./net/pen, Load balancer for simple tcp based protocols



Branch: CURRENT, Version: 0.34.1nb2, Package name: pen-0.34.1nb2, Maintainer: pkgsrc-users

Pen is a load balancer for "simple" TCP-based protocols such as HTTP or
SMTP. It allows several servers to appear as one to the outside,
automatically detects servers that are down, and distributes clients among
the available servers. This gives high availability and scalable
performance.

The load balancing algorithm keeps track of clients and will try to
send them back to the server they visited the last time. The client
table has a fixed number of slots (default 2048, settable through
command-line arguments). When the table is full, the least recently used
entry is evicted to make room for the new one, so a client whose entry
has been evicted is treated as new on its next connection.

This is superior to a simple round-robin algorithm, which sends a client
that connects repeatedly to different servers. Doing so breaks
applications that maintain state between connections in the server,
including most modern web applications.

When pen detects that a server is unavailable, it scans for another one,
starting with the server after the most recently used one. That way
we get load balancing and "fair" failover for free.
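The client table and failover scan described above, as an added Python illustration. This is not Pen's own code (Pen is written in C); it is a model of the behaviour the description states. One detail is an assumption, because the page does not say how Pen places a client that has no table entry: here such a client is given the first available server after the most recently used one. The server names and client identifiers are constructed sample data.

```python
"""Sticky client table with LRU eviction and "next server" failover.

Added illustration of the scheme in the description above; not Pen's code.
Assumption (not stated on the page): a client with no table entry is given
the first available server after the most recently used one. Server and
client names below are constructed sample data.
"""
from collections import OrderedDict


class AffinityBalancer:
    """Send each client back to the server it used last.

    The table holds at most `max_clients` entries (Pen's default is 2048).
    When it is full the least recently used client is dropped, so that client
    is treated as new, and may land on a different server, next time.
    When a remembered server is down, the search for a replacement starts at
    the server after the most recently used one, which spreads failover load
    instead of piling it onto the first server in the list.
    """

    def __init__(self, servers, max_clients=2048):
        self.servers = list(servers)
        self.up = [True] * len(self.servers)
        self.max_clients = max_clients
        self.clients = OrderedDict()  # client id -> server index, LRU order
        self.last_used = -1           # index of the most recently chosen server

    def set_down(self, index):
        self.up[index] = False

    def set_up(self, index):
        self.up[index] = True

    def _next_available(self, start):
        """First server at or after `start` (wrapping around) that is up."""
        n = len(self.servers)
        for step in range(n):
            idx = (start + step) % n
            if self.up[idx]:
                return idx
        raise RuntimeError("no servers available")

    def pick(self, client):
        """Return the server name for this connection and record the choice."""
        if client in self.clients:
            idx = self.clients[client]
            self.clients.move_to_end(client)  # mark as most recently used
            if not self.up[idx]:
                # Failover: scan from the server after the most recently used one.
                idx = self._next_available(self.last_used + 1)
                self.clients[client] = idx
        else:
            if len(self.clients) >= self.max_clients:
                self.clients.popitem(last=False)  # evict least recently used
            # Assumption for new clients (see module docstring).
            idx = self._next_available(self.last_used + 1)
            self.clients[client] = idx
        self.last_used = idx
        return self.servers[idx]


def eviction_trace(max_clients=2):
    """Affinity lost when the table overflows: (before, after) for one client."""
    lb = AffinityBalancer(["srv-a", "srv-b", "srv-c"], max_clients=max_clients)
    lb.pick("client-1")
    before = lb.pick("client-2")
    lb.pick("client-1")          # client-1 becomes most recently used
    lb.pick("client-3")          # table full: client-2 is evicted
    after = lb.pick("client-2")  # client-2 is now treated as new
    return before, after


def failover_trace():
    """The failover scan: (normal, failover, next_new) server choices."""
    lb = AffinityBalancer(["srv-a", "srv-b", "srv-c"])
    normal = lb.pick("client-1")    # srv-a
    lb.pick("client-2")             # srv-b, now most recently used
    lb.set_down(0)                  # srv-a goes away
    failover = lb.pick("client-1")  # scan starts after srv-b -> srv-c
    next_new = lb.pick("client-3")  # scan wraps past srv-a (down) -> srv-b
    return normal, failover, next_new


if __name__ == "__main__":
    print("eviction:", eviction_trace())
    print("failover:", failover_trace())
```

The two traces show the operational consequences of a bounded, LRU-evicted table: a burst of connections from many distinct clients pushes older entries out, and an evicted client is re-balanced as if it had never been seen, while failover for a remembered client continues from the server after the most recently used one rather than restarting at the head of the list.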


Required to run:
[security/openssl]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 180.295 KB

Version history:


CVS history:


   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3
   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
   2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.
   2019-01-10 15:58:56 by Amitai Schleier | Files touched by this commit (3) | Package updated
Log message:
Update to 0.34.1. From the changelog:

- Corrected typo in pen.c per suggestion by Belinda Liu.
  This fixes issue #38.
- Merged pull request from Vincent Bernat for OpenSSL 1.1.0 compatibility.
  This fixes issue #28.
- Allow setting local address for upstream connections. This fixes issue #31.
- New penctl command "source" to set this option.
- Fixed issue #30: UDP not working in combination with a configuration file.
- In epoll.c: check for EPOLLHUP.
- In dsr.c: always use our real mac address, to avoid confusing switches.
- Cleaned up code residue surrounded by "#if 0".
- Added CS_HALFDEAD for UDP streams that haven't seen traffic in a while.
- Bug in pending_and_closing: don't modify the list we're looping over.
- Updated pen manpage.
- Deprecated -Q option (it didn't do anything since kqueue was already the
  default where it was available).
- Fixed error handling in epoll support.
- Added transparent UDP test case to testsuite.sh.
- Contribution from Talik Eichinger: add X-Forwarded-Proto when doing
  SSL decryption.
- Added tarpit test case to testsuite.sh.
- Tarpit functionality to be used with the DSR mode.
- pen.1: removed obsolete -S option, updated defaults for -x and -L.
- In failover_server: sanity checks to failover routine.
- In add_client: add the initial server to .client as well as .initial.
- In failover_server: changed abuse_server to ABUSE_SERVER and emerg_server
  to EMERG_SERVER, to handle their default NO_SERVER values.
  See issue #19 on Github.
- At the suggestion from Marcos Vinicius Rogowski, the hash algorithm
  will now include the client port number if the -r (roundrobin)
  option is used. See https://github.com/UlricE/pen/pull/18
- Fixed IP-based client tracking.
- Removed unnecessary #include <pen.h> in dlist.c
- Added UDP mode for Direct Server Return.
- Updated configure.ac for compatibility with CentOS 6.
- Added #ifdef around SSLv3 initialization code in ssl, as
  suggested by jca@openbsd.org.
- Transparent reverse proxy support for Linux, FreeBSD and OpenBSD.
- Allow the client table size to be updated on the fly. Default size still 2048.
- Allow the connection table size to be updated on the fly. Default still 500.
- See penctl.1, options clients_max and conn_max.
- Introduced the macro NO_SERVER to be used instead of -1 to signify
  error conditions and such.
- Removed the fixed server table size along with the -S option.
- Fixed cosmetic bug in startup code which required port to be specified
  on backend servers even if it was the same as the listening port.
- Numerous updates to support the madness that is Windows.
- Fix from Vincent Bernat: segfault when not using SSL.
- DSR support using Netmap on FreeBSD.
- Unbroke DSR on Linux.
- Replaced all calls to perror with debug(..., strerror(errno);
- Updated penlog and penlogd to use diag.[ch].
- More refactoring: broke out conn.[ch], client.[ch], server.[ch],
  idler.[ch].
- Made a hash index such that the load balancer may balance load.
- Broke out Windows code from pen.c into windows.c. Added windows.h.
- Broke out public definitions for dsr into dsr.h.
- Broke out memory management into memory.[ch].
- Broke out diagnostic and logging functions into diag.[ch].
- Broke out settings into settings.[ch].
- Broke out access lists into acl.[ch].
- Broke out event initialization into event.[ch].
- Added pen_epoll.h, pen_kqueue.h, pen_poll.h, pen_select.h.
- Broke out pen_aton et al into netconv.[ch].
- Added dsr.c
- Bug in copy_down affecting SSL connections fixed.
- Updated ocsp stapling to be compatible with server name indication.
- Added pen-ocsp.sh script.
- SSL code broken out into ssl.[ch]. SSL context creation broken
  out from ssl_init to ssl_create_context.
- Server Name Indication support. New command to enable:
  ssl_sni_path PATH
  where PATH is the name of a directory containing domain.key,
  domain.crt and domain.ca files for each domain.
- OCSP stapling. New command ssl_ocsp_response filename
  specifies the location of the ocsp response to be stapled.
  The response must be pre-fetched. The idea was borrowed
  from Rob Stradling.
- New command ssl_client_renegotiation_interval specifies the
  minimum number of seconds the client must wait between
  renegotiation requests. Default 3600.
- Enabled SSL session resumption.
- In do_cmd: don't print "ignoring command" for comments starting
  with '#'.
- Added ssl_option no_tlsv1.1 and ssl_option no_tlsv1.2 to disable
  SSL 1.1 and 1.2 respectively.
- Added autoconf check that the ECDHE is available and not disabled.
- Bumped default max connections and listen queue to 500.
- Support for ECDHE cipher suites.
- New commands ssl_option and ssl_ciphers to individually disable
  insecure protocols and ciphers.
- Updated penctl.1 with the new command.
- New knob to tweak max number of pending nonblocking connection
  attempts: pending_max N (default 100).
- Moved dlist prototypes to dlist.h.
- Added check to close idle connections after a period of inactivity.
- Penctl: idle_timeout N (default 0 = never close idle connections).
- Moved git repository to GitHub.
- New feature: dummy server. Rather than acting as a proxy,
  Pen will pretend to be a web server with just barely enough
  functionality to work as a test target.
- Penctl: dummy|no dummy.
- Yet Another command: abort_on_error|no abort_on_error makes
  Pen call abort() (or not) when encountering a fatal error.
- New feature: "reliable idling". Pen will make and maintain a
  number of idle connections to the backend servers. When a connection
  closes, a new one is made (hence "reliable"). Penctl: idlers [N].
- In do_cmd: return diagnostics to penctl so the user can see them,
  instead of uselessly sending them to syslog.
- New penctl commands:
    - socket N (print which connection the socket belongs to)
    - connection N (print info on the specified connection)
    - close N (forcibly close connection N)
- In open_listener: check that the requested port is in range.
- Fixed bug in dlist_insert.
- Even load distribution when a server is unavailable.
- Let pen save the settings for tcp_nodelay and tcp_fastclose.
- Make flush_up and flush_down return the correct value on error.
- Added config.h.win with reasonable settings for Windows.
- Better detection and blacklisting of unavailable servers.
- New penctl commands:
    - tcp_nodelay sets TCP_NODELAY on sockets. Turn off with no tcp_nodelay.
    - tcp_fastclose closes both upstream and downstream sockets if one of them
      closes theirs. Will take the values up, down, both or off (default).
- Rather than making a table of pending connections every time through
  the main loop, keep them in a doubly linked list which is only updated
  as needed. O(n) -> O(1).
- A bug in udp mode: after successful "connect", do not event_add downfd,
  because it is equal to listenfd and epoll_ctl doesn't like that.
- Module kqueue.c updated.
- Module poll.c: set unused fd:s to -1, or Solaris will say ENOSYS.
- Enable diagnostic messages by default in configure.ac.
- Changed event bookkeeping from stateless to stateful.
- Made keepalive optional and added "keepalive / no keepalive" penctl
  command.
- Added windows.c and pen.h to the release tarball.
- More sensible autoconfiguration defaults: poll, kqueue, epoll, openssl and geoip
  are built if found unless explicitly excluded.
- New event management defaults: kqueue, epoll, poll, select in that order.
- New penctl commands: kqueue, epoll, poll, select.
- New command line option: -O cmd where cmd is any penctl command.
  E.g. -O select to use select instead of the compiled-in default.
- New penctl option "listen [address:]port" to allow listening address
  to be changed on the fly or via a configuration file.
- New pen options -i and -u to install and uninstall Pen as a Windows service.
- See pen manpage.
- Reduced default timeout to 3 seconds.
- New autoconf option --enable-debugging to enable debugging code.
- Lots of fixes for compatibility with Windows.
- Fixed bug in mainloop which kept trying to write 0 bytes.
- MinGW port. Use Makefile.win to compile.
- Event management code broken out into select.c, poll.c, kqueue.c and epoll.c.
- New command-line option -m to accept multiple incoming connections in a batch.
- New command-line option -q to set incoming pending connection queue length.
- Close upfd when failing over.
- Adjusted debug logging levels.
- Started on epoll support for Linux.
- Rewrote output_net and output_file to take a variable number of arguments.
- Handle timed out connection attempts in mainloop_kqueue.
- Fixed mainloop_kqueue.
- A lot of code broken out from mainloop_select into separate functions.
- Fixed mainloop_poll.
- Bugfixes related to the new backend connection logic.
- Cleaned up and simplified add_client() and associated circuitry.
- Connections to back end servers are now nonblocking and parallel.
- Removed the -n option and all code explicitly using blocking sockets.
- Removed the -D option and the "delayed forward" feature.
- Renamed server and client fields in the conn, client and server structures
  to better reflect what they are.
- Restructured the add_client, store_client, store_conn and try_server
  functions.
- Allow write_cfg to save IPv6 and GeoIP access lists.
- Fixed a bug in write_cfg, where Pen would try to write to an unwritable
  file. Reported by Steven Myint
- Return UDP replies from the server to the client.
- UDP load balancing code restructured and bugfixed.
- In mainloop_select: When there is a pending connection, keep accepting
  up to multi_accept times *or* until EAGAIN *or* connection table is full.
  This improves performance under load.
- Updated GeoIP support for IPv6.
- Servers can have ipv6 addresses. It is possible to use a mix of ipv4
  and ipv6 servers:
  ./pen -df -S 2 -r :::2222 [::1]:22 [127.0.0.1]:22
- In order to allow server addresses with : in them (i.e. ipv6), it is now
  possible to use square brackets around the address part of the server
  specification: [address]:port (e.g. [::1]:8080).
- Pen can now listen on ipv6 sockets in addition to ipv4 and unix ones.
  I.e. things like "pen ::1:2222 127.0.0.1:22" are now possible.
- snprintf format errors reported by Christopher Meng fixed in
  pen.c and penctl.c.
- Updated pen manpage to clarify what the control socket does.
- Resist opening control socket running as root.
- Remove the default file name for web log.
- New feature: unix domain listening sockets.
- Redesigned server and client structs to allow ipv6 addresses and require
  less casting (yuck) in the code.
- Updated penctl man page with syntax for IPv6 and GeoIP access lists.
- Fixed cosmetic signedness compiler warnings.
- Moved defines for ACE_IPV4 et al outside #ifdef HAVE_SSL clause.
  Otherwise pen won't compile without ssl.
- GeoIP access lists.
- Added "special exception" clause for linking with OpenSSL.
- Penlog ipv6 compatible.
- Modernized automake configuration.
- Penctl ipv6 compatible.
- Updated autoconf to 2.69.
- Updated SSL code. Protocol ssl2 removed. Default changed to tls1.
- Added UDP patch from Zen.
- Added patch from Debian that fixes some issues with penctl.cgi.
- Priority based server selection algorithm.
- Patch from Stephen P. Schaefer fixes several issues in write_cfg.
- In the server_by_weight function, multiply current connections
  by WEIGHT_FACTOR to make the selection more fine-grained when the
  number of connections is small.
- Patch from Dana Contreras: send stdio to /dev/null after forking.
- Fixed a bunch of cosmetic signedness compiler warnings.
   2016-03-30 00:01:13 by Joerg Sonnenberger | Files touched by this commit (3)
Log message:
Unconditionally remove SSLv2 support. Bump revision.
   2016-03-29 23:46:48 by Pierre Pronchery | Files touched by this commit (2)
Log message:
Fix build without support for SSLv2
   2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813)
Log message:
Bump PKGREVISION for security/openssl ABI bump.