tls: add ECDH ciphers support

Switch test fixtures to 1024 bit keys.

doc/api/tls.markdown

@@ -117,9 +117,9 @@ automatically set as a listener for the [secureConnection][] event.  The
     conjunction with the `honorCipherOrder` option described below to
     prioritize the non-CBC cipher.
 
-    Defaults to `AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH`.
+    Defaults to `ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH`.
     Consult the [OpenSSL cipher list format documentation] for details on the
-    format. ECDH (Elliptic Curve Diffie-Hellman) ciphers are not yet supported.
+    format.
 
 
     `AES128-GCM-SHA256` is used when node.js is linked against OpenSSL 1.0.1
@@ -129,6 +129,17 @@ automatically set as a listener for the [secureConnection][] event.  The
     acceptable cipher. Unfortunately, `AES256-SHA` is a CBC cipher and therefore
     susceptible to BEAST attacks. Do *not* use it.
 
+  - `ecdhCurve`: A string describing a named curve to use for ECDH ciphers or
+    false to disable all ECDH ciphers.
+
+    This is required to support ECDH (Elliptic Curve Diffie-Hellman) ciphers.
+    ECDH ciphers are a newer alternative to RSA. The advantages of ECDH over
+    RSA is that it offers [Forward secrecy]. Forward secrecy means that for an
+    attacker it won't be possible to decrypt your previous data exchanges if
+    they get access to your private key.
+
+    Defaults to `prime256v1`. Consult [RFC 4492] for more details.
+
   - `handshakeTimeout`: Abort the connection if the SSL/TLS handshake does not
     finish in this many milliseconds. The default is 120 seconds.
 
@@ -629,3 +640,5 @@ The numeric representation of the local port.
 [SSL_METHODS]: http://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS
 [tls.Server]: #tls_class_tls_server
 [SSL_CTX_set_timeout]: http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
+[RFC 4492]: http://www.rfc-editor.org/rfc/rfc4492.txt
+[Forward secrecy]: http://en.wikipedia.org/wiki/Perfect_forward_secrecy

lib/_tls_wrap.js

@@ -478,6 +478,8 @@ function Server(/* [options], listener */) {
     cert: self.cert,
     ca: self.ca,
     ciphers: self.ciphers || tls.DEFAULT_CIPHERS,
+    ecdhCurve: util.isUndefined(self.ecdhCurve) ?
+        tls.DEFAULT_ECDH_CURVE : self.ecdhCurve,
     secureProtocol: self.secureProtocol,
     secureOptions: self.secureOptions,
     crl: self.crl,
@@ -580,6 +582,8 @@ Server.prototype.setOptions = function(options) {
   if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
   if (options.crl) this.crl = options.crl;
   if (options.ciphers) this.ciphers = options.ciphers;
+  if (!util.isUndefined(options.ecdhCurve))
+    this.ecdhCurve = options.ecdhCurve;
   if (options.sessionTimeout) this.sessionTimeout = options.sessionTimeout;
   var secureOptions = options.secureOptions || 0;
   if (options.honorCipherOrder) {

lib/crypto.js

@@ -99,6 +99,8 @@ exports.createCredentials = function(options, context) {
 
   if (options.ciphers) c.context.setCiphers(options.ciphers);
 
+  if (options.ecdhCurve) c.context.setECDHCurve(options.ecdhCurve);
+
   if (options.ca) {
     if (util.isArray(options.ca)) {
       for (var i = 0, len = options.ca.length; i < len; i++) {

lib/tls.js

@@ -27,6 +27,8 @@ exports.DEFAULT_CIPHERS =
     'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' + // TLS 1.2
     'RC4:HIGH:!MD5:!aNULL:!EDH';                   // TLS 1.0
 
+exports.DEFAULT_ECDH_CURVE = 'prime256v1';
+
 // Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations
 // every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more
 // renegotations are seen. The settings are applied to all remote client

src/node_crypto.cc

@@ -220,6 +220,7 @@ void SecureContext::Initialize(Environment* env, Handle<Object> target) {
   NODE_SET_PROTOTYPE_METHOD(t, "addCRL", SecureContext::AddCRL);
   NODE_SET_PROTOTYPE_METHOD(t, "addRootCerts", SecureContext::AddRootCerts);
   NODE_SET_PROTOTYPE_METHOD(t, "setCiphers", SecureContext::SetCiphers);
+  NODE_SET_PROTOTYPE_METHOD(t, "setECDHCurve", SecureContext::SetECDHCurve);
   NODE_SET_PROTOTYPE_METHOD(t, "setOptions", SecureContext::SetOptions);
   NODE_SET_PROTOTYPE_METHOD(t, "setSessionIdContext",
                                SecureContext::SetSessionIdContext);
@@ -614,6 +615,33 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
 }
 
 
+void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
+  HandleScope scope(node_isolate);
+
+  SecureContext* sc = Unwrap<SecureContext>(args.This());
+
+  if (args.Length() != 1 || !args[0]->IsString())
+    return ThrowTypeError("First argument should be a string");
+
+  String::Utf8Value curve(args[0]);
+
+  int nid = OBJ_sn2nid(*curve);
+
+  if (nid == NID_undef)
+    return ThrowTypeError("First argument should be a valid curve name");
+
+  EC_KEY* ecdh = EC_KEY_new_by_curve_name(nid);
+
+  if (ecdh == NULL)
+    return ThrowTypeError("First argument should be a valid curve name");
+
+  SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE);
+  SSL_CTX_set_tmp_ecdh(sc->ctx_, ecdh);
+
+  EC_KEY_free(ecdh);
+}
+
+
 void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
   HandleScope scope(node_isolate);
 

src/node_crypto.h

@@ -78,6 +78,7 @@ class SecureContext : public WeakObject {
   static void AddCRL(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void AddRootCerts(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetCiphers(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void SetECDHCurve(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetOptions(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetSessionIdContext(
       const v8::FunctionCallbackInfo<v8::Value>& args);

test/fixtures/keys/agent1-cert.pem

@@ -1,14 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICKjCCAZMCCQDQ8o4kHKdCPDANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
+MIICbjCCAdcCCQCahKvPuKcqtTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
 UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
 BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMTEgMB4GCSqGSIb3DQEJARYRcnlA
-dGlueWNsb3Vkcy5vcmcwHhcNMTEwMzE0MTgyOTEyWhcNMzgwNzI5MTgyOTEyWjB9
+dGlueWNsb3Vkcy5vcmcwHhcNMTMwODAxMTExODU5WhcNNDAxMjE2MTExODU5WjB9
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK
 EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDzANBgNVBAMTBmFnZW50MTEgMB4G
-CSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwXDANBgkqhkiG9w0BAQEFAANL
-ADBIAkEAnzpAqcoXZxWJz/WFK7BXwD23jlREyG11x7gkydteHvn6PrVBbB5yfu6c
-bk8w3/Ar608AcyMQ9vHjkLQKH7cjEQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAKha
-HqjCfTIut+m/idKy3AoFh48tBHo3p9Nl5uBjQJmahKdZAaiksL24Pl+NzPQ8LIU+
-FyDHFp6OeJKN6HzZ72Bh9wpBVu6Uj1hwhZhincyTXT80wtSI/BoUAW8Ls2kwPdus
-64LsJhhxqj2m4vPKNRbHB2QxnNrGi30CUf3kt3Ia
+CSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAMNQTWAcktNJlmpEbu0xKJzjpI0MJfWZauUg5GXD6/CXRGOEQ/Im
+uqG7Ar23LrFK/y2goHCF+/ffJKaFzJ4iuv2nAlly/HTriQJUtP/dxacfqrC5A1GH
+EYAA/S1VShPUtpljADZWyEemWBzZacC2SQ5cChkXTmqJ9t3wYBSw/guHAgMBAAEw
+DQYJKoZIhvcNAQEFBQADgYEAbuPFhXlMbdYX0XpcPiiRamvO2Qha2GEBRSfqg1Qe
+fZo5oRXlOd+QVh4O8A3AFY06ERKE72Ho01B+KM2MwpJk0izQhmC4a0pks0jrBuyW
+dGoVczyK8eCtbw3Y2uiALV+60EidhCbOqml+3kIDVF0cXkCYi5FVbHRTls7wL0gR
+Fe0=
 -----END CERTIFICATE-----

test/fixtures/keys/agent1-csr.pem

@@ -1,10 +1,13 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
+MIIB4jCCAUsCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
 EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD
-EwZhZ2VudDExIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ
-KoZIhvcNAQEBBQADSwAwSAJBAJ86QKnKF2cVic/1hSuwV8A9t45URMhtdce4JMnb
-Xh75+j61QWwecn7unG5PMN/wK+tPAHMjEPbx45C0Ch+3IxECAwEAAaAlMCMGCSqG
-SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB
-AF+AfG64hNyYHum46m6i7RgnUBrJSOynGjs23TekV4he3QdMSAAPPqbll8W14+y3
-vOo7/yQ2v2uTqxCjakUNPPs=
+EwZhZ2VudDExIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDUE1gHJLTSZZqRG7tMSic46SNDCX1mWrl
+IORlw+vwl0RjhEPyJrqhuwK9ty6xSv8toKBwhfv33ySmhcyeIrr9pwJZcvx064kC
+VLT/3cWnH6qwuQNRhxGAAP0tVUoT1LaZYwA2VshHplgc2WnAtkkOXAoZF05qifbd
+8GAUsP4LhwIDAQABoCUwIwYJKoZIhvcNAQkHMRYTFEEgY2hhbGxlbmdlIHBhc3N3
+b3JkMA0GCSqGSIb3DQEBBQUAA4GBAFRwfX09wCEqB5fOGTLSAQqK7/Tm47t8TcFy
+PsCoHcYSHCSSthknJgdnK9nQaVVVqVpDRgmUFmcWC27JOAFQLt79FqOYNLGrmvR/
+ZaRbz3BBi4TBHClalnyBBzaYJJQz16qbT4j48TmzRQvBGR/gT2FpPoLVDWKU+U6E
+oU6hMCpb
 -----END CERTIFICATE REQUEST-----

test/fixtures/keys/agent1-key.pem

@@ -1,9 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBAJ86QKnKF2cVic/1hSuwV8A9t45URMhtdce4JMnbXh75+j61QWwe
-cn7unG5PMN/wK+tPAHMjEPbx45C0Ch+3IxECAwEAAQJBAI2cU1IuR+4IO87WPyAB
-76kruoo87AeNQkjjvuQ/00+b/6IS45mcEP5Kw0NukbqBhIw2di9uQ9J51DJ/ZfQr
-+YECIQDUHaN3ZjIdJ7/w8Yq9Zzz+3kY2F/xEz6e4ftOFW8bY2QIhAMAref+WYckC
-oECgOLAvAxB1lI4j7oCbAaawfxKdnPj5AiEAi95rXx09aGpAsBGmSdScrPdG1v6j
-83/2ebrvoZ1uFqkCIB0AssnrRVjUB6GZTNTyU3ERfdkx/RX1zvr8WkFR/lXpAiB7
-cUZ1i8ZkZrPrdVgw2cb28UJM7qZHQnXcMHTXFFvxeQ==
+MIICXAIBAAKBgQDDUE1gHJLTSZZqRG7tMSic46SNDCX1mWrlIORlw+vwl0RjhEPy
+JrqhuwK9ty6xSv8toKBwhfv33ySmhcyeIrr9pwJZcvx064kCVLT/3cWnH6qwuQNR
+hxGAAP0tVUoT1LaZYwA2VshHplgc2WnAtkkOXAoZF05qifbd8GAUsP4LhwIDAQAB
+AoGAJI+nrFIs+fhQe9wLl8MYAyZp6y1W/b6WUAX0O0iNph/q4WYlAfNWBGhpfvIH
+f5C2a+ghoG60WBYhWjq5rvB5aCX/DchIATuaVHgaWcBf7y9NXnWDH9JMtDOTaVI6
+s7inJwjqIJAHbloa82NGuwz/EN4Ncng6wTmf1gbF6UtOqGECQQD15UNAtpRqpGPz
+xPAZwT3TkY4gYLlZvqn21r/92P5XVbTJXyBTo9pwY4F7o/pNZAQcq3sPUrZW7T4X
+t8nPT4RrAkEAy1bvewVS3U10V8ffzCl7F5WiaTEMa39F4e0QqBKOXdnDS2T1FJZl
+VSVSXiVMd4qFQf4IVgBZCwihS1hpPSo8VQJBAL7vpBY27+4S8k4SaUIGbITBLHR1
+xtcqFv5F6NUrTuvv8C7Bf++Sdwb4LU4dmTnI5OyCN09Bsba0B5gRLVKd8zsCQAu4
+AetEHkd0zEy2zzYT+e0dCZQoaH/VgPCJWhlloGDWSQQSWHGMTWC/2uRkH+kPyahI
+/LAAKyGQqMMP4FjPE1UCQAyPkF3dJy+KRZSQ2rz0bpBVGoUV31hl+SvMigCy0yUy
+QwvJxgN14LQJP+pCcuJGaSdiPsOjxqhPX7KMg3SiSlA=
 -----END RSA PRIVATE KEY-----

test/fixtures/keys/agent2-cert.pem

@@ -1,13 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIB7DCCAZYCCQC7gs0MDNn6MTANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJV
+MIICcTCCAdoCCQDTgzSLdDTF0TANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJV
 UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
 BgNVBAsTB05vZGUuanMxDzANBgNVBAMTBmFnZW50MjEgMB4GCSqGSIb3DQEJARYR
-cnlAdGlueWNsb3Vkcy5vcmcwHhcNMTEwMzE0MTgyOTEyWhcNMzgwNzI5MTgyOTEy
+cnlAdGlueWNsb3Vkcy5vcmcwHhcNMTMwODAxMTExOTAwWhcNNDAxMjE2MTExOTAw
 WjB9MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYD
 VQQKEwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDzANBgNVBAMTBmFnZW50MjEg
-MB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwXDANBgkqhkiG9w0BAQEF
-AANLADBIAkEAyXb8FrRdKbhrKLgLSsn61i1C7w7fVVVd7OQsmV/7p9WB2lWFiDlC
-WKGU9SiIz/A6wNZDUAuc2E+VwtpCT561AQIDAQABMA0GCSqGSIb3DQEBBQUAA0EA
-C8HzpuNhFLCI3A5KkBS5zHAQax6TFUOhbpBCR0aTDbJ6F1liDTK1lmU/BjvPoj+9
-1LHwrmh29rK8kBPEjmymCQ==
+MB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAKGYRnu2BdY2R8flqKPLICWO/7NoRVGH4KZBY1uBF/VYXyA2
+VT5O7461mt6oA372BItGyNxdbMEvQBRcLiXTueKF5D+KYu30bWem6A/AxxYvnqU4
+tP+uhsXNuGNQTp8i0vBDM/nUx7QGeP1Kda6C936PCNt7wbGPKPNyACNMbnptAgMB
+AAEwDQYJKoZIhvcNAQEFBQADgYEATzjDAPocPA2Jm8wrLBW+fOC478wMo9gT3Y3N
+ZU6fnF2dEPFLNETCMtDxnKhi4hnBpaiZ0fu0oaR1cSDRIVtlyW4azNjny4495C0F
+JLuP5P5pz+rJe+ImKw+mO1ARA9fUAL3VN6/kVXY/EspwWJcLbJ5jdsDmkRbV52hX
+Th4jkAI=
 -----END CERTIFICATE-----

test/fixtures/keys/agent2-csr.pem

@@ -1,10 +1,13 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
+MIIB4jCCAUsCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
 EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD
-EwZhZ2VudDIxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ
-KoZIhvcNAQEBBQADSwAwSAJBAMl2/Ba0XSm4ayi4C0rJ+tYtQu8O31VVXezkLJlf
-+6fVgdpVhYg5QlihlPUoiM/wOsDWQ1ALnNhPlcLaQk+etQECAwEAAaAlMCMGCSqG
-SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB
-AJnll2pt5l0pzskQSpjjLVTlFDFmJr/AZ3UK8v0WxBjYjCe5Jx4YehkChpxIyDUm
-U3J9q9MDUf0+Y2+EGkssFfk=
+EwZhZ2VudDIxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQChmEZ7tgXWNkfH5aijyyAljv+zaEVRh+Cm
+QWNbgRf1WF8gNlU+Tu+OtZreqAN+9gSLRsjcXWzBL0AUXC4l07niheQ/imLt9G1n
+pugPwMcWL56lOLT/robFzbhjUE6fItLwQzP51Me0Bnj9SnWugvd+jwjbe8Gxjyjz
+cgAjTG56bQIDAQABoCUwIwYJKoZIhvcNAQkHMRYTFEEgY2hhbGxlbmdlIHBhc3N3
+b3JkMA0GCSqGSIb3DQEBBQUAA4GBAEBfLsByEqL79HRr4QwPTARMW51ohh29kCUU
+OunEyxM8Ti3lBPGOePXLBGjq6e/eLmoOfKsOXKjE+Z3Rpj2L0IKJgpBBcvD2BCyM
+920PdvIHHgWXGSGiDGL/nMbX3SZrYNP/ERawg/Tzqh4QorPj91RKYez9NNLoOncm
+Ug1MI/t9
 -----END CERTIFICATE REQUEST-----

test/fixtures/keys/agent2-key.pem

@@ -1,9 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAMl2/Ba0XSm4ayi4C0rJ+tYtQu8O31VVXezkLJlf+6fVgdpVhYg5
-QlihlPUoiM/wOsDWQ1ALnNhPlcLaQk+etQECAwEAAQJBAMT6Bf34+UHKY1ObpsbH
-9u2jsVblFq1rWvs8GPMY6oertzvwm3DpuSUp7PTgOB1nLTLYtCERbQ4ovtN8tn3p
-OHUCIQDzIEGsoCr5vlxXvy2zJwu+fxYuhTZWMVuo1397L0VyhwIhANQh+yzqUgaf
-WRtSB4T2W7ADtJI35ET61jKBty3CqJY3AiAIwju7dVW3A5WeD6Qc1SZGKZvp9yCb
-AFI2BfVwwaY11wIgXF3PeGcvACMyMWsuSv7aPXHfliswAbkWuzcwA4TW01ECIGWa
-cgsDvVFxmfM5NPSuT/UDTa6R5BFISB5ea0N0AR3I
+MIICXQIBAAKBgQChmEZ7tgXWNkfH5aijyyAljv+zaEVRh+CmQWNbgRf1WF8gNlU+
+Tu+OtZreqAN+9gSLRsjcXWzBL0AUXC4l07niheQ/imLt9G1npugPwMcWL56lOLT/
+robFzbhjUE6fItLwQzP51Me0Bnj9SnWugvd+jwjbe8GxjyjzcgAjTG56bQIDAQAB
+AoGAd19C6g5731N30T5hRqY+GCC72a90TZc/p/Fz0Vva8/4VP3mDnSS4qMaVIlgh
+RP++OZjPtqI5PbiG8MNrv7vZe0UXlV7oZE0IA+jomUXsplbwMFf6pkrqdyHi+cbm
+rBudhmKeLUgNA6peMGVA83C5g2SMqU5kB+tWzZT7Rs9rsyECQQDWpXxZgULqbFZv
+wjpIDGWjOpQZrv123bJ9TQ+VoskCu4vlyDJqDJPwnscl8NnzpFJriDARn0WrB2sd
+8GCX1yEpAkEAwLo/MYG5elkNRsE5/vINSIo04Gu6tP/Sd7EBtHYAPHUPjs/MhhVX
+tMIGtACheHMwjGRPyr8pboEp2LEap4GjpQJBALNsy+CJ0+TfwPVU96EIc+GZcvlx
+NMErGyvwwclEtSDKo2vmCHZrozLtlu1ZQueOgbMPuZbRe8w2vEzfhe8HTtkCQAYy
+NrPlwsvPLyEWN0IeEBVD9D0+2WrWSrL0auSdYpaPAOgLgDzTVNWH42VIG+jeczIg
+S3xuNuvJlUnVL9Ew1s0CQQCly+gduXtvOYip1/Stm/65kT7d8ICQgjh0XSPw/kUC
+llVMQY3z1iFCaj/z0Csr0t0kJ534bH7GP3LOoNruV0p9
 -----END RSA PRIVATE KEY-----

test/fixtures/keys/agent3-cert.pem

@@ -1,14 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICKjCCAZMCCQCDBr594bsJmTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
+MIICbjCCAdcCCQDuvizlIRoS9jANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
 UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
 BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlA
-dGlueWNsb3Vkcy5vcmcwHhcNMTEwMzE0MTgyOTEyWhcNMzgwNzI5MTgyOTEyWjB9
+dGlueWNsb3Vkcy5vcmcwHhcNMTMwODAxMTExOTAwWhcNNDAxMjE2MTExOTAwWjB9
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK
 EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDzANBgNVBAMTBmFnZW50MzEgMB4G
-CSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwXDANBgkqhkiG9w0BAQEFAANL
-ADBIAkEAtlNDZ+bHeBI0B2gD/IWqA7Aq1hwsnS4+XpnLesjTQcL2JwFFpkR0oWrw
-yjrYhCogi7c5gjKrLZF1d2JD5JgHgQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJoK
-bXwsImk7vJz9649yrmsXwnuGbEKVYMvqcGyjaZNP9lYEG41y5CeRzxhWy2rlYdhE
-f2nqE2lg75oJP7LQqfQY7aCqwahM3q/GQbsfKVCGjF7TVyq9TQzd8iW+FEJIQzSE
-3aN85hR67+3VAXeSzmkGSVBO2m1SJIug4qftIkc2
+CSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAM8KaJS9K/7LKuV1c8Jsliy9o3ubBGHGguBLmtHLgsAhsvbB/lE7
+cuxbBXPHLgegopcOrbsp4EuHURcN2WAkGcXpBIE5msYOxmImy2FifuUi0Vj4b2Ey
+cpmkADXZrAOygwPw3WH16wNlR/vsL1GFubQ6EIdK4gv9fhBBdMFKm7LRAgMBAAEw
+DQYJKoZIhvcNAQEFBQADgYEAQJHyY0ghxICN5uu8GC9YRygzhiW/6xwKiHTQf9gH
+pET7LrJZhWmAFh19z9CEgvyWe7RQ8SfjHJX3fFZPNIO3OPYWuY+kr6wudBXrcnAj
+XLOj050lMSv3KVWI/TerEDPX1nR+rA2xzp73iJ/SC77Q02JZcVysoBB056nuHp38
+WNI=
 -----END CERTIFICATE-----

test/fixtures/keys/agent3-csr.pem

@@ -1,10 +1,13 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
+MIIB4jCCAUsCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
 EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD
-EwZhZ2VudDMxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ
-KoZIhvcNAQEBBQADSwAwSAJBALZTQ2fmx3gSNAdoA/yFqgOwKtYcLJ0uPl6Zy3rI
-00HC9icBRaZEdKFq8Mo62IQqIIu3OYIyqy2RdXdiQ+SYB4ECAwEAAaAlMCMGCSqG
-SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB
-AEGo76iH+a8pnE+RWQT+wg9/BL+iIuqrcFXLs0rbGonqderrwXAe15ODwql/Bfu3
-zgMt8ooTsgMPcMX9EgmubEM=
+EwZhZ2VudDMxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPCmiUvSv+yyrldXPCbJYsvaN7mwRhxoLg
+S5rRy4LAIbL2wf5RO3LsWwVzxy4HoKKXDq27KeBLh1EXDdlgJBnF6QSBOZrGDsZi
+JsthYn7lItFY+G9hMnKZpAA12awDsoMD8N1h9esDZUf77C9Rhbm0OhCHSuIL/X4Q
+QXTBSpuy0QIDAQABoCUwIwYJKoZIhvcNAQkHMRYTFEEgY2hhbGxlbmdlIHBhc3N3
+b3JkMA0GCSqGSIb3DQEBBQUAA4GBAKcTs/vSdImZFlC0sBzFjqofQJI8uDZrOhkh
+Stv3k0TmlRB51zSFlOmb0ReZa3JyUzOkpvx1nIl6HeZ1lZFZhAr2WCib31H7iJF/
+rbUpCjqQ9gBXSaXxQ6QkJSIEjM+QRiDiRQ7Uphq5qsa9uzGTJI9Jv/Ej8h2pYfRD
+eDO3k0+c
 -----END CERTIFICATE REQUEST-----

test/fixtures/keys/agent3-key.pem

@@ -1,9 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBALZTQ2fmx3gSNAdoA/yFqgOwKtYcLJ0uPl6Zy3rI00HC9icBRaZE
-dKFq8Mo62IQqIIu3OYIyqy2RdXdiQ+SYB4ECAwEAAQJAIk+G9s2SKgFa8y3a2jGZ
-LfqABSzmJGooaIsOpLuYLd6eCC31XUDlT4rPVGRhysKQCQ4+NMjgdnj9ZqNnvXY/
-RQIhAOgbdltr3Ey2hy7RuDW5rmOeJTuVqCrZ7QI8ifyCEbYTAiEAyRfvWSvvASeP
-kZTMUhATRUpuyDQW+058NE0oJSinTpsCIQCR/FPhBGI3TcaQyA9Ym0T4GwvIAkUX
-TqInefRAAX8qSQIgZVJPAdIWGbHSL9sWW97HpukLCorcbYEtKbkamiZyrjMCIQCX
-lX76ttkeId5OsJGQcF67eFMMr2UGZ1WMf6M39lCYHQ==
+MIICXQIBAAKBgQDPCmiUvSv+yyrldXPCbJYsvaN7mwRhxoLgS5rRy4LAIbL2wf5R
+O3LsWwVzxy4HoKKXDq27KeBLh1EXDdlgJBnF6QSBOZrGDsZiJsthYn7lItFY+G9h
+MnKZpAA12awDsoMD8N1h9esDZUf77C9Rhbm0OhCHSuIL/X4QQXTBSpuy0QIDAQAB
+AoGBALlX+wl0VCdTX8Jso8WgicvhtLGZs5GIMW9zn1RCmHlBccG/Jtk3nAkE7tuX
+qpg/cG5EQLi1o0paB/jYeAm+J6bMypiXNeakjW8McD55XJuqmotgbZ+IhZQzr0TF
+h7zDBhhzLqIuIAjsQ0H8JFR+p3vrruchCZeQ6jxE05CeSZ/VAkEA8tyL+UvEozCh
+QmokAshXLhZkFn24Ss9//xQ3iu6EE+ZIQyKy87msZhD4/rJ4GO+U1dzG7yQNeym2
+S+yHSzDUjwJBANo9xPCWBGYFbwZ/GWuwwV6nBjx35//3oEKg4PW11KSHm4cFRWV4
+JCO0q1sJEQCgzFGvNAwP63/onMJT3y1gcp8CQEgKA7s/LmT519vLgEMTCkkxex7w
+y+nlAyK27ILZnXQJqwW/FTYWrXzZLALhDZ7X8l49zwTAvP77sId08ezr3yECQQCV
+Cvw1Ze5pEirpn+Fnd1YH4z9SCn1phN5wwlf/1gb7uhTQGBx1mJ/ttpQT3tQ6vpXq
+7yE3X6PwPZbY69iNr8F3AkBbymGXgt66Lv7gdea0UlRFjEWhuP2OC0WOtg4entvZ
+1KHxsgMNIrYoPjvPq/3ReCZapnKpQfMuR564BCOY4bnX
 -----END RSA PRIVATE KEY-----

test/fixtures/keys/agent4-cert.pem

@@ -1,15 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICSDCCAbGgAwIBAgIJAIMGvn3huwmaMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
+MIICjDCCAfWgAwIBAgIJAO6+LOUhGhL3MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
 BAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzANBgNVBAoTBkpveWVu
 dDEQMA4GA1UECxMHTm9kZS5qczEMMAoGA1UEAxMDY2EyMSAwHgYJKoZIhvcNAQkB
-FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xMTAzMTQxODI5MTJaFw0zODA3MjkxODI5
-MTJaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzAN
+FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xMzA4MDExMTE5MDFaFw00MDEyMTYxMTE5
+MDFaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzAN
 BgNVBAoTBkpveWVudDEQMA4GA1UECxMHTm9kZS5qczEPMA0GA1UEAxMGYWdlbnQ0
-MSAwHgYJKoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzBcMA0GCSqGSIb3DQEB
-AQUAA0sAMEgCQQDN/yMfmQ8zdvmjlGk7b3Mn6wY2FjaMb4c5ENJX15vyYhKS1zhx
-6n0kQIn2vf6yqG7tO5Okz2IJiD9Sa06mK6GrAgMBAAGjFzAVMBMGA1UdJQQMMAoG
-CCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAA8FXpRmdrHBdlofNvxa14zLvv0N
-WnUGUmxVklFLKXvpVWTanOhVgI2TDCMrT5WvCRTD25iT1EUKWxjDhFJrklQJ+IfC
-KC6fsgO7AynuxWSfSkc8/acGiAH+20vW9QxR53HYiIDMXEV/wnE0KVcr3t/d70lr
-ImanTrunagV+3O4O
+MSAwHgYJKoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAmRNV3/oxV+YEXxo0wXHbA45gm4SyPhxlxi0ZXd4Xasmu
+D2u4G57LV3uuEQ7fT34OhiOm1zr/Mv5IE8d3d0upRjpFUru45zxKg4nbqO1e07jM
+2Yq5awwfk8BZpo7BEYVZ6SOiJO+tq/RFCPoTtjagwsDgUqHw9W7oVxXWeU0NmmMC
+AwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEA
+Ll7QpD8qb6+BshGdca+SBV6lGhQBDYV6BIwU7V6LIsMkyoSLXVO59sdahtLMI9zv
+pIE3IIVztY5/kBLYQxIfR+a1lL4/jraHrZp3mRTyh0nzgT567k+EeD2Q4UG+eDkM
+hcEXm5jGqOm/sMC1Jx/JUIeI3RF2TuV5OhR5Y94tMjM=
 -----END CERTIFICATE-----

test/fixtures/keys/agent4-csr.pem

@@ -1,10 +1,13 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
+MIIB4jCCAUsCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
 EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD
-EwZhZ2VudDQxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ
-KoZIhvcNAQEBBQADSwAwSAJBAM3/Ix+ZDzN2+aOUaTtvcyfrBjYWNoxvhzkQ0lfX
-m/JiEpLXOHHqfSRAifa9/rKobu07k6TPYgmIP1JrTqYroasCAwEAAaAlMCMGCSqG
-SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB
-AMzo7GUOBtGm5MSck1rrEE2C1bU3qoVvXVuiN3A/57zXeNeq24FZMLnkDeL9U+/b
-Kj646XFou04gla982Xp74p0=
+EwZhZ2VudDQxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZE1Xf+jFX5gRfGjTBcdsDjmCbhLI+HGXG
+LRld3hdqya4Pa7gbnstXe64RDt9Pfg6GI6bXOv8y/kgTx3d3S6lGOkVSu7jnPEqD
+iduo7V7TuMzZirlrDB+TwFmmjsERhVnpI6Ik762r9EUI+hO2NqDCwOBSofD1buhX
+FdZ5TQ2aYwIDAQABoCUwIwYJKoZIhvcNAQkHMRYTFEEgY2hhbGxlbmdlIHBhc3N3
+b3JkMA0GCSqGSIb3DQEBBQUAA4GBAG9Jbj7/DGM14TC4kT9BbCF624Tgyo7LdZVa
+b31rd5q3n5DkxorUq3ALlX3AMQ4sgbYYV8SysQSloldpW4TgjXZl2ohMU/xmXhfH
+WPbUk/T3eNVAohzC5YMbSWp5Kgd7T4Q8meyYYYC97akjAbPIY3pkPdxTxFi0lO69
+dOQSg6cj
 -----END CERTIFICATE REQUEST-----

test/fixtures/keys/agent4-key.pem

@@ -1,9 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIBOQIBAAJBAM3/Ix+ZDzN2+aOUaTtvcyfrBjYWNoxvhzkQ0lfXm/JiEpLXOHHq
-fSRAifa9/rKobu07k6TPYgmIP1JrTqYroasCAwEAAQJAN8RQb+dx1A7rejtdWbfM
-Rww7PD07Oz2eL/a72wgFsdIabRuVypIoHunqV0sAegYtNJt9yu+VhREw0R5tx/qz
-EQIhAPY+nmzp0b4iFRk7mtGUmCTr9iwwzoqzITwphE7FpQnFAiEA1ihUHFT9YPHO
-f85skM6qZv77NEgXHO8NJmQZ5GX1ZK8CICzle+Mluo0tD6W7HV4q9pZ8wzSJbY8S
-W/PpKetm09F1AiAWTw8sAGKAtc/IGo3Oq+iuYAN1F8lolzJsfGMCGujsOwIgAJKP
-t3eXilwX3ZlsDWSklWNZ7iYcfYrvAc3JqU6gFCE=
+MIICWwIBAAKBgQCZE1Xf+jFX5gRfGjTBcdsDjmCbhLI+HGXGLRld3hdqya4Pa7gb
+nstXe64RDt9Pfg6GI6bXOv8y/kgTx3d3S6lGOkVSu7jnPEqDiduo7V7TuMzZirlr
+DB+TwFmmjsERhVnpI6Ik762r9EUI+hO2NqDCwOBSofD1buhXFdZ5TQ2aYwIDAQAB
+AoGAHkS7g1l2rlnWXXPSILpBw3dA1R+tGykEWuaKEIyc9snAeF4lfpisvrS/G7Jk
+J9TWTGH6WK7azZuIZxjXH6i/ZMxOjd2r0P5RFo0Gjn3VtlCFw1c21TndIEhT/VbB
+IfnFmPS2j/tNAq03Bn+VyB665XcbO/GCJFIxEDt+Nsx6yVkCQQDJOd8TXZ1bbsEJ
+KsN/XZSKgP+qqqxh1Bx7+7/a8nbhCfSV41qt/zyUMBFlB6xKaU9dRU3FErtIH7pU
+8pa0WMPNAkEAwr4rGDGX3e7ihc4pjj2I8J7xEU1q30UK8YzTMJt8BipUAHhFqpQa
+RJvvsCUS3If3d+ZDaTQBSogqFjOW1/gG7wJAbLhw15S/3VPExkAtqlYUWJUEDeDz
+DFQ/I5nMee6A3muzk3xoVRRPVb122IBBzV6Cu+Ei+LR7Lae+1ADR/hTrjQJAaAzD
+acHVqragQW3NtjoamLXTh7Mdjv2Mw1LC5A2vTnv/NeENF/7Zqh7HCg5E7Z+YEW/u
+RJ+MsQ3frs0Ro4LZ8QJAehOewhlYbd3REtJ/6QxbsfsURnGzdEjYS94qgNGyPUs5
+KwcroVGbGSu+K7xtKqOuz+ILihRDkX33VNGtDnKVlw==
 -----END RSA PRIVATE KEY-----

test/fixtures/keys/ca1-cert.pem

@@ -1,15 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIICazCCAdQCCQDTlFdg2h0DBjANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
+MIICazCCAdQCCQCK8euGRwPfJzANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
 UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
 BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMTEgMB4GCSqGSIb3DQEJARYRcnlA
-dGlueWNsb3Vkcy5vcmcwHhcNMTEwMzE0MTgyOTEyWhcNMzgwNzI5MTgyOTEyWjB6
+dGlueWNsb3Vkcy5vcmcwHhcNMTMwODAxMTExODU5WhcNNDAxMjE2MTExODU5WjB6
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK
 EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMTEgMB4GCSqG
 SIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
-MIGJAoGBAKxbsLdJbi53pcP1pzg8lgJhLEvcNlV2ogr97WURp+gPjK+HFXj2xl9w
-qDQrxpmvTya+urBG7OagTjV1E7dRE7PTr4TkEqehmxF026Opb0PZewuIBOKX4UgG
-PSfk0fksrje6YJb+OkiBfA/q7eznZF8cmq7MRrs7LWe9A6Bic/apAgMBAAEwDQYJ
-KoZIhvcNAQEFBQADgYEAk6hlYgjCBihG4dM+3324W1WsvjU8QscsTXu8SGL0y9b6
-82zZikj0W9FU6u98WHtXwuFt3mKlGCcou2pluZvj02T2iVKSMs2oYL8JOlvM8hVf
-GEeg2EriLlzmdxNz4/I86DlBiyoTijZh8/qrItsK7+a56P0exH8ouXzlhL1Bhjw=
+MIGJAoGBAKk8iURIH5aHTpddeVkyMUUkiaP4W9M3x2nBqjvFTw7oP1mJYvab52ed
+/2rA7fRt3kZyf7+lRt4OtXG7emsBj2F6d/iHKnWUfdMZl+cQ61Mtx6/DeO3F55aT
+QrCeqDpyAOY6FvfhdflZItrEMQa9+PbsbyRBSxDJ/Qs7qhevnlqBAgMBAAEwDQYJ
+KoZIhvcNAQEFBQADgYEAZwg19wn9cU9Lb7pNw50qi9DeJhUvo4/Jua8FjikvoKX5
+oQSQ+J/7+83OEuJi2Ii1xH2fAlNN7ZoJzOHY/JU2tx64OmnhEPvnX/nb1/jK3zyn
+gwJDHcYG6AU6nHGWRewQpkoYYIQ7YQNx26OGQF0QdAJi2ltKZpQKIv/75XWfKrQ=
 -----END CERTIFICATE-----

test/fixtures/keys/ca1-cert.srl

@@ -1 +1 @@
-D0F28E241CA7423C
+9A84ABCFB8A72AB5

test/fixtures/keys/ca1-key.pem

@@ -1,17 +1,17 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIrulhMUmafvECAggA
-MBQGCCqGSIb3DQMHBAjsjahmkf3zGwSCAoANt0xX8ZZT2CxeyUadbOuku6NrHoFy
-YBvnEFvuq3TGm3NB72BxprvfMUNR5Xi6e6rJgtRQttPRX6oN2qfB8+W11vFBeFWG
-gxarEotklca4bujPMwxRowyMT20n+yXvRc+Fd5tYrMcaBeweQZD69J242HJMJJmq
-Lzvo2qYGaOxjpc8aUDzeDsv8cnlh5Xk1ZcRucRPM9j26KOPSt0wOd4RdN83AE8cW
-Xu+k5TSMlPQLWihjS+KzEQ8Rs9CuubxrdmecF6DM70u0kYCLZ1Ex7+kBZu06CUpJ
-PODaLca4W92XkBq4X25WgAAaCAj4nZZmgn0X0Fwl1lBqjOK5nEnYpjxuwjjJ2KVz
-3j+kBK5tW6RBE4BM37r7NiM1FAzi8sgNYSVS9oa4m1qGfadEEQdhaMsAfM0SZ/8M
-6NUPKlQmoDda9aCO7rqRuQ7pYQ9mpNxcWEBQi0cG6/3VXtqi/TewAKT1T5DToAzg
-pL4eOTqeDp4VKif5r2u7Nj0EiM4j2TT88onGsdgRtjgUpNmJCRWYaCzs3QZggdYE
-nLZt7ZRXpJ11tERKG3b28qrIw9jHULRAjjWEkEGbxYTpAlrgXklV/04XXnxxAVOP
-0YjDzbfx5QCRCq5UHV4Gl3ELoBaOuxcIIN8YrE2oC1CY9uV/HSk4CSlxHNtWyxbA
-WbCU2SoEHnwBVlTPbZyfErM33c3u4LJyNx6ah7NzMh5AoQ+cPXlzxFBEGIyAmW37
-pItxDNwL1PzXHGpfOM/QZ5wjzGIwXsh8j94jDNB+TIMG4+dm4aXkolevPjJrYAeG
-XZC5mvfMsntNGNFszT/8iXLwt7tlMlQQQl/2b5m6L5yffy6m39wGqTVa
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIWE2PsdhhEj8CAggA
+MBQGCCqGSIb3DQMHBAjAnjC7zH2c+ASCAoB/e9OPJqGdm2yw6CwNrdNF+besbvTB
+3aLesJXqttUb7GkIG8D0wmIUfW1BgcROFyvD+Jz31NRES4/KmRpwybEoWOBtpYAZ
+AbcLFAJm+RYWO6XMwq9kMnQ7I4QtXZzCywJ7TSFQlDt5BJWvhqp5rbQTj6gTGMLl
+CwB12/GhpEviX9kDj49FvlylLAjkVR151nhAil2Nv9O4Ww/WV0y21tscaajFS2sb
+2sZ+3iZIZL+PF8qFoBtffJHeEWIKlHtnbjl1BqMtSt67CbS0CJSqtGss3+eVq9Y1
+OzeG8EAwTCP+HwOBgGNRssJxwnz+SaAZnb7te3x3yn7zac6+8PmZLdPcYBps2krS
+nDVZUBW0kybi7qGWW02SYdDXKOCBVAqlSILMdhMdArQqF7P3tAac2PJNFLBf/31w
+bVeqaXHmijbobcTsR7TV8SUMVPJXcDYg5qSsbGa+PLIPPFmQ/ZSSVXn+V7yVfUT5
+S/HjwBm9jdPj5l9uI6uInD8O1OFXvaP/usjKFAB/B2b3aTjtiBdqXQMAIaFKtVXs
+BP3GgXxkVjrFWcVE6BXJUNRpx9EeBLz/7s86I3SUKuGduRe7aAfO0Q76dPqh6mwJ
+zvOuPJXlARTU5BVWiV7FP53KQZ6a+35urMOdnsq/Fzf4qg9yZcXp9hxJAspHgn8P
+3QKCJ6HnHvl9wpjQLxjLnQgIYBNeYW6vo/hUVRfTruN8VjeKWqoNQVEAOJ5Br4i9
+/Nsjl8aw0kaRXonYtmlSD6lQycckkV7WkhFlXej8Q+mGTE60ut1gJ85cM+JHwTlk
+XFDe6qYCSZk17l6MMLNwbYeJjTqSbT0UAYx2lyTtAC4L+L/H8hFedwFp
 -----END ENCRYPTED PRIVATE KEY-----

test/fixtures/keys/ca2-cert.pem

@@ -1,15 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIICazCCAdQCCQDVGbMO4Y2VUTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
+MIICazCCAdQCCQDSApRM2wt5kDANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
 UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
 BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlA
-dGlueWNsb3Vkcy5vcmcwHhcNMTEwMzE0MTgyOTEyWhcNMzgwNzI5MTgyOTEyWjB6
+dGlueWNsb3Vkcy5vcmcwHhcNMTMwODAxMTExOTAwWhcNNDAxMjE2MTExOTAwWjB6
 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK
 EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqG
 SIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
-MIGJAoGBAMOOtRmmjoBZmyYreB1D1fjftMW6sEGBzfSKZRcn+kiEpqXELq21O/TV
-jLJGbo+0PDqxECQyDbOgoQZXcCevFnFhdsSQOYb+0O2kAiMVYGxDtqoKM5g8wj0D
-BiE6fnyZoQTDv5lEuvfG0+youCtXlxiK/9cfhikI+hVXuTgwQXt9AgMBAAEwDQYJ
-KoZIhvcNAQEFBQADgYEAbMrLydFajwfZXDH3PfpKtDPCm+yV3qvEMGWLfjBdN50g
-PwsZE/OIp+KJttdS+MjMG1TfwfWIqa5zGG2ctxx+fHsKH+t3NsO76Eol1p+dKqZp
-PdFp2UhViMgURkrpP593AsTTO9BGaz+awSaESDHm8pO+cLaeGKQp93W0sgC0lHQ=
+MIGJAoGBALmu6bos5wqBAFKo+xjCvepdN+wpveHocCMBbMTAbJztT9i1dayQdun6
+iPq7zjn6MfFhtvy3yN1HtHjI5PiheZmEx9iZ19qTabA9EDXCRVIeryapmj87PMiD
+UAo4NApT3r7DBNzwfH6xTJA81ZzkrgAcMSy5/FPhhWQw5Ovx9xcZAgMBAAEwDQYJ
+KoZIhvcNAQEFBQADgYEAt6EyYlKqjoPgr/R0hmDciYRebV5K72XNlKDIFPGRhcwh
+ICQDg7OYjE8kAluLV6QorjX5JA2/wx3DcZ7gevJIwBzlM/nrojOeF3ufhjogL9Fk
+DqZhkZ/EodPzd1amO9wbGkEz4eyqChmxmQg9gbb2iEEqPOAflTM2qiq2muaU8tE=
 -----END CERTIFICATE-----

test/fixtures/keys/ca2-cert.srl

@@ -1 +1 @@
-8306BE7DE1BB099A
+EEBE2CE5211A12F7

test/fixtures/keys/ca2-crl.pem

@@ -2,9 +2,9 @@
 MIIBXTCBxzANBgkqhkiG9w0BAQQFADB6MQswCQYDVQQGEwJVUzELMAkGA1UECBMC
 Q0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAOBgNVBAsTB05vZGUu
 anMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5v
-cmcXDTExMDMxNDE4MjkxNloXDTEzMTIwNzE4MjkxNlowHDAaAgkAgwa+feG7CZoX
-DTExMDMxNDE4MjkxNFowDQYJKoZIhvcNAQEEBQADgYEArRKuEkOla61fm4zlZtHe
-LTXFV0Hgo21PScHAp6JqPol4rN5R9+EmUkv7gPCVVBJ9VjIgxSosHiLsDiz3zR+u
-txHemhzbdIVANAIiChnFct8sEqH2eL4N6XNUIlMIR06NjNl7NbN8w8haqiearnuT
-wmnaL4TThPmpbpKAF7N7JqQ=
+cmcXDTEzMDgwMTExMTkwMVoXDTE2MDQyNjExMTkwMVowHDAaAgkA7r4s5SEaEvcX
+DTEzMDgwMTExMTkwMVowDQYJKoZIhvcNAQEEBQADgYEAlaBfn4ZNvhcfTL2Ayt0B
+diipUlM12tU3L4EGfYb1FSFIz1tbL0wZwCElagBO/b+H6w3hY6C1xskTfoJedsZE
+EKPCeY/CbZA8x2gccJH86b9IXpmEctOSlbMICsgToJGwY1SnML27fn/n3szHCPI0
+BZok7a8EmBOBx0dyCKNZT70=
 -----END X509 CRL-----

test/fixtures/keys/ca2-database.txt

@@ -1 +1 @@
-R	380729182912Z	110314182914Z	8306BE7DE1BB099A	unknown	/C=US/ST=CA/L=SF/O=Joyent/OU=Node.js/CN=agent4/emailAddress=ry@tinyclouds.org
+R	401216111901Z	130801111901Z	EEBE2CE5211A12F7	unknown	/C=US/ST=CA/L=SF/O=Joyent/OU=Node.js/CN=agent4/emailAddress=ry@tinyclouds.org

test/fixtures/keys/ca2-key.pem

@@ -1,17 +1,17 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIbhsCgrscf9MCAggA
-MBQGCCqGSIb3DQMHBAjz0LdWOB2KVQSCAoDu+sHRLP6v6QiEwqynnF43yP02/F+8
-Jssz6cgFPpm4MWm+xwzvMsS4ET0UYE68OTZz/QgihwH0mp/34tkUnP0HqtdbnTH1
-fkG47hb8fVSEyDQSzs1ha/u31GIachNURKyhWR5mr15AJxu2B94Z3ldNv1yjI+Fy
-M1muuyx/cdkKTdpfpYr6n//wF1tup2u8Y7nkKsFus/mCuRlpItxKcRb1+nvW0s+K
-3bSR8CTlEWd1Tx6Qx+ogRbP8gwqd6gelcz/Zj8nInx/Y0gTkQ4eodmLJ5iqsvC36
-SgQB5LuP12ujTyXB3Hwqb8LJ4lULERX6AYHAa7h0c+fxuFr0W9/8atplrd22hoiP
-zZhgPHeH3R1fibB4M4xW2xgtbysOHj74RYlhQm1TCXLlqvzKkvT2oQ1bk7tUUqoR
-ozRxVzdL9oKWLzvR4LF8S67i35JlnOPU1AhcxD2+5ywRvTpugPyCE1mZOeVLHlGW
-2pdmSKbdd2gm2iSfadDPJ1DPdHLp844jRg/D6XDs4rlBnt9FjMWaXYo+ELmokoYe
-Yljv2MGfy6zsb5iKcNsx+llu04xGXfZ9BAuG+aT6DLCIcDIVvE0d6asc4Lz1xZli
-BrgyB8el2a/PomPbbf1vI2vtDi3Rg/pQhu/2++ODI08jI9Rudz1EltQQ4Lo38Ton
-nSZegTAy6afXiEh2ty09KxMo4sWs+F2I46e5Q3zGY9b/K19bbQTFxeBf2Rfwa8BF
-cf8Xs+DlcOMz5w0U2iBQfT1cV7dWLlaop7avYkpQ0fLa1pConlNhpguezcaAB8Lb
-VCfpoTh6VfHRtCLokQlkq0mlKPUSlMr/JAyVdvppp/T6Abt0VirM9ILV
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI8bZHR2S/7CECAggA
+MBQGCCqGSIb3DQMHBAj7VxqGH8gLKwSCAoCV4n2KmHtVe/Rs+mfz9qdElGc5YBz3
+k5WmqsfyXFUqf/AU710aorwHH/RGvBTGBtP6zYdcN+ZNCk80LBgSskLewfPUQm2c
+/0y1ZHrvPm8LNXVHPiQnWXIh8k/QU/UHywYcZCpuJZjPk7iKVLDNUkmvr3h9pQfH
+1H+Q8qfV85o4ZReyXkj0meaDMckc8JfHZ9hhSB9sm/Jbyyo5WQISiqGWXNA67yUf
+qU3bmbTWWaUC8vH8ZBXJUUsZMQlhF+DVg+SIOallJ4iTxecwp1xSZQjTvriEb9Ov
+r3Azs6E4UedChQLvC3HC6SSmQJEKRcYdT8t1TKkwy1mGAjqE288XqdP51zYh0ViL
+5z33K1UHkkEizNxsfFFD2VA8sOqAyRssGFA2l6wI/NwHnZ+jAZJlbHC2m6cCJ9f+
+mvDkznPgO2OzPBEbdNjWzMgMFT99PfDeZIQmXLXBU81QXGWje9fdb8zp0vi9sUo3
+W0UNN0eupPTCIbBQywqDqcP+kzOLzii913UFIY1NO9xx5DgekfbnT+Zko9uU8v6F
+yKLGdnYD0Dqsk6adddzIAuVNU7bwhsDV9LN4IuONU+9sL6GZvR6lz1w8uUnp/I6H
+v3RMLr1FhQw3BRT+H8muoaSZw6pzF1drdBN06jCP5r/etSxEXFzPY7RDmnNMx61s
+hzsI4Nu/GGJ1nxuBjke5BUGH9vTVXkm2GYYwUbE4lckwULHOdkzUMT4XR9226Tdh
+FzTYgPd7v6oFdzyXGxq1Li4hxvdDMhdMIGTNHD8xrRQBVMeZeQfi01aSVFoOvo61
+MO7r+K2zOZvHRXNjCZzkFi+oH62BacqMyx2/VLD8gh5y/LxQmuhdEBSL
 -----END ENCRYPTED PRIVATE KEY-----

test/simple/test-tls-ecdh-disable.js

@@ -0,0 +1,61 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+var common = require('../common');
+var assert = require('assert');
+var exec = require('child_process').exec;
+var tls = require('tls');
+var fs = require('fs');
+
+if (process.platform === 'win32') {
+  console.log("Skipping test, you probably don't have openssl installed.");
+  process.exit();
+}
+
+var options = {
+  key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
+  cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
+  ciphers: 'ECDHE-RSA-RC4-SHA',
+  ecdhCurve: false
+};
+
+var nconns = 0;
+
+process.on('exit', function() {
+  assert.equal(nconns, 0);
+});
+
+var server = tls.createServer(options, function(conn) {
+  conn.end();
+  nconns++;
+});
+
+server.listen(common.PORT, '127.0.0.1', function() {
+  var cmd = 'openssl s_client -cipher ' + options.ciphers +
+            ' -connect 127.0.0.1:' + common.PORT;
+
+  exec(cmd, function(err, stdout, stderr) {
+    // Old versions of openssl will still exit with 0 so we
+    // can't just check if err is not null.
+    assert.notEqual(stderr.indexOf('handshake failure'), -1);
+    server.close();
+  });
+});

test/simple/test-tls-ecdh.js

@@ -0,0 +1,63 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+var common = require('../common');
+var assert = require('assert');
+var exec = require('child_process').exec;
+var tls = require('tls');
+var fs = require('fs');
+
+if (process.platform === 'win32') {
+  console.log("Skipping test, you probably don't have openssl installed.");
+  process.exit();
+}
+
+var options = {
+  key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
+  cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
+  ciphers: '-ALL:ECDHE-RSA-RC4-SHA',
+  ecdhCurve: 'prime256v1'
+};
+
+var reply = 'I AM THE WALRUS'; // something recognizable
+var nconns = 0;
+var response = '';
+
+process.on('exit', function() {
+  assert.equal(nconns, 1);
+  assert.notEqual(response.indexOf(reply), -1);
+});
+
+var server = tls.createServer(options, function(conn) {
+  conn.end(reply);
+  nconns++;
+});
+
+server.listen(common.PORT, '127.0.0.1', function() {
+  var cmd = 'openssl s_client -cipher ' + options.ciphers +
+            ' -connect 127.0.0.1:' + common.PORT;
+
+  exec(cmd, function(err, stdout, stderr) {
+    if (err) throw err;
+    response = stdout;
+    server.close();
+  });
+});