Add a regression test suite for SSL support.

It's not run by the global "check" or "installcheck" targets, because the
temporary installation it creates accepts TCP connections from any user
the same host, which is insecure.

src/test/Makefile

@@ -14,6 +14,10 @@ include $(top_builddir)/src/Makefile.global
 
 SUBDIRS = regress isolation modules
 
+# The SSL suite is not secure to run on a multi-user system, so don't run
+# it as part of global "check" target.
+ALWAYS_SUBDIRS = ssl
+
 # We want to recurse to all subdirs for all standard targets, except that
 # installcheck and install should not recurse into the subdirectory "modules".
 
@@ -23,3 +27,5 @@ installable_dirs := $(filter-out modules, $(SUBDIRS))
 $(call recurse,$(recurse_alldirs_targets))
 $(call recurse,installcheck, $(installable_dirs))
 $(call recurse,install, $(installable_dirs))
+
+$(recurse_always)

src/test/ssl/Makefile

@@ -0,0 +1,126 @@
+#-------------------------------------------------------------------------
+#
+# Makefile for src/test/ssl
+#
+# Portions Copyright (c) 1996-2014, PostgreSQL Global Development Group
+# Portions Copyright (c) 1994, Regents of the University of California
+#
+# src/test/ssl/Makefile
+#
+#-------------------------------------------------------------------------
+
+subdir = src/test/ssl
+top_builddir = ../../..
+include $(top_builddir)/src/Makefile.global
+
+CERTIFICATES := server_ca server-cn-and-alt-names \
+	server-cn-only server-single-alt-name server-multiple-alt-names \
+	server-no-names server-revoked server-ss \
+	client_ca client client-revoked \
+	root_ca
+
+SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
+	ssl/client.crl ssl/server.crl ssl/root.crl \
+	ssl/both-cas-1.crt ssl/both-cas-2.crt \
+	ssl/root+server_ca.crt ssl/root+server.crl \
+	ssl/root+client_ca.crt ssl/root+client.crl
+
+# This target generates all the key and certificate files.
+sslfiles: $(SSLFILES)
+
+# Openssl requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+	mkdir ssl/new_certs_dir
+
+# Rule for creating private/public key pairs.
+ssl/%.key:
+	openssl genrsa -out $@ 1024
+	chmod 0600 $@
+
+# Root CA certificate
+ssl/root_ca.crt: ssl/root_ca.key cas.config
+	touch ssl/root_ca-certindex
+	openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key
+	echo "01" > ssl/root_ca.srl
+
+# Client and server CAs
+ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
+	touch ssl/$*_ca-certindex
+	openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
+# Sign the certificate with the root CA
+	openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt
+	openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
+	rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
+	echo "01" > ssl/$*_ca.srl
+
+# Server certificates, signed by server CA:
+ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
+	openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
+	openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt  -extensions v3_req -extfile server-$*.config
+	openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
+	rm ssl/server-$*.csr
+
+# Self-signed version of server-cn-only.crt
+ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
+	openssl req -new -key ssl/server-cn-only.key -out ssl/server-ss.csr -config server-cn-only.config
+	openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt  -extensions v3_req -extfile server-cn-only.config
+	rm ssl/server-ss.csr
+
+# Client certificate, signed by the client CA:
+ssl/client.crt: ssl/client.key ssl/client_ca.crt
+	openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
+	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
+	openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
+	rm ssl/client.csr ssl/temp.crt
+
+# Another client certificate, signed by the client CA. This one is revoked.
+ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
+	openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
+	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
+	openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
+	rm ssl/client-revoked.csr ssl/temp.crt
+
+# Root certificate files that contains both CA certificates, for testing
+# that multiple certificates can be used.
+ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
+	cat $^ > $@
+
+# The same, but the certs are in different order
+ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
+	cat $^ > $@
+
+# A root certificate file for the client, to validate server certs.
+ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
+	cat $^ > $@
+
+# and for the server, to validate client certs
+ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
+	cat $^ > $@
+
+#### CRLs
+
+ssl/client.crl: ssl/client-revoked.crt
+	openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
+	openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
+
+ssl/server.crl: ssl/server-revoked.crt
+	openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
+	openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
+
+ssl/root.crl: ssl/root_ca.crt
+	openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
+
+# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
+# chain, even if some of them are empty.
+ssl/root+server.crl: ssl/root.crl ssl/server.crl
+	cat $^ > $@
+ssl/root+client.crl: ssl/root.crl ssl/client.crl
+	cat $^ > $@
+
+.PHONY: sslfiles-clean
+sslfiles-clean:
+	rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
+
+check:
+	$(prove_check)

src/test/ssl/README

@@ -0,0 +1,83 @@
+src/test/ssl/README
+
+SSL regression tests
+====================
+
+This directory contains a test suite for SSL support. It tests both
+client-side functionality, i.e. verifying server certificates, and
+server-side functionality, i.e. certificate authorization.
+
+Running the tests
+=================
+
+    make check
+
+NOTE: This creates a temporary installation, and sets it up to listen for TCP
+connections on localhost. Any user on the same host is allowed to log in to
+the test installation while the tests are running. Do not run this suite
+on a multi-user system where you don't trust all local users!
+
+Certificates
+============
+
+The test suite needs a set of public/private key pairs and certificates to
+run:
+
+root_ca
+	root CA, use to sign the server and client CA certificates.
+
+server_ca
+	CA used to sign server certificates.
+
+client_ca
+	CA used to sign client certificates.
+
+server-cn-only
+server-cn-and-alt-names
+server-single-alt-name
+server-multiple-alt-names
+server-no-names
+	server certificates, with small variations in the hostnames present
+        in the certificate. Signed by server_ca.
+
+server-ss
+	same as server-cn-only, but self-signed.
+
+client
+	a client certificate, for user "ssltestuser". Signed by client_ca.
+
+client-revoked
+	like "client", but marked as revoked in the client CA's CRL.
+
+In addition, there are a few files that combine various certificates together
+in the same file:
+
+both-cas-1
+	Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order.
+
+both-cas-2
+	Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order.
+
+root+server_ca
+	Contains root_crt and server_ca.crt. For use as client's "sslrootcert"
+	option.
+
+root+client_ca
+	Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file".
+
+There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.
+
+For convenience, all of these keypairs and certificates are included in the
+ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
+recreate them if you need to make changes.
+
+TODO
+====
+
+* Allow the client-side of the tests to be run on different host easily.
+  Currently, you have to manually set up the certificates for the right
+  hostname, and modify the test file to skip setting up the server. And you
+  have to modify the server to accept connections from the client host.
+
+* Test having multiple server certificates, so that the private key chooses
+  the certificate to present to clients. (And the same in the client-side.)

src/test/ssl/ServerSetup.pm

@@ -0,0 +1,96 @@
+# This module sets up a test server, for the SSL regression tests.
+#
+# The server is configured as follows:
+#
+# - SSL enabled, with the server certificate specified by argument to
+#   switch_server_cert function.
+# - ssl/root+client_ca.crt as the CA root for validating client certs.
+# - reject non-SSL connections
+# - a database called trustdb that lets anyone in
+# - another database called certdb that uses certificate authentiction, ie.
+#   the client must present a valid certificate signed by the client CA
+# - two users, called ssltestuser and anotheruser.
+#
+# The server is configured to only accept connections from localhost. If you
+# want to run the client from another host, you'll have to configure that
+# manually.
+package ServerSetup;
+
+use strict;
+use warnings;
+use TestLib;
+use Test::More;
+
+use Exporter 'import';
+our @EXPORT = qw(
+  configure_test_server_for_ssl switch_server_cert
+);
+
+sub configure_test_server_for_ssl
+{
+  my $tempdir = $_[0];
+
+  # Create test users and databases
+  psql 'postgres', "CREATE USER ssltestuser";
+  psql 'postgres', "CREATE USER anotheruser";
+  psql 'postgres', "CREATE DATABASE trustdb";
+  psql 'postgres', "CREATE DATABASE certdb";
+
+  # enable logging etc.
+  open CONF, ">>$tempdir/pgdata/postgresql.conf";
+  print CONF "fsync=off\n";
+  print CONF "log_connections=on\n";
+  print CONF "log_hostname=on\n";
+  print CONF "log_statement=all\n";
+
+  # enable SSL and set up server key
+  print CONF "include 'sslconfig.conf'";
+
+  close CONF;
+
+
+  # Copy all server certificates and keys, and client root cert, to the data dir
+  system_or_bail "cp ssl/server-*.crt '$tempdir'/pgdata";
+  system_or_bail "cp ssl/server-*.key '$tempdir'/pgdata";
+  system_or_bail "chmod 0600 '$tempdir'/pgdata/server-*.key";
+  system_or_bail "cp ssl/root+client_ca.crt '$tempdir'/pgdata";
+  system_or_bail "cp ssl/root+client.crl '$tempdir'/pgdata";
+
+  # Only accept SSL connections from localhost. Our tests don't depend on this
+  # but seems best to keep it as narrow as possible for security reasons.
+  #
+  # When connecting to certdb, also check the client certificate.
+  open HBA, ">$tempdir/pgdata/pg_hba.conf";
+  print HBA "# TYPE  DATABASE        USER            ADDRESS                 METHOD\n";
+  print HBA "hostssl trustdb         ssltestuser     127.0.0.1/32            trust\n";
+  print HBA "hostssl trustdb         ssltestuser     ::1/128                 trust\n";
+  print HBA "hostssl certdb          ssltestuser     127.0.0.1/32            cert\n";
+  print HBA "hostssl certdb          ssltestuser     ::1/128                 cert\n";
+  close HBA;
+}
+
+# Change the configuration to use given server cert file, and restart
+# the server so that the configuration takes effect.
+sub switch_server_cert
+{
+  my $tempdir = $_[0];
+  my $certfile = $_[1];
+
+  diag "Restarting server with certfile \"$certfile\"...";
+
+  open SSLCONF, ">$tempdir/pgdata/sslconfig.conf";
+  print SSLCONF "ssl=on\n";
+  print SSLCONF "ssl_ca_file='root+client_ca.crt'\n";
+  print SSLCONF "ssl_cert_file='$certfile.crt'\n";
+  print SSLCONF "ssl_key_file='$certfile.key'\n";
+  print SSLCONF "ssl_crl_file='root+client.crl'\n";
+  close SSLCONF;
+
+  # Stop and restart server to reload the new config. We cannot use
+  # restart_test_server() because that overrides listen_addresses to only all
+  # Unix domain socket connections.
+
+  system_or_bail 'pg_ctl', 'stop', '-D', "$tempdir/pgdata", '-w';
+  system_or_bail 'pg_ctl', 'start', '-D', "$tempdir/pgdata", '-w', '-l',
+        "$tempdir/logfile";
+}

src/test/ssl/cas.config

@@ -0,0 +1,65 @@
+# This file contains the configuration for all the CAs.
+
+[ req ]
+prompt                 = no
+req_extensions         = v3_req
+
+# For Subject Alternative Names
+[ v3_req ]
+subjectAltName = @alt_names
+
+# Root CA, used to sign the certificates of the intermediary server and
+# client CAs.
+[ root_ca ]
+dir = ./ssl/
+database = ./ssl/root_ca-certindex
+serial = ./ssl/root_ca.srl
+default_md = sha1
+default_days= 10000
+default_crl_days= 10000
+certificate = ./ssl/root_ca.crt
+private_key = ./ssl/root_ca.key
+new_certs_dir = ./ssl/new_certs_dir
+policy					= policy_match
+email_in_dn				= no
+
+# CA used to sign all the server certificates.
+[ server_ca ]
+dir = ./ssl/
+database = ./ssl/server_ca-certindex
+default_md = sha1
+default_days= 10000
+default_crl_days= 10000
+certificate = ./ssl/server_ca.crt
+private_key = ./ssl/server_ca.key
+new_certs_dir = ./ssl/new_certs_dir
+serial = ./ssl/server_ca.srl
+policy					= policy_match
+email_in_dn				= no
+unique_subject = no
+crl = ./ssl/server.crl
+
+# CA used to sign all the client certificates.
+[ client_ca ]
+dir = ./ssl/
+database = ./ssl/client_ca-certindex
+default_md = sha1
+default_days= 10000
+default_crl_days= 10000
+certificate = ./ssl/client_ca.crt
+private_key = ./ssl/client_ca.key
+new_certs_dir = ./ssl/new_certs_dir
+serial = ./ssl/client_ca.srl
+policy					= policy_match
+email_in_dn				= no
+unique_subject = no
+crl = ./ssl/client.crl
+
+# This is common for all CAs.
+[ policy_match ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional

src/test/ssl/client.config

@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# The certificate is for user "ssltestuser".
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt                 = no
+
+[ req_distinguished_name ]
+CN                     = ssltestuser
+
+# no extensions in client certs
+[ v3_req ]

src/test/ssl/client_ca.config

@@ -0,0 +1,11 @@
+# An OpenSSL format CSR config file for creating the client root certificate.
+# This configuration file is also used when operating the CA.
+#
+# This certificate is used to sign client certificates. It is self-signed.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt                 = no
+
+[ req_distinguished_name ]
+CN                     = Test CA for PostgreSQL SSL regression test client certs

src/test/ssl/root_ca.config

@@ -0,0 +1,9 @@
+# A root certificate authority. The server and client CA's certificates
+# are signed by this root CA.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt                 = no
+
+[ req_distinguished_name ]
+CN                     = Test root CA for PostgreSQL SSL regression test suite

src/test/ssl/server-cn-and-alt-names.config

@@ -0,0 +1,25 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+# This certificate contains both a CN, and SANs.
+
+
+[ req ]
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+# Note: According to RFC 2818 and 6125, the CN is ignored, when SANs are
+# present. In practice, the hostname that's put in the CN field is always
+# also listed as a SAN, but we intentionally don't do that here so that we
+# can test adherence to those RFCs.
+CN = common-name.pg-ssltest.test
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = dns1.alt-name.pg-ssltest.test
+DNS.2 = dns2.alt-name.pg-ssltest.test

src/test/ssl/server-cn-only.config

@@ -0,0 +1,15 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+
+[ req ]
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+CN = common-name.pg-ssltest.test
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+

src/test/ssl/server-multiple-alt-names.config

@@ -0,0 +1,20 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+# This certificate contains multiple SANs, and no CN.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = dns1.alt-name.pg-ssltest.test
+DNS.2 = dns2.alt-name.pg-ssltest.test
+DNS.3 = *.wildcard.pg-ssltest.test

src/test/ssl/server-no-names.config

@@ -0,0 +1,17 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+# This certificate contains no CN, nor SANs. Not very useful, but make
+# sure the client can handle it gracefully.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+
+[ alt_names ]

src/test/ssl/server-revoked.config

@@ -0,0 +1,17 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+# This is identical to server-cn-only certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+CN = common-name.pg-ssltest.test
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+

src/test/ssl/server-single-alt-name.config

@@ -0,0 +1,18 @@
+# An OpenSSL format CSR config file for creating a server certificate.
+#
+# This certificate has a single SAN, and no CN.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+OU = PostgreSQL test suite
+
+# For Subject Alternative Names
+[ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = single.alt-name.pg-ssltest.test

src/test/ssl/server_ca.config

@@ -0,0 +1,11 @@
+# An OpenSSL format CSR config file for creating the server root certificate.
+# This configuration file is also used when operating the CA.
+#
+# This certificate is used to sign server certificates. It is self-signed.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt                 = no
+
+[ req_distinguished_name ]
+CN                     = Test CA for PostgreSQL SSL regression test server certs

src/test/ssl/ssl/.gitignore

@@ -0,0 +1,2 @@
+*.old
+new_certs_dir

src/test/ssl/ssl/both-cas-1.crt

@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIB9zCCAWACCQD13ziQMRDLGTANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVU
+ZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBz
+dWl0ZTAeFw0xNDEyMDQxMTUyMDFaFw0xNTAxMDMxMTUyMDFaMEAxPjA8BgNVBAMM
+NVRlc3Qgcm9vdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0
+IHN1aXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC7TLars/P/obbNlsz
+cX/wZFnZ97L4dAiJAE+ZusoTqLalRnPbQEtrPfMA/eL/gjq69ehnPcehMIxnYRAV
++xqOnMiUacf+6TQBrjrnfCQZkYkngzYajTqhQogdM7sUHtvBvTs1EkjdVznQUN9B
+BRZi6zEvUMkc8/+KaiEKc0zAKQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAAhmmj+R
+XP1+AREKWE33P8AkXTTGkXMvULZSgteHWxbBc08TbxJLTsqDvwp0lY/9nH48Ejx5
+XYIdDAED9Bwsm50y9u5p5OsO9YqHJfIsC9+Ui3paDHU543Y8CtZC4Ye5OcFn4/lp
+ew5Ix9E0LHJlY+LCfVEKSV0jDP6aMsYETpIe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAVoCAQIwDQYJKoZIhvcNAQEFBQAwQDE+MDwGA1UEAww1VGVzdCByb290
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcN
+MTQxMjA0MTE1MjAxWhcNNDIwNDIxMTE1MjAxWjBCMUAwPgYDVQQDDDdUZXN0IENB
+IGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIJfmyeyPe6g3+16+WsGB8LRMW
+zfMXKKjxsBd3Zu2ka7jvfKe4ockw87kY01k0G4NHJgWH5zO2OuCNDOa8z+GLqSSO
+LYoMvik9+BLgFR8zBPshy77Rpb3CtpDjJUAU8TWQOT0cC56IwEgj2zswctqKIeFg
+ogkTbfg5KTNKSd4VUwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAIHyYzFTIvvrUFFD
+yxhU3xyH6nx7HC47fxN+1kQjDa4MjvNsm/dOKETvS4b6GUKOudEKENBHzJW08hhs
+vn8uvmWEmyYcUyhp9r5lH2oaa6fySbnc+PE8YD2WNe+et1OdIMwqVwOegCeI85FN
+UtZk2tJjiRXJxBlheaaBxrzYjOBO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAVoCAQEwDQYJKoZIhvcNAQEFBQAwQDE+MDwGA1UEAww1VGVzdCByb290
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcN
+MTQxMjA0MTE1MjAxWhcNNDIwNDIxMTE1MjAxWjBCMUAwPgYDVQQDDDdUZXN0IENB
+IGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC15tOzDBVKaCRDz9L5LMpPk8DR
+RGHHOe4OuO6WTkUzjbjuKyiQbmtcp00R4dULbSM57ESvI/Ny0gPt+J/QKAOG8S5t
+09wDpKxKcgZSZ6Nd6FaK+D+ZhUVAkP3hB0ba0wo1JZff/0e4B+VJhXTjl7RRHfbr
+AEuDYFxv9T3K/Jq04wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJys1pnYvO+u8Wca
+6xUToGMpqTnImKa+dX8tMKsp6mXAN/dWrOVMDWnjBhQxShhAZBsaJ4iUeXPJlctw
+KzkUCQo6BsUbPMTSQlPuyHHdZBOTHDIW4SylKaBQvkundkhhBO7aHwFV3QjxZKcH
+XqpGyY2ryrgdj2D4+H55NDXYjj/m
+-----END CERTIFICATE-----

src/test/ssl/ssl/both-cas-2.crt

@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIB9zCCAWACCQD13ziQMRDLGTANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVU
+ZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBz
+dWl0ZTAeFw0xNDEyMDQxMTUyMDFaFw0xNTAxMDMxMTUyMDFaMEAxPjA8BgNVBAMM
+NVRlc3Qgcm9vdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0
+IHN1aXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC7TLars/P/obbNlsz
+cX/wZFnZ97L4dAiJAE+ZusoTqLalRnPbQEtrPfMA/eL/gjq69ehnPcehMIxnYRAV
++xqOnMiUacf+6TQBrjrnfCQZkYkngzYajTqhQogdM7sUHtvBvTs1EkjdVznQUN9B
+BRZi6zEvUMkc8/+KaiEKc0zAKQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAAhmmj+R
+XP1+AREKWE33P8AkXTTGkXMvULZSgteHWxbBc08TbxJLTsqDvwp0lY/9nH48Ejx5
+XYIdDAED9Bwsm50y9u5p5OsO9YqHJfIsC9+Ui3paDHU543Y8CtZC4Ye5OcFn4/lp
+ew5Ix9E0LHJlY+LCfVEKSV0jDP6aMsYETpIe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAVoCAQEwDQYJKoZIhvcNAQEFBQAwQDE+MDwGA1UEAww1VGVzdCByb290
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcN
+MTQxMjA0MTE1MjAxWhcNNDIwNDIxMTE1MjAxWjBCMUAwPgYDVQQDDDdUZXN0IENB
+IGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC15tOzDBVKaCRDz9L5LMpPk8DR
+RGHHOe4OuO6WTkUzjbjuKyiQbmtcp00R4dULbSM57ESvI/Ny0gPt+J/QKAOG8S5t
+09wDpKxKcgZSZ6Nd6FaK+D+ZhUVAkP3hB0ba0wo1JZff/0e4B+VJhXTjl7RRHfbr
+AEuDYFxv9T3K/Jq04wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJys1pnYvO+u8Wca
+6xUToGMpqTnImKa+dX8tMKsp6mXAN/dWrOVMDWnjBhQxShhAZBsaJ4iUeXPJlctw
+KzkUCQo6BsUbPMTSQlPuyHHdZBOTHDIW4SylKaBQvkundkhhBO7aHwFV3QjxZKcH
+XqpGyY2ryrgdj2D4+H55NDXYjj/m
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAVoCAQIwDQYJKoZIhvcNAQEFBQAwQDE+MDwGA1UEAww1VGVzdCByb290
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcN
+MTQxMjA0MTE1MjAxWhcNNDIwNDIxMTE1MjAxWjBCMUAwPgYDVQQDDDdUZXN0IENB
+IGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIJfmyeyPe6g3+16+WsGB8LRMW
+zfMXKKjxsBd3Zu2ka7jvfKe4ockw87kY01k0G4NHJgWH5zO2OuCNDOa8z+GLqSSO
+LYoMvik9+BLgFR8zBPshy77Rpb3CtpDjJUAU8TWQOT0cC56IwEgj2zswctqKIeFg
+ogkTbfg5KTNKSd4VUwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAIHyYzFTIvvrUFFD
+yxhU3xyH6nx7HC47fxN+1kQjDa4MjvNsm/dOKETvS4b6GUKOudEKENBHzJW08hhs
+vn8uvmWEmyYcUyhp9r5lH2oaa6fySbnc+PE8YD2WNe+et1OdIMwqVwOegCeI85FN
+UtZk2tJjiRXJxBlheaaBxrzYjOBO
+-----END CERTIFICATE-----

src/test/ssl/ssl/client-revoked.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxzCCATACAQIwDQYJKoZIhvcNAQEFBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
+Fw0xNDEyMDQxMTUyMDFaFw00MjA0MjExMTUyMDFaMBYxFDASBgNVBAMMC3NzbHRl
+c3R1c2VyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDg8LJSdf9nhkMSYmhn
++F3yqVSu+UXTcmPejKTBZRd4moLL2ti41K3M2xZDiZOn8V7To9AAD/tN3lPkn2y4
+ZqKD+zChVPJ5yUSpenVxKRckyK2pO4aNItgt60YJp119IG7mH/nfobl6nraI3xxk
+WGyT7O2sOOpokW9fF4DJfLe6lQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAMTRz+Nl
+hJeym72oGRIiJ7ODsIS4cVRQ13TwEtV/wPZ+skc/V7RFfHro5hyRwkbfIoZvhCld
+ZkyAXhQyiru0JzoklfEbOtwuC+J+XvXQ7aupIrnGRHF0yyEIYAEhgSRzaUvKWKlB
+gttm9tKwJuVCBYHh+cCGU0LnR3jhxVUqaL9d
+-----END CERTIFICATE-----

src/test/ssl/ssl/client-revoked.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDg8LJSdf9nhkMSYmhn+F3yqVSu+UXTcmPejKTBZRd4moLL2ti4
+1K3M2xZDiZOn8V7To9AAD/tN3lPkn2y4ZqKD+zChVPJ5yUSpenVxKRckyK2pO4aN
+Itgt60YJp119IG7mH/nfobl6nraI3xxkWGyT7O2sOOpokW9fF4DJfLe6lQIDAQAB
+AoGBAKh3PGaL3zPuly8eqqkrl1kVPsopAQXCx083MHFzP+fgeJMqnWOYTW5+qyb7
+061VFbsWFcLmNUV1fIleaTOWEqG0BXkG8VgS0sxEEV6N4sR6ePK2tOA81ZxFhXOR
+bJx8oys2U0kZZVRLvuj5+KjLMSBwWHEIpobE+zz4F9xcTXjlAkEA/6O0yApJ7sBQ
+XS54tK3m7NCYU8yEUD3Yidg9SmaYjiNwhLZ2e9KreQEkcbiHR8R0FHUxzKb/dItt
+2SauaHpCzwJBAOFB6DF0KM0XsfK209LoGvcA6t/aazOtbBlq9I49siKBE74Z7wJu
+0xsH8ndCkBPatoSn2ZuuXv3ozGNU9J+JFVsCQQDAOdk2koYFgZbseoVJV3rNmAzy
+9laH//lTrcZoq70LJJr3MDzn3wIRe0psONWAobinqXhI60or2KxBHVUIOucBAkEA
+qfDSHzU2bvx4aNeb2Vr4tO7BRB8Bj5w/mLGDTSiokrV00o+4LMq1g4gsWeMi1YfE
++TG0z2nvCnoucKYwY4fFTwJAbW0FLKUzRvX8dM3nXxs8vGktH8TH+dqsUfrZt9ms
+2nF1wwAD2OUXf94dnRvlgSMC7RMbTPAeoHnkqCpb1w++lg==
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/client.crl

@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBHTCBhzANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xNDEy
+MDQxMTUyMDFaFw00MjA0MjExMTUyMDFaMBQwEgIBAhcNMTQxMjA0MTE1MjAxWjAN
+BgkqhkiG9w0BAQUFAAOBgQDGZTiMkukrcJheXCzKlNKKTyteOmR/sQYj36nyyV2U
+Iac9gYSYAb8ecjUrtcL/innhDAupGUxGR3QltSPo6q1yn9L8BJWJIz+BqK6aV4fb
+3lqGtTQKr+8qaKC7mi5TBafJmkUiNsbclNZl/ooQPW+Gzm++JpunK4uGzdW+4I6/
+fQ==
+-----END X509 CRL-----

src/test/ssl/ssl/client.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxzCCATACAQEwDQYJKoZIhvcNAQEFBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
+Fw0xNDEyMDQxMTUyMDFaFw00MjA0MjExMTUyMDFaMBYxFDASBgNVBAMMC3NzbHRl
+c3R1c2VyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDErK6Z/Mv8oTKe026e
+SXhtrAeHPVAWM69Sb3zeQb8bnoqusfc0jQhaqvQqq6UYyCPRsH2qAp8B8Cdf93/B
+I5WIKGWcj107fB+dxqeuCS8QHyvO9Ygr9KYHWMKMz4DR+AsWYqoBXxgFjzwDAQB9
+SZRMRgUyHR+qQRGEXkgMLgwrbQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACnd/MjL
+pGmAHIdbMKcIqMPmAhnkzyfoPE+V6V/6Fm3f9iwHYr4ivxTMhdTffFFyVMxvCDEw
+a0Hlx/wPPnbvsJLiWCHYzXJsyISarIU+euxUYQY1w2tTkmgITESM1eDq2SOMnvqK
+iLoSyGNPrq2tAWPTyx7il1Q72ZNl6w3w+uY4
+-----END CERTIFICATE-----

src/test/ssl/ssl/client.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDErK6Z/Mv8oTKe026eSXhtrAeHPVAWM69Sb3zeQb8bnoqusfc0
+jQhaqvQqq6UYyCPRsH2qAp8B8Cdf93/BI5WIKGWcj107fB+dxqeuCS8QHyvO9Ygr
+9KYHWMKMz4DR+AsWYqoBXxgFjzwDAQB9SZRMRgUyHR+qQRGEXkgMLgwrbQIDAQAB
+AoGAbbKLaKRR+sTGgUQY7Py5ySIsyMfwBZIqdeZtVWKCf5s8axgkdBE92aSEr9Ax
+M9Nd9zVjwhHYMrKKo8JeZZG9csrt/XxgHXDbp+6y4lx0SW1XOmOp39K7h9mUmEVj
+XtICn75z4xYvJDG61xjqtrkh0lKaDr87VDJuuIjbcB2RdNkCQQD3A0Jue8hjoKhN
+H/CjtF/zfL/rkY0BO2Ryyp882AsUZu4y6YbAkrUJbySVIEU7oHleZaTJ/tzC7Ifs
+3XNO7iTnAkEAy9SPQNGU0SNkR2/H7x5JdllMOlOZzl+YUMQpDzH08o/u3RnfcFM8
+72rYJenxLorKpuG5YXTYxRFet4GIhMqOiwJBAOHStgoh2lrSxurzl2FihxIoa6Em
+iP2mWbfkbF4IuWBmlcAv5QTrWt0MIiq/vOu9Uxgs3tHY0eTWr5GqB0AS0eMCQQCw
+S80LlzpMGXxmfTxEicGoZ1wTJrPlV7F6Se/pgKAIHI3RFsu3b4dI3PTO9iTwyIK3
+DI02ycWjzX5K4fKeSEQ5AkEAr87kSTl5xM9Z9Cew+FX3ICJRbRNChJEsMPgo+2GW
+PVrzAxEMk/zP0vb3Mjf5yYjpCYPF0BCgVRsbmN86DE5bng==
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/client_ca.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAVoCAQIwDQYJKoZIhvcNAQEFBQAwQDE+MDwGA1UEAww1VGVzdCByb290
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcN
+MTQxMjA0MTE1MjAxWhcNNDIwNDIxMTE1MjAxWjBCMUAwPgYDVQQDDDdUZXN0IENB
+IGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIJfmyeyPe6g3+16+WsGB8LRMW
+zfMXKKjxsBd3Zu2ka7jvfKe4ockw87kY01k0G4NHJgWH5zO2OuCNDOa8z+GLqSSO
+LYoMvik9+BLgFR8zBPshy77Rpb3CtpDjJUAU8TWQOT0cC56IwEgj2zswctqKIeFg
+ogkTbfg5KTNKSd4VUwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAIHyYzFTIvvrUFFD
+yxhU3xyH6nx7HC47fxN+1kQjDa4MjvNsm/dOKETvS4b6GUKOudEKENBHzJW08hhs
+vn8uvmWEmyYcUyhp9r5lH2oaa6fySbnc+PE8YD2WNe+et1OdIMwqVwOegCeI85FN
+UtZk2tJjiRXJxBlheaaBxrzYjOBO
+-----END CERTIFICATE-----

src/test/ssl/ssl/client_ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDIJfmyeyPe6g3+16+WsGB8LRMWzfMXKKjxsBd3Zu2ka7jvfKe4
+ockw87kY01k0G4NHJgWH5zO2OuCNDOa8z+GLqSSOLYoMvik9+BLgFR8zBPshy77R
+pb3CtpDjJUAU8TWQOT0cC56IwEgj2zswctqKIeFgogkTbfg5KTNKSd4VUwIDAQAB
+AoGBALNvsFu+IFuiFKgLsGT1fZr2Qi3ot+5kSopbp74pbhZBaUxzwl451YjoiGJk
+YI3huKEZyk2cDvVp9ZUfIuHVsUsRkUtlMYAWJoxypbLWFw0efa9TNDbsoxGSjs8N
+TCZOqK6VKEbckTd2Mg8vanB+A8PswOPW94es32Y9XKwBaFsJAkEA5WVHtYs8aczd
+uJMuteUkv2R0OFL8wgIgkXRyk0BNJjVYwe/DbvW/J6W2DTsvoeFMZ9U+p2tEX9ab
+ak7RlCFNtwJBAN9cWRfVzKY6P62UZmIdsvDYJNaWaamfZguKx69q0FD1jcjl0C8R
+3w6xCVrGQCPbbQibNTLbIKPC/jrUcu6c9UUCQQDNiNGXeAnJQiXnGvjfQVCLrBX1
+4WVW71D/Arcl+JcnhOTh31HcOZPski1r7XvgL12mKwrYNuQser0Fo1lkv/JBAkBx
+VOUrz+KP8Xw/8c1lOVaDF9jRPO6OD3/ymU8qtZLPkViIt/rC91lrle5+LZt71ilj
+tYTvsfnEvfrLFOLgKanVAkEAvyofcM5gr7gTiC+XxhjUyDNn2lYwoog+D67E6YvL
+chheY2FNRrqpCi0Zhi8KlUXnp4wtHA6zBW46l1xSxz4lYg==
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/root+client.crl

@@ -0,0 +1,17 @@
+-----BEGIN X509 CRL-----
+MIIBBDBvMA0GCSqGSIb3DQEBBQUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xNDEyMDQx
+MTUyMDFaFw00MjA0MjExMTUyMDFaMA0GCSqGSIb3DQEBBQUAA4GBAK7EbBLD03t6
+zv2yRS6ByDg7X9CPbPVReUQ21ntI652lsJ4veAJeSWQXITEjC/mt+VkN8pKH8eEg
+hp0vZmS7zIzL+UdPZkJYokAdmBsmP1ymDvOHd52XssjM1e6d7pNKwk6Z40x6Tpvq
+cStL3sC4tomx+vn7zzSUcS3hwdcHvnwZ
+-----END X509 CRL-----
+-----BEGIN X509 CRL-----
+MIIBHTCBhzANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xNDEy
+MDQxMTUyMDFaFw00MjA0MjExMTUyMDFaMBQwEgIBAhcNMTQxMjA0MTE1MjAxWjAN
+BgkqhkiG9w0BAQUFAAOBgQDGZTiMkukrcJheXCzKlNKKTyteOmR/sQYj36nyyV2U
+Iac9gYSYAb8ecjUrtcL/innhDAupGUxGR3QltSPo6q1yn9L8BJWJIz+BqK6aV4fb
+3lqGtTQKr+8qaKC7mi5TBafJmkUiNsbclNZl/ooQPW+Gzm++JpunK4uGzdW+4I6/
+fQ==
+-----END X509 CRL-----

src/test/ssl/ssl/root+client_ca.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIB9zCCAWACCQD13ziQMRDLGTANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVU
+ZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBz
+dWl0ZTAeFw0xNDEyMDQxMTUyMDFaFw0xNTAxMDMxMTUyMDFaMEAxPjA8BgNVBAMM
+NVRlc3Qgcm9vdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0
+IHN1aXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC7TLars/P/obbNlsz
+cX/wZFnZ97L4dAiJAE+ZusoTqLalRnPbQEtrPfMA/eL/gjq69ehnPcehMIxnYRAV
++xqOnMiUacf+6TQBrjrnfCQZkYkngzYajTqhQogdM7sUHtvBvTs1EkjdVznQUN9B
+BRZi6zEvUMkc8/+KaiEKc0zAKQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAAhmmj+R
+XP1+AREKWE33P8AkXTTGkXMvULZSgteHWxbBc08TbxJLTsqDvwp0lY/9nH48Ejx5
+XYIdDAED9Bwsm50y9u5p5OsO9YqHJfIsC9+Ui3paDHU543Y8CtZC4Ye5OcFn4/lp
+ew5Ix9E0LHJlY+LCfVEKSV0jDP6aMsYETpIe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAVoCAQIwDQYJKoZIhvcNAQEFBQAwQDE+MDwGA1UEAww1VGVzdCByb290
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcN
+MTQxMjA0MTE1MjAxWhcNNDIwNDIxMTE1MjAxWjBCMUAwPgYDVQQDDDdUZXN0IENB
+IGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIJfmyeyPe6g3+16+WsGB8LRMW
+zfMXKKjxsBd3Zu2ka7jvfKe4ockw87kY01k0G4NHJgWH5zO2OuCNDOa8z+GLqSSO
+LYoMvik9+BLgFR8zBPshy77Rpb3CtpDjJUAU8TWQOT0cC56IwEgj2zswctqKIeFg
+ogkTbfg5KTNKSd4VUwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAIHyYzFTIvvrUFFD
+yxhU3xyH6nx7HC47fxN+1kQjDa4MjvNsm/dOKETvS4b6GUKOudEKENBHzJW08hhs
+vn8uvmWEmyYcUyhp9r5lH2oaa6fySbnc+PE8YD2WNe+et1OdIMwqVwOegCeI85FN
+UtZk2tJjiRXJxBlheaaBxrzYjOBO
+-----END CERTIFICATE-----

src/test/ssl/ssl/root+server.crl

@@ -0,0 +1,17 @@
+-----BEGIN X509 CRL-----
+MIIBBDBvMA0GCSqGSIb3DQEBBQUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xNDEyMDQx
+MTUyMDFaFw00MjA0MjExMTUyMDFaMA0GCSqGSIb3DQEBBQUAA4GBAK7EbBLD03t6
+zv2yRS6ByDg7X9CPbPVReUQ21ntI652lsJ4veAJeSWQXITEjC/mt+VkN8pKH8eEg
+hp0vZmS7zIzL+UdPZkJYokAdmBsmP1ymDvOHd52XssjM1e6d7pNKwk6Z40x6Tpvq
+cStL3sC4tomx+vn7zzSUcS3hwdcHvnwZ
+-----END X509 CRL-----
+-----BEGIN X509 CRL-----
+MIIBHTCBhzANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xNDEy
+MDQxMTUyMDFaFw00MjA0MjExMTUyMDFaMBQwEgIBBhcNMTQxMjA0MTE1MjAxWjAN
+BgkqhkiG9w0BAQUFAAOBgQCmFnFkEt0+Ialw4E+4nIAJWJO9XDE71FdRfX3QChs8
+ZJtBseaMNeUC1FY1zHOYQhtMy+Uatda6hx/QiyidF2oP5KpWp+R11M554Ifxem3X
+KDQDBQNee+1IIJ7a1kxAUxeSNP+0a3/bmUxI5sbomINnKeIDqDO8d2vmO2VLxJm6
+MA==
+-----END X509 CRL-----

src/test/ssl/ssl/root+server_ca.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIB9zCCAWACCQD13ziQMRDLGTANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVU
+ZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBz
+dWl0ZTAeFw0xNDEyMDQxMTUyMDFaFw0xNTAxMDMxMTUyMDFaMEAxPjA8BgNVBAMM
+NVRlc3Qgcm9vdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0
+IHN1aXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC7TLars/P/obbNlsz
+cX/wZFnZ97L4dAiJAE+ZusoTqLalRnPbQEtrPfMA/eL/gjq69ehnPcehMIxnYRAV
++xqOnMiUacf+6TQBrjrnfCQZkYkngzYajTqhQogdM7sUHtvBvTs1EkjdVznQUN9B
+BRZi6zEvUMkc8/+KaiEKc0zAKQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAAhmmj+R
+XP1+AREKWE33P8AkXTTGkXMvULZSgteHWxbBc08TbxJLTsqDvwp0lY/9nH48Ejx5
+XYIdDAED9Bwsm50y9u5p5OsO9YqHJfIsC9+Ui3paDHU543Y8CtZC4Ye5OcFn4/lp
+ew5Ix9E0LHJlY+LCfVEKSV0jDP6aMsYETpIe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAVoCAQEwDQYJKoZIhvcNAQEFBQAwQDE+MDwGA1UEAww1VGVzdCByb290
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcN
+MTQxMjA0MTE1MjAxWhcNNDIwNDIxMTE1MjAxWjBCMUAwPgYDVQQDDDdUZXN0IENB
+IGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC15tOzDBVKaCRDz9L5LMpPk8DR
+RGHHOe4OuO6WTkUzjbjuKyiQbmtcp00R4dULbSM57ESvI/Ny0gPt+J/QKAOG8S5t
+09wDpKxKcgZSZ6Nd6FaK+D+ZhUVAkP3hB0ba0wo1JZff/0e4B+VJhXTjl7RRHfbr
+AEuDYFxv9T3K/Jq04wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJys1pnYvO+u8Wca
+6xUToGMpqTnImKa+dX8tMKsp6mXAN/dWrOVMDWnjBhQxShhAZBsaJ4iUeXPJlctw
+KzkUCQo6BsUbPMTSQlPuyHHdZBOTHDIW4SylKaBQvkundkhhBO7aHwFV3QjxZKcH
+XqpGyY2ryrgdj2D4+H55NDXYjj/m
+-----END CERTIFICATE-----

src/test/ssl/ssl/root.crl

@@ -0,0 +1,8 @@
+-----BEGIN X509 CRL-----
+MIIBBDBvMA0GCSqGSIb3DQEBBQUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xNDEyMDQx
+MTUyMDFaFw00MjA0MjExMTUyMDFaMA0GCSqGSIb3DQEBBQUAA4GBAK7EbBLD03t6
+zv2yRS6ByDg7X9CPbPVReUQ21ntI652lsJ4veAJeSWQXITEjC/mt+VkN8pKH8eEg
+hp0vZmS7zIzL+UdPZkJYokAdmBsmP1ymDvOHd52XssjM1e6d7pNKwk6Z40x6Tpvq
+cStL3sC4tomx+vn7zzSUcS3hwdcHvnwZ
+-----END X509 CRL-----

src/test/ssl/ssl/root_ca.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9zCCAWACCQD13ziQMRDLGTANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVU
+ZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBz
+dWl0ZTAeFw0xNDEyMDQxMTUyMDFaFw0xNTAxMDMxMTUyMDFaMEAxPjA8BgNVBAMM
+NVRlc3Qgcm9vdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0
+IHN1aXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC7TLars/P/obbNlsz
+cX/wZFnZ97L4dAiJAE+ZusoTqLalRnPbQEtrPfMA/eL/gjq69ehnPcehMIxnYRAV
++xqOnMiUacf+6TQBrjrnfCQZkYkngzYajTqhQogdM7sUHtvBvTs1EkjdVznQUN9B
+BRZi6zEvUMkc8/+KaiEKc0zAKQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAAhmmj+R
+XP1+AREKWE33P8AkXTTGkXMvULZSgteHWxbBc08TbxJLTsqDvwp0lY/9nH48Ejx5
+XYIdDAED9Bwsm50y9u5p5OsO9YqHJfIsC9+Ui3paDHU543Y8CtZC4Ye5OcFn4/lp
+ew5Ix9E0LHJlY+LCfVEKSV0jDP6aMsYETpIe
+-----END CERTIFICATE-----

src/test/ssl/ssl/root_ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQDC7TLars/P/obbNlszcX/wZFnZ97L4dAiJAE+ZusoTqLalRnPb
+QEtrPfMA/eL/gjq69ehnPcehMIxnYRAV+xqOnMiUacf+6TQBrjrnfCQZkYkngzYa
+jTqhQogdM7sUHtvBvTs1EkjdVznQUN9BBRZi6zEvUMkc8/+KaiEKc0zAKQIDAQAB
+AoGAa1z8kqiQe86Edr9UslwEjOKo/r5IzEIU5WjPbywL25Ikr5nDfHLIV5QygUxV
+uEgBkzKYxCyqBOVZoCM9Ge5JrGcWO+N7IVVpirJRLgafu17sWyOsFIdT0QfNBYEl
+sdcz70c0Rsfk+hnsJ3KDOAxEhmPZe1mT9Rl6g1qpzva1/1ECQQDkxzDyhm8/F41B
+1z9m6Gz8X3fIb4cx1WpMZHG3XNyD5rzPiUhuIqATUHTCGIig0nYzYr1AOVNSN6pb
+5whOuW4VAkEA2h7bIZd3yfn1YNZYk24ORwZssE5r5ryQeOwuDGJH8FxPk/LqZE8T
+OX+ptPRyDowd2UZFRz0jxKl3RR4W/VtixQJAehaK2oI/j+3jpkVWQna64puX8tEB
+1uhLR+U6gl3+GC3kiOR8ULoNrwD6rjIlh52JErcYw9NT0cZ/FXhfiJOQWQJAFr3a
+2RDC05M1K0iN6aky4eLgmC1FAMSuR31Qe8gPehcV0PYlzBmWhosx9YT7E1s2jX3P
+IVNVlF6a6eDuQrIxhQJAL8ELX6MNW05PzETZpYSOTvkOeGND7INc5Md28Yv9SkPd
+c/HvFDVQF0OsgFrIcuBP8o7YaQBETJPqFHMao+WB6w==
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/server-cn-and-alt-names.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSTCCAbKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
+cnRzMB4XDTE0MTIwNDExNTIwMVoXDTQyMDQyMTExNTIwMVowRjEeMBwGA1UECwwV
+UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
+c2x0ZXN0LnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ0ERoXVz7aK
+ZLL2W8psViLKVorl1pvLz4m0Uw0X8iQkHgN+/gMNs2nHDzQFtbOc3NVbBxnnosbF
+XuGeCrlz+xK3J4Y5g6up9xNPCbtLM+RxBtMx/a/8naO+4yraQD51pZgNUMjSYeIL
+9UeB3VFg928+swacichtJIlwU3KAiEzRAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRu
+czEuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNz
+bHRlc3QudGVzdDANBgkqhkiG9w0BAQUFAAOBgQBwQP7EuwvnURefrRvLKP+Txzwg
+xEZK/ZG/dSExX7CP8ib5JZQUuJpMzYmyGFbTpLJOU5qrE+vI2rxfHrWOYZU4IB1f
+u053N3slzi5ClKGKZt4y7LM4hupQ13xRfgIpasSJdEI3n/BCmeEdFVBqzKMQJxQe
+tHn3NapFkra7DHe2xQ==
+-----END CERTIFICATE-----

src/test/ssl/ssl/server-cn-and-alt-names.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCdBEaF1c+2imSy9lvKbFYiylaK5daby8+JtFMNF/IkJB4Dfv4D
+DbNpxw80BbWznNzVWwcZ56LGxV7hngq5c/sStyeGOYOrqfcTTwm7SzPkcQbTMf2v
+/J2jvuMq2kA+daWYDVDI0mHiC/VHgd1RYPdvPrMGnInIbSSJcFNygIhM0QIDAQAB
+AoGAFVtJhFaqo/d67uSXY5cMuDqxPr84S4STO/Ws/jDtnIDVHECfqCaq6o5KwRat
+ujpxxwtUke9xsnuSBjoK12KxGYoEFCstNJx2L77TvjkxcC85C6aGHWxLWCELqnn3
+3HmCE4I9i/kltO2YTje12nEWVkntqjvnqpAaFeQQ2vRO9KkCQQDOQo2FT0DX7VI7
+riSNjspfPQS5ESB1xTlcJL7aBS7iubAkVmRPBGM/UZpLLXacgV2WqUp6swcXculc
+SXyx15zDAkEAwuGxNx+SzoLxHzRi2P64+xCo3O4OOP7Fle0/Uyk+DyS9dFljdZbf
+mh28uKqflF0LRe+J4vKKqSHb3dqLdOrm2wJARAFdd96xmn/85QB9vM6fmtcbf4lO
+EoZ8aw0Sf//FfauLj++MEyF3N6FIJhFPUjq1CL+4dswgQnL4zhzMqDZW0QJAchas
+p8e9K1bvEESb5cthweGj6gsXmnhUdgw5eVb4tObeXuIB3xJffxsPo9CHsdSyx9OP
+FqTFVnSzAfNylxT55wJAICUYlyM6/VVMKb9bAoMz7nqg7N/utGEMijT2AqukQues
+jYm2TNtP033yibtWHjwBPDKL5JxsgDfG2x1LYiG6Kw==
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/server-cn-only.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/DCCAWWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
+cnRzMB4XDTE0MTIwNDExNTIwMVoXDTQyMDQyMTExNTIwMVowRjEeMBwGA1UECwwV
+UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
+c2x0ZXN0LnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAON0emWfWbLb
+4cSdixPiKiSwwiRbVw371L2t90jVY1ucJc/8YRUrRMhdsKdsP2NuwtFx1Mghspzt
+c/v6Dj/V9raYsHDGKK7OSPDF97GT9xM6yqm3FAY3l0QdP78XhiIZOhTO4fOJkAfQ
+LVhXca2X0krl0jF57/o5in6GHuyhulLPAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEA
+V7NgLA+RVPeWo5/TLsJyEf3tPnvpdq4Dfr/nDNDyWLhfrmny3Nuykfwap8JZHXG7
+oo+owRzgAXaJnr++5PvCo82Jp+gCNf5foZBx3GWdPsJY8d/0oREhFXhpqLCUUoiO
+2295A+mrgwfXoI+tlFypNb0T9x6qHOQlBUX+o1JBdnw=
+-----END CERTIFICATE-----

src/test/ssl/ssl/server-cn-only.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDjdHpln1my2+HEnYsT4ioksMIkW1cN+9S9rfdI1WNbnCXP/GEV
+K0TIXbCnbD9jbsLRcdTIIbKc7XP7+g4/1fa2mLBwxiiuzkjwxfexk/cTOsqptxQG
+N5dEHT+/F4YiGToUzuHziZAH0C1YV3Gtl9JK5dIxee/6OYp+hh7sobpSzwIDAQAB
+AoGAHzYfiYxZQarcix9XM05InCpJKbYC9x9EbRbPJQZrEOoXYjfulnoOgTQiBodb
+F2jegOEO4ruFB/Wpgb0pcWcJ6Hgqh+GptulX1yWl7XzivvTDN6DO796pyNa581kN
+CrS9Sy0owktidlX5SJiXw2AOV1bNsvUBNapwyBFKsB3+XgECQQD/4yTJEAdRMZw1
+3czmcmzw+Aq/IBsd3w/GgX6jME02Br3LqnTIelNTPVNqEpy4wb6rNug2Dm79OWwh
+PNr799vPAkEA444gzKEUB7O2N8RnfLD5/n7Gl+P1MGOH0Rk6lxxAJ+Py8Itm1pV/
+3o9xwi1kguXdd+wqpL+B2gJDCpgSmJDZAQJBAIxbn5XaAOl8eN7jJr1RDoiuxdZI
+Whdsf063QStqFzAHSpwoh55f2szR2qtYQjblrxxjJcRg7mhf0vv4UXXcYukCQQDR
+wqZBewp3vxVtesLaklkgW8S9JwlRva3o9hSoTwZkvx+m1RnLHKxugFQg5q8MatAo
+R69XhqEwUX1zOpOJx5wBAkEAkvuuVdjo4baxildMPWSH/CcYlZs8c7ofs/Y6VkdV
+zIYMoGnGS7CfJbKLkXP7amlp9Gn1xgCPpbRJrik3Nafa9Q==
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/server-multiple-alt-names.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICPzCCAaigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
+cnRzMB4XDTE0MTIwNDExNTIwMVoXDTQyMDQyMTExNTIwMVowIDEeMBwGA1UECwwV
+UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDMaR3uJ4+1P76DaUDWklA4L3Uic0ogorawfGuBO9pFB0w/kV6AAJGwhEy1DTi2
+neaAraa383F+e0Kpmbp1hXZ8k5DwKe6pHCv+R1RwRMqGrC6nQPM/tRsU97z7ROM8
++5QDE64zYtWkJGjQrpXmLC2sHSFIFyrHoi6MIzopKNSCpwIDAQABo2cwZTBjBgNV
+HREEXDBagh1kbnMxLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQt
+bmFtZS5wZy1zc2x0ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0
+MA0GCSqGSIb3DQEBBQUAA4GBAG4lVLFuJsXsaeFpZBiudnklH17bAx11X51UsL7r
+oDp1AL2bHZnACqedHyed4n4+4UYezPbLOO5ITFSkIdkXYa5ohTjrwymhVGN9Sxlb
+1fitKKXWenvixOwPVk8g4e1Ev8JDofTPQNIFA7C8IbGunm8J0Pe7jF6KxlknP9A0
+x0Li
+-----END CERTIFICATE-----

src/test/ssl/ssl/server-multiple-alt-names.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDMaR3uJ4+1P76DaUDWklA4L3Uic0ogorawfGuBO9pFB0w/kV6A
+AJGwhEy1DTi2neaAraa383F+e0Kpmbp1hXZ8k5DwKe6pHCv+R1RwRMqGrC6nQPM/
+tRsU97z7ROM8+5QDE64zYtWkJGjQrpXmLC2sHSFIFyrHoi6MIzopKNSCpwIDAQAB
+AoGBAI+m+/LHeLYO0yt1B60D7D5gE7ifPyQKVctX1RFgZ7eFNm+iEMByJfDgOSwv
+24BzHW+nGfhCrKsPorygHarDnY0TfInIX5OHaOgiJ2z6mQnCmH9nwX+ZAezeVlZR
+3QqdmRJzFRcqVD2cU2nk/DG2MJDpyqyfaBQ+FXHZGX03LWbRAkEA5SpdsgQkOW/S
+/5ENpACEixD9WU2EJjNOymddy64ODy6ug9Xc46nw6Xkn4EI+wmcmrmi65oH+hx+G
+g0k+aQmi2QJBAORYri1cNxupOSdQ7tY6DoPuMKMrV4FmuiF3XJWb2qZoNZLG4Lai
+kLn9A8yWJmKyu6V+tvz/DYRHlA870FDM4X8CQENoE8lB+JnAb7Lmqrl7wYDaTXsQ
+FvfZjapxfyBjIRWMKJ70sBVzLj6ueXE4axdpmfIhMiCNSh3awwko6SeiQvkCQHwx
+LypEiURmGUuk3QFuug5PMezM2d7rPDiPbq+AAL+Y1epqeDVc3VIKplJTJ7VueFhe
+PrADGBrlw0U1xurrQ4kCQCui0QT42Ppey48lvxu5S5+dOvkjF8p7Ml59aRqlcjPm
+2q38zM/AJlrekSclGszy/PjaXeZzFM+aCYKAsk8h7YE=
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/server-no-names.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAT+gAwIBAgIBBTANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
+cnRzMB4XDTE0MTIwNDExNTIwMVoXDTQyMDQyMTExNTIwMVowIDEeMBwGA1UECwwV
+UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDXRZ+AOvlbHnupGqPsW4zYOE36wyMgwYnsafRMRkZd9R5GLtqnchIBdA9Lg2VP
+gK0355KTYtsdfdnC1kjflkeY+ZAvpRAMarV9fuE3z5kE3qDh4IsSJ3EyxoH7QwEL
+x01INf7QVEb/7y6s1Cw0GBonXnMel/8kfPBFpJ3+p4rw1wIDAQABMA0GCSqGSIb3
+DQEBBQUAA4GBAIvauevxaS0gnHu3RivMZp9UZe0r9Ja38CqdFnNUT+Z4MS0fOyWq
+9uz3JO7rdLmBtLEUNX2VNR8jIet9/gfxAO5MTYw+nSQ7Ci39kgSQYkCs4gZVS2TJ
+GeOpfcBipOFkI9O0nElAmNVFDB5j5bY5NfCNAMoD1q/FzovxlcskCOdh
+-----END CERTIFICATE-----

src/test/ssl/ssl/server-no-names.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQDXRZ+AOvlbHnupGqPsW4zYOE36wyMgwYnsafRMRkZd9R5GLtqn
+chIBdA9Lg2VPgK0355KTYtsdfdnC1kjflkeY+ZAvpRAMarV9fuE3z5kE3qDh4IsS
+J3EyxoH7QwELx01INf7QVEb/7y6s1Cw0GBonXnMel/8kfPBFpJ3+p4rw1wIDAQAB
+AoGBAKMdFCBbjzmlvVmC4BZlwDDNaPjLB0D4pQNHvV5WGVd0Nb5EHlWmL1J+mGBF
+bWxyOc4UX5Hh49lS1L+3EnyoKBKzsuPafLLXpVM2ujkkJt8iYenWUDqw1+g6zM97
+bHaQAa/U6+Mqn+dfcAn4FpYknZ0V4cvKqKw6CzjypkmHeLwxAkEA7F0tiV2nhkzN
+huOifLaxQHkOOBIgaFLGAMLwYHLlwVjPxk6O34+XPMehFQbetL431ZweUdGSY1fX
+jURXR72APQJBAOkn4AuhVWoS3lMWQc58kMCzY4+Xwd6ILKXMhFTZA2iNn7IUVEUe
+F2wjq292lu+tIfH+CdRjgCAC7B4OVaI2EqMCQQCZzHeY7ovXY5pIr05HgEkN/rc1
+3PWhbFrSnAX1fE3r5XItQ2jMJ47tSaiTGglH6o5CPHeuHYP3iG0FyvZQBAqxAkEA
+izskr81IFG/wE+3WnlgEmQ6HBdi6DQmEn/3hiEmPn3/zPYSmTiAKHKmwVn+a4sWg
+38G0XQCOIo+cMNaejJ99wQJBAINI+vfNR8A3wDsvz9hVpa+yZ4aDOeFETJprGsin
+D0v/xzviq1LPrOCuarioyEpYS47bzIKGSeAtC38VB4tQyEo=
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/server-revoked.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/DCCAWWgAwIBAgIBBjANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
+cnRzMB4XDTE0MTIwNDExNTIwMVoXDTQyMDQyMTExNTIwMVowRjEeMBwGA1UECwwV
+UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
+c2x0ZXN0LnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK09F4gQyZP/
+Z5fbOrLbQySBonwt9Wbb5iAEm5618oDk/YLkl1AQo2eoTabevY7+DwHPMMwR9MSA
+yUlvJ8Gc3MNAOIag0o63NNOZxYIzpqqAElOMPNE/FRlpVJyauGZ7lV/Y34vjtHxu
+4Pmi0jOLNMzUNjlN0rQrz0xaTGQ1rX1bAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEA
+ghgb9HNsSfyX1JMLYlCudOTQ/LuoXeXFsqFxRDAOXCCaSrH9T4lUZayBGNOd8kgZ
+FFHJo4WhZx7sE/foXuax/QGLi/mGrVw2xfJdD9SIQndzdnExoQndb+gvGSH/23s4
+Oif6jcSMPCLpoTaqVQdyPcw7DI9h26YzZ71IybBxPNE=
+-----END CERTIFICATE-----

src/test/ssl/ssl/server-revoked.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCtPReIEMmT/2eX2zqy20MkgaJ8LfVm2+YgBJuetfKA5P2C5JdQ
+EKNnqE2m3r2O/g8BzzDMEfTEgMlJbyfBnNzDQDiGoNKOtzTTmcWCM6aqgBJTjDzR
+PxUZaVScmrhme5Vf2N+L47R8buD5otIzizTM1DY5TdK0K89MWkxkNa19WwIDAQAB
+AoGBAJNJ5b/hxgD2nXUXB4kZsrRPI37A9GxHehiu0kDWISBFkOTAxYVlIAj5p0vB
+BRmWF9xJ9AsNGTYY6QpuXzbVzzsqxpzqfrmcbpnEwJPIN74cWSBU3As6SVtkD414
+TjV3TxJlER87D4Jtk2vWvwjWt2tj7fAe/9B44l211jStT0/BAkEA5oRVIBUrLGhb
+ZCHMFEHfF5BtGYNUa54QDK1cJCmstv3CEfR/g1cHLKgnbXRzbIZ4u54sjY4PhviB
+nCVdr6umbwJBAMBjxj8BOFceswCgse3LdaO5O2YPh/h014iiwrll+XB5ufxq5mOa
+9gaKmE8eUBmuWwcE05xbzSUaBhCTjVNNrdUCQQCvylcIYlxMP0ECuWtiP2GcHL22
+aRql/yIKKOJNiaJ24klvW98qD+IewhVfOSEUr+++VD9xq9ZXfYeJxk0NvH7tAkAR
+hQR4mFPZGyKR3BBX5z8/OY7/LErlhT5bYvb4iyC77VnScqmoSGQ/FD/qdIg2znnb
+mcTraDC2QDhtKgKko15BAkAxtNExYOsPlW3kuhMRnDV3mB3h1TLghl9rYuHfSM5F
+9D7tpJ8FZa4P7BE5bfI1CPoRJsVVw0rUf1ihaMkUyxfI
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/server-single-alt-name.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICBjCCAW+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
+cnRzMB4XDTE0MTIwNDExNTIwMVoXDTQyMDQyMTExNTIwMVowIDEeMBwGA1UECwwV
+UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQCqGqSv5i36Nk7FDQhRmBXi9M81Ox6YNAm1ha6Wj/MCfOlsCwWFfTFoTf5k1Why
+dB8yDlqGvZ2daf6mfgaui4R9uwVgbrPhhDUArtT1u5PBIqDdS10Z8E8iGStga/HQ
+J4CPlrXltX0ll4EC0EMj6SaF1dsYTMld4O7ipCZ62U7EowIDAQABoy4wLDAqBgNV
+HREEIzAhgh9zaW5nbGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3
+DQEBBQUAA4GBAC/otQQ0Ie+YqgH53nDvMpZ3Ol8xodOUWneRPI8Wf601Qi8Q4yY5
+9Gv+iU6ZEidn92y0hYXiHzItl/1K6LvIQM/yuro0j+48M/rdzl1qImSnxy0eGHbA
+3fOvUNt8ymYKsgsAfeqHZmWUidEZ/jF9Y72oER/6ImnmsbjEFtHVFDRL
+-----END CERTIFICATE-----

src/test/ssl/ssl/server-single-alt-name.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCqGqSv5i36Nk7FDQhRmBXi9M81Ox6YNAm1ha6Wj/MCfOlsCwWF
+fTFoTf5k1WhydB8yDlqGvZ2daf6mfgaui4R9uwVgbrPhhDUArtT1u5PBIqDdS10Z
+8E8iGStga/HQJ4CPlrXltX0ll4EC0EMj6SaF1dsYTMld4O7ipCZ62U7EowIDAQAB
+AoGANPD34psEIkS2vVNyDFsGLM2+k7WjrwE7KFjD3q5MlrCjwXGotUQilXD4xQ86
+Y6zKbLzU5eyr2ms7yzub/sUDZdBdJkU39NzEAf8dKN/UvhSGSZH1zxRCm1SmDrxZ
+BM3TEEGZUVrcamJF2EldPdbmBo8EiFyuPT7UMObvYt0li6kCQQDUol5X57+6ZGvF
+QrmE/3dz+zxa5fZikiG82mrpS9RiXlSssHbE4z04UARgLCGloqlFIQTsKCHnsK7i
+hTX41FL/AkEAzMvGWthn3QG1cVT8tLhinhAL2C/v9Mjq1SnlWi/9qs28mAtYa926
+wNv+DwcEOEvamCStj+n3q8LRZ/zxbpliXQJAVq7eoR1z9uuLV75s3QA8VUbdgvzu
+pZ6HLHMqVHM6YOOtxzylHny472UHc6FqEhkuwmTEmfV+ZPKNSQEfUJJWRwJBAK1Z
+p7LqDzCh66Xc3HNUyBUnW/9IxIKdNznsVrk6eiwELik9IUFc1GG/VZP+ynGks4mp
+MkjpML3xEDRHhU2rA/kCQQCzhjCPuiZtPpe7fM/gl78q+TSXu/Rr8e/LYYmHeRbq
+G9ojPe6Kx+toOPrOaaDLbRd6tkmwoLl9eSW/EW/aHwWY
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/server-ss.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICCDCCAXGgAwIBAgIJAJKfiuFnjnPZMA0GCSqGSIb3DQEBCwUAMEYxJDAiBgNV
+BAMMG2NvbW1vbi1uYW1lLnBnLXNzbHRlc3QudGVzdDEeMBwGA1UECwwVUG9zdGdy
+ZVNRTCB0ZXN0IHN1aXRlMB4XDTE0MTIwNDExNTIwMVoXDTQyMDQyMTExNTIwMVow
+RjEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVzdC50ZXN0MR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAON0emWfWbLb4cSdixPiKiSwwiRbVw371L2t90jVY1ucJc/8YRUrRMhdsKds
+P2NuwtFx1Mghspztc/v6Dj/V9raYsHDGKK7OSPDF97GT9xM6yqm3FAY3l0QdP78X
+hiIZOhTO4fOJkAfQLVhXca2X0krl0jF57/o5in6GHuyhulLPAgMBAAEwDQYJKoZI
+hvcNAQELBQADgYEAoMiPEDM4EmgyOc6kVRSVa+Q+6Wc+O7WX7LmEZprXyJErQ51H
+X0KWcznjass1YzVeT+hCOyEQWSbEs8W1+b0FZleD6Cng9ZfD10Oz/4nCBy8al7sn
+GlQk0KHYlMOcQDfmFr5CNuoIo77rtapDlVxIhMAxBJKTlYvimbNh3XM9g4U=
+-----END CERTIFICATE-----

src/test/ssl/ssl/server-ss.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDHz31rLL10XaTbD+K4UQcrtV+2Jq9C9U65lDk6LtsGVkW3os0P
+b0MtXZEijnPvVDa7Kwq4mvKzTJ/SZwtA6zxSC8gs9gpql3ZSINsrzHC9XNxNbUgZ
+gPGiAq9j8C2kRnTKae3tDsEa54XWZXTFniu0Lbk1lXEeompCZZv4wqaSfwIDAQAB
+AoGADrqV1TOsF4rbnyZRoSKf87HgB05ctwPcNMPfYBGaJaJwazP+B7g87HgsPa7g
+jvDXQ/7NQIRzhZINafYcl0F/5a7tbO6DyCXJzoYYZ4NOb8ng1HBpaBMhcigOeeeZ
+i+KBYDjPzEeVfUOxIADWuh8HuVQWgB2WOdWg2GSuC4MZrXkCQQD3AuKxW7W4PJzP
+ZMY4RpnvFlfUyNWKM/0vMeDv88QUK+LH1MWMSIsYPSBS5sTB8b7lR0kb3IhDkuNP
+MeoiZNIlAkEAzxTj5ITO92RL7JI85Z1WBMPgOjvw5ffQF95GiLUN7My1SB5KJUWX
+pI108sY6oigHNDYjlL8rfsJHoz3MpPaG0wJBAMNOwcXwuMebDXYivWSD1nUoGnyB
+6+5h2yA09SFlgjVc2eydfTHFrk2VD3jdRNgA+Kq7acAg6JFdlGPrGLDnPQ0CQGrs
+X2tMA82LVQSW0ajBn3ugY/PNpWoolaLtW0AVNFZzsJrHQQOTtmP5wkvkfLvjrSyR
+U7fnKZ8u02x/aV44CI8CQCQSiBF1mTqiNUZswX0z8m8KRiYplS9+UdtHqbwo91dw
+BD/KWzZKJjGEbc3RN1MIQUq02cp1ZU3pNU7afALBF4s=
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/server.crl

@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBHTCBhzANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xNDEy
+MDQxMTUyMDFaFw00MjA0MjExMTUyMDFaMBQwEgIBBhcNMTQxMjA0MTE1MjAxWjAN
+BgkqhkiG9w0BAQUFAAOBgQCmFnFkEt0+Ialw4E+4nIAJWJO9XDE71FdRfX3QChs8
+ZJtBseaMNeUC1FY1zHOYQhtMy+Uatda6hx/QiyidF2oP5KpWp+R11M554Ifxem3X
+KDQDBQNee+1IIJ7a1kxAUxeSNP+0a3/bmUxI5sbomINnKeIDqDO8d2vmO2VLxJm6
+MA==
+-----END X509 CRL-----

src/test/ssl/ssl/server_ca.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAVoCAQEwDQYJKoZIhvcNAQEFBQAwQDE+MDwGA1UEAww1VGVzdCByb290
+IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcN
+MTQxMjA0MTE1MjAxWhcNNDIwNDIxMTE1MjAxWjBCMUAwPgYDVQQDDDdUZXN0IENB
+IGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC15tOzDBVKaCRDz9L5LMpPk8DR
+RGHHOe4OuO6WTkUzjbjuKyiQbmtcp00R4dULbSM57ESvI/Ny0gPt+J/QKAOG8S5t
+09wDpKxKcgZSZ6Nd6FaK+D+ZhUVAkP3hB0ba0wo1JZff/0e4B+VJhXTjl7RRHfbr
+AEuDYFxv9T3K/Jq04wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJys1pnYvO+u8Wca
+6xUToGMpqTnImKa+dX8tMKsp6mXAN/dWrOVMDWnjBhQxShhAZBsaJ4iUeXPJlctw
+KzkUCQo6BsUbPMTSQlPuyHHdZBOTHDIW4SylKaBQvkundkhhBO7aHwFV3QjxZKcH
+XqpGyY2ryrgdj2D4+H55NDXYjj/m
+-----END CERTIFICATE-----

src/test/ssl/ssl/server_ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC15tOzDBVKaCRDz9L5LMpPk8DRRGHHOe4OuO6WTkUzjbjuKyiQ
+bmtcp00R4dULbSM57ESvI/Ny0gPt+J/QKAOG8S5t09wDpKxKcgZSZ6Nd6FaK+D+Z
+hUVAkP3hB0ba0wo1JZff/0e4B+VJhXTjl7RRHfbrAEuDYFxv9T3K/Jq04wIDAQAB
+AoGBAKxkghg7iGYHQu9dpCXw9B/s+R2bgEuPNHWRgNTEg0MzuqNGFeCkNW4PRLSA
+4ic9HNiFeia+nLgiIAVFzzg44/VCvzD8P0EdJo9bRqV+mmm15YBcpV+F3I5RLOuq
+IWuRHyDbt+wsZyzdzPN0ElV3AUmj/0vkfX0xoRwXeGqimBFpAkEA5/PpK0qjvK3z
+hv4lC0nX3bmaKfFFEDRiufK+/WUGMHx8YS55CqjpcbR+xMPAFswWEcBEQnj6zbDm
+a4hEjlwXBwJBAMjCi9UcDe3Sp/mmxFklxmMusIHqldA5YsOyCjtSLxpgHJLdwcMx
+KWH3Q9nUrn4WxhlHhY8W6smNgQDzVk1TgEUCQCd2ef8hjcX2Gm6nIopPH+jbQP1N
+zSA6qWlVgWT/IRRyuX6XN4S2xDDSMpcrbqzyP/b5LSPaDWGdbTZyUqedx1UCQDjA
+/sTVNH7aAZCK+5D0I9xgE5f2mDmQL4KBL3FLr3M2Xn2KYT9sA3Xlb/IBtP6CM6hr
+1q733JH0Bdcd83TSuT0CQQCb4dzfNLuYscHBnQYsMCZvMSKmQZ2LKUANGra/mX+i
+7JZ7wngI548ypMK2lJWnb2Ce+0cR8GAPVHWOTx2srtH4
+-----END RSA PRIVATE KEY-----

src/test/ssl/t/001_ssltests.pl

@@ -0,0 +1,223 @@
+use strict;
+use warnings;
+use TestLib;
+use Test::More tests => 38;
+use ServerSetup;
+use File::Copy;
+
+# Like TestLib.pm, we use IPC::Run
+BEGIN
+{
+	eval {
+		require IPC::Run;
+		import IPC::Run qw(run start);
+		1;
+	} or do
+	{
+		plan skip_all => "IPC::Run not available";
+	  }
+}
+
+#### Some configuration
+
+# This is the hostname used to connect to the server. This cannot be a
+# hostname, because the server certificate is always for the domain
+# postgresql-ssl-regression.test.
+my $SERVERHOSTADDR='127.0.0.1';
+
+my $tempdir = TestLib::tempdir;
+#my $tempdir = "tmp_check";
+
+
+# Define a couple of helper functions to test connecting to the server.
+
+my $common_connstr;
+
+sub run_test_psql {
+	my $connstr = $_[0];
+	my $logstring = $_[1];
+
+	my $cmd = [ 'psql',
+				'-A', '-t',
+				'-c', "SELECT 'connected with $connstr'",
+				'-d', "$connstr"
+		];
+
+    open CLIENTLOG, ">>$tempdir/client-log" or die "Could not open client-log file";
+	print CLIENTLOG "\n# Running test: $connstr $logstring\n";
+	close CLIENTLOG;
+
+	my $result = run $cmd, '>>', "$tempdir/client-log", '2>&1';
+	return $result;
+}
+
+#
+# The first argument is a (part of a) connection string, and it's also printed
+# out as the test case name. It is appended to $common_connstr global variable,
+# which also contains a libpq connection string.
+#
+# The second argument is a hostname to connect to.
+sub test_connect_ok {
+	my $connstr = $_[0];
+
+	my $result = run_test_psql("$common_connstr $connstr", "(should succeed)");
+	ok($result, $connstr);
+}
+
+sub test_connect_fails {
+	my $connstr = $_[0];
+
+	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
+	ok(!$result, "$connstr (should fail)");
+}
+
+# The client's private key must not be world-readable. Git doesn't track
+# permissions (except for the executable bit), so they might be wrong after
+# a checkout.
+system_or_bail "chmod 0600 ssl/client.key";
+
+#### Part 0. Set up the server.
+
+diag "setting up data directory in \"$tempdir\"...";
+start_test_server($tempdir);
+configure_test_server_for_ssl($tempdir);
+switch_server_cert($tempdir, 'server-cn-only');
+
+### Part 1. Run client-side tests.
+###
+### Test that libpq accepts/rejects the connection correctly, depending
+### on sslmode and whether the server's certificate looks correct. No
+### client certificate is used in these tests.
+
+diag "running client tests...";
+
+$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
+
+# The server should not accept non-SSL connections
+diag "test that the server doesn't accept non-SSL connections";
+test_connect_fails("sslmode=disable");
+
+# Try without a root cert. In sslmode=require, this should work. In verify-ca
+# or verify-full mode it should fail
+diag "connect without server root cert";
+test_connect_ok   ("sslrootcert=invalid sslmode=require");
+test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
+test_connect_fails("sslrootcert=invalid sslmode=verify-full");
+
+# Try with wrong root cert, should fail. (we're using the client CA as the
+# root, but the server's key is signed by the server CA)
+diag "connect without wrong server root cert";
+test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");
+test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
+test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");
+
+# Try with just the server CA's cert. This fails because the root file
+# must contain the whole chain up to the root CA.
+diag "connect with server CA cert, without root CA";
+test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
+
+# And finally, with the correct root cert.
+diag "connect with correct server CA cert file";
+test_connect_ok   ("sslrootcert=ssl/root+server_ca.crt sslmode=require");
+test_connect_ok   ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_ok   ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
+
+# Test with cert root file that contains two certificates. The client should
+# be able to pick the right one, regardless of the order in the file.
+test_connect_ok   ("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
+test_connect_ok   ("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
+
+diag "testing sslcrl option with a non-revoked cert";
+
+# Invalid CRL filename is the same as no CRL, succeeds
+test_connect_ok   ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
+# A CRL belonging to a different CA is not accepted, fails
+test_connect_fails("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
+# With the correct CRL, succeeds (this cert is not revoked)
+test_connect_ok   ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl");
+
+# Check that connecting with verify-full fails, when the hostname doesn't
+# match the hostname in the server's certificate.
+diag "test mismatch between hostname and server certificate";
+$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+
+test_connect_ok   ("sslmode=require host=wronghost.test");
+test_connect_ok   ("sslmode=verify-ca host=wronghost.test");
+test_connect_fails("sslmode=verify-full host=wronghost.test");
+
+# Test Subject Alternative Names.
+switch_server_cert($tempdir, 'server-multiple-alt-names');
+
+diag "test hostname matching with X509 Subject Alternative Names";
+$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+
+test_connect_ok   ("host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok   ("host=dns2.alt-name.pg-ssltest.test");
+test_connect_ok   ("host=foo.wildcard.pg-ssltest.test");
+
+test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+
+# Test certificate with a single Subject Alternative Name. (this gives a
+# slightly different error message, that's all)
+switch_server_cert($tempdir, 'server-single-alt-name');
+
+diag "test hostname matching with a single X509 Subject Alternative Name";
+$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+
+test_connect_ok   ("host=single.alt-name.pg-ssltest.test");
+
+test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+
+# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
+# should be ignored when the certificate has both.
+switch_server_cert($tempdir, 'server-cn-and-alt-names');
+
+diag "test certificate with both a CN and SANs";
+$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+
+test_connect_ok   ("host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok   ("host=dns2.alt-name.pg-ssltest.test");
+test_connect_fails("host=common-name.pg-ssltest.test");
+
+# Finally, test a server certificate that has no CN or SANs. Of course, that's
+# not a very sensible certificate, but libpq should handle it gracefully.
+switch_server_cert($tempdir, 'server-no-names');
+$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
+
+test_connect_ok   ("sslmode=verify-ca host=common-name.pg-ssltest.test");
+test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
+
+# Test that the CRL works
+diag "Testing client-side CRL";
+switch_server_cert($tempdir, 'server-revoked');
+
+$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
+
+# Without the CRL, succeeds. With it, fails.
+test_connect_ok   ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_fails("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl");
+
+### Part 2. Server-side tests.
+###
+### Test certificate authorization.
+
+diag "Testing certificate authorization...";
+$common_connstr="sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
+
+# no client cert
+test_connect_fails("user=ssltestuser sslcert=invalid");
+
+# correct client cert
+test_connect_ok   ("user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client.key");
+
+# client cert belonging to another user
+test_connect_fails("user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client.key");
+
+# revoked client cert
+test_connect_fails("user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key");
+
+
+# All done! Save the log, before the temporary installation is deleted
+copy("$tempdir/client-log", "./client-log");