diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..d2aaebbcec16eee8739296e77f07dc4dbe04d361
--- /dev/null
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,8 @@
+FROM baltig.infn.it:4567/storm2/build/ngx-voms-build:issue-17-latest
+
+USER root
+
+RUN yum install -y https://repo.ius.io/ius-release-el7.rpm centos-release-scl \
+ && yum install -y git224 devtoolset-10
+
+USER $BUILD_USER
diff --git a/.devcontainer/assets/install-build-deps.sh b/.devcontainer/assets/install-build-deps.sh
new file mode 100644
index 0000000000000000000000000000000000000000..16c0977e6be1d15e75ae4bab9a25af6c38937dd0
--- /dev/null
+++ b/.devcontainer/assets/install-build-deps.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
+
+yum -y install epel-release
+
+yum -y install \
+ gcc-c++ \
+ GeoIP-devel \
+ gd-devel \
+ gettext \
+ ccache \
+ libxslt-devel \
+ lcov \
+ perl-ExtUtils-Embed \
+ perl-Test-Nginx \
+ perl-Digest-SHA \
+ readline-devel \
+ boost-devel \
+ voms-devel \
+ make \
+ patch
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 0000000000000000000000000000000000000000..821c8c54b3feb734b8bbe030ab408635e355ff7c
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,28 @@
+// For format details, see https://aka.ms/vscode-remote/devcontainer.json or this file's README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.159.0/containers/cpp
+{
+ "name": "C++",
+ "build": {
+ "dockerfile": "Dockerfile",
+ },
+ "runArgs": [
+ "--cap-add=SYS_PTRACE",
+ "--security-opt",
+ "seccomp=unconfined"
+ ],
+ // Set *default* container specific settings.json values on container create.
+ "settings": {
+ "terminal.integrated.defaultProfile.linux": "bash"
+ },
+ // Add the IDs of extensions you want installed when the container is created.
+ "extensions": [
+ "ms-vscode.cpptools",
+ ],
+ // Use 'forwardPorts' to make a list of ports inside the container available locally.
+ // "forwardPorts": [],
+ // Use 'postCreateCommand' to run commands after the container is created.
+ //"postCreateCommand": "sudo debuginfo-install -y voms",
+ // Comment out this line to run as root instead.
+ "remoteUser": "build",
+ "remoteEnv": {"NGX_HTTP_VOMS_MODULE_ROOT": "${containerWorkspaceFolder}"}
+}
\ No newline at end of file
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9409383adacf16c1f90186e9cc0d9a0001ddb9e0..484e7319fd1b351472d55ef831d17599249e4f9e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,3 @@
-#image: ${CI_REGISTRY}/storm2/build/ngx-voms-build:master-latest
-image: storm2/ngx-voms-build:latest
stages:
- build
@@ -8,10 +6,12 @@ stages:
build-rpm:
stage: build
+ image: centos:7
script:
- env | sort
- - export VOMS_MODULE_HOME=${CI_PROJECT_DIR}
- - cd rpm && sh make_packaging.sh && cd ..
+ - sh .devcontainer/assets/install-build-deps.sh
+ - yum install -y rpm-build redhat-rpm-config rpmdevtools
+ - cd rpm && sh make_packaging.sh ${CI_PROJECT_DIR} && cd ..
- mv ${HOME}/rpmbuild ./rpmbuild
artifacts:
paths:
diff --git a/README.md b/README.md
index ed301d6967883f09a25eebaf420f34be69857892..53604a06eb5ef7bb9a38a4ce9fbb48d405a51a73 100644
--- a/README.md
+++ b/README.md
@@ -4,24 +4,30 @@
## Description
-_ngx_http_voms_module_ is a module for the [Nginx web server](https://www.nginx.org/) that enables client-side authentication based on X.509 proxy certificates augmented with VOMS Attribute Certificates, typically obtained from a [Virtual Organization Membership Service](https://italiangrid.github.io/voms/) (VOMS) server.
+*ngx_http_voms_module* is a module for the [Nginx web server](https://www.nginx.org/) that enables client-side authentication based on X.509 proxy certificates augmented with VOMS Attribute Certificates, typically obtained from a [Virtual Organization Membership Service](https://italiangrid.github.io/voms/) (VOMS) server.
-The module defines a set of [_embedded_ variables](~embedded-variables), whose values are extracted from the first Attribute Certificate found in the certificate chain.
+The module defines a set of [*embedded* variables](#embedded-variables), whose values are extracted from the first Attribute Certificate found in the certificate chain.
## Installation
The generic installation instructions are:
- $ cd nginx-1.x.y
- $ ./configure --add-module=/path/to/ngx_http_voms_module
- $ make && make install
+```shell
+$ cd nginx-x.y.z
+$ ./configure --add-module=/path/to/ngx_http_voms_module
+$ make && make install
+```
+
+The module is written in C++, using features from C++14 that are supported by gcc v. 4.8.5 (the version available in CentOS 7) enabling the option `-std=c++1y` (see [`config.make`](config.make)).
A Docker image is available for use in the context of the StoRM2 project, where the OpenResty distribution is used:
- $ docker run --rm -it -v /path/to/ngx_http_voms_module:/home/build/ngx_http_voms_module storm2/ngx-voms-build
- % cd openresty-1.x.y
- % ./configure ${RESTY_CONFIG_OPTIONS} --add-module=../ngx_http_voms_module
- % make && make install
+```shell
+$ docker run --rm -it -v /path/to/ngx_http_voms_module:/home/build/ngx_http_voms_module storm2/ngx-voms-build
+$ cd openresty-x.y.z
+$ ./configure ${RESTY_CONFIG_OPTIONS} --add-module=../ngx_http_voms_module
+$ make && make install
+```
## Embedded Variables
@@ -37,74 +43,74 @@ _Example_: ``/C=IT/O=IGI/CN=test0``
Like `voms_user`, the Subject of the End-Entity certificate. Unlike `voms_user`, it is available even for non-VOMS proxies and is formatted according to RFC 2253.
-_Example_: ``CN=test0,O=IGI,C=IT``
+_Example_: `CN=test0,O=IGI,C=IT`
### voms_user_ca
The Issuer (Certificate Authority) of the End-Entity certificate.
-_Example_: ``/C=IT/O=IGI/CN=Test CA``
+_Example_: `/C=IT/O=IGI/CN=Test CA`
### ssl_client_ee_i_dn
Like `voms_user_ca`, the Issuer of the End-Entity certificate. Unlike `voms_user_ca`, it is available even for non-VOMS proxies and is formatted according to RFC 2253.
-_Example_: ``CN=Test CA,O=IGI,C=IT``
+_Example_: `CN=Test CA,O=IGI,C=IT`
### voms_fqans
A comma-separated list of Fully Qualified Attribute Names. See [The VOMS Attribute Certificate Format](http://ogf.org/documents/GFD.182.pdf) for more details.
-_Example_: ``/test/exp1,/test/exp2,/test/exp3/Role=PIPPO``
+_Example_: `/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO`
### voms_server
The Subject of the VOMS server certificate, used to sign the Attribute Certificate.
-_Example_: ``/C=IT/O=IGI/CN=voms.example``
+_Example_: `/C=IT/O=IGI/CN=voms.example`
### voms_server_ca
The Issuer (Certificate Authority) of the VOMS server certificate.
-_Example_: ``/C=IT/O=IGI/CN=Test CA``
+_Example_: `/C=IT/O=IGI/CN=Test CA`
### voms_vo
The name of the Virtual Organization (VO) to which the End Entity belongs.
-_Example_: ``test.vo``
+_Example_: `test.vo`
### voms_server_uri
The hostname and port of the VOMS network service that issued the Attribute Certificate, in the form _hostname_ :_port_.
-_Example_: ``voms.example:15000``
+_Example_: `voms.example:15000`
### voms_not_before
-The date before which the Attribute Certificate is not yet valid, in the form _YYYYMMDDhhmmss_ ``Z``.
+The date before which the Attribute Certificate is not yet valid, in the form _YYYYMMDDhhmmss_ `Z`.
-_Example_: ``20180101000000Z``
+_Example_: `20180101000000Z`
### voms_not_after
-The date after which the Attribute Certificate is not valid anymore, in the form _YYYYMMDDhhmmss_ ``Z``.
+The date after which the Attribute Certificate is not valid anymore, in the form _YYYYMMDDhhmmss_ `Z`.
-_Example_: ``20180101120000Z``
+_Example_: `20180101120000Z`
### voms_generic_attributes
-A comma-separated list of attributes, each defined by three properties and formatted as ``n=``_name_ ``v=``_value_ ``q=``_qualifier_. The qualifier typically coincides with the name of the VO.
+A comma-separated list of attributes, each defined by three properties and formatted as `n=`_name_ `v=`_value_ `q=`_qualifier_. The qualifier typically coincides with the name of the VO.
-_Example_: ``n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo``
+_Example_: `n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo`
### voms_serial
The serial number of the Attribute Certificate in hexadecimal format.
-_Example_: ``7B``
+_Example_: `7B`
## Testing
-Setup and files to test the *ngx\_http\_voms\_module* are contained in the `t` folder.
+Setup and files to test the *ngx_http_voms_module* are contained in the [`t`](t) folder.
diff --git a/config.make b/config.make
new file mode 100644
index 0000000000000000000000000000000000000000..37d163efb942c3b1cc53bde65832f92c2bcadf90
--- /dev/null
+++ b/config.make
@@ -0,0 +1,2 @@
+echo "objs/addon/src/ngx_http_voms_module.o: CFLAGS += --std=c++1y -Werror" >> $NGX_MAKEFILE
+
diff --git a/nginx-httpg_no_delegation.patch b/nginx-httpg_no_delegation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..71bcfba72e36edb0d2888bb0efe06c90946701d8
--- /dev/null
+++ b/nginx-httpg_no_delegation.patch
@@ -0,0 +1,19 @@
+diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
+index d9a1dbed..7438816e 100644
+--- a/src/http/ngx_http_parse.c
++++ b/src/http/ngx_http_parse.c
+@@ -149,7 +149,13 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
+ break;
+ }
+
+- if ((ch < 'A' || ch > 'Z') && ch != '_' && ch != '-') {
++ if (ch == '0') {
++ // httpg with no delegation
++ // eat the character and continue with the rest of the request
++ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "httpg request w/o delegation");
++ r->request_start++;
++ // httpg with a delegation request would fail for an unknown method
++ } else if ((ch < 'A' || ch > 'Z') && ch != '_' && ch != '-') {
+ return NGX_HTTP_PARSE_INVALID_METHOD;
+ }
+
diff --git a/rpm/SPECS/openresty-voms-debug.spec b/rpm/SPECS/openresty-voms-debug.spec
index e5b6abce9161ef87399910cdc6bb65c73b57a4b9..f4690caf80ba1d4e7bfa171f0eca751edf87de61 100644
--- a/rpm/SPECS/openresty-voms-debug.spec
+++ b/rpm/SPECS/openresty-voms-debug.spec
@@ -1,7 +1,7 @@
Name: openresty-voms
-Version: 1.15.8.1
-Release: 7%{?dist}
-Summary: OpenResty with Voms
+Version: 1.19.9.1
+Release: 1%{?dist}
+Summary: OpenResty, scalable web platform by extending NGINX with Lua, with HTTPG and VOMS support
Group: System Environment/Daemons
@@ -12,34 +12,27 @@ URL: https://openresty.org/
Source0: https://openresty.org/download/openresty-%{version}.tar.gz
Patch0: nginx-httpg_no_delegation.patch
-
+
%if 0%{?amzn} >= 2 || 0%{?suse_version} || 0%{?fedora} || 0%{?rhel} >= 7
%define use_systemd 1
%endif
-Source1: openresty-voms.service
-Source2: openresty-voms.init
+Source1: %{name}.service
+Source2: %{name}.init
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: perl-File-Temp
BuildRequires: ccache, gcc, make, perl, systemtap-sdt-devel
-#BuildRequires: openresty-zlib-devel >= 1.2.11-3
-BuildRequires: zlib-devel >= 1.2.7-18
-#BuildRequires: openresty-openssl-devel >= 1.1.0h-1
-BuildRequires: openssl-devel >= 1.0.2k-19
-#BuildRequires: openresty-pcre-devel >= 8.42-1
-BuildRequires: pcre-devel >= 8.32-17
-#Requires: openresty-zlib >= 1.2.11-3
-Requires: zlib >= 1.2.7-18
-#Requires: openresty-openssl >= 1.1.0h-1
-Requires: openssl >= 1.0.2k-19
-#Requires: openresty-pcre >= 8.42-1
-Requires: pcre >= 8.32-17
-
-# The path location is /usr/local/openresty-voms, therefore I can avoid to handle
-# Conflicts for standard rpm
-# Conflicts: openresty >= 1.15.8.2
+BuildRequires: zlib-devel
+BuildRequires: openssl-devel
+BuildRequires: pcre-devel
+BuildRequires: voms-devel
+BuildRequires: boost-devel
+Requires: zlib
+Requires: openssl
+Requires: pcre
+Requires: voms
%if 0%{?suse_version}
@@ -69,31 +62,6 @@ Requires(preun): chkconfig, initscripts
AutoReqProv: no
%define orprefix %{_usr}/local/%{name}
-%define oroprefix /usr
-%define zlib_prefix %{orprefix}/zlib
-%define pcre_prefix %{orprefix}/pcre
-%define openssl_prefix %{orprefix}/openssl
-
-%define voms_module_prefix ${VOMS_MODULE_HOME}
-
-# Remove source code from debuginfo package.
-%define __debug_install_post \
- %{_rpmconfigdir}/find-debuginfo.sh %{?_missing_build_ids_terminate_build:--strict-build-id} %{?_find_debuginfo_opts} "%{_builddir}/%{?buildsubdir}"; \
- rm -rf "${RPM_BUILD_ROOT}/usr/src/debug"; \
- mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/openresty-%{version}"; \
- mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/tmp"; \
- mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/builddir"; \
-%{nil}
-
-%if 0%{?fedora} >= 27
-%undefine _debugsource_packages
-%undefine _debuginfo_subpackages
-%endif
-
-%if 0%{?rhel} >= 8
-%undefine _debugsource_packages
-%undefine _debuginfo_subpackages
-%endif
%description
@@ -115,17 +83,41 @@ web applications that are capable to handle 10K ~ 1000K+ connections in
a single box.
+%if 0%{?suse_version}
+
+%debug_package
+
+%else
+
+# Remove source code from debuginfo package.
+%define __debug_install_post \
+ %{_rpmconfigdir}/find-debuginfo.sh %{?_missing_build_ids_terminate_build:--strict-build-id} %{?_find_debuginfo_opts} "%{_builddir}/%{?buildsubdir}"; \
+ rm -rf "${RPM_BUILD_ROOT}/usr/src/debug"; \
+ mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/openresty-%{version}"; \
+ mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/tmp"; \
+ mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/builddir"; \
+%{nil}
+
+%endif
+
+%if 0%{?fedora} >= 27
+%undefine _debugsource_packages
+%undefine _debuginfo_subpackages
+%endif
+
+%if 0%{?rhel} >= 8
+%undefine _debugsource_packages
+%undefine _debuginfo_subpackages
+%endif
+
+
%package resty
Summary: OpenResty command-line utility, resty
Group: Development/Tools
-Requires: perl, openresty-voms >= %{version}-%{release}
+Requires: perl, %{name} >= %{version}-%{release}
Requires: perl(File::Spec), perl(FindBin), perl(List::Util), perl(Getopt::Long), perl(File::Temp), perl(POSIX), perl(Time::HiRes)
-# The path location is /usr/local/openresty-voms, therefore I can avoid to handle
-# Conflicts for standard rpm
-# Conflicts: openresty-resty >= 1.15.8.2
-
%if 0%{?fedora} >= 10 || 0%{?rhel} >= 6 || 0%{?centos} >= 6
BuildArch: noarch
%endif
@@ -149,10 +141,6 @@ Summary: OpenResty documentation tool, restydoc
Group: Development/Tools
Requires: perl, perl(Getopt::Std), perl(File::Spec), perl(FindBin), perl(Cwd), perl(File::Temp), perl(Pod::Man), perl(Pod::Text)
-# The path location is /usr/local/openresty-voms, therefore I can avoid to handle
-# Conflicts for standard rpm
-# Conflicts: openresty-doc >= 1.15.8.2
-
%if (!0%{?rhel} || 0%{?rhel} < 7) && !0%{?fedora}
Requires: groff
%endif
@@ -183,16 +171,12 @@ services, and dynamic web gateways.
Summary: OpenResty Package Manager
Group: Development/Tools
-Requires: perl, openresty-voms >= %{version}-%{release}, perl(Digest::MD5)
-Requires: openresty-voms-doc >= %{version}-%{release}, openresty-voms-resty >= %{version}-%{release}
+Requires: perl, %{name} >= %{version}-%{release}, perl(Digest::MD5)
+Requires: %{name}-doc >= %{version}-%{release}, %{name}-resty >= %{version}-%{release}
Requires: curl, tar, gzip
#BuildRequires: perl(Digest::MD5)
Requires: perl(Encode), perl(FindBin), perl(File::Find), perl(File::Path), perl(File::Spec), perl(Cwd), perl(Digest::MD5), perl(File::Copy), perl(File::Temp), perl(Getopt::Long)
-# The path location is /usr/local/openresty-voms, therefore I can avoid to handle
-# Conflicts for standard rpm
-# Conflicts: openresty-opm >= 1.15.8.2
-
%if 0%{?fedora} >= 10 || 0%{?rhel} >= 6 || 0%{?centos} >= 6
BuildArch: noarch
%endif
@@ -214,8 +198,7 @@ cd ../..
--prefix="%{orprefix}" \
--with-cc='ccache gcc -fdiagnostics-color=always' \
--with-debug \
- --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC -I%{zlib_prefix}/include -I%{pcre_prefix}/include -I%{openssl_prefix}/include -O0" \
- --with-ld-opt="-L%{zlib_prefix}/lib -L%{pcre_prefix}/lib -L%{openssl_prefix}/lib -Wl,-rpath,%{zlib_prefix}/lib:%{pcre_prefix}/lib:%{openssl_prefix}/lib" \
+ --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC -Og" \
--with-pcre-jit \
--without-http_rds_json_module \
--without-http_rds_csv_module \
@@ -240,12 +223,12 @@ cd ../..
--with-http_mp4_module \
--with-http_gunzip_module \
--with-threads \
+ --with-compat \
--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT' \
- --with-dtrace-probes \
--add-module=%{voms_module_prefix} \
- %{?_smp_mflags}
+ -j`nproc`
-make %{?_smp_mflags}
+make -j`nproc`
%install
@@ -261,7 +244,6 @@ ln -sf %{orprefix}/bin/resty %{buildroot}/usr/bin/
ln -sf %{orprefix}/bin/restydoc %{buildroot}/usr/bin/
ln -sf %{orprefix}/bin/opm %{buildroot}/usr/bin/
ln -sf %{orprefix}/nginx/sbin/nginx %{buildroot}/usr/bin/%{name}
-ls -al %{buildroot}/usr/bin
%if 0%{?use_systemd}
@@ -286,7 +268,7 @@ rm -rf %{buildroot}
%post
%if 0%{?use_systemd}
-%systemd_post openresty-voms.service
+%systemd_post %{name}.service
%else
%if ! 0%{?suse_version}
/sbin/chkconfig --add %{name}
@@ -296,7 +278,7 @@ rm -rf %{buildroot}
%preun
%if 0%{?use_systemd}
-%systemd_preun openresty-voms.service
+%systemd_preun %{name}.service
%else
%if ! 0%{?suse_version}
if [ $1 = 0 ]; then
@@ -309,7 +291,7 @@ fi
%if 0%{?use_systemd}
%postun
-%systemd_postun_with_restart openresty-voms.service
+%systemd_postun_with_restart %{name}.service
%endif
@@ -329,7 +311,6 @@ fi
%{orprefix}/nginx/html/*
%{orprefix}/nginx/logs/
%{orprefix}/nginx/sbin/*
-%{orprefix}/nginx/tapset/*
%config(noreplace) %{orprefix}/nginx/conf/*
%{orprefix}/COPYRIGHT
@@ -363,6 +344,18 @@ fi
%changelog
+* Fri Nov 12 2021 Francesco Giacomini
+- add HTTPG and VOMS support to openresty 1.19.9.1
+* Fri Aug 6 2021 Yichun Zhang (agentzh) 1.19.9.1-1
+- upgraded openresty to 1.19.9.1.
+* Mon May 31 2021 Yichun Zhang (agentzh) 1.19.3.2-1
+- upgraded openresty to 1.19.3.2.
+* Fri Nov 6 2020 Yichun Zhang (agentzh) 1.19.3.1-1
+- upgraded openresty to 1.19.3.1.
+* Mon Jul 13 2020 Yichun Zhang (agentzh) 1.17.8.2-1
+- upgraded openresty to 1.17.8.2.
+* Fri Jul 3 2020 Yichun Zhang (agentzh) 1.17.8.1-1
+- upgraded openresty to 1.17.8.1.
* Mon Nov 18 2019 Elisabetta Ronchieri 1.15.8.2-7
- handled rpm package with voms module.
* Thu Aug 29 2019 Yichun Zhang (agentzh) 1.15.8.2-1
diff --git a/rpm/SPECS/openresty-voms.spec b/rpm/SPECS/openresty-voms.spec
index 5d92298ab11521a8614f0e29549cb921f5de220b..e62ed2114a69e126867d7728a4c372f97e1df74f 100644
--- a/rpm/SPECS/openresty-voms.spec
+++ b/rpm/SPECS/openresty-voms.spec
@@ -1,7 +1,7 @@
Name: openresty-voms
-Version: 1.15.8.1
-Release: 7%{?dist}
-Summary: OpenResty with Voms
+Version: 1.19.9.1
+Release: 1%{?dist}
+Summary: OpenResty, scalable web platform by extending NGINX with Lua, with HTTPG and VOMS support
Group: System Environment/Daemons
@@ -12,32 +12,27 @@ URL: https://openresty.org/
Source0: https://openresty.org/download/openresty-%{version}.tar.gz
Patch0: nginx-httpg_no_delegation.patch
-
+
%if 0%{?amzn} >= 2 || 0%{?suse_version} || 0%{?fedora} || 0%{?rhel} >= 7
%define use_systemd 1
%endif
-Source1: openresty-voms.service
-Source2: openresty-voms.init
+Source1: %{name}.service
+Source2: %{name}.init
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: perl-File-Temp
BuildRequires: ccache, gcc, make, perl, systemtap-sdt-devel
-BuildRequires: zlib-devel >= 1.2.7-18
-BuildRequires: openssl-devel >= 1.0.2k-19
-BuildRequires: pcre-devel >= 8.32-17
-BuildRequires: voms-devel
-BuildRequires: boost-devel
-Requires: zlib >= 1.2.7-18
-Requires: openssl >= 1.0.2k-19
-Requires: pcre >= 8.32-17
-Requires: voms
-
-
-# The path location is /usr/local/openresty-voms, therefore I can avoid to handle
-# Conflicts for standard rpm
-# Conflicts: openresty >= 1.15.8.2
+BuildRequires: zlib-devel
+BuildRequires: openssl-devel
+BuildRequires: pcre-devel
+BuildRequires: voms-devel
+BuildRequires: boost-devel
+Requires: zlib
+Requires: openssl
+Requires: pcre
+Requires: voms
%if 0%{?suse_version}
@@ -67,31 +62,6 @@ Requires(preun): chkconfig, initscripts
AutoReqProv: no
%define orprefix %{_usr}/local/%{name}
-#%define oroprefix %{_usr}/local/openresty
-%define zlib_prefix /usr
-%define pcre_prefix /usr
-%define openssl_prefix %{orprefix}/openssl
-
-%define voms_module_prefix ${VOMS_MODULE_HOME}
-
-# Remove source code from debuginfo package.
-%define __debug_install_post \
- %{_rpmconfigdir}/find-debuginfo.sh %{?_missing_build_ids_terminate_build:--strict-build-id} %{?_find_debuginfo_opts} "%{_builddir}/%{?buildsubdir}"; \
- rm -rf "${RPM_BUILD_ROOT}/usr/src/debug"; \
- mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/openresty-%{version}"; \
- mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/tmp"; \
- mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/builddir"; \
-%{nil}
-
-%if 0%{?fedora} >= 27
-%undefine _debugsource_packages
-%undefine _debuginfo_subpackages
-%endif
-
-%if 0%{?rhel} >= 8
-%undefine _debugsource_packages
-%undefine _debuginfo_subpackages
-%endif
%description
@@ -113,17 +83,41 @@ web applications that are capable to handle 10K ~ 1000K+ connections in
a single box.
+%if 0%{?suse_version}
+
+%debug_package
+
+%else
+
+# Remove source code from debuginfo package.
+%define __debug_install_post \
+ %{_rpmconfigdir}/find-debuginfo.sh %{?_missing_build_ids_terminate_build:--strict-build-id} %{?_find_debuginfo_opts} "%{_builddir}/%{?buildsubdir}"; \
+ rm -rf "${RPM_BUILD_ROOT}/usr/src/debug"; \
+ mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/openresty-%{version}"; \
+ mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/tmp"; \
+ mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/builddir"; \
+%{nil}
+
+%endif
+
+%if 0%{?fedora} >= 27
+%undefine _debugsource_packages
+%undefine _debuginfo_subpackages
+%endif
+
+%if 0%{?rhel} >= 8
+%undefine _debugsource_packages
+%undefine _debuginfo_subpackages
+%endif
+
+
%package resty
Summary: OpenResty command-line utility, resty
Group: Development/Tools
-Requires: perl, openresty-voms >= %{version}-%{release}
+Requires: perl, %{name} >= %{version}-%{release}
Requires: perl(File::Spec), perl(FindBin), perl(List::Util), perl(Getopt::Long), perl(File::Temp), perl(POSIX), perl(Time::HiRes)
-# The path location is /usr/local/openresty-voms, therefore I can avoid to handle
-# Conflicts for standard rpm
-# Conflicts: openresty-resty >= 1.15.8.2
-
%if 0%{?fedora} >= 10 || 0%{?rhel} >= 6 || 0%{?centos} >= 6
BuildArch: noarch
%endif
@@ -147,10 +141,6 @@ Summary: OpenResty documentation tool, restydoc
Group: Development/Tools
Requires: perl, perl(Getopt::Std), perl(File::Spec), perl(FindBin), perl(Cwd), perl(File::Temp), perl(Pod::Man), perl(Pod::Text)
-# The path location is /usr/local/openresty-voms, therefore I can avoid to handle
-# Conflicts for standard rpm
-# Conflicts: openresty-doc >= 1.15.8.2
-
%if (!0%{?rhel} || 0%{?rhel} < 7) && !0%{?fedora}
Requires: groff
%endif
@@ -181,16 +171,12 @@ services, and dynamic web gateways.
Summary: OpenResty Package Manager
Group: Development/Tools
-Requires: perl, openresty-voms >= %{version}-%{release}, perl(Digest::MD5)
-Requires: openresty-voms-doc >= %{version}-%{release}, openresty-voms-resty >= %{version}-%{release}
+Requires: perl, %{name} >= %{version}-%{release}, perl(Digest::MD5)
+Requires: %{name}-doc >= %{version}-%{release}, %{name}-resty >= %{version}-%{release}
Requires: curl, tar, gzip
#BuildRequires: perl(Digest::MD5)
Requires: perl(Encode), perl(FindBin), perl(File::Find), perl(File::Path), perl(File::Spec), perl(Cwd), perl(Digest::MD5), perl(File::Copy), perl(File::Temp), perl(Getopt::Long)
-# The path location is /usr/local/openresty-voms, therefore I can avoid to handle
-# Conflicts for standard rpm
-# Conflicts: openresty-opm >= 1.15.8.2
-
%if 0%{?fedora} >= 10 || 0%{?rhel} >= 6 || 0%{?centos} >= 6
BuildArch: noarch
%endif
@@ -211,8 +197,7 @@ cd ../..
./configure \
--prefix="%{orprefix}" \
--with-cc='ccache gcc -fdiagnostics-color=always' \
- --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC -I%{zlib_prefix}/include -I%{pcre_prefix}/include -I%{openssl_prefix}/include" \
- --with-ld-opt="-L%{zlib_prefix}/lib -L%{pcre_prefix}/lib -L%{openssl_prefix}/lib -Wl,-rpath,%{zlib_prefix}/lib:%{pcre_prefix}/lib:%{openssl_prefix}/lib" \
+ --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC" \
--with-pcre-jit \
--without-http_rds_json_module \
--without-http_rds_csv_module \
@@ -237,12 +222,12 @@ cd ../..
--with-http_mp4_module \
--with-http_gunzip_module \
--with-threads \
+ --with-compat \
--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT' \
- --with-dtrace-probes \
--add-module=%{voms_module_prefix} \
- %{?_smp_mflags}
+ -j`nproc`
-make %{?_smp_mflags}
+make -j`nproc`
%install
@@ -258,7 +243,6 @@ ln -sf %{orprefix}/bin/resty %{buildroot}/usr/bin/
ln -sf %{orprefix}/bin/restydoc %{buildroot}/usr/bin/
ln -sf %{orprefix}/bin/opm %{buildroot}/usr/bin/
ln -sf %{orprefix}/nginx/sbin/nginx %{buildroot}/usr/bin/%{name}
-ls -al %{buildroot}/usr/bin
%if 0%{?use_systemd}
@@ -283,7 +267,7 @@ rm -rf %{buildroot}
%post
%if 0%{?use_systemd}
-%systemd_post openresty-voms.service
+%systemd_post %{name}.service
%else
%if ! 0%{?suse_version}
/sbin/chkconfig --add %{name}
@@ -293,7 +277,7 @@ rm -rf %{buildroot}
%preun
%if 0%{?use_systemd}
-%systemd_preun openresty-voms.service
+%systemd_preun %{name}.service
%else
%if ! 0%{?suse_version}
if [ $1 = 0 ]; then
@@ -306,7 +290,7 @@ fi
%if 0%{?use_systemd}
%postun
-%systemd_postun_with_restart openresty-voms.service
+%systemd_postun_with_restart %{name}.service
%endif
@@ -326,7 +310,6 @@ fi
%{orprefix}/nginx/html/*
%{orprefix}/nginx/logs/
%{orprefix}/nginx/sbin/*
-%{orprefix}/nginx/tapset/*
%config(noreplace) %{orprefix}/nginx/conf/*
%{orprefix}/COPYRIGHT
@@ -360,6 +343,18 @@ fi
%changelog
+* Fri Nov 12 2021 Francesco Giacomini
+- add HTTPG and VOMS support to openresty 1.19.9.1
+* Fri Aug 6 2021 Yichun Zhang (agentzh) 1.19.9.1-1
+- upgraded openresty to 1.19.9.1.
+* Mon May 31 2021 Yichun Zhang (agentzh) 1.19.3.2-1
+- upgraded openresty to 1.19.3.2.
+* Fri Nov 6 2020 Yichun Zhang (agentzh) 1.19.3.1-1
+- upgraded openresty to 1.19.3.1.
+* Mon Jul 13 2020 Yichun Zhang (agentzh) 1.17.8.2-1
+- upgraded openresty to 1.17.8.2.
+* Fri Jul 3 2020 Yichun Zhang (agentzh) 1.17.8.1-1
+- upgraded openresty to 1.17.8.1.
* Mon Nov 18 2019 Elisabetta Ronchieri 1.15.8.2-7
- handled rpm package with voms module.
* Thu Aug 29 2019 Yichun Zhang (agentzh) 1.15.8.2-1
diff --git a/rpm/make_packaging.sh b/rpm/make_packaging.sh
index c872aa4a30404295ea75e601e9326ecbb5ed5e10..97537e98402306ceee491a0a051721224909a752 100644
--- a/rpm/make_packaging.sh
+++ b/rpm/make_packaging.sh
@@ -1,31 +1,27 @@
#!/bin/sh
-# install rpm build tools:
-sudo yum install -y rpm-build redhat-rpm-config rpmdevtools
+voms_module_prefix=${HOME}/ngx_http_voms_module
+if [ $# -eq 1 ]; then
+ voms_module_prefix=$1
+fi
-# install openresty's build requirements:
-sudo yum install -y gcc make perl \
- perl-Data-Dumper libtool ElectricFence systemtap-sdt-devel valgrind-devel \
- ccache clang boost-devel
+if [ ! -d "$voms_module_prefix" ]; then
+ echo "$voms_module_prefix doesn't exist" >&2
+ exit 1
+fi
-mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
-echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
+mkdir -p ${HOME}/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+cat <<EOF > ${HOME}/.rpmmacros
+%_topdir %{getenv:HOME}/rpmbuild
+%voms_module_prefix ${voms_module_prefix}
+EOF
-cp ${HOME}/nginx-httpg_no_delegation.patch ~/rpmbuild/SOURCES/
+cat ${HOME}/.rpmmacros
-cp SOURCES/* ~/rpmbuild/SOURCES/
-cp SPECS/*.spec ~/rpmbuild/SPECS/
+cp ${voms_module_prefix}/nginx-httpg_no_delegation.patch ${HOME}/rpmbuild/SOURCES/
-cd ~/rpmbuild/SPECS
+cp SOURCES/* ${HOME}/rpmbuild/SOURCES/
+cp SPECS/*.spec ${HOME}/rpmbuild/SPECS/
-for file in *.spec; do
- spectool -g -R $file
-done
-
-cat ${CI_PROJECT_DIR}/.rpmmacros
-
-rpmbuild -ba openresty-voms.spec
-
-cd ~
-
-# tar cvzf rpmbuild.tar.gz rpmbuild
+spectool -g -R ${HOME}/rpmbuild/SPECS/openresty-voms.spec
+rpmbuild -ba ${HOME}/rpmbuild/SPECS/openresty-voms.spec
diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp
index bee998fc68e5edb6f9d41bd7a342798ac53fc3e5..c76a9f709c3039b1bae161ac6f2972708d9b56c4 100644
--- a/src/ngx_http_voms_module.cpp
+++ b/src/ngx_http_voms_module.cpp
@@ -328,7 +328,7 @@ static void cache_voms_ac(ngx_http_request_t* r,
auto c = r->connection;
auto cln = ngx_pool_cleanup_add(c->pool, 0);
if (cln) {
- auto r = ac_cache.insert({c, std::move(acp)});
+ auto r = ac_cache.insert(std::make_pair(c, std::move(acp)));
// we insert into the cache exactly once per connection
assert(r.second);
cln->handler = clean_voms_ac;
@@ -353,7 +353,7 @@ static MaybeVomsAc const& get_voms_ac(ngx_http_request_t* r)
MaybeVomsAc* acp = get_voms_ac_from_cache(r);
if (!acp) {
- auto p = std::make_unique<MaybeVomsAc>(retrieve_voms_ac_from_proxy(r));
+ std::unique_ptr<MaybeVomsAc> p{new MaybeVomsAc(retrieve_voms_ac_from_proxy(r))};
acp = p.get();
cache_voms_ac(r, std::move(p));
}
@@ -624,7 +624,7 @@ static ngx_int_t get_ssl_client_ee_cert_raw(ngx_http_request_t* r,
{
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
- *result = {};
+ *result = {0, nullptr};
auto ee_cert = get_ee_cert(r);
@@ -661,6 +661,15 @@ static ngx_int_t get_ssl_client_ee_cert_raw(ngx_http_request_t* r,
return NGX_OK;
}
+namespace boost {
+template <typename IteratorT, typename IntegerT>
+inline iterator_range<IteratorT> make_iterator_range_n(IteratorT first,
+ IntegerT n)
+{
+ return iterator_range<IteratorT>(first, boost::next(first, n));
+}
+} // namespace boost
+
static ngx_int_t get_ssl_client_ee_cert(ngx_http_request_t* r,
ngx_http_variable_value_t* v,
uintptr_t data)
@@ -670,7 +679,7 @@ static ngx_int_t get_ssl_client_ee_cert(ngx_http_request_t* r,
v->not_found = 1;
v->valid = 0;
- ngx_str_t cert{};
+ ngx_str_t cert{0, nullptr};
if (get_ssl_client_ee_cert_raw(r, &cert) != NGX_OK) {
return NGX_ERROR;
diff --git a/t/README.md b/t/README.md
index ee40d5c57a9c935a48137af765d67b873edc5987..1b861006fc81aba8835be7f1a34712d0bf8d5030 100644
--- a/t/README.md
+++ b/t/README.md
@@ -1,54 +1,52 @@
-# ngx\_http\_voms\_module Testing
+# `ngx_http_voms_module` Testing
## Description
-Setup and files to test the *ngx\_http\_voms\_module* are contained in the `t` folder. The [Openresty data-driven testsuite](https://openresty.gitbooks.io/programming-openresty/content/testing/) has been adopted for testing.
+Setup and files to test the *ngx_http_voms_module* are contained in the `t` folder. The [Openresty data-driven testsuite](https://openresty.gitbooks.io/programming-openresty/content/testing/) has been adopted for testing.
### Test fixture setup
-Proxy certificates are in the `certs` folder (see [README.md](certs/README.md) for further details), while trust-anchors (e.g. igi-test-ca.pem) are contained in `trust-anchors`.
+All the certificates and proxy certificates used in the tests are in the [`certs`](certs) folder (see that [README](certs/README.md) for further details), while trust-anchors (e.g. igi-test-ca.pem) are in the [`trust-anchors`](trust-anchors) folder.
-Nginx server certificate and key are nginx\_voms\_example.cert.pem and nginx\_voms\_example\_key.pem, respectively, and they are contained in `certs`.
+`vomses` is the _vomses_ file needed for the generation of proxy certificates.
-To perform correctly the VOMS AC validation, a \*.lsc or \*.pem file is needed, see [VOMS client 3.3.0 User Guide](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/) for further details. The *voms.example.lsc* can be found in `vomsdir/test.vo`.
+The LSC file `voms.example.lsc`, needed to perform correctly the VOMS AC validation, is in the [`vomsdir/test.vo`](vomsdir/test.vo) folder.
### Running Tests
To run the tests made available in `t` just type
- prove -v
+```shell
+$ prove -v
+```
from `t`' s parent directory.
-Using the docker image provided to exploit Openresty in the Storm2 project (see [README.md](../README.md) for further details):
-
- cp -r t /tmp
- cd /tmp
- prove -v
-
-A copy of the `t` folder is needed since the `prove` command creates a directory `servroot` in `t`.
-
-### Test coverage
-
-To enable test coverage pass the `--coverage` option to both the compiler and the linker. For example, if the build happens inside the ``storm2/nginx-voms-build`` image:
+The `prove` command creates a directory called `servroot` in `t`, so if the `t` folder is accessible read-only, for
+example in a docker container, just make a copy somewhere else and run the tests from there:
```
- % ./configure ${RESTY_CONFIG_OPTIONS} --add-module=../ngx_http_voms_module --with-debug --with-cc-opt="-g -O0 --coverage" --with-ld-opt="--coverage"
- % make && make install
+cp -r t /tmp
+cd /tmp
+prove -v
```
-Building in debug mode, with no optimizations, helps to better associate coverage information to source code.
+### Test coverage
-The above command generates data files aside the source files for all Nginx. To enable coverage only for ``ngx_http_voms_module`` the ``--coverage`` option should be passed only when compiling ``ngx_http_voms_module.cpp`` (to be done).
+To enable test coverage pass the `--coverage` option to both the compiler and the linker. For example:
-Then run the tests, e.g. with `prove`. This will create other data files with coverage information. To view that information, run `gcov <source of object file>`, e.g. `gcov /home/build/openresty-1.13.6.1/build/nginx-1.13.6/objs/addon/src/ngx_http_voms_module.o`. This will produce files with the ``.gcov`` extension in the current directory.
+```shell
+$ ./configure ${RESTY_CONFIG_OPTIONS} --add-module=../ngx_http_voms_module --with-debug --with-cc-opt="-g -Og --coverage" --with-ld-opt="--coverage"
+$ make && make install
+```
+The above command generates data files aside the source files for all Nginx. To enable coverage only for `ngx_http_voms_module` the `--coverage` option should be passed only when compiling `ngx_http_voms_module.cpp`, adding the option to `config.make`.
-Check result on [storm2 ngx_http_voms_module pages](https://storm2.baltig-pages.infn.it/ngx_http_voms_module/)
+Running the tests will then create other data files with coverage information. To view that information, run `gcov <object file>`, e.g. `gcov .../objs/addon/src/ngx_http_voms_module.o`. This will produce files with the `.gcov` extension in the current directory.
-### Testing directly the NGINX server
+### Testing directly the Nginx server
-You can reuse the config file `t/servroot/conf/nginx.conf` produced by `test::Nginx`, which contains e.g. something like
+You can reuse the config file `t/servroot/conf/nginx.conf` produced by `test::Nginx`, which contains something like
```
server {
@@ -64,23 +62,29 @@ server {
}
}
```
+
You may want to change the configuration so that the log goes to standard output instead of to a log file:
+
```
server {
error_log /dev/stdout debug;
...
```
+
Start nginx:
+
+```shell
+$ nginx -p t/servroot
```
-nginx -p t/servroot
-```
-Modify (as root) /etc/hosts so that nginx-voms.example is an alias for localhost:
+Modify (as root) `/etc/hosts` so that `nginx-voms.example` is an alias for `localhost`:
+
```
127.0.0.1 localhost nginx-voms.example
```
-Then run e.g. `curl` calling directly the https endpoint:
-```
-curl https://nginx-voms.example:8443 --cert t/certs/3.pem --capath t/trust-anchors --cacert t/certs/3.cert.pem
+Then run for example `curl`, calling directly the HTTPS endpoint:
+
+```shell
+$ curl https://nginx-voms.example:8443 --cert t/certs/3.pem --capath t/trust-anchors --cacert t/certs/3.cert.pem
```
diff --git a/t/certs/3.cert.pem b/t/certs/3.cert.pem
index 15be540efb76d6db892021e3b4ca4fb2d3e69f33..26ee62f1086bac0c7ead8119cfa93fb46340e046 100644
--- a/t/certs/3.cert.pem
+++ b/t/certs/3.cert.pem
@@ -1,54 +1,57 @@
-----BEGIN CERTIFICATE-----
-MIIJPDCCCCagAwIBAgIEZ/6+ljALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
-DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTY0NTE5WhcN
+MIIJxTCCCK+gAwIBAgIEYHBIzjALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
+DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMjExMTEwMTUwNjAxWhcN
MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD
-VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTc0NDc0ODE4MjCBnzANBgkqhkiG9w0BAQEF
-AAOBjQAwgYkCgYEAmS0/UqVrzzRvttdHu/v4y7Sfm5ceFJ4lQfBienwvS3F0oOtJ
-7sMqZNktJ2vhAK6ckt5C9PhdvgZa7HJTy1G8GZAbpxEDfAVMSVXFrN8KY7oybA4N
-mmr6jfuuXJCUe3DioxQuUHcH8ShXSiGXm/uoQVe7QfPHtHYtk1xmdA//L1kCAwEA
-AaOCBtkwggbVMA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI
-KwYBBQUHFQEwggaiBgorBgEEAb5FZGQFBIIGkjCCBo4wggaKMIIGhjCCBW4CAQEw
-NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0
-ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD
-VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQACAXswIhgPMjAxODAxMDEw
-MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0
-ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0
-L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBFowcAYKKwYBBAG+RWRkCwRi
-MGAwXjBcMB6GHHRlc3Qudm86Ly92b21zLmV4YW1wbGU6MTUwMDAwOjAcBAhuaWNr
-bmFtZQQHbmV3bGFuZAQHdGVzdC52bzAaBAhuaWNrbmFtZQQFZ2lhY28EB3Rlc3Qu
-dm8wggOyBgorBgEEAb5FZGQKBIIDojCCA54wggOaMIIDljCCAn6gAwIBAgICAxMw
-DQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEQMA4G
-A1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2MzdaFw0yNzEyMDQwOTQ2MzdaMDIx
-CzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxFTATBgNVBAMMDHZvbXMuZXhhbXBs
-ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALx/yNoeDZNQtJgiGi+t
-I/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq6N1Wjx3VHaVJP0yyTNE+aSxgwI9f
-D3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+vtHvathtadnZUBPPo12BrxlXZ1BLr
-e/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3T4+Lp4AB5/d6TzwyQq/OLvgae7y1
-6yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQul7kFZBrcdgkJ66++bEe5W0GGwVHA
-/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4xY+2BH268QWWJsY0vX/qK2ois+Ms/
-6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQzjAnUSZQBztH7
-C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAwPgYDVR0lBDcwNQYIKwYBBQUHAwEG
-CCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgBhvhCBAEGCCsGAQUFBwMEMB8GA1Ud
-IwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMBcGA1UdEQQQMA6CDHZvbXMuZXhh
-bXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI5JKbJgkEZLmeySeCLJBMS/E8Gk3N
-9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCvEknM3qRlqulug+HPINOYjz6ooYL4
-9W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5SojWAcvBIjdunx0sPuvQCVE7Cl+1
-GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaUIepJ4dhhEJ31KWURohUrivcUWkm4
-LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8tKJ7G4opD7CYyv9dqqkJaLFApM123
-6Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6nXONQhDO17KQgbnAd6TAJBgNVHTgE
-AgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMA0GCSqG
-SIb3DQEBCwUAA4IBAQAZoBjoegcM+SPWiBU+qTtYDYRVuShZwzx6L/74iwVMYT5m
-waosJYZsMC9FvwdQUpuajrJ2B5LaQwe9iaEekukh/GGFJJme2WVrf6VBhwKBSUtV
-f9UMqqF8PSdDwkEwsqSJXFq1mT/izMm+kYy0gppkv3SXDznAYKTtv7+CBPwctbvi
-pcAF5b0KT/ET2vy6zpMbbyT/yUraHJ40Uq9/AwHSbUhsG+XDMVwcMdrdvRYVIpKW
-AUya8pyGAIOVN/YVtLZ+3l0Kt6Ku8dXMwm1Ym9Yk2xukq1jIGMfyEPKq0Rv2NICy
-M5aY7ROPiV+6g8yfTalguqk4RtItSLU+gCX9umv2MAsGCSqGSIb3DQEBBQOCAQEA
-iFx5+S5BFWIAZs7vSPFS3krpJKjjTVpF/QidXHhhNdWcyeO8NRalo1/UmaImRWHN
-JK+Nw8Io/ldHE9ZbytEnfSCI7ouwqWR3gz924LA9xqd8+8ue0avtrj0bCH2/qid8
-p3IN2HNHRTiPjIcg/0UgOxFcZEoliLhm4cSgKTeZFal7Z6wCADN4dgF5WpPsZ8l7
-gu4RPRfYBjxXLGZwLI0WD6yHKA1cEYe/HU/KXmszQjOCXffi9tB6p9UxCAFzJfGg
-U0LnSy+xWpR3sAeZgoUyqdw72ueGlOX0M4vkVmtOupursXW9mQackfeC31dE4pql
-+pn63MqMKHqYIgDlIwbZzw==
+VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTYxNzk3MTQwNjCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAI5wfeykjF7uRvfcoiZXNX+a0pXfV+ZFzwUUDgVhQ7eV
+ySXmYvZyvE1ML28nzM1ZS3rXfp+8TevgY7GLMehUzg0eHWu+ec+T3cn3H545p8iz
+9B8VSj3I1GtdbHcVEBPD+vCp6RqvTlzFYkKkFTFsyIbLRtLUVW8vkO4x4KRYTfK5
+oXCDRF0y9WnpUkK4PnxsK76wMts5psrEl9nSymT97QrsnyEfiwJ1Jf/rQwGKu5xt
+GPD5G2BtTdDNdlxUEmJ61cX/gkvIqCuuOoPFZPRMzMqOy8ZQ1gxesSLIXNzMR4y6
+Klfzug4zUNOJgHlcYk5vbYZ8UUBYqvdf8QcsERUFgBMCAwEAAaOCBt4wggbaMA4G
+A1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYIKwYBBQUHFQEwggan
+BgorBgEEAb5FZGQFBIIGlzCCBpMwggaPMIIGizCCBXMCAQEwNqA0MC+kLTArMQsw
+CQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0ZXN0MAIBCaA4MDak
+NDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYDVQQDDAx2b21zLmV4
+YW1wbGUwDQYJKoZIhvcNAQELBQACAwHiQDAiGA8yMDIxMTExMDAwMDAwMFoYDzIw
+MzExMjMxMDAwMDAwWjBsMGoGCisGAQQBvkVkZAQxXDBaoB6GHHRlc3Qudm86Ly92
+b21zLmV4YW1wbGU6MTUwMDAwOAQNL3Rlc3Qudm8vZXhwMQQNL3Rlc3Qudm8vZXhw
+MgQYL3Rlc3Qudm8vZXhwMy9Sb2xlPVBJUFBPMIIEVDBwBgorBgEEAb5FZGQLBGIw
+YDBeMFwwHoYcdGVzdC52bzovL3ZvbXMuZXhhbXBsZToxNTAwMDA6MBwECG5pY2tu
+YW1lBAduZXdsYW5kBAd0ZXN0LnZvMBoECG5pY2tuYW1lBAVnaWFjbwQHdGVzdC52
+bzCCA7IGCisGAQQBvkVkZAoEggOiMIIDnjCCA5owggOWMIICfqADAgECAgIDEzAN
+BgkqhkiG9w0BAQsFADAtMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRAwDgYD
+VQQDDAdUZXN0IENBMB4XDTE3MTIwNjA5NDYzN1oXDTI3MTIwNDA5NDYzN1owMjEL
+MAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEVMBMGA1UEAwwMdm9tcy5leGFtcGxl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH/I2h4Nk1C0mCIaL60j
+9JIrcpESm+/ho6KmAwS9x8J/eFF4/ZQG06ro3VaPHdUdpUk/TLJM0T5pLGDAj18P
+fG2ky1gMbt4zamwyEbvT4U0DE7UfmTUdH6+0e9q2G1p2dlQE8+jXYGvGVdnUEut7
+8j3f7J7a1N8Qr+7cnZbHFIxgFtiSyimM3/dPj4ungAHn93pPPDJCr84u+Bp7vLXr
+IKfVKMGk01TT3MDclnvECcWfL8jbc2EB5C6XuQVkGtx2CQnrr75sR7lbQYbBUcD+
+ZSMrlKywgUaZmsKebwtiAzTTW7Xb56w4DjFj7YEfbrxBZYmxjS9f+oraiKz4yz/r
+KwIDAQABo4G6MIG3MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDOMCdRJlAHO0fsL
+nRlercTX9ZDEMA4GA1UdDwEB/wQEAwIF4DA+BgNVHSUENzA1BggrBgEFBQcDAQYI
+KwYBBQUHAwIGCisGAQQBgjcKAwMGCWCGSAGG+EIEAQYIKwYBBQUHAwQwHwYDVR0j
+BBgwFoAUkXc2ey60afMn6rf2CItKI6IRScYwFwYDVR0RBBAwDoIMdm9tcy5leGFt
+cGxlMA0GCSqGSIb3DQEBCwUAA4IBAQDgxQjkkpsmCQRkuZ7JJ4IskExL8TwaTc32
+Wv6KWGs2Qjt70OBmKu4trdAqWVLIRIW2kK8SSczepGWq6W6D4c8g05iPPqihgvj1
+bpdzeL5Gp1qnEDC3ARPPtAPGdPfkuFEhM3lKiNYBy8EiN26fHSw+69AJUTsKX7UZ
+tho1Y5WU9ZmhvBi8hKqbcDqyLcLtUBkgFpQh6knh2GEQnfUpZRGiFSuK9xRaSbgt
+XA/8dyDnAzoVuCEx2DP8j3AcppCAhLOvHy0onsbiikPsJjK/12qqQlosUCkzXbfo
+WCK2x3u/pKxVMi1RWBrunoDSTSRLauOXLqdc41CEM7XspCBucB3pMAkGA1UdOAQC
+BQAwHwYDVR0jBBgwFoAUM4wJ1EmUAc7R+wudGV6txNf1kMQwDQYJKoZIhvcNAQEL
+BQADggEBAHVMOJjozsFmQ1DCoeWG9UVKN1T07VFBnluEXMu+jGMddzSbS7mmuxDB
+lzYtpN6kU8MBWaiiWWlA7PVimGceP7u+kSAL97cG+JsosPOQekQ1fIWm79c0jh/k
+znKP7JmCPXaHAq21pVsvwSpJUH7AMM6z1XkVvQsMQgEdvmhqCZwU9Bz5Jl6w45mV
+0XTVpuH2z+Ei3ZoAhBkOLlECHTY+xqXjlgnrTnMblOAkbdhyDhmDAAuvSOPuYre/
+l+Y2T0pZ1Jdg/7mm+HMp34RvOD0ju8HxGV75yZSeM/aw3dRVBWhpt9OK40zqE8b1
+AJwIAJKRD+vmNXzuXK5VYkzGhrZKwHMwCwYJKoZIhvcNAQEFA4IBAQC27d7EF7tN
+N3eES5XaFXT0/ey+msRrzQKh5of+k8JnkfuA7Lrr5ERY3FK19BorfuU/JwOvh8pt
+TVtSoHqv4gu0WGDdyvzdsllvxPfKN/ZygUruMkNOrqhXT5yzpv9NOfcSw0Ovw0IW
+GtsNIDtfTFg1hdqk4fl3sFv5zCLok/pEnifVZqw+Nl8D/HP0vefcQhjr5XqSSWHX
+diYLEyawys0dr30PFWLuVCqppb5jxNmGJX81+FEZfvjAH1mvFfuFXqVUBakCVBP2
+p7RENnJbMxQt/6GBnR1fjreYE/jxT1rRkUWhgisN/f5ol/N1lm+nWPzar9nOMYTL
+3R/NPg/i866C
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
diff --git a/t/certs/3.key.pem b/t/certs/3.key.pem
index 889603377138258d4da5ea465af424a790cd8b52..7dd14e97afee8283365c60867a12a1fbba432c54 100644
--- a/t/certs/3.key.pem
+++ b/t/certs/3.key.pem
@@ -1,15 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCZLT9SpWvPNG+210e7+/jLtJ+blx4UniVB8GJ6fC9LcXSg60nu
-wypk2S0na+EArpyS3kL0+F2+BlrsclPLUbwZkBunEQN8BUxJVcWs3wpjujJsDg2a
-avqN+65ckJR7cOKjFC5QdwfxKFdKIZeb+6hBV7tB88e0di2TXGZ0D/8vWQIDAQAB
-AoGAFA5VnTelnxLJkdIsRVPfpqR2xYOK3745OKIF8u2xr5oiYDOOkaGiOmQpQmEg
-q9sxCxXpBHREqe3hF9Z8XEHOdAIFqFt1MgwJB3OmtaXRwDDPJ3WRZFvxYde+/KII
-U3ca1tOmoLgVyto/7v+9Z7Rn7g4wFEDlK+r4I+zGtLO6xAECQQDkSRUxDw/w+BOR
-Rl2OOdLCgf8Xv+G7z5qd3tRN+UcvQ14EYkAqOnCFNoWZfaxx89qEIVmIAImTgI2N
-8EStzPOBAkEAq8XZeK9fbFXG0617odwr0NX6UiKVpl/pR2kxS53+XUxlDusb8Y6d
-mqllpDjcD/c28MYyf3wzrp1sSVszk7xH2QJAQrrONAH4IfMSHTQZYtqqLes7+uA/
-Btw/kQgyvPwx/7HMiLGDmhRtEbOHR//BaanjZR4ugp/Nl01Lk4L5QGiZgQJAKgZz
-2GT/sZ+iz3MoRkd5qNRRM/smJdhdWI1R9DApZWYla2r2ITlFMeuz5GPM41MWa/3x
-qOMYOeZl8eSQT9rGsQJBANxbeVGdg4D0qvgtFSzpclcQiTffW293DP84Bs6QKNW0
-Fkh3ZcFHHDEmeZuDOPBQDI+ZQxT7Yy+of31h2sehsX4=
+MIIEowIBAAKCAQEAjnB97KSMXu5G99yiJlc1f5rSld9X5kXPBRQOBWFDt5XJJeZi
+9nK8TUwvbyfMzVlLetd+n7xN6+BjsYsx6FTODR4da755z5PdyfcfnjmnyLP0HxVK
+PcjUa11sdxUQE8P68KnpGq9OXMViQqQVMWzIhstG0tRVby+Q7jHgpFhN8rmhcINE
+XTL1aelSQrg+fGwrvrAy2zmmysSX2dLKZP3tCuyfIR+LAnUl/+tDAYq7nG0Y8Pkb
+YG1N0M12XFQSYnrVxf+CS8ioK646g8Vk9EzMyo7LxlDWDF6xIshc3MxHjLoqV/O6
+DjNQ04mAeVxiTm9thnxRQFiq91/xBywRFQWAEwIDAQABAoIBAGxj//8nDEZlDg4p
+kB6a+HP9DcjMp2fssWeM5kqDxHMcgW/czGv7zX0Iv4PXhoqxK7Xz7ECDm8wl+dcu
+NDE274Gd7AeEb89dF0ZMTnwqJZqeDePlYJR5keONuS85EP3pgbjHo0ISKxB/h5Fs
+qU/uFv40C9X9jHHKgYAw5mBJbi+Il4sVt3guviJwnWeJ80XvjQL3VsVf64Sa3ytA
+El8PR8lQPONRiAgDB6OTaPsSoqHkXkUPCuQY5s+ODqH6uSvtNE1KpZIctOvMf+xo
+dJNdXRD7ZRaOXgOPwtfkLy/xHjjn+ifrbGOFCYfJAgM6B/TfOLianFm5NxViDD/f
+NzoZN/kCgYEA7L5Yj83apLk7SJ+tHVWKXHCpTudSS4I6VIu2x41eOt3fDDoTjshx
+tD2bj7VWpg/LBoRRPG4vsXa17/zLNX8MMBY8zeZni6PBf/+sgnk+iml0LVNwf923
+fgKYqUrF575uDKHrAUFIjU1Fn68cA5RW3dd0ba9bAZ11kzxkhfJA1C8CgYEAmgZ5
+UB5HcMri5ozll085on0p59hgMETrTYuZbF7uyjD+x18m/U1DRy5Iolmwwbx1o0Wp
+elQty7LYqtg9s3xHGss5Q0VUwWxtzN96LiaX93Pk+Ja4K9VV+Wy6XYgN+Hk5Gioe
+kT/FbJ6b/xMx0kwa4jJFUEV3udYNU13tOJOEhV0CgYBT0GfGMZjwrGtioLVHJ1ue
+snweZSLrfKVt/TCuoUv1B0vKJl16NVib+Ruz2v1cOUclfX7NKC1WZLKwzgybWelU
+tOq98o5CD62XxUqrvoT3t7HbwiiX/ETUJdMqTECYdQC9FC4A+b3X2L2HdRUz5zaB
+v5+GnYhYoAhaIg1spoFxHQKBgFCUPncpwBpEKjyPTbXBHtfhP0Eps/jMtYVWGSfW
+6nog88l+ADnYZ/AfSKSW46AXZjvKwAVdcK/2mt+WTYFO7SwZUZXd+Z9PiIn8CEGI
+s0wj95AN2cAk1duthDpWaWiqkrMbge5fPHu85sOlWRU5936K6jQ6g45Xa5VHuEk2
+88eJAoGBAOJR7HrGBfLGTyrHVhwjvHmJMgh03sGxOyeWOKYuEdSYNsAHJD270tbb
+ojP9yKsStj72bidGrmXB0AkNZuOGR6nvvEWF8cDupj4Hcs27L/dux++gjWPMC0Jk
+Gq4ydzSOaZaKFiYQMsfP0X8F53ReUEdBPoufSzfnmrpbfS48p6B2
-----END RSA PRIVATE KEY-----
diff --git a/t/certs/3.pem b/t/certs/3.pem
index d54e52a3b7da983a844847ef68d0bb39c014cb58..b3c28a1d67e05fa7e279e4202e8e7fdfa25d1ead 100644
--- a/t/certs/3.pem
+++ b/t/certs/3.pem
@@ -1,69 +1,84 @@
-----BEGIN CERTIFICATE-----
-MIIJPDCCCCagAwIBAgIEZ/6+ljALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
-DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTY0NTE5WhcN
+MIIJxTCCCK+gAwIBAgIEYHBIzjALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
+DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMjExMTEwMTUwNjAxWhcN
MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD
-VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTc0NDc0ODE4MjCBnzANBgkqhkiG9w0BAQEF
-AAOBjQAwgYkCgYEAmS0/UqVrzzRvttdHu/v4y7Sfm5ceFJ4lQfBienwvS3F0oOtJ
-7sMqZNktJ2vhAK6ckt5C9PhdvgZa7HJTy1G8GZAbpxEDfAVMSVXFrN8KY7oybA4N
-mmr6jfuuXJCUe3DioxQuUHcH8ShXSiGXm/uoQVe7QfPHtHYtk1xmdA//L1kCAwEA
-AaOCBtkwggbVMA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI
-KwYBBQUHFQEwggaiBgorBgEEAb5FZGQFBIIGkjCCBo4wggaKMIIGhjCCBW4CAQEw
-NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0
-ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD
-VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQACAXswIhgPMjAxODAxMDEw
-MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0
-ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0
-L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBFowcAYKKwYBBAG+RWRkCwRi
-MGAwXjBcMB6GHHRlc3Qudm86Ly92b21zLmV4YW1wbGU6MTUwMDAwOjAcBAhuaWNr
-bmFtZQQHbmV3bGFuZAQHdGVzdC52bzAaBAhuaWNrbmFtZQQFZ2lhY28EB3Rlc3Qu
-dm8wggOyBgorBgEEAb5FZGQKBIIDojCCA54wggOaMIIDljCCAn6gAwIBAgICAxMw
-DQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEQMA4G
-A1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2MzdaFw0yNzEyMDQwOTQ2MzdaMDIx
-CzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxFTATBgNVBAMMDHZvbXMuZXhhbXBs
-ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALx/yNoeDZNQtJgiGi+t
-I/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq6N1Wjx3VHaVJP0yyTNE+aSxgwI9f
-D3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+vtHvathtadnZUBPPo12BrxlXZ1BLr
-e/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3T4+Lp4AB5/d6TzwyQq/OLvgae7y1
-6yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQul7kFZBrcdgkJ66++bEe5W0GGwVHA
-/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4xY+2BH268QWWJsY0vX/qK2ois+Ms/
-6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQzjAnUSZQBztH7
-C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAwPgYDVR0lBDcwNQYIKwYBBQUHAwEG
-CCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgBhvhCBAEGCCsGAQUFBwMEMB8GA1Ud
-IwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMBcGA1UdEQQQMA6CDHZvbXMuZXhh
-bXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI5JKbJgkEZLmeySeCLJBMS/E8Gk3N
-9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCvEknM3qRlqulug+HPINOYjz6ooYL4
-9W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5SojWAcvBIjdunx0sPuvQCVE7Cl+1
-GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaUIepJ4dhhEJ31KWURohUrivcUWkm4
-LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8tKJ7G4opD7CYyv9dqqkJaLFApM123
-6Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6nXONQhDO17KQgbnAd6TAJBgNVHTgE
-AgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMA0GCSqG
-SIb3DQEBCwUAA4IBAQAZoBjoegcM+SPWiBU+qTtYDYRVuShZwzx6L/74iwVMYT5m
-waosJYZsMC9FvwdQUpuajrJ2B5LaQwe9iaEekukh/GGFJJme2WVrf6VBhwKBSUtV
-f9UMqqF8PSdDwkEwsqSJXFq1mT/izMm+kYy0gppkv3SXDznAYKTtv7+CBPwctbvi
-pcAF5b0KT/ET2vy6zpMbbyT/yUraHJ40Uq9/AwHSbUhsG+XDMVwcMdrdvRYVIpKW
-AUya8pyGAIOVN/YVtLZ+3l0Kt6Ku8dXMwm1Ym9Yk2xukq1jIGMfyEPKq0Rv2NICy
-M5aY7ROPiV+6g8yfTalguqk4RtItSLU+gCX9umv2MAsGCSqGSIb3DQEBBQOCAQEA
-iFx5+S5BFWIAZs7vSPFS3krpJKjjTVpF/QidXHhhNdWcyeO8NRalo1/UmaImRWHN
-JK+Nw8Io/ldHE9ZbytEnfSCI7ouwqWR3gz924LA9xqd8+8ue0avtrj0bCH2/qid8
-p3IN2HNHRTiPjIcg/0UgOxFcZEoliLhm4cSgKTeZFal7Z6wCADN4dgF5WpPsZ8l7
-gu4RPRfYBjxXLGZwLI0WD6yHKA1cEYe/HU/KXmszQjOCXffi9tB6p9UxCAFzJfGg
-U0LnSy+xWpR3sAeZgoUyqdw72ueGlOX0M4vkVmtOupursXW9mQackfeC31dE4pql
-+pn63MqMKHqYIgDlIwbZzw==
+VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTYxNzk3MTQwNjCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAI5wfeykjF7uRvfcoiZXNX+a0pXfV+ZFzwUUDgVhQ7eV
+ySXmYvZyvE1ML28nzM1ZS3rXfp+8TevgY7GLMehUzg0eHWu+ec+T3cn3H545p8iz
+9B8VSj3I1GtdbHcVEBPD+vCp6RqvTlzFYkKkFTFsyIbLRtLUVW8vkO4x4KRYTfK5
+oXCDRF0y9WnpUkK4PnxsK76wMts5psrEl9nSymT97QrsnyEfiwJ1Jf/rQwGKu5xt
+GPD5G2BtTdDNdlxUEmJ61cX/gkvIqCuuOoPFZPRMzMqOy8ZQ1gxesSLIXNzMR4y6
+Klfzug4zUNOJgHlcYk5vbYZ8UUBYqvdf8QcsERUFgBMCAwEAAaOCBt4wggbaMA4G
+A1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYIKwYBBQUHFQEwggan
+BgorBgEEAb5FZGQFBIIGlzCCBpMwggaPMIIGizCCBXMCAQEwNqA0MC+kLTArMQsw
+CQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0ZXN0MAIBCaA4MDak
+NDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYDVQQDDAx2b21zLmV4
+YW1wbGUwDQYJKoZIhvcNAQELBQACAwHiQDAiGA8yMDIxMTExMDAwMDAwMFoYDzIw
+MzExMjMxMDAwMDAwWjBsMGoGCisGAQQBvkVkZAQxXDBaoB6GHHRlc3Qudm86Ly92
+b21zLmV4YW1wbGU6MTUwMDAwOAQNL3Rlc3Qudm8vZXhwMQQNL3Rlc3Qudm8vZXhw
+MgQYL3Rlc3Qudm8vZXhwMy9Sb2xlPVBJUFBPMIIEVDBwBgorBgEEAb5FZGQLBGIw
+YDBeMFwwHoYcdGVzdC52bzovL3ZvbXMuZXhhbXBsZToxNTAwMDA6MBwECG5pY2tu
+YW1lBAduZXdsYW5kBAd0ZXN0LnZvMBoECG5pY2tuYW1lBAVnaWFjbwQHdGVzdC52
+bzCCA7IGCisGAQQBvkVkZAoEggOiMIIDnjCCA5owggOWMIICfqADAgECAgIDEzAN
+BgkqhkiG9w0BAQsFADAtMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRAwDgYD
+VQQDDAdUZXN0IENBMB4XDTE3MTIwNjA5NDYzN1oXDTI3MTIwNDA5NDYzN1owMjEL
+MAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEVMBMGA1UEAwwMdm9tcy5leGFtcGxl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH/I2h4Nk1C0mCIaL60j
+9JIrcpESm+/ho6KmAwS9x8J/eFF4/ZQG06ro3VaPHdUdpUk/TLJM0T5pLGDAj18P
+fG2ky1gMbt4zamwyEbvT4U0DE7UfmTUdH6+0e9q2G1p2dlQE8+jXYGvGVdnUEut7
+8j3f7J7a1N8Qr+7cnZbHFIxgFtiSyimM3/dPj4ungAHn93pPPDJCr84u+Bp7vLXr
+IKfVKMGk01TT3MDclnvECcWfL8jbc2EB5C6XuQVkGtx2CQnrr75sR7lbQYbBUcD+
+ZSMrlKywgUaZmsKebwtiAzTTW7Xb56w4DjFj7YEfbrxBZYmxjS9f+oraiKz4yz/r
+KwIDAQABo4G6MIG3MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDOMCdRJlAHO0fsL
+nRlercTX9ZDEMA4GA1UdDwEB/wQEAwIF4DA+BgNVHSUENzA1BggrBgEFBQcDAQYI
+KwYBBQUHAwIGCisGAQQBgjcKAwMGCWCGSAGG+EIEAQYIKwYBBQUHAwQwHwYDVR0j
+BBgwFoAUkXc2ey60afMn6rf2CItKI6IRScYwFwYDVR0RBBAwDoIMdm9tcy5leGFt
+cGxlMA0GCSqGSIb3DQEBCwUAA4IBAQDgxQjkkpsmCQRkuZ7JJ4IskExL8TwaTc32
+Wv6KWGs2Qjt70OBmKu4trdAqWVLIRIW2kK8SSczepGWq6W6D4c8g05iPPqihgvj1
+bpdzeL5Gp1qnEDC3ARPPtAPGdPfkuFEhM3lKiNYBy8EiN26fHSw+69AJUTsKX7UZ
+tho1Y5WU9ZmhvBi8hKqbcDqyLcLtUBkgFpQh6knh2GEQnfUpZRGiFSuK9xRaSbgt
+XA/8dyDnAzoVuCEx2DP8j3AcppCAhLOvHy0onsbiikPsJjK/12qqQlosUCkzXbfo
+WCK2x3u/pKxVMi1RWBrunoDSTSRLauOXLqdc41CEM7XspCBucB3pMAkGA1UdOAQC
+BQAwHwYDVR0jBBgwFoAUM4wJ1EmUAc7R+wudGV6txNf1kMQwDQYJKoZIhvcNAQEL
+BQADggEBAHVMOJjozsFmQ1DCoeWG9UVKN1T07VFBnluEXMu+jGMddzSbS7mmuxDB
+lzYtpN6kU8MBWaiiWWlA7PVimGceP7u+kSAL97cG+JsosPOQekQ1fIWm79c0jh/k
+znKP7JmCPXaHAq21pVsvwSpJUH7AMM6z1XkVvQsMQgEdvmhqCZwU9Bz5Jl6w45mV
+0XTVpuH2z+Ei3ZoAhBkOLlECHTY+xqXjlgnrTnMblOAkbdhyDhmDAAuvSOPuYre/
+l+Y2T0pZ1Jdg/7mm+HMp34RvOD0ju8HxGV75yZSeM/aw3dRVBWhpt9OK40zqE8b1
+AJwIAJKRD+vmNXzuXK5VYkzGhrZKwHMwCwYJKoZIhvcNAQEFA4IBAQC27d7EF7tN
+N3eES5XaFXT0/ey+msRrzQKh5of+k8JnkfuA7Lrr5ERY3FK19BorfuU/JwOvh8pt
+TVtSoHqv4gu0WGDdyvzdsllvxPfKN/ZygUruMkNOrqhXT5yzpv9NOfcSw0Ovw0IW
+GtsNIDtfTFg1hdqk4fl3sFv5zCLok/pEnifVZqw+Nl8D/HP0vefcQhjr5XqSSWHX
+diYLEyawys0dr30PFWLuVCqppb5jxNmGJX81+FEZfvjAH1mvFfuFXqVUBakCVBP2
+p7RENnJbMxQt/6GBnR1fjreYE/jxT1rRkUWhgisN/f5ol/N1lm+nWPzar9nOMYTL
+3R/NPg/i866C
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCZLT9SpWvPNG+210e7+/jLtJ+blx4UniVB8GJ6fC9LcXSg60nu
-wypk2S0na+EArpyS3kL0+F2+BlrsclPLUbwZkBunEQN8BUxJVcWs3wpjujJsDg2a
-avqN+65ckJR7cOKjFC5QdwfxKFdKIZeb+6hBV7tB88e0di2TXGZ0D/8vWQIDAQAB
-AoGAFA5VnTelnxLJkdIsRVPfpqR2xYOK3745OKIF8u2xr5oiYDOOkaGiOmQpQmEg
-q9sxCxXpBHREqe3hF9Z8XEHOdAIFqFt1MgwJB3OmtaXRwDDPJ3WRZFvxYde+/KII
-U3ca1tOmoLgVyto/7v+9Z7Rn7g4wFEDlK+r4I+zGtLO6xAECQQDkSRUxDw/w+BOR
-Rl2OOdLCgf8Xv+G7z5qd3tRN+UcvQ14EYkAqOnCFNoWZfaxx89qEIVmIAImTgI2N
-8EStzPOBAkEAq8XZeK9fbFXG0617odwr0NX6UiKVpl/pR2kxS53+XUxlDusb8Y6d
-mqllpDjcD/c28MYyf3wzrp1sSVszk7xH2QJAQrrONAH4IfMSHTQZYtqqLes7+uA/
-Btw/kQgyvPwx/7HMiLGDmhRtEbOHR//BaanjZR4ugp/Nl01Lk4L5QGiZgQJAKgZz
-2GT/sZ+iz3MoRkd5qNRRM/smJdhdWI1R9DApZWYla2r2ITlFMeuz5GPM41MWa/3x
-qOMYOeZl8eSQT9rGsQJBANxbeVGdg4D0qvgtFSzpclcQiTffW293DP84Bs6QKNW0
-Fkh3ZcFHHDEmeZuDOPBQDI+ZQxT7Yy+of31h2sehsX4=
+MIIEowIBAAKCAQEAjnB97KSMXu5G99yiJlc1f5rSld9X5kXPBRQOBWFDt5XJJeZi
+9nK8TUwvbyfMzVlLetd+n7xN6+BjsYsx6FTODR4da755z5PdyfcfnjmnyLP0HxVK
+PcjUa11sdxUQE8P68KnpGq9OXMViQqQVMWzIhstG0tRVby+Q7jHgpFhN8rmhcINE
+XTL1aelSQrg+fGwrvrAy2zmmysSX2dLKZP3tCuyfIR+LAnUl/+tDAYq7nG0Y8Pkb
+YG1N0M12XFQSYnrVxf+CS8ioK646g8Vk9EzMyo7LxlDWDF6xIshc3MxHjLoqV/O6
+DjNQ04mAeVxiTm9thnxRQFiq91/xBywRFQWAEwIDAQABAoIBAGxj//8nDEZlDg4p
+kB6a+HP9DcjMp2fssWeM5kqDxHMcgW/czGv7zX0Iv4PXhoqxK7Xz7ECDm8wl+dcu
+NDE274Gd7AeEb89dF0ZMTnwqJZqeDePlYJR5keONuS85EP3pgbjHo0ISKxB/h5Fs
+qU/uFv40C9X9jHHKgYAw5mBJbi+Il4sVt3guviJwnWeJ80XvjQL3VsVf64Sa3ytA
+El8PR8lQPONRiAgDB6OTaPsSoqHkXkUPCuQY5s+ODqH6uSvtNE1KpZIctOvMf+xo
+dJNdXRD7ZRaOXgOPwtfkLy/xHjjn+ifrbGOFCYfJAgM6B/TfOLianFm5NxViDD/f
+NzoZN/kCgYEA7L5Yj83apLk7SJ+tHVWKXHCpTudSS4I6VIu2x41eOt3fDDoTjshx
+tD2bj7VWpg/LBoRRPG4vsXa17/zLNX8MMBY8zeZni6PBf/+sgnk+iml0LVNwf923
+fgKYqUrF575uDKHrAUFIjU1Fn68cA5RW3dd0ba9bAZ11kzxkhfJA1C8CgYEAmgZ5
+UB5HcMri5ozll085on0p59hgMETrTYuZbF7uyjD+x18m/U1DRy5Iolmwwbx1o0Wp
+elQty7LYqtg9s3xHGss5Q0VUwWxtzN96LiaX93Pk+Ja4K9VV+Wy6XYgN+Hk5Gioe
+kT/FbJ6b/xMx0kwa4jJFUEV3udYNU13tOJOEhV0CgYBT0GfGMZjwrGtioLVHJ1ue
+snweZSLrfKVt/TCuoUv1B0vKJl16NVib+Ruz2v1cOUclfX7NKC1WZLKwzgybWelU
+tOq98o5CD62XxUqrvoT3t7HbwiiX/ETUJdMqTECYdQC9FC4A+b3X2L2HdRUz5zaB
+v5+GnYhYoAhaIg1spoFxHQKBgFCUPncpwBpEKjyPTbXBHtfhP0Eps/jMtYVWGSfW
+6nog88l+ADnYZ/AfSKSW46AXZjvKwAVdcK/2mt+WTYFO7SwZUZXd+Z9PiIn8CEGI
+s0wj95AN2cAk1duthDpWaWiqkrMbge5fPHu85sOlWRU5936K6jQ6g45Xa5VHuEk2
+88eJAoGBAOJR7HrGBfLGTyrHVhwjvHmJMgh03sGxOyeWOKYuEdSYNsAHJD270tbb
+ojP9yKsStj72bidGrmXB0AkNZuOGR6nvvEWF8cDupj4Hcs27L/dux++gjWPMC0Jk
+Gq4ydzSOaZaKFiYQMsfP0X8F53ReUEdBPoufSzfnmrpbfS48p6B2
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
diff --git a/t/certs/4.cert.pem b/t/certs/4.cert.pem
index 8b2c062188be147b5c015f41c905ce3905154b7e..2df69801eb30f5aa36f1a8fa7832c41e0e08d87f 100644
--- a/t/certs/4.cert.pem
+++ b/t/certs/4.cert.pem
@@ -1,54 +1,56 @@
-----BEGIN CERTIFICATE-----
-MIIJUTCCCDugAwIBAgIEaWasDzALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
-DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTYzNDM5WhcN
+MIIJrDCCCJagAwIBAgIEXQoW5DALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
+DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMjExMTEwMTUyNjExWhcN
MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD
-VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTc2ODMzNjM5OTCBnzANBgkqhkiG9w0BAQEF
-AAOBjQAwgYkCgYEAsH+q/KhzMLzYimKXZ8MV9B81mqWwUNdfkyp3ZmnsZV1yQLJ8
-pLm/zEX6Z+dyVkTfi80qIOIsv+81UtwT+OFeAJ+TR3e432BrXrrPitQuCBYUaTef
-LH5iKmtCSiaJnY3BACjUdwRiIOzibcBY3obZR9RtrLZ9DpHR0W/0z1ShW8MCAwEA
-AaOCBu4wggbqMA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI
-KwYBBQUHFQEwgga3BgorBgEEAb5FZGQFBIIGpzCCBqMwggafMIIGmzCCBYMCAQEw
-NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0
-ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD
-VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQACAQAwIhgPMjAxODAxMDEw
-MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0
-ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0
-L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBG8wgYQGCisGAQQBvkVkZAsE
-djB0MHIwcDAehhx0ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwME4wHgQIbmlj
-a25hbWUECW5ld2xhbmQ4NgQHdGVzdC52bzAsBAV0aXRsZQQaYXNzZWduaXN0YSVk
-aSVyaWNlcmNhQENOQUYEB3Rlc3Qudm8wggOyBgorBgEEAb5FZGQKBIIDojCCA54w
-ggOaMIIDljCCAn6gAwIBAgICAxMwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMC
-SVQxDDAKBgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2
-MzdaFw0yNzEyMDQwOTQ2MzdaMDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kx
-FTATBgNVBAMMDHZvbXMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBALx/yNoeDZNQtJgiGi+tI/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq
-6N1Wjx3VHaVJP0yyTNE+aSxgwI9fD3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+v
-tHvathtadnZUBPPo12BrxlXZ1BLre/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3
-T4+Lp4AB5/d6TzwyQq/OLvgae7y16yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQu
-l7kFZBrcdgkJ66++bEe5W0GGwVHA/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4x
-Y+2BH268QWWJsY0vX/qK2ois+Ms/6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAA
-MB0GA1UdDgQWBBQzjAnUSZQBztH7C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAw
-PgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgB
-hvhCBAEGCCsGAQUFBwMEMB8GA1UdIwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnG
-MBcGA1UdEQQQMA6CDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI
-5JKbJgkEZLmeySeCLJBMS/E8Gk3N9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCv
-EknM3qRlqulug+HPINOYjz6ooYL49W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5
-SojWAcvBIjdunx0sPuvQCVE7Cl+1GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaU
-IepJ4dhhEJ31KWURohUrivcUWkm4LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8t
-KJ7G4opD7CYyv9dqqkJaLFApM1236Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6n
-XONQhDO17KQgbnAd6TAJBgNVHTgEAgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3Nnsu
-tGnzJ+q39giLSiOiEUnGMA0GCSqGSIb3DQEBCwUAA4IBAQBHsP+LCvcSnQtb4DsD
-onUP1cRrjuxDptJUNXhPhmqw4dvLyir5Ea9hhRMzziCMKy8/COcQv6ECwni6xLLX
-PFTLHEyp+PEcVxwixGtBXF8W2fniEEkN6buHxykqUEhBxT0R4DS4OFKyNsA3m4WD
-TC2WAYx0n1yQTBqaMfOH9Q+/QAzTyWB1WNRfqxWcuZgyCFlw23X/ZzIXpPD7ZX3o
-gAIW++i13fa5QzT6uI/iM2vRo/eNvdVs+bGB1130EtKS1nba4CahoyoHJrLGjqiw
-58BUD8HqWKMF1UkDr4+UPdUo31xNE94UraZZO4n9bJrrvuQzKgJLfW/1JBjm+lCP
-ISVhMAsGCSqGSIb3DQEBBQOCAQEACTHB0rNOG9bv8rz40U7zb8XEkCOd96lOwfZk
-OIwSGE+dACn7K4c8c8iWTas6Gw8Ev0d1IbiQNY1Erc36Wy29kna9Qw5Ph81dhhkQ
-LMHjd6LO7oXf6jUE164hv1Rnqq8Hdae843pwlntn+eg3HuLYlI2ijUK/kjG5Tw38
-75aRAnJffBh61zcuV7GOrbOQVObaOQYLpon0Qr1tLlFso0MAMAuXK4sgNQtpUIbI
-zd2/oXGJwH1SXrcgg+NCRnFjZ5Do+ARzMB8W5/O+N0UiqOJOuaRiPp3sVPffLv0W
-UOcUdk1EOhVomM7nVlJzzg49Xvc4+a7a2UIyV3UaB9+VbkVSag==
+VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTU2MDk0MjMwODCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAJ19QWu2rgpFfaHe3Rrq5F9xglljmgHtaYorBB/c4vq2
+NfmOGtOxEgQmP4oWClwPwchEFHuU+CzdztFfvx3M5wI1ypaZFuSCqXCtaUsnKCX3
+B4DF13RK5NnJSUlz1TOWfOYr+XLETG7hTsJCPmWZE/t8LQE4VasriUv2xybrx+sr
+YmZ1mPeL2qdC1L55LPEM6BKUml81baTnrHV4oSQF5oXI0YnMn2FyiA3odYY7RRrd
+tlxpRhz5oLrWh8keu+hRfiihB41KAi9223zIVhuPCYW48uXPht40EHogTnry1gN/
+k06eFGelAXyV+WQYZ5ioeYcMVMlMEq8QbLRN3AasvS0CAwEAAaOCBsUwggbBMA4G
+A1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYIKwYBBQUHFQEwggaO
+BgorBgEEAb5FZGQFBIIGfjCCBnowggZ2MIIGcjCCBVoCAQEwNqA0MC+kLTArMQsw
+CQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0ZXN0MAIBCaA4MDak
+NDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYDVQQDDAx2b21zLmV4
+YW1wbGUwDQYJKoZIhvcNAQELBQACAwHiQTAiGA8yMDIxMTExMDAwMDAwMFoYDzIw
+MzExMjMxMDAwMDAwWjA+MDwGCisGAQQBvkVkZAQxLjAsoB6GHHRlc3Qudm86Ly92
+b21zLmV4YW1wbGU6MTUwMDAwCgQIL3Rlc3Qudm8wggRpMIGEBgorBgEEAb5FZGQL
+BHYwdDByMHAwHoYcdGVzdC52bzovL3ZvbXMuZXhhbXBsZToxNTAwMDBOMB4ECG5p
+Y2tuYW1lBAluZXdsYW5kODYEB3Rlc3Qudm8wLAQFdGl0bGUEGmFzc2VnbmlzdGEl
+ZGklcmljZXJjYUBDTkFGBAd0ZXN0LnZvMIIDsgYKKwYBBAG+RWRkCgSCA6IwggOe
+MIIDmjCCA5YwggJ+oAMCAQICAgMTMA0GCSqGSIb3DQEBCwUAMC0xCzAJBgNVBAYT
+AklUMQwwCgYDVQQKDANJR0kxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTcxMjA2MDk0
+NjM3WhcNMjcxMjA0MDk0NjM3WjAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJ
+MRUwEwYDVQQDDAx2b21zLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC8f8jaHg2TULSYIhovrSP0kitykRKb7+GjoqYDBL3Hwn94UXj9lAbT
+qujdVo8d1R2lST9MskzRPmksYMCPXw98baTLWAxu3jNqbDIRu9PhTQMTtR+ZNR0f
+r7R72rYbWnZ2VATz6Ndga8ZV2dQS63vyPd/sntrU3xCv7tydlscUjGAW2JLKKYzf
+90+Pi6eAAef3ek88MkKvzi74Gnu8tesgp9UowaTTVNPcwNyWe8QJxZ8vyNtzYQHk
+Lpe5BWQa3HYJCeuvvmxHuVtBhsFRwP5lIyuUrLCBRpmawp5vC2IDNNNbtdvnrDgO
+MWPtgR9uvEFlibGNL1/6itqIrPjLP+srAgMBAAGjgbowgbcwDAYDVR0TAQH/BAIw
+ADAdBgNVHQ4EFgQUM4wJ1EmUAc7R+wudGV6txNf1kMQwDgYDVR0PAQH/BAQDAgXg
+MD4GA1UdJQQ3MDUGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZI
+AYb4QgQBBggrBgEFBQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJ
+xjAXBgNVHREEEDAOggx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAODF
+COSSmyYJBGS5nskngiyQTEvxPBpNzfZa/opYazZCO3vQ4GYq7i2t0CpZUshEhbaQ
+rxJJzN6kZarpboPhzyDTmI8+qKGC+PVul3N4vkanWqcQMLcBE8+0A8Z09+S4USEz
+eUqI1gHLwSI3bp8dLD7r0AlROwpftRm2GjVjlZT1maG8GLyEqptwOrItwu1QGSAW
+lCHqSeHYYRCd9SllEaIVK4r3FFpJuC1cD/x3IOcDOhW4ITHYM/yPcBymkICEs68f
+LSiexuKKQ+wmMr/XaqpCWixQKTNdt+hYIrbHe7+krFUyLVFYGu6egNJNJEtq45cu
+p1zjUIQzteykIG5wHekwCQYDVR04BAIFADAfBgNVHSMEGDAWgBQzjAnUSZQBztH7
+C50ZXq3E1/WQxDANBgkqhkiG9w0BAQsFAAOCAQEASzEdsvSfkkh4a4+BNWuVUDbf
+a4GLTdczDVWAy+2xaSMUXPZEuf8V1EDWyxQAuNjkuFeXmMGAeo6PEmjHab9tJS92
+UbHCM0EyLKMkHh5plAk3nkAo/BxHWChaPI620c1cJRci/KDRtAB4DMi3a5COsV8N
+fwkH6fj6B0yiK2UJiuTdSFED2c9+xb+q5fzFmvxj4k65D1uwEuoUlNedjpkR1BRa
+VU6gqCSLiXuU+SLDRcowh3CShputVtMqE5mU6nFGRodCVjyop666iQY+PB7qDjjN
+YG2gnUxYaV8ppkVhI23O6c3zl9nrb0flEhIZk4gOmjcxCVAphyj0E/cumnc6cTAL
+BgkqhkiG9w0BAQUDggEBAAAivXn5x0YScPQ6Lv1eCLyfVUq4Q7Ltpjonz+5wDbzY
+wy+JEJQvfexsbBLPOF5Irjz9L+pSfjy8XnEHOzeCZgO97ZtqP8T2+Stvv0gycp1E
+ZGyWPIRfGasJvqeNKXt5Kkf/JYDZw/eC7jYGhi0fKq3gkfh5Dj6IBs9GjMKAi3Wh
+5nzr1LbxEz7DEE5yuUAU7OzYgKUzfl0gnfnJ4Ak7lDXdFlkyJ19iveaFHFFvSUw1
+mga4wQpLAxnWIXfl+JjfGjj0KXvxUMfAD7KJ92EwUpqGQC9Qsq1+WXZrS8Qetctl
+Bv6JlS3G74FiTOn8206byyvgNzkDSi4WoVi/lNDdYG4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
diff --git a/t/certs/4.key.pem b/t/certs/4.key.pem
index 3a3d4ba41dabb8c61e7653b4516981b2174e2a56..84f591cb2ee27353f80f6c1d2123db4e38f9b987 100644
--- a/t/certs/4.key.pem
+++ b/t/certs/4.key.pem
@@ -1,15 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCwf6r8qHMwvNiKYpdnwxX0HzWapbBQ11+TKndmaexlXXJAsnyk
-ub/MRfpn53JWRN+LzSog4iy/7zVS3BP44V4An5NHd7jfYGteus+K1C4IFhRpN58s
-fmIqa0JKJomdjcEAKNR3BGIg7OJtwFjehtlH1G2stn0OkdHRb/TPVKFbwwIDAQAB
-AoGBAIAppJrlIwggCUmrv++r3LQxOXZ7nCWHzzIJIzyt6+fLTFyofxQKgbiuk9+B
-VChKyN02dMH+Gqqg4+KwRpxx4hRy03ahItP7/1bCw6MV9Kd+brj2Zk+QreFrUT+7
-DS8EgL5Hu96K/ksCL+eef9HOGlVWR1R+dfl8ciORRAqHAZ5pAkEA3YG7vG7Iu+nJ
-hiONUoTderqTlFpBAV1bDk7cYYUIkdTfLkDIVetFXJOIQUmk0MpVvkjpgXpDjw+1
-XcJb1S70HQJBAMv7tVqoKaNf8P/KTc/xcmp4+qW4gzK1+BWDqo4dwzX9JR+u4mvX
-ZBGR86A116wQDourRSchKlTVa+5v3QqSyV8CQCn7PZ6gDJF45MX0lQNPxT5OgEv8
-sxdUHz7d+WzOLuqcwtPcWVvXZGUAXTGqiH896fRPk1oD1ywVGRW1EXydEo0CQD/f
-FB1L9KXEf+kIRq8rEkGGmi1UBjjVw9WwwbH4XczE9F/kWd+ctSfPRLLQyTSGXpeb
-TG8BMokXvtENU/BgoA8CQQCWsTDPb1hWvL/GQA4wARlo+cQ73n1Uz6fzQJf2WBoV
-7HSTpTULFpCaUJLyD3fvA8ofGvzD1mmKgxgsyBe494RA
+MIIEpAIBAAKCAQEAnX1Ba7auCkV9od7dGurkX3GCWWOaAe1piisEH9zi+rY1+Y4a
+07ESBCY/ihYKXA/ByEQUe5T4LN3O0V+/HcznAjXKlpkW5IKpcK1pSycoJfcHgMXX
+dErk2clJSXPVM5Z85iv5csRMbuFOwkI+ZZkT+3wtAThVqyuJS/bHJuvH6ytiZnWY
+94vap0LUvnks8QzoEpSaXzVtpOesdXihJAXmhcjRicyfYXKIDeh1hjtFGt22XGlG
+HPmgutaHyR676FF+KKEHjUoCL3bbfMhWG48Jhbjy5c+G3jQQeiBOevLWA3+TTp4U
+Z6UBfJX5ZBhnmKh5hwxUyUwSrxBstE3cBqy9LQIDAQABAoIBAFx7UnCDXR5xAj6N
+FgAZkbQufuIpKCYbmY9mhUyEtNGPMJD0jvJjF/ZR05wuJzU6l4wX1oNfzoDiW/H9
+rMg+LCXTGr1m9teHlyKw4pUcUGpC7ygChewnks4FcsDsgXWC2KN9jUWE2nF+Y3aV
+2fhldSOIHxGJWF1k+oIeT4KekM6axqEFCpOEUpvlmeqmiJdSwKnanAFobIyyXF7a
+awg9TY8i0b5oqOHlUAmJFFyVaIt8NvHq4nIwqWAJG+2AL/3m51+E4PBIUy8FE+VU
+UylAI1HLMYOgeC5bVm9mG50Dl40hlLGugRdCiAY/iMJzNJWj1eASZKleFRDOXaJ9
+6NCiX00CgYEAygIP8aIrzwN1d7l5Zlyyvi5zqR+Jzp1sYI+2p+7qwtFGVuAF6VgC
+pnju69++XkyU1AneNcYKja1osMQ7bzEXlwP+JuidVciDUFMFd6NoYo9n6SiDaluk
+BQbYRvbfAfjzTctlqScEXfqHZBxc4wqX1Oglhlv/7gWwBkIzOdtC2Q8CgYEAx5UZ
+IDBdTCEEV8hj6ZU9xD7Tez/yaVV9Uyqo8WZ84LeWRrCm0doB5EpQBTFE1pGxmk0M
+ws+KHuvp0a4gNwKFLKjlJ4gtA063caFZLgC2n3/IPSIv+0jjCtp4JkD1PtwkoqvZ
+YKTodTSQlPzU9GAH4QcRuEVarnUVML0nfwzkrgMCgYEAtfz5pDT3xr5U+5Fq318v
+4Mo0hO7W1f9Y/f07Dzvc37pt5iJY8QnLCXL1vCaMeKQBiK2DNWq/YzgQkv+Wk+vk
+VrbQJvl1lSzZsGm7CTd7+R88+/71tcHtmGG8QuJxsnM3rqRJaASwmIH1q6kpvZlz
+g+nItKz5etRA6sKFJ+By7t0CgYEAqQaFu/QZ35KKyglFTJp/MAeBNX1nwHuNYvTb
+FW6Vzf7NP1r2PP1j4sJo2KzsPsgu4J3mc8oukJd9c34DfHMe9D6pq/wxGv78bziV
+fVdPUu92VwfwGOGWnyd83/DdgnoQcNAXjji7Qh/dXsBtXfVCVvqUsDnUXbF828Um
+gPwbY58CgYAOOW43ND0kIM+N3PoseyLDZtz1hZVeQyJRJ63NVEM070U5h5zzbDFV
+KqIL+qtczNbhY9aPq6pcz6ZwwP5LF9HaYu4axwCQXP+c21rNiIPkEbDpatxXYeke
+fIMgm2V5wYQg4VLTfWRZCoQxscux1MCIpMubFsV7fE9hBL+t/PrelA==
-----END RSA PRIVATE KEY-----
diff --git a/t/certs/4.pem b/t/certs/4.pem
index 7e55bacd0251ecd1c7a0efb22ff143ff133b1ad1..a4503cd0a89bd55a0be3abd36d6353c2d48f40f3 100644
--- a/t/certs/4.pem
+++ b/t/certs/4.pem
@@ -1,69 +1,83 @@
-----BEGIN CERTIFICATE-----
-MIIJUTCCCDugAwIBAgIEaWasDzALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
-DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTYzNDM5WhcN
+MIIJrDCCCJagAwIBAgIEXQoW5DALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
+DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMjExMTEwMTUyNjExWhcN
MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD
-VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTc2ODMzNjM5OTCBnzANBgkqhkiG9w0BAQEF
-AAOBjQAwgYkCgYEAsH+q/KhzMLzYimKXZ8MV9B81mqWwUNdfkyp3ZmnsZV1yQLJ8
-pLm/zEX6Z+dyVkTfi80qIOIsv+81UtwT+OFeAJ+TR3e432BrXrrPitQuCBYUaTef
-LH5iKmtCSiaJnY3BACjUdwRiIOzibcBY3obZR9RtrLZ9DpHR0W/0z1ShW8MCAwEA
-AaOCBu4wggbqMA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI
-KwYBBQUHFQEwgga3BgorBgEEAb5FZGQFBIIGpzCCBqMwggafMIIGmzCCBYMCAQEw
-NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0
-ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD
-VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQACAQAwIhgPMjAxODAxMDEw
-MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0
-ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0
-L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBG8wgYQGCisGAQQBvkVkZAsE
-djB0MHIwcDAehhx0ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwME4wHgQIbmlj
-a25hbWUECW5ld2xhbmQ4NgQHdGVzdC52bzAsBAV0aXRsZQQaYXNzZWduaXN0YSVk
-aSVyaWNlcmNhQENOQUYEB3Rlc3Qudm8wggOyBgorBgEEAb5FZGQKBIIDojCCA54w
-ggOaMIIDljCCAn6gAwIBAgICAxMwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMC
-SVQxDDAKBgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2
-MzdaFw0yNzEyMDQwOTQ2MzdaMDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kx
-FTATBgNVBAMMDHZvbXMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBALx/yNoeDZNQtJgiGi+tI/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq
-6N1Wjx3VHaVJP0yyTNE+aSxgwI9fD3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+v
-tHvathtadnZUBPPo12BrxlXZ1BLre/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3
-T4+Lp4AB5/d6TzwyQq/OLvgae7y16yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQu
-l7kFZBrcdgkJ66++bEe5W0GGwVHA/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4x
-Y+2BH268QWWJsY0vX/qK2ois+Ms/6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAA
-MB0GA1UdDgQWBBQzjAnUSZQBztH7C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAw
-PgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgB
-hvhCBAEGCCsGAQUFBwMEMB8GA1UdIwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnG
-MBcGA1UdEQQQMA6CDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI
-5JKbJgkEZLmeySeCLJBMS/E8Gk3N9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCv
-EknM3qRlqulug+HPINOYjz6ooYL49W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5
-SojWAcvBIjdunx0sPuvQCVE7Cl+1GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaU
-IepJ4dhhEJ31KWURohUrivcUWkm4LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8t
-KJ7G4opD7CYyv9dqqkJaLFApM1236Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6n
-XONQhDO17KQgbnAd6TAJBgNVHTgEAgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3Nnsu
-tGnzJ+q39giLSiOiEUnGMA0GCSqGSIb3DQEBCwUAA4IBAQBHsP+LCvcSnQtb4DsD
-onUP1cRrjuxDptJUNXhPhmqw4dvLyir5Ea9hhRMzziCMKy8/COcQv6ECwni6xLLX
-PFTLHEyp+PEcVxwixGtBXF8W2fniEEkN6buHxykqUEhBxT0R4DS4OFKyNsA3m4WD
-TC2WAYx0n1yQTBqaMfOH9Q+/QAzTyWB1WNRfqxWcuZgyCFlw23X/ZzIXpPD7ZX3o
-gAIW++i13fa5QzT6uI/iM2vRo/eNvdVs+bGB1130EtKS1nba4CahoyoHJrLGjqiw
-58BUD8HqWKMF1UkDr4+UPdUo31xNE94UraZZO4n9bJrrvuQzKgJLfW/1JBjm+lCP
-ISVhMAsGCSqGSIb3DQEBBQOCAQEACTHB0rNOG9bv8rz40U7zb8XEkCOd96lOwfZk
-OIwSGE+dACn7K4c8c8iWTas6Gw8Ev0d1IbiQNY1Erc36Wy29kna9Qw5Ph81dhhkQ
-LMHjd6LO7oXf6jUE164hv1Rnqq8Hdae843pwlntn+eg3HuLYlI2ijUK/kjG5Tw38
-75aRAnJffBh61zcuV7GOrbOQVObaOQYLpon0Qr1tLlFso0MAMAuXK4sgNQtpUIbI
-zd2/oXGJwH1SXrcgg+NCRnFjZ5Do+ARzMB8W5/O+N0UiqOJOuaRiPp3sVPffLv0W
-UOcUdk1EOhVomM7nVlJzzg49Xvc4+a7a2UIyV3UaB9+VbkVSag==
+VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTU2MDk0MjMwODCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAJ19QWu2rgpFfaHe3Rrq5F9xglljmgHtaYorBB/c4vq2
+NfmOGtOxEgQmP4oWClwPwchEFHuU+CzdztFfvx3M5wI1ypaZFuSCqXCtaUsnKCX3
+B4DF13RK5NnJSUlz1TOWfOYr+XLETG7hTsJCPmWZE/t8LQE4VasriUv2xybrx+sr
+YmZ1mPeL2qdC1L55LPEM6BKUml81baTnrHV4oSQF5oXI0YnMn2FyiA3odYY7RRrd
+tlxpRhz5oLrWh8keu+hRfiihB41KAi9223zIVhuPCYW48uXPht40EHogTnry1gN/
+k06eFGelAXyV+WQYZ5ioeYcMVMlMEq8QbLRN3AasvS0CAwEAAaOCBsUwggbBMA4G
+A1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYIKwYBBQUHFQEwggaO
+BgorBgEEAb5FZGQFBIIGfjCCBnowggZ2MIIGcjCCBVoCAQEwNqA0MC+kLTArMQsw
+CQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0ZXN0MAIBCaA4MDak
+NDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYDVQQDDAx2b21zLmV4
+YW1wbGUwDQYJKoZIhvcNAQELBQACAwHiQTAiGA8yMDIxMTExMDAwMDAwMFoYDzIw
+MzExMjMxMDAwMDAwWjA+MDwGCisGAQQBvkVkZAQxLjAsoB6GHHRlc3Qudm86Ly92
+b21zLmV4YW1wbGU6MTUwMDAwCgQIL3Rlc3Qudm8wggRpMIGEBgorBgEEAb5FZGQL
+BHYwdDByMHAwHoYcdGVzdC52bzovL3ZvbXMuZXhhbXBsZToxNTAwMDBOMB4ECG5p
+Y2tuYW1lBAluZXdsYW5kODYEB3Rlc3Qudm8wLAQFdGl0bGUEGmFzc2VnbmlzdGEl
+ZGklcmljZXJjYUBDTkFGBAd0ZXN0LnZvMIIDsgYKKwYBBAG+RWRkCgSCA6IwggOe
+MIIDmjCCA5YwggJ+oAMCAQICAgMTMA0GCSqGSIb3DQEBCwUAMC0xCzAJBgNVBAYT
+AklUMQwwCgYDVQQKDANJR0kxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTcxMjA2MDk0
+NjM3WhcNMjcxMjA0MDk0NjM3WjAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJ
+MRUwEwYDVQQDDAx2b21zLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC8f8jaHg2TULSYIhovrSP0kitykRKb7+GjoqYDBL3Hwn94UXj9lAbT
+qujdVo8d1R2lST9MskzRPmksYMCPXw98baTLWAxu3jNqbDIRu9PhTQMTtR+ZNR0f
+r7R72rYbWnZ2VATz6Ndga8ZV2dQS63vyPd/sntrU3xCv7tydlscUjGAW2JLKKYzf
+90+Pi6eAAef3ek88MkKvzi74Gnu8tesgp9UowaTTVNPcwNyWe8QJxZ8vyNtzYQHk
+Lpe5BWQa3HYJCeuvvmxHuVtBhsFRwP5lIyuUrLCBRpmawp5vC2IDNNNbtdvnrDgO
+MWPtgR9uvEFlibGNL1/6itqIrPjLP+srAgMBAAGjgbowgbcwDAYDVR0TAQH/BAIw
+ADAdBgNVHQ4EFgQUM4wJ1EmUAc7R+wudGV6txNf1kMQwDgYDVR0PAQH/BAQDAgXg
+MD4GA1UdJQQ3MDUGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZI
+AYb4QgQBBggrBgEFBQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJ
+xjAXBgNVHREEEDAOggx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAODF
+COSSmyYJBGS5nskngiyQTEvxPBpNzfZa/opYazZCO3vQ4GYq7i2t0CpZUshEhbaQ
+rxJJzN6kZarpboPhzyDTmI8+qKGC+PVul3N4vkanWqcQMLcBE8+0A8Z09+S4USEz
+eUqI1gHLwSI3bp8dLD7r0AlROwpftRm2GjVjlZT1maG8GLyEqptwOrItwu1QGSAW
+lCHqSeHYYRCd9SllEaIVK4r3FFpJuC1cD/x3IOcDOhW4ITHYM/yPcBymkICEs68f
+LSiexuKKQ+wmMr/XaqpCWixQKTNdt+hYIrbHe7+krFUyLVFYGu6egNJNJEtq45cu
+p1zjUIQzteykIG5wHekwCQYDVR04BAIFADAfBgNVHSMEGDAWgBQzjAnUSZQBztH7
+C50ZXq3E1/WQxDANBgkqhkiG9w0BAQsFAAOCAQEASzEdsvSfkkh4a4+BNWuVUDbf
+a4GLTdczDVWAy+2xaSMUXPZEuf8V1EDWyxQAuNjkuFeXmMGAeo6PEmjHab9tJS92
+UbHCM0EyLKMkHh5plAk3nkAo/BxHWChaPI620c1cJRci/KDRtAB4DMi3a5COsV8N
+fwkH6fj6B0yiK2UJiuTdSFED2c9+xb+q5fzFmvxj4k65D1uwEuoUlNedjpkR1BRa
+VU6gqCSLiXuU+SLDRcowh3CShputVtMqE5mU6nFGRodCVjyop666iQY+PB7qDjjN
+YG2gnUxYaV8ppkVhI23O6c3zl9nrb0flEhIZk4gOmjcxCVAphyj0E/cumnc6cTAL
+BgkqhkiG9w0BAQUDggEBAAAivXn5x0YScPQ6Lv1eCLyfVUq4Q7Ltpjonz+5wDbzY
+wy+JEJQvfexsbBLPOF5Irjz9L+pSfjy8XnEHOzeCZgO97ZtqP8T2+Stvv0gycp1E
+ZGyWPIRfGasJvqeNKXt5Kkf/JYDZw/eC7jYGhi0fKq3gkfh5Dj6IBs9GjMKAi3Wh
+5nzr1LbxEz7DEE5yuUAU7OzYgKUzfl0gnfnJ4Ak7lDXdFlkyJ19iveaFHFFvSUw1
+mga4wQpLAxnWIXfl+JjfGjj0KXvxUMfAD7KJ92EwUpqGQC9Qsq1+WXZrS8Qetctl
+Bv6JlS3G74FiTOn8206byyvgNzkDSi4WoVi/lNDdYG4=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCwf6r8qHMwvNiKYpdnwxX0HzWapbBQ11+TKndmaexlXXJAsnyk
-ub/MRfpn53JWRN+LzSog4iy/7zVS3BP44V4An5NHd7jfYGteus+K1C4IFhRpN58s
-fmIqa0JKJomdjcEAKNR3BGIg7OJtwFjehtlH1G2stn0OkdHRb/TPVKFbwwIDAQAB
-AoGBAIAppJrlIwggCUmrv++r3LQxOXZ7nCWHzzIJIzyt6+fLTFyofxQKgbiuk9+B
-VChKyN02dMH+Gqqg4+KwRpxx4hRy03ahItP7/1bCw6MV9Kd+brj2Zk+QreFrUT+7
-DS8EgL5Hu96K/ksCL+eef9HOGlVWR1R+dfl8ciORRAqHAZ5pAkEA3YG7vG7Iu+nJ
-hiONUoTderqTlFpBAV1bDk7cYYUIkdTfLkDIVetFXJOIQUmk0MpVvkjpgXpDjw+1
-XcJb1S70HQJBAMv7tVqoKaNf8P/KTc/xcmp4+qW4gzK1+BWDqo4dwzX9JR+u4mvX
-ZBGR86A116wQDourRSchKlTVa+5v3QqSyV8CQCn7PZ6gDJF45MX0lQNPxT5OgEv8
-sxdUHz7d+WzOLuqcwtPcWVvXZGUAXTGqiH896fRPk1oD1ywVGRW1EXydEo0CQD/f
-FB1L9KXEf+kIRq8rEkGGmi1UBjjVw9WwwbH4XczE9F/kWd+ctSfPRLLQyTSGXpeb
-TG8BMokXvtENU/BgoA8CQQCWsTDPb1hWvL/GQA4wARlo+cQ73n1Uz6fzQJf2WBoV
-7HSTpTULFpCaUJLyD3fvA8ofGvzD1mmKgxgsyBe494RA
+MIIEpAIBAAKCAQEAnX1Ba7auCkV9od7dGurkX3GCWWOaAe1piisEH9zi+rY1+Y4a
+07ESBCY/ihYKXA/ByEQUe5T4LN3O0V+/HcznAjXKlpkW5IKpcK1pSycoJfcHgMXX
+dErk2clJSXPVM5Z85iv5csRMbuFOwkI+ZZkT+3wtAThVqyuJS/bHJuvH6ytiZnWY
+94vap0LUvnks8QzoEpSaXzVtpOesdXihJAXmhcjRicyfYXKIDeh1hjtFGt22XGlG
+HPmgutaHyR676FF+KKEHjUoCL3bbfMhWG48Jhbjy5c+G3jQQeiBOevLWA3+TTp4U
+Z6UBfJX5ZBhnmKh5hwxUyUwSrxBstE3cBqy9LQIDAQABAoIBAFx7UnCDXR5xAj6N
+FgAZkbQufuIpKCYbmY9mhUyEtNGPMJD0jvJjF/ZR05wuJzU6l4wX1oNfzoDiW/H9
+rMg+LCXTGr1m9teHlyKw4pUcUGpC7ygChewnks4FcsDsgXWC2KN9jUWE2nF+Y3aV
+2fhldSOIHxGJWF1k+oIeT4KekM6axqEFCpOEUpvlmeqmiJdSwKnanAFobIyyXF7a
+awg9TY8i0b5oqOHlUAmJFFyVaIt8NvHq4nIwqWAJG+2AL/3m51+E4PBIUy8FE+VU
+UylAI1HLMYOgeC5bVm9mG50Dl40hlLGugRdCiAY/iMJzNJWj1eASZKleFRDOXaJ9
+6NCiX00CgYEAygIP8aIrzwN1d7l5Zlyyvi5zqR+Jzp1sYI+2p+7qwtFGVuAF6VgC
+pnju69++XkyU1AneNcYKja1osMQ7bzEXlwP+JuidVciDUFMFd6NoYo9n6SiDaluk
+BQbYRvbfAfjzTctlqScEXfqHZBxc4wqX1Oglhlv/7gWwBkIzOdtC2Q8CgYEAx5UZ
+IDBdTCEEV8hj6ZU9xD7Tez/yaVV9Uyqo8WZ84LeWRrCm0doB5EpQBTFE1pGxmk0M
+ws+KHuvp0a4gNwKFLKjlJ4gtA063caFZLgC2n3/IPSIv+0jjCtp4JkD1PtwkoqvZ
+YKTodTSQlPzU9GAH4QcRuEVarnUVML0nfwzkrgMCgYEAtfz5pDT3xr5U+5Fq318v
+4Mo0hO7W1f9Y/f07Dzvc37pt5iJY8QnLCXL1vCaMeKQBiK2DNWq/YzgQkv+Wk+vk
+VrbQJvl1lSzZsGm7CTd7+R88+/71tcHtmGG8QuJxsnM3rqRJaASwmIH1q6kpvZlz
+g+nItKz5etRA6sKFJ+By7t0CgYEAqQaFu/QZ35KKyglFTJp/MAeBNX1nwHuNYvTb
+FW6Vzf7NP1r2PP1j4sJo2KzsPsgu4J3mc8oukJd9c34DfHMe9D6pq/wxGv78bziV
+fVdPUu92VwfwGOGWnyd83/DdgnoQcNAXjji7Qh/dXsBtXfVCVvqUsDnUXbF828Um
+gPwbY58CgYAOOW43ND0kIM+N3PoseyLDZtz1hZVeQyJRJ63NVEM070U5h5zzbDFV
+KqIL+qtczNbhY9aPq6pcz6ZwwP5LF9HaYu4axwCQXP+c21rNiIPkEbDpatxXYeke
+fIMgm2V5wYQg4VLTfWRZCoQxscux1MCIpMubFsV7fE9hBL+t/PrelA==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
diff --git a/t/certs/README.md b/t/certs/README.md
index ac9e76cdba4c57347b0c35f9a500491b01bf6633..4938a4e1059c190087d7aa855d7099326c8b12d1 100644
--- a/t/certs/README.md
+++ b/t/certs/README.md
@@ -1,35 +1,51 @@
-=======
-# Certificates for ngx\_http\_voms\_module Testing
+# Certificates for `ngx_http_voms_module` testing
-Proxy certificates are generated using [VOMS client 3.3.1](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/):
+This directory contains the certificates and the proxy certificates used in the unit tests of the `ngx_http_voms_module`.
- * 0.pem: long-lived proxy certificate, without any Attribute Certificate (AC);
- * 1.pem: long-lived proxy certificate, with an expired AC;
- * 2.pem: expired proxy certificate;
- * 3.pem: long-lived proxy with valid VOMS attributes;
- * 4.pem: long-lived proxy with VOMS generic attributes containing reserved characters;
- * 5.pem: long-lived proxy with valid VOMS attributes, `*.lsc` file missing in `vomsdir`.
- * 6.pem: long-lived proxy with valid VOMS attributes, with an old format for fqans.
- * 7.pem: long-lived proxy (3 delegations), without VOMS attributes;
- * 8.pem: long-lived proxy (3 delegations), without VOMS attributes, plus CA
- certificate included in the chain;
- * 9.pem: EEC plus CA certificate included in the chain.
+The proxy certificates are generated using the [VOMS
+clients](http://italiangrid.github.io/voms/documentation/voms-clients-guide/), using the following command template:
-To obtain such certificates the following command is used:
+```shell
+$ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=<path_to_cert>/voms_example.cert.pem -Dvoms.fake.aaKey=<path_to_cert>/voms_example.key.pem -Dvoms.fake.notAfter=<AAAA-MM-GGT00:00:00 -Dvoms.fake.notBefore=AAAA-MM-GGT00:00:00 -Dvoms.fake.gas=<name>=<value>,<name>=<value> -Dvoms.fake.fqans=/<vo>/<fqan>,/<vo>/<fqan>/Role=<role> -Dvoms.fake.serial=<ac_serial_n>" voms-proxy-init -voms test.vo -cert <path_to test0.p12> --valid <validity> --vomsdir <path_to_vomsdir> --certdir <path_to_trust_anchors>
+```
- VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=<path_to_cert>/voms_example.cert.pem -Dvoms.fake.aaKey=<path_to_cert>/voms_example.key.pem -Dvoms.fake.notAfter=<AAAA-MM-GGT00:00:00 -Dvoms.fake.notBefore=AAAA-MM-GGT00:00:00 -Dvoms.fake.gas=<name>=<value>,<name>=<value> -Dvoms.fake.fqans=/<vo>/<fqan>,/<vo>/<fqan>/Role=<role> -Dvoms.fake.serial=<ac_serial_n>" voms-proxy-init -voms test.vo -cert <path_to_test0>/test0.p12 --valid <validity> --vomsdir <path_to_vomsdir>/vomsdir --certdir <path_to_trust_anchors>/trust-anchors/
+See below for some concrete examples.
-Once VOMS proxy certificates are generated in a `*.pem` format, they need to be split in certificates and key to be used in Openresty tests. `*.cert.pem` and `*.key.pem` files are obtained by simpling typing in `certs`
+As usual, the command generates a proxy certificate in `/tmp` in PEM format. To be used in these tests, they need to be
+split in the corresponding certificate and key and eventually moved into this directory. Given a `name.pem` file,
+`name.cert.pem` and `name.key.pem` can be obtained using the following commands:
- awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/' <name>.pem > <name>.key.pem
- awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' <name>.pem > <name>.cert.pem
+```shell
+$ awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/' name.pem > name.key.pem
+$ awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' name.pem > name.cert.pem
+```
-where `<name>` could be for instance `0,1,2,etc..`
+The following certificates and proxy certificates are used in these tests:
-*voms\_example.cert.pem* and *voms\_example.ket.pem* can be found in `certs`.
+ * `0.pem`: long-lived proxy certificate, without any Attribute Certificate (AC)
+ * `1.pem`: long-lived proxy certificate, with an expired AC
+ * `2.pem`: expired proxy certificate
+ * `3.pem`: long-lived proxy with valid VOMS attributes. Obtained with:
-For *../untrusted.t*, *voms\_example\_2.cert.pem* and *voms\_example\_2.key.pem* are used as VOMS certificates and they are in `certs`.
+```shell
+$ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=t/certs/voms_example.cert.pem -Dvoms.fake.aaKey=t/certs/voms_example.key.pem -Dvoms.fake.notAfter=2031-12-31T00:00:00 -Dvoms.fake.notBefore=2021-11-10T00:00:00 -Dvoms.fake.gas=nickname=newland,nickname=giaco -Dvoms.fake.fqans=/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO -Dvoms.fake.serial=123456" voms-proxy-init -voms test.vo -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses
+```
-To perform correctly the VOMS AC validation, a \*.lsc or \*.pem file is needed in `/etc/grid-security/vomsdir`, see [VOMS client 3.3.1 User Guide](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/) for further details. An example of *voms.example.lsc* can be found in `vomsdir/test.vo`.
+ * `4.pem`: long-lived proxy with VOMS generic attributes containing special characters. Obtained with:
-Nginx server certificate and key are nginx\_voms\_example.cert.pem and nginx\_voms\_example\_key.pem.
+```shell
+$ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=t/certs/voms_example.cert.pem -Dvoms.fake.aaKey=t/certs/voms_example.key.pem -Dvoms.fake.notAfter=2031-12-31T00:00:00 -Dvoms.fake.notBefore=2021-11-10T00:00:00 -Dvoms.fake.fqans=/test.vo -Dvoms.fake.gas=nickname=newland86,title=assegnista%di%ricerca@CNAF -Dvoms.fake.serial=123457" voms-proxy-init -voms test.vo -cert t/certs/test0.p12 --valid 10000:0 --vomsdir t/vomsdir --certdir t/trust-anchors --vomses t/vomses
+```
+
+ * `5.pem`: long-lived proxy with valid VOMS attributes
+ * `6.pem`: long-lived proxy with valid VOMS attributes, with an old format for FQANs
+ * `7.pem`: long-lived proxy (3 delegations), without VOMS attributes
+ * `8.pem`: long-lived proxy (3 delegations), without VOMS attributes, plus a CA
+ certificate included in the chain
+ * `9.pem`: EEC plus CA certificate included in the chain
+
+`voms_example.cert.pem` and `voms_example.key.pem` are the credentials of a trusted VOMS server.
+
+`voms_example_2.cert.pem` and `voms_example_2.key.pem` are the credentials of an untrusted VOMS server.
+
+`nginx_voms_example.cert.pem` and `nginx_voms_example.key.pem` are the Nginx server credentials.
diff --git a/t/ssl_log_voms_plain_http.t b/t/ssl_log_voms_plain_http.t
index 1989c41f1a81397ded908dd3b19bf8279f61361a..00d25ec5a06dc727c64e0276aa384a1c4bde1226 100644
--- a/t/ssl_log_voms_plain_http.t
+++ b/t/ssl_log_voms_plain_http.t
@@ -1,10 +1,4 @@
-# This test is always successful because, for some reason (a bug?)
-# the error.log as seen in Test::Nginx doesn't contain the entries for
-# the master process, although they are evailable in the actual file.
-# As a consequence the no_error_log check is always satisfied,
-# even if the segmentation fault were present
-
use Test::Nginx::Socket 'no_plan';
master_on();
@@ -55,7 +49,5 @@ GET /lua
--- error_log
client prematurely closed connection
retrieve_voms_ac_from_proxy
-plain http
---- no_error_log
-signal 11
+plain HTTP
--- error_code: 200
diff --git a/t/valid_ac.t b/t/valid_ac.t
index 5241d3f7c22dfffd025b5df49d2adab740ffcf13..7af1ef04e760a343a001116530a6cd3650673bbd 100644
--- a/t/valid_ac.t
+++ b/t/valid_ac.t
@@ -45,14 +45,14 @@ GET /
--- response_body
/C=IT/O=IGI/CN=test0
/C=IT/O=IGI/CN=Test CA
-/test/exp1,/test/exp2,/test/exp3/Role=PIPPO
+/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO
/C=IT/O=IGI/CN=voms.example
/C=IT/O=IGI/CN=Test CA
test.vo
voms.example:15000
-20180101000000Z
-20300101000000Z
+20211110000000Z
+20311231000000Z
n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo
-7B
+01E240
--- error_code: 200
diff --git a/t/vomses b/t/vomses
new file mode 100644
index 0000000000000000000000000000000000000000..657acafb52d7308e60fbb635923270beeac45cd4
--- /dev/null
+++ b/t/vomses
@@ -0,0 +1 @@
+"test.vo" "voms.example" "15000" "/C=IT/O=IGI/CN=voms.example" "test.vo"