Preliminary native SSL support

This adds a Redis::Connection::SSLSocket class which terminates SSL
natively using the Ruby OpenSSL extension.

This socket type is used when the "rediss://" URI scheme is specified.

Author: tarcieri

lib/redis/client.rb

@@ -392,7 +392,7 @@ def _parse_options(options)
 
         if uri.scheme == "unix"
           defaults[:path]   = uri.path
-        elsif uri.scheme == "redis"
+        elsif uri.scheme == "redis" || uri.scheme == "rediss"
           defaults[:scheme]   = uri.scheme
           defaults[:host]     = uri.host if uri.host
           defaults[:port]     = uri.port if uri.port
@@ -402,6 +402,8 @@ def _parse_options(options)
         else
           raise ArgumentError, "invalid uri scheme '#{uri.scheme}'"
         end
+
+        defaults[:ssl] = true if uri.scheme == "rediss"
       end
 
       # Use default when option is not specified or nil

lib/redis/connection/ruby.rb

@@ -2,13 +2,18 @@
 require "redis/connection/command_helper"
 require "redis/errors"
 require "socket"
+require "openssl"
 
 class Redis
   module Connection
     module SocketMixin
 
       CRLF = "\r\n".freeze
 
+      # Exceptions raised during non-blocking I/O ops that require retrying the op
+      NBIO_EXCEPTIONS = [Errno::EWOULDBLOCK, Errno::EAGAIN]
+      NBIO_EXCEPTIONS << IO::WaitReadable if RUBY_VERSION >= "1.9.3"
+
       def initialize(*args)
         super(*args)
 
@@ -45,10 +50,11 @@ def gets
       end
 
       def _read_from_socket(nbytes)
+
         begin
           read_nonblock(nbytes)
 
-        rescue Errno::EWOULDBLOCK, Errno::EAGAIN
+        rescue *NBIO_EXCEPTIONS
           if IO.select([self], nil, nil, @timeout)
             retry
           else
@@ -195,6 +201,25 @@ def self.connect(path, timeout)
 
     end
 
+    class SSLSocket < ::OpenSSL::SSL::SSLSocket
+      include SocketMixin
+
+      def self.connect(host, port, timeout, ssl_params)
+        # Note: this is using Redis::Connection::TCPSocket
+        tcp_sock = TCPSocket.connect(host, port, timeout)
+
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.set_params(ssl_params) if ssl_params && !ssl_params.empty?
+
+        ssl_sock = new(tcp_sock, ctx)
+        ssl_sock.hostname = host
+        ssl_sock.connect
+        ssl_sock.post_connection_check(host)
+
+        ssl_sock
+      end
+    end
+
     class Ruby
       include Redis::Connection::CommandHelper
 
@@ -206,7 +231,10 @@ class Ruby
 
       def self.connect(config)
         if config[:scheme] == "unix"
+          raise ArgumentError, "SSL incompatible with unix sockets" if config[:ssl]
           sock = UNIXSocket.connect(config[:path], config[:connect_timeout])
+        elsif config[:scheme] == "rediss" || config[:ssl]
+          sock = SSLSocket.connect(config[:host], config[:port], config[:connect_timeout], config[:ssl_params])
         else
           sock = TCPSocket.connect(config[:host], config[:port], config[:connect_timeout])
         end

test/ssl_test.rb

@@ -0,0 +1,53 @@
+# encoding: UTF-8
+
+if RUBY_VERSION >= "1.9.3"
+  require File.expand_path("helper", File.dirname(__FILE__))
+
+  class SslTest < Test::Unit::TestCase
+
+    include Helper::Client
+
+    driver(:ruby) do
+
+      def test_verified_ssl_connection
+        RedisMock.start({ :ping => proc { "+PONG" } }, ssl_server_opts("trusted")) do |port|
+          redis = Redis.new(:port => port, :ssl => true, :ssl_params => { :ca_file => ssl_ca_file })
+          assert_equal redis.ping, "PONG"
+        end
+      end
+
+      def test_unverified_ssl_connection
+        assert_raise(OpenSSL::SSL::SSLError) do
+          RedisMock.start({ :ping => proc { "+PONG" } }, ssl_server_opts("untrusted")) do |port|
+            redis = Redis.new(:port => port, :ssl => true, :ssl_params => { :ca_file => ssl_ca_file })
+            redis.ping
+          end
+        end
+      end
+
+    end
+
+    private
+
+    def ssl_server_opts(prefix)
+      ssl_cert = File.join(cert_path, "#{prefix}-cert.crt")
+      ssl_key  = File.join(cert_path, "#{prefix}-cert.key")
+
+      {
+        :ssl => true,
+        :ssl_params => {
+          :cert => OpenSSL::X509::Certificate.new(File.read(ssl_cert)),
+          :key  => OpenSSL::PKey::RSA.new(File.read(ssl_key))
+        }
+      }
+    end
+
+    def ssl_ca_file
+      File.join(cert_path, "trusted-ca.crt")
+    end
+
+    def cert_path
+      File.expand_path("../support/ssl/", __FILE__)
+    end
+  end
+end

test/support/redis_mock.rb

@@ -3,8 +3,19 @@
 module RedisMock
   class Server
     def initialize(options = {}, &block)
-      @server = TCPServer.new(options[:host] || "127.0.0.1", 0)
-      @server.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
+      tcp_server = TCPServer.new(options[:host] || "127.0.0.1", 0)
+      tcp_server.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
+
+      if options[:ssl]
+        ctx = OpenSSL::SSL::SSLContext.new
+
+        ssl_params = options.fetch(:ssl_params, {})
+        ctx.set_params(ssl_params) unless ssl_params.empty?
+
+        @server = OpenSSL::SSL::SSLServer.new(tcp_server, ctx)
+      else
+        @server = tcp_server
+      end
     end
 
     def port

test/support/ssl/gen_certs.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+get_subject() {
+  if [ "$1" = "trusted" ]
+  then
+    echo "/C=IT/ST=Sicily/L=Catania/O=Redis/OU=Security/CN=127.0.0.1"
+  else
+    echo "/C=XX/ST=Untrusted/L=Evilville/O=Evil Hacker/OU=Attack Department/CN=127.0.0.1"
+  fi
+}
+
+# Generate two CAs: one to be considered trusted, and one that's untrusted
+for type in trusted untrusted; do
+  rm -rf ./demoCA
+  mkdir -p ./demoCA
+  mkdir -p ./demoCA/certs
+  mkdir -p ./demoCA/crl
+  mkdir -p ./demoCA/newcerts
+  mkdir -p ./demoCA/private
+  touch ./demoCA/index.txt
+
+  openssl genrsa -out ${type}-ca.key 2048
+  openssl req -new -x509 -days 12500 -key ${type}-ca.key -out ${type}-ca.crt -subj "$(get_subject $type)"
+  openssl x509 -in ${type}-ca.crt -noout -next_serial -out ./demoCA/serial
+
+  openssl req -newkey rsa:2048 -keyout ${type}-cert.key -nodes -out ${type}-cert.req -subj "$(get_subject $type)"
+  openssl ca -days 12500 -cert ${type}-ca.crt -keyfile ${type}-ca.key -out ${type}-cert.crt -infiles ${type}-cert.req
+  rm ${type}-cert.req
+done
+
+rm -rf ./demoCA

test/support/ssl/trusted-ca.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIJAM7kyjC89Qj/MA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
+BAYTAklUMQ8wDQYDVQQIEwZTaWNpbHkxEDAOBgNVBAcTB0NhdGFuaWExDjAMBgNV
+BAoTBVJlZGlzMREwDwYDVQQLEwhTZWN1cml0eTESMBAGA1UEAxMJMTI3LjAuMC4x
+MCAXDTE2MDQwMjAzMzQ0MVoYDzIwNTAwNjIzMDMzNDQxWjBnMQswCQYDVQQGEwJJ
+VDEPMA0GA1UECBMGU2ljaWx5MRAwDgYDVQQHEwdDYXRhbmlhMQ4wDAYDVQQKEwVS
+ZWRpczERMA8GA1UECxMIU2VjdXJpdHkxEjAQBgNVBAMTCTEyNy4wLjAuMTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMeibFqEG38mtN9DSXy6NZdd7AjH
+4/D+VdDzlbJlI5IBACCV9p6P2j5PFlFvkHFE6vr6biMaLXNAmUHYfDzeT95LODHH
+t+8HlR51cNYrnt9B3eiVwEnJ7+axuDHg6nUgLXeKeog+vEqreZwLnFibxt2qpFze
+xzyKJ37Pm+iAey5glCc/v7ECYQ4sWVVV+ciC+sAwmZDfZXCBQtRRokJ6ikqQDwWV
+DugGcV46feTpu79OmkLLM8PI3E7ow2F/3iv67gmdlO5m9wX1ahWzJKUapBTxgf4X
+QG0s60WbC9iJIvgXRGW7wWSsqSVJkfLYllDTPgfpLyl1+FR3A4awrsPiMVUCAwEA
+AaOBzDCByTAdBgNVHQ4EFgQU+YG9kJR3Vy31d7QVyxRAYyKTK18wgZkGA1UdIwSB
+kTCBjoAU+YG9kJR3Vy31d7QVyxRAYyKTK1+ha6RpMGcxCzAJBgNVBAYTAklUMQ8w
+DQYDVQQIEwZTaWNpbHkxEDAOBgNVBAcTB0NhdGFuaWExDjAMBgNVBAoTBVJlZGlz
+MREwDwYDVQQLEwhTZWN1cml0eTESMBAGA1UEAxMJMTI3LjAuMC4xggkAzuTKMLz1
+CP8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAeFKB7DUixmxbdvNw
+n/mNoHK+OOZXmfxZDCo0v2gcQ4WXUiCqL6MagrImCvkEz5RL6Fk2ZflEV2iGQ5Ds
+CmF2n47ISpqG29bfI5R1rcbfqK/5tazUIhQu12ThNmkEh7hCuW/0LqJrnmxpuRLy
+le9e3svCC96lwjFczzU/utWurKt7S7Di3C4P+AXAJJuszDMLMCBLaB/3j24cNpOx
+zzeZo02x4rpsD2+MMfRDWMWezVEyk63KnI0kt3JGnepsKCFc48ZOk09LwFk3Rfaq
+zuKSgEJJw1mfsdBfysM0HQw20yyjSdoTEfQq3bXctTNi+pEOgW6x7TMsnngYYLXV
+9XTrpg==
+-----END CERTIFICATE-----

test/support/ssl/trusted-ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAx6JsWoQbfya030NJfLo1l13sCMfj8P5V0POVsmUjkgEAIJX2
+no/aPk8WUW+QcUTq+vpuIxotc0CZQdh8PN5P3ks4Mce37weVHnVw1iue30Hd6JXA
+Scnv5rG4MeDqdSAtd4p6iD68Sqt5nAucWJvG3aqkXN7HPIonfs+b6IB7LmCUJz+/
+sQJhDixZVVX5yIL6wDCZkN9lcIFC1FGiQnqKSpAPBZUO6AZxXjp95Om7v06aQssz
+w8jcTujDYX/eK/ruCZ2U7mb3BfVqFbMkpRqkFPGB/hdAbSzrRZsL2Iki+BdEZbvB
+ZKypJUmR8tiWUNM+B+kvKXX4VHcDhrCuw+IxVQIDAQABAoIBAQCzbGHiQJXOA+XQ
+O9OSjHGaJ8n6Yl2VvaE3eZXzjj8X/Fo271GGVVgbZE10x8aUZxKim+3dEqwCx+52
+ZbHTqyMxcX2CEDRaWwBFLdxKQU467iIZ5m26ZAp/1v7rpXBT8KWsqQNT7L6ihdd4
+zl6orOlhVPsAlSGQYcL5kHJZ1w/fL0phEbwdISd3PYhGHXMNmqfXorzJYHDQA4R+
+yR7WpP1dmnUeEKrHc9FFcBZ75BGlWjdCPZMFKc7IndZumarhBpWH9yZMUxrUIo4V
+SCweRUFdD5H1lMZ0YiIAE25wKNEQ2iGd3Jfr8Vj1KFSHC9I2FJA3aFRRUgTwxx/W
+h0mJy1ZJAoGBAPYsSSlwQdxZjnyZiVkNSD4MoLdof//nRxeKGejq6AiXDvcsLyJy
+0MKk4YBFw2249TWm/KBbMAFiBE7d8uPtP5pPfjNVPX6VltH3AhSZ7Ugbpo6C3NFA
+GpzFVtNaWgCVDloDVdmsY7ssDFuAIih0paklPAqnLY+Ua9m1BiEPrB+bAoGBAM+a
+i+0NMR4AyKpuo1exdd+7BIHw5HNPwGmR1ggdGWduH0zsOhEawQKKFv1X9xKAcXxW
+PyeD56/Tmn7fkWvuE8dOu9E6em0vgmxhYyn4nyLAFYF5uKXYo78MpIEThdpl1ldT
+iHwG/25vunaBUHhwbHPUD+F989tmRuCjoFkuA5nPAoGAaqPIlcDhZvkMtoE0dHVC
+hE6oGIuWV17y9wmGK9YG6iG2A/EKAhxGvur6HL0b6Z4j6zgJW9Xkt9SkFR4kqAQQ
+d2JUQxx75SgcC5y7M/1yQrhnsHiT+7mPTbZW5HvRXUs0yl2DhSYeleiA+epJ4ciW
+Mu3EUsEVBYvAJLE8lHnbkF0CgYEAhyxpz3+3a4G3JsHDOWYjCfoLhVAEb9CNyC9c
+3QuVbvMVDlEBvgFdivm+3lZYWYOoYP0HQgNw59svzUxks5Hg7vUk9abN8CnvEgKX
+PszTUR0g450NzW6xr8PbmO/NR9bnKRUK2Tb1OkMldePdMY6CDykU7g3EqiZ+H+Zq
+kaaUUaECgYEAmk5W+S94q5jLemnfAChC5lva/0/aHdhtaoH4Lo+j0haMsdiy8/ZE
+sh+3gQ8pqwaCAwnKxAcppt/FNZ7tHRsH3oyY6biypn3WppQj+BA41nuzbspOKJhR
+ZDXKFCItbzUjyi23Dx4P4DgMivkpV+e88RMIuBnv4yjl5iOLq+vf4Rg=
+-----END RSA PRIVATE KEY-----

test/support/ssl/trusted-cert.crt

@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 14908262977180600576 (0xcee4ca30bcf50900)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=IT, ST=Sicily, L=Catania, O=Redis, OU=Security, CN=127.0.0.1
+        Validity
+            Not Before: Apr  2 03:34:42 2016 GMT
+            Not After : Jun 23 03:34:42 2050 GMT
+        Subject: C=IT, ST=Sicily, O=Redis, OU=Security, CN=127.0.0.1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ab:bf:ac:ef:dc:99:35:fa:07:3f:d5:33:86:f1:
+                    7d:9e:57:8b:d5:c1:10:04:0c:35:95:7c:61:ff:05:
+                    a6:f9:ef:71:5c:c5:83:68:a2:ad:5d:0f:a5:2b:b4:
+                    76:9f:36:8f:df:75:fb:d6:48:00:c0:f0:68:56:f6:
+                    49:84:4d:4e:e1:ca:dd:24:9f:2f:5e:7c:35:26:57:
+                    d6:d5:95:d1:3f:40:32:22:43:2c:8c:b7:8c:89:56:
+                    7c:d0:94:e5:f7:cf:4a:51:3f:60:b2:fe:1f:3b:38:
+                    d6:47:5d:2e:4f:38:75:d9:9b:c8:0f:d1:fd:91:5a:
+                    07:c3:94:95:1f:7b:f1:ae:dc:a1:83:e2:6b:78:05:
+                    34:b3:8b:87:86:31:9f:cc:8b:15:cd:18:2e:06:36:
+                    ca:f8:29:f8:6e:93:60:78:ec:8a:e8:a6:94:ad:24:
+                    a8:e3:d4:ac:42:da:52:0f:34:e8:d0:10:e5:53:db:
+                    f8:3a:56:48:10:33:df:80:70:1c:72:5e:1f:c3:11:
+                    bb:3b:b9:6b:0a:e0:82:eb:67:d4:8f:5c:30:d3:cf:
+                    17:6d:86:01:0e:ae:43:c1:d8:c0:5e:99:ef:fa:60:
+                    0a:f2:62:68:62:8b:05:f3:8b:b1:34:d8:70:78:35:
+                    74:76:c2:46:13:a3:1f:5d:7b:3b:49:20:1e:98:54:
+                    63:77
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                81:DE:C0:39:F9:8A:57:50:DB:B1:6A:B3:D0:5F:E9:2C:87:5A:1E:3D
+            X509v3 Authority Key Identifier: 
+                keyid:F9:81:BD:90:94:77:57:2D:F5:77:B4:15:CB:14:40:63:22:93:2B:5F
+
+    Signature Algorithm: sha1WithRSAEncryption
+         a3:0a:d7:22:5a:bc:cc:f6:ed:2f:f2:9f:dd:e0:46:02:73:14:
+         dd:a7:f5:39:b9:16:19:16:36:b6:22:5c:66:14:c0:d3:ac:55:
+         fc:52:2d:c3:b2:70:5f:cf:3d:23:71:78:e9:31:88:65:2c:2e:
+         4a:09:6e:4b:97:bb:4d:38:87:d8:25:ed:bb:ed:62:19:08:50:
+         f2:40:cc:39:ee:f9:a8:3a:5d:2b:e7:34:eb:8a:74:c7:c9:bc:
+         88:9b:9b:ca:5b:11:20:ca:53:b2:0b:20:49:fc:b9:f7:ec:03:
+         c9:5d:c1:24:75:27:f8:7c:70:dc:6a:2c:98:48:93:5f:7f:7e:
+         94:a1:cf:79:b3:24:e3:de:9e:f0:0f:d8:d6:3e:c9:52:30:31:
+         87:90:c2:d2:23:be:d8:7a:e9:e6:bb:4b:00:75:30:49:4b:98:
+         d5:f6:7d:b5:83:b5:57:85:20:98:00:51:55:c3:a2:81:ec:6c:
+         11:91:33:60:14:7b:d2:01:ee:5b:bf:5b:68:f5:e0:4e:45:0a:
+         68:cd:33:4f:29:72:fa:fe:6a:19:b6:84:70:90:a4:d5:7a:04:
+         2e:da:5b:98:4f:e4:aa:a6:c4:68:aa:5c:8c:a5:5e:df:20:94:
+         22:f7:37:45:71:a4:bc:72:34:ee:42:cf:9d:0f:fb:4a:39:d1:
+         8e:41:f3:3f
+-----BEGIN CERTIFICATE-----
+MIIDvDCCAqSgAwIBAgIJAM7kyjC89QkAMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNV
+BAYTAklUMQ8wDQYDVQQIEwZTaWNpbHkxEDAOBgNVBAcTB0NhdGFuaWExDjAMBgNV
+BAoTBVJlZGlzMREwDwYDVQQLEwhTZWN1cml0eTESMBAGA1UEAxMJMTI3LjAuMC4x
+MCAXDTE2MDQwMjAzMzQ0MloYDzIwNTAwNjIzMDMzNDQyWjBVMQswCQYDVQQGEwJJ
+VDEPMA0GA1UECBMGU2ljaWx5MQ4wDAYDVQQKEwVSZWRpczERMA8GA1UECxMIU2Vj
+dXJpdHkxEjAQBgNVBAMTCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKu/rO/cmTX6Bz/VM4bxfZ5Xi9XBEAQMNZV8Yf8FpvnvcVzFg2ii
+rV0PpSu0dp82j991+9ZIAMDwaFb2SYRNTuHK3SSfL158NSZX1tWV0T9AMiJDLIy3
+jIlWfNCU5ffPSlE/YLL+Hzs41kddLk84ddmbyA/R/ZFaB8OUlR978a7coYPia3gF
+NLOLh4Yxn8yLFc0YLgY2yvgp+G6TYHjsiuimlK0kqOPUrELaUg806NAQ5VPb+DpW
+SBAz34BwHHJeH8MRuzu5awrggutn1I9cMNPPF22GAQ6uQ8HYwF6Z7/pgCvJiaGKL
+BfOLsTTYcHg1dHbCRhOjH117O0kgHphUY3cCAwEAAaN7MHkwCQYDVR0TBAIwADAs
+BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFIHewDn5ildQ27Fqs9Bf6SyHWh49MB8GA1UdIwQYMBaAFPmBvZCUd1ct
+9Xe0FcsUQGMikytfMA0GCSqGSIb3DQEBBQUAA4IBAQCjCtciWrzM9u0v8p/d4EYC
+cxTdp/U5uRYZFja2IlxmFMDTrFX8Ui3DsnBfzz0jcXjpMYhlLC5KCW5Ll7tNOIfY
+Je277WIZCFDyQMw57vmoOl0r5zTrinTHybyIm5vKWxEgylOyCyBJ/Ln37APJXcEk
+dSf4fHDcaiyYSJNff36Uoc95syTj3p7wD9jWPslSMDGHkMLSI77Yeunmu0sAdTBJ
+S5jV9n21g7VXhSCYAFFVw6KB7GwRkTNgFHvSAe5bv1to9eBORQpozTNPKXL6/moZ
+toRwkKTVegQu2luYT+SqpsRoqlyMpV7fIJQi9zdFcaS8cjTuQs+dD/tKOdGOQfM/
+-----END CERTIFICATE-----

test/support/ssl/trusted-cert.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrv6zv3Jk1+gc/
+1TOG8X2eV4vVwRAEDDWVfGH/Bab573FcxYNooq1dD6UrtHafNo/fdfvWSADA8GhW
+9kmETU7hyt0kny9efDUmV9bVldE/QDIiQyyMt4yJVnzQlOX3z0pRP2Cy/h87ONZH
+XS5POHXZm8gP0f2RWgfDlJUfe/Gu3KGD4mt4BTSzi4eGMZ/MixXNGC4GNsr4Kfhu
+k2B47IroppStJKjj1KxC2lIPNOjQEOVT2/g6VkgQM9+AcBxyXh/DEbs7uWsK4ILr
+Z9SPXDDTzxdthgEOrkPB2MBeme/6YAryYmhiiwXzi7E02HB4NXR2wkYTox9deztJ
+IB6YVGN3AgMBAAECggEASmOxIgtoiQqMzUcpFE/Q2x6MQL9okng/VUoUoALwudzO
+OyKJsm6TrHU0U2PM5VUap+1QcRWqzebTKqduXFGn0wCtHEmemMwvsTXmpYhIo57I
+mDKEP0bZJjtBwI5dtSIhzGMpHR4YpOwPU8W2YzXPRbvFwaRwsd5O8pWOqZ5jphrQ
+DtkLNz4hIFsMihPeYFpuAjsZ2cMIGPtlY2qbfjyno7hd7LxNzL/2vMlDw5MHHtw4
+snxLN92KomC6rSUUydNDyemyMpg8iRwm7gmYzVoZf6aTbI2RdFcv2KZfpUWYdB+I
+yU8ZV1Sch7VQ+xLVy74SuY8AZ2Rq4S3M+EmEa5ghoQKBgQDfgOIyStulfYn6UC1A
+OYwcGoSOaVNfPE/m9BZN58xK0+XnEqQECMsyg/GYS65Zri4+KJYPxqv6f9ljLTGE
+0PxiA7wq+QWnv4EM+3aGShxwyVlmgJZyyBfJtAMr1iDm4JsidTT5GMdfxRICPGZY
+WVggcz/cVu39OxRrumREuTWAzwKBgQDEuGheZv68cYt5EkzOWxeFQyt1bzXn1CJg
+IXnIFZIekJhVGpBG+zMAYri9+hSheiDrwfIcSfTq9LxF6JNUvaU4qMrkwvW21jKs
+n7ofcA+VYq2mggoIuuvKVqXemLHorC0U/zCMnM6rycaa9sB5tsF+Js93uvf1TEJt
+veV0yCeM2QKBgF1M0iAoe7SDyXuCyMEMxN5ee4NvmGwjIz/IGR+Aahm6hziE4Y8F
+lL2LsujefvPU8FzmWG5Rgy1Y/YiXLxrAmvrXkE9oEOJL4TVoK7w3Z9P1Waqedy+H
+M9bxnHlKNAXtMRWbU/fATko+XBwu1pJ/CXjSY5A5gbO6W/X0ozLFFf6lAoGABRZ7
+5I0nY3pQUCZQBDpI5nJxSk1BCKjs5q2W97zPFalJt1HDj4JptEXZX1h7dh2xgkd2
+2pJzGiyQPgKg5N0uy8NZ1AbS0hLCJsLOzodYb9Wohhjw537mIEqTaalrWIgzdkqP
+V+OqWLkUQOfG3J8EbB3W2dLlHNwHD82MhLO0iikCgYEAvdK5LmpUdZXMVtiOMZO5
+t3M0vwi6vPhW7DV1QET51x/U+SyH4rvZGeqRl+gcKrZ8SreOlyICvsPgVmvLCrHE
+gJLPWJIzI8Mg6u91/KpiVmRahnJjOn3oHNuLSqFjn9lIhmA5dN7zQDXzPdYrWPNR
+u1QX+JLhlP33ejgdkdLsNiM=
+-----END PRIVATE KEY-----

test/support/ssl/untrusted-ca.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXDCCA0SgAwIBAgIJAIgFm03l5AJkMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
+BAYTAlhYMRIwEAYDVQQIEwlVbnRydXN0ZWQxEjAQBgNVBAcTCUV2aWx2aWxsZTEU
+MBIGA1UEChMLRXZpbCBIYWNrZXIxGjAYBgNVBAsTEUF0dGFjayBEZXBhcnRtZW50
+MRIwEAYDVQQDEwkxMjcuMC4wLjEwIBcNMTYwNDAyMDMzNDUxWhgPMjA1MDA2MjMw
+MzM0NTFaMHsxCzAJBgNVBAYTAlhYMRIwEAYDVQQIEwlVbnRydXN0ZWQxEjAQBgNV
+BAcTCUV2aWx2aWxsZTEUMBIGA1UEChMLRXZpbCBIYWNrZXIxGjAYBgNVBAsTEUF0
+dGFjayBEZXBhcnRtZW50MRIwEAYDVQQDEwkxMjcuMC4wLjEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCtXxcEGUrGqAqlBK94B8IwSkB8OnLYC/c/6Tde
+WG46pzmZWZvffi0akcKKubRNcfoavOuqLuNnpQDkIlnJ37K/LZk8Q5+aMoUGBiQ2
+jSN1707sFqH3eTFvXOUzlDEcsBa7Y7RuaI8SXg1UGsnnCcj6H3BW2xKcXPN6/s30
+vhNw2CPqtXm4NOD3Zb5FkB9epAEejRg0OPn5DJ3mESVp/H2EqkptMZ+6cOk2/CMc
+e8AAfcxBGwKuOMXNODszTNxN+OuGCHOxx8+vR/eV35tonISwbkmO9WI6DC+pWT2s
+PvDhuQtqsrVofCP/pireb5Ce/7bP/FsZcNSMMfV5dponcYrrAgMBAAGjgeAwgd0w
+HQYDVR0OBBYEFLeDNvKpJKmuyPsamax2AZTijdkwMIGtBgNVHSMEgaUwgaKAFLeD
+NvKpJKmuyPsamax2AZTijdkwoX+kfTB7MQswCQYDVQQGEwJYWDESMBAGA1UECBMJ
+VW50cnVzdGVkMRIwEAYDVQQHEwlFdmlsdmlsbGUxFDASBgNVBAoTC0V2aWwgSGFj
+a2VyMRowGAYDVQQLExFBdHRhY2sgRGVwYXJ0bWVudDESMBAGA1UEAxMJMTI3LjAu
+MC4xggkAiAWbTeXkAmQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA
+FWYTrxi/h7PYIpp09QsbDiGdC7gmp04HTx82NvBaUFaLk8ygz4DUz5u7QyTDdAga
+yWviHghuyZ6vv5Ubaj7XLOzLM6rYsQjkVq5ltwP+9V/U/b5jOHvZdYqdatVXUXxR
+SO+e3QYiMpM4Vs/NNXhpUp6apD7VcoB2LgK3vGDJ526PBJjgw24311t8O7kDTwkt
+AwX56/KTolMI+k9rT8Ee6aucT6gBNf0judhNkPVo+6CYgjmEVRrN/xaFCUNSpv5E
+O6uIcxSSX6a5iOZ/EH+GyHb6kDmztn/Hes+UN9+gMuAK7+LgsD2mYbxn9Pnaerrs
+2nER8XurylLxi0GLvNWNdQ==
+-----END CERTIFICATE-----