void-packages/srcpkgs/nodejs/patches/fix-libressl.patch

diff -Naur node-v5.7.1.orig/lib/_tls_wrap.js node-v5.7.1/lib/_tls_wrap.js
--- node-v5.7.1.orig/lib/_tls_wrap.js	2016-03-02 14:20:54.000000000 -0800
+++ node-v5.7.1/lib/_tls_wrap.js	2016-03-09 12:41:27.567542510 -0800
@@ -165,26 +165,31 @@
     if (err)
       return self.destroy(err);
 
-    self._handle.endParser();
-  });
-}
-
-
-function oncertcb(info) {
-  var self = this;
-  var servername = info.servername;
-
-  loadSNI(self, servername, function(err, ctx) {
-    if (err)
-      return self.destroy(err);
-    requestOCSP(self, info, ctx, function(err) {
+    // Servername came from SSL session
+    // NOTE: TLS Session ticket doesn't include servername information
+    //
+    // Another note, From RFC3546:
+    //
+    //   If, on the other hand, the older
+    //   session is resumed, then the server MUST ignore extensions appearing
+    //   in the client hello, and send a server hello containing no
+    //   extensions; in this case the extension functionality negotiated
+    //   during the original session initiation is applied to the resumed
+    //   session.
+    //
+    // Therefore we should account session loading when dealing with servername
+    var servername = session && session.servername || hello.servername;
+    loadSNI(self, servername, function(err, ctx) {
       if (err)
         return self.destroy(err);
-
-      if (!self._handle)
-        return self.destroy(new Error('Socket is closed'));
-
-      self._handle.certCbDone();
+      requestOCSP(self, hello, ctx, function(err) {
+        if (err)
+          return self.destroy(err);
+
+        if (!self._handle)
+          return self.destroy(new Error('Socket is closed'));
+        self._handle.endParser();
+      });
     });
   });
 }
@@ -407,18 +412,15 @@
     ssl.onhandshakestart = () => onhandshakestart.call(this);
     ssl.onhandshakedone = () => onhandshakedone.call(this);
     ssl.onclienthello = (hello) => onclienthello.call(this, hello);
-    ssl.oncertcb = (info) => oncertcb.call(this, info);
     ssl.onnewsession = (key, session) => onnewsession.call(this, key, session);
     ssl.lastHandshakeTime = 0;
     ssl.handshakes = 0;
 
-    if (this.server) {
-      if (this.server.listenerCount('resumeSession') > 0 ||
-          this.server.listenerCount('newSession') > 0) {
-        ssl.enableSessionCallbacks();
-      }
-      if (this.server.listenerCount('OCSPRequest') > 0)
-        ssl.enableCertCb();
+    if (this.server &&
+         (this.server.listenerCount('resumeSession') > 0 ||
+          this.server.listenerCount('newSession') > 0 ||
+          this.server.listenerCount('OCSPRequest') > 0)) {
+      ssl.enableSessionCallbacks();
     }
   } else {
     ssl.onhandshakestart = function() {};
@@ -460,7 +462,7 @@
        options.server._contexts.length)) {
     assert(typeof options.SNICallback === 'function');
     this._SNICallback = options.SNICallback;
-    ssl.enableCertCb();
+    ssl.enableHelloParser();
   }
 
   if (process.features.tls_npn && options.NPNProtocols)
@@ -654,13 +656,6 @@
   }
 };
 
-TLSSocket.prototype.getEphemeralKeyInfo = function() {
-  if (this._handle)
-    return this._handle.getEphemeralKeyInfo();
-
-  return null;
-};
-
 TLSSocket.prototype.getProtocol = function() {
   if (this._handle)
     return this._handle.getProtocol();
@@ -1047,17 +1042,6 @@
     socket._start();
 
   socket.on('secure', function() {
-    // Check the size of DHE parameter above minimum requirement
-    // specified in options.
-    var ekeyinfo = socket.getEphemeralKeyInfo();
-    if (ekeyinfo.type === 'DH' && ekeyinfo.size < options.minDHSize) {
-      var err = new Error('DH parameter size ' + ekeyinfo.size +
-                          ' is less than ' + options.minDHSize);
-      socket.emit('error', err);
-      socket.destroy();
-      return;
-    }
-
     var verifyError = socket._handle.verifyError();
 
     // Verify that server's identity matches it's certificate's names
diff -Naur node-v5.7.1.orig/src/env.h node-v5.7.1/src/env.h
--- node-v5.7.1.orig/src/env.h	2016-03-02 14:20:54.000000000 -0800
+++ node-v5.7.1/src/env.h	2016-03-09 12:38:59.042899553 -0800
@@ -66,7 +66,6 @@
   V(cached_data_rejected_string, "cachedDataRejected")                        \
   V(callback_string, "callback")                                              \
   V(change_string, "change")                                                  \
-  V(oncertcb_string, "oncertcb")                                              \
   V(onclose_string, "_onclose")                                               \
   V(code_string, "code")                                                      \
   V(compare_string, "compare")                                                \
diff -Naur node-v5.7.1.orig/src/node_crypto.cc node-v5.7.1/src/node_crypto.cc
--- node-v5.7.1.orig/src/node_crypto.cc	2016-03-02 14:20:54.000000000 -0800
+++ node-v5.7.1/src/node_crypto.cc	2016-03-09 12:44:13.609732921 -0800
@@ -164,8 +164,6 @@
 #endif
 
 template void SSLWrap<TLSWrap>::DestroySSL();
-template int SSLWrap<TLSWrap>::SSLCertCallback(SSL* s, void* arg);
-template void SSLWrap<TLSWrap>::WaitForCertCb(CertCb cb, void* arg);
 
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 template int SSLWrap<TLSWrap>::SelectALPNCallback(
@@ -518,8 +516,7 @@
     for (int i = 0; i < sk_X509_num(extra_certs); i++) {
       X509* ca = sk_X509_value(extra_certs, i);
 
-      // NOTE: Increments reference count on `ca`
-      r = SSL_CTX_add1_chain_cert(ctx, ca);
+      r = SSL_CTX_add_extra_chain_cert(ctx, ca);
 
       if (!r) {
         ret = 0;
@@ -1045,7 +1042,7 @@
 void SecureContext::SetFreeListLength(const FunctionCallbackInfo<Value>& args) {
   SecureContext* wrap = Unwrap<SecureContext>(args.Holder());
 
-  wrap->ctx_->freelist_max_len = args[0]->Int32Value();
+  // wrap->ctx_->freelist_max_len = args[0]->Int32Value();
 }
 
 
@@ -1182,14 +1179,12 @@
   env->SetProtoMethod(t, "verifyError", VerifyError);
   env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher);
   env->SetProtoMethod(t, "endParser", EndParser);
-  env->SetProtoMethod(t, "certCbDone", CertCbDone);
   env->SetProtoMethod(t, "renegotiate", Renegotiate);
   env->SetProtoMethod(t, "shutdownSSL", Shutdown);
   env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket);
   env->SetProtoMethod(t, "newSessionDone", NewSessionDone);
   env->SetProtoMethod(t, "setOCSPResponse", SetOCSPResponse);
   env->SetProtoMethod(t, "requestOCSP", RequestOCSP);
-  env->SetProtoMethod(t, "getEphemeralKeyInfo", GetEphemeralKeyInfo);
   env->SetProtoMethod(t, "getProtocol", GetProtocol);
 
 #ifdef SSL_set_max_send_fragment
@@ -1805,50 +1800,6 @@
 }
 
 
-template <class Base>
-void SSLWrap<Base>::GetEphemeralKeyInfo(
-    const v8::FunctionCallbackInfo<v8::Value>& args) {
-  Base* w = Unwrap<Base>(args.Holder());
-  Environment* env = Environment::GetCurrent(args);
-
-  CHECK_NE(w->ssl_, nullptr);
-
-  // tmp key is available on only client
-  if (w->is_server())
-    return args.GetReturnValue().SetNull();
-
-  Local<Object> info = Object::New(env->isolate());
-
-  EVP_PKEY* key;
-
-  if (SSL_get_server_tmp_key(w->ssl_, &key)) {
-    switch (EVP_PKEY_id(key)) {
-      case EVP_PKEY_DH:
-        info->Set(env->type_string(),
-                  FIXED_ONE_BYTE_STRING(env->isolate(), "DH"));
-        info->Set(env->size_string(),
-                  Integer::New(env->isolate(), EVP_PKEY_bits(key)));
-        break;
-      case EVP_PKEY_EC:
-        {
-          EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key);
-          int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
-          EC_KEY_free(ec);
-          info->Set(env->type_string(),
-                    FIXED_ONE_BYTE_STRING(env->isolate(), "ECDH"));
-          info->Set(env->name_string(),
-                    OneByteString(args.GetIsolate(), OBJ_nid2sn(nid)));
-          info->Set(env->size_string(),
-                    Integer::New(env->isolate(), EVP_PKEY_bits(key)));
-        }
-    }
-    EVP_PKEY_free(key);
-  }
-
-  return args.GetReturnValue().Set(info);
-}
-
-
 #ifdef SSL_set_max_send_fragment
 template <class Base>
 void SSLWrap<Base>::SetMaxSendFragment(
@@ -2234,129 +2185,6 @@
 
 
 template <class Base>
-void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
-  cert_cb_ = cb;
-  cert_cb_arg_ = arg;
-}
-
-
-template <class Base>
-int SSLWrap<Base>::SSLCertCallback(SSL* s, void* arg) {
-  Base* w = static_cast<Base*>(SSL_get_app_data(s));
-
-  if (!w->is_server())
-    return 1;
-
-  if (!w->is_waiting_cert_cb())
-    return 1;
-
-  if (w->cert_cb_running_)
-    return -1;
-
-  Environment* env = w->env();
-  HandleScope handle_scope(env->isolate());
-  Context::Scope context_scope(env->context());
-  w->cert_cb_running_ = true;
-
-  Local<Object> info = Object::New(env->isolate());
-
-  SSL_SESSION* sess = SSL_get_session(s);
-  if (sess != nullptr) {
-    if (sess->tlsext_hostname == nullptr) {
-      info->Set(env->servername_string(), String::Empty(env->isolate()));
-    } else {
-      Local<String> servername = OneByteString(env->isolate(),
-                                               sess->tlsext_hostname,
-                                               strlen(sess->tlsext_hostname));
-      info->Set(env->servername_string(), servername);
-    }
-    info->Set(env->tls_ticket_string(),
-              Boolean::New(env->isolate(), sess->tlsext_ticklen != 0));
-  }
-
-  bool ocsp = false;
-#ifdef NODE__HAVE_TLSEXT_STATUS_CB
-  ocsp = s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp;
-#endif
-
-  info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp));
-
-  Local<Value> argv[] = { info };
-  w->MakeCallback(env->oncertcb_string(), ARRAY_SIZE(argv), argv);
-
-  if (!w->cert_cb_running_)
-    return 1;
-
-  // Performing async action, wait...
-  return -1;
-}
-
-
-template <class Base>
-void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
-  Base* w = Unwrap<Base>(args.Holder());
-  Environment* env = w->env();
-
-  CHECK(w->is_waiting_cert_cb() && w->cert_cb_running_);
-
-  Local<Object> object = w->object();
-  Local<Value> ctx = object->Get(env->sni_context_string());
-  Local<FunctionTemplate> cons = env->secure_context_constructor_template();
-
-  // Not an object, probably undefined or null
-  if (!ctx->IsObject())
-    goto fire_cb;
-
-  if (cons->HasInstance(ctx)) {
-    SecureContext* sc = Unwrap<SecureContext>(ctx.As<Object>());
-    w->sni_context_.Reset();
-    w->sni_context_.Reset(env->isolate(), ctx);
-
-    int rv;
-
-    // NOTE: reference count is not increased by this API methods
-    X509* x509 = SSL_CTX_get0_certificate(sc->ctx_);
-    EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_);
-    STACK_OF(X509)* chain;
-
-    rv = SSL_CTX_get0_chain_certs(sc->ctx_, &chain);
-    if (rv)
-      rv = SSL_use_certificate(w->ssl_, x509);
-    if (rv)
-      rv = SSL_use_PrivateKey(w->ssl_, pkey);
-    if (rv && chain != nullptr)
-      rv = SSL_set1_chain(w->ssl_, chain);
-    if (rv)
-      rv = w->SetCACerts(sc);
-    if (!rv) {
-      unsigned long err = ERR_get_error();
-      if (!err)
-        return env->ThrowError("CertCbDone");
-      return ThrowCryptoError(env, err);
-    }
-  } else {
-    // Failure: incorrect SNI context object
-    Local<Value> err = Exception::TypeError(env->sni_context_err_string());
-    w->MakeCallback(env->onerror_string(), 1, &err);
-    return;
-  }
-
- fire_cb:
-  CertCb cb;
-  void* arg;
-
-  cb = w->cert_cb_;
-  arg = w->cert_cb_arg_;
-
-  w->cert_cb_running_ = false;
-  w->cert_cb_ = nullptr;
-  w->cert_cb_arg_ = nullptr;
-
-  cb(arg);
-}
-
-
-template <class Base>
 void SSLWrap<Base>::SSLGetter(Local<String> property,
                               const PropertyCallbackInfo<Value>& info) {
   SSL* ssl = Unwrap<Base>(info.This())->ssl_;
@@ -2387,10 +2215,6 @@
 
 template <class Base>
 int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
-  int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_));
-  if (err != 1)
-    return err;
-
   STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
       SSL_CTX_get_client_CA_list(sc->ctx_));
 
@@ -2484,10 +2308,6 @@
     DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func);
     return 0;
 
-  } else if (err == SSL_ERROR_WANT_X509_LOOKUP) {
-    DEBUG_PRINT("[%p] SSL: %s want x509 lookup\n", ssl_, func);
-    return 0;
-
   } else if (err == SSL_ERROR_ZERO_RETURN) {
     HandleScope scope(ssl_env()->isolate());
 
@@ -2668,7 +2488,7 @@
   SSL* ssl = static_cast<SSL*>(
       X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
 
-  if (SSL_is_server(ssl))
+  if (ssl->server)
     return 1;
 
   // Client needs to check if the server cert is listed in the
@@ -2695,7 +2515,7 @@
 
     // Call the SNI callback and use its return value as context
     if (!conn->sniObject_.IsEmpty()) {
-      conn->sni_context_.Reset();
+      conn->sniContext_.Reset();
 
       Local<Object> sni_obj = PersistentToLocal(env->isolate(),
                                                 conn->sniObject_);
@@ -2711,7 +2531,7 @@
       Local<FunctionTemplate> secure_context_constructor_template =
           env->secure_context_constructor_template();
       if (secure_context_constructor_template->HasInstance(ret)) {
-        conn->sni_context_.Reset(env->isolate(), ret);
+        conn->sniContext_.Reset(env->isolate(), ret);
         SecureContext* sc = Unwrap<SecureContext>(ret.As<Object>());
         conn->SetSNIContext(sc);
       } else {
@@ -2749,8 +2569,6 @@
 
   InitNPN(sc);
 
-  SSL_set_cert_cb(conn->ssl_, SSLWrap<Connection>::SSLCertCallback, conn);
-
 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
   if (is_server) {
     SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
diff -Naur node-v5.7.1.orig/src/node_crypto.h node-v5.7.1/src/node_crypto.h
--- node-v5.7.1.orig/src/node_crypto.h	2016-03-02 14:20:54.000000000 -0800
+++ node-v5.7.1/src/node_crypto.h	2016-03-09 12:45:11.683121390 -0800
@@ -177,10 +177,7 @@
         kind_(kind),
         next_sess_(nullptr),
         session_callbacks_(false),
-        new_session_wait_(false),
-        cert_cb_(nullptr),
-        cert_cb_arg_(nullptr),
-        cert_cb_running_(false) {
+        new_session_wait_(false) {
     ssl_ = SSL_new(sc->ctx_);
     env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize);
     CHECK_NE(ssl_, nullptr);
@@ -193,10 +190,6 @@
       next_sess_ = nullptr;
     }
 
-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
-    sni_context_.Reset();
-#endif
-
 #ifdef NODE__HAVE_TLSEXT_STATUS_CB
     ocsp_response_.Reset();
 #endif  // NODE__HAVE_TLSEXT_STATUS_CB
@@ -207,11 +200,8 @@
   inline bool is_server() const { return kind_ == kServer; }
   inline bool is_client() const { return kind_ == kClient; }
   inline bool is_waiting_new_session() const { return new_session_wait_; }
-  inline bool is_waiting_cert_cb() const { return cert_cb_ != nullptr; }
 
  protected:
-  typedef void (*CertCb)(void* arg);
-
   // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and
   // some for buffers.
   // NOTE: Actually it is much more than this
@@ -239,15 +229,12 @@
   static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetCurrentCipher(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args);
-  static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void NewSessionDone(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetOCSPResponse(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void RequestOCSP(const v8::FunctionCallbackInfo<v8::Value>& args);
-  static void GetEphemeralKeyInfo(
-      const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetProtocol(const v8::FunctionCallbackInfo<v8::Value>& args);
 
 #ifdef SSL_set_max_send_fragment
@@ -281,12 +268,10 @@
                                 unsigned int inlen,
                                 void* arg);
   static int TLSExtStatusCallback(SSL* s, void* arg);
-  static int SSLCertCallback(SSL* s, void* arg);
   static void SSLGetter(v8::Local<v8::String> property,
                         const v8::PropertyCallbackInfo<v8::Value>& info);
 
   void DestroySSL();
-  void WaitForCertCb(CertCb cb, void* arg);
   void SetSNIContext(SecureContext* sc);
   int SetCACerts(SecureContext* sc);
 
@@ -301,21 +286,12 @@
   bool session_callbacks_;
   bool new_session_wait_;
 
-  // SSL_set_cert_cb
-  CertCb cert_cb_;
-  void* cert_cb_arg_;
-  bool cert_cb_running_;
-
   ClientHelloParser hello_parser_;
 
 #ifdef NODE__HAVE_TLSEXT_STATUS_CB
   v8::Persistent<v8::Object> ocsp_response_;
 #endif  // NODE__HAVE_TLSEXT_STATUS_CB
 
-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
-  v8::Persistent<v8::Value> sni_context_;
-#endif
-
   friend class SecureContext;
 };
 
@@ -327,6 +303,7 @@
   ~Connection() override {
 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
     sniObject_.Reset();
+    sniContext_.Reset();
     servername_.Reset();
 #endif
   }
@@ -341,6 +318,7 @@
 
 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
   v8::Persistent<v8::Object> sniObject_;
+  v8::Persistent<v8::Value> sniContext_;
   v8::Persistent<v8::String> servername_;
 #endif
 
diff -Naur node-v5.7.1.orig/src/tls_wrap.cc node-v5.7.1/src/tls_wrap.cc
--- node-v5.7.1.orig/src/tls_wrap.cc	2016-03-02 14:20:54.000000000 -0800
+++ node-v5.7.1/src/tls_wrap.cc	2016-03-09 12:38:59.047899589 -0800
@@ -141,8 +141,6 @@
 
   InitNPN(sc_);
 
-  SSL_set_cert_cb(ssl_, SSLWrap<TLSWrap>::SSLCertCallback, this);
-
   if (is_server()) {
     SSL_set_accept_state(ssl_);
   } else if (is_client()) {
@@ -353,7 +351,6 @@
     case SSL_ERROR_NONE:
     case SSL_ERROR_WANT_READ:
     case SSL_ERROR_WANT_WRITE:
-    case SSL_ERROR_WANT_X509_LOOKUP:
       break;
     case SSL_ERROR_ZERO_RETURN:
       return scope.Escape(env()->zero_return_string());
@@ -769,6 +766,11 @@
         "EnableSessionCallbacks after destroySSL");
   }
   wrap->enable_session_callbacks();
+  EnableHelloParser(args);
+}
+
+void TLSWrap::EnableHelloParser(const FunctionCallbackInfo<Value>& args) {
+  TLSWrap* wrap = Unwrap<TLSWrap>(args.Holder());
   NodeBIO::FromBIO(wrap->enc_in_)->set_initial(kMaxHelloLength);
   wrap->hello_parser_.Start(SSLWrap<TLSWrap>::OnClientHello,
                             OnClientHelloParseEnd,
@@ -793,12 +795,6 @@
 }
 
 
-void TLSWrap::EnableCertCb(const FunctionCallbackInfo<Value>& args) {
-  TLSWrap* wrap = Unwrap<TLSWrap>(args.Holder());
-  wrap->WaitForCertCb(OnClientHelloParseEnd, wrap);
-}
-
-
 void TLSWrap::OnClientHelloParseEnd(void* arg) {
   TLSWrap* c = static_cast<TLSWrap*>(arg);
   c->Cycle();
@@ -896,8 +892,8 @@
   env->SetProtoMethod(t, "start", Start);
   env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode);
   env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks);
+  env->SetProtoMethod(t, "enableHelloParser", EnableHelloParser);
   env->SetProtoMethod(t, "destroySSL", DestroySSL);
-  env->SetProtoMethod(t, "enableCertCb", EnableCertCb);
 
   StreamBase::AddMethods<TLSWrap>(env, t, StreamBase::kFlagHasWritev);
   SSLWrap<TLSWrap>::AddMethods(env, t);
diff -Naur node-v5.7.1.orig/src/tls_wrap.h node-v5.7.1/src/tls_wrap.h
--- node-v5.7.1.orig/src/tls_wrap.h	2016-03-02 14:20:54.000000000 -0800
+++ node-v5.7.1/src/tls_wrap.h	2016-03-09 12:38:59.047899589 -0800
@@ -132,7 +132,7 @@
   static void SetVerifyMode(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EnableSessionCallbacks(
       const v8::FunctionCallbackInfo<v8::Value>& args);
-  static void EnableCertCb(
+  static void EnableHelloParser(
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void DestroySSL(const v8::FunctionCallbackInfo<v8::Value>& args);
 
@@ -161,6 +161,10 @@
   // If true - delivered EOF to the js-land, either after `close_notify`, or
   // after the `UV_EOF` on socket.
   bool eof_;
+
+#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+  v8::Persistent<v8::Value> sni_context_;
+#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
 };
 
 }  // namespace node
diff -Naur node-v5.7.1.orig/test/parallel/test-tls-client-getephemeralkeyinfo.js node-v5.7.1/test/parallel/test-tls-client-getephemeralkeyinfo.js
--- node-v5.7.1.orig/test/parallel/test-tls-client-getephemeralkeyinfo.js	2016-03-02 14:20:55.000000000 -0800
+++ node-v5.7.1/test/parallel/test-tls-client-getephemeralkeyinfo.js	1969-12-31 16:00:00.000000000 -0800
@@ -1,98 +0,0 @@
-'use strict';
-var common = require('../common');
-var assert = require('assert');
-
-if (!common.hasCrypto) {
-  console.log('1..0 # Skipped: missing crypto');
-  process.exit();
-}
-var tls = require('tls');
-
-var fs = require('fs');
-var key =  fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem');
-var cert = fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem');
-
-var ntests = 0;
-var nsuccess = 0;
-
-function loadDHParam(n) {
-  var path = common.fixturesDir;
-  if (n !== 'error') path += '/keys';
-  return fs.readFileSync(path + '/dh' + n + '.pem');
-}
-
-var cipherlist = {
-  'NOT_PFS': 'AES128-SHA256',
-  'DH': 'DHE-RSA-AES128-GCM-SHA256',
-  'ECDH': 'ECDHE-RSA-AES128-GCM-SHA256'
-};
-
-function test(size, type, name, next) {
-  var cipher = type ? cipherlist[type] : cipherlist['NOT_PFS'];
-
-  if (name) tls.DEFAULT_ECDH_CURVE = name;
-
-  var options = {
-    key: key,
-    cert: cert,
-    ciphers: cipher
-  };
-
-  if (type === 'DH') options.dhparam = loadDHParam(size);
-
-  var server = tls.createServer(options, function(conn) {
-    assert.strictEqual(conn.getEphemeralKeyInfo(), null);
-    conn.end();
-  });
-
-  server.on('close', function(err) {
-    assert(!err);
-    if (next) next();
-  });
-
-  server.listen(common.PORT, '127.0.0.1', function() {
-    var client = tls.connect({
-      port: common.PORT,
-      rejectUnauthorized: false
-    }, function() {
-      var ekeyinfo = client.getEphemeralKeyInfo();
-      assert.strictEqual(ekeyinfo.type, type);
-      assert.strictEqual(ekeyinfo.size, size);
-      assert.strictEqual(ekeyinfo.name, name);
-      nsuccess++;
-      server.close();
-    });
-  });
-}
-
-function testNOT_PFS() {
-  test(undefined, undefined, undefined, testDHE1024);
-  ntests++;
-}
-
-function testDHE1024() {
-  test(1024, 'DH', undefined, testDHE2048);
-  ntests++;
-}
-
-function testDHE2048() {
-  test(2048, 'DH', undefined, testECDHE256);
-  ntests++;
-}
-
-function testECDHE256() {
-  test(256, 'ECDH', tls.DEFAULT_ECDH_CURVE, testECDHE512);
-  ntests++;
-}
-
-function testECDHE512() {
-  test(521, 'ECDH', 'secp521r1', null);
-  ntests++;
-}
-
-testNOT_PFS();
-
-process.on('exit', function() {
-  assert.equal(ntests, nsuccess);
-  assert.equal(ntests, 5);
-});
diff -Naur node-v5.7.1.orig/test/parallel/test-tls-cnnic-whitelist.js node-v5.7.1/test/parallel/test-tls-cnnic-whitelist.js
--- node-v5.7.1.orig/test/parallel/test-tls-cnnic-whitelist.js	2016-03-02 14:20:55.000000000 -0800
+++ node-v5.7.1/test/parallel/test-tls-cnnic-whitelist.js	2016-03-09 12:38:59.048899596 -0800
@@ -53,7 +53,9 @@
       port: common.PORT,
       rejectUnauthorized: true
     },
-    errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+    // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
+    errorCode: 'CERT_UNTRUSTED'
+    // errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
   }
 ];
 
diff -Naur node-v5.7.1.orig/test/parallel/test-tls-sni-server-client.js node-v5.7.1/test/parallel/test-tls-sni-server-client.js
--- node-v5.7.1.orig/test/parallel/test-tls-sni-server-client.js	2016-03-02 14:20:55.000000000 -0800
+++ node-v5.7.1/test/parallel/test-tls-sni-server-client.js	2016-03-09 12:39:14.677009247 -0800
@@ -36,11 +36,6 @@
   'asterisk.test.com': {
     key: loadPEM('agent3-key'),
     cert: loadPEM('agent3-cert')
-  },
-  'chain.example.com': {
-    key: loadPEM('agent6-key'),
-    // NOTE: Contains ca3 chain cert
-    cert: loadPEM('agent6-cert')
   }
 };
 
@@ -48,29 +43,32 @@
 
 var clientsOptions = [{
   port: serverPort,
+  key: loadPEM('agent1-key'),
+  cert: loadPEM('agent1-cert'),
   ca: [loadPEM('ca1-cert')],
   servername: 'a.example.com',
   rejectUnauthorized: false
 }, {
   port: serverPort,
+  key: loadPEM('agent2-key'),
+  cert: loadPEM('agent2-cert'),
   ca: [loadPEM('ca2-cert')],
   servername: 'b.test.com',
   rejectUnauthorized: false
 }, {
   port: serverPort,
+  key: loadPEM('agent2-key'),
+  cert: loadPEM('agent2-cert'),
   ca: [loadPEM('ca2-cert')],
   servername: 'a.b.test.com',
   rejectUnauthorized: false
 }, {
   port: serverPort,
+  key: loadPEM('agent3-key'),
+  cert: loadPEM('agent3-cert'),
   ca: [loadPEM('ca1-cert')],
   servername: 'c.wrong.com',
   rejectUnauthorized: false
-}, {
-  port: serverPort,
-  ca: [loadPEM('ca1-cert')],
-  servername: 'chain.example.com',
-  rejectUnauthorized: false
 }];
 
 const serverResults = [];
@@ -82,7 +80,6 @@
 
 server.addContext('a.example.com', SNIContexts['a.example.com']);
 server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
-server.addContext('chain.example.com', SNIContexts['chain.example.com']);
 
 server.listen(serverPort, startTest);
 
@@ -109,9 +106,7 @@
 }
 
 process.on('exit', function() {
-  assert.deepEqual(serverResults, [
-    'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
-    'chain.example.com'
-  ]);
-  assert.deepEqual(clientResults, [true, true, false, false, true]);
+  assert.deepEqual(serverResults, ['a.example.com', 'b.test.com',
+                                   'a.b.test.com', 'c.wrong.com']);
+  assert.deepEqual(clientResults, [true, true, false, false]);
 });