tls: enable multiple SSL certificate support.

api/envoy/api/v2/auth/cert.proto

@@ -227,8 +227,9 @@ message CommonTlsContext {
  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;
 
- // Multiple TLS certificates can be associated with the same context.
- // E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured.
+ // :ref:`Multiple TLS certificates <arch_overview_ssl_multi_cert>` can be associated with the same
+ // context.B E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be
+ // configured.
  //
  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is

docs/root/intro/arch_overview/ssl.rst

@@ -85,6 +85,29 @@ standard Debian installations. Common paths for system CA bundles on Linux and B
 See the reference for :ref:`UpstreamTlsContexts <envoy_api_msg_auth.UpstreamTlsContext>` and
 :ref:`DownstreamTlsContexts <envoy_api_msg_auth.DownstreamTlsContext>` for other TLS options.
 
+.. _arch_overview_ssl_multi_cert: 
+
+Multiple certificates
+---------------------
+
+:ref:`UpstreamTlsContexts <envoy_api_msg_auth.UpstreamTlsContext>` support multiple TLS
+certificates. These may be a mix of RSA and P-256 ECDSA certificates. The following rules apply:
+
+* Only the first certificate of a particular type (RSA or ECDSA) is considered.
+* Non-P256 server ECDSA certificates are rejected.
+* The client must indicate P-256 support to be considered ECDSA capable.
+* If the client supports P-256 ECDSA, a P-256 ECDSA certificate will be selected if present in the
+ :ref:`UpstreamTlsContext <envoy_api_msg_auth.UpstreamTlsContext>`.
+* If the client only supports RSA certificate, an RSA certificate will be selected if present in the
+ :ref:`UpstreamTlsContext <envoy_api_msg_auth.UpstreamTlsContext>`.
+* Otherwise, the first certificate listed is used. This will result in a failed handshake if the
+ client only supports RSA certificates and the server only has ECDSA certificates.
+* Static and SDS certificates may not be mixed in a given :ref:`UpstreamTlsContext
+ <envoy_api_msg_auth.UpstreamTlsContext>`.
+
+Only a single TLS certificate is supported today for :ref:`DownstreamTlsContexts
+<envoy_api_msg_auth.DownstreamTlsContext>`.
+
 Secret discovery service (SDS)
 ------------------------------
 

docs/root/intro/version_history.rst

@@ -78,6 +78,7 @@ Version history
 * tls: added support for CRLs in :ref:`trusted_ca <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 * tls: added support for :ref:`password encrypted private keys <envoy_api_field_auth.TlsCertificate.password>`.
 * tls: added ssl.versions.<version> to :ref:`listener metrics <config_listener_stats>` to track TLS versions in use.
+* tls: added support for :ref:`multiple server TLS certificates <arch_overview_ssl_multi_cert>`.
 * tracing: added support to the Zipkin tracer for the :ref:`b3 <config_http_conn_man_headers_b3>` single header format.
 * tracing: added support for :ref:`Datadog <arch_overview_tracing>` tracer.
 * upstream: added :ref:`scale_locality_weight<envoy_api_field_Cluster.LbSubsetConfig.scale_locality_weight>` to enable

source/common/ssl/context_config_impl.cc

@@ -308,13 +308,12 @@ ServerContextConfigImpl::ServerContextConfigImpl(
 
  return ret;
  }()) {
- // TODO(PiotrSikora): Support multiple TLS certificates.
  if ((config.common_tls_context().tls_certificates().size() +
  config.common_tls_context().tls_certificate_sds_secret_configs().size()) == 0) {
  throw EnvoyException("No TLS certificates found for server context");
- } else if ((config.common_tls_context().tls_certificates().size() +
-  config.common_tls_context().tls_certificate_sds_secret_configs().size()) > 1) {
- throw EnvoyException("A single TLS certificate is required for server contexts");
+ } else if (!config.common_tls_context().tls_certificates().empty() &&
+ !config.common_tls_context().tls_certificate_sds_secret_configs().empty()) {
+ throw EnvoyException("Static and dynamic TLS certificates may not be mixed in server contexts");
  }
 }
 

test/common/ssl/context_impl_test.cc

@@ -20,6 +20,7 @@
 #include "openssl/x509v3.h"
 
 using Envoy::Protobuf::util::MessageDifferencer;
+using testing::EndsWith;
 using testing::NiceMock;
 using testing::ReturnRef;
 
@@ -881,28 +882,37 @@ TEST(ClientContextConfigImplTest, MissingStaticCertificateValidationContext) {
  "Unknown static certificate validation context: missing");
 }
 
-// Multiple TLS certificates are not yet supported, but one is expected for
-// server.
-// TODO(PiotrSikora): Support multiple TLS certificates.
+// Multiple TLS certificates are supported.
 TEST(ServerContextConfigImplTest, MultipleTlsCertificates) {
  envoy::api::v2::auth::DownstreamTlsContext tls_context;
  NiceMock<Server::Configuration::MockTransportSocketFactoryContext> factory_context;
  EXPECT_THROW_WITH_MESSAGE(
  ServerContextConfigImpl client_context_config(tls_context, factory_context), EnvoyException,
  "No TLS certificates found for server context");
- const std::string tls_certificate_yaml = R"EOF(
+ const std::string rsa_tls_certificate_yaml = R"EOF(
  certificate_chain:
  filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"
  private_key:
  filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"
  )EOF";
- MessageUtil::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
+ const std::string ecdsa_tls_certificate_yaml = R"EOF(
+ certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem"
+ )EOF";
+ MessageUtil::loadFromYaml(TestEnvironment::substitute(rsa_tls_certificate_yaml),
  *tls_context.mutable_common_tls_context()->add_tls_certificates());
- MessageUtil::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
+ MessageUtil::loadFromYaml(TestEnvironment::substitute(ecdsa_tls_certificate_yaml),
  *tls_context.mutable_common_tls_context()->add_tls_certificates());
- EXPECT_THROW_WITH_MESSAGE(
- ServerContextConfigImpl client_context_config(tls_context, factory_context), EnvoyException,
- "A single TLS certificate is required for server contexts");
+ MessageUtil::loadFromYaml(TestEnvironment::substitute(rsa_tls_certificate_yaml),
+ *tls_context.mutable_common_tls_context()->add_tls_certificates());
+ ServerContextConfigImpl server_context_config(tls_context, factory_context);
+ auto tls_certs = server_context_config.tlsCertificates();
+ ASSERT_EQ(3, tls_certs.size());
+ EXPECT_THAT(tls_certs[0].get().privateKeyPath(), EndsWith("selfsigned_key.pem"));
+ EXPECT_THAT(tls_certs[1].get().privateKeyPath(), EndsWith("selfsigned_key_ecdsa_p256.pem"));
+ EXPECT_THAT(tls_certs[2].get().privateKeyPath(), EndsWith("selfsigned_key.pem"));
 }
 
 TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) {
@@ -922,7 +932,7 @@ TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) {
  tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs();
  EXPECT_THROW_WITH_MESSAGE(
  ServerContextConfigImpl server_context_config(tls_context, factory_context), EnvoyException,
- "A single TLS certificate is required for server contexts");
+ "Static and dynamic TLS certificates may not be mixed in server contexts");
 }
 
 TEST(ServerContextConfigImplTest, SecretNotReady) {

test/common/ssl/ssl_socket_test.cc

@@ -656,6 +656,116 @@ TEST_P(SslSocketTest, NoCert) {
  GetParam());
 }
 
+// The first RSA certificate is picked when multiple RSA certificates are
+// present. We validate TLSv1.2 only here, since we validate the e2e behavior on
+// TLSv1.2/1.3 in ssl_integration_test.
+TEST_P(SslSocketTest, MultiCertFirstRsa) {
+ const std::string client_ctx_yaml = R"EOF(
+ common_tls_context:
+ tls_params:
+ tls_minimum_protocol_version: TLSv1_2
+ tls_maximum_protocol_version: TLSv1_2
+ cipher_suites: ECDHE-RSA-AES128-GCM-SHA256
+ validation_context:
+ verify_certificate_hash:
+ AB:6A:9F:1A:F4:C8:9E:81:A2:06:E9:E1:05:7E:BD:63:3E:8D:54:4A:E8:F0:50:5A:A3:58:63:25:17:B6:23:12
+ )EOF";
+
+ const std::string server_ctx_yaml = R"EOF(
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem"
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert2.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"
+)EOF";
+
+ testUtil(client_ctx_yaml, server_ctx_yaml, "", "", "", "", "", "", "", "ssl.no_certificate", true,
+ GetParam());
+}
+
+// The first ECDSA certificate is picked when multiple ECDSA certificates are
+// present. We validate TLSv1.2 only here, since we validate the e2e behavior on
+// TLSv1.2/1.3 in ssl_integration_test.
+TEST_P(SslSocketTest, MultiCertFirstEcdsa) {
+ const std::string client_ctx_yaml = R"EOF(
+ common_tls_context:
+ tls_params:
+ tls_minimum_protocol_version: TLSv1_2
+ tls_maximum_protocol_version: TLSv1_2
+ cipher_suites: ECDHE-ECDSA-AES128-GCM-SHA256
+ validation_context:
+ verify_certificate_hash:
+ 49:D0:E5:82:F1:0F:29:D8:C5:64:33:8F:14:2A:3E:53:87:CD:E2:E6:0E:8B:C7:83:CF:6F:88:BD:50:4E:11:E2
+ )EOF";
+
+ const std::string server_ctx_yaml = R"EOF(
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem"
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert2_ecdsa_p256.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem"
+)EOF";
+
+ testUtil(client_ctx_yaml, server_ctx_yaml, "", "", "", "", "", "", "", "ssl.no_certificate", true,
+ GetParam());
+}
+
+// Prefer ECDSA certificate when multiple RSA certificates are present and the
+// client is RSA/ECDSA capable. We validate TLSv1.2 only here, since we validate
+// the e2e behavior on TLSv1.2/1.3 in ssl_integration_test.
+TEST_P(SslSocketTest, MultiCertPreferEcdsa) {
+ const std::string client_ctx_yaml = R"EOF(
+ common_tls_context:
+ tls_params:
+ tls_minimum_protocol_version: TLSv1_2
+ tls_maximum_protocol_version: TLSv1_2
+ cipher_suites:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ validation_context:
+ verify_certificate_hash:
+ 49:D0:E5:82:F1:0F:29:D8:C5:64:33:8F:14:2A:3E:53:87:CD:E2:E6:0E:8B:C7:83:CF:6F:88:BD:50:4E:11:E2
+ )EOF";
+
+ const std::string server_ctx_yaml = R"EOF(
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem"
+ - certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert2.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"
+)EOF";
+
+ testUtil(client_ctx_yaml, server_ctx_yaml, "", "", "", "", "", "", "", "ssl.no_certificate", true,
+ GetParam());
+}
+
 TEST_P(SslSocketTest, GetUriWithLocalUriSan) {
  const std::string client_ctx_yaml = R"EOF(
  common_tls_context:

test/common/ssl/test_data/certs.sh

@@ -69,11 +69,13 @@ openssl x509 -req -days 730 -in san_only_dns_cert.csr -sha256 -CA ca_cert.pem -C
 openssl req -new -key san_uri_key.pem -out san_uri_cert.csr -config san_uri_cert.cfg -batch -sha256
 openssl x509 -req -days 730 -in san_uri_cert.csr -sha256 -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial -out san_uri_cert.pem -extensions v3_ca -extfile san_uri_cert.cfg
 
-# Generate selfsigned_cert.pem.
+# Generate selfsigned_cert*.pem.
 openssl req -new -x509 -days 730 -key selfsigned_key.pem -out selfsigned_cert.pem -config selfsigned_cert.cfg -batch -sha256
+openssl req -new -x509 -days 730 -key selfsigned_key.pem -out selfsigned_cert2.pem -config selfsigned_cert.cfg -batch -sha256
 
-# Generate selfsigned_cert_ecdsa_p256.pem.
+# Generate selfsigned_cert*_ecdsa_p256.pem.
 openssl req -new -x509 -days 730 -key selfsigned_key_ecdsa_p256.pem -out selfsigned_cert_ecdsa_p256.pem -config selfsigned_cert.cfg -batch -sha256
+openssl req -new -x509 -days 730 -key selfsigned_key_ecdsa_p256.pem -out selfsigned_cert2_ecdsa_p256.pem -config selfsigned_cert.cfg -batch -sha256
 
 # Generate selfsigned_cert_ecdsa_p384.pem.
 openssl req -new -x509 -days 730 -key selfsigned_key_ecdsa_p384.pem -out selfsigned_cert_ecdsa_p384.pem -config selfsigned_cert.cfg -batch -sha256

test/common/ssl/test_data/selfsigned_cert2.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAnmgAwIBAgIJAJ1VrEXUcUiBMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
+c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRQw
+EgYDVQQDDAtUZXN0IFNlcnZlcjAeFw0xODEyMTYwNDQ4MjdaFw0yMDEyMTUwNDQ4
+MjdaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH
+DA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVu
+Z2luZWVyaW5nMRQwEgYDVQQDDAtUZXN0IFNlcnZlcjCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAqy+9qxHrAhi/o4GlshCoalUxMXxHBmE2vyxMs1rejBfwOl3y
+IyA9r7oaHtMrqXxfF5TdjRvKWpj7dbAwGjhSOrPKXRjhT543BCAbSisCpMlA/CP7
+GaNfYLOtgBHU5mz8BlXY2fLBUORnHRlFbL/myIl3oeNhuLsUNjIlJSSflL0CAwEA
+AaOBnTCBmjAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggr
+BgEFBQcDAgYIKwYBBQUHAwEwHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxlLmNv
+bTAdBgNVHQ4EFgQU8/1SRZup5ukZHvtfSaI/OXXXUJIwHwYDVR0jBBgwFoAU8/1S
+RZup5ukZHvtfSaI/OXXXUJIwDQYJKoZIhvcNAQELBQADgYEAIWOd7GevpE1RH54w
+/P/Pvg3kyW3AA7YLpqJ2TmKkzquFNphxzkYlyGvG0b5SY+XnWTJ2XtedmOB6lsMB
+mpZFnvTCzzSqKHUessfpFoCiEC/oq1tA8iz4Zzj5vdQ67Fklr7DfY7c2MJZMQ79w
+n9Rlw5/zEeURPi5HA274+57OOiI=
+-----END CERTIFICATE-----

test/common/ssl/test_data/selfsigned_cert2_ecdsa_p256.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiDCCAi+gAwIBAgIJAN04uvKQrwj7MAoGCCqGSM49BAMCMHoxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
+MQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRQwEgYD
+VQQDDAtUZXN0IFNlcnZlcjAeFw0xODEyMTYwNDQ4MjdaFw0yMDEyMTUwNDQ4Mjda
+MHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T
+YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu
+ZWVyaW5nMRQwEgYDVQQDDAtUZXN0IFNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABK64d3LUKGgoZW6+SmRmomON7VKNpnLrzxnab+YDSVaIa6Ra5wKfwpPl
+lY13E/pvImznLi7CGeqDnAOlR1FfoLKjgZ0wgZowDAYDVR0TAQH/BAIwADALBgNV
+HQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB4GA1UdEQQX
+MBWCE3NlcnZlcjEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFL4/swsRcOIQC1vhhteF
+lW+xYkx5MB8GA1UdIwQYMBaAFL4/swsRcOIQC1vhhteFlW+xYkx5MAoGCCqGSM49
+BAMCA0cAMEQCIEOAdoVvPioRujN4PPCO7XfbI0tVkvG+s6gz5sPstzFIAiAUQW+C
+94PF5iyAemvKtE674ehQNDDCv024NmdO2K2pNg==
+-----END CERTIFICATE-----

test/config/integration/certs/cacert.pem

@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIICzTCCAjagAwIBAgIJANI6/WtezQ2/MA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+MIICzTCCAjagAwIBAgIJAPmiZ4jz1XVSMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
 c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw
-DgYDVQQDDAdUZXN0IENBMB4XDTE4MTEyNzE1MjMxMFoXDTIwMTEyNjE1MjMxMFow
+DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNjAyMTIxOVoXDTIwMTIxNTAyMTIxOVow
 djELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
 biBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5l
 ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBAMny8RRgQj5XRwI6FghrH1ZMWQxTnTR7qjvOaORM0/JbdK6ogz2J7GW7Kwt5
-D1EkVfuBD38aTK+2U/029tV1ZMYaM/WdvdUXM9gqAhwfdeePbbG5iU4JTz/Hh+zF
-IVdhE66XGiobM+z1LASvXjn+ZXQN2xpFtwrWAkWibbq+ASBtAgMBAAGjYzBhMA8G
-A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQNmhpLfi64
-Pw/YagZdVaA8zyZMfzAfBgNVHSMEGDAWgBQNmhpLfi64Pw/YagZdVaA8zyZMfzAN
-BgkqhkiG9w0BAQsFAAOBgQALipnMELDx4Im9xX8stxlt+vM9J44CIzUN6nMTmY7F
-CUId2s0VtHhaBhoRr/31zaEu10e+7KP3Cf1U8u1iZ/L8w3w9qspJC47AMUkbgVf2
-tsQg/jDYiz+bsmoTGPeBYIoH1OMcOEapXqgA0esuqPsTKFJh8WivWrpbeeFYMYBR
-7A==
+AoGBANtVpfbHmKM0b5XO6C8gEniF2fmtW8AgCwK/y2xPhqxj8lHC3esKLH89tc/W
+6g52xKpC3Z2wMYfc2uLgKysw2WARdC3OgZ98GSYxhuBUjS9DwNlMqkDlKcjyFLBY
+C9xSJ/LdNlf77P/LthDn5lwn9ss8zqERAqBoGMg9VayOn043AgMBAAGjYzBhMA8G
+A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTWRDt+nal2
+jB8E8iz03ieef0S6ejAfBgNVHSMEGDAWgBTWRDt+nal2jB8E8iz03ieef0S6ejAN
+BgkqhkiG9w0BAQsFAAOBgQCwikkLinPmWv5V77HX6SqsxShr20V1EPgLkFo6SmAT
+iOBfv14GBNqckXE8bvDoJ+1o0SljpRJ8xVSzKVVD3SQVLMTW4PIRyPwSFvSHiM92
+QTCrt1AbQ1tRI+6Yzkgs+cPqIhuUeXqXYSI2TDbalyztOMBJFAmMFKVY9ZNeW7mU
+vQ==
 -----END CERTIFICATE-----

test/config/integration/certs/cakey.pem

@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDJ8vEUYEI+V0cCOhYIax9WTFkMU500e6o7zmjkTNPyW3SuqIM9
-iexluysLeQ9RJFX7gQ9/GkyvtlP9NvbVdWTGGjP1nb3VFzPYKgIcH3Xnj22xuYlO
-CU8/x4fsxSFXYROulxoqGzPs9SwEr145/mV0DdsaRbcK1gJFom26vgEgbQIDAQAB
-AoGBAKkV1/QPhGdd+/5JVBlIV7yRwB0qBP3kbOwWLoy4Jt1M5a03OmtUB7JFvAyn
-F8QAgF1L+gWZp4uXRUtFsfWXjP8z/vlMaiwkUcehf1WUBCWW19b7fSXE+V5Kid4K
-zG1+pj2u9T3NO+fk2CEYdTRmY37vnxFEoJk+T64cJtdNxVGhAkEA6+NWe/gX5Xmy
-IROXbWG3q3F+RVfkHky0C19P6VbiqPNvz9U7ZSYydmoy22drv5O2zWoWZStO2ojG
-bzrh4spkowJBANsq02fsg+j+boBVYq20OLjjil04UAsJjCCYPmi2ObJl6FBE6QbG
-mpSNw2shji6VjKRwkChr8eHUSJ2Vg3oAp68CQQDEPO+A2IdAv7oh7EOImseK2DMd
-Cx5a2qLZ5yP60e5kcYjuVM1Bu8I1YuoGPwaTbRah0wToi1vhT/INLOYonwmTAkAK
-M/0xil49u5KTYOY+JfS6DsXDPzriuKgQYGYPY+RdvMbK7dpXWWma3tqpIx/GZWnt
-wdvENfpFxCc5RtufE2a7AkEAjMRXZyWMv1t9mzILWIezbTrQHT32znGVwIV/Y1Ej
-AtfGtC6UBwr1/pfBBlMKFSPxCNSCuxej+3K7BVWpO6Ve6A==
+MIICXgIBAAKBgQDbVaX2x5ijNG+VzugvIBJ4hdn5rVvAIAsCv8tsT4asY/JRwt3r
+Cix/PbXP1uoOdsSqQt2dsDGH3Nri4CsrMNlgEXQtzoGffBkmMYbgVI0vQ8DZTKpA
+5SnI8hSwWAvcUify3TZX++z/y7YQ5+ZcJ/bLPM6hEQKgaBjIPVWsjp9ONwIDAQAB
+AoGBAI+l9n47luI8s2AgFLzYeoBo2avGODMKSWvRhT84jnFVPB0ETSdkkGP9XJf0
+n3I9ouwHwvFFtgrPQKQaQOuWoKYt4OjtewFaV98dCx1DMD92fbiKUJ5IYdOFO9lX
+o+UG/XbRlOKI4gzE71AVByW9OQ64WF5pMKSmzHbti1kD9A5hAkEA9vvICcAa8Cvx
+v6EhycTKOwRNKoU5dJ8F9bkRnjjAwrFKiUdwbGcFeTw6PY90tw6DCzHn8J+M3c9f
+Q7pXVqZqyQJBAONXeEFvKFqtjpiOhTw5Tpqav1rJZtzRQqbDDLLmDukp7AEsnE3s
+pkRsbLmvK9ZnNvjx3Xa1RwDpAS8g+k2LcP8CQQC7GLTKnhpKAiAaGIgt/sNrvbBv
+G4kQzT6IjG/KOhfb5M4f/Fwv4kMFOhisdbXmzjl7C402fMcLaII0Hj73Rw3xAkBn
+SWMyX103LWj+uKmhveuPZEUR6zTXmB8vAqjvUoRtvIUj12/AG4dCyPvwtLw28bfR
+DJnwh9WVfUbzcYkm1/ZjAkEAmPqsx/kh0gIAnGPvRi1k3FJZmca+8GG/7NKLuWxI
+pxC0WV+hXKZKtnSlq5v26F42HP7Lv1+bAu8uZeXxkfWvZg==
 -----END RSA PRIVATE KEY-----

test/config/integration/certs/certs.sh

@@ -41,6 +41,11 @@ rm -f server_ecdsacert.cfg
 # Generate cert for the client.
 generate_rsa_key client ca
 generate_x509_cert client ca
+# Generate ECDSA cert for the celitn.
+cp -f clientcert.cfg client_ecdsacert.cfg
+generate_ecdsa_key client_ecdsa ca
+generate_x509_cert client_ecdsa ca
+rm -f client_ecdsacert.cfg
 
 # Generate cert for the upstream CA.
 generate_ca upstreamca