UcspiSsl
Patches to enable SSL for ucspi-tcp in order to run fefe's fnord with https.

All patches are based on ucspi-tcp-0.88.
The original patch enabling SSL is ucspi-tcp-ssl-20020705.patch by André Oppermann (originally used for qmail over SSL); cf. the fnord mini HOWTO.

We have a jail patch, ucspi-tcp-ssl-20031121.patch, which includes André's patch and adds the options -j and -J. With these, the SSL translator process chroots to a jail directory (-J), which should be completely empty, and drops root to a nonprivileged uid (-j) before starting any SSL communications.
This way, if the SSL translator is compromised by yet another OpenSSL buffer overflow, the damage is limited to
  • manipulating the communication,
    which is no problem since the other side can send any crap it wants even via an uncompromised SSL connection, anyway
  • using up resources,
    which can be addressed using softlimit and/or quotas for the jail user
  • exploiting kernel bugs
    like the recent do_mremap issue, which you should fix


The CA cert file patch ucspi-tcp-ssl-20040113.patch includes the other patches and adds an option -a to specify a file containing CA (certificate authority) certificates like with the Apache mod_ssl option SSLCACertificateFile. Note that unlike Apache, fnord/ucspi-tcp-ssl does not perform client authentication. Yet, special CA certificates are sometimes needed if an intermediate certificate used by your issuing CA expires (which recently happened for some Verisign intermediate certs).
So, to add to the Intermediate CA Replacement Instructions: for fnord/ucspi-tcp-ssl, get this patch and the new "intermediate.crt" offered by Verisign, and run tcpserver with "-a intermediate.crt". That's it.
Note that the file given with -a is passed to SSL_CTX_load_verify_locations and thus may contain several CA certificates, which will be used during SSL connection negotiation to close any gap in the certificate chain.