Merge branch 'origin-frame' into 'master'

HTTP/2 Origin frame

See merge request honeyryderchuck/httpx!58

docker-compose-ruby-2.3.yml

@@ -2,3 +2,7 @@ version: '3'
 services:
   httpx:
     image: ruby:2.3-alpine
+    environment:
+      - HTTPBIN_COALESCING_HOST=another
+    links:
+      - "nghttp2:another"

docker-compose-ruby-2.4.yml

@@ -2,3 +2,7 @@ version: '3'
 services:
   httpx:
     image: ruby:2.4-alpine
+    environment:
+      - HTTPBIN_COALESCING_HOST=another
+    links:
+      - "nghttp2:another"

docker-compose-ruby-2.5.yml

@@ -2,3 +2,7 @@ version: '3'
 services:
   httpx:
     image: ruby:2.5-alpine
+    environment:
+      - HTTPBIN_COALESCING_HOST=another
+    links:
+      - "nghttp2:another"

docker-compose-ruby-2.6.yml

@@ -2,3 +2,7 @@ version: '3'
 services:
   httpx:
     image: ruby:2.6-alpine
+    environment:
+      - HTTPBIN_COALESCING_HOST=another
+    links:
+      - "nghttp2:another"

docker-compose.yml

@@ -19,6 +19,7 @@ services:
       - BUNDLE_PATH=/usr/local/bundle
       - BUNDLE_SILENCE_ROOT_WARNING=1
       - BUNDLE_APP_CONFIG=/usr/local/bundle
+      - HTTPBIN_ALTSVC_HOST=another2
     image: ruby:alpine
     depends_on:
       - httpproxy 
@@ -27,10 +28,10 @@ services:
       - nghttp2
     volumes:
       - ./:/home
+    links:
+      - "altsvc-nghttp2:another2"
     entrypoint:
       /home/test/support/ci/build.sh
-    links:
-      - "nghttp2:another"
 
   sshproxy:
     build:
@@ -66,8 +67,22 @@ services:
     volumes:
       - ./test/support/ci:/home
     command:
-      --conf /home/nghttp.conf --no-ocsp
-          
+      --conf /home/nghttp.conf --no-ocsp --frontend 0.0.0.0,80;no-tls --frontend 0.0.0.0,443
+
+  altsvc-nghttp2:
+    image: registry.gitlab.com/honeyryderchuck/httpx/nghttp2:2
+    ports:
+      - 81:80
+      - 444:443
+    depends_on:
+      - httpbin
+    entrypoint:
+      /usr/local/bin/nghttpx
+    volumes:
+      - ./test/support/ci:/home
+    command:
+      --conf /home/nghttp.conf --no-ocsp --frontend 0.0.0.0,80;no-tls --frontend 0.0.0.0,443 --altsvc "h2,443,nghttp2"
+
   httpbin:
     environment:
       - DEBUG=True

integration/README.md

@@ -0,0 +1,3 @@
+# Integration
+
+This section is to test certain cases where we can't reliably reproduce in our test environments, but can be ran locally. 

integration/altsvc.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "httpx"
+
+URL = "https://blog.alteroot.org"
+# URL = "https://www.google.com/"
+
+HTTPX.with(max_concurrent_requests: 1) do |client|
+  puts client.get(URL, URL, URL).map(&:status)
+end
+

integration/coalescing.rb

@@ -0,0 +1,9 @@
+require "httpx"
+
+URLS  = %w[https://graph.facebook.com/ https://developers.facebook.com/]
+HTTPX.wrap do |http|
+  URLS.each do |url|
+    response = http.get(url)
+    puts "Status: #{response.status}"
+  end
+end

lib/httpx/connection.rb

@@ -80,7 +80,16 @@ module HTTPX
     def match?(uri, options)
       return false if @state == :closing || @state == :closed
 
-      (@origins.include?(uri.origin) || match_altsvcs?(uri)) && @options == options
+      (
+        (
+          @origins.include?(uri.origin) &&
+          # if there is more than one origin to match, it means that this connection
+          # was the result of coalescing. To prevent blind trust in the case where the
+          # origin came from an ORIGIN frame, we're going to verify the hostname with the
+          # SSL certificate
+          (@origins.size == 1 || @origin == uri.origin || @io.verify_hostname(uri.host))
+        ) || match_altsvcs?(uri)
+      ) && @options == options
     end
 
     def mergeable?(connection)
@@ -102,8 +111,8 @@ module HTTPX
     def merge(connection)
       @origins += connection.instance_variable_get(:@origins)
       pending = connection.instance_variable_get(:@pending)
-      pending.each do |req, args|
-        send(req, args)
+      pending.each do |req|
+        send(req)
       end
     end
 
@@ -275,6 +284,9 @@ module HTTPX
       parser.on(:promise) do |request, stream|
         request.emit(:promise, parser, stream)
       end
+      parser.on(:origin) do |origin|
+        @origins << origin
+      end
       parser.on(:close) do
         transition(:closing)
       end

lib/httpx/connection/http1.rb

@@ -9,6 +9,8 @@ module HTTPX
 
     CRLF = "\r\n"
 
+    attr_reader :pending
+
     def initialize(buffer, options)
       @options = Options.new(options)
       @max_concurrent_requests = @options.max_concurrent_requests

lib/httpx/connection/http2.rb

@@ -107,6 +107,7 @@ module HTTPX
       @connection.on(:frame, &method(:on_frame))
       @connection.on(:frame_sent, &method(:on_frame_sent))
       @connection.on(:frame_received, &method(:on_frame_received))
+      @connection.on(:origin, &method(:on_origin))
       @connection.on(:promise, &method(:on_promise))
       @connection.on(:altsvc) { |frame| on_altsvc(frame[:origin], frame) }
       @connection.on(:settings_ack, &method(:on_settings))
@@ -265,6 +266,10 @@ module HTTPX
       emit(:promise, @streams.key(stream.parent), stream)
     end
 
+    def on_origin(origin)
+      emit(:origin, origin)
+    end
+
     def respond_to_missing?(meth, *args)
       @connection.respond_to?(meth, *args) || super
     end

lib/httpx/pool.rb

@@ -90,6 +90,7 @@ module HTTPX
 
       if found_connection.state == :open
         coalesce_connections(found_connection, connection)
+        throw(:coalesced, found_connection)
       else
         found_connection.once(:open) do
           coalesce_connections(found_connection, connection)

lib/httpx/resolver/resolver_mixin.rb

@@ -32,7 +32,7 @@ module HTTPX
         end
         log(label: "resolver: ") { "answer #{connection.origin.host}: #{addresses.inspect}" }
         connection.addresses = addresses
-        emit(:resolve, connection)
+        catch(:coalesced) { emit(:resolve, connection) }
       end
 
       def early_resolve(connection, hostname: connection.origin.host)

lib/httpx/session.rb

@@ -140,15 +140,17 @@ module HTTPX
         when "https"
           "ssl"
         when "h2"
-          options = options.merge(ssl: { alpn_protocols: %w[h2] })
+          options = options.merge(ssl: SSL::TLS_OPTIONS)
           "ssl"
         else
           raise UnsupportedSchemeError, "#{uri}: #{uri.scheme}: unsupported URI scheme"
         end
       end
       connection = options.connection_class.new(type, uri, options)
-      pool.init_connection(connection, options)
-      connection
+      catch(:coalesced) do
+        pool.init_connection(connection, options)
+        connection
+      end
     end
 
     def send_requests(*requests, options)

test/http_test.rb

@@ -15,6 +15,7 @@ class HTTPTest < Minitest::Test
   include IO
   include Timeouts
   include Errors
+  include AltSvc if ENV.key?("HTTPBIN_ALTSVC_HOST")
 
   include Plugins::Proxy unless ENV.key?("HTTPX_NO_PROXY")
   include Plugins::Authentication

test/https_test.rb

@@ -13,6 +13,8 @@ class HTTPSTest < Minitest::Test
   include IO
   include Timeouts
   include Errors
+  # TODO: uncomment as soon as nghttpx supports altsvc for HTTP/2
+  # include AltSvc if ENV.key?("HTTPBIN_ALTSVC_HOST")
 
   include Plugins::Proxy unless ENV.key?("HTTPX_NO_PROXY")
   include Plugins::Authentication
@@ -23,6 +25,22 @@ class HTTPSTest < Minitest::Test
   include Plugins::Retries
   include Plugins::Multipart
 
+  def test_connection_coalescing
+    coalesced_origin = "https://#{ENV["HTTPBIN_COALESCING_HOST"]}"
+    HTTPX.wrap do |http|
+      response1 = http.get(origin)
+      verify_status(response1, 200)
+      response2 = http.get(coalesced_origin)
+      verify_status(response2, 200)
+      # introspection time
+      pool = http.__send__(:pool)
+      connections = pool.instance_variable_get(:@connections)
+      assert connections.any? { |conn|
+        conn.instance_variable_get(:@origins) == [origin, coalesced_origin]
+      }, "connections didn't coalesce (expected connection with both origins)"
+    end
+  end if ENV.key?("HTTPBIN_COALESCING_HOST")
+
   private
 
   def origin(orig = httpbin)

test/support/ci/certs/ca-bundle.crt

@@ -1,123 +1,97 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number:
-            98:cf:73:54:2c:1b:55:5b
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=PT, ST=Kingston, L=Babylon, O=Bumbaklat, OU=Orga, CN=Reefa/emailAddress=reef@reef.com
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=PT, ST=LX, L=Lisbon, O=nghttp2, OU=nghttp2, CN=nghttp2
         Validity
-            Not Before: Feb 10 19:47:59 2018 GMT
-            Not After : Nov 30 19:47:59 2020 GMT
-        Subject: C=PT, ST=Kingston, L=Babylon, O=Bumbaklat, OU=Orga, CN=Reefa/emailAddress=reef@reef.com
+            Not Before: Dec 15 15:06:21 2019 GMT
+            Not After : Dec 14 15:06:21 2020 GMT
+        Subject: C=PT, ST=LX, O=Bumbaklat, OU=nghttp2, CN=nghttp2
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:c0:8b:0e:f7:c1:1a:00:95:4f:b3:95:5d:2a:60:
-                    4e:1c:d5:98:4b:7d:16:3c:5c:90:93:b9:16:96:f4:
-                    87:c2:77:8e:5c:8c:12:a7:b6:57:a6:07:b2:21:85:
-                    cc:17:20:bc:8d:0f:8f:1b:94:7d:a1:2a:36:0f:a0:
-                    8d:53:80:6b:23:1d:59:59:63:a7:b0:aa:99:94:73:
-                    ce:f4:4d:23:b1:0f:ee:6a:8b:75:59:cf:91:32:41:
-                    2e:22:d3:20:41:0c:a5:43:d5:96:fe:ab:ea:31:df:
-                    47:40:30:2b:eb:09:ac:45:ba:da:e8:84:44:30:57:
-                    44:35:25:85:99:58:e2:c8:1f:ef:50:1f:4e:ef:0f:
-                    b2:b3:66:24:00:12:8f:de:7d:0f:c1:0b:94:99:fc:
-                    18:9e:3b:41:79:02:3c:94:7f:3d:e6:b1:ed:e7:d8:
-                    b9:01:93:67:09:49:6b:08:43:54:37:7c:a2:83:71:
-                    40:f9:9e:88:fa:ae:f3:4e:bd:cb:70:2e:87:ce:9d:
-                    e0:62:03:07:54:ca:da:25:1a:53:1b:76:71:44:81:
-                    48:89:5a:6f:83:3b:65:e5:5a:1f:14:58:42:08:16:
-                    3a:37:f6:a0:b9:90:00:aa:b5:ba:48:db:d9:0c:e6:
-                    7c:d9:d8:5d:9d:95:32:5e:35:2c:6b:9b:e0:77:3f:
-                    cd:6d:b4:f5:9d:09:23:ff:cd:4f:31:0e:8e:ef:4c:
-                    b3:33:56:1e:62:ff:0c:ca:01:3d:16:de:dc:51:62:
-                    5c:a2:f6:5e:5e:00:98:8f:31:55:eb:16:1d:5d:a1:
-                    87:25:4f:9b:76:d8:78:5d:a3:58:8f:34:b4:7e:4e:
-                    ab:89:bc:c6:cc:01:21:18:3b:68:0b:7b:ea:d6:d1:
-                    f4:79:b2:53:96:a1:53:14:d6:b1:ad:48:c9:e4:4e:
-                    77:d6:c1:b1:82:35:20:12:02:f0:b7:91:d0:ac:43:
-                    3f:34:2d:f4:f1:58:8c:31:75:bd:0b:7a:18:98:ab:
-                    c7:25:14:da:b1:02:b5:55:69:a2:68:85:02:c9:d7:
-                    db:e4:aa:86:02:ae:83:b1:18:0b:f0:e2:f1:da:23:
-                    54:4b:16:8f:22:11:5e:7c:3a:61:c5:e0:46:3d:9a:
-                    74:4b:ca:42:4e:8e:40:68:9e:96:30:79:3c:df:5f:
-                    d7:1e:6b:4f:13:a7:ad:38:53:fa:e2:0e:04:91:37:
-                    de:6f:d7:36:4e:00:b2:8a:61:eb:f5:c8:a6:40:38:
-                    2a:29:95:21:e5:fa:62:84:42:3a:72:4d:1f:9b:86:
-                    52:25:c6:cf:1a:d4:98:d0:26:6d:53:d7:89:08:c1:
-                    3b:d6:bf:eb:21:6c:22:ad:f1:b4:ec:97:a2:a2:32:
-                    52:bc:b3
+                    00:c1:1e:49:7f:b8:7e:23:04:4e:59:02:75:15:9b:
+                    ad:3f:0a:dd:36:a0:69:cc:40:23:3e:cb:02:af:34:
+                    3b:15:f0:52:9a:95:09:23:06:ed:ef:ec:0d:27:f2:
+                    e0:8a:b3:3a:67:f5:8f:8c:15:86:f0:a6:87:6a:be:
+                    e7:52:d5:fe:f4:c4:fc:ee:78:7a:e8:f7:23:5a:25:
+                    b5:14:65:6e:6e:79:33:2a:3d:d9:aa:cf:df:31:48:
+                    c7:7d:a9:b0:36:83:ef:91:6d:73:84:82:02:1c:d0:
+                    bb:8c:0f:9a:ed:34:3a:8b:b4:17:14:26:a0:d9:b8:
+                    8c:a4:f9:ee:72:34:ea:ef:e9:f6:23:0b:67:44:6d:
+                    dc:64:71:25:50:ae:3c:37:f8:c3:b5:bd:7e:e9:49:
+                    11:19:69:dc:bd:5a:ba:b1:9b:9d:f2:ce:6b:b2:b5:
+                    cd:ca:9b:a2:56:ee:ab:79:9e:a1:86:18:f8:4a:54:
+                    32:33:5d:6a:69:be:cf:b5:12:f3:fd:26:cc:77:19:
+                    08:33:d3:fd:6e:be:ec:b1:ce:03:0d:32:56:6d:03:
+                    7f:7c:67:64:3f:b9:b6:b7:ea:97:80:89:cd:12:11:
+                    d1:24:e2:09:82:dc:81:16:39:e8:35:19:8a:db:a4:
+                    dd:7f:1f:c9:70:19:df:bf:03:b9:88:7f:c8:20:a7:
+                    57:45
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                F9:73:66:C9:3C:56:45:07:95:E3:BE:67:B4:F2:DF:57:C4:FB:C8:F6
-            X509v3 Authority Key Identifier: 
-                keyid:F9:73:66:C9:3C:56:45:07:95:E3:BE:67:B4:F2:DF:57:C4:FB:C8:F6
-
             X509v3 Basic Constraints: 
-                CA:TRUE
-    Signature Algorithm: sha256WithRSAEncryption
-         48:91:ad:bd:a8:75:22:2f:d4:37:b1:97:a3:1a:fd:a2:29:68:
-         c7:e4:2d:39:b4:2d:ec:28:34:f1:17:56:c1:02:00:28:78:35:
-         c0:91:11:85:98:aa:00:69:84:e8:6d:51:ab:80:58:3c:b8:06:
-         cb:92:84:42:dc:58:e9:06:b7:95:89:00:28:ff:4d:6e:c0:f5:
-         1e:16:8b:13:e2:73:60:8b:2e:1f:cd:f2:eb:80:1a:bb:a6:bf:
-         b0:17:4e:a1:7a:0a:f0:0e:67:a7:13:b2:4a:fa:41:69:69:00:
-         0e:b0:cf:7a:9f:d4:c6:fd:5f:8e:a2:6c:22:91:ad:12:cc:f7:
-         a0:2a:74:39:60:6a:f8:be:e0:f0:d1:83:da:12:5b:a5:89:c7:
-         22:90:1f:0d:42:68:0f:05:e9:65:c3:47:c3:69:b1:64:c3:22:
-         99:c1:74:bd:b5:ad:0a:d6:43:a8:62:3d:6b:15:57:88:91:1f:
-         86:53:9f:51:9b:17:fe:e7:1d:65:d3:e5:99:c9:f1:81:f1:10:
-         e2:ec:58:77:08:ff:9e:04:54:2c:70:c0:4c:e6:69:95:82:fc:
-         b7:06:4c:43:dc:54:e9:47:52:0d:90:4d:b9:16:b7:ac:d9:16:
-         f1:f5:98:a8:1c:ec:dc:6a:47:11:98:90:16:eb:16:47:9c:ca:
-         6e:f3:ee:22:3d:b6:4d:6c:06:97:7e:b3:2a:75:d1:a9:e5:c9:
-         6b:81:c8:22:19:5f:a7:3c:02:bf:bb:2d:7c:e9:22:c6:c9:72:
-         8b:f4:32:d5:51:ff:e9:2c:3f:93:77:bb:36:16:21:b5:cf:1e:
-         65:bb:26:0f:e3:cc:2f:c2:36:15:30:48:a2:49:c1:51:9a:69:
-         4f:be:d9:d0:8d:61:6b:3e:dc:71:08:2f:58:26:57:86:4b:ed:
-         59:ae:92:99:27:0d:17:0a:5b:a6:31:84:7e:2d:d1:4a:fb:fe:
-         6b:1e:44:4d:10:3e:e1:33:dc:3b:3a:08:68:3d:f9:9b:b8:37:
-         59:ae:03:b2:aa:7d:fd:9b:6d:fa:e9:34:62:b3:f7:02:60:b4:
-         14:7e:37:b2:ae:6d:68:63:6c:dd:5f:b5:84:8f:59:99:09:74:
-         d8:f8:5f:aa:32:7c:2e:e0:75:26:27:ff:d5:16:e1:ae:d7:d2:
-         44:0f:60:af:13:56:9a:38:f1:f2:b2:1a:6b:a7:62:30:99:70:
-         1d:0c:cb:25:3d:d9:8d:5a:a0:86:71:3a:81:c5:a4:b2:11:9b:
-         71:14:f3:b7:5b:78:39:04:17:7d:52:5a:52:c0:d4:eb:f2:a5:
-         b7:58:10:51:f0:07:b3:7e:86:95:c4:00:e0:b8:79:65:d5:63:
-         0d:56:fd:0c:bb:a9:55:0b
+                CA:FALSE
+            X509v3 Subject Alternative Name: 
+                DNS:nghttp2, DNS:another, DNS:another2
+            X509v3 Subject Key Identifier: 
+                A7:48:14:0C:C7:98:26:7E:48:0B:BA:FB:AF:78:A3:E6:08:A1:5A:BE
+    Signature Algorithm: sha1WithRSAEncryption
+         bc:b3:e1:1d:50:ff:d5:b0:9d:b1:0f:74:71:a8:c1:52:c1:9e:
+         f2:79:88:4b:30:4c:17:d1:88:f7:e9:0a:f9:4d:53:94:a5:8d:
+         bc:30:35:ca:ca:24:3e:2b:02:d8:16:07:1c:f1:31:af:c5:db:
+         94:e2:d8:32:09:6e:b3:28:e5:35:14:3e:60:8b:db:65:cd:f0:
+         77:ec:7a:1f:0b:bb:a8:5e:bd:67:b3:16:5a:a3:b4:f6:fd:84:
+         26:05:27:27:ad:0b:fa:20:96:c7:0a:66:84:d4:19:1f:c4:f9:
+         12:82:0d:04:0d:f3:8a:90:f3:6a:2c:b1:aa:cd:f6:31:93:69:
+         13:f2:ec:31:61:e4:93:26:98:57:74:f0:f7:fa:01:45:fa:42:
+         65:8c:dd:72:e6:d5:3c:89:c8:ea:5f:26:f9:bf:ec:e2:8a:f7:
+         01:1f:fd:1d:76:65:80:6d:99:b4:b1:2a:31:e1:52:91:c1:14:
+         3a:d4:22:5a:d3:8b:7d:6d:4d:49:00:58:5a:db:5a:67:5a:5c:
+         53:aa:14:b8:10:0e:e8:e9:8b:6e:c3:4a:d8:40:a8:89:4a:aa:
+         95:bc:f3:d1:43:d9:d0:60:ad:f3:7c:e2:7a:6f:32:8a:48:f3:
+         8b:a1:8a:53:69:f3:14:ac:00:d3:d9:b4:83:df:28:34:6f:99:
+         0e:b2:c2:59
 -----BEGIN CERTIFICATE-----
-MIIF2zCCA8OgAwIBAgIJAJjPc1QsG1VbMA0GCSqGSIb3DQEBCwUAMIGDMQswCQYD
-VQQGEwJQVDERMA8GA1UECAwIS2luZ3N0b24xEDAOBgNVBAcMB0JhYnlsb24xEjAQ
-BgNVBAoMCUJ1bWJha2xhdDENMAsGA1UECwwET3JnYTEOMAwGA1UEAwwFUmVlZmEx
-HDAaBgkqhkiG9w0BCQEWDXJlZWZAcmVlZi5jb20wHhcNMTgwMjEwMTk0NzU5WhcN
-MjAxMTMwMTk0NzU5WjCBgzELMAkGA1UEBhMCUFQxETAPBgNVBAgMCEtpbmdzdG9u
-MRAwDgYDVQQHDAdCYWJ5bG9uMRIwEAYDVQQKDAlCdW1iYWtsYXQxDTALBgNVBAsM
-BE9yZ2ExDjAMBgNVBAMMBVJlZWZhMRwwGgYJKoZIhvcNAQkBFg1yZWVmQHJlZWYu
-Y29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwIsO98EaAJVPs5Vd
-KmBOHNWYS30WPFyQk7kWlvSHwneOXIwSp7ZXpgeyIYXMFyC8jQ+PG5R9oSo2D6CN
-U4BrIx1ZWWOnsKqZlHPO9E0jsQ/uaot1Wc+RMkEuItMgQQylQ9WW/qvqMd9HQDAr
-6wmsRbra6IREMFdENSWFmVjiyB/vUB9O7w+ys2YkABKP3n0PwQuUmfwYnjtBeQI8
-lH895rHt59i5AZNnCUlrCENUN3yig3FA+Z6I+q7zTr3LcC6Hzp3gYgMHVMraJRpT
-G3ZxRIFIiVpvgztl5VofFFhCCBY6N/aguZAAqrW6SNvZDOZ82dhdnZUyXjUsa5vg
-dz/NbbT1nQkj/81PMQ6O70yzM1YeYv8MygE9Ft7cUWJcovZeXgCYjzFV6xYdXaGH
-JU+bdth4XaNYjzS0fk6ribzGzAEhGDtoC3vq1tH0ebJTlqFTFNaxrUjJ5E531sGx
-gjUgEgLwt5HQrEM/NC308ViMMXW9C3oYmKvHJRTasQK1VWmiaIUCydfb5KqGAq6D
-sRgL8OLx2iNUSxaPIhFefDphxeBGPZp0S8pCTo5AaJ6WMHk831/XHmtPE6etOFP6
-4g4EkTfeb9c2TgCyimHr9cimQDgqKZUh5fpihEI6ck0fm4ZSJcbPGtSY0CZtU9eJ
-CME71r/rIWwirfG07JeiojJSvLMCAwEAAaNQME4wHQYDVR0OBBYEFPlzZsk8VkUH
-leO+Z7Ty31fE+8j2MB8GA1UdIwQYMBaAFPlzZsk8VkUHleO+Z7Ty31fE+8j2MAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAEiRrb2odSIv1Dexl6Ma/aIp
-aMfkLTm0LewoNPEXVsECACh4NcCREYWYqgBphOhtUauAWDy4BsuShELcWOkGt5WJ
-ACj/TW7A9R4WixPic2CLLh/N8uuAGrumv7AXTqF6CvAOZ6cTskr6QWlpAA6wz3qf
-1Mb9X46ibCKRrRLM96AqdDlgavi+4PDRg9oSW6WJxyKQHw1CaA8F6WXDR8NpsWTD
-IpnBdL21rQrWQ6hiPWsVV4iRH4ZTn1GbF/7nHWXT5ZnJ8YHxEOLsWHcI/54EVCxw
-wEzmaZWC/LcGTEPcVOlHUg2QTbkWt6zZFvH1mKgc7NxqRxGYkBbrFkecym7z7iI9
-tk1sBpd+syp10anlyWuByCIZX6c8Ar+7LXzpIsbJcov0MtVR/+ksP5N3uzYWIbXP
-HmW7Jg/jzC/CNhUwSKJJwVGaaU++2dCNYWs+3HEIL1gmV4ZL7VmukpknDRcKW6Yx
-hH4t0Ur7/mseRE0QPuEz3Ds6CGg9+Zu4N1muA7Kqff2bbfrpNGKz9wJgtBR+N7Ku
-bWhjbN1ftYSPWZkJdNj4X6oyfC7gdSYn/9UW4a7X0kQPYK8TVpo48fKyGmunYjCZ
-cB0MyyU92Y1aoIZxOoHFpLIRm3EU87dbeDkEF31SWlLA1OvypbdYEFHwB7N+hpXE
-AOC4eWXVYw1W/Qy7qVUL
+MIIDgTCCAmmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJQVDEL
+MAkGA1UECAwCTFgxDzANBgNVBAcMBkxpc2JvbjEQMA4GA1UECgwHbmdodHRwMjEQ
+MA4GA1UECwwHbmdodHRwMjEQMA4GA1UEAwwHbmdodHRwMjAeFw0xOTEyMTUxNTA2
+MjFaFw0yMDEyMTQxNTA2MjFaMFIxCzAJBgNVBAYTAlBUMQswCQYDVQQIDAJMWDES
+MBAGA1UECgwJQnVtYmFrbGF0MRAwDgYDVQQLDAduZ2h0dHAyMRAwDgYDVQQDDAdu
+Z2h0dHAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwR5Jf7h+IwRO
+WQJ1FZutPwrdNqBpzEAjPssCrzQ7FfBSmpUJIwbt7+wNJ/LgirM6Z/WPjBWG8KaH
+ar7nUtX+9MT87nh66PcjWiW1FGVubnkzKj3Zqs/fMUjHfamwNoPvkW1zhIICHNC7
+jA+a7TQ6i7QXFCag2biMpPnucjTq7+n2IwtnRG3cZHElUK48N/jDtb1+6UkRGWnc
+vVq6sZud8s5rsrXNypuiVu6reZ6hhhj4SlQyM11qab7PtRLz/SbMdxkIM9P9br7s
+sc4DDTJWbQN/fGdkP7m2t+qXgInNEhHRJOIJgtyBFjnoNRmK26Tdfx/JcBnfvwO5
+iH/IIKdXRQIDAQABo1MwUTAJBgNVHRMEAjAAMCUGA1UdEQQeMByCB25naHR0cDKC
+B2Fub3RoZXKCCGFub3RoZXIyMB0GA1UdDgQWBBSnSBQMx5gmfkgLuvuveKPmCKFa
+vjANBgkqhkiG9w0BAQUFAAOCAQEAvLPhHVD/1bCdsQ90cajBUsGe8nmISzBMF9GI
+9+kK+U1TlKWNvDA1ysokPisC2BYHHPExr8XblOLYMglusyjlNRQ+YIvbZc3wd+x6
+Hwu7qF69Z7MWWqO09v2EJgUnJ60L+iCWxwpmhNQZH8T5EoINBA3zipDzaiyxqs32
+MZNpE/LsMWHkkyaYV3Tw9/oBRfpCZYzdcubVPInI6l8m+b/s4or3AR/9HXZlgG2Z
+tLEqMeFSkcEUOtQiWtOLfW1NSQBYWttaZ1pcU6oUuBAO6OmLbsNK2ECoiUqqlbzz
+0UPZ0GCt83ziem8yikjzi6GKU2nzFKwA09m0g98oNG+ZDrLCWQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiYCCQCp8Px254fXXjANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJQ
+VDELMAkGA1UECAwCTFgxDzANBgNVBAcMBkxpc2JvbjEQMA4GA1UECgwHbmdodHRw
+MjEQMA4GA1UECwwHbmdodHRwMjEQMA4GA1UEAwwHbmdodHRwMjAeFw0xOTEyMTUx
+NDA1MzVaFw0yMDAxMTQxNDA1MzVaMGExCzAJBgNVBAYTAlBUMQswCQYDVQQIDAJM
+WDEPMA0GA1UEBwwGTGlzYm9uMRAwDgYDVQQKDAduZ2h0dHAyMRAwDgYDVQQLDAdu
+Z2h0dHAyMRAwDgYDVQQDDAduZ2h0dHAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAwgs8euGDGpm5X7/xgFGzE0i+1m5NY2teqHSN2IdKMEYkEaFcogJW
+FuOrDDOb9Yu+iPsIT2UMmBILE0KeZBcpgp4iQr2A0zE/6hMJ5FOwpjtGrRJ+T6xi
+/wbpsQMlfWetF560t4eIqWnaRVU4MbzI26oCXS6I+hdJa77EVVv3p1XEuNrH0bwi
+om490+eFf6EgTNvGMgmccLS5jxGsFWZlGYBNzjb5VefGe931duTaHFR925Bb3Lvb
+9sJJ/ABq79rvlJlBVexABT2cu2idZ+E/62A9RFgbS4QD+L4+vjpIpYbA64HOJ5VZ
+peTXbYicu04yWhgWh0nN6lzKvFub0gTcdQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQBVUUbbMp2vXjgQ931bvqKx0bPn3pBn+m3Ps0fYHtZJcLdz/DFOBtzqTzJhiFYt
+JIl1jFZTVGEyMwPN7jcefpB0OJf/Yg2Jf7yP2AV92poVKk91N5oyn2WXHY/oT1Gh
+euNoNy9KZYK5BMol/1ZXTKXCHSbwbfCD37HA0KQfJVejaZPs0FzlnAHRoQ3/B6HN
++P8V+GOgZIS9GNZvQXZlA1gikJT+WfWmi5c+dpThN1qI4I5CeXvmo8WqwbvTOxou
+GC523JzPW0kDOgomtKy5wE98yNw4rNf2mz0SSjpMzShDdeW0B/5JDQYEopHJA4Hk
+OG8UvgFywbvI980WPlUI7/ZX
 -----END CERTIFICATE-----

test/support/ci/certs/ca.cnf

@@ -0,0 +1,85 @@
+# we use 'ca' as the default section because we're usign the ca command
+# we use 'ca' as the default section because we're usign the ca command
+[ ca ]
+default_ca = my_ca
+
+[ my_ca ]
+#  a text file containing the next serial number to use in hex. Mandatory.
+#  This file must be present and contain a valid serial number.
+serial = ./serial
+
+# the text database file to use. Mandatory. This file must be present though
+# initially it will be empty.
+database = ./index.txt
+
+# specifies the directory where new certificates will be placed. Mandatory.
+new_certs_dir = ./newcerts
+
+# the file containing the CA certificate. Mandatory
+certificate = ./ca.crt
+
+# the file contaning the CA private key. Mandatory
+private_key = ./ca.key
+
+# the message digest algorithm. Remember to not use MD5
+default_md = sha1
+
+# for how many days will the signed certificate be valid
+default_days = 365
+
+# a section with a set of variables corresponding to DN fields
+policy = my_policy
+
+[ my_policy ]
+# if the value is "match" then the field value must match the same field in the
+# CA certificate. If the value is "supplied" then it must be present.
+# Optional means it may be present. Any fields not mentioned are silently
+# deleted.
+countryName = match
+stateOrProvinceName = supplied
+organizationName = supplied
+commonName = supplied
+organizationalUnitName = optional
+commonName = supplied
+
+[ ca ]
+default_ca = my_ca
+
+[ my_ca ]
+#  a text file containing the next serial number to use in hex. Mandatory.
+#  This file must be present and contain a valid serial number.
+serial = ./serial
+
+# the text database file to use. Mandatory. This file must be present though
+# initially it will be empty.
+database = ./index.txt
+
+# specifies the directory where new certificates will be placed. Mandatory.
+new_certs_dir = ./newcerts
+
+# the file containing the CA certificate. Mandatory
+certificate = ./ca.crt
+
+# the file contaning the CA private key. Mandatory
+private_key = ./ca.key
+
+# the message digest algorithm. Remember to not use MD5
+default_md = sha1
+
+# for how many days will the signed certificate be valid
+default_days = 365
+
+# a section with a set of variables corresponding to DN fields
+policy = my_policy
+
+[ my_policy ]
+# if the value is "match" then the field value must match the same field in the
+# CA certificate. If the value is "supplied" then it must be present.
+# Optional means it may be present. Any fields not mentioned are silently
+# deleted.
+countryName = match
+stateOrProvinceName = supplied
+organizationName = supplied
+commonName = supplied
+organizationalUnitName = optional
+commonName = supplied

test/support/ci/certs/ca.crt

@@ -1,34 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIF2zCCA8OgAwIBAgIJAJjPc1QsG1VbMA0GCSqGSIb3DQEBCwUAMIGDMQswCQYD
-VQQGEwJQVDERMA8GA1UECAwIS2luZ3N0b24xEDAOBgNVBAcMB0JhYnlsb24xEjAQ
-BgNVBAoMCUJ1bWJha2xhdDENMAsGA1UECwwET3JnYTEOMAwGA1UEAwwFUmVlZmEx
-HDAaBgkqhkiG9w0BCQEWDXJlZWZAcmVlZi5jb20wHhcNMTgwMjEwMTk0NzU5WhcN
-MjAxMTMwMTk0NzU5WjCBgzELMAkGA1UEBhMCUFQxETAPBgNVBAgMCEtpbmdzdG9u
-MRAwDgYDVQQHDAdCYWJ5bG9uMRIwEAYDVQQKDAlCdW1iYWtsYXQxDTALBgNVBAsM
-BE9yZ2ExDjAMBgNVBAMMBVJlZWZhMRwwGgYJKoZIhvcNAQkBFg1yZWVmQHJlZWYu
-Y29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwIsO98EaAJVPs5Vd
-KmBOHNWYS30WPFyQk7kWlvSHwneOXIwSp7ZXpgeyIYXMFyC8jQ+PG5R9oSo2D6CN
-U4BrIx1ZWWOnsKqZlHPO9E0jsQ/uaot1Wc+RMkEuItMgQQylQ9WW/qvqMd9HQDAr
-6wmsRbra6IREMFdENSWFmVjiyB/vUB9O7w+ys2YkABKP3n0PwQuUmfwYnjtBeQI8
-lH895rHt59i5AZNnCUlrCENUN3yig3FA+Z6I+q7zTr3LcC6Hzp3gYgMHVMraJRpT
-G3ZxRIFIiVpvgztl5VofFFhCCBY6N/aguZAAqrW6SNvZDOZ82dhdnZUyXjUsa5vg
-dz/NbbT1nQkj/81PMQ6O70yzM1YeYv8MygE9Ft7cUWJcovZeXgCYjzFV6xYdXaGH
-JU+bdth4XaNYjzS0fk6ribzGzAEhGDtoC3vq1tH0ebJTlqFTFNaxrUjJ5E531sGx
-gjUgEgLwt5HQrEM/NC308ViMMXW9C3oYmKvHJRTasQK1VWmiaIUCydfb5KqGAq6D
-sRgL8OLx2iNUSxaPIhFefDphxeBGPZp0S8pCTo5AaJ6WMHk831/XHmtPE6etOFP6
-4g4EkTfeb9c2TgCyimHr9cimQDgqKZUh5fpihEI6ck0fm4ZSJcbPGtSY0CZtU9eJ
-CME71r/rIWwirfG07JeiojJSvLMCAwEAAaNQME4wHQYDVR0OBBYEFPlzZsk8VkUH
-leO+Z7Ty31fE+8j2MB8GA1UdIwQYMBaAFPlzZsk8VkUHleO+Z7Ty31fE+8j2MAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAEiRrb2odSIv1Dexl6Ma/aIp
-aMfkLTm0LewoNPEXVsECACh4NcCREYWYqgBphOhtUauAWDy4BsuShELcWOkGt5WJ
-ACj/TW7A9R4WixPic2CLLh/N8uuAGrumv7AXTqF6CvAOZ6cTskr6QWlpAA6wz3qf
-1Mb9X46ibCKRrRLM96AqdDlgavi+4PDRg9oSW6WJxyKQHw1CaA8F6WXDR8NpsWTD
-IpnBdL21rQrWQ6hiPWsVV4iRH4ZTn1GbF/7nHWXT5ZnJ8YHxEOLsWHcI/54EVCxw
-wEzmaZWC/LcGTEPcVOlHUg2QTbkWt6zZFvH1mKgc7NxqRxGYkBbrFkecym7z7iI9
-tk1sBpd+syp10anlyWuByCIZX6c8Ar+7LXzpIsbJcov0MtVR/+ksP5N3uzYWIbXP
-HmW7Jg/jzC/CNhUwSKJJwVGaaU++2dCNYWs+3HEIL1gmV4ZL7VmukpknDRcKW6Yx
-hH4t0Ur7/mseRE0QPuEz3Ds6CGg9+Zu4N1muA7Kqff2bbfrpNGKz9wJgtBR+N7Ku
-bWhjbN1ftYSPWZkJdNj4X6oyfC7gdSYn/9UW4a7X0kQPYK8TVpo48fKyGmunYjCZ
-cB0MyyU92Y1aoIZxOoHFpLIRm3EU87dbeDkEF31SWlLA1OvypbdYEFHwB7N+hpXE
-AOC4eWXVYw1W/Qy7qVUL
+MIIDPjCCAiYCCQCp8Px254fXXjANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJQ
+VDELMAkGA1UECAwCTFgxDzANBgNVBAcMBkxpc2JvbjEQMA4GA1UECgwHbmdodHRw
+MjEQMA4GA1UECwwHbmdodHRwMjEQMA4GA1UEAwwHbmdodHRwMjAeFw0xOTEyMTUx
+NDA1MzVaFw0yMDAxMTQxNDA1MzVaMGExCzAJBgNVBAYTAlBUMQswCQYDVQQIDAJM
+WDEPMA0GA1UEBwwGTGlzYm9uMRAwDgYDVQQKDAduZ2h0dHAyMRAwDgYDVQQLDAdu
+Z2h0dHAyMRAwDgYDVQQDDAduZ2h0dHAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAwgs8euGDGpm5X7/xgFGzE0i+1m5NY2teqHSN2IdKMEYkEaFcogJW
+FuOrDDOb9Yu+iPsIT2UMmBILE0KeZBcpgp4iQr2A0zE/6hMJ5FOwpjtGrRJ+T6xi
+/wbpsQMlfWetF560t4eIqWnaRVU4MbzI26oCXS6I+hdJa77EVVv3p1XEuNrH0bwi
+om490+eFf6EgTNvGMgmccLS5jxGsFWZlGYBNzjb5VefGe931duTaHFR925Bb3Lvb
+9sJJ/ABq79rvlJlBVexABT2cu2idZ+E/62A9RFgbS4QD+L4+vjpIpYbA64HOJ5VZ
+peTXbYicu04yWhgWh0nN6lzKvFub0gTcdQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQBVUUbbMp2vXjgQ931bvqKx0bPn3pBn+m3Ps0fYHtZJcLdz/DFOBtzqTzJhiFYt
+JIl1jFZTVGEyMwPN7jcefpB0OJf/Yg2Jf7yP2AV92poVKk91N5oyn2WXHY/oT1Gh
+euNoNy9KZYK5BMol/1ZXTKXCHSbwbfCD37HA0KQfJVejaZPs0FzlnAHRoQ3/B6HN
++P8V+GOgZIS9GNZvQXZlA1gikJT+WfWmi5c+dpThN1qI4I5CeXvmo8WqwbvTOxou
+GC523JzPW0kDOgomtKy5wE98yNw4rNf2mz0SSjpMzShDdeW0B/5JDQYEopHJA4Hk
+OG8UvgFywbvI980WPlUI7/ZX
 -----END CERTIFICATE-----

test/support/ci/certs/ca.key

@@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJJwIBAAKCAgEAwIsO98EaAJVPs5VdKmBOHNWYS30WPFyQk7kWlvSHwneOXIwS
-p7ZXpgeyIYXMFyC8jQ+PG5R9oSo2D6CNU4BrIx1ZWWOnsKqZlHPO9E0jsQ/uaot1
-Wc+RMkEuItMgQQylQ9WW/qvqMd9HQDAr6wmsRbra6IREMFdENSWFmVjiyB/vUB9O
-7w+ys2YkABKP3n0PwQuUmfwYnjtBeQI8lH895rHt59i5AZNnCUlrCENUN3yig3FA
-+Z6I+q7zTr3LcC6Hzp3gYgMHVMraJRpTG3ZxRIFIiVpvgztl5VofFFhCCBY6N/ag
-uZAAqrW6SNvZDOZ82dhdnZUyXjUsa5vgdz/NbbT1nQkj/81PMQ6O70yzM1YeYv8M
-ygE9Ft7cUWJcovZeXgCYjzFV6xYdXaGHJU+bdth4XaNYjzS0fk6ribzGzAEhGDto
-C3vq1tH0ebJTlqFTFNaxrUjJ5E531sGxgjUgEgLwt5HQrEM/NC308ViMMXW9C3oY
-mKvHJRTasQK1VWmiaIUCydfb5KqGAq6DsRgL8OLx2iNUSxaPIhFefDphxeBGPZp0
-S8pCTo5AaJ6WMHk831/XHmtPE6etOFP64g4EkTfeb9c2TgCyimHr9cimQDgqKZUh
-5fpihEI6ck0fm4ZSJcbPGtSY0CZtU9eJCME71r/rIWwirfG07JeiojJSvLMCAwEA
-AQKCAgAEG3NISbA6TvUSSZ9hJgjEiLHk+lgdFYRoAky/D5xNw6sfwkUrmrIn8oYU
-PPxrieE7yRcuaW58n5/jmXMqUtT2PMwJIh0TobABAK9rerHGNybI0wy/y7O3NLi9
-OW+4s4Ja/hVofVZTlgW5Es39B4nLOv8scpXZyiLEV3aQHNtJlZTPSruuUdFoDke6
-UKsM/fH2Fj8nQb9ssKrm3+tW55f0cds3VOItbG2IPy6vUHBddqUo1KOkL4OQhWbf
-SSEr1XJEMA33SUVAw8r/e55GObKU2YUomOtEC2JTECcVkgRmk8LOKs6m5rF88r90
-imwI4GnNY9YrZGFcrRmzefHB2XSSVw3QmSYUOwz+cgbY4wJomajJuAoHU1ndwnaH
-xqEjNQ3S6fxN4BGgvIQlWWU4Ey1OS4mzb3dlsgsJ6rQcISDidGj4jgmVYN2PqAPe
-4z8951/8S7M1MyFlJ24AvkSUxc2//UFc7538SQeVIhGT3s9SzNfxqUN5FgAgycNO
-bLCLDlqqyGAxR/1XRSJPbhn2U1tHrEx9hnzn4Jk1MrXzph2uIdRrw5aqy4qICXc2
-gzhC/uO3UKtkogw9vX+T86tuDuxQdln/lcT7FaFHBg01fNMAHw5gl1BfR6N1oJpV
-zHZq6QYcFNI62uvHtGDZ4RN3WktW5IYm6QeTZwgDoXPxZ64tkQKCAQEA5S5hDWCO
-r3qriTPtHKERGNaDFBpJldhdhlegnyg7GYvEQlR1Ro9aBGo/313AL4gdbLLwCDVz
-TIs/Kc9SqJuw1hY+hxdeiq7r5ofSMXVzyeZykOgVI2fACp/ViIPR9cq73vm0vmPS
-CZL+s/Ai98TbRVTjn0I8syCK2j4kgK/AmvARYhe8oXQ5H9hyOr0cE7h9I4gKgLo0
-DobyQdQeXhJGhnVpod+Xw/tVpB6wPCx1V+emhG2ncOePy0dCUhW2GNo5aNa66SfE
-O5BlPbP3IHBkjcB1dtZjum9e69DcgFn1Tv7J0tu72XUpE27dz93z8KSUdxgBZggl
-O9b+2Cx+XlWiRQKCAQEA1xMb8cBCZcE0B3/UzPMTNhFrTYLqYDAmDtn65Xa5f5wJ
-ewWAB27jcjmMz/mD0RTpMqOOWobhC408oKTCwTaJKyXGebEaXXfikuGvWx8dmequ
-DL7PBQuoU2FP6jHkjIOFM3covC755u1ejyFiRFwZurVW4NsObORaKEhHp+7rzr9R
-FevYzqVVY5FCvAkovD/aXxAddvDSRP6zq84OAifl/LCsambacPnGAhMTIdA87wct
-ER6DiFgsAvpjSLE3PxO/sr7WTM8F0A3h4GwVuVWMLoiIOfPeiikeAFp+8nR1m9qq
-KEQApbCKHMfYMefMV/jTtKxoUo7rHfw0h4FWElNOlwKCAQB4G2hNhG8C0/0V+Jqp
-SFgXdkRXwrcRysSo5T+OaZ0fdDo0sOKNSg9ZBP3YZ9+SiXkyQEy/YJO+Z7OAi+C7
-8Gwqppm6Xqrzb1y+AixMM0utYhJkktyRI4xnhQB5fOwKLmdrId5xcQrgbaMCVjVd
-OFPZ7/Uiv6nkDof2fF7Q+kqsaGgTynDXBHvzjpG+6uDODP+4IVGvyOYDPwGzMiGA
-F3/Sc7IaXX3B/fQSAOtHfd05ZnPEL1tzNkgLtpqxPiOivqsboH1wN6EFvlTwk2JO
-I9ju2RA2aYD2ceuDFoCY24xODAVldjbqbhZK0u14RM/VK8uK5o/FEzvAMpp4XEkV
-0zcpAoIBAGuRiSZubEcMTIN7sekXogIm0C4iTirxqfc/mrbtnHVwi2VWKOSO138n
-vX+/YehOtxu2pdotH51xdGM8RJPyPMSxzgTLSU56SX4BFn1SoLF8qLSDMnNpkzSw
-tRGDBrYoiZRmAp+sNx0Cl4qqvcVG8y9oxx0LMrnPtC/1hrE9U/9BvMJkBTnFg2Gb
-I298fT06CnQFUVdNtzz+zsoc8vCtF+A8VN+ataJPqnMbKzR8PB2ozyeCxXKJ9uk+
-Zi3TRLhtnjE+NVyRJm0apGBkbrEVUllrvAaQLDuZuQGgQWHuUWwz/2rIKDK2iz09
-zqmXL6LINspkeIDiLkH/BB7J10yvEd0CggEAWYyrDGdlk5zq4cmjGVUUsjhek33Q
-jNuLl6LO92KhAHLBa6JO+ed3vuBCfEZE70lvPqXxk3VpEohPm2riqDKwHcxRztNC
-SNGkbes8+TqM8o3WJ5aE7jyCIKF9KCQqwc38GR7N7L871H7znH8PLGw4HPtStfAf
-n/xcPySkslPgjcZnkj2ZfRRcieflLrHOVxuBWPQkB7yNjKU2LZXNF7c/rnj67/wE
-xOSJDyg0TxeCkF3H0Csism+YA4uIzLkzLR16AqZgL6nD6XNf9QNVc5WIVFiZy88z
-FgabNRobcvuPDKYkJPpTan64vHSNdxo4Y53Pn3jITaCkN5TqH5KaTyfyLg==
+MIIEpgIBAAKCAQEAwgs8euGDGpm5X7/xgFGzE0i+1m5NY2teqHSN2IdKMEYkEaFc
+ogJWFuOrDDOb9Yu+iPsIT2UMmBILE0KeZBcpgp4iQr2A0zE/6hMJ5FOwpjtGrRJ+
+T6xi/wbpsQMlfWetF560t4eIqWnaRVU4MbzI26oCXS6I+hdJa77EVVv3p1XEuNrH
+0bwiom490+eFf6EgTNvGMgmccLS5jxGsFWZlGYBNzjb5VefGe931duTaHFR925Bb
+3Lvb9sJJ/ABq79rvlJlBVexABT2cu2idZ+E/62A9RFgbS4QD+L4+vjpIpYbA64HO
+J5VZpeTXbYicu04yWhgWh0nN6lzKvFub0gTcdQIDAQABAoIBAQCswu5FBXUBgO4v
+lqhAs/y45aKrLaePJbAwUR1dNA7Ubg589+qOf4AAfxDyGxz3AEVSlhYvAeu1lRLx
+QfXdbVXS6lHck/YXkhiyoeLDu9NiHRJu0zFMZFH7dz8nD4MYZO8SQYXqhSwikZD4
++8e9WLSIBpR2PBFOgN8oo78PtIMJImHS+/MSScB8tUBaCOPowTSYdbzi0yBH1ags
+30ialkiBPM96XS7JribHvFTl2aaBw+BibqJwb53mdxmz1uI2bnIQNFBoEqmnnGXL
+1IvddysATni3ACBgPfDMfHAEAOhTyvqVG6umw4fMq7H4x6xeOPmGYkV80vaHf7c0
+3pnWVvbhAoGBAOAvwm4li5qRgbI6ToOXkxBR4L/cWYr6Akzts7ObUJyY2Z5GtoJB
+hVA4NbCxlJ0mSz2SLob8Qk73Q7eG01mojYeaN/m95MtXOxXLTUZD5k1m9EvRBov5
+Mc+7/pPtW8hnorgsop2sYG7hzdcfddj3bxiJ1fEYjJZbP0T/GegYh/SNAoGBAN2U
+dH+a35FKcIJRxCc/xqW0vuccjzlGaNtCsaLYJZuu25Xw9ov6Na6lrPFceWmJANt9
+RHMiWwxS/sr9UrPLglnepmedoathaz5dc8mFE9f/bu0vEIqafylXbomqzfEEQbHQ
+O0yjPam9UoNrjcKe1yOJ7eroodDy9Ul0NRgORDGJAoGBALK3wCL40VrORntjmfWz
+nuxyqV2p9sQg3DahhBFZbqD4BPv1WUdrnjA+LycF2fiRb4fNAkRf0yiKW7Rxygj+
+op0IZzkzlbI4fwS3xomOVYk82uGZ58MsS/ZT4vXgUbvoSkLSamyR32plniexj8wA
+LNN+BkymCmVOppiFWQy6iZ99AoGBAKKh4df+7nUPdADSzuwX7U+WmD+9QIpDWZcF
+HqhtiTz5XIZzNCKNZXVoeMU2oI6LVivDh8gRwU4MZKLMyDTa/DPGLdEDa7QEbth5
+cxDIMkZpXxuLXdK9jvPjDmjRCxMJksZWFhAsCIhbQwLeoE/mkfWtuQif8pUQnmRp
+fMbJQdgxAoGBAJRZtRS5hvcCqVRmF5bsGryaIoTUu7tZVWW8cjut9coBGpLaRTRN
+4x1dBL+fGslfWCcc++hhO5rLQMg5EMursfrM9RcHHFLX6stedJA/dA+K7Eow3Nu5
+bIby6bfysKbZtxmdpnf/Ma97xcZotsH95t+h6PV1ryT5tI1lTFdInrlA
 -----END RSA PRIVATE KEY-----

test/support/ci/certs/ca.srl

@@ -1 +1 @@
-D0B77084C1025AD0
+D0B77084C1025AD7

test/support/ci/certs/index.txt

@@ -0,0 +1 @@
+V	201214150621Z		01	unknown	/C=PT/ST=LX/O=Bumbaklat/OU=nghttp2/CN=nghttp2

test/support/ci/certs/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

test/support/ci/certs/newcerts/01.pem

@@ -0,0 +1,77 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=PT, ST=LX, L=Lisbon, O=nghttp2, OU=nghttp2, CN=nghttp2
+        Validity
+            Not Before: Dec 15 15:06:21 2019 GMT
+            Not After : Dec 14 15:06:21 2020 GMT
+        Subject: C=PT, ST=LX, O=Bumbaklat, OU=nghttp2, CN=nghttp2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:1e:49:7f:b8:7e:23:04:4e:59:02:75:15:9b:
+                    ad:3f:0a:dd:36:a0:69:cc:40:23:3e:cb:02:af:34:
+                    3b:15:f0:52:9a:95:09:23:06:ed:ef:ec:0d:27:f2:
+                    e0:8a:b3:3a:67:f5:8f:8c:15:86:f0:a6:87:6a:be:
+                    e7:52:d5:fe:f4:c4:fc:ee:78:7a:e8:f7:23:5a:25:
+                    b5:14:65:6e:6e:79:33:2a:3d:d9:aa:cf:df:31:48:
+                    c7:7d:a9:b0:36:83:ef:91:6d:73:84:82:02:1c:d0:
+                    bb:8c:0f:9a:ed:34:3a:8b:b4:17:14:26:a0:d9:b8:
+                    8c:a4:f9:ee:72:34:ea:ef:e9:f6:23:0b:67:44:6d:
+                    dc:64:71:25:50:ae:3c:37:f8:c3:b5:bd:7e:e9:49:
+                    11:19:69:dc:bd:5a:ba:b1:9b:9d:f2:ce:6b:b2:b5:
+                    cd:ca:9b:a2:56:ee:ab:79:9e:a1:86:18:f8:4a:54:
+                    32:33:5d:6a:69:be:cf:b5:12:f3:fd:26:cc:77:19:
+                    08:33:d3:fd:6e:be:ec:b1:ce:03:0d:32:56:6d:03:
+                    7f:7c:67:64:3f:b9:b6:b7:ea:97:80:89:cd:12:11:
+                    d1:24:e2:09:82:dc:81:16:39:e8:35:19:8a:db:a4:
+                    dd:7f:1f:c9:70:19:df:bf:03:b9:88:7f:c8:20:a7:
+                    57:45
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Alternative Name: 
+                DNS:nghttp2, DNS:another, DNS:another2
+            X509v3 Subject Key Identifier: 
+                A7:48:14:0C:C7:98:26:7E:48:0B:BA:FB:AF:78:A3:E6:08:A1:5A:BE
+    Signature Algorithm: sha1WithRSAEncryption
+         bc:b3:e1:1d:50:ff:d5:b0:9d:b1:0f:74:71:a8:c1:52:c1:9e:
+         f2:79:88:4b:30:4c:17:d1:88:f7:e9:0a:f9:4d:53:94:a5:8d:
+         bc:30:35:ca:ca:24:3e:2b:02:d8:16:07:1c:f1:31:af:c5:db:
+         94:e2:d8:32:09:6e:b3:28:e5:35:14:3e:60:8b:db:65:cd:f0:
+         77:ec:7a:1f:0b:bb:a8:5e:bd:67:b3:16:5a:a3:b4:f6:fd:84:
+         26:05:27:27:ad:0b:fa:20:96:c7:0a:66:84:d4:19:1f:c4:f9:
+         12:82:0d:04:0d:f3:8a:90:f3:6a:2c:b1:aa:cd:f6:31:93:69:
+         13:f2:ec:31:61:e4:93:26:98:57:74:f0:f7:fa:01:45:fa:42:
+         65:8c:dd:72:e6:d5:3c:89:c8:ea:5f:26:f9:bf:ec:e2:8a:f7:
+         01:1f:fd:1d:76:65:80:6d:99:b4:b1:2a:31:e1:52:91:c1:14:
+         3a:d4:22:5a:d3:8b:7d:6d:4d:49:00:58:5a:db:5a:67:5a:5c:
+         53:aa:14:b8:10:0e:e8:e9:8b:6e:c3:4a:d8:40:a8:89:4a:aa:
+         95:bc:f3:d1:43:d9:d0:60:ad:f3:7c:e2:7a:6f:32:8a:48:f3:
+         8b:a1:8a:53:69:f3:14:ac:00:d3:d9:b4:83:df:28:34:6f:99:
+         0e:b2:c2:59
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJQVDEL
+MAkGA1UECAwCTFgxDzANBgNVBAcMBkxpc2JvbjEQMA4GA1UECgwHbmdodHRwMjEQ
+MA4GA1UECwwHbmdodHRwMjEQMA4GA1UEAwwHbmdodHRwMjAeFw0xOTEyMTUxNTA2
+MjFaFw0yMDEyMTQxNTA2MjFaMFIxCzAJBgNVBAYTAlBUMQswCQYDVQQIDAJMWDES
+MBAGA1UECgwJQnVtYmFrbGF0MRAwDgYDVQQLDAduZ2h0dHAyMRAwDgYDVQQDDAdu
+Z2h0dHAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwR5Jf7h+IwRO
+WQJ1FZutPwrdNqBpzEAjPssCrzQ7FfBSmpUJIwbt7+wNJ/LgirM6Z/WPjBWG8KaH
+ar7nUtX+9MT87nh66PcjWiW1FGVubnkzKj3Zqs/fMUjHfamwNoPvkW1zhIICHNC7
+jA+a7TQ6i7QXFCag2biMpPnucjTq7+n2IwtnRG3cZHElUK48N/jDtb1+6UkRGWnc
+vVq6sZud8s5rsrXNypuiVu6reZ6hhhj4SlQyM11qab7PtRLz/SbMdxkIM9P9br7s
+sc4DDTJWbQN/fGdkP7m2t+qXgInNEhHRJOIJgtyBFjnoNRmK26Tdfx/JcBnfvwO5
+iH/IIKdXRQIDAQABo1MwUTAJBgNVHRMEAjAAMCUGA1UdEQQeMByCB25naHR0cDKC
+B2Fub3RoZXKCCGFub3RoZXIyMB0GA1UdDgQWBBSnSBQMx5gmfkgLuvuveKPmCKFa
+vjANBgkqhkiG9w0BAQUFAAOCAQEAvLPhHVD/1bCdsQ90cajBUsGe8nmISzBMF9GI
+9+kK+U1TlKWNvDA1ysokPisC2BYHHPExr8XblOLYMglusyjlNRQ+YIvbZc3wd+x6
+Hwu7qF69Z7MWWqO09v2EJgUnJ60L+iCWxwpmhNQZH8T5EoINBA3zipDzaiyxqs32
+MZNpE/LsMWHkkyaYV3Tw9/oBRfpCZYzdcubVPInI6l8m+b/s4or3AR/9HXZlgG2Z
+tLEqMeFSkcEUOtQiWtOLfW1NSQBYWttaZ1pcU6oUuBAO6OmLbsNK2ECoiUqqlbzz
+0UPZ0GCt83ziem8yikjzi6GKU2nzFKwA09m0g98oNG+ZDrLCWQ==
+-----END CERTIFICATE-----

test/support/ci/certs/serial

@@ -0,0 +1 @@
+02

test/support/ci/certs/serial.old

@@ -0,0 +1 @@
+01

test/support/ci/certs/server.cnf

@@ -0,0 +1,27 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = PT
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = LX
+localityName = Locality Name (eg, city)
+localityName_default = Lisbon
+0.organizationName = Organizational Unit Name (eg, section)
+organizationalUnitName	= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Domain Control Validated
+commonName = Internet Widgits Ltd
+commonName_max	= 64
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = nghttp2
+DNS.2 = another
+DNS.3 = another2

test/support/ci/certs/server.crt

@@ -1,31 +1,77 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=PT, ST=LX, L=Lisbon, O=nghttp2, OU=nghttp2, CN=nghttp2
+        Validity
+            Not Before: Dec 15 15:06:21 2019 GMT
+            Not After : Dec 14 15:06:21 2020 GMT
+        Subject: C=PT, ST=LX, O=Bumbaklat, OU=nghttp2, CN=nghttp2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:1e:49:7f:b8:7e:23:04:4e:59:02:75:15:9b:
+                    ad:3f:0a:dd:36:a0:69:cc:40:23:3e:cb:02:af:34:
+                    3b:15:f0:52:9a:95:09:23:06:ed:ef:ec:0d:27:f2:
+                    e0:8a:b3:3a:67:f5:8f:8c:15:86:f0:a6:87:6a:be:
+                    e7:52:d5:fe:f4:c4:fc:ee:78:7a:e8:f7:23:5a:25:
+                    b5:14:65:6e:6e:79:33:2a:3d:d9:aa:cf:df:31:48:
+                    c7:7d:a9:b0:36:83:ef:91:6d:73:84:82:02:1c:d0:
+                    bb:8c:0f:9a:ed:34:3a:8b:b4:17:14:26:a0:d9:b8:
+                    8c:a4:f9:ee:72:34:ea:ef:e9:f6:23:0b:67:44:6d:
+                    dc:64:71:25:50:ae:3c:37:f8:c3:b5:bd:7e:e9:49:
+                    11:19:69:dc:bd:5a:ba:b1:9b:9d:f2:ce:6b:b2:b5:
+                    cd:ca:9b:a2:56:ee:ab:79:9e:a1:86:18:f8:4a:54:
+                    32:33:5d:6a:69:be:cf:b5:12:f3:fd:26:cc:77:19:
+                    08:33:d3:fd:6e:be:ec:b1:ce:03:0d:32:56:6d:03:
+                    7f:7c:67:64:3f:b9:b6:b7:ea:97:80:89:cd:12:11:
+                    d1:24:e2:09:82:dc:81:16:39:e8:35:19:8a:db:a4:
+                    dd:7f:1f:c9:70:19:df:bf:03:b9:88:7f:c8:20:a7:
+                    57:45
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Alternative Name: 
+                DNS:nghttp2, DNS:another, DNS:another2
+            X509v3 Subject Key Identifier: 
+                A7:48:14:0C:C7:98:26:7E:48:0B:BA:FB:AF:78:A3:E6:08:A1:5A:BE
+    Signature Algorithm: sha1WithRSAEncryption
+         bc:b3:e1:1d:50:ff:d5:b0:9d:b1:0f:74:71:a8:c1:52:c1:9e:
+         f2:79:88:4b:30:4c:17:d1:88:f7:e9:0a:f9:4d:53:94:a5:8d:
+         bc:30:35:ca:ca:24:3e:2b:02:d8:16:07:1c:f1:31:af:c5:db:
+         94:e2:d8:32:09:6e:b3:28:e5:35:14:3e:60:8b:db:65:cd:f0:
+         77:ec:7a:1f:0b:bb:a8:5e:bd:67:b3:16:5a:a3:b4:f6:fd:84:
+         26:05:27:27:ad:0b:fa:20:96:c7:0a:66:84:d4:19:1f:c4:f9:
+         12:82:0d:04:0d:f3:8a:90:f3:6a:2c:b1:aa:cd:f6:31:93:69:
+         13:f2:ec:31:61:e4:93:26:98:57:74:f0:f7:fa:01:45:fa:42:
+         65:8c:dd:72:e6:d5:3c:89:c8:ea:5f:26:f9:bf:ec:e2:8a:f7:
+         01:1f:fd:1d:76:65:80:6d:99:b4:b1:2a:31:e1:52:91:c1:14:
+         3a:d4:22:5a:d3:8b:7d:6d:4d:49:00:58:5a:db:5a:67:5a:5c:
+         53:aa:14:b8:10:0e:e8:e9:8b:6e:c3:4a:d8:40:a8:89:4a:aa:
+         95:bc:f3:d1:43:d9:d0:60:ad:f3:7c:e2:7a:6f:32:8a:48:f3:
+         8b:a1:8a:53:69:f3:14:ac:00:d3:d9:b4:83:df:28:34:6f:99:
+         0e:b2:c2:59
 -----BEGIN CERTIFICATE-----
-MIIFaTCCA1ECCQDQt3CEwQJa0DANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMC
-UFQxETAPBgNVBAgMCEtpbmdzdG9uMRAwDgYDVQQHDAdCYWJ5bG9uMRIwEAYDVQQK
-DAlCdW1iYWtsYXQxDTALBgNVBAsMBE9yZ2ExDjAMBgNVBAMMBVJlZWZhMRwwGgYJ
-KoZIhvcNAQkBFg1yZWVmQHJlZWYuY29tMB4XDTE4MDIxMTIyNTUzOVoXDTE5MDIx
-MTIyNTUzOVowaTELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0JhYnlsb24xEDAOBgNV
-BAcMB0JhYnlsb24xEjAQBgNVBAoMCUJ1bWJha2xhdDEQMA4GA1UECwwHbmdodHRw
-MjEQMA4GA1UEAwwHbmdodHRwMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
-ggIBAKt0753d3tpIlk9vmcYD1pWMJu1/R2uMwUR1rP9B2XhZr1RPYcSHp0x+fVdH
-qp3sP+U6sN9WmpWO3tda6cmAPyD4d184holhOp2WAfrMY7fHrY9U5EyCHtTYauHD
-CMXmB30CPoy7vy9h3IAkPLP4NRZOY4709gAzfvGymQ+qp430+AhXhUsAiqhEunVJ
-fLVBkscyxynINKUUC2oV41Zvc6jeGAgKGfX+WOU+l6dG/E+D1OigtZEYGMsrJpc1
-JTxAWQxZwCafOHX2OI8s5o5KLDALxFuSu03yIOEK5fXgcGj3cW9Q69DJZypTWPxe
-voVgw7HpTD6GzTfO0gVMYHcS4vYDal6eTy1XWTdxet3S46134YwZuDldXbzA54TK
-5EQY92EaPjDfC2qNoLmKY8eCuawIRJfSXug9jOu4CIvyD+Ca++2rW8T7KpfNrACA
-Lcw+bAj1/BTP2ug5WtGfBsSzFoJnDJJPULMWTo7/M2V1p1KW9qw4HQ3+QC8FvPJ1
-uuUQ2Swt3qSTkMe/SMOoh4U285Vg8uIWcm50oSpATBonX3duqTSBelHW5HjpUQGW
-+9+JofoKZTHeSxo0xjw+AowfvJq3ERQLagjezMDYsbj1YZHnZsqQgasCeWI8OGuv
-7PwVZfBKCb27T5HhiHED5eWh0IpByymqHFCvpfYLQurp8/zbAgMBAAEwDQYJKoZI
-hvcNAQELBQADggIBABMqrVdByaOGkoSk2Qug/3j9SSEOLE4E23bXDOYrSfI7od0N
-wjCTji6j5FBXQOsjQp9LJ3Xe5mtz45LKvoeFGnb8gYmv3az/0JW4LRE1zYUUAHnc
-t4gAgxMNdOdTbzjvvsx9mO20/dKNzu3/j/IfqBhs1eo89u8AzPrGlIP67erP8J/a
-nr0tKt+dnufqEqUSYWOn/vL29mVIx8kPE20HmCr/DvFer38UW7GHFZTqE0+LkzGd
-Scm/umvtFNcm512Ll74zpY0M+lLF6h5UcxD9pTa4Blc4O0NBUmAR6Zdj2t6zJz0n
-qaDI1WT/GbQgZSOlWPfxQB6kcsS91ll9gRP3tHx4tcj4Eyk7SlrVGn9G2JVT3XGA
-wp4+BmSIFqj+O0MPp0lXhRoZ1DexMVorMpT8ohSnFhuaDIL3xvkhbxh9gv6mHDv7
-/2Ic6pN1sp/5ZncXnqpm1CjIzuSx6vZRDlfKXpsaIwoEus0C9p5mqZKyoB3+uGXk
-HjQazKSh1LUB2ioMttmSxtheT4rGsiXRqTCT8e2MOpy5DLFZySRy3hvP2yA5RuKb
-xNw7hTAoOEl5a+NUILY8b6+pQ20mAn3+7kXH0WBSOqR0tbUeJ7seE3HRGty82Dsj
-Tjc/uyfY9ksR7e6KEic8ZX1VJ0apNDQNAumDD3u+Db9GSUt6bBRAxiTkSlIE
+MIIDgTCCAmmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJQVDEL
+MAkGA1UECAwCTFgxDzANBgNVBAcMBkxpc2JvbjEQMA4GA1UECgwHbmdodHRwMjEQ
+MA4GA1UECwwHbmdodHRwMjEQMA4GA1UEAwwHbmdodHRwMjAeFw0xOTEyMTUxNTA2
+MjFaFw0yMDEyMTQxNTA2MjFaMFIxCzAJBgNVBAYTAlBUMQswCQYDVQQIDAJMWDES
+MBAGA1UECgwJQnVtYmFrbGF0MRAwDgYDVQQLDAduZ2h0dHAyMRAwDgYDVQQDDAdu
+Z2h0dHAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwR5Jf7h+IwRO
+WQJ1FZutPwrdNqBpzEAjPssCrzQ7FfBSmpUJIwbt7+wNJ/LgirM6Z/WPjBWG8KaH
+ar7nUtX+9MT87nh66PcjWiW1FGVubnkzKj3Zqs/fMUjHfamwNoPvkW1zhIICHNC7
+jA+a7TQ6i7QXFCag2biMpPnucjTq7+n2IwtnRG3cZHElUK48N/jDtb1+6UkRGWnc
+vVq6sZud8s5rsrXNypuiVu6reZ6hhhj4SlQyM11qab7PtRLz/SbMdxkIM9P9br7s
+sc4DDTJWbQN/fGdkP7m2t+qXgInNEhHRJOIJgtyBFjnoNRmK26Tdfx/JcBnfvwO5
+iH/IIKdXRQIDAQABo1MwUTAJBgNVHRMEAjAAMCUGA1UdEQQeMByCB25naHR0cDKC
+B2Fub3RoZXKCCGFub3RoZXIyMB0GA1UdDgQWBBSnSBQMx5gmfkgLuvuveKPmCKFa
+vjANBgkqhkiG9w0BAQUFAAOCAQEAvLPhHVD/1bCdsQ90cajBUsGe8nmISzBMF9GI
+9+kK+U1TlKWNvDA1ysokPisC2BYHHPExr8XblOLYMglusyjlNRQ+YIvbZc3wd+x6
+Hwu7qF69Z7MWWqO09v2EJgUnJ60L+iCWxwpmhNQZH8T5EoINBA3zipDzaiyxqs32
+MZNpE/LsMWHkkyaYV3Tw9/oBRfpCZYzdcubVPInI6l8m+b/s4or3AR/9HXZlgG2Z
+tLEqMeFSkcEUOtQiWtOLfW1NSQBYWttaZ1pcU6oUuBAO6OmLbsNK2ECoiUqqlbzz
+0UPZ0GCt83ziem8yikjzi6GKU2nzFKwA09m0g98oNG+ZDrLCWQ==
 -----END CERTIFICATE-----

test/support/ci/certs/server.csr

@@ -1,28 +1,18 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIErjCCApYCAQAwaTELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0JhYnlsb24xEDAO
-BgNVBAcMB0JhYnlsb24xEjAQBgNVBAoMCUJ1bWJha2xhdDEQMA4GA1UECwwHbmdo
-dHRwMjEQMA4GA1UEAwwHbmdodHRwMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
-AgoCggIBAKt0753d3tpIlk9vmcYD1pWMJu1/R2uMwUR1rP9B2XhZr1RPYcSHp0x+
-fVdHqp3sP+U6sN9WmpWO3tda6cmAPyD4d184holhOp2WAfrMY7fHrY9U5EyCHtTY
-auHDCMXmB30CPoy7vy9h3IAkPLP4NRZOY4709gAzfvGymQ+qp430+AhXhUsAiqhE
-unVJfLVBkscyxynINKUUC2oV41Zvc6jeGAgKGfX+WOU+l6dG/E+D1OigtZEYGMsr
-Jpc1JTxAWQxZwCafOHX2OI8s5o5KLDALxFuSu03yIOEK5fXgcGj3cW9Q69DJZypT
-WPxevoVgw7HpTD6GzTfO0gVMYHcS4vYDal6eTy1XWTdxet3S46134YwZuDldXbzA
-54TK5EQY92EaPjDfC2qNoLmKY8eCuawIRJfSXug9jOu4CIvyD+Ca++2rW8T7KpfN
-rACALcw+bAj1/BTP2ug5WtGfBsSzFoJnDJJPULMWTo7/M2V1p1KW9qw4HQ3+QC8F
-vPJ1uuUQ2Swt3qSTkMe/SMOoh4U285Vg8uIWcm50oSpATBonX3duqTSBelHW5Hjp
-UQGW+9+JofoKZTHeSxo0xjw+AowfvJq3ERQLagjezMDYsbj1YZHnZsqQgasCeWI8
-OGuv7PwVZfBKCb27T5HhiHED5eWh0IpByymqHFCvpfYLQurp8/zbAgMBAAGgADAN
-BgkqhkiG9w0BAQsFAAOCAgEAIlSqAi3ZpWqVOojZk0w+NPilaIH8N6YcDjaDyGAD
-5Gg6uQeGfdIIS+0YPjH8WSD2Nz61KwiXub0VXvYJHqXpPNvQc4kacTR857YMsqbe
-/8H9IrCwlrIFu8eLa15jvNp++447FHxKtyGe+1FotdNa4MCDNUitjf4XCf4aNmrI
-1HovqT9YgHbfzXhAUFZvHaFyyEJGprSUAAAFSBhOp2PfWh1vEM0kbKOkSmjvTCc1
-pzqjXrwBbivOsgX8O0kLesbaZf8ILVLZ3mRsfKUNJ/zF31AK5/ieGoxCVV52BmBF
-DOF3hKadUeRhQwCzr7zOh3GZxAlvppyljd0k1huvNwu1X0MDO+HFJUdFbFjfQl6X
-b1qfwo49nj1whO5HeMh5Ii26sD60T+AhF3l5RW1DC3Yh8WN4KnXAzbHmjj+kQl1j
-kMyqf324JiMpTqc4xbi8QEzRXVvDRNb7uAtu+/nOKFmsTs/3TVXh2K0U92Rij6d0
-4AoIk9U1m1yIn+IT2Phrri/X7wytx/4JLNjxjiQc4DlML4eUjOwfHpG3yVQagN1d
-dJaeV9tF/vJChdnNH3FvvPoc/W48w6swQBDWRvXa6eFYxfqptb3VlAJccHLjh9DN
-IMNonlMrvFgz1o7SmVJwwW5aJ2LuyZ+6ALMWjWDt7wWnpZj0HHR8cJVK1SdYKJz1
-1PA=
+MIIC+DCCAeACAQAwYzELMAkGA1UEBhMCUFQxCzAJBgNVBAgMAkxYMQ8wDQYDVQQH
+DAZMaXNib24xEjAQBgNVBAoMCUJ1bWJha2xhdDEQMA4GA1UECwwHbmdodHRwMjEQ
+MA4GA1UEAwwHbmdodHRwMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMEeSX+4fiMETlkCdRWbrT8K3TagacxAIz7LAq80OxXwUpqVCSMG7e/sDSfy4Iqz
+Omf1j4wVhvCmh2q+51LV/vTE/O54euj3I1oltRRlbm55Myo92arP3zFIx32psDaD
+75Ftc4SCAhzQu4wPmu00Oou0FxQmoNm4jKT57nI06u/p9iMLZ0Rt3GRxJVCuPDf4
+w7W9fulJERlp3L1aurGbnfLOa7K1zcqbolbuq3meoYYY+EpUMjNdamm+z7US8/0m
+zHcZCDPT/W6+7LHOAw0yVm0Df3xnZD+5trfql4CJzRIR0STiCYLcgRY56DUZituk
+3X8fyXAZ378DuYh/yCCnV0UCAwEAAaBQME4GCSqGSIb3DQEJDjFBMD8wCQYDVR0T
+BAIwADALBgNVHQ8EBAMCBeAwJQYDVR0RBB4wHIIHbmdodHRwMoIHYW5vdGhlcoII
+YW5vdGhlcjIwDQYJKoZIhvcNAQELBQADggEBAKeKNisoqjFG0Ox4R9HsMs6QQvBz
+pfF96AyRNdF73zh9Vx5m4QYPKKAdPH4eO3RVmjvuROvpQ7jMC+jtBz5NrRMmSCmm
+SUrDgaCDdbw/LhjYxNgDgWZXYrmE0s3pT8VOis1tvY01dTXN4xkvR4dAOsgVhq7E
+NzwRnFqsTfH/y5fo4Ly/jD3jBMU5ITyrppdIFlsptE5PfSc6J/Y9SAk0OT8ZgRRs
+6ln2grjU5J7Atv3OucrfRx0CtFPI7VcLXYFtbdfGsXbBGI4i8b+QOOjo7oXnx9ZP
+qE0giAJTJXooSBHD2JJejYnWVUpDD/akr6CUeFiRZQFu6uUXur8S2NFrtyE=
 -----END CERTIFICATE REQUEST-----

test/support/ci/certs/server.extensions.cnf

@@ -0,0 +1,8 @@
+basicConstraints=CA:FALSE
+subjectAltName=@my_subject_alt_names
+subjectKeyIdentifier = hash
+
+[ my_subject_alt_names ]
+DNS.1 = nghttp2
+DNS.2 = another
+DNS.3 = another2

test/support/ci/certs/server.key

@@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJJwIBAAKCAgEAq3Tvnd3e2kiWT2+ZxgPWlYwm7X9Ha4zBRHWs/0HZeFmvVE9h
-xIenTH59V0eqnew/5Tqw31aalY7e11rpyYA/IPh3XziGiWE6nZYB+sxjt8etj1Tk
-TIIe1Nhq4cMIxeYHfQI+jLu/L2HcgCQ8s/g1Fk5jjvT2ADN+8bKZD6qnjfT4CFeF
-SwCKqES6dUl8tUGSxzLHKcg0pRQLahXjVm9zqN4YCAoZ9f5Y5T6Xp0b8T4PU6KC1
-kRgYyysmlzUlPEBZDFnAJp84dfY4jyzmjkosMAvEW5K7TfIg4Qrl9eBwaPdxb1Dr
-0MlnKlNY/F6+hWDDselMPobNN87SBUxgdxLi9gNqXp5PLVdZN3F63dLjrXfhjBm4
-OV1dvMDnhMrkRBj3YRo+MN8Lao2guYpjx4K5rAhEl9Je6D2M67gIi/IP4Jr77atb
-xPsql82sAIAtzD5sCPX8FM/a6Dla0Z8GxLMWgmcMkk9QsxZOjv8zZXWnUpb2rDgd
-Df5ALwW88nW65RDZLC3epJOQx79Iw6iHhTbzlWDy4hZybnShKkBMGidfd26pNIF6
-UdbkeOlRAZb734mh+gplMd5LGjTGPD4CjB+8mrcRFAtqCN7MwNixuPVhkedmypCB
-qwJ5Yjw4a6/s/BVl8EoJvbtPkeGIcQPl5aHQikHLKaocUK+l9gtC6unz/NsCAwEA
-AQKCAgA38HD1Kpw4z5Hq3Nho2Hu8UvuoZOxiVIwBz/rfVRakw24GrdeSDUgyFtrC
-DSnHWHsISPvIAjNxNCnUTV8VVPhDw4z+zixmyggbvgNrVh/6p/UiXGoX5CQ3AVzt
-x3onRwOOb5sEw4R+6wjL7ga4GPUJEA4/aACS1DpIlSKHEACWuiPqZNOiQsz6VWIY
-Ph+n63r97r04Do/OhBmtRPLlEnvDzqI8jT8nGRLbyG4mL2zGbJacR0K10gzUzIFM
-uBQr8jqbYvTkJPKA2hJd9CJMrjp4en5X+imOJr8/bRTWAaHrPUAPN3GYrv0vu/2+
-aRLz5Twz4Y/0nnp6CMpQ3Dhk4Q6W+IhBeEysTemWVxtuffzJhDBkg0eOGPHjwxW+
-pTeLo0IhfH+GNWEhyN6/RFtW0rkQtryCtDmNRDJMRWhDIPYz4/sswNWAnNfM1mLM
-J00e3qSH6CSoD9dl9UuNEaaVcdjmqFh3D6a2nEUqc1xvsPjDs09BLLGNyRjd8vXJ
-bJcYCicgGtoh8NZUrUa966oYX7VNSNyiXg2WIhn4lnBEANW+SlI/2th8tUH7H4/H
-U26j3e8pLogvod8lqCZZSXxPHpfFuxA9WL0xYgcL+MVWVJT7NgWYyiB3nGrgJErz
-SiWSeaYHPVigAfU7s/Lv8bJfDIKx+JJUqvD1wOnwpeoNoSJskQKCAQEA1zefB/Yl
-UqGaLGpAZvgXfOVNdVYjhiFeHg6j5Oe+RXFMtOdcgFR4grKiRl73qNz7bdDa56te
-IFbyJ6y/mvW2VuJqMjcccLEesfafqhSNkJ1VkNLa2a7BSPiAbXeGIQlZkZhOu7x6
-O6P16zsz6raOAvjKyoSmzv1gCv2KY0Yk6PEQPjMAlmJ9Z9QSki6TWJjDjDNiHJ4X
-OOoIvQuEZu0RJLuN1NghVIJ5EENl1kGrny7f2NnCsOa+76z0DrQvM3PEDl3cd4WE
-RX5GBfhCk+9BHvSp0sBzktVrb8K6hy/hSKwA9GrBWroDdsOXSzW+uoF8o2iwWVkb
-XCaLB9owB5FYbwKCAQEAy/J0fOqEJOzRY/sqJ83mSBELeYtHYLTUlFF4fCtlxxlP
-lM+NvocpF9SKHlJPGJOLIZXLg8HRKb1O+wdiZCkSp1cqA2B04vi/H03/533ce1Z2
-5qzBgqqcKtEPZrjxs2EU/frwmreoeck9SgDrxeN4W+yWEpgcJ+0GDlBwZovHTPXN
-g+/4n9CGsEzVEoQYCjPfYdXNYhBxAJGsDkTXilt4aib/hcQgHBqW+PxJB/D5aQ95
-6Cjfhz/q1LL4Wlc9TeYuAG+vrQ2Cz/Hb7H96PKB19Ukr7VG0wW6baLz1XcqUF6U2
-Jf7MjSfXuUEUklLmVhVKi2RyTuY1R5/ehw1oZvhgVQKCAQAx3An03zqwVQ4Rwh/f
-exR98+WpDGa4eVyDnCKuMl4rWl9J/du5Q1iT9uyPXwsDTQbW3y8HwvTQizQYqvXM
-4aX3pQazUX8+QFp7IkbFMXPGkBy1q5PWIJ1Y2XFvauRhHPhqOZ3r8nNjA85CS/nw
-I5Ds8VSR7H90rtCkWy7HZwXADbEUp943+ONSvZf709yBBwsunOza8mkw309c9KEc
-80koeGcYa2X1XTDM6sBaDebDvylO5MwtDZgokKoOCgJxah1+spIUApOtQd7ZHTXX
-bfNpR4dccweTeewk/TkXfqkzm92wwla/PR72UcPoQbBJJxyIAwXv/SvQgoFtNUgx
-SKPzAoIBADWUB3g9n+OXd1bdx/BXDjVGjQ4sQd8tAl/Im297cyyAAMEmWaWBGpGR
-G4vlsbPSJw32rVV62Hkvq40VHosTozvlETt73pk2IfeWZTEqhn68c1YccmXibk5t
-R6+DzLOEQKCMiSMMNq1v6bMEVOxS2u7DU5Wk8lim0x11kmHOPNiCBrCvnVBW1tuA
-A8Xuf+ZGRFwOb/tgOF+e5WWGPl2xtAunHR/GK21WquzUUldMvikUkMEl47tDVmz0
-a3xISOmrG9CvhqZe00vPzSfvQWyl9vcuduTMv0DFzvwQECHIs2kW1QfcTV6T5f9c
-EoxyTOK2izPdeo4xujOL00kFg7TxcVUCggEAdFVa/9vp7Zm3pyLnXNHuMPtRD5RY
-fHXrNLu4LwqgoynGfG8elJnifV60CGZoqegeWXYrR/nAbqTR76zQXCMx41SfMq+d
-9SmXojyCv2r+jGLYKRIdVSeAOQJlbS0vwE3deIOJWK8Ye55wTlovpX9lJKspx+AX
-6m9inm/Kh59OlOU8QfRRb29D16NomFMcEeYJkyd/3Tsw4FJDyXvVDrDNdWyYVca3
-R4Nbzhm6U1qJcE8k2g5MixNJwHnjFJfqgUDWPGJHahIzMTvdivn7BzgE8TV7CLOX
-GSmZQGpybGhSv/h2bQDY+DmRdkBDDCuvBDiR5w9F8XUixdVm0zGppwA7Gg==
+MIIEpQIBAAKCAQEAwR5Jf7h+IwROWQJ1FZutPwrdNqBpzEAjPssCrzQ7FfBSmpUJ
+Iwbt7+wNJ/LgirM6Z/WPjBWG8KaHar7nUtX+9MT87nh66PcjWiW1FGVubnkzKj3Z
+qs/fMUjHfamwNoPvkW1zhIICHNC7jA+a7TQ6i7QXFCag2biMpPnucjTq7+n2Iwtn
+RG3cZHElUK48N/jDtb1+6UkRGWncvVq6sZud8s5rsrXNypuiVu6reZ6hhhj4SlQy
+M11qab7PtRLz/SbMdxkIM9P9br7ssc4DDTJWbQN/fGdkP7m2t+qXgInNEhHRJOIJ
+gtyBFjnoNRmK26Tdfx/JcBnfvwO5iH/IIKdXRQIDAQABAoIBAC8SGMwexe/3Drm3
+VZ6MsW+aUE0OUHtObsjRZrgZvQUd7KRtCysUd05xdMt18bEc+nF4cyKr5JYnoP4t
+xeh07I3wrc3aY+sAwgcpBbgQ+RfIRuZW6QUvYbF7kdRZVfATvILv8KYtoiIv5ma/
+Lv3+Kv7+SFnLCI3I488adDo2F8WeDgIdsFFGy+S9Ua4kY+VRTDug9LNpLN8k8kDl
+ztn4HX3p4CgtJizrmtWUQT4pZZaPshH/LM3to8yjnzUc2gIJFw3BsTjlUfNY5a/w
+NScRqzAiiPWlENyRCuGulVMIvO8Vp+/7MnS15MOnv9JYdoU9BMbUPQWvvz9OhLtE
+q4isgIECgYEA+0zm+qgXt3Izm+VfWNNHqUlUl+FPPF4n6WhIKX4efRDuakKuvmcv
+1qizMpstwTsi0AYz8grFWBrc+mHFLk01+nzwOWYjWNtwOU9HBtyAkojesnbePn+X
+pP9sGzm6iFqY7ig6w1cnQ8NxYlqt9O1sMPQOMKfFXJSleNgZlHvHNpUCgYEAxLrW
+uRqB+QrWQhymtdocjIvNQJQsd//qhacPju3S+Pod1TyowdpvGdYvDgha1AyyIfTv
+96OaUcyA6QaR9gomVGpk02Cj32FbUArFNnj1bEvFx+wmaz7N8PvgStOMofWD/gtx
+e9PQx9wWELOJWSHtxJ3mKyplrWSstzBkjeGU4fECgYEAlMM1iPSw9Xu5aXQjOWX5
+ahFq7m4GheoHHnkJHub2DXtUZ7sJztUu0JgVXMPYFid3uEWzwnj10e41GlN+cqZq
+adpEKvZ3vkZI7OQtW7Z0tkon6uXLMpw9nQNHb+aAse9P0Mwn3TNenxK3sE2V5QQX
+o/MV41+tydyFCECFBA0yJPECgYEAmHroatgs3UaVAvEKFfFUJ2tET0WJogjtUWJH
+INUcrHXQIbK+amJPsorcNdgr7idY+hDK3fokZjpHwFWjVDxRsSQ1udAxs7XV/Jgc
+ezgNoT6psWdL79vh62KOWfDWE8Ij6AgekYd/Tyk6wP8m+bree4KXH+XgoSBi7inI
+BmBN8UECgYEA0ozTP0iRwG17wJ2FkES8+mfYf1uQOHYg7cqE5ek2yWhpUMFlycff
+mrzKSOvP9lodbKctrVolL5BRR7nk4U1d3BwTfgHpGF2pKmESQm05Rfz3d66s3nCv
+PMJt5POf2EO2l03nihuY4A9k6Ji+GrAiiTaPEib5BWEMD7D31RagU64=
 -----END RSA PRIVATE KEY-----

test/support/ci/nghttp.conf

@@ -1,5 +1,3 @@
-frontend=0.0.0.0,80;no-tls
-frontend=0.0.0.0,443
 backend=httpbin,8000
 private-key-file=/home/certs/server.key
 certificate-file=/home/certs/server.crt

test/support/http_helpers.rb

@@ -8,8 +8,8 @@ module HTTPHelpers
 
   private
 
-  def build_uri(suffix = "/")
-    "#{origin}#{suffix || "/"}"
+  def build_uri(suffix = "/", uri_origin = origin)
+    "#{uri_origin}#{suffix || "/"}"
   end
 
   def json_body(response)

test/support/requests/altsvc.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Requests
+  module AltSvc
+    def test_altsvc_get
+      altsvc_origin = origin(ENV["HTTPBIN_ALTSVC_HOST"])
+
+      HTTPX.wrap do |http|
+        altsvc_uri = build_uri("/get", altsvc_origin)
+        response = http.get(altsvc_uri)
+        verify_status(response, 200)
+        # this is only needed for http/1.1
+        response2 = http.get(altsvc_uri)
+        verify_status(response2, 200)
+        # introspection time
+        pool = http.__send__(:pool)
+        connections = pool.instance_variable_get(:@connections)
+        origins = connections.map { |conn| conn.instance_variable_get(:@origin) }.uniq
+        assert origins.size == 2, "connection didn't follow altsvc (expected a connection for both origins)"
+      end
+    end
+  end
+end

test/test_helper.rb

@@ -14,9 +14,5 @@ end
 
 require "httpx"
 
-# TODO: remove this once ruby 2.5 bug is fixed:
-# https://github.com/ruby/openssl/issues/187
-ENV["CI"] && OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:verify_mode] = 0
-
 Dir[File.join(".", "test", "support", "*.rb")].each { |f| require f }
 Dir[File.join(".", "test", "support", "**", "*.rb")].each { |f| require f }