Update POCO to 1.11.0

vendor/POCO/NetSSL_OpenSSL/cmake/PocoNetSSLConfig.cmake

@@ -3,4 +3,5 @@ find_dependency(PocoFoundation)
 find_dependency(PocoUtil)
 find_dependency(PocoNet)
 find_dependency(PocoCrypto)
+find_dependency(OpenSSL REQUIRED COMPONENTS SSL)
 include("${CMAKE_CURRENT_LIST_DIR}/PocoNetSSLTargets.cmake")

vendor/POCO/NetSSL_OpenSSL/include/Poco/Net/AcceptCertificateHandler.h

@@ -27,7 +27,7 @@ namespace Net {
 
 
 class NetSSL_API AcceptCertificateHandler: public InvalidCertificateHandler
-	/// A AcceptCertificateHandler is invoked whenever an error 
+	/// A AcceptCertificateHandler is invoked whenever an error
 	/// occurs verifying the certificate. It always accepts
 	/// the certificate.
 	///

vendor/POCO/NetSSL_OpenSSL/include/Poco/Net/Context.h

@@ -20,10 +20,12 @@
 
 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/SocketDefs.h"
+#include "Poco/Net/InvalidCertificateHandler.h"
 #include "Poco/Crypto/X509Certificate.h"
 #include "Poco/Crypto/EVPPKey.h"
 #include "Poco/Crypto/RSAKey.h"
 #include "Poco/RefCountedObject.h"
+#include "Poco/SharedPtr.h"
 #include "Poco/AutoPtr.h"
 #include <openssl/ssl.h>
 #include <cstdlib>
@@ -135,6 +137,7 @@ public:
 
 		std::string certificateFile;
 			/// Path to the certificate file (in PEM format).
+			///
 			/// If the private key and the certificate are stored in the same file, this
 			/// can be empty if privateKeyFile is given.
 
@@ -156,6 +159,10 @@ public:
 			/// Specifies whether the builtin CA certificates from OpenSSL are used.
 			/// Defaults to false.
 
+		bool ocspStaplingVerification;
+			/// Specifies whether Client should verify OCSP Response
+			/// Defaults to false.
+
 		std::string cipherList;
 			/// Specifies the supported ciphers in OpenSSL notation.
 			/// Defaults to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
@@ -188,6 +195,8 @@ public:
 			///   "X448:X25519:ffdhe4096:ffdhe3072:ffdhe2048:ffdhe6144:ffdhe8192:P-521:P-384:P-256"
 	};
 
+	using InvalidCertificateHandlerPtr = Poco::SharedPtr<InvalidCertificateHandler>;
+
 	Context(Usage usage, const Params& params);
 		/// Creates a Context using the given parameters.
 		///
@@ -397,6 +406,20 @@ public:
 		/// preferences. When called, the SSL/TLS server will choose following its own
 		/// preferences.
 
+	bool ocspStaplingResponseVerificationEnabled() const;
+		/// Returns true if automatic OCSP response
+		/// reception and verification is enabled for client connections
+
+	void setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificageHandler);
+		/// Sets a Context-specific InvalidCertificateHandler.
+		///
+		/// If specified, this InvalidCertificateHandler will be used instead of the
+		/// one globally set in the SSLManager.
+
+	InvalidCertificateHandlerPtr getInvalidCertificateHandler() const;
+		/// Returns the InvalidCertificateHandler set for this Context,
+		/// or a null pointer if none has been set.
+
 private:
 	void init(const Params& params);
 		/// Initializes the Context with the given parameters.
@@ -415,6 +438,8 @@ private:
 	VerificationMode _mode;
 	SSL_CTX* _pSSLContext;
 	bool _extendedCertificateVerification;
+	bool _ocspStaplingResponseVerification;
+	InvalidCertificateHandlerPtr _pInvalidCertificateHandler;
 };
 
 
@@ -456,6 +481,18 @@ inline bool Context::extendedCertificateVerificationEnabled() const
 }
 
 
+inline bool Context::ocspStaplingResponseVerificationEnabled() const
+{
+	return _ocspStaplingResponseVerification;
+}
+
+
+inline Context::InvalidCertificateHandlerPtr Context::getInvalidCertificateHandler() const
+{
+	return _pInvalidCertificateHandler;
+}
+
+
 } } // namespace Poco::Net
 
 

vendor/POCO/NetSSL_OpenSSL/include/Poco/Net/InvalidCertificateHandler.h

@@ -19,20 +19,22 @@
 
 
 #include "Poco/Net/NetSSL.h"
-#include "Poco/Net/VerificationErrorArgs.h"
 
 
 namespace Poco {
 namespace Net {
 
 
+class VerificationErrorArgs;
+
+
 class NetSSL_API InvalidCertificateHandler
 	/// A InvalidCertificateHandler is invoked whenever an error occurs verifying the certificate. It allows the user
 	/// to inspect and accept/reject the certificate.
 	/// One can install one's own InvalidCertificateHandler by implementing this interface. Note that
-	/// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API 
+	/// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API
 	/// and the name of your handler class is MyGuiHandler):
-	///    
+	///
 	///    #include "Poco/Net/CertificateHandlerFactory.h"
 	///    ...
 	///    POCO_REGISTER_CHFACTORY(My_API, MyGuiHandler)
@@ -43,7 +45,7 @@ class NetSSL_API InvalidCertificateHandler
 	///
 	/// or in case one uses Poco::Util::Application one can rely on an XML configuration and put the following entry
 	/// under the path openSSL.invalidCertificateHandler:
-	///    
+	///
 	///    <invalidCertificateHandler>
 	///        <name>MyGuiHandler<name>
 	///        <options>
@@ -56,7 +58,7 @@ class NetSSL_API InvalidCertificateHandler
 public:
 	InvalidCertificateHandler(bool handleErrorsOnServerSide);
 		/// Creates the InvalidCertificateHandler.
-		/// 
+		///
 		/// Set handleErrorsOnServerSide to true if the certificate handler is used on the server side.
 		/// Automatically registers at one of the SSLManager::VerificationError events.
 

vendor/POCO/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h

@@ -272,12 +272,21 @@ protected:
 		/// The request is delegated to the PrivatekeyPassword event. This method returns the
 		/// length of the password.
 
+	static int verifyOCSPResponseCallback(SSL* pSSL, void* arg);
+		/// The return value of this method defines how errors in
+		/// verification are handled. Return 0 to terminate the handshake,
+		/// or 1 to continue despite the error.
+
 	static Poco::Util::AbstractConfiguration& appConfig();
 		/// Returns the application configuration.
 		///
 		/// Throws a InvalidStateException if not application instance
 		/// is available.
 
+	int contextIndex() const;
+		/// Returns the index for SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data() to
+		/// store the Context* in the underlying SSL_CTX.
+
 private:
 	SSLManager();
 		/// Creates the SSLManager.
@@ -310,6 +319,7 @@ private:
 	Context::Ptr                     _ptrDefaultClientContext;
 	PrivateKeyPassphraseHandlerPtr   _ptrClientPassphraseHandler;
 	InvalidCertificateHandlerPtr     _ptrClientCertificateHandler;
+	int                              _contextIndex;
 	Poco::FastMutex                  _mutex;
 
 	static const std::string CFG_PRIV_KEY_FILE;
@@ -389,6 +399,12 @@ inline int SSLManager::verifyClientCallback(int ok, X509_STORE_CTX* pStore)
 }
 
 
+inline int SSLManager::contextIndex() const
+{
+	return _contextIndex;
+}
+
+
 } } // namespace Poco::Net
 
 

vendor/POCO/NetSSL_OpenSSL/include/Poco/Net/SecureServerSocketImpl.h

@@ -47,7 +47,7 @@ public:
 		/// with the client.
 		///
 		/// The client socket's address is returned in clientAddr.
-	
+
 	void connect(const SocketAddress& address);
 		/// Not supported by this kind of socket.
 		///
@@ -62,8 +62,18 @@ public:
 		/// Not supported by this kind of socket.
 		///
 		/// Throws a Poco::InvalidAccessException.
-	
-	void bind(const SocketAddress& address, bool reuseAddress = false, bool reusePort = false);
+
+	void bind(const SocketAddress& address, bool reuseAddress = false);
+		/// Bind a local address to the socket.
+		///
+		/// This is usually only done when establishing a server
+		/// socket. TCP clients should not bind a socket to a
+		/// specific address.
+		///
+		/// If reuseAddress is true, sets the SO_REUSEADDR
+		/// socket option.
+
+	void bind(const SocketAddress& address, bool reuseAddress, bool reusePort);
 		/// Bind a local address to the socket.
 		///
 		/// This is usually only done when establishing a server
@@ -76,7 +86,43 @@ public:
 		/// If reusePort is true, sets the SO_REUSEPORT
 		/// socket option.
 
-		
+	void bind6(const SocketAddress& address, bool reuseAddress = false, bool ipV6Only = false);
+		/// Bind a local IPv6 address to the socket.
+		///
+		/// This is usually only done when establishing a server
+		/// socket. TCP clients should not bind a socket to a
+		/// specific address.
+		///
+		/// If reuseAddress is true, sets the SO_REUSEADDR
+		/// socket option.
+		///
+		/// The given address must be an IPv6 address. The
+		/// IPPROTO_IPV6/IPV6_V6ONLY option is set on the socket
+		/// according to the ipV6Only parameter.
+		///
+		/// If the library has not been built with IPv6 support,
+		/// a Poco::NotImplementedException will be thrown.
+
+	void bind6(const SocketAddress& address, bool reuseAddress, bool reusePort, bool ipV6Only);
+		/// Bind a local IPv6 address to the socket.
+		///
+		/// This is usually only done when establishing a server
+		/// socket. TCP clients should not bind a socket to a
+		/// specific address.
+		///
+		/// If reuseAddress is true, sets the SO_REUSEADDR
+		/// socket option.
+		///
+		/// If reusePort is true, sets the SO_REUSEPORT
+		/// socket option.
+		///
+		/// The given address must be an IPv6 address. The
+		/// IPPROTO_IPV6/IPV6_V6ONLY option is set on the socket
+		/// according to the ipV6Only parameter.
+		///
+		/// If the library has not been built with IPv6 support,
+		/// a Poco::NotImplementedException will be thrown.
+
 	void listen(int backlog = 64);
 		/// Puts the socket into listening state.
 		///
@@ -89,27 +135,27 @@ public:
 
 	void close();
 		/// Close the socket.
-	
+
 	int sendBytes(const void* buffer, int length, int flags = 0);
 		/// Not supported by this kind of socket.
 		///
 		/// Throws a Poco::InvalidAccessException.
-	
+
 	int receiveBytes(void* buffer, int length, int flags = 0);
 		/// Not supported by this kind of socket.
 		///
 		/// Throws a Poco::InvalidAccessException.
-	
+
 	int sendTo(const void* buffer, int length, const SocketAddress& address, int flags = 0);
 		/// Not supported by this kind of socket.
 		///
 		/// Throws a Poco::InvalidAccessException.
-	
+
 	int receiveFrom(void* buffer, int length, SocketAddress& address, int flags = 0);
 		/// Not supported by this kind of socket.
 		///
 		/// Throws a Poco::InvalidAccessException.
-	
+
 	void sendUrgent(unsigned char data);
 		/// Not supported by this kind of socket.
 		///
@@ -118,7 +164,7 @@ public:
 	bool secure() const;
 		/// Returns true iff the socket's connection is secure
 		/// (using SSL or TLS).
-		
+
 	Context::Ptr context() const;
 		/// Returns the SSL context used by this socket.
 

vendor/POCO/NetSSL_OpenSSL/include/Poco/Net/SecureSocketImpl.h

@@ -56,29 +56,39 @@ public:
 		/// with the client.
 		///
 		/// The client socket's address is returned in clientAddr.
-	
+
 	void connect(const SocketAddress& address, bool performHandshake);
-		/// Initializes the socket and establishes a secure connection to 
+		/// Initializes the socket and establishes a secure connection to
 		/// the TCP server at the given address.
 		///
-		/// If performHandshake is true, the SSL handshake is performed immediately 
+		/// If performHandshake is true, the SSL handshake is performed immediately
 		/// after establishing the connection. Otherwise, the handshake is performed
 		/// the first time sendBytes(), receiveBytes() or completeHandshake() is called.
 
 	void connect(const SocketAddress& address, const Poco::Timespan& timeout, bool performHandshake);
-		/// Initializes the socket, sets the socket timeout and 
+		/// Initializes the socket, sets the socket timeout and
 		/// establishes a secure connection to the TCP server at the given address.
 		///
-		/// If performHandshake is true, the SSL handshake is performed immediately 
+		/// If performHandshake is true, the SSL handshake is performed immediately
 		/// after establishing the connection. Otherwise, the handshake is performed
 		/// the first time sendBytes(), receiveBytes() or completeHandshake() is called.
 
 	void connectNB(const SocketAddress& address);
-		/// Initializes the socket and establishes a secure connection to 
+		/// Initializes the socket and establishes a secure connection to
 		/// the TCP server at the given address. Prior to opening the
 		/// connection the socket is set to nonblocking mode.
 
-	void bind(const SocketAddress& address, bool reuseAddress = false, bool reusePort = false);
+	void bind(const SocketAddress& address, bool reuseAddress = false);
+		/// Bind a local address to the socket.
+		///
+		/// This is usually only done when establishing a server
+		/// socket. TCP clients should not bind a socket to a
+		/// specific address.
+		///
+		/// If reuseAddress is true, sets the SO_REUSEADDR
+		/// socket option.
+
+	void bind(const SocketAddress& address, bool reuseAddress, bool reusePort);
 		/// Bind a local address to the socket.
 		///
 		/// This is usually only done when establishing a server
@@ -90,7 +100,44 @@ public:
 		///
 		/// If reusePort is true, sets the SO_REUSEPORT
 		/// socket option.
-		
+
+	void bind6(const SocketAddress& address, bool reuseAddress = false, bool ipV6Only = false);
+		/// Bind a local IPv6 address to the socket.
+		///
+		/// This is usually only done when establishing a server
+		/// socket. TCP clients should not bind a socket to a
+		/// specific address.
+		///
+		/// If reuseAddress is true, sets the SO_REUSEADDR
+		/// socket option.
+		///
+		/// The given address must be an IPv6 address. The
+		/// IPPROTO_IPV6/IPV6_V6ONLY option is set on the socket
+		/// according to the ipV6Only parameter.
+		///
+		/// If the library has not been built with IPv6 support,
+		/// a Poco::NotImplementedException will be thrown.
+
+	void bind6(const SocketAddress& address, bool reuseAddress, bool reusePort, bool ipV6Only);
+		/// Bind a local IPv6 address to the socket.
+		///
+		/// This is usually only done when establishing a server
+		/// socket. TCP clients should not bind a socket to a
+		/// specific address.
+		///
+		/// If reuseAddress is true, sets the SO_REUSEADDR
+		/// socket option.
+		///
+		/// If reusePort is true, sets the SO_REUSEPORT
+		/// socket option.
+		///
+		/// The given address must be an IPv6 address. The
+		/// IPPROTO_IPV6/IPV6_V6ONLY option is set on the socket
+		/// according to the ipV6Only parameter.
+		///
+		/// If the library has not been built with IPv6 support,
+		/// a Poco::NotImplementedException will be thrown.
+
 	void listen(int backlog = 64);
 		/// Puts the socket into listening state.
 		///
@@ -108,42 +155,42 @@ public:
 
 	void close();
 		/// Close the socket.
-		
+
 	void abort();
 		/// Aborts the connection by closing the
 		/// underlying TCP connection. No orderly SSL shutdown
 		/// is performed.
-	
+
 	int sendBytes(const void* buffer, int length, int flags = 0);
 		/// Sends the contents of the given buffer through
 		/// the socket. Any specified flags are ignored.
 		///
 		/// Returns the number of bytes sent, which may be
 		/// less than the number of bytes specified.
-	
+
 	int receiveBytes(void* buffer, int length, int flags = 0);
 		/// Receives data from the socket and stores it
 		/// in buffer. Up to length bytes are received.
 		///
 		/// Returns the number of bytes received.
-		
+
 	int available() const;
 		/// Returns the number of bytes available from the
 		/// SSL buffer for immediate reading.
-	
+
 	int completeHandshake();
 		/// Completes the SSL handshake.
 		///
 		/// If the SSL connection was the result of an accept(),
 		/// the server-side handshake is completed, otherwise
-		/// a client-side handshake is performed. 
-		
+		/// a client-side handshake is performed.
+
 	poco_socket_t sockfd();
 		/// Returns the underlying socket descriptor.
 
 	X509* peerCertificate() const;
 		/// Returns the peer's certificate.
-		
+
 	Context::Ptr context() const;
 		/// Returns the SSL context used for this socket.
 
@@ -158,17 +205,17 @@ public:
 
 	void setPeerHostName(const std::string& hostName);
 		/// Sets the peer host name for certificate validation purposes.
-		
+
 	const std::string& getPeerHostName() const;
 		/// Returns the peer host name.
-		
+
 	Session::Ptr currentSession();
 		/// Returns the SSL session of the current connection,
 		/// for reuse in a future connection (if session caching
 		/// is enabled).
 		///
 		/// If no connection is established, returns null.
-		
+
 	void useSession(Session::Ptr pSession);
 		/// Sets the SSL session to use for the next
 		/// connection. Setting a previously saved Session
@@ -178,31 +225,31 @@ public:
 		/// can be given.
 		///
 		/// Must be called before connect() to be effective.
-		
+
 	bool sessionWasReused();
 		/// Returns true iff a reused session was negotiated during
 		/// the handshake.
-		
+
 protected:
 	void acceptSSL();
 		/// Performs a server-side SSL handshake and certificate verification.
 
 	void connectSSL(bool performHandshake);
-		/// Performs a client-side SSL handshake and establishes a secure 
+		/// Performs a client-side SSL handshake and establishes a secure
 		/// connection over an already existing TCP connection.
-	
+
 	long verifyPeerCertificateImpl(const std::string& hostName);
 		/// Performs post-connect (or post-accept) peer certificate validation.
-		
+
 	static bool isLocalHost(const std::string& hostName);
-		/// Returns true iff the given host name is the local host 
+		/// Returns true iff the given host name is the local host
 		/// (either "localhost" or "127.0.0.1").
 
 	bool mustRetry(int rc);
 		/// Returns true if the last operation should be retried,
 		/// otherwise false.
 		///
-		/// In case of an SSL_ERROR_WANT_READ error, and if the socket is 
+		/// In case of an SSL_ERROR_WANT_READ error, and if the socket is
 		/// blocking, waits for the underlying socket to become readable.
 		///
 		/// In case of an SSL_ERROR_WANT_WRITE error, and if the socket is
@@ -216,7 +263,7 @@ protected:
 		/// Handles an SSL error by throwing an appropriate exception.
 
 	void reset();
-		/// Prepares the socket for re-use. 
+		/// Prepares the socket for re-use.
 		///
 		/// After closing and resetting a socket, the socket can
 		/// be used for a new connection.
@@ -224,7 +271,7 @@ protected:
 		/// Note that simply closing a socket is not sufficient
 		/// to be able to re-use it again.
 
-private:	
+private:
 	SecureSocketImpl(const SecureSocketImpl&);
 	SecureSocketImpl& operator = (const SecureSocketImpl&);
 
@@ -234,7 +281,7 @@ private:
 	bool _needHandshake;
 	std::string _peerHostName;
 	Session::Ptr _pSession;
-	
+
 	friend class SecureStreamSocketImpl;
 };
 

vendor/POCO/NetSSL_OpenSSL/include/Poco/Net/VerificationErrorArgs.h

@@ -20,6 +20,7 @@
 
 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/X509Certificate.h"
+#include "Poco/Net/Context.h"
 
 
 namespace Poco {
@@ -30,12 +31,15 @@ class NetSSL_API VerificationErrorArgs
 	/// A utility class for certificate error handling.
 {
 public:
-	VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
+	VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
 		/// Creates the VerificationErrorArgs. _ignoreError is per default set to false.
 
 	~VerificationErrorArgs();
 		/// Destroys the VerificationErrorArgs.
 
+	Poco::Net::Context::Ptr context() const;
+		/// Returns the Context of the underlying connection causing the error.
+
 	const X509Certificate& certificate() const;
 		/// Returns the certificate that caused the error.
 
@@ -55,6 +59,7 @@ public:
 		/// returns the value of _ignoreError
 
 private:
+	Poco::Net::Context::Ptr _pContext;
 	X509Certificate	_cert;
 	int             _errorDepth;
 	int             _errorNumber;
@@ -66,6 +71,12 @@ private:
 //
 // inlines
 //
+inline Poco::Net::Context::Ptr VerificationErrorArgs::context() const
+{
+	return _pContext;
+}
+
+
 inline const X509Certificate& VerificationErrorArgs::certificate() const
 {
 	return _cert;

vendor/POCO/NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp

@@ -13,6 +13,7 @@
 
 
 #include "Poco/Net/AcceptCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 
 
 namespace Poco {

vendor/POCO/NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp

@@ -13,6 +13,7 @@
 
 
 #include "Poco/Net/ConsoleCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 #include <iostream>
 
 

vendor/POCO/NetSSL_OpenSSL/src/Context.cpp

@@ -34,6 +34,7 @@ Context::Params::Params():
 	verificationMode(VERIFY_RELAXED),
 	verificationDepth(9),
 	loadDefaultCAs(false),
+	ocspStaplingVerification(false),
 	cipherList("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"),
 	dhUse2048Bits(false)
 {
@@ -44,7 +45,8 @@ Context::Context(Usage usage, const Params& params):
 	_usage(usage),
 	_mode(params.verificationMode),
 	_pSSLContext(0),
-	_extendedCertificateVerification(true)
+	_extendedCertificateVerification(true),
+	_ocspStaplingResponseVerification(false)
 {
 	init(params);
 }
@@ -62,7 +64,8 @@ Context::Context(
 	_usage(usage),
 	_mode(verificationMode),
 	_pSSLContext(0),
-	_extendedCertificateVerification(true)
+	_extendedCertificateVerification(true),
+	_ocspStaplingResponseVerification(false)
 {
 	Params params;
 	params.privateKeyFile = privateKeyFile;
@@ -86,7 +89,8 @@ Context::Context(
 	_usage(usage),
 	_mode(verificationMode),
 	_pSSLContext(0),
-	_extendedCertificateVerification(true)
+	_extendedCertificateVerification(true),
+	_ocspStaplingResponseVerification(false)
 {
 	Params params;
 	params.caLocation = caLocation;
@@ -155,13 +159,15 @@ void Context::init(const Params& params)
 			}
 		}
 
-		if (!params.certificateFile.empty())
+		std::string certificateFile = params.certificateFile;
+		if (certificateFile.empty()) certificateFile = params.privateKeyFile;
+		if (!certificateFile.empty())
 		{
-			errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, Poco::Path::transcode(params.certificateFile).c_str());
+			errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, Poco::Path::transcode(certificateFile).c_str());
 			if (errCode != 1)
 			{
 				std::string errMsg = Utility::getLastError();
-				throw SSLContextException(std::string("Error loading certificate from file ") + params.certificateFile, errMsg);
+				throw SSLContextException(std::string("Error loading certificate from file ") + certificateFile, errMsg);
 			}
 		}
 
@@ -174,6 +180,18 @@ void Context::init(const Params& params)
 		SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
 		SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
 		SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
+		SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this);
+
+		if (!isForServerUse() && params.ocspStaplingVerification)
+		{
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+			_ocspStaplingResponseVerification = true;
+			SSL_CTX_set_tlsext_status_cb(_pSSLContext, &SSLManager::verifyOCSPResponseCallback);
+			SSL_CTX_set_tlsext_status_arg(_pSSLContext, this);
+#else
+			throw SSLContextException("OCSP Stapling is not supported by this OpenSSL version");
+#endif
+		}
 
 		initDH(params.dhUse2048Bits, params.dhParamsFile);
 		initECDH(params.ecdhCurve);
@@ -395,7 +413,7 @@ void Context::requireMinimumProtocol(Protocols protocol)
 	case PROTO_SSLV2:
 		throw Poco::InvalidArgumentException("SSLv2 is no longer supported");
 	case PROTO_SSLV3:
-		version = SSL3_VERSION;
+		throw Poco::InvalidArgumentException("SSLv3 is no longer supported");
 		break;
 	case PROTO_TLSV1:
 		version = TLS1_VERSION;
@@ -424,7 +442,7 @@ void Context::requireMinimumProtocol(Protocols protocol)
 		throw Poco::InvalidArgumentException("SSLv2 is no longer supported");
 
 	case PROTO_SSLV3:
-		disableProtocols(PROTO_SSLV2);
+		throw Poco::InvalidArgumentException("SSLv3 is no longer supported");
 		break;
 
 	case PROTO_TLSV1:
@@ -463,6 +481,12 @@ void Context::preferServerCiphers()
 }
 
 
+void Context::setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificateHandler)
+{
+	_pInvalidCertificateHandler = pInvalidCertificateHandler;
+}
+
+
 void Context::createSSLContext()
 {
 	int minTLSVersion = 0;

vendor/POCO/NetSSL_OpenSSL/src/HTTPSClientSession.cpp

@@ -140,7 +140,7 @@ void HTTPSClientSession::connect(const SocketAddress& address)
 	if (getProxyHost().empty() || bypassProxy())
 	{
 		SecureStreamSocket sss(socket());
-		if (sss.getPeerHostName().empty()) 
+		if (sss.getPeerHostName().empty())
 		{
 			sss.setPeerHostName(getHost());
 		}
@@ -172,8 +172,8 @@ int HTTPSClientSession::read(char* buffer, std::streamsize length)
 	try
 	{
 		return HTTPSession::read(buffer, length);
-	} 
-	catch(SSLConnectionUnexpectedlyClosedException&)
+	}
+	catch (SSLConnectionUnexpectedlyClosedException&)
 	{
 		return 0;
 	}

vendor/POCO/NetSSL_OpenSSL/src/HTTPSSessionInstantiator.cpp

@@ -41,10 +41,9 @@ HTTPClientSession* HTTPSSessionInstantiator::createClientSession(const Poco::URI
 {
 	poco_assert (uri.getScheme() == "https");
 	HTTPSClientSession* pSession = _pContext.isNull() ? new HTTPSClientSession(uri.getHost(), uri.getPort()) : new HTTPSClientSession(uri.getHost(), uri.getPort(), _pContext);
-	if (!proxyHost().empty())
+	if (!getProxyConfig().host.empty())
 	{
-		pSession->setProxy(proxyHost(), proxyPort());
-		pSession->setProxyCredentials(proxyUsername(), proxyPassword());
+		pSession->setProxyConfig(getProxyConfig());
 	}
 	return pSession;
 }

vendor/POCO/NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp

@@ -26,26 +26,11 @@ namespace Net {
 
 InvalidCertificateHandler::InvalidCertificateHandler(bool handleErrorsOnServerSide): _handleErrorsOnServerSide(handleErrorsOnServerSide)
 {
-	if (_handleErrorsOnServerSide)
-		SSLManager::instance().ServerVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-	else
-		SSLManager::instance().ClientVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
 }
 
 
 InvalidCertificateHandler::~InvalidCertificateHandler()
 {
-	try
-	{
-		if (_handleErrorsOnServerSide)
-			SSLManager::instance().ServerVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-		else
-			SSLManager::instance().ClientVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-	}
-	catch (...)
-	{
-		poco_unexpected();
-	}
 }
 
 

vendor/POCO/NetSSL_OpenSSL/src/RejectCertificateHandler.cpp

@@ -13,6 +13,7 @@
 
 
 #include "Poco/Net/RejectCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 
 
 namespace Poco {

vendor/POCO/NetSSL_OpenSSL/src/SSLManager.cpp

@@ -12,6 +12,11 @@
 //
 
 
+#if defined(_MSC_VER)
+#pragma warning(disable:4996) // deprecation warnings
+#endif
+
+
 #include "Poco/Net/SSLManager.h"
 #include "Poco/Net/Context.h"
 #include "Poco/Net/Utility.h"
@@ -24,6 +29,10 @@
 #include "Poco/StringTokenizer.h"
 #include "Poco/Util/Application.h"
 #include "Poco/Util/OptionException.h"
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#include <openssl/ocsp.h>
+#include <openssl/tls1.h>
+#endif
 
 
 namespace Poco {
@@ -67,7 +76,8 @@ const bool        SSLManager::VAL_FIPS_MODE(false);
 #endif
 
 
-SSLManager::SSLManager()
+SSLManager::SSLManager():
+	_contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL))
 {
 }
 
@@ -204,16 +214,45 @@ int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
 {
 	if (!ok)
 	{
+		SSLManager& sslManager = SSLManager::instance();
+		SSL* pSSL = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(pStore, SSL_get_ex_data_X509_STORE_CTX_idx()));
+		poco_assert_dbg (pSSL);
+		SSL_CTX* pSSLContext = SSL_get_SSL_CTX(pSSL);
+		poco_assert_dbg (pSSLContext);
+
+		Context* pContext = reinterpret_cast<Context*>(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex()));
+		poco_assert_dbg (pContext);
+
 		X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
 		X509Certificate x509(pCert, true);
 		int depth = X509_STORE_CTX_get_error_depth(pStore);
 		int err = X509_STORE_CTX_get_error(pStore);
 		std::string error(X509_verify_cert_error_string(err));
-		VerificationErrorArgs args(x509, depth, err, error);
+		VerificationErrorArgs args(Context::Ptr(pContext, true), x509, depth, err, error);
 		if (server)
-			SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
+		{
+			if (pContext->getInvalidCertificateHandler())
+			{
+				pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+			}
+			else if (sslManager._ptrServerCertificateHandler)
+			{
+				sslManager._ptrServerCertificateHandler->onInvalidCertificate(&sslManager, args);
+			}
+			sslManager.ServerVerificationError.notify(&sslManager, args);
+		}
 		else
-			SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
+		{
+			if (pContext->getInvalidCertificateHandler())
+			{
+				pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+			}
+			else if (sslManager._ptrClientCertificateHandler)
+			{
+				sslManager._ptrClientCertificateHandler->onInvalidCertificate(&sslManager, args);
+			}
+			sslManager.ClientVerificationError.notify(&sslManager, args);
+		}
 		ok = args.getIgnoreError() ? 1 : 0;
 	}
 
@@ -235,6 +274,145 @@ int SSLManager::privateKeyPassphraseCallback(char* pBuf, int size, int flag, voi
 }
 
 
+int SSLManager::verifyOCSPResponseCallback(SSL* pSSL, void* arg)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+	const long OCSP_VALIDITY_LEEWAY = 5*60;
+
+	Poco::Net::Context* pContext = static_cast<Poco::Net::Context*>(arg);
+
+	// Fetch the OSCP verify flag
+	bool ocspVerifyFlag = pContext->ocspStaplingResponseVerificationEnabled();
+
+	const unsigned char* pResp;
+	int len = SSL_get_tlsext_status_ocsp_resp(pSSL, &pResp);
+	if (!pResp)
+	{
+		// OCSP response not received
+		return ocspVerifyFlag ? 0 : 1;
+	}
+
+	OCSP_RESPONSE* pOcspResp = d2i_OCSP_RESPONSE(NULL, &pResp, len);
+	if (!pOcspResp) return 0;
+
+	if (OCSP_response_status(pOcspResp) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
+	{
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	OCSP_BASICRESP* pBasicResp = OCSP_response_get1_basic(pOcspResp);
+	if (!pBasicResp)
+	{
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	X509* pPeerCert = SSL_get_peer_certificate(pSSL);
+	if (!pPeerCert)
+	{
+		OCSP_BASICRESP_free(pBasicResp);
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	X509* pPeerIssuerCert = NULL;
+	STACK_OF(X509)* pCertChain = SSL_get_peer_cert_chain(pSSL);
+	unsigned certChainLen = sk_X509_num(pCertChain);
+	for (int i= 0; i < certChainLen ; i++)
+	{
+		if (!pPeerIssuerCert)
+		{
+			X509* pIssuerCert = sk_X509_value(pCertChain, i);
+			if (X509_check_issued(pIssuerCert, pPeerCert) == X509_V_OK)
+			{
+				pPeerIssuerCert = pIssuerCert;
+				break;
+			}
+		}
+	}
+	if (!pPeerIssuerCert)
+	{
+		X509_free(pPeerCert);
+		OCSP_BASICRESP_free(pBasicResp);
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	STACK_OF(X509)* pCerts = sk_X509_new_null();
+	if (pCerts)
+	{
+		X509* pCert = X509_dup(pPeerIssuerCert);
+		if (pCert && !sk_X509_push(pCerts, pCert))
+		{
+			X509_free(pCert);
+			sk_X509_free(pCerts);
+			pCerts = NULL;
+		}
+	}
+
+	X509_STORE* pStore = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(pSSL));
+
+	int verifyStatus = OCSP_basic_verify(pBasicResp, pCerts, pStore, OCSP_TRUSTOTHER);
+
+	sk_X509_pop_free(pCerts, X509_free);
+
+	if (verifyStatus <= 0)
+	{
+		X509_free(pPeerCert);
+		OCSP_BASICRESP_free(pBasicResp);
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	OCSP_CERTID* pCertId = OCSP_cert_to_id(NULL, pPeerCert, pPeerIssuerCert);
+	if (!pCertId)
+	{
+		X509_free(pPeerCert);
+		OCSP_BASICRESP_free(pBasicResp);
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	X509_free(pPeerCert);
+
+	ASN1_GENERALIZEDTIME* pRevTime;
+	ASN1_GENERALIZEDTIME* pThisUpdate;
+	ASN1_GENERALIZEDTIME* pNextUpdate;
+	int certStatus;
+	int reason;
+	if (!OCSP_resp_find_status(pBasicResp, pCertId, &certStatus, &reason, &pRevTime, &pThisUpdate, &pNextUpdate))
+	{
+		OCSP_CERTID_free(pCertId);
+		OCSP_BASICRESP_free(pBasicResp);
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	OCSP_CERTID_free(pCertId);
+
+	if (certStatus != V_OCSP_CERTSTATUS_GOOD)
+	{
+		OCSP_BASICRESP_free(pBasicResp);
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	if (!OCSP_check_validity(pThisUpdate, pNextUpdate, OCSP_VALIDITY_LEEWAY, -1))
+	{
+		OCSP_BASICRESP_free(pBasicResp);
+		OCSP_RESPONSE_free(pOcspResp);
+		return 0;
+	}
+
+	OCSP_BASICRESP_free(pBasicResp);
+	OCSP_RESPONSE_free(pOcspResp);
+#endif
+
+	return 1;
+}
+
+
 void SSLManager::initDefaultContext(bool server)
 {
 	if (server && _ptrDefaultServerContext) return;

vendor/POCO/NetSSL_OpenSSL/src/SecureServerSocketImpl.cpp

@@ -54,13 +54,20 @@ void SecureServerSocketImpl::connect(const SocketAddress& address, const Poco::T
 {
 	throw Poco::InvalidAccessException("Cannot connect() a SecureServerSocket");
 }
-	
+
 
 void SecureServerSocketImpl::connectNB(const SocketAddress& address)
 {
 	throw Poco::InvalidAccessException("Cannot connect() a SecureServerSocket");
 }
-	
+
+
+void SecureServerSocketImpl::bind(const SocketAddress& address, bool reuseAddress)
+{
+	_impl.bind(address, reuseAddress);
+	reset(_impl.sockfd());
+}
+
 
 void SecureServerSocketImpl::bind(const SocketAddress& address, bool reuseAddress, bool reusePort)
 {
@@ -68,20 +75,34 @@ void SecureServerSocketImpl::bind(const SocketAddress& address, bool reuseAddres
 	reset(_impl.sockfd());
 }
 
-	
+
+void SecureServerSocketImpl::bind6(const SocketAddress& address, bool reuseAddress, bool ipV6Only)
+{
+	_impl.bind6(address, reuseAddress, ipV6Only);
+	reset(_impl.sockfd());
+}
+
+
+void SecureServerSocketImpl::bind6(const SocketAddress& address, bool reuseAddress, bool reusePort, bool ipV6Only)
+{
+	_impl.bind6(address, reuseAddress, reusePort, ipV6Only);
+	reset(_impl.sockfd());
+}
+
+
 void SecureServerSocketImpl::listen(int backlog)
 {
 	_impl.listen(backlog);
 	reset(_impl.sockfd());
 }
-	
+
 
 void SecureServerSocketImpl::close()
 {
 	reset();
 	_impl.close();
 }
-	
+
 
 int SecureServerSocketImpl::sendBytes(const void* buffer, int length, int flags)
 {

vendor/POCO/NetSSL_OpenSSL/src/SecureSocketImpl.cpp

@@ -164,6 +164,13 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
 	}
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+	if(_pContext->ocspStaplingResponseVerificationEnabled())
+	{
+		SSL_set_tlsext_status_type(_pSSL, TLSEXT_STATUSTYPE_ocsp);
+	}
+#endif
+
 	if (_pSession)
 	{
 		SSL_set_session(_pSSL, _pSession->sslSession());
@@ -192,6 +199,14 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
 }
 
 
+void SecureSocketImpl::bind(const SocketAddress& address, bool reuseAddress)
+{
+	poco_check_ptr (_pSocket);
+
+	_pSocket->bind(address, reuseAddress);
+}
+
+
 void SecureSocketImpl::bind(const SocketAddress& address, bool reuseAddress, bool reusePort)
 {
 	poco_check_ptr (_pSocket);
@@ -200,6 +215,22 @@ void SecureSocketImpl::bind(const SocketAddress& address, bool reuseAddress, boo
 }
 
 
+void SecureSocketImpl::bind6(const SocketAddress& address, bool reuseAddress, bool ipV6Only)
+{
+	poco_check_ptr (_pSocket);
+
+	_pSocket->bind6(address, reuseAddress, ipV6Only);
+}
+
+
+void SecureSocketImpl::bind6(const SocketAddress& address, bool reuseAddress, bool reusePort, bool ipV6Only)
+{
+	poco_check_ptr (_pSocket);
+
+	_pSocket->bind6(address, reuseAddress, reusePort, ipV6Only);
+}
+
+
 void SecureSocketImpl::listen(int backlog)
 {
 	poco_check_ptr (_pSocket);

vendor/POCO/NetSSL_OpenSSL/src/VerificationErrorArgs.cpp

@@ -19,7 +19,8 @@ namespace Poco {
 namespace Net {
 
 
-VerificationErrorArgs::VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
+VerificationErrorArgs::VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
+	_pContext(pContext),
 	_cert(cert),
 	_errorDepth(errDepth),
 	_errorNumber(errNum),

vendor/POCO/NetSSL_OpenSSL/testsuite/any.pem

@@ -1,54 +1,49 @@
 -----BEGIN CERTIFICATE-----
-MIIEFjCCAv6gAwIBAgIBAjALBgkqhkiG9w0BAQUwgdMxEzARBgNVBAMMCmFwcGlu
-Zi5jb20xNjA0BgNVBAoMLUFwcGxpZWQgSW5mb3JtYXRpY3MgU29mdHdhcmUgRW5n
-aW5lZXJpbmcgR21iSDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxEjAQBgNVBAgMCUNh
-cmludGhpYTELMAkGA1UEBgwCQVQxHjAcBgNVBAcMFVN0LiBKYWtvYiBpbSBSb3Nl
-bnRhbDEtMCsGCSqGSIb3DQEJAQweZ3VlbnRlci5vYmlsdHNjaG5pZ0BhcHBpbmYu
-Y29tMB4XDTA5MDIyMzEzNDIwMloXDTExMTEyMDEzNDIwMlowgcoxCjAIBgNVBAMM
-ASoxNjA0BgNVBAoMLUFwcGxpZWQgSW5mb3JtYXRpY3MgU29mdHdhcmUgRW5naW5l
-ZXJpbmcgR21iSDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxEjAQBgNVBAgMCUNhcmlu
-dGhpYTELMAkGA1UEBgwCQVQxHjAcBgNVBAcMFVN0LiBKYWtvYiBpbSBSb3NlbnRh
-bDEtMCsGCSqGSIb3DQEJAQweZ3VlbnRlci5vYmlsdHNjaG5pZ0BhcHBpbmYuY29t
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxjGFE96wa83Kdiv0m10O
-XmBmZ5xuclalVTCisLzUmAekbItMjkmI6dVw9r5gd0W5zDWrgPYUmYgtvqnxSHRK
-PRAN410Yq9vqWYvQscpnXGlqUag8t+OBXJhiFnnea/btA0zGVZk6RE/7cWK8AtKH
-Q/Xds3AUJ1L/1uV/e/5azyUDyptsmHbCMUwWhGBrj/KZEviHmRMN/xJLrbIBPkla
-4HRB61rI8in0jziCwThJ7KiQumzWRu2IJjS+VoNWvG52dYLDvfxppuY1rlF0SG/h
-JuSJQqJjZZ11V4TePHscFkGU2tnHqF4UhSjLFJWsGuxnAmZTeIRmavmIIMm3/G6C
-WwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAc+mn/ZEaK59B/UAgx8cMlGM9UigJv
-L9O46pno3YirBq9SrMzf5b6rrbJm8tkQNfldqaVNA5oVbfxnAHhCUDkX8m0x/De8
-teo9nFei8kETQ25ykV+WLapOdrYxakHPtNVgDTGWNb2GY/hH3nMvtdgFvaS80ncD
-tOa13tE4jopFQFY56VKq+sv4Hm5JDvr+dD/g77Cio02sUzSH96FrFIG5/kw1NihB
-IJKZ4n7atQizDe4TiR/NRonmZNbsB+18yTKT8traCS30JGKQqYxXuVKPyQd7FARv
-ajZxRPbcpAtvWBKXpRHXo4xIBJaPktVOG2hGovjRixXYb83hQ87t1Ozy
+MIIDojCCAooCCQD768hnUSguIzANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMC
+QVQxEjAQBgNVBAgMCUNhcmludGhpYTEeMBwGA1UEBwwVU3QuIEpha29iIGltIFJv
+c2VudGFsMTYwNAYDVQQKDC1BcHBsaWVkIEluZm9ybWF0aWNzIFNvZnR3YXJlIEVu
+Z2luZWVyaW5nIEdtYkgxFzAVBgNVBAMMDnd3dy5hcHBpbmYuY29tMB4XDTIxMDYx
+NjE1NDEwMFoXDTQxMDYxMTE1NDEwMFowgZIxCzAJBgNVBAYTAkFUMRIwEAYDVQQI
+DAlDYXJpbnRoaWExHjAcBgNVBAcMFVN0LiBKYWtvYiBpbSBSb3NlbnRhbDE2MDQG
+A1UECgwtQXBwbGllZCBJbmZvcm1hdGljcyBTb2Z0d2FyZSBFbmdpbmVlcmluZyBH
+bWJIMRcwFQYDVQQDDA53d3cuYXBwaW5mLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMI1emXmsjDX+m3vh6QOYrtcW5YWKzVhfDoAltl7Cl12O5rh
+FfdcVvmHHmgHot/xkb2sPTTDFtm7DzA/igzjdhDJ0qTwoEpBZR/7OtjgF9uZQc8w
+e4ahADHseUpJGolbsMyE6/wbFG3bekxjIbork10ECLWNwhrNBejOWxVjKhKVXREu
+3KFglhtI0MnCfbV8EC/IT+1Ep6+GT5NrEougIre8N3Ts/fuvHuQqIVzW2DGOEpm7
+qkJ3BIhJpXRkN/MFuGgqZjCghbHoBRxXDU211GDA6g06WpF4eTMhzwEYHotZ1Jyb
+AV/HG7eHlt0chU1Lqql/4okd2rZJWClRzuZaikkCAwEAATANBgkqhkiG9w0BAQUF
+AAOCAQEALwC4hmaldmpbTa+NKmgD9AherFW4IKZsBBTbTxTBzK6UsgKkGiTZ+2Z0
+95hCv1WhgHrvQ6qjH2D9eGC9VL0VPEALm1YSDJQWMK2fVsuaTeOJ/BCVzv4f42sT
+AXPsEIT32RTscvCvf9F5wAOW5vLrWW4kYbeBOK0gN1GnCJVLivMFkYHeEgH/08wN
+OenXNYX21BqJxbsAXXvLpuCFGmCJlHA1Jach041frllWi17ECor++u64Fvd12OHM
+Lgiztyr3GEqHogpeQ87iWq6uNC+u3bmQUeJgsx911iw8h55LKuKjPAoboGb8rYY+
+7trsTkkW+vkQDr89huGV21dviCDKvA==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,0950752701CB74AF
-
-OmaLdMcP3JDy8JMX41wNH/WvMp6gLGwmqQRob633n95YxVdii0oR8fk4GgmJeYF0
-FrNm5g32vnVyqDZylX4as3GT822HhCA+f7mYpGZltQ47TG15tGTMUNuwIhHlouZs
-ZGNclelBB3FHEZAD0Fns2hZ4jZhMDj67wD0YyGcp8so/A+fxedGdwNbJSC1Auuy4
-7uRsY0ZJC1LjMHXkyBEXaL1QA4CGjBlm22Dbo8eoGXcaohsZpDsM7OU7MaQnldM0
-AK8jONZ45127JoDJD41Wgfm0m7tIErsD5CbhHPaddOjQ0OerprEkplhOR+V+ano1
-Pv4adRZOBjr00NDB43WK9x+ZHVQ5tIXxUbqYWZAfvA1PpiYego5XLUCxfy7D6Lms
-hV6CAt/fYeBrQOvwLREboKLBOe9A8quP2wi7zkR3KQHty9Tm9efF3PfQSxJTlKg9
-YJ2n/6omX1aXCjQghbnfEcl4tCmj6z2rHCSiJgEOcwDYhGRbQveYieZUH5iKMzYY
-YytHkHPfZfzhlJ0WG0AKdA6UlrjEjF09txaZR3Nj4Zf4kZAu727N81HnlFCRvDqV
-ZjHUrbE7fJuc3diffUfIHuQZuWcoYDejIbASjcJMHZOpbbPR2ZCYQqUmvg/IgAD6
-M2GDbvfvLnu1BaCrNMdOxM4j+sLNhm8qqAMxZ/wkZA9Sqhi2EifZwf5jWKNU3Vtx
-C/w621efHawDME3WTMunDtjn7Sgm3NP508cz8OgcEcZLwENu8JH5pWR0Y0+qvlPM
-DYpCu2Zh6TBLU6Cfuxl2GigHHBhm8Eza/vE6dVbpyvEozejtVKi+RYskqz8ynYtl
-r9NpDkEFcqGFLX/X7fajR4JxzxYx0Ms+CHHBlBLw44eMl1Izb9OBgfUK3a7wJ0Z1
-vEmzcVtXZMqKDvqY3wddCcbtpVZhRnAUFgT3/b5ISxQ6xxFg67YQaJ0knuRwOZCI
-xSvNsxXb6s5xt8gRx8MY8W1CVW0QSH4gUpKdJFiF/6nYq7h8F1A5QYr34uJn5pa2
-bsagCMhCUHKn/hrtTJ/4bC7n7utulXyEZJDGS38nNe5TBmAxeA+MkOAO7AEb8aDo
-RylaKT77tmeZXWBtlQGHj0bt2fPOEW3e0WUeNwk4qnKqSGdwbXGFK+yWxgGOxFDT
-4NqUjDV7lhj1r3mKEufLIqP6GxAlewpH1uLA+ty2eNfG793pytlyhNikzmkliXex
-WnBUYQM6ZBclW0nALHxxOJWZlnBCESgo9lSHMeB7adJXuwaUmqHx4u+yNzaFS6pr
-LemBEUCHfLeGFM9E9YbgNe51q5+vXZYN5MZtqyex4AqPdGEGpwXBk43RK79mP84G
-QQRAAcs6KMj1/Sl7pmg9acrxskLWljtsnvdCJ8a+VXjLDyp2wks1z2Gnw7cguZdD
-Ah4hjH8LDTsEJxOr2DNJu/V9JDPKd0uGyaW0AOanwAn7tszivGddb/WrzImCIMBa
-Lb/cqujvS9YsIK6xrq4LMxR5wE6Hol0qs6xO89Y9OpuuRxAYfRUl4nDTg0WjS5Ga
-0aoSXB0kOFkEwb3WGq+b26606RBYDKu7RsJoyWoXq42JZ1jkEYKCNeNS8hWh8GKd
+MIIEogIBAAKCAQEAwjV6ZeayMNf6be+HpA5iu1xblhYrNWF8OgCW2XsKXXY7muEV
+91xW+YceaAei3/GRvaw9NMMW2bsPMD+KDON2EMnSpPCgSkFlH/s62OAX25lBzzB7
+hqEAMex5SkkaiVuwzITr/BsUbdt6TGMhuiuTXQQItY3CGs0F6M5bFWMqEpVdES7c
+oWCWG0jQycJ9tXwQL8hP7USnr4ZPk2sSi6Ait7w3dOz9+68e5CohXNbYMY4Smbuq
+QncEiEmldGQ38wW4aCpmMKCFsegFHFcNTbXUYMDqDTpakXh5MyHPARgei1nUnJsB
+X8cbt4eW3RyFTUuqqX/iiR3atklYKVHO5lqKSQIDAQABAoIBACSx9BmS+HJQLMpe
+6vMtoKwkLE30jF9+tvlCqT4YiIHWWDbQdtURRoHJbQ5c+wJzY4VCKSJyBjxHovwL
+1WrQA7vyVnHB4ZeGObRMRPc7iGZ+07dxQrXSb/X+54AIxhHUGFjceLZe64JCaR5L
+0NCbcTGvFHIxgc6MlKRDcWReI1H1QJ9g06OvjaRYYcSIBw+s4yGfuNF7lZ0790vd
+fAXZRjSt4OHP/xLD+e1ytOmu7MAueSJ3gEXRuUcjprigBjX8OOV+Q6w229sOX82w
+sUZcPGGzN5bVd+7+aNrSgIJpkeQ8dj+Smyn4KtGN2GgJH/y80XmTlTQPXZkYFNPk
++a6/au0CgYEA5Y1+gwNaWEMiFB5NsnIgHX1XD2xoE4JZGstGHkBnW2XiA1QRdMHp
+ELNzr/kZ5ohMgqTuOl7crNsqq2b4HS8CqvxmO8TEWeA3u7HLhlIgUrjqHvlpGkfk
+6KCDn6Q48+L2FSo9ubaWufGkoMDNLpgJwqOyX1jB/+71GP2GrGJctrcCgYEA2JWK
+ntzowR+JU5vaGkNBwjpPywhDx2i+4aLvw39arpheMT2ODdnjkBgD8MBBXpZwRyU6
+NKxs5m38T2hZgHVcZ9+YuizLfHfbhJpk2Q4zRXSo5GF3Q6CAXLgCR32TWcGKv6xl
+3WhpfI0Kl+IaX2oXtRMysXFiyYxQF88o20fJxv8CgYAqyrKvx5s64uDicTe4sS+t
+b6UgGexY3q6voP8kOotJ7XcxeaV7Z36D/3/saPpcEEJ7BDXoqbBnhL+yjhJolk/g
+Agco0yhrPLIHCkDPfFXMNe5m8cWXAZn5h5qh0uJPDJslHOe+y/vTE+nFkctuCSeg
+ohVpUslvZWNJUlGdpwRzhwKBgHDD23q/NghnLQ71FGecIP7JcYYadX+7j7bXKNK2
+2jYRaulkTTP1AECj4FlXIDHpTegc/+Mw6zpGhZmqkP8LG+ORTWmRrRjPJuIxqNRC
+SnudM9pEzN3PEUY1ICqsvS18UYtebWML2/BXVu6hcG3BRTqoFjrA+FhLz9+1omYZ
+SHttAoGADTfnp6jZshOiK3l377DKLYfzgkhMXruJSlP2VtgxGEtbyb402PNYGy1Y
+uMTjbU3nEMzqglZR/34PqNO2Yj/I5aeVR4S4xaPOSSgDC1X7W9oXr4sXp5sgWQO+
+zahDICoo1R2hrvT+4ifCu+/YRCE6dx0xezVPVqPsMdCZRIfTW+Q=
 -----END RSA PRIVATE KEY-----

vendor/POCO/NetSSL_OpenSSL/testsuite/src/HTTPSClientSessionTest.cpp

@@ -371,7 +371,6 @@ void HTTPSClientSessionTest::testCachedSession()
 	HTTPSClientSession s2("127.0.0.1", srv.port(), pClientContext, pSession1);
 	HTTPRequest request2(HTTPRequest::HTTP_GET, "/small");
 	s2.sendRequest(request2);
-	Session::Ptr pSession2 = s2.sslSession();
 	HTTPResponse response2;
 	std::istream& rs2 = s2.receiveResponse(response2);
 	assertTrue (response2.getContentLength() == HTTPSTestServer::SMALL_BODY.length());
@@ -380,11 +379,8 @@ void HTTPSClientSessionTest::testCachedSession()
 	StreamCopier::copyStream(rs2, ostr2);
 	assertTrue (ostr2.str() == HTTPSTestServer::SMALL_BODY);
 
-	assertTrue (pSession1 == pSession2);
-
 	HTTPRequest request3(HTTPRequest::HTTP_GET, "/small");
 	s2.sendRequest(request3);
-	Session::Ptr pSession3 = s2.sslSession();
 	HTTPResponse response3;
 	std::istream& rs3 = s2.receiveResponse(response3);
 	assertTrue (response3.getContentLength() == HTTPSTestServer::SMALL_BODY.length());
@@ -393,14 +389,11 @@ void HTTPSClientSessionTest::testCachedSession()
 	StreamCopier::copyStream(rs3, ostr3);
 	assertTrue (ostr3.str() == HTTPSTestServer::SMALL_BODY);
 
-	assertTrue (pSession1 == pSession3);
-
 	Thread::sleep(15000); // wait for session to expire
 	pServerContext->flushSessionCache();
 
 	HTTPRequest request4(HTTPRequest::HTTP_GET, "/small");
 	s2.sendRequest(request4);
-	Session::Ptr pSession4 = s2.sslSession();
 	HTTPResponse response4;
 	std::istream& rs4 = s2.receiveResponse(response4);
 	assertTrue (response4.getContentLength() == HTTPSTestServer::SMALL_BODY.length());
@@ -408,8 +401,6 @@ void HTTPSClientSessionTest::testCachedSession()
 	std::ostringstream ostr4;
 	StreamCopier::copyStream(rs4, ostr4);
 	assertTrue (ostr4.str() == HTTPSTestServer::SMALL_BODY);
-
-	assertTrue (pSession1 != pSession4);
 }
 
 

vendor/POCO/NetSSL_OpenSSL/testsuite/src/TCPServerTest.cpp

@@ -18,6 +18,8 @@
 #include "Poco/Net/SecureStreamSocket.h"
 #include "Poco/Net/SecureServerSocket.h"
 #include "Poco/Net/Context.h"
+#include "Poco/Net/RejectCertificateHandler.h"
+#include "Poco/Net/AcceptCertificateHandler.h"
 #include "Poco/Net/Session.h"
 #include "Poco/Net/SSLManager.h"
 #include "Poco/Util/Application.h"
@@ -70,6 +72,26 @@ namespace
 			}
 		}
 	};
+
+	class NullConnection: public TCPServerConnection
+	{
+	public:
+		NullConnection(const StreamSocket& s): TCPServerConnection(s)
+		{
+		}
+
+		void run()
+		{
+			SecureStreamSocket ss = socket();
+			try
+			{
+				ss.completeHandshake();
+			}
+			catch (...)
+			{
+			}
+		}
+	};
 }
 
 
@@ -381,6 +403,50 @@ void TCPServerTest::testReuseSession()
 }
 
 
+void TCPServerTest::testContextInvalidCertificateHandler()
+{
+	SecureServerSocket svs(0);
+	TCPServer srv(new TCPServerConnectionFactoryImpl<NullConnection>(), svs);
+	srv.start();
+
+	Context::Ptr pClientContext = new Context(
+		Context::CLIENT_USE,
+		"",
+		"",
+		"",
+		Context::VERIFY_RELAXED,
+		9,
+		true,
+		"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+
+	pClientContext->setInvalidCertificateHandler(new Poco::Net::RejectCertificateHandler(false));
+
+	SocketAddress sa("127.0.0.1", svs.address().port());
+
+	try
+	{
+		SecureStreamSocket ss1(sa, pClientContext);
+		fail("must throw with RejectCertificateHandler");
+	}
+	catch (...)
+	{
+	}
+
+	pClientContext->setInvalidCertificateHandler(new Poco::Net::AcceptCertificateHandler(false));
+
+	try
+	{
+		SecureStreamSocket ss1(sa, pClientContext);
+	}
+	catch (...)
+	{
+		fail("must not throw with AcceptCertificateHandler");
+	}
+
+	srv.stop();
+}
+
+
 void TCPServerTest::setUp()
 {
 }
@@ -400,6 +466,7 @@ CppUnit::Test* TCPServerTest::suite()
 	CppUnit_addTest(pSuite, TCPServerTest, testMultiConnections);
 	CppUnit_addTest(pSuite, TCPServerTest, testReuseSocket);
 	CppUnit_addTest(pSuite, TCPServerTest, testReuseSession);
+	CppUnit_addTest(pSuite, TCPServerTest, testContextInvalidCertificateHandler);
 
 	return pSuite;
 }

vendor/POCO/NetSSL_OpenSSL/testsuite/src/TCPServerTest.h

@@ -29,6 +29,7 @@ public:
 	void testMultiConnections();
 	void testReuseSocket();
 	void testReuseSession();
+	void testContextInvalidCertificateHandler();
 
 	void setUp();
 	void tearDown();