The nice people at OpenSSL have already committed the two patches
(renegotiation with ECDHE ciphers, detecting HTTP-on-HTTPS) and I think
I found an easy way to trigger renegotiation without polling (using
SSL_peek).
The current code runs the test suite with 1.0.2 and with 1.1.0 without
any SSL-related failures.
I'll let it settle a bit and test again once OpenSSL 1.1.0pre3 is out
before suggesting a backport to 2.4. I also need to set up the test suite
environment for 2.4 with support for OpenSSL 0.9.8 to check against
regressions.
Regards,
Rainer