From f0f8d7eb232b023d7cb9dfb16851b7e02d822922 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 04:50:29 +0000
Subject: import curl-7.29.0-51.el7
---
diff --git a/SOURCES/0057-curl-7.29.0-nss-obj-leak.patch b/SOURCES/0057-curl-7.29.0-nss-obj-leak.patch
new file mode 100644
index 0000000..4b1baf2
--- /dev/null
+++ b/SOURCES/0057-curl-7.29.0-nss-obj-leak.patch
@@ -0,0 +1,102 @@
+From 543ba995e5beb83a754a8f844491446747c83572 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Thu, 8 Feb 2018 11:23:49 +0100
+Subject: [PATCH] nss: use PK11_CreateManagedGenericObject() if available
+
+... so that the memory allocated by applications using libcurl does not
+grow per each TLS connection.
+
+Bug: https://bugzilla.redhat.com/1510247
+
+Closes #2297
+
+Upstream-commit: 1605d93a7b8ac4b7f348e304e018e9d15ffaabf0
+Signed-off-by: Kamil Dudka
+---
+ configure | 10 ++++++++++
+ configure.ac | 9 +++++++++
+ lib/curl_config.h.in | 3 +++
+ lib/nss.c | 12 +++++++++++-
+ 4 files changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index fc260ee..3c77748 100755
+--- a/configure
++++ b/configure
+@@ -23753,6 +23753,16 @@ $as_echo "$as_me: detected NSS version $version" >&6;}
+ NSS_LIBS=$addlib
+
+
++ ac_fn_c_check_func "$LINENO" "PK11_CreateManagedGenericObject" "ac_cv_func_PK11_CreateManagedGenericObject"
++if test "x$ac_cv_func_PK11_CreateManagedGenericObject" = xyes; then :
++
++
++$as_echo "#define HAVE_PK11_CREATEMANAGEDGENERICOBJECT 1" >>confdefs.h
++
++
++fi
++
++
+ if test "x$cross_compiling" != "xyes"; then
+ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff"
+ export LD_LIBRARY_PATH
+diff --git a/configure.ac b/configure.ac
+index 9612c2f..887ded9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2216,6 +2216,15 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
+ NSS_LIBS=$addlib
+ AC_SUBST([NSS_LIBS])
+
++ dnl PK11_CreateManagedGenericObject() was introduced in NSS 3.34 because
++ dnl PK11_DestroyGenericObject() does not release resources allocated by
++ dnl PK11_CreateGenericObject() early enough.
++ AC_CHECK_FUNC(PK11_CreateManagedGenericObject,
++ [
++ AC_DEFINE(HAVE_PK11_CREATEMANAGEDGENERICOBJECT, 1,
++ [if you have the PK11_CreateManagedGenericObject function])
++ ])
++
+ dnl when shared libs were found in a path that the run-time
+ dnl linker doesn't search through, we need to add it to
+ dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+diff --git a/lib/curl_config.h.in b/lib/curl_config.h.in
+index 19b66fa..9db354b 100644
+--- a/lib/curl_config.h.in
++++ b/lib/curl_config.h.in
+@@ -503,6 +503,9 @@
+ /* Define to 1 if you have the `pipe' function. */
+ #undef HAVE_PIPE
+
++/* if you have the PK11_CreateManagedGenericObject function */
++#undef HAVE_PK11_CREATEMANAGEDGENERICOBJECT
++
+ /* Define to 1 if you have a working poll function. */
+ #undef HAVE_POLL
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 1b8abd3..31e5d75 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -399,7 +399,17 @@ static CURLcode nss_create_object(struct ssl_connect_data *ssl,
+ PK11_SETATTRS(attrs, attr_cnt, CKA_TRUST, pval, sizeof(*pval));
+ }
+
+- obj = PK11_CreateGenericObject(slot, attrs, attr_cnt, PR_FALSE);
++ /* PK11_CreateManagedGenericObject() was introduced in NSS 3.34 because
++ * PK11_DestroyGenericObject() does not release resources allocated by
++ * PK11_CreateGenericObject() early enough. */
++ obj =
++#ifdef HAVE_PK11_CREATEMANAGEDGENERICOBJECT
++ PK11_CreateManagedGenericObject
++#else
++ PK11_CreateGenericObject
++#endif
++ (slot, attrs, attr_cnt, PR_FALSE);
++
+ PK11_FreeSlot(slot);
+ if(!obj)
+ return err;
+--
+2.13.6
+
diff --git a/SOURCES/0058-curl-7.29.0-test-certs.patch b/SOURCES/0058-curl-7.29.0-test-certs.patch
new file mode 100644
index 0000000..657e27b
--- /dev/null
+++ b/SOURCES/0058-curl-7.29.0-test-certs.patch
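Review bot: The `#else` branch in the lib/nss.c hunk of 0057-curl-7.29.0-nss-obj-leak.patch still calls `PK11_CreateGenericObject`, so a build against NSS older than 3.34 silently keeps the per-connection memory growth the patch is meant to stop, which is an availability concern for long-running services that open many TLS connections. Nothing in the configure.ac hunk reports that the fallback was chosen; a not-found action on `AC_CHECK_FUNC`, for example `[AC_MSG_WARN([PK11_CreateManagedGenericObject not found, NSS objects will accumulate per TLS connection])]`, would make it visible in build logs (the generated `configure` hunk would need the matching change). The detection happens at build time, so a library built with `HAVE_PK11_CREATEMANAGEDGENERICOBJECT` defined presumably needs NSS 3.34 or newer at run time; the spec file is not shown here, so confirm its NSS requirement matches. `nss_create_object` starts and ends outside the hunk.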
@@ -0,0 +1,1793 @@ +From 8c0be699968463c2c2baf31f7b454e6280a7ef3b Mon Sep 17 00:00:00 2001 +From: Dan Fandrich +Date: Sat, 21 Mar 2015 16:20:34 +0100 +Subject: [PATCH] tests/certs: rebuild certificates with modified key usage + bits + +The certificates were missing the digitalSignature and keyAgreement +usage types, of which at least digitalSignature was checked by CyaSSL. +This caused the test server in test 310 (among others) to fail the +startup verification and therefore run (see +http://curl.haxx.se/mail/lib-2014-07/0303.html). + +Upstream-commit: f9251a5c86f86388bb9aaa078738fcf49870ca3f +Signed-off-by: Kamil Dudka +--- + tests/certs/EdelCurlRoot-ca.cacert | 119 ++++++++++++++--------------- + tests/certs/EdelCurlRoot-ca.crt | 119 ++++++++++++++--------------- + tests/certs/EdelCurlRoot-ca.csr | 30 ++++---- + tests/certs/EdelCurlRoot-ca.key | 50 ++++++------ + tests/certs/EdelCurlRoot-ca.prm | 2 +- + tests/certs/Makefile.am | 2 - + tests/certs/Server-localhost-sv.crl | 29 ++++--- + tests/certs/Server-localhost-sv.crt | 101 ++++++++++++------------ + tests/certs/Server-localhost-sv.csr | 14 ++-- + tests/certs/Server-localhost-sv.dhp | 5 -- + tests/certs/Server-localhost-sv.key | 26 +++---- + tests/certs/Server-localhost-sv.pem | 136 ++++++++++++++++----------------- + tests/certs/Server-localhost-sv.prm | 4 +- + tests/certs/Server-localhost.nn-sv.crl | 30 +++++--- + tests/certs/Server-localhost.nn-sv.crt | 101 ++++++++++++------------ + tests/certs/Server-localhost.nn-sv.csr | 14 ++-- + tests/certs/Server-localhost.nn-sv.dhp | 5 -- + tests/certs/Server-localhost.nn-sv.key | 26 +++---- + tests/certs/Server-localhost.nn-sv.pem | 136 ++++++++++++++++----------------- + tests/certs/Server-localhost.nn-sv.prm | 4 +- + tests/certs/Server-localhost0h-sv.crl | 32 +++++--- + tests/certs/Server-localhost0h-sv.crt | 101 ++++++++++++------------ + tests/certs/Server-localhost0h-sv.csr | 14 ++-- + tests/certs/Server-localhost0h-sv.dhp | 5 -- + 
tests/certs/Server-localhost0h-sv.key | 26 +++---- + tests/certs/Server-localhost0h-sv.pem | 136 ++++++++++++++++----------------- + tests/certs/Server-localhost0h-sv.prm | 4 +- + 27 files changed, 628 insertions(+), 643 deletions(-) + +diff --git a/tests/certs/EdelCurlRoot-ca.cacert b/tests/certs/EdelCurlRoot-ca.cacert +index 8bcbc18..d3ec4d3 100644 +--- a/tests/certs/EdelCurlRoot-ca.cacert ++++ b/tests/certs/EdelCurlRoot-ca.cacert +@@ -1,42 +1,41 @@ + Certificate: + Data: + Version: 3 (0x2) +- Serial Number: +- 0b:98:94:f5:ab:a6 +- Signature Algorithm: sha1WithRSAEncryption ++ Serial Number: 14269504311616 (0xcfa60bc5140) ++ Signature Algorithm: sha1WithRSAEncryption + Issuer: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Validity +- Not Before: May 27 21:36:46 2010 GMT +- Not After : Oct 30 21:36:46 2026 GMT ++ Not Before: Mar 21 15:07:11 2015 GMT ++ Not After : Aug 24 15:07:11 2031 GMT + Subject: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: +- 00:c1:a9:0a:ef:76:06:7d:fe:78:3a:f1:0e:40:6d: +- c2:5b:ae:8f:8d:7f:f0:d5:89:9e:42:2a:f0:17:94: +- d9:2e:67:c7:2d:01:1c:95:a3:b1:a6:86:d4:12:3c: +- 47:3a:70:e6:7b:1f:11:06:d3:73:ae:df:ca:24:19: +- 03:e4:62:0a:eb:67:d4:dc:ef:9d:2d:e0:82:77:fe: +- 2a:30:5a:fb:57:e5:b8:4f:36:52:4c:2f:57:ad:12: +- 6a:94:3e:e4:48:a7:ad:a5:c0:3a:d0:4e:00:99:88: +- 8f:bd:4a:70:be:3b:5b:6b:ff:5e:6f:29:6d:0c:a7: +- 55:4a:e2:43:e7:49:0f:99:54:59:68:81:34:d8:a9: +- fb:c8:0d:14:5a:40:cb:70:1e:f5:3b:c0:42:39:06: +- f9:63:ad:d9:29:14:53:af:42:10:1d:18:95:b6:15: +- 8a:d8:41:d8:37:31:0a:97:5a:1b:10:90:ac:1d:ff: +- 6e:71:33:6b:7e:88:18:20:ed:be:35:ff:e7:69:48: +- 
05:c0:78:2e:04:46:f4:c2:8d:4d:70:6e:42:fa:93: +- eb:ce:12:3b:d1:f5:ce:3f:29:5c:8c:bd:59:83:e4: +- a1:c1:3c:8e:3e:38:55:f3:99:18:b0:df:f6:74:c9: +- 8e:28:f4:38:0d:45:20:d6:db:c0:73:a2:e6:8c:6e: +- 98:9f ++ 00:e1:4c:d9:74:1a:a4:a3:42:57:a4:7a:2e:74:02: ++ 08:49:6a:6a:1d:db:de:c3:43:d6:48:60:12:30:ed: ++ d6:6e:74:16:81:16:4e:50:b9:6c:b9:36:0d:19:a4: ++ f7:85:99:40:46:26:46:33:86:ce:0c:27:71:e4:8f: ++ 0f:b4:3a:99:6d:af:78:48:b7:cb:c4:d3:60:7d:d0: ++ 17:6f:23:bc:89:c0:bc:16:b8:94:f0:b2:10:8d:c8: ++ e0:35:97:ed:8f:c6:db:9b:cd:aa:f6:8c:45:dc:0f: ++ ee:a0:78:12:be:f6:7d:f4:f7:b6:8c:4e:e5:7d:32: ++ e8:f7:f7:1e:04:46:9e:08:cd:cb:ec:e2:9a:c3:35: ++ 3f:ce:a1:01:e3:10:0a:ec:d9:ab:13:09:eb:e6:39: ++ 6b:92:30:c7:08:bd:8a:32:ef:0b:b2:61:6f:11:43: ++ 95:cf:31:ea:19:01:cc:1a:6d:d2:d5:57:35:da:c0: ++ ae:46:39:d3:33:ed:f8:c0:1e:ad:3d:68:6f:a8:53: ++ 24:ac:d6:f9:dd:2b:51:50:77:e4:b7:5d:ad:48:80: ++ 5d:65:57:e5:eb:07:82:7d:cb:72:4f:06:6a:34:d4: ++ 38:c8:6b:ed:8a:3a:68:5e:35:e3:78:14:da:5d:86: ++ 9f:e5:d4:1c:dd:90:c2:7c:a2:00:d4:95:65:04:85: ++ ff:83 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical +@@ -44,42 +43,42 @@ Certificate: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: +- AD:3E:E2:39:07:B8:5C:AA:26:90:94:4C:26:69:21:83:E2:4E:36:94 ++ 12:CA:BA:4B:46:04:A7:75:8A:2C:E8:0E:54:94:BC:12:65:A6:7B:CE + Signature Algorithm: sha1WithRSAEncryption +- 86:1f:9d:dd:45:11:c8:6b:f1:97:1a:f0:25:b2:0c:f7:1f:58: +- c4:6a:a5:56:07:32:cb:2d:7a:8c:ae:47:1e:7d:e7:73:6c:3b: +- 96:1e:75:b4:e5:89:05:a7:7e:b6:52:56:5a:e2:6b:38:e4:18: +- 3c:64:6f:be:bd:d3:01:76:b4:83:7f:7a:1e:9c:cb:40:1b:9a: +- dd:43:cb:9a:db:8a:f8:76:50:ab:ad:85:7f:cf:3a:6f:4b:e2: +- 27:b0:8c:a9:0a:e0:d8:45:00:05:5e:29:ab:a0:8a:78:e5:09: +- 89:48:8a:0d:42:49:1e:ad:c2:85:2f:29:9d:af:2e:c8:ef:b9: +- dc:74:33:eb:e9:45:e9:a2:b3:00:ba:76:0b:74:59:c9:a8:96: +- 4c:f3:cd:9b:34:5a:4a:87:b2:6a:52:74:5b:be:f3:81:f8:32: +- 
d0:1f:c9:cc:9f:8a:6a:eb:6e:f3:6d:2c:54:20:86:f6:87:62: +- c0:ed:55:03:9d:97:a9:5a:ae:39:a0:7e:e4:a6:95:e9:26:19: +- 91:e6:0f:b6:18:f7:49:6c:a7:ce:fd:c1:04:c2:f9:27:27:4c: +- 59:e9:bf:7a:f6:65:a0:d9:a0:71:a6:54:c6:6f:9a:5d:23:19: +- 57:49:59:2c:06:91:3e:28:9b:c1:6f:f2:2d:9a:24:a7:0b:da: +- cd:cc:f3:bc ++ d4:d0:22:19:78:2e:2e:1d:83:c6:79:89:c1:a8:23:43:4e:86: ++ 76:16:31:bd:b7:c0:44:2c:b9:2c:79:99:2f:02:48:33:1e:a7: ++ d7:0e:d9:f1:cb:ed:39:1a:34:b3:50:af:c9:8d:64:bf:ff:72: ++ 1b:1d:e0:5d:40:3b:b5:00:7c:d1:78:ff:45:ee:d9:05:3f:32: ++ f6:cd:f4:d3:79:58:d8:44:94:65:f5:c3:a9:5d:d8:13:d9:57: ++ e7:13:18:fa:f3:72:0b:cf:a3:4a:f4:6e:5e:74:30:3c:cb:76: ++ 28:f9:44:9a:ba:3e:b7:3e:01:79:3e:cb:5c:df:5a:d4:6c:34: ++ aa:bd:c0:6d:25:85:e5:28:f6:15:e1:9d:af:a7:f7:a7:6c:2a: ++ 1d:1d:93:1e:89:71:66:c7:0b:e4:ce:36:c1:21:c4:73:5d:2b: ++ 24:a9:3d:26:df:1c:e8:60:69:e3:82:98:c3:5b:91:9e:da:bd: ++ 27:ee:e0:fd:64:ea:7d:35:91:fd:5e:1e:33:82:24:39:7b:49: ++ af:23:05:fc:6e:53:7e:07:69:f4:e7:e3:1f:f0:1c:59:87:4c: ++ b6:74:c9:60:ed:f5:ab:a0:31:8a:05:d4:64:9f:1e:16:b6:9f: ++ f8:7e:0d:ac:b7:d9:16:b9:b3:bc:0b:03:6b:24:e9:46:81:dc: ++ d8:52:63:75 + -----BEGIN CERTIFICATE----- +-MIIDkDCCAnigAwIBAgIGC5iU9aumMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT ++MIIDkjCCAnqgAwIBAgIGDPpgvFFAMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYT + Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo +-IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X +-DTEwMDUyNzIxMzY0NloXDTI2MTAzMDIxMzY0NlowZzELMAkGA1UEBhMCTk4xMTAv +-BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx +-JTAjBgNVBAMMHE5vdGhlcm4gTm93aGVyZSBUcnVzdCBBbmNob3IwggEiMA0GCSqG +-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBqQrvdgZ9/ng68Q5AbcJbro+Nf/DViZ5C +-KvAXlNkuZ8ctARyVo7GmhtQSPEc6cOZ7HxEG03Ou38okGQPkYgrrZ9Tc750t4IJ3 +-/iowWvtX5bhPNlJML1etEmqUPuRIp62lwDrQTgCZiI+9SnC+O1tr/15vKW0Mp1VK +-4kPnSQ+ZVFlogTTYqfvIDRRaQMtwHvU7wEI5BvljrdkpFFOvQhAdGJW2FYrYQdg3 +-MQqXWhsQkKwd/25xM2t+iBgg7b41/+dpSAXAeC4ERvTCjU1wbkL6k+vOEjvR9c4/ 
+-KVyMvVmD5KHBPI4+OFXzmRiw3/Z0yY4o9DgNRSDW28BzouaMbpifAgMBAAGjQjBA +-MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBStPuI5 +-B7hcqiaQlEwmaSGD4k42lDANBgkqhkiG9w0BAQUFAAOCAQEAhh+d3UURyGvxlxrw +-JbIM9x9YxGqlVgcyyy16jK5HHn3nc2w7lh51tOWJBad+tlJWWuJrOOQYPGRvvr3T +-AXa0g396HpzLQBua3UPLmtuK+HZQq62Ff886b0viJ7CMqQrg2EUABV4pq6CKeOUJ +-iUiKDUJJHq3ChS8pna8uyO+53HQz6+lF6aKzALp2C3RZyaiWTPPNmzRaSoeyalJ0 +-W77zgfgy0B/JzJ+Kautu820sVCCG9odiwO1VA52XqVquOaB+5KaV6SYZkeYPthj3 +-SWynzv3BBML5JydMWem/evZloNmgcaZUxm+aXSMZV0lZLAaRPiibwW/yLZokpwva +-zczzvA== ++IENsb3VkMSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjAe ++Fw0xNTAzMjExNTA3MTFaFw0zMTA4MjQxNTA3MTFaMGgxCzAJBgNVBAYTAk5OMTEw ++LwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNoIENsb3Vk ++MSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjCCASIwDQYJ ++KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOFM2XQapKNCV6R6LnQCCElqah3b3sND ++1khgEjDt1m50FoEWTlC5bLk2DRmk94WZQEYmRjOGzgwnceSPD7Q6mW2veEi3y8TT ++YH3QF28jvInAvBa4lPCyEI3I4DWX7Y/G25vNqvaMRdwP7qB4Er72ffT3toxO5X0y ++6Pf3HgRGngjNy+zimsM1P86hAeMQCuzZqxMJ6+Y5a5Iwxwi9ijLvC7JhbxFDlc8x ++6hkBzBpt0tVXNdrArkY50zPt+MAerT1ob6hTJKzW+d0rUVB35LddrUiAXWVX5esH ++gn3Lck8GajTUOMhr7Yo6aF4143gU2l2Gn+XUHN2QwnyiANSVZQSF/4MCAwEAAaNC ++MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLK ++uktGBKd1iizoDlSUvBJlpnvOMA0GCSqGSIb3DQEBBQUAA4IBAQDU0CIZeC4uHYPG ++eYnBqCNDToZ2FjG9t8BELLkseZkvAkgzHqfXDtnxy+05GjSzUK/JjWS//3IbHeBd ++QDu1AHzReP9F7tkFPzL2zfTTeVjYRJRl9cOpXdgT2VfnExj683ILz6NK9G5edDA8 ++y3Yo+USauj63PgF5Pstc31rUbDSqvcBtJYXlKPYV4Z2vp/enbCodHZMeiXFmxwvk ++zjbBIcRzXSskqT0m3xzoYGnjgpjDW5Ge2r0n7uD9ZOp9NZH9Xh4zgiQ5e0mvIwX8 ++blN+B2n05+Mf8BxZh0y2dMlg7fWroDGKBdRknx4Wtp/4fg2st9kWubO8CwNrJOlG ++gdzYUmN1 + -----END CERTIFICATE----- +diff --git a/tests/certs/EdelCurlRoot-ca.crt b/tests/certs/EdelCurlRoot-ca.crt +index 8bcbc18..d3ec4d3 100644 +--- a/tests/certs/EdelCurlRoot-ca.crt ++++ b/tests/certs/EdelCurlRoot-ca.crt +@@ -1,42 +1,41 @@ + Certificate: + Data: + Version: 3 (0x2) +- Serial Number: +- 
0b:98:94:f5:ab:a6 +- Signature Algorithm: sha1WithRSAEncryption ++ Serial Number: 14269504311616 (0xcfa60bc5140) ++ Signature Algorithm: sha1WithRSAEncryption + Issuer: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Validity +- Not Before: May 27 21:36:46 2010 GMT +- Not After : Oct 30 21:36:46 2026 GMT ++ Not Before: Mar 21 15:07:11 2015 GMT ++ Not After : Aug 24 15:07:11 2031 GMT + Subject: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: +- 00:c1:a9:0a:ef:76:06:7d:fe:78:3a:f1:0e:40:6d: +- c2:5b:ae:8f:8d:7f:f0:d5:89:9e:42:2a:f0:17:94: +- d9:2e:67:c7:2d:01:1c:95:a3:b1:a6:86:d4:12:3c: +- 47:3a:70:e6:7b:1f:11:06:d3:73:ae:df:ca:24:19: +- 03:e4:62:0a:eb:67:d4:dc:ef:9d:2d:e0:82:77:fe: +- 2a:30:5a:fb:57:e5:b8:4f:36:52:4c:2f:57:ad:12: +- 6a:94:3e:e4:48:a7:ad:a5:c0:3a:d0:4e:00:99:88: +- 8f:bd:4a:70:be:3b:5b:6b:ff:5e:6f:29:6d:0c:a7: +- 55:4a:e2:43:e7:49:0f:99:54:59:68:81:34:d8:a9: +- fb:c8:0d:14:5a:40:cb:70:1e:f5:3b:c0:42:39:06: +- f9:63:ad:d9:29:14:53:af:42:10:1d:18:95:b6:15: +- 8a:d8:41:d8:37:31:0a:97:5a:1b:10:90:ac:1d:ff: +- 6e:71:33:6b:7e:88:18:20:ed:be:35:ff:e7:69:48: +- 05:c0:78:2e:04:46:f4:c2:8d:4d:70:6e:42:fa:93: +- eb:ce:12:3b:d1:f5:ce:3f:29:5c:8c:bd:59:83:e4: +- a1:c1:3c:8e:3e:38:55:f3:99:18:b0:df:f6:74:c9: +- 8e:28:f4:38:0d:45:20:d6:db:c0:73:a2:e6:8c:6e: +- 98:9f ++ 00:e1:4c:d9:74:1a:a4:a3:42:57:a4:7a:2e:74:02: ++ 08:49:6a:6a:1d:db:de:c3:43:d6:48:60:12:30:ed: ++ d6:6e:74:16:81:16:4e:50:b9:6c:b9:36:0d:19:a4: ++ f7:85:99:40:46:26:46:33:86:ce:0c:27:71:e4:8f: ++ 0f:b4:3a:99:6d:af:78:48:b7:cb:c4:d3:60:7d:d0: ++ 17:6f:23:bc:89:c0:bc:16:b8:94:f0:b2:10:8d:c8: ++ e0:35:97:ed:8f:c6:db:9b:cd:aa:f6:8c:45:dc:0f: ++ 
ee:a0:78:12:be:f6:7d:f4:f7:b6:8c:4e:e5:7d:32: ++ e8:f7:f7:1e:04:46:9e:08:cd:cb:ec:e2:9a:c3:35: ++ 3f:ce:a1:01:e3:10:0a:ec:d9:ab:13:09:eb:e6:39: ++ 6b:92:30:c7:08:bd:8a:32:ef:0b:b2:61:6f:11:43: ++ 95:cf:31:ea:19:01:cc:1a:6d:d2:d5:57:35:da:c0: ++ ae:46:39:d3:33:ed:f8:c0:1e:ad:3d:68:6f:a8:53: ++ 24:ac:d6:f9:dd:2b:51:50:77:e4:b7:5d:ad:48:80: ++ 5d:65:57:e5:eb:07:82:7d:cb:72:4f:06:6a:34:d4: ++ 38:c8:6b:ed:8a:3a:68:5e:35:e3:78:14:da:5d:86: ++ 9f:e5:d4:1c:dd:90:c2:7c:a2:00:d4:95:65:04:85: ++ ff:83 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical +@@ -44,42 +43,42 @@ Certificate: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: +- AD:3E:E2:39:07:B8:5C:AA:26:90:94:4C:26:69:21:83:E2:4E:36:94 ++ 12:CA:BA:4B:46:04:A7:75:8A:2C:E8:0E:54:94:BC:12:65:A6:7B:CE + Signature Algorithm: sha1WithRSAEncryption +- 86:1f:9d:dd:45:11:c8:6b:f1:97:1a:f0:25:b2:0c:f7:1f:58: +- c4:6a:a5:56:07:32:cb:2d:7a:8c:ae:47:1e:7d:e7:73:6c:3b: +- 96:1e:75:b4:e5:89:05:a7:7e:b6:52:56:5a:e2:6b:38:e4:18: +- 3c:64:6f:be:bd:d3:01:76:b4:83:7f:7a:1e:9c:cb:40:1b:9a: +- dd:43:cb:9a:db:8a:f8:76:50:ab:ad:85:7f:cf:3a:6f:4b:e2: +- 27:b0:8c:a9:0a:e0:d8:45:00:05:5e:29:ab:a0:8a:78:e5:09: +- 89:48:8a:0d:42:49:1e:ad:c2:85:2f:29:9d:af:2e:c8:ef:b9: +- dc:74:33:eb:e9:45:e9:a2:b3:00:ba:76:0b:74:59:c9:a8:96: +- 4c:f3:cd:9b:34:5a:4a:87:b2:6a:52:74:5b:be:f3:81:f8:32: +- d0:1f:c9:cc:9f:8a:6a:eb:6e:f3:6d:2c:54:20:86:f6:87:62: +- c0:ed:55:03:9d:97:a9:5a:ae:39:a0:7e:e4:a6:95:e9:26:19: +- 91:e6:0f:b6:18:f7:49:6c:a7:ce:fd:c1:04:c2:f9:27:27:4c: +- 59:e9:bf:7a:f6:65:a0:d9:a0:71:a6:54:c6:6f:9a:5d:23:19: +- 57:49:59:2c:06:91:3e:28:9b:c1:6f:f2:2d:9a:24:a7:0b:da: +- cd:cc:f3:bc ++ d4:d0:22:19:78:2e:2e:1d:83:c6:79:89:c1:a8:23:43:4e:86: ++ 76:16:31:bd:b7:c0:44:2c:b9:2c:79:99:2f:02:48:33:1e:a7: ++ d7:0e:d9:f1:cb:ed:39:1a:34:b3:50:af:c9:8d:64:bf:ff:72: ++ 1b:1d:e0:5d:40:3b:b5:00:7c:d1:78:ff:45:ee:d9:05:3f:32: ++ f6:cd:f4:d3:79:58:d8:44:94:65:f5:c3:a9:5d:d8:13:d9:57: ++ 
e7:13:18:fa:f3:72:0b:cf:a3:4a:f4:6e:5e:74:30:3c:cb:76: ++ 28:f9:44:9a:ba:3e:b7:3e:01:79:3e:cb:5c:df:5a:d4:6c:34: ++ aa:bd:c0:6d:25:85:e5:28:f6:15:e1:9d:af:a7:f7:a7:6c:2a: ++ 1d:1d:93:1e:89:71:66:c7:0b:e4:ce:36:c1:21:c4:73:5d:2b: ++ 24:a9:3d:26:df:1c:e8:60:69:e3:82:98:c3:5b:91:9e:da:bd: ++ 27:ee:e0:fd:64:ea:7d:35:91:fd:5e:1e:33:82:24:39:7b:49: ++ af:23:05:fc:6e:53:7e:07:69:f4:e7:e3:1f:f0:1c:59:87:4c: ++ b6:74:c9:60:ed:f5:ab:a0:31:8a:05:d4:64:9f:1e:16:b6:9f: ++ f8:7e:0d:ac:b7:d9:16:b9:b3:bc:0b:03:6b:24:e9:46:81:dc: ++ d8:52:63:75 + -----BEGIN CERTIFICATE----- +-MIIDkDCCAnigAwIBAgIGC5iU9aumMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT ++MIIDkjCCAnqgAwIBAgIGDPpgvFFAMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYT + Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo +-IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X +-DTEwMDUyNzIxMzY0NloXDTI2MTAzMDIxMzY0NlowZzELMAkGA1UEBhMCTk4xMTAv +-BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx +-JTAjBgNVBAMMHE5vdGhlcm4gTm93aGVyZSBUcnVzdCBBbmNob3IwggEiMA0GCSqG +-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBqQrvdgZ9/ng68Q5AbcJbro+Nf/DViZ5C +-KvAXlNkuZ8ctARyVo7GmhtQSPEc6cOZ7HxEG03Ou38okGQPkYgrrZ9Tc750t4IJ3 +-/iowWvtX5bhPNlJML1etEmqUPuRIp62lwDrQTgCZiI+9SnC+O1tr/15vKW0Mp1VK +-4kPnSQ+ZVFlogTTYqfvIDRRaQMtwHvU7wEI5BvljrdkpFFOvQhAdGJW2FYrYQdg3 +-MQqXWhsQkKwd/25xM2t+iBgg7b41/+dpSAXAeC4ERvTCjU1wbkL6k+vOEjvR9c4/ +-KVyMvVmD5KHBPI4+OFXzmRiw3/Z0yY4o9DgNRSDW28BzouaMbpifAgMBAAGjQjBA +-MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBStPuI5 +-B7hcqiaQlEwmaSGD4k42lDANBgkqhkiG9w0BAQUFAAOCAQEAhh+d3UURyGvxlxrw +-JbIM9x9YxGqlVgcyyy16jK5HHn3nc2w7lh51tOWJBad+tlJWWuJrOOQYPGRvvr3T +-AXa0g396HpzLQBua3UPLmtuK+HZQq62Ff886b0viJ7CMqQrg2EUABV4pq6CKeOUJ +-iUiKDUJJHq3ChS8pna8uyO+53HQz6+lF6aKzALp2C3RZyaiWTPPNmzRaSoeyalJ0 +-W77zgfgy0B/JzJ+Kautu820sVCCG9odiwO1VA52XqVquOaB+5KaV6SYZkeYPthj3 +-SWynzv3BBML5JydMWem/evZloNmgcaZUxm+aXSMZV0lZLAaRPiibwW/yLZokpwva +-zczzvA== ++IENsb3VkMSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjAe 
++Fw0xNTAzMjExNTA3MTFaFw0zMTA4MjQxNTA3MTFaMGgxCzAJBgNVBAYTAk5OMTEw ++LwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNoIENsb3Vk ++MSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjCCASIwDQYJ ++KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOFM2XQapKNCV6R6LnQCCElqah3b3sND ++1khgEjDt1m50FoEWTlC5bLk2DRmk94WZQEYmRjOGzgwnceSPD7Q6mW2veEi3y8TT ++YH3QF28jvInAvBa4lPCyEI3I4DWX7Y/G25vNqvaMRdwP7qB4Er72ffT3toxO5X0y ++6Pf3HgRGngjNy+zimsM1P86hAeMQCuzZqxMJ6+Y5a5Iwxwi9ijLvC7JhbxFDlc8x ++6hkBzBpt0tVXNdrArkY50zPt+MAerT1ob6hTJKzW+d0rUVB35LddrUiAXWVX5esH ++gn3Lck8GajTUOMhr7Yo6aF4143gU2l2Gn+XUHN2QwnyiANSVZQSF/4MCAwEAAaNC ++MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLK ++uktGBKd1iizoDlSUvBJlpnvOMA0GCSqGSIb3DQEBBQUAA4IBAQDU0CIZeC4uHYPG ++eYnBqCNDToZ2FjG9t8BELLkseZkvAkgzHqfXDtnxy+05GjSzUK/JjWS//3IbHeBd ++QDu1AHzReP9F7tkFPzL2zfTTeVjYRJRl9cOpXdgT2VfnExj683ILz6NK9G5edDA8 ++y3Yo+USauj63PgF5Pstc31rUbDSqvcBtJYXlKPYV4Z2vp/enbCodHZMeiXFmxwvk ++zjbBIcRzXSskqT0m3xzoYGnjgpjDW5Ge2r0n7uD9ZOp9NZH9Xh4zgiQ5e0mvIwX8 ++blN+B2n05+Mf8BxZh0y2dMlg7fWroDGKBdRknx4Wtp/4fg2st9kWubO8CwNrJOlG ++gdzYUmN1 + -----END CERTIFICATE----- +diff --git a/tests/certs/EdelCurlRoot-ca.csr b/tests/certs/EdelCurlRoot-ca.csr +index 2df94f5..7d5e300 100644 +--- a/tests/certs/EdelCurlRoot-ca.csr ++++ b/tests/certs/EdelCurlRoot-ca.csr +@@ -1,17 +1,17 @@ + -----BEGIN CERTIFICATE REQUEST----- +-MIICrDCCAZQCAQAwZzELMAkGA1UEBhMCTk4xMTAvBgNVBAoMKEVkZWwgQ3VybCBB +-cmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQxJTAjBgNVBAMMHE5vdGhlcm4g +-Tm93aGVyZSBUcnVzdCBBbmNob3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +-AoIBAQDBqQrvdgZ9/ng68Q5AbcJbro+Nf/DViZ5CKvAXlNkuZ8ctARyVo7GmhtQS +-PEc6cOZ7HxEG03Ou38okGQPkYgrrZ9Tc750t4IJ3/iowWvtX5bhPNlJML1etEmqU +-PuRIp62lwDrQTgCZiI+9SnC+O1tr/15vKW0Mp1VK4kPnSQ+ZVFlogTTYqfvIDRRa +-QMtwHvU7wEI5BvljrdkpFFOvQhAdGJW2FYrYQdg3MQqXWhsQkKwd/25xM2t+iBgg +-7b41/+dpSAXAeC4ERvTCjU1wbkL6k+vOEjvR9c4/KVyMvVmD5KHBPI4+OFXzmRiw +-3/Z0yY4o9DgNRSDW28BzouaMbpifAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA 
+-eFMy55kFke/e9mrGloRUh1o8dxmzSiVwVCw5DTZQzTFNAMSOZXIId8k2IeHSUd84 +-ZyJ1UNyJn2EFcwgaYaMtvZ8xMWR2W0C7lBvOOcjvWmiGze9F2Z5XMQzL8cjkK4jW +-RKIq9b0W6TC8lLO5F2eJpW6BoTQ8cBCDiVIDlCm7xZxPRjHowuyM0Tpewq2PltC1 +-p8DbQipZWl5LPaHBSZSmIuUgOBU9porH/Vn0oWXxYfts59103VJY5YKkdz0PiqqA +-5kWYCMFDZyL+nZ2aIol4r8nXkN9MuPOU12aHqPGcDlaGS2i5zfm2Ywsg110k+NCk +-AmqhjnrQjvJhif3rGO4+qw== ++MIICrTCCAZUCAQAwaDELMAkGA1UEBhMCTk4xMTAvBgNVBAoMKEVkZWwgQ3VybCBB ++cmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQxJjAkBgNVBAMMHU5vcnRoZXJu ++IE5vd2hlcmUgVHJ1c3QgQW5jaG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB ++CgKCAQEA4UzZdBqko0JXpHoudAIISWpqHdvew0PWSGASMO3WbnQWgRZOULlsuTYN ++GaT3hZlARiZGM4bODCdx5I8PtDqZba94SLfLxNNgfdAXbyO8icC8FriU8LIQjcjg ++NZftj8bbm82q9oxF3A/uoHgSvvZ99Pe2jE7lfTLo9/ceBEaeCM3L7OKawzU/zqEB ++4xAK7NmrEwnr5jlrkjDHCL2KMu8LsmFvEUOVzzHqGQHMGm3S1Vc12sCuRjnTM+34 ++wB6tPWhvqFMkrNb53StRUHfkt12tSIBdZVfl6weCfctyTwZqNNQ4yGvtijpoXjXj ++eBTaXYaf5dQc3ZDCfKIA1JVlBIX/gwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB ++ANpolqnyNQ2zhqURf1ImBOTKLqN77neGe01rdkMrQfNP+ZSr5pxcoOZgMjUGrhyQ ++C6RWexcjwMFvr+16bsEyiBgw/PxTziw6ozvJZkDVQanKZet9+6o8P6AzfjOfwIiU ++8OkLYDaNJ0M807fTNFWdt/yDY1WNfNAxIX3gMMJ1dRvvLvgIJVE4RRAaW/pEMHky ++sQTfExs99Xooqh3E6CWyR1bVHWuid0a02LcD2Q0bKTBmi3xyBjEaq3vXxS6j1fDs ++aWpwznwuuX+J7K+MHYJH9DQIg/QY6rQzxokZ92wJGFdzL3m+kou6++OAPu1plpTL ++im5n/e87gdjerEJgCqoP4S8= + -----END CERTIFICATE REQUEST----- +diff --git a/tests/certs/EdelCurlRoot-ca.key b/tests/certs/EdelCurlRoot-ca.key +index 9a1303a..bf46d1e 100644 +--- a/tests/certs/EdelCurlRoot-ca.key ++++ b/tests/certs/EdelCurlRoot-ca.key +@@ -1,27 +1,27 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIIEowIBAAKCAQEAwakK73YGff54OvEOQG3CW66PjX/w1YmeQirwF5TZLmfHLQEc +-laOxpobUEjxHOnDmex8RBtNzrt/KJBkD5GIK62fU3O+dLeCCd/4qMFr7V+W4TzZS +-TC9XrRJqlD7kSKetpcA60E4AmYiPvUpwvjtba/9ebyltDKdVSuJD50kPmVRZaIE0 +-2Kn7yA0UWkDLcB71O8BCOQb5Y63ZKRRTr0IQHRiVthWK2EHYNzEKl1obEJCsHf9u +-cTNrfogYIO2+Nf/naUgFwHguBEb0wo1NcG5C+pPrzhI70fXOPylcjL1Zg+ShwTyO 
+-PjhV85kYsN/2dMmOKPQ4DUUg1tvAc6LmjG6YnwIDAQABAoIBAEQculXigwIJYCwK +-4GJUuEkaqi6wUvonvtuy0mLY3VHu+iSgAXe37SGOxkPro3mwf7/J+2kVMdjNqQDt +-M2s9+G03Ray3MecS0ZB2ekwrk78kcqCZkHRvKj0a/xVI0W2kW/SyGX1uEdPuLe/7 +-oI+nvM3NMV+TiGEs8Vi3H/7WuX/JiEpBFNtgKqlT1ZdTblj+igrAT30on9FBfOyo +-NtkxIL7YY1TAZ7YjdpZWrAAyo7gBjXAmeslnJ9IHzKPBsuSXQ4A7JjGOAGyv3INi +-D8mwoa/8pNaZTxFCCRnvezA3JvVa4gWigZtb0JX5Z+H1nERZWoJq4Cj4kMa3ERuC +-iyVXijECgYEA4q5bkQTrQ7liRCrNETmbVspmbuBc6XaAFrYwbrxlzvl2nyumCgKg +-GaPeP2Skh5nPz+1x1EXmYAqXsAfLoE4z6kk1D1Ws4FWxxaAuwlWTmoJ2HXl2dcbR +-f0HLgQ/oswYtNVaP7HASmEf5Y3DeGLDrojh1aOE8kq/MpBHsO28qTA0CgYEA2rVV +-eTfj4VV5tpVlfiU5D947qIERVwIQ+FW8Epokwct1VgUeWwXMQFJFX6KWQdkB+Ktj +-vknBSrN+VmwBMMhuUTpMxvaZFL5UCyLUUt2K8azNDdg9FcfH8dSZnnNoo8aH9k6A +-v5gFk+QQ7VgGVBeLv22PG1zknj4SsGZhzx9H0FsCgYB/8uq8cIpbL8jHsWEO1/VW +-h+hJrVrEbJ7gMvYjizPsH+NU9M5D2DeGQXixT52O7MLgGqalqs7eZxw3wC6vzXSA +-SdIpVbK+7Z/qbP/3sVYfYIRLHsQ+tnqJ2hmEP/aZFmNuN+4FBz13tyiNeKfkR/i5 +-GCUtjfUi1xgrg/JTmevGAQKBgQC9QEh0Gj7gj9xAeEpYu9ECwCUTjIv6pFkW6ulR +-l3zTDUG9a7R2wy+ZQReyx7gJxsSD75rh4GSYRXW/RrpJAkcjlrU1PdH9Nyz2be8Y +-vYgr1IGjx0gkfrmvs24yxF75ySOBqTCTmfLJpIJZPuBLCAzvWtiIrvtNSx1U82MT +-nVfBHQKBgDJZQmr5lqdo5Zv/VP+w+VtxeX2oCgw7Mn56TW4IzDEL6ly+sKNNs+Ji +-pp/c2XYw24o7318yV70oWVWscay1SOjK7RdoCat590iuTGMSYyY8pMkgK+QuDqDe +-1Hhyb0iPorMS5wZXx/TROS4+4GOIHLAtZOZ8B+20tczp7HGqUIK1 ++MIIEpAIBAAKCAQEA4UzZdBqko0JXpHoudAIISWpqHdvew0PWSGASMO3WbnQWgRZO ++ULlsuTYNGaT3hZlARiZGM4bODCdx5I8PtDqZba94SLfLxNNgfdAXbyO8icC8FriU ++8LIQjcjgNZftj8bbm82q9oxF3A/uoHgSvvZ99Pe2jE7lfTLo9/ceBEaeCM3L7OKa ++wzU/zqEB4xAK7NmrEwnr5jlrkjDHCL2KMu8LsmFvEUOVzzHqGQHMGm3S1Vc12sCu ++RjnTM+34wB6tPWhvqFMkrNb53StRUHfkt12tSIBdZVfl6weCfctyTwZqNNQ4yGvt ++ijpoXjXjeBTaXYaf5dQc3ZDCfKIA1JVlBIX/gwIDAQABAoIBAQDGGcWGgjrLVnUr ++qUcZOARDUW9XK9IWjZpn7xlvrmECo8552Lwp3LDNtcoVB2mhLhxG0jad7eVU6IYL ++ewNK7M+lk0lHX1yrh1Trq0I/tgN8eFyp+cj0Tw2hLcR/O0RmTGsi9tdhi/uNQPEI ++ZivNf31HHVyEyIae7FnOVpotFk6022EElQd8F8GeeKpo9pQs8sHAVOUVC8Mf2sr+ ++bFyo9nzU0XkSay72ozU9O5Iw2d5aVrN5f3NS+JG9OpzvouNwkaAMOUsLVvZlUTqY 
++0ve5CY2rB3D72h4GJfM2aHi8hwj56yBOsyIhBSXNYJM8nXKEbJaK5ulVv/a7KKTk ++KzSdk/mJAoGBAPXPLLJgx0mZKXNXqSvSsvgVzcpLrJh8figoF4rMzq8+5bN9Y6KU ++Lvb2ODIm/oGCIiGDdFTYqBJ0/EpauaAJgdzIwYnMZXmVB97pmwni9KrDPDwWTOqS ++3Yzh0t4C8DAgwZE4X6Ad/fmn7V06dfJZZJynL9exPp8RF7ptJ2yOnlbdAoGBAOqk ++AfRWuPGeZL9rFkd45+j03MDHglE2xKhsbRobHANItHo7r26D/Ov7QkM+lGlqdrNg ++tTPPtHs50Ek+Sb0X31/Fj45IqQroxctpbZAaJchVl88tvKXA8fkk14a9GLiow3Bk ++UGA5DFRmsIMXEengzRJoxcHAbbciGWdeSneH49nfAoGAVMypHcyXU8Ob8ieuu+iP ++R1i2SvC6VUy1dQMHxCGNuBVZxwcd5Ut7vEUK8/pR2LndLnScIF0x9lQXaUtNOHGv ++NEypv/EcnMoWEgfDLbD3OSXrVMtYs6ABAIYzadXXqLLUNFYfXyyZnpQZJg1x/S5r ++sENZFO8XrGaIKg9YB3JYG50CgYBUQweMpmQOKNKHRz6d9hZaOyzXcg4jeiaPUTiw ++6lFaAI8HYk2yw2VdnUKDgYKshJYR/sWz0IBAzFc3Jk42wM7vxrOx5fgGuebmEHtP ++B4TP96TnusYHRE3hKdDYSyoIjlp5Dx0qIPKDkMkMmolNUvRyCvwRgzgjTvSOgXb+ ++i+dQQwKBgQCKn04xYbhkMOiHxNP/DUf6+XmV1V7KbpjIySychbxcTKCV98c9q491 ++YjF8FJgi2JdV5XOHWaKti2Qg/tYz7CBtqkQdeNjtfKkOUA8ZyZeiNZdPIza9tzmr ++t6mCthH1oT3jyiddhSYxyfUBW3olPhBPj8YBblmq1QHE8y2j3CNjvw== + -----END RSA PRIVATE KEY----- +diff --git a/tests/certs/EdelCurlRoot-ca.prm b/tests/certs/EdelCurlRoot-ca.prm +index 4c53ef5..d0eff48 100644 +--- a/tests/certs/EdelCurlRoot-ca.prm ++++ b/tests/certs/EdelCurlRoot-ca.prm +@@ -10,7 +10,7 @@ countryName_value = NN + organizationName = "Organization Name" + organizationName_value = Edel Curl Arctic Illudium Research Cloud + commonName = "Common Name" +-commonName_value = Nothern Nowhere Trust Anchor ++commonName_value = Northern Nowhere Trust Anchor + [ x509v3 ] + basicConstraints = critical,CA:true + keyUsage = critical,keyCertSign,cRLSign +diff --git a/tests/certs/Makefile.am b/tests/certs/Makefile.am +index cd35bdf..3337276 100644 +--- a/tests/certs/Makefile.am ++++ b/tests/certs/Makefile.am +@@ -37,7 +37,6 @@ CERTFILES = \ + Server-localhost-sv.der \ + Server-localhost-sv.dhp \ + Server-localhost-sv.key \ +- Server-localhost-sv.p12 \ + Server-localhost-sv.pem \ + Server-localhost-sv.prm \ + Server-localhost.nn-sv.crl \ +@@ -54,7 +53,6 
@@ CERTFILES = \ + Server-localhost0h-sv.der \ + Server-localhost0h-sv.dhp \ + Server-localhost0h-sv.key \ +- Server-localhost0h-sv.p12 \ + Server-localhost0h-sv.pem \ + Server-localhost0h-sv.prm + +diff --git a/tests/certs/Server-localhost-sv.crl b/tests/certs/Server-localhost-sv.crl +index 804655d..3e75229 100644 +--- a/tests/certs/Server-localhost-sv.crl ++++ b/tests/certs/Server-localhost-sv.crl +@@ -1,12 +1,21 @@ + -----BEGIN X509 CRL----- +-MIIB2zCBxAIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJOTjExMC8GA1UE +-CgwoRWRlbCBDdXJsIEFyY3RpYyBJbGx1ZGl1bSBSZXNlYXJjaCBDbG91ZDElMCMG +-A1UEAwwcTm90aGVybiBOb3doZXJlIFRydXN0IEFuY2hvchcNMTAwNTI3MjEzNzEx +-WhcNMTAwNjI2MjEzNzExWjAZMBcCBguYlPl8ahcNMTAwNTI3MjEzNzExWqAOMAww +-CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADggEBAFuPZJ/cNNCeAzkSxVvPPPRX +-Wsv9T6Dt61C5Fmq9eSNN2kRf7/dq5A5nqTIlHbXXiLdj3UqNhUHXe2oA1UpbdHz9 +-0JlfwWm1Y/gMr1fh1n0oFebEtCuOgDRpd07Uiz8AqOUBykDNDUlMvVwR9raHL8hj +-NRwzugsfIxl0CvLLqrBpUWMxW3qemk4cWW39yrDdZgKo6eOZAOR3FQYlLIrw6Jcr +-Kmm0PjdcJIfRgJvNysgyx1dIIKe7QXvFTR/QzdHWIWTkiYIW7wUKSzSICvDCr094 +-eo3nr3n9BtOqT61Z1m6FGCP6Mm0wFl6xLTCNd6ygfFo7pcAdWlUsdBgKzics0Kc= ++MIIDbzCCAlcCAQEwDQYJKoZIhvcNAQEFBQAwaDELMAkGA1UEBhMCTk4xMTAvBgNV ++BAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQxJjAk ++BgNVBAMMHU5vcnRoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yFw0xNTAzMjExNTA3 ++MTFaFw0xNTA0MjAxNTA3MTFaMIIBqTAXAgYM+ly45CIXDTE1MDMyMTEzMTQ1N1ow ++FwIGDPpcwXH8Fw0xNTAzMjExMzE1NTNaMBcCBgz6XO7ujBcNMTUwMzIxMTMyMDUx ++WjAXAgYM+lzu7p0XDTE1MDMyMTEzMjA1MVowFwIGDPpc7u6uFw0xNTAzMjExMzIw ++NTFaMBcCBgz6XZyD1RcNMTUwMzIxMTMzOTQ5WjAXAgYM+l4OXa8XDTE1MDMyMTEz ++NTIxNVowFwIGDPpeJlPZFw0xNTAzMjExMzU0NTJaMBcCBgz6XiZT6hcNMTUwMzIx ++MTM1NDUyWjAXAgYM+l4mU/sXDTE1MDMyMTEzNTQ1MlowFwIGDPpemKKEFw0xNTAz ++MjExNDA3MjFaMBcCBgz6XpiilRcNMTUwMzIxMTQwNzIxWjAXAgYM+l6YoqYXDTE1 ++MDMyMTE0MDcyMVowFwIGDPpffssxFw0xNTAzMjExNDMyMzBaMBcCBgz6X37yUxcN ++MTUwMzIxMTQzMjMxWjAXAgYM+l9+8mYXDTE1MDMyMTE0MzIzMVowFwIGDPpgvFFL ++Fw0xNTAzMjExNTA3MTFaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOC 
++AQEAllslrhWUoq49PC+KQghVDAeFREP3pKPUlSebVVR8PCtCKrFtc53dUaTl8qhK ++1wOLodr80lfr2kEgzTEDt2CfXryl3orLPeMWe0OWTBsPbuwj+d7m3uq4B43laqJn ++JM5ebRvzHWMJkVNkwiXiadPTW5ZMUqu2Bs97rdcjklUrEcamf9aMLqb6sPGtU4EO ++o/GxGW2eypYwncFmzAc5W3NDRePGPhN5rUDfqm5Id4T9FKmGcNmI7qlLQi+jp23F ++V6RvrqANIemopQQ4kYGy7pzilDYm6+R+fPCIh2H/0eqCDY8NdjygXtWW+pJ58axV ++MPZ2mFPcH5UHiqmi8kRstnA8KQ== + -----END X509 CRL----- +diff --git a/tests/certs/Server-localhost-sv.crt b/tests/certs/Server-localhost-sv.crt +index 9a3d944..abf6924 100644 +--- a/tests/certs/Server-localhost-sv.crt ++++ b/tests/certs/Server-localhost-sv.crt +@@ -1,16 +1,15 @@ + Certificate: + Data: + Version: 3 (0x2) +- Serial Number: +- 0b:98:94:f9:7c:6a +- Signature Algorithm: sha1WithRSAEncryption ++ Serial Number: 14269504311627 (0xcfa60bc514b) ++ Signature Algorithm: sha1WithRSAEncryption + Issuer: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Validity +- Not Before: May 27 21:37:11 2010 GMT +- Not After : Aug 13 21:37:11 2018 GMT ++ Not Before: Mar 21 15:07:11 2015 GMT ++ Not After : Jun 7 15:07:11 2023 GMT + Subject: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +@@ -19,63 +18,63 @@ Certificate: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: +- 00:b0:27:79:26:2c:b9:e4:d1:81:0a:09:d2:76:fe: +- 9a:e1:05:68:01:b3:72:77:97:38:e4:60:1c:71:9d: +- 99:f7:26:7b:21:b5:6d:aa:9f:14:76:07:6c:a4:2a: +- 2d:7d:ee:f6:6f:8a:58:c4:93:de:fe:a1:25:0f:ff: +- 57:49:c0:d9:94:d9:07:79:bf:8c:6d:fa:f1:18:82: +- 67:a0:3f:d7:31:03:82:ec:b9:39:69:07:ec:ec:93: +- 17:5b:1a:72:91:93:b2:6b:98:66:63:fe:61:29:e7: +- ad:86:0e:04:ba:bf:8b:55:57:61:a5:4a:f6:ca:e7: +- c6:d1:b8:65:42:ab:67:64:17 ++ 00:ba:5f:4b:69:74:31:99:4d:f4:b4:b7:2a:65:b8: ++ b7:31:c1:38:cf:36:37:bb:5e:18:e3:52:1f:52:aa: ++ 5a:25:2f:0c:66:88:32:b0:ef:b2:2c:90:38:5e:6e: ++ 
6f:0e:e4:3b:3f:f0:2e:f1:7a:3d:5e:c3:64:86:3f: ++ 68:b7:cf:0b:b3:ea:0a:ca:94:16:d4:2b:6a:02:e3: ++ a1:b3:c7:d1:d0:06:b8:ff:df:dc:e0:32:2a:e7:dd: ++ 62:cc:71:c4:e8:cf:9d:de:5c:75:69:9d:b6:ce:e2: ++ 42:d8:a7:bd:50:54:78:2d:55:67:7f:00:7b:8f:9c: ++ 11:d1:9e:ce:be:1e:fe:cf:37 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:localhost + X509v3 Key Usage: +- Key Encipherment ++ Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: +- BC:69:86:84:70:3A:AD:DE:08:2A:70:C6:3B:47:8C:11:3F:E0:9A:6D ++ 7E:42:8D:AC:2E:93:AD:4C:E0:09:AC:C6:08:F1:82:E0:B7:B7:C6:7F + X509v3 Authority Key Identifier: +- keyid:AD:3E:E2:39:07:B8:5C:AA:26:90:94:4C:26:69:21:83:E2:4E:36:94 ++ keyid:12:CA:BA:4B:46:04:A7:75:8A:2C:E8:0E:54:94:BC:12:65:A6:7B:CE + +- X509v3 Basic Constraints: critical ++ X509v3 Basic Constraints: + CA:FALSE + Signature Algorithm: sha1WithRSAEncryption +- 7b:f0:b0:a0:d9:d0:91:38:9b:fe:cf:78:c8:d6:30:5d:87:9d: +- b3:b9:6e:8b:5a:73:74:93:cb:30:49:d1:00:79:9d:5a:c2:71: +- a3:93:5f:de:d3:5a:0c:fb:6d:41:83:89:1b:4f:0d:1c:65:0c: +- 1a:0c:0f:96:79:62:90:e1:74:04:dd:c6:d8:cf:0f:5f:0f:28: +- 87:d7:86:56:90:b4:d0:88:80:f1:a7:cd:fd:0b:13:58:bb:6d: +- e6:ab:44:f6:9b:d6:cc:c7:db:3d:3a:90:c4:20:72:f4:38:38: +- c0:ef:80:1d:60:3f:4e:30:40:11:56:29:70:aa:17:91:90:5f: +- 70:0b:89:51:af:17:a8:ed:20:4e:76:bb:cf:a8:88:9a:25:0f: +- 3a:96:26:17:50:2a:af:f3:8b:21:9c:cf:ff:f9:20:fc:fe:c0: +- 37:95:c7:cd:0d:7a:53:d9:26:12:38:2c:f6:03:95:1b:da:d0: +- 08:f7:32:91:07:a7:35:0c:14:00:44:c7:43:fb:23:2e:14:44: +- e6:ee:a9:c9:20:37:09:b8:ae:21:4f:4b:b7:86:4d:e3:41:84: +- 15:4e:1a:29:00:03:a8:92:99:3c:75:ea:43:0f:e3:2b:f7:17: +- b1:1b:87:80:04:d3:a7:73:b1:5e:85:38:7d:89:01:16:19:f6: +- c4:e1:1b:75 ++ 00:fe:c4:fc:4b:28:b8:bc:39:8c:6f:f1:72:d3:76:da:28:27: ++ e2:97:94:bb:ad:2f:91:c4:db:df:33:4b:48:4e:97:5b:4c:4c: ++ be:fc:e4:b7:19:5c:b8:83:6e:ef:2c:b0:d5:7c:fc:0d:cb:7e: ++ 
29:ed:fd:4d:ef:05:1c:89:15:31:78:9b:18:29:d3:37:83:c7: ++ 39:f4:78:27:b7:00:75:d1:fb:f0:29:88:79:e4:e9:a7:d4:65: ++ 04:bf:d5:a1:dc:05:b2:17:c4:a9:da:61:10:22:5f:8f:50:fc: ++ 1f:ab:f6:39:dd:ab:35:a6:94:54:63:5c:6d:25:f0:dc:3a:0a: ++ 70:4e:49:ef:be:fa:2c:0a:cd:ce:a6:2d:26:cd:f8:24:89:77: ++ 2c:ea:6e:19:b6:5c:8c:1a:08:ea:a8:9f:2c:1b:c7:fc:13:6c: ++ fe:a7:90:08:e5:98:83:30:52:86:ac:83:0b:cb:25:92:21:94: ++ 80:13:d7:e8:d0:42:56:83:55:d3:09:9b:e8:c5:96:82:15:64: ++ 6b:83:77:eb:99:e5:52:dc:1b:36:29:a0:c9:da:8b:d3:0d:77: ++ 24:f2:c3:df:2e:c4:93:e0:34:47:a9:9b:54:d3:75:d5:c7:de: ++ 88:a1:ef:7b:40:2f:dc:e9:28:8c:69:be:eb:71:4a:c2:30:50: ++ 99:36:52:69 + -----BEGIN CERTIFICATE----- +-MIIDQTCCAimgAwIBAgIGC5iU+XxqMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT ++MIIDPzCCAiegAwIBAgIGDPpgvFFLMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYT + Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo +-IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X +-DTEwMDUyNzIxMzcxMVoXDTE4MDgxMzIxMzcxMVowVDELMAkGA1UEBhMCTk4xMTAv +-BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx +-EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA +-sCd5Jiy55NGBCgnSdv6a4QVoAbNyd5c45GAccZ2Z9yZ7IbVtqp8UdgdspCotfe72 +-b4pYxJPe/qElD/9XScDZlNkHeb+MbfrxGIJnoD/XMQOC7Lk5aQfs7JMXWxpykZOy +-a5hmY/5hKeethg4Eur+LVVdhpUr2yufG0bhlQqtnZBcCAwEAAaOBiTCBhjAUBgNV +-HREEDTALgglsb2NhbGhvc3QwCwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUF +-BwMBMB0GA1UdDgQWBBS8aYaEcDqt3ggqcMY7R4wRP+CabTAfBgNVHSMEGDAWgBSt +-PuI5B7hcqiaQlEwmaSGD4k42lDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUA +-A4IBAQB78LCg2dCROJv+z3jI1jBdh52zuW6LWnN0k8swSdEAeZ1awnGjk1/e01oM +-+21Bg4kbTw0cZQwaDA+WeWKQ4XQE3cbYzw9fDyiH14ZWkLTQiIDxp839CxNYu23m +-q0T2m9bMx9s9OpDEIHL0ODjA74AdYD9OMEARVilwqheRkF9wC4lRrxeo7SBOdrvP +-qIiaJQ86liYXUCqv84shnM//+SD8/sA3lcfNDXpT2SYSOCz2A5Ub2tAI9zKRB6c1 +-DBQARMdD+yMuFETm7qnJIDcJuK4hT0u3hk3jQYQVThopAAOokpk8depDD+Mr9xex +-G4eABNOnc7FehTh9iQEWGfbE4Rt1 ++IENsb3VkMSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjAe 
++Fw0xNTAzMjExNTA3MTFaFw0yMzA2MDcxNTA3MTFaMFQxCzAJBgNVBAYTAk5OMTEw ++LwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNoIENsb3Vk ++MRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB ++ALpfS2l0MZlN9LS3KmW4tzHBOM82N7teGONSH1KqWiUvDGaIMrDvsiyQOF5ubw7k ++Oz/wLvF6PV7DZIY/aLfPC7PqCsqUFtQragLjobPH0dAGuP/f3OAyKufdYsxxxOjP ++nd5cdWmdts7iQtinvVBUeC1VZ38Ae4+cEdGezr4e/s83AgMBAAGjgYYwgYMwFAYD ++VR0RBA0wC4IJbG9jYWxob3N0MAsGA1UdDwQEAwIDqDATBgNVHSUEDDAKBggrBgEF ++BQcDATAdBgNVHQ4EFgQUfkKNrC6TrUzgCazGCPGC4Le3xn8wHwYDVR0jBBgwFoAU ++Esq6S0YEp3WKLOgOVJS8EmWme84wCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOC ++AQEAAP7E/EsouLw5jG/xctN22ign4peUu60vkcTb3zNLSE6XW0xMvvzktxlcuINu ++7yyw1Xz8Dct+Ke39Te8FHIkVMXibGCnTN4PHOfR4J7cAddH78CmIeeTpp9RlBL/V ++odwFshfEqdphECJfj1D8H6v2Od2rNaaUVGNcbSXw3DoKcE5J7776LArNzqYtJs34 ++JIl3LOpuGbZcjBoI6qifLBvH/BNs/qeQCOWYgzBShqyDC8slkiGUgBPX6NBCVoNV ++0wmb6MWWghVka4N365nlUtwbNimgydqL0w13JPLD3y7Ek+A0R6mbVNN11cfeiKHv ++e0Av3OkojGm+63FKwjBQmTZSaQ== + -----END CERTIFICATE----- +diff --git a/tests/certs/Server-localhost-sv.csr b/tests/certs/Server-localhost-sv.csr +index a8773f5..f919409 100644 +--- a/tests/certs/Server-localhost-sv.csr ++++ b/tests/certs/Server-localhost-sv.csr +@@ -1,11 +1,11 @@ + -----BEGIN CERTIFICATE REQUEST----- + MIIBkzCB/QIBADBUMQswCQYDVQQGEwJOTjExMC8GA1UECgwoRWRlbCBDdXJsIEFy + Y3RpYyBJbGx1ZGl1bSBSZXNlYXJjaCBDbG91ZDESMBAGA1UEAwwJbG9jYWxob3N0 +-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwJ3kmLLnk0YEKCdJ2/prhBWgB +-s3J3lzjkYBxxnZn3JnshtW2qnxR2B2ykKi197vZviljEk97+oSUP/1dJwNmU2Qd5 +-v4xt+vEYgmegP9cxA4LsuTlpB+zskxdbGnKRk7JrmGZj/mEp562GDgS6v4tVV2Gl +-SvbK58bRuGVCq2dkFwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEAlIivGkhU8iph +-eZQAaiwakIwPx1TPA3+Dl4tbStTr3Ludd8rjZMGPRXKU+wjvfhCmDlyk90yOun2C +-lPIT8W/ibXNgRF1vz+eFofjM0hZtNPOX4G18wwD5y0OTr7obyqJPKAZsJZh6L3YE +-aARr27RCoFv92hFwVr181wAU+bVCekA= ++MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6X0tpdDGZTfS0typluLcxwTjP ++Nje7XhjjUh9SqlolLwxmiDKw77IskDhebm8O5Ds/8C7xej1ew2SGP2i3zwuz6grK 
++lBbUK2oC46Gzx9HQBrj/39zgMirn3WLMccToz53eXHVpnbbO4kLYp71QVHgtVWd/ ++AHuPnBHRns6+Hv7PNwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEAsJ+ypJAE5YiR ++A1niVNXKoqXmIQsXGJv9BA39AjT+cdqvdd+WTKCaZ9QXucDArhG9B9Dp66bfSgvT ++WVz6F85ju5HQekZrS2ZxdR1+muWAFE/vDgi22QwTysXvTWUfsqBQ0ZGEmdzyPJJq ++7AGzbAWx8JDhgGg2jStvQJBLhtYxhoY= + -----END CERTIFICATE REQUEST----- +diff --git a/tests/certs/Server-localhost-sv.dhp b/tests/certs/Server-localhost-sv.dhp +index b61c28b..e69de29 100644 +--- a/tests/certs/Server-localhost-sv.dhp ++++ b/tests/certs/Server-localhost-sv.dhp +@@ -1,5 +0,0 @@ +------BEGIN DH PARAMETERS----- +-MIGHAoGBAP5mA7oYimErFUulbvNC8V0HwyB62NCj6TZb6YXJwElCksQc8RyHnkrY +-9Wx2+lduFqHjUWalgVF7Gma7CfR/pt+fiU6Jn2vWR2v7KT6hYeRKsJrONJlth+NK +-V7/d4zyvleJ/VSp0TuuSxmMMQ6hG3i5YhSGXyCh4h0pl4Wu/hdVTAgEC +------END DH PARAMETERS----- +diff --git a/tests/certs/Server-localhost-sv.key b/tests/certs/Server-localhost-sv.key +index 8ade26a..3540179 100644 +--- a/tests/certs/Server-localhost-sv.key ++++ b/tests/certs/Server-localhost-sv.key +@@ -1,15 +1,15 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIICXQIBAAKBgQCwJ3kmLLnk0YEKCdJ2/prhBWgBs3J3lzjkYBxxnZn3JnshtW2q +-nxR2B2ykKi197vZviljEk97+oSUP/1dJwNmU2Qd5v4xt+vEYgmegP9cxA4LsuTlp +-B+zskxdbGnKRk7JrmGZj/mEp562GDgS6v4tVV2GlSvbK58bRuGVCq2dkFwIDAQAB +-AoGBAKa0JHWZHC9MiSa71t5f4qiTGjOJ5AkDJocR4bkv4dZAJ4TmEqvGsnFkY08U +-z0p/i95Q+eLG4eDtFYsHJU8Z343odktK99BUJzkDzqWT9RMzJ5Ykx6LbldJyW5NN +-IwvhDuW3rq8fbCMr+NGe9chc1Rg2lrfeEJDwjki/drBQs7zpAkEA3R6QEcuST7Gq +-JzjfU9uLD2tHLYZFNzS4dm4PvwC2aK7OdEOm7VkXFwUyP97QjwPV7fabrQ2QjwGg +-ek+nVEdH9QJBAMvxFickez9eqgiMfZbfY8t5I+Dxz69ZVGsPvl/6xhiUvgxjREM7 +-EnScf86HwlBnteoUtMptAKu7Dbq5inPbkFsCQCV8FuRNZGJKNhQsGf/3Sd21S/21 +-s2omb9bz1YuFrWaVq74d8eBup/FpGhmlxilYdx2+Hqn5kLYNiozxj+ZDpzkCQQC8 +-7VJAYKNsSR3rXXra0Yd5b3e1Y02qe26g36zU7VOmYeTNRQhv38FxFamwgkOYiPsV +-Jql0/RWqAVburAN+4OARAkB9FwUtKyhs7FM4N9bXi+c8m42hkBv+dSim534tPijS +-UCcCONLEQTv4yjlCOwTKMVDoajkWH1A2e7psTmIR+zwc ++MIICXgIBAAKBgQC6X0tpdDGZTfS0typluLcxwTjPNje7XhjjUh9SqlolLwxmiDKw 
++77IskDhebm8O5Ds/8C7xej1ew2SGP2i3zwuz6grKlBbUK2oC46Gzx9HQBrj/39zg ++Mirn3WLMccToz53eXHVpnbbO4kLYp71QVHgtVWd/AHuPnBHRns6+Hv7PNwIDAQAB ++AoGBAJdWRGVIPfJP1BJe3eWl3dRgI2JXk1/pY+pLSDYXMIYbM0Wa+RamPRdksPE1 ++WadM+zPLNENP0L+/iERe/wiq7sNxKQLwH5eE3tUxC+iC8GO6gQ2zHaWVNu3R79CM ++t8YZhlmG2o+xC4CGYzuITgPE16m24CYauLZHO/YVDzG6yNApAkEA6K0db5bZmIaU ++TJW/jEnPJSubDx8kE1YncTOAKaAeoJwaaSfFphVKNGNrZHu3jBhKFgVNBNxGUWrW ++0pIkDrb3hQJBAM0N7+ghZ/7vaOoKqYHQI2z8SgPsUjQjmubCBALe/Ys3kg9PPpyz ++umJSAOYjC4X1dSlkAkciJqRS0Y6uKgSH4osCQQCVIWftft1GsnNYxt43t5MKOvGu ++doIz1pN/LcgmZddbj9IptfErqxedjl9lzxnstCDADnO3+ssjIfxAiKSNvd3VAkA3 ++3yFMTbXpZ9BdXPRc05qjeoasVPr9C+qMD7dKFPpesZCRrVTxG6OgYJmwG0JriLsY ++wRBB05NV2N8SknAOdfwLAkEAw5Hqxc/Xlh6xhy9tBdJXDtuptV10mg6EbO98x9/7 ++gyuAArSguhXna+aRqjLRelCwVB9f9aZ1XVoDKWVCsnfCbQ== + -----END RSA PRIVATE KEY----- +diff --git a/tests/certs/Server-localhost-sv.pem b/tests/certs/Server-localhost-sv.pem +index 86b48b3..6ef1fd5 100644 +--- a/tests/certs/Server-localhost-sv.pem ++++ b/tests/certs/Server-localhost-sv.pem +@@ -1,11 +1,11 @@ + extensions = x509v3 + [ x509v3 ] + subjectAltName = DNS:localhost +-keyUsage = keyEncipherment ++keyUsage = keyEncipherment,digitalSignature,keyAgreement + extendedKeyUsage = serverAuth + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid +-basicConstraints = critical,CA:false ++basicConstraints = CA:false + [ req ] + default_bits = 1024 + distinguished_name = req_DN +@@ -24,33 +24,32 @@ commonName_value = localhost + # the certficate + # some dhparam + -----BEGIN RSA PRIVATE KEY----- +-MIICXQIBAAKBgQCwJ3kmLLnk0YEKCdJ2/prhBWgBs3J3lzjkYBxxnZn3JnshtW2q +-nxR2B2ykKi197vZviljEk97+oSUP/1dJwNmU2Qd5v4xt+vEYgmegP9cxA4LsuTlp +-B+zskxdbGnKRk7JrmGZj/mEp562GDgS6v4tVV2GlSvbK58bRuGVCq2dkFwIDAQAB +-AoGBAKa0JHWZHC9MiSa71t5f4qiTGjOJ5AkDJocR4bkv4dZAJ4TmEqvGsnFkY08U +-z0p/i95Q+eLG4eDtFYsHJU8Z343odktK99BUJzkDzqWT9RMzJ5Ykx6LbldJyW5NN +-IwvhDuW3rq8fbCMr+NGe9chc1Rg2lrfeEJDwjki/drBQs7zpAkEA3R6QEcuST7Gq 
+-JzjfU9uLD2tHLYZFNzS4dm4PvwC2aK7OdEOm7VkXFwUyP97QjwPV7fabrQ2QjwGg +-ek+nVEdH9QJBAMvxFickez9eqgiMfZbfY8t5I+Dxz69ZVGsPvl/6xhiUvgxjREM7 +-EnScf86HwlBnteoUtMptAKu7Dbq5inPbkFsCQCV8FuRNZGJKNhQsGf/3Sd21S/21 +-s2omb9bz1YuFrWaVq74d8eBup/FpGhmlxilYdx2+Hqn5kLYNiozxj+ZDpzkCQQC8 +-7VJAYKNsSR3rXXra0Yd5b3e1Y02qe26g36zU7VOmYeTNRQhv38FxFamwgkOYiPsV +-Jql0/RWqAVburAN+4OARAkB9FwUtKyhs7FM4N9bXi+c8m42hkBv+dSim534tPijS +-UCcCONLEQTv4yjlCOwTKMVDoajkWH1A2e7psTmIR+zwc ++MIICXgIBAAKBgQC6X0tpdDGZTfS0typluLcxwTjPNje7XhjjUh9SqlolLwxmiDKw ++77IskDhebm8O5Ds/8C7xej1ew2SGP2i3zwuz6grKlBbUK2oC46Gzx9HQBrj/39zg ++Mirn3WLMccToz53eXHVpnbbO4kLYp71QVHgtVWd/AHuPnBHRns6+Hv7PNwIDAQAB ++AoGBAJdWRGVIPfJP1BJe3eWl3dRgI2JXk1/pY+pLSDYXMIYbM0Wa+RamPRdksPE1 ++WadM+zPLNENP0L+/iERe/wiq7sNxKQLwH5eE3tUxC+iC8GO6gQ2zHaWVNu3R79CM ++t8YZhlmG2o+xC4CGYzuITgPE16m24CYauLZHO/YVDzG6yNApAkEA6K0db5bZmIaU ++TJW/jEnPJSubDx8kE1YncTOAKaAeoJwaaSfFphVKNGNrZHu3jBhKFgVNBNxGUWrW ++0pIkDrb3hQJBAM0N7+ghZ/7vaOoKqYHQI2z8SgPsUjQjmubCBALe/Ys3kg9PPpyz ++umJSAOYjC4X1dSlkAkciJqRS0Y6uKgSH4osCQQCVIWftft1GsnNYxt43t5MKOvGu ++doIz1pN/LcgmZddbj9IptfErqxedjl9lzxnstCDADnO3+ssjIfxAiKSNvd3VAkA3 ++3yFMTbXpZ9BdXPRc05qjeoasVPr9C+qMD7dKFPpesZCRrVTxG6OgYJmwG0JriLsY ++wRBB05NV2N8SknAOdfwLAkEAw5Hqxc/Xlh6xhy9tBdJXDtuptV10mg6EbO98x9/7 ++gyuAArSguhXna+aRqjLRelCwVB9f9aZ1XVoDKWVCsnfCbQ== + -----END RSA PRIVATE KEY----- + Certificate: + Data: + Version: 3 (0x2) +- Serial Number: +- 0b:98:94:f9:7c:6a +- Signature Algorithm: sha1WithRSAEncryption ++ Serial Number: 14269504311627 (0xcfa60bc514b) ++ Signature Algorithm: sha1WithRSAEncryption + Issuer: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Validity +- Not Before: May 27 21:37:11 2010 GMT +- Not After : Aug 13 21:37:11 2018 GMT ++ Not Before: Mar 21 15:07:11 2015 GMT ++ Not After : Jun 7 15:07:11 2023 GMT + Subject: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research 
Cloud +@@ -59,68 +58,63 @@ Certificate: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: +- 00:b0:27:79:26:2c:b9:e4:d1:81:0a:09:d2:76:fe: +- 9a:e1:05:68:01:b3:72:77:97:38:e4:60:1c:71:9d: +- 99:f7:26:7b:21:b5:6d:aa:9f:14:76:07:6c:a4:2a: +- 2d:7d:ee:f6:6f:8a:58:c4:93:de:fe:a1:25:0f:ff: +- 57:49:c0:d9:94:d9:07:79:bf:8c:6d:fa:f1:18:82: +- 67:a0:3f:d7:31:03:82:ec:b9:39:69:07:ec:ec:93: +- 17:5b:1a:72:91:93:b2:6b:98:66:63:fe:61:29:e7: +- ad:86:0e:04:ba:bf:8b:55:57:61:a5:4a:f6:ca:e7: +- c6:d1:b8:65:42:ab:67:64:17 ++ 00:ba:5f:4b:69:74:31:99:4d:f4:b4:b7:2a:65:b8: ++ b7:31:c1:38:cf:36:37:bb:5e:18:e3:52:1f:52:aa: ++ 5a:25:2f:0c:66:88:32:b0:ef:b2:2c:90:38:5e:6e: ++ 6f:0e:e4:3b:3f:f0:2e:f1:7a:3d:5e:c3:64:86:3f: ++ 68:b7:cf:0b:b3:ea:0a:ca:94:16:d4:2b:6a:02:e3: ++ a1:b3:c7:d1:d0:06:b8:ff:df:dc:e0:32:2a:e7:dd: ++ 62:cc:71:c4:e8:cf:9d:de:5c:75:69:9d:b6:ce:e2: ++ 42:d8:a7:bd:50:54:78:2d:55:67:7f:00:7b:8f:9c: ++ 11:d1:9e:ce:be:1e:fe:cf:37 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:localhost + X509v3 Key Usage: +- Key Encipherment ++ Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: +- BC:69:86:84:70:3A:AD:DE:08:2A:70:C6:3B:47:8C:11:3F:E0:9A:6D ++ 7E:42:8D:AC:2E:93:AD:4C:E0:09:AC:C6:08:F1:82:E0:B7:B7:C6:7F + X509v3 Authority Key Identifier: +- keyid:AD:3E:E2:39:07:B8:5C:AA:26:90:94:4C:26:69:21:83:E2:4E:36:94 ++ keyid:12:CA:BA:4B:46:04:A7:75:8A:2C:E8:0E:54:94:BC:12:65:A6:7B:CE + +- X509v3 Basic Constraints: critical ++ X509v3 Basic Constraints: + CA:FALSE + Signature Algorithm: sha1WithRSAEncryption +- 7b:f0:b0:a0:d9:d0:91:38:9b:fe:cf:78:c8:d6:30:5d:87:9d: +- b3:b9:6e:8b:5a:73:74:93:cb:30:49:d1:00:79:9d:5a:c2:71: +- a3:93:5f:de:d3:5a:0c:fb:6d:41:83:89:1b:4f:0d:1c:65:0c: +- 1a:0c:0f:96:79:62:90:e1:74:04:dd:c6:d8:cf:0f:5f:0f:28: +- 87:d7:86:56:90:b4:d0:88:80:f1:a7:cd:fd:0b:13:58:bb:6d: +- 
e6:ab:44:f6:9b:d6:cc:c7:db:3d:3a:90:c4:20:72:f4:38:38: +- c0:ef:80:1d:60:3f:4e:30:40:11:56:29:70:aa:17:91:90:5f: +- 70:0b:89:51:af:17:a8:ed:20:4e:76:bb:cf:a8:88:9a:25:0f: +- 3a:96:26:17:50:2a:af:f3:8b:21:9c:cf:ff:f9:20:fc:fe:c0: +- 37:95:c7:cd:0d:7a:53:d9:26:12:38:2c:f6:03:95:1b:da:d0: +- 08:f7:32:91:07:a7:35:0c:14:00:44:c7:43:fb:23:2e:14:44: +- e6:ee:a9:c9:20:37:09:b8:ae:21:4f:4b:b7:86:4d:e3:41:84: +- 15:4e:1a:29:00:03:a8:92:99:3c:75:ea:43:0f:e3:2b:f7:17: +- b1:1b:87:80:04:d3:a7:73:b1:5e:85:38:7d:89:01:16:19:f6: +- c4:e1:1b:75 ++ 00:fe:c4:fc:4b:28:b8:bc:39:8c:6f:f1:72:d3:76:da:28:27: ++ e2:97:94:bb:ad:2f:91:c4:db:df:33:4b:48:4e:97:5b:4c:4c: ++ be:fc:e4:b7:19:5c:b8:83:6e:ef:2c:b0:d5:7c:fc:0d:cb:7e: ++ 29:ed:fd:4d:ef:05:1c:89:15:31:78:9b:18:29:d3:37:83:c7: ++ 39:f4:78:27:b7:00:75:d1:fb:f0:29:88:79:e4:e9:a7:d4:65: ++ 04:bf:d5:a1:dc:05:b2:17:c4:a9:da:61:10:22:5f:8f:50:fc: ++ 1f:ab:f6:39:dd:ab:35:a6:94:54:63:5c:6d:25:f0:dc:3a:0a: ++ 70:4e:49:ef:be:fa:2c:0a:cd:ce:a6:2d:26:cd:f8:24:89:77: ++ 2c:ea:6e:19:b6:5c:8c:1a:08:ea:a8:9f:2c:1b:c7:fc:13:6c: ++ fe:a7:90:08:e5:98:83:30:52:86:ac:83:0b:cb:25:92:21:94: ++ 80:13:d7:e8:d0:42:56:83:55:d3:09:9b:e8:c5:96:82:15:64: ++ 6b:83:77:eb:99:e5:52:dc:1b:36:29:a0:c9:da:8b:d3:0d:77: ++ 24:f2:c3:df:2e:c4:93:e0:34:47:a9:9b:54:d3:75:d5:c7:de: ++ 88:a1:ef:7b:40:2f:dc:e9:28:8c:69:be:eb:71:4a:c2:30:50: ++ 99:36:52:69 + -----BEGIN CERTIFICATE----- +-MIIDQTCCAimgAwIBAgIGC5iU+XxqMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT ++MIIDPzCCAiegAwIBAgIGDPpgvFFLMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYT + Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo +-IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X +-DTEwMDUyNzIxMzcxMVoXDTE4MDgxMzIxMzcxMVowVDELMAkGA1UEBhMCTk4xMTAv +-BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx +-EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA +-sCd5Jiy55NGBCgnSdv6a4QVoAbNyd5c45GAccZ2Z9yZ7IbVtqp8UdgdspCotfe72 +-b4pYxJPe/qElD/9XScDZlNkHeb+MbfrxGIJnoD/XMQOC7Lk5aQfs7JMXWxpykZOy 
+-a5hmY/5hKeethg4Eur+LVVdhpUr2yufG0bhlQqtnZBcCAwEAAaOBiTCBhjAUBgNV +-HREEDTALgglsb2NhbGhvc3QwCwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUF +-BwMBMB0GA1UdDgQWBBS8aYaEcDqt3ggqcMY7R4wRP+CabTAfBgNVHSMEGDAWgBSt +-PuI5B7hcqiaQlEwmaSGD4k42lDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUA +-A4IBAQB78LCg2dCROJv+z3jI1jBdh52zuW6LWnN0k8swSdEAeZ1awnGjk1/e01oM +-+21Bg4kbTw0cZQwaDA+WeWKQ4XQE3cbYzw9fDyiH14ZWkLTQiIDxp839CxNYu23m +-q0T2m9bMx9s9OpDEIHL0ODjA74AdYD9OMEARVilwqheRkF9wC4lRrxeo7SBOdrvP +-qIiaJQ86liYXUCqv84shnM//+SD8/sA3lcfNDXpT2SYSOCz2A5Ub2tAI9zKRB6c1 +-DBQARMdD+yMuFETm7qnJIDcJuK4hT0u3hk3jQYQVThopAAOokpk8depDD+Mr9xex +-G4eABNOnc7FehTh9iQEWGfbE4Rt1 ++IENsb3VkMSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjAe ++Fw0xNTAzMjExNTA3MTFaFw0yMzA2MDcxNTA3MTFaMFQxCzAJBgNVBAYTAk5OMTEw ++LwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNoIENsb3Vk ++MRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB ++ALpfS2l0MZlN9LS3KmW4tzHBOM82N7teGONSH1KqWiUvDGaIMrDvsiyQOF5ubw7k ++Oz/wLvF6PV7DZIY/aLfPC7PqCsqUFtQragLjobPH0dAGuP/f3OAyKufdYsxxxOjP ++nd5cdWmdts7iQtinvVBUeC1VZ38Ae4+cEdGezr4e/s83AgMBAAGjgYYwgYMwFAYD ++VR0RBA0wC4IJbG9jYWxob3N0MAsGA1UdDwQEAwIDqDATBgNVHSUEDDAKBggrBgEF ++BQcDATAdBgNVHQ4EFgQUfkKNrC6TrUzgCazGCPGC4Le3xn8wHwYDVR0jBBgwFoAU ++Esq6S0YEp3WKLOgOVJS8EmWme84wCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOC ++AQEAAP7E/EsouLw5jG/xctN22ign4peUu60vkcTb3zNLSE6XW0xMvvzktxlcuINu ++7yyw1Xz8Dct+Ke39Te8FHIkVMXibGCnTN4PHOfR4J7cAddH78CmIeeTpp9RlBL/V ++odwFshfEqdphECJfj1D8H6v2Od2rNaaUVGNcbSXw3DoKcE5J7776LArNzqYtJs34 ++JIl3LOpuGbZcjBoI6qifLBvH/BNs/qeQCOWYgzBShqyDC8slkiGUgBPX6NBCVoNV ++0wmb6MWWghVka4N365nlUtwbNimgydqL0w13JPLD3y7Ek+A0R6mbVNN11cfeiKHv ++e0Av3OkojGm+63FKwjBQmTZSaQ== + -----END CERTIFICATE----- +------BEGIN DH PARAMETERS----- +-MIGHAoGBAP5mA7oYimErFUulbvNC8V0HwyB62NCj6TZb6YXJwElCksQc8RyHnkrY +-9Wx2+lduFqHjUWalgVF7Gma7CfR/pt+fiU6Jn2vWR2v7KT6hYeRKsJrONJlth+NK +-V7/d4zyvleJ/VSp0TuuSxmMMQ6hG3i5YhSGXyCh4h0pl4Wu/hdVTAgEC +------END DH PARAMETERS----- +diff --git 
a/tests/certs/Server-localhost-sv.prm b/tests/certs/Server-localhost-sv.prm +index 6351025..97e64ce 100644 +--- a/tests/certs/Server-localhost-sv.prm ++++ b/tests/certs/Server-localhost-sv.prm +@@ -1,11 +1,11 @@ + extensions = x509v3 + [ x509v3 ] + subjectAltName = DNS:localhost +-keyUsage = keyEncipherment ++keyUsage = keyEncipherment,digitalSignature,keyAgreement + extendedKeyUsage = serverAuth + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid +-basicConstraints = critical,CA:false ++basicConstraints = CA:false + [ req ] + default_bits = 1024 + distinguished_name = req_DN +diff --git a/tests/certs/Server-localhost.nn-sv.crl b/tests/certs/Server-localhost.nn-sv.crl +index db40831..0676f73 100644 +--- a/tests/certs/Server-localhost.nn-sv.crl ++++ b/tests/certs/Server-localhost.nn-sv.crl +@@ -1,13 +1,21 @@ + -----BEGIN X509 CRL----- +-MIIB9DCB3QIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJOTjExMC8GA1UE +-CgwoRWRlbCBDdXJsIEFyY3RpYyBJbGx1ZGl1bSBSZXNlYXJjaCBDbG91ZDElMCMG +-A1UEAwwcTm90aGVybiBOb3doZXJlIFRydXN0IEFuY2hvchcNMTAwNTI3MjEzNzI0 +-WhcNMTAwNjI2MjEzNzI0WjAyMBcCBguYlPl8ahcNMTAwNTI3MjEzNzExWjAXAgYL +-mJT7eF8XDTEwMDUyNzIxMzcyNFqgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB +-BQUAA4IBAQCo8mBpkZqiYWJMkJsZ1qqqOqVRne4iWhPOJSDGDgxoCTA4RgN1sQUv +-/MxO2LgSEyo9GopCpgWlhig+wzQmYCUf7HDw8sLzClUG4XUKRSW2Uq6q5BF5fwIu +-vHksi/RIPdcMx/+3dGIFeoccZZd5o7xgryGySAN6wHy6lY7LeeW7acpaDU43D7yi +-wQipBczrlH/jJDy6ja5FFBrAvvyRc4zC2X1/Rh3f0vNqnX9PLC524HxRmasCKYM8 +-vgcPbvJ7Z/HRGOYRu9vTp5X0+lPPj24WE8vX3AZdjyI6qpinHzrsYen/qs6c0v3k +-FKYuzuVlUAy+5aZDhx+GHr+KW+y2T/ol ++MIIDiDCCAnACAQEwDQYJKoZIhvcNAQEFBQAwaDELMAkGA1UEBhMCTk4xMTAvBgNV ++BAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQxJjAk ++BgNVBAMMHU5vcnRoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yFw0xNTAzMjExNTA3 ++MTFaFw0xNTA0MjAxNTA3MTFaMIIBwjAXAgYM+ly45CIXDTE1MDMyMTEzMTQ1N1ow ++FwIGDPpcwXH8Fw0xNTAzMjExMzE1NTNaMBcCBgz6XO7ujBcNMTUwMzIxMTMyMDUx ++WjAXAgYM+lzu7p0XDTE1MDMyMTEzMjA1MVowFwIGDPpc7u6uFw0xNTAzMjExMzIw 
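Review bot: `default_bits = 1024` stays unchanged in the `[ req ]` section of this hunk even though the keys and certificates are regenerated with validity into 2023, so the new fixtures are still 1024-bit RSA; I would change it to `default_bits = 2048`. The regenerated `.crt` sections in this patch also still report `sha1WithRSAEncryption`, which presumably comes from the generation script rather than this file, and TLS libraries with stricter default policies may refuse such certificates. Separately, as far as I can tell the added `keyAgreement` bit is not among the key usages RFC 3279 lists for an RSA key, so `keyUsage = keyEncipherment,digitalSignature` would probably do, with a comment such as `# digitalSignature: needed when the server signs (EC)DHE parameters`. The same lines are repeated in the bundled `Server-localhost-sv.pem` and `Server-localhost.nn-sv.pem` hunks, and the `[ req ]` section continues outside this hunk.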
++NTFaMBcCBgz6XZyD1RcNMTUwMzIxMTMzOTQ5WjAXAgYM+l4OXa8XDTE1MDMyMTEz ++NTIxNVowFwIGDPpeJlPZFw0xNTAzMjExMzU0NTJaMBcCBgz6XiZT6hcNMTUwMzIx ++MTM1NDUyWjAXAgYM+l4mU/sXDTE1MDMyMTEzNTQ1MlowFwIGDPpemKKEFw0xNTAz ++MjExNDA3MjFaMBcCBgz6XpiilRcNMTUwMzIxMTQwNzIxWjAXAgYM+l6YoqYXDTE1 ++MDMyMTE0MDcyMVowFwIGDPpffssxFw0xNTAzMjExNDMyMzBaMBcCBgz6X37yUxcN ++MTUwMzIxMTQzMjMxWjAXAgYM+l9+8mYXDTE1MDMyMTE0MzIzMVowFwIGDPpgvFFL ++Fw0xNTAzMjExNTA3MTFaMBcCBgz6YLxRXBcNMTUwMzIxMTUwNzExWqAOMAwwCgYD ++VR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADggEBANd1Fp3lPmLALcGvEB4kB4Uo6vhM ++ZWcAUE96oerpW0OnZ6v7o8ghLvs/pJfIoD+7hV3RuAgUUBqv2N8VTaL2IYarom/H ++CK78oLrIwwej/7K1pIfG53bJuaYyim5Lpl/YzGwhdC2vO2kBXHC1gVj5hN3uM/2A +++cFPTDMsDU7szGq1bHObEKumXXzG5LfwGJGaHNGdvglV7zKthRjk/plYKE4/F0Ah ++jRQys6crClCKC5vug1GbzKbQue/Pbw1e3Rm/e0DVeOCREdvcHat43SIPf5yUYLsz ++b7P7pIOIoSgiIgEdbmj2pi1xdtxrYRyJJk0H7XQJHDehkyZsy6l62mKam/E= + -----END X509 CRL----- +diff --git a/tests/certs/Server-localhost.nn-sv.crt b/tests/certs/Server-localhost.nn-sv.crt +index 722aeeb..69bd40d 100644 +--- a/tests/certs/Server-localhost.nn-sv.crt ++++ b/tests/certs/Server-localhost.nn-sv.crt +@@ -1,16 +1,15 @@ + Certificate: + Data: + Version: 3 (0x2) +- Serial Number: +- 0b:98:94:fb:78:5f +- Signature Algorithm: sha1WithRSAEncryption ++ Serial Number: 14269504311644 (0xcfa60bc515c) ++ Signature Algorithm: sha1WithRSAEncryption + Issuer: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Validity +- Not Before: May 27 21:37:24 2010 GMT +- Not After : Aug 13 21:37:24 2018 GMT ++ Not Before: Mar 21 15:07:11 2015 GMT ++ Not After : Jun 7 15:07:11 2023 GMT + Subject: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +@@ -19,63 +18,63 @@ Certificate: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: +- 00:d3:d4:4e:db:63:5c:3f:3a:3a:5e:38:09:94:e6: +- 4d:70:9d:0d:af:49:e6:82:5d:07:b7:f5:cd:a0:df: 
+- af:71:f1:cf:bf:d5:9a:bd:af:7c:78:5d:55:3f:14: +- bd:bb:2c:0e:73:9d:d6:82:9a:d5:e6:f6:21:5d:08: +- 92:a2:71:5f:80:5f:5c:ce:f0:c2:37:37:79:0f:4d: +- 3d:d4:f2:80:6d:47:36:45:d1:d2:8b:7a:2e:12:71: +- 4b:47:86:f5:8c:99:af:e7:0e:cf:b5:c9:4d:7a:75: +- f7:b2:74:0c:41:e3:ab:bb:2c:9d:6f:54:08:13:5a: +- 3a:ef:7c:27:f7:3f:0b:0b:71 ++ 00:ac:cc:11:70:74:29:ed:7b:00:44:8a:c0:47:03: ++ 50:9d:6f:51:b7:c9:7b:dd:7e:ee:29:67:5b:91:9b: ++ c7:c5:e6:9d:59:3e:6b:33:25:b7:7c:39:7c:84:79: ++ dd:15:98:e7:27:63:93:10:3a:3a:40:a0:dd:d0:1e: ++ 6e:60:f4:1e:a4:f7:1e:0a:0b:84:44:77:e7:05:16: ++ 39:aa:de:bd:1e:c7:bc:c9:e1:4e:8c:86:1c:3f:d6: ++ cd:e3:f2:68:02:5b:17:53:49:51:29:a8:89:f3:d0: ++ e1:5e:71:07:9f:15:47:08:40:e9:ac:49:e4:21:ac: ++ 65:29:09:ca:a2:dc:9e:ab:89 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:localhost.nn + X509v3 Key Usage: +- Key Encipherment ++ Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: +- 81:26:F9:75:CC:9C:2D:3C:36:64:68:41:F7:07:3C:66:86:E5:4A:C1 ++ 12:AF:44:46:B1:04:69:61:64:83:39:A2:BD:5D:97:2B:F4:1D:D4:6C + X509v3 Authority Key Identifier: +- keyid:AD:3E:E2:39:07:B8:5C:AA:26:90:94:4C:26:69:21:83:E2:4E:36:94 ++ keyid:12:CA:BA:4B:46:04:A7:75:8A:2C:E8:0E:54:94:BC:12:65:A6:7B:CE + +- X509v3 Basic Constraints: critical ++ X509v3 Basic Constraints: + CA:FALSE + Signature Algorithm: sha1WithRSAEncryption +- 65:05:8c:48:14:58:8c:1a:d4:95:67:1c:29:52:ed:5a:6e:14: +- 41:bc:2b:16:20:c4:89:3a:6e:cb:c1:ff:ab:61:79:5f:ce:27: +- 93:3c:ff:29:7a:25:68:00:27:04:f3:68:17:30:f0:fd:ff:09: +- 0e:15:2a:25:b1:45:18:93:ab:12:8e:0c:13:11:9a:b8:a4:75: +- d0:17:1b:ca:f2:66:6b:73:15:dd:8b:bb:34:d6:70:dc:34:1b: +- e7:7a:30:ea:50:50:2f:88:67:b3:f8:b3:55:62:44:7e:3e:df: +- 59:4f:a8:57:83:40:9f:bf:52:bf:fd:2c:18:6e:bd:0c:41:b7: +- 78:1c:9b:fa:c4:ff:c3:2b:46:a4:8f:0c:19:a7:3d:75:81:29: +- 6b:cf:07:f0:1d:65:d4:0e:19:51:87:92:a8:3d:7e:80:04:84: +- 
ad:5e:4e:b6:ef:9a:02:c3:84:95:ec:c3:e8:a1:69:1f:42:cb: +- da:63:1a:35:6f:d0:ba:62:9e:73:36:63:58:0f:cc:25:c8:59: +- 73:df:3b:c2:b9:5a:da:3d:e1:3f:0a:1f:0f:41:c4:88:2d:92: +- 06:88:d4:54:81:e1:12:57:53:ab:6b:f8:c8:90:3e:30:4c:f5: +- 72:cf:f0:d4:18:70:c1:78:85:30:9c:fe:94:f4:1b:c2:6c:14: +- 49:7a:0e:27 ++ 44:54:d7:d7:75:14:60:a5:1a:1d:1e:a9:dc:6f:b1:b1:d8:13: ++ e2:10:22:9a:f5:ca:b6:38:3c:d9:ac:2e:dc:ce:38:bc:cc:38: ++ a1:cc:a8:9c:73:37:f9:b6:a8:42:87:d9:80:21:45:81:43:9d: ++ 73:3c:67:cf:cd:c5:c3:91:df:60:6b:6d:69:f9:be:a1:92:cc: ++ 5d:ea:bc:67:f3:c7:bc:ea:41:d1:11:7b:e3:f1:b8:a7:8d:9a: ++ d0:23:6c:df:0e:2a:35:98:50:c1:a6:8b:d2:07:aa:a6:2f:cb: ++ 98:a9:a3:8d:a0:8c:87:ab:ec:e1:c5:0b:25:e2:e9:a9:08:13: ++ 30:86:1b:e5:b6:ac:03:85:35:0c:9a:5d:5b:82:c4:04:6a:05: ++ 4c:f3:f7:b3:b5:ac:92:3b:46:71:a8:7f:54:c7:96:37:dc:38: ++ 2c:a2:18:23:10:00:de:f8:21:40:52:99:94:ad:b2:b6:e5:87: ++ 8e:29:0b:3b:b3:8a:52:67:54:dc:0a:e9:75:60:33:ff:13:9a: ++ 61:a4:15:0c:d0:6f:de:0d:06:23:a8:44:ad:f0:68:60:93:6b: ++ 75:06:24:5b:47:9a:b9:3a:ef:d9:4f:df:31:d5:65:3a:e2:94: ++ 03:be:88:94:49:7c:6a:d0:da:c0:d0:62:81:f5:61:50:96:5a: ++ d0:ee:22:39 + -----BEGIN CERTIFICATE----- +-MIIDRzCCAi+gAwIBAgIGC5iU+3hfMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT ++MIIDRTCCAi2gAwIBAgIGDPpgvFFcMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYT + Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo +-IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X +-DTEwMDUyNzIxMzcyNFoXDTE4MDgxMzIxMzcyNFowVzELMAkGA1UEBhMCTk4xMTAv +-BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx +-FTATBgNVBAMMDGxvY2FsaG9zdC5ubjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +-gYEA09RO22NcPzo6XjgJlOZNcJ0Nr0nmgl0Ht/XNoN+vcfHPv9Wava98eF1VPxS9 +-uywOc53WgprV5vYhXQiSonFfgF9czvDCNzd5D0091PKAbUc2RdHSi3ouEnFLR4b1 +-jJmv5w7PtclNenX3snQMQeOruyydb1QIE1o673wn9z8LC3ECAwEAAaOBjDCBiTAX +-BgNVHREEEDAOggxsb2NhbGhvc3Qubm4wCwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoG +-CCsGAQUFBwMBMB0GA1UdDgQWBBSBJvl1zJwtPDZkaEH3BzxmhuVKwTAfBgNVHSME 
+-GDAWgBStPuI5B7hcqiaQlEwmaSGD4k42lDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3 +-DQEBBQUAA4IBAQBlBYxIFFiMGtSVZxwpUu1abhRBvCsWIMSJOm7Lwf+rYXlfzieT +-PP8peiVoACcE82gXMPD9/wkOFSolsUUYk6sSjgwTEZq4pHXQFxvK8mZrcxXdi7s0 +-1nDcNBvnejDqUFAviGez+LNVYkR+Pt9ZT6hXg0Cfv1K//SwYbr0MQbd4HJv6xP/D +-K0akjwwZpz11gSlrzwfwHWXUDhlRh5KoPX6ABIStXk6275oCw4SV7MPooWkfQsva +-Yxo1b9C6Yp5zNmNYD8wlyFlz3zvCuVraPeE/Ch8PQcSILZIGiNRUgeESV1Ora/jI +-kD4wTPVyz/DUGHDBeIUwnP6U9BvCbBRJeg4n ++IENsb3VkMSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjAe ++Fw0xNTAzMjExNTA3MTFaFw0yMzA2MDcxNTA3MTFaMFcxCzAJBgNVBAYTAk5OMTEw ++LwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNoIENsb3Vk ++MRUwEwYDVQQDDAxsb2NhbGhvc3Qubm4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ ++AoGBAKzMEXB0Ke17AESKwEcDUJ1vUbfJe91+7ilnW5Gbx8XmnVk+azMlt3w5fIR5 ++3RWY5ydjkxA6OkCg3dAebmD0HqT3HgoLhER35wUWOarevR7HvMnhToyGHD/WzePy ++aAJbF1NJUSmoifPQ4V5xB58VRwhA6axJ5CGsZSkJyqLcnquJAgMBAAGjgYkwgYYw ++FwYDVR0RBBAwDoIMbG9jYWxob3N0Lm5uMAsGA1UdDwQEAwIDqDATBgNVHSUEDDAK ++BggrBgEFBQcDATAdBgNVHQ4EFgQUEq9ERrEEaWFkgzmivV2XK/Qd1GwwHwYDVR0j ++BBgwFoAUEsq6S0YEp3WKLOgOVJS8EmWme84wCQYDVR0TBAIwADANBgkqhkiG9w0B ++AQUFAAOCAQEARFTX13UUYKUaHR6p3G+xsdgT4hAimvXKtjg82awu3M44vMw4ocyo ++nHM3+baoQofZgCFFgUOdczxnz83Fw5HfYGttafm+oZLMXeq8Z/PHvOpB0RF74/G4 ++p42a0CNs3w4qNZhQwaaL0geqpi/LmKmjjaCMh6vs4cULJeLpqQgTMIYb5basA4U1 ++DJpdW4LEBGoFTPP3s7WskjtGcah/VMeWN9w4LKIYIxAA3vghQFKZlK2ytuWHjikL ++O7OKUmdU3ArpdWAz/xOaYaQVDNBv3g0GI6hErfBoYJNrdQYkW0eauTrv2U/fMdVl ++OuKUA76IlEl8atDawNBigfVhUJZa0O4iOQ== + -----END CERTIFICATE----- +diff --git a/tests/certs/Server-localhost.nn-sv.csr b/tests/certs/Server-localhost.nn-sv.csr +index 6424343..7f2fa77 100644 +--- a/tests/certs/Server-localhost.nn-sv.csr ++++ b/tests/certs/Server-localhost.nn-sv.csr +@@ -1,11 +1,11 @@ + -----BEGIN CERTIFICATE REQUEST----- + MIIBlzCCAQACAQAwVzELMAkGA1UEBhMCTk4xMTAvBgNVBAoMKEVkZWwgQ3VybCBB + cmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQxFTATBgNVBAMMDGxvY2FsaG9z +-dC5ubjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA09RO22NcPzo6XjgJlOZN 
+-cJ0Nr0nmgl0Ht/XNoN+vcfHPv9Wava98eF1VPxS9uywOc53WgprV5vYhXQiSonFf +-gF9czvDCNzd5D0091PKAbUc2RdHSi3ouEnFLR4b1jJmv5w7PtclNenX3snQMQeOr +-uyydb1QIE1o673wn9z8LC3ECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4GBAM5PenDC +-AtDhzdVKrX6DcJINWck5XFEnvWQksSYU7iDeiQVycQxR+LYKGZiy04u+9C+MN7eq +-JmHAIi+88r7/ZaGJLujqSUOJn8ocZ+vwhJOwh2XBhhLaCjIW/H05g0aNlk80Ye6m +-OA9DCIZUINF0lDQaJCpKXxwNVcz4Rifp5/9T ++dC5ubjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArMwRcHQp7XsARIrARwNQ ++nW9Rt8l73X7uKWdbkZvHxeadWT5rMyW3fDl8hHndFZjnJ2OTEDo6QKDd0B5uYPQe ++pPceCguERHfnBRY5qt69Hse8yeFOjIYcP9bN4/JoAlsXU0lRKaiJ89DhXnEHnxVH ++CEDprEnkIaxlKQnKotyeq4kCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4GBADnob1ds ++8MytEcgSZdkgP4iQ2L+aPXTPBqTThaV7Zto1mAhwG/D6rTiGq6t+IlZQNoDdZPp3 ++r1WDQJj6ed54xUY4Im4m1Np8oURamt5NJMKURDbv0xOQHW8EOoN+F8rfKyu2Hk1O ++hJulv+cBz75yi3+LVu+IEuSFQIQUZiy6V+Il + -----END CERTIFICATE REQUEST----- +diff --git a/tests/certs/Server-localhost.nn-sv.dhp b/tests/certs/Server-localhost.nn-sv.dhp +index 5d54840..e69de29 100644 +--- a/tests/certs/Server-localhost.nn-sv.dhp ++++ b/tests/certs/Server-localhost.nn-sv.dhp +@@ -1,5 +0,0 @@ +------BEGIN DH PARAMETERS----- +-MIGHAoGBAPrtEVPhZfEczB9JnWXbln79YnTh/V6ehXMWe414wyn/VT1ow25sLEev +-H2+eT84aDp5e+TfBSFjA6or96/lyQvsgAE+cE6f6uuw9ApVG2MK+BCn4snxHBb6G +-LFQf+9qHZ4BEkpBL60p1fkGu8BM1wXGXEaeYhgGumNA9fm5YJrl7AgEC +------END DH PARAMETERS----- +diff --git a/tests/certs/Server-localhost.nn-sv.key b/tests/certs/Server-localhost.nn-sv.key +index bf1cc7e..6a75071 100644 +--- a/tests/certs/Server-localhost.nn-sv.key ++++ b/tests/certs/Server-localhost.nn-sv.key +@@ -1,15 +1,15 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIICXgIBAAKBgQDT1E7bY1w/OjpeOAmU5k1wnQ2vSeaCXQe39c2g369x8c+/1Zq9 +-r3x4XVU/FL27LA5zndaCmtXm9iFdCJKicV+AX1zO8MI3N3kPTT3U8oBtRzZF0dKL +-ei4ScUtHhvWMma/nDs+1yU16dfeydAxB46u7LJ1vVAgTWjrvfCf3PwsLcQIDAQAB +-AoGBALr1HQxAq8AaMj3KE5rZkOudkeBtxwaz+QYB6hTcl8pnc8aKTmKwKZlKNtzP +-/4zdG3wriJII+lU4UsX7tP+uNGxKxALrDQRuBPyi8XQfUT1nJth6qkp8g3V/ixfE 
+-Yah3od9dL3+xsOH28RKKUC5kjmnNupO9KQZ6/CyYfUHAEG+pAkEA+PP+7FIvpPQ+ +-7bbG4IIqn7QKVxGbtaFY8pdLnsUkrnIqwEIbZoU12iEKm5qMoXNv30GknXrvxU53 +-tdIZU5Z28wJBANnTTMb/jac+Q1SaqmWQnrpcmvuPZ/8xRM6xeSJh+MDpK768WpYe +-nivHvinQjQZBQmNM3IPYbJ33nTAdJylmFQsCQQCn4crATPAKOheRsJdO4RijWAM9 +-EgfCJUtZVMPPDr0c0qqXujzGFwDo1y1TH5bEbZc8pATBmhzFHpRFzaf8oVQXAkAX +-Hch5GefDhuUIVn2c17MwneFIrxhfSbA+qzDqyDDo8BXXYQ/P/KHWjZUNxPciYcyU +-0zRXvaERRpTk5UMhrpavAkEAy4ZyhH1UViuWsmTQaRjc5mDs8aXkd2y85A7jnfWA +-8r7CL+sOe4TU1/CVyJf2FJaqHfD/GG6fqqeFoHuaqwTyiw== ++MIICXQIBAAKBgQCszBFwdCntewBEisBHA1Cdb1G3yXvdfu4pZ1uRm8fF5p1ZPmsz ++Jbd8OXyEed0VmOcnY5MQOjpAoN3QHm5g9B6k9x4KC4REd+cFFjmq3r0ex7zJ4U6M ++hhw/1s3j8mgCWxdTSVEpqInz0OFecQefFUcIQOmsSeQhrGUpCcqi3J6riQIDAQAB ++AoGAK7nYD+TVV0rw3mdeEJo+JBivTRqnRX2BNuj4uvf4rZOV7adl6SN6Mu05HSzZ ++TUXL+KOx60FQzFnox2lr9QzRU/LelLQ3H9fgVTVmGUCEAoDVRoWas8XlYGZsiHZ/ ++yJn+9Z3yQYpufSb0LQiSt73sgrTNPu50gMxe/ZSAbSscyyECQQDV8juKzWmizlTh +++wVs/pihE0+BX1BRCsezs7FCdDEWle3XidBtYlYyUIm5wx6v8xM/F7Q/nwgymOnV ++A62PtfyjAkEAzsM3DsuJ9dG5n+EPTH3kDdfr0eYy76XPYz4HK8/FgiKPWy55BRCH ++biLcbDAe06olJiCzEvwggFigthrIqj0t4wJBALDTUi74c3SiADn+FI/vJQsMQMv2 ++kRVKSZ/WxozcJ645IKjiOKgPfJp9QjeMcxKNXrzoxItIz6eyBqGONqbujO0CQQCh ++b6azdJR5TJEklfL+BGVlsas8rgIjP1FX6Xxr5sQNwbIwvW5cV/WGNs3n4wKOvZBX ++3rwzHIy76XdB+FOpKC+FAkBDVbicC19LE6+tBzOyx4uTEm3N7N8vh566VaOpok02 ++Io7F/WYL7WSCXAtvmueWV+FJyVUMN1f2nWfWqaEXP2ag + -----END RSA PRIVATE KEY----- +diff --git a/tests/certs/Server-localhost.nn-sv.pem b/tests/certs/Server-localhost.nn-sv.pem +index b5c2531..b3712f7 100644 +--- a/tests/certs/Server-localhost.nn-sv.pem ++++ b/tests/certs/Server-localhost.nn-sv.pem +@@ -1,11 +1,11 @@ + extensions = x509v3 + [ x509v3 ] + subjectAltName = DNS:localhost.nn +-keyUsage = keyEncipherment ++keyUsage = keyEncipherment,digitalSignature,keyAgreement + extendedKeyUsage = serverAuth + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid +-basicConstraints = critical,CA:false ++basicConstraints = CA:false + [ req ] + default_bits = 1024 + 
distinguished_name = req_DN +@@ -24,33 +24,32 @@ commonName_value = localhost.nn + # the certficate + # some dhparam + -----BEGIN RSA PRIVATE KEY----- +-MIICXgIBAAKBgQDT1E7bY1w/OjpeOAmU5k1wnQ2vSeaCXQe39c2g369x8c+/1Zq9 +-r3x4XVU/FL27LA5zndaCmtXm9iFdCJKicV+AX1zO8MI3N3kPTT3U8oBtRzZF0dKL +-ei4ScUtHhvWMma/nDs+1yU16dfeydAxB46u7LJ1vVAgTWjrvfCf3PwsLcQIDAQAB +-AoGBALr1HQxAq8AaMj3KE5rZkOudkeBtxwaz+QYB6hTcl8pnc8aKTmKwKZlKNtzP +-/4zdG3wriJII+lU4UsX7tP+uNGxKxALrDQRuBPyi8XQfUT1nJth6qkp8g3V/ixfE +-Yah3od9dL3+xsOH28RKKUC5kjmnNupO9KQZ6/CyYfUHAEG+pAkEA+PP+7FIvpPQ+ +-7bbG4IIqn7QKVxGbtaFY8pdLnsUkrnIqwEIbZoU12iEKm5qMoXNv30GknXrvxU53 +-tdIZU5Z28wJBANnTTMb/jac+Q1SaqmWQnrpcmvuPZ/8xRM6xeSJh+MDpK768WpYe +-nivHvinQjQZBQmNM3IPYbJ33nTAdJylmFQsCQQCn4crATPAKOheRsJdO4RijWAM9 +-EgfCJUtZVMPPDr0c0qqXujzGFwDo1y1TH5bEbZc8pATBmhzFHpRFzaf8oVQXAkAX +-Hch5GefDhuUIVn2c17MwneFIrxhfSbA+qzDqyDDo8BXXYQ/P/KHWjZUNxPciYcyU +-0zRXvaERRpTk5UMhrpavAkEAy4ZyhH1UViuWsmTQaRjc5mDs8aXkd2y85A7jnfWA +-8r7CL+sOe4TU1/CVyJf2FJaqHfD/GG6fqqeFoHuaqwTyiw== ++MIICXQIBAAKBgQCszBFwdCntewBEisBHA1Cdb1G3yXvdfu4pZ1uRm8fF5p1ZPmsz ++Jbd8OXyEed0VmOcnY5MQOjpAoN3QHm5g9B6k9x4KC4REd+cFFjmq3r0ex7zJ4U6M ++hhw/1s3j8mgCWxdTSVEpqInz0OFecQefFUcIQOmsSeQhrGUpCcqi3J6riQIDAQAB ++AoGAK7nYD+TVV0rw3mdeEJo+JBivTRqnRX2BNuj4uvf4rZOV7adl6SN6Mu05HSzZ ++TUXL+KOx60FQzFnox2lr9QzRU/LelLQ3H9fgVTVmGUCEAoDVRoWas8XlYGZsiHZ/ ++yJn+9Z3yQYpufSb0LQiSt73sgrTNPu50gMxe/ZSAbSscyyECQQDV8juKzWmizlTh +++wVs/pihE0+BX1BRCsezs7FCdDEWle3XidBtYlYyUIm5wx6v8xM/F7Q/nwgymOnV ++A62PtfyjAkEAzsM3DsuJ9dG5n+EPTH3kDdfr0eYy76XPYz4HK8/FgiKPWy55BRCH ++biLcbDAe06olJiCzEvwggFigthrIqj0t4wJBALDTUi74c3SiADn+FI/vJQsMQMv2 ++kRVKSZ/WxozcJ645IKjiOKgPfJp9QjeMcxKNXrzoxItIz6eyBqGONqbujO0CQQCh ++b6azdJR5TJEklfL+BGVlsas8rgIjP1FX6Xxr5sQNwbIwvW5cV/WGNs3n4wKOvZBX ++3rwzHIy76XdB+FOpKC+FAkBDVbicC19LE6+tBzOyx4uTEm3N7N8vh566VaOpok02 ++Io7F/WYL7WSCXAtvmueWV+FJyVUMN1f2nWfWqaEXP2ag + -----END RSA PRIVATE KEY----- + Certificate: + Data: + Version: 3 (0x2) +- Serial Number: +- 0b:98:94:fb:78:5f +- Signature Algorithm: 
sha1WithRSAEncryption ++ Serial Number: 14269504311644 (0xcfa60bc515c) ++ Signature Algorithm: sha1WithRSAEncryption + Issuer: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Validity +- Not Before: May 27 21:37:24 2010 GMT +- Not After : Aug 13 21:37:24 2018 GMT ++ Not Before: Mar 21 15:07:11 2015 GMT ++ Not After : Jun 7 15:07:11 2023 GMT + Subject: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +@@ -59,68 +58,63 @@ Certificate: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: +- 00:d3:d4:4e:db:63:5c:3f:3a:3a:5e:38:09:94:e6: +- 4d:70:9d:0d:af:49:e6:82:5d:07:b7:f5:cd:a0:df: +- af:71:f1:cf:bf:d5:9a:bd:af:7c:78:5d:55:3f:14: +- bd:bb:2c:0e:73:9d:d6:82:9a:d5:e6:f6:21:5d:08: +- 92:a2:71:5f:80:5f:5c:ce:f0:c2:37:37:79:0f:4d: +- 3d:d4:f2:80:6d:47:36:45:d1:d2:8b:7a:2e:12:71: +- 4b:47:86:f5:8c:99:af:e7:0e:cf:b5:c9:4d:7a:75: +- f7:b2:74:0c:41:e3:ab:bb:2c:9d:6f:54:08:13:5a: +- 3a:ef:7c:27:f7:3f:0b:0b:71 ++ 00:ac:cc:11:70:74:29:ed:7b:00:44:8a:c0:47:03: ++ 50:9d:6f:51:b7:c9:7b:dd:7e:ee:29:67:5b:91:9b: ++ c7:c5:e6:9d:59:3e:6b:33:25:b7:7c:39:7c:84:79: ++ dd:15:98:e7:27:63:93:10:3a:3a:40:a0:dd:d0:1e: ++ 6e:60:f4:1e:a4:f7:1e:0a:0b:84:44:77:e7:05:16: ++ 39:aa:de:bd:1e:c7:bc:c9:e1:4e:8c:86:1c:3f:d6: ++ cd:e3:f2:68:02:5b:17:53:49:51:29:a8:89:f3:d0: ++ e1:5e:71:07:9f:15:47:08:40:e9:ac:49:e4:21:ac: ++ 65:29:09:ca:a2:dc:9e:ab:89 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:localhost.nn + X509v3 Key Usage: +- Key Encipherment ++ Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: +- 81:26:F9:75:CC:9C:2D:3C:36:64:68:41:F7:07:3C:66:86:E5:4A:C1 ++ 12:AF:44:46:B1:04:69:61:64:83:39:A2:BD:5D:97:2B:F4:1D:D4:6C + X509v3 Authority Key Identifier: +- 
keyid:AD:3E:E2:39:07:B8:5C:AA:26:90:94:4C:26:69:21:83:E2:4E:36:94 ++ keyid:12:CA:BA:4B:46:04:A7:75:8A:2C:E8:0E:54:94:BC:12:65:A6:7B:CE + +- X509v3 Basic Constraints: critical ++ X509v3 Basic Constraints: + CA:FALSE + Signature Algorithm: sha1WithRSAEncryption +- 65:05:8c:48:14:58:8c:1a:d4:95:67:1c:29:52:ed:5a:6e:14: +- 41:bc:2b:16:20:c4:89:3a:6e:cb:c1:ff:ab:61:79:5f:ce:27: +- 93:3c:ff:29:7a:25:68:00:27:04:f3:68:17:30:f0:fd:ff:09: +- 0e:15:2a:25:b1:45:18:93:ab:12:8e:0c:13:11:9a:b8:a4:75: +- d0:17:1b:ca:f2:66:6b:73:15:dd:8b:bb:34:d6:70:dc:34:1b: +- e7:7a:30:ea:50:50:2f:88:67:b3:f8:b3:55:62:44:7e:3e:df: +- 59:4f:a8:57:83:40:9f:bf:52:bf:fd:2c:18:6e:bd:0c:41:b7: +- 78:1c:9b:fa:c4:ff:c3:2b:46:a4:8f:0c:19:a7:3d:75:81:29: +- 6b:cf:07:f0:1d:65:d4:0e:19:51:87:92:a8:3d:7e:80:04:84: +- ad:5e:4e:b6:ef:9a:02:c3:84:95:ec:c3:e8:a1:69:1f:42:cb: +- da:63:1a:35:6f:d0:ba:62:9e:73:36:63:58:0f:cc:25:c8:59: +- 73:df:3b:c2:b9:5a:da:3d:e1:3f:0a:1f:0f:41:c4:88:2d:92: +- 06:88:d4:54:81:e1:12:57:53:ab:6b:f8:c8:90:3e:30:4c:f5: +- 72:cf:f0:d4:18:70:c1:78:85:30:9c:fe:94:f4:1b:c2:6c:14: +- 49:7a:0e:27 ++ 44:54:d7:d7:75:14:60:a5:1a:1d:1e:a9:dc:6f:b1:b1:d8:13: ++ e2:10:22:9a:f5:ca:b6:38:3c:d9:ac:2e:dc:ce:38:bc:cc:38: ++ a1:cc:a8:9c:73:37:f9:b6:a8:42:87:d9:80:21:45:81:43:9d: ++ 73:3c:67:cf:cd:c5:c3:91:df:60:6b:6d:69:f9:be:a1:92:cc: ++ 5d:ea:bc:67:f3:c7:bc:ea:41:d1:11:7b:e3:f1:b8:a7:8d:9a: ++ d0:23:6c:df:0e:2a:35:98:50:c1:a6:8b:d2:07:aa:a6:2f:cb: ++ 98:a9:a3:8d:a0:8c:87:ab:ec:e1:c5:0b:25:e2:e9:a9:08:13: ++ 30:86:1b:e5:b6:ac:03:85:35:0c:9a:5d:5b:82:c4:04:6a:05: ++ 4c:f3:f7:b3:b5:ac:92:3b:46:71:a8:7f:54:c7:96:37:dc:38: ++ 2c:a2:18:23:10:00:de:f8:21:40:52:99:94:ad:b2:b6:e5:87: ++ 8e:29:0b:3b:b3:8a:52:67:54:dc:0a:e9:75:60:33:ff:13:9a: ++ 61:a4:15:0c:d0:6f:de:0d:06:23:a8:44:ad:f0:68:60:93:6b: ++ 75:06:24:5b:47:9a:b9:3a:ef:d9:4f:df:31:d5:65:3a:e2:94: ++ 03:be:88:94:49:7c:6a:d0:da:c0:d0:62:81:f5:61:50:96:5a: ++ d0:ee:22:39 + -----BEGIN CERTIFICATE----- 
+-MIIDRzCCAi+gAwIBAgIGC5iU+3hfMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT ++MIIDRTCCAi2gAwIBAgIGDPpgvFFcMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYT + Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo +-IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X +-DTEwMDUyNzIxMzcyNFoXDTE4MDgxMzIxMzcyNFowVzELMAkGA1UEBhMCTk4xMTAv +-BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx +-FTATBgNVBAMMDGxvY2FsaG9zdC5ubjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +-gYEA09RO22NcPzo6XjgJlOZNcJ0Nr0nmgl0Ht/XNoN+vcfHPv9Wava98eF1VPxS9 +-uywOc53WgprV5vYhXQiSonFfgF9czvDCNzd5D0091PKAbUc2RdHSi3ouEnFLR4b1 +-jJmv5w7PtclNenX3snQMQeOruyydb1QIE1o673wn9z8LC3ECAwEAAaOBjDCBiTAX +-BgNVHREEEDAOggxsb2NhbGhvc3Qubm4wCwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoG +-CCsGAQUFBwMBMB0GA1UdDgQWBBSBJvl1zJwtPDZkaEH3BzxmhuVKwTAfBgNVHSME +-GDAWgBStPuI5B7hcqiaQlEwmaSGD4k42lDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3 +-DQEBBQUAA4IBAQBlBYxIFFiMGtSVZxwpUu1abhRBvCsWIMSJOm7Lwf+rYXlfzieT +-PP8peiVoACcE82gXMPD9/wkOFSolsUUYk6sSjgwTEZq4pHXQFxvK8mZrcxXdi7s0 +-1nDcNBvnejDqUFAviGez+LNVYkR+Pt9ZT6hXg0Cfv1K//SwYbr0MQbd4HJv6xP/D +-K0akjwwZpz11gSlrzwfwHWXUDhlRh5KoPX6ABIStXk6275oCw4SV7MPooWkfQsva +-Yxo1b9C6Yp5zNmNYD8wlyFlz3zvCuVraPeE/Ch8PQcSILZIGiNRUgeESV1Ora/jI +-kD4wTPVyz/DUGHDBeIUwnP6U9BvCbBRJeg4n ++IENsb3VkMSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjAe ++Fw0xNTAzMjExNTA3MTFaFw0yMzA2MDcxNTA3MTFaMFcxCzAJBgNVBAYTAk5OMTEw ++LwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNoIENsb3Vk ++MRUwEwYDVQQDDAxsb2NhbGhvc3Qubm4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ ++AoGBAKzMEXB0Ke17AESKwEcDUJ1vUbfJe91+7ilnW5Gbx8XmnVk+azMlt3w5fIR5 ++3RWY5ydjkxA6OkCg3dAebmD0HqT3HgoLhER35wUWOarevR7HvMnhToyGHD/WzePy ++aAJbF1NJUSmoifPQ4V5xB58VRwhA6axJ5CGsZSkJyqLcnquJAgMBAAGjgYkwgYYw ++FwYDVR0RBBAwDoIMbG9jYWxob3N0Lm5uMAsGA1UdDwQEAwIDqDATBgNVHSUEDDAK ++BggrBgEFBQcDATAdBgNVHQ4EFgQUEq9ERrEEaWFkgzmivV2XK/Qd1GwwHwYDVR0j ++BBgwFoAUEsq6S0YEp3WKLOgOVJS8EmWme84wCQYDVR0TBAIwADANBgkqhkiG9w0B ++AQUFAAOCAQEARFTX13UUYKUaHR6p3G+xsdgT4hAimvXKtjg82awu3M44vMw4ocyo 
++nHM3+baoQofZgCFFgUOdczxnz83Fw5HfYGttafm+oZLMXeq8Z/PHvOpB0RF74/G4 ++p42a0CNs3w4qNZhQwaaL0geqpi/LmKmjjaCMh6vs4cULJeLpqQgTMIYb5basA4U1 ++DJpdW4LEBGoFTPP3s7WskjtGcah/VMeWN9w4LKIYIxAA3vghQFKZlK2ytuWHjikL ++O7OKUmdU3ArpdWAz/xOaYaQVDNBv3g0GI6hErfBoYJNrdQYkW0eauTrv2U/fMdVl ++OuKUA76IlEl8atDawNBigfVhUJZa0O4iOQ== + -----END CERTIFICATE----- +------BEGIN DH PARAMETERS----- +-MIGHAoGBAPrtEVPhZfEczB9JnWXbln79YnTh/V6ehXMWe414wyn/VT1ow25sLEev +-H2+eT84aDp5e+TfBSFjA6or96/lyQvsgAE+cE6f6uuw9ApVG2MK+BCn4snxHBb6G +-LFQf+9qHZ4BEkpBL60p1fkGu8BM1wXGXEaeYhgGumNA9fm5YJrl7AgEC +------END DH PARAMETERS----- +diff --git a/tests/certs/Server-localhost.nn-sv.prm b/tests/certs/Server-localhost.nn-sv.prm +index e515ea1..399e38a 100644 +--- a/tests/certs/Server-localhost.nn-sv.prm ++++ b/tests/certs/Server-localhost.nn-sv.prm +@@ -1,11 +1,11 @@ + extensions = x509v3 + [ x509v3 ] + subjectAltName = DNS:localhost.nn +-keyUsage = keyEncipherment ++keyUsage = keyEncipherment,digitalSignature,keyAgreement + extendedKeyUsage = serverAuth + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid +-basicConstraints = critical,CA:false ++basicConstraints = CA:false + [ req ] + default_bits = 1024 + distinguished_name = req_DN +diff --git a/tests/certs/Server-localhost0h-sv.crl b/tests/certs/Server-localhost0h-sv.crl +index 87a1859..319af89 100644 +--- a/tests/certs/Server-localhost0h-sv.crl ++++ b/tests/certs/Server-localhost0h-sv.crl +@@ -1,14 +1,22 @@ + -----BEGIN X509 CRL----- +-MIICDTCB9gIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJOTjExMC8GA1UE +-CgwoRWRlbCBDdXJsIEFyY3RpYyBJbGx1ZGl1bSBSZXNlYXJjaCBDbG91ZDElMCMG +-A1UEAwwcTm90aGVybiBOb3doZXJlIFRydXN0IEFuY2hvchcNMTAwNTI3MjEzNzU0 +-WhcNMTAwNjI2MjEzNzU0WjBLMBcCBguYlPl8ahcNMTAwNTI3MjEzNzExWjAXAgYL +-mJT7eF8XDTEwMDUyNzIxMzcyNFowFwIGC5iVAAx+Fw0xMDA1MjcyMTM3NTRaoA4w +-DDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOCAQEAWBL4VhArwJkUv91oyMIo +-xyyRmVl+1oY5IjEpLGd+mNIgqXuljQmbp8cS8A+jWinJPOWZqvsHa+mLCl4OuwhP 
+-JbAtIQ22OQRaVqWRuguG2T1sh3Dd7a1GcupIGKc/zgnY45D4pY4UNZv+KmY3bF0S +-83zn6YoQtBTzF9y2Nq5R0UTdxl6+j5swpo1ttvQPz40yqIlmjmW/llkaD4UBaegl +-zSxmnR5xCjAR7nYm+HyWW9SLSWGptUOd32B9TPJPLDhJa9lfBb8H9l5k7kx9ECJG +-LyujleeXIucfqOgE2cB0zCjExqrGWRp8ZgEWfpdSkDEpXBCDo88TA3dIr2f3Zxwp +-QA== ++MIIDoTCCAokCAQEwDQYJKoZIhvcNAQEFBQAwaDELMAkGA1UEBhMCTk4xMTAvBgNV ++BAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQxJjAk ++BgNVBAMMHU5vcnRoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yFw0xNTAzMjExNTA3 ++MTFaFw0xNTA0MjAxNTA3MTFaMIIB2zAXAgYM+ly45CIXDTE1MDMyMTEzMTQ1N1ow ++FwIGDPpcwXH8Fw0xNTAzMjExMzE1NTNaMBcCBgz6XO7ujBcNMTUwMzIxMTMyMDUx ++WjAXAgYM+lzu7p0XDTE1MDMyMTEzMjA1MVowFwIGDPpc7u6uFw0xNTAzMjExMzIw ++NTFaMBcCBgz6XZyD1RcNMTUwMzIxMTMzOTQ5WjAXAgYM+l4OXa8XDTE1MDMyMTEz ++NTIxNVowFwIGDPpeJlPZFw0xNTAzMjExMzU0NTJaMBcCBgz6XiZT6hcNMTUwMzIx ++MTM1NDUyWjAXAgYM+l4mU/sXDTE1MDMyMTEzNTQ1MlowFwIGDPpemKKEFw0xNTAz ++MjExNDA3MjFaMBcCBgz6XpiilRcNMTUwMzIxMTQwNzIxWjAXAgYM+l6YoqYXDTE1 ++MDMyMTE0MDcyMVowFwIGDPpffssxFw0xNTAzMjExNDMyMzBaMBcCBgz6X37yUxcN ++MTUwMzIxMTQzMjMxWjAXAgYM+l9+8mYXDTE1MDMyMTE0MzIzMVowFwIGDPpgvFFL ++Fw0xNTAzMjExNTA3MTFaMBcCBgz6YLxRXBcNMTUwMzIxMTUwNzExWjAXAgYM+mC8 ++UW4XDTE1MDMyMTE1MDcxMVqgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUA ++A4IBAQDER99gBe9w8a9X1pQQnzC87kYnW7R0K8wFr4KqCYP0De8tKxhCGrXaoQDK ++AvHQcT3RpCR5PAK5J1InxlCumJJjvo39OLTsaCbSyoynmAMGCXS0earSL83biquG ++jJ29ROXukT3fGE6HO+cKAaHyHeJa6OZEibmCvCls/YvvQTW2jlceOZmi22AL3jYN ++w6UVHRpbHDHupF5YxhwFG1GVTOd9cuik8CqVxPkOfIxeQbEV+qEiDWzjyy2aU3X7 ++dLhZE47P5tYgb8nIsXb5PATqiK9vdv4EOyVKiiCmyFemrGGU7MqbTtTjJVB9nS2R ++QMWLS24xr3IcHt7FOX1w8UF/GXiP + -----END X509 CRL----- +diff --git a/tests/certs/Server-localhost0h-sv.crt b/tests/certs/Server-localhost0h-sv.crt +index 0dcb5df..b00859a 100644 +--- a/tests/certs/Server-localhost0h-sv.crt ++++ b/tests/certs/Server-localhost0h-sv.crt +@@ -1,16 +1,15 @@ + Certificate: + Data: + Version: 3 (0x2) +- Serial Number: +- 0b:98:95:00:0c:7e +- Signature Algorithm: sha1WithRSAEncryption ++ Serial Number: 14269504311662 
(0xcfa60bc516e) ++ Signature Algorithm: sha1WithRSAEncryption + Issuer: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Validity +- Not Before: May 27 21:37:54 2010 GMT +- Not After : Aug 13 21:37:54 2018 GMT ++ Not Before: Mar 21 15:07:11 2015 GMT ++ Not After : Jun 7 15:07:11 2023 GMT + Subject: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +@@ -19,63 +18,63 @@ Certificate: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: +- 00:cc:a9:91:2b:22:e8:90:2b:e5:4c:dc:ae:6d:da: +- 4c:f3:32:cc:a5:68:67:5a:3b:b9:86:a3:95:88:3e: +- e8:63:c3:ed:00:60:19:03:2b:5d:5b:56:8a:da:21: +- 5e:71:5c:d1:e3:de:51:18:c1:17:14:b1:33:90:00: +- 5c:9a:e5:73:0b:a8:88:9c:d0:0b:54:bc:ea:3a:39: +- dd:f6:65:81:4b:29:99:4c:71:d3:f7:69:7f:80:e8: +- e8:6d:61:41:83:87:eb:ac:2c:bd:0f:eb:1b:fd:a2: +- 37:97:6d:31:56:ba:4b:51:dd:b1:01:eb:89:f8:25: +- de:5b:a3:e5:b2:3f:4c:77:53 ++ 00:e3:c7:52:fb:7d:02:b1:a7:0b:4c:2d:a6:2a:b0: ++ 57:6b:5e:0b:f9:9e:4b:e7:d0:ac:55:43:47:fa:b1: ++ e0:fc:b0:63:30:84:31:f5:95:44:90:9a:b7:22:01: ++ 6f:c7:17:16:be:5a:19:ee:47:35:90:a5:5e:27:ba: ++ 86:47:3b:c5:63:d2:f2:c6:a1:db:ac:be:b1:2f:4c: ++ c2:98:86:19:72:d5:f9:12:45:09:bc:23:e2:00:eb: ++ 4d:ba:99:71:b5:4a:fb:49:8c:4d:f3:0b:4e:cf:48: ++ 7b:c8:06:37:92:35:ff:bb:4f:ea:98:af:13:ac:a8: ++ cd:9f:a7:e0:78:db:15:bc:3b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:localhost + X509v3 Key Usage: +- Key Encipherment ++ Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: +- 3B:2B:84:0D:23:3C:46:F9:9B:E5:C2:FA:B7:30:E7:AC:E3:ED:09:C3 ++ 23:D7:CE:D8:B2:D0:F8:8E:3C:82:26:6C:F1:F5:2A:8A:48:90:58:66 + X509v3 Authority Key Identifier: +- keyid:AD:3E:E2:39:07:B8:5C:AA:26:90:94:4C:26:69:21:83:E2:4E:36:94 ++ 
keyid:12:CA:BA:4B:46:04:A7:75:8A:2C:E8:0E:54:94:BC:12:65:A6:7B:CE + +- X509v3 Basic Constraints: critical ++ X509v3 Basic Constraints: + CA:FALSE + Signature Algorithm: sha1WithRSAEncryption +- a2:fa:61:4e:c0:10:1f:f8:38:2c:fd:a6:74:85:df:8e:ee:41: +- 90:a1:d7:c9:32:65:5d:61:d5:13:51:3b:11:1c:7b:01:06:70: +- 9f:93:52:54:15:bd:93:3a:f8:40:e3:e2:ab:01:96:fb:73:c5: +- 42:2c:ad:ce:e8:52:57:db:b6:15:90:75:e3:e5:75:99:b0:83: +- ed:b0:fc:f2:d0:d9:3d:68:1c:d9:b4:cd:a1:a9:40:19:44:46: +- 14:8b:11:6e:2e:1c:65:85:73:45:f0:8b:4f:ea:01:2d:61:0f: +- ae:0d:70:0c:d3:3c:1c:1f:24:66:a3:0b:62:d1:87:1e:8e:96: +- f6:43:cf:1c:24:e7:94:d0:7e:b0:ee:1b:6f:14:1f:04:35:e8: +- fc:3c:c8:9e:e3:6e:0e:4c:7d:a9:23:97:2d:6e:b1:4d:e3:05: +- 1b:ce:86:2f:2f:b3:c9:60:47:58:ac:ea:4c:cb:c2:7b:0f:08: +- b8:a7:90:e7:22:32:70:f6:09:3e:f9:54:94:b0:37:50:22:60: +- 49:1c:84:9e:1a:22:0c:3e:a9:16:7c:5e:b1:50:13:6b:82:14: +- d3:8a:3d:4d:ed:18:ca:40:59:d6:b9:72:9f:64:e5:0b:e7:a6: +- b8:ee:29:b5:6a:ec:82:b2:94:56:36:e3:87:b3:07:aa:69:b8: +- 2c:ef:0c:14 ++ 28:b9:77:ea:4a:8d:d6:a5:fb:72:5b:d6:cd:60:40:33:56:bf: ++ dd:23:ff:bf:e8:2e:10:cd:30:ab:24:a4:43:d8:98:71:e3:59: ++ 66:3e:38:bd:b8:fb:19:1a:13:8f:a1:c8:39:93:b5:83:8d:62: ++ 52:a9:7a:5b:0d:69:47:40:5c:51:4c:3a:be:a7:c9:5f:7b:93: ++ 49:20:59:23:30:7c:d9:4a:dd:29:2c:ed:96:fd:cb:b8:13:ff: ++ 36:2c:27:ce:28:c3:a6:d0:d8:ba:8c:38:9f:78:ff:54:c7:76: ++ 05:37:47:f5:d3:55:9c:2c:12:41:81:14:ca:48:a2:b7:6d:05: ++ 49:2b:c5:f5:7b:63:6d:6f:cd:3f:f4:8d:74:51:07:ff:e1:40: ++ d5:96:60:d8:c8:38:5a:15:f9:c5:fd:e1:5e:a3:02:95:90:4b: ++ fc:8a:42:de:72:31:72:3d:dd:a2:df:19:42:c8:fa:a8:77:11: ++ 67:e6:64:8c:d0:fd:45:fd:f0:49:8c:e1:85:e6:f5:1f:47:c6: ++ ae:f2:70:c3:e8:99:d0:cd:9d:88:6b:33:ba:b9:65:3d:f4:b1: ++ f4:d0:3c:76:9c:18:9e:9e:c8:62:29:43:8e:f7:2f:2c:12:37: ++ 39:02:26:4e:4b:b0:14:30:80:bb:2d:cc:fc:93:dc:c9:8b:c0: ++ 69:12:71:36 + -----BEGIN CERTIFICATE----- +-MIIDQzCCAiugAwIBAgIGC5iVAAx+MA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT 
++MIIDQTCCAimgAwIBAgIGDPpgvFFuMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYT + Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo +-IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X +-DTEwMDUyNzIxMzc1NFoXDTE4MDgxMzIxMzc1NFowVDELMAkGA1UEBhMCTk4xMTAv +-BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx +-EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA +-zKmRKyLokCvlTNyubdpM8zLMpWhnWju5hqOViD7oY8PtAGAZAytdW1aK2iFecVzR +-495RGMEXFLEzkABcmuVzC6iInNALVLzqOjnd9mWBSymZTHHT92l/gOjobWFBg4fr +-rCy9D+sb/aI3l20xVrpLUd2xAeuJ+CXeW6Plsj9Md1MCAwEAAaOBizCBiDAWBgNV +-HREEDzANggtsb2NhbGhvc3QAaDALBgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYB +-BQUHAwEwHQYDVR0OBBYEFDsrhA0jPEb5m+XC+rcw56zj7QnDMB8GA1UdIwQYMBaA +-FK0+4jkHuFyqJpCUTCZpIYPiTjaUMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEF +-BQADggEBAKL6YU7AEB/4OCz9pnSF347uQZCh18kyZV1h1RNROxEcewEGcJ+TUlQV +-vZM6+EDj4qsBlvtzxUIsrc7oUlfbthWQdePldZmwg+2w/PLQ2T1oHNm0zaGpQBlE +-RhSLEW4uHGWFc0Xwi0/qAS1hD64NcAzTPBwfJGajC2LRhx6OlvZDzxwk55TQfrDu +-G28UHwQ16Pw8yJ7jbg5Mfakjly1usU3jBRvOhi8vs8lgR1is6kzLwnsPCLinkOci +-MnD2CT75VJSwN1AiYEkchJ4aIgw+qRZ8XrFQE2uCFNOKPU3tGMpAWda5cp9k5Qvn +-prjuKbVq7IKylFY244ezB6ppuCzvDBQ= ++IENsb3VkMSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjAe ++Fw0xNTAzMjExNTA3MTFaFw0yMzA2MDcxNTA3MTFaMFQxCzAJBgNVBAYTAk5OMTEw ++LwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNoIENsb3Vk ++MRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB ++AOPHUvt9ArGnC0wtpiqwV2teC/meS+fQrFVDR/qx4PywYzCEMfWVRJCatyIBb8cX ++Fr5aGe5HNZClXie6hkc7xWPS8sah26y+sS9MwpiGGXLV+RJFCbwj4gDrTbqZcbVK +++0mMTfMLTs9Ie8gGN5I1/7tP6pivE6yozZ+n4HjbFbw7AgMBAAGjgYgwgYUwFgYD ++VR0RBA8wDYILbG9jYWxob3N0AGgwCwYDVR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsG ++AQUFBwMBMB0GA1UdDgQWBBQj187YstD4jjyCJmzx9SqKSJBYZjAfBgNVHSMEGDAW ++gBQSyrpLRgSndYos6A5UlLwSZaZ7zjAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA ++A4IBAQAouXfqSo3WpftyW9bNYEAzVr/dI/+/6C4QzTCrJKRD2Jhx41lmPji9uPsZ ++GhOPocg5k7WDjWJSqXpbDWlHQFxRTDq+p8lfe5NJIFkjMHzZSt0pLO2W/cu4E/82 
++LCfOKMOm0Ni6jDifeP9Ux3YFN0f101WcLBJBgRTKSKK3bQVJK8X1e2Ntb80/9I10 ++UQf/4UDVlmDYyDhaFfnF/eFeowKVkEv8ikLecjFyPd2i3xlCyPqodxFn5mSM0P1F ++/fBJjOGF5vUfR8au8nDD6JnQzZ2IazO6uWU99LH00Dx2nBienshiKUOO9y8sEjc5 ++AiZOS7AUMIC7Lcz8k9zJi8BpEnE2 + -----END CERTIFICATE----- +diff --git a/tests/certs/Server-localhost0h-sv.csr b/tests/certs/Server-localhost0h-sv.csr +index edf776f..d075157 100644 +--- a/tests/certs/Server-localhost0h-sv.csr ++++ b/tests/certs/Server-localhost0h-sv.csr +@@ -1,11 +1,11 @@ + -----BEGIN CERTIFICATE REQUEST----- + MIIBkzCB/QIBADBUMQswCQYDVQQGEwJOTjExMC8GA1UECgwoRWRlbCBDdXJsIEFy + Y3RpYyBJbGx1ZGl1bSBSZXNlYXJjaCBDbG91ZDESMBAGA1UEAwwJbG9jYWxob3N0 +-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMqZErIuiQK+VM3K5t2kzzMsyl +-aGdaO7mGo5WIPuhjw+0AYBkDK11bVoraIV5xXNHj3lEYwRcUsTOQAFya5XMLqIic +-0AtUvOo6Od32ZYFLKZlMcdP3aX+A6OhtYUGDh+usLL0P6xv9ojeXbTFWuktR3bEB +-64n4Jd5bo+WyP0x3UwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEAPor+2apn3kPJ +-ZdjyyT/iXETRTrN87PuBaujcV+oVeVSWW+YgGUzDHi+RkEKTxWdz3leW2goE41X9 +-2D/n66ASQGs1x8wXwIMIX83MjkWtjqdfcrJVi1l6T7NjzZt6EyJdvreRntCUu8zc +-J5tK3rl/tIeudKUE2COc0Ngu9JUB1j8= ++MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjx1L7fQKxpwtMLaYqsFdrXgv5 ++nkvn0KxVQ0f6seD8sGMwhDH1lUSQmrciAW/HFxa+WhnuRzWQpV4nuoZHO8Vj0vLG ++odusvrEvTMKYhhly1fkSRQm8I+IA6026mXG1SvtJjE3zC07PSHvIBjeSNf+7T+qY ++rxOsqM2fp+B42xW8OwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEAC6NxWuiENuj/ ++oPsopZy/tVZzbioXZP/S9ECCbdgy33bg9zKwQYLeHOSgXxJzES+RhJwQCliFV17j ++jM1CH7heggwkPAx5KelyZ20DeoeaYOi/xv7TjozrZ+EkmivHKBJi3+qNjNYH0ul9 ++HhQBO5+sSDAGLMkWL/nAfYKbf/8KSvA= + -----END CERTIFICATE REQUEST----- +diff --git a/tests/certs/Server-localhost0h-sv.dhp b/tests/certs/Server-localhost0h-sv.dhp +index 99e6107..e69de29 100644 +--- a/tests/certs/Server-localhost0h-sv.dhp ++++ b/tests/certs/Server-localhost0h-sv.dhp +@@ -1,5 +0,0 @@ +------BEGIN DH PARAMETERS----- +-MIGHAoGBAL/3hRxvWX+Mdyu/aBPU1JeeA5sg4nXtA7B24eCql9Tq53Lks1/HJ5B+ +-xSapGAFd+22xhBsNkJihf74oiPEVr9nNoLjFV/DZe259+JYgs+pBTFN+Cp13ALUi 
+-CeZxX2mlxlstD1SBRTKgxA/j4ttR1Chn8knn+RVdFE9YFKCYPyLrAgEC +------END DH PARAMETERS----- +diff --git a/tests/certs/Server-localhost0h-sv.key b/tests/certs/Server-localhost0h-sv.key +index 95c4666..5fcc9c5 100644 +--- a/tests/certs/Server-localhost0h-sv.key ++++ b/tests/certs/Server-localhost0h-sv.key +@@ -1,15 +1,15 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIICXAIBAAKBgQDMqZErIuiQK+VM3K5t2kzzMsylaGdaO7mGo5WIPuhjw+0AYBkD +-K11bVoraIV5xXNHj3lEYwRcUsTOQAFya5XMLqIic0AtUvOo6Od32ZYFLKZlMcdP3 +-aX+A6OhtYUGDh+usLL0P6xv9ojeXbTFWuktR3bEB64n4Jd5bo+WyP0x3UwIDAQAB +-AoGAGT+OBilPUYHoztumtSyqM5J/xqQjo/EcSSzjJKTGHJCuK06vp0FxSfRaOuDE +-+u09g4QIsyoXA9l8h/ZTdlR6Jax5nc+iRFs/21isrgKAsZYj4DghjgXJ9LWGHXnb +-7xstVFkFBGnOaeY7dVr54907TYUQwtJg4fk7Vror05gb1qECQQDykAxr2D/CxLk9 +-RjWDi/P6JnfF0ZxZzCe0yATvuZ89+rpWQ5uxEJDq5FqwW4QXX+0G2aWDv64YExPS +-JmWQTlojAkEA2AAHDv2KBWFcXeTlWnKZTdzUOniE8PzS5zipi2ssiqXScrj9NX2U +-yCCOkv/42blPXBKbaVnfWBEhtj7pQxHJEQJBAOTvXjnfVXafs/IINPPegLyF2B/G +-EZqTXJp8+mPEP28BGSPYFbdN2mlIc+vlxEtHh3AitdweatNgFiIPiWZk/R8CQEIf +-EAoYtw2alknv7f3YIvHg7d7QUfHrkyxQ/iW9sy7mQBv6YRjkzozM2phJX4ZW4eJP +-l9+SMXqmE+nULFfps+ECQFVkjPDF065x++Fh3BVtNJ0goYStTJM6IcmYKflap+Ux +-cORZUWJ8tvDavlSSwQQYK8kOVTINC6iFwwEQ41HlYLE= ++MIICXAIBAAKBgQDjx1L7fQKxpwtMLaYqsFdrXgv5nkvn0KxVQ0f6seD8sGMwhDH1 ++lUSQmrciAW/HFxa+WhnuRzWQpV4nuoZHO8Vj0vLGodusvrEvTMKYhhly1fkSRQm8 ++I+IA6026mXG1SvtJjE3zC07PSHvIBjeSNf+7T+qYrxOsqM2fp+B42xW8OwIDAQAB ++AoGAHdkk2qfLDpShOl5RBA8PpZYxY4iG0d3ad2HVsNhWb0Z9+QGZumDRF1Hu5Zni ++l+hCprcP5tWWA1poODSNHBCNEQRYZcHrfZlh+sDiV6ZmexBg7x9D5azyRbn20vr1 ++79UxmisRxnDQQHCfOmgZtgs1EZXnFOs0OotoZAHFr+GLtQECQQD+R2TaWMCEPKJc ++IswGBqLGL8cyy+v2d5Glt5l+xzb/KCdY9cbOR/B9wq//0Nvqyiq1I1jUBVw9NJi/ ++eBx/OYxhAkEA5VIC6uMpIck0Qxpbj7/H3k2pBf1HROgmLEq+cVLFgY62CIpTgleO ++SAzTmn0vDXir0jQHJn+JTokvn0PxyNquGwJBAJW+77rSl5WIq8j8yRAnakayrmnQ ++w8ZjBggExsVthorfV8TBAPJMVWmKdOF/W3O62UnRZid+fKKize28S3P1LSECQDF8 ++3FJSSWsYH6YnhwDjkz9fJQ281eeB7dL7IlQUV7kY0iHPsCvdtz/HPNcHEuNmWjYX 
++sj9VoI0JP/Sv1frRbmcCQDPaeWowPGf1Xtj0oTSlA6KQsKZPO7t15nivgX/AnZWQ ++01l8q6GPHeYwyG/caD3BZwAavsVLg9nhKx0lf0wExM0= + -----END RSA PRIVATE KEY----- +diff --git a/tests/certs/Server-localhost0h-sv.pem b/tests/certs/Server-localhost0h-sv.pem +index 45be9c3..a953370 100644 +--- a/tests/certs/Server-localhost0h-sv.pem ++++ b/tests/certs/Server-localhost0h-sv.pem +@@ -2,11 +2,11 @@ extensions = x509v3 + [ x509v3 ] + #subjectAltName = DNS:localhost\0h + subjectAltName = DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68 +-keyUsage = keyEncipherment ++keyUsage = keyEncipherment,digitalSignature,keyAgreement + extendedKeyUsage = serverAuth + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid +-basicConstraints = critical,CA:false ++basicConstraints = CA:false + [ req ] + default_bits = 1024 + distinguished_name = req_DN +@@ -25,33 +25,32 @@ commonName_value = localhost + # the certificate + # some dhparam + -----BEGIN RSA PRIVATE KEY----- +-MIICXAIBAAKBgQDMqZErIuiQK+VM3K5t2kzzMsylaGdaO7mGo5WIPuhjw+0AYBkD +-K11bVoraIV5xXNHj3lEYwRcUsTOQAFya5XMLqIic0AtUvOo6Od32ZYFLKZlMcdP3 +-aX+A6OhtYUGDh+usLL0P6xv9ojeXbTFWuktR3bEB64n4Jd5bo+WyP0x3UwIDAQAB +-AoGAGT+OBilPUYHoztumtSyqM5J/xqQjo/EcSSzjJKTGHJCuK06vp0FxSfRaOuDE +-+u09g4QIsyoXA9l8h/ZTdlR6Jax5nc+iRFs/21isrgKAsZYj4DghjgXJ9LWGHXnb +-7xstVFkFBGnOaeY7dVr54907TYUQwtJg4fk7Vror05gb1qECQQDykAxr2D/CxLk9 +-RjWDi/P6JnfF0ZxZzCe0yATvuZ89+rpWQ5uxEJDq5FqwW4QXX+0G2aWDv64YExPS +-JmWQTlojAkEA2AAHDv2KBWFcXeTlWnKZTdzUOniE8PzS5zipi2ssiqXScrj9NX2U +-yCCOkv/42blPXBKbaVnfWBEhtj7pQxHJEQJBAOTvXjnfVXafs/IINPPegLyF2B/G +-EZqTXJp8+mPEP28BGSPYFbdN2mlIc+vlxEtHh3AitdweatNgFiIPiWZk/R8CQEIf +-EAoYtw2alknv7f3YIvHg7d7QUfHrkyxQ/iW9sy7mQBv6YRjkzozM2phJX4ZW4eJP +-l9+SMXqmE+nULFfps+ECQFVkjPDF065x++Fh3BVtNJ0goYStTJM6IcmYKflap+Ux +-cORZUWJ8tvDavlSSwQQYK8kOVTINC6iFwwEQ41HlYLE= ++MIICXAIBAAKBgQDjx1L7fQKxpwtMLaYqsFdrXgv5nkvn0KxVQ0f6seD8sGMwhDH1 ++lUSQmrciAW/HFxa+WhnuRzWQpV4nuoZHO8Vj0vLGodusvrEvTMKYhhly1fkSRQm8 
++I+IA6026mXG1SvtJjE3zC07PSHvIBjeSNf+7T+qYrxOsqM2fp+B42xW8OwIDAQAB ++AoGAHdkk2qfLDpShOl5RBA8PpZYxY4iG0d3ad2HVsNhWb0Z9+QGZumDRF1Hu5Zni ++l+hCprcP5tWWA1poODSNHBCNEQRYZcHrfZlh+sDiV6ZmexBg7x9D5azyRbn20vr1 ++79UxmisRxnDQQHCfOmgZtgs1EZXnFOs0OotoZAHFr+GLtQECQQD+R2TaWMCEPKJc ++IswGBqLGL8cyy+v2d5Glt5l+xzb/KCdY9cbOR/B9wq//0Nvqyiq1I1jUBVw9NJi/ ++eBx/OYxhAkEA5VIC6uMpIck0Qxpbj7/H3k2pBf1HROgmLEq+cVLFgY62CIpTgleO ++SAzTmn0vDXir0jQHJn+JTokvn0PxyNquGwJBAJW+77rSl5WIq8j8yRAnakayrmnQ ++w8ZjBggExsVthorfV8TBAPJMVWmKdOF/W3O62UnRZid+fKKize28S3P1LSECQDF8 ++3FJSSWsYH6YnhwDjkz9fJQ281eeB7dL7IlQUV7kY0iHPsCvdtz/HPNcHEuNmWjYX ++sj9VoI0JP/Sv1frRbmcCQDPaeWowPGf1Xtj0oTSlA6KQsKZPO7t15nivgX/AnZWQ ++01l8q6GPHeYwyG/caD3BZwAavsVLg9nhKx0lf0wExM0= + -----END RSA PRIVATE KEY----- + Certificate: + Data: + Version: 3 (0x2) +- Serial Number: +- 0b:98:95:00:0c:7e +- Signature Algorithm: sha1WithRSAEncryption ++ Serial Number: 14269504311662 (0xcfa60bc516e) ++ Signature Algorithm: sha1WithRSAEncryption + Issuer: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +- commonName = Nothern Nowhere Trust Anchor ++ commonName = Northern Nowhere Trust Anchor + Validity +- Not Before: May 27 21:37:54 2010 GMT +- Not After : Aug 13 21:37:54 2018 GMT ++ Not Before: Mar 21 15:07:11 2015 GMT ++ Not After : Jun 7 15:07:11 2023 GMT + Subject: + countryName = NN + organizationName = Edel Curl Arctic Illudium Research Cloud +@@ -60,68 +59,63 @@ Certificate: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: +- 00:cc:a9:91:2b:22:e8:90:2b:e5:4c:dc:ae:6d:da: +- 4c:f3:32:cc:a5:68:67:5a:3b:b9:86:a3:95:88:3e: +- e8:63:c3:ed:00:60:19:03:2b:5d:5b:56:8a:da:21: +- 5e:71:5c:d1:e3:de:51:18:c1:17:14:b1:33:90:00: +- 5c:9a:e5:73:0b:a8:88:9c:d0:0b:54:bc:ea:3a:39: +- dd:f6:65:81:4b:29:99:4c:71:d3:f7:69:7f:80:e8: +- e8:6d:61:41:83:87:eb:ac:2c:bd:0f:eb:1b:fd:a2: +- 37:97:6d:31:56:ba:4b:51:dd:b1:01:eb:89:f8:25: +- de:5b:a3:e5:b2:3f:4c:77:53 ++ 00:e3:c7:52:fb:7d:02:b1:a7:0b:4c:2d:a6:2a:b0: ++ 
57:6b:5e:0b:f9:9e:4b:e7:d0:ac:55:43:47:fa:b1: ++ e0:fc:b0:63:30:84:31:f5:95:44:90:9a:b7:22:01: ++ 6f:c7:17:16:be:5a:19:ee:47:35:90:a5:5e:27:ba: ++ 86:47:3b:c5:63:d2:f2:c6:a1:db:ac:be:b1:2f:4c: ++ c2:98:86:19:72:d5:f9:12:45:09:bc:23:e2:00:eb: ++ 4d:ba:99:71:b5:4a:fb:49:8c:4d:f3:0b:4e:cf:48: ++ 7b:c8:06:37:92:35:ff:bb:4f:ea:98:af:13:ac:a8: ++ cd:9f:a7:e0:78:db:15:bc:3b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:localhost + X509v3 Key Usage: +- Key Encipherment ++ Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: +- 3B:2B:84:0D:23:3C:46:F9:9B:E5:C2:FA:B7:30:E7:AC:E3:ED:09:C3 ++ 23:D7:CE:D8:B2:D0:F8:8E:3C:82:26:6C:F1:F5:2A:8A:48:90:58:66 + X509v3 Authority Key Identifier: +- keyid:AD:3E:E2:39:07:B8:5C:AA:26:90:94:4C:26:69:21:83:E2:4E:36:94 ++ keyid:12:CA:BA:4B:46:04:A7:75:8A:2C:E8:0E:54:94:BC:12:65:A6:7B:CE + +- X509v3 Basic Constraints: critical ++ X509v3 Basic Constraints: + CA:FALSE + Signature Algorithm: sha1WithRSAEncryption +- a2:fa:61:4e:c0:10:1f:f8:38:2c:fd:a6:74:85:df:8e:ee:41: +- 90:a1:d7:c9:32:65:5d:61:d5:13:51:3b:11:1c:7b:01:06:70: +- 9f:93:52:54:15:bd:93:3a:f8:40:e3:e2:ab:01:96:fb:73:c5: +- 42:2c:ad:ce:e8:52:57:db:b6:15:90:75:e3:e5:75:99:b0:83: +- ed:b0:fc:f2:d0:d9:3d:68:1c:d9:b4:cd:a1:a9:40:19:44:46: +- 14:8b:11:6e:2e:1c:65:85:73:45:f0:8b:4f:ea:01:2d:61:0f: +- ae:0d:70:0c:d3:3c:1c:1f:24:66:a3:0b:62:d1:87:1e:8e:96: +- f6:43:cf:1c:24:e7:94:d0:7e:b0:ee:1b:6f:14:1f:04:35:e8: +- fc:3c:c8:9e:e3:6e:0e:4c:7d:a9:23:97:2d:6e:b1:4d:e3:05: +- 1b:ce:86:2f:2f:b3:c9:60:47:58:ac:ea:4c:cb:c2:7b:0f:08: +- b8:a7:90:e7:22:32:70:f6:09:3e:f9:54:94:b0:37:50:22:60: +- 49:1c:84:9e:1a:22:0c:3e:a9:16:7c:5e:b1:50:13:6b:82:14: +- d3:8a:3d:4d:ed:18:ca:40:59:d6:b9:72:9f:64:e5:0b:e7:a6: +- b8:ee:29:b5:6a:ec:82:b2:94:56:36:e3:87:b3:07:aa:69:b8: +- 2c:ef:0c:14 ++ 28:b9:77:ea:4a:8d:d6:a5:fb:72:5b:d6:cd:60:40:33:56:bf: ++ 
dd:23:ff:bf:e8:2e:10:cd:30:ab:24:a4:43:d8:98:71:e3:59: ++ 66:3e:38:bd:b8:fb:19:1a:13:8f:a1:c8:39:93:b5:83:8d:62: ++ 52:a9:7a:5b:0d:69:47:40:5c:51:4c:3a:be:a7:c9:5f:7b:93: ++ 49:20:59:23:30:7c:d9:4a:dd:29:2c:ed:96:fd:cb:b8:13:ff: ++ 36:2c:27:ce:28:c3:a6:d0:d8:ba:8c:38:9f:78:ff:54:c7:76: ++ 05:37:47:f5:d3:55:9c:2c:12:41:81:14:ca:48:a2:b7:6d:05: ++ 49:2b:c5:f5:7b:63:6d:6f:cd:3f:f4:8d:74:51:07:ff:e1:40: ++ d5:96:60:d8:c8:38:5a:15:f9:c5:fd:e1:5e:a3:02:95:90:4b: ++ fc:8a:42:de:72:31:72:3d:dd:a2:df:19:42:c8:fa:a8:77:11: ++ 67:e6:64:8c:d0:fd:45:fd:f0:49:8c:e1:85:e6:f5:1f:47:c6: ++ ae:f2:70:c3:e8:99:d0:cd:9d:88:6b:33:ba:b9:65:3d:f4:b1: ++ f4:d0:3c:76:9c:18:9e:9e:c8:62:29:43:8e:f7:2f:2c:12:37: ++ 39:02:26:4e:4b:b0:14:30:80:bb:2d:cc:fc:93:dc:c9:8b:c0: ++ 69:12:71:36 + -----BEGIN CERTIFICATE----- +-MIIDQzCCAiugAwIBAgIGC5iVAAx+MA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNVBAYT ++MIIDQTCCAimgAwIBAgIGDPpgvFFuMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYT + Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo +-IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X +-DTEwMDUyNzIxMzc1NFoXDTE4MDgxMzIxMzc1NFowVDELMAkGA1UEBhMCTk4xMTAv +-BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx +-EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA +-zKmRKyLokCvlTNyubdpM8zLMpWhnWju5hqOViD7oY8PtAGAZAytdW1aK2iFecVzR +-495RGMEXFLEzkABcmuVzC6iInNALVLzqOjnd9mWBSymZTHHT92l/gOjobWFBg4fr +-rCy9D+sb/aI3l20xVrpLUd2xAeuJ+CXeW6Plsj9Md1MCAwEAAaOBizCBiDAWBgNV +-HREEDzANggtsb2NhbGhvc3QAaDALBgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYB +-BQUHAwEwHQYDVR0OBBYEFDsrhA0jPEb5m+XC+rcw56zj7QnDMB8GA1UdIwQYMBaA +-FK0+4jkHuFyqJpCUTCZpIYPiTjaUMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEF +-BQADggEBAKL6YU7AEB/4OCz9pnSF347uQZCh18kyZV1h1RNROxEcewEGcJ+TUlQV +-vZM6+EDj4qsBlvtzxUIsrc7oUlfbthWQdePldZmwg+2w/PLQ2T1oHNm0zaGpQBlE +-RhSLEW4uHGWFc0Xwi0/qAS1hD64NcAzTPBwfJGajC2LRhx6OlvZDzxwk55TQfrDu +-G28UHwQ16Pw8yJ7jbg5Mfakjly1usU3jBRvOhi8vs8lgR1is6kzLwnsPCLinkOci 
+-MnD2CT75VJSwN1AiYEkchJ4aIgw+qRZ8XrFQE2uCFNOKPU3tGMpAWda5cp9k5Qvn +-prjuKbVq7IKylFY244ezB6ppuCzvDBQ= ++IENsb3VkMSYwJAYDVQQDDB1Ob3J0aGVybiBOb3doZXJlIFRydXN0IEFuY2hvcjAe ++Fw0xNTAzMjExNTA3MTFaFw0yMzA2MDcxNTA3MTFaMFQxCzAJBgNVBAYTAk5OMTEw ++LwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNoIENsb3Vk ++MRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB ++AOPHUvt9ArGnC0wtpiqwV2teC/meS+fQrFVDR/qx4PywYzCEMfWVRJCatyIBb8cX ++Fr5aGe5HNZClXie6hkc7xWPS8sah26y+sS9MwpiGGXLV+RJFCbwj4gDrTbqZcbVK +++0mMTfMLTs9Ie8gGN5I1/7tP6pivE6yozZ+n4HjbFbw7AgMBAAGjgYgwgYUwFgYD ++VR0RBA8wDYILbG9jYWxob3N0AGgwCwYDVR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsG ++AQUFBwMBMB0GA1UdDgQWBBQj187YstD4jjyCJmzx9SqKSJBYZjAfBgNVHSMEGDAW ++gBQSyrpLRgSndYos6A5UlLwSZaZ7zjAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA ++A4IBAQAouXfqSo3WpftyW9bNYEAzVr/dI/+/6C4QzTCrJKRD2Jhx41lmPji9uPsZ ++GhOPocg5k7WDjWJSqXpbDWlHQFxRTDq+p8lfe5NJIFkjMHzZSt0pLO2W/cu4E/82 ++LCfOKMOm0Ni6jDifeP9Ux3YFN0f101WcLBJBgRTKSKK3bQVJK8X1e2Ntb80/9I10 ++UQf/4UDVlmDYyDhaFfnF/eFeowKVkEv8ikLecjFyPd2i3xlCyPqodxFn5mSM0P1F ++/fBJjOGF5vUfR8au8nDD6JnQzZ2IazO6uWU99LH00Dx2nBienshiKUOO9y8sEjc5 ++AiZOS7AUMIC7Lcz8k9zJi8BpEnE2 + -----END CERTIFICATE----- +------BEGIN DH PARAMETERS----- +-MIGHAoGBAL/3hRxvWX+Mdyu/aBPU1JeeA5sg4nXtA7B24eCql9Tq53Lks1/HJ5B+ +-xSapGAFd+22xhBsNkJihf74oiPEVr9nNoLjFV/DZe259+JYgs+pBTFN+Cp13ALUi +-CeZxX2mlxlstD1SBRTKgxA/j4ttR1Chn8knn+RVdFE9YFKCYPyLrAgEC +------END DH PARAMETERS----- +diff --git a/tests/certs/Server-localhost0h-sv.prm b/tests/certs/Server-localhost0h-sv.prm +index 5e8944b..619d825 100644 +--- a/tests/certs/Server-localhost0h-sv.prm ++++ b/tests/certs/Server-localhost0h-sv.prm +@@ -2,11 +2,11 @@ extensions = x509v3 + [ x509v3 ] + #subjectAltName = DNS:localhost\0h + subjectAltName = DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68 +-keyUsage = keyEncipherment ++keyUsage = keyEncipherment,digitalSignature,keyAgreement + extendedKeyUsage = serverAuth + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid +-basicConstraints = 
critical,CA:false
++basicConstraints = CA:false
+ [ req ]
+ default_bits = 1024
+ distinguished_name = req_DN
+--
+2.14.3
+
diff --git a/SOURCES/0059-curl-7.29.0-tlsauthtype-doc.patch b/SOURCES/0059-curl-7.29.0-tlsauthtype-doc.patch
new file mode 100644
index 0000000..5296f63
--- /dev/null
+++ b/SOURCES/0059-curl-7.29.0-tlsauthtype-doc.patch
@@ -0,0 +1,32 @@
+From 3ba5c596cb6610c883335a07c0e04335b8372563 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Mon, 12 Feb 2018 13:31:59 +0100
+Subject: [PATCH] tlsauthtype.d: works only if libcurl is built with TLS-SRP
+ support
+
+Bug: https://bugzilla.redhat.com/1542256
+
+Closes #2306
+
+Upstream-commit: 08029a7e73f8768b1b4e37876b34c6ff6ef32ece
+Signed-off-by: Kamil Dudka
+---
+ docs/curl.1 | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index 7906f1f..a26b03c 100644
+--- a/docs/curl.1
++++ b/docs/curl.1
+@@ -1446,6 +1446,8 @@ If this option is used several times, the last one will be used.
+ Set TLS authentication type. Currently, the only supported option is "SRP",
+ for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are
+ specified but \fI--tlsauthtype\fP is not, then this option defaults to "SRP".
++This option works only if the underlying libcurl is built with TLS-SRP support,
++which requires OpenSSL or GnuTLS with TLS-SRP support.
+ (Added in 7.21.4)
+ .IP "--tlspassword "
+ Set password for use with the TLS authentication method specified with
+--
+2.14.3
+
diff --git a/SOURCES/0060-curl-7.29.0-CVE-2018-1000007.patch b/SOURCES/0060-curl-7.29.0-CVE-2018-1000007.patch
new file mode 100644
index 0000000..616a65e
--- /dev/null
+++ b/SOURCES/0060-curl-7.29.0-CVE-2018-1000007.patch
@@ -0,0 +1,322 @@ +From e6968d1d220891230bcca5340bfd364183ceaa31 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Jan 2018 13:19:25 +0100 +Subject: [PATCH] http: prevent custom Authorization headers in redirects + +... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how +curl already handles Authorization headers created internally. + +Note: this changes behavior slightly, for the sake of reducing mistakes. + +Added test 317 and 318 to verify. + +Reported-by: Craig de Stigter +Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html + +Upstream-commit: af32cd3859336ab963591ca0df9b1e33a7ee066b +Signed-off-by: Kamil Dudka +--- + docs/libcurl/curl_easy_setopt.3 | 10 +++++ + lib/http.c | 10 ++++- + lib/url.c | 2 +- + lib/urldata.h | 2 +- + tests/data/Makefile.am | 3 +- + tests/data/test317 | 94 ++++++++++++++++++++++++++++++++++++++++ + tests/data/test318 | 95 +++++++++++++++++++++++++++++++++++++++++ + 7 files changed, 212 insertions(+), 4 deletions(-) + create mode 100644 tests/data/test317 + create mode 100644 tests/data/test318 + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 4ce8207..cbebfba 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -67,6 +67,16 @@ this when you debug/report problems. Another neat option for debugging is the + A parameter set to 1 tells the library to include the header in the body + output. This is only relevant for protocols that actually have headers + preceding the data (like HTTP). ++ ++Custom headers are sent in all requests done by the easy handles, which ++implies that if you tell libcurl to follow redirects ++(\fICURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent ++in the subsequent request. Redirects can of course go to other hosts and thus ++those servers will get all the contents of your custom headers too. 
++ ++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers ++from being sent to other hosts than the first used one, unless specifically ++permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option. + .IP CURLOPT_NOPROGRESS + Pass a long. If set to 1, it tells the library to shut off the progress meter + completely. It will also prevent the \fICURLOPT_PROGRESSFUNCTION\fP from +diff --git a/lib/http.c b/lib/http.c +index b73e58c..c15208d 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -666,7 +666,7 @@ Curl_http_output_auth(struct connectdata *conn, + if(!data->state.this_is_a_follow || + conn->bits.netrc || + !data->state.first_host || +- data->set.http_disable_hostname_check_before_authentication || ++ data->set.allow_auth_to_other_hosts || + Curl_raw_equal(data->state.first_host, conn->host.name)) { + result = output_auth_headers(conn, authhost, request, path, FALSE); + } +@@ -1550,6 +1550,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, + Connection: */ + checkprefix("Connection", headers->data)) + ; ++ else if(checkprefix("Authorization:", headers->data) && ++ /* be careful of sending this potentially sensitive header to ++ other hosts */ ++ (conn->data->state.this_is_a_follow && ++ conn->data->state.first_host && ++ !conn->data->set.allow_auth_to_other_hosts && ++ !strequal(conn->data->state.first_host, conn->host.name))) ++ ; + else { + CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", + headers->data); +diff --git a/lib/url.c b/lib/url.c +index 71d4d8b..ba53131 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -912,7 +912,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + * Send authentication (user+password) when following locations, even when + * hostname changed. 
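Review bot: The new `Authorization:` filter in Curl_add_custom_headers compares host names only (`state.first_host` against `conn->host.name`), so a redirect to a different port or scheme on the same host name still receives the custom header. If that is intended, the comment in the condition should say so, for example `/* host name only: another port or scheme on the same name still gets the header */`. The comparison also uses `strequal`, while the matching check in Curl_http_output_auth in this same patch uses `Curl_raw_equal`. Writing `!Curl_raw_equal(conn->data->state.first_host, conn->host.name)` here would keep the two checks from disagreeing on how names are folded. The function body continues outside the hunk.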
+ */ +- data->set.http_disable_hostname_check_before_authentication = ++ data->set.allow_auth_to_other_hosts = + (0 != va_arg(param, long))?TRUE:FALSE; + break; + +diff --git a/lib/urldata.h b/lib/urldata.h +index b4f18e7..1dd62ae 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1528,7 +1528,7 @@ struct UserDefined { + bool http_fail_on_error; /* fail on HTTP error codes >= 300 */ + bool http_follow_location; /* follow HTTP redirects */ + bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ +- bool http_disable_hostname_check_before_authentication; ++ bool allow_auth_to_other_hosts; + bool include_header; /* include received protocol headers in data output */ + bool http_set_referer; /* is a custom referer used */ + bool http_auto_referer; /* set "correct" referer when following location: */ +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index 3b31581..56cb286 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -36,7 +36,8 @@ test276 test277 test278 test279 test280 test281 test282 test283 test284 \ + test285 test286 test287 test288 test289 test290 test291 test292 test293 \ + test294 test295 test296 test297 test298 test299 test300 test301 test302 \ + test303 test304 test305 test306 test307 test308 test309 test310 test311 \ +-test312 test313 test320 test321 test322 test323 test324 test350 test351 \ ++test312 test313 test317 test318 \ ++test320 test321 test322 test323 test324 test350 test351 \ + test352 test353 test354 test400 test401 test402 test403 test404 test405 \ + test406 test407 test408 test409 test500 test501 test502 test503 test504 \ + test505 test506 test507 test508 test510 test511 test512 test513 test514 \ +diff --git a/tests/data/test317 b/tests/data/test317 +new file mode 100644 +index 0000000..c6d8697 +--- /dev/null ++++ b/tests/data/test317 +@@ -0,0 +1,94 @@ ++ ++ ++ ++HTTP ++HTTP proxy ++HTTP Basic auth ++HTTP proxy Basic auth ++followlocation ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 302 
OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Location: http://goto.second.host.now/3170002 ++Content-Length: 8 ++Connection: close ++ ++contents ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Content-Length: 9 ++ ++contents ++ ++ ++ ++HTTP/1.1 302 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Location: http://goto.second.host.now/3170002 ++Content-Length: 8 ++Connection: close ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Content-Length: 9 ++ ++contents ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with custom Authorization: and redirect to new host ++ ++ ++http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1 ++Proxy-Authorization: Basic dGVzdGluZzp0aGlz ++Host: first.host.it.is ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: s3cr3t ++ ++GET http://goto.second.host.now/3170002 HTTP/1.1 ++Proxy-Authorization: Basic dGVzdGluZzp0aGlz ++Host: goto.second.host.now ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test318 b/tests/data/test318 +new file mode 100644 +index 0000000..838d1ba +--- /dev/null ++++ b/tests/data/test318 +@@ -0,0 +1,95 @@ ++ ++ ++ ++HTTP ++HTTP proxy ++HTTP Basic auth ++HTTP proxy Basic auth ++followlocation ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 302 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Location: 
http://goto.second.host.now/3180002 ++Content-Length: 8 ++Connection: close ++ ++contents ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Content-Length: 9 ++ ++contents ++ ++ ++ ++HTTP/1.1 302 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Location: http://goto.second.host.now/3180002 ++Content-Length: 8 ++Connection: close ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Content-Length: 9 ++ ++contents ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with custom Authorization: and redirect to new host ++ ++ ++http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1 ++Proxy-Authorization: Basic dGVzdGluZzp0aGlz ++Host: first.host.it.is ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: s3cr3t ++ ++GET http://goto.second.host.now/3180002 HTTP/1.1 ++Proxy-Authorization: Basic dGVzdGluZzp0aGlz ++Host: goto.second.host.now ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: s3cr3t ++ ++ ++ ++ +-- +2.13.6 + diff --git a/SOURCES/0061-curl-7.29.0-CVE-2018-1000122.patch b/SOURCES/0061-curl-7.29.0-CVE-2018-1000122.patch new file mode 100644 index 0000000..74e9fa7 --- /dev/null +++ b/SOURCES/0061-curl-7.29.0-CVE-2018-1000122.patch 
@@ -0,0 +1,667 @@ +From 9f163418fabbe6219ab04cfe9bf81d2f33bd54d7 Mon Sep 17 00:00:00 2001 +From: Richy Kim +Date: Tue, 20 Dec 2016 05:48:15 -0500 +Subject: [PATCH 1/7] CURLOPT_BUFFERSIZE: support enlarging receive buffer + +Replace use of fixed macro BUFSIZE to define the size of the receive +buffer. Reappropriate CURLOPT_BUFFERSIZE to include enlarging receive +buffer size. Upon setting, resize buffer if larger than the current +default size up to a MAX_BUFSIZE (512KB). This can benefit protocols +like SFTP. + +Closes #1222 + +Upstream-commit: 6b7616690e5370c21e3a760321af6bf4edbabfb6 +Signed-off-by: Kamil Dudka +--- + docs/libcurl/curl_easy_setopt.3 | 12 ++++++------ + docs/libcurl/symbols-in-versions | 1 + + include/curl/curl.h | 5 +++++ + lib/easy.c | 6 ++++++ + lib/file.c | 2 +- + lib/ftp.c | 4 ++-- + lib/http.c | 3 ++- + lib/telnet.c | 5 +++-- + lib/url.c | 28 +++++++++++++++++++++++----- + lib/urldata.h | 5 ++++- + 10 files changed, 53 insertions(+), 18 deletions(-) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index cbebfba..17b632f 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -938,12 +938,12 @@ to using the share interface instead! See \fICURLOPT_SHARE\fP and + .IP CURLOPT_BUFFERSIZE + Pass a long specifying your preferred size (in bytes) for the receive buffer + in libcurl. The main point of this would be that the write callback gets +-called more often and with smaller chunks. This is just treated as a request, +-not an order. You cannot be guaranteed to actually get the given size. (Added +-in 7.10) +- +-This size is by default set as big as possible (CURL_MAX_WRITE_SIZE), so it +-only makes sense to use this option if you want it smaller. ++called more often and with smaller chunks. Secondly, for some protocols, ++there's a benefit of having a larger buffer for performance. This is just ++treated as a request, not an order. 
You cannot be guaranteed to actually get ++the given size. This buffer size is by default \fICURL_MAX_WRITE_SIZE\fP ++(16kB). The maximum buffer size allowed to set is \fICURL_MAX_READ_SIZE\fP ++(512kB). (Added in 7.10) + .IP CURLOPT_PORT + Pass a long specifying what remote port number to connect to, instead of the + one specified in the URL or the default port for the used protocol. +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index b0b6232..e2cce4c 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -639,6 +639,7 @@ CURL_LOCK_TYPE_DNS 7.10 - 7.10.2 + CURL_LOCK_TYPE_NONE 7.10 - 7.10.2 + CURL_LOCK_TYPE_SSL_SESSION 7.10 - 7.10.2 + CURL_MAX_HTTP_HEADER 7.19.7 ++CURL_MAX_READ_SIZE 7.53.0 + CURL_MAX_WRITE_SIZE 7.9.7 + CURL_NETRC_IGNORED 7.9.8 + CURL_NETRC_OPTIONAL 7.9.8 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 0375a64..8b639fa 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -170,6 +170,11 @@ typedef int (*curl_progress_callback)(void *clientp, + double ultotal, + double ulnow); + ++#ifndef CURL_MAX_READ_SIZE ++ /* The maximum receive buffer size configurable via CURLOPT_BUFFERSIZE. */ ++#define CURL_MAX_READ_SIZE 524288 ++#endif ++ + #ifndef CURL_MAX_WRITE_SIZE + /* Tests have proven that 20K is a very bad buffer size for uploads on + Windows, while 16K for some odd reason performed a lot better. +diff --git a/lib/easy.c b/lib/easy.c +index 0e9ba18..5d4d5ae 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -563,6 +563,11 @@ CURL *curl_easy_duphandle(CURL *incurl) + * get setup on-demand in the code, as that would probably decrease + * the likeliness of us forgetting to init a buffer here in the future. 
+ */ ++ outcurl->set.buffer_size = data->set.buffer_size; ++ outcurl->state.buffer = malloc(CURL_BUFSIZE(outcurl->set.buffer_size) + 1); ++ if(!outcurl->state.buffer) ++ goto fail; ++ + outcurl->state.headerbuff = malloc(HEADERSIZE); + if(!outcurl->state.headerbuff) + goto fail; +@@ -633,6 +638,7 @@ CURL *curl_easy_duphandle(CURL *incurl) + if(outcurl) { + curl_slist_free_all(outcurl->change.cookielist); + outcurl->change.cookielist = NULL; ++ Curl_safefree(outcurl->state.buffer); + Curl_safefree(outcurl->state.headerbuff); + Curl_safefree(outcurl->change.url); + Curl_safefree(outcurl->change.referer); +diff --git a/lib/file.c b/lib/file.c +index 038bf42..1ad4758 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -473,7 +473,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done) + date. */ + if(data->set.opt_no_body && data->set.include_header && fstated) { + CURLcode result; +- snprintf(buf, sizeof(data->state.buffer), ++ snprintf(buf, CURL_BUFSIZE(data->set.buffer_size), + "Content-Length: %" FORMAT_OFF_T "\r\n", expected_size); + result = Curl_client_write(conn, CLIENTWRITE_BOTH, buf, 0); + if(result) +diff --git a/lib/ftp.c b/lib/ftp.c +index a9826ce..730b695 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2136,7 +2136,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn, + /* we have a time, reformat it */ + time_t secs=time(NULL); + /* using the good old yacc/bison yuck */ +- snprintf(buf, sizeof(conn->data->state.buffer), ++ snprintf(buf, CURL_BUFSIZE(conn->data->set.buffer_size), + "%04d%02d%02d %02d:%02d:%02d GMT", + year, month, day, hour, minute, second); + /* now, convert this into a time() value: */ +@@ -2347,7 +2347,7 @@ static CURLcode ftp_state_size_resp(struct connectdata *conn, + if(instate == FTP_SIZE) { + #ifdef CURL_FTP_HTTPSTYLE_HEAD + if(-1 != filesize) { +- snprintf(buf, sizeof(data->state.buffer), ++ snprintf(buf, CURL_BUFSIZE(data->set.buffer_size), + "Content-Length: %" FORMAT_OFF_T "\r\n", filesize); + result = 
Curl_client_write(conn, CLIENTWRITE_BOTH, buf, 0); + if(result) +diff --git a/lib/http.c b/lib/http.c +index 1487fb2..f4368c4 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -247,7 +247,8 @@ static CURLcode http_output_basic(struct connectdata *conn, bool proxy) + pwd = conn->passwd; + } + +- snprintf(data->state.buffer, sizeof(data->state.buffer), "%s:%s", user, pwd); ++ snprintf(data->state.buffer, CURL_BUFSIZE(data->set.buffer_size), ++ "%s:%s", user, pwd); + + error = Curl_base64_encode(data, + data->state.buffer, strlen(data->state.buffer), +diff --git a/lib/telnet.c b/lib/telnet.c +index 77d8b7b..89452dd 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1421,6 +1421,7 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done) + + /* Keep on listening and act on events */ + while(keepon) { ++ const size_t buf_size = CURL_BUFSIZE(data->set.buffer_size); + waitret = WaitForMultipleObjects(obj_count, objs, FALSE, wait_timeout); + switch(waitret) { + case WAIT_TIMEOUT: +@@ -1455,7 +1456,7 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done) + if(!readfile_read) + break; + +- if(!ReadFile(stdin_handle, buf, sizeof(data->state.buffer), ++ if(!ReadFile(stdin_handle, buf, buf_size, + &readfile_read, NULL)) { + keepon = FALSE; + code = CURLE_READ_ERROR; +@@ -1474,7 +1475,7 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done) + + case WAIT_OBJECT_0 + 1: + { +- if(!ReadFile(stdin_handle, buf, sizeof(data->state.buffer), ++ if(!ReadFile(stdin_handle, buf, buf_size, + &readfile_read, NULL)) { + keepon = FALSE; + code = CURLE_READ_ERROR; +diff --git a/lib/url.c b/lib/url.c +index 89958a7..32e7e2e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -441,6 +441,7 @@ CURLcode Curl_close(struct SessionHandle *data) + } + data->change.url = NULL; + ++ Curl_safefree(data->state.buffer); + Curl_safefree(data->state.headerbuff); + + Curl_flush_cookies(data, 1); +@@ -612,6 +613,12 @@ CURLcode Curl_open(struct SessionHandle **curl) + + /* We do some 
initial setup here, all those fields that can't be just 0 */ + ++ data->state.buffer = malloc(BUFSIZE + 1); ++ if(!data->state.buffer) { ++ DEBUGF(fprintf(stderr, "Error: malloc of buffer failed\n")); ++ res = CURLE_OUT_OF_MEMORY; ++ } ++ + data->state.headerbuff = malloc(HEADERSIZE); + if(!data->state.headerbuff) { + DEBUGF(fprintf(stderr, "Error: malloc of headerbuff failed\n")); +@@ -642,8 +649,8 @@ CURLcode Curl_open(struct SessionHandle **curl) + + if(res) { + Curl_resolver_cleanup(data->state.resolver); +- if(data->state.headerbuff) +- free(data->state.headerbuff); ++ free(data->state.buffer); ++ free(data->state.headerbuff); + Curl_freeset(data); + free(data); + data = NULL; +@@ -1960,9 +1967,20 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + */ + data->set.buffer_size = va_arg(param, long); + +- if((data->set.buffer_size> (BUFSIZE -1 )) || +- (data->set.buffer_size < 1)) +- data->set.buffer_size = 0; /* huge internal default */ ++ if(data->set.buffer_size > MAX_BUFSIZE) ++ data->set.buffer_size = MAX_BUFSIZE; /* huge internal default */ ++ else if(data->set.buffer_size < 1) ++ data->set.buffer_size = BUFSIZE; ++ ++ /* Resize only if larger than default buffer size. */ ++ if(data->set.buffer_size > BUFSIZE) { ++ data->state.buffer = realloc(data->state.buffer, ++ data->set.buffer_size + 1); ++ if(!data->state.buffer) { ++ DEBUGF(fprintf(stderr, "Error: realloc of buffer failed\n")); ++ result = CURLE_OUT_OF_MEMORY; ++ } ++ } + + break; + +diff --git a/lib/urldata.h b/lib/urldata.h +index 7431825..a7807cf 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -196,6 +196,9 @@ + /* Download buffer size, keep it fairly big for speed reasons */ + #undef BUFSIZE + #define BUFSIZE CURL_MAX_WRITE_SIZE ++#undef MAX_BUFSIZE ++#define MAX_BUFSIZE CURL_MAX_READ_SIZE ++#define CURL_BUFSIZE(x) ((x)?(x):(BUFSIZE)) + + /* Initial size of the buffer to store headers in, it'll be enlarged in case + of need. 
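Review bot: In the CURLOPT_BUFFERSIZE case of Curl_setopt the result of `realloc()` is assigned straight to `data->state.buffer`, so a failed resize loses the only pointer to the old block and leaves the handle with a NULL receive buffer. The failure path only sets `result`, and `data->set.buffer_size` already holds the larger value, so a caller that keeps using the handle after the error has no valid buffer behind that size. Resizing through a temporary keeps the old buffer on failure; `buffer_size` should then also go back to a value that fits it. The same assignment survives as a context line in the later 4/7 hunk of this series.

```c
    /* Resize only if larger than default buffer size. */
    if(data->set.buffer_size > BUFSIZE) {
      char *newbuf = realloc(data->state.buffer, data->set.buffer_size + 1);
      if(!newbuf) {
        /* ... unchanged: DEBUGF message ... */
        /* the old buffer is still owned by the handle; buffer_size has to
           be put back to a value that fits it */
        result = CURLE_OUT_OF_MEMORY;
      }
      else
        data->state.buffer = newbuf;
    }
```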
*/ +@@ -1174,7 +1177,7 @@ struct UrlState { + char *headerbuff; /* allocated buffer to store headers in */ + size_t headersize; /* size of the allocation */ + +- char buffer[BUFSIZE+1]; /* download buffer */ ++ char *buffer; /* download buffer */ + char uploadbuffer[BUFSIZE+1]; /* upload buffer */ + curl_off_t current_speed; /* the ProgressShow() funcion sets this, + bytes / second */ +-- +2.14.3 + + +From f175a713c964d351012baaf8c78c1b468cc6aba0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 24 Apr 2017 15:33:57 +0200 +Subject: [PATCH 2/7] http: use private user:password output buffer + +Don't clobber the receive buffer. + +Upstream-commit: 94460878cc634b590a7282e3fe60ceafb62d141a +Signed-off-by: Kamil Dudka +--- + lib/http.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index f4368c4..12e7dc3 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -234,7 +234,8 @@ static CURLcode http_output_basic(struct connectdata *conn, bool proxy) + char **userp; + const char *user; + const char *pwd; +- CURLcode error; ++ CURLcode result; ++ char *out; + + if(proxy) { + userp = &conn->allocptr.proxyuserpwd; +@@ -247,27 +248,32 @@ static CURLcode http_output_basic(struct connectdata *conn, bool proxy) + pwd = conn->passwd; + } + +- snprintf(data->state.buffer, CURL_BUFSIZE(data->set.buffer_size), +- "%s:%s", user, pwd); ++ out = aprintf("%s:%s", user, pwd); ++ if(!out) ++ return CURLE_OUT_OF_MEMORY; + +- error = Curl_base64_encode(data, +- data->state.buffer, strlen(data->state.buffer), +- &authorization, &size); +- if(error) +- return error; ++ result = Curl_base64_encode(data, out, strlen(out), &authorization, &size); ++ if(result) ++ goto fail; + +- if(!authorization) +- return CURLE_REMOTE_ACCESS_DENIED; ++ if(!authorization) { ++ result = CURLE_REMOTE_ACCESS_DENIED; ++ goto fail; ++ } + + Curl_safefree(*userp); + *userp = aprintf("%sAuthorization: Basic %s\r\n", + proxy?"Proxy-":"", 
+ authorization); + free(authorization); +- if(!*userp) +- return CURLE_OUT_OF_MEMORY; ++ if(!*userp) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } + +- return CURLE_OK; ++ fail: ++ free(out); ++ return result; + } + + /* pickoneauth() selects the most favourable authentication method from the +-- +2.14.3 + + +From 6ff175806c338223a2a9a69f6ae8ae2b91dc2b56 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 24 Apr 2017 16:05:46 +0200 +Subject: [PATCH 3/7] ftp: use private buffer for temp storage, not receive + buffer + +Upstream-commit: 349789e645a306a6ee467ef90a57f6cc306ca92e +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 730b695..10a21ce 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2130,17 +2130,17 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn, + /* we got a time. Format should be: "YYYYMMDDHHMMSS[.sss]" where the + last .sss part is optional and means fractions of a second */ + int year, month, day, hour, minute, second; +- char *buf = data->state.buffer; +- if(6 == sscanf(buf+4, "%04d%02d%02d%02d%02d%02d", ++ if(6 == sscanf(&data->state.buffer[4], "%04d%02d%02d%02d%02d%02d", + &year, &month, &day, &hour, &minute, &second)) { + /* we have a time, reformat it */ ++ char timebuf[24]; + time_t secs=time(NULL); +- /* using the good old yacc/bison yuck */ +- snprintf(buf, CURL_BUFSIZE(conn->data->set.buffer_size), ++ ++ snprintf(timebuf, sizeof(timebuf), + "%04d%02d%02d %02d:%02d:%02d GMT", + year, month, day, hour, minute, second); + /* now, convert this into a time() value: */ +- data->info.filetime = (long)curl_getdate(buf, &secs); ++ data->info.filetime = (long)curl_getdate(timebuf, &secs); + } + + #ifdef CURL_FTP_HTTPSTYLE_HEAD +@@ -2151,6 +2151,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn, + ftpc->file && + data->set.get_filetime && + (data->info.filetime>=0) ) { ++ char headerbuf[128]; 
+ time_t filetime = (time_t)data->info.filetime; + struct tm buffer; + const struct tm *tm = &buffer; +@@ -2160,7 +2161,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn, + return result; + + /* format: "Tue, 15 Nov 1994 12:45:26" */ +- snprintf(buf, BUFSIZE-1, ++ snprintf(headerbuf, sizeof(headerbuf), + "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n", + Curl_wkday[tm->tm_wday?tm->tm_wday-1:6], + tm->tm_mday, +@@ -2169,7 +2170,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn, + tm->tm_hour, + tm->tm_min, + tm->tm_sec); +- result = Curl_client_write(conn, CLIENTWRITE_BOTH, buf, 0); ++ result = Curl_client_write(conn, CLIENTWRITE_BOTH, headerbuf, 0); + if(result) + return result; + } /* end of a ridiculous amount of conditionals */ +@@ -2347,9 +2348,10 @@ static CURLcode ftp_state_size_resp(struct connectdata *conn, + if(instate == FTP_SIZE) { + #ifdef CURL_FTP_HTTPSTYLE_HEAD + if(-1 != filesize) { +- snprintf(buf, CURL_BUFSIZE(data->set.buffer_size), ++ char clbuf[128]; ++ snprintf(clbuf, sizeof(clbuf), + "Content-Length: %" FORMAT_OFF_T "\r\n", filesize); +- result = Curl_client_write(conn, CLIENTWRITE_BOTH, buf, 0); ++ result = Curl_client_write(conn, CLIENTWRITE_BOTH, clbuf, 0); + if(result) + return result; + } +@@ -2450,7 +2452,6 @@ static CURLcode ftp_state_get_resp(struct connectdata *conn, + CURLcode result = CURLE_OK; + struct SessionHandle *data = conn->data; + struct FTP *ftp = data->state.proto.ftp; +- char *buf = data->state.buffer; + + if((ftpcode == 150) || (ftpcode == 125)) { + +@@ -2494,6 +2495,7 @@ static CURLcode ftp_state_get_resp(struct connectdata *conn, + * + * Example D above makes this parsing a little tricky */ + char *bytes; ++ char *buf = data->state.buffer; + bytes=strstr(buf, " bytes"); + if(bytes--) { + long in=(long)(bytes-buf); +-- +2.14.3 + + +From b67324919089fc4f9bb7a38a6a31174883a4bc24 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2017 00:09:22 +0200 +Subject: [PATCH 
4/7] CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size + +The buffer is needed to receive FTP, HTTP CONNECT responses etc so +already at this size things risk breaking and smaller is certainly not +wise. + +Upstream-commit: c2ddc12d6086b522703c8b80a72ab791680f1a28 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 15 +++++++++------ + lib/urldata.h | 1 + + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 32e7e2e..f87dca4 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1965,15 +1965,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + * The application kindly asks for a differently sized receive buffer. + * If it seems reasonable, we'll use it. + */ +- data->set.buffer_size = va_arg(param, long); ++ arg = va_arg(param, long); + +- if(data->set.buffer_size > MAX_BUFSIZE) +- data->set.buffer_size = MAX_BUFSIZE; /* huge internal default */ +- else if(data->set.buffer_size < 1) +- data->set.buffer_size = BUFSIZE; ++ if(arg > MAX_BUFSIZE) ++ arg = MAX_BUFSIZE; /* huge internal default */ ++ else if(arg < 1) ++ arg = BUFSIZE; ++ else if(arg < MIN_BUFSIZE) ++ arg = BUFSIZE; + + /* Resize only if larger than default buffer size. 
*/ +- if(data->set.buffer_size > BUFSIZE) { ++ if(arg > BUFSIZE) { + data->state.buffer = realloc(data->state.buffer, + data->set.buffer_size + 1); + if(!data->state.buffer) { +@@ -1981,6 +1983,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + result = CURLE_OUT_OF_MEMORY; + } + } ++ data->set.buffer_size = arg; + + break; + +diff --git a/lib/urldata.h b/lib/urldata.h +index a7807cf..cd96e8f 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -198,6 +198,7 @@ + #define BUFSIZE CURL_MAX_WRITE_SIZE + #undef MAX_BUFSIZE + #define MAX_BUFSIZE CURL_MAX_READ_SIZE ++#define MIN_BUFSIZE 1024 + #define CURL_BUFSIZE(x) ((x)?(x):(BUFSIZE)) + + /* Initial size of the buffer to store headers in, it'll be enlarged in case +-- +2.14.3 + + +From 9798012315c087168c5a4a1dc56eacfe82c69626 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2017 00:15:28 +0200 +Subject: [PATCH 5/7] file: use private buffer for C-L output + +... instead of clobbering the download buffer. + +Upstream-commit: 7c312f84ea930d89c0f0f774b50032c4f9ae30e4 +Signed-off-by: Kamil Dudka +--- + lib/file.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/lib/file.c b/lib/file.c +index 1ad4758..b6bf18e 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -473,9 +473,10 @@ static CURLcode file_do(struct connectdata *conn, bool *done) + date. 
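Review bot: After this change the resize in Curl_setopt is guarded by `arg > BUFSIZE` but still allocates `data->set.buffer_size + 1` bytes, and `data->set.buffer_size = arg` is only stored after the block. As the hunk reads, the buffer is therefore sized from the previous setting while the handle records the new, larger size. Every later bound taken from `buffer_size`, including the one added to readwrite_data in 7/7, would then exceed the allocation. The allocation should use the new value: `data->state.buffer = realloc(data->state.buffer, arg + 1);`. None of the later patches visible in this series touches this line.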
*/ + if(data->set.opt_no_body && data->set.include_header && fstated) { + CURLcode result; +- snprintf(buf, CURL_BUFSIZE(data->set.buffer_size), ++ char header[80]; ++ snprintf(header, sizeof(header), + "Content-Length: %" FORMAT_OFF_T "\r\n", expected_size); +- result = Curl_client_write(conn, CLIENTWRITE_BOTH, buf, 0); ++ result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0); + if(result) + return result; + +@@ -493,7 +494,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done) + return result; + + /* format: "Tue, 15 Nov 1994 12:45:26 GMT" */ +- snprintf(buf, BUFSIZE-1, ++ snprintf(header, sizeof(header), + "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n", + Curl_wkday[tm->tm_wday?tm->tm_wday-1:6], + tm->tm_mday, +-- +2.14.3 + + +From f4868e737e9f8d719cb9897506da2c7f92dfd87d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2017 00:16:10 +0200 +Subject: [PATCH 6/7] buffer_size: make sure it always has the correct size + +Removes the need for CURL_BUFSIZE + +Upstream-commit: f535f4f5fc6cbdce1aec5a3481cec37369dca468 +Signed-off-by: Kamil Dudka +--- + lib/easy.c | 2 +- + lib/telnet.c | 2 +- + lib/url.c | 2 ++ + lib/urldata.h | 1 - + 4 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/lib/easy.c b/lib/easy.c +index 5d4d5ae..9cad5f1 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -564,7 +564,7 @@ CURL *curl_easy_duphandle(CURL *incurl) + * the likeliness of us forgetting to init a buffer here in the future. 
+ */ + outcurl->set.buffer_size = data->set.buffer_size; +- outcurl->state.buffer = malloc(CURL_BUFSIZE(outcurl->set.buffer_size) + 1); ++ outcurl->state.buffer = malloc(outcurl->set.buffer_size + 1); + if(!outcurl->state.buffer) + goto fail; + +diff --git a/lib/telnet.c b/lib/telnet.c +index 89452dd..e43b423 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1421,7 +1421,7 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done) + + /* Keep on listening and act on events */ + while(keepon) { +- const size_t buf_size = CURL_BUFSIZE(data->set.buffer_size); ++ const size_t buf_size = (DWORD)data->set.buffer_size; + waitret = WaitForMultipleObjects(obj_count, objs, FALSE, wait_timeout); + switch(waitret) { + case WAIT_TIMEOUT: +diff --git a/lib/url.c b/lib/url.c +index f87dca4..81de7c2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -577,6 +577,8 @@ CURLcode Curl_init_userdefined(struct UserDefined *set) + set->tcp_keepintvl = 60; + set->tcp_keepidle = 60; + ++ set->buffer_size = BUFSIZE; ++ + return res; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index cd96e8f..fbe69c2 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -199,7 +199,6 @@ + #undef MAX_BUFSIZE + #define MAX_BUFSIZE CURL_MAX_READ_SIZE + #define MIN_BUFSIZE 1024 +-#define CURL_BUFSIZE(x) ((x)?(x):(BUFSIZE)) + + /* Initial size of the buffer to store headers in, it'll be enlarged in case + of need. 
*/ +-- +2.14.3 + + +From 9f3810bae5fad685e848a39750863557e17a0163 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 8 Mar 2018 10:33:16 +0100 +Subject: [PATCH 7/7] readwrite: make sure excess reads don't go beyond buffer + end + +CVE-2018-1000122 +Bug: https://curl.haxx.se/docs/adv_2018-b047.html + +Detected by OSS-fuzz + +Upstream-commit: d52dc4760f6d9ca1937eefa2093058a952465128 +Signed-off-by: Kamil Dudka +--- + lib/transfer.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index dff6838..7ad6e3c 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -738,10 +738,15 @@ static CURLcode readwrite_data(struct SessionHandle *data, + + } /* if(! header and data to read ) */ + +- if(conn->handler->readwrite && +- (excess > 0 && !conn->bits.stream_was_rewound)) { ++ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { + /* Parse the excess data */ + k->str += nread; ++ ++ if(&k->str[excess] > &k->buf[data->set.buffer_size]) { ++ /* the excess amount was too excessive(!), make sure ++ it doesn't read out of buffer */ ++ excess = &k->buf[data->set.buffer_size] - k->str; ++ } + nread = (ssize_t)excess; + + result = conn->handler->readwrite(data, conn, &nread, &readmore); +-- +2.14.3 + diff --git a/SOURCES/0062-curl-7.29.0-CVE-2018-1000121.patch b/SOURCES/0062-curl-7.29.0-CVE-2018-1000121.patch new file mode 100644 index 0000000..763b568 --- /dev/null +++ b/SOURCES/0062-curl-7.29.0-CVE-2018-1000121.patch 
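Review bot: The new bound in readwrite_data is tested by forming `&k->str[excess]`, and when `excess` is too large, which is the case the check exists for, that address lies past the end of the buffer. C leaves such pointer arithmetic undefined, and for very large values it can wrap. Comparing lengths avoids this: `if(excess > (size_t)(&k->buf[data->set.buffer_size] - k->str))`, with the body unchanged. The bound also assumes that `data->set.buffer_size` is the size `k->buf` was allocated with, which is worth stating in the comment. The function starts and ends outside the hunk, so `excess` is assumed here to be an unsigned size.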
@@ -0,0 +1,45 @@ +From 1d7bcc866591aba5788dc6c701ef8b564d09e329 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 6 Mar 2018 23:02:16 +0100 +Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL + before using + +CVE-2018-1000121 +Reported-by: Dario Weisser +Bug: https://curl.haxx.se/docs/adv_2018-97a2.html + +Upstream-commit: 9889db043393092e9d4b5a42720bba0b3d58deba +Signed-off-by: Kamil Dudka +--- + lib/openldap.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/openldap.c b/lib/openldap.c +index 369309c..d71946d 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -435,7 +435,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf, + + for(ent = ldap_first_message(li->ld, result); ent; + ent = ldap_next_message(li->ld, ent)) { +- struct berval bv, *bvals, **bvp = &bvals; ++ struct berval bv, *bvals; + int binary = 0, msgtype; + + msgtype = ldap_msgtype(ent); +@@ -481,9 +481,9 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf, + Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1); + data->req.bytecount += bv.bv_len + 5; + +- for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp); +- rc == LDAP_SUCCESS; +- rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) { ++ for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals); ++ (rc == LDAP_SUCCESS) && bvals; ++ rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) { + int i; + + if(bv.bv_val == NULL) break; +-- +2.14.3 + diff --git a/SOURCES/0063-curl-7.29.0-CVE-2018-1000120.patch b/SOURCES/0063-curl-7.29.0-CVE-2018-1000120.patch new file mode 100644 index 0000000..da3e4fe --- /dev/null +++ b/SOURCES/0063-curl-7.29.0-CVE-2018-1000120.patch 
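Review bot: Putting `bvals` into the loop condition in ldap_recv avoids the NULL dereference, but it also ends the loop at the first attribute that comes back without values. Any attributes after it in the same entry are then presumably dropped without an error. Keeping `rc == LDAP_SUCCESS` as the condition and adding `if(!bvals) continue;` after the existing `if(bv.bv_val == NULL) break;` would skip only the empty attribute. A short comment on why `bvals` can be NULL on success would also help the next reader. The loop body continues outside the hunk, so whether it frees or otherwise relies on `bvals` further down cannot be confirmed from here.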
@@ -0,0 +1,446 @@ +From 5452fdc5ae93f3571074c591fdf28cdf630796a0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 12 Sep 2017 09:29:01 +0200 +Subject: [PATCH 1/3] FTP: URL decode path for dir listing in nocwd mode + +Reported-by: Zenju on github + +Test 244 added to verify +Fixes #1974 +Closes #1976 + +Upstream-commit: ecf21c551fa3426579463abe34b623111b8d487c +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 93 +++++++++++++++++++++++--------------------------- + tests/data/Makefile.am | 3 +- + tests/data/test244 | 54 +++++++++++++++++++++++++++++ + 3 files changed, 99 insertions(+), 51 deletions(-) + create mode 100644 tests/data/test244 + +diff --git a/lib/ftp.c b/lib/ftp.c +index bcba6bb..fb3a716 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1003,7 +1003,7 @@ static CURLcode ftp_state_use_port(struct connectdata *conn, + char *port_start = NULL; + char *port_sep = NULL; + +- addr = calloc(addrlen+1, 1); ++ addr = calloc(addrlen + 1, 1); + if(!addr) + return CURLE_OUT_OF_MEMORY; + +@@ -1041,7 +1041,7 @@ static CURLcode ftp_state_use_port(struct connectdata *conn, + /* parse the port */ + if(ip_end != NULL) { + if((port_start = strchr(ip_end, ':')) != NULL) { +- port_min = curlx_ultous(strtoul(port_start+1, NULL, 10)); ++ port_min = curlx_ultous(strtoul(port_start + 1, NULL, 10)); + if((port_sep = strchr(port_start, '-')) != NULL) { + port_max = curlx_ultous(strtoul(port_sep + 1, NULL, 10)); + } +@@ -1469,25 +1469,22 @@ static CURLcode ftp_state_post_listtype(struct connectdata *conn) + then just do LIST (in that case: nothing to do here) + */ + char *cmd,*lstArg,*slashPos; ++ const char *inpath = data->state.path; + + lstArg = NULL; + if((data->set.ftp_filemethod == FTPFILE_NOCWD) && +- data->state.path && +- data->state.path[0] && +- strchr(data->state.path,'/')) { +- +- lstArg = strdup(data->state.path); +- if(!lstArg) +- return CURLE_OUT_OF_MEMORY; ++ inpath && inpath[0] && strchr(inpath, '/')) { ++ size_t n = strlen(inpath); + + /* Check if path does 
not end with /, as then we cut off the file part */ +- if(lstArg[strlen(lstArg) - 1] != '/') { +- ++ if(inpath[n - 1] != '/') { + /* chop off the file part if format is dir/dir/file */ +- slashPos = strrchr(lstArg,'/'); +- if(slashPos) +- *(slashPos+1) = '\0'; ++ slashPos = strrchr(inpath, '/'); ++ n = slashPos - inpath; + } ++ result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); ++ if(result) ++ return result; + } + + cmd = aprintf( "%s%s%s", +@@ -3327,12 +3324,10 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, + } + + /* get the "raw" path */ +- path = curl_easy_unescape(data, path_to_use, 0, NULL); +- if(!path) { ++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); ++ if(result) { + /* out of memory, but we can limp along anyway (and should try to + * since we may already be in the out of memory cleanup path) */ +- if(!result) +- result = CURLE_OUT_OF_MEMORY; + ftpc->ctl_valid = FALSE; /* mark control connection as bad */ + conn->bits.close = TRUE; /* mark for connection closure */ + ftpc->prevpath = NULL; /* no path remembering */ +@@ -3643,7 +3638,7 @@ static CURLcode ftp_range(struct connectdata *conn) + } + else { + /* X-Y */ +- data->req.maxdownload = (to-from)+1; /* include last byte */ ++ data->req.maxdownload = (to - from) + 1; /* include last byte */ + data->state.resume_from = from; + DEBUGF(infof(conn->data, "FTP RANGE from %" FORMAT_OFF_T + " getting %" FORMAT_OFF_T " bytes\n", +@@ -4332,20 +4327,22 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + } + slash_pos=strrchr(cur_pos, '/'); + if(slash_pos || !*cur_pos) { ++ CURLcode result; + ftpc->dirs = calloc(1, sizeof(ftpc->dirs[0])); + if(!ftpc->dirs) + return CURLE_OUT_OF_MEMORY; + +- ftpc->dirs[0] = curl_easy_unescape(conn->data, slash_pos ? cur_pos : "/", +- slash_pos ? +- curlx_sztosi(slash_pos-cur_pos) : 1, +- NULL); +- if(!ftpc->dirs[0]) { ++ result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", ++ slash_pos ? 
++ curlx_sztosi(slash_pos-cur_pos) : 1, ++ &ftpc->dirs[0], NULL, ++ FALSE); ++ if(result) { + freedirs(ftpc); +- return CURLE_OUT_OF_MEMORY; ++ return result; + } + ftpc->dirdepth = 1; /* we consider it to be a single dir */ +- filename = slash_pos ? slash_pos+1 : cur_pos; /* rest is file name */ ++ filename = slash_pos ? slash_pos + 1 : cur_pos; /* rest is file name */ + } + else + filename = cur_pos; /* this is a file name only */ +@@ -4377,18 +4374,15 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + /* we skip empty path components, like "x//y" since the FTP command + CWD requires a parameter and a non-existent parameter a) doesn't + work on many servers and b) has no effect on the others. */ +- int len = curlx_sztosi(slash_pos - cur_pos + absolute_dir); +- ftpc->dirs[ftpc->dirdepth] = +- curl_easy_unescape(conn->data, cur_pos - absolute_dir, len, NULL); +- if(!ftpc->dirs[ftpc->dirdepth]) { /* run out of memory ... */ +- failf(data, "no memory"); +- freedirs(ftpc); +- return CURLE_OUT_OF_MEMORY; +- } +- if(isBadFtpString(ftpc->dirs[ftpc->dirdepth])) { ++ size_t len = slash_pos - cur_pos + absolute_dir; ++ CURLcode result = ++ Curl_urldecode(conn->data, cur_pos - absolute_dir, len, ++ &ftpc->dirs[ftpc->dirdepth], NULL, ++ TRUE); ++ if(result) { + free(ftpc->dirs[ftpc->dirdepth]); + freedirs(ftpc); +- return CURLE_URL_MALFORMAT; ++ return result; + } + } + else { +@@ -4415,15 +4409,12 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + } /* switch */ + + if(filename && *filename) { +- ftpc->file = curl_easy_unescape(conn->data, filename, 0, NULL); +- if(NULL == ftpc->file) { +- freedirs(ftpc); +- failf(data, "no memory"); +- return CURLE_OUT_OF_MEMORY; +- } +- if(isBadFtpString(ftpc->file)) { ++ CURLcode result = ++ Curl_urldecode(conn->data, filename, 0, &ftpc->file, NULL, TRUE); ++ ++ if(result) { + freedirs(ftpc); +- return CURLE_URL_MALFORMAT; ++ return result; + } + } + else +@@ -4441,15 +4432,17 @@ CURLcode ftp_parse_url_path(struct 
connectdata *conn) + if(ftpc->prevpath) { + /* prevpath is "raw" so we convert the input path before we compare the + strings */ +- int dlen; +- char *path = curl_easy_unescape(conn->data, data->state.path, 0, &dlen); +- if(!path) { ++ size_t dlen; ++ char *path; ++ CURLcode result = ++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); ++ if(result) { + freedirs(ftpc); +- return CURLE_OUT_OF_MEMORY; ++ return result; + } + +- dlen -= ftpc->file?curlx_uztosi(strlen(ftpc->file)):0; +- if((dlen == curlx_uztosi(strlen(ftpc->prevpath))) && ++ dlen -= ftpc->file?strlen(ftpc->file):0; ++ if((dlen == strlen(ftpc->prevpath)) && + strnequal(path, ftpc->prevpath, dlen)) { + infof(data, "Request has same path as previous transfer\n"); + ftpc->cwddone = TRUE; +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index 56cb286..e7955ee 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -28,7 +28,8 @@ test200 test201 test202 test203 test204 test205 test206 test207 test208 \ + test209 test210 test211 test212 test213 test214 test215 test216 test217 \ + test218 test220 test221 test222 test223 test224 test225 test226 test227 \ + test228 test229 test231 test233 test234 test235 test236 test237 test238 \ +-test239 test240 test241 test242 test243 test245 test246 test247 test248 \ ++test239 test240 test241 test242 test243 \ ++test244 test245 test246 test247 test248 \ + test249 test250 test251 test252 test253 test254 test255 test256 test257 \ + test258 test259 test260 test261 test262 test263 test264 test265 test266 \ + test267 test268 test269 test270 test271 test272 test273 test274 test275 \ +diff --git a/tests/data/test244 b/tests/data/test244 +new file mode 100644 +index 0000000..8ce4b63 +--- /dev/null ++++ b/tests/data/test244 +@@ -0,0 +1,54 @@ ++ ++ ++ ++FTP ++PASV ++CWD ++--ftp-method ++nocwd ++ ++ ++# ++# Server-side ++ ++ ++total 20 ++drwxr-xr-x 8 98 98 512 Oct 22 13:06 . ++drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. 
++drwxr-xr-x 2 98 98 512 May 2 1996 .NeXT ++-r--r--r-- 1 0 1 35 Jul 16 1996 README ++lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin ++dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev ++drwxrwxrwx 2 98 98 512 May 29 16:04 download.html ++dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc ++drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub ++dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr ++ ++ ++ ++# Client-side ++ ++ ++ftp ++ ++ ++FTP dir listing with nocwd and URL encoded path ++ ++ ++--ftp-method nocwd ftp://%HOSTIP:%FTPPORT/fir%23t/th%69rd/244/ ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++EPSV ++TYPE A ++LIST fir#t/third/244/ ++QUIT ++ ++ ++ +-- +2.14.3 + + +From 295fc8b0dc5c94a1cbf6688bfba768128b13cde6 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 2 Nov 2016 07:22:27 +0100 +Subject: [PATCH 2/3] ftp_done: don't clobber the passed in error code + +Coverity CID 1374359 pointed out the unused result value. + +Upstream-commit: f81a8364618caf99b4691ffd494a9b2d4c9fb1f6 +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 9da5a24..0259a14 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3323,11 +3323,12 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, + ftpc->known_filesize = -1; + } + +- /* get the "raw" path */ +- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); ++ if(!result) ++ /* get the "raw" path */ ++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); + if(result) { +- /* out of memory, but we can limp along anyway (and should try to +- * since we may already be in the out of memory cleanup path) */ ++ /* We can limp along anyway (and should try to since we may already be in ++ * the error path) */ + ftpc->ctl_valid = FALSE; /* mark control connection as bad */ + conn->bits.close = TRUE; /* mark for connection closure */ + ftpc->prevpath = NULL; /* no path remembering */ +-- +2.14.4 
+ + +From 9534442aae1da4e6cf2ce815e47dbcd82695c3d4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 31 Jan 2018 08:40:11 +0100 +Subject: [PATCH 3/3] FTP: reject path components with control codes + +Refuse to operate when given path components featuring byte values lower +than 32. + +Previously, inserting a %00 sequence early in the directory part when +using the 'singlecwd' ftp method could make curl write a zero byte +outside of the allocated buffer. + +Test case 340 verifies. + +CVE-2018-1000120 +Reported-by: Duy Phan Thanh +Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html + +Upstream-commit: 535432c0adb62fe167ec09621500470b6fa4eb0f +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 8 ++++---- + tests/data/Makefile.am | 1 + + tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 45 insertions(+), 4 deletions(-) + create mode 100644 tests/data/test340 + +diff --git a/lib/ftp.c b/lib/ftp.c +index fb3a716..268efdd 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1482,7 +1482,7 @@ static CURLcode ftp_state_post_listtype(struct connectdata *conn) + slashPos = strrchr(inpath, '/'); + n = slashPos - inpath; + } +- result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); ++ result = Curl_urldecode(data, inpath, n, &lstArg, NULL, TRUE); + if(result) + return result; + } +@@ -3325,7 +3325,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, + + if(!result) + /* get the "raw" path */ +- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); ++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); + if(result) { + /* We can limp along anyway (and should try to since we may already be in + * the error path) */ +@@ -4337,7 +4337,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + slash_pos ? 
+ curlx_sztosi(slash_pos-cur_pos) : 1, + &ftpc->dirs[0], NULL, +- FALSE); ++ TRUE); + if(result) { + freedirs(ftpc); + return result; +@@ -4436,7 +4436,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + size_t dlen; + char *path; + CURLcode result = +- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); ++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); + if(result) { + freedirs(ftpc); + return result; +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index e7955ee..910db5b 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -39,6 +39,7 @@ test294 test295 test296 test297 test298 test299 test300 test301 test302 \ + test303 test304 test305 test306 test307 test308 test309 test310 test311 \ + test312 test313 test317 test318 \ + test320 test321 test322 test323 test324 test350 test351 \ ++test340 \ + test352 test353 test354 test400 test401 test402 test403 test404 test405 \ + test406 test407 test408 test409 test500 test501 test502 test503 test504 \ + test505 test506 test507 test508 test510 test511 test512 test513 test514 \ +diff --git a/tests/data/test340 b/tests/data/test340 +new file mode 100644 +index 0000000..d834d76 +--- /dev/null ++++ b/tests/data/test340 +@@ -0,0 +1,40 @@ ++ ++ ++ ++FTP ++PASV ++CWD ++--ftp-method ++singlecwd ++ ++ ++# ++# Server-side ++ ++ ++ ++# Client-side ++ ++ ++ftp ++ ++ ++FTP using %00 in path with singlecwd ++ ++ ++--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++ ++ ++3 ++ ++ ++ +-- +2.14.3 + diff --git a/SOURCES/0064-curl-7.29.0-CVE-2018-1000301.patch b/SOURCES/0064-curl-7.29.0-CVE-2018-1000301.patch new file mode 100644 index 0000000..9a06ee6 --- /dev/null +++ b/SOURCES/0064-curl-7.29.0-CVE-2018-1000301.patch 
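Review bot: In the `ftp_state_post_listtype` hunk of patch 1/3, `n = slashPos - inpath;` becomes 0 when the only slash is the first character of `inpath`. The other calls in this series pass 0 to `Curl_urldecode` when the whole string is to be decoded, so in that case the file part would apparently not be chopped off and LIST would be sent with the full path. The same line also drops the trailing slash that the removed `*(slashPos+1) = '\0'` used to keep. Writing `n = slashPos - inpath + 1;` keeps the slash and avoids the zero length. `Curl_urldecode` itself is not part of this diff, so the meaning of a zero length should be confirmed there.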
@@ -0,0 +1,48 @@
+From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is
+ parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d
+Signed-off-by: Kamil Dudka
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 841f6cc..dc10f5f 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2789,6 +2789,8 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
+ {
+ CURLcode result;
+ struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+ /* header line within buffer loop */
+ do {
+@@ -2853,7 +2855,9 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
+ else {
+ /* this was all we read so it's all a bad header */
+ k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+ }
+ break;
+ }
+--
+2.14.3
+
diff --git a/SOURCES/0065-curl-7.29.0-tftp-speed-limit.patch b/SOURCES/0065-curl-7.29.0-tftp-speed-limit.patch
new file mode 100644
index 0000000..d1af5ec
--- /dev/null
+++ b/SOURCES/0065-curl-7.29.0-tftp-speed-limit.patch
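Review bot: The two locals added at the top of `Curl_http_readwrite_headers`, `onread` and `ostr`, carry no comment, and nothing at the early `return CURLE_OK;` says that the function deliberately hands the buffer back in the state it received it. I would add `/* entry state, restored if the response-line turns out to be bad */` above the declarations and `/* undo all parsing: leaving k->str advanced risks over-reads later */` before `*nread = onread;`. The diffstat lists only lib/http.c, so no regression test for CVE-2018-1000301 comes with this patch, unlike test340 in the CVE-2018-1000120 series. The function body continues outside both hunks.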
@@ -0,0 +1,275 @@ +From 71e1317a4b44d9d81ec99c46038ada32c0e51bc9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 22 Aug 2013 19:23:08 +0200 +Subject: [PATCH 1/2] tftpd: support "writedelay" within + +Upstream-commit: 06d1b10cbefaa7c54c73e09df746ae79b7f14e14 +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT | 4 +++ + tests/server/tftpd.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 84 insertions(+), 3 deletions(-) + +diff --git a/tests/FILEFORMAT b/tests/FILEFORMAT +index 702368f..4759668 100644 +--- a/tests/FILEFORMAT ++++ b/tests/FILEFORMAT +@@ -137,6 +137,10 @@ rtp: part [num] channel [num] size [num] + connection-monitor When used, this will log [DISCONNECT] to the server.input + log when the connection is disconnected. + ++ ++For TFTP: ++writedelay: [secs] delay this amount between reply packets (each packet being ++ 512 bytes payload) + + + +diff --git a/tests/server/tftpd.c b/tests/server/tftpd.c +index 48950c5..e2ec628 100644 +--- a/tests/server/tftpd.c ++++ b/tests/server/tftpd.c +@@ -107,8 +107,10 @@ struct testcase { + size_t bufsize; /* size of the data in buffer */ + char *rptr; /* read pointer into the buffer */ + size_t rcount; /* amount of data left to read of the file */ +- long num; /* test case number */ ++ long testno; /* test case number */ + int ofile; /* file descriptor for output file when uploading to us */ ++ ++ int writedelay; /* number of seconds between each packet */ + }; + + struct formats { +@@ -579,7 +581,7 @@ static ssize_t write_behind(struct testcase *test, int convert) + + if(!test->ofile) { + char outfile[256]; +- snprintf(outfile, sizeof(outfile), "log/upload.%ld", test->num); ++ snprintf(outfile, sizeof(outfile), "log/upload.%ld", test->testno); + test->ofile=open(outfile, O_CREAT|O_RDWR, 0777); + if(test->ofile == -1) { + logmsg("Couldn't create and/or open file %s for upload!", outfile); +@@ -1026,6 +1028,73 @@ again: + return 0; + } + ++/* Based on the testno, parse the correct 
server commands. */ ++static int parse_servercmd(struct testcase *req) ++{ ++ FILE *stream; ++ char *filename; ++ int error; ++ ++ filename = test2file(req->testno); ++ ++ stream=fopen(filename, "rb"); ++ if(!stream) { ++ error = errno; ++ logmsg("fopen() failed with error: %d %s", error, strerror(error)); ++ logmsg(" [1] Error opening file: %s", filename); ++ logmsg(" Couldn't open test file %ld", req->testno); ++ return 1; /* done */ ++ } ++ else { ++ char *orgcmd = NULL; ++ char *cmd = NULL; ++ size_t cmdsize = 0; ++ int num=0; ++ ++ /* get the custom server control "commands" */ ++ error = getpart(&orgcmd, &cmdsize, "reply", "servercmd", stream); ++ fclose(stream); ++ if(error) { ++ logmsg("getpart() failed with error: %d", error); ++ return 1; /* done */ ++ } ++ ++ cmd = orgcmd; ++ while(cmd && cmdsize) { ++ char *check; ++ if(1 == sscanf(cmd, "writedelay: %d", &num)) { ++ logmsg("instructed to delay %d secs between packets", num); ++ req->writedelay = num; ++ } ++ else { ++ logmsg("Unknown instruction found: %s", cmd); ++ } ++ /* try to deal with CRLF or just LF */ ++ check = strchr(cmd, '\r'); ++ if(!check) ++ check = strchr(cmd, '\n'); ++ ++ if(check) { ++ /* get to the letter following the newline */ ++ while((*check == '\r') || (*check == '\n')) ++ check++; ++ ++ if(!*check) ++ /* if we reached a zero, get out */ ++ break; ++ cmd = check; ++ } ++ else ++ break; ++ } ++ if(orgcmd) ++ free(orgcmd); ++ } ++ ++ return 0; /* OK! */ ++} ++ ++ + /* + * Validate file access. 
+ */ +@@ -1076,7 +1145,9 @@ static int validate_access(struct testcase *test, + + logmsg("requested test number %ld part %ld", testno, partno); + +- test->num = testno; ++ test->testno = testno; ++ ++ (void)parse_servercmd(test); + + file = test2file(testno); + +@@ -1147,6 +1218,12 @@ static void sendtftp(struct testcase *test, struct formats *pf) + #ifdef HAVE_SIGSETJMP + (void) sigsetjmp(timeoutbuf, 1); + #endif ++ if(test->writedelay) { ++ logmsg("Pausing %d seconds before %d bytes", test->writedelay, ++ size); ++ wait_ms(1000*test->writedelay); ++ } ++ + send_data: + if (swrite(peer, sdp, size + 4) != size + 4) { + logmsg("write"); +-- +2.14.4 + + +From fd692a86883109c1ab5b57b9b9ab19ae0ab15a1f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 22 Aug 2013 22:40:38 +0200 +Subject: [PATCH 2/2] TFTP: make the CURLOPT_LOW_SPEED* options work + +... this also makes sure that the progess callback gets called more +often during TFTP transfers. + +Added test 1238 to verify. + +Bug: http://curl.haxx.se/bug/view.cgi?id=1269 +Reported-by: Jo3 + +Upstream-commit: 4bea91fc677359f3dcedb05a431258b6cd5d98f3 +Signed-off-by: Kamil Dudka +--- + lib/tftp.c | 10 ++++++++++ + tests/data/Makefile.am | 2 +- + tests/data/test1238 | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 60 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test1238 + +diff --git a/lib/tftp.c b/lib/tftp.c +index ef740b8..79b4f41 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -56,6 +56,7 @@ + #include "multiif.h" + #include "url.h" + #include "rawstr.h" ++#include "speedcheck.h" + + #define _MPRINTF_REPLACE /* use our functions only */ + #include +@@ -1259,6 +1260,15 @@ static CURLcode tftp_doing(struct connectdata *conn, bool *dophase_done) + if(*dophase_done) { + DEBUGF(infof(conn->data, "DO phase is complete\n")); + } ++ else { ++ /* The multi code doesn't have this logic for the DOING state so we ++ provide it for TFTP since it may do the entire transfer in this ++ 
state. */ ++ if(Curl_pgrsUpdate(conn)) ++ result = CURLE_ABORTED_BY_CALLBACK; ++ else ++ result = Curl_speedcheck(conn->data, Curl_tvnow()); ++ } + return result; + } + +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index 677564b..9d9b9ea 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -81,7 +81,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ + test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ + test1208 test1209 test1210 test1211 test1213 test1214 test1216 test1218 \ +-test1220 test1221 test1222 test1223 test1233 test1236 \ ++test1220 test1221 test1222 test1223 test1233 test1236 test1238 \ + test1300 test1301 test1302 test1303 test1304 test1305 \ + test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ + test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \ +diff --git a/tests/data/test1238 b/tests/data/test1238 +new file mode 100644 +index 0000000..1859339 +--- /dev/null ++++ b/tests/data/test1238 +@@ -0,0 +1,49 @@ ++ ++ ++ ++TFTP ++TFTP RRQ ++ ++ ++ ++# ++# Server-side ++ ++ ++writedelay: 2 ++ ++# ~1200 bytes (so that they don't fit in two 512 byte chunks) ++ 
++012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 ++ ++ ++ ++# ++# Client-side ++ ++ ++tftp ++ ++ ++slow TFTP retrieve cancel due to -Y and -y ++ ++# if less than 1000 bytes/sec within 2 seconds, abort! ++ ++tftp://%HOSTIP:%TFTPPORT//1238 -Y1000 -y2 ++ ++ ++ ++# ++# Verify pseudo protocol after the test has been "shot" ++ ++ ++opcode: 1 ++filename: /1238 ++mode: octet ++ ++# 28 = CURLE_OPERATION_TIMEDOUT ++ ++28 ++ ++ ++ +-- +2.14.4 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 8aa74bc..5bab6fa 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.29.0 -Release: 46%{?dist} +Release: 51%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma 
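Review bot: In the lib/tftp.c hunk of patch 2/2 the new `else` branch assigns `result` unconditionally, so an error already stored in `result` by the code before the hunk would be replaced by the outcome of `Curl_pgrsUpdate()` or `Curl_speedcheck()` whenever `*dophase_done` is false. Guarding the branch with `else if(!result) {` keeps the earlier error; this is the same class of problem that patch 2/3 of the CVE-2018-1000120 series fixes in `ftp_done`. The start of `tftp_doing` is outside the hunk, so how `result` is set before this point is inferred. Separately, `parse_servercmd` in tests/server/tftpd.c stores the `writedelay` value read by `sscanf` without a range check before it is multiplied by 1000 for `wait_ms`.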
@@ -175,6 +175,33 @@ Patch55: 0055-curl-7.29.0-CVE-2017-1000257.patch # reset authentication state when HTTP transfer is done (#1511523) Patch56: 0056-curl-7.29.0-0afbcfd8.patch +# make NSS deallocate PKCS #11 objects early enough (#1510247) +Patch57: 0057-curl-7.29.0-nss-obj-leak.patch + +# update certificates in the test-suite because they expire soon (#1572723) +Patch58: 0058-curl-7.29.0-test-certs.patch + +# doc: --tlsauthtype works only if built with TLS-SRP support (#1542256) +Patch59: 0059-curl-7.29.0-tlsauthtype-doc.patch + +# http: prevent custom Authorization headers in redirects (CVE-2018-1000007) +Patch60: 0060-curl-7.29.0-CVE-2018-1000007.patch + +# fix RTSP RTP buffer over-read (CVE-2018-1000122) +Patch61: 0061-curl-7.29.0-CVE-2018-1000122.patch + +# fix LDAP NULL pointer dereference (CVE-2018-1000121) +Patch62: 0062-curl-7.29.0-CVE-2018-1000121.patch + +# fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) +Patch63: 0063-curl-7.29.0-CVE-2018-1000120.patch + +# fix RTSP bad headers buffer over-read (CVE-2018-1000301) +Patch64: 0064-curl-7.29.0-CVE-2018-1000301.patch + +# make curl --speed-limit work with TFTP (#1584750) +Patch65: 0065-curl-7.29.0-tftp-speed-limit.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.29.0-multilib.patch @@ -255,6 +282,9 @@ Summary: A library for getting files from web servers Group: Development/Libraries Requires: libssh2%{?_isa} >= %{libssh2_version} +# require a new enough version of nss-pem to avoid regression in yum (#1610998) +Requires: nss-pem%{?_isa} >= 1.0.3-5 + %description -n libcurl libcurl is a free and easy-to-use client-side URL transfer library, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, 
@@ -358,6 +388,15 @@ documentation of the library, too. %patch54 -p1 %patch55 -p1 %patch56 -p1 +%patch57 -p1 +%patch58 -p1 +%patch59 -p1 +%patch60 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 +%patch64 -p1 +%patch65 -p1 # regenerate Makefile.in files aclocal -I m4 @@ -473,6 +512,28 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Wed Aug 08 2018 Kamil Dudka - 7.29.0-51 +- require a new enough version of nss-pem to avoid regression in yum (#1610998) + +* Thu Jun 07 2018 Kamil Dudka - 7.29.0-50 +- remove dead code, detected by Coverity Analysis +- remove unused variable, detected by GCC and Clang + +* Wed Jun 06 2018 Kamil Dudka - 7.29.0-49 +- make curl --speed-limit work with TFTP (#1584750) + +* Wed May 30 2018 Kamil Dudka - 7.29.0-48 +- fix RTSP bad headers buffer over-read (CVE-2018-1000301) +- fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) +- fix LDAP NULL pointer dereference (CVE-2018-1000121) +- fix RTSP RTP buffer over-read (CVE-2018-1000122) +- http: prevent custom Authorization headers in redirects (CVE-2018-1000007) +- doc: --tlsauthtype works only if built with TLS-SRP support (#1542256) +- update certificates in the test-suite because they expire soon (#1572723) + +* Fri Mar 02 2018 Kamil Dudka - 7.29.0-47 +- make NSS deallocate PKCS #11 objects early enough (#1510247) + * Mon Dec 11 2017 Kamil Dudka - 7.29.0-46 - reset authentication state when HTTP transfer is done (#1511523)