add mtls support on dnstap, tcp client

dnsutils/config.go

@@ -316,6 +316,9 @@ type Config struct {
 			TlsSupport        bool   `yaml:"tls-support"`
 			TlsInsecure       bool   `yaml:"tls-insecure"`
 			TlsMinVersion     string `yaml:"tls-min-version"`
+			CAFile            string `yaml:"ca-file"`
+			CertFile          string `yaml:"cert-file"`
+			KeyFile           string `yaml:"key-file"`
 			ServerId          string `yaml:"server-id"`
 			OverwriteIdentity bool   `yaml:"overwrite-identity"`
 			BufferSize        int    `yaml:"buffer-size"`
@@ -331,6 +334,9 @@ type Config struct {
 			TlsSupport        bool   `yaml:"tls-support"`
 			TlsInsecure       bool   `yaml:"tls-insecure"`
 			TlsMinVersion     string `yaml:"tls-min-version"`
+			CAFile            string `yaml:"ca-file"`
+			CertFile          string `yaml:"cert-file"`
+			KeyFile           string `yaml:"key-file"`
 			Mode              string `yaml:"mode"`
 			TextFormat        string `yaml:"text-format"`
 			PayloadDelimiter  string `yaml:"delimiter"`
@@ -594,6 +600,9 @@ func (c *Config) SetDefault() {
 	c.Loggers.Dnstap.TlsSupport = false
 	c.Loggers.Dnstap.TlsInsecure = false
 	c.Loggers.Dnstap.TlsMinVersion = TLS_v12
+	c.Loggers.Dnstap.CAFile = ""
+	c.Loggers.Dnstap.CertFile = ""
+	c.Loggers.Dnstap.KeyFile = ""
 	c.Loggers.Dnstap.ServerId = ""
 	c.Loggers.Dnstap.OverwriteIdentity = false
 	c.Loggers.Dnstap.BufferSize = 100
@@ -650,6 +659,9 @@ func (c *Config) SetDefault() {
 	c.Loggers.TcpClient.TlsSupport = false
 	c.Loggers.TcpClient.TlsInsecure = false
 	c.Loggers.TcpClient.TlsMinVersion = TLS_v12
+	c.Loggers.TcpClient.CAFile = ""
+	c.Loggers.TcpClient.CertFile = ""
+	c.Loggers.TcpClient.KeyFile = ""
 	c.Loggers.TcpClient.Mode = MODE_JSON
 	c.Loggers.TcpClient.TextFormat = ""
 	c.Loggers.TcpClient.PayloadDelimiter = "\n"

dnsutils/tls_config_test.go

@@ -0,0 +1,26 @@
+package dnsutils
+
+import (
+	"crypto/tls"
+	"reflect"
+	"testing"
+)
+
+func TestConfigClientTLSNoVerify(t *testing.T) {
+	tlsConfig, err := TlsClientConfig(TlsOptions{InsecureSkipVerify: true})
+
+	if err != nil || tlsConfig == nil {
+		t.Fatal("Unable to configure client TLS", err)
+	}
+
+	if !reflect.DeepEqual(tlsConfig.CipherSuites, clientCipherSuites) {
+		t.Fatal("Unexpected client cipher suites")
+	}
+	if tlsConfig.MinVersion != tls.VersionTLS12 {
+		t.Fatal("Unexpected client TLS version")
+	}
+
+	if tlsConfig.Certificates != nil {
+		t.Fatal("Somehow client certificates were set")
+	}
+}

docs/loggers/logger_dnstap.md

@@ -16,6 +16,9 @@ Options:
 * `tls-support`: (boolean) enable tls
 * `tls-insecure`: (boolean) insecure skip verify
 * `tls-min-version`: (string) min tls version, default to 1.2
+* `ca-file`: (string) provide CA file to verify the server certificate
+* `cert-file`: (string) provide client certificate file for mTLS
+* `key-file`: (string) provide client private key file for mTLS
 * `server-id`: (string) server identity
 * `overwrite-identity`: (boolean) overwrite original identity
 * `buffer-size`: (integer) how many DNS messages will be buffered before being sent
@@ -34,6 +37,9 @@ dnstap:
   tls-support: false
   tls-insecure: false
   tls-min-version: 1.2
+  ca-file: ""
+  cert-file: ""
+  key-file: ""
   server-id: "dnscollector"
   overwrite-identity: false
   buffer-size: 100

docs/loggers/logger_tcp.md

@@ -20,6 +20,9 @@ Options:
 * `tls-support`: (boolean) enable tls
 * `tls-insecure`: (boolean) insecure skip verify
 * `tls-min-version`: (string) min tls version, default to 1.2
+* `ca-file`: (string) provide CA file to verify the server certificate
+* `cert-file`: (string) provide client certificate file for mTLS
+* `key-file`: (string) provide client private key file for mTLS
 * `mode`: (string) output format: text, json, or flat-json
 * `text-format`: (string) output text format, please refer to the default text format to see all available directives, use this parameter if you want a specific format
 * `buffer-size`: (integer) how many DNS messages will be buffered before being sent
@@ -39,6 +42,9 @@ tcpclient:
   tls-support: false
   tls-insecure: false
   tls-min-version: 1.2
+  ca-file: ""
+  cert-file: ""
+  key-file: ""
   mode: json
   text-format: ""
   buffer-size: 100

loggers/dnstapclient.go

@@ -133,21 +133,27 @@ func (o *DnstapSender) ConnectToRemote() {
 			o.transportConn = nil
 		}
 
-		o.LogInfo("connecting to %s", address)
 		var conn net.Conn
 		var err error
+		var tlsConfig *tls.Config
 		if o.config.Loggers.Dnstap.TlsSupport {
-			tlsConfig := &tls.Config{
-				InsecureSkipVerify: false,
-				MinVersion:         tls.VersionTLS12,
+			o.LogInfo("connecting to tls://%s", transport, address)
+
+			tlsOptions := dnsutils.TlsOptions{
+				InsecureSkipVerify: o.config.Loggers.Dnstap.TlsInsecure,
+				MinVersion:         o.config.Loggers.Dnstap.TlsMinVersion,
+				CAFile:             o.config.Loggers.Dnstap.CAFile,
+				CertFile:           o.config.Loggers.Dnstap.CertFile,
+				KeyFile:            o.config.Loggers.Dnstap.KeyFile,
 			}
-			tlsConfig.InsecureSkipVerify = o.config.Loggers.Dnstap.TlsInsecure
-			tlsConfig.MinVersion = dnsutils.TLS_VERSION[o.config.Loggers.Dnstap.TlsMinVersion]
 
-			dialer := &net.Dialer{Timeout: connTimeout}
-			conn, err = tls.DialWithDialer(dialer, transport, address, tlsConfig)
+			tlsConfig, err = dnsutils.TlsClientConfig(tlsOptions)
+			if err == nil {
+				dialer := &net.Dialer{Timeout: connTimeout}
+				conn, err = tls.DialWithDialer(dialer, transport, address, tlsConfig)
+			}
 		} else {
-
+			o.LogInfo("connecting to %s://%s", transport, address)
 			conn, err = net.DialTimeout(transport, address, connTimeout)
 		}
 

loggers/statsd.go

@@ -305,10 +305,10 @@ PROCESS_LOOP:
 			address := o.config.Loggers.Statsd.RemoteAddress + ":" + strconv.Itoa(o.config.Loggers.Statsd.RemotePort)
 
 			// make the connection
-			o.LogInfo("dial to %s", address)
 			var conn net.Conn
 			var err error
 			if o.config.Loggers.Statsd.TlsSupport {
+				o.LogInfo("dial to tls://%s", address)
 				tlsConfig := &tls.Config{
 					MinVersion:         tls.VersionTLS12,
 					InsecureSkipVerify: false,
@@ -318,6 +318,7 @@ PROCESS_LOOP:
 
 				conn, err = tls.Dial(o.config.Loggers.Statsd.Transport, address, tlsConfig)
 			} else {
+				o.LogInfo("dial to %s://%s", o.config.Loggers.Statsd.Transport, address)
 				conn, err = net.Dial(o.config.Loggers.Statsd.Transport, address)
 			}
 

loggers/tcpclient.go

@@ -122,20 +122,27 @@ func (o *TcpClient) ConnectToRemote() {
 		}
 
 		// make the connection
-		o.LogInfo("connecting to %s", address)
 		var conn net.Conn
 		var err error
+		var tlsConfig *tls.Config
 		if o.config.Loggers.TcpClient.TlsSupport {
-			tlsConfig := &tls.Config{
-				MinVersion:         tls.VersionTLS12,
-				InsecureSkipVerify: false,
+			o.LogInfo("connecting to tls://%s", address)
+
+			tlsOptions := dnsutils.TlsOptions{
+				InsecureSkipVerify: o.config.Loggers.TcpClient.TlsInsecure,
+				MinVersion:         o.config.Loggers.TcpClient.TlsMinVersion,
+				CAFile:             o.config.Loggers.TcpClient.CAFile,
+				CertFile:           o.config.Loggers.TcpClient.CertFile,
+				KeyFile:            o.config.Loggers.TcpClient.KeyFile,
 			}
-			tlsConfig.InsecureSkipVerify = o.config.Loggers.TcpClient.TlsInsecure
-			tlsConfig.MinVersion = dnsutils.TLS_VERSION[o.config.Loggers.TcpClient.TlsMinVersion]
 
-			dialer := &net.Dialer{Timeout: connTimeout}
-			conn, err = tls.DialWithDialer(dialer, o.config.Loggers.TcpClient.Transport, address, tlsConfig)
+			tlsConfig, err = dnsutils.TlsClientConfig(tlsOptions)
+			if err == nil {
+				dialer := &net.Dialer{Timeout: connTimeout}
+				conn, err = tls.DialWithDialer(dialer, o.config.Loggers.TcpClient.Transport, address, tlsConfig)
+			}
 		} else {
+			o.LogInfo("connecting to tcp://%s", address)
 			conn, err = net.DialTimeout(o.config.Loggers.TcpClient.Transport, address, connTimeout)
 		}
 

testsdata/certs/ca.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyzCCArMCFFAqleYbCESdNX1TxODvs9no/qhDMA0GCSqGSIb3DQEBCwUAMIGh
+MQswCQYDVQQGEwJGUjESMBAGA1UECAwJTm9ybWFuZGllMQ0wCwYDVQQHDARDYWVu
+MRUwEwYDVQQKDAxETlNjb2xsZWN0b3IxDDAKBgNVBAsMA0ROUzEjMCEGA1UEAwwa
+dHJ1c3RlZGNhLmRuc2NvbGxlY3Rvci5kZXYxJTAjBgkqhkiG9w0BCQEWFmFkbWlu
+QGRuc2NvbGxlY3Rvci5kZXYwHhcNMjMxMTAxMTkyMjMwWhcNMzMxMDI5MTkyMjMw
+WjCBoTELMAkGA1UEBhMCRlIxEjAQBgNVBAgMCU5vcm1hbmRpZTENMAsGA1UEBwwE
+Q2FlbjEVMBMGA1UECgwMRE5TY29sbGVjdG9yMQwwCgYDVQQLDANETlMxIzAhBgNV
+BAMMGnRydXN0ZWRjYS5kbnNjb2xsZWN0b3IuZGV2MSUwIwYJKoZIhvcNAQkBFhZh
+ZG1pbkBkbnNjb2xsZWN0b3IuZGV2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA+k/41ckZ3HOSMlCRBnTyHmcPjZ0EjMOJMQz6drLPCN9yobemxGsbhJ4R
+DDmt+WeGnbk+GLyOaFyLwICH3BKvO1f7czQvCBoxnzVQqQjKOAT2gjblrA/OlfnU
+fp0np/MkRbp+1wGYqSjTP6TtUVpy4GckpyaaH+ReV7vDSMlPAwI7ni61EPtQyUop
+6BpqrKaoJo51BxrqaoQlvY2Hy794Pj3sgMNUcEVnrp8J19pd+rWmrMX82mgRpLyh
+koDndphZEdVCB2S6441UGWsSux9FC9tTOr15aXmJ/5DUBCl12Uz2VWzMKVyYo2nh
+/oUppZV02TZjqvVMqJDgntl6/JzFlwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBh
+8XfMwVqqqkfowIcVqiAyblEnAR0ERbjJeutZPXC6yFjkF0WddLEwxSoFK6dRFfxC
+BHR8h8vNF1kyBW51qy3gMdSwZBHiTaEjXxoIA0QilEHY9hPPVp0JP/5QbLMM9dlp
+NAAv519mclzZPUdF1IYQtnx8PcX1idg9a3OTjXVcdrrbo7NR5nsB4ls+JDe9EZBE
+T03Zu0LyoUkRZhSxbc4Vr+QirtBVlyu4Alh+6SSg7UwOk5LpqYwVNIGnFUPLMBvO
+LuZcIK7YuxKIgumFeF7jDSdc48UF+dRw73QLpkhR8eXlHSehrZA0cjPIOkUKXoY3
+PDv/yyR2yPDAAlvkXADg
+-----END CERTIFICATE-----

testsdata/certs/ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD6T/jVyRncc5Iy
+UJEGdPIeZw+NnQSMw4kxDPp2ss8I33Kht6bEaxuEnhEMOa35Z4aduT4YvI5oXIvA
+gIfcEq87V/tzNC8IGjGfNVCpCMo4BPaCNuWsD86V+dR+nSen8yRFun7XAZipKNM/
+pO1RWnLgZySnJpof5F5Xu8NIyU8DAjueLrUQ+1DJSinoGmqspqgmjnUHGupqhCW9
+jYfLv3g+PeyAw1RwRWeunwnX2l36taasxfzaaBGkvKGSgOd2mFkR1UIHZLrjjVQZ
+axK7H0UL21M6vXlpeYn/kNQEKXXZTPZVbMwpXJijaeH+hSmllXTZNmOq9UyokOCe
+2Xr8nMWXAgMBAAECggEAI4HRof3fYcKxI9sC34AaUk67SZLS8ObR4LffFZRiwvbz
+a1ZCXU12P1cuwuWxtJXHZjs/QEILD2nFVz7ERucNnWTrIdnuq/8PN+7XrMq26MBn
+eWwxIzmwy9x/FKDVXcEjTZLZaEVtMt28LaSHF4m1jviCngVfSpPaACb92ibYQuw3
+2EJK3RqxrAfT44VUg8gdJxq4cv6f2Kx/fhqjRnRvkv6URogqisa5Vbf0mQYA7KM7
+afGPJZOMYenTH4V889aT7yuzX2X9Ujroel1yV5DY2FlI1ojYnaOW6mTomqCUkfrk
+uptQ2qBVOOdRbnTTukFYz1aNhzRfzQBq/FyfF2bWZQKBgQD+X2/g7HOSjVDgwiND
+EriGQsh8ZjfvCJdLfW8nkIoOzb401n+NdvNITA9wRGFS/5WLdYecQeU8ZyVzGHBh
+GFxpDGSzx2xjVUGODFcxBcxs5LGuyMRAqQEDk/p4tlAzX1SPqESgOb62CyXfV2b+
+QQrZNi/sTC5aHkPEXdFC2LgI9QKBgQD76eK4WMDHZeKuDIddw5OllKKAczNI8lzC
+Yvoq8bS3O+0S/UN8bqLKNsFEtPSQCXtV9jAKrQHV/DKZyy+rk2FTXmimuk7fK7TS
+jypqSu2iN0S00jKFxh/B3B+FDLDCvkcHJlHPHAr960MGCEahYze0jYzL8ZvBTpuz
+twa4RTcs2wKBgQDq2nqVFDpwaIDvws6DstkjPK2WDVo/G5N0Y08pHE4a9OJULmZ9
+2gEsEu1+HeQtmUQdClo2brCTYDg3V60KOE+5vXOMeOcdny1zVPl7jXr8XvmeAkcP
+2/nPr+RlZw4NIEsWh6k0tZvav9grqKqyvKKjgWAlrwBsu9ydhHEcYrMnsQKBgQC3
+q4yhShyshW2j5wCfbaRt+pQMwXGoAwV8uTubKgXP/0JYMQ4OYIASnZ+GX8Vca31g
+bJIUhpWrFikylsGYAGnaph/5SCePccdyKe4L97uRJWjTydoKTS0EZGEa2eja5G7X
+GKpXLiQZhHmmoUwWCUgpPXdljzA33f+KJa0hl12mNwKBgBAeytz9bzWrK5QqXr0g
+lss6GDI7tK+VeCi2a5IDOE4Mgvl5dX79fxhvgjtT1oc4K4JN8oFA4+Y/P/khZ3jv
+JCXMcgGC8YJ2cD2A7rBwG09ORfLLgY5Jha1+wGfNu4dWtugNovflNHyKUDPnnVfD
+ruzFSUNgmN8ilg0mvSif9iR9
+-----END PRIVATE KEY-----

testsdata/certs/client.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArACFHLjKhuNZEN5cgVU/TJvmZb64xYPMA0GCSqGSIb3DQEBCwUAMIGh
+MQswCQYDVQQGEwJGUjESMBAGA1UECAwJTm9ybWFuZGllMQ0wCwYDVQQHDARDYWVu
+MRUwEwYDVQQKDAxETlNjb2xsZWN0b3IxDDAKBgNVBAsMA0ROUzEjMCEGA1UEAwwa
+dHJ1c3RlZGNhLmRuc2NvbGxlY3Rvci5kZXYxJTAjBgkqhkiG9w0BCQEWFmFkbWlu
+QGRuc2NvbGxlY3Rvci5kZXYwHhcNMjMxMTAxMTkyNDQxWhcNMzMxMDI5MTkyNDQx
+WjCBnjELMAkGA1UEBhMCRlIxEjAQBgNVBAgMCU5vcm1hbmRpZTENMAsGA1UEBwwE
+Q2FlbjEVMBMGA1UECgwMRE5TY29sbGVjdG9yMQwwCgYDVQQLDANETlMxIDAeBgNV
+BAMMF2NsaWVudC5kbnNjb2xsZWN0b3IuZGV2MSUwIwYJKoZIhvcNAQkBFhZhZG1p
+bkBkbnNjb2xsZWN0b3IuZGV2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEArCyiT2D6R1OZylhk/JCZ+9Zfl+lzpIASTxGDAKG1nVns2AdPgD0GlmSn76KG
+l4yAR83qovkJQT56YGjaJqXEs7336DPCyGqLUtzjh2QWcdaLV3RmvkQTWbi4mp85
+cw+TUVK0fQpfvh/hZU2V2OI3+4oS8tUZTUldPfibiGNBzPx2Gq8nqxGxh2+7IBfC
+EcmfA/5JbUENI8A8G0HaIzPOv30uHGlwN5PZTr2H6lbHOpB++J7k889WdIs3hgRv
+EZEgSFhvCrsrRX29Mz3xyyy8X94hHJV85GYIz9wfZlbjDKNb8jplDTxWoboyg9cw
+6eboFZ0PsFcxQaSdJPZHGJFjHwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDjSn0P
+pbz+Ck/e/otHwKE0G55QIOdGBcXkhAL3YXZBG28rGwtTZLUlWU11xd0ViXvATulW
+yUf2OxTtqtxz6ZWh1IaGCj4icZgocfDLe6yLMZnm3FAw5fipiWtMWnLoe0VjUgjl
+XtdDe7hdi/Pa4Zz2jn2GebjYLzLGEmuklUioVB/hzm5/CgIeK9OdTGLNvBtcxL+E
+F2hx0hihCbaG6R53SuEInhaLFBVr9LZ10WCDv9fdoSNwf8czCZq54/Cq+VGiKTgh
++DS5M5hSBxuo3bJvOUxV5GKUAJClE1xZQetz1RCo2VqWNbmtPslzeXJ1ZvL6Ey3J
+co948SGcsrpi1qRn
+-----END CERTIFICATE-----

testsdata/certs/client.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsLKJPYPpHU5nK
+WGT8kJn71l+X6XOkgBJPEYMAobWdWezYB0+APQaWZKfvooaXjIBHzeqi+QlBPnpg
+aNompcSzvffoM8LIaotS3OOHZBZx1otXdGa+RBNZuLianzlzD5NRUrR9Cl++H+Fl
+TZXY4jf7ihLy1RlNSV09+JuIY0HM/HYaryerEbGHb7sgF8IRyZ8D/kltQQ0jwDwb
+QdojM86/fS4caXA3k9lOvYfqVsc6kH74nuTzz1Z0izeGBG8RkSBIWG8KuytFfb0z
+PfHLLLxf3iEclXzkZgjP3B9mVuMMo1vyOmUNPFahujKD1zDp5ugVnQ+wVzFBpJ0k
+9kcYkWMfAgMBAAECggEAC+MoW7GsO14kHp/cF8IGF6iqlfWk1IU707YM+kSv94q8
+uwJE32uXN61Vw5+likjFl0Tk1SwQ6FkfdZDtCuu5Y9g9tGGqf6WM3q495Ab+3mI7
+4aW5mEZhTaRe09zNcx/EAe04upoLl+K3Ra7F0KEh0LNXm+jRo+U+U6farop9LGFe
+6bgdesWvq2VrCM4eSPb4E1xoEjX1VwgyEE4vAcdMAowbSQBXVVFAmDVrCdyQR17E
+5FC/MuIL9Du8obtYWgFcgRKI/pX5q53QwW4rGUJXGQrKiyFK7zUUwnj469R+Hmiv
+GJcqKUBW7ndVrFwUO64LnQCQQBo9AGSdVyOES7YbNQKBgQDVG5hIvzaaqyL+WuzS
+tW7TQyDYzYLE82itWVJ5lzg54yLw+PMltwZr5GJaFHFfFpIv5WLYMyHpd8Y1rbJ2
+US2HDFVLeWs3s45J4aoATmDBFkk1d4xtXrBPIE9TWoh8pI4vxbvsNYuNX1e9WmcN
+SRn9NyIYW/KJQg0s4m4ym3MbKwKBgQDO0/BIn1ErCO8M45QWSk1AwQ36JVQc7VWZ
+r6zTRunpyoifT9IKGXluunVl1KLfxpUldU1om2EpAQyVllplmqPvZR9Wr+5yJ7kP
+Kf9VZ+7Schs4HzZpoUyu5TpmLnuyf5K8GUfq+zYUc4Z1+KLFIWSVOmhM5uPCX+NN
+1mcb5ZVN3QKBgQCW+wDt8UKfW8XkDMkiE1acKD/6Ocd+/7BWuCS9bkxwfqJ/tPCW
+9M+A2wJvLXKQ2q3hbxOTds582NW9q/z25FZsCmnXmgNDKFwTreRCaUUVJ1PgpH0B
+84bX2F07AbYXEIKICAA2vkzLcRP5XDYMbJEUG951AZeYdQpelWFbS1TGlwKBgESh
+mWNP0oxYO5LoVbSL1VS+exfdmSq8KqKD4/J73pTgyzMqNoV5bI0svFYdGCrvZ4B1
+i0lB/hywJ2/f44FBrlJ7GMoYOSSSP9tjUUIS6fHVQWj/Gnw0tRB4KkfL9uoFYTif
+nvi/gXOJ3j15UvHdIdZO+ltCZqOSVAf5NF/ScBfVAoGAT8t1ELlsr2IJWgbm6k3Q
+7Wgxl0rCBJiNEhC+oCU7dexDo5jYHTZ9fSiOF54xxYfFOrEsyZYUjXM3QHi4suKr
+titzjWtCLyxvNd6+aLfM0PhOsSJJd5WGiPYnvvwOAASmYiKOgDQr98z0xt/ODjBs
+DlU9acy42t8I9ijJvLLap0A=
+-----END PRIVATE KEY-----

testsdata/certs/server.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE9zCCA9+gAwIBAgIUbNgGGY1YBPyELmFO3mDgbyFAAqcwDQYJKoZIhvcNAQEL
+BQAwgaExCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlOb3JtYW5kaWUxDTALBgNVBAcM
+BENhZW4xFTATBgNVBAoMDEROU2NvbGxlY3RvcjEMMAoGA1UECwwDRE5TMSMwIQYD
+VQQDDBp0cnVzdGVkY2EuZG5zY29sbGVjdG9yLmRldjElMCMGCSqGSIb3DQEJARYW
+YWRtaW5AZG5zY29sbGVjdG9yLmRldjAeFw0yMzExMDExOTIzMzJaFw0zMzEwMjkx
+OTIzMzJaMIGeMQswCQYDVQQGEwJGUjESMBAGA1UECAwJTm9ybWFuZGllMQ0wCwYD
+VQQHDARDYWVuMRUwEwYDVQQKDAxETlNjb2xsZWN0b3IxDDAKBgNVBAsMA0ROUzEg
+MB4GA1UEAwwXc2VydmVyLmRuc2NvbGxlY3Rvci5kZXYxJTAjBgkqhkiG9w0BCQEW
+FmFkbWluQGRuc2NvbGxlY3Rvci5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDPODZnJo36ImVa/Dt1CPuhm38qQZlX/8mg10JrE49YkcvTExDb6/2t
+q9dzjUiG9+K+1buBTAYXFr1kO1NRLkWDNpdALqN5YVo1TTxUPKGTrRt0MXo1qJaK
+LLuRnDKrC2C2cBvrA9HlaGTb0nx0Zmna7h4r8TKAL5W8k5dUnlmpsc6KOEr2hsXr
+unMNVleHvnBYIxapET+olGS8fl5j7xAyqFz0Rc887YfsrNu+r845A6THthKzRFgN
+6uBCBetVBx0uSVs2HB4djJLYw8DQXGQkMo6kyMLd+I/ikXfXi1ZThFnJsRYyJ39o
+6s19H7QCZ5EgmjFzMCzY7/laL5nyGW5TAgMBAAGjggEmMIIBIjAzBgNVHREELDAq
+ghdzZXJ2ZXIuZG5zY29sbGVjdG9yLmRldoIJbG9jYWxob3N0hwR/AAABMB0GA1Ud
+DgQWBBRgZkplOUkohcgQirVFGjYd+NGoxjCBywYDVR0jBIHDMIHAoYGnpIGkMIGh
+MQswCQYDVQQGEwJGUjESMBAGA1UECAwJTm9ybWFuZGllMQ0wCwYDVQQHDARDYWVu
+MRUwEwYDVQQKDAxETlNjb2xsZWN0b3IxDDAKBgNVBAsMA0ROUzEjMCEGA1UEAwwa
+dHJ1c3RlZGNhLmRuc2NvbGxlY3Rvci5kZXYxJTAjBgkqhkiG9w0BCQEWFmFkbWlu
+QGRuc2NvbGxlY3Rvci5kZXaCFFAqleYbCESdNX1TxODvs9no/qhDMA0GCSqGSIb3
+DQEBCwUAA4IBAQBckWnazPMbdgU4F2Vk7BY2wFbj+rRDsmGbmcQNf55FvDAbD+E7
+yLi+Go7WfDt8Lt3bWa/wp596op1SmiGAfhcEWR7ij0+C1yVxFCkizcCVxgNNOVTr
+Aif2xM3JNz4SdrRO9+rcZRWuV62FEts/927RvjUSPJcBZdHyK7KCQLhlBjILsBVK
+440n5/GHl2podrbS+XXZVpeixTTVGQXzPEUk8o2rhV59urXIpwgs9Brf2y2o83i2
+Nn6QjJd0D2atDWskN2Zpx7yh3Zq+7lKxZ6o5xORgoek5uzwKog1xpGOvT+BMEzKi
+WXLzl3FIWZfOJKtOz/cmqW2Jbcrs6E8t02G1
+-----END CERTIFICATE-----

testsdata/certs/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPODZnJo36ImVa
+/Dt1CPuhm38qQZlX/8mg10JrE49YkcvTExDb6/2tq9dzjUiG9+K+1buBTAYXFr1k
+O1NRLkWDNpdALqN5YVo1TTxUPKGTrRt0MXo1qJaKLLuRnDKrC2C2cBvrA9HlaGTb
+0nx0Zmna7h4r8TKAL5W8k5dUnlmpsc6KOEr2hsXrunMNVleHvnBYIxapET+olGS8
+fl5j7xAyqFz0Rc887YfsrNu+r845A6THthKzRFgN6uBCBetVBx0uSVs2HB4djJLY
+w8DQXGQkMo6kyMLd+I/ikXfXi1ZThFnJsRYyJ39o6s19H7QCZ5EgmjFzMCzY7/la
+L5nyGW5TAgMBAAECggEAFziFYCnB3zXbhcaeIw9Oo115cpLHTEUtowh8OOOIPLSZ
+0p1gVkSruLp4+knqxrUgg6IP0P1j8VJrBsBfJcm5oGqNqHORfhiasz5kdEwXDyVm
+3i5tM3Yg6Hr6yeZnByPPQqJtfnh/HOYF51w+9gxD8HSejO4KarLqZKdlXeYgxhMj
+IfSJawZnCRpoHjeUj3tzpsltfp8P01cmzX6kuRe9dOTNiDvaDvr0EOhVPfNd/7od
+JHMlaWAk+Z7C6j82wWO49FT1RpB00A3kz4ZNjr+MYYkX6A6CfG/VCYD3fmm1ROq+
+UpRduq52yJ2U9m+81d8omyZN6yM6uVg5xYMHz2ZLgQKBgQDjHbmGeIVtwUw46nVT
+ShzRDOPgB3VxyWqk2QhgzjSqsVyciprz8hL3BZ5+SHisjOjyZc5dqa+5dergMOTw
+XhkG+4GhGTZ9n/pTXJnwIP7HkPXcQMRlGSYr7sffSDyK61+SqYbm6+P13qTYOK6I
+6AvPRzWQTouKG9t0kLu/pl1b7QKBgQDpkrYk/tkdnvJeFp6Mo7I+ulZ9LtXc2Mjo
+cO9/0zPBFz9lmvqIXsHrZlhUUambtU2PS5XvKbxGsGj5nilPuBk6umHibQLKTYMF
+A04ra2xIUcqXBYlMGPV576yPGZV/mlbcabElRLkrCUjUx1iDllCn1YbklCZiKS2C
+E74f7YsrPwKBgBSj6uxxn46t9oNlq2v6XEwTY9JEW0QQDgUVRFGn69lnbQc9AYAS
+C+8vL4xCgdUMqU7+OZcBiNrOAJ6HUwcVRikASnOdmvonw9Q3ojXUidMRNYbiy/Z0
+Jqfvd3KvWfE2GuV1SrFJ1tnNdiXAYPxIOmqICjInMT9H8NXTIXz1XZ6xAoGBALSM
+TrWsNWIbMlgeffJSuv6YBTEA2hm7jRl36vnQ5UmV0dCViqGNNbLjytVqxoNxEwH4
+OG7FwR6XUJ3bby2LLh1iYzWmdCiy39spIeyYPfxtFP/GLMog5Oebp7R530Diqc/4
+9xDK3aNxqtWnPjmBINmLSZk5F657DA1ne2issw37AoGBAMeCoGcmwEtfI/W2CcYU
+t8xgAEt8XMDwQ/nu5JnV+8hGCaZDjuZVfnivRUYb1MAV0mcFhpGqLcX8vTJlbyFS
++1yAFseX8FQY3F/gsP/CT2qWV17LeYaQF3GLgjOx3zzyhOBxE08YY34EF6gURj6M
+KpvBpSfRAPM9IKW0FlJWDnyY
+-----END PRIVATE KEY-----