Merge branch 'develop' into 373

* develop: (21 commits)
  Add OpenSSL version check for X509_check_host
  Try to update OpenSSL on Ubuntu$
  Add TLS config for client and server for hostname verification #420
  Add TLS hostname check and CApath #420 #418
  Add tests for wrong protocol name #294
  Check for bad protocol name #294
  Check for SSLOptions structure when SSL protocol prefix is used #334
  Update CONTRIBUTING.md CLA info
  Remove reference to exit() function #342
  Reinstate tests for appveyor
  Enclose references to OsWrapper in #if defines
  Squashed commit of the following:
  Package AppVeyor artifacts attempt 1
  Create /usr/local/include if it doesn't exist #275
  Remove 373 test from Makefile... add the test source for posterity #416
  Add doc for token in ResponseOptions #411
  Add missing string.h include to SSLSocket.c
  Try AppVeyor config again
  Update AppVeyor config for latest test broker updates
  Move ListRemove after where qe is used #339
  ...

# Conflicts:
#	src/SSLSocket.c
#	test/test_issue373.c
Signed-off-by: Juergen Kosel <juergen.kosel@softing.com>

CONTRIBUTING.md

@@ -10,12 +10,12 @@ In order for your contribution to be accepted, it must comply with the Eclipse F
 
 Please read the [Eclipse Foundation policy on accepting contributions via Git](http://wiki.eclipse.org/Development_Resources/Contributing_via_Git).
 
-1. Sign the [Eclipse CLA](http://www.eclipse.org/legal/CLA.php)
+1. Sign the [Eclipse ECA](http://www.eclipse.org/legal/ECA.php)
   1. Register for an Eclipse Foundation User ID. You can register [here](https://dev.eclipse.org/site_login/createaccount.php).
-  2. Log into the [Projects Portal](https://projects.eclipse.org/), and click on the '[Eclipse CLA](https://projects.eclipse.org/user/sign/cla)' link.
+  2. Log into the [Eclipse projects forge](https://www.eclipse.org/contribute/cla), and click on 'Eclipse Contributor Agreement'.
 2. Go to your [account settings](https://dev.eclipse.org/site_login/myaccount.php#open_tab_accountsettings) and add your GitHub username to your account.
 3. Make sure that you _sign-off_ your Git commits in the following format:
-  ``` Signed-off-by: John Smith <johnsmith@nowhere.com> ``` This is usually at the bottom of the commit message. You can automate this by adding the '-s' flag when you make the commits. e.g.   ```git commit -s -m "Adding a cool feature"```
+  ``` Signed-off-by: Alex Smith <alexsmith@nowhere.com> ``` This is usually at the bottom of the commit message. You can automate this by adding the '-s' flag when you make the commits. e.g.   ```git commit -s -m "Adding a cool feature"```
 4. Ensure that the email address that you make your commits with is the same one you used to sign up to the Eclipse Foundation website with.
 
 ## Contributing a change

Makefile

 #*******************************************************************************
-#  Copyright (c) 2009, 2017 IBM Corp.
+#  Copyright (c) 2009, 2018 IBM Corp.
 #
 #  All rights reserved. This program and the accompanying materials
 #  are made available under the terms of the Eclipse Public License v1.0
@@ -96,7 +96,7 @@ SYNC_TESTS = ${addprefix ${blddir}/test/,${TEST_FILES_C}}
 TEST_FILES_CS = test3
 SYNC_SSL_TESTS = ${addprefix ${blddir}/test/,${TEST_FILES_CS}}
 
-TEST_FILES_A = test4 test6 test9 test_mqtt4async test_issue373
+TEST_FILES_A = test4 test6 test9 test_mqtt4async
 ASYNC_TESTS = ${addprefix ${blddir}/test/,${TEST_FILES_A}}
 
 TEST_FILES_AS = test5
@@ -172,6 +172,8 @@ LDFLAGS_AS += -Wl,-install_name,lib${MQTTLIB_AS}.so.${MAJOR_VERSION} -L /usr/loc
 FLAGS_EXE += -DOSX
 FLAGS_EXES += -L /usr/local/opt/openssl/lib
 
+LDCONFIG = echo
+
 endif
 
 all: build
@@ -237,6 +239,7 @@ strip_options:
 install-strip: build strip_options install
 
 install: build
+	mkdir -p $(DESTDIR)$(PREFIX)${includedir}
 	$(INSTALL_DATA) ${INSTALL_OPTS} ${MQTTLIB_C_TARGET} $(DESTDIR)${libdir}
 	$(INSTALL_DATA) ${INSTALL_OPTS} ${MQTTLIB_CS_TARGET} $(DESTDIR)${libdir}
 	$(INSTALL_DATA) ${INSTALL_OPTS} ${MQTTLIB_A_TARGET} $(DESTDIR)${libdir}

appveyor.yml

@@ -2,29 +2,19 @@ version: 1.2.{build}
 image:
   - Visual Studio 2013
   - Visual Studio 2015
-configuration: Debug
-install:
-  - cmd: openssl version
-
-  - cmd: python --version
-
+configuration: Debug
+install:
+  - cmd: openssl version
+  - cmd: python --version
   - cmd: netsh advfirewall firewall add rule name="Python 2.7" dir=in action=allow program="C:\Python27\python.exe" enable=yes
-
   - cmd: netsh advfirewall firewall add rule name="Open Port 1883" dir=in action=allow protocol=TCP localport=1883
-
-  - cmd: netsh advfirewall set allprofiles state off
-
-  - ps: Start-Process python -ArgumentList 'test\mqttsas2.py'
-
-  - cmd: C:\Python36\python --version
-
-  - cmd: git clone https://github.com/eclipse/paho.mqtt.testing.git
-
-  - cmd: cd paho.mqtt.testing\interoperability
-
-  - ps: Start-Process C:\Python36\python -ArgumentList 'startbroker.py'
-
-  - cmd: cd ..\..
+  - cmd: netsh advfirewall set allprofiles state off
+  - ps: Start-Process python -ArgumentList 'test\mqttsas2.py'
+  - cmd: C:\Python36\python --version
+  - cmd: git clone https://github.com/eclipse/paho.mqtt.testing.git
+  - cmd: cd paho.mqtt.testing\interoperability
+  - ps: Start-Process C:\Python36\python -ArgumentList 'startbroker.py -c localhost_testing.conf'
+  - cmd: cd ..\..
 
 build_script:
 - cmd: >-
@@ -40,11 +30,47 @@ build_script:
 
     cmake -G "NMake Makefiles" -DPAHO_WITH_SSL=TRUE -DPAHO_BUILD_DOCUMENTATION=FALSE -DPAHO_BUILD_SAMPLES=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_VERBOSE_MAKEFILE=TRUE ..
 
-    nmake
+    nmake
 
     ctest -T test -VV
 
     cd ..
 
+after_build:
+- cmd: >-
+    set ZIPNAME=eclipse-paho-mqtt-c-windows.zip 
+
+    7z a %ZIPNAME% %APPVEYOR_BUILD_FOLDER%\*.html
+
+    7z a %ZIPNAME% %APPVEYOR_BUILD_FOLDER%\*.md
+
+    7z a %ZIPNAME% %APPVEYOR_BUILD_FOLDER%\*-v10
+
+    7z a %ZIPNAME% build.paho\src\*.dll
+
+    7z a %ZIPNAME% build.paho\src\*.lib
+
+    7z rn %ZIPNAME% build.paho\src lib
+
+    7z a %ZIPNAME% build.paho\src\samples\*.exe
+
+    7z rn %ZIPNAME% build.paho\src\samples bin
+
+    7z a %ZIPNAME% %APPVEYOR_BUILD_FOLDER%\build.paho\src\MQTTVersion.exe
+
+    7z rn %ZIPNAME% MQTTVersion.exe bin\MQTTVersion.exe
+
+    7z a %ZIPNAME% src\MQTTClient.h src\MQTTAsync.h src\MQTTClientPersistence.h
+
+    7z rn %ZIPNAME% src include
+
+    7z a %ZIPNAME% src\samples\*.c
+
+    7z rn %ZIPNAME% src\samples samples
+
+artifacts:
+- path: eclipse-paho-mqtt-c-windows.zip
+  name: paho-mqtt-c
+
 test:
   assemblies: build/Testing/*/Test.xml

src/MQTTAsync.c

 /*******************************************************************************
- * Copyright (c) 2009, 2017 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -33,6 +33,7 @@
  *    Ian Craggs - SNI support
  *    Ian Craggs - auto reconnect timing fix #218
  *    Ian Craggs - fix for issue #190
+ *    Ian Craggs - check for NULL SSL options #334
  *******************************************************************************/
 
 /**
@@ -464,6 +465,20 @@ int MQTTAsync_createWithOptions(MQTTAsync* handle, const char* serverURI, const
 		goto exit;
 	}
 
+	if (strstr(serverURI, "://") != NULL)
+	{
+		if (strncmp(URI_TCP, serverURI, strlen(URI_TCP)) != 0
+#if defined(OPENSSL)
+            && strncmp(URI_SSL, serverURI, strlen(URI_SSL)) != 0
+
+#endif
+			)
+		{
+			rc = MQTTASYNC_BAD_PROTOCOL;
+			goto exit;
+		}
+	}
+
 	if (options && (strncmp(options->struct_id, "MQCO", 4) != 0 || options->struct_version != 0))
 	{
 		rc = MQTTASYNC_BAD_STRUCTURE;
@@ -718,7 +733,7 @@ static MQTTAsync_queuedCommand* MQTTAsync_restoreCommand(char* buffer, int bufle
 		case SUBSCRIBE:
 			command->details.sub.count = *(int*)ptr;
 			ptr += sizeof(int);
-			
+
 			if (command->details.sub.count > 0)
 			{
 					command->details.sub.topics = (char **)malloc(sizeof(char *) * command->details.sub.count);
@@ -741,10 +756,10 @@ static MQTTAsync_queuedCommand* MQTTAsync_restoreCommand(char* buffer, int bufle
 		case UNSUBSCRIBE:
 			command->details.unsub.count = *(int*)ptr;
 			ptr += sizeof(int);
-			
+
 			if (command->details.unsub.count > 0)
 			{
-					command->details.unsub.topics = (char **)malloc(sizeof(char *) * command->details.unsub.count);					
+					command->details.unsub.topics = (char **)malloc(sizeof(char *) * command->details.unsub.count);
 			}
 
 			for (i = 0; i < command->details.unsub.count; ++i)
@@ -1753,8 +1768,8 @@ static int MQTTAsync_completeConnection(MQTTAsyncs* m, MQTTPacket* pack)
 
 				while (ListNextElement(m->c->outboundMsgs, &outcurrent))
 				{
-					Messages* m = (Messages*)(outcurrent->content);
-					m->lastTouch = 0;
+					Messages* messages = (Messages*)(outcurrent->content);
+					messages->lastTouch = 0;
 				}
 				MQTTProtocol_retry((time_t)0, 1, 1);
 				if (m->c->connected != 1)
@@ -1845,11 +1860,11 @@ static thread_return_type WINAPI MQTTAsync_receiveThread(void* n)
 
 				if (rc)
 				{
-					ListRemove(m->c->messageQueue, qe);
 #if !defined(NO_PERSISTENCE)
 					if (m->c->persistence)
 						MQTTPersistence_unpersistQueueEntry(m->c, (MQTTPersistence_qEntry*)qe);
 #endif
+					ListRemove(m->c->messageQueue, qe); /* qe is freed here */
 				}
 				else
 					Log(TRACE_MIN, -1, "False returned from messageArrived for client %s, message remains on queue",
@@ -2272,6 +2287,15 @@ int MQTTAsync_connect(MQTTAsync handle, const MQTTAsync_connectOptions* options)
 		rc = MQTTASYNC_BAD_STRUCTURE;
 		goto exit;
 	}
+
+#if defined(OPENSSL)
+	if (m->ssl && options->ssl == NULL)
+	{
+		rc = MQTTCLIENT_NULL_PARAMETER;
+		goto exit;
+	}
+#endif
+
 	if (options->will) /* check validity of will options structure */
 	{
 		if (strncmp(options->will->struct_id, "MQTW", 4) != 0 || (options->will->struct_version != 0 && options->will->struct_version != 1))
@@ -2287,7 +2311,7 @@ int MQTTAsync_connect(MQTTAsync handle, const MQTTAsync_connectOptions* options)
 	}
 	if (options->struct_version != 0 && options->ssl) /* check validity of SSL options structure */
 	{
-		if (strncmp(options->ssl->struct_id, "MQTS", 4) != 0 || options->ssl->struct_version < 0 || options->ssl->struct_version > 1)
+		if (strncmp(options->ssl->struct_id, "MQTS", 4) != 0 || options->ssl->struct_version < 0 || options->ssl->struct_version > 2)
 		{
 			rc = MQTTASYNC_BAD_STRUCTURE;
 			goto exit;
@@ -2387,6 +2411,12 @@ int MQTTAsync_connect(MQTTAsync handle, const MQTTAsync_connectOptions* options)
 			free((void*)m->c->sslopts->privateKeyPassword);
 		if (m->c->sslopts->enabledCipherSuites)
 			free((void*)m->c->sslopts->enabledCipherSuites);
+		if (m->c->sslopts->struct_version >= 2)
+		{
+			if (m->c->sslopts->CApath)
+				free((void*)m->c->sslopts->CApath);
+		}
+		free(m->c->sslopts);
 		free((void*)m->c->sslopts);
 		m->c->sslopts = NULL;
 	}
@@ -2409,6 +2439,12 @@ int MQTTAsync_connect(MQTTAsync handle, const MQTTAsync_connectOptions* options)
 		m->c->sslopts->enableServerCertAuth = options->ssl->enableServerCertAuth;
 		if (m->c->sslopts->struct_version >= 1)
 			m->c->sslopts->sslVersion = options->ssl->sslVersion;
+		if (m->c->sslopts->struct_version >= 2)
+		{
+			m->c->sslopts->verify = options->ssl->verify;
+			if (m->c->sslopts->CApath)
+				m->c->sslopts->CApath = MQTTStrdup(options->ssl->CApath);
+		}
 	}
 #else
 	if (options->struct_version != 0 && options->ssl)
@@ -2887,7 +2923,8 @@ static int MQTTAsync_connecting(MQTTAsyncs* m)
 				if (m->c->session != NULL)
 					if ((rc = SSL_set_session(m->c->net.ssl, m->c->session)) != 1)
 						Log(TRACE_MIN, -1, "Failed to set SSL session with stored data, non critical");
-				rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket);
+				rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket,
+						m->serverURI, m->c->sslopts->verify);
 				if (rc == TCPSOCKET_INTERRUPTED)
 				{
 					rc = MQTTCLIENT_SUCCESS; /* the connect is still in progress */
@@ -2930,7 +2967,8 @@ static int MQTTAsync_connecting(MQTTAsyncs* m)
 #if defined(OPENSSL)
 	else if (m->c->connect_state == 2) /* SSL connect sent - wait for completion */
 	{
-		if ((rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket)) != 1)
+		if ((rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket,
+				m->serverURI, m->c->sslopts->verify)) != 1)
 			goto exit;
 
 		if(!m->c->cleansession && m->c->session == NULL)

src/MQTTAsync.h

 /*******************************************************************************
- * Copyright (c) 2009, 2017 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -172,6 +172,11 @@
  * Return code: Attempting SSL connection using non-SSL version of library
  */
 #define MQTTASYNC_SSL_NOT_SUPPORTED -13
+/**
+ * Return code: protocol prefix in serverURI should be tcp:// or ssl://
+ */
+#define MQTTASYNC_BAD_PROTOCOL -14
+
 
 /**
  * Default MQTT version to connect with.  Use 3.1.1 then fall back to 3.1
@@ -455,13 +460,18 @@ typedef struct
     * completion will be received.
     */
 	MQTTAsync_onFailure* onFailure;
-	/**
-	* A pointer to any application-specific context. The
+  /**
+    * A pointer to any application-specific context. The
     * the <i>context</i> pointer is passed to success or failure callback functions to
     * provide access to the context information in the callback.
     */
 	void* context;
-	MQTTAsync_token token;   /* output */
+  /**
+    * A token is returned from the call.  It can be used to track
+    * the state of this request, both in the callbacks and in future calls
+    * such as ::MQTTAsync_waitForCompletion.
+    */
+	MQTTAsync_token token;
 } MQTTAsync_responseOptions;
 
 #define MQTTAsync_responseOptions_initializer { {'M', 'Q', 'T', 'R'}, 0, NULL, NULL, 0, 0 }
@@ -688,9 +698,22 @@ typedef struct
     */
     int sslVersion;
 
+    /**
+     * Whether to carry out post-connect checks, including that a certificate
+     * matches the given host name.
+     * Exists only if struct_version >= 2
+     */
+    int verify;
+
+    /**
+     * From the OpenSSL documentation:
+     * If CApath is not NULL, it points to a directory containing CA certificates in PEM format.
+     * Exists only if struct_version >= 2
+	 */
+	const char* CApath;
 } MQTTAsync_SSLOptions;
 
-#define MQTTAsync_SSLOptions_initializer { {'M', 'Q', 'T', 'S'}, 1, NULL, NULL, NULL, NULL, NULL, 1, MQTT_SSL_VERSION_DEFAULT }
+#define MQTTAsync_SSLOptions_initializer { {'M', 'Q', 'T', 'S'}, 2, NULL, NULL, NULL, NULL, NULL, 1, MQTT_SSL_VERSION_DEFAULT, 0, NULL }
 
 /**
  * MQTTAsync_connectOptions defines several settings that control the way the

src/MQTTClient.c

 /*******************************************************************************
- * Copyright (c) 2009, 2017 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -32,6 +32,7 @@
  *    Ian Craggs - SNI support, message queue unpersist bug
  *    Ian Craggs - binary will message support
  *    Ian Craggs - waitforCompletion fix #240
+ *    Ian Craggs - check for NULL SSL options #334
  *******************************************************************************/
 
 /**
@@ -319,6 +320,20 @@ int MQTTClient_create(MQTTClient* handle, const char* serverURI, const char* cli
 		goto exit;
 	}
 
+	if (strstr(serverURI, "://") != NULL)
+	{
+		if (strncmp(URI_TCP, serverURI, strlen(URI_TCP)) != 0
+#if defined(OPENSSL)
+            && strncmp(URI_SSL, serverURI, strlen(URI_SSL)) != 0
+
+#endif
+			)
+		{
+			rc = MQTTCLIENT_BAD_PROTOCOL;
+			goto exit;
+		}
+	}
+
 	if (!initialized)
 	{
 		#if defined(HEAP_H)
@@ -653,7 +668,8 @@ static thread_return_type WINAPI MQTTClient_run(void* n)
 #if defined(OPENSSL)
 			else if (m->c->connect_state == 2 && !Thread_check_sem(m->connect_sem))
 			{
-				rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket);
+				rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket,
+						m->serverURI, m->c->sslopts->verify);
 				if (rc == 1 || rc == SSL_FATAL)
 				{
 					if (rc == 1 && !m->c->cleansession && m->c->session == NULL)
@@ -894,7 +910,8 @@ static int MQTTClient_connectURIVersion(MQTTClient handle, MQTTClient_connectOpt
 				if (m->c->session != NULL)
 					if ((rc = SSL_set_session(m->c->net.ssl, m->c->session)) != 1)
 						Log(TRACE_MIN, -1, "Failed to set SSL session with stored data, non critical");
-				rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket);
+				rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket,
+						m->serverURI, m->c->sslopts->verify);
 				if (rc == TCPSOCKET_INTERRUPTED)
 					m->c->connect_state = 2;  /* the connect is still in progress */
 				else if (rc == SSL_FATAL)
@@ -1096,6 +1113,11 @@ static int MQTTClient_connectURI(MQTTClient handle, MQTTClient_connectOptions* o
 			free((void*)m->c->sslopts->privateKeyPassword);
 		if (m->c->sslopts->enabledCipherSuites)
 			free((void*)m->c->sslopts->enabledCipherSuites);
+		if (m->c->sslopts->struct_version >= 2)
+		{
+			if (m->c->sslopts->CApath)
+				free((void*)m->c->sslopts->CApath);
+		}
 		free(m->c->sslopts);
 		m->c->sslopts = NULL;
 	}
@@ -1118,6 +1140,12 @@ static int MQTTClient_connectURI(MQTTClient handle, MQTTClient_connectOptions* o
 		m->c->sslopts->enableServerCertAuth = options->ssl->enableServerCertAuth;
 		if (m->c->sslopts->struct_version >= 1)
 			m->c->sslopts->sslVersion = options->ssl->sslVersion;
+		if (m->c->sslopts->struct_version >= 2)
+		{
+			m->c->sslopts->verify = options->ssl->verify;
+			if (m->c->sslopts->CApath)
+				m->c->sslopts->CApath = MQTTStrdup(options->ssl->CApath);
+		}
 	}
 #endif
 
@@ -1171,6 +1199,14 @@ int MQTTClient_connect(MQTTClient handle, MQTTClient_connectOptions* options)
 		goto exit;
 	}
 
+#if defined(OPENSSL)
+	if (m->ssl && options->ssl == NULL)
+	{
+		rc = MQTTCLIENT_NULL_PARAMETER;
+		goto exit;
+	}
+#endif
+
 	if (options->will) /* check validity of will options structure */
 	{
 		if (strncmp(options->will->struct_id, "MQTW", 4) != 0 || (options->will->struct_version != 0 && options->will->struct_version != 1))
@@ -1180,10 +1216,11 @@ int MQTTClient_connect(MQTTClient handle, MQTTClient_connectOptions* options)
 		}
 	}
 
+
 #if defined(OPENSSL)
 	if (options->struct_version != 0 && options->ssl) /* check validity of SSL options structure */
 	{
-		if (strncmp(options->ssl->struct_id, "MQTS", 4) != 0 || options->ssl->struct_version < 0 || options->ssl->struct_version > 1)
+		if (strncmp(options->ssl->struct_id, "MQTS", 4) != 0 || options->ssl->struct_version < 0 || options->ssl->struct_version > 2)
 		{
 			rc = MQTTCLIENT_BAD_STRUCTURE;
 			goto exit;
@@ -1800,7 +1837,8 @@ static MQTTPacket* MQTTClient_waitfor(MQTTClient handle, int packet_type, int* r
 #if defined(OPENSSL)
 				else if (m->c->connect_state == 2)
 				{
-					*rc = SSLSocket_connect(m->c->net.ssl, sock);
+					*rc = SSLSocket_connect(m->c->net.ssl, sock,
+							m->serverURI, m->c->sslopts->verify);
 					if (*rc == SSL_FATAL)
 						break;
 					else if (*rc == 1) /* rc == 1 means SSL connect has finished and succeeded */

src/MQTTClient.h

 /*******************************************************************************
- * Copyright (c) 2009, 2017 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -175,6 +175,10 @@
  * Return code: Attempting SSL connection using non-SSL version of library
  */
 #define MQTTCLIENT_SSL_NOT_SUPPORTED -10
+/**
+ * Return code: protocol prefix in serverURI should be tcp:// or ssl://
+ */
+#define MQTTCLIENT_BAD_PROTOCOL -14
 
 /**
  * Default MQTT version to connect with.  Use 3.1.1 then fall back to 3.1
@@ -540,9 +544,23 @@ typedef struct
     */
     int sslVersion;
 
+    /**
+     * Whether to carry out post-connect checks, including that a certificate
+     * matches the given host name.
+     * Exists only if struct_version >= 2
+     */
+    int verify;
+
+    /**
+     * From the OpenSSL documentation:
+     * If CApath is not NULL, it points to a directory containing CA certificates in PEM format.
+     * Exists only if struct_version >= 2
+	 */
+	const char* CApath;
+
 } MQTTClient_SSLOptions;
 
-#define MQTTClient_SSLOptions_initializer { {'M', 'Q', 'T', 'S'}, 1, NULL, NULL, NULL, NULL, NULL, 1, MQTT_SSL_VERSION_DEFAULT }
+#define MQTTClient_SSLOptions_initializer { {'M', 'Q', 'T', 'S'}, 2, NULL, NULL, NULL, NULL, NULL, 1, MQTT_SSL_VERSION_DEFAULT, 0, NULL }
 
 /**
  * MQTTClient_connectOptions defines several settings that control the way the

src/MQTTProtocolClient.c

 /*******************************************************************************
- * Copyright (c) 2009, 2017 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -696,6 +696,11 @@ void MQTTProtocol_freeClient(Clients* client)
 			free((void*)client->sslopts->privateKeyPassword);
 		if (client->sslopts->enabledCipherSuites)
 			free((void*)client->sslopts->enabledCipherSuites);
+		if (client->sslopts->struct_version >= 2)
+		{
+			if (client->sslopts->CApath)
+				free((void*)client->sslopts->CApath);
+		}
 		free(client->sslopts);
                 client->sslopts = NULL;
 	}

src/MQTTProtocolOut.c

 /*******************************************************************************
- * Copyright (c) 2009, 2017 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -116,7 +116,8 @@ int MQTTProtocol_connect(const char* ip_address, Clients* aClient, int MQTTVersi
 		{
 			if (SSLSocket_setSocketForSSL(&aClient->net, aClient->sslopts, addr) == 1)
 			{
-				rc = SSLSocket_connect(aClient->net.ssl, aClient->net.socket);
+				rc = SSLSocket_connect(aClient->net.ssl, aClient->net.socket,
+						addr, aClient->sslopts->verify);
 				if (rc == TCPSOCKET_INTERRUPTED)
 					aClient->connect_state = 2; /* SSL connect called - wait for completion */
 			}

src/SSLSocket.c

 /*******************************************************************************
- * Copyright (c) 2009, 2017 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
- * and Eclipse Distribution License v1.0 which accompany this distribution. 
+ * and Eclipse Distribution License v1.0 which accompany this distribution.
  *
- * The Eclipse Public License is available at 
+ * The Eclipse Public License is available at
  *    http://www.eclipse.org/legal/epl-v10.html
- * and the Eclipse Distribution License is available at 
+ * and the Eclipse Distribution License is available at
  *   http://www.eclipse.org/org/documents/edl-v10.php.
  *
  * Contributors:
@@ -34,12 +34,15 @@
 #include "Log.h"
 #include "StackTrace.h"
 #include "Socket.h"
+char* MQTTProtocol_addressPort(const char* uri, int* port);
 
 #include "Heap.h"
 
+#include <string.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/crypto.h>
+#include <openssl/x509v3.h>
 
 extern Sockets s;
 
@@ -202,8 +205,8 @@ void SSL_CTX_info_callback(const SSL* ssl, int where, int ret)
 {
 	if (where & SSL_CB_LOOP)
 	{
-		Log(TRACE_PROTOCOL, 1, "SSL state %s:%s:%s", 
-                  (where & SSL_ST_CONNECT) ? "connect" : (where & SSL_ST_ACCEPT) ? "accept" : "undef", 
+		Log(TRACE_PROTOCOL, 1, "SSL state %s:%s:%s",
+                  (where & SSL_ST_CONNECT) ? "connect" : (where & SSL_ST_ACCEPT) ? "accept" : "undef",
                     SSL_state_string_long(ssl), SSL_get_cipher_name(ssl));
 	}
 	else if (where & SSL_CB_EXIT)
@@ -215,26 +218,26 @@ void SSL_CTX_info_callback(const SSL* ssl, int where, int ret)
 	else if (where & SSL_CB_ALERT)
 	{
 		Log(TRACE_PROTOCOL, 1, "SSL alert %s:%s:%s",
-                  (where & SSL_CB_READ) ? "read" : "write", 
+                  (where & SSL_CB_READ) ? "read" : "write",
                     SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
 	}
 	else if (where & SSL_CB_HANDSHAKE_START)
 	{
 		Log(TRACE_PROTOCOL, 1, "SSL handshake started %s:%s:%s",
-                  (where & SSL_CB_READ) ? "read" : "write", 
+                  (where & SSL_CB_READ) ? "read" : "write",
                     SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
 	}
 	else if (where & SSL_CB_HANDSHAKE_DONE)
 	{
-		Log(TRACE_PROTOCOL, 1, "SSL handshake done %s:%s:%s", 
+		Log(TRACE_PROTOCOL, 1, "SSL handshake done %s:%s:%s",
                   (where & SSL_CB_READ) ? "read" : "write",
                     SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
-		Log(TRACE_PROTOCOL, 1, "SSL certificate verification: %s", 
+		Log(TRACE_PROTOCOL, 1, "SSL certificate verification: %s",
                     SSL_get_verify_result_string(SSL_get_verify_result(ssl)));
 	}
 	else
 	{
-		Log(TRACE_PROTOCOL, 1, "SSL state %s:%s:%s", SSL_state_string_long(ssl), 
+		Log(TRACE_PROTOCOL, 1, "SSL state %s:%s:%s", SSL_state_string_long(ssl),
                    SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
 	}
 }
@@ -271,7 +274,7 @@ char* SSLSocket_get_version_string(int version)
 			break;
 		}
 	}
-	
+
 	if (retstring == NULL)
 	{
 		sprintf(buf, "%i", version);
@@ -281,11 +284,11 @@ char* SSLSocket_get_version_string(int version)
 }
 
 
-void SSL_CTX_msg_callback(int write_p, int version, int content_type, const void* buf, size_t len, 
+void SSL_CTX_msg_callback(int write_p, int version, int content_type, const void* buf, size_t len,
         SSL* ssl, void* arg)
-{  
+{
 
-/*  
+/*
 called by the SSL/TLS library for a protocol message, the function arguments have the following meaning:
 
 write_p
@@ -308,9 +311,9 @@ The user-defined argument optionally defined by SSL_CTX_set_msg_callback_arg() o
 
 */
 
-	Log(TRACE_PROTOCOL, -1, "%s %s %d buflen %d", (write_p ? "sent" : "received"), 
+	Log(TRACE_PROTOCOL, -1, "%s %s %d buflen %d", (write_p ? "sent" : "received"),
 		SSLSocket_get_version_string(version),
-		content_type, (int)len);	
+		content_type, (int)len);
 }
 
 
@@ -432,23 +435,23 @@ int SSLSocket_initialize(void)
 	/*int prc;*/
 	int i;
 	int lockMemSize;
-	
+
 	FUNC_ENTRY;
 
 	if (handle_openssl_init)
 	{
 		if ((rc = SSL_library_init()) != 1)
 			rc = -1;
-			
+
 		ERR_load_crypto_strings();
 		SSL_load_error_strings();
-		
-		/* OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init(). 
-		Applications which need to use SHA2 in earlier versions of OpenSSL should call 
+
+		/* OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init().
+		Applications which need to use SHA2 in earlier versions of OpenSSL should call
 		OpenSSL_add_all_algorithms() as well. */
-		
+
 		OpenSSL_add_all_algorithms();
-		
+
 		lockMemSize = CRYPTO_num_locks() * sizeof(ssl_mutex_type);
 
 		sslLocks = malloc(lockMemSize);
@@ -471,9 +474,9 @@ int SSLSocket_initialize(void)
 		CRYPTO_set_id_callback(SSLThread_id);
 #endif
 		CRYPTO_set_locking_callback(SSLLocks_callback);
-		
+
 	}
-	
+
 	SSL_create_mutex(&sslCoreMutex);
 
 exit:
@@ -484,7 +487,7 @@ exit:
 void SSLSocket_terminate(void)
 {
 	FUNC_ENTRY;
-	
+
 	if (handle_openssl_init)
 	{
 		EVP_cleanup();
@@ -501,9 +504,9 @@ void SSLSocket_terminate(void)
 			free(sslLocks);
 		}
 	}
-	
+
 	SSL_destroy_mutex(&sslCoreMutex);
-	
+
 	FUNC_EXIT;
 }
 
@@ -511,7 +514,7 @@ int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
 {
 	int rc = 1;
 	const char* ciphers = NULL;
-	
+
 	FUNC_ENTRY;
 	if (net->ctx == NULL)
 	{
@@ -550,15 +553,15 @@ int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
 			goto exit;
 		}
 	}
-	
+
 	if (opts->keyStore)
 	{
 		if ((rc = SSL_CTX_use_certificate_chain_file(net->ctx, opts->keyStore)) != 1)
 		{
 			SSLSocket_error("SSL_CTX_use_certificate_chain_file", NULL, net->socket, rc);
 			goto free_ctx; /*If we can't load the certificate (chain) file then loading the privatekey won't work either as it needs a matching cert already loaded */
-		}	
-			
+		}
+
 		if (opts->privateKey == NULL)
 			opts->privateKey = opts->keyStore;   /* the privateKey can be included in the keyStore */
 
@@ -567,7 +570,7 @@ int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
 			SSL_CTX_set_default_passwd_cb(net->ctx, pem_passwd_cb);
 			SSL_CTX_set_default_passwd_cb_userdata(net->ctx, (void*)opts->privateKeyPassword);
 		}
-		
+
 		/* support for ASN.1 == DER format? DER can contain only one certificate? */
 		rc = SSL_CTX_use_PrivateKey_file(net->ctx, opts->privateKey, SSL_FILETYPE_PEM);
 		if (opts->privateKey == opts->keyStore)
@@ -576,7 +579,7 @@ int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
 		{
 			SSLSocket_error("SSL_CTX_use_PrivateKey_file", NULL, net->socket, rc);
 			goto free_ctx;
-		}  
+		}
 	}
 
 	if (opts->trustStore)
@@ -585,7 +588,7 @@ int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
 		{
 			SSLSocket_error("SSL_CTX_load_verify_locations", NULL, net->socket, rc);
 			goto free_ctx;
-		}                               
+		}
 	}
 	else if ((rc = SSL_CTX_set_default_verify_paths(net->ctx)) != 1)
 	{
@@ -594,7 +597,7 @@ int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
 	}
 
 	if (opts->enabledCipherSuites == NULL)
-		ciphers = "DEFAULT"; 
+		ciphers = "DEFAULT";
 	else
 		ciphers = opts->enabledCipherSuites;
 
@@ -602,15 +605,15 @@ int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
 	{
 		SSLSocket_error("SSL_CTX_set_cipher_list", NULL, net->socket, rc);
 		goto free_ctx;
-	}       
-	
+	}
+
 	SSL_CTX_set_mode(net->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 
 	goto exit;
 free_ctx:
 	SSL_CTX_free(net->ctx);
 	net->ctx = NULL;
-	
+
 exit:
 	FUNC_EXIT_RC(rc);
 	return rc;
@@ -620,18 +623,18 @@ exit:
 int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts, char* hostname)
 {
 	int rc = 1;
-	
+
 	FUNC_ENTRY;
-	
+
 	if (net->ctx != NULL || (rc = SSLSocket_createContext(net, opts)) == 1)
 	{
 		int i;
 
 		SSL_CTX_set_info_callback(net->ctx, SSL_CTX_info_callback);
 		SSL_CTX_set_msg_callback(net->ctx, SSL_CTX_msg_callback);
-   		if (opts->enableServerCertAuth) 
+   		if (opts->enableServerCertAuth)
 			SSL_CTX_set_verify(net->ctx, SSL_VERIFY_PEER, NULL);
-	
+
 		net->ssl = SSL_new(net->ctx);
 
 		/* Log all ciphers available to the SSL sessions (loaded in ctx) */
@@ -641,20 +644,22 @@ int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts,
 			if (cipher == NULL)
 				break;
 			Log(TRACE_PROTOCOL, 1, "SSL cipher available: %d:%s", i, cipher);
-	    	}	
+	    	}
 		if ((rc = SSL_set_fd(net->ssl, net->socket)) != 1)
 			SSLSocket_error("SSL_set_fd", net->ssl, net->socket, rc);
 
 		if ((rc = SSL_set_tlsext_host_name(net->ssl, hostname)) != 1)
 			SSLSocket_error("SSL_set_tlsext_host_name", NULL, net->socket, rc);
 	}
-		
+
 	FUNC_EXIT_RC(rc);
 	return rc;
 }
 
-
-int SSLSocket_connect(SSL* ssl, int sock)      
+/*
+ * Return value: 1 - success, TCPSOCKET_INTERRUPTED - try again, anything else is failure
+ */
+int SSLSocket_connect(SSL* ssl, int sock, char* hostname, int verify)
 {
 	int rc = 0;
 
@@ -670,6 +675,28 @@ int SSLSocket_connect(SSL* ssl, int sock)
 		if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE)
 			rc = TCPSOCKET_INTERRUPTED;
 	}
+#if (OPENSSL_VERSION_NUMBER >= 0x010002000) /* 1.0.2 and later */
+	else if (verify == 1)
+	{
+		char* peername = NULL;
+		int port;
+		char* addr = NULL;
+
+		X509* cert = SSL_get_peer_certificate(ssl);
+		addr = MQTTProtocol_addressPort(hostname, &port);
+
+		rc = X509_check_host(cert, addr, strlen(addr), 0, &peername);
+		if (rc == 0)
+			rc = SOCKET_ERROR;
+		Log(TRACE_MIN, -1, "rc from X509_check_host is %d", rc);
+		Log(TRACE_MIN, -1, "peername from X509_check_host is %s", peername);
+
+		if (cert)
+			X509_free(cert);
+		if (addr != hostname)
+			free(addr);
+	}
+#endif
 
 	FUNC_EXIT_RC(rc);
 	return rc;
@@ -798,7 +825,7 @@ int SSLSocket_close(networkHandles* net)
 }
 
 
-/* No SSL_writev() provided by OpenSSL. Boo. */  
+/* No SSL_writev() provided by OpenSSL. Boo. */
 int SSLSocket_putdatas(SSL* ssl, int socket, char* buf0, size_t buf0len, int count, char** buffers, size_t* buflens, int* frees)
 {
 	int rc = 0;
@@ -812,7 +839,7 @@ int SSLSocket_putdatas(SSL* ssl, int socket, char* buf0, size_t buf0len, int cou
 	for (i = 0; i < count; i++)
 		iovec.iov_len += (ULONG)buflens[i];
 
-	ptr = iovec.iov_base = (char *)malloc(iovec.iov_len);  
+	ptr = iovec.iov_base = (char *)malloc(iovec.iov_len);
 	memcpy(ptr, buf0, buf0len);
 	ptr += buf0len;
 	for (i = 0; i < count; i++)
@@ -824,10 +851,10 @@ int SSLSocket_putdatas(SSL* ssl, int socket, char* buf0, size_t buf0len, int cou
 	SSL_lock_mutex(&sslCoreMutex);
 	if ((rc = SSL_write(ssl, iovec.iov_base, iovec.iov_len)) == iovec.iov_len)
 		rc = TCPSOCKET_COMPLETE;
-	else 
-	{ 
+	else
+	{
 		sslerror = SSLSocket_error("SSL_write", ssl, socket, rc);
-		
+
 		if (sslerror == SSL_ERROR_WANT_WRITE)
 		{
 			int* sockmem = (int*)malloc(sizeof(int));
@@ -841,7 +868,7 @@ int SSLSocket_putdatas(SSL* ssl, int socket, char* buf0, size_t buf0len, int cou
 			FD_SET(socket, &(s.pending_wset));
 			rc = TCPSOCKET_INTERRUPTED;
 		}
-		else 
+		else
 			rc = SOCKET_ERROR;
 	}
 	SSL_unlock_mutex(&sslCoreMutex);
@@ -854,14 +881,14 @@ int SSLSocket_putdatas(SSL* ssl, int socket, char* buf0, size_t buf0len, int cou
 		free(buf0);
 		for (i = 0; i < count; ++i)
 		{
-			if (frees[i])
-                        {
-				free(buffers[i]);
-                                buffers[i] = NULL;
-                        }
+		    if (frees[i])
+		    {
+			free(buffers[i]);
+			buffers[i] = NULL;
+		    }
 		}	
 	}
-	FUNC_EXIT_RC(rc); 
+	FUNC_EXIT_RC(rc);
 	return rc;
 }
 
@@ -886,7 +913,7 @@ void SSLSocket_addPendingRead(int sock)
 int SSLSocket_getPendingRead(void)
 {
 	int sock = -1;
-	
+
 	if (pending_reads.count > 0)
 	{
 		sock = *(int*)(pending_reads.first->content);
@@ -898,8 +925,8 @@ int SSLSocket_getPendingRead(void)
 
 int SSLSocket_continueWrite(pending_writes* pw)
 {
-	int rc = 0; 
-	
+	int rc = 0;
+
 	FUNC_ENTRY;
 	if ((rc = SSL_write(pw->ssl, pw->iovecs[0].iov_base, pw->iovecs[0].iov_len)) == pw->iovecs[0].iov_len)
 	{

src/SSLSocket.h

 /*******************************************************************************
- * Copyright (c) 2009, 2017 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -13,6 +13,7 @@
  * Contributors:
  *    Ian Craggs, Allan Stockdill-Mander - initial implementation 
  *    Ian Craggs - SNI support
+ *    Ian Craggs - post connect checks and CApath
  *******************************************************************************/
 #if !defined(SSLSOCKET_H)
 #define SSLSOCKET_H
@@ -43,7 +44,7 @@ char *SSLSocket_getdata(SSL* ssl, int socket, size_t bytes, size_t* actual_len);
 
 int SSLSocket_close(networkHandles* net);
 int SSLSocket_putdatas(SSL* ssl, int socket, char* buf0, size_t buf0len, int count, char** buffers, size_t* buflens, int* frees);
-int SSLSocket_connect(SSL* ssl, int socket);
+int SSLSocket_connect(SSL* ssl, int sock, char* hostname, int verify);
 
 int SSLSocket_getPendingRead(void);
 int SSLSocket_continueWrite(pending_writes* pw);

src/Tree.c

 /*******************************************************************************
- * Copyright (c) 2009, 2013 IBM Corp.
+ * Copyright (c) 2009, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -34,8 +34,8 @@
 
 int isRed(Node* aNode);
 int isBlack(Node* aNode);
-int TreeWalk(Node* curnode, int depth);
-int TreeMaxDepth(Tree *aTree);
+/*int TreeWalk(Node* curnode, int depth);*/
+/*int TreeMaxDepth(Tree *aTree);*/
 void TreeRotate(Tree* aTree, Node* curnode, int direction, int index);
 Node* TreeBAASub(Tree* aTree, Node* curnode, int which, int index);
 void TreeBalanceAfterAdd(Tree* aTree, Node* curnode, int index);
@@ -110,7 +110,7 @@ int isBlack(Node* aNode)
 	return (aNode == NULL) || (aNode->red == 0);
 }
 
-
+#if 0
 int TreeWalk(Node* curnode, int depth)
 {
 	if (curnode)
@@ -141,7 +141,7 @@ int TreeMaxDepth(Tree *aTree)
 	}*/
 	return rc;
 }
-
+#endif
 
 void TreeRotate(Tree* aTree, Node* curnode, int direction, int index)
 {
@@ -231,7 +231,8 @@ void* TreeAddByIndex(Tree* aTree, void* content, size_t size, int index)
 	if (result == 0)
 	{
 		if (aTree->allow_duplicates)
-			exit(-99);
+			goto exit; /* exit(-99); */
+		else
 		{
 			newel = curnode;
 			rc = newel->content;
@@ -262,6 +263,7 @@ void* TreeAddByIndex(Tree* aTree, void* content, size_t size, int index)
 	newel->content = content;
 	newel->size = size;
 	TreeBalanceAfterAdd(aTree, newel, index);
+exit:
 	return rc;
 }
 

src/samples/MQTTAsync_publish.c

 /*******************************************************************************
- * Copyright (c) 2012, 2013 IBM Corp.
+ * Copyright (c) 2012, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -25,9 +25,11 @@
 #include <windows.h>
 #endif
 
+#if defined(_WRS_KERNEL)
 #include <OsWrapper.h>
+#endif
 
-#define ADDRESS     "tcp://m2m.eclipse.org:1883"
+#define ADDRESS     "tcp://iot.eclipse.org:1883"
 #define CLIENTID    "ExampleClientPub"
 #define TOPIC       "MQTT Examples"
 #define PAYLOAD     "Hello World!"

src/samples/MQTTAsync_subscribe.c

 /*******************************************************************************
- * Copyright (c) 2012, 2017 IBM Corp.
+ * Copyright (c) 2012, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -25,7 +25,9 @@
 #include <windows.h>
 #endif
 
+#if defined(_WRS_KERNEL)
 #include <OsWrapper.h>
+#endif
 
 #define ADDRESS     "tcp://localhost:1883"
 #define CLIENTID    "ExampleClientSub"

src/samples/paho_c_pub.c

 /*******************************************************************************
- * Copyright (c) 2012, 2016 IBM Corp.
+ * Copyright (c) 2012, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -53,7 +53,9 @@
 #include <unistd.h>
 #endif
 
+#if defined(_WRS_KERNEL)
 #include <OsWrapper.h>
+#endif
 
 volatile int toStop = 0;
 
@@ -153,7 +155,7 @@ void myconnect(MQTTAsync* client)
 	conn_opts.onFailure = onConnectFailure;
 	conn_opts.context = client;
 	ssl_opts.enableServerCertAuth = 0;
-	conn_opts.ssl = &ssl_opts;
+	//conn_opts.ssl = &ssl_opts; need to link with SSL library for this to work
 	conn_opts.automaticReconnect = 1;
 	connected = 0;
 	if ((rc = MQTTAsync_connect(*client, &conn_opts)) != MQTTASYNC_SUCCESS)
@@ -195,7 +197,7 @@ void connectionLost(void* context, char* cause)
 	conn_opts.onFailure = onConnectFailure;
 	conn_opts.context = client;
 	ssl_opts.enableServerCertAuth = 0;
-	conn_opts.ssl = &ssl_opts;
+	//conn_opts.ssl = &ssl_opts; need to link with SSL library for this to work
 	connected = 0;
 	if ((rc = MQTTAsync_connect(client, &conn_opts)) != MQTTASYNC_SUCCESS)
 	{

src/samples/paho_c_sub.c

 /*******************************************************************************
- * Copyright (c) 2012, 2013 IBM Corp.
+ * Copyright (c) 2012, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -56,7 +56,9 @@
 #include <unistd.h>
 #endif
 
+#if defined(_WRS_KERNEL)
 #include <OsWrapper.h>
+#endif
 
 volatile int finished = 0;
 char* topic = NULL;

test/ssl/all-ca.crt

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Mosquitto Project, OU=Testing, CN=Root CA
+        Validity
+            Not Before: Mar  1 18:53:36 2018 GMT
+            Not After : Feb 28 18:53:36 2023 GMT
+        Subject: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:af:ad:b0:e4:78:b8:73:01:6a:9e:78:1e:bf:36:
+                    5b:60:dc:ee:28:ce:16:3c:73:30:b3:02:cd:5c:07:
+                    a2:36:ee:a1:c5:43:32:0c:46:57:cb:fb:1c:52:db:
+                    4e:65:85:8a:5d:a6:cd:66:43:ad:bc:70:1b:e6:b0:
+                    11:0f:d8:54:1f:57:9e:29:4e:2b:1b:c5:70:b2:3d:
+                    38:a7:63:3f:1a:06:2f:6d:09:2c:7c:90:60:db:8c:
+                    3a:11:20:a7:db:20:25:d9:c6:97:74:50:5a:e0:fd:
+                    81:aa:de:ea:1d:e5:be:61:59:0d:76:e5:ab:7f:3b:
+                    b2:a6:38:b9:bb:32:aa:72:ef
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
+            X509v3 Authority Key Identifier: 
+                keyid:1C:B4:4E:8B:84:0D:1E:0F:C4:CC:F4:17:87:DB:CA:F2:55:F1:34:39
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         6c:2d:41:ca:7b:89:84:27:ca:b3:64:d5:73:b2:5b:dd:fc:6f:
+         d4:68:ae:f1:30:3e:9e:ca:28:2b:d3:2e:0c:61:3e:d5:9a:fd:
+         67:b1:60:e5:54:9f:a4:95:51:5b:00:2d:f9:46:82:de:49:df:
+         ce:2a:f3:f6:2e:8f:8f:64:2b:c9:2f:ce:ff:d2:53:a0:0a:c4:
+         4a:e9:20:fa:5e:79:45:21:18:c2:d6:c1:64:92:e4:67:3a:92:
+         04:46:5e:6a:39:84:c8:f1:0e:42:3c:fd:b2:c2:7b:e9:af:44:
+         2c:19:30:61:01:39:47:6d:38:85:90:4b:e5:04:f4:87:72:46:
+         4a:9a
 -----BEGIN CERTIFICATE-----
-MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADByMQswCQYDVQQGEwJHQjET
+MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJHQjET
 MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxGjAYBgNVBAoMEU1v
 c3F1aXR0byBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdSb290
-IENBMB4XDTEzMDcyNDIzNTExNloXDTE4MDcyMzIzNTExNlowZTELMAkGA1UEBhMC
+IENBMB4XDTE4MDMwMTE4NTMzNloXDTIzMDIyODE4NTMzNlowZTELMAkGA1UEBhMC
 R0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxGjAYBgNVBAoMEU1vc3F1aXR0byBQcm9q
 ZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRMwEQYDVQQDDApTaWduaW5nIENBMIGfMA0G
-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1Sir65IBDbm7bI4lHDakEoN0Y6DUg/Spz
-FoPe4cbixwS1pg3514X2srv9w03Kzp/obDOs/JzbqcPfOBAuiiPlMm1hw9az1B7N
-9lg/2DKHL/7Oq8IZUKsFjhbFAMjQd/PAZCkBO1FS1Y0jZes4/1fzlqq4rYItTie+
-YX8tTDc/7QIDAQABo1AwTjAdBgNVHQ4EFgQU5W621SksDwZxSpsZsFkm6/QuAQYw
-HwYDVR0jBBgwFoAUq92KK7UYT6V7F1mySt6+LWTPzr4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQUFAAOBgQBMcwdjElUOhXqoqlX1DWik58X73GHxjE52jao4BHRZ
-S+PpwOOjfnq4CfIXF1cMp95cK+Eh566lEJf2udlV1waKew578T86+UsRO/T/a0bb
-3FuuZH3TXnO+OjNMTWKMZ0iLQtPwNN4m9lszECrSgJ53yCIB6iq/zfXVSop7XFzd
-VQ==
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvrbDkeLhzAWqeeB6/Nltg3O4ozhY8czCz
+As1cB6I27qHFQzIMRlfL+xxS205lhYpdps1mQ628cBvmsBEP2FQfV54pTisbxXCy
+PTinYz8aBi9tCSx8kGDbjDoRIKfbICXZxpd0UFrg/YGq3uod5b5hWQ125at/O7Km
+OLm7Mqpy7wIDAQABo1AwTjAdBgNVHQ4EFgQUnlQ+5S/l6kBK/DeWbEW7GnkOyqsw
+HwYDVR0jBBgwFoAUHLROi4QNHg/EzPQXh9vK8lXxNDkwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOBgQBsLUHKe4mEJ8qzZNVzslvd/G/UaK7xMD6eyigr0y4M
+YT7Vmv1nsWDlVJ+klVFbAC35RoLeSd/OKvP2Lo+PZCvJL87/0lOgCsRK6SD6XnlF
+IRjC1sFkkuRnOpIERl5qOYTI8Q5CPP2ywnvpr0QsGTBhATlHbTiFkEvlBPSHckZK
+mg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICqDCCAhGgAwIBAgIJAKrzwmdXIUxsMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
-BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEVMBMG
-A1UECgwMUGFobyBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdS
-b290IENBMB4XDTEzMDcyOTE5MjEyOVoXDTIzMDcyNzE5MjEyOVowbTELMAkGA1UE
-BhMCR0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxDjAMBgNVBAcMBURlcmJ5MRUwEwYD
-VQQKDAxQYWhvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNVBAMMB1Jv
-b3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKbPzEEWCKsjjwjJ787u
-Q32k5EdqoDddMEjSVbZNSNEwUew1L7O8NTbmtCEeVFQjOLAdmdiF3rQbXHV+Zew0
-jt2g4vtPpl1GOG6jA/6YznKAyQdvGCdYfGZUN2tN+mbtVxWqkHZitQDQGaSHnx24
-NX649La2uyFy+7l9o8++xPONAgMBAAGjUDBOMB0GA1UdDgQWBBRKK2nWMR2jaOhG
-b/tL8462jVEOvzAfBgNVHSMEGDAWgBRKK2nWMR2jaOhGb/tL8462jVEOvzAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEd+gW86/W+fisz5PFHAeEw7zn9q
-dzLHm7+QZgNLZ9h7/ZbhObRUFMRtU2xm4amyh85h7hUE5R2E2uW2OXumic7/D4ZD
-6unjr4m5jwVWDTqTUYIcNSriyoDWAVlPfOWaU5NyUhqS1DM28tvOWVHVLCxmVcZl
-tJQqo5eHbQ/+Hjfx
+MIICtDCCAh2gAwIBAgIJAObVjC0tPL4iMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
+BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEaMBgG
+A1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNV
+BAMMB1Jvb3QgQ0EwIBcNMTgwMzAxMTg1MzM2WhgPMjEwMDA0MjAxODUzMzZaMHIx
+CzAJBgNVBAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJi
+eTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3Rpbmcx
+EDAOBgNVBAMMB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANSZ
+3aRYdHcnta24XXJGfomsg2OpYys3KkqK76aWEwhqRvdH2m54yBvHTZ2LsMLQro0q
+r4oGLyvlupC9fxwQF4ZDFHrn7VbxU947V+cipGkRaECXiGVO1ngUSpKti8nrIUkn
+FXkLmVaGuVv1jVOGBi6/6f3ct6LsNyFqXzaSw9DtAgMBAAGjUDBOMB0GA1UdDgQW
+BBQctE6LhA0eD8TM9BeH28ryVfE0OTAfBgNVHSMEGDAWgBQctE6LhA0eD8TM9BeH
+28ryVfE0OTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAHVShEeqQRjP
+IoMU8MFnnC1ZadADvSn1E6gRR7eoNU0MeMpTYmTA+TIklEzhaRHSkQqyPHAe/YMl
+WLmq1NqyxPv9uKekVlatJxYbm1ME4e+wGs3U9OGsIKX0nFcBO8iqpj5s7GZmSYyY
+u1YJnq1oe0C5IblVB9amcoB743/YyMme
 -----END CERTIFICATE-----
-

test/ssl/client-expired.crt

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
+        Validity
+            Not Before: Aug 20 00:00:00 2012 GMT
+            Not After : Aug 21 00:00:00 2012 GMT
+        Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=test client expired
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:b8:67:87:cf:05:35:29:81:b1:16:e3:0a:1c:59:
+                    83:36:dc:31:db:af:f2:a9:12:97:e7:96:c8:91:7c:
+                    a4:52:65:43:79:f4:20:e0:5f:ed:c0:b4:32:9d:c7:
+                    3d:21:9a:9e:92:6c:42:08:06:88:65:d5:4f:5e:70:
+                    d9:7d:e1:de:4b:be:26:e2:06:99:4a:54:f7:e7:1c:
+                    d6:7c:6f:d5:16:8d:b0:9d:ce:5d:29:f1:51:e9:12:
+                    fd:2f:ed:d6:fc:e1:cc:d6:31:0e:ce:0e:74:02:f3:
+                    1e:70:41:44:5d:67:ed:3b:9d:2f:43:b8:89:6f:90:
+                    52:9b:f1:e9:fc:ed:f8:35:d1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                27:DF:0F:D3:9A:8F:34:C8:9E:C1:6D:B9:29:99:0F:0D:3A:D1:BB:BD
+            X509v3 Authority Key Identifier: 
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
+
+    Signature Algorithm: sha256WithRSAEncryption
+         96:28:72:b2:16:af:2b:f2:92:d9:8b:e7:15:2c:e2:e1:55:48:
+         ce:45:d0:89:7a:80:41:ec:3e:b5:01:ee:b9:2e:62:44:7d:b5:
+         b2:f0:e5:83:62:1d:6f:3b:b5:69:4c:dd:c7:20:fb:b0:70:5a:
+         c5:f6:4a:97:14:4a:63:8f:da:3b:0d:27:e3:b9:06:a3:53:1c:
+         db:d3:9d:8a:8a:aa:7c:d7:a0:39:15:d5:03:8b:4f:0e:ab:78:
+         2f:05:69:8c:a3:5a:6b:70:6b:9e:b1:23:ad:d3:ef:a9:5d:01:
+         1b:37:7e:07:0f:97:cb:79:3a:7f:02:3d:40:62:20:63:a8:80:
+         92:da
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAkCgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTIwODIw
+MDAwMDAwWhcNMTIwODIxMDAwMDAwWjCBgDELMAkGA1UEBhMCR0IxGDAWBgNVBAgM
+D05vdHRpbmdoYW1zaGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwG
+U2VydmVyMRMwEQYDVQQLDApQcm9kdWN0aW9uMRwwGgYDVQQDDBN0ZXN0IGNsaWVu
+dCBleHBpcmVkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Z4fPBTUpgbEW
+4wocWYM23DHbr/KpEpfnlsiRfKRSZUN59CDgX+3AtDKdxz0hmp6SbEIIBohl1U9e
+cNl94d5LvibiBplKVPfnHNZ8b9UWjbCdzl0p8VHpEv0v7db84czWMQ7ODnQC8x5w
+QURdZ+07nS9DuIlvkFKb8en87fg10QIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
+SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUJ98P05qPNMiewW25KZkPDTrRu70wHwYDVR0jBBgwFoAUnlQ+5S/l6kBK/DeW
+bEW7GnkOyqswDQYJKoZIhvcNAQELBQADgYEAlihyshavK/KS2YvnFSzi4VVIzkXQ
+iXqAQew+tQHuuS5iRH21svDlg2Idbzu1aUzdxyD7sHBaxfZKlxRKY4/aOw0n47kG
+o1Mc29OdioqqfNegORXVA4tPDqt4LwVpjKNaa3BrnrEjrdPvqV0BGzd+Bw+Xy3k6
+fwI9QGIgY6iAkto=
+-----END CERTIFICATE-----

test/ssl/client-expired.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIBwTCCASoCAQAwgYAxCzAJBgNVBAYTAkdCMRgwFgYDVQQIDA9Ob3R0aW5naGFt
+c2hpcmUxEzARBgNVBAcMCk5vdHRpbmdoYW0xDzANBgNVBAoMBlNlcnZlcjETMBEG
+A1UECwwKUHJvZHVjdGlvbjEcMBoGA1UEAwwTdGVzdCBjbGllbnQgZXhwaXJlZDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGeHzwU1KYGxFuMKHFmDNtwx26/y
+qRKX55bIkXykUmVDefQg4F/twLQyncc9IZqekmxCCAaIZdVPXnDZfeHeS74m4gaZ
+SlT35xzWfG/VFo2wnc5dKfFR6RL9L+3W/OHM1jEOzg50AvMecEFEXWftO50vQ7iJ
+b5BSm/Hp/O34NdECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4GBAJApMCk6dQ5JLqES
+o3owRsIQb9cNv0D65uRFx02DK2kkC4j1k+QztieaXAcH6mlS3DlpeTvSw7HutypE
+L8XaG1yt+Yj11ZQydq1kb867nkIrRboGP16Zq5jiaI/q2OqmIz6kLU98mmDkgFdn
+ME6BEnpw2VeRojXkrTqUpCgbX9E8
+-----END CERTIFICATE REQUEST-----

test/ssl/client-revoked.crt

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
+        Validity
+            Not Before: Mar  1 18:53:51 2018 GMT
+            Not After : Feb 28 18:53:51 2023 GMT
+        Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=test client revoked
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:ca:88:c0:97:79:0c:af:97:dc:f2:06:5a:12:3d:
+                    07:bf:d0:ca:f3:90:e2:fa:a6:36:c7:67:0c:50:30:
+                    b6:98:1c:83:16:03:fa:7d:00:77:37:00:49:93:3d:
+                    20:0b:e8:fb:8f:20:a2:6a:29:df:ae:ee:38:38:a8:
+                    3b:76:b2:92:96:63:46:0b:b2:47:5f:5d:9b:8d:dc:
+                    31:95:3b:ac:e9:ab:c6:89:00:46:61:58:7f:b5:39:
+                    c6:97:7e:5c:f5:06:f0:ea:82:e6:11:27:18:1f:af:
+                    2c:cb:21:43:75:e3:cf:fa:41:d8:17:17:87:ce:29:
+                    df:7f:75:d6:1f:20:d7:29:03
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                53:1F:81:85:BB:93:78:8A:B4:22:F8:8C:E0:6C:99:5F:B6:AA:B5:9B
+            X509v3 Authority Key Identifier: 
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
+
+    Signature Algorithm: sha256WithRSAEncryption
+         24:f6:97:b8:b2:ac:eb:83:35:d8:fa:3e:86:13:a6:44:85:10:
+         c5:ba:33:c5:58:98:bc:6e:fe:30:60:12:41:ce:ac:3f:ed:38:
+         e6:5f:ff:b5:29:73:a7:f6:60:41:b2:10:23:da:74:f2:29:d6:
+         f1:bb:94:38:14:fc:75:50:64:f4:4d:d2:6a:3d:f0:da:e0:e8:
+         e2:b9:be:a4:30:b4:c7:c3:22:60:c4:a4:34:31:13:7b:46:9d:
+         bb:5f:8e:cd:21:9d:52:78:e5:e3:e9:e6:e8:62:16:a1:f0:af:
+         14:c8:2c:39:a6:2f:a9:f4:98:cf:8c:20:20:87:c2:15:78:e4:
+         53:23
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAkCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTgwMzAx
+MTg1MzUxWhcNMjMwMjI4MTg1MzUxWjCBgDELMAkGA1UEBhMCR0IxGDAWBgNVBAgM
+D05vdHRpbmdoYW1zaGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwG
+U2VydmVyMRMwEQYDVQQLDApQcm9kdWN0aW9uMRwwGgYDVQQDDBN0ZXN0IGNsaWVu
+dCByZXZva2VkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKiMCXeQyvl9zy
+BloSPQe/0MrzkOL6pjbHZwxQMLaYHIMWA/p9AHc3AEmTPSAL6PuPIKJqKd+u7jg4
+qDt2spKWY0YLskdfXZuN3DGVO6zpq8aJAEZhWH+1OcaXflz1BvDqguYRJxgfryzL
+IUN148/6QdgXF4fOKd9/ddYfINcpAwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
+SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUUx+BhbuTeIq0IviM4GyZX7aqtZswHwYDVR0jBBgwFoAUnlQ+5S/l6kBK/DeW
+bEW7GnkOyqswDQYJKoZIhvcNAQELBQADgYEAJPaXuLKs64M12Po+hhOmRIUQxboz
+xViYvG7+MGASQc6sP+045l//tSlzp/ZgQbIQI9p08inW8buUOBT8dVBk9E3Saj3w
+2uDo4rm+pDC0x8MiYMSkNDETe0adu1+OzSGdUnjl4+nm6GIWofCvFMgsOaYvqfSY
+z4wgIIfCFXjkUyM=
+-----END CERTIFICATE-----

test/ssl/client-revoked.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIBwTCCASoCAQAwgYAxCzAJBgNVBAYTAkdCMRgwFgYDVQQIDA9Ob3R0aW5naGFt
+c2hpcmUxEzARBgNVBAcMCk5vdHRpbmdoYW0xDzANBgNVBAoMBlNlcnZlcjETMBEG
+A1UECwwKUHJvZHVjdGlvbjEcMBoGA1UEAwwTdGVzdCBjbGllbnQgcmV2b2tlZDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyojAl3kMr5fc8gZaEj0Hv9DK85Di
++qY2x2cMUDC2mByDFgP6fQB3NwBJkz0gC+j7jyCiainfru44OKg7drKSlmNGC7JH
+X12bjdwxlTus6avGiQBGYVh/tTnGl35c9Qbw6oLmEScYH68syyFDdePP+kHYFxeH
+zinff3XWHyDXKQMCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4GBAGzSotjaZM3jQb4d
++RMmTpkWpOkhhyrhbFnzuMHN78hoS0VKdD/DsfQ+k7ARah3Y8CAicSZFc6IJHhic
+Cmj4m/jOQGAhq1sfuGiEd6FNdwOSJZb2bhhk+EKFaYM3Sool/u20Lt16R4xpBEVy
+K/zE75Uy+L9MzyXqzTee1ujLoPD+
+-----END CERTIFICATE REQUEST-----

test/ssl/client-revoked.key

+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDKiMCXeQyvl9zyBloSPQe/0MrzkOL6pjbHZwxQMLaYHIMWA/p9
+AHc3AEmTPSAL6PuPIKJqKd+u7jg4qDt2spKWY0YLskdfXZuN3DGVO6zpq8aJAEZh
+WH+1OcaXflz1BvDqguYRJxgfryzLIUN148/6QdgXF4fOKd9/ddYfINcpAwIDAQAB
+AoGAHsbvNVVwxxI1whWTBGh/z/dDkAW5aEtv0ZdoOJtec/kJNoQ+QVabxyDlDVnh
+j83ExHg6FhXs5uFOa9Wsy5nRSoGDIBcxsvz3aN1RKPxoT82D3+52oe5rXZCoemRX
+xYQYOvNoElms8GvqodUH/GfeAfpfK6LIxLhlFSPmrRAtEpkCQQD+hsbHWUwHZd10
+5vD12yYS4UGsnO8zMh5Fj3efRU63Jifyz+2x2aj3niSH8FOTmTvcnlrBAuwuNfA1
+vTXZqfBPAkEAy7TrjrrqyEEbSyS+gNtl7mZpOTjlxGlt0yGiLTuJuxExDc+b8hZw
+HUw8CHQuEIFYQhUa9e77THWe9PCA10B7DQJBAMKR3xT3U2J4YXGDNYKMU6+tGNpO
+YaDeWDvOr6BGiCUD+xfoEYmanUslTkHI2usDAbrmJvRTOp8cxpMeIDNTcIsCQQCQ
+olBt8wEoVjHO1LP+QcjJ0CT94AwjvMehlMvVWeSc0cQGjlWnOY84/hvR1MuwJGZJ
+5TpTS+9Zhlnqh6izLLExAkEAx/56MWBwhQQ+WIvKxHHe+u6rCSM4qRRZtAlKxqH1
+0KhILw+gtafscbyb4rfpvHr9TUY/g0v1OGgFERUXSj+jAA==
+-----END RSA PRIVATE KEY-----

test/ssl/client.crt

@@ -2,25 +2,25 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, O=Paho Project, OU=Testing, CN=Signing CA
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
         Validity
-            Not Before: Jul 29 19:21:31 2013 GMT
-            Not After : Jul 28 19:21:31 2018 GMT
+            Not Before: Mar  1 18:53:47 2018 GMT
+            Not After : Feb 28 18:53:47 2023 GMT
         Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=test client
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:dc:17:82:af:47:dc:71:77:73:c3:69:11:4b:ff:
-                    27:0e:29:4b:e6:6f:11:78:e4:56:88:c9:34:13:12:
-                    e1:82:ec:24:fe:65:c8:9d:bb:05:54:20:d0:b4:31:
-                    b9:4b:87:f8:4d:e5:c1:ba:99:f8:a2:cc:ff:8e:89:
-                    f2:7a:68:2f:53:42:4d:73:19:5e:ca:7e:b2:fe:3b:
-                    f7:d1:bc:e8:24:fa:77:47:ee:a4:89:cf:d1:dc:e9:
-                    99:3f:da:0e:d0:1e:c6:40:d2:60:ee:38:83:4e:a4:
-                    dd:46:a3:6a:ac:c9:61:af:d5:23:9d:23:14:b5:31:
-                    d5:ca:66:7a:30:3f:c2:ce:59
+                    00:b8:67:87:cf:05:35:29:81:b1:16:e3:0a:1c:59:
+                    83:36:dc:31:db:af:f2:a9:12:97:e7:96:c8:91:7c:
+                    a4:52:65:43:79:f4:20:e0:5f:ed:c0:b4:32:9d:c7:
+                    3d:21:9a:9e:92:6c:42:08:06:88:65:d5:4f:5e:70:
+                    d9:7d:e1:de:4b:be:26:e2:06:99:4a:54:f7:e7:1c:
+                    d6:7c:6f:d5:16:8d:b0:9d:ce:5d:29:f1:51:e9:12:
+                    fd:2f:ed:d6:fc:e1:cc:d6:31:0e:ce:0e:74:02:f3:
+                    1e:70:41:44:5d:67:ed:3b:9d:2f:43:b8:89:6f:90:
+                    52:9b:f1:e9:fc:ed:f8:35:d1
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
@@ -28,33 +28,34 @@ Certificate:
             Netscape Comment: 
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
-                17:CD:6D:67:FB:7D:77:59:0F:6C:F1:9B:0E:B0:EB:AE:BE:E0:9D:47
+                27:DF:0F:D3:9A:8F:34:C8:9E:C1:6D:B9:29:99:0F:0D:3A:D1:BB:BD
             X509v3 Authority Key Identifier: 
-                keyid:29:4D:6E:C7:F2:F7:71:72:DA:27:9C:9C:AB:DA:07:1D:47:9C:D8:41
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
 
-    Signature Algorithm: sha1WithRSAEncryption
-         b4:11:e8:8a:f5:21:d1:88:22:9e:f3:05:e6:47:c9:9d:87:10:
-         09:a1:9c:f1:38:5b:a0:5a:b4:f5:fd:8d:cf:ae:01:7d:b4:a8:
-         3c:dd:ed:17:b3:02:56:5b:4a:e6:17:58:8f:46:d4:02:97:95:
-         0b:00:0e:b4:77:3e:ad:f0:ce:06:25:38:2d:ff:df:a4:0e:3b:
-         83:73:f7:a3:da:c1:a1:24:68:a2:18:71:81:4e:3b:26:5a:e2:
-         10:9a:27:95:85:a8:3c:47:3a:60:49:21:2f:12:90:fc:4a:f0:
-         71:4d:bc:19:2a:06:07:f4:35:d9:8d:1d:b2:85:93:61:17:45:
-         26:9a
+    Signature Algorithm: sha256WithRSAEncryption
+         a1:0d:e1:4b:25:ef:4e:67:28:93:33:68:49:65:0e:18:eb:3f:
+         17:ae:47:68:75:4d:72:f5:41:6b:c5:f0:1d:06:0d:25:3d:fa:
+         ab:39:17:f4:e2:34:b7:49:9d:69:a1:92:4a:69:1b:17:42:5b:
+         c6:79:6f:20:31:81:5c:52:c2:58:6b:a0:ba:9a:fe:55:0e:8d:
+         0b:80:9f:4a:97:ed:05:05:90:a6:13:23:70:d0:56:93:a6:f4:
+         66:af:f0:96:05:8b:67:89:72:67:04:f4:5e:44:36:20:4e:b4:
+         97:b4:b2:3b:aa:e2:44:b1:ee:49:13:2c:af:e7:6d:37:e8:09:
+         50:6d
 -----BEGIN CERTIFICATE-----
-MIICyTCCAjKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJHQjET
-MBEGA1UECAwKRGVyYnlzaGlyZTEVMBMGA1UECgwMUGFobyBQcm9qZWN0MRAwDgYD
-VQQLDAdUZXN0aW5nMRMwEQYDVQQDDApTaWduaW5nIENBMB4XDTEzMDcyOTE5MjEz
-MVoXDTE4MDcyODE5MjEzMVoweDELMAkGA1UEBhMCR0IxGDAWBgNVBAgMD05vdHRp
-bmdoYW1zaGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwGU2VydmVy
-MRMwEQYDVQQLDApQcm9kdWN0aW9uMRQwEgYDVQQDDAt0ZXN0IGNsaWVudDCBnzAN
-BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3BeCr0fccXdzw2kRS/8nDilL5m8ReORW
-iMk0ExLhguwk/mXInbsFVCDQtDG5S4f4TeXBupn4osz/jonyemgvU0JNcxleyn6y
-/jv30bzoJPp3R+6kic/R3OmZP9oO0B7GQNJg7jiDTqTdRqNqrMlhr9UjnSMUtTHV
-ymZ6MD/CzlkCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl
-blNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBfNbWf7fXdZD2zx
-mw6w666+4J1HMB8GA1UdIwQYMBaAFClNbsfy93Fy2iecnKvaBx1HnNhBMA0GCSqG
-SIb3DQEBBQUAA4GBALQR6Ir1IdGIIp7zBeZHyZ2HEAmhnPE4W6BatPX9jc+uAX20
-qDzd7RezAlZbSuYXWI9G1AKXlQsADrR3Pq3wzgYlOC3/36QOO4Nz96PawaEkaKIY
-cYFOOyZa4hCaJ5WFqDxHOmBJIS8SkPxK8HFNvBkqBgf0NdmNHbKFk2EXRSaa
+MIICzjCCAjegAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTgwMzAx
+MTg1MzQ3WhcNMjMwMjI4MTg1MzQ3WjB4MQswCQYDVQQGEwJHQjEYMBYGA1UECAwP
+Tm90dGluZ2hhbXNoaXJlMRMwEQYDVQQHDApOb3R0aW5naGFtMQ8wDQYDVQQKDAZT
+ZXJ2ZXIxEzARBgNVBAsMClByb2R1Y3Rpb24xFDASBgNVBAMMC3Rlc3QgY2xpZW50
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Z4fPBTUpgbEW4wocWYM23DHb
+r/KpEpfnlsiRfKRSZUN59CDgX+3AtDKdxz0hmp6SbEIIBohl1U9ecNl94d5Lvibi
+BplKVPfnHNZ8b9UWjbCdzl0p8VHpEv0v7db84czWMQ7ODnQC8x5wQURdZ+07nS9D
+uIlvkFKb8en87fg10QIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQf
+Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJ98P05qP
+NMiewW25KZkPDTrRu70wHwYDVR0jBBgwFoAUnlQ+5S/l6kBK/DeWbEW7GnkOyqsw
+DQYJKoZIhvcNAQELBQADgYEAoQ3hSyXvTmcokzNoSWUOGOs/F65HaHVNcvVBa8Xw
+HQYNJT36qzkX9OI0t0mdaaGSSmkbF0JbxnlvIDGBXFLCWGugupr+VQ6NC4CfSpft
+BQWQphMjcNBWk6b0Zq/wlgWLZ4lyZwT0XkQ2IE60l7SyO6riRLHuSRMsr+dtN+gJ
+UG0=
 -----END CERTIFICATE-----

test/ssl/client.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIBuDCCASECAQAweDELMAkGA1UEBhMCR0IxGDAWBgNVBAgMD05vdHRpbmdoYW1z
+aGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwGU2VydmVyMRMwEQYD
+VQQLDApQcm9kdWN0aW9uMRQwEgYDVQQDDAt0ZXN0IGNsaWVudDCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAuGeHzwU1KYGxFuMKHFmDNtwx26/yqRKX55bIkXyk
+UmVDefQg4F/twLQyncc9IZqekmxCCAaIZdVPXnDZfeHeS74m4gaZSlT35xzWfG/V
+Fo2wnc5dKfFR6RL9L+3W/OHM1jEOzg50AvMecEFEXWftO50vQ7iJb5BSm/Hp/O34
+NdECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4GBABHID597FhoqxMtsvA8ggyW3S1Cc
+v8ycjmt3hn0fEg1SkSsCKL3CY98fxnhL71Eprsx0j7CcuwLaRiOkxzEFflzMAdDU
+3nMFyKc0YVKh3+j2yzE2oSKWQVGtg17pGw1DX17gerDe7iKLpZt855agtwawHvCZ
+kdwNWoUR43fFT2i7
+-----END CERTIFICATE REQUEST-----

test/ssl/client.key

 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDcF4KvR9xxd3PDaRFL/ycOKUvmbxF45FaIyTQTEuGC7CT+Zcid
-uwVUINC0MblLh/hN5cG6mfiizP+OifJ6aC9TQk1zGV7KfrL+O/fRvOgk+ndH7qSJ
-z9Hc6Zk/2g7QHsZA0mDuOINOpN1Go2qsyWGv1SOdIxS1MdXKZnowP8LOWQIDAQAB
-AoGAa+NifoXdfAmwR7QzdGuJO5nmyPjdOcPE35yx2D/DKCiWIdbHNvq8q/bCF/Lg
-ADSQ9a6Q/uYHSdbv13Gr2XFE8MSOCex5cWe7xcQ4jHM9AR4soMxDLXoEqia6QtFg
-RLrVolER/h1QcqJ4pP3QC025JLADXTAvarKAJlkR4nQPigECQQD1xCdxY3mHkl0C
-KSVVjyALKrRHoqIxu2w1qivfTqA/S02Ws5tn6g+lkAEUa7Jg2s1/U2HybRAdGz5v
-fuIW7eOhAkEA5UGrc2z7TyfKIwO5I6aRLFMqwyMKVdO5v4RZlJGBhtGHLEd5nJMw
-ueKLVAUa5/1LaowfLQxYZD+yF8dWdpbvuQJAAbik+hNTR5LL2fcFzuqYs9tRteq6
-rhR89odBlWfMkYTqfzK01O57u5Idn9H9RtZheBHSbss6wKlvL4K4/KYf4QJAZKXk
-A5TA8Atj7uNfkIs8CN2qVGk5zFxbm/0a5uLKnsm2MnZeqaLlLXaL/KMRIPBO/8Ps
-m/Zjh/9+zHmzN/Uj4QJBAPFmzczJDxDviQcEo7qL9J6JAJtijqDAgv9u1XpqIfIx
-GveE+zuKYC2g2Absn1Art3dQgJAsttOF/40HykRLeGc=
+MIICXgIBAAKBgQC4Z4fPBTUpgbEW4wocWYM23DHbr/KpEpfnlsiRfKRSZUN59CDg
+X+3AtDKdxz0hmp6SbEIIBohl1U9ecNl94d5LvibiBplKVPfnHNZ8b9UWjbCdzl0p
+8VHpEv0v7db84czWMQ7ODnQC8x5wQURdZ+07nS9DuIlvkFKb8en87fg10QIDAQAB
+AoGAPTRfpx6bXoNlO6tvl6k+G99JzRjA+czqDjvFpkQwZgimNLwKjW5Jg0RL6IJQ
+j+654u97mx5P9zytczMRfO6S0RCd7Ba/bYzUr+zP3yAiZt1B71Iu+emOlrRtIglT
+P/jee3Z3017Hqe1K0l/xu0F/a2cKKEMxBDwEvMn3jhkvumECQQDhxKMHavo+nDAc
+YNrwE2VxWYhZApGVzsGzO8tgQ95IN/BlmYptGQPyssNNItWvbfF6EjB0rTwcMWF2
+hCEoeg2bAkEA0Rjws4kGaP9jwOi7lEOKIrutv5Dfb6euioyvhDD/YxXt7YCijVwG
+ATZLkVEiL8G0E5tvkMR7O4ho6hHft5V3AwJBAK9LIx4OVNCqKrzOAxAmrzwMPU6H
+LQy5JTKJ+cX7zCocrN3mElHU+3jEjdllc66rWbPjTZY6L5LgUIFZ4/juk4MCQQCM
+4x8b+VHGYX5XNvlc9v0WVhrGHtlOJE+orw58JX+OxfHgu3HLiZvKKUlVirNcNkod
+g/fyNVFLVahLPuvciOr9AkEA1gzbg9q7kxKlFLlOYtowbLbMS/u8BUsaQJv1g05A
+Yua6Wg8D4gr3/aNKQhLLXe7fHCAPs61n/KyD2aat8I2xBQ==
 -----END RSA PRIVATE KEY-----

test/ssl/client.pem

@@ -2,25 +2,25 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, O=Paho Project, OU=Testing, CN=Signing CA
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
         Validity
-            Not Before: Jul 29 19:21:31 2013 GMT
-            Not After : Jul 28 19:21:31 2018 GMT
+            Not Before: Mar  1 18:53:47 2018 GMT
+            Not After : Feb 28 18:53:47 2023 GMT
         Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=test client
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:dc:17:82:af:47:dc:71:77:73:c3:69:11:4b:ff:
-                    27:0e:29:4b:e6:6f:11:78:e4:56:88:c9:34:13:12:
-                    e1:82:ec:24:fe:65:c8:9d:bb:05:54:20:d0:b4:31:
-                    b9:4b:87:f8:4d:e5:c1:ba:99:f8:a2:cc:ff:8e:89:
-                    f2:7a:68:2f:53:42:4d:73:19:5e:ca:7e:b2:fe:3b:
-                    f7:d1:bc:e8:24:fa:77:47:ee:a4:89:cf:d1:dc:e9:
-                    99:3f:da:0e:d0:1e:c6:40:d2:60:ee:38:83:4e:a4:
-                    dd:46:a3:6a:ac:c9:61:af:d5:23:9d:23:14:b5:31:
-                    d5:ca:66:7a:30:3f:c2:ce:59
+                    00:b8:67:87:cf:05:35:29:81:b1:16:e3:0a:1c:59:
+                    83:36:dc:31:db:af:f2:a9:12:97:e7:96:c8:91:7c:
+                    a4:52:65:43:79:f4:20:e0:5f:ed:c0:b4:32:9d:c7:
+                    3d:21:9a:9e:92:6c:42:08:06:88:65:d5:4f:5e:70:
+                    d9:7d:e1:de:4b:be:26:e2:06:99:4a:54:f7:e7:1c:
+                    d6:7c:6f:d5:16:8d:b0:9d:ce:5d:29:f1:51:e9:12:
+                    fd:2f:ed:d6:fc:e1:cc:d6:31:0e:ce:0e:74:02:f3:
+                    1e:70:41:44:5d:67:ed:3b:9d:2f:43:b8:89:6f:90:
+                    52:9b:f1:e9:fc:ed:f8:35:d1
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
@@ -28,122 +28,124 @@ Certificate:
             Netscape Comment: 
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
-                17:CD:6D:67:FB:7D:77:59:0F:6C:F1:9B:0E:B0:EB:AE:BE:E0:9D:47
+                27:DF:0F:D3:9A:8F:34:C8:9E:C1:6D:B9:29:99:0F:0D:3A:D1:BB:BD
             X509v3 Authority Key Identifier: 
-                keyid:29:4D:6E:C7:F2:F7:71:72:DA:27:9C:9C:AB:DA:07:1D:47:9C:D8:41
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
 
-    Signature Algorithm: sha1WithRSAEncryption
-         b4:11:e8:8a:f5:21:d1:88:22:9e:f3:05:e6:47:c9:9d:87:10:
-         09:a1:9c:f1:38:5b:a0:5a:b4:f5:fd:8d:cf:ae:01:7d:b4:a8:
-         3c:dd:ed:17:b3:02:56:5b:4a:e6:17:58:8f:46:d4:02:97:95:
-         0b:00:0e:b4:77:3e:ad:f0:ce:06:25:38:2d:ff:df:a4:0e:3b:
-         83:73:f7:a3:da:c1:a1:24:68:a2:18:71:81:4e:3b:26:5a:e2:
-         10:9a:27:95:85:a8:3c:47:3a:60:49:21:2f:12:90:fc:4a:f0:
-         71:4d:bc:19:2a:06:07:f4:35:d9:8d:1d:b2:85:93:61:17:45:
-         26:9a
+    Signature Algorithm: sha256WithRSAEncryption
+         a1:0d:e1:4b:25:ef:4e:67:28:93:33:68:49:65:0e:18:eb:3f:
+         17:ae:47:68:75:4d:72:f5:41:6b:c5:f0:1d:06:0d:25:3d:fa:
+         ab:39:17:f4:e2:34:b7:49:9d:69:a1:92:4a:69:1b:17:42:5b:
+         c6:79:6f:20:31:81:5c:52:c2:58:6b:a0:ba:9a:fe:55:0e:8d:
+         0b:80:9f:4a:97:ed:05:05:90:a6:13:23:70:d0:56:93:a6:f4:
+         66:af:f0:96:05:8b:67:89:72:67:04:f4:5e:44:36:20:4e:b4:
+         97:b4:b2:3b:aa:e2:44:b1:ee:49:13:2c:af:e7:6d:37:e8:09:
+         50:6d
 -----BEGIN CERTIFICATE-----
-MIICyTCCAjKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJHQjET
-MBEGA1UECAwKRGVyYnlzaGlyZTEVMBMGA1UECgwMUGFobyBQcm9qZWN0MRAwDgYD
-VQQLDAdUZXN0aW5nMRMwEQYDVQQDDApTaWduaW5nIENBMB4XDTEzMDcyOTE5MjEz
-MVoXDTE4MDcyODE5MjEzMVoweDELMAkGA1UEBhMCR0IxGDAWBgNVBAgMD05vdHRp
-bmdoYW1zaGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwGU2VydmVy
-MRMwEQYDVQQLDApQcm9kdWN0aW9uMRQwEgYDVQQDDAt0ZXN0IGNsaWVudDCBnzAN
-BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3BeCr0fccXdzw2kRS/8nDilL5m8ReORW
-iMk0ExLhguwk/mXInbsFVCDQtDG5S4f4TeXBupn4osz/jonyemgvU0JNcxleyn6y
-/jv30bzoJPp3R+6kic/R3OmZP9oO0B7GQNJg7jiDTqTdRqNqrMlhr9UjnSMUtTHV
-ymZ6MD/CzlkCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl
-blNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBfNbWf7fXdZD2zx
-mw6w666+4J1HMB8GA1UdIwQYMBaAFClNbsfy93Fy2iecnKvaBx1HnNhBMA0GCSqG
-SIb3DQEBBQUAA4GBALQR6Ir1IdGIIp7zBeZHyZ2HEAmhnPE4W6BatPX9jc+uAX20
-qDzd7RezAlZbSuYXWI9G1AKXlQsADrR3Pq3wzgYlOC3/36QOO4Nz96PawaEkaKIY
-cYFOOyZa4hCaJ5WFqDxHOmBJIS8SkPxK8HFNvBkqBgf0NdmNHbKFk2EXRSaa
+MIICzjCCAjegAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTgwMzAx
+MTg1MzQ3WhcNMjMwMjI4MTg1MzQ3WjB4MQswCQYDVQQGEwJHQjEYMBYGA1UECAwP
+Tm90dGluZ2hhbXNoaXJlMRMwEQYDVQQHDApOb3R0aW5naGFtMQ8wDQYDVQQKDAZT
+ZXJ2ZXIxEzARBgNVBAsMClByb2R1Y3Rpb24xFDASBgNVBAMMC3Rlc3QgY2xpZW50
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Z4fPBTUpgbEW4wocWYM23DHb
+r/KpEpfnlsiRfKRSZUN59CDgX+3AtDKdxz0hmp6SbEIIBohl1U9ecNl94d5Lvibi
+BplKVPfnHNZ8b9UWjbCdzl0p8VHpEv0v7db84czWMQ7ODnQC8x5wQURdZ+07nS9D
+uIlvkFKb8en87fg10QIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQf
+Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJ98P05qP
+NMiewW25KZkPDTrRu70wHwYDVR0jBBgwFoAUnlQ+5S/l6kBK/DeWbEW7GnkOyqsw
+DQYJKoZIhvcNAQELBQADgYEAoQ3hSyXvTmcokzNoSWUOGOs/F65HaHVNcvVBa8Xw
+HQYNJT36qzkX9OI0t0mdaaGSSmkbF0JbxnlvIDGBXFLCWGugupr+VQ6NC4CfSpft
+BQWQphMjcNBWk6b0Zq/wlgWLZ4lyZwT0XkQ2IE60l7SyO6riRLHuSRMsr+dtN+gJ
+UG0=
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDcF4KvR9xxd3PDaRFL/ycOKUvmbxF45FaIyTQTEuGC7CT+Zcid
-uwVUINC0MblLh/hN5cG6mfiizP+OifJ6aC9TQk1zGV7KfrL+O/fRvOgk+ndH7qSJ
-z9Hc6Zk/2g7QHsZA0mDuOINOpN1Go2qsyWGv1SOdIxS1MdXKZnowP8LOWQIDAQAB
-AoGAa+NifoXdfAmwR7QzdGuJO5nmyPjdOcPE35yx2D/DKCiWIdbHNvq8q/bCF/Lg
-ADSQ9a6Q/uYHSdbv13Gr2XFE8MSOCex5cWe7xcQ4jHM9AR4soMxDLXoEqia6QtFg
-RLrVolER/h1QcqJ4pP3QC025JLADXTAvarKAJlkR4nQPigECQQD1xCdxY3mHkl0C
-KSVVjyALKrRHoqIxu2w1qivfTqA/S02Ws5tn6g+lkAEUa7Jg2s1/U2HybRAdGz5v
-fuIW7eOhAkEA5UGrc2z7TyfKIwO5I6aRLFMqwyMKVdO5v4RZlJGBhtGHLEd5nJMw
-ueKLVAUa5/1LaowfLQxYZD+yF8dWdpbvuQJAAbik+hNTR5LL2fcFzuqYs9tRteq6
-rhR89odBlWfMkYTqfzK01O57u5Idn9H9RtZheBHSbss6wKlvL4K4/KYf4QJAZKXk
-A5TA8Atj7uNfkIs8CN2qVGk5zFxbm/0a5uLKnsm2MnZeqaLlLXaL/KMRIPBO/8Ps
-m/Zjh/9+zHmzN/Uj4QJBAPFmzczJDxDviQcEo7qL9J6JAJtijqDAgv9u1XpqIfIx
-GveE+zuKYC2g2Absn1Art3dQgJAsttOF/40HykRLeGc=
+MIICXgIBAAKBgQC4Z4fPBTUpgbEW4wocWYM23DHbr/KpEpfnlsiRfKRSZUN59CDg
+X+3AtDKdxz0hmp6SbEIIBohl1U9ecNl94d5LvibiBplKVPfnHNZ8b9UWjbCdzl0p
+8VHpEv0v7db84czWMQ7ODnQC8x5wQURdZ+07nS9DuIlvkFKb8en87fg10QIDAQAB
+AoGAPTRfpx6bXoNlO6tvl6k+G99JzRjA+czqDjvFpkQwZgimNLwKjW5Jg0RL6IJQ
+j+654u97mx5P9zytczMRfO6S0RCd7Ba/bYzUr+zP3yAiZt1B71Iu+emOlrRtIglT
+P/jee3Z3017Hqe1K0l/xu0F/a2cKKEMxBDwEvMn3jhkvumECQQDhxKMHavo+nDAc
+YNrwE2VxWYhZApGVzsGzO8tgQ95IN/BlmYptGQPyssNNItWvbfF6EjB0rTwcMWF2
+hCEoeg2bAkEA0Rjws4kGaP9jwOi7lEOKIrutv5Dfb6euioyvhDD/YxXt7YCijVwG
+ATZLkVEiL8G0E5tvkMR7O4ho6hHft5V3AwJBAK9LIx4OVNCqKrzOAxAmrzwMPU6H
+LQy5JTKJ+cX7zCocrN3mElHU+3jEjdllc66rWbPjTZY6L5LgUIFZ4/juk4MCQQCM
+4x8b+VHGYX5XNvlc9v0WVhrGHtlOJE+orw58JX+OxfHgu3HLiZvKKUlVirNcNkod
+g/fyNVFLVahLPuvciOr9AkEA1gzbg9q7kxKlFLlOYtowbLbMS/u8BUsaQJv1g05A
+Yua6Wg8D4gr3/aNKQhLLXe7fHCAPs61n/KyD2aat8I2xBQ==
 -----END RSA PRIVATE KEY-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Paho Project, OU=Testing, CN=Root CA
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Mosquitto Project, OU=Testing, CN=Root CA
         Validity
-            Not Before: Jul 29 19:21:30 2013 GMT
-            Not After : Jul 28 19:21:30 2018 GMT
-        Subject: C=GB, ST=Derbyshire, O=Paho Project, OU=Testing, CN=Signing CA
+            Not Before: Mar  1 18:53:36 2018 GMT
+            Not After : Feb 28 18:53:36 2023 GMT
+        Subject: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:dc:26:78:40:ae:b2:ad:2f:26:12:0a:d5:b1:18:
-                    80:16:d8:88:be:0b:42:ce:32:ad:12:d5:f5:78:1b:
-                    35:28:f2:13:1b:05:09:fb:7e:d7:d9:a1:8a:0d:4a:
-                    fe:95:37:d4:16:75:83:e4:6a:44:34:33:57:2e:49:
-                    ba:bc:b4:cf:d0:c0:87:e0:bc:f0:60:76:14:00:d6:
-                    eb:cb:f6:db:b3:43:f1:c8:4d:4a:0a:bb:e0:37:7c:
-                    8e:93:1f:a0:87:68:59:fe:0c:25:40:f3:7c:fd:71:
-                    90:55:ef:de:18:b4:08:86:c9:75:c2:99:2f:ce:12:
-                    bf:c5:5e:cf:5f:f1:06:53:07
+                    00:af:ad:b0:e4:78:b8:73:01:6a:9e:78:1e:bf:36:
+                    5b:60:dc:ee:28:ce:16:3c:73:30:b3:02:cd:5c:07:
+                    a2:36:ee:a1:c5:43:32:0c:46:57:cb:fb:1c:52:db:
+                    4e:65:85:8a:5d:a6:cd:66:43:ad:bc:70:1b:e6:b0:
+                    11:0f:d8:54:1f:57:9e:29:4e:2b:1b:c5:70:b2:3d:
+                    38:a7:63:3f:1a:06:2f:6d:09:2c:7c:90:60:db:8c:
+                    3a:11:20:a7:db:20:25:d9:c6:97:74:50:5a:e0:fd:
+                    81:aa:de:ea:1d:e5:be:61:59:0d:76:e5:ab:7f:3b:
+                    b2:a6:38:b9:bb:32:aa:72:ef
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                29:4D:6E:C7:F2:F7:71:72:DA:27:9C:9C:AB:DA:07:1D:47:9C:D8:41
+                9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
             X509v3 Authority Key Identifier: 
-                keyid:4A:2B:69:D6:31:1D:A3:68:E8:46:6F:FB:4B:F3:8E:B6:8D:51:0E:BF
+                keyid:1C:B4:4E:8B:84:0D:1E:0F:C4:CC:F4:17:87:DB:CA:F2:55:F1:34:39
 
             X509v3 Basic Constraints: 
                 CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         48:ec:d7:80:8a:8f:82:a6:42:b1:89:2c:b9:4b:6d:0a:37:b8:
-         72:19:05:de:75:80:0c:d6:41:97:b2:d7:fe:99:cb:7e:c4:0e:
-         77:97:09:a8:9f:87:ff:0b:de:3f:1c:dc:1e:fe:09:36:a7:f5:
-         54:9a:85:4e:fb:6f:27:fe:0f:29:45:61:8d:07:c6:0c:da:37:
-         3d:a3:69:4b:82:71:e6:24:e0:87:a6:ee:d5:87:61:dd:8f:08:
-         fe:33:a6:1f:ae:b2:ae:1f:d8:2c:20:c8:a6:fc:33:0e:82:68:
-         80:23:61:10:ad:5c:1d:80:d6:b1:5f:e4:af:66:6d:63:10:e4:
-         96:e4
+    Signature Algorithm: sha256WithRSAEncryption
+         6c:2d:41:ca:7b:89:84:27:ca:b3:64:d5:73:b2:5b:dd:fc:6f:
+         d4:68:ae:f1:30:3e:9e:ca:28:2b:d3:2e:0c:61:3e:d5:9a:fd:
+         67:b1:60:e5:54:9f:a4:95:51:5b:00:2d:f9:46:82:de:49:df:
+         ce:2a:f3:f6:2e:8f:8f:64:2b:c9:2f:ce:ff:d2:53:a0:0a:c4:
+         4a:e9:20:fa:5e:79:45:21:18:c2:d6:c1:64:92:e4:67:3a:92:
+         04:46:5e:6a:39:84:c8:f1:0e:42:3c:fd:b2:c2:7b:e9:af:44:
+         2c:19:30:61:01:39:47:6d:38:85:90:4b:e5:04:f4:87:72:46:
+         4a:9a
 -----BEGIN CERTIFICATE-----
-MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJHQjET
-MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxFTATBgNVBAoMDFBh
-aG8gUHJvamVjdDEQMA4GA1UECwwHVGVzdGluZzEQMA4GA1UEAwwHUm9vdCBDQTAe
-Fw0xMzA3MjkxOTIxMzBaFw0xODA3MjgxOTIxMzBaMGAxCzAJBgNVBAYTAkdCMRMw
-EQYDVQQIDApEZXJieXNoaXJlMRUwEwYDVQQKDAxQYWhvIFByb2plY3QxEDAOBgNV
-BAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwgZ8wDQYJKoZIhvcNAQEB
-BQADgY0AMIGJAoGBANwmeECusq0vJhIK1bEYgBbYiL4LQs4yrRLV9XgbNSjyExsF
-Cft+19mhig1K/pU31BZ1g+RqRDQzVy5Jury0z9DAh+C88GB2FADW68v227ND8chN
-Sgq74Dd8jpMfoIdoWf4MJUDzfP1xkFXv3hi0CIbJdcKZL84Sv8Vez1/xBlMHAgMB
-AAGjUDBOMB0GA1UdDgQWBBQpTW7H8vdxctonnJyr2gcdR5zYQTAfBgNVHSMEGDAW
-gBRKK2nWMR2jaOhGb/tL8462jVEOvzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
-BQUAA4GBAEjs14CKj4KmQrGJLLlLbQo3uHIZBd51gAzWQZey1/6Zy37EDneXCaif
-h/8L3j8c3B7+CTan9VSahU77byf+DylFYY0HxgzaNz2jaUuCceYk4Iem7tWHYd2P
-CP4zph+usq4f2CwgyKb8Mw6CaIAjYRCtXB2A1rFf5K9mbWMQ5Jbk
+MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxGjAYBgNVBAoMEU1v
+c3F1aXR0byBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdSb290
+IENBMB4XDTE4MDMwMTE4NTMzNloXDTIzMDIyODE4NTMzNlowZTELMAkGA1UEBhMC
+R0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxGjAYBgNVBAoMEU1vc3F1aXR0byBQcm9q
+ZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRMwEQYDVQQDDApTaWduaW5nIENBMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvrbDkeLhzAWqeeB6/Nltg3O4ozhY8czCz
+As1cB6I27qHFQzIMRlfL+xxS205lhYpdps1mQ628cBvmsBEP2FQfV54pTisbxXCy
+PTinYz8aBi9tCSx8kGDbjDoRIKfbICXZxpd0UFrg/YGq3uod5b5hWQ125at/O7Km
+OLm7Mqpy7wIDAQABo1AwTjAdBgNVHQ4EFgQUnlQ+5S/l6kBK/DeWbEW7GnkOyqsw
+HwYDVR0jBBgwFoAUHLROi4QNHg/EzPQXh9vK8lXxNDkwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOBgQBsLUHKe4mEJ8qzZNVzslvd/G/UaK7xMD6eyigr0y4M
+YT7Vmv1nsWDlVJ+klVFbAC35RoLeSd/OKvP2Lo+PZCvJL87/0lOgCsRK6SD6XnlF
+IRjC1sFkkuRnOpIERl5qOYTI8Q5CPP2ywnvpr0QsGTBhATlHbTiFkEvlBPSHckZK
+mg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICqDCCAhGgAwIBAgIJAKrzwmdXIUxsMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
-BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEVMBMG
-A1UECgwMUGFobyBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdS
-b290IENBMB4XDTEzMDcyOTE5MjEyOVoXDTIzMDcyNzE5MjEyOVowbTELMAkGA1UE
-BhMCR0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxDjAMBgNVBAcMBURlcmJ5MRUwEwYD
-VQQKDAxQYWhvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNVBAMMB1Jv
-b3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKbPzEEWCKsjjwjJ787u
-Q32k5EdqoDddMEjSVbZNSNEwUew1L7O8NTbmtCEeVFQjOLAdmdiF3rQbXHV+Zew0
-jt2g4vtPpl1GOG6jA/6YznKAyQdvGCdYfGZUN2tN+mbtVxWqkHZitQDQGaSHnx24
-NX649La2uyFy+7l9o8++xPONAgMBAAGjUDBOMB0GA1UdDgQWBBRKK2nWMR2jaOhG
-b/tL8462jVEOvzAfBgNVHSMEGDAWgBRKK2nWMR2jaOhGb/tL8462jVEOvzAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEd+gW86/W+fisz5PFHAeEw7zn9q
-dzLHm7+QZgNLZ9h7/ZbhObRUFMRtU2xm4amyh85h7hUE5R2E2uW2OXumic7/D4ZD
-6unjr4m5jwVWDTqTUYIcNSriyoDWAVlPfOWaU5NyUhqS1DM28tvOWVHVLCxmVcZl
-tJQqo5eHbQ/+Hjfx
+MIICtDCCAh2gAwIBAgIJAObVjC0tPL4iMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
+BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEaMBgG
+A1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNV
+BAMMB1Jvb3QgQ0EwIBcNMTgwMzAxMTg1MzM2WhgPMjEwMDA0MjAxODUzMzZaMHIx
+CzAJBgNVBAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJi
+eTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3Rpbmcx
+EDAOBgNVBAMMB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANSZ
+3aRYdHcnta24XXJGfomsg2OpYys3KkqK76aWEwhqRvdH2m54yBvHTZ2LsMLQro0q
+r4oGLyvlupC9fxwQF4ZDFHrn7VbxU947V+cipGkRaECXiGVO1ngUSpKti8nrIUkn
+FXkLmVaGuVv1jVOGBi6/6f3ct6LsNyFqXzaSw9DtAgMBAAGjUDBOMB0GA1UdDgQW
+BBQctE6LhA0eD8TM9BeH28ryVfE0OTAfBgNVHSMEGDAWgBQctE6LhA0eD8TM9BeH
+28ryVfE0OTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAHVShEeqQRjP
+IoMU8MFnnC1ZadADvSn1E6gRR7eoNU0MeMpTYmTA+TIklEzhaRHSkQqyPHAe/YMl
+WLmq1NqyxPv9uKekVlatJxYbm1ME4e+wGs3U9OGsIKX0nFcBO8iqpj5s7GZmSYyY
+u1YJnq1oe0C5IblVB9amcoB743/YyMme
 -----END CERTIFICATE-----

test/ssl/crl.pem

+-----BEGIN X509 CRL-----
+MIIBUzCBvQIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjETMBEGA1UE
+CAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNV
+BAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EXDTE4MDMwMTE4NTM1M1oX
+DTE4MDMzMTE4NTM1M1owFDASAgEEFw0xODAzMDExODUzNTNaoA4wDDAKBgNVHRQE
+AwIBATANBgkqhkiG9w0BAQsFAAOBgQBsUN/A26sGOL0rL7IOq2LoJ7bi4jfD+wjk
+M+UkOn9Q7dvJFkXmyqFUYj8DQCDrSNB20X0O76sW1KHkoJp3Xf2zwKQUXY6oqhtW
+nEOoB0ELViIo02VeboVoPIHSxt7nYEopAoVoqVMqUkVYugge9EVF/c++SMNvzy+L
+I7L8YKQ8/g==
+-----END X509 CRL-----

test/ssl/gen.sh

@@ -18,15 +18,15 @@ BBASESUBJ="/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Bridge"
 
 # The root CA
 openssl genrsa -out test-root-ca.key 1024
-openssl req -new -x509 -days 3650 -key test-root-ca.key -out test-root-ca.crt -config openssl.cnf -subj "${BASESUBJ}/CN=Root CA/"
+openssl req -new -x509 -days 30000 -key test-root-ca.key -out test-root-ca.crt -config openssl.cnf -subj "${BASESUBJ}/CN=Root CA/"
 
 # Another root CA that doesn't sign anything
 openssl genrsa -out test-bad-root-ca.key 1024
-openssl req -new -x509 -days 3650 -key test-bad-root-ca.key -out test-bad-root-ca.crt -config openssl.cnf -subj "${BASESUBJ}/CN=Bad Root CA/"
+openssl req -new -x509 -days 30000 -key test-bad-root-ca.key -out test-bad-root-ca.crt -config openssl.cnf -subj "${BASESUBJ}/CN=Bad Root CA/"
 
 # This is a root CA that has the exact same details as the real root CA, but is a different key and certificate. Effectively a "fake" CA.
 openssl genrsa -out test-fake-root-ca.key 1024
-openssl req -new -x509 -days 3650 -key test-fake-root-ca.key -out test-fake-root-ca.crt -config openssl.cnf -subj "${BASESUBJ}/CN=Root CA/"
+openssl req -new -x509 -days 30000 -key test-fake-root-ca.key -out test-fake-root-ca.crt -config openssl.cnf -subj "${BASESUBJ}/CN=Root CA/"
 
 # An intermediate CA, signed by the root CA, used to sign server/client csrs.
 openssl genrsa -out test-signing-ca.key 1024

test/ssl/mosquitto.conf

-log_type error
-log_type warning
-log_type notice
-log_type information
-log_type debug
-
-allow_anonymous true
-
-# non-SSL listener
-listener 18883
-
-# listener for mutual authentication
-listener 18884
-cafile /etc/mosquitto/tls-testing/keys/all-ca.crt
-certfile /etc/mosquitto/tls-testing/keys/server/server.crt
-keyfile /etc/mosquitto/tls-testing/keys/server/server.key
-require_certificate true
-
-# server authentication - no client authentication
-listener 18885
-cafile /etc/mosquitto/tls-testing/keys/all-ca.crt
-certfile /etc/mosquitto/tls-testing/keys/server/server.crt
-keyfile /etc/mosquitto/tls-testing/keys/server/server.key
-require_certificate false
-
-listener 18886
-cafile /etc/mosquitto/tls-testing/keys/all-ca.crt
-certfile /etc/mosquitto/tls-testing/keys/server/server.crt
-keyfile /etc/mosquitto/tls-testing/keys/server/server.key
-require_certificate false
-ciphers ADH-DES-CBC-SHA
-
-# server authentication - no client authentication - uses fake hostname to
-# simulate mitm attack. Clients should refuse to connect to this listener.
-listener 18887
-cafile /etc/mosquitto/tls-testing/keys/all-ca.crt
-certfile /etc/mosquitto/tls-testing/keys/server/server-mitm.crt
-keyfile /etc/mosquitto/tls-testing/keys/server/server-mitm.key
-require_certificate false
-

test/ssl/rootCA/crlnumber

+01

test/ssl/rootCA/index.txt

+V	230228185336Z		01	unknown	/C=GB/ST=Derbyshire/O=Mosquitto Project/OU=Testing/CN=Signing CA
+V	230228185342Z		02	unknown	/C=GB/ST=Derbyshire/O=Mosquitto Project/OU=Testing/CN=Alternative Signing CA

test/ssl/rootCA/index.txt.attr

+unique_subject = yes

test/ssl/rootCA/index.txt.attr.old

+unique_subject = yes

test/ssl/rootCA/index.txt.old

+V	230228185336Z		01	unknown	/C=GB/ST=Derbyshire/O=Mosquitto Project/OU=Testing/CN=Signing CA

test/ssl/all-ca.crt.text → test/ssl/rootCA/newcerts/01.pem

@@ -2,57 +2,57 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-        Signature Algorithm: sha1WithRSAEncryption
+    Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=GB, ST=Derbyshire, L=Derby, O=Mosquitto Project, OU=Testing, CN=Root CA
         Validity
-            Not Before: Jul 24 23:51:16 2013 GMT
-            Not After : Jul 23 23:51:16 2018 GMT
+            Not Before: Mar  1 18:53:36 2018 GMT
+            Not After : Feb 28 18:53:36 2023 GMT
         Subject: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:b5:4a:2a:fa:e4:80:43:6e:6e:db:23:89:47:0d:
-                    a9:04:a0:dd:18:e8:35:20:fd:2a:73:16:83:de:e1:
-                    c6:e2:c7:04:b5:a6:0d:f9:d7:85:f6:b2:bb:fd:c3:
-                    4d:ca:ce:9f:e8:6c:33:ac:fc:9c:db:a9:c3:df:38:
-                    10:2e:8a:23:e5:32:6d:61:c3:d6:b3:d4:1e:cd:f6:
-                    58:3f:d8:32:87:2f:fe:ce:ab:c2:19:50:ab:05:8e:
-                    16:c5:00:c8:d0:77:f3:c0:64:29:01:3b:51:52:d5:
-                    8d:23:65:eb:38:ff:57:f3:96:aa:b8:ad:82:2d:4e:
-                    27:be:61:7f:2d:4c:37:3f:ed
+                    00:af:ad:b0:e4:78:b8:73:01:6a:9e:78:1e:bf:36:
+                    5b:60:dc:ee:28:ce:16:3c:73:30:b3:02:cd:5c:07:
+                    a2:36:ee:a1:c5:43:32:0c:46:57:cb:fb:1c:52:db:
+                    4e:65:85:8a:5d:a6:cd:66:43:ad:bc:70:1b:e6:b0:
+                    11:0f:d8:54:1f:57:9e:29:4e:2b:1b:c5:70:b2:3d:
+                    38:a7:63:3f:1a:06:2f:6d:09:2c:7c:90:60:db:8c:
+                    3a:11:20:a7:db:20:25:d9:c6:97:74:50:5a:e0:fd:
+                    81:aa:de:ea:1d:e5:be:61:59:0d:76:e5:ab:7f:3b:
+                    b2:a6:38:b9:bb:32:aa:72:ef
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                E5:6E:B6:D5:29:2C:0F:06:71:4A:9B:19:B0:59:26:EB:F4:2E:01:06
+                9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
             X509v3 Authority Key Identifier: 
-                keyid:AB:DD:8A:2B:B5:18:4F:A5:7B:17:59:B2:4A:DE:BE:2D:64:CF:CE:BE
+                keyid:1C:B4:4E:8B:84:0D:1E:0F:C4:CC:F4:17:87:DB:CA:F2:55:F1:34:39
 
             X509v3 Basic Constraints: 
                 CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-        4c:73:07:63:12:55:0e:85:7a:a8:aa:55:f5:0d:68:a4:e7:c5:
-        fb:dc:61:f1:8c:4e:76:8d:aa:38:04:74:59:4b:e3:e9:c0:e3:
-        a3:7e:7a:b8:09:f2:17:17:57:0c:a7:de:5c:2b:e1:21:e7:ae:
-        a5:10:97:f6:b9:d9:55:d7:06:8a:7b:0e:7b:f1:3f:3a:f9:4b:
-        11:3b:f4:ff:6b:46:db:dc:5b:ae:64:7d:d3:5e:73:be:3a:33:
-        4c:4d:62:8c:67:48:8b:42:d3:f0:34:de:26:f6:5b:33:10:2a:
-        d2:80:9e:77:c8:22:01:ea:2a:bf:cd:f5:d5:4a:8a:7b:5c:5c:
-        dd:55
+    Signature Algorithm: sha256WithRSAEncryption
+         6c:2d:41:ca:7b:89:84:27:ca:b3:64:d5:73:b2:5b:dd:fc:6f:
+         d4:68:ae:f1:30:3e:9e:ca:28:2b:d3:2e:0c:61:3e:d5:9a:fd:
+         67:b1:60:e5:54:9f:a4:95:51:5b:00:2d:f9:46:82:de:49:df:
+         ce:2a:f3:f6:2e:8f:8f:64:2b:c9:2f:ce:ff:d2:53:a0:0a:c4:
+         4a:e9:20:fa:5e:79:45:21:18:c2:d6:c1:64:92:e4:67:3a:92:
+         04:46:5e:6a:39:84:c8:f1:0e:42:3c:fd:b2:c2:7b:e9:af:44:
+         2c:19:30:61:01:39:47:6d:38:85:90:4b:e5:04:f4:87:72:46:
+         4a:9a
 -----BEGIN CERTIFICATE-----
-MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADByMQswCQYDVQQGEwJHQjET
+MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJHQjET
 MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxGjAYBgNVBAoMEU1v
 c3F1aXR0byBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdSb290
-IENBMB4XDTEzMDcyNDIzNTExNloXDTE4MDcyMzIzNTExNlowZTELMAkGA1UEBhMC
+IENBMB4XDTE4MDMwMTE4NTMzNloXDTIzMDIyODE4NTMzNlowZTELMAkGA1UEBhMC
 R0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxGjAYBgNVBAoMEU1vc3F1aXR0byBQcm9q
 ZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRMwEQYDVQQDDApTaWduaW5nIENBMIGfMA0G
-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1Sir65IBDbm7bI4lHDakEoN0Y6DUg/Spz
-FoPe4cbixwS1pg3514X2srv9w03Kzp/obDOs/JzbqcPfOBAuiiPlMm1hw9az1B7N
-9lg/2DKHL/7Oq8IZUKsFjhbFAMjQd/PAZCkBO1FS1Y0jZes4/1fzlqq4rYItTie+
-YX8tTDc/7QIDAQABo1AwTjAdBgNVHQ4EFgQU5W621SksDwZxSpsZsFkm6/QuAQYw
-HwYDVR0jBBgwFoAUq92KK7UYT6V7F1mySt6+LWTPzr4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQUFAAOBgQBMcwdjElUOhXqoqlX1DWik58X73GHxjE52jao4BHRZ
-S+PpwOOjfnq4CfIXF1cMp95cK+Eh566lEJf2udlV1waKew578T86+UsRO/T/a0bb
-3FuuZH3TXnO+OjNMTWKMZ0iLQtPwNN4m9lszECrSgJ53yCIB6iq/zfXVSop7XFzd
-VQ==
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvrbDkeLhzAWqeeB6/Nltg3O4ozhY8czCz
+As1cB6I27qHFQzIMRlfL+xxS205lhYpdps1mQ628cBvmsBEP2FQfV54pTisbxXCy
+PTinYz8aBi9tCSx8kGDbjDoRIKfbICXZxpd0UFrg/YGq3uod5b5hWQ125at/O7Km
+OLm7Mqpy7wIDAQABo1AwTjAdBgNVHQ4EFgQUnlQ+5S/l6kBK/DeWbEW7GnkOyqsw
+HwYDVR0jBBgwFoAUHLROi4QNHg/EzPQXh9vK8lXxNDkwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOBgQBsLUHKe4mEJ8qzZNVzslvd/G/UaK7xMD6eyigr0y4M
+YT7Vmv1nsWDlVJ+klVFbAC35RoLeSd/OKvP2Lo+PZCvJL87/0lOgCsRK6SD6XnlF
+IRjC1sFkkuRnOpIERl5qOYTI8Q5CPP2ywnvpr0QsGTBhATlHbTiFkEvlBPSHckZK
+mg==
 -----END CERTIFICATE-----

test/ssl/rootCA/newcerts/02.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Mosquitto Project, OU=Testing, CN=Root CA
+        Validity
+            Not Before: Mar  1 18:53:42 2018 GMT
+            Not After : Feb 28 18:53:42 2023 GMT
+        Subject: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Alternative Signing CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:bd:8b:92:ed:6a:d6:b7:73:88:e7:fa:80:bd:bc:
+                    ee:fb:6a:47:f4:36:4e:48:ab:88:8a:a6:66:98:84:
+                    6a:4c:a8:88:5f:cc:26:98:81:fe:8b:22:c4:c0:91:
+                    70:74:72:22:48:1d:e1:b8:44:71:23:74:17:59:bc:
+                    a6:51:18:97:4c:6d:50:8c:0a:c5:33:cc:28:2a:cf:
+                    78:04:a2:20:75:72:29:4a:46:7b:c7:46:a5:f5:5e:
+                    ec:6f:53:bc:d7:ad:b5:29:dd:22:24:4e:b7:88:e2:
+                    94:58:04:fe:6d:04:13:8d:c8:72:d0:74:2a:ef:18:
+                    87:6d:cf:ce:6e:4a:08:73:c3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                78:CC:8C:66:81:0F:8F:DA:56:5C:39:A2:30:C2:28:9E:53:A6:87:CA
+            X509v3 Authority Key Identifier: 
+                keyid:1C:B4:4E:8B:84:0D:1E:0F:C4:CC:F4:17:87:DB:CA:F2:55:F1:34:39
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         27:3c:17:44:29:8f:17:a7:c0:b7:81:eb:76:ca:53:85:9a:ad:
+         31:68:85:95:69:d6:ab:02:75:a8:ac:71:6f:4d:20:23:6d:5c:
+         09:1d:0a:85:f4:e6:6f:6e:1e:c1:1f:34:1e:87:6e:d3:b9:e0:
+         b2:2f:08:82:fb:4b:28:36:a9:68:54:18:9b:16:6a:f2:ab:ae:
+         bd:7a:40:d2:a7:64:46:4c:f5:cb:15:07:02:7b:3f:44:5e:e1:
+         35:83:99:3f:46:7d:99:76:d2:89:3c:9f:a6:70:13:dd:8e:bd:
+         d2:b1:51:ec:9c:db:2e:f4:fd:f7:1d:de:2c:27:f3:55:9b:81:
+         07:81
+-----BEGIN CERTIFICATE-----
+MIICqTCCAhKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxGjAYBgNVBAoMEU1v
+c3F1aXR0byBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdSb290
+IENBMB4XDTE4MDMwMTE4NTM0MloXDTIzMDIyODE4NTM0MlowcTELMAkGA1UEBhMC
+R0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxGjAYBgNVBAoMEU1vc3F1aXR0byBQcm9q
+ZWN0MRAwDgYDVQQLDAdUZXN0aW5nMR8wHQYDVQQDDBZBbHRlcm5hdGl2ZSBTaWdu
+aW5nIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9i5Ltata3c4jn+oC9
+vO77akf0Nk5Iq4iKpmaYhGpMqIhfzCaYgf6LIsTAkXB0ciJIHeG4RHEjdBdZvKZR
+GJdMbVCMCsUzzCgqz3gEoiB1cilKRnvHRqX1XuxvU7zXrbUp3SIkTreI4pRYBP5t
+BBONyHLQdCrvGIdtz85uSghzwwIDAQABo1AwTjAdBgNVHQ4EFgQUeMyMZoEPj9pW
+XDmiMMIonlOmh8owHwYDVR0jBBgwFoAUHLROi4QNHg/EzPQXh9vK8lXxNDkwDAYD
+VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQAnPBdEKY8Xp8C3get2ylOFmq0x
+aIWVadarAnWorHFvTSAjbVwJHQqF9OZvbh7BHzQeh27TueCyLwiC+0soNqloVBib
+Fmryq669ekDSp2RGTPXLFQcCez9EXuE1g5k/Rn2ZdtKJPJ+mcBPdjr3SsVHsnNsu
+9P33Hd4sJ/NVm4EHgQ==
+-----END CERTIFICATE-----

test/ssl/rootCA/serial

+03

test/ssl/rootCA/serial.old

+02

test/ssl/server-expired.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIBtjCCAR8CAQAwdjELMAkGA1UEBhMCR0IxGDAWBgNVBAgMD05vdHRpbmdoYW1z
+aGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwGU2VydmVyMRMwEQYD
+VQQLDApQcm9kdWN0aW9uMRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAMkY4WrERVgOt2U6uG/fCthdGKpACNbVefrKeWuezlWF
+ydVPu39agcg8Xartf0iHwvFMYgDDjZqjwnclxnDM79GPF30bw6tmPpDwROOFi3eG
+IbLdCyztoBagFmNJubuQRUTx9x6tVxxFogiZEwXjE3bv883zOiFzIXUKLVjiCjo9
+AgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQCyLfIr0Ze/Vo1eswPb5khaZh9A6B54
+NmhmdGNCBC4z+PNfFM1UX47ttnU9f/7bhhKT92W6QhO0COzf9UzTkW0rRJipCOeR
+vatPpPC8WNoH4YHEeTdGey6YYG4448b3+Los22H/BtZSbHqluztE2yNPFA7S50xO
+JP/+Qtt+I+Y8JA==
+-----END CERTIFICATE REQUEST-----

test/ssl/server.crt

@@ -2,25 +2,25 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, O=Paho Project, OU=Testing, CN=Signing CA
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
         Validity
-            Not Before: Jul 29 19:21:30 2013 GMT
-            Not After : Jul 28 19:21:30 2018 GMT
+            Not Before: Mar  1 18:53:44 2018 GMT
+            Not After : Feb 28 18:53:44 2023 GMT
         Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=localhost
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:be:b7:65:98:5e:e1:e0:68:e7:14:04:e5:40:2d:
-                    d3:b4:f2:b2:dd:6e:5c:97:7a:5b:c5:4f:7a:45:11:
-                    99:4e:56:30:c6:d6:50:29:88:c3:31:6d:b0:f1:a8:
-                    5f:f5:fd:cc:d1:52:0f:40:70:04:cc:14:0d:98:45:
-                    62:a8:f9:88:0a:be:20:32:53:c5:48:fb:b0:e4:25:
-                    db:25:ec:0d:c4:6a:28:dc:af:d7:2d:63:99:b9:f4:
-                    c0:32:54:dc:be:4d:9f:7f:67:7e:2a:be:82:2d:de:
-                    37:35:0b:0d:7b:b8:9c:55:ff:cf:ab:fe:61:e9:8c:
-                    bf:c4:27:e2:56:2f:1a:73:87
+                    00:c9:18:e1:6a:c4:45:58:0e:b7:65:3a:b8:6f:df:
+                    0a:d8:5d:18:aa:40:08:d6:d5:79:fa:ca:79:6b:9e:
+                    ce:55:85:c9:d5:4f:bb:7f:5a:81:c8:3c:5d:aa:ed:
+                    7f:48:87:c2:f1:4c:62:00:c3:8d:9a:a3:c2:77:25:
+                    c6:70:cc:ef:d1:8f:17:7d:1b:c3:ab:66:3e:90:f0:
+                    44:e3:85:8b:77:86:21:b2:dd:0b:2c:ed:a0:16:a0:
+                    16:63:49:b9:bb:90:45:44:f1:f7:1e:ad:57:1c:45:
+                    a2:08:99:13:05:e3:13:76:ef:f3:cd:f3:3a:21:73:
+                    21:75:0a:2d:58:e2:0a:3a:3d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
@@ -28,33 +28,33 @@ Certificate:
             Netscape Comment: 
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
-                A1:8C:9A:D1:28:58:68:C5:46:5B:FA:C5:48:01:96:67:55:97:65:8A
+                7E:42:6C:12:CB:42:12:36:54:03:29:B6:D8:21:CA:E1:65:48:C5:67
             X509v3 Authority Key Identifier: 
-                keyid:29:4D:6E:C7:F2:F7:71:72:DA:27:9C:9C:AB:DA:07:1D:47:9C:D8:41
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
 
-    Signature Algorithm: sha1WithRSAEncryption
-         78:f6:a1:34:ac:2c:a5:0a:1d:82:97:97:1f:f5:03:44:a7:c0:
-         4d:e8:8d:67:e7:71:50:30:3c:8b:77:eb:81:96:78:6b:ab:31:
-         5a:ba:7b:1c:ad:ec:fd:a6:5d:73:ef:99:2d:6f:9f:7e:13:ac:
-         b2:61:2f:e4:56:cc:28:f1:e4:7f:ea:a9:b2:f2:85:87:68:52:
-         65:b0:42:54:84:92:2f:fb:45:d4:36:e2:3c:0e:4c:a6:6d:82:
-         8f:72:c0:66:0c:5f:b2:a7:7c:9b:be:cd:19:55:5d:40:27:99:
-         14:e2:cf:59:cb:4b:40:e4:98:2d:f7:93:14:4a:50:dc:75:9c:
-         5c:9d
+    Signature Algorithm: sha256WithRSAEncryption
+         08:e1:a9:a0:e9:c4:1b:65:8d:b0:71:60:68:18:d8:af:49:8f:
+         0b:41:62:bb:f8:23:71:65:f2:c7:cf:59:23:63:48:fa:ba:26:
+         5f:2d:2e:4c:18:e4:f0:6e:cb:38:be:51:d0:e2:cc:76:ab:f6:
+         13:c2:49:68:e2:ef:da:86:a9:3d:80:29:9f:ee:33:be:cd:4c:
+         b2:4c:14:04:e3:46:46:46:ec:c1:4a:63:de:f3:5a:7b:0f:28:
+         a1:92:c8:96:07:b3:73:96:f4:9e:a0:bf:36:ea:f1:1a:8b:f7:
+         d5:ed:6c:e2:bf:cd:61:bc:a4:ca:ee:fa:75:af:ad:4c:54:4b:
+         af:18
 -----BEGIN CERTIFICATE-----
-MIICxzCCAjCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJHQjET
-MBEGA1UECAwKRGVyYnlzaGlyZTEVMBMGA1UECgwMUGFobyBQcm9qZWN0MRAwDgYD
-VQQLDAdUZXN0aW5nMRMwEQYDVQQDDApTaWduaW5nIENBMB4XDTEzMDcyOTE5MjEz
-MFoXDTE4MDcyODE5MjEzMFowdjELMAkGA1UEBhMCR0IxGDAWBgNVBAgMD05vdHRp
-bmdoYW1zaGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwGU2VydmVy
-MRMwEQYDVQQLDApQcm9kdWN0aW9uMRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJ
-KoZIhvcNAQEBBQADgY0AMIGJAoGBAL63ZZhe4eBo5xQE5UAt07Tyst1uXJd6W8VP
-ekURmU5WMMbWUCmIwzFtsPGoX/X9zNFSD0BwBMwUDZhFYqj5iAq+IDJTxUj7sOQl
-2yXsDcRqKNyv1y1jmbn0wDJU3L5Nn39nfiq+gi3eNzULDXu4nFX/z6v+YemMv8Qn
-4lYvGnOHAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T
-U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBShjJrRKFhoxUZb+sVI
-AZZnVZdlijAfBgNVHSMEGDAWgBQpTW7H8vdxctonnJyr2gcdR5zYQTANBgkqhkiG
-9w0BAQUFAAOBgQB49qE0rCylCh2Cl5cf9QNEp8BN6I1n53FQMDyLd+uBlnhrqzFa
-unscrez9pl1z75ktb59+E6yyYS/kVswo8eR/6qmy8oWHaFJlsEJUhJIv+0XUNuI8
-DkymbYKPcsBmDF+yp3ybvs0ZVV1AJ5kU4s9Zy0tA5Jgt95MUSlDcdZxcnQ==
+MIICzDCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTgwMzAx
+MTg1MzQ0WhcNMjMwMjI4MTg1MzQ0WjB2MQswCQYDVQQGEwJHQjEYMBYGA1UECAwP
+Tm90dGluZ2hhbXNoaXJlMRMwEQYDVQQHDApOb3R0aW5naGFtMQ8wDQYDVQQKDAZT
+ZXJ2ZXIxEzARBgNVBAsMClByb2R1Y3Rpb24xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyRjhasRFWA63ZTq4b98K2F0YqkAI
+1tV5+sp5a57OVYXJ1U+7f1qByDxdqu1/SIfC8UxiAMONmqPCdyXGcMzv0Y8XfRvD
+q2Y+kPBE44WLd4Yhst0LLO2gFqAWY0m5u5BFRPH3Hq1XHEWiCJkTBeMTdu/zzfM6
+IXMhdQotWOIKOj0CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
+T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFH5CbBLLQhI2
+VAMpttghyuFlSMVnMB8GA1UdIwQYMBaAFJ5UPuUv5epASvw3lmxFuxp5DsqrMA0G
+CSqGSIb3DQEBCwUAA4GBAAjhqaDpxBtljbBxYGgY2K9JjwtBYrv4I3Fl8sfPWSNj
+SPq6Jl8tLkwY5PBuyzi+UdDizHar9hPCSWji79qGqT2AKZ/uM77NTLJMFATjRkZG
+7MFKY97zWnsPKKGSyJYHs3OW9J6gvzbq8RqL99XtbOK/zWG8pMru+nWvrUxUS68Y
 -----END CERTIFICATE-----

test/ssl/server.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIBtjCCAR8CAQAwdjELMAkGA1UEBhMCR0IxGDAWBgNVBAgMD05vdHRpbmdoYW1z
+aGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwGU2VydmVyMRMwEQYD
+VQQLDApQcm9kdWN0aW9uMRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAMkY4WrERVgOt2U6uG/fCthdGKpACNbVefrKeWuezlWF
+ydVPu39agcg8Xartf0iHwvFMYgDDjZqjwnclxnDM79GPF30bw6tmPpDwROOFi3eG
+IbLdCyztoBagFmNJubuQRUTx9x6tVxxFogiZEwXjE3bv883zOiFzIXUKLVjiCjo9
+AgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQCyLfIr0Ze/Vo1eswPb5khaZh9A6B54
+NmhmdGNCBC4z+PNfFM1UX47ttnU9f/7bhhKT92W6QhO0COzf9UzTkW0rRJipCOeR
+vatPpPC8WNoH4YHEeTdGey6YYG4448b3+Los22H/BtZSbHqluztE2yNPFA7S50xO
+JP/+Qtt+I+Y8JA==
+-----END CERTIFICATE REQUEST-----

test/ssl/server.key

 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQC+t2WYXuHgaOcUBOVALdO08rLdblyXelvFT3pFEZlOVjDG1lAp
-iMMxbbDxqF/1/czRUg9AcATMFA2YRWKo+YgKviAyU8VI+7DkJdsl7A3Eaijcr9ct
-Y5m59MAyVNy+TZ9/Z34qvoIt3jc1Cw17uJxV/8+r/mHpjL/EJ+JWLxpzhwIDAQAB
-AoGAW1dC1UM8M1qKsc/WbHKGXreOavccaYA0y79Q9BuFrTsiiVjDc+EIe3fpsxPN
-QeeYXPhMTbRY19US3cb9hahdOtPZc1zKRoloWl995v6X5XufTmgigBRUrRKG6rln
-wok6PYwKQmcG+yVaOjPwiJBx+4gfGjD6qO/fhK2sWWtyneECQQDrUEiaWvQE0uli
-EI34MhO3As0iYyw1qFHVck4bbFS4RT0gnhWYVeabd5mTKx1ztLlr0ykwaCf9FoMG
-U2liyV/VAkEAz3t0v8vZrlpotW9CRzBQ63vYW3+d8m5Hmkvsghrfem52je6MN0oL
-2Y7F3JrJh1bC9ZNgtkBF/mIQgv9jGBoP6wJASKTYRQ6fFn4mHmgN6/lJrM3olh0X
-oNj9qm9HPaAL53c4j8E92XFrZ8NcXdqJlRbNx0PBC3icH727ZVCK0DxqoQJABTRn
-nVgTwdfqwIJl+zsvDHky2Di/UZGKokg9SpY5/OxAdRcC1XA6E98M/5eybn6yrU5h
-IrFCEDuNhnu5lKUyuQJAAiNPFWPkl4XeghyzPDA1lUYMwKPr7oEwELqS8fIq/g4K
-BI10X7qlpioI4I6jA9lwlIdtR+q620UFZRlQts9nug==
+MIICWwIBAAKBgQDJGOFqxEVYDrdlOrhv3wrYXRiqQAjW1Xn6ynlrns5VhcnVT7t/
+WoHIPF2q7X9Ih8LxTGIAw42ao8J3JcZwzO/Rjxd9G8OrZj6Q8ETjhYt3hiGy3Qss
+7aAWoBZjSbm7kEVE8fcerVccRaIImRMF4xN27/PN8zohcyF1Ci1Y4go6PQIDAQAB
+AoGAFXX0SIKdq+IWLFVx7W5uJ9z3juO6jcLGe78z6gpOls3qVjtmFRdBlm7qyB0E
+YmcqpLm0E8TKzeAAFtsPLGaSiSg+EDoK/ov0d79FZ2h/lDl1xJUpJC5Up7kzJz5M
+P9iEUN1I1BWMkXUl0pYQFlbTQk77s1l5abKyYOqEMzH7oHkCQQDndfRgtFELix94
+mxHOqK1cenWBs4wDmlCA1Z2mG9OBHM+rs/eHymRJ6D/mGuyhtnLIfcglevzrVdek
+ySuuur73AkEA3mrVFIu1Ku8LIrPljoNzFU1qMqZsAX2uxlltFJd1iaAGh20yL9kJ
+CEUtXGpbnpGcDAIzAHNCP3cmVLuYOGefawJACerL5bjUICJ93rUGNkyT4Pp+Pmhq
+/1yFRn/gmVVn4ohRfZHgcTkCwwfodPuCWAtxL5X0FWcHny22Z6EW9g2aUQJATDCo
+gXtCOkzcsaySbHlXCOsV//fGc9RL9KJZnX4sw1JQKkAbuwxL7ctUuJ2ueOlEXVC7
+i+HvxbHZLZl9kYTdtQJAc/9z7pgMk7OQoQo+1dJEbrZ0+t1jAc7mAF2FjzyQ4XUU
+on/k8gVN8Ruy52qfzKP2MqwjlEJ9HOhENmknjlazUA==
 -----END RSA PRIVATE KEY-----

test/ssl/server.pem

-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, O=Paho Project, OU=Testing, CN=Signing CA
-        Validity
-            Not Before: Jul 29 19:21:30 2013 GMT
-            Not After : Jul 28 19:21:30 2018 GMT
-        Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=localhost
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:be:b7:65:98:5e:e1:e0:68:e7:14:04:e5:40:2d:
-                    d3:b4:f2:b2:dd:6e:5c:97:7a:5b:c5:4f:7a:45:11:
-                    99:4e:56:30:c6:d6:50:29:88:c3:31:6d:b0:f1:a8:
-                    5f:f5:fd:cc:d1:52:0f:40:70:04:cc:14:0d:98:45:
-                    62:a8:f9:88:0a:be:20:32:53:c5:48:fb:b0:e4:25:
-                    db:25:ec:0d:c4:6a:28:dc:af:d7:2d:63:99:b9:f4:
-                    c0:32:54:dc:be:4d:9f:7f:67:7e:2a:be:82:2d:de:
-                    37:35:0b:0d:7b:b8:9c:55:ff:cf:ab:fe:61:e9:8c:
-                    bf:c4:27:e2:56:2f:1a:73:87
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            Netscape Comment: 
-                OpenSSL Generated Certificate
-            X509v3 Subject Key Identifier: 
-                A1:8C:9A:D1:28:58:68:C5:46:5B:FA:C5:48:01:96:67:55:97:65:8A
-            X509v3 Authority Key Identifier: 
-                keyid:29:4D:6E:C7:F2:F7:71:72:DA:27:9C:9C:AB:DA:07:1D:47:9C:D8:41
-
-    Signature Algorithm: sha1WithRSAEncryption
-         78:f6:a1:34:ac:2c:a5:0a:1d:82:97:97:1f:f5:03:44:a7:c0:
-         4d:e8:8d:67:e7:71:50:30:3c:8b:77:eb:81:96:78:6b:ab:31:
-         5a:ba:7b:1c:ad:ec:fd:a6:5d:73:ef:99:2d:6f:9f:7e:13:ac:
-         b2:61:2f:e4:56:cc:28:f1:e4:7f:ea:a9:b2:f2:85:87:68:52:
-         65:b0:42:54:84:92:2f:fb:45:d4:36:e2:3c:0e:4c:a6:6d:82:
-         8f:72:c0:66:0c:5f:b2:a7:7c:9b:be:cd:19:55:5d:40:27:99:
-         14:e2:cf:59:cb:4b:40:e4:98:2d:f7:93:14:4a:50:dc:75:9c:
-         5c:9d
------BEGIN CERTIFICATE-----
-MIICxzCCAjCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJHQjET
-MBEGA1UECAwKRGVyYnlzaGlyZTEVMBMGA1UECgwMUGFobyBQcm9qZWN0MRAwDgYD
-VQQLDAdUZXN0aW5nMRMwEQYDVQQDDApTaWduaW5nIENBMB4XDTEzMDcyOTE5MjEz
-MFoXDTE4MDcyODE5MjEzMFowdjELMAkGA1UEBhMCR0IxGDAWBgNVBAgMD05vdHRp
-bmdoYW1zaGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwGU2VydmVy
-MRMwEQYDVQQLDApQcm9kdWN0aW9uMRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJ
-KoZIhvcNAQEBBQADgY0AMIGJAoGBAL63ZZhe4eBo5xQE5UAt07Tyst1uXJd6W8VP
-ekURmU5WMMbWUCmIwzFtsPGoX/X9zNFSD0BwBMwUDZhFYqj5iAq+IDJTxUj7sOQl
-2yXsDcRqKNyv1y1jmbn0wDJU3L5Nn39nfiq+gi3eNzULDXu4nFX/z6v+YemMv8Qn
-4lYvGnOHAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T
-U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBShjJrRKFhoxUZb+sVI
-AZZnVZdlijAfBgNVHSMEGDAWgBQpTW7H8vdxctonnJyr2gcdR5zYQTANBgkqhkiG
-9w0BAQUFAAOBgQB49qE0rCylCh2Cl5cf9QNEp8BN6I1n53FQMDyLd+uBlnhrqzFa
-unscrez9pl1z75ktb59+E6yyYS/kVswo8eR/6qmy8oWHaFJlsEJUhJIv+0XUNuI8
-DkymbYKPcsBmDF+yp3ybvs0ZVV1AJ5kU4s9Zy0tA5Jgt95MUSlDcdZxcnQ==
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Paho Project, OU=Testing, CN=Root CA
-        Validity
-            Not Before: Jul 29 19:21:30 2013 GMT
-            Not After : Jul 28 19:21:30 2018 GMT
-        Subject: C=GB, ST=Derbyshire, O=Paho Project, OU=Testing, CN=Signing CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:dc:26:78:40:ae:b2:ad:2f:26:12:0a:d5:b1:18:
-                    80:16:d8:88:be:0b:42:ce:32:ad:12:d5:f5:78:1b:
-                    35:28:f2:13:1b:05:09:fb:7e:d7:d9:a1:8a:0d:4a:
-                    fe:95:37:d4:16:75:83:e4:6a:44:34:33:57:2e:49:
-                    ba:bc:b4:cf:d0:c0:87:e0:bc:f0:60:76:14:00:d6:
-                    eb:cb:f6:db:b3:43:f1:c8:4d:4a:0a:bb:e0:37:7c:
-                    8e:93:1f:a0:87:68:59:fe:0c:25:40:f3:7c:fd:71:
-                    90:55:ef:de:18:b4:08:86:c9:75:c2:99:2f:ce:12:
-                    bf:c5:5e:cf:5f:f1:06:53:07
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                29:4D:6E:C7:F2:F7:71:72:DA:27:9C:9C:AB:DA:07:1D:47:9C:D8:41
-            X509v3 Authority Key Identifier: 
-                keyid:4A:2B:69:D6:31:1D:A3:68:E8:46:6F:FB:4B:F3:8E:B6:8D:51:0E:BF
-
-            X509v3 Basic Constraints: 
-                CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         48:ec:d7:80:8a:8f:82:a6:42:b1:89:2c:b9:4b:6d:0a:37:b8:
-         72:19:05:de:75:80:0c:d6:41:97:b2:d7:fe:99:cb:7e:c4:0e:
-         77:97:09:a8:9f:87:ff:0b:de:3f:1c:dc:1e:fe:09:36:a7:f5:
-         54:9a:85:4e:fb:6f:27:fe:0f:29:45:61:8d:07:c6:0c:da:37:
-         3d:a3:69:4b:82:71:e6:24:e0:87:a6:ee:d5:87:61:dd:8f:08:
-         fe:33:a6:1f:ae:b2:ae:1f:d8:2c:20:c8:a6:fc:33:0e:82:68:
-         80:23:61:10:ad:5c:1d:80:d6:b1:5f:e4:af:66:6d:63:10:e4:
-         96:e4
------BEGIN CERTIFICATE-----
-MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJHQjET
-MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxFTATBgNVBAoMDFBh
-aG8gUHJvamVjdDEQMA4GA1UECwwHVGVzdGluZzEQMA4GA1UEAwwHUm9vdCBDQTAe
-Fw0xMzA3MjkxOTIxMzBaFw0xODA3MjgxOTIxMzBaMGAxCzAJBgNVBAYTAkdCMRMw
-EQYDVQQIDApEZXJieXNoaXJlMRUwEwYDVQQKDAxQYWhvIFByb2plY3QxEDAOBgNV
-BAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwgZ8wDQYJKoZIhvcNAQEB
-BQADgY0AMIGJAoGBANwmeECusq0vJhIK1bEYgBbYiL4LQs4yrRLV9XgbNSjyExsF
-Cft+19mhig1K/pU31BZ1g+RqRDQzVy5Jury0z9DAh+C88GB2FADW68v227ND8chN
-Sgq74Dd8jpMfoIdoWf4MJUDzfP1xkFXv3hi0CIbJdcKZL84Sv8Vez1/xBlMHAgMB
-AAGjUDBOMB0GA1UdDgQWBBQpTW7H8vdxctonnJyr2gcdR5zYQTAfBgNVHSMEGDAW
-gBRKK2nWMR2jaOhGb/tL8462jVEOvzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
-BQUAA4GBAEjs14CKj4KmQrGJLLlLbQo3uHIZBd51gAzWQZey1/6Zy37EDneXCaif
-h/8L3j8c3B7+CTan9VSahU77byf+DylFYY0HxgzaNz2jaUuCceYk4Iem7tWHYd2P
-CP4zph+usq4f2CwgyKb8Mw6CaIAjYRCtXB2A1rFf5K9mbWMQ5Jbk
------END CERTIFICATE-----

test/ssl/signingCA/crlnumber

+02

test/ssl/signingCA/crlnumber.old

+01

test/ssl/signingCA/index.txt

+V	230228185344Z		01	unknown	/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Production/CN=localhost
+V	230228185347Z		02	unknown	/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Production/CN=test client
+V	120821000000Z		03	unknown	/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Production/CN=test client expired
+R	230228185351Z	180301185353Z	04	unknown	/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Production/CN=test client revoked

test/ssl/signingCA/index.txt.attr

+unique_subject = yes

test/ssl/signingCA/index.txt.attr.old

+unique_subject = yes

test/ssl/signingCA/index.txt.old

+V	230228185344Z		01	unknown	/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Production/CN=localhost
+V	230228185347Z		02	unknown	/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Production/CN=test client
+V	120821000000Z		03	unknown	/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Production/CN=test client expired
+V	230228185351Z		04	unknown	/C=GB/ST=Nottinghamshire/L=Nottingham/O=Server/OU=Production/CN=test client revoked

test/ssl/signingCA/newcerts/01.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
+        Validity
+            Not Before: Mar  1 18:53:44 2018 GMT
+            Not After : Feb 28 18:53:44 2023 GMT
+        Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:c9:18:e1:6a:c4:45:58:0e:b7:65:3a:b8:6f:df:
+                    0a:d8:5d:18:aa:40:08:d6:d5:79:fa:ca:79:6b:9e:
+                    ce:55:85:c9:d5:4f:bb:7f:5a:81:c8:3c:5d:aa:ed:
+                    7f:48:87:c2:f1:4c:62:00:c3:8d:9a:a3:c2:77:25:
+                    c6:70:cc:ef:d1:8f:17:7d:1b:c3:ab:66:3e:90:f0:
+                    44:e3:85:8b:77:86:21:b2:dd:0b:2c:ed:a0:16:a0:
+                    16:63:49:b9:bb:90:45:44:f1:f7:1e:ad:57:1c:45:
+                    a2:08:99:13:05:e3:13:76:ef:f3:cd:f3:3a:21:73:
+                    21:75:0a:2d:58:e2:0a:3a:3d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                7E:42:6C:12:CB:42:12:36:54:03:29:B6:D8:21:CA:E1:65:48:C5:67
+            X509v3 Authority Key Identifier: 
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
+
+    Signature Algorithm: sha256WithRSAEncryption
+         08:e1:a9:a0:e9:c4:1b:65:8d:b0:71:60:68:18:d8:af:49:8f:
+         0b:41:62:bb:f8:23:71:65:f2:c7:cf:59:23:63:48:fa:ba:26:
+         5f:2d:2e:4c:18:e4:f0:6e:cb:38:be:51:d0:e2:cc:76:ab:f6:
+         13:c2:49:68:e2:ef:da:86:a9:3d:80:29:9f:ee:33:be:cd:4c:
+         b2:4c:14:04:e3:46:46:46:ec:c1:4a:63:de:f3:5a:7b:0f:28:
+         a1:92:c8:96:07:b3:73:96:f4:9e:a0:bf:36:ea:f1:1a:8b:f7:
+         d5:ed:6c:e2:bf:cd:61:bc:a4:ca:ee:fa:75:af:ad:4c:54:4b:
+         af:18
+-----BEGIN CERTIFICATE-----
+MIICzDCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTgwMzAx
+MTg1MzQ0WhcNMjMwMjI4MTg1MzQ0WjB2MQswCQYDVQQGEwJHQjEYMBYGA1UECAwP
+Tm90dGluZ2hhbXNoaXJlMRMwEQYDVQQHDApOb3R0aW5naGFtMQ8wDQYDVQQKDAZT
+ZXJ2ZXIxEzARBgNVBAsMClByb2R1Y3Rpb24xEjAQBgNVBAMMCWxvY2FsaG9zdDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyRjhasRFWA63ZTq4b98K2F0YqkAI
+1tV5+sp5a57OVYXJ1U+7f1qByDxdqu1/SIfC8UxiAMONmqPCdyXGcMzv0Y8XfRvD
+q2Y+kPBE44WLd4Yhst0LLO2gFqAWY0m5u5BFRPH3Hq1XHEWiCJkTBeMTdu/zzfM6
+IXMhdQotWOIKOj0CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
+T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFH5CbBLLQhI2
+VAMpttghyuFlSMVnMB8GA1UdIwQYMBaAFJ5UPuUv5epASvw3lmxFuxp5DsqrMA0G
+CSqGSIb3DQEBCwUAA4GBAAjhqaDpxBtljbBxYGgY2K9JjwtBYrv4I3Fl8sfPWSNj
+SPq6Jl8tLkwY5PBuyzi+UdDizHar9hPCSWji79qGqT2AKZ/uM77NTLJMFATjRkZG
+7MFKY97zWnsPKKGSyJYHs3OW9J6gvzbq8RqL99XtbOK/zWG8pMru+nWvrUxUS68Y
+-----END CERTIFICATE-----

test/ssl/signingCA/newcerts/02.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
+        Validity
+            Not Before: Mar  1 18:53:47 2018 GMT
+            Not After : Feb 28 18:53:47 2023 GMT
+        Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=test client
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:b8:67:87:cf:05:35:29:81:b1:16:e3:0a:1c:59:
+                    83:36:dc:31:db:af:f2:a9:12:97:e7:96:c8:91:7c:
+                    a4:52:65:43:79:f4:20:e0:5f:ed:c0:b4:32:9d:c7:
+                    3d:21:9a:9e:92:6c:42:08:06:88:65:d5:4f:5e:70:
+                    d9:7d:e1:de:4b:be:26:e2:06:99:4a:54:f7:e7:1c:
+                    d6:7c:6f:d5:16:8d:b0:9d:ce:5d:29:f1:51:e9:12:
+                    fd:2f:ed:d6:fc:e1:cc:d6:31:0e:ce:0e:74:02:f3:
+                    1e:70:41:44:5d:67:ed:3b:9d:2f:43:b8:89:6f:90:
+                    52:9b:f1:e9:fc:ed:f8:35:d1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                27:DF:0F:D3:9A:8F:34:C8:9E:C1:6D:B9:29:99:0F:0D:3A:D1:BB:BD
+            X509v3 Authority Key Identifier: 
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
+
+    Signature Algorithm: sha256WithRSAEncryption
+         a1:0d:e1:4b:25:ef:4e:67:28:93:33:68:49:65:0e:18:eb:3f:
+         17:ae:47:68:75:4d:72:f5:41:6b:c5:f0:1d:06:0d:25:3d:fa:
+         ab:39:17:f4:e2:34:b7:49:9d:69:a1:92:4a:69:1b:17:42:5b:
+         c6:79:6f:20:31:81:5c:52:c2:58:6b:a0:ba:9a:fe:55:0e:8d:
+         0b:80:9f:4a:97:ed:05:05:90:a6:13:23:70:d0:56:93:a6:f4:
+         66:af:f0:96:05:8b:67:89:72:67:04:f4:5e:44:36:20:4e:b4:
+         97:b4:b2:3b:aa:e2:44:b1:ee:49:13:2c:af:e7:6d:37:e8:09:
+         50:6d
+-----BEGIN CERTIFICATE-----
+MIICzjCCAjegAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTgwMzAx
+MTg1MzQ3WhcNMjMwMjI4MTg1MzQ3WjB4MQswCQYDVQQGEwJHQjEYMBYGA1UECAwP
+Tm90dGluZ2hhbXNoaXJlMRMwEQYDVQQHDApOb3R0aW5naGFtMQ8wDQYDVQQKDAZT
+ZXJ2ZXIxEzARBgNVBAsMClByb2R1Y3Rpb24xFDASBgNVBAMMC3Rlc3QgY2xpZW50
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Z4fPBTUpgbEW4wocWYM23DHb
+r/KpEpfnlsiRfKRSZUN59CDgX+3AtDKdxz0hmp6SbEIIBohl1U9ecNl94d5Lvibi
+BplKVPfnHNZ8b9UWjbCdzl0p8VHpEv0v7db84czWMQ7ODnQC8x5wQURdZ+07nS9D
+uIlvkFKb8en87fg10QIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQf
+Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJ98P05qP
+NMiewW25KZkPDTrRu70wHwYDVR0jBBgwFoAUnlQ+5S/l6kBK/DeWbEW7GnkOyqsw
+DQYJKoZIhvcNAQELBQADgYEAoQ3hSyXvTmcokzNoSWUOGOs/F65HaHVNcvVBa8Xw
+HQYNJT36qzkX9OI0t0mdaaGSSmkbF0JbxnlvIDGBXFLCWGugupr+VQ6NC4CfSpft
+BQWQphMjcNBWk6b0Zq/wlgWLZ4lyZwT0XkQ2IE60l7SyO6riRLHuSRMsr+dtN+gJ
+UG0=
+-----END CERTIFICATE-----

test/ssl/signingCA/newcerts/03.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
+        Validity
+            Not Before: Aug 20 00:00:00 2012 GMT
+            Not After : Aug 21 00:00:00 2012 GMT
+        Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=test client expired
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:b8:67:87:cf:05:35:29:81:b1:16:e3:0a:1c:59:
+                    83:36:dc:31:db:af:f2:a9:12:97:e7:96:c8:91:7c:
+                    a4:52:65:43:79:f4:20:e0:5f:ed:c0:b4:32:9d:c7:
+                    3d:21:9a:9e:92:6c:42:08:06:88:65:d5:4f:5e:70:
+                    d9:7d:e1:de:4b:be:26:e2:06:99:4a:54:f7:e7:1c:
+                    d6:7c:6f:d5:16:8d:b0:9d:ce:5d:29:f1:51:e9:12:
+                    fd:2f:ed:d6:fc:e1:cc:d6:31:0e:ce:0e:74:02:f3:
+                    1e:70:41:44:5d:67:ed:3b:9d:2f:43:b8:89:6f:90:
+                    52:9b:f1:e9:fc:ed:f8:35:d1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                27:DF:0F:D3:9A:8F:34:C8:9E:C1:6D:B9:29:99:0F:0D:3A:D1:BB:BD
+            X509v3 Authority Key Identifier: 
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
+
+    Signature Algorithm: sha256WithRSAEncryption
+         96:28:72:b2:16:af:2b:f2:92:d9:8b:e7:15:2c:e2:e1:55:48:
+         ce:45:d0:89:7a:80:41:ec:3e:b5:01:ee:b9:2e:62:44:7d:b5:
+         b2:f0:e5:83:62:1d:6f:3b:b5:69:4c:dd:c7:20:fb:b0:70:5a:
+         c5:f6:4a:97:14:4a:63:8f:da:3b:0d:27:e3:b9:06:a3:53:1c:
+         db:d3:9d:8a:8a:aa:7c:d7:a0:39:15:d5:03:8b:4f:0e:ab:78:
+         2f:05:69:8c:a3:5a:6b:70:6b:9e:b1:23:ad:d3:ef:a9:5d:01:
+         1b:37:7e:07:0f:97:cb:79:3a:7f:02:3d:40:62:20:63:a8:80:
+         92:da
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAkCgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTIwODIw
+MDAwMDAwWhcNMTIwODIxMDAwMDAwWjCBgDELMAkGA1UEBhMCR0IxGDAWBgNVBAgM
+D05vdHRpbmdoYW1zaGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwG
+U2VydmVyMRMwEQYDVQQLDApQcm9kdWN0aW9uMRwwGgYDVQQDDBN0ZXN0IGNsaWVu
+dCBleHBpcmVkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Z4fPBTUpgbEW
+4wocWYM23DHbr/KpEpfnlsiRfKRSZUN59CDgX+3AtDKdxz0hmp6SbEIIBohl1U9e
+cNl94d5LvibiBplKVPfnHNZ8b9UWjbCdzl0p8VHpEv0v7db84czWMQ7ODnQC8x5w
+QURdZ+07nS9DuIlvkFKb8en87fg10QIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
+SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUJ98P05qPNMiewW25KZkPDTrRu70wHwYDVR0jBBgwFoAUnlQ+5S/l6kBK/DeW
+bEW7GnkOyqswDQYJKoZIhvcNAQELBQADgYEAlihyshavK/KS2YvnFSzi4VVIzkXQ
+iXqAQew+tQHuuS5iRH21svDlg2Idbzu1aUzdxyD7sHBaxfZKlxRKY4/aOw0n47kG
+o1Mc29OdioqqfNegORXVA4tPDqt4LwVpjKNaa3BrnrEjrdPvqV0BGzd+Bw+Xy3k6
+fwI9QGIgY6iAkto=
+-----END CERTIFICATE-----

test/ssl/signingCA/newcerts/04.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
+        Validity
+            Not Before: Mar  1 18:53:51 2018 GMT
+            Not After : Feb 28 18:53:51 2023 GMT
+        Subject: C=GB, ST=Nottinghamshire, L=Nottingham, O=Server, OU=Production, CN=test client revoked
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:ca:88:c0:97:79:0c:af:97:dc:f2:06:5a:12:3d:
+                    07:bf:d0:ca:f3:90:e2:fa:a6:36:c7:67:0c:50:30:
+                    b6:98:1c:83:16:03:fa:7d:00:77:37:00:49:93:3d:
+                    20:0b:e8:fb:8f:20:a2:6a:29:df:ae:ee:38:38:a8:
+                    3b:76:b2:92:96:63:46:0b:b2:47:5f:5d:9b:8d:dc:
+                    31:95:3b:ac:e9:ab:c6:89:00:46:61:58:7f:b5:39:
+                    c6:97:7e:5c:f5:06:f0:ea:82:e6:11:27:18:1f:af:
+                    2c:cb:21:43:75:e3:cf:fa:41:d8:17:17:87:ce:29:
+                    df:7f:75:d6:1f:20:d7:29:03
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                53:1F:81:85:BB:93:78:8A:B4:22:F8:8C:E0:6C:99:5F:B6:AA:B5:9B
+            X509v3 Authority Key Identifier: 
+                keyid:9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
+
+    Signature Algorithm: sha256WithRSAEncryption
+         24:f6:97:b8:b2:ac:eb:83:35:d8:fa:3e:86:13:a6:44:85:10:
+         c5:ba:33:c5:58:98:bc:6e:fe:30:60:12:41:ce:ac:3f:ed:38:
+         e6:5f:ff:b5:29:73:a7:f6:60:41:b2:10:23:da:74:f2:29:d6:
+         f1:bb:94:38:14:fc:75:50:64:f4:4d:d2:6a:3d:f0:da:e0:e8:
+         e2:b9:be:a4:30:b4:c7:c3:22:60:c4:a4:34:31:13:7b:46:9d:
+         bb:5f:8e:cd:21:9d:52:78:e5:e3:e9:e6:e8:62:16:a1:f0:af:
+         14:c8:2c:39:a6:2f:a9:f4:98:cf:8c:20:20:87:c2:15:78:e4:
+         53:23
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAkCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3Qx
+EDAOBgNVBAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwHhcNMTgwMzAx
+MTg1MzUxWhcNMjMwMjI4MTg1MzUxWjCBgDELMAkGA1UEBhMCR0IxGDAWBgNVBAgM
+D05vdHRpbmdoYW1zaGlyZTETMBEGA1UEBwwKTm90dGluZ2hhbTEPMA0GA1UECgwG
+U2VydmVyMRMwEQYDVQQLDApQcm9kdWN0aW9uMRwwGgYDVQQDDBN0ZXN0IGNsaWVu
+dCByZXZva2VkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKiMCXeQyvl9zy
+BloSPQe/0MrzkOL6pjbHZwxQMLaYHIMWA/p9AHc3AEmTPSAL6PuPIKJqKd+u7jg4
+qDt2spKWY0YLskdfXZuN3DGVO6zpq8aJAEZhWH+1OcaXflz1BvDqguYRJxgfryzL
+IUN148/6QdgXF4fOKd9/ddYfINcpAwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
+SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUUx+BhbuTeIq0IviM4GyZX7aqtZswHwYDVR0jBBgwFoAUnlQ+5S/l6kBK/DeW
+bEW7GnkOyqswDQYJKoZIhvcNAQELBQADgYEAJPaXuLKs64M12Po+hhOmRIUQxboz
+xViYvG7+MGASQc6sP+045l//tSlzp/ZgQbIQI9p08inW8buUOBT8dVBk9E3Saj3w
+2uDo4rm+pDC0x8MiYMSkNDETe0adu1+OzSGdUnjl4+nm6GIWofCvFMgsOaYvqfSY
+z4wgIIfCFXjkUyM=
+-----END CERTIFICATE-----

test/ssl/signingCA/serial

+05

test/ssl/signingCA/serial.old

+04

test/ssl/test-alt-ca.crt

@@ -2,57 +2,57 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Paho Project, OU=Testing, CN=Root CA
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Mosquitto Project, OU=Testing, CN=Root CA
         Validity
-            Not Before: Jul 29 19:21:30 2013 GMT
-            Not After : Jul 28 19:21:30 2018 GMT
-        Subject: C=GB, ST=Derbyshire, O=Paho Project, OU=Testing, CN=Alternative Signing CA
+            Not Before: Mar  1 18:53:42 2018 GMT
+            Not After : Feb 28 18:53:42 2023 GMT
+        Subject: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Alternative Signing CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:d3:16:c8:c3:0c:90:e5:68:3d:11:13:a7:8e:fb:
-                    11:c5:de:aa:3f:4d:ac:95:4f:c4:c2:60:8a:df:95:
-                    b5:db:75:04:76:42:19:5f:d9:63:0e:e4:c0:8e:db:
-                    a5:5f:21:ec:f3:3d:a0:c1:82:8b:61:b4:1a:5b:3c:
-                    9e:42:bd:5f:5b:b4:a8:00:8d:e1:bf:99:93:c8:45:
-                    1f:6d:29:ab:67:f0:35:9c:48:0b:a0:a2:18:32:70:
-                    35:5e:ea:fe:1f:33:ab:b5:85:ef:1d:2a:a9:75:60:
-                    38:ed:3a:33:be:5d:40:89:cb:0b:b3:25:e8:e7:bc:
-                    13:6b:62:28:1d:a7:9c:aa:99
+                    00:bd:8b:92:ed:6a:d6:b7:73:88:e7:fa:80:bd:bc:
+                    ee:fb:6a:47:f4:36:4e:48:ab:88:8a:a6:66:98:84:
+                    6a:4c:a8:88:5f:cc:26:98:81:fe:8b:22:c4:c0:91:
+                    70:74:72:22:48:1d:e1:b8:44:71:23:74:17:59:bc:
+                    a6:51:18:97:4c:6d:50:8c:0a:c5:33:cc:28:2a:cf:
+                    78:04:a2:20:75:72:29:4a:46:7b:c7:46:a5:f5:5e:
+                    ec:6f:53:bc:d7:ad:b5:29:dd:22:24:4e:b7:88:e2:
+                    94:58:04:fe:6d:04:13:8d:c8:72:d0:74:2a:ef:18:
+                    87:6d:cf:ce:6e:4a:08:73:c3
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                3A:70:4C:5D:76:C6:B4:CF:E7:BC:4B:F4:CE:C6:B8:46:C2:95:41:9B
+                78:CC:8C:66:81:0F:8F:DA:56:5C:39:A2:30:C2:28:9E:53:A6:87:CA
             X509v3 Authority Key Identifier: 
-                keyid:4A:2B:69:D6:31:1D:A3:68:E8:46:6F:FB:4B:F3:8E:B6:8D:51:0E:BF
+                keyid:1C:B4:4E:8B:84:0D:1E:0F:C4:CC:F4:17:87:DB:CA:F2:55:F1:34:39
 
             X509v3 Basic Constraints: 
                 CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         2f:74:dd:ef:da:03:cf:14:78:ae:6f:0d:04:29:75:db:c5:a2:
-         c0:fd:1e:46:bf:3c:25:3c:03:3b:a6:f4:f1:3a:89:54:83:e9:
-         3a:0f:d7:81:9a:8d:7f:2d:6b:b1:ca:17:7f:ef:93:18:c4:68:
-         b8:b2:1d:d2:9c:d9:9f:66:9d:18:25:18:b4:4f:72:bf:24:c5:
-         0c:2d:fc:cf:ad:c8:ff:25:f1:36:12:72:b4:46:e1:c9:17:19:
-         c5:1e:f5:26:8a:ae:33:5f:69:16:6f:62:ce:fc:ba:c3:a3:c5:
-         50:a3:a5:42:a9:02:6a:25:77:90:3e:e3:b7:e5:ac:7f:3f:bb:
-         1c:17
+    Signature Algorithm: sha256WithRSAEncryption
+         27:3c:17:44:29:8f:17:a7:c0:b7:81:eb:76:ca:53:85:9a:ad:
+         31:68:85:95:69:d6:ab:02:75:a8:ac:71:6f:4d:20:23:6d:5c:
+         09:1d:0a:85:f4:e6:6f:6e:1e:c1:1f:34:1e:87:6e:d3:b9:e0:
+         b2:2f:08:82:fb:4b:28:36:a9:68:54:18:9b:16:6a:f2:ab:ae:
+         bd:7a:40:d2:a7:64:46:4c:f5:cb:15:07:02:7b:3f:44:5e:e1:
+         35:83:99:3f:46:7d:99:76:d2:89:3c:9f:a6:70:13:dd:8e:bd:
+         d2:b1:51:ec:9c:db:2e:f4:fd:f7:1d:de:2c:27:f3:55:9b:81:
+         07:81
 -----BEGIN CERTIFICATE-----
-MIICnzCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJHQjET
-MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxFTATBgNVBAoMDFBh
-aG8gUHJvamVjdDEQMA4GA1UECwwHVGVzdGluZzEQMA4GA1UEAwwHUm9vdCBDQTAe
-Fw0xMzA3MjkxOTIxMzBaFw0xODA3MjgxOTIxMzBaMGwxCzAJBgNVBAYTAkdCMRMw
-EQYDVQQIDApEZXJieXNoaXJlMRUwEwYDVQQKDAxQYWhvIFByb2plY3QxEDAOBgNV
-BAsMB1Rlc3RpbmcxHzAdBgNVBAMMFkFsdGVybmF0aXZlIFNpZ25pbmcgQ0EwgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANMWyMMMkOVoPRETp477EcXeqj9NrJVP
-xMJgit+Vtdt1BHZCGV/ZYw7kwI7bpV8h7PM9oMGCi2G0Gls8nkK9X1u0qACN4b+Z
-k8hFH20pq2fwNZxIC6CiGDJwNV7q/h8zq7WF7x0qqXVgOO06M75dQInLC7Ml6Oe8
-E2tiKB2nnKqZAgMBAAGjUDBOMB0GA1UdDgQWBBQ6cExddsa0z+e8S/TOxrhGwpVB
-mzAfBgNVHSMEGDAWgBRKK2nWMR2jaOhGb/tL8462jVEOvzAMBgNVHRMEBTADAQH/
-MA0GCSqGSIb3DQEBBQUAA4GBAC903e/aA88UeK5vDQQpddvFosD9Hka/PCU8Azum
-9PE6iVSD6ToP14GajX8ta7HKF3/vkxjEaLiyHdKc2Z9mnRglGLRPcr8kxQwt/M+t
-yP8l8TYScrRG4ckXGcUe9SaKrjNfaRZvYs78usOjxVCjpUKpAmold5A+47flrH8/
-uxwX
+MIICqTCCAhKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxGjAYBgNVBAoMEU1v
+c3F1aXR0byBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdSb290
+IENBMB4XDTE4MDMwMTE4NTM0MloXDTIzMDIyODE4NTM0MlowcTELMAkGA1UEBhMC
+R0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxGjAYBgNVBAoMEU1vc3F1aXR0byBQcm9q
+ZWN0MRAwDgYDVQQLDAdUZXN0aW5nMR8wHQYDVQQDDBZBbHRlcm5hdGl2ZSBTaWdu
+aW5nIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9i5Ltata3c4jn+oC9
+vO77akf0Nk5Iq4iKpmaYhGpMqIhfzCaYgf6LIsTAkXB0ciJIHeG4RHEjdBdZvKZR
+GJdMbVCMCsUzzCgqz3gEoiB1cilKRnvHRqX1XuxvU7zXrbUp3SIkTreI4pRYBP5t
+BBONyHLQdCrvGIdtz85uSghzwwIDAQABo1AwTjAdBgNVHQ4EFgQUeMyMZoEPj9pW
+XDmiMMIonlOmh8owHwYDVR0jBBgwFoAUHLROi4QNHg/EzPQXh9vK8lXxNDkwDAYD
+VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQAnPBdEKY8Xp8C3get2ylOFmq0x
+aIWVadarAnWorHFvTSAjbVwJHQqF9OZvbh7BHzQeh27TueCyLwiC+0soNqloVBib
+Fmryq669ekDSp2RGTPXLFQcCez9EXuE1g5k/Rn2ZdtKJPJ+mcBPdjr3SsVHsnNsu
+9P33Hd4sJ/NVm4EHgQ==
 -----END CERTIFICATE-----

test/ssl/test-alt-ca.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIBwjCCASsCAQAwgYExCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJl
+MQ4wDAYDVQQHDAVEZXJieTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAO
+BgNVBAsMB1Rlc3RpbmcxHzAdBgNVBAMMFkFsdGVybmF0aXZlIFNpZ25pbmcgQ0Ew
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL2Lku1q1rdziOf6gL287vtqR/Q2
+TkiriIqmZpiEakyoiF/MJpiB/osixMCRcHRyIkgd4bhEcSN0F1m8plEYl0xtUIwK
+xTPMKCrPeASiIHVyKUpGe8dGpfVe7G9TvNettSndIiROt4jilFgE/m0EE43IctB0
+Ku8Yh23Pzm5KCHPDAgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQCOf7hqhZDVZ4Iw
+wtZQy8AXgeHhRngSCWfIsCJqpm9LRK5FOz/cBuTCrwao5Ifds4ogwCu7wARXdF/B
+cLT9/LhaEV8lvFabF/01o3y4xcO4TOXWzz4YcfbtX1p3SA1xE1WeQJvsbm2CPhRI
+hzgxpLYJJ95ajM60tkmJS41+rlEohw==
+-----END CERTIFICATE REQUEST-----

test/ssl/test-alt-ca.key

 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDTFsjDDJDlaD0RE6eO+xHF3qo/TayVT8TCYIrflbXbdQR2Qhlf
-2WMO5MCO26VfIezzPaDBgothtBpbPJ5CvV9btKgAjeG/mZPIRR9tKatn8DWcSAug
-ohgycDVe6v4fM6u1he8dKql1YDjtOjO+XUCJywuzJejnvBNrYigdp5yqmQIDAQAB
-AoGAFaQtWwnrxQlF0X1hXWBSNyYX8DuHaRtvgboiIsAXj/NUTMeEEHaaGEnNkBfm
-wXUZ9OoplA1NOuwbE6WIWDFQGEgma/yLBdy4HYxQpAbJ1qnR7DyoxQ8NHPhBH+cW
-GI92g7NqDEphdoHrWYy5YZYCFVr3pTHXbxlBn/VTLBsQnIECQQDr9BcQxEnPfi6e
-Kk8cenA/54tGl7Ewpklb8XBrQrm/djfOAFt+CTMexerBv7BnfgriAg5wtlHtTkpK
-BLLULE3pAkEA5QXmZ2WvGl0kvgBYGdiOZAruMobOVxxVxF05gvh8Sw6fNj8pI9pn
-sbzyFZWIjcuDBfTLx+GVvkhqtQhs6ZYZMQJBAOSfjR3c45veKrNsUV1Jsavp4cST
-xMdbyCcDaSc07x/6HxZGuGAF7/d4VABJiVauBUN6NJ23uuhR/J99r/zvtMkCQCQe
-qhfkkZk213Sf2UU6QjrE/ow5dpGGhoBRs6BUUEYGKFYF4BcnevMtOYDt9HtofWGT
-GhCMI3G/OhUTHxo38gECQG0nSN+QQ4tddHcktz1rnfwbnmTuNloZLC4ahR67lz75
-uP42Ct0dXPjzakzDCGI2CgNk5QGk/IUO6fq4mYVxqRI=
+MIICXQIBAAKBgQC9i5Ltata3c4jn+oC9vO77akf0Nk5Iq4iKpmaYhGpMqIhfzCaY
+gf6LIsTAkXB0ciJIHeG4RHEjdBdZvKZRGJdMbVCMCsUzzCgqz3gEoiB1cilKRnvH
+RqX1XuxvU7zXrbUp3SIkTreI4pRYBP5tBBONyHLQdCrvGIdtz85uSghzwwIDAQAB
+AoGBAI4z+LdGQHDBrSTdO1keNe1Jf1Ioq/K5PmdHEBG8xkNc7XNxpkMkw+N+4j3W
+35d9SVrxkDa+omMG5b3dWqnc2SSf/kXIkkdK0EY8DDnfrHMJSdByeQEOLJUcr4TI
+R76PdddyGxrSe7x5IV2q+AAkqeIhgUCPALbW2jpxc7/VJ+gBAkEA/JMO8TS0sawM
+IQ3iuh/sxUSsfRrTwL+QehPopomONvMYOoDOR+mE8yo2iqY9rk6Q5TBFcxz2kvqr
+RaG7tP2HQQJBAMAdrWG/u1lXdawRtrZm5zKy/5uC1qlmldRpDgIw1eFzTv2WWwma
+XvasaDlWC102/6ktigDMS4ngTy7hYc/mXgMCQE0RHiURPPVdltHbJ8w9A4TpwGvn
+7KbKjO4C9yEhpcg0grcPKGIe6dc8kSnbMcTm6iVUhkxqkP4mCG6Vu+2s0kECQD4V
+mSFcr7PIkst/kfdSO+bjd70OxEZMU6EoLhHBLG1GMUG8JEFvNL8sqiXVS6jdDDPk
+9pMZclPlPFGfHlfsT3cCQQCbhnQwKusj7swD0Ca1I0Df2U+WKgiMOBrCbbl7dwmP
+tIdTr7/fy3mF3m2l2GY7PD/VXWH2dFcKWe4wa6b7cRB9
 -----END RSA PRIVATE KEY-----

test/ssl/test-bad-root-ca.crt

 -----BEGIN CERTIFICATE-----
-MIICsDCCAhmgAwIBAgIJANKB0fFTAhRpMA0GCSqGSIb3DQEBBQUAMHExCzAJBgNV
-BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEVMBMG
-A1UECgwMUGFobyBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRQwEgYDVQQDDAtC
-YWQgUm9vdCBDQTAeFw0xMzA3MjkxOTIxMjlaFw0yMzA3MjcxOTIxMjlaMHExCzAJ
-BgNVBAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEV
-MBMGA1UECgwMUGFobyBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRQwEgYDVQQD
-DAtCYWQgUm9vdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6+nf2D7S
-IP42qMVmfAEpKZw22qF0mLVjjL22bWVHwwE1CS5euzD/gBM7i0u7hvFgbvI13Yq4
-Du2ebfjv3n4TAIIQg+UOAY5NbzfUG0A+50J6tPpNtnTij3KXskhQRAlvjDSd3TlU
-UiONY2HMwaU56ktqXZzZE7prU0RICZ+DK8cCAwEAAaNQME4wHQYDVR0OBBYEFH/5
-0qkqiFd2x/lspeK61TO4PGF1MB8GA1UdIwQYMBaAFH/50qkqiFd2x/lspeK61TO4
-PGF1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEARtsgIzT+IVRJHYT1
-wP7C2PuXxbRXFG8a0qqGaA0f4SuICq7NvC3bF5l9zDh4yMvftj8keTiOIa3+alw3
-ucdTz25Jaq/ZER/c68cklMPqcgdwcb/RbxpY5t3PittU2J5wAn/MmFfRiqbsxhgW
-hkYbAtnqBXzJ8HdN/HmIyFW7+q4=
+MIICvDCCAiWgAwIBAgIJAIYNkcQqtmgUMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEaMBgG
+A1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxFDASBgNV
+BAMMC0JhZCBSb290IENBMCAXDTE4MDMwMTE4NTMzNloYDzIxMDAwNDIwMTg1MzM2
+WjB2MQswCQYDVQQGEwJHQjETMBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwF
+RGVyYnkxGjAYBgNVBAoMEU1vc3F1aXR0byBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0
+aW5nMRQwEgYDVQQDDAtCYWQgUm9vdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAqB3XEqOnZtKrVGgfHacwnruZtLKOsIdsL8ohLHIZfO/h+AZwbkTfrDry
+9MtpQRGSuGWPccaV6dAr+TTLqqJN0WidwB2Qu+29HLm6kJRycpJiXQSUlZdJMaxO
+WfX9s2TUKZtIYMX53SnD1050185JrotGW6rjsFZpItpn9j5EitECAwEAAaNQME4w
+HQYDVR0OBBYEFK1okpAhv8xOcMbCGv5TA6669bpzMB8GA1UdIwQYMBaAFK1okpAh
+v8xOcMbCGv5TA6669bpzMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEA
+WlQr7YtNie0ckbw/QOKU+lEtLezX0SkrYtZB1xbNCvMbFpFs93Id3yQkGRG673s4
+XpMK+uJxkdzaZR6EQtAg/3qLxpJSeHeZ5haywg0CpxQFXsKKczsspz86h9bF/uct
+qX+p/Jnfx9WxDG5TYLpmE3wJKJ5ZLP3z84XjZyIQDoU=
 -----END CERTIFICATE-----

test/ssl/test-bad-root-ca.key

 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDr6d/YPtIg/jaoxWZ8ASkpnDbaoXSYtWOMvbZtZUfDATUJLl67
-MP+AEzuLS7uG8WBu8jXdirgO7Z5t+O/efhMAghCD5Q4Bjk1vN9QbQD7nQnq0+k22
-dOKPcpeySFBECW+MNJ3dOVRSI41jYczBpTnqS2pdnNkTumtTREgJn4MrxwIDAQAB
-AoGBAJk4o/bqDkX5dfy1gPOHOXnaCNKEzJqmLMrrKIHypuIjdZPJ9yLzFu7TDvhQ
-rrJdMTm9vHhwMU0Yza41YW2LSsDpeCI0RkpMxG+Aqaxz+kRYPzwDFFI6YAX0NWpS
-O9iie9+sDp0MfOwPlDwtY9T7OegrPH/ngtxWxFp7R0YxVLQJAkEA+Or0TgAklxy/
-2LQV27OPFXc0ejYf67hLNdOC66PhTCO18avjEpDEeA00vF5DkqT+VXJVz2XyXX97
-+cCAf3sYhQJBAPKgM3pmHrhMxr+qgyqiTiKD42kASWLDGEDP0EP4tVaZNdwWH2XG
-tSanhf6eOdoHlq0+3c3tIDwJZ+uCr21ACtsCQAiUeLVTle9Lg2Vh17sJ9m2j/UAV
-K4aBhL4nO0UKEhMAzB23cg1KxirpMZ8olKWyYD3rwf9zISaN5WUXeJZsVM0CQQC5
-GEhNb0yuUzwoil+ojcvH/w/lUeeqZaXCBAghYsKMvzNcpK/tSAt44sKRfYoq8DEe
-F+DEscsuogpanAdS9FGTAkAt8POChqwkCSjXQ9TlPQhdL4bRcENBQz6xp9TEOYT+
-M+FFifLj/ke8sRWXjrar1k45u8VWJJmd/0gmsUSiWoaS
+MIICWwIBAAKBgQCoHdcSo6dm0qtUaB8dpzCeu5m0so6wh2wvyiEschl87+H4BnBu
+RN+sOvL0y2lBEZK4ZY9xxpXp0Cv5NMuqok3RaJ3AHZC77b0cubqQlHJykmJdBJSV
+l0kxrE5Z9f2zZNQpm0hgxfndKcPXTnTXzkmui0ZbquOwVmki2mf2PkSK0QIDAQAB
+AoGAGUEqTuWAv0SEclCV5Al6l03NQETWhJRDX0Z5B0k4pPkQNAcbmqUECMZuOvHX
+pOuz47l1+/x+Brq78FrLAZ4SHFXA6FhiH9XGMn+qX6+DnMoy/8yoLYLn/T/dB7or
+jp0JWex9DgvI4V8WhbF+6otlVxC140SicsPuwtGoisS5fbECQQDXNGxNsU7qofOe
+EfP2MLeQ73At/ZbgFCB2qEb7DiSzCxCheDNDi1Jxzwvg16We9xBQ9+tTTuoX5W7f
+FAIKVdbtAkEAx/xLRoMv9alj4OUjQ893FzFlwuf2zvywRidElr0XUzafmQfIzcph
+bTNCeDvC9jJwuJq7ejLWJe2KuuIMqjAC9QJARAuNWxt/Km0+zHI8w1EwGaG7xK70
+L7HteddHakZUkFAlWAjbnLXGwbmHtfY5pgPUouVhARxopFmlLt/yrTXrGQJAUk+X
+M/h+3t/PShtFfn1/iL4+IhCTVvJOIzG6W0iMtyU+XyADGCB6JRX5/76pKefs2S5m
+h48w8P9qIC02BT4pmQJAdrG3UOC4UT69WYsDDbKRU/6R6fMd4FS081T/KCwnUgLc
+/2mSl6TJNnxuiRYjpsgcP+2LZzuzhW26rZiCx6QJHw==
 -----END RSA PRIVATE KEY-----

test/ssl/test-fake-root-ca.crt

 -----BEGIN CERTIFICATE-----
-MIICqDCCAhGgAwIBAgIJALWM56dkMt5jMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
-BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEVMBMG
-A1UECgwMUGFobyBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdS
-b290IENBMB4XDTEzMDcyOTE5MjEzMFoXDTIzMDcyNzE5MjEzMFowbTELMAkGA1UE
-BhMCR0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxDjAMBgNVBAcMBURlcmJ5MRUwEwYD
-VQQKDAxQYWhvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNVBAMMB1Jv
-b3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOpNNgRF6qhcGxndkPFE
-1uZVQZ2x9GV3UlARuTnG89MX+6W+fXQ0gfdcbKs1/puhFqvrcqrWmoIgRtM/lZR/
-YDs5EXfpb13V5pDDn8X7AD2+poUb9eHxcB6fKuRbyt1PsS42umwUlpIDtK6p6H8/
-ZfxSiOE73kyY6CUvJfTC4WHrAgMBAAGjUDBOMB0GA1UdDgQWBBSXmasVth7iUHhF
-8MDaBnSIGBV4qzAfBgNVHSMEGDAWgBSXmasVth7iUHhF8MDaBnSIGBV4qzAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBANAYCcz14fk3Y+9CBMm/kitCWAkI
-Ia54KL0A8ynqrLHssO3Ilq+wb10vSNLxhsdws3zNAfXteFxOvGm24Yu+8oTBQ26K
-QfTp/cH9yoF97ONMxg7rqANOJeYv0BeJdDcgjCMgmql5ETEz2cf9tTWBUAtd1ZZC
-YPS5aiNsetk+XuS9
+MIICtDCCAh2gAwIBAgIJAOKVfgVed/sFMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
+BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEaMBgG
+A1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNV
+BAMMB1Jvb3QgQ0EwIBcNMTgwMzAxMTg1MzM2WhgPMjEwMDA0MjAxODUzMzZaMHIx
+CzAJBgNVBAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJi
+eTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3Rpbmcx
+EDAOBgNVBAMMB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPRh
+wQ5WorDeUQv4jMGwpZRO/neV7g8+6Syrvmh25TtjRLr0hXiqX13F5NU5szZgLnwq
+IGYoj/UunirquStjWqkypaoP4hNmv0BuAD96ySZbu86u1BsnY+N4Am9awIUoEyjW
+qdyp7SRxWkIhpXcFdX2NtuN1mWoYeCvUy7orSVXtAgMBAAGjUDBOMB0GA1UdDgQW
+BBScKh34/EmyZHmLM5MwG60sHT3BCjAfBgNVHSMEGDAWgBScKh34/EmyZHmLM5Mw
+G60sHT3BCjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAFKGwkW7wCH4
+cM5Pt3P0TMmqV3qM5t+IfsWciK35crFwuy6/7GjCm+ptum+J4J10NfvJHtQxLjBi
+uoR7vCh0X9BAMqFZfFyfdNko6Kc9ggL3voduSORMYq4PDCUuawxN8gXvIr90aGbb
+zaYxDxaxBc0u54YJAFM3tuB0E86r03Ct
 -----END CERTIFICATE-----

test/ssl/test-fake-root-ca.key

 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDqTTYEReqoXBsZ3ZDxRNbmVUGdsfRld1JQEbk5xvPTF/ulvn10
-NIH3XGyrNf6boRar63Kq1pqCIEbTP5WUf2A7ORF36W9d1eaQw5/F+wA9vqaFG/Xh
-8XAenyrkW8rdT7EuNrpsFJaSA7Suqeh/P2X8UojhO95MmOglLyX0wuFh6wIDAQAB
-AoGBAMhOUgu9Kivc8l5eiXd6fq5T3NDQPjwwknJZdJzsda7WJhFAlUgvS50Jqu2E
-L7MlOJippVJgPZ9ZsLMQ/PQDIWRdLg2K9VLS4nPl3p7LzHoDmqDnMLPo9fUGBile
-EnWwSSCWrz8ATyDO1ct5oJmK/S9QRxdvtw+6SbmorhnzypihAkEA+9LNpjnpuOWf
-iF0TGWKhK53WPtiCBnuisXGZEZws9mzFGlfdR98sBDyekl7oHOb+JI0SDpPl3PBE
-hZXcF7VPtQJBAO4wA1sxXqfYUazt6SInUTzpaNZ9xPrK0p1PgxZLxJrZV6hZByvW
-FGb+cKGnOHIYq4tnCg0cyRe1xX4MJU6wrx8CQGRtNUZNYkAykuS2+Z7uDohucbqu
-bWxYchGB1CGJvwSnbBONZtn6znsCEdsdrkOYe1HoUIMvyEPMLgd4NEXgMOECQF+u
-y/pbR9IXVSAp5oiA0OKuRR49Id85kQf+xAM15sHp44vOT9ItSr7hIa/etA8pl+gF
-OYVw9dtfevmauXX2BjMCQQCrse1jUAp3xmsXwb1JieclSh/C/FcGeo6DYpIcm9bK
-RiVCmpzy3hOqYW137l5WvpUwZmN2wPvaKCacF/t75EiG
+MIICXAIBAAKBgQD0YcEOVqKw3lEL+IzBsKWUTv53le4PPuksq75oduU7Y0S69IV4
+ql9dxeTVObM2YC58KiBmKI/1Lp4q6rkrY1qpMqWqD+ITZr9AbgA/eskmW7vOrtQb
+J2PjeAJvWsCFKBMo1qncqe0kcVpCIaV3BXV9jbbjdZlqGHgr1Mu6K0lV7QIDAQAB
+AoGALsxBcgN5KDGKh6ZTHgw7yQjPhgr6CYVcladV0R9jilnaIYsNvCu0E3r/9S0V
+eoY0oKZYifeeia8hrspAJ2ThSUGQ1+tDk62ATxRNg2HB4+4C7dEs/ubYa4O8NC9h
+Dati+z1jsqE+D8x/weiChjkdnpO2XziuoQQI6qPvCcs5zAECQQD+DCgk32KM4P7y
+I8OoV14g15qLNcZwVd74ItHti2QmKlGsYwem+xXi6u4PujLU+qh+NgUSZhpgzIqI
+bf38GNJtAkEA9kKUenZfEn6TT0yPF9BbBNvidjcneYGWbTG9lT6nbIoEEyqkHiSV
+NxkTXF1HTBo7T53bLxCuWj9CjP6vH7xhgQJAMc7OXBRT7Qz7zxuF885VTRkYWqzL
+YCDl2z5wbCNFGlp3stWjnXBi5R9sVzcJWkpemIgczHOqPko76u2tuyxerQJBAOeT
+Uscam2rr5qEysHlHcOBP2lUqpo9nokrK9KntQkoaO5y+g5jo8/zdMsyv1wUkwdOr
+8VsAB8VMKcwnEA36+4ECQCUL6et8GrAuO2dlR3wV8cEU/dxo0LOzfzA9g6X/Ey09
+f2hq7sL85Ni3FmA9OutYVxTv6FAB52RCcj1qIoQyot8=
 -----END RSA PRIVATE KEY-----

test/ssl/test-root-ca.crt

 -----BEGIN CERTIFICATE-----
-MIICqDCCAhGgAwIBAgIJAKrzwmdXIUxsMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
-BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEVMBMG
-A1UECgwMUGFobyBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdS
-b290IENBMB4XDTEzMDcyOTE5MjEyOVoXDTIzMDcyNzE5MjEyOVowbTELMAkGA1UE
-BhMCR0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxDjAMBgNVBAcMBURlcmJ5MRUwEwYD
-VQQKDAxQYWhvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNVBAMMB1Jv
-b3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKbPzEEWCKsjjwjJ787u
-Q32k5EdqoDddMEjSVbZNSNEwUew1L7O8NTbmtCEeVFQjOLAdmdiF3rQbXHV+Zew0
-jt2g4vtPpl1GOG6jA/6YznKAyQdvGCdYfGZUN2tN+mbtVxWqkHZitQDQGaSHnx24
-NX649La2uyFy+7l9o8++xPONAgMBAAGjUDBOMB0GA1UdDgQWBBRKK2nWMR2jaOhG
-b/tL8462jVEOvzAfBgNVHSMEGDAWgBRKK2nWMR2jaOhGb/tL8462jVEOvzAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEd+gW86/W+fisz5PFHAeEw7zn9q
-dzLHm7+QZgNLZ9h7/ZbhObRUFMRtU2xm4amyh85h7hUE5R2E2uW2OXumic7/D4ZD
-6unjr4m5jwVWDTqTUYIcNSriyoDWAVlPfOWaU5NyUhqS1DM28tvOWVHVLCxmVcZl
-tJQqo5eHbQ/+Hjfx
+MIICtDCCAh2gAwIBAgIJAObVjC0tPL4iMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
+BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEaMBgG
+A1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNV
+BAMMB1Jvb3QgQ0EwIBcNMTgwMzAxMTg1MzM2WhgPMjEwMDA0MjAxODUzMzZaMHIx
+CzAJBgNVBAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJi
+eTEaMBgGA1UECgwRTW9zcXVpdHRvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3Rpbmcx
+EDAOBgNVBAMMB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANSZ
+3aRYdHcnta24XXJGfomsg2OpYys3KkqK76aWEwhqRvdH2m54yBvHTZ2LsMLQro0q
+r4oGLyvlupC9fxwQF4ZDFHrn7VbxU947V+cipGkRaECXiGVO1ngUSpKti8nrIUkn
+FXkLmVaGuVv1jVOGBi6/6f3ct6LsNyFqXzaSw9DtAgMBAAGjUDBOMB0GA1UdDgQW
+BBQctE6LhA0eD8TM9BeH28ryVfE0OTAfBgNVHSMEGDAWgBQctE6LhA0eD8TM9BeH
+28ryVfE0OTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAHVShEeqQRjP
+IoMU8MFnnC1ZadADvSn1E6gRR7eoNU0MeMpTYmTA+TIklEzhaRHSkQqyPHAe/YMl
+WLmq1NqyxPv9uKekVlatJxYbm1ME4e+wGs3U9OGsIKX0nFcBO8iqpj5s7GZmSYyY
+u1YJnq1oe0C5IblVB9amcoB743/YyMme
 -----END CERTIFICATE-----

test/ssl/test-root-ca.crt.text

-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            aa:f3:c2:67:57:21:4c:6c
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Paho Project, OU=Testing, CN=Root CA
-        Validity
-            Not Before: Jul 29 19:21:29 2013 GMT
-            Not After : Jul 27 19:21:29 2023 GMT
-        Subject: C=GB, ST=Derbyshire, L=Derby, O=Paho Project, OU=Testing, CN=Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:a6:cf:cc:41:16:08:ab:23:8f:08:c9:ef:ce:ee:
-                    43:7d:a4:e4:47:6a:a0:37:5d:30:48:d2:55:b6:4d:
-                    48:d1:30:51:ec:35:2f:b3:bc:35:36:e6:b4:21:1e:
-                    54:54:23:38:b0:1d:99:d8:85:de:b4:1b:5c:75:7e:
-                    65:ec:34:8e:dd:a0:e2:fb:4f:a6:5d:46:38:6e:a3:
-                    03:fe:98:ce:72:80:c9:07:6f:18:27:58:7c:66:54:
-                    37:6b:4d:fa:66:ed:57:15:aa:90:76:62:b5:00:d0:
-                    19:a4:87:9f:1d:b8:35:7e:b8:f4:b6:b6:bb:21:72:
-                    fb:b9:7d:a3:cf:be:c4:f3:8d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                4A:2B:69:D6:31:1D:A3:68:E8:46:6F:FB:4B:F3:8E:B6:8D:51:0E:BF
-            X509v3 Authority Key Identifier: 
-                keyid:4A:2B:69:D6:31:1D:A3:68:E8:46:6F:FB:4B:F3:8E:B6:8D:51:0E:BF
-
-            X509v3 Basic Constraints: 
-                CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-        47:7e:81:6f:3a:fd:6f:9f:8a:cc:f9:3c:51:c0:78:4c:3b:ce:
-        7f:6a:77:32:c7:9b:bf:90:66:03:4b:67:d8:7b:fd:96:e1:39:
-        b4:54:14:c4:6d:53:6c:66:e1:a9:b2:87:ce:61:ee:15:04:e5:
-        1d:84:da:e5:b6:39:7b:a6:89:ce:ff:0f:86:43:ea:e9:e3:af:
-        89:b9:8f:05:56:0d:3a:93:51:82:1c:35:2a:e2:ca:80:d6:01:
-        59:4f:7c:e5:9a:53:93:72:52:1a:92:d4:33:36:f2:db:ce:59:
-        51:d5:2c:2c:66:55:c6:65:b4:94:2a:a3:97:87:6d:0f:fe:1e:
-        37:f1
------BEGIN CERTIFICATE-----
-MIICqDCCAhGgAwIBAgIJAKrzwmdXIUxsMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
-BAYTAkdCMRMwEQYDVQQIDApEZXJieXNoaXJlMQ4wDAYDVQQHDAVEZXJieTEVMBMG
-A1UECgwMUGFobyBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdS
-b290IENBMB4XDTEzMDcyOTE5MjEyOVoXDTIzMDcyNzE5MjEyOVowbTELMAkGA1UE
-BhMCR0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxDjAMBgNVBAcMBURlcmJ5MRUwEwYD
-VQQKDAxQYWhvIFByb2plY3QxEDAOBgNVBAsMB1Rlc3RpbmcxEDAOBgNVBAMMB1Jv
-b3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKbPzEEWCKsjjwjJ787u
-Q32k5EdqoDddMEjSVbZNSNEwUew1L7O8NTbmtCEeVFQjOLAdmdiF3rQbXHV+Zew0
-jt2g4vtPpl1GOG6jA/6YznKAyQdvGCdYfGZUN2tN+mbtVxWqkHZitQDQGaSHnx24
-NX649La2uyFy+7l9o8++xPONAgMBAAGjUDBOMB0GA1UdDgQWBBRKK2nWMR2jaOhG
-b/tL8462jVEOvzAfBgNVHSMEGDAWgBRKK2nWMR2jaOhGb/tL8462jVEOvzAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEd+gW86/W+fisz5PFHAeEw7zn9q
-dzLHm7+QZgNLZ9h7/ZbhObRUFMRtU2xm4amyh85h7hUE5R2E2uW2OXumic7/D4ZD
-6unjr4m5jwVWDTqTUYIcNSriyoDWAVlPfOWaU5NyUhqS1DM28tvOWVHVLCxmVcZl
-tJQqo5eHbQ/+Hjfx
------END CERTIFICATE-----

test/ssl/test-root-ca.key

 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCmz8xBFgirI48Iye/O7kN9pORHaqA3XTBI0lW2TUjRMFHsNS+z
-vDU25rQhHlRUIziwHZnYhd60G1x1fmXsNI7doOL7T6ZdRjhuowP+mM5ygMkHbxgn
-WHxmVDdrTfpm7VcVqpB2YrUA0Bmkh58duDV+uPS2trshcvu5faPPvsTzjQIDAQAB
-AoGAFVhNqJ5rKYr5SISefPocBL3OwByyt6LjBM51TUiCYtIuCW2c1wDkRkwrDHnX
-DJUdMdv3za8DmkROBnLQE/N9vEVhrfrDpBpU6ne/0tbxRlmDi1ihH+zgBUZkIkQo
-kP5kQrV6Tfv7zhFv6cZzewRjGYzTwt8xWB54bKFlsJSlj/kCQQDY0AirnfIVyK+0
-mkqwYEiXWCQfkdRtbLBwpE8S/bbMQVb+Qxh8iCEdw3u1/c/GRFG/qUQ/54/Tetlx
-ZWTTusuXAkEAxPY1+EyW90I8cDSBsrL+S47meut5Qp1Z/WspKjuZgozT7YnECK1k
-JWyXIfBixMIqeQp+pVfVRtYSumvnVhAuewJAA3ylBw2NPShzGvZ4SQnjYPu76P4R
-aoka9VTPKMEH1ZUfbwtpM2eFENN6A91HICstHWX9gQGaYI5TPO2ih30zlQJBAIRH
-06FqVu3DJ3I4YW8R9eXrGHIvmaYapeikQuZhVs0uJdtf7i/hu+PClZIurzb0LLBU
-UxBa+Bt2BOf9NkY/4ecCQQCYLGMiKrfckXC6VtQalLuEXkeE8spcdh/NV22Qpim5
-xfir6M2ZcPDxaFpPmSDSS1TRTaeulX/djUE35EdNPVP8
+MIICXQIBAAKBgQDUmd2kWHR3J7WtuF1yRn6JrINjqWMrNypKiu+mlhMIakb3R9pu
+eMgbx02di7DC0K6NKq+KBi8r5bqQvX8cEBeGQxR65+1W8VPeO1fnIqRpEWhAl4hl
+TtZ4FEqSrYvJ6yFJJxV5C5lWhrlb9Y1ThgYuv+n93Lei7Dchal82ksPQ7QIDAQAB
+AoGANQkxVpdObo80bmLoxOI7HOMxX8JY3+YCIdhpEnirxNSmYXfGUPrGiM9+WEgJ
+z3+5m7PDWL5UNDI6CXOMaxbElyBKpMa6fnyexVvw1OOGWWl0Qi5GjOrmKl4ETVmv
+gTr37U4syzvAhDFdDz7YFwsjo59NZM+sXluGAc3/QOlLRg0CQQD0xquDOn0pj6kX
+VYQ1rZv7D3O7JFVlZuzZ/JKnGZ581z+O48YnRIki0+oQjKa/lEJ7f+GQ4yU4eEh4
+sAXiil6rAkEA3lmBhJ86MAgyZ6qfnLn4EqQXfxIaUVQHHVN5jPRO79A95GL4NA1m
+kCSiA7QfXDEVw1d1pGw4jlzyF2uYFpSuxwJBAJl5yCisD7ZzgU5ELHWLuXWdpq78
+hR7jfjbgCwQDKECWph9t6dzNOD9CKEzgI92TlGvjLwetpLTXlnk1xTraD6kCQCGj
+kve4izoXE2EhrDIu5HwVfUSJPZgOSWFDbsFHeOXJMIPsATcGy/yEvkonJxNwjaVX
+BwJQKSJIp4upiIHqDqMCQQDAPOg7FniJE+3ZA7IC1YEYTb2rCyOQe6HykDRo3zGa
+NEfQBes9GC74NqLNYK9cV2ajHcyg7oHnupt79iFgifin
 -----END RSA PRIVATE KEY-----

test/ssl/test-signing-ca.crt

@@ -2,56 +2,57 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Paho Project, OU=Testing, CN=Root CA
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Derbyshire, L=Derby, O=Mosquitto Project, OU=Testing, CN=Root CA
         Validity
-            Not Before: Jul 29 19:21:30 2013 GMT
-            Not After : Jul 28 19:21:30 2018 GMT
-        Subject: C=GB, ST=Derbyshire, O=Paho Project, OU=Testing, CN=Signing CA
+            Not Before: Mar  1 18:53:36 2018 GMT
+            Not After : Feb 28 18:53:36 2023 GMT
+        Subject: C=GB, ST=Derbyshire, O=Mosquitto Project, OU=Testing, CN=Signing CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:dc:26:78:40:ae:b2:ad:2f:26:12:0a:d5:b1:18:
-                    80:16:d8:88:be:0b:42:ce:32:ad:12:d5:f5:78:1b:
-                    35:28:f2:13:1b:05:09:fb:7e:d7:d9:a1:8a:0d:4a:
-                    fe:95:37:d4:16:75:83:e4:6a:44:34:33:57:2e:49:
-                    ba:bc:b4:cf:d0:c0:87:e0:bc:f0:60:76:14:00:d6:
-                    eb:cb:f6:db:b3:43:f1:c8:4d:4a:0a:bb:e0:37:7c:
-                    8e:93:1f:a0:87:68:59:fe:0c:25:40:f3:7c:fd:71:
-                    90:55:ef:de:18:b4:08:86:c9:75:c2:99:2f:ce:12:
-                    bf:c5:5e:cf:5f:f1:06:53:07
+                    00:af:ad:b0:e4:78:b8:73:01:6a:9e:78:1e:bf:36:
+                    5b:60:dc:ee:28:ce:16:3c:73:30:b3:02:cd:5c:07:
+                    a2:36:ee:a1:c5:43:32:0c:46:57:cb:fb:1c:52:db:
+                    4e:65:85:8a:5d:a6:cd:66:43:ad:bc:70:1b:e6:b0:
+                    11:0f:d8:54:1f:57:9e:29:4e:2b:1b:c5:70:b2:3d:
+                    38:a7:63:3f:1a:06:2f:6d:09:2c:7c:90:60:db:8c:
+                    3a:11:20:a7:db:20:25:d9:c6:97:74:50:5a:e0:fd:
+                    81:aa:de:ea:1d:e5:be:61:59:0d:76:e5:ab:7f:3b:
+                    b2:a6:38:b9:bb:32:aa:72:ef
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                29:4D:6E:C7:F2:F7:71:72:DA:27:9C:9C:AB:DA:07:1D:47:9C:D8:41
+                9E:54:3E:E5:2F:E5:EA:40:4A:FC:37:96:6C:45:BB:1A:79:0E:CA:AB
             X509v3 Authority Key Identifier: 
-                keyid:4A:2B:69:D6:31:1D:A3:68:E8:46:6F:FB:4B:F3:8E:B6:8D:51:0E:BF
+                keyid:1C:B4:4E:8B:84:0D:1E:0F:C4:CC:F4:17:87:DB:CA:F2:55:F1:34:39
 
             X509v3 Basic Constraints: 
                 CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         48:ec:d7:80:8a:8f:82:a6:42:b1:89:2c:b9:4b:6d:0a:37:b8:
-         72:19:05:de:75:80:0c:d6:41:97:b2:d7:fe:99:cb:7e:c4:0e:
-         77:97:09:a8:9f:87:ff:0b:de:3f:1c:dc:1e:fe:09:36:a7:f5:
-         54:9a:85:4e:fb:6f:27:fe:0f:29:45:61:8d:07:c6:0c:da:37:
-         3d:a3:69:4b:82:71:e6:24:e0:87:a6:ee:d5:87:61:dd:8f:08:
-         fe:33:a6:1f:ae:b2:ae:1f:d8:2c:20:c8:a6:fc:33:0e:82:68:
-         80:23:61:10:ad:5c:1d:80:d6:b1:5f:e4:af:66:6d:63:10:e4:
-         96:e4
+    Signature Algorithm: sha256WithRSAEncryption
+         6c:2d:41:ca:7b:89:84:27:ca:b3:64:d5:73:b2:5b:dd:fc:6f:
+         d4:68:ae:f1:30:3e:9e:ca:28:2b:d3:2e:0c:61:3e:d5:9a:fd:
+         67:b1:60:e5:54:9f:a4:95:51:5b:00:2d:f9:46:82:de:49:df:
+         ce:2a:f3:f6:2e:8f:8f:64:2b:c9:2f:ce:ff:d2:53:a0:0a:c4:
+         4a:e9:20:fa:5e:79:45:21:18:c2:d6:c1:64:92:e4:67:3a:92:
+         04:46:5e:6a:39:84:c8:f1:0e:42:3c:fd:b2:c2:7b:e9:af:44:
+         2c:19:30:61:01:39:47:6d:38:85:90:4b:e5:04:f4:87:72:46:
+         4a:9a
 -----BEGIN CERTIFICATE-----
-MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJHQjET
-MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxFTATBgNVBAoMDFBh
-aG8gUHJvamVjdDEQMA4GA1UECwwHVGVzdGluZzEQMA4GA1UEAwwHUm9vdCBDQTAe
-Fw0xMzA3MjkxOTIxMzBaFw0xODA3MjgxOTIxMzBaMGAxCzAJBgNVBAYTAkdCMRMw
-EQYDVQQIDApEZXJieXNoaXJlMRUwEwYDVQQKDAxQYWhvIFByb2plY3QxEDAOBgNV
-BAsMB1Rlc3RpbmcxEzARBgNVBAMMClNpZ25pbmcgQ0EwgZ8wDQYJKoZIhvcNAQEB
-BQADgY0AMIGJAoGBANwmeECusq0vJhIK1bEYgBbYiL4LQs4yrRLV9XgbNSjyExsF
-Cft+19mhig1K/pU31BZ1g+RqRDQzVy5Jury0z9DAh+C88GB2FADW68v227ND8chN
-Sgq74Dd8jpMfoIdoWf4MJUDzfP1xkFXv3hi0CIbJdcKZL84Sv8Vez1/xBlMHAgMB
-AAGjUDBOMB0GA1UdDgQWBBQpTW7H8vdxctonnJyr2gcdR5zYQTAfBgNVHSMEGDAW
-gBRKK2nWMR2jaOhGb/tL8462jVEOvzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
-BQUAA4GBAEjs14CKj4KmQrGJLLlLbQo3uHIZBd51gAzWQZey1/6Zy37EDneXCaif
-h/8L3j8c3B7+CTan9VSahU77byf+DylFYY0HxgzaNz2jaUuCceYk4Iem7tWHYd2P
-CP4zph+usq4f2CwgyKb8Mw6CaIAjYRCtXB2A1rFf5K9mbWMQ5Jbk
+MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJHQjET
+MBEGA1UECAwKRGVyYnlzaGlyZTEOMAwGA1UEBwwFRGVyYnkxGjAYBgNVBAoMEU1v
+c3F1aXR0byBQcm9qZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRAwDgYDVQQDDAdSb290
+IENBMB4XDTE4MDMwMTE4NTMzNloXDTIzMDIyODE4NTMzNlowZTELMAkGA1UEBhMC
+R0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUxGjAYBgNVBAoMEU1vc3F1aXR0byBQcm9q
+ZWN0MRAwDgYDVQQLDAdUZXN0aW5nMRMwEQYDVQQDDApTaWduaW5nIENBMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvrbDkeLhzAWqeeB6/Nltg3O4ozhY8czCz
+As1cB6I27qHFQzIMRlfL+xxS205lhYpdps1mQ628cBvmsBEP2FQfV54pTisbxXCy
+PTinYz8aBi9tCSx8kGDbjDoRIKfbICXZxpd0UFrg/YGq3uod5b5hWQ125at/O7Km
+OLm7Mqpy7wIDAQABo1AwTjAdBgNVHQ4EFgQUnlQ+5S/l6kBK/DeWbEW7GnkOyqsw
+HwYDVR0jBBgwFoAUHLROi4QNHg/EzPQXh9vK8lXxNDkwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOBgQBsLUHKe4mEJ8qzZNVzslvd/G/UaK7xMD6eyigr0y4M
+YT7Vmv1nsWDlVJ+klVFbAC35RoLeSd/OKvP2Lo+PZCvJL87/0lOgCsRK6SD6XnlF
+IRjC1sFkkuRnOpIERl5qOYTI8Q5CPP2ywnvpr0QsGTBhATlHbTiFkEvlBPSHckZK
+mg==
 -----END CERTIFICATE-----

test/ssl/test-signing-ca.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIBtTCCAR4CAQAwdTELMAkGA1UEBhMCR0IxEzARBgNVBAgMCkRlcmJ5c2hpcmUx
+DjAMBgNVBAcMBURlcmJ5MRowGAYDVQQKDBFNb3NxdWl0dG8gUHJvamVjdDEQMA4G
+A1UECwwHVGVzdGluZzETMBEGA1UEAwwKU2lnbmluZyBDQTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAr62w5Hi4cwFqnngevzZbYNzuKM4WPHMwswLNXAeiNu6h
+xUMyDEZXy/scUttOZYWKXabNZkOtvHAb5rARD9hUH1eeKU4rG8Vwsj04p2M/GgYv
+bQksfJBg24w6ESCn2yAl2caXdFBa4P2Bqt7qHeW+YVkNduWrfzuypji5uzKqcu8C
+AwEAAaAAMA0GCSqGSIb3DQEBCwUAA4GBAKKZrxWCi6ydSuEw5xmt63XajvrmD6IE
+GvhJ8xbuGtV3wjVbzvZS3Ti6z/cmIw1pAzSTtSaaT8u013dO4+qf1ViGlZVr5+UN
+OK22B5PelCMium324HIJQnA5Q9UtbhCDuK7C77JlWpiqac7DyJBDMNAVFN7JnfDl
+h42vtity4W0i
+-----END CERTIFICATE REQUEST-----

test/ssl/test-signing-ca.key

 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQDcJnhArrKtLyYSCtWxGIAW2Ii+C0LOMq0S1fV4GzUo8hMbBQn7
-ftfZoYoNSv6VN9QWdYPkakQ0M1cuSbq8tM/QwIfgvPBgdhQA1uvL9tuzQ/HITUoK
-u+A3fI6TH6CHaFn+DCVA83z9cZBV794YtAiGyXXCmS/OEr/FXs9f8QZTBwIDAQAB
-AoGAEEMDNPvylNpbvI9yU3+Uzps2FpusVqDlqfOGC1YvKhQflypbH2myNhA5q1uz
-zH/wOax6jp/O4/A6619k3NWaWBUSDeD1jczdzzDB6Eq1+6oj1szwLBA5EQHz5tuM
-0BIWVGv12bqY/LGBbYsIABBTr584rA3QSgM3K4SPxKKiyYECQQD6ELRf6hfd5qhs
-8RJY5f3yXaV6rSpz8meht4VwMguiYwNBHrHAHxgumMfLiJ2PWa+6aFUxcWs93RfL
-5Tzn2DtHAkEA4WADib1R05V3X2XcU9ursA0va5nPEtQ0fNJAUm4iJOtEElk61Ku4
-0KFokloTovpAgno+QxQdy1trwBz/ov2KQQJAaNeaGGCYUxPC57IHBDihSP1UROPX
-Wbd3FYlRK+H/mLy0f5fz5F3lEJxDoCUOEi0DDT9zAIDR+qT4tibNa1LwPwJAQDtT
-BtCUH487pE6tiqDSv6wiVbJSV/VuuBxcBKIqzQbYMbqIj9AZLiyyVvOhIRPditI4
-KHn1O93kSa56FQPZgQJAV0mCqYciPBU4z3qtLGIDqdzTszBh4U5cTu5M+TICrg20
-dtH2X0dETx7c2+7FDkr1ktVq9skJAXMw6mWM8FMYFg==
+MIICXAIBAAKBgQCvrbDkeLhzAWqeeB6/Nltg3O4ozhY8czCzAs1cB6I27qHFQzIM
+RlfL+xxS205lhYpdps1mQ628cBvmsBEP2FQfV54pTisbxXCyPTinYz8aBi9tCSx8
+kGDbjDoRIKfbICXZxpd0UFrg/YGq3uod5b5hWQ125at/O7KmOLm7Mqpy7wIDAQAB
+AoGAMoVxzJKHANPUdJQ4y2Z3aui+OM/jhyjdRW213xR26vM/ZHpJh0wnbYref1mA
+NyPrQbl5ckJeUUWwUGwry/G7ZvnEtyOdKB0GA2hSMa1C4jSRZK2pN1eYhJMNKY8F
+gdQY5rhEzLx2+oIZ0R3LjSSISQ2PYUsjg1hNH8qoq/leUtECQQDjnd253yHiX7tT
+xP+KMffXB6d5wF58nCVw3nwswC9kjtCA9IPmHyQuzTCgsFjwqwN3aABCsoqCPgKA
+qjIUyMdJAkEAxZXRoEXlBVydxnsV6zfDsbwb6DPiMSn/eY9TNU54ML9hYg8L8bpw
+0pzMnbSdjT2rhjn4E39JL7sGlFgyR5dQdwJAdPeVD4U4lmn3i866Orv+zoNibtCK
+PaLIIr5SNXT1Zcl2IC6G8WSjZWGQUaMNsW9QMrZBHAU/5DoVcyUC42dh8QJAJ+kp
+XMyBhGG+5Pa76LVs7BvpLzA7wl6PYkiXMC9Xi9E8pIgRi5RzcbeGhVyUbpFEcmqH
+N7kAWYnXvGNMVLW15QJBAKvlGhRxugM5E8qVRCf+0Pl/Dcet0JOHlG9taKY32rWN
+VDqpBBu2dzU+7pdFtARDxPqjJ7twfyTlhVAqEGk/s7U=
 -----END RSA PRIVATE KEY-----

test/test3.c

 /*******************************************************************************
- * Copyright (c) 2012, 2017 IBM Corp.
+ * Copyright (c) 2012, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -12,6 +12,7 @@
  *
  * Contributors:
  *    Allan Stockdill-Mander - initial API and implementation and/or initial documentation
+ *    Ian Craggs - add SSL options NULL test
  *******************************************************************************/
 
 /**
@@ -570,6 +571,9 @@ int test1(struct Options options)
 	fprintf(xml, "<testcase classname=\"test3\" name=\"SSL connect fail to nonSSL MQTT server\"");
 	global_start_time = start_clock();
 
+	rc = MQTTClient_create(&c, "a b://wrong protocol", "test1",	MQTTCLIENT_PERSISTENCE_DEFAULT, persistenceStore);
+	assert("bad rc from create", rc == MQTTCLIENT_BAD_PROTOCOL, "rc was %d \n", rc);
+
 	rc = MQTTClient_create(&c, options.connection, "test1",	MQTTCLIENT_PERSISTENCE_DEFAULT, persistenceStore);
 	if (!(assert("good rc from create", rc == MQTTCLIENT_SUCCESS, "rc was %d \n", rc)))
 		goto exit;
@@ -584,6 +588,10 @@ int test1(struct Options options)
 		opts.serverURIcount = options.hacount;
 	}
 
+	/* Try with ssl opts == NULL - should get error */
+	rc = MQTTClient_connect(c, &opts);
+	assert("Connect should fail", rc == MQTTCLIENT_NULL_PARAMETER, "rc was %d ", rc);
+
 	opts.ssl = &sslopts;
 	if (options.server_key_file != NULL)
 		opts.ssl->trustStore = options.server_key_file; /*file of certificates trusted by client*/

test/test5.c

 /*******************************************************************************
- * Copyright (c) 2012, 2017 IBM Corp.
+ * Copyright (c) 2012, 2018 IBM Corp.
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -613,6 +613,10 @@ int test1(struct Options options)
 	fprintf(xml, "<testcase classname=\"test5\" name=\"%s\"", testname);
 	global_start_time = start_clock();
 
+	rc = MQTTAsync_create(&c, "rubbish://wrong", "test1", MQTTCLIENT_PERSISTENCE_DEFAULT,
+			NULL);
+	assert("bad rc from create", rc == MQTTASYNC_BAD_PROTOCOL, "rc was %d \n", rc);
+
 	rc = MQTTAsync_create(&c, options.connection, "test1", MQTTCLIENT_PERSISTENCE_DEFAULT,
 			NULL);
 	assert("good rc from create", rc == MQTTASYNC_SUCCESS, "rc was %d \n", rc);
@@ -637,6 +641,9 @@ int test1(struct Options options)
 	opts.onFailure = test1OnFailure;
 	opts.context = c;
 
+	rc = MQTTAsync_connect(c, &opts);
+	assert("Bad rc from connect", rc == MQTTASYNC_NULL_PARAMETER, "rc was %d ", rc);
+
 	opts.ssl = &sslopts;
 	opts.ssl->enableServerCertAuth = 0;
 
@@ -742,6 +749,9 @@ int test2a(struct Options options)
 		opts.ssl->privateKeyPassword = options.client_key_pass;
 	//opts.ssl->enabledCipherSuites = "DEFAULT";
 	//opts.ssl->enabledServerCertAuth = 1;
+	opts.ssl->verify = 1;
+	MyLog(LOGA_DEBUG, "enableServerCertAuth %d\n", opts.ssl->enableServerCertAuth);
+	MyLog(LOGA_DEBUG, "verify %d\n", opts.ssl->verify);
 
 	rc = MQTTAsync_setCallbacks(c, &tc, NULL, asyncTestMessageArrived,
 			asyncTestOnDeliveryComplete);
@@ -1025,7 +1035,7 @@ int test2d(struct Options options)
 	{
 		count = 0;
 		MQTTAsync_setTraceLevel(MQTTASYNC_TRACE_ERROR);
-		
+
 		rc = MQTTAsync_create(&c, options.mutual_auth_connection,
 				      "test2d", MQTTCLIENT_PERSISTENCE_DEFAULT, NULL);
 		assert("good rc from create", rc == MQTTASYNC_SUCCESS, "rc was %d\n", rc);

test/test_issue373.c

@@ -58,8 +58,8 @@ struct Options
 	unsigned int iterrations;
 } options =
 {
-	"iot.eclipse.org:1883",
 	"localhost:1883",
+	"localhost:1884",
 	0,
 	0,
 	0,

test/tls-testing/mosquitto.conf

@@ -17,25 +17,25 @@ listener 18883
 
 # listener for mutual authentication
 listener 18884
-cafile test/tls-testing/keys/all-ca.crt
-certfile test/tls-testing/keys/server/server.crt
-keyfile test/tls-testing/keys/server/server.key
+cafile test/ssl/all-ca.crt
+certfile test/ssl/server.crt
+keyfile test/ssl/server.key
 require_certificate true
 use_identity_as_username false
 #tls_version tlsv1
 
 # server authentication - no client authentication
 listener 18885
-cafile test/tls-testing/keys/all-ca.crt
-certfile test/tls-testing/keys/server/server.crt
-keyfile test/tls-testing/keys/server/server.key
+cafile test/ssl/all-ca.crt
+certfile test/ssl/server.crt
+keyfile test/ssl/server.key
 require_certificate false
 #tls_version tlsv1
 
 listener 18886
 cafile test/tls-testing/keys/all-ca.crt
-certfile test/tls-testing/keys/server/server.crt
-keyfile test/tls-testing/keys/server/server.key
+certfile test/ssl/server.crt
+keyfile test/ssl/server.key
 require_certificate false
 #ciphers ADH-DES-CBC-SHA
 #tls_version tlsv1