diff --git a/t/certs/6.cert.pem b/t/certs/6.cert.pem
new file mode 100644
index 0000000000000000000000000000000000000000..00301410865e702504c4562d99c3fc0528b83322
--- /dev/null
+++ b/t/certs/6.cert.pem
@@ -0,0 +1,71 @@
+-----BEGIN CERTIFICATE-----
+MIIIuzCCB6WgAwIBAgIEG7TGuDALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
+DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzIwMTExMzIzWhcN
+MjIwOTI0MTUzOTM0WjA/MQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD
+VQQDEwV0ZXN0MDESMBAGA1UEAxMJNDY0ODMyMTg0MIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQCjFscRlPAh8MmHldBXxwkSVfkefwJPp28ZTWgaZfurY8PXoV+X
+biv+lo/A01+gwGDBsXYtIF1nfNLI1MTIB3aL48nmua79kKS7B9xw/ItIz5PtDt1N
+pdreA89AdsfQc2wb+ypImNN9w8trH/UYymX9jPm6IYwDLB70h/SQSz8+iwIDAQAB
+o4IGWTCCBlUwDgYDVR0PAQH/BAQDAgXgMB0GCCsGAQUFBwEOAQH/BA4wDDAKBggr
+BgEFBQcVATCCBiIGCisGAQQBvkVkZAUEggYSMIIGDjCCBgowggYGMIIE7gIBATA2
+oDQwL6QtMCsxCzAJBgNVBAYTAklUMQwwCgYDVQQKEwNJR0kxDjAMBgNVBAMTBXRl
+c3QwAgEJoDgwNqQ0MDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxFTATBgNV
+BAMMDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAIBezAiGA8yMDE4MDEwMTAw
+MDAwMFoYDzIwMzAwMTAxMDAwMDAwWjBVMFMGCisGAQQBvkVkZAQxRTBDoB6GHHRl
+c3Qudm86Ly92b21zLmV4YW1wbGU6MTUwMDAwIQQfL3Rlc3QvUm9sZT1OVUxML0Nh
+cGFiaWxpdHk9TlVMTDCCA+gwggOyBgorBgEEAb5FZGQKBIIDojCCA54wggOaMIID
+ljCCAn6gAwIBAgICAxMwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCSVQxDDAK
+BgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2MzdaFw0y
+NzEyMDQwOTQ2MzdaMDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxFTATBgNV
+BAMMDHZvbXMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALx/yNoeDZNQtJgiGi+tI/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq6N1Wjx3V
+HaVJP0yyTNE+aSxgwI9fD3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+vtHvathta
+dnZUBPPo12BrxlXZ1BLre/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3T4+Lp4AB
+5/d6TzwyQq/OLvgae7y16yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQul7kFZBrc
+dgkJ66++bEe5W0GGwVHA/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4xY+2BH268
+QWWJsY0vX/qK2ois+Ms/6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAAMB0GA1Ud
+DgQWBBQzjAnUSZQBztH7C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAwPgYDVR0l
+BDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgBhvhCBAEG
+CCsGAQUFBwMEMB8GA1UdIwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMBcGA1Ud
+EQQQMA6CDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI5JKbJgkE
+ZLmeySeCLJBMS/E8Gk3N9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCvEknM3qRl
+qulug+HPINOYjz6ooYL49W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5SojWAcvB
+Ijdunx0sPuvQCVE7Cl+1GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaUIepJ4dhh
+EJ31KWURohUrivcUWkm4LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8tKJ7G4opD
+7CYyv9dqqkJaLFApM1236Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6nXONQhDO1
+7KQgbnAd6TAJBgNVHTgEAgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3NnsutGnzJ+q3
+9giLSiOiEUnGMA0GCSqGSIb3DQEBCwUAA4IBAQANktzYTJEmlA7Wb1kzvZ/8rw3R
+yeOVWs2pZ1Sn5XTo/M8QuBMk2nTpmOqjc2tkbKlJebpTyfQamE6Nj0lZRBZZQ/1w
+yvjsLkrpbGGgXXBg0v3PTNiniOnzdyyu2GCThVpe0208BclVvHTCnQRKILtZ+/Gr
+Hs7nwo+z5ypifut/SCeTjTeuinMD73B/0ju/ROAHAAn2v+Z1l+bkYPlJZQw6zE7V
+sr6E234dl8T57S/LLjOUvg/MWSf0mhGJsKgRSX2W5beHycNbTvRIMHNa/nda/vx+
+VRM1TeScF1qz6658WidR3axkAwx9Ir0TpqmbAc+7/2cGaiTlaQTI7WUkJAGOMAsG
+CSqGSIb3DQEBBQOCAQEAsNH03yAtJsXdnj8NENzP/MibM/KXDrG6m2xLj57n0mVy
+LlR7RndKSfvuDpkdPSaC0xs2gd3JyYj4xllKGd7MjX9hhIna7OwLvcAM1sjyiYdP
+n2KKZZ9VEoFE9vzcitbrtrbxhagMPDeLtAqnK+IfhcmqQjn25SMKBVl+U/6mR+sZ
+cvSrFQNbjebsPaKVwFGE9XkWmD3WarsIpU/SaNeB/UKnvZm4wMbcyf/vo9CCpUkQ
+0+HrEQ9Z/NuExLpsAVHOT3kzwB3gY3bGXIbM9RP09Mpr12D0T0s2httP0RGTIaGQ
+j6/ufzjJxgR390tfIo9Iyaw1DmJO84MZn8BEyfo+UQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+vDxcPMc/wmnMa+smNal0sJ6m
+-----END CERTIFICATE-----
diff --git a/t/certs/6.key.pem b/t/certs/6.key.pem
new file mode 100644
index 0000000000000000000000000000000000000000..d702fa7b2e8cdbc0eec605bc23d7037b562c14cf
--- /dev/null
+++ b/t/certs/6.key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCjFscRlPAh8MmHldBXxwkSVfkefwJPp28ZTWgaZfurY8PXoV+X
+biv+lo/A01+gwGDBsXYtIF1nfNLI1MTIB3aL48nmua79kKS7B9xw/ItIz5PtDt1N
+pdreA89AdsfQc2wb+ypImNN9w8trH/UYymX9jPm6IYwDLB70h/SQSz8+iwIDAQAB
+AoGABO4CVHC5FX2Oye9oXc7hYlGA90AFlNzNyekCFZIxmkuottLk7dHhuI9ahwyc
+nmJSSmiP1utch21JfdKYpCc9mQ5tuT2QBoUrFpzZGX6sp30Etvt8Y+BUZnA+s02Y
+Q5h+Y8KXNZd7QucOpoPljBvRShEVfl6nAFz4zwBE+qaCTxkCQQDr2BkP2KPRCbwK
++5I3V6LJRW9MMXJXSJxWMtVRKLuI4ZbfL8kfYHUWpyZ8BUZzbxVPrcJAWCp8XQ5L
+nWfcmUWvAkEAsQbpBdAjD2O3BCb/Gz+ENZPi63WIxEMR6OiXkCkzkw5Mo6vnadTw
+VyJBd9yx/FMPvCA7DyjcLdyGFIp4v63n5QJBAIjdDy4y+l4E2CtHcsLLCJzkvoHo
+8AHXEWK0fTZr/OiigXtjr8OVpl1PAvZV2VyDykpC+8d7YqxpFDKtVeieyeECQQCA
+KEWITM8k9AZpviWPP2NiOkbcOUGi+/86QzB+UCWjP4XiM7AboOnB2u3UbXR4/FT2
+18qJxgXoOa7jrf+OnMK1AkA6EkvdvCmFxBsxXudRMJdeJ8Fhq/y1+DE6Tk95TDEm
+oHz0uO9q+hjah/ue6Ik2+9L9DwnyoI6kf+zSM39tx5Ed
+-----END RSA PRIVATE KEY-----
diff --git a/t/certs/6.pem b/t/certs/6.pem
new file mode 100644
index 0000000000000000000000000000000000000000..8f98f19e9c1459eba5af48e43eef7d2c55b33382
--- /dev/null
+++ b/t/certs/6.pem
@@ -0,0 +1,86 @@
+-----BEGIN CERTIFICATE-----
+MIIIuzCCB6WgAwIBAgIEG7TGuDALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx
+DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzIwMTExMzIzWhcN
+MjIwOTI0MTUzOTM0WjA/MQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD
+VQQDEwV0ZXN0MDESMBAGA1UEAxMJNDY0ODMyMTg0MIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQCjFscRlPAh8MmHldBXxwkSVfkefwJPp28ZTWgaZfurY8PXoV+X
+biv+lo/A01+gwGDBsXYtIF1nfNLI1MTIB3aL48nmua79kKS7B9xw/ItIz5PtDt1N
+pdreA89AdsfQc2wb+ypImNN9w8trH/UYymX9jPm6IYwDLB70h/SQSz8+iwIDAQAB
+o4IGWTCCBlUwDgYDVR0PAQH/BAQDAgXgMB0GCCsGAQUFBwEOAQH/BA4wDDAKBggr
+BgEFBQcVATCCBiIGCisGAQQBvkVkZAUEggYSMIIGDjCCBgowggYGMIIE7gIBATA2
+oDQwL6QtMCsxCzAJBgNVBAYTAklUMQwwCgYDVQQKEwNJR0kxDjAMBgNVBAMTBXRl
+c3QwAgEJoDgwNqQ0MDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxFTATBgNV
+BAMMDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAIBezAiGA8yMDE4MDEwMTAw
+MDAwMFoYDzIwMzAwMTAxMDAwMDAwWjBVMFMGCisGAQQBvkVkZAQxRTBDoB6GHHRl
+c3Qudm86Ly92b21zLmV4YW1wbGU6MTUwMDAwIQQfL3Rlc3QvUm9sZT1OVUxML0Nh
+cGFiaWxpdHk9TlVMTDCCA+gwggOyBgorBgEEAb5FZGQKBIIDojCCA54wggOaMIID
+ljCCAn6gAwIBAgICAxMwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCSVQxDDAK
+BgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2MzdaFw0y
+NzEyMDQwOTQ2MzdaMDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxFTATBgNV
+BAMMDHZvbXMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALx/yNoeDZNQtJgiGi+tI/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq6N1Wjx3V
+HaVJP0yyTNE+aSxgwI9fD3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+vtHvathta
+dnZUBPPo12BrxlXZ1BLre/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3T4+Lp4AB
+5/d6TzwyQq/OLvgae7y16yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQul7kFZBrc
+dgkJ66++bEe5W0GGwVHA/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4xY+2BH268
+QWWJsY0vX/qK2ois+Ms/6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAAMB0GA1Ud
+DgQWBBQzjAnUSZQBztH7C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAwPgYDVR0l
+BDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgBhvhCBAEG
+CCsGAQUFBwMEMB8GA1UdIwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMBcGA1Ud
+EQQQMA6CDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI5JKbJgkE
+ZLmeySeCLJBMS/E8Gk3N9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCvEknM3qRl
+qulug+HPINOYjz6ooYL49W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5SojWAcvB
+Ijdunx0sPuvQCVE7Cl+1GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaUIepJ4dhh
+EJ31KWURohUrivcUWkm4LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8tKJ7G4opD
+7CYyv9dqqkJaLFApM1236Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6nXONQhDO1
+7KQgbnAd6TAJBgNVHTgEAgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3NnsutGnzJ+q3
+9giLSiOiEUnGMA0GCSqGSIb3DQEBCwUAA4IBAQANktzYTJEmlA7Wb1kzvZ/8rw3R
+yeOVWs2pZ1Sn5XTo/M8QuBMk2nTpmOqjc2tkbKlJebpTyfQamE6Nj0lZRBZZQ/1w
+yvjsLkrpbGGgXXBg0v3PTNiniOnzdyyu2GCThVpe0208BclVvHTCnQRKILtZ+/Gr
+Hs7nwo+z5ypifut/SCeTjTeuinMD73B/0ju/ROAHAAn2v+Z1l+bkYPlJZQw6zE7V
+sr6E234dl8T57S/LLjOUvg/MWSf0mhGJsKgRSX2W5beHycNbTvRIMHNa/nda/vx+
+VRM1TeScF1qz6658WidR3axkAwx9Ir0TpqmbAc+7/2cGaiTlaQTI7WUkJAGOMAsG
+CSqGSIb3DQEBBQOCAQEAsNH03yAtJsXdnj8NENzP/MibM/KXDrG6m2xLj57n0mVy
+LlR7RndKSfvuDpkdPSaC0xs2gd3JyYj4xllKGd7MjX9hhIna7OwLvcAM1sjyiYdP
+n2KKZZ9VEoFE9vzcitbrtrbxhagMPDeLtAqnK+IfhcmqQjn25SMKBVl+U/6mR+sZ
+cvSrFQNbjebsPaKVwFGE9XkWmD3WarsIpU/SaNeB/UKnvZm4wMbcyf/vo9CCpUkQ
+0+HrEQ9Z/NuExLpsAVHOT3kzwB3gY3bGXIbM9RP09Mpr12D0T0s2httP0RGTIaGQ
+j6/ufzjJxgR390tfIo9Iyaw1DmJO84MZn8BEyfo+UQ==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCjFscRlPAh8MmHldBXxwkSVfkefwJPp28ZTWgaZfurY8PXoV+X
+biv+lo/A01+gwGDBsXYtIF1nfNLI1MTIB3aL48nmua79kKS7B9xw/ItIz5PtDt1N
+pdreA89AdsfQc2wb+ypImNN9w8trH/UYymX9jPm6IYwDLB70h/SQSz8+iwIDAQAB
+AoGABO4CVHC5FX2Oye9oXc7hYlGA90AFlNzNyekCFZIxmkuottLk7dHhuI9ahwyc
+nmJSSmiP1utch21JfdKYpCc9mQ5tuT2QBoUrFpzZGX6sp30Etvt8Y+BUZnA+s02Y
+Q5h+Y8KXNZd7QucOpoPljBvRShEVfl6nAFz4zwBE+qaCTxkCQQDr2BkP2KPRCbwK
++5I3V6LJRW9MMXJXSJxWMtVRKLuI4ZbfL8kfYHUWpyZ8BUZzbxVPrcJAWCp8XQ5L
+nWfcmUWvAkEAsQbpBdAjD2O3BCb/Gz+ENZPi63WIxEMR6OiXkCkzkw5Mo6vnadTw
+VyJBd9yx/FMPvCA7DyjcLdyGFIp4v63n5QJBAIjdDy4y+l4E2CtHcsLLCJzkvoHo
+8AHXEWK0fTZr/OiigXtjr8OVpl1PAvZV2VyDykpC+8d7YqxpFDKtVeieyeECQQCA
+KEWITM8k9AZpviWPP2NiOkbcOUGi+/86QzB+UCWjP4XiM7AboOnB2u3UbXR4/FT2
+18qJxgXoOa7jrf+OnMK1AkA6EkvdvCmFxBsxXudRMJdeJ8Fhq/y1+DE6Tk95TDEm
+oHz0uO9q+hjah/ue6Ik2+9L9DwnyoI6kf+zSM39tx5Ed
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+vDxcPMc/wmnMa+smNal0sJ6m
+-----END CERTIFICATE-----
diff --git a/t/certs/README.md b/t/certs/README.md
index 7b3f68a8821b5c8ba0e99a413b62f594956a6df3..4af2c7180640d997c252ffe17d5c109189fb2948 100644
--- a/t/certs/README.md
+++ b/t/certs/README.md
@@ -1,28 +1,32 @@
=======
# Certificates for ngx\_http\_voms\_module Testing
-Proxy certificates are generated using [VOMS client 3.3.0](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/):
+Proxy certificates are generated using [VOMS client 3.3.1](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/):
- * 0.pem: long-lived proxy certificate, without Attribute Certificate (AC);
+ * 0.pem: long-lived proxy certificate, without any Attribute Certificate (AC);
* 1.pem: long-lived proxy certificate, with an expired AC;
- * 2.pem: expired proxy certificate.
- * 3.pem: long-lived proxy with valid VOMS attributes
- * 4.pem: long-lived proxy with VOMS generic attributes containing reserved characters
- * 5.pem: long-lived proxy with VOMS AC signed by an untrusted CA
+ * 2.pem: expired proxy certificate;
+ * 3.pem: long-lived proxy with valid VOMS attributes;
+ * 4.pem: long-lived proxy with VOMS generic attributes containing reserved characters;
+ * 5.pem: long-lived proxy with valid VOMS attributes, `*.lsc` file missing in `vomsdir`.
+ * 6.pem: long-lived proxy with valid VOMS attributes, with an old format for fqans.
+
To obtain such certificates the following command is used:
- VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=<path_to_cert>/voms_example.cert.pem -Dvoms.fake.aaKey=<path_to_key>/voms_example.key.pem" voms-proxy-init3 -voms test.vo -cert <path_to_test0>/test0.p12 --valid <validity>
+ VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=<path_to_cert>/voms_example.cert.pem -Dvoms.fake.aaKey=<path_to_cert>/voms_example.key.pem -Dvoms.fake.notAfter=<AAAA-MM-GGT00:00:00 -Dvoms.fake.notBefore=AAAA-MM-GGT00:00:00 -Dvoms.fake.gas=<name>=<value>,<name>=<value> -Dvoms.fake.fqans=/<vo>/<fqan>,/<vo>/<fqan>/Role=<role> -Dvoms.fake.serial=<ac_serial_n>" voms-proxy-init -voms test.vo -cert <path_to_test0>/test0.p12 --valid <validity> --vomsdir <path_to_vomsdir>/vomsdir --certdir <path_to_trust_anchors>/trust-anchors/
-Once VOMS proxy certificates are generated in a `*.pem` format, they need to be split in certificates and key to be used in Openresty tests. `*.cert.pem` and `*.key.pem` files are obtained by simpling typing
+Once VOMS proxy certificates are generated in a `*.pem` format, they need to be split in certificates and key to be used in Openresty tests. `*.cert.pem` and `*.key.pem` files are obtained by simpling typing in `certs`
awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/' <name>.pem > <name>.key.pem
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' <name>.pem > <name>.cert.pem
-in the `certs` folder, where `<name>` could be for instance `0,1,2` etc.
+where `<name>` could be for instance `0,1,2,etc..`
+
+*voms\_example.cert.pem* and *voms\_example.ket.pem* can be found in `certs`.
-*voms\_example.cert.pem* and *voms\_example.ket.pem* can be found in the `certs` folder.
+For *../untrusted.t*, *voms\_example\_2.cert.pem* and *voms\_example\_2.key.pem* are used as VOMS certificates and they are in `certs`.
-To perform correctly the VOMS AC validation, a \*.lsc or \*.pem file is needed in `/etc/grid-security/vomsdir`, see [VOMS client 3.3.0 User Guide](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/) for further details. An example of *voms.example.lsc* can be found in `vomsdir/test.vo`.
+To perform correctly the VOMS AC validation, a \*.lsc or \*.pem file is needed in `/etc/grid-security/vomsdir`, see [VOMS client 3.3.1 User Guide](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/) for further details. An example of *voms.example.lsc* can be found in `vomsdir/test.vo`.
Nginx server certificate and key are nginx\_voms\_example.cert.pem and nginx\_voms\_example\_key.pem.
diff --git a/t/encoding.t b/t/encoding.t
index dfd9e4de6a6ebddeb6131d11d466a66b03aab362..c7663819d29d7084cb5b85389412da1978378a52 100644
--- a/t/encoding.t
+++ b/t/encoding.t
@@ -26,6 +26,7 @@ __DATA__
}
--- config
location = / {
+ error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/4.cert.pem;
proxy_ssl_certificate_key ../../certs/4.key.pem;
diff --git a/t/expired.t b/t/expired.t
index 188502b569cf99352c5ce28c6c156b00a9ae8166..f3ac305ef730c139d7e03eff4033ac919146e7c2 100644
--- a/t/expired.t
+++ b/t/expired.t
@@ -24,6 +24,7 @@ __DATA__
}
--- config
location = / {
+ error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/2.cert.pem;
proxy_ssl_certificate_key ../../certs/2.key.pem;
diff --git a/t/expired_ac.t b/t/expired_ac.t
index 2b07a96348f9c058dab569ef0ddd5f1daf30ed45..348cb1f88bcbae1680b4701b396b579aaeedd3e1 100644
--- a/t/expired_ac.t
+++ b/t/expired_ac.t
@@ -26,7 +26,8 @@ __DATA__
}
}
--- config
- location = / {
+ location = / {
+ error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/1.cert.pem;
proxy_ssl_certificate_key ../../certs/1.key.pem;
diff --git a/t/no_ac.t b/t/no_ac.t
index c08fd21ea8dbec57b30b7e7fd275c95e44f38f9f..677673d827543ccca8eb9b63f64fd69520b63373 100644
--- a/t/no_ac.t
+++ b/t/no_ac.t
@@ -26,6 +26,7 @@ __DATA__
}
--- config
location = / {
+ error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/0.cert.pem;
proxy_ssl_certificate_key ../../certs/0.key.pem;
diff --git a/t/no_ssl.t b/t/no_ssl.t
index 26c696a10b430331e155f4fd0f884ec86c18afa4..1ae8c64de3b0198ffafe3e59596d32c91ba939d4 100644
--- a/t/no_ssl.t
+++ b/t/no_ssl.t
@@ -20,6 +20,7 @@ __DATA__
}
--- config
location = / {
+ error_log logs/error-proxy.log debug;
proxy_pass http://localhost:8443/;
}
--- request
diff --git a/t/no_ta.t b/t/no_ta.t
new file mode 100644
index 0000000000000000000000000000000000000000..441430a6647431598bc3a08fd9892e5b997b526d
--- /dev/null
+++ b/t/no_ta.t
@@ -0,0 +1,38 @@
+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: Valid proxy, wrong client trust-anchor
+--- main_config
+ env OPENSSL_ALLOW_PROXY_CERTS=1;
+ env X509_VOMS_DIR=t/vomsdir;
+ env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+ server {
+ error_log logs/error.log debug;
+ listen 8443 ssl;
+ ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+ ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+ ssl_client_certificate ../../trust-anchors/igi-test-ca-2.pem;
+ ssl_verify_depth 10;
+ ssl_verify_client on;
+ location = / {
+ default_type text/plain;
+ echo $voms_fqans;
+ }
+ }
+--- config
+ location = / {
+ error_log logs/error-proxy.log debug;
+ proxy_pass https://localhost:8443/;
+ proxy_ssl_certificate ../../certs/3.cert.pem;
+ proxy_ssl_certificate_key ../../certs/3.key.pem;
+ }
+--- request
+GET /
+--- error_code: 400
+
+
diff --git a/t/pippo b/t/pippo
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git a/t/ssl_no_client_authn.t b/t/ssl_no_client_authn.t
index e1042d60603ee70be8fb79af099ff1348365a497..d30f87fa79e5bd465c9f8c0acf66bbf7676b1c50 100644
--- a/t/ssl_no_client_authn.t
+++ b/t/ssl_no_client_authn.t
@@ -24,6 +24,7 @@ __DATA__
}
--- config
location = / {
+ error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
}
--- request
diff --git a/t/untrusted_ac.t b/t/untrusted_ac.t
index dd93118364daec6290c2e7a1829207aca3f7c949..f7a97b31ddaf8b08fa7e0ec9a1a4a9d7d5b5005e 100644
--- a/t/untrusted_ac.t
+++ b/t/untrusted_ac.t
@@ -5,7 +5,7 @@ run_tests();
__DATA__
-=== TEST 1: https with x509 client authentication, untrusted AC signature
+=== TEST 1: https with x509 client authentication, untrusted AC signature LSC missing
--- main_config
env OPENSSL_ALLOW_PROXY_CERTS=1;
env X509_VOMS_DIR=t/vomsdir;
@@ -26,12 +26,49 @@ __DATA__
}
--- config
location = / {
+ error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/5.cert.pem;
proxy_ssl_certificate_key ../../certs/5.key.pem;
}
--- request
GET /
+--- response_body_like eval
+qr/\n/
--- error_log
Cannot verify AC signature
--- error_code: 200
+
+=== TEST 2: Valid proxy, VOMS trust-anchor missing
+--- main_config
+ env OPENSSL_ALLOW_PROXY_CERTS=1;
+ env X509_VOMS_DIR=t/vomsdir;
+ env X509_CERT_DIR=t;
+--- http_config
+ server {
+ error_log logs/error.log debug;
+ listen 8443 ssl;
+ ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+ ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+ ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+ ssl_verify_depth 10;
+ ssl_verify_client on;
+ location = / {
+ default_type text/plain;
+ echo $voms_fqans;
+ }
+ }
+--- config
+ location = / {
+ proxy_pass https://localhost:8443/;
+ proxy_ssl_certificate ../../certs/3.cert.pem;
+ proxy_ssl_certificate_key ../../certs/3.key.pem;
+ }
+--- request
+GET /
+--- response_body_like eval
+qr/\n/
+--- error_log
+Cannot verify AC signature
+--- error_code: 200
+
diff --git a/t/valid_ac.t b/t/valid_ac.t
index f84fb9707bcb2ac6a1930d08d0de79eadc65d309..60aceafa76aa2d76c9c6819c14d42a2e13f9f424 100644
--- a/t/valid_ac.t
+++ b/t/valid_ac.t
@@ -36,6 +36,7 @@ __DATA__
}
--- config
location = / {
+ error_log logs/error-proxy.log debug;
proxy_pass https://localhost:8443/;
proxy_ssl_certificate ../../certs/3.cert.pem;
proxy_ssl_certificate_key ../../certs/3.key.pem;