+for dangers inherent in truncating descriptions.</b></dd>
 <DT><A NAME="indexoptions:fancyindexing">FancyIndexing</A>
 <DD><!--%plaintext &lt;?INDEX {\tt FancyIndexing} index option&gt; -->
 This turns on fancy indexing of directories.
@@ -570,6 +592,21 @@ This turns on fancy indexing of directories.
  is combined with any <SAMP>IndexOptions</SAMP> directive already
  specified for the current scope.</STRONG>
 </BLOCKQUOTE>
+<dt><a name="indexoptions:foldersfirst">FoldersFirst
+ (<i>Apache 1.3.10 and later</i>)</a></dt>
+<dd>
+If this option is enabled, subdirectories in a FancyIndexed listing
+will <i>always</i> appear first, followed by normal files in the
+directory.  The listing is basically broken into two components,
+the files and the subdirectories, and each is sorted separately and
+then displayed subdirectories-first.  For instance, if the sort order
+is descending by name, and <samp>FoldersFirst</samp> is enabled,
+subdirectory <samp>Zed</samp> will be listed before subdirectory
+<samp>Beta</samp>, which will be listed before normal files
+<samp>Gamma</samp> and <samp>Alpha</samp>.
+<b>This option only has an effect if
+<a href="#indexoptions:fancyindexing"><samp>FancyIndexing</samp></a>
+is also enabled.</b></dd>
 <DT><A NAME="indexoptions:iconheight">IconHeight[=pixels] (<EM>Apache 1.3 and later</EM>)</A>
 <DD>
 <!--%plaintext &lt;?INDEX {\tt IconHeight} index option&gt; -->
@@ -654,14 +691,14 @@ directive in recent (post-1.3.0) versions of Apache.
 The default is that no options are enabled. If multiple IndexOptions
 could apply to a directory, then the most specific one is taken complete;
 the options are not merged. For example:
-<BLOCKQUOTE><CODE>
-&lt;Directory /web/docs&gt; <BR>
-IndexOptions FancyIndexing <BR>
-&lt;/Directory&gt;<BR>
-&lt;Directory /web/docs/spec&gt; <BR>
-IndexOptions ScanHTMLTitles <BR>
+<BLOCKQUOTE><pre>
+&lt;Directory /web/docs&gt;
+    IndexOptions FancyIndexing
 &lt;/Directory&gt;
-</CODE></BLOCKQUOTE>
+&lt;Directory /web/docs/spec&gt;
+    IndexOptions ScanHTMLTitles
+&lt;/Directory&gt;
+</pre></BLOCKQUOTE>
 then only <CODE>ScanHTMLTitles</CODE> will be set for the /web/docs/spec
 directory.
 </P>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_imap.html b/usr.sbin/httpd/htdocs/manual/mod/mod_imap.html
index aa1e3de06cc..b7522db4116 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_imap.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_imap.html
@@ -147,7 +147,7 @@ is called without valid coordinates.
 
 
 The ImapDefault directive sets the default <CODE>default</CODE> used in
-the imagemap files.  It's value is overridden by a <CODE>default</CODE>
+the imagemap files.  Its value is overridden by a <CODE>default</CODE>
 directive within the imagemap file.  If not present, the
 <CODE>default</CODE> action is <CODE>nocontent</CODE>, which means
 that a <CODE>204 No Content</CODE> is sent to the client.  In this
@@ -179,7 +179,7 @@ case, the client should continue to display the original page.
 1.1 and later.<P>
 
 The ImapBase directive sets the default <CODE>base</CODE> used in
-the imagemap files.  It's value is overridden by a <CODE>base</CODE>
+the imagemap files.  Its value is overridden by a <CODE>base</CODE>
 directive within the imagemap file.  If not present, the
 <CODE>base</CODE> defaults to <CODE>http://servername/</CODE>.
 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_log_config.html b/usr.sbin/httpd/htdocs/manual/mod/mod_log_config.html
index 1b8b0e15add..9295d0be7fd 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_log_config.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_log_config.html
@@ -127,22 +127,28 @@ the log files, and `%' directives which are replaced in the log file
 by the values as follows:
 
 <PRE>
-%...b:          Bytes sent, excluding HTTP headers.
-%...f:          Filename
-%...{FOOBAR}e:  The contents of the environment variable FOOBAR
-%...h:          Remote host
 %...a:          Remote IP-address
 %...A:          Local IP-address
+%...B:          Bytes sent, excluding HTTP headers.
+%...b:          Bytes sent, excluding HTTP headers. In CLF format
+		i.e. a '-' rather than a 0 when no bytes are sent.
+%...{FOOBAR}e:  The contents of the environment variable FOOBAR
+%...f:          Filename
+%...h:          Remote host
+%...H		The request protocol
 %...{Foobar}i:  The contents of Foobar: header line(s) in the request
                 sent to the server.
 %...l:          Remote logname (from identd, if supplied)
+%...m		The request method
 %...{Foobar}n:  The contents of note "Foobar" from another module.
 %...{Foobar}o:  The contents of Foobar: header line(s) in the reply.
 %...p:          The canonical Port of the server serving the request
 %...P:          The process ID of the child that serviced the request.
+%...q		The query string (prepended with a ? if a query string exists,
+		otherwise an empty string)
 %...r:          First line of request
-%...s:          Status.  For requests that got internally redirected, this
-                is status of the *original* request --- %...&gt;s for the last.
+%...s:          Status.  For requests that got internally redirected, this is
+                the status of the *original* request --- %...&gt;s for the last.
 %...t:          Time, in common log format time format (standard english format)
 %...{format}t:  The time, in the form given by format, which should
                 be in strftime(3) format. (potentially localised)
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_mime.html b/usr.sbin/httpd/htdocs/manual/mod/mod_mime.html
index 5afba4e0de5..957921bddc6 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_mime.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_mime.html
@@ -35,12 +35,12 @@ which determines how the document will be processed within the server.
 
 <P>
 
-The directives <A HREF="#addencoding">AddEncoding</A>, <A
-HREF="#addhandler">AddHandler</A>, <A
-HREF="#addlanguage">AddLanguage</A> and <A HREF="#addtype">AddType</A>
+The directives <a href="#addcharset">AddCharset</a>,
+<A HREF="#addencoding">AddEncoding</A>, <A HREF="#addhandler">AddHandler</A>,
+<A HREF="#addlanguage">AddLanguage</A> and <A HREF="#addtype">AddType</A>
 are all used to map file extensions onto the meta-information for that
-file.  Respectively they set the content-encoding, handler,
-content-language and MIME-type (content-type) of documents.  The
+file.  Respectively they set the character set, content-encoding, handler,
+content-language, and MIME-type (content-type) of documents.  The
 directive <A HREF="#typesconfig">TypesConfig</A> is used to specify a
 file which also maps extensions onto MIME types. The directives <A
 HREF="#forcetype">ForceType</A> and <A
@@ -92,6 +92,7 @@ mod_imap imagemap file.
 
 <H2>Directives</H2>
 <UL>
+<li><a href="#addcharset">AddCharset</a></li>
 <LI><A HREF="#addencoding">AddEncoding</A>
 <LI><A HREF="#addhandler">AddHandler</A>
 <LI><A HREF="#addlanguage">AddLanguage</A>
@@ -104,6 +105,60 @@ mod_imap imagemap file.
 </UL>
 <HR>
 
+<H2><A NAME="addcharset">AddCharset</A></H2>
+<A HREF="directive-dict.html#Syntax" REL="Help"
+><STRONG>Syntax:</STRONG></A> AddCharset <i>charset extension
+ [extension...]</i><br>
+<A HREF="directive-dict.html#Context" REL="Help"
+><STRONG>Context:</STRONG></A> server config, virtual host, directory, .htaccess<BR>
+<A
+ HREF="directive-dict.html#Override"
+ REL="Help"
+><STRONG>Override:</STRONG></A> FileInfo<BR>
+<A
+ HREF="directive-dict.html#Status"
+ REL="Help"
+><STRONG>Status:</STRONG></A> Base<BR>
+<A
+ HREF="directive-dict.html#Module"
+ REL="Help"
+><STRONG>Module:</STRONG></A> mod_mime
+<br>
+<A HREF="directive-dict.html#Compatibility" REL="Help"
+><STRONG>Compatibility:</STRONG></A> AddCharset is only available in Apache
+1.3.10 and later
+
+<P>
+The AddCharset directive maps the given filename extensions to the
+specified content charset. <i>charset</i> is the MIME charset
+parameter of filenames containing <i>extension</i>.  This mapping is
+added to any already in force, overriding any mappings that already
+exist for the same <i>extension</i>.
+</P>
+<P>
+Example:
+<pre>
+    AddLanguage ja .ja
+    AddCharset EUC-JP .euc
+    AddCharset ISO-2022-JP .jis
+    AddCharset SHIFT_JIS .sjis
+</pre>
+
+<P>
+Then the document <samp>xxxx.ja.jis</samp> will be treated as being a
+Japanese document whose charset is ISO-2022-JP (as will the document
+<samp>xxxx.jis.ja</samp>). Although the content charset is reported to
+the client, the browser is unlikely to use this information. The
+AddCharset directive is more useful for
+<A HREF="../content-negotiation.html">content negotiation</A>, where
+the server returns one from several documents based on the client's
+charset preference.
+</P>
+<P>
+<STRONG>See also</STRONG>: <A HREF="mod_negotiation.html">mod_negotiation</A>
+</P>
+
+<hr>
 
 <H2><A NAME="addencoding">AddEncoding</A></H2>
 <!--%plaintext &lt;?INDEX {\tt AddEncoding} directive&gt; -->
@@ -348,7 +403,12 @@ multiple extensions</A>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
-><STRONG>Module:</STRONG></A> mod_mime<P>
+><STRONG>Module:</STRONG></A> mod_mime<BR>
+<A
+ HREF="directive-dict.html#Compatibility"
+ REL="Help"
+><STRONG>Compatibility:</STRONG></A> DefaultLanguage is only available in Apache
+1.3.4 and later.<P>
 
 The DefaultLanguage directive tells Apache that all files in the
 directive's scope (<EM>e.g.</EM>, all files covered by the current
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_rewrite.html b/usr.sbin/httpd/htdocs/manual/mod/mod_rewrite.html
index 37a7316bbd4..efbe6574135 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_rewrite.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_rewrite.html
@@ -93,7 +93,7 @@ redirection or even to an internal proxy throughput.
 
 <P>
 But all this functionality and flexibility has its drawback: complexity. So
-don't expect to understand this module in it's whole in just one day.
+don't expect to understand this module in its whole in just one day.
 
 <P>
 This module was invented and originally written in April 1996<BR>
@@ -1016,10 +1016,9 @@ expanded constructs in addition to plain text:
 <CODE>$N</CODE>
 </STRONG></BLOCKQUOTE>
 
-(1 &lt;= N &lt;= 9) which provide access to the grouped parts (parenthesis!)
-of the
-pattern from the corresponding <CODE>RewriteRule</CODE> directive (the one
-following the current bunch of <CODE>RewriteCond</CODE> directives).
+(0 &lt;= N &lt;= 9) which provide access to the grouped parts (parenthesis!)
+of the pattern from the corresponding <CODE>RewriteRule</CODE> directive (the
+one following the current bunch of <CODE>RewriteCond</CODE> directives).
 
 <P>
 <LI><STRONG>RewriteCond backreferences</STRONG>: These are backreferences of
@@ -1437,7 +1436,7 @@ which is substituted for (or replaces) the original URL for which
 <LI><A HREF="#mapfunc">mapping-function</A> calls (<CODE>${mapname:key|default}</CODE>)
 </OL>
 
-Back-references are <CODE>$</CODE><STRONG>N</STRONG> (<STRONG>N</STRONG>=1..9) identifiers which
+Back-references are <CODE>$</CODE><STRONG>N</STRONG> (<STRONG>N</STRONG>=0..9) identifiers which
 will be replaced by the contents of the <STRONG>N</STRONG>th group of the matched
 <EM>Pattern</EM>. The server-variables are the same as for the
 <EM>TestString</EM> of a <CODE>RewriteCond</CODE> directive. The
@@ -1863,15 +1862,10 @@ SCRIPT_URI=http://en1.engelschall.com/u/rse/
 
 <H2><A NAME="Solutions">Practical Solutions</A></H2>
 
-There is a comprehensive collection of practical solutions for URL-based
-problems available by the author of mod_rewrite.  Here you will find real-life
-rulesets and additional information.
-
-<BLOCKQUOTE>
-<STRONG>Apache URL Rewriting Guide</STRONG><BR>
-<STRONG><A HREF="http://www.engelschall.com/pw/apache/rewriteguide/"
-        >http://www.engelschall.com/pw/apache/rewriteguide/</A></STRONG>
-</BLOCKQUOTE>
+We also have an <a href="../misc/rewriteguide.html">URL Rewriting
+Guide</a> available, which provides a collection of practical solutions
+for URL-based problems. There you can find real-life rulesets and
+additional information about mod_rewrite.
 
 <HR>
 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/index.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/index.html
index e34ed1cc1e1..265f4a78c5c 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/index.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/index.html
@@ -3,7 +3,7 @@
 <title>mod_ssl: Title Page</title>
 
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -148,7 +148,7 @@ H4 {
         </tr>
         <tr>
         <td align="right">
-        <font face="Arial,Helvetica">mod_ssl version 2.4</font> &nbsp;&nbsp;
+        <font face="Arial,Helvetica">mod_ssl version 2.5</font> &nbsp;&nbsp;
         </td>
         </tr>
         </table>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.html
index cdb28cb9c85..e43f61dea01 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.html
@@ -3,7 +3,7 @@
 <title>mod_ssl: Compatibility</title>
 
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -250,16 +250,17 @@ Unknown
 <td>
 <img src="ssl_compat.gfont000.gif" alt="H" width="40" height="34" border="0" align="left">
 ere we talk about backward compatibility to other SSL solutions. As you
-perhaps know mod_ssl is not the only existing SSL solution for Apache.
-Actually there are four additional products available: Ben Laurie's freely
-available <a href="http://www.apache-ssl.org/">Apache-SSL</a> (from where
-mod_ssl were originally derived), RedHat's commercial <a
+perhaps know, mod_ssl is not the only existing SSL solution for Apache.
+Actually there are four additional major products available on the market: Ben
+Laurie's freely available <a href="http://www.apache-ssl.org/">Apache-SSL</a>
+(from where mod_ssl were originally derived in 1998), RedHat's commercial <a
 href="http://www.redhat.com/products/product-details.phtml?id=rhsa">Secure Web
 Server</a> (which is based on mod_ssl), Covalent's commercial <a
-href="http://raven.covalent.net/">Raven SSL Module</a> (also based on
-Apache-SSL) and finally C2Net's commercial product <a
+href="http://raven.covalent.net/">Raven SSL Module</a> (also based on mod_ssl)
+and finally C2Net's commercial product <a
 href="http://www.c2.net/products/stronghold/">Stronghold</a> (based on a
-different evolution branch named Sioux).
+different evolution branch named Sioux up to Stronghold 2.x and based on
+mod_ssl since Stronghold 3.x).
 </td>
 <td>
 &nbsp;&nbsp;
@@ -555,12 +556,12 @@ if (document.images) {
         <td>        <table width="598">
         <tr>
         <td align="left"><font face="Arial,Helvetica">
-        <a href="http://www.modssl.org/">mod_ssl</a> 2.4, User Manual<br>
+        <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
         The Apache Interface to OpenSSL
         </font>
         </td>
         <td align="right"><font face="Arial,Helvetica">
-        Copyright &copy; 1998-1999
+        Copyright &copy; 1998-2000
         <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
         All Rights Reserved<br>
         </font>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.wml
index 33bd4ea3ba5..e73c61ee786 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.wml
@@ -17,16 +17,17 @@ them are more compatible than others.
 <td>
 
 <big H>ere we talk about backward compatibility to other SSL solutions. As you
-perhaps know mod_ssl is not the only existing SSL solution for Apache.
-Actually there are four additional products available: Ben Laurie's freely
-available <a href="http://www.apache-ssl.org/">Apache-SSL</a> (from where
-mod_ssl were originally derived), RedHat's commercial <a
+perhaps know, mod_ssl is not the only existing SSL solution for Apache.
+Actually there are four additional major products available on the market: Ben
+Laurie's freely available <a href="http://www.apache-ssl.org/">Apache-SSL</a>
+(from where mod_ssl were originally derived in 1998), RedHat's commercial <a
 href="http://www.redhat.com/products/product-details.phtml?id=rhsa">Secure Web
 Server</a> (which is based on mod_ssl), Covalent's commercial <a
-href="http://raven.covalent.net/">Raven SSL Module</a> (also based on
-Apache-SSL) and finally C2Net's commercial product <a
+href="http://raven.covalent.net/">Raven SSL Module</a> (also based on mod_ssl)
+and finally C2Net's commercial product <a
 href="http://www.c2.net/products/stronghold/">Stronghold</a> (based on a
-different evolution branch named Sioux).
+different evolution branch named Sioux up to Stronghold 2.x and based on
+mod_ssl since Stronghold 3.x).
 
 </td>
 <td>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover.wml
index 360dbaab1d2..1028e99910d 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover.wml
@@ -17,7 +17,7 @@
         </tr>
         <tr>
         <td align=right>
-        <font face="Arial,Helvetica">mod_ssl version 2.4</font> &nbsp;&nbsp;
+        <font face="Arial,Helvetica">mod_ssl version 2.5</font> &nbsp;&nbsp;
         </td>
         </tr>
         </table>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html
index aa17eb4b275..b633181bddb 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html
@@ -3,7 +3,7 @@
 <title>mod_ssl: F.A.Q.</title>
 
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -267,7 +267,7 @@ author.
 </td>
 <td>
 <DIV align="right">
-<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" width="300">
+<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" width="350">
 <tr>
 <td bgcolor="#333399">
 <font face="Arial,Helvetica" color="#ccccff">
@@ -281,50 +281,57 @@ author.
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC1"><strong>About the module</strong></a><br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC2"><strong>What is the history of mod_ssl?</strong></a><br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC3"><strong>Apache-SSL vs. mod_ssl: differences?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC4"><strong>mod_ssl/Apache versions?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC5"><strong>mod_ssl and Year 2000?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC6"><strong>mod_ssl and Wassenaar Arrangement?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC7"><strong>About Installation</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC8"><strong>Core dumps for HTTPS requests?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC9"><strong>Core dumps for Apache+mod_ssl+PHP3?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC10"><strong>Undefined symbols on startup?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC11"><strong>Permission problem on SSLMutex</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC12"><strong>Shared memory and process size?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC13"><strong>About Configuration</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC14"><strong>HTTP and HTTPS with a single server?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC15"><strong>Where is the HTTPS port?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC16"><strong>How to test HTTPS manually?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC17"><strong>Why does my connection hang?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC18"><strong>Why do I get connection refused?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC19"><strong>How to switch with relative hyperlinks?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC20"><strong>About Certificates</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC21"><strong>What are Keys, CSRs and Certs?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC22"><strong>Difference on startup?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC23"><strong>How to create a dummy cert?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC24"><strong>How to create a real cert?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC25"><strong>How to create my own CA?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC26"><strong>How to change a pass phrase?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC27"><strong>How to remove a pass phrase?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC28"><strong>How to verify a key/cert pair?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC29"><strong>Bad Certificate Error?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC30"><strong>Why does a 2048-bit key not work?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC31"><strong>Why is client auth broken?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC32"><strong>How to convert from PEM to DER?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC33"><strong>Verisign and the magic getca program?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC34"><strong>Global IDs or SGC?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC35"><strong>About SSL Protocol</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC36"><strong>Why has the server a higher load?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC37"><strong>Which ciphers are supported?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC38"><strong>HTTPS and name-based vhosts</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC39"><strong>The lock icon in Netscape locks very late</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC40"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC41"><strong>Why do I get I/O errors with my NS clients?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC42"><strong>About Support</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC43"><strong>Resources in case of problems?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC44"><strong>Support in case of problems?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC45"><strong>How to write a problem report?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC46"><strong>I got a core dump, can you help me?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC47"><strong>How to get a backtrace?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC4"><strong>mod_ssl vs. commercial alternatives?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC5"><strong>mod_ssl/Apache versions?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC6"><strong>mod_ssl and Year 2000?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC7"><strong>mod_ssl and Wassenaar Arrangement?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC8"><strong>About Installation</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC9"><strong>Core dumps for HTTPS requests?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC10"><strong>Core dumps for Apache+mod_ssl+PHP3?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC11"><strong>Undefined symbols on startup?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC12"><strong>Permission problem on SSLMutex</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC13"><strong>Shared memory and process size?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC14"><strong>Shared memory and pathname?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC15"><strong>About Configuration</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC16"><strong>HTTP and HTTPS with a single server?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC17"><strong>Where is the HTTPS port?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC18"><strong>How to test HTTPS manually?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC19"><strong>Why does my connection hang?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC20"><strong>Why do I get connection refused?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC21"><strong>Why are the SSL_XXX variables missing?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC22"><strong>How to switch with relative hyperlinks?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC23"><strong>About Certificates</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC24"><strong>What are Keys, CSRs and Certs?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC25"><strong>Difference on startup?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC26"><strong>How to create a dummy cert?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC27"><strong>How to create a real cert?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC28"><strong>How to create my own CA?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC29"><strong>How to change a pass phrase?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC30"><strong>How to remove a pass phrase?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC31"><strong>How to verify a key/cert pair?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC32"><strong>Bad Certificate Error?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC33"><strong>Why does a 2048-bit key not work?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC34"><strong>Why is client auth broken?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC35"><strong>How to convert from PEM to DER?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC36"><strong>Verisign and the magic getca program?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC37"><strong>Global IDs or SGC?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC38"><strong>Global IDs and Cert Chain?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC39"><strong>About SSL Protocol</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC40"><strong>Why has the server a higher load?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC41"><strong>Why are connections horribly slow?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC42"><strong>Which ciphers are supported?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC43"><strong>How to use Anonymous-DH ciphers</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC44"><strong>Why do I get 'no shared ciphers'?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC45"><strong>HTTPS and name-based vhosts</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC46"><strong>The lock icon in Netscape locks very late</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC47"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC48"><strong>Why do I get I/O errors with my NS clients?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC49"><strong>About Support</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC50"><strong>Resources in case of problems?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC51"><strong>Support in case of problems?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC52"><strong>How to write a problem report?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC53"><strong>I got a core dump, can you help me?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC54"><strong>How to get a backtrace?</strong></a><br>
 </font>
 </td>
 </tr>
@@ -339,7 +346,7 @@ author.
 <li><a name="ToC2"></a>
     <a name="history"></a>
     <strong id="faq">What is the history of mod_ssl?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#history"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#history"><b>L</b></a>]
     <p>
     The mod_ssl v1 package was initially created in April 1998 by <a
     href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a
@@ -364,7 +371,7 @@ author.
     <a name="apssl-diff"></a>
     <strong id="faq">What are the functional differences between mod_ssl and Apache-SSL, from where
 it is originally derived?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#apssl-diff"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#apssl-diff"><b>L</b></a>]
     <p>
     This neither can be answered in short (there were too much code changes)
     nor can be answered at all by the author (there would be immediately flame
@@ -400,9 +407,58 @@ it is originally derived?</strong>&nbsp;&nbsp;
     etc?"), etc. pp.
 <p>
 <li><a name="ToC4"></a>
+    <a name="apssl-diff"></a>
+    <strong id="faq">What are the major differences between mod_ssl and
+the commercial alternatives like Raven or Stronghold?</strong>&nbsp;&nbsp;
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#apssl-diff"><b>L</b></a>]
+    <p>
+    As of this writing (end of the year 1999) the major difference is
+    the RSA license which one receives (very cheaply in contrast to
+    a direct licensing from RSA DSI) with the commercial Apache SSL
+    products. On the other hand, one needs this license only in the
+    US, of course. So for non-US citizens this point is useless. And
+    even for US citizens the situations is at least solved next year
+    (September 20th, 2000) when the RSA patent expires.
+    <p>
+    Second, there is the point that one has guarrantied support from
+    the commercial vendors. On the other hand, if you monitored the
+    Open Source quality of mod_ssl and the support activities
+    found on <a href="mailto:modssl-users@modssl.org">
+    <code>modssl-users@modssl.org</code></a>, you could ask yourself
+    whether you are really convinced that you can get better support
+    from a commercial vendor.
+    <p>
+    Third, people often think they would receive perhaps at least a
+    better technical SSL solution than mod_ssl from the commercial
+    vendors. But this is not really the truth, because all commercial
+    alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.)
+    <i>are</i> actually based on mod_ssl and OpenSSL. The reason for
+    this common misunderstanding is mainly because some vendors make no
+    attempt to make it reasonably clear that their product is actually
+    mod_ssl based. So, do not think, just because the commercial
+    alternatives are usually more expensive, that you are also receiving
+    an alternative <i>technical</i> SSL solution. This is usually not
+    the case. Actually the vendors versions of Apache, mod_ssl and OpenSSL
+    often stay behind the latest free versions and this way still do not
+    include perhaps important bug and security fixes. On the other hand,
+    it sometimes occurs that a vendor version includes useful changes
+    which are not available through the official freely available
+    packages. But most vendors play fair and contribute back those
+    changes to the free software world, of course.
+    <p>
+    So, in short: There are lots of commercial versions of the popular
+    Apache+mod_ssl+OpenSSL server combination available. And until the
+    RSA patent expires in the year 2000, US citizens have no chance,
+    of course. They have to buy one of the commercial versions. Non-US
+    citizens are not forced into this situation and should decide
+    carefully whether they really need to buy a commercial version or
+    whether it would not be sufficient to directly use the free and
+    official versions of the Apache, mod_ssl and OpenSSL packages.
+<p>
+<li><a name="ToC5"></a>
     <a name="what-version"></a>
     <strong id="faq">How do I know which mod_ssl version is for which Apache version?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#what-version"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#what-version"><b>L</b></a>]
     <p>
     That's trivial: mod_ssl uses version strings of the syntax
     <em>&lt;mod_ssl-version&gt;</em>-<em>&lt;apache-version&gt;</em>, for
@@ -412,10 +468,10 @@ it is originally derived?</strong>&nbsp;&nbsp;
     version (unless you use the <code>--force</code> option to mod_ssl's
     <code>configure</code> command ;-).
 <p>
-<li><a name="ToC5"></a>
+<li><a name="ToC6"></a>
     <a name="y2k"></a>
     <strong id="faq">Is mod_ssl Year 2000 compliant?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#y2k"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#y2k"><b>L</b></a>]
     <p>
     Yes, mod_ssl is Year 2000 compliant.
     <p>
@@ -435,10 +491,10 @@ it is originally derived?</strong>&nbsp;&nbsp;
     (either a Unix or Win32 platform) is Year 2000 compliant is a different
     question which cannot be answered here.
 <p>
-<li><a name="ToC6"></a>
+<li><a name="ToC7"></a>
     <a name="wassenaar"></a>
     <strong id="faq">What about mod_ssl and the Wassenaar Arrangement?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#wassenaar"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#wassenaar"><b>L</b></a>]
     <p>
     First, let us explain what <i>Wassenaar</i> and it's <i>Arrangement on
     Export Controls for Conventional Arms and Dual-Use Goods and
@@ -489,13 +545,13 @@ it is originally derived?</strong>&nbsp;&nbsp;
 </ul>
 <p>
 <br>
-<H2><a name="ToC7">About Installation</a></H2>
+<H2><a name="ToC8">About Installation</a></H2>
 <ul>
 <p>
-<li><a name="ToC8"></a>
+<li><a name="ToC9"></a>
     <a name="core-dbm"></a>
     <strong id="faq">When I access my website the first time via HTTPS I get a core dump?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#core-dbm"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#core-dbm"><b>L</b></a>]
     <p>
     There can be a lot of reasons why a core dump can occur, of course.
     Ranging from buggy third-party modules, over buggy vendor libraries up to
@@ -506,10 +562,10 @@ it is originally derived?</strong>&nbsp;&nbsp;
     newer ``<tt>SSLSessionCache shm:</tt>'' variant (after you've rebuilt
     Apache with MM, of course).
 <p>
-<li><a name="ToC9"></a>
+<li><a name="ToC10"></a>
     <a name="core-php3"></a>
     <strong id="faq">My Apache dumps core when I add both mod_ssl and PHP3?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#core-php3"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#core-php3"><b>L</b></a>]
     <p>
     Make sure you add mod_ssl to the Apache source tree first and then do a
     fresh configuration and installation of PHP3. For SSL support EAPI patches
@@ -517,10 +573,10 @@ it is originally derived?</strong>&nbsp;&nbsp;
     to know about these in order to work correctly. Always make sure that
     <tt>-DEAPI</tt> is contained in the compiler flags when PHP3 is build.
 <p>
-<li><a name="ToC10"></a>
+<li><a name="ToC11"></a>
     <a name="dso-sym"></a>
     <strong id="faq">When I startup Apache I get errors about undefined symbols like ap_global_ctx?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#dso-sym"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#dso-sym"><b>L</b></a>]
     <p>
     This actually means you installed mod_ssl as a DSO, but without rebuilding
     Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an
@@ -528,10 +584,10 @@ it is originally derived?</strong>&nbsp;&nbsp;
     this Apache with EAPI enabled (explicitly specify
     <tt>--enable-rule=EAPI</tt> at the APACI command line).
 <p>
-<li><a name="ToC11"></a>
+<li><a name="ToC12"></a>
     <a name="mutex-perm"></a>
     <strong id="faq">When I startup Apache I get permission errors related to SSLMutex?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#mutex-perm"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#mutex-perm"><b>L</b></a>]
     <p>
     When you receive entries like ``<code>mod_ssl: Child could not open
     SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
@@ -542,11 +598,11 @@ it is originally derived?</strong>&nbsp;&nbsp;
     set at least for the UID under which Apache's children are running (see
     the <code>User</code> directive of Apache).
 <p>
-<li><a name="ToC12"></a>
+<li><a name="ToC13"></a>
     <a name="mm"></a>
     <strong id="faq">When I use the MM library and the shared memory cache each process grows
 1.5MB according to `top' although I specified 512000 as the cache size?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#mm"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#mm"><b>L</b></a>]
     <p>
     The additional 1MB are caused by the global shared memory pool EAPI
     allocates for all modules and which is not used by mod_ssl for
@@ -557,16 +613,29 @@ it is originally derived?</strong>&nbsp;&nbsp;
     course. Instead the additional memory consumption is shared by
     all processes, i.e. the 1.5MB are allocated only once per Apache
     instance and not once per Apache server process.
+<p>
+<li><a name="ToC14"></a>
+    <a name="mmpath"></a>
+    <strong id="faq">Apache creates files in a directory declared by the internal
+EAPI_MM_CORE_PATH define. Is there a way to override the path using a
+configuration directive?</strong>&nbsp;&nbsp;
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#mmpath"><b>L</b></a>]
+    <p>
+    No, there is not configuration directive, because for technical
+    bootstrapping reasons, a directive not possible at all. Instead
+    use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
+    ./configure ...</code>'' when building Apache or use option
+    <b>-d</b> when starting <code>httpd</code>.
 </ul>
 <p>
 <br>
-<H2><a name="ToC13">About Configuration</a></H2>
+<H2><a name="ToC15">About Configuration</a></H2>
 <ul>
 <p>
-<li><a name="ToC14"></a>
+<li><a name="ToC16"></a>
     <a name="https-parallel"></a>
     <strong id="faq">Is it possible to provide HTTP and HTTPS with a single server?</strong></strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#https-parallel"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#https-parallel"><b>L</b></a>]
     <p>
     Yes, HTTP and HTTPS use different server ports, so there is no direct
     conflict between them. Either run two separate server instances (one binds
@@ -575,20 +644,20 @@ it is originally derived?</strong>&nbsp;&nbsp;
     Apache dispatches: one responding to port 80 and speaking HTTP and one
     responding to port 443 speaking HTTPS.
 <p>
-<li><a name="ToC15"></a>
+<li><a name="ToC17"></a>
     <a name="https-port"></a>
     <strong id="faq">I know that HTTP is on port 80, but where is HTTPS?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#https-port"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#https-port"><b>L</b></a>]
     <p>
     You can run HTTPS on any port, but the standards specify port 443, which
     is where any HTTPS compliant browser will look by default. You can force
     your browser to look on a different port by specifying it in the URL like
     this (for port 666): <code>https://secure.server.dom:666/</code>
 <p>
-<li><a name="ToC16"></a>
+<li><a name="ToC18"></a>
     <a name="https-test"></a>
     <strong id="faq">How can I speak HTTPS manually for testing purposes?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#https-test"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#https-test"><b>L</b></a>]
     <p>
     While you usually just use
     <p>
@@ -607,17 +676,17 @@ it is originally derived?</strong>&nbsp;&nbsp;
     SSL handshake. For a more general command line client which directly
     understands both the HTTP and HTTPS scheme, can perform GET and POST
     methods, can use a proxy, supports byte ranges, etc. you should have a
-    look at nifty <a href="http://www.fts.frontec.se/~dast/curl/">cURL</a>
+    look at nifty <a href="http://curl.haxx.nu/">cURL</a>
     tool. With it you can directly check if your Apache is running fine on
     Port 80 and 443 as following:
     <p>
     <code><b>$ curl http://localhost/</b></code><br>
     <code><b>$ curl https://localhost/</b></code><br>
 <p>
-<li><a name="ToC17"></a>
+<li><a name="ToC19"></a>
     <a name="hang"></a>
     <strong id="faq">Why does the connection hang when I connect to my SSL-aware Apache server?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#hang"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#hang"><b>L</b></a>]
     <p>
     Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
     the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
@@ -627,11 +696,11 @@ it is originally derived?</strong>&nbsp;&nbsp;
     virtual server that supports SSL, which is probably the IP associated with
     your hostname, not localhost (127.0.0.1).
 <p>
-<li><a name="ToC18"></a>
+<li><a name="ToC20"></a>
     <a name="hang"></a>
     <strong id="faq">Why do I get ``Connection Refused'' messages when trying to access my freshly
 installed Apache+mod_ssl server via HTTPS?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#hang"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#hang"><b>L</b></a>]
     <p>
     There can be various reasons. Some of the common mistakes is that people
     start Apache with just ``<tt>apachectl start</tt>'' (or
@@ -642,10 +711,19 @@ installed Apache+mod_ssl server via HTTPS?</strong>&nbsp;&nbsp;
     yourself a favor and start over with the default configuration mod_ssl
     provides you.
 <p>
-<li><a name="ToC19"></a>
+<li><a name="ToC21"></a>
+    <a name="env-vars"></a>
+    <strong id="faq">In my CGI programs and SSI scripts the various documented
+<code>SSL_XXX</code> variables do not exists. Why?</strong>&nbsp;&nbsp;
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#env-vars"><b>L</b></a>]
+    <p>
+    Just make sure you have ``<code>SSLOptions +StdEnvVars</code>''
+    enabled for the context of your CGI/SSI requests.
+<p>
+<li><a name="ToC22"></a>
     <a name="relative-links"></a>
     <strong id="faq">How can I use relative hyperlinks to switch between HTTP and HTTPS?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#relative-links"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#relative-links"><b>L</b></a>]
     <p>
     Usually you have to use fully-qualified hyperlinks because
     you have to change the URL scheme. But with the help of some URL
@@ -663,13 +741,13 @@ installed Apache+mod_ssl server via HTTPS?</strong>&nbsp;&nbsp;
 </ul>
 <p>
 <br>
-<H2><a name="ToC20">About Certificates</a></H2>
+<H2><a name="ToC23">About Certificates</a></H2>
 <ul>
 <p>
-<li><a name="ToC21"></a>
+<li><a name="ToC24"></a>
     <a name="what-is"></a>
     <strong id="faq">What are RSA Private Keys, CSRs and Certificates?</strong></strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#what-is"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#what-is"><b>L</b></a>]
     <p>
     The RSA private key file is a digital file that you can use to decrypt
     messages sent to you. It has a public component which you distribute (via
@@ -684,10 +762,10 @@ installed Apache+mod_ssl server via HTTPS?</strong>&nbsp;&nbsp;
     See the <a href="ssl_intro.html">Introduction</a> chapter for a general
     description of the SSL protocol.
 <p>
-<li><a name="ToC22"></a>
+<li><a name="ToC25"></a>
     <a name="startup"></a>
     <strong id="faq">Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#startup"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#startup"><b>L</b></a>]
     <p>
     Yes, in general, starting Apache with a built-in mod_ssl is just like
     starting an unencumbered Apache, except for the fact that when you have a
@@ -700,10 +778,10 @@ installed Apache+mod_ssl server via HTTPS?</strong>&nbsp;&nbsp;
     below under ``How can I get rid of the pass-phrase dialog at Apache
     startup time?''.
 <p>
-<li><a name="ToC23"></a>
+<li><a name="ToC26"></a>
     <a name="cert-dummy"></a>
     <strong id="faq">How can I create a dummy SSL server Certificate for testing purposes?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#cert-dummy"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cert-dummy"><b>L</b></a>]
     <p>
     A Certificate does not have to be signed by a public CA. You can use your
     private key to sign the Certificate which contains your public key. You
@@ -722,11 +800,11 @@ installed Apache+mod_ssl server via HTTPS?</strong>&nbsp;&nbsp;
     BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG
     RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER.
 <p>
-<li><a name="ToC24"></a>
+<li><a name="ToC27"></a>
     <a name="cert-real"></a>
     <strong id="faq">Ok, I've got my server installed and want to create a real SSL
 server Certificate for it. How do I do it?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#cert-real"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cert-real"><b>L</b></a>]
     <p>
     Here is a step-by-step description:
     <p>
@@ -818,10 +896,10 @@ server Certificate for it. How do I do it?</strong>&nbsp;&nbsp;
        The <code>server.csr</code> file is no longer needed.
     </ol>
 <p>
-<li><a name="ToC25"></a>
+<li><a name="ToC28"></a>
     <a name="cert-ownca"></a>
     <strong id="faq">How can I create and use my own Certificate Authority (CA)?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#cert-ownca"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cert-ownca"><b>L</b></a>]
     <p>
     The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
     script provided by OpenSSL. The long and manual answer is this:
@@ -868,10 +946,10 @@ server Certificate for it. How do I do it?</strong>&nbsp;&nbsp;
        This signs the server CSR and results in a <code>server.crt</code> file.
     </ol>
 <p>
-<li><a name="ToC26"></a>
+<li><a name="ToC29"></a>
     <a name="change-passphrase"></a>
     <strong id="faq">How can I change the pass-phrase on my private key file?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#change-passphrase"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#change-passphrase"><b>L</b></a>]
     <p>
     You simply have to read it with the old pass-phrase and write it again
     by specifying the new pass-phrase. You can accomplish this with the following
@@ -884,10 +962,10 @@ server Certificate for it. How do I do it?</strong>&nbsp;&nbsp;
     prompt enter the old pass-phrase and at the second prompt
     enter the new pass-phrase.
 <p>
-<li><a name="ToC27"></a>
+<li><a name="ToC30"></a>
     <a name="remove-passphrase"></a>
     <strong id="faq">How can I get rid of the pass-phrase dialog at Apache startup time?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#remove-passphrase"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#remove-passphrase"><b>L</b></a>]
     <p>
     The reason why this dialog pops up at startup and every re-start
     is that the RSA private key inside your server.key file is stored in
@@ -919,10 +997,10 @@ server Certificate for it. How do I do it?</strong>&nbsp;&nbsp;
     exec:/path/to/program</code>'' facility. But keep in mind that this is
     neither more nor less secure, of course.
 <p>
-<li><a name="ToC28"></a>
+<li><a name="ToC31"></a>
     <a name="verify-key"></a>
     <strong id="faq">How do I verify that a private key matches its Certificate?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#verify-key"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#verify-key"><b>L</b></a>]
     <p>
     The private key contains a series of numbers. Two of those numbers form
     the "public key", the others are part of your "private key". The "public
@@ -949,11 +1027,11 @@ server Certificate for it. How do I do it?</strong>&nbsp;&nbsp;
     <p>
     <code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code>
 <p>
-<li><a name="ToC29"></a>
+<li><a name="ToC32"></a>
     <a name="keysize1"></a>
     <strong id="faq">What does it mean when my connections fail with an "alert bad certificate"
 error?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#keysize1"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#keysize1"><b>L</b></a>]
     <p>
     Usually when you see errors like ``<tt>OpenSSL: error:14094412: SSL
     routines:SSL3_READ_BYTES:sslv3 alert bad certificate</tt>'' in the SSL
@@ -961,10 +1039,10 @@ error?</strong>&nbsp;&nbsp;
     certificate/private-key which perhaps contain a RSA-key not equal to 1024
     bits. For instance Netscape Navigator 3.x is one of those browsers.
 <p>
-<li><a name="ToC30"></a>
+<li><a name="ToC33"></a>
     <a name="keysize2"></a>
     <strong id="faq">Why does my 2048-bit private key not work?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#keysize2"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#keysize2"><b>L</b></a>]
     <p>
     The private key sizes for SSL must be either 512 or 1024 for compatibility
     with certain web browsers. A keysize of 1024 bits is recommended because
@@ -972,11 +1050,11 @@ error?</strong>&nbsp;&nbsp;
     Navigator and Microsoft Internet Explorer, and with other browsers that
     use RSA's BSAFE cryptography toolkit.
 <p>
-<li><a name="ToC31"></a>
+<li><a name="ToC34"></a>
     <a name="hash-symlinks"></a>
     <strong id="faq">Why is client authentication broken after upgrading from
 SSLeay version 0.8 to 0.9?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#hash-symlinks"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#hash-symlinks"><b>L</b></a>]
     <p>
     The CA certificates under the path you configured with
     <code>SSLCACertificatePath</code> are found by SSLeay through hash
@@ -986,10 +1064,10 @@ SSLeay version 0.8 to 0.9?</strong>&nbsp;&nbsp;
     all old hash symlinks and re-create new ones after upgrading. Use the
     <code>Makefile</code> mod_ssl placed into this directory.
 <p>
-<li><a name="ToC32"></a>
+<li><a name="ToC35"></a>
     <a name="pem-to-der"></a>
     <strong id="faq">How can I convert a certificate from PEM to DER format?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#pem-to-der"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#pem-to-der"><b>L</b></a>]
     <p>
     The default certificate format for SSLeay/OpenSSL is PEM, which actually
     is Base64 encoded DER with header and footer lines. For some applications
@@ -998,11 +1076,11 @@ SSLeay version 0.8 to 0.9?</strong>&nbsp;&nbsp;
     corresponding DER file <code>cert.der</code> with the following command:
     <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code>
 <p>
-<li><a name="ToC33"></a>
+<li><a name="ToC36"></a>
     <a name="verisign-getca"></a>
     <strong id="faq">I try to install a Verisign certificate. Why can't I find neither the
 <code>getca</code> nor <code>getverisign</code> programs Verisign mentions?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#verisign-getca"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#verisign-getca"><b>L</b></a>]
     <p>
     This is because Verisign has never provided specific instructions
     for Apache+mod_ssl. Rather they tell you what you should do
@@ -1016,37 +1094,63 @@ SSLeay version 0.8 to 0.9?</strong>&nbsp;&nbsp;
     href="http://www.thawte.com/certs/server/keygen/mod_ssl.html">
     Thawte's mod_ssl instructions</a>.
 <p>
-<li><a name="ToC34"></a>
+<li><a name="ToC37"></a>
     <a name="gid"></a>
     <strong id="faq">Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global
 ID) also with mod_ssl?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#gid"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#gid"><b>L</b></a>]
     <p>
     Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have
     to configure anything special for this, just use a Global ID as your
     server certificate. The <i>step up</i> of the clients are then
     automatically handled by mod_ssl under run-time. For details please read
     the <tt>README.GlobalID</tt> document in the mod_ssl distribution.
+<p>
+<li><a name="ToC38"></a>
+    <a name="gid"></a>
+    <strong id="faq">After I have installed my new Verisign Global ID server certificate, the
+browsers complain that they cannot verify the server certificate?</strong>&nbsp;&nbsp;
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#gid"><b>L</b></a>]
+    <p>
+    That is because Verisign uses an intermediate CA certificate between
+    the root CA certificate (which is installed in the browsers) and
+    the server certificate (which you installed in the server). You
+    should have received this additional CA certificate from Verisign.
+    If not, complain to them. Then configure this certificate with the
+    <code>SSLCertificateChainFile</code> directive in the server. This
+    makes sure the intermediate CA certificate is send to the browser
+    and this way fills the gap in the certificate chain.
 </ul>
 <p>
 <br>
-<H2><a name="ToC35">About SSL Protocol</a></H2>
+<H2><a name="ToC39">About SSL Protocol</a></H2>
 <ul>
 <p>
-<li><a name="ToC36"></a>
+<li><a name="ToC40"></a>
     <a name="load"></a>
     <strong id="faq">Why has my webserver a higher load now that I run SSL there?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#load"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#load"><b>L</b></a>]
     <p>
     Because SSL uses strong cryptographic encryption and this needs a lot of
     number crunching. And because when you request a webpage via HTTPS even
     the images are transfered encrypted. So, when you have a lot of HTTPS
     traffic the load increases.
 <p>
-<li><a name="ToC37"></a>
+<li><a name="ToC41"></a>
+    <a name="random"></a>
+    <strong id="faq">Often HTTPS connections to my server require up to 30 seconds for establishing
+the connection, although sometimes it works faster?</strong>&nbsp;&nbsp;
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#random"><b>L</b></a>]
+    <p>
+    Usually this is caused by using a <code>/dev/random</code> device for
+    <code>SSLRandomSeed</code> which is blocking in read(2) calls if not
+    enough entropy is available. Read more about this problem in the refernce
+    chapter under <code>SSLRandomSeed</code>.
+<p>
+<li><a name="ToC42"></a>
     <a name="ciphers"></a>
     <strong id="faq">What SSL Ciphers are supported by mod_ssl?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#ciphers"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#ciphers"><b>L</b></a>]
     <p>
     Usually just all SSL ciphers which are supported by the
     version of OpenSSL in use (can depend on the way you built
@@ -1067,10 +1171,41 @@ ID) also with mod_ssl?</strong>&nbsp;&nbsp;
     <p>
     <code><strong>$ openssl ciphers -v</strong></code><br>
 <p>
-<li><a name="ToC38"></a>
+<li><a name="ToC43"></a>
+    <a name="cipher-adh"></a>
+    <strong id="faq">I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no
+shared cipher'' errors?</strong>&nbsp;&nbsp;
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cipher-adh"><b>L</b></a>]
+    <p>
+    In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough
+    to just put ``<code>ADH</code>'' into your <code>SSLCipherSuite</code>.
+    Additionally you have to build OpenSSL with
+    ``<code>-DSSL_ALLOW_ADH</code>''. Because per default OpenSSL does not
+    allow ADH ciphers for security reasons. So if you are actually enabling
+    these ciphers make sure you are informed about the side-effects.
+<p>
+<li><a name="ToC44"></a>
+    <a name="cipher-shared"></a>
+    <strong id="faq">I always just get a 'no shared ciphers' error if
+I try to connect to my freshly installed server?</strong>&nbsp;&nbsp;
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cipher-shared"><b>L</b></a>]
+    <p>
+    Either you have messed up your <code>SSLCipherSuite</code>
+    directive (compare it with the pre-configured example in
+    <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
+    algorithms instead of RSA under "<code>make certificate</code>"
+    and ignored or overseen the warnings. Because if you have choosen
+    DSA/DH, then your server no longer speaks RSA-based SSL ciphers
+    (at least not until you also configure an additional RSA-based
+    certificate/key pair). But current browsers like NS or IE only speak
+    RSA ciphers. The result is the "no shared ciphers" error. To fix
+    this, regenerate your server certificate/key pair and this time
+    choose the RSA algorithm.
+<p>
+<li><a name="ToC45"></a>
     <a name="vhosts"></a>
     <strong id="faq">Why can't I use SSL with name-based/non-IP-based virtual hosts?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#vhosts"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#vhosts"><b>L</b></a>]
     <p>
     The reason is very technical. Actually it's some sort of a chicken and
     egg problem: The SSL protocol layer stays below the HTTP protocol layer
@@ -1084,12 +1219,12 @@ ID) also with mod_ssl?</strong>&nbsp;&nbsp;
     handshake is finished. But the information is already needed at the SSL
     handshake phase. Bingo!
 <p>
-<li><a name="ToC39"></a>
+<li><a name="ToC46"></a>
     <a name="lock-icon"></a>
     <strong id="faq">When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
 still show the unlocked state when the dialog pops up. Does this mean the
 username/password is still transmitted unencrypted?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#lock-icon"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#lock-icon"><b>L</b></a>]
     <p>
     No, the username/password is already transmitted encrypted. The icon in
     Netscape browsers is just not really synchronized with the SSL/TLS layer
@@ -1101,12 +1236,12 @@ username/password is still transmitted unencrypted?</strong>&nbsp;&nbsp;
     handshake phase and switched to encrypted communication. So, don't get
     confused by this icon.
 <p>
-<li><a name="ToC40"></a>
+<li><a name="ToC47"></a>
     <a name="io-ie"></a>
     <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet
 Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the
 server". What's the reason?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#io-ie"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#io-ie"><b>L</b></a>]
     <p>
     The reason is that MSIE's SSL implementation has some subtle bugs related
     to the HTTP keep-alive facility and the SSL close notify alerts on socket
@@ -1118,12 +1253,12 @@ server". What's the reason?</strong>&nbsp;&nbsp;
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
     </pre>
 <p>
-<li><a name="ToC41"></a>
+<li><a name="ToC48"></a>
     <a name="io-ns"></a>
     <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I
 get I/O errors and the message "Netscape has encountered bad data from the
 server" What's the reason?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#io-ns"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#io-ns"><b>L</b></a>]
     <p>
     The problem usually is that you had created a new server certificate with
     the same DN, but you had told your browser to accept forever the old
@@ -1134,21 +1269,21 @@ server" What's the reason?</strong>&nbsp;&nbsp;
 </ul>
 <p>
 <br>
-<H2><a name="ToC42">About Support</a></H2>
+<H2><a name="ToC49">About Support</a></H2>
 <ul>
 <p>
-<li><a name="ToC43"></a>
+<li><a name="ToC50"></a>
     <a name="resources"></a>
     <strong id="faq">What information resources are available in case of mod_ssl problems?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#resources"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#resources"><b>L</b></a>]
     <p>
 The following information resources are available.
 In case of problems you should search here first.
 <p>
 <ol>
 <li><em>Answers in the User Manual's F.A.Q. List (this)</em><br>
-    <a href="http://www.modssl.org/docs/2.4/ssl_faq.html">
-    http://www.modssl.org/docs/2.4/ssl_faq.html</a><br>
+    <a href="http://www.modssl.org/docs/2.5/ssl_faq.html">
+    http://www.modssl.org/docs/2.5/ssl_faq.html</a><br>
     First look inside the F.A.Q. (this text), perhaps your problem is such
     popular that it was already answered a lot of times in the past.
 <p>
@@ -1166,10 +1301,10 @@ In case of problems you should search here first.
     someone else already has reported the problem.
 </ol>
 <p>
-<li><a name="ToC44"></a>
+<li><a name="ToC51"></a>
     <a name="contact"></a>
     <strong id="faq">What support contacts are available in case of mod_ssl problems?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#contact"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#contact"><b>L</b></a>]
     <p>
 The following lists all support possibilities for mod_ssl, in order of
 preference, i.e. start in this order and do not pick the support possibility
@@ -1200,11 +1335,11 @@ you just like most, please.
     usually not processed as fast as a posting on modssl-users.
 </ol>
 <p>
-<li><a name="ToC45"></a>
+<li><a name="ToC52"></a>
     <a name="report-details"></a>
     <strong id="faq">What information and details I've to provide to
 the author when writing a bug report?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#report-details"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#report-details"><b>L</b></a>]
     <p>
 You have to at least always provide the following information:
 <p>
@@ -1238,10 +1373,10 @@ You have to at least always provide the following information:
     course.
 </ul>
 <p>
-<li><a name="ToC46"></a>
+<li><a name="ToC53"></a>
     <a name="core-dumped"></a>
     <strong id="faq">I got a core dump, can you help me?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#core-dumped"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#core-dumped"><b>L</b></a>]
     <p>
     In general no, at least not unless you provide more details about the code
     location where Apache dumped core. What is usually always required in
@@ -1249,10 +1384,10 @@ You have to at least always provide the following information:
     information it is mostly impossible to find the problem and help you in
     fixing it.
 <p>
-<li><a name="ToC47"></a>
+<li><a name="ToC54"></a>
     <a name="report-backtrace"></a>
     <strong id="faq">Ok, I got a core dump but how do I get a backtrace to find out the reason for it?</strong>&nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#report-backtrace"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#report-backtrace"><b>L</b></a>]
     <p>
 Follow the following steps:
 <p>
@@ -1267,11 +1402,11 @@ Follow the following steps:
     make sure that the core-dump file can be written. You then should get a
     <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you
     don't get this, try to run your server under an UID != 0 (root), because
-    most "current" kernels Most "current" kernels do not allow a process to
-    dump core after it has done a <code>setuid()</code> (unless it does an
-    <code>exec()</code>) for security reasons (there can be privileged
-    information left over in memory). Additionally you can run
-    ``<code>/path/to/httpd -X</code>'' manually to force Apache not not fork.
+    most "current" kernels do not allow a process to dump core after it has
+    done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
+    security reasons (there can be privileged information left over in
+    memory). Additionally you can run ``<code>/path/to/httpd -X</code>''
+    manually to force Apache not not fork.
 <p>
 <li>Analyze the core-dump. For this run ``<code>gdb /path/to/httpd
     /tmp/httpd.core</code>'' or a similar command has to run. In GDB you then
@@ -1342,12 +1477,12 @@ if (document.images) {
         <td>        <table width="598">
         <tr>
         <td align="left"><font face="Arial,Helvetica">
-        <a href="http://www.modssl.org/">mod_ssl</a> 2.4, User Manual<br>
+        <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
         The Apache Interface to OpenSSL
         </font>
         </td>
         <td align="right"><font face="Arial,Helvetica">
-        Copyright &copy; 1998-1999
+        Copyright &copy; 1998-2000
         <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
         All Rights Reserved<br>
         </font>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
index 899faa40162..9a8250fe179 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
@@ -37,7 +37,7 @@ author.
 <td>
 
 <div align=right>
-<table cellspacing=0 cellpadding=5 border=0 bgcolor="#ccccff" width=300>
+<table cellspacing=0 cellpadding=5 border=0 bgcolor="#ccccff" width=350>
 <tr>
 <td bgcolor="#333399">
 <font face="Arial,Helvetica" color="#ccccff">
@@ -69,7 +69,7 @@ author.
     <a name="<get-var ref>"></a>
     <strong id="faq">%body</strong>\
     &nbsp;&nbsp;
-    [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#<get-var ref>"><b>L</b></a>]
+    [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#<get-var ref>"><b>L</b></a>]
     <p>
 <restore toc>
 <restore ref>
@@ -141,6 +141,57 @@ it is originally derived?
     ("is it possible for you to easily trace down the problems via logfiles,
     etc?"), etc. pp.
 
+<faq ref="apssl-diff" toc="mod_ssl vs. commercial alternatives?">
+What are the major differences between mod_ssl and
+the commercial alternatives like Raven or Stronghold?
+</faq>
+
+    As of this writing (end of the year 1999) the major difference is
+    the RSA license which one receives (very cheaply in contrast to
+    a direct licensing from RSA DSI) with the commercial Apache SSL
+    products. On the other hand, one needs this license only in the
+    US, of course. So for non-US citizens this point is useless. And
+    even for US citizens the situations is at least solved next year
+    (September 20th, 2000) when the RSA patent expires.
+        
+    <p>
+    Second, there is the point that one has guarrantied support from
+    the commercial vendors. On the other hand, if you monitored the
+    Open Source quality of mod_ssl and the support activities
+    found on <a href="mailto:modssl-users@modssl.org">
+    <code>modssl-users@modssl.org</code></a>, you could ask yourself
+    whether you are really convinced that you can get better support
+    from a commercial vendor.
+    
+    <p>
+    Third, people often think they would receive perhaps at least a
+    better technical SSL solution than mod_ssl from the commercial
+    vendors. But this is not really the truth, because all commercial
+    alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.)
+    <i>are</i> actually based on mod_ssl and OpenSSL. The reason for
+    this common misunderstanding is mainly because some vendors make no
+    attempt to make it reasonably clear that their product is actually
+    mod_ssl based. So, do not think, just because the commercial
+    alternatives are usually more expensive, that you are also receiving
+    an alternative <i>technical</i> SSL solution. This is usually not
+    the case. Actually the vendors versions of Apache, mod_ssl and OpenSSL
+    often stay behind the latest free versions and this way still do not
+    include perhaps important bug and security fixes. On the other hand,
+    it sometimes occurs that a vendor version includes useful changes
+    which are not available through the official freely available
+    packages. But most vendors play fair and contribute back those
+    changes to the free software world, of course.
+    
+    <p>
+    So, in short: There are lots of commercial versions of the popular
+    Apache+mod_ssl+OpenSSL server combination available. And until the
+    RSA patent expires in the year 2000, US citizens have no chance,
+    of course. They have to buy one of the commercial versions. Non-US
+    citizens are not forced into this situation and should decide
+    carefully whether they really need to buy a commercial version or
+    whether it would not be sufficient to directly use the free and
+    official versions of the Apache, mod_ssl and OpenSSL packages.
+
 <faq ref="what-version" toc="mod_ssl/Apache versions?">
 How do I know which mod_ssl version is for which Apache version?
 </faq>
@@ -302,6 +353,18 @@ When I use the MM library and the shared memory cache each process grows
     all processes, i.e. the 1.5MB are allocated only once per Apache
     instance and not once per Apache server process.
 
+<faq ref="mmpath" toc="Shared memory and pathname?">
+Apache creates files in a directory declared by the internal
+EAPI_MM_CORE_PATH define. Is there a way to override the path using a
+configuration directive?
+</faq>
+
+    No, there is not configuration directive, because for technical
+    bootstrapping reasons, a directive not possible at all. Instead
+    use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
+    ./configure ...</code>'' when building Apache or use option
+    <b>-d</b> when starting <code>httpd</code>.
+
 </ul>
 
 <p>
@@ -351,7 +414,7 @@ How can I speak HTTPS manually for testing purposes?
     SSL handshake.  For a more general command line client which directly
     understands both the HTTP and HTTPS scheme, can perform GET and POST
     methods, can use a proxy, supports byte ranges, etc. you should have a
-    look at nifty <a href="http://www.fts.frontec.se/~dast/curl/">cURL</a>
+    look at nifty <a href="http://curl.haxx.nu/">cURL</a>
     tool.  With it you can directly check if your Apache is running fine on
     Port 80 and 443 as following:
     <p>
@@ -384,6 +447,14 @@ installed Apache+mod_ssl server via HTTPS?
     yourself a favor and start over with the default configuration mod_ssl
     provides you. 
 
+<faq ref="env-vars" toc="Why are the SSL_XXX variables missing?">
+In my CGI programs and SSI scripts the various documented
+<code>SSL_XXX</code> variables do not exists. Why?
+</faq>
+
+    Just make sure you have ``<code>SSLOptions +StdEnvVars</code>''
+    enabled for the context of your CGI/SSI requests.
+
 <faq ref="relative-links" toc="How to switch with relative hyperlinks?">
 How can I use relative hyperlinks to switch between HTTP and HTTPS?
 </faq>
@@ -807,6 +878,20 @@ ID) also with mod_ssl?
     automatically handled by mod_ssl under run-time. For details please read
     the <tt>README.GlobalID</tt> document in the mod_ssl distribution.
 
+<faq ref="gid" toc="Global IDs and Cert Chain?">
+After I have installed my new Verisign Global ID server certificate, the
+browsers complain that they cannot verify the server certificate?
+</faq>
+
+    That is because Verisign uses an intermediate CA certificate between
+    the root CA certificate (which is installed in the browsers) and
+    the server certificate (which you installed in the server). You
+    should have received this additional CA certificate from Verisign.
+    If not, complain to them. Then configure this certificate with the
+    <code>SSLCertificateChainFile</code> directive in the server. This
+    makes sure the intermediate CA certificate is send to the browser
+    and this way fills the gap in the certificate chain.
+
 </ul>
 
 <p>
@@ -824,6 +909,16 @@ Why has my webserver a higher load now that I run SSL there?
     the images are transfered encrypted. So, when you have a lot of HTTPS
     traffic the load increases.
 
+<faq ref="random" toc="Why are connections horribly slow?">
+Often HTTPS connections to my server require up to 30 seconds for establishing
+the connection, although sometimes it works faster?
+</faq>
+
+    Usually this is caused by using a <code>/dev/random</code> device for
+    <code>SSLRandomSeed</code> which is blocking in read(2) calls if not
+    enough entropy is available. Read more about this problem in the refernce
+    chapter under <code>SSLRandomSeed</code>.
+
 <faq ref="ciphers" toc="Which ciphers are supported?">
 What SSL Ciphers are supported by mod_ssl?
 </faq>
@@ -847,6 +942,35 @@ What SSL Ciphers are supported by mod_ssl?
     <p>
     <code><strong>$ openssl ciphers -v</strong></code><br>
 
+<faq ref="cipher-adh" toc="How to use Anonymous-DH ciphers">
+I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no
+shared cipher'' errors?
+</faq>
+
+    In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough
+    to just put ``<code>ADH</code>'' into your <code>SSLCipherSuite</code>.
+    Additionally you have to build OpenSSL with
+    ``<code>-DSSL_ALLOW_ADH</code>''. Because per default OpenSSL does not
+    allow ADH ciphers for security reasons. So if you are actually enabling
+    these ciphers make sure you are informed about the side-effects.
+
+<faq ref="cipher-shared" toc="Why do I get 'no shared ciphers'?">
+I always just get a 'no shared ciphers' error if
+I try to connect to my freshly installed server?
+</faq>
+  
+    Either you have messed up your <code>SSLCipherSuite</code>
+    directive (compare it with the pre-configured example in
+    <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
+    algorithms instead of RSA under "<code>make certificate</code>"
+    and ignored or overseen the warnings. Because if you have choosen
+    DSA/DH, then your server no longer speaks RSA-based SSL ciphers
+    (at least not until you also configure an additional RSA-based
+    certificate/key pair). But current browsers like NS or IE only speak
+    RSA ciphers. The result is the "no shared ciphers" error. To fix
+    this, regenerate your server certificate/key pair and this time
+    choose the RSA algorithm.
+
 <faq ref="vhosts" toc="HTTPS and name-based vhosts">
 Why can't I use SSL with name-based/non-IP-based virtual hosts?
 </faq>
@@ -927,8 +1051,8 @@ In case of problems you should search here first.
 <p>
 <ol>
 <li><em>Answers in the User Manual's F.A.Q. List (this)</em><br>
-    <a href="http://www.modssl.org/docs/2.4/ssl_faq.html">
-    http://www.modssl.org/docs/2.4/ssl_faq.html</a><br>
+    <a href="http://www.modssl.org/docs/2.5/ssl_faq.html">
+    http://www.modssl.org/docs/2.5/ssl_faq.html</a><br>
     First look inside the F.A.Q. (this text), perhaps your problem is such
     popular that it was already answered a lot of times in the past.
 <p>
@@ -1047,11 +1171,11 @@ Follow the following steps:
     make sure that the core-dump file can be written. You then should get a
     <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you
     don't get this, try to run your server under an UID != 0 (root), because
-    most "current" kernels Most "current" kernels do not allow a process to
-    dump core after it has done a <code>setuid()</code> (unless it does an
-    <code>exec()</code>) for security reasons (there can be privileged
-    information left over in memory).  Additionally you can run
-    ``<code>/path/to/httpd -X</code>'' manually to force Apache not not fork.
+    most "current" kernels do not allow a process to dump core after it has
+    done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
+    security reasons (there can be privileged information left over in
+    memory).  Additionally you can run ``<code>/path/to/httpd -X</code>''
+    manually to force Apache not not fork.
 <p>
 <li>Analyze the core-dump. For this run ``<code>gdb /path/to/httpd
     /tmp/httpd.core</code>'' or a similar command has to run. In GDB you then
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.html
index ccc3a4643a9..79947dd5f2a 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.html
@@ -3,7 +3,7 @@
 <title>mod_ssl: Glossary</title>
 
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -406,12 +406,12 @@ if (document.images) {
         <td>        <table width="598">
         <tr>
         <td align="left"><font face="Arial,Helvetica">
-        <a href="http://www.modssl.org/">mod_ssl</a> 2.4, User Manual<br>
+        <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
         The Apache Interface to OpenSSL
         </font>
         </td>
         <td align="right"><font face="Arial,Helvetica">
-        Copyright &copy; 1998-1999
+        Copyright &copy; 1998-2000
         <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
         All Rights Reserved<br>
         </font>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html
index cd9348df33d..c8451adeb21 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html
@@ -3,7 +3,7 @@
 <title>mod_ssl: HowTo</title>
 
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -474,7 +474,7 @@ solution is:
 #   be liberal in general
 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 &lt;Location /strong/area&gt;
-#   but https://hostname/string/area/ and below requires strong ciphers
+#   but https://hostname/strong/area/ and below requires strong ciphers
 SSLCipherSuite HIGH:MEDIUM
 &lt;/Location&gt;
 </pre></td>
@@ -884,12 +884,12 @@ if (document.images) {
         <td>        <table width="598">
         <tr>
         <td align="left"><font face="Arial,Helvetica">
-        <a href="http://www.modssl.org/">mod_ssl</a> 2.4, User Manual<br>
+        <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
         The Apache Interface to OpenSSL
         </font>
         </td>
         <td align="right"><font face="Arial,Helvetica">
-        Copyright &copy; 1998-1999
+        Copyright &copy; 1998-2000
         <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
         All Rights Reserved<br>
         </font>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml
index 32f361e78e5..20cdd633040 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml
@@ -155,7 +155,7 @@ solution is:
 \#   be liberal in general
 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 &lt;Location /strong/area&gt;
-\#   but https://hostname/string/area/ and below requires strong ciphers
+\#   but https://hostname/strong/area/ and below requires strong ciphers
 SSLCipherSuite HIGH:MEDIUM
 &lt;/Location&gt;
 </config>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html
index 4011de2ee03..ecee2367506 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html
@@ -3,7 +3,7 @@
 <title>mod_ssl: Introduction</title>
 
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -832,7 +832,7 @@ is what mod_ssl provides to you for the Apache webserver...
      http://www.rsa.com/rsalabs/pubs/PKCS/</a>.
 <p>
 <li><a name="MIME"></a>
-[MIME] N. Freed, N. Borenstein, <em>ultipurpose Internet Mail Extensions
+[MIME] N. Freed, N. Borenstein, <em>Multipurpose Internet Mail Extensions
        (MIME) Part One: Format of Internet Message Bodies</em>, RFC2045.
        See for instance <a href="ftp://ftp.isi.edu/in-notes/rfc2045.txt">
        ftp://ftp.isi.edu/in-notes/rfc2045.txt</a>.
@@ -916,12 +916,12 @@ if (document.images) {
         <td>        <table width="598">
         <tr>
         <td align="left"><font face="Arial,Helvetica">
-        <a href="http://www.modssl.org/">mod_ssl</a> 2.4, User Manual<br>
+        <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
         The Apache Interface to OpenSSL
         </font>
         </td>
         <td align="right"><font face="Arial,Helvetica">
-        Copyright &copy; 1998-1999
+        Copyright &copy; 1998-2000
         <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
         All Rights Reserved<br>
         </font>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml
index 6239655e657..03b438302b6 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml
@@ -619,7 +619,7 @@ is what mod_ssl provides to you for the Apache webserver...
      http://www.rsa.com/rsalabs/pubs/PKCS/</a>.
 <p>
 <li><a name="MIME"></a>
-[MIME] N. Freed, N. Borenstein, <em>ultipurpose Internet Mail Extensions
+[MIME] N. Freed, N. Borenstein, <em>Multipurpose Internet Mail Extensions
        (MIME) Part One: Format of Internet Message Bodies</em>, RFC2045.
        See for instance <a href="ftp://ftp.isi.edu/in-notes/rfc2045.txt">
        ftp://ftp.isi.edu/in-notes/rfc2045.txt</a>.
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_overview.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_overview.html
index 9b6c3e0bef6..2d68c6ac544 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_overview.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_overview.html
@@ -3,7 +3,7 @@
 <title>mod_ssl: Preface</title>
 
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -486,12 +486,12 @@ if (document.images) {
         <td>        <table width="598">
         <tr>
         <td align="left"><font face="Arial,Helvetica">
-        <a href="http://www.modssl.org/">mod_ssl</a> 2.4, User Manual<br>
+        <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
         The Apache Interface to OpenSSL
         </font>
         </td>
         <td align="right"><font face="Arial,Helvetica">
-        Copyright &copy; 1998-1999
+        Copyright &copy; 1998-2000
         <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
         All Rights Reserved<br>
         </font>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html
index 1633b75fd98..de8166b5716 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html
@@ -3,7 +3,7 @@
 <title>mod_ssl: Reference</title>
 
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -1374,6 +1374,12 @@ the certificate chain construction, it has the side-effect that client
 certificates issued by this same CA certificate are also accepted on client
 authentication. That's usually not one expect.
 <p>
+But be careful: Providing the certificate chain works only if you are using a
+<i>single</i> (either RSA <i>or</i> DSA) based server certificate. If you are
+using a coupled RSA+DSA certificate pair, this will work only if actually both
+certificates use the <i>same</i> certificate chain. Else the browsers will be
+confused in this situation.
+<p>
 Example:
 <blockquote>
 <pre>
@@ -2007,6 +2013,14 @@ preceded by a <code>-</code> are removed from the options currently in force.
 <p>
 The available <em>option</em>s are:
 <ul>
+<li><code>StdEnvVars</code>
+    <p>
+    When this option is enabled, the standard set of SSL related CGI/SSI
+    environment variables are created. This per default is disabled for
+    performance reasons, because the information extraction step is a
+    rather expensive operation. So one usually enables this option for
+    CGI and SSI requests only.
+<p>
 <li><code>CompatEnvVars</code>
     <p>
     When this option is enabled, additional CGI/SSI environment variables are
@@ -2036,8 +2050,10 @@ The available <em>option</em>s are:
     <code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
     </code><em>certificate</em><code>.crt</code>). Note that no password is
     obtained from the user. Every entry in the user file needs this password:
-    ``<code>xxj31ZMTZzkVA</code>'', which is the encrypted version of the word
-    ``<code>password</code>''.
+    ``<code>xxj31ZMTZzkVA</code>'', which is the DES-encrypted version of the
+    word `<code>password</code>''. Those who live under MD5-based encryption
+    (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
+    hash of the same word: ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.
 <p>
 <li><code>StrictRequire</code>
     <p>
@@ -2068,7 +2084,10 @@ The available <em>option</em>s are:
 Example:
 <blockquote>
 <pre>
-SSLOptions +FakeBasicAuth -CompatEnvVars
+SSLOptions +FakeBasicAuth -StrictRequire
+&lt;Files ~ "\.(cgi|shtml)$"&gt;
+    SSLOptions +StdEnvVars +CompatEnvVars -ExportCertData
+&lt;Files&gt;
 </pre>
 </blockquote>
 <!-- SSLRequireSSL -------------------------------------------------->
@@ -2282,19 +2301,31 @@ SSL_PROTOCOL           SSL_CLIENT_V_START     SSL_SERVER_V_START
 SSL_SESSION_ID         SSL_CLIENT_V_END       SSL_SERVER_V_END
 SSL_CIPHER             SSL_CLIENT_S_DN        SSL_SERVER_S_DN
 SSL_CIPHER_EXPORT      SSL_CLIENT_S_DN_C      SSL_SERVER_S_DN_C
-SSL_CIPHER_ALGKEYSIZE  SSL_CLIENT_S_DN_SP     SSL_SERVER_S_DN_SP
+SSL_CIPHER_ALGKEYSIZE  SSL_CLIENT_S_DN_ST     SSL_SERVER_S_DN_ST
 SSL_CIPHER_USEKEYSIZE  SSL_CLIENT_S_DN_L      SSL_SERVER_S_DN_L
 SSL_VERSION_LIBRARY    SSL_CLIENT_S_DN_O      SSL_SERVER_S_DN_O
 SSL_VERSION_INTERFACE  SSL_CLIENT_S_DN_OU     SSL_SERVER_S_DN_OU
                        SSL_CLIENT_S_DN_CN     SSL_SERVER_S_DN_CN
+                       SSL_CLIENT_S_DN_T      SSL_SERVER_S_DN_T
+                       SSL_CLIENT_S_DN_I      SSL_SERVER_S_DN_I
+                       SSL_CLIENT_S_DN_G      SSL_SERVER_S_DN_G
+                       SSL_CLIENT_S_DN_S      SSL_SERVER_S_DN_S
+                       SSL_CLIENT_S_DN_D      SSL_SERVER_S_DN_D
+                       SSL_CLIENT_S_DN_UID    SSL_SERVER_S_DN_UID
                        SSL_CLIENT_S_DN_Email  SSL_SERVER_S_DN_Email
                        SSL_CLIENT_I_DN        SSL_SERVER_I_DN
                        SSL_CLIENT_I_DN_C      SSL_SERVER_I_DN_C
-                       SSL_CLIENT_I_DN_SP     SSL_SERVER_I_DN_SP
+                       SSL_CLIENT_I_DN_ST     SSL_SERVER_I_DN_ST
                        SSL_CLIENT_I_DN_L      SSL_SERVER_I_DN_L
                        SSL_CLIENT_I_DN_O      SSL_SERVER_I_DN_O
                        SSL_CLIENT_I_DN_OU     SSL_SERVER_I_DN_OU
                        SSL_CLIENT_I_DN_CN     SSL_SERVER_I_DN_CN
+                       SSL_CLIENT_I_DN_T      SSL_SERVER_I_DN_T
+                       SSL_CLIENT_I_DN_I      SSL_SERVER_I_DN_I
+                       SSL_CLIENT_I_DN_G      SSL_SERVER_I_DN_G
+                       SSL_CLIENT_I_DN_S      SSL_SERVER_I_DN_S
+                       SSL_CLIENT_I_DN_D      SSL_SERVER_I_DN_D
+                       SSL_CLIENT_I_DN_UID    SSL_SERVER_I_DN_UID
                        SSL_CLIENT_I_DN_Email  SSL_SERVER_I_DN_Email
                        SSL_CLIENT_A_SIG       SSL_SERVER_A_SIG
                        SSL_CLIENT_A_KEY       SSL_SERVER_A_KEY
@@ -2364,7 +2395,8 @@ compatibility variables.
 <tr id="H"><td><code>SSL_SERVER_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of server's certificate</td></tr>
 <tr id="D"><td><code>SSL_SERVER_CERT</code></td>               <td>string</td>    <td>PEM-encoded server certificate</td></tr>
 </table>
-[ where <em>x509</em> is a component of a X.509 DN: <code>C, SP, L, O, OU, CN, Email</code> ]</td>
+[ where <em>x509</em> is a component of a X.509 DN:
+  <code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code> ]</td>
 </tr></table>
 </td></tr></table>
 </div>
@@ -2453,12 +2485,12 @@ if (document.images) {
         <td>        <table width="598">
         <tr>
         <td align="left"><font face="Arial,Helvetica">
-        <a href="http://www.modssl.org/">mod_ssl</a> 2.4, User Manual<br>
+        <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
         The Apache Interface to OpenSSL
         </font>
         </td>
         <td align="right"><font face="Arial,Helvetica">
-        Copyright &copy; 1998-1999
+        Copyright &copy; 1998-2000
         <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
         All Rights Reserved<br>
         </font>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
index e7e0fa080ac..bd91edd0efd 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
@@ -822,6 +822,13 @@ certificates issued by this same CA certificate are also accepted on client
 authentication. That's usually not one expect.
 
 <p>
+But be careful: Providing the certificate chain works only if you are using a
+<i>single</i> (either RSA <i>or</i> DSA) based server certificate. If you are
+using a coupled RSA+DSA certificate pair, this will work only if actually both
+certificates use the <i>same</i> certificate chain.  Else the browsers will be
+confused in this situation.
+
+<p>
 Example:
 <blockquote>
 <pre>
@@ -1202,6 +1209,14 @@ preceded by a <code>-</code> are removed from the options currently in force.
 The available <em>option</em>s are:
 
 <ul>
+<li><code>StdEnvVars</code>
+    <p>
+    When this option is enabled, the standard set of SSL related CGI/SSI
+    environment variables are created. This per default is disabled for
+    performance reasons, because the information extraction step is a
+    rather expensive operation. So one usually enables this option for
+    CGI and SSI requests only.
+<p>
 <li><code>CompatEnvVars</code>
     <p>
     When this option is enabled, additional CGI/SSI environment variables are
@@ -1231,8 +1246,10 @@ The available <em>option</em>s are:
     <code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
     </code><em>certificate</em><code>.crt</code>).  Note that no password is
     obtained from the user. Every entry in the user file needs this password:
-    ``<code>xxj31ZMTZzkVA</code>'', which is the encrypted version of the word
-    ``<code>password</code>''.
+    ``<code>xxj31ZMTZzkVA</code>'', which is the DES-encrypted version of the
+    word `<code>password</code>''. Those who live under MD5-based encryption
+    (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
+    hash of the same word: ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.
 <p>
 <li><code>StrictRequire</code>
     <p>
@@ -1264,7 +1281,10 @@ The available <em>option</em>s are:
 Example:
 <blockquote>
 <pre>
-SSLOptions +FakeBasicAuth -CompatEnvVars
+SSLOptions +FakeBasicAuth -StrictRequire
+&lt;Files ~ "\.(cgi|shtml)$"&gt;
+    SSLOptions +StdEnvVars +CompatEnvVars -ExportCertData
+&lt;Files&gt;
 </pre>
 </blockquote>
 
@@ -1422,19 +1442,31 @@ SSL_PROTOCOL           SSL_CLIENT_V_START     SSL_SERVER_V_START
 SSL_SESSION_ID         SSL_CLIENT_V_END       SSL_SERVER_V_END    
 SSL_CIPHER             SSL_CLIENT_S_DN        SSL_SERVER_S_DN     
 SSL_CIPHER_EXPORT      SSL_CLIENT_S_DN_C      SSL_SERVER_S_DN_C   
-SSL_CIPHER_ALGKEYSIZE  SSL_CLIENT_S_DN_SP     SSL_SERVER_S_DN_SP  
+SSL_CIPHER_ALGKEYSIZE  SSL_CLIENT_S_DN_ST     SSL_SERVER_S_DN_ST  
 SSL_CIPHER_USEKEYSIZE  SSL_CLIENT_S_DN_L      SSL_SERVER_S_DN_L   
 SSL_VERSION_LIBRARY    SSL_CLIENT_S_DN_O      SSL_SERVER_S_DN_O   
 SSL_VERSION_INTERFACE  SSL_CLIENT_S_DN_OU     SSL_SERVER_S_DN_OU  
                        SSL_CLIENT_S_DN_CN     SSL_SERVER_S_DN_CN  
+                       SSL_CLIENT_S_DN_T      SSL_SERVER_S_DN_T  
+                       SSL_CLIENT_S_DN_I      SSL_SERVER_S_DN_I  
+                       SSL_CLIENT_S_DN_G      SSL_SERVER_S_DN_G  
+                       SSL_CLIENT_S_DN_S      SSL_SERVER_S_DN_S  
+                       SSL_CLIENT_S_DN_D      SSL_SERVER_S_DN_D  
+                       SSL_CLIENT_S_DN_UID    SSL_SERVER_S_DN_UID  
                        SSL_CLIENT_S_DN_Email  SSL_SERVER_S_DN_Email
                        SSL_CLIENT_I_DN        SSL_SERVER_I_DN       
                        SSL_CLIENT_I_DN_C      SSL_SERVER_I_DN_C    
-                       SSL_CLIENT_I_DN_SP     SSL_SERVER_I_DN_SP   
+                       SSL_CLIENT_I_DN_ST     SSL_SERVER_I_DN_ST   
                        SSL_CLIENT_I_DN_L      SSL_SERVER_I_DN_L    
                        SSL_CLIENT_I_DN_O      SSL_SERVER_I_DN_O    
                        SSL_CLIENT_I_DN_OU     SSL_SERVER_I_DN_OU   
                        SSL_CLIENT_I_DN_CN     SSL_SERVER_I_DN_CN   
+                       SSL_CLIENT_I_DN_T      SSL_SERVER_I_DN_T  
+                       SSL_CLIENT_I_DN_I      SSL_SERVER_I_DN_I  
+                       SSL_CLIENT_I_DN_G      SSL_SERVER_I_DN_G  
+                       SSL_CLIENT_I_DN_S      SSL_SERVER_I_DN_S  
+                       SSL_CLIENT_I_DN_D      SSL_SERVER_I_DN_D  
+                       SSL_CLIENT_I_DN_UID    SSL_SERVER_I_DN_UID  
                        SSL_CLIENT_I_DN_Email  SSL_SERVER_I_DN_Email
                        SSL_CLIENT_A_SIG       SSL_SERVER_A_SIG    
                        SSL_CLIENT_A_KEY       SSL_SERVER_A_KEY    
@@ -1501,7 +1533,8 @@ compatibility variables.
 <tr id=H><td><code>SSL_SERVER_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of server's certificate</td></tr>
 <tr id=D><td><code>SSL_SERVER_CERT</code></td>               <td>string</td>    <td>PEM-encoded server certificate</td></tr>
 </table>
-[ where <em>x509</em> is a component of a X.509 DN: <code>C, SP, L, O, OU, CN, Email</code> ]
+[ where <em>x509</em> is a component of a X.509 DN:
+  <code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code> ]
 </float>
 
 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_template.inc b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_template.inc
index 27421e14e6c..fd1161eae66 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_template.inc
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_template.inc
@@ -1,6 +1,6 @@
 ##
 ## ssl_template.inc -- mod_ssl User Manual: The Heart
-## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved. 
+## Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved. 
 ##
 
 #use wml::std::page
@@ -16,7 +16,7 @@
 <head>\
 <protect>
 <!--
-  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
@@ -233,13 +233,13 @@ H4 {
         <tr>
         <td align=left>\
         <font face="Arial,Helvetica"> 
-        <a href="http://www.modssl.org/">mod_ssl</a> 2.4, User Manual<br>
+        <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
         The Apache Interface to OpenSSL
         </font>
         </td>
         <td align=right>\
         <font face="Arial,Helvetica"> 
-        Copyright &copy; 1998-1999
+        Copyright &copy; 1998-2000
         <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
         All Rights Reserved<br>
         </font>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_vhost_alias.html b/usr.sbin/httpd/htdocs/manual/mod/mod_vhost_alias.html
index 17506e3042b..d9331a57527 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_vhost_alias.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_vhost_alias.html
@@ -23,13 +23,9 @@
 
 <P>
 This module is contained in the <CODE>mod_vhost_alias.c</CODE> file
-and is not compiled in by default. It should be mentioned near the
-start of the <CODE>Configuration</CODE> file so that it doesn't
-override the behaviour of other modules that do filename translation,
-<EM>e.g.</EM>, <A HREF="mod_userdir.html"><CODE>mod_userdir</CODE></A> and
-<A HREF="mod_alias.html"><CODE>mod_alias</CODE></A>. It provides
-support for <A HREF="../vhosts/mass.html">dynamically configured mass
-virtual hosting</A>.
+and is not compiled in by default. It provides support for
+<A HREF="../vhosts/mass.html">dynamically configured mass virtual
+hosting</A>.
 </P>
 
 <H2>Directory Name Interpolation</H2>
@@ -149,14 +145,14 @@ this module.
 
 <H2>Directives</H2>
 <UL>
-  <LI><A HREF="#VirtualDocumentRoot">VirtualDocumentRoot</A>
-  <LI><A HREF="#VirtualDocumentRootIP">VirtualDocumentRootIP</A>
-  <LI><A HREF="#VirtualScriptAlias">VirtualScriptAlias</A>
-  <LI><A HREF="#VirtualScriptAliasIP">VirtualScriptAliasIP</A>
+  <LI><A HREF="#virtualdocumentroot">VirtualDocumentRoot</A>
+  <LI><A HREF="#virtualdocumentrootip">VirtualDocumentRootIP</A>
+  <LI><A HREF="#virtualscriptalias">VirtualScriptAlias</A>
+  <LI><A HREF="#virtualscriptaliasip">VirtualScriptAliasIP</A>
 </UL>
 <HR>
 
-<H2><A NAME="VirtualDocumentRoot">VirtualDocumentRoot directive</A></H2>
+<H2><A NAME="virtualdocumentroot">VirtualDocumentRoot directive</A></H2>
 <P>
 <A
  HREF="directive-dict.html#Syntax"
@@ -191,11 +187,11 @@ as the root of the document tree in a similar manner to the
 directive's argument. If <EM>interpolated-directory</EM> is
 <CODE>none</CODE> then <CODE>VirtaulDocumentRoot</CODE> is turned off.
 This directive cannot be used in the same context as
-<A HREF="#VirtualDocumentRootIP"><CODE>VirtualDocumentRootIP</CODE></A>.
+<A HREF="#virtualdocumentrootip"><CODE>VirtualDocumentRootIP</CODE></A>.
 </P>
 <HR>
 
-<H2><A NAME="VirtualDocumentRootIP">VirtualDocumentRootIP directive</A></H2>
+<H2><A NAME="virtualdocumentrootip">VirtualDocumentRootIP directive</A></H2>
 <P>
 <A
  HREF="directive-dict.html#Syntax"
@@ -223,13 +219,13 @@ This directive cannot be used in the same context as
 ><STRONG>Compatibility:</STRONG></A> VirtualDocumentRootIP is only available in 1.3.7 and later.</P>
 <P>
 The <CODE>VirtualDocumentRootIP</CODE> directive is like the
-<A HREF="#VirtualDocumentRoot"><CODE>VirtualDocumentRoot</CODE></A> directive,
+<A HREF="#virtualdocumentroot"><CODE>VirtualDocumentRoot</CODE></A> directive,
 except that it uses the IP address of the server end of the connection
 instead of the server name.
 </P>
 <HR>
 
-<H2><A NAME="VirtualScriptAlias">VirtualScriptAlias directive</A></H2>
+<H2><A NAME="virtualscriptalias">VirtualScriptAlias directive</A></H2>
 <P>
 <A
  HREF="directive-dict.html#Syntax"
@@ -258,7 +254,7 @@ instead of the server name.
 <P>
 The <CODE>VirtualScriptAlias</CODE> directive allows you to determine
 where Apache will find CGI scripts in a similar manner to
-<A HREF="#VirtualDocumentRoot"><CODE>VirtualDocumentRoot</CODE></A>
+<A HREF="#virtualdocumentroot"><CODE>VirtualDocumentRoot</CODE></A>
 does for other documents. It matches requests for URIs starting
 <CODE>/cgi-bin/</CODE>, much like
 <CODE><A HREF="mod_alias.html#scriptalias">ScriptAlias</A> /cgi-bin/</CODE>
@@ -266,7 +262,7 @@ would.
 </P>
 <HR>
 
-<H2><A NAME="VirtualScriptAlias">VirtualScriptAliasIP directive</A></H2>
+<H2><A NAME="virtualscriptaliasip">VirtualScriptAliasIP directive</A></H2>
 <P>
 <A
  HREF="directive-dict.html#Syntax"
@@ -293,8 +289,8 @@ would.
  REL="Help"
 ><STRONG>Compatibility:</STRONG></A> VirtualScriptAliasIP is only available in 1.3.7 and later.</P>
 <P>
-The <CODE>VirtualScriptAliasIP</CODE> directibe is like the
-<A HREF="#VirtualScriptAlias"><CODE>VirtualScriptAlias</CODE></A> directive,
+The <CODE>VirtualScriptAliasIP</CODE> directive is like the
+<A HREF="#virtualscriptalias"><CODE>VirtualScriptAlias</CODE></A> directive,
 except that it uses the IP address of the server end of the connection
 instead of the server name.
 </P>
diff --git a/usr.sbin/httpd/htdocs/manual/new_features_1_3.html b/usr.sbin/httpd/htdocs/manual/new_features_1_3.html
index 578b83cfda9..7a8ff4a22e9 100644
--- a/usr.sbin/httpd/htdocs/manual/new_features_1_3.html
+++ b/usr.sbin/httpd/htdocs/manual/new_features_1_3.html
@@ -43,13 +43,16 @@ the <A HREF="upgrading_to_1_3.html">upgrade notes</A>.
     modules can be loaded into the server process space only when necessary,
     thus overall memory usage by Apache will be significantly reduced.  DSO
     currently is supported on FreeBSD, OpenBSD, NetBSD, Linux, Solaris, SunOS,
-    Digital UNIX, IRIX, HP/UX, UnixWare, AIX, ReliantUnix and generic SVR4
-    platforms.
+    Digital UNIX, IRIX, HP/UX, UnixWare, NetWare, AIX, ReliantUnix and generic
+    SVR4 platforms.
 
 <DT><STRONG><A HREF="windows.html">Support for Windows NT/95</A></STRONG>
 <DD>Apache now experimentally supports the Windows NT and Windows 95
     operating systems.
 
+<DT><STRONG><A HREF="netware.html">Support for NetWare 5.x</A></STRONG>
+<DD>Apache now experimentally supports the NetWare 5.x operating systems.
+
 <DT><STRONG><A HREF="sourcereorg.html">Re-organized 
     Sources</A></STRONG>
 <DD>The source files for Apache have been re-organized. The main
diff --git a/usr.sbin/httpd/htdocs/manual/readme-tpf.html b/usr.sbin/httpd/htdocs/manual/readme-tpf.html
index a9267dfb387..9d1a82a279c 100644
--- a/usr.sbin/httpd/htdocs/manual/readme-tpf.html
+++ b/usr.sbin/httpd/htdocs/manual/readme-tpf.html
@@ -19,7 +19,7 @@
    IBM's EBCDIC-based
    <A HREF="http://www.s390.ibm.com/products/tpf/tpfhp.html">TPF</A>
    (Transaction Processing Facility) operating system.
-   Unless otherwise noted TPF version 4.1 PUT08 and APAR PJ25589 are required.
+   Unless otherwise noted TPF version 4.1 PUT09 is required.
    <BR><BR>
    Refer to htdocs/manual/<A HREF="install-tpf.html">install-tpf.html</A>
    for step-by-step installation instructions.
@@ -37,14 +37,9 @@
 <P>
    The distributed configuration files (httpd.conf-dist and
    mime.types, both located in the conf subdirectory)
-   work on TPF with only a couple of operating system specific changes
-   to httpd.conf:<BR>
-   <UL>
-   <LI>ServerType needs to be "inetd" on pre-PUT09 systems.
-   <LI>Performance considerations may dictate setting KeepAlive to "Off"
-       (the default is "On") or lowering the Timeout value from the default
-       300 seconds (5 minutes) in order to reduce the number of active ECBs on your system.
-   </UL>
+   work on TPF.  Performance considerations may dictate setting KeepAlive to "Off"
+   (the default is "On") or lowering the Timeout value from the default
+   300 seconds (5 minutes) in order to reduce the number of active ECBs on your system.
 </P>
 
 <A NAME="whats_available">&nbsp;</A>
@@ -58,8 +53,12 @@
 
    <multicol COLS=3><UL>
    <LI>alloc.c
+   <LI>ap_base64.c
+   <LI>ap_checkpass.c
    <LI>ap_cpystrn.c
    <LI>ap_fnmatch.c
+   <LI>ap_md5c.c
+   <LI>ap_sha1.c
    <LI>ap_signal.c
    <LI>ap_slack.c
    <LI>ap_snprintf.c
@@ -68,29 +67,32 @@
    <LI>ebcdic.c
    <LI>gen_test.char.c
    <LI>gen_uri_delims.c
+   <LI>htpasswd.c <i><small>(requires PUT10)</small></i>
    <LI>http_config.c
    <LI>http_core.c
    <LI>http_log.c
-   <LI>http_main.c <A HREF="#note_1"> <i><small>(see note 1)</small></i></A>
+   <LI>http_main.c
    <LI>http_protocol.c
    <LI>http_request.c
-   <LI>http_vhost.c <i><small>(requires PUT9)</small></i>
+   <LI>http_vhost.c
    <LI>logresolve.c <i><small>(requires PUT10)</small></i>
-   <LI>mod_access.c <A HREF="#note_2"> <i><small>(see note 2)</small></i></A>
+   <LI>mod_access.c <A HREF="#notes"> <i><small>(see note 1)</small></i></A>
    <LI>mod_actions.c
    <LI>mod_alias.c
    <LI>mod_asis.c
+   <LI>mod_auth.c
    <LI>mod_auth_anon.c
    <LI>mod_autoindex.c
    <LI>mod_cern_meta.c
    <LI>mod_cgi.c <i><small>(requires PUT10)</small></i>
+   <LI>mod_digest.c
    <LI>mod_dir.c
    <LI>mod_env.c
    <LI>mod_example.c
    <LI>mod_expires.c
    <LI>mod_headers.c
    <LI>mod_imap.c
-   <LI>mod_include.c <A HREF="#note_3"> <i><small>(see note 3)</small></i></A>
+   <LI>mod_include.c <A HREF="#notes"> <i><small>(see note 2)</small></i></A>
    <LI>mod_info.c
    <LI>mod_log_agent.c
    <LI>mod_log_config.c
@@ -99,57 +101,58 @@
    <LI>mod_mime_magic.c
    <LI>mod_negotiation.c
    <LI><A HREF="http://hpwww.ec-lyon.fr/~vincent/apache/mod_put.html">mod_put.c</A>
+          <i> <small>(third party module)</small></i>
+   <LI>mod_proxy.c
    <LI>mod_setenvif.c
    <LI>mod_speling.c
    <LI>mod_status.c
+   <LI>mod_tpf_shm_static.c <i><small>(third party module, requires PUT10)</small></i>
    <LI>mod_unique_id.c <i><small>(requires PUT10)</small></i>
    <LI>mod_userdir.c
    <LI>mod_usertrack.c
    <LI>os.c
    <LI>os-inline.c
+   <LI>proxy_cache.c
+   <LI>proxy_connect.c
+   <LI>proxy_ftp.c
+   <LI>proxy_http.c
+   <LI>proxy_util.c
    <LI>regular expression parser
+   <LI>regular expression test tool <i><small>(requires PUT10)</small></i>
+   <LI>rfc1413.c
    <LI>rotatelogs.c <i><small>(requires PUT10)</small></i>
    <LI>util.c
    <LI>util_date.c
+   <LI>util_md5.c
    <LI>util_script.c
    <LI>util_uri.c
    </UL></MULTICOL>
-   <br><b>Notes:</b>
-      <A NAME="note_1">&nbsp;</A>
+   <A NAME="notes"></A><b>Notes:</b>
    <ol>
-      <li>"Standalone" mode requires TPF version 4.1 PUT09
-   <A NAME="note_2">&nbsp;</A>
       <li>Use of mod_access directives &quot;<tt>allow from</tt>&quot; &amp; &quot;<tt>deny from</tt>&quot;
           with host <i>names</i> (verses ip addresses) requires TPF version 4.1 PUT10
-      <A NAME="note_3">&nbsp;</A>
       <li>CGI execution requires TPF version 4.1 PUT10
    </ol>
 
 <H3>Components/modules not yet supported on TPF:</H3>
 
    <multicol COLS=3><UL>
-   <LI>ap_md5c.c
-   <LI>htpasswd.c
-   <LI>mod_auth.c
-   <LI>mod_digest.c
-   <LI>mod_mmap_static.c
-   <LI>mod_proxy.c
+   <LI>htdigest.c
+   <LI>lib/expat-lite
+   <LI>mod_auth_digest.c
    <LI>mod_rewrite.c
-   <LI>proxy_cache.c
-   <LI>proxy_connect.c
-   <LI>proxy_ftp.c
-   <LI>proxy_http.c
-   <LI>proxy_util.c
-   <LI>rfc1413.c
-   <LI>util_md5.c
+   <LI>mod_vhost_alias.c
    </UL></MULTICOL>
 
 <H3>Components/modules that don't apply or that probably won't ever be available on TPF:</H3>
 
    <multicol COLS=3><UL>
+   <LI>ab.c
+   <LI>ap_getpass.c
    <LI>mod_auth_db.c
    <LI>mod_auth_dbm.c
    <LI>mod_auth_db.module
+   <LI>mod_mmap_static.c
    <LI>mod_so.c
    <LI>suexec.c
    </UL></MULTICOL>
@@ -172,13 +175,13 @@
       <LI>bypass the use of <CODE>ap_block_alarms()</CODE> &amp;
          <CODE>ap_unblock_alarms()</CODE>
       <LI>add <CODE>tpf_process_signals()</CODE> calls
-      <LI>add <CODE>select()</CODE> calls in buff.c to prevent blocking.
+      <LI>add <CODE>select()</CODE> calls to prevent blocking.
       </UL>
    <BR>
    </UL>
 
    <H3>Find that function...</H3>
-   <P>Some simple functions &amp; definitions needed to be added
+   <P>Some simple functions &amp; definitions initially needed to be added
       on TPF, such as <CODE>FD_SET()</CODE>.
       We've put these in src/os/tpf/os.h for now.
    </P>
diff --git a/usr.sbin/httpd/htdocs/manual/vhosts/index.html b/usr.sbin/httpd/htdocs/manual/vhosts/index.html
index 852af89db59..5a26a956168 100644
--- a/usr.sbin/httpd/htdocs/manual/vhosts/index.html
+++ b/usr.sbin/httpd/htdocs/manual/vhosts/index.html
@@ -47,7 +47,7 @@ of virtual host support in Apache version 1.3 and later.</P>
 <LI><A HREF="examples.html">Virtual Host examples for common setups</A>
 <LI><A HREF="details.html">In-Depth Discussion of Virtual Host Matching</A>
 <LI><A HREF="fd-limits.html">File Descriptor Limits</A>
-<LI><A HREF="mass.html">Dynamically Configured Mass Virtual Hosting with mod_rewrite</A>
+<LI><A HREF="mass.html">Dynamically Configured Mass Virtual Hosting</A>
 </UL>
 
 <H2>Configuration directives</H2>
diff --git a/usr.sbin/httpd/htdocs/manual/windows.html b/usr.sbin/httpd/htdocs/manual/windows.html
index 7b26d4b304d..784b9cb39b3 100644
--- a/usr.sbin/httpd/htdocs/manual/windows.html
+++ b/usr.sbin/httpd/htdocs/manual/windows.html
@@ -358,7 +358,7 @@ In these cases, the proper ServerRoot should be set in the configuration file.
 If you don't specify a configuration file name with -f or -n, Apache will
 use the file name compiled into the server, usually "conf/httpd.conf".  Invoking
 Apache with the -V switch will display this value labeled as SERVER_CONFIG_FILE.
-Apache will then determine it's ServerRoot by trying the following, in this order:
+Apache will then determine its ServerRoot by trying the following, in this order:
 
 <UL>
 <LI>A ServerRoot directive via a -C switch.
@@ -393,7 +393,7 @@ old version in the file system.
 <P>
 If you did not do a binary install then Apache will in some
 scenarios complain that about the missing registry key.  This
-warning can be ignored if it otherwise was able to find it's
+warning can be ignored if it otherwise was able to find its
 configuration files.
 
 <P>
diff --git a/usr.sbin/httpd/src/ApacheCore.def b/usr.sbin/httpd/src/ApacheCore.def
index e82c26d2b61..26e748c42c6 100644
--- a/usr.sbin/httpd/src/ApacheCore.def
+++ b/usr.sbin/httpd/src/ApacheCore.def
@@ -359,6 +359,7 @@ EXPORTS
 	ap_SHA1Update   @354
 	ap_SHA1Final   @355
 	ap_sha1_base64   @356
+        ap_send_error_response @357
 	ap_add_config_define   @357
 	ap_global_ctx   @358
 	ap_ctx_new   @359
diff --git a/usr.sbin/httpd/src/ApacheCoreOS2.def b/usr.sbin/httpd/src/ApacheCoreOS2.def
index 5476d091dc9..6a3bdb3e516 100644
--- a/usr.sbin/httpd/src/ApacheCoreOS2.def
+++ b/usr.sbin/httpd/src/ApacheCoreOS2.def
@@ -364,3 +364,5 @@ EXPORTS
 	ap_SHA1Update	@358
 	ap_SHA1Final	@359
 	ap_sha1_base64	@360
+	ap_add_file_conf  @361
+	ap_set_config_vectors  @362
diff --git a/usr.sbin/httpd/src/CHANGES b/usr.sbin/httpd/src/CHANGES
index 1c95e220c5a..229ced6c17b 100644
--- a/usr.sbin/httpd/src/CHANGES
+++ b/usr.sbin/httpd/src/CHANGES
@@ -1,3 +1,332 @@
+Changes with Apache 1.3.11
+
+  *) MPE builds are no longer stripped, which caused the executable
+     to not work. [Mark Bixby]
+
+Changes with Apache 1.3.10
+
+  *) Fixed parsing of TAKE13-based configuration directives.
+     [Steffen Roller <sr@daa.de>] PR#5550
+
+  *) rename the lookup() function to hashTableLookup() (in expat-lite)
+     to prevent name clashes with modules / third-party software.
+     [Ralf S. Engelschall, Greg Stein]
+
+  *) Reduce the time that a parent waits for its children to die
+     after SIGKILL has been sent, since there isn't much point in waiting
+     another 16 seconds beyond the initial SIGTERM waiting period.
+     [Ed Korthof]
+
+  *) Add --suexec-umask option to configure, and severity levels
+     to suexec log messages.  Also clarify a couple of those messages,
+     which were perhaps a bit too cryptic.  [Ken Coar] PR#4178
+
+  *) The end_chunk() code forgot to convert the trailing CRLF pair
+     from EBCDIC to ASCII. Fixed. [Martin Kraemer]
+
+  *) An Action set for a Location that didn't correspond to a file didn't
+     work. Fixed.
+     [Manoj Kasichainula, Ben Laurie]
+
+  *) ProxyPass and mod_rewrite's proxy mode erroneously converted 
+     authentication requests to proxy authentication requests.
+     [Ben Laurie]
+
+  *) Reverse a patch which broke HPUX shared builds. Basically
+     we comment out the SHLIB_SUFFIX_NAME=sl line in Configure.
+     [Ryan Bloom]
+
+  *) Added the mod_rewrite `URL Rewriting Guide' to the online
+     documentation (htdocs/manual/misc/rewriteguide.html). This paper
+     provides a large collection of practical solutions to URL based
+     problems a webmaster is often confronted with.
+     [Ralf S. Engelschall]
+
+  *) Add a suexec status report to the '-l' (compiled-in modules)
+     output. [Ken Coar]
+
+  *) Changes to enable server-parsed mod_autoindex Header and
+     Readme files. [Raymond S Brand <rsbx@rsbx.net>]
+
+  *) Add back support for UseCanonicalName in <Directory> containers
+     [Manoj Kasichainula]
+
+  *) More rigorous checking of Host: headers to fix security problems
+     with mass name-based virtual hosting (whether using mod_rewrite
+     or mod_vhost_alias).
+     [Ben Hyde, Tony Finch]
+
+  *) Updated README.config to reflect current APACI state.
+     [Brian Slesinsky <bslesins@best.com>] PR#5397
+
+  *) Added SuSE and BSDI layouts to config.layout for convinience reasons.
+     [Sebastian Helms <sebastian.helms@gmx.de>, Timur Bakeyev
+     <timur@com.bat.ru>] PR#5112 PR#5154
+
+  *) Consistency cleanup of the complete APXS tool and corresponding manpage.
+     [Ralf S. Engelschall]
+
+  *) Add %q logging format directive (logs "?" and the query string part
+     of a query, or the empty string if no query).
+     Can be used in combination with %m, %U and %H: "%m %U%q %H" is the
+     same as "%r".  [Peter Watkins <peterw@usa.net>]
+
+  *) Improve OS390 port to work on older system releases
+     [Paul Gilmartin <pg@sweng.stortek.com>]
+
+  *) Enhance mod_mime with an AddCharset directive to properly handle
+     that negotiation dimension.
+     [Youichirou Koga <y-koga@isoternet.org>]
+
+  *) OS: Added first cut at support for IBM's OS/390.
+     [Ovies Brabson <oviesb@us.ibm.com>]
+
+  *) Replace all occurrences of "\012\015" by a macro CRLF. This makes
+     the code (somewhat) more readable, and improves the portability
+     to character sets other than ASCII (e.g., EBCDIC).
+     This patch results in no functional change whatsoever on ASCII
+     machines, but allows EBCDIC platforms to live without the
+     ebcdic2ascii_strictly() kludge.
+     [Paul Gilmartin <pg@sweng.stortek.com>, slightly modified
+     by Martin Kraemer]
+
+  *) more fixes to mod_auth_digest:
+     - better comparing of request-uri with uri parameter in Authorization
+       header
+     - added a check for a MUST condition in the spec
+     - fixed SEGV
+     [Ronald Tschalär]
+
+  *) mod_proxy now works on TPF.
+     [Joe Moenich <moenich@us.ibm.com>]
+
+  *) Enhance mod_actions' Script handling to be able to deal with
+     arbitrary methods and not just the well-known ones.  This allows
+     experimental or organisation-private methods to be used without
+     waiting for Apache to catch up.
+     [Ken Coar]
+
+  *) Fix various compile time warnings in hashbang_emul code which
+     prevent successful compilation on OS/390  [Ovies Brabson
+     <oviesb@us.ibm.com>, Paul Gilmartin <pg@sweng.stortek.com>]
+
+  *) EBCDIC: Fixed binary upload capability (plain and chunked) for
+     all methods using the ap_*_client_block() functions, most notably
+     POST and PUT. The functionality to switch input between protocol
+     parts (chunks) and (possibly binary) data had been missing all
+     the time, making chunked PUT impossible until now.
+     [Martin Kraemer]
+
+  *) Fixed a recently introduced off-by-one-character bug in 
+     mod_rewrite's expansion of expression back-references.
+     [Cliff Woolley <jwoolley@wlu.edu>] PR#4766 PR#5389
+
+  *) Add IndexOptions DescriptionWidth so that the width of the
+     description field in fancy-indexed directory listings can
+     be specified.
+     [Ken Coar] PR#2324, plus lots that are closed unsatisfied
+
+  *) EBCDIC: Escaped characters were encoding the ebcdic representation
+     of the special characters, not the latin1 representation. This
+     would result in invalid URI's for, e.g., filenames (with special chars)
+     in mod_autoindex.c [Martin Kraemer]
+
+  *) EBCDIC: Fix Byte Ranges for EBCDIC platforms. The necessary switch
+     between implied conversion for protocol parts and configured
+     conversion for document data was missing. The effect of this was that
+     PDF files could not be read by Acrobat Reader (which sends long
+     lists of byte ranges in each request) when the server was apache
+     on ebcdic machines.
+     [Noted by Oliver Reh <Oliver.Reh@FAEDV-N.Bayern.de>, solved by Martin
+     Kraemer, warnings fixed by Ovies Brabson <oviesb@us.ibm.com>]
+
+  *) Add IndexOptions FoldersFirst to allow fancy-indexed directory
+     listings to have the subdirectories always listed at the top.
+     [Ken Coar]
+
+  *) BS2000: Use send() instead of write() in the core buff routines
+     for better performance and fewer restrictions (max. transfer size)
+     [Martin Kraemer]
+
+  *) If the compiler sanity check fails, force the verbose output
+     for TestCompile so people can have a clue what the problem
+     is. [Jim Jagielski]
+
+  *) Add --iconsdir, --htdocsdir, and --cgidir option to top-level
+     configure script to allow one to override the corresponding 
+     variables from config.layout.
+     [Ralf S. Engelschall]
+
+  *) Fixed `quad integer' (aka `long long') handling in ap_snprintf.c
+     [Jim Jagielski, Ralf S. Engelschall]
+
+  *) Fixed error handling in dbmmanage script.
+     [Andrew McRae <andrew@liquid.com>] PR#4973
+
+  *) Fixed NEXT/OpenStep building by adding an fallback typedef for 
+     rlim_t to ap_config.h.
+     [Mark Miller <markm@swoon.net>] PR#4906
+
+  *) Fix SHARED_CORE feature for HPUX by backing-out a change (comitted
+     between 1.3.7 and 1.3.9) which changed the DSO extension from `sl' to
+     `so'. This worked only for modules (where we load the DSO manually), but
+     horribly fails under HPUX for DSO-based/shared libraries (where our
+     $SHLIB_SUFFIX_NAME is used, too).
+     [Gary Silverman <gary.silverman@abnamro.com>] PR#4974
+ 
+  *) Added support for Berkeley-DB/3.x to mod_auth_db.
+     [Steve Atkins <steve@blighty.com>, Ralf S. Engelschall] PR#5382
+
+  *) Fixed mod_auth_digest.c: result of an open() call was being 
+     checked against the wrong failure value.
+     [Rick Ohnemus <rjohnemus@systemware-inc.com>] PR#5292
+
+  *) Removed the variable name "template" from a prototype for SunOS4 
+     in ap_config.h to make C++ compiler happy, too.
+     [SAKAI Kiyotaka <ksakai@netwk.ntt-at.co.jp>] PR#5363
+
+  *) Added missing links to htdocs/manual/mod/directives.html 
+     for AllowCONNECT and ProxyDomain. [Patrik Grip-Jansson 
+     <patrikj@gnulix.org>, Ralf S. Engelschall] PR#5319
+
+  *) Fixed typo in htdocs/manual/install.html.
+     [Chris Pepper <pepper@tgg.com>] PR#5360
+
+  *) Fix $AWK/awk usage in top-level configure script: We confused ourself and
+     replaced the wrong "$AWK" with a plain "awk" in the last releases. So we
+     now both fix this and move the comment which already tried to explain it
+     more closer to the location to which it applies.
+     [Paul Gilmartin <pg@sweng.stortek.com>, Ralf S. Engelschall] PR#5304
+ 
+  *) Replaced pipes with commas in GuessOS' fallback output (displayed for not
+     explicitly recognized platforms) to avoid side-effects with APACI's
+     --shadow feature and similar uses where GuessOS' output is used directly
+     on the filesystem (where pipes are meta-characters!).
+     [Paul Gilmartin <pg@sweng.stortek.com>] PR#5303
+
+  *) Made stripping of a trailing slash in directory names in top-level
+     configure script more robust and this way support also a plain `/' 
+     as the argument without resulting in an empty name.
+     [Matthias Lohmann <lohm@lynet.de>, Ralf S. Engelschall] PR#5291
+ 
+  *) Made `tr' usage in top-level configure script more portable 
+     by always using square brackets consistently.
+     [Masashi Kizaki <kizaki@cpo.dnp.co.jp>] PR#5230
+
+  *) Fixed ap_config_auto.h generation in src/Configure: there for the ``quad
+     integer'' stuff ``#ifndef+#undef+#endif'' pairs were generated instead of
+     ``#ifdef+#undef+#endif'' pairs.
+     [Greg Siebers <gsiebers@vignette.com>] PR#5231
+  
+  *) EBCDIC: fix the hsregex package to correctly deal with [a-zA-Z] type
+     character ranges (the alphabet is non-contiguous in EBCDIC) and with
+     the special [:cntrl:] range (the control character class is determined
+     dynamically at run time). [Martin Kraemer]
+
+  *) Add --with-port option to APACI. [Ian Kallen <spidaman@salon.com>]
+
+  *) Fixed QUERY_STRING handling for `RewriteRule ... [P]'
+     in per-directory context.
+     [Martin Zeh <martin.zeh@sat1.de>] PR#5073
+
+  *) Overhauled mod_rewrite's general substitution function
+     (expand_backref_inbuffer): 1. The `$0' backreference is now officially
+     allowed and documented and references the while pattern space; 2. the
+     ampersamp (&) backreference (which is equal to $0) is no longer expanded,
+     because it was never documented and only leads to confusion with
+     QUERY_STRINGS; 3. backslashes (\) are honored correctly, that is `\$N'
+     now really forces the dollar to be an ordinary character and $N is
+     not expanded. 
+     [Ralf S. Engelschall] PR#4766 PR#4161
+
+  *) Make sure mod_rewrite escapes QUERY_STRINGS on redirects.
+     [Klaus Johannes Rusch <KlausRusch@atmedia.net>] PR#4734
+
+  *) Make sure mod_rewrite matches URL schemes case-insensitive and also allow
+     additional (commonly used) URL schemes ldap:, news: and mailto:.
+     [Ralf S. Engelschall, Klaus Johannes Rusch <KlausRusch@atmedia.net>] PR#3140
+
+  *) Overhauled ApacheBench (ab) manpage ab.8.
+     [Simon Baldwin <simonb@sco.com>] PR#5139
+
+  *) Made sure ApacheBench (ab) performs no more requests than 
+     specified on command line (option -n).
+     [Jim Cox <jc@superlink.net>] PR#4839
+
+  *) Support DSOs properly on 32-bit HP-UX 11.0
+     [Dilip Khandekar <dilip@cup.hp.com>]
+
+  *) Fix problem with proxy configuration where globally set configuration
+     options were overridden inside virtual hosts.
+     [Graham Leggett <minfrin@sharp.fm>]
+
+  *) Fix ProxyReceiveBufferSize where default value was left uninitialised.
+     [Graham Leggett <minfrin@sharp.fm>]
+
+  *) Added a CLF '-' respecting %B to the log format.
+     Suggested by Ragnar Kjørstad [dirkx]
+
+  *) Added protocol(%m)/method(%H) logging to the log format.
+     Suggested by Peter W <peterw@usa.net> [dirkx]
+
+  *) Added a HEAD method to 'ab'. [dirkx]
+
+  *) When generating the Location: header, mod_speling forgot
+     to escape the spelling-fixed uri. [Martin Kraemer]
+
+  *) Update for the next release of the TPF OS (PUT11)
+     [David McCreedy <McCreedy@us.ibm.com>]
+
+  *) Add some compile-time flags to the output when -V is used for TPF
+     [David McCreedy <McCreedy@us.ibm.com>]
+
+  *) mod_auth_digest fixes:
+     - Use unix-io instead of stdio to read /dev/random (fixes problems
+       on FreeBSD)
+       [Kano <tomo@crane-inc.co.jp>] PR#4967
+     - Correctly unescape all parts of the request uri and the uri
+       attribute of the Authorization header before doing comparison
+       [Joe Orton <joe@orton.demon.co.uk>, Ronald Tschalär]
+     - Fixes for MD5-sess
+       [Joe Orton <joe@orton.demon.co.uk>]
+     - Don't send a domain attribute in Proxy-Authenticate
+       [Ronald Tschalär]
+
+  *) ap_base64decode_binary does not null-terminate the output anymore
+     [Bill Stoddard, Ronald Tschalär]
+
+  *) WIN32: The following bugs introduced in Apache 1.3.9 have been fixed
+     - CGIs broken if script calls other programs which deliver on stdout
+       (Search this file for "DETACHED")
+     - 16 bit CGIs should work now
+     - Server will not start if passed the -d option with spaces in the
+       argument. [Bill Stoddard]
+
+  *) WIN32: GetExtensionVersion() comparison in mod_isapi fails when
+     using some non-MS compilers [Bill Stoddard]
+     PR#3597, PR#3782, PR#3781, PR#4887
+
+  *) Allow BeOS to use its native closesocket() call
+     [David Reid <abb37@dial.pipex.com>]
+
+  *) More TPF changes. Code reorganization for cleanliness, regex
+     changes for testing, as well as doc and build updates.
+     [David McCreedy <McCreedy@us.ibm.com> and others at IBM]
+
+  *) Add TPF processing for the socket read to the rfc1413 code.
+     [David McCreedy <McCreedy@us.ibm.com> and others at IBM]
+
+  *) Require the batch (-b) option and default to MD5 on TPF in htpasswd.
+     [David McCreedy <McCreedy@us.ibm.com> and others at IBM]
+
+  *) Move "handler not found" warning message to below the check
+     for a wildcard handler.  [Dirk <dirkm@teleport.com>, Roy Fielding]
+     PR#2584, PR#2751, PR#3349, PR#3436, PR#3548, PR#4384, PR#4795, PR#4807
+
+  *) Build errors in src/support stop with an error, just like all the
+     other recursive make calls. [David Harris <dharris@drh.net>]
+
+
 Changes with Apache 1.3.9
 
   *) Remove bogus error message when a redirect doesn't set Location.
diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL
index f66fd5cf107..649b5e0ce47 100644
--- a/usr.sbin/httpd/src/CHANGES.SSL
+++ b/usr.sbin/httpd/src/CHANGES.SSL
@@ -17,12 +17,78 @@
   _INTENTIONALLY_ no contributor names attached to the entries. Instead all
   contributors are listed in the CREDITS file.
 
+      ____    ____  
+     |___ \  | ___| 
+       __) | |___ \ 
+      / __/ _ ___) |
+  __ |_____(_)____/___________________________________________
+               
+  Changes with mod_ssl 2.5.0 (08-Jan-2000 to 22-Jan-2000)
+
+   *) Switched the old "POST for HTTPS" support code from
+      defined(SSL_EXPERIMENTAL) to !defined(SSL_CONSERVATIVE), because this
+      code is both already stable (even it's not a conservative approach) and
+      important. This way POST support is now available per default, but still
+      can be disabled/removed by very conservative people with an easy
+      --enable-rule=SSL_CONSERVATIVE.
+
+   *) Added SSL_CONSERVATIVE rule to src/Configuration.tmpl which
+      complements SSL_EXPERIMENTAL. Both rules are per default set
+      to "no", i.e. disabled. But while SSL_EXPERIMENTAL still enables
+      experimental code, enables SSL_CONSERVATIVE conservative code.  That is,
+      actually per default some non-conservative things might be enabled which
+      can be _disabled_ by forcing mod_ssl to use only conservative
+      approaches.
+
+   *) Added entry about "no shared ciphers" to FAQ.
+
+   *) Upgraded to the new Apache version: 1.3.11 (BTW, Apache 1.3.10
+      was never released). This moves the mod_ssl community to the
+      latest Apache state and this way implicitly provides them over 70
+      bugfixes and cleanups which 1.3.11 provides over 1.3.9.
+
       ____   _  _   
      |___ \ | || |  
        __) || || |_ 
       / __/ |__   _|
   __ |_____(_) |_| ___________________________________________
 
+  Changes with mod_ssl 2.4.10 (24-Nov-1999 to 08-Jan-2000)
+
+   *) Mentioned MD5-encrypted password in ssl_reference.wml in addition
+      to DES-encrypted password.
+   
+   *) Added a new FAQ entry about the path internally pre-defined by
+      EAPI_MM_CORE_PATH.
+
+   *) Adjust the name-based-vhost complain: Talk say "you should not
+      use" instead of "you cannot use", because first there are
+      situations where it can be reasonable to use name-based vhosts with
+      SSL and second there is no technical restriction on the mod_ssl side,
+      of course.
+
+   *) Changed the license on mod_define.c from the BSD/Apache-style
+      license to a even less restrictive MIT-style license to allow
+      everyone to do with this module what they want.
+
+   *) Fixed a compile-time warning under very strict compilers by using
+      a more correct `ssl_verify_t' (enum based) instead of `int' in
+      ssl_engine_config.c.
+
+   *) Various minor documentation updates.
+
+   *) Made the EAPI-vs-plain-API complain in mod_so more clear.
+
+   *) Adjusted all copyright messages to contain the new year 2000 ;)
+
+   *) Fixed INSTALL.W32 document for latest OpenSSL versions.
+
+   *) Fixed SSL session id context configuration: the value is now an
+      MD5 of `server:port' and this way always a string of just 32 bytes,
+      so OpenSSL's SSL_set_session_id_context() doesn't fail.
+
+   *) Removed old CVS informations from etc/patch.tar tarball.
+
   Changes with mod_ssl 2.4.9 (05-Nov-1999 to 24-Nov-1999)
 
    *) Fixed SSLRequire expression evaluation for number strings.
diff --git a/usr.sbin/httpd/src/Configuration.tmpl b/usr.sbin/httpd/src/Configuration.tmpl
index 9bb3345d424..9574ca46c3c 100644
--- a/usr.sbin/httpd/src/Configuration.tmpl
+++ b/usr.sbin/httpd/src/Configuration.tmpl
@@ -53,9 +53,14 @@
 #
 # o The SSL_EXPERIMENTAL rule can be used to enable still experimental code
 #   inside mod_ssl. These are usually new features which need some more
-#   testing before they can be considered stable. So, enabled this on your own
+#   testing before they can be considered stable. So, enable this on your own
 #   risk and only when you like to see Apache+mod_ssl dump core ;-)
 #
+# o The SSL_CONSERVATIVE rule can be used to disable some non-conservative
+#   code inside mod_ssl. These are usually recently introduced features 
+#   which some people still want to consider unstable. So, to be maximum 
+#   conservative, one can enable this flag and this way remove such code.
+#
 # o The SSL_VENDOR rule can be used to enable code inside mod_ssl which can be
 #   used by product vendors to extend mod_ssl via EAPI hooks without patching
 #   the source. Additionally ssl_vendor*.c source files are automatically
@@ -66,6 +71,7 @@
 Rule SSL_COMPAT=yes
 Rule SSL_SDBM=default
 Rule SSL_EXPERIMENTAL=no
+Rule SSL_CONSERVATIVE=no
 Rule SSL_VENDOR=no
 
 ################################################################
diff --git a/usr.sbin/httpd/src/Configure b/usr.sbin/httpd/src/Configure
index 307bfc4b21b..fb82691fd49 100644
--- a/usr.sbin/httpd/src/Configure
+++ b/usr.sbin/httpd/src/Configure
@@ -82,9 +82,14 @@ APLIBDIRS=""
 
 ####################################################################
 ## Now handle any arguments, which, for now, is -file
-## to select an alternate Configuration file
+## to select an alternate Configuration file and -v
+## to turn on verbose mode
 ##
 while [ "x$1" != "x" ]; do
+  if [ "x$1" = "x-v" ] ; then
+    shift 1;
+    vflag="-v";
+  fi
   if [ "x$1" = "x-file" ] ; then
     shift 1; file=$1; shift 1
     if [ ! -r $file ]; then
@@ -273,10 +278,11 @@ case "$PLAT" in
 	DEF_WANTHSREGEX=yes
 	;;
     *MPE/iX*)
-	OS='MPE/iX'
+	export OS='MPE/iX'
+	OSDIR='os/mpeix'
 	CFLAGS="$CFLAGS -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE"
-	LIBS="$LIBS -lsocket -lsvipc"
-	LDFLAGS="$LDFLAGS -Xlinker \"-WL,cap=ia,ba,ph,pm;nmstack=1024000\""
+	LIBS="$LIBS -lsocket -lsvipc -lcurses"
+	LDFLAGS="$LDFLAGS -Xlinker \"-WL,cap=ia,ba,ph;nmstack=1024000\""
 	CAT="/bin/cat" # built-in cat is badly broken for stdin redirection
 	;;
     *-apple-aux3*)
@@ -621,7 +627,8 @@ case "$PLAT" in
     BS2000*-siemens-sysv4*)
 	OS='BS2000'
 	OSDIR='os/bs2000'
-	CC='c89 -XLLML -XLLMK -XL'
+	# If you are using a CPP before V3.0, delete the -Kno_integer_overflow flag
+	CC='c89 -XLLML -XLLMK -XL -Kno_integer_overflow'
 	CFLAGS="$CFLAGS -DCHARSET_EBCDIC -DSVR4 -D_XPG_IV"
 	DEF_WANTHSREGEX=yes
 	DBM_LIB=""
@@ -778,6 +785,14 @@ case "$PLAT" in
 	CFLAGS="-D_TANDEM_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
 	CC='c89'
 	;;
+    *-IBM-OS390*)
+       OS='OS390'
+       OSDIR='os/os390'
+       CC='c89'
+       CFLAGS="$CFLAGS -DOS390 -DCHARSET_EBCDIC -D_ALL_SOURCE"
+       DEF_WANTHSREGEX=yes
+       LIBS="$LIBS"
+       ;;
     *) # default: Catch systems we don't know about
 	OS='Unknown and unsupported OS'
     	echo Sorry, but we cannot grok \"$PLAT\"
@@ -825,6 +840,7 @@ echo >>Makefile.config "OSDIR=\$(SRCDIR)/$OSDIR"
 echo >>Makefile.config "INCDIR=\$(SRCDIR)/include"
 echo >>Makefile.config "INCLUDES0=-I\$(OSDIR) -I\$(INCDIR)"
 echo >>Makefile.config "SHELL=$SHELL"
+echo >>Makefile.config "OS=$OS"
 
 ####################################################################
 ## And adjust/override WANTHSREGEX as needed
@@ -892,9 +908,9 @@ fi
 ##
 TCPP=`egrep '^CPP=' Makefile.config | tail -1 | awk -F= '{print $2}'`
 if [ "x$TCPP" != "x" ]; then
-    CPP=`CC=$CC CPP=$TCPP ./helpers/findcpp.sh`
+    CPP=`CPP="$TCPP"; export CPP CC; ./helpers/findcpp.sh`
 else
-    CPP=`CC=$CC ./helpers/findcpp.sh`
+    CPP=`export CC; ./helpers/findcpp.sh`
 fi
 if [ "x$TCPP" = "x" ]; then
     echo "CPP=$CPP" >> Makefile.config
@@ -915,12 +931,14 @@ echo "#ifndef AP_CONFIG_AUTO_H" >>$AP_CONFIG_AUTO_H
 echo "#define AP_CONFIG_AUTO_H" >>$AP_CONFIG_AUTO_H
 
 echo " + checking for system header files"
-CHECK_FOR_HEADERS="dlfcn.h dl.h bstring.h crypt.h unistd.h sys/resource.h sys/select.h sys/processor.h"
+CHECK_FOR_HEADERS="dlfcn.h dl.h bstring.h crypt.h unistd.h sys/resource.h sys/select.h sys/processor.h sys/param.h"
+(
+export CPP
 for header in $CHECK_FOR_HEADERS; do
     echo "" >>$AP_CONFIG_AUTO_H
     echo "/* check: #include <$header> */" >>$AP_CONFIG_AUTO_H
     name="`echo $header | sed -e 's:/:_:g' -e 's:\.:_:g' | tr '[a-z]' '[A-Z]'`"
-    CPP=$CPP ./helpers/checkheader.sh $header
+    ./helpers/checkheader.sh $header
     if [ $? -eq 0 ]; then
 	echo "#ifndef HAVE_${name}" >>$AP_CONFIG_AUTO_H
 	echo "#define HAVE_${name} 1" >>$AP_CONFIG_AUTO_H
@@ -931,6 +949,7 @@ for header in $CHECK_FOR_HEADERS; do
 	echo "#endif" >>$AP_CONFIG_AUTO_H
     fi
 done
+)
 
 ####################################################################
 # Special AIX 4.x support: need to check for sys/processor.h
@@ -983,11 +1002,18 @@ if [ "x$using_shlib" = "x1" ] ; then
     DEF_SHARED_CORE=no
     DEF_SHARED_CHAIN=no
     SHLIB_SUFFIX_NAME=so
+    SHMOD_SUFFIX_NAME=so
     SHLIB_SUFFIX_DEPTH=all
     SHLIB_EXPORT_FILES=no
     SHARED_CORE_EP='lib$(TARGET).ep'
     SHCORE_IMPLIB=''
     case "$PLAT" in
+	*MPE/iX*)
+	    LD_SHLIB=ld	
+	    LDFLAGS_SHLIB='-b -a archive'
+	    LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB
+	    LIBS_SHLIB='$(OSDIR)/mpe_dl_stub.o'	
+	    ;;
 	*-linux1)
 	    CFLAGS_SHLIB="-fpic"
 	    LDFLAGS_SHLIB="-Bshareable"
@@ -1142,7 +1168,7 @@ if [ "x$using_shlib" = "x1" ] ; then
 		*/gcc|gcc ) CFLAGS_SHLIB="-fpic" ;;
 		*/cc|cc   ) CFLAGS_SHLIB="" ;;
 	    esac
-	    LDFLAGS_SHLIB="-shared -expect_unresolved '*' -s"
+	    LDFLAGS_SHLIB='-shared -expect_unresolved "*" -s'
 	    LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB
 	    LDFLAGS_SHLIB_EXPORT=""
 	    ;;
@@ -1219,6 +1245,7 @@ if [ "x$using_shlib" = "x1" ] ; then
 	    LDFLAGS_SHLIB="-b"
 	    LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB
 	    LDFLAGS_SHLIB_EXPORT="-Wl,-E -Wl,-B,deferred"
+	    SHLIB_SUFFIX_NAME=sl
 	    ;;
 	*-hp-hpux10.*|*-hp-hpux11.*)
 	    case $CC in
@@ -1228,6 +1255,7 @@ if [ "x$using_shlib" = "x1" ] ; then
 	    LDFLAGS_SHLIB="-b"
 	    LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB
 	    LDFLAGS_SHLIB_EXPORT="-Wl,-E -Wl,-B,deferred -Wl,+s"
+	    SHLIB_SUFFIX_NAME=sl
 	    ;;
 	*-ibm-aix*)
 	    case $CC in
@@ -1261,6 +1289,7 @@ if [ "x$using_shlib" = "x1" ] ; then
 	    LDFLAGS_SHLIB="`echo $LDFLAGS|sed -e s/-Zexe//` -Zdll"
 	    LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB
 	    SHLIB_SUFFIX_NAME=dll
+	    SHMOD_SUFFIX_NAME=dll
 	    SHLIB_SUFFIX_DEPTH=0
 	    LD_SHLIB=$CC
 	    LD_SHCORE_DEF="ApacheCoreOS2.def"
@@ -1366,7 +1395,7 @@ case "$OS" in
     'HI-UX')
 	case "$CC" in
 	    */cc|cc )
-		CFLAGS="$CFLAGS -Aa -D_HIUX_SOURCE"
+		CFLAGS="$CFLAGS -Aa -Ae -D_HIUX_SOURCE"
 		OPTIM=" "
 		TOPTIM=""
 	    ;;
@@ -1375,7 +1404,7 @@ case "$OS" in
     'HP-UX'|'HP-UX 10'|'HP-UX 11')
 	case "$CC" in
 	    */cc|cc )
-		CFLAGS="$CFLAGS -Aa -D_HPUX_SOURCE"
+		CFLAGS="$CFLAGS -Aa -Ae -D_HPUX_SOURCE"
 		OPTIM=" "
 		TOPTIM=""
 	    ;;
@@ -1457,6 +1486,15 @@ case "$PLAT" in
 	fi
 	;;
     BS2000*-siemens-sysv4*)
+	# Activate RISC compilation if this is a SR2000 machine
+	# (test written by Thomas Dorner <Thomas.Dorner@start.de>
+	# for perl5 port):
+	ISSR2000="`bs2cmd SHOW-SYSTEM-INFO | grep 'HSI-ATT'`"
+	case "$ISSR2000" in
+	    *TYPE*SR*)
+	        CFLAGS="$CFLAGS -Krisc_4000"
+	        ;;
+	esac
 	# Depending on the BS2000 OS and compiler/crte release,
 	# -lnsl may be available (or may be not).
 	# In standard SVR4 systems, -lsocket relies on some symbols
@@ -1653,7 +1691,7 @@ for modfile in $MODFILES ; do
 		    modlibs="$modlibs $modlibs1"
 		fi
 		rm -f $tmpfile2 $tmpfile3
-		if [ "x$ext" != "x$SHLIB_SUFFIX_NAME" ]; then
+		if [ "x$ext" != "x$SHMOD_SUFFIX_NAME" ]; then
 		    ext=o
 		fi
 	fi
@@ -1661,11 +1699,11 @@ for modfile in $MODFILES ; do
 		modname=`echo $modbase | sed 's/^.*\///' | \
 			sed 's/^mod_//' | sed 's/^lib//' | sed 's/$/_module/'`
 	fi
-	if [ "x$ext" != "x$SHLIB_SUFFIX_NAME" ]; then
+	if [ "x$ext" != "x$SHMOD_SUFFIX_NAME" ]; then
 		echo "Module $modname $modbase.$ext" >>$tmpfile
 	fi
 	#   optionally generate export file for some linkers 
-	if [ "x$ext" = "x$SHLIB_SUFFIX_NAME" -a "x$SHLIB_EXPORT_FILES" = "xyes" ]; then
+	if [ "x$ext" = "x$SHMOD_SUFFIX_NAME" -a "x$SHLIB_EXPORT_FILES" = "xyes" ]; then
 		echo "$modname" >$modbase.exp
 	fi
 done
@@ -1803,7 +1841,7 @@ if [ "x$using_shlib" = "x1" ] ; then
 	#    select the special subtarget for shared core generation
 	SUBTARGET=target_shared
 	#    determine additional suffixes for libhttpd.so
-	V=1 R=3 P=9
+	V=1 R=3 P=11
 	if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
 	    SHLIB_SUFFIX_LIST=""
 	fi
@@ -1823,6 +1861,14 @@ if [ "x$using_shlib" = "x1" ] ; then
 fi
 
 ####################################################################
+## Don't force DL emulation, if not necessary. Currently only used
+## by os/unix/os.c. 
+##
+if [ "x$using_shlib" != "x1" ] ; then
+    CFLAGS="$CFLAGS -DNO_DL_NEEDED"
+fi
+
+####################################################################
 ## Set the value of the shared libary flags, if they aren't explicitly
 ## set in the configuration file
 ##
@@ -1989,6 +2035,7 @@ echo "" >>Makefile
 echo "SUBDIRS=$SUBDIRS lib modules" >> Makefile
 echo "SUBTARGET=$SUBTARGET" >> Makefile
 echo "SHLIB_SUFFIX_NAME=$SHLIB_SUFFIX_NAME" >> Makefile
+echo "SHMOD_SUFFIX_NAME=$SHMOD_SUFFIX_NAME" >> Makefile
 echo "SHLIB_SUFFIX_LIST=$SHLIB_SUFFIX_LIST" >> Makefile
 echo "SHLIB_EXPORT_FILES=$SHLIB_EXPORT_FILES" >> Makefile
 echo "" >> Makefile
@@ -2124,7 +2171,7 @@ if [ "x$AP_TYPE_OFF_T" != "x$AP_TYPE_LONG" ]; then
 else
     echo "" >>$AP_CONFIG_AUTO_H
     echo "/* determine: is off_t a quad */" >>$AP_CONFIG_AUTO_H
-    echo "#ifndef AP_OFF_T_IS_QUAD" >>$AP_CONFIG_AUTO_H
+    echo "#ifdef AP_OFF_T_IS_QUAD" >>$AP_CONFIG_AUTO_H
     echo "#undef AP_OFF_T_IS_QUAD" >>$AP_CONFIG_AUTO_H
     echo "#endif" >>$AP_CONFIG_AUTO_H
 fi
@@ -2146,7 +2193,7 @@ if [ "x$AP_TYPE_VOID_P" = "x$AP_TYPE_QUAD" ]; then
 else
     echo "" >>$AP_CONFIG_AUTO_H
     echo "/* determine: is void * a quad */" >>$AP_CONFIG_AUTO_H
-    echo "#ifndef AP_VOID_P_IS_QUAD" >>$AP_CONFIG_AUTO_H
+    echo "#ifdef AP_VOID_P_IS_QUAD" >>$AP_CONFIG_AUTO_H
     echo "#undef AP_VOID_P_IS_QUAD" >>$AP_CONFIG_AUTO_H
     echo "#endif" >>$AP_CONFIG_AUTO_H
 fi
@@ -2206,17 +2253,26 @@ if [ "x$OS" = "xTPF" ] ; then
     :
 else
    echo " + doing sanity check on compiler and options"
-   if ./helpers/TestCompile sanity; then
+   if ./helpers/TestCompile $vflag sanity; then
       :
    else
-   echo "** A test compilation with your Makefile configuration"
-   echo "** failed. This is most likely because your C compiler"
-   echo "** is not ANSI. Apache requires an ANSI C Compiler, such"
-   echo "** as gcc. The above error message from your compiler"
-   echo "** will also provide a clue."
-   echo " Aborting!"
-   exitcode=1
-   exit 1
+      if [ "x$vflag" = "x-v" ] ; then
+         WHEREERR="above"
+      else
+         WHEREERR="below"
+      fi
+      echo "** A test compilation with your Makefile configuration"
+      echo "** failed.  The $WHEREERR error output from the compilation"
+      echo "** test will give you an idea what is failing. Note that"
+      echo "** Apache requires an ANSI C Compiler, such as gcc. "
+      echo ""
+      echo "======== Error Output for sanity check ========"
+      (./helpers/TestCompile -v sanity)
+      echo "============= End of Error Report ============="
+      echo ""
+      echo " Aborting!"
+      exitcode=1
+      exit 1
    fi
 fi
 
@@ -2287,7 +2343,10 @@ all clean distclean depend ::
 	@for i in \$(MODULES) ""; do \\
 	  if [ "x\$\$i" != "x" ]; then \\
 	    echo "===> \$(SDP)modules/\$\$i"; \\
-		(cd \$\$i && \$(MAKE) \$(MFLAGS_STATIC) SDP='\$(SDP)' CC='\$(CC)' AUX_CFLAGS='\$(CFLAGS)' RANLIB='\$(RANLIB)' \$@) || exit 1; \\
+		case "x\$(OS)" in \\
+		  xOS390 | xTPF) (cd \$\$i && \$(MAKE) SDP='\$(SDP)' \$@) || exit 1;; \\
+		              *) (cd \$\$i && \$(MAKE) \$(MFLAGS_STATIC) SDP='\$(SDP)' CC='\$(CC)' AUX_CFLAGS='\$(CFLAGS)' RANLIB='\$(RANLIB)' \$@) || exit 1;; \\
+		esac; \\
 		echo "<=== \$(SDP)modules/\$\$i"; \\
 	  fi; \\
 	done
diff --git a/usr.sbin/httpd/src/Makefile.nt b/usr.sbin/httpd/src/Makefile.nt
index 02dc752f645..9d0dbab491d 100644
--- a/usr.sbin/httpd/src/Makefile.nt
+++ b/usr.sbin/httpd/src/Makefile.nt
@@ -59,6 +59,9 @@ _build:
 	 nmake /nologo CFG="htpasswd - Win32 %LONG%" -f htpasswd.mak
 	 nmake /nologo CFG="htdigest - Win32 %LONG%" -f htdigest.mak
 	cd ..
+	cd lib/expat-lite
+	 nmake /nologo CFG="xmlparse - Win32 %LONG%" -f xmlparse.mak
+	cd ../..
 	cd main
 	 nmake /nologo CFG="gen_uri_delims - Win32 %LONG%" -f gen_uri_delims.mak
 	 nmake /nologo CFG="gen_test_char - Win32 %LONG%" -f gen_test_char.mak
@@ -119,6 +122,9 @@ _clean:
 	 nmake /nologo CFG="htpasswd - Win32 %LONG%" -f htpasswd.mak clean
 	 nmake /nologo CFG="htdigest - Win32 %LONG%" -f htdigest.mak clean
 	cd ..
+	cd lib/expat-lite
+	 nmake /nologo CFG="xmlparse - Win32 %LONG%" -f xmlparse.mak clean
+	cd ../..
 	cd main
 	 nmake /nologo CFG="gen_uri_delims - Win32 %LONG%" -f gen_uri_delims.mak clean
 	 del uri_delims.h
diff --git a/usr.sbin/httpd/src/Makefile.tmpl b/usr.sbin/httpd/src/Makefile.tmpl
index a0b666a1efc..bbc4b729f61 100644
--- a/usr.sbin/httpd/src/Makefile.tmpl
+++ b/usr.sbin/httpd/src/Makefile.tmpl
@@ -76,7 +76,10 @@ certificate:
 subdirs:
 	@for i in $(SUBDIRS); do \
 		echo "===> $(SDP)$$i"; \
-		( cd $$i && $(MAKE) $(MFLAGS_STATIC) SDP='$(SDP)' CC='$(CC)' AUX_CFLAGS='$(CFLAGS)' RANLIB='$(RANLIB)') || exit 1; \
+		case ".$(OS)" in \
+		  .OS390 | .TPF) ( cd $$i && $(MAKE) SDP='$(SDP)' ) || exit 1;; \
+		              *) ( cd $$i && $(MAKE) $(MFLAGS_STATIC) SDP='$(SDP)' CC='$(CC)' AUX_CFLAGS='$(CFLAGS)' RANLIB='$(RANLIB)') || exit 1;; \
+		esac; \
 		echo "<=== $(SDP)$$i"; \
 	done
 
@@ -84,7 +87,7 @@ support: support-dir
 
 support-dir:
 	@echo "===> $(SDP)support"; \
-	cd support; $(MAKE) $(MFLAGS_STATIC) SDP='$(SDP)' CC='$(CC)' AUX_CFLAGS='$(CFLAGS)' RANLIB='$(RANLIB)'; \
+	cd support; $(MAKE) $(MFLAGS_STATIC) SDP='$(SDP)' CC='$(CC)' AUX_CFLAGS='$(CFLAGS)' RANLIB='$(RANLIB)' || exit 1; \
 	echo "<=== $(SDP)support"
 
 clean:
diff --git a/usr.sbin/httpd/src/Makefile_win32.txt b/usr.sbin/httpd/src/Makefile_win32.txt
index e4e3bc1e799..b64607daacf 100644
--- a/usr.sbin/httpd/src/Makefile_win32.txt
+++ b/usr.sbin/httpd/src/Makefile_win32.txt
@@ -37,6 +37,9 @@ _build:
 	 nmake /nologo CFG="htpasswd - Win32 Release" -f htpasswd.mak
 	 nmake /nologo CFG="htdigest - Win32 Release" -f htdigest.mak
 	cd ..
+	cd lib/expat-lite
+	 nmake /nologo CFG="xmlparse - Win32 Release" -f xmlparse.mak
+	cd ../..
 	cd main
 	 nmake /nologo CFG="gen_uri_delims - Win32 Release" -f gen_uri_delims.mak
 	 nmake /nologo CFG="gen_test_char - Win32 Release" -f gen_test_char.mak
@@ -97,6 +100,9 @@ clean:
 	 nmake /nologo CFG="htpasswd - Win32 Release" -f htpasswd.mak clean
 	 nmake /nologo CFG="htdigest - Win32 Release" -f htdigest.mak clean
 	cd ..
+	cd lib/expat-lite
+	 nmake /nologo CFG="xmlparse - Win32 Release" -f xmlparse.mak clean
+	cd ../..
 	cd main
 	 nmake /nologo CFG="gen_uri_delims - Win32 Release" -f gen_uri_delims.mak clean
 	 del uri_delims.h
diff --git a/usr.sbin/httpd/src/Makefile_win32_debug.txt b/usr.sbin/httpd/src/Makefile_win32_debug.txt
index 15817ee34b3..220427fadf3 100644
--- a/usr.sbin/httpd/src/Makefile_win32_debug.txt
+++ b/usr.sbin/httpd/src/Makefile_win32_debug.txt
@@ -37,6 +37,9 @@ _build:
 	 nmake /nologo CFG="htpasswd - Win32 Debug" -f htpasswd.mak
 	 nmake /nologo CFG="htdigest - Win32 Debug" -f htdigest.mak
 	cd ..
+	cd lib/expat-lite
+	 nmake /nologo CFG="xmlparse - Win32 Debug" -f xmlparse.mak
+	cd ../..
 	cd main
 	 nmake /nologo CFG="gen_uri_delims - Win32 Debug" -f gen_uri_delims.mak
 	 nmake /nologo CFG="gen_test_char - Win32 Debug" -f gen_test_char.mak
@@ -97,6 +100,9 @@ clean:
 	 nmake /nologo CFG="htpasswd - Win32 Debug" -f htpasswd.mak clean
 	 nmake /nologo CFG="htdigest - Win32 Debug" -f htdigest.mak clean
 	cd ..
+	cd lib/expat-lite
+	 nmake /nologo CFG="xmlparse - Win32 Debug" -f xmlparse.mak clean
+	cd ../..
 	cd main
 	 nmake /nologo CFG="gen_uri_delims - Win32 Debug" -f gen_uri_delims.mak clean
 	 del uri_delims.h
diff --git a/usr.sbin/httpd/src/PORTING b/usr.sbin/httpd/src/PORTING
index 24c7c4f3771..52103d24f1d 100644
--- a/usr.sbin/httpd/src/PORTING
+++ b/usr.sbin/httpd/src/PORTING
@@ -4,10 +4,11 @@ The Semi-Official Guide to Porting Apache
 Introduction:
 -------------
 Apache has been ported to a wide variety of platforms, from multiple
-UNIX varients to OS/2. Nonetheless, there are most likely a few
-platforms out there that currently are not "officially" supported
-under Apache. Porting Apache to these platforms can be quite simple
-depending on the "genericness" of the OS. This doc will provide
+UNIX variants to OS/2. Starting with v1.3, it will even run under
+Windows95 and Windows NT. Nonetheless, there are most likely a few
+platforms out there that currently are not "officially" supported under
+Apache. Porting Apache to these platforms can be quite simple
+depending on the "genericness" of the OS. This document will provide
 some basic guidelines to help the potential porter.
 
 -------------
@@ -22,10 +23,11 @@ basic controlling functions for them (like accept(), bind(), etc).
 The source for Apache is written in ANSI-C, so an ANSI-C compiler
 is required. However, Apache does not use or require ANSI-only
 functions or options (eg: the "%n" parameter in the scanf()
-family); the source basically uses ANSI function prototyping but
-no other specific ANSIisms. Thus, an ANSI-to-K&R filter _may_
-work, although as far as I know it has not yet been tried. If you
-attempt this, let the Apache team know (mailto: new-httpd@hyperreal.com).
+family) as much as possible to ease portability. Generally,
+an ANSI-C compiler (eg: gcc) even without a full-blown ANSI
+C library is usually sufficient.
+
+At present, the Apache source is not compatible with C++.
 
 -------------------
 The Starting Point:
@@ -35,7 +37,7 @@ script. This is a simple script that attempts to determine the
 platform and OS you are running on. The output of this script
 is used by Configure to set some basic compilation parameters.
 
-The output of ./helpers/GuessOS was designed to be GNUconfig.guess
+The output of ./helpers/GuessOS was designed to be GNU 'config.guess'
 compatible (from GNU/autoconf). The format of the output string
 is:
 
@@ -43,15 +45,20 @@ is:
 
 This string is returned to the main Configure script as the
 shell variable $PLAT. If Configure is not "aware" of that platform
-(or cannot correctly parse it), it will complain and die.
+(or cannot correctly parse it), it will complain and die. We realize
+that this may not be the best solution; the intent is to get as
+much feedback as possible.
 
 ----------------------
 Configure cannot Grok:
 ----------------------
-If this happens to you, then it means that Configure doesn't
-know how to configure and compile Apache for your OS. The first
-course of action is the easiest: Look in Configure and see if
-there are any OSs which is similar to yours.
+If this happens to you, then it means that Configure doesn't know
+how to configure and compile Apache for your OS. It will still try
+nonetheless, but at this point, all bets are off.
+
+The best solution if this happens to you is to make Apache aware
+of your OS.  The first course of action is the easiest:  Look in
+Configure and see if there are any OSs which are similar to yours.
 
 For example, let's say that your OS is similar to HP-UX, but that
 GuessOS returns "foobar-intel-hubble". You would then edit
@@ -89,14 +96,14 @@ is generic enough that most ports are incredibly easy. No matter
 what, however, there are 2 source files that need to be updated
 for the port:
 
-   Configure
-   conf.h
+   ./Configure
+   ./include/ap_config.h
 
 Configure:
 ==========
 Configure concerns itself with determining the OS-type for the
 build and setting up a few Makefile variables for the build. The
-most important is 'OS' and 'CFLAGS'. For example, when Configure
+most important are 'OS' and 'CFLAGS'. For example, when Configure
 determines a build for A/UX, it runs the following lines:
 
   case "$PLAT" in
@@ -104,22 +111,27 @@ determines a build for A/UX, it runs the following lines:
 	OS='A/UX 3.1.x'
 	CFLAGS="$CFLAGS -DAUX -D_POSIX_SOURCE"
 	LIBS="$LIBS -lposix -lbsd"
-	LFLAGS="$LFLAGS -s"
+	LDFLAGS="$LDFLAGS -s"
 	DEF_WANTHSREGEX=no
 	;;
 
 The 'OS' variable is used to define the system Apache is being built
 for. You will also note that 'CFLAGS' defines "-DAUX". In this case,
-'AUX' is a magic cookie used by the Apache code (mainly conf.h [see
+'AUX' is a magic cookie used by the Apache code (mainly ap_config.h [see
 below]) to handle OS-specific code. Each code that has and requires
 such OS-specific code will require a unique "system cookie" defined
 in 'CFLAGS'. You will also note that Configure also goes ahead and
-predefines the LIBS and LFLAGS Makefile variables (DEF_WANTHSREGEX is
-explained below).
+predefines the LIBS and LDFLAGS Makefile variables.
 
-conf.h:
+DEF_WANTHSREGEX indicates the "default" setting of the WANTHSREGEX rule.
+If left undefined it'll default to yes.  Yes means the src/regex/
+directory, containing Henry Spencer's regex library will be used rather
+than any system supplied regex.  It's been our experience that system
+supplied regex libraries are generally buggy, and should be avoided.
+
+ap_config.h:
 =======
-The Apache code, specifically in conf.h, uses a variety of #defines to
+The Apache code, specifically in ap_config.h, uses a variety of #defines to
 control how the code is compiled and what options are available for each
 supported OS. One of the hardest parts about the porting process is
 determining which of the following are applicable for your system and
@@ -132,6 +144,7 @@ setup. This time using the example of AIX, we see:
    #define HAVE_SYS_SELECT_H
    #define JMP_BUF sigjmp_buf
    #define HAVE_MMAP
+   #define USE_MMAP_SCOREBOARD
    typedef int rlim_t;
 
 The above lines describe which functions,  capabilities and specifics
@@ -139,7 +152,7 @@ are required for Apache to build and run under IBM AIX (the #undefs
 are not strictly required, but are a Good Idea anyway).
 
 The following several lines provide a list and short description
-of these #defines. By correcting #defining the ones you need in conf.h
+of these #defines. By correctly #defining the ones you need in ap_config.h
 (wrapped by the above mentioned "system cookie"), you can fine tune the
 build for your OS.
 
@@ -161,57 +174,112 @@ build for your OS.
  HAVE_*:
   Does this OS have/support this capability?
 
-    HAVE_GMTOFF:
-      Define if the OS's tm struct has the tm_gmtoff element
-
-    HAVE_RESOURCE:
-      Define if the OS supports the getrlimit()/setrlimit() functions
-
     HAVE_MMAP:
-      Define if the OS supports the BSD mmap() call. This is used by various
-      OSs to allow the scoreboard file to be held in shared mmapped-memory
-      instead of a real file.
+      The OS has a working mmap() implementation
 
     HAVE_SHMGET:
-      Define if the OS has the SysV-based shmget() family of shared-memory
-      functions. Used to allow the scoreboard to live in a shared-memory
-      slot instead of a real file.
+      The OS has a working shmget() (SystemV shared memory) implementation
+
+    HAVE_GMTOFF:
+      Define if the OS's tm struct has the tm_gmtoff element
 
     HAVE_CRYPT_H:
-      Define if the OS has the <crypt.h> header file.
+      Defined if the OS has the <crypt.h> header file. This is set
+      automatically during the Configure process and stored in the
+      src/include/ap_config_auto.h header file.
 
     HAVE_SYS_SELECT_H:
-      Define if the OS has the <sys/select.h> header file.
+      Defined if the OS has the <sys/select.h> header file. This is
+      set automatically during the Configure process and stored in the
+      src/include/ap_config_auto.h header file.
 
     HAVE_SYS_RESOURCE_H:
-      Define if the OS has and supports the getrlimit/setrlimit
+      Defined if the OS has and supports the getrlimit/setrlimit
       family. Apache uses this to determine if RLIMIT_CPU|VMEM|DATA|RLIMIT
-      is found and used.
-
-    HAVE_SNPRINTF:
-      Apache makes extensive use of the snprintf() function. many
-      platforms do not provide this function. If your platform
-      does provide it _and_ it's reliable (most are not) then
-      define this to use the OS version. Otherwise, Apache will
-      use it's own.
+      is found and used. This also assumes that the getrlimit()/setrlimit()
+      functions are available as well. This is set automatically during the
+      Configure process and stored in the src/include/ap_config_auto.h header
+      file.
+
+    HAVE_SYS_PARAM_H:
+      Defined if the OS has the <sys/param.h> header file. This is
+      set automatically during the Configure process and stored in the
+      src/include/ap_config_auto.h header file.
+
 --
 
  USE_*:
   These #defines are used for functions and ability that aren't exactly
   required but should be used.
 
+     USE_MMAP_SCOREBOARD:
+      Define if the OS supports the BSD mmap() call. This is used by various
+      OSs to allow the scoreboard file to be held in shared mmapped-memory
+      instead of a real file.  Note that this is only used to determine
+      if mmap should be used for shared memory. If HAVE_MMAP is not
+      #defined, this will automatically be unset.
+
+     USE_SHMGET_SCOREBOARD:
+      Define if the OS has the SysV-based shmget() family of shared-memory
+      functions. Used to allow the scoreboard to live in a shared-memory
+      slot instead of a real file. If HAVE_SHMGET is not #defined,
+      this will automatically be unset.
+
+     <<NOTE: If neither USE_MMAP_SCOREBOARD or USE_SHMGET_SCOREBOARD
+	     is defined, a file-based scoreboard will be used and
+	     SCOREBOARD_FILE will automatically be defined >>
+
+     USE_POSIX_SCOREBOARD:
+      Defined on QNX currently where the shared memory scoreboard follows
+      the POSIX 1003.4 spec.
+    
+     USE_OS2_SCOREBOARD:
+      Defined on OS2, uses OS2 primitives to construct shared memory for
+      the scoreboard.
+
+     USE_LONGJMP:
+      Define to use the longjmp() call instead of siglongjmp()
+      (as well as setjmp() instead of sigsetjmp()).
+
+     USE_MMAP_FILES:
+      Enable the use of mmap() for sending static files. If HAVE_MMAP
+      is not #defined, this will automatically be unset.
+
+ USE_*_SERIALIZED_ACCEPT:
+  See htdocs/manual/misc/perf-tuning.html for an in-depth discussion of
+  why these are required.  These are choices for implementing a semaphore
+  between children entering accept().  A complete port should define one
+  of these, many may work and it's worthwhile timing them.  Without these
+  the server will not implement multiple Listen directives reliably.
+
      USE_FCNTL_SERIALIZED_ACCEPT:
-      Define if the OS requires a mutex "lock" around the socket accept()
-      call. Use fcntl() locking.
+      Use fcntl() to implement the semaphore.
 
      USE_FLOCK_SERIALIZED_ACCEPT:
-      Define if the OS requires a mutex "lock" around the socket accept()
-      call. Use flock() locking (fcntl() is expensive on some OSs, esp.
-      when using NFS).
+      Use flock() to implement the semaphore (fcntl() is expensive on
+      some OSs, esp.  when using NFS).
 
-     USE_LONGJMP:
-      use the longjmp() call instead of siglongjmp()
-      (as well as setjmp() instead of sigsetjmp())
+     USE_USLOCK_SERIALIZED_ACCEPT:
+      Probably IRIX only: use uslock() to serialize, which is far faster
+      on multiprocessor boxes (and far slower on uniprocessor, yay).
+
+     USE_SYSVSEM_SERIALIZED_ACCEPT:
+      Use System V semaphores to implement the semaphore.  These are
+      problematic in that they won't be cleaned up if apache is kill -9d,
+      and there's the potential of a CGI causing a denial of service
+      attack if it's running as the same uid as apache (i.e. suexec
+      is recommended on public servers).  But they can be faster than
+      either of fcntl() or flock() on some systems.
+
+     USE_PTHREAD_SERIALIZED_ACCEPT:
+      Use POSIX mutexes to implement the semaphore.
+
+     << NOTE: If none of the above USE_*SERIALIZED_ACCEPTs are
+	      defined, NO_SERIALIZED_ACCEPT will automatically
+	      be defined if MULTITHREAD is not defined >>
+
+     SINGLE_LISTEN_UNSERIALIZED_ACCEPT:
+      It's safe to unserialize single-socket accept().
 
 --
 
@@ -219,22 +287,57 @@ build for your OS.
    These are defined if the OS does NOT have the specified function or if
    we should not use it.
 
+      NO_SHMGET:
+       Do not use shmget() (SystemV shared memory) at all.
+
+      NO_MMAP:
+       Do not use mmap() at all.
+
       NO_UNISTD_H:
+
       NO_KILLPG:
+
       NO_SETSID:
+
       NO_USE_SIGACTION:
        Do not use the sigaction() call, even if we have it.
+
       NO_LINGCLOSE:
        Do not use Apache's soft, "lingering" close feature to
-       terminate connections.
+       terminate connections. If you find that your server crashes
+       due to being choked by too many FIN_WAIT_2 network states, 
+       some reports indicate that #define'ing this will help.
+
       NO_SLACK:
        Do not use the "slack" fd feature which requires a working fcntl
        F_DUPFD.
+
+      NO_GETTIMEOFDAY:
+       OS does not have the gettimeofday() function (which is
+       BSDish).
+
+      NO_TIMES:
+       OS does not have the times() function.
+
+      NO_OTHER_CHILD:
+       Do not implement the register_other_child API, usually because
+       certain system calls aren't available.
+
+      NO_RELIABLE_PIPED_LOGS:
+       Do not use reliable piped logs, which happen to also require
+       the register_other_child API.  The reliable piped log code
+       requires another child spawning interface which hasn't been
+       generalised yet.
+
 --
 
   MISC #DEFINES:
    Various other #defines used in the code.
 
+      MULTITHREAD:
+       Defined if the OS is multi-threaded. Valid only on
+       Win32 at present.
+
       JMP_BUF:
        The variable-type for siglongjmp() or longjmp() call.
 
@@ -242,16 +345,37 @@ build for your OS.
        Amount to move sbrk() breakpoint, if required, before attaching
        shared-memory segment.
 
+      NET_SIZE_T:
+       Some functions such as accept(), getsockname(), getpeername() take
+       an int *len on some architectures and a size_t *len on others.
+       If left undefined apache will default it to int.  See
+       include/ap_config.h for a description of NET_SIZE_T.
+
+      NEED_HASHBANG_EMUL:
+       The execve()/etc. functions on this platform do not deal with #!,
+       so it must be emulated by Apache.
+
+      SYS_SIGLIST
+       Should be defined to point to a const char * const * array of
+       signal descriptions.  This is frequently sys_siglist or
+       _sys_siglist, defined in <signals.h>
+
+      ap_wait_t
+       The type used for wait()/waitpid()/... status parameter.  Usually
+       int.
+
 -----------
 Conclusion:
 -----------
 The above hints, and a good understanding of your OS and Apache, will
 go a LONG way in helping you get Apache built and running on your
-OS. If you have a port, PLEASE send Email to 'new-httpd@hyperreal.com'
-with the patches so that we may add them to the official version.
+OS. If you have a port, PLEASE send Email to 'Apache@Apache.Org',
+or log a suggestion report at <http://bugs.apache.org/>, with
+the patches so that we may add them to the official version.
 If you hit a rough spot in the porting process, you can also try
 sending Email to that address as well and, if you are lucky, someone
 will respond. Another good source is the 'comp.infosystems.www.servers.unix'
 Usenet group as well.
 
 Good luck and happy porting!
+
diff --git a/usr.sbin/httpd/src/README.EBCDIC b/usr.sbin/httpd/src/README.EBCDIC
index e3361adadf3..78a5acfaac8 100644
--- a/usr.sbin/httpd/src/README.EBCDIC
+++ b/usr.sbin/httpd/src/README.EBCDIC
@@ -42,10 +42,9 @@ decisions of the port to this machine.
 
 * This port therefore features a built-in protocol level conversion
   for the server-internal strings (which the compiler translated to
-  EBCDIC strings) and server-generated documents. The hard coded
-  ASCII escapes \012 and \015 which are ubiquitious in the server
-  code are an exception: they are not converted to ASCII a second
-  time.
+  EBCDIC strings) and server-generated documents. This presumes that
+  hard coded ASCII escapes \012 and \015 will not exist in the server
+  code; rather coders will use the CRLF, CR, and LF macros.
 
 * By examining the call hierarchy for the BUFF management routines,
   I added an "ebcdic/ascii conversion layer" which would be crossed
diff --git a/usr.sbin/httpd/src/ap/ap_base64.c b/usr.sbin/httpd/src/ap/ap_base64.c
index 89cda4b5c26..82497d3f6f2 100644
--- a/usr.sbin/httpd/src/ap/ap_base64.c
+++ b/usr.sbin/httpd/src/ap/ap_base64.c
@@ -139,6 +139,7 @@ API_EXPORT(int) ap_base64decode(char *bufplain, const char *bufcoded)
     for (i = 0; i < len; i++)
 	bufplain[i] = os_toebcdic[bufplain[i]];
 #endif				/* CHARSET_EBCDIC */
+    bufplain[len] = '\0';
     return len;
 }
 
@@ -186,7 +187,6 @@ API_EXPORT(int) ap_base64decode_binary(unsigned char *bufplain,
 	    (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
     }
 
-    *(bufout++) = '\0';
     nbytesdecoded -= (4 - nprbytes) & 3;
     return nbytesdecoded;
 }
diff --git a/usr.sbin/httpd/src/ap/ap_checkpass.c b/usr.sbin/httpd/src/ap/ap_checkpass.c
index 63258c9e275..a4a597e2f1e 100644
--- a/usr.sbin/httpd/src/ap/ap_checkpass.c
+++ b/usr.sbin/httpd/src/ap/ap_checkpass.c
@@ -97,7 +97,7 @@ API_EXPORT(char *) ap_validate_password(const char *passwd, const char *hash)
 	/*
 	 * It's not our algorithm, so feed it to crypt() if possible.
 	 */
-#if defined(WIN32) || defined(TPF)
+#if defined(WIN32) || defined(NETWARE)
 	/*
 	 * On Windows, the only alternative to our MD5 algorithm is plain
 	 * text.
diff --git a/usr.sbin/httpd/src/ap/ap_ctx.c b/usr.sbin/httpd/src/ap/ap_ctx.c
index f714fc3ac5a..a2dda81df24 100644
--- a/usr.sbin/httpd/src/ap/ap_ctx.c
+++ b/usr.sbin/httpd/src/ap/ap_ctx.c
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 1998 The Apache Group.  All rights reserved.
+ * Copyright (c) 1998-2000 The Apache Group.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/ap/ap_execve.c b/usr.sbin/httpd/src/ap/ap_execve.c
index e126b8a5d76..346ce134661 100644
--- a/usr.sbin/httpd/src/ap/ap_execve.c
+++ b/usr.sbin/httpd/src/ap/ap_execve.c
@@ -99,7 +99,7 @@
 #undef execle
 #undef execve
 
-static const char **hashbang(const char *filename, char **argv);
+static const char **hashbang(const char *filename, char * const *argv);
 
 
 /* Historically, a list of arguments on the stack was often treated as
@@ -133,7 +133,7 @@ int ap_execle(const char *filename, const char *argv0, ...)
 
     /* Pass two --- copy the argument strings into the result space */
     va_start(adummy, argv0);
-    argv[0] = argv0;
+    argv[0] = (char *)argv0;
     for (argc = 1; (argv[argc] = va_arg(adummy, char *)) != NULL; ++argc) {
 	continue;
     }
@@ -149,7 +149,7 @@ int ap_execle(const char *filename, const char *argv0, ...)
 /* Count number of entries in vector "args", including the trailing NULL entry
  */
 static int
-count_args(const char **args)
+count_args(char * const *args)
 {
     int i;
     for (i = 0; args[i] != NULL; ++i) {
@@ -163,14 +163,14 @@ count_args(const char **args)
  * We have to fiddle with the argv array to make it work on platforms
  * which don't support the "hashbang" interpreter line by default.
  */
-int ap_execve(const char *filename, const char *argv[],
-	      const char *envp[])
+int ap_execve(const char *filename, char * const argv[],
+	      char * const envp[])
 {
-    const char **script_argv;
+    char **script_argv;
     extern char **environ;
 
     if (envp == NULL) {
-	envp = (const char **) environ;
+	envp = (char * const *) environ;
     }
 
     /* Try to execute the file directly first: */
@@ -201,7 +201,7 @@ int ap_execve(const char *filename, const char *argv[],
 	 * Interpret the line following the #! as a command line
 	 * in shell style.
 	 */
-	if ((script_argv = hashbang(filename, argv)) != NULL) {
+	if ((script_argv = (char **)hashbang(filename, argv)) != NULL) {
 
 	    /* new filename is the interpreter to call */
 	    filename = script_argv[0];
@@ -257,7 +257,7 @@ int ap_execve(const char *filename, const char *argv[],
  */
 #define HACKBUFSZ 1024		/* Max chars in #! vector */
 #define HACKVECSZ 128		/* Max words in #! vector */
-static const char **hashbang(const char *filename, char **argv)
+static const char **hashbang(const char *filename, char * const *argv)
 {
     char lbuf[HACKBUFSZ];
     char *sargv[HACKVECSZ];
@@ -347,7 +347,7 @@ static const char **hashbang(const char *filename, char **argv)
 	    }
 	    ++i;
 
-	    newargv = (char **) malloc((p - lbuf + 1)
+	    newargv = (const char **) malloc((p - lbuf + 1)
                       + (i + sargc + 1) * sizeof(*newargv));
 	    if (newargv == NULL) {
 		fprintf(stderr, "Ouch!  Out of memory in hashbang()!\n");
diff --git a/usr.sbin/httpd/src/ap/ap_getpass.c b/usr.sbin/httpd/src/ap/ap_getpass.c
index 80988d16fdd..9ed6897d6b3 100644
--- a/usr.sbin/httpd/src/ap/ap_getpass.c
+++ b/usr.sbin/httpd/src/ap/ap_getpass.c
@@ -62,7 +62,9 @@
  */
 
 #include "ap_config.h"
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include <errno.h>
 #include "ap.h"
 
@@ -83,28 +85,55 @@
 #define ERR_OVERFLOW 5
 
 #ifdef MPE
-/*
- * MPE lacks getpass() and a way to suppress stdin echo.  So for now, just
- * issue the prompt and read the results with echo.  (Ugh).
- */
+#include <termios.h>
 
-static char *getpass(const char *prompt)
+char *
+getpass(const char *prompt)
 {
-    static char password[MAX_STRING_LEN];
+	static char		buf[MAX_STRING_LEN+1];	/* null byte at end */
+	char			*ptr;
+	sigset_t		sig, sigsave;
+	struct termios	term, termsave;
+	FILE			*fp,*outfp;
+	int				c;
+
+        if ((outfp = fp = fopen("/dev/tty", "w+")) == NULL) {
+                outfp = stderr;
+                fp = stdin;
+        }
 
-    fputs(prompt, stderr);
-    gets((char *) &password);
+	sigemptyset(&sig);	/* block SIGINT & SIGTSTP, save signal mask */
+	sigaddset(&sig, SIGINT);
+	sigaddset(&sig, SIGTSTP);
+	sigprocmask(SIG_BLOCK, &sig, &sigsave);
 
-    if (strlen((char *) &password) > (MAX_STRING_LEN - 1)) {
-	password[MAX_STRING_LEN - 1] = '\0';
-    }
+	tcgetattr(fileno(fp), &termsave);	/* save tty state */
+	term = termsave;			/* structure copy */
+	term.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
+	tcsetattr(fileno(fp), TCSAFLUSH, &term);
 
-    return (char *) &password;
-}
+	fputs(prompt, outfp);
 
-#endif
+	ptr = buf;
+	while ( (c = getc(fp)) != EOF && c != '\n') {
+		if (ptr < &buf[MAX_STRING_LEN])
+			*ptr++ = c;
+	}
+	*ptr = 0;			/* null terminate */
+	putc('\n', outfp);		/* we echo a newline */
 
-#ifdef WIN32
+						/* restore tty state */
+	tcsetattr(fileno(fp), TCSAFLUSH, &termsave);
+
+						/* restore signal mask */
+	sigprocmask(SIG_SETMASK, &sigsave, NULL);
+	if (fp != stdin) fclose(fp);
+
+	return(buf);
+}
+#endif /* MPE */
+
+#if defined(WIN32) || defined(NETWARE)
 /*
  * Windows lacks getpass().  So we'll re-implement it here.
  */
diff --git a/usr.sbin/httpd/src/ap/ap_hook.c b/usr.sbin/httpd/src/ap/ap_hook.c
index 3f649b63928..a5634f0c570 100644
--- a/usr.sbin/httpd/src/ap/ap_hook.c
+++ b/usr.sbin/httpd/src/ap/ap_hook.c
@@ -2,7 +2,7 @@
 =pod
 #endif
 /* ====================================================================
- * Copyright (c) 1998 The Apache Group.  All rights reserved.
+ * Copyright (c) 1998-2000 The Apache Group.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/ap/ap_md5c.c b/usr.sbin/httpd/src/ap/ap_md5c.c
index 7a8aee5965d..18e67ff0221 100644
--- a/usr.sbin/httpd/src/ap/ap_md5c.c
+++ b/usr.sbin/httpd/src/ap/ap_md5c.c
@@ -232,12 +232,12 @@ API_EXPORT(void) ap_MD5Update(AP_MD5_CTX *context, const unsigned char *input,
     memcpy(&context->buffer[idx], &input[i], inputLen - i);
 #else /*CHARSET_EBCDIC*/
     if (inputLen >= partLen) {
-	ebcdic2ascii_strictly(&context->buffer[idx], input, partLen);
+	ebcdic2ascii(&context->buffer[idx], input, partLen);
 	MD5Transform(context->state, context->buffer);
 
 	for (i = partLen; i + 63 < inputLen; i += 64) {
 	    unsigned char inp_tmp[64];
-	    ebcdic2ascii_strictly(inp_tmp, &input[i], 64);
+	    ebcdic2ascii(inp_tmp, &input[i], 64);
 	    MD5Transform(context->state, inp_tmp);
 	}
 
@@ -248,7 +248,7 @@ API_EXPORT(void) ap_MD5Update(AP_MD5_CTX *context, const unsigned char *input,
     }
 
     /* Buffer remaining input */
-    ebcdic2ascii_strictly(&context->buffer[idx], &input[i], inputLen - i);
+    ebcdic2ascii(&context->buffer[idx], &input[i], inputLen - i);
 #endif /*CHARSET_EBCDIC*/
 }
 
diff --git a/usr.sbin/httpd/src/ap/ap_mm.c b/usr.sbin/httpd/src/ap/ap_mm.c
index 198b99c515f..95df26e33d0 100644
--- a/usr.sbin/httpd/src/ap/ap_mm.c
+++ b/usr.sbin/httpd/src/ap/ap_mm.c
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 1999 The Apache Group.  All rights reserved.
+ * Copyright (c) 1999-2000 The Apache Group.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/ap/ap_sha1.c b/usr.sbin/httpd/src/ap/ap_sha1.c
index 1d4d9ea49b6..1658c3ff65a 100644
--- a/usr.sbin/httpd/src/ap/ap_sha1.c
+++ b/usr.sbin/httpd/src/ap/ap_sha1.c
@@ -292,7 +292,7 @@ API_EXPORT(void) ap_SHA1Update(AP_SHA1_CTX *sha_info, const char *buf,
 	if (i > count) {
 	    i = count;
 	}
-	ebcdic2ascii_strictly(((AP_BYTE *) sha_info->data) + sha_info->local,
+	ebcdic2ascii(((AP_BYTE *) sha_info->data) + sha_info->local,
 			      buffer, i);
 	count -= i;
 	buffer += i;
@@ -306,13 +306,13 @@ API_EXPORT(void) ap_SHA1Update(AP_SHA1_CTX *sha_info, const char *buf,
 	}
     }
     while (count >= SHA_BLOCKSIZE) {
-	ebcdic2ascii_strictly((AP_BYTE *)sha_info->data, buffer, SHA_BLOCKSIZE);
+	ebcdic2ascii((AP_BYTE *)sha_info->data, buffer, SHA_BLOCKSIZE);
 	buffer += SHA_BLOCKSIZE;
 	count -= SHA_BLOCKSIZE;
 	maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE);
 	sha_transform(sha_info);
     }
-    ebcdic2ascii_strictly((AP_BYTE *)sha_info->data, buffer, count);
+    ebcdic2ascii((AP_BYTE *)sha_info->data, buffer, count);
     sha_info->local = count;
 #else
     ap_SHA1Update_binary(sha_info, (const unsigned char *) buf, count);
diff --git a/usr.sbin/httpd/src/ap/ap_snprintf.c b/usr.sbin/httpd/src/ap/ap_snprintf.c
index 648d55fca74..a50c4af380f 100644
--- a/usr.sbin/httpd/src/ap/ap_snprintf.c
+++ b/usr.sbin/httpd/src/ap/ap_snprintf.c
@@ -62,7 +62,9 @@
 
 #include <stdio.h>
 #include <ctype.h>
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include <stdarg.h>
 #include <string.h>
 #include <stdlib.h>
@@ -82,7 +84,6 @@ typedef enum {
 #define AP_LONGEST_LONG		long
 #endif
 #define NUL			'\0'
-#define INT_NULL		((int *)0)
 #define WIDE_INT		long
 #define WIDEST_INT		AP_LONGEST_LONG
 
@@ -130,7 +131,7 @@ static char *ap_cvt(double arg, int ndigits, int *decpt, int *sign, int eflag, c
     register int r2;
     double fi, fj;
     register char *p, *p1;
-
+    
     if (ndigits >= NDIG - 1)
 	ndigits = NDIG - 2;
     r2 = 0;
@@ -401,18 +402,19 @@ static char *conv_10(register wide_int num, register bool_int is_unsigned,
     return (p);
 }
 
-static char *conv_10_quad(register widest_int num, register bool_int is_unsigned,
+static char *conv_10_quad(widest_int num, register bool_int is_unsigned,
 		     register bool_int *is_negative, char *buf_end,
 		     register int *len)
 {
     register char *p = buf_end;
-    register u_widest_int magnitude;
+    u_widest_int magnitude;
 
     /*
-     * If the value is less than the maximum unsigned long value,
-     * then we know we aren't using quads, so use the faster function
+     * We see if we can use the faster non-quad version by checking the
+     * number against the largest long value it can be. If <=, we
+     * punt to the quicker version.
      */
-    if (num <= ULONG_MAX)
+    if ((num <= ULONG_MAX && is_unsigned) || (num <= LONG_MAX && !is_unsigned))
     	return(conv_10( (wide_int)num, is_unsigned, is_negative,
 	       buf_end, len));
 
@@ -445,7 +447,7 @@ static char *conv_10_quad(register widest_int num, register bool_int is_unsigned
      * We use a do-while loop so that we write at least 1 digit 
      */
     do {
-	register u_widest_int new_magnitude = magnitude / 10;
+	u_widest_int new_magnitude = magnitude / 10;
 
 	*--p = (char) (magnitude - new_magnitude * 10 + '0');
 	magnitude = new_magnitude;
@@ -618,7 +620,7 @@ static char *conv_p2(register u_wide_int num, register int nbits,
     return (p);
 }
 
-static char *conv_p2_quad(register u_widest_int num, register int nbits,
+static char *conv_p2_quad(u_widest_int num, register int nbits,
 		     char format, char *buf_end, register int *len)
 {
     register int mask = (1 << nbits) - 1;
diff --git a/usr.sbin/httpd/src/helpers/GuessOS b/usr.sbin/httpd/src/helpers/GuessOS
index c68cfb5aba2..5ac4552a018 100644
--- a/usr.sbin/httpd/src/helpers/GuessOS
+++ b/usr.sbin/httpd/src/helpers/GuessOS
@@ -12,6 +12,20 @@
 # Be as similar to the output of config.guess/config.sub
 # as possible.
 
+# Handle TPF before handling other OSes.  This
+# is being done because TPF is sometimes compiled
+# on OS/390.  When that is the case, if we don't
+# handle TPF ahead of the other OSes, TPF will
+# fall into the OS/390 case and this script would
+# return an incorrect value for the platform.
+#
+# Apache is not compiled on the TPF platform
+# therefore an environment variable is used
+if [ "x$TPF" = "xYES" ]; then
+    echo "TPF"
+    exit 0	
+fi
+
 # First get uname entries that we use below
 
 MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
@@ -279,6 +293,9 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
     *:*:*:"DRS 6000")
         echo "drs6000-whatever-whatever"; exit 0;
 	;;
+    OS/390:*)
+        echo "${MACHINE}-IBM-OS390-${RELEASE}-${VERSION}"; exit 0;
+        ;;
 esac
 
 #
@@ -294,13 +311,6 @@ if [ -d /usr/apollo ]; then
     exit 0
 fi
 
-# Apache is not compiled on the TPF platform
-# therefore an environment variable is used
-if [ "x$TPF" = "xYES" ]; then
-    echo "TPF"
-    exit 0	
-fi
-
 # Now NeXT
 ISNEXT=`hostinfo 2>/dev/null`
 case "$ISNEXT" in
@@ -326,5 +336,5 @@ esac
 # At this point we gone through all the one's
 # we know of: Punt
 
-echo "${MACHINE}-whatever-${SYSTEM}|${RELEASE}|${VERSION}" 
+echo "${MACHINE}-whatever-${SYSTEM},${RELEASE},${VERSION}" 
 exit 0
diff --git a/usr.sbin/httpd/src/helpers/TestCompile b/usr.sbin/httpd/src/helpers/TestCompile
index 4622a3f2fc7..034c613ae51 100644
--- a/usr.sbin/httpd/src/helpers/TestCompile
+++ b/usr.sbin/httpd/src/helpers/TestCompile
@@ -1,6 +1,6 @@
 #!/bin/sh
 exstat=1
-trap 'rm -f Makefile dummy dummy.exe testfunc.c testfunc testfunc.exe; exit $exstat' 0 1 2 3 15
+trap 'rm -f Makefile dummy ../dummy.o dummy.exe testfunc.c testfunc ../testfunc.o testfunc.exe; exit $exstat' 0 1 2 3 15
 #
 # Yet another Apache Configure helper script.
 # This script tests certain aspects of the compilation
@@ -191,7 +191,8 @@ esac
 #
 # Get makefile settings and build a basic Makefile
 #
-rm -f dummy
+rm -f dummy ../dummy.o testfunc ../testfunc.o
+
 cat ../Makefile.config > Makefile
 cat <<EOF >> Makefile
 CFLAGS=\$(OPTIM) \$(CFLAGS1) \$(EXTRA_CFLAGS)
@@ -200,10 +201,10 @@ INCLUDES=\$(INCLUDES1) \$(EXTRA_INCLUDES)
 LDFLAGS=\$(LDFLAGS1) \$(EXTRA_LDFLAGS)
 
 dummy:
-	cd ..; \$(CC) \$(CFLAGS) \$(INCLUDES) \$(LDFLAGS) helpers/dummy.c -o helpers/dummy $TLIB \$(LIBS)
+	cd ..; \$(CC) \$(CFLAGS) \$(INCLUDES) \$(LDFLAGS) -o helpers/dummy helpers/dummy.c $TLIB \$(LIBS)
 
 testfunc:
-	cd ..; \$(CC) \$(CFLAGS) \$(INCLUDES) \$(LDFLAGS) helpers/testfunc.c -o helpers/testfunc $TLIB \$(LIBS)
+	cd ..; \$(CC) \$(CFLAGS) \$(INCLUDES) \$(LDFLAGS) -o helpers/testfunc helpers/testfunc.c $TLIB \$(LIBS)
 EOF
 
 # Now run that Makefile
@@ -216,8 +217,16 @@ eval "${MAKE-make} ${TARGET} $ERRDIR >&2"
 # have PrintPath just search this directory.
 
 if ./PrintPath -s -p`pwd` $TARGET ; then
+    if [ "x$OS" = "xMPE/iX" ]; then
+	# clever hack to check for unresolved externals without actually
+	# executing the test program 
+	if eval "callci run `pwd`/$TARGET\;stdin=\*notfound 2>&1 | /bin/grep ^UNRESOLVED $ERRDIR >&2"; then
+	    exit 1 # there were unresolved externals
+	fi
+    fi
     if [ "x$TCRUNIT" = "xyes" ]; then
 	`pwd`/$TARGET
     fi
     exstat=0
 fi
+
diff --git a/usr.sbin/httpd/src/helpers/binbuild.sh b/usr.sbin/httpd/src/helpers/binbuild.sh
index e6c3a4b4a9f..9d44b6a5e9d 100644
--- a/usr.sbin/httpd/src/helpers/binbuild.sh
+++ b/usr.sbin/httpd/src/helpers/binbuild.sh
@@ -6,12 +6,14 @@
 # This script falls under the Apache License.
 # See http://www.apache.org/docs/LICENSE
 
-
-CONFIGPARAM="--with-layout=BinaryDistribution --enable-module=most --enable-shared=max"
+OS=`src/helpers/GuessOS`
+case "x$OS" in
+  x*390*) CONFIGPARAM="--with-layout=BinaryDistribution --enable-module=most";;
+      *) CONFIGPARAM="--with-layout=BinaryDistribution --enable-module=most --enable-shared=max";;
+esac
 APDIR=`pwd`
 APDIR=`basename $APDIR`
 VER=`echo $APDIR |sed s/apache_//`
-OS=`src/helpers/GuessOS`
 TAR="`src/helpers/PrintPath tar`"
 GTAR="`src/helpers/PrintPath gtar`"
 GZIP="`src/helpers/PrintPath gzip`"
@@ -269,7 +271,10 @@ else
   else
     if [ "x$TAR" != "x" ]
     then
-      $TAR -cf ../apache_$VER-$OS.tar -C .. apache_$VER
+      case "x$OS" in
+        x*390*) $TAR -cfU ../apache_$VER-$OS.tar -C .. apache_$VER;;
+	    *) $TAR -cf ../apache_$VER-$OS.tar -C .. apache_$VER;;
+      esac
       if [ "x$GZIP" != "x" ]
       then
         $GZIP ../apache_$VER-$OS.tar
diff --git a/usr.sbin/httpd/src/helpers/fmn.sh b/usr.sbin/httpd/src/helpers/fmn.sh
index 0f17b55a08b..2900499da99 100644
--- a/usr.sbin/httpd/src/helpers/fmn.sh
+++ b/usr.sbin/httpd/src/helpers/fmn.sh
@@ -14,7 +14,7 @@
 modfile=$1
 
 #   the part from the Configure script
-tmpfile=/tmp/fmn.tmp.$$
+tmpfile=${TMPDIR-/tmp}/fmn.tmp.$$
 rm -f $tmpfile
 modname=''
 ext=`echo $modfile | sed 's/^.*\.//'`
diff --git a/usr.sbin/httpd/src/helpers/install.sh b/usr.sbin/httpd/src/helpers/install.sh
index 9a8821fa290..f0d2a14e951 100644
--- a/usr.sbin/httpd/src/helpers/install.sh
+++ b/usr.sbin/httpd/src/helpers/install.sh
@@ -93,7 +93,7 @@ dst="$dst$ext"
 
 #  Make a temp file name in the proper directory.
 dstdir=`dirname $dst`
-dsttmp=$dstdir/#inst.$$#
+dsttmp=$dstdir/inst.$$
 
 #  Move or copy the file name to the temp name
 $instcmd $src $dsttmp
diff --git a/usr.sbin/httpd/src/include/ap.h b/usr.sbin/httpd/src/include/ap.h
index a04c90596a7..da284cb4f3c 100644
--- a/usr.sbin/httpd/src/include/ap.h
+++ b/usr.sbin/httpd/src/include/ap.h
@@ -68,7 +68,7 @@ extern "C" {
 API_EXPORT(char *) ap_cpystrn(char *, const char *, size_t);
 int ap_slack(int, int);
 int ap_execle(const char *, const char *, ...);
-int ap_execve(const char *, const char *argv[], const char *envp[]);
+int ap_execve(const char *, char * const argv[], char * const envp[]);
 API_EXPORT(int) ap_getpass(const char *prompt, char *pwbuf, size_t bufsiz);
 
 /* small utility macros to make things easier to read */
@@ -180,7 +180,7 @@ API_EXPORT(int) ap_base64decode(char * plain_dst, const char *coded_src);
 API_EXPORT(int) ap_base64decode_binary(unsigned char * plain_dst, const char *coded_src);
 
 /* Password validation, as used in AuthType Basic which is able to cope
- * (based on the prexix) with the SHA1, Apache's internal MD5 and (depending
+ * (based on the prefix) with the SHA1, Apache's internal MD5 and (depending
  * on your platform either plain or crypt(3) passwords.
  */
 API_EXPORT(char *) ap_validate_password(const char *passwd, const char *hash);
diff --git a/usr.sbin/httpd/src/include/ap_config.h b/usr.sbin/httpd/src/include/ap_config.h
index e7219cf892e..5ea94b88a4d 100644
--- a/usr.sbin/httpd/src/include/ap_config.h
+++ b/usr.sbin/httpd/src/include/ap_config.h
@@ -72,7 +72,7 @@ extern "C" {
 /*
  * Support for platform dependent autogenerated defines
  */
-#ifndef WIN32
+#if !defined(WIN32) && !defined(NETWARE)
 #include "ap_config_auto.h"
 #else
 /* not available under WIN32, so provide important entries manually */
@@ -81,9 +81,12 @@ extern "C" {
 
 /* Have to include sys/stat.h before ../os/win32/os.h so we can override
 stat() properly */
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include <sys/stat.h>
 
+
 /* So that we can use inline on some critical functions, and use
  * GNUC attributes (such as to get -Wall warnings for printf-like
  * functions).  Only do this in gcc 2.7 or later ... it may work
@@ -108,17 +111,11 @@ stat() properly */
 #endif
 
 #ifdef WIN32
-/* include process.h first so we can override spawn[lv]e* properly */
-#include <process.h>
 #include "../os/win32/os.h"
 #else
 #include "os.h"
 #endif
 
-#if !defined(QNX) && !defined(MPE) && !defined(WIN32) && !defined(TPF)
-#include <sys/param.h>
-#endif
-
 /* Define one of these according to your system. */
 #if defined(MINT)
 typedef int rlim_t;
@@ -148,7 +145,6 @@ extern void GETPRIVMODE();
 extern void GETUSERMODE();
 extern char *inet_ntoa();
 #define NO_SLACK
-#define NO_GETTIMEOFDAY
 #define S_IEXEC  S_IXUSR
 #define S_IREAD  S_IRUSR
 #define S_IWRITE S_IWUSR
@@ -159,7 +155,7 @@ extern char *inet_ntoa();
 #undef NO_KILLPG
 #undef NO_SETSID
 char *crypt(const char *pw, const char *salt);
-char *mktemp(char *template);
+char *mktemp(char *);
 #define HAVE_MMAP 1
 #define USE_MMAP_SCOREBOARD
 #define USE_MMAP_FILES
@@ -349,6 +345,7 @@ typedef int rlim_t;
 
 #elif defined(NEXT)
 typedef unsigned short mode_t;
+typedef int rlim_t;
 #define HAVE_GMTOFF 1
 #undef NO_KILLPG
 #define NO_SETSID
@@ -420,9 +417,6 @@ typedef int pid_t;
 #define PLATFORM "Mac OS"
 #endif
 #define HAVE_DYLD
-#ifdef MAC_OS_X_SERVER
-#define DYLD_CANT_UNLOAD
-#endif /* MAC_OS_X_SERVER */
 #define HAVE_GMTOFF
 #define HAVE_MMAP
 #define USE_MMAP_FILES
@@ -929,12 +923,12 @@ typedef int rlim_t;
 #define NO_LINGCLOSE
 #define NO_MMAP
 #define NO_OTHER_CHILD
+#define NO_PIPED_LOGS
 #define NO_RELIABLE_PIPED_LOGS
 #define NO_SETSID
 #define NO_SLACK
 #define NO_TIMES
 #define NO_USE_SIGACTION
-#define NO_WRITEV
 #define USE_LONGJMP
 /*#define USE_SHMGET_SCOREBOARD*/
 #define USE_TPF_ACCEPT
@@ -942,6 +936,10 @@ typedef int rlim_t;
 /*#define USE_TPF_DAEMON*/
 #define USE_TPF_SCOREBOARD
 #define USE_TPF_SELECT
+#define S_IREAD S_IRUSR
+#define S_IWRITE S_IWUSR
+#define S_IEXEC S_IXUSR
+#define crypt(buf,salt) ((char *)buf)
 #undef  offsetof
 #define offsetof(s_type,field) ((size_t)&(((s_type*)0)->field))
 
@@ -951,6 +949,32 @@ typedef int rlim_t;
 #define NEED_INITGROUPS
 #define NO_SLACK
 
+#elif defined(OS390)                /* IBM OS/390 Operating System      */
+#define HAVE_MMAP
+#define HAVE_SHMGET
+#define USE_SHMGET_SCOREBOARD
+#define USE_MMAP_FILES
+#define USE_FCNTL_SERIALIZED_ACCEPT
+#define _POSIX_SOURCE
+#include <signal.h>
+#ifdef SIGDUMP  /* SIGDUMP is not defined by OS/390 v1r2 */
+#define NSIG SIGDUMP+1
+#else
+#define NSIG 40
+#endif
+#define JMP_BUF sigjmp_buf
+#define _XOPEN_SOURCE_EXTENDED 1
+#define _OPEN_MSGQ_EXT
+#define _XOPEN_SOURCE
+#define SHM_R S_IRUSR
+#define SHM_W S_IWUSR
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/msg.h>
+#include <sys/socket.h>
+#define NET_SIZE_T size_t
+#define NEED_HASHBANG_EMUL
+
 #else
 /* Unknown system - Edit these to match */
 #ifdef BSD
@@ -966,6 +990,10 @@ typedef int rlim_t;
 #undef NEED_STRDUP
 #endif
 
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif /* HAVE_SYS_PARAM_H */
+
 /* stuff marked API_EXPORT is part of the API, and intended for use
  * by modules
  */
@@ -1018,7 +1046,9 @@ typedef int rlim_t;
  * file. If you have neither, I'm confused.
  */
 
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include <stdarg.h>
 
 #if !defined(NEXT) && !defined(WIN32)
@@ -1038,10 +1068,10 @@ typedef int rlim_t;
 #include <strings.h>
 #endif
 #include "ap_ctype.h"
-#if !defined(MPE) && !defined(WIN32) && !defined(TPF) && !defined(__TANDEM)
+#if !defined(MPE) && !defined(WIN32) && !defined(TPF) && !defined(__TANDEM) && !defined(NETWARE)
 #include <sys/file.h>
 #endif
-#ifndef WIN32
+#if !defined(WIN32) && !defined(NETWARE)
 #include <sys/socket.h>
 #ifdef HAVE_SYS_SELECT_H
 #include <sys/select.h>
@@ -1049,6 +1079,9 @@ typedef int rlim_t;
 #ifndef TPF
 #include <netinet/in.h>
 #endif /* TPF */
+#if defined(OS390) && !defined(NO_ADDRESS)
+#define NO_ADDRESS NO_DATA  /* Not defined properly by OS/390 v1r2 */
+#endif
 #include <netdb.h>
 #include <sys/ioctl.h>
 #if !defined(MPE) && !defined(BEOS) && !defined(TPF)
@@ -1058,28 +1091,44 @@ typedef int rlim_t;
 #include <pwd.h>
 #include <grp.h>
 #include <fcntl.h>
+#ifndef BEOS
 #define closesocket(s) close(s)
+#endif
 #ifndef O_BINARY
 #define O_BINARY (0)
 #endif
-
-#else /* WIN32 */
-#include <winsock2.h>
-#include <malloc.h>
-#include <io.h>
-#include <fcntl.h>
 #endif /* ndef WIN32 */
+
 #include <limits.h>
 #include <time.h>		/* for ctime */
 #ifdef WIN32
 #define strftime(s,max,format,tm)  os_strftime(s,max,format,tm)
 #endif
 #include <signal.h>
+#ifdef NETWARE
+#undef SIGKILL
+#undef SA_NOCLDSTOP
+#undef SIGALRM
+#undef SIGCHILD
+#undef SIGCONT
+#undef SIGHUP
+#undef SIGPIPE
+#undef SIGQUIT
+#undef SIGSTOP
+#undef SIGTSTP
+#undef SIGTTIN
+#undef SIGTTOU
+#undef SIGUSR1
+#undef SIGUSR2
+#undef SIG_BLOCK
+#undef SIG_SETMASK
+#undef SIG_UNBLOCK
+#endif
 #if defined(TPF) && defined(NSIG)
 #undef NSIG
 #endif
 #include <errno.h>
-#if !defined(QNX) && !defined(CONVEXOS11) && !defined(NEXT) && !defined(TPF)
+#if !defined(QNX) && !defined(CONVEXOS11) && !defined(NEXT) && !defined(TPF) && !defined(NETWARE)
 #include <memory.h>
 #endif
 
@@ -1227,8 +1276,8 @@ Sigfunc *signal(int signo, Sigfunc * func);
  */
 #ifdef NEED_HASHBANG_EMUL
 extern int ap_execle(const char *filename, const char *arg,...);
-extern int ap_execve(const char *filename, const char *argv[],
-                     const char *envp[]);
+extern int ap_execve(const char *filename, char * const argv[],
+                     char * const envp[]);
 /* ap_execle() is a wrapper function around ap_execve(). */
 #define execle  ap_execle
 #define execve(path,argv,envp)  ap_execve(path,argv,envp)
diff --git a/usr.sbin/httpd/src/include/ap_ctx.h b/usr.sbin/httpd/src/include/ap_ctx.h
index 18f0f334e7f..4e7e9c34a44 100644
--- a/usr.sbin/httpd/src/include/ap_ctx.h
+++ b/usr.sbin/httpd/src/include/ap_ctx.h
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 1998 The Apache Group.  All rights reserved.
+ * Copyright (c) 1998-2000 The Apache Group.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/include/ap_hook.h b/usr.sbin/httpd/src/include/ap_hook.h
index d00bfec924b..0836cde4bb7 100644
--- a/usr.sbin/httpd/src/include/ap_hook.h
+++ b/usr.sbin/httpd/src/include/ap_hook.h
@@ -2,7 +2,7 @@
 =cut
 #endif
 /* ====================================================================
- * Copyright (c) 1998 The Apache Group.  All rights reserved.
+ * Copyright (c) 1998-2000 The Apache Group.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -697,8 +697,8 @@ ap_ctx(3)
 
 =head1 HISTORY
 
-The ap_hook(3) interface was originally designed and implemented in October
-1998 by Ralf S. Engelschall as part of the mod_ssl project.
+The ap_hook(3) interface was originally designed and 
+implemented in October 1998 by Ralf S. Engelschall.
 
 =head1 AUTHOR
 
diff --git a/usr.sbin/httpd/src/include/ap_md5.h b/usr.sbin/httpd/src/include/ap_md5.h
index 1e5b9cdaa8a..3ed74af15e2 100644
--- a/usr.sbin/httpd/src/include/ap_md5.h
+++ b/usr.sbin/httpd/src/include/ap_md5.h
@@ -94,6 +94,8 @@ extern "C" {
 
 /* MD5.H - header file for MD5C.C */
 
+#define MD5_DIGESTSIZE 16
+
 /* UINT4 defines a four byte word */
 typedef unsigned int UINT4;
 
@@ -114,7 +116,8 @@ typedef struct {
 API_EXPORT(void) ap_MD5Init(AP_MD5_CTX *context);
 API_EXPORT(void) ap_MD5Update(AP_MD5_CTX *context, const unsigned char *input,
 			      unsigned int inputLen);
-API_EXPORT(void) ap_MD5Final(unsigned char digest[16], AP_MD5_CTX *context);
+API_EXPORT(void) ap_MD5Final(unsigned char digest[MD5_DIGESTSIZE],
+			     AP_MD5_CTX *context);
 API_EXPORT(void) ap_MD5Encode(const unsigned char *password,
 			      const unsigned char *salt,
 			      char *result, size_t nbytes);
diff --git a/usr.sbin/httpd/src/include/ap_mm.h b/usr.sbin/httpd/src/include/ap_mm.h
index 5e85c53ffbe..90159b830f5 100644
--- a/usr.sbin/httpd/src/include/ap_mm.h
+++ b/usr.sbin/httpd/src/include/ap_mm.h
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 1999 The Apache Group.  All rights reserved.
+ * Copyright (c) 1999-2000 The Apache Group.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/include/http_conf_globals.h b/usr.sbin/httpd/src/include/http_conf_globals.h
index 7ba0abed370..c78b336a825 100644
--- a/usr.sbin/httpd/src/include/http_conf_globals.h
+++ b/usr.sbin/httpd/src/include/http_conf_globals.h
@@ -72,6 +72,9 @@ extern int ap_docrootcheck;
 extern uid_t ap_user_id;
 extern char *ap_user_name;
 extern gid_t ap_group_id;
+#ifdef NETWARE
+extern unsigned int ap_thread_stack_size;
+#endif
 #ifdef MULTIPLE_GROUPS
 extern gid_t group_id_list[NGROUPS_MAX];
 #endif
diff --git a/usr.sbin/httpd/src/include/http_log.h b/usr.sbin/httpd/src/include/http_log.h
index d9162bd22fb..89356bc7ffb 100644
--- a/usr.sbin/httpd/src/include/http_log.h
+++ b/usr.sbin/httpd/src/include/http_log.h
@@ -136,7 +136,7 @@ API_EXPORT(void) ap_log_reason(const char *reason, const char *fname,
 
 typedef struct piped_log {
     pool *p;
-#ifndef NO_RELIABLE_PIPED_LOGS
+#if !defined(NO_RELIABLE_PIPED_LOGS) || defined(TPF)
     char *program;
     int pid;
     int fds[2];
@@ -147,7 +147,7 @@ typedef struct piped_log {
 
 API_EXPORT(piped_log *) ap_open_piped_log (pool *p, const char *program);
 API_EXPORT(void) ap_close_piped_log (piped_log *);
-#ifndef NO_RELIABLE_PIPED_LOGS
+#if !defined(NO_RELIABLE_PIPED_LOGS) || defined(TPF)
 #define ap_piped_log_read_fd(pl)	((pl)->fds[0])
 #define ap_piped_log_write_fd(pl)	((pl)->fds[1])
 #else
diff --git a/usr.sbin/httpd/src/include/http_protocol.h b/usr.sbin/httpd/src/include/http_protocol.h
index 3824c1aba06..bf6155a7ce2 100644
--- a/usr.sbin/httpd/src/include/http_protocol.h
+++ b/usr.sbin/httpd/src/include/http_protocol.h
@@ -103,7 +103,7 @@ API_EXPORT(void) ap_finalize_request_protocol(request_rec *r);
  * problem with the ErrorDocument.
  */
 
-void ap_send_error_response(request_rec *r, int recursive_error);
+API_EXPORT(void) ap_send_error_response(request_rec *r, int recursive_error);
 
 /* Set last modified header line from the lastmod date of the associated file.
  * Also, set content length.
diff --git a/usr.sbin/httpd/src/include/httpd.h b/usr.sbin/httpd/src/include/httpd.h
index 0b9e0f86e1d..9ad91305f5a 100644
--- a/usr.sbin/httpd/src/include/httpd.h
+++ b/usr.sbin/httpd/src/include/httpd.h
@@ -99,6 +99,8 @@ extern "C" {
 #define HTTPD_ROOT "/apache"
 #elif defined(BEOS)
 #define HTTPD_ROOT "/boot/home/apache"
+#elif defined(NETWARE)
+#define HTTPD_ROOT "sys:/apache"
 #else
 #define HTTPD_ROOT "/usr/local/apache"
 #endif
@@ -252,7 +254,7 @@ extern "C" {
 
 /* The default path for CGI scripts if none is currently set */
 #ifndef DEFAULT_PATH
-#define DEFAULT_PATH "/bin:/usr/bin:local/bin"
+#define DEFAULT_PATH "/bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/local/bin"
 #endif
 
 /* The path to the shell interpreter, for parsed docs */
@@ -449,7 +451,7 @@ extern "C" {
  * Example: "Apache/1.1.0 MrWidget/0.1-alpha" 
  */
 
-#define SERVER_BASEVERSION "Apache/1.3.9"	/* SEE COMMENTS ABOVE */
+#define SERVER_BASEVERSION "Apache/1.3.11"	/* SEE COMMENTS ABOVE */
 #define SERVER_VERSION  SERVER_BASEVERSION
 enum server_token_type {
     SrvTk_MIN,		/* eg: Apache/1.3.0 */
@@ -468,7 +470,7 @@ API_EXPORT(void) ap_add_config_define(const char *define);
  * Always increases along the same track as the source branch.
  * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
  */
-#define APACHE_RELEASE 10309100
+#define APACHE_RELEASE 10311100
 
 #define SERVER_PROTOCOL "HTTP/1.1"
 #ifndef SERVER_SUPPORT
@@ -630,6 +632,8 @@ API_EXPORT(void) ap_add_config_define(const char *define);
 #ifndef CHARSET_EBCDIC
 #define LF 10
 #define CR 13
+#define CRLF "\015\012"
+#define OS_ASC(c) (c)
 #else /* CHARSET_EBCDIC */
 #include "ebcdic.h"
 /* OSD_POSIX uses the EBCDIC charset. The transition ASCII->EBCDIC is done in
@@ -641,6 +645,8 @@ API_EXPORT(void) ap_add_config_define(const char *define);
  */
 #define CR '\r'
 #define LF '\n'
+#define CRLF "\r\n"
+#define OS_ASC(c) (os_toascii[c])
 #endif /* CHARSET_EBCDIC */
 
 /* Possible values for request_rec.read_body (set by handling module):
@@ -685,6 +691,12 @@ typedef struct listen_rec listen_rec;
 
 #include "util_uri.h"
 
+enum proxyreqtype {
+    NOT_PROXY=0,
+    STD_PROXY,
+    PROXY_PASS
+};
+
 struct request_rec {
 
     ap_pool *pool;
@@ -708,7 +720,7 @@ struct request_rec {
 
     char *the_request;		/* First line of request, so we can log it */
     int assbackwards;		/* HTTP/0.9, "simple" request */
-    int proxyreq;		/* A proxy request (calculated during
+    enum proxyreqtype proxyreq;/* A proxy request (calculated during
 				 * post_read_request or translate_name) */
     int header_only;		/* HEAD request, as opposed to GET */
     char *protocol;		/* Protocol, as given to us, or HTTP/0.9 */
@@ -972,7 +984,7 @@ struct listen_rec {
     listen_rec *next;
     struct sockaddr_in local_addr;	/* local IP address and port */
     int fd;
-    int used;			/* Only used during restart */
+    int used;			/* Only used during restart */        
 /* more stuff here, like which protocol is bound to the port */
 };
 
diff --git a/usr.sbin/httpd/src/include/multithread.h b/usr.sbin/httpd/src/include/multithread.h
index bed94638b69..901046fd082 100644
--- a/usr.sbin/httpd/src/include/multithread.h
+++ b/usr.sbin/httpd/src/include/multithread.h
@@ -19,7 +19,11 @@ typedef void event;
  * I believe this is terribly ugly
  */
 #ifdef MULTITHREAD
+#ifdef NETWARE
+#define APACHE_TLS
+#else
 #define APACHE_TLS __declspec( thread )
+#endif
 
 thread *create_thread(void (thread_fn) (void *thread_arg), void *thread_arg);
 int kill_thread(thread *thread_id);
diff --git a/usr.sbin/httpd/src/include/scoreboard.h b/usr.sbin/httpd/src/include/scoreboard.h
index a8f88e3f394..0fadf8a8206 100644
--- a/usr.sbin/httpd/src/include/scoreboard.h
+++ b/usr.sbin/httpd/src/include/scoreboard.h
@@ -63,13 +63,14 @@ extern "C" {
 #endif
 
 #ifndef WIN32
-#ifdef TPF
+#if defined(TPF) || defined(NETWARE)
 #include <time.h>
 #else
 #include <sys/times.h>
 #endif /* TPF */
 #endif
 
+
 /* Scoreboard info on a process is, for now, kept very brief --- 
  * just status value and pid (the latter so that the caretaker process
  * can properly update the scoreboard when a process dies).  We may want
diff --git a/usr.sbin/httpd/src/lib/expat-lite/CHANGES b/usr.sbin/httpd/src/lib/expat-lite/CHANGES
index e424068ed91..0340d07ee1a 100644
--- a/usr.sbin/httpd/src/lib/expat-lite/CHANGES
+++ b/usr.sbin/httpd/src/lib/expat-lite/CHANGES
@@ -18,24 +18,48 @@ the following Expat distribution subdirectories:
 We also retain expat/expat.html for attribution to James Clark and
 licensing information.
 
-In addition, we remove expat/xmltok/dllmain.c from our version since
-we statically link expat-lite into the executable (rather than
-building a DLL on the Win32 platform). The *.dsp files are also
-removed, since we place those elsewhere in the Apache source
-distribution and they will have a very different structure.
+Note that Apache has replaced (with custom versions) the .dsp files
+normally distributed with Expat. Other changes are detailed further
+below.
 
-Makefile.tmpl has been created from scratch to provide build
-instructions to the Apache build system.
+
+=== FILES ADDED ===
 
 This file (CHANGES) has been added to document changes from the
 original Expat distribution.
 
+Makefile.tmpl has been created from scratch to provide build
+instructions to the Apache build system.
+
+xmlparse.def and xmltok.def have been added.
+
+.cvsignore has been added.
 
-=== CHANGES TO ORIGINAL ===
 
-There have been no changes made to any Expat file at this point in
-time (May 31, 1999).
+=== CHANGES TO ORIGINAL ===
 
 The files, in their original state from the Expat distribution, have
 been tagged within CVS with the "EXPAT_1_1" tag. That tag may be used
 as a reference for changes made by the Apache Group.
+
+The following changes have been made:
+
+June, 1999:
+
+  - modified xmldef.h to define XML_BYTE_ORDER in terms of the
+    AP_BYTE_ORDER symbol.
+  - removed compilation warnings from: xmlparse.c, xmltok.c, xmltok.h, 
+    xmltok_impl.c, xmltok_ns.c
+
+November, 1999:
+
+  - xmlparse.{def,dsp,mak} and xmltok.{def,dsp,mak} were added.
+    NOTE: the .dsp files are different from the standard Expat
+	  distribution.
+  - dllmain.c (from the Expat distribution) was added
+
+January, 2000:
+
+  - Renamed lookup() in hashtable.[ch] to hashTableLookup() to prevent
+    possible conflicts with third-party libraries and modules. Updated
+    calls in xmlparse.c accordingly.
diff --git a/usr.sbin/httpd/src/lib/expat-lite/hashtable.c b/usr.sbin/httpd/src/lib/expat-lite/hashtable.c
index 780a0610414..26a3b444f74 100644
--- a/usr.sbin/httpd/src/lib/expat-lite/hashtable.c
+++ b/usr.sbin/httpd/src/lib/expat-lite/hashtable.c
@@ -58,7 +58,7 @@ unsigned long hash(KEY s)
   return h;
 }
 
-NAMED *lookup(HASH_TABLE *table, KEY name, size_t createSize)
+NAMED *hashTableLookup(HASH_TABLE *table, KEY name, size_t createSize)
 {
   size_t i;
   if (table->size == 0) {
diff --git a/usr.sbin/httpd/src/lib/expat-lite/hashtable.h b/usr.sbin/httpd/src/lib/expat-lite/hashtable.h
index df8ab8a4c83..5c3f38cbb2e 100644
--- a/usr.sbin/httpd/src/lib/expat-lite/hashtable.h
+++ b/usr.sbin/httpd/src/lib/expat-lite/hashtable.h
@@ -56,7 +56,7 @@ typedef struct {
   size_t usedLim;
 } HASH_TABLE;
 
-NAMED *lookup(HASH_TABLE *table, KEY name, size_t createSize);
+NAMED *hashTableLookup(HASH_TABLE *table, KEY name, size_t createSize);
 void hashTableInit(HASH_TABLE *);
 void hashTableDestroy(HASH_TABLE *);
 
diff --git a/usr.sbin/httpd/src/lib/expat-lite/xmlparse.c b/usr.sbin/httpd/src/lib/expat-lite/xmlparse.c
index 8f9d09c86ee..62f4116171e 100644
--- a/usr.sbin/httpd/src/lib/expat-lite/xmlparse.c
+++ b/usr.sbin/httpd/src/lib/expat-lite/xmlparse.c
@@ -1132,7 +1132,7 @@ doContent(XML_Parser parser,
 				next - enc->minBytesPerChar);
 	if (!name)
 	  return XML_ERROR_NO_MEMORY;
-	entity = (ENTITY *)lookup(&dtd.generalEntities, name, 0);
+	entity = (ENTITY *)hashTableLookup(&dtd.generalEntities, name, 0);
 	poolDiscard(&dtd.pool);
 	if (!entity) {
 	  if (dtd.complete || dtd.standalone)
@@ -1496,12 +1496,12 @@ static enum XML_Error storeAtts(XML_Parser parser, const ENCODING *enc,
   const XML_Char *localPart;
 
   if (tagNamePtr) {
-    elementType = (ELEMENT_TYPE *)lookup(&dtd.elementTypes, tagNamePtr->str, 0);
+    elementType = (ELEMENT_TYPE *)hashTableLookup(&dtd.elementTypes, tagNamePtr->str, 0);
     if (!elementType) {
       tagNamePtr->str = poolCopyString(&dtd.pool, tagNamePtr->str);
       if (!tagNamePtr->str)
 	return XML_ERROR_NO_MEMORY;
-      elementType = (ELEMENT_TYPE *)lookup(&dtd.elementTypes, tagNamePtr->str, sizeof(ELEMENT_TYPE));
+      elementType = (ELEMENT_TYPE *)hashTableLookup(&dtd.elementTypes, tagNamePtr->str, sizeof(ELEMENT_TYPE));
       if (!elementType)
         return XML_ERROR_NO_MEMORY;
       if (ns && !setElementTypePrefix(parser, elementType))
@@ -1613,7 +1613,7 @@ static enum XML_Error storeAtts(XML_Parser parser, const ENCODING *enc,
       if (appAtts[i][-1] == 2) {
         ATTRIBUTE_ID *id;
         ((XML_Char *)(appAtts[i]))[-1] = 0;
-	id = (ATTRIBUTE_ID *)lookup(&dtd.attributeIds, appAtts[i], 0);
+	id = (ATTRIBUTE_ID *)hashTableLookup(&dtd.attributeIds, appAtts[i], 0);
 	if (id->prefix->binding) {
 	  int j;
 	  const BINDING *b = id->prefix->binding;
@@ -2037,7 +2037,7 @@ prologProcessor(XML_Parser parser,
 	const XML_Char *name = poolStoreString(&dtd.pool, encoding, s, next);
 	if (!name)
 	  return XML_ERROR_NO_MEMORY;
-	declElementType = (ELEMENT_TYPE *)lookup(&dtd.elementTypes, name, sizeof(ELEMENT_TYPE));
+	declElementType = (ELEMENT_TYPE *)hashTableLookup(&dtd.elementTypes, name, sizeof(ELEMENT_TYPE));
 	if (!declElementType)
 	  return XML_ERROR_NO_MEMORY;
 	if (declElementType->name != name)
@@ -2129,7 +2129,7 @@ prologProcessor(XML_Parser parser,
 	if (!name)
 	  return XML_ERROR_NO_MEMORY;
 	if (dtd.complete) {
-	  declEntity = (ENTITY *)lookup(&dtd.generalEntities, name, sizeof(ENTITY));
+	  declEntity = (ENTITY *)hashTableLookup(&dtd.generalEntities, name, sizeof(ENTITY));
 	  if (!declEntity)
 	    return XML_ERROR_NO_MEMORY;
 	  if (declEntity->name != name) {
@@ -2439,7 +2439,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, int isCdata,
 			       next - enc->minBytesPerChar);
 	if (!name)
 	  return XML_ERROR_NO_MEMORY;
-	entity = (ENTITY *)lookup(&dtd.generalEntities, name, 0);
+	entity = (ENTITY *)hashTableLookup(&dtd.generalEntities, name, 0);
 	poolDiscard(&temp2Pool);
 	if (!entity) {
 	  if (dtd.complete) {
@@ -2696,7 +2696,7 @@ static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
       }
       if (!poolAppendChar(&dtd.pool, XML_T('\0')))
 	return 0;
-      prefix = (PREFIX *)lookup(&dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX));
+      prefix = (PREFIX *)hashTableLookup(&dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX));
       if (!prefix)
 	return 0;
       if (prefix->name == poolStart(&dtd.pool))
@@ -2721,7 +2721,7 @@ getAttributeId(XML_Parser parser, const ENCODING *enc, const char *start, const
   if (!name)
     return 0;
   ++name;
-  id = (ATTRIBUTE_ID *)lookup(&dtd.attributeIds, name, sizeof(ATTRIBUTE_ID));
+  id = (ATTRIBUTE_ID *)hashTableLookup(&dtd.attributeIds, name, sizeof(ATTRIBUTE_ID));
   if (!id)
     return 0;
   if (id->name != name)
@@ -2739,7 +2739,7 @@ getAttributeId(XML_Parser parser, const ENCODING *enc, const char *start, const
       if (name[5] == '\0')
 	id->prefix = &dtd.defaultPrefix;
       else
-	id->prefix = (PREFIX *)lookup(&dtd.prefixes, name + 6, sizeof(PREFIX));
+	id->prefix = (PREFIX *)hashTableLookup(&dtd.prefixes, name + 6, sizeof(PREFIX));
       id->xmlns = 1;
     }
     else {
@@ -2753,7 +2753,7 @@ getAttributeId(XML_Parser parser, const ENCODING *enc, const char *start, const
 	  }
 	  if (!poolAppendChar(&dtd.pool, XML_T('\0')))
 	    return 0;
-	  id->prefix = (PREFIX *)lookup(&dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX));
+	  id->prefix = (PREFIX *)hashTableLookup(&dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX));
 	  if (id->prefix->name == poolStart(&dtd.pool))
 	    poolFinish(&dtd.pool);
 	  else
@@ -2846,7 +2846,7 @@ int setContext(XML_Parser parser, const XML_Char *context)
       ENTITY *e;
       if (!poolAppendChar(&tempPool, XML_T('\0')))
 	return 0;
-      e = (ENTITY *)lookup(&dtd.generalEntities, poolStart(&tempPool), 0);
+      e = (ENTITY *)hashTableLookup(&dtd.generalEntities, poolStart(&tempPool), 0);
       if (e)
 	e->open = 1;
       if (*s != XML_T('\0'))
@@ -2861,7 +2861,7 @@ int setContext(XML_Parser parser, const XML_Char *context)
       else {
 	if (!poolAppendChar(&tempPool, XML_T('\0')))
 	  return 0;
-	prefix = (PREFIX *)lookup(&dtd.prefixes, poolStart(&tempPool), sizeof(PREFIX));
+	prefix = (PREFIX *)hashTableLookup(&dtd.prefixes, poolStart(&tempPool), sizeof(PREFIX));
 	if (!prefix)
 	  return 0;
         if (prefix->name == poolStart(&tempPool))
@@ -2971,7 +2971,7 @@ static int dtdCopy(DTD *newDtd, const DTD *oldDtd)
     name = poolCopyString(&(newDtd->pool), oldP->name);
     if (!name)
       return 0;
-    if (!lookup(&(newDtd->prefixes), name, sizeof(PREFIX)))
+    if (!hashTableLookup(&(newDtd->prefixes), name, sizeof(PREFIX)))
       return 0;
   }
 
@@ -2993,7 +2993,7 @@ static int dtdCopy(DTD *newDtd, const DTD *oldDtd)
     if (!name)
       return 0;
     ++name;
-    newA = (ATTRIBUTE_ID *)lookup(&(newDtd->attributeIds), name, sizeof(ATTRIBUTE_ID));
+    newA = (ATTRIBUTE_ID *)hashTableLookup(&(newDtd->attributeIds), name, sizeof(ATTRIBUTE_ID));
     if (!newA)
       return 0;
     newA->maybeTokenized = oldA->maybeTokenized;
@@ -3002,7 +3002,7 @@ static int dtdCopy(DTD *newDtd, const DTD *oldDtd)
       if (oldA->prefix == &oldDtd->defaultPrefix)
 	newA->prefix = &newDtd->defaultPrefix;
       else
-	newA->prefix = (PREFIX *)lookup(&(newDtd->prefixes), oldA->prefix->name, 0);
+	newA->prefix = (PREFIX *)hashTableLookup(&(newDtd->prefixes), oldA->prefix->name, 0);
     }
   }
 
@@ -3020,7 +3020,7 @@ static int dtdCopy(DTD *newDtd, const DTD *oldDtd)
     name = poolCopyString(&(newDtd->pool), oldE->name);
     if (!name)
       return 0;
-    newE = (ELEMENT_TYPE *)lookup(&(newDtd->elementTypes), name, sizeof(ELEMENT_TYPE));
+    newE = (ELEMENT_TYPE *)hashTableLookup(&(newDtd->elementTypes), name, sizeof(ELEMENT_TYPE));
     if (!newE)
       return 0;
     if (oldE->nDefaultAtts) {
@@ -3030,9 +3030,9 @@ static int dtdCopy(DTD *newDtd, const DTD *oldDtd)
     }
     newE->allocDefaultAtts = newE->nDefaultAtts = oldE->nDefaultAtts;
     if (oldE->prefix)
-      newE->prefix = (PREFIX *)lookup(&(newDtd->prefixes), oldE->prefix->name, 0);
+      newE->prefix = (PREFIX *)hashTableLookup(&(newDtd->prefixes), oldE->prefix->name, 0);
     for (i = 0; i < newE->nDefaultAtts; i++) {
-      newE->defaultAtts[i].id = (ATTRIBUTE_ID *)lookup(&(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0);
+      newE->defaultAtts[i].id = (ATTRIBUTE_ID *)hashTableLookup(&(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0);
       newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata;
       if (oldE->defaultAtts[i].value) {
 	newE->defaultAtts[i].value = poolCopyString(&(newDtd->pool), oldE->defaultAtts[i].value);
@@ -3057,7 +3057,7 @@ static int dtdCopy(DTD *newDtd, const DTD *oldDtd)
     name = poolCopyString(&(newDtd->pool), oldE->name);
     if (!name)
       return 0;
-    newE = (ENTITY *)lookup(&(newDtd->generalEntities), name, sizeof(ENTITY));
+    newE = (ENTITY *)hashTableLookup(&(newDtd->generalEntities), name, sizeof(ENTITY));
     if (!newE)
       return 0;
     if (oldE->systemId) {
diff --git a/usr.sbin/httpd/src/main/alloc.c b/usr.sbin/httpd/src/main/alloc.c
index 8086df2a6db..e134c33bf37 100644
--- a/usr.sbin/httpd/src/main/alloc.c
+++ b/usr.sbin/httpd/src/main/alloc.c
@@ -624,7 +624,9 @@ void ap_init_alloc_shared(int early)
         mm_size = ap_mm_maxsize();
         if (mm_size > EAPI_MM_CORE_MAXSIZE)
             mm_size = EAPI_MM_CORE_MAXSIZE;
-        mm_path = ap_server_root_relative(permanent_pool, EAPI_MM_CORE_PATH);
+        mm_path = ap_server_root_relative(permanent_pool, 
+                  ap_psprintf(permanent_pool, "%s.%ld", 
+                              EAPI_MM_CORE_PATH, (long)getpid()));
         if ((mm = ap_mm_create(mm_size, mm_path)) == NULL) {
             fprintf(stderr, "Ouch! ap_mm_create(%d, \"%s\") failed\n", mm_size, mm_path);
             err1 = ap_mm_error();
@@ -634,7 +636,6 @@ void ap_init_alloc_shared(int early)
             if (err2 == NULL)
                 err2 = "-unknown-";
             fprintf(stderr, "Error: MM: %s: OS: %s\n", err1, err2);
-            abort();
             exit(1);
         }
     }
@@ -2225,7 +2226,7 @@ API_EXPORT(int) ap_pclosesocket(pool *a, int sock)
 
     ap_block_alarms();
     res = closesocket(sock);
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
     errno = WSAGetLastError();
 #endif /* WIN32 */
     save_errno = errno;
@@ -2305,7 +2306,7 @@ how) {
 #endif /* WIN32 */
 
 /* for ap_fdopen, to get binary mode */
-#if defined (OS2) || defined (WIN32)
+#if defined (OS2) || defined (WIN32) || defined (NETWARE)
 #define BINMODE	"b"
 #else
 #define BINMODE
@@ -2378,7 +2379,7 @@ static pid_t spawn_child_core(pool *p, int (*func) (void *, child_info *),
 	if (pipe_err) {
 	    hStdErr = dup(fileno(stderr));
 	    if(dup2(err_fds[1], fileno(stderr)))
-		ap_log_error(APLOG_MARK, APLOG_ERR, NULL, "dup2(stdin) failed");
+		ap_log_error(APLOG_MARK, APLOG_ERR, NULL, "dup2(stderr) failed");
 	    close(err_fds[1]);
 	}
 
@@ -2430,6 +2431,10 @@ static pid_t spawn_child_core(pool *p, int (*func) (void *, child_info *),
 	 */
 
     }
+#elif defined(NETWARE)
+     /* NetWare currently has no pipes yet. This will
+        be solved with the new libc for NetWare soon. */
+     pid = 0;
 #elif defined(OS2)
     {
         int save_in=-1, save_out=-1, save_err=-1;
@@ -2891,6 +2896,7 @@ static void free_proc_chain(struct process_chain *procs)
     for (p = procs; p; p = p->next) {
 	CloseHandle((HANDLE) p->pid);
     }
+#elif defined(NETWARE)
 #else
 #ifndef NEED_WAITPID
     /* Pick up all defunct processes */
diff --git a/usr.sbin/httpd/src/main/buff.c b/usr.sbin/httpd/src/main/buff.c
index 33555a75763..70b8ed08865 100644
--- a/usr.sbin/httpd/src/main/buff.c
+++ b/usr.sbin/httpd/src/main/buff.c
@@ -119,7 +119,7 @@
  * futher I/O will be done
  */
 
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
 
 /*
   select() sometimes returns 1 even though the write will block. We must work around this.
@@ -141,12 +141,13 @@ int sendwithtimeout(int sock, const char *buf, int len, int flags)
     if (!(tv.tv_sec = ap_check_alarm()))
 	return (send(sock, buf, len, flags));
 
-    rv = ioctlsocket(sock, FIONBIO, &iostate);
+    rv = ioctlsocket(sock, FIONBIO, (u_long*)&iostate);
     iostate = 0;
     if (rv) {
 	err = WSAGetLastError();
 	ap_assert(0);
     }
+
     rv = send(sock, buf, len, flags);
     if (rv == SOCKET_ERROR) {
 	err = WSAGetLastError();
@@ -161,27 +162,36 @@ int sendwithtimeout(int sock, const char *buf, int len, int flags)
 		if (rv == SOCKET_ERROR)
 		    err = WSAGetLastError();
 		else if (rv == 0) {
- 		    ioctlsocket(sock, FIONBIO, &iostate);
+ 		    ioctlsocket(sock, FIONBIO, (u_long*)&iostate);
 		    if(ap_check_alarm() < 0) {
 			WSASetLastError(EINTR);	/* Simulate an alarm() */
 			return (SOCKET_ERROR);
 		    }
-		}
+ 		}
 		else {
 		    rv = send(sock, buf, len, flags);
 		    if (rv == SOCKET_ERROR) {
 		        err = WSAGetLastError();
 			if(err == WSAEWOULDBLOCK) {
-			    ap_log_error(APLOG_MARK,APLOG_DEBUG,NULL,
-				"select claimed we could write, but in fact we couldn't. This is a bug in Windows.");
+			    
 			    retry=1;
+#ifdef NETWARE
+                            ap_log_error(APLOG_MARK,APLOG_DEBUG,NULL,
+                                         "select claimed we could write, but in fact we couldn't.");
+                            ThreadSwitchWithDelay();
+#else
+                            ap_log_error(APLOG_MARK,APLOG_DEBUG,NULL,
+                                         "select claimed we could write, but in fact we couldn't. This is a bug in Windows.");
 			    Sleep(100);
+#endif
 			}
 		    }
 		}
 	    } while(retry);
     }
-    ioctlsocket(sock, FIONBIO, &iostate);
+
+    ioctlsocket(sock, FIONBIO, (u_long*)&iostate);
+
     if (rv == SOCKET_ERROR)
 	WSASetLastError(err);
     return (rv);
@@ -202,9 +212,10 @@ int recvwithtimeout(int sock, char *buf, int len, int flags)
     if (!(tv.tv_sec = ap_check_alarm()))
 	return (recv(sock, buf, len, flags));
 
-    rv = ioctlsocket(sock, FIONBIO, &iostate);
+    rv = ioctlsocket(sock, FIONBIO, (u_long*)&iostate);
     iostate = 0;
     ap_assert(!rv);
+
     rv = recv(sock, buf, len, flags);
     if (rv == SOCKET_ERROR) {
 	err = WSAGetLastError();
@@ -216,7 +227,7 @@ int recvwithtimeout(int sock, char *buf, int len, int flags)
 	    if (rv == SOCKET_ERROR)
 		err = WSAGetLastError();
 	    else if (rv == 0) {
-		ioctlsocket(sock, FIONBIO, &iostate);
+		ioctlsocket(sock, FIONBIO, (u_long*)&iostate);
 		ap_check_alarm();
 		WSASetLastError(WSAEWOULDBLOCK);
 		return (SOCKET_ERROR);
@@ -228,7 +239,9 @@ int recvwithtimeout(int sock, char *buf, int len, int flags)
 	    }
 	}
     }
-    ioctlsocket(sock, FIONBIO, &iostate);
+
+    ioctlsocket(sock, FIONBIO, (u_long*)&iostate);
+
     if (rv == SOCKET_ERROR)
 	WSASetLastError(err);
     return (rv);
@@ -244,8 +257,10 @@ static int ap_read(BUFF *fb, void *buf, int nbyte)
     
 #ifdef WIN32
     if (fb->hFH != INVALID_HANDLE_VALUE) {
-        if (!ReadFile(fb->hFH,buf,nbyte,&rv,NULL))
+        if (!ReadFile(fb->hFH,buf,nbyte,&rv,NULL)) {
+            errno = GetLastError();
             rv = -1;
+        }
     }
     else
 #endif
@@ -261,7 +276,7 @@ static ap_inline int buff_read(BUFF *fb, void *buf, int nbyte)
 {
     int rv;
 
-#if defined (WIN32)
+#if defined (WIN32) || defined(NETWARE)
     if (fb->flags & B_SOCKET) {
 #ifdef EAPI
 	if (!ap_hook_call("ap::buff::recvwithtimeout", &rv, fb, buf, nbyte))
@@ -274,26 +289,25 @@ static ap_inline int buff_read(BUFF *fb, void *buf, int nbyte)
 	rv = ap_read(fb, buf, nbyte);
 #elif defined (BEOS)
     if (fb->flags & B_SOCKET) {
-    rv = recv(fb->fd_in, buf, nbyte, 0);
+        rv = recv(fb->fd_in, buf, nbyte, 0);
     } else
-    rv = ap_read(fb,buf,nbyte);
+        rv = ap_read(fb,buf,nbyte);
 #elif defined(TPF)
     fd_set fds;
     struct timeval tv;
 
     ap_check_signals();
     if (fb->flags & B_SOCKET) {
-        alarm(rv = alarm(0));
         FD_ZERO(&fds);
         FD_SET(fb->fd_in, &fds);
-        tv.tv_sec = rv+1;
+        tv.tv_sec = 1;
         tv.tv_usec = 0;
         rv = ap_select(fb->fd_in + 1, &fds, NULL, NULL, &tv);
         if (rv > 0)
             rv = ap_read(fb, buf, nbyte);
     }
     else
-    rv = ap_read(fb, buf, nbyte);
+        rv = ap_read(fb, buf, nbyte);
 #else
     rv = ap_read(fb, buf, nbyte);
 #endif /* WIN32 */
@@ -307,8 +321,10 @@ static int ap_write(BUFF *fb, const void *buf, int nbyte)
     
 #ifdef WIN32
     if (fb->hFH != INVALID_HANDLE_VALUE) {
-        if (!WriteFile(fb->hFH,buf,nbyte,&rv,NULL))
-          rv = -1;
+        if (!WriteFile(fb->hFH,buf,nbyte,&rv,NULL)) {
+            errno = GetLastError();
+            rv = -1;
+        }
     }
     else
 #endif
@@ -318,6 +334,17 @@ static int ap_write(BUFF *fb, const void *buf, int nbyte)
 #if defined (B_SFIO)
 	rv = sfwrite(fb->sf_out, buf, nbyte);
 #else
+#ifdef _OSD_POSIX
+        /* Sorry, but this is a hack: On BS2000, currently the send() call
+         * has slightly better performance, and it doesn't have a maximum
+	 * transfer size of 16kB per write. Both write() and writev()
+	 * currently have such a limit and therefore don't work
+	 * too well with MMAP files.
+	 */
+	if (fb->flags & B_SOCKET)
+	    rv = send(fb->fd, buf, nbyte, 0);
+	else
+#endif
 	rv = write(fb->fd, buf, nbyte);
 #endif
     
@@ -328,7 +355,7 @@ static ap_inline int buff_write(BUFF *fb, const void *buf, int nbyte)
 {
     int rv;
 
-#if defined(WIN32)
+#if defined(WIN32) || defined(NETWARE)
     if (fb->flags & B_SOCKET) {
 #ifdef EAPI
 	if (!ap_hook_call("ap::buff::sendwithtimeout", &rv, fb, buf, nbyte))
@@ -341,9 +368,9 @@ static ap_inline int buff_write(BUFF *fb, const void *buf, int nbyte)
 	rv = ap_write(fb, buf, nbyte);
 #elif defined(BEOS)
     if(fb->flags & B_SOCKET) {
-    rv = send(fb->fd, buf, nbyte, 0);
+        rv = send(fb->fd, buf, nbyte, 0);
     } else 
-    rv = ap_write(fb, buf,nbyte);
+        rv = ap_write(fb, buf,nbyte);
 #else
     rv = ap_write(fb, buf, nbyte);
 #endif /* WIN32 */
@@ -536,17 +563,19 @@ static void end_chunk(BUFF *fb)
 	*strp++ = ' ';
 	++i;
     }
-    *strp++ = '\015';
-    *strp = '\012';
+    *strp++ = CR;
+    *strp = LF;
+
+    /* tack on the trailing CRLF, we've reserved room for this */
+    fb->outbase[fb->outcnt++] = CR;
+    fb->outbase[fb->outcnt++] = LF;
+
 #ifdef CHARSET_EBCDIC
     /* Chunks are an HTTP/1.1 Protocol feature. They must ALWAYS be in ASCII */
     ebcdic2ascii(&fb->outbase[fb->outchunk], &fb->outbase[fb->outchunk], CHUNK_HEADER_SIZE);
+    ebcdic2ascii(&fb->outbase[fb->outcnt-2], &fb->outbase[fb->outcnt-2], 2);
 #endif /*CHARSET_EBCDIC*/
 
-    /* tack on the trailing CRLF, we've reserved room for this */
-    fb->outbase[fb->outcnt++] = '\015';
-    fb->outbase[fb->outcnt++] = '\012';
-
     fb->outchunk = -1;
 }
 
@@ -870,27 +899,15 @@ API_EXPORT(int) ap_bgets(char *buff, int n, BUFF *fb)
 	}
 
 	ch = fb->inptr[i++];
-#ifndef CHARSET_EBCDIC
-	if (ch == '\012') {	/* got LF */
-	    if (ct == 0)
-		buff[ct++] = '\n';
-/* if just preceeded by CR, replace CR with LF */
-	    else if (buff[ct - 1] == '\015')
-		buff[ct - 1] = '\n';
-	    else if (ct < n - 1)
-		buff[ct++] = '\n';
-	    else
-		i--;		/* no room for LF */
-	    break;
-	}
-#else /* an EBCDIC machine: do the same, but convert to EBCDIC on the fly: */
+#ifdef CHARSET_EBCDIC
 	if (fb->flags & B_ASCII2EBCDIC)
 	    ch = os_toebcdic[(unsigned char)ch];
-	if (ch == os_toebcdic['\012']) {  /* got LF */
+#endif
+	if (ch == LF) {  /* got LF */
 	    if (ct == 0)
 		buff[ct++] = '\n';
 /* if just preceeded by CR, replace CR with LF */
-	    else if (buff[ct - 1] == os_toebcdic['\015'])
+	    else if (buff[ct - 1] == CR)
 		buff[ct - 1] = '\n';
 	    else if (ct < n - 1)
 		buff[ct++] = '\n';
@@ -898,7 +915,6 @@ API_EXPORT(int) ap_bgets(char *buff, int n, BUFF *fb)
 		i--;		/* no room for LF */
 	    break;
 	}
-#endif
 	if (ct == n - 1) {
 	    i--;		/* push back ch */
 	    break;
@@ -1158,7 +1174,7 @@ static int bcwrite(BUFF *fb, const void *buf, int nbyte)
 #ifdef NO_WRITEV
     /* without writev() this has poor performance, too bad */
 
-    ap_snprintf(chunksize, sizeof(chunksize), "%x\015\012", nbyte);
+    ap_snprintf(chunksize, sizeof(chunksize), "%x" CRLF, nbyte);
 #ifdef CHARSET_EBCDIC
     /* Chunks are an HTTP/1.1 Protocol feature. They must ALWAYS be in ASCII */
     ebcdic2ascii(chunksize, chunksize, strlen(chunksize));
@@ -1167,12 +1183,12 @@ static int bcwrite(BUFF *fb, const void *buf, int nbyte)
 	return -1;
     if (write_it_all(fb, buf, nbyte) == -1)
 	return -1;
-    if (write_it_all(fb, "\015\012", 2) == -1)
+    if (write_it_all(fb, CRLF, 2) == -1)
 	return -1;
     return nbyte;
 #else
     vec[0].iov_base = chunksize;
-    vec[0].iov_len = ap_snprintf(chunksize, sizeof(chunksize), "%x\015\012",
+    vec[0].iov_len = ap_snprintf(chunksize, sizeof(chunksize), "%x" CRLF,
 				 nbyte);
 #ifdef CHARSET_EBCDIC
     /* Chunks are an HTTP/1.1 Protocol feature. They must ALWAYS be in ASCII */
@@ -1180,7 +1196,7 @@ static int bcwrite(BUFF *fb, const void *buf, int nbyte)
 #endif /*CHARSET_EBCDIC*/
     vec[1].iov_base = (void *) buf;	/* cast is to avoid const warning */
     vec[1].iov_len = nbyte;
-    vec[2].iov_base = "\015\012";
+    vec[2].iov_base = CRLF;
     vec[2].iov_len = 2;
 
     return writev_it_all(fb, vec, (sizeof(vec) / sizeof(vec[0]))) ? -1 : nbyte;
@@ -1212,7 +1228,7 @@ static int large_write(BUFF *fb, const void *buf, int nbyte)
     if (fb->flags & B_CHUNK) {
 	vec[nvec].iov_base = chunksize;
 	vec[nvec].iov_len = ap_snprintf(chunksize, sizeof(chunksize),
-					"%x\015\012", nbyte);
+					"%x" CRLF, nbyte);
 #ifdef CHARSET_EBCDIC
     /* Chunks are an HTTP/1.1 Protocol feature. They must ALWAYS be in ASCII */
 	ebcdic2ascii(chunksize, chunksize, strlen(chunksize));
@@ -1221,7 +1237,7 @@ static int large_write(BUFF *fb, const void *buf, int nbyte)
 	vec[nvec].iov_base = (void *) buf;
 	vec[nvec].iov_len = nbyte;
 	++nvec;
-	vec[nvec].iov_base = "\015\012";
+	vec[nvec].iov_base = CRLF;
 	vec[nvec].iov_len = 2;
 	++nvec;
     }
@@ -1458,7 +1474,7 @@ API_EXPORT(int) ap_bclose(BUFF *fb)
 	rc1 = ap_bflush(fb);
     else
 	rc1 = 0;
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
     if (fb->flags & B_SOCKET) {
 	rc2 = ap_pclosesocket(fb->pool, fb->fd);
 	if (fb->fd_in != fb->fd) {
@@ -1468,10 +1484,12 @@ API_EXPORT(int) ap_bclose(BUFF *fb)
 	    rc3 = 0;
 	}
     }
+#ifndef NETWARE
     else if (fb->hFH != INVALID_HANDLE_VALUE) {
-	    rc2 = ap_pcloseh(fb->pool, fb->hFH);
-	    rc3 = 0;
+        rc2 = ap_pcloseh(fb->pool, fb->hFH);
+        rc3 = 0;
     }
+#endif
     else {
 #elif defined(BEOS)
     if (fb->flags & B_SOCKET) {
@@ -1491,7 +1509,7 @@ API_EXPORT(int) ap_bclose(BUFF *fb)
 	else {
 	    rc3 = 0;
 	}
-#if defined(WIN32) || defined (BEOS)
+#if defined(WIN32) || defined (BEOS) || defined(NETWARE)
     }
 #endif
 
diff --git a/usr.sbin/httpd/src/main/http_config.c b/usr.sbin/httpd/src/main/http_config.c
index 8525b841103..13f12217b15 100644
--- a/usr.sbin/httpd/src/main/http_config.c
+++ b/usr.sbin/httpd/src/main/http_config.c
@@ -512,11 +512,6 @@ int ap_invoke_handler(request_rec *r)
         }
     }
 
-    if (result == HTTP_INTERNAL_SERVER_ERROR && r->handler) {
-        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r,
-            "handler \"%s\" not found for: %s", r->handler, r->filename);
-    }
-
     /* Pass two --- wildcard matches */
 
     for (handp = wildhandlers; handp->hr.content_type; ++handp) {
@@ -529,6 +524,10 @@ int ap_invoke_handler(request_rec *r)
          }
     }
 
+    if (result == HTTP_INTERNAL_SERVER_ERROR && r->handler && r->filename) {
+        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r,
+            "handler \"%s\" not found for: %s", r->handler, r->filename);
+    }
     return HTTP_INTERNAL_SERVER_ERROR;
 }
 
@@ -728,6 +727,7 @@ void ap_setup_prelinked_modules()
         sizeof(module *)*(total_modules+DYNAMIC_MODULE_LIMIT+1));
     if (ap_loaded_modules == NULL) {
 	fprintf(stderr, "Ouch!  Out of memory in ap_setup_prelinked_modules()!\n");
+	exit(1);
     }
     for (m = ap_preloaded_modules, m2 = ap_loaded_modules; *m != NULL; )
         *m2++ = *m++;
@@ -910,7 +910,7 @@ static const char *invoke_cmd(const command_rec *cmd, cmd_parms *parms,
 	w2 = *args ? ap_getword_conf(parms->pool, &args) : NULL;
 	w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL;
 
-	if (*w == '\0' || (*w2 && !w3) || *args != 0)
+	if (*w == '\0' || (w2 && *w2 && !w3) || *args != 0)
 	    return ap_pstrcat(parms->pool, cmd->name,
 			    " takes one or three arguments",
 			    cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
@@ -1694,6 +1694,11 @@ void ap_show_modules()
     int n;
 
     printf("Compiled-in modules:\n");
-    for (n = 0; ap_loaded_modules[n]; ++n)
+    for (n = 0; ap_loaded_modules[n]; ++n) {
 	printf("  %s\n", ap_loaded_modules[n]->name);
+    }
+    printf("suexec: %s\n",
+	   ap_suexec_enabled
+	       ? "enabled; valid wrapper " SUEXEC_BIN
+	       : "disabled; invalid wrapper " SUEXEC_BIN);
 }
diff --git a/usr.sbin/httpd/src/main/http_core.c b/usr.sbin/httpd/src/main/http_core.c
index e02d32ec5f4..8c11f1771f8 100644
--- a/usr.sbin/httpd/src/main/http_core.c
+++ b/usr.sbin/httpd/src/main/http_core.c
@@ -2171,6 +2171,8 @@ static const char *set_daemons_to_start(cmd_parms *cmd, void *dummy, char *arg)
 {
 #ifdef WIN32
     fprintf(stderr, "WARNING: StartServers has no effect on Win32\n");
+#elif defined(NETWARE)
+    fprintf(stderr, "WARNING: StartServers has no effect on NetWare\n");
 #else
     const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
     if (err != NULL) {
@@ -2390,12 +2392,25 @@ static const char *set_bind_address(cmd_parms *cmd, void *dummy, char *arg)
     return NULL;
 }
 
+#ifdef NETWARE
+static const char *set_threadstacksize(cmd_parms *cmd, void *dummy, char *stacksize)
+{
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err != NULL) {
+        return err;
+    }
+    
+    ap_thread_stack_size = atoi(stacksize);    
+    return NULL;
+}
+#endif
+
 static const char *set_listener(cmd_parms *cmd, void *dummy, char *ips)
 {
     listen_rec *new;
     char *ports;
     unsigned short port;
-
+    
     const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
     if (err != NULL) {
         return err;
@@ -2842,7 +2857,7 @@ static const command_rec core_cmds[] = {
 { "ContentDigest", set_content_md5, NULL, OR_OPTIONS,
   FLAG, "whether or not to send a Content-MD5 header with each request" },
 { "UseCanonicalName", set_use_canonical_name, NULL,
-  RSRC_CONF, TAKE1,
+  RSRC_CONF|ACCESS_CONF, TAKE1,
   "How to work out the ServerName : Port when constructing URLs" },
 { "StartServers", set_daemons_to_start, NULL, RSRC_CONF, TAKE1,
   "Number of child processes launched at server startup" },
@@ -2881,6 +2896,10 @@ static const command_rec core_cmds[] = {
    OR_ALL, TAKE12, "soft/hard limits for max number of processes per uid" },
 { "BindAddress", set_bind_address, NULL, RSRC_CONF, TAKE1,
   "'*', a numeric IP address, or the name of a host with a unique IP address"},
+#ifdef NETWARE
+{ "ThreadStackSize", set_threadstacksize, NULL, RSRC_CONF, TAKE1,
+  "Stack size each created thread will use."},
+#endif
 { "Listen", set_listener, NULL, RSRC_CONF, TAKE1,
   "A port number or a numeric IP address and a port number"},
 { "SendBufferSize", set_send_buffer_size, NULL, RSRC_CONF, TAKE1,
@@ -2937,7 +2956,7 @@ static int core_translate(request_rec *r)
     void *sconf = r->server->module_config;
     core_server_config *conf = ap_get_module_config(sconf, &core_module);
   
-    if (r->proxyreq) {
+    if (r->proxyreq != NOT_PROXY) {
         return HTTP_FORBIDDEN;
     }
     if ((r->uri[0] != '/') && strcmp(r->uri, "*")) {
@@ -3037,23 +3056,17 @@ static int default_handler(request_rec *r)
     }
 
     if (r->finfo.st_mode == 0 || (r->path_info && *r->path_info)) {
-	char *emsg;
-
-	emsg = "File does not exist: ";
-	if (r->path_info == NULL) {
-	    emsg = ap_pstrcat(r->pool, emsg, r->filename, NULL);
-	}
-	else {
-	    emsg = ap_pstrcat(r->pool, emsg, r->filename, r->path_info, NULL);
-	}
-	ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, "%s", emsg);
+	ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r,
+		      "File does not exist: %s",r->path_info ?
+		      ap_pstrcat(r->pool, r->filename, r->path_info, NULL)
+		      : r->filename);
 	return HTTP_NOT_FOUND;
     }
     if (r->method_number != M_GET) {
         return METHOD_NOT_ALLOWED;
     }
 	
-#if defined(OS2) || defined(WIN32)
+#if defined(OS2) || defined(WIN32) || defined(NETWARE)
     /* Need binary mode for OS/2 */
     f = ap_pfopen(r->pool, r->filename, "rb");
 #else
@@ -3075,6 +3088,19 @@ static int default_handler(request_rec *r)
         return errstatus;
     }
 
+#ifdef CHARSET_EBCDIC
+    /* To make serving of "raw ASCII text" files easy (they serve faster
+     * since they don't have to be converted from EBCDIC), a new
+     * "magic" type prefix was invented: text/x-ascii-{plain,html,...}
+     * If we detect one of these content types here, we simply correct
+     * the type to the real text/{plain,html,...} type. Otherwise, we
+     * set a flag that translation is required later on.
+     *
+     * Note: convert_flag is not used in the MMAP path;
+     * ap_checkconv() sets a request_req flag based on content_type
+     */ 
+    convert_flag = ap_checkconv(r);
+#endif
 #ifdef USE_MMAP_FILES
     ap_block_alarms();
     if ((r->finfo.st_size >= MMAP_THRESHOLD)
@@ -3098,14 +3124,6 @@ static int default_handler(request_rec *r)
 #endif
 
 #ifdef CHARSET_EBCDIC
-	/* To make serving of "raw ASCII text" files easy (they serve faster
-	 * since they don't have to be converted from EBCDIC), a new
-	 * "magic" type prefix was invented: text/x-ascii-{plain,html,...}
-	 * If we detect one of these content types here, we simply correct
-	 * the type to the real text/{plain,html,...} type. Otherwise, we
-	 * set a flag that translation is required later on.
-	 */
-	convert_flag = ap_checkconv(r);
 	if (d->content_md5 & 1) {
 	    ap_table_setn(r->headers_out, "Content-MD5",
 			  ap_md5digest(r->pool, f, convert_flag));
diff --git a/usr.sbin/httpd/src/main/http_log.c b/usr.sbin/httpd/src/main/http_log.c
index 7a1e0ea5d0c..a4927bfb113 100644
--- a/usr.sbin/httpd/src/main/http_log.c
+++ b/usr.sbin/httpd/src/main/http_log.c
@@ -168,7 +168,10 @@ static int error_log_child(void *cmd, child_info *pinfo)
     /* No concept of a child process on Win32 */
     signal(SIGHUP, SIG_IGN);
 #endif /* ndef SIGHUP */
-#if defined(WIN32)
+#if defined(NETWARE)
+    child_pid = spawnlp(P_NOWAIT, SHELL_PATH, (char *)cmd);
+    return(child_pid);
+#elif defined(WIN32)
     child_pid = spawnl(_P_NOWAIT, SHELL_PATH, SHELL_PATH, "/c", (char *)cmd, NULL);
     return(child_pid);
 #elif defined(OS2)
@@ -407,7 +410,7 @@ static void log_error_core(const char *file, int line, int level,
 	    FORMAT_MESSAGE_FROM_SYSTEM,
 	    NULL,
 	    nErrorCode,
-	    MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
+	    MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
 	    (LPTSTR) errstr + len,
 	    sizeof(errstr) - len,
 	    NULL 
@@ -570,6 +573,7 @@ API_EXPORT(void) ap_log_assert(const char *szExp, const char *szFile, int nLine)
 
 /* piped log support */
 
+#ifndef NO_PIPED_LOGS
 #ifndef NO_RELIABLE_PIPED_LOGS
 /* forward declaration */
 static void piped_log_maintenance(int reason, void *data, ap_wait_t status);
@@ -725,7 +729,10 @@ static int piped_log_child(void *cmd, child_info *pinfo)
 #ifdef SIGHUP
     signal(SIGHUP, SIG_IGN);
 #endif
-#if defined(WIN32)
+#if defined(NETWARE)
+    child_pid = spawnlp(P_NOWAIT, SHELL_PATH, (char *)cmd);
+    return(child_pid);
+#elif defined(WIN32)
     child_pid = spawnl(_P_NOWAIT, SHELL_PATH, SHELL_PATH, "/c", (char *)cmd, NULL);
     return(child_pid);
 #elif defined(OS2)
@@ -746,18 +753,8 @@ API_EXPORT(piped_log *) ap_open_piped_log(pool *p, const char *program)
 {
     piped_log *pl;
     FILE *dummy;
-#ifdef TPF
-    TPF_FORK_CHILD cld;
-    cld.filename = (char *)program;
-    cld.subprocess_env = NULL;
-    cld.prog_type = FORK_NAME;
-
-    if (!ap_spawn_child (p, NULL, &cld,
-      kill_after_timeout, &dummy, NULL, NULL)){
-#else
     if (!ap_spawn_child(p, piped_log_child, (void *)program,
 			kill_after_timeout, &dummy, NULL, NULL)) {
-#endif /* TPF */
 	perror("ap_spawn_child");
 	fprintf(stderr, "Couldn't fork child for piped log process\n");
 	exit (1);
@@ -775,3 +772,4 @@ API_EXPORT(void) ap_close_piped_log(piped_log *pl)
     ap_pfclose(pl->p, pl->write_f);
 }
 #endif
+#endif
diff --git a/usr.sbin/httpd/src/main/http_main.c b/usr.sbin/httpd/src/main/http_main.c
index 469b3ebd8d9..839f3c60f04 100644
--- a/usr.sbin/httpd/src/main/http_main.c
+++ b/usr.sbin/httpd/src/main/http_main.c
@@ -116,10 +116,9 @@ int ap_main(int argc, char *argv[]);
 #endif
 #ifdef WIN32
 #include "../os/win32/getopt.h"
-#elif !defined(BEOS) && !defined(TPF)
+#elif !defined(BEOS) && !defined(TPF) && !defined(NETWARE) && !defined(OS390)
 #include <netinet/tcp.h>
 #endif
-
 #ifdef HAVE_BSTRING_H
 #include <bstring.h>		/* for IRIX, FD_SET calls bzero() */
 #endif
@@ -228,7 +227,12 @@ void *ap_dummy_mutex = &ap_dummy_mutex;
  * Actual definitions of config globals... here because this is
  * for the most part the only code that acts on 'em.  (Hmmm... mod_main.c?)
  */
-
+ 
+#ifdef NETWARE
+int ap_thread_count = 0;
+BOOL ap_main_finished = FALSE;
+unsigned int ap_thread_stack_size = 65536;
+#endif
 int ap_standalone=0;
 int ap_configtestonly=0;
 int ap_docrootcheck=1;
@@ -297,11 +301,15 @@ array_header *ap_server_config_defines;
 /* *Non*-shared http_main globals... */
 
 static server_rec *server_conf;
+#ifndef NETWARE
 static JMP_BUF APACHE_TLS jmpbuffer;
+#endif
 static int sd;
 static fd_set listenfds;
 static int listenmaxfd;
+#ifndef NETWARE
 static pid_t pgrp;
+#endif
 
 /* one_process --- debugging mode variable; can be set from the command line
  * with the -X flag.  If set, this gets you the child_main loop running
@@ -319,7 +327,9 @@ static int one_process = 0;
 /* set if timeouts are to be handled by the children and not by the parent.
  * i.e. child_timeouts = !standalone || one_process.
  */
+#ifndef NETWARE
 static int child_timeouts;
+#endif
 
 #ifdef DEBUG_SIGSTOP
 int raise_sigstop_flags;
@@ -345,7 +355,9 @@ static pool *ptrans;		/* Pool for per-transaction stuff */
 static pool *pchild;		/* Pool for httpd child stuff */
 static pool *pcommands;	/* Pool for -C and -c switches */
 
+#ifndef NETWARE
 static int APACHE_TLS my_pid;	/* it seems silly to call getpid all the time */
+#endif
 #ifndef MULTITHREAD
 static int my_child_num;
 #endif
@@ -453,7 +465,9 @@ static void ap_call_close_connection_hook(conn_rec *c)
 }
 #endif /* EAPI */
 
+#ifndef NETWARE
 static APACHE_TLS int volatile exit_after_unblock = 0;
+#endif
 
 #ifdef GPROF
 /* 
@@ -1090,9 +1104,42 @@ static void usage(char *bin)
     fprintf(stderr, "  -i               : install an Apache service\n");
     fprintf(stderr, "  -u               : uninstall an Apache service\n");
 #endif
+
+#ifdef NETWARE
+    clean_parent_exit(0);
+#else
     exit(1);
+#endif
 }
 
+
+
+#ifdef NETWARE
+/* Thread Storage Data */
+typedef struct _TSD {
+    conn_rec*		current_conn;
+    int 			alarms_blocked;
+    int				alarm_pending;
+    request_rec*	timeout_req;
+    char*			timeout_name;
+    JMP_BUF			jmpbuffer;
+    int				exit_after_unblock;
+    void 			(*alarm_fn) (int);
+    unsigned int 	alarm_expiry_time;
+} TSD;
+
+#define get_tsd            TSD* tsd = (TSD*) GetThreadDataAreaPtr();
+#define current_conn       tsd->current_conn
+#define alarms_blocked     tsd->alarms_blocked
+#define alarm_pending      tsd->alarm_pending
+#define timeout_req        tsd->timeout_req
+#define timeout_name       tsd->timeout_name
+#define jmpbuffer          tsd->jmpbuffer
+#define exit_after_unblock tsd->exit_after_unblock
+#define alarm_fn           tsd->alarm_fn
+#define alarm_expiry_time  tsd->alarm_expiry_time
+
+#else
 /*****************************************************************
  *
  * Timeout handling.  DISTINCTLY not thread-safe, but all this stuff
@@ -1105,11 +1152,15 @@ static APACHE_TLS request_rec *volatile timeout_req;
 static APACHE_TLS const char *volatile timeout_name = NULL;
 static APACHE_TLS int volatile alarms_blocked = 0;
 static APACHE_TLS int volatile alarm_pending = 0;
+#endif
+
 
 static void timeout(int sig)
 {
     void *dirconf;
-
+#ifdef NETWARE
+    get_tsd
+#endif    
     if (alarms_blocked) {
 	alarm_pending = 1;
 	return;
@@ -1137,7 +1188,6 @@ static void timeout(int sig)
 	/* Someone has asked for this transaction to just be aborted
 	 * if it times out...
 	 */
-
 	request_rec *log_req = timeout_req;
 	request_rec *save_req = timeout_req;
 
@@ -1147,6 +1197,9 @@ static void timeout(int sig)
 	timeout_req = NULL;
 
 	while (log_req->main || log_req->prev) {
+#ifdef NETWARE
+            ThreadSwitch();
+#endif
 	    /* Get back to original request... */
 	    if (log_req->main)
 		log_req = log_req->main;
@@ -1157,7 +1210,7 @@ static void timeout(int sig)
 	if (!current_conn->keptalive) {
 	    /* in some cases we come here before setting the time */
 	    if (log_req->request_time == 0) {
-	      log_req->request_time = time(0);
+                log_req->request_time = time(0);
 	    }
 	    ap_log_transaction(log_req);
 	}
@@ -1168,11 +1221,10 @@ static void timeout(int sig)
 
 	ap_bsetflag(save_req->connection->client, B_EOUT, 1);
 	ap_bclose(save_req->connection->client);
-
+	
 	if (!ap_standalone)
 	    exit(0);
-
-	ap_longjmp(jmpbuffer, 1);
+        ap_longjmp(jmpbuffer, 1);
     }
     else {			/* abort the connection */
 #ifdef EAPI
@@ -1184,6 +1236,7 @@ static void timeout(int sig)
     }
 }
 
+
 #ifndef TPF
 /*
  * These two called from alloc.c to protect its critical sections...
@@ -1193,11 +1246,17 @@ static void timeout(int sig)
 
 API_EXPORT(void) ap_block_alarms(void)
 {
+#ifdef NETWARE
+    get_tsd
+#endif
     ++alarms_blocked;
 }
 
 API_EXPORT(void) ap_unblock_alarms(void)
 {
+#ifdef NETWARE
+    get_tsd
+#endif
     --alarms_blocked;
     if (alarms_blocked == 0) {
 	if (exit_after_unblock) {
@@ -1220,12 +1279,14 @@ API_EXPORT(void) ap_unblock_alarms(void)
 }
 #endif /* TPF */
 
+#ifndef NETWARE
 static APACHE_TLS void (*volatile alarm_fn) (int) = NULL;
+#endif
 #ifdef WIN32
 static APACHE_TLS unsigned int alarm_expiry_time = 0;
 #endif /* WIN32 */
 
-#ifndef WIN32
+#if !defined(WIN32)  && !defined(NETWARE)
 static void alrm_handler(int sig)
 {
     if (alarm_fn) {
@@ -1242,8 +1303,12 @@ unsigned int ap_set_callback_and_alarm(void (*fn) (int), int x)
 {
     unsigned int old;
 
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
+#ifdef NETWARE
+    get_tsd
+#endif
     old = alarm_expiry_time;
+
     if (old)
 	old -= time(0);
     if (x == 0) {
@@ -1281,9 +1346,12 @@ unsigned int ap_set_callback_and_alarm(void (*fn) (int), int x)
 }
 
 
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
 API_EXPORT(int) ap_check_alarm(void)
 {
+#ifdef NETWARE
+    get_tsd
+#endif
     if (alarm_expiry_time) {
 	unsigned int t;
 
@@ -1311,7 +1379,9 @@ API_EXPORT(int) ap_check_alarm(void)
 API_EXPORT(void) ap_reset_timeout(request_rec *r)
 {
     int i;
-
+#ifdef NETWARE
+    get_tsd
+#endif
     if (timeout_name) {		/* timeout has been set */
 	i = ap_set_callback_and_alarm(alarm_fn, r->server->timeout);
 	if (i == 0)		/* timeout already expired, so set it back to 0 */
@@ -1325,37 +1395,42 @@ API_EXPORT(void) ap_reset_timeout(request_rec *r)
 void ap_keepalive_timeout(char *name, request_rec *r)
 {
     unsigned int to;
-
+#ifdef NETWARE
+    get_tsd
+#endif
     timeout_req = r;
     timeout_name = name;
-
     if (r->connection->keptalive)
 	to = r->server->keep_alive_timeout;
     else
 	to = r->server->timeout;
     ap_set_callback_and_alarm(timeout, to);
-
 }
 
 API_EXPORT(void) ap_hard_timeout(char *name, request_rec *r)
 {
+#ifdef NETWARE
+    get_tsd
+#endif
     timeout_req = r;
     timeout_name = name;
-
     ap_set_callback_and_alarm(timeout, r->server->timeout);
-
 }
 
 API_EXPORT(void) ap_soft_timeout(char *name, request_rec *r)
 {
+#ifdef NETWARE
+    get_tsd
+#endif
     timeout_name = name;
-
     ap_set_callback_and_alarm(timeout, r->server->timeout);
-
 }
 
 API_EXPORT(void) ap_kill_timeout(request_rec *dummy)
 {
+#ifdef NETWARE
+    get_tsd
+#endif
     ap_check_signals();
     ap_set_callback_and_alarm(NULL, 0);
     timeout_req = NULL;
@@ -1415,6 +1490,9 @@ static void sock_enable_linger(int s)
 
 static void lingerout(int sig)
 {
+#ifdef NETWARE
+    get_tsd
+#endif
     if (alarms_blocked) {
 	alarm_pending = 1;
 	return;
@@ -1429,8 +1507,10 @@ static void lingerout(int sig)
 
 static void linger_timeout(void)
 {
+#ifdef NETWARE
+    get_tsd
+#endif
     timeout_name = "lingering close";
-
     ap_set_callback_and_alarm(lingerout, MAX_SECS_TO_LINGER);
 }
 
@@ -1497,6 +1577,10 @@ static void lingering_close(request_rec *r)
 	 * These parameters are reset on each pass, since they might be
 	 * changed by select.
 	 */
+#ifdef NETWARE
+        ThreadSwitch();
+#endif
+
 	FD_SET(lsd, &lfds);
 	tv.tv_sec = 2;
 	tv.tv_usec = 0;
@@ -1922,7 +2006,7 @@ static void setup_shared_mem(pool *p)
 	}
 #endif
 	ap_log_error(APLOG_MARK, APLOG_EMERG, server_conf,
-		    "could not call shmget");
+                     "could not call shmget");
 	exit(APEXIT_INIT);
     }
 
@@ -2154,6 +2238,10 @@ static ap_inline void put_scoreboard_info(int child_num,
 static void clean_parent_exit(int code) __attribute__((noreturn));
 static void clean_parent_exit(int code)
 {
+#ifdef NETWARE
+    AMCSocketCleanup();
+    ap_main_finished = TRUE;
+#endif
     /* Clear the pool - including any registered cleanups */
     ap_destroy_pool(pglobal);
 #ifdef EAPI
@@ -2176,6 +2264,10 @@ int ap_update_child_status(int child_num, int status, request_rec *r)
     ss = &ap_scoreboard_image->servers[child_num];
     old_status = ss->status;
     ss->status = status;
+#ifdef NETWARE
+    ap_scoreboard_image->parent[child_num].pid = GetThreadID();
+#endif
+
 #ifdef OPTIMIZE_TIMEOUTS
     ++ss->cur_vtime;
 #endif
@@ -2333,7 +2425,7 @@ static void reclaim_child_processes(int terminate)
 
     ap_sync_scoreboard_image();
 
-    for (tries = terminate ? 4 : 1; tries <= 9; ++tries) {
+    for (tries = terminate ? 4 : 1; tries <= 12; ++tries) {
 	/* don't want to hold up progress any more than 
 	 * necessary, but we need to allow children a few moments to exit.
 	 * Set delay with an exponential backoff.
@@ -2388,8 +2480,13 @@ static void reclaim_child_processes(int terminate)
 		   "child process %d still did not exit, sending a SIGKILL",
 			    pid);
 		kill(pid, SIGKILL);
+		waittime = 1024 * 16; /* give them some time to die */
+		break;
+	    case 9:     /*   6 sec */
+	    case 10:    /* 6.1 sec */
+	    case 11:    /* 6.4 sec */
 		break;
-	    case 9:     /* 14 sec */
+	    case 12:    /* 7.4 sec */
 		/* gave it our best shot, but alas...  If this really 
 		 * is a child we are trying to kill and it really hasn't
 		 * exited, we will likely fail to bind to the port
@@ -2495,6 +2592,30 @@ static int wait_or_timeout(ap_wait_t *status)
 	}
     }
     return (-1);
+#elif defined(NETWARE)
+    struct timeval tv;
+    int ret = 0;
+
+    ++wait_or_timeout_counter;
+    if (wait_or_timeout_counter == INTERVAL_OF_WRITABLE_PROBES) {
+	    wait_or_timeout_counter = 0;
+#ifndef NO_OTHER_CHILD
+	    probe_writable_fds();
+#endif
+    }
+
+    if (ret == -1 && errno == EINTR) {
+	    return -1;
+    }
+
+    if (ret > 0) {
+	    return ret;
+    }
+    
+    tv.tv_sec = SCOREBOARD_MAINTENANCE_INTERVAL / 1000000;
+    tv.tv_usec = SCOREBOARD_MAINTENANCE_INTERVAL % 1000000;
+    ap_select(0, NULL, NULL, NULL, &tv);
+    return -1;
 
 #else /* WIN32 */
     struct timeval tv;
@@ -2664,7 +2785,7 @@ static void sig_coredump(int sig)
 {
     chdir(ap_coredump_dir);
     signal(sig, SIG_DFL);
-#ifndef WIN32
+#if !defined(WIN32) && !defined(NETWARE)
     kill(getpid(), sig);
 #else
     raise(sig);
@@ -2686,6 +2807,9 @@ static void just_die(int sig)
 {				/* SIGHUP to child process??? */
     /* if alarms are blocked we have to wait to die otherwise we might
      * end up with corruption in alloc.c's internal structures */
+#ifdef NETWARE
+    get_tsd
+#endif
     if (alarms_blocked) {
 	exit_after_unblock = 1;
     }
@@ -2836,7 +2960,7 @@ static void sig_term(int sig)
 
 static void restart(int sig)
 {
-#ifndef WIN32
+#if !defined (WIN32) && !defined(NETWARE)
     ap_start_restart(sig == SIGUSR1);
 #else
     ap_start_restart(1);
@@ -2931,8 +3055,9 @@ static void set_signals(void)
 	signal(SIGXFSZ, SIG_DFL);
 #endif /* SIGXFSZ */
     }
-
+#ifndef NETWARE
     signal(SIGTERM, sig_term);
+#endif
 #ifdef SIGHUP
     signal(SIGHUP, restart);
 #endif /* SIGHUP */
@@ -2953,7 +3078,7 @@ static void set_signals(void)
 
 static void detach(void)
 {
-#if !defined(WIN32)
+#if !defined(WIN32) && !defined(NETWARE)
     int x;
 
     chdir("/");
@@ -3025,7 +3150,7 @@ static void detach(void)
 
 static void set_group_privs(void)
 {
-#ifndef WIN32
+#if !defined(WIN32) && !defined(NETWARE)
     if (!geteuid()) {
 	char *name;
 
@@ -3085,17 +3210,19 @@ static void set_group_privs(void)
 /* check to see if we have the 'suexec' setuid wrapper installed */
 static int init_suexec(void)
 {
+    int result = 0;
+
 #ifndef WIN32
     struct stat wrapper;
 
-    if ((stat(SUEXEC_BIN, &wrapper)) != 0)
-	return (ap_suexec_enabled);
-
-    if ((wrapper.st_mode & S_ISUID) && wrapper.st_uid == 0) {
-	ap_suexec_enabled = 1;
+    if ((stat(SUEXEC_BIN, &wrapper)) != 0) {
+	result = 0;
+    }
+    else if ((wrapper.st_mode & S_ISUID) && (wrapper.st_uid == 0)) {
+	result = 1;
     }
 #endif /* ndef WIN32 */
-    return (ap_suexec_enabled);
+    return result;
 }
 
 /*****************************************************************
@@ -3166,6 +3293,9 @@ static void sock_disable_nagle(int s)
 
     if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, (char *) &just_say_no,
 		   sizeof(int)) < 0) {
+#ifdef NETWARE
+        errno = WSAGetLastError();
+#endif
 	ap_log_error(APLOG_MARK, APLOG_WARNING, server_conf,
 		    "setsockopt: (TCP_NODELAY)");
     }
@@ -3175,7 +3305,6 @@ static void sock_disable_nagle(int s)
 #define sock_disable_nagle(s)	/* NOOP */
 #endif
 
-
 static int make_sock(pool *p, const struct sockaddr_in *server)
 {
     int s;
@@ -3191,10 +3320,11 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
     /* note that because we're about to slack we don't use psocket */
     ap_block_alarms();
     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
-	ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf,
+	    ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf,
 		    "make_sock: failed to get a socket for %s", addr);
-	ap_unblock_alarms();
-	exit(1);
+
+	    ap_unblock_alarms();
+	    exit(1);
     }
 
     /* Solaris (probably versions 2.4, 2.5, and 2.5.1 with various levels
@@ -3227,8 +3357,6 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
 #endif /* TPF */
 #endif
 
-#ifndef MPE
-/* MPE does not support SO_REUSEADDR and SO_KEEPALIVE */
 #ifndef _OSD_POSIX
     if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(int)) < 0) {
 	ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf,
@@ -3243,7 +3371,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
     }
 #endif /*_OSD_POSIX*/
     one = 1;
-#ifdef SO_KEEPALIVE
+#if defined(SO_KEEPALIVE) && !defined(MPE)
     if (setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *) &one, sizeof(int)) < 0) {
 	ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf,
 		    "make_sock: for %s, setsockopt: (SO_KEEPALIVE)", addr);
@@ -3257,7 +3385,6 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
 	return -1;
     }
 #endif
-#endif
 
     sock_disable_nagle(s);
     sock_enable_linger(s);
@@ -3384,10 +3511,15 @@ static void copy_listeners(pool *p)
     lr = ap_listeners;
     do {
 	listen_rec *nr = malloc(sizeof *nr);
-	if (nr == NULL) {
-	    fprintf(stderr, "Ouch!  malloc failed in copy_listeners()\n");
-	    exit(1);
-	}
+
+#ifdef NETWARE
+        ThreadSwitch();
+#endif
+	
+        if (nr == NULL) {
+            fprintf(stderr, "Ouch!  malloc failed in copy_listeners()\n");
+            exit(1);
+        }
 	*nr = *lr;
 	ap_kill_cleanups_for_socket(p, nr->fd);
 	nr->next = old_listeners;
@@ -3438,7 +3570,7 @@ static void setup_listeners(pool *p)
     for (;;) {
 	fd = find_listener(lr);
 	if (fd < 0) {
-	    fd = make_sock(p, &lr->local_addr);
+        fd = make_sock(p, &lr->local_addr);
 	}
 	else {
 	    ap_note_cleanups_for_socket(p, fd);
@@ -3482,6 +3614,9 @@ static ap_inline listen_rec *find_ready_listener(fd_set * main_fds)
 
     lr = head_listener;
     do {
+#ifdef NETWARE
+	ThreadSwitch();
+#endif
 	if (FD_ISSET(lr->fd, main_fds)) {
 	    head_listener = lr->next;
 	    return (lr);
@@ -3492,7 +3627,7 @@ static ap_inline listen_rec *find_ready_listener(fd_set * main_fds)
 }
 
 
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
 static int s_iInitCount = 0;
 
 static int AMCSocketInitialize(void)
@@ -3509,22 +3644,23 @@ static int AMCSocketInitialize(void)
 	return (s_iInitCount);
 
     /* s_iInitCount == 0. Do the initailization */
-    iVersionRequested = MAKEWORD(1, 1);
+    iVersionRequested = MAKEWORD(2, 0);
     err = WSAStartup((WORD) iVersionRequested, &wsaData);
     if (err) {
+        printf("WSAStartup failed with error %d\n", err);
 	s_iInitCount = -1;
 	return (s_iInitCount);
     }
-    if (LOBYTE(wsaData.wVersion) != 1 ||
-	HIBYTE(wsaData.wVersion) != 1) {
+
+    if (LOBYTE(wsaData.wVersion) != 2 ||
+	HIBYTE(wsaData.wVersion) != 0) {
+        printf("Apache requires Winsock 2. Please see the Apache FAQ for more information.\n");
 	s_iInitCount = -2;
 	WSACleanup();
 	return (s_iInitCount);
     }
-
     s_iInitCount++;
     return (s_iInitCount);
-
 }
 
 
@@ -3548,6 +3684,9 @@ static void show_compile_settings(void)
 #endif
 #ifdef EAPI_MM
     printf(" -D EAPI_MM\n");
+#ifdef EAPI_MM_CORE_PATH
+    printf(" -D EAPI_MM_CORE_PATH=\"" EAPI_MM_CORE_PATH "\"\n");
+#endif
 #endif
 #ifdef BIG_SECURITY_HOLE
     printf(" -D BIG_SECURITY_HOLE\n");
@@ -3567,6 +3706,12 @@ static void show_compile_settings(void)
 #ifdef USE_SHMGET_SCOREBOARD
     printf(" -D USE_SHMGET_SCOREBOARD\n");
 #endif
+#ifdef USE_TPF_SCOREBOARD
+    printf(" -D USE_TPF_SCOREBOARD\n");
+#endif
+#ifdef USE_TPF_DAEMON
+    printf(" -D USE_TPF_DAEMON\n");
+#endif
 #ifdef USE_OS2_SCOREBOARD
     printf(" -D USE_OS2_SCOREBOARD\n");
 #endif
@@ -3679,7 +3824,7 @@ static void common_init(void)
     (void) set42sig();
 #endif
 
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
     /* Initialize the stupid sockets */
     AMCSocketInitialize();
 #endif /* WIN32 */
@@ -4801,9 +4946,9 @@ int REALMAIN(int argc, char *argv[])
 #endif
 
 #ifdef TPF
-    APACHE_TPF_INPUT input_parms;
+    EBW_AREA input_parms;
     ecbptr()->ebrout = PRIMECRAS;
-    input_parms = * (APACHE_TPF_INPUT *)(&(ecbptr()->ebw000));
+    input_parms = * (EBW_AREA *)(&(ecbptr()->ebw000));
 #endif
 
     MONCONTROL(0);
@@ -4858,6 +5003,7 @@ int REALMAIN(int argc, char *argv[])
 	    show_compile_settings();
 	    exit(0);
 	case 'l':
+	    ap_suexec_enabled = init_suexec();
 	    ap_show_modules();
 	    exit(0);
 	case 'L':
@@ -4868,7 +5014,7 @@ int REALMAIN(int argc, char *argv[])
 	    break;
 #ifdef TPF
 	case 'x':
-	    os_tpf_child(&input_parms);
+	    os_tpf_child(&input_parms.child);
 	    set_signals();
 	    break;
 #endif
@@ -4916,10 +5062,18 @@ int REALMAIN(int argc, char *argv[])
 
     if (ap_configtestonly) {
         fprintf(stderr, "Syntax OK\n");
+#ifdef EAPI
+        clean_parent_exit(0);
+#else
         exit(0);
+#endif
     }
     if (ap_dump_settings) {
+#ifdef EAPI
+        clean_parent_exit(0);
+#else
         exit(0);
+#endif
     }
 
     child_timeouts = !ap_standalone || one_process;
@@ -4935,7 +5089,8 @@ int REALMAIN(int argc, char *argv[])
 #else
     if (ap_standalone) {
         if(!tpf_child) {
-            memcpy(tpf_server_name, input_parms.inetd_server.servname, INETD_SERVNAME_LENGTH);
+            memcpy(tpf_server_name, input_parms.parent.servname,
+                   INETD_SERVNAME_LENGTH);
             tpf_server_name[INETD_SERVNAME_LENGTH+1] = '\0';
             ap_open_logs(server_conf, pconf);
         }
@@ -4944,15 +5099,16 @@ int REALMAIN(int argc, char *argv[])
         version_locked++;
         if(tpf_child) {
             copy_listeners(pconf);
-            reset_tpf_listeners(&input_parms);
+            reset_tpf_listeners(&input_parms.child);
             server_conf->error_log = NULL;
 #ifdef SCOREBOARD_FILE
-            scoreboard_fd = input_parms.scoreboard_fd;
+            scoreboard_fd = input_parms.child.scoreboard_fd;
             ap_scoreboard_image = &_scoreboard_image;
 #else /* must be USE_TPF_SCOREBOARD or USE_SHMGET_SCOREBOARD */
-            ap_scoreboard_image = (scoreboard *)input_parms.scoreboard_heap;
+            ap_scoreboard_image =
+                (scoreboard *)input_parms.child.scoreboard_heap;
 #endif
-            child_main(input_parms.slot);
+            child_main(input_parms.child.slot);
         }
         else
             STANDALONE_MAIN(argc, argv);
@@ -4999,10 +5155,8 @@ int REALMAIN(int argc, char *argv[])
 	}
 
 #ifdef TPF
-/* TPF only passes the incoming socket number from the internet daemon
-   in ebw000 */
-    sock_in = * (int*)(&(ecbptr()->ebw000));
-    sock_out = * (int*)(&(ecbptr()->ebw000));
+/* TPF's Internet Daemon passes the incoming socket nbr (inetd mode only) */
+    sock_in = sock_out = input_parms.parent.socket;
 /* TPF also needs a signal set for alarm in inetd mode */
     signal(SIGALRM, alrm_handler);
 #elif defined(MPE)
@@ -5173,8 +5327,9 @@ globals allowed_globals =
 void add_job(int sock)
 {
     joblist *new_job;
-
+    
     ap_assert(allowed_globals.jobmutex);
+
     /* TODO: If too many jobs in queue, sleep, check for problems */
     ap_acquire_mutex(allowed_globals.jobmutex);
     new_job = (joblist *) malloc(sizeof(joblist));
@@ -5268,6 +5423,20 @@ static void child_sub_main(int child_num)
     int dupped_csd = -1;
     int srv = 0;
 
+#ifdef NETWARE
+    TSD* tsd = NULL;
+
+    while(tsd == NULL) {
+        tsd = (TSD*) GetThreadDataAreaPtr();
+        ThreadSwitchWithDelay();
+    }
+
+    SetCurrentNameSpace(4);
+    SetTargetNameSpace(4);
+
+    ap_thread_count++;
+#endif
+
     ptrans = ap_make_sub_pool(pconf);
 
     (void) ap_update_child_status(child_num, SERVER_READY, (request_rec *) NULL);
@@ -5280,22 +5449,28 @@ static void child_sub_main(int child_num)
 #else
     sigsetjmp(jmpbuffer, 1);
 #endif
-#ifdef SIGURG
+#if defined(SIGURG)
     signal(SIGURG, timeout);
 #endif
 
+#ifdef NETWARE
+    tsd = (TSD*) GetThreadDataAreaPtr();
+#endif
+
     while (1) {
 	BUFF *conn_io;
 	request_rec *r;
-
+	
+#ifdef NETWARE
+        ThreadSwitch();
+#endif
 	/*
 	 * (Re)initialize this child to a pre-connection state.
 	 */
-
+	 
 	ap_set_callback_and_alarm(NULL, 0); /* Cancel any outstanding alarms */
 	timeout_req = NULL;                 /* No request in progress */
 	current_conn = NULL;
-
 	ap_clear_pool(ptrans);
 
 	(void) ap_update_child_status(child_num, SERVER_READY,
@@ -5307,6 +5482,7 @@ static void child_sub_main(int child_num)
 	csd = remove_job();
 	if (csd == -1)
 	    break;		/* time to exit */
+		    
 	requests_this_child++;
 
 	ap_note_cleanups_for_socket(ptrans, csd);
@@ -5316,7 +5492,7 @@ static void child_sub_main(int child_num)
 	 * socket options, file descriptors, and read/write buffers.
 	 */
 
-	clen = sizeof(sa_server);
+	clen = sizeof(sa_server);	
 	if (getsockname(csd, &sa_server, &clen) < 0) {
 	    ap_log_error(APLOG_MARK, APLOG_WARNING, server_conf, "getsockname");
 	    continue;
@@ -5349,21 +5525,22 @@ static void child_sub_main(int child_num)
 				          (struct sockaddr_in *) &sa_client,
 				          (struct sockaddr_in *) &sa_server,
 				          child_num);
-
+				          
 	/*
 	 * Read and process each request found on our connection
 	 * until no requests are left or we decide to close.
 	 */
-
 	while ((r = ap_read_request(current_conn)) != NULL) {
-	    (void) ap_update_child_status(child_num, SERVER_BUSY_WRITE, r);
+#ifdef NETWARE
+            ThreadSwitch();
+#endif
+            (void) ap_update_child_status(child_num, SERVER_BUSY_WRITE, r);
 
 	    if (r->status == HTTP_OK)
 		ap_process_request(r);
 
 	    if (ap_extended_status)
 		increment_counts(child_num, r);
-
 	    if (!current_conn->keepalive || current_conn->aborted)
 		break;
 
@@ -5405,10 +5582,18 @@ static void child_sub_main(int child_num)
     }
     ap_destroy_pool(ptrans);
     (void) ap_update_child_status(child_num, SERVER_DEAD, NULL);
+    
+#ifdef NETWARE
+    ap_thread_count--;
+#endif
 }
 
 
+#ifdef NETWARE
+void child_main(void* child_num_arg)
+#else
 void child_main(int child_num_arg)
+#endif
 {
     /*
      * Only reason for this function, is to pass in
@@ -5417,7 +5602,15 @@ void child_main(int child_num_arg)
      * variables and I don't need to make those
      * damn variables static/global
      */
+#ifdef NETWARE
+    TSD Tsd;
+
+    memset(&Tsd, 0, sizeof(TSD));
+	SaveThreadDataAreaPtr(&Tsd);
+	child_sub_main((int)child_num_arg);
+#else
     child_sub_main(child_num_arg);
+#endif
 }
 
 
@@ -5503,6 +5696,7 @@ void setup_signal_names(char *prefix)
     APD2("signal prefix %s", signal_name_prefix);
 }
 
+#ifndef NETWARE
 static void setup_inherited_listeners(pool *p)
 {
     HANDLE pipe;
@@ -5511,69 +5705,227 @@ static void setup_inherited_listeners(pool *p)
     WSAPROTOCOL_INFO WSAProtocolInfo;
     DWORD BytesRead;
 
-    /* Open the pipe to the parent process to receive the inherited socket
-     * data. The sockets have been set to listening in the parent process.
-     */
-    pipe = GetStdHandle(STD_INPUT_HANDLE);
-
     /* Setup the listeners */
     listenmaxfd = -1;
     FD_ZERO(&listenfds);
-    lr = ap_listeners;
 
-    FD_ZERO(&listenfds);
-
-    for (;;) {
-	fd = find_listener(lr);
-	if (fd < 0) {
-            if (!ReadFile(pipe, 
-                          &WSAProtocolInfo, sizeof(WSAPROTOCOL_INFO),
-                          &BytesRead,
-                          (LPOVERLAPPED) NULL)){
-                ap_log_error(APLOG_MARK, APLOG_WIN32ERROR|APLOG_CRIT, server_conf,
-                             "setup_inherited_listeners: Unable to read socket data from parent");
-                exit(1);
-            }
-            fd = WSASocket(FROM_PROTOCOL_INFO,
-                           FROM_PROTOCOL_INFO,
-                           FROM_PROTOCOL_INFO,
-                           &WSAProtocolInfo,
-                           0,
-                           0);
-            if (fd == INVALID_SOCKET) {
-                ap_log_error(APLOG_MARK, APLOG_WIN32ERROR|APLOG_CRIT, server_conf,
-                             "setup_inherited_listeners: WSASocket failed to get inherit the socket.");
-                exit(1);
-            }
-            APD2("setup_inherited_listeners: WSASocket() returned socket %d", fd);
-	}
-	else {
-	    ap_note_cleanups_for_socket(p, fd);
-	}
-	if (fd >= 0) {
-	    FD_SET(fd, &listenfds);
-	    if (fd > listenmaxfd)
-		listenmaxfd = fd;
-	}
-	lr->fd = fd;
-	if (lr->next == NULL)
-	    break;
-	lr = lr->next;
+    /* Open the pipe to the parent process to receive the inherited socket
+     * data. The sockets have been set to listening in the parent process.
+     */
+    pipe = GetStdHandle(STD_INPUT_HANDLE);
+    for (lr = ap_listeners; lr; lr = lr->next) {
+        if (!ReadFile(pipe, &WSAProtocolInfo, sizeof(WSAPROTOCOL_INFO), 
+                      &BytesRead, (LPOVERLAPPED) NULL)) {
+            ap_log_error(APLOG_MARK, APLOG_WIN32ERROR|APLOG_CRIT, server_conf,
+                         "setup_inherited_listeners: Unable to read socket data from parent");
+            signal_parent(0);	/* tell parent to die */
+            exit(1);
+        }
+        ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, server_conf,
+                         "BytesRead = %d WSAProtocolInfo = %x20", BytesRead, WSAProtocolInfo);
+        fd = WSASocket(FROM_PROTOCOL_INFO, FROM_PROTOCOL_INFO, FROM_PROTOCOL_INFO,
+                       &WSAProtocolInfo, 0, 0);
+        if (fd == INVALID_SOCKET) {
+            ap_log_error(APLOG_MARK, APLOG_WIN32ERROR|APLOG_CRIT, server_conf,
+                         "setup_inherited_listeners: WSASocket failed to open the inherited socket.");
+            signal_parent(0);	/* tell parent to die */
+            exit(1);
+        }
+        if (fd >= 0) {
+            FD_SET(fd, &listenfds);
+            if (fd > listenmaxfd)
+                listenmaxfd = fd;
+        }
+        ap_note_cleanups_for_socket(p, fd);
+        lr->fd = fd;
+        if (lr->next == NULL) {
+            /* turn the list into a ring */
+            lr->next = ap_listeners;
+            break;
+        }
     }
-    /* turn the list into a ring */
-    lr->next = ap_listeners;
     head_listener = ap_listeners;
     close_unused_listeners();
     CloseHandle(pipe);
     return;
 }
+#endif
 
 /*
  * worker_main() is main loop for the child process. The loop in
  * this function becomes the controlling thread for the actually working
  * threads (which run in a loop in child_sub_main()).
  */
+ 
+#ifdef NETWARE
+void worker_main(void)
+{
+    int nthreads;
+    fd_set main_fds;
+    int srv;
+    int clen;
+    int csd;
+    struct sockaddr_in sa_client;
+    int total_jobs = 0;
+    thread **child_handles;
+    int rv;
+    int i;
+    struct timeval tv;
+    int my_pid;
+    
+    int count_select_errors = 0;
+    pool *pchild;
+
+    pchild = ap_make_sub_pool(pconf);
+
+    ap_standalone = 1;
+    sd = -1;
+    nthreads = ap_threads_per_child;
+    
+    if (nthreads <= 0)
+        nthreads = 40;
+	    
+    my_pid = getpid();
+
+    ++ap_my_generation;
+
+    copy_listeners(pconf);
+    ap_restart_time = time(NULL);
+
+    reinit_scoreboard(pconf);
+    setup_listeners(pconf);
+
+    if (listenmaxfd == -1) {
+        /* Help, no sockets were made, better log something and exit */
+        ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, NULL,
+                     "No sockets were created for listening");
+        
+        ap_destroy_pool(pchild);
+        cleanup_scoreboard();
+        exit(0);
+    }
+    
+    set_signals();
+
+    /*
+     * - Initialize allowed_globals
+     * - Create the thread table
+     * - Spawn off threads
+     * - Create listen socket set (done above)
+     * - loop {
+     *       wait for request
+     *       create new job
+     *   } while (!time to exit)
+     * - Close all listeners
+     * - Wait for all threads to complete
+     * - Exit
+     */
+
+    ap_child_init_modules(pconf, server_conf);
+    allowed_globals.jobmutex = ap_create_mutex(NULL);
+    allowed_globals.jobsemaphore = create_semaphore(0);
+
+    /* spawn off the threads */
+    child_handles = (thread *) malloc(nthreads * sizeof(int));
+    
+    for (i = 0; i < nthreads; i++) {
+        child_handles[i] = create_thread((void (*)(void *)) child_main, (void *) i);
+    }
+    
+    if (nthreads > max_daemons_limit) {
+        max_daemons_limit = nthreads;
+    }
+
+    while (1) {    
+        tv.tv_sec = 1;
+        tv.tv_usec = 0;
+        
+        ThreadSwitch();
+        
+        if (shutdown_pending)
+            break;
+            
+        memcpy(&main_fds, &listenfds, sizeof(fd_set));
+        srv = ap_select(listenmaxfd + 1, &main_fds, NULL, NULL, &tv);
+
+        if (srv == 0) {
+            count_select_errors = 0;    /* reset count of errors */
+            continue;
+        }
+        else if (srv == SOCKET_ERROR) {
+            if (h_errno != WSAEINTR) {
+                /* A "real" error occurred, log it and increment the count of
+                 * select errors. This count is used to ensure we don't go into
+                 * a busy loop of continuous errors.
+                 */
+                ap_log_error(APLOG_MARK, APLOG_WARNING, server_conf, 
+                             "select failed with errno %d", h_errno);
+                count_select_errors++;
+                if (count_select_errors > MAX_SELECT_ERRORS) {
+                    ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, server_conf,
+                                 "Too many errors in select loop. Child process exiting.");
+                    break;
+                }
+            }
+            continue;
+        } else {
+            listen_rec *lr;
+            
+            lr = find_ready_listener(&main_fds);
+	    
+            if (lr != NULL) {
+                sd = lr->fd;
+            }
+        }
+
+        do {
+            clen = sizeof(sa_client);
+            csd = accept(sd, (struct sockaddr *) &sa_client, &clen);
+            
+            if (csd == INVALID_SOCKET) {
+                csd = -1;
+            }
+        } while (csd < 0 && h_errno == EINTR);
+	
+        if (csd == INVALID_SOCKET) {
+            if (h_errno != WSAECONNABORTED) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, server_conf,
+                             "accept: (client socket) failed with errno = %d",h_errno);
+            }
+        }
+        else {
+            add_job(csd);
+            total_jobs++;
+        }
+    }
+      
+    APD2("process PID %d exiting", my_pid);
+
+    /* Get ready to shutdown and exit */
+    allowed_globals.exit_now = 1;
+    ap_release_mutex(start_mutex);
+
+    for (i = 0; i < nthreads; i++) {
+        add_job(-1);
+    }
 
+    APD2("process PID %d waiting for worker threads to exit", my_pid);
+    while(ap_thread_count)
+        ThreadSwitch();
+    
+    destroy_semaphore(allowed_globals.jobsemaphore);
+    ap_destroy_mutex(allowed_globals.jobmutex);
+    
+    ap_child_exit_modules(pconf, server_conf);
+    ap_destroy_pool(pchild);
+    free(child_handles);
+    cleanup_scoreboard();
+
+    APD2("process PID %d exited", my_pid);
+    clean_parent_exit(0);
+
+}
+#else
 void worker_main(void)
 {
     int nthreads;
@@ -5592,6 +5944,7 @@ void worker_main(void)
     int max_jobs_per_exe;
     int max_jobs_after_exit_request;
     HANDLE hObjects[2];
+
     int count_select_errors = 0;
     pool *pchild;
 
@@ -5620,7 +5973,7 @@ void worker_main(void)
     ap_restart_time = time(NULL);
 
     reinit_scoreboard(pconf);
-
+    
     /*
      * Wait until we have permission to start accepting connections.
      * start_mutex is used to ensure that only one child ever
@@ -5711,40 +6064,31 @@ void worker_main(void)
 
 	tv.tv_sec = wait_time;
 	tv.tv_usec = 0;
-
 	memcpy(&main_fds, &listenfds, sizeof(fd_set));
+
 	srv = ap_select(listenmaxfd + 1, &main_fds, NULL, NULL, &tv);
-#ifdef WIN32
-	if (srv == SOCKET_ERROR) {
-	    /* Map the Win32 error into a standard Unix error condition */
-	    errno = WSAGetLastError();
-	    srv = -1;
-	}
-#endif /* WIN32 */
 
-	if (srv < 0) {
-	    /* Error occurred - if EINTR, loop around with problem */
-	    if (errno != EINTR) {
-		/* A "real" error occurred, log it and increment the count of
-		 * select errors. This count is used to ensure we don't go into
-		 * a busy loop of continuous errors.
-		 */
-		ap_log_error(APLOG_MARK, APLOG_ERR, server_conf, "select: (listen)");
-		count_select_errors++;
-		if (count_select_errors > MAX_SELECT_ERRORS) {
-		    ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, server_conf,
-			"Too many errors in select loop. Child process exiting.");
-		    break;
-		}
-	    }
-	    continue;
-	}
-	count_select_errors = 0;    /* reset count of errors */
-	if (srv == 0) {
+        if (srv == 0) {
+            count_select_errors = 0;    /* reset count of errors */            
             continue;
-	}
-
-	{
+        }
+	else if (srv == SOCKET_ERROR) {
+            if (h_errno != WSAEINTR) {
+                /* A "real" error occurred, log it and increment the count of
+                 * select errors. This count is used to ensure we don't go into
+                 * a busy loop of continuous errors.
+                 */
+                ap_log_error(APLOG_MARK, APLOG_WARNING, server_conf, 
+                             "select failed with errno %d", h_errno);
+                count_select_errors++;
+                if (count_select_errors > MAX_SELECT_ERRORS) {
+                    ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, server_conf,
+                                 "Too many errors in select loop. Child process exiting.");
+                    break;
+                }
+            }
+            continue;
+	} else {
 	    listen_rec *lr;
 
 	    lr = find_ready_listener(&main_fds);
@@ -5755,24 +6099,16 @@ void worker_main(void)
 	do {
 	    clen = sizeof(sa_client);
 	    csd = accept(sd, (struct sockaddr *) &sa_client, &clen);
-#ifdef WIN32
 	    if (csd == INVALID_SOCKET) {
 		csd = -1;
-		errno = WSAGetLastError();
 	    }
-#endif /* WIN32 */
-	} while (csd < 0 && errno == EINTR);
+	} while (csd < 0 && h_errno == WSAEINTR);
 
 	if (csd < 0) {
-#if defined(EPROTO) && defined(ECONNABORTED)
-	    if ((errno != EPROTO) && (errno != ECONNABORTED))
-#elif defined(EPROTO)
-	    if (errno != EPROTO)
-#elif defined(ECONNABORTED)
-	    if (errno != ECONNABORTED)
-#endif
+	    if (h_errno != WSAECONNABORTED) {
 		ap_log_error(APLOG_MARK, APLOG_ERR, server_conf,
-			    "accept: (client socket)");
+                             "accept: (client socket) failed with errno = %d",h_errno);
+            }
 	}
 	else {
 	    add_job(csd);
@@ -5928,7 +6264,7 @@ static int create_process(pool *p, HANDLE *handles, HANDLE *events,
     pCommand = ap_psprintf(p, "\"%s\" -Z %s -f \"%s\"", buf, exit_event_name, ap_server_confname);  
 
     for (i = 1; i < argc; i++) {
-        pCommand = ap_pstrcat(p, pCommand, " ", argv[i], NULL);
+        pCommand = ap_pstrcat(p, pCommand, " \"", argv[i], "\"", NULL);
     }
 
     /* Create a pipe to send socket info to the child */
@@ -6027,10 +6363,9 @@ static PSECURITY_ATTRIBUTES GetNullACL()
         return NULL;
     }
     /*
-     * We can safely use GetLastError() here without presetting it;
-     * {Initialize,Set}SecurityDescriptor() have been verified as clearing it
-     * on successful completion.
+     * Win98 returns nonzero on failure; check LastError to make sure.
      */
+    SetLastError(0);
     if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)
 	|| GetLastError()) {
         LocalFree( pSD );
@@ -6270,6 +6605,7 @@ die_now:
     service_set_status(SERVICE_STOPPED);
     return (0);
 }
+#endif
 
 /*
  * Send signal to a running Apache. On entry signal should contain
@@ -6348,9 +6684,35 @@ int service_init()
     return TRUE;
 }
 
-#ifdef WIN32
-__declspec(dllexport)
-     int apache_main(int argc, char *argv[])
+
+#ifdef NETWARE
+extern char *optarg;
+
+void signal_handler(int sig)
+{
+    switch (sig) {
+    case SIGTERM:
+        shutdown_pending = 1;
+
+        while(!ap_main_finished)
+            ThreadSwitchWithDelay();
+
+        break;
+    }
+    return;
+}
+
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
+
+#if defined(NETWARE)
+int apache_main(int argc, char *argv[])
+#elif defined(WIN32)
+ __declspec(dllexport)
+int apache_main(int argc, char *argv[])
 #else
 int REALMAIN(int argc, char *argv[]) 
 #endif
@@ -6365,6 +6727,15 @@ int REALMAIN(int argc, char *argv[])
     char *signal_to_send = NULL;
     char cwd[MAX_STRING_LEN];
 
+#ifdef NETWARE
+    TSD Tsd;
+
+    SetCurrentNameSpace(4);
+    SetTargetNameSpace(4);
+    signal(SIGTERM, signal_handler);
+    memset(&Tsd, 0, sizeof(Tsd));
+    SaveThreadDataAreaPtr(&Tsd);
+#else
     /* Service application
      * Configuration file in registry at:
      * HKLM\System\CurrentControlSet\Services\[Svc name]\Parameters\ConfPath
@@ -6373,6 +6744,7 @@ int REALMAIN(int argc, char *argv[])
         service_main(master_main, argc, argv);
         clean_parent_exit(0);
     }
+#endif
 
     /* Console application or a child process. */
 
@@ -6385,7 +6757,13 @@ int REALMAIN(int argc, char *argv[])
 
     common_init();
     ap_setup_prelinked_modules();
-
+    
+#ifdef NETWARE
+    if(!*ap_server_root) {
+        ap_cpystrn(ap_server_root, bslash2slash(remove_filename(argv[0])),
+                   sizeof(ap_server_root));
+    }
+#else
     if(!GetCurrentDirectory(sizeof(cwd),cwd)) {
        ap_log_error(APLOG_MARK,APLOG_WIN32ERROR, NULL,
        "GetCurrentDirectory() failure");
@@ -6394,6 +6772,7 @@ int REALMAIN(int argc, char *argv[])
 
     ap_cpystrn(cwd, ap_os_canonical_filename(pcommands, cwd), sizeof(cwd));
     ap_cpystrn(ap_server_root, cwd, sizeof(ap_server_root));
+#endif
 
     while ((c = getopt(argc, argv, "D:C:c:Xd:f:vVlLZ:iusStThk:n:")) != -1) {
         char **new;
@@ -6465,17 +6844,21 @@ int REALMAIN(int argc, char *argv[])
 	    ap_set_version();
 	    printf("Server version: %s\n", ap_get_server_version());
 	    printf("Server built:   %s\n", ap_get_server_built());
-	    exit(0);
+            clean_parent_exit(0);
+
 	case 'V':
 	    ap_set_version();
 	    show_compile_settings();
-	    exit(0);
+            clean_parent_exit(0);
+
 	case 'l':
 	    ap_show_modules();
-	    exit(0);
+            clean_parent_exit(0);
+
 	case 'L':
 	    ap_show_directives();
-	    exit(0);
+            clean_parent_exit(0);
+
 	case 'X':
 	    ++one_process;	/* Weird debugging mode. */
 	    break;
@@ -6492,6 +6875,9 @@ int REALMAIN(int argc, char *argv[])
 	case '?':
 	    usage(ap_server_argv0);
         }   /* switch */
+#ifdef NETWARE
+        ThreadSwitch();
+#endif
     }       /* while  */
 
     /* ServerConfFile is found in this order:
@@ -6501,11 +6887,13 @@ int REALMAIN(int argc, char *argv[])
      * (4) [Registry: HKLM\Software\[product]\ServerRoot]/SERVER_CONFIG_FILE
      * (5) /HTTPD_ROOT/SERVER_CONFIG_FILE
      */
-
+     
     if (!conf_specified) {
         ap_cpystrn(ap_server_confname, SERVER_CONFIG_FILE, sizeof(ap_server_confname));
         if (access(ap_server_root_relative(pcommands, ap_server_confname), 0)) {
+#ifndef NETWARE
             ap_registry_get_server_root(pconf, ap_server_root, sizeof(ap_server_root));
+#endif
             if (!*ap_server_root)
                 ap_cpystrn(ap_server_root, HTTPD_ROOT, sizeof(ap_server_root));
             ap_cpystrn(ap_server_root, ap_os_canonical_filename(pcommands, ap_server_root),
@@ -6568,25 +6956,38 @@ int REALMAIN(int argc, char *argv[])
         send_signal(pconf, signal_to_send);
         clean_parent_exit(0);
     }
-
+    
+#ifndef NETWARE
     if (!child && !ap_dump_settings) { 
         ap_log_pid(pconf, ap_pid_fname);
     }
+#endif
 
     post_parse_init();
 
 #ifdef OS2
     printf("%s running...\n", ap_get_server_version());
 #endif
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
     if (!child) {
 	printf("%s running...\n", ap_get_server_version());
     }
 #endif
+
+#ifndef NETWARE
     if (one_process && !exit_event)
 	exit_event = create_event(0, 0, NULL);
     if (one_process && !start_mutex)
 	start_mutex = ap_create_mutex(NULL);
+#endif
+
+#ifdef NETWARE
+    worker_main();
+    destroy_semaphore(allowed_globals.jobsemaphore);
+
+    while((ap_thread_count) || (!shutdown_pending))
+        ThreadSwitchWithDelay();
+#else
     /*
      * In the future, the main will spawn off a couple
      * of children and monitor them. As soon as a child
@@ -6601,6 +7002,7 @@ int REALMAIN(int argc, char *argv[])
     }
     else 
         master_main(argc, argv);
+#endif
 
     clean_parent_exit(0);
     return 0;	/* purely to avoid a warning */
@@ -6685,6 +7087,14 @@ int main(int argc, char *argv[], char *envp[])
     char **envpnew;
     int c, i, l;
 
+#ifdef MPE
+    /*
+     * MPE doesn't currently initialize the envp parameter.  Instead, we must
+     * use the global variable environ. 
+     */
+    envp = environ;
+#endif
+	
     /* 
      * parse argument line, 
      * but only handle the -L option 
@@ -6767,6 +7177,7 @@ int main(int argc, char *argv[], char *envp[])
 #endif /* ndef SHARED_CORE_BOOTSTRAP */
 
 #ifndef SHARED_CORE_BOOTSTRAP
+#include "httpd.h"
 /*
  * Force ap_validate_password() into the image so that modules like
  * mod_auth can use it even if they're dynamically loaded.
diff --git a/usr.sbin/httpd/src/main/http_protocol.c b/usr.sbin/httpd/src/main/http_protocol.c
index 0869708f726..1622f08aaa0 100644
--- a/usr.sbin/httpd/src/main/http_protocol.c
+++ b/usr.sbin/httpd/src/main/http_protocol.c
@@ -81,6 +81,27 @@
           ap_bgetopt (r->connection->client, BO_BYTECT, &r->bytes_sent); \
   } while (0)
 
+#ifdef CHARSET_EBCDIC
+/* Save & Restore the current conversion settings
+ * "input"  means: ASCII -> EBCDIC (when reading MIME Headers and PUT/POST data)
+ * "output" means: EBCDIC -> ASCII (when sending MIME Headers and Chunks)
+ */
+
+#define PUSH_EBCDIC_INPUTCONVERSION_STATE(_buff, _onoff) \
+        int _convert_in = ap_bgetflag(_buff, B_ASCII2EBCDIC); \
+        ap_bsetflag(_buff, B_ASCII2EBCDIC, _onoff);
+
+#define POP_EBCDIC_INPUTCONVERSION_STATE(_buff) \
+        ap_bsetflag(_buff, B_ASCII2EBCDIC, _convert_in);
+
+#define PUSH_EBCDIC_OUTPUTCONVERSION_STATE(_buff, _onoff) \
+        int _convert_out = ap_bgetflag(_buff, B_EBCDIC2ASCII); \
+        ap_bsetflag(_buff, B_EBCDIC2ASCII, _onoff);
+
+#define POP_EBCDIC_OUTPUTCONVERSION_STATE(_buff) \
+        ap_bsetflag(_buff, B_EBCDIC2ASCII, _convert_out);
+
+#endif /*CHARSET_EBCDIC*/
 
 static int parse_byterange(char *range, long clength, long *start, long *end)
 {
@@ -212,22 +233,36 @@ static int internal_byterange(int realreq, long *tlength, request_rec *r,
 {
     long range_start, range_end;
     char *range;
+#ifdef CHARSET_EBCDIC
+    /* determine current setting of conversion flag,
+     * set to ON (protocol strings MUST be converted)
+     * and reset to original setting before returning
+     */
+    PUSH_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client, 1);
+#endif /*CHARSET_EBCDIC*/
 
     if (!**r_range) {
         if (r->byterange > 1) {
             if (realreq)
-                ap_rvputs(r, "\015\012--", r->boundary, "--\015\012", NULL);
+                ap_rvputs(r, CRLF "--", r->boundary, "--" CRLF, NULL);
             else
                 *tlength += 4 + strlen(r->boundary) + 4;
         }
+#ifdef CHARSET_EBCDIC
+        POP_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client);
+#endif /*CHARSET_EBCDIC*/
         return 0;
     }
 
     range = ap_getword(r->pool, r_range, ',');
-    if (!parse_byterange(range, r->clength, &range_start, &range_end))
+    if (!parse_byterange(range, r->clength, &range_start, &range_end)) {
+#ifdef CHARSET_EBCDIC
+        POP_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client);
+#endif /*CHARSET_EBCDIC*/
         /* Skip this one */
         return internal_byterange(realreq, tlength, r, r_range, offset,
                                   length);
+    }
 
     if (r->byterange > 1) {
         const char *ct = r->content_type ? r->content_type : ap_default_type(r);
@@ -236,8 +271,8 @@ static int internal_byterange(int realreq, long *tlength, request_rec *r,
         ap_snprintf(ts, sizeof(ts), "%ld-%ld/%ld", range_start, range_end,
                     r->clength);
         if (realreq)
-            ap_rvputs(r, "\015\012--", r->boundary, "\015\012Content-type: ",
-                   ct, "\015\012Content-range: bytes ", ts, "\015\012\015\012",
+            ap_rvputs(r, CRLF "--", r->boundary, CRLF "Content-type: ",
+                   ct, CRLF "Content-range: bytes ", ts, CRLF CRLF,
                    NULL);
         else
             *tlength += 4 + strlen(r->boundary) + 16 + strlen(ct) + 23 +
@@ -251,6 +286,9 @@ static int internal_byterange(int realreq, long *tlength, request_rec *r,
     else {
         *tlength += range_end - range_start + 1;
     }
+#ifdef CHARSET_EBCDIC
+    POP_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client);
+#endif /*CHARSET_EBCDIC*/
     return 1;
 }
 
@@ -664,14 +702,27 @@ static int getline(char *s, int n, BUFF *in, int fold)
     char *pos, next;
     int retval;
     int total = 0;
+#ifdef CHARSET_EBCDIC
+    /* When getline() is called, the HTTP protocol is in a state
+     * where we MUST be reading "plain text" protocol stuff,
+     * (Request line, MIME headers, Chunk sizes) regardless of
+     * the MIME type and conversion setting of the document itself.
+     * Save the current setting of the ASCII-EBCDIC conversion flag
+     * for uploads, then temporarily set it to ON
+     * (and restore it before returning).
+     */
+    PUSH_EBCDIC_INPUTCONVERSION_STATE(in, 1);
+#endif /*CHARSET_EBCDIC*/
 
     pos = s;
 
     do {
         retval = ap_bgets(pos, n, in);     /* retval == -1 if error, 0 if EOF */
 
-        if (retval <= 0)
-            return ((retval < 0) && (total == 0)) ? -1 : total;
+        if (retval <= 0) {
+            total = ((retval < 0) && (total == 0)) ? -1 : total;
+            break;
+        }
 
         /* retval is the number of characters read, not including NUL      */
 
@@ -696,7 +747,7 @@ static int getline(char *s, int n, BUFF *in, int fold)
             ++n;
         }
         else
-            return total;       /* if not, input line exceeded buffer size */
+            break;       /* if not, input line exceeded buffer size */
 
         /* Continue appending if line folding is desired and
          * the last line was not empty and we have room in the buffer and
@@ -706,6 +757,11 @@ static int getline(char *s, int n, BUFF *in, int fold)
                   && (ap_blookc(&next, in) == 1)
                   && ((next == ' ') || (next == '\t')));
 
+#ifdef CHARSET_EBCDIC
+    /* restore ASCII->EBCDIC conversion state */
+    POP_EBCDIC_INPUTCONVERSION_STATE(in);
+#endif /*CHARSET_EBCDIC*/
+
     return total;
 }
 
@@ -993,7 +1049,7 @@ request_rec *ap_read_request(conn_rec *conn)
     r->status = HTTP_OK;                         /* Until further notice. */
 
     /* update what we think the virtual host is based on the headers we've
-     * now read
+     * now read. may update status.
      */
     ap_update_vhost_from_headers(r);
 
@@ -1016,6 +1072,8 @@ request_rec *ap_read_request(conn_rec *conn)
         ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                       "client sent HTTP/1.1 request without hostname "
                       "(see RFC2068 section 9, and 14.23): %s", r->uri);
+    }
+    if (r->status != HTTP_OK) {
         ap_send_error_response(r, 0);
         ap_log_transaction(r);
         return r;
@@ -1113,7 +1171,8 @@ API_EXPORT(void) ap_note_basic_auth_failure(request_rec *r)
         ap_note_auth_failure(r);
     else
         ap_table_setn(r->err_headers_out,
-                  r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+                  r->proxyreq == STD_PROXY ? "Proxy-Authenticate"
+		      : "WWW-Authenticate",
                   ap_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"",
                           NULL));
 }
@@ -1121,7 +1180,8 @@ API_EXPORT(void) ap_note_basic_auth_failure(request_rec *r)
 API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
 {
     ap_table_setn(r->err_headers_out,
-	    r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+	    r->proxyreq == STD_PROXY ? "Proxy-Authenticate"
+		  : "WWW-Authenticate",
 	    ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"",
 		ap_auth_name(r), r->request_time));
 }
@@ -1129,8 +1189,9 @@ API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r)
 API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
 {
     const char *auth_line = ap_table_get(r->headers_in,
-                                      r->proxyreq ? "Proxy-Authorization"
-                                                  : "Authorization");
+					 r->proxyreq == STD_PROXY
+					 ? "Proxy-Authorization"
+					 : "Authorization");
     const char *t;
 
     if (!(t = ap_auth_type(r)) || strcasecmp(t, "Basic"))
@@ -1287,15 +1348,12 @@ API_EXPORT(int) ap_index_of_response(int status)
 API_EXPORT_NONSTD(int) ap_send_header_field(request_rec *r,
     const char *fieldname, const char *fieldval)
 {
-    return (0 < ap_rvputs(r, fieldname, ": ", fieldval, "\015\012", NULL));
+    return (0 < ap_rvputs(r, fieldname, ": ", fieldval, CRLF, NULL));
 }
 
 API_EXPORT(void) ap_basic_http_header(request_rec *r)
 {
     char *protocol;
-#ifdef CHARSET_EBCDIC
-    int convert = ap_bgetflag(r->connection->client, B_EBCDIC2ASCII);
-#endif /*CHARSET_EBCDIC*/
 
     if (r->assbackwards)
         return;
@@ -1306,7 +1364,7 @@ API_EXPORT(void) ap_basic_http_header(request_rec *r)
     /* mod_proxy is only HTTP/1.0, so avoid sending HTTP/1.1 error response;
      * kluge around broken browsers when indicated by force-response-1.0
      */
-    if (r->proxyreq
+    if (r->proxyreq != NOT_PROXY
         || (r->proto_num == HTTP_VERSION(1,0)
             && ap_table_get(r->subprocess_env, "force-response-1.0"))) {
 
@@ -1317,12 +1375,12 @@ API_EXPORT(void) ap_basic_http_header(request_rec *r)
         protocol = SERVER_PROTOCOL;
 
 #ifdef CHARSET_EBCDIC
-    ap_bsetflag(r->connection->client, B_EBCDIC2ASCII, 1);
+    { PUSH_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client, 1);
 #endif /*CHARSET_EBCDIC*/
 
     /* Output the HTTP/1.x Status-Line and the Date and Server fields */
 
-    ap_rvputs(r, protocol, " ", r->status_line, "\015\012", NULL);
+    ap_rvputs(r, protocol, " ", r->status_line, CRLF, NULL);
 
     ap_send_header_field(r, "Date", ap_gm_timestr_822(r->pool, r->request_time));
     ap_send_header_field(r, "Server", ap_get_server_version());
@@ -1330,8 +1388,7 @@ API_EXPORT(void) ap_basic_http_header(request_rec *r)
     ap_table_unset(r->headers_out, "Date");        /* Avoid bogosity */
     ap_table_unset(r->headers_out, "Server");
 #ifdef CHARSET_EBCDIC
-    if (!convert)
-        ap_bsetflag(r->connection->client, B_EBCDIC2ASCII, convert);
+    POP_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client); }
 #endif /*CHARSET_EBCDIC*/
 }
 
@@ -1358,9 +1415,9 @@ static void terminate_header(BUFF *client)
 
     ap_bgetopt(client, BO_BYTECT, &bs);
     if (bs >= 255 && bs <= 257)
-        ap_bputs("X-Pad: avoid browser bug\015\012", client);
+        ap_bputs("X-Pad: avoid browser bug" CRLF, client);
 
-    ap_bputs("\015\012", client);  /* Send the terminating empty line */
+    ap_bputs(CRLF, client);  /* Send the terminating empty line */
 }
 
 /* Build the Allow field-value from the request handler method mask.
@@ -1405,11 +1462,11 @@ API_EXPORT(int) ap_send_http_trace(request_rec *r)
 
     /* Now we recreate the request, and echo it back */
 
-    ap_rvputs(r, r->the_request, "\015\012", NULL);
+    ap_rvputs(r, r->the_request, CRLF, NULL);
 
     ap_table_do((int (*) (void *, const char *, const char *))
                 ap_send_header_field, (void *) r, r->headers_in, NULL);
-    ap_rputs("\015\012", r);
+    ap_rputs(CRLF, r);
 
     ap_kill_timeout(r);
     return OK;
@@ -1538,9 +1595,6 @@ API_EXPORT(void) ap_send_http_header(request_rec *r)
 {
     int i;
     const long int zero = 0L;
-#ifdef CHARSET_EBCDIC
-    int convert = ap_bgetflag(r->connection->client, B_EBCDIC2ASCII);
-#endif /*CHARSET_EBCDIC*/
 
     if (r->assbackwards) {
         if (!r->main)
@@ -1577,7 +1631,7 @@ API_EXPORT(void) ap_send_http_header(request_rec *r)
     ap_basic_http_header(r);
 
 #ifdef CHARSET_EBCDIC
-    ap_bsetflag(r->connection->client, B_EBCDIC2ASCII, 1);
+    { PUSH_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client, 1);
 #endif /*CHARSET_EBCDIC*/
 
     ap_set_keepalive(r);
@@ -1632,8 +1686,7 @@ API_EXPORT(void) ap_send_http_header(request_rec *r)
     if (r->chunked)
         ap_bsetflag(r->connection->client, B_CHUNK, 1);
 #ifdef CHARSET_EBCDIC
-    if (!convert)
-        ap_bsetflag(r->connection->client, B_EBCDIC2ASCII, convert);
+    POP_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client); }
 #endif /*CHARSET_EBCDIC*/
 }
 
@@ -1645,6 +1698,9 @@ API_EXPORT(void) ap_send_http_header(request_rec *r)
 API_EXPORT(void) ap_finalize_request_protocol(request_rec *r)
 {
     if (r->chunked && !r->connection->aborted) {
+#ifdef CHARSET_EBCDIC
+	PUSH_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client, 1);
+#endif
         /*
          * Turn off chunked encoding --- we can only do this once.
          */
@@ -1652,10 +1708,14 @@ API_EXPORT(void) ap_finalize_request_protocol(request_rec *r)
         ap_bsetflag(r->connection->client, B_CHUNK, 0);
 
         ap_soft_timeout("send ending chunk", r);
-        ap_rputs("0\015\012", r);
+        ap_rputs("0" CRLF, r);
         /* If we had footer "headers", we'd send them now */
-        ap_rputs("\015\012", r);
+        ap_rputs(CRLF, r);
         ap_kill_timeout(r);
+
+#ifdef CHARSET_EBCDIC
+	POP_EBCDIC_OUTPUTCONVERSION_STATE(r->connection->client);
+#endif /*CHARSET_EBCDIC*/
     }
 }
 
@@ -1751,6 +1811,23 @@ API_EXPORT(int) ap_setup_client_block(request_rec *r, int read_policy)
         return HTTP_REQUEST_ENTITY_TOO_LARGE;
     }
 
+#ifdef CHARSET_EBCDIC
+    {
+        /* @@@ Temporary kludge for guessing the conversion @@@
+         * from looking at the MIME header. 
+         * If no Content-Type header is found, text conversion is assumed.
+         */
+        const char *typep = ap_table_get(r->headers_in, "Content-Type");
+        int convert_in = (typep == NULL ||
+                          strncasecmp(typep, "text/", 5) == 0 ||
+                          strncasecmp(typep, "message/", 8) == 0 ||
+                          strncasecmp(typep, "multipart/", 10) == 0 ||
+                          strcasecmp (typep, "application/x-www-form-urlencoded") == 0
+                         );
+        ap_bsetflag(r->connection->client, B_ASCII2EBCDIC, convert_in);
+    }
+#endif
+
     return OK;
 }
 
@@ -1763,7 +1840,7 @@ API_EXPORT(int) ap_should_client_block(request_rec *r)
 
     if (r->expecting_100 && r->proto_num >= HTTP_VERSION(1,1)) {
         /* sending 100 Continue interim response */
-        ap_rvputs(r, SERVER_PROTOCOL, " ", status_lines[0], "\015\012\015\012",
+        ap_rvputs(r, SERVER_PROTOCOL, " ", status_lines[0], CRLF CRLF,
                   NULL);
         ap_rflush(r);
     }
@@ -1935,9 +2012,20 @@ API_EXPORT(long) ap_get_client_block(request_rec *r, char *buffer, int bufsiz)
     r->remaining -= len_read;
 
     if (r->remaining == 0) {    /* End of chunk, get trailing CRLF */
+#ifdef CHARSET_EBCDIC
+        /* Chunk end is Protocol stuff! Set conversion = 1 to read CR LF: */
+        PUSH_EBCDIC_INPUTCONVERSION_STATE(r->connection->client, 1);
+#endif /*CHARSET_EBCDIC*/
+
         if ((c = ap_bgetc(r->connection->client)) == CR) {
             c = ap_bgetc(r->connection->client);
         }
+
+#ifdef CHARSET_EBCDIC
+        /* restore ASCII->EBCDIC conversion state */
+        POP_EBCDIC_INPUTCONVERSION_STATE(r->connection->client);
+#endif /*CHARSET_EBCDIC*/
+
         if (c != LF) {
             r->connection->keepalive = -1;
             return -1;
@@ -2392,7 +2480,7 @@ API_EXPORT(int) ap_rflush(request_rec *r)
  * and 5xx (server error) messages that have not been redirected to another
  * handler via the ErrorDocument feature.
  */
-void ap_send_error_response(request_rec *r, int recursive_error)
+API_EXPORT(void) ap_send_error_response(request_rec *r, int recursive_error)
 {
     int status = r->status;
     int idx = ap_index_of_response(status);
@@ -2627,8 +2715,8 @@ void ap_send_error_response(request_rec *r, int recursive_error)
 	    }
 	    break;
 	case BAD_GATEWAY:
-	    ap_rputs("The proxy server received an invalid\015\012"
-	             "response from an upstream server.<P>\015\012", r);
+	    ap_rputs("The proxy server received an invalid" CRLF
+	             "response from an upstream server.<P>" CRLF, r);
 	    if ((error_notes = ap_table_get(r->notes, "error-notes")) != NULL) {
 		ap_rvputs(r, error_notes, "<P>\n", NULL);
 	    }
diff --git a/usr.sbin/httpd/src/main/http_request.c b/usr.sbin/httpd/src/main/http_request.c
index e6f66316582..3bcab8935e1 100644
--- a/usr.sbin/httpd/src/main/http_request.c
+++ b/usr.sbin/httpd/src/main/http_request.c
@@ -113,7 +113,7 @@ static int check_safe_file(request_rec *r)
 
 static int check_symlinks(char *d, int opts)
 {
-#if defined(OS2) || defined(WIN32)
+#if defined(OS2) || defined(WIN32) || defined(NETWARE)
     /* OS/2 doesn't have symlinks */
     return OK;
 #else
@@ -983,7 +983,7 @@ API_EXPORT(void) ap_die(int type, request_rec *r)
      * about proxy authentication.  They treat it like normal auth, and then
      * we tweak the status.
      */
-    if (r->status == AUTH_REQUIRED && r->proxyreq) {
+    if (r->status == AUTH_REQUIRED && r->proxyreq == STD_PROXY) {
         r->status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
     }
 
@@ -1088,7 +1088,7 @@ static void process_request_internal(request_rec *r)
     int access_status;
 
     /* Ignore embedded %2F's in path for proxy requests */
-    if (!r->proxyreq && r->parsed_uri.path) {
+    if (r->proxyreq == NOT_PROXY && r->parsed_uri.path) {
 	access_status = ap_unescape_url(r->parsed_uri.path);
 	if (access_status) {
 	    ap_die(access_status, r);
@@ -1108,7 +1108,7 @@ static void process_request_internal(request_rec *r)
         return;
     }
 
-    if (!r->proxyreq) {
+    if (r->proxyreq == NOT_PROXY) {
 	/*
 	 * We don't want TRACE to run through the normal handler set, we
 	 * handle it specially.
@@ -1176,8 +1176,9 @@ static void process_request_internal(request_rec *r)
     case SATISFY_ANY:
         if (((access_status = ap_check_access(r)) != 0) || !ap_auth_type(r)) {
             if (!ap_some_auth_required(r)) {
-                decl_die(access_status, ap_auth_type(r)
-		    ? "check access"
+                decl_die(access_status ? access_status :
+			 HTTP_INTERNAL_SERVER_ERROR,
+			 ap_auth_type(r) ? "check access"
 		    : "perform authentication. AuthType not set!", r);
                 return;
             }
@@ -1197,7 +1198,7 @@ static void process_request_internal(request_rec *r)
         break;
     }
 
-    if (! (r->proxyreq 
+    if (! (r->proxyreq != NOT_PROXY
 	   && r->parsed_uri.scheme != NULL
 	   && strcmp(r->parsed_uri.scheme, "http") == 0) ) {
 	if ((access_status = ap_find_types(r)) != 0) {
diff --git a/usr.sbin/httpd/src/main/http_vhost.c b/usr.sbin/httpd/src/main/http_vhost.c
index 793048f9471..0152ddda326 100644
--- a/usr.sbin/httpd/src/main/http_vhost.c
+++ b/usr.sbin/httpd/src/main/http_vhost.c
@@ -657,22 +657,51 @@ void ap_fini_vhost_config(pool *p, server_rec *main_s)
  * run-time vhost matching functions
  */
 
-/* Remove :port and optionally a single trailing . from the hostname, this
- * canonicalizes it somewhat.
+/* Lowercase and remove any trailing dot and/or :port from the hostname,
+ * and check that it is sane.
  */
 static void fix_hostname(request_rec *r)
 {
-    const char *hostname = r->hostname;
-    char *host = ap_getword(r->pool, &hostname, ':');	/* get rid of port */
-    size_t l;
-
-    /* trim a trailing . */
-    l = strlen(host);
-    if (l > 0 && host[l-1] == '.') {
-        host[l-1] = '\0';
+    char *host = ap_palloc(r->pool, strlen(r->hostname) + 1);
+    const char *src;
+    char *dst;
+
+    /* check and copy the host part */
+    src = r->hostname;
+    dst = host;
+    while (*src) {
+	if (!ap_isalnum(*src) && *src != '.' && *src != '-') {
+	    if (*src == ':')
+		break;
+	    else
+		goto bad;
+	} else {
+	    *dst++ = *src++;
+	}
+    }
+    /* check the port part */
+    if (*src++ == ':') {
+	while (*src) {
+	    if (!ap_isdigit(*src++)) {
+		goto bad;
+	    }
+	}
+    }
+    /* strip trailing gubbins */
+    if (dst > host && dst[-1] == '.') {
+	dst[-1] = '\0';
+    } else {
+	dst[0] = '\0';
     }
 
     r->hostname = host;
+    return;
+
+bad:
+    r->status = HTTP_BAD_REQUEST;
+    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+		  "Client sent malformed Host header");
+    return;
 }
 
 
@@ -874,6 +903,8 @@ void ap_update_vhost_from_headers(request_rec *r)
     /* must set this for HTTP/1.1 support */
     if (r->hostname || (r->hostname = ap_table_get(r->headers_in, "Host"))) {
 	fix_hostname(r);
+	if (r->status != HTTP_OK)
+	    return;
     }
     /* check if we tucked away a name_chain */
     if (r->connection->vhost_lookup_data) {
diff --git a/usr.sbin/httpd/src/main/rfc1413.c b/usr.sbin/httpd/src/main/rfc1413.c
index 65bc6ef4d07..c503be185c6 100644
--- a/usr.sbin/httpd/src/main/rfc1413.c
+++ b/usr.sbin/httpd/src/main/rfc1413.c
@@ -100,6 +100,12 @@ int ap_rfc1413_timeout = RFC1413_TIMEOUT;	/* Global so it can be changed */
 
 static JMP_BUF timebuf;
 
+/* ident_timeout - handle timeouts */
+static void ident_timeout(int sig)
+{
+    ap_longjmp(timebuf, sig);
+}
+
 /* bind_connect - bind both ends of a socket */
 /* Ambarish fix this. Very broken */
 static int get_rfc1413(int sock, const struct sockaddr_in *our_sin,
@@ -124,6 +130,9 @@ static int get_rfc1413(int sock, const struct sockaddr_in *our_sin,
 
     our_query_sin = *our_sin;
     our_query_sin.sin_port = htons(ANY_PORT);
+#ifdef MPE 
+    our_query_sin.sin_addr.s_addr = INADDR_ANY;
+#endif
     rmt_query_sin = *rmt_sin;
     rmt_query_sin.sin_port = htons(RFC1413_PORT);
 
@@ -148,7 +157,7 @@ static int get_rfc1413(int sock, const struct sockaddr_in *our_sin,
 
     /* send query to server. Handle short write. */
 #ifdef CHARSET_EBCDIC
-    ebcdic2ascii(&buffer, &buffer, buflen);
+    ebcdic2ascii(buffer, buffer, buflen);
 #endif
     i = 0;
     while(i < strlen(buffer)) {
@@ -173,11 +182,26 @@ static int get_rfc1413(int sock, const struct sockaddr_in *our_sin,
     i = 0;
     memset(buffer, '\0', sizeof(buffer));
     /*
-     * Note that the strchr function below checks for 10 instead of '\n'
+     * Note that the strchr function below checks for \012 instead of '\n'
      * this allows it to work on both ASCII and EBCDIC machines.
      */
     while((cp = strchr(buffer, '\012')) == NULL && i < sizeof(buffer) - 1) {
         int j;
+  
+#ifdef TPF
+        /*
+         * socket read on TPF doesn't get interrupted by
+         * signals so additional processing is needed
+         */
+        j = ap_set_callback_and_alarm(NULL, 0);
+        ap_set_callback_and_alarm(ident_timeout, j);
+        j = select(&sock, 1, 0, 0, j * 1000);
+        if (j < 1) {
+            ap_set_callback_and_alarm(NULL, 0);
+            ap_check_signals();
+            return -1;
+        }
+#endif /* TPF */
 	j = read(sock, buffer+i, (sizeof(buffer) - 1) - i);
 	if (j < 0 && errno != EINTR) {
 	   ap_log_error(APLOG_MARK, APLOG_CRIT, srv,
@@ -191,7 +215,7 @@ static int get_rfc1413(int sock, const struct sockaddr_in *our_sin,
 
 /* RFC1413_USERLEN = 512 */
 #ifdef CHARSET_EBCDIC
-    ascii2ebcdic(&buffer, &buffer, (size_t)i);
+    ascii2ebcdic(buffer, buffer, (size_t)i);
 #endif
     if (sscanf(buffer, "%u , %u : USERID :%*[^:]:%512s", &rmt_port, &our_port,
 	       user) != 3 || ntohs(rmt_sin->sin_port) != rmt_port
@@ -209,12 +233,6 @@ static int get_rfc1413(int sock, const struct sockaddr_in *our_sin,
     return 0;
 }
 
-/* ident_timeout - handle timeouts */
-static void ident_timeout(int sig)
-{
-    ap_longjmp(timebuf, sig);
-}
-
 /* rfc1413 - return remote user name, given socket structures */
 char *ap_rfc1413(conn_rec *conn, server_rec *srv)
 {
diff --git a/usr.sbin/httpd/src/main/util.c b/usr.sbin/httpd/src/main/util.c
index 771ad400030..c4fff1c8138 100644
--- a/usr.sbin/httpd/src/main/util.c
+++ b/usr.sbin/httpd/src/main/util.c
@@ -807,7 +807,7 @@ API_EXPORT(configfile_t *) ap_pcfg_openfile(pool *p, const char *name)
         return NULL;
     }
 
-    file = ap_pfopen(p, name, "r");
+    file = ap_pfopen(p, name, "rt");
 #ifdef DEBUG
     saved_errno = errno;
     ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, NULL,
@@ -1377,7 +1377,7 @@ API_EXPORT(char *) ap_escape_shell_cmd(pool *p, const char *str)
     s = (const unsigned char *)str;
     for (; *s; ++s) {
 
-#if defined(OS2) || defined(WIN32)
+#if defined(OS2) || defined(WIN32) || defined(NETWARE)
 	/* Don't allow '&' in parameters under OS/2. */
 	/* This can be used to send commands to the shell. */
 	if (*s == '&') {
@@ -1469,7 +1469,7 @@ API_EXPORT(char *) ap_construct_server(pool *p, const char *hostname,
 
 /* c2x takes an unsigned, and expects the caller has guaranteed that
  * 0 <= what < 256... which usually means that you have to cast to
- * unsigned char first, because (unsigned)(char)(x) fist goes through
+ * unsigned char first, because (unsigned)(char)(x) first goes through
  * signed extension to an int before the unsigned cast.
  *
  * The reason for this assumption is to assist gcc code generation --
@@ -1481,6 +1481,9 @@ static const char c2x_table[] = "0123456789abcdef";
 
 static ap_inline unsigned char *c2x(unsigned what, unsigned char *where)
 {
+#ifdef CHARSET_EBCDIC
+    what = os_toascii[what];
+#endif /*CHARSET_EBCDIC*/
     *where++ = '%';
     *where++ = c2x_table[what >> 4];
     *where++ = c2x_table[what & 0xf];
@@ -1637,7 +1640,7 @@ API_EXPORT(int) ap_can_exec(const struct stat *finfo)
 #ifdef MULTIPLE_GROUPS
     int cnt;
 #endif
-#if defined(OS2) || defined(WIN32)
+#if defined(OS2) || defined(WIN32) || defined(NETWARE)
     /* OS/2 dosen't have Users and Groups */
     return 1;
 #else
@@ -1746,7 +1749,7 @@ char *strstr(char *s1, char *s2)
 #ifdef NEED_INITGROUPS
 int initgroups(const char *name, gid_t basegid)
 {
-#if defined(QNX) || defined(MPE) || defined(BEOS) || defined(_OSD_POSIX) || defined(TPF) || defined(__TANDEM)
+#if defined(QNX) || defined(MPE) || defined(BEOS) || defined(TPF) || defined(__TANDEM) || defined(NETWARE)
 /* QNX, MPE and BeOS do not appear to support supplementary groups. */
     return 0;
 #else /* ndef QNX */
@@ -1826,7 +1829,7 @@ API_EXPORT(void) ap_str_tolower(char *str)
 
 API_EXPORT(uid_t) ap_uname2id(const char *name)
 {
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
     return (1);
 #else
     struct passwd *ent;
@@ -1844,7 +1847,7 @@ API_EXPORT(uid_t) ap_uname2id(const char *name)
 
 API_EXPORT(gid_t) ap_gname2id(const char *name)
 {
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
     return (1);
 #else
     struct group *ent;
@@ -1946,7 +1949,7 @@ char *ap_get_local_host(pool *a)
 	perror("Unable to gethostname");
 	exit(1);
     }
-    str[sizeof(str)-1] = '\0';
+    str[sizeof(str) - 1] = '\0';
     if ((!(p = gethostbyname(str))) || (!(server_hostname = find_fqdn(a, p)))) {
 	fprintf(stderr, "%s: cannot determine local host name.\n",
 		ap_server_argv0);
diff --git a/usr.sbin/httpd/src/main/util_script.c b/usr.sbin/httpd/src/main/util_script.c
index 467dd2964c1..3c41fe175ec 100644
--- a/usr.sbin/httpd/src/main/util_script.c
+++ b/usr.sbin/httpd/src/main/util_script.c
@@ -200,7 +200,7 @@ API_EXPORT(void) ap_add_common_vars(request_rec *r)
     conn_rec *c = r->connection;
     const char *rem_logname;
     char *env_path;
-#ifdef WIN32
+#if defined(WIN32) || defined(OS2)
     char *env_temp;
 #endif
     const char *host;
@@ -250,7 +250,7 @@ API_EXPORT(void) ap_add_common_vars(request_rec *r)
 	}
     }
 
-    if (!(env_path = getenv("PATH"))) {
+    if (!(env_path = ap_pstrdup(r->pool, getenv("PATH")))) {
 	env_path = DEFAULT_PATH;
     }
 
@@ -266,6 +266,21 @@ API_EXPORT(void) ap_add_common_vars(request_rec *r)
     }
 #endif
 
+#ifdef OS2
+    if (env_temp = getenv("COMSPEC")) {
+        ap_table_addn(e, "COMSPEC", env_temp);            
+    }
+    if (env_temp = getenv("ETC")) {
+        ap_table_addn(e, "ETC", env_temp);            
+    }
+    if (env_temp = getenv("DPATH")) {
+        ap_table_addn(e, "DPATH", env_temp);            
+    }
+    if (env_temp = getenv("PERLLIB_PREFIX")) {
+        ap_table_addn(e, "PERLLIB_PREFIX", env_temp);            
+    }
+#endif
+
     ap_table_addn(e, "PATH", env_path);
     ap_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r));
     ap_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version());
@@ -471,8 +486,12 @@ API_EXPORT(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
 	/* Delete terminal (CR?)LF */
 
 	p = strlen(w);
+        /* Indeed, the host's '\n':
+           '\012' for UNIX; '\015' for MacOS; '\025' for OS/390
+           -- whatever the script generates.
+        */
 	if (p > 0 && w[p - 1] == '\n') {
-	    if (p > 1 && w[p - 2] == '\015') {
+	    if (p > 1 && w[p - 2] == CR) {
 		w[p - 2] = '\0';
 	    }
 	    else {
@@ -1019,7 +1038,9 @@ API_EXPORT(int) ap_call_exec(request_rec *r, child_info *pinfo, char *argv0,
             i++;
         }
 
-        if (CreateProcess(NULL, pCommand, NULL, NULL, TRUE, DETACHED_PROCESS, pEnvBlock,
+        if (CreateProcess(NULL, pCommand, NULL, NULL, TRUE, 
+                          0,
+                          pEnvBlock,
                           ap_make_dirstr_parent(r->pool, r->filename),
                           &si, &pi)) {
             if (fileType == eFileTypeEXE16) {
@@ -1043,7 +1064,7 @@ API_EXPORT(int) ap_call_exec(request_rec *r, child_info *pinfo, char *argv0,
         }
         return (pid);
     }
-
+#elif defined(NETWARE)
 #else
     if (ap_suexec_enabled
 	&& ((r->server->server_uid != ap_user_id)
diff --git a/usr.sbin/httpd/src/modules/experimental/Makefile.tmpl b/usr.sbin/httpd/src/modules/experimental/Makefile.tmpl
index 371167d6cd1..30cabaf5b77 100644
--- a/usr.sbin/httpd/src/modules/experimental/Makefile.tmpl
+++ b/usr.sbin/httpd/src/modules/experimental/Makefile.tmpl
@@ -12,7 +12,7 @@ mod_mmap_static.o: mod_mmap_static.c $(INCDIR)/httpd.h \
  $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \
  $(INCDIR)/http_log.h $(INCDIR)/http_protocol.h \
  $(INCDIR)/http_request.h $(INCDIR)/http_core.h
-mod_digest.o: mod_digest.c $(INCDIR)/httpd.h \
+mod_auth_digest.o: mod_auth_digest.c $(INCDIR)/httpd.h \
  $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \
  $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \
  $(INCDIR)/ap_ctype.h $(INCDIR)/hsregex.h \
diff --git a/usr.sbin/httpd/src/modules/experimental/mod_auth_digest.c b/usr.sbin/httpd/src/modules/experimental/mod_auth_digest.c
index 43795221f86..18312aea94e 100644
--- a/usr.sbin/httpd/src/modules/experimental/mod_auth_digest.c
+++ b/usr.sbin/httpd/src/modules/experimental/mod_auth_digest.c
@@ -130,6 +130,12 @@
 #include "util_uri.h"
 #include "util_md5.h"
 #include "ap_sha1.h"
+
+#ifdef WIN32
+/* Crypt APIs are available on Win95 with OSR 2 */
+#include <wincrypt.h>
+#endif
+
 #ifdef HAVE_SHMEM_MM
 #include "mm.h"
 #endif	/* HAVE_SHMEM_MM */
@@ -160,7 +166,7 @@ typedef struct digest_config_struct {
 
 
 #define NONCE_TIME_LEN	(((sizeof(time_t)+2)/3)*4)
-#define NONCE_HASH_LEN	40
+#define NONCE_HASH_LEN	(2*SHA_DIGESTSIZE)
 #define NONCE_LEN	(NONCE_TIME_LEN + NONCE_HASH_LEN)
 
 #define	SECRET_LEN	20
@@ -172,7 +178,7 @@ typedef struct hash_entry {
     unsigned long      key;			/* the key for this entry    */
     struct hash_entry *next;			/* next entry in the bucket  */
     unsigned long      nonce_count;		/* for nonce-count checking  */
-    char               ha1[17];			/* for algorithm=MD5-sess    */
+    char               ha1[2*MD5_DIGESTSIZE+1];	/* for algorithm=MD5-sess    */
     char               last_nonce[NONCE_LEN+1];	/* for one-time nonce's      */
 } client_entry;
 
@@ -206,7 +212,8 @@ typedef struct digest_header_struct {
     /* the following fields are not (directly) from the header */
     time_t                nonce_time;
     enum hdr_sts          auth_hdr_sts;
-    uri_components       *request_uri;
+    const char           *raw_request_uri;
+    uri_components       *psd_request_uri;
     int                   needed_auth;
     client_entry         *client;
 } digest_header_rec;
@@ -271,10 +278,34 @@ static void cleanup_tables(void *not_used)
 }
 #endif	/* HAVE_SHMEM_MM */
 
+#ifdef WIN32
+/* TODO: abstract out the random number generation. APR? */
+static void initialize_secret(server_rec *s)
+{
+    HCRYPTPROV hProv;
+
+    ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, s,
+		 "Digest: generating secret for digest authentication ...");
+    if (!CryptAcquireContext(&hProv,NULL,NULL,PROV_RSA_FULL,0)) {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, s, 
+                     "Digest: Error acquiring context. Errno = %d",
+                     GetLastError());
+        exit(EXIT_FAILURE);
+    }
+    if (!CryptGenRandom(hProv,sizeof(secret),secret)) {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, s, 
+                     "Digest: Error generating secret. Errno = %d",
+                     GetLastError());
+        exit(EXIT_FAILURE);
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, s, "Digest: done");
+}
+#else
 static void initialize_secret(server_rec *s)
 {
 #ifdef	DEV_RANDOM
-    FILE *rnd;
+    int rnd;
     size_t got, tot;
 #else
     extern int randbyte(void);	/* from the truerand library */
@@ -287,24 +318,19 @@ static void initialize_secret(server_rec *s)
 #ifdef	DEV_RANDOM
 #define	XSTR(x)	#x
 #define	STR(x)	XSTR(x)
-    if ((rnd = fopen(STR(DEV_RANDOM), "rb")) == NULL) {
+    if ((rnd = open(STR(DEV_RANDOM), O_RDONLY)) == -1) {
 	ap_log_error(APLOG_MARK, APLOG_CRIT, s,
 		     "Digest: Couldn't open " STR(DEV_RANDOM));
 	exit(EXIT_FAILURE);
     }
-    if (setvbuf(rnd, NULL, _IONBF, 0) != 0) {
-	ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_CRIT, s,
-		     "Digest: Error trying to disable buffering for " STR(DEV_RANDOM));
-	exit(EXIT_FAILURE);
-    }
     for (tot=0; tot<sizeof(secret); tot += got) {
-	if ((got = fread(secret+tot, 1, sizeof(secret)-tot, rnd)) < 1) {
+	if ((got = read(rnd, secret+tot, sizeof(secret)-tot)) < 0) {
 	    ap_log_error(APLOG_MARK, APLOG_CRIT, s,
 			 "Digest: Error reading " STR(DEV_RANDOM));
 	    exit(EXIT_FAILURE);
 	}
     }
-    fclose(rnd);
+    close(rnd);
 #undef	STR
 #undef	XSTR
 #else	/* use truerand */
@@ -317,6 +343,7 @@ static void initialize_secret(server_rec *s)
 
     ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, s, "Digest: done");
 }
+#endif
 
 #ifdef HAVE_SHMEM_MM
 static void initialize_tables(server_rec *s)
@@ -472,9 +499,9 @@ static const char *set_realm(cmd_parms *cmd, void *config, const char *realm)
      * and directives outside a virtual host section)
      */
     ap_SHA1Init(&conf->nonce_ctx);
+    ap_SHA1Update_binary(&conf->nonce_ctx, secret, sizeof(secret));
     ap_SHA1Update_binary(&conf->nonce_ctx, (const unsigned char *) realm,
 			 strlen(realm));
-    ap_SHA1Update_binary(&conf->nonce_ctx, secret, sizeof(secret));
 
     return DECLINE_CMD;
 }
@@ -799,14 +826,14 @@ static client_entry *get_client(unsigned long key, const request_rec *r)
 /* Parse the Authorization header, if it exists */
 static int get_digest_rec(request_rec *r, digest_header_rec *resp)
 {
-    const char *auth_line = ap_table_get(r->headers_in,
-					 r->proxyreq ? "Proxy-Authorization"
-						     : "Authorization");
+    const char *auth_line;
     size_t l;
     int vk = 0, vv = 0;
     char *key, *value;
 
-
+    auth_line = ap_table_get(r->headers_in,
+			     r->proxyreq == STD_PROXY ? "Proxy-Authorization"
+						      : "Authorization");
     if (!auth_line) {
 	resp->auth_hdr_sts = NO_HEADER;
 	return !OK;
@@ -885,7 +912,8 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp)
     }
 
     if (!resp->username || !resp->realm || !resp->nonce || !resp->uri
-	|| !resp->digest) {
+	|| !resp->digest
+	|| (resp->message_qop && (!resp->cnonce || !resp->nonce_count))) {
 	resp->auth_hdr_sts = INVALID;
 	return !OK;
     }
@@ -918,7 +946,8 @@ static int update_nonce_count(request_rec *r)
 	return DECLINED;
 
     resp = ap_pcalloc(r->pool, sizeof(digest_header_rec));
-    resp->request_uri = &r->parsed_uri;
+    resp->raw_request_uri = r->unparsed_uri;
+    resp->psd_request_uri = &r->parsed_uri;
     resp->needed_auth = 0;
     ap_set_module_config(r->request_config, &digest_auth_module, resp);
 
@@ -1075,12 +1104,12 @@ static const char *get_session(const request_rec *r,
     if (ha1 == NULL || ha1[0] == '\0') {
 	urp = get_userpw_hash(r, resp, conf);
 	ha1 = ap_md5(r->pool,
-		     (unsigned char *) ap_pstrcat(r->pool, ha1, ":", resp->nonce,
+		     (unsigned char *) ap_pstrcat(r->pool, urp, ":", resp->nonce,
 						  ":", resp->cnonce, NULL));
 	if (!resp->client)
 	    resp->client = gen_client(r);
 	if (resp->client)
-	    memcpy(resp->client->ha1, ha1, 17);
+	    memcpy(resp->client->ha1, ha1, sizeof(resp->client->ha1));
     }
 
     return ha1;
@@ -1241,20 +1270,23 @@ static void note_digest_auth_failure(request_rec *r,
      * unneccessarily (it's usually > 200 bytes!).
      */
 
-    if (conf->uri_list)
+    if (r->proxyreq != NOT_PROXY)
+	domain = NULL;	/* don't send domain for proxy requests */
+    else if (conf->uri_list)
 	domain = conf->uri_list;
     else {
 	/* They didn't specify any domain, so let's guess at it */
-	domain = guess_domain(r->pool, resp->request_uri->path, r->filename,
+	domain = guess_domain(r->pool, resp->psd_request_uri->path, r->filename,
 			      conf->dir_name);
 	if (domain[0] == '/' && domain[1] == '\0')
-	    domain = "";	/* "/" is the default, so no need to send it */
+	    domain = NULL;	/* "/" is the default, so no need to send it */
 	else
 	    domain = ap_pstrcat(r->pool, ", domain=\"", domain, "\"", NULL);
     }
 
     ap_table_mergen(r->err_headers_out,
-		    r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
+		    r->proxyreq == STD_PROXY ? "Proxy-Authenticate"
+					     : "WWW-Authenticate",
 		    ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s\", "
 					 "algorithm=%s%s%s%s%s",
 				ap_auth_name(r), nonce, conf->algorithm,
@@ -1432,6 +1464,36 @@ static const char *new_digest(const request_rec *r,
 }
 
 
+static void copy_uri_components(uri_components *dst, uri_components *src,
+				request_rec *r) {
+    if (src->scheme && src->scheme[0] != '\0')
+	dst->scheme = src->scheme;
+    else
+	dst->scheme = (char *) "http";
+
+    if (src->hostname && src->hostname[0] != '\0') {
+	dst->hostname = ap_pstrdup(r->pool, src->hostname);
+	ap_unescape_url(dst->hostname);
+    }
+    else
+	dst->hostname = (char *) ap_get_server_name(r);
+
+    if (src->port_str && src->port_str[0] != '\0')
+	dst->port = src->port;
+    else
+	dst->port = ap_get_server_port(r);
+
+    if (src->path && src->path[0] != '\0') {
+	dst->path = ap_pstrdup(r->pool, src->path);
+	ap_unescape_url(dst->path);
+    }
+
+    if (src->query && src->query[0] != '\0') {
+	dst->query = ap_pstrdup(r->pool, src->query);
+	ap_unescape_url(dst->query);
+    }
+}
+
 /* These functions return 0 if client is OK, and proper error status
  * if not... either AUTH_REQUIRED, if we made a check, and it failed, or
  * SERVER_ERROR, if things are so totally confused that we couldn't
@@ -1493,8 +1555,9 @@ static int authenticate_digest_user(request_rec *r)
 			  "`%s': %s", resp->scheme, r->uri);
 	else if (resp->auth_hdr_sts == INVALID)
 	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
-			  "Digest: missing user, realm, nonce, uri, or digest "
-			  "in authorization header: %s", r->uri);
+			  "Digest: missing user, realm, nonce, uri, digest, "
+			  "cnonce, or nonce_count in authorization header: %s",
+			  r->uri);
 	/* else (resp->auth_hdr_sts == NO_HEADER) */
 	note_digest_auth_failure(r, conf, resp, 0);
 	return AUTH_REQUIRED;
@@ -1506,23 +1569,60 @@ static int authenticate_digest_user(request_rec *r)
 
     /* check the auth attributes */
 
-    if (strcmp(resp->uri, resp->request_uri->path)) {
-	uri_components *r_uri = resp->request_uri, d_uri;
-	ap_parse_uri_components(r->pool, resp->uri, &d_uri);
-
-	if ((d_uri.hostname && d_uri.hostname[0] != '\0'
-	     && strcasecmp(d_uri.hostname, r->server->server_hostname))
-	    || (d_uri.port_str && d_uri.port != r->server->port)
-	    || (!d_uri.port_str && r->server->port != 80)
-	    || strcmp(d_uri.path, r_uri->path)
-	    || (d_uri.query != r_uri->query
-		&& (!d_uri.query || !r_uri->query
-		    || strcmp(d_uri.query, r_uri->query)))
+    if (strcmp(resp->uri, resp->raw_request_uri)) {
+	/* Hmm, the simple match didn't work (probably a proxy modified the
+	 * request-uri), so lets do a more sophisticated match
+	 */
+	uri_components r_uri, d_uri;
+
+	copy_uri_components(&r_uri, resp->psd_request_uri, r);
+	if (ap_parse_uri_components(r->pool, resp->uri, &d_uri) != HTTP_OK) {
+	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+			  "Digest: invalid uri <%s> in Authorization header",
+			  resp->uri);
+	    return BAD_REQUEST;
+	}
+
+	if (d_uri.hostname)
+	    ap_unescape_url(d_uri.hostname);
+	if (d_uri.path)
+	    ap_unescape_url(d_uri.path);
+	if (d_uri.query)
+	    ap_unescape_url(d_uri.query);
+
+	if (r->method_number == M_CONNECT) {
+	    if (strcmp(resp->uri, r_uri.hostinfo)) {
+		ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+			      "Digest: uri mismatch - <%s> does not match "
+			      "request-uri <%s>", resp->uri, r_uri.hostinfo);
+		return BAD_REQUEST;
+	    }
+	}
+	else if (
+	    /* check hostname matches, if present */
+	    (d_uri.hostname && d_uri.hostname[0] != '\0'
+	      && strcasecmp(d_uri.hostname, r_uri.hostname))
+	    /* check port matches, if present */
+	    || (d_uri.port_str && d_uri.port != r_uri.port)
+	    /* check that server-port is default port if no port present */
+	    || (d_uri.hostname && d_uri.hostname[0] != '\0'
+		&& !d_uri.port_str && r_uri.port != ap_default_port(r))
+	    /* check that path matches */
+	    || (d_uri.path != r_uri.path
+		/* either exact match */
+	        && (!d_uri.path || !r_uri.path
+		    || strcmp(d_uri.path, r_uri.path))
+		/* or '*' matches empty path in scheme://host */
+	        && !(d_uri.path && !r_uri.path && resp->psd_request_uri->hostname
+		    && d_uri.path[0] == '*' && d_uri.path[1] == '\0'))
+	    /* check that query matches */
+	    || (d_uri.query != r_uri.query
+		&& (!d_uri.query || !r_uri.query
+		    || strcmp(d_uri.query, r_uri.query)))
 	    ) {
 	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
 			  "Digest: uri mismatch - <%s> does not match "
-			  "request-uri <%s>", resp->uri,
-			  ap_unparse_uri_components(r->pool, r_uri, 0));
+			  "request-uri <%s>", resp->uri, resp->raw_request_uri);
 	    return BAD_REQUEST;
 	}
     }
@@ -1785,9 +1885,8 @@ static int add_auth_info(request_rec *r)
 	 */
 	char *entity_info =
 	    ap_md5(r->pool,
-		   (unsigned char *) ap_pstrcat(r->pool,
-		       ap_unparse_uri_components(r->pool,
-						 resp->request_uri, 0), ":",
+		   (unsigned char *) ap_pstrcat(r->pool, resp->raw_request_uri,
+		       ":",
 		       r->content_type ? r->content_type : ap_default_type(r), ":",
 		       hdr(r->headers_out, "Content-Length"), ":",
 		       r->content_encoding ? r->content_encoding : "", ":",
@@ -1818,7 +1917,8 @@ static int add_auth_info(request_rec *r)
 				   gen_nonce(r->pool, r->request_time,
 					     resp->opaque, r->server, conf),
 				   "\"", NULL);
-	    resp->client->nonce_count = 0;
+	    if (resp->client)
+		resp->client->nonce_count = 0;
 	}
     }
     else if (conf->nonce_lifetime == 0 && resp->client) {
@@ -1887,8 +1987,8 @@ static int add_auth_info(request_rec *r)
 
     if (ai && ai[0])
 	ap_table_mergen(r->headers_out,
-			r->proxyreq ? "Proxy-Authentication-Info" :
-				      "Authentication-Info",
+			r->proxyreq == STD_PROXY ? "Proxy-Authentication-Info"
+						 : "Authentication-Info",
 			ai);
     return OK;
 }
diff --git a/usr.sbin/httpd/src/modules/extra/mod_define.c b/usr.sbin/httpd/src/modules/extra/mod_define.c
index 149eb12a89d..0cb95a459d0 100644
--- a/usr.sbin/httpd/src/modules/extra/mod_define.c
+++ b/usr.sbin/httpd/src/modules/extra/mod_define.c
@@ -1,69 +1,39 @@
-/* ====================================================================
- * Copyright (c) 1995-1998 The Apache Group.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the Apache Group
- *    for use in the Apache HTTP server project (http://www.apache.org/)."
- *
- * 4. The names "Apache Server" and "Apache Group" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache"
- *    nor may "Apache" appear in their names without prior written
- *    permission of the Apache Group.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the Apache Group
- *    for use in the Apache HTTP server project (http://www.apache.org/)."
- *
- * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
+/*
+**  mod_define.c - Apache module for configuration defines ($xxx)
+**
+**  Copyright (c) 1998-2000 Ralf S. Engelschall <rse@engelschall.com>
+**  Copyright (c) 1998-2000 Christian Reiber <chrei@en.muc.de>
+**
+**  Permission to use, copy, modify, and distribute this software for
+**  any purpose with or without fee is hereby granted, provided that
+**  the above copyright notice and this permission notice appear in all
+**  copies.
+**
+**  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+**  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+**  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+**  IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
+**  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+**  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+**  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+**  USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+**  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+**  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+**  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+**  SUCH DAMAGE.
+*/
+
+/*
+ *  HISTORY
  *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Group and was originally based
- * on public domain software written at the National Center for
- * Supercomputing Applications, University of Illinois, Urbana-Champaign.
- * For more information on the Apache Group and the Apache HTTP server
- * project, please see <http://www.apache.org/>.
+ *  v1.0: Originally written in December 1998 by
+ *        Ralf S. Engelschall <rse@engelschall.com> and
+ *        Christian Reiber <chrei@en.muc.de>
  *
+ *  v1.1: Completely Overhauled in August 1999 by
+ *        Ralf S. Engelschall <rse@engelschall.com>
  */
 
-/*
-**  mod_define.c -- Apache module for configuration defines ($xxx)
-**  v1.0: Originally written in December 1998 by 
-**        Ralf S. Engelschall <rse@engelschall.com> and
-**        Christian Reiber <chrei@en.muc.de>
-**  v1.1: Completely Overhauled in August 1999 by
-**        Ralf S. Engelschall <rse@engelschall.com>
-*/
-
 #include "ap_config.h"
 #include "ap_ctype.h"
 #include "httpd.h"
@@ -76,14 +46,14 @@
 #error "This module requires the Extended API (EAPI) facilities."
 #endif
 
-/* 
+/*
  * The global table of defines
  */
 
 static table *tDefines         = NULL;   /* global table of defines */
 static int    bOnceSeenADefine = FALSE;  /* optimization flag */
 
-/* 
+/*
  * Forward declaration
  */
 static int   DefineIndex      (pool *, char *, int *, int *, char **);
@@ -97,8 +67,8 @@ static char *DefineRewriteHook(cmd_parms *, void *, const char *);
  * Character classes for scanner function
  */
 typedef enum {
-    CC_ESCAPE, CC_DOLLAR, CC_BRACEOPEN, CC_BRACECLOSE, 
-    CC_IDCHAR1, CC_IDCHAR, CC_OTHER, CC_EOS   
+    CC_ESCAPE, CC_DOLLAR, CC_BRACEOPEN, CC_BRACECLOSE,
+    CC_IDCHAR1, CC_IDCHAR, CC_OTHER, CC_EOS
 } CharClass;
 
 /*
@@ -170,11 +140,11 @@ static int DefineIndex(pool *p, char *cpLine, int *pos, int *len, char **cpVar)
         switch (s) {
             case SS_NONE:
                 switch (cc) {
-                    case CC_ESCAPE: 
+                    case CC_ESCAPE:
                         s = SS_SKIP;
                         break;
-                    case CC_DOLLAR: 
-                        s = SS_DOLLAR; 
+                    case CC_DOLLAR:
+                        s = SS_DOLLAR;
                         break;
                     default:
                         break;
@@ -186,38 +156,38 @@ static int DefineIndex(pool *p, char *cpLine, int *pos, int *len, char **cpVar)
                 break;
             case SS_DOLLAR:
                 switch (cc) {
-                    case CC_BRACEOPEN: 
-                        s = SS_TOKEN_BRACED;   
-                        *pos = cp-cpLine-1; 
-                        (*len) = 2; 
-                        *cpVar = cp+1; 
+                    case CC_BRACEOPEN:
+                        s = SS_TOKEN_BRACED;
+                        *pos = cp-cpLine-1;
+                        (*len) = 2;
+                        *cpVar = cp+1;
                         break;
-                    case CC_IDCHAR1: 
-                        s = SS_TOKEN_UNBRACED; 
-                        *pos = cp-cpLine-1; 
-                        (*len) = 2; 
-                        *cpVar = cp; 
+                    case CC_IDCHAR1:
+                        s = SS_TOKEN_UNBRACED;
+                        *pos = cp-cpLine-1;
+                        (*len) = 2;
+                        *cpVar = cp;
                         break;
                     case CC_ESCAPE:
-                        s = SS_SKIP; 
+                        s = SS_SKIP;
                         break;
-                    default: 
-                        s = SS_NONE; 
+                    default:
+                        s = SS_NONE;
                         break;
                 }
                 break;
             case SS_TOKEN_BRACED:
                 switch (cc) {
                     case CC_IDCHAR1:
-                    case CC_IDCHAR: 
-                        (*len)++; 
+                    case CC_IDCHAR:
+                        (*len)++;
                         break;
-                    case CC_BRACECLOSE: 
-                        (*len)++; 
+                    case CC_BRACECLOSE:
+                        (*len)++;
                         cp2 = ap_palloc(p, cp-*cpVar+1);
-                        ap_cpystrn(cp2, *cpVar, cp-*cpVar+1); 
+                        ap_cpystrn(cp2, *cpVar, cp-*cpVar+1);
                         *cpVar = cp2;
-                        s = SS_FOUND; 
+                        s = SS_FOUND;
                         break;
                     default:
                         cpError = ap_psprintf(p, "Illegal character '%c' in identifier", *cp);
@@ -228,14 +198,14 @@ static int DefineIndex(pool *p, char *cpLine, int *pos, int *len, char **cpVar)
             case SS_TOKEN_UNBRACED:
                 switch (cc) {
                     case CC_IDCHAR1:
-                    case CC_IDCHAR: 
-                        (*len)++; 
+                    case CC_IDCHAR:
+                        (*len)++;
                         break;
                     default:
                         cp2 = ap_palloc(p, cp-*cpVar+1);
-                        ap_cpystrn(cp2, *cpVar, cp-*cpVar+1); 
+                        ap_cpystrn(cp2, *cpVar, cp-*cpVar+1);
                         *cpVar = cp2;
-                        s = SS_FOUND; 
+                        s = SS_FOUND;
                         break;
                 }
                 break;
@@ -281,10 +251,10 @@ static char *DefineExpand(pool *p, char *cpToken, int tok_len, char *cpVal)
 
     val_len  = strlen(cpVal);
     rest_len = strlen(cpToken+tok_len);
-    if (val_len < tok_len) 
+    if (val_len < tok_len)
         memcpy(cpToken+val_len, cpToken+tok_len, rest_len+1);
     else if (val_len > tok_len)
-        for (cp = cpToken+strlen(cpToken); cp > cpToken+tok_len-1; cp--)  
+        for (cp = cpToken+strlen(cpToken); cp > cpToken+tok_len-1; cp--)
             *(cp+(val_len-tok_len)) = *cp;
     memcpy(cpToken, cpVal, val_len);
     return NULL;
@@ -333,7 +303,7 @@ static char *DefineRewriteHook(cmd_parms *cmd, void *config, const char *line)
         for (i = 0; i < len; i++)
             marker[i] = '^';
         marker[i] = '\0';
-        fprintf(stderr, 
+        fprintf(stderr,
                 "Found variable `%s' (pos: %d, len: %d)\n"
                 "  %s\n"
                 "  %s%s\n",
@@ -346,16 +316,16 @@ static char *DefineRewriteHook(cmd_parms *cmd, void *config, const char *line)
             cpLine = cpBuf;
         }
         if ((cpVal = DefineFetch(p, cpVar)) == NULL) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, s, 
-                         "mod_define: Variable '%s' not defined: file %s, line %d", 
+            ap_log_error(APLOG_MARK, APLOG_ERR, s,
+                         "mod_define: Variable '%s' not defined: file %s, line %d",
                          cpVar, cmd->config_file->name,
                          cmd->config_file->line_number);
             cpBuf = NULL;
             break;
         }
         if ((cpError = DefineExpand(p, cpLine+pos, len, cpVal)) != NULL) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, s, 
-                         "mod_define: %s: file %s, line %d", 
+            ap_log_error(APLOG_MARK, APLOG_ERR, s,
+                         "mod_define: %s: file %s, line %d",
                          cpError, cmd->config_file->name,
                          cmd->config_file->line_number);
             cpBuf = NULL;
@@ -368,7 +338,7 @@ static char *DefineRewriteHook(cmd_parms *cmd, void *config, const char *line)
 /*
  * Implementation of the `Define' configuration directive
  */
-static const char *cmd_define(cmd_parms *cmd, void *config, 
+static const char *cmd_define(cmd_parms *cmd, void *config,
                               char *cpVar, char *cpVal)
 {
     if (tDefines == NULL)
@@ -406,7 +376,7 @@ static void DefineCleanup(void *data)
     return;
 }
 
-/* 
+/*
  * Module Directive lists
  */
 static const command_rec DefineDirectives[] = {
@@ -415,11 +385,11 @@ static const command_rec DefineDirectives[] = {
     { NULL }
 };
 
-/* 
+/*
  * Module API dispatch list
  */
 module MODULE_VAR_EXPORT define_module = {
-    STANDARD_MODULE_STUFF, 
+    STANDARD_MODULE_STUFF,
     NULL,                  /* module initializer                  */
     NULL,                  /* create per-dir    config structures */
     NULL,                  /* merge  per-dir    config structures */
diff --git a/usr.sbin/httpd/src/modules/proxy/mod_proxy.c b/usr.sbin/httpd/src/modules/proxy/mod_proxy.c
index cfd3aa1d372..0587ec319f6 100644
--- a/usr.sbin/httpd/src/modules/proxy/mod_proxy.c
+++ b/usr.sbin/httpd/src/modules/proxy/mod_proxy.c
@@ -153,7 +153,7 @@ static int proxy_detect(request_rec *r)
 	    && !strcasecmp(r->parsed_uri.scheme, ap_http_method(r))
 	    && ap_matches_request_vhost(r, r->parsed_uri.hostname,
                r->parsed_uri.port_str ? r->parsed_uri.port : ap_default_port(r)))) {
-	    r->proxyreq = 1;
+	    r->proxyreq = STD_PROXY;
 	    r->uri = r->unparsed_uri;
 	    r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
 	    r->handler = "proxy-server";
@@ -163,7 +163,7 @@ static int proxy_detect(request_rec *r)
     else if (conf->req && r->method_number == M_CONNECT
 	     && r->parsed_uri.hostname
 	     && r->parsed_uri.port_str) {
-	    r->proxyreq = 1;
+	    r->proxyreq = STD_PROXY;
 	    r->uri = r->unparsed_uri;
 	    r->filename = ap_pstrcat(r->pool, "proxy:", r->uri, NULL);
 	    r->handler = "proxy-server";
@@ -179,7 +179,7 @@ static int proxy_trans(request_rec *r)
     int i, len;
     struct proxy_alias *ent = (struct proxy_alias *) conf->aliases->elts;
 
-    if (r->proxyreq) {
+    if (r->proxyreq != NOT_PROXY) {
 	/* someone has already set up the proxy, it was possibly ourselves
 	 * in proxy_detect
 	 */
@@ -198,7 +198,7 @@ static int proxy_trans(request_rec *r)
            r->filename = ap_pstrcat(r->pool, "proxy:", ent[i].real,
                                  r->uri + len, NULL);
            r->handler = "proxy-server";
-           r->proxyreq = 1;
+           r->proxyreq = PROXY_PASS;
            return OK;
 	}
     }
@@ -218,7 +218,7 @@ static int proxy_fixup(request_rec *r)
     int rc;
 #endif /* EAPI */
 
-    if (!r->proxyreq || strncmp(r->filename, "proxy:", 6) != 0)
+    if (r->proxyreq == NOT_PROXY || strncmp(r->filename, "proxy:", 6) != 0)
 	return DECLINED;
 
     url = &r->filename[6];
@@ -294,7 +294,7 @@ static int proxy_needsdomain(request_rec *r, const char *url, const char *domain
     const char *ref;
 
     /* We only want to worry about GETs */
-    if (!r->proxyreq || r->method_number != M_GET || !r->parsed_uri.hostname)
+    if (r->proxyreq == NOT_PROXY || r->method_number != M_GET || !r->parsed_uri.hostname)
 	return DECLINED;
 
     /* If host does contain a dot already, or it is "localhost", decline */
@@ -338,7 +338,7 @@ static int proxy_handler(request_rec *r)
     int direct_connect = 0;
     const char *maxfwd_str;
 
-    if (!r->proxyreq || strncmp(r->filename, "proxy:", 6) != 0)
+    if (r->proxyreq == NOT_PROXY || strncmp(r->filename, "proxy:", 6) != 0)
 	return DECLINED;
 
     if (r->method_number == M_TRACE &&
@@ -346,7 +346,7 @@ static int proxy_handler(request_rec *r)
 	int maxfwd = strtol(maxfwd_str, NULL, 10);
 	if (maxfwd < 1) {
 	    int access_status;
-	    r->proxyreq = 0;
+	    r->proxyreq = NOT_PROXY;
 	    if ((access_status = ap_send_http_trace(r)))
 		ap_die(access_status, r);
 	    else
@@ -478,18 +478,65 @@ static void *
     ps->allowed_connect_ports = ap_make_array(p, 10, sizeof(int));
     ps->domain = NULL;
     ps->viaopt = via_off; /* initially backward compatible with 1.3.1 */
+    ps->viaopt_set = 0; /* 0 means default */
     ps->req = 0;
+    ps->req_set = 0;
+    ps->recv_buffer_size = 0; /* this default was left unset for some reason */
+    ps->recv_buffer_size_set = 0;
 
     ps->cache.root = NULL;
     ps->cache.space = DEFAULT_CACHE_SPACE;
+    ps->cache.space_set = 0;
     ps->cache.maxexpire = DEFAULT_CACHE_MAXEXPIRE;
+    ps->cache.maxexpire_set = 0;
     ps->cache.defaultexpire = DEFAULT_CACHE_EXPIRE;
+    ps->cache.defaultexpire_set = 0;
     ps->cache.lmfactor = DEFAULT_CACHE_LMFACTOR;
+    ps->cache.lmfactor_set = 0;
     ps->cache.gcinterval = -1;
+    ps->cache.gcinterval_set = 0;
     /* at these levels, the cache can have 2^18 directories (256,000)  */
     ps->cache.dirlevels = 3;
+    ps->cache.dirlevels_set = 0;
     ps->cache.dirlength = 1;
+    ps->cache.dirlength_set = 0;
     ps->cache.cache_completion = DEFAULT_CACHE_COMPLETION;
+    ps->cache.cache_completion_set = 0;
+
+    return ps;
+}
+
+static void *
+     merge_proxy_config(pool *p, void *basev,
+                        void *overridesv)
+{
+    proxy_server_conf *ps = ap_pcalloc(p, sizeof(proxy_server_conf));
+    proxy_server_conf *base = (proxy_server_conf *) basev;
+    proxy_server_conf *overrides = (proxy_server_conf *) overridesv;
+
+    ps->proxies = ap_append_arrays(p, base->proxies, overrides->proxies);
+    ps->aliases = ap_append_arrays(p, base->aliases, overrides->aliases);
+    ps->raliases = ap_append_arrays(p, base->raliases, overrides->raliases);
+    ps->noproxies = ap_append_arrays(p, base->noproxies, overrides->noproxies);
+    ps->dirconn = ap_append_arrays(p, base->dirconn, overrides->dirconn);
+    ps->nocaches = ap_append_arrays(p, base->nocaches, overrides->nocaches);
+    ps->allowed_connect_ports = ap_append_arrays(p, base->allowed_connect_ports, overrides->allowed_connect_ports);
+
+    ps->domain = (overrides->domain == NULL) ? base->domain : overrides->domain;
+    ps->viaopt = (overrides->viaopt_set == 0) ? base->viaopt : overrides->viaopt;
+    ps->req = (overrides->req_set == 0) ? base->req : overrides->req;
+    ps->recv_buffer_size = (overrides->recv_buffer_size_set == 0) ? base->recv_buffer_size : overrides->recv_buffer_size;
+
+    ps->cache.root = (overrides->cache.root == NULL) ? base->cache.root : overrides->cache.root;
+    ps->cache.space = (overrides->cache.space_set == 0) ? base->cache.space : overrides->cache.space;
+    ps->cache.maxexpire = (overrides->cache.maxexpire_set == 0) ? base->cache.maxexpire : overrides->cache.maxexpire;
+    ps->cache.defaultexpire = (overrides->cache.defaultexpire_set == 0) ? base->cache.defaultexpire : overrides->cache.defaultexpire;
+    ps->cache.lmfactor = (overrides->cache.lmfactor_set == 0) ? base->cache.lmfactor : overrides->cache.lmfactor;
+    ps->cache.gcinterval = (overrides->cache.gcinterval_set == 0) ? base->cache.gcinterval : overrides->cache.gcinterval;
+    /* at these levels, the cache can have 2^18 directories (256,000)  */
+    ps->cache.dirlevels = (overrides->cache.dirlevels_set == 0) ? base->cache.dirlevels : overrides->cache.dirlevels;
+    ps->cache.dirlength = (overrides->cache.dirlength_set == 0) ? base->cache.dirlength : overrides->cache.dirlength;
+    ps->cache.cache_completion = (overrides->cache.cache_completion_set == 0) ? base->cache.cache_completion : overrides->cache.cache_completion;
 
     return ps;
 }
@@ -688,6 +735,7 @@ static const char *
     ap_get_module_config(parms->server->module_config, &proxy_module);
 
     psf->req = flag;
+    psf->req_set = 1;
     return NULL;
 }
 
@@ -702,6 +750,7 @@ static const char *
     if (sscanf(arg, "%d", &val) != 1)
 	return "CacheSize value must be an integer (kBytes)";
     psf->cache.space = val;
+    psf->cache.space_set = 1;
     return NULL;
 }
 
@@ -726,6 +775,7 @@ static const char *
     if (sscanf(arg, "%lg", &val) != 1)
 	return "CacheLastModifiedFactor value must be a float";
     psf->cache.lmfactor = val;
+    psf->cache.lmfactor_set = 1;
 
     return NULL;
 }
@@ -740,6 +790,7 @@ static const char *
     if (sscanf(arg, "%lg", &val) != 1)
 	return "CacheMaxExpire value must be a float";
     psf->cache.maxexpire = (int) (val * (double) SEC_ONE_HR);
+    psf->cache.maxexpire_set = 1;
     return NULL;
 }
 
@@ -753,6 +804,7 @@ static const char *
     if (sscanf(arg, "%lg", &val) != 1)
 	return "CacheDefaultExpire value must be a float";
     psf->cache.defaultexpire = (int) (val * (double) SEC_ONE_HR);
+    psf->cache.defaultexpire_set = 1;
     return NULL;
 }
 
@@ -766,6 +818,7 @@ static const char *
     if (sscanf(arg, "%lg", &val) != 1)
 	return "CacheGcInterval value must be a float";
     psf->cache.gcinterval = (int) (val * (double) SEC_ONE_HR);
+    psf->cache.gcinterval_set = 1;
     return NULL;
 }
 
@@ -782,6 +835,7 @@ static const char *
     if (val * psf->cache.dirlength > CACHEFILE_LEN)
 	return "CacheDirLevels*CacheDirLength value must not be higher than 20";
     psf->cache.dirlevels = val;
+    psf->cache.dirlevels_set = 1;
     return NULL;
 }
 
@@ -798,6 +852,7 @@ static const char *
     if (val * psf->cache.dirlevels > CACHEFILE_LEN)
 	return "CacheDirLevels*CacheDirLength value must not be higher than 20";
     psf->cache.dirlength = val;
+    psf->cache.dirlength_set = 1;
     return NULL;
 }
 
@@ -843,6 +898,7 @@ static const char *
     }
 
     psf->recv_buffer_size = s;
+    psf->recv_buffer_size_set = 1;
     return NULL;
 }
 
@@ -859,6 +915,8 @@ static const char*
 
     if (s > 0)
       psf->cache.cache_completion = ((float)s / 100);
+
+    psf->cache.cache_completion = 1;
     return NULL;    
 }
 
@@ -881,6 +939,7 @@ static const char*
                "off | on | full | block";
     }
 
+    psf->viaopt_set = 1;
     return NULL;    
 }
 
@@ -942,7 +1001,7 @@ module MODULE_VAR_EXPORT proxy_module =
     NULL,			/* create per-directory config structure */
     NULL,			/* merge per-directory config structures */
     create_proxy_config,	/* create per-server config structure */
-    NULL,			/* merge per-server config structures */
+    merge_proxy_config,		/* merge per-server config structures */
     proxy_cmds,			/* command table */
     proxy_handlers,		/* handlers */
     proxy_trans,		/* translate_handler */
@@ -963,3 +1022,11 @@ module MODULE_VAR_EXPORT proxy_module =
     NULL			/* EAPI: new_connection  */
 #endif
 };
+
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
diff --git a/usr.sbin/httpd/src/modules/proxy/mod_proxy.h b/usr.sbin/httpd/src/modules/proxy/mod_proxy.h
index 9eb3428d80c..9edd6e6eaac 100644
--- a/usr.sbin/httpd/src/modules/proxy/mod_proxy.h
+++ b/usr.sbin/httpd/src/modules/proxy/mod_proxy.h
@@ -128,13 +128,6 @@ enum enctype {
 /* maximum  'CacheDirLevels*CacheDirLength' value */
 #define CACHEFILE_LEN 20	/* must be less than HASH_LEN/2 */
 
-#ifdef CHARSET_EBCDIC
-#define CRLF   "\r\n"
-#else /*CHARSET_EBCDIC*/
-#define CRLF   "\015\012"
-#endif /*CHARSET_EBCDIC*/
-
-
 #define	SEC_ONE_DAY		86400	/* one day, in seconds */
 #define	SEC_ONE_HR		3600	/* one hour, in seconds */
 
@@ -193,13 +186,21 @@ struct nocache_entry {
 struct cache_conf {
     const char *root;		/* the location of the cache directory */
     off_t space;			/* Maximum cache size (in 1024 bytes) */
+    char space_set;
     time_t maxexpire;		/* Maximum time to keep cached files in secs */
+    char maxexpire_set;
     time_t defaultexpire;	/* default time to keep cached file in secs */
+    char defaultexpire_set;
     double lmfactor;		/* factor for estimating expires date */
+    char lmfactor_set;
     time_t gcinterval;		/* garbage collection interval, in seconds */
+    char gcinterval_set;
     int dirlevels;		/* Number of levels of subdirectories */
+    char dirlevels_set;
     int dirlength;		/* Length of subdirectory names */
+    char dirlength_set;
     float cache_completion;	/* Force cache completion after this point */
+    char cache_completion_set;
 };
 
 typedef struct {
@@ -213,13 +214,16 @@ typedef struct {
     array_header *allowed_connect_ports;
     char *domain;		/* domain name to use in absence of a domain name in the request */
     int req;			/* true if proxy requests are enabled */
+    char req_set;
     enum {
       via_off,
       via_on,
       via_block,
       via_full
     } viaopt;                   /* how to deal with proxy Via: headers */
+    char viaopt_set;
     size_t recv_buffer_size;
+    char recv_buffer_size_set;
 } proxy_server_conf;
 
 struct hdr_entry {
@@ -289,7 +293,7 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url,
 int ap_proxy_hex2c(const char *x);
 void ap_proxy_c2hex(int ch, char *x);
 char *ap_proxy_canonenc(pool *p, const char *x, int len, enum enctype t,
-		     int isenc);
+			enum proxyreqtype isenc);
 char *ap_proxy_canon_netloc(pool *p, char **const urlp, char **userp,
 			 char **passwordp, char **hostp, int *port);
 const char *ap_proxy_date_canon(pool *p, const char *x);
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_cache.c b/usr.sbin/httpd/src/modules/proxy/proxy_cache.c
index 90de9a057e1..00854cb8f21 100644
--- a/usr.sbin/httpd/src/modules/proxy/proxy_cache.c
+++ b/usr.sbin/httpd/src/modules/proxy/proxy_cache.c
@@ -73,6 +73,9 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #endif
+#ifdef TPF
+#include "os.h"
+#endif
 
 DEF_Explain
 
@@ -123,7 +126,7 @@ static int sub_garbage_coll(request_rec *r, array_header *files,
 			    const char *cachedir, const char *cachesubdir);
 static void help_proxy_garbage_coll(request_rec *r);
 static int should_proxy_garbage_coll(request_rec *r);
-#if !defined(WIN32) && !defined(MPE) && !defined(OS2)
+#if !defined(WIN32) && !defined(MPE) && !defined(OS2) && !defined(NETWARE) && !defined(TPF)
 static void detached_proxy_garbage_coll(request_rec *r);
 #endif
 
@@ -143,7 +146,7 @@ void ap_proxy_garbage_coll(request_rec *r)
 
     ap_block_alarms();		/* avoid SIGALRM on big cache cleanup */
     if (should_proxy_garbage_coll(r))
-#if !defined(WIN32) && !defined(MPE) && !defined(OS2)
+#if !defined(WIN32) && !defined(MPE) && !defined(OS2) && !defined(NETWARE) && !defined(TPF)
         detached_proxy_garbage_coll(r);
 #else
         help_proxy_garbage_coll(r);
@@ -203,7 +206,7 @@ static int gcdiff(const void *ap, const void *bp)
 	return 0;
 }
 
-#if !defined(WIN32) && !defined(MPE) && !defined(OS2)
+#if !defined(WIN32) && !defined(MPE) && !defined(OS2) && !defined(NETWARE) && !defined(TPF)
 static void detached_proxy_garbage_coll(request_rec *r)
 {
     pid_t pid;
@@ -465,9 +468,19 @@ static int sub_garbage_coll(request_rec *r, array_header *files,
 	/*      if (strlen(ent->d_name) != HASH_LEN) continue; */
 
 /* under OS/2 use dirent's d_attr to identify a diretory */
-#ifdef OS2
+/* under TPF use stat to identify a directory */
+#if defined(OS2) || defined(TPF)
 /* is it a directory? */
+#ifdef OS2
 	if (ent->d_attr & A_DIR) {
+#elif defined(TPF)
+    if (stat(filename, &buf) == -1) {
+        if (errno != ENOENT)
+            ap_log_error(APLOG_MARK, APLOG_ERR, r->server,
+                 "proxy gc: stat(%s)", filename);
+    }
+    if (S_ISDIR(buf.st_mode)) {
+#endif
 	    char newcachedir[HUGE_STRING_LEN];
 	    ap_snprintf(newcachedir, sizeof(newcachedir),
 			"%s%s/", cachesubdir, ent->d_name);
@@ -500,8 +513,8 @@ static int sub_garbage_coll(request_rec *r, array_header *files,
 	    continue;
 	}
 
-/* In OS/2 this has already been done above */
-#ifndef OS2
+/* In OS/2 and TPF this has already been done above */
+#if !defined(OS2) && !defined(TPF)
 	if (S_ISDIR(buf.st_mode)) {
 	    char newcachedir[HUGE_STRING_LEN];
 	    close(fd);
@@ -728,7 +741,7 @@ int ap_proxy_cache_check(request_rec *r, char *url, struct cache_conf *conf,
 	    ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r,
 			 "proxy: bad (short?) cache file: %s", c->filename);
 	if (i != 1) {
-	    ap_pclosef(r->pool, cachefp->fd);
+	    ap_pclosef(r->pool, ap_bfileno(cachefp, B_WR));
 	    cachefp = NULL;
 	}
     }
@@ -754,7 +767,7 @@ int ap_proxy_cache_check(request_rec *r, char *url, struct cache_conf *conf,
 		if ((q = ap_table_get(c->hdrs, "Expires")) != NULL)
 		    ap_table_set(r->headers_out, "Expires", q);
 	    }
-	    ap_pclosef(r->pool, cachefp->fd);
+	    ap_pclosef(r->pool, ap_bfileno(cachefp, B_WR));
 	    Explain0("Use local copy, cached file hasn't changed");
 	    return HTTP_NOT_MODIFIED;
 	}
@@ -772,7 +785,7 @@ int ap_proxy_cache_check(request_rec *r, char *url, struct cache_conf *conf,
 	r->sent_bodyct = 1;
 	if (!r->header_only)
 	    ap_proxy_send_fb(cachefp, r, NULL);
-	ap_pclosef(r->pool, cachefp->fd);
+	ap_pclosef(r->pool, ap_bfileno(cachefp, B_WR));
 	return OK;
     }
 
@@ -876,7 +889,7 @@ int ap_proxy_cache_update(cache_req *c, table *resp_hdrs,
 	Explain1("Response is not cacheable, unlinking %s", c->filename);
 /* close the file */
 	if (c->fp != NULL) {
-	    ap_pclosef(r->pool, c->fp->fd);
+	    ap_pclosef(r->pool, ap_bfileno(c->fp, B_WR));
 	    c->fp = NULL;
 	}
 /* delete the previously cached file */
@@ -973,17 +986,17 @@ int ap_proxy_cache_update(cache_req *c, table *resp_hdrs,
 /* set any changed headers somehow */
 /* update dates and version, but not content-length */
 	    if (lmod != c->lmod || expc != c->expire || date != c->date) {
-		off_t curpos = lseek(c->fp->fd, 0, SEEK_SET);
+		off_t curpos = lseek(ap_bfileno(c->fp, B_WR), 0, SEEK_SET);
 		if (curpos == -1)
 		    ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
 				 "proxy: error seeking on cache file %s",
 				 c->filename);
-		else if (write(c->fp->fd, buff, 35) == -1)
+		else if (write(ap_bfileno(c->fp, B_WR), buff, 35) == -1)
 		    ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
 				 "proxy: error updating cache file %s",
 				 c->filename);
 	    }
-	    ap_pclosef(r->pool, c->fp->fd);
+	    ap_pclosef(r->pool, ap_bfileno(c->fp, B_WR));
 	    Explain0("Remote document not modified, use local copy");
 	    /* CHECKME: Is this right? Shouldn't we check IMS again here? */
 	    return HTTP_NOT_MODIFIED;
@@ -1005,31 +1018,31 @@ int ap_proxy_cache_update(cache_req *c, table *resp_hdrs,
 /* set any changed headers somehow */
 /* update dates and version, but not content-length */
 	    if (lmod != c->lmod || expc != c->expire || date != c->date) {
-		off_t curpos = lseek(c->fp->fd, 0, SEEK_SET);
+		off_t curpos = lseek(ap_bfileno(c->fp, B_WR), 0, SEEK_SET);
 
 		if (curpos == -1)
 		    ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
 				 "proxy: error seeking on cache file %s",
 				 c->filename);
-		else if (write(c->fp->fd, buff, 35) == -1)
+		else if (write(ap_bfileno(c->fp, B_WR), buff, 35) == -1)
 		    ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
 				 "proxy: error updating cache file %s",
 				 c->filename);
 	    }
-	    ap_pclosef(r->pool, c->fp->fd);
+	    ap_pclosef(r->pool, ap_bfileno(c->fp, B_WR));
 	    return OK;
 	}
     }
 /* new or modified file */
     if (c->fp != NULL) {
-	ap_pclosef(r->pool, c->fp->fd);
-	c->fp->fd = -1;
+	ap_pclosef(r->pool, ap_bfileno(c->fp, B_WR));
     }
     c->version = 0;
     ap_proxy_sec2hex(0, buff + 27);
     buff[35] = ' ';
 
 /* open temporary file */
+#ifndef TPF
 #define TMPFILESTR	"/tmpXXXXXX"
     if (conf->cache.root == NULL)
 	return DECLINED;
@@ -1038,6 +1051,15 @@ int ap_proxy_cache_update(cache_req *c, table *resp_hdrs,
     strcat(c->tempfile, TMPFILESTR);
 #undef TMPFILESTR
     p = mktemp(c->tempfile);
+#else
+    if (conf->cache.root == NULL)
+    return DECLINED;
+    c->tempfile = ap_palloc(r->pool, strlen(conf->cache.root) +1+ L_tmpnam);
+    strcpy(c->tempfile, conf->cache.root);
+    strcat(c->tempfile, "/");
+    p = tmpnam(NULL);
+    strcat(c->tempfile, p);
+#endif
     if (p == NULL)
 	return DECLINED;
 
@@ -1057,7 +1079,7 @@ int ap_proxy_cache_update(cache_req *c, table *resp_hdrs,
     if (ap_bvputs(c->fp, buff, "X-URL: ", c->url, "\n", NULL) == -1) {
 	ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
 		     "proxy: error writing cache file(%s)", c->tempfile);
-	ap_pclosef(r->pool, c->fp->fd);
+	ap_pclosef(r->pool, ap_bfileno(c->fp, B_WR));
 	unlink(c->tempfile);
 	c->fp = NULL;
     }
@@ -1082,7 +1104,7 @@ void ap_proxy_cache_tidy(cache_req *c)
     if (c->len != -1) {
 /* file lengths don't match; don't cache it */
 	if (bc != c->len) {
-	    ap_pclosef(c->req->pool, c->fp->fd);	/* no need to flush */
+	    ap_pclosef(c->req->pool, ap_bfileno(c->fp, B_WR));	/* no need to flush */
 	    unlink(c->tempfile);
 	    return;
 	}
@@ -1102,11 +1124,11 @@ void ap_proxy_cache_tidy(cache_req *c)
 	c->len = bc;
 	ap_bflush(c->fp);
 	ap_proxy_sec2hex(c->len, buff);
-	curpos = lseek(c->fp->fd, 36, SEEK_SET);
+	curpos = lseek(ap_bfileno(c->fp, B_WR), 36, SEEK_SET);
 	if (curpos == -1)
 	    ap_log_error(APLOG_MARK, APLOG_ERR, s,
 			 "proxy: error seeking on cache file %s", c->tempfile);
-	else if (write(c->fp->fd, buff, 8) == -1)
+	else if (write(ap_bfileno(c->fp, B_WR), buff, 8) == -1)
 	    ap_log_error(APLOG_MARK, APLOG_ERR, s,
 			 "proxy: error updating cache file %s", c->tempfile);
     }
@@ -1115,12 +1137,12 @@ void ap_proxy_cache_tidy(cache_req *c)
 	ap_log_error(APLOG_MARK, APLOG_ERR, s,
 		     "proxy: error writing to cache file %s",
 		     c->tempfile);
-	ap_pclosef(c->req->pool, c->fp->fd);
+	ap_pclosef(c->req->pool, ap_bfileno(c->fp, B_WR));
 	unlink(c->tempfile);
 	return;
     }
 
-    if (ap_pclosef(c->req->pool, c->fp->fd) == -1) {
+    if (ap_pclosef(c->req->pool, ap_bfileno(c->fp, B_WR)) == -1) {
 	ap_log_error(APLOG_MARK, APLOG_ERR, s,
 		     "proxy: error closing cache file %s", c->tempfile);
 	unlink(c->tempfile);
@@ -1142,7 +1164,7 @@ void ap_proxy_cache_tidy(cache_req *c)
 	    if (!p)
 		break;
 	    *p = '\0';
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
 	    if (mkdir(c->filename) < 0 && errno != EEXIST)
 #elif defined(__TANDEM)
 	    if (mkdir(c->filename, S_IRWXU | S_IRWXG | S_IRWXO) < 0 && errno != EEXIST)
@@ -1155,7 +1177,7 @@ void ap_proxy_cache_tidy(cache_req *c)
 	    *p = '/';
 	    ++p;
 	}
-#if defined(OS2) || defined(WIN32)
+#if defined(OS2) || defined(WIN32) || defined(NETWARE)
 	/* Under OS/2 use rename. */
 	if (rename(c->tempfile, c->filename) == -1)
 	    ap_log_error(APLOG_MARK, APLOG_ERR, s,
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_connect.c b/usr.sbin/httpd/src/modules/proxy/proxy_connect.c
index 82203f2c9ef..5fe8000c855 100644
--- a/usr.sbin/httpd/src/modules/proxy/proxy_connect.c
+++ b/usr.sbin/httpd/src/modules/proxy/proxy_connect.c
@@ -241,11 +241,11 @@ int ap_proxy_connect_handler(request_rec *r, cache_req *c, char *url,
     while (1) {			/* Infinite loop until error (one side closes the connection) */
 	FD_ZERO(&fds);
 	FD_SET(sock, &fds);
-	FD_SET(r->connection->client->fd, &fds);
+	FD_SET(ap_bfileno(r->connection->client, B_WR), &fds);
 
 	Explain0("Going to sleep (select)");
-	i = ap_select((r->connection->client->fd > sock ?
-		       r->connection->client->fd + 1 :
+	i = ap_select((ap_bfileno(r->connection->client, B_WR) > sock ?
+		       ap_bfileno(r->connection->client, B_WR) + 1 :
 		       sock + 1), &fds, NULL, NULL, NULL);
 	Explain1("Woke from select(), i=%d", i);
 
@@ -255,16 +255,16 @@ int ap_proxy_connect_handler(request_rec *r, cache_req *c, char *url,
 		if ((nbytes = read(sock, buffer, HUGE_STRING_LEN)) != 0) {
 		    if (nbytes == -1)
 			break;
-		    if (write(r->connection->client->fd, buffer, nbytes) == EOF)
+		    if (write(ap_bfileno(r->connection->client, B_WR), buffer, nbytes) == EOF)
 			break;
 		    Explain1("Wrote %d bytes to client", nbytes);
 		}
 		else
 		    break;
 	    }
-	    else if (FD_ISSET(r->connection->client->fd, &fds)) {
+	    else if (FD_ISSET(ap_bfileno(r->connection->client, B_WR), &fds)) {
 		Explain0("client->fd was set");
-		if ((nbytes = read(r->connection->client->fd, buffer,
+		if ((nbytes = read(ap_bfileno(r->connection->client, B_WR), buffer,
 				   HUGE_STRING_LEN)) != 0) {
 		    if (nbytes == -1)
 			break;
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c b/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c
index 47ca9daf9d4..9c57a704e8c 100644
--- a/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c
+++ b/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c
@@ -102,11 +102,7 @@ static int ftp_check_string(const char *x)
 	    ch = ap_proxy_hex2c(&x[i + 1]);
 	    i += 2;
 	}
-#ifndef CHARSET_EBCDIC
-	if (ch == '\015' || ch == '\012' || (ch & 0x80))
-#else /*CHARSET_EBCDIC*/
-	if (ch == '\r' || ch == '\n' || (os_toascii[ch] & 0x80))
-#endif /*CHARSET_EBCDIC*/
+	if (ch == CR || ch == LF || (OS_ASC(ch) & 0x80))
 	    return 0;
     }
     return 1;
@@ -140,7 +136,8 @@ int ap_proxy_ftp_canon(request_rec *r, char *url)
     strp = strchr(url, ';');
     if (strp != NULL) {
 	*(strp++) = '\0';
-	parms = ap_proxy_canonenc(p, strp, strlen(strp), enc_parm, r->proxyreq);
+	parms = ap_proxy_canonenc(p, strp, strlen(strp), enc_parm,
+				  r->proxyreq);
 	if (parms == NULL)
 	    return HTTP_BAD_REQUEST;
     }
@@ -153,15 +150,15 @@ int ap_proxy_ftp_canon(request_rec *r, char *url)
     if (!ftp_check_string(path))
 	return HTTP_BAD_REQUEST;
 
-    if (!r->proxyreq && r->args != NULL) {
+    if (r->proxyreq == NOT_PROXY && r->args != NULL) {
 	if (strp != NULL) {
-	    strp = ap_proxy_canonenc(p, r->args, strlen(r->args), enc_parm, 1);
+	    strp = ap_proxy_canonenc(p, r->args, strlen(r->args), enc_parm, STD_PROXY);
 	    if (strp == NULL)
 		return HTTP_BAD_REQUEST;
 	    parms = ap_pstrcat(p, parms, "?", strp, NULL);
 	}
 	else {
-	    strp = ap_proxy_canonenc(p, r->args, strlen(r->args), enc_fpath, 1);
+	    strp = ap_proxy_canonenc(p, r->args, strlen(r->args), enc_fpath, STD_PROXY);
 	    if (strp == NULL)
 		return HTTP_BAD_REQUEST;
 	    path = ap_pstrcat(p, path, "?", strp, NULL);
@@ -420,7 +417,7 @@ static long int send_dir(BUFF *f, request_rec *r, cache_req *c, char *cwd)
  */
 static int ftp_unauthorized (request_rec *r, int log_it)
 {
-    r->proxyreq = 0;
+    r->proxyreq = NOT_PROXY;
     /* Log failed requests if they supplied a password
      * (log username/password guessing attempts)
      */
@@ -564,6 +561,7 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
 	return HTTP_INTERNAL_SERVER_ERROR;
     }
 
+#ifndef TPF
     if (conf->recv_buffer_size > 0
 	&& setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
 		       (const char *) &conf->recv_buffer_size, sizeof(int))
@@ -571,6 +569,7 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
 	    ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
 			 "setsockopt(SO_RCVBUF): Failed to set ProxyReceiveBufferSize, using default");
     }
+#endif
 
     if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *) &one,
 		   sizeof(one)) == -1) {
@@ -778,7 +777,7 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
 
     if (parms[0] != 'a') {
 	/* set type to image */
-	/* TM - Added \015\012 to the end of TYPE I, otherwise it hangs the
+	/* TM - Added CRLF to the end of TYPE I, otherwise it hangs the
 	   connection */
 	ap_bputs("TYPE I" CRLF, f);
 	ap_bflush(f);
@@ -816,6 +815,7 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
 	return HTTP_INTERNAL_SERVER_ERROR;
     }
 
+#ifndef TPF
     if (conf->recv_buffer_size) {
 	if (setsockopt(dsock, SOL_SOCKET, SO_RCVBUF,
 	       (const char *) &conf->recv_buffer_size, sizeof(int)) == -1) {
@@ -823,6 +823,7 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
 			 "setsockopt(SO_RCVBUF): Failed to set ProxyReceiveBufferSize, using default");
 	}
     }
+#endif
 
     ap_bputs("PASV" CRLF, f);
     ap_bflush(f);
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_http.c b/usr.sbin/httpd/src/modules/proxy/proxy_http.c
index b5cb31358c6..78a889a6b26 100644
--- a/usr.sbin/httpd/src/modules/proxy/proxy_http.c
+++ b/usr.sbin/httpd/src/modules/proxy/proxy_http.c
@@ -97,7 +97,8 @@ int ap_proxy_http_canon(request_rec *r, char *url, const char *scheme, int def_p
 	search = r->args;
 
 /* process path */
-    path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, r->proxyreq);
+    path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path,
+			     r->proxyreq);
     if (path == NULL)
 	return HTTP_BAD_REQUEST;
 
@@ -263,6 +264,7 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url,
 	return HTTP_INTERNAL_SERVER_ERROR;
     }
 
+#ifndef TPF
     if (conf->recv_buffer_size) {
 	if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
 		       (const char *) &conf->recv_buffer_size, sizeof(int))
@@ -271,6 +273,7 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url,
 			 "setsockopt(SO_RCVBUF): Failed to set ProxyReceiveBufferSize, using default");
 	}
     }
+#endif
 
 #ifdef SINIX_D_RESOLVER_BUG
     {
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_util.c b/usr.sbin/httpd/src/modules/proxy/proxy_util.c
index c1258f14995..52f8f50aaee 100644
--- a/usr.sbin/httpd/src/modules/proxy/proxy_util.c
+++ b/usr.sbin/httpd/src/modules/proxy/proxy_util.c
@@ -134,8 +134,8 @@ void ap_proxy_c2hex(int ch, char *x)
  * and encodes those which must be encoded, and does not touch
  * those which must not be touched.
  */
-char *
-     ap_proxy_canonenc(pool *p, const char *x, int len, enum enctype t, int isenc)
+char *ap_proxy_canonenc(pool *p, const char *x, int len, enum enctype t,
+			enum proxyreqtype isenc)
 {
     int i, j, ch;
     char *y;
@@ -177,7 +177,7 @@ char *
 	    continue;
 	}
 /* decode it if not already done */
-	if (isenc && ch == '%') {
+	if (isenc != NOT_PROXY && ch == '%') {
 	    if (!ap_isxdigit(x[i + 1]) || !ap_isxdigit(x[i + 2]))
 		return NULL;
 	    ch = ap_proxy_hex2c(&x[i + 1]);
@@ -280,7 +280,7 @@ char *
 	if (!ap_isdigit(host[i]) && host[i] != '.')
 	    break;
     /* must be an IP address */
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE) || defined(TPF)
     if (host[i] == '\0' && (inet_addr(host) == -1))
 #else
     if (host[i] == '\0' && (ap_inet_addr(host) == -1 || inet_network(host) == -1))
@@ -517,7 +517,7 @@ long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c)
 
     ap_kill_timeout(r);
 
-#ifdef WIN32
+#if defined(WIN32) || defined(TPF)
     /* works fine under win32, so leave it */
     ap_hard_timeout("proxy send body", r);
     alternate_timeouts = 0;
@@ -600,7 +600,7 @@ long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c)
                          (c->len * c->cache_completion < total_bytes_rcvd);
 
                     if (! ok) {
-                        ap_pclosef(c->req->pool, c->fp->fd);
+                        ap_pclosef(c->req->pool, ap_bfileno(c->fp, B_WR));
                         c->fp = NULL;
                         unlink(c->tempfile);
 			c = NULL;
@@ -831,7 +831,7 @@ cache_req *ap_proxy_cache_error(cache_req *c)
 {
     if (c != NULL) {
 	if (c->fp != NULL) {
-	    ap_pclosef(c->req->pool, c->fp->fd);
+	    ap_pclosef(c->req->pool, ap_bfileno(c->fp, B_WR));
 	    c->fp = NULL;
 	}
 	if (c->tempfile) unlink(c->tempfile);
@@ -1242,7 +1242,7 @@ int ap_proxy_doconnect(int sock, struct sockaddr_in *addr, request_rec *r)
     ap_hard_timeout("proxy connect", r);
     do {
 	i = connect(sock, (struct sockaddr *) addr, sizeof(struct sockaddr_in));
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
 	if (i == SOCKET_ERROR)
 	    errno = WSAGetLastError();
 #endif /* WIN32 */
diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl b/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl
index 59308a4c262..0a6f6242fd6 100644
--- a/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl
+++ b/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl
@@ -9,7 +9,7 @@
 ##
 
 ##  ====================================================================
-##  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+##  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 ## 
 ##  Redistribution and use in source and binary forms, with or without
 ##  modification, are permitted provided that the following conditions
@@ -166,6 +166,7 @@ ssl_expr_scan.c: ssl_expr_scan.l ssl_expr_parse.h
 ssl_expr_parse.c ssl_expr_parse.h: ssl_expr_parse.y
 	yacc -d ssl_expr_parse.y
 	sed -e 's;yy;ssl_expr_yy;g' \
+	    -e '/#ifndef lint/,/#endif/d' \
 	    -e '/#if defined(c_plusplus) || defined(__cplusplus)/,/#endif/d' \
 	    <y.tab.c >ssl_expr_parse.c && rm -f y.tab.c
 	sed -e 's;yy;ssl_expr_yy;g' \
diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.win32 b/usr.sbin/httpd/src/modules/ssl/Makefile.win32
index 0e7976f26a3..7d1188ff15f 100644
--- a/usr.sbin/httpd/src/modules/ssl/Makefile.win32
+++ b/usr.sbin/httpd/src/modules/ssl/Makefile.win32
@@ -10,7 +10,7 @@
 
 ##
 ##  ====================================================================
-##  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+##  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 ## 
 ##  Redistribution and use in source and binary forms, with or without
 ##  modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/README b/usr.sbin/httpd/src/modules/ssl/README
index ffa32268574..416af28176d 100644
--- a/usr.sbin/httpd/src/modules/ssl/README
+++ b/usr.sbin/httpd/src/modules/ssl/README
@@ -7,7 +7,7 @@
  mod_ssl                               ``Ralf Engelschall has released an
  Apache Interface to OpenSSL             excellent module that integrates
  http://www.modssl.org/                  Apache and SSLeay.''                 
- Version 2.4                                               -- Tim J. Hudson
+ Version 2.5                                               -- Tim J. Hudson
                                            
  SYNOPSIS
 
@@ -60,11 +60,12 @@
    ssl_util_table.c ........ the hash table library source
    ssl_util_table.h ........ the hash table library header
 
- The source files are written in clean ANSI C and pass the ``gcc -O -g -ggdb3
- -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
- -Wmissing-declarations -Wnested-externs -Winline'' compiler test without any
- complains. When you make changes or additions make sure the source still
- passes this compiler test.
+ The source files are written in clean ANSI C and pass the ``gcc -O -g
+ -ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
+ -Wmissing-declarations -Wnested-externs -Winline'' compiler test
+ (assuming `gcc' is GCC 2.95.2 or newer) without any complains. When
+ you make changes or additions make sure the source still passes this
+ compiler test.
 
  FUNCTIONS
   
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module
index d6537529aa4..45248ddd4f9 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.module
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.module
@@ -10,7 +10,7 @@
 
 ##
 ##  ====================================================================
-##  Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+##  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
 ## 
 ##  Redistribution and use in source and binary forms, with or without
 ##  modification, are permitted provided that the following conditions
@@ -139,11 +139,13 @@ ConfigStart
         my_rule_SSL_COMPAT=$SSL_COMPAT
         my_rule_SSL_SDBM=$SSL_SDBM
         my_rule_SSL_EXPERIMENTAL=$SSL_EXPERIMENTAL
+        my_rule_SSL_CONSERVATIVE=$SSL_CONSERVATIVE
         my_rule_SSL_VENDOR=$SSL_VENDOR
     else
         my_rule_SSL_COMPAT=`./helpers/CutRule SSL_COMPAT $file`
         my_rule_SSL_SDBM=`./helpers/CutRule SSL_SDBM $file`
         my_rule_SSL_EXPERIMENTAL=`./helpers/CutRule SSL_EXPERIMENTAL $file`
+        my_rule_SSL_CONSERVATIVE=`./helpers/CutRule SSL_CONSERVATIVE $file`
         my_rule_SSL_VENDOR=`./helpers/CutRule SSL_VENDOR $file`
     fi
 
@@ -167,6 +169,16 @@ ConfigStart
         echo "$my_prefix SSL interface experimental code: disabled"
     fi
 
+    #
+    #   determine conservative mode
+    #
+    if [ ".$my_rule_SSL_CONSERVATIVE" = .yes ]; then
+        echo "$my_prefix SSL interface conservative code: enabled"
+        SSL_CFLAGS="$SSL_CFLAGS -DSSL_CONSERVATIVE"
+    else
+        echo "$my_prefix SSL interface conservative code: disabled"
+    fi
+
     # 
     #   determine vendor mode
     #
@@ -300,12 +312,8 @@ ConfigStart
             fi
         done
         if [ ".$SSL_BINDIR" = . ]; then
-#            echo "Error: Cannot find SSL binaries in $PATH" 1>&2
-#            exit 1
-# 	     Kludge for OpenBSD - Make sure we work even if the stuff
-# isn't there yet. 
-             SSL_BINDIR="/usr/sbin"
-	     SSL_PROGRAM="/usr/sbin/openssl"
+            echo "Error: Cannot find SSL binaries in $PATH" 1>&2
+            exit 1
         fi
     else
         for name in openssl ssleay; do
@@ -329,18 +337,15 @@ ConfigStart
     #
     #   SSL version
     #
-# kludged for OpenBSD - Don't want this retarded shit breaking make build
-# when openssl isn't there yet. 
-#    SSL_VERSION_ID="`$SSL_PROGRAM version`"
-#    echo "$my_prefix SSL library version: $SSL_VERSION_ID"
-#    case $SSL_VERSION_ID in
-#        *0.[5678].*|*0.9.[012]* )
-#            echo "Error: OpenSSL VERSIONS BELOW 0.9.3 ARE NO LONGER SUPPORTED."
-#            echo "Hint:  Use OpenSSL version 0.9.3 or higher!"
-#            exit 1
-#            ;;
-#    esac
-    SSL_VERSION_ID=0.9.4
+    SSL_VERSION_ID="`$SSL_PROGRAM version`"
+    echo "$my_prefix SSL library version: $SSL_VERSION_ID"
+    case $SSL_VERSION_ID in
+        *0.[5678].*|*0.9.[012]* )
+            echo "Error: OpenSSL VERSIONS BELOW 0.9.3 ARE NO LONGER SUPPORTED."
+            echo "Hint:  Use OpenSSL version 0.9.3 or higher!"
+            exit 1
+            ;;
+    esac
 
     #
     #   determine location of OpenSSL headers
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version
index 048d140c25d..352a795ba42 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.version
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.version
@@ -1 +1 @@
-mod_ssl/2.4.9-1.3.9
+mod_ssl/2.5.0-1.3.11
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
index d473c1237bd..92ebad83622 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -74,7 +74,7 @@
  *  identify the module to SCCS `what' and RCS `ident' commands
  */
 static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";
-static char const rcsid[]  = "$Id: mod_ssl.c,v 1.2 1999/09/29 06:29:45 beck Exp $";
+static char const rcsid[]  = "$Id: mod_ssl.c,v 1.3 2000/01/25 18:29:53 beck Exp $";
 
 /*
  *  the table of configuration directives we provide
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 503615d0b5e..d564b66406c 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -110,6 +110,7 @@
 #include "http_core.h"
 #include "http_log.h"
 #include "scoreboard.h"
+#include "util_md5.h"
 #include "fnmatch.h"
 #undef CORE_PRIVATE
 
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
index 2690de05af2..de92ab89574 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index 0d53222cb8a..3fdc86efb58 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -619,7 +619,7 @@ const char *ssl_cmd_SSLVerifyClient(
     cmd_parms *cmd, SSLDirConfigRec *dc, char *level)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-    int id;
+    ssl_verify_t id;
 
     if (strEQ(level, "0") || strcEQ(level, "none"))
         id = SSL_CVERIFY_NONE;
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c
index dba9040b49a..ae8869cbd6d 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c
@@ -12,7 +12,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c
index b83b5b93052..d83ebe5ebaa 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c
index 14e1efd9089..87a550c2748 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -296,6 +296,7 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb)
     char *errmsg;
     int rc;
     char *cpVHostID;
+    char *cpVHostMD5;
 
     if (ap_ctx_get(r->ctx, "ssl::proxy::enabled") == PFALSE)
         return NULL;
@@ -312,7 +313,13 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb)
         return errmsg;
     }
     SSL_clear(ssl);
-    SSL_set_session_id_context(ssl, (unsigned char *)cpVHostID, strlen(cpVHostID));
+    cpVHostMD5 = ap_md5(r->pool, cpVHostID);
+    if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, strlen(cpVHostMD5))) {
+        errmsg = ap_pstrcat(r->pool, "Unable to set session id context to `%s': ", cpVHostMD5,
+                            ERR_reason_error_string(ERR_get_error()), NULL);
+        ap_ctx_set(fb->ctx, "ssl", NULL);
+        return errmsg;
+    }
     SSL_set_fd(ssl, fb->fd);
     ap_ctx_set(fb->ctx, "ssl", ssl);
 
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 350a6957ce1..a59068780a4 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -346,18 +346,8 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
 
         /* generate 512 bit RSA key */
         if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
-#ifdef __OpenBSD__
-            ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit RSA private key");
-            ssl_log(s, SSL_LOG_ERROR, "Init: (SSL won't work without an RSA capable shared library)");
-            ssl_log(s, SSL_LOG_ERROR, "Init: See ssl(8)");
-            /* harmless in http only case. We'll get a fatal error below
-             * if this didn't work and we try to init https servers
-             */
-            return;
-#else
             ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit RSA private key");
             ssl_die();
-#endif
         }
         asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512");
         asn1->nData  = i2d_RSAPrivateKey(rsa, NULL);
@@ -714,7 +704,14 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
                         cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"), pathlen);
             }
             if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
-                if (strNE(s->server_hostname, cp)) {
+                if (ap_is_fnmatch(cp) &&
+                    !ap_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) {
+                    ssl_log(s, SSL_LOG_WARN,
+                        "Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
+                        "does NOT match server name!?", cpVHostID, 
+                        (i == SSL_AIDX_RSA ? "RSA" : "DSA"), cp);
+                }
+                else if (strNE(s->server_hostname, cp)) {
                     ssl_log(s, SSL_LOG_WARN,
                         "Init: (%s) %s server certificate CommonName (CN) `%s' "
                         "does NOT match server name!?", cpVHostID, 
@@ -883,7 +880,7 @@ void ssl_init_CheckServers(server_rec *sm, pool *p)
     ap_destroy_pool(sp);
     if (bConflict)
         ssl_log(sm, SSL_LOG_WARN,
-                "Init: You cannot use name-based virtual hosts in conjunction with SSL!!");
+                "Init: You should not use name-based virtual hosts in conjunction with SSL!!");
 
     return;
 }
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c
index cde377c84fa..fc1f0d8ee4d 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,7 +70,7 @@
 **  _________________________________________________________________
 */
 
-#ifdef SSL_EXPERIMENTAL
+#ifndef SSL_CONSERVATIVE
 
 /*
  * Background:
@@ -285,7 +285,7 @@ static int ssl_io_suck_read(SSL *ssl, char *buf, int len)
 /* override SSL_read in the following code... */
 #define SSL_read ssl_io_suck_read
 
-#endif /* SSL_EXPERIMENTAL */
+#endif /* !SSL_CONSERVATIVE */
 
 /*  _________________________________________________________________
 **
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 2561a43cbd3..ff45e996ff1 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -134,6 +134,7 @@ void ssl_hook_NewConnection(conn_rec *conn)
     SSL *ssl;
     char *cp;
     char *cpVHostID;
+    char *cpVHostMD5;
     X509 *xs;
     int rc;
     int n;
@@ -186,7 +187,15 @@ void ssl_hook_NewConnection(conn_rec *conn)
         return;
     }
     SSL_clear(ssl);
-    SSL_set_session_id_context(ssl, (unsigned char *)cpVHostID, strlen(cpVHostID));
+    cpVHostMD5 = ap_md5(conn->pool, cpVHostID);
+    if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, strlen(cpVHostMD5))) {
+        ssl_log(conn->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+                "Unable to set session id context to `%s'", cpVHostMD5);
+        ap_ctx_set(fb->ctx, "ssl", NULL);
+        ap_bsetflag(fb, B_EOF|B_EOUT, 1);
+        conn->aborted = 1;
+        return;
+    }
     SSL_set_app_data(ssl, conn);
     apctx = ap_ctx_new(conn->pool);
     ap_ctx_set(apctx, "ssl::request_rec", NULL);
@@ -902,7 +911,7 @@ int ssl_hook_Access(request_rec *r)
     }
 #endif /* SSL_EXPERIMENTAL */
 
-#ifndef SSL_EXPERIMENTAL 
+#ifdef SSL_CONSERVATIVE 
     /* 
      *  SSL renegotiations in conjunction with HTTP
      *  requests using the POST method are not supported.
@@ -911,10 +920,10 @@ int ssl_hook_Access(request_rec *r)
         ssl_log(r->server, SSL_LOG_ERROR,
                 "SSL Re-negotiation in conjunction with POST method not supported!");
         ssl_log(r->server, SSL_LOG_INFO,
-                "There is only experimental support which has to be enabled first");
+                "You have to compile without -DSSL_CONSERVATIVE to enabled support for this.");
         return METHOD_NOT_ALLOWED;
     }
-#endif /* not SSL_EXPERIMENTAL */
+#endif /* SSL_CONSERVATIVE */
 
     /*
      * now do the renegotiation if anything was actually reconfigured
@@ -967,7 +976,7 @@ int ssl_hook_Access(request_rec *r)
                 SSL_set_session_id_context(ssl, (unsigned char *)&(r->main), sizeof(r->main));
             else
                 SSL_set_session_id_context(ssl, (unsigned char *)&r, sizeof(r));
-#ifdef SSL_EXPERIMENTAL
+#ifndef SSL_CONSERVATIVE
             ssl_io_suck(r, ssl);
 #endif
             SSL_renegotiate(ssl);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
index 31ac31cef83..faabce00397 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c
index 2f5eca251e7..06ed510f15d 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
index 570cabe3fa9..cf2c90bb3d8 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c
index 4ae847f8865..2b50b438122 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
index 593245d3e21..eefb5056308 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
index 84fa17c39e7..c08fa8fb26f 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr.c
index 8601468dca8..58afabb1fc7 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr.h b/usr.sbin/httpd/src/modules/ssl/ssl_expr.h
index 42c6cdde9fb..684270017b6 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr.h
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr.h
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
index 6e1fc60384b..ca55e5b90d1 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.c
new file mode 100644
index 00000000000..f6b45840879
--- /dev/null
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.c
@@ -0,0 +1,574 @@
+#include <stdlib.h>
+#define YYBYACC 1
+#define YYMAJOR 1
+#define YYMINOR 9
+#define YYLEX ssl_expr_yylex()
+#define YYEMPTY -1
+#define ssl_expr_yyclearin (ssl_expr_yychar=(YYEMPTY))
+#define ssl_expr_yyerrok (ssl_expr_yyerrflag=0)
+#define YYRECOVERING (ssl_expr_yyerrflag!=0)
+static int ssl_expr_yygrowstack();
+#define YYPREFIX "ssl_expr_yy"
+#line 72 "ssl_expr_parse.y"
+#include "mod_ssl.h"
+#line 75 "ssl_expr_parse.y"
+typedef union {
+    char     *cpVal;
+    ssl_expr *exVal;
+} YYSTYPE;
+#line 29 "y.tab.c"
+#define T_TRUE 257
+#define T_FALSE 258
+#define T_DIGIT 259
+#define T_ID 260
+#define T_STRING 261
+#define T_REGEX 262
+#define T_REGEX_I 263
+#define T_FUNC_FILE 264
+#define T_OP_EQ 265
+#define T_OP_NE 266
+#define T_OP_LT 267
+#define T_OP_LE 268
+#define T_OP_GT 269
+#define T_OP_GE 270
+#define T_OP_REG 271
+#define T_OP_NRE 272
+#define T_OP_IN 273
+#define T_OP_OR 274
+#define T_OP_AND 275
+#define T_OP_NOT 276
+#define YYERRCODE 256
+const short ssl_expr_yylhs[] = {                                        -1,
+    0,    1,    1,    1,    1,    1,    1,    1,    2,    2,
+    2,    2,    2,    2,    2,    2,    2,    5,    5,    6,
+    6,    6,    6,    4,    4,    3,
+};
+const short ssl_expr_yylen[] = {                                         2,
+    1,    1,    1,    2,    3,    3,    1,    3,    3,    3,
+    3,    3,    3,    3,    5,    3,    3,    1,    3,    1,
+    1,    4,    1,    1,    1,    4,
+};
+const short ssl_expr_yydefred[] = {                                      0,
+    2,    3,   20,   21,    0,    0,    0,    0,    0,    0,
+    7,   23,    0,    0,    4,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    8,
+    0,    0,    6,    9,   10,   11,   12,   13,   14,   24,
+   25,   16,   17,    0,   26,   22,    0,   18,   15,    0,
+   19,
+};
+const short ssl_expr_yydgoto[] = {                                       9,
+   10,   11,   12,   42,   47,   13,
+};
+const short ssl_expr_yysindex[] = {                                    -37,
+    0,    0,    0,    0,  -35,  -37,  -37,  -99,    0, -247,
+    0,    0, -250, -229,    0,  -39, -227,  -37,  -37,  -33,
+  -33,  -33,  -33,  -33,  -33, -233, -233,  -89,   -6,    0,
+  -87, -239,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,  -33,    0,    0,  -38,    0,    0,  -33,
+    0,
+};
+const short ssl_expr_yyrindex[] = {                                      0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,   39,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    1,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,
+};
+const short ssl_expr_yygindex[] = {                                      0,
+    7,    0,    0,   13,    0,  -13,
+};
+#define YYTABLESIZE 275
+const short ssl_expr_yytable[] = {                                       8,
+    5,   30,    7,    8,   14,   50,   34,   35,   36,   37,
+   38,   39,   15,   16,   20,   21,   22,   23,   24,   25,
+   26,   27,   28,   17,   32,   33,   18,   19,   40,   41,
+   48,   29,   31,   44,   45,   19,   51,   46,    1,   43,
+    0,    5,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,   49,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    1,
+    2,    3,    0,    4,    0,    3,    5,    4,    0,    0,
+    5,    0,    0,    0,   18,   19,    0,    0,    6,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    5,
+};
+const short ssl_expr_yycheck[] = {                                      37,
+    0,   41,   40,   37,   40,   44,   20,   21,   22,   23,
+   24,   25,    6,    7,  265,  266,  267,  268,  269,  270,
+  271,  272,  273,  123,   18,   19,  274,  275,  262,  263,
+   44,  261,  260,  123,   41,  275,   50,  125,    0,   27,
+   -1,   41,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,  125,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,  257,
+  258,  259,   -1,  261,   -1,  259,  264,  261,   -1,   -1,
+  264,   -1,   -1,   -1,  274,  275,   -1,   -1,  276,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,  274,
+};
+#define YYFINAL 9
+#ifndef YYDEBUG
+#define YYDEBUG 0
+#elif YYDEBUG
+#include <stdio.h>
+#endif
+#define YYMAXTOKEN 276
+#if YYDEBUG
+const char * const ssl_expr_yyname[] = {
+"end-of-file",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,"'%'",0,0,"'('","')'",0,0,"','",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"T_TRUE",
+"T_FALSE","T_DIGIT","T_ID","T_STRING","T_REGEX","T_REGEX_I","T_FUNC_FILE",
+"T_OP_EQ","T_OP_NE","T_OP_LT","T_OP_LE","T_OP_GT","T_OP_GE","T_OP_REG",
+"T_OP_NRE","T_OP_IN","T_OP_OR","T_OP_AND","T_OP_NOT",
+};
+const char * const ssl_expr_yyrule[] = {
+"$accept : root",
+"root : expr",
+"expr : T_TRUE",
+"expr : T_FALSE",
+"expr : T_OP_NOT expr",
+"expr : expr T_OP_OR expr",
+"expr : expr T_OP_AND expr",
+"expr : comparison",
+"expr : '(' expr ')'",
+"comparison : word T_OP_EQ word",
+"comparison : word T_OP_NE word",
+"comparison : word T_OP_LT word",
+"comparison : word T_OP_LE word",
+"comparison : word T_OP_GT word",
+"comparison : word T_OP_GE word",
+"comparison : word T_OP_IN '{' words '}'",
+"comparison : word T_OP_REG regex",
+"comparison : word T_OP_NRE regex",
+"words : word",
+"words : words ',' word",
+"word : T_DIGIT",
+"word : T_STRING",
+"word : '%' '{' T_ID '}'",
+"word : funccall",
+"regex : T_REGEX",
+"regex : T_REGEX_I",
+"funccall : T_FUNC_FILE '(' T_STRING ')'",
+};
+#endif
+#ifdef YYSTACKSIZE
+#undef YYMAXDEPTH
+#define YYMAXDEPTH YYSTACKSIZE
+#else
+#ifdef YYMAXDEPTH
+#define YYSTACKSIZE YYMAXDEPTH
+#else
+#define YYSTACKSIZE 10000
+#define YYMAXDEPTH 10000
+#endif
+#endif
+#define YYINITSTACKSIZE 200
+int ssl_expr_yydebug;
+int ssl_expr_yynerrs;
+int ssl_expr_yyerrflag;
+int ssl_expr_yychar;
+short *ssl_expr_yyssp;
+YYSTYPE *ssl_expr_yyvsp;
+YYSTYPE ssl_expr_yyval;
+YYSTYPE ssl_expr_yylval;
+short *ssl_expr_yyss;
+short *ssl_expr_yysslim;
+YYSTYPE *ssl_expr_yyvs;
+int ssl_expr_yystacksize;
+#line 180 "ssl_expr_parse.y"
+
+int ssl_expr_yyerror(char *s)
+{
+    ssl_expr_error = s;
+    return 2;
+}
+
+#line 232 "y.tab.c"
+/* allocate initial stack or double stack size, up to YYMAXDEPTH */
+static int ssl_expr_yygrowstack()
+{
+    int newsize, i;
+    short *newss;
+    YYSTYPE *newvs;
+
+    if ((newsize = ssl_expr_yystacksize) == 0)
+        newsize = YYINITSTACKSIZE;
+    else if (newsize >= YYMAXDEPTH)
+        return -1;
+    else if ((newsize *= 2) > YYMAXDEPTH)
+        newsize = YYMAXDEPTH;
+    i = ssl_expr_yyssp - ssl_expr_yyss;
+    if ((newss = (short *)realloc(ssl_expr_yyss, newsize * sizeof *newss)) == NULL)
+        return -1;
+    ssl_expr_yyss = newss;
+    ssl_expr_yyssp = newss + i;
+    if ((newvs = (YYSTYPE *)realloc(ssl_expr_yyvs, newsize * sizeof *newvs)) == NULL)
+        return -1;
+    ssl_expr_yyvs = newvs;
+    ssl_expr_yyvsp = newvs + i;
+    ssl_expr_yystacksize = newsize;
+    ssl_expr_yysslim = ssl_expr_yyss + newsize - 1;
+    return 0;
+}
+
+#define YYABORT goto ssl_expr_yyabort
+#define YYREJECT goto ssl_expr_yyabort
+#define YYACCEPT goto ssl_expr_yyaccept
+#define YYERROR goto ssl_expr_yyerrlab
+
+int
+ssl_expr_yyparse()
+{
+    register int ssl_expr_yym, ssl_expr_yyn, ssl_expr_yystate;
+#if YYDEBUG
+    register const char *ssl_expr_yys;
+
+    if ((ssl_expr_yys = getenv("YYDEBUG")))
+    {
+        ssl_expr_yyn = *ssl_expr_yys;
+        if (ssl_expr_yyn >= '0' && ssl_expr_yyn <= '9')
+            ssl_expr_yydebug = ssl_expr_yyn - '0';
+    }
+#endif
+
+    ssl_expr_yynerrs = 0;
+    ssl_expr_yyerrflag = 0;
+    ssl_expr_yychar = (-1);
+
+    if (ssl_expr_yyss == NULL && ssl_expr_yygrowstack()) goto ssl_expr_yyoverflow;
+    ssl_expr_yyssp = ssl_expr_yyss;
+    ssl_expr_yyvsp = ssl_expr_yyvs;
+    *ssl_expr_yyssp = ssl_expr_yystate = 0;
+
+ssl_expr_yyloop:
+    if ((ssl_expr_yyn = ssl_expr_yydefred[ssl_expr_yystate])) goto ssl_expr_yyreduce;
+    if (ssl_expr_yychar < 0)
+    {
+        if ((ssl_expr_yychar = ssl_expr_yylex()) < 0) ssl_expr_yychar = 0;
+#if YYDEBUG
+        if (ssl_expr_yydebug)
+        {
+            ssl_expr_yys = 0;
+            if (ssl_expr_yychar <= YYMAXTOKEN) ssl_expr_yys = ssl_expr_yyname[ssl_expr_yychar];
+            if (!ssl_expr_yys) ssl_expr_yys = "illegal-symbol";
+            printf("%sdebug: state %d, reading %d (%s)\n",
+                    YYPREFIX, ssl_expr_yystate, ssl_expr_yychar, ssl_expr_yys);
+        }
+#endif
+    }
+    if ((ssl_expr_yyn = ssl_expr_yysindex[ssl_expr_yystate]) && (ssl_expr_yyn += ssl_expr_yychar) >= 0 &&
+            ssl_expr_yyn <= YYTABLESIZE && ssl_expr_yycheck[ssl_expr_yyn] == ssl_expr_yychar)
+    {
+#if YYDEBUG
+        if (ssl_expr_yydebug)
+            printf("%sdebug: state %d, shifting to state %d\n",
+                    YYPREFIX, ssl_expr_yystate, ssl_expr_yytable[ssl_expr_yyn]);
+#endif
+        if (ssl_expr_yyssp >= ssl_expr_yysslim && ssl_expr_yygrowstack())
+        {
+            goto ssl_expr_yyoverflow;
+        }
+        *++ssl_expr_yyssp = ssl_expr_yystate = ssl_expr_yytable[ssl_expr_yyn];
+        *++ssl_expr_yyvsp = ssl_expr_yylval;
+        ssl_expr_yychar = (-1);
+        if (ssl_expr_yyerrflag > 0)  --ssl_expr_yyerrflag;
+        goto ssl_expr_yyloop;
+    }
+    if ((ssl_expr_yyn = ssl_expr_yyrindex[ssl_expr_yystate]) && (ssl_expr_yyn += ssl_expr_yychar) >= 0 &&
+            ssl_expr_yyn <= YYTABLESIZE && ssl_expr_yycheck[ssl_expr_yyn] == ssl_expr_yychar)
+    {
+        ssl_expr_yyn = ssl_expr_yytable[ssl_expr_yyn];
+        goto ssl_expr_yyreduce;
+    }
+    if (ssl_expr_yyerrflag) goto ssl_expr_yyinrecovery;
+#if defined(lint) || defined(__GNUC__)
+    goto ssl_expr_yynewerror;
+#endif
+ssl_expr_yynewerror:
+    ssl_expr_yyerror("syntax error");
+#if defined(lint) || defined(__GNUC__)
+    goto ssl_expr_yyerrlab;
+#endif
+ssl_expr_yyerrlab:
+    ++ssl_expr_yynerrs;
+ssl_expr_yyinrecovery:
+    if (ssl_expr_yyerrflag < 3)
+    {
+        ssl_expr_yyerrflag = 3;
+        for (;;)
+        {
+            if ((ssl_expr_yyn = ssl_expr_yysindex[*ssl_expr_yyssp]) && (ssl_expr_yyn += YYERRCODE) >= 0 &&
+                    ssl_expr_yyn <= YYTABLESIZE && ssl_expr_yycheck[ssl_expr_yyn] == YYERRCODE)
+            {
+#if YYDEBUG
+                if (ssl_expr_yydebug)
+                    printf("%sdebug: state %d, error recovery shifting\
+ to state %d\n", YYPREFIX, *ssl_expr_yyssp, ssl_expr_yytable[ssl_expr_yyn]);
+#endif
+                if (ssl_expr_yyssp >= ssl_expr_yysslim && ssl_expr_yygrowstack())
+                {
+                    goto ssl_expr_yyoverflow;
+                }
+                *++ssl_expr_yyssp = ssl_expr_yystate = ssl_expr_yytable[ssl_expr_yyn];
+                *++ssl_expr_yyvsp = ssl_expr_yylval;
+                goto ssl_expr_yyloop;
+            }
+            else
+            {
+#if YYDEBUG
+                if (ssl_expr_yydebug)
+                    printf("%sdebug: error recovery discarding state %d\n",
+                            YYPREFIX, *ssl_expr_yyssp);
+#endif
+                if (ssl_expr_yyssp <= ssl_expr_yyss) goto ssl_expr_yyabort;
+                --ssl_expr_yyssp;
+                --ssl_expr_yyvsp;
+            }
+        }
+    }
+    else
+    {
+        if (ssl_expr_yychar == 0) goto ssl_expr_yyabort;
+#if YYDEBUG
+        if (ssl_expr_yydebug)
+        {
+            ssl_expr_yys = 0;
+            if (ssl_expr_yychar <= YYMAXTOKEN) ssl_expr_yys = ssl_expr_yyname[ssl_expr_yychar];
+            if (!ssl_expr_yys) ssl_expr_yys = "illegal-symbol";
+            printf("%sdebug: state %d, error recovery discards token %d (%s)\n",
+                    YYPREFIX, ssl_expr_yystate, ssl_expr_yychar, ssl_expr_yys);
+        }
+#endif
+        ssl_expr_yychar = (-1);
+        goto ssl_expr_yyloop;
+    }
+ssl_expr_yyreduce:
+#if YYDEBUG
+    if (ssl_expr_yydebug)
+        printf("%sdebug: state %d, reducing by rule %d (%s)\n",
+                YYPREFIX, ssl_expr_yystate, ssl_expr_yyn, ssl_expr_yyrule[ssl_expr_yyn]);
+#endif
+    ssl_expr_yym = ssl_expr_yylen[ssl_expr_yyn];
+    ssl_expr_yyval = ssl_expr_yyvsp[1-ssl_expr_yym];
+    switch (ssl_expr_yyn)
+    {
+case 1:
+#line 118 "ssl_expr_parse.y"
+{ ssl_expr_info.expr = ssl_expr_yyvsp[0].exVal; }
+break;
+case 2:
+#line 121 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_True,  NULL, NULL); }
+break;
+case 3:
+#line 122 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_False, NULL, NULL); }
+break;
+case 4:
+#line 123 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_Not,   ssl_expr_yyvsp[0].exVal,   NULL); }
+break;
+case 5:
+#line 124 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_Or,    ssl_expr_yyvsp[-2].exVal,   ssl_expr_yyvsp[0].exVal);   }
+break;
+case 6:
+#line 125 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_And,   ssl_expr_yyvsp[-2].exVal,   ssl_expr_yyvsp[0].exVal);   }
+break;
+case 7:
+#line 126 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_Comp,  ssl_expr_yyvsp[0].exVal,   NULL); }
+break;
+case 8:
+#line 127 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_yyvsp[-1].exVal; }
+break;
+case 9:
+#line 130 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_EQ,  ssl_expr_yyvsp[-2].exVal, ssl_expr_yyvsp[0].exVal); }
+break;
+case 10:
+#line 131 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_NE,  ssl_expr_yyvsp[-2].exVal, ssl_expr_yyvsp[0].exVal); }
+break;
+case 11:
+#line 132 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_LT,  ssl_expr_yyvsp[-2].exVal, ssl_expr_yyvsp[0].exVal); }
+break;
+case 12:
+#line 133 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_LE,  ssl_expr_yyvsp[-2].exVal, ssl_expr_yyvsp[0].exVal); }
+break;
+case 13:
+#line 134 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_GT,  ssl_expr_yyvsp[-2].exVal, ssl_expr_yyvsp[0].exVal); }
+break;
+case 14:
+#line 135 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_GE,  ssl_expr_yyvsp[-2].exVal, ssl_expr_yyvsp[0].exVal); }
+break;
+case 15:
+#line 136 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_IN,  ssl_expr_yyvsp[-4].exVal, ssl_expr_yyvsp[-1].exVal); }
+break;
+case 16:
+#line 137 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_REG, ssl_expr_yyvsp[-2].exVal, ssl_expr_yyvsp[0].exVal); }
+break;
+case 17:
+#line 138 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_NRE, ssl_expr_yyvsp[-2].exVal, ssl_expr_yyvsp[0].exVal); }
+break;
+case 18:
+#line 141 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_ListElement, ssl_expr_yyvsp[0].exVal, NULL); }
+break;
+case 19:
+#line 142 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_ListElement, ssl_expr_yyvsp[0].exVal, ssl_expr_yyvsp[-2].exVal);   }
+break;
+case 20:
+#line 145 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_Digit,  ssl_expr_yyvsp[0].cpVal, NULL); }
+break;
+case 21:
+#line 146 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_String, ssl_expr_yyvsp[0].cpVal, NULL); }
+break;
+case 22:
+#line 147 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_Var,    ssl_expr_yyvsp[-1].cpVal, NULL); }
+break;
+case 23:
+#line 148 "ssl_expr_parse.y"
+{ ssl_expr_yyval.exVal = ssl_expr_yyvsp[0].exVal; }
+break;
+case 24:
+#line 151 "ssl_expr_parse.y"
+{ 
+                regex_t *regex;
+                if ((regex = ap_pregcomp(ssl_expr_info.pool, ssl_expr_yyvsp[0].cpVal, 
+                                         REG_EXTENDED|REG_NOSUB)) == NULL) {
+                    ssl_expr_error = "Failed to compile regular expression";
+                    YYERROR;
+                    regex = NULL;
+                }
+                ssl_expr_yyval.exVal = ssl_expr_make(op_Regex, regex, NULL);
+            }
+break;
+case 25:
+#line 161 "ssl_expr_parse.y"
+{
+                regex_t *regex;
+                if ((regex = ap_pregcomp(ssl_expr_info.pool, ssl_expr_yyvsp[0].cpVal, 
+                                         REG_EXTENDED|REG_NOSUB|REG_ICASE)) == NULL) {
+                    ssl_expr_error = "Failed to compile regular expression";
+                    YYERROR;
+                    regex = NULL;
+                }
+                ssl_expr_yyval.exVal = ssl_expr_make(op_Regex, regex, NULL);
+            }
+break;
+case 26:
+#line 173 "ssl_expr_parse.y"
+{ 
+               ssl_expr *args = ssl_expr_make(op_ListElement, ssl_expr_yyvsp[-1].cpVal, NULL);
+               ssl_expr_yyval.exVal = ssl_expr_make(op_Func, "file", args);
+            }
+break;
+#line 526 "y.tab.c"
+    }
+    ssl_expr_yyssp -= ssl_expr_yym;
+    ssl_expr_yystate = *ssl_expr_yyssp;
+    ssl_expr_yyvsp -= ssl_expr_yym;
+    ssl_expr_yym = ssl_expr_yylhs[ssl_expr_yyn];
+    if (ssl_expr_yystate == 0 && ssl_expr_yym == 0)
+    {
+#if YYDEBUG
+        if (ssl_expr_yydebug)
+            printf("%sdebug: after reduction, shifting from state 0 to\
+ state %d\n", YYPREFIX, YYFINAL);
+#endif
+        ssl_expr_yystate = YYFINAL;
+        *++ssl_expr_yyssp = YYFINAL;
+        *++ssl_expr_yyvsp = ssl_expr_yyval;
+        if (ssl_expr_yychar < 0)
+        {
+            if ((ssl_expr_yychar = ssl_expr_yylex()) < 0) ssl_expr_yychar = 0;
+#if YYDEBUG
+            if (ssl_expr_yydebug)
+            {
+                ssl_expr_yys = 0;
+                if (ssl_expr_yychar <= YYMAXTOKEN) ssl_expr_yys = ssl_expr_yyname[ssl_expr_yychar];
+                if (!ssl_expr_yys) ssl_expr_yys = "illegal-symbol";
+                printf("%sdebug: state %d, reading %d (%s)\n",
+                        YYPREFIX, YYFINAL, ssl_expr_yychar, ssl_expr_yys);
+            }
+#endif
+        }
+        if (ssl_expr_yychar == 0) goto ssl_expr_yyaccept;
+        goto ssl_expr_yyloop;
+    }
+    if ((ssl_expr_yyn = ssl_expr_yygindex[ssl_expr_yym]) && (ssl_expr_yyn += ssl_expr_yystate) >= 0 &&
+            ssl_expr_yyn <= YYTABLESIZE && ssl_expr_yycheck[ssl_expr_yyn] == ssl_expr_yystate)
+        ssl_expr_yystate = ssl_expr_yytable[ssl_expr_yyn];
+    else
+        ssl_expr_yystate = ssl_expr_yydgoto[ssl_expr_yym];
+#if YYDEBUG
+    if (ssl_expr_yydebug)
+        printf("%sdebug: after reduction, shifting from state %d \
+to state %d\n", YYPREFIX, *ssl_expr_yyssp, ssl_expr_yystate);
+#endif
+    if (ssl_expr_yyssp >= ssl_expr_yysslim && ssl_expr_yygrowstack())
+    {
+        goto ssl_expr_yyoverflow;
+    }
+    *++ssl_expr_yyssp = ssl_expr_yystate;
+    *++ssl_expr_yyvsp = ssl_expr_yyval;
+    goto ssl_expr_yyloop;
+ssl_expr_yyoverflow:
+    ssl_expr_yyerror("yacc stack overflow");
+ssl_expr_yyabort:
+    return (1);
+ssl_expr_yyaccept:
+    return (0);
+}
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y b/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y
index f1819f46d8e..ef54d074052 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.c
new file mode 100644
index 00000000000..4fe4da916be
--- /dev/null
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.c
@@ -0,0 +1,2002 @@
+#define yy_create_buffer ssl_expr_yy_create_buffer
+#define yy_delete_buffer ssl_expr_yy_delete_buffer
+#define yy_scan_buffer ssl_expr_yy_scan_buffer
+#define yy_scan_string ssl_expr_yy_scan_string
+#define yy_scan_bytes ssl_expr_yy_scan_bytes
+#define yy_flex_debug ssl_expr_yy_flex_debug
+#define yy_init_buffer ssl_expr_yy_init_buffer
+#define yy_flush_buffer ssl_expr_yy_flush_buffer
+#define yy_load_buffer_state ssl_expr_yy_load_buffer_state
+#define yy_switch_to_buffer ssl_expr_yy_switch_to_buffer
+#define yyin ssl_expr_yyin
+#define yyleng ssl_expr_yyleng
+#define yylex ssl_expr_yylex
+#define yyout ssl_expr_yyout
+#define yyrestart ssl_expr_yyrestart
+#define yytext ssl_expr_yytext
+
+/* A lexical scanner generated by flex */
+
+/* Scanner skeleton version:
+ */
+
+#define FLEX_SCANNER
+#define YY_FLEX_MAJOR_VERSION 2
+#define YY_FLEX_MINOR_VERSION 5
+
+#include <stdio.h>
+
+
+/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
+#ifdef c_plusplus
+#ifndef __cplusplus
+#define __cplusplus
+#endif
+#endif
+
+
+#ifdef __cplusplus
+
+#include <stdlib.h>
+#include <unistd.h>
+
+/* Use prototypes in function declarations. */
+#define YY_USE_PROTOS
+
+/* The "const" storage-class-modifier is valid. */
+#define YY_USE_CONST
+
+#else	/* ! __cplusplus */
+
+#if __STDC__
+
+#define YY_USE_PROTOS
+#define YY_USE_CONST
+
+#endif	/* __STDC__ */
+#endif	/* ! __cplusplus */
+
+#ifdef __TURBOC__
+ #pragma warn -rch
+ #pragma warn -use
+#include <io.h>
+#include <stdlib.h>
+#define YY_USE_CONST
+#define YY_USE_PROTOS
+#endif
+
+#ifdef YY_USE_CONST
+#define yyconst const
+#else
+#define yyconst
+#endif
+
+
+#ifdef YY_USE_PROTOS
+#define YY_PROTO(proto) proto
+#else
+#define YY_PROTO(proto) ()
+#endif
+
+/* Returned upon end-of-file. */
+#define YY_NULL 0
+
+/* Promotes a possibly negative, possibly signed char to an unsigned
+ * integer for use as an array index.  If the signed char is negative,
+ * we want to instead treat it as an 8-bit unsigned char, hence the
+ * double cast.
+ */
+#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+
+/* Enter a start condition.  This macro really ought to take a parameter,
+ * but we do it the disgusting crufty way forced on us by the ()-less
+ * definition of BEGIN.
+ */
+#define BEGIN yy_start = 1 + 2 *
+
+/* Translate the current start state into a value that can be later handed
+ * to BEGIN to return to the state.  The YYSTATE alias is for lex
+ * compatibility.
+ */
+#define YY_START ((yy_start - 1) / 2)
+#define YYSTATE YY_START
+
+/* Action number for EOF rule of a given start state. */
+#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
+
+/* Special action meaning "start processing a new file". */
+#define YY_NEW_FILE yyrestart( yyin )
+
+#define YY_END_OF_BUFFER_CHAR 0
+
+/* Size of default input buffer. */
+#define YY_BUF_SIZE 16384
+
+typedef struct yy_buffer_state *YY_BUFFER_STATE;
+
+extern int yyleng;
+extern FILE *yyin, *yyout;
+
+#define EOB_ACT_CONTINUE_SCAN 0
+#define EOB_ACT_END_OF_FILE 1
+#define EOB_ACT_LAST_MATCH 2
+
+/* The funky do-while in the following #define is used to turn the definition
+ * int a single C statement (which needs a semi-colon terminator).  This
+ * avoids problems with code like:
+ *
+ * 	if ( condition_holds )
+ *		yyless( 5 );
+ *	else
+ *		do_something_else();
+ *
+ * Prior to using the do-while the compiler would get upset at the
+ * "else" because it interpreted the "if" statement as being all
+ * done when it reached the ';' after the yyless() call.
+ */
+
+/* Return all but the first 'n' matched characters back to the input stream. */
+
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+		*yy_cp = yy_hold_char; \
+		YY_RESTORE_YY_MORE_OFFSET \
+		yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \
+		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
+		} \
+	while ( 0 )
+
+#define unput(c) yyunput( c, yytext_ptr )
+
+/* The following is because we cannot portably get our hands on size_t
+ * (without autoconf's help, which isn't available because we want
+ * flex-generated scanners to compile on their own).
+ */
+typedef unsigned int yy_size_t;
+
+
+struct yy_buffer_state
+	{
+	FILE *yy_input_file;
+
+	char *yy_ch_buf;		/* input buffer */
+	char *yy_buf_pos;		/* current position in input buffer */
+
+	/* Size of input buffer in bytes, not including room for EOB
+	 * characters.
+	 */
+	yy_size_t yy_buf_size;
+
+	/* Number of characters read into yy_ch_buf, not including EOB
+	 * characters.
+	 */
+	int yy_n_chars;
+
+	/* Whether we "own" the buffer - i.e., we know we created it,
+	 * and can realloc() it to grow it, and should free() it to
+	 * delete it.
+	 */
+	int yy_is_our_buffer;
+
+	/* Whether this is an "interactive" input source; if so, and
+	 * if we're using stdio for input, then we want to use getc()
+	 * instead of fread(), to make sure we stop fetching input after
+	 * each newline.
+	 */
+	int yy_is_interactive;
+
+	/* Whether we're considered to be at the beginning of a line.
+	 * If so, '^' rules will be active on the next match, otherwise
+	 * not.
+	 */
+	int yy_at_bol;
+
+	/* Whether to try to fill the input buffer when we reach the
+	 * end of it.
+	 */
+	int yy_fill_buffer;
+
+	int yy_buffer_status;
+#define YY_BUFFER_NEW 0
+#define YY_BUFFER_NORMAL 1
+	/* When an EOF's been seen but there's still some text to process
+	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
+	 * shouldn't try reading from the input source any more.  We might
+	 * still have a bunch of tokens to match, though, because of
+	 * possible backing-up.
+	 *
+	 * When we actually see the EOF, we change the status to "new"
+	 * (via yyrestart()), so that the user can continue scanning by
+	 * just pointing yyin at a new input file.
+	 */
+#define YY_BUFFER_EOF_PENDING 2
+	};
+
+static YY_BUFFER_STATE yy_current_buffer = 0;
+
+/* We provide macros for accessing buffer states in case in the
+ * future we want to put the buffer states in a more general
+ * "scanner state".
+ */
+#define YY_CURRENT_BUFFER yy_current_buffer
+
+
+/* yy_hold_char holds the character lost when yytext is formed. */
+static char yy_hold_char;
+
+static int yy_n_chars;		/* number of characters read into yy_ch_buf */
+
+
+int yyleng;
+
+/* Points to current character in buffer. */
+static char *yy_c_buf_p = (char *) 0;
+static int yy_init = 1;		/* whether we need to initialize */
+static int yy_start = 0;	/* start state number */
+
+/* Flag which is used to allow yywrap()'s to do buffer switches
+ * instead of setting up a fresh yyin.  A bit of a hack ...
+ */
+static int yy_did_buffer_switch_on_eof;
+
+void yyrestart YY_PROTO(( FILE *input_file ));
+
+void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer ));
+void yy_load_buffer_state YY_PROTO(( void ));
+YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size ));
+void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b ));
+void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file ));
+void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b ));
+#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer )
+
+YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size ));
+YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
+YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len ));
+
+static void *yy_flex_alloc YY_PROTO(( yy_size_t ));
+static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t ));
+static void yy_flex_free YY_PROTO(( void * ));
+
+#define yy_new_buffer yy_create_buffer
+
+#define yy_set_interactive(is_interactive) \
+	{ \
+	if ( ! yy_current_buffer ) \
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
+	yy_current_buffer->yy_is_interactive = is_interactive; \
+	}
+
+#define yy_set_bol(at_bol) \
+	{ \
+	if ( ! yy_current_buffer ) \
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
+	yy_current_buffer->yy_at_bol = at_bol; \
+	}
+
+#define YY_AT_BOL() (yy_current_buffer->yy_at_bol)
+
+
+#define yywrap() 1
+#define YY_SKIP_YYWRAP
+typedef unsigned char YY_CHAR;
+FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+typedef int yy_state_type;
+extern char *yytext;
+#define yytext_ptr yytext
+
+static yy_state_type yy_get_previous_state YY_PROTO(( void ));
+static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state ));
+static int yy_get_next_buffer YY_PROTO(( void ));
+static void yy_fatal_error YY_PROTO(( yyconst char msg[] ));
+
+/* Done after the current pattern has been matched and before the
+ * corresponding action - sets up yytext.
+ */
+#define YY_DO_BEFORE_ACTION \
+	yytext_ptr = yy_bp; \
+	yyleng = (int) (yy_cp - yy_bp); \
+	yy_hold_char = *yy_cp; \
+	*yy_cp = '\0'; \
+	yy_c_buf_p = yy_cp;
+
+#define YY_NUM_RULES 46
+#define YY_END_OF_BUFFER 47
+static yyconst short int yy_accept[86] =
+    {   0,
+        0,    0,    0,    0,    0,    0,    0,    0,   47,   45,
+        1,   38,    2,   45,   43,   24,   45,   28,   44,   44,
+       44,   44,   44,   44,   44,   44,   44,   44,   44,   45,
+       13,    4,    3,   14,   16,   18,   17,    1,   22,   32,
+       34,   43,   26,   20,   31,   30,   44,   44,   19,   44,
+       44,   29,   27,   39,   25,   23,   15,   15,   21,   44,
+       35,   44,   36,   13,   12,    5,    6,   10,   11,    7,
+        8,    9,   33,   44,   44,   37,   44,    5,    6,   44,
+       40,   41,    5,   42,    0
+    } ;
+
+static yyconst int yy_ec[256] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    2,    4,    5,    1,    1,    1,    6,    1,    1,
+        1,    1,    1,    1,    7,    1,    1,    8,    8,    8,
+        8,    8,    8,    8,    8,    9,    9,    1,    1,   10,
+       11,   12,    1,    1,   13,   13,   13,   13,   13,   13,
+       13,   13,   13,   13,   13,   13,   13,   13,   13,   13,
+       13,   13,   13,   13,   13,   13,   13,   13,   13,   13,
+        1,   14,    1,    1,    7,    1,   15,   16,   13,   17,
+
+       18,   19,   20,   13,   21,   13,   13,   22,   23,   24,
+       25,   13,   26,   27,   28,   29,   30,   13,   13,   13,
+       13,   13,    1,   31,    1,   32,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1
+    } ;
+
+static yyconst int yy_meta[33] =
+    {   0,
+        1,    1,    2,    1,    3,    1,    4,    4,    4,    1,
+        1,    1,    4,    3,    4,    4,    4,    4,    4,    4,
+        4,    4,    4,    4,    4,    4,    4,    4,    4,    4,
+        1,    1
+    } ;
+
+static yyconst short int yy_base[93] =
+    {   0,
+        0,    0,   30,   31,    0,    0,   82,   81,  101,  142,
+       35,   28,  142,   94,   32,   88,   31,   87,    0,   69,
+       66,   28,   28,   67,   29,   63,   30,   63,   62,   57,
+        0,  142,  142,   88,  142,  142,  142,   48,  142,  142,
+      142,   44,  142,  142,  142,  142,    0,   70,    0,   64,
+       63,    0,    0,    0,    0,    0,  142,    0,    0,   55,
+        0,   46,  142,    0,  142,   53,   62,  142,  142,  142,
+      142,  142,    0,   44,   48,    0,   41,   70,   72,   38,
+        0,    0,   74,    0,  142,  117,  121,  125,   50,  129,
+      133,  137
+
+    } ;
+
+static yyconst short int yy_def[93] =
+    {   0,
+       85,    1,   86,   86,   87,   87,   88,   88,   85,   85,
+       85,   85,   85,   85,   85,   85,   85,   85,   89,   89,
+       89,   89,   89,   89,   89,   90,   89,   89,   89,   85,
+       91,   85,   85,   92,   85,   85,   85,   85,   85,   85,
+       85,   85,   85,   85,   85,   85,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   85,   89,   89,   89,
+       89,   89,   85,   91,   85,   85,   85,   85,   85,   85,
+       85,   85,   89,   89,   89,   89,   89,   85,   85,   89,
+       89,   89,   85,   89,    0,   85,   85,   85,   85,   85,
+       85,   85
+
+    } ;
+
+static yyconst short int yy_nxt[175] =
+    {   0,
+       10,   11,   11,   12,   13,   14,   10,   15,   15,   16,
+       17,   18,   19,   10,   20,   19,   19,   21,   22,   23,
+       24,   25,   26,   27,   28,   19,   19,   19,   29,   19,
+       30,   10,   32,   32,   33,   33,   38,   38,   39,   42,
+       42,   44,   50,   34,   34,   52,   55,   59,   51,   38,
+       38,   42,   42,   47,   60,   84,   53,   56,   82,   40,
+       78,   79,   45,   57,   57,   81,   57,   57,   57,   79,
+       79,   80,   57,   57,   57,   77,   57,   83,   79,   79,
+       79,   79,   79,   76,   75,   74,   73,   63,   62,   61,
+       54,   49,   48,   57,   57,   66,   67,   46,   43,   41,
+
+       85,   37,   37,   68,   85,   85,   69,   85,   85,   85,
+       85,   70,   85,   85,   71,   85,   72,   31,   31,   31,
+       31,   35,   35,   35,   35,   36,   36,   36,   36,   58,
+       85,   58,   58,   64,   85,   85,   64,   65,   65,   65,
+       65,    9,   85,   85,   85,   85,   85,   85,   85,   85,
+       85,   85,   85,   85,   85,   85,   85,   85,   85,   85,
+       85,   85,   85,   85,   85,   85,   85,   85,   85,   85,
+       85,   85,   85,   85
+    } ;
+
+static yyconst short int yy_chk[175] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    3,    4,    3,    4,   11,   11,   12,   15,
+       15,   17,   22,    3,    4,   23,   25,   27,   22,   38,
+       38,   42,   42,   89,   27,   80,   23,   25,   77,   12,
+       66,   66,   17,   26,   26,   75,   26,   26,   26,   67,
+       67,   74,   26,   26,   26,   62,   26,   78,   78,   79,
+       79,   83,   83,   60,   51,   50,   48,   30,   29,   28,
+       24,   21,   20,   26,   26,   34,   34,   18,   16,   14,
+
+        9,    8,    7,   34,    0,    0,   34,    0,    0,    0,
+        0,   34,    0,    0,   34,    0,   34,   86,   86,   86,
+       86,   87,   87,   87,   87,   88,   88,   88,   88,   90,
+        0,   90,   90,   91,    0,    0,   91,   92,   92,   92,
+       92,   85,   85,   85,   85,   85,   85,   85,   85,   85,
+       85,   85,   85,   85,   85,   85,   85,   85,   85,   85,
+       85,   85,   85,   85,   85,   85,   85,   85,   85,   85,
+       85,   85,   85,   85
+    } ;
+
+static yy_state_type yy_last_accepting_state;
+static char *yy_last_accepting_cpos;
+
+/* The intent behind this definition is that it'll catch
+ * any uses of REJECT which flex missed.
+ */
+#define REJECT reject_used_but_not_detected
+#define yymore() yymore_used_but_not_detected
+#define YY_MORE_ADJ 0
+#define YY_RESTORE_YY_MORE_OFFSET
+char *yytext;
+#line 1 "ssl_expr_scan.l"
+#define INITIAL 0
+/*                      _             _ 
+**  _ __ ___   ___   __| |    ___ ___| |  
+** | '_ ` _ \ / _ \ / _` |   / __/ __| |  
+** | | | | | | (_) | (_| |   \__ \__ \ | mod_ssl - Apache Interface to OpenSSL
+** |_| |_| |_|\___/ \__,_|___|___/___/_| http://www.modssl.org/
+**                      |_____|         
+**  ssl_expr_scan.l
+**  Expression Scanner
+*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following
+ *    disclaimer in the documentation and/or other materials
+ *    provided with the distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by 
+ *     Ralf S. Engelschall <rse@engelschall.com> for use in the
+ *     mod_ssl project (http://www.modssl.org/)."
+ *
+ * 4. The names "mod_ssl" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    rse@engelschall.com.
+ *
+ * 5. Products derived from this software may not be called "mod_ssl"
+ *    nor may "mod_ssl" appear in their names without prior
+ *    written permission of Ralf S. Engelschall.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by 
+ *     Ralf S. Engelschall <rse@engelschall.com> for use in the
+ *     mod_ssl project (http://www.modssl.org/)."
+ *
+ * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL RALF S. ENGELSCHALL OR
+ * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+/* ``Killing for peace is 
+like fucking for virginity.''
+-- Unknown  */
+/*  _________________________________________________________________
+**
+**  Expression Scanner
+**  _________________________________________________________________
+*/
+#line 73 "ssl_expr_scan.l"
+#include "mod_ssl.h"
+
+#include "ssl_expr_parse.h"
+
+#define YY_NO_UNPUT 1
+int yyinput(char *buf, int max_size);
+
+#undef  YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+    (result = yyinput(buf, max_size))
+
+#define MAX_STR_LEN 2048
+/* %option stack */
+#define YY_NEVER_INTERACTIVE 1
+#define str 1
+
+#define regex 2
+#define regex_flags 3
+
+#line 537 "lex.ssl_expr_yy.c"
+
+/* Macros after this point can all be overridden by user definitions in
+ * section 1.
+ */
+
+#ifndef YY_SKIP_YYWRAP
+#ifdef __cplusplus
+extern "C" int yywrap YY_PROTO(( void ));
+#else
+extern int yywrap YY_PROTO(( void ));
+#endif
+#endif
+
+#ifndef YY_NO_UNPUT
+static void yyunput YY_PROTO(( int c, char *buf_ptr ));
+#endif
+
+#ifndef yytext_ptr
+static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int ));
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen YY_PROTO(( yyconst char * ));
+#endif
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+static int yyinput YY_PROTO(( void ));
+#else
+static int input YY_PROTO(( void ));
+#endif
+#endif
+
+#if YY_STACK_USED
+static int yy_start_stack_ptr = 0;
+static int yy_start_stack_depth = 0;
+static int *yy_start_stack = 0;
+#ifndef YY_NO_PUSH_STATE
+static void yy_push_state YY_PROTO(( int new_state ));
+#endif
+#ifndef YY_NO_POP_STATE
+static void yy_pop_state YY_PROTO(( void ));
+#endif
+#ifndef YY_NO_TOP_STATE
+static int yy_top_state YY_PROTO(( void ));
+#endif
+
+#else
+#define YY_NO_PUSH_STATE 1
+#define YY_NO_POP_STATE 1
+#define YY_NO_TOP_STATE 1
+#endif
+
+#ifdef YY_MALLOC_DECL
+YY_MALLOC_DECL
+#else
+#if __STDC__
+#ifndef __cplusplus
+#include <stdlib.h>
+#endif
+#else
+/* Just try to get by without declaring the routines.  This will fail
+ * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int)
+ * or sizeof(void*) != sizeof(int).
+ */
+#endif
+#endif
+
+/* Amount of stuff to slurp up with each read. */
+#ifndef YY_READ_BUF_SIZE
+#define YY_READ_BUF_SIZE 8192
+#endif
+
+/* Copy whatever the last rule matched to the standard output. */
+
+#ifndef ECHO
+/* This used to be an fputs(), but since the string might contain NUL's,
+ * we now use fwrite().
+ */
+#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#endif
+
+/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
+ * is returned in "result".
+ */
+#ifndef YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+	if ( yy_current_buffer->yy_is_interactive ) \
+		{ \
+		int c = '*', n; \
+		for ( n = 0; n < max_size && \
+			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
+			buf[n] = (char) c; \
+		if ( c == '\n' ) \
+			buf[n++] = (char) c; \
+		if ( c == EOF && ferror( yyin ) ) \
+			YY_FATAL_ERROR( "input in flex scanner failed" ); \
+		result = n; \
+		} \
+	else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \
+		  && ferror( yyin ) ) \
+		YY_FATAL_ERROR( "input in flex scanner failed" );
+#endif
+
+/* No semi-colon after return; correct usage is to write "yyterminate();" -
+ * we don't want an extra ';' after the "return" because that will cause
+ * some compilers to complain about unreachable statements.
+ */
+#ifndef yyterminate
+#define yyterminate() return YY_NULL
+#endif
+
+/* Number of entries by which start-condition stack grows. */
+#ifndef YY_START_STACK_INCR
+#define YY_START_STACK_INCR 25
+#endif
+
+/* Report a fatal error. */
+#ifndef YY_FATAL_ERROR
+#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
+#endif
+
+/* Default declaration of generated scanner - a define so the user can
+ * easily add parameters.
+ */
+#ifndef YY_DECL
+#define YY_DECL int yylex YY_PROTO(( void ))
+#endif
+
+/* Code executed at the beginning of each rule, after yytext and yyleng
+ * have been set up.
+ */
+#ifndef YY_USER_ACTION
+#define YY_USER_ACTION
+#endif
+
+/* Code executed at the end of each rule. */
+#ifndef YY_BREAK
+#define YY_BREAK break;
+#endif
+
+#define YY_RULE_SETUP \
+	YY_USER_ACTION
+
+YY_DECL
+	{
+	register yy_state_type yy_current_state;
+	register char *yy_cp, *yy_bp;
+	register int yy_act;
+
+#line 94 "ssl_expr_scan.l"
+
+  
+  char  caStr[MAX_STR_LEN];
+  char *cpStr = NULL;
+  char  caRegex[MAX_STR_LEN];
+  char *cpRegex = NULL;
+  char  cRegexDel = NUL;
+
+ /*
+  * Whitespaces
+  */
+#line 700 "lex.ssl_expr_yy.c"
+
+	if ( yy_init )
+		{
+		yy_init = 0;
+
+#ifdef YY_USER_INIT
+		YY_USER_INIT;
+#endif
+
+		if ( ! yy_start )
+			yy_start = 1;	/* first start state */
+
+		if ( ! yyin )
+			yyin = stdin;
+
+		if ( ! yyout )
+			yyout = stdout;
+
+		if ( ! yy_current_buffer )
+			yy_current_buffer =
+				yy_create_buffer( yyin, YY_BUF_SIZE );
+
+		yy_load_buffer_state();
+		}
+
+	while ( 1 )		/* loops until end-of-file is reached */
+		{
+		yy_cp = yy_c_buf_p;
+
+		/* Support of yytext. */
+		*yy_cp = yy_hold_char;
+
+		/* yy_bp points to the position in yy_ch_buf of the start of
+		 * the current run.
+		 */
+		yy_bp = yy_cp;
+
+		yy_current_state = yy_start;
+yy_match:
+		do
+			{
+			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
+			if ( yy_accept[yy_current_state] )
+				{
+				yy_last_accepting_state = yy_current_state;
+				yy_last_accepting_cpos = yy_cp;
+				}
+			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+				{
+				yy_current_state = (int) yy_def[yy_current_state];
+				if ( yy_current_state >= 86 )
+					yy_c = yy_meta[(unsigned int) yy_c];
+				}
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			++yy_cp;
+			}
+		while ( yy_current_state != 85 );
+		yy_cp = yy_last_accepting_cpos;
+		yy_current_state = yy_last_accepting_state;
+
+yy_find_action:
+		yy_act = yy_accept[yy_current_state];
+
+		YY_DO_BEFORE_ACTION;
+
+
+do_action:	/* This label is used only to access EOF actions. */
+
+
+		switch ( yy_act )
+	{ /* beginning of action switch */
+			case 0: /* must back up */
+			/* undo the effects of YY_DO_BEFORE_ACTION */
+			*yy_cp = yy_hold_char;
+			yy_cp = yy_last_accepting_cpos;
+			yy_current_state = yy_last_accepting_state;
+			goto yy_find_action;
+
+case 1:
+YY_RULE_SETUP
+#line 105 "ssl_expr_scan.l"
+{ 
+    /* NOP */
+}
+	YY_BREAK
+/*
+  * C-style strings ("...")
+  */
+case 2:
+YY_RULE_SETUP
+#line 112 "ssl_expr_scan.l"
+{
+    cpStr = caStr;
+    BEGIN(str);
+}
+	YY_BREAK
+case 3:
+YY_RULE_SETUP
+#line 116 "ssl_expr_scan.l"
+{
+    BEGIN(INITIAL);
+    *cpStr = NUL;
+    yylval.cpVal = ap_pstrdup(ssl_expr_info.pool, caStr);
+    return T_STRING;
+}
+	YY_BREAK
+case 4:
+YY_RULE_SETUP
+#line 122 "ssl_expr_scan.l"
+{
+    yyerror("Unterminated string");
+}
+	YY_BREAK
+case 5:
+YY_RULE_SETUP
+#line 125 "ssl_expr_scan.l"
+{
+    int result;
+
+    (void)sscanf(yytext+1, "%o", &result);
+    if (result > 0xff)
+        yyerror("Escape sequence out of bound");
+    else
+        *cpStr++ = result;
+}
+	YY_BREAK
+case 6:
+YY_RULE_SETUP
+#line 134 "ssl_expr_scan.l"
+{
+    yyerror("Bad escape sequence");
+}
+	YY_BREAK
+case 7:
+YY_RULE_SETUP
+#line 137 "ssl_expr_scan.l"
+{ *cpStr++ = '\n'; }
+	YY_BREAK
+case 8:
+YY_RULE_SETUP
+#line 138 "ssl_expr_scan.l"
+{ *cpStr++ = '\r'; }
+	YY_BREAK
+case 9:
+YY_RULE_SETUP
+#line 139 "ssl_expr_scan.l"
+{ *cpStr++ = '\t'; }
+	YY_BREAK
+case 10:
+YY_RULE_SETUP
+#line 140 "ssl_expr_scan.l"
+{ *cpStr++ = '\b'; }
+	YY_BREAK
+case 11:
+YY_RULE_SETUP
+#line 141 "ssl_expr_scan.l"
+{ *cpStr++ = '\f'; }
+	YY_BREAK
+case 12:
+YY_RULE_SETUP
+#line 142 "ssl_expr_scan.l"
+{
+    *cpStr++ = yytext[1];
+}
+	YY_BREAK
+case 13:
+YY_RULE_SETUP
+#line 145 "ssl_expr_scan.l"
+{
+    char *cp = yytext;
+    while (*cp != NUL)
+        *cpStr++ = *cp++;
+}
+	YY_BREAK
+case 14:
+YY_RULE_SETUP
+#line 150 "ssl_expr_scan.l"
+{
+    *cpStr++ = yytext[1];
+}
+	YY_BREAK
+/*
+  * Regular Expression
+  */
+case 15:
+YY_RULE_SETUP
+#line 157 "ssl_expr_scan.l"
+{
+    cRegexDel = yytext[1];
+    cpRegex = caRegex;
+    BEGIN(regex);
+}
+	YY_BREAK
+case 16:
+YY_RULE_SETUP
+#line 162 "ssl_expr_scan.l"
+{
+    if (yytext[0] == cRegexDel) {
+        *cpRegex = NUL;
+        BEGIN(regex_flags);
+    }
+    else {
+        *cpRegex++ = yytext[0];
+    }
+}
+	YY_BREAK
+case 17:
+YY_RULE_SETUP
+#line 171 "ssl_expr_scan.l"
+{
+    yylval.cpVal = ap_pstrdup(ssl_expr_info.pool, caRegex);
+    BEGIN(INITIAL);
+    return T_REGEX_I;
+}
+	YY_BREAK
+case 18:
+YY_RULE_SETUP
+#line 176 "ssl_expr_scan.l"
+{
+    yylval.cpVal = ap_pstrdup(ssl_expr_info.pool, caRegex);
+    yyless(0);
+    BEGIN(INITIAL);
+    return T_REGEX;
+}
+	YY_BREAK
+case YY_STATE_EOF(regex_flags):
+#line 182 "ssl_expr_scan.l"
+{
+    yylval.cpVal = ap_pstrdup(ssl_expr_info.pool, caRegex);
+    BEGIN(INITIAL);
+    return T_REGEX;
+}
+	YY_BREAK
+/*
+  * Operators
+  */
+case 19:
+YY_RULE_SETUP
+#line 191 "ssl_expr_scan.l"
+{ return T_OP_EQ; }
+	YY_BREAK
+case 20:
+YY_RULE_SETUP
+#line 192 "ssl_expr_scan.l"
+{ return T_OP_EQ; }
+	YY_BREAK
+case 21:
+YY_RULE_SETUP
+#line 193 "ssl_expr_scan.l"
+{ return T_OP_NE; }
+	YY_BREAK
+case 22:
+YY_RULE_SETUP
+#line 194 "ssl_expr_scan.l"
+{ return T_OP_NE; }
+	YY_BREAK
+case 23:
+YY_RULE_SETUP
+#line 195 "ssl_expr_scan.l"
+{ return T_OP_LT; }
+	YY_BREAK
+case 24:
+YY_RULE_SETUP
+#line 196 "ssl_expr_scan.l"
+{ return T_OP_LT; }
+	YY_BREAK
+case 25:
+YY_RULE_SETUP
+#line 197 "ssl_expr_scan.l"
+{ return T_OP_LE; }
+	YY_BREAK
+case 26:
+YY_RULE_SETUP
+#line 198 "ssl_expr_scan.l"
+{ return T_OP_LE; }
+	YY_BREAK
+case 27:
+YY_RULE_SETUP
+#line 199 "ssl_expr_scan.l"
+{ return T_OP_GT; }
+	YY_BREAK
+case 28:
+YY_RULE_SETUP
+#line 200 "ssl_expr_scan.l"
+{ return T_OP_GT; }
+	YY_BREAK
+case 29:
+YY_RULE_SETUP
+#line 201 "ssl_expr_scan.l"
+{ return T_OP_GE; }
+	YY_BREAK
+case 30:
+YY_RULE_SETUP
+#line 202 "ssl_expr_scan.l"
+{ return T_OP_GE; }
+	YY_BREAK
+case 31:
+YY_RULE_SETUP
+#line 203 "ssl_expr_scan.l"
+{ return T_OP_REG; }
+	YY_BREAK
+case 32:
+YY_RULE_SETUP
+#line 204 "ssl_expr_scan.l"
+{ return T_OP_NRE; }
+	YY_BREAK
+case 33:
+YY_RULE_SETUP
+#line 205 "ssl_expr_scan.l"
+{ return T_OP_AND; }
+	YY_BREAK
+case 34:
+YY_RULE_SETUP
+#line 206 "ssl_expr_scan.l"
+{ return T_OP_AND; }
+	YY_BREAK
+case 35:
+YY_RULE_SETUP
+#line 207 "ssl_expr_scan.l"
+{ return T_OP_OR; }
+	YY_BREAK
+case 36:
+YY_RULE_SETUP
+#line 208 "ssl_expr_scan.l"
+{ return T_OP_OR; }
+	YY_BREAK
+case 37:
+YY_RULE_SETUP
+#line 209 "ssl_expr_scan.l"
+{ return T_OP_NOT; }
+	YY_BREAK
+case 38:
+YY_RULE_SETUP
+#line 210 "ssl_expr_scan.l"
+{ return T_OP_NOT; }
+	YY_BREAK
+case 39:
+YY_RULE_SETUP
+#line 211 "ssl_expr_scan.l"
+{ return T_OP_IN; }
+	YY_BREAK
+/*
+  * Functions
+  */
+case 40:
+YY_RULE_SETUP
+#line 216 "ssl_expr_scan.l"
+{ return T_FUNC_FILE; }
+	YY_BREAK
+/*
+  * Specials
+  */
+case 41:
+YY_RULE_SETUP
+#line 221 "ssl_expr_scan.l"
+{ return T_TRUE; }
+	YY_BREAK
+case 42:
+YY_RULE_SETUP
+#line 222 "ssl_expr_scan.l"
+{ return T_FALSE; }
+	YY_BREAK
+/*
+  * Digits
+  */
+case 43:
+YY_RULE_SETUP
+#line 227 "ssl_expr_scan.l"
+{
+    yylval.cpVal = ap_pstrdup(ssl_expr_info.pool, yytext);
+    return T_DIGIT;
+}
+	YY_BREAK
+/*
+  * Identifiers
+  */
+case 44:
+YY_RULE_SETUP
+#line 235 "ssl_expr_scan.l"
+{
+    yylval.cpVal = ap_pstrdup(ssl_expr_info.pool, yytext);
+    return T_ID;
+}
+	YY_BREAK
+/*
+  * Anything else is returned as is...
+  */
+case 45:
+YY_RULE_SETUP
+#line 243 "ssl_expr_scan.l"
+{ 
+    return yytext[0];
+}
+	YY_BREAK
+case 46:
+YY_RULE_SETUP
+#line 247 "ssl_expr_scan.l"
+YY_FATAL_ERROR( "flex scanner jammed" );
+	YY_BREAK
+#line 1100 "lex.ssl_expr_yy.c"
+case YY_STATE_EOF(INITIAL):
+case YY_STATE_EOF(str):
+case YY_STATE_EOF(regex):
+	yyterminate();
+
+	case YY_END_OF_BUFFER:
+		{
+		/* Amount of text matched not including the EOB char. */
+		int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1;
+
+		/* Undo the effects of YY_DO_BEFORE_ACTION. */
+		*yy_cp = yy_hold_char;
+		YY_RESTORE_YY_MORE_OFFSET
+
+		if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW )
+			{
+			/* We're scanning a new file or input source.  It's
+			 * possible that this happened because the user
+			 * just pointed yyin at a new source and called
+			 * yylex().  If so, then we have to assure
+			 * consistency between yy_current_buffer and our
+			 * globals.  Here is the right place to do so, because
+			 * this is the first action (other than possibly a
+			 * back-up) that will match for the new input source.
+			 */
+			yy_n_chars = yy_current_buffer->yy_n_chars;
+			yy_current_buffer->yy_input_file = yyin;
+			yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL;
+			}
+
+		/* Note that here we test for yy_c_buf_p "<=" to the position
+		 * of the first EOB in the buffer, since yy_c_buf_p will
+		 * already have been incremented past the NUL character
+		 * (since all states make transitions on EOB to the
+		 * end-of-buffer state).  Contrast this with the test
+		 * in input().
+		 */
+		if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] )
+			{ /* This was really a NUL. */
+			yy_state_type yy_next_state;
+
+			yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text;
+
+			yy_current_state = yy_get_previous_state();
+
+			/* Okay, we're now positioned to make the NUL
+			 * transition.  We couldn't have
+			 * yy_get_previous_state() go ahead and do it
+			 * for us because it doesn't know how to deal
+			 * with the possibility of jamming (and we don't
+			 * want to build jamming into it because then it
+			 * will run more slowly).
+			 */
+
+			yy_next_state = yy_try_NUL_trans( yy_current_state );
+
+			yy_bp = yytext_ptr + YY_MORE_ADJ;
+
+			if ( yy_next_state )
+				{
+				/* Consume the NUL. */
+				yy_cp = ++yy_c_buf_p;
+				yy_current_state = yy_next_state;
+				goto yy_match;
+				}
+
+			else
+				{
+				yy_cp = yy_last_accepting_cpos;
+				yy_current_state = yy_last_accepting_state;
+				goto yy_find_action;
+				}
+			}
+
+		else switch ( yy_get_next_buffer() )
+			{
+			case EOB_ACT_END_OF_FILE:
+				{
+				yy_did_buffer_switch_on_eof = 0;
+
+				if ( yywrap() )
+					{
+					/* Note: because we've taken care in
+					 * yy_get_next_buffer() to have set up
+					 * yytext, we can now set up
+					 * yy_c_buf_p so that if some total
+					 * hoser (like flex itself) wants to
+					 * call the scanner after we return the
+					 * YY_NULL, it'll still work - another
+					 * YY_NULL will get returned.
+					 */
+					yy_c_buf_p = yytext_ptr + YY_MORE_ADJ;
+
+					yy_act = YY_STATE_EOF(YY_START);
+					goto do_action;
+					}
+
+				else
+					{
+					if ( ! yy_did_buffer_switch_on_eof )
+						YY_NEW_FILE;
+					}
+				break;
+				}
+
+			case EOB_ACT_CONTINUE_SCAN:
+				yy_c_buf_p =
+					yytext_ptr + yy_amount_of_matched_text;
+
+				yy_current_state = yy_get_previous_state();
+
+				yy_cp = yy_c_buf_p;
+				yy_bp = yytext_ptr + YY_MORE_ADJ;
+				goto yy_match;
+
+			case EOB_ACT_LAST_MATCH:
+				yy_c_buf_p =
+				&yy_current_buffer->yy_ch_buf[yy_n_chars];
+
+				yy_current_state = yy_get_previous_state();
+
+				yy_cp = yy_c_buf_p;
+				yy_bp = yytext_ptr + YY_MORE_ADJ;
+				goto yy_find_action;
+			}
+		break;
+		}
+
+	default:
+		YY_FATAL_ERROR(
+			"fatal flex scanner internal error--no action found" );
+	} /* end of action switch */
+		} /* end of scanning one token */
+	} /* end of yylex */
+
+
+/* yy_get_next_buffer - try to read in a new buffer
+ *
+ * Returns a code representing an action:
+ *	EOB_ACT_LAST_MATCH -
+ *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
+ *	EOB_ACT_END_OF_FILE - end of file
+ */
+
+static int yy_get_next_buffer()
+	{
+	register char *dest = yy_current_buffer->yy_ch_buf;
+	register char *source = yytext_ptr;
+	register int number_to_move, i;
+	int ret_val;
+
+	if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] )
+		YY_FATAL_ERROR(
+		"fatal flex scanner internal error--end of buffer missed" );
+
+	if ( yy_current_buffer->yy_fill_buffer == 0 )
+		{ /* Don't try to fill the buffer, so this is an EOF. */
+		if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 )
+			{
+			/* We matched a single character, the EOB, so
+			 * treat this as a final EOF.
+			 */
+			return EOB_ACT_END_OF_FILE;
+			}
+
+		else
+			{
+			/* We matched some text prior to the EOB, first
+			 * process it.
+			 */
+			return EOB_ACT_LAST_MATCH;
+			}
+		}
+
+	/* Try to read more data. */
+
+	/* First move last chars to start of buffer. */
+	number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1;
+
+	for ( i = 0; i < number_to_move; ++i )
+		*(dest++) = *(source++);
+
+	if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+		/* don't do the read, it's not guaranteed to return an EOF,
+		 * just force an EOF
+		 */
+		yy_current_buffer->yy_n_chars = yy_n_chars = 0;
+
+	else
+		{
+		int num_to_read =
+			yy_current_buffer->yy_buf_size - number_to_move - 1;
+
+		while ( num_to_read <= 0 )
+			{ /* Not enough room in the buffer - grow it. */
+#ifdef YY_USES_REJECT
+			YY_FATAL_ERROR(
+"input buffer overflow, can't enlarge buffer because scanner uses REJECT" );
+#else
+
+			/* just a shorter name for the current buffer */
+			YY_BUFFER_STATE b = yy_current_buffer;
+
+			int yy_c_buf_p_offset =
+				(int) (yy_c_buf_p - b->yy_ch_buf);
+
+			if ( b->yy_is_our_buffer )
+				{
+				int new_size = b->yy_buf_size * 2;
+
+				if ( new_size <= 0 )
+					b->yy_buf_size += b->yy_buf_size / 8;
+				else
+					b->yy_buf_size *= 2;
+
+				b->yy_ch_buf = (char *)
+					/* Include room in for 2 EOB chars. */
+					yy_flex_realloc( (void *) b->yy_ch_buf,
+							 b->yy_buf_size + 2 );
+				}
+			else
+				/* Can't grow it, we don't own it. */
+				b->yy_ch_buf = 0;
+
+			if ( ! b->yy_ch_buf )
+				YY_FATAL_ERROR(
+				"fatal error - scanner input buffer overflow" );
+
+			yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset];
+
+			num_to_read = yy_current_buffer->yy_buf_size -
+						number_to_move - 1;
+#endif
+			}
+
+		if ( num_to_read > YY_READ_BUF_SIZE )
+			num_to_read = YY_READ_BUF_SIZE;
+
+		/* Read in more data. */
+		YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]),
+			yy_n_chars, num_to_read );
+
+		yy_current_buffer->yy_n_chars = yy_n_chars;
+		}
+
+	if ( yy_n_chars == 0 )
+		{
+		if ( number_to_move == YY_MORE_ADJ )
+			{
+			ret_val = EOB_ACT_END_OF_FILE;
+			yyrestart( yyin );
+			}
+
+		else
+			{
+			ret_val = EOB_ACT_LAST_MATCH;
+			yy_current_buffer->yy_buffer_status =
+				YY_BUFFER_EOF_PENDING;
+			}
+		}
+
+	else
+		ret_val = EOB_ACT_CONTINUE_SCAN;
+
+	yy_n_chars += number_to_move;
+	yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR;
+	yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR;
+
+	yytext_ptr = &yy_current_buffer->yy_ch_buf[0];
+
+	return ret_val;
+	}
+
+
+/* yy_get_previous_state - get the state just before the EOB char was reached */
+
+static yy_state_type yy_get_previous_state()
+	{
+	register yy_state_type yy_current_state;
+	register char *yy_cp;
+
+	yy_current_state = yy_start;
+
+	for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp )
+		{
+		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
+		if ( yy_accept[yy_current_state] )
+			{
+			yy_last_accepting_state = yy_current_state;
+			yy_last_accepting_cpos = yy_cp;
+			}
+		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+			{
+			yy_current_state = (int) yy_def[yy_current_state];
+			if ( yy_current_state >= 86 )
+				yy_c = yy_meta[(unsigned int) yy_c];
+			}
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		}
+
+	return yy_current_state;
+	}
+
+
+/* yy_try_NUL_trans - try to make a transition on the NUL character
+ *
+ * synopsis
+ *	next_state = yy_try_NUL_trans( current_state );
+ */
+
+#ifdef YY_USE_PROTOS
+static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state )
+#else
+static yy_state_type yy_try_NUL_trans( yy_current_state )
+yy_state_type yy_current_state;
+#endif
+	{
+	register int yy_is_jam;
+	register char *yy_cp = yy_c_buf_p;
+
+	register YY_CHAR yy_c = 1;
+	if ( yy_accept[yy_current_state] )
+		{
+		yy_last_accepting_state = yy_current_state;
+		yy_last_accepting_cpos = yy_cp;
+		}
+	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+		{
+		yy_current_state = (int) yy_def[yy_current_state];
+		if ( yy_current_state >= 86 )
+			yy_c = yy_meta[(unsigned int) yy_c];
+		}
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_is_jam = (yy_current_state == 85);
+
+	return yy_is_jam ? 0 : yy_current_state;
+	}
+
+
+#ifndef YY_NO_UNPUT
+#ifdef YY_USE_PROTOS
+static void yyunput( int c, register char *yy_bp )
+#else
+static void yyunput( c, yy_bp )
+int c;
+register char *yy_bp;
+#endif
+	{
+	register char *yy_cp = yy_c_buf_p;
+
+	/* undo effects of setting up yytext */
+	*yy_cp = yy_hold_char;
+
+	if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
+		{ /* need to shift things up to make room */
+		/* +2 for EOB chars. */
+		register int number_to_move = yy_n_chars + 2;
+		register char *dest = &yy_current_buffer->yy_ch_buf[
+					yy_current_buffer->yy_buf_size + 2];
+		register char *source =
+				&yy_current_buffer->yy_ch_buf[number_to_move];
+
+		while ( source > yy_current_buffer->yy_ch_buf )
+			*--dest = *--source;
+
+		yy_cp += (int) (dest - source);
+		yy_bp += (int) (dest - source);
+		yy_current_buffer->yy_n_chars =
+			yy_n_chars = yy_current_buffer->yy_buf_size;
+
+		if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
+			YY_FATAL_ERROR( "flex scanner push-back overflow" );
+		}
+
+	*--yy_cp = (char) c;
+
+
+	yytext_ptr = yy_bp;
+	yy_hold_char = *yy_cp;
+	yy_c_buf_p = yy_cp;
+	}
+#endif	/* ifndef YY_NO_UNPUT */
+
+
+#ifdef __cplusplus
+static int yyinput()
+#else
+static int input()
+#endif
+	{
+	int c;
+
+	*yy_c_buf_p = yy_hold_char;
+
+	if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR )
+		{
+		/* yy_c_buf_p now points to the character we want to return.
+		 * If this occurs *before* the EOB characters, then it's a
+		 * valid NUL; if not, then we've hit the end of the buffer.
+		 */
+		if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] )
+			/* This was really a NUL. */
+			*yy_c_buf_p = '\0';
+
+		else
+			{ /* need more input */
+			int offset = yy_c_buf_p - yytext_ptr;
+			++yy_c_buf_p;
+
+			switch ( yy_get_next_buffer() )
+				{
+				case EOB_ACT_LAST_MATCH:
+					/* This happens because yy_g_n_b()
+					 * sees that we've accumulated a
+					 * token and flags that we need to
+					 * try matching the token before
+					 * proceeding.  But for input(),
+					 * there's no matching to consider.
+					 * So convert the EOB_ACT_LAST_MATCH
+					 * to EOB_ACT_END_OF_FILE.
+					 */
+
+					/* Reset buffer status. */
+					yyrestart( yyin );
+
+					/* fall through */
+
+				case EOB_ACT_END_OF_FILE:
+					{
+					if ( yywrap() )
+						return EOF;
+
+					if ( ! yy_did_buffer_switch_on_eof )
+						YY_NEW_FILE;
+#ifdef __cplusplus
+					return yyinput();
+#else
+					return input();
+#endif
+					}
+
+				case EOB_ACT_CONTINUE_SCAN:
+					yy_c_buf_p = yytext_ptr + offset;
+					break;
+				}
+			}
+		}
+
+	c = *(unsigned char *) yy_c_buf_p;	/* cast for 8-bit char's */
+	*yy_c_buf_p = '\0';	/* preserve yytext */
+	yy_hold_char = *++yy_c_buf_p;
+
+
+	return c;
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yyrestart( FILE *input_file )
+#else
+void yyrestart( input_file )
+FILE *input_file;
+#endif
+	{
+	if ( ! yy_current_buffer )
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE );
+
+	yy_init_buffer( yy_current_buffer, input_file );
+	yy_load_buffer_state();
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer )
+#else
+void yy_switch_to_buffer( new_buffer )
+YY_BUFFER_STATE new_buffer;
+#endif
+	{
+	if ( yy_current_buffer == new_buffer )
+		return;
+
+	if ( yy_current_buffer )
+		{
+		/* Flush out information for old buffer. */
+		*yy_c_buf_p = yy_hold_char;
+		yy_current_buffer->yy_buf_pos = yy_c_buf_p;
+		yy_current_buffer->yy_n_chars = yy_n_chars;
+		}
+
+	yy_current_buffer = new_buffer;
+	yy_load_buffer_state();
+
+	/* We don't actually know whether we did this switch during
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
+	 * to go ahead and always set it.
+	 */
+	yy_did_buffer_switch_on_eof = 1;
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_load_buffer_state( void )
+#else
+void yy_load_buffer_state()
+#endif
+	{
+	yy_n_chars = yy_current_buffer->yy_n_chars;
+	yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos;
+	yyin = yy_current_buffer->yy_input_file;
+	yy_hold_char = *yy_c_buf_p;
+	}
+
+
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_create_buffer( FILE *file, int size )
+#else
+YY_BUFFER_STATE yy_create_buffer( file, size )
+FILE *file;
+int size;
+#endif
+	{
+	YY_BUFFER_STATE b;
+
+	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_buf_size = size;
+
+	/* yy_ch_buf has to be 2 characters longer than the size given because
+	 * we need to put in 2 end-of-buffer characters.
+	 */
+	b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 );
+	if ( ! b->yy_ch_buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_is_our_buffer = 1;
+
+	yy_init_buffer( b, file );
+
+	return b;
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_delete_buffer( YY_BUFFER_STATE b )
+#else
+void yy_delete_buffer( b )
+YY_BUFFER_STATE b;
+#endif
+	{
+	if ( ! b )
+		return;
+
+	if ( b == yy_current_buffer )
+		yy_current_buffer = (YY_BUFFER_STATE) 0;
+
+	if ( b->yy_is_our_buffer )
+		yy_flex_free( (void *) b->yy_ch_buf );
+
+	yy_flex_free( (void *) b );
+	}
+
+
+#ifndef YY_ALWAYS_INTERACTIVE
+#ifndef YY_NEVER_INTERACTIVE
+extern int isatty YY_PROTO(( int ));
+#endif
+#endif
+
+#ifdef YY_USE_PROTOS
+void yy_init_buffer( YY_BUFFER_STATE b, FILE *file )
+#else
+void yy_init_buffer( b, file )
+YY_BUFFER_STATE b;
+FILE *file;
+#endif
+
+
+	{
+	yy_flush_buffer( b );
+
+	b->yy_input_file = file;
+	b->yy_fill_buffer = 1;
+
+#if YY_ALWAYS_INTERACTIVE
+	b->yy_is_interactive = 1;
+#else
+#if YY_NEVER_INTERACTIVE
+	b->yy_is_interactive = 0;
+#else
+	b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+#endif
+#endif
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_flush_buffer( YY_BUFFER_STATE b )
+#else
+void yy_flush_buffer( b )
+YY_BUFFER_STATE b;
+#endif
+
+	{
+	if ( ! b )
+		return;
+
+	b->yy_n_chars = 0;
+
+	/* We always need two end-of-buffer characters.  The first causes
+	 * a transition to the end-of-buffer state.  The second causes
+	 * a jam in that state.
+	 */
+	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
+	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
+
+	b->yy_buf_pos = &b->yy_ch_buf[0];
+
+	b->yy_at_bol = 1;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	if ( b == yy_current_buffer )
+		yy_load_buffer_state();
+	}
+
+
+#ifndef YY_NO_SCAN_BUFFER
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size )
+#else
+YY_BUFFER_STATE yy_scan_buffer( base, size )
+char *base;
+yy_size_t size;
+#endif
+	{
+	YY_BUFFER_STATE b;
+
+	if ( size < 2 ||
+	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
+	     base[size-1] != YY_END_OF_BUFFER_CHAR )
+		/* They forgot to leave room for the EOB's. */
+		return 0;
+
+	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
+
+	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_pos = b->yy_ch_buf = base;
+	b->yy_is_our_buffer = 0;
+	b->yy_input_file = 0;
+	b->yy_n_chars = b->yy_buf_size;
+	b->yy_is_interactive = 0;
+	b->yy_at_bol = 1;
+	b->yy_fill_buffer = 0;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	yy_switch_to_buffer( b );
+
+	return b;
+	}
+#endif
+
+
+#ifndef YY_NO_SCAN_STRING
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str )
+#else
+YY_BUFFER_STATE yy_scan_string( yy_str )
+yyconst char *yy_str;
+#endif
+	{
+	int len;
+	for ( len = 0; yy_str[len]; ++len )
+		;
+
+	return yy_scan_bytes( yy_str, len );
+	}
+#endif
+
+
+#ifndef YY_NO_SCAN_BYTES
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len )
+#else
+YY_BUFFER_STATE yy_scan_bytes( bytes, len )
+yyconst char *bytes;
+int len;
+#endif
+	{
+	YY_BUFFER_STATE b;
+	char *buf;
+	yy_size_t n;
+	int i;
+
+	/* Get memory for full buffer, including space for trailing EOB's. */
+	n = len + 2;
+	buf = (char *) yy_flex_alloc( n );
+	if ( ! buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
+
+	for ( i = 0; i < len; ++i )
+		buf[i] = bytes[i];
+
+	buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR;
+
+	b = yy_scan_buffer( buf, n );
+	if ( ! b )
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
+
+	/* It's okay to grow etc. this buffer, and we should throw it
+	 * away when we're done.
+	 */
+	b->yy_is_our_buffer = 1;
+
+	return b;
+	}
+#endif
+
+
+#ifndef YY_NO_PUSH_STATE
+#ifdef YY_USE_PROTOS
+static void yy_push_state( int new_state )
+#else
+static void yy_push_state( new_state )
+int new_state;
+#endif
+	{
+	if ( yy_start_stack_ptr >= yy_start_stack_depth )
+		{
+		yy_size_t new_size;
+
+		yy_start_stack_depth += YY_START_STACK_INCR;
+		new_size = yy_start_stack_depth * sizeof( int );
+
+		if ( ! yy_start_stack )
+			yy_start_stack = (int *) yy_flex_alloc( new_size );
+
+		else
+			yy_start_stack = (int *) yy_flex_realloc(
+					(void *) yy_start_stack, new_size );
+
+		if ( ! yy_start_stack )
+			YY_FATAL_ERROR(
+			"out of memory expanding start-condition stack" );
+		}
+
+	yy_start_stack[yy_start_stack_ptr++] = YY_START;
+
+	BEGIN(new_state);
+	}
+#endif
+
+
+#ifndef YY_NO_POP_STATE
+static void yy_pop_state()
+	{
+	if ( --yy_start_stack_ptr < 0 )
+		YY_FATAL_ERROR( "start-condition stack underflow" );
+
+	BEGIN(yy_start_stack[yy_start_stack_ptr]);
+	}
+#endif
+
+
+#ifndef YY_NO_TOP_STATE
+static int yy_top_state()
+	{
+	return yy_start_stack[yy_start_stack_ptr - 1];
+	}
+#endif
+
+#ifndef YY_EXIT_FAILURE
+#define YY_EXIT_FAILURE 2
+#endif
+
+#ifdef YY_USE_PROTOS
+static void yy_fatal_error( yyconst char msg[] )
+#else
+static void yy_fatal_error( msg )
+char msg[];
+#endif
+	{
+	(void) fprintf( stderr, "%s\n", msg );
+	exit( YY_EXIT_FAILURE );
+	}
+
+
+
+/* Redefine yyless() so it works in section 3 code. */
+
+#undef yyless
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+		yytext[yyleng] = yy_hold_char; \
+		yy_c_buf_p = yytext + n; \
+		yy_hold_char = *yy_c_buf_p; \
+		*yy_c_buf_p = '\0'; \
+		yyleng = n; \
+		} \
+	while ( 0 )
+
+
+/* Internal utility routines. */
+
+#ifndef yytext_ptr
+#ifdef YY_USE_PROTOS
+static void yy_flex_strncpy( char *s1, yyconst char *s2, int n )
+#else
+static void yy_flex_strncpy( s1, s2, n )
+char *s1;
+yyconst char *s2;
+int n;
+#endif
+	{
+	register int i;
+	for ( i = 0; i < n; ++i )
+		s1[i] = s2[i];
+	}
+#endif
+
+#ifdef YY_NEED_STRLEN
+#ifdef YY_USE_PROTOS
+static int yy_flex_strlen( yyconst char *s )
+#else
+static int yy_flex_strlen( s )
+yyconst char *s;
+#endif
+	{
+	register int n;
+	for ( n = 0; s[n]; ++n )
+		;
+
+	return n;
+	}
+#endif
+
+
+#ifdef YY_USE_PROTOS
+static void *yy_flex_alloc( yy_size_t size )
+#else
+static void *yy_flex_alloc( size )
+yy_size_t size;
+#endif
+	{
+	return (void *) malloc( size );
+	}
+
+#ifdef YY_USE_PROTOS
+static void *yy_flex_realloc( void *ptr, yy_size_t size )
+#else
+static void *yy_flex_realloc( ptr, size )
+void *ptr;
+yy_size_t size;
+#endif
+	{
+	/* The cast to (char *) in the following accommodates both
+	 * implementations that use char* generic pointers, and those
+	 * that use void* generic pointers.  It works with the latter
+	 * because both ANSI C and C++ allow castless assignment from
+	 * any pointer type to void*, and deal with argument conversions
+	 * as though doing an assignment.
+	 */
+	return (void *) realloc( (char *) ptr, size );
+	}
+
+#ifdef YY_USE_PROTOS
+static void yy_flex_free( void *ptr )
+#else
+static void yy_flex_free( ptr )
+void *ptr;
+#endif
+	{
+	free( ptr );
+	}
+
+#if YY_MAIN
+int main()
+	{
+	yylex();
+	return 0;
+	}
+#endif
+#line 247 "ssl_expr_scan.l"
+
+
+int yyinput(char *buf, int max_size)
+{
+    int n;
+
+    if ((n = MIN(max_size, ssl_expr_info.inputbuf
+                         + ssl_expr_info.inputlen 
+                         - ssl_expr_info.inputptr)) <= 0)
+        return YY_NULL;
+    memcpy(buf, ssl_expr_info.inputptr, n);
+    ssl_expr_info.inputptr += n;
+    return n;
+}
+
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l b/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l
index c111b41bdf7..d4fa4c67081 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util.c b/usr.sbin/httpd/src/modules/ssl/ssl_util.c
index 7f69c495e5d..bfc9e5fcc3e 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c
index 4340f88ffad..5ed60d05e6e 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h
index def1d3d94f7..9468a68f8df 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
index a357be08c7f..16f9155249e 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h
index 2b5f3ce6d92..43866dd461c 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c
index 8a3fbea55b3..207ea086bc2 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1999-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h
index 5ad7a2a33ca..e7398569a30 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h
@@ -9,7 +9,7 @@
 */
 
 /* ====================================================================
- * Copyright (c) 1999 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1999-2000 Ralf S. Engelschall. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/standard/mod_actions.c b/usr.sbin/httpd/src/modules/standard/mod_actions.c
index 5906ee4c43a..d5ab4098f1a 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_actions.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_actions.c
@@ -87,8 +87,18 @@
 #include "util_script.h"
 
 typedef struct {
+    char *method;
+    char *script;
+} xmethod_t;
+
+/*
+ * HTTP methods are case-sensitive, so we can't use a table structure to
+ * track extension method mappings -- table keys are case-INsensitive.
+ */
+typedef struct {
     table *action_types;       /* Added with Action... */
     char *scripted[METHODS];   /* Added with Script... */
+    array_header *xmethods;    /* Added with Script -- extension methods */
 } action_dir_config;
 
 module action_module;
@@ -96,11 +106,11 @@ module action_module;
 static void *create_action_dir_config(pool *p, char *dummy)
 {
     action_dir_config *new =
-    (action_dir_config *) ap_palloc(p, sizeof(action_dir_config));
+	(action_dir_config *) ap_palloc(p, sizeof(action_dir_config));
 
     new->action_types = ap_make_table(p, 4);
     memset(new->scripted, 0, sizeof(new->scripted));
-
+    new->xmethods = ap_make_array(p, 4, sizeof(xmethod_t));
     return new;
 }
 
@@ -119,29 +129,56 @@ static void *merge_action_dir_configs(pool *p, void *basev, void *addv)
         new->scripted[i] = add->scripted[i] ? add->scripted[i]
                                             : base->scripted[i];
     }
+    new->xmethods = ap_append_arrays(p, add->xmethods, base->xmethods);
     return new;
 }
 
-static const char *add_action(cmd_parms *cmd, action_dir_config * m, char *type,
+static const char *add_action(cmd_parms *cmd, action_dir_config *m, char *type,
 			      char *script)
 {
     ap_table_setn(m->action_types, type, script);
     return NULL;
 }
 
-static const char *set_script(cmd_parms *cmd, action_dir_config * m,
+static const char *set_script(cmd_parms *cmd, action_dir_config *m,
                               char *method, char *script)
 {
     int methnum;
 
     methnum = ap_method_number_of(method);
-    if (methnum == M_TRACE)
-        return "TRACE not allowed for Script";
-    else if (methnum == M_INVALID)
-        return "Unknown method type for Script";
-    else
+    if (methnum == M_TRACE) {
+	return "TRACE not allowed for Script";
+    }
+    else if (methnum != M_INVALID) {
         m->scripted[methnum] = script;
+    }
+    else {
+	/*
+	 * We used to return "Unknown method type for Script"
+	 * but now we actually handle unknown methods.
+	 */
+	xmethod_t *xm;
+	xmethod_t *list;
+	int i;
 
+	/*
+	 * Scan through the list; if the method already has a script
+	 * defined, overwrite it.  Otherwise, add it.
+	 */
+	list = (xmethod_t *) m->xmethods->elts;
+	for (i = 0; i < m->xmethods->nelts; ++i) {
+	    xm = &list[i];
+	    if (strcmp(method, xm->method) == 0) {
+		xm->script = script;
+		break;
+	    }
+	}
+	if (i <= m->xmethods->nelts) {
+	    xm = ap_push_array(m->xmethods);
+	    xm->method = method;
+	    xm->script = script;
+	}
+    }
     return NULL;
 }
 
@@ -164,41 +201,61 @@ static int action_handler(request_rec *r)
 
     /* Set allowed stuff */
     for (i = 0; i < METHODS; ++i) {
-        if (conf->scripted[i])
-            r->allowed |= (1 << i);
+	if (conf->scripted[i]) {
+	    r->allowed |= (1 << i);
+	}
     }
 
     /* First, check for the method-handling scripts */
     if (r->method_number == M_GET) {
-        if (r->args)
+        if (r->args) {
             script = conf->scripted[M_GET];
-        else
+	}
+        else {
             script = NULL;
+	}
     }
     else {
-        script = conf->scripted[r->method_number];
+	if (r->method_number != M_INVALID) {
+	    script = conf->scripted[r->method_number];
+	}
+	else {
+	    int j;
+	    xmethod_t *xm;
+	    xmethod_t *list;
+
+	    script = NULL;
+	    list = (xmethod_t *) conf->xmethods->elts;
+	    for (j = 0; j < conf->xmethods->nelts; ++j) {
+		xm = &list[j];
+		if (strcmp(r->method, xm->method) == 0) {
+		    script = xm->script;
+		    break;
+		}
+	    }
+	}
     }
 
     /* Check for looping, which can happen if the CGI script isn't */
-    if (script && r->prev && r->prev->prev)
+    if (script && r->prev && r->prev->prev) {
 	return DECLINED;
+    }
 
     /* Second, check for actions (which override the method scripts) */
     if ((t = ap_table_get(conf->action_types,
-		       action ? action : ap_default_type(r)))) {
+			  action ? action : ap_default_type(r)))) {
 	script = t;
-	if (r->finfo.st_mode == 0) {
-	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
-			"File does not exist: %s", r->filename);
-	    return NOT_FOUND;
-	}
     }
 
-    if (script == NULL)
+    if (script == NULL) {
 	return DECLINED;
+    }
 
-    ap_internal_redirect_handler(ap_pstrcat(r->pool, script, ap_escape_uri(r->pool,
-			  r->uri), r->args ? "?" : NULL, r->args, NULL), r);
+    ap_internal_redirect_handler(ap_pstrcat(r->pool, script,
+					    ap_escape_uri(r->pool,
+							  r->uri),
+					    r->args ? "?" : NULL,
+					    r->args, NULL), r);
     return OK;
 }
 
diff --git a/usr.sbin/httpd/src/modules/standard/mod_auth_anon.c b/usr.sbin/httpd/src/modules/standard/mod_auth_anon.c
index e0c35b104fb..a6b8b80c779 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_auth_anon.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_auth_anon.c
@@ -313,3 +313,10 @@ module MODULE_VAR_EXPORT anon_auth_module =
     NULL,			/* child_exit */
     NULL			/* post read-request */
 };
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
diff --git a/usr.sbin/httpd/src/modules/standard/mod_auth_db.c b/usr.sbin/httpd/src/modules/standard/mod_auth_db.c
index e09e8eb6c4b..a6339885430 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_auth_db.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_auth_db.c
@@ -97,9 +97,14 @@
 #include "http_protocol.h"
 #include <db.h>
 
-#if defined(DB_VERSION_MAJOR) && (DB_VERSION_MAJOR == 2)
+#if defined(DB_VERSION_MAJOR)
+#if (DB_VERSION_MAJOR == 2)
 #define DB2
 #endif
+#if (DB_VERSION_MAJOR == 3)
+#define DB3
+#endif
+#endif
 
 typedef struct {
 
@@ -161,7 +166,10 @@ static char *get_db_pw(request_rec *r, char *user, const char *auth_dbpwfile)
     q.data = user;
     q.size = strlen(q.data);
 
-#ifdef DB2
+#if defined(DB3)
+    if (   db_create(&f, NULL, 0) != 0 
+        || f->open(f, auth_dbpwfile, NULL, DB_HASH, DB_RDONLY, 0664) != 0) {
+#elif defined(DB2)
     if (db_open(auth_dbpwfile, DB_HASH, DB_RDONLY, 0664, NULL, NULL, &f) != 0) {
 #else
     if (!(f = dbopen(auth_dbpwfile, O_RDONLY, 0664, DB_HASH, NULL))) {
@@ -171,7 +179,7 @@ static char *get_db_pw(request_rec *r, char *user, const char *auth_dbpwfile)
 	return NULL;
     }
 
-#ifdef DB2
+#if defined(DB2) || defined(DB3)
     if (!((f->get) (f, NULL, &q, &d, 0))) {
 #else
     if (!((f->get) (f, &q, &d, 0))) {
@@ -181,7 +189,7 @@ static char *get_db_pw(request_rec *r, char *user, const char *auth_dbpwfile)
 	pw[d.size] = '\0';	/* Terminate the string */
     }
 
-#ifdef DB2
+#if defined(DB2) || defined(DB3)
     (f->close) (f, 0);
 #else
     (f->close) (f);
diff --git a/usr.sbin/httpd/src/modules/standard/mod_auth_db.module b/usr.sbin/httpd/src/modules/standard/mod_auth_db.module
index 5508e290a7c..4636763b2a7 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_auth_db.module
+++ b/usr.sbin/httpd/src/modules/standard/mod_auth_db.module
@@ -2,22 +2,21 @@ Name: db_auth_module
 ConfigStart
     DB_VERSION=''
     DB_LIB=''
-    if ./helpers/TestCompile func db_open; then
+    if ./helpers/TestCompile func db_create; then
+        DB_VERSION='Berkeley-DB/3.x'
+    elif ./helpers/TestCompile lib db db_create; then
+        DB_VERSION='Berkeley-DB/3.x'
+        DB_LIB='-ldb'
+    elif ./helpers/TestCompile func db_open; then
         DB_VERSION='Berkeley-DB/2.x'
-    else
-        if ./helpers/TestCompile lib db db_open; then
-            DB_VERSION='Berkeley-DB/2.x'
-            DB_LIB='-ldb'
-        else
-            if ./helpers/TestCompile func dbopen; then
-                DB_VERSION='Berkeley-DB/1.x'
-            else
-                if ./helpers/TestCompile lib db dbopen; then
-                    DB_VERSION='Berkeley-DB/1.x'
-                    DB_LIB='-ldb'
-                fi
-            fi 
-        fi
+    elif ./helpers/TestCompile lib db db_open; then
+        DB_VERSION='Berkeley-DB/2.x'
+        DB_LIB='-ldb'
+    elif ./helpers/TestCompile func dbopen; then
+        DB_VERSION='Berkeley-DB/1.x'
+    elif ./helpers/TestCompile lib db dbopen; then
+        DB_VERSION='Berkeley-DB/1.x'
+        DB_LIB='-ldb'
     fi
     if [ ".$DB_VERSION" != . ]; then
         if [ ".$DB_LIB" != . ]; then
@@ -27,7 +26,7 @@ ConfigStart
             echo "      using $DB_VERSION for mod_auth_db (-lc)"
         fi
     else
-        echo "Error: Neither Berkeley-DB/1.x nor Berkeley-DB/2.x library found."
+        echo "Error: None of Berkeley-DB 1.x, 2.x or 3.x libraries found."
         echo "       Either disable mod_auth_db or provide us with the paths"
         echo "       to the Berkeley-DB include and library files."
         echo "       (Hint: INCLUDES, LDFLAGS, LIBS)"
diff --git a/usr.sbin/httpd/src/modules/standard/mod_autoindex.c b/usr.sbin/httpd/src/modules/standard/mod_autoindex.c
index 9c28dc40864..df1365b2ef4 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_autoindex.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_autoindex.c
@@ -95,6 +95,7 @@ module MODULE_VAR_EXPORT autoindex_module;
 #define SUPPRESS_PREAMBLE 64
 #define SUPPRESS_COLSORT 128
 #define NO_OPTIONS 256
+#define FOLDERS_FIRST 512
 
 #define K_PAD 1
 #define K_NOPAD 0
@@ -124,6 +125,7 @@ module MODULE_VAR_EXPORT autoindex_module;
  * Other default dimensions.
  */
 #define DEFAULT_NAME_WIDTH 23
+#define DEFAULT_DESC_WIDTH 23
 
 struct item {
     char *type;
@@ -140,13 +142,14 @@ typedef struct ai_desc_t {
 } ai_desc_t;
 
 typedef struct autoindex_config_struct {
-
     char *default_icon;
     int opts;
     int incremented_opts;
     int decremented_opts;
     int name_width;
     int name_adjust;
+    int desc_width;
+    int desc_adjust;
     int icon_width;
     int icon_height;
     char *default_order;
@@ -400,6 +403,9 @@ static const char *add_opts(cmd_parms *cmd, void *d, const char *optstr)
         else if (!strcasecmp(w, "SuppressColumnSorting")) {
             option = SUPPRESS_COLSORT;
 	}
+        else if (!strcasecmp(w, "FoldersFirst")) {
+            option = FOLDERS_FIRST;
+	}
 	else if (!strcasecmp(w, "None")) {
 	    if (action != '\0') {
 		return "Cannot combine '+' or '-' with 'None' keyword";
@@ -461,6 +467,31 @@ static const char *add_opts(cmd_parms *cmd, void *d, const char *optstr)
 		d_cfg->name_adjust = K_NOADJUST;
 	    }
 	}
+	else if (!strcasecmp(w, "DescriptionWidth")) {
+	    if (action != '-') {
+		return "DescriptionWidth with no value may only appear as "
+		       "'-DescriptionWidth'";
+	    }
+	    d_cfg->desc_width = DEFAULT_DESC_WIDTH;
+	    d_cfg->desc_adjust = K_NOADJUST;
+	}
+	else if (!strncasecmp(w, "DescriptionWidth=", 17)) {
+	    if (action == '-') {
+		return "Cannot combine '-' with DescriptionWidth=n";
+	    }
+	    if (w[17] == '*') {
+		d_cfg->desc_adjust = K_ADJUST;
+	    }
+	    else {
+		int width = atoi(&w[17]);
+
+		if (width < 12) {
+		    return "DescriptionWidth value must be greater than 12";
+		}
+		d_cfg->desc_width = width;
+		d_cfg->desc_adjust = K_NOADJUST;
+	    }
+	}
 	else {
 	    return "Invalid directory indexing option";
 	}
@@ -572,6 +603,8 @@ static void *create_autoindex_config(pool *p, char *dummy)
     new->icon_height = 0;
     new->name_width = DEFAULT_NAME_WIDTH;
     new->name_adjust = K_UNSET;
+    new->desc_width = DEFAULT_DESC_WIDTH;
+    new->desc_adjust = K_UNSET;
     new->icon_list = ap_make_array(p, 4, sizeof(struct item));
     new->alt_list = ap_make_array(p, 4, sizeof(struct item));
     new->desc_list = ap_make_array(p, 4, sizeof(ai_desc_t));
@@ -659,6 +692,17 @@ static void *merge_autoindex_configs(pool *p, void *basev, void *addv)
 	new->name_width = add->name_width;
 	new->name_adjust = add->name_adjust;
     }
+    /*
+     * Likewise for DescriptionWidth.
+     */
+    if (add->desc_adjust == K_UNSET) {
+	new->desc_width = base->desc_width;
+	new->desc_adjust = base->desc_adjust;
+    }
+    else {
+	new->desc_width = add->desc_width;
+	new->desc_adjust = add->desc_adjust;
+    }
 
     new->default_order = (add->default_order != NULL)
 	? add->default_order : base->default_order;
@@ -681,6 +725,8 @@ struct ent {
     time_t lm;
     struct ent *next;
     int ascending;
+    int isdir;
+    int checkdir;
     char key;
 };
 
@@ -924,6 +970,10 @@ static void do_emit_plain(request_rec *r, FILE *f)
     ap_rputs("</PRE>\n", r);
 }
 
+/* See mod_include */
+#define SUB_REQ_STRING	"Sub request to mod_include"
+#define PARENT_STRING	"Parent request to mod_include"
+
 /*
  * Handle the preamble through the H1 tag line, inclusive.  Locate
  * the file with a subrequests.  Process text/html documents by actually
@@ -966,6 +1016,11 @@ static void emit_head(request_rec *r, char *header_fname, int suppress_amble,
 		if (! suppress_amble) {
 		    emit_preamble(r, title);
 		}
+
+		/* See mod_include */
+		ap_table_add(r->notes, PARENT_STRING, "");
+		ap_table_add(rr->notes, SUB_REQ_STRING, "");
+
 		/*
 		 * If there's a problem running the subrequest, display the
 		 * preamble if we didn't do it before -- the header file
@@ -976,6 +1031,7 @@ static void emit_head(request_rec *r, char *header_fname, int suppress_amble,
 		    emit_amble = suppress_amble;
 		    emit_H1 = 1;
 		}
+		ap_table_unset(r->notes, PARENT_STRING);	/* cleanup */
 	    }
 	    else if (!strncasecmp("text/", rr->content_type, 5)) {
 		/*
@@ -1041,11 +1097,17 @@ static void emit_tail(request_rec *r, char *readme_fname, int suppress_amble)
 	if (rr->content_type != NULL) {
 	    if (!strcasecmp(ap_field_noparam(r->pool, rr->content_type),
 			    "text/html")) {
+
+		/* See mod_include */
+		ap_table_add(r->notes, PARENT_STRING, "");
+		ap_table_add(rr->notes, SUB_REQ_STRING, "");
+
 		if (ap_run_sub_req(rr) == OK) {
 		    /* worked... */
 		    suppress_sig = 1;
 		    suppress_post = suppress_amble;
 		}
+		ap_table_unset(r->notes, PARENT_STRING);	/* cleanup */
 	    }
 	    else if (!strncasecmp("text/", rr->content_type, 5)) {
 		/*
@@ -1147,6 +1209,14 @@ static struct ent *make_autoindex_entry(char *name, int autoindex_opts,
     p->alt = NULL;
     p->desc = NULL;
     p->lm = -1;
+    p->isdir = 0;
+    /*
+     * It's obnoxious to have to include this in every entry, but the qsort()
+     * comparison routine only takes two arguments..  The alternative would
+     * add another function call to each invocation.  Let's use memory
+     * rather than CPU.
+     */
+    p->checkdir = ((d->opts & FOLDERS_FIRST) != 0);
     p->key = ap_toupper(keyid);
     p->ascending = (ap_toupper(direction) == D_ASCENDING);
 
@@ -1156,6 +1226,7 @@ static struct ent *make_autoindex_entry(char *name, int autoindex_opts,
 	if (rr->finfo.st_mode != 0) {
 	    p->lm = rr->finfo.st_mtime;
 	    if (S_ISDIR(rr->finfo.st_mode)) {
+		p->isdir = 1;
 	        if (!(p->icon = find_icon(d, rr, 1))) {
 		    p->icon = find_default_icon(d, "^^DIRECTORY^^");
 		}
@@ -1193,19 +1264,27 @@ static struct ent *make_autoindex_entry(char *name, int autoindex_opts,
 }
 
 static char *terminate_description(autoindex_config_rec *d, char *desc,
-				   int autoindex_opts)
+				   int autoindex_opts, int desc_width)
 {
-    int maxsize = 23;
+    int maxsize = desc_width;
     register int x;
 
-    if (autoindex_opts & SUPPRESS_LAST_MOD) {
-	maxsize += 19;
-    }
-    if (autoindex_opts & SUPPRESS_SIZE) {
-	maxsize += 7;
+    /*
+     * If there's no DescriptionWidth in effect, default to the old
+     * behaviour of adjusting the description size depending upon
+     * what else is being displayed.  Otherwise, stick with the
+     * setting.
+     */
+    if (d->desc_adjust == K_UNSET) {
+	if (autoindex_opts & SUPPRESS_LAST_MOD) {
+	    maxsize += 19;
+	}
+	if (autoindex_opts & SUPPRESS_SIZE) {
+	    maxsize += 7;
+	}
     }
 
-    for (x = 0; desc[x] && (maxsize > 0 || desc[x]=='<'); x++) {
+    for (x = 0; desc[x] && ((maxsize > 0) || (desc[x] == '<')); x++) {
 	if (desc[x] == '<') {
 	    while (desc[x] != '>') {
 		if (!desc[x]) {
@@ -1271,6 +1350,7 @@ static void output_directories(struct ent **ar, int n,
     int static_columns = (autoindex_opts & SUPPRESS_COLSORT);
     pool *scratch = ap_make_sub_pool(r->pool);
     int name_width;
+    int desc_width;
     char *name_scratch;
     char *pad_scratch;
 
@@ -1278,6 +1358,17 @@ static void output_directories(struct ent **ar, int n,
 	name = "/";
     }
 
+    desc_width = d->desc_width;
+    if (d->desc_adjust == K_ADJUST) {
+	for (x = 0; x < n; x++) {
+	    if (ar[x]->desc != NULL) {
+		int t = strlen(ar[x]->desc);
+		if (t > desc_width) {
+		    desc_width = t;
+		}
+	    }
+	}
+    }
     name_width = d->name_width;
     if (d->name_adjust == K_ADJUST) {
 	for (x = 0; x < n; x++) {
@@ -1377,17 +1468,17 @@ static void output_directories(struct ent **ar, int n,
 
 	    nwidth = strlen(t2);
 	    if (nwidth > name_width) {
-	      memcpy(name_scratch, t2, name_width - 3);
-	      name_scratch[name_width - 3] = '.';
-	      name_scratch[name_width - 2] = '.';
-	      name_scratch[name_width - 1] = '>';
-	      name_scratch[name_width] = 0;
-	      t2 = name_scratch;
-	      nwidth = name_width;
+		memcpy(name_scratch, t2, name_width - 3);
+		name_scratch[name_width - 3] = '.';
+		name_scratch[name_width - 2] = '.';
+		name_scratch[name_width - 1] = '>';
+		name_scratch[name_width] = 0;
+		t2 = name_scratch;
+		nwidth = name_width;
 	    }
 	    ap_rvputs(r, " <A HREF=\"", anchor, "\">",
-	      ap_escape_html(scratch, t2), "</A>", pad_scratch + nwidth,
-	      NULL);
+		      ap_escape_html(scratch, t2), "</A>",
+		      pad_scratch + nwidth, NULL);
 	    /*
 	     * The blank before the storm.. er, before the next field.
 	     */
@@ -1411,7 +1502,8 @@ static void output_directories(struct ent **ar, int n,
 	    if (!(autoindex_opts & SUPPRESS_DESC)) {
 		if (ar[x]->desc) {
 		    ap_rputs(terminate_description(d, ar[x]->desc,
-						   autoindex_opts), r);
+						   autoindex_opts,
+						   desc_width), r);
 		}
 	    }
 	}
@@ -1451,6 +1543,15 @@ static int dsortf(struct ent **e1, struct ent **e2)
         return 1;
     }
     /*
+     * Now see if one's a directory and one isn't, AND we're listing
+     * directories first.
+     */
+    if ((*e1)->checkdir) {
+	if ((*e1)->isdir != (*e2)->isdir) {
+	    return (*e1)->isdir ? -1 : 1;
+	}
+    }
+    /*
      * All of our comparisons will be of the c1 entry against the c2 one,
      * so assign them appropriately to take care of the ordering.
      */
diff --git a/usr.sbin/httpd/src/modules/standard/mod_cern_meta.c b/usr.sbin/httpd/src/modules/standard/mod_cern_meta.c
index dbc1de6cabb..fb7d48b675f 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_cern_meta.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_cern_meta.c
@@ -150,7 +150,9 @@
 
 #include "httpd.h"
 #include "http_config.h"
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include <sys/stat.h>
 #include "util_script.h"
 #include "http_log.h"
@@ -393,3 +395,11 @@ module MODULE_VAR_EXPORT cern_meta_module =
     NULL,			/* child_exit */
     NULL			/* post read-request */
 };
+
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
diff --git a/usr.sbin/httpd/src/modules/standard/mod_cgi.c b/usr.sbin/httpd/src/modules/standard/mod_cgi.c
index 392fb5a1f13..617817ebef2 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_cgi.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_cgi.c
@@ -210,7 +210,7 @@ static int log_script(request_rec *r, cgi_server_conf * conf, int ret,
 	/* Soak up script output */
 	while (ap_bgets(argsbuffer, HUGE_STRING_LEN, script_in) > 0)
 	    continue;
-#ifdef WIN32
+#if defined(WIN32) || defined(NETWARE)
         /* Soak up stderr and redirect it to the error log.
          * Script output to stderr is already directed to the error log
          * on Unix, thanks to the magic of fork().
diff --git a/usr.sbin/httpd/src/modules/standard/mod_digest.c b/usr.sbin/httpd/src/modules/standard/mod_digest.c
index 74190d997be..02b8215fd9d 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_digest.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_digest.c
@@ -136,9 +136,7 @@ static char *get_hash(request_rec *r, char *user, char *auth_pwfile)
 
 static int get_digest_rec(request_rec *r, digest_header_rec * response)
 {
-    const char *auth_line = ap_table_get(r->headers_in,
-                                    r->proxyreq ? "Proxy-Authorization"
-                                    : "Authorization");
+    const char *auth_line;
     int l;
     int s, vk = 0, vv = 0;
     const char *t;
@@ -154,6 +152,9 @@ static int get_digest_rec(request_rec *r, digest_header_rec * response)
 	return SERVER_ERROR;
     }
 
+    auth_line = ap_table_get(r->headers_in,
+			     r->proxyreq == STD_PROXY ? "Proxy-Authorization"
+			                              : "Authorization");
     if (!auth_line) {
 	ap_note_digest_auth_failure(r);
 	return AUTH_REQUIRED;
@@ -388,3 +389,11 @@ module MODULE_VAR_EXPORT digest_module =
     NULL,			/* child_exit */
     NULL			/* post read-request */
 };
+
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
diff --git a/usr.sbin/httpd/src/modules/standard/mod_expires.c b/usr.sbin/httpd/src/modules/standard/mod_expires.c
index 4fcf51a8106..73392bdd2a2 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_expires.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_expires.c
@@ -508,3 +508,11 @@ module MODULE_VAR_EXPORT expires_module =
     NULL,                       /* child_exit */
     NULL                        /* post read-request */
 };
+
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
diff --git a/usr.sbin/httpd/src/modules/standard/mod_headers.c b/usr.sbin/httpd/src/modules/standard/mod_headers.c
index c3d50503eed..d3e66a55d97 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_headers.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_headers.c
@@ -263,3 +263,11 @@ module MODULE_VAR_EXPORT headers_module =
     NULL,                       /* child_exit */
     NULL                        /* post read-request */
 };
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
+
diff --git a/usr.sbin/httpd/src/modules/standard/mod_include.c b/usr.sbin/httpd/src/modules/standard/mod_include.c
index 3ee96db83b5..dacf096fc76 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_include.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_include.c
@@ -108,9 +108,6 @@
 
 module MODULE_VAR_EXPORT includes_module;
 
-/* just need some arbitrary non-NULL pointer which can't also be a request_rec */
-#define NESTED_INCLUDE_MAGIC	(&includes_module)
-
 /* ------------------------ Environment function -------------------------- */
 
 /* XXX: could use ap_table_overlap here */
@@ -129,7 +126,7 @@ static void add_include_vars(request_rec *r, char *timefmt)
               ap_ht_time(r->pool, r->finfo.st_mtime, timefmt, 0));
     ap_table_setn(e, "DOCUMENT_URI", r->uri);
     ap_table_setn(e, "DOCUMENT_PATH_INFO", r->path_info);
-#ifndef WIN32
+#if !defined(WIN32) && !defined(NETWARE)
     pw = getpwuid(r->finfo.st_uid);
     if (pw) {
         ap_table_setn(e, "USER_NAME", ap_pstrdup(r->pool, pw->pw_name));
@@ -745,10 +742,7 @@ static int handle_include(FILE *in, request_rec *r, const char *error, int noexe
                 ap_rputs(error, r);
             }
 
-	    /* destroy the sub request if it's not a nested include */
-            if (rr != NULL
-		&& ap_get_module_config(rr->request_config, &includes_module)
-		    != NESTED_INCLUDE_MAGIC) {
+	    if (rr != NULL) {
 		ap_destroy_sub_req(rr);
             }
         }
@@ -786,7 +780,7 @@ static int include_cmd_child(void *arg, child_info *pinfo)
     FILE *dbg = fopen("/dev/tty", "w");
 #endif
 #endif
-#ifndef WIN32
+#if !defined(WIN32) && !defined(OS2)
     char err_string[MAX_STRING_LEN];
 #endif
 
@@ -2375,6 +2369,53 @@ static int send_parsed_file(request_rec *r)
         return OK;
     }
 
+#define SUB_REQ_STRING	"Sub request to mod_include"
+#define PARENT_STRING	"Parent request to mod_include"
+
+    if (ap_table_get(r->notes, SUB_REQ_STRING)) {
+	/*
+	 * The note is a flag to mod_include that this request
+	 * should be treated as if it was a subrequest originating
+	 * in the handle_include() procedure of mod_include.
+	 */
+
+	/*
+	 * There is no good way to pass the parent request_rec to mod_include.
+	 * Tables only take string values and there is nowhere appropriate in
+	 * in the request_rec that can safely be used. So, search for the
+	 * parent note by walking up the r->main list of subrequests, and at
+	 * each level walking back through any internal redirects. This is
+	 * the same request walking that mod_include uses in the procedure
+	 * handle_include().
+	 */
+	request_rec *p = r->main;
+	request_rec *q = p;
+
+	while (q) {
+	    if (ap_table_get(q->notes, PARENT_STRING)) {
+		/* Kludge --- See below */
+		ap_set_module_config(r->request_config, &includes_module, q);
+
+		/* Create the initial environment in the parent */
+		ap_add_common_vars(q);
+		ap_add_cgi_vars(q);
+		add_include_vars(q, DEFAULT_TIME_FORMAT);
+
+		/* Cleanup - This should allow this technique to nest */
+		ap_table_unset(r->notes, SUB_REQ_STRING);
+		ap_table_unset(q->notes, PARENT_STRING);
+		break;
+	    }
+	    if (q->prev != NULL) {
+		q = q->prev;
+	    }
+	    else {
+		p = p->main;
+		q = p;
+	    }
+	}
+    }
+
     if ((parent = ap_get_module_config(r->request_config, &includes_module))) {
 	/* Kludge --- for nested includes, we want to keep the subprocess
 	 * environment of the base document (for compatibility); that means
@@ -2410,9 +2451,16 @@ static int send_parsed_file(request_rec *r)
     send_parsed_content(f, r);
 
     if (parent) {
-	/* signify that the sub request should not be killed */
-	ap_set_module_config(r->request_config, &includes_module,
-	    NESTED_INCLUDE_MAGIC);
+	/*
+	 * All the work is finished for this subrequest. The following
+	 * makes it safe for the creator of the subrequest to destroy it
+	 * via ap_destroy_sub_req() once the call to ap_run_sub_req()
+	 * returns. This is required since the original pool of the
+	 * subrequest has been merged into the pool of the parent request
+	 * of the subrequest (see Kludge above). The alternative is to
+	 * NOT destroy the subrequest.
+	 */
+	r->pool = ap_make_sub_pool(r->pool);
     }
 
     ap_kill_timeout(r);
diff --git a/usr.sbin/httpd/src/modules/standard/mod_info.c b/usr.sbin/httpd/src/modules/standard/mod_info.c
index 27995855780..3dd696cd437 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_info.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_info.c
@@ -68,7 +68,7 @@
  * GET /server-info?module_name - Returns configuration for a single module
  * GET /server-info?list - Returns quick list of included modules
  *
- * Rasmus Lerdorf <rasmus@vex.net>, May 1996
+ * Rasmus Lerdorf <rasmus@php.net>, May 1996
  *
  * 05.01.96 Initial Version
  *
@@ -693,3 +693,11 @@ module MODULE_VAR_EXPORT info_module =
     NULL,                       /* child_exit */
     NULL                        /* post read-request */
 };
+
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
diff --git a/usr.sbin/httpd/src/modules/standard/mod_log_config.c b/usr.sbin/httpd/src/modules/standard/mod_log_config.c
index def4069b961..78af1c8b968 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_log_config.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_log_config.c
@@ -117,7 +117,9 @@
  * literal characters copied into the log files, and '%' directives as
  * follows:
  *
- * %...b:  bytes sent, excluding HTTP headers.
+ * %...B:  bytes sent, excluding HTTP headers.
+ * %...b:  bytes sent, excluding HTTP headers in CLF format, i.e. a '-'
+ *         when no bytes where sent (rather than a '0'.
  * %...{FOOBAR}e:  The contents of the environment variable FOOBAR
  * %...f:  filename
  * %...h:  remote host
@@ -141,6 +143,9 @@
  * %...U:  the URL path requested.
  * %...v:  the configured name of the server (i.e. which virtual host?)
  * %...V:  the server name according to the UseCanonicalName setting
+ * %...m:  the request method
+ * %...H:  the request protocol
+ * %...q:  the query string prepended by "?", or empty if no query string
  *
  * The '...' can be nothing at all (e.g. "%h %u %r %s %b"), or it can
  * indicate conditions for inclusion of the item (which will cause it
@@ -337,12 +342,25 @@ static const char *log_request_uri(request_rec *r, char *a)
 {
     return r->uri;
 }
+static const char *log_request_method(request_rec *r, char *a)
+{
+    return r->method;
+}
+static const char *log_request_protocol(request_rec *r, char *a)
+{
+    return r->protocol;
+}
+static const char *log_request_query(request_rec *r, char *a)
+{
+    return (r->args != NULL) ? ap_pstrcat(r->pool, "?", r->args, NULL)
+                             : "";
+}
 static const char *log_status(request_rec *r, char *a)
 {
     return pfmt(r->pool, r->status);
 }
 
-static const char *log_bytes_sent(request_rec *r, char *a)
+static const char *clf_log_bytes_sent(request_rec *r, char *a)
 {
     if (!r->sent_bodyct) {
         return "-";
@@ -354,6 +372,19 @@ static const char *log_bytes_sent(request_rec *r, char *a)
     }
 }
 
+static const char *log_bytes_sent(request_rec *r, char *a)
+{
+    if (!r->sent_bodyct) {
+        return "0";
+    }
+    else {
+        long int bs;
+        ap_bgetopt(r->connection->client, BO_BYTECT, &bs);
+	return ap_psprintf(r->pool, "%ld", bs);
+    }
+}
+
+
 static const char *log_header_in(request_rec *r, char *a)
 {
     return ap_table_get(r->headers_in, a);
@@ -483,7 +514,10 @@ static struct log_item_list {
         's', log_status, 1
     },
     {
-        'b', log_bytes_sent, 0
+        'b', clf_log_bytes_sent, 0
+    },
+    {
+        'B', log_bytes_sent, 0
     },
     {
         'i', log_header_in, 0
@@ -510,6 +544,15 @@ static struct log_item_list {
         'P', log_child_pid, 0
     },
     {
+        'H', log_request_protocol, 0
+    },
+    {
+        'm', log_request_method, 0
+    },
+    {
+        'q', log_request_query, 0
+    },
+    {
         '\0'
     }
 };
diff --git a/usr.sbin/httpd/src/modules/standard/mod_mime.c b/usr.sbin/httpd/src/modules/standard/mod_mime.c
index f27356bfdd3..134196f1d9e 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_mime.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_mime.c
@@ -68,6 +68,13 @@
 #include "http_config.h"
 #include "http_log.h"
 
+/*
+ * isascii(c) isn't universal, and even those places where it is
+ * defined it's not always right for our needs.  Roll our own that
+ * we can rely on.
+ */
+#define ap_isascii(c) ((OS_ASC(c) & 0x80) == 0)
+
 typedef struct handlers_info {
     char *name;
 } handlers_info;
@@ -75,6 +82,7 @@ typedef struct handlers_info {
 typedef struct {
     table *forced_types;        /* Additional AddTyped stuff */
     table *encoding_types;      /* Added with AddEncoding... */
+    table *charset_types;	/* Added with AddCharset... */
     table *language_types;      /* Added with AddLanguage... */
     table *handlers;            /* Added with AddHandler...  */
     array_header *handlers_remove;     /* List of handlers to remove */
@@ -84,6 +92,24 @@ typedef struct {
     char *default_language;     /* Language if no AddLanguage ext found */
 } mime_dir_config;
 
+typedef struct param_s {
+    char *attr;
+    char *val;
+    struct param_s *next;
+} param;
+
+typedef struct {
+    char *type;
+    char *subtype;
+    param *param;
+} content_type;
+
+static char tspecial[] = {
+    '(', ')', '<', '>', '@', ',', ';', ':',
+    '\\', '"', '/', '[', ']', '?', '=',
+    '\0'
+};
+
 module MODULE_VAR_EXPORT mime_module;
 
 static void *create_mime_dir_config(pool *p, char *dummy)
@@ -93,6 +119,7 @@ static void *create_mime_dir_config(pool *p, char *dummy)
 
     new->forced_types = ap_make_table(p, 4);
     new->encoding_types = ap_make_table(p, 4);
+    new->charset_types = ap_make_table(p, 4);
     new->language_types = ap_make_table(p, 4);
     new->handlers = ap_make_table(p, 4);
     new->handlers_remove = ap_make_array(p, 4, sizeof(handlers_info));
@@ -119,9 +146,11 @@ static void *merge_mime_dir_configs(pool *p, void *basev, void *addv)
     }
 
     new->forced_types = ap_overlay_tables(p, add->forced_types,
-                                       base->forced_types);
+					 base->forced_types);
     new->encoding_types = ap_overlay_tables(p, add->encoding_types,
                                          base->encoding_types);
+    new->charset_types = ap_overlay_tables(p, add->charset_types,
+					   base->charset_types);
     new->language_types = ap_overlay_tables(p, add->language_types,
                                          base->language_types);
     new->handlers = ap_overlay_tables(p, add->handlers,
@@ -135,17 +164,18 @@ static void *merge_mime_dir_configs(pool *p, void *basev, void *addv)
     return new;
 }
 
-static const char *add_type(cmd_parms *cmd, mime_dir_config * m, char *ct,
+static const char *add_type(cmd_parms *cmd, mime_dir_config *m, char *ct,
                             char *ext)
 {
     if (*ext == '.')
-        ++ext;
+	++ext;
+	
     ap_str_tolower(ct);
     ap_table_setn(m->forced_types, ext, ct);
     return NULL;
 }
 
-static const char *add_encoding(cmd_parms *cmd, mime_dir_config * m, char *enc,
+static const char *add_encoding(cmd_parms *cmd, mime_dir_config *m, char *enc,
                                 char *ext)
 {
     if (*ext == '.')
@@ -155,17 +185,29 @@ static const char *add_encoding(cmd_parms *cmd, mime_dir_config * m, char *enc,
     return NULL;
 }
 
-static const char *add_language(cmd_parms *cmd, mime_dir_config * m, char *lang,
+static const char *add_charset(cmd_parms *cmd, mime_dir_config *m,
+			       char *charset, char *ext)
+{
+    if (*ext == '.') {
+	++ext;
+    }
+    ap_str_tolower(charset);
+    ap_table_setn(m->charset_types, ext, charset);
+    return NULL;
+}
+
+static const char *add_language(cmd_parms *cmd, mime_dir_config *m, char *lang,
                                 char *ext)
 {
-    if (*ext == '.')
-        ++ext;
+    if (*ext == '.') {
+	++ext;
+    }
     ap_str_tolower(lang);
     ap_table_setn(m->language_types, ext, lang);
     return NULL;
 }
 
-static const char *add_handler(cmd_parms *cmd, mime_dir_config * m, char *hdlr,
+static const char *add_handler(cmd_parms *cmd, mime_dir_config *m, char *hdlr,
                                char *ext)
 {
     if (*ext == '.')
@@ -209,6 +251,8 @@ static const command_rec mime_cmds[] =
      "a mime type followed by one or more file extensions"},
     {"AddEncoding", add_encoding, NULL, OR_FILEINFO, ITERATE2,
      "an encoding (e.g., gzip), followed by one or more file extensions"},
+    {"AddCharset", add_charset, NULL, OR_FILEINFO, ITERATE2,
+     "a charset (e.g., iso-2022-jp), followed by one or more file extensions"},
     {"AddLanguage", add_language, NULL, OR_FILEINFO, ITERATE2,
      "a language (e.g., fr), followed by one or more file extensions"},
     {"AddHandler", add_handler, NULL, OR_FILEINFO, ITERATE2,
@@ -275,6 +319,249 @@ static void init_mime(server_rec *s, pool *p)
     ap_cfg_closefile(f);
 }
 
+static char *zap_sp(char *s)
+{
+    char *tp;
+
+    if (s == NULL) {
+	return (NULL);
+    }
+    if (*s == '\0') {
+	return (s);
+    }
+
+    /* delete prefixed white space */
+    for (; *s == ' ' || *s == '\t' || *s == '\n'; s++);
+
+    /* delete postfixed white space */
+    for (tp = s; *tp != '\0'; tp++);
+    for (tp--; tp != s && (*tp == ' ' || *tp == '\t' || *tp == '\n'); tp--) {
+	*tp = '\0';
+    }
+    return (s);
+}
+
+static int is_token(char c)
+{
+    int res;
+
+    res = (ap_isascii(c) && isgraph(c)
+	   && (strchr(tspecial, c) == NULL)) ? 1 : -1;
+    return res;
+}
+
+static int is_qtext(char c)
+{
+    int res;
+
+    res = (ap_isascii(c) && (c != '"') && (c != '\\') && (c != '\n'))
+	? 1 : -1;
+    return res;
+}
+
+static int is_quoted_pair(char *s)
+{
+    int res = -1;
+    int c;
+
+    if (((s + 1) != NULL) && (*s == '\\')) {
+	c = (int) *(s + 1);
+	if (ap_isascii(c)) {
+	    res = 1;
+	}
+    }
+    return (res);
+}
+
+static content_type *analyze_ct(pool *p, char *s)
+{
+    char *tp, *mp, *cp;
+    char *attribute, *value;
+    int quoted = 0;
+
+    content_type *ctp;
+    param *pp, *npp;
+
+    /* initialize ctp */
+    ctp = (content_type *) ap_palloc(p, sizeof(content_type));
+    ctp->type = NULL;
+    ctp->subtype = NULL;
+    ctp->param = NULL;
+
+    tp = ap_pstrdup(p, s);
+
+    mp = tp;
+    cp = mp;
+
+    /* getting a type */
+    if (!(cp = strchr(mp, '/'))) {
+	ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+		     "mod_mime: analyze_ct: cannot get media type from '%s'",
+		     mp);
+	return (NULL);
+    }
+    ctp->type = ap_pstrndup(p, mp, cp - mp);
+    ctp->type = zap_sp(ctp->type);
+    if (ctp->type == NULL || *(ctp->type) == '\0' ||
+	strchr(ctp->type, ';') || strchr(ctp->type, ' ') ||
+	strchr(ctp->type, '\t')) {
+	ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+		     "Cannot get media subtype.");
+	return (NULL);
+    }
+
+    /* getting a subtype */
+    cp++;
+    mp = cp;
+
+    for (; *cp != ';' && *cp != '\0'; cp++);
+    ctp->subtype = ap_pstrndup(p, mp, cp - mp);
+    ctp->subtype = zap_sp(ctp->subtype);
+    if ((ctp->subtype == NULL) || (*(ctp->subtype) == '\0') ||
+	strchr(ctp->subtype, ' ') || strchr(ctp->subtype, '\t')) {
+	ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+		     "Cannot get media subtype.");
+	return (NULL);
+    }
+    cp = zap_sp(cp);
+    if (cp == NULL || *cp == '\0') {
+	return (ctp);
+    }
+
+    /* getting parameters */
+    cp++;
+    cp = zap_sp(cp);
+    if (cp == NULL || *cp == '\0') {
+	ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+		     "Cannot get media parameter.");
+	return (NULL);
+    }
+    mp = cp;
+    attribute = NULL;
+    value = NULL;
+
+    while (cp != NULL && *cp != '\0') {
+	if (attribute == NULL) {
+	    if (is_token((int) *cp) > 0) {
+		cp++;
+		continue;
+	    }
+	    else if (*cp == ' ' || *cp == '\t' || *cp == '\n') {
+		cp++;
+		continue;
+	    }
+	    else if (*cp == '=') {
+		attribute = ap_pstrndup(p, mp, cp - mp);
+		attribute = zap_sp(attribute);
+		if (attribute == NULL || *attribute == '\0') {
+		    ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+				 "Cannot get media parameter.");
+		    return (NULL);
+		}
+		cp++;
+		cp = zap_sp(cp);
+		if (cp == NULL || *cp == '\0') {
+		    ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+				 "Cannot get media parameter.");
+		    return (NULL);
+		}
+		mp = cp;
+		continue;
+	    }
+	    else {
+		ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+			     "Cannot get media parameter.");
+		return (NULL);
+	    }
+	}
+	else {
+	    if (mp == cp) {
+		if (*cp == '"') {
+		    quoted = 1;
+		    cp++;
+		}
+		else {
+		    quoted = 0;
+		}
+	    }
+	    if (quoted > 0) {
+		while (quoted && *cp != '\0') {
+		    if (is_qtext((int) *cp) > 0) {
+			cp++;
+		    }
+		    else if (is_quoted_pair(cp) > 0) {
+			cp += 2;
+		    }
+		    else if (*cp == '"') {
+			cp++;
+			while (*cp == ' ' || *cp == '\t' || *cp == '\n') {
+			    cp++;
+			}
+			if (*cp != ';' && *cp != '\0') {
+			    ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+					 "Cannot get media parameter.");
+			    return(NULL);
+			}
+			quoted = 0;
+		    }
+		    else {
+			ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+				     "Cannot get media parameter.");
+			return (NULL);
+		    }
+		}
+	    }
+	    else {
+		while (1) {
+		    if (is_token((int) *cp) > 0) {
+			cp++;
+		    }
+		    else if (*cp == '\0' || *cp == ';') {
+			break;
+		    }
+		    else {
+			ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+				     "Cannot get media parameter.");
+			return (NULL);
+		    }
+		}
+	    }
+	    value = ap_pstrndup(p, mp, cp - mp);
+	    value = zap_sp(value);
+	    if (value == NULL || *value == '\0') {
+		ap_log_error(APLOG_MARK, APLOG_WARNING, NULL,
+			     "Cannot get media parameter.");
+		return (NULL);
+	    }
+
+	    pp = ap_palloc(p, sizeof(param));
+	    pp->attr = attribute;
+	    pp->val = value;
+	    pp->next = NULL;
+
+	    if (ctp->param == NULL) {
+		ctp->param = pp;
+	    }
+	    else {
+		npp = ctp->param;
+		while (npp->next) {
+		    npp = npp->next;
+		}
+		npp->next = pp;
+	    }
+	    quoted = 0;
+	    attribute = NULL;
+	    value = NULL;
+	    if (*cp == '\0') {
+		break;
+	    }
+	    cp++;
+	    mp = cp;
+	}
+    }
+    return (ctp);
+}
+
 static int find_ct(request_rec *r)
 {
     const char *fn = strrchr(r->filename, '/');
@@ -283,6 +570,7 @@ static int find_ct(request_rec *r)
     char *ext;
     const char *orighandler = r->handler;
     const char *type;
+    const char *charset = NULL;
 
     if (S_ISDIR(r->finfo.st_mode)) {
         r->content_type = DIR_MAGIC_TYPE;
@@ -294,8 +582,9 @@ static int find_ct(request_rec *r)
      * pointer to getword, causing a SEGV ..
      */
 
-    if (fn == NULL)
-        fn = r->filename;
+    if (fn == NULL) {
+	fn = r->filename;
+    }
 
     /* Parse filename extensions, which can be in any order */
     while ((ext = ap_getword(r->pool, &fn, '.')) && *ext) {
@@ -308,6 +597,12 @@ static int find_ct(request_rec *r)
             found = 1;
         }
 
+	/* Add charset to Content-Type */
+	if ((type = ap_table_get(conf->charset_types, ext))) {
+	    charset = type;
+	    found = 1;
+	}
+
         /* Check for Content-Language */
         if ((type = ap_table_get(conf->language_types, ext))) {
             const char **new;
@@ -331,7 +626,8 @@ static int find_ct(request_rec *r)
         }
 
         /* Check for a special handler, but not for proxy request */
-        if ((type = ap_table_get(conf->handlers, ext)) && !r->proxyreq) {
+        if ((type = ap_table_get(conf->handlers, ext))
+	    && r->proxyreq == NOT_PROXY) {
             r->handler = type;
             found = 1;
         }
@@ -347,8 +643,46 @@ static int find_ct(request_rec *r)
             r->content_languages = NULL;
             r->content_encoding = NULL;
             r->handler = orighandler;
-        }
+	    charset = NULL;
+	}
+    }
 
+    if (r->content_type) {
+	content_type *ctp;
+	char *ct;
+	int override = 0;
+
+	ct = (char *) ap_palloc(r->pool,
+				sizeof(char) * (strlen(r->content_type) + 1));
+	strcpy(ct, r->content_type);
+
+	if ((ctp = analyze_ct(r->pool, ct))) {
+	    param *pp = ctp->param;
+	    r->content_type = ap_pstrcat(r->pool, ctp->type, "/",
+					 ctp->subtype, NULL);
+	    while (pp != NULL) {
+		if (charset && !strcmp(pp->attr, "charset")) {
+		    if (!override) {
+			r->content_type = ap_pstrcat(r->pool, r->content_type,
+						     "; charset=", charset,
+						     NULL);
+			override = 1;
+		    }
+		}
+		else {
+		    r->content_type = ap_pstrcat(r->pool, r->content_type,
+						 "; ", pp->attr,
+						 "=", pp->val,
+						 NULL);
+		}
+		pp = pp->next;
+	    }
+	    if (charset && !override) {
+		r->content_type = ap_pstrcat(r->pool, r->content_type,
+					     "; charset=", charset,
+					     NULL);
+	    }
+	}
     }
 
     /* Set default language, if none was specified by the extensions
diff --git a/usr.sbin/httpd/src/modules/standard/mod_rewrite.c b/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
index fa16d2d1916..4b48b854079 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
@@ -92,7 +92,9 @@
 #include "mod_rewrite.h"
 
 #ifndef NO_WRITEV
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include <sys/uio.h>
 #endif
 
@@ -1121,7 +1123,7 @@ static int hook_uri2file(request_rec *r)
             }
 
             /* now make sure the request gets handled by the proxy handler */
-            r->proxyreq = 1;
+            r->proxyreq = PROXY_PASS;
             r->handler  = "proxy-server";
 
             rewritelog(r, 1, "go-ahead with proxy request %s [OK]",
@@ -1129,13 +1131,19 @@ static int hook_uri2file(request_rec *r)
             return OK;
         }
         else if (  (strlen(r->filename) > 7 &&
-                    strncasecmp(r->filename, "http://", 7) == 0)
+                    strncasecmp(r->filename, "http://",   7) == 0)
                 || (strlen(r->filename) > 8 &&
-                    strncasecmp(r->filename, "https://", 8) == 0)
+                    strncasecmp(r->filename, "https://",  8) == 0)
                 || (strlen(r->filename) > 9 &&
                     strncasecmp(r->filename, "gopher://", 9) == 0)
                 || (strlen(r->filename) > 6 &&
-                    strncasecmp(r->filename, "ftp://", 6) == 0)    ) {
+                    strncasecmp(r->filename, "ftp://",    6) == 0)
+                || (strlen(r->filename) > 5 &&
+                    strncasecmp(r->filename, "ldap:",     5) == 0)
+                || (strlen(r->filename) > 5 &&
+                    strncasecmp(r->filename, "news:",     5) == 0)
+                || (strlen(r->filename) > 7 &&
+                    strncasecmp(r->filename, "mailto:",   7) == 0)) {
             /* it was finally rewritten to a remote URL */
 
             /* skip 'scheme:' */
@@ -1155,8 +1163,8 @@ static int hook_uri2file(request_rec *r)
 
             /* append the QUERY_STRING part */
             if (r->args != NULL) {
-               r->filename = ap_pstrcat(r->pool, r->filename,
-                                        "?", r->args, NULL);
+                r->filename = ap_pstrcat(r->pool, r->filename, "?", 
+                                         ap_escape_uri(r->pool, r->args), NULL);
             }
 
             /* determine HTTP redirect response code */
@@ -1200,7 +1208,7 @@ static int hook_uri2file(request_rec *r)
             /* it was finally rewritten to a local path */
 
             /* expand "/~user" prefix */
-#ifndef WIN32
+#if !defined(WIN32) && !defined(NETWARE)
             r->filename = expand_tildepaths(r, r->filename);
 #endif
             rewritelog(r, 2, "local path result: %s", r->filename);
@@ -1373,15 +1381,13 @@ static int hook_fixup(request_rec *r)
              * (r->path_info was already appended by the
              * rewriting engine because of the per-dir context!)
              */
-            if (r->args != NULL
-                && r->uri == r->unparsed_uri) {
-                /* see proxy_http:proxy_http_canon() */
+            if (r->args != NULL) {
                 r->filename = ap_pstrcat(r->pool, r->filename,
                                          "?", r->args, NULL);
             }
 
             /* now make sure the request gets handled by the proxy handler */
-            r->proxyreq = 1;
+            r->proxyreq = PROXY_PASS;
             r->handler  = "proxy-server";
 
             rewritelog(r, 1, "[per-dir %s] go-ahead with proxy request "
@@ -1389,13 +1395,19 @@ static int hook_fixup(request_rec *r)
             return OK;
         }
         else if (  (strlen(r->filename) > 7 &&
-                    strncmp(r->filename, "http://", 7) == 0)
+                    strncasecmp(r->filename, "http://",   7) == 0)
                 || (strlen(r->filename) > 8 &&
-                    strncmp(r->filename, "https://", 8) == 0)
+                    strncasecmp(r->filename, "https://",  8) == 0)
                 || (strlen(r->filename) > 9 &&
-                    strncmp(r->filename, "gopher://", 9) == 0)
+                    strncasecmp(r->filename, "gopher://", 9) == 0)
                 || (strlen(r->filename) > 6 &&
-                    strncmp(r->filename, "ftp://", 6) == 0)    ) {
+                    strncasecmp(r->filename, "ftp://",    6) == 0)
+                || (strlen(r->filename) > 5 &&
+                    strncasecmp(r->filename, "ldap:",     5) == 0)
+                || (strlen(r->filename) > 5 &&
+                    strncasecmp(r->filename, "news:",     5) == 0)
+                || (strlen(r->filename) > 7 &&
+                    strncasecmp(r->filename, "mailto:",   7) == 0)) {
             /* it was finally rewritten to a remote URL */
 
             /* because we are in a per-dir context
@@ -1444,8 +1456,8 @@ static int hook_fixup(request_rec *r)
 
             /* append the QUERY_STRING part */
             if (r->args != NULL) {
-                r->filename = ap_pstrcat(r->pool, r->filename,
-                                         "?", r->args, NULL);
+                r->filename = ap_pstrcat(r->pool, r->filename, "?", 
+                                         ap_escape_uri(r->pool, r->args), NULL);
             }
 
             /* determine HTTP redirect response code */
@@ -1845,7 +1857,7 @@ static int apply_rewrite_rule(request_rec *r, rewriterule_entry *p,
                 /*  One condition is false, but another can be
                  *  still true, so we have to continue...
                  */
-	        ap_table_unset(r->notes, VARY_KEY_THIS);
+                ap_table_unset(r->notes, VARY_KEY_THIS);
                 continue;
             }
             else {
@@ -1871,11 +1883,11 @@ static int apply_rewrite_rule(request_rec *r, rewriterule_entry *p,
                 break;
             }
         }
-	vary = ap_table_get(r->notes, VARY_KEY_THIS);
-	if (vary != NULL) {
-	    ap_table_merge(r->notes, VARY_KEY, vary);
-	    ap_table_unset(r->notes, VARY_KEY_THIS);
-	}
+        vary = ap_table_get(r->notes, VARY_KEY_THIS);
+        if (vary != NULL) {
+            ap_table_merge(r->notes, VARY_KEY, vary);
+            ap_table_unset(r->notes, VARY_KEY_THIS);
+        }
     }
     /*  if any condition fails the complete rule fails  */
     if (failed) {
@@ -1891,7 +1903,7 @@ static int apply_rewrite_rule(request_rec *r, rewriterule_entry *p,
      */
     if ((vary = ap_table_get(r->notes, VARY_KEY)) != NULL) {
         ap_table_merge(r->headers_out, "Vary", vary);
-	ap_table_unset(r->notes, VARY_KEY);
+        ap_table_unset(r->notes, VARY_KEY);
     }
 
     /*
@@ -2003,10 +2015,13 @@ static int apply_rewrite_rule(request_rec *r, rewriterule_entry *p,
     i = strlen(r->filename);
     if (   prefixstrip
         && !(   r->filename[0] == '/'
-             || (   (i > 7 && strncasecmp(r->filename, "http://", 7) == 0)
-                 || (i > 8 && strncasecmp(r->filename, "https://", 8) == 0)
+             || (   (i > 7 && strncasecmp(r->filename, "http://",   7) == 0)
+                 || (i > 8 && strncasecmp(r->filename, "https://",  8) == 0)
                  || (i > 9 && strncasecmp(r->filename, "gopher://", 9) == 0)
-                 || (i > 6 && strncasecmp(r->filename, "ftp://", 6) == 0)))) {
+                 || (i > 6 && strncasecmp(r->filename, "ftp://",    6) == 0)
+                 || (i > 5 && strncasecmp(r->filename, "ldap:",     5) == 0)
+                 || (i > 5 && strncasecmp(r->filename, "news:",     5) == 0)
+                 || (i > 7 && strncasecmp(r->filename, "mailto:",   7) == 0)))) {
         rewritelog(r, 3, "[per-dir %s] add per-dir prefix: %s -> %s%s",
                    perdir, r->filename, perdir, r->filename);
         r->filename = ap_pstrcat(r->pool, perdir, r->filename, NULL);
@@ -2071,10 +2086,13 @@ static int apply_rewrite_rule(request_rec *r, rewriterule_entry *p,
      *  directly force an external HTTP redirect.
      */
     i = strlen(r->filename);
-    if (   (i > 7 && strncasecmp(r->filename, "http://", 7)   == 0)
-        || (i > 8 && strncasecmp(r->filename, "https://", 8)  == 0)
+    if (   (i > 7 && strncasecmp(r->filename, "http://",   7) == 0)
+        || (i > 8 && strncasecmp(r->filename, "https://",  8) == 0)
         || (i > 9 && strncasecmp(r->filename, "gopher://", 9) == 0)
-        || (i > 6 && strncasecmp(r->filename, "ftp://", 6)    == 0)) {
+        || (i > 6 && strncasecmp(r->filename, "ftp://",    6) == 0)
+        || (i > 5 && strncasecmp(r->filename, "ldap:",     5) == 0)
+        || (i > 5 && strncasecmp(r->filename, "news:",     5) == 0)
+        || (i > 7 && strncasecmp(r->filename, "mailto:",   7) == 0) ) {
         if (perdir == NULL) {
             rewritelog(r, 2,
                        "implicitly forcing redirect (rc=%d) with %s",
@@ -2431,10 +2449,13 @@ static void fully_qualify_uri(request_rec *r)
     int port;
 
     i = strlen(r->filename);
-    if (!(   (i > 7 && strncasecmp(r->filename, "http://", 7)   == 0)
-          || (i > 8 && strncasecmp(r->filename, "https://", 8)  == 0)
+    if (!(   (i > 7 && strncasecmp(r->filename, "http://",   7) == 0)
+          || (i > 8 && strncasecmp(r->filename, "https://",  8) == 0)
           || (i > 9 && strncasecmp(r->filename, "gopher://", 9) == 0)
-          || (i > 6 && strncasecmp(r->filename, "ftp://", 6)    == 0))) {
+          || (i > 6 && strncasecmp(r->filename, "ftp://",    6) == 0)
+          || (i > 5 && strncasecmp(r->filename, "ldap:",     5) == 0)
+          || (i > 5 && strncasecmp(r->filename, "news:",     5) == 0)
+          || (i > 7 && strncasecmp(r->filename, "mailto:",   7) == 0))) {
 
         thisserver = ap_get_server_name(r);
         port = ap_get_server_port(r);
@@ -2470,34 +2491,37 @@ static void fully_qualify_uri(request_rec *r)
 static void expand_backref_inbuffer(pool *p, char *buf, int nbuf,
                                     backrefinfo *bri, char c)
 {
-    int i;
+    register int i;
 
-    if (bri->nsub < 1) {
-        return;
-    }
-
-    if (c != '$') {
-        /* safe existing $N backrefs and replace <c>N with $N backrefs */
-        for (i = 0; buf[i] != '\0' && i < nbuf; i++) {
-            if (buf[i] == '$' && (buf[i+1] >= '0' && buf[i+1] <= '9')) {
-                buf[i++] = '\001';
-            }
-            else if (buf[i] == c && (buf[i+1] >= '0' && buf[i+1] <= '9')) {
-                buf[i++] = '$';
-            }
+    /* protect existing $N and & backrefs and replace <c>N with $N backrefs */
+    for (i = 0; buf[i] != '\0' && i < nbuf; i++) {
+        if (buf[i] == '\\' && (buf[i+1] != '\0' && i < (nbuf-1))) {
+            i++; /* protect next */
+        }
+        else if (buf[i] == '&') {
+            buf[i] = '\001';
+        }
+        else if (c != '$' && buf[i] == '$' && (buf[i+1] >= '0' && buf[i+1] <= '9')) {
+            buf[i] = '\002';
+            i++; /* speedup */
+        }
+        else if (buf[i] == c && (buf[i+1] >= '0' && buf[i+1] <= '9')) {
+            buf[i] = '$';
+            i++; /* speedup */
         }
     }
 
-    /* now apply the pregsub() function */
+    /* now apply the standard regex substitution function */
     ap_cpystrn(buf, ap_pregsub(p, buf, bri->source,
-                         bri->nsub+1, bri->regmatch), nbuf);
+                               bri->nsub+1, bri->regmatch), nbuf);
 
-    if (c != '$') {
-        /* restore the original $N backrefs */
-        for (i = 0; buf[i] != '\0' && i < nbuf; i++) {
-            if (buf[i] == '\001' && (buf[i+1] >= '0' && buf[i+1] <= '9')) {
-                buf[i++] = '$';
-            }
+    /* restore the original $N and & backrefs */
+    for (i = 0; buf[i] != '\0' && i < nbuf; i++) {
+        if (buf[i] == '\001') {
+            buf[i] = '&';
+        }
+        else if (buf[i] == '\002') {
+            buf[i] = '$';
         }
     }
 }
@@ -2509,7 +2533,7 @@ static void expand_backref_inbuffer(pool *p, char *buf, int nbuf,
 **  Unix /etc/passwd database information
 **
 */
-#ifndef WIN32
+#if !defined(WIN32) && !defined(NETWARE)
 static char *expand_tildepaths(request_rec *r, char *uri)
 {
     char user[LONG_STRING_LEN];
@@ -3023,16 +3047,14 @@ static void rewrite_rand_init(void)
 
 static int rewrite_rand(int l, int h)
 {
-    int i;
-    char buf[50];
-
     rewrite_rand_init();
-    ap_snprintf(buf, sizeof(buf), "%.0f", 
-                (((double)(rand()%RAND_MAX)/RAND_MAX)*(h-l)));
-    i = atoi(buf)+1;
-    if (i < l) i = l;
-    if (i > h) i = h;
-    return i;
+
+    /* Get [0,1) and then scale to the appropriate range. Note that using
+     * a floating point value ensures that we use all bits of the rand()
+     * result. Doing an integer modulus would only use the lower-order bits
+     * which may not be as uniformly random.
+     */
+    return ((double)(rand() % RAND_MAX) / RAND_MAX) * (h - l + 1) + l;
 }
 
 static char *select_random_value_part(request_rec *r, char *value)
@@ -3274,7 +3296,7 @@ static void rewritelock_create(server_rec *s, pool *p)
                      "file %s", lockname);
         exit(1);
     }
-#if !defined(OS2) && !defined(WIN32)
+#if !defined(OS2) && !defined(WIN32) && !defined(NETWARE)
     /* make sure the childs have access to this file */
     if (geteuid() == 0 /* is superuser */)
         chown(lockname, ap_user_id, -1 /* no gid change */);
@@ -3437,6 +3459,8 @@ static int rewritemap_program_child(void *cmd, child_info *pinfo)
             child_pid = pi.dwProcessId;
         }
     }
+#elif defined(NETWARE)
+   // Need something here!!! Spawn????
 #elif defined(OS2)
     /* IBM OS/2 */
     execl(SHELL_PATH, SHELL_PATH, "/c", (char *)cmd, NULL);
@@ -3615,7 +3639,7 @@ static char *lookup_variable(request_rec *r, char *var)
     }
     else if (strcasecmp(var, "API_VERSION") == 0) { /* non-standard */
         ap_snprintf(resultbuf, sizeof(resultbuf), "%d:%d",
-		    MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR);
+                    MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR);
         result = resultbuf;
     }
 
@@ -3709,7 +3733,7 @@ static char *lookup_variable(request_rec *r, char *var)
         LOOKAHEAD(ap_sub_req_lookup_file)
     }
 
-#ifndef WIN32
+#if !defined(WIN32) && !defined(NETWARE)
     /* Win32 has a rather different view of file ownerships.
        For now, just forget it */
 
@@ -3744,7 +3768,7 @@ static char *lookup_variable(request_rec *r, char *var)
             }
         }
     }
-#endif /* ndef WIN32 */
+#endif /* ndef WIN32 && NETWARE*/
 
 #ifdef EAPI
     else {
@@ -3776,7 +3800,7 @@ static char *lookup_header(request_rec *r, const char *name)
             continue;
         }
         if (strcasecmp(hdrs[i].key, name) == 0) {
-	    ap_table_merge(r->notes, VARY_KEY_THIS, name);
+            ap_table_merge(r->notes, VARY_KEY_THIS, name);
             return hdrs[i].val;
         }
     }
@@ -4268,5 +4292,11 @@ static int compare_lexicography(char *cpNum1, char *cpNum2)
     return 0;
 }
 
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
 
 /*EOF*/
diff --git a/usr.sbin/httpd/src/modules/standard/mod_rewrite.h b/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
index 22ff3375589..46c255279f8 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
+++ b/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
@@ -101,7 +101,9 @@
 #include <signal.h>
 #include <errno.h>
 #include <ctype.h>
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include <sys/stat.h>
 
     /* Include from the Apache server ... */
@@ -157,7 +159,7 @@
 #endif
 #if !defined(USE_FCNTL) && !defined(USE_FLOCK)
 #define USE_FLOCK 1
-#if !defined(MPE) && !defined(WIN32) && !defined(__TANDEM)
+#if !defined(MPE) && !defined(WIN32) && !defined(__TANDEM) && !defined(NETWARE)
 #include <sys/file.h>
 #endif
 #ifndef LOCK_UN
diff --git a/usr.sbin/httpd/src/modules/standard/mod_so.c b/usr.sbin/httpd/src/modules/standard/mod_so.c
index c3c89c975f4..7429da4ca30 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_so.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_so.c
@@ -267,6 +267,14 @@ static const char *load_module(cmd_parms *cmd, void *dummy,
                           "' in file ", szModuleFile, " is garbled -"
                           " perhaps this is not an Apache module DSO?", NULL);
     }
+#ifdef EAPI
+    if (modp->magic == MODULE_MAGIC_COOKIE_AP13) {
+        ap_log_error(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, NULL,
+                     "Loaded DSO %s uses plain Apache 1.3 API, "
+                     "this module might crash under EAPI! "
+                     "(please recompile it with -DEAPI)", filename);
+    }
+#endif
 
     /* 
      * Add this module to the Apache core structures
diff --git a/usr.sbin/httpd/src/modules/standard/mod_speling.c b/usr.sbin/httpd/src/modules/standard/mod_speling.c
index 067fd77c719..328ec9937af 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_speling.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_speling.c
@@ -244,7 +244,7 @@ static int check_speling(request_rec *r)
     }
 
     /* We've already got a file of some kind or another */
-    if (r->proxyreq || (r->finfo.st_mode != 0)) {
+    if (r->proxyreq != NOT_PROXY || (r->finfo.st_mode != 0)) {
         return DECLINED;
     }
 
@@ -408,10 +408,11 @@ static int check_speling(request_rec *r)
 	    && (candidates->nelts == 1
 		|| variant[0].quality != variant[1].quality)) {
 
-            nuri = ap_pstrcat(r->pool, url, variant[0].name, r->path_info,
-			      r->parsed_uri.query ? "?" : "",
-			      r->parsed_uri.query ? r->parsed_uri.query : "",
-			      NULL);
+            nuri = ap_escape_uri(r->pool, ap_pstrcat(r->pool, url,
+						     variant[0].name,
+						     r->path_info, NULL));
+	    if (r->parsed_uri.query)
+		nuri = ap_pstrcat(r->pool, nuri, "?", r->parsed_uri.query, NULL);
 
             ap_table_setn(r->headers_out, "Location",
 			  ap_construct_url(r->pool, nuri, r));
@@ -556,3 +557,10 @@ module MODULE_VAR_EXPORT speling_module =
     NULL,                       /* child_exit */
     NULL                        /* post read-request */
 };
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
diff --git a/usr.sbin/httpd/src/modules/standard/mod_status.c b/usr.sbin/httpd/src/modules/standard/mod_status.c
index ad09467f4ab..fba55c982f5 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_status.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_status.c
@@ -814,3 +814,10 @@ module MODULE_VAR_EXPORT status_module =
     NULL,			/* child_exit */
     NULL			/* post read-request */
 };
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
diff --git a/usr.sbin/httpd/src/modules/standard/mod_userdir.c b/usr.sbin/httpd/src/modules/standard/mod_userdir.c
index 5c0e26d2753..829f8e22335 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_userdir.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_userdir.c
@@ -290,10 +290,10 @@ static int translate_userdir(request_rec *r)
             return REDIRECT;
         }
         else {
-#ifdef WIN32
-            /* Need to figure out home dirs on NT */
+#if defined(WIN32) || defined(NETWARE)
+            /* Need to figure out home dirs on NT and NetWare */
             return DECLINED;
-#else                           /* WIN32 */
+#else                           /* WIN32 & NetWare */
             struct passwd *pw;
             if ((pw = getpwnam(w))) {
 #ifdef OS2
@@ -303,7 +303,7 @@ static int translate_userdir(request_rec *r)
                 filename = ap_pstrcat(r->pool, pw->pw_dir, "/", userdir, NULL);
 #endif
             }
-#endif                          /* WIN32 */
+#endif                          /* WIN32 & NetWare */
         }
 
         /*
diff --git a/usr.sbin/httpd/src/modules/standard/mod_usertrack.c b/usr.sbin/httpd/src/modules/standard/mod_usertrack.c
index 1b50e159967..95983028564 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_usertrack.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_usertrack.c
@@ -137,7 +137,11 @@ static void make_cookie(request_rec *r)
     struct tms mpe_tms;
 #elif !defined(WIN32)
     struct timeval tv;
+#ifdef NETWARE
+    time_t tz = 0;
+#else
     struct timezone tz = {0, 0};
+#endif /* defined(NETWARE) */
 #endif
     /* 1024 == hardcoded constant */
     char cookiebuf[1024];
@@ -158,6 +162,9 @@ static void make_cookie(request_rec *r)
     ap_snprintf(cookiebuf, sizeof(cookiebuf), "%s.%d%ld%ld", rname,
 		(int) getpid(),
                 (long) r->request_time, (long) mpe_tms.tms_utime);
+#elif defined(NETWARE)
+    ap_snprintf(cookiebuf, sizeof(cookiebuf), "%s.%d%ld%ld", rname,
+        (int) getpid(), (long) r->request_time, (long) clock());                
 #elif defined(WIN32)
     /*
      * We lack gettimeofday() and we lack times(). So we'll use a combination
@@ -375,3 +382,12 @@ module MODULE_VAR_EXPORT usertrack_module = {
     NULL,                       /* child_exit */
     NULL                        /* post read-request */
 };
+
+
+#ifdef NETWARE
+int main(int argc, char *argv[]) 
+{
+    ExitThread(TSR_THREAD, 0);
+}
+#endif
+
diff --git a/usr.sbin/httpd/src/os/bs2000/bs2login.c b/usr.sbin/httpd/src/os/bs2000/bs2login.c
index 32eb1aecb00..dad5bab5f9d 100644
--- a/usr.sbin/httpd/src/os/bs2000/bs2login.c
+++ b/usr.sbin/httpd/src/os/bs2000/bs2login.c
@@ -192,7 +192,6 @@ int os_init_job_environment(server_rec *server, const char *user_name, int one_p
 {
     _rini_struct            inittask; 
     char                    username[USER_LEN+1];
-    int                     save_errno;
     bs2_ForkType            type = os_forktype();
 
     /* We can be sure that no change to uid==0 is possible because of
diff --git a/usr.sbin/httpd/src/os/bs2000/ebcdic.c b/usr.sbin/httpd/src/os/bs2000/ebcdic.c
index 0303fc6dbb7..be926503757 100644
--- a/usr.sbin/httpd/src/os/bs2000/ebcdic.c
+++ b/usr.sbin/httpd/src/os/bs2000/ebcdic.c
@@ -60,193 +60,123 @@
 #include "ap_config.h"
 #include "ebcdic.h"
 /*
-	   Initial Port for  Apache-1.3 by <Martin.Kraemer@Mch.SNI.De>
+           Initial Port for Apache-1.3 by <Martin.Kraemer@Mch.SNI.De>
+
+"BS2000 OSD/POSIX" is a POSIX subsystem on a main frame. It is made
+by Fujitsu-Siemens Computers GmbH, Germany. The POSIX system has been
+derived from a regular SVR4 source and thus is very "compatible"
+to other unixes. In fact, it received the X/Open branding.
 
-"BS2000 OSD" is a POSIX on a main frame. It is made by Siemens AG, Germany.
 Within the POSIX subsystem, the same character set was chosen as in
-"native BS2000", namely EBCDIC.
+"native BS2000", namely EBCDIC. This requires conversions at various
+stages of the request and response processing.
 
-EBCDIC Table. (Yes, in EBCDIC, the letters 'a'..'z' are not contiguous!)
+EBCDIC Table. (In EBCDIC, the letters 'a'..'z' are not contiguous!)
 This table is bijective, i.e. there are no ambigous or duplicate characters
-00    00 01 02 03 85 09 86 7f  87 8d 8e 0b 0c 0d 0e 0f  *................*
-10    10 11 12 13 8f 0a 08 97  18 19 9c 9d 1c 1d 1e 1f  *................*
-20    80 81 82 83 84 92 17 1b  88 89 8a 8b 8c 05 06 07  *................*
-30    90 91 16 93 94 95 96 04  98 99 9a 9b 14 15 9e 1a  *................*
-40    20 a0 e2 e4 e0 e1 e3 e5  e7 f1 60 2e 3c 28 2b 7c  * .........`.<(+|*
-50    26 e9 ea eb e8 ed ee ef  ec df 21 24 2a 29 3b 9f  *&.........!$*);.*
-60    2d 2f c2 c4 c0 c1 c3 c5  c7 d1 5e 2c 25 5f 3e 3f  *-/........^,%_>?*
-70    f8 c9 ca cb c8 cd ce cf  cc a8 3a 23 40 27 3d 22  *..........:#@'="*
-80    d8 61 62 63 64 65 66 67  68 69 ab bb f0 fd fe b1  *.abcdefghi......*
-90    b0 6a 6b 6c 6d 6e 6f 70  71 72 aa ba e6 b8 c6 a4  *.jklmnopqr......*
-a0    b5 af 73 74 75 76 77 78  79 7a a1 bf d0 dd de ae  *..stuvwxyz......*
-b0    a2 a3 a5 b7 a9 a7 b6 bc  bd be ac 5b 5c 5d b4 d7  *...........[\]..*
-c0    f9 41 42 43 44 45 46 47  48 49 ad f4 f6 f2 f3 f5  *.ABCDEFGHI......*
-d0    a6 4a 4b 4c 4d 4e 4f 50  51 52 b9 fb fc db fa ff  *.JKLMNOPQR......*
-e0    d9 f7 53 54 55 56 57 58  59 5a b2 d4 d6 d2 d3 d5  *..STUVWXYZ......*
-f0    30 31 32 33 34 35 36 37  38 39 b3 7b dc 7d da 7e  *0123456789.{.}.~*
 */
 
-/* The bijective ebcdic-to-ascii table: */
-const unsigned char os_toascii_strictly[256] = {
-/*00*/ 0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f,
-       0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /*................*/
-/*10*/ 0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97,
-       0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /*................*/
-/*20*/ 0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b,
-       0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /*................*/
-/*30*/ 0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04,
-       0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /*................*/
-/*40*/ 0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5,
-       0xe7, 0xf1, 0x60, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /* .........`.<(+|*/
-/*50*/ 0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef,
-       0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x9f, /*&.........!$*);.*/
-/*60*/ 0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5,
-       0xc7, 0xd1, 0x5e, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /*-/........^,%_>?*/
-/*70*/ 0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf,
-       0xcc, 0xa8, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /*..........:#@'="*/
-/*80*/ 0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-       0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /*.abcdefghi......*/
-/*90*/ 0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
-       0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /*.jklmnopqr......*/
-/*a0*/ 0xb5, 0xaf, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
-       0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0xdd, 0xde, 0xae, /*..stuvwxyz......*/
-/*b0*/ 0xa2, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc,
-       0xbd, 0xbe, 0xac, 0x5b, 0x5c, 0x5d, 0xb4, 0xd7, /*...........[\]..*/
-/*c0*/ 0xf9, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-       0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /*.ABCDEFGHI......*/
-/*d0*/ 0xa6, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
-       0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xdb, 0xfa, 0xff, /*.JKLMNOPQR......*/
-/*e0*/ 0xd9, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
-       0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /*..STUVWXYZ......*/
-/*f0*/ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-       0x38, 0x39, 0xb3, 0x7b, 0xdc, 0x7d, 0xda, 0x7e  /*0123456789.{.}.~*/
-};
-
-/* This table is (almost) identical to the previous one. The only difference
- * is the fact that it maps every EBCDIC *except 0x0A* to its ASCII
- * equivalent. The reason for this table is simple: Throughout the
- * server, protocol strings are used in the form
- *  "Content-Type: text/plain\015\012". Now all the characters in the string
- * are stored as EBCDIC, only the semantics of \012 is completely
- * different from LF (look it up in the table above). \015 happens to be
- * mapped to \015 anyway, so there's no special case for it.
- * 
- * In THIS table, EBCDIC-\012 is mapped to ASCII-\012.
- * This table is therefore used wherever an EBCDIC to ASCII conversion is
- * needed in the server.
- */
-/* ebcdic-to-ascii with \012 mapped to ASCII-\n */
+/* Bijective ebcdic-to-ascii table: */
 const unsigned char os_toascii[256] = {
-/*00*/ 0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f,
-       0x87, 0x8d, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /*................*/
-/*10*/ 0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97,
-       0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /*................*/
-/*20*/ 0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b,
-       0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /*................*/
-/*30*/ 0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04,
-       0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /*................*/
-/*40*/ 0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5,
-       0xe7, 0xf1, 0x60, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /* .........`.<(+|*/
-/*50*/ 0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef,
-       0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x9f, /*&.........!$*);.*/
-/*60*/ 0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5,
-       0xc7, 0xd1, 0x5e, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /*-/........^,%_>?*/
-/*70*/ 0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf,
-       0xcc, 0xa8, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /*..........:#@'="*/
-/*80*/ 0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-       0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /*.abcdefghi......*/
-/*90*/ 0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
-       0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /*.jklmnopqr......*/
-/*a0*/ 0xb5, 0xaf, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
-       0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0xdd, 0xde, 0xae, /*..stuvwxyz......*/
-/*b0*/ 0xa2, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc,
-       0xbd, 0xbe, 0xac, 0x5b, 0x5c, 0x5d, 0xb4, 0xd7, /*...........[\]..*/
-/*c0*/ 0xf9, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-       0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /*.ABCDEFGHI......*/
-/*d0*/ 0xa6, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
-       0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xdb, 0xfa, 0xff, /*.JKLMNOPQR......*/
-/*e0*/ 0xd9, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
-       0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /*..STUVWXYZ......*/
-/*f0*/ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-       0x38, 0x39, 0xb3, 0x7b, 0xdc, 0x7d, 0xda, 0x7e  /*0123456789.{.}.~*/
+/*00*/  0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f,
+        0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /*................*/
+/*10*/  0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97,
+        0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /*................*/
+/*20*/  0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b,
+        0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /*................*/
+/*30*/  0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04,
+        0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /*................*/
+/*40*/  0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5,
+        0xe7, 0xf1, 0x60, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /* .........`.<(+|*/
+/*50*/  0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef,
+        0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x9f, /*&.........!$*);.*/
+/*60*/  0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5,
+        0xc7, 0xd1, 0x5e, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /*-/........^,%_>?*/
+/*70*/  0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf,
+        0xcc, 0xa8, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /*..........:#@'="*/
+/*80*/  0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+        0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /*.abcdefghi......*/
+/*90*/  0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+        0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /*.jklmnopqr......*/
+/*a0*/  0xb5, 0xaf, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+        0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0xdd, 0xde, 0xae, /*..stuvwxyz......*/
+/*b0*/  0xa2, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc,
+        0xbd, 0xbe, 0xac, 0x5b, 0x5c, 0x5d, 0xb4, 0xd7, /*...........[\]..*/
+/*c0*/  0xf9, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+        0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /*.ABCDEFGHI......*/
+/*d0*/  0xa6, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
+        0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xdb, 0xfa, 0xff, /*.JKLMNOPQR......*/
+/*e0*/  0xd9, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
+        0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /*..STUVWXYZ......*/
+/*f0*/  0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0xb3, 0x7b, 0xdc, 0x7d, 0xda, 0x7e  /*0123456789.{.}.~*/
 };
 
-/* The ascii-to-ebcdic table:
-00    00 01 02 03 37 2d 2e 2f  16 05 15 0b 0c 0d 0e 0f  *................*
-10    10 11 12 13 3c 3d 32 26  18 19 3f 27 1c 1d 1e 1f  *................*
-20    40 5a 7f 7b 5b 6c 50 7d  4d 5d 5c 4e 6b 60 4b 61  * !"#$%&'()*+,-./
-30    f0 f1 f2 f3 f4 f5 f6 f7  f8 f9 7a 5e 4c 7e 6e 6f  *0123456789:;<=>?*
-40    7c c1 c2 c3 c4 c5 c6 c7  c8 c9 d1 d2 d3 d4 d5 d6  *@ABCDEFGHIJKLMNO*
-50    d7 d8 d9 e2 e3 e4 e5 e6  e7 e8 e9 bb bc bd 6a 6d  *PQRSTUVWXYZ[\]^_*
-60    4a 81 82 83 84 85 86 87  88 89 91 92 93 94 95 96  *`abcdefghijklmno*
-70    97 98 99 a2 a3 a4 a5 a6  a7 a8 a9 fb 4f fd ff 07  *pqrstuvwxyz{|}~.*
-80    20 21 22 23 24 04 06 08  28 29 2a 2b 2c 09 0a 14  *................*
-90    30 31 25 33 34 35 36 17  38 39 3a 3b 1a 1b 3e 5f  *................*
-a0    41 aa b0 b1 9f b2 d0 b5  79 b4 9a 8a ba ca af a1  *................*
-b0    90 8f ea fa be a0 b6 b3  9d da 9b 8b b7 b8 b9 ab  *................*
-c0    64 65 62 66 63 67 9e 68  74 71 72 73 78 75 76 77  *................*
-d0    ac 69 ed ee eb ef ec bf  80 e0 fe dd fc ad ae 59  *................*
-e0    44 45 42 46 43 47 9c 48  54 51 52 53 58 55 56 57  *................*
-f0    8c 49 cd ce cb cf cc e1  70 c0 de db dc 8d 8e df  *................*
-*/
+
+/* Bijective ascii-to-ebcdic table: */
 const unsigned char os_toebcdic[256] = {
 /*00*/  0x00, 0x01, 0x02, 0x03, 0x37, 0x2d, 0x2e, 0x2f,
-	0x16, 0x05, 0x15, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,  /*................*/
+        0x16, 0x05, 0x15, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,  /*................*/
 /*10*/  0x10, 0x11, 0x12, 0x13, 0x3c, 0x3d, 0x32, 0x26,
-	0x18, 0x19, 0x3f, 0x27, 0x1c, 0x1d, 0x1e, 0x1f,  /*................*/
+        0x18, 0x19, 0x3f, 0x27, 0x1c, 0x1d, 0x1e, 0x1f,  /*................*/
 /*20*/  0x40, 0x5a, 0x7f, 0x7b, 0x5b, 0x6c, 0x50, 0x7d,
-	0x4d, 0x5d, 0x5c, 0x4e, 0x6b, 0x60, 0x4b, 0x61,  /* !"#$%&'()*+,-./ */
+        0x4d, 0x5d, 0x5c, 0x4e, 0x6b, 0x60, 0x4b, 0x61,  /* !"#$%&'()*+,-./ */
 /*30*/  0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-	0xf8, 0xf9, 0x7a, 0x5e, 0x4c, 0x7e, 0x6e, 0x6f,  /*0123456789:;<=>?*/
+        0xf8, 0xf9, 0x7a, 0x5e, 0x4c, 0x7e, 0x6e, 0x6f,  /*0123456789:;<=>?*/
 /*40*/  0x7c, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-	0xc8, 0xc9, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6,  /*@ABCDEFGHIJKLMNO*/
+        0xc8, 0xc9, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6,  /*@ABCDEFGHIJKLMNO*/
 /*50*/  0xd7, 0xd8, 0xd9, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6,
-	0xe7, 0xe8, 0xe9, 0xbb, 0xbc, 0xbd, 0x6a, 0x6d,  /*PQRSTUVWXYZ[\]^_*/
+        0xe7, 0xe8, 0xe9, 0xbb, 0xbc, 0xbd, 0x6a, 0x6d,  /*PQRSTUVWXYZ[\]^_*/
 /*60*/  0x4a, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-	0x88, 0x89, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96,  /*`abcdefghijklmno*/
+        0x88, 0x89, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96,  /*`abcdefghijklmno*/
 /*70*/  0x97, 0x98, 0x99, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6,
-	0xa7, 0xa8, 0xa9, 0xfb, 0x4f, 0xfd, 0xff, 0x07,  /*pqrstuvwxyz{|}~.*/
+        0xa7, 0xa8, 0xa9, 0xfb, 0x4f, 0xfd, 0xff, 0x07,  /*pqrstuvwxyz{|}~.*/
 /*80*/  0x20, 0x21, 0x22, 0x23, 0x24, 0x04, 0x06, 0x08,
-	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x09, 0x0a, 0x14,  /*................*/
+        0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x09, 0x0a, 0x14,  /*................*/
 /*90*/  0x30, 0x31, 0x25, 0x33, 0x34, 0x35, 0x36, 0x17,
-	0x38, 0x39, 0x3a, 0x3b, 0x1a, 0x1b, 0x3e, 0x5f,  /*................*/
+        0x38, 0x39, 0x3a, 0x3b, 0x1a, 0x1b, 0x3e, 0x5f,  /*................*/
 /*a0*/  0x41, 0xaa, 0xb0, 0xb1, 0x9f, 0xb2, 0xd0, 0xb5,
-	0x79, 0xb4, 0x9a, 0x8a, 0xba, 0xca, 0xaf, 0xa1,  /*................*/
+        0x79, 0xb4, 0x9a, 0x8a, 0xba, 0xca, 0xaf, 0xa1,  /*................*/
 /*b0*/  0x90, 0x8f, 0xea, 0xfa, 0xbe, 0xa0, 0xb6, 0xb3,
-	0x9d, 0xda, 0x9b, 0x8b, 0xb7, 0xb8, 0xb9, 0xab,  /*................*/
+        0x9d, 0xda, 0x9b, 0x8b, 0xb7, 0xb8, 0xb9, 0xab,  /*................*/
 /*c0*/  0x64, 0x65, 0x62, 0x66, 0x63, 0x67, 0x9e, 0x68,
-	0x74, 0x71, 0x72, 0x73, 0x78, 0x75, 0x76, 0x77,  /*................*/
+        0x74, 0x71, 0x72, 0x73, 0x78, 0x75, 0x76, 0x77,  /*................*/
 /*d0*/  0xac, 0x69, 0xed, 0xee, 0xeb, 0xef, 0xec, 0xbf,
-	0x80, 0xe0, 0xfe, 0xdd, 0xfc, 0xad, 0xae, 0x59,  /*................*/
+        0x80, 0xe0, 0xfe, 0xdd, 0xfc, 0xad, 0xae, 0x59,  /*................*/
 /*e0*/  0x44, 0x45, 0x42, 0x46, 0x43, 0x47, 0x9c, 0x48,
-	0x54, 0x51, 0x52, 0x53, 0x58, 0x55, 0x56, 0x57,  /*................*/
+        0x54, 0x51, 0x52, 0x53, 0x58, 0x55, 0x56, 0x57,  /*................*/
 /*f0*/  0x8c, 0x49, 0xcd, 0xce, 0xcb, 0xcf, 0xcc, 0xe1,
-	0x70, 0xc0, 0xde, 0xdb, 0xdc, 0x8d, 0x8e, 0xdf   /*................*/
+        0x70, 0xc0, 0xde, 0xdb, 0xdc, 0x8d, 0x8e, 0xdf   /*................*/
 };
 
 /* Translate a memory block from EBCDIC (host charset) to ASCII (net charset)
  * dest and srce may be identical, or separate memory blocks, but
- * should not overlap.
+ * should not overlap. These functions intentionally have an interface
+ * compatible to memcpy(3).
  */
-void
-ebcdic2ascii(unsigned char *dest, const unsigned char *srce, size_t count)
-{
-	while (count-- != 0) {
-		*dest++ = os_toascii[*srce++];
-	}
-}
-void
-ebcdic2ascii_strictly(unsigned char *dest, const unsigned char *srce, size_t count)
+
+void *
+ebcdic2ascii(void *dest, const void *srce, size_t count)
 {
-	while (count-- != 0) {
-		*dest++ = os_toascii_strictly[*srce++];
-	}
+    unsigned char *udest = dest;
+    const unsigned char *usrce = srce;
+
+    while (count-- != 0) {
+        *udest++ = os_toascii[*usrce++];
+    }
+
+    return dest;
 }
-void
-ascii2ebcdic(unsigned char *dest, const unsigned char *srce, size_t count)
+
+void *
+ascii2ebcdic(void *dest, const void *srce, size_t count)
 {
-	while (count-- != 0) {
-		*dest++ = os_toebcdic[*srce++];
-	}
+    unsigned char *udest = dest;
+    const unsigned char *usrce = srce;
+
+    while (count-- != 0) {
+        *udest++ = os_toebcdic[*usrce++];
+    }
+
+    return dest;
 }
 #endif /*CHARSET_EBCDIC*/
diff --git a/usr.sbin/httpd/src/os/bs2000/ebcdic.h b/usr.sbin/httpd/src/os/bs2000/ebcdic.h
index 267f9786df2..9712cfaf00f 100644
--- a/usr.sbin/httpd/src/os/bs2000/ebcdic.h
+++ b/usr.sbin/httpd/src/os/bs2000/ebcdic.h
@@ -1,8 +1,11 @@
+#ifndef AP_EBCDIC_H
+#define AP_EBCDIC_H  "$Id: ebcdic.h,v 1.2 2000/01/25 18:30:05 beck Exp $"
+
 #include <sys/types.h>
 
 extern const unsigned char os_toascii[256];
 extern const unsigned char os_toebcdic[256];
-void ebcdic2ascii(unsigned char *dest, const unsigned char *srce, size_t count);
-void ebcdic2ascii_strictly(unsigned char *dest, const unsigned char *srce, size_t count);
-void ascii2ebcdic(unsigned char *dest, const unsigned char *srce, size_t count);
+void *ebcdic2ascii(void *dest, const void *srce, size_t count);
+void *ascii2ebcdic(void *dest, const void *srce, size_t count);
 
+#endif /*AP_EBCDIC_H*/
diff --git a/usr.sbin/httpd/src/os/bs2000/os.c b/usr.sbin/httpd/src/os/bs2000/os.c
index c33810a2f0d..a23e245f77e 100644
--- a/usr.sbin/httpd/src/os/bs2000/os.c
+++ b/usr.sbin/httpd/src/os/bs2000/os.c
@@ -85,7 +85,8 @@ int ap_checkconv(struct request_rec *r)
 
     /* Conversion is applied to text/ files only, if ever. */
     if (type && (strncasecmp(type, "text/", 5) == 0 ||
-		 strncasecmp(type, "message/", 8) == 0)) {
+		 strncasecmp(type, "message/", 8) == 0 ||
+		 strncasecmp(type, "multipart/", 10) == 0)) {
 	if (strncasecmp(type, ASCIITEXT_MAGIC_TYPE_PREFIX,
 			sizeof(ASCIITEXT_MAGIC_TYPE_PREFIX)-1) == 0)
 	    r->content_type = ap_pstrcat(r->pool, "text/",
diff --git a/usr.sbin/httpd/src/os/os2/os.c b/usr.sbin/httpd/src/os/os2/os.c
index 4a45c1fd26e..934ca24614d 100644
--- a/usr.sbin/httpd/src/os/os2/os.c
+++ b/usr.sbin/httpd/src/os/os2/os.c
@@ -7,8 +7,10 @@
 #define INCL_DOS
 #include <os2.h>
 #include <stdio.h>
+#include <string.h>
 
 static int rc=0;
+static char errorstr[20];
 
 void ap_os_dso_init(void)
 {
@@ -18,7 +20,6 @@ void ap_os_dso_init(void)
 
 ap_os_dso_handle_t ap_os_dso_load(const char *module_name)
 {
-    char errorstr[200];
     HMODULE handle;
 
     rc = DosLoadModule(errorstr, sizeof(errorstr), module_name, &handle);
@@ -54,5 +55,9 @@ void *ap_os_dso_sym(ap_os_dso_handle_t handle, const char *funcname)
 
 const char *ap_os_dso_error(void)
 {
-    return ap_os_error_message(rc);
+    static char message[200];
+    strcpy(message, ap_os_error_message(rc));
+    strcat(message, " for module ");
+    strcat(message, errorstr);
+    return message;
 }
diff --git a/usr.sbin/httpd/src/os/os390/ebcdic.c b/usr.sbin/httpd/src/os/os390/ebcdic.c
new file mode 100644
index 00000000000..02ae9db3e8a
--- /dev/null
+++ b/usr.sbin/httpd/src/os/os390/ebcdic.c
@@ -0,0 +1,173 @@
+/* ====================================================================
+ * Copyright (c) 1998-1999 The Apache Group.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the Apache Group
+ *    for use in the Apache HTTP server project (http://www.apache.org/)."
+ *
+ * 4. The names "Apache Server" and "Apache Group" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    apache@apache.org.
+ *
+ * 5. Products derived from this software may not be called "Apache"
+ *    nor may "Apache" appear in their names without prior written
+ *    permission of the Apache Group.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the Apache Group
+ *    for use in the Apache HTTP server project (http://www.apache.org/)."
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Group and was originally based
+ * on public domain software written at the National Center for
+ * Supercomputing Applications, University of Illinois, Urbana-Champaign.
+ * For more information on the Apache Group and the Apache HTTP server
+ * project, please see <http://www.apache.org/>.
+ *
+ */
+
+
+#ifdef CHARSET_EBCDIC
+#include "ap_config.h"
+#include "ebcdic.h"
+/*
+This code does basic character mapping for IBM's OS/390 Unix
+System Services operating system.  It is a modified version
+of <Martin.Kraemer@Mch.SNI.De>'s code for the BS2000
+(apache/src/os/bs2000/ebcdic.c).
+*/
+
+/*
+Bijective EBCDIC (character set IBM-1047) to US-ASCII table:
+This table is bijective - there are no ambigous or duplicate characters.
+*/
+const unsigned char os_toascii[256] = {
+    0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f, /* 00-0f:           */
+    0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
+    0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97, /* 10-1f:           */
+    0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /* ................ */
+    0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b, /* 20-2f:           */
+    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /* ................ */
+    0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04, /* 30-3f:           */
+    0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /* ................ */
+    0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5, /* 40-4f:           */
+    0xe7, 0xf1, 0xa2, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /*  ...........<(+| */
+    0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef, /* 50-5f:           */
+    0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x5e, /* &.........!$*);^ */
+    0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5, /* 60-6f:           */
+    0xc7, 0xd1, 0xa6, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /* -/.........,%_>? */
+    0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf, /* 70-7f:           */
+    0xcc, 0x60, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /* .........`:#@'=" */
+    0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, /* 80-8f:           */
+    0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /* .abcdefghi...... */
+    0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, /* 90-9f:           */
+    0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /* .jklmnopqr...... */
+    0xb5, 0x7e, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, /* a0-af:           */
+    0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0x5b, 0xde, 0xae, /* .~stuvwxyz...[.. */
+    0xac, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc, /* b0-bf:           */
+    0xbd, 0xbe, 0xdd, 0xa8, 0xaf, 0x5d, 0xb4, 0xd7, /* .............].. */
+    0x7b, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, /* c0-cf:           */
+    0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /* {ABCDEFGHI...... */
+    0x7d, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, /* d0-df:           */
+    0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xf9, 0xfa, 0xff, /* }JKLMNOPQR...... */
+    0x5c, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, /* e0-ef:           */
+    0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /* \.STUVWXYZ...... */
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, /* f0-ff:           */
+    0x38, 0x39, 0xb3, 0xdb, 0xdc, 0xd9, 0xda, 0x9f  /* 0123456789...... */
+};
+
+
+/*
+The US-ASCII to EBCDIC (character set IBM-1047) table:
+This table is bijective (no ambiguous or duplicate characters)
+*/
+const unsigned char os_toebcdic[256] = {
+    0x00, 0x01, 0x02, 0x03, 0x37, 0x2d, 0x2e, 0x2f, /* 00-0f:           */
+    0x16, 0x05, 0x15, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
+    0x10, 0x11, 0x12, 0x13, 0x3c, 0x3d, 0x32, 0x26, /* 10-1f:           */
+    0x18, 0x19, 0x3f, 0x27, 0x1c, 0x1d, 0x1e, 0x1f, /* ................ */
+    0x40, 0x5a, 0x7f, 0x7b, 0x5b, 0x6c, 0x50, 0x7d, /* 20-2f:           */
+    0x4d, 0x5d, 0x5c, 0x4e, 0x6b, 0x60, 0x4b, 0x61, /*  !"#$%&'()*+,-./ */
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, /* 30-3f:           */
+    0xf8, 0xf9, 0x7a, 0x5e, 0x4c, 0x7e, 0x6e, 0x6f, /* 0123456789:;<=>? */
+    0x7c, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, /* 40-4f:           */
+    0xc8, 0xc9, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, /* @ABCDEFGHIJKLMNO */
+    0xd7, 0xd8, 0xd9, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, /* 50-5f:           */
+    0xe7, 0xe8, 0xe9, 0xad, 0xe0, 0xbd, 0x5f, 0x6d, /* PQRSTUVWXYZ[\]^_ */
+    0x79, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 60-6f:           */
+    0x88, 0x89, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, /* `abcdefghijklmno */
+    0x97, 0x98, 0x99, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, /* 70-7f:           */
+    0xa7, 0xa8, 0xa9, 0xc0, 0x4f, 0xd0, 0xa1, 0x07, /* pqrstuvwxyz{|}~. */
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x04, 0x06, 0x08, /* 80-8f:           */
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x09, 0x0a, 0x14, /* ................ */
+    0x30, 0x31, 0x25, 0x33, 0x34, 0x35, 0x36, 0x17, /* 90-9f:           */
+    0x38, 0x39, 0x3a, 0x3b, 0x1a, 0x1b, 0x3e, 0xff, /* ................ */
+    0x41, 0xaa, 0x4a, 0xb1, 0x9f, 0xb2, 0x6a, 0xb5, /* a0-af:           */
+    0xbb, 0xb4, 0x9a, 0x8a, 0xb0, 0xca, 0xaf, 0xbc, /* ................ */
+    0x90, 0x8f, 0xea, 0xfa, 0xbe, 0xa0, 0xb6, 0xb3, /* b0-bf:           */
+    0x9d, 0xda, 0x9b, 0x8b, 0xb7, 0xb8, 0xb9, 0xab, /* ................ */
+    0x64, 0x65, 0x62, 0x66, 0x63, 0x67, 0x9e, 0x68, /* c0-cf:           */
+    0x74, 0x71, 0x72, 0x73, 0x78, 0x75, 0x76, 0x77, /* ................ */
+    0xac, 0x69, 0xed, 0xee, 0xeb, 0xef, 0xec, 0xbf, /* d0-df:           */
+    0x80, 0xfd, 0xfe, 0xfb, 0xfc, 0xba, 0xae, 0x59, /* ................ */
+    0x44, 0x45, 0x42, 0x46, 0x43, 0x47, 0x9c, 0x48, /* e0-ef:           */
+    0x54, 0x51, 0x52, 0x53, 0x58, 0x55, 0x56, 0x57, /* ................ */
+    0x8c, 0x49, 0xcd, 0xce, 0xcb, 0xcf, 0xcc, 0xe1, /* f0-ff:           */
+    0x70, 0xdd, 0xde, 0xdb, 0xdc, 0x8d, 0x8e, 0xdf  /* ................ */
+};
+
+/* Translate a memory block from EBCDIC (host charset) to ASCII (net charset)
+ * dest and srce may be identical, or separate memory blocks, but
+ * should not overlap.
+ */
+void
+ebcdic2ascii(void *dest, const void *srce, size_t count)
+{
+    unsigned char *udest = dest;
+    const unsigned char *usrce = srce;
+    while (count-- != 0) {
+        *udest++ = os_toascii[*usrce++];
+    }
+}
+
+void
+ascii2ebcdic(void *dest, const void *srce, size_t count)
+{
+        unsigned char *udest = dest;
+        const unsigned char *usrce = srce;
+
+        while (count-- != 0) {
+                *udest++ = os_toebcdic[*usrce++];
+    }
+}
+#endif /*CHARSET_EBCDIC*/
+
diff --git a/usr.sbin/httpd/src/os/tpf/TPFExport b/usr.sbin/httpd/src/os/tpf/TPFExport
index 449ebf2f93a..c737f8d0b2f 100644
--- a/usr.sbin/httpd/src/os/tpf/TPFExport
+++ b/usr.sbin/httpd/src/os/tpf/TPFExport
@@ -4,4 +4,6 @@ export _C89_CCMODE=1
 # replace the following with the location of your TPF include files
 export _C89_INCDIRS="/u/tpf41/currentmaint/include /u/tpf41/currentmaint/include/oco" 
 export TPF=YES
+export _C89_INCLIBS=""
+export _C89_CSYSLIB=""
 echo "Done"
diff --git a/usr.sbin/httpd/src/os/tpf/ebcdic.c b/usr.sbin/httpd/src/os/tpf/ebcdic.c
index be029f42597..5207ea88114 100644
--- a/usr.sbin/httpd/src/os/tpf/ebcdic.c
+++ b/usr.sbin/httpd/src/os/tpf/ebcdic.c
@@ -69,53 +69,9 @@ the BS2000 (apache/src/os/bs2000/ebcdic.c).
 Bijective EBCDIC (character set IBM-1047) to US-ASCII table:
 This table is bijective - there are no ambigous or duplicate characters.
 */
-const unsigned char os_toascii_strictly[256] = {
-    0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f, /* 00-0f:           */
-    0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
-    0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97, /* 10-1f:           */
-    0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /* ................ */
-    0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b, /* 20-2f:           */
-    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /* ................ */
-    0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04, /* 30-3f:           */
-    0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /* ................ */
-    0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5, /* 40-4f:           */
-    0xe7, 0xf1, 0xa2, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /*  ...........<(+| */
-    0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef, /* 50-5f:           */
-    0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x5e, /* &.........!$*);^ */
-    0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5, /* 60-6f:           */
-    0xc7, 0xd1, 0xa6, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /* -/.........,%_>? */
-    0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf, /* 70-7f:           */
-    0xcc, 0x60, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /* .........`:#@'=" */
-    0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, /* 80-8f:           */
-    0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /* .abcdefghi...... */
-    0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, /* 90-9f:           */
-    0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /* .jklmnopqr...... */
-    0xb5, 0x7e, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, /* a0-af:           */
-    0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0x5b, 0xde, 0xae, /* .~stuvwxyz...[.. */
-    0xac, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc, /* b0-bf:           */
-    0xbd, 0xbe, 0xdd, 0xa8, 0xaf, 0x5d, 0xb4, 0xd7, /* .............].. */
-    0x7b, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, /* c0-cf:           */
-    0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /* {ABCDEFGHI...... */
-    0x7d, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, /* d0-df:           */
-    0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xf9, 0xfa, 0xff, /* }JKLMNOPQR...... */
-    0x5c, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, /* e0-ef:           */
-    0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /* \.STUVWXYZ...... */
-    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, /* f0-ff:           */
-    0x38, 0x39, 0xb3, 0xdb, 0xdc, 0xd9, 0xda, 0x9f  /* 0123456789...... */
-};
-
-/*
-Server EBCDIC (character set IBM-1047) to US-ASCII table:
-This table is a copy of the os_toascii_strictly bijective table above.
-The only change is that hex 0a (\012 octal) is mapped to hex 0a
-(ASCII's line feed) instead of hex 8e.  This is done because throughout
-Apache, protocol string definitions hardcode the linefeed as \012 (octal):
-"Content-Type: text/plain\015\012".  Without this kludge all protocol
-string definitions would need to be changed from ...\012 to ...\025.
-*/
 const unsigned char os_toascii[256] = {
     0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f, /* 00-0f:           */
-    0x87, 0x8d, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
+    0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
     0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97, /* 10-1f:           */
     0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /* ................ */
     0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b, /* 20-2f:           */
@@ -201,13 +157,6 @@ ebcdic2ascii(void *dest, const void *srce, size_t count)
     }
 }
 void
-ebcdic2ascii_strictly(unsigned char *dest, const unsigned char *srce, size_t count)
-{
-    while (count-- != 0) {
-        *dest++ = os_toascii_strictly[*srce++];
-    }
-}
-void
 ascii2ebcdic(void *dest, const void *srce, size_t count)
 {
         unsigned char *udest = dest;
diff --git a/usr.sbin/httpd/src/os/tpf/ebcdic.h b/usr.sbin/httpd/src/os/tpf/ebcdic.h
index e9c4120e1a3..3f2a63f06d0 100644
--- a/usr.sbin/httpd/src/os/tpf/ebcdic.h
+++ b/usr.sbin/httpd/src/os/tpf/ebcdic.h
@@ -3,6 +3,5 @@
 extern const unsigned char os_toascii[256];
 extern const unsigned char os_toebcdic[256];
 void ebcdic2ascii(void *dest, const void *srce, size_t count);
-void ebcdic2ascii_strictly(unsigned char *dest, const unsigned char *srce, size_t count);
 void ascii2ebcdic(void *dest, const void *srce, size_t count);
 
diff --git a/usr.sbin/httpd/src/os/tpf/os.c b/usr.sbin/httpd/src/os/tpf/os.c
index e4682324cd1..d0f1bf9f479 100644
--- a/usr.sbin/httpd/src/os/tpf/os.c
+++ b/usr.sbin/httpd/src/os/tpf/os.c
@@ -66,6 +66,13 @@
 #include "scoreboard.h"
 #include "http_log.h"
 #include "http_conf_globals.h"
+#ifdef __PIPE_
+#include "ipc.h"
+#include "shm.h"
+static TPF_FD_LIST *tpf_fds = NULL;
+#endif
+
+void *tpf_shm_static_ptr = NULL;
 
 static FILE *sock_fp;
 
@@ -168,14 +175,6 @@ char *getpass(const char* prompt)
     return((char *)NULL);
 }
 
-#ifndef __PIPE_
-int pipe(int fildes[2])
-{
-    errno = ENOSYS;
-    return(-1);
-}
-#endif
-  
 /* fork and exec functions are not defined on
    TPF due to the implementation of tpf_fork() */
  
@@ -225,8 +224,6 @@ int ap_tpf_spawn_child(pool *p, int (*func) (void *, child_info *),
    array_header             *env_arr = ap_table_elts ((array_header *) cld->subprocess_env);
    table_entry              *elts = (table_entry *) env_arr->elts;
 
-
-
    if (func) {
       if (result=func(data, NULL)) {
           return 0;                    /* error from child function */
@@ -241,7 +238,6 @@ int ap_tpf_spawn_child(pool *p, int (*func) (void *, child_info *),
       dup2(out_fds[1], STDOUT_FILENO);
    }
 
-
    if (pipe_in) {
       fd_flags_in = fcntl(in_fds[1], F_GETFD);
       fcntl(in_fds[1], F_SETFD, FD_CLOEXEC);
@@ -371,6 +367,8 @@ pid_t os_fork(server_rec *s, int slot)
 
     input_parms.slot = slot;
     input_parms.restart_time = ap_restart_time;
+    input_parms.shm_static_ptr = tpf_shm_static_ptr;
+    input_parms.tpf_fds = tpf_fds;
     fork_input.ebw_data = &input_parms;
     fork_input.program = ap_server_argv0;
     fork_input.prog_type = TPF_FORK_NAME;
@@ -397,11 +395,12 @@ int os_check_server(char *server) {
 
 void os_note_additional_cleanups(pool *p, int sd) {
     char sockfilename[50];
-    /* write the socket to file so that TPF socket device driver will close socket in case
-       we happen to abend. */
+    /* write the socket to file so that TPF socket device driver
+       will close socket in case we happen to abend. */
     sprintf(sockfilename, "/dev/tpf.socket.file/%.8X", sd);
     sock_fp = fopen(sockfilename, "r+");
-    ap_note_cleanups_for_file(p, sock_fp);  /* arrange to close on exec or restart */
+    /* arrange to close on exec or restart */
+    ap_note_cleanups_for_file(p, sock_fp);
     fcntl(sd,F_SETFD,FD_CLOEXEC);
 }
 
@@ -409,6 +408,257 @@ void os_tpf_child(APACHE_TPF_INPUT *input_parms) {
     tpf_child = 1;
     ap_my_generation = input_parms->generation;
     ap_restart_time = input_parms->restart_time;
+    tpf_fds = input_parms->tpf_fds;
+    tpf_shm_static_ptr = input_parms->shm_static_ptr;
+}
+
+#ifndef __PIPE_
+
+int pipe(int fildes[2])
+{
+    errno = ENOSYS;
+    return(-1);
 }
 
+API_EXPORT(piped_log *) ap_open_piped_log(pool *p, const char *program)
 
+{
+    fprintf(stderr, "Pipes not supported on this TPF system\n");
+    exit (1);
+}
+
+#else
+
+void ap_tpf_detach_shared_mem(void *address)
+{
+    if (*((void **)address)) {
+        shmdt(*((void **)address));
+        *((void **)address) = NULL;
+    }
+}
+
+static void *ap_tpf_get_shared_mem(size_t size)
+{
+    key_t shmkey = IPC_PRIVATE;
+    int shmid = -1;
+    void *result;
+
+    if ((shmid = shmget(shmkey, size, IPC_CREAT | SHM_R | SHM_W)) == -1) {
+        perror("shmget failed in ap_tpf_get_shared_mem funciton");
+        exit(1);
+    }
+#define BADSHMAT ((void *)(-1))
+    if ((result = shmat(shmid, 0, 0)) == BADSHMAT) {
+        perror("shmat failed in ap_tpf_get_shared_mem");
+    }
+    if (shmctl(shmid, IPC_RMID, NULL) != 0) {
+        perror("shmctl(IPC_RMID) failed in ap_tpf_get_shared_mem");
+    }
+    if (result == BADSHMAT) {   /* now bailout */
+        exit(1);
+    }
+
+    return result;
+}
+
+int ap_tpf_fd_lookup(enum FILE_TYPE file_type, const char *fname)
+/* lookup a fd in the fd inheritance table */
+{
+    if (tpf_fds) {
+        int i;
+        TPF_FD_ITEM *fd_item = &tpf_fds->first_item;
+
+        for (i = 1; i <= tpf_fds->nbr_of_items; i++, fd_item++) {
+            /* check for an fd with the same type and name */
+            if ((file_type == fd_item->file_type) &&
+                (strcmp(fname, fd_item->fname) == 0) ) {
+                /* we've got a match, check that fd is still open */
+                struct stat stbuf;
+
+                if (fstat(fd_item->fd, &stbuf) == 0) {
+                    return(fd_item->fd);
+                }
+                else {
+                    /* fd is not open - the entire fd table is suspect */
+                    fprintf(stderr, "fstat failed in ap_tpf_fd_lookup "
+                                    "for fd %i (filename/pipe to %s): %s\n",
+                            fd_item->fd, fname, strerror(errno));
+                    ap_tpf_detach_shared_mem(&tpf_fds);
+                    return(-1);
+                }
+            }
+        }
+    }
+    return(-1);
+}
+
+void ap_tpf_add_fd(pool *p, int fd, enum FILE_TYPE file_type, const char *fname)
+/* add a newly opened fd to the fd inheritance table */
+{
+    int fname_size;
+
+    if (tpf_child) {
+        return; /* no kids allowed */
+    }
+    if (tpf_fds == NULL) {
+        /* get shared memory if necssary */
+        tpf_fds = ap_tpf_get_shared_mem((size_t)TPF_FD_LIST_SIZE);
+        if (tpf_fds) {
+            ap_register_cleanup(p, (void *)&tpf_fds,
+                                ap_tpf_detach_shared_mem, ap_null_cleanup);
+            tpf_fds->nbr_of_items = 0;
+            tpf_fds->next_avail_byte = &tpf_fds->first_item;
+            tpf_fds->last_avail_byte = (char *)tpf_fds + TPF_FD_LIST_SIZE;
+        }
+    }
+    /* add fd */
+    if (tpf_fds) {
+        TPF_FD_ITEM *fd_item;
+
+        /* make sure there's room */
+        fname_size = strlen(fname) + 1;
+        if (sizeof(TPF_FD_ITEM) + fname_size >
+            (char *)tpf_fds->last_avail_byte -
+            (char *)tpf_fds->next_avail_byte) {
+            fprintf(stderr, "fd inheritance table out of room, increase "
+                    "TPF_FD_LIST_SIZE in os.h and recompile Apache\n");
+            exit(1);
+        }
+        /* add the new item */
+        fd_item = tpf_fds->next_avail_byte;
+        tpf_fds->next_avail_byte = fd_item + 1;
+        tpf_fds->last_avail_byte
+            = (char *)tpf_fds->last_avail_byte - fname_size;
+        fd_item->fname = tpf_fds->last_avail_byte;
+        strcpy(fd_item->fname, fname);
+        fd_item->fd = fd;
+        fd_item->file_type = file_type;
+        tpf_fds->nbr_of_items++;
+    }
+}
+
+API_EXPORT(piped_log *) ap_open_piped_log(pool *p, const char *program)
+{
+    int log_fd;
+    piped_log *pl;
+
+    /* check fd inheritance table to see if this log is already open */
+    log_fd = ap_tpf_fd_lookup(PIPE_OUT, program);
+    if (log_fd < 0) {
+        /* this is a new log - open it */
+        FILE *dummy;
+        TPF_FORK_CHILD cld;
+        cld.filename = (char *)program;
+        cld.subprocess_env = NULL;
+        cld.prog_type = FORK_NAME;
+
+        if (ap_spawn_child(p, NULL, &cld, kill_after_timeout,
+            &dummy, NULL, NULL)) {
+            log_fd = fileno(dummy);
+            /* add this log to the fd inheritance table */
+            ap_tpf_add_fd(p, log_fd, PIPE_OUT, program);
+        }
+        else {
+            perror("ap_spawn_child");
+            fprintf(stderr, "Couldn't fork child for piped log process\n");
+            exit (1);
+        }
+    }
+
+    pl = ap_palloc(p, sizeof (*pl));
+    pl->p = p;
+    pl->fds[1] = log_fd;
+
+    return pl;
+}
+
+#endif /* __PIPE_ */
+
+/*   The following functions are used for the tpf specific module called
+     mod_tpf_shm_static.  This module is a clone of Apache's mod_mmap_static.
+     Because TPF doesn't support the system call mmap(), it is replaced by
+     shared memory, but uses the mmap directives, etc.   */
+
+union align{
+
+   /* Types which are likely to have the longest RELEVANT alignment
+    * restrictions...     */
+
+   char *cp;
+   void (*f) (void);
+   long l;
+   FILE *fp;
+   double d;
+};
+
+#define CLICK_SZ (sizeof(union align))
+union block_hdr {
+    union align a;
+
+    /* Actual header... */
+
+    struct {
+        char *endp;
+        union block_hdr *next;
+        char *first_avail;
+ #ifdef POOL_DEBUG
+        union block_hdr *global_next;
+        struct pool *owning_pool;
+ #endif
+     } h;
+};
+
+struct pool {
+    union block_hdr *first;
+    union block_hdr *last;
+    struct cleanup *cleanups;
+    struct process_chain *subprocesses;
+    struct pool *sub_pools;
+    struct pool *sub_next;
+    struct pool *sub_prev;
+    struct pool *parent;
+    char *free_first_avail;
+#ifdef ALLOC_USE_MALLOC
+    void *allocation_list;
+#endif
+#ifdef POOL_DEBUG
+    struct pool *joined;
+#endif
+};
+
+#include "alloc.h"
+#define POOL_HDR_CLICKS (1 + ((sizeof(struct pool) - 1) / CLICK_SZ))
+#define POOL_HDR_BYTES (POOL_HDR_CLICKS * CLICK_SZ)
+
+pool * ap_get_shared_mem_pool(size_t size)
+{
+    pool *new_pool;
+    union block_hdr *blok;
+
+    blok = (union block_hdr *) ap_tpf_get_shared_mem(size);
+    /* if shm fails, it will exit  blok will be valid here */
+    memset((char *) blok, '\0', size);
+    blok->h.next = NULL;
+    blok->h.first_avail = (char *) (blok + 1);
+    blok->h.endp = size + blok->h.first_avail;
+    new_pool = (pool *) blok->h.first_avail;
+    blok->h.first_avail += POOL_HDR_BYTES;
+    new_pool->free_first_avail = blok->h.first_avail;
+    new_pool->first = new_pool->last = blok;
+
+    return new_pool;
+}
+
+int ap_check_shm_space(struct pool *a, int size)
+{
+    union block_hdr *blok = a->last;
+    char *first_avail = blok->h.first_avail;
+    char *new_first_avail;
+
+    new_first_avail = first_avail + size;
+    if (new_first_avail <= blok->h.endp) {
+         return (1);
+    }
+    else
+         return (0);
+}
diff --git a/usr.sbin/httpd/src/os/tpf/os.h b/usr.sbin/httpd/src/os/tpf/os.h
index ff653229029..7c04b9cc122 100644
--- a/usr.sbin/httpd/src/os/tpf/os.h
+++ b/usr.sbin/httpd/src/os/tpf/os.h
@@ -3,8 +3,11 @@
 
 #define PLATFORM "TPF"
 
-#ifdef errno
+/* if the compiler defined errno then undefine it
+   and pick up the correct definition from errno.h */
+#if defined(errno) && !defined(__errnoh)
 #undef errno
+#include <errno.h>
 #endif
 
 /*
@@ -69,19 +72,46 @@ typedef struct fd_set {
 
 /* TPF doesn't have, or need, tzset (it is used in mod_expires.c) */
 #define tzset()
+ 
+/* definitions for the file descriptor inheritance table */
+#define TPF_FD_LIST_SIZE 4000
+
+enum FILE_TYPE { PIPE_OUT = 1, PIPE_IN, PIPE_ERR };
+
+typedef struct tpf_fd_item {
+    int            fd;
+    enum FILE_TYPE file_type;
+    char           *fname;
+}TPF_FD_ITEM;
+
+typedef struct tpf_fd_list {
+    void           *next_avail_byte;
+    void           *last_avail_byte;
+    unsigned int   nbr_of_items;
+    TPF_FD_ITEM    first_item;
+}TPF_FD_LIST;
 
 #include <i$netd.h>
-struct apache_input {
-    INETD_SERVER_INPUT  inetd_server;
+typedef struct apache_input {
     void                *scoreboard_heap;   /* scoreboard system heap address */
     int                 scoreboard_fd;      /* scoreboard file descriptor */
     int                 slot;               /* child number */
     int                 generation;         /* server generation number */
     int                 listeners[10];
     time_t              restart_time;
-};
-
-typedef struct apache_input APACHE_TPF_INPUT;
+    TPF_FD_LIST         *tpf_fds;           /* fd inheritance table ptr */
+    void                *shm_static_ptr;    /* shm ptr for static pages */
+}APACHE_TPF_INPUT;
+
+typedef union ebw_area {
+    INETD_SERVER_INPUT parent;
+    APACHE_TPF_INPUT   child;
+}EBW_AREA;
+ 
+extern void *tpf_shm_static_ptr;            /* mod_tpf_shm_static */
+#define TPF_SHM_STATIC_SIZE 200000
+#define MMAP_SEGMENT_SIZE 32767             /* writev can handle 32767 */
+#define _SYS_UIO_H_                         /* writev */
 
 typedef struct tpf_fork_child {
      char  *filename;
diff --git a/usr.sbin/httpd/src/os/tpf/samples/linkdll.jcl b/usr.sbin/httpd/src/os/tpf/samples/linkdll.jcl
index 6bcd17c6b07..b57aa04ad6a 100644
--- a/usr.sbin/httpd/src/os/tpf/samples/linkdll.jcl
+++ b/usr.sbin/httpd/src/os/tpf/samples/linkdll.jcl
@@ -1,88 +1,105 @@
-//APACH JOB MSGLEVEL=(1,1),CLASS=A,MSGCLASS=A

-/*ROUTE PRINT XXXXXX.XXXXXX

-/*ROUTE PUNCH XXXXXX.XXXXXX

-/*NOTIFY XXXXXX.XXXXXX

+//LINKDLL  JOB MSGLEVEL=(1,1),CLASS=G,MSGCLASS=S

+/*ROUTE PRINT <your-id-here>

+/*ROUTE PUNCH <your-id-here>

+/*NOTIFY <your-id-here>

 //CCLE JCLLIB ORDER=(SYS1.CBC.SCBCPRC,SYS1.CEE.SCEEPROC)

 //PRELINK EXEC EDCPL,COND.LKED=(0,NE),

-// PPARM='OMVS,DLLNAME(pppp)',

+// PPARM='OMVS,DLLNAME(CHTA)',

 // LREGSIZ='2048K',

 // LPARM='AMODE=31,RMODE=ANY,LIST,XREF'

-//PLKED.SYSLIB DD DISP=SHR,DSN=FSE0000.DEVP.STUB.OB

-//             DD DISP=SHR,DSN=FSE0000.DEVP.CLIB.OB

-//             DD DISP=SHR,DSN=ACP.CLIB.RLSE46.WEB

-//             DD DISP=SHR,DSN=ACP.STUB.RLSE46.WEB

+//PLKED.SYSLIB DD DISP=SHR,DSN=ACP.STUB.RLSE40

 //             DD DISP=SHR,DSN=ACP.CLIB.RLSE40

-//             DD DISP=SHR,DSN=ACP.STUB.RLSE40

-//PLKED.SYSDEFSD DD DSN=APA0000.DEVP.IMPORTS.DSD(ppppvv),DISP=SHR

-//PLKED.DSD DD DSN=APA0000.DEVP.IMPORTS.DSD,DISP=SHR

-//PLKED.OBJLIB DD DISP=SHR,DSN=FSE0000.DEVP.TEST.OB

-//             DD DISP=SHR,DSN=ACP.OBJ.RLSE46.WEB

-//             DD DISP=SHR,DSN=ACP.OBJ.INTG98.NBS

-//             DD DISP=SHR,DSN=ACP.MAIN.SYST.OBBSS

+//PLKED.OBJLIB DD DISP=SHR,DSN=ACP.MAIN.SYST.OBBSS

 //             DD DISP=SHR,DSN=ACP.DF.MAIN.SYST.OBBSS

 //             DD DISP=SHR,DSN=ACP.OBJ.RLSE40.BSS

-//PLKED.OBJ1   DD PATH='/usr/local/apache/src/ap/ap_cpystrn.o'

-//PLKED.OBJ2   DD PATH='/usr/local/apache/src/ap/ap_execve.o'

-//PLKED.OBJ3   DD PATH='/usr/local/apache/src/ap/ap_signal.o'

-//PLKED.OBJ4   DD PATH='/usr/local/apache/src/ap/ap_slack.o'

-//PLKED.OBJ5   DD PATH='/usr/local/apache/src/ap/ap_snprintf.o'

-//PLKED.OBJ6   DD PATH='/usr/local/apache/src/ap/ap_strings.o'

-//PLKED.OBJ7   DD PATH='/usr/local/apache/src/os/tpf/ebcdic.o'

-//PLKED.OBJ8   DD PATH='/usr/local/apache/src/os/tpf/os.o'

-//PLKED.OBJ9   DD PATH='/usr/local/apache/src/os/tpf/os-inline.o'

-//PLKED.OBJ10  DD PATH='/usr/local/apache/src/regex/regcomp.o'

-//PLKED.OBJ11  DD PATH='/usr/local/apache/src/regex/regerror.o'

-//PLKED.OBJ12  DD PATH='/usr/local/apache/src/regex/regexec.o'

-//PLKED.OBJ13  DD PATH='/usr/local/apache/src/regex/regfree.o'

-//PLKED.OBJ14  DD PATH='/usr/local/apache/src/main/alloc.o'

-//PLKED.OBJ15  DD PATH='/usr/local/apache/src/main/buff.o'

-//PLKED.OBJ16  DD PATH='/usr/local/apache/src/main/fnmatch.o'

-//PLKED.OBJ17  DD PATH='/usr/local/apache/src/main/http_config.o'

-//PLKED.OBJ18  DD PATH='/usr/local/apache/src/main/http_core.o'

-//PLKED.OBJ19  DD PATH='/usr/local/apache/src/main/http_log.o'

-//PLKED.OBJ20  DD PATH='/usr/local/apache/src/main/http_main.o'

-//PLKED.OBJ21  DD PATH='/usr/local/apache/src/main/http_protocol.o'

-//PLKED.OBJ22  DD PATH='/usr/local/apache/src/main/http_request.o'

-//PLKED.OBJ23  DD PATH='/usr/local/apache/src/main/http_vhost.o'

-//PLKED.OBJ24  DD PATH='/usr/local/apache/src/main/md5c.o'

-//PLKED.OBJ25  DD PATH='/usr/local/apache/src/main/rfc1413.o'

-//PLKED.OBJ26  DD PATH='/usr/local/apache/src/main/util.o'

-//PLKED.OBJ27  DD PATH='/usr/local/apache/src/main/util_date.o'

-//PLKED.OBJ28  DD PATH='/usr/local/apache/src/main/util_md5.o'

-//PLKED.OBJ29  DD PATH='/usr/local/apache/src/main/util_script.o'

-//PLKED.OBJ30  DD PATH='/usr/local/apache/src/main/util_uri.o'

-//PLKED.OBJ31  DD PATH='/usr/local/apache/src/modules.o'

-//PLKED.OBJ32  DD PATH='/usr/local/apache/src/buildmark.o'

-//PLKED.OBJ33  DD PATH='/usr/local/apache/src/modules/standard/mod_auto\

+//PLKED.OBJ01  DD PATH='/<your-path-here>/src/ap/ap_base64.o'

+//PLKED.OBJ02  DD PATH='/<your-path-here>/src/ap/ap_checkpass.o'

+//PLKED.OBJ03  DD PATH='/<your-path-here>/src/ap/ap_cpystrn.o'

+//PLKED.OBJ04  DD PATH='/<your-path-here>/src/ap/ap_execve.o'

+//PLKED.OBJ05  DD PATH='/<your-path-here>/src/ap/ap_fnmatch.o'

+//PLKED.OBJ06  DD PATH='/<your-path-here>/src/ap/ap_getpass.o'

+//PLKED.OBJ07  DD PATH='/<your-path-here>/src/ap/ap_md5c.o'

+//PLKED.OBJ08  DD PATH='/<your-path-here>/src/ap/ap_sha1.o'

+//PLKED.OBJ09  DD PATH='/<your-path-here>/src/ap/ap_signal.o'

+//PLKED.OBJ10  DD PATH='/<your-path-here>/src/ap/ap_slack.o'

+//PLKED.OBJ11  DD PATH='/<your-path-here>/src/ap/ap_snprintf.o'

+//PLKED.OBJ12  DD PATH='/<your-path-here>/src/buildmark.o'

+//PLKED.OBJ13  DD PATH='/<your-path-here>/src/main/alloc.o'

+//PLKED.OBJ14  DD PATH='/<your-path-here>/src/main/buff.o'

+//PLKED.OBJ15  DD PATH='/<your-path-here>/src/main/http_config.o'

+//PLKED.OBJ16  DD PATH='/<your-path-here>/src/main/http_core.o'

+//PLKED.OBJ17  DD PATH='/<your-path-here>/src/main/http_log.o'

+//PLKED.OBJ18  DD PATH='/<your-path-here>/src/main/http_main.o'

+//PLKED.OBJ19  DD PATH='/<your-path-here>/src/main/http_protocol.o'

+//PLKED.OBJ20  DD PATH='/<your-path-here>/src/main/http_request.o'

+//PLKED.OBJ21  DD PATH='/<your-path-here>/src/main/http_vhost.o'

+//PLKED.OBJ22  DD PATH='/<your-path-here>/src/main/rfc1413.o'

+//PLKED.OBJ23  DD PATH='/<your-path-here>/src/main/util.o'

+//PLKED.OBJ24  DD PATH='/<your-path-here>/src/main/util_date.o'

+//PLKED.OBJ25  DD PATH='/<your-path-here>/src/main/util_md5.o'

+//PLKED.OBJ26  DD PATH='/<your-path-here>/src/main/util_script.o'

+//PLKED.OBJ27  DD PATH='/<your-path-here>/src/main/util_uri.o'

+//PLKED.OBJ28  DD PATH='/<your-path-here>/src/modules.o'

+//PLKED.OBJ29  DD PATH='/<your-path-here>/src/modules/standard/mod_acce\

+//             ss.o'

+//PLKED.OBJ30  DD PATH='/<your-path-here>/src/modules/standard/mod_acti\

+//             ons.o'

+//PLKED.OBJ31  DD PATH='/<your-path-here>/src/modules/standard/mod_alia\

+//             s.o'

+//PLKED.OBJ32  DD PATH='/<your-path-here>/src/modules/standard/mod_asis\

+//             .o'

+//PLKED.OBJ33  DD PATH='/<your-path-here>/src/modules/standard/mod_auth\

+//             .o'

+//PLKED.OBJ34  DD PATH='/<your-path-here>/src/modules/standard/mod_auto\

 //             index.o'

-//PLKED.OBJ34  DD PATH='/usr/local/apache/src/modules/standard/mod_dir.\

+//PLKED.OBJ35  DD PATH='/<your-path-here>/src/modules/standard/mod_cgi.\

+//             o'

+//PLKED.OBJ36  DD PATH='/<your-path-here>/src/modules/standard/mod_dir.\

+//             o'

+//PLKED.OBJ37  DD PATH='/<your-path-here>/src/modules/standard/mod_env.\

 //             o'

-//PLKED.OBJ35  DD PATH='/usr/local/apache/src/modules/standard/mod_mime\

+//PLKED.OBJ38  DD PATH='/<your-path-here>/src/modules/standard/mod_imap\

 //             .o'

-//PLKED.OBJ36  DD PATH='/usr/local/apache/src/modules/standard/mod_sete\

+//PLKED.OBJ39  DD PATH='/<your-path-here>/src/modules/standard/mod_incl\

+//             ude.o'

+//PLKED.OBJ40  DD PATH='/<your-path-here>/src/modules/standard/mod_log_\

+//             config.o'

+//PLKED.OBJ41  DD PATH='/<your-path-here>/src/modules/standard/mod_mime\

+//             .o'

+//PLKED.OBJ42  DD PATH='/<your-path-here>/src/modules/standard/mod_nego\

+//             tiation.o'

+//PLKED.OBJ43  DD PATH='/<your-path-here>/src/modules/standard/mod_sete\

 //             nvif.o'

-//PLKED.OBJ37  DD PATH='/usr/local/apache/src/modules/standard/mod_alia\

-//             s.o'

-//PLKED.OBJ38  DD PATH='/usr/local/apache/src/modules/standard/mod_acce\

-//             ss.o'

-//PLKED.OBJ39  DD PATH='/usr/local/apache/src/modules/standard/mod_user\

+//PLKED.OBJ44  DD PATH='/<your-path-here>/src/modules/standard/mod_stat\

+//             us.o'

+//PLKED.OBJ45  DD PATH='/<your-path-here>/src/modules/standard/mod_user\

 //             dir.o'

-//PLKED.OBJ40  DD PATH='/usr/local/apache/src/modules/standard/mod_spel\

-//             ing.o'

-//PLKED.OBJ41  DD PATH='/usr/local/apache/src/modules/standard/mod_nego\

-//             tiation.o'

+//PLKED.OBJ46  DD PATH='/<your-path-here>/src/os/tpf/cgetop.o'

+//PLKED.OBJ47  DD PATH='/<your-path-here>/src/os/tpf/ebcdic.o'

+//PLKED.OBJ48  DD PATH='/<your-path-here>/src/os/tpf/os.o'

+//PLKED.OBJ49  DD PATH='/<your-path-here>/src/os/tpf/os-inline.o'

+//PLKED.OBJ50  DD PATH='/<your-path-here>/src/regex/regcomp.o'

+//PLKED.OBJ51  DD PATH='/<your-path-here>/src/regex/regerror.o'

+//PLKED.OBJ52  DD PATH='/<your-path-here>/src/regex/regexec.o'

+//PLKED.OBJ53  DD PATH='/<your-path-here>/src/regex/regfree.o'

+//PLKED.OBJ54  DD PATH='/<your-path-here>/src/lib/expat-lite/hashtable.\

+//             o'

+//PLKED.OBJ55  DD PATH='/<your-path-here>/src/lib/expat-lite/xmlparse.o\

+//             '

+//PLKED.OBJ56  DD PATH='/<your-path-here>/src/lib/expat-lite/xmlrole.o'

+//PLKED.OBJ57  DD PATH='/<your-path-here>/src/lib/expat-lite/xmltok.o'

 //PLKED.SYSIN DD *

  ORDER @@DLMHDR

  INCLUDE OBJLIB(CSTRTD40)

- INCLUDE OBJ1

- INCLUDE OBJ2

- INCLUDE OBJ3

- INCLUDE OBJ4

- INCLUDE OBJ5

- INCLUDE OBJ6

- INCLUDE OBJ7

- INCLUDE OBJ8

- INCLUDE OBJ9

+ INCLUDE OBJ01

+ INCLUDE OBJ02

+ INCLUDE OBJ03

+ INCLUDE OBJ04

+ INCLUDE OBJ05

+ INCLUDE OBJ06

+ INCLUDE OBJ07

+ INCLUDE OBJ08

+ INCLUDE OBJ09

  INCLUDE OBJ10

  INCLUDE OBJ11

  INCLUDE OBJ12

@@ -115,7 +132,24 @@
  INCLUDE OBJ39

  INCLUDE OBJ40

  INCLUDE OBJ41

+ INCLUDE OBJ42

+ INCLUDE OBJ43

+ INCLUDE OBJ44

+ INCLUDE OBJ45

+ INCLUDE OBJ46

+ INCLUDE OBJ47

+ INCLUDE OBJ48

+ INCLUDE OBJ49

+ INCLUDE OBJ50

+ INCLUDE OBJ51

+ INCLUDE OBJ52

+ INCLUDE OBJ53

+ INCLUDE OBJ54

+ INCLUDE OBJ55

+ INCLUDE OBJ56

+ INCLUDE OBJ57

+ INCLUDE OBJLIB(CINET640)

 /*

 //*** WARNING *** NEVER change .LK to .OB in SYSLMOD!!!

-//LKED.SYSLMOD DD DISP=OLD,DSN=xxxxxx.xxxx(ppppvv)

+//LKED.SYSLMOD DD DISP=OLD,DSN=<your-dsn-here>(CHTA<vv>)

 //

diff --git a/usr.sbin/httpd/src/os/tpf/samples/loadset.jcl b/usr.sbin/httpd/src/os/tpf/samples/loadset.jcl
index c0134d4cb82..445f6ccf1e3 100644
--- a/usr.sbin/httpd/src/os/tpf/samples/loadset.jcl
+++ b/usr.sbin/httpd/src/os/tpf/samples/loadset.jcl
@@ -1,31 +1,14 @@
-//OLDRWEB JOB MSGLEVEL=1,CLASS=A,MSGCLASS=S

-//JOBCAT DD DSN=ICFCAT.ESAWK2,DISP=SHR

-/*ROUTE PRINT xxxxxx.xxxxxxx

-/*ROUTE PUNCH xxxxxx.xxxxxxx

-//TLDR   EXEC  PGM=TPFLDRCA,REGION=8M,

+//LOADSET  JOB MSGLEVEL=1,CLASS=G,MSGCLASS=S

+/*ROUTE PRINT <your-id-here>

+/*ROUTE PUNCH <your-id-here>

+//TLDR   EXEC  PGM=TPFLDR40,REGION=8M,

 //             PARM='OLDR,SYS=ACP,CLMSIZE=8000000'

-//STEPLIB  DD  DSN=ACP.LINK.RLSE46.WEB,DISP=SHR

-//         DD  DSN=ACP.LINK.RLSE40.BSS,DISP=SHR

-//         DD  DSN=VIS0000.DEVP.TEST.LK,DISP=SHR

+//STEPLIB  DD  DSN=ACP.LINK.RLSE40.BSS,DISP=SHR

 //         DD  DSN=SYS1.CEE.SCEERUN,DISP=SHR

-//SALTB    DD  DSN=ACP.SALTBL.RLSE46.WEB,DISP=SHR

-//         DD  DSN=ACP.SALTBL.INTG46.WEB,DISP=SHR

-//OBJLIB   DD  DSN=FSE0000.DEVP.TEST.OB,DISP=SHR

-//         DD  DSN=APA0000.DEVP.TEST.OB,DISP=SHR

-//         DD  DSN=ACP.DRVE.TEST.OB,DISP=SHR

-//         DD  DSN=ACP.OBJ.RLSE46.WEB,DISP=SHR

-//         DD  DSN=ACP.OBJ.INTG36.DRV,DISP=SHR

-//         DD  DSN=ACP.OBJ.INTG46.WEB,DISP=SHR

-//         DD  DSN=ACP.OBJ.INTG40.BSS,DISP=SHR

-//LOADMOD  DD  DSN=FSE0000.DEVP.TEST.LK,DISP=SHR

-//         DD  DSN=APA0000.DEVP.TEST.LK,DISP=SHR

-//         DD  DSN=CWEISS.LINK,DISP=SHR

-//         DD  DSN=ACP.DRVE.TEST.LK,DISP=SHR

-//         DD  DSN=ACP.LINK.RLSE46.WEB,DISP=SHR

-//         DD  DSN=ACP.LINK.INTG98.NBS,DISP=SHR

-//         DD  DSN=ACP.LINK.INTG46.WEB,DISP=SHR

-//         DD  DSN=ACP.LINK.INTG36.DRV,DISP=SHR

-//         DD  DSN=ACP.LINK.INTG40.BSS,DISP=SHR

+//SALTB    DD  DSN=ACP.SALTBL.RLSE40.BSS,DISP=SHR

+//OBJLIB   DD  DSN=ACP.OBJ.RLSE40.BSS,DISP=SHR

+//LOADMOD  DD  DSN=<your-dsn-here>,DISP=SHR

+//         DD  DSN=ACP.LINK.RLSE40.BSS,DISP=SHR

 //LOADSUM  DD  DSN=&&LOADSUM,DISP=(NEW,PASS),UNIT=SYSDA,

 //             LRECL=133,SPACE=(TRK,(10,10)),RECFM=FBA

 //CPRTEMP  DD  UNIT=SYSDA,

@@ -48,11 +31,11 @@
 SYSID=BSS

 PATVERS=NONE

 SALVERS=40

-LOADER   LOADSET  lllllll

-LOADER   CALL  PROG ppppvv

+LOADER   LOADSET  HTTPD<vv>

+LOADER   CALL  PROG CHTA<vv>

 /*

 //TRANSMIT EXEC PGM=IKJEFT01,

-//  PARM='TRANSMIT xxxxxx.xxxxxx DDNAME(SYSTSIN) NOLOG NONOTIFY SEQ'

+//  PARM='TRANSMIT <your-id-here> DDNAME(SYSTSIN) NOLOG NONOTIFY SEQ'

 //SYSTSIN  DD  UNIT=SYSDA,

 //             DSN=&&VRDROUT,DISP=(OLD,DELETE)

 //SYSTSPRT DD  DUMMY

diff --git a/usr.sbin/httpd/src/os/unix/os.c b/usr.sbin/httpd/src/os/unix/os.c
index 18a0395da62..aff2a94600d 100644
--- a/usr.sbin/httpd/src/os/unix/os.c
+++ b/usr.sbin/httpd/src/os/unix/os.c
@@ -14,11 +14,14 @@ extern void ap_is_not_here(void);
 void ap_is_not_here(void) {}
 
 /*
- * Insert the DSO emulation code for AIX
+ * Insert the DSO emulation code for AIX for releases of AIX prior
+ * to 4.3. Use the native DSO code for 4.3 and later.
  */
-#ifdef AIX
+#if defined(AIX) && !defined(NO_DL_NEEDED)
+#if AIX < 43
 #include "os-aix-dso.c"
 #endif
+#endif
 
 /*
  *  Abstraction layer for loading
@@ -97,7 +100,7 @@ void ap_os_dso_init(void)
 
 void *ap_os_dso_load(const char *path)
 {
-#if defined(HPUX) || defined(HPUX10)
+#if defined(HPUX) || defined(HPUX10) || defined(HPUX11)
     shl_t handle;
     handle = shl_load(path, BIND_IMMEDIATE|BIND_VERBOSE|BIND_NOSTART, 0L);
     return (void *)handle;
@@ -120,7 +123,7 @@ void *ap_os_dso_load(const char *path)
 
 void ap_os_dso_unload(void *handle)
 {
-#if defined(HPUX) || defined(HPUX10)
+#if defined(HPUX) || defined(HPUX10) || defined(HPUX11)
     shl_unload((shl_t)handle);
 
 #elif defined(HAVE_DYLD)
@@ -135,7 +138,7 @@ void ap_os_dso_unload(void *handle)
 
 void *ap_os_dso_sym(void *handle, const char *symname)
 {
-#if defined(HPUX) || defined(HPUX10)
+#if defined(HPUX) || defined(HPUX10) || defined(HPUX11)
     void *symaddr = NULL;
     int status;
 
@@ -171,7 +174,7 @@ void *ap_os_dso_sym(void *handle, const char *symname)
 
 const char *ap_os_dso_error(void)
 {
-#if defined(HPUX) || defined(HPUX10)
+#if defined(HPUX) || defined(HPUX10) || defined(HPUX11)
     return strerror(errno);
 #elif defined(HAVE_DYLD)
     return NULL;
diff --git a/usr.sbin/httpd/src/os/unix/os.h b/usr.sbin/httpd/src/os/unix/os.h
index 6689dfae5c6..ed32d6abe09 100644
--- a/usr.sbin/httpd/src/os/unix/os.h
+++ b/usr.sbin/httpd/src/os/unix/os.h
@@ -104,11 +104,14 @@ extern int ap_os_is_path_absolute(const char *file);
 #endif
 
 /*
- * Do not use native AIX DSO support
+ * Do not use native AIX DSO support on releases of AIX prior
+ * to 4.3. 
  */
 #ifdef AIX
+#if AIX < 43
 #undef HAVE_DLFCN_H
 #endif
+#endif
 
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
diff --git a/usr.sbin/httpd/src/os/win32/ApacheModuleAuthDigest.dsp b/usr.sbin/httpd/src/os/win32/ApacheModuleAuthDigest.dsp
new file mode 100644
index 00000000000..ea2f015121b
--- /dev/null
+++ b/usr.sbin/httpd/src/os/win32/ApacheModuleAuthDigest.dsp
@@ -0,0 +1,97 @@
+# Microsoft Developer Studio Project File - Name="ApacheModuleAuthDigest" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 5.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=ApacheModuleAuthDigest - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "apachemoduleauthdigest.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "apachemoduleauthdigest.mak"\
+ CFG="ApacheModuleAuthDigest - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "ApacheModuleAuthDigest - Win32 Release" (based on\
+ "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "ApacheModuleAuthDigest - Win32 Debug" (based on\
+ "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "ApacheModuleAuthDigest - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir ".\ApacheModuleAuthDigestD"
+# PROP Intermediate_Dir ".\ApacheModuleAuthDigestD"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "SHARED_MODULE" /YX /FD /c
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /o NUL /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /o NUL /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+# ADD LINK32 ..\..\CoreR\ApacheCore.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+
+!ELSEIF  "$(CFG)" == "ApacheModuleAuthDigest - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir ".\ApacheModuleAuthDigestD"
+# PROP Intermediate_Dir ".\ApacheModuleAuthDigestD"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\..\include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "SHARED_MODULE" /YX /FD /c
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /o NUL /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /o NUL /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 ..\..\CoreD\ApacheCore.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386 /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "ApacheModuleAuthDigest - Win32 Release"
+# Name "ApacheModuleAuthDigest - Win32 Debug"
+# Begin Source File
+
+SOURCE=..\..\modules\experimental\mod_auth_digest.c
+# End Source File
+# End Target
+# End Project
diff --git a/usr.sbin/httpd/src/os/win32/ApacheModuleAuthDigest.mak b/usr.sbin/httpd/src/os/win32/ApacheModuleAuthDigest.mak
new file mode 100644
index 00000000000..67b6434ca21
--- /dev/null
+++ b/usr.sbin/httpd/src/os/win32/ApacheModuleAuthDigest.mak
@@ -0,0 +1,246 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on ApacheModuleAuthDigest.dsp
+!IF "$(CFG)" == ""
+CFG=ApacheModuleAuthDigest - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to ApacheModuleAuthDigest -\
+ Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "ApacheModuleAuthDigest - Win32 Release" && "$(CFG)" !=\
+ "ApacheModuleAuthDigest - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "ApacheModuleAuthDigest.mak"\
+ CFG="ApacheModuleAuthDigest - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "ApacheModuleAuthDigest - Win32 Release" (based on\
+ "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "ApacheModuleAuthDigest - Win32 Debug" (based on\
+ "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "ApacheModuleAuthDigest - Win32 Release"
+
+OUTDIR=.\ApacheModuleAuthDigestD
+INTDIR=.\ApacheModuleAuthDigestD
+# Begin Custom Macros
+OutDir=.\.\ApacheModuleAuthDigestD
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\ApacheModuleAuthDigest.dll"
+
+!ELSE 
+
+ALL : "$(OUTDIR)\ApacheModuleAuthDigest.dll"
+
+!ENDIF 
+
+CLEAN :
+	-@erase "$(INTDIR)\mod_auth_digest.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(OUTDIR)\ApacheModuleAuthDigest.dll"
+	-@erase "$(OUTDIR)\ApacheModuleAuthDigest.exp"
+	-@erase "$(OUTDIR)\ApacheModuleAuthDigest.lib"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "..\..\include" /D "NDEBUG" /D "WIN32" /D\
+ "_WINDOWS" /D "SHARED_MODULE" /Fp"$(INTDIR)\ApacheModuleAuthDigest.pch" /YX\
+ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_OBJS=.\ApacheModuleAuthDigestD/
+CPP_SBRS=.
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /o NUL /win32 
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\ApacheModuleAuthDigest.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=..\..\CoreR\ApacheCore.lib kernel32.lib user32.lib gdi32.lib\
+ winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib\
+ uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll\
+ /incremental:no /pdb:"$(OUTDIR)\ApacheModuleAuthDigest.pdb" /machine:I386\
+ /out:"$(OUTDIR)\ApacheModuleAuthDigest.dll"\
+ /implib:"$(OUTDIR)\ApacheModuleAuthDigest.lib" 
+LINK32_OBJS= \
+	"$(INTDIR)\mod_auth_digest.obj"
+
+"$(OUTDIR)\ApacheModuleAuthDigest.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "ApacheModuleAuthDigest - Win32 Debug"
+
+OUTDIR=.\ApacheModuleAuthDigestD
+INTDIR=.\ApacheModuleAuthDigestD
+# Begin Custom Macros
+OutDir=.\.\ApacheModuleAuthDigestD
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\ApacheModuleAuthDigest.dll"
+
+!ELSE 
+
+ALL : "$(OUTDIR)\ApacheModuleAuthDigest.dll"
+
+!ENDIF 
+
+CLEAN :
+	-@erase "$(INTDIR)\mod_auth_digest.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(INTDIR)\vc50.pdb"
+	-@erase "$(OUTDIR)\ApacheModuleAuthDigest.dll"
+	-@erase "$(OUTDIR)\ApacheModuleAuthDigest.exp"
+	-@erase "$(OUTDIR)\ApacheModuleAuthDigest.ilk"
+	-@erase "$(OUTDIR)\ApacheModuleAuthDigest.lib"
+	-@erase "$(OUTDIR)\ApacheModuleAuthDigest.pdb"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\..\include" /D "_DEBUG" /D\
+ "WIN32" /D "_WINDOWS" /D "SHARED_MODULE"\
+ /Fp"$(INTDIR)\ApacheModuleAuthDigest.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\"\
+ /FD /c 
+CPP_OBJS=.\ApacheModuleAuthDigestD/
+CPP_SBRS=.
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /o NUL /win32 
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\ApacheModuleAuthDigest.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=..\..\CoreD\ApacheCore.lib kernel32.lib user32.lib gdi32.lib\
+ winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib\
+ uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll\
+ /incremental:yes /pdb:"$(OUTDIR)\ApacheModuleAuthDigest.pdb" /debug\
+ /machine:I386 /out:"$(OUTDIR)\ApacheModuleAuthDigest.dll"\
+ /implib:"$(OUTDIR)\ApacheModuleAuthDigest.lib" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\mod_auth_digest.obj"
+
+"$(OUTDIR)\ApacheModuleAuthDigest.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(CFG)" == "ApacheModuleAuthDigest - Win32 Release" || "$(CFG)" ==\
+ "ApacheModuleAuthDigest - Win32 Debug"
+SOURCE=..\..\modules\experimental\mod_auth_digest.c
+DEP_CPP_MOD_A=\
+	"..\..\include\alloc.h"\
+	"..\..\include\ap.h"\
+	"..\..\include\ap_config.h"\
+	"..\..\include\ap_ctype.h"\
+	"..\..\include\ap_md5.h"\
+	"..\..\include\ap_mmn.h"\
+	"..\..\include\ap_sha1.h"\
+	"..\..\include\buff.h"\
+	"..\..\include\hsregex.h"\
+	"..\..\include\http_conf_globals.h"\
+	"..\..\include\http_config.h"\
+	"..\..\include\http_core.h"\
+	"..\..\include\http_log.h"\
+	"..\..\include\http_protocol.h"\
+	"..\..\include\http_request.h"\
+	"..\..\include\httpd.h"\
+	"..\..\include\util_md5.h"\
+	"..\..\include\util_uri.h"\
+	".\os.h"\
+	".\readdir.h"\
+	
+
+"$(INTDIR)\mod_auth_digest.obj" : $(SOURCE) $(DEP_CPP_MOD_A) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+
+!ENDIF 
+
diff --git a/usr.sbin/httpd/src/os/win32/mod_isapi.c b/usr.sbin/httpd/src/os/win32/mod_isapi.c
index fa002708ba5..f5e48a6a7d0 100644
--- a/usr.sbin/httpd/src/os/win32/mod_isapi.c
+++ b/usr.sbin/httpd/src/os/win32/mod_isapi.c
@@ -172,7 +172,7 @@ int isapi_handler (request_rec *r) {
 
     /* Run GetExtensionVersion() */
 
-    if ((*isapi_version)(pVer) != TRUE) {
+    if (!(*isapi_version)(pVer)) {
 	ap_log_rerror(APLOG_MARK, APLOG_ALERT, r,
 		    "ISAPI GetExtensionVersion() failed: %s", r->filename);
 	FreeLibrary(isapi_handle);
diff --git a/usr.sbin/httpd/src/os/win32/os.h b/usr.sbin/httpd/src/os/win32/os.h
index 80ffd7e65e3..18f1a164228 100644
--- a/usr.sbin/httpd/src/os/win32/os.h
+++ b/usr.sbin/httpd/src/os/win32/os.h
@@ -1,6 +1,79 @@
+/* ====================================================================
+ * Copyright (c) 1995-1999 The Apache Group.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the Apache Group
+ *    for use in the Apache HTTP server project (http://www.apache.org/)."
+ *
+ * 4. The names "Apache Server" and "Apache Group" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    apache@apache.org.
+ *
+ * 5. Products derived from this software may not be called "Apache"
+ *    nor may "Apache" appear in their names without prior written
+ *    permission of the Apache Group.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the Apache Group
+ *    for use in the Apache HTTP server project (http://www.apache.org/)."
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Group and was originally based
+ * on public domain software written at the National Center for
+ * Supercomputing Applications, University of Illinois, Urbana-Champaign.
+ * For more information on the Apache Group and the Apache HTTP server
+ * project, please see <http://www.apache.org/>.
+ *
+ */
+
 #ifndef APACHE_OS_H
 #define APACHE_OS_H
 
+/* 
+ * Compile the server including all the Windows NT 4.0 header files by 
+ * default. We still want the server to run on Win95/98 so use 
+ * runtime checks before calling NT specific functions to verify we are 
+ * really running on an NT system.
+ */
+#define _WIN32_WINNT 0x0400
+
+#include <windows.h>
+#include <winsock2.h>
+#include <mswsock.h>
+#include <process.h>
+#include <malloc.h>
+#include <io.h>
+#include <fcntl.h>
+
 #define PLATFORM "Win32"
 
 /*
@@ -18,9 +91,8 @@
 #include <direct.h>
 
 #define STATUS
-/*#define WIN32_LEAN_AND_MEAN Now defined in project files */
 #ifndef STRICT
- #define STRICT
+#define STRICT
 #endif
 #define CASE_BLIND_FILESYSTEM
 #define NO_WRITEV
@@ -28,7 +100,6 @@
 #define NO_USE_SIGACTION
 #define NO_TIMES
 #define NO_GETTIMEOFDAY
-//#define NEED_PROCESS_H    although we do, this is specially handled in ap_config.h
 #define USE_LONGJMP
 #define HAVE_MMAP
 #define USE_MMAP_SCOREBOARD
diff --git a/usr.sbin/httpd/src/os/win32/registry.c b/usr.sbin/httpd/src/os/win32/registry.c
index 23eeb5e4495..025a5f1a7c1 100644
--- a/usr.sbin/httpd/src/os/win32/registry.c
+++ b/usr.sbin/httpd/src/os/win32/registry.c
@@ -38,7 +38,7 @@
 
 #define VENDOR   "Apache Group"
 #define SOFTWARE "Apache"
-#define VERSION  "1.3.9"
+#define VERSION  "1.3.11"
 
 #define REGKEY "SOFTWARE\\" VENDOR "\\" SOFTWARE "\\" VERSION
 
diff --git a/usr.sbin/httpd/src/regex/Makefile.tmpl b/usr.sbin/httpd/src/regex/Makefile.tmpl
index fc0aa5ad953..6ecb4c6ba99 100644
--- a/usr.sbin/httpd/src/regex/Makefile.tmpl
+++ b/usr.sbin/httpd/src/regex/Makefile.tmpl
@@ -66,6 +66,10 @@ regexec.o:	engine.c engine.ih
 regerror.o:	regerror.ih
 debug.o:	debug.ih
 main.o:	main.ih
+ 
+# tester - just compile... do not link
+re-nolink: $(OBJS)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(OBJS) $(LIBS) -c
 
 # tester
 re:	$(OBJS)
diff --git a/usr.sbin/httpd/src/regex/main.c b/usr.sbin/httpd/src/regex/main.c
index 1c4364cae9f..5a9ada8ffd9 100644
--- a/usr.sbin/httpd/src/regex/main.c
+++ b/usr.sbin/httpd/src/regex/main.c
@@ -3,6 +3,9 @@
 #include <sys/types.h>
 #include <assert.h>
 #include <stdlib.h>
+#ifdef TPF
+#include <sysapi.h> /* for tmslc() */
+#endif /* TPF */
 
 #include "hsregex.h"
 #include "main.ih"
@@ -139,6 +142,9 @@ FILE *in;
 	char *bpname = "REG_BADPAT";
 	regex_t re;
 
+#ifdef TPF
+        tmslc(TMSLC_ENABLE, "IBMHIPRI"); /* extend our process' life */
+#endif /* TPF */
 	while (fgets(inbuf, sizeof(inbuf), in) != NULL) {
 		line++;
 		if (inbuf[0] == '#' || inbuf[0] == '\n')
diff --git a/usr.sbin/httpd/src/regex/regcomp.c b/usr.sbin/httpd/src/regex/regcomp.c
index b74d6fc96c1..1e60ca36829 100644
--- a/usr.sbin/httpd/src/regex/regcomp.c
+++ b/usr.sbin/httpd/src/regex/regcomp.c
@@ -100,6 +100,29 @@ int cflags;
 #else
 #	define	GOODFLAGS(f)	((f)&~REG_DUMP)
 #endif
+#ifdef CHARSET_EBCDIC /* Added for Apache by <martin@apache.org> */
+	static int initialized = 0;
+
+	if (!initialized) {
+		unsigned ch, idx = 0;
+		static unsigned char ctlchars_ebcdic[256+1];
+
+		for (ch = 1; ch <= 0xFF; ++ch) {
+			if (ap_iscntrl(ch)) {
+				ctlchars_ebcdic[idx++] = ch;
+			}
+		}
+		ctlchars_ebcdic[idx++] = '\0'; /* redundant */
+
+		for (idx=0; idx < sizeof(cclasses) / sizeof(cclasses[0]); ++idx) {
+			if (strcmp(cclasses[idx].name, "cntrl") == 0) {
+				cclasses[idx].chars = (char *)ctlchars_ebcdic;
+				break;
+			}
+		}
+		initialized = 1;
+	}
+#endif /*CHARSET_EBCDIC*/
 
 	cflags = GOODFLAGS(cflags);
 	if ((cflags&REG_EXTENDED) && (cflags&REG_NOSPEC))
@@ -708,8 +731,22 @@ register cset *cs;
 			finish = start;
 /* xxx what about signed chars here... */
 		REQUIRE(start <= finish, REG_ERANGE);
+#ifndef CHARSET_EBCDIC
 		for (i = start; i <= finish; i++)
 			CHadd(cs, i);
+#else /* Added for Apache by <martin@apache.org> */
+		/* Special provision for character ranges [a-zA-Z], */
+		/* which are non-contiguous in EBCDIC: */
+		if ((ap_isupper(start) && ap_isupper(finish)) ||
+		    (ap_islower(start) && ap_islower(finish))) {
+			for (i = start; i <= finish; i++)
+				if (ap_isalpha(i))
+					CHadd(cs, i);
+		} else {
+			for (i = start; i <= finish; i++)
+				CHadd(cs, i);
+		}
+#endif /*CHARSET_EBCDIC*/
 		break;
 	}
 }
diff --git a/usr.sbin/httpd/src/regex/regex2.h b/usr.sbin/httpd/src/regex/regex2.h
index e79497181a8..d15cb172336 100644
--- a/usr.sbin/httpd/src/regex/regex2.h
+++ b/usr.sbin/httpd/src/regex/regex2.h
@@ -8,7 +8,7 @@
  = #endif
  = #endif
  =
- = #if defined(RHAPSODY)
+ = #if defined(MAC_OS) || defined(MAC_OS_X_SERVER)
  = #define ap_private_extern __private_extern__
  = #else
  = #define ap_private_extern
diff --git a/usr.sbin/httpd/src/support/Makefile.tmpl b/usr.sbin/httpd/src/support/Makefile.tmpl
index 33c13777739..68b69edc8a1 100644
--- a/usr.sbin/httpd/src/support/Makefile.tmpl
+++ b/usr.sbin/httpd/src/support/Makefile.tmpl
@@ -14,19 +14,19 @@ OBJS=htpasswd.o htdigest.o rotatelogs.o logresolve.o ab.o
 all: $(TARGETS)
 
 htpasswd: htpasswd.o
-	$(CC) $(CFLAGS) htpasswd.o -o htpasswd $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -o htpasswd $(LDFLAGS) htpasswd.o $(LIBS)
 
 htdigest: htdigest.o
-	$(CC) $(CFLAGS) htdigest.o -o htdigest $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -o htdigest $(LDFLAGS) htdigest.o $(LIBS)
 
 rotatelogs: rotatelogs.o
-	$(CC) $(CFLAGS) rotatelogs.o -o rotatelogs $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -o rotatelogs $(LDFLAGS) rotatelogs.o $(LIBS)
 
 logresolve: logresolve.o
-	$(CC) $(CFLAGS) logresolve.o -o logresolve $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -o logresolve $(LDFLAGS) logresolve.o $(LIBS)
 
 ab: ab.o
-	$(CC) $(CFLAGS) ab.o -o ab $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -o ab $(LDFLAGS) ab.o $(LIBS)
 
 apxs: apxs.pl
 	sed <apxs.pl >apxs \
@@ -39,7 +39,7 @@ apxs: apxs.pl
 	    -e 's%@LIBS_SHLIB@%$(LIBS_SHLIB)%g' && chmod a+x apxs
 
 suexec: suexec.o
-	$(CC) $(CFLAGS) suexec.o -o suexec $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -o suexec $(LDFLAGS) suexec.o $(LIBS)
 
 clean:
 	rm -f $(TARGETS) *.o
diff --git a/usr.sbin/httpd/src/support/ab.8 b/usr.sbin/httpd/src/support/ab.8
index 871c457797a..eb9829e9d66 100644
--- a/usr.sbin/httpd/src/support/ab.8
+++ b/usr.sbin/httpd/src/support/ab.8
@@ -1,5 +1,4 @@
-.TH ab 1 "March 1998"
-.\" $Id: ab.8,v 1.1 1999/09/29 06:30:07 beck Exp $
+.TH ab 1 "October 1999"
 .\" Copyright (c) 1998-1999 The Apache Group. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -59,6 +58,8 @@ ab \- Apache HTTP server benchmarking tool
 [
 .B \-k
 ] [
+.B \-i
+] [
 .BI \-n " requests"
 ] [
 .BI \-t " timelimit"
@@ -102,108 +103,112 @@ ab \- Apache HTTP server benchmarking tool
 .PP
 .SH DESCRIPTION
 .B ab
-is a tool for benchmarking your Apache HyperText Transfer Protocol (HTTP)
-server. It is designed to give you an impression on how performant is your
-current Apache installation.  This especially shows you how much requests per
-time your Apache installation is capable to serve. 
+is a tool for benchmarking the performance of your Apache HyperText Transfer
+Protocol (HTTP) server.  It does this by giving you an indication of how
+many requests per second your Apache installation can serve.
 .PP
 .SH OPTIONS
 .TP 12
 .B \-k 
-Enable the HTTP KeepAlive feature, i.e. perform multiple requests within one
-HTTP session instead. Default is no KeepAlive.
+Enable the HTTP KeepAlive feature; that is, perform multiple requests
+within one HTTP session. Default is no KeepAlive.
+.TP 12
+.B \-i
+Use an HTTP 'HEAD' instead of the GET method. Cannot be mixed with POST.
 .TP 12
 .BI \-n " requests"
-Number of requests to perform for the benchmarking session.  The default is to
-just perform one single request which usually leads to not very representative
-benchmarking results.
+The number of requests to perform for the benchmarking session.  The
+default is to perform just one single request, which will not give
+representative benchmarking results.
 .TP 12
 .BI \-t " timelimit"
-Seconds to max. spend for benchmarking. This implies
-a 
-.B \-n 
-.B 50000
-internally. Use this to benchmark the server within a fixed total amount of
-time.  Per default there is no timelimit. 
+The number of seconds to spend benchmarking. Using this option automatically
+set the number of requests for the benchmarking session to 50000.
+Use this to benchmark the server for a fixed period of time.  By
+default, there is no timelimit. 
 .TP 12
 .BI \-c " concurrency"
-Number of multiple requests per time to perform. 
-Default is one request per time.
+The number of simultaneous requests to perform. The default is to
+perform one HTTP request at at time, that is, no concurrency.
 
 .TP 12
 .BI \-p " POST file"
-File containing data to POST.
+A file containing data that the program will send to the Apache server in
+any HTTP POST requests.
 
 .TP 12
 .BI \-A " Authorization username:password"
-Supply BASIC Authentification credentials to the server. The username
-and password are separated by a single ':' and send on the wire uuencoded.
-The string is send regardless of wether the server needs it; (i.e. has
-send an 401. Authentifcation needed).
+Supply Basic Authentication credentials to the server. The username
+and password are separated by a single ':', and sent as uuencoded data.
+The string is sent regardless of whether the server needs it; that is,
+has sent a 401 Authentication needed.
 
 .TP 12
 .BI \-p " Proxy-Authorization username:password"
-Supply BASIC Authentification credentials to a proxy en-route. The username
-and password are separated by a single ':' and send on the wire uuencoded.
-The string is send regardless of wether the proxy needs it; (i.e. has
-send an 407 Proxy authentifcation needed).
+Supply Basic Authentication credentials to a proxy en-route. The username
+and password are separated by a single ':', and sent as uuencoded data.
+The string is sent regardless of whether the proxy needs it; that is,
+has sent a 407 Proxy authentication needed.
 
 .TP 12
 .BI \-C " Cookie name=value"
-Add a 'Cookie:' line to the request. The argument is typically in the form
-of a 'name=value' pair. This field is repeatable.
+Add a 'Cookie:' line to the request. The argument is typically
+a 'name=value' pair. This option may be repeated.
 
 .TP 12
 .BI \-p " Header string"
-Postfix extra headers to the request. The argument is typically in the form
-of a valid header line; containing a colon separated field value pair. (i.e. 
-'Accept-Encoding: zip/zop;8bit').
+Append extra headers to the request. The argument is typically in the form
+of a valid header line, usually a colon separated field value pair, for
+example, 'Accept-Encoding: zip/zop;8bit'.
 
 .TP 12
 .BI \-T " content-type"
-Content-type header to use for POST data.
+The content-type header to use for POST data.
 
 .TP 12
 .B \-v 
-Set verbosity level - 4 and above prints information on headers, 3 and
-above prints response codes (404, 200, etc.), 2 and above prints
-warnings and info.
+Sets the verbosity level.  Level 4 and above prints information on headers,
+level 3 and above prints response codes (for example, 404, 200), and level 2
+and above prints warnings and informational messages.
 
 .TP 12
 .BI \-w
-Print out results in HTML tables.  Default table is two columns wide,
+Print out results in HTML tables.  The default table is two columns wide,
 with a white background.
 .TP 12
 .BI \-x " attributes"
-String to use as attributes for <table>.  Attributes are inserted
+The string to use as attributes for <table>.  Attributes are inserted
 <table 
 .B here
 >
 .TP 12
 .BI \-y " attributes"
-String to use as attributes for <tr>.
+The string to use as attributes for <tr>.
 .TP 12
 .BI \-z " attributes"
-String to use as attributes for <td>.
+The string to use as attributes for <td>.
 .TP 12
 .B \-V
-Display version number and exit.
+Display the version number and exit.
 .TP 12
 .B \-h 
 Display usage information.
 .PD
 .SH BUGS
 There are various statically declared buffers of fixed length. Combined
-with the lazy parsing of the command line arguments, the response headers
-from the server and other external inputs this might bite you.
+with inefficient parsing of the command line arguments, the response headers
+from the server, and other external inputs, these buffers might overflow.
 .P
-It does not implement HTTP/1.x fully; only accepts some 'expected' forms
-of responses. The rather heavy use of 
+.B Ab
+does not implement HTTP/1.x fully; instead, it only accepts
+some 'expected' forms of responses.
+.P
+The rather heavy use of 
 .BR strstr(3)
-shows up top in profile,
-which might indicate a performance problem; i.e. you would measure the
-.BR ab
-performance rather than the server's.
+by the program may skew performance results, since it uses significant
+CPU resources.  Make sure that performance limits are not hit by
+.B ab
+before your server's limit is reached.
 
 .SH SEE ALSO
 .BR httpd(8)
diff --git a/usr.sbin/httpd/src/support/ab.c b/usr.sbin/httpd/src/support/ab.c
index 0d968b247a2..e1abd8dae91 100644
--- a/usr.sbin/httpd/src/support/ab.c
+++ b/usr.sbin/httpd/src/support/ab.c
@@ -97,7 +97,7 @@
  *   only an issue for loopback usage
  */
 
-#define VERSION "1.3a"
+#define VERSION "1.3c"
 
 /*  -------------------------------------------------------------------- */
 
@@ -128,7 +128,9 @@
 #include "ebcdic.h"
 #endif
 #include <fcntl.h>
+#ifndef MPE
 #include <sys/time.h>
+#endif
 
 #ifndef NO_WRITEV
 #include <sys/types.h>
@@ -224,6 +226,16 @@ struct data *stats;		/* date for each request */
 fd_set readbits, writebits;	/* bits for select */
 struct sockaddr_in server;	/* server addr structure */
 
+#ifndef BEOS
+#define ab_close(s) close(s)
+#define ab_read(a,b,c) read(a,b,c)
+#define ab_write(a,b,c) write(a,b,c)
+#else
+#define ab_close(s) closesocket(s)
+#define ab_read(a,b,c) recv(a,b,c,0)
+#define ab_write(a,b,c) send(a,b,c,0)
+#endif
+
 /* --------------------------------------------------------- */
 
 /* simple little function to perror and exit */
@@ -254,7 +266,7 @@ static void write_request(struct connection * c)
     out[0].iov_base = request;
     out[0].iov_len = reqlen;
 
-    if (posting) {
+    if (posting>0) {
 	out[1].iov_base = postdata;
 	out[1].iov_len = postlen;
 	outcnt = 2;
@@ -262,9 +274,9 @@ static void write_request(struct connection * c)
     }
     writev(c->fd,out, outcnt);
 #else
-    write(c->fd,request,reqlen);
-    if (posting) {
-        write(c->fd,postdata,postlen);
+    ab_write(c->fd,request,reqlen);
+    if (posting>0) {
+        ab_write(c->fd,postdata,postlen);
         totalposted += (reqlen + postlen);
     }
 #endif
@@ -281,7 +293,11 @@ static void write_request(struct connection * c)
 static void nonblock(int fd)
 {
     int i = 1;
+#ifdef BEOS
+    setsockopt(fd, SOL_SOCKET, SO_NONBLOCK, &i, sizeof(i));
+#else
     ioctl(fd, FIONBIO, &i);
+#endif
 }
 
 /* --------------------------------------------------------- */
@@ -331,7 +347,7 @@ static void output_results(void)
     if (keepalive)
 	printf("Keep-Alive requests:    %d\n", doneka);
     printf("Total transferred:      %d bytes\n", totalread);
-    if (posting)
+    if (posting>0)
 	printf("Total POSTed:           %d\n", totalposted);
     printf("HTML transferred:       %d bytes\n", totalbread);
 
@@ -340,7 +356,7 @@ static void output_results(void)
 	printf("Requests per second:    %.2f\n", 1000 * (float) (done) / timetaken);
 	printf("Transfer rate:          %.2f kb/s received\n",
 	       (float) (totalread) / timetaken);
-	if (posting) {
+	if (posting>0) {
 	    printf("                        %.2f kb/s sent\n",
 		   (float) (totalposted) / timetaken);
 	    printf("                        %.2f kb/s total\n",
@@ -429,7 +445,7 @@ static void output_html_results(void)
     printf("<tr %s><th colspan=2 %s>Total transferred:</th>"
 	   "<td colspan=2 %s>%d bytes</td></tr>\n",
 	   trstring, tdstring, tdstring, totalread);
-    if (posting)
+    if (posting>0)
 	printf("<tr %s><th colspan=2 %s>Total POSTed:</th>"
 	       "<td colspan=2 %s>%d</td></tr>\n",
 	       trstring, tdstring, tdstring, totalposted);
@@ -445,7 +461,7 @@ static void output_html_results(void)
 	printf("<tr %s><th colspan=2 %s>Transfer rate:</th>"
 	       "<td colspan=2 %s>%.2f kb/s received</td></tr>\n",
 	     trstring, tdstring, tdstring, (float) (totalread) / timetaken);
-	if (posting) {
+	if (posting>0) {
 	    printf("<tr %s><td colspan=2 %s>&nbsp;</td>"
 		   "<td colspan=2 %s>%.2f kb/s sent</td></tr>\n",
 		   trstring, tdstring, tdstring,
@@ -526,7 +542,7 @@ static void start_connect(struct connection * c)
 	    return;
 	}
 	else {
-	    close(c->fd);
+	    ab_close(c->fd);
 	    err_conn++;
 	    if (bad++ > 10) {
 		err("\nTest aborted after 10 failures\n\n");
@@ -536,7 +552,8 @@ static void start_connect(struct connection * c)
     }
 
     /* connected first time */
-    write_request(c);
+    c->state = STATE_CONNECTING;
+    FD_SET(c->fd, &writebits);
 }
 
 /* --------------------------------------------------------- */
@@ -570,7 +587,7 @@ static void close_connection(struct connection * c)
 	}
     }
 
-    close(c->fd);
+    ab_close(c->fd);
     FD_CLR(c->fd, &readbits);
     FD_CLR(c->fd, &writebits);
 
@@ -589,7 +606,8 @@ static void read_connection(struct connection * c)
     char *part;
     char respcode[4];		/* 3 digits and null */
 
-    r = read(c->fd, buffer, sizeof(buffer));
+    r = ab_read(c->fd, buffer, sizeof(buffer));
+
     if (r == 0 || (r < 0 && errno != EAGAIN)) {
 	good++;
 	close_connection(c);
@@ -635,7 +653,7 @@ static void read_connection(struct connection * c)
 		return;
 	    else {
 		/* header is in invalid or too big - close connection */
-		close(c->fd);
+		ab_close(c->fd);
 		if (bad++ > 10) {
 		    err("\nTest aborted after 10 failures\n\n");
 		}
@@ -703,7 +721,8 @@ static void read_connection(struct connection * c)
 	totalbread += r;
     }
 
-    if (c->keepalive && (c->bread >= c->length)) {
+    /* cater for the case where we're using keepalives and doing HEAD requests */
+    if (c->keepalive && ((c->bread >= c->length) || (posting < 0))) {
 	/* finished a keep-alive connection */
 	good++;
 	doneka++;
@@ -769,13 +788,14 @@ static void test(void)
     FD_ZERO(&writebits);
 
     /* setup request */
-    if (!posting) {
-	sprintf(request, "GET %s HTTP/1.0\r\n"
+    if (posting <= 0) {
+	sprintf(request, "%s %s HTTP/1.0\r\n"
 		"User-Agent: ApacheBench/%s\r\n"
 		"%s" "%s" "%s"
 		"Host: %s\r\n"
 		"Accept: */*\r\n"
-		"\r\n" "%s",
+		"%s" "\r\n",
+		(posting == 0) ? "GET" : "HEAD",
 		path,
 		VERSION,
 		keepalive ? "Connection: Keep-Alive\r\n" : "",
@@ -864,14 +884,14 @@ static void test(void)
 static void copyright(void)
 {
     if (!use_html) {
-	printf("This is ApacheBench, Version %s\n", VERSION);
+	printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.4 $> apache-1.3");
 	printf("Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n");
 	printf("Copyright (c) 1998-1999 The Apache Group, http://www.apache.org/\n");
 	printf("\n");
     }
     else {
 	printf("<p>\n");
-	printf(" This is ApacheBench, Version %s<br>\n", VERSION);
+	printf(" This is ApacheBench, Version %s <i>&lt;%s&gt;</i> apache-1.3<br>\n", VERSION, "$Revision: 1.4 $");
 	printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n");
 	printf(" Copyright (c) 1998-1999 The Apache Group, http://www.apache.org/<br>\n");
 	printf("</p>\n<p>\n");
@@ -890,6 +910,7 @@ static void usage(char *progname)
     fprintf(stderr, "    -T content-type Content-type header for POSTing\n");
     fprintf(stderr, "    -v verbosity    How much troubleshooting info to print\n");
     fprintf(stderr, "    -w              Print out results in HTML tables\n");
+    fprintf(stderr, "    -i              Use HEAD instead of GET\n");
     fprintf(stderr, "    -x attributes   String to insert as table attributes\n");
     fprintf(stderr, "    -y attributes   String to insert as tr attributes\n");
     fprintf(stderr, "    -z attributes   String to insert as td or th attributes\n");
@@ -983,7 +1004,7 @@ int main(int argc, char **argv)
     auth[0] = '\0';
     hdrs[0] = '\0';
     optind = 1;
-    while ((c = getopt(argc, argv, "n:c:t:T:p:v:kVhwx:y:z:C:H:P:A:")) > 0) {
+    while ((c = getopt(argc, argv, "n:c:t:T:p:v:kVhwix:y:z:C:H:P:A:")) > 0) {
 	switch (c) {
 	case 'n':
 	    requests = atoi(optarg);
@@ -997,7 +1018,16 @@ int main(int argc, char **argv)
 	case 'c':
 	    concurrency = atoi(optarg);
 	    break;
+	case 'i':
+	    if (posting==1) 
+		err("Cannot mix POST and HEAD");
+
+	    posting = -1;
+	    break;
 	case 'p':
+	    if (posting!=0) 
+		err("Cannot mix POST and HEAD");
+
 	    if (0 == (r = open_postfile(optarg))) {
 		posting = 1;
 	    }
diff --git a/usr.sbin/httpd/src/support/apxs.8 b/usr.sbin/httpd/src/support/apxs.8
index ee61a37985f..15e5f28199e 100644
--- a/usr.sbin/httpd/src/support/apxs.8
+++ b/usr.sbin/httpd/src/support/apxs.8
@@ -57,21 +57,21 @@ apxs \- APache eXtenSion tool
 .B apxs
 .B \-g
 [
-.BI \-S " name=value
+.BI \-S " variable=value
 ]
-.BI \-n " modname"
+.BI \-n " name"
 
 .B apxs
 .B \-q
 [
-.BI \-S " name=value
+.BI \-S " variable=value
 ]
 .IR query " ..."
 
 .B apxs
 .B \-c
 [
-.BI \-S " name=value
+.BI \-S " variable=value
 ]
 [
 .BI \-o " dsofile"
@@ -80,7 +80,7 @@ apxs \- APache eXtenSion tool
 .BI \-I " incdir"
 ]
 [
-.BI \-D " name=value"
+.BI \-D " variable[=value]"
 ]
 [
 .BI \-L " libdir"
@@ -99,10 +99,10 @@ apxs \- APache eXtenSion tool
 .B apxs
 .B \-i
 [
-.BI \-S " name=value
+.BI \-S " variable=value
 ]
 [
-.BI \-n " modname"
+.BI \-n " name"
 ]
 [
 .B \-a
@@ -115,10 +115,10 @@ apxs \- APache eXtenSion tool
 .B apxs
 .B \-e
 [
-.BI \-S " name=value
+.BI \-S " variable=value
 ]
 [
-.BI \-n " modname"
+.BI \-n " name"
 ]
 [
 .B \-a
@@ -132,7 +132,7 @@ apxs \- APache eXtenSion tool
 .B apxs
 is a tool for building and installing extension modules for the Apache
 HyperText Transfer Protocol (HTTP) server. This is achieved by building a
-dynamic shared object (DSO) from one or more source or object
+Dynamic Shared Object (DSO) from one or more source or object
 .I files
 which then can be loaded into
 the Apache server under runtime via the
@@ -140,7 +140,7 @@ the Apache server under runtime via the
 directive from
 .BR mod_so.
 
-So to use this extension mechanism your platform has
+So to use this extension mechanism, your platform has
 to support the DSO feature and your
 Apache
 .B httpd
@@ -159,7 +159,7 @@ You can check this yourself by manually running the command
 The module
 .B mod_so
 should be part of the displayed list.
-If these requirements are fulfilled you can easily extend
+If these requirements are fulfilled, you can easily extend
 your Apache server's functionality by installing your own
 modules with the DSO mechanism by the help of this
 .B apxs
@@ -184,31 +184,28 @@ The arguments
 can be any C source file (.c), a object file (.o) or
 even a library archive (.a). The
 .B apxs
-tool automatically recognizes these extensions and automtaically used the C
-source files for compilation while just using the object and archive files for
-the linking phase. But when using such pre-compiled objects make sure they are
-compiled for position independend code (PIC) to be able to use them for a
-dynamically loaded shared object.
-For instance with GCC you always just have to use
+tool automatically recognizes these extensions and automatically uses the C
+source files for compilation while it just uses the object and archive files for
+the linking phase. But when using such pre-compiled objects, make sure they are
+compiled for Position Independend Code (PIC) to be able to use them for a
+DSO. For instance with GCC you always just have to use
 .BR -fpic .
 For other
-C compilers consult its manual
-page or at watch for the flags
+C compilers please consult its manual
+page or watch for the flags
 .B apxs
 uses to compile the object files.
 
-For more details about DSO support in Apache read the documentation
+For more details about DSO support in Apache, first read the background
+information about DSO in htdocs/manual/dso.html, then read the documentation
 of
-.B mod_so
-or perhaps even read the
-.B src/modules/standard/mod_so.c
-source file.
+.BR mod_so .
 
 .PP
 .SH OPTIONS
 Common options:
 .TP 12
-.BI \-n " modname"
+.BI \-n " name"
 This explicitly sets the module name for the
 .B \-i
 (install)
@@ -231,14 +228,14 @@ Performs a query for
 .BR apxs 's
 knowledge about certain settings. The
 .I query
-parameters can be one or more of the following strings:
+parameters can be one or more of the following variable names:
 .nf
   CC              TARGET
   CFLAGS          SBINDIR    
   CFLAGS_SHLIB    INCLUDEDIR 
   LD_SHLIB        LIBEXECDIR 
   LDFLAGS_SHLIB   SYSCONFDIR 
-  LIBS_SHLIB
+  LIBS_SHLIB      PREFIX
 .fi
 Use this for manually determining settings. For instance use
 .nf
@@ -249,8 +246,10 @@ to Apache's C header files.
 .PP
 Configuration options:
 .TP 12
-.BI \-S " name=value"
-This option changes the apxs settings described above.
+.BI \-S " variable=value"
+This option changes the 
+.B apxs 
+settings described above.
 .PP
 Template Generation options:
 .TP 12
@@ -262,10 +261,12 @@ This generates a subdirectory
 and there two files: A sample module source file named
 .BI mod_ name.c
 which can be used as a template for creating your own modules or
-as a quick start for playing with the APXS mechanism.
+as a quick start for playing with the 
+.B apxs
+mechanism.
 And a corresponding
 .B Makefile
-for even easier build and installing of this module.
+for even easier building and installing of this module.
 .PP
 DSO compilation options:
 .TP 12
@@ -273,7 +274,7 @@ DSO compilation options:
 This indicates the compilation operation. It first compiles the C source
 files (.c) of
 .I files
-into corresponding object files (.o) and then builds a dynamically shared object in
+into corresponding object files (.o) and then builds a DSO in
 .I dsofile
 by linking these object files plus the remaining
 object files (.o and .a) of
@@ -287,14 +288,14 @@ and thus usually defaults to
 .BI mod_ name.so
 .TP 12
 .BI \-o " dsofile"
-Explicitly specifies the filename of the created dynamically shared object. If
+Explicitly specifies the filename of the created DSO file. If
 not specified and the name cannot be guessed from the
 .I files
 list, the fallback name
 .B mod_unknown.so
 is used.
 .TP 12
-.BI \-D " name=value"
+.BI \-D " variable[=value]"
 This option is directly passed through to the compilation command(s).
 Use this to add your own defines to the build process.
 .TP 12
@@ -326,7 +327,7 @@ DSO installation and configuration options:
 .TP 12
 .B \-i
 This indicates the installation operation and installs one or more
-dynamically shared objects into the
+DSOs into the
 server's
 .I libexec
 directory.
@@ -360,7 +361,7 @@ configuration file without attempting to install the module.
 .SH EXAMPLES
 Assume you have an Apache module named mod_foo.c available which should extend
 Apache's server functionality. To accomplish this you first have to compile
-the C source into a shared object suitable for loading into the Apache server
+the C source into a DSO suitable for loading into the Apache server
 under runtime via the following command:
 
 .nf
@@ -372,10 +373,10 @@ under runtime via the following command:
 
 Then you have to update the Apache configuration by making sure a
 .B LoadModule
-directive is present to load this shared object. To simplify this
+directive is present to load this DSO. To simplify this
 step
 .B apxs
-provides an automatic way to install the shared object in its
+provides an automatic way to install the DSO in the
 "libexec" directory and updating the
 .B httpd.conf
 file accordingly. This can be achieved by running:
@@ -395,7 +396,7 @@ This way a line named
 .fi
 
 is added to the configuration file if still not present.
-If you want to have this disabled per default use the
+If you want to have this operation to be disabled, use the
 .B \-A
 option, i.e.
 
@@ -403,8 +404,12 @@ option, i.e.
   $ apxs -i -A mod_foo.c
 .fi
 
-For a quick test of the APXS mechanism you can create a sample Apache module
-template plus a corresponding Makefile via:
+For a quick test of the 
+.B apxs
+mechanism you can create a sample Apache module
+template plus a corresponding 
+.B Makefile 
+via:
 
 .nf
   $ apxs -g -n foo
@@ -414,7 +419,7 @@ template plus a corresponding Makefile via:
   $ _
 .fi
 
-Then you can immediately compile this sample module into a shared object and
+Then you can immediately compile this sample module into a DSO and
 load it into the Apache server:
 
 .nf
@@ -436,7 +441,9 @@ load it into the Apache server:
 
 You can even use
 .B apxs
-to compile complex modules outside the Apache source tree, like PHP3:
+to compile complex modules outside the Apache source tree, like PHP3, because
+.B apxs 
+automatically recognized C source files and object files.  
 
 .nf
   $ cd php3
@@ -447,10 +454,8 @@ to compile complex modules outside the Apache source tree, like PHP3:
   $ _
 .fi
 
-because
-.B apxs
-automatically recognized C source files and object files.  Only C source files
-are compiled while remaining object files are used for the linking phase.
+Only C source files are compiled while remaining object files are used for the
+linking phase.
 
 .PD
 .SH SEE ALSO
diff --git a/usr.sbin/httpd/src/support/apxs.pl b/usr.sbin/httpd/src/support/apxs.pl
index c9c5ea85ef5..a39b9fd15bf 100644
--- a/usr.sbin/httpd/src/support/apxs.pl
+++ b/usr.sbin/httpd/src/support/apxs.pl
@@ -68,18 +68,18 @@ package apxs;
 ##  Configuration
 ##
 
-my $CFG_TARGET        = '@TARGET@';            # substituted via Makefile.tmpl 
-my $CFG_CC            = '@CC@';                # substituted via Makefile.tmpl
-my $CFG_CFLAGS        = '@CFLAGS@';            # substituted via Makefile.tmpl
-my $CFG_CFLAGS_SHLIB  = '@CFLAGS_SHLIB@';      # substituted via Makefile.tmpl
-my $CFG_LD_SHLIB      = '@LD_SHLIB@';          # substituted via Makefile.tmpl
-my $CFG_LDFLAGS_SHLIB = '@LDFLAGS_MOD_SHLIB@'; # substituted via Makefile.tmpl 
-my $CFG_LIBS_SHLIB    = '@LIBS_SHLIB@';        # substituted via Makefile.tmpl 
-my $CFG_PREFIX        = '@prefix@';            # substituted via APACI install
-my $CFG_SBINDIR       = '@sbindir@';           # substituted via APACI install
-my $CFG_INCLUDEDIR    = '@includedir@';        # substituted via APACI install
-my $CFG_LIBEXECDIR    = '@libexecdir@';        # substituted via APACI install
-my $CFG_SYSCONFDIR    = '@sysconfdir@';        # substituted via APACI install
+my $CFG_TARGET        = q(@TARGET@);            # substituted via Makefile.tmpl 
+my $CFG_CC            = q(@CC@);                # substituted via Makefile.tmpl
+my $CFG_CFLAGS        = q(@CFLAGS@);            # substituted via Makefile.tmpl
+my $CFG_CFLAGS_SHLIB  = q(@CFLAGS_SHLIB@);      # substituted via Makefile.tmpl
+my $CFG_LD_SHLIB      = q(@LD_SHLIB@);          # substituted via Makefile.tmpl
+my $CFG_LDFLAGS_SHLIB = q(@LDFLAGS_MOD_SHLIB@); # substituted via Makefile.tmpl 
+my $CFG_LIBS_SHLIB    = q(@LIBS_SHLIB@);        # substituted via Makefile.tmpl 
+my $CFG_PREFIX        = q(@prefix@);            # substituted via APACI install
+my $CFG_SBINDIR       = q(@sbindir@);           # substituted via APACI install
+my $CFG_INCLUDEDIR    = q(@includedir@);        # substituted via APACI install
+my $CFG_LIBEXECDIR    = q(@libexecdir@);        # substituted via APACI install
+my $CFG_SYSCONFDIR    = q(@sysconfdir@);        # substituted via APACI install
 
 ##
 ##  Cleanup the above stuff
@@ -89,21 +89,6 @@ $CFG_CFLAGS =~ s|\s+$||;
 $CFG_CFLAGS =~ s|\s+`.+apaci`||;
 
 ##
-##  Initial shared object support check
-##
-if (not -x "$CFG_SBINDIR/$CFG_TARGET") {
-	print STDERR "apxs:Error: $CFG_SBINDIR/$CFG_TARGET not found or not executable\n";
-	exit(1);
-}
-if (not grep(/mod_so/, `$CFG_SBINDIR/$CFG_TARGET -l`)) {
-    print STDERR "apxs:Error: Sorry, no shared object support for Apache\n";
-    print STDERR "apxs:Error: available under your platform. Make sure\n";
-    print STDERR "apxs:Error: the Apache module mod_so is compiled into\n";
-    print STDERR "apxs:Error: your server binary `$CFG_SBINDIR/$CFG_TARGET'.\n";
-    exit(1);
-}
-
-##
 ##  parse argument line
 ##
 
@@ -142,10 +127,10 @@ sub Getopts {
             last;
         }
         $pos = index($argumentative,$first);
-        if($pos >= $[) {
-            if($args[$pos+1] eq ':') {
+        if ($pos >= $[) {
+            if ($args[$pos+1] eq ':') {
                 shift(@ARGV);
-                if($rest eq '') {
+                if ($rest eq '') {
                     unless (@ARGV) {
                         print STDERR "apxs:Error: Incomplete option: $first (needs an argument)\n";
                         ++$errs;
@@ -156,7 +141,7 @@ sub Getopts {
             }
             elsif ($args[$pos+1] eq '+') {
                 shift(@ARGV);
-                if($rest eq '') {
+                if ($rest eq '') {
                     unless (@ARGV) {
                         print STDERR "apxs:Error: Incomplete option: $first (needs an argument)\n";
                         ++$errs;
@@ -167,7 +152,7 @@ sub Getopts {
             }
             else {
                 eval "\$opt_$first = 1";
-                if($rest eq '') {
+                if ($rest eq '') {
                     shift(@ARGV);
                 }
                 else {
@@ -178,7 +163,7 @@ sub Getopts {
         else {
             print STDERR "apxs:Error: Unknown option: $first\n";
             ++$errs;
-            if($rest ne '') {
+            if ($rest ne '') {
                 $ARGV[0] = "-$rest";
             }
             else {
@@ -212,28 +197,41 @@ my @args = @ARGV;
 my $name = 'unknown';
 $name = $opt_n if ($opt_n ne '');
 
+#   overriding of configuration variables
 if (@opt_S) {
     my ($opt_S);
     foreach $opt_S (@opt_S) {
-	if ($opt_S =~ m/^([^=]+)=(.*)$/) {
-	    my ($var) = $1;
-	    my ($val) = $2;
-	    my $oldval = eval "\$CFG_$var";
-
-	    unless ($var and $oldval) {
-		print STDERR "apxs:Error: no config variable $var\n";
-		&usage;
-	    }
-
-	    eval "\$CFG_${var}=\"${val}\"";
-	} else {
-	    print STDERR "apxs:Error: malformatted -S option\n";
-	    &usage;
-	}	
+        if ($opt_S =~ m/^([^=]+)=(.*)$/) {
+            my ($var, $val) = ($1, $2);
+            my $oldval = eval "\$CFG_$var";
+            unless ($var and $oldval) {
+                print STDERR "apxs:Error: no config variable $var\n";
+                &usage;
+            }
+            eval "\$CFG_${var}=\"${val}\"";
+        } else {
+            print STDERR "apxs:Error: malformatted -S option\n";
+            &usage;
+        }       
     }
 }
 
 ##
+##  Initial DSO support check
+##
+if (not -x "$CFG_SBINDIR/$CFG_TARGET") {
+    print STDERR "apxs:Error: $CFG_SBINDIR/$CFG_TARGET not found or not executable\n";
+    exit(1);
+}
+if (not grep(/mod_so/, `$CFG_SBINDIR/$CFG_TARGET -l`)) {
+    print STDERR "apxs:Error: Sorry, no DSO support for Apache available\n";
+    print STDERR "apxs:Error: under your platform. Make sure the Apache\n";
+    print STDERR "apxs:Error: module mod_so is compiled into your server\n";
+    print STDERR "apxs:Error: binary `$CFG_SBINDIR/$CFG_TARGET'.\n";
+    exit(1);
+}
+
+##
 ##  Operation
 ##
 
@@ -259,7 +257,7 @@ if ($opt_g) {
     ##
 
     if (-d $name) {
-        print STDERR "apxs:Error: Directory `$name' already exists. Remove first\n";
+        print STDERR "apxs:Error: Directory `$name' already exists. Remove it first\n";
         exit(1);
     }
 
@@ -283,7 +281,6 @@ if ($opt_g) {
     exit(0);
 }
 
-
 if ($opt_q) {
     ##
     ##  QUERY INFORMATION 
@@ -316,7 +313,7 @@ if ($opt_q) {
 
 if ($opt_c) {
     ##
-    ##  SHARED OBJECT COMPILATION
+    ##  DSO COMPILATION
     ##
 
     #   split files into sources and objects
@@ -369,6 +366,7 @@ if ($opt_c) {
     foreach $s (@srcs) {
         my $o = $s;
         $o =~ s|\.c$|.o|;
+        $o =~ s|^.*/||;
         push(@cmds, "$CFG_CC $cflags -I$CFG_INCLUDEDIR $opt -c $s");
         unshift(@objs, $o);
     }
@@ -382,11 +380,11 @@ if ($opt_c) {
     $opt = '';
     my ($opt_Wl, $opt_L, $opt_l);
     foreach $opt_Wl (@opt_W) {
-		if($CFG_LD_SHLIB ne "gcc") {
-	        $opt .= " $1" if ($opt_Wl =~ m|^\s*l,(.*)$|);
-		} else {
-	        $opt .= " -W$opt_Wl";
-		}
+        if ($CFG_LD_SHLIB !~ m/gcc$/) {
+            $opt .= " $1" if ($opt_Wl =~ m|^\s*l,(.*)$|);
+        } else {
+            $opt .= " -W$opt_Wl";
+        }
     }
     foreach $opt_L (@opt_L) {
         $opt .= " -L$opt_L";
@@ -403,13 +401,13 @@ if ($opt_c) {
 
     #   allow one-step compilation and installation
     if ($opt_i or $opt_e) {
-        @args = ( $dso_file );
+        @args = ($dso_file);
     }
 }
 
 if ($opt_i or $opt_e) {
     ##
-    ##  SHARED OBJECT INSTALLATION
+    ##  DSO INSTALLATION
     ##
 
     #   determine installation commands
@@ -420,14 +418,14 @@ if ($opt_i or $opt_e) {
     my $f;
     foreach $f (@args) {
         if ($f !~ m|\.so$|) {
-            print STDERR "apxs:Error: file $f is not a shared object\n";
+            print STDERR "apxs:Error: file $f is not a DSO\n";
             exit(1);
         }
         my $t = $f;
         $t =~ s|^.+/([^/]+)$|$1|;
         if ($opt_i) {
-	    push(@cmds, "cp $f $CFG_LIBEXECDIR/$t");
-	    push(@cmds, "chmod 755 $CFG_LIBEXECDIR/$t");
+            push(@cmds, "cp $f $CFG_LIBEXECDIR/$t");
+            push(@cmds, "chmod 755 $CFG_LIBEXECDIR/$t");
         }
 
         #   determine module symbolname and filename
@@ -454,8 +452,8 @@ if ($opt_i or $opt_e) {
                 }
             }
             if ($name eq '') {
-                print "apxs:Error: Sorry, cannot determine bootstrap symbol name\n";
-                print "apxs:Error: Please specify one with option `-n'\n";
+                print STDERR "apxs:Error: Sorry, cannot determine bootstrap symbol name.\n";
+                print STDERR "apxs:Error: Please specify one with option `-n'.\n";
                 exit(1);
             }
         }
@@ -475,7 +473,7 @@ if ($opt_i or $opt_e) {
     #   activate module via LoadModule/AddModule directive
     if ($opt_a or $opt_A) {
         if (not -f "$CFG_SYSCONFDIR/$CFG_TARGET.conf") {
-            print "apxs:Error: Config file $CFG_SYSCONFDIR/$CFG_TARGET.conf not found\n";
+            print STDERR "apxs:Error: Config file $CFG_SYSCONFDIR/$CFG_TARGET.conf not found\n";
             exit(1);
         }
 
@@ -511,12 +509,15 @@ if ($opt_i or $opt_e) {
             }
         }
         if (@lmd or @amd) {
-            open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new") || die;
-            print FP $content;
-            close(FP);
-            system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " .
-                   "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .
-                   "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new");
+            if (open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) {
+                print FP $content;
+                close(FP);
+                system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " .
+                       "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .
+                       "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new");
+            } else {
+                print STDERR "apxs:Error: unable to open configuration file\n";
+            }
         }
     }
 }
@@ -532,7 +533,7 @@ __DATA__
 APXS=apxs
 APACHECTL=apachectl
 
-#   additional defines, includes and libraries
+#   additional user defines, includes and libraries
 #DEF=-Dmy_define=my_value
 #INC=-Imy/include/dir
 #LIB=-Lmy/lib/dir -lmylib
@@ -540,11 +541,12 @@ APACHECTL=apachectl
 #   the default target
 all: mod_%NAME%.so
 
-#   compile the shared object file
+#   compile the DSO file
 mod_%NAME%.so: mod_%NAME%.c
 	$(APXS) -c $(DEF) $(INC) $(LIB) mod_%NAME%.c
 
-#   install the shared object file into Apache 
+#   install the DSO file into the Apache installation
+#   and activate it in the Apache configuration
 install: all
 	$(APXS) -i -a -n '%NAME%' mod_%NAME%.so
 
@@ -556,12 +558,10 @@ clean:
 test: reload
 	lynx -mime_header http://localhost/%NAME%
 
-#   install and activate shared object by reloading Apache to
-#   force a reload of the shared object file
+#   reload the module by installing and restarting Apache
 reload: install restart
 
-#   the general Apache start/restart/stop
-#   procedures
+#   the general Apache start/restart/stop procedures
 start:
 	$(APACHECTL) start
 restart:
@@ -574,14 +574,14 @@ stop:
 **  mod_%NAME%.c -- Apache sample %NAME% module
 **  [Autogenerated via ``apxs -n %NAME% -g'']
 **
-**  To play with this sample module first compile it into a
+**  To play with this sample module, first compile it into a
 **  DSO file and install it into Apache's libexec directory 
 **  by running:
 **
 **    $ apxs -c -i mod_%NAME%.c
 **
-**  Then activate it in Apache's %TARGET%.conf file for instance
-**  for the URL /%NAME% in as follows:
+**  Then activate it in Apache's %TARGET%.conf file, for instance
+**  for the URL /%NAME%, as follows:
 **
 **    #   %TARGET%.conf
 **    LoadModule %NAME%_module libexec/mod_%NAME%.so
diff --git a/usr.sbin/httpd/src/support/dbmmanage b/usr.sbin/httpd/src/support/dbmmanage
index 721bdd1eb37..d176d85748e 100644
--- a/usr.sbin/httpd/src/support/dbmmanage
+++ b/usr.sbin/httpd/src/support/dbmmanage
@@ -91,7 +91,7 @@ my @range = ();
 my($mode, $flags) = $command =~ 
     /^(?:view|check)$/ ? (0644, O_RDONLY) : (0644, O_RDWR|O_CREAT);
 
-tie %DB, "AnyDBM_File", $file, $flags, $mode || die "Can't tie $file: $!";
+tie (%DB, "AnyDBM_File", $file, $flags, $mode) || die "Can't tie $file: $!";
 dbmc->$command();
 untie %DB;
 
diff --git a/usr.sbin/httpd/src/support/htdigest.c b/usr.sbin/httpd/src/support/htdigest.c
index d1fc41800fd..6d42bbd4134 100644
--- a/usr.sbin/httpd/src/support/htdigest.c
+++ b/usr.sbin/httpd/src/support/htdigest.c
@@ -67,10 +67,12 @@
  */
 
 #include "ap_config.h"
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include "ap.h"
 #include "ap_md5.h"
-#if defined(MPE) || defined(QNX) || defined(WIN32) || defined(__TANDEM)
+#if defined(MPE) || defined(QNX) || defined(WIN32) || defined(__TANDEM) || defined(OS390)
 #include <signal.h>
 #else
 #include <sys/signal.h>
@@ -93,6 +95,7 @@
 
 char *tn;
 
+
 static void getword(char *word, char *line, char stop)
 {
     int x = 0, y;
@@ -189,6 +192,18 @@ static void interrupted(void)
     exit(1);
 }
 
+
+#ifdef NETWARE
+static void copy_file(FILE *target, FILE *source)
+{
+    static char line[MAX_STRING_LEN];
+
+    while (!(getline(line, MAX_STRING_LEN, source))) {  
+	putline(target, line);
+    }
+}
+#endif
+
 int main(int argc, char *argv[])
 {
     FILE *tfp, *f;
@@ -257,15 +272,29 @@ int main(int argc, char *argv[])
     if (!found) {
 	printf("Adding user %s in realm %s\n", user, realm);
 	add_password(user, realm, tfp);
-    }
+    }   
     fclose(f);
     fclose(tfp);
+#ifndef NETWARE
 #if defined(OS2) || defined(WIN32)
     sprintf(command, "copy \"%s\" \"%s\"", tn, argv[1]);
 #else
     sprintf(command, "cp %s %s", tn, argv[1]);
 #endif
     system(command);
+#else
+    if (!(tfp = fopen(tn, "r"))) {
+    fprintf(stderr, "Could not open temp file.\n");
+    exit(1);
+    }
+    
+    if (!(f = fopen(argv[1], "w"))) {
+    fprintf(stderr, "Could not open %s.\n", argv[1]);    
+    exit(1);    
+    }
+    
+    copy_file(f, tfp);
+#endif
     unlink(tn);
     return 0;
 }
diff --git a/usr.sbin/httpd/src/support/htdigest.mcp.gz b/usr.sbin/httpd/src/support/htdigest.mcp.gz
new file mode 100644
index 00000000000..a2c23f218af
--- /dev/null
+++ b/usr.sbin/httpd/src/support/htdigest.mcp.gz
diff --git a/usr.sbin/httpd/src/support/htpasswd.c b/usr.sbin/httpd/src/support/htpasswd.c
index 21a24e0c0a3..23d0941ed62 100644
--- a/usr.sbin/httpd/src/support/htpasswd.c
+++ b/usr.sbin/httpd/src/support/htpasswd.c
@@ -79,7 +79,9 @@
  */
 
 #include "ap_config.h"
+#ifndef NETWARE
 #include <sys/types.h>
+#endif
 #include <signal.h>
 #include <errno.h>
 #include "ap.h"
@@ -170,6 +172,10 @@ static int mkrecord(char *user, char *record, size_t rlen, char *passwd,
 	pw = passwd;
     }
     else {
+#ifdef TPF
+        fprintf(stderr, "Invalid entry. The -b option is required on TPF.\n");
+        return usage();
+#else
 	if (ap_getpass("New password: ", pwin, sizeof(pwin)) != 0) {
 	    ap_snprintf(record, (rlen - 1), "password too long (>%d)",
 			sizeof(pwin) - 1);
@@ -182,6 +188,7 @@ static int mkrecord(char *user, char *record, size_t rlen, char *passwd,
 	}
 	pw = pwin;
         memset(pwv, '\0', sizeof(pwin));
+#endif /* TPF */
     }
     switch (alg) {
 
@@ -436,6 +443,11 @@ int main(int argc, char *argv[])
 	alg = ALG_APMD5;
 	fprintf(stderr, "Automatically using MD5 format on Windows.\n");
     }
+#elif defined(TPF)
+    if (alg == ALG_CRYPT) {
+        alg = ALG_APMD5;
+        fprintf(stderr, "Automatically using MD5 format.\n");
+     }
 #endif
 
 #if (!(defined(WIN32) || defined(TPF)))
diff --git a/usr.sbin/httpd/src/support/htpasswd.mcp.gz b/usr.sbin/httpd/src/support/htpasswd.mcp.gz
new file mode 100644
index 00000000000..88d4853bf2d
--- /dev/null
+++ b/usr.sbin/httpd/src/support/htpasswd.mcp.gz
diff --git a/usr.sbin/httpd/src/support/httpd.exp b/usr.sbin/httpd/src/support/httpd.exp
index 083d981a4a3..bcb09e17d8c 100644
--- a/usr.sbin/httpd/src/support/httpd.exp
+++ b/usr.sbin/httpd/src/support/httpd.exp
@@ -1,4 +1,4 @@
-#!
+#! .
 ap_MD5Encode
 ap_MD5Final
 ap_MD5Init
@@ -9,6 +9,7 @@ ap_SHA1Update_binary
 ap_SHA1Update
 ap_add_cgi_vars
 ap_add_common_vars
+ap_add_file_conf
 ap_add_module
 ap_add_named_module
 ap_add_per_dir_conf
@@ -308,6 +309,7 @@ ap_server_root
 ap_server_root_relative
 ap_set_byterange
 ap_set_callback_and_alarm
+ap_set_config_vectors
 ap_set_content_length
 ap_set_etag
 ap_set_file_slot
@@ -344,6 +346,7 @@ ap_sub_req_lookup_uri
 ap_sub_req_method_uri
 ap_suexec_enabled
 ap_sync_scoreboard_image
+ap_sys_siglist
 ap_table_add
 ap_table_addn
 ap_table_do
diff --git a/usr.sbin/httpd/src/support/logresolve.c b/usr.sbin/httpd/src/support/logresolve.c
index bcdc6e51b56..6b4ae6bc277 100644
--- a/usr.sbin/httpd/src/support/logresolve.c
+++ b/usr.sbin/httpd/src/support/logresolve.c
@@ -1,7 +1,7 @@
 /*
  * logresolve 1.1
  *
- * Tom Rathborne - tomr@uunet.ca - http://www.uunet.ca/~tomr/
+ * Tom Rathborne - tomr@aceldama.com - http://www.aceldama.com/~tomr/
  * UUNET Canada, April 16, 1995
  *
  * Rewritten by David Robinson. (drtr@ast.cam.ac.uk)
diff --git a/usr.sbin/httpd/src/support/mkcert.sh b/usr.sbin/httpd/src/support/mkcert.sh
index 0008ddc702e..5c5ca5d9053 100644
--- a/usr.sbin/httpd/src/support/mkcert.sh
+++ b/usr.sbin/httpd/src/support/mkcert.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 ##
 ##  mkcert.sh -- Make SSL Certificate Files for `make certificate' command
-##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved. 
+##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved. 
 ##
 
 #   parameters
@@ -53,7 +53,7 @@ esac
 
 #   display header
 echo "${T_MD}SSL Certificate Generation Utility${T_ME} (mkcert.sh)"
-echo "Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved."
+echo "Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved."
 
 #   on request view certificates only
 if [ ".$view" != . ]; then
@@ -63,7 +63,7 @@ if [ ".$view" != . ]; then
         echo "______________________________________________________________________"
         $openssl x509 -noout -text -in $sslcrtdir/ca.crt
         echo ""
-        if [ ".`$openssl x509 -noout -text -in $sslcrtdir/ca.crt | grep "Signature Algorithm" | grep -i RSA`" != . ]; then
+        if [ ".`$openssl x509 -noout -text -in $sslcrtdir/ca.crt | grep 'Signature Algorithm' | grep -i RSA`" != . ]; then
             echo "${T_MD}CA RSA Private Key${T_ME} [ca.key]"
             echo "______________________________________________________________________"
             $openssl rsa -noout -text -in $sslkeydir/ca.key
@@ -79,7 +79,7 @@ if [ ".$view" != . ]; then
         echo "______________________________________________________________________"
         $openssl x509 -noout -text -in $sslcrtdir/server.crt
         echo ""
-        if [ ".`$openssl x509 -noout -text -in $sslcrtdir/server.crt | grep "Signature Algorithm" | grep -i RSA`" != . ]; then
+        if [ ".`$openssl x509 -noout -text -in $sslcrtdir/server.crt | grep 'Signature Algorithm' | grep -i RSA`" != . ]; then
             echo "${T_MD}Server RSA Private Key${T_ME} [server.key]"
             echo "______________________________________________________________________"
             $openssl rsa -noout -text -in $sslkeydir/server.key
@@ -145,6 +145,7 @@ case $type in
             cp $sslcrtdir/snakeoil-dsa.crt $sslcrtdir/server.crt
             cp $sslkeydir/snakeoil-dsa.key $sslkeydir/server.key
         fi
+        chmod 600 $sslkeydir/server.key
         echo "${T_MD}RESULT: Server Certification Files${T_ME}"
         echo ""
         echo "o  ${T_MD}conf/ssl.key/server.key${T_ME}"
@@ -190,6 +191,15 @@ case $type in
                 fi
             done
         fi
+        if [ ".$algo" = ".DSA" ]; then
+            echo ""
+            echo "${T_MD}WARNING!${T_ME} You're generating a DSA based certificate/key pair."
+            echo "         This implies that RSA based ciphers won't be available later,"
+            echo "         which for your web server currently still means that mostly all"
+            echo "         popular web browsers cannot connect to it. At least not until"
+            echo "         you also generate an additional RSA based certificate/key pair"
+            echo "         and configure them in parallel."
+        fi
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}"
@@ -218,6 +228,7 @@ case $type in
                 exit 1
             fi
         fi
+        chmod 600 $sslkeydir/server.key
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}"
@@ -254,6 +265,12 @@ EOT
             exit 1
         fi
         rm -f .mkcert.cfg
+        prompt="8. Certificate Validity     (days)          [365]:"
+        echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
+        read days
+        if [ ".$days" = . ]; then
+            days=365
+        fi
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]${T_ME}"
@@ -275,7 +292,7 @@ EOT
         fi
         if [ ".$algo" = .RSA ]; then
             $openssl x509 $extfile \
-                          -days 365 \
+                          -days $days \
                           -CAserial .mkcert.serial \
                           -CA $sslcrtdir/snakeoil-ca-rsa.crt \
                           -CAkey $sslkeydir/snakeoil-ca-rsa.key \
@@ -283,7 +300,7 @@ EOT
                           -out $sslcrtdir/server.crt
         else
             $openssl x509 $extfile \
-                          -days 365 \
+                          -days $days \
                           -CAserial .mkcert.serial \
                           -CA $sslcrtdir/snakeoil-ca-dsa.crt \
                           -CAkey $sslkeydir/snakeoil-ca-dsa.key \
@@ -350,6 +367,7 @@ EOT
             fi
             cp $sslkeydir/server.key.crypt $sslkeydir/server.key
             rm -f $sslkeydir/server.key.crypt
+            chmod 600 $sslkeydir/server.key
             echo "Fine, you're using an encrypted $algo private key."
         else
             echo "Warning, you're using an unencrypted $algo private key."
@@ -408,6 +426,15 @@ EOT
                 fi
             done
         fi
+        if [ ".$algo" = ".DSA" ]; then
+            echo ""
+            echo "${T_MD}WARNING!${T_ME} You're generating DSA based certificate/key pairs."
+            echo "         This implies that RSA based ciphers won't be available later,"
+            echo "         which for your web server currently still means that mostly all"
+            echo "         popular web browsers cannot connect to it. At least not until"
+            echo "         you also generate an additional RSA based certificate/key pair"
+            echo "         and configure them in parallel."
+        fi
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}"
@@ -439,6 +466,7 @@ EOT
                 exit 1
             fi
         fi
+        chmod 600 $sslkeydir/ca.key
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}"
@@ -475,6 +503,12 @@ EOT
             exit 1
         fi
         rm -f .mkcert.cfg
+        prompt="8. Certificate Validity     (days)          [365]:"
+        echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
+        read days
+        if [ ".$days" = . ]; then
+            days=365
+        fi
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]${T_ME}"
@@ -493,7 +527,7 @@ nsCertType       = sslCA
 EOT
         fi
         $openssl x509 $extfile \
-                      -days 365 \
+                      -days $days \
                       -signkey $sslkeydir/ca.key \
                       -in      $sslcsrdir/ca.csr -req \
                       -out     $sslcrtdir/ca.crt
@@ -546,6 +580,7 @@ EOT
                 exit 1
             fi
         fi
+        chmod 600 $sslkeydir/server.key
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}"
@@ -582,6 +617,12 @@ EOT
             exit 1
         fi
         rm -f .mkcert.cfg
+        prompt="8. Certificate Validity     (days)          [365]:"
+        echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
+        read days
+        if [ ".$days" = . ]; then
+            days=365
+        fi
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 6: Generating X.509 certificate signed by own CA [server.crt]${T_ME}"
@@ -602,7 +643,7 @@ EOT
             echo '01' >.mkcert.serial
         fi
         $openssl x509 $extfile \
-                      -days 365 \
+                      -days $days \
                       -CAserial .mkcert.serial \
                       -CA    $sslcrtdir/ca.crt \
                       -CAkey $sslkeydir/ca.key \
@@ -664,6 +705,7 @@ EOT
             fi
             cp $sslkeydir/ca.key.crypt $sslkeydir/ca.key
             rm -f $sslkeydir/ca.key.crypt
+            chmod 600 $sslkeydir/ca.key
             echo "Fine, you're using an encrypted private key."
         else
             echo "Warning, you're using an unencrypted private key."
@@ -703,6 +745,7 @@ EOT
             fi
             cp $sslkeydir/server.key.crypt $sslkeydir/server.key
             rm -f $sslkeydir/server.key.crypt
+            chmod 600 $sslkeydir/server.key
             echo "Fine, you're using an encrypted $algo private key."
         else
             echo "Warning, you're using an unencrypted $algo private key."
@@ -770,6 +813,7 @@ EOT
             sed -e '/-----BEGIN ... PRIVATE KEY/,/-----END ... PRIVATE KEY/p' -e '/.*/d' \
                 <$key >$sslkeydir/server.key
         fi
+        chmod 600 $sslkeydir/server.key
         $openssl x509 -noout -in $sslcrtdir/server.crt
         if [ $? -ne 0 ]; then
             echo "mkcert.sh:Error: Failed to check certificate contents: $crt" 1>&2
diff --git a/usr.sbin/httpd/src/support/suexec.8 b/usr.sbin/httpd/src/support/suexec.8
index 410d450f2f4..801d7abce91 100644
--- a/usr.sbin/httpd/src/support/suexec.8
+++ b/usr.sbin/httpd/src/support/suexec.8
@@ -64,13 +64,6 @@ It is run from within Apache automatically to switch the user when
 an external program has to be run under a different user. For more
 information about suEXEC see the document `Apache suEXEC Support'
 under http://www.apache.org/docs/suexec.html .
-.PP
-.SH BUGS
-.B suexec
-is not installed setuid root by default on OpenBSD. In order to use
-apache with suexec, you will need to permit this file setuid root. 
-Be very careful in doing so. improper use of suexec can have severe
-security implications.
 .PD
 .SH SEE ALSO
 .BR httpd(8)
diff --git a/usr.sbin/httpd/src/support/suexec.c b/usr.sbin/httpd/src/support/suexec.c
index 2ab326321f7..2cf6a0ebc57 100644
--- a/usr.sbin/httpd/src/support/suexec.c
+++ b/usr.sbin/httpd/src/support/suexec.c
@@ -69,6 +69,18 @@
  ***********************************************************************
  *
  *
+ * Error messages in the suexec logfile are prefixed with severity values
+ * similar to those used by the main server:
+ *
+ *  Sev     Meaning
+ * emerg:  Failure of some basic system function
+ * alert:  Bug in the way Apache is communicating with suexec
+ * crit:   Basic information is missing, invalid, or incorrect
+ * error:  Script permission/configuration error
+ * warn:   
+ * notice: Some issue of which the sysadmin/webmaster ought to be aware
+ * info:   Normal activity message
+ * debug:  Self-explanatory
  */
 
 #include "ap_config.h"
@@ -206,7 +218,7 @@ static void clean_env(void)
 
 
     if ((cleanenv = (char **) calloc(AP_ENVBUF, sizeof(char *))) == NULL) {
-        log_err("failed to malloc memory for environment\n");
+        log_err("emerg: failed to malloc memory for environment\n");
 	exit(120);
     }
 
@@ -267,7 +279,7 @@ int main(int argc, char *argv[])
      */
     prog = argv[0];
     if (argc < 4) {
-	log_err("too few arguments\n");
+	log_err("alert: too few arguments\n");
 	exit(101);
     }
     target_uname = argv[1];
@@ -280,7 +292,7 @@ int main(int argc, char *argv[])
      */
     uid = getuid();
     if ((pw = getpwuid(uid)) == NULL) {
-	log_err("invalid uid: (%ld)\n", uid);
+	log_err("crit: invalid uid: (%ld)\n", uid);
 	exit(102);
     }
 
@@ -292,15 +304,17 @@ int main(int argc, char *argv[])
 #ifdef _OSD_POSIX
     /* User name comparisons are case insensitive on BS2000/OSD */
     if (strcasecmp(HTTPD_USER, pw->pw_name)) {
-        log_err("user mismatch (%s instead of %s)\n", pw->pw_name, HTTPD_USER);
+        log_err("crit: calling user mismatch (%s instead of %s)\n",
+		pw->pw_name, HTTPD_USER);
 	exit(103);
     }
-#else  /*_OSD_POSIX*/
+#else  /* _OSD_POSIX */
     if (strcmp(HTTPD_USER, pw->pw_name)) {
-        log_err("user mismatch (%s instead of %s)\n", pw->pw_name, HTTPD_USER);
+        log_err("crit: calling user mismatch (%s instead of %s)\n",
+		pw->pw_name, HTTPD_USER);
 	exit(103);
     }
-#endif /*_OSD_POSIX*/
+#endif /* _OSD_POSIX */
 
     /*
      * Check for a leading '/' (absolute path) in the command to be executed,
@@ -310,7 +324,7 @@ int main(int argc, char *argv[])
      */
     if ((cmd[0] == '/') || (!strncmp(cmd, "../", 3))
 	|| (strstr(cmd, "/../") != NULL)) {
-        log_err("invalid command (%s)\n", cmd);
+        log_err("error: invalid command (%s)\n", cmd);
 	exit(104);
     }
 
@@ -328,7 +342,7 @@ int main(int argc, char *argv[])
      * Error out if the target username is invalid.
      */
     if ((pw = getpwnam(target_uname)) == NULL) {
-	log_err("invalid target user name: (%s)\n", target_uname);
+	log_err("crit: invalid target user name: (%s)\n", target_uname);
 	exit(105);
     }
 
@@ -337,7 +351,7 @@ int main(int argc, char *argv[])
      */
     if (strspn(target_gname, "1234567890") != strlen(target_gname)) {
 	if ((gr = getgrnam(target_gname)) == NULL) {
-	    log_err("invalid target group name: (%s)\n", target_gname);
+	    log_err("crit: invalid target group name: (%s)\n", target_gname);
 	    exit(106);
 	}
 	gid = gr->gr_gid;
@@ -359,7 +373,8 @@ int main(int argc, char *argv[])
 	switch (pid = ufork(target_uname))
 	{
 	case -1:	/* Error */
-	    log_err("failed to setup bs2000 environment for user %s: %s\n",
+	    log_err("emerg: failed to setup bs2000 environment for user "
+		    "%s: %s\n",
 		    target_uname, strerror(errno));
 	    exit(150);
 	case 0:	/* Child */
@@ -368,12 +383,13 @@ int main(int argc, char *argv[])
 	    while (pid != waitpid(pid, &status, 0))
 		;
 	    /* @@@ FIXME: should we deal with STOP signals as well? */
-	    if (WIFSIGNALED(status))
+	    if (WIFSIGNALED(status)) {
 		kill (getpid(), WTERMSIG(status));
+	    }
 	    exit(WEXITSTATUS(status));
 	}
     }
-#endif /*_OSD_POSIX*/
+#endif /* _OSD_POSIX */
 
     /*
      * Save these for later since initgroups will hose the struct
@@ -386,7 +402,7 @@ int main(int argc, char *argv[])
      * Log the transaction here to be sure we have an open log 
      * before we setuid().
      */
-    log_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
+    log_err("info: (target/actual) uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
 	    target_uname, actual_uname,
 	    target_gname, actual_gname,
 	    cmd);
@@ -396,7 +412,7 @@ int main(int argc, char *argv[])
      * a UID less than UID_MIN.  Tsk tsk.
      */
     if ((uid == 0) || (uid < UID_MIN)) {
-	log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+	log_err("crit: cannot run as forbidden uid (%d/%s)\n", uid, cmd);
 	exit(107);
     }
 
@@ -405,7 +421,7 @@ int main(int argc, char *argv[])
      * or as a GID less than GID_MIN.  Tsk tsk.
      */
     if ((gid == 0) || (gid < GID_MIN)) {
-	log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
+	log_err("crit: cannot run as forbidden gid (%d/%s)\n", gid, cmd);
 	exit(108);
     }
 
@@ -416,7 +432,7 @@ int main(int argc, char *argv[])
      * and setgid() to the target group. If unsuccessful, error out.
      */
     if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
-	log_err("failed to setgid (%ld: %s)\n", gid, cmd);
+	log_err("emerg: failed to setgid (%ld: %s)\n", gid, cmd);
 	exit(109);
     }
 
@@ -424,7 +440,7 @@ int main(int argc, char *argv[])
      * setuid() to the target user.  Error out on fail.
      */
     if ((setuid(uid)) != 0) {
-	log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+	log_err("emerg: failed to setuid (%ld: %s)\n", uid, cmd);
 	exit(110);
     }
 
@@ -437,7 +453,7 @@ int main(int argc, char *argv[])
      * directories.  Yuck.
      */
     if (getcwd(cwd, AP_MAXPATH) == NULL) {
-	log_err("cannot get current working directory\n");
+	log_err("emerg: cannot get current working directory\n");
 	exit(111);
     }
 
@@ -446,7 +462,8 @@ int main(int argc, char *argv[])
 	    ((chdir(USERDIR_SUFFIX)) != 0) ||
 	    ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
 	    ((chdir(cwd)) != 0)) {
-	    log_err("cannot get docroot information (%s)\n", target_homedir);
+	    log_err("emerg: cannot get docroot information (%s)\n",
+		    target_homedir);
 	    exit(112);
 	}
     }
@@ -454,13 +471,13 @@ int main(int argc, char *argv[])
 	if (((chdir(DOC_ROOT)) != 0) ||
 	    ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
 	    ((chdir(cwd)) != 0)) {
-	    log_err("cannot get docroot information (%s)\n", DOC_ROOT);
+	    log_err("emerg: cannot get docroot information (%s)\n", DOC_ROOT);
 	    exit(113);
 	}
     }
 
     if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
-	log_err("command not in docroot (%s/%s)\n", cwd, cmd);
+	log_err("error: command not in docroot (%s/%s)\n", cwd, cmd);
 	exit(114);
     }
 
@@ -468,7 +485,7 @@ int main(int argc, char *argv[])
      * Stat the cwd and verify it is a directory, or error out.
      */
     if (((lstat(cwd, &dir_info)) != 0) || !(S_ISDIR(dir_info.st_mode))) {
-	log_err("cannot stat directory: (%s)\n", cwd);
+	log_err("error: cannot stat directory: (%s)\n", cwd);
 	exit(115);
     }
 
@@ -476,7 +493,7 @@ int main(int argc, char *argv[])
      * Error out if cwd is writable by others.
      */
     if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
-	log_err("directory is writable by others: (%s)\n", cwd);
+	log_err("error: directory is writable by others: (%s)\n", cwd);
 	exit(116);
     }
 
@@ -484,7 +501,7 @@ int main(int argc, char *argv[])
      * Error out if we cannot stat the program.
      */
     if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {
-	log_err("cannot stat program: (%s)\n", cmd);
+	log_err("error: cannot stat program: (%s)\n", cmd);
 	exit(117);
     }
 
@@ -492,7 +509,7 @@ int main(int argc, char *argv[])
      * Error out if the program is writable by others.
      */
     if ((prg_info.st_mode & S_IWOTH) || (prg_info.st_mode & S_IWGRP)) {
-	log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
+	log_err("error: file is writable by others: (%s/%s)\n", cwd, cmd);
 	exit(118);
     }
 
@@ -500,7 +517,7 @@ int main(int argc, char *argv[])
      * Error out if the file is setuid or setgid.
      */
     if ((prg_info.st_mode & S_ISUID) || (prg_info.st_mode & S_ISGID)) {
-	log_err("file is either setuid or setgid: (%s/%s)\n", cwd, cmd);
+	log_err("error: file is either setuid or setgid: (%s/%s)\n", cwd, cmd);
 	exit(119);
     }
 
@@ -512,7 +529,7 @@ int main(int argc, char *argv[])
 	(gid != dir_info.st_gid) ||
 	(uid != prg_info.st_uid) ||
 	(gid != prg_info.st_gid)) {
-	log_err("target uid/gid (%ld/%ld) mismatch "
+	log_err("error: target uid/gid (%ld/%ld) mismatch "
 		"with directory (%ld/%ld) or program (%ld/%ld)\n",
 		uid, gid,
 		dir_info.st_uid, dir_info.st_gid,
@@ -525,10 +542,20 @@ int main(int argc, char *argv[])
      * "[error] Premature end of script headers: ..."
      */
     if (!(prg_info.st_mode & S_IXUSR)) {
-	log_err("file has no execute permission: (%s/%s)\n", cwd, cmd);
+	log_err("error: file has no execute permission: (%s/%s)\n", cwd, cmd);
 	exit(121);
     }
 
+#ifdef SUEXEC_UMASK
+    /*
+     * umask() uses inverse logic; bits are CLEAR for allowed access.
+     */
+    if ((~SUEXEC_UMASK) & 0022) {
+	log_err("notice: SUEXEC_UMASK of %03o allows "
+		"write permission to group and/or other\n", SUEXEC_UMASK);
+    }
+    umask(SUEXEC_UMASK);
+#endif /* SUEXEC_UMASK */
     clean_env();
 
     /* 
@@ -567,6 +594,6 @@ int main(int argc, char *argv[])
      *
      * Oh well, log the failure and error out.
      */
-    log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
+    log_err("emerg: (%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
     exit(255);
 }
diff --git a/usr.sbin/httpd/src/support/suexec.h b/usr.sbin/httpd/src/support/suexec.h
index 5a5f4832da7..892badd1e0b 100644
--- a/usr.sbin/httpd/src/support/suexec.h
+++ b/usr.sbin/httpd/src/support/suexec.h
@@ -78,7 +78,7 @@
  *            for suEXEC.  For most systems, 500 or 100 is common.
  */
 #ifndef UID_MIN
-#define UID_MIN 1000
+#define UID_MIN 100
 #endif
 
 /*
@@ -86,7 +86,7 @@
  *            for suEXEC.  For most systems, 100 is common.
  */
 #ifndef GID_MIN
-#define GID_MIN 1000
+#define GID_MIN 100
 #endif
 
 /*
@@ -120,7 +120,7 @@
  *             debugging purposes.
  */
 #ifndef LOG_EXEC
-#define LOG_EXEC "/var/log/suexec_log"	/* Need me? */
+#define LOG_EXEC "/usr/local/apache/logs/cgi.log"	/* Need me? */
 #endif
 
 /*
@@ -129,7 +129,7 @@
  *             that can be used for suEXEC behavior.
  */
 #ifndef DOC_ROOT
-#define DOC_ROOT "/var/www/htdocs"
+#define DOC_ROOT "/usr/local/apache/htdocs"
 #endif
 
 /*
@@ -137,7 +137,7 @@
  *
  */
 #ifndef SAFE_PATH
-#define SAFE_PATH "/usr/bin:/bin:/usr/local/bin"
+#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
 #endif
 
 #endif /* _SUEXEC_H */