Move SSL socket options into a separate options structure. Hacks Branch. NSS_PERFORMANCE_HACKS_BRANCH
authornelsonb%netscape.com
Fri, 26 Aug 2005 22:16:34 +0000
branchNSS_PERFORMANCE_HACKS_BRANCH
changeset 6060 a04e803f8b3c011cfa4414495fbc3cbf5e6f4feb
parent 6059 7ee9afaa712a883d6bb4f4b5e380144c03fa7260
child 6062 979491a2a572860317a1bf5757e3382e94ef404d
push idunknown
push userunknown
push dateunknown
Move SSL socket options into a separate options structure. Hacks Branch. Also implement two new environment variables.
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3gthr.c
security/nss/lib/ssl/sslauth.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/ssldef.c
security/nss/lib/ssl/sslgathr.c
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslsecur.c
security/nss/lib/ssl/sslsock.c
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -504,17 +504,17 @@ ssl3_config_match_init(sslSocket *ss)
     CK_MECHANISM_TYPE         cipher_mech;
     SSL3KEAType               exchKeyType;
     int                       i;
     int                       numPresent		= 0;
     int                       numEnabled		= 0;
     PRBool                    isServer;
     sslServerCerts           *svrAuth;
 
-    if (!ss->enableSSL3 && !ss->enableTLS) {
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
     	return 0;
     }
     isServer = (PRBool)( ss && ss->sec.isServer );
 
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
 	suite = &ss->cipherSuites[i];
 	if (suite->enabled) {
 	    ++numEnabled;
@@ -599,17 +599,17 @@ config_match(ssl3CipherSuiteCfg *suite, 
 
 /* return number of cipher suites that match policy and enabled state */
 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
 static int
 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
 {
     int i, count = 0;
 
-    if (!ss->enableSSL3 && !ss->enableTLS) {
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
     	return 0;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
 	if (config_match(&ss->cipherSuites[i], policy, enabled))
 	    count++;
     }
     if (count <= 0) {
 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
@@ -617,17 +617,17 @@ count_cipher_suites(sslSocket *ss, int p
     return count;
 }
 
 static PRBool
 anyRestrictedEnabled(sslSocket *ss)
 {
     int i;
 
-    if (!ss->enableSSL3 && !ss->enableTLS) {
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
     	return PR_FALSE;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
 	if (suite->policy == SSL_RESTRICTED &&
 	    suite->enabled &&
 	    suite->isPresent)
 	    return PR_TRUE;
@@ -654,31 +654,31 @@ Null_Cipher(void *ctx, unsigned char *ou
  */
 
 SECStatus
 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion)
 {
     SSL3ProtocolVersion version;
     SSL3ProtocolVersion maxVersion;
 
-    if (ss->enableTLS) {
+    if (ss->opt.enableTLS) {
 	maxVersion = SSL_LIBRARY_VERSION_3_1_TLS;
-    } else if (ss->enableSSL3) {
+    } else if (ss->opt.enableSSL3) {
 	maxVersion = SSL_LIBRARY_VERSION_3_0;
     } else {
     	/* what are we doing here? */
-	PORT_Assert(ss->enableSSL3 || ss->enableTLS);
+	PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
 	return SECFailure;
     }
 
     ss->version = version = PR_MIN(maxVersion, peerVersion);
 
-    if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->enableTLS) ||
-    	(version == SSL_LIBRARY_VERSION_3_0     && ss->enableSSL3)) {
+    if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->opt.enableTLS) ||
+    	(version == SSL_LIBRARY_VERSION_3_0     && ss->opt.enableSSL3)) {
 	return SECSuccess;
     }
 
     PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
     return SECFailure;
 
 }
 
@@ -1024,17 +1024,17 @@ ssl3_CleanupKeyMaterial(ssl3KeyMaterial 
 **	       ssl3_HandleChangeCipherSpecs()
 **             ssl3_DestroySSL3Info
 ** Caller must hold SpecWriteLock.
 */
 static void
 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec)
 {
     PRBool freeit = (PRBool)(!spec->bypassCiphers);
-/*  PORT_Assert( ss->noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
+/*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
     if (spec->destroy) {
 	spec->destroy(spec->encodeContext, freeit);
 	spec->destroy(spec->decodeContext, freeit);
 	spec->encodeContext = NULL; /* paranoia */
 	spec->decodeContext = NULL;
     }
     if (spec->master_secret != NULL) {
 	PK11_FreeSymKey(spec->master_secret);
@@ -1061,17 +1061,17 @@ ssl3_SetupPendingCipherSpec(sslSocket *s
     ssl3CipherSpec *          cwSpec;
     ssl3CipherSuite           suite     = ss->ssl3.hs.cipher_suite;
     SSL3MACAlgorithm          mac;
     SSL3BulkCipher            cipher;
     SSL3KeyExchangeAlgorithm  kea;
     const ssl3CipherSuiteDef *suite_def;
     PRBool                    isTLS;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     ssl_GetSpecWriteLock(ss);  /*******************************/
 
     pwSpec = ss->ssl3.pwSpec;
     PORT_Assert(pwSpec == ss->ssl3.prSpec);
 
     /* This hack provides maximal interoperability with SSL 3 servers. */
     cwSpec = ss->ssl3.cwSpec;
@@ -1138,17 +1138,17 @@ const ssl3BulkCipherDef *cipher_def;
       int                mode     = 0;
       unsigned int       optArg1  = 0;
       unsigned int       optArg2  = 0;
       PRBool             server_encrypts = ss->sec.isServer;
       CK_ULONG           macLength;
       SSLCipherAlgorithm calg;
       SECStatus          rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
     macLength     = pwSpec->mac_size;
 
     /* MAC setup is done when computing the mac, not here.
@@ -1287,17 +1287,17 @@ const ssl3BulkCipherDef *cipher_def;
       CK_MECHANISM_TYPE  mechanism;
       CK_MECHANISM_TYPE  mac_mech;
       CK_ULONG           macLength;
       CK_ULONG           effKeyBits;
       SECItem            iv;
       SECItem            mac_param;
       SSLCipherAlgorithm calg;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
     macLength     = pwSpec->mac_size;
 
     /* 
@@ -1425,17 +1425,17 @@ fail:
  * For the bypass case,  pms is NULL.
  */
 static SECStatus
 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
 {
     ssl3CipherSpec  *  pwSpec;
     SECStatus          rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     ssl_GetSpecWriteLock(ss);	/**************************************/
 
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
 
     if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
@@ -1719,17 +1719,17 @@ ssl3_SendRecord(   sslSocket *        ss
     PRInt32                   sent        =  0;
     PRBool                    isBlocking  = ssl_SocketIsBlocking(ss);
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s bytes=%d",
 		SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
 		bytes));
     PRINT_BUF(3, (ss, "Send record (plain text)", buf, bytes));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     if (ss->ssl3.initialized == PR_FALSE) {
 	/* This can happen on a server if the very first incoming record
 	** looks like a defective ssl3 record (e.g. too long), and we're
 	** trying to send an alert.
 	*/
 	PR_ASSERT(type == content_alert);
 	rv = ssl3_InitState(ss);
@@ -1952,17 +1952,17 @@ spec_locked_loser:
  * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
  */
 int
 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
 			 PRInt32 len, PRInt32 flags)
 {
     PRInt32   sent	= 0;
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     while (len > 0) {
 	PRInt32   count;
 
 	if (sent > 0) {
 	    /*
 	     * The thread yield is intended to give the reader thread a
 	     * chance to get some cycles while the writer thread is in
@@ -1996,18 +1996,18 @@ ssl3_SendApplicationData(sslSocket *ss, 
  *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
  *             ssl3_SendFinished(),
  */
 static SECStatus
 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
 {
     PRInt32 rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
 	return SECSuccess;
 
     rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
 			 ss->sec.ci.sendBuf.len, flags);
     if (rv < 0) {
 	return (SECStatus)rv;	/* error code set by ssl3_SendRecord */
@@ -2037,19 +2037,19 @@ ssl3_HandleNoCertificate(sslSocket *ss)
 
     /* If the server has required client-auth blindly but doesn't
      * actually look at the certificate it won't know that no
      * certificate was presented so we shutdown the socket to ensure
      * an error.  We only do this if we haven't already completed the
      * first handshake because if we're redoing the handshake we 
      * know the server is paying attention to the certificate.
      */
-    if ((ss->requireCertificate == SSL_REQUIRE_ALWAYS) ||
+    if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
 	(!ss->firstHsDone && 
-	 (ss->requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
+	 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
 	PRFileDesc * lower;
 
 	ss->sec.uncache(ss->sec.ci.sid);
 	SSL3_SendAlert(ss, alert_fatal, bad_certificate);
 
 	lower = ss->fd->lower;
 #ifdef _WIN32
 	lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
@@ -2166,18 +2166,18 @@ ssl3_DecodeError(sslSocket *ss)
 */
 static SECStatus
 ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
 {
     SSL3AlertLevel       level;
     SSL3AlertDescription desc;
     int                  error;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
 
     if (buf->len != 2) {
 	(void)ssl3_DecodeError(ss);
 	PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
 	return SECFailure;
     }
@@ -2264,18 +2264,18 @@ ssl3_SendChangeCipherSpecs(sslSocket *ss
     uint8             change = change_cipher_spec_choice;
     ssl3CipherSpec *  pwSpec;
     SECStatus         rv;
     PRInt32           sent;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv != SECSuccess) {
 	return rv;	/* error code set by ssl3_FlushHandshake */
     }
     sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
                               ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (sent < 0) {
@@ -2314,18 +2314,18 @@ ssl3_SendChangeCipherSpecs(sslSocket *ss
 */
 static SECStatus
 ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
 {
     ssl3CipherSpec *           prSpec;
     SSL3WaitState              ws      = ss->ssl3.hs.ws;
     SSL3ChangeCipherSpecChoice change;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
 		SSL_GETPID(), ss->fd));
 
     if (ws != wait_change_cipher) {
 	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
 	return SECFailure;
@@ -2391,18 +2391,18 @@ ssl3_DeriveMasterSecret(sslSocket *ss, c
     SECStatus         rv = SECFailure;
     CK_MECHANISM_TYPE master_derive;
     CK_MECHANISM_TYPE key_derive;
     SECItem           params;
     CK_FLAGS          keyFlags;
     CK_VERSION        pms_version;
     CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSpecWriteLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
     if (isTLS) {
 	if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
 	else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
 	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
 	keyFlags      = CKF_SIGN | CKF_VERIFY;
     } else {
 	if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
@@ -2421,17 +2421,17 @@ ssl3_DeriveMasterSecret(sslSocket *ss, c
 	params.data = (unsigned char *) &master_params;
 	params.len  = sizeof master_params;
     }
 
     if (pms != NULL) {
 	pwSpec->master_secret = PK11_DeriveWithFlags((PK11SymKey *)pms, 
 					master_derive, &params, key_derive, 
 					CKA_DERIVE, 0, keyFlags);
-	if (!isDH && pwSpec->master_secret && ss->detectRollBack) {
+	if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
 	    SSL3ProtocolVersion client_version;
 	    client_version = pms_version.major << 8 | pms_version.minor;
 	    if (client_version != ss->clientHelloVersion) {
 		/* Destroy it.  Version roll-back detected. */
 		PK11_FreeSymKey(pwSpec->master_secret);
 	    	pwSpec->master_secret = NULL;
 	    }
 	}
@@ -2467,17 +2467,17 @@ ssl3_DeriveMasterSecret(sslSocket *ss, c
 	if (fpms) {
 	    PK11_FreeSymKey(fpms);
     	}
     }
     if (pwSpec->master_secret == NULL) {
 	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
 	return rv;
     }
-    if (ss->bypassPKCS11) {
+    if (ss->opt.bypassPKCS11) {
 	SECItem * keydata;
 	/* In hope of doing a "double bypass", 
 	 * need to extract the master secret's value from the key object 
 	 * and store it raw in the sslSocket struct.
 	 */
 	rv = PK11_ExtractKeyValue(pwSpec->master_secret);
 	if (rv != SECSuccess) {
 	    return rv;
@@ -2532,18 +2532,18 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke
     CK_SSL3_KEY_MAT_PARAMS key_material_params;
     CK_SSL3_KEY_MAT_OUT    returnedKeys;
     CK_MECHANISM_TYPE      key_derive;
     CK_MECHANISM_TYPE      bulk_mechanism;
     SSLCipherAlgorithm     calg;
     SECItem                params;
     PRBool         skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSpecWriteLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     if (!pwSpec->master_secret) {
 	PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
 	return SECFailure;
     }
     /*
      * generate the key material
@@ -2646,21 +2646,21 @@ loser:
 **		ssl3_HandleHandshakeMessage()
 ** Caller must hold the ssl3Handshake lock.
 */
 static SECStatus
 ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)
 {
     SECStatus  rv = SECSuccess;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
 
-    if (ss->bypassPKCS11) {
+    if (ss->opt.bypassPKCS11) {
 	MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
 	SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
 	return rv;
     }
     rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
     if (rv != SECSuccess) {
 	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
 	return rv;
@@ -2680,17 +2680,17 @@ ssl3_UpdateHandshakeHashes(sslSocket *ss
  **************************************************************************/
 static SECStatus
 ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
 {
     unsigned char *  src  = (unsigned char *)void_src;
     int              room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
     SECStatus        rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
 
     if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
 	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
 		 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
 	if (rv != SECSuccess)
 	    return rv;	/* sslBuffer_Grow has set a memory error code. */
 	room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
     }
@@ -2795,18 +2795,18 @@ ssl3_AppendHandshakeHeader(sslSocket *ss
  * If this function returns SECFailure, it has already sent an alert,
  * and has set a generic error code.  The caller should probably
  * override the generic error code by setting another.
  */
 static SECStatus
 ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
 		      PRUint32 *length)
 {
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if ((PRUint32)bytes > *length) {
 	return ssl3_DecodeError(ss);
     }
     PORT_Memcpy(v, *b, bytes);
     PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
     *b      += bytes;
     *length -= bytes;
@@ -2827,18 +2827,18 @@ ssl3_ConsumeHandshake(sslSocket *ss, voi
 static PRInt32
 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
 			    PRUint32 *length)
 {
     uint8     *buf = *b;
     int       i;
     PRInt32   num = 0;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( bytes <= sizeof num);
 
     if ((PRUint32)bytes > *length) {
 	return ssl3_DecodeError(ss);
     }
     PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
 
     for (i = 0; i < bytes; i++)
@@ -2907,19 +2907,19 @@ ssl3_ComputeHandshakeHashes(sslSocket * 
 			    uint32          sender)
 {
     SECStatus     rv        = SECSuccess;
     PRBool        isTLS     = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
     unsigned int  outLength;
     SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
     SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (ss->bypassPKCS11) {
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->opt.bypassPKCS11) {
 	/* compute them without PKCS11 */
 	PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
 	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
 
 #define md5cx ((MD5Context *)md5_cx)
 #define shacx ((SHA1Context *)sha_cx)
 
 	if (!spec->msItem.data) {
@@ -3195,27 +3195,27 @@ ssl3_SendClientHello(sslSocket *ss)
     int              i;
     int              length;
     int              num_suites;
     int              actual_count = 0;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
 		ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
 	return rv;		/* ssl3_InitState has set the error code. */
     }
 
     SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
 	    SSL_GETPID(), ss->fd ));
-    if (ss->bypassPKCS11) {
+    if (ss->opt.bypassPKCS11) {
 	MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
 	SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
     } else {
 	rv = PK11_DigestBegin(ss->ssl3.hs.md5);
 	if (rv != SECSuccess) {
 	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
 	    return rv;
 	}
@@ -3225,17 +3225,17 @@ ssl3_SendClientHello(sslSocket *ss)
 	    return rv;
 	}
     }
     /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
      * handles expired entries and other details.
      * XXX If we've been called from ssl2_BeginClientHandshake, then
      * this lookup is duplicative and wasteful.
      */
-    sid = (ss->noCache) ? NULL
+    sid = (ss->opt.noCache) ? NULL
 	    : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url);
 
     /* We can't resume based on a different token. If the sid exists,
      * make sure the token that holds the master secret still exists ...
      * If we previously did client-auth, make sure that the token that holds
      * the private key still exists, is logged in, hasn't been removed, etc.
      */
     if (sid) {
@@ -3315,18 +3315,18 @@ ssl3_SendClientHello(sslSocket *ss)
     if (ss->sec.ci.sid != NULL) {
 	ssl_FreeSID(ss->sec.ci.sid);	/* decrement ref count, free if zero */
     }
     ss->sec.ci.sid = sid;
 
     ss->sec.send = ssl3_SendApplicationData;
 
     /* shouldn't get here if SSL3 is disabled, but ... */
-    PORT_Assert(ss->enableSSL3 || ss->enableTLS);
-    if (!ss->enableSSL3 && !ss->enableTLS) {
+    PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
     	return SECFailure;
     }
 
     /* how many suites does our PKCS11 support (regardless of policy)? */
     num_suites = ssl3_config_match_init(ss);
     if (!num_suites)
     	return SECFailure;	/* ssl3_config_match_init has set error code. */
@@ -3431,18 +3431,18 @@ static SECStatus
 ssl3_HandleHelloRequest(sslSocket *ss)
 {
     sslSessionID *sid = ss->sec.ci.sid;
     SECStatus     rv;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws == wait_server_hello)
 	return SECSuccess;
     if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
 	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
 	return SECFailure;
     }
@@ -3734,18 +3734,18 @@ done:
 static SECStatus
 sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
 {
     PK11SymKey *	pms 		= NULL;
     SECStatus           rv    		= SECFailure;
     SECItem 		enc_pms 	= {siBuffer, NULL, 0};
     PRBool              isTLS;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     /* Generate the pre-master secret ...  */
     ssl_GetSpecWriteLock(ss);
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
 
     pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
     ssl_ReleaseSpecWriteLock(ss);
     if (pms == NULL) {
@@ -3810,18 +3810,18 @@ sendDHClientKeyExchange(sslSocket * ss, 
     SECStatus           rv    		= SECFailure;
     PRBool              isTLS;
     CK_MECHANISM_TYPE	target;
 
     SECKEYDHParams	dhParam;		/* DH parameters */
     SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral DH key */
     SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral DH key */
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
 
     /* Copy DH parameters from server key */
 
     dhParam.prime.data = svrPubKey->u.dh.prime.data;
     dhParam.prime.len = svrPubKey->u.dh.prime.len;
     dhParam.base.data = svrPubKey->u.dh.base.data;
@@ -3898,18 +3898,18 @@ ssl3_SendClientKeyExchange(sslSocket *ss
 {
     SECKEYPublicKey *	serverKey 	= NULL;
     SECStatus 		rv 		= SECFailure;
     PRBool              isTLS;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     if (ss->sec.peerKey == NULL) {
 	serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
 	if (serverKey == NULL) {
 	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
 	    return SECFailure;
 	}
     } else {
@@ -3970,18 +3970,18 @@ loser:
 static SECStatus
 ssl3_SendCertificateVerify(sslSocket *ss)
 {
     SECStatus     rv		= SECFailure;
     PRBool        isTLS;
     SECItem       buf           = {siBuffer, NULL, 0};
     SSL3Hashes    hashes;
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
 		SSL_GETPID(), ss->fd));
 
     ssl_GetSpecReadLock(ss);
     rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
     ssl_ReleaseSpecReadLock(ss);
     if (rv != SECSuccess) {
@@ -4048,18 +4048,18 @@ ssl3_HandleServerHello(sslSocket *ss, SS
     SECItem       sidBytes 	= {siBuffer, NULL, 0};
     PRBool        sid_match;
     PRBool        isTLS		= PR_FALSE;
     SSL3AlertDescription desc   = illegal_parameter;
     SSL3ProtocolVersion version;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
     	SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
 	errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
 	goto alert_loser;
     }
     if (ss->ssl3.hs.ws != wait_server_hello) {
         errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
@@ -4195,17 +4195,17 @@ ssl3_HandleServerHello(sslSocket *ss, SS
 	ss->sec.keaKeyBits    = sid->keaKeyBits;
 
 	/* 3 cases here:
 	 * a) key is wrapped (implies using PKCS11)
 	 * b) key is unwrapped, but we're still using PKCS11
 	 * c) key is unwrapped, and we're bypassing PKCS11.
 	 */
 	if (sid->u.ssl3.keys.msIsWrapped) {
-	    if (ss->bypassPKCS11) {
+	    if (ss->opt.bypassPKCS11) {
 		/* we cannot restart a non-bypass session in a 
 		** bypass socket.
 		*/
 		break;  
 	    }
 	    /* unwrap master secret with PKCS11 */
 	    slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
 				     sid->u.ssl3.masterSlotID);
@@ -4235,17 +4235,17 @@ ssl3_HandleServerHello(sslSocket *ss, SS
 		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
 			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
 			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
 	    errCode = PORT_GetError();
 	    PK11_FreeSymKey(wrapKey);
 	    if (pwSpec->master_secret == NULL) {
 		break;	/* errorCode set just after call to UnwrapSymKey. */
 	    }
-	} else if (ss->bypassPKCS11) {
+	} else if (ss->opt.bypassPKCS11) {
 	    /* MS is not wrapped */
 	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
 	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
 	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
 	    pwSpec->msItem.data = pwSpec->raw_master_secret;
 	    pwSpec->msItem.len  = wrappedMS.len;
 	} else {
 	    /* We CAN restart a bypass session in a non-bypass socket. */
@@ -4326,18 +4326,18 @@ ssl3_HandleServerKeyExchange(sslSocket *
     SECStatus        rv;
     int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
     SSL3AlertDescription desc  = illegal_parameter;
     SSL3Hashes       hashes;
     SECItem          signature = {siBuffer, NULL, 0};
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
 		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws != wait_server_key &&
 	ss->ssl3.hs.ws != wait_server_cert) {
 	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
 	desc    = unexpected_message;
 	goto alert_loser;
     }
     if (ss->sec.peerCert == NULL) {
@@ -4377,17 +4377,17 @@ ssl3_HandleServerKeyExchange(sslSocket *
     	desc = isTLS ? decrypt_error : handshake_failure;
 
     	/*
      	 *  check to make sure the hash is signed by right guy
      	 */
     	rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent,
 					  &ss->ssl3.hs.client_random,
 					  &ss->ssl3.hs.server_random, 
-					  &hashes, ss->bypassPKCS11);
+					  &hashes, ss->opt.bypassPKCS11);
         if (rv != SECSuccess) {
 	    errCode =
 	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
 	    goto alert_loser;
 	}
         rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
 				    isTLS, ss->pkcs11PinArg);
 	if (rv != SECSuccess)  {
@@ -4463,17 +4463,17 @@ ssl3_HandleServerKeyExchange(sslSocket *
     	desc = isTLS ? decrypt_error : handshake_failure;
 
     	/*
      	 *  check to make sure the hash is signed by right guy
      	 */
     	rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys,
 					  &ss->ssl3.hs.client_random,
 					  &ss->ssl3.hs.server_random, 
-					  &hashes, ss->bypassPKCS11);
+					  &hashes, ss->opt.bypassPKCS11);
         if (rv != SECSuccess) {
 	    errCode =
 	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
 	    goto alert_loser;
 	}
         rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
 				    isTLS, ss->pkcs11PinArg);
 	if (rv != SECSuccess)  {
@@ -4667,18 +4667,18 @@ ssl3_HandleCertificateRequest(sslSocket 
     int                  nnames      = 0;
     SECStatus            rv;
     SSL3AlertDescription desc        = illegal_parameter;
     SECItem              cert_types  = {siBuffer, NULL, 0};
     CERTDistNames        ca_list;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
 		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws != wait_cert_request &&
     	ss->ssl3.hs.ws != wait_server_key) {
 	desc    = unexpected_message;
 	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
 	goto alert_loser;
     }
 
@@ -4901,18 +4901,18 @@ static SECStatus
 ssl3_HandleServerHelloDone(sslSocket *ss)
 {
     SECStatus     rv;
     SSL3WaitState ws          = ss->ssl3.hs.ws;
     PRBool        send_verify = PR_FALSE;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
 		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ws != wait_hello_done  &&
         ws != wait_server_cert &&
 	ws != wait_server_key  &&
 	ws != wait_cert_request) {
 	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
 	return SECFailure;
@@ -4973,18 +4973,18 @@ loser:
 static SECStatus
 ssl3_SendHelloRequest(sslSocket *ss)
 {
     SECStatus rv;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
 		ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
     if (rv != SECSuccess) {
 	return rv;	/* err set by AppendHandshake */
     }
     rv = ssl3_FlushHandshake(ss, 0);
     if (rv != SECSuccess) {
 	return rv;	/* error code set by ssl3_FlushHandshake */
@@ -5045,18 +5045,18 @@ static SECStatus
 ssl3_SendServerHelloSequence(sslSocket *ss)
 {
     const ssl3KEADef *kea_def;
     SECStatus         rv;
 
     SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_SendServerHello(ss);
     if (rv != SECSuccess) {
 	return rv;	/* err code is set. */
     }
     rv = ssl3_SendCertificate(ss);
     if (rv != SECSuccess) {
 	return rv;	/* error code is set. */
@@ -5095,28 +5095,28 @@ ssl3_SendServerHelloSequence(sslSocket *
 	       (kea_def->kea == kea_ecdhe_ecdsa)) {
 	rv = ssl3_SendServerKeyExchange(ss);
 	if (rv != SECSuccess) {
 	    return rv;	/* err code was set. */
 	}
 #endif /* NSS_ENABLE_ECC */
     }
 
-    if (ss->requestCertificate) {
+    if (ss->opt.requestCertificate) {
 	rv = ssl3_SendCertificateRequest(ss);
 	if (rv != SECSuccess) {
 	    return rv;		/* err code is set. */
 	}
     }
     rv = ssl3_SendServerHelloDone(ss);
     if (rv != SECSuccess) {
 	return rv;		/* err code is set. */
     }
 
-    ss->ssl3.hs.ws = (ss->requestCertificate) ? wait_client_cert
+    ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
                                                : wait_client_key;
     return SECSuccess;
 }
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Client Hello message.
  * Caller must hold Handshake and RecvBuf locks.
  */
@@ -5135,18 +5135,18 @@ ssl3_HandleClientHello(sslSocket *ss, SS
     SECItem             suites   = {siBuffer, NULL, 0};
     SECItem             comps    = {siBuffer, NULL, 0};
     PRBool              haveSpecWriteLock = PR_FALSE;
     PRBool              haveXmitBufLock   = PR_FALSE;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
     	SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     /* Get peer name of client */
     rv = ssl_GetPeerInfo(ss);
     if (rv != SECSuccess) {
 	return rv;		/* error code is set. */
     }
 
     rv = ssl3_InitState(ss);
@@ -5180,17 +5180,17 @@ ssl3_HandleClientHello(sslSocket *ss, SS
     }
 
     /* grab the client's SID, if present. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
     if (rv != SECSuccess) {
 	goto loser;		/* malformed */
     }
 
-    if (sidBytes.len > 0 && !ss->noCache) {
+    if (sidBytes.len > 0 && !ss->opt.noCache) {
 	SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
                     SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
 		    ss->sec.ci.peer.pr_s6_addr32[1], 
 		    ss->sec.ci.peer.pr_s6_addr32[2],
 		    ss->sec.ci.peer.pr_s6_addr32[3]));
 	if (ssl_sid_lookup) {
 	    sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data, 
 	                            sidBytes.len, ss->dbHandle);
@@ -5221,20 +5221,20 @@ ssl3_HandleClientHello(sslSocket *ss, SS
 
     if (sid != NULL) {
 	/* We've found a session cache entry for this client.
 	 * Now, if we're going to require a client-auth cert,
 	 * and we don't already have this client's cert in the session cache,
 	 * and this is the first handshake on this connection (not a redo),
 	 * then drop this old cache entry and start a new session.
 	 */
-	if ((sid->peerCert == NULL) && ss->requestCertificate &&
-	    ((ss->requireCertificate == SSL_REQUIRE_ALWAYS) ||
-	     (ss->requireCertificate == SSL_REQUIRE_NO_ERROR) ||
-	     ((ss->requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE) 
+	if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
+	    ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
+	     (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
+	     ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE) 
 	      && !ss->firstHsDone))) {
 
 	    ++ssl3stats.hch_sid_cache_not_ok;
 	    ss->sec.uncache(sid);
 	    ssl_FreeSID(sid);
 	    sid = NULL;
 	}
     }
@@ -5337,17 +5337,17 @@ compression_found:
 	}
 	/* we need to resurrect the master secret.... */
 
 	ssl_GetSpecWriteLock(ss);  haveSpecWriteLock = PR_TRUE;
 	pwSpec = ss->ssl3.pwSpec;
 	if (sid->u.ssl3.keys.msIsWrapped) {
 	    PK11SymKey *    wrapKey; 	/* wrapping key */
 	    CK_FLAGS        keyFlags      = 0;
-	    if (ss->bypassPKCS11) {
+	    if (ss->opt.bypassPKCS11) {
 		/* we cannot restart a non-bypass session in a 
 		** bypass socket.
 		*/
 		break;  
 	    }
 
 	    wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
 				     sid->u.ssl3.masterWrapMech, 
@@ -5368,17 +5368,17 @@ compression_found:
 	    pwSpec->master_secret =
 		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
 			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
 			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
 	    PK11_FreeSymKey(wrapKey);
 	    if (pwSpec->master_secret == NULL) {
 		break;	/* not an error */
 	    }
-	} else if (ss->bypassPKCS11) {
+	} else if (ss->opt.bypassPKCS11) {
 	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
 	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
 	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
 	    pwSpec->msItem.data = pwSpec->raw_master_secret;
 	    pwSpec->msItem.len  = wrappedMS.len;
 	} else {
 	    /* We CAN restart a bypass session in a non-bypass socket. */
 	    /* need to import the raw master secret to session object */
@@ -5534,17 +5534,17 @@ ssl3_HandleV2ClientHello(sslSocket *ss, 
     int                 sid_length;
     int                 suite_length;
     int                 rand_length;
     int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
     SSL3AlertDescription desc    = handshake_failure;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
 
     ssl_GetSSL3HandshakeLock(ss);
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
 	ssl_ReleaseSSL3HandshakeLock(ss);
 	return rv;		/* ssl3_InitState has set the error code. */
     }
@@ -5685,18 +5685,18 @@ ssl3_SendServerHello(sslSocket *ss)
 {
     sslSessionID *sid;
     SECStatus     rv;
     PRUint32      length;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
 		ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
 
     if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
 	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
 	return SECFailure;
     }
 
     sid = ss->sec.ci.sid;
@@ -5764,33 +5764,33 @@ const ssl3KEADef *     kea_def     = ss-
     SECItem            ec_params = {siBuffer, NULL, 0};
     ECName             curve;
     SSL3KEAType        certIndex;
 #endif /* NSS_ENABLE_ECC */
 
     SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     switch (kea_def->exchKeyType) {
     case kt_rsa:
 	/* Perform SSL Step-Down here. */
 	sdPub = ss->stepDownKeyPair->pubKey;
 	PORT_Assert(sdPub != NULL);
 	if (!sdPub) {
 	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
 	    return SECFailure;
 	}
     	rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus,
 					  sdPub->u.rsa.publicExponent,
 	                                  &ss->ssl3.hs.client_random,
 	                                  &ss->ssl3.hs.server_random,
-					  &hashes, ss->bypassPKCS11);
+					  &hashes, ss->opt.bypassPKCS11);
         if (rv != SECSuccess) {
 	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
 	    return rv;
 	}
 
 	isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
 	rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY, 
 	                     &signed_hash, isTLS);
@@ -5948,18 +5948,18 @@ const uint8 *      certTypes;
     int            i;
     int            calen	= 0;
     int            nnames	= 0;
     int            certTypesLength;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     /* ssl3.ca_list is initialized to NULL, and never changed. */
     ca_list = ss->ssl3.ca_list;
     if (!ca_list) {
 	ca_list = ssl3_server_ca_list;
     }
 
     if (ca_list != NULL) {
@@ -6006,18 +6006,18 @@ const uint8 *      certTypes;
 static SECStatus
 ssl3_SendServerHelloDone(sslSocket *ss)
 {
     SECStatus rv;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
     if (rv != SECSuccess) {
 	return rv; 		/* err set by AppendHandshake. */
     }
     rv = ssl3_FlushHandshake(ss, 0);
     if (rv != SECSuccess) {
 	return rv;	/* error code set by ssl3_FlushHandshake */
@@ -6036,18 +6036,18 @@ ssl3_HandleCertificateVerify(sslSocket *
     SECItem              signed_hash = {siBuffer, NULL, 0};
     SECStatus            rv;
     int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
     SSL3AlertDescription desc        = handshake_failure;
     PRBool               isTLS;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
 		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
 	desc    = unexpected_message;
 	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
 	goto alert_loser;
     }
 
     rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
@@ -6099,25 +6099,25 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3C
 {
     PK11SymKey *      pms		= NULL;
     PK11SlotInfo *    slot		= serverKeySlot;
     void *	      pwArg 		= ss->pkcs11PinArg;
     SECItem           param;
     CK_VERSION 	      version;
     CK_MECHANISM_TYPE mechanism_array[3];
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (slot == NULL) {
 	SSLCipherAlgorithm calg;
 	/* The specReadLock would suffice here, but we cannot assert on
 	** read locks.  Also, all the callers who call with a non-null
 	** slot already hold the SpecWriteLock.
 	*/
-	PORT_Assert( ss->noLocks || ssl_HaveSpecWriteLock(ss));
+	PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
 	PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
         calg = spec->cipher_def->calg;
 	PORT_Assert(alg2Mech[calg].calg == calg);
 
 	/* First get an appropriate slot.  */
 	mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
 	mechanism_array[1] = CKM_RSA_PKCS;
@@ -6174,18 +6174,18 @@ ssl3_HandleRSAClientKeyExchange(sslSocke
     ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
     unsigned int      outLen = 0;
     PRBool            isTLS  = PR_FALSE;
     SECStatus         rv;
     SECItem           enc_pms;
     unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
     SECItem           pmsItem = {siBuffer, rsaPmsBuf, sizeof rsaPmsBuf};
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     enc_pms.data = b;
     enc_pms.len  = length;
 
     if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
 	PRInt32 kLen;
 	kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
 	if (kLen < 0) {
@@ -6195,32 +6195,32 @@ ssl3_HandleRSAClientKeyExchange(sslSocke
 	if ((unsigned)kLen < enc_pms.len) {
 	    enc_pms.len = kLen;
 	}
 	isTLS = PR_TRUE;
     } else {
 	isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
     }
 
-    if (ss->bypassPKCS11) {
+    if (ss->opt.bypassPKCS11) {
 	/* TRIPLE BYPASS, get PMS directly from RSA decryption.
 	 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, 
 	 * then, check for version rollback attack, then 
 	 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in 
 	 * pwSpec->msItem.  Finally call ssl3_InitPendingCipherSpec with 
 	 * ss and NULL, so that it will use the MS we've already derived here. 
 	 */
 
 	rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 
 				   sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
 	if (rv != SECSuccess) {
 	    /* avoid Bleichenbacker attack.  generate faux pms. */
 	    rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
 	    /* ignore failure */
-	} else if (ss->detectRollBack) {
+	} else if (ss->opt.detectRollBack) {
 	    SSL3ProtocolVersion client_version = 
 					 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
 	    if (client_version != ss->clientHelloVersion) {
 		/* Version roll-back detected. ensure failure.  */
 		rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
 	    }
 	}
 	/* have PMS, build MS without PKCS11 */
@@ -6285,18 +6285,18 @@ ssl3_HandleClientKeyExchange(sslSocket *
 const ssl3KEADef *    kea_def;
 #ifdef NSS_ENABLE_ECC
     SECKEYPublicKey *serverPubKey       = NULL;
 #endif /* NSS_ENABLE_ECC */
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws != wait_client_key) {
 	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
     	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
 	return SECFailure;
     }
 
     kea_def   = ss->ssl3.hs.kea_def;
@@ -6493,18 +6493,18 @@ ssl3_SendCertificate(sslSocket *ss)
 #ifdef NISCC_TEST
     SECItem              fakeCert;
     int                  ndex           = -1;
 #endif
 
     SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
 		SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     if (ss->sec.localCert)
     	CERT_DestroyCertificate(ss->sec.localCert);
     if (ss->sec.isServer) {
 	sslServerCerts * sc = NULL;
 
 	/* XXX SSLKEAType isn't really a good choice for 
 	 * indexing certificates (it breaks when we deal
@@ -6613,18 +6613,18 @@ ssl3_HandleCertificate(sslSocket *ss, SS
     PRBool           trusted 	= PR_FALSE;
     PRBool           isTLS;
     SSL3AlertDescription desc	= bad_certificate;
     int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
     SECItem          certItem;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
 		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if ((ss->ssl3.hs.ws != wait_server_cert) &&
 	(ss->ssl3.hs.ws != wait_client_cert)) {
 	desc    = unexpected_message;
 	errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
 	goto alert_loser;
     }
 
@@ -7021,18 +7021,18 @@ ssl3_SendFinished(sslSocket *ss, PRInt32
     PRBool          isServer = ss->sec.isServer;
     SECStatus       rv;
     SSL3Sender      sender = isServer ? sender_server : sender_client;
     SSL3Finished    hashes;
     TLSFinished     tlsFinished;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     ssl_GetSpecReadLock(ss);
     cwSpec = ss->ssl3.cwSpec;
     isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
     rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
     if (isTLS && rv == SECSuccess) {
 	rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
     }
@@ -7159,18 +7159,18 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
 {
     sslSessionID *    sid	   = ss->sec.ci.sid;
     SECStatus         rv           = SECSuccess;
     PRBool            isServer     = ss->sec.isServer;
     PRBool            isTLS;
     PRBool            doStepUp;
     SSL3KEAType       effectiveExchKeyType;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
     	SSL_GETPID(), ss->fd));
 
     if (ss->ssl3.hs.ws != wait_finished) {
 	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
     	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
 	return SECFailure;
@@ -7254,17 +7254,17 @@ xmit_loser:
     ss->gs.readOffset  = 0;
 
     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
 	effectiveExchKeyType = kt_rsa;
     } else {
 	effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
     }
 
-    if (sid->cached == never_cached && !ss->noCache && ss->sec.cache) {
+    if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
 	/* fill in the sid */
 	sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
 	sid->u.ssl3.compression = ss->ssl3.hs.compression;
 	sid->u.ssl3.policy      = ss->ssl3.policy;
 	sid->u.ssl3.exchKeyType = effectiveExchKeyType;
 	sid->version            = ss->version;
 	sid->authAlgorithm      = ss->sec.authAlgorithm;
 	sid->authKeyBits        = ss->sec.authKeyBits;
@@ -7315,18 +7315,18 @@ xmit_loser:
 static SECStatus
 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECStatus         rv 	= SECSuccess;
     SSL3HandshakeType type 	= ss->ssl3.hs.msg_type;
     SSL3Hashes        hashes;	/* computed hashes are put here. */
     PRUint8           hdr[4];
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     /*
      * We have to compute the hashes before we update them with the
      * current message.
      */
     ssl_GetSpecReadLock(ss);	/************************************/
     if((type == finished) || (type == certificate_verify)) {
 	SSL3Sender      sender = (SSL3Sender)0;
 	ssl3CipherSpec *rSpec  = ss->ssl3.prSpec;
@@ -7352,17 +7352,17 @@ ssl3_HandleHandshakeMessage(sslSocket *s
     hdr[1] = (PRUint8)(length >> 16);
     hdr[2] = (PRUint8)(length >>  8);
     hdr[3] = (PRUint8)(length      );
 
     /* Start new handshake hashes when we start a new handshake */
     if (ss->ssl3.hs.msg_type == client_hello) {
 	SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
 		SSL_GETPID(), ss->fd ));
-	if (ss->bypassPKCS11) {
+	if (ss->opt.bypassPKCS11) {
 	    MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
 	    SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
 	} else {
 	    rv = PK11_DigestBegin(ss->ssl3.hs.md5);
 	    if (rv != SECSuccess) {
 		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
 		return rv;
 	    }
@@ -7484,18 +7484,18 @@ ssl3_HandleHandshake(sslSocket *ss, sslB
      * complete message or several messages followed by another portion.
      *
      * Each message is made contiguous before being passed to the actual
      * message parser.
      */
     sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */
     SECStatus rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (buf->buf == NULL) {
 	*buf = *origBuf;
     }
     while (buf->len > 0) {
 	if (ss->ssl3.hs.header_bytes < 4) {
 	    uint8 t;
 	    t = *(buf->buf++);
@@ -7625,17 +7625,17 @@ const ssl3BulkCipherDef *cipher_def;
     SECStatus            rv;
     unsigned int         hashBytes		= MAX_MAC_LENGTH + 1;
     unsigned int         padding_length;
     PRBool               isTLS;
     PRBool               padIsBad               = PR_FALSE;
     SSL3ContentType      rType;
     SSL3Opaque           hash[MAX_MAC_LENGTH];
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
 
     if (!ss->ssl3.initialized) {
 	ssl_GetSSL3HandshakeLock(ss);
 	rv = ssl3_InitState(ss);
 	ssl_ReleaseSSL3HandshakeLock(ss);
 	if (rv != SECSuccess) {
 	    return rv;		/* ssl3_InitState has set the error code. */
     	}
@@ -7843,17 +7843,17 @@ ssl3_InitCipherSpec(sslSocket *ss, ssl3C
     spec->server.write_mac_context = NULL;
 
     spec->write_seq_num.high       = 0;
     spec->write_seq_num.low        = 0;
 
     spec->read_seq_num.high        = 0;
     spec->read_seq_num.low         = 0;
 
-    spec->version                  = ss->enableTLS
+    spec->version                  = ss->opt.enableTLS
                                           ? SSL_LIBRARY_VERSION_3_1_TLS
                                           : SSL_LIBRARY_VERSION_3_0;
 }
 
 /* Called from:	ssl3_SendRecord
 **		ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
 **		ssl3_SendClientHello()
 **		ssl3_HandleServerHello()
@@ -7866,17 +7866,17 @@ ssl3_InitCipherSpec(sslSocket *ss, ssl3C
 **
 */
 static SECStatus
 ssl3_InitState(sslSocket *ss)
 {
     PK11Context *md5  = NULL;
     PK11Context *sha  = NULL;
     SECStatus    rv;
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     if (ss->ssl3.initialized)
     	return SECSuccess;	/* Function should be idempotent */
 
     ss->ssl3.policy = SSL_ALLOWED;
 
     ssl_GetSpecWriteLock(ss);
     ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
@@ -7889,17 +7889,17 @@ ssl3_InitState(sslSocket *ss)
     ssl_ReleaseSpecWriteLock(ss);
 
     /*
      * note: We should probably lookup an SSL3 slot for these
      * handshake hashes in hopes that we wind up with the same slots
      * that the master secret will wind up in ...
      */
     SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
-    if (ss->bypassPKCS11) {
+    if (ss->opt.bypassPKCS11) {
 	MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
 	SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
     } else {
 	ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
 	if (md5 == NULL) {
 	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
 	    goto loser;
 	}
@@ -8127,17 +8127,17 @@ ssl3_ConstructV2CipherSpecsHack(sslSocke
 {
     int i, count = 0;
 
     PORT_Assert(ss != 0);
     if (!ss) {
 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
 	return SECFailure;
     }
-    if (!ss->enableSSL3 && !ss->enableTLS) {
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
     	*size = 0;
 	return SECSuccess;
     }
     if (cs == NULL) {
 	*size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
 	return SECSuccess;
     }
 
@@ -8166,17 +8166,17 @@ ssl3_ConstructV2CipherSpecsHack(sslSocke
 ** called from SSL_RedoHandshake(), which already holds the handshake locks.
 */
 SECStatus
 ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
 {
     sslSessionID *   sid = ss->sec.ci.sid;
     SECStatus        rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (!ss->firstHsDone ||
         ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
 	 ss->ssl3.initialized && 
 	 (ss->ssl3.hs.ws != idle_handshake))) {
 	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
 	return SECFailure;
     }
@@ -8211,17 +8211,17 @@ ssl3_DestroySSL3Info(sslSocket *ss)
 	ssl3_CleanupPeerCerts(ss);
 
     if (ss->ssl3.clientCertChain != NULL) {
        CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
        ss->ssl3.clientCertChain = NULL;
     }
 
     /* clean up handshake */
-    if (ss->bypassPKCS11) {
+    if (ss->opt.bypassPKCS11) {
 	SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
 	MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
     } 
     if (ss->ssl3.hs.md5) {
 	PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
     }
     if (ss->ssl3.hs.sha) {
 	PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -249,18 +249,18 @@ sendECDHClientKeyExchange(sslSocket * ss
     PK11SymKey *	pms 		= NULL;
     SECStatus           rv    		= SECFailure;
     PRBool              isTLS;
     CK_MECHANISM_TYPE	target;
     SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral ECDH key */
     SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral ECDH key */
     CK_EC_KDF_TYPE	kdf;
 
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
 
     /* Generate ephemeral EC keypair */
     privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, 
 	                                &pubKey, NULL);
     if (!privKey || !pubKey) {
 	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
@@ -341,18 +341,18 @@ ssl3_HandleECDHClientKeyExchange(sslSock
 {
     PK11SymKey *      pms;
     SECStatus         rv;
     SECKEYPublicKey   clntPubKey;
     CK_MECHANISM_TYPE	target;
     PRBool isTLS;
     CK_EC_KDF_TYPE	kdf;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     clntPubKey.keyType = ecKey;
     clntPubKey.u.ec.DEREncodedParams.len = 
 	srvrPubKey->u.ec.DEREncodedParams.len;
     clntPubKey.u.ec.DEREncodedParams.data = 
 	srvrPubKey->u.ec.DEREncodedParams.data;
 
     rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, 
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -67,17 +67,17 @@ static int
 ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
 {
     unsigned char *bp;
     unsigned char *lbp;
     int            nb;
     int            err;
     int            rv		= 1;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     if (gs->state == GS_INIT) {
 	gs->state       = GS_HEADER;
 	gs->remainder   = 5;
 	gs->offset      = 0;
 	gs->writeOffset = 0;
 	gs->readOffset  = 0;
 	gs->inbuf.len   = 0;
     }
@@ -184,17 +184,17 @@ ssl3_GatherData(sslSocket *ss, sslGather
  * Caller must hold the recv buf lock.
  */
 int
 ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
 {
     SSL3Ciphertext cText;
     int            rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     do {
 	/* bring in the next sslv3 record. */
 	rv = ssl3_GatherData(ss, &ss->gs, flags);
 	if (rv <= 0) {
 	    return rv;
 	}
 	
 	/* decipher it, and handle it if it's a handshake. 
@@ -225,15 +225,15 @@ ssl3_GatherCompleteHandshake(sslSocket *
  * Called from DoRecv in sslsecur.c
  * Caller must hold the recv buf lock.
  */
 int
 ssl3_GatherAppDataRecord(sslSocket *ss, int flags)
 {
     int            rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     do {
 	rv = ssl3_GatherCompleteHandshake(ss, flags);
     } while (rv > 0 && ss->gs.buf.len == 0);
 
     return rv;
 }
--- a/security/nss/lib/ssl/sslauth.c
+++ b/security/nss/lib/ssl/sslauth.c
@@ -48,17 +48,17 @@ SSL_PeerCertificate(PRFileDesc *fd)
     sslSocket *ss;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
 		 SSL_GETPID(), fd));
 	return 0;
     }
-    if (ss->useSecurity && ss->sec.peerCert) {
+    if (ss->opt.useSecurity && ss->sec.peerCert) {
 	return CERT_DupCertificate(ss->sec.peerCert);
     }
     return 0;
 }
 
 /* NEED LOCKS IN HERE.  */
 CERTCertificate *
 SSL_LocalCertificate(PRFileDesc *fd)
@@ -66,17 +66,17 @@ SSL_LocalCertificate(PRFileDesc *fd)
     sslSocket *ss;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
 		 SSL_GETPID(), fd));
 	return NULL;
     }
-    if (ss->useSecurity) {
+    if (ss->opt.useSecurity) {
     	if (ss->sec.localCert) {
 	    return CERT_DupCertificate(ss->sec.localCert);
 	}
 	if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
 	    return CERT_DupCertificate(ss->sec.ci.sid->localCert);
 	}
     }
     return NULL;
@@ -104,17 +104,17 @@ SSL_SecurityStatus(PRFileDesc *fd, int *
     if (kp0) *kp0 = 0;
     if (kp1) *kp1 = 0;
     if (ip) *ip = 0;
     if (sp) *sp = 0;
     if (op) {
 	*op = SSL_SECURITY_STATUS_OFF;
     }
 
-    if (ss->useSecurity && ss->firstHsDone) {
+    if (ss->opt.useSecurity && ss->firstHsDone) {
 
 	if (ss->version < SSL_LIBRARY_VERSION_3_0) {
 	    cipherName = ssl_cipherName[ss->sec.cipherType];
 	} else {
 	    cipherName = ssl3_cipherName[ss->sec.cipherType];
 	}
 	if (cipherName && PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
 
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -181,21 +181,21 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
     PRUint8 *	        cs		= NULL;
     unsigned int	allowed;
     unsigned int	count;
     int 		ssl3_count	= 0;
     int 		final_count;
     int 		i;
     SECStatus 		rv;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     count = 0;
     PORT_Assert(ss != 0);
-    allowed = !ss->enableSSL2 ? 0 :
+    allowed = !ss->opt.enableSSL2 ? 0 :
     	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
     while (allowed) {
     	if (allowed & 1) 
 	    ++count;
 	allowed >>= 1;
     }
 
     /* Call ssl3_config_match_init() once here, 
@@ -221,17 +221,17 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
 
     if (ss->cipherSpecs != NULL) {
 	PORT_Free(ss->cipherSpecs);
     }
     ss->cipherSpecs     = cs;
     ss->sizeCipherSpecs = count * 3;
 
     /* fill in cipher specs for SSL2 cipher suites */
-    allowed = !ss->enableSSL2 ? 0 :
+    allowed = !ss->opt.enableSSL2 ? 0 :
     	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
     for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
 	const PRUint8 * hs = implementedCipherSuites + i;
 	int             ok = allowed & (1U << hs[0]);
 	if (ok) {
 	    cs[0] = hs[0];
 	    cs[1] = hs[1];
 	    cs[2] = hs[2];
@@ -266,27 +266,27 @@ ssl2_CheckConfigSanity(sslSocket *ss)
     /* count the SSL2 and SSL3 enabled ciphers.
      * if either is zero, clear the socket's enable for that protocol.
      */
     if (!ss->cipherSpecs)
     	goto disabled;
 
     allowed = ss->allowedByPolicy & ss->chosenPreference;
     if (! allowed)
-	ss->enableSSL2 = PR_FALSE;     /* not really enabled if no ciphers */
+	ss->opt.enableSSL2 = PR_FALSE;     /* not really enabled if no ciphers */
 
     /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
     /* Ask how many ssl3 CipherSuites were enabled. */
     rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
     if (rv != SECSuccess || ssl3CipherCount <= 0) {
-	ss->enableSSL3 = PR_FALSE;     /* not really enabled if no ciphers */
-	ss->enableTLS  = PR_FALSE;
+	ss->opt.enableSSL3 = PR_FALSE;     /* not really enabled if no ciphers */
+	ss->opt.enableTLS  = PR_FALSE;
     }
 
-    if (!ss->enableSSL2 && !ss->enableSSL3 && !ss->enableTLS) {
+    if (!ss->opt.enableSSL2 && !ss->opt.enableSSL3 && !ss->opt.enableTLS) {
 	SSL_DBG(("%d: SSL[%d]: Can't handshake! both v2 and v3 disabled.",
 		 SSL_GETPID(), ss->fd));
 disabled:
 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
 	return SECFailure;
     }
     return SECSuccess;
 }
@@ -490,17 +490,17 @@ ssl2_CreateMAC(sslSecurityInfo *sec, SEC
  */
 
 /* Called from all the Send* functions below. */
 static SECStatus
 ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
 {
     SECStatus rv = SECSuccess;
 
-    PORT_Assert(ss->noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     if (len < 128) {
 	len = 128;
     }
     if (len > ss->sec.ci.sendBuf.space) {
 	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, len);
 	if (rv != SECSuccess) {
 	    SSL_DBG(("%d: SSL[%d]: ssl2_GetSendBuffer failed, tried to get %d bytes",
@@ -525,17 +525,17 @@ ssl2_GetSendBuffer(sslSocket *ss, unsign
  * Acquires and releases the socket's xmitBufLock.
  */	
 int
 ssl2_SendErrorMessage(sslSocket *ss, int error)
 {
     int rv;
     PRUint8 msg[SSL_HL_ERROR_HBYTES];
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     msg[0] = SSL_MT_ERROR;
     msg[1] = MSB(error);
     msg[2] = LSB(error);
 
     ssl_GetXmitBufLock(ss);    /***************************************/
 
     SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));
@@ -554,17 +554,17 @@ ssl2_SendErrorMessage(sslSocket *ss, int
  */
 static SECStatus
 ssl2_SendClientFinishedMessage(sslSocket *ss)
 {
     SECStatus        rv    = SECSuccess;
     int              sent;
     PRUint8    msg[1 + SSL_CONNECTIONID_BYTES];
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetXmitBufLock(ss);    /***************************************/
 
     if (ss->sec.ci.sentFinished == 0) {
 	ss->sec.ci.sentFinished = 1;
 
 	SSL_TRC(3, ("%d: SSL[%d]: sending client-finished",
 		    SSL_GETPID(), ss->fd));
@@ -590,17 +590,17 @@ ssl2_SendClientFinishedMessage(sslSocket
 static SECStatus
 ssl2_SendServerVerifyMessage(sslSocket *ss)
 {
     PRUint8 *        msg;
     int              sendLen;
     int              sent;
     SECStatus        rv;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetXmitBufLock(ss);    /***************************************/
 
     sendLen = 1 + SSL_CHALLENGE_BYTES;
     rv = ssl2_GetSendBuffer(ss, sendLen);
     if (rv != SECSuccess) {
 	goto done;
     }
@@ -625,17 +625,17 @@ done:
 static SECStatus
 ssl2_SendServerFinishedMessage(sslSocket *ss)
 {
     sslSessionID *   sid;
     PRUint8 *        msg;
     int              sendLen, sent;
     SECStatus        rv    = SECSuccess;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetXmitBufLock(ss);    /***************************************/
 
     if (ss->sec.ci.sentFinished == 0) {
 	ss->sec.ci.sentFinished = 1;
 	PORT_Assert(ss->sec.ci.sid != 0);
 	sid = ss->sec.ci.sid;
 
@@ -655,17 +655,17 @@ ssl2_SendServerFinishedMessage(sslSocket
 
 	DUMP_MSG(29, (ss, msg, sendLen));
 	sent = (*ss->sec.send)(ss, msg, sendLen, 0);
 
 	if (sent < 0) {
 	    /* If send failed, it is now a bogus  session-id */
 	    (*ss->sec.uncache)(sid);
 	    rv = (SECStatus)sent;
-	} else if (!ss->noCache) {
+	} else if (!ss->opt.noCache) {
 	    /* Put the sid in session-id cache, (may already be there) */
 	    (*ss->sec.cache)(sid);
 	    rv = SECSuccess;
 	}
 	ssl_FreeSID(sid);
 	ss->sec.ci.sid = 0;
     }
 done:
@@ -684,17 +684,17 @@ ssl2_SendSessionKeyMessage(sslSocket *ss
 		      PRUint8 *ck, int ckLen,
 		      PRUint8 *ek, int ekLen)
 {
     PRUint8 *        msg;
     int              sendLen;
     int              sent;
     SECStatus        rv;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetXmitBufLock(ss);    /***************************************/
 
     sendLen = SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen;
     rv = ssl2_GetSendBuffer(ss, sendLen);
     if (rv != SECSuccess) 
 	goto done;
 
@@ -730,17 +730,17 @@ done:
 static SECStatus
 ssl2_SendCertificateRequestMessage(sslSocket *ss)
 {
     PRUint8 *        msg;
     int              sent;
     int              sendLen;
     SECStatus        rv;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetXmitBufLock(ss);    /***************************************/
 
     sendLen = SSL_HL_REQUEST_CERTIFICATE_HBYTES + SSL_CHALLENGE_BYTES;
     rv = ssl2_GetSendBuffer(ss, sendLen);
     if (rv != SECSuccess) 
 	goto done;
 
@@ -770,17 +770,17 @@ done:
  */
 static int
 ssl2_SendCertificateResponseMessage(sslSocket *ss, SECItem *cert, 
                                     SECItem *encCode)
 {
     PRUint8 *msg;
     int rv, sendLen;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetXmitBufLock(ss);    /***************************************/
 
     sendLen = SSL_HL_CLIENT_CERTIFICATE_HBYTES + encCode->len + cert->len;
     rv = ssl2_GetSendBuffer(ss, sendLen);
     if (rv) 
     	goto done;
 
@@ -882,17 +882,17 @@ ssl2_CalcMAC(PRUint8             * resul
 static PRInt32 
 ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
 {
     PRUint8         * out;
     int               rv;
     int               amount;
     int               count	= 0;
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes in the clear",
 		 SSL_GETPID(), ss->fd, len));
     PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
 
     while (len) {
 	amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
 	if (amount + 2 > ss->sec.writeBuf.space) {
@@ -957,17 +957,17 @@ ssl2_SendStream(sslSocket *ss, const PRU
     int              rv;
     int              count	= 0;
 
     int              amount;
     PRUint8          macLen;
     int              nout;
     int              buflen;
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using stream cipher",
 		 SSL_GETPID(), ss->fd, len));
     PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
 
     while (len) {
 	ssl_GetSpecReadLock(ss);  /*************************************/
 
@@ -1062,17 +1062,17 @@ ssl2_SendBlock(sslSocket *ss, const PRUi
 
     unsigned int     hlen;		    /* output record hdr len, 2 or 3 */
     unsigned int     macLen;		    /* MAC is this many bytes long.  */
     int              amount;		    /* of plaintext to go in record. */
     unsigned int     padding;		    /* add this many padding byte.   */
     int              nout;		    /* ciphertext size after header. */
     int              buflen;		    /* size of generated record.     */
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using block cipher",
 		 SSL_GETPID(), ss->fd, len));
     PRINT_BUF(50, (ss, "clear data:", in, len));
 
     while (len) {
 	ssl_GetSpecReadLock(ss);  /*************************************/
 
@@ -1246,17 +1246,17 @@ ssl2_UseClearSendFunc(sslSocket *ss)
  *	ssl2_HandleClientHelloMessage
  *	ssl2_BeginServerHandshake
  */
 SECStatus
 ssl_GatherRecord1stHandshake(sslSocket *ss)
 {
     int rv;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetRecvBufLock(ss);
 
     if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
 	/* Wait for handshake to complete, or application data to arrive.  */
 	rv = ssl3_GatherCompleteHandshake(ss, 0);
     } else {
 	/* See if we have a complete record */
@@ -1364,17 +1364,17 @@ ssl2_ProduceKeys(sslSocket *    ss,
     unsigned      off;
     SECStatus     rv;
     PRUint8       countChar;
     PRUint8       km[3*16];	/* buffer for key material. */
 
     readKey->data = 0;
     writeKey->data = 0;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     rv = SECSuccess;
     cx = PK11_CreateDigestContext(SEC_OID_MD5);
     if (cx == NULL) {
 	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
 	return SECFailure;
     }
 
@@ -1436,17 +1436,17 @@ ssl2_CreateSessionCypher(sslSocket *ss, 
     SECItem           readKey;
     SECItem           writeKey;
 
     void *readcx = 0;
     void *writecx = 0;
     readKey.data = 0;
     writeKey.data = 0;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
     if((ss->sec.ci.sid == 0))
     	goto sec_loser;	/* don't crash if asserts are off */
 
     /* Trying to cut down on all these switch statements that should be tables.
      * So, test cipherType once, here, and then use tables below. 
      */
     switch (cipherType) {
     case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
@@ -1586,18 +1586,18 @@ ssl2_ServerSetupSessionCypher(sslSocket 
     PRUint8       *   kbuf = 0;	/* buffer for RSA decrypted data. */
     unsigned int      el1;	/* length of RSA decrypted data in kbuf */
     unsigned int      keySize;
     unsigned int      modulusLen;
     SECStatus         rv;
     PRUint8           mkbuf[SSL_MAX_MASTER_KEY_BYTES];
     sslServerCerts  * sc = ss->serverCerts + kt_rsa;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss)   );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
     PORT_Assert((sc->SERVERKEY != 0));
     PORT_Assert((ss->sec.ci.sid != 0));
     sid = ss->sec.ci.sid;
 
     keySize = (keyBits + 7) >> 3;
     /* Is the message just way too big? */
     if (keySize > SSL_MAX_MASTER_KEY_BYTES) {
 	/* bummer */
@@ -1674,17 +1674,17 @@ ssl2_ServerSetupSessionCypher(sslSocket 
 	/* Tsk tsk. */
 	SSL_DBG(("%d: SSL[%d]: strange encryption block",
 		 SSL_GETPID(), ss->fd));
 	PORT_SetError(SSL_ERROR_BAD_CLIENT);
 	goto hide_loser;
     }
 
     /* Make sure we're not subject to a version rollback attack. */
-    if (ss->enableSSL3 || ss->enableTLS) {
+    if (ss->opt.enableSSL3 || ss->opt.enableTLS) {
 	PRUint8 threes[8] = { 0x03, 0x03, 0x03, 0x03,
 			      0x03, 0x03, 0x03, 0x03 };
 	
 	if (PORT_Memcmp(kk - 8 - 1, threes, 8) == 0) {
 	    PORT_SetError(SSL_ERROR_BAD_CLIENT);
 	    goto hide_loser;
 	}
     }
@@ -1758,18 +1758,18 @@ ssl2_QualifyCypherSpecs(sslSocket *ss,
 {
     PRUint8 *    ms;
     PRUint8 *    hs;
     PRUint8 *    qs;
     int          mc;
     int          hc;
     PRUint8      qualifiedSpecs[ssl2_NUM_SUITES_IMPLEMENTED * 3];
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss)   );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
 
     if (!ss->cipherSpecs) {
 	ssl2_ConstructCipherSpecs(ss);
     }
 
     PRINT_BUF(10, (ss, "specs from client:", cs, csLen));
     qs = qualifiedSpecs;
     ms = ss->cipherSpecs;
@@ -1819,18 +1819,18 @@ ssl2_ChooseSessionCypher(sslSocket *ss,
     unsigned int    i;
     int             bestKeySize;
     int             bestRealKeySize;
     int             bestCypher;
     int             keySize;
     int             realKeySize;
     PRUint8 *       ohs               = hs;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss)   );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
 
     if (!ss->cipherSpecs) {
 	ssl2_ConstructCipherSpecs(ss);
     }
 
     if (!ss->preferredCipher) {
 	const PRUint8 * preferred = implementedCipherSuites;
     	unsigned int    allowed = ss->allowedByPolicy & ss->chosenPreference &
@@ -2039,17 +2039,17 @@ ssl2_ClientSetupSessionCypher(sslSocket 
     int               nc;
 
     unsigned char *eblock;	/* holds unencrypted PKCS#1 formatted key. */
     SECItem           rek;	/* holds portion of symkey to be encrypted. */
 
     PRUint8           keyData[SSL_MAX_MASTER_KEY_BYTES];
     PRUint8           iv     [8];
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     eblock = NULL;
 
     sid = ss->sec.ci.sid;
     PORT_Assert(sid != 0);
 
     cert = ss->sec.peerCert;
     
@@ -2126,17 +2126,17 @@ ssl2_ClientSetupSessionCypher(sslSocket 
     rek.data   = keyData + ckLen;
     rek.len    = keyLen  - ckLen;
     eblock = ssl_FormatSSL2Block(modulusLen, &rek);
     if (eblock == NULL) 
     	goto loser;
 
     /* Set up the padding for version 2 rollback detection. */
     /* XXX We should really use defines here */
-    if (ss->enableSSL3 || ss->enableTLS) {
+    if (ss->opt.enableSSL3 || ss->opt.enableTLS) {
 	PORT_Assert((modulusLen - rek.len) > 12);
 	PORT_Memset(eblock + modulusLen - rek.len - 8 - 1, 0x03, 8);
     }
     ekbuf = (PRUint8*) PORT_Alloc(modulusLen);
     if (!ekbuf) 
 	goto loser;
     PRINT_BUF(10, (ss, "master key encryption block:",
 		   eblock, modulusLen));
@@ -2180,27 +2180,27 @@ ssl2_ClientRegSessionID(sslSocket *ss, P
     sslSessionID *sid = ss->sec.ci.sid;
 
     /* Record entry in nonce cache */
     if (sid->peerCert == NULL) {
 	PORT_Memcpy(sid->u.ssl2.sessionID, s, sizeof(sid->u.ssl2.sessionID));
 	sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
 
     }
-    if (!ss->noCache)
+    if (!ss->opt.noCache)
 	(*ss->sec.cache)(sid);
 }
 
 /* Called from ssl2_HandleMessage() */
 static SECStatus
 ssl2_TriggerNextMessage(sslSocket *ss)
 {
     SECStatus        rv;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     if ((ss->sec.ci.requiredElements & CIS_HAVE_CERTIFICATE) &&
 	!(ss->sec.ci.sentElements & CIS_HAVE_CERTIFICATE)) {
 	ss->sec.ci.sentElements |= CIS_HAVE_CERTIFICATE;
 	rv = ssl2_SendCertificateRequestMessage(ss);
 	return rv;
     }
     return SECSuccess;
@@ -2218,17 +2218,17 @@ ssl2_TriggerNextMessage(sslSocket *ss)
 **             ssl2_RestartHandshakeAfterServerCert
 */
 static SECStatus
 ssl2_TryToFinish(sslSocket *ss)
 {
     SECStatus        rv;
     char             e, ef;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     e = ss->sec.ci.elements;
     ef = e | CIS_HAVE_FINISHED;
     if ((ef & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
 	if (ss->sec.isServer) {
 	    /* Send server finished message if we already didn't */
 	    rv = ssl2_SendServerFinishedMessage(ss);
 	} else {
@@ -2256,17 +2256,17 @@ ssl2_SignResponse(sslSocket *ss,
 	     SECKEYPrivateKey *key,
 	     SECItem *response)
 {
     SGNContext *     sgn = NULL;
     PRUint8 *        challenge;
     unsigned int     len;
     SECStatus        rv		= SECFailure;
     
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     challenge = ss->sec.ci.serverChallenge;
     len = ss->sec.ci.serverChallengeLen;
     
     /* Sign the expected data... */
     sgn = SGN_NewContext(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,key);
     if (!sgn) 
     	goto done;
@@ -2419,18 +2419,18 @@ ssl2_HandleClientCertificate(sslSocket *
     CERTCertificate *cert	= NULL;
     SECKEYPublicKey *pubKey	= NULL;
     VFYContext *     vfy	= NULL;
     SECItem *        derCert;
     SECStatus        rv		= SECFailure;
     SECItem          certItem;
     SECItem          rep;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss)   );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
 
     /* Extract the certificate */
     certItem.data = cd;
     certItem.len  = cdLen;
 
     cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
 			 	   PR_FALSE, PR_TRUE);
     if (cert == NULL) {
@@ -2507,17 +2507,17 @@ static SECStatus
 ssl2_HandleMessage(sslSocket *ss)
 {
     PRUint8 *        data;
     PRUint8 *        cid;
     unsigned         len, certType, certLen, responseLen;
     int              rv;
     int              rv2;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ssl_GetRecvBufLock(ss);
 
     data = ss->gs.buf.buf + ss->gs.recordOffset;
 
     if (ss->gs.recordLen < 1) {
 	goto bad_peer;
     }
@@ -2701,17 +2701,17 @@ ssl2_HandleMessage(sslSocket *ss)
 ** ssl2_RestartHandshakeAfterServerCert.
 */
 static SECStatus
 ssl2_HandleVerifyMessage(sslSocket *ss)
 {
     PRUint8 *        data;
     SECStatus        rv;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
     ssl_GetRecvBufLock(ss);
 
     data = ss->gs.buf.buf + ss->gs.recordOffset;
     DUMP_MSG(29, (ss, data, ss->gs.recordLen));
     if ((ss->gs.recordLen != 1 + SSL_CHALLENGE_BYTES) ||
 	(data[0] != SSL_MT_SERVER_VERIFY) ||
 	PORT_Memcmp(data+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES)) {
 	/* Bad server */
@@ -2753,19 +2753,19 @@ ssl2_HandleServerHelloMessage(sslSocket 
 {
     sslSessionID *   sid;
     PRUint8 *        cert;
     PRUint8 *        cs;
     PRUint8 *        data;
     SECStatus        rv; 
     int              needed, sidHit, certLen, csLen, cidLen, certType, err;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    if (!ss->enableSSL2) {
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    if (!ss->opt.enableSSL2) {
 	PORT_SetError(SSL_ERROR_SSL2_DISABLED);
 	return SECFailure;
     }
 
     ssl_GetRecvBufLock(ss);
 
     PORT_Assert(ss->sec.ci.sid != 0);
     sid = ss->sec.ci.sid;
@@ -2984,17 +2984,17 @@ ssl2_BeginClientHandshake(sslSocket *ss)
     PRUint8           *msg;
     PRUint8           *cp;
     PRUint8           *localCipherSpecs = NULL;
     unsigned int      localCipherSize;
     unsigned int      i;
     int               sendLen, sidLen = 0;
     SECStatus         rv;
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     ss->sec.isServer     = 0;
     ss->sec.sendSequence = 0;
     ss->sec.rcvSequence  = 0;
     ssl_ChooseSessionIDProcs(&ss->sec);
 
     if (!ss->cipherSpecs) {
 	rv = ssl2_ConstructCipherSpecs(ss);
@@ -3030,33 +3030,33 @@ ssl2_BeginClientHandshake(sslSocket *ss)
 #else
 	goto loser;
 #endif
     }
 
     SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
 
     /* Try to find server in our session-id cache */
-    if (ss->noCache) {
+    if (ss->opt.noCache) {
 	sid = NULL;
     } else {
 	sid = ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, 
 	                    ss->url);
     }
     while (sid) {  /* this isn't really a loop */
 	/* if we're not doing this SID's protocol any more, drop it. */
-	if (((sid->version  < SSL_LIBRARY_VERSION_3_0) && !ss->enableSSL2) ||
-	    ((sid->version == SSL_LIBRARY_VERSION_3_0) && !ss->enableSSL3) ||
-	    ((sid->version >  SSL_LIBRARY_VERSION_3_0) && !ss->enableTLS)) {
+	if (((sid->version  < SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableSSL2) ||
+	    ((sid->version == SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableSSL3) ||
+	    ((sid->version >  SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableTLS)) {
 	    ss->sec.uncache(sid);
 	    ssl_FreeSID(sid);
 	    sid = NULL;
 	    break;
 	}
-	if (ss->enableSSL2 && sid->version < SSL_LIBRARY_VERSION_3_0) {
+	if (ss->opt.enableSSL2 && sid->version < SSL_LIBRARY_VERSION_3_0) {
 	    /* If the cipher in this sid is not enabled, drop it. */
 	    for (i = 0; i < ss->sizeCipherSpecs; i += 3) {
 		if (ss->cipherSpecs[i] == sid->u.ssl2.cipherType)
 		    break;
 	    }
 	    if (i >= ss->sizeCipherSpecs) {
 		ss->sec.uncache(sid);
 		ssl_FreeSID(sid);
@@ -3091,18 +3091,18 @@ ssl2_BeginClientHandshake(sslSocket *ss)
 	if (ss->url != NULL) {
 	    sid->urlSvrName = PORT_Strdup(ss->url);
 	}
     }
     ss->sec.ci.sid = sid;
 
     PORT_Assert(sid != NULL);
 
-    if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->v2CompatibleHello) &&
-        (ss->enableSSL3 || ss->enableTLS)) {
+    if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->opt.v2CompatibleHello) &&
+        (ss->opt.enableSSL3 || ss->opt.enableTLS)) {
 
 	ss->gs.state      = GS_INIT;
 	ss->handshake     = ssl_GatherRecord1stHandshake;
 
 	/* ssl3_SendClientHello will override this if it succeeds. */
 	ss->version       = SSL_LIBRARY_VERSION_3_0;
 
 	ssl_GetXmitBufLock(ss);    /***************************************/
@@ -3133,19 +3133,19 @@ ssl2_BeginClientHandshake(sslSocket *ss)
 
     rv = ssl2_GetSendBuffer(ss, sendLen);
     if (rv) 
     	goto unlock_loser;
 
     /* Construct client-hello message */
     cp = msg = ss->sec.ci.sendBuf.buf;
     msg[0] = SSL_MT_CLIENT_HELLO;
-    if ( ss->enableTLS ) {
+    if ( ss->opt.enableTLS ) {
 	ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_1_TLS;
-    } else if ( ss->enableSSL3 ) {
+    } else if ( ss->opt.enableSSL3 ) {
 	ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_0;
     } else {
 	ss->clientHelloVersion = SSL_LIBRARY_VERSION_2;
     }
     
     msg[1] = MSB(ss->clientHelloVersion);
     msg[2] = LSB(ss->clientHelloVersion);
     msg[3] = MSB(localCipherSize);
@@ -3436,17 +3436,17 @@ ssl2_HandleClientHelloMessage(sslSocket 
     int             gotXmitBufLock = 0;
 #if defined(SOLARIS) && defined(i386)
     volatile PRUint8 hit;
 #else
     int             hit;
 #endif
     PRUint8         csImpl[sizeof implementedCipherSuites];
 
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     sc = ss->serverCerts + kt_rsa;
     serverCert = sc->serverCert;
 
     ssl_GetRecvBufLock(ss);
 
 
     data = ss->gs.buf.buf + ss->gs.recordOffset;
@@ -3465,17 +3465,17 @@ ssl2_HandleClientHelloMessage(sslSocket 
     }
 
     /* Examine version information */
     /*
      * See if this might be a V2 client hello asking to use the V3 protocol
      */
     if ((data[0] == SSL_MT_CLIENT_HELLO) && 
         (data[1] >= MSB(SSL_LIBRARY_VERSION_3_0)) && 
-	(ss->enableSSL3 || ss->enableTLS)) {
+	(ss->opt.enableSSL3 || ss->opt.enableTLS)) {
 	rv = ssl3_HandleV2ClientHello(ss, data, ss->gs.recordLen);
 	if (rv != SECFailure) { /* Success */
 	    ss->handshake             = NULL;
 	    ss->nextHandshake         = ssl_GatherRecord1stHandshake;
 	    ss->securityHandshake     = NULL;
 	    ss->gs.state              = GS_INIT;
 
 	    /* ssl3_HandleV3ClientHello has set ss->version,
@@ -3553,25 +3553,25 @@ ssl2_HandleClientHelloMessage(sslSocket 
 	csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
 	if (csLen == 0) {
 	  /* We don't support any SSL v2 ciphers! */
 	  ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
 	  PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
 	  goto loser;
 	}
 	/* Since this handhsake is going to fail, don't cache it. */
-	ss->noCache = 1; 
+	ss->opt.noCache = 1; 
     }
 
     /* Squirrel away the challenge for later */
     PORT_Memcpy(ss->sec.ci.clientChallenge, challenge, challengeLen);
 
     /* Examine message and see if session-id is good */
     ss->sec.ci.elements = 0;
-    if (sdLen > 0 && !ss->noCache) {
+    if (sdLen > 0 && !ss->opt.noCache) {
 	SSL_TRC(7, ("%d: SSL[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
 		    SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
 		    ss->sec.ci.peer.pr_s6_addr32[1], 
 		    ss->sec.ci.peer.pr_s6_addr32[2],
 		    ss->sec.ci.peer.pr_s6_addr32[3]));
 	sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sd, sdLen, ss->dbHandle);
     } else {
 	sid = NULL;
@@ -3643,17 +3643,17 @@ ssl2_HandleClientHelloMessage(sslSocket 
     */
     if (ss->sec.localCert) {
 	CERT_DestroyCertificate(ss->sec.localCert);
     }
     ss->sec.localCert     = CERT_DupCertificate(serverCert);
 
     /* Build up final list of required elements */
     ss->sec.ci.requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED;
-    if (ss->requestCertificate) {
+    if (ss->opt.requestCertificate) {
 	ss->sec.ci.requiredElements |= CIS_HAVE_CERTIFICATE;
     }
     ss->sec.ci.sentElements = 0;
 
     /* Send hello message back to client */
     sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen
 	    + SSL_CONNECTIONID_BYTES;
 
@@ -3738,17 +3738,17 @@ ssl2_BeginServerHandshake(sslSocket *ss)
 
     ss->sec.isServer = 1;
     ssl_ChooseSessionIDProcs(&ss->sec);
     ss->sec.sendSequence = 0;
     ss->sec.rcvSequence = 0;
 
     /* don't turn on SSL2 if we don't have an RSA key and cert */
     if (!rsaAuth->SERVERKEY || !rsaAuth->serverCert) {
-	ss->enableSSL2 = PR_FALSE;
+	ss->opt.enableSSL2 = PR_FALSE;
     }
 
     if (!ss->cipherSpecs) {
 	rv = ssl2_ConstructCipherSpecs(ss);
 	if (rv != SECSuccess)
 	    goto loser;
     }
 
--- a/security/nss/lib/ssl/ssldef.c
+++ b/security/nss/lib/ssl/ssldef.c
@@ -112,17 +112,17 @@ int ssl_DefSend(sslSocket *ss, const uns
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv, count;
 
 #if NSS_DISABLE_NAGLE_DELAYS
     /* Although this is overkill, we disable Nagle delays completely for 
     ** SSL sockets.
     */
-    if (ss->useSecurity && !ss->delayDisabled) {
+    if (ss->opt.useSecurity && !ss->delayDisabled) {
 	ssl_EnableNagleDelay(ss, PR_FALSE);   /* ignore error */
     	ss->delayDisabled = 1;
     }
 #endif
     count = 0;
     for (;;) {
 	rv = lower->methods->send(lower, (const void *)buf, len,
 				 flags, ss->wTimeout);
--- a/security/nss/lib/ssl/sslgathr.c
+++ b/security/nss/lib/ssl/sslgathr.c
@@ -85,17 +85,17 @@ static SECStatus ssl2_HandleV3HandshakeR
 */
 int 
 ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
 {
     unsigned char *  bp;
     unsigned char *  pBuf;
     int              nb, err, rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
 
     if (gs->state == GS_INIT) {
 	/* Initialize gathering engine */
 	gs->state         = GS_HEADER;
 	gs->remainder     = 3;
 	gs->count         = 3;
 	gs->offset        = 0;
 	gs->recordLen     = 0;
@@ -136,19 +136,19 @@ ssl2_GatherData(sslSocket *ss, sslGather
 
 	if (gs->remainder > 0) {
 	    continue;
 	}
 
 	/* Probably finished this piece */
 	switch (gs->state) {
 	case GS_HEADER: 
-	    if ((ss->enableSSL3 || ss->enableTLS) && !ss->firstHsDone) {
+	    if ((ss->opt.enableSSL3 || ss->opt.enableTLS) && !ss->firstHsDone) {
 
-		PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+		PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
 		/* If this looks like an SSL3 handshake record, 
 		** and we're expecting an SSL2 Hello message from our peer, 
 		** handle it here.
 		*/
 		if (gs->hdr[0] == content_handshake) {
 		    if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) ||
 			(ss->nextHandshake == ssl2_HandleServerHelloMessage)) {
@@ -180,17 +180,17 @@ ssl2_GatherData(sslSocket *ss, sslGather
 			/* XXX This is a hack.  We're assuming that any failure
 			 * XXX on the client hello is a failure to match
 			 * XXX ciphers.
 			 */
 			PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
 			return SECFailure;
 		    }
 		}
-	    }	/* ((ss->enableSSL3 || ss->enableTLS) && !ss->firstHsDone) */
+	    }	/* ((ss->opt.enableSSL3 || ss->opt.enableTLS) && !ss->firstHsDone) */
 
 	    /* we've got the first 3 bytes.  The header may be two or three. */
 	    if (gs->hdr[0] & 0x80) {
 		/* This record has a 2-byte header, and no padding */
 		gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
 		gs->recordPadding = 0;
 	    } else {
 		/* This record has a 3-byte header that is all read in now. */
@@ -406,17 +406,17 @@ ssl2_GatherRecord(sslSocket *ss, int fla
  * Called from SocksStartGather in sslsocks.c
  * Caller must hold RecvBufLock. 
  */
 int 
 ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count)
 {
     int rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     gs->state     = GS_DATA;
     gs->remainder = count;
     gs->count     = count;
     gs->offset    = 0;
     if (count > gs->buf.space) {
 	rv = sslBuffer_Grow(&gs->buf, count);
 	if (rv) {
 	    return rv;
@@ -450,18 +450,18 @@ ssl_DestroyGather(sslGather *gs)
 
 /* Caller must hold RecvBufLock. */
 static SECStatus
 ssl2_HandleV3HandshakeRecord(sslSocket *ss)
 {
     SECStatus           rv;
     SSL3ProtocolVersion version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
 
-    PORT_Assert( ss->noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */
     ss->gs.remainder         = 2;
     ss->gs.count             = 0;
 
     /* Clearing these handshake pointers ensures that 
      * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
      */
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -880,32 +880,17 @@ struct sslSecurityInfoStr {
 */
 struct sslSocketStr {
     PRFileDesc *	fd;
 
     /* Pointer to operations vector for this socket */
     const sslSocketOps * ops;
 
     /* SSL socket options */
-    unsigned int     useSecurity	: 1;
-    unsigned int     useSocks		: 1;
-    unsigned int     requestCertificate	: 1;
-    unsigned int     requireCertificate	: 2;
-    unsigned int     handshakeAsClient	: 1;
-    unsigned int     handshakeAsServer	: 1;
-    unsigned int     enableSSL2		: 1;
-    unsigned int     enableSSL3		: 1;
-    unsigned int     enableTLS		: 1;
-    unsigned int     noCache		: 1;
-    unsigned int     fdx		: 1; /* simultaneous R/W threads */
-    unsigned int     v2CompatibleHello	: 1; /* Send v3+ client hello in v2 format */
-    unsigned int     detectRollBack   	: 1; /* Detect rollback to SSL v3 */
-    unsigned int     noStepDown         : 1;
-    unsigned int     bypassPKCS11       : 1; 
-    unsigned int     noLocks            : 1; 
+    sslOptions       opt;
 
     /* State flags */
     unsigned long    clientAuthRequested;
     unsigned long    delayDisabled;       /* Nagle delay disabled */
     unsigned long    firstHsDone;         /* first handshake is complete. */
     unsigned long    handshakeBegun;     
     unsigned long    lastWriteBlocked;   
     unsigned long    recvdCloseNotify;    /* received SSL EOF. */
@@ -1126,52 +1111,52 @@ extern void      ssl_SetAlwaysBlock(sslS
 extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
 
 #define SSL_LOCK_READER(ss)		if (ss->recvLock) PZ_Lock(ss->recvLock)
 #define SSL_UNLOCK_READER(ss)		if (ss->recvLock) PZ_Unlock(ss->recvLock)
 #define SSL_LOCK_WRITER(ss)		if (ss->sendLock) PZ_Lock(ss->sendLock)
 #define SSL_UNLOCK_WRITER(ss)		if (ss->sendLock) PZ_Unlock(ss->sendLock)
 
 #define ssl_Get1stHandshakeLock(ss)     \
-    { if (!ss->noLocks) PZ_EnterMonitor((ss)->firstHandshakeLock); }
+    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->firstHandshakeLock); }
 #define ssl_Release1stHandshakeLock(ss) \
-    { if (!ss->noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
+    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
 #define ssl_Have1stHandshakeLock(ss)    \
     (PZ_InMonitor((ss)->firstHandshakeLock))
 
 #define ssl_GetSSL3HandshakeLock(ss)	\
-    { if (!ss->noLocks) PZ_EnterMonitor((ss)->ssl3HandshakeLock); }
+    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->ssl3HandshakeLock); }
 #define ssl_ReleaseSSL3HandshakeLock(ss) \
-    { if (!ss->noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
+    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
 #define ssl_HaveSSL3HandshakeLock(ss)	\
     (PZ_InMonitor((ss)->ssl3HandshakeLock))
 
 #define ssl_GetSpecReadLock(ss)		\
-    { if (!ss->noLocks) NSSRWLock_LockRead((ss)->specLock); }
+    { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
 #define ssl_ReleaseSpecReadLock(ss)	\
-    { if (!ss->noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
+    { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
 
 #define ssl_GetSpecWriteLock(ss)	\
-    { if (!ss->noLocks) NSSRWLock_LockWrite((ss)->specLock); }
+    { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
 #define ssl_ReleaseSpecWriteLock(ss)	\
-    { if (!ss->noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
+    { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
 #define ssl_HaveSpecWriteLock(ss)	\
     (NSSRWLock_HaveWriteLock((ss)->specLock))
 
 #define ssl_GetRecvBufLock(ss)		\
-    { if (!ss->noLocks) PZ_EnterMonitor((ss)->recvBufLock); }
+    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->recvBufLock); }
 #define ssl_ReleaseRecvBufLock(ss)	\
-    { if (!ss->noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
+    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
 #define ssl_HaveRecvBufLock(ss)		\
     (PZ_InMonitor((ss)->recvBufLock))
 
 #define ssl_GetXmitBufLock(ss)		\
-    { if (!ss->noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
+    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
 #define ssl_ReleaseXmitBufLock(ss)	\
-    { if (!ss->noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
+    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
 #define ssl_HaveXmitBufLock(ss)		\
     (PZ_InMonitor((ss)->xmitBufLock))
 
 
 extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec,
 		    const unsigned char * cr, const unsigned char * sr,
 		    PRBool isTLS, PRBool isExport);
 extern  SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec,
--- a/security/nss/lib/ssl/sslinfo.c
+++ b/security/nss/lib/ssl/sslinfo.c
@@ -55,17 +55,17 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
 	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelInfo",
 		 SSL_GETPID(), fd));
 	return SECFailure;
     }
 
     memset(&inf, 0, sizeof inf);
     inf.length = PR_MIN(sizeof inf, len);
 
-    if (ss->useSecurity && ss->firstHsDone) {
+    if (ss->opt.useSecurity && ss->firstHsDone) {
         sid = ss->sec.ci.sid;
 	inf.protocolVersion  = ss->version;
 	inf.authKeyBits      = ss->sec.authKeyBits;
 	inf.keaKeyBits       = ss->sec.keaKeyBits;
 	if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
 	    inf.cipherSuite      = ss->sec.cipherType | 0xff00;
 	} else if (ss->ssl3.initialized) { 	/* SSL3 and TLS */
 
--- a/security/nss/lib/ssl/sslsecur.c
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -107,19 +107,19 @@
  */
 int 
 ssl_Do1stHandshake(sslSocket *ss)
 {
     int rv        = SECSuccess;
     int loopCount = 0;
 
     do {
-	PORT_Assert(ss->noLocks ||  ssl_Have1stHandshakeLock(ss) );
-	PORT_Assert(ss->noLocks || !ssl_HaveRecvBufLock(ss));
-	PORT_Assert(ss->noLocks || !ssl_HaveXmitBufLock(ss));
+	PORT_Assert(ss->opt.noLocks ||  ssl_Have1stHandshakeLock(ss) );
+	PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
+	PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
 
 	if (ss->handshake == 0) {
 	    /* Previous handshake finished. Switch to next one */
 	    ss->handshake = ss->nextHandshake;
 	    ss->nextHandshake = 0;
 	}
 	if (ss->handshake == 0) {
 	    /* Previous handshake finished. Switch to security handshake */
@@ -148,18 +148,18 @@ ssl_Do1stHandshake(sslSocket *ss)
 	}
 	rv = (*ss->handshake)(ss);
 	++loopCount;
     /* This code must continue to loop on SECWouldBlock, 
      * or any positive value.	See XXX_1 comments.
      */
     } while (rv != SECFailure);  	/* was (rv >= 0); XXX_1 */
 
-    PORT_Assert(ss->noLocks || !ssl_HaveRecvBufLock(ss));
-    PORT_Assert(ss->noLocks || !ssl_HaveXmitBufLock(ss));
+    PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
+    PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
 
     if (rv == SECWouldBlock) {
 	PORT_SetError(PR_WOULD_BLOCK_ERROR);
 	rv = SECFailure;
     }
     return rv;
 }
 
@@ -197,17 +197,17 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool
 
     ss = ssl_FindSocket(s);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in ResetHandshake", SSL_GETPID(), s));
 	return SECFailure;
     }
 
     /* Don't waste my time */
-    if (!ss->useSecurity)
+    if (!ss->opt.useSecurity)
 	return SECSuccess;
 
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
 
     /* Reset handshake state */
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
@@ -259,17 +259,17 @@ SSL_ReHandshake(PRFileDesc *fd, PRBool f
     SECStatus  rv;
     
     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in RedoHandshake", SSL_GETPID(), fd));
 	return SECFailure;
     }
 
-    if (!ss->useSecurity)
+    if (!ss->opt.useSecurity)
 	return SECSuccess;
     
     ssl_Get1stHandshakeLock(ss);
 
     /* SSL v2 protocol does not support subsequent handshakes. */
     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
@@ -301,17 +301,17 @@ SSL_HandshakeCallback(PRFileDesc *fd, SS
     
     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeCallback",
 		 SSL_GETPID(), fd));
 	return SECFailure;
     }
 
-    if (!ss->useSecurity) {
+    if (!ss->opt.useSecurity) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
 
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
 
     ss->handshakeCallback     = cb;
@@ -342,17 +342,17 @@ SSL_ForceHandshake(PRFileDesc *fd)
     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in ForceHandshake",
 		 SSL_GETPID(), fd));
 	return rv;
     }
 
     /* Don't waste my time */
-    if (!ss->useSecurity) 
+    if (!ss->opt.useSecurity) 
     	return SECSuccess;
 
     ssl_Get1stHandshakeLock(ss);
 
     if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
 	int gatherResult;
 
     	ssl_GetRecvBufLock(ss);
@@ -413,17 +413,17 @@ sslBuffer_Grow(sslBuffer *b, unsigned in
 */
 SECStatus 
 ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf, const void *data, 
                       unsigned int len)
 {
     unsigned int newlen;
     SECStatus    rv;
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
     newlen = buf->len + len;
     if (newlen > buf->space) {
 	rv = sslBuffer_Grow(buf, newlen);
 	if (rv) {
 	    return rv;
 	}
     }
     SSL_TRC(5, ("%d: SSL[%d]: saving %d bytes of data (%d total saved so far)",
@@ -440,17 +440,17 @@ ssl_SaveWriteData(sslSocket *ss, sslBuff
 ** Caller must hold xmitBufLock
 */
 int 
 ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf, sslSendFunc send)
 {
     int rv	= 0;
     int len	= buf->len;
 
-    PORT_Assert( ss->noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
     if (len != 0) {
 	SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data",
 		     SSL_GETPID(), ss->fd, len));
 	rv = (*send)(ss, buf->buf, len, 0);
 	if (rv < 0) {
 	    return rv;
 	} 
 	if (rv < len) {
@@ -684,17 +684,17 @@ SSL_ConfigSecureServer(PRFileDesc *fd, C
         sc->serverKeyPair = ssl3_NewKeyPair(keyCopy, NULL);
         if (sc->serverKeyPair == NULL) {
             SECKEY_DestroyPrivateKey(keyCopy);
             goto loser;
         }
     }
 
     if (kea == kt_rsa && cert && sc->serverKeyBits > 512) {
-	if (ss->noStepDown) {
+	if (ss->opt.noStepDown) {
 	    /* disable all export ciphersuites */
 	} else {
 	    rv = ssl3_CreateRSAStepDownKeys(ss);
 	    if (rv != SECSuccess) {
 		return SECFailure; /* err set by ssl3_CreateRSAStepDownKeys */
 	    }
 	}
     }
@@ -868,17 +868,17 @@ ssl_DestroySecurityInfo(sslSecurityInfo 
 /************************************************************************/
 
 int 
 ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
 {
     PRFileDesc *osfd = ss->fd->lower;
     int rv;
 
-    if ( ss->handshakeAsServer ) {
+    if ( ss->opt.handshakeAsServer ) {
 	ss->securityHandshake = ssl2_BeginServerHandshake;
 	ss->handshaking = sslHandshakingAsServer;
     } else {
 	ss->securityHandshake = ssl2_BeginClientHandshake;
 	ss->handshaking = sslHandshakingAsClient;
     }
 
     /* connect to server */
@@ -967,17 +967,17 @@ ssl_SecureRecv(sslSocket *ss, unsigned c
 	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
     	return PR_FAILURE;
     }
     if (flags & ~PR_MSG_PEEK) {
 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
     	return PR_FAILURE;
     }
 
-    if (!ssl_SocketIsBlocking(ss) && !ss->fdx) {
+    if (!ssl_SocketIsBlocking(ss) && !ss->opt.fdx) {
 	ssl_GetXmitBufLock(ss);
 	if (ss->pendingBuf.len != 0) {
 	    rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend);
 	    if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {
 		ssl_ReleaseXmitBufLock(ss);
 		return SECFailure;
 	    }
 	    /* XXX short write? */
@@ -1143,17 +1143,17 @@ SSL_SetURL(PRFileDesc *fd, const char *u
 int
 SSL_DataPending(PRFileDesc *fd)
 {
     sslSocket *ss;
     int        rv  = 0;
 
     ss = ssl_FindSocket(fd);
 
-    if (ss && ss->useSecurity) {
+    if (ss && ss->opt.useSecurity) {
 
 	ssl_Get1stHandshakeLock(ss);
 	ssl_GetSSL3HandshakeLock(ss);
 
 	ssl_GetRecvBufLock(ss);
 	rv = ss->gs.writeOffset - ss->gs.readOffset;
 	ssl_ReleaseRecvBufLock(ss);
 
@@ -1191,17 +1191,17 @@ SSL_GetSessionID(PRFileDesc *fd)
     sslSocket *    ss;
     SECItem *      item = NULL;
 
     ss = ssl_FindSocket(fd);
     if (ss) {
 	ssl_Get1stHandshakeLock(ss);
 	ssl_GetSSL3HandshakeLock(ss);
 
-	if (ss->useSecurity && ss->firstHsDone && ss->sec.ci.sid) {
+	if (ss->opt.useSecurity && ss->firstHsDone && ss->sec.ci.sid) {
 	    item = (SECItem *)PORT_Alloc(sizeof(SECItem));
 	    if (item) {
 		sslSessionID * sid = ss->sec.ci.sid;
 		if (sid->version < SSL_LIBRARY_VERSION_3_0) {
 		    item->len = SSL2_SESSIONID_BYTES;
 		    item->data = (unsigned char*)PORT_Alloc(item->len);
 		    PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len);
 		} else {
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -226,34 +226,20 @@ ssl_FindSocket(PRFileDesc *fd)
 }
 
 sslSocket *
 ssl_DupSocket(sslSocket *os)
 {
     sslSocket *ss;
     SECStatus rv;
 
-    ss = ssl_NewSocket((PRBool)(!os->noLocks));
+    ss = ssl_NewSocket((PRBool)(!os->opt.noLocks));
     if (ss) {
-	ss->useSecurity        = os->useSecurity;
-	ss->useSocks           = PR_FALSE;
-	ss->requestCertificate = os->requestCertificate;
-	ss->requireCertificate = os->requireCertificate;
-	ss->handshakeAsClient  = os->handshakeAsClient;
-	ss->handshakeAsServer  = os->handshakeAsServer;
-	ss->enableSSL2         = os->enableSSL2;
-	ss->enableSSL3         = os->enableSSL3;
-	ss->enableTLS          = os->enableTLS;
-	ss->noCache            = os->noCache;
-	ss->fdx                = os->fdx;
-	ss->v2CompatibleHello  = os->v2CompatibleHello;
-	ss->detectRollBack     = os->detectRollBack;
-	ss->noStepDown         = os->noStepDown;
-	ss->bypassPKCS11       = os->bypassPKCS11;
-	ss->noLocks            = os->noLocks;
+	ss->opt                = os->opt;
+	ss->opt.useSocks       = PR_FALSE;
 
 	ss->peerID             = !os->peerID ? NULL : PORT_Strdup(os->peerID);
 	ss->url                = !os->url    ? NULL : PORT_Strdup(os->url);
 
 	ss->ops      = os->ops;
 	ss->rTimeout = os->rTimeout;
 	ss->wTimeout = os->wTimeout;
 	ss->cTimeout = os->cTimeout;
@@ -272,17 +258,17 @@ ssl_DupSocket(sslSocket *os)
 		            os->sizeCipherSpecs);
 	    ss->sizeCipherSpecs    = os->sizeCipherSpecs;
 	    ss->preferredCipher    = os->preferredCipher;
 	} else {
 	    ss->cipherSpecs        = NULL;  /* produced lazily */
 	    ss->sizeCipherSpecs    = 0;
 	    ss->preferredCipher    = NULL;
 	}
-	if (ss->useSecurity) {
+	if (ss->opt.useSecurity) {
 	    /* This int should be SSLKEAType, but CC on Irix complains,
 	     * during the for loop.
 	     */
 	    int i;
 	    sslServerCerts * oc = os->serverCerts;
 	    sslServerCerts * sc = ss->serverCerts;
 
 	    for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
@@ -476,17 +462,17 @@ ssl_EnableNagleDelay(sslSocket *ss, PRBo
     }
 
     return rv;
 }
 
 static void
 ssl_ChooseOps(sslSocket *ss)
 {
-    ss->ops = ss->useSecurity ? &ssl_secure_ops       : &ssl_default_ops;
+    ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops;
 }
 
 /* Called from SSL_Enable (immediately below) */
 static SECStatus
 PrepareSocket(sslSocket *ss)
 {
     SECStatus     rv = SECSuccess;
 
@@ -511,126 +497,126 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
 	return SECFailure;
     }
 
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
 
     switch (which) {
       case SSL_SOCKS:
-	ss->useSocks = PR_FALSE;
+	ss->opt.useSocks = PR_FALSE;
 	rv = PrepareSocket(ss);
 	if (on) {
 	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	    rv = SECFailure;
 	}
 	break;
 
       case SSL_SECURITY:
-	ss->useSecurity = on;
+	ss->opt.useSecurity = on;
 	rv = PrepareSocket(ss);
 	break;
 
       case SSL_REQUEST_CERTIFICATE:
-	ss->requestCertificate = on;
+	ss->opt.requestCertificate = on;
 	break;
 
       case SSL_REQUIRE_CERTIFICATE:
-	ss->requireCertificate = on;
+	ss->opt.requireCertificate = on;
 	break;
 
       case SSL_HANDSHAKE_AS_CLIENT:
-	if ( ss->handshakeAsServer && on ) {
+	if ( ss->opt.handshakeAsServer && on ) {
 	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	    rv = SECFailure;
 	    break;
 	}
-	ss->handshakeAsClient = on;
+	ss->opt.handshakeAsClient = on;
 	break;
 
       case SSL_HANDSHAKE_AS_SERVER:
-	if ( ss->handshakeAsClient && on ) {
+	if ( ss->opt.handshakeAsClient && on ) {
 	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	    rv = SECFailure;
 	    break;
 	}
-	ss->handshakeAsServer = on;
+	ss->opt.handshakeAsServer = on;
 	break;
 
       case SSL_ENABLE_TLS:
-	ss->enableTLS           = on;
+	ss->opt.enableTLS       = on;
 	ss->preferredCipher     = NULL;
 	if (ss->cipherSpecs) {
 	    PORT_Free(ss->cipherSpecs);
 	    ss->cipherSpecs     = NULL;
 	    ss->sizeCipherSpecs = 0;
 	}
 	break;
 
       case SSL_ENABLE_SSL3:
-	ss->enableSSL3          = on;
+	ss->opt.enableSSL3      = on;
 	ss->preferredCipher     = NULL;
 	if (ss->cipherSpecs) {
 	    PORT_Free(ss->cipherSpecs);
 	    ss->cipherSpecs     = NULL;
 	    ss->sizeCipherSpecs = 0;
 	}
 	break;
 
       case SSL_ENABLE_SSL2:
-	ss->enableSSL2          = on;
+	ss->opt.enableSSL2       = on;
 	if (on) {
-	    ss->v2CompatibleHello = on;
+	    ss->opt.v2CompatibleHello = on;
 	}
 	ss->preferredCipher     = NULL;
 	if (ss->cipherSpecs) {
 	    PORT_Free(ss->cipherSpecs);
 	    ss->cipherSpecs     = NULL;
 	    ss->sizeCipherSpecs = 0;
 	}
 	break;
 
       case SSL_NO_CACHE:
-	ss->noCache = on;
+	ss->opt.noCache = on;
 	break;
 
       case SSL_ENABLE_FDX:
-      	ss->fdx = on;
+      	ss->opt.fdx = on;
 	break;
 
       case SSL_V2_COMPATIBLE_HELLO:
-      	ss->v2CompatibleHello = on;
+      	ss->opt.v2CompatibleHello = on;
 	if (!on) {
-	    ss->enableSSL2    = on;
+	    ss->opt.enableSSL2    = on;
 	}
 	break;
 
       case SSL_ROLLBACK_DETECTION:  
-	ss->detectRollBack = on;
+	ss->opt.detectRollBack = on;
         break;
 
       case SSL_NO_STEP_DOWN:        
-	ss->noStepDown     = on;         
+	ss->opt.noStepDown     = on;         
 	if (on) 
 	    SSL_DisableExportCipherSuites(fd);
 	break;
 
       case SSL_BYPASS_PKCS11:
 	if (ss->handshakeBegun) {
 	    PORT_SetError(PR_INVALID_STATE_ERROR);
 	    rv = SECFailure;
 	} else {
-	    ss->bypassPKCS11   = on;
+	    ss->opt.bypassPKCS11   = on;
 	}
 	break;
 
       case SSL_NO_LOCKS:
 	/* Need logic here to not let this be changed after the
 	** locks have been created. XXX NBB */
-	ss->noLocks        = on;
+	ss->opt.noLocks   = on;
 	locksEverDisabled = PR_TRUE;
 	break;
 
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
     }
 
@@ -657,31 +643,31 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
 	return SECFailure;
     }
 
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
 
     switch (which) {
     case SSL_SOCKS:               on = PR_FALSE;               break;
-    case SSL_SECURITY:            on = ss->useSecurity;        break;
-    case SSL_REQUEST_CERTIFICATE: on = ss->requestCertificate; break;
-    case SSL_REQUIRE_CERTIFICATE: on = ss->requireCertificate; break;
-    case SSL_HANDSHAKE_AS_CLIENT: on = ss->handshakeAsClient;  break;
-    case SSL_HANDSHAKE_AS_SERVER: on = ss->handshakeAsServer;  break;
-    case SSL_ENABLE_TLS:          on = ss->enableTLS;          break;
-    case SSL_ENABLE_SSL3:         on = ss->enableSSL3;         break;
-    case SSL_ENABLE_SSL2:         on = ss->enableSSL2;         break;
-    case SSL_NO_CACHE:            on = ss->noCache;            break;
-    case SSL_ENABLE_FDX:          on = ss->fdx;                break;
-    case SSL_V2_COMPATIBLE_HELLO: on = ss->v2CompatibleHello;  break;
-    case SSL_ROLLBACK_DETECTION:  on = ss->detectRollBack;     break;
-    case SSL_NO_STEP_DOWN:        on = ss->noStepDown;         break;
-    case SSL_BYPASS_PKCS11:       on = ss->bypassPKCS11;       break;
-    case SSL_NO_LOCKS:            on = ss->noLocks;            break;
+    case SSL_SECURITY:            on = ss->opt.useSecurity;        break;
+    case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
+    case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
+    case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient;  break;
+    case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer;  break;
+    case SSL_ENABLE_TLS:          on = ss->opt.enableTLS;          break;
+    case SSL_ENABLE_SSL3:         on = ss->opt.enableSSL3;         break;
+    case SSL_ENABLE_SSL2:         on = ss->opt.enableSSL2;         break;
+    case SSL_NO_CACHE:            on = ss->opt.noCache;            break;
+    case SSL_ENABLE_FDX:          on = ss->opt.fdx;                break;
+    case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello;  break;
+    case SSL_ROLLBACK_DETECTION:  on = ss->opt.detectRollBack;     break;
+    case SSL_NO_STEP_DOWN:        on = ss->opt.noStepDown;         break;
+    case SSL_BYPASS_PKCS11:       on = ss->opt.bypassPKCS11;       break;
+    case SSL_NO_LOCKS:            on = ss->opt.noLocks;            break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
     }
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
@@ -935,17 +921,17 @@ SSL_CipherPrefSet(PRFileDesc *fd, PRInt3
 {
     SECStatus rv;
     sslSocket *ss = ssl_FindSocket(fd);
     
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
 	return SECFailure;
     }
-    if (enabled && ss->noStepDown && SSL_IsExportCipherSuite(which)) {
+    if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) {
     	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
 	return SECFailure;
     }
     if (SSL_IS_SSL2_CIPHER(which)) {
 	rv = ssl2_CipherPrefSet(ss, which, enabled);
     } else {
 	rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
     }
@@ -1113,18 +1099,18 @@ ssl_Accept(PRFileDesc *fd, PRNetAddr *so
     /* push ssl module onto the new socket */
     status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
     if (status != PR_SUCCESS)
 	goto loser;
 
     /* Now start server connection handshake with client.
     ** Don't need locks here because nobody else has a reference to ns yet.
     */
-    if ( ns->useSecurity ) {
-	if ( ns->handshakeAsClient ) {
+    if ( ns->opt.useSecurity ) {
+	if ( ns->opt.handshakeAsClient ) {
 	    ns->handshake = ssl2_BeginClientHandshake;
 	    ss->handshaking = sslHandshakingAsClient;
 	} else {
 	    ns->handshake = ssl2_BeginServerHandshake;
 	    ss->handshaking = sslHandshakingAsServer;
 	}
     }
     ns->TCPconnected = 1;
@@ -1270,17 +1256,17 @@ ssl_Recv(PRFileDesc *fd, void *buf, PRIn
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
 	return SECFailure;
     }
     SSL_LOCK_READER(ss);
     ss->rTimeout = timeout;
-    if (!ss->fdx)
+    if (!ss->opt.fdx)
 	ss->wTimeout = timeout;
     rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
     SSL_UNLOCK_READER(ss);
     return rv;
 }
 
 static int PR_CALLBACK
 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
@@ -1291,17 +1277,17 @@ ssl_Send(PRFileDesc *fd, const void *buf
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
 	return SECFailure;
     }
     SSL_LOCK_WRITER(ss);
     ss->wTimeout = timeout;
-    if (!ss->fdx)
+    if (!ss->opt.fdx)
 	ss->rTimeout = timeout;
     rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
     SSL_UNLOCK_WRITER(ss);
     return rv;
 }
 
 static int PR_CALLBACK
 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
@@ -1311,17 +1297,17 @@ ssl_Read(PRFileDesc *fd, void *buf, PRIn
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
 	return SECFailure;
     }
     SSL_LOCK_READER(ss);
     ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
-    if (!ss->fdx)
+    if (!ss->opt.fdx)
 	ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
     rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
     SSL_UNLOCK_READER(ss);
     return rv;
 }
 
 static int PR_CALLBACK
 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
@@ -1331,17 +1317,17 @@ ssl_Write(PRFileDesc *fd, const void *bu
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
 	return SECFailure;
     }
     SSL_LOCK_WRITER(ss);
     ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
-    if (!ss->fdx)
+    if (!ss->opt.fdx)
 	ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
     rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
     SSL_UNLOCK_WRITER(ss);
     return rv;
 }
 
 static PRStatus PR_CALLBACK
 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
@@ -1427,17 +1413,17 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_fla
     *p_out_flags = 0;
     ss = ssl_GetPrivate(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
 		 SSL_GETPID(), fd));
 	return 0;	/* don't poll on this socket */
     }
 
-    if (ss->useSecurity && 
+    if (ss->opt.useSecurity && 
 	ss->handshaking != sslHandshakingUndetermined &&
         !ss->firstHsDone &&
 	(how_flags & PR_POLL_RW)) {
 	if (!ss->TCPconnected) {
 	    ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
 	}
 	/* If it's not connected, then presumably the application is polling
 	** on read or write appropriately, so don't change it. 
@@ -1902,75 +1888,73 @@ ssl_MakeLocks(sslSocket *ss)
 	if (!ss->sendLock) 
 	    goto loser;
     }
     return SECSuccess;
 loser:
     return SECFailure;
 }
 
+#if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+#define NSS_HAVE_GETENV 1
+#endif
 
 /*
 ** Create a newsocket structure for a file descriptor.
 */
 static sslSocket *
 ssl_NewSocket(PRBool makeLocks)
 {
     sslSocket *ss;
-#ifdef DEBUG
-#if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+#if defined( NSS_HAVE_GETENV )
     static int firsttime = 1;
 
     if (firsttime) {
+	char * ev;
 	firsttime = 0;
-	{
-	    char *ev = getenv("SSLDEBUG");
-	    if (ev && ev[0]) {
-		ssl_debug = atoi(ev);
-		SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
-	    }
-	}
+#ifdef DEBUG
 #ifdef TRACE
-	{
-	    char *ev = getenv("SSLTRACE");
-	    if (ev && ev[0]) {
-		ssl_trace = atoi(ev);
-		SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
-	    }
+	ev = getenv("SSLTRACE");
+	if (ev && ev[0]) {
+	    ssl_trace = atoi(ev);
+	    SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
 	}
 #endif /* TRACE */
+	ev = getenv("SSLDEBUG");
+	if (ev && ev[0]) {
+	    ssl_debug = atoi(ev);
+	    SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
+	}
+#endif /* DEBUG */
+	ev = getenv("SSLBYPASS");
+	if (ev && ev[0]) {
+	    ssl_defaults.bypassPKCS11 = (ev[0] == '1');
+	    SSL_TRACE(("SSL: bypass default set to %d", \
+		      ssl_defaults.bypassPKCS11));
+	}
+	ev = getenv("SSLNOLOCKS");
+	if (ev && ev[0]) {
+	    ssl_defaults.noLocks = (ev[0] == '1');
+	    SSL_TRACE(("SSL: noLocks default set to %d", ssl_defaults.noLocks));
+	}
     }
-#endif /* XP_UNIX || XP_WIN32 */
-#endif /* DEBUG */
+#endif /* NSS_HAVE_GETENV */
 
     /* Make a new socket and get it ready */
     ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
     if (ss) {
         /* This should be of type SSLKEAType, but CC on IRIX
 	 * complains during the for loop.
 	 */
 	int i;
 	SECStatus status;
  
-	ss->useSecurity        = ssl_defaults.useSecurity;
-	ss->useSocks           = PR_FALSE;
-	ss->requestCertificate = ssl_defaults.requestCertificate;
-	ss->requireCertificate = ssl_defaults.requireCertificate;
-	ss->handshakeAsClient  = ssl_defaults.handshakeAsClient;
-	ss->handshakeAsServer  = ssl_defaults.handshakeAsServer;
-	ss->enableSSL2         = ssl_defaults.enableSSL2;
-	ss->enableSSL3         = ssl_defaults.enableSSL3;
-	ss->enableTLS          = ssl_defaults.enableTLS ;
-	ss->noCache            = ssl_defaults.noCache;
-	ss->fdx                = ssl_defaults.fdx;
-	ss->v2CompatibleHello  = ssl_defaults.v2CompatibleHello;
-	ss->detectRollBack     = ssl_defaults.detectRollBack;
-	ss->noStepDown         = ssl_defaults.noStepDown;
-	ss->bypassPKCS11       = ssl_defaults.bypassPKCS11;
-	ss->noLocks            = !makeLocks;
+	ss->opt                = ssl_defaults;
+	ss->opt.useSocks       = PR_FALSE;
+	ss->opt.noLocks        = !makeLocks;
 
 	ss->peerID             = NULL;
 	ss->rTimeout	       = PR_INTERVAL_NO_TIMEOUT;
 	ss->wTimeout	       = PR_INTERVAL_NO_TIMEOUT;
 	ss->cTimeout	       = PR_INTERVAL_NO_TIMEOUT;
 	ss->cipherSpecs        = NULL;
         ss->sizeCipherSpecs    = 0;  /* produced lazily */
         ss->preferredCipher    = NULL;