[PATCH] test/ssl: rework the sslfiles Makefile target
Started by Jacob Championalmost 5 years ago31 messages
Hello all,
Andrew pointed out elsewhere [1]/messages/by-id/fd96ae76-a8e3-ef8e-a642-a592f5b76771@dunslane.net that it's pretty difficult to add new
certificates to the test/ssl suite without blowing away the current
state and starting over. I needed new cases for the NSS backend work,
and ran into the same pain, so here is my attempt to improve the
situation.
For the common case -- adding a new certificate/key pair -- all you
have to do now is drop one new .config file into the test/ssl
directory, add it to either the CLIENTS or SERVERS list, and run `make
sslfiles`. No cleaning necessary.
The core architectural addition: by making use of both order-only
dependencies and intermediate file cleanup, the CA state will be
recreated (exactly once) on demand for each Make run, assign serial
numbers to new certificates in increasing order, and then be
automatically removed at the end of the Make run. So it should be much
harder to accumulate junk state during incremental development.
== Improvements ==
- The sslfiles target no longer needs to be preceded by sslfiles-clean
to work correctly.
- I've removed some incorrect dependencies, added missing ones, and
moved others to order-only (such as the CA state files -- we need them
to exist, but the changes they accumulate should not force other
certificates to be regenerated).
- Most of the copy-paste recipes have been consolidated, and some
existing copy-paste cruft has disappeared as a result. The unused
server-ss certificate has been removed entirely.
- Serial number collisions are less likely, thanks to Andrew's idea to
use the current clock time as the initial serial number in a series.
- All the .config files are now self-contained (i.e. they contain all
the required extension information), which simplifies the OpenSSL
recipes significantly. No more -extfile wrangling.
== Downsides ==
- I am making _heavy_ use of GNU Make-isms, which does not improve
long-term maintainability.
== Possible Future Work ==
- I haven't quite fixed the dependency situation for the CRL hash
directories -- there are situations where they could be incorrectly
remade. (Relying on directories' timestamps is perilous.) But I think I
have not made the situation worse than it is today.
- Because all of these generated files are still checked in, if you run
`make sslfiles` after checking out the ssl artifacts directory for the
first time, Make may decide to regenerate some files due to the more
recent timestamps. I don't see an easy way around this. You can reset
Make's view of things with a `touch ssl/*`, but it'd be nice if it
didn't happen to begin with.
I recommend using a diff driver for the new certificates and CRLs so
that you can see the actual changes -- the only things that should have
changed are the serial numbers, the timestamps, and the signature
blobs.
WDYT? I missed the boat slightly for the current commitfest, so I'll
add this patch to the next one.
--Jacob
[1]: /messages/by-id/fd96ae76-a8e3-ef8e-a642-a592f5b76771@dunslane.net
Attachments:
0001-test-ssl-rework-the-sslfiles-Makefile-target.patchtext/x-patch; name=0001-test-ssl-rework-the-sslfiles-Makefile-target.patchDownload
From 3414796bf8e5ea0134bdf524cf932a15f6227354 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 26 Feb 2021 15:25:28 -0800
Subject: [PATCH] test/ssl: rework the sslfiles Makefile target
Adding a new certificate is as easy as dropping in a new .config file,
adding it to the top of the Makefile, and running `make sslfiles`.
Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
dirs.
- New certificates have serial numbers based on the current time,
reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
possible copy-paste errors), such as the unused server-ss cert.
---
src/Makefile.global.in | 5 +-
src/test/ssl/Makefile | 254 +++++++++++-------
src/test/ssl/README | 3 -
src/test/ssl/cas.config | 10 +-
src/test/ssl/client-revoked.config | 13 +
src/test/ssl/client.config | 1 -
src/test/ssl/client_ca.config | 5 +
src/test/ssl/root_ca.config | 1 +
src/test/ssl/server-cn-only.config | 3 +-
src/test/ssl/server-no-names.config | 5 +-
src/test/ssl/server-revoked.config | 3 +-
src/test/ssl/server_ca.config | 5 +
src/test/ssl/ssl/both-cas-1.crt | 86 +++---
src/test/ssl/ssl/both-cas-2.crt | 86 +++---
src/test/ssl/ssl/client+client_ca.crt | 65 ++---
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 18 +-
src/test/ssl/ssl/client-revoked.crt | 31 +--
src/test/ssl/ssl/client.crl | 18 +-
src/test/ssl/ssl/client.crt | 31 +--
src/test/ssl/ssl/client_ca.crt | 34 +--
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 18 +-
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 16 +-
src/test/ssl/ssl/root+client.crl | 34 +--
src/test/ssl/ssl/root+client_ca.crt | 52 ++--
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 16 +-
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 18 +-
src/test/ssl/ssl/root+server.crl | 34 +--
src/test/ssl/ssl/root+server_ca.crt | 52 ++--
src/test/ssl/ssl/root.crl | 16 +-
src/test/ssl/ssl/root_ca.crt | 18 +-
src/test/ssl/ssl/server-cn-and-alt-names.crt | 36 +--
src/test/ssl/ssl/server-cn-only.crt | 33 +--
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 18 +-
.../ssl/ssl/server-multiple-alt-names.crt | 36 +--
src/test/ssl/ssl/server-no-names.crt | 32 +--
src/test/ssl/ssl/server-revoked.crt | 33 +--
src/test/ssl/ssl/server-single-alt-name.crt | 34 +--
src/test/ssl/ssl/server-ss.crt | 19 --
src/test/ssl/ssl/server-ss.key | 27 --
src/test/ssl/ssl/server.crl | 18 +-
src/test/ssl/ssl/server_ca.crt | 34 +--
src/test/ssl/t/001_ssltests.pl | 7 +-
42 files changed, 651 insertions(+), 627 deletions(-)
create mode 100644 src/test/ssl/client-revoked.config
delete mode 100644 src/test/ssl/ssl/server-ss.crt
delete mode 100644 src/test/ssl/ssl/server-ss.key
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 74b3a6acd2..e9ff5fa61d 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -32,8 +32,11 @@ all:
# started to update the file.
.DELETE_ON_ERROR:
-# Never delete any intermediate files automatically.
+# Never delete any intermediate files automatically unless the Makefile
+# explicitly asks for it.
+ifneq ($(clean_intermediates),yes)
.SECONDARY:
+endif
# PostgreSQL version number
VERSION = @PACKAGE_VERSION@
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 4b53fdf6c0..7da801ef36 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -11,167 +11,213 @@
subdir = src/test/ssl
top_builddir = ../../..
+
+clean_intermediates := yes
include $(top_builddir)/src/Makefile.global
export with_ssl
-CERTIFICATES := server_ca server-cn-and-alt-names \
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked server-ss \
- client_ca client client-revoked \
- root_ca
+ server-no-names server-revoked
+CLIENTS := client client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
- ssl/server-password.key \
- ssl/client.crl ssl/server.crl ssl/root.crl \
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
ssl/both-cas-1.crt ssl/both-cas-2.crt \
ssl/root+server_ca.crt ssl/root+server.crl \
ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt ssl/client-der.key \
- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+ ssl/client+client_ca.crt
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
SSLDIRS := ssl/client-crldir ssl/server-crldir \
ssl/root+client-crldir ssl/root+server-crldir
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
-# This target will fail unless preceded by sslfiles-clean.
-#
+.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir ssl/new_certs_dir
+#
+# Special-case certificates
+#
-# Rule for creating private/public key pairs.
-ssl/%.key:
- openssl genrsa -out $@ 2048
- chmod 0600 $@
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key root_ca.config
+ openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
- touch ssl/root_ca-certindex
- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
- echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
- touch ssl/$*_ca-certindex
- echo "unique_subject=no" > ssl/$*_ca-certindex.attr
- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
- echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
- openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
- openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
- rm ssl/server-$*.csr
-
-# Self-signed version of server-cn-only.crt
-ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
- openssl req -new -key ssl/server-cn-only.key -out ssl/server-ss.csr -config server-cn-only.config
- openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt -extensions v3_req -extfile server-cn-only.config
- rm ssl/server-ss.csr
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
- rm ssl/client.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
- rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
+# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
+ openssl rsa -in $< -outform DER -out $@
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
+ssl/client-encrypted-pem.key: outform := PEM
+ssl/client-encrypted-der.key: outform := DER
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
-ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
-# Root certificate files that contains both CA certificates, for testing
+# Root certificate file that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
- cat $^ > $@
# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
- cat $^ > $@
# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
- cat $^ > $@
# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
- cat $^ > $@
+# and for the client, to present to the server
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
- cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
- cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
cat $^ > $@
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
- mkdir ssl/root+server-crldir
- cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
- cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+#
+# Standard keys
+#
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
- mkdir ssl/root+client-crldir
- cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
- cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
-ssl/server-crldir: ssl/server.crl
- mkdir ssl/server-crldir
- cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+#
+# Standard certificates
+#
+
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+ssl/server_ca.crt ssl/client_ca.crt: ca := root_ca
+$(SERVER_CERTS): ca := server_ca
+$(CLIENT_CERTS): ca := client_ca
+
+ca_state_files = ssl/$(ca)-certindex ssl/$(ca)-certindex.attr ssl/$(ca).srl
+
+# This is the workhorse recipe. `openssl ca` can't be safely run from parallel
+# processes, so we must mark the entire Makefile .NOTPARALLEL. Enable
+# .SECONDEXPANSION so that the correct dependencies are determined by the value
+# of $(ca).
+.NOTPARALLEL:
+.SECONDEXPANSION: $(STANDARD_CERTS)
+ssl/%.crt: ssl/%.csr %.config ssl/$$(ca).crt | ssl/new_certs_dir $$(ca_state_files)
+ openssl ca -batch -config cas.config -name $(ca) -notext -in $< -out $@
+
+ssl/%.csr: ssl/%.key %.config
+ openssl req -new -key $< -out $@ -config $*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are intended to be intermediates, so do not name them
+# explicitly somewhere else in the Makefile. The goal is for Make to create the
+# state files once for each CA, allow them to accumulate whatever state is
+# needed, and then automatically remove them at the end of the run.
+#
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: revoked :=
+ssl/root.crl: ca := root_ca
+
+ssl/client.crl: revoked := ssl/client-revoked.crt
+ssl/client.crl: ca := client_ca
+
+ssl/server.crl: revoked := ssl/server-revoked.crt
+ssl/server.crl: ca := server_ca
+
+.SECONDEXPANSION: $(CRLS)
+ssl/%.crl: ssl/$$(ca).crt $$(revoked) | $$(ca_state_files)
+ $(foreach cert,$(revoked),openssl ca -config cas.config -name $(ca) -revoke $(cert) &&) true
+ openssl ca -config cas.config -name $(ca) -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
- mkdir ssl/client-crldir
- cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
.PHONY: sslfiles-clean
sslfiles-clean:
- rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
- rm -rf $(SSLDIRS)
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/README b/src/test/ssl/README
index 84baa478ce..b9d96a637d 100644
--- a/src/test/ssl/README
+++ b/src/test/ssl/README
@@ -52,9 +52,6 @@ server-no-names
server certificates, with small variations in the hostnames present
in the certificate. Signed by server_ca.
-server-ss
- same as server-cn-only, but self-signed.
-
server-password
same as server-cn-only, but password-protected.
diff --git a/src/test/ssl/cas.config b/src/test/ssl/cas.config
index 8c0ef6d82b..2c4851033a 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/cas.config
@@ -1,12 +1,5 @@
# This file contains the configuration for all the CAs.
-[ req ]
-prompt = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
# Root CA, used to sign the certificates of the intermediary server and
# client CAs.
[ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
new_certs_dir = ./ssl/new_certs_dir
policy = policy_match
email_in_dn = no
+copy_extensions = copy
# CA used to sign all the server certificates.
[ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/server_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/server.crl
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/client_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/client.crl
diff --git a/src/test/ssl/client-revoked.config b/src/test/ssl/client-revoked.config
new file mode 100644
index 0000000000..3b82b57103
--- /dev/null
+++ b/src/test/ssl/client-revoked.config
@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = ssltestuser
+
+# no extensions in client certs
diff --git a/src/test/ssl/client.config b/src/test/ssl/client.config
index 2e9d40d299..26fc2571f5 100644
--- a/src/test/ssl/client.config
+++ b/src/test/ssl/client.config
@@ -10,4 +10,3 @@ prompt = no
CN = ssltestuser
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/client_ca.config
index ef93d598c2..5990f06000 100644
--- a/src/test/ssl/client_ca.config
+++ b/src/test/ssl/client_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/root_ca.config
index 187a9b8a46..e193186f8b 100644
--- a/src/test/ssl/root_ca.config
+++ b/src/test/ssl/root_ca.config
@@ -4,6 +4,7 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Test root CA for PostgreSQL SSL regression test suite
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/server-cn-only.config
index 1e5d582213..9edb7b7aca 100644
--- a/src/test/ssl/server-cn-only.config
+++ b/src/test/ssl/server-cn-only.config
@@ -9,5 +9,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/server-no-names.config
index 2a71125a42..89075dec83 100644
--- a/src/test/ssl/server-no-names.config
+++ b/src/test/ssl/server-no-names.config
@@ -10,7 +10,4 @@ prompt = no
[ req_distinguished_name ]
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/server-revoked.config
index 47ef6462dc..c9e1f5d431 100644
--- a/src/test/ssl/server-revoked.config
+++ b/src/test/ssl/server-revoked.config
@@ -11,5 +11,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/server_ca.config
index d6126d5195..496aaba29f 100644
--- a/src/test/ssl/server_ca.config
+++ b/src/test/ssl/server_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..4f4bc707d6 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..01d0c4d6a4 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..7fafa14de1 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,36 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..51ebe924a6 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
-UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
-U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
-xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
-ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
-l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX
+JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK
+QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg
+b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ
+708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG
+TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J
+N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf
+Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz
+8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r
+R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6
+EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB
+J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu
+moHgw8OJzg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..1f6ae05fe4 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..ef48749f76 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..02eff4d326 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..7819c54828 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..8b0c716d63 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..5074f4fa9b 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..5ee9870d6f 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..12d1ec363e 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
-c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
-YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
-U24PDn2etTZOK1wsHHkAiHPvgRX7G/+78a5fSC8nMNaH/oR4zMMhwksiruISA7x9
-/l+4DO7C42C5mRfnUmMGJdzau1+A8jcIxTWWoJtva9b1k3g+bvBGq9138X+bJKIW
-YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
-pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
-Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
-cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+MIIDVTCCAj2gAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMEYxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5h
+bWUucGctc3NsdGVzdC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwVES+mD1iY1UBGWNLsuBxGkyOGTI1X/sXcCUZ7aLOGkXHYatiUTcIrSNNAS5
+yCvbq/A/C1NuDw59nrU2TitcLBx5AIhz74EV+xv/u/GuX0gvJzDWh/6EeMzDIcJL
+Iq7iEgO8ff5fuAzuwuNguZkX51JjBiXc2rtfgPI3CMU1lqCbb2vW9ZN4Pm7wRqvd
+d/F/mySiFmLFsB4HLhCGZN89vO4cbslN4+YrGKEcHeXGWRaxv6gSXbpEgUYpefzz
++QB7AepU5aWntm3X+E1we5AHLSKckwUdBuT5uYgmZcYA/kCC4/9RS02jTlu4Vfrd
+SemHwuo2UQ5ODJxzAhWrEl3F4QIDAQABo0swSTBHBgNVHREEQDA+gh1kbnMxLmFs
+dC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0ZXN0
+LnRlc3QwDQYJKoZIhvcNAQELBQADggEBAG3dFQ/DqjFbjzIOni079R3I94lAZqbc
+cRUumDPSzihKwvCCnU5quqnYkOFISqBZsYmxR5fiHx4wT+jmWvLSltkaeS6gcGC1
+zuO8GFzL+PATUX63js8IfE3WYJE/bjmDVVzJOBArrbsExofdE2F2kkkLkjhk0ylg
+/TrAKtyqpsob0b4ZjMloR5JFHQXGHN/922x6Do1vduHMXlGckmR0sX6Mg/fiChVh
+vixUJje4W9ohft8G7lj3GnzI1gHEMp2PYKM+wqOug/gXEQuMIFlhjp2Mc6bAvFsD
+grgdAgcYUvgKukF9efJHq2V5XjqBWrmGAOQkiH1y+9gxhiHUiw+vojY=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..acdf6f1a75 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
-bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
-JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
-K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
-5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
-jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+MIIDAzCCAesCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWz
+VPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7zJkxnnm6RGBXPx6vK3AkAIi+wG4Y
+mXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu3nDjAVkPexsSrPyiKimFuNgDfkGe
+5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWWJf5D/PehdSuc0e5Me+91Nnbz90nl
+ds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzfwl36Kd/bWB0fAEVFse3iZWmigaI/
+9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo3rE6jg6/iAwSWib9yabfYPKbqq2G
+oFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA2AZrD9cTQXTW
+4j2tT8N/TTc6WK2ncN4h22NTte6vK7MVwsZJCtw5ndYkmxcWkXAqiclzWyMdayds
+WOa12CEH7jKAhivF4Hcw3oO3JHM5BA6KzLWBVz9uZksOM6mPqn29DTKvA/Y1V8tj
+mxK/KUA68h/u6inu3mo4ywBpb/tqHxxg2cjyR0faCmM0pwRM0HBr/16fUMfO83nj
+QG8g9J/bybu5sYso/aSoC5nUNp4XjmDMdVLdqg/nTe/ejS8IfFr0WQxBlqooqFgx
+MSE+kX2e2fHsuOWSU/9eClt6FpQrwoC2C8F+/4g1Uz7Liqc4yMHPwjgeP9ewrrLO
+iIhlNNPqpQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..58799e49f8 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
-3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
-eUQLCvPNgay3/ua4Mz0Nf7S9cgC9AZu/EEYjQIEzfO0cEANeVIWtgZfM3+2j0pmZ
-46AEYlEZJkmDT0/mnHk3YTj3I6qQhr34wZvqcrwouYRN5NiOVYJLpb6gPSoalm+P
-YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
-VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
-LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
-ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+MIIDSzCCAjOgAwIBAgIIICEDAxQSBwMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANdIkKX1X+Jwqo5EXC1z/TjUKnYTDzHYx2rCqprBU8fN0mSy
+lMyjDm+eo924PN7LahqCHeDCMbapwymkoNfpLHkNRwotHLvxN5RyxJD4m5fXclRo
+V1ZzwwXTqXlECwrzzYGst/7muDM9DX+0vXIAvQGbvxBGI0CBM3ztHBADXlSFrYGX
+zN/to9KZmeOgBGJRGSZJg09P5px5N2E49yOqkIa9+MGb6nK8KLmETeTYjlWCS6W+
+oD0qGpZvj2Fzioz+Pn1q9fB3WS687GuMT0WvV3LAzcn341r0E36bUf9rxSjfBX79
+11KsVMemr1QskSmvMQFEv6R1Rp8xUGPqKlkRJ9sCAwEAAaNnMGUwYwYDVR0RBFww
+WoIdZG5zMS5hbHQtbmFtZS5wZy1zc2x0ZXN0LnRlc3SCHWRuczIuYWx0LW5hbWUu
+cGctc3NsdGVzdC50ZXN0ghoqLndpbGRjYXJkLnBnLXNzbHRlc3QudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAuRAyYBwAZLKERoYDy/kE9LKddJfLhledTJ7+cIWs6T9V
+KBfWBHZYxfxmdBYwqVZfog8c5uHREfWiUPoF/aMq3ARay96aMh4xXJ+2a7HAmknF
+9AJWRieoc3H/QkMzAuT8IDTmoEarsr8vsX1MGabobZte/B9tEjq/z5t3GfLrHMVX
+5092U6Ka40ii4U1VwjR8YnRBwjm3UpLmZJAjvXjw13/XucNV5O8Plo1yvS+G0AMh
+KdMxExiItVtjZteiA0pJf0YGAzTFyzvwBljTcs4NfZ2M0ta9i0r4BF7wQ8tDezN7
+VxdJVPc5xPqncp0cMdUAE2xDmYlKEqB0kuAHNwH5/Q==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..b5d0589090 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
-+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
-4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
-Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
-Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+MIIC3TCCAcUCCCAhAwMUEgcEMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAgMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCfOf74edog2QHkJlreO6NJEe1VZUSxn+LBeHH8T5fniFiM4Ym9X2o3
+XKhYsvNSwvrfWwMkajMkd3b3vURiuiAxYzB/9AwX97RUkZ8TfuU3UgISiCbJZrVH
+TpfJEv7JhePgYpAoOdPWqtFPmnO/Xv6uNjsrx/V/3COovUj3eIcyQzAl+eC2U9Tn
+//dJ0kF+hDnOR3I/3e6bAboJjAVvLl2ABryaateHuUaCu/Bf5mG1DarXNXPKYuP+
+KrkjHhH0KQ4Js3nu7bPEiG0E/JmCR452j72WKb+PiJHOxdMMyztZ3k6bGGlbw60j
+CwQnUJAlPL4G9U+lpVYG6f7HxOaJEscfAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AJAwYwIL4oj3NisXCXkEp9zqDXiZvNW9yW3bY8lFFCpU7o5n92tCf2OFAkKaYhF1
+Eb2weyDULtW7W/wgdlOZL9npayYKzTusl6e8xfTQyjRCsoKWvnWOEkPH7VraZJ8c
+Ko1KhaVWX98VLdlUh5giYAEkdhk0qPYKsQ32unBXXJu0pX63pnPDoaUBiZUWr/3l
+CfkjgGY5YA8YxiDlHGNF1qlcX2fQKloDlvtH0L5Enwt25w2/IvWhTN6YxDR+rgdD
+XYbQr6o6vsmnZTJ3zUZ6XFo98sZq5L9oy1pcC8roV7w0AUVxraTWYILyGfNgruG8
+xsok/hu1L2VnktveEW/qoVs=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..3bb0f164a6 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
-4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
-PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
-WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
-qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
-34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+MIIDAzCCAesCCCAhAwMUEgcFMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKD
+zvJUs+N+KeDwWAW0zfI5C1t3BxKUwh+MrwtFeNIcxhJd9Bzy6fNnvpMa/kNPoHfN
+n73OGLYeSDyiDc56dvBjLOfxPXFFN4TCuIxYSizIjniL3tzP/a8hyvO+KqTYyaEs
+cT8+/rNnqlqBXNqcdChSGpk0y34uybvWj2/wDJWTbFJ20bI+30HOxCfK8Dp3s8Nl
+suVSuLKF/qqbidDZuOAKc0/GJo2F/5AF9MkMYELmG6XAVq/XDkI3oLtxQKh6kYfc
+nu3fI0Mwr9+FoP2q+K5KskA3KJLlgBOykG55Odbe6Js4TPHrMBTgC9aWrP/I1gb8
+tFY2FVN+D/Wl8T/Boh0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxVHoqX25W4Hx
+pMNjv2AJzcB7D+c+dUXAmLLJ7jh6szWeL0M2E5qX4dLc8LzQKnXv5ZcT4i/akjDX
+etdzuqh03kvDJvUkHclSWffmowmWMTG6GCA6S/2TQzSibIptkwqs74aIkayVJaC4
+jCBR+PVT8+cE2FMD6dAWu//fyEcpTg6XpZ/Upgu9OITGNaEQUGz8pSRkTgspfO0Q
+AKPmql6dpywReIlr5mzy9liCzf/BbAVHGmP/pBGIkLn2AzvPLCQ/UFZYT6aH7l5J
+nzmFhgRC3U5wPMdelHGrPMXg6OHCcyrQY0kEi7N/GQ5+jZkICoQuPJ7APKEZAUgO
+XRwVulaWJQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..7affdd68e7 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
-1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
-F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
-J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
-Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
-kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+MIIDEjCCAfqgAwIBAgIIICEDAxQSBwIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMWKHC1lrog7A8ye8C3NM38JBiQBMuIZR40wORl0hJxj5Tp8
+dX8Xo2Thi9Ry33+YfMwfkkF66ZRwnMMEa8VYBmOz+fZFzF19WpE8F1CR3PxKE7ai
+zvunxy8oMxdXdIuTTzt8a5NcDLe22C4Yj21qaZVoh182ycvMH93V4MwsLcV3/GdV
+Ko7QpwP2ZCf5D1rhyccx+Trwyb2bKvhW5Jd3GrRacFJQFfUyrAu/FvyuSPmn86ab
+Jkr7CCgFlg6e4O9SFY7yXiOgLotsoQ5/YriTLinvUTGCMCSxaol97qx3I2gUpCZu
+i7H+4Dt9L5FcCMshl0TU32dsjw6El1Wbzp6voCsCAwEAAaMuMCwwKgYDVR0RBCMw
+IYIfc2luZ2xlLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDANBgkqhkiG9w0BAQsF
+AAOCAQEAUIhBQLzQgd7wHlT9DARxcC7SZwQtnk2BVqMYTRBU4uIa0i2HVyetpe1P
+rREthYq5sgaSqdonD9Splg8BLUlah9y3v9j6DBxkxNnz/3AZuA5oPaC/TZ+lwlX3
+QNWWFNaNZdcQbvjUvoPXIbJ6U9UDfByOJdoN4kJ6xe8Faj1Mp5Euqzr1ErrMtPWJ
+XLnXLV4WyAx+iMAbofXNlCyUorPGA8lRudzQ7bKdrhMZDE66VYwlwsUejEiODt7M
+NGTDs4aAZz9cBRjMeXhvX60cFQoykjAvWbieUKOgaFmJJyKemFj12cLeWyxvUodI
+kYtgAdzftiCSrbDjl1pzPSM6RC/E/A==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ss.crt b/src/test/ssl/ssl/server-ss.crt
deleted file mode 100644
index d775e6029a..0000000000
--- a/src/test/ssl/ssl/server-ss.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDGDCCAgCgAwIBAgIUVR71MjsbvBO6T1gJQaL/6hMwhqQwDQYJKoZIhvcNAQEL
-BQAwRjEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVzdC50ZXN0MR4wHAYD
-VQQLDBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYw
-NDE0MTM0MDU0WjBGMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1zc2x0ZXN0LnRl
-c3QxHjAcBgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANWzVPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7
-zJkxnnm6RGBXPx6vK3AkAIi+wG4YmXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu
-3nDjAVkPexsSrPyiKimFuNgDfkGe5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWW
-Jf5D/PehdSuc0e5Me+91Nnbz90nlds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzf
-wl36Kd/bWB0fAEVFse3iZWmigaI/9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo
-3rE6jg6/iAwSWib9yabfYPKbqq2GoFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG
-9w0BAQsFAAOCAQEAtHR6o4UIO/aWEAzcmnJKsQDC999jbQGiqs9+v62mz5TvCk/1
-gL9/s/yfGY+pnDGW1ijI2xiL9KCJzjd8YB+F8iUViVQ6uHBxghxC1H2qOIr2UPFQ
-gQRu7d0DByQBsiXMOdw10luGo1oHhqMe5J7VyMVG/7aRpr6zYKrH7PzsB8ucvxzv
-Lm8ez0WBPebV69sim431iJcVcxxBbFd4qUJ9cHIc7VO2mSaazsIOzbd400POF/vk
-gfpDs48GfnZ+X3hgoQA4u7eudLqttI+j1xV+IHlCtaa1nDHymUrN/FhI1x+6c1SU
-V12eHqVatPMe0d+OCJPqIL9lbe+sGXlxDkMqAQ==
------END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ss.key b/src/test/ssl/ssl/server-ss.key
deleted file mode 100644
index a5e7f4bbfa..0000000000
--- a/src/test/ssl/ssl/server-ss.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAttI8Qu3wJgwp9RqLEqgO5GlYdA4bG+OyB4y+Bx4DQ7fhaJvJ
-vwBfY8ig+nPZU5WJNDyoaPtDg2uQwWbUq9WXkdktAxelrisQ/oJiCscPARlAIM6U
-XPOXai10XQ6QsMaaa6cXIGkMZVfhYEbuN0Q8TJSC1MbSQ/TtCnWxMRmktRv5xx8y
-2DgGbYRSiuBNE0vneQMjBJeRs19k/V8Alk49vOk8T8Ep0PFkAQglpUc7/LFueKry
-sVW+6ptdmqqHUZTdZhU/IojKEhUF8dtyGpGF9bE0kfjB7vXth8LKQ9Utik7VS1tQ
-E8fK2ttvxAqDf8s3MChnXbMN6QrzaGSS44oZKwIDAQABAoIBAQCsMhjQcYxgSdS7
-J+UWDXT5bsABj8e43R4yPj4+NeadQfTtss6zOIagVbhKLhPkxlQU/40gVIminw4Z
-G+H0d5nrpcLfxsYm5il7jxMJU7SuNDpSrEDRzB4xw952R+HAn0+TVi5SOJ+UVNHS
-/Pwi0gJ5nugbwakKmQcrcu8ScDTS34yFScMIRUYiKQ44TDiDtwyL07sc4ob1X/uY
-na1GnyOBjYEg+9nRwmV+QZwPjyP3Qe81rvH7saV2R2oc4uFU151KtoIT96V4FnpD
-CsFPGVul4i428zYDEguzEMWvPkOKrfFA63gfYl3JRbPYE9ISdZXU8UX6XEE3Y6sU
-VmeXK/IBAoGBAPLELsFdMqMhycXxrGuQ4HiH5/vQ2RhFcOf842a8qysopFC5kluf
-Y83dMy9GP8BLgt/NMseBDFcaGgaZPhD10kpW0BCg5GKdkcBfuIE5C/rfe4m82TqC
-VkriGimG8FkTCQS9ghGwbDWYZnMZbqyJ2iRt/+M9Lvfd1tYTCQtNuI/TAoGBAMDJ
-g/vS12j4uJ+SDy7QY6suSOjkQoGO8qonhx9W/2XJSH4KL1ubeOt4eOJksHnwueCW
-YD+2+T4+NDumMnmT7Rl8is1RfnnWNH91tylPB9I5Hyff/+PU5rUSoRfpmeckH3pc
-5EmfoaqT7V436hjkZF1uY1QJjDMopSyg3TSVmtJJAoGBAOAVAAdSDGSR0ppYuktL
-njcDU7mXjFwf9NjeD9UL/39F823j7NmPpWMnc5CGamAIE1SbJu0KDCb2G+HNX4Hu
-Nd6ShVlj+YuhYCDO+hKlYo597J016Nld52MVkwqT2JSPwnpSppXHYAqUkrRZXFP8
-ppOLyW+qUQlQBnbxeR6q7dorAoGAU/gxzYCDJIyY1Z/njwtjLg8l4JJzSTz7AxPe
-bc8VxL7MHWHQSMVKAL3jYTBcEXDBdUnqODY5D1xGoeh8uamtrtkpF860GNss2Its
-MMjkbjNFF7ggG5sCtcGceu7bguqf70sAf/TQlJyD2fLeuuLXuD45c0QJVcsRToPu
-dVXoLkkCgYEA5JkhCPE9a2ssrqi1ZFt3FAayulycM+r+wJY7zNIwv/ydzbE5D4Ar
-s8YOjhwyBoyorrEztcvIKF5XA89ZIwHiKZQxJTWGeFKq/PYTclzwlOXAimkdYNXn
-Nc/5RLjEeophXb4f3WPjMBliYGX0tOPhT+buHep+f0enxgO8Z2a4Omg=
------END RSA PRIVATE KEY-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..0d6d7a6f82 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 864f6e209f..e7cd684a9b 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -479,6 +479,11 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+$serialno =~ s/^serial=//;
+$serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+
command_like(
[
'psql',
@@ -494,7 +499,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
--
2.25.1
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Thu, 2021-03-04 at 00:03 +0000, Jacob Champion wrote:
Hello all,
Andrew pointed out elsewhere [1] that it's pretty difficult to add new
certificates to the test/ssl suite without blowing away the current
state and starting over. I needed new cases for the NSS backend work,
and ran into the same pain, so here is my attempt to improve the
situation.
v2 is a rebase to resolve conflicts around SSL compression and the new
client-dn test case.
--Jacob
Attachments:
v2-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchtext/x-patch; name=v2-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchDownload
From bf1c350008ad49ba0e343c3e1d50a8cf1ff368d0 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 26 Feb 2021 15:25:28 -0800
Subject: [PATCH v2] test/ssl: rework the sslfiles Makefile target
Adding a new certificate is as easy as dropping in a new .config file,
adding it to the top of the Makefile, and running `make sslfiles`.
Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
dirs.
- New certificates have serial numbers based on the current time,
reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
possible copy-paste errors), such as the unused server-ss cert.
---
src/Makefile.global.in | 5 +-
src/test/ssl/Makefile | 261 ++++++++++--------
src/test/ssl/README | 3 -
src/test/ssl/cas.config | 10 +-
src/test/ssl/client-dn.config | 1 -
src/test/ssl/client-revoked.config | 13 +
src/test/ssl/client.config | 1 -
src/test/ssl/client_ca.config | 5 +
src/test/ssl/root_ca.config | 1 +
src/test/ssl/server-cn-only.config | 3 +-
src/test/ssl/server-no-names.config | 5 +-
src/test/ssl/server-revoked.config | 3 +-
src/test/ssl/server_ca.config | 5 +
src/test/ssl/ssl/both-cas-1.crt | 86 +++---
src/test/ssl/ssl/both-cas-2.crt | 86 +++---
src/test/ssl/ssl/client+client_ca.crt | 65 ++---
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 18 +-
src/test/ssl/ssl/client-dn.crt | 34 +--
src/test/ssl/ssl/client-revoked.crt | 31 ++-
src/test/ssl/ssl/client.crl | 18 +-
src/test/ssl/ssl/client.crt | 31 ++-
src/test/ssl/ssl/client_ca.crt | 34 +--
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 18 +-
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 16 +-
src/test/ssl/ssl/root+client.crl | 34 +--
src/test/ssl/ssl/root+client_ca.crt | 52 ++--
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 16 +-
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 18 +-
src/test/ssl/ssl/root+server.crl | 34 +--
src/test/ssl/ssl/root+server_ca.crt | 52 ++--
src/test/ssl/ssl/root.crl | 16 +-
src/test/ssl/ssl/root_ca.crt | 18 +-
src/test/ssl/ssl/server-cn-and-alt-names.crt | 36 +--
src/test/ssl/ssl/server-cn-only.crt | 33 +--
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 18 +-
.../ssl/ssl/server-multiple-alt-names.crt | 36 +--
src/test/ssl/ssl/server-no-names.crt | 32 +--
src/test/ssl/ssl/server-revoked.crt | 33 +--
src/test/ssl/ssl/server-single-alt-name.crt | 34 +--
src/test/ssl/ssl/server-ss.crt | 19 --
src/test/ssl/ssl/server-ss.key | 27 --
src/test/ssl/ssl/server.crl | 18 +-
src/test/ssl/ssl/server_ca.crt | 34 +--
src/test/ssl/t/001_ssltests.pl | 7 +-
44 files changed, 668 insertions(+), 652 deletions(-)
create mode 100644 src/test/ssl/client-revoked.config
delete mode 100644 src/test/ssl/ssl/server-ss.crt
delete mode 100644 src/test/ssl/ssl/server-ss.key
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 8f05840821..0e4b331a80 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -32,8 +32,11 @@ all:
# started to update the file.
.DELETE_ON_ERROR:
-# Never delete any intermediate files automatically.
+# Never delete any intermediate files automatically unless the Makefile
+# explicitly asks for it.
+ifneq ($(clean_intermediates),yes)
.SECONDARY:
+endif
# PostgreSQL version number
VERSION = @PACKAGE_VERSION@
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index a517756c94..6e67013f61 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -11,174 +11,213 @@
subdir = src/test/ssl
top_builddir = ../../..
+
+clean_intermediates := yes
include $(top_builddir)/src/Makefile.global
export with_ssl
-CERTIFICATES := server_ca server-cn-and-alt-names \
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked server-ss \
- client_ca client client-dn client-revoked \
- root_ca
+ server-no-names server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
- ssl/server-password.key \
- ssl/client.crl ssl/server.crl ssl/root.crl \
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
ssl/both-cas-1.crt ssl/both-cas-2.crt \
ssl/root+server_ca.crt ssl/root+server.crl \
ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt ssl/client-der.key \
- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+ ssl/client+client_ca.crt
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
SSLDIRS := ssl/client-crldir ssl/server-crldir \
ssl/root+client-crldir ssl/root+server-crldir
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
-# This target will fail unless preceded by sslfiles-clean.
-#
+.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir ssl/new_certs_dir
+#
+# Special-case certificates
+#
-# Rule for creating private/public key pairs.
-ssl/%.key:
- openssl genrsa -out $@ 2048
- chmod 0600 $@
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key root_ca.config
+ openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
- touch ssl/root_ca-certindex
- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
- echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
- touch ssl/$*_ca-certindex
- echo "unique_subject=no" > ssl/$*_ca-certindex.attr
- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
- echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
- openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
- openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
- rm ssl/server-$*.csr
-
-# Self-signed version of server-cn-only.crt
-ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
- openssl req -new -key ssl/server-cn-only.key -out ssl/server-ss.csr -config server-cn-only.config
- openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt -extensions v3_req -extfile server-cn-only.config
- rm ssl/server-ss.csr
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
- rm ssl/client.csr ssl/temp.crt
-
-# Client certificate with multi-part DN, signed by the client CA:
-ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
- openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
- rm ssl/client-dn.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
- rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
+# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
+ openssl rsa -in $< -outform DER -out $@
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
+ssl/client-encrypted-pem.key: outform := PEM
+ssl/client-encrypted-der.key: outform := DER
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
-ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
-# Root certificate files that contains both CA certificates, for testing
+# Root certificate file that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
- cat $^ > $@
# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
- cat $^ > $@
# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
- cat $^ > $@
# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
- cat $^ > $@
+# and for the client, to present to the server
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
- cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
- cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
cat $^ > $@
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
- mkdir ssl/root+server-crldir
- cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
- cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+#
+# Standard keys
+#
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
- mkdir ssl/root+client-crldir
- cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
- cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
-ssl/server-crldir: ssl/server.crl
- mkdir ssl/server-crldir
- cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+#
+# Standard certificates
+#
+
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+ssl/server_ca.crt ssl/client_ca.crt: ca := root_ca
+$(SERVER_CERTS): ca := server_ca
+$(CLIENT_CERTS): ca := client_ca
+
+ca_state_files = ssl/$(ca)-certindex ssl/$(ca)-certindex.attr ssl/$(ca).srl
+
+# This is the workhorse recipe. `openssl ca` can't be safely run from parallel
+# processes, so we must mark the entire Makefile .NOTPARALLEL. Enable
+# .SECONDEXPANSION so that the correct dependencies are determined by the value
+# of $(ca).
+.NOTPARALLEL:
+.SECONDEXPANSION: $(STANDARD_CERTS)
+ssl/%.crt: ssl/%.csr %.config ssl/$$(ca).crt | ssl/new_certs_dir $$(ca_state_files)
+ openssl ca -batch -config cas.config -name $(ca) -notext -in $< -out $@
+
+ssl/%.csr: ssl/%.key %.config
+ openssl req -new -key $< -out $@ -config $*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are intended to be intermediates, so do not name them
+# explicitly somewhere else in the Makefile. The goal is for Make to create the
+# state files once for each CA, allow them to accumulate whatever state is
+# needed, and then automatically remove them at the end of the run.
+#
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: revoked :=
+ssl/root.crl: ca := root_ca
+
+ssl/client.crl: revoked := ssl/client-revoked.crt
+ssl/client.crl: ca := client_ca
+
+ssl/server.crl: revoked := ssl/server-revoked.crt
+ssl/server.crl: ca := server_ca
+
+.SECONDEXPANSION: $(CRLS)
+ssl/%.crl: ssl/$$(ca).crt $$(revoked) | $$(ca_state_files)
+ $(foreach cert,$(revoked),openssl ca -config cas.config -name $(ca) -revoke $(cert) &&) true
+ openssl ca -config cas.config -name $(ca) -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
- mkdir ssl/client-crldir
- cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
.PHONY: sslfiles-clean
sslfiles-clean:
- rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
- rm -rf $(SSLDIRS)
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/README b/src/test/ssl/README
index 84baa478ce..b9d96a637d 100644
--- a/src/test/ssl/README
+++ b/src/test/ssl/README
@@ -52,9 +52,6 @@ server-no-names
server certificates, with small variations in the hostnames present
in the certificate. Signed by server_ca.
-server-ss
- same as server-cn-only, but self-signed.
-
server-password
same as server-cn-only, but password-protected.
diff --git a/src/test/ssl/cas.config b/src/test/ssl/cas.config
index 8c0ef6d82b..2c4851033a 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/cas.config
@@ -1,12 +1,5 @@
# This file contains the configuration for all the CAs.
-[ req ]
-prompt = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
# Root CA, used to sign the certificates of the intermediary server and
# client CAs.
[ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
new_certs_dir = ./ssl/new_certs_dir
policy = policy_match
email_in_dn = no
+copy_extensions = copy
# CA used to sign all the server certificates.
[ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/server_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/server.crl
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/client_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/client.crl
diff --git a/src/test/ssl/client-dn.config b/src/test/ssl/client-dn.config
index ee2df54bd6..0c71d83127 100644
--- a/src/test/ssl/client-dn.config
+++ b/src/test/ssl/client-dn.config
@@ -13,4 +13,3 @@ O = PGDG
CN = ssltestuser-dn
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client-revoked.config b/src/test/ssl/client-revoked.config
new file mode 100644
index 0000000000..3b82b57103
--- /dev/null
+++ b/src/test/ssl/client-revoked.config
@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = ssltestuser
+
+# no extensions in client certs
diff --git a/src/test/ssl/client.config b/src/test/ssl/client.config
index 2e9d40d299..26fc2571f5 100644
--- a/src/test/ssl/client.config
+++ b/src/test/ssl/client.config
@@ -10,4 +10,3 @@ prompt = no
CN = ssltestuser
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/client_ca.config
index ef93d598c2..5990f06000 100644
--- a/src/test/ssl/client_ca.config
+++ b/src/test/ssl/client_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/root_ca.config
index 187a9b8a46..e193186f8b 100644
--- a/src/test/ssl/root_ca.config
+++ b/src/test/ssl/root_ca.config
@@ -4,6 +4,7 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Test root CA for PostgreSQL SSL regression test suite
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/server-cn-only.config
index 1e5d582213..9edb7b7aca 100644
--- a/src/test/ssl/server-cn-only.config
+++ b/src/test/ssl/server-cn-only.config
@@ -9,5 +9,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/server-no-names.config
index 2a71125a42..89075dec83 100644
--- a/src/test/ssl/server-no-names.config
+++ b/src/test/ssl/server-no-names.config
@@ -10,7 +10,4 @@ prompt = no
[ req_distinguished_name ]
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/server-revoked.config
index 47ef6462dc..c9e1f5d431 100644
--- a/src/test/ssl/server-revoked.config
+++ b/src/test/ssl/server-revoked.config
@@ -11,5 +11,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/server_ca.config
index d6126d5195..496aaba29f 100644
--- a/src/test/ssl/server_ca.config
+++ b/src/test/ssl/server_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..4f4bc707d6 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..01d0c4d6a4 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..7fafa14de1 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,36 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-dn.crt b/src/test/ssl/ssl/client-dn.crt
index f2f6a62dad..0db14e5977 100644
--- a/src/test/ssl/ssl/client-dn.crt
+++ b/src/test/ssl/ssl/client-dn.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDBjCCAe4CAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0yMTAzMDUyMDUyNDVaFw00ODA3MjEyMDUyNDVaMFAxDTALBgNVBAoMBFBHREcx
-FDASBgNVBAsMC0VuZ2luZWVyaW5nMRAwDgYDVQQLDAdUZXN0aW5nMRcwFQYDVQQD
-DA5zc2x0ZXN0dXNlci1kbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMRLriq2Sh8+N4bhVtRUp/MAEsLQK6u/GotMSmiSr9K31YBYOvNzw8liKt4Rmnh5
-zmsdXJBW8erPNpkUAy9tFRCAx0YobhWCSfyX3orEdrhDrLFihA62zXQC69T0u4Yp
-PSXGd0yCAcOZERQ4CQVgqnsh7Kmx5QaQnqxaz4OVPArWFJP4RQBT/l+r+kCeAn6h
-qvbSbxY3FoCElQq0EF5x1F2pjL+HcBvjeI+GP430gVeJJX0RaG14Fp4v9MQT6zv/
-gvvjHC8l7YSJUROjeUzLZpUnj/ik4yrtT4av/TDGTSOpGs5qEATqk4hxAUEWw6TJ
-RoLh3Oq2N5KuzDmKBBskLX0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H54oyx
-pNkcgFF79lwc4c/Jda7j0wrZQIw5CWwO0MdCozJGRIEAA5WXA8b5THo1ZkaWv+sh
-lWnCOflBtGnEpD7dUpMW9lxGL5clMeMf3CoNYBb7zBofm+oTJytCzXHNftB4hCZj
-pvN79bNT4msWbmxDyi75nfbEfzK1BKnfCg+DWBBjEnHC8VzgDq6ACN6FEoyFb+fr
-dlDoof+S7k8jYAzhxwySI5DnMzr9OIwnepWfx9HENsasAighc8vFSEouShvsOlYS
-L0OIb9Tn6M5q1tWoLHulQsQYDPzaO/1M7ubsr5xCx1ReDK4gaNwS3YXn/2KE9Kco
-aKCrL89AjQrJPA==
+MIIDDTCCAfUCCCAhBikTA0IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwNjI5MjAwMzQyWhcNNDgxMTE0MjAwMzQyWjBQMQ0wCwYDVQQK
+DARQR0RHMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UECwwHVGVzdGluZzEX
+MBUGA1UEAwwOc3NsdGVzdHVzZXItZG4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDES64qtkofPjeG4VbUVKfzABLC0CurvxqLTEpokq/St9WAWDrzc8PJ
+YireEZp4ec5rHVyQVvHqzzaZFAMvbRUQgMdGKG4Vgkn8l96KxHa4Q6yxYoQOts10
+AuvU9LuGKT0lxndMggHDmREUOAkFYKp7IeypseUGkJ6sWs+DlTwK1hST+EUAU/5f
+q/pAngJ+oar20m8WNxaAhJUKtBBecdRdqYy/h3Ab43iPhj+N9IFXiSV9EWhteBae
+L/TEE+s7/4L74xwvJe2EiVETo3lMy2aVJ4/4pOMq7U+Gr/0wxk0jqRrOahAE6pOI
+cQFBFsOkyUaC4dzqtjeSrsw5igQbJC19AgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AECbQQ9rBzCexNI3VKDVA+CZa0ib48XbcJwXmva3spvjjCB5cGPToyF1B+4mVg1H
+1uM/XRAoQmNRtB+xKEAceMSxJA02tBlwMOclXlO0oGLYyc+S61K+UEPSk6Kka4aC
+NpeLSqN5ahC9z8C5uMJl36pFf13aU05uRkXKcI4gkn02I4jRc/a8gF7URdhdf920
+KmYSUh1V0B3pPAB6ArqJ60iHOqkCYIIIbi2EpVP53IKkoB9tr4ud8oMoN6ggIXU1
+2oHvnaKJ7RZaQNefS3WweyHxr4cCVtEour/ELph48OuW6Y5jqPT+5Ln3Qz0e6KW9
+o3thBx0aKSYlmt9gH254M9M=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..51ebe924a6 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
-UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
-U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
-xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
-ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
-l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX
+JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK
+QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg
+b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ
+708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG
+TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J
+N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf
+Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz
+8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r
+R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6
+EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB
+J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu
+moHgw8OJzg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..1f6ae05fe4 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..ef48749f76 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..02eff4d326 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..7819c54828 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..8b0c716d63 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..5074f4fa9b 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..5ee9870d6f 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..12d1ec363e 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
-c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
-YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
-U24PDn2etTZOK1wsHHkAiHPvgRX7G/+78a5fSC8nMNaH/oR4zMMhwksiruISA7x9
-/l+4DO7C42C5mRfnUmMGJdzau1+A8jcIxTWWoJtva9b1k3g+bvBGq9138X+bJKIW
-YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
-pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
-Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
-cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+MIIDVTCCAj2gAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMEYxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5h
+bWUucGctc3NsdGVzdC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwVES+mD1iY1UBGWNLsuBxGkyOGTI1X/sXcCUZ7aLOGkXHYatiUTcIrSNNAS5
+yCvbq/A/C1NuDw59nrU2TitcLBx5AIhz74EV+xv/u/GuX0gvJzDWh/6EeMzDIcJL
+Iq7iEgO8ff5fuAzuwuNguZkX51JjBiXc2rtfgPI3CMU1lqCbb2vW9ZN4Pm7wRqvd
+d/F/mySiFmLFsB4HLhCGZN89vO4cbslN4+YrGKEcHeXGWRaxv6gSXbpEgUYpefzz
++QB7AepU5aWntm3X+E1we5AHLSKckwUdBuT5uYgmZcYA/kCC4/9RS02jTlu4Vfrd
+SemHwuo2UQ5ODJxzAhWrEl3F4QIDAQABo0swSTBHBgNVHREEQDA+gh1kbnMxLmFs
+dC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0ZXN0
+LnRlc3QwDQYJKoZIhvcNAQELBQADggEBAG3dFQ/DqjFbjzIOni079R3I94lAZqbc
+cRUumDPSzihKwvCCnU5quqnYkOFISqBZsYmxR5fiHx4wT+jmWvLSltkaeS6gcGC1
+zuO8GFzL+PATUX63js8IfE3WYJE/bjmDVVzJOBArrbsExofdE2F2kkkLkjhk0ylg
+/TrAKtyqpsob0b4ZjMloR5JFHQXGHN/922x6Do1vduHMXlGckmR0sX6Mg/fiChVh
+vixUJje4W9ohft8G7lj3GnzI1gHEMp2PYKM+wqOug/gXEQuMIFlhjp2Mc6bAvFsD
+grgdAgcYUvgKukF9efJHq2V5XjqBWrmGAOQkiH1y+9gxhiHUiw+vojY=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..acdf6f1a75 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
-bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
-JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
-K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
-5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
-jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+MIIDAzCCAesCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWz
+VPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7zJkxnnm6RGBXPx6vK3AkAIi+wG4Y
+mXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu3nDjAVkPexsSrPyiKimFuNgDfkGe
+5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWWJf5D/PehdSuc0e5Me+91Nnbz90nl
+ds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzfwl36Kd/bWB0fAEVFse3iZWmigaI/
+9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo3rE6jg6/iAwSWib9yabfYPKbqq2G
+oFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA2AZrD9cTQXTW
+4j2tT8N/TTc6WK2ncN4h22NTte6vK7MVwsZJCtw5ndYkmxcWkXAqiclzWyMdayds
+WOa12CEH7jKAhivF4Hcw3oO3JHM5BA6KzLWBVz9uZksOM6mPqn29DTKvA/Y1V8tj
+mxK/KUA68h/u6inu3mo4ywBpb/tqHxxg2cjyR0faCmM0pwRM0HBr/16fUMfO83nj
+QG8g9J/bybu5sYso/aSoC5nUNp4XjmDMdVLdqg/nTe/ejS8IfFr0WQxBlqooqFgx
+MSE+kX2e2fHsuOWSU/9eClt6FpQrwoC2C8F+/4g1Uz7Liqc4yMHPwjgeP9ewrrLO
+iIhlNNPqpQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..58799e49f8 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
-3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
-eUQLCvPNgay3/ua4Mz0Nf7S9cgC9AZu/EEYjQIEzfO0cEANeVIWtgZfM3+2j0pmZ
-46AEYlEZJkmDT0/mnHk3YTj3I6qQhr34wZvqcrwouYRN5NiOVYJLpb6gPSoalm+P
-YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
-VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
-LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
-ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+MIIDSzCCAjOgAwIBAgIIICEDAxQSBwMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANdIkKX1X+Jwqo5EXC1z/TjUKnYTDzHYx2rCqprBU8fN0mSy
+lMyjDm+eo924PN7LahqCHeDCMbapwymkoNfpLHkNRwotHLvxN5RyxJD4m5fXclRo
+V1ZzwwXTqXlECwrzzYGst/7muDM9DX+0vXIAvQGbvxBGI0CBM3ztHBADXlSFrYGX
+zN/to9KZmeOgBGJRGSZJg09P5px5N2E49yOqkIa9+MGb6nK8KLmETeTYjlWCS6W+
+oD0qGpZvj2Fzioz+Pn1q9fB3WS687GuMT0WvV3LAzcn341r0E36bUf9rxSjfBX79
+11KsVMemr1QskSmvMQFEv6R1Rp8xUGPqKlkRJ9sCAwEAAaNnMGUwYwYDVR0RBFww
+WoIdZG5zMS5hbHQtbmFtZS5wZy1zc2x0ZXN0LnRlc3SCHWRuczIuYWx0LW5hbWUu
+cGctc3NsdGVzdC50ZXN0ghoqLndpbGRjYXJkLnBnLXNzbHRlc3QudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAuRAyYBwAZLKERoYDy/kE9LKddJfLhledTJ7+cIWs6T9V
+KBfWBHZYxfxmdBYwqVZfog8c5uHREfWiUPoF/aMq3ARay96aMh4xXJ+2a7HAmknF
+9AJWRieoc3H/QkMzAuT8IDTmoEarsr8vsX1MGabobZte/B9tEjq/z5t3GfLrHMVX
+5092U6Ka40ii4U1VwjR8YnRBwjm3UpLmZJAjvXjw13/XucNV5O8Plo1yvS+G0AMh
+KdMxExiItVtjZteiA0pJf0YGAzTFyzvwBljTcs4NfZ2M0ta9i0r4BF7wQ8tDezN7
+VxdJVPc5xPqncp0cMdUAE2xDmYlKEqB0kuAHNwH5/Q==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..b5d0589090 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
-+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
-4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
-Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
-Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+MIIC3TCCAcUCCCAhAwMUEgcEMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAgMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCfOf74edog2QHkJlreO6NJEe1VZUSxn+LBeHH8T5fniFiM4Ym9X2o3
+XKhYsvNSwvrfWwMkajMkd3b3vURiuiAxYzB/9AwX97RUkZ8TfuU3UgISiCbJZrVH
+TpfJEv7JhePgYpAoOdPWqtFPmnO/Xv6uNjsrx/V/3COovUj3eIcyQzAl+eC2U9Tn
+//dJ0kF+hDnOR3I/3e6bAboJjAVvLl2ABryaateHuUaCu/Bf5mG1DarXNXPKYuP+
+KrkjHhH0KQ4Js3nu7bPEiG0E/JmCR452j72WKb+PiJHOxdMMyztZ3k6bGGlbw60j
+CwQnUJAlPL4G9U+lpVYG6f7HxOaJEscfAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AJAwYwIL4oj3NisXCXkEp9zqDXiZvNW9yW3bY8lFFCpU7o5n92tCf2OFAkKaYhF1
+Eb2weyDULtW7W/wgdlOZL9npayYKzTusl6e8xfTQyjRCsoKWvnWOEkPH7VraZJ8c
+Ko1KhaVWX98VLdlUh5giYAEkdhk0qPYKsQ32unBXXJu0pX63pnPDoaUBiZUWr/3l
+CfkjgGY5YA8YxiDlHGNF1qlcX2fQKloDlvtH0L5Enwt25w2/IvWhTN6YxDR+rgdD
+XYbQr6o6vsmnZTJ3zUZ6XFo98sZq5L9oy1pcC8roV7w0AUVxraTWYILyGfNgruG8
+xsok/hu1L2VnktveEW/qoVs=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..3bb0f164a6 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
-4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
-PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
-WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
-qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
-34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+MIIDAzCCAesCCCAhAwMUEgcFMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKD
+zvJUs+N+KeDwWAW0zfI5C1t3BxKUwh+MrwtFeNIcxhJd9Bzy6fNnvpMa/kNPoHfN
+n73OGLYeSDyiDc56dvBjLOfxPXFFN4TCuIxYSizIjniL3tzP/a8hyvO+KqTYyaEs
+cT8+/rNnqlqBXNqcdChSGpk0y34uybvWj2/wDJWTbFJ20bI+30HOxCfK8Dp3s8Nl
+suVSuLKF/qqbidDZuOAKc0/GJo2F/5AF9MkMYELmG6XAVq/XDkI3oLtxQKh6kYfc
+nu3fI0Mwr9+FoP2q+K5KskA3KJLlgBOykG55Odbe6Js4TPHrMBTgC9aWrP/I1gb8
+tFY2FVN+D/Wl8T/Boh0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxVHoqX25W4Hx
+pMNjv2AJzcB7D+c+dUXAmLLJ7jh6szWeL0M2E5qX4dLc8LzQKnXv5ZcT4i/akjDX
+etdzuqh03kvDJvUkHclSWffmowmWMTG6GCA6S/2TQzSibIptkwqs74aIkayVJaC4
+jCBR+PVT8+cE2FMD6dAWu//fyEcpTg6XpZ/Upgu9OITGNaEQUGz8pSRkTgspfO0Q
+AKPmql6dpywReIlr5mzy9liCzf/BbAVHGmP/pBGIkLn2AzvPLCQ/UFZYT6aH7l5J
+nzmFhgRC3U5wPMdelHGrPMXg6OHCcyrQY0kEi7N/GQ5+jZkICoQuPJ7APKEZAUgO
+XRwVulaWJQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..7affdd68e7 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
-1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
-F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
-J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
-Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
-kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+MIIDEjCCAfqgAwIBAgIIICEDAxQSBwIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMWKHC1lrog7A8ye8C3NM38JBiQBMuIZR40wORl0hJxj5Tp8
+dX8Xo2Thi9Ry33+YfMwfkkF66ZRwnMMEa8VYBmOz+fZFzF19WpE8F1CR3PxKE7ai
+zvunxy8oMxdXdIuTTzt8a5NcDLe22C4Yj21qaZVoh182ycvMH93V4MwsLcV3/GdV
+Ko7QpwP2ZCf5D1rhyccx+Trwyb2bKvhW5Jd3GrRacFJQFfUyrAu/FvyuSPmn86ab
+Jkr7CCgFlg6e4O9SFY7yXiOgLotsoQ5/YriTLinvUTGCMCSxaol97qx3I2gUpCZu
+i7H+4Dt9L5FcCMshl0TU32dsjw6El1Wbzp6voCsCAwEAAaMuMCwwKgYDVR0RBCMw
+IYIfc2luZ2xlLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDANBgkqhkiG9w0BAQsF
+AAOCAQEAUIhBQLzQgd7wHlT9DARxcC7SZwQtnk2BVqMYTRBU4uIa0i2HVyetpe1P
+rREthYq5sgaSqdonD9Splg8BLUlah9y3v9j6DBxkxNnz/3AZuA5oPaC/TZ+lwlX3
+QNWWFNaNZdcQbvjUvoPXIbJ6U9UDfByOJdoN4kJ6xe8Faj1Mp5Euqzr1ErrMtPWJ
+XLnXLV4WyAx+iMAbofXNlCyUorPGA8lRudzQ7bKdrhMZDE66VYwlwsUejEiODt7M
+NGTDs4aAZz9cBRjMeXhvX60cFQoykjAvWbieUKOgaFmJJyKemFj12cLeWyxvUodI
+kYtgAdzftiCSrbDjl1pzPSM6RC/E/A==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ss.crt b/src/test/ssl/ssl/server-ss.crt
deleted file mode 100644
index d775e6029a..0000000000
--- a/src/test/ssl/ssl/server-ss.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDGDCCAgCgAwIBAgIUVR71MjsbvBO6T1gJQaL/6hMwhqQwDQYJKoZIhvcNAQEL
-BQAwRjEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVzdC50ZXN0MR4wHAYD
-VQQLDBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYw
-NDE0MTM0MDU0WjBGMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1zc2x0ZXN0LnRl
-c3QxHjAcBgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANWzVPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7
-zJkxnnm6RGBXPx6vK3AkAIi+wG4YmXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu
-3nDjAVkPexsSrPyiKimFuNgDfkGe5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWW
-Jf5D/PehdSuc0e5Me+91Nnbz90nlds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzf
-wl36Kd/bWB0fAEVFse3iZWmigaI/9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo
-3rE6jg6/iAwSWib9yabfYPKbqq2GoFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG
-9w0BAQsFAAOCAQEAtHR6o4UIO/aWEAzcmnJKsQDC999jbQGiqs9+v62mz5TvCk/1
-gL9/s/yfGY+pnDGW1ijI2xiL9KCJzjd8YB+F8iUViVQ6uHBxghxC1H2qOIr2UPFQ
-gQRu7d0DByQBsiXMOdw10luGo1oHhqMe5J7VyMVG/7aRpr6zYKrH7PzsB8ucvxzv
-Lm8ez0WBPebV69sim431iJcVcxxBbFd4qUJ9cHIc7VO2mSaazsIOzbd400POF/vk
-gfpDs48GfnZ+X3hgoQA4u7eudLqttI+j1xV+IHlCtaa1nDHymUrN/FhI1x+6c1SU
-V12eHqVatPMe0d+OCJPqIL9lbe+sGXlxDkMqAQ==
------END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ss.key b/src/test/ssl/ssl/server-ss.key
deleted file mode 100644
index a5e7f4bbfa..0000000000
--- a/src/test/ssl/ssl/server-ss.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAttI8Qu3wJgwp9RqLEqgO5GlYdA4bG+OyB4y+Bx4DQ7fhaJvJ
-vwBfY8ig+nPZU5WJNDyoaPtDg2uQwWbUq9WXkdktAxelrisQ/oJiCscPARlAIM6U
-XPOXai10XQ6QsMaaa6cXIGkMZVfhYEbuN0Q8TJSC1MbSQ/TtCnWxMRmktRv5xx8y
-2DgGbYRSiuBNE0vneQMjBJeRs19k/V8Alk49vOk8T8Ep0PFkAQglpUc7/LFueKry
-sVW+6ptdmqqHUZTdZhU/IojKEhUF8dtyGpGF9bE0kfjB7vXth8LKQ9Utik7VS1tQ
-E8fK2ttvxAqDf8s3MChnXbMN6QrzaGSS44oZKwIDAQABAoIBAQCsMhjQcYxgSdS7
-J+UWDXT5bsABj8e43R4yPj4+NeadQfTtss6zOIagVbhKLhPkxlQU/40gVIminw4Z
-G+H0d5nrpcLfxsYm5il7jxMJU7SuNDpSrEDRzB4xw952R+HAn0+TVi5SOJ+UVNHS
-/Pwi0gJ5nugbwakKmQcrcu8ScDTS34yFScMIRUYiKQ44TDiDtwyL07sc4ob1X/uY
-na1GnyOBjYEg+9nRwmV+QZwPjyP3Qe81rvH7saV2R2oc4uFU151KtoIT96V4FnpD
-CsFPGVul4i428zYDEguzEMWvPkOKrfFA63gfYl3JRbPYE9ISdZXU8UX6XEE3Y6sU
-VmeXK/IBAoGBAPLELsFdMqMhycXxrGuQ4HiH5/vQ2RhFcOf842a8qysopFC5kluf
-Y83dMy9GP8BLgt/NMseBDFcaGgaZPhD10kpW0BCg5GKdkcBfuIE5C/rfe4m82TqC
-VkriGimG8FkTCQS9ghGwbDWYZnMZbqyJ2iRt/+M9Lvfd1tYTCQtNuI/TAoGBAMDJ
-g/vS12j4uJ+SDy7QY6suSOjkQoGO8qonhx9W/2XJSH4KL1ubeOt4eOJksHnwueCW
-YD+2+T4+NDumMnmT7Rl8is1RfnnWNH91tylPB9I5Hyff/+PU5rUSoRfpmeckH3pc
-5EmfoaqT7V436hjkZF1uY1QJjDMopSyg3TSVmtJJAoGBAOAVAAdSDGSR0ppYuktL
-njcDU7mXjFwf9NjeD9UL/39F823j7NmPpWMnc5CGamAIE1SbJu0KDCb2G+HNX4Hu
-Nd6ShVlj+YuhYCDO+hKlYo597J016Nld52MVkwqT2JSPwnpSppXHYAqUkrRZXFP8
-ppOLyW+qUQlQBnbxeR6q7dorAoGAU/gxzYCDJIyY1Z/njwtjLg8l4JJzSTz7AxPe
-bc8VxL7MHWHQSMVKAL3jYTBcEXDBdUnqODY5D1xGoeh8uamtrtkpF860GNss2Its
-MMjkbjNFF7ggG5sCtcGceu7bguqf70sAf/TQlJyD2fLeuuLXuD45c0QJVcsRToPu
-dVXoLkkCgYEA5JkhCPE9a2ssrqi1ZFt3FAayulycM+r+wJY7zNIwv/ydzbE5D4Ar
-s8YOjhwyBoyorrEztcvIKF5XA89ZIwHiKZQxJTWGeFKq/PYTclzwlOXAimkdYNXn
-Nc/5RLjEeophXb4f3WPjMBliYGX0tOPhT+buHep+f0enxgO8Z2a4Omg=
------END RSA PRIVATE KEY-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..0d6d7a6f82 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 44daefb002..0ff3564742 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -485,6 +485,11 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+$serialno =~ s/^serial=//;
+$serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+
command_like(
[
'psql',
@@ -500,7 +505,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
--
2.25.1
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 4 Mar 2021, at 01:03, Jacob Champion <pchampion@vmware.com> wrote:
Andrew pointed out elsewhere [1] that it's pretty difficult to add new
certificates to the test/ssl suite without blowing away the current
state and starting over. I needed new cases for the NSS backend work,
and ran into the same pain, so here is my attempt to improve the
situation.
Thanks for working on this, I second the pain cited. I've just started to look
at this, so only a few comments thus far.
The unused server-ss certificate has been removed entirely.
Nice catch, this seems to have been unused since the original import of the SSL
test suite. To cut down scope of the patch (even if only a small bit) I
propose to apply this separately first, as per the attached.
- Serial number collisions are less likely, thanks to Andrew's idea to
use the current clock time as the initial serial number in a series.
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+$serialno =~ s/^serial=//;
+$serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimalWill that work on Windows? We don't currently require the openssl binary to be
in PATH unless one wants to rebuild sslfiles (which it is quite likely to be
but there should at least be errorhandling covering when it's not).
- I am making _heavy_ use of GNU Make-isms, which does not improve
long-term maintainability.
GNU Make is already a requirement, I don't see this shifting the needle in any
direction.
--
Daniel Gustafsson https://vmware.com/
Attachments:
ssl-remove-server-ss.patchapplication/octet-stream; name=ssl-remove-server-ss.patch; x-unix-mode=0644Download
From 9a4149d6df6c3cb0021c3a8c38b9493afa1b8892 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Tue, 27 Jul 2021 02:50:14 +0200
Subject: [PATCH] Remove unused regression test certificate server-ss
The server-ss certificate was included in e39250c64 but was never
used in the TLS regression tests so remove.
Author: Jacob Champion
Discussion: https://postgr.es/m/d15a9838344ba090e09fd866abf913584ea19fb7.camel@vmware.com
---
src/test/ssl/Makefile | 8 +-------
src/test/ssl/README | 3 ---
src/test/ssl/ssl/server-ss.crt | 19 -------------------
src/test/ssl/ssl/server-ss.key | 27 ---------------------------
4 files changed, 1 insertion(+), 56 deletions(-)
delete mode 100644 src/test/ssl/ssl/server-ss.crt
delete mode 100644 src/test/ssl/ssl/server-ss.key
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index a517756c94..c216560dcc 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -17,7 +17,7 @@ export with_ssl
CERTIFICATES := server_ca server-cn-and-alt-names \
server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked server-ss \
+ server-no-names server-revoked \
client_ca client client-dn client-revoked \
root_ca
@@ -74,12 +74,6 @@ ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
rm ssl/server-$*.csr
-# Self-signed version of server-cn-only.crt
-ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
- openssl req -new -key ssl/server-cn-only.key -out ssl/server-ss.csr -config server-cn-only.config
- openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt -extensions v3_req -extfile server-cn-only.config
- rm ssl/server-ss.csr
-
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
diff --git a/src/test/ssl/README b/src/test/ssl/README
index 84baa478ce..b9d96a637d 100644
--- a/src/test/ssl/README
+++ b/src/test/ssl/README
@@ -52,9 +52,6 @@ server-no-names
server certificates, with small variations in the hostnames present
in the certificate. Signed by server_ca.
-server-ss
- same as server-cn-only, but self-signed.
-
server-password
same as server-cn-only, but password-protected.
diff --git a/src/test/ssl/ssl/server-ss.crt b/src/test/ssl/ssl/server-ss.crt
deleted file mode 100644
index d775e6029a..0000000000
--- a/src/test/ssl/ssl/server-ss.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDGDCCAgCgAwIBAgIUVR71MjsbvBO6T1gJQaL/6hMwhqQwDQYJKoZIhvcNAQEL
-BQAwRjEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVzdC50ZXN0MR4wHAYD
-VQQLDBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYw
-NDE0MTM0MDU0WjBGMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1zc2x0ZXN0LnRl
-c3QxHjAcBgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANWzVPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7
-zJkxnnm6RGBXPx6vK3AkAIi+wG4YmXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu
-3nDjAVkPexsSrPyiKimFuNgDfkGe5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWW
-Jf5D/PehdSuc0e5Me+91Nnbz90nlds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzf
-wl36Kd/bWB0fAEVFse3iZWmigaI/9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo
-3rE6jg6/iAwSWib9yabfYPKbqq2GoFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG
-9w0BAQsFAAOCAQEAtHR6o4UIO/aWEAzcmnJKsQDC999jbQGiqs9+v62mz5TvCk/1
-gL9/s/yfGY+pnDGW1ijI2xiL9KCJzjd8YB+F8iUViVQ6uHBxghxC1H2qOIr2UPFQ
-gQRu7d0DByQBsiXMOdw10luGo1oHhqMe5J7VyMVG/7aRpr6zYKrH7PzsB8ucvxzv
-Lm8ez0WBPebV69sim431iJcVcxxBbFd4qUJ9cHIc7VO2mSaazsIOzbd400POF/vk
-gfpDs48GfnZ+X3hgoQA4u7eudLqttI+j1xV+IHlCtaa1nDHymUrN/FhI1x+6c1SU
-V12eHqVatPMe0d+OCJPqIL9lbe+sGXlxDkMqAQ==
------END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ss.key b/src/test/ssl/ssl/server-ss.key
deleted file mode 100644
index a5e7f4bbfa..0000000000
--- a/src/test/ssl/ssl/server-ss.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAttI8Qu3wJgwp9RqLEqgO5GlYdA4bG+OyB4y+Bx4DQ7fhaJvJ
-vwBfY8ig+nPZU5WJNDyoaPtDg2uQwWbUq9WXkdktAxelrisQ/oJiCscPARlAIM6U
-XPOXai10XQ6QsMaaa6cXIGkMZVfhYEbuN0Q8TJSC1MbSQ/TtCnWxMRmktRv5xx8y
-2DgGbYRSiuBNE0vneQMjBJeRs19k/V8Alk49vOk8T8Ep0PFkAQglpUc7/LFueKry
-sVW+6ptdmqqHUZTdZhU/IojKEhUF8dtyGpGF9bE0kfjB7vXth8LKQ9Utik7VS1tQ
-E8fK2ttvxAqDf8s3MChnXbMN6QrzaGSS44oZKwIDAQABAoIBAQCsMhjQcYxgSdS7
-J+UWDXT5bsABj8e43R4yPj4+NeadQfTtss6zOIagVbhKLhPkxlQU/40gVIminw4Z
-G+H0d5nrpcLfxsYm5il7jxMJU7SuNDpSrEDRzB4xw952R+HAn0+TVi5SOJ+UVNHS
-/Pwi0gJ5nugbwakKmQcrcu8ScDTS34yFScMIRUYiKQ44TDiDtwyL07sc4ob1X/uY
-na1GnyOBjYEg+9nRwmV+QZwPjyP3Qe81rvH7saV2R2oc4uFU151KtoIT96V4FnpD
-CsFPGVul4i428zYDEguzEMWvPkOKrfFA63gfYl3JRbPYE9ISdZXU8UX6XEE3Y6sU
-VmeXK/IBAoGBAPLELsFdMqMhycXxrGuQ4HiH5/vQ2RhFcOf842a8qysopFC5kluf
-Y83dMy9GP8BLgt/NMseBDFcaGgaZPhD10kpW0BCg5GKdkcBfuIE5C/rfe4m82TqC
-VkriGimG8FkTCQS9ghGwbDWYZnMZbqyJ2iRt/+M9Lvfd1tYTCQtNuI/TAoGBAMDJ
-g/vS12j4uJ+SDy7QY6suSOjkQoGO8qonhx9W/2XJSH4KL1ubeOt4eOJksHnwueCW
-YD+2+T4+NDumMnmT7Rl8is1RfnnWNH91tylPB9I5Hyff/+PU5rUSoRfpmeckH3pc
-5EmfoaqT7V436hjkZF1uY1QJjDMopSyg3TSVmtJJAoGBAOAVAAdSDGSR0ppYuktL
-njcDU7mXjFwf9NjeD9UL/39F823j7NmPpWMnc5CGamAIE1SbJu0KDCb2G+HNX4Hu
-Nd6ShVlj+YuhYCDO+hKlYo597J016Nld52MVkwqT2JSPwnpSppXHYAqUkrRZXFP8
-ppOLyW+qUQlQBnbxeR6q7dorAoGAU/gxzYCDJIyY1Z/njwtjLg8l4JJzSTz7AxPe
-bc8VxL7MHWHQSMVKAL3jYTBcEXDBdUnqODY5D1xGoeh8uamtrtkpF860GNss2Its
-MMjkbjNFF7ggG5sCtcGceu7bguqf70sAf/TQlJyD2fLeuuLXuD45c0QJVcsRToPu
-dVXoLkkCgYEA5JkhCPE9a2ssrqi1ZFt3FAayulycM+r+wJY7zNIwv/ydzbE5D4Ar
-s8YOjhwyBoyorrEztcvIKF5XA89ZIwHiKZQxJTWGeFKq/PYTclzwlOXAimkdYNXn
-Nc/5RLjEeophXb4f3WPjMBliYGX0tOPhT+buHep+f0enxgO8Z2a4Omg=
------END RSA PRIVATE KEY-----
--
2.30.1 (Apple Git-130)
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Wed, 2021-07-28 at 00:24 +0200, Daniel Gustafsson wrote:
On 4 Mar 2021, at 01:03, Jacob Champion <pchampion@vmware.com> wrote:
Andrew pointed out elsewhere [1] that it's pretty difficult to add new
certificates to the test/ssl suite without blowing away the current
state and starting over. I needed new cases for the NSS backend work,
and ran into the same pain, so here is my attempt to improve the
situation.Thanks for working on this, I second the pain cited. I've just started to look
at this, so only a few comments thus far.The unused server-ss certificate has been removed entirely.
Nice catch, this seems to have been unused since the original import of the SSL
test suite. To cut down scope of the patch (even if only a small bit) I
propose to apply this separately first, as per the attached.
LGTM.
- Serial number collisions are less likely, thanks to Andrew's idea to
use the current clock time as the initial serial number in a series.+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`; +$serialno =~ s/^serial=//; +$serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimalWill that work on Windows? We don't currently require the openssl binary to be
in PATH unless one wants to rebuild sslfiles (which it is quite likely to be
but there should at least be errorhandling covering when it's not).
Hm, that's a good point. It should be easy enough for me to add a
fallback if the invocation fails; I'll give it a shot tomorrow.
- I am making _heavy_ use of GNU Make-isms, which does not improve
long-term maintainability.GNU Make is already a requirement, I don't see this shifting the needle in any
direction.
As long as the .SECONDARYEXPANSION magic is clear enough to others, I'm
happy.
Thanks!
--Jacob
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 7/28/21 4:10 PM, Jacob Champion wrote:
- I am making _heavy_ use of GNU Make-isms, which does not improve
long-term maintainability.GNU Make is already a requirement, I don't see this shifting the needle in any
direction.As long as the .SECONDARYEXPANSION magic is clear enough to others, I'm
happy.
We don't currently have any, and so many of us (including me) will have
to learn to understand it. But that's not to say it's unacceptable. If
there's no new infrastructure requirement then I'm OK with it.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
Jacob Champion <pchampion@vmware.com> writes:
On Wed, 2021-07-28 at 00:24 +0200, Daniel Gustafsson wrote:
GNU Make is already a requirement, I don't see this shifting the needle in any
direction.
Um ... the existing requirement is for gmake 3.80 or newer;
if you want to use newer features we'd have to have a discussion
about whether it's worthwhile to move that goalpost.
As long as the .SECONDARYEXPANSION magic is clear enough to others, I'm
happy.
After reading the gmake docs about that, I'd have to say it's
likely to be next door to unmaintainable. Do we really have
to be that cute? And, AFAICT, it's not in 3.80.
regards, tom lane
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 28 Jul 2021, at 23:02, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Jacob Champion <pchampion@vmware.com> writes:
As long as the .SECONDARYEXPANSION magic is clear enough to others, I'm
happy.After reading the gmake docs about that, I'd have to say it's likely to be next
door to unmaintainable.
Personally, I don’t think it’s that bad, but mileage varies. It’s obviously a
show-stopper if maintainers don’t feel comfortable with it.
And, AFAICT, it's not in 3.80.
That however, is a very good point that I missed. I think it’s a good tool,
but probably not enough to bump the requirement.
--
Daniel Gustafsson https://vmware.com/
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Wed, 2021-07-28 at 23:09 +0200, Daniel Gustafsson wrote:
On 28 Jul 2021, at 23:02, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Jacob Champion <pchampion@vmware.com> writes:As long as the .SECONDARYEXPANSION magic is clear enough to others, I'm
happy.After reading the gmake docs about that, I'd have to say it's likely to be next
door to unmaintainable.Personally, I don’t think it’s that bad, but mileage varies. It’s obviously a
show-stopper if maintainers don’t feel comfortable with it.And, AFAICT, it's not in 3.80.
That however, is a very good point that I missed. I think it’s a good tool,
but probably not enough to bump the requirement.
No worries, it's easy enough to unroll the expansion manually. The
annoyances without secondary expansion are the duplicated lines for
each individual CA and the need to introduce .INTERMEDIATE targets so
that cleanup works as intended.
Attached is a v3 that does that, and introduces a fallback in case
openssl isn't on the PATH. I also missed a Makefile dependency on
cas.config the first time through, which has been fixed. The patch you
pulled out earlier is 0001 in the set.
--Jacob
Attachments:
since-v2.diff.txttext/plain; name=since-v2.diff.txtDownload
commit df27e4a27da2c2761c667fcbe775b77fadf25cfe
Author: Jacob Champion <pchampion@vmware.com>
Date: Fri Jul 30 10:55:10 2021 -0400
squash! test/ssl: rework the sslfiles Makefile target
Feedback:
- don't use .SECONDARYEXPANSION; unroll recipes for each CA
- don't fail tests if openssl isn't functional on the PATH
Also add a dependency on cas.config for the recipes that use it.
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 6e67013f61..458520dc6d 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -132,24 +132,29 @@ $(STANDARD_KEYS):
# Standard certificates
#
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
-ssl/server_ca.crt ssl/client_ca.crt: ca := root_ca
-$(SERVER_CERTS): ca := server_ca
-$(CLIENT_CERTS): ca := client_ca
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
-ca_state_files = ssl/$(ca)-certindex ssl/$(ca)-certindex.attr ssl/$(ca).srl
-
-# This is the workhorse recipe. `openssl ca` can't be safely run from parallel
-# processes, so we must mark the entire Makefile .NOTPARALLEL. Enable
-# .SECONDEXPANSION so that the correct dependencies are determined by the value
-# of $(ca).
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
.NOTPARALLEL:
-.SECONDEXPANSION: $(STANDARD_CERTS)
-ssl/%.crt: ssl/%.csr %.config ssl/$$(ca).crt | ssl/new_certs_dir $$(ca_state_files)
- openssl ca -batch -config cas.config -name $(ca) -notext -in $< -out $@
+$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
ssl/%.csr: ssl/%.key %.config
openssl req -new -key $< -out $@ -config $*.config
@@ -157,12 +162,13 @@ ssl/%.csr: ssl/%.key %.config
# CA State
#
# All of these are intended to be order-only dependencies; additionally, the
-# pattern recipes are intended to be intermediates, so do not name them
-# explicitly somewhere else in the Makefile. The goal is for Make to create the
-# state files once for each CA, allow them to accumulate whatever state is
-# needed, and then automatically remove them at the end of the run.
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
#
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.
ssl/new_certs_dir:
@@ -183,19 +189,16 @@ ssl/%.srl:
# CRLs
#
-ssl/root.crl: revoked :=
-ssl/root.crl: ca := root_ca
-
-ssl/client.crl: revoked := ssl/client-revoked.crt
-ssl/client.crl: ca := client_ca
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config cas.config -name root_ca -gencrl -out $@
-ssl/server.crl: revoked := ssl/server-revoked.crt
-ssl/server.crl: ca := server_ca
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config cas.config -name server_ca -revoke $<
+ openssl ca -config cas.config -name server_ca -gencrl -out $@
-.SECONDEXPANSION: $(CRLS)
-ssl/%.crl: ssl/$$(ca).crt $$(revoked) | $$(ca_state_files)
- $(foreach cert,$(revoked),openssl ca -config cas.config -name $(ca) -revoke $(cert) &&) true
- openssl ca -config cas.config -name $(ca) -gencrl -out $@
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config cas.config -name client_ca -revoke $<
+ openssl ca -config cas.config -name client_ca -gencrl -out $@
#
# CRL hash directories
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 0ff3564742..4d8fdd7620 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -487,8 +487,18 @@ TODO:
# pg_stat_ssl
my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
-$serialno =~ s/^serial=//;
-$serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+if ($? == 0)
+{
+ $serialno =~ s/^serial=//;
+ $serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+}
+else
+{
+ # OpenSSL isn't functioning on the user's PATH. This probably isn't worth
+ # skipping the test over, so just fall back to a generic integer match.
+ warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ $serialno = '\d+';
+}
command_like(
[
v3-0001-Remove-unused-regression-test-certificate-server-.patchtext/x-patch; name=v3-0001-Remove-unused-regression-test-certificate-server-.patchDownload
From 6c9ede67cb3e2e666c783d3ba8185110354d95c4 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Tue, 27 Jul 2021 02:50:14 +0200
Subject: [PATCH v3 1/2] Remove unused regression test certificate server-ss
The server-ss certificate was included in e39250c64 but was never
used in the TLS regression tests so remove.
Author: Jacob Champion
Discussion: https://postgr.es/m/d15a9838344ba090e09fd866abf913584ea19fb7.camel@vmware.com
---
src/test/ssl/Makefile | 8 +-------
src/test/ssl/README | 3 ---
src/test/ssl/ssl/server-ss.crt | 19 -------------------
src/test/ssl/ssl/server-ss.key | 27 ---------------------------
4 files changed, 1 insertion(+), 56 deletions(-)
delete mode 100644 src/test/ssl/ssl/server-ss.crt
delete mode 100644 src/test/ssl/ssl/server-ss.key
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index a517756c94..c216560dcc 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -17,7 +17,7 @@ export with_ssl
CERTIFICATES := server_ca server-cn-and-alt-names \
server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked server-ss \
+ server-no-names server-revoked \
client_ca client client-dn client-revoked \
root_ca
@@ -74,12 +74,6 @@ ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
rm ssl/server-$*.csr
-# Self-signed version of server-cn-only.crt
-ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
- openssl req -new -key ssl/server-cn-only.key -out ssl/server-ss.csr -config server-cn-only.config
- openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt -extensions v3_req -extfile server-cn-only.config
- rm ssl/server-ss.csr
-
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
diff --git a/src/test/ssl/README b/src/test/ssl/README
index 84baa478ce..b9d96a637d 100644
--- a/src/test/ssl/README
+++ b/src/test/ssl/README
@@ -52,9 +52,6 @@ server-no-names
server certificates, with small variations in the hostnames present
in the certificate. Signed by server_ca.
-server-ss
- same as server-cn-only, but self-signed.
-
server-password
same as server-cn-only, but password-protected.
diff --git a/src/test/ssl/ssl/server-ss.crt b/src/test/ssl/ssl/server-ss.crt
deleted file mode 100644
index d775e6029a..0000000000
--- a/src/test/ssl/ssl/server-ss.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDGDCCAgCgAwIBAgIUVR71MjsbvBO6T1gJQaL/6hMwhqQwDQYJKoZIhvcNAQEL
-BQAwRjEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVzdC50ZXN0MR4wHAYD
-VQQLDBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYw
-NDE0MTM0MDU0WjBGMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1zc2x0ZXN0LnRl
-c3QxHjAcBgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANWzVPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7
-zJkxnnm6RGBXPx6vK3AkAIi+wG4YmXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu
-3nDjAVkPexsSrPyiKimFuNgDfkGe5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWW
-Jf5D/PehdSuc0e5Me+91Nnbz90nlds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzf
-wl36Kd/bWB0fAEVFse3iZWmigaI/9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo
-3rE6jg6/iAwSWib9yabfYPKbqq2GoFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG
-9w0BAQsFAAOCAQEAtHR6o4UIO/aWEAzcmnJKsQDC999jbQGiqs9+v62mz5TvCk/1
-gL9/s/yfGY+pnDGW1ijI2xiL9KCJzjd8YB+F8iUViVQ6uHBxghxC1H2qOIr2UPFQ
-gQRu7d0DByQBsiXMOdw10luGo1oHhqMe5J7VyMVG/7aRpr6zYKrH7PzsB8ucvxzv
-Lm8ez0WBPebV69sim431iJcVcxxBbFd4qUJ9cHIc7VO2mSaazsIOzbd400POF/vk
-gfpDs48GfnZ+X3hgoQA4u7eudLqttI+j1xV+IHlCtaa1nDHymUrN/FhI1x+6c1SU
-V12eHqVatPMe0d+OCJPqIL9lbe+sGXlxDkMqAQ==
------END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ss.key b/src/test/ssl/ssl/server-ss.key
deleted file mode 100644
index a5e7f4bbfa..0000000000
--- a/src/test/ssl/ssl/server-ss.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAttI8Qu3wJgwp9RqLEqgO5GlYdA4bG+OyB4y+Bx4DQ7fhaJvJ
-vwBfY8ig+nPZU5WJNDyoaPtDg2uQwWbUq9WXkdktAxelrisQ/oJiCscPARlAIM6U
-XPOXai10XQ6QsMaaa6cXIGkMZVfhYEbuN0Q8TJSC1MbSQ/TtCnWxMRmktRv5xx8y
-2DgGbYRSiuBNE0vneQMjBJeRs19k/V8Alk49vOk8T8Ep0PFkAQglpUc7/LFueKry
-sVW+6ptdmqqHUZTdZhU/IojKEhUF8dtyGpGF9bE0kfjB7vXth8LKQ9Utik7VS1tQ
-E8fK2ttvxAqDf8s3MChnXbMN6QrzaGSS44oZKwIDAQABAoIBAQCsMhjQcYxgSdS7
-J+UWDXT5bsABj8e43R4yPj4+NeadQfTtss6zOIagVbhKLhPkxlQU/40gVIminw4Z
-G+H0d5nrpcLfxsYm5il7jxMJU7SuNDpSrEDRzB4xw952R+HAn0+TVi5SOJ+UVNHS
-/Pwi0gJ5nugbwakKmQcrcu8ScDTS34yFScMIRUYiKQ44TDiDtwyL07sc4ob1X/uY
-na1GnyOBjYEg+9nRwmV+QZwPjyP3Qe81rvH7saV2R2oc4uFU151KtoIT96V4FnpD
-CsFPGVul4i428zYDEguzEMWvPkOKrfFA63gfYl3JRbPYE9ISdZXU8UX6XEE3Y6sU
-VmeXK/IBAoGBAPLELsFdMqMhycXxrGuQ4HiH5/vQ2RhFcOf842a8qysopFC5kluf
-Y83dMy9GP8BLgt/NMseBDFcaGgaZPhD10kpW0BCg5GKdkcBfuIE5C/rfe4m82TqC
-VkriGimG8FkTCQS9ghGwbDWYZnMZbqyJ2iRt/+M9Lvfd1tYTCQtNuI/TAoGBAMDJ
-g/vS12j4uJ+SDy7QY6suSOjkQoGO8qonhx9W/2XJSH4KL1ubeOt4eOJksHnwueCW
-YD+2+T4+NDumMnmT7Rl8is1RfnnWNH91tylPB9I5Hyff/+PU5rUSoRfpmeckH3pc
-5EmfoaqT7V436hjkZF1uY1QJjDMopSyg3TSVmtJJAoGBAOAVAAdSDGSR0ppYuktL
-njcDU7mXjFwf9NjeD9UL/39F823j7NmPpWMnc5CGamAIE1SbJu0KDCb2G+HNX4Hu
-Nd6ShVlj+YuhYCDO+hKlYo597J016Nld52MVkwqT2JSPwnpSppXHYAqUkrRZXFP8
-ppOLyW+qUQlQBnbxeR6q7dorAoGAU/gxzYCDJIyY1Z/njwtjLg8l4JJzSTz7AxPe
-bc8VxL7MHWHQSMVKAL3jYTBcEXDBdUnqODY5D1xGoeh8uamtrtkpF860GNss2Its
-MMjkbjNFF7ggG5sCtcGceu7bguqf70sAf/TQlJyD2fLeuuLXuD45c0QJVcsRToPu
-dVXoLkkCgYEA5JkhCPE9a2ssrqi1ZFt3FAayulycM+r+wJY7zNIwv/ydzbE5D4Ar
-s8YOjhwyBoyorrEztcvIKF5XA89ZIwHiKZQxJTWGeFKq/PYTclzwlOXAimkdYNXn
-Nc/5RLjEeophXb4f3WPjMBliYGX0tOPhT+buHep+f0enxgO8Z2a4Omg=
------END RSA PRIVATE KEY-----
--
2.25.1
v3-0002-test-ssl-rework-the-sslfiles-Makefile-target.patchtext/x-patch; name=v3-0002-test-ssl-rework-the-sslfiles-Makefile-target.patchDownload
From b8525c2aa332617c142cfe80e13b91bee304ff52 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 26 Feb 2021 15:25:28 -0800
Subject: [PATCH v3 2/2] test/ssl: rework the sslfiles Makefile target
Adding a new certificate is as easy as dropping in a new .config file,
adding it to the top of the Makefile, and running `make sslfiles`.
Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
dirs.
- New certificates have serial numbers based on the current time,
reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
possible copy-paste errors).
---
src/Makefile.global.in | 5 +-
src/test/ssl/Makefile | 258 +++++++++++-------
src/test/ssl/cas.config | 10 +-
src/test/ssl/client-dn.config | 1 -
src/test/ssl/client-revoked.config | 13 +
src/test/ssl/client.config | 1 -
src/test/ssl/client_ca.config | 5 +
src/test/ssl/root_ca.config | 1 +
src/test/ssl/server-cn-only.config | 3 +-
src/test/ssl/server-no-names.config | 5 +-
src/test/ssl/server-revoked.config | 3 +-
src/test/ssl/server_ca.config | 5 +
src/test/ssl/ssl/both-cas-1.crt | 86 +++---
src/test/ssl/ssl/both-cas-2.crt | 86 +++---
src/test/ssl/ssl/client+client_ca.crt | 65 ++---
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 18 +-
src/test/ssl/ssl/client-dn.crt | 34 +--
src/test/ssl/ssl/client-revoked.crt | 31 ++-
src/test/ssl/ssl/client.crl | 18 +-
src/test/ssl/ssl/client.crt | 31 ++-
src/test/ssl/ssl/client_ca.crt | 34 +--
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 18 +-
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 16 +-
src/test/ssl/ssl/root+client.crl | 34 +--
src/test/ssl/ssl/root+client_ca.crt | 52 ++--
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 16 +-
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 18 +-
src/test/ssl/ssl/root+server.crl | 34 +--
src/test/ssl/ssl/root+server_ca.crt | 52 ++--
src/test/ssl/ssl/root.crl | 16 +-
src/test/ssl/ssl/root_ca.crt | 18 +-
src/test/ssl/ssl/server-cn-and-alt-names.crt | 36 +--
src/test/ssl/ssl/server-cn-only.crt | 33 +--
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 18 +-
.../ssl/ssl/server-multiple-alt-names.crt | 36 +--
src/test/ssl/ssl/server-no-names.crt | 32 +--
src/test/ssl/ssl/server-revoked.crt | 33 +--
src/test/ssl/ssl/server-single-alt-name.crt | 34 +--
src/test/ssl/ssl/server.crl | 18 +-
src/test/ssl/ssl/server_ca.crt | 34 +--
src/test/ssl/t/001_ssltests.pl | 17 +-
41 files changed, 681 insertions(+), 597 deletions(-)
create mode 100644 src/test/ssl/client-revoked.config
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 6e2f224cc4..cf349d19e4 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -32,8 +32,11 @@ all:
# started to update the file.
.DELETE_ON_ERROR:
-# Never delete any intermediate files automatically.
+# Never delete any intermediate files automatically unless the Makefile
+# explicitly asks for it.
+ifneq ($(clean_intermediates),yes)
.SECONDARY:
+endif
# PostgreSQL version number
VERSION = @PACKAGE_VERSION@
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index c216560dcc..458520dc6d 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -11,168 +11,216 @@
subdir = src/test/ssl
top_builddir = ../../..
+
+clean_intermediates := yes
include $(top_builddir)/src/Makefile.global
export with_ssl
-CERTIFICATES := server_ca server-cn-and-alt-names \
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked \
- client_ca client client-dn client-revoked \
- root_ca
+ server-no-names server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
- ssl/server-password.key \
- ssl/client.crl ssl/server.crl ssl/root.crl \
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
ssl/both-cas-1.crt ssl/both-cas-2.crt \
ssl/root+server_ca.crt ssl/root+server.crl \
ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt ssl/client-der.key \
- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+ ssl/client+client_ca.crt
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
SSLDIRS := ssl/client-crldir ssl/server-crldir \
ssl/root+client-crldir ssl/root+server-crldir
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
-# This target will fail unless preceded by sslfiles-clean.
-#
+.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir ssl/new_certs_dir
+#
+# Special-case certificates
+#
-# Rule for creating private/public key pairs.
-ssl/%.key:
- openssl genrsa -out $@ 2048
- chmod 0600 $@
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key root_ca.config
+ openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
- touch ssl/root_ca-certindex
- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
- echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
- touch ssl/$*_ca-certindex
- echo "unique_subject=no" > ssl/$*_ca-certindex.attr
- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
- echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
- openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
- openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
- rm ssl/server-$*.csr
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
- rm ssl/client.csr ssl/temp.crt
-
-# Client certificate with multi-part DN, signed by the client CA:
-ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
- openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
- rm ssl/client-dn.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
- rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
+# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
+ openssl rsa -in $< -outform DER -out $@
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
+ssl/client-encrypted-pem.key: outform := PEM
+ssl/client-encrypted-der.key: outform := DER
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
-ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
-# Root certificate files that contains both CA certificates, for testing
+# Root certificate file that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
- cat $^ > $@
# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
- cat $^ > $@
# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
- cat $^ > $@
# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
- cat $^ > $@
+# and for the client, to present to the server
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
- cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
- cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
cat $^ > $@
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
- mkdir ssl/root+server-crldir
- cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
- cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+#
+# Standard keys
+#
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
- mkdir ssl/root+client-crldir
- cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
- cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
-ssl/server-crldir: ssl/server.crl
- mkdir ssl/server-crldir
- cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+#
+# Standard certificates
+#
+
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
+.NOTPARALLEL:
+$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
+ssl/%.csr: ssl/%.key %.config
+ openssl req -new -key $< -out $@ -config $*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
+#
+
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config cas.config -name root_ca -gencrl -out $@
+
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config cas.config -name server_ca -revoke $<
+ openssl ca -config cas.config -name server_ca -gencrl -out $@
+
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config cas.config -name client_ca -revoke $<
+ openssl ca -config cas.config -name client_ca -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
- mkdir ssl/client-crldir
- cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
.PHONY: sslfiles-clean
sslfiles-clean:
- rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
- rm -rf $(SSLDIRS)
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/cas.config b/src/test/ssl/cas.config
index 8c0ef6d82b..2c4851033a 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/cas.config
@@ -1,12 +1,5 @@
# This file contains the configuration for all the CAs.
-[ req ]
-prompt = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
# Root CA, used to sign the certificates of the intermediary server and
# client CAs.
[ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
new_certs_dir = ./ssl/new_certs_dir
policy = policy_match
email_in_dn = no
+copy_extensions = copy
# CA used to sign all the server certificates.
[ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/server_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/server.crl
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/client_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/client.crl
diff --git a/src/test/ssl/client-dn.config b/src/test/ssl/client-dn.config
index ee2df54bd6..0c71d83127 100644
--- a/src/test/ssl/client-dn.config
+++ b/src/test/ssl/client-dn.config
@@ -13,4 +13,3 @@ O = PGDG
CN = ssltestuser-dn
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client-revoked.config b/src/test/ssl/client-revoked.config
new file mode 100644
index 0000000000..3b82b57103
--- /dev/null
+++ b/src/test/ssl/client-revoked.config
@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = ssltestuser
+
+# no extensions in client certs
diff --git a/src/test/ssl/client.config b/src/test/ssl/client.config
index 2e9d40d299..26fc2571f5 100644
--- a/src/test/ssl/client.config
+++ b/src/test/ssl/client.config
@@ -10,4 +10,3 @@ prompt = no
CN = ssltestuser
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/client_ca.config
index ef93d598c2..5990f06000 100644
--- a/src/test/ssl/client_ca.config
+++ b/src/test/ssl/client_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/root_ca.config
index 187a9b8a46..e193186f8b 100644
--- a/src/test/ssl/root_ca.config
+++ b/src/test/ssl/root_ca.config
@@ -4,6 +4,7 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Test root CA for PostgreSQL SSL regression test suite
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/server-cn-only.config
index 1e5d582213..9edb7b7aca 100644
--- a/src/test/ssl/server-cn-only.config
+++ b/src/test/ssl/server-cn-only.config
@@ -9,5 +9,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/server-no-names.config
index 2a71125a42..89075dec83 100644
--- a/src/test/ssl/server-no-names.config
+++ b/src/test/ssl/server-no-names.config
@@ -10,7 +10,4 @@ prompt = no
[ req_distinguished_name ]
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/server-revoked.config
index 47ef6462dc..c9e1f5d431 100644
--- a/src/test/ssl/server-revoked.config
+++ b/src/test/ssl/server-revoked.config
@@ -11,5 +11,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/server_ca.config
index d6126d5195..496aaba29f 100644
--- a/src/test/ssl/server_ca.config
+++ b/src/test/ssl/server_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..4f4bc707d6 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..01d0c4d6a4 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..7fafa14de1 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,36 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-dn.crt b/src/test/ssl/ssl/client-dn.crt
index f2f6a62dad..0db14e5977 100644
--- a/src/test/ssl/ssl/client-dn.crt
+++ b/src/test/ssl/ssl/client-dn.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDBjCCAe4CAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0yMTAzMDUyMDUyNDVaFw00ODA3MjEyMDUyNDVaMFAxDTALBgNVBAoMBFBHREcx
-FDASBgNVBAsMC0VuZ2luZWVyaW5nMRAwDgYDVQQLDAdUZXN0aW5nMRcwFQYDVQQD
-DA5zc2x0ZXN0dXNlci1kbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMRLriq2Sh8+N4bhVtRUp/MAEsLQK6u/GotMSmiSr9K31YBYOvNzw8liKt4Rmnh5
-zmsdXJBW8erPNpkUAy9tFRCAx0YobhWCSfyX3orEdrhDrLFihA62zXQC69T0u4Yp
-PSXGd0yCAcOZERQ4CQVgqnsh7Kmx5QaQnqxaz4OVPArWFJP4RQBT/l+r+kCeAn6h
-qvbSbxY3FoCElQq0EF5x1F2pjL+HcBvjeI+GP430gVeJJX0RaG14Fp4v9MQT6zv/
-gvvjHC8l7YSJUROjeUzLZpUnj/ik4yrtT4av/TDGTSOpGs5qEATqk4hxAUEWw6TJ
-RoLh3Oq2N5KuzDmKBBskLX0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H54oyx
-pNkcgFF79lwc4c/Jda7j0wrZQIw5CWwO0MdCozJGRIEAA5WXA8b5THo1ZkaWv+sh
-lWnCOflBtGnEpD7dUpMW9lxGL5clMeMf3CoNYBb7zBofm+oTJytCzXHNftB4hCZj
-pvN79bNT4msWbmxDyi75nfbEfzK1BKnfCg+DWBBjEnHC8VzgDq6ACN6FEoyFb+fr
-dlDoof+S7k8jYAzhxwySI5DnMzr9OIwnepWfx9HENsasAighc8vFSEouShvsOlYS
-L0OIb9Tn6M5q1tWoLHulQsQYDPzaO/1M7ubsr5xCx1ReDK4gaNwS3YXn/2KE9Kco
-aKCrL89AjQrJPA==
+MIIDDTCCAfUCCCAhBikTA0IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwNjI5MjAwMzQyWhcNNDgxMTE0MjAwMzQyWjBQMQ0wCwYDVQQK
+DARQR0RHMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UECwwHVGVzdGluZzEX
+MBUGA1UEAwwOc3NsdGVzdHVzZXItZG4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDES64qtkofPjeG4VbUVKfzABLC0CurvxqLTEpokq/St9WAWDrzc8PJ
+YireEZp4ec5rHVyQVvHqzzaZFAMvbRUQgMdGKG4Vgkn8l96KxHa4Q6yxYoQOts10
+AuvU9LuGKT0lxndMggHDmREUOAkFYKp7IeypseUGkJ6sWs+DlTwK1hST+EUAU/5f
+q/pAngJ+oar20m8WNxaAhJUKtBBecdRdqYy/h3Ab43iPhj+N9IFXiSV9EWhteBae
+L/TEE+s7/4L74xwvJe2EiVETo3lMy2aVJ4/4pOMq7U+Gr/0wxk0jqRrOahAE6pOI
+cQFBFsOkyUaC4dzqtjeSrsw5igQbJC19AgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AECbQQ9rBzCexNI3VKDVA+CZa0ib48XbcJwXmva3spvjjCB5cGPToyF1B+4mVg1H
+1uM/XRAoQmNRtB+xKEAceMSxJA02tBlwMOclXlO0oGLYyc+S61K+UEPSk6Kka4aC
+NpeLSqN5ahC9z8C5uMJl36pFf13aU05uRkXKcI4gkn02I4jRc/a8gF7URdhdf920
+KmYSUh1V0B3pPAB6ArqJ60iHOqkCYIIIbi2EpVP53IKkoB9tr4ud8oMoN6ggIXU1
+2oHvnaKJ7RZaQNefS3WweyHxr4cCVtEour/ELph48OuW6Y5jqPT+5Ln3Qz0e6KW9
+o3thBx0aKSYlmt9gH254M9M=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..51ebe924a6 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
-UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
-U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
-xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
-ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
-l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX
+JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK
+QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg
+b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ
+708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG
+TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J
+N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf
+Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz
+8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r
+R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6
+EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB
+J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu
+moHgw8OJzg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..1f6ae05fe4 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..ef48749f76 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..02eff4d326 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..7819c54828 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..8b0c716d63 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..5074f4fa9b 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..5ee9870d6f 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..12d1ec363e 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
-c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
-YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
-U24PDn2etTZOK1wsHHkAiHPvgRX7G/+78a5fSC8nMNaH/oR4zMMhwksiruISA7x9
-/l+4DO7C42C5mRfnUmMGJdzau1+A8jcIxTWWoJtva9b1k3g+bvBGq9138X+bJKIW
-YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
-pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
-Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
-cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+MIIDVTCCAj2gAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMEYxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5h
+bWUucGctc3NsdGVzdC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwVES+mD1iY1UBGWNLsuBxGkyOGTI1X/sXcCUZ7aLOGkXHYatiUTcIrSNNAS5
+yCvbq/A/C1NuDw59nrU2TitcLBx5AIhz74EV+xv/u/GuX0gvJzDWh/6EeMzDIcJL
+Iq7iEgO8ff5fuAzuwuNguZkX51JjBiXc2rtfgPI3CMU1lqCbb2vW9ZN4Pm7wRqvd
+d/F/mySiFmLFsB4HLhCGZN89vO4cbslN4+YrGKEcHeXGWRaxv6gSXbpEgUYpefzz
++QB7AepU5aWntm3X+E1we5AHLSKckwUdBuT5uYgmZcYA/kCC4/9RS02jTlu4Vfrd
+SemHwuo2UQ5ODJxzAhWrEl3F4QIDAQABo0swSTBHBgNVHREEQDA+gh1kbnMxLmFs
+dC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0ZXN0
+LnRlc3QwDQYJKoZIhvcNAQELBQADggEBAG3dFQ/DqjFbjzIOni079R3I94lAZqbc
+cRUumDPSzihKwvCCnU5quqnYkOFISqBZsYmxR5fiHx4wT+jmWvLSltkaeS6gcGC1
+zuO8GFzL+PATUX63js8IfE3WYJE/bjmDVVzJOBArrbsExofdE2F2kkkLkjhk0ylg
+/TrAKtyqpsob0b4ZjMloR5JFHQXGHN/922x6Do1vduHMXlGckmR0sX6Mg/fiChVh
+vixUJje4W9ohft8G7lj3GnzI1gHEMp2PYKM+wqOug/gXEQuMIFlhjp2Mc6bAvFsD
+grgdAgcYUvgKukF9efJHq2V5XjqBWrmGAOQkiH1y+9gxhiHUiw+vojY=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..acdf6f1a75 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
-bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
-JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
-K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
-5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
-jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+MIIDAzCCAesCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWz
+VPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7zJkxnnm6RGBXPx6vK3AkAIi+wG4Y
+mXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu3nDjAVkPexsSrPyiKimFuNgDfkGe
+5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWWJf5D/PehdSuc0e5Me+91Nnbz90nl
+ds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzfwl36Kd/bWB0fAEVFse3iZWmigaI/
+9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo3rE6jg6/iAwSWib9yabfYPKbqq2G
+oFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA2AZrD9cTQXTW
+4j2tT8N/TTc6WK2ncN4h22NTte6vK7MVwsZJCtw5ndYkmxcWkXAqiclzWyMdayds
+WOa12CEH7jKAhivF4Hcw3oO3JHM5BA6KzLWBVz9uZksOM6mPqn29DTKvA/Y1V8tj
+mxK/KUA68h/u6inu3mo4ywBpb/tqHxxg2cjyR0faCmM0pwRM0HBr/16fUMfO83nj
+QG8g9J/bybu5sYso/aSoC5nUNp4XjmDMdVLdqg/nTe/ejS8IfFr0WQxBlqooqFgx
+MSE+kX2e2fHsuOWSU/9eClt6FpQrwoC2C8F+/4g1Uz7Liqc4yMHPwjgeP9ewrrLO
+iIhlNNPqpQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..58799e49f8 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
-3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
-eUQLCvPNgay3/ua4Mz0Nf7S9cgC9AZu/EEYjQIEzfO0cEANeVIWtgZfM3+2j0pmZ
-46AEYlEZJkmDT0/mnHk3YTj3I6qQhr34wZvqcrwouYRN5NiOVYJLpb6gPSoalm+P
-YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
-VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
-LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
-ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+MIIDSzCCAjOgAwIBAgIIICEDAxQSBwMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANdIkKX1X+Jwqo5EXC1z/TjUKnYTDzHYx2rCqprBU8fN0mSy
+lMyjDm+eo924PN7LahqCHeDCMbapwymkoNfpLHkNRwotHLvxN5RyxJD4m5fXclRo
+V1ZzwwXTqXlECwrzzYGst/7muDM9DX+0vXIAvQGbvxBGI0CBM3ztHBADXlSFrYGX
+zN/to9KZmeOgBGJRGSZJg09P5px5N2E49yOqkIa9+MGb6nK8KLmETeTYjlWCS6W+
+oD0qGpZvj2Fzioz+Pn1q9fB3WS687GuMT0WvV3LAzcn341r0E36bUf9rxSjfBX79
+11KsVMemr1QskSmvMQFEv6R1Rp8xUGPqKlkRJ9sCAwEAAaNnMGUwYwYDVR0RBFww
+WoIdZG5zMS5hbHQtbmFtZS5wZy1zc2x0ZXN0LnRlc3SCHWRuczIuYWx0LW5hbWUu
+cGctc3NsdGVzdC50ZXN0ghoqLndpbGRjYXJkLnBnLXNzbHRlc3QudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAuRAyYBwAZLKERoYDy/kE9LKddJfLhledTJ7+cIWs6T9V
+KBfWBHZYxfxmdBYwqVZfog8c5uHREfWiUPoF/aMq3ARay96aMh4xXJ+2a7HAmknF
+9AJWRieoc3H/QkMzAuT8IDTmoEarsr8vsX1MGabobZte/B9tEjq/z5t3GfLrHMVX
+5092U6Ka40ii4U1VwjR8YnRBwjm3UpLmZJAjvXjw13/XucNV5O8Plo1yvS+G0AMh
+KdMxExiItVtjZteiA0pJf0YGAzTFyzvwBljTcs4NfZ2M0ta9i0r4BF7wQ8tDezN7
+VxdJVPc5xPqncp0cMdUAE2xDmYlKEqB0kuAHNwH5/Q==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..b5d0589090 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
-+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
-4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
-Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
-Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+MIIC3TCCAcUCCCAhAwMUEgcEMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAgMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCfOf74edog2QHkJlreO6NJEe1VZUSxn+LBeHH8T5fniFiM4Ym9X2o3
+XKhYsvNSwvrfWwMkajMkd3b3vURiuiAxYzB/9AwX97RUkZ8TfuU3UgISiCbJZrVH
+TpfJEv7JhePgYpAoOdPWqtFPmnO/Xv6uNjsrx/V/3COovUj3eIcyQzAl+eC2U9Tn
+//dJ0kF+hDnOR3I/3e6bAboJjAVvLl2ABryaateHuUaCu/Bf5mG1DarXNXPKYuP+
+KrkjHhH0KQ4Js3nu7bPEiG0E/JmCR452j72WKb+PiJHOxdMMyztZ3k6bGGlbw60j
+CwQnUJAlPL4G9U+lpVYG6f7HxOaJEscfAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AJAwYwIL4oj3NisXCXkEp9zqDXiZvNW9yW3bY8lFFCpU7o5n92tCf2OFAkKaYhF1
+Eb2weyDULtW7W/wgdlOZL9npayYKzTusl6e8xfTQyjRCsoKWvnWOEkPH7VraZJ8c
+Ko1KhaVWX98VLdlUh5giYAEkdhk0qPYKsQ32unBXXJu0pX63pnPDoaUBiZUWr/3l
+CfkjgGY5YA8YxiDlHGNF1qlcX2fQKloDlvtH0L5Enwt25w2/IvWhTN6YxDR+rgdD
+XYbQr6o6vsmnZTJ3zUZ6XFo98sZq5L9oy1pcC8roV7w0AUVxraTWYILyGfNgruG8
+xsok/hu1L2VnktveEW/qoVs=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..3bb0f164a6 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
-4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
-PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
-WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
-qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
-34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+MIIDAzCCAesCCCAhAwMUEgcFMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKD
+zvJUs+N+KeDwWAW0zfI5C1t3BxKUwh+MrwtFeNIcxhJd9Bzy6fNnvpMa/kNPoHfN
+n73OGLYeSDyiDc56dvBjLOfxPXFFN4TCuIxYSizIjniL3tzP/a8hyvO+KqTYyaEs
+cT8+/rNnqlqBXNqcdChSGpk0y34uybvWj2/wDJWTbFJ20bI+30HOxCfK8Dp3s8Nl
+suVSuLKF/qqbidDZuOAKc0/GJo2F/5AF9MkMYELmG6XAVq/XDkI3oLtxQKh6kYfc
+nu3fI0Mwr9+FoP2q+K5KskA3KJLlgBOykG55Odbe6Js4TPHrMBTgC9aWrP/I1gb8
+tFY2FVN+D/Wl8T/Boh0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxVHoqX25W4Hx
+pMNjv2AJzcB7D+c+dUXAmLLJ7jh6szWeL0M2E5qX4dLc8LzQKnXv5ZcT4i/akjDX
+etdzuqh03kvDJvUkHclSWffmowmWMTG6GCA6S/2TQzSibIptkwqs74aIkayVJaC4
+jCBR+PVT8+cE2FMD6dAWu//fyEcpTg6XpZ/Upgu9OITGNaEQUGz8pSRkTgspfO0Q
+AKPmql6dpywReIlr5mzy9liCzf/BbAVHGmP/pBGIkLn2AzvPLCQ/UFZYT6aH7l5J
+nzmFhgRC3U5wPMdelHGrPMXg6OHCcyrQY0kEi7N/GQ5+jZkICoQuPJ7APKEZAUgO
+XRwVulaWJQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..7affdd68e7 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
-1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
-F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
-J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
-Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
-kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+MIIDEjCCAfqgAwIBAgIIICEDAxQSBwIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMWKHC1lrog7A8ye8C3NM38JBiQBMuIZR40wORl0hJxj5Tp8
+dX8Xo2Thi9Ry33+YfMwfkkF66ZRwnMMEa8VYBmOz+fZFzF19WpE8F1CR3PxKE7ai
+zvunxy8oMxdXdIuTTzt8a5NcDLe22C4Yj21qaZVoh182ycvMH93V4MwsLcV3/GdV
+Ko7QpwP2ZCf5D1rhyccx+Trwyb2bKvhW5Jd3GrRacFJQFfUyrAu/FvyuSPmn86ab
+Jkr7CCgFlg6e4O9SFY7yXiOgLotsoQ5/YriTLinvUTGCMCSxaol97qx3I2gUpCZu
+i7H+4Dt9L5FcCMshl0TU32dsjw6El1Wbzp6voCsCAwEAAaMuMCwwKgYDVR0RBCMw
+IYIfc2luZ2xlLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDANBgkqhkiG9w0BAQsF
+AAOCAQEAUIhBQLzQgd7wHlT9DARxcC7SZwQtnk2BVqMYTRBU4uIa0i2HVyetpe1P
+rREthYq5sgaSqdonD9Splg8BLUlah9y3v9j6DBxkxNnz/3AZuA5oPaC/TZ+lwlX3
+QNWWFNaNZdcQbvjUvoPXIbJ6U9UDfByOJdoN4kJ6xe8Faj1Mp5Euqzr1ErrMtPWJ
+XLnXLV4WyAx+iMAbofXNlCyUorPGA8lRudzQ7bKdrhMZDE66VYwlwsUejEiODt7M
+NGTDs4aAZz9cBRjMeXhvX60cFQoykjAvWbieUKOgaFmJJyKemFj12cLeWyxvUodI
+kYtgAdzftiCSrbDjl1pzPSM6RC/E/A==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..0d6d7a6f82 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 3bc711f4a7..a901077469 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -485,6 +485,21 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+if ($? == 0)
+{
+ $serialno =~ s/^serial=//;
+ $serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+}
+else
+{
+ # OpenSSL isn't functioning on the user's PATH. This probably isn't worth
+ # skipping the test over, so just fall back to a generic integer match.
+ warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ $serialno = '\d+';
+}
+
command_like(
[
'psql',
@@ -500,7 +515,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
--
2.25.1
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Fri, Jul 30, 2021 at 03:11:49PM +0000, Jacob Champion wrote:
No worries, it's easy enough to unroll the expansion manually. The
annoyances without secondary expansion are the duplicated lines for
each individual CA and the need to introduce .INTERMEDIATE targets so
that cleanup works as intended.Attached is a v3 that does that, and introduces a fallback in case
openssl isn't on the PATH. I also missed a Makefile dependency on
cas.config the first time through, which has been fixed. The patch you
pulled out earlier is 0001 in the set.
Patch 0001 is a good cleanup. Daniel, are you planning to apply that?
Regarding 0002, I am not sure. Even if this reduces a lot of
duplication, which is really nice, enforcing .SECONDARY to not trigger
with a change impacting Makefile.global.in does not sound very
appealing to me in the long-run, TBH.
--
Michael
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 10 Aug 2021, at 09:22, Michael Paquier <michael@paquier.xyz> wrote:
On Fri, Jul 30, 2021 at 03:11:49PM +0000, Jacob Champion wrote:
No worries, it's easy enough to unroll the expansion manually. The
annoyances without secondary expansion are the duplicated lines for
each individual CA and the need to introduce .INTERMEDIATE targets so
that cleanup works as intended.Attached is a v3 that does that, and introduces a fallback in case
openssl isn't on the PATH. I also missed a Makefile dependency on
cas.config the first time through, which has been fixed. The patch you
pulled out earlier is 0001 in the set.Patch 0001 is a good cleanup. Daniel, are you planning to apply that?
Yes, it’s on my todo for today.
Regarding 0002, I am not sure. Even if this reduces a lot of
duplication, which is really nice, enforcing .SECONDARY to not trigger
with a change impacting Makefile.global.in does not sound very
appealing to me in the long-run, TBH.
I personally think the increased readability and usability from what we have
today warrants the changes. Is it the use of .SECONDARY or the change in the
global Makefile you object to (or both)?
--
Daniel Gustafsson https://vmware.com/
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
Michael Paquier <michael@paquier.xyz> writes:
Regarding 0002, I am not sure. Even if this reduces a lot of
duplication, which is really nice, enforcing .SECONDARY to not trigger
with a change impacting Makefile.global.in does not sound very
appealing to me in the long-run, TBH.
Yeah, I don't like that change either. It would be one thing if
we had several places in which suppressing .SECONDARY was useful,
but if there's only one then it seems better to design around it.
As a concrete example of why this might be a bad idea, how sure
are you that noplace in Makefile.global depends on that behavior?
regards, tom lane
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Tue, Aug 10, 2021 at 09:36:14AM +0200, Daniel Gustafsson wrote:
I personally think the increased readability and usability from what we have
today warrants the changes. Is it the use of .SECONDARY or the change in the
global Makefile you object to (or both)?
The part I am mainly objecting to is the change in Makefile.global.in,
but I have to admit after thinking about it that enforcing SECONDARY
may not be a good idea if other parts of the system rely on that, so
encouraging the use of clean_intermediates may be dangerous (Tom's
point from upthread).
I have not tried so I am not sure, but perhaps we should just focus on
reducing the number of openssl commands rather than making easier the
integration of new files? It could be possible to close the gap with
the addition of new files with some more documentation for future
hackers then?
--
Michael
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Tue, 2021-08-10 at 16:22 +0900, Michael Paquier wrote:
Regarding 0002, I am not sure. Even if this reduces a lot of
duplication, which is really nice, enforcing .SECONDARY to not trigger
with a change impacting Makefile.global.in does not sound very
appealing to me in the long-run, TBH.
De-duplication isn't the primary goal of the .SECONDARY change. It
definitely helps with that, but the major improvement is that Make can
maintain the CA state with less hair-pulling:
1. Developer updates an arbitrary number of certificates and runs
`make sslfiles`.
2. Make sees that the CA state is missing, and creates it once at the
start of the run.
3. Make runs multiple `openssl ca` commands, depending on the
certificates being changed, which modify the CA state as they go.
4. After Make is finished, it removes all the CA files, putting your
local state back the way it was before you ran Make.
Doing it this way has several advantages:
- The magic state files don't persist to influence a future Make run,
so there's less chance of "I generated with local changes, then
pulled in the changes you made, and now everything's busted in weird
ways because my CA state disagrees with what's in the tree".
- Order-only intermediates do The Right Thing in this case -- create
once when needed, accumulate state during the run, remove at the end
-- whether you add a single certificate, or regenerate the entire
tree, or even Ctrl-C halfway through. That's going to be very hard to
imitate by sprinkling `rm`s like the current Makefile does, though
I've been the weeds long enough that maybe I'm missing an obvious
workaround.
- If, after all that, something still goes wrong (your machine crashes
so Make can't clean up), `git status` will now help you debug
dependency problems because it's no longer "normal" to carry the
intermediate litter in your source tree.
What it doesn't fix is the fact that we're still checking in generated
files that have interdependencies, so the timestamps Make is looking at
are still going to be wrong during initial checkout. That problem
existed before and will persist after this change.
On Wed, 2021-08-11 at 09:47 +0900, Michael Paquier wrote:
The part I am mainly objecting to is the change in Makefile.global.in,
but I have to admit after thinking about it that enforcing SECONDARY
may not be a good idea if other parts of the system rely on that, so
encouraging the use of clean_intermediates may be dangerous (Tom's
point from upthread).
I don't really want to encourage the use of clean_intermediates. I just
want Make to have its default, useful behavior for this one Makefile.
I have not tried so I am not sure, but perhaps we should just focus on
reducing the number of openssl commands rather than making easier the
integration of new files? It could be possible to close the gap with
the addition of new files with some more documentation for future
hackers then?
I'd rather fix the dependency/state bugs than document how to work
around them. I know the workarounds; it doesn't make working with this
Makefile any less maddening.
--Jacob
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Tue, 2021-08-10 at 11:26 -0400, Tom Lane wrote:
Yeah, I don't like that change either. It would be one thing if
we had several places in which suppressing .SECONDARY was useful,
but if there's only one then it seems better to design around it.
Maybe. The current Makefile already tried to design around it, with
`rm`s inserted various places. That strategy won't work for the CA
state, and my personal interest in trying to manually replicate built-
in Make features is... low.
As a concrete example of why this might be a bad idea, how sure
are you that noplace in Makefile.global depends on that behavior?
I was hoping that, by scoping the change to only a single Makefile with
the clean_intermediates flag, I could simplify that question to "does
any place in that one Makefile rely on an affected rule from
Makefile.global?" And the answer to that appears to be "no" at the
moment, because that Makefile doesn't really need the globals for
anything but the prove_ macros.
(Things would get hairier if someone included the SSL Makefile
somewhere else, but I don't see anyone doing that now and I don't know
why someone would.)
But -- if I do spend the time to answer your broader question, does it
actually help my case? Someone could always add more stuff to
Makefile.global. It sounds like the actual fear is that we don't
understand what might be interacting with a very broad global target,
and that fear is too great to try a scoped change, in a niche Makefile,
early in a release cycle, to improve a development issue multiple
committers have now complained about.
If _that's_ the case, then our build system is holding all of us
hostage. Which is frustrating to me. Should I shift focus to help with
that, first?
--Jacob
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Fri, Aug 13, 2021 at 12:08:16AM +0000, Jacob Champion wrote:
(Things would get hairier if someone included the SSL Makefile
somewhere else, but I don't see anyone doing that now and I don't know
why someone would.)
That would not happen. Hopefully.
But -- if I do spend the time to answer your broader question, does it
actually help my case? Someone could always add more stuff to
Makefile.global. It sounds like the actual fear is that we don't
understand what might be interacting with a very broad global target,
and that fear is too great to try a scoped change, in a niche Makefile,
early in a release cycle, to improve a development issue multiple
committers have now complained about.If _that's_ the case, then our build system is holding all of us
hostage. Which is frustrating to me. Should I shift focus to help with
that, first?
Fresh ideas in this area are welcome, yes. FWIW, I'll try to spend a
couple of hours on what you had upthread in 0002 for the
simplification of SSL stuff generation and see if I can come up with
something.
--
Michael
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Fri, 2021-08-27 at 15:02 +0900, Michael Paquier wrote:
On Fri, Aug 13, 2021 at 12:08:16AM +0000, Jacob Champion wrote:
(Things would get hairier if someone included the SSL Makefile
somewhere else, but I don't see anyone doing that now and I don't know
why someone would.)That would not happen. Hopefully.
:)
FWIW, I'll try to spend a
couple of hours on what you had upthread in 0002 for the
simplification of SSL stuff generation and see if I can come up with
something.
Thanks! The two-patch v3 no longer applies so I've attached a v4 to
make the cfbot happy.
--Jacob
Attachments:
v4-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchtext/x-patch; name=v4-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchDownload
From 6e038173717798dcd375e3741862152979c414fb Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 26 Feb 2021 15:25:28 -0800
Subject: [PATCH v4] test/ssl: rework the sslfiles Makefile target
Adding a new certificate is as easy as dropping in a new .config file,
adding it to the top of the Makefile, and running `make sslfiles`.
Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
dirs.
- New certificates have serial numbers based on the current time,
reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
possible copy-paste errors).
---
src/Makefile.global.in | 5 +-
src/test/ssl/Makefile | 258 +++++++++++-------
src/test/ssl/cas.config | 10 +-
src/test/ssl/client-dn.config | 1 -
src/test/ssl/client-revoked.config | 13 +
src/test/ssl/client.config | 1 -
src/test/ssl/client_ca.config | 5 +
src/test/ssl/root_ca.config | 1 +
src/test/ssl/server-cn-only.config | 3 +-
src/test/ssl/server-no-names.config | 5 +-
src/test/ssl/server-revoked.config | 3 +-
src/test/ssl/server_ca.config | 5 +
src/test/ssl/ssl/both-cas-1.crt | 86 +++---
src/test/ssl/ssl/both-cas-2.crt | 86 +++---
src/test/ssl/ssl/client+client_ca.crt | 65 ++---
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 18 +-
src/test/ssl/ssl/client-dn.crt | 34 +--
src/test/ssl/ssl/client-revoked.crt | 31 ++-
src/test/ssl/ssl/client.crl | 18 +-
src/test/ssl/ssl/client.crt | 31 ++-
src/test/ssl/ssl/client_ca.crt | 34 +--
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 18 +-
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 16 +-
src/test/ssl/ssl/root+client.crl | 34 +--
src/test/ssl/ssl/root+client_ca.crt | 52 ++--
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 16 +-
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 18 +-
src/test/ssl/ssl/root+server.crl | 34 +--
src/test/ssl/ssl/root+server_ca.crt | 52 ++--
src/test/ssl/ssl/root.crl | 16 +-
src/test/ssl/ssl/root_ca.crt | 18 +-
src/test/ssl/ssl/server-cn-and-alt-names.crt | 36 +--
src/test/ssl/ssl/server-cn-only.crt | 33 +--
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 18 +-
.../ssl/ssl/server-multiple-alt-names.crt | 36 +--
src/test/ssl/ssl/server-no-names.crt | 32 +--
src/test/ssl/ssl/server-revoked.crt | 33 +--
src/test/ssl/ssl/server-single-alt-name.crt | 34 +--
src/test/ssl/ssl/server.crl | 18 +-
src/test/ssl/ssl/server_ca.crt | 34 +--
src/test/ssl/t/001_ssltests.pl | 17 +-
41 files changed, 681 insertions(+), 597 deletions(-)
create mode 100644 src/test/ssl/client-revoked.config
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 6e2f224cc4..cf349d19e4 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -32,8 +32,11 @@ all:
# started to update the file.
.DELETE_ON_ERROR:
-# Never delete any intermediate files automatically.
+# Never delete any intermediate files automatically unless the Makefile
+# explicitly asks for it.
+ifneq ($(clean_intermediates),yes)
.SECONDARY:
+endif
# PostgreSQL version number
VERSION = @PACKAGE_VERSION@
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index c216560dcc..458520dc6d 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -11,168 +11,216 @@
subdir = src/test/ssl
top_builddir = ../../..
+
+clean_intermediates := yes
include $(top_builddir)/src/Makefile.global
export with_ssl
-CERTIFICATES := server_ca server-cn-and-alt-names \
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked \
- client_ca client client-dn client-revoked \
- root_ca
+ server-no-names server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
- ssl/server-password.key \
- ssl/client.crl ssl/server.crl ssl/root.crl \
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
ssl/both-cas-1.crt ssl/both-cas-2.crt \
ssl/root+server_ca.crt ssl/root+server.crl \
ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt ssl/client-der.key \
- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+ ssl/client+client_ca.crt
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
SSLDIRS := ssl/client-crldir ssl/server-crldir \
ssl/root+client-crldir ssl/root+server-crldir
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
-# This target will fail unless preceded by sslfiles-clean.
-#
+.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir ssl/new_certs_dir
+#
+# Special-case certificates
+#
-# Rule for creating private/public key pairs.
-ssl/%.key:
- openssl genrsa -out $@ 2048
- chmod 0600 $@
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key root_ca.config
+ openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
- touch ssl/root_ca-certindex
- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
- echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
- touch ssl/$*_ca-certindex
- echo "unique_subject=no" > ssl/$*_ca-certindex.attr
- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
- echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
- openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
- openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
- rm ssl/server-$*.csr
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
- rm ssl/client.csr ssl/temp.crt
-
-# Client certificate with multi-part DN, signed by the client CA:
-ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
- openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
- rm ssl/client-dn.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
- rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
+# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
+ openssl rsa -in $< -outform DER -out $@
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
+ssl/client-encrypted-pem.key: outform := PEM
+ssl/client-encrypted-der.key: outform := DER
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
-ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
-# Root certificate files that contains both CA certificates, for testing
+# Root certificate file that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
- cat $^ > $@
# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
- cat $^ > $@
# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
- cat $^ > $@
# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
- cat $^ > $@
+# and for the client, to present to the server
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
- cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
- cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
cat $^ > $@
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
- mkdir ssl/root+server-crldir
- cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
- cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+#
+# Standard keys
+#
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
- mkdir ssl/root+client-crldir
- cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
- cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
-ssl/server-crldir: ssl/server.crl
- mkdir ssl/server-crldir
- cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+#
+# Standard certificates
+#
+
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
+.NOTPARALLEL:
+$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
+ssl/%.csr: ssl/%.key %.config
+ openssl req -new -key $< -out $@ -config $*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
+#
+
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config cas.config -name root_ca -gencrl -out $@
+
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config cas.config -name server_ca -revoke $<
+ openssl ca -config cas.config -name server_ca -gencrl -out $@
+
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config cas.config -name client_ca -revoke $<
+ openssl ca -config cas.config -name client_ca -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
- mkdir ssl/client-crldir
- cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
.PHONY: sslfiles-clean
sslfiles-clean:
- rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
- rm -rf $(SSLDIRS)
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/cas.config b/src/test/ssl/cas.config
index 8c0ef6d82b..2c4851033a 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/cas.config
@@ -1,12 +1,5 @@
# This file contains the configuration for all the CAs.
-[ req ]
-prompt = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
# Root CA, used to sign the certificates of the intermediary server and
# client CAs.
[ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
new_certs_dir = ./ssl/new_certs_dir
policy = policy_match
email_in_dn = no
+copy_extensions = copy
# CA used to sign all the server certificates.
[ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/server_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/server.crl
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/client_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/client.crl
diff --git a/src/test/ssl/client-dn.config b/src/test/ssl/client-dn.config
index ee2df54bd6..0c71d83127 100644
--- a/src/test/ssl/client-dn.config
+++ b/src/test/ssl/client-dn.config
@@ -13,4 +13,3 @@ O = PGDG
CN = ssltestuser-dn
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client-revoked.config b/src/test/ssl/client-revoked.config
new file mode 100644
index 0000000000..3b82b57103
--- /dev/null
+++ b/src/test/ssl/client-revoked.config
@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = ssltestuser
+
+# no extensions in client certs
diff --git a/src/test/ssl/client.config b/src/test/ssl/client.config
index 2e9d40d299..26fc2571f5 100644
--- a/src/test/ssl/client.config
+++ b/src/test/ssl/client.config
@@ -10,4 +10,3 @@ prompt = no
CN = ssltestuser
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/client_ca.config
index ef93d598c2..5990f06000 100644
--- a/src/test/ssl/client_ca.config
+++ b/src/test/ssl/client_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/root_ca.config
index 187a9b8a46..e193186f8b 100644
--- a/src/test/ssl/root_ca.config
+++ b/src/test/ssl/root_ca.config
@@ -4,6 +4,7 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Test root CA for PostgreSQL SSL regression test suite
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/server-cn-only.config
index 1e5d582213..9edb7b7aca 100644
--- a/src/test/ssl/server-cn-only.config
+++ b/src/test/ssl/server-cn-only.config
@@ -9,5 +9,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/server-no-names.config
index 2a71125a42..89075dec83 100644
--- a/src/test/ssl/server-no-names.config
+++ b/src/test/ssl/server-no-names.config
@@ -10,7 +10,4 @@ prompt = no
[ req_distinguished_name ]
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/server-revoked.config
index 47ef6462dc..c9e1f5d431 100644
--- a/src/test/ssl/server-revoked.config
+++ b/src/test/ssl/server-revoked.config
@@ -11,5 +11,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/server_ca.config
index d6126d5195..496aaba29f 100644
--- a/src/test/ssl/server_ca.config
+++ b/src/test/ssl/server_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..4f4bc707d6 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..01d0c4d6a4 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..7fafa14de1 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,36 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-dn.crt b/src/test/ssl/ssl/client-dn.crt
index f2f6a62dad..0db14e5977 100644
--- a/src/test/ssl/ssl/client-dn.crt
+++ b/src/test/ssl/ssl/client-dn.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDBjCCAe4CAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0yMTAzMDUyMDUyNDVaFw00ODA3MjEyMDUyNDVaMFAxDTALBgNVBAoMBFBHREcx
-FDASBgNVBAsMC0VuZ2luZWVyaW5nMRAwDgYDVQQLDAdUZXN0aW5nMRcwFQYDVQQD
-DA5zc2x0ZXN0dXNlci1kbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMRLriq2Sh8+N4bhVtRUp/MAEsLQK6u/GotMSmiSr9K31YBYOvNzw8liKt4Rmnh5
-zmsdXJBW8erPNpkUAy9tFRCAx0YobhWCSfyX3orEdrhDrLFihA62zXQC69T0u4Yp
-PSXGd0yCAcOZERQ4CQVgqnsh7Kmx5QaQnqxaz4OVPArWFJP4RQBT/l+r+kCeAn6h
-qvbSbxY3FoCElQq0EF5x1F2pjL+HcBvjeI+GP430gVeJJX0RaG14Fp4v9MQT6zv/
-gvvjHC8l7YSJUROjeUzLZpUnj/ik4yrtT4av/TDGTSOpGs5qEATqk4hxAUEWw6TJ
-RoLh3Oq2N5KuzDmKBBskLX0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H54oyx
-pNkcgFF79lwc4c/Jda7j0wrZQIw5CWwO0MdCozJGRIEAA5WXA8b5THo1ZkaWv+sh
-lWnCOflBtGnEpD7dUpMW9lxGL5clMeMf3CoNYBb7zBofm+oTJytCzXHNftB4hCZj
-pvN79bNT4msWbmxDyi75nfbEfzK1BKnfCg+DWBBjEnHC8VzgDq6ACN6FEoyFb+fr
-dlDoof+S7k8jYAzhxwySI5DnMzr9OIwnepWfx9HENsasAighc8vFSEouShvsOlYS
-L0OIb9Tn6M5q1tWoLHulQsQYDPzaO/1M7ubsr5xCx1ReDK4gaNwS3YXn/2KE9Kco
-aKCrL89AjQrJPA==
+MIIDDTCCAfUCCCAhBikTA0IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwNjI5MjAwMzQyWhcNNDgxMTE0MjAwMzQyWjBQMQ0wCwYDVQQK
+DARQR0RHMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UECwwHVGVzdGluZzEX
+MBUGA1UEAwwOc3NsdGVzdHVzZXItZG4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDES64qtkofPjeG4VbUVKfzABLC0CurvxqLTEpokq/St9WAWDrzc8PJ
+YireEZp4ec5rHVyQVvHqzzaZFAMvbRUQgMdGKG4Vgkn8l96KxHa4Q6yxYoQOts10
+AuvU9LuGKT0lxndMggHDmREUOAkFYKp7IeypseUGkJ6sWs+DlTwK1hST+EUAU/5f
+q/pAngJ+oar20m8WNxaAhJUKtBBecdRdqYy/h3Ab43iPhj+N9IFXiSV9EWhteBae
+L/TEE+s7/4L74xwvJe2EiVETo3lMy2aVJ4/4pOMq7U+Gr/0wxk0jqRrOahAE6pOI
+cQFBFsOkyUaC4dzqtjeSrsw5igQbJC19AgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AECbQQ9rBzCexNI3VKDVA+CZa0ib48XbcJwXmva3spvjjCB5cGPToyF1B+4mVg1H
+1uM/XRAoQmNRtB+xKEAceMSxJA02tBlwMOclXlO0oGLYyc+S61K+UEPSk6Kka4aC
+NpeLSqN5ahC9z8C5uMJl36pFf13aU05uRkXKcI4gkn02I4jRc/a8gF7URdhdf920
+KmYSUh1V0B3pPAB6ArqJ60iHOqkCYIIIbi2EpVP53IKkoB9tr4ud8oMoN6ggIXU1
+2oHvnaKJ7RZaQNefS3WweyHxr4cCVtEour/ELph48OuW6Y5jqPT+5Ln3Qz0e6KW9
+o3thBx0aKSYlmt9gH254M9M=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..51ebe924a6 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
-UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
-U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
-xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
-ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
-l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX
+JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK
+QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg
+b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ
+708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG
+TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J
+N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf
+Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz
+8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r
+R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6
+EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB
+J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu
+moHgw8OJzg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..1f6ae05fe4 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..ef48749f76 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..02eff4d326 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..7819c54828 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..8b0c716d63 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..5074f4fa9b 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..5ee9870d6f 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..12d1ec363e 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
-c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
-YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
-U24PDn2etTZOK1wsHHkAiHPvgRX7G/+78a5fSC8nMNaH/oR4zMMhwksiruISA7x9
-/l+4DO7C42C5mRfnUmMGJdzau1+A8jcIxTWWoJtva9b1k3g+bvBGq9138X+bJKIW
-YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
-pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
-Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
-cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+MIIDVTCCAj2gAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMEYxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5h
+bWUucGctc3NsdGVzdC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwVES+mD1iY1UBGWNLsuBxGkyOGTI1X/sXcCUZ7aLOGkXHYatiUTcIrSNNAS5
+yCvbq/A/C1NuDw59nrU2TitcLBx5AIhz74EV+xv/u/GuX0gvJzDWh/6EeMzDIcJL
+Iq7iEgO8ff5fuAzuwuNguZkX51JjBiXc2rtfgPI3CMU1lqCbb2vW9ZN4Pm7wRqvd
+d/F/mySiFmLFsB4HLhCGZN89vO4cbslN4+YrGKEcHeXGWRaxv6gSXbpEgUYpefzz
++QB7AepU5aWntm3X+E1we5AHLSKckwUdBuT5uYgmZcYA/kCC4/9RS02jTlu4Vfrd
+SemHwuo2UQ5ODJxzAhWrEl3F4QIDAQABo0swSTBHBgNVHREEQDA+gh1kbnMxLmFs
+dC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0ZXN0
+LnRlc3QwDQYJKoZIhvcNAQELBQADggEBAG3dFQ/DqjFbjzIOni079R3I94lAZqbc
+cRUumDPSzihKwvCCnU5quqnYkOFISqBZsYmxR5fiHx4wT+jmWvLSltkaeS6gcGC1
+zuO8GFzL+PATUX63js8IfE3WYJE/bjmDVVzJOBArrbsExofdE2F2kkkLkjhk0ylg
+/TrAKtyqpsob0b4ZjMloR5JFHQXGHN/922x6Do1vduHMXlGckmR0sX6Mg/fiChVh
+vixUJje4W9ohft8G7lj3GnzI1gHEMp2PYKM+wqOug/gXEQuMIFlhjp2Mc6bAvFsD
+grgdAgcYUvgKukF9efJHq2V5XjqBWrmGAOQkiH1y+9gxhiHUiw+vojY=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..acdf6f1a75 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
-bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
-JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
-K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
-5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
-jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+MIIDAzCCAesCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWz
+VPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7zJkxnnm6RGBXPx6vK3AkAIi+wG4Y
+mXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu3nDjAVkPexsSrPyiKimFuNgDfkGe
+5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWWJf5D/PehdSuc0e5Me+91Nnbz90nl
+ds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzfwl36Kd/bWB0fAEVFse3iZWmigaI/
+9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo3rE6jg6/iAwSWib9yabfYPKbqq2G
+oFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA2AZrD9cTQXTW
+4j2tT8N/TTc6WK2ncN4h22NTte6vK7MVwsZJCtw5ndYkmxcWkXAqiclzWyMdayds
+WOa12CEH7jKAhivF4Hcw3oO3JHM5BA6KzLWBVz9uZksOM6mPqn29DTKvA/Y1V8tj
+mxK/KUA68h/u6inu3mo4ywBpb/tqHxxg2cjyR0faCmM0pwRM0HBr/16fUMfO83nj
+QG8g9J/bybu5sYso/aSoC5nUNp4XjmDMdVLdqg/nTe/ejS8IfFr0WQxBlqooqFgx
+MSE+kX2e2fHsuOWSU/9eClt6FpQrwoC2C8F+/4g1Uz7Liqc4yMHPwjgeP9ewrrLO
+iIhlNNPqpQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..58799e49f8 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
-3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
-eUQLCvPNgay3/ua4Mz0Nf7S9cgC9AZu/EEYjQIEzfO0cEANeVIWtgZfM3+2j0pmZ
-46AEYlEZJkmDT0/mnHk3YTj3I6qQhr34wZvqcrwouYRN5NiOVYJLpb6gPSoalm+P
-YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
-VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
-LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
-ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+MIIDSzCCAjOgAwIBAgIIICEDAxQSBwMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANdIkKX1X+Jwqo5EXC1z/TjUKnYTDzHYx2rCqprBU8fN0mSy
+lMyjDm+eo924PN7LahqCHeDCMbapwymkoNfpLHkNRwotHLvxN5RyxJD4m5fXclRo
+V1ZzwwXTqXlECwrzzYGst/7muDM9DX+0vXIAvQGbvxBGI0CBM3ztHBADXlSFrYGX
+zN/to9KZmeOgBGJRGSZJg09P5px5N2E49yOqkIa9+MGb6nK8KLmETeTYjlWCS6W+
+oD0qGpZvj2Fzioz+Pn1q9fB3WS687GuMT0WvV3LAzcn341r0E36bUf9rxSjfBX79
+11KsVMemr1QskSmvMQFEv6R1Rp8xUGPqKlkRJ9sCAwEAAaNnMGUwYwYDVR0RBFww
+WoIdZG5zMS5hbHQtbmFtZS5wZy1zc2x0ZXN0LnRlc3SCHWRuczIuYWx0LW5hbWUu
+cGctc3NsdGVzdC50ZXN0ghoqLndpbGRjYXJkLnBnLXNzbHRlc3QudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAuRAyYBwAZLKERoYDy/kE9LKddJfLhledTJ7+cIWs6T9V
+KBfWBHZYxfxmdBYwqVZfog8c5uHREfWiUPoF/aMq3ARay96aMh4xXJ+2a7HAmknF
+9AJWRieoc3H/QkMzAuT8IDTmoEarsr8vsX1MGabobZte/B9tEjq/z5t3GfLrHMVX
+5092U6Ka40ii4U1VwjR8YnRBwjm3UpLmZJAjvXjw13/XucNV5O8Plo1yvS+G0AMh
+KdMxExiItVtjZteiA0pJf0YGAzTFyzvwBljTcs4NfZ2M0ta9i0r4BF7wQ8tDezN7
+VxdJVPc5xPqncp0cMdUAE2xDmYlKEqB0kuAHNwH5/Q==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..b5d0589090 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
-+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
-4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
-Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
-Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+MIIC3TCCAcUCCCAhAwMUEgcEMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAgMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCfOf74edog2QHkJlreO6NJEe1VZUSxn+LBeHH8T5fniFiM4Ym9X2o3
+XKhYsvNSwvrfWwMkajMkd3b3vURiuiAxYzB/9AwX97RUkZ8TfuU3UgISiCbJZrVH
+TpfJEv7JhePgYpAoOdPWqtFPmnO/Xv6uNjsrx/V/3COovUj3eIcyQzAl+eC2U9Tn
+//dJ0kF+hDnOR3I/3e6bAboJjAVvLl2ABryaateHuUaCu/Bf5mG1DarXNXPKYuP+
+KrkjHhH0KQ4Js3nu7bPEiG0E/JmCR452j72WKb+PiJHOxdMMyztZ3k6bGGlbw60j
+CwQnUJAlPL4G9U+lpVYG6f7HxOaJEscfAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AJAwYwIL4oj3NisXCXkEp9zqDXiZvNW9yW3bY8lFFCpU7o5n92tCf2OFAkKaYhF1
+Eb2weyDULtW7W/wgdlOZL9npayYKzTusl6e8xfTQyjRCsoKWvnWOEkPH7VraZJ8c
+Ko1KhaVWX98VLdlUh5giYAEkdhk0qPYKsQ32unBXXJu0pX63pnPDoaUBiZUWr/3l
+CfkjgGY5YA8YxiDlHGNF1qlcX2fQKloDlvtH0L5Enwt25w2/IvWhTN6YxDR+rgdD
+XYbQr6o6vsmnZTJ3zUZ6XFo98sZq5L9oy1pcC8roV7w0AUVxraTWYILyGfNgruG8
+xsok/hu1L2VnktveEW/qoVs=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..3bb0f164a6 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
-4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
-PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
-WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
-qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
-34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+MIIDAzCCAesCCCAhAwMUEgcFMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKD
+zvJUs+N+KeDwWAW0zfI5C1t3BxKUwh+MrwtFeNIcxhJd9Bzy6fNnvpMa/kNPoHfN
+n73OGLYeSDyiDc56dvBjLOfxPXFFN4TCuIxYSizIjniL3tzP/a8hyvO+KqTYyaEs
+cT8+/rNnqlqBXNqcdChSGpk0y34uybvWj2/wDJWTbFJ20bI+30HOxCfK8Dp3s8Nl
+suVSuLKF/qqbidDZuOAKc0/GJo2F/5AF9MkMYELmG6XAVq/XDkI3oLtxQKh6kYfc
+nu3fI0Mwr9+FoP2q+K5KskA3KJLlgBOykG55Odbe6Js4TPHrMBTgC9aWrP/I1gb8
+tFY2FVN+D/Wl8T/Boh0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxVHoqX25W4Hx
+pMNjv2AJzcB7D+c+dUXAmLLJ7jh6szWeL0M2E5qX4dLc8LzQKnXv5ZcT4i/akjDX
+etdzuqh03kvDJvUkHclSWffmowmWMTG6GCA6S/2TQzSibIptkwqs74aIkayVJaC4
+jCBR+PVT8+cE2FMD6dAWu//fyEcpTg6XpZ/Upgu9OITGNaEQUGz8pSRkTgspfO0Q
+AKPmql6dpywReIlr5mzy9liCzf/BbAVHGmP/pBGIkLn2AzvPLCQ/UFZYT6aH7l5J
+nzmFhgRC3U5wPMdelHGrPMXg6OHCcyrQY0kEi7N/GQ5+jZkICoQuPJ7APKEZAUgO
+XRwVulaWJQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..7affdd68e7 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
-1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
-F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
-J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
-Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
-kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+MIIDEjCCAfqgAwIBAgIIICEDAxQSBwIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMWKHC1lrog7A8ye8C3NM38JBiQBMuIZR40wORl0hJxj5Tp8
+dX8Xo2Thi9Ry33+YfMwfkkF66ZRwnMMEa8VYBmOz+fZFzF19WpE8F1CR3PxKE7ai
+zvunxy8oMxdXdIuTTzt8a5NcDLe22C4Yj21qaZVoh182ycvMH93V4MwsLcV3/GdV
+Ko7QpwP2ZCf5D1rhyccx+Trwyb2bKvhW5Jd3GrRacFJQFfUyrAu/FvyuSPmn86ab
+Jkr7CCgFlg6e4O9SFY7yXiOgLotsoQ5/YriTLinvUTGCMCSxaol97qx3I2gUpCZu
+i7H+4Dt9L5FcCMshl0TU32dsjw6El1Wbzp6voCsCAwEAAaMuMCwwKgYDVR0RBCMw
+IYIfc2luZ2xlLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDANBgkqhkiG9w0BAQsF
+AAOCAQEAUIhBQLzQgd7wHlT9DARxcC7SZwQtnk2BVqMYTRBU4uIa0i2HVyetpe1P
+rREthYq5sgaSqdonD9Splg8BLUlah9y3v9j6DBxkxNnz/3AZuA5oPaC/TZ+lwlX3
+QNWWFNaNZdcQbvjUvoPXIbJ6U9UDfByOJdoN4kJ6xe8Faj1Mp5Euqzr1ErrMtPWJ
+XLnXLV4WyAx+iMAbofXNlCyUorPGA8lRudzQ7bKdrhMZDE66VYwlwsUejEiODt7M
+NGTDs4aAZz9cBRjMeXhvX60cFQoykjAvWbieUKOgaFmJJyKemFj12cLeWyxvUodI
+kYtgAdzftiCSrbDjl1pzPSM6RC/E/A==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..0d6d7a6f82 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 3bc711f4a7..a901077469 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -485,6 +485,21 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+if ($? == 0)
+{
+ $serialno =~ s/^serial=//;
+ $serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+}
+else
+{
+ # OpenSSL isn't functioning on the user's PATH. This probably isn't worth
+ # skipping the test over, so just fall back to a generic integer match.
+ warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ $serialno = '\d+';
+}
+
command_like(
[
'psql',
@@ -500,7 +515,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
--
2.25.1
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Fri, 2021-08-27 at 15:02 +0900, Michael Paquier wrote:
On Fri, Aug 13, 2021 at 12:08:16AM +0000, Jacob Champion wrote:
If _that's_ the case, then our build system is holding all of us
hostage. Which is frustrating to me. Should I shift focus to help with
that, first?Fresh ideas in this area are welcome, yes.
Since the sslfiles target is its own little island in the dependency
graph (it doesn't need anything from Makefile.global), would it be
acceptable to just move it to a standalone sslfiles.mk that the
Makefile defers to? E.g.
sslfiles:
$(MAKE) -f sslfiles.mk
Then we wouldn't have to touch Makefile.global at all, because
sslfiles.mk wouldn't need to include it. This also reduces .NOTPARALLEL
pollution as a bonus.
--Jacob
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 9/1/21 8:09 PM, Jacob Champion wrote:
On Fri, 2021-08-27 at 15:02 +0900, Michael Paquier wrote:
On Fri, Aug 13, 2021 at 12:08:16AM +0000, Jacob Champion wrote:
If _that's_ the case, then our build system is holding all of us
hostage. Which is frustrating to me. Should I shift focus to help with
that, first?Fresh ideas in this area are welcome, yes.
Since the sslfiles target is its own little island in the dependency
graph (it doesn't need anything from Makefile.global), would it be
acceptable to just move it to a standalone sslfiles.mk that the
Makefile defers to? E.g.sslfiles:
$(MAKE) -f sslfiles.mk
Then we wouldn't have to touch Makefile.global at all, because
sslfiles.mk wouldn't need to include it. This also reduces .NOTPARALLEL
pollution as a bonus.
I had he same thought yesterday, so I like the idea :-)
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Thu, 2021-09-02 at 07:09 -0400, Andrew Dunstan wrote:
I had he same thought yesterday, so I like the idea :-)
Done that way in v5. It's a lot of moved code, so I've kept it as two
commits for review purposes.
Thanks!
--Jacob
Attachments:
v5-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchtext/x-patch; name=v5-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchDownload
From 6e038173717798dcd375e3741862152979c414fb Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 26 Feb 2021 15:25:28 -0800
Subject: [PATCH v5 1/2] test/ssl: rework the sslfiles Makefile target
Adding a new certificate is as easy as dropping in a new .config file,
adding it to the top of the Makefile, and running `make sslfiles`.
Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
dirs.
- New certificates have serial numbers based on the current time,
reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
possible copy-paste errors).
---
src/Makefile.global.in | 5 +-
src/test/ssl/Makefile | 258 +++++++++++-------
src/test/ssl/cas.config | 10 +-
src/test/ssl/client-dn.config | 1 -
src/test/ssl/client-revoked.config | 13 +
src/test/ssl/client.config | 1 -
src/test/ssl/client_ca.config | 5 +
src/test/ssl/root_ca.config | 1 +
src/test/ssl/server-cn-only.config | 3 +-
src/test/ssl/server-no-names.config | 5 +-
src/test/ssl/server-revoked.config | 3 +-
src/test/ssl/server_ca.config | 5 +
src/test/ssl/ssl/both-cas-1.crt | 86 +++---
src/test/ssl/ssl/both-cas-2.crt | 86 +++---
src/test/ssl/ssl/client+client_ca.crt | 65 ++---
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 18 +-
src/test/ssl/ssl/client-dn.crt | 34 +--
src/test/ssl/ssl/client-revoked.crt | 31 ++-
src/test/ssl/ssl/client.crl | 18 +-
src/test/ssl/ssl/client.crt | 31 ++-
src/test/ssl/ssl/client_ca.crt | 34 +--
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 18 +-
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 16 +-
src/test/ssl/ssl/root+client.crl | 34 +--
src/test/ssl/ssl/root+client_ca.crt | 52 ++--
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 16 +-
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 18 +-
src/test/ssl/ssl/root+server.crl | 34 +--
src/test/ssl/ssl/root+server_ca.crt | 52 ++--
src/test/ssl/ssl/root.crl | 16 +-
src/test/ssl/ssl/root_ca.crt | 18 +-
src/test/ssl/ssl/server-cn-and-alt-names.crt | 36 +--
src/test/ssl/ssl/server-cn-only.crt | 33 +--
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 18 +-
.../ssl/ssl/server-multiple-alt-names.crt | 36 +--
src/test/ssl/ssl/server-no-names.crt | 32 +--
src/test/ssl/ssl/server-revoked.crt | 33 +--
src/test/ssl/ssl/server-single-alt-name.crt | 34 +--
src/test/ssl/ssl/server.crl | 18 +-
src/test/ssl/ssl/server_ca.crt | 34 +--
src/test/ssl/t/001_ssltests.pl | 17 +-
41 files changed, 681 insertions(+), 597 deletions(-)
create mode 100644 src/test/ssl/client-revoked.config
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 6e2f224cc4..cf349d19e4 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -32,8 +32,11 @@ all:
# started to update the file.
.DELETE_ON_ERROR:
-# Never delete any intermediate files automatically.
+# Never delete any intermediate files automatically unless the Makefile
+# explicitly asks for it.
+ifneq ($(clean_intermediates),yes)
.SECONDARY:
+endif
# PostgreSQL version number
VERSION = @PACKAGE_VERSION@
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index c216560dcc..458520dc6d 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -11,168 +11,216 @@
subdir = src/test/ssl
top_builddir = ../../..
+
+clean_intermediates := yes
include $(top_builddir)/src/Makefile.global
export with_ssl
-CERTIFICATES := server_ca server-cn-and-alt-names \
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked \
- client_ca client client-dn client-revoked \
- root_ca
+ server-no-names server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
- ssl/server-password.key \
- ssl/client.crl ssl/server.crl ssl/root.crl \
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
ssl/both-cas-1.crt ssl/both-cas-2.crt \
ssl/root+server_ca.crt ssl/root+server.crl \
ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt ssl/client-der.key \
- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+ ssl/client+client_ca.crt
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
SSLDIRS := ssl/client-crldir ssl/server-crldir \
ssl/root+client-crldir ssl/root+server-crldir
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
-# This target will fail unless preceded by sslfiles-clean.
-#
+.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir ssl/new_certs_dir
+#
+# Special-case certificates
+#
-# Rule for creating private/public key pairs.
-ssl/%.key:
- openssl genrsa -out $@ 2048
- chmod 0600 $@
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key root_ca.config
+ openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
- touch ssl/root_ca-certindex
- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
- echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
- touch ssl/$*_ca-certindex
- echo "unique_subject=no" > ssl/$*_ca-certindex.attr
- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
- echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
- openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
- openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
- rm ssl/server-$*.csr
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
- rm ssl/client.csr ssl/temp.crt
-
-# Client certificate with multi-part DN, signed by the client CA:
-ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
- openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
- rm ssl/client-dn.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
- rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
+# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
+ openssl rsa -in $< -outform DER -out $@
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
+ssl/client-encrypted-pem.key: outform := PEM
+ssl/client-encrypted-der.key: outform := DER
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
-ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
-# Root certificate files that contains both CA certificates, for testing
+# Root certificate file that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
- cat $^ > $@
# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
- cat $^ > $@
# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
- cat $^ > $@
# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
- cat $^ > $@
+# and for the client, to present to the server
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
- cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
- cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
cat $^ > $@
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
- mkdir ssl/root+server-crldir
- cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
- cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+#
+# Standard keys
+#
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
- mkdir ssl/root+client-crldir
- cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
- cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
-ssl/server-crldir: ssl/server.crl
- mkdir ssl/server-crldir
- cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+#
+# Standard certificates
+#
+
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
+.NOTPARALLEL:
+$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
+ssl/%.csr: ssl/%.key %.config
+ openssl req -new -key $< -out $@ -config $*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
+#
+
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config cas.config -name root_ca -gencrl -out $@
+
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config cas.config -name server_ca -revoke $<
+ openssl ca -config cas.config -name server_ca -gencrl -out $@
+
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config cas.config -name client_ca -revoke $<
+ openssl ca -config cas.config -name client_ca -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
- mkdir ssl/client-crldir
- cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
.PHONY: sslfiles-clean
sslfiles-clean:
- rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
- rm -rf $(SSLDIRS)
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/cas.config b/src/test/ssl/cas.config
index 8c0ef6d82b..2c4851033a 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/cas.config
@@ -1,12 +1,5 @@
# This file contains the configuration for all the CAs.
-[ req ]
-prompt = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
# Root CA, used to sign the certificates of the intermediary server and
# client CAs.
[ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
new_certs_dir = ./ssl/new_certs_dir
policy = policy_match
email_in_dn = no
+copy_extensions = copy
# CA used to sign all the server certificates.
[ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/server_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/server.crl
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/client_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/client.crl
diff --git a/src/test/ssl/client-dn.config b/src/test/ssl/client-dn.config
index ee2df54bd6..0c71d83127 100644
--- a/src/test/ssl/client-dn.config
+++ b/src/test/ssl/client-dn.config
@@ -13,4 +13,3 @@ O = PGDG
CN = ssltestuser-dn
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client-revoked.config b/src/test/ssl/client-revoked.config
new file mode 100644
index 0000000000..3b82b57103
--- /dev/null
+++ b/src/test/ssl/client-revoked.config
@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = ssltestuser
+
+# no extensions in client certs
diff --git a/src/test/ssl/client.config b/src/test/ssl/client.config
index 2e9d40d299..26fc2571f5 100644
--- a/src/test/ssl/client.config
+++ b/src/test/ssl/client.config
@@ -10,4 +10,3 @@ prompt = no
CN = ssltestuser
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/client_ca.config
index ef93d598c2..5990f06000 100644
--- a/src/test/ssl/client_ca.config
+++ b/src/test/ssl/client_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/root_ca.config
index 187a9b8a46..e193186f8b 100644
--- a/src/test/ssl/root_ca.config
+++ b/src/test/ssl/root_ca.config
@@ -4,6 +4,7 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Test root CA for PostgreSQL SSL regression test suite
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/server-cn-only.config
index 1e5d582213..9edb7b7aca 100644
--- a/src/test/ssl/server-cn-only.config
+++ b/src/test/ssl/server-cn-only.config
@@ -9,5 +9,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/server-no-names.config
index 2a71125a42..89075dec83 100644
--- a/src/test/ssl/server-no-names.config
+++ b/src/test/ssl/server-no-names.config
@@ -10,7 +10,4 @@ prompt = no
[ req_distinguished_name ]
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/server-revoked.config
index 47ef6462dc..c9e1f5d431 100644
--- a/src/test/ssl/server-revoked.config
+++ b/src/test/ssl/server-revoked.config
@@ -11,5 +11,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/server_ca.config
index d6126d5195..496aaba29f 100644
--- a/src/test/ssl/server_ca.config
+++ b/src/test/ssl/server_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..4f4bc707d6 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..01d0c4d6a4 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..7fafa14de1 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,36 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-dn.crt b/src/test/ssl/ssl/client-dn.crt
index f2f6a62dad..0db14e5977 100644
--- a/src/test/ssl/ssl/client-dn.crt
+++ b/src/test/ssl/ssl/client-dn.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDBjCCAe4CAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0yMTAzMDUyMDUyNDVaFw00ODA3MjEyMDUyNDVaMFAxDTALBgNVBAoMBFBHREcx
-FDASBgNVBAsMC0VuZ2luZWVyaW5nMRAwDgYDVQQLDAdUZXN0aW5nMRcwFQYDVQQD
-DA5zc2x0ZXN0dXNlci1kbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMRLriq2Sh8+N4bhVtRUp/MAEsLQK6u/GotMSmiSr9K31YBYOvNzw8liKt4Rmnh5
-zmsdXJBW8erPNpkUAy9tFRCAx0YobhWCSfyX3orEdrhDrLFihA62zXQC69T0u4Yp
-PSXGd0yCAcOZERQ4CQVgqnsh7Kmx5QaQnqxaz4OVPArWFJP4RQBT/l+r+kCeAn6h
-qvbSbxY3FoCElQq0EF5x1F2pjL+HcBvjeI+GP430gVeJJX0RaG14Fp4v9MQT6zv/
-gvvjHC8l7YSJUROjeUzLZpUnj/ik4yrtT4av/TDGTSOpGs5qEATqk4hxAUEWw6TJ
-RoLh3Oq2N5KuzDmKBBskLX0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H54oyx
-pNkcgFF79lwc4c/Jda7j0wrZQIw5CWwO0MdCozJGRIEAA5WXA8b5THo1ZkaWv+sh
-lWnCOflBtGnEpD7dUpMW9lxGL5clMeMf3CoNYBb7zBofm+oTJytCzXHNftB4hCZj
-pvN79bNT4msWbmxDyi75nfbEfzK1BKnfCg+DWBBjEnHC8VzgDq6ACN6FEoyFb+fr
-dlDoof+S7k8jYAzhxwySI5DnMzr9OIwnepWfx9HENsasAighc8vFSEouShvsOlYS
-L0OIb9Tn6M5q1tWoLHulQsQYDPzaO/1M7ubsr5xCx1ReDK4gaNwS3YXn/2KE9Kco
-aKCrL89AjQrJPA==
+MIIDDTCCAfUCCCAhBikTA0IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwNjI5MjAwMzQyWhcNNDgxMTE0MjAwMzQyWjBQMQ0wCwYDVQQK
+DARQR0RHMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UECwwHVGVzdGluZzEX
+MBUGA1UEAwwOc3NsdGVzdHVzZXItZG4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDES64qtkofPjeG4VbUVKfzABLC0CurvxqLTEpokq/St9WAWDrzc8PJ
+YireEZp4ec5rHVyQVvHqzzaZFAMvbRUQgMdGKG4Vgkn8l96KxHa4Q6yxYoQOts10
+AuvU9LuGKT0lxndMggHDmREUOAkFYKp7IeypseUGkJ6sWs+DlTwK1hST+EUAU/5f
+q/pAngJ+oar20m8WNxaAhJUKtBBecdRdqYy/h3Ab43iPhj+N9IFXiSV9EWhteBae
+L/TEE+s7/4L74xwvJe2EiVETo3lMy2aVJ4/4pOMq7U+Gr/0wxk0jqRrOahAE6pOI
+cQFBFsOkyUaC4dzqtjeSrsw5igQbJC19AgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AECbQQ9rBzCexNI3VKDVA+CZa0ib48XbcJwXmva3spvjjCB5cGPToyF1B+4mVg1H
+1uM/XRAoQmNRtB+xKEAceMSxJA02tBlwMOclXlO0oGLYyc+S61K+UEPSk6Kka4aC
+NpeLSqN5ahC9z8C5uMJl36pFf13aU05uRkXKcI4gkn02I4jRc/a8gF7URdhdf920
+KmYSUh1V0B3pPAB6ArqJ60iHOqkCYIIIbi2EpVP53IKkoB9tr4ud8oMoN6ggIXU1
+2oHvnaKJ7RZaQNefS3WweyHxr4cCVtEour/ELph48OuW6Y5jqPT+5Ln3Qz0e6KW9
+o3thBx0aKSYlmt9gH254M9M=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..51ebe924a6 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
-UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
-U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
-xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
-ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
-l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX
+JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK
+QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg
+b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ
+708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG
+TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J
+N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf
+Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz
+8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r
+R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6
+EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB
+J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu
+moHgw8OJzg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..1f6ae05fe4 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..ef48749f76 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..02eff4d326 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..7819c54828 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..8b0c716d63 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..5074f4fa9b 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..5ee9870d6f 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..12d1ec363e 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
-c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
-YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
-U24PDn2etTZOK1wsHHkAiHPvgRX7G/+78a5fSC8nMNaH/oR4zMMhwksiruISA7x9
-/l+4DO7C42C5mRfnUmMGJdzau1+A8jcIxTWWoJtva9b1k3g+bvBGq9138X+bJKIW
-YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
-pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
-Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
-cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+MIIDVTCCAj2gAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMEYxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5h
+bWUucGctc3NsdGVzdC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwVES+mD1iY1UBGWNLsuBxGkyOGTI1X/sXcCUZ7aLOGkXHYatiUTcIrSNNAS5
+yCvbq/A/C1NuDw59nrU2TitcLBx5AIhz74EV+xv/u/GuX0gvJzDWh/6EeMzDIcJL
+Iq7iEgO8ff5fuAzuwuNguZkX51JjBiXc2rtfgPI3CMU1lqCbb2vW9ZN4Pm7wRqvd
+d/F/mySiFmLFsB4HLhCGZN89vO4cbslN4+YrGKEcHeXGWRaxv6gSXbpEgUYpefzz
++QB7AepU5aWntm3X+E1we5AHLSKckwUdBuT5uYgmZcYA/kCC4/9RS02jTlu4Vfrd
+SemHwuo2UQ5ODJxzAhWrEl3F4QIDAQABo0swSTBHBgNVHREEQDA+gh1kbnMxLmFs
+dC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0ZXN0
+LnRlc3QwDQYJKoZIhvcNAQELBQADggEBAG3dFQ/DqjFbjzIOni079R3I94lAZqbc
+cRUumDPSzihKwvCCnU5quqnYkOFISqBZsYmxR5fiHx4wT+jmWvLSltkaeS6gcGC1
+zuO8GFzL+PATUX63js8IfE3WYJE/bjmDVVzJOBArrbsExofdE2F2kkkLkjhk0ylg
+/TrAKtyqpsob0b4ZjMloR5JFHQXGHN/922x6Do1vduHMXlGckmR0sX6Mg/fiChVh
+vixUJje4W9ohft8G7lj3GnzI1gHEMp2PYKM+wqOug/gXEQuMIFlhjp2Mc6bAvFsD
+grgdAgcYUvgKukF9efJHq2V5XjqBWrmGAOQkiH1y+9gxhiHUiw+vojY=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..acdf6f1a75 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
-bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
-JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
-K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
-5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
-jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+MIIDAzCCAesCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWz
+VPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7zJkxnnm6RGBXPx6vK3AkAIi+wG4Y
+mXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu3nDjAVkPexsSrPyiKimFuNgDfkGe
+5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWWJf5D/PehdSuc0e5Me+91Nnbz90nl
+ds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzfwl36Kd/bWB0fAEVFse3iZWmigaI/
+9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo3rE6jg6/iAwSWib9yabfYPKbqq2G
+oFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA2AZrD9cTQXTW
+4j2tT8N/TTc6WK2ncN4h22NTte6vK7MVwsZJCtw5ndYkmxcWkXAqiclzWyMdayds
+WOa12CEH7jKAhivF4Hcw3oO3JHM5BA6KzLWBVz9uZksOM6mPqn29DTKvA/Y1V8tj
+mxK/KUA68h/u6inu3mo4ywBpb/tqHxxg2cjyR0faCmM0pwRM0HBr/16fUMfO83nj
+QG8g9J/bybu5sYso/aSoC5nUNp4XjmDMdVLdqg/nTe/ejS8IfFr0WQxBlqooqFgx
+MSE+kX2e2fHsuOWSU/9eClt6FpQrwoC2C8F+/4g1Uz7Liqc4yMHPwjgeP9ewrrLO
+iIhlNNPqpQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..58799e49f8 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
-3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
-eUQLCvPNgay3/ua4Mz0Nf7S9cgC9AZu/EEYjQIEzfO0cEANeVIWtgZfM3+2j0pmZ
-46AEYlEZJkmDT0/mnHk3YTj3I6qQhr34wZvqcrwouYRN5NiOVYJLpb6gPSoalm+P
-YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
-VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
-LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
-ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+MIIDSzCCAjOgAwIBAgIIICEDAxQSBwMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANdIkKX1X+Jwqo5EXC1z/TjUKnYTDzHYx2rCqprBU8fN0mSy
+lMyjDm+eo924PN7LahqCHeDCMbapwymkoNfpLHkNRwotHLvxN5RyxJD4m5fXclRo
+V1ZzwwXTqXlECwrzzYGst/7muDM9DX+0vXIAvQGbvxBGI0CBM3ztHBADXlSFrYGX
+zN/to9KZmeOgBGJRGSZJg09P5px5N2E49yOqkIa9+MGb6nK8KLmETeTYjlWCS6W+
+oD0qGpZvj2Fzioz+Pn1q9fB3WS687GuMT0WvV3LAzcn341r0E36bUf9rxSjfBX79
+11KsVMemr1QskSmvMQFEv6R1Rp8xUGPqKlkRJ9sCAwEAAaNnMGUwYwYDVR0RBFww
+WoIdZG5zMS5hbHQtbmFtZS5wZy1zc2x0ZXN0LnRlc3SCHWRuczIuYWx0LW5hbWUu
+cGctc3NsdGVzdC50ZXN0ghoqLndpbGRjYXJkLnBnLXNzbHRlc3QudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAuRAyYBwAZLKERoYDy/kE9LKddJfLhledTJ7+cIWs6T9V
+KBfWBHZYxfxmdBYwqVZfog8c5uHREfWiUPoF/aMq3ARay96aMh4xXJ+2a7HAmknF
+9AJWRieoc3H/QkMzAuT8IDTmoEarsr8vsX1MGabobZte/B9tEjq/z5t3GfLrHMVX
+5092U6Ka40ii4U1VwjR8YnRBwjm3UpLmZJAjvXjw13/XucNV5O8Plo1yvS+G0AMh
+KdMxExiItVtjZteiA0pJf0YGAzTFyzvwBljTcs4NfZ2M0ta9i0r4BF7wQ8tDezN7
+VxdJVPc5xPqncp0cMdUAE2xDmYlKEqB0kuAHNwH5/Q==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..b5d0589090 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
-+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
-4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
-Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
-Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+MIIC3TCCAcUCCCAhAwMUEgcEMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAgMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCfOf74edog2QHkJlreO6NJEe1VZUSxn+LBeHH8T5fniFiM4Ym9X2o3
+XKhYsvNSwvrfWwMkajMkd3b3vURiuiAxYzB/9AwX97RUkZ8TfuU3UgISiCbJZrVH
+TpfJEv7JhePgYpAoOdPWqtFPmnO/Xv6uNjsrx/V/3COovUj3eIcyQzAl+eC2U9Tn
+//dJ0kF+hDnOR3I/3e6bAboJjAVvLl2ABryaateHuUaCu/Bf5mG1DarXNXPKYuP+
+KrkjHhH0KQ4Js3nu7bPEiG0E/JmCR452j72WKb+PiJHOxdMMyztZ3k6bGGlbw60j
+CwQnUJAlPL4G9U+lpVYG6f7HxOaJEscfAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AJAwYwIL4oj3NisXCXkEp9zqDXiZvNW9yW3bY8lFFCpU7o5n92tCf2OFAkKaYhF1
+Eb2weyDULtW7W/wgdlOZL9npayYKzTusl6e8xfTQyjRCsoKWvnWOEkPH7VraZJ8c
+Ko1KhaVWX98VLdlUh5giYAEkdhk0qPYKsQ32unBXXJu0pX63pnPDoaUBiZUWr/3l
+CfkjgGY5YA8YxiDlHGNF1qlcX2fQKloDlvtH0L5Enwt25w2/IvWhTN6YxDR+rgdD
+XYbQr6o6vsmnZTJ3zUZ6XFo98sZq5L9oy1pcC8roV7w0AUVxraTWYILyGfNgruG8
+xsok/hu1L2VnktveEW/qoVs=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..3bb0f164a6 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
-4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
-PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
-WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
-qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
-34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+MIIDAzCCAesCCCAhAwMUEgcFMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKD
+zvJUs+N+KeDwWAW0zfI5C1t3BxKUwh+MrwtFeNIcxhJd9Bzy6fNnvpMa/kNPoHfN
+n73OGLYeSDyiDc56dvBjLOfxPXFFN4TCuIxYSizIjniL3tzP/a8hyvO+KqTYyaEs
+cT8+/rNnqlqBXNqcdChSGpk0y34uybvWj2/wDJWTbFJ20bI+30HOxCfK8Dp3s8Nl
+suVSuLKF/qqbidDZuOAKc0/GJo2F/5AF9MkMYELmG6XAVq/XDkI3oLtxQKh6kYfc
+nu3fI0Mwr9+FoP2q+K5KskA3KJLlgBOykG55Odbe6Js4TPHrMBTgC9aWrP/I1gb8
+tFY2FVN+D/Wl8T/Boh0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxVHoqX25W4Hx
+pMNjv2AJzcB7D+c+dUXAmLLJ7jh6szWeL0M2E5qX4dLc8LzQKnXv5ZcT4i/akjDX
+etdzuqh03kvDJvUkHclSWffmowmWMTG6GCA6S/2TQzSibIptkwqs74aIkayVJaC4
+jCBR+PVT8+cE2FMD6dAWu//fyEcpTg6XpZ/Upgu9OITGNaEQUGz8pSRkTgspfO0Q
+AKPmql6dpywReIlr5mzy9liCzf/BbAVHGmP/pBGIkLn2AzvPLCQ/UFZYT6aH7l5J
+nzmFhgRC3U5wPMdelHGrPMXg6OHCcyrQY0kEi7N/GQ5+jZkICoQuPJ7APKEZAUgO
+XRwVulaWJQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..7affdd68e7 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
-1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
-F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
-J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
-Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
-kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+MIIDEjCCAfqgAwIBAgIIICEDAxQSBwIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMWKHC1lrog7A8ye8C3NM38JBiQBMuIZR40wORl0hJxj5Tp8
+dX8Xo2Thi9Ry33+YfMwfkkF66ZRwnMMEa8VYBmOz+fZFzF19WpE8F1CR3PxKE7ai
+zvunxy8oMxdXdIuTTzt8a5NcDLe22C4Yj21qaZVoh182ycvMH93V4MwsLcV3/GdV
+Ko7QpwP2ZCf5D1rhyccx+Trwyb2bKvhW5Jd3GrRacFJQFfUyrAu/FvyuSPmn86ab
+Jkr7CCgFlg6e4O9SFY7yXiOgLotsoQ5/YriTLinvUTGCMCSxaol97qx3I2gUpCZu
+i7H+4Dt9L5FcCMshl0TU32dsjw6El1Wbzp6voCsCAwEAAaMuMCwwKgYDVR0RBCMw
+IYIfc2luZ2xlLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDANBgkqhkiG9w0BAQsF
+AAOCAQEAUIhBQLzQgd7wHlT9DARxcC7SZwQtnk2BVqMYTRBU4uIa0i2HVyetpe1P
+rREthYq5sgaSqdonD9Splg8BLUlah9y3v9j6DBxkxNnz/3AZuA5oPaC/TZ+lwlX3
+QNWWFNaNZdcQbvjUvoPXIbJ6U9UDfByOJdoN4kJ6xe8Faj1Mp5Euqzr1ErrMtPWJ
+XLnXLV4WyAx+iMAbofXNlCyUorPGA8lRudzQ7bKdrhMZDE66VYwlwsUejEiODt7M
+NGTDs4aAZz9cBRjMeXhvX60cFQoykjAvWbieUKOgaFmJJyKemFj12cLeWyxvUodI
+kYtgAdzftiCSrbDjl1pzPSM6RC/E/A==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..0d6d7a6f82 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 3bc711f4a7..a901077469 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -485,6 +485,21 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+if ($? == 0)
+{
+ $serialno =~ s/^serial=//;
+ $serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+}
+else
+{
+ # OpenSSL isn't functioning on the user's PATH. This probably isn't worth
+ # skipping the test over, so just fall back to a generic integer match.
+ warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ $serialno = '\d+';
+}
+
command_like(
[
'psql',
@@ -500,7 +515,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
--
2.25.1
v5-0002-squash-test-ssl-rework-the-sslfiles-Makefile-targ.patchtext/x-patch; name=v5-0002-squash-test-ssl-rework-the-sslfiles-Makefile-targ.patchDownload
From b17dcc1b80663d3de4cebb97f6c996886daed531 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Thu, 2 Sep 2021 09:09:42 -0700
Subject: [PATCH v5 2/2] squash! test/ssl: rework the sslfiles Makefile target
Move sslfiles/-clean into a separate Makefile, removing the need to
"escape" the Makefile.global targets.
---
src/Makefile.global.in | 5 +-
src/test/ssl/Makefile | 215 ++----------------------------------
src/test/ssl/sslfiles.mk | 229 +++++++++++++++++++++++++++++++++++++++
3 files changed, 237 insertions(+), 212 deletions(-)
create mode 100644 src/test/ssl/sslfiles.mk
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index cf349d19e4..6e2f224cc4 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -32,11 +32,8 @@ all:
# started to update the file.
.DELETE_ON_ERROR:
-# Never delete any intermediate files automatically unless the Makefile
-# explicitly asks for it.
-ifneq ($(clean_intermediates),yes)
+# Never delete any intermediate files automatically.
.SECONDARY:
-endif
# PostgreSQL version number
VERSION = @PACKAGE_VERSION@
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 458520dc6d..de35b876bd 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -11,222 +11,21 @@
subdir = src/test/ssl
top_builddir = ../../..
-
-clean_intermediates := yes
include $(top_builddir)/src/Makefile.global
export with_ssl
-#
-# To add a new server or client certificate, add a new <name>.config file in
-# this directory, then add <name> to either SERVERS or CLIENTS below. A
-# key/certificate pair will be generated for you, signed by the appropriate CA.
-#
-SERVERS := server-cn-and-alt-names \
- server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked
-CLIENTS := client client-dn client-revoked
-
-#
-# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
-# for creating it to the "Special-case keys" section below.
-#
-SPECIAL_KEYS := ssl/server-password.key \
- ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-
-#
-# These files are just concatenations of other files. You can add new ones to
-# COMBINATIONS here, then declare the constituent files as dependencies in the
-# "Combined files" section below.
-#
-COMBINATIONS := \
- ssl/both-cas-1.crt ssl/both-cas-2.crt \
- ssl/root+server_ca.crt ssl/root+server.crl \
- ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt
-
-CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
-STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
-STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
-CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
-
-SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
-SSLDIRS := ssl/client-crldir ssl/server-crldir \
- ssl/root+client-crldir ssl/root+server-crldir
-
-# This target re-generates all the key and certificate files. Usually we just
-# use the ones that are committed to the tree without rebuilding them.
-#
-.PHONY: sslfiles
-sslfiles: $(SSLFILES) $(SSLDIRS)
-
-#
-# Special-case certificates
-#
-
-# Root CA is self-signed.
-ssl/root_ca.crt: ssl/root_ca.key root_ca.config
- openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
-
-#
-# Special-case keys
-#
-# All targets here are contained in $(SPECIAL_KEYS).
-#
-
-# Password-protected version of server-cn-only.key
-ssl/server-password.key: ssl/server-cn-only.key
- openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-
-# DER-encoded version of client.key
-ssl/client-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -out $@
-
-# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
-# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: outform := PEM
-ssl/client-encrypted-der.key: outform := DER
-ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
-
-#
-# Combined files
-#
-# All targets in $(COMBINATIONS) share a single recipe; just declare the
-# necessary dependencies and they'll be smashed together.
-#
-
-# Root certificate file that contains both CA certificates, for testing
-# that multiple certificates can be used.
-ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
-
-# The same, but the certs are in different order
-ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
-
-# A root certificate file for the client, to validate server certs.
-ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
-
-# and for the server, to validate client certs
-ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
-
-# and for the client, to present to the server
-ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
-
-# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
-# chain, even if some of them are empty.
-ssl/root+server.crl: ssl/root.crl ssl/server.crl
-ssl/root+client.crl: ssl/root.crl ssl/client.crl
-
-$(COMBINATIONS):
- cat $^ > $@
-
-#
-# Standard keys
-#
-
-$(STANDARD_KEYS):
- openssl genrsa -out $@ 2048
- chmod 0600 $@
-
-#
-# Standard certificates
-#
-
-CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
-SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
-CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
-
-# See the "CA State" section below.
-root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
-server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
-client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
-
-# These are the workhorse recipes. `openssl ca` can't be safely run from
-# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
-.NOTPARALLEL:
-$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
- openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
-
-$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
- openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
-
-$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
- openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
-
-# The CSRs don't need to persist after a build.
-.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
-ssl/%.csr: ssl/%.key %.config
- openssl req -new -key $< -out $@ -config $*.config
-
-#
-# CA State
-#
-# All of these are intended to be order-only dependencies; additionally, the
-# pattern recipes are marked as explicit intermediates. The goal is for Make to
-# create the state files once for each CA, allow them to accumulate whatever
-# state is needed, and then automatically remove them at the end of the run.
-#
-
-.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
-
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir $@
-
-ssl/%-certindex:
- touch $@
-
-ssl/%-certindex.attr:
- echo "unique_subject=no" > $@
-
-# The first serial number for each CA is based on the current timestamp, to
-# avoid collisions across Make runs.
-ssl/%.srl:
- date +%Y%m%d%H%M%S00 > $@
-
-#
-# CRLs
-#
-
-ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
- openssl ca -config cas.config -name root_ca -gencrl -out $@
-
-ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
- openssl ca -config cas.config -name server_ca -revoke $<
- openssl ca -config cas.config -name server_ca -gencrl -out $@
-
-ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
- openssl ca -config cas.config -name client_ca -revoke $<
- openssl ca -config cas.config -name client_ca -gencrl -out $@
-
-#
-# CRL hash directories
-#
-
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
-ssl/server-crldir: ssl/server.crl
-ssl/client-crldir: ssl/client.crl
-
-crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
-
-ssl/%-crldir:
- mkdir -p $@
- rm -f $@/*.r0
- $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
- touch $@
-
-.PHONY: sslfiles-clean
-sslfiles-clean:
- rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
- rm -rf $(SSLDIRS) ssl/new_certs_dir
+# The sslfiles targets are separated into their own file due to interactions
+# with settings in Makefile.global.
+.PHONY: sslfiles sslfiles-clean
+sslfiles sslfiles-clean:
+ $(MAKE) -f sslfiles.mk $@
clean distclean maintainer-clean:
rm -rf tmp_check
- rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
+ $(MAKE) -f sslfiles.mk clean
-# Doesn't depend on $(SSLFILES) because we don't rebuild them by default
+# Doesn't depend on sslfiles because we don't rebuild them by default
check:
$(prove_check)
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
new file mode 100644
index 0000000000..f3f0d1f8c0
--- /dev/null
+++ b/src/test/ssl/sslfiles.mk
@@ -0,0 +1,229 @@
+#-------------------------------------------------------------------------
+#
+# Makefile for sslfiles
+#
+# The SSL test files are completely disjoint from the rest of the build; they
+# don't rely on other targets or on Makefile.global. Since these recipes rely
+# on some default Make behavior that's disabled in the main build tree, such
+# as intermediate cleanup, they've been moved into their own separate file.
+# The main Makefile in this directory defers to this helper file when building
+# the sslfiles-related targets.
+#
+# Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+# Portions Copyright (c) 1994, Regents of the University of California
+#
+# src/test/ssl/sslfiles.mk
+#
+#-------------------------------------------------------------------------
+
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
+ server-cn-only server-single-alt-name server-multiple-alt-names \
+ server-no-names server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
+ ssl/both-cas-1.crt ssl/both-cas-2.crt \
+ ssl/root+server_ca.crt ssl/root+server.crl \
+ ssl/root+client_ca.crt ssl/root+client.crl \
+ ssl/client+client_ca.crt
+
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
+SSLDIRS := ssl/client-crldir ssl/server-crldir \
+ ssl/root+client-crldir ssl/root+server-crldir
+
+# This target re-generates all the key and certificate files. Usually we just
+# use the ones that are committed to the tree without rebuilding them.
+#
+.PHONY: sslfiles
+sslfiles: $(SSLFILES) $(SSLDIRS)
+
+#
+# Special-case certificates
+#
+
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key root_ca.config
+ openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
+
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
+
+# Password-protected version of server-cn-only.key
+ssl/server-password.key: ssl/server-cn-only.key
+ openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+
+# DER-encoded version of client.key
+ssl/client-der.key: ssl/client.key
+ openssl rsa -in $< -outform DER -out $@
+
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
+# to test libpq's support for the sslpassword= option.
+ssl/client-encrypted-pem.key: outform := PEM
+ssl/client-encrypted-der.key: outform := DER
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
+
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
+
+# Root certificate file that contains both CA certificates, for testing
+# that multiple certificates can be used.
+ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
+
+# The same, but the certs are in different order
+ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
+
+# A root certificate file for the client, to validate server certs.
+ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
+
+# and for the server, to validate client certs
+ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
+
+# and for the client, to present to the server
+ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
+
+# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
+# chain, even if some of them are empty.
+ssl/root+server.crl: ssl/root.crl ssl/server.crl
+ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
+ cat $^ > $@
+
+#
+# Standard keys
+#
+
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
+
+#
+# Standard certificates
+#
+
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
+.NOTPARALLEL:
+$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
+
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
+ssl/%.csr: ssl/%.key %.config
+ openssl req -new -key $< -out $@ -config $*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
+#
+
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config cas.config -name root_ca -gencrl -out $@
+
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config cas.config -name server_ca -revoke $<
+ openssl ca -config cas.config -name server_ca -gencrl -out $@
+
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config cas.config -name client_ca -revoke $<
+ openssl ca -config cas.config -name client_ca -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
+ssl/client-crldir: ssl/client.crl
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
+
+.PHONY: sslfiles-clean
+sslfiles-clean:
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
+
+# The difference between clean and sslfiles-clean is that the clean target will
+# be run during a "standard" recursive clean run from the main build tree. The
+# sslfiles-clean target must be run explicitly from this directory.
+.PHONY: clean
+clean:
+ rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
--
2.25.1
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Thu, Sep 02, 2021 at 04:42:14PM +0000, Jacob Champion wrote:
Done that way in v5. It's a lot of moved code, so I've kept it as two
commits for review purposes.
Nice. This is neat. The split helps a lot to understand how you've
changed things from the original implementation. As a whole, this
looks rather committable to me.
One small-ish comment that I have is about all the .config files we
have at the root of src/test/ssl/, bloating the whole. I think that
it would be a bit cleaner to put all of them in a different
sub-directory, say just config/ or conf/.
--
Michael
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Fri, 2021-09-03 at 09:46 +0900, Michael Paquier wrote:
Nice. This is neat. The split helps a lot to understand how you've
changed things from the original implementation. As a whole, this
looks rather committable to me.
Great!
One small-ish comment that I have is about all the .config files we
have at the root of src/test/ssl/, bloating the whole. I think that
it would be a bit cleaner to put all of them in a different
sub-directory, say just config/ or conf/.
That sounds reasonable. I won't be able to get to it before the holiday
weekend, but I can put up a patch sometime next week.
Thanks,
--Jacob
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Fri, 2021-09-03 at 23:21 +0000, Jacob Champion wrote:
One small-ish comment that I have is about all the .config files we
have at the root of src/test/ssl/, bloating the whole. I think that
it would be a bit cleaner to put all of them in a different
sub-directory, say just config/ or conf/.That sounds reasonable. I won't be able to get to it before the holiday
weekend, but I can put up a patch sometime next week.
Done in v6, a three-patch squashable set. I chose conf/ as the
directory.
--Jacob
Attachments:
v6-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchtext/x-patch; name=v6-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchDownload
From 6e5c10b0ccf0ecb55d840f4cea96ab555968afbc Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 26 Feb 2021 15:25:28 -0800
Subject: [PATCH v6 1/3] test/ssl: rework the sslfiles Makefile target
Adding a new certificate is as easy as dropping in a new .config file,
adding it to the top of the Makefile, and running `make sslfiles`.
Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
dirs.
- New certificates have serial numbers based on the current time,
reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
possible copy-paste errors).
---
src/Makefile.global.in | 5 +-
src/test/ssl/Makefile | 258 +++++++++++-------
src/test/ssl/cas.config | 10 +-
src/test/ssl/client-dn.config | 1 -
src/test/ssl/client-revoked.config | 13 +
src/test/ssl/client.config | 1 -
src/test/ssl/client_ca.config | 5 +
src/test/ssl/root_ca.config | 1 +
src/test/ssl/server-cn-only.config | 3 +-
src/test/ssl/server-no-names.config | 5 +-
src/test/ssl/server-revoked.config | 3 +-
src/test/ssl/server_ca.config | 5 +
src/test/ssl/ssl/both-cas-1.crt | 86 +++---
src/test/ssl/ssl/both-cas-2.crt | 86 +++---
src/test/ssl/ssl/client+client_ca.crt | 65 ++---
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 18 +-
src/test/ssl/ssl/client-dn.crt | 34 +--
src/test/ssl/ssl/client-revoked.crt | 31 ++-
src/test/ssl/ssl/client.crl | 18 +-
src/test/ssl/ssl/client.crt | 31 ++-
src/test/ssl/ssl/client_ca.crt | 34 +--
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 18 +-
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 16 +-
src/test/ssl/ssl/root+client.crl | 34 +--
src/test/ssl/ssl/root+client_ca.crt | 52 ++--
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 16 +-
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 18 +-
src/test/ssl/ssl/root+server.crl | 34 +--
src/test/ssl/ssl/root+server_ca.crt | 52 ++--
src/test/ssl/ssl/root.crl | 16 +-
src/test/ssl/ssl/root_ca.crt | 18 +-
src/test/ssl/ssl/server-cn-and-alt-names.crt | 36 +--
src/test/ssl/ssl/server-cn-only.crt | 33 +--
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 18 +-
.../ssl/ssl/server-multiple-alt-names.crt | 36 +--
src/test/ssl/ssl/server-no-names.crt | 32 +--
src/test/ssl/ssl/server-revoked.crt | 33 +--
src/test/ssl/ssl/server-single-alt-name.crt | 34 +--
src/test/ssl/ssl/server.crl | 18 +-
src/test/ssl/ssl/server_ca.crt | 34 +--
src/test/ssl/t/001_ssltests.pl | 17 +-
41 files changed, 681 insertions(+), 597 deletions(-)
create mode 100644 src/test/ssl/client-revoked.config
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 6e2f224cc4..cf349d19e4 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -32,8 +32,11 @@ all:
# started to update the file.
.DELETE_ON_ERROR:
-# Never delete any intermediate files automatically.
+# Never delete any intermediate files automatically unless the Makefile
+# explicitly asks for it.
+ifneq ($(clean_intermediates),yes)
.SECONDARY:
+endif
# PostgreSQL version number
VERSION = @PACKAGE_VERSION@
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index c216560dcc..458520dc6d 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -11,168 +11,216 @@
subdir = src/test/ssl
top_builddir = ../../..
+
+clean_intermediates := yes
include $(top_builddir)/src/Makefile.global
export with_ssl
-CERTIFICATES := server_ca server-cn-and-alt-names \
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked \
- client_ca client client-dn client-revoked \
- root_ca
+ server-no-names server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
- ssl/server-password.key \
- ssl/client.crl ssl/server.crl ssl/root.crl \
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
ssl/both-cas-1.crt ssl/both-cas-2.crt \
ssl/root+server_ca.crt ssl/root+server.crl \
ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt ssl/client-der.key \
- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+ ssl/client+client_ca.crt
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
SSLDIRS := ssl/client-crldir ssl/server-crldir \
ssl/root+client-crldir ssl/root+server-crldir
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
-# This target will fail unless preceded by sslfiles-clean.
-#
+.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir ssl/new_certs_dir
+#
+# Special-case certificates
+#
-# Rule for creating private/public key pairs.
-ssl/%.key:
- openssl genrsa -out $@ 2048
- chmod 0600 $@
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key root_ca.config
+ openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
- touch ssl/root_ca-certindex
- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
- echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
- touch ssl/$*_ca-certindex
- echo "unique_subject=no" > ssl/$*_ca-certindex.attr
- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
- echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
- openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
- openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
- rm ssl/server-$*.csr
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
- rm ssl/client.csr ssl/temp.crt
-
-# Client certificate with multi-part DN, signed by the client CA:
-ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
- openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
- rm ssl/client-dn.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
- rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
+# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
+ openssl rsa -in $< -outform DER -out $@
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
+ssl/client-encrypted-pem.key: outform := PEM
+ssl/client-encrypted-der.key: outform := DER
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
-ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
-# Root certificate files that contains both CA certificates, for testing
+# Root certificate file that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
- cat $^ > $@
# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
- cat $^ > $@
# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
- cat $^ > $@
# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
- cat $^ > $@
+# and for the client, to present to the server
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
- cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
- cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
cat $^ > $@
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
- mkdir ssl/root+server-crldir
- cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
- cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+#
+# Standard keys
+#
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
- mkdir ssl/root+client-crldir
- cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
- cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
-ssl/server-crldir: ssl/server.crl
- mkdir ssl/server-crldir
- cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+#
+# Standard certificates
+#
+
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
+.NOTPARALLEL:
+$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
+ssl/%.csr: ssl/%.key %.config
+ openssl req -new -key $< -out $@ -config $*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
+#
+
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config cas.config -name root_ca -gencrl -out $@
+
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config cas.config -name server_ca -revoke $<
+ openssl ca -config cas.config -name server_ca -gencrl -out $@
+
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config cas.config -name client_ca -revoke $<
+ openssl ca -config cas.config -name client_ca -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
- mkdir ssl/client-crldir
- cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
.PHONY: sslfiles-clean
sslfiles-clean:
- rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
- rm -rf $(SSLDIRS)
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/cas.config b/src/test/ssl/cas.config
index 8c0ef6d82b..2c4851033a 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/cas.config
@@ -1,12 +1,5 @@
# This file contains the configuration for all the CAs.
-[ req ]
-prompt = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
# Root CA, used to sign the certificates of the intermediary server and
# client CAs.
[ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
new_certs_dir = ./ssl/new_certs_dir
policy = policy_match
email_in_dn = no
+copy_extensions = copy
# CA used to sign all the server certificates.
[ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/server_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/server.crl
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/client_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/client.crl
diff --git a/src/test/ssl/client-dn.config b/src/test/ssl/client-dn.config
index ee2df54bd6..0c71d83127 100644
--- a/src/test/ssl/client-dn.config
+++ b/src/test/ssl/client-dn.config
@@ -13,4 +13,3 @@ O = PGDG
CN = ssltestuser-dn
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client-revoked.config b/src/test/ssl/client-revoked.config
new file mode 100644
index 0000000000..3b82b57103
--- /dev/null
+++ b/src/test/ssl/client-revoked.config
@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = ssltestuser
+
+# no extensions in client certs
diff --git a/src/test/ssl/client.config b/src/test/ssl/client.config
index 2e9d40d299..26fc2571f5 100644
--- a/src/test/ssl/client.config
+++ b/src/test/ssl/client.config
@@ -10,4 +10,3 @@ prompt = no
CN = ssltestuser
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/client_ca.config
index ef93d598c2..5990f06000 100644
--- a/src/test/ssl/client_ca.config
+++ b/src/test/ssl/client_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/root_ca.config
index 187a9b8a46..e193186f8b 100644
--- a/src/test/ssl/root_ca.config
+++ b/src/test/ssl/root_ca.config
@@ -4,6 +4,7 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Test root CA for PostgreSQL SSL regression test suite
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/server-cn-only.config
index 1e5d582213..9edb7b7aca 100644
--- a/src/test/ssl/server-cn-only.config
+++ b/src/test/ssl/server-cn-only.config
@@ -9,5 +9,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/server-no-names.config
index 2a71125a42..89075dec83 100644
--- a/src/test/ssl/server-no-names.config
+++ b/src/test/ssl/server-no-names.config
@@ -10,7 +10,4 @@ prompt = no
[ req_distinguished_name ]
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/server-revoked.config
index 47ef6462dc..c9e1f5d431 100644
--- a/src/test/ssl/server-revoked.config
+++ b/src/test/ssl/server-revoked.config
@@ -11,5 +11,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/server_ca.config
index d6126d5195..496aaba29f 100644
--- a/src/test/ssl/server_ca.config
+++ b/src/test/ssl/server_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..4f4bc707d6 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..01d0c4d6a4 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..7fafa14de1 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,36 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-dn.crt b/src/test/ssl/ssl/client-dn.crt
index f2f6a62dad..0db14e5977 100644
--- a/src/test/ssl/ssl/client-dn.crt
+++ b/src/test/ssl/ssl/client-dn.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDBjCCAe4CAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0yMTAzMDUyMDUyNDVaFw00ODA3MjEyMDUyNDVaMFAxDTALBgNVBAoMBFBHREcx
-FDASBgNVBAsMC0VuZ2luZWVyaW5nMRAwDgYDVQQLDAdUZXN0aW5nMRcwFQYDVQQD
-DA5zc2x0ZXN0dXNlci1kbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMRLriq2Sh8+N4bhVtRUp/MAEsLQK6u/GotMSmiSr9K31YBYOvNzw8liKt4Rmnh5
-zmsdXJBW8erPNpkUAy9tFRCAx0YobhWCSfyX3orEdrhDrLFihA62zXQC69T0u4Yp
-PSXGd0yCAcOZERQ4CQVgqnsh7Kmx5QaQnqxaz4OVPArWFJP4RQBT/l+r+kCeAn6h
-qvbSbxY3FoCElQq0EF5x1F2pjL+HcBvjeI+GP430gVeJJX0RaG14Fp4v9MQT6zv/
-gvvjHC8l7YSJUROjeUzLZpUnj/ik4yrtT4av/TDGTSOpGs5qEATqk4hxAUEWw6TJ
-RoLh3Oq2N5KuzDmKBBskLX0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H54oyx
-pNkcgFF79lwc4c/Jda7j0wrZQIw5CWwO0MdCozJGRIEAA5WXA8b5THo1ZkaWv+sh
-lWnCOflBtGnEpD7dUpMW9lxGL5clMeMf3CoNYBb7zBofm+oTJytCzXHNftB4hCZj
-pvN79bNT4msWbmxDyi75nfbEfzK1BKnfCg+DWBBjEnHC8VzgDq6ACN6FEoyFb+fr
-dlDoof+S7k8jYAzhxwySI5DnMzr9OIwnepWfx9HENsasAighc8vFSEouShvsOlYS
-L0OIb9Tn6M5q1tWoLHulQsQYDPzaO/1M7ubsr5xCx1ReDK4gaNwS3YXn/2KE9Kco
-aKCrL89AjQrJPA==
+MIIDDTCCAfUCCCAhBikTA0IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwNjI5MjAwMzQyWhcNNDgxMTE0MjAwMzQyWjBQMQ0wCwYDVQQK
+DARQR0RHMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UECwwHVGVzdGluZzEX
+MBUGA1UEAwwOc3NsdGVzdHVzZXItZG4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDES64qtkofPjeG4VbUVKfzABLC0CurvxqLTEpokq/St9WAWDrzc8PJ
+YireEZp4ec5rHVyQVvHqzzaZFAMvbRUQgMdGKG4Vgkn8l96KxHa4Q6yxYoQOts10
+AuvU9LuGKT0lxndMggHDmREUOAkFYKp7IeypseUGkJ6sWs+DlTwK1hST+EUAU/5f
+q/pAngJ+oar20m8WNxaAhJUKtBBecdRdqYy/h3Ab43iPhj+N9IFXiSV9EWhteBae
+L/TEE+s7/4L74xwvJe2EiVETo3lMy2aVJ4/4pOMq7U+Gr/0wxk0jqRrOahAE6pOI
+cQFBFsOkyUaC4dzqtjeSrsw5igQbJC19AgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AECbQQ9rBzCexNI3VKDVA+CZa0ib48XbcJwXmva3spvjjCB5cGPToyF1B+4mVg1H
+1uM/XRAoQmNRtB+xKEAceMSxJA02tBlwMOclXlO0oGLYyc+S61K+UEPSk6Kka4aC
+NpeLSqN5ahC9z8C5uMJl36pFf13aU05uRkXKcI4gkn02I4jRc/a8gF7URdhdf920
+KmYSUh1V0B3pPAB6ArqJ60iHOqkCYIIIbi2EpVP53IKkoB9tr4ud8oMoN6ggIXU1
+2oHvnaKJ7RZaQNefS3WweyHxr4cCVtEour/ELph48OuW6Y5jqPT+5Ln3Qz0e6KW9
+o3thBx0aKSYlmt9gH254M9M=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..51ebe924a6 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
-UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
-U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
-xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
-ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
-l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX
+JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK
+QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg
+b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ
+708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG
+TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J
+N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf
+Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz
+8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r
+R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6
+EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB
+J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu
+moHgw8OJzg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..1f6ae05fe4 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..ef48749f76 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..02eff4d326 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..7819c54828 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..8b0c716d63 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..5074f4fa9b 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..5ee9870d6f 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..12d1ec363e 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
-c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
-YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
-U24PDn2etTZOK1wsHHkAiHPvgRX7G/+78a5fSC8nMNaH/oR4zMMhwksiruISA7x9
-/l+4DO7C42C5mRfnUmMGJdzau1+A8jcIxTWWoJtva9b1k3g+bvBGq9138X+bJKIW
-YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
-pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
-Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
-cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+MIIDVTCCAj2gAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMEYxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5h
+bWUucGctc3NsdGVzdC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwVES+mD1iY1UBGWNLsuBxGkyOGTI1X/sXcCUZ7aLOGkXHYatiUTcIrSNNAS5
+yCvbq/A/C1NuDw59nrU2TitcLBx5AIhz74EV+xv/u/GuX0gvJzDWh/6EeMzDIcJL
+Iq7iEgO8ff5fuAzuwuNguZkX51JjBiXc2rtfgPI3CMU1lqCbb2vW9ZN4Pm7wRqvd
+d/F/mySiFmLFsB4HLhCGZN89vO4cbslN4+YrGKEcHeXGWRaxv6gSXbpEgUYpefzz
++QB7AepU5aWntm3X+E1we5AHLSKckwUdBuT5uYgmZcYA/kCC4/9RS02jTlu4Vfrd
+SemHwuo2UQ5ODJxzAhWrEl3F4QIDAQABo0swSTBHBgNVHREEQDA+gh1kbnMxLmFs
+dC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0ZXN0
+LnRlc3QwDQYJKoZIhvcNAQELBQADggEBAG3dFQ/DqjFbjzIOni079R3I94lAZqbc
+cRUumDPSzihKwvCCnU5quqnYkOFISqBZsYmxR5fiHx4wT+jmWvLSltkaeS6gcGC1
+zuO8GFzL+PATUX63js8IfE3WYJE/bjmDVVzJOBArrbsExofdE2F2kkkLkjhk0ylg
+/TrAKtyqpsob0b4ZjMloR5JFHQXGHN/922x6Do1vduHMXlGckmR0sX6Mg/fiChVh
+vixUJje4W9ohft8G7lj3GnzI1gHEMp2PYKM+wqOug/gXEQuMIFlhjp2Mc6bAvFsD
+grgdAgcYUvgKukF9efJHq2V5XjqBWrmGAOQkiH1y+9gxhiHUiw+vojY=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..acdf6f1a75 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
-bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
-JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
-K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
-5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
-jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+MIIDAzCCAesCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWz
+VPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7zJkxnnm6RGBXPx6vK3AkAIi+wG4Y
+mXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu3nDjAVkPexsSrPyiKimFuNgDfkGe
+5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWWJf5D/PehdSuc0e5Me+91Nnbz90nl
+ds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzfwl36Kd/bWB0fAEVFse3iZWmigaI/
+9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo3rE6jg6/iAwSWib9yabfYPKbqq2G
+oFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA2AZrD9cTQXTW
+4j2tT8N/TTc6WK2ncN4h22NTte6vK7MVwsZJCtw5ndYkmxcWkXAqiclzWyMdayds
+WOa12CEH7jKAhivF4Hcw3oO3JHM5BA6KzLWBVz9uZksOM6mPqn29DTKvA/Y1V8tj
+mxK/KUA68h/u6inu3mo4ywBpb/tqHxxg2cjyR0faCmM0pwRM0HBr/16fUMfO83nj
+QG8g9J/bybu5sYso/aSoC5nUNp4XjmDMdVLdqg/nTe/ejS8IfFr0WQxBlqooqFgx
+MSE+kX2e2fHsuOWSU/9eClt6FpQrwoC2C8F+/4g1Uz7Liqc4yMHPwjgeP9ewrrLO
+iIhlNNPqpQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..58799e49f8 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
-3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
-eUQLCvPNgay3/ua4Mz0Nf7S9cgC9AZu/EEYjQIEzfO0cEANeVIWtgZfM3+2j0pmZ
-46AEYlEZJkmDT0/mnHk3YTj3I6qQhr34wZvqcrwouYRN5NiOVYJLpb6gPSoalm+P
-YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
-VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
-LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
-ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+MIIDSzCCAjOgAwIBAgIIICEDAxQSBwMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANdIkKX1X+Jwqo5EXC1z/TjUKnYTDzHYx2rCqprBU8fN0mSy
+lMyjDm+eo924PN7LahqCHeDCMbapwymkoNfpLHkNRwotHLvxN5RyxJD4m5fXclRo
+V1ZzwwXTqXlECwrzzYGst/7muDM9DX+0vXIAvQGbvxBGI0CBM3ztHBADXlSFrYGX
+zN/to9KZmeOgBGJRGSZJg09P5px5N2E49yOqkIa9+MGb6nK8KLmETeTYjlWCS6W+
+oD0qGpZvj2Fzioz+Pn1q9fB3WS687GuMT0WvV3LAzcn341r0E36bUf9rxSjfBX79
+11KsVMemr1QskSmvMQFEv6R1Rp8xUGPqKlkRJ9sCAwEAAaNnMGUwYwYDVR0RBFww
+WoIdZG5zMS5hbHQtbmFtZS5wZy1zc2x0ZXN0LnRlc3SCHWRuczIuYWx0LW5hbWUu
+cGctc3NsdGVzdC50ZXN0ghoqLndpbGRjYXJkLnBnLXNzbHRlc3QudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAuRAyYBwAZLKERoYDy/kE9LKddJfLhledTJ7+cIWs6T9V
+KBfWBHZYxfxmdBYwqVZfog8c5uHREfWiUPoF/aMq3ARay96aMh4xXJ+2a7HAmknF
+9AJWRieoc3H/QkMzAuT8IDTmoEarsr8vsX1MGabobZte/B9tEjq/z5t3GfLrHMVX
+5092U6Ka40ii4U1VwjR8YnRBwjm3UpLmZJAjvXjw13/XucNV5O8Plo1yvS+G0AMh
+KdMxExiItVtjZteiA0pJf0YGAzTFyzvwBljTcs4NfZ2M0ta9i0r4BF7wQ8tDezN7
+VxdJVPc5xPqncp0cMdUAE2xDmYlKEqB0kuAHNwH5/Q==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..b5d0589090 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
-+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
-4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
-Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
-Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+MIIC3TCCAcUCCCAhAwMUEgcEMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAgMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCfOf74edog2QHkJlreO6NJEe1VZUSxn+LBeHH8T5fniFiM4Ym9X2o3
+XKhYsvNSwvrfWwMkajMkd3b3vURiuiAxYzB/9AwX97RUkZ8TfuU3UgISiCbJZrVH
+TpfJEv7JhePgYpAoOdPWqtFPmnO/Xv6uNjsrx/V/3COovUj3eIcyQzAl+eC2U9Tn
+//dJ0kF+hDnOR3I/3e6bAboJjAVvLl2ABryaateHuUaCu/Bf5mG1DarXNXPKYuP+
+KrkjHhH0KQ4Js3nu7bPEiG0E/JmCR452j72WKb+PiJHOxdMMyztZ3k6bGGlbw60j
+CwQnUJAlPL4G9U+lpVYG6f7HxOaJEscfAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AJAwYwIL4oj3NisXCXkEp9zqDXiZvNW9yW3bY8lFFCpU7o5n92tCf2OFAkKaYhF1
+Eb2weyDULtW7W/wgdlOZL9npayYKzTusl6e8xfTQyjRCsoKWvnWOEkPH7VraZJ8c
+Ko1KhaVWX98VLdlUh5giYAEkdhk0qPYKsQ32unBXXJu0pX63pnPDoaUBiZUWr/3l
+CfkjgGY5YA8YxiDlHGNF1qlcX2fQKloDlvtH0L5Enwt25w2/IvWhTN6YxDR+rgdD
+XYbQr6o6vsmnZTJ3zUZ6XFo98sZq5L9oy1pcC8roV7w0AUVxraTWYILyGfNgruG8
+xsok/hu1L2VnktveEW/qoVs=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..3bb0f164a6 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
-4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
-PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
-WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
-qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
-34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+MIIDAzCCAesCCCAhAwMUEgcFMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKD
+zvJUs+N+KeDwWAW0zfI5C1t3BxKUwh+MrwtFeNIcxhJd9Bzy6fNnvpMa/kNPoHfN
+n73OGLYeSDyiDc56dvBjLOfxPXFFN4TCuIxYSizIjniL3tzP/a8hyvO+KqTYyaEs
+cT8+/rNnqlqBXNqcdChSGpk0y34uybvWj2/wDJWTbFJ20bI+30HOxCfK8Dp3s8Nl
+suVSuLKF/qqbidDZuOAKc0/GJo2F/5AF9MkMYELmG6XAVq/XDkI3oLtxQKh6kYfc
+nu3fI0Mwr9+FoP2q+K5KskA3KJLlgBOykG55Odbe6Js4TPHrMBTgC9aWrP/I1gb8
+tFY2FVN+D/Wl8T/Boh0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxVHoqX25W4Hx
+pMNjv2AJzcB7D+c+dUXAmLLJ7jh6szWeL0M2E5qX4dLc8LzQKnXv5ZcT4i/akjDX
+etdzuqh03kvDJvUkHclSWffmowmWMTG6GCA6S/2TQzSibIptkwqs74aIkayVJaC4
+jCBR+PVT8+cE2FMD6dAWu//fyEcpTg6XpZ/Upgu9OITGNaEQUGz8pSRkTgspfO0Q
+AKPmql6dpywReIlr5mzy9liCzf/BbAVHGmP/pBGIkLn2AzvPLCQ/UFZYT6aH7l5J
+nzmFhgRC3U5wPMdelHGrPMXg6OHCcyrQY0kEi7N/GQ5+jZkICoQuPJ7APKEZAUgO
+XRwVulaWJQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..7affdd68e7 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
-1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
-F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
-J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
-Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
-kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+MIIDEjCCAfqgAwIBAgIIICEDAxQSBwIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMWKHC1lrog7A8ye8C3NM38JBiQBMuIZR40wORl0hJxj5Tp8
+dX8Xo2Thi9Ry33+YfMwfkkF66ZRwnMMEa8VYBmOz+fZFzF19WpE8F1CR3PxKE7ai
+zvunxy8oMxdXdIuTTzt8a5NcDLe22C4Yj21qaZVoh182ycvMH93V4MwsLcV3/GdV
+Ko7QpwP2ZCf5D1rhyccx+Trwyb2bKvhW5Jd3GrRacFJQFfUyrAu/FvyuSPmn86ab
+Jkr7CCgFlg6e4O9SFY7yXiOgLotsoQ5/YriTLinvUTGCMCSxaol97qx3I2gUpCZu
+i7H+4Dt9L5FcCMshl0TU32dsjw6El1Wbzp6voCsCAwEAAaMuMCwwKgYDVR0RBCMw
+IYIfc2luZ2xlLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDANBgkqhkiG9w0BAQsF
+AAOCAQEAUIhBQLzQgd7wHlT9DARxcC7SZwQtnk2BVqMYTRBU4uIa0i2HVyetpe1P
+rREthYq5sgaSqdonD9Splg8BLUlah9y3v9j6DBxkxNnz/3AZuA5oPaC/TZ+lwlX3
+QNWWFNaNZdcQbvjUvoPXIbJ6U9UDfByOJdoN4kJ6xe8Faj1Mp5Euqzr1ErrMtPWJ
+XLnXLV4WyAx+iMAbofXNlCyUorPGA8lRudzQ7bKdrhMZDE66VYwlwsUejEiODt7M
+NGTDs4aAZz9cBRjMeXhvX60cFQoykjAvWbieUKOgaFmJJyKemFj12cLeWyxvUodI
+kYtgAdzftiCSrbDjl1pzPSM6RC/E/A==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..0d6d7a6f82 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 3bc711f4a7..a901077469 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -485,6 +485,21 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+if ($? == 0)
+{
+ $serialno =~ s/^serial=//;
+ $serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+}
+else
+{
+ # OpenSSL isn't functioning on the user's PATH. This probably isn't worth
+ # skipping the test over, so just fall back to a generic integer match.
+ warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ $serialno = '\d+';
+}
+
command_like(
[
'psql',
@@ -500,7 +515,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
--
2.25.1
v6-0002-squash-test-ssl-rework-the-sslfiles-Makefile-targ.patchtext/x-patch; name=v6-0002-squash-test-ssl-rework-the-sslfiles-Makefile-targ.patchDownload
From c1401578779b967b8ed595465a1c660f91d1dd55 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Thu, 2 Sep 2021 09:09:42 -0700
Subject: [PATCH v6 2/3] squash! test/ssl: rework the sslfiles Makefile target
Move sslfiles/-clean into a separate Makefile, removing the need to
"escape" the Makefile.global targets.
---
src/Makefile.global.in | 5 +-
src/test/ssl/Makefile | 215 ++----------------------------------
src/test/ssl/sslfiles.mk | 229 +++++++++++++++++++++++++++++++++++++++
3 files changed, 237 insertions(+), 212 deletions(-)
create mode 100644 src/test/ssl/sslfiles.mk
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index cf349d19e4..6e2f224cc4 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -32,11 +32,8 @@ all:
# started to update the file.
.DELETE_ON_ERROR:
-# Never delete any intermediate files automatically unless the Makefile
-# explicitly asks for it.
-ifneq ($(clean_intermediates),yes)
+# Never delete any intermediate files automatically.
.SECONDARY:
-endif
# PostgreSQL version number
VERSION = @PACKAGE_VERSION@
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 458520dc6d..de35b876bd 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -11,222 +11,21 @@
subdir = src/test/ssl
top_builddir = ../../..
-
-clean_intermediates := yes
include $(top_builddir)/src/Makefile.global
export with_ssl
-#
-# To add a new server or client certificate, add a new <name>.config file in
-# this directory, then add <name> to either SERVERS or CLIENTS below. A
-# key/certificate pair will be generated for you, signed by the appropriate CA.
-#
-SERVERS := server-cn-and-alt-names \
- server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked
-CLIENTS := client client-dn client-revoked
-
-#
-# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
-# for creating it to the "Special-case keys" section below.
-#
-SPECIAL_KEYS := ssl/server-password.key \
- ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-
-#
-# These files are just concatenations of other files. You can add new ones to
-# COMBINATIONS here, then declare the constituent files as dependencies in the
-# "Combined files" section below.
-#
-COMBINATIONS := \
- ssl/both-cas-1.crt ssl/both-cas-2.crt \
- ssl/root+server_ca.crt ssl/root+server.crl \
- ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt
-
-CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
-STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
-STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
-CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
-
-SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
-SSLDIRS := ssl/client-crldir ssl/server-crldir \
- ssl/root+client-crldir ssl/root+server-crldir
-
-# This target re-generates all the key and certificate files. Usually we just
-# use the ones that are committed to the tree without rebuilding them.
-#
-.PHONY: sslfiles
-sslfiles: $(SSLFILES) $(SSLDIRS)
-
-#
-# Special-case certificates
-#
-
-# Root CA is self-signed.
-ssl/root_ca.crt: ssl/root_ca.key root_ca.config
- openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
-
-#
-# Special-case keys
-#
-# All targets here are contained in $(SPECIAL_KEYS).
-#
-
-# Password-protected version of server-cn-only.key
-ssl/server-password.key: ssl/server-cn-only.key
- openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-
-# DER-encoded version of client.key
-ssl/client-der.key: ssl/client.key
- openssl rsa -in $< -outform DER -out $@
-
-# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
-# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: outform := PEM
-ssl/client-encrypted-der.key: outform := DER
-ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
-
-#
-# Combined files
-#
-# All targets in $(COMBINATIONS) share a single recipe; just declare the
-# necessary dependencies and they'll be smashed together.
-#
-
-# Root certificate file that contains both CA certificates, for testing
-# that multiple certificates can be used.
-ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
-
-# The same, but the certs are in different order
-ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
-
-# A root certificate file for the client, to validate server certs.
-ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
-
-# and for the server, to validate client certs
-ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
-
-# and for the client, to present to the server
-ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
-
-# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
-# chain, even if some of them are empty.
-ssl/root+server.crl: ssl/root.crl ssl/server.crl
-ssl/root+client.crl: ssl/root.crl ssl/client.crl
-
-$(COMBINATIONS):
- cat $^ > $@
-
-#
-# Standard keys
-#
-
-$(STANDARD_KEYS):
- openssl genrsa -out $@ 2048
- chmod 0600 $@
-
-#
-# Standard certificates
-#
-
-CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
-SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
-CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
-
-# See the "CA State" section below.
-root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
-server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
-client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
-
-# These are the workhorse recipes. `openssl ca` can't be safely run from
-# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
-.NOTPARALLEL:
-$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
- openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
-
-$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
- openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
-
-$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
- openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
-
-# The CSRs don't need to persist after a build.
-.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
-ssl/%.csr: ssl/%.key %.config
- openssl req -new -key $< -out $@ -config $*.config
-
-#
-# CA State
-#
-# All of these are intended to be order-only dependencies; additionally, the
-# pattern recipes are marked as explicit intermediates. The goal is for Make to
-# create the state files once for each CA, allow them to accumulate whatever
-# state is needed, and then automatically remove them at the end of the run.
-#
-
-.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
-
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir $@
-
-ssl/%-certindex:
- touch $@
-
-ssl/%-certindex.attr:
- echo "unique_subject=no" > $@
-
-# The first serial number for each CA is based on the current timestamp, to
-# avoid collisions across Make runs.
-ssl/%.srl:
- date +%Y%m%d%H%M%S00 > $@
-
-#
-# CRLs
-#
-
-ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
- openssl ca -config cas.config -name root_ca -gencrl -out $@
-
-ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
- openssl ca -config cas.config -name server_ca -revoke $<
- openssl ca -config cas.config -name server_ca -gencrl -out $@
-
-ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
- openssl ca -config cas.config -name client_ca -revoke $<
- openssl ca -config cas.config -name client_ca -gencrl -out $@
-
-#
-# CRL hash directories
-#
-
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
-ssl/server-crldir: ssl/server.crl
-ssl/client-crldir: ssl/client.crl
-
-crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
-
-ssl/%-crldir:
- mkdir -p $@
- rm -f $@/*.r0
- $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
- touch $@
-
-.PHONY: sslfiles-clean
-sslfiles-clean:
- rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
- rm -rf $(SSLDIRS) ssl/new_certs_dir
+# The sslfiles targets are separated into their own file due to interactions
+# with settings in Makefile.global.
+.PHONY: sslfiles sslfiles-clean
+sslfiles sslfiles-clean:
+ $(MAKE) -f sslfiles.mk $@
clean distclean maintainer-clean:
rm -rf tmp_check
- rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
+ $(MAKE) -f sslfiles.mk clean
-# Doesn't depend on $(SSLFILES) because we don't rebuild them by default
+# Doesn't depend on sslfiles because we don't rebuild them by default
check:
$(prove_check)
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
new file mode 100644
index 0000000000..f3f0d1f8c0
--- /dev/null
+++ b/src/test/ssl/sslfiles.mk
@@ -0,0 +1,229 @@
+#-------------------------------------------------------------------------
+#
+# Makefile for sslfiles
+#
+# The SSL test files are completely disjoint from the rest of the build; they
+# don't rely on other targets or on Makefile.global. Since these recipes rely
+# on some default Make behavior that's disabled in the main build tree, such
+# as intermediate cleanup, they've been moved into their own separate file.
+# The main Makefile in this directory defers to this helper file when building
+# the sslfiles-related targets.
+#
+# Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+# Portions Copyright (c) 1994, Regents of the University of California
+#
+# src/test/ssl/sslfiles.mk
+#
+#-------------------------------------------------------------------------
+
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
+ server-cn-only server-single-alt-name server-multiple-alt-names \
+ server-no-names server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
+ ssl/both-cas-1.crt ssl/both-cas-2.crt \
+ ssl/root+server_ca.crt ssl/root+server.crl \
+ ssl/root+client_ca.crt ssl/root+client.crl \
+ ssl/client+client_ca.crt
+
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl ssl/client.crl ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
+SSLDIRS := ssl/client-crldir ssl/server-crldir \
+ ssl/root+client-crldir ssl/root+server-crldir
+
+# This target re-generates all the key and certificate files. Usually we just
+# use the ones that are committed to the tree without rebuilding them.
+#
+.PHONY: sslfiles
+sslfiles: $(SSLFILES) $(SSLDIRS)
+
+#
+# Special-case certificates
+#
+
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key root_ca.config
+ openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
+
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
+
+# Password-protected version of server-cn-only.key
+ssl/server-password.key: ssl/server-cn-only.key
+ openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+
+# DER-encoded version of client.key
+ssl/client-der.key: ssl/client.key
+ openssl rsa -in $< -outform DER -out $@
+
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
+# to test libpq's support for the sslpassword= option.
+ssl/client-encrypted-pem.key: outform := PEM
+ssl/client-encrypted-der.key: outform := DER
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
+
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
+
+# Root certificate file that contains both CA certificates, for testing
+# that multiple certificates can be used.
+ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
+
+# The same, but the certs are in different order
+ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
+
+# A root certificate file for the client, to validate server certs.
+ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
+
+# and for the server, to validate client certs
+ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
+
+# and for the client, to present to the server
+ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
+
+# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
+# chain, even if some of them are empty.
+ssl/root+server.crl: ssl/root.crl ssl/server.crl
+ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
+ cat $^ > $@
+
+#
+# Standard keys
+#
+
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
+
+#
+# Standard certificates
+#
+
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
+.NOTPARALLEL:
+$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
+
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
+ssl/%.csr: ssl/%.key %.config
+ openssl req -new -key $< -out $@ -config $*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
+#
+
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config cas.config -name root_ca -gencrl -out $@
+
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config cas.config -name server_ca -revoke $<
+ openssl ca -config cas.config -name server_ca -gencrl -out $@
+
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config cas.config -name client_ca -revoke $<
+ openssl ca -config cas.config -name client_ca -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
+ssl/client-crldir: ssl/client.crl
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
+
+.PHONY: sslfiles-clean
+sslfiles-clean:
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
+
+# The difference between clean and sslfiles-clean is that the clean target will
+# be run during a "standard" recursive clean run from the main build tree. The
+# sslfiles-clean target must be run explicitly from this directory.
+.PHONY: clean
+clean:
+ rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
--
2.25.1
v6-0003-squash-squash-test-ssl-rework-the-sslfiles-Makefi.patchtext/x-patch; name=v6-0003-squash-squash-test-ssl-rework-the-sslfiles-Makefi.patchDownload
From 70e35a05649784ad427873f9ea8289ed8d924dcf Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Wed, 8 Sep 2021 12:26:01 -0700
Subject: [PATCH v6 3/3] squash! squash! test/ssl: rework the sslfiles Makefile
target
Move all configuration files underneath the conf/ directory.
---
src/test/ssl/{ => conf}/cas.config | 0
src/test/ssl/{ => conf}/client-dn.config | 0
src/test/ssl/{ => conf}/client-revoked.config | 0
src/test/ssl/{ => conf}/client.config | 0
src/test/ssl/{ => conf}/client_ca.config | 0
src/test/ssl/{ => conf}/root_ca.config | 0
.../{ => conf}/server-cn-and-alt-names.config | 0
src/test/ssl/{ => conf}/server-cn-only.config | 0
.../server-multiple-alt-names.config | 0
.../ssl/{ => conf}/server-no-names.config | 0
src/test/ssl/{ => conf}/server-revoked.config | 0
.../{ => conf}/server-single-alt-name.config | 0
src/test/ssl/{ => conf}/server_ca.config | 0
src/test/ssl/sslfiles.mk | 32 +++++++++----------
14 files changed, 16 insertions(+), 16 deletions(-)
rename src/test/ssl/{ => conf}/cas.config (100%)
rename src/test/ssl/{ => conf}/client-dn.config (100%)
rename src/test/ssl/{ => conf}/client-revoked.config (100%)
rename src/test/ssl/{ => conf}/client.config (100%)
rename src/test/ssl/{ => conf}/client_ca.config (100%)
rename src/test/ssl/{ => conf}/root_ca.config (100%)
rename src/test/ssl/{ => conf}/server-cn-and-alt-names.config (100%)
rename src/test/ssl/{ => conf}/server-cn-only.config (100%)
rename src/test/ssl/{ => conf}/server-multiple-alt-names.config (100%)
rename src/test/ssl/{ => conf}/server-no-names.config (100%)
rename src/test/ssl/{ => conf}/server-revoked.config (100%)
rename src/test/ssl/{ => conf}/server-single-alt-name.config (100%)
rename src/test/ssl/{ => conf}/server_ca.config (100%)
diff --git a/src/test/ssl/cas.config b/src/test/ssl/conf/cas.config
similarity index 100%
rename from src/test/ssl/cas.config
rename to src/test/ssl/conf/cas.config
diff --git a/src/test/ssl/client-dn.config b/src/test/ssl/conf/client-dn.config
similarity index 100%
rename from src/test/ssl/client-dn.config
rename to src/test/ssl/conf/client-dn.config
diff --git a/src/test/ssl/client-revoked.config b/src/test/ssl/conf/client-revoked.config
similarity index 100%
rename from src/test/ssl/client-revoked.config
rename to src/test/ssl/conf/client-revoked.config
diff --git a/src/test/ssl/client.config b/src/test/ssl/conf/client.config
similarity index 100%
rename from src/test/ssl/client.config
rename to src/test/ssl/conf/client.config
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/conf/client_ca.config
similarity index 100%
rename from src/test/ssl/client_ca.config
rename to src/test/ssl/conf/client_ca.config
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/conf/root_ca.config
similarity index 100%
rename from src/test/ssl/root_ca.config
rename to src/test/ssl/conf/root_ca.config
diff --git a/src/test/ssl/server-cn-and-alt-names.config b/src/test/ssl/conf/server-cn-and-alt-names.config
similarity index 100%
rename from src/test/ssl/server-cn-and-alt-names.config
rename to src/test/ssl/conf/server-cn-and-alt-names.config
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/conf/server-cn-only.config
similarity index 100%
rename from src/test/ssl/server-cn-only.config
rename to src/test/ssl/conf/server-cn-only.config
diff --git a/src/test/ssl/server-multiple-alt-names.config b/src/test/ssl/conf/server-multiple-alt-names.config
similarity index 100%
rename from src/test/ssl/server-multiple-alt-names.config
rename to src/test/ssl/conf/server-multiple-alt-names.config
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/conf/server-no-names.config
similarity index 100%
rename from src/test/ssl/server-no-names.config
rename to src/test/ssl/conf/server-no-names.config
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/conf/server-revoked.config
similarity index 100%
rename from src/test/ssl/server-revoked.config
rename to src/test/ssl/conf/server-revoked.config
diff --git a/src/test/ssl/server-single-alt-name.config b/src/test/ssl/conf/server-single-alt-name.config
similarity index 100%
rename from src/test/ssl/server-single-alt-name.config
rename to src/test/ssl/conf/server-single-alt-name.config
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/conf/server_ca.config
similarity index 100%
rename from src/test/ssl/server_ca.config
rename to src/test/ssl/conf/server_ca.config
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index f3f0d1f8c0..b2ac7986e8 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -18,7 +18,7 @@
#
# To add a new server or client certificate, add a new <name>.config file in
-# this directory, then add <name> to either SERVERS or CLIENTS below. A
+# the conf/ directory, then add <name> to either SERVERS or CLIENTS below. A
# key/certificate pair will be generated for you, signed by the appropriate CA.
#
SERVERS := server-cn-and-alt-names \
@@ -64,8 +64,8 @@ sslfiles: $(SSLFILES) $(SSLDIRS)
#
# Root CA is self-signed.
-ssl/root_ca.crt: ssl/root_ca.key root_ca.config
- openssl req -new -x509 -config root_ca.config -days 10000 -key $< -out $@
+ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
+ openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
#
# Special-case keys
@@ -143,19 +143,19 @@ client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ss
# These are the workhorse recipes. `openssl ca` can't be safely run from
# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
.NOTPARALLEL:
-$(CA_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
- openssl ca -batch -config cas.config -name root_ca -notext -in $< -out $@
+$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
-$(SERVER_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
- openssl ca -batch -config cas.config -name server_ca -notext -in $< -out $@
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
-$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr %.config cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
- openssl ca -batch -config cas.config -name client_ca -notext -in $< -out $@
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
# The CSRs don't need to persist after a build.
.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
-ssl/%.csr: ssl/%.key %.config
- openssl req -new -key $< -out $@ -config $*.config
+ssl/%.csr: ssl/%.key conf/%.config
+ openssl req -new -key $< -out $@ -config conf/$*.config
#
# CA State
@@ -189,15 +189,15 @@ ssl/%.srl:
#
ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
- openssl ca -config cas.config -name root_ca -gencrl -out $@
+ openssl ca -config conf/cas.config -name root_ca -gencrl -out $@
ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
- openssl ca -config cas.config -name server_ca -revoke $<
- openssl ca -config cas.config -name server_ca -gencrl -out $@
+ openssl ca -config conf/cas.config -name server_ca -revoke $<
+ openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
- openssl ca -config cas.config -name client_ca -revoke $<
- openssl ca -config cas.config -name client_ca -gencrl -out $@
+ openssl ca -config conf/cas.config -name client_ca -revoke $<
+ openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
#
# CRL hash directories
--
2.25.1
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Wed, Sep 08, 2021 at 07:32:03PM +0000, Jacob Champion wrote:
On Fri, 2021-09-03 at 23:21 +0000, Jacob Champion wrote:
One small-ish comment that I have is about all the .config files we
have at the root of src/test/ssl/, bloating the whole. I think that
it would be a bit cleaner to put all of them in a different
sub-directory, say just config/ or conf/.That sounds reasonable. I won't be able to get to it before the holiday
weekend, but I can put up a patch sometime next week.Done in v6, a three-patch squashable set. I chose conf/ as the
directory.
Looks sensible to me. One thing I can see, while poking at it, is
that the README mentions sslfiles to recreate the set of files. But
it is necessary to do sslfiles-clean once, as sslfiles is a no-op if
the set of files exists.
I have not been able to check that this is compatible across all the
versions of OpenSSL we support on HEAD. By looking at the code, that
should be fine but it would be good to be sure.
Daniel, you are registered as a reviewer of this thread
(https://commitfest.postgresql.org/34/3029/). So I guess that you
would prefer to look at that by yourself and perhaps take care of the
commit?
--
Michael
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 9 Sep 2021, at 03:32, Michael Paquier <michael@paquier.xyz> wrote:
On Wed, Sep 08, 2021 at 07:32:03PM +0000, Jacob Champion wrote:
On Fri, 2021-09-03 at 23:21 +0000, Jacob Champion wrote:
One small-ish comment that I have is about all the .config files we
have at the root of src/test/ssl/, bloating the whole. I think that
it would be a bit cleaner to put all of them in a different
sub-directory, say just config/ or conf/.That sounds reasonable. I won't be able to get to it before the holiday
weekend, but I can put up a patch sometime next week.Done in v6, a three-patch squashable set. I chose conf/ as the
directory.Looks sensible to me.
I concur, I like this more readable approach and it makes adding new keys and
certificates easier.
One thing I can see, while poking at it, is
that the README mentions sslfiles to recreate the set of files. But
it is necessary to do sslfiles-clean once, as sslfiles is a no-op if
the set of files exists.
A few things noted (and fixed as per the attached, which is v6 squashed and
rebased on HEAD; commitmessage hasn't been addressed yet) while reviewing:
* Various comment reflowing to fit within 79 characters
* Pass through the clean targets into sslfiles.mk rather than rewrite them to
make clean (even if they are the same in sslfiles.mk).
* Moved the lists of keys/certs to be one object per line to match the style
introduced in 01368e5d9. The previous Makefile was violating that as well, but
when we're fixing this file for other things we might as well fix that too.
* Bumped the password protected key output to AES256 to match the server files,
since it's more realistic to see than AES128 (and I was fiddling around here
anyways testing different things, see below).
I have not been able to check that this is compatible across all the
versions of OpenSSL we support on HEAD. By looking at the code, that
should be fine but it would be good to be sure.
The submitted patch works for 1.0.1, 1.0.2 and 1.1.1 when running the below
sequence:
make check
make ssfiles-clean
make sslfiles
make check
Testing what's in the tree, recreating the keys/certs and testing against the
new ones.
In OpenSSL 3.0.0, the final make check on the generated files breaks on the
encrypted DER key. The key generates fine, and running "openssl rsa ..
-check" validates it, but it fails to load into postgres. Removing the
explicit selection of cipher makes the test pass again (also included in the
attached). I haven't been able to track down exactly what the issue is, but I
have a suspicion that it's in OpenSSL rather than libpq. This issue is present
in master too, so fixing it is orthogonal to this work, but it needs to be
figured out.
Another point of interest here is that 3.0.0 put "openssl rsa" in maintenance
mode, so maybe we'll have to look at supporting "openssl pkeyutl" as well for
some parts should future bugs remain unfixed in the rsa command.
Daniel, you are registered as a reviewer of this thread
(https://commitfest.postgresql.org/34/3029/). So I guess that you
would prefer to look at that by yourself and perhaps take care of the
commit?
Sure, I can take care of it.
--
Daniel Gustafsson https://vmware.com/
Attachments:
v7-0001-test-ssl-rework-the-sslfiles-Makefile-target.patchapplication/octet-stream; name=v7-0001-test-ssl-rework-the-sslfiles-Makefile-target.patch; x-unix-mode=0644Download
From 27fcdc7ff3c73f0b2427c4f68dd755536fde6123 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Fri, 26 Feb 2021 15:25:28 -0800
Subject: [PATCH v7] test/ssl: rework the sslfiles Makefile target
Adding a new certificate is as easy as dropping in a new .config file,
adding it to the top of the Makefile, and running `make sslfiles`.
Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
dirs.
- New certificates have serial numbers based on the current time,
reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
possible copy-paste errors).
squash! test/ssl: rework the sslfiles Makefile target
Move sslfiles/-clean into a separate Makefile, removing the need to
"escape" the Makefile.global targets.
squash! squash! test/ssl: rework the sslfiles Makefile target
Move all configuration files underneath the conf/ directory.
---
src/test/ssl/Makefile | 167 +-----------
src/test/ssl/README | 3 +-
src/test/ssl/{ => conf}/cas.config | 10 +-
src/test/ssl/{ => conf}/client-dn.config | 1 -
src/test/ssl/conf/client-revoked.config | 13 +
src/test/ssl/{ => conf}/client.config | 1 -
src/test/ssl/{ => conf}/client_ca.config | 5 +
src/test/ssl/{ => conf}/root_ca.config | 1 +
.../{ => conf}/server-cn-and-alt-names.config | 0
src/test/ssl/{ => conf}/server-cn-only.config | 3 +-
.../server-multiple-alt-names.config | 0
.../ssl/{ => conf}/server-no-names.config | 5 +-
src/test/ssl/{ => conf}/server-revoked.config | 3 +-
.../{ => conf}/server-single-alt-name.config | 0
src/test/ssl/{ => conf}/server_ca.config | 5 +
src/test/ssl/ssl/both-cas-1.crt | 86 +++----
src/test/ssl/ssl/both-cas-2.crt | 86 +++----
src/test/ssl/ssl/client+client_ca.crt | 65 ++---
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 18 +-
src/test/ssl/ssl/client-dn.crt | 34 +--
src/test/ssl/ssl/client-revoked.crt | 31 +--
src/test/ssl/ssl/client.crl | 18 +-
src/test/ssl/ssl/client.crt | 31 +--
src/test/ssl/ssl/client_ca.crt | 34 +--
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 18 +-
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 16 +-
src/test/ssl/ssl/root+client.crl | 34 +--
src/test/ssl/ssl/root+client_ca.crt | 52 ++--
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 16 +-
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 18 +-
src/test/ssl/ssl/root+server.crl | 34 +--
src/test/ssl/ssl/root+server_ca.crt | 52 ++--
src/test/ssl/ssl/root.crl | 16 +-
src/test/ssl/ssl/root_ca.crt | 18 +-
src/test/ssl/ssl/server-cn-and-alt-names.crt | 36 +--
src/test/ssl/ssl/server-cn-only.crt | 33 +--
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 18 +-
.../ssl/ssl/server-multiple-alt-names.crt | 36 +--
src/test/ssl/ssl/server-no-names.crt | 32 +--
src/test/ssl/ssl/server-revoked.crt | 33 +--
src/test/ssl/ssl/server-single-alt-name.crt | 34 +--
src/test/ssl/ssl/server.crl | 18 +-
src/test/ssl/ssl/server_ca.crt | 34 +--
src/test/ssl/sslfiles.mk | 242 ++++++++++++++++++
src/test/ssl/t/001_ssltests.pl | 17 +-
45 files changed, 775 insertions(+), 652 deletions(-)
rename src/test/ssl/{ => conf}/cas.config (93%)
rename src/test/ssl/{ => conf}/client-dn.config (97%)
create mode 100644 src/test/ssl/conf/client-revoked.config
rename src/test/ssl/{ => conf}/client.config (96%)
rename src/test/ssl/{ => conf}/client_ca.config (81%)
rename src/test/ssl/{ => conf}/root_ca.config (92%)
rename src/test/ssl/{ => conf}/server-cn-and-alt-names.config (100%)
rename src/test/ssl/{ => conf}/server-cn-only.config (85%)
rename src/test/ssl/{ => conf}/server-multiple-alt-names.config (100%)
rename src/test/ssl/{ => conf}/server-no-names.config (85%)
rename src/test/ssl/{ => conf}/server-revoked.config (88%)
rename src/test/ssl/{ => conf}/server-single-alt-name.config (100%)
rename src/test/ssl/{ => conf}/server_ca.config (81%)
create mode 100644 src/test/ssl/sslfiles.mk
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index c216560dcc..3592c0d184 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -15,170 +15,17 @@ include $(top_builddir)/src/Makefile.global
export with_ssl
-CERTIFICATES := server_ca server-cn-and-alt-names \
- server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked \
- client_ca client client-dn client-revoked \
- root_ca
-
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
- ssl/server-password.key \
- ssl/client.crl ssl/server.crl ssl/root.crl \
- ssl/both-cas-1.crt ssl/both-cas-2.crt \
- ssl/root+server_ca.crt ssl/root+server.crl \
- ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt ssl/client-der.key \
- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-
-SSLDIRS := ssl/client-crldir ssl/server-crldir \
- ssl/root+client-crldir ssl/root+server-crldir
-
-# This target re-generates all the key and certificate files. Usually we just
-# use the ones that are committed to the tree without rebuilding them.
-#
-# This target will fail unless preceded by sslfiles-clean.
-#
-sslfiles: $(SSLFILES) $(SSLDIRS)
-
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir ssl/new_certs_dir
-
-# Rule for creating private/public key pairs.
-ssl/%.key:
- openssl genrsa -out $@ 2048
- chmod 0600 $@
-
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
- touch ssl/root_ca-certindex
- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
- echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
- touch ssl/$*_ca-certindex
- echo "unique_subject=no" > ssl/$*_ca-certindex.attr
- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
- echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
- openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
- openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
- rm ssl/server-$*.csr
-
-# Password-protected version of server-cn-only.key
-ssl/server-password.key: ssl/server-cn-only.key
- openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
- rm ssl/client.csr ssl/temp.crt
-
-# Client certificate with multi-part DN, signed by the client CA:
-ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
- openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
- rm ssl/client-dn.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
- rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
-ssl/client-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
-
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
-# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
-
-ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
-
-# Root certificate files that contains both CA certificates, for testing
-# that multiple certificates can be used.
-ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
- cat $^ > $@
-
-# The same, but the certs are in different order
-ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
- cat $^ > $@
-
-# A root certificate file for the client, to validate server certs.
-ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
- cat $^ > $@
-
-# and for the server, to validate client certs
-ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
- cat $^ > $@
-
-ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
- cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
-
-# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
-# chain, even if some of them are empty.
-ssl/root+server.crl: ssl/root.crl ssl/server.crl
- cat $^ > $@
-ssl/root+client.crl: ssl/root.crl ssl/client.crl
- cat $^ > $@
-
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
- mkdir ssl/root+server-crldir
- cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
- cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
-
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
- mkdir ssl/root+client-crldir
- cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
- cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
-
-ssl/server-crldir: ssl/server.crl
- mkdir ssl/server-crldir
- cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
-
-ssl/client-crldir: ssl/client.crl
- mkdir ssl/client-crldir
- cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
-
-.PHONY: sslfiles-clean
-sslfiles-clean:
- rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
- rm -rf $(SSLDIRS)
+# The sslfiles targets are separated into their own file due to interactions
+# with settings in Makefile.global.
+.PHONY: sslfiles sslfiles-clean
+sslfiles sslfiles-clean:
+ $(MAKE) -f sslfiles.mk $@
clean distclean maintainer-clean:
rm -rf tmp_check
- rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
+ $(MAKE) -f sslfiles.mk $@
-# Doesn't depend on $(SSLFILES) because we don't rebuild them by default
+# Doesn't depend on sslfiles because we don't rebuild them by default
check:
$(prove_check)
diff --git a/src/test/ssl/README b/src/test/ssl/README
index b9d96a637d..9a072fd8fc 100644
--- a/src/test/ssl/README
+++ b/src/test/ssl/README
@@ -85,7 +85,8 @@ There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.
For convenience, all of these keypairs and certificates are included in the
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
-recreate them if you need to make changes.
+recreate them if you need to make changes. "make sslfiles-clean" is required
+in order to recreate.
TODO
====
diff --git a/src/test/ssl/cas.config b/src/test/ssl/conf/cas.config
similarity index 93%
rename from src/test/ssl/cas.config
rename to src/test/ssl/conf/cas.config
index 8c0ef6d82b..2c4851033a 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/conf/cas.config
@@ -1,12 +1,5 @@
# This file contains the configuration for all the CAs.
-[ req ]
-prompt = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
# Root CA, used to sign the certificates of the intermediary server and
# client CAs.
[ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
new_certs_dir = ./ssl/new_certs_dir
policy = policy_match
email_in_dn = no
+copy_extensions = copy
# CA used to sign all the server certificates.
[ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/server_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/server.crl
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/client_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/client.crl
diff --git a/src/test/ssl/client-dn.config b/src/test/ssl/conf/client-dn.config
similarity index 97%
rename from src/test/ssl/client-dn.config
rename to src/test/ssl/conf/client-dn.config
index ee2df54bd6..0c71d83127 100644
--- a/src/test/ssl/client-dn.config
+++ b/src/test/ssl/conf/client-dn.config
@@ -13,4 +13,3 @@ O = PGDG
CN = ssltestuser-dn
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/conf/client-revoked.config b/src/test/ssl/conf/client-revoked.config
new file mode 100644
index 0000000000..3b82b57103
--- /dev/null
+++ b/src/test/ssl/conf/client-revoked.config
@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = ssltestuser
+
+# no extensions in client certs
diff --git a/src/test/ssl/client.config b/src/test/ssl/conf/client.config
similarity index 96%
rename from src/test/ssl/client.config
rename to src/test/ssl/conf/client.config
index 2e9d40d299..26fc2571f5 100644
--- a/src/test/ssl/client.config
+++ b/src/test/ssl/conf/client.config
@@ -10,4 +10,3 @@ prompt = no
CN = ssltestuser
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/conf/client_ca.config
similarity index 81%
rename from src/test/ssl/client_ca.config
rename to src/test/ssl/conf/client_ca.config
index ef93d598c2..5990f06000 100644
--- a/src/test/ssl/client_ca.config
+++ b/src/test/ssl/conf/client_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/conf/root_ca.config
similarity index 92%
rename from src/test/ssl/root_ca.config
rename to src/test/ssl/conf/root_ca.config
index 187a9b8a46..e193186f8b 100644
--- a/src/test/ssl/root_ca.config
+++ b/src/test/ssl/conf/root_ca.config
@@ -4,6 +4,7 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Test root CA for PostgreSQL SSL regression test suite
diff --git a/src/test/ssl/server-cn-and-alt-names.config b/src/test/ssl/conf/server-cn-and-alt-names.config
similarity index 100%
rename from src/test/ssl/server-cn-and-alt-names.config
rename to src/test/ssl/conf/server-cn-and-alt-names.config
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/conf/server-cn-only.config
similarity index 85%
rename from src/test/ssl/server-cn-only.config
rename to src/test/ssl/conf/server-cn-only.config
index 1e5d582213..9edb7b7aca 100644
--- a/src/test/ssl/server-cn-only.config
+++ b/src/test/ssl/conf/server-cn-only.config
@@ -9,5 +9,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-multiple-alt-names.config b/src/test/ssl/conf/server-multiple-alt-names.config
similarity index 100%
rename from src/test/ssl/server-multiple-alt-names.config
rename to src/test/ssl/conf/server-multiple-alt-names.config
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/conf/server-no-names.config
similarity index 85%
rename from src/test/ssl/server-no-names.config
rename to src/test/ssl/conf/server-no-names.config
index 2a71125a42..89075dec83 100644
--- a/src/test/ssl/server-no-names.config
+++ b/src/test/ssl/conf/server-no-names.config
@@ -10,7 +10,4 @@ prompt = no
[ req_distinguished_name ]
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/conf/server-revoked.config
similarity index 88%
rename from src/test/ssl/server-revoked.config
rename to src/test/ssl/conf/server-revoked.config
index 47ef6462dc..c9e1f5d431 100644
--- a/src/test/ssl/server-revoked.config
+++ b/src/test/ssl/conf/server-revoked.config
@@ -11,5 +11,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-single-alt-name.config b/src/test/ssl/conf/server-single-alt-name.config
similarity index 100%
rename from src/test/ssl/server-single-alt-name.config
rename to src/test/ssl/conf/server-single-alt-name.config
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/conf/server_ca.config
similarity index 81%
rename from src/test/ssl/server_ca.config
rename to src/test/ssl/conf/server_ca.config
index d6126d5195..496aaba29f 100644
--- a/src/test/ssl/server_ca.config
+++ b/src/test/ssl/conf/server_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..4f4bc707d6 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..01d0c4d6a4 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..7fafa14de1 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,36 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-dn.crt b/src/test/ssl/ssl/client-dn.crt
index f2f6a62dad..0db14e5977 100644
--- a/src/test/ssl/ssl/client-dn.crt
+++ b/src/test/ssl/ssl/client-dn.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDBjCCAe4CAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0yMTAzMDUyMDUyNDVaFw00ODA3MjEyMDUyNDVaMFAxDTALBgNVBAoMBFBHREcx
-FDASBgNVBAsMC0VuZ2luZWVyaW5nMRAwDgYDVQQLDAdUZXN0aW5nMRcwFQYDVQQD
-DA5zc2x0ZXN0dXNlci1kbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMRLriq2Sh8+N4bhVtRUp/MAEsLQK6u/GotMSmiSr9K31YBYOvNzw8liKt4Rmnh5
-zmsdXJBW8erPNpkUAy9tFRCAx0YobhWCSfyX3orEdrhDrLFihA62zXQC69T0u4Yp
-PSXGd0yCAcOZERQ4CQVgqnsh7Kmx5QaQnqxaz4OVPArWFJP4RQBT/l+r+kCeAn6h
-qvbSbxY3FoCElQq0EF5x1F2pjL+HcBvjeI+GP430gVeJJX0RaG14Fp4v9MQT6zv/
-gvvjHC8l7YSJUROjeUzLZpUnj/ik4yrtT4av/TDGTSOpGs5qEATqk4hxAUEWw6TJ
-RoLh3Oq2N5KuzDmKBBskLX0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H54oyx
-pNkcgFF79lwc4c/Jda7j0wrZQIw5CWwO0MdCozJGRIEAA5WXA8b5THo1ZkaWv+sh
-lWnCOflBtGnEpD7dUpMW9lxGL5clMeMf3CoNYBb7zBofm+oTJytCzXHNftB4hCZj
-pvN79bNT4msWbmxDyi75nfbEfzK1BKnfCg+DWBBjEnHC8VzgDq6ACN6FEoyFb+fr
-dlDoof+S7k8jYAzhxwySI5DnMzr9OIwnepWfx9HENsasAighc8vFSEouShvsOlYS
-L0OIb9Tn6M5q1tWoLHulQsQYDPzaO/1M7ubsr5xCx1ReDK4gaNwS3YXn/2KE9Kco
-aKCrL89AjQrJPA==
+MIIDDTCCAfUCCCAhBikTA0IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwNjI5MjAwMzQyWhcNNDgxMTE0MjAwMzQyWjBQMQ0wCwYDVQQK
+DARQR0RHMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UECwwHVGVzdGluZzEX
+MBUGA1UEAwwOc3NsdGVzdHVzZXItZG4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDES64qtkofPjeG4VbUVKfzABLC0CurvxqLTEpokq/St9WAWDrzc8PJ
+YireEZp4ec5rHVyQVvHqzzaZFAMvbRUQgMdGKG4Vgkn8l96KxHa4Q6yxYoQOts10
+AuvU9LuGKT0lxndMggHDmREUOAkFYKp7IeypseUGkJ6sWs+DlTwK1hST+EUAU/5f
+q/pAngJ+oar20m8WNxaAhJUKtBBecdRdqYy/h3Ab43iPhj+N9IFXiSV9EWhteBae
+L/TEE+s7/4L74xwvJe2EiVETo3lMy2aVJ4/4pOMq7U+Gr/0wxk0jqRrOahAE6pOI
+cQFBFsOkyUaC4dzqtjeSrsw5igQbJC19AgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AECbQQ9rBzCexNI3VKDVA+CZa0ib48XbcJwXmva3spvjjCB5cGPToyF1B+4mVg1H
+1uM/XRAoQmNRtB+xKEAceMSxJA02tBlwMOclXlO0oGLYyc+S61K+UEPSk6Kka4aC
+NpeLSqN5ahC9z8C5uMJl36pFf13aU05uRkXKcI4gkn02I4jRc/a8gF7URdhdf920
+KmYSUh1V0B3pPAB6ArqJ60iHOqkCYIIIbi2EpVP53IKkoB9tr4ud8oMoN6ggIXU1
+2oHvnaKJ7RZaQNefS3WweyHxr4cCVtEour/ELph48OuW6Y5jqPT+5Ln3Qz0e6KW9
+o3thBx0aKSYlmt9gH254M9M=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..51ebe924a6 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
-UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
-U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
-xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
-ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
-l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX
+JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK
+QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg
+b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ
+708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG
+TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J
+N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf
+Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz
+8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r
+R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6
+EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB
+J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu
+moHgw8OJzg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..1f6ae05fe4 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..ef48749f76 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..02eff4d326 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..7819c54828 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..8b0c716d63 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..5074f4fa9b 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..5ee9870d6f 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..12d1ec363e 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
-c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
-YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
-U24PDn2etTZOK1wsHHkAiHPvgRX7G/+78a5fSC8nMNaH/oR4zMMhwksiruISA7x9
-/l+4DO7C42C5mRfnUmMGJdzau1+A8jcIxTWWoJtva9b1k3g+bvBGq9138X+bJKIW
-YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
-pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
-Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
-cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+MIIDVTCCAj2gAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMEYxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5h
+bWUucGctc3NsdGVzdC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwVES+mD1iY1UBGWNLsuBxGkyOGTI1X/sXcCUZ7aLOGkXHYatiUTcIrSNNAS5
+yCvbq/A/C1NuDw59nrU2TitcLBx5AIhz74EV+xv/u/GuX0gvJzDWh/6EeMzDIcJL
+Iq7iEgO8ff5fuAzuwuNguZkX51JjBiXc2rtfgPI3CMU1lqCbb2vW9ZN4Pm7wRqvd
+d/F/mySiFmLFsB4HLhCGZN89vO4cbslN4+YrGKEcHeXGWRaxv6gSXbpEgUYpefzz
++QB7AepU5aWntm3X+E1we5AHLSKckwUdBuT5uYgmZcYA/kCC4/9RS02jTlu4Vfrd
+SemHwuo2UQ5ODJxzAhWrEl3F4QIDAQABo0swSTBHBgNVHREEQDA+gh1kbnMxLmFs
+dC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0ZXN0
+LnRlc3QwDQYJKoZIhvcNAQELBQADggEBAG3dFQ/DqjFbjzIOni079R3I94lAZqbc
+cRUumDPSzihKwvCCnU5quqnYkOFISqBZsYmxR5fiHx4wT+jmWvLSltkaeS6gcGC1
+zuO8GFzL+PATUX63js8IfE3WYJE/bjmDVVzJOBArrbsExofdE2F2kkkLkjhk0ylg
+/TrAKtyqpsob0b4ZjMloR5JFHQXGHN/922x6Do1vduHMXlGckmR0sX6Mg/fiChVh
+vixUJje4W9ohft8G7lj3GnzI1gHEMp2PYKM+wqOug/gXEQuMIFlhjp2Mc6bAvFsD
+grgdAgcYUvgKukF9efJHq2V5XjqBWrmGAOQkiH1y+9gxhiHUiw+vojY=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..acdf6f1a75 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
-bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
-JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
-K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
-5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
-jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+MIIDAzCCAesCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWz
+VPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7zJkxnnm6RGBXPx6vK3AkAIi+wG4Y
+mXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu3nDjAVkPexsSrPyiKimFuNgDfkGe
+5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWWJf5D/PehdSuc0e5Me+91Nnbz90nl
+ds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzfwl36Kd/bWB0fAEVFse3iZWmigaI/
+9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo3rE6jg6/iAwSWib9yabfYPKbqq2G
+oFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA2AZrD9cTQXTW
+4j2tT8N/TTc6WK2ncN4h22NTte6vK7MVwsZJCtw5ndYkmxcWkXAqiclzWyMdayds
+WOa12CEH7jKAhivF4Hcw3oO3JHM5BA6KzLWBVz9uZksOM6mPqn29DTKvA/Y1V8tj
+mxK/KUA68h/u6inu3mo4ywBpb/tqHxxg2cjyR0faCmM0pwRM0HBr/16fUMfO83nj
+QG8g9J/bybu5sYso/aSoC5nUNp4XjmDMdVLdqg/nTe/ejS8IfFr0WQxBlqooqFgx
+MSE+kX2e2fHsuOWSU/9eClt6FpQrwoC2C8F+/4g1Uz7Liqc4yMHPwjgeP9ewrrLO
+iIhlNNPqpQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..58799e49f8 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
-3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
-eUQLCvPNgay3/ua4Mz0Nf7S9cgC9AZu/EEYjQIEzfO0cEANeVIWtgZfM3+2j0pmZ
-46AEYlEZJkmDT0/mnHk3YTj3I6qQhr34wZvqcrwouYRN5NiOVYJLpb6gPSoalm+P
-YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
-VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
-LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
-ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+MIIDSzCCAjOgAwIBAgIIICEDAxQSBwMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANdIkKX1X+Jwqo5EXC1z/TjUKnYTDzHYx2rCqprBU8fN0mSy
+lMyjDm+eo924PN7LahqCHeDCMbapwymkoNfpLHkNRwotHLvxN5RyxJD4m5fXclRo
+V1ZzwwXTqXlECwrzzYGst/7muDM9DX+0vXIAvQGbvxBGI0CBM3ztHBADXlSFrYGX
+zN/to9KZmeOgBGJRGSZJg09P5px5N2E49yOqkIa9+MGb6nK8KLmETeTYjlWCS6W+
+oD0qGpZvj2Fzioz+Pn1q9fB3WS687GuMT0WvV3LAzcn341r0E36bUf9rxSjfBX79
+11KsVMemr1QskSmvMQFEv6R1Rp8xUGPqKlkRJ9sCAwEAAaNnMGUwYwYDVR0RBFww
+WoIdZG5zMS5hbHQtbmFtZS5wZy1zc2x0ZXN0LnRlc3SCHWRuczIuYWx0LW5hbWUu
+cGctc3NsdGVzdC50ZXN0ghoqLndpbGRjYXJkLnBnLXNzbHRlc3QudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAuRAyYBwAZLKERoYDy/kE9LKddJfLhledTJ7+cIWs6T9V
+KBfWBHZYxfxmdBYwqVZfog8c5uHREfWiUPoF/aMq3ARay96aMh4xXJ+2a7HAmknF
+9AJWRieoc3H/QkMzAuT8IDTmoEarsr8vsX1MGabobZte/B9tEjq/z5t3GfLrHMVX
+5092U6Ka40ii4U1VwjR8YnRBwjm3UpLmZJAjvXjw13/XucNV5O8Plo1yvS+G0AMh
+KdMxExiItVtjZteiA0pJf0YGAzTFyzvwBljTcs4NfZ2M0ta9i0r4BF7wQ8tDezN7
+VxdJVPc5xPqncp0cMdUAE2xDmYlKEqB0kuAHNwH5/Q==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..b5d0589090 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
-+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
-4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
-Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
-Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+MIIC3TCCAcUCCCAhAwMUEgcEMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAgMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCfOf74edog2QHkJlreO6NJEe1VZUSxn+LBeHH8T5fniFiM4Ym9X2o3
+XKhYsvNSwvrfWwMkajMkd3b3vURiuiAxYzB/9AwX97RUkZ8TfuU3UgISiCbJZrVH
+TpfJEv7JhePgYpAoOdPWqtFPmnO/Xv6uNjsrx/V/3COovUj3eIcyQzAl+eC2U9Tn
+//dJ0kF+hDnOR3I/3e6bAboJjAVvLl2ABryaateHuUaCu/Bf5mG1DarXNXPKYuP+
+KrkjHhH0KQ4Js3nu7bPEiG0E/JmCR452j72WKb+PiJHOxdMMyztZ3k6bGGlbw60j
+CwQnUJAlPL4G9U+lpVYG6f7HxOaJEscfAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AJAwYwIL4oj3NisXCXkEp9zqDXiZvNW9yW3bY8lFFCpU7o5n92tCf2OFAkKaYhF1
+Eb2weyDULtW7W/wgdlOZL9npayYKzTusl6e8xfTQyjRCsoKWvnWOEkPH7VraZJ8c
+Ko1KhaVWX98VLdlUh5giYAEkdhk0qPYKsQ32unBXXJu0pX63pnPDoaUBiZUWr/3l
+CfkjgGY5YA8YxiDlHGNF1qlcX2fQKloDlvtH0L5Enwt25w2/IvWhTN6YxDR+rgdD
+XYbQr6o6vsmnZTJ3zUZ6XFo98sZq5L9oy1pcC8roV7w0AUVxraTWYILyGfNgruG8
+xsok/hu1L2VnktveEW/qoVs=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..3bb0f164a6 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
-4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
-PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
-WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
-qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
-34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+MIIDAzCCAesCCCAhAwMUEgcFMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKD
+zvJUs+N+KeDwWAW0zfI5C1t3BxKUwh+MrwtFeNIcxhJd9Bzy6fNnvpMa/kNPoHfN
+n73OGLYeSDyiDc56dvBjLOfxPXFFN4TCuIxYSizIjniL3tzP/a8hyvO+KqTYyaEs
+cT8+/rNnqlqBXNqcdChSGpk0y34uybvWj2/wDJWTbFJ20bI+30HOxCfK8Dp3s8Nl
+suVSuLKF/qqbidDZuOAKc0/GJo2F/5AF9MkMYELmG6XAVq/XDkI3oLtxQKh6kYfc
+nu3fI0Mwr9+FoP2q+K5KskA3KJLlgBOykG55Odbe6Js4TPHrMBTgC9aWrP/I1gb8
+tFY2FVN+D/Wl8T/Boh0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxVHoqX25W4Hx
+pMNjv2AJzcB7D+c+dUXAmLLJ7jh6szWeL0M2E5qX4dLc8LzQKnXv5ZcT4i/akjDX
+etdzuqh03kvDJvUkHclSWffmowmWMTG6GCA6S/2TQzSibIptkwqs74aIkayVJaC4
+jCBR+PVT8+cE2FMD6dAWu//fyEcpTg6XpZ/Upgu9OITGNaEQUGz8pSRkTgspfO0Q
+AKPmql6dpywReIlr5mzy9liCzf/BbAVHGmP/pBGIkLn2AzvPLCQ/UFZYT6aH7l5J
+nzmFhgRC3U5wPMdelHGrPMXg6OHCcyrQY0kEi7N/GQ5+jZkICoQuPJ7APKEZAUgO
+XRwVulaWJQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..7affdd68e7 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
-1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
-F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
-J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
-Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
-kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+MIIDEjCCAfqgAwIBAgIIICEDAxQSBwIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMWKHC1lrog7A8ye8C3NM38JBiQBMuIZR40wORl0hJxj5Tp8
+dX8Xo2Thi9Ry33+YfMwfkkF66ZRwnMMEa8VYBmOz+fZFzF19WpE8F1CR3PxKE7ai
+zvunxy8oMxdXdIuTTzt8a5NcDLe22C4Yj21qaZVoh182ycvMH93V4MwsLcV3/GdV
+Ko7QpwP2ZCf5D1rhyccx+Trwyb2bKvhW5Jd3GrRacFJQFfUyrAu/FvyuSPmn86ab
+Jkr7CCgFlg6e4O9SFY7yXiOgLotsoQ5/YriTLinvUTGCMCSxaol97qx3I2gUpCZu
+i7H+4Dt9L5FcCMshl0TU32dsjw6El1Wbzp6voCsCAwEAAaMuMCwwKgYDVR0RBCMw
+IYIfc2luZ2xlLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDANBgkqhkiG9w0BAQsF
+AAOCAQEAUIhBQLzQgd7wHlT9DARxcC7SZwQtnk2BVqMYTRBU4uIa0i2HVyetpe1P
+rREthYq5sgaSqdonD9Splg8BLUlah9y3v9j6DBxkxNnz/3AZuA5oPaC/TZ+lwlX3
+QNWWFNaNZdcQbvjUvoPXIbJ6U9UDfByOJdoN4kJ6xe8Faj1Mp5Euqzr1ErrMtPWJ
+XLnXLV4WyAx+iMAbofXNlCyUorPGA8lRudzQ7bKdrhMZDE66VYwlwsUejEiODt7M
+NGTDs4aAZz9cBRjMeXhvX60cFQoykjAvWbieUKOgaFmJJyKemFj12cLeWyxvUodI
+kYtgAdzftiCSrbDjl1pzPSM6RC/E/A==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..0d6d7a6f82 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
new file mode 100644
index 0000000000..b71c1ea159
--- /dev/null
+++ b/src/test/ssl/sslfiles.mk
@@ -0,0 +1,242 @@
+#-------------------------------------------------------------------------
+#
+# Makefile for sslfiles
+#
+# The SSL test files are completely disjoint from the rest of the build; they
+# don't rely on other targets or on Makefile.global. Since these recipes rely
+# on some default Make behavior that's disabled in the main build tree, such
+# as intermediate cleanup, they've been moved into their own separate file.
+# The main Makefile in this directory defers to this helper file when
+# building the sslfiles-related targets.
+#
+# Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+# Portions Copyright (c) 1994, Regents of the University of California
+#
+# src/test/ssl/sslfiles.mk
+#
+#-------------------------------------------------------------------------
+
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# the conf/ directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
+ server-cn-only \
+ server-single-alt-name \
+ server-multiple-alt-names \
+ server-no-names \
+ server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key \
+ ssl/client-encrypted-pem.key \
+ ssl/client-encrypted-der.key
+
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
+ ssl/both-cas-1.crt \
+ ssl/both-cas-2.crt \
+ ssl/root+server_ca.crt \
+ ssl/root+server.crl \
+ ssl/root+client_ca.crt \
+ ssl/root+client.crl \
+ ssl/client+client_ca.crt
+
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl \
+ ssl/client.crl \
+ ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
+SSLDIRS := ssl/client-crldir \
+ ssl/server-crldir \
+ ssl/root+client-crldir \
+ ssl/root+server-crldir
+
+# This target re-generates all the key and certificate files. Usually we just
+# use the ones that are committed to the tree without rebuilding them.
+#
+.PHONY: sslfiles
+sslfiles: $(SSLFILES) $(SSLDIRS)
+
+#
+# Special-case certificates
+#
+
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
+ openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
+
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
+
+# Password-protected version of server-cn-only.key
+ssl/server-password.key: ssl/server-cn-only.key
+ openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+
+# DER-encoded version of client.key
+ssl/client-der.key: ssl/client.key
+ openssl rsa -in $< -outform DER -out $@
+
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
+# formats to test libpq's support for the sslpassword= option.
+ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform PEM -aes256 -passout 'pass:dUmmyP^#+' -out $@
+ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
+
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
+
+# Root certificate file that contains both CA certificates, for testing
+# that multiple certificates can be used.
+ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
+
+# The same, but the certs are in different order
+ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
+
+# A root certificate file for the client, to validate server certs.
+ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
+
+# and for the server, to validate client certs
+ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
+
+# and for the client, to present to the server
+ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
+
+# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
+# chain, even if some of them are empty.
+ssl/root+server.crl: ssl/root.crl ssl/server.crl
+ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
+ cat $^ > $@
+
+#
+# Standard keys
+#
+
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
+
+#
+# Standard certificates
+#
+
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
+.NOTPARALLEL:
+$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
+
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
+ssl/%.csr: ssl/%.key conf/%.config
+ openssl req -new -key $< -out $@ -config conf/$*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
+#
+
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config conf/cas.config -name root_ca -gencrl -out $@
+
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config conf/cas.config -name server_ca -revoke $<
+ openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
+
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config conf/cas.config -name client_ca -revoke $<
+ openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
+ssl/client-crldir: ssl/client.crl
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
+
+.PHONY: sslfiles-clean
+sslfiles-clean:
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
+
+# The difference between the below clean targets and sslfiles-clean is that the
+# clean targets will be run during a "standard" recursive clean run from the
+# main build tree. The sslfiles-clean target must be run explicitly from this
+# directory.
+.PHONY: clean distclean maintainer-clean
+clean distclean maintainer-clean:
+ rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 3bc711f4a7..a901077469 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -485,6 +485,21 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+if ($? == 0)
+{
+ $serialno =~ s/^serial=//;
+ $serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+}
+else
+{
+ # OpenSSL isn't functioning on the user's PATH. This probably isn't worth
+ # skipping the test over, so just fall back to a generic integer match.
+ warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ $serialno = '\d+';
+}
+
command_like(
[
'psql',
@@ -500,7 +515,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
--
2.24.3 (Apple Git-128)
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Mon, 2021-09-13 at 15:04 +0200, Daniel Gustafsson wrote:
A few things noted (and fixed as per the attached, which is v6 squashed and
rebased on HEAD; commitmessage hasn't been addressed yet) while reviewing:* Various comment reflowing to fit within 79 characters
* Pass through the clean targets into sslfiles.mk rather than rewrite them to
make clean (even if they are the same in sslfiles.mk).* Moved the lists of keys/certs to be one object per line to match the style
introduced in 01368e5d9. The previous Makefile was violating that as well, but
when we're fixing this file for other things we might as well fix that too.
Looks good, thanks!
* Bumped the password protected key output to AES256 to match the server files,
since it's more realistic to see than AES128 (and I was fiddling around here
anyways testing different things, see below).
Few thoughts about this part of the diff:
-# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats -# to test libpq's support for the sslpassword= option. -ssl/client-encrypted-pem.key: outform := PEM -ssl/client-encrypted-der.key: outform := DER +# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) +# formats to test libpq's support for the sslpassword= option. ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key - openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@ + openssl rsa -in $< -outform PEM -aes256 -passout 'pass:dUmmyP^#+' -out $@ +ssl/client-encrypted-der.key: ssl/client.key + openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
1. Should the DER key be AES256 as well?
2. The ssl/client-encrypted-der.key target for the first recipe should
be removed; I get a duplication warning from Make.
3. The new client key will need to be included in the patch; the one
there now is still the AES128 version.
And one doc comment:
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to -recreate them if you need to make changes. +recreate them if you need to make changes. "make sslfiles-clean" is required +in order to recreate.
This is only true if you need to rebuild the entire tree; if you just
want to recreate a single cert pair, you can just touch the config file
for it (or remove the key, if you want to regenerate the pair) and
`make sslfiles` again.
The submitted patch works for 1.0.1, 1.0.2 and 1.1.1 when running the below
sequence:make check
make ssfiles-clean
make sslfiles
make checkTesting what's in the tree, recreating the keys/certs and testing against the
new ones.
Great, thanks!
In OpenSSL 3.0.0, the final make check on the generated files breaks on the
encrypted DER key. The key generates fine, and running "openssl rsa ..
-check" validates it, but it fails to load into postgres. Removing the
explicit selection of cipher makes the test pass again (also included in the
attached). I haven't been able to track down exactly what the issue is, but I
have a suspicion that it's in OpenSSL rather than libpq. This issue is present
in master too, so fixing it is orthogonal to this work, but it needs to be
figured out.Another point of interest here is that 3.0.0 put "openssl rsa" in maintenance
mode, so maybe we'll have to look at supporting "openssl pkeyutl" as well for
some parts should future bugs remain unfixed in the rsa command.
Good to know. Agreed that it should be a separate patch.
--Jacob
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 15 Sep 2021, at 00:14, Jacob Champion <pchampion@vmware.com> wrote:
On Mon, 2021-09-13 at 15:04 +0200, Daniel Gustafsson wrote:
-# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats -# to test libpq's support for the sslpassword= option. -ssl/client-encrypted-pem.key: outform := PEM -ssl/client-encrypted-der.key: outform := DER +# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) +# formats to test libpq's support for the sslpassword= option. ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key - openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@ + openssl rsa -in $< -outform PEM -aes256 -passout 'pass:dUmmyP^#+' -out $@ +ssl/client-encrypted-der.key: ssl/client.key + openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@1. Should the DER key be AES256 as well?
It should, but then it fails to load by postgres, my email wasn't clear about
this, sorry. The diff to revert from aes256 (and aes128 for that matter) is to
make the key load at all.
2. The ssl/client-encrypted-der.key target for the first recipe should
be removed; I get a duplication warning from Make.
Interesting, I didn't see that, will check.
3. The new client key will need to be included in the patch; the one
there now is still the AES128 version.
Good point, that's a reason to keep it aes128 until the encrypter DER key in
3.0.0 issue has been fixed.
And one doc comment:
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to -recreate them if you need to make changes. +recreate them if you need to make changes. "make sslfiles-clean" is required +in order to recreate.This is only true if you need to rebuild the entire tree; if you just
want to recreate a single cert pair, you can just touch the config file
for it (or remove the key, if you want to regenerate the pair) and
`make sslfiles` again.
Correct. In my head, "rebuild" is when dealing with individually changed files
and "recreate" means rebuild everything regardless. Thats just my in my head
though, so clearly the wording should be expanded. Will do.
--
Daniel Gustafsson https://vmware.com/
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Wed, Sep 15, 2021 at 12:31:31AM +0200, Daniel Gustafsson wrote:
Correct. In my head, "rebuild" is when dealing with individually changed files
and "recreate" means rebuild everything regardless. Thats just my in my head
though, so clearly the wording should be expanded. Will do.
So this will be addressed and perhaps merged into the tree, right?
--
Michael
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 1 Oct 2021, at 08:59, Michael Paquier <michael@paquier.xyz> wrote:
On Wed, Sep 15, 2021 at 12:31:31AM +0200, Daniel Gustafsson wrote:
Correct. In my head, "rebuild" is when dealing with individually changed files
and "recreate" means rebuild everything regardless. Thats just my in my head
though, so clearly the wording should be expanded. Will do.So this will be addressed and perhaps merged into the tree, right?
Yes, I'm finalizing testing of this patch across platforms and OpenSSL versions.
--
Daniel Gustafsson https://vmware.com/
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 1 Oct 2021, at 09:02, Daniel Gustafsson <daniel@yesql.se> wrote:
On 1 Oct 2021, at 08:59, Michael Paquier <michael@paquier.xyz> wrote:
On Wed, Sep 15, 2021 at 12:31:31AM +0200, Daniel Gustafsson wrote:
Correct. In my head, "rebuild" is when dealing with individually changed files
and "recreate" means rebuild everything regardless. Thats just my in my head
though, so clearly the wording should be expanded. Will do.So this will be addressed and perhaps merged into the tree, right?
Yes, I'm finalizing testing of this patch across platforms and OpenSSL versions.
The attached contains the requested fixes, and has been tested on all (by us)
supported versions of OpenSSL. Unless there are objections I will apply this
to master shortly.
--
Daniel Gustafsson https://vmware.com/
Attachments:
v8-0001-Refactor-the-sslfiles-Makefile-target-for-ease-of.patchapplication/octet-stream; name=v8-0001-Refactor-the-sslfiles-Makefile-target-for-ease-of.patch; x-unix-mode=0644Download
From a5965a96e1666508f8a1ec1d00e76d481e2c185c Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Fri, 15 Oct 2021 13:49:13 +0200
Subject: [PATCH v8] Refactor the sslfiles Makefile target for ease of use
The Makefile handling of certificate and keypairs used for TLS tests
had become quite difficult to work with, especially adding a new cert
without regenerating everything. This patch makes adding a new cert
as easy as dropping in a new .config file, adding it to the top of the
Makefile, and running `make sslfiles`.
Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
dirs.
- New certificates have serial numbers based on the current time,
reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
possible copy-paste errors).
- all configuration files underneath the conf/ directory.
Author: Jacob Champion <pchampion@vmware.com>
Discussion: https://postgr.es/m/d15a9838344ba090e09fd866abf913584ea19fb7.camel@vmware.com
---
src/test/ssl/Makefile | 167 +-----------
src/test/ssl/README | 4 +-
src/test/ssl/{ => conf}/cas.config | 10 +-
src/test/ssl/{ => conf}/client-dn.config | 1 -
src/test/ssl/conf/client-revoked.config | 13 +
src/test/ssl/{ => conf}/client.config | 1 -
src/test/ssl/{ => conf}/client_ca.config | 5 +
src/test/ssl/{ => conf}/root_ca.config | 1 +
.../{ => conf}/server-cn-and-alt-names.config | 0
src/test/ssl/{ => conf}/server-cn-only.config | 3 +-
.../server-multiple-alt-names.config | 0
.../ssl/{ => conf}/server-no-names.config | 5 +-
src/test/ssl/{ => conf}/server-revoked.config | 3 +-
.../{ => conf}/server-single-alt-name.config | 0
src/test/ssl/{ => conf}/server_ca.config | 5 +
src/test/ssl/ssl/both-cas-1.crt | 86 +++---
src/test/ssl/ssl/both-cas-2.crt | 86 +++---
src/test/ssl/ssl/client+client_ca.crt | 65 ++---
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 18 +-
src/test/ssl/ssl/client-dn.crt | 34 +--
src/test/ssl/ssl/client-revoked.crt | 31 +--
src/test/ssl/ssl/client.crl | 18 +-
src/test/ssl/ssl/client.crt | 31 +--
src/test/ssl/ssl/client_ca.crt | 34 +--
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 18 +-
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 16 +-
src/test/ssl/ssl/root+client.crl | 34 +--
src/test/ssl/ssl/root+client_ca.crt | 52 ++--
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 16 +-
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 18 +-
src/test/ssl/ssl/root+server.crl | 34 +--
src/test/ssl/ssl/root+server_ca.crt | 52 ++--
src/test/ssl/ssl/root.crl | 16 +-
src/test/ssl/ssl/root_ca.crt | 18 +-
src/test/ssl/ssl/server-cn-and-alt-names.crt | 36 +--
src/test/ssl/ssl/server-cn-only.crt | 33 +--
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 18 +-
.../ssl/ssl/server-multiple-alt-names.crt | 36 +--
src/test/ssl/ssl/server-no-names.crt | 32 +--
src/test/ssl/ssl/server-revoked.crt | 33 +--
src/test/ssl/ssl/server-single-alt-name.crt | 34 +--
src/test/ssl/ssl/server.crl | 18 +-
src/test/ssl/ssl/server_ca.crt | 34 +--
src/test/ssl/sslfiles.mk | 244 ++++++++++++++++++
src/test/ssl/t/001_ssltests.pl | 17 +-
45 files changed, 778 insertions(+), 652 deletions(-)
rename src/test/ssl/{ => conf}/cas.config (93%)
rename src/test/ssl/{ => conf}/client-dn.config (97%)
create mode 100644 src/test/ssl/conf/client-revoked.config
rename src/test/ssl/{ => conf}/client.config (96%)
rename src/test/ssl/{ => conf}/client_ca.config (81%)
rename src/test/ssl/{ => conf}/root_ca.config (92%)
rename src/test/ssl/{ => conf}/server-cn-and-alt-names.config (100%)
rename src/test/ssl/{ => conf}/server-cn-only.config (85%)
rename src/test/ssl/{ => conf}/server-multiple-alt-names.config (100%)
rename src/test/ssl/{ => conf}/server-no-names.config (85%)
rename src/test/ssl/{ => conf}/server-revoked.config (88%)
rename src/test/ssl/{ => conf}/server-single-alt-name.config (100%)
rename src/test/ssl/{ => conf}/server_ca.config (81%)
create mode 100644 src/test/ssl/sslfiles.mk
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index c216560dcc..3592c0d184 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -15,170 +15,17 @@ include $(top_builddir)/src/Makefile.global
export with_ssl
-CERTIFICATES := server_ca server-cn-and-alt-names \
- server-cn-only server-single-alt-name server-multiple-alt-names \
- server-no-names server-revoked \
- client_ca client client-dn client-revoked \
- root_ca
-
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
- ssl/server-password.key \
- ssl/client.crl ssl/server.crl ssl/root.crl \
- ssl/both-cas-1.crt ssl/both-cas-2.crt \
- ssl/root+server_ca.crt ssl/root+server.crl \
- ssl/root+client_ca.crt ssl/root+client.crl \
- ssl/client+client_ca.crt ssl/client-der.key \
- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-
-SSLDIRS := ssl/client-crldir ssl/server-crldir \
- ssl/root+client-crldir ssl/root+server-crldir
-
-# This target re-generates all the key and certificate files. Usually we just
-# use the ones that are committed to the tree without rebuilding them.
-#
-# This target will fail unless preceded by sslfiles-clean.
-#
-sslfiles: $(SSLFILES) $(SSLDIRS)
-
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
- mkdir ssl/new_certs_dir
-
-# Rule for creating private/public key pairs.
-ssl/%.key:
- openssl genrsa -out $@ 2048
- chmod 0600 $@
-
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
- touch ssl/root_ca-certindex
- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
- echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
- touch ssl/$*_ca-certindex
- echo "unique_subject=no" > ssl/$*_ca-certindex.attr
- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
- echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
- openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
- openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
- rm ssl/server-$*.csr
-
-# Password-protected version of server-cn-only.key
-ssl/server-password.key: ssl/server-cn-only.key
- openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
- rm ssl/client.csr ssl/temp.crt
-
-# Client certificate with multi-part DN, signed by the client CA:
-ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
- openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
- rm ssl/client-dn.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
- rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
-ssl/client-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
-
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
-# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
-
-ssl/client-encrypted-der.key: ssl/client.key
- openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
-
-# Root certificate files that contains both CA certificates, for testing
-# that multiple certificates can be used.
-ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
- cat $^ > $@
-
-# The same, but the certs are in different order
-ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
- cat $^ > $@
-
-# A root certificate file for the client, to validate server certs.
-ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
- cat $^ > $@
-
-# and for the server, to validate client certs
-ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
- cat $^ > $@
-
-ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
- cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
-
-# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
-# chain, even if some of them are empty.
-ssl/root+server.crl: ssl/root.crl ssl/server.crl
- cat $^ > $@
-ssl/root+client.crl: ssl/root.crl ssl/client.crl
- cat $^ > $@
-
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
- mkdir ssl/root+server-crldir
- cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
- cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
-
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
- mkdir ssl/root+client-crldir
- cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
- cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
-
-ssl/server-crldir: ssl/server.crl
- mkdir ssl/server-crldir
- cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
-
-ssl/client-crldir: ssl/client.crl
- mkdir ssl/client-crldir
- cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
-
-.PHONY: sslfiles-clean
-sslfiles-clean:
- rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
- rm -rf $(SSLDIRS)
+# The sslfiles targets are separated into their own file due to interactions
+# with settings in Makefile.global.
+.PHONY: sslfiles sslfiles-clean
+sslfiles sslfiles-clean:
+ $(MAKE) -f sslfiles.mk $@
clean distclean maintainer-clean:
rm -rf tmp_check
- rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
+ $(MAKE) -f sslfiles.mk $@
-# Doesn't depend on $(SSLFILES) because we don't rebuild them by default
+# Doesn't depend on sslfiles because we don't rebuild them by default
check:
$(prove_check)
diff --git a/src/test/ssl/README b/src/test/ssl/README
index b9d96a637d..f3f196e214 100644
--- a/src/test/ssl/README
+++ b/src/test/ssl/README
@@ -85,7 +85,9 @@ There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.
For convenience, all of these keypairs and certificates are included in the
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
-recreate them if you need to make changes.
+recreate them if you need to make changes. "make sslfiles-clean" is required
+in order to recreate the full set of keypairs and certificates. To rebuild
+separate files, touch (or remove) the files in question and run "make sslfiles".
TODO
====
diff --git a/src/test/ssl/cas.config b/src/test/ssl/conf/cas.config
similarity index 93%
rename from src/test/ssl/cas.config
rename to src/test/ssl/conf/cas.config
index 8c0ef6d82b..2c4851033a 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/conf/cas.config
@@ -1,12 +1,5 @@
# This file contains the configuration for all the CAs.
-[ req ]
-prompt = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
# Root CA, used to sign the certificates of the intermediary server and
# client CAs.
[ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
new_certs_dir = ./ssl/new_certs_dir
policy = policy_match
email_in_dn = no
+copy_extensions = copy
# CA used to sign all the server certificates.
[ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/server_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/server.crl
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
serial = ./ssl/client_ca.srl
policy = policy_match
email_in_dn = no
+copy_extensions = copy
unique_subject = no
crl = ./ssl/client.crl
diff --git a/src/test/ssl/client-dn.config b/src/test/ssl/conf/client-dn.config
similarity index 97%
rename from src/test/ssl/client-dn.config
rename to src/test/ssl/conf/client-dn.config
index ee2df54bd6..0c71d83127 100644
--- a/src/test/ssl/client-dn.config
+++ b/src/test/ssl/conf/client-dn.config
@@ -13,4 +13,3 @@ O = PGDG
CN = ssltestuser-dn
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/conf/client-revoked.config b/src/test/ssl/conf/client-revoked.config
new file mode 100644
index 0000000000..3b82b57103
--- /dev/null
+++ b/src/test/ssl/conf/client-revoked.config
@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+CN = ssltestuser
+
+# no extensions in client certs
diff --git a/src/test/ssl/client.config b/src/test/ssl/conf/client.config
similarity index 96%
rename from src/test/ssl/client.config
rename to src/test/ssl/conf/client.config
index 2e9d40d299..26fc2571f5 100644
--- a/src/test/ssl/client.config
+++ b/src/test/ssl/conf/client.config
@@ -10,4 +10,3 @@ prompt = no
CN = ssltestuser
# no extensions in client certs
-[ v3_req ]
diff --git a/src/test/ssl/client_ca.config b/src/test/ssl/conf/client_ca.config
similarity index 81%
rename from src/test/ssl/client_ca.config
rename to src/test/ssl/conf/client_ca.config
index ef93d598c2..5990f06000 100644
--- a/src/test/ssl/client_ca.config
+++ b/src/test/ssl/conf/client_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/root_ca.config b/src/test/ssl/conf/root_ca.config
similarity index 92%
rename from src/test/ssl/root_ca.config
rename to src/test/ssl/conf/root_ca.config
index 187a9b8a46..e193186f8b 100644
--- a/src/test/ssl/root_ca.config
+++ b/src/test/ssl/conf/root_ca.config
@@ -4,6 +4,7 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Test root CA for PostgreSQL SSL regression test suite
diff --git a/src/test/ssl/server-cn-and-alt-names.config b/src/test/ssl/conf/server-cn-and-alt-names.config
similarity index 100%
rename from src/test/ssl/server-cn-and-alt-names.config
rename to src/test/ssl/conf/server-cn-and-alt-names.config
diff --git a/src/test/ssl/server-cn-only.config b/src/test/ssl/conf/server-cn-only.config
similarity index 85%
rename from src/test/ssl/server-cn-only.config
rename to src/test/ssl/conf/server-cn-only.config
index 1e5d582213..9edb7b7aca 100644
--- a/src/test/ssl/server-cn-only.config
+++ b/src/test/ssl/conf/server-cn-only.config
@@ -9,5 +9,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-multiple-alt-names.config b/src/test/ssl/conf/server-multiple-alt-names.config
similarity index 100%
rename from src/test/ssl/server-multiple-alt-names.config
rename to src/test/ssl/conf/server-multiple-alt-names.config
diff --git a/src/test/ssl/server-no-names.config b/src/test/ssl/conf/server-no-names.config
similarity index 85%
rename from src/test/ssl/server-no-names.config
rename to src/test/ssl/conf/server-no-names.config
index 2a71125a42..89075dec83 100644
--- a/src/test/ssl/server-no-names.config
+++ b/src/test/ssl/conf/server-no-names.config
@@ -10,7 +10,4 @@ prompt = no
[ req_distinguished_name ]
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-revoked.config b/src/test/ssl/conf/server-revoked.config
similarity index 88%
rename from src/test/ssl/server-revoked.config
rename to src/test/ssl/conf/server-revoked.config
index 47ef6462dc..c9e1f5d431 100644
--- a/src/test/ssl/server-revoked.config
+++ b/src/test/ssl/conf/server-revoked.config
@@ -11,5 +11,4 @@ prompt = no
CN = common-name.pg-ssltest.test
OU = PostgreSQL test suite
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names
diff --git a/src/test/ssl/server-single-alt-name.config b/src/test/ssl/conf/server-single-alt-name.config
similarity index 100%
rename from src/test/ssl/server-single-alt-name.config
rename to src/test/ssl/conf/server-single-alt-name.config
diff --git a/src/test/ssl/server_ca.config b/src/test/ssl/conf/server_ca.config
similarity index 81%
rename from src/test/ssl/server_ca.config
rename to src/test/ssl/conf/server_ca.config
index d6126d5195..496aaba29f 100644
--- a/src/test/ssl/server_ca.config
+++ b/src/test/ssl/conf/server_ca.config
@@ -6,6 +6,11 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no
+req_extensions = v3_ca
[ req_distinguished_name ]
CN = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..4f4bc707d6 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..01d0c4d6a4 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,48 +10,48 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..7fafa14de1 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,36 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-dn.crt b/src/test/ssl/ssl/client-dn.crt
index f2f6a62dad..0db14e5977 100644
--- a/src/test/ssl/ssl/client-dn.crt
+++ b/src/test/ssl/ssl/client-dn.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDBjCCAe4CAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0yMTAzMDUyMDUyNDVaFw00ODA3MjEyMDUyNDVaMFAxDTALBgNVBAoMBFBHREcx
-FDASBgNVBAsMC0VuZ2luZWVyaW5nMRAwDgYDVQQLDAdUZXN0aW5nMRcwFQYDVQQD
-DA5zc2x0ZXN0dXNlci1kbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMRLriq2Sh8+N4bhVtRUp/MAEsLQK6u/GotMSmiSr9K31YBYOvNzw8liKt4Rmnh5
-zmsdXJBW8erPNpkUAy9tFRCAx0YobhWCSfyX3orEdrhDrLFihA62zXQC69T0u4Yp
-PSXGd0yCAcOZERQ4CQVgqnsh7Kmx5QaQnqxaz4OVPArWFJP4RQBT/l+r+kCeAn6h
-qvbSbxY3FoCElQq0EF5x1F2pjL+HcBvjeI+GP430gVeJJX0RaG14Fp4v9MQT6zv/
-gvvjHC8l7YSJUROjeUzLZpUnj/ik4yrtT4av/TDGTSOpGs5qEATqk4hxAUEWw6TJ
-RoLh3Oq2N5KuzDmKBBskLX0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H54oyx
-pNkcgFF79lwc4c/Jda7j0wrZQIw5CWwO0MdCozJGRIEAA5WXA8b5THo1ZkaWv+sh
-lWnCOflBtGnEpD7dUpMW9lxGL5clMeMf3CoNYBb7zBofm+oTJytCzXHNftB4hCZj
-pvN79bNT4msWbmxDyi75nfbEfzK1BKnfCg+DWBBjEnHC8VzgDq6ACN6FEoyFb+fr
-dlDoof+S7k8jYAzhxwySI5DnMzr9OIwnepWfx9HENsasAighc8vFSEouShvsOlYS
-L0OIb9Tn6M5q1tWoLHulQsQYDPzaO/1M7ubsr5xCx1ReDK4gaNwS3YXn/2KE9Kco
-aKCrL89AjQrJPA==
+MIIDDTCCAfUCCCAhBikTA0IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwNjI5MjAwMzQyWhcNNDgxMTE0MjAwMzQyWjBQMQ0wCwYDVQQK
+DARQR0RHMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UECwwHVGVzdGluZzEX
+MBUGA1UEAwwOc3NsdGVzdHVzZXItZG4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDES64qtkofPjeG4VbUVKfzABLC0CurvxqLTEpokq/St9WAWDrzc8PJ
+YireEZp4ec5rHVyQVvHqzzaZFAMvbRUQgMdGKG4Vgkn8l96KxHa4Q6yxYoQOts10
+AuvU9LuGKT0lxndMggHDmREUOAkFYKp7IeypseUGkJ6sWs+DlTwK1hST+EUAU/5f
+q/pAngJ+oar20m8WNxaAhJUKtBBecdRdqYy/h3Ab43iPhj+N9IFXiSV9EWhteBae
+L/TEE+s7/4L74xwvJe2EiVETo3lMy2aVJ4/4pOMq7U+Gr/0wxk0jqRrOahAE6pOI
+cQFBFsOkyUaC4dzqtjeSrsw5igQbJC19AgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AECbQQ9rBzCexNI3VKDVA+CZa0ib48XbcJwXmva3spvjjCB5cGPToyF1B+4mVg1H
+1uM/XRAoQmNRtB+xKEAceMSxJA02tBlwMOclXlO0oGLYyc+S61K+UEPSk6Kka4aC
+NpeLSqN5ahC9z8C5uMJl36pFf13aU05uRkXKcI4gkn02I4jRc/a8gF7URdhdf920
+KmYSUh1V0B3pPAB6ArqJ60iHOqkCYIIIbi2EpVP53IKkoB9tr4ud8oMoN6ggIXU1
+2oHvnaKJ7RZaQNefS3WweyHxr4cCVtEour/ELph48OuW6Y5jqPT+5Ln3Qz0e6KW9
+o3thBx0aKSYlmt9gH254M9M=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..51ebe924a6 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
-UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
-U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
-xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
-ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
-l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX
+JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK
+QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg
+b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ
+708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG
+TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J
+N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf
+Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz
+8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r
+R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6
+EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB
+J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu
+moHgw8OJzg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..1f6ae05fe4 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
-c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
-vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
-b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
-UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
-XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
-ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD
+DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL
+oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct
+bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm
+rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen
+koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN
+NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X
+I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB
+rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u
+4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog
+A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN
+u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV
+8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI
+ac+HriJv5w==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..ef48749f76 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
index a667680e04..d93791b88a 100644
--- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..02eff4d326 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..7819c54828 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
-1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
-1EfqCZTu1+gF0SdG5cHuJ2Rtg4oisLSF221v/msPONAa1dObChWsJwme87VaFrL+
-B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
-P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
-kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
-RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+Y2xpZW50IGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+ce
+8rkNfoCvI9Wjug9pxsptsdjhZ4s7ZZ8eD5VlloryK2JccusQIX61XY8I3OZjLTgq
+1SpZbHQvktRH6gmU7tfoBdEnRuXB7idkbYOKIrC0hdttb/5rDzjQGtXTmwoVrCcJ
+nvO1Whay/gdsoqX1tT1MTPWu/6dfQkQXA0PizVvmBasAEQchxqtcH2rSc6TPE13v
+lxJ0X1vSlz92uT6kenrxUDs43AH/kASdIQBHXVA4XWBAm7NRqwKX7BBwbsF2m3Qh
++NY9Bf9MnJHLcnVnwZdlW5nd7H7BTB43XvkiYascqusYki+fY58eGSprZ/VUjmGx
+pgQnQXWCu0U3JyUL/QIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQC1syY2Rk02m5PGtfkMUIU7ZSe0mM+g0BgWAyCF/mFFYdfY0xHtqy0x
+QWkW9OR0KBl4JpphDDolHoNL3TLydH3t4inX8SAOpaUdsjMcIPKqjT1htQm0Pk5r
+vFYvKuVrxMnV0F+wMmZRuziKWrZlVDwBMfCAchzuVexDWfcjTmUQmhZxJuUzORw3
+swgh9HIpxjMkgdlHodbMAEpMIkkoeJnph3I9uTocXZbK/lAInggQdm0Q+on1ZT0A
+ljO/6jisDZzIguE4ZAQ2DfYsGI8H3tz/+76uIwwBNOmu0woUDSWXVcPWiviq49Bi
+GmH0KlUfWAphj86IfTWXT1HRay3eZQt3
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..8b0c716d63 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..5074f4fa9b 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,29 +10,29 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..5b42d3803f 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMTAzMDMy
+MjEyMDdaFw00ODA3MTkyMjEyMDdaMA0GCSqGSIb3DQEBCwUAA4IBAQACkv0Nnerr
+ZkacIUbRaANYLIsYAGfKuBYDAp4I4CCC2hvXL64KLDMZbVfB4vp3hvM2FZdT2AwT
+SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
+40qbmw8RU062ZbyFamBO7VTY7IFBA8PxuTgAH/3OYa5Jne8umyPQT5fKnqyRBz/A
+6/b5RCxuPOWFm0MJKrEaAeLk6eaCxUUqXQP+8mHscphqZTOynjAW0NPH+/x2NpxS
+/C5LTeOzJ28k8X434h323G18n/CFERWnhW1UyR1Pt6oSGMZqU5UwbSrwTsf8tSSc
++GrJP3XxJ1OC
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..5ee9870d6f 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUF+e8lCA0vD0zKtxIDVPdDY/IkgUwDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIx
+MjA3WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAY6h2MurDkE2LAG3TPhTrAczflR3np6y1cDxeRzRi
+br2bczXVfgWDsBZDhKXdIQldYQhAUU7u09GtAtujWnkJguPuVtlhEfuW/eXpcBI2
+XQnrkaTqjD/DDMJGijNVAXEHSecEls6uEuuSCxmm7hVD781Aqo0HlLPDhTEkko6r
+IYFO0QyFG+oFSVhUp2KuarQNHVgopOmWbtbrq2KqaL5Gm5AXPSRzEhIeobYdSnTe
+OCZhKLxVZiZmO71BBwsTgwtU58/G9e2ciGGdltI8ANlmVfdtwgRz3b7H9EUZat6s
+kubl/m5HWBsKJEWEzFWrWkQV3ipoTmorJ6KCGABBCeVYmg==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..12d1ec363e 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
-c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
-YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
-U24PDn2etTZOK1wsHHkAiHPvgRX7G/+78a5fSC8nMNaH/oR4zMMhwksiruISA7x9
-/l+4DO7C42C5mRfnUmMGJdzau1+A8jcIxTWWoJtva9b1k3g+bvBGq9138X+bJKIW
-YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
-pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
-Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
-cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+MIIDVTCCAj2gAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMEYxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5h
+bWUucGctc3NsdGVzdC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwVES+mD1iY1UBGWNLsuBxGkyOGTI1X/sXcCUZ7aLOGkXHYatiUTcIrSNNAS5
+yCvbq/A/C1NuDw59nrU2TitcLBx5AIhz74EV+xv/u/GuX0gvJzDWh/6EeMzDIcJL
+Iq7iEgO8ff5fuAzuwuNguZkX51JjBiXc2rtfgPI3CMU1lqCbb2vW9ZN4Pm7wRqvd
+d/F/mySiFmLFsB4HLhCGZN89vO4cbslN4+YrGKEcHeXGWRaxv6gSXbpEgUYpefzz
++QB7AepU5aWntm3X+E1we5AHLSKckwUdBuT5uYgmZcYA/kCC4/9RS02jTlu4Vfrd
+SemHwuo2UQ5ODJxzAhWrEl3F4QIDAQABo0swSTBHBgNVHREEQDA+gh1kbnMxLmFs
+dC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0ZXN0
+LnRlc3QwDQYJKoZIhvcNAQELBQADggEBAG3dFQ/DqjFbjzIOni079R3I94lAZqbc
+cRUumDPSzihKwvCCnU5quqnYkOFISqBZsYmxR5fiHx4wT+jmWvLSltkaeS6gcGC1
+zuO8GFzL+PATUX63js8IfE3WYJE/bjmDVVzJOBArrbsExofdE2F2kkkLkjhk0ylg
+/TrAKtyqpsob0b4ZjMloR5JFHQXGHN/922x6Do1vduHMXlGckmR0sX6Mg/fiChVh
+vixUJje4W9ohft8G7lj3GnzI1gHEMp2PYKM+wqOug/gXEQuMIFlhjp2Mc6bAvFsD
+grgdAgcYUvgKukF9efJHq2V5XjqBWrmGAOQkiH1y+9gxhiHUiw+vojY=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..acdf6f1a75 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
-bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
-JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
-K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
-5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
-jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+MIIDAzCCAesCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWz
+VPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7zJkxnnm6RGBXPx6vK3AkAIi+wG4Y
+mXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu3nDjAVkPexsSrPyiKimFuNgDfkGe
+5dQKa9Ag2SuVU4vd9SYxOMAiIFIC4ts4MLWWJf5D/PehdSuc0e5Me+91Nnbz90nl
+ds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzfwl36Kd/bWB0fAEVFse3iZWmigaI/
+9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo3rE6jg6/iAwSWib9yabfYPKbqq2G
+oFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA2AZrD9cTQXTW
+4j2tT8N/TTc6WK2ncN4h22NTte6vK7MVwsZJCtw5ndYkmxcWkXAqiclzWyMdayds
+WOa12CEH7jKAhivF4Hcw3oO3JHM5BA6KzLWBVz9uZksOM6mPqn29DTKvA/Y1V8tj
+mxK/KUA68h/u6inu3mo4ywBpb/tqHxxg2cjyR0faCmM0pwRM0HBr/16fUMfO83nj
+QG8g9J/bybu5sYso/aSoC5nUNp4XjmDMdVLdqg/nTe/ejS8IfFr0WQxBlqooqFgx
+MSE+kX2e2fHsuOWSU/9eClt6FpQrwoC2C8F+/4g1Uz7Liqc4yMHPwjgeP9ewrrLO
+iIhlNNPqpQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server-crldir/a836cc2d.r0
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..58799e49f8 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
-3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
-eUQLCvPNgay3/ua4Mz0Nf7S9cgC9AZu/EEYjQIEzfO0cEANeVIWtgZfM3+2j0pmZ
-46AEYlEZJkmDT0/mnHk3YTj3I6qQhr34wZvqcrwouYRN5NiOVYJLpb6gPSoalm+P
-YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
-VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
-LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
-ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+MIIDSzCCAjOgAwIBAgIIICEDAxQSBwMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANdIkKX1X+Jwqo5EXC1z/TjUKnYTDzHYx2rCqprBU8fN0mSy
+lMyjDm+eo924PN7LahqCHeDCMbapwymkoNfpLHkNRwotHLvxN5RyxJD4m5fXclRo
+V1ZzwwXTqXlECwrzzYGst/7muDM9DX+0vXIAvQGbvxBGI0CBM3ztHBADXlSFrYGX
+zN/to9KZmeOgBGJRGSZJg09P5px5N2E49yOqkIa9+MGb6nK8KLmETeTYjlWCS6W+
+oD0qGpZvj2Fzioz+Pn1q9fB3WS687GuMT0WvV3LAzcn341r0E36bUf9rxSjfBX79
+11KsVMemr1QskSmvMQFEv6R1Rp8xUGPqKlkRJ9sCAwEAAaNnMGUwYwYDVR0RBFww
+WoIdZG5zMS5hbHQtbmFtZS5wZy1zc2x0ZXN0LnRlc3SCHWRuczIuYWx0LW5hbWUu
+cGctc3NsdGVzdC50ZXN0ghoqLndpbGRjYXJkLnBnLXNzbHRlc3QudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAuRAyYBwAZLKERoYDy/kE9LKddJfLhledTJ7+cIWs6T9V
+KBfWBHZYxfxmdBYwqVZfog8c5uHREfWiUPoF/aMq3ARay96aMh4xXJ+2a7HAmknF
+9AJWRieoc3H/QkMzAuT8IDTmoEarsr8vsX1MGabobZte/B9tEjq/z5t3GfLrHMVX
+5092U6Ka40ii4U1VwjR8YnRBwjm3UpLmZJAjvXjw13/XucNV5O8Plo1yvS+G0AMh
+KdMxExiItVtjZteiA0pJf0YGAzTFyzvwBljTcs4NfZ2M0ta9i0r4BF7wQ8tDezN7
+VxdJVPc5xPqncp0cMdUAE2xDmYlKEqB0kuAHNwH5/Q==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..b5d0589090 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
-+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
-4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
-Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
-Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+MIIC3TCCAcUCCCAhAwMUEgcEMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAgMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCfOf74edog2QHkJlreO6NJEe1VZUSxn+LBeHH8T5fniFiM4Ym9X2o3
+XKhYsvNSwvrfWwMkajMkd3b3vURiuiAxYzB/9AwX97RUkZ8TfuU3UgISiCbJZrVH
+TpfJEv7JhePgYpAoOdPWqtFPmnO/Xv6uNjsrx/V/3COovUj3eIcyQzAl+eC2U9Tn
+//dJ0kF+hDnOR3I/3e6bAboJjAVvLl2ABryaateHuUaCu/Bf5mG1DarXNXPKYuP+
+KrkjHhH0KQ4Js3nu7bPEiG0E/JmCR452j72WKb+PiJHOxdMMyztZ3k6bGGlbw60j
+CwQnUJAlPL4G9U+lpVYG6f7HxOaJEscfAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AJAwYwIL4oj3NisXCXkEp9zqDXiZvNW9yW3bY8lFFCpU7o5n92tCf2OFAkKaYhF1
+Eb2weyDULtW7W/wgdlOZL9npayYKzTusl6e8xfTQyjRCsoKWvnWOEkPH7VraZJ8c
+Ko1KhaVWX98VLdlUh5giYAEkdhk0qPYKsQ32unBXXJu0pX63pnPDoaUBiZUWr/3l
+CfkjgGY5YA8YxiDlHGNF1qlcX2fQKloDlvtH0L5Enwt25w2/IvWhTN6YxDR+rgdD
+XYbQr6o6vsmnZTJ3zUZ6XFo98sZq5L9oy1pcC8roV7w0AUVxraTWYILyGfNgruG8
+xsok/hu1L2VnktveEW/qoVs=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..3bb0f164a6 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,18 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
-cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
-dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
-4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
-PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
-WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
-qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
-34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+MIIDAzCCAesCCCAhAwMUEgcFMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
+Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBGMR4wHAYDVQQL
+DBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUxJDAiBgNVBAMMG2NvbW1vbi1uYW1lLnBn
+LXNzbHRlc3QudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKD
+zvJUs+N+KeDwWAW0zfI5C1t3BxKUwh+MrwtFeNIcxhJd9Bzy6fNnvpMa/kNPoHfN
+n73OGLYeSDyiDc56dvBjLOfxPXFFN4TCuIxYSizIjniL3tzP/a8hyvO+KqTYyaEs
+cT8+/rNnqlqBXNqcdChSGpk0y34uybvWj2/wDJWTbFJ20bI+30HOxCfK8Dp3s8Nl
+suVSuLKF/qqbidDZuOAKc0/GJo2F/5AF9MkMYELmG6XAVq/XDkI3oLtxQKh6kYfc
+nu3fI0Mwr9+FoP2q+K5KskA3KJLlgBOykG55Odbe6Js4TPHrMBTgC9aWrP/I1gb8
+tFY2FVN+D/Wl8T/Boh0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxVHoqX25W4Hx
+pMNjv2AJzcB7D+c+dUXAmLLJ7jh6szWeL0M2E5qX4dLc8LzQKnXv5ZcT4i/akjDX
+etdzuqh03kvDJvUkHclSWffmowmWMTG6GCA6S/2TQzSibIptkwqs74aIkayVJaC4
+jCBR+PVT8+cE2FMD6dAWu//fyEcpTg6XpZ/Upgu9OITGNaEQUGz8pSRkTgspfO0Q
+AKPmql6dpywReIlr5mzy9liCzf/BbAVHGmP/pBGIkLn2AzvPLCQ/UFZYT6aH7l5J
+nzmFhgRC3U5wPMdelHGrPMXg6OHCcyrQY0kEi7N/GQ5+jZkICoQuPJ7APKEZAUgO
+XRwVulaWJQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..7affdd68e7 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
-IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
-UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
-1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
-F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
-J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
-Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
-kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+MIIDEjCCAfqgAwIBAgIIICEDAxQSBwIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAeFw0yMTAzMDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMCAxHjAc
+BgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMWKHC1lrog7A8ye8C3NM38JBiQBMuIZR40wORl0hJxj5Tp8
+dX8Xo2Thi9Ry33+YfMwfkkF66ZRwnMMEa8VYBmOz+fZFzF19WpE8F1CR3PxKE7ai
+zvunxy8oMxdXdIuTTzt8a5NcDLe22C4Yj21qaZVoh182ycvMH93V4MwsLcV3/GdV
+Ko7QpwP2ZCf5D1rhyccx+Trwyb2bKvhW5Jd3GrRacFJQFfUyrAu/FvyuSPmn86ab
+Jkr7CCgFlg6e4O9SFY7yXiOgLotsoQ5/YriTLinvUTGCMCSxaol97qx3I2gUpCZu
+i7H+4Dt9L5FcCMshl0TU32dsjw6El1Wbzp6voCsCAwEAAaMuMCwwKgYDVR0RBCMw
+IYIfc2luZ2xlLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDANBgkqhkiG9w0BAQsF
+AAOCAQEAUIhBQLzQgd7wHlT9DARxcC7SZwQtnk2BVqMYTRBU4uIa0i2HVyetpe1P
+rREthYq5sgaSqdonD9Splg8BLUlah9y3v9j6DBxkxNnz/3AZuA5oPaC/TZ+lwlX3
+QNWWFNaNZdcQbvjUvoPXIbJ6U9UDfByOJdoN4kJ6xe8Faj1Mp5Euqzr1ErrMtPWJ
+XLnXLV4WyAx+iMAbofXNlCyUorPGA8lRudzQ7bKdrhMZDE66VYwlwsUejEiODt7M
+NGTDs4aAZz9cBRjMeXhvX60cFQoykjAvWbieUKOgaFmJJyKemFj12cLeWyxvUodI
+kYtgAdzftiCSrbDjl1pzPSM6RC/E/A==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..331a83cb62 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
-MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMTAz
+MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwUXDTIxMDMwMzIy
+MTIwN1owDQYJKoZIhvcNAQELBQADggEBAJxj0taZYIIxUsCuXR5CN2OymjMvRwmV
++10VOkyBQ3VkzHlXeJkmZsU2Dvmc205l9OYouh/faL0TfK2NyhmBo+MrTizL9TBo
+4u2es/0oJGj2wyNMkRs0SlSJelakvGFBvSKfqoV0l2O1WDV7M4KtdC8ZVZipmL4R
+ac4hBMK0ifHuTS5Od6o0C2RijEPCHMXaS/LkWpBqcStI2oirhjo+Th1wxTMGUVFy
+imVvt6D6QqqHCUYrvcNEN0xBNFwJGq/0cgSy+w5szt/RRehmJKX8MbNeZxrznIIx
+B18ch9rbBltz+Y4R63rCN9MdsnGXf6PQ6a6doZhSI1pnDrui12MOQrU=
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..0d6d7a6f82 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,19 +1,19 @@
-----BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
-IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
-c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
-Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
-Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
-t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
-/prp8Hs2mmHqEfLuI9lvTT0Dz+VMmfFI8Lf278r+w+qOtVloAkX7AOyoLEJlNS0B
-QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
-SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
-h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+MIIDFDCCAfygAwIBAgIIICEDAxQSBwAwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE
+Aww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRl
+c3Qgc3VpdGUwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjBCMUAwPgYD
+VQQDDDdUZXN0IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qg
+c2VydmVyIGNlcnRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4kp2
+GW5nPb6QrSrtbClfZeutyQnHrm4TMPBoNepFdIVxBX/04BguM5ImDRze/huOWA+z
+atJAQqt3R7dsDwnOnPKUKCOuHX6a1aj5L86HtVgaWTXrZFE5NtL9PIzXkWu13UW0
+UesHtbPVRv6a6fB7Npph6hHy7iPZb009A8/lTJnxSPC39u/K/sPqjrVZaAJF+wDs
+qCxCZTUtAUFvWFnR/TeXLWlFzBupS1djgI7PltbJqSn6SKTAgNZTxpRJbu9Icp6J
+/50ELwT++0n0KWVXNHrDNfI5Gaa+SxClAsPsei2jLKpgR6QFC3wn38Z9q9LjAVuC
++FWhoN1uhYeoricEXwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCdCA/EoXrustoV4jJGbkdXDuOUkBurwggSNBAqUBSDvCohRoD77Ecb
+QVuzPNxWKG+E4PwfUq2ha+2yPONEJ28ZgsbHq5qlJDMJ43wlcjn6wmmAJNeSpO8F
+0V9d2X/4wNZty9/zbwTnw26KChgDHumQ0WIbCoBtdqy8KDswYOvpgws6dqc021I7
+UrFo6vZek7VoApbJgkDL6qYADa6ApfW43ThH4sViFITeYt/kSHgmy2Udhs34jMM8
+xsFP/uYpRi1b1glenwSIKiHjD4/C9vnWQt5K3gRBvYukEj2Bw9VkNRpBVCi0cOoA
+OuwX3bwzNYNbZQv4K66oRpvuoEjCNeHg
-----END CERTIFICATE-----
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
new file mode 100644
index 0000000000..81c20aac9e
--- /dev/null
+++ b/src/test/ssl/sslfiles.mk
@@ -0,0 +1,244 @@
+#-------------------------------------------------------------------------
+#
+# Makefile for sslfiles
+#
+# The SSL test files are completely disjoint from the rest of the build; they
+# don't rely on other targets or on Makefile.global. Since these recipes rely
+# on some default Make behavior that's disabled in the main build tree, such
+# as intermediate cleanup, they've been moved into their own separate file.
+# The main Makefile in this directory defers to this helper file when
+# building the sslfiles-related targets.
+#
+# Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+# Portions Copyright (c) 1994, Regents of the University of California
+#
+# src/test/ssl/sslfiles.mk
+#
+#-------------------------------------------------------------------------
+
+#
+# To add a new server or client certificate, add a new <name>.config file in
+# the conf/ directory, then add <name> to either SERVERS or CLIENTS below. A
+# key/certificate pair will be generated for you, signed by the appropriate CA.
+#
+SERVERS := server-cn-and-alt-names \
+ server-cn-only \
+ server-single-alt-name \
+ server-multiple-alt-names \
+ server-no-names \
+ server-revoked
+CLIENTS := client client-dn client-revoked
+
+#
+# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
+# for creating it to the "Special-case keys" section below.
+#
+SPECIAL_KEYS := ssl/server-password.key \
+ ssl/client-der.key \
+ ssl/client-encrypted-pem.key \
+ ssl/client-encrypted-der.key
+
+#
+# These files are just concatenations of other files. You can add new ones to
+# COMBINATIONS here, then declare the constituent files as dependencies in the
+# "Combined files" section below.
+#
+COMBINATIONS := \
+ ssl/both-cas-1.crt \
+ ssl/both-cas-2.crt \
+ ssl/root+server_ca.crt \
+ ssl/root+server.crl \
+ ssl/root+client_ca.crt \
+ ssl/root+client.crl \
+ ssl/client+client_ca.crt
+
+CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
+STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
+STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
+CRLS := ssl/root.crl \
+ ssl/client.crl \
+ ssl/server.crl
+
+SSLFILES := $(STANDARD_CERTS) $(STANDARD_KEYS) $(SPECIAL_KEYS) $(COMBINATIONS) $(CRLS)
+SSLDIRS := ssl/client-crldir \
+ ssl/server-crldir \
+ ssl/root+client-crldir \
+ ssl/root+server-crldir
+
+# This target re-generates all the key and certificate files. Usually we just
+# use the ones that are committed to the tree without rebuilding them.
+#
+.PHONY: sslfiles
+sslfiles: $(SSLFILES) $(SSLDIRS)
+
+#
+# Special-case certificates
+#
+
+# Root CA is self-signed.
+ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
+ openssl req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
+
+#
+# Special-case keys
+#
+# All targets here are contained in $(SPECIAL_KEYS).
+#
+
+# Password-protected version of server-cn-only.key
+ssl/server-password.key: ssl/server-cn-only.key
+ openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+
+# DER-encoded version of client.key
+ssl/client-der.key: ssl/client.key
+ openssl rsa -in $< -outform DER -out $@
+
+# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
+# formats to test libpq's support for the sslpassword= option.
+ssl/client-encrypted-pem.key: ssl/client.key
+ openssl rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
+# TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
+# OpenSSL 3.0.0, so fall back on the default for now.
+ssl/client-encrypted-der.key: ssl/client.key
+ openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
+
+#
+# Combined files
+#
+# All targets in $(COMBINATIONS) share a single recipe; just declare the
+# necessary dependencies and they'll be smashed together.
+#
+
+# Root certificate file that contains both CA certificates, for testing
+# that multiple certificates can be used.
+ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
+
+# The same, but the certs are in different order
+ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
+
+# A root certificate file for the client, to validate server certs.
+ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
+
+# and for the server, to validate client certs
+ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
+
+# and for the client, to present to the server
+ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
+
+# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
+# chain, even if some of them are empty.
+ssl/root+server.crl: ssl/root.crl ssl/server.crl
+ssl/root+client.crl: ssl/root.crl ssl/client.crl
+
+$(COMBINATIONS):
+ cat $^ > $@
+
+#
+# Standard keys
+#
+
+$(STANDARD_KEYS):
+ openssl genrsa -out $@ 2048
+ chmod 0600 $@
+
+#
+# Standard certificates
+#
+
+CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
+SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
+CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
+
+# See the "CA State" section below.
+root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
+server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
+client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+
+# These are the workhorse recipes. `openssl ca` can't be safely run from
+# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
+.NOTPARALLEL:
+$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
+
+$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
+
+$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
+ openssl ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
+
+# The CSRs don't need to persist after a build.
+.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
+ssl/%.csr: ssl/%.key conf/%.config
+ openssl req -new -key $< -out $@ -config conf/$*.config
+
+#
+# CA State
+#
+# All of these are intended to be order-only dependencies; additionally, the
+# pattern recipes are marked as explicit intermediates. The goal is for Make to
+# create the state files once for each CA, allow them to accumulate whatever
+# state is needed, and then automatically remove them at the end of the run.
+#
+
+.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+
+# OpenSSL requires a directory to put all generated certificates in. We don't
+# use this for anything, but we need a location.
+ssl/new_certs_dir:
+ mkdir $@
+
+ssl/%-certindex:
+ touch $@
+
+ssl/%-certindex.attr:
+ echo "unique_subject=no" > $@
+
+# The first serial number for each CA is based on the current timestamp, to
+# avoid collisions across Make runs.
+ssl/%.srl:
+ date +%Y%m%d%H%M%S00 > $@
+
+#
+# CRLs
+#
+
+ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
+ openssl ca -config conf/cas.config -name root_ca -gencrl -out $@
+
+ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
+ openssl ca -config conf/cas.config -name server_ca -revoke $<
+ openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
+
+ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ openssl ca -config conf/cas.config -name client_ca -revoke $<
+ openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
+
+#
+# CRL hash directories
+#
+
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ssl/server-crldir: ssl/server.crl
+ssl/client-crldir: ssl/client.crl
+
+crlhashfile = $(shell openssl crl -hash -noout -in $(1)).r0
+
+ssl/%-crldir:
+ mkdir -p $@
+ rm -f $@/*.r0
+ $(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
+ touch $@
+
+.PHONY: sslfiles-clean
+sslfiles-clean:
+ rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
+ rm -rf $(SSLDIRS) ssl/new_certs_dir
+
+# The difference between the below clean targets and sslfiles-clean is that the
+# clean targets will be run during a "standard" recursive clean run from the
+# main build tree. The sslfiles-clean target must be run explicitly from this
+# directory.
+.PHONY: clean distclean maintainer-clean
+clean distclean maintainer-clean:
+ rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 3bc711f4a7..a901077469 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -485,6 +485,21 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+if ($? == 0)
+{
+ $serialno =~ s/^serial=//;
+ $serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+}
+else
+{
+ # OpenSSL isn't functioning on the user's PATH. This probably isn't worth
+ # skipping the test over, so just fall back to a generic integer match.
+ warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ $serialno = '\d+';
+}
+
command_like(
[
'psql',
@@ -500,7 +515,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
--
2.24.3 (Apple Git-128)
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On 15 Oct 2021, at 14:01, Daniel Gustafsson <daniel@yesql.se> wrote:
The attached contains the requested fixes, and has been tested on all (by us)
supported versions of OpenSSL. Unless there are objections I will apply this
to master shortly.
Which is now done.
--
Daniel Gustafsson https://vmware.com/
Re: [PATCH] test/ssl: rework the sslfiles Makefile target
On Tue, 2021-10-19 at 20:21 +0200, Daniel Gustafsson wrote:
On 15 Oct 2021, at 14:01, Daniel Gustafsson <daniel@yesql.se> wrote:
The attached contains the requested fixes, and has been tested on all (by us)
supported versions of OpenSSL. Unless there are objections I will apply this
to master shortly.Which is now done.
Thanks very much! Hopefully this makes that area of the code easier on
everyone.
--Jacob