Upgrade bitflags to 1.0

Closes #756
2017-12-25 19:38:00 -07:00 · 2017-12-25 19:38:00 -07:00 · bbae793eb3
parent 2aaba8bd7a
commit bbae793eb3
13 changed files with 190 additions and 223 deletions
--- a/openssl/Cargo.toml
+++ b/openssl/Cargo.toml
@ -19,7 +19,7 @@ v102 = []
 v110 = []
 [dependencies]
-bitflags = "0.9"
+bitflags = "1.0"
 foreign-types = "0.3.1"
 lazy_static = "1"
 libc = "0.2"
--- a/openssl/src/ec.rs
+++ b/openssl/src/ec.rs
@ -20,10 +20,10 @@
 //!
 //! ```
 //! use openssl::ec::{EcGroup, EcPoint};
-//! use openssl::nid;
+//! use openssl::nid::Nid;
 //! use openssl::error::ErrorStack;
-//! fn get_ec_point() -> Result< EcPoint, ErrorStack > {
+//! fn get_ec_point() -> Result<EcPoint, ErrorStack> {
-//!    let group = EcGroup::from_curve_name(nid::SECP224R1)?;
+//!    let group = EcGroup::from_curve_name(Nid::SECP224R1)?;
 //!    let point = EcPoint::new(&group)?;
 //!    Ok(point)
 //! }
@ -38,7 +38,7 @@ use std::mem;
 use libc::c_int;
 use {cvt, cvt_n, cvt_p, init};
-use bn::{BigNumRef, BigNumContextRef};
+use bn::{BigNumContextRef, BigNumRef};
 use error::ErrorStack;
 use nid::Nid;
@ -606,14 +606,14 @@ impl EcKey {
    /// ```no_run
    /// use openssl::bn::BigNumContext;
    /// use openssl::ec::*;
-    /// use openssl::nid;
+    /// use openssl::nid::Nid;
    /// use openssl::pkey::PKey;
    ///
    /// // get bytes from somewhere, i.e. this will not produce a valid key
    /// let public_key: Vec<u8> = vec![];
    ///
    /// // create an EcKey from the binary form of a EcPoint
-    /// let group = EcGroup::from_curve_name(nid::SECP256K1).unwrap();
+    /// let group = EcGroup::from_curve_name(Nid::SECP256K1).unwrap();
    /// let mut ctx = BigNumContext::new().unwrap();
    /// let point = EcPoint::from_bytes(&group, &public_key, &mut ctx).unwrap();
    /// let key = EcKey::from_public_key(&group, &point);
@ -645,7 +645,6 @@ impl EcKey {
    private_key_from_der!(EcKey, ffi::d2i_ECPrivateKey);
 }
 foreign_type_and_impl_send_sync! {
    type CType = ffi::EC_KEY;
    fn drop = ffi::EC_KEY_free;
@ -731,18 +730,18 @@ impl EcKeyBuilderRef {
 #[cfg(test)]
 mod test {
    use bn::{BigNum, BigNumContext};
-    use nid;
+    use nid::Nid;
    use data_encoding::BASE64URL_NOPAD;
    use super::*;
    #[test]
    fn key_new_by_curve_name() {
-        EcKey::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        EcKey::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
    }
    #[test]
    fn generate() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        let key = EcKey::generate(&group).unwrap();
        key.public_key().unwrap();
        key.private_key().unwrap();
@ -750,20 +749,20 @@ mod test {
    #[test]
    fn dup() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        let key = EcKey::generate(&group).unwrap();
        key.to_owned().unwrap();
    }
    #[test]
    fn point_new() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        EcPoint::new(&group).unwrap();
    }
    #[test]
    fn point_bytes() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        let key = EcKey::generate(&group).unwrap();
        let point = key.public_key().unwrap();
        let mut ctx = BigNumContext::new().unwrap();
@ -776,7 +775,7 @@ mod test {
    #[test]
    fn mul_generator() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        let key = EcKey::generate(&group).unwrap();
        let mut ctx = BigNumContext::new().unwrap();
        let mut public_key = EcPoint::new(&group).unwrap();
@ -792,7 +791,7 @@ mod test {
    #[test]
    fn key_from_public_key() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        let key = EcKey::generate(&group).unwrap();
        let mut ctx = BigNumContext::new().unwrap();
        let bytes = key.public_key()
@ -810,13 +809,13 @@ mod test {
    #[test]
    fn key_from_affine_coordinates() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
-        let x = BASE64URL_NOPAD.decode(
+        let x = BASE64URL_NOPAD
-            "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes(),
+            .decode("MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes())
-        ).unwrap();
+            .unwrap();
-        let y = BASE64URL_NOPAD.decode(
+        let y = BASE64URL_NOPAD
-            "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes(),
+            .decode("4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes())
-        ).unwrap();
+            .unwrap();
        let xbn = BigNum::from_slice(&x).unwrap();
        let ybn = BigNum::from_slice(&y).unwrap();
@ -834,10 +833,10 @@ mod test {
    #[test]
    fn set_private_key() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
-        let d = BASE64URL_NOPAD.decode(
+        let d = BASE64URL_NOPAD
-            "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE".as_bytes(),
+            .decode("870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE".as_bytes())
-        ).unwrap();
+            .unwrap();
        let dbn = BigNum::from_slice(&d).unwrap();
@ -851,13 +850,13 @@ mod test {
    #[test]
    fn get_affine_coordinates() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
-        let x = BASE64URL_NOPAD.decode(
+        let x = BASE64URL_NOPAD
-            "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes(),
+            .decode("MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes())
-        ).unwrap();
+            .unwrap();
-        let y = BASE64URL_NOPAD.decode(
+        let y = BASE64URL_NOPAD
-            "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes(),
+            .decode("4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes())
-        ).unwrap();
+            .unwrap();
        let xbn = BigNum::from_slice(&x).unwrap();
        let ybn = BigNum::from_slice(&y).unwrap();
--- a/openssl/src/nid.rs
+++ b/openssl/src/nid.rs
@ -16,9 +16,9 @@ use libc::c_int;
 /// To view the integer representation of a `Nid`:
 ///
 /// ```
-/// use openssl::nid;
+/// use openssl::nid::Nid;
 ///
-/// assert!(nid::AES_256_GCM.as_raw() == 901);
+/// assert!(Nid::AES_256_GCM.as_raw() == 901);
 /// ```
 ///
 /// # External Documentation
--- a/openssl/src/ocsp.rs
+++ b/openssl/src/ocsp.rs
@ -14,17 +14,17 @@ use x509::{X509, X509Ref};
 bitflags! {
    pub struct Flag: c_ulong {
-        const FLAG_NO_CERTS = ffi::OCSP_NOCERTS;
+        const NO_CERTS = ffi::OCSP_NOCERTS;
-        const FLAG_NO_INTERN = ffi::OCSP_NOINTERN;
+        const NO_INTERN = ffi::OCSP_NOINTERN;
-        const FLAG_NO_CHAIN = ffi::OCSP_NOCHAIN;
+        const NO_CHAIN = ffi::OCSP_NOCHAIN;
-        const FLAG_NO_VERIFY = ffi::OCSP_NOVERIFY;
+        const NO_VERIFY = ffi::OCSP_NOVERIFY;
-        const FLAG_NO_EXPLICIT = ffi::OCSP_NOEXPLICIT;
+        const NO_EXPLICIT = ffi::OCSP_NOEXPLICIT;
-        const FLAG_NO_CA_SIGN = ffi::OCSP_NOCASIGN;
+        const NO_CA_SIGN = ffi::OCSP_NOCASIGN;
-        const FLAG_NO_DELEGATED = ffi::OCSP_NODELEGATED;
+        const NO_DELEGATED = ffi::OCSP_NODELEGATED;
-        const FLAG_NO_CHECKS = ffi::OCSP_NOCHECKS;
+        const NO_CHECKS = ffi::OCSP_NOCHECKS;
-        const FLAG_TRUST_OTHER = ffi::OCSP_TRUSTOTHER;
+        const TRUST_OTHER = ffi::OCSP_TRUSTOTHER;
-        const FLAG_RESPID_KEY = ffi::OCSP_RESPID_KEY;
+        const RESPID_KEY = ffi::OCSP_RESPID_KEY;
-        const FLAG_NO_TIME = ffi::OCSP_NOTIME;
+        const NO_TIME = ffi::OCSP_NOTIME;
    }
 }
--- a/openssl/src/pkcs12.rs
+++ b/openssl/src/pkcs12.rs
@ -190,7 +190,7 @@ mod test {
    use asn1::Asn1Time;
    use rsa::Rsa;
    use pkey::PKey;
-    use nid;
+    use nid::Nid;
    use x509::{X509, X509Name};
    use x509::extension::KeyUsage;
@ -238,7 +238,7 @@ mod test {
        let pkey = PKey::from_rsa(rsa).unwrap();
        let mut name = X509Name::builder().unwrap();
-        name.append_entry_by_nid(nid::COMMONNAME, subject_name)
+        name.append_entry_by_nid(Nid::COMMONNAME, subject_name)
            .unwrap();
        let name = name.build();
--- a/openssl/src/pkey.rs
+++ b/openssl/src/pkey.rs
@ -1,4 +1,4 @@
-use libc::{c_void, c_char, c_int, size_t};
+use libc::{c_char, c_int, c_void, size_t};
 use std::ptr;
 use std::mem;
 use std::ffi::CString;
@ -10,9 +10,9 @@ use bio::MemBioSlice;
 use dh::Dh;
 use dsa::Dsa;
 use ec::EcKey;
-use rsa::{Rsa, Padding};
+use rsa::{Padding, Rsa};
 use error::ErrorStack;
-use util::{CallbackState, invoke_passwd_cb, invoke_passwd_cb_old};
+use util::{invoke_passwd_cb, invoke_passwd_cb_old, CallbackState};
 foreign_type_and_impl_send_sync! {
    type CType = ffi::EVP_PKEY;
@ -254,9 +254,7 @@ impl PKeyCtxRef {
    pub fn rsa_padding(&self) -> Result<Padding, ErrorStack> {
        let mut pad: c_int = 0;
        unsafe {
-            cvt(
+            cvt(ffi::EVP_PKEY_CTX_get_rsa_padding(self.as_ptr(), &mut pad))?;
                ffi::EVP_PKEY_CTX_get_rsa_padding(self.as_ptr(), &mut pad),
            )?;
        };
        Ok(Padding::from_raw(pad))
    }
@ -270,9 +268,7 @@ impl PKeyCtxRef {
    pub fn derive_set_peer(&mut self, peer: &PKeyRef) -> Result<(), ErrorStack> {
        unsafe {
-            cvt(
+            cvt(ffi::EVP_PKEY_derive_set_peer(self.as_ptr(), peer.as_ptr()))?;
                ffi::EVP_PKEY_derive_set_peer(self.as_ptr(), peer.as_ptr()),
            )?;
        }
        Ok(())
    }
@ -306,7 +302,7 @@ mod tests {
    use dsa::Dsa;
    use ec::{EcGroup, EcKey};
    use rsa::Rsa;
-    use nid;
+    use nid::Nid;
    use super::*;
@ -403,7 +399,7 @@ mod tests {
    #[test]
    fn test_ec_key_accessor() {
-        let ec_key = EcKey::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let ec_key = EcKey::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        let pkey = PKey::from_ec_key(ec_key).unwrap();
        pkey.ec_key().unwrap();
        assert!(pkey.rsa().is_err());
@ -411,7 +407,7 @@ mod tests {
    #[test]
    fn test_ec_key_derive() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        let ec_key = EcKey::generate(&group).unwrap();
        let ec_key2 = EcKey::generate(&group).unwrap();
        let pkey = PKey::from_ec_key(ec_key).unwrap();
--- a/openssl/src/sign.rs
+++ b/openssl/src/sign.rs
@ -353,7 +353,7 @@ mod test {
    use hash::MessageDigest;
    use sign::{Signer, Verifier};
    use ec::{EcGroup, EcKey};
-    use nid;
+    use nid::Nid;
    use rsa::{PKCS1_PADDING, Rsa};
    use dsa::Dsa;
    use pkey::PKey;
@ -569,7 +569,7 @@ mod test {
    #[test]
    fn ec() {
-        let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap();
+        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
        let key = EcKey::generate(&group).unwrap();
        let key = PKey::from_ec_key(key).unwrap();
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@ -3,8 +3,8 @@ use std::ops::{Deref, DerefMut};
 use dh::Dh;
 use error::ErrorStack;
-use ssl::{self, HandshakeError, Ssl, SslRef, SslContext, SslContextBuilder, SslMethod, SslStream,
+use ssl::{HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode, SslOptions,
-          SSL_VERIFY_PEER};
+          SslRef, SslStream, SslVerifyMode};
 use pkey::PKeyRef;
 use version;
 use x509::X509Ref;
@ -29,26 +29,19 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
    let mut ctx = SslContextBuilder::new(method)?;
-    let mut opts = ssl::SSL_OP_ALL;
+    let opts = SslOptions::ALL | SslOptions::NO_TICKET | SslOptions::NO_COMPRESSION
-    opts &= !ssl::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
+        | SslOptions::NO_SSLV2 | SslOptions::NO_SSLV3 | SslOptions::SINGLE_DH_USE
-    opts &= !ssl::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+        | SslOptions::SINGLE_ECDH_USE | SslOptions::CIPHER_SERVER_PREFERENCE;
    opts |= ssl::SSL_OP_NO_TICKET;
    opts |= ssl::SSL_OP_NO_COMPRESSION;
    opts |= ssl::SSL_OP_NO_SSLV2;
    opts |= ssl::SSL_OP_NO_SSLV3;
    opts |= ssl::SSL_OP_SINGLE_DH_USE;
    opts |= ssl::SSL_OP_SINGLE_ECDH_USE;
    opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE;
    ctx.set_options(opts);
-    let mut mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
+    let mut mode =
-        | ssl::SSL_MODE_ENABLE_PARTIAL_WRITE;
+        SslMode::AUTO_RETRY | SslMode::ACCEPT_MOVING_WRITE_BUFFER | SslMode::ENABLE_PARTIAL_WRITE;
    // This is quite a useful optimization for saving memory, but historically
    // caused CVEs in OpenSSL pre-1.0.1h, according to
    // https://bugs.python.org/issue25672
    if version::number() >= 0x1000108f {
-        mode |= ssl::SSL_MODE_RELEASE_BUFFERS;
+        mode |= SslMode::RELEASE_BUFFERS;
    }
    ctx.set_mode(mode);
@ -152,7 +145,11 @@ impl SslConnector {
    /// Returns a structure allowing for configuration of a single TLS session before connection.
    pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
-        Ssl::new(&self.0).map(|ssl| ConnectConfiguration { ssl, sni: true, verify_hostname: true })
+        Ssl::new(&self.0).map(|ssl| ConnectConfiguration {
            ssl,
            sni: true,
            verify_hostname: true,
        })
    }
 }
@ -228,7 +225,9 @@ impl ConnectConfiguration {
    where
        S: Read + Write,
    {
-        self.use_server_name_indication(false).verify_hostname(false).connect("", stream)
+        self.use_server_name_indication(false)
            .verify_hostname(false)
            .connect("", stream)
    }
 }
@ -415,7 +414,7 @@ impl SslAcceptor {
 #[cfg(any(ossl102, ossl110))]
 fn setup_verify(ctx: &mut SslContextBuilder) {
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
 }
 #[cfg(ossl101)]
@ -435,7 +434,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) {
 #[cfg(any(ossl102, ossl110))]
 fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
    let param = ssl._param_mut();
-    param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    param.set_hostflags(::verify::X509CheckFlags::NO_PARTIAL_WILDCARDS);
    match domain.parse() {
        Ok(ip) => param.set_ip(ip),
        Err(_) => param.set_host(domain),
@ -516,7 +515,10 @@ mod verify {
                // Unlike SANs, IP addresses in the subject name don't have a
                // different encoding.
                match domain.parse::<IpAddr>() {
-                    Ok(ip) => pattern.parse::<IpAddr>().ok().map_or(false, |pattern| pattern == ip),
+                    Ok(ip) => pattern
                        .parse::<IpAddr>()
                        .ok()
                        .map_or(false, |pattern| pattern == ip),
                    Err(_) => matches_dns(pattern, domain),
                }
            }
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@ -121,106 +121,85 @@ mod bio;
 #[cfg(test)]
 mod tests;
 // FIXME drop SSL_ prefix
 // FIXME remvove flags not used in OpenSSL 1.1
 bitflags! {
    /// Options controlling the behavior of an `SslContext`.
-    pub struct SslOption: c_ulong {
+    pub struct SslOptions: c_ulong {
        // FIXME remove
        const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG;
        // FIXME remove
        const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG;
        // FIXME remove
        const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG =
            ffi::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
        // FIXME remove
        const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = ffi::SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER;
        // FIXME remove
        const SSL_OP_SSLEAY_080_CLIENT_DH_BUG = ffi::SSL_OP_SSLEAY_080_CLIENT_DH_BUG;
        // FIXME remove
        const SSL_OP_TLS_D5_BUG = ffi::SSL_OP_TLS_D5_BUG;
        // FIXME remove
        const SSL_OP_TLS_BLOCK_PADDING_BUG = ffi::SSL_OP_TLS_BLOCK_PADDING_BUG;
        // FIXME remove? not documented anywhere
        const SSL_OP_CISCO_ANYCONNECT = ffi::SSL_OP_CISCO_ANYCONNECT;
        /// Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers.
-        const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+        const DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
        /// A "reasonable default" set of options which enables compatibility flags.
-        const SSL_OP_ALL = ffi::SSL_OP_ALL;
+        const ALL = ffi::SSL_OP_ALL;
        /// Do not query the MTU.
        ///
        /// Only affects DTLS connections.
-        const SSL_OP_NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU;
+        const NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU;
        /// Enables Cookie Exchange as described in [RFC 4347 Section 4.2.1].
        ///
        /// Only affects DTLS connections.
        ///
        /// [RFC 4347 Section 4.2.1]: https://tools.ietf.org/html/rfc4347#section-4.2.1
-        const SSL_OP_COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE;
+        const COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE;
        /// Disables the use of session tickets for session resumption.
-        const SSL_OP_NO_TICKET = ffi::SSL_OP_NO_TICKET;
+        const NO_TICKET = ffi::SSL_OP_NO_TICKET;
        /// Always start a new session when performing a renegotiation on the server side.
-        const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
+        const NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
            ffi::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
        /// Disables the use of TLS compression.
-        const SSL_OP_NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION;
+        const NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION;
        /// Allow legacy insecure renegotiation with servers or clients that do not support secure
        /// renegotiation.
-        const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
+        const ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
            ffi::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
        /// Creates a new key for each session when using ECDHE.
        ///
        /// This is always enabled in OpenSSL 1.1.0.
-        const SSL_OP_SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE;
+        const SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE;
        /// Creates a new key for each session when using DHE.
        ///
        /// This is always enabled in OpenSSL 1.1.0.
-        const SSL_OP_SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE;
+        const SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE;
        /// Use the server's preferences rather than the client's when selecting a cipher.
        ///
        /// This has no effect on the client side.
-        const SSL_OP_CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE;
+        const CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE;
        /// Disables version rollback attach detection.
-        const SSL_OP_TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG;
+        const TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG;
        /// Disables the use of SSLv2.
-        const SSL_OP_NO_SSLV2 = ffi::SSL_OP_NO_SSLv2;
+        const NO_SSLV2 = ffi::SSL_OP_NO_SSLv2;
        /// Disables the use of SSLv3.
-        const SSL_OP_NO_SSLV3 = ffi::SSL_OP_NO_SSLv3;
+        const NO_SSLV3 = ffi::SSL_OP_NO_SSLv3;
        /// Disables the use of TLSv1.0.
-        const SSL_OP_NO_TLSV1 = ffi::SSL_OP_NO_TLSv1;
+        const NO_TLSV1 = ffi::SSL_OP_NO_TLSv1;
        /// Disables the use of TLSv1.1.
-        const SSL_OP_NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1;
+        const NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1;
        /// Disables the use of TLSv1.2.
-        const SSL_OP_NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2;
+        const NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2;
        /// Disables the use of DTLSv1.0
        ///
        /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0.
        #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
-        const SSL_OP_NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1;
+        const NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1;
        /// Disables the use of DTLSv1.2.
        /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0.
        #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
-        const SSL_OP_NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2;
+        const NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2;
        /// Disables the use of all (D)TLS protocol versions.
        ///
@ -238,7 +217,7 @@ bitflags! {
        /// let options = SSL_OP_NO_SSL_MASK & !SSL_OP_NO_TLSV1_2;
        /// ```
        #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
-        const SSL_OP_NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK;
+        const NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK;
    }
 }
@ -250,11 +229,11 @@ bitflags! {
        /// Normally, a write in OpenSSL will always write out all of the requested data, even if it
        /// requires more than one TLS record or write to the underlying stream. This option will
        /// cause a write to return after writing a single TLS record instead.
-        const SSL_MODE_ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE;
+        const ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE;
        /// Disables a check that the data buffer has not moved between calls when operating in a
        /// nonblocking context.
-        const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
+        const ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
        /// Enables automatic retries after TLS session events such as renegotiations or heartbeats.
        ///
@ -265,25 +244,19 @@ bitflags! {
        /// Note that `SslStream::read` and `SslStream::write` will automatically retry regardless
        /// of the state of this option. It only affects `SslStream::ssl_read` and
        /// `SslStream::ssl_write`.
-        const SSL_MODE_AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY;
+        const AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY;
        /// Disables automatic chain building when verifying a peer's certificate.
        ///
        /// TLS peers are responsible for sending the entire certificate chain from the leaf to a
        /// trusted root, but some will incorrectly not do so. OpenSSL will try to build the chain
        /// out of certificates it knows of, and this option will disable that behavior.
-        const SSL_MODE_NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN;
+        const NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN;
        /// Release memory buffers when the session does not need them.
        ///
        /// This saves ~34 KiB of memory for idle streams.
-        const SSL_MODE_RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS;
+        const RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS;
        // FIXME remove
        #[cfg(not(libressl))]
        const SSL_MODE_SEND_CLIENTHELLO_TIME = ffi::SSL_MODE_SEND_CLIENTHELLO_TIME;
        #[cfg(not(libressl))]
        const SSL_MODE_SEND_SERVERHELLO_TIME = ffi::SSL_MODE_SEND_SERVERHELLO_TIME;
        /// Sends the fake `TLS_FALLBACK_SCSV` cipher suite in the ClientHello message of a
        /// handshake.
@ -293,7 +266,7 @@ bitflags! {
        ///
        /// Do not use this unless you know what you're doing!
        #[cfg(not(libressl))]
-        const SSL_MODE_SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV;
+        const SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV;
    }
 }
@ -335,19 +308,19 @@ bitflags! {
        /// Verifies that the peer's certificate is trusted.
        ///
        /// On the server side, this will cause OpenSSL to request a certificate from the client.
-        const SSL_VERIFY_PEER = ::ffi::SSL_VERIFY_PEER;
+        const PEER = ::ffi::SSL_VERIFY_PEER;
        /// Disables verification of the peer's certificate.
        ///
        /// On the server side, this will cause OpenSSL to not request a certificate from the
        /// client. On the client side, the certificate will be checked for validity, but the
        /// negotiation will continue regardless of the result of that check.
-        const SSL_VERIFY_NONE = ::ffi::SSL_VERIFY_NONE;
+        const NONE = ::ffi::SSL_VERIFY_NONE;
        /// On the server side, abort the handshake if the client did not send a certificate.
        ///
        /// This should be paired with `SSL_VERIFY_PEER`. It has no effect on the client side.
-        const SSL_VERIFY_FAIL_IF_NO_PEER_CERT = ::ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+        const FAIL_IF_NO_PEER_CERT = ::ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    }
 }
@ -900,9 +873,9 @@ impl SslContextBuilder {
    /// This corresponds to [`SSL_CTX_set_options`].
    ///
    /// [`SSL_CTX_set_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
-    pub fn set_options(&mut self, option: SslOption) -> SslOption {
+    pub fn set_options(&mut self, option: SslOptions) -> SslOptions {
        let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) };
-        SslOption::from_bits(ret).unwrap()
+        SslOptions::from_bits(ret).unwrap()
    }
    /// Returns the options used by the context.
@ -910,9 +883,9 @@ impl SslContextBuilder {
    /// This corresponds to [`SSL_CTX_get_options`].
    ///
    /// [`SSL_CTX_get_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
-    pub fn options(&self) -> SslOption {
+    pub fn options(&self) -> SslOptions {
        let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) };
-        SslOption::from_bits(ret).unwrap()
+        SslOptions::from_bits(ret).unwrap()
    }
    /// Clears the options used by the context, returning the old set.
@ -920,9 +893,9 @@ impl SslContextBuilder {
    /// This corresponds to [`SSL_CTX_clear_options`].
    ///
    /// [`SSL_CTX_clear_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
-    pub fn clear_options(&mut self, option: SslOption) -> SslOption {
+    pub fn clear_options(&mut self, option: SslOptions) -> SslOptions {
        let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) };
-        SslOption::from_bits(ret).unwrap()
+        SslOptions::from_bits(ret).unwrap()
    }
    /// Set the protocols to be used during Next Protocol Negotiation (the protocols
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@ -19,7 +19,7 @@ use hash::MessageDigest;
 use ocsp::{OcspResponse, RESPONSE_STATUS_UNAUTHORIZED};
 use ssl;
 use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptorBuilder, SslConnectorBuilder,
-          SslContext, SslMethod, SslStream, SSL_VERIFY_NONE, SSL_VERIFY_PEER, STATUS_TYPE_OCSP};
+          SslContext, SslMethod, SslStream, SslVerifyMode, STATUS_TYPE_OCSP};
 use x509::{X509, X509Name, X509StoreContext, X509_FILETYPE_PEM};
 #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
 use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
@ -131,8 +131,7 @@ macro_rules! run_test(
            use std::net::TcpStream;
            use ssl;
            use ssl::SslMethod;
-            use ssl::{SslContext, Ssl, SslStream};
+            use ssl::{SslContext, Ssl, SslStream, SslVerifyMode, SslOptions};
            use ssl::SSL_VERIFY_PEER;
            use hash::MessageDigest;
            use x509::X509StoreContext;
            #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
@ -160,7 +159,7 @@ run_test!(new_ctx, |method, _| {
 run_test!(verify_untrusted, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    match Ssl::new(&ctx.build()).unwrap().connect(stream) {
        Ok(_) => panic!("expected failure"),
@ -170,7 +169,7 @@ run_test!(verify_untrusted, |method, stream| {
 run_test!(verify_trusted, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -189,7 +188,7 @@ run_test!(verify_trusted_with_set_cert, |method, stream| {
    store.add_cert(x509).unwrap();
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    match ctx.set_verify_cert_store(store.build()) {
        Ok(_) => {}
@ -203,7 +202,7 @@ run_test!(verify_trusted_with_set_cert, |method, stream| {
 run_test!(verify_untrusted_callback_override_ok, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true);
+    ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| true);
    match Ssl::new(&ctx.build()).unwrap().connect(stream) {
        Ok(_) => (),
@ -213,14 +212,14 @@ run_test!(verify_untrusted_callback_override_ok, |method, stream| {
 run_test!(verify_untrusted_callback_override_bad, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| false);
+    ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| false);
    assert!(Ssl::new(&ctx.build()).unwrap().connect(stream).is_err());
 });
 run_test!(verify_trusted_callback_override_ok, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true);
+    ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| true);
    match ctx.set_ca_file(&Path::new("test/cert.pem")) {
        Ok(_) => {}
@ -234,7 +233,7 @@ run_test!(verify_trusted_callback_override_ok, |method, stream| {
 run_test!(verify_trusted_callback_override_bad, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| false);
+    ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| false);
    match ctx.set_ca_file(&Path::new("test/cert.pem")) {
        Ok(_) => {}
@ -245,7 +244,7 @@ run_test!(verify_trusted_callback_override_bad, |method, stream| {
 run_test!(verify_callback_load_certs, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| {
+    ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| {
        assert!(x509_ctx.current_cert().is_some());
        true
    });
@ -255,7 +254,7 @@ run_test!(verify_callback_load_certs, |method, stream| {
 run_test!(verify_trusted_get_error_ok, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| {
+    ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| {
        assert!(x509_ctx.error().is_none());
        true
    });
@ -269,7 +268,7 @@ run_test!(verify_trusted_get_error_ok, |method, stream| {
 run_test!(verify_trusted_get_error_err, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| {
+    ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| {
        assert!(x509_ctx.error().is_some());
        false
    });
@ -286,7 +285,7 @@ run_test!(verify_callback_data, |method, stream| {
    // Please update if "test/cert.pem" will ever change
    let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
    let node_id = Vec::from_hex(node_hash_str).unwrap();
-    ctx.set_verify_callback(SSL_VERIFY_PEER, move |_preverify_ok, x509_ctx| {
+    ctx.set_verify_callback(SslVerifyMode::PEER, move |_preverify_ok, x509_ctx| {
        let cert = x509_ctx.current_cert();
        match cert {
            None => false,
@ -314,7 +313,7 @@ run_test!(ssl_verify_callback, |method, stream| {
    let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584";
    let node_id = Vec::from_hex(node_hash_str).unwrap();
-    ssl.set_verify_callback(SSL_VERIFY_PEER, move |_, x509| {
+    ssl.set_verify_callback(SslVerifyMode::PEER, move |_, x509| {
        CHECKED.store(1, Ordering::SeqCst);
        match x509.current_cert() {
            None => false,
@ -349,7 +348,7 @@ fn test_write_hits_stream() {
    });
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
        .unwrap();
    ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM)
@ -384,15 +383,15 @@ run_test!(get_ctx_options, |method, _| {
 run_test!(set_ctx_options, |method, _| {
    let mut ctx = SslContext::builder(method).unwrap();
-    let opts = ctx.set_options(ssl::SSL_OP_NO_TICKET);
+    let opts = ctx.set_options(SslOptions::NO_TICKET);
-    assert!(opts.contains(ssl::SSL_OP_NO_TICKET));
+    assert!(opts.contains(SslOptions::NO_TICKET));
 });
 run_test!(clear_ctx_options, |method, _| {
    let mut ctx = SslContext::builder(method).unwrap();
-    ctx.set_options(ssl::SSL_OP_ALL);
+    ctx.set_options(SslOptions::ALL);
-    let opts = ctx.clear_options(ssl::SSL_OP_ALL);
+    let opts = ctx.clear_options(SslOptions::ALL);
-    assert!(!opts.contains(ssl::SSL_OP_ALL));
+    assert!(!opts.contains(SslOptions::ALL));
 });
 #[test]
@ -481,7 +480,7 @@ fn test_state() {
 fn test_connect_with_unilateral_alpn() {
    let (_s, stream) = Server::new();
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -503,7 +502,7 @@ fn test_connect_with_unilateral_alpn() {
 fn test_connect_with_unilateral_npn() {
    let (_s, stream) = Server::new();
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -525,7 +524,7 @@ fn test_connect_with_unilateral_npn() {
 fn test_connect_with_alpn_successful_multiple_matching() {
    let (_s, stream) = Server::new_alpn();
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -547,7 +546,7 @@ fn test_connect_with_alpn_successful_multiple_matching() {
 fn test_connect_with_npn_successful_multiple_matching() {
    let (_s, stream) = Server::new_alpn();
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -570,7 +569,7 @@ fn test_connect_with_npn_successful_multiple_matching() {
 fn test_connect_with_alpn_successful_single_match() {
    let (_s, stream) = Server::new_alpn();
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -585,7 +584,6 @@ fn test_connect_with_alpn_successful_single_match() {
    assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap());
 }
 /// Tests that when both the client as well as the server use NPN and their
 /// lists of supported protocols have an overlap -- with only ONE protocol
 /// being valid for both.
@ -594,7 +592,7 @@ fn test_connect_with_alpn_successful_single_match() {
 fn test_connect_with_npn_successful_single_match() {
    let (_s, stream) = Server::new_alpn();
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -619,7 +617,7 @@ fn test_npn_server_advertise_multiple() {
    // We create a different context instance for the server...
    let listener_ctx = {
        let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-        ctx.set_verify(SSL_VERIFY_PEER);
+        ctx.set_verify(SslVerifyMode::PEER);
        ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
        assert!(
            ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
@ -636,7 +634,7 @@ fn test_npn_server_advertise_multiple() {
    });
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -662,7 +660,7 @@ fn test_alpn_server_advertise_multiple() {
    // We create a different context instance for the server...
    let listener_ctx = {
        let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-        ctx.set_verify(SSL_VERIFY_PEER);
+        ctx.set_verify(SslVerifyMode::PEER);
        ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
        assert!(
            ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
@ -679,7 +677,7 @@ fn test_alpn_server_advertise_multiple() {
    });
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
        Ok(_) => {}
@ -705,7 +703,7 @@ fn test_alpn_server_select_none() {
    // We create a different context instance for the server...
    let listener_ctx = {
        let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-        ctx.set_verify(SSL_VERIFY_PEER);
+        ctx.set_verify(SslVerifyMode::PEER);
        ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
        assert!(
            ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM)
@ -722,7 +720,7 @@ fn test_alpn_server_select_none() {
    });
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    ctx.set_alpn_protocols(&[b"http/2"]).unwrap();
    ctx.set_ca_file(&Path::new("test/root-ca.pem")).unwrap();
    // Now connect to the socket and make sure the protocol negotiation works...
@ -961,7 +959,7 @@ fn refcount_ssl_context() {
 fn default_verify_paths() {
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
    ctx.set_default_verify_paths().unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    let s = TcpStream::connect("google.com:443").unwrap();
    let mut socket = Ssl::new(&ctx.build()).unwrap().connect(s).unwrap();
@ -987,7 +985,7 @@ fn add_extra_chain_cert() {
 fn verify_valid_hostname() {
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
    ctx.set_default_verify_paths().unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    let mut ssl = Ssl::new(&ctx.build()).unwrap();
    ssl.param_mut()
@ -1011,7 +1009,7 @@ fn verify_valid_hostname() {
 fn verify_invalid_hostname() {
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
    ctx.set_default_verify_paths().unwrap();
-    ctx.set_verify(SSL_VERIFY_PEER);
+    ctx.set_verify(SslVerifyMode::PEER);
    let mut ssl = Ssl::new(&ctx.build()).unwrap();
    ssl.param_mut()
@ -1081,7 +1079,7 @@ fn connector_no_hostname_can_disable_verify() {
    let (_s, tcp) = Server::new();
    let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
-    connector.set_verify(SSL_VERIFY_NONE);
+    connector.set_verify(SslVerifyMode::NONE);
    let connector = connector.build();
    connector
--- a/openssl/src/verify.rs
+++ b/openssl/src/verify.rs
@ -8,15 +8,15 @@ use error::ErrorStack;
 bitflags! {
    pub struct X509CheckFlags: c_uint {
-        const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
+        const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
-        const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
+        const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
-        const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
+        const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
-        const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
+        const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
-        const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+        const SINGLE_LABEL_SUBDOMAINS
            = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
        /// Requires the `v110` feature and OpenSSL 1.1.0.
        #[cfg(all(feature = "v110", ossl110))]
-        const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
+        const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
    }
 }
--- a/openssl/src/x509/extension.rs
+++ b/openssl/src/x509/extension.rs
@ -40,10 +40,10 @@ pub enum Extension {
    ///
    /// ```
    /// use openssl::x509::extension::Extension::*;
-    /// use openssl::nid;
+    /// use openssl::nid::Nid;
    ///
    /// # let generator = openssl::x509::X509Generator::new();
-    /// generator.add_extension(OtherNid(nid::BASIC_CONSTRAINTS,"critical,CA:TRUE".to_owned()));
+    /// generator.add_extension(OtherNid(Nid::BASIC_CONSTRAINTS,"critical,CA:TRUE".to_owned()));
    /// ```
    OtherNid(Nid, String),
    /// Arbitrary extensions by OID string. See `man ASN1_generate_nconf` for value syntax.
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@ -2,20 +2,19 @@ use hex::{FromHex, ToHex};
 use asn1::Asn1Time;
 use bn::{BigNum, MSB_MAYBE_ZERO};
-use ec::{NAMED_CURVE, EcGroup, EcKey};
+use ec::{EcGroup, EcKey, NAMED_CURVE};
 use hash::MessageDigest;
-use nid::X9_62_PRIME256V1;
+use nid::Nid;
 use pkey::PKey;
 use rsa::Rsa;
 use stack::Stack;
 use x509::{X509, X509Generator, X509Name, X509Req};
-use x509::extension::{Extension, BasicConstraints, KeyUsage, ExtendedKeyUsage,
+use x509::extension::{AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, Extension,
-                      SubjectKeyIdentifier, AuthorityKeyIdentifier, SubjectAlternativeName};
+                      KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier};
-use ssl::{SslMethod, SslContextBuilder};
+use ssl::{SslContextBuilder, SslMethod};
 use x509::extension::AltNameOption as SAN;
 use x509::extension::KeyUsageOption::{DigitalSignature, KeyEncipherment};
 use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth};
 use nid;
 fn get_generator() -> X509Generator {
    X509Generator::new()
@ -28,11 +27,11 @@ fn get_generator() -> X509Generator {
            ServerAuth,
            ExtKeyUsageOption::Other("2.999.1".to_owned()),
        ]))
-        .add_extension(Extension::SubjectAltName(
+        .add_extension(Extension::SubjectAltName(vec![
-            vec![(SAN::DNS, "example.com".to_owned())],
+            (SAN::DNS, "example.com".to_owned()),
-        ))
+        ]))
        .add_extension(Extension::OtherNid(
-            nid::BASIC_CONSTRAINTS,
+            Nid::BASIC_CONSTRAINTS,
            "critical,CA:TRUE".to_owned(),
        ))
        .add_extension(Extension::OtherStr(
@ -68,11 +67,11 @@ fn test_cert_gen_extension_ordering() {
    let pkey = pkey();
    get_generator()
        .add_extension(Extension::OtherNid(
-            nid::SUBJECT_KEY_IDENTIFIER,
+            Nid::SUBJECT_KEY_IDENTIFIER,
            "hash".to_owned(),
        ))
        .add_extension(Extension::OtherNid(
-            nid::AUTHORITY_KEY_IDENTIFIER,
+            Nid::AUTHORITY_KEY_IDENTIFIER,
            "keyid:always".to_owned(),
        ))
        .sign(&pkey)
@ -86,11 +85,11 @@ fn test_cert_gen_extension_bad_ordering() {
    let pkey = pkey();
    let result = get_generator()
        .add_extension(Extension::OtherNid(
-            nid::AUTHORITY_KEY_IDENTIFIER,
+            Nid::AUTHORITY_KEY_IDENTIFIER,
            "keyid:always".to_owned(),
        ))
        .add_extension(Extension::OtherNid(
-            nid::SUBJECT_KEY_IDENTIFIER,
+            Nid::SUBJECT_KEY_IDENTIFIER,
            "hash".to_owned(),
        ))
        .sign(&pkey);
@ -108,7 +107,7 @@ fn test_req_gen() {
    let req = X509Req::from_pem(&reqpem).ok().expect("Failed to load PEM");
    let cn = (*req)
        .subject_name()
-        .entries_by_nid(nid::COMMONNAME)
+        .entries_by_nid(Nid::COMMONNAME)
        .next()
        .unwrap();
    assert_eq!(0, (*req).version());
@ -155,7 +154,7 @@ fn test_subject_read_cn() {
    let cert = include_bytes!("../../test/cert.pem");
    let cert = X509::from_pem(cert).unwrap();
    let subject = cert.subject_name();
-    let cn = subject.entries_by_nid(nid::COMMONNAME).next().unwrap();
+    let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap();
    assert_eq!(cn.data().as_slice(), b"foobar.com")
 }
@ -165,16 +164,16 @@ fn test_nid_values() {
    let cert = X509::from_pem(cert).unwrap();
    let subject = cert.subject_name();
-    let cn = subject.entries_by_nid(nid::COMMONNAME).next().unwrap();
+    let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap();
    assert_eq!(cn.data().as_slice(), b"example.com");
    let email = subject
-        .entries_by_nid(nid::PKCS9_EMAILADDRESS)
+        .entries_by_nid(Nid::PKCS9_EMAILADDRESS)
        .next()
        .unwrap();
    assert_eq!(email.data().as_slice(), b"test@example.com");
-    let friendly = subject.entries_by_nid(nid::FRIENDLYNAME).next().unwrap();
+    let friendly = subject.entries_by_nid(Nid::FRIENDLYNAME).next().unwrap();
    assert_eq!(&**friendly.data().as_utf8().unwrap(), "Example");
 }
@ -184,7 +183,7 @@ fn test_nid_uid_value() {
    let cert = X509::from_pem(cert).unwrap();
    let subject = cert.subject_name();
-    let cn = subject.entries_by_nid(nid::USERID).next().unwrap();
+    let cn = subject.entries_by_nid(Nid::USERID).next().unwrap();
    assert_eq!(cn.data().as_slice(), b"this is the userId");
 }
@ -230,7 +229,7 @@ fn x509_builder() {
    let pkey = pkey();
    let mut name = X509Name::builder().unwrap();
-    name.append_entry_by_nid(nid::COMMONNAME, "foobar.com")
+    name.append_entry_by_nid(Nid::COMMONNAME, "foobar.com")
        .unwrap();
    let name = name.build();
@ -289,7 +288,7 @@ fn x509_builder() {
    assert!(pkey.public_eq(&x509.public_key().unwrap()));
    let cn = x509.subject_name()
-        .entries_by_nid(nid::COMMONNAME)
+        .entries_by_nid(Nid::COMMONNAME)
        .next()
        .unwrap();
    assert_eq!("foobar.com".as_bytes(), cn.data().as_slice());
@ -300,7 +299,7 @@ fn x509_req_builder() {
    let pkey = pkey();
    let mut name = X509Name::builder().unwrap();
-    name.append_entry_by_nid(nid::COMMONNAME, "foobar.com")
+    name.append_entry_by_nid(Nid::COMMONNAME, "foobar.com")
        .unwrap();
    let name = name.build();
@ -361,7 +360,7 @@ fn issued() {
 #[test]
 fn ecdsa_cert() {
-    let mut group = EcGroup::from_curve_name(X9_62_PRIME256V1).unwrap();
+    let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
    group.set_asn1_flag(NAMED_CURVE);
    let key = EcKey::generate(&group).unwrap();
    let key = PKey::from_ec_key(key).unwrap();
@ -387,15 +386,15 @@ fn signature() {
    assert_eq!(
        signature.as_slice().to_hex(),
        "4af607b889790b43470442cfa551cdb8b6d0b0340d2958f76b9e3ef6ad4992230cead6842587f0ecad5\
-                78e6e11a221521e940187e3d6652de14e84e82f6671f097cc47932e022add3c0cb54a26bf27fa84c107\
+         78e6e11a221521e940187e3d6652de14e84e82f6671f097cc47932e022add3c0cb54a26bf27fa84c107\
-                4971caa6bee2e42d34a5b066c427f2d452038082b8073993399548088429de034fdd589dcfb0dd33be7\
+         4971caa6bee2e42d34a5b066c427f2d452038082b8073993399548088429de034fdd589dcfb0dd33be7\
-                ebdfdf698a28d628a89568881d658151276bde333600969502c4e62e1d3470a683364dfb241f78d310a\
+         ebdfdf698a28d628a89568881d658151276bde333600969502c4e62e1d3470a683364dfb241f78d310a\
-                89c119297df093eb36b7fd7540224f488806780305d1e79ffc938fe2275441726522ab36d88348e6c51\
+         89c119297df093eb36b7fd7540224f488806780305d1e79ffc938fe2275441726522ab36d88348e6c51\
-                f13dcc46b5e1cdac23c974fd5ef86aa41e91c9311655090a52333bc79687c748d833595d4c5f987508f\
+         f13dcc46b5e1cdac23c974fd5ef86aa41e91c9311655090a52333bc79687c748d833595d4c5f987508f\
-                e121997410d37c"
+         e121997410d37c"
    );
    let algorithm = cert.signature_algorithm();
-    assert_eq!(algorithm.object().nid(), nid::SHA256WITHRSAENCRYPTION);
+    assert_eq!(algorithm.object().nid(), Nid::SHA256WITHRSAENCRYPTION);
    assert_eq!(algorithm.object().to_string(), "sha256WithRSAEncryption");
 }