authorNg Pheng Siong <ngps@netmemetic.com>2003-06-30 06:26:15 +0000
committerNg Pheng Siong <ngps@netmemetic.com>2003-06-30 06:26:15 +0000
commit47501fd1b52acdf1ba7efafe25d63147bb5bdc39 (patch)
tree73f60193ba28e3a597897c38e7ffb86ebad0e2c6
parent96ffc2f6e4d5d39a44c4b7a7a3fc158936e6d950 (diff)
downloadm2crypto-47501fd1b52acdf1ba7efafe25d63147bb5bdc39.tar.gz
*** empty log message ***
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@178 2715db39-9adf-0310-9c64-84f055769b4b
-rw-r--r--BUGS8
-rw-r--r--CHANGES5
-rw-r--r--INSTALL8
-rw-r--r--LICENCE2
-rw-r--r--M2Crypto/SSL/Connection.py8
-rw-r--r--M2Crypto/SSL/Context.py24
-rw-r--r--README6
-rw-r--r--SWIG/_ssl.i16
-rw-r--r--demo/Zope/ZServer/HTTPS_Server.py28
-rw-r--r--demo/Zope/ZServer/medusa/https_server.py4
-rw-r--r--demo/Zope/ca.pem36
-rw-r--r--demo/Zope/z2s.py80
-rw-r--r--demo/Zope/z2s.py.diff103
-rw-r--r--demo/https.howto/ca.pem36
-rw-r--r--demo/medusa/ca.pem36
-rw-r--r--demo/smime/ca.pem36
-rw-r--r--demo/ssl/ca.pem36
-rw-r--r--demo/ssl/echo.py23
-rw-r--r--demo/ssl/echod-async.py5
-rw-r--r--demo/ssl/echod-iterative.py3
-rw-r--r--demo/ssl/echod_lib.py12
-rw-r--r--demo/ssl/https_cli.py8
-rw-r--r--demo/ssl/https_srv.py4
-rw-r--r--setup.py6
24 files changed, 348 insertions, 185 deletions
diff --git a/BUGS b/BUGS
index 2dad3a7..fd3a961 100644
--- a/BUGS
+++ b/BUGS
@@ -1,5 +1,5 @@
-------------
- 12 May 2003
+ 29 Jun 2003
-------------
1. SSL.Connection.makefile() returns an instance of BIO.IOBuffer,
@@ -19,5 +19,9 @@ ftps_server. (Works using Python 2.1.)
5. Possible concurrency bugs in the SSL functionality as reported by Brent
Chun.
+6. demo/ssl/echod-forking.py no longer works. (Tested with Python 2.2.2.)
+I won't bother try fixing this, since forking servers are passe.
+
+
---------------------------------------------------------------------------
-$Id: BUGS,v 1.4 2003/05/11 16:20:36 ngps Exp $
+$Id: BUGS,v 1.5 2003/06/30 06:12:41 ngps Exp $
diff --git a/CHANGES b/CHANGES
index d2744d5..aebfd1d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
+ Changes since 0.11
+--------------------
+- ZServerSSL with client certificate-based authentication rides again.
+
+
Changes since 0.10
--------------------
- Dave Berkeley <dave@rotwang.freeserve.co.uk> contributed fixes to
diff --git a/INSTALL b/INSTALL
index e92c0d2..ab95cfa 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,10 +1,10 @@
==========================
- Installing M2Crypto 0.11
+ Installing M2Crypto 0.12
==========================
:Author: Ng Pheng Siong
-:Id: $Id: INSTALL,v 1.6 2003/06/22 16:28:47 ngps Exp $
-:Date: $Date: 2003/06/22 16:28:47 $
+:Id: $Id: INSTALL,v 1.7 2003/06/30 06:12:41 ngps Exp $
+:Date: $Date: 2003/06/30 06:12:41 $
:Web-Site: http://www.post1.com/home/ngps/m2
.. contents::
@@ -34,7 +34,7 @@ Preparation
http://sebsauvage.net/python/mingw.html
-2. (**This step applies to both Windows and Un\*x platforms**). Tweak
+2. **This step applies to both Windows and Un\*x platforms**: Tweak
Distutils per the above webpage. The following differs slightly from
Sebastien's instructions:
diff --git a/LICENCE b/LICENCE
index 9e56d0e..dbb1aca 100644
--- a/LICENCE
+++ b/LICENCE
@@ -1,4 +1,4 @@
-Copyright (c) 1999-2002 Ng Pheng Siong. All rights reserved.
+Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved.
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
diff --git a/M2Crypto/SSL/Connection.py b/M2Crypto/SSL/Connection.py
index 8f3e60b..fed6b73 100644
--- a/M2Crypto/SSL/Connection.py
+++ b/M2Crypto/SSL/Connection.py
@@ -2,7 +2,7 @@
Copyright (c) 1999-2002 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: Connection.py,v 1.10 2003/06/22 16:49:01 ngps Exp $'
+RCS_id='$Id: Connection.py,v 1.11 2003/06/30 06:14:34 ngps Exp $'
# Python
import socket, sys
@@ -53,6 +53,12 @@ class Connection:
def ssl_get_error(self, ret):
return m2.ssl_get_error(self.ssl, ret)
+ def set_client_CA_list_from_file(self, cafile):
+ m2.ssl_set_client_CA_list(self.ssl, cafile)
+
+ def set_client_CA_list_from_context(self):
+ m2.ssl_set_client_CA_list_from_context(self.ssl, self.ctx.ctx)
+
def setup_addr(self, addr):
self.addr = addr
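Review bot: `set_client_CA_list_from_file` calls `m2.ssl_set_client_CA_list(self.ssl, cafile)`, but the SWIG wrapper this commit adds for the per-connection case (SWIG/_ssl.i) is named `ssl_set_client_CA_list_from_file`, so this method will fail with an AttributeError on first use unless a wrapper of the shorter name exists elsewhere. The call should read `m2.ssl_set_client_CA_list_from_file(self.ssl, cafile)`, matching the name used by the Context method in the same commit. Both new methods also lack docstrings; the Context counterpart's wording ("Load CA certs ... sent to the peer during *SSLv3 certificate request*") fits here, with the addition that `set_client_CA_list_from_context` copies the list already installed on `self.ctx`. The `__init__` that sets `self.ctx` is outside this hunk, so I cannot confirm `self.ctx.ctx` is the raw SSL_CTX pointer.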
diff --git a/M2Crypto/SSL/Context.py b/M2Crypto/SSL/Context.py
index e5b4bc2..f8a818d 100644
--- a/M2Crypto/SSL/Context.py
+++ b/M2Crypto/SSL/Context.py
@@ -2,7 +2,7 @@
Copyright (c) 1999-2001 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: Context.py,v 1.5 2003/06/22 16:52:50 ngps Exp $'
+RCS_id='$Id: Context.py,v 1.6 2003/06/30 06:14:34 ngps Exp $'
# M2Crypto
import cb
@@ -89,27 +89,29 @@ class Context:
if not m2.ssl_ctx_check_privkey(self.ctx):
raise ValueError, 'public/private key mismatch'
- def load_client_ca(self, cafile):
+ def set_client_CA_list_from_file(self, cafile):
"""Load CA certs into the context. These CA certs are sent to the
peer during *SSLv3 certificate request*.
'cafile' - File object containing one or more PEM-encoded CA
certificates concatenated together.
"""
- m2.ssl_ctx_load_client_CA(self.ctx, cafile)
+ m2.ssl_ctx_set_client_CA_list_from_file(self.ctx, cafile)
- load_client_CA = load_client_ca
+ # Deprecated.
+ load_client_CA = load_client_ca = set_client_CA_list_from_file
- def load_verify_info(self, cafile):
+ def load_verify_locations(self, cafile):
"""Load CA certs into the context. These CA certs are used during
verification of the peer's certificate.
- 'cafile' - File object containing one or more PEM-encoded CA
+ 'cafile' - File containing one or more PEM-encoded CA
certificates concatenated together.
"""
return m2.ssl_ctx_load_verify_locations(self.ctx, cafile)
- load_verify_location = load_verify_info
+ # Deprecated.
+ load_verify_info = load_verify_locations
def set_session_id_ctx(self, id):
ret = m2.ssl_ctx_set_session_id_context(self.ctx, id)
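Review bot: The docstring of `set_client_CA_list_from_file` still says `'cafile' - File object containing ...`, while the wrapper it calls takes a `const char *ca_file` path (SWIG/_ssl.i in this commit) and the sibling `load_verify_locations` docstring was corrected to `'cafile' - File containing ...` in the same hunk; the first docstring should be corrected the same way. Separately, the old alias `load_verify_location` (removed line, previously `load_verify_location = load_verify_info`) is gone while `load_verify_info` survives as a deprecated alias; the z2s.py demo in this commit is updated, but external callers on the old name will now get an AttributeError. If that break is not intended, keep the chain `load_verify_location = load_verify_info = load_verify_locations` under the same `# Deprecated.` comment.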
@@ -130,8 +132,12 @@ class Context:
"""
return self.allow_unknown_ca
- def set_verify(self, mode, depth, callback=cb.ssl_verify_callback):
- m2.ssl_ctx_set_verify(self.ctx, mode, callback)
+ #def set_verify(self, mode, depth, callback=cb.ssl_verify_callback):
+ def set_verify(self, mode, depth, callback=None):
+ if callback is None:
+ m2.ssl_ctx_set_verify_default(self.ctx, mode)
+ else:
+ m2.ssl_ctx_set_verify(self.ctx, mode, callback)
m2.ssl_ctx_set_verify_depth(self.ctx, depth)
def get_verify_mode(self):
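Review bot: The commented-out previous signature `#def set_verify(self, mode, depth, callback=cb.ssl_verify_callback):` is dead code left above the new definition and should be dropped; version history already records it. The new behaviour deserves a docstring since the default changed: with `callback=None` the wrapper `ssl_ctx_set_verify_default` passes NULL to `SSL_CTX_set_verify`, so OpenSSL's built-in chain verification decides the handshake, whereas a supplied callback's return value overrides it. Something like `"""Set the peer-verification mode. 'callback' None means OpenSSL's default verification; a callable replaces it and its return value decides whether the handshake proceeds."""` would make that explicit.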
diff --git a/README b/README
index 6dc168c..3768143 100644
--- a/README
+++ b/README
@@ -1,10 +1,10 @@
===============
- M2Crypto 0.11
+ M2Crypto 0.12
===============
:Author: Ng Pheng Siong
-:Id: $Id: README,v 1.4 2003/06/22 16:28:47 ngps Exp $
-:Date: $Date: 2003/06/22 16:28:47 $
+:Id: $Id: README,v 1.5 2003/06/30 06:12:41 ngps Exp $
+:Date: $Date: 2003/06/30 06:12:41 $
:Web-Site: http://www.post1.com/home/ngps/m2
diff --git a/SWIG/_ssl.i b/SWIG/_ssl.i
index f892183..bd7748b 100644
--- a/SWIG/_ssl.i
+++ b/SWIG/_ssl.i
@@ -1,5 +1,5 @@
/* Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved. */
-/* $Id: _ssl.i,v 1.2 2003/06/22 18:26:44 ngps Exp $ */
+/* $Id: _ssl.i,v 1.3 2003/06/30 06:17:42 ngps Exp $ */
%{
#include <pythread.h>
@@ -171,10 +171,14 @@ int ssl_ctx_check_privkey(SSL_CTX *ctx) {
return ret;
}
-void ssl_ctx_load_client_CA(SSL_CTX *ctx, const char *ca_file) {
+void ssl_ctx_set_client_CA_list_from_file(SSL_CTX *ctx, const char *ca_file) {
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
}
+void ssl_ctx_set_verify_default(SSL_CTX *ctx, int mode) {
+ SSL_CTX_set_verify(ctx, mode, NULL);
+}
+
void ssl_ctx_set_verify(SSL_CTX *ctx, int mode, PyObject *pyfunc) {
Py_XDECREF(ssl_verify_cb_func);
Py_INCREF(pyfunc);
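Review bot: `ssl_ctx_set_client_CA_list_from_file` passes the result of `SSL_load_client_CA_file` straight to `SSL_CTX_set_client_CA_list` without checking it; if the file is missing, unreadable or holds no certificates, `SSL_load_client_CA_file` returns NULL and the context is silently left with no client CA list, so the server will send an empty CA name list in its certificate request and nothing on the Python side ever learns the configuration failed. The same pattern appears in `ssl_set_client_CA_list_from_file` in the next hunk of this file. The wrapper should return an int like `ssl_ctx_check_privkey` does, and the Python caller can then `raise ValueError` the way `check_private_key` does a few lines above in Context.py. The enclosing file continues outside the hunk.
```c
int ssl_ctx_set_client_CA_list_from_file(SSL_CTX *ctx, const char *ca_file) {
    STACK_OF(X509_NAME) *ca_list = SSL_load_client_CA_file(ca_file);
    if (ca_list == NULL)
        return 0;   /* unreadable or empty file: leave the context untouched */
    SSL_CTX_set_client_CA_list(ctx, ca_list);
    return 1;
}
```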
@@ -220,6 +224,14 @@ int bio_set_ssl(BIO *bio, SSL *ssl, int flag) {
return BIO_ctrl(bio, BIO_C_SET_SSL, flag, (char *)ssl);
}
+void ssl_set_client_CA_list_from_file(SSL *ssl, const char *ca_file) {
+ SSL_set_client_CA_list(ssl, SSL_load_client_CA_file(ca_file));
+}
+
+void ssl_set_client_CA_list_from_context(SSL *ssl, SSL_CTX *ctx) {
+ SSL_set_client_CA_list(ssl, SSL_CTX_get_client_CA_list(ctx));
+}
+
int ssl_set_session_id_context(SSL *ssl, PyObject *sid_ctx) {
const void *buf;
int len;
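Review bot: `ssl_set_client_CA_list_from_context` hands the pointer returned by `SSL_CTX_get_client_CA_list(ctx)` directly to `SSL_set_client_CA_list(ssl, ...)`; as far as I recall, OpenSSL's setter takes ownership of the STACK and frees it in `SSL_free`, while the context keeps its own reference and frees it in `SSL_CTX_free`, so the same list would be freed twice once both objects are released. If that reading is right the list needs to be duplicated first, `SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));`, and the duplicate should be NULL-checked like the file-loading variant above. A brief comment stating the ownership rule would help the next reader, since the two lines look harmless.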
diff --git a/demo/Zope/ZServer/HTTPS_Server.py b/demo/Zope/ZServer/HTTPS_Server.py
index 5357057..afe89b4 100644
--- a/demo/Zope/ZServer/HTTPS_Server.py
+++ b/demo/Zope/ZServer/HTTPS_Server.py
@@ -37,13 +37,12 @@ changes from Zope's HTTP server:
Well, this is a *HTTPS* server :)
X.509 certificate-based authentication -- When this is in force,
- zhttps_handler, a subclass of zhttp_handler, is installed. The
- https server is configured to _require_ an X.509 certificate
- from the client. When the request reaches zhttps_handler, it pulls
- the client's distinguished name (DN) from the certificate, maps
- that to a Zope user name and sets REMOTE_USER accordingly; if a
- mapping does not exist, REMOTE_USER is not set. Zope's REMOTE_USER
- machinery takes care of the rest.
+ zhttps_handler, a subclass of zhttp_handler, is installed. The
+ https server is configured to _require_ an X.509 certificate from
+ the client. When the request reaches zhttps_handler, it sets
+ REMOTE_USER to the client's subject distinguished name (DN) from
+ the certificate. Zope's REMOTE_USER machinery takes care of the
+ rest, e.g., in conjunction with the RemoteUserFolder product.
"""
@@ -60,25 +59,22 @@ from medusa.https_server import https_server, https_channel
from medusa.asyncore import dispatcher
-ZSERVER_SSL_VERSION='0.11'
-
+ZSERVER_SSL_VERSION='0.12'
register_subsystem('ZServer HTTPS_Server')
+
class zhttps_handler(zhttp_handler):
"zhttps handler - sets REMOTE_USER to user's X.509 certificate Subject DN"
- def __init__ (self, module, x509_zope_map, uri_base=None, env=None):
+ def __init__ (self, module, uri_base=None, env=None):
zhttp_handler.__init__(self, module, uri_base, env)
- self.x509_zope = x509_zope_map
def get_environment(self, request):
env = zhttp_handler.get_environment(self, request)
- peer = request.channel.get_peer_cert().get_subject()
- try:
- env['REMOTE_USER'] = self.x509_zope[str(peer)]
- except KeyError:
- pass
+ peer = request.channel.get_peer_cert()
+ if peer is not None:
+ env['REMOTE_USER'] = str(peer.get_subject())
return env
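Review bot: `get_environment` now makes the client certificate's subject DN the authenticated identity (`env['REMOTE_USER'] = str(peer.get_subject())`) without any check of the verification result, so it is only safe when the channel's SSL context was built with `SSL.verify_peer|SSL.verify_fail_if_no_peer_cert` against a trusted CA, as z2s.py does in this commit; installed on a context using `verify_none`, any client-presented certificate would become a valid REMOTE_USER. That precondition should be stated where the code is, e.g. `# Trusts the cert only because the HTTPS context requires and verifies client certs (verify_peer|verify_fail_if_no_peer_cert); never install this handler on a verify_none context.` The `peer is not None` guard is good, but the class docstring still says a certificate is "_require_d", so reaching the None branch would indicate a misconfigured context and is worth a log line rather than silent fall-through. The class header is inside the hunk but `zhttp_handler.get_environment` is not, so I cannot tell whether `env` can already carry a REMOTE_USER that this branch should clear.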
diff --git a/demo/Zope/ZServer/medusa/https_server.py b/demo/Zope/ZServer/medusa/https_server.py
index c5d16f5..45dd810 100644
--- a/demo/Zope/ZServer/medusa/https_server.py
+++ b/demo/Zope/ZServer/medusa/https_server.py
@@ -4,12 +4,12 @@
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: https_server.py,v 1.5 2003/06/22 17:09:43 ngps Exp $'
+RCS_id='$Id: https_server.py,v 1.6 2003/06/30 06:22:00 ngps Exp $'
import asynchat, asyncore, http_server, socket, sys
from M2Crypto import SSL
-VERSION_STRING='0.11'
+VERSION_STRING='0.12'
class https_channel(http_server.http_channel):
diff --git a/demo/Zope/ca.pem b/demo/Zope/ca.pem
index 11d28fc..b7c84a1 100644
--- a/demo/Zope/ca.pem
+++ b/demo/Zope/ca.pem
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER
-MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD
-ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n
-cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL
-MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0
-byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ
-KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq
-TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL
-+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB
-1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU
-+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
-EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
-cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
-MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z
-g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW
-W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9
-WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg==
+MIIDWTCCAsKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCU0cx
+ETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UE
+AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMSIwIAYJKoZIhvcNAQkBFhNu
+Z3BzQG5ldG1lbWV0aWMuY29tMB4XDTAxMTIxNTA1NTU0NloXDTA0MTIxNDA1NTU0
+NlowgYAxCzAJBgNVBAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxML
+TTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3Rl
+cjEiMCAGCSqGSIb3DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbTCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAx8soJbS719LHK62VVVIQeC3oW0HvFArwPnA0LuEK
+q+LaqMOJg1rS7hvFdX03diV+XJw7cC0iECZYJNG4ii1xbY6KRmufkInaAwm54E3N
+e+YYVocaqUkcN6xVf6fwnLfPXbpFS/K2Umg11ObKMmi80JmiIdjcjRRCQZC7g1hf
+q+kCAwEAAaOB4DCB3TAdBgNVHQ4EFgQU6/qcBzEtQphfXLhiOHbt2KqBwMIwga0G
+A1UdIwSBpTCBooAU6/qcBzEtQphfXLhiOHbt2KqBwMKhgYakgYMwgYAxCzAJBgNV
+BAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0Ex
+JDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3RlcjEiMCAGCSqGSIb3
+DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBBAUAA4GBAD+I14GuS5vJmyv1k7mUMbAicsWRHZ+zrGOq9L/L2LsA+lKQ
+dAzEZE2+Zv8LBPJVltbJJhcFNJS/ZMAjEm4xlJuCpvXVMxd/M5AM29aqekWlIK7J
+vsdDL8IuzpRkMniUiNKPhmB6IPIOslvUKx6QofcE0wDh6pg4VvIbCjkpZ7gf
-----END CERTIFICATE-----
diff --git a/demo/Zope/z2s.py b/demo/Zope/z2s.py
index b440eb3..9937186 100644
--- a/demo/Zope/z2s.py
+++ b/demo/Zope/z2s.py
@@ -143,6 +143,11 @@ Options:
Multiple -Y options can be provided to run multiple servers.
+ -x
+
+ If present, this option causes Zope to run in X.509 certificate-based
+ authentication mode.
+
-C
--force-http-connection-close
@@ -332,6 +337,9 @@ WEBDAV_SOURCE_PORT=[]
# standard port for this handler, which is disabled by default.
WEBDAV_SSL_SOURCE_PORT=[]
+# Should we use client X.509 certificate-based authentication?
+X509_REMOTE_USER=None
+
## FTP configuration
# Port for the FTP Server. The standard port for FTP services is 21.
@@ -421,7 +429,7 @@ try:
opts, args = getopt.getopt(sys.argv[1:],
- 'hz:Z:t:i:a:d:u:w:W:y:Y:f:p:m:Sl:2DP:rF:L:XM:C',
+ 'hz:Z:t:i:a:d:u:w:W:y:Y:x:f:p:m:Sl:2DP:rF:L:XM:C',
['icp=', 'force-http-connection-close'
])
@@ -486,6 +494,11 @@ try:
WEBDAV_SOURCE_PORT=server_info(WEBDAV_SOURCE_PORT, v)
elif o=='-Y':
WEBDAV_SSL_SOURCE_PORT=server_info(WEBDAV_SSL_SOURCE_PORT, v)
+ elif o=='-x':
+ if v in ('-', '0', ''):
+ X509_REMOTE_USER=None
+ else:
+ X509_REMOTE_USER=1
elif o=='-f':
FTP_PORT=server_info(FTP_PORT, v)
elif o=='-P':
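Review bot: The `-x` option is declared in the getopt spec as `'x:'` (earlier hunk, `'hz:Z:t:i:a:d:u:w:W:y:Y:x:f:...'`), so it requires an argument, but the usage text added in the first hunk says "If present, this option causes Zope to run in X.509 ... mode", and a bare `-x` will make getopt raise. Either make it a plain flag, `'...y:Y:xf:...'` with `elif o=='-x': X509_REMOTE_USER=1`, or document the accepted values (`-`, `0` and empty disable it; anything else enables it) in the usage text. Also note `X509_REMOTE_USER` is toggled between `None` and `1`; `0` for the off state would read more naturally next to the other flags in this script.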
@@ -651,6 +664,49 @@ try:
## ZServer startup
##
+ ## In X509_REMOTE_USER mode, we log the client cert's subject DN.
+ if X509_REMOTE_USER:
+
+ import base64, string, time
+
+ def log (self, bytes):
+ user_agent=self.get_header('user-agent')
+ if not user_agent: user_agent=''
+ referer=self.get_header('referer')
+ if not referer: referer=''
+
+ get_peer_cert = getattr(self.channel, 'get_peer_cert', None)
+ if get_peer_cert is not None:
+ name = str(get_peer_cert().get_subject())
+ else:
+ name = 'Anonymous'
+ auth=self.get_header('Authorization')
+ if auth is not None:
+ if string.lower(auth[:6]) == 'basic ':
+ try: decoded=base64.decodestring(auth[6:])
+ except base64.binascii.Error: decoded=''
+ t = string.split(decoded, ':', 1)
+ if len(t) < 2:
+ name = 'Unknown (bad auth string)'
+ else:
+ name = t[0]
+
+ self.channel.server.logger.log (
+ self.channel.addr[0],
+ ' - %s [%s] "%s" %d %d "%s" "%s"\n' % (
+ name,
+ self.log_date_string (time.time()),
+ self.request,
+ self.reply_code,
+ bytes,
+ referer,
+ user_agent
+ )
+ )
+
+ from ZServer.medusa import http_server
+ http_server.http_request.log = log
+
# Resolver and Logger, used by other servers
if DNS_IP:
rs = resolver.caching_resolver(DNS_IP)
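Review bot: The replacement `log` method calls `get_peer_cert().get_subject()` unconditionally once the channel has a `get_peer_cert` attribute, but `get_peer_cert` can return None (HTTPS_Server.py's `get_environment` in this same commit guards for exactly that), which would turn every such request's log call into an AttributeError. It also lets a client-supplied `Authorization: Basic` header overwrite the certificate identity in the log line, so in X509_REMOTE_USER mode the access log can record an unauthenticated, attacker-chosen user name instead of the principal that REMOTE_USER was actually set from; the Basic-auth fallback should only run when no certificate name was obtained. Since the name and headers are written into the log unescaped, a one-line `# NOTE: name/referer/user_agent are client-controlled and written verbatim` would flag the obvious log-forging risk for whoever consumes these files. This `log` body is nested inside the `if X509_REMOTE_USER:` block whose surroundings run outside the hunk.
```python
    get_peer_cert = getattr(self.channel, 'get_peer_cert', None)
    peer = None
    if get_peer_cert is not None:
        peer = get_peer_cert()
    if peer is not None:
        name = str(peer.get_subject())
    else:
        name = 'Anonymous'
        auth = self.get_header('Authorization')
        # … unchanged: Basic-auth decoding, only reached when no client cert …
    # … unchanged: logger.log call …
```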
@@ -722,12 +778,17 @@ try:
# HTTPS Server
if HTTPS_PORT:
ssl_ctx = SSL.Context('sslv23')
- ssl_ctx.load_cert('%s/server.pem' % INSTANCE_HOME)
- ssl_ctx.load_verify_location('%s/ca.pem' % INSTANCE_HOME)
+ ssl_ctx.load_cert_chain('%s/server.pem' % INSTANCE_HOME)
+ ssl_ctx.load_verify_locations('%s/ca.pem' % INSTANCE_HOME)
ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME)
- ssl_ctx.set_verify(SSL.verify_none, 10)
+ #ssl_ctx.set_allow_unknown_ca(1)
ssl_ctx.set_session_id_ctx(MODULE)
ssl_ctx.set_tmp_dh('%s/dh1024.pem' % INSTANCE_HOME)
+ if X509_REMOTE_USER:
+ ssl_ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 10)
+ #ssl_ctx.set_verify(SSL.verify_peer, 10)
+ else:
+ ssl_ctx.set_verify(SSL.verify_none, 10)
if type(HTTPS_PORT) is type(0): HTTPS_PORT=((IP_ADDRESS, HTTPS_PORT),)
for address, port in HTTPS_PORT:
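Review bot: `ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME)` uses the alias that Context.py marks `# Deprecated.` in this very commit, while echod_lib.py is switched to `set_client_CA_list_from_file`; the demo should use the new name here and in the WEBDAV_SSL_SOURCE_PORT block two hunks down. The two commented-out lines, `#ssl_ctx.set_allow_unknown_ca(1)` and `#ssl_ctx.set_verify(SSL.verify_peer, 10)`, read as leftover experiments and either deserve a comment saying why they are the wrong choice for a REMOTE_USER deployment (an unknown CA or an optional cert would defeat the authentication) or should be removed. The verify-mode selection itself is correct: certificate-based REMOTE_USER only works with `verify_peer|verify_fail_if_no_peer_cert`.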
@@ -743,8 +804,11 @@ try:
except KeyError:
pass
HTTPS_ENV['HTTPS']='ON'
-
- zsh = zhttp_handler(MODULE, '', HTTPS_ENV)
+
+ if X509_REMOTE_USER:
+ zsh = zhttps_handler(MODULE, '', HTTPS_ENV)
+ else:
+ zsh = zhttp_handler(MODULE, '', HTTPS_ENV)
hss.install_handler(zsh)
# WebDAV source Server (runs HTTP, but munges request to return
@@ -794,8 +858,8 @@ try:
# 'manage_FTPget').
if WEBDAV_SSL_SOURCE_PORT:
ssl_ctx = SSL.Context('sslv23')
- ssl_ctx.load_cert('%s/server.pem' % INSTANCE_HOME)
- ssl_ctx.load_verify_location('%s/ca.pem' % INSTANCE_HOME)
+ ssl_ctx.load_cert_chain('%s/server.pem' % INSTANCE_HOME)
+ ssl_ctx.load_verify_locations('%s/ca.pem' % INSTANCE_HOME)
ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME)
ssl_ctx.set_verify(SSL.verify_none, 10)
ssl_ctx.set_session_id_ctx(MODULE)
diff --git a/demo/Zope/z2s.py.diff b/demo/Zope/z2s.py.diff
index 587e146..afb222d 100644
--- a/demo/Zope/z2s.py.diff
+++ b/demo/Zope/z2s.py.diff
@@ -1,5 +1,5 @@
--- /usr/local/home/ngps/pkg/zope261/z2.py Thu Jan 30 22:41:42 2003
-+++ z2s.py Sat Jun 21 23:46:07 2003
++++ z2s.py Mon Jun 30 13:37:51 2003
@@ -105,9 +105,21 @@
Multiple -w options can be provided to run multiple servers.
@@ -23,7 +23,7 @@
"WebDAV source" is disabled. The default is disabled. Note that
this feature is a workaround for the lack of "source-link" support
in standard WebDAV clients.
-@@ -118,6 +130,19 @@
+@@ -118,6 +130,24 @@
Multiple -W options can be provided to run multiple servers.
@@ -40,10 +40,15 @@
+
+ Multiple -Y options can be provided to run multiple servers.
+
++ -x
++
++ If present, this option causes Zope to run in X.509 certificate-based
++ authentication mode.
++
-C
--force-http-connection-close
-@@ -286,9 +311,15 @@
+@@ -286,9 +316,15 @@
# Port for HTTP Server. The standard port for HTTP services is 80.
HTTP_PORT=8080
@@ -59,7 +64,7 @@
# Should we close all HTTP connections, ignoring the (usually absent)
# 'Connection:' header?
FORCE_HTTP_CONNECTION_CLOSE=0
-@@ -297,6 +328,10 @@
+@@ -297,6 +333,13 @@
# standard port for this handler, which is disabled by default.
WEBDAV_SOURCE_PORT=[]
@@ -67,19 +72,22 @@
+# standard port for this handler, which is disabled by default.
+WEBDAV_SSL_SOURCE_PORT=[]
+
++# Should we use client X.509 certificate-based authentication?
++X509_REMOTE_USER=None
++
## FTP configuration
# Port for the FTP Server. The standard port for FTP services is 21.
-@@ -386,7 +421,7 @@
+@@ -386,7 +429,7 @@
opts, args = getopt.getopt(sys.argv[1:],
- 'hz:Z:t:i:a:d:u:w:W:f:p:m:Sl:2DP:rF:L:XM:C',
-+ 'hz:Z:t:i:a:d:u:w:W:y:Y:f:p:m:Sl:2DP:rF:L:XM:C',
++ 'hz:Z:t:i:a:d:u:w:W:y:Y:x:f:p:m:Sl:2DP:rF:L:XM:C',
['icp=', 'force-http-connection-close'
])
-@@ -443,10 +478,14 @@
+@@ -443,10 +486,19 @@
MONITOR_PORT=server_info(MONITOR_PORT, v)
elif o=='-w':
HTTP_PORT=server_info(HTTP_PORT, v)
@@ -91,10 +99,15 @@
WEBDAV_SOURCE_PORT=server_info(WEBDAV_SOURCE_PORT, v)
+ elif o=='-Y':
+ WEBDAV_SSL_SOURCE_PORT=server_info(WEBDAV_SSL_SOURCE_PORT, v)
++ elif o=='-x':
++ if v in ('-', '0', ''):
++ X509_REMOTE_USER=None
++ else:
++ X509_REMOTE_USER=1
elif o=='-f':
FTP_PORT=server_info(FTP_PORT, v)
elif o=='-P':
-@@ -601,11 +640,14 @@
+@@ -601,14 +653,60 @@
from ZServer import resolver, logger, asyncore
from ZServer import zhttp_server, zhttp_handler
@@ -109,7 +122,53 @@
## ZServer startup
##
-@@ -668,11 +710,43 @@
++ ## In X509_REMOTE_USER mode, we log the client cert's subject DN.
++ if X509_REMOTE_USER:
++
++ import base64, string, time
++
++ def log (self, bytes):
++ user_agent=self.get_header('user-agent')
++ if not user_agent: user_agent=''
++ referer=self.get_header('referer')
++ if not referer: referer=''
++
++ get_peer_cert = getattr(self.channel, 'get_peer_cert', None)
++ if get_peer_cert is not None:
++ name = str(get_peer_cert().get_subject())
++ else:
++ name = 'Anonymous'
++ auth=self.get_header('Authorization')
++ if auth is not None:
++ if string.lower(auth[:6]) == 'basic ':
++ try: decoded=base64.decodestring(auth[6:])
++ except base64.binascii.Error: decoded=''
++ t = string.split(decoded, ':', 1)
++ if len(t) < 2:
++ name = 'Unknown (bad auth string)'
++ else:
++ name = t[0]
++
++ self.channel.server.logger.log (
++ self.channel.addr[0],
++ ' - %s [%s] "%s" %d %d "%s" "%s"\n' % (
++ name,
++ self.log_date_string (time.time()),
++ self.request,
++ self.reply_code,
++ bytes,
++ referer,
++ user_agent
++ )
++ )
++
++ from ZServer.medusa import http_server
++ http_server.http_request.log = log
++
+ # Resolver and Logger, used by other servers
+ if DNS_IP:
+ rs = resolver.caching_resolver(DNS_IP)
+@@ -668,11 +766,51 @@
# from another web server to ZServer, and would like the CGI
# environment to reflect the CGI environment of the other web
# server.
@@ -125,12 +184,17 @@
+ # HTTPS Server
+ if HTTPS_PORT:
+ ssl_ctx = SSL.Context('sslv23')
-+ ssl_ctx.load_cert('%s/server.pem' % INSTANCE_HOME)
-+ ssl_ctx.load_verify_location('%s/ca.pem' % INSTANCE_HOME)
++ ssl_ctx.load_cert_chain('%s/server.pem' % INSTANCE_HOME)
++ ssl_ctx.load_verify_locations('%s/ca.pem' % INSTANCE_HOME)
+ ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME)
-+ ssl_ctx.set_verify(SSL.verify_none, 10)
++ #ssl_ctx.set_allow_unknown_ca(1)
+ ssl_ctx.set_session_id_ctx(MODULE)
+ ssl_ctx.set_tmp_dh('%s/dh1024.pem' % INSTANCE_HOME)
++ if X509_REMOTE_USER:
++ ssl_ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 10)
++ #ssl_ctx.set_verify(SSL.verify_peer, 10)
++ else:
++ ssl_ctx.set_verify(SSL.verify_none, 10)
+ if type(HTTPS_PORT) is type(0): HTTPS_PORT=((IP_ADDRESS, HTTPS_PORT),)
+
+ for address, port in HTTPS_PORT:
@@ -146,14 +210,17 @@
+ except KeyError:
+ pass
+ HTTPS_ENV['HTTPS']='ON'
-+
-+ zsh = zhttp_handler(MODULE, '', HTTPS_ENV)
++
++ if X509_REMOTE_USER:
++ zsh = zhttps_handler(MODULE, '', HTTPS_ENV)
++ else:
++ zsh = zhttp_handler(MODULE, '', HTTPS_ENV)
+ hss.install_handler(zsh)
+
# WebDAV source Server (runs HTTP, but munges request to return
# 'manage_FTPget').
if WEBDAV_SOURCE_PORT:
-@@ -716,6 +790,34 @@
+@@ -716,6 +854,34 @@
else:
sys.WEBDAV_SOURCE_PORT_CLIENTS = None
@@ -161,8 +228,8 @@
+ # 'manage_FTPget').
+ if WEBDAV_SSL_SOURCE_PORT:
+ ssl_ctx = SSL.Context('sslv23')
-+ ssl_ctx.load_cert('%s/server.pem' % INSTANCE_HOME)
-+ ssl_ctx.load_verify_location('%s/ca.pem' % INSTANCE_HOME)
++ ssl_ctx.load_cert_chain('%s/server.pem' % INSTANCE_HOME)
++ ssl_ctx.load_verify_locations('%s/ca.pem' % INSTANCE_HOME)
+ ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME)
+ ssl_ctx.set_verify(SSL.verify_none, 10)
+ ssl_ctx.set_session_id_ctx(MODULE)
@@ -188,7 +255,7 @@
# FTP Server
if FTP_PORT:
-@@ -906,6 +1008,8 @@
+@@ -906,6 +1072,8 @@
sys.exit(0)
# Start Medusa, Ye Hass!
diff --git a/demo/https.howto/ca.pem b/demo/https.howto/ca.pem
index 11d28fc..b7c84a1 100644
--- a/demo/https.howto/ca.pem
+++ b/demo/https.howto/ca.pem
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER
-MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD
-ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n
-cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL
-MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0
-byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ
-KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq
-TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL
-+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB
-1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU
-+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
-EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
-cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
-MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z
-g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW
-W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9
-WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg==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-----END CERTIFICATE-----
diff --git a/demo/medusa/ca.pem b/demo/medusa/ca.pem
index 11d28fc..b7c84a1 100644
--- a/demo/medusa/ca.pem
+++ b/demo/medusa/ca.pem
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER
-MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD
-ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n
-cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL
-MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0
-byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ
-KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq
-TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL
-+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB
-1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU
-+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
-EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
-cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
-MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z
-g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW
-W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9
-WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg==
+MIIDWTCCAsKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCU0cx
+ETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UE
+AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMSIwIAYJKoZIhvcNAQkBFhNu
+Z3BzQG5ldG1lbWV0aWMuY29tMB4XDTAxMTIxNTA1NTU0NloXDTA0MTIxNDA1NTU0
+NlowgYAxCzAJBgNVBAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxML
+TTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3Rl
+cjEiMCAGCSqGSIb3DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbTCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAx8soJbS719LHK62VVVIQeC3oW0HvFArwPnA0LuEK
+q+LaqMOJg1rS7hvFdX03diV+XJw7cC0iECZYJNG4ii1xbY6KRmufkInaAwm54E3N
+e+YYVocaqUkcN6xVf6fwnLfPXbpFS/K2Umg11ObKMmi80JmiIdjcjRRCQZC7g1hf
+q+kCAwEAAaOB4DCB3TAdBgNVHQ4EFgQU6/qcBzEtQphfXLhiOHbt2KqBwMIwga0G
+A1UdIwSBpTCBooAU6/qcBzEtQphfXLhiOHbt2KqBwMKhgYakgYMwgYAxCzAJBgNV
+BAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0Ex
+JDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3RlcjEiMCAGCSqGSIb3
+DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBBAUAA4GBAD+I14GuS5vJmyv1k7mUMbAicsWRHZ+zrGOq9L/L2LsA+lKQ
+dAzEZE2+Zv8LBPJVltbJJhcFNJS/ZMAjEm4xlJuCpvXVMxd/M5AM29aqekWlIK7J
+vsdDL8IuzpRkMniUiNKPhmB6IPIOslvUKx6QofcE0wDh6pg4VvIbCjkpZ7gf
-----END CERTIFICATE-----
diff --git a/demo/smime/ca.pem b/demo/smime/ca.pem
index 11d28fc..b7c84a1 100644
--- a/demo/smime/ca.pem
+++ b/demo/smime/ca.pem
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER
-MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD
-ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n
-cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL
-MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0
-byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ
-KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq
-TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL
-+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB
-1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU
-+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
-EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
-cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
-MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z
-g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW
-W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9
-WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg==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-----END CERTIFICATE-----
diff --git a/demo/ssl/ca.pem b/demo/ssl/ca.pem
index 11d28fc..b7c84a1 100644
--- a/demo/ssl/ca.pem
+++ b/demo/ssl/ca.pem
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER
-MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD
-ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n
-cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL
-MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0
-byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ
-KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq
-TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL
-+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB
-1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU
-+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
-EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
-cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
-MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z
-g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW
-W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9
-WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg==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-----END CERTIFICATE-----
diff --git a/demo/ssl/echo.py b/demo/ssl/echo.py
index 776c520..e50d5ff 100644
--- a/demo/ssl/echo.py
+++ b/demo/ssl/echo.py
@@ -4,7 +4,7 @@
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: echo.py,v 1.3 2002/12/23 04:37:05 ngps Exp $'
+RCS_id='$Id: echo.py,v 1.4 2003/06/30 06:25:19 ngps Exp $'
import getopt, sys
from socket import gethostname
@@ -23,10 +23,11 @@ for opt in optlist:
Rand.load_file('../randpool.dat', -1)
ctx = SSL.Context('sslv3')
-ctx.load_cert('client.pem')
-ctx.load_verify_info('ca.pem')
-ctx.load_client_ca('ca.pem')
-ctx.set_verify(SSL.verify_none, 10)
+ctx.load_cert_chain('client.pem')
+#ctx.set_verify(SSL.verify_none, 10)
+ctx.set_verify(SSL.verify_peer, 10, SSL.cb.ssl_verify_callback)
+ctx.load_verify_locations('ca.pem')
+#ctx.set_allow_unknown_ca(1)
ctx.set_info_callback()
s = SSL.Connection(ctx)
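Review bot: The explicit `get_verify_result()` check in the next hunk of this file is commented out with the remark that it "Depends on ctx.set_verify() above", but whether a bad server chain actually aborts the handshake now depends on what `SSL.cb.ssl_verify_callback` returns, which is not visible in this diff; if the callback returns 1 for errors it tolerates, the client proceeds and prints the peer's subject as if verified. A short comment at the `set_verify` line stating the intended contract, e.g. `# verify_peer: the handshake fails on an untrusted server chain, so no separate get_verify_result() check is needed (the callback must not override errors)`, would make the demo's security assumption explicit. The two dead lines `#ctx.set_verify(SSL.verify_none, 10)` and `#ctx.set_allow_unknown_ca(1)` should be dropped or explained, since a demo is read as a template.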
@@ -34,17 +35,17 @@ s.connect((host, port))
print 'Host =', gethostname()
print 'Cipher =', s.get_cipher().name()
-v = s.get_verify_result()
-if v != X509.V_OK:
- s.close()
- raise SystemExit, 'Server verification failed'
+## 2003-06-28, ngps: Depends on ctx.set_verify() above, RTFM for details.
+## v = s.get_verify_result()
+## if v != X509.V_OK:
+## s.close()
+## raise SystemExit, 'Server verification failed'
peer = s.get_peer_cert()
-print 'Server =', peer.get_subject().CN
+print 'Server =', str(peer.get_subject())
while 1:
data = s.recv()
- print 'XXX:', `data`
if not data:
break
sys.stdout.write(data)
diff --git a/demo/ssl/echod-async.py b/demo/ssl/echod-async.py
index fbeb87b..8218734 100644
--- a/demo/ssl/echod-async.py
+++ b/demo/ssl/echod-async.py
@@ -4,7 +4,7 @@
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: echod-async.py,v 1.5 2002/12/23 04:37:27 ngps Exp $'
+RCS_id='$Id: echod-async.py,v 1.6 2003/06/30 06:25:19 ngps Exp $'
import asyncore, errno, socket, time
from M2Crypto import Rand, SSL
@@ -105,7 +105,8 @@ class ssl_echo_server(SSL.ssl_dispatcher):
if __name__=='__main__':
Rand.load_file('../randpool.dat', -1)
ctx = echod_lib.init_context('sslv23', 'server.pem', 'ca.pem', \
- SSL.verify_peer | SSL.verify_fail_if_no_peer_cert)
+ #SSL.verify_peer | SSL.verify_fail_if_no_peer_cert)
+ SSL.verify_none)
ctx.set_tmp_dh('dh1024.pem')
ssl_echo_server('', 9999, ctx)
asyncore.loop()
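Review bot: `SSL.verify_none` on the new line means this server no longer requests a client certificate, while echod-iterative.py (next hunk, at `SSL.verify_peer | SSL.verify_fail_if_no_peer_cert`) keeps mandatory client authentication with only a commented-out `#SSL.verify_none)` alternative, so the two demos that share `echod_lib.init_context` now run opposite policies without saying why. A one-line comment would make the toggle deliberate: `# verify_none: accept anonymous clients; restore the line above to require client certs`. If the intent is that both demos accept anonymous clients for testing, echod-iterative.py should take the same value rather than a commented hint.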
diff --git a/demo/ssl/echod-iterative.py b/demo/ssl/echod-iterative.py
index 6d8fc37..4c6822d 100644
--- a/demo/ssl/echod-iterative.py
+++ b/demo/ssl/echod-iterative.py
@@ -4,7 +4,7 @@
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: echod-iterative.py,v 1.6 2002/12/23 04:38:06 ngps Exp $'
+RCS_id='$Id: echod-iterative.py,v 1.7 2003/06/30 06:25:19 ngps Exp $'
from M2Crypto import Rand, SSL
import echod_lib
@@ -17,6 +17,7 @@ if __name__=='__main__':
Rand.load_file('../randpool.dat', -1)
ctx=echod_lib.init_context('sslv23', 'server.pem', 'ca.pem', \
SSL.verify_peer | SSL.verify_fail_if_no_peer_cert)
+ #SSL.verify_none)
ctx.set_tmp_dh('dh1024.pem')
s=SSL.SSLServer(('', 9999), ssl_echo_handler, ctx)
s.serve_forever()
diff --git a/demo/ssl/echod_lib.py b/demo/ssl/echod_lib.py
index 5b13706..0fa654e 100644
--- a/demo/ssl/echod_lib.py
+++ b/demo/ssl/echod_lib.py
@@ -2,18 +2,18 @@
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: echod_lib.py,v 1.5 2002/12/23 04:39:22 ngps Exp $'
+RCS_id='$Id: echod_lib.py,v 1.6 2003/06/30 06:25:19 ngps Exp $'
import SocketServer
from M2Crypto import SSL
def init_context(protocol, certfile, cafile, verify, verify_depth=10):
ctx = SSL.Context(protocol)
- ctx.load_cert(certfile)
- ctx.load_client_ca(cafile)
- ctx.load_verify_info(cafile)
+ ctx.load_cert_chain(certfile)
+ ctx.load_verify_locations(cafile)
+ ctx.set_client_CA_list_from_file(cafile)
ctx.set_verify(verify, verify_depth)
- ctx.set_allow_unknown_ca(1)
+ #ctx.set_allow_unknown_ca(1)
ctx.set_session_id_ctx('echod')
ctx.set_info_callback()
return ctx
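Review bot: `init_context` is the helper both echo servers call to fix their trust policy, yet it has no docstring, and after this change the roles of its arguments are less obvious from the calls: `certfile` goes to `load_cert_chain`, `cafile` serves both as the trust store (`load_verify_locations`) and as the CA-name list advertised to clients (`set_client_CA_list_from_file`), and `verify` is the flag combination handed to `set_verify` with `verify_depth` as the chain limit. A docstring stating those roles, and noting that by OpenSSL's flag semantics `verify_peer` without `verify_fail_if_no_peer_cert` still admits a client that presents no certificate, would help callers choose the flags. Commenting out `set_allow_unknown_ca(1)` is the right direction since it stops certificates from issuers outside `cafile` being accepted; a comment such as `# allow_unknown_ca stays off: only issuers in cafile are trusted` would mark it as intentional rather than a disabled line.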
@@ -28,9 +28,7 @@ class ssl_echo_handler(SocketServer.BaseRequestHandler):
if peer is not None:
print 'Client CA =', peer.get_issuer().O
print 'Client Subject =', peer.get_subject().CN
- print 'XXX'
x = self.request.write(self.buffer)
- print 'YYY:', x
while 1:
try:
buf = self.request.read()
diff --git a/demo/ssl/https_cli.py b/demo/ssl/https_cli.py
index ee870b0..9970372 100644
--- a/demo/ssl/https_cli.py
+++ b/demo/ssl/https_cli.py
@@ -4,7 +4,7 @@
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: https_cli.py,v 1.6 2003/06/22 17:18:25 ngps Exp $'
+RCS_id='$Id: https_cli.py,v 1.7 2003/06/30 06:25:44 ngps Exp $'
import sys
from M2Crypto import Rand, SSL, httpslib, threading
@@ -33,8 +33,10 @@ if sys.version[:3] == '1.5':
elif sys.version[0] == '2':
def test_httpslib():
- ctx = SSL.Context('sslv2')
- #ctx.load_cert('client.pem')
+ ctx = SSL.Context('sslv23')
+ ctx.load_cert_chain('client.pem')
+ ctx.load_verify_locations('ca.pem')
+ ctx.set_verify(SSL.verify_peer, 10)
ctx.set_info_callback()
h = httpslib.HTTPSConnection('127.0.0.1', 9443, ssl_context=ctx)
h.set_debuglevel(1)
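Review bot: The client still connects to port 9443 at `h = httpslib.HTTPSConnection('127.0.0.1', 9443, ssl_context=ctx)` while the same commit moves demo/ssl/https_srv.py to `httpsd = HTTPS_Server(('', 19443), HTTP_Handler, ctx)` (last hunk of that file below), so running the two demos together will fail to connect unless this client is meant for a different server. If they are a pair, the port here should become `19443`. Separately, `ctx.set_verify(SSL.verify_peer, 10)` validates the server's chain against ca.pem but nothing checks that the certificate was issued for the host; with a literal `127.0.0.1` target that may be acceptable for a demo, but a comment saying so would stop the snippet being copied as-is. `test_httpslib` continues past the end of the hunk.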
diff --git a/demo/ssl/https_srv.py b/demo/ssl/https_srv.py
index a2e8b73..8297527 100644
--- a/demo/ssl/https_srv.py
+++ b/demo/ssl/https_srv.py
@@ -15,7 +15,7 @@ TODO:
Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved.
"""
-RCS_id = '$Id: https_srv.py,v 1.2 2002/12/23 04:41:31 ngps Exp $'
+RCS_id = '$Id: https_srv.py,v 1.3 2003/06/30 06:26:15 ngps Exp $'
import os, sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
@@ -142,7 +142,7 @@ if __name__ == '__main__':
#SSL.verify_peer | SSL.verify_fail_if_no_peer_cert)
ctx.set_tmp_dh('dh1024.pem')
os.chdir(wdir)
- httpsd = HTTPS_Server(('', 9443), HTTP_Handler, ctx)
+ httpsd = HTTPS_Server(('', 19443), HTTP_Handler, ctx)
httpsd.serve_forever()
Rand.save_file('../randpool.dat')
diff --git a/setup.py b/setup.py
index 6d376bf..a4b3cdf 100644
--- a/setup.py
+++ b/setup.py
@@ -6,7 +6,7 @@ Distutils installer for M2Crypto.
Copyright (c) 1999-2003, Ng Pheng Siong. All rights reserved.
"""
-_RCS_id = '$Id: setup.py,v 1.7 2003/06/22 16:45:33 ngps Exp $'
+_RCS_id = '$Id: setup.py,v 1.8 2003/06/30 06:13:11 ngps Exp $'
import os, shutil
from distutils.core import setup, Extension
@@ -38,8 +38,8 @@ m2crypto = Extension(name = '__m2crypto',
)
setup(name = 'M2Crypto',
- version = '0.11',
- description = 'M2Crypto: A Python interface to OpenSSL',
+ version = '0.12',
+ description = 'M2Crypto: A Python crypto and SSL toolkit',
author = 'Ng Pheng Siong',
author_email = 'ngps@netmemetic.com',
url = 'http://www.post1.com/home/ngps/m2/',