authorJose <jose@zeroc.com>2017-02-22 10:49:10 +0100
committerJose <jose@zeroc.com>2017-02-22 10:49:10 +0100
commitc5b5faca606e38ecaa7049f54641f1587c1517c8 (patch)
treecf5b56fdf1cd547d8acefbe9bd61ae5393d27410
parentAnother fix for compiler flag ordering (diff)
Fix (6462) - Consider changing some IceSSL checks to use native APIs
-rw-r--r--CHANGELOG-3.7.md3
-rwxr-xr-xcpp/src/Ice/Network.cpp16
-rwxr-xr-xcpp/src/Ice/Network.h3
-rw-r--r--cpp/src/IceSSL/OpenSSLTransceiverI.cpp23
-rw-r--r--cpp/src/IceSSL/SSLEngine.cpp98
-rw-r--r--cpp/src/IceSSL/SecureTransportTransceiverI.cpp8
-rw-r--r--cpp/src/IceSSL/UWPTransceiverI.cpp11
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.p12bin3948 -> 0 bytes
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.pem52
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1_key.pem60
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.p12bin3948 -> 0 bytes
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.pem52
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2_key.pem60
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn3.pem28
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn3_key.pem30
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn4.pem28
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn4_key.pem30
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn5.pem28
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn5_key.pem30
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn6.pem28
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn6_key.pem30
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn7.pem28
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn7_key.pem30
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn8.pem28
-rw-r--r--cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn8_key.pem30
-rwxr-xr-xcpp/test/IceSSL/certs/makecerts.py18
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn1.p12bin2892 -> 2892 bytes
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn1_priv.pem55
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn1_pub.pem52
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn2.p12bin2892 -> 2892 bytes
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn2_priv.pem55
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn2_pub.pem52
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn3.p12bin0 -> 2908 bytes
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn3_priv.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn3_pub.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn4.p12bin0 -> 2916 bytes
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn4_priv.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn4_pub.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn5.p12bin0 -> 2916 bytes
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn5_priv.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn5_pub.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn6.p12bin0 -> 2908 bytes
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn6_priv.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn6_pub.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn7.p12bin0 -> 2908 bytes
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn7_priv.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn7_pub.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn8.p12bin0 -> 2892 bytes
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn8_priv.pem28
-rw-r--r--cpp/test/IceSSL/certs/s_rsa_ca1_cn8_pub.pem28
-rw-r--r--cpp/test/IceSSL/configuration/AllTests.cpp177
-rw-r--r--csharp/src/IceSSL/SSLEngine.cs197
-rw-r--r--csharp/src/IceSSL/TransceiverI.cs11
-rw-r--r--[-rwxr-xr-x]csharp/test/IceSSL/certs/c_rsa_cai2.p12bin5414 -> 5414 bytes
-rw-r--r--[-rwxr-xr-x]csharp/test/IceSSL/certs/cacerts.pem0
-rwxr-xr-xcsharp/test/IceSSL/certs/makecerts.py14
-rw-r--r--csharp/test/IceSSL/certs/s_rsa_ca1_cn1.p12bin2892 -> 2892 bytes
-rw-r--r--csharp/test/IceSSL/certs/s_rsa_ca1_cn2.p12bin2892 -> 2892 bytes
-rw-r--r--csharp/test/IceSSL/certs/s_rsa_ca1_cn3.p12bin0 -> 2908 bytes
-rw-r--r--csharp/test/IceSSL/certs/s_rsa_ca1_cn4.p12bin0 -> 2916 bytes
-rw-r--r--csharp/test/IceSSL/certs/s_rsa_ca1_cn5.p12bin0 -> 2916 bytes
-rw-r--r--csharp/test/IceSSL/certs/s_rsa_ca1_cn6.p12bin0 -> 2908 bytes
-rw-r--r--csharp/test/IceSSL/certs/s_rsa_ca1_cn7.p12bin0 -> 2908 bytes
-rw-r--r--csharp/test/IceSSL/certs/s_rsa_ca1_cn8.p12bin0 -> 2892 bytes
-rw-r--r--[-rwxr-xr-x]csharp/test/IceSSL/certs/s_rsa_cai1.p12bin4150 -> 4150 bytes
-rw-r--r--[-rwxr-xr-x]csharp/test/IceSSL/certs/s_rsa_cai2.p12bin5414 -> 5414 bytes
-rw-r--r--[-rwxr-xr-x]csharp/test/IceSSL/certs/s_rsa_wroot_ca1.p12bin3948 -> 3948 bytes
-rw-r--r--csharp/test/IceSSL/configuration/AllTests.cs164
-rw-r--r--java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java145
-rwxr-xr-xjava-compat/test/src/main/java/test/IceSSL/certs/makecerts.py14
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jksbin2560 -> 2557 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jksbin2558 -> 2561 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn3.jksbin0 -> 2577 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn4.jksbin0 -> 2584 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn5.jksbin0 -> 2583 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn6.jksbin0 -> 2574 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn7.jksbin0 -> 2572 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn8.jksbin0 -> 2558 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_exp.jksbin2555 -> 2555 bytes
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java162
-rw-r--r--java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java151
-rwxr-xr-xjava/test/src/main/java/test/IceSSL/certs/makecerts.py14
-rw-r--r--java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jksbin2560 -> 2557 bytes
-rw-r--r--java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jksbin2558 -> 2561 bytes
-rw-r--r--java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn3.jksbin0 -> 2577 bytes
-rw-r--r--java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn4.jksbin0 -> 2584 bytes
-rw-r--r--java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn5.jksbin0 -> 2583 bytes
-rw-r--r--java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn6.jksbin0 -> 2574 bytes
-rw-r--r--java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn7.jksbin0 -> 2572 bytes
-rw-r--r--java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn8.jksbin0 -> 2558 bytes
-rw-r--r--java/test/src/main/java/test/IceSSL/configuration/AllTests.java159
91 files changed, 1685 insertions, 825 deletions
diff --git a/CHANGELOG-3.7.md b/CHANGELOG-3.7.md
index 4b70ad7d7a4..8fc944a087f 100644
--- a/CHANGELOG-3.7.md
+++ b/CHANGELOG-3.7.md
@@ -152,6 +152,9 @@ These are the changes since Ice 3.6.3.
- IcePatch2 and IceGrid's distribution mechanism have been deprecated.
+- Update IceSSL hostname verification to use the SSL platform engine native
+ checks.
+
## C++ Changes
- The Ice::Communicator and Ice::ObjectAdapter destroy methods are now
diff --git a/cpp/src/Ice/Network.cpp b/cpp/src/Ice/Network.cpp
index c64d9fa7cb2..05abc9528f9 100755
--- a/cpp/src/Ice/Network.cpp
+++ b/cpp/src/Ice/Network.cpp
@@ -3056,3 +3056,19 @@ IceInternal::doFinishConnectAsync(SOCKET fd, AsyncInfo& info)
}
}
#endif
+
+
+bool
+IceInternal::isIpAddress(const string& name)
+{
+#ifdef ICE_OS_UWP
+ HostName^ hostname = ref new HostName(ref new String(stringToWstring(name,
+ getProcessStringConverter()).c_str()));
+ return hostname->Type == HostNameType::Ipv4 || hostname->Type == HostNameType::Ipv6;
+#else
+ in_addr addr;
+ in6_addr addr6;
+
+ return inet_pton(AF_INET, name.c_str(), &addr) > 0 || inet_pton(AF_INET6, name.c_str(), &addr6) > 0;
+#endif
+} \ No newline at end of file
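Review bot: `isIpAddress` has no comment saying which textual forms count as an IP address, and the callers added in this commit use its answer to choose between IP and DNS name matching. In the non-UWP branch `inet_pton` accepts only plain IPv4 and unscoped IPv6 text, so an address carrying a zone index (for example `fe80::1%eth0`) or written in brackets would presumably be classified as a host name; a comment such as `// Returns true only for literal IPv4/IPv6 text accepted by inet_pton; scoped or bracketed forms are treated as host names.` would make that contract explicit. In the UWP branch it is worth confirming that constructing `HostName` from an arbitrary string cannot throw, since nothing here catches it. The file also now ends without a trailing newline.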
diff --git a/cpp/src/Ice/Network.h b/cpp/src/Ice/Network.h
index 9a5099a9eb3..df07941f73d 100755
--- a/cpp/src/Ice/Network.h
+++ b/cpp/src/Ice/Network.h
@@ -368,6 +368,9 @@ ICE_API void runSync(Windows::Foundation::IAsyncAction^ action);
ICE_API void doConnectAsync(SOCKET, const Address&, const Address&, AsyncInfo&);
ICE_API void doFinishConnectAsync(SOCKET, AsyncInfo&);
#endif
+
+ICE_API bool isIpAddress(const std::string&);
+
}
#endif
diff --git a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
index e2a48cf7eea..0f8359f3638 100644
--- a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
+++ b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp
@@ -20,6 +20,7 @@
#include <Ice/LoggerUtil.h>
#include <Ice/Buffer.h>
#include <Ice/LocalException.h>
+#include <Ice/Network.h>
#ifdef ICE_USE_OPENSSL
@@ -97,9 +98,6 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
if(!_ssl)
{
- //
- // This static_cast is necessary due to 64bit windows. There SOCKET is a non-int type.
- //
SOCKET fd = _delegate->getNativeInfo()->fd();
if(fd == INVALID_SOCKET)
{
@@ -154,6 +152,25 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
assert(false);
}
}
+
+ //
+ // Hostname verification was included in OpenSSL 1.0.2
+ //
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if(_engine->getCheckCertName() && !_host.empty() && (sslVerifyMode & SSL_VERIFY_PEER))
+ {
+ X509_VERIFY_PARAM* param = SSL_get0_param(_ssl);
+ if(IceInternal::isIpAddress(_host))
+ {
+ X509_VERIFY_PARAM_set1_ip_asc(param, _host.c_str());
+ }
+ else
+ {
+ X509_VERIFY_PARAM_set1_host(param, _host.c_str(), 0);
+ }
+ }
+#endif
+
SSL_set_verify(_ssl, sslVerifyMode, IceSSL_opensslVerifyCallback);
}
}
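Review bot: The return values of `X509_VERIFY_PARAM_set1_ip_asc` and `X509_VERIFY_PARAM_set1_host` are ignored in the added block, and both report failure by returning 0. If either call fails, no expected name is installed on `param` and the handshake would proceed with chain validation only, so CheckCertName silently degrades to no name check. Treat a zero return as fatal, e.g. `if(!X509_VERIFY_PARAM_set1_host(param, _host.c_str(), 0)) { throw SecurityException(__FILE__, __LINE__, "IceSSL: unable to set the expected host name"); }`, and the same for the IP branch. Whether a reported mismatch then aborts the connection depends on `IceSSL_opensslVerifyCallback`, which is outside this hunk, as is the rest of `initialize`.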
diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp
index 2bc0b574627..c8342073d35 100644
--- a/cpp/src/IceSSL/SSLEngine.cpp
+++ b/cpp/src/IceSSL/SSLEngine.cpp
@@ -132,12 +132,14 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
{
const CertificateVerifierPtr verifier = getCertificateVerifier();
-#if !defined(ICE_USE_SECURE_TRANSPORT_IOS)
+#if defined(ICE_USE_SCHANNEL) || \
+ (defined(ICE_USE_OPENSSL) && defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10002000L)
+
//
// For an outgoing connection, we compare the proxy address (if any) against
// fields in the server's certificate (if any).
//
- if(!info->nativeCerts.empty() && !address.empty())
+ if(_checkCertName && !info->nativeCerts.empty() && !address.empty())
{
const CertificatePtr cert = info->nativeCerts[0];
//
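Review bot: The new `#if` condition carries no comment explaining why the manual name comparison is now compiled only for SChannel and for OpenSSL older than 1.0.2. Going by the other files in this commit, the remaining engines perform the check in their transceivers, so a line such as `// SecureTransport, UWP and OpenSSL >= 1.0.2 check the peer name natively in the transceiver; this fallback is for engines that do not.` above the `#if` would save the next reader from reconstructing that. With `_checkCertName` added to the condition, a mismatch also appears to be no longer traced when CheckCertName is off, which the lines removed in the next hunk used to do at trace level 1. The matching `#endif` and the rest of `verifyPeer` are outside this hunk.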
@@ -159,82 +161,56 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
}
}
- //
- // Compare the peer's address against the common name.
- //
bool certNameOK = false;
string dn;
+ bool isIpAddress = IceInternal::isIpAddress(address);
string addrLower = IceUtilInternal::toLower(address);
- {
- DistinguishedName d = cert->getSubjectDN();
- dn = IceUtilInternal::toLower(string(d));
- string cn = "cn=" + addrLower;
- string::size_type pos = dn.find(cn);
- if(pos != string::npos)
- {
- //
- // Ensure we match the entire common name.
- //
- certNameOK = (pos + cn.size() == dn.size()) || (dn[pos + cn.size()] == ',');
- }
- }
-
//
- // Compare the peer's address against the dnsName and ipAddress
- // values in the subject alternative name.
+ // If address is and IP address compare it to the subject alt name IP adddress
//
- if(!certNameOK)
+ if(isIpAddress)
{
certNameOK = find(ipAddresses.begin(), ipAddresses.end(), addrLower) != ipAddresses.end();
}
- if(!certNameOK)
- {
- certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end();
- }
-
- //
- // Log a message if the name comparison fails. If CheckCertName is defined,
- // we also raise an exception to abort the connection. Don't log a message if
- // CheckCertName is not defined and a verifier is present.
- //
- if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && !verifier)))
+ else
{
- ostringstream ostr;
- ostr << "IceSSL: ";
- if(!_checkCertName)
+ //
+ // If subjectAlt is empty compare it ot the subject CN, othewise
+ // compare it to the to the subject alt name dnsNames
+ //
+ if(dnsNames.empty())
{
- ostr << "ignoring ";
+ DistinguishedName d = cert->getSubjectDN();
+ dn = IceUtilInternal::toLower(string(d));
+ string cn = "cn=" + addrLower;
+ string::size_type pos = dn.find(cn);
+ if(pos != string::npos)
+ {
+ //
+ // Ensure we match the entire common name.
+ //
+ certNameOK = (pos + cn.size() == dn.size()) || (dn[pos + cn.size()] == ',');
+ }
}
- ostr << "certificate validation failure:\npeer certificate does not have `" << address
- << "' as its commonName or in its subjectAltName extension";
- if(!dn.empty())
+ else
{
- ostr << "\nSubject DN: " << dn;
+ certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end();
}
- if(!dnsNames.empty())
+ }
+
+ if(!certNameOK)
+ {
+ ostringstream ostr;
+ ostr << "IceSSL: certificate validation failure: ";
+ if(isIpAddress)
{
- ostr << "\nDNS names found in certificate: ";
- for(vector<string>::const_iterator p = dnsNames.begin(); p != dnsNames.end(); ++p)
- {
- if(p != dnsNames.begin())
- {
- ostr << ", ";
- }
- ostr << *p;
- }
+ ostr << "IP address mismatch";
}
- if(!ipAddresses.empty())
+ else
{
- ostr << "\nIP addresses found in certificate: ";
- for(vector<string>::const_iterator p = ipAddresses.begin(); p != ipAddresses.end(); ++p)
- {
- if(p != ipAddresses.begin())
- {
- ostr << ", ";
- }
- ostr << *p;
- }
+ ostr << "Hostname mismatch";
}
+
string msg = ostr.str();
if(_securityTraceLevel >= 1)
{
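Review bot: The common-name fallback kept in the `dnsNames.empty()` branch anchors the match only on the right: `dn.find(cn)` is accepted when followed by `,` or the end of the string, but nothing checks that `cn=` begins an attribute. Depending on how `DistinguishedName` is stringified, text inside another attribute's value could satisfy it; adding `(pos == 0 || dn[pos - 1] == ',') &&` to the `certNameOK` assignment (adjusted to whatever separator the stringified DN uses) closes that. The DNS branch is an exact string `find`, so wildcard names that the native engines accept will be rejected on this path, and IP addresses are compared as text rather than in canonical form; both fail closed but make behaviour differ by platform. The new failure message also drops the address and the names found in the certificate, which were useful when diagnosing a rejected connection; consider keeping at least `address` in it. The new comments contain typos (`is and IP`, `adddress`, `ot`, `othewise`).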
diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
index 5de85f884c2..123d5a09a22 100644
--- a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
+++ b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
@@ -117,12 +117,11 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
}
-#if defined(ICE_USE_SECURE_TRANSPORT_IOS)
+ //
+ // Add SSL trust policy if we need to check the certificate name.
+ //
if(engine->getCheckCertName() && !host.empty())
{
- //
- // Add SSL trust policy if we need to check the certificate name.
- //
UniqueRef<SecPolicyRef> policy(SecPolicyCreateSSL(false, toCFString(host)));
UniqueRef<CFArrayRef> policies;
if((err = SecTrustCopyPolicies(trust, &policies.get())))
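Review bot: With the `#if` removed, the `SecPolicyCreateSSL(false, toCFString(host))` call in this block now runs on macOS as well as iOS, and its first argument deserves a second look. In Apple's API that Boolean is `server`, and `true` is what a client passes to obtain the policy for evaluating a server certificate; since `host` is presumably only set for outgoing connections, `false` looks like it selects the client-certificate policy. If that reading is right the line should be `UniqueRef<SecPolicyRef> policy(SecPolicyCreateSSL(true, toCFString(host)));`. The call is unchanged context and `checkTrustResult` continues outside the hunk, so this needs confirming against the callers.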
@@ -136,7 +135,6 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
}
}
-#endif
//
// Evaluate the trust
diff --git a/cpp/src/IceSSL/UWPTransceiverI.cpp b/cpp/src/IceSSL/UWPTransceiverI.cpp
index b58a688733f..91945bd7fce 100644
--- a/cpp/src/IceSSL/UWPTransceiverI.cpp
+++ b/cpp/src/IceSSL/UWPTransceiverI.cpp
@@ -167,7 +167,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
// Ignore InvalidName errors here SSLEngine::verifyPeer already checks that
// using IceSSL.CheckCertName settings.
//
- if(result != ChainValidationResult::InvalidName && result != ChainValidationResult::Success)
+ if(result != ChainValidationResult::Success)
{
if(_engine->getVerifyPeer() == 0)
{
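Review bot: The comment directly above the changed condition still says InvalidName errors are ignored here because `SSLEngine::verifyPeer` checks them, which no longer matches the code. Beyond the stale comment, if `result` can be `InvalidName` while IceSSL.CheckCertName is disabled, the new condition would treat the mismatch as a validation failure even though the name check was turned off. A condition like `if(result != ChainValidationResult::Success && (result != ChainValidationResult::InvalidName || _engine->getCheckCertName()))` keeps both settings honoured. How `result` is produced is outside this hunk, so this needs confirming.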
@@ -259,7 +259,10 @@ IceSSL::TransceiverI::startWrite(IceInternal::Buffer& buf)
//
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Expired);
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::IncompleteChain);
- stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
+ if(!_engine->getCheckCertName())
+ {
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
+ }
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::RevocationFailure);
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::RevocationInformationMissing);
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Untrusted);
@@ -292,6 +295,10 @@ IceSSL::TransceiverI::finishWrite(IceInternal::Buffer& buf)
IceInternal::AsyncInfo* asyncInfo = getNativeInfo()->getAsyncInfo(IceInternal::SocketOperationWrite);
if(asyncInfo->count == SOCKET_ERROR)
{
+ if(CERT_E_CN_NO_MATCH == asyncInfo->error)
+ {
+ throw SecurityException(__FILE__, __LINE__, "Hostname mismatch");
+ }
IceInternal::checkErrorCode(__FILE__, __LINE__, asyncInfo->error);
}
return;
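Review bot: The exception text added here, `"Hostname mismatch"`, does not follow the wording used for the same failure elsewhere in this commit (`IceSSL: certificate validation failure: ...` in SSLEngine.cpp) and does not name the host. Something like `throw SecurityException(__FILE__, __LINE__, "IceSSL: certificate validation failure: Hostname mismatch");` keeps log searches and alerting consistent across platforms. The check presumably also fires when the target is an IP literal, where SSLEngine.cpp reports `IP address mismatch` instead.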
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.p12 b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.p12
deleted file mode 100644
index 63ce4672787..00000000000
--- a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.p12
+++ /dev/null
Binary files differ
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.pem
index 337d8b48e66..65100bab23f 100644
--- a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.pem
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtTCCA52gAwIBAgIJANEJuarXnGShMA0GCSqGSIb3DQEBCwUAMIGOMRgwFgYD
-VQQDDA9aZXJvQyBUZXN0IENBIDExDDAKBgNVBAsMA0ljZTEUMBIGA1UECgwLWmVy
-b0MsIEluYy4xEDAOBgNVBAcMB0p1cGl0ZXIxEDAOBgNVBAgMB0Zsb3JpZGExCzAJ
-BgNVBAYTAlVTMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHplcm9jLmNvbTAeFw0xNTA0
-MTQxOTIwMzBaFw0yMDA0MTIxOTIwMzBaMIGIMRIwEAYDVQQDDAkxMjcuMC4wLjEx
-DDAKBgNVBAsMA0ljZTEUMBIGA1UECgwLWmVyb0MsIEluYy4xEDAOBgNVBAcMB0p1
-cGl0ZXIxEDAOBgNVBAgMB0Zsb3JpZGExCzAJBgNVBAYTAlVTMR0wGwYJKoZIhvcN
-AQkBFg5pbmZvQHplcm9jLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBANeK0ZahjAszXRN95TCwneiMyPvgSAb5OpJtO9G7FYvIWUUap46uYVx5Adv6
-eGi5k+vixScHwfTHUpeGOlWO1QUYPNLa4bsqf1T7s8a8+2HNude5uskJPLurZYG9
-b3C8V1dSWxqtrUYsX/xCn45ScBBno8q9Gqjm8abFxa3bXjE72tcAQQimu/IFQcyZ
-Ffk2kbtNdJWpZHoUFKMPbG6EHDeS0yhvmo7b6eNp6YTzFx9a4OnjUUbPwYFZH3IV
-eDIftNZtQN2niDrKcOKeLPeweIGv+9JNdkqN1kGrJt2lLJQE+ALLhp55d4lX+S0w
-fhrLQGVTHtDbF9KGizF+z+h+atUCAwEAAaOCARgwggEUMB0GA1UdDgQWBBR7piAe
-mqqX28rsqrZhGMfDp2ynFTCBwgYDVR0jBIG6MIG3gBT+18YGVbtNwpbjJcDU4KEv
-6GJiGaGBlKSBkTCBjjEYMBYGA1UEAwwPWmVyb0MgVGVzdCBDQSAxMQwwCgYDVQQL
-DANJY2UxFDASBgNVBAoMC1plcm9DLCBJbmMuMRAwDgYDVQQHDAdKdXBpdGVyMRAw
-DgYDVQQIDAdGbG9yaWRhMQswCQYDVQQGEwJVUzEdMBsGCSqGSIb3DQEJARYOaW5m
-b0B6ZXJvYy5jb22CCGnuK/IUHTttMAsGA1UdDwQEAwIF4DAhBgNVHRIEGjAYhwR/
-AAABgRBpc3N1ZXJAemVyb2MuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCFFCYmn6R5
-XwXe8DjMWeAvP+JpQUfqPqQ5Yil11SA+8eGsJqUfgx9+90+sZ48c7kohDtNWSJKs
-ZofvFiTbSykjbKuyDaCElv71MtdZpR0kxAxNF1K+N7/F5SWsvOb43dWfhHqkWdCw
-Xo2m+igL5zwmMqGRFrnJLrYs6+Fusm+cgpznG4XzaLsR21j+hu3DTcOQNoTBMaUs
-7xKTjXRLY2wFXvzQ3d32Ga4niMEqweQsv2eJHRbUqzUhRNJ0UXuwxs0sXNpVCaYS
-Hg8IdkAEwLKH2I9yN8obmhBHlStP9jfzSYOw4a7KeLWyQ9iRj4rkkXUQ570wnasv
-zFeZFMVF5Y41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-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1_key.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1_key.pem
index a681a486b85..1366eaffd9a 100644
--- a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1_key.pem
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn1_key.pem
@@ -1,30 +1,30 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,5F83839A3F7CBBBA
-
-FQXNM3MPK8jqVRH0nfoJZFHPSugipU5O9eiqxJhBwjXmBz9qhTwLUVgQ75gKQP5/
-c2ed9E9pghpc937mstBqhSfV+gQlcQFtuztqE1Jhye+NRAKtFC4i8Br8/OcJCvBy
-PuxjVMhhZpcrtDbji6dUAtYL+GAkdpo5DxO5N5MAgRVlm3KK0p1XzCFRtSFtn69z
-+NFX8SjZ+eqfr19tMn3kSXyEiRCalml8Nc+MPTL66RTHK4iNvqVQDgeOTK/8GDns
-qpRhzgDtDqNZDQi/5JKbriouvIDObVKKXS0KlesfrfT7uPC9y7wyOzGEydoRdLS7
-hMzfyh3aAJ4PLUt8MrXbuZA69NedwBQpWZvSTT56vgwKapqIh30hGSeTqaHiQhjn
-zM2JqVOBNYgkXZMhZWmwUlrcBO5ps+ENbTLqDEkjevUYDoVlAxcCNVP2guN9Zl5/
-/8w7CFKmlSownwypQdsHNw5xwEu2A6yTfzqprKsBCcY98VpFgGIz0EVAuk9B/HWX
-8wOwr+vJScth3u3Su2BTf6fSEKBV2DmEFUYY8Mv1XC3Oy7KSsCWStLiwQ0u7JPmV
-jkdjmTghlOmzYk/J+e2hkC3XP+6Z2auDFHXKRpkME7sOWJ5fwzdmWqZXP7VD+HQZ
-GxE8eK4BcqVmuVBnDTcZAifeA3DyTPLAy2mMRqMpyH5BTrH9Krg5ZDHRvACtZS3S
-WmZnA735MPISNG5XKTGfd8SjIBDUsrTzKEbtFSQps+jly6j/L+u00DoZt0jxnnRG
-mlzzFfR6H8++fs/bXsVaF2CA97aUWbB2qajKpgluzQSddsMNE1A215QDep2xPMWe
-lmvFCttpeFOaSsy0uU2vnTgCi2vMznT6vEmvOwn5NOVhkJmgWkG7RRfNtAlc8rUA
-+YLfw4VHHpR1StYmmfc7eJNpDZ4Vh20InXaa01iRLYmDyEqfgiz+J42Cctlu2PXZ
-+tPQ23cyjn3OT7jmC4SZzUlhglnmYVayJlf4ZF0No1NwDsPakzytEtJo2fssjYLk
-Rdop9NotXw8jb6ByzOf8cEDdQrZ3mdRn6sPwD27IXrMQWNEmlwyPPvXK/v1Alp89
-iz5K/LHUcYGZAGCoAgiApyXW9G2CSku2OJk4OsB4fTtL4eiPNm2rVuipNsCGN0Mm
-UAcIHcge6MpUY+i285eYPKiKynR7DJAi4MIlqXkJMwhnanWfB6P2hEhPB81PYWVp
-x0NagC3r02Lel5u5y/W1PpysQWhHiriDxFOhqY3HX1NWKJSvwE8IgQhxX8Nj5qwQ
-S8Yz1ilDR1eSq/wpOUM4yEdkGdoG5jg2nphO95qiYibjnU3uML/Kwq6gjShh+g2s
-kuW4M3eY5Xj+pGb3+JkVOZw3Ze/fUYZAbnlCY0wH77t047sUoSWTtTM8ZdK8kuxM
-ehZPbGuucQHAQ8m5j2BLn1H609RsIlFB79GQtjXfFhbpEQl2OJltfl6PUQea3brB
-cmXs0/bMFohCv3eIVC3yGp5XyqTdaJQPuS0lkUYkchQQoIPKCPPmrjGN5dVy/yS1
-kt4WvsnT2HUXNMc0dUO9S8lL+UtePNoh8bbDaGSA43vVLThcMAlueEhL2i5qcHy2
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.p12 b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.p12
deleted file mode 100644
index 6785193d1e0..00000000000
--- a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.p12
+++ /dev/null
Binary files differ
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.pem
index c54f190670c..43f43851545 100644
--- a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.pem
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtTCCA52gAwIBAgIIJoFRkbPzeYgwDQYJKoZIhvcNAQELBQAwgY4xGDAWBgNV
-BAMMD1plcm9DIFRlc3QgQ0EgMTEMMAoGA1UECwwDSWNlMRQwEgYDVQQKDAtaZXJv
-QywgSW5jLjEQMA4GA1UEBwwHSnVwaXRlcjEQMA4GA1UECAwHRmxvcmlkYTELMAkG
-A1UEBhMCVVMxHTAbBgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tMB4XDTE1MDQx
-NDE5MjAzMFoXDTIwMDQxMjE5MjAzMFowgYkxEzARBgNVBAMMCjEyNy4wLjAuMTEx
-DDAKBgNVBAsMA0ljZTEUMBIGA1UECgwLWmVyb0MsIEluYy4xEDAOBgNVBAcMB0p1
-cGl0ZXIxEDAOBgNVBAgMB0Zsb3JpZGExCzAJBgNVBAYTAlVTMR0wGwYJKoZIhvcN
-AQkBFg5pbmZvQHplcm9jLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAL78jI+GvD8e+WV/e+nftq930TOAtYalz7ewqiIey2/+8I2OSz1BcybYloO2
-WF8vBAIwULAEDKZs1SBIRRLl8TbRWzxKiRt9cwYuwLU7eccnpc3RkyzR3/riwQ9P
-fGqfBzuvWRMFES9OO0qYSDsxMTbTuqGe45wllgSjxCxyRbZ/e0MWZZfOIktNG+UY
-oirSGW/omwQ1KLqfoQkawIAmMDxkxmZZx7QSAjwB4MKPQx+bpOyGqzI5A5lYAFzu
-mJfqOnusvw0ZPu6RjnquTHYnkXPQ3wzhbF+P97UrpH5G2wLtoptGURntUiIv7B/E
-0SmOGmyVQA5fB8/C6IehVWuTRG0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBQ8Ub4X
-Mn1Tae99mxRpu2zlipF/BTCBwgYDVR0jBIG6MIG3gBT+18YGVbtNwpbjJcDU4KEv
-6GJiGaGBlKSBkTCBjjEYMBYGA1UEAwwPWmVyb0MgVGVzdCBDQSAxMQwwCgYDVQQL
-DANJY2UxFDASBgNVBAoMC1plcm9DLCBJbmMuMRAwDgYDVQQHDAdKdXBpdGVyMRAw
-DgYDVQQIDAdGbG9yaWRhMQswCQYDVQQGEwJVUzEdMBsGCSqGSIb3DQEJARYOaW5m
-b0B6ZXJvYy5jb22CCGnuK/IUHTttMAsGA1UdDwQEAwIF4DAhBgNVHRIEGjAYhwR/
-AAABgRBpc3N1ZXJAemVyb2MuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAZnA9BsWpC
-44mCDBEtS0J1UfKQoG8yH67tVul4YdqDC5aYfw2GOSTT/vPPUNmI/3Wa/Jb3CRvU
-WUiqVWoRyKB50gGnbE0kUQj2jv3IaNhsnmEZ0xKkbq5h2rNkKuhEd8Erj3FC83iP
-rzJVO7qjboYGVkukIcTsMpU3wtwohCB+8v1NDOlMv/Z9vZSeGwjebWJtDAD32oWN
-bmAbnjxEF5Uei3MO/fWK9wvElSa4TAXVS7+ovAzvs7o+ikD+cLcbtfXhMBZH0cg+
-y2Ht1A5mP1AsK04W96fs/ZIdZxiaVIjRR2hN4BUZYOxar0wxwy2oyDcyHTjuLKNn
-DohtzPbwUer8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-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2_key.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2_key.pem
index 5ef923b79a1..db7728382b6 100644
--- a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2_key.pem
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn2_key.pem
@@ -1,30 +1,30 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,70386A3E57A24D9F
-
-822rA3E1/F5d1pVnZ+rsuSS3WwVsyvRZyKIAvyluWnZShI6gIbRcHtg9nDjQO8P1
-xoZVN2yQHclKWS48Z1yLIcAklK2GU4wxYNQYSeKeMX6DRRIDeMjW7L4C4o97G9ot
-hhUVrktDF/vRO6W/Rq1AjEH9hv/4u/Ci+JOvMpAi7g7V80UJI1KuuqguZtBdbRAM
-oUOkM87WdQnGLTekS4mngkUpOJhiBaCn5gCQuTw26ji7VNFjmw3r5fhTA3XNEwqL
-clk01wdlkNtrVd5fl0OW2G9KRO8Z3V5+QQ5q6rZaPZqcU/wvTbgtrsIujrqizRiS
-6Po+/l0yl9DQhfFBaPcVFher8fozRGsywniMrzxh1RucXVE7PgleJhlSz+AFerzX
-x/BPHeYk7ZDubgP9uTVZ9SpBoqzwpUajdXZz3ByqcbE8V24NMKBxvV/B6Q0eZ8GT
-wuRz7SmkHGRqTKnXwJNMeDCR5wHAMYyUgGW5HGimxQVOQQN54ND3egMSdNIoZhYn
-aYBDwupXN+JVAVtvRhiSq1fgtu9uP1/+mXS4z8ZjomIkfDdXk+Izq36KMwsg/MZk
-J2YibPTNFAn7d+m7BktcOgDOd3oHGvZcWHLjV1jVLaHM9ZTnXUBUL251d5v/UQNJ
-1a18skMpNTAcnitPiuYnB5/De50IIdX92HWbLMtSVTZ1syaO12eS7wWq3/RPYo17
-PyRr+/S4mSa1maXSYqSsJKQ9OdpWbBxLiqoNULQXTNCb7WRWDx6YE8o9wv42ygqA
-gBXkKkBU8npYn6+RvvOuJPWMQloEgy7GXDC8X0XKMrd//Gd65QNUadtDeVmrWXTC
-UnaN86IGbO1ejf7Klj2lhJz7ZSuA920Ouyx1NjU+rj5KGP2ifyHoQTLzs3MK00/+
-hlqnswsddLARZqW9aRfnu2fxJ2KzP826xRrZssTsE2Sf1/ZAU82czg2z8u/Extkg
-pSSXKZ4rTupDBtaKIMpbZEnTN+YnfHJJw/6L8ANl+2POKvDOO+slBw5fFIX4VNZF
-LqRig+HwfrD5notMiURRT6IgepYuxufVjDTzEsCjs+JA/zXpTq7jj4EB58D/7oQW
-oW5qpkLf4FYB/T9DrJfdcJZihPlGaeRb1FkG5NBN/A2rmOnrnAgxBpcFH6wQYeRA
-Lf8yrkk7zGl4oF5FLwlwDR7Ys1urAWRPACpvWprqwSYV4jrNQb421G/pY+/zYU3M
-ZdAgTO7VW6eN2D5Jb5zyr6v1CT5wfoQ0FRSIdNzoxFxfpkfflAhx2hxUvTu7EJHo
-PaL1R+2v75A1FJ+NEgfAFHL4c40aHf/V6smFDc5JTrksjezwVlvhyUb52ziCARM7
-XU11+iXWpBPUdJik4qHD5MGphXYl3TC+R3lzGJPHZSwfKlfLvm3l7wn3vZ/GgX/u
-NxFoRGEXCuI7My/eVNjLRFr/7zy8Y8O6kEekQIFAkNLhGQpl8BwY670cuj6qJr4r
-1tWyCY8+XCKtRPkGb6SOq4S8T5hOwS8JjSS3sCF+VX3T2INKVF92jEz74A9XpWsc
-GDFpOSipROrHFoSwg+NU8n/xU4kOCZozR/lbw0PAfqk7mrVv5CKvSw==
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn3.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn3.pem
new file mode 100644
index 00000000000..a06c101a83a
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn3.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn3_key.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn3_key.pem
new file mode 100644
index 00000000000..90b1053dd82
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn3_key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn4.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn4.pem
new file mode 100644
index 00000000000..d7eede37947
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn4.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn4_key.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn4_key.pem
new file mode 100644
index 00000000000..fd764949a21
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn4_key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn5.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn5.pem
new file mode 100644
index 00000000000..85c395be386
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn5.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn5_key.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn5_key.pem
new file mode 100644
index 00000000000..45921a8b9ef
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn5_key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn6.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn6.pem
new file mode 100644
index 00000000000..1d06cdac957
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn6.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn6_key.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn6_key.pem
new file mode 100644
index 00000000000..91c0be73c4f
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn6_key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn7.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn7.pem
new file mode 100644
index 00000000000..5dea1614fa9
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn7.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn7_key.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn7_key.pem
new file mode 100644
index 00000000000..db692f2b091
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn7_key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIW5zetLue/0cCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECOPdNyEWVmg1BIIEyI1AZlwwVgQ6
+39cUktU4lp7lXM2cQenF0dOVkzDhqL7mBxJl6vGSUr5H15MkE8L9hjZOi3MVw0IN
+RFpDNHOB7oHWU04sjEHa6Pd18E8lEWuim/hHcTUzCIUod+OG8DjsLSFqADtK5oZP
+Dw90Kt1lYEUD7lprMRyZgeTTNarrhVrhgPqmEyNiwbTYIvPJUBmPiXMZFdibSs2n
+H7kIlDRXf61JfP5H62iIGGjnA35YweQNSvrjwgGjvMeqBrTE7FqK4feOMB6YS7Nc
+Kexg+lFuzPSta3HwKjkDdUFVshRXDPivF4sb1iw/Cl/Xc8J4eTUDaz5rZlRGeL/8
+ngqijBCerxOlosVdAaebM+e2AGRngEbnB9UHnC3AFuxMCxsxD2JH9QcuJJuRLvxb
+/zWQ4dWPzB7Qer9ng6/dlWc6zKQQ9YqgbCEvh1Kr/ulpuzrY6pIxHE/+RAfd4vg6
+pydJJfR7/v0Cry8JhlhUAYyTvEJiEk0BNJnUJuVX/xGpMN5AW0KcccNTqFudCyhj
+S69cjplggR+6um3oxl5g/gPkM5b6WBImurDdrAGYallsERdikkEZ0FBGKIaHpjNK
+gRLsKvw+U7PaWOHWELqiiD36+uUTSHlMq18mDO+YpWyMk2yvr9huQOUN1/mOnR5T
+aAmodQREx5YQ0AJ4ItnR1WqKJJZBrcC8FObBjeWS3t5N+7M0foOZo102LZcVM7Aj
+Sc0RlVo95wHu8fhFv6a7vVJpwOF6y64GiyOuo7OvSizELdo5QUdK9OypW5Np03zT
+ZU/pWvk/oiTE2bnVHoxAA8UelF2KHhGurKH5J8iP3wLycOeIQiL0xXwx+KhYg6+d
+GUJxTA5UzAhTlXbL0l6xE5QxhWrZd/cAWVU2h9AzNsYqqGZgS2TlGwHLL4xOLlBY
+7MzEVdrLHFyd7j3WwtbCu2mq7P/2sebqOr5dOPdE4Iqo9vS7XTxw11rc6yM9zCcN
+wZajSMn+nbAA2tTrXYcNH3bli7NLodlLfnDkXZD1BF0nCWVUUyEkfBfnclNScoow
+cKQyBsIGig5YuJJ7XUJRgJFDAOLR8LJKI5kcnXrspMYcHNj4moUBYDfKdUly01pm
+q8SjVbhqCmD5leTUpAKKVnFIDiR0tOkzwTA2AuREkzxuXvMGPNIczl9SmDRlgauD
+fVgs5VpZ2RGG5FlGiA4nv8XsPIy/cdlINt24uqmVGEbSL3seQQRKqqWF4eoiE25I
+dMuKwDM2pBw3xAubQ0uN4SmmqGCGG/CK6fBWJvWSUwTPxdBEgtRF/oila2E4ZDTM
+EcmmSnZjnPDXN5n+dwReAThmumRyxUOkWI0uyB5DhpP9mYY7aZZsx5fpmRvJYvwh
+OyJHYx87pBvIFXmRl7CCzM+SUurRcOpc6/hz0udWBNQR9PKusPjfKaWX6m8wTsuK
+PVth1s/V9/xINjP/62qgvhVyYQrvsX8Ab3flvuQsNSdE6vdTGRclBJozrU4wZAQ5
+FvCwH6ESsed+6JzVi4OyvJY0pdTabp7P5rooJICg5uHV6SHs984qQaD1yNwJiyoW
+0U473owT1+fxBPUizquODQsKycLt4WQyJ02YW0jV+T+toQS9SbwHoRTaghia9Eax
+2D6wwl7LMu+sWmuq/cFEkQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn8.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn8.pem
new file mode 100644
index 00000000000..45888275f1c
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn8.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn8_key.pem b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn8_key.pem
new file mode 100644
index 00000000000..37d3d7941fa
--- /dev/null
+++ b/cpp/test/IceSSL/certs/db/ca1/s_rsa_ca1_cn8_key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/makecerts.py b/cpp/test/IceSSL/certs/makecerts.py
index 265c4cf9c83..dd4766156cc 100755
--- a/cpp/test/IceSSL/certs/makecerts.py
+++ b/cpp/test/IceSSL/certs/makecerts.py
@@ -102,8 +102,16 @@ certs = [
(ca1, "c_rsa_ca1", { "cn": "Client", "ip": "127.0.0.1", "dns": "client", "serial": 2 }),
(ca1, "s_rsa_ca1_exp", { "cn": "Server", "validity": -1 }), # Expired certificate
(ca1, "c_rsa_ca1_exp", { "cn": "Client", "validity": -1 }), # Expired certificate
- (ca1, "s_rsa_ca1_cn1", { "cn": "127.0.0.1" }), # No subjectAltName, CN=127.0.0.1
- (ca1, "s_rsa_ca1_cn2", { "cn": "127.0.0.11" }), # No subjectAltName, CN=127.0.0.11
+
+ (ca1, "s_rsa_ca1_cn1", { "cn": "Server", "dns": "localhost" }), # DNS subjectAltName localhost
+ (ca1, "s_rsa_ca1_cn2", { "cn": "Server", "dns": "localhostXX" }), # DNS subjectAltName localhostXX
+ (ca1, "s_rsa_ca1_cn3", { "cn": "localhost" }), # No subjectAltName, CN=localhost
+ (ca1, "s_rsa_ca1_cn4", { "cn": "localhostXX" }), # No subjectAltName, CN=localhostXX
+ (ca1, "s_rsa_ca1_cn5", { "cn": "localhost", "dns": "localhostXX" }), # DNS subjectAltName localhostXX, CN=localhost
+ (ca1, "s_rsa_ca1_cn6", { "cn": "Server", "ip": "127.0.0.1" }), # IP subjectAltName 127.0.0.1
+ (ca1, "s_rsa_ca1_cn7", { "cn": "Server", "ip": "127.0.0.2" }), # IP subjectAltName 127.0.0.2
+ (ca1, "s_rsa_ca1_cn8", { "cn": "127.0.0.1" }), # No subjectAltName, CN=127.0.0.1
+
(ca2, "s_rsa_ca2", { "cn": "Server", "ip": "127.0.0.1", "dns": "server" }),
(ca2, "c_rsa_ca2", { "cn": "Client", "ip": "127.0.0.1", "dns": "client" }),
(dsaca, "s_dsa_ca1", { "cn": "Server", "ip": "127.0.0.1", "dns": "server" }), # DSA
@@ -127,6 +135,12 @@ savecerts = [
(ca1, "c_rsa_ca1_exp", None, {}),
(ca1, "s_rsa_ca1_cn1", None, {}),
(ca1, "s_rsa_ca1_cn2", None, {}),
+ (ca1, "s_rsa_ca1_cn3", None, {}),
+ (ca1, "s_rsa_ca1_cn4", None, {}),
+ (ca1, "s_rsa_ca1_cn5", None, {}),
+ (ca1, "s_rsa_ca1_cn6", None, {}),
+ (ca1, "s_rsa_ca1_cn7", None, {}),
+ (ca1, "s_rsa_ca1_cn8", None, {}),
(ca2, "s_rsa_ca2", None, {}),
(ca2, "c_rsa_ca2", None, {}),
(dsaca, "s_dsa_ca1", None, {}),
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn1.p12 b/cpp/test/IceSSL/certs/s_rsa_ca1_cn1.p12
index e88bd852150..31b77a4e6de 100644
--- a/cpp/test/IceSSL/certs/s_rsa_ca1_cn1.p12
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn1.p12
Binary files differ
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn1_priv.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn1_priv.pem
index c4756f51b86..5766c5258f9 100644
--- a/cpp/test/IceSSL/certs/s_rsa_ca1_cn1_priv.pem
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn1_priv.pem
@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA14rRlqGMCzNdE33lMLCd6IzI++BIBvk6km070bsVi8hZRRqn
-jq5hXHkB2/p4aLmT6+LFJwfB9MdSl4Y6VY7VBRg80trhuyp/VPuzxrz7Yc2517m6
-yQk8u6tlgb1vcLxXV1JbGq2tRixf/EKfjlJwEGejyr0aqObxpsXFrdteMTva1wBB
-CKa78gVBzJkV+TaRu010lalkehQUow9sboQcN5LTKG+ajtvp42nphPMXH1rg6eNR
-Rs/BgVkfchV4Mh+01m1A3aeIOspw4p4s97B4ga/70k12So3WQasm3aUslAT4AsuG
-nnl3iVf5LTB+GstAZVMe0NsX0oaLMX7P6H5q1QIDAQABAoIBABtJptkkIJ+2Y/04
-vhBY+9TaJgPFVDkVynWJQL5/qe2lcq/N/RKSPx8+7p5T6nSPsgt2DTGwyLxdk7Y9
-Nxtn1s4rUF/9eACDE9XFe/AYMtch/XozOFOFSNwViedP/VDPd1tFwOTywfIVYh2E
-rcCN7UQWauUa5comWsebWDh3gkhHKSXlBd1/6a+OotxmT16Jkp2SYqLQILcOL2y5
-yErJD0XFrnA1+JKyRtvljo90zgtgLBXPqRqKey9artgPV0CfGq21wmSgIPxMgHWt
-DNAOHFaxnQG9X3iMpVtyaEHfyofaAAnYDeeXdG/nv7mNqUS7eGtvFEnnt6ILFON3
-8o6s3m0CgYEA7AgafFnFoaSr1sklnn+tqbtuSbv185gDSWbcByuOvE7JhbB2pgFP
-AoHAot1T9MgpQV6Zd6H0Fg1d8shfi8mhwxHtLY14KAvEFhEhSj7z8XshgS8TECGD
-denORKEy3hVWzngYbkaVhFfD1NkIopqgGSnQKJ4+88hXQbVpJtV0VIcCgYEA6cb2
-b+jcn4R59Oa4XzpQztk96kvugtWyLdlWIx9vH/P86m3PB9jm28ZbihJOKAsJxps/
-hDuAsC3KiqdcKHPGErHxdm/bRz1zH9mOVY8Vzuw1UZcXMANVK6vy3H0N7KKj7AXO
-aLr0BjhEs/J9PMXYnNpV1IFJ7X8SCf/+JgQXuMMCgYEArErSApmJMRBCO3wDEOrE
-etSNkhc5VwJMy+Tgkf9SptSgOA1y3oSwBvVuB7SmF1WQ/92tCu3Wfc5uGM35KNIb
-WYiZaBoPbrQAA9enREolyc0GzQTu1mSQUJ9F6UT+G6zZ+8cglkbB16Q1GAcBTaiv
-Ww7xmuTAsTU5tIZW5nkD/LsCgYEAjRbwapAOfxOUCzMn+QkX9g70qDAVjc7tD3DI
-5L+28IDvloiZV3IXunJXktgDZXVr+/p8dhD3VNz+DXp+S0e8NlJAmatemvtCPOmv
-VoHZtp2mfEyEyQxp3caT93Bd9AAgkHTcoyaZ2hshk7z4yrHZTqkS/gLdnEGBoJlo
-SIdVzcMCgYBUnJDvQy7XwWhXZIpPWgZiKL2IC0xDPOq1Bm9oJRY7zx8RdU26oiqk
-my3DwWuHFgHUdBjuDQtbWaXfOpMQidrIUxB22JP1sovxJdS6T4mYZaleDg63SBM9
-q2yt+RgaRQcITLl38aEXIvJC3EGZjgn8K16wxHyAlccrrnw/BKex6Q==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn1_pub.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn1_pub.pem
index 337d8b48e66..65100bab23f 100644
--- a/cpp/test/IceSSL/certs/s_rsa_ca1_cn1_pub.pem
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn1_pub.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtTCCA52gAwIBAgIJANEJuarXnGShMA0GCSqGSIb3DQEBCwUAMIGOMRgwFgYD
-VQQDDA9aZXJvQyBUZXN0IENBIDExDDAKBgNVBAsMA0ljZTEUMBIGA1UECgwLWmVy
-b0MsIEluYy4xEDAOBgNVBAcMB0p1cGl0ZXIxEDAOBgNVBAgMB0Zsb3JpZGExCzAJ
-BgNVBAYTAlVTMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHplcm9jLmNvbTAeFw0xNTA0
-MTQxOTIwMzBaFw0yMDA0MTIxOTIwMzBaMIGIMRIwEAYDVQQDDAkxMjcuMC4wLjEx
-DDAKBgNVBAsMA0ljZTEUMBIGA1UECgwLWmVyb0MsIEluYy4xEDAOBgNVBAcMB0p1
-cGl0ZXIxEDAOBgNVBAgMB0Zsb3JpZGExCzAJBgNVBAYTAlVTMR0wGwYJKoZIhvcN
-AQkBFg5pbmZvQHplcm9jLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBANeK0ZahjAszXRN95TCwneiMyPvgSAb5OpJtO9G7FYvIWUUap46uYVx5Adv6
-eGi5k+vixScHwfTHUpeGOlWO1QUYPNLa4bsqf1T7s8a8+2HNude5uskJPLurZYG9
-b3C8V1dSWxqtrUYsX/xCn45ScBBno8q9Gqjm8abFxa3bXjE72tcAQQimu/IFQcyZ
-Ffk2kbtNdJWpZHoUFKMPbG6EHDeS0yhvmo7b6eNp6YTzFx9a4OnjUUbPwYFZH3IV
-eDIftNZtQN2niDrKcOKeLPeweIGv+9JNdkqN1kGrJt2lLJQE+ALLhp55d4lX+S0w
-fhrLQGVTHtDbF9KGizF+z+h+atUCAwEAAaOCARgwggEUMB0GA1UdDgQWBBR7piAe
-mqqX28rsqrZhGMfDp2ynFTCBwgYDVR0jBIG6MIG3gBT+18YGVbtNwpbjJcDU4KEv
-6GJiGaGBlKSBkTCBjjEYMBYGA1UEAwwPWmVyb0MgVGVzdCBDQSAxMQwwCgYDVQQL
-DANJY2UxFDASBgNVBAoMC1plcm9DLCBJbmMuMRAwDgYDVQQHDAdKdXBpdGVyMRAw
-DgYDVQQIDAdGbG9yaWRhMQswCQYDVQQGEwJVUzEdMBsGCSqGSIb3DQEJARYOaW5m
-b0B6ZXJvYy5jb22CCGnuK/IUHTttMAsGA1UdDwQEAwIF4DAhBgNVHRIEGjAYhwR/
-AAABgRBpc3N1ZXJAemVyb2MuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCFFCYmn6R5
-XwXe8DjMWeAvP+JpQUfqPqQ5Yil11SA+8eGsJqUfgx9+90+sZ48c7kohDtNWSJKs
-ZofvFiTbSykjbKuyDaCElv71MtdZpR0kxAxNF1K+N7/F5SWsvOb43dWfhHqkWdCw
-Xo2m+igL5zwmMqGRFrnJLrYs6+Fusm+cgpznG4XzaLsR21j+hu3DTcOQNoTBMaUs
-7xKTjXRLY2wFXvzQ3d32Ga4niMEqweQsv2eJHRbUqzUhRNJ0UXuwxs0sXNpVCaYS
-Hg8IdkAEwLKH2I9yN8obmhBHlStP9jfzSYOw4a7KeLWyQ9iRj4rkkXUQ570wnasv
-zFeZFMVF5Y41
+MIIEtDCCA5ygAwIBAgIIQoFWIYE7CvkwDQYJKoZIhvcNAQELBQAwgY4xGDAWBgNV
+BAMMD1plcm9DIFRlc3QgQ0EgMTEMMAoGA1UECwwDSWNlMRQwEgYDVQQKDAtaZXJv
+QywgSW5jLjEQMA4GA1UEBwwHSnVwaXRlcjEQMA4GA1UECAwHRmxvcmlkYTELMAkG
+A1UEBhMCVVMxHTAbBgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tMB4XDTE3MDIy
+MTIxMDEyN1oXDTIyMDIyMDIxMDEyN1owgYgxEjAQBgNVBAMMCWxvY2FsaG9zdDEM
+MAoGA1UECwwDSWNlMRQwEgYDVQQKDAtaZXJvQywgSW5jLjEQMA4GA1UEBwwHSnVw
+aXRlcjEQMA4GA1UECAwHRmxvcmlkYTELMAkGA1UEBhMCVVMxHTAbBgkqhkiG9w0B
+CQEWDmluZm9AemVyb2MuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAnRBH5lEj+LJC0JfOFBXGj5Ik1XB/hiGAe0wb3qM7x84paim4merjRHXuCX5i
+tzsIKaUi0pNw/JBUPkGJr59qvbMYhc3PzvKLJHX2KOi9beDtRBKsiRwSU1qkyw8f
+Kwrly0V71ne3p2z74/z3FkaeNyb5IEQxcrpRi3xXTFl/nNnGyHAZd3okImjh0gfN
+ElscDp++JnY5W3RDWTi+v4Nmq1fZzs20nJ/4r93LnZfrCqm/hNZJz94cYSSLztnK
+hSVdS+vo6ilWgaEMcsi4SnQK/yvYj4H12SwaW/Vc3/FX6fxmq1Y72vggYTo+MOt6
+dGT66FnnLfA/ojl8qsqesMBRdwIDAQABo4IBGDCCARQwHQYDVR0OBBYEFB5ynD4W
+cyfHqU/g3UKI0i1EMv9tMIHCBgNVHSMEgbowgbeAFP7XxgZVu03CluMlwNTgoS/o
+YmIZoYGUpIGRMIGOMRgwFgYDVQQDDA9aZXJvQyBUZXN0IENBIDExDDAKBgNVBAsM
+A0ljZTEUMBIGA1UECgwLWmVyb0MsIEluYy4xEDAOBgNVBAcMB0p1cGl0ZXIxEDAO
+BgNVBAgMB0Zsb3JpZGExCzAJBgNVBAYTAlVTMR0wGwYJKoZIhvcNAQkBFg5pbmZv
+QHplcm9jLmNvbYIIae4r8hQdO20wCwYDVR0PBAQDAgXgMCEGA1UdEgQaMBiHBH8A
+AAGBEGlzc3VlckB6ZXJvYy5jb20wDQYJKoZIhvcNAQELBQADggEBAIJlyxl6DxnM
+zUVtEn/We+qqU5qIqiRDbxPoV2rPNiAvkexTXAC2qQfqmdtHW1EcBUPptHpApBJt
+P+0jYxkCjZ7YgjZ8LcxXkzW+TAKYtkhz5wlkEPCsfv4kgdHOAMOwDzQ8cyMuYVRv
+oGiEm3OlCgqPhJDPlpyx+S5yw7Ezt6uJj6AhISaXuUNrPYOZ9+sE57Ka/kMyVKvL
+JoB62iMx1aWQIUqWdEMn7CP6GK3lJVM//uMK8V64t3jaJbD7a3VX31jMbGXvxfbP
+n/AGDHGHj6pCcftL/XTsqGPzelRSz3bjXsUdwd+IAikkSrNF09ljozWY48ildJvY
+TDrqQafWBpc=
-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn2.p12 b/cpp/test/IceSSL/certs/s_rsa_ca1_cn2.p12
index e2a53b6eac0..6597e476b00 100644
--- a/cpp/test/IceSSL/certs/s_rsa_ca1_cn2.p12
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn2.p12
Binary files differ
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn2_priv.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn2_priv.pem
index e8716ca4b40..625fe5b3626 100644
--- a/cpp/test/IceSSL/certs/s_rsa_ca1_cn2_priv.pem
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn2_priv.pem
@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAvvyMj4a8Px75ZX976d+2r3fRM4C1hqXPt7CqIh7Lb/7wjY5L
-PUFzJtiWg7ZYXy8EAjBQsAQMpmzVIEhFEuXxNtFbPEqJG31zBi7AtTt5xyelzdGT
-LNHf+uLBD098ap8HO69ZEwURL047SphIOzExNtO6oZ7jnCWWBKPELHJFtn97QxZl
-l84iS00b5RiiKtIZb+ibBDUoup+hCRrAgCYwPGTGZlnHtBICPAHgwo9DH5uk7Iar
-MjkDmVgAXO6Yl+o6e6y/DRk+7pGOeq5MdieRc9DfDOFsX4/3tSukfkbbAu2im0ZR
-Ge1SIi/sH8TRKY4abJVADl8Hz8Loh6FVa5NEbQIDAQABAoIBACuL7ATBxORjjJv+
-8GMIFmB14mZq33j/D5ijmHdFLD+yEmlEW5Vw+e+OjOslRYsWbkSNfahUlAnSYNoG
-gHFpqpFENRhPKmnxNavgNyJbmE23lY+TTIp4pChRUZHLHuQ0tHKAbb/vdNajcNN2
-W2nbsov8xN4bG2y8CTOvn4g+2fRdQTRAi0jtMgpBVcJD4FQPJsyZNFo3nwDe1sjy
-/TUCDVxJYEK7EJtavoJGD7Zy0nWKa3Jl5D+3rN79IdtS9TQ22XfvdSjshhz3VB6k
-FHaL/CzjZ6UmG6sGpZr8jpkFIvF08/5/L7lVk/63Lh1JkZZmpPQbaKJIU0q0i+eF
-Pl0SsWECgYEA+2PSBLjQ3zywFMC7Mm0xEK3ASvHvljCum71H8RPJeaRh7IJeIfjb
-NHWfGZJfkSRwFXoaBK4rcG7p/vcbjf+HA/Yl70Yrosqxg4+fjM+k1qNJ9STi65VR
-LTEv3FQlH8XjWTho0jyOn3HEhJJD9++51/GPAUuARWq+jC+iq5ERgekCgYEAwn0o
-ZJ1mkk0I/fddt7H9BGCBnxwxBxPsZqjettJ2iqmB1uzIfHQlPv+dAlpFGCp5GVOZ
-O71/RLDc1WDgYMPd96+afpDiAtYxMcGljswJ53ZNGhsES/hxuuowWWo57A3GgXNk
-739G7jvwCqOgOAz9x/D4bJxxvXXKs64qP6pZN+UCgYAsa0rkwrNFfreuMw/grSKK
-S+k6VN18sEVqB1v64QAsmjsjSzXO0uYIsu/V2ONCBio34UdPpGbQiwiVoJwhzxDQ
-RmIVkVSMgzwyfuI2Q0phEqEyy7282rlpPtOyHrwgjRrK3QjIfSLGUZfjxOR1nso7
-udcG54xWt7HLm28m2Y86YQKBgAGoraKGESzoSU5ZQMxjUUQrSo+/3s8vpVGO2S94
-BhjSr0/U/zTIjNTHu2AcwwAcxKGpq+HtkNtWItwTEnbg1NDbB5dSxwq9JvhErZPV
-O7Rktu2lE1lOijHM85KfrFTOHUZXZKICVOmNS1Pb527y9WsyK/xJLVMvYQY9UxDt
-9ArdAoGAQQZb5WdO0zeWB2GT6DKS0aiokokZJExpTgYmt1+doy6iUj7U9zfYOrZ0
-/x9YDw+m0yIAgPeWTjVAVx6tzYjwxn2/xwgi4tF/5kk32qv3uIwkYaE7z5wshwGu
-RQ+L2daqEy9uNfVQBKAgsWq4D1J1GySGyiCJz9EdYfoRUxioGvM=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn2_pub.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn2_pub.pem
index c54f190670c..43f43851545 100644
--- a/cpp/test/IceSSL/certs/s_rsa_ca1_cn2_pub.pem
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn2_pub.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtTCCA52gAwIBAgIIJoFRkbPzeYgwDQYJKoZIhvcNAQELBQAwgY4xGDAWBgNV
-BAMMD1plcm9DIFRlc3QgQ0EgMTEMMAoGA1UECwwDSWNlMRQwEgYDVQQKDAtaZXJv
-QywgSW5jLjEQMA4GA1UEBwwHSnVwaXRlcjEQMA4GA1UECAwHRmxvcmlkYTELMAkG
-A1UEBhMCVVMxHTAbBgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tMB4XDTE1MDQx
-NDE5MjAzMFoXDTIwMDQxMjE5MjAzMFowgYkxEzARBgNVBAMMCjEyNy4wLjAuMTEx
-DDAKBgNVBAsMA0ljZTEUMBIGA1UECgwLWmVyb0MsIEluYy4xEDAOBgNVBAcMB0p1
-cGl0ZXIxEDAOBgNVBAgMB0Zsb3JpZGExCzAJBgNVBAYTAlVTMR0wGwYJKoZIhvcN
-AQkBFg5pbmZvQHplcm9jLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAL78jI+GvD8e+WV/e+nftq930TOAtYalz7ewqiIey2/+8I2OSz1BcybYloO2
-WF8vBAIwULAEDKZs1SBIRRLl8TbRWzxKiRt9cwYuwLU7eccnpc3RkyzR3/riwQ9P
-fGqfBzuvWRMFES9OO0qYSDsxMTbTuqGe45wllgSjxCxyRbZ/e0MWZZfOIktNG+UY
-oirSGW/omwQ1KLqfoQkawIAmMDxkxmZZx7QSAjwB4MKPQx+bpOyGqzI5A5lYAFzu
-mJfqOnusvw0ZPu6RjnquTHYnkXPQ3wzhbF+P97UrpH5G2wLtoptGURntUiIv7B/E
-0SmOGmyVQA5fB8/C6IehVWuTRG0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBQ8Ub4X
-Mn1Tae99mxRpu2zlipF/BTCBwgYDVR0jBIG6MIG3gBT+18YGVbtNwpbjJcDU4KEv
-6GJiGaGBlKSBkTCBjjEYMBYGA1UEAwwPWmVyb0MgVGVzdCBDQSAxMQwwCgYDVQQL
-DANJY2UxFDASBgNVBAoMC1plcm9DLCBJbmMuMRAwDgYDVQQHDAdKdXBpdGVyMRAw
-DgYDVQQIDAdGbG9yaWRhMQswCQYDVQQGEwJVUzEdMBsGCSqGSIb3DQEJARYOaW5m
-b0B6ZXJvYy5jb22CCGnuK/IUHTttMAsGA1UdDwQEAwIF4DAhBgNVHRIEGjAYhwR/
-AAABgRBpc3N1ZXJAemVyb2MuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAZnA9BsWpC
-44mCDBEtS0J1UfKQoG8yH67tVul4YdqDC5aYfw2GOSTT/vPPUNmI/3Wa/Jb3CRvU
-WUiqVWoRyKB50gGnbE0kUQj2jv3IaNhsnmEZ0xKkbq5h2rNkKuhEd8Erj3FC83iP
-rzJVO7qjboYGVkukIcTsMpU3wtwohCB+8v1NDOlMv/Z9vZSeGwjebWJtDAD32oWN
-bmAbnjxEF5Uei3MO/fWK9wvElSa4TAXVS7+ovAzvs7o+ikD+cLcbtfXhMBZH0cg+
-y2Ht1A5mP1AsK04W96fs/ZIdZxiaVIjRR2hN4BUZYOxar0wxwy2oyDcyHTjuLKNn
-DohtzPbwUer8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-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn3.p12 b/cpp/test/IceSSL/certs/s_rsa_ca1_cn3.p12
new file mode 100644
index 00000000000..e5444b048fb
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn3.p12
Binary files differ
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn3_priv.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn3_priv.pem
new file mode 100644
index 00000000000..bf7cbc0e015
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn3_priv.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn3_pub.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn3_pub.pem
new file mode 100644
index 00000000000..a06c101a83a
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn3_pub.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn4.p12 b/cpp/test/IceSSL/certs/s_rsa_ca1_cn4.p12
new file mode 100644
index 00000000000..225fe79c8ee
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn4.p12
Binary files differ
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn4_priv.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn4_priv.pem
new file mode 100644
index 00000000000..cb43b1321d6
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn4_priv.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn4_pub.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn4_pub.pem
new file mode 100644
index 00000000000..d7eede37947
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn4_pub.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn5.p12 b/cpp/test/IceSSL/certs/s_rsa_ca1_cn5.p12
new file mode 100644
index 00000000000..d325aac9b5e
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn5.p12
Binary files differ
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn5_priv.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn5_priv.pem
new file mode 100644
index 00000000000..d9cce8f327b
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn5_priv.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn5_pub.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn5_pub.pem
new file mode 100644
index 00000000000..85c395be386
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn5_pub.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn6.p12 b/cpp/test/IceSSL/certs/s_rsa_ca1_cn6.p12
new file mode 100644
index 00000000000..ac0395851f1
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn6.p12
Binary files differ
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn6_priv.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn6_priv.pem
new file mode 100644
index 00000000000..7364e617834
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn6_priv.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn6_pub.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn6_pub.pem
new file mode 100644
index 00000000000..1d06cdac957
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn6_pub.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn7.p12 b/cpp/test/IceSSL/certs/s_rsa_ca1_cn7.p12
new file mode 100644
index 00000000000..0eda88aa84b
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn7.p12
Binary files differ
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn7_priv.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn7_priv.pem
new file mode 100644
index 00000000000..f50a64f084b
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn7_priv.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn7_pub.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn7_pub.pem
new file mode 100644
index 00000000000..5dea1614fa9
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn7_pub.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn8.p12 b/cpp/test/IceSSL/certs/s_rsa_ca1_cn8.p12
new file mode 100644
index 00000000000..4c0037359ba
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn8.p12
Binary files differ
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn8_priv.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn8_priv.pem
new file mode 100644
index 00000000000..0eef4f76ddc
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn8_priv.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCYzxClKb62/F/I
+/1nVyQvgoJuyI/8OHFW6JWY6C2GPCIWr1vNRxjM3V54K/Glu+CPfP6doftSkUpVD
+FCEYB5o2MjG8DzQhnldDzJhPJDS3NV1MsV9C4ybz3r7jDKU8cPTrFe4IRFKCTdiY
+w+q3dNkKdI4ikgkBH94nv1EfM/F29pXuBbzoDOgFxkIIWvvXdFmYz0azJpCiCpFY
+S085OsPARCeilMn0EK3AyF6RJT1RqA1oUkQRBJeXrc4GBO/pZjusmcNdg9MNED0r
+7LGtMVmHAoKc4dUSgoQjvrF7mmWEaTuczD9bve//MEhKAZESvb+EPo+kQaO8LXuo
+6/0u81S7AgMBAAECggEABAufTjAPu3ps8r5H25AJ/3VhCdNIIlB/uIDa9vhsKcQ4
+/bagFG8h1fo81d+ezvBEytk9jlelO4BwMSlsQt2YqIylomvonmc5ujLFaXr05lDE
+Wo5rjjLDSjuAZDRmf3YiFcMr3Q4p/Qcgj9LH+Plf8ZXqWWHyWRRF5ll7RU8zukl8
+bxFJOAsjx1nFMaLyl6XLfusyMNy9Sg5Cfmsx0NCdL5TcvwiKgakT3COLyJFZSRu5
+AxbBDiHYul+G9vmL4kELQMm4rhAXpmEBRD6QLl/QjYUW/PsxUXX5i0w2hhw/Vs3J
+5tXJ6hf07g8gCu5meBsYt847ih0vYOS30fTRMtskWQKBgQDKMsNFIPBBV3J9OaU9
+vO7nIhAuNgqaV3oofIUWcBIla4UGvR8CNMuZQOtWGE8QFgvcUVVKv65+kU+Qi/lA
+hQjVUHJBarWXCoRBwia3NoNc9E1BNYawX6WauHPktGLNUdUYVXNdP0hsv0hImMX3
+Wv77uw/N190oZKSViVrjdHoVNwKBgQDBeASaG8DA32FpHl3EzZchy8fuuSwrllLy
+kguJMwlWcfRYicnzr/xokj9QKiw4YRYyvZtr+y5tZCwrslWg9ifDovt38mWEF7KL
+iH0sWEjs4iSUwl4ynpr0vYN8UMSWH9InBeFng52kl/xYgmTbAgbxZLVFqEiFqKxa
+cOuscRc+nQKBgD161+LyE/taMoae+35dLyr6MX9LkUfCp3MeAX2EEBBus+ELqh0K
+nol3stbXx1p1yZ9w34U96Tm0x0OFPAGBMeFid4sqfhJx8SrpdMoqeiDOa5sTQmPo
+gTsdMKfurUgOxMOEX/KPZl8ifkEMqsz+Tx+Njk2hgC5jA6QwQoF8jg5bAoGAdxa+
+lnIg61hVaNRlWeBHeGksz5iyRL5KnsAhU7nTtJ9+jgV7B4K7t07WpCzhfW7dsCwg
+gI5kHLf9rIQgy2zaO0WWz1WpAW9o2xUQH/zUHuRxKhSe0T/qGF6TkjFRYSuDO7wV
+7JcKsadQkNbq6BjOV0brgk49HfEe7qj1mPcgHM0CgYB2NOcOcm93soJTyldlGuyH
+yunysmWotJQjEQvzdb60UZvCSElbZC2yHFQLKV6IzNXkQjrMhhOZ1dlCYl3rzT+5
+qhJofhGCI3u30T/1o6dF6RO+r+8GhQ9h2O99YksPNd5WHFt63Emz1+ur4k7dlnJp
+jlKsW6Xbm41luaeJuzY12A==
+-----END PRIVATE KEY-----
diff --git a/cpp/test/IceSSL/certs/s_rsa_ca1_cn8_pub.pem b/cpp/test/IceSSL/certs/s_rsa_ca1_cn8_pub.pem
new file mode 100644
index 00000000000..45888275f1c
--- /dev/null
+++ b/cpp/test/IceSSL/certs/s_rsa_ca1_cn8_pub.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index e460532d584..95214c79a20 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -1165,14 +1165,19 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12)
comm->destroy();
//
- // Test IceSSL.CheckCertName. The test certificates for the server contain "127.0.0.1"
- // as the common name or as a subject alternative name, so we only perform this test when
- // the default host is "127.0.0.1".
+ // Test Hostname verification only when Ice.DefaultHost is 127.0.0.1
+ // as that is the IP address used in the test certificates.
//
if(defaultHost == "127.0.0.1")
{
//
- // Test subject alternative name.
+ // Test using localhost as target host
+ //
+ Ice::PropertiesPtr props = defaultProps->clone();
+ props->setProperty("Ice.Default.Host", "localhost");
+
+ //
+ // Target host matches the certificate DNS altName
//
initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
initData.properties->setProperty("IceSSL.CheckCertName", "1");
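Review bot: The new header comment names the property `Ice.DefaultHost`, while the code added a few lines below sets `Ice.Default.Host`; the comment should use the same spelling, e.g. `// Test hostname verification only when Ice.Default.Host is 127.0.0.1,`. The `localhost` cases that follow presumably also depend on `localhost` resolving to that address, which the `defaultHost == "127.0.0.1"` guard does not check, so the comment should state that assumption. allTests starts and ends outside this hunk.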
@@ -1180,21 +1185,47 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12)
fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
test(fact);
- d = createServerProps(defaultProps, p12, "s_rsa_ca1", "cacert1");
+ d = createServerProps(props, p12, "s_rsa_ca1_cn1", "cacert1");
server = fact->createServer(d);
try
{
server->ice_ping();
}
- catch(const LocalException&)
+ catch(const Ice::LocalException&)
{
test(false);
}
+
fact->destroyServer(server);
comm->destroy();
+
+ //
+ // Target host does not match the certificate DNS altName
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "1");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(props, p12, "s_rsa_ca1_cn2", "cacert1");
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ test(false);
+ }
+ catch(const Ice::SecurityException&)
+ {
+ // Expected
+ }
+ fact->destroyServer(server);
+ comm->destroy();
+
//
- // Test common name.
+ // Target host matches the certificate Common Name and the certificate does not
+ // include a DNS altName
//
initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
initData.properties->setProperty("IceSSL.CheckCertName", "1");
@@ -1202,23 +1233,48 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12)
fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
test(fact);
- d = createServerProps(defaultProps, p12, "s_rsa_ca1_cn1", "cacert1");
+ d = createServerProps(props, p12, "s_rsa_ca1_cn3", "cacert1");
server = fact->createServer(d);
try
{
server->ice_ping();
}
- catch(const LocalException& ex)
+ catch(const Ice::LocalException&)
{
- cerr << ex << endl;
test(false);
}
+
fact->destroyServer(server);
comm->destroy();
+
+ //
+ // Target host does not match the certificate Common Name and the certificate does not
+ // include a DNS altName
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "1");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(props, p12, "s_rsa_ca1_cn4", "cacert1");
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ test(false);
+ }
+ catch(const Ice::SecurityException&)
+ {
+ // Expected
+ }
+ fact->destroyServer(server);
+ comm->destroy();
+
//
- // Test common name again. The certificate used in this test has "127.0.0.11" as its
- // common name, therefore the address "127.0.0.1" must NOT match.
+ // Target host matches the certificate Common Name and the certificate has
+ // a DNS altName that does not matches the target host
//
initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
initData.properties->setProperty("IceSSL.CheckCertName", "1");
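Review bot: The positive cn3 case drops `cerr << ex << endl;`, so a failure now reports only the `test(false)` location and not why the handshake was rejected. In a hostname-verification test that reason is what separates a name mismatch from a chain or expiry error. I would keep `catch(const Ice::LocalException& ex)` with `cerr << ex << endl;` before `test(false);`, and do the same in the other accepting cases (cn1 in the previous hunk, cn6 in the next one). The comment at the end of this hunk also reads "does not matches"; it should be "does not match".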
@@ -1226,17 +1282,108 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12)
fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
test(fact);
- d = createServerProps(defaultProps, p12, "s_rsa_ca1_cn2", "cacert1");
+ d = createServerProps(props, p12, "s_rsa_ca1_cn5", "cacert1");
server = fact->createServer(d);
try
{
server->ice_ping();
test(false);
}
- catch(const LocalException&)
+ catch(const Ice::SecurityException&)
+ {
+ // Expected
+ }
+
+ fact->destroyServer(server);
+ comm->destroy();
+
+ //
+ // Test using 127.0.0.1 as target host
+ //
+
+ //
+ // Target host matches the certificate IP altName
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "1");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(defaultProps, p12, "s_rsa_ca1_cn6", "cacert1");
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ }
+ catch(const Ice::LocalException&)
+ {
+ test(false);
+ }
+
+ fact->destroyServer(server);
+ comm->destroy();
+
+ //
+ // Target host does not match the certificate IP altName
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "1");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(defaultProps, p12, "s_rsa_ca1_cn7", "cacert1");
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ test(false);
+ }
+ catch(const Ice::SecurityException&)
+ {
+ // Expected
+ }
+
+ fact->destroyServer(server);
+ comm->destroy();
+
+ //
+ // Target host is an IP addres that matches the CN and the certificate doesn't
+ // include an IP altName.
+ //
+ // UWP and SecureTransport implementation the target IP will match with the Certificate
+ // CN and the test will pass. With other implementations IP address is only match with
+ // the Certificate IP altName and the test will fail.
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "1");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(defaultProps, p12, "s_rsa_ca1_cn8", "cacert1");
+ server = fact->createServer(d);
+#if defined(ICE_OS_UWP) || defined(ICE_USE_SECURE_TRANSPORT)
+ try
{
- // Expected.
+ server->ice_ping();
+ }
+ catch(const Ice::LocalException&)
+ {
+ test(false);
+ }
+#else
+ try
+ {
+ server->ice_ping();
+ test(false);
+ }
+ catch(const Ice::SecurityException&)
+ {
+ // Expected
}
+#endif
fact->destroyServer(server);
comm->destroy();
}
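Review bot: The cn8 case asserts opposite outcomes behind `#if defined(ICE_OS_UWP) || defined(ICE_USE_SECURE_TRANSPORT)`, so on those builds the test records as correct that an IP target is accepted from the certificate CN alone. RFC 2818 expects an IP identity to be matched against an iPAddress subjectAltName, so `IceSSL.CheckCertName=1` gives a weaker guarantee on those two back ends than on the others. The comment should say this is a known limitation of the native API rather than intended policy, e.g. `// NOTE: UWP/SecureTransport accept an IP target via CN; other back ends require an iPAddress subjectAltName.`, and the same caveat belongs in the property documentation. The comment also has a typo ("addres"). allTests continues outside this hunk.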
diff --git a/csharp/src/IceSSL/SSLEngine.cs b/csharp/src/IceSSL/SSLEngine.cs
index 6e2fe6d954f..a958d117ec6 100644
--- a/csharp/src/IceSSL/SSLEngine.cs
+++ b/csharp/src/IceSSL/SSLEngine.cs
@@ -407,6 +407,11 @@ namespace IceSSL
return _verifier;
}
+ internal bool getCheckCertName()
+ {
+ return _checkCertName;
+ }
+
internal void setPasswordCallback(PasswordCallback callback)
{
_passwordCallback = callback;
@@ -474,197 +479,7 @@ namespace IceSSL
internal void verifyPeer(string address, NativeConnectionInfo info, string desc)
{
- //
- // For an outgoing connection, we compare the proxy address (if any) against
- // fields in the server's certificate (if any).
- //
- if(info.nativeCerts != null && info.nativeCerts.Length > 0 && address.Length > 0)
- {
- //
- // Extract the IP addresses and the DNS names from the subject
- // alternative names.
- //
- List<string> dnsNames = null;
- List<string> ipAddresses = null;
-
- //
- // Search for "subject alternative name" extensions. The OID value
- // of interest is 2.5.29.17 and the encoded data has the following
- // ASN.1 syntax:
- //
- // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- //
- // GeneralName ::= CHOICE {
- // otherName [0] OtherName,
- // rfc822Name [1] IA5String,
- // dNSName [2] IA5String,
- // x400Address [3] ORAddress,
- // directoryName [4] Name,
- // ediPartyName [5] EDIPartyName,
- // uniformResourceIdentifier [6] IA5String,
- // iPAddress [7] OCTET STRING,
- // registeredID [8] OBJECT IDENTIFIER
- // }
- //
- foreach(X509Extension ext in info.nativeCerts[0].Extensions)
- {
- if(ext.Oid.Value.Equals("2.5.29.17") && ext.RawData.Length > 0)
- {
- byte[] data = ext.RawData;
- if(data.Length < 2 || data[0] != 0x30) // ASN.1 sequence
- {
- continue;
- }
-
- int seqLen, pos;
- if(!decodeASN1Length(data, 1, out seqLen, out pos))
- {
- continue;
- }
-
- while(pos < data.Length)
- {
- int tag = data[pos];
-
- int len;
- if(!decodeASN1Length(data, pos + 1, out len, out pos))
- {
- break;
- }
-
- if(tag == 0x82)
- {
- //
- // Extract DNS name.
- //
- StringBuilder b = new StringBuilder();
- for(int j = pos; j < pos + len; ++j)
- {
- b.Append((char)data[j]);
- }
- if(dnsNames == null)
- {
- dnsNames = new List<string>();
- }
- dnsNames.Add(b.ToString().ToUpperInvariant());
- }
- else if(tag == 0x87)
- {
- //
- // Extract IP address.
- //
- char sep = len == 4 ? '.' : ':';
- StringBuilder b = new StringBuilder();
- for(int j = pos; j < pos + len; ++j)
- {
- if(j > pos)
- {
- b.Append(sep);
- }
- b.Append(data[j].ToString(CultureInfo.InvariantCulture));
- }
- if(ipAddresses == null)
- {
- ipAddresses = new List<string>();
- }
- ipAddresses.Add(b.ToString().ToUpperInvariant());
- }
-
- pos += len;
- }
- }
- }
-
- //
- // Compare the peer's address against the common name as well as
- // the dnsName and ipAddress values in the subject alternative name.
- //
- string dn = info.nativeCerts[0].Subject;
- string addrLower = address.ToUpperInvariant();
- bool certNameOK = false;
- {
- string cn = "cn=" + addrLower;
- int pos = dn.ToLower(CultureInfo.InvariantCulture).IndexOf(cn, StringComparison.Ordinal);
- if(pos >= 0)
- {
- //
- // Ensure we match the entire common name.
- //
- certNameOK = (pos + cn.Length == dn.Length) || (dn[pos + cn.Length] == ',');
- }
- }
-
- //
- // Compare the peer's address against the dnsName and ipAddress
- // values in the subject alternative name.
- //
- if(!certNameOK && ipAddresses != null)
- {
- certNameOK = ipAddresses.Contains(addrLower);
- }
- if(!certNameOK && dnsNames != null)
- {
- certNameOK = dnsNames.Contains(addrLower);
- }
-
- //
- // Log a message if the name comparison fails. If CheckCertName is defined,
- // we also raise an exception to abort the connection. Don't log a message if
- // CheckCertName is not defined and a verifier is present.
- //
- if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && _verifier == null)))
- {
- StringBuilder sb = new StringBuilder();
- sb.Append("IceSSL: ");
- if(!_checkCertName)
- {
- sb.Append("ignoring ");
- }
- sb.Append("certificate validation failure:\npeer certificate does not have `");
- sb.Append(address);
- sb.Append("' as its commonName or in its subjectAltName extension");
- if(dn.Length > 0)
- {
- sb.Append("\nSubject DN: ");
- sb.Append(dn);
- }
- if(dnsNames != null)
- {
- sb.Append("\nDNS names found in certificate: ");
- for(int j = 0; j < dnsNames.Count; ++j)
- {
- if(j > 0)
- {
- sb.Append(", ");
- }
- sb.Append(dnsNames[j]);
- }
- }
- if(ipAddresses != null)
- {
- sb.Append("\nIP addresses found in certificate: ");
- for(int j = 0; j < ipAddresses.Count; ++j)
- {
- if(j > 0)
- {
- sb.Append(", ");
- }
- sb.Append(ipAddresses[j]);
- }
- }
- string msg = sb.ToString();
- if(_securityTraceLevel >= 1)
- {
- _logger.trace(_securityTraceCategory, msg);
- }
- if(_checkCertName)
- {
- Ice.SecurityException ex = new Ice.SecurityException();
- ex.reason = msg;
- throw ex;
- }
- }
- }
+
if(_verifyDepthMax > 0 && info.nativeCerts != null && info.nativeCerts.Length > _verifyDepthMax)
{
diff --git a/csharp/src/IceSSL/TransceiverI.cs b/csharp/src/IceSSL/TransceiverI.cs
index 83b68981f1d..c659d491376 100644
--- a/csharp/src/IceSSL/TransceiverI.cs
+++ b/csharp/src/IceSSL/TransceiverI.cs
@@ -547,7 +547,7 @@ namespace IceSSL
_chain.Build(new X509Certificate2(certificate));
if(_chain.ChainStatus != null && _chain.ChainStatus.Length > 0)
{
- errors = (int)SslPolicyErrors.RemoteCertificateChainErrors;
+ errors |= (int)SslPolicyErrors.RemoteCertificateChainErrors;
}
else if(_instance.engine().caCerts() != null)
{
@@ -605,10 +605,11 @@ namespace IceSSL
if((errors & (int)SslPolicyErrors.RemoteCertificateNameMismatch) > 0)
{
- //
- // Ignore this error here; we'll check the peer certificate in verifyPeer().
- //
- errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch;
+ if(_instance.engine().getCheckCertName())
+ {
+ message = "SSL certificate validation failed - Hostname mismatch";
+ return false;
+ }
}
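Review bot: When `getCheckCertName()` returns false the new branch does nothing, so the `RemoteCertificateNameMismatch` bit that the removed `errors ^= ...` line used to clear now stays set in `errors`. The rest of the validation callback is outside this hunk; if it rejects or reports on any remaining bit, a connection with name checking disabled would start failing on a mismatch. If that is not intended, keep the clearing in an else branch: `else { errors &= ~(int)SslPolicyErrors.RemoteCertificateNameMismatch; }`. The new message also drops the target host and the certificate names that the check removed from SSLEngine.cs used to report, which makes a rejected connection harder to diagnose.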
diff --git a/csharp/test/IceSSL/certs/c_rsa_cai2.p12 b/csharp/test/IceSSL/certs/c_rsa_cai2.p12
index 16b09ea6b97..16b09ea6b97 100755..100644
--- a/csharp/test/IceSSL/certs/c_rsa_cai2.p12
+++ b/csharp/test/IceSSL/certs/c_rsa_cai2.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/cacerts.pem b/csharp/test/IceSSL/certs/cacerts.pem
index 29a3a849c04..29a3a849c04 100755..100644
--- a/csharp/test/IceSSL/certs/cacerts.pem
+++ b/csharp/test/IceSSL/certs/cacerts.pem
diff --git a/csharp/test/IceSSL/certs/makecerts.py b/csharp/test/IceSSL/certs/makecerts.py
index 3534d2d26af..8c2a674893d 100755
--- a/csharp/test/IceSSL/certs/makecerts.py
+++ b/csharp/test/IceSSL/certs/makecerts.py
@@ -15,9 +15,9 @@ except:
sys.exit(1)
toplevel="."
-while(toplevel != "/"):
+while(os.path.abspath(toplevel) != "/"):
toplevel = os.path.normpath(os.path.join("..", toplevel))
- if os.path.exists(os.path.join(toplevel, "scripts", "TestUtil.py")):
+ if os.path.exists(os.path.join(toplevel, "scripts", "Util.py")):
break
else:
raise RuntimeError("can't find toplevel directory!")
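Review bot: The new loop condition `os.path.abspath(toplevel) != "/"` only becomes false at a POSIX root. On Windows the absolute path of the root is a drive path, so when `scripts/Util.py` is not found the loop never ends and the `else` branch with the RuntimeError is never reached. A root test that does not depend on the separator is `while os.path.dirname(os.path.abspath(toplevel)) != os.path.abspath(toplevel):`. The same two lines are changed in java-compat/test/src/main/java/test/IceSSL/certs/makecerts.py and java/test/src/main/java/test/IceSSL/certs/makecerts.py.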
@@ -78,8 +78,14 @@ certs = [
(ca1, "c_rsa_ca1", None, {}),
(ca1, "s_rsa_ca1_exp", None, {}), # Expired certificate
(ca1, "c_rsa_ca1_exp", None, {}), # Expired certificate
- (ca1, "s_rsa_ca1_cn1", None, {}), # No subjectAltName, CN=127.0.0.1
- (ca1, "s_rsa_ca1_cn2", None, {}), # No subjectAltName, CN=127.0.0.11
+ (ca1, "s_rsa_ca1_cn1", None, {}),
+ (ca1, "s_rsa_ca1_cn2", None, {}),
+ (ca1, "s_rsa_ca1_cn3", None, {}),
+ (ca1, "s_rsa_ca1_cn4", None, {}),
+ (ca1, "s_rsa_ca1_cn5", None, {}),
+ (ca1, "s_rsa_ca1_cn6", None, {}),
+ (ca1, "s_rsa_ca1_cn7", None, {}),
+ (ca1, "s_rsa_ca1_cn8", None, {}),
(ca2, "s_rsa_ca2", None, {}),
(ca2, "c_rsa_ca2", None, {}),
(cai1, "s_rsa_cai1", None, {}),
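Review bot: The eight `s_rsa_ca1_cnN` entries carry no comment, and the two comments this hunk removes were the only place in the list that said which name each certificate holds. The hostname tests added in this commit depend on exactly that (cn1 to cn5 are used against `localhost`, cn6 to cn8 against `127.0.0.1`), so each entry should say it, for example `# DNS altName matches localhost` on cn1 and `# CN is the IP address, no IP altName` on cn8, worded from the test comments in AllTests. Where the subject and altName values are actually set is not visible in this hunk, so the wording should be checked against that code. The same list is changed in the java-compat and java copies of makecerts.py.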
diff --git a/csharp/test/IceSSL/certs/s_rsa_ca1_cn1.p12 b/csharp/test/IceSSL/certs/s_rsa_ca1_cn1.p12
index dd78b2d98e8..9c3343da312 100644
--- a/csharp/test/IceSSL/certs/s_rsa_ca1_cn1.p12
+++ b/csharp/test/IceSSL/certs/s_rsa_ca1_cn1.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_ca1_cn2.p12 b/csharp/test/IceSSL/certs/s_rsa_ca1_cn2.p12
index 6f8a2074b09..b4aef38457a 100644
--- a/csharp/test/IceSSL/certs/s_rsa_ca1_cn2.p12
+++ b/csharp/test/IceSSL/certs/s_rsa_ca1_cn2.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_ca1_cn3.p12 b/csharp/test/IceSSL/certs/s_rsa_ca1_cn3.p12
new file mode 100644
index 00000000000..8cee94b67d1
--- /dev/null
+++ b/csharp/test/IceSSL/certs/s_rsa_ca1_cn3.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_ca1_cn4.p12 b/csharp/test/IceSSL/certs/s_rsa_ca1_cn4.p12
new file mode 100644
index 00000000000..f21368b924e
--- /dev/null
+++ b/csharp/test/IceSSL/certs/s_rsa_ca1_cn4.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_ca1_cn5.p12 b/csharp/test/IceSSL/certs/s_rsa_ca1_cn5.p12
new file mode 100644
index 00000000000..6e4d831fff1
--- /dev/null
+++ b/csharp/test/IceSSL/certs/s_rsa_ca1_cn5.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_ca1_cn6.p12 b/csharp/test/IceSSL/certs/s_rsa_ca1_cn6.p12
new file mode 100644
index 00000000000..91140818f87
--- /dev/null
+++ b/csharp/test/IceSSL/certs/s_rsa_ca1_cn6.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_ca1_cn7.p12 b/csharp/test/IceSSL/certs/s_rsa_ca1_cn7.p12
new file mode 100644
index 00000000000..801a9cfbd64
--- /dev/null
+++ b/csharp/test/IceSSL/certs/s_rsa_ca1_cn7.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_ca1_cn8.p12 b/csharp/test/IceSSL/certs/s_rsa_ca1_cn8.p12
new file mode 100644
index 00000000000..ff78f6fb788
--- /dev/null
+++ b/csharp/test/IceSSL/certs/s_rsa_ca1_cn8.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_cai1.p12 b/csharp/test/IceSSL/certs/s_rsa_cai1.p12
index ef726b757a4..ef726b757a4 100755..100644
--- a/csharp/test/IceSSL/certs/s_rsa_cai1.p12
+++ b/csharp/test/IceSSL/certs/s_rsa_cai1.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_cai2.p12 b/csharp/test/IceSSL/certs/s_rsa_cai2.p12
index 0baa8966798..0baa8966798 100755..100644
--- a/csharp/test/IceSSL/certs/s_rsa_cai2.p12
+++ b/csharp/test/IceSSL/certs/s_rsa_cai2.p12
Binary files differ
diff --git a/csharp/test/IceSSL/certs/s_rsa_wroot_ca1.p12 b/csharp/test/IceSSL/certs/s_rsa_wroot_ca1.p12
index 214026acf7c..214026acf7c 100755..100644
--- a/csharp/test/IceSSL/certs/s_rsa_wroot_ca1.p12
+++ b/csharp/test/IceSSL/certs/s_rsa_wroot_ca1.p12
Binary files differ
diff --git a/csharp/test/IceSSL/configuration/AllTests.cs b/csharp/test/IceSSL/configuration/AllTests.cs
index 52c4d9f2bad..b02a6cec16c 100644
--- a/csharp/test/IceSSL/configuration/AllTests.cs
+++ b/csharp/test/IceSSL/configuration/AllTests.cs
@@ -543,20 +543,19 @@ public class AllTests
comm.destroy();
//
- // NOTE: We can't test IceSSL.CheckCertName here because the common name (CN) field of
- // the server's certificate has the value "Server" and we can't use "Server" as a host
- // name in an endpoint (it almost certainly wouldn't resolve correctly).
- //
-
- //
- // Test IceSSL.CheckCertName. The test certificates for the server contain "127.0.0.1"
- // as the common name or as a subject alternative name, so we only perform this test when
- // the default host is "127.0.0.1".
+ // Test Hostname verification only when Ice.DefaultHost is 127.0.0.1
+ // as that is the IP address used in the test certificates.
//
if(defaultHost.Equals("127.0.0.1"))
{
//
- // Test subject alternative name.
+ // Test using localhost as target host
+ //
+ Ice.Properties props = defaultProperties.ice_clone_();
+ props.setProperty("Ice.Default.Host", "localhost");
+
+ //
+ // Target host matches the certificate DNS altName
//
{
initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
@@ -565,7 +564,7 @@ public class AllTests
fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, "s_rsa_ca1", "cacert1");
+ d = createServerProps(props, "s_rsa_ca1_cn1", "cacert1");
d["IceSSL.CheckCertName"] = "1";
server = fact.createServer(d);
try
@@ -580,7 +579,7 @@ public class AllTests
comm.destroy();
}
//
- // Test common name.
+ // Target host does not match the certificate DNS altName
//
{
initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
@@ -589,7 +588,33 @@ public class AllTests
fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, "s_rsa_ca1_cn1", "cacert1");
+ d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1");
+ d["IceSSL.CheckCertName"] = "1";
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ //
+ // Target host matches the certificate Common Name and the certificate does not
+ // include a DNS altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(props, "s_rsa_ca1_cn3", "cacert1");
d["IceSSL.CheckCertName"] = "1";
server = fact.createServer(d);
try
@@ -604,8 +629,34 @@ public class AllTests
comm.destroy();
}
//
- // Test common name again. The certificate used in this test has "127.0.0.11" as its
- // common name, therefore the address "127.0.0.1" must NOT match.
+ // Target host does not match the certificate Common Name and the certificate does not
+ // include a DNS altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(props, "s_rsa_ca1_cn4", "cacert1");
+ d["IceSSL.CheckCertName"] = "1";
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ //
+ // Target host matches the certificate Common Name and the certificate has
+ // a DNS altName that does not matches the target host
//
{
initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
@@ -614,7 +665,7 @@ public class AllTests
fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, "s_rsa_ca1_cn2", "cacert1");
+ d = createServerProps(props, "s_rsa_ca1_cn5", "cacert1");
d["IceSSL.CheckCertName"] = "1";
server = fact.createServer(d);
try
@@ -622,9 +673,88 @@ public class AllTests
server.ice_ping();
test(false);
}
+ catch(Ice.SecurityException)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Test using 127.0.0.1 as target host
+ //
+
+ //
+ // Target host matches the certificate IP altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, "s_rsa_ca1_cn6", "cacert1");
+ d["IceSSL.CheckCertName"] = "1";
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
catch(Ice.LocalException)
{
- // Expected.
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ //
+ // Target host does not match the certificate IP altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, "s_rsa_ca1_cn7", "cacert1");
+ d["IceSSL.CheckCertName"] = "1";
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+ //
+ // Target host is an IP addres that matches the CN and the certificate doesn't
+ // include an IP altName.
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, "s_rsa_ca1_cn8", "cacert1");
+ d["IceSSL.CheckCertName"] = "1";
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.SecurityException)
+ {
+ test(false);
}
fact.destroyServer(server);
comm.destroy();
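Review bot: The last block added here (certificate `s_rsa_ca1_cn8`, IP address only in the CN) expects `ice_ping()` to succeed, while the matching block in java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java expects `Ice.SecurityException` for the same certificate. With `IceSSL.CheckCertName=1` an IP address in the common name is therefore accepted on .NET and rejected on Java; if that platform difference is intended, state it in the comment above the block, e.g. `// .NET accepts an IP address in the CN; the Java test expects a failure here`. The two blocks that expect success also catch different types (`Ice.LocalException` for cn6, `Ice.SecurityException` for cn8); catching `Ice.LocalException` in both would route any connection failure through `test(false)`. The enclosing test method starts and ends outside the hunk.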
diff --git a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
index 99cee153f94..d1396f1648d 100644
--- a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
+++ b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
@@ -13,6 +13,7 @@ import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.security.cert.*;
+import javax.net.ssl.SSLParameters;
class SSLEngine
{
@@ -790,6 +791,16 @@ class SSLEngine
}
engine.setUseClientMode(!incoming);
+ //
+ // Enable the HTTPS hostname verification algorithm
+ //
+ if(_checkCertName)
+ {
+ SSLParameters params = new SSLParameters();
+ params.setEndpointIdentificationAlgorithm("HTTPS");
+ engine.setSSLParameters(params);
+ }
+
String[] cipherSuites = filterCiphers(engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites());
try
{
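Review bot: `new SSLParameters()` followed by `engine.setSSLParameters(params)` applies a default parameter set to the engine, and the documented behaviour of `setSSLParameters` is to clear the client-authentication flags when neither is set in `params`; starting from the current values avoids that: `SSLParameters params = engine.getSSLParameters();`. The check is also enabled for incoming engines, although the block this commit removes describes the name comparison as applying to outgoing connections; if server-side engines should not match client certificates against the peer host, gate it with `if(_checkCertName && !incoming)`. Endpoint identification needs the engine to know the peer host, and the engine's creation is outside this hunk, so that is worth confirming. The identical hunk in java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java has the same points.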
@@ -969,140 +980,6 @@ class SSLEngine
}
}
- //
- // For an outgoing connection, we compare the proxy address (if any) against
- // fields in the server's certificate (if any).
- //
- if(info.nativeCerts != null && info.nativeCerts.length > 0 && address.length() > 0)
- {
- X509Certificate cert = (X509Certificate)info.nativeCerts[0];
-
- //
- // Extract the IP addresses and the DNS names from the subject
- // alternative names.
- //
- java.util.ArrayList<String> ipAddresses = new java.util.ArrayList<String>();
- java.util.ArrayList<String> dnsNames = new java.util.ArrayList<String>();
- try
- {
- java.util.Collection<java.util.List<?> > subjectAltNames = cert.getSubjectAlternativeNames();
- if(subjectAltNames != null)
- {
- for(java.util.List<?> l : subjectAltNames)
- {
- assert(!l.isEmpty());
- Integer n = (Integer)l.get(0);
- if(n.intValue() == 7)
- {
- ipAddresses.add((String)l.get(1));
- }
- else if(n.intValue() == 2)
- {
- dnsNames.add(((String)l.get(1)).toLowerCase());
- }
- }
- }
- }
- catch(CertificateParsingException ex)
- {
- assert(false);
- }
-
- //
- // Compare the peer's address against the common name as well as
- // the dnsName and ipAddress values in the subject alternative name.
- //
- boolean certNameOK = false;
- String dn = "";
- String addrLower = address.toLowerCase();
- {
- javax.security.auth.x500.X500Principal principal = cert.getSubjectX500Principal();
- dn = principal.getName(javax.security.auth.x500.X500Principal.CANONICAL);
- //
- // Canonical format is already in lower case.
- //
- String cn = "cn=" + addrLower;
- int pos = dn.indexOf(cn);
- if(pos >= 0)
- {
- //
- // Ensure we match the entire common name.
- //
- certNameOK = (pos + cn.length() == dn.length()) || (dn.charAt(pos + cn.length()) == ',');
- }
- }
-
- //
- // Compare the peer's address against the dnsName and ipAddress
- // values in the subject alternative name.
- //
- if(!certNameOK)
- {
- certNameOK = ipAddresses.contains(addrLower);
- }
- if(!certNameOK)
- {
- certNameOK = dnsNames.contains(addrLower);
- }
-
- //
- // Log a message if the name comparison fails. If CheckCertName is defined,
- // we also raise an exception to abort the connection. Don't log a message if
- // CheckCertName is not defined and a verifier is present.
- //
- if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && _verifier == null)))
- {
- StringBuilder sb = new StringBuilder(128);
- sb.append("IceSSL: ");
- if(!_checkCertName)
- {
- sb.append("ignoring ");
- }
- sb.append("certificate validation failure:\npeer certificate does not have `");
- sb.append(address);
- sb.append("' as its commonName or in its subjectAltName extension");
- if(dn.length() > 0)
- {
- sb.append("\nSubject DN: ");
- sb.append(dn);
- }
- if(!dnsNames.isEmpty())
- {
- sb.append("\nDNS names found in certificate: ");
- for(int j = 0; j < dnsNames.size(); ++j)
- {
- if(j > 0)
- {
- sb.append(", ");
- }
- sb.append(dnsNames.get(j));
- }
- }
- if(!ipAddresses.isEmpty())
- {
- sb.append("\nIP addresses found in certificate: ");
- for(int j = 0; j < ipAddresses.size(); ++j)
- {
- if(j > 0)
- {
- sb.append(", ");
- }
- sb.append(ipAddresses.get(j));
- }
- }
- if(_securityTraceLevel >= 1)
- {
- _logger.trace(_securityTraceCategory, sb.toString());
- }
- if(_checkCertName)
- {
- Ice.SecurityException ex = new Ice.SecurityException();
- ex.reason = sb.toString();
- throw ex;
- }
- }
- }
-
if(_verifyDepthMax > 0 && info.nativeCerts != null && info.nativeCerts.length > _verifyDepthMax)
{
String msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected:\n" +
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/makecerts.py b/java-compat/test/src/main/java/test/IceSSL/certs/makecerts.py
index 4db218bfffc..8647c9639a3 100755
--- a/java-compat/test/src/main/java/test/IceSSL/certs/makecerts.py
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/makecerts.py
@@ -15,9 +15,9 @@ except:
sys.exit(1)
toplevel="."
-while(toplevel != "/"):
+while(os.path.abspath(toplevel) != "/"):
toplevel = os.path.normpath(os.path.join("..", toplevel))
- if os.path.exists(os.path.join(toplevel, "scripts", "TestUtil.py")):
+ if os.path.exists(os.path.join(toplevel, "scripts", "Util.py")):
break
else:
raise RuntimeError("can't find toplevel directory!")
@@ -72,8 +72,14 @@ certs = [
(ca1, "c_rsa_ca1", None, {}),
(ca1, "s_rsa_ca1_exp", None, {}), # Expired certificate
(ca1, "c_rsa_ca1_exp", None, {}), # Expired certificate
- (ca1, "s_rsa_ca1_cn1", None, {}), # No subjectAltName, CN=127.0.0.1
- (ca1, "s_rsa_ca1_cn2", None, {}), # No subjectAltName, CN=127.0.0.11
+ (ca1, "s_rsa_ca1_cn1", None, {}),
+ (ca1, "s_rsa_ca1_cn2", None, {}),
+ (ca1, "s_rsa_ca1_cn3", None, {}),
+ (ca1, "s_rsa_ca1_cn4", None, {}),
+ (ca1, "s_rsa_ca1_cn5", None, {}),
+ (ca1, "s_rsa_ca1_cn6", None, {}),
+ (ca1, "s_rsa_ca1_cn7", None, {}),
+ (ca1, "s_rsa_ca1_cn8", None, {}),
(ca2, "s_rsa_ca2", None, {}),
(ca2, "c_rsa_ca2", None, {}),
(ca1, "s_dsa_ca1", None, {}),
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jks
index 55b336e308c..ffed07bb4f8 100644
--- a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jks
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jks
index a33ed0dfc84..8647c387bfb 100644
--- a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jks
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn3.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn3.jks
new file mode 100644
index 00000000000..8eba8766e62
--- /dev/null
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn3.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn4.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn4.jks
new file mode 100644
index 00000000000..7f417a1a999
--- /dev/null
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn4.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn5.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn5.jks
new file mode 100644
index 00000000000..3ade920c683
--- /dev/null
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn5.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn6.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn6.jks
new file mode 100644
index 00000000000..d9e5548aa98
--- /dev/null
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn6.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn7.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn7.jks
new file mode 100644
index 00000000000..8ef1d8e622f
--- /dev/null
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn7.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn8.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn8.jks
new file mode 100644
index 00000000000..036500b917f
--- /dev/null
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn8.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_exp.jks b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_exp.jks
index 77a50df3907..2a41cd525db 100644
--- a/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_exp.jks
+++ b/java-compat/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_exp.jks
Binary files differ
diff --git a/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java b/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java
index bbc1892ae36..1ce41753de6 100644
--- a/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java
+++ b/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java
@@ -504,23 +504,76 @@ public class AllTests
comm.destroy();
//
- // Test IceSSL.CheckCertName. The test certificates for the server contain "127.0.0.1"
- // as the common name or as a subject alternative name, so we only perform this test when
- // the default host is "127.0.0.1".
+ // Test Hostname verification only when Ice.DefaultHost is 127.0.0.1
+ // as that is the IP address used in the test certificates.
//
if(defaultHost.equals("127.0.0.1"))
{
//
- // Test subject alternative name.
+ // Test using localhost as target host
+ //
+
+ //
+ // Target host matches the certificate DNS altName
//
{
- initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1");
+ initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(args, initData);
+
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn1", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Target host does not match the certificate DNS altName
+ //
+ {
+ initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(args, initData);
+
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn2", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Target host matches the certificate Common Name and the certificate does not
+ // include a DNS altName
+ //
+ {
+ initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1");
initData.properties.setProperty("IceSSL.CheckCertName", "1");
comm = Ice.Util.initialize(args, initData);
fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1");
+ d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn3", "cacert1");
server = fact.createServer(d);
try
{
@@ -533,8 +586,65 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
+ //
+ // Target host does not match the certificate Common Name and the certificate does not
+ // include a DNS altName
+ //
+ {
+ initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(args, initData);
+
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn4", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Target host matches the certificate Common Name and the certificate has
+ // a DNS altName that does not matches the target host
+ //
+ {
+ initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(args, initData);
+
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn5", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Test using 127.0.0.1 as target host
//
- // Test common name.
+
+ //
+ // Target host matches the certificate IP altName
//
{
initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1");
@@ -543,7 +653,7 @@ public class AllTests
fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_cn1", "cacert1");
+ d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_cn6", "cacert1");
server = fact.createServer(d);
try
{
@@ -556,9 +666,9 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
//
- // Test common name again. The certificate used in this test has "127.0.0.11" as its
- // common name, therefore the address "127.0.0.1" must NOT match.
+ // Target host does not match the certificate IP altName
//
{
initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1");
@@ -567,16 +677,42 @@ public class AllTests
fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_cn2", "cacert1");
+ d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_cn7", "cacert1");
server = fact.createServer(d);
try
{
server.ice_ping();
test(false);
}
- catch(Ice.LocalException ex)
+ catch(Ice.SecurityException ex)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Target host is an IP addres that matches the CN and the certificate doesn't
+ // include an IP altName
+ //
+ {
+ initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Ice.Util.initialize(args, initData);
+
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_cn8", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException ex)
{
- // Expected.
+ // Expected
}
fact.destroyServer(server);
comm.destroy();
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
index ec35d2a688a..001d3a24f76 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
@@ -13,6 +13,7 @@ import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.security.cert.*;
+import javax.net.ssl.SSLParameters;
import com.zeroc.Ice.PluginInitializationException;
class SSLEngine
@@ -796,6 +797,16 @@ class SSLEngine
}
engine.setUseClientMode(!incoming);
+ //
+ // Enable the HTTPS hostname verification algorithm
+ //
+ if(_checkCertName)
+ {
+ SSLParameters params = new SSLParameters();
+ params.setEndpointIdentificationAlgorithm("HTTPS");
+ engine.setSSLParameters(params);
+ }
+
String[] cipherSuites = filterCiphers(engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites());
try
{
@@ -835,8 +846,10 @@ class SSLEngine
// Disable SSLv3
//
List<String> protocols = new ArrayList<>(java.util.Arrays.asList(engine.getEnabledProtocols()));
- protocols.remove("SSLv3");
- engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
+ if(protocols.remove("SSLv3"))
+ {
+ engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
+ }
}
@@ -975,140 +988,6 @@ class SSLEngine
}
}
- //
- // For an outgoing connection, we compare the proxy address (if any) against
- // fields in the server's certificate (if any).
- //
- if(info.nativeCerts != null && info.nativeCerts.length > 0 && address.length() > 0)
- {
- X509Certificate cert = (X509Certificate)info.nativeCerts[0];
-
- //
- // Extract the IP addresses and the DNS names from the subject
- // alternative names.
- //
- java.util.ArrayList<String> ipAddresses = new java.util.ArrayList<>();
- java.util.ArrayList<String> dnsNames = new java.util.ArrayList<>();
- try
- {
- java.util.Collection<java.util.List<?> > subjectAltNames = cert.getSubjectAlternativeNames();
- if(subjectAltNames != null)
- {
- for(java.util.List<?> l : subjectAltNames)
- {
- assert(!l.isEmpty());
- Integer n = (Integer)l.get(0);
- if(n.intValue() == 7)
- {
- ipAddresses.add((String)l.get(1));
- }
- else if(n.intValue() == 2)
- {
- dnsNames.add(((String)l.get(1)).toLowerCase());
- }
- }
- }
- }
- catch(CertificateParsingException ex)
- {
- assert(false);
- }
-
- //
- // Compare the peer's address against the common name as well as
- // the dnsName and ipAddress values in the subject alternative name.
- //
- boolean certNameOK = false;
- String dn = "";
- String addrLower = address.toLowerCase();
- {
- javax.security.auth.x500.X500Principal principal = cert.getSubjectX500Principal();
- dn = principal.getName(javax.security.auth.x500.X500Principal.CANONICAL);
- //
- // Canonical format is already in lower case.
- //
- String cn = "cn=" + addrLower;
- int pos = dn.indexOf(cn);
- if(pos >= 0)
- {
- //
- // Ensure we match the entire common name.
- //
- certNameOK = (pos + cn.length() == dn.length()) || (dn.charAt(pos + cn.length()) == ',');
- }
- }
-
- //
- // Compare the peer's address against the dnsName and ipAddress
- // values in the subject alternative name.
- //
- if(!certNameOK)
- {
- certNameOK = ipAddresses.contains(addrLower);
- }
- if(!certNameOK)
- {
- certNameOK = dnsNames.contains(addrLower);
- }
-
- //
- // Log a message if the name comparison fails. If CheckCertName is defined,
- // we also raise an exception to abort the connection. Don't log a message if
- // CheckCertName is not defined and a verifier is present.
- //
- if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && _verifier == null)))
- {
- StringBuilder sb = new StringBuilder(128);
- sb.append("IceSSL: ");
- if(!_checkCertName)
- {
- sb.append("ignoring ");
- }
- sb.append("certificate validation failure:\npeer certificate does not have `");
- sb.append(address);
- sb.append("' as its commonName or in its subjectAltName extension");
- if(dn.length() > 0)
- {
- sb.append("\nSubject DN: ");
- sb.append(dn);
- }
- if(!dnsNames.isEmpty())
- {
- sb.append("\nDNS names found in certificate: ");
- for(int j = 0; j < dnsNames.size(); ++j)
- {
- if(j > 0)
- {
- sb.append(", ");
- }
- sb.append(dnsNames.get(j));
- }
- }
- if(!ipAddresses.isEmpty())
- {
- sb.append("\nIP addresses found in certificate: ");
- for(int j = 0; j < ipAddresses.size(); ++j)
- {
- if(j > 0)
- {
- sb.append(", ");
- }
- sb.append(ipAddresses.get(j));
- }
- }
- if(_securityTraceLevel >= 1)
- {
- _logger.trace(_securityTraceCategory, sb.toString());
- }
- if(_checkCertName)
- {
- com.zeroc.Ice.SecurityException ex = new com.zeroc.Ice.SecurityException();
- ex.reason = sb.toString();
- throw ex;
- }
- }
- }
-
if(_verifyDepthMax > 0 && info.nativeCerts != null && info.nativeCerts.length > _verifyDepthMax)
{
String msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected:\n" +
diff --git a/java/test/src/main/java/test/IceSSL/certs/makecerts.py b/java/test/src/main/java/test/IceSSL/certs/makecerts.py
index 4db218bfffc..8647c9639a3 100755
--- a/java/test/src/main/java/test/IceSSL/certs/makecerts.py
+++ b/java/test/src/main/java/test/IceSSL/certs/makecerts.py
@@ -15,9 +15,9 @@ except:
sys.exit(1)
toplevel="."
-while(toplevel != "/"):
+while(os.path.abspath(toplevel) != "/"):
toplevel = os.path.normpath(os.path.join("..", toplevel))
- if os.path.exists(os.path.join(toplevel, "scripts", "TestUtil.py")):
+ if os.path.exists(os.path.join(toplevel, "scripts", "Util.py")):
break
else:
raise RuntimeError("can't find toplevel directory!")
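Review bot: The new loop condition `os.path.abspath(toplevel) != "/"` only terminates at a POSIX root. On Windows `abspath` would return a drive root rather than `/`, so if `scripts/Util.py` is never found the loop keeps prepending `..` and the `else` branch that raises `RuntimeError` is never reached. A root test that does not depend on the separator is `while os.path.dirname(os.path.abspath(toplevel)) != os.path.abspath(toplevel):`. The `try`/`except` above the loop starts outside this hunk.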
@@ -72,8 +72,14 @@ certs = [
(ca1, "c_rsa_ca1", None, {}),
(ca1, "s_rsa_ca1_exp", None, {}), # Expired certificate
(ca1, "c_rsa_ca1_exp", None, {}), # Expired certificate
- (ca1, "s_rsa_ca1_cn1", None, {}), # No subjectAltName, CN=127.0.0.1
- (ca1, "s_rsa_ca1_cn2", None, {}), # No subjectAltName, CN=127.0.0.11
+ (ca1, "s_rsa_ca1_cn1", None, {}),
+ (ca1, "s_rsa_ca1_cn2", None, {}),
+ (ca1, "s_rsa_ca1_cn3", None, {}),
+ (ca1, "s_rsa_ca1_cn4", None, {}),
+ (ca1, "s_rsa_ca1_cn5", None, {}),
+ (ca1, "s_rsa_ca1_cn6", None, {}),
+ (ca1, "s_rsa_ca1_cn7", None, {}),
+ (ca1, "s_rsa_ca1_cn8", None, {}),
(ca2, "s_rsa_ca2", None, {}),
(ca2, "c_rsa_ca2", None, {}),
(ca1, "s_dsa_ca1", None, {}),
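Review bot: The entries `s_rsa_ca1_cn1` to `s_rsa_ca1_cn8` carry no comment saying which subject and subjectAltName each certificate has, and the two comments that did (`# No subjectAltName, CN=127.0.0.1`) are removed. The hostname-verification cases in AllTests.java depend on exactly that shape, so a certificate regenerated with a different CN or altName would silently change what those tests prove. I would add a trailing comment per entry, for example `# DNS altName matches localhost` on cn1 and `# CN=127.0.0.1, no IP altName` on cn8. That wording is taken from the test comments, not from the certificate definitions, which are not visible in this hunk and should be checked.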
diff --git a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jks b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jks
index 55b336e308c..f0ec624bd87 100644
--- a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jks
+++ b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn1.jks
Binary files differ
diff --git a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jks b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jks
index a33ed0dfc84..4df543f34d0 100644
--- a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jks
+++ b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn2.jks
Binary files differ
diff --git a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn3.jks b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn3.jks
new file mode 100644
index 00000000000..19adec51edb
--- /dev/null
+++ b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn3.jks
Binary files differ
diff --git a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn4.jks b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn4.jks
new file mode 100644
index 00000000000..c1d3ac3f794
--- /dev/null
+++ b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn4.jks
Binary files differ
diff --git a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn5.jks b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn5.jks
new file mode 100644
index 00000000000..e5974419fcd
--- /dev/null
+++ b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn5.jks
Binary files differ
diff --git a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn6.jks b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn6.jks
new file mode 100644
index 00000000000..7534bd73e3f
--- /dev/null
+++ b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn6.jks
Binary files differ
diff --git a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn7.jks b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn7.jks
new file mode 100644
index 00000000000..a6864564d1e
--- /dev/null
+++ b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn7.jks
Binary files differ
diff --git a/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn8.jks b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn8.jks
new file mode 100644
index 00000000000..eee1ab83143
--- /dev/null
+++ b/java/test/src/main/java/test/IceSSL/certs/s_rsa_ca1_cn8.jks
Binary files differ
diff --git a/java/test/src/main/java/test/IceSSL/configuration/AllTests.java b/java/test/src/main/java/test/IceSSL/configuration/AllTests.java
index 7674ea5e1d2..4279307e2de 100644
--- a/java/test/src/main/java/test/IceSSL/configuration/AllTests.java
+++ b/java/test/src/main/java/test/IceSSL/configuration/AllTests.java
@@ -501,14 +501,18 @@ public class AllTests
comm.destroy();
//
- // Test IceSSL.CheckCertName. The test certificates for the server contain "127.0.0.1"
- // as the common name or as a subject alternative name, so we only perform this test when
- // the default host is "127.0.0.1".
+ // Test Hostname verification only when Ice.DefaultHost is 127.0.0.1
+ // as that is the IP address used in the test certificates.
//
if(defaultHost.equals("127.0.0.1"))
{
//
- // Test subject alternative name.
+ // Test using localhost as target host
+ //
+ com.zeroc.Ice.Properties props = defaultProperties._clone();
+ props.setProperty("Ice.Default.Host", "localhost");
+ //
+ // Target host matches the certificate DNS altName
//
{
initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
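Review bot: The new comment names the property `Ice.DefaultHost`, while the code a few lines below sets `Ice.Default.Host`; the comment should use the same spelling, `// Test hostname verification only when Ice.Default.Host is 127.0.0.1`. It would also help to say why `props` exists, for example `// props makes the server endpoints use localhost, so the client checks the certificate against a DNS name`. That second comment is inferred from how `props` is passed to `createServerProps` in the following hunks and should be confirmed. The enclosing `if` block continues past this hunk.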
@@ -517,7 +521,7 @@ public class AllTests
fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, "s_rsa_ca1", "cacert1");
+ d = createServerProps(props, "s_rsa_ca1_cn1", "cacert1");
server = fact.createServer(d);
try
{
@@ -530,8 +534,35 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
+ //
+ // Target host does not match the certificate DNS altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Util.initialize(args, initData);
+
+ fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(com.zeroc.Ice.SecurityException ex)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
//
- // Test common name.
+ // Target host matches the certificate Common Name and the certificate does not
+ // include a DNS altName
//
{
initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
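Review bot: The added negative case for `s_rsa_ca1_cn2` passes on any `com.zeroc.Ice.SecurityException`, so it cannot tell a hostname mismatch from a handshake that fails for another reason, such as an expired or untrusted certificate in the new keystore. The same holds for the `s_rsa_ca1_cn4`, `s_rsa_ca1_cn5`, `s_rsa_ca1_cn7` and `s_rsa_ca1_cn8` cases in the later hunks. A control connection to the same server certificate with `IceSSL.CheckCertName` set to `0` that must succeed would show that the name check is the only thing rejecting it, assuming the property still disables the check after this change. A sketch for the cn2 case follows; the other cases would differ only in the certificate name and in `props` versus `defaultProperties`.

```java
//
// Control: same server certificate with the name check disabled, must connect
//
{
    initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
    initData.properties.setProperty("IceSSL.CheckCertName", "0");
    comm = Util.initialize(args, initData);

    fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
    test(fact != null);
    d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1");
    server = fact.createServer(d);
    try
    {
        server.ice_ping();
    }
    catch(com.zeroc.Ice.LocalException ex)
    {
        test(false);
    }
    fact.destroyServer(server);
    comm.destroy();
}
```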
@@ -540,7 +571,7 @@ public class AllTests
fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, "s_rsa_ca1_cn1", "cacert1");
+ d = createServerProps(props, "s_rsa_ca1_cn3", "cacert1");
server = fact.createServer(d);
try
{
@@ -553,9 +584,36 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
+ //
+ // Target host does not match the certificate Common Name and the certificate does not
+ // include a DNS altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Util.initialize(args, initData);
+
+ fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(props, "s_rsa_ca1_cn4", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(com.zeroc.Ice.SecurityException ex)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
//
- // Test common name again. The certificate used in this test has "127.0.0.11" as its
- // common name, therefore the address "127.0.0.1" must NOT match.
+ // Target host matches the certificate Common Name and the certificate has
+ // a DNS altName that does not matches the target host
//
{
initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
@@ -564,16 +622,95 @@ public class AllTests
fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
test(fact != null);
- d = createServerProps(defaultProperties, "s_rsa_ca1_cn2", "cacert1");
+ d = createServerProps(props, "s_rsa_ca1_cn5", "cacert1");
server = fact.createServer(d);
try
{
server.ice_ping();
test(false);
}
+ catch(com.zeroc.Ice.SecurityException ex)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Test using 127.0.0.1 as target host
+ //
+
+ //
+ // Target host matches the certificate IP altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Util.initialize(args, initData);
+
+ fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, "s_rsa_ca1_cn6", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
catch(com.zeroc.Ice.LocalException ex)
{
- // Expected.
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Target host does not match the certificate IP altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Util.initialize(args, initData);
+
+ fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, "s_rsa_ca1_cn7", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(com.zeroc.Ice.SecurityException ex)
+ {
+ // Expected
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Target host is an IP addres that matches the CN and the certificate doesn't
+ // include an IP altName
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ comm = Util.initialize(args, initData);
+
+ fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, "s_rsa_ca1_cn8", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(com.zeroc.Ice.SecurityException ex)
+ {
+ // Expected
}
fact.destroyServer(server);
comm.destroy();
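Review bot: The comment on the `s_rsa_ca1_cn8` case says the IP address matches the CN and there is no IP altName, but not why the connection must then fail, and it misspells `address`. The case asserts that an IP target is matched only against IP altName entries and never against the common name, the opposite of the `s_rsa_ca1_cn3` case for DNS names, so the reason is worth stating: `// Target host is an IP address that matches the CN; with no IP altName the check must fail, the CN is not consulted for IP targets`. This reading is taken from the expected `SecurityException`; the matching rule itself lives in the SSL engine, outside this hunk.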