Updates from 1.0.0-stable
diff --git a/apps/apps.c b/apps/apps.c
index 9579395..7294c26 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -259,13 +259,6 @@
 		return(FORMAT_ASN1);
 	else if ((*s == 'T') || (*s == 't'))
 		return(FORMAT_TEXT);
-	else if ((*s == 'P') || (*s == 'p'))
- 		{
- 		if (s[1] == 'V' || s[1] == 'v')
- 			return FORMAT_PVK;
- 		else
-  			return(FORMAT_PEM);
- 		}
   	else if ((*s == 'N') || (*s == 'n'))
   		return(FORMAT_NETSCAPE);
   	else if ((*s == 'S') || (*s == 's'))
@@ -278,6 +271,13 @@
 		return(FORMAT_PKCS12);
 	else if ((*s == 'E') || (*s == 'e'))
 		return(FORMAT_ENGINE);
+	else if ((*s == 'P') || (*s == 'p'))
+ 		{
+ 		if (s[1] == 'V' || s[1] == 'v')
+ 			return FORMAT_PVK;
+ 		else
+  			return(FORMAT_PEM);
+ 		}
 	else
 		return(FORMAT_UNDEF);
 	}
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 7bcaa53..9d2cd5b 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -231,7 +231,7 @@
 
 subjectKeyIdentifier=hash
 
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
@@ -264,7 +264,7 @@
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -297,7 +297,7 @@
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c
index 0eee25a..da0f126 100644
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -810,7 +810,7 @@
 #ifdef EAI_FAMILY
 # if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_BEOS_BONE) || defined(OPENSSL_SYS_MSDOS)
 #  define SOCKLEN_T size_t
-# else
+# elif !defined(SOCKLEN_T)
 #  define SOCKLEN_T socklen_t
 #endif
 	do {
diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h
index 65b6f01..bd0ee52 100644
--- a/crypto/objects/objects.h
+++ b/crypto/objects/objects.h
@@ -1054,24 +1054,34 @@
  * the non-constness means a lot of complication, and in practice
  * comparison routines do always not touch their arguments.
  */
-#define _IMPLEMENT_OBJ_BSEARCH_CMP_FN(scope, type1, type2, nm)	\
+
+#define IMPLEMENT_OBJ_BSEARCH_CMP_FN(type1, type2, nm)	\
   static int nm##_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)	\
       { \
       type1 const *a = a_; \
       type2 const *b = b_; \
       return nm##_cmp(a,b); \
       } \
-  scope type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
+  static type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
       { \
       return (type2 *)OBJ_bsearch_(key, base, num, sizeof(type2), \
 					nm##_cmp_BSEARCH_CMP_FN); \
       } \
       extern void dummy_prototype(void)
 
-#define IMPLEMENT_OBJ_BSEARCH_CMP_FN(type1, type2, cmp) \
-  _IMPLEMENT_OBJ_BSEARCH_CMP_FN(static, type1, type2, cmp)
-#define IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, cmp)	\
-  _IMPLEMENT_OBJ_BSEARCH_CMP_FN(, type1, type2, cmp)
+#define IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, nm)	\
+  static int nm##_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)	\
+      { \
+      type1 const *a = a_; \
+      type2 const *b = b_; \
+      return nm##_cmp(a,b); \
+      } \
+  type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
+      { \
+      return (type2 *)OBJ_bsearch_(key, base, num, sizeof(type2), \
+					nm##_cmp_BSEARCH_CMP_FN); \
+      } \
+      extern void dummy_prototype(void)
 
 #define OBJ_bsearch(type1,key,type2,base,num,cmp)			       \
   ((type2 *)OBJ_bsearch_(CHECKED_PTR_OF(type1,key),CHECKED_PTR_OF(type2,base), \
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 10ee5e7..292cc3e 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -81,7 +81,7 @@
 	     STACK_OF(X509) **ca)
 {
 	STACK_OF(X509) *ocerts = NULL;
-	X509 *x;
+	X509 *x = NULL;
 	/* Check for NULL PKCS12 structure */
 
 	if(!p12)
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index e779c33..3beb699 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -116,6 +116,7 @@
 /* Under Win32 these are defined in wincrypt.h */
 #undef X509_NAME
 #undef X509_CERT_PAIR
+#undef X509_EXTENSIONS
 #endif
 
 #define X509_FILETYPE_PEM	1
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 19b3a8b..b13c567 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -605,6 +605,7 @@
 	if (!ret)
 		X509_NAME_free(nm);
 	gen->d.dirn = nm;
+	X509V3_section_free(ctx, sk);
 		
 	return ret;
 	}
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 907e305..9914604 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -412,9 +412,6 @@
 	return(0);
 	}
 
-IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
-				    ssl_cipher_id);
-
 /* This function needs to check if the ciphers required are actually
  * available */
 const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 893eb6e..e8d03bf 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1595,9 +1595,11 @@
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
 
+#ifndef OPENSSL_NO_SSL2
 const SSL_METHOD *SSLv2_method(void);		/* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void);	/* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void);	/* SSLv2 */
+#endif
 
 const SSL_METHOD *SSLv3_method(void);		/* SSLv3 */
 const SSL_METHOD *SSLv3_server_method(void);	/* SSLv3 */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 17fc536..24cd426 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2986,3 +2986,6 @@
 
 IMPLEMENT_STACK_OF(SSL_CIPHER)
 IMPLEMENT_STACK_OF(SSL_COMP)
+IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
+				    ssl_cipher_id);
+
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 0ed7cb4..6b052fa 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -736,8 +736,8 @@
 	@a=grep(!/^e_camellia$/,@a) if $no_camellia;
 	@a=grep(!/^e_seed$/,@a) if $no_seed;
 
-	@a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2;
-	@a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3;
+	#@a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2;
+	#@a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3;
 
 	@a=grep(!/(_sock$)|(_acpt$)|(_conn$)|(^pxy_)/,@a) if $no_sock;
 
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 96aa51a..29a5b96 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -103,6 +103,8 @@
 			 "CMS",
 			 # CryptoAPI Engine
 			 "CAPIENG",
+			 # SSL v2
+			 "SSL2",
 			 # JPAKE
 			 "JPAKE",
 			 # Deprecated functions
@@ -125,7 +127,7 @@
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
 my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
 my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
-my $no_jpake;
+my $no_jpake; my $no_ssl2;
 
 my $zlib;
 
@@ -213,6 +215,7 @@
 	elsif (/^no-rfc3779$/)	{ $no_rfc3779=1; }
 	elsif (/^no-tlsext$/)	{ $no_tlsext=1; }
 	elsif (/^no-cms$/)	{ $no_cms=1; }
+	elsif (/^no-ssl2$/)	{ $no_ssl2=1; }
 	elsif (/^no-capieng$/)	{ $no_capieng=1; }
 	elsif (/^no-jpake$/)	{ $no_jpake=1; }
 	}
@@ -1145,6 +1148,7 @@
 			if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
 			if ($keyword eq "PSK" && $no_psk) { return 0; }
 			if ($keyword eq "CMS" && $no_cms) { return 0; }
+			if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
 			if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
 			if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
 			if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }