openssl: drop includes unused or duplicate

Also:
- vquic-tls.h: do not include unused headers for non-H3 builds.
- autotools: stop looking for `openssl/x509.h` header.
- cmp-config.pl: delete exception for `openssl/x509.h`.
- examples: format/comment sync between the two touched files.
- openssl: drop unused `curlx/wait.h` include.

Closes #20049

.github/scripts/cmp-config.pl

@@ -68,7 +68,6 @@ my %remove = (
     '#define HAVE_OPENSSL_PEM_H 1' => 1,
     '#define HAVE_OPENSSL_RSA_H 1' => 1,
     '#define HAVE_OPENSSL_SSL_H 1' => 1,
-    '#define HAVE_OPENSSL_X509_H 1' => 1,
     '#define HAVE_QUICHE_H 1' => 1,
     '#define HAVE_SSL_SET_QUIC_TLS_CBS 1' => 1,
     '#define HAVE_SSL_SET_QUIC_USE_LEGACY_CODEPOINT 1' => 1,

docs/examples/cacertinmem.c

@@ -28,7 +28,6 @@
 
 /* Requires: USE_OPENSSL */
 
-#include <openssl/err.h>
 #include <openssl/ssl.h>
 
 #include <stdio.h>

docs/examples/usercertinmem.c

@@ -38,9 +38,9 @@
 #endif
 
 #include <openssl/ssl.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
+
 #include <curl/curl.h>
+
 #include <stdio.h>
 
 #if defined(__GNUC__) || defined(__clang__)
@@ -189,7 +189,7 @@ int main(void)
     else
       printf("*** transfer failed ***\n");
 
-    /* second try: retrieve page using user certificate and key -> succeeds
+    /* second try: retrieve page using user certificate and key -> succeeds to
      * load the certificate and key by installing a function doing
      * the necessary "modifications" to the SSL CONTEXT just before link init
      */

lib/vquic/vquic-tls.h

@@ -25,14 +25,15 @@
  ***************************************************************************/
 
 #include "../curl_setup.h"
-#include "../bufq.h"
-#include "../vtls/vtls.h"
-#include "../vtls/vtls_int.h"
-#include "../vtls/openssl.h"
 
 #if defined(USE_HTTP3) && \
   (defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_WOLFSSL))
 
+#include "../bufq.h"
+#include "../vtls/vtls.h"
+#include "../vtls/vtls_int.h"
+
+#include "../vtls/openssl.h"
 #include "../vtls/wolfssl.h"
 
 struct ssl_peer;

lib/vtls/openssl.c

@@ -52,7 +52,6 @@
 #include "../connect.h"
 #include "../progress.h"
 #include "../select.h"
-#include "../curlx/wait.h"
 #include "vtls.h"
 #include "vtls_int.h"
 #include "vtls_scache.h"
@@ -66,7 +65,6 @@
 #include "../strdup.h"
 #include "apple.h"
 
-#include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
 #ifndef OPENSSL_NO_DSA
@@ -74,12 +72,10 @@
 #endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
-#include <openssl/md5.h>
 #include <openssl/conf.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/bio.h>
-#include <openssl/buffer.h>
 #include <openssl/pkcs12.h>
 #include <openssl/tls1.h>
 #include <openssl/evp.h>

lib/vtls/schannel.h

@@ -58,7 +58,7 @@
 /* <wincrypt.h> has been included via the above <schnlsp.h>.
  * Or in case of ldap.c, it was included via <winldap.h>.
  * And since <wincrypt.h> has this:
- *   #define X509_NAME  ((LPCSTR) 7)
+ *   #define X509_NAME  ((LPCSTR)7)
  *
  * And in BoringSSL's <openssl/base.h> there is:
  *  typedef struct X509_name_st X509_NAME;

m4/curl-amissl.m4

@@ -52,8 +52,7 @@ if test "$HAVE_PROTO_BSDSOCKET_H" = "1"; then
       CURL_NETWORK_AND_TIME_LIBS="-lamisslstubs -lamisslauto $CURL_NETWORK_AND_TIME_LIBS"
       AC_DEFINE(USE_AMISSL, 1, [if AmiSSL is in use])
       AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use])
-      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
-                       openssl/pem.h openssl/ssl.h openssl/err.h)
+      AC_CHECK_HEADERS(openssl/rsa.h openssl/crypto.h openssl/pem.h openssl/ssl.h openssl/err.h)
     ],[
       AC_MSG_RESULT([no])
     ])

m4/curl-openssl.m4

@@ -211,8 +211,7 @@ if test "x$OPT_OPENSSL" != "xno"; then
 
     if test "$ac_cv_lib_ssl_SSL_connect" = "yes"; then
       dnl Have the libraries--check for OpenSSL headers
-      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
-                       openssl/pem.h openssl/ssl.h openssl/err.h,
+      AC_CHECK_HEADERS(openssl/rsa.h openssl/crypto.h openssl/pem.h openssl/ssl.h openssl/err.h,
         ssl_msg="OpenSSL"
         test "openssl" != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
         OPENSSL_ENABLED=1

tests/libtest/lib758.c

@@ -34,7 +34,6 @@
 
 #ifdef USE_OPENSSL
 
-#include <openssl/x509.h>
 #include <openssl/ssl.h>
 
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L