rubysl-openssl 1.0.2 → 2.0.0

data/ext/rubysl/openssl/ossl_rand.c

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl_rand.c 16692 2008-05-29 18:15:50Z knu $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -37,7 +37,7 @@ static VALUE
 ossl_rand_seed(VALUE self, VALUE str)
 {
     StringValue(str);
-    RAND_seed(RSTRING_PTR(str), RSTRING_LEN(str));
+    RAND_seed(RSTRING_PTR(str), RSTRING_LENINT(str));
 
     return str;
 }
@@ -51,7 +51,7 @@ static VALUE
 ossl_rand_add(VALUE self, VALUE str, VALUE entropy)
 {
     StringValue(str);
-    RAND_add(RSTRING_PTR(str), RSTRING_LEN(str), NUM2DBL(entropy));
+    RAND_add(RSTRING_PTR(str), RSTRING_LENINT(str), NUM2DBL(entropy));
 
     return self;
 }
@@ -65,7 +65,7 @@ static VALUE
 ossl_rand_load_file(VALUE self, VALUE filename)
 {
     SafeStringValue(filename);
-	
+
     if(!RAND_load_file(RSTRING_PTR(filename), -1)) {
 	ossl_raise(eRandomError, NULL);
     }
@@ -99,7 +99,7 @@ ossl_rand_bytes(VALUE self, VALUE len)
     int n = NUM2INT(len);
 
     str = rb_str_new(0, n);
-    if (!RAND_bytes(RSTRING_PTR(str), n)) {
+    if (!RAND_bytes((unsigned char *)RSTRING_PTR(str), n)) {
 	ossl_raise(eRandomError, NULL);
     }
 
@@ -118,7 +118,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len)
     int n = NUM2INT(len);
 
     str = rb_str_new(0, n);
-    if (!RAND_pseudo_bytes(RSTRING_PTR(str), n)) {
+    if (!RAND_pseudo_bytes((unsigned char *)RSTRING_PTR(str), n)) {
 	ossl_raise(eRandomError, NULL);
     }
 
@@ -134,7 +134,7 @@ static VALUE
 ossl_rand_egd(VALUE self, VALUE filename)
 {
     SafeStringValue(filename);
-	
+
     if(!RAND_egd(RSTRING_PTR(filename))) {
 	ossl_raise(eRandomError, NULL);
     }
@@ -149,7 +149,7 @@ ossl_rand_egd(VALUE self, VALUE filename)
 static VALUE
 ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len)
 {
-    long n = NUM2INT(len);
+    int n = NUM2INT(len);
 
     SafeStringValue(filename);
 
@@ -172,8 +172,8 @@ ossl_rand_status(VALUE self)
 }
 
 #define DEFMETH(class, name, func, argc) \
-	rb_define_method(class, name, func, argc); \
-	rb_define_singleton_method(class, name, func, argc);
+	rb_define_method((class), (name), (func), (argc)); \
+	rb_define_singleton_method((class), (name), (func), (argc));
 
 /*
  * INIT
@@ -181,14 +181,14 @@ ossl_rand_status(VALUE self)
 void
 Init_ossl_rand()
 {
-#if 0 /* let rdoc know about mOSSL */
-    mOSSL = rb_define_module("OpenSSL");
+#if 0
+    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
 #endif
 
     mRandom = rb_define_module_under(mOSSL, "Random");
-	
+
     eRandomError = rb_define_class_under(mRandom, "RandomError", eOSSLError);
-	
+
     DEFMETH(mRandom, "seed", ossl_rand_seed, 1);
     DEFMETH(mRandom, "random_add", ossl_rand_add, 2);
     DEFMETH(mRandom, "load_random_file", ossl_rand_load_file, 1);
@@ -196,7 +196,7 @@ Init_ossl_rand()
     DEFMETH(mRandom, "random_bytes", ossl_rand_bytes, 1);
     DEFMETH(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1);
     DEFMETH(mRandom, "egd", ossl_rand_egd, 1);
-    DEFMETH(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);	
+    DEFMETH(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);
     DEFMETH(mRandom, "status?", ossl_rand_status, 0)
 }
 

data/ext/rubysl/openssl/ossl_rand.h

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl_rand.h 11708 2007-02-12 23:01:19Z shyouhei $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.

data/ext/rubysl/openssl/ossl_ssl.c

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl_ssl.c 32234 2011-06-26 08:58:06Z shyouhei $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2000-2002  GOTOU Yuuzou <gotoyuzo@notwork.org>
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
@@ -11,19 +11,17 @@
  * (See the file 'LICENCE'.)
  */
 #include "ossl.h"
-#include <rubysig.h>
-#include <rubyio.h>
 
 #if defined(HAVE_UNISTD_H)
 #  include <unistd.h> /* for read(), and write() */
 #endif
 
-#define numberof(ary) (sizeof(ary)/sizeof(ary[0]))
+#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
 
 #ifdef _WIN32
 #  define TO_SOCKET(s) _get_osfhandle(s)
 #else
-#  define TO_SOCKET(s) s
+#  define TO_SOCKET(s) (s)
 #endif
 
 VALUE mSSL;
@@ -31,44 +29,51 @@ VALUE eSSLError;
 VALUE cSSLContext;
 VALUE cSSLSocket;
 
-#define ossl_sslctx_set_cert(o,v)        rb_iv_set((o),"@cert",(v))
-#define ossl_sslctx_set_key(o,v)         rb_iv_set((o),"@key",(v))
-#define ossl_sslctx_set_client_ca(o,v)   rb_iv_set((o),"@client_ca",(v))
-#define ossl_sslctx_set_ca_file(o,v)     rb_iv_set((o),"@ca_file",(v))
-#define ossl_sslctx_set_ca_path(o,v)     rb_iv_set((o),"@ca_path",(v))
-#define ossl_sslctx_set_timeout(o,v)     rb_iv_set((o),"@timeout",(v))
-#define ossl_sslctx_set_verify_mode(o,v) rb_iv_set((o),"@verify_mode",(v))
-#define ossl_sslctx_set_verify_dep(o,v)  rb_iv_set((o),"@verify_depth",(v))
-#define ossl_sslctx_set_verify_cb(o,v)   rb_iv_set((o),"@verify_callback",(v))
-#define ossl_sslctx_set_options(o,v)     rb_iv_set((o),"@options",(v))
-#define ossl_sslctx_set_cert_store(o,v)  rb_iv_set((o),"@cert_store",(v))
-#define ossl_sslctx_set_extra_cert(o,v)  rb_iv_set((o),"@extra_chain_cert",(v))
-#define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v))
-#define ossl_sslctx_set_tmp_dh_cb(o,v)   rb_iv_set((o),"@tmp_dh_callback",(v))
-#define ossl_sslctx_set_sess_id_ctx(o, v) rb_iv_get((o),"@session_id_context"(v))
-
-#define ossl_sslctx_get_cert(o)          rb_iv_get((o),"@cert")
-#define ossl_sslctx_get_key(o)           rb_iv_get((o),"@key")
-#define ossl_sslctx_get_client_ca(o)     rb_iv_get((o),"@client_ca")
-#define ossl_sslctx_get_ca_file(o)       rb_iv_get((o),"@ca_file")
-#define ossl_sslctx_get_ca_path(o)       rb_iv_get((o),"@ca_path")
-#define ossl_sslctx_get_timeout(o)       rb_iv_get((o),"@timeout")
-#define ossl_sslctx_get_verify_mode(o)   rb_iv_get((o),"@verify_mode")
-#define ossl_sslctx_get_verify_dep(o)    rb_iv_get((o),"@verify_depth")
-#define ossl_sslctx_get_verify_cb(o)     rb_iv_get((o),"@verify_callback")
-#define ossl_sslctx_get_options(o)       rb_iv_get((o),"@options")
-#define ossl_sslctx_get_cert_store(o)    rb_iv_get((o),"@cert_store")
-#define ossl_sslctx_get_extra_cert(o)    rb_iv_get((o),"@extra_chain_cert")
-#define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
-#define ossl_sslctx_get_tmp_dh_cb(o)     rb_iv_get((o),"@tmp_dh_callback")
-#define ossl_sslctx_get_sess_id_ctx(o)   rb_iv_get((o),"@session_id_context")
+#define ossl_sslctx_set_cert(o,v)        	rb_iv_set((o),"@cert",(v))
+#define ossl_sslctx_set_key(o,v)         	rb_iv_set((o),"@key",(v))
+#define ossl_sslctx_set_client_ca(o,v)   	rb_iv_set((o),"@client_ca",(v))
+#define ossl_sslctx_set_ca_file(o,v)     	rb_iv_set((o),"@ca_file",(v))
+#define ossl_sslctx_set_ca_path(o,v)     	rb_iv_set((o),"@ca_path",(v))
+#define ossl_sslctx_set_timeout(o,v)     	rb_iv_set((o),"@timeout",(v))
+#define ossl_sslctx_set_verify_mode(o,v) 	rb_iv_set((o),"@verify_mode",(v))
+#define ossl_sslctx_set_verify_dep(o,v)  	rb_iv_set((o),"@verify_depth",(v))
+#define ossl_sslctx_set_verify_cb(o,v)   	rb_iv_set((o),"@verify_callback",(v))
+#define ossl_sslctx_set_options(o,v)     	rb_iv_set((o),"@options",(v))
+#define ossl_sslctx_set_cert_store(o,v)  	rb_iv_set((o),"@cert_store",(v))
+#define ossl_sslctx_set_extra_cert(o,v)  	rb_iv_set((o),"@extra_chain_cert",(v))
+#define ossl_sslctx_set_client_cert_cb(o,v) 	rb_iv_set((o),"@client_cert_cb",(v))
+#define ossl_sslctx_set_tmp_dh_cb(o,v)   	rb_iv_set((o),"@tmp_dh_callback",(v))
+#define ossl_sslctx_set_sess_id_ctx(o, v) 	rb_iv_set((o),"@session_id_context",(v))
+
+#define ossl_sslctx_get_cert(o)          	rb_iv_get((o),"@cert")
+#define ossl_sslctx_get_key(o)           	rb_iv_get((o),"@key")
+#define ossl_sslctx_get_client_ca(o)     	rb_iv_get((o),"@client_ca")
+#define ossl_sslctx_get_ca_file(o)       	rb_iv_get((o),"@ca_file")
+#define ossl_sslctx_get_ca_path(o)       	rb_iv_get((o),"@ca_path")
+#define ossl_sslctx_get_timeout(o)       	rb_iv_get((o),"@timeout")
+#define ossl_sslctx_get_verify_mode(o)   	rb_iv_get((o),"@verify_mode")
+#define ossl_sslctx_get_verify_dep(o)    	rb_iv_get((o),"@verify_depth")
+#define ossl_sslctx_get_verify_cb(o)     	rb_iv_get((o),"@verify_callback")
+#define ossl_sslctx_get_options(o)       	rb_iv_get((o),"@options")
+#define ossl_sslctx_get_cert_store(o)    	rb_iv_get((o),"@cert_store")
+#define ossl_sslctx_get_extra_cert(o)    	rb_iv_get((o),"@extra_chain_cert")
+#define ossl_sslctx_get_client_cert_cb(o) 	rb_iv_get((o),"@client_cert_cb")
+#define ossl_sslctx_get_tmp_dh_cb(o)     	rb_iv_get((o),"@tmp_dh_callback")
+#define ossl_sslctx_get_sess_id_ctx(o)   	rb_iv_get((o),"@session_id_context")
 
 static const char *ossl_sslctx_attrs[] = {
     "cert", "key", "client_ca", "ca_file", "ca_path",
-    "timeout", "verify_mode", "verify_depth",
+    "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
     "verify_callback", "options", "cert_store", "extra_chain_cert",
     "client_cert_cb", "tmp_dh_callback", "session_id_context",
     "session_get_cb", "session_new_cb", "session_remove_cb",
+#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
+    "servername_cb",
+#endif
+#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+    "npn_protocols",
+    "npn_select_cb",
+#endif
 };
 
 #define ossl_ssl_get_io(o)           rb_iv_get((o),"@io")
@@ -86,7 +91,12 @@ static const char *ossl_sslctx_attrs[] = {
 #define ossl_ssl_set_tmp_dh(o,v)     rb_iv_set((o),"@tmp_dh",(v))
 
 static const char *ossl_ssl_attr_readers[] = { "io", "context", };
-static const char *ossl_ssl_attrs[] = { "sync_close", };
+static const char *ossl_ssl_attrs[] = {
+#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
+    "hostname",
+#endif
+    "sync_close",
+};
 
 ID ID_callback_state;
 
@@ -97,12 +107,24 @@ struct {
     const char *name;
     SSL_METHOD *(*func)(void);
 } ossl_ssl_method_tab[] = {
-#define OSSL_SSL_METHOD_ENTRY(name) { #name, name##_method }
+#define OSSL_SSL_METHOD_ENTRY(name) { #name, (SSL_METHOD *(*)(void))name##_method }
     OSSL_SSL_METHOD_ENTRY(TLSv1),
     OSSL_SSL_METHOD_ENTRY(TLSv1_server),
     OSSL_SSL_METHOD_ENTRY(TLSv1_client),
+#if defined(HAVE_TLSV1_2_METHOD) && defined(HAVE_TLSV1_2_SERVER_METHOD) && \
+        defined(HAVE_TLSV1_2_CLIENT_METHOD)
+    OSSL_SSL_METHOD_ENTRY(TLSv1_2),
+    OSSL_SSL_METHOD_ENTRY(TLSv1_2_server),
+    OSSL_SSL_METHOD_ENTRY(TLSv1_2_client),
+#endif
+#if defined(HAVE_TLSV1_1_METHOD) && defined(HAVE_TLSV1_1_SERVER_METHOD) && \
+        defined(HAVE_TLSV1_1_CLIENT_METHOD)
+    OSSL_SSL_METHOD_ENTRY(TLSv1_1),
+    OSSL_SSL_METHOD_ENTRY(TLSv1_1_server),
+    OSSL_SSL_METHOD_ENTRY(TLSv1_1_client),
+#endif
 #if defined(HAVE_SSLV2_METHOD) && defined(HAVE_SSLV2_SERVER_METHOD) && \
-        defined(HAVE_SSLV2_CLIENT_METHOD)	
+        defined(HAVE_SSLV2_CLIENT_METHOD)
     OSSL_SSL_METHOD_ENTRY(SSLv2),
     OSSL_SSL_METHOD_ENTRY(SSLv2_server),
     OSSL_SSL_METHOD_ENTRY(SSLv2_client),
@@ -134,15 +156,27 @@ static VALUE
 ossl_sslctx_s_alloc(VALUE klass)
 {
     SSL_CTX *ctx;
+    long mode = SSL_MODE_ENABLE_PARTIAL_WRITE;
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+    mode |= SSL_MODE_RELEASE_BUFFERS;
+#endif
 
     ctx = SSL_CTX_new(SSLv23_method());
     if (!ctx) {
-        ossl_raise(eSSLError, "SSL_CTX_new:");
+        ossl_raise(eSSLError, "SSL_CTX_new");
     }
-    SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+    SSL_CTX_set_mode(ctx, mode);
     return Data_Wrap_Struct(klass, 0, ossl_sslctx_free, ctx);
 }
 
+/*
+ * call-seq:
+ *    ctx.ssl_version = :TLSv1
+ *    ctx.ssl_version = "SSLv23_client"
+ *
+ * You can get a list of valid versions with OpenSSL::SSL::SSLContext::METHODS
+ */
 static VALUE
 ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
 {
@@ -166,7 +200,7 @@ ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
     }
     Data_Get_Struct(self, SSL_CTX, ctx);
     if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
-        ossl_raise(eSSLError, "SSL_CTX_set_ssl_version:");
+        ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
     }
 
     return ssl_method;
@@ -221,13 +255,12 @@ ossl_call_client_cert_cb(VALUE obj)
 static int
 ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 {
-    VALUE obj;
-    int status, success;
+    VALUE obj, success;
 
     obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
     success = rb_protect((VALUE(*)_((VALUE)))ossl_call_client_cert_cb,
-                         obj, &status);
-    if (status || !success) return 0;
+                         obj, NULL);
+    if (!RTEST(success)) return 0;
     *x509 = DupX509CertPtr(ossl_ssl_get_x509(obj));
     *pkey = DupPKeyPtr(ossl_ssl_get_key(obj));
 
@@ -256,15 +289,14 @@ ossl_call_tmp_dh_callback(VALUE *args)
 static DH*
 ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
 {
-    VALUE args[3];
-    int status, success;
+    VALUE args[3], success;
 
     args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
     args[1] = INT2FIX(is_export);
     args[2] = INT2FIX(keylength);
     success = rb_protect((VALUE(*)_((VALUE)))ossl_call_tmp_dh_callback,
-                         (VALUE)args, &status);
-    if (status || !success) return NULL;
+                         (VALUE)args, NULL);
+    if (!RTEST(success)) return NULL;
 
     return GetPKeyPtr(ossl_ssl_get_tmp_dh(args[0]))->pkey.dh;
 }
@@ -299,8 +331,8 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 static VALUE
 ossl_call_session_get_cb(VALUE ary)
 {
-    VALUE ssl_obj, sslctx_obj, cb, ret;
-    
+    VALUE ssl_obj, sslctx_obj, cb;
+
     Check_Type(ary, T_ARRAY);
     ssl_obj = rb_ary_entry(ary, 0);
 
@@ -327,7 +359,7 @@ ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
     ssl_obj = (VALUE)ptr;
     ary = rb_ary_new2(2);
     rb_ary_push(ary, ssl_obj);
-    rb_ary_push(ary, rb_str_new(buf, len));
+    rb_ary_push(ary, rb_str_new((const char *)buf, len));
 
     ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_get_cb, ary, &state);
     if (state) {
@@ -346,8 +378,8 @@ ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
 static VALUE
 ossl_call_session_new_cb(VALUE ary)
 {
-    VALUE ssl_obj, sslctx_obj, cb, ret;
-    
+    VALUE ssl_obj, sslctx_obj, cb;
+
     Check_Type(ary, T_ARRAY);
     ssl_obj = rb_ary_entry(ary, 0);
 
@@ -363,7 +395,7 @@ ossl_call_session_new_cb(VALUE ary)
 static int
 ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
 {
-    VALUE ary, ssl_obj, sess_obj, ret_obj;
+    VALUE ary, ssl_obj, sess_obj;
     void *ptr;
     int state = 0;
 
@@ -380,20 +412,26 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
     rb_ary_push(ary, ssl_obj);
     rb_ary_push(ary, sess_obj);
 
-    ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_new_cb, ary, &state);
+    rb_protect((VALUE(*)_((VALUE)))ossl_call_session_new_cb, ary, &state);
     if (state) {
         rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
-        return 0; /* what should be returned here??? */
     }
 
-    return RTEST(ret_obj) ? 1 : 0;
+    /*
+     * return 0 which means to OpenSSL that the the session is still
+     * valid (since we created Ruby Session object) and was not freed by us
+     * with SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
+     * session_get_cb block if you don't want OpenSSL to cache the session
+     * internally.
+     */
+    return 0;
 }
 
 static VALUE
 ossl_call_session_remove_cb(VALUE ary)
 {
-    VALUE sslctx_obj, cb, ret;
-    
+    VALUE sslctx_obj, cb;
+
     Check_Type(ary, T_ARRAY);
     sslctx_obj = rb_ary_entry(ary, 0);
 
@@ -406,7 +444,7 @@ ossl_call_session_remove_cb(VALUE ary)
 static void
 ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
 {
-    VALUE ary, sslctx_obj, sess_obj, ret_obj;
+    VALUE ary, sslctx_obj, sess_obj;
     void *ptr;
     int state = 0;
 
@@ -423,7 +461,7 @@ ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
     rb_ary_push(ary, sslctx_obj);
     rb_ary_push(ary, sess_obj);
 
-    ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_new_cb, ary, &state);
+    rb_protect((VALUE(*)_((VALUE)))ossl_call_session_remove_cb, ary, &state);
     if (state) {
 /*
   the SSL_CTX is frozen, nowhere to save state.
@@ -448,13 +486,167 @@ ossl_sslctx_add_extra_chain_cert_i(VALUE i, VALUE arg)
     return i;
 }
 
+static VALUE ossl_sslctx_setup(VALUE self);
+
+#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
+static VALUE
+ossl_call_servername_cb(VALUE ary)
+{
+    VALUE ssl_obj, sslctx_obj, cb, ret_obj;
+
+    Check_Type(ary, T_ARRAY);
+    ssl_obj = rb_ary_entry(ary, 0);
+
+    sslctx_obj = rb_iv_get(ssl_obj, "@context");
+    if (NIL_P(sslctx_obj)) return Qnil;
+    cb = rb_iv_get(sslctx_obj, "@servername_cb");
+    if (NIL_P(cb)) return Qnil;
+
+    ret_obj = rb_funcall(cb, rb_intern("call"), 1, ary);
+    if (rb_obj_is_kind_of(ret_obj, cSSLContext)) {
+        SSL *ssl;
+        SSL_CTX *ctx2;
+
+        ossl_sslctx_setup(ret_obj);
+        Data_Get_Struct(ssl_obj, SSL, ssl);
+        Data_Get_Struct(ret_obj, SSL_CTX, ctx2);
+        SSL_set_SSL_CTX(ssl, ctx2);
+    } else if (!NIL_P(ret_obj)) {
+            ossl_raise(rb_eArgError, "servername_cb must return an OpenSSL::SSL::SSLContext object or nil");
+    }
+
+    return ret_obj;
+}
+
+static int
+ssl_servername_cb(SSL *ssl, int *ad, void *arg)
+{
+    VALUE ary, ssl_obj;
+    void *ptr;
+    int state = 0;
+    const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+
+    if (!servername)
+        return SSL_TLSEXT_ERR_OK;
+
+    if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
+    	return SSL_TLSEXT_ERR_ALERT_FATAL;
+    ssl_obj = (VALUE)ptr;
+    ary = rb_ary_new2(2);
+    rb_ary_push(ary, ssl_obj);
+    rb_ary_push(ary, rb_str_new2(servername));
+
+    rb_protect((VALUE(*)_((VALUE)))ossl_call_servername_cb, ary, &state);
+    if (state) {
+        rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+
+    return SSL_TLSEXT_ERR_OK;
+}
+#endif
+
+static void
+ssl_renegotiation_cb(const SSL *ssl)
+{
+    VALUE ssl_obj, sslctx_obj, cb;
+    void *ptr;
+
+    if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
+	ossl_raise(eSSLError, "SSL object could not be retrieved");
+    ssl_obj = (VALUE)ptr;
+
+    sslctx_obj = rb_iv_get(ssl_obj, "@context");
+    if (NIL_P(sslctx_obj)) return;
+    cb = rb_iv_get(sslctx_obj, "@renegotiation_cb");
+    if (NIL_P(cb)) return;
+
+    (void) rb_funcall(cb, rb_intern("call"), 1, ssl_obj);
+}
+
+#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+static VALUE
+ssl_npn_encode_protocol_i(VALUE cur, VALUE encoded)
+{
+    int len = RSTRING_LENINT(cur);
+    char len_byte;
+    if (len < 1 || len > 255)
+	ossl_raise(eSSLError, "Advertised protocol must have length 1..255");
+    /* Encode the length byte */
+    len_byte = len;
+    rb_str_buf_cat(encoded, &len_byte, 1);
+    rb_str_buf_cat(encoded, RSTRING_PTR(cur), len);
+    return Qnil;
+}
+
+static void
+ssl_npn_encode_protocols(VALUE sslctx, VALUE protocols)
+{
+    VALUE encoded = rb_str_new2("");
+    rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
+    StringValueCStr(encoded);
+    rb_iv_set(sslctx, "@_protocols", encoded);
+}
+
+static int
+ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg)
+{
+    VALUE sslctx_obj = (VALUE) arg;
+    VALUE protocols = rb_iv_get(sslctx_obj, "@_protocols");
+
+    *out = (const unsigned char *) RSTRING_PTR(protocols);
+    *outlen = RSTRING_LENINT(protocols);
+
+    return SSL_TLSEXT_ERR_OK;
+}
+
+static int
+ssl_npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
+{
+    int i = 0;
+    VALUE sslctx_obj, cb, protocols, selected;
+
+    sslctx_obj = (VALUE) arg;
+    cb = rb_iv_get(sslctx_obj, "@npn_select_cb");
+    protocols = rb_ary_new();
+
+    /* The format is len_1|proto_1|...|len_n|proto_n\0 */
+    while (in[i]) {
+	VALUE protocol = rb_str_new((const char *) &in[i + 1], in[i]);
+	rb_ary_push(protocols, protocol);
+	i += in[i] + 1;
+    }
+
+    selected = rb_funcall(cb, rb_intern("call"), 1, protocols);
+    StringValue(selected);
+    *out = (unsigned char *) StringValuePtr(selected);
+    *outlen = RSTRING_LENINT(selected);
+
+    return SSL_TLSEXT_ERR_OK;
+}
+#endif
+
+/* This function may serve as the entry point to support further
+ * callbacks. */
+static void
+ssl_info_cb(const SSL *ssl, int where, int val)
+{
+    int state = SSL_state(ssl);
+
+    if ((where & SSL_CB_HANDSHAKE_START) &&
+	(state & SSL_ST_ACCEPT)) {
+	ssl_renegotiation_cb(ssl);
+    }
+}
+
 /*
  * call-seq:
  *    ctx.setup => Qtrue # first time
  *    ctx.setup => nil # thereafter
  *
  * This method is called automatically when a new SSLSocket is created.
- * Normally you do not need to call this method (unless you are writing an extension in C).
+ * Normally you do not need to call this method (unless you are writing an
+ * extension in C).
  */
 static VALUE
 ossl_sslctx_setup(VALUE self)
@@ -506,14 +698,14 @@ ossl_sslctx_setup(VALUE self)
     if (cert && key) {
         if (!SSL_CTX_use_certificate(ctx, cert)) {
             /* Adds a ref => Safe to FREE */
-            ossl_raise(eSSLError, "SSL_CTX_use_certificate:");
+            ossl_raise(eSSLError, "SSL_CTX_use_certificate");
         }
         if (!SSL_CTX_use_PrivateKey(ctx, key)) {
             /* Adds a ref => Safe to FREE */
-            ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey:");
+            ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
         }
         if (!SSL_CTX_check_private_key(ctx)) {
-            ossl_raise(eSSLError, "SSL_CTX_check_private_key:");
+            ossl_raise(eSSLError, "SSL_CTX_check_private_key");
         }
     }
 
@@ -556,22 +748,36 @@ ossl_sslctx_setup(VALUE self)
     if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
 
     val = ossl_sslctx_get_verify_dep(self);
-    if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2LONG(val));
+    if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
 
     val = ossl_sslctx_get_options(self);
     if(!NIL_P(val)) {
-      SSL_CTX_set_options(ctx, NUM2LONG(val));
+    	SSL_CTX_set_options(ctx, NUM2LONG(val));
     } else {
-      SSL_CTX_set_options(ctx, SSL_OP_ALL);
+	SSL_CTX_set_options(ctx, SSL_OP_ALL);
     }
+
+#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+    val = rb_iv_get(self, "@npn_protocols");
+    if (!NIL_P(val)) {
+	ssl_npn_encode_protocols(self, val);
+	SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *) self);
+	OSSL_Debug("SSL NPN advertise callback added");
+    }
+    if (RTEST(rb_iv_get(self, "@npn_select_cb"))) {
+	SSL_CTX_set_next_proto_select_cb(ctx, ssl_npn_select_cb, (void *) self);
+	OSSL_Debug("SSL NPN select callback added");
+    }
+#endif
+
     rb_obj_freeze(self);
 
     val = ossl_sslctx_get_sess_id_ctx(self);
     if (!NIL_P(val)){
 	StringValue(val);
-	if (!SSL_CTX_set_session_id_context(ctx, RSTRING_PTR(val),
-					    RSTRING_LEN(val))){
-	    ossl_raise(eSSLError, "SSL_CTX_set_session_id_context:");
+	if (!SSL_CTX_set_session_id_context(ctx, (unsigned char *)RSTRING_PTR(val),
+					    RSTRING_LENINT(val))){
+	    ossl_raise(eSSLError, "SSL_CTX_set_session_id_context");
 	}
     }
 
@@ -587,6 +793,15 @@ ossl_sslctx_setup(VALUE self)
 	SSL_CTX_sess_set_remove_cb(ctx, ossl_sslctx_session_remove_cb);
 	OSSL_Debug("SSL SESSION remove callback added");
     }
+
+#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
+    val = rb_iv_get(self, "@servername_cb");
+    if (!NIL_P(val)) {
+        SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+	OSSL_Debug("SSL TLSEXT servername callback added");
+    }
+#endif
+
     return Qtrue;
 }
 
@@ -609,6 +824,8 @@ ossl_ssl_cipher_to_ary(SSL_CIPHER *cipher)
 /*
  * call-seq:
  *    ctx.ciphers => [[name, version, bits, alg_bits], ...]
+ *
+ * The list of ciphers configured for this context.
  */
 static VALUE
 ossl_sslctx_get_ciphers(VALUE self)
@@ -629,10 +846,10 @@ ossl_sslctx_get_ciphers(VALUE self)
     if (!ciphers)
         return rb_ary_new();
 
-    num = sk_num((STACK*)ciphers);
+    num = sk_SSL_CIPHER_num(ciphers);
     ary = rb_ary_new2(num);
     for(i = 0; i < num; i++){
-        cipher = (SSL_CIPHER*)sk_value((STACK*)ciphers, i);
+        cipher = sk_SSL_CIPHER_value(ciphers, i);
         rb_ary_push(ary, ossl_ssl_cipher_to_ary(cipher));
     }
     return ary;
@@ -643,6 +860,12 @@ ossl_sslctx_get_ciphers(VALUE self)
  *    ctx.ciphers = "cipher1:cipher2:..."
  *    ctx.ciphers = [name, ...]
  *    ctx.ciphers = [[name, version, bits, alg_bits], ...]
+ *
+ * Sets the list of available ciphers for this context.  Note in a server
+ * context some ciphers require the appropriate certificates.  For example, an
+ * RSA cipher can only be chosen when an RSA certificate is available.
+ *
+ * See also OpenSSL::Cipher and OpenSSL::Cipher::ciphers
  */
 static VALUE
 ossl_sslctx_set_ciphers(VALUE self, VALUE v)
@@ -674,17 +897,17 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
         return Qnil;
     }
     if (!SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(str))) {
-        ossl_raise(eSSLError, "SSL_CTX_set_cipher_list:");
+        ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
     }
 
     return v;
 }
 
-
 /*
  *  call-seq:
  *     ctx.session_add(session) -> true | false
  *
+ * Adds +session+ to the session cache
  */
 static VALUE
 ossl_sslctx_session_add(VALUE self, VALUE arg)
@@ -702,6 +925,7 @@ ossl_sslctx_session_add(VALUE self, VALUE arg)
  *  call-seq:
  *     ctx.session_remove(session) -> true | false
  *
+ * Removes +session+ from the session cache
  */
 static VALUE
 ossl_sslctx_session_remove(VALUE self, VALUE arg)
@@ -717,8 +941,9 @@ ossl_sslctx_session_remove(VALUE self, VALUE arg)
 
 /*
  *  call-seq:
- *     ctx.session_cache_mode -> integer
+ *     ctx.session_cache_mode -> Integer
  *
+ * The current session cache mode.
  */
 static VALUE
 ossl_sslctx_get_session_cache_mode(VALUE self)
@@ -732,8 +957,11 @@ ossl_sslctx_get_session_cache_mode(VALUE self)
 
 /*
  *  call-seq:
- *     ctx.session_cache_mode=(integer) -> integer
+ *     ctx.session_cache_mode=(integer) -> Integer
  *
+ * Sets the SSL session cache mode.  Bitwise-or together the desired
+ * SESSION_CACHE_* constants to set.  See SSL_CTX_set_session_cache_mode(3) for
+ * details.
  */
 static VALUE
 ossl_sslctx_set_session_cache_mode(VALUE self, VALUE arg)
@@ -749,8 +977,10 @@ ossl_sslctx_set_session_cache_mode(VALUE self, VALUE arg)
 
 /*
  *  call-seq:
- *     ctx.session_cache_size -> integer
+ *     ctx.session_cache_size -> Integer
  *
+ * Returns the current session cache size.  Zero is used to represent an
+ * unlimited cache size.
  */
 static VALUE
 ossl_sslctx_get_session_cache_size(VALUE self)
@@ -764,8 +994,10 @@ ossl_sslctx_get_session_cache_size(VALUE self)
 
 /*
  *  call-seq:
- *     ctx.session_cache_size=(integer) -> integer
+ *     ctx.session_cache_size=(integer) -> Integer
  *
+ * Sets the session cache size.  Returns the previously valid session cache
+ * size.  Zero is used to represent an unlimited session cache size.
  */
 static VALUE
 ossl_sslctx_set_session_cache_size(VALUE self, VALUE arg)
@@ -783,6 +1015,23 @@ ossl_sslctx_set_session_cache_size(VALUE self, VALUE arg)
  *  call-seq:
  *     ctx.session_cache_stats -> Hash
  *
+ * Returns a Hash containing the following keys:
+ *
+ * :accept:: Number of started SSL/TLS handshakes in server mode
+ * :accept_good:: Number of established SSL/TLS sessions in server mode
+ * :accept_renegotiate:: Number of start renegotiations in server mode
+ * :cache_full:: Number of sessions that were removed due to cache overflow
+ * :cache_hits:: Number of successfully reused connections
+ * :cache_misses:: Number of sessions proposed by clients that were not found
+ *                 in the cache
+ * :cache_num:: Number of sessions in the internal session cache
+ * :cb_hits:: Number of sessions retrieved from the external cache in server
+ *            mode
+ * :connect:: Number of started SSL/TLS handshakes in client mode
+ * :connect_good:: Number of established SSL/TLS sessions in client mode
+ * :connect_renegotiate:: Number of start renegotiations in client mode
+ * :timeouts:: Number of sessions proposed by clients that were found in the
+ *             cache but had expired due to timeouts
  */
 static VALUE
 ossl_sslctx_get_session_cache_stats(VALUE self)
@@ -814,6 +1063,7 @@ ossl_sslctx_get_session_cache_stats(VALUE self)
  *  call-seq:
  *     ctx.flush_sessions(time | nil) -> self
  *
+ * Removes sessions in the internal cache that have expired at +time+.
  */
 static VALUE
 ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
@@ -821,7 +1071,6 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
     VALUE arg1;
     SSL_CTX *ctx;
     time_t tm = 0;
-    int cb_state;
 
     rb_scan_args(argc, argv, "01", &arg1);
 
@@ -832,7 +1081,7 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
     } else if (rb_obj_is_instance_of(arg1, rb_cTime)) {
         tm = NUM2LONG(rb_funcall(arg1, rb_intern("to_i"), 0));
     } else {
-        rb_raise(rb_eArgError, "arg must be Time or nil");
+        ossl_raise(rb_eArgError, "arg must be Time or nil");
     }
 
     SSL_CTX_flush_sessions(ctx, (long)tm);
@@ -846,16 +1095,27 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
 static void
 ossl_ssl_shutdown(SSL *ssl)
 {
+    int i, rc;
+
     if (ssl) {
-        SSL_shutdown(ssl);
-        SSL_clear(ssl);
+	/* 4 is from SSL_smart_shutdown() of mod_ssl.c (v2.2.19) */
+	/* It says max 2x pending + 2x data = 4 */
+	for (i = 0; i < 4; ++i) {
+	    /*
+	     * Ignore the case SSL_shutdown returns -1. Empty handshake_func
+	     * must not happen.
+	     */
+	    if (rc = SSL_shutdown(ssl))
+		break;
+	}
+	SSL_clear(ssl);
+	ERR_clear_error();
     }
 }
 
 static void
 ossl_ssl_free(SSL *ssl)
 {
-    ossl_ssl_shutdown(ssl);
     SSL_free(ssl);
 }
 
@@ -870,9 +1130,11 @@ ossl_ssl_s_alloc(VALUE klass)
  *    SSLSocket.new(io) => aSSLSocket
  *    SSLSocket.new(io, ctx) => aSSLSocket
  *
- * === Parameters
- * * +io+ is a real ruby IO object.  Not an IO like object that responds to read/write.
- * * +ctx+ is an OpenSSLSSL::SSLContext.
+ * Creates a new SSL socket from +io+ which must be a real ruby object (not an
+ * IO-like object that responds to read/write.
+ *
+ * If +ctx+ is provided the SSL Sockets initial params will be taken from
+ * the context.
  *
  * The OpenSSL::Buffering module provides additional IO methods.
  *
@@ -893,6 +1155,9 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
     ossl_ssl_set_ctx(self, ctx);
     ossl_ssl_set_sync_close(self, Qfalse);
     ossl_sslctx_setup(ctx);
+
+    rb_iv_set(self, "@hostname", Qnil);
+
     rb_call_super(0, 0);
 
     return self;
@@ -908,15 +1173,25 @@ ossl_ssl_setup(VALUE self)
 
     Data_Get_Struct(self, SSL, ssl);
     if(!ssl){
+#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
+	VALUE hostname = rb_iv_get(self, "@hostname");
+#endif
+
         v_ctx = ossl_ssl_get_ctx(self);
         Data_Get_Struct(v_ctx, SSL_CTX, ctx);
 
         ssl = SSL_new(ctx);
         if (!ssl) {
-            ossl_raise(eSSLError, "SSL_new:");
+            ossl_raise(eSSLError, "SSL_new");
         }
         DATA_PTR(self) = ssl;
 
+#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
+        if (!NIL_P(hostname)) {
+           if (SSL_set_tlsext_host_name(ssl, StringValuePtr(hostname)) != 1)
+               ossl_raise(eSSLError, "SSL_set_tlsext_host_name");
+        }
+#endif
         io = ossl_ssl_get_io(self);
         GetOpenFile(io, fptr);
         rb_io_check_readable(fptr);
@@ -929,19 +1204,49 @@ ossl_ssl_setup(VALUE self)
 	SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb);
 	cb = ossl_sslctx_get_tmp_dh_cb(v_ctx);
 	SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb);
+	SSL_set_info_callback(ssl, ssl_info_cb);
     }
 
     return Qtrue;
 }
 
 #ifdef _WIN32
-#define ssl_get_error(ssl, ret) (errno = WSAGetLastError(), SSL_get_error(ssl, ret))
+#define ssl_get_error(ssl, ret) (errno = rb_w32_map_errno(WSAGetLastError()), SSL_get_error((ssl), (ret)))
 #else
-#define ssl_get_error(ssl, ret) SSL_get_error(ssl, ret)
+#define ssl_get_error(ssl, ret) SSL_get_error((ssl), (ret))
 #endif
 
+#define ossl_ssl_data_get_struct(v, ssl)		\
+do {							\
+    Data_Get_Struct((v), SSL, (ssl));			\
+    if (!(ssl)) {					\
+        rb_warning("SSL session is not started yet.");  \
+        return Qnil;					\
+    }							\
+} while (0)
+
+static void
+write_would_block(int nonblock)
+{
+    if (nonblock) {
+        VALUE exc = ossl_exc_new(eSSLError, "write would block");
+        rb_extend_object(exc, rb_mWaitWritable);
+        rb_exc_raise(exc);
+    }
+}
+
+static void
+read_would_block(int nonblock)
+{
+    if (nonblock) {
+        VALUE exc = ossl_exc_new(eSSLError, "read would block");
+        rb_extend_object(exc, rb_mWaitReadable);
+        rb_exc_raise(exc);
+    }
+}
+
 static VALUE
-ossl_start_ssl(VALUE self, int (*func)(), const char *funcname)
+ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, int nonblock)
 {
     SSL *ssl;
     rb_io_t *fptr;
@@ -950,15 +1255,26 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname)
 
     rb_ivar_set(self, ID_callback_state, Qnil);
 
-    Data_Get_Struct(self, SSL, ssl);
+    ossl_ssl_data_get_struct(self, ssl);
+
     GetOpenFile(ossl_ssl_get_io(self), fptr);
     for(;;){
-	if((ret = func(ssl)) > 0) break;
+	ret = func(ssl);
+
+        cb_state = rb_ivar_get(self, ID_callback_state);
+        if (!NIL_P(cb_state))
+            rb_jump_tag(NUM2INT(cb_state));
+
+	if (ret > 0)
+	    break;
+
 	switch((ret2 = ssl_get_error(ssl, ret))){
 	case SSL_ERROR_WANT_WRITE:
+            write_would_block(nonblock);
             rb_io_wait_writable(FPTR_TO_FD(fptr));
             continue;
 	case SSL_ERROR_WANT_READ:
+            read_would_block(nonblock);
             rb_io_wait_readable(FPTR_TO_FD(fptr));
             continue;
 	case SSL_ERROR_SYSCALL:
@@ -969,46 +1285,89 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname)
 	}
     }
 
-    cb_state = rb_ivar_get(self, ID_callback_state);
-    if (!NIL_P(cb_state))
-        rb_jump_tag(NUM2INT(cb_state));
-
     return self;
 }
 
 /*
  * call-seq:
  *    ssl.connect => self
+ *
+ * Initiates an SSL/TLS handshake with a server.  The handshake may be started
+ * after unencrypted data has been sent over the socket.
  */
 static VALUE
 ossl_ssl_connect(VALUE self)
 {
     ossl_ssl_setup(self);
-    return ossl_start_ssl(self, SSL_connect, "SSL_connect");
+    return ossl_start_ssl(self, SSL_connect, "SSL_connect", 0);
+}
+
+/*
+ * call-seq:
+ *    ssl.connect_nonblock => self
+ *
+ * Initiates the SSL/TLS handshake as a client in non-blocking manner.
+ *
+ *   # emulates blocking connect
+ *   begin
+ *     ssl.connect_nonblock
+ *   rescue IO::WaitReadable
+ *     IO.select([s2])
+ *     retry
+ *   rescue IO::WaitWritable
+ *     IO.select(nil, [s2])
+ *     retry
+ *   end
+ *
+ */
+static VALUE
+ossl_ssl_connect_nonblock(VALUE self)
+{
+    ossl_ssl_setup(self);
+    return ossl_start_ssl(self, SSL_connect, "SSL_connect", 1);
 }
 
 /*
  * call-seq:
  *    ssl.accept => self
+ *
+ * Waits for a SSL/TLS client to initiate a handshake.  The handshake may be
+ * started after unencrypted data has been sent over the socket.
  */
 static VALUE
 ossl_ssl_accept(VALUE self)
 {
     ossl_ssl_setup(self);
-    return ossl_start_ssl(self, SSL_accept, "SSL_accept");
+    return ossl_start_ssl(self, SSL_accept, "SSL_accept", 0);
 }
 
 /*
  * call-seq:
- *    ssl.sysread(length) => string
- *    ssl.sysread(length, buffer) => buffer
+ *    ssl.accept_nonblock => self
+ *
+ * Initiates the SSL/TLS handshake as a server in non-blocking manner.
+ *
+ *   # emulates blocking accept
+ *   begin
+ *     ssl.accept_nonblock
+ *   rescue IO::WaitReadable
+ *     IO.select([s2])
+ *     retry
+ *   rescue IO::WaitWritable
+ *     IO.select(nil, [s2])
+ *     retry
+ *   end
  *
- * === Parameters
- * * +length+ is a positive integer.
- * * +buffer+ is a string used to store the result.
  */
 static VALUE
-ossl_ssl_read(int argc, VALUE *argv, VALUE self)
+ossl_ssl_accept_nonblock(VALUE self)
+{
+    ossl_ssl_setup(self);
+    return ossl_start_ssl(self, SSL_accept, "SSL_accept", 1);
+}
+
+static VALUE
+ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
 {
     SSL *ssl;
     int ilen, nread = 0;
@@ -1028,33 +1387,35 @@ ossl_ssl_read(int argc, VALUE *argv, VALUE self)
     Data_Get_Struct(self, SSL, ssl);
     GetOpenFile(ossl_ssl_get_io(self), fptr);
     if (ssl) {
-	if(SSL_pending(ssl) <= 0)
+	if(!nonblock && SSL_pending(ssl) <= 0)
 	    rb_thread_wait_fd(FPTR_TO_FD(fptr));
 	for (;;){
-	    nread = SSL_read(ssl, RSTRING_PTR(str), RSTRING_LEN(str));
+	    nread = SSL_read(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
 	    switch(ssl_get_error(ssl, nread)){
 	    case SSL_ERROR_NONE:
 		goto end;
 	    case SSL_ERROR_ZERO_RETURN:
 		rb_eof_error();
 	    case SSL_ERROR_WANT_WRITE:
+                write_would_block(nonblock);
                 rb_io_wait_writable(FPTR_TO_FD(fptr));
                 continue;
 	    case SSL_ERROR_WANT_READ:
+                read_would_block(nonblock);
                 rb_io_wait_readable(FPTR_TO_FD(fptr));
 		continue;
 	    case SSL_ERROR_SYSCALL:
 		if(ERR_peek_error() == 0 && nread == 0) rb_eof_error();
 		rb_sys_fail(0);
 	    default:
-		ossl_raise(eSSLError, "SSL_read:");
+		ossl_raise(eSSLError, "SSL_read");
 	    }
         }
     }
     else {
-        ID id_sysread = rb_intern("sysread");
+        ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
         rb_warning("SSL session is not started yet.");
-        return rb_funcall(ossl_ssl_get_io(self), id_sysread, 2, len, str);
+        return rb_funcall(ossl_ssl_get_io(self), meth, 2, len, str);
     }
 
   end:
@@ -1066,10 +1427,37 @@ ossl_ssl_read(int argc, VALUE *argv, VALUE self)
 
 /*
  * call-seq:
- *    ssl.syswrite(string) => integer
+ *    ssl.sysread(length) => string
+ *    ssl.sysread(length, buffer) => buffer
+ *
+ * Reads +length+ bytes from the SSL connection.  If a pre-allocated +buffer+
+ * is provided the data will be written into it.
  */
 static VALUE
-ossl_ssl_write(VALUE self, VALUE str)
+ossl_ssl_read(int argc, VALUE *argv, VALUE self)
+{
+    return ossl_ssl_read_internal(argc, argv, self, 0);
+}
+
+/*
+ * call-seq:
+ *    ssl.sysread_nonblock(length) => string
+ *    ssl.sysread_nonblock(length, buffer) => buffer
+ *
+ * A non-blocking version of #sysread.  Raises an SSLError if reading would
+ * block.
+ *
+ * Reads +length+ bytes from the SSL connection.  If a pre-allocated +buffer+
+ * is provided the data will be written into it.
+ */
+static VALUE
+ossl_ssl_read_nonblock(int argc, VALUE *argv, VALUE self)
+{
+    return ossl_ssl_read_internal(argc, argv, self, 1);
+}
+
+static VALUE
+ossl_ssl_write_internal(VALUE self, VALUE str, int nonblock)
 {
     SSL *ssl;
     int nwrite = 0;
@@ -1081,20 +1469,22 @@ ossl_ssl_write(VALUE self, VALUE str)
 
     if (ssl) {
 	for (;;){
-	    nwrite = SSL_write(ssl, RSTRING_PTR(str), RSTRING_LEN(str));
+	    nwrite = SSL_write(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
 	    switch(ssl_get_error(ssl, nwrite)){
 	    case SSL_ERROR_NONE:
 		goto end;
 	    case SSL_ERROR_WANT_WRITE:
+                write_would_block(nonblock);
                 rb_io_wait_writable(FPTR_TO_FD(fptr));
                 continue;
 	    case SSL_ERROR_WANT_READ:
+                read_would_block(nonblock);
                 rb_io_wait_readable(FPTR_TO_FD(fptr));
                 continue;
 	    case SSL_ERROR_SYSCALL:
 		if (errno) rb_sys_fail(0);
 	    default:
-		ossl_raise(eSSLError, "SSL_write:");
+		ossl_raise(eSSLError, "SSL_write");
 	    }
         }
     }
@@ -1108,19 +1498,54 @@ ossl_ssl_write(VALUE self, VALUE str)
     return INT2NUM(nwrite);
 }
 
+/*
+ * call-seq:
+ *    ssl.syswrite(string) => Integer
+ *
+ * Writes +string+ to the SSL connection.
+ */
+static VALUE
+ossl_ssl_write(VALUE self, VALUE str)
+{
+    return ossl_ssl_write_internal(self, str, 0);
+}
+
+/*
+ * call-seq:
+ *    ssl.syswrite_nonblock(string) => Integer
+ *
+ * Writes +string+ to the SSL connection in a non-blocking manner.  Raises an
+ * SSLError if writing would block.
+ */
+static VALUE
+ossl_ssl_write_nonblock(VALUE self, VALUE str)
+{
+    return ossl_ssl_write_internal(self, str, 1);
+}
+
 /*
  * call-seq:
  *    ssl.sysclose => nil
+ *
+ * Shuts down the SSL connection and prepares it for another connection.
  */
 static VALUE
 ossl_ssl_close(VALUE self)
 {
     SSL *ssl;
 
-    Data_Get_Struct(self, SSL, ssl);
-    ossl_ssl_shutdown(ssl);
-    if (RTEST(ossl_ssl_get_sync_close(self)))
-	rb_funcall(ossl_ssl_get_io(self), rb_intern("close"), 0);
+    ossl_ssl_data_get_struct(self, ssl);
+
+    if (ssl) {
+	VALUE io = ossl_ssl_get_io(self);
+	if (!RTEST(rb_funcall(io, rb_intern("closed?"), 0))) {
+	    ossl_ssl_shutdown(ssl);
+	    SSL_free(ssl);
+	    DATA_PTR(self) = NULL;
+	    if (RTEST(ossl_ssl_get_sync_close(self)))
+		rb_funcall(io, rb_intern("close"), 0);
+	}
+    }
 
     return Qnil;
 }
@@ -1128,6 +1553,8 @@ ossl_ssl_close(VALUE self)
 /*
  * call-seq:
  *    ssl.cert => cert or nil
+ *
+ * The X509 certificate for this socket endpoint.
  */
 static VALUE
 ossl_ssl_get_cert(VALUE self)
@@ -1135,11 +1562,7 @@ ossl_ssl_get_cert(VALUE self)
     SSL *ssl;
     X509 *cert = NULL;
 
-    Data_Get_Struct(self, SSL, ssl);
-    if (ssl) {
-        rb_warning("SSL session is not started yet.");
-        return Qnil;
-    }
+    ossl_ssl_data_get_struct(self, ssl);
 
     /*
      * Is this OpenSSL bug? Should add a ref?
@@ -1156,6 +1579,8 @@ ossl_ssl_get_cert(VALUE self)
 /*
  * call-seq:
  *    ssl.peer_cert => cert or nil
+ *
+ * The X509 certificate for this socket's peer.
  */
 static VALUE
 ossl_ssl_get_peer_cert(VALUE self)
@@ -1164,12 +1589,7 @@ ossl_ssl_get_peer_cert(VALUE self)
     X509 *cert = NULL;
     VALUE obj;
 
-    Data_Get_Struct(self, SSL, ssl);
-
-    if (!ssl){
-        rb_warning("SSL session is not started yet.");
-        return Qnil;
-    }
+    ossl_ssl_data_get_struct(self, ssl);
 
     cert = SSL_get_peer_certificate(ssl); /* Adds a ref => Safe to FREE. */
 
@@ -1185,6 +1605,8 @@ ossl_ssl_get_peer_cert(VALUE self)
 /*
  * call-seq:
  *    ssl.peer_cert_chain => [cert, ...] or nil
+ *
+ * The X509 certificate chain for this socket's peer.
  */
 static VALUE
 ossl_ssl_get_peer_cert_chain(VALUE self)
@@ -1195,11 +1617,8 @@ ossl_ssl_get_peer_cert_chain(VALUE self)
     VALUE ary;
     int i, num;
 
-    Data_Get_Struct(self, SSL, ssl);
-    if(!ssl){
-	rb_warning("SSL session is not started yet.");
-	return Qnil;
-    }
+    ossl_ssl_data_get_struct(self, ssl);
+
     chain = SSL_get_peer_cert_chain(ssl);
     if(!chain) return Qnil;
     num = sk_X509_num(chain);
@@ -1213,21 +1632,37 @@ ossl_ssl_get_peer_cert_chain(VALUE self)
 }
 
 /*
- * call-seq:
- *    ssl.cipher => [name, version, bits, alg_bits]
- */
+* call-seq:
+*    ssl.version => String
+*
+* Returns a String representing the SSL/TLS version that was negotiated
+* for the connection, for example "TLSv1.2".
+*/
+static VALUE
+ossl_ssl_get_version(VALUE self)
+{
+    SSL *ssl;
+
+    ossl_ssl_data_get_struct(self, ssl);
+
+    return rb_str_new2(SSL_get_version(ssl));
+}
+
+/*
+* call-seq:
+*    ssl.cipher => [name, version, bits, alg_bits]
+*
+* The cipher being used for the current connection
+*/
 static VALUE
 ossl_ssl_get_cipher(VALUE self)
 {
     SSL *ssl;
     SSL_CIPHER *cipher;
 
-    Data_Get_Struct(self, SSL, ssl);
-    if (!ssl) {
-        rb_warning("SSL session is not started yet.");
-        return Qnil;
-    }
-    cipher = SSL_get_current_cipher(ssl);
+    ossl_ssl_data_get_struct(self, ssl);
+
+    cipher = (SSL_CIPHER *)SSL_get_current_cipher(ssl);
 
     return ossl_ssl_cipher_to_ary(cipher);
 }
@@ -1235,6 +1670,8 @@ ossl_ssl_get_cipher(VALUE self)
 /*
  * call-seq:
  *    ssl.state => string
+ *
+ * A description of the current connection state.
  */
 static VALUE
 ossl_ssl_get_state(VALUE self)
@@ -1242,11 +1679,8 @@ ossl_ssl_get_state(VALUE self)
     SSL *ssl;
     VALUE ret;
 
-    Data_Get_Struct(self, SSL, ssl);
-    if (!ssl) {
-        rb_warning("SSL session is not started yet.");
-        return Qnil;
-    }
+    ossl_ssl_data_get_struct(self, ssl);
+
     ret = rb_str_new2(SSL_state_string(ssl));
     if (ruby_verbose) {
         rb_str_cat2(ret, ": ");
@@ -1257,49 +1691,47 @@ ossl_ssl_get_state(VALUE self)
 
 /*
  * call-seq:
- *    ssl.pending => integer
+ *    ssl.pending => Integer
+ *
+ * The number of bytes that are immediately available for reading
  */
 static VALUE
 ossl_ssl_pending(VALUE self)
 {
     SSL *ssl;
 
-    Data_Get_Struct(self, SSL, ssl);
-    if (!ssl) {
-        rb_warning("SSL session is not started yet.");
-        return Qnil;
-    }
+    ossl_ssl_data_get_struct(self, ssl);
 
     return INT2NUM(SSL_pending(ssl));
 }
 
 /*
- *  call-seq:
- *     ssl.session_reused? -> true | false
+ * call-seq:
+ *    ssl.session_reused? -> true | false
  *
+ * Returns true if a reused session was negotiated during the handshake.
  */
 static VALUE
 ossl_ssl_session_reused(VALUE self)
 {
     SSL *ssl;
 
-    Data_Get_Struct(self, SSL, ssl);
-    if (!ssl) {
-        rb_warning("SSL session is not started yet.");
-        return Qnil;
-    }
+    ossl_ssl_data_get_struct(self, ssl);
 
     switch(SSL_session_reused(ssl)) {
     case 1:	return Qtrue;
     case 0:	return Qfalse;
     default:	ossl_raise(eSSLError, "SSL_session_reused");
     }
+
+    UNREACHABLE;
 }
 
 /*
- *  call-seq:
- *     ssl.session = session -> session
+ * call-seq:
+ *    ssl.session = session -> session
  *
+ * Sets the Session to be used when the connection is established.
  */
 static VALUE
 ossl_ssl_set_session(VALUE self, VALUE arg1)
@@ -1310,11 +1742,7 @@ ossl_ssl_set_session(VALUE self, VALUE arg1)
 /* why is ossl_ssl_setup delayed? */
     ossl_ssl_setup(self);
 
-    Data_Get_Struct(self, SSL, ssl);
-    if (!ssl) {
-        rb_warning("SSL session is not started yet.");
-        return Qnil;
-    }
+    ossl_ssl_data_get_struct(self, ssl);
 
     SafeGetSSLSession(arg1, sess);
 
@@ -1324,58 +1752,319 @@ ossl_ssl_set_session(VALUE self, VALUE arg1)
     return arg1;
 }
 
+/*
+ * call-seq:
+ *    ssl.verify_result => Integer
+ *
+ * Returns the result of the peer certificates verification.  See verify(1)
+ * for error values and descriptions.
+ *
+ * If no peer certificate was presented X509_V_OK is returned.
+ */
 static VALUE
 ossl_ssl_get_verify_result(VALUE self)
 {
     SSL *ssl;
 
-    Data_Get_Struct(self, SSL, ssl);
-    if (!ssl) {
-        rb_warning("SSL session is not started yet.");
-        return Qnil;
-    }
+    ossl_ssl_data_get_struct(self, ssl);
 
     return INT2FIX(SSL_get_verify_result(ssl));
 }
 
+/*
+ * call-seq:
+ *    ssl.client_ca => [x509name, ...]
+ *
+ * Returns the list of client CAs. Please note that in contrast to
+ * SSLContext#client_ca= no array of X509::Certificate is returned but
+ * X509::Name instances of the CA's subject distinguished name.
+ *
+ * In server mode, returns the list set by SSLContext#client_ca=.
+ * In client mode, returns the list of client CAs sent from the server.
+ */
+static VALUE
+ossl_ssl_get_client_ca_list(VALUE self)
+{
+    SSL *ssl;
+    STACK_OF(X509_NAME) *ca;
+
+    ossl_ssl_data_get_struct(self, ssl);
+
+    ca = SSL_get_client_CA_list(ssl);
+    return ossl_x509name_sk2ary(ca);
+}
+
+#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+/*
+ * call-seq:
+ *    ssl.npn_protocol => String
+ *
+ * Returns the protocol string that was finally selected by the client
+ * during the handshake.
+ */
+static VALUE
+ossl_ssl_npn_protocol(VALUE self)
+{
+    SSL *ssl;
+    const unsigned char *out;
+    unsigned int outlen;
+
+    ossl_ssl_data_get_struct(self, ssl);
+
+    SSL_get0_next_proto_negotiated(ssl, &out, &outlen);
+    if (!outlen)
+	return Qnil;
+    else
+	return rb_str_new((const char *) out, outlen);
+}
+#endif
+
 void
 Init_ossl_ssl()
 {
     int i;
     VALUE ary;
 
-#if 0 /* let rdoc know about mOSSL */
-    mOSSL = rb_define_module("OpenSSL");
+#if 0
+    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
 #endif
 
     ID_callback_state = rb_intern("@callback_state");
 
-    ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_vcb_idx",0,0,0);
-    ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,"ossl_ssl_ex_store_p",0,0,0);
-    ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_ptr_idx",0,0,0);
+    ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_vcb_idx",0,0,0);
+    ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_store_p",0,0,0);
+    ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_ptr_idx",0,0,0);
     ossl_ssl_ex_client_cert_cb_idx =
-	SSL_get_ex_new_index(0,"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
+	SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
     ossl_ssl_ex_tmp_dh_callback_idx =
-	SSL_get_ex_new_index(0,"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
+	SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
 
+    /* Document-module: OpenSSL::SSL
+     *
+     * Use SSLContext to set up the parameters for a TLS (former SSL)
+     * connection. Both client and server TLS connections are supported,
+     * SSLSocket and SSLServer may be used in conjunction with an instance
+     * of SSLContext to set up connections.
+     */
     mSSL = rb_define_module_under(mOSSL, "SSL");
+    /* Document-class: OpenSSL::SSL::SSLError
+     *
+     * Generic error class raised by SSLSocket and SSLContext.
+     */
     eSSLError = rb_define_class_under(mSSL, "SSLError", eOSSLError);
 
     Init_ossl_ssl_session();
 
-    /* class SSLContext
+    /* Document-class: OpenSSL::SSL::SSLContext
      *
-     * The following attributes are available but don't show up in rdoc.
-     * All attributes must be set before calling SSLSocket.new(io, ctx).
+     * An SSLContext is used to set various options regarding certificates,
+     * algorithms, verification, session caching, etc.  The SSLContext is
+     * used to create an SSLSocket.
+     *
+     * All attributes must be set before creating an SSLSocket as the
+     * SSLContext will be frozen afterward.
+     *
+     * The following attributes are available but don't show up in rdoc:
      * * ssl_version, cert, key, client_ca, ca_file, ca_path, timeout,
      * * verify_mode, verify_depth client_cert_cb, tmp_dh_callback,
      * * session_id_context, session_add_cb, session_new_cb, session_remove_cb
      */
     cSSLContext = rb_define_class_under(mSSL, "SSLContext", rb_cObject);
     rb_define_alloc_func(cSSLContext, ossl_sslctx_s_alloc);
-    for(i = 0; i < numberof(ossl_sslctx_attrs); i++)
-        rb_attr(cSSLContext, rb_intern(ossl_sslctx_attrs[i]), 1, 1, Qfalse);
+
+    /*
+     * Context certificate
+     */
+    rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
+
+    /*
+     * Context private key
+     */
+    rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
+
+    /*
+     * A certificate or Array of certificates that will be sent to the client.
+     */
+    rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
+
+    /*
+     * The path to a file containing a PEM-format CA certificate
+     */
+    rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
+
+    /*
+     * The path to a directory containing CA certificates in PEM format.
+     *
+     * Files are looked up by subject's X509 name's hash value.
+     */
+    rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
+
+    /*
+     * Maximum session lifetime.
+     */
+    rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
+
+    /*
+     * Session verification mode.
+     *
+     * Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
+     * VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
+     */
+    rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
+
+    /*
+     * Number of CA certificates to walk when verifying a certificate chain.
+     */
+    rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
+
+    /*
+     * A callback for additional certificate verification.  The callback is
+     * invoked for each certificate in the chain.
+     *
+     * The callback is invoked with two values.  +preverify_ok+ indicates
+     * indicates if the verification was passed (true) or not (false).
+     * +store_context+ is an OpenSSL::X509::StoreContext containing the
+     * context used for certificate verification.
+     *
+     * If the callback returns false verification is stopped.
+     */
+    rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
+
+    /*
+     * Sets various OpenSSL options.
+     */
+    rb_attr(cSSLContext, rb_intern("options"), 1, 1, Qfalse);
+
+    /*
+     * An OpenSSL::X509::Store used for certificate verification
+     */
+    rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
+
+    /*
+     * An Array of extra X509 certificates to be added to the certificate
+     * chain.
+     */
+    rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
+
+    /*
+     * A callback invoked when a client certificate is requested by a server
+     * and no certificate has been set.
+     *
+     * The callback is invoked with a Session and must return an Array
+     * containing an OpenSSL::X509::Certificate and an OpenSSL::PKey.  If any
+     * other value is returned the handshake is suspended.
+     */
+    rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
+
+    /*
+     * A callback invoked when DH parameters are required.
+     *
+     * The callback is invoked with the Session for the key exchange, an
+     * flag indicating the use of an export cipher and the keylength
+     * required.
+     *
+     * The callback must return an OpenSSL::PKey::DH instance of the correct
+     * key length.
+     */
+    rb_attr(cSSLContext, rb_intern("tmp_dh_callback"), 1, 1, Qfalse);
+
+    /*
+     * Sets the context in which a session can be reused.  This allows
+     * sessions for multiple applications to be distinguished, for exapmle, by
+     * name.
+     */
+    rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
+
+    /*
+     * A callback invoked on a server when a session is proposed by the client
+     * but the session could not be found in the server's internal cache.
+     *
+     * The callback is invoked with the SSLSocket and session id.  The
+     * callback may return a Session from an external cache.
+     */
+    rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
+
+    /*
+     * A callback invoked when a new session was negotiatied.
+     *
+     * The callback is invoked with an SSLSocket.  If false is returned the
+     * session will be removed from the internal cache.
+     */
+    rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
+
+    /*
+     * A callback invoked when a session is removed from the internal cache.
+     *
+     * The callback is invoked with an SSLContext and a Session.
+     */
+    rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
+
+#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
+    /*
+     * A callback invoked at connect time to distinguish between multiple
+     * server names.
+     *
+     * The callback is invoked with an SSLSocket and a server name.  The
+     * callback must return an SSLContext for the server name or nil.
+     */
+    rb_attr(cSSLContext, rb_intern("servername_cb"), 1, 1, Qfalse);
+#endif
+    /*
+     * A callback invoked whenever a new handshake is initiated. May be used
+     * to disable renegotiation entirely.
+     *
+     * The callback is invoked with the active SSLSocket. The callback's
+     * return value is irrelevant, normal return indicates "approval" of the
+     * renegotiation and will continue the process. To forbid renegotiation
+     * and to cancel the process, an Error may be raised within the callback.
+     *
+     * === Disable client renegotiation
+     *
+     * When running a server, it is often desirable to disable client
+     * renegotiation entirely. You may use a callback as follows to implement
+     * this feature:
+     *
+     *   num_handshakes = 0
+     *   ctx.renegotiation_cb = lambda do |ssl|
+     *     num_handshakes += 1
+     *     raise RuntimeError.new("Client renegotiation disabled") if num_handshakes > 1
+     *   end
+     */
+    rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
+#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+    /*
+     * An Enumerable of Strings. Each String represents a protocol to be
+     * advertised as the list of supported protocols for Next Protocol
+     * Negotiation. Supported in OpenSSL 1.0.1 and higher. Has no effect
+     * on the client side. If not set explicitly, the NPN extension will
+     * not be sent by the server in the handshake.
+     *
+     * === Example
+     *
+     *   ctx.npn_protocols = ["http/1.1", "spdy/2"]
+     */
+    rb_attr(cSSLContext, rb_intern("npn_protocols"), 1, 1, Qfalse);
+    /*
+     * A callback invoked on the client side when the client needs to select
+     * a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
+     * and higher. The client MUST select a protocol of those advertised by
+     * the server. If none is acceptable, raising an error in the callback
+     * will cause the handshake to fail. Not setting this callback explicitly
+     * means not supporting the NPN extension on the client - any protocols
+     * advertised by the server will be ignored.
+     *
+     * === Example
+     *
+     *   ctx.npn_select_cb = lambda do |protocols|
+     *     #inspect the protocols and select one
+     *     protocols.first
+     *   end
+     */
+    rb_attr(cSSLContext, rb_intern("npn_select_cb"), 1, 1, Qfalse);
+#endif
+
     rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
+    rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
     rb_define_method(cSSLContext, "initialize",  ossl_sslctx_initialize, -1);
     rb_define_method(cSSLContext, "ssl_version=", ossl_sslctx_set_ssl_version, 1);
     rb_define_method(cSSLContext, "ciphers",     ossl_sslctx_get_ciphers, 0);
@@ -1383,15 +2072,53 @@ Init_ossl_ssl()
 
     rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);
 
-    
+    /*
+     * No session caching for client or server
+     */
     rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2FIX(SSL_SESS_CACHE_OFF));
+
+    /*
+     * Client sessions are added to the session cache
+     */
     rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2FIX(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
+
+    /*
+     * Server sessions are added to the session cache
+     */
     rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2FIX(SSL_SESS_CACHE_SERVER));
+
+    /*
+     * Both client and server sessions are added to the session cache
+     */
     rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2FIX(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
+
+    /*
+     * Normally the session cache is checked for expired sessions every 255
+     * connections.  Since this may lead to a delay that cannot be controlled,
+     * the automatic flushing may be disabled and #flush_sessions can be
+     * called explicitly.
+     */
     rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2FIX(SSL_SESS_CACHE_NO_AUTO_CLEAR));
+
+    /*
+     * Always perform external lookups of sessions even if they are in the
+     * internal cache.
+     *
+     * This flag has no effect on clients
+     */
     rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
+
+    /*
+     * Never automatically store sessions in the internal store.
+     */
     rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_STORE));
+
+    /*
+     * Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
+     * SESSION_CACHE_NO_INTERNAL_STORE.
+     */
     rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL));
+
     rb_define_method(cSSLContext, "session_add",     ossl_sslctx_session_add, 1);
     rb_define_method(cSSLContext, "session_remove",     ossl_sslctx_session_remove, 1);
     rb_define_method(cSSLContext, "session_cache_mode",     ossl_sslctx_get_session_cache_mode, 0);
@@ -1406,10 +2133,11 @@ Init_ossl_ssl()
         rb_ary_push(ary, ID2SYM(rb_intern(ossl_ssl_method_tab[i].name)));
     }
     rb_obj_freeze(ary);
-    /* holds a list of available SSL/TLS methods */
+    /* The list of available SSL/TLS methods */
     rb_define_const(cSSLContext, "METHODS", ary);
 
-    /* class SSLSocket
+    /*
+     * Document-class: OpenSSL::SSL::SSLSocket
      *
      * The following attributes are available but don't show up in rdoc.
      * * io, context, sync_close
@@ -1424,21 +2152,31 @@ Init_ossl_ssl()
     rb_define_alias(cSSLSocket, "to_io", "io");
     rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
     rb_define_method(cSSLSocket, "connect",    ossl_ssl_connect, 0);
+    rb_define_method(cSSLSocket, "connect_nonblock",    ossl_ssl_connect_nonblock, 0);
     rb_define_method(cSSLSocket, "accept",     ossl_ssl_accept, 0);
+    rb_define_method(cSSLSocket, "accept_nonblock",     ossl_ssl_accept_nonblock, 0);
     rb_define_method(cSSLSocket, "sysread",    ossl_ssl_read, -1);
+    rb_define_private_method(cSSLSocket, "sysread_nonblock",    ossl_ssl_read_nonblock, -1);
     rb_define_method(cSSLSocket, "syswrite",   ossl_ssl_write, 1);
+    rb_define_private_method(cSSLSocket, "syswrite_nonblock",    ossl_ssl_write_nonblock, 1);
     rb_define_method(cSSLSocket, "sysclose",   ossl_ssl_close, 0);
     rb_define_method(cSSLSocket, "cert",       ossl_ssl_get_cert, 0);
     rb_define_method(cSSLSocket, "peer_cert",  ossl_ssl_get_peer_cert, 0);
     rb_define_method(cSSLSocket, "peer_cert_chain", ossl_ssl_get_peer_cert_chain, 0);
+    rb_define_method(cSSLSocket, "ssl_version",    ossl_ssl_get_version, 0);
     rb_define_method(cSSLSocket, "cipher",     ossl_ssl_get_cipher, 0);
     rb_define_method(cSSLSocket, "state",      ossl_ssl_get_state, 0);
     rb_define_method(cSSLSocket, "pending",    ossl_ssl_pending, 0);
     rb_define_method(cSSLSocket, "session_reused?",    ossl_ssl_session_reused, 0);
+    /* implementation of OpenSSL::SSL::SSLSocket#session is in lib/openssl/ssl.rb */
     rb_define_method(cSSLSocket, "session=",    ossl_ssl_set_session, 1);
     rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0);
+    rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
+#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+    rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
+#endif
 
-#define ossl_ssl_def_const(x) rb_define_const(mSSL, #x, INT2FIX(SSL_##x))
+#define ossl_ssl_def_const(x) rb_define_const(mSSL, #x, INT2NUM(SSL_##x))
 
     ossl_ssl_def_const(VERIFY_NONE);
     ossl_ssl_def_const(VERIFY_PEER);
@@ -1474,8 +2212,17 @@ Init_ossl_ssl()
     ossl_ssl_def_const(OP_NO_SSLv2);
     ossl_ssl_def_const(OP_NO_SSLv3);
     ossl_ssl_def_const(OP_NO_TLSv1);
+#if defined(SSL_OP_NO_TLSv1_1)
+    ossl_ssl_def_const(OP_NO_TLSv1_1);
+#endif
+#if defined(SSL_OP_NO_TLSv1_2)
+    ossl_ssl_def_const(OP_NO_TLSv1_2);
+#endif
 #if defined(SSL_OP_NO_TICKET)
     ossl_ssl_def_const(OP_NO_TICKET);
+#endif
+#if defined(SSL_OP_NO_COMPRESSION)
+    ossl_ssl_def_const(OP_NO_COMPRESSION);
 #endif
     ossl_ssl_def_const(OP_PKCS1_CHECK_1);
     ossl_ssl_def_const(OP_PKCS1_CHECK_2);