Merge pull request etcd-io#10392 from mitake/cn-gateway

*: grpc gateway and CN based auth

embed/config.go

@@ -318,6 +318,9 @@ type Config struct {
 	loggerCore        zapcore.Core
 	loggerWriteSyncer zapcore.WriteSyncer
 
+	// EnableGRPCGateway is false to disable grpc gateway.
+	EnableGRPCGateway bool `json:"enable-grpc-gateway"`
+
 	// TO BE DEPRECATED
 
 	// LogPkgLevels is being deprecated in v3.5.

embed/etcd.go

@@ -200,6 +200,7 @@ func StartEtcd(inCfg *Config) (e *Etcd, err error) {
 		LoggerWriteSyncer:          cfg.loggerWriteSyncer,
 		Debug:                      cfg.Debug,
 		ForceNewCluster:            cfg.ForceNewCluster,
+		EnableGRPCGateway:          cfg.EnableGRPCGateway,
 	}
 	print(e.cfg.logger, *cfg, srvcfg, memberInitialized)
 	if e.Server, err = etcdserver.NewServer(srvcfg); err != nil {

embed/serve.go

@@ -118,9 +118,11 @@ func (sctx *serveCtx) serve(
 		go func() { errHandler(gs.Serve(grpcl)) }()
 
 		var gwmux *gw.ServeMux
-		gwmux, err = sctx.registerGateway([]grpc.DialOption{grpc.WithInsecure()})
-		if err != nil {
-			return err
+		if s.Cfg.EnableGRPCGateway {
+			gwmux, err = sctx.registerGateway([]grpc.DialOption{grpc.WithInsecure()})
+			if err != nil {
+				return err
+			}
 		}
 
 		httpmux := sctx.createMux(gwmux, handler)
@@ -156,15 +158,17 @@ func (sctx *serveCtx) serve(
 		}
 		handler = grpcHandlerFunc(gs, handler)
 
-		dtls := tlscfg.Clone()
-		// trust local server
-		dtls.InsecureSkipVerify = true
-		creds := credentials.NewTLS(dtls)
-		opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}
 		var gwmux *gw.ServeMux
-		gwmux, err = sctx.registerGateway(opts)
-		if err != nil {
-			return err
+		if s.Cfg.EnableGRPCGateway {
+			dtls := tlscfg.Clone()
+			// trust local server
+			dtls.InsecureSkipVerify = true
+			creds := credentials.NewTLS(dtls)
+			opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}
+			gwmux, err = sctx.registerGateway(opts)
+			if err != nil {
+				return err
+			}
 		}
 
 		var tlsl net.Listener
@@ -270,19 +274,21 @@ func (sctx *serveCtx) createMux(gwmux *gw.ServeMux, handler http.Handler) *http.
 		httpmux.Handle(path, h)
 	}
 
-	httpmux.Handle(
-		"/v3/",
-		wsproxy.WebsocketProxy(
-			gwmux,
-			wsproxy.WithRequestMutator(
-				// Default to the POST method for streams
-				func(_ *http.Request, outgoing *http.Request) *http.Request {
-					outgoing.Method = "POST"
-					return outgoing
-				},
+	if gwmux != nil {
+		httpmux.Handle(
+			"/v3/",
+			wsproxy.WebsocketProxy(
+				gwmux,
+				wsproxy.WithRequestMutator(
+					// Default to the POST method for streams
+					func(_ *http.Request, outgoing *http.Request) *http.Request {
+						outgoing.Method = "POST"
+						return outgoing
+					},
+				),
 			),
-		),
-	)
+		)
+	}
 	if handler != nil {
 		httpmux.Handle("/", handler)
 	}
@@ -325,6 +331,17 @@ func (ac *accessController) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 			http.Error(rw, errCVE20185702(host), 421)
 			return
 		}
+	} else if ac.s.Cfg.ClientCertAuthEnabled && ac.s.Cfg.EnableGRPCGateway &&
+		ac.s.AuthStore().IsAuthEnabled() && strings.HasPrefix(req.URL.Path, "/v3/") {
+		for _, chains := range req.TLS.VerifiedChains {
+			if len(chains) < 1 {
+				continue
+			}
+			if len(chains[0].Subject.CommonName) != 0 {
+				http.Error(rw, "CommonName of client sending a request against gateway will be ignored and not used as expected", 400)
+				return
+			}
+		}
 	}
 
 	// Write CORS header.

etcdmain/config.go

@@ -241,6 +241,9 @@ func newConfig() *config {
 	fs.StringVar(&cfg.ec.AuthToken, "auth-token", cfg.ec.AuthToken, "Specify auth token specific options.")
 	fs.UintVar(&cfg.ec.BcryptCost, "bcrypt-cost", cfg.ec.BcryptCost, "Specify bcrypt algorithm cost factor for auth password hashing.")
 
+	// gateway
+	fs.BoolVar(&cfg.ec.EnableGRPCGateway, "enable-grpc-gateway", true, "Enable GRPC gateway.")
+
 	// experimental
 	fs.BoolVar(&cfg.ec.ExperimentalInitialCorruptCheck, "experimental-initial-corrupt-check", cfg.ec.ExperimentalInitialCorruptCheck, "Enable to check data corruption before serving any client/peer traffic.")
 	fs.DurationVar(&cfg.ec.ExperimentalCorruptCheckTime, "experimental-corrupt-check-time", cfg.ec.ExperimentalCorruptCheckTime, "Duration of time between cluster corruption check passes.")

etcdserver/config.go

@@ -148,6 +148,8 @@ type ServerConfig struct {
 
 	// LeaseCheckpointInterval time.Duration is the wait duration between lease checkpoints.
 	LeaseCheckpointInterval time.Duration
+
+	EnableGRPCGateway bool
 }
 
 // VerifyBootstrap sanity-checks the initial config for bootstrap case

integration/fixtures/ca.crt

@@ -1,23 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIUOJwZrjY0viD0A34jOYtZb/aNy+YwDQYJKoZIhvcNAQEL
+MIIDrjCCApagAwIBAgIUM24Z44NdsHtDQisQRIH+mmhXLHYwDQYJKoZIhvcNAQEL
 BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
 Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
-Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MTMxODUzMDBaFw0yODA0MTAxODUz
+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xOTAxMjExNDQwMDBaFw0yOTAxMTgxNDQw
 MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
 BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
 ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQCu5s9vCEwShwELpyEXbP5A69ENrkqe3qU1AR3DzWY4gFkkec+QnCdid16Z
-Ayp0Xg1t1GOxTMMGjadyJampzhB/l3oCiIQyQNOy0bCJvn02lBwDFIXDzvdMUfob
-OaTYGwG9vQD6b+ohwzWneF6Ov7UrqAGvRSmTP2Id5vzqGA1+nRA2J4+WOH4ouwZD
-1d53fFk/eBkuHyZO/SEPWH5Ch2J9bZ7jGiTpuroqjbkJXhBfHheEV2NBxIWGWRvh
-JXazBbHwogrR1Op0NkeXPamm9Y3GEL0z/e6hhTGSLFKDioy6P2QrF7C890ru0cX8
-QfLFXj7nBMB+mW6/b4dhywnFwjdpAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjAS
-BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQdqL0i7KF7tmBTUvtR2FpL+Csm
-2zAfBgNVHSMEGDAWgBQdqL0i7KF7tmBTUvtR2FpL+Csm2zANBgkqhkiG9w0BAQsF
-AAOCAQEAjSy+ijzcO3Hu809GvmVl/+aRL/e6iKZ8WC3kpY42ZdyAbhCSYnWmUdHX
-smBVOvjZmQnEtXrrOrzBcbTFdnMzswgoPwtYPKqAqP0vxARbmnbDDuzFstaKSIYm
-T2Tw6r30ivbG7dIyitewCGmTXcdgMLmYgx+zOOj8BmbK1o1jW+qFudggC95qkkiq
-ismo8Ao1/Uw6bDbg/0l30V16bfI7jvPxK6+S2FUlB+ggfQtd2dfKVXNUtfBG8wf0
-1BQdiLPAQGDiprmEpAoUyRfNkMPSZD+WeBYkb0Ji2MyzJ3pUtBPwb57UcbIyp9S5
-MSqy3ciMv+FyBaX6EB2mP8GMgW5WaQ==
+AoIBAQCsWG1qafiCwfmKEltvpmslNqOlWgMp9H7VIP7cExbhsW4P1L4Jlfcz7rFH
+2MFpwktbxppoYI/4umTj5r7dx/K6mttUBtiLY5VwSCo/asZvLaOLFN2QP4cwkpLI
+lFDy4Pez2Uu+NnmMF6SLq+M6mOaHSbURNvphP1zWX9SLKo1OV8GT6r/oHYmcR+xy
+skWd/+6B73S0pbG/d3ME/WoovZtOXqaZtJn8YIBXE6LGd4NBkSK3Jg9c4QzlErTM
+j6ItTs7t9aPjXd2kiq8IY6UN2TrLwssWkGM4Oop+mlp5zcKIDLhDrfsRga5hxx2Z
+i0coNWBKNjvVaCO0L7Qn1nIHA1KtAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTdZTAnocY85lHhyR/A7lJkp3t2mjAN
+BgkqhkiG9w0BAQsFAAOCAQEABCTckIi6zoE7uSy71uNO93RC/Pcb+YzmRSNQzl60
+ngUlUrd+18bjp3O9u8jQ8ikhWT3jfn5e4I1nqLKFqKP6xyMPwk2ZJXF3WeBvtuHW
+BonDscbYwMpL6RDgcUU1+2ZtZYlo+NZkeXQdTO0Pa8qoo/EtNXb+Bg1FFqnrLrVI
+EhY3Bd5+jvC0WkjJFMFeOUkZDmtKLX24P/901ZP+6HN2bA+MIBKmIDKbctP54J73
+tncuOOFBfyWkckIMISM4D+Mi9Ezju2Hq4thV7XJeyWTRiXG8+LhVRWJaz7St1FIw
+ViEST3A84CBLjiPyGqzqQCtr+HNhr7su+Tmcq550xU11Ug==
 -----END CERTIFICATE-----

integration/fixtures/gencerts.sh

@@ -52,6 +52,15 @@ cfssl gencert \
 mv server2.pem server2.crt
 mv server2-key.pem server2.key.insecure
 
+# generate DNS: localhost, IP: 127.0.0.1, CN: "" certificates
+cfssl gencert \
+  --ca ./ca.crt \
+  --ca-key ./ca-key.pem \
+  --config ./gencert.json \
+  ./server-ca-csr3.json | cfssljson --bare ./server3
+mv server3.pem server3.crt
+mv server3-key.pem server3.key.insecure
+
 # generate revoked certificates and crl
 cfssl gencert --ca ./ca.crt \
   --ca-key ./ca-key.pem \

integration/fixtures/server-ca-csr3.json

@@ -0,0 +1,20 @@
+{
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "etcd",
+      "OU": "etcd Security",
+      "L": "San Francisco",
+      "ST": "California",
+      "C": "USA"
+    }
+  ],
+  "CN": "",
+  "hosts": [
+    "127.0.0.1",
+    "localhost"
+  ]
+}

integration/fixtures/server-ecdsa.crt

@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDRzCCAi+gAwIBAgIUK5XUt/HZQ3IpLbDFI1EIU4jiAxIwDQYJKoZIhvcNAQEL
+MIIDRzCCAi+gAwIBAgIUMEJ5c+Tt0TyOcLL+dIUuE2nOuukwDQYJKoZIhvcNAQEL
 BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
 Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
-Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA2MTkxNjIwMDBaFw0yODA2MTYxNjIw
+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xOTAxMjExNDQwMDBaFw0yOTAxMTgxNDQw
 MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
 BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
 ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjO
-PQMBBwNCAARDiiEQNXiH6eYz5Tws31IeU/OZ0sf7gHIJNvbST/cpXtjo4oFGcu0t
-TY4+FAMk0ku07s/kX9r55TgKr1VljG31o4GcMIGZMA4GA1UdDwEB/wQEAwIFoDAd
+PQMBBwNCAAS/sa5Guqq+tML3vUYITeBQ7gURu5yJa0gKALVIpQ75AJXG9fp1dMD1
++3M7HiT56p5omwDPqe8zFsCvPSm6TSEPo4GcMIGZMA4GA1UdDwEB/wQEAwIFoDAd
 BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
-HQ4EFgQUzo0YV8GX/aN/WRsyygA8QVZaMQQwHwYDVR0jBBgwFoAURt/EV2KWh7I1
-N8NXXowk6J1QtvgwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
-DQEBCwUAA4IBAQCbUYjMwKuHQjNEFTvx4jQB/LZTr1Mn53C1etR0qLd50v9TXVzb
-FeZoo0g4mXln0BrLVMLatw0CTlGBCw+yJQ+5iJB5z3bKEl4ADwzRFDxwCMXXG8lV
-wQOS/eaTBcAkzf/BWITLB1mIIp3kKZwXM6IW53yDkPFDpnExPY+ycoNp58U1JxOJ
-ySM3/zyr0Ac8qCNqAakT2WacJ+AdB7pgoupbVF2WKT6qYbF1yvYY8x/zr8ePHznS
-fvuO+80wYPbyw13s6rpNv4d0L1k7GDcXVs3lHC47hSNn7OBhf4Xkku101MtP3DhO
-gFqW7p7vigK20tZKy4NYF6+nW3xJmOlw3gJF
+HQ4EFgQUOErhH7Ot6qYob29cUsijrKhSGawwHwYDVR0jBBgwFoAU3WUwJ6HGPOZR
+4ckfwO5SZKd7dpowGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4IBAQBOjMqQ2AGHTOvHiG1eumKDaxGzXGb7znMcnpKYuz0OT97IoZSw
+EggwwUbqaK+9DotDcAWaqkReP18P3T9TgzZMfFDFctSKB5rM4EU2iPpAHdA6EEB8
+87HutlAeFphjsRlUMRLZ2YvTutR0jVeniEDTmTUB9crhGuUrCbg5H8jsVjvDKDut
+si3l6jsm598EWYa2P7ac5/MXQ5/Z9QCMogE/zOPzbnHNuAbf6ZdGFHNM6cgUgHvs
+C8L6hnuOCouFfcNDRK+7WjpIde18LNwLC0AwCKXbwFdWErRWJ8W978t6htdBYS9p
+cvvxQXBuMRmAykhjKaE+rvjdV3IJqQU8mGLY
 -----END CERTIFICATE-----

integration/fixtures/server-ecdsa.key.insecure

@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIIZcM3NsBY+ZjW2t+AqdvW1lqYhD5l4zT6xr/eBIoh1aoAoGCCqGSM49
-AwEHoUQDQgAEQ4ohEDV4h+nmM+U8LN9SHlPzmdLH+4ByCTb20k/3KV7Y6OKBRnLt
-LU2OPhQDJNJLtO7P5F/a+eU4Cq9VZYxt9Q==
+MHcCAQEEINToOjKwxXFyCQHkiWoL55IPdPoYhm1TFmDylAUIhJWZoAoGCCqGSM49
+AwEHoUQDQgAEv7GuRrqqvrTC971GCE3gUO4FEbuciWtICgC1SKUO+QCVxvX6dXTA
+9ftzOx4k+eqeaJsAz6nvMxbArz0puk0hDw==
 -----END EC PRIVATE KEY-----

integration/fixtures/server-ip.crt

@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEBjCCAu6gAwIBAgITULCLY8OCPd8L4ZLShYUI99ZIFjANBgkqhkiG9w0BAQsF
-ADBvMQwwCgYDVQQGEwNVU0ExEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
-DVNhbiBGcmFuY2lzY28xDTALBgNVBAoTBGV0Y2QxFjAUBgNVBAsTDWV0Y2QgU2Vj
-dXJpdHkxCzAJBgNVBAMTAmNhMB4XDTE4MDQxMzE4NTMwMFoXDTI4MDQxMDE4NTMw
-MFoweDEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
+MIIEBzCCAu+gAwIBAgIUGZReOLZEaMEZ2PfqR25XMrEdBIMwDQYJKoZIhvcNAQEL
+BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
 Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
-Y3VyaXR5MRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAKs3eBWGM6rsQsYOPy48fuFDEg71hNbUw1YCfNQueHpz/jqJ
-E4RDfjb/Ou3V6m/MIsfmdWua+mZ/H3EXwnz0eAXSuspyNHOEaYkgqDYOVGnMD99y
-+JhEVhSb+hRR4vR8qoL8fnJWdoINxaLAHm6K/93RPwyvn+m5fjUIt6yRnZ9PZaGv
-CtdQKo82VoNcJyB4Fz4Ahwy4FxKBE+zPOhR/TuBia2E4r/G4qqVf+DPStXFKxrlG
-Mcw9QxSCsOXArrp+E6zya875HSRBvHJO3+ECpEpP9oymisIg2xswCs0r/v5J3RS6
-EQ07vhOr/6Ez5UmCohlnsiUuj1XEqiCRFUFCa0cCAwEAAaOBkTCBjjAOBgNVHQ8B
-Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB
-/wQCMAAwHQYDVR0OBBYEFF/PxASI1qkJfBdnZmtsZWyR90etMB8GA1UdIwQYMBaA
-FB2ovSLsoXu2YFNS+1HYWkv4KybbMA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcN
-AQELBQADggEBAJHrPCBhY9AMfKdh3ZRVMFxRsNCK9OzcWRMGxJ6OG/blUQZdW9FT
-aeAcCuhbu+0VYjfM2hpQ2DWPRjgi2nA0BRbVHY3nExUBgZxGZ8weQWCeZVEbV6Vs
-FLNBCcWIaX53bKPNFqraX7HWot9xvIb9fCc4w3z42fY8XxDg33E829Oe6F3e6+6L
-b04WQ89U/0Nd7vqkUKgsCqBVIg1PW6AbkNmv/uL4eSlcaV1nafXc0BY2i4XOmNBG
-fih23YHubjuLVuURBN+gDm/3bbyGWcCAnInq5/QM2aMd6GaU2Q80sw1W1PgMR+qE
-QiZ+goMjqqkDljEe4+NiP1s0jKtBTGLQFc0=
+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xOTAxMjExNDQwMDBaFw0yOTAxMTgxNDQw
+MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
+ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDPXZtt7WyGbsRRzkKHTKqeqAGaFdVJpeLCiLpq15hGiOGl
+RJFFrQ/SxEH2y8CmoKLcY96uKYxzVWHpPStK0wa/3DMTE0sxhdWFixD/eRTNgA/o
+ovvSEPTX/ya//DfrgvrKNeSCG/E3hDXitVdiexeUiIB8DZHwdAg82Zg9eJ41ck+G
+WD9u//PwUqS8epqs15xXaHMQphjATnkLa/0mIjwo6JPddtGopBQRADaorjvpaoUu
+SzL7TQaHzCVuj47szr7BmNK1mwoHXJk7d+BlBJz6SiSGBLLq3h3SmoX9/yDLNU7t
+rCi9Yl55/ITJEfY56ZZ6L/BLm83b9r03lv1vYYr/AgMBAAGjgZEwgY4wDgYDVR0P
+AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
+Af8EAjAAMB0GA1UdDgQWBBRn6Ksd8Ra9fiY7fCZnmq2OylkQmTAfBgNVHSMEGDAW
+gBTdZTAnocY85lHhyR/A7lJkp3t2mjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4IBAQCj+s26SaG99nC/OAHJtXQqxyqDfoKNwO6iwK4UGGzwlKAK9+a7
+8ObVOIyAbFtHUFjFJ6cIBMg+Tw+9++bRPyliOcrIDiv9ytNEzMVIQq07oj0Kx7Qw
+sSYcIeFRF439ftiHC0LAULFEV/hDBveuTVfdt3t5RnEzp8PiTjXvhSpgFOhkuln8
+n3NK4UoolN6gJ/sSCP91Oka90l4xagPYK37mksYfzbTBNmPB88rMgioee5ZU1nCG
+09fHiNWg/U8c0R6Iflpjy3lsUlnst3+VZp7HZ1mO+hBp7p0lduAdJqZs0ev9gjhi
+odfA+/2O8LPUTTXz6lpdnou2kXl0B4I0jG2v
 -----END CERTIFICATE-----

integration/fixtures/server-ip.key.insecure

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAqzd4FYYzquxCxg4/Ljx+4UMSDvWE1tTDVgJ81C54enP+OokT
-hEN+Nv867dXqb8wix+Z1a5r6Zn8fcRfCfPR4BdK6ynI0c4RpiSCoNg5UacwP33L4
-mERWFJv6FFHi9Hyqgvx+clZ2gg3FosAebor/3dE/DK+f6bl+NQi3rJGdn09loa8K
-11AqjzZWg1wnIHgXPgCHDLgXEoET7M86FH9O4GJrYTiv8biqpV/4M9K1cUrGuUYx
-zD1DFIKw5cCuun4TrPJrzvkdJEG8ck7f4QKkSk/2jKaKwiDbGzAKzSv+/kndFLoR
-DTu+E6v/oTPlSYKiGWeyJS6PVcSqIJEVQUJrRwIDAQABAoIBAE01MTh7kPcFnULU
-j9cYvppz9UO7oVCDFybE7md8ISYPAliBEcT17od8ZqVzbklFw3VjThXdCAeKUbJc
-5X4Ve74cfdDm2RIyZqjIijH+GkCvHYVEwidfwXV/tLDPEEnxoa55j8edh8kzzqiK
-e+6bTbBIOGdPFwx9chUWPkVaULrShQRkZOMeyQyI1vhL2/TSOk+MsZPcrgQOQh9N
-v3xmmXA+IPNkO2GS5I3MZlLKDIkktejsdkudiE+uDHYzHPOFmu14LYPjZCTyl0Nx
-p6YP77ya/Um7f3zYyakXedGXBXX3h/zS8CarCpwNfzPwEADtommhhi6dR0rnCTfU
-t+aMTakCgYEA1eF1bgd0bKySigm3xx+UXxoOEjV1chdLwnwEL0M2XNvsMsm7Vh+m
-FmrY0I1m5n4bYv0UuEkPM3aUFnJuBW3fr3ypEDSfhLlP6eKX5gpyavJwC/eC+2e4
-ImxbsfRVbjLT7vMgbmMcjqe2B1rwYMDMSVMXieOxpi1ndViRAIpqjaUCgYEAzO8n
-heU7OddugNV5RMn6Gg/pMfiQpoROReFNMln34BZubpAMDHDnbjQOuqZA2UYbsNnb
-2Eu3TwqL+wr0CmQC0/nt1vR5dJZNX6VI61b4Qt4BdUUigonZxSHAnWjMzXmZ3Lvr
-5wgZO1Tq+9KBeMMMTQR5nfw+z5E+4Mh3+IzqWXsCgYAEkaRojVA3YhhfSoXagxow
-TeYvDWVM4qKDrRKJz+3BXhFVpGmUFWj+4ZlwGxUvp1H+c1mV9jmU59uR/y/KfeZh
-YVBbQESIGU1Tubt09pQrJLKwDsGFjVmpopby3j1U9VEBsb/nm8ZoZbzFu3OXHYc/
-qb6++1Y4LpAfOZ0fXdWY4QKBgFM5oGxg/p9r3OWXTCtidx5UbdisYFovivYYHFih
-bufjVC+0ciAvTd1UaNLmJ5nVPfOhVgXOIgCIgPaPqTH7EabybeOI3zY4v+1i220v
-oZzOOftc+znWL8k9/tIuOFYN1y1sZ84oXM7amp9wCsJ3O6yfb6B4Sy3Sh52T7BzV
-ZWq3AoGAeXHNJZj5CpH5tlgoJ2+3OXPTUuIUu7bJezmYkTaerKAtq+/NAlO90P5y
-cUkUETOZuc/jyyD3VLX5Emi5gma4GcRiMJzaZY/apYrr+I9I0A5KPexhzBVdJls9
-2Lk1fTDdilopP6p3W8rRiqlDp7q/iiTvVtdj0tOMZEclmdtZH6Q=
+MIIEpAIBAAKCAQEAz12bbe1shm7EUc5Ch0yqnqgBmhXVSaXiwoi6ateYRojhpUSR
+Ra0P0sRB9svApqCi3GPerimMc1Vh6T0rStMGv9wzExNLMYXVhYsQ/3kUzYAP6KL7
+0hD01/8mv/w364L6yjXkghvxN4Q14rVXYnsXlIiAfA2R8HQIPNmYPXieNXJPhlg/
+bv/z8FKkvHqarNecV2hzEKYYwE55C2v9JiI8KOiT3XbRqKQUEQA2qK476WqFLksy
++00Gh8wlbo+O7M6+wZjStZsKB1yZO3fgZQSc+kokhgSy6t4d0pqF/f8gyzVO7awo
+vWJeefyEyRH2OemWei/wS5vN2/a9N5b9b2GK/wIDAQABAoIBABMnzIHdGtdYSB5e
+dVrWRDSfxHYdajSBdG8P/lh8Tf7GCkIgEWNkVz/bDVTlAYji8eh1+U4RXH4S9xZ6
+phMlZ0w15Snv8FREzrKlZA6Vesx49f9Bfw2qr1N8qHG3tNq2oMApNlCmkCPWvLuS
+kN3yDP2VlnjfMAoMTe6BE0UqbUL2f58h2LBo8x04FYRye5VtroO+lM/9cHUB0xAJ
+Lsp7hiu5wWsORyn6pkpC5B/Fw2sqOdEKtImcs9CkimkbZAfQXq97Rd/jAkAoVaEB
+j4lKri9bKwiTH7Xi9LyH8Ix445lqC3uT7728yltTiyPHME0O6RsP5AdfZRmGCrEg
+cMuplFECgYEA1gUmENbRx6zQdQ0CiwgRloRzceLd3l0lJCxaohqKfX28/keBjMJY
+BB/EM+Qv+aBwrOshSAAW6EttBdqKMs3/EIngCpvMQfAKN7flECqfPZpGJX5BV+E/
+51E4wjwCrxpmkYlQ8qj7lt8wcNPU55Tw9bfKelEgQ+dfyD6TpWV9pnsCgYEA+ApP
+XfGsSkeaFsx6LJIy3ptYxrcd4Xus7ELv6ifTmCKsgi83OeTzrEccHF1niw/9RU6P
+FYH3jxUzGe1AxBfcAcgA8u4L6+Z/uHtnfU+y8od0H1kHwzAR90Rgc0/sCLlHo93+
+4yDPpS3JsLLrhrn6e0uHwEOTyoecyIXcyEL16E0CgYEAiH5uIY0v633u0MgEWDFE
+Lk+45OhAgiG7n09eWkY9Dv3TPATUvbXwtmigFEwywKyvT8kBx86uzWXVWUdgnjg8
+tQqJxZpJccAqdBCnWWElf/9VP3I/MFHrFJb7cP0e5RgcVDNUWf6lvjoHxd2DylJ2
+PvABhXMZ9dSphKdMOM76jOMCgYEAzPlIKSwj4qZVEe4cMGUIoKjjriN5D/LyLbQL
+KweKdjiBMnvuOWuYao/BDTeq72JhPDr1RyLF/3nXZt+HHAVTjC1Ji3doZqNufHeO
+SCHqkT2amqUqIwTAdAQPaHttZLAoIaS8k9lzft7dw6W3uPhLpEQAhMPTiBSVXagx
+kVS0fikCgYAhgIEyMauBbFeEA4kR8AuvpGfB8nMxJV7wljxGzLV1FJxmMsB+nkcE
+BgUUkMLRmqqbqfyTj4p8zNtsnjeNd6ka4Un9uYJoxLpbHhe7NxqGiMGaUMPszaKV
+/Q7vs7YissxWZxhhoTCMkd//YNikdHBUeMTYIC3CS6ahgX7+ueydhg==
 -----END RSA PRIVATE KEY-----

integration/fixtures/server-revoked.crt

@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEEjCCAvqgAwIBAgIUShTszZYdtp48XQGfhqa4kLRaZV0wDQYJKoZIhvcNAQEL
+MIIEEjCCAvqgAwIBAgIUKhJ1faf58PSD3a0vfyrIDojJ/kswDQYJKoZIhvcNAQEL
 BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
 Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
-Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MTMxODUzMDBaFw0yODA0MTAxODUz
+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xOTAxMjExNDQwMDBaFw0yOTAxMTgxNDQw
 MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
 BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
 ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQCmIdtfFvZZUzvu6NH+VO38UTmmYoU9XCUuHX+t0B/EgKwp
-SDieV+N7HxCepkyYhYfNnX2gjXaIV5h/EPSXhk2Pw13oadq6IO6CmaRFtLx+6ZVo
-/dz9Gj/FBlXA915Z7gBvOM0HatBGqG2uKIvYdLmP8lqL8PCnU5bCd/HnlILKJmM1
-y2P79ZMZ8gkp9A+69fUGJeoXyBGFXT+KnNErCJHvu7GXGt5IU3qlqXZE+eWY3WYh
-BhzWU3y0e/Fp6A74kVcUQm37pUr+rCH0AisdeEELtFDajmB1BKzoQdkfSQ6Sn073
-OyekwEXXc8oavFatU4MzM3CliBf+UeOLry3IU12LAgMBAAGjgZwwgZkwDgYDVR0P
+A4IBDwAwggEKAoIBAQCczqeCNBDCkgqgJuhfIKlo1uw6NAvAN8tBSoxmYH6t51bM
++XDJzuw8iQm8UuarHI68O2qjUSiVNvEoilYi/xSu78Yj5vRsNc6i4+FBs09WdSH5
+fieQ8kGVKRJwBDDNiMUQnG3DrEXH/cd7NLegyFdnO17yjTeAt8Fl482QKIFDuInT
+tGLBR+NKYcSM347Vz0tmJIuD+1Ri1DPhOrnrS0KaLKVvaDYpFVdNy0xS2zX+p4Ti
+QyznXjqXOXiFIDOU06huNerWJEzr8Z/ylRPz3pA0bGqcJpIXxzJcGJWN6Jfh6izf
+ONszTSgchoN9sn7iah8cHitEdYQs4LTKjyqu+9QXAgMBAAGjgZwwgZkwDgYDVR0P
 AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
-Af8EAjAAMB0GA1UdDgQWBBTQW3VmF/IW/pABaCAEQtdBXtg2fDAfBgNVHSMEGDAW
-gBQdqL0i7KF7tmBTUvtR2FpL+Csm2zAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A
-AAEwDQYJKoZIhvcNAQELBQADggEBABP8eEr/s7RNNt8WHhwKfbntBFQRRNTuMWkA
-L0/4YhofSuq2eRYHRk5ZodLrMIloSiOErCX9MeVzAhdOcwadW/MGSdoaU5S5RIOL
-OHO2ZlZueP4NRc2qYcQc+HNkakEE32aDQH1oJcGjenDUDz9yPoRWnbwNE7cjSMQ/
-qSfPIP/2X8Lf+zXQT8OzcLYF6Cp9wkm0zqS0BcIRXUpD8wDcqlfUN0DDA6mYS3jL
-OoVDVj7ddrqhXTZidjlQHnd7Ig9sVDYO9upFpo55BKRxPAZf5gIk9GQl4b38oIV1
-OEZ9mO9BneodZ6HpwzhTtsaiZNeeqcfVlsi3Pccd8bn+wotHlwI=
+Af8EAjAAMB0GA1UdDgQWBBTdwPxrHxU94wYrwQBOjp6ma6EAajAfBgNVHSMEGDAW
+gBTdZTAnocY85lHhyR/A7lJkp3t2mjAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A
+AAEwDQYJKoZIhvcNAQELBQADggEBAJB6rG/9kScmQi1TQMFJa0ZAsG+/9m7Rczye
+RApBF6pG5nf8FJiCt7sNYT8r8i+kby2H0CLII16dXSZxPG3giRN4TviM++/YXW/j
+rW1SueyhS+bxajOQfRVLxTnBk7TVDvacwJdFy/VI28i6hoV8E12g9jslAMiWREWd
+nhgk3zIyXFlVuiHIRYqKFWeo75/cEyTZ5XWs06r5Odawzo2L094CT4uxgu8mRCwN
+sJKa408ev6CUEW7YXZVtJ8IwtFfJCWAbe5Tsq/9K/m1puHLOiVRwYBl6rCUTLjGO
++iKZYsV3wVf75iENevyv7rQ9OkomJokdWxhi5e+VxC4x+zwbvKU=
 -----END CERTIFICATE-----