git » kxd » commit e35f950

tests: Add tests for DNSNames='*'

author Alberto Bertogli
2024-08-15 19:06:30 UTC
committer Alberto Bertogli
2024-09-08 09:33:09 UTC
parent 30c1e2cc4e82f73f822568ec334a22c55575a3c8
tests: Add tests for DNSNames='*'

In kxd <= 0.16, by default kxgencert (and before than, the equivalent
scripts) would generate certificates with DNSNames='*', and everything
worked okay.

But in Go 1.23, the Go TLS library started to reject such certificates
(Go commit 375031d8dcec9ae74d2dbc437b201107dba3bb5f).

We still want to make sure that the server can handle such certificates,
as they might still be in use in the wild, so this patch adds an
explicit test for that scenario.

Note that the tests or the code hasn't been updated to fix the problem
yet, but having this test will ensure that kxd can handle these certs
after the fixes.
tests/run_tests +84 -14
tests/wildcard_test_certs_kxgencert/client/cert.pem +18 -0
tests/wildcard_test_certs_kxgencert/client/key.pem +27 -0
tests/wildcard_test_certs_kxgencert/server/.gitignore +2 -0
tests/wildcard_test_certs_kxgencert/server/cert.pem +18 -0
tests/wildcard_test_certs_kxgencert/server/key.pem +27 -0
tests/wildcard_test_certs_openssl/client/cert.pem +19 -0
tests/wildcard_test_certs_openssl/client/key.pem +28 -0
tests/wildcard_test_certs_openssl/server/.gitignore +2 -0
tests/wildcard_test_certs_openssl/server/cert.pem +19 -0
tests/wildcard_test_certs_openssl/server/key.pem +28 -0 
diff --git a/tests/run_tests b/tests/run_tests
index 1782cc2..9eba155 100755
--- a/tests/run_tests
+++ b/tests/run_tests
@@ -77,9 +77,11 @@ def pushd(path):
 
 
 class Config:
-    def __init__(self, name):
+    def __init__(self, name, host=""):
         self.path = tempfile.mkdtemp(prefix="config-%s-" % name, dir=TEMPDIR)
         self.name = name
+        self.host = host
+        self.keys = {}
 
     def gen_cert(self):
         try:
@@ -89,6 +91,8 @@ class Config:
                 "-key=" + self.key_path(),
                 "-cert=" + self.cert_path(),
             ]
+            if self.host:
+                cmd.append("-host=" + self.host)
             subprocess.check_output(cmd, stderr=subprocess.STDOUT)
         except subprocess.CalledProcessError as err:
             print("kxgencert call failed, output: %r" % err.output)
@@ -103,13 +107,6 @@ class Config:
     def cert(self):
         return read_all(self.path + "/cert.pem")
 
-
-class ServerConfig(Config):
-    def __init__(self, name="server"):
-        Config.__init__(self, name)
-        self.keys = {}
-        self.gen_cert()
-
     def new_key(self, name, allowed_clients=None, allowed_hosts=None):
         self.keys[name] = os.urandom(1024)
         key_path = self.path + "/data/" + name + "/"
@@ -128,12 +125,6 @@ class ServerConfig(Config):
                 for host in allowed_hosts:
                     hfd.write(host + "\n")
 
-
-class ClientConfig(Config):
-    def __init__(self, name="client"):
-        Config.__init__(self, name)
-        self.gen_cert()
-
     def call(self, server_cert, url):
         args = [
             BINS + "/kxc",
@@ -150,6 +141,37 @@ class ClientConfig(Config):
             raise
 
 
+class ServerConfig(Config):
+    def __init__(self, name="server", host=""):
+        Config.__init__(self, name, host)
+        self.gen_cert()
+
+    def call(self, server_cert, url):
+        # To prevent accidental calls and to enforce that the test cases
+        # don't mix server and client.
+        return NotImplementedError("ServerConfig does not support call")
+
+
+class ClientConfig(Config):
+    def __init__(self, name="client", host=""):
+        Config.__init__(self, name, host)
+        self.gen_cert()
+
+    def new_key(self, name, allowed_clients=None, allowed_hosts=None):
+        # To prevent accidental calls and to enforce that the test cases
+        # don't mix server and client.
+        raise NotImplementedError("ClientConfig does not support new_key")
+
+
+class StaticConfig(Config):
+    def __init__(self, path):
+        self.path = path
+        self.keys = {}
+
+    def gen_cert(self):
+        raise NotImplementedError("StaticConfig does not support gen_cert")
+
+
 def launch_daemon(cfg):
     args = [
         BINS + "/kxd",
@@ -265,6 +287,54 @@ class Simple(TestCase):
         )
 
 
+class WildcardHostnamesKxgencert(Simple):
+    """Tests for certificates with DNSNames='*'.
+
+    In kxd <= 0.16, by default kxgencert (and before than, the equivalent
+    scripts) would generate certificates with DNSNames='*', and everything
+    worked okay.
+
+    But in Go 1.23, the Go TLS library started to reject such certificates (Go
+    commit 375031d8dcec9ae74d2dbc437b201107dba3bb5f).
+
+    We changed the defaults since then, but we still want to make sure that
+    the server can handle such certificates, as they might still be in use in
+    the wild.
+
+    This test uses static certificates generated with the old defaults, to
+    be absolutely sure they survive even through changes in the key generation
+    code.
+    """
+
+    _cert_dir = "wildcard_test_certs_kxgencert"
+
+    def setUp(self):
+        test_dir = os.path.dirname(os.path.realpath(__file__))
+        self.server = StaticConfig(test_dir + "/" + self._cert_dir + "/server")
+        self.client = StaticConfig(test_dir + "/" + self._cert_dir + "/client")
+
+        self.daemon = None
+        self.ca = None  # pylint: disable=invalid-name
+        self.launch_server(self.server)
+
+    def test_minimal(self):
+        self.server.new_key(
+            "k1",
+            allowed_clients=[self.client.cert()],
+            allowed_hosts=["localhost"],
+        )
+        key = self.client.call(self.server.cert_path(), "kxd://localhost/k1")
+        self.assertEqual(key, self.server.keys["k1"])
+
+    # Reuse the rest of the Simple test cases.
+
+
+class WildcardHostnamesOpenSSL(WildcardHostnamesKxgencert):
+    """Tests for certificates with DNSNames='*' generated with OpenSSL."""
+
+    _cert_dir = "wildcard_test_certs_openssl"
+
+
 class Multiples(TestCase):
     """Tests for multiple clients and keys."""
 
diff --git a/tests/wildcard_test_certs_kxgencert/client/cert.pem b/tests/wildcard_test_certs_kxgencert/client/cert.pem
new file mode 100644
index 0000000..65902c3
--- /dev/null
+++ b/tests/wildcard_test_certs_kxgencert/client/cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIINanW2Zy8uCMwDQYJKoZIhvcNAQELBQAwGzEZMBcGA1UE
+ChMQa3hkLXRlc3RzLWNsaWVudDAeFw0yNDA4MTUxOTAxMTdaFw0zNDA4MTMxOTAx
+MTdaMBsxGTAXBgNVBAoTEGt4ZC10ZXN0cy1jbGllbnQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDEH+gVG8EbdLsAlaO27nYxtEUH+hU6R971qg3zOWyn
+5+PyZ2HCz5GTSHMDNhCXBxpCZVEChxoyBbclZqo5OhPeJ3u8I/nsQD9WFLdHal8R
+8YXxUbp8WhvO67L5ojlQNUcxsXdF2jTgPYOfgHk0BbReafJ4xOa+xw/ClSdZ6bCs
+jIWwlkZ6VtRXhOy4vdi5cxvDYCnOr1tZfUs3iEhcyeIidruKEEVOu/EZ8igdJt5M
+DWDBRJk6BOQbCX0gTIRJodIQGrM2jlFaSS1buQF1ONFv+/H3+UClU7MUebObeYYS
+9gq+BiV6QRiIQ/hkMT/Ntzmj8i5/6/J075AGw5cm8f4rAgMBAAGjQzBBMA4GA1Ud
+DwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMAwG
+A1UdEQQFMAOCASowDQYJKoZIhvcNAQELBQADggEBAIrJ5T/PGBtvMfVcFZdut66s
+wOG4U9sW9EX9d4fTbHkr6ebG0XDf9IjjKCm3hSNsRxz07N7hv6ls3cOsYBsFcm2+
+1D73uYabNUfo7fE91AhMruYjXhTWB32zHv8iAGzgpLH+hhZxkUgpNPH8vsNc8onj
+SFl3beGuaM7dCkSIUWbYtfF8xRi+mZZxJMgcIFLJbSZmdglU+9HtOuvPiWQieiys
+tye4Vi/GHRHj+5Q5H06TDUdkhWd85TEzhjsMQ9+iuZ/QxJJtqcYxPNFgF4k+8Wim
+CR9ev4ecm/1mreDO9fMcx03D2vQk11ss5r5wfMSs1SwtVuuspM15PJ+uTaqEFIg=
+-----END CERTIFICATE-----
diff --git a/tests/wildcard_test_certs_kxgencert/client/key.pem b/tests/wildcard_test_certs_kxgencert/client/key.pem
new file mode 100644
index 0000000..6ccfc71
--- /dev/null
+++ b/tests/wildcard_test_certs_kxgencert/client/key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAxB/oFRvBG3S7AJWjtu52MbRFB/oVOkfe9aoN8zlsp+fj8mdh
+ws+Rk0hzAzYQlwcaQmVRAocaMgW3JWaqOToT3id7vCP57EA/VhS3R2pfEfGF8VG6
+fFobzuuy+aI5UDVHMbF3Rdo04D2Dn4B5NAW0XmnyeMTmvscPwpUnWemwrIyFsJZG
+elbUV4TsuL3YuXMbw2Apzq9bWX1LN4hIXMniIna7ihBFTrvxGfIoHSbeTA1gwUSZ
+OgTkGwl9IEyESaHSEBqzNo5RWkktW7kBdTjRb/vx9/lApVOzFHmzm3mGEvYKvgYl
+ekEYiEP4ZDE/zbc5o/Iuf+vydO+QBsOXJvH+KwIDAQABAoIBAG6CjANY4DbYT4bE
+yrsJIxBew4b7I3rzhG5oo/OpJ9B0mby9BBkBXMXgzO3CSRbQqbs/26XQ+rG1Br3M
+W55jW06ScOZSX0D/8rBOe/eBuJAjx5Vyt+HZ5FFz/iUrg5/uZW9a0BpMGf9Aqin1
++lWV4UxR5o6mZF6bTAYYhVPkmeifSNAhcPnKCR3TVGUM/BpOUI1oH49TYemOoL3B
+iiR1oBaqAXAiCvZTC9uzHNm/zsvj5URCdFDeHwpxk5nHxTjvp8Lh0ATbOaFysAy3
+GXA9luBK5Pe16js46mGAb7uV7bCYFl7ekXnRrMrGYGc11N7Pg/n1x1Vv9km7CXws
+HiRN0gECgYEA1CPjiGC15xT2ovYXH85Nt86sNbjf5wrRTolMh3IJq+fjh1TMzcpf
+gne3ARhBAF1A9R83s9V0zgvkoHgn4MONXUsyWtybnNoii3ckQ0wkzzvp28ixUvCN
+v4FOieHQLIFLCTgppbN2hliLJh/VuvfevWVIg3X9H4kLuC/znWCNQS0CgYEA7KxZ
+jnAt/rsJuZ57dMOWOvIXd+prut9qsg63e+JSl8B+oLoerQheMRUmWfPW8dEqI3q7
+T72dEHQvvtoWq4FGzu2oxMiRG3TAd03ncgT7HQ90i72Dltlaw+sptmXEklBoaBMG
+wbcE3k0X6Xc506qOmCFsbp8RWWYAjHm2gPtUY7cCgYBuRfWZx8PmyiPm1AtzMhd+
+K4WjK2XgQORKcd6BLctPO+wvRepsMv1w4XAUtpnbaZ5BjSe0aIoeLVp7+9mm4aAT
+VepoBvMxFscMPjNwdB1SSC+pWuqqVXcpjDraO7Kt38u0kCg+BUrgTRiQCc5dMUns
+o8CM7YFVqjSYWvzE2xKyRQKBgDMdPfI/VA+xwXXvPmaHX0i3xE3HuSCQ4/A0sXf1
+9zSDBFYeHEXuirk7Ah9nRELRk7I57X5ZSzSkgzNK0p6TuwEx3sMxNfWiD3c0wgmj
+/b/W+Kq9cVAA/VNW1Jlp/TxEVWg0w77OkiSYrdNkRn7qVQWSImL5w7t1BiVQnBPb
+M+ydAoGAHh3nUquGdIsR1/QcAs6i12XcxzmFokQIut5FTnd3OZxX+D7nMcupDdAg
+NA5yGzW1/uzH5nM28wdv9VU6Nxaam/cXPMu8luQaMheWkhcrBFr547w3qs+iQkTI
+FY2+8x2DCMQQGvbLK9JmeJnhvMkjB3y8iXrL6H60pjN59NlSdas=
+-----END RSA PRIVATE KEY-----
diff --git a/tests/wildcard_test_certs_kxgencert/server/.gitignore b/tests/wildcard_test_certs_kxgencert/server/.gitignore
new file mode 100644
index 0000000..fe3cad6
--- /dev/null
+++ b/tests/wildcard_test_certs_kxgencert/server/.gitignore
@@ -0,0 +1,2 @@
+log
+data/
diff --git a/tests/wildcard_test_certs_kxgencert/server/cert.pem b/tests/wildcard_test_certs_kxgencert/server/cert.pem
new file mode 100644
index 0000000..7438469
--- /dev/null
+++ b/tests/wildcard_test_certs_kxgencert/server/cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIIJua2egAlPEQwDQYJKoZIhvcNAQELBQAwGzEZMBcGA1UE
+ChMQa3hkLXRlc3RzLXNlcnZlcjAeFw0yNDA4MTUxOTAxMTdaFw0zNDA4MTMxOTAx
+MTdaMBsxGTAXBgNVBAoTEGt4ZC10ZXN0cy1zZXJ2ZXIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDy3sYvXUnIm591qIWWbn3iTUyKl7ncWmGSQJ8XWXaz
+NwbNuINBy6bTf8H6BP20sCWQWYRTKYELGmZLp4fUme33y0xNnFpcbR5tqKI8SQOX
+wvCk3ox3xUnBEr7t0gHhSDVrhPRMWsWVlgPw4t3MgoDk/J97uAwGnfCXiMWZL3tM
+fFgrJja73RmzsbjamS/yjp7A6jLLe0MH/o73zaNJsyTeit6uTwU9PBEHzLgH0Udi
+97y/MQ/MQs0Wn1JtTbvV5HQSHrlwVkSQY1feSNBERnCs/l5B9CYoPX3o3a3UtyyX
+jMy6eSt3bio0Du5jYR9VoIi94FJ8SJlNgPXVgnPLr8XjAgMBAAGjQzBBMA4GA1Ud
+DwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMAwG
+A1UdEQQFMAOCASowDQYJKoZIhvcNAQELBQADggEBACAGsja7xV92lyefwXDX3ZWw
+hQ5b/t5WGSXdQNG4oYWpU+EfTNU79j2Sr/RcZ/8YD6weYL75ONW2BeOTQ9Iev5du
+XAVcfgiAjz8zRru+hH7xausFJM1I5e3nhWSzAyBiyJxzSBcBUWhiNrSvStjvigTs
+XT34FYR9p+7ZGFljQlD5eeh7E5cV6UA9wIE2vXTshDCyZdoDqEoXj3HYw/sJtOdf
+kRZlOuK6GXJFxoZBIa5cJFSgq618UjwErFG7frsAKr9Da8sXBQMThMDz37mZlRST
+r3M2b4+Z13YRtFlWmqpg8HbOjBJEgPvWf6GfXiqWf6d9IxptMFk2u80IIDi38A8=
+-----END CERTIFICATE-----
diff --git a/tests/wildcard_test_certs_kxgencert/server/key.pem b/tests/wildcard_test_certs_kxgencert/server/key.pem
new file mode 100644
index 0000000..9696571
--- /dev/null
+++ b/tests/wildcard_test_certs_kxgencert/server/key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA8t7GL11JyJufdaiFlm594k1Mipe53FphkkCfF1l2szcGzbiD
+Qcum03/B+gT9tLAlkFmEUymBCxpmS6eH1Jnt98tMTZxaXG0ebaiiPEkDl8LwpN6M
+d8VJwRK+7dIB4Ug1a4T0TFrFlZYD8OLdzIKA5Pyfe7gMBp3wl4jFmS97THxYKyY2
+u90Zs7G42pkv8o6ewOoyy3tDB/6O982jSbMk3orerk8FPTwRB8y4B9FHYve8vzEP
+zELNFp9SbU271eR0Eh65cFZEkGNX3kjQREZwrP5eQfQmKD196N2t1Lcsl4zMunkr
+d24qNA7uY2EfVaCIveBSfEiZTYD11YJzy6/F4wIDAQABAoIBAFhcvPZWlpWqKSYB
+njjREnPXc9WoxjJpn746TKeOISWrC4qlavvxQE0K2mRAlJ28yK3wI7iuDQkhHb7A
+wSaUqoPRL329ORMPkFaNWBle5zO79RnG7oxU9zSLwXN9SLnSL71irg9ppyF5Zw2p
+PNE/We32C4BTwexWYkZ/uIS3RcDZdzLN3ouPkIIvnG7E4oNZdMkMknFVEhXYg8c0
+yaTN4FOXr5J55n8WReT24n5574BUsPAMHd56oV6TVLV+3P7ZNLlFkS6Mh83fOgRr
+uu3DfXWCJXVeliRBOzk9ZCfJmPp3SbNsqiqyhkLrlaGkqzSDbWBPoQZ8q2+G2KEH
+RoJK/EECgYEA9Rz8uUL5douMzLi+l0wgUbnvUBVNNsO3nKIbRDofhW1HVUieieDw
+gawfqXpcRK8MPhvKOlw+r4Z/sNFjKClwEzuLWRAN2AM6hxweBfbMG1deqXcNnqsh
+z0YMgTIB+8kSDVKHhlgsAW+BACzfnUlKEq6sQYnSjJ8NXRsAapxVLCkCgYEA/ahI
+e4Y5A0svzXGBFVy8dfh+IipEg8vqQIrFjxmhkW0kEP80caTohDNMb0B+WfzBAfVq
+uKLQy/71jVRqh1RvW7N24IZxf3b3g82oaeqMNQdLgCVuB07RvC4rbnV3jiCLy53Q
+xj18IDTAg8euVZYqYOPRO8jJFgqht/6T/gCR4ysCgYEAx6+w2AEPGJuBvnq3kqzL
+G6mdpCFmgTobSLjr+75aVan8VidOOUeOyCWAueJcbvwoviSHsNnbm8W4G0XKQTrY
++mIlGQ6yKIwgz1eBwhwYliGsleTOrLgAWEtZ/prN8OETGtVkYXdNinHbp1fnaMz/
+Uo8I+G+enz8odPR9d10bKlkCgYEAhwsvw6u68Lj3sy3JpmDf6QKpzHCqV2yZw1De
+Swg/T1hGylHETviX3cId4GD6o9f/vZY2AiSUeva7LkoSCQh33N9X28NX65+fuOkl
+z3XSvWyr0oaa5IMfAEuoTb92LhG/u2DCxLf5PIA5Oi917hTrbPf87hJAlF6GqJl9
+ms4c3U8CgYArvKICxvSN+XZdW0LXW4MPNkb4JhR1MY/A+WJG3CwS5DWD0K4iuXPW
+NtavHNtc57tiMukoHrdzFcYwOslrVEkLljlrKxmmXrxUuCTbd+H28T3PBEwaTC2e
+O9Rf3esazCnN4fsZ8daxQd314+yY5r9WJwoC982zCL1BP8y9dV7mvQ==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/wildcard_test_certs_openssl/client/cert.pem b/tests/wildcard_test_certs_openssl/client/cert.pem
new file mode 100644
index 0000000..0789ba9
--- /dev/null
+++ b/tests/wildcard_test_certs_openssl/client/cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHzCCAgegAwIBAgIUHpvfYnyEmyzzTaltXOgnEq8+r5swDQYJKoZIhvcNAQEL
+BQAwHzEKMAgGA1UEAwwBKjERMA8GA1UECwwIa3hjQHRlc3QwHhcNMjQwODE1MjMz
+NTE3WhcNMzQwODEzMjMzNTE3WjAfMQowCAYDVQQDDAEqMREwDwYDVQQLDAhreGNA
+dGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALBubPX4RwvOatpO
+c1eNHR5Wjz2x+NMzIlir+hkURTi/7VZ3q9S27J0y1wBk7ckLOdTVpAJkcopfOhNd
+dhUtWrUexi7ATsRuu+/JmVJ3hNhdFM76hT0Ne5op3fh6T3MuNgtu267rQ5S/4KJX
+afSOkslTTym2WnoTvkSx2gOu64ZE619jcI+8cbsM/D/K5+lNfdipuhuKAGFO6dKP
+xLkCIli1mxCSy6oIDBDhBlDB31tfAQkAJiIfC1UgXnEZFMbpQ4rnfJEhcHbGjKAq
+RMsSDw1ZoD40TBXFncRl2NtKjqAxHRV/rM/N8c6EiWDzBdW2LreN7hIRFkyRZ8MJ
+Nv+ujgMCAwEAAaNTMFEwHQYDVR0OBBYEFFh9Dlf/zK7Xp+SOybexQ3O2acndMB8G
+A1UdIwQYMBaAFFh9Dlf/zK7Xp+SOybexQ3O2acndMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAAwZWshJJ6yu2N1ymPe66Dq/xHVIBDXqLCMB8Vhm
+rouj8ThkJuAwDxFwY516hQis918o6DPADiJPctnpJTgbgZYNTr02f44YngJbBXWp
+xGVH3FDKnzzJh0QJIXenMVDkJczf2bi7XK5FX4a/WCpa4z4CmXTHQSRYyNV3p7YM
+tuvqbzEOfGaFX7yoqFKk31+hSL5JxT7hzRtA7qzXEKHXUxMz+8wLifJPo90c2ayA
+dzfgml5g/BNjqfIXNT7N+d9RkLcjKNuWZnt7HsvBPx/QIkrTVfZipZBedi4AA1r8
+3iljopAaqt5fs1adqJrjOe/TWi3VrqIO9wfb+qI5ZCtGhNA=
+-----END CERTIFICATE-----
diff --git a/tests/wildcard_test_certs_openssl/client/key.pem b/tests/wildcard_test_certs_openssl/client/key.pem
new file mode 100644
index 0000000..a0f16c9
--- /dev/null
+++ b/tests/wildcard_test_certs_openssl/client/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCwbmz1+EcLzmra
+TnNXjR0eVo89sfjTMyJYq/oZFEU4v+1Wd6vUtuydMtcAZO3JCznU1aQCZHKKXzoT
+XXYVLVq1HsYuwE7EbrvvyZlSd4TYXRTO+oU9DXuaKd34ek9zLjYLbtuu60OUv+Ci
+V2n0jpLJU08ptlp6E75EsdoDruuGROtfY3CPvHG7DPw/yufpTX3YqbobigBhTunS
+j8S5AiJYtZsQksuqCAwQ4QZQwd9bXwEJACYiHwtVIF5xGRTG6UOK53yRIXB2xoyg
+KkTLEg8NWaA+NEwVxZ3EZdjbSo6gMR0Vf6zPzfHOhIlg8wXVti63je4SERZMkWfD
+CTb/ro4DAgMBAAECggEARopwIEw7Q7otOMmjDj9KhCXBsb4lqXPJaMCiB0L2hkEe
+iLLiTfMxWYzJL8wq0nYdkj41DAvTTAXU94cnvkHbAY2jWW/kTl+j3rSxC6rjv4o/
+1p2NhiKM58+Tg1SLzZaNXzbcuOwxohixnNbscy5J/BrGDPxu4l5gdaDSdSSL4Kuk
+h6bHLzjZQVq4/Sx93i/uu8cXveIJRts0RAEs8u2aFZRU5B2+Gzh+T2WSqnAg5L4m
+HHDsOdid3TpdQN5/Eipwo/1JbN8454GsxB9h4WQlB81ISXet/Peh+6dmVArXa5z9
+6QCgEKH8vGDu9urVndZU5nIzBOi1F7FT5mNJZK6YaQKBgQDuigAw0odw1FVrsZF9
++aXsDcOZJmvpQi9dRK3D4z5dWZvtHGGZ/6AH1V8Q8PJDVQ+gSy554lbn3I/0iaX1
+nVpVrK1DlEtkQoOzF6X3nKWbtYxViA8rnL3bfUwfJ3QwMiGAqZU1F5tzkmoZnsAx
+6hxhixTFmS6O50F5VIfhPyi7dwKBgQC9WJWVwMhRm7HEjUWbMHDH5CVfsynNhrLg
+prkqZ6IhuHhGzxb6sOC82FW1yrSGLjM2eKNi7bJkxjj8970PiyoEni/GSat7hlUJ
+4Ge2/cT4pMaUPfTUdPNAnnL+L1syD3wNL3vmvel/r9mmMCGRqguiALkJ67Z+/WBP
+Rf9b1EcM1QKBgQC8H+4CkybqHyu3IXWjKo5m2nwWfqzAa8g7AH0ibkezC4bju2xm
+LaoiQ28UR1JpM959Bo4C5jSv681EiIJwcMbbprGHCJ9k1OhVCCOGYu5hHQ8uLX35
+YUaCohC0yULi98ZgWF4qXxHkVeaDiiX9t6rmau/Y3vRPE6cZb0cyp8MSBQKBgQCZ
+2Ze51aou/UZFgdC0F3kcQpnHl+l4kWFZPr8n4IsRwTUhu/Vc/0msyE9kZm+ms3Vz
+ZjTEFoWkcpgtnBLnxVj/5ZTGFmga93yziL5dJvfcXO7p1ynPU7Ovps+jD9GW7JQM
+lq+jPl6zHKzJ50Pveu721IWFtRxVNQYDg8nI0MRmfQKBgQDszoZa8EUh6cFhjwC0
+Fj94xqVXVmGqigTpUGbP344eo565UziA8O7IDJNFZdwmNuhzN/AbeRcdiyS+SY7g
+XVMiPw2+k4dNLt+P5aRqneuArgZ/Y0gy/X5rsDaLRVG8pjyn6bbd0AFcZIJtGr1M
++sOI8ta2NYMq+MYDLt4G4kLF3w==
+-----END PRIVATE KEY-----
diff --git a/tests/wildcard_test_certs_openssl/server/.gitignore b/tests/wildcard_test_certs_openssl/server/.gitignore
new file mode 100644
index 0000000..fe3cad6
--- /dev/null
+++ b/tests/wildcard_test_certs_openssl/server/.gitignore
@@ -0,0 +1,2 @@
+log
+data/
diff --git a/tests/wildcard_test_certs_openssl/server/cert.pem b/tests/wildcard_test_certs_openssl/server/cert.pem
new file mode 100644
index 0000000..a28b318
--- /dev/null
+++ b/tests/wildcard_test_certs_openssl/server/cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHzCCAgegAwIBAgIUdtiBDx/LuGniRXGCkt+H6+bSwGcwDQYJKoZIhvcNAQEL
+BQAwHzEKMAgGA1UEAwwBKjERMA8GA1UECwwIa3hkQHRlc3QwHhcNMjQwODE1MjM0
+MTI5WhcNMzQwODEzMjM0MTI5WjAfMQowCAYDVQQDDAEqMREwDwYDVQQLDAhreGRA
+dGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+2PlECOw8qSqUj
+1uK0LgkGVMzijC9tmTEAL+eBjrcIdS3E0Ckg5nQiJ2wdfR7D2Qfvw/MmOTnFYnJ1
+X/7gqpbqe/Cgrit7DCQW3vf5WbULk4mKnT5i8no2btFZJ2la4IANJ41H19tKKq4Q
+9YPhJWPCTp2LqOPDQF7mZ+4MN/XyNeqKVvqTIR55b2Y2+y67NVkZVTTilRGbssqS
+JP84V8WZCn3zPriQFh1iIcQegE7j6/8VMZmDq+GSNKAcDDM7HGP0BBeRoQGAqUa1
+LYXSY9V0ygajeYUPwT13hM/lpr4q42Tfdl51HSN24I4SXI8qxpVfn94noCWa6TNb
+I0UU4pECAwEAAaNTMFEwHQYDVR0OBBYEFHZkBSlLn+r9qzQKrLMzZPGAYvLoMB8G
+A1UdIwQYMBaAFHZkBSlLn+r9qzQKrLMzZPGAYvLoMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAEPSdGoT7yDw2nX9M1awsdxFQQsRRlQtznZSfl24
+QvMSvkFmOo7zEqdq7gIFbnEsv+BcuoFIBj7nrTg3SxAFRBfQamtjcBwLazwUe88n
+rWmBBhVmLTiGmZSD7n+m2NoJM1gR4U/sG1S+o8ez2Q91tZD/ttoqS+bO0Ww6eTQq
+0DoduTfwx0gf3G//aUzug3lS6mQ56DOAZwq4kmz2qU+o+xC1iZXvw4XNCFW4Mk4E
+SWeLFExiGmqb/DC8bjB/Y9rpqgRSbZA+VkHeqgO3Hk2Rean3VUFb7jsJdCULhw26
+mAjQHX7F7LEZgmTqAKnLAcdT8BPRQtaStsOX6ue089XUNVU=
+-----END CERTIFICATE-----
diff --git a/tests/wildcard_test_certs_openssl/server/key.pem b/tests/wildcard_test_certs_openssl/server/key.pem
new file mode 100644
index 0000000..299a3a2
--- /dev/null
+++ b/tests/wildcard_test_certs_openssl/server/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPtj5RAjsPKkql
+I9bitC4JBlTM4owvbZkxAC/ngY63CHUtxNApIOZ0IidsHX0ew9kH78PzJjk5xWJy
+dV/+4KqW6nvwoK4rewwkFt73+Vm1C5OJip0+YvJ6Nm7RWSdpWuCADSeNR9fbSiqu
+EPWD4SVjwk6di6jjw0Be5mfuDDf18jXqilb6kyEeeW9mNvsuuzVZGVU04pURm7LK
+kiT/OFfFmQp98z64kBYdYiHEHoBO4+v/FTGZg6vhkjSgHAwzOxxj9AQXkaEBgKlG
+tS2F0mPVdMoGo3mFD8E9d4TP5aa+KuNk33ZedR0jduCOElyPKsaVX5/eJ6Almukz
+WyNFFOKRAgMBAAECggEAAwNnEIhKgIwRxKcKM0Q/ZbieitFfjMGXhxc0WrSttBiO
+kKEqDuqwBS/IqCAeZE+diqivDEw56M1lAfmTcLBkMSfKMAG4vR8+HBjr16eZpk96
+brSg1tqbH2xCO83CDVx45MqsD/fimQcQqvFKioT95J5ZQx5XTySSPr4zdEffmPUJ
+m4kPpSO1geLAnGYSbR9Y043cwUxoLsvs0Q5jv+M1G9/HsfTyu+yF1VurOgDleoId
+/9pUZDOJ6V1p5zh0PjU4j1RG+wAJXALeLI8kYODAyUGc2S9Bqaf3cIYCzrrBK3xE
+AAygYEe2l85G3uiuoCKxJVP9rFtP0aooq13jIQbuNQKBgQD+iWB2N7ZpZEjyibkS
+xhWb1UFsetylmSkIqPOoXNcSa+1Uy01a/6G1slc4WsXowQfYR3nhkyAhVKg3Tazn
+McPhwOo5CLVKFoqo7KJQgNtDU6syu/J42ShQmHeyC7RDHcVt/LTlh0G4vkI4FtX+
+QY2XxXBF6Ctq5v12o626lUfm/QKBgQDQ5/NfDtVGAZu4zGvqG0uc6EtWvmwgBG9E
+sTbfpdMaHKVL0H9Vc8vow36JX56az5nWMvlrwCFoPuAW3Zz+/w1WW3VqDKJ8d4V3
+uLN+khcOu7Sx75XqaeZ4ytgEpknIzdn8OM89MWEQ61Uw7l6fYPuM6eHA3BKk3BJI
+wGX9EpqAJQKBgQD7HG6U0kvcV7p7xJFYSyGgVlgv/FnX6W0JBR00uTrZCq7eW59a
+Kh3QEjxn9W2QPXdO0N0WRL6LA2jc/n2YrIjyHA826zdm+ywakTFkuGsYVd/ssmz4
++kwCjxhvB4r0N9fBtXCFjNWyu8i6axT8vJFC7N7hqLXExlPCCqJnE8UWxQKBgQDA
+JunjYKhpaSdMFrOYNR0aqUxK8IJR/OI/w+VeV4/SL9EW6COHfShs5Ayq3QntCdFN
+hbuIEcRot5S1U4iJwB4LdbqNHiwC4okgcwKfBE8zHRJ6rI4vfNMh/iouNKofisDb
+z4FHnvjScDP++vKMFM+scKBXHdYET+x9gIMPAaKdBQKBgC2pJ1WsCu/bGnqAiMoW
+gY4T8ypC7BYGHfSM682nowhQxJaQyhPx47OwjGNn9I4nK9ZHh+/DZRCbFqLdWiG9
+hOyFPXvLyphyx8JpxvexeWZIWCKliilV2MP/b6cHZZ2VvjLv7MW19g53J/QmZDh2
+ELZARJIIBOCzOq1j5i3BbykD
+-----END PRIVATE KEY-----