Merge pull request #151 from alexmiller-apple/tlsplugin51

LibreSSL TLS Plugin
2018-04-13 16:51:07 -07:00 · 2018-04-13 16:51:07 -07:00 · fd588bd3b8
parent 57aa7ff8d4 5efd9fe3c4
commit fd588bd3b8
28 changed files with 3045 additions and 5 deletions
--- a/FDBLibTLS/FDBLibTLS.map
+++ b/FDBLibTLS/FDBLibTLS.map
@ -0,0 +1,6 @@
+{
+  global:
+    get_plugin;
+  local:
+    *;
+};
--- a/FDBLibTLS/FDBLibTLS.symbols
+++ b/FDBLibTLS/FDBLibTLS.symbols
@ -0,0 +1 @@
+_get_plugin
--- a/FDBLibTLS/FDBLibTLS.vcxproj
+++ b/FDBLibTLS/FDBLibTLS.vcxproj
@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|X64">
+      <Configuration>Debug</Configuration>
+      <Platform>X64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|X64">
+      <Configuration>Release</Configuration>
+      <Platform>X64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="FDBLibTLSPlugin.h" />
+    <ClCompile Include="FDBLibTLSPlugin.cpp" />
+    <ClInclude Include="FDBLibTLSPolicy.h" />
+    <ClCompile Include="FDBLibTLSPolicy.cpp" />
+    <ClInclude Include="FDBLibTLSSession.h" />
+    <ClCompile Include="FDBLibTLSSession.cpp" />
+  </ItemGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|X64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|X64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+</Project>
--- a/FDBLibTLS/FDBLibTLSPlugin.cpp
+++ b/FDBLibTLS/FDBLibTLSPlugin.cpp
@ -0,0 +1,32 @@
+// Apple Proprietary and Confidential Information
+
+#include "boost/config.hpp"
+
+#include "FDBLibTLSPlugin.h"
+#include "FDBLibTLSPolicy.h"
+
+#include <string.h>
+
+FDBLibTLSPlugin::FDBLibTLSPlugin() {
+	// tls_init is not currently thread safe - caller's responsibility.
+	rc = tls_init();
+}
+
+FDBLibTLSPlugin::~FDBLibTLSPlugin() {
+}
+
+ITLSPolicy *FDBLibTLSPlugin::create_policy(ITLSLogFunc logf) {
+	if (rc < 0) {
+		// Log the failure from tls_init during our constructor.
+		logf("FDBLibTLSInitError", NULL, true, "LibTLSErrorMessage", "failed to initialize libtls", NULL);
+		return NULL;
+	}
+	return new FDBLibTLSPolicy(Reference<FDBLibTLSPlugin>::addRef(this), logf);
+}
+
+extern "C" BOOST_SYMBOL_EXPORT void *get_plugin(const char *plugin_type_name_and_version) {
+	if (strcmp(plugin_type_name_and_version, FDBLibTLSPlugin::get_plugin_type_name_and_version()) == 0) {
+		return new FDBLibTLSPlugin;
+	}
+	return NULL;
+}
--- a/FDBLibTLS/FDBLibTLSPlugin.h
+++ b/FDBLibTLS/FDBLibTLSPlugin.h
@ -0,0 +1,25 @@
+// Apple Proprietary and Confidential Information
+
+#ifndef FDB_LIBTLS_PLUGIN_H
+#define FDB_LIBTLS_PLUGIN_H
+
+#pragma once
+
+#include "ITLSPlugin.h"
+#include "ReferenceCounted.h"
+
+#include <tls.h>
+
+struct FDBLibTLSPlugin : ITLSPlugin, ReferenceCounted<FDBLibTLSPlugin> {
+	FDBLibTLSPlugin();
+	virtual ~FDBLibTLSPlugin();
+
+	virtual void addref() { ReferenceCounted<FDBLibTLSPlugin>::addref(); }
+	virtual void delref() { ReferenceCounted<FDBLibTLSPlugin>::delref(); }
+
+	virtual ITLSPolicy *create_policy(ITLSLogFunc logf);
+
+	int rc;
+};
+
+#endif /* FDB_LIBTLS_PLUGIN_H */
--- a/FDBLibTLS/FDBLibTLSPolicy.cpp
+++ b/FDBLibTLS/FDBLibTLSPolicy.cpp
@ -0,0 +1,402 @@
+// Apple Proprietary and Confidential Information
+
+#include "FDBLibTLSPolicy.h"
+#include "FDBLibTLSSession.h"
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/obj_mac.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+#include <algorithm>
+#include <exception>
+#include <map>
+#include <string>
+#include <vector>
+
+
+FDBLibTLSPolicy::FDBLibTLSPolicy(Reference<FDBLibTLSPlugin> plugin, ITLSLogFunc logf):
+	plugin(plugin), logf(logf), tls_cfg(NULL), session_created(false), cert_data_set(false),
+	key_data_set(false), verify_peers_set(false), verify_cert(true), verify_time(true) {
+
+	if ((tls_cfg = tls_config_new()) == NULL) {
+		logf("FDBLibTLSConfigError", NULL, true, NULL);
+		throw std::runtime_error("FDBLibTLSConfigError");
+	}
+
+	// Require client certificates for authentication.
+	tls_config_verify_client(tls_cfg);
+
+	// Name verification is always manually handled (if requested via configuration).
+	tls_config_insecure_noverifyname(tls_cfg);
+}
+
+FDBLibTLSPolicy::~FDBLibTLSPolicy() {
+	tls_config_free(tls_cfg);
+}
+
+ITLSSession* FDBLibTLSPolicy::create_session(bool is_client, TLSSendCallbackFunc send_func, void* send_ctx, TLSRecvCallbackFunc recv_func, void* recv_ctx, void* uid) {
+	session_created = true;
+	try {
+		return new FDBLibTLSSession(Reference<FDBLibTLSPolicy>::addRef(this), is_client, send_func, send_ctx, recv_func, recv_ctx, uid);
+	} catch ( ... ) {
+		return NULL;
+	}
+}
+
+static int hexValue(char c) {
+	static char const digits[] = "0123456789ABCDEF";
+
+	if (c >= 'a' && c <= 'f')
+		c -= ('a' - 'A');
+
+	int value = std::find(digits, digits + 16, c) - digits;
+	if (value >= 16) {
+		throw std::runtime_error("hexValue");
+	}
+	return value;
+}
+
+// Does not handle "raw" form (e.g. #28C4D1), only escaped text
+static std::string de4514(std::string const& input, int start, int& out_end) {
+	std::string output;
+
+	if(input[start] == '#' || input[start] == ' ') {
+		out_end = start;
+		return output;
+	}
+
+	int space_count = 0;
+
+	for(int p = start; p < input.size();) {
+		switch(input[p]) {
+		case '\\': // Handle escaped sequence
+
+			// Backslash escaping nothing!
+			if(p == input.size() - 1) {
+				out_end = p;
+				goto FIN;
+			}
+
+			switch(input[p+1]) {
+			case ' ':
+			case '"':
+			case '#':
+			case '+':
+			case ',':
+			case ';':
+			case '<':
+			case '=':
+			case '>':
+			case '\\':
+				output += input[p+1];
+				p += 2;
+				space_count = 0;
+				continue;
+
+			default:
+				// Backslash escaping pair of hex digits requires two characters
+				if(p == input.size() - 2) {
+					out_end = p;
+					goto FIN;
+				}
+
+				try {
+					output += hexValue(input[p+1]) * 16 + hexValue(input[p+2]);
+					p += 3;
+					space_count = 0;
+					continue;
+				} catch( ... ) {
+					out_end = p;
+					goto FIN;
+				}
+			}
+
+		case '"':
+		case '+':
+		case ',':
+		case ';':
+		case '<':
+		case '>':
+		case 0:
+			// All of these must have been escaped
+			out_end = p;
+			goto FIN;
+
+		default:
+			// Character is what it is
+			output += input[p];
+			if(input[p] == ' ')
+				space_count++;
+			else
+				space_count = 0;
+			p++;
+		}
+	}
+
+	out_end = input.size();
+
+ FIN:
+	out_end -= space_count;
+	output.resize(output.size() - space_count);
+
+	return output;
+}
+
+static std::pair<std::string, std::string> splitPair(std::string const& input, char c) {
+	int p = input.find_first_of(c);
+	if(p == input.npos) {
+		throw std::runtime_error("splitPair");
+	}
+	return std::make_pair(input.substr(0, p), input.substr(p+1, input.size()));
+}
+
+static int abbrevToNID(std::string const& sn) {
+	int nid = NID_undef;
+
+	if (sn == "C" || sn == "CN" || sn == "L" || sn == "ST" || sn == "O" || sn == "OU")
+		nid = OBJ_sn2nid(sn.c_str());
+	if (nid == NID_undef)
+		throw std::runtime_error("abbrevToNID");
+
+	return nid;
+}
+
+void FDBLibTLSPolicy::parse_verify(std::string input) {
+	int s = 0;
+
+	while (s < input.size()) {
+		int eq = input.find('=', s);
+
+		if (eq == input.npos)
+			throw std::runtime_error("parse_verify");
+
+		std::string term = input.substr(s, eq - s);
+
+		if (term.find("Check.") == 0) {
+			if (eq + 2 > input.size())
+				throw std::runtime_error("parse_verify");
+			if (eq + 2 != input.size() && input[eq + 2] != ',')
+				throw std::runtime_error("parse_verify");
+
+			bool* flag;
+
+			if (term == "Check.Valid")
+				flag = &verify_cert;
+			else if (term == "Check.Unexpired")
+				flag = &verify_time;
+			else
+				throw std::runtime_error("parse_verify");
+
+			if (input[eq + 1] == '0')
+				*flag = false;
+			else if (input[eq + 1] == '1')
+				*flag = true;
+			else
+				throw std::runtime_error("parse_verify");
+
+			s = eq + 3;
+		} else {
+			std::map<int, std::string>* criteria = &subject_criteria;
+
+			if (term.find('.') != term.npos) {
+				auto scoped = splitPair(term, '.');
+
+				if (scoped.first == "S" || scoped.first == "Subject")
+					criteria = &subject_criteria;
+				else if (scoped.first == "I" || scoped.first == "Issuer")
+					criteria = &issuer_criteria;
+				else
+					throw std::runtime_error("parse_verify");
+
+				term = scoped.second;
+			}
+
+			int remain;
+			auto unesc = de4514(input, eq + 1, remain);
+
+			if (remain == eq + 1)
+				throw std::runtime_error("parse_verify");
+
+			criteria->insert(std::make_pair(abbrevToNID(term), unesc));
+
+			if (remain != input.size() && input[remain] != ',')
+				throw std::runtime_error("parse_verify");
+
+			s = remain + 1;
+		}
+	}
+}
+
+void FDBLibTLSPolicy::reset_verify() {
+        verify_cert = true;
+        verify_time = true;
+	subject_criteria = {};
+	issuer_criteria = {};
+}
+
+int password_cb(char *buf, int size, int rwflag, void *u) {
+	// A no-op password callback is provided simply to stop libcrypto
+	// from trying to use its own password reading functionality.
+	return 0;
+}
+
+bool FDBLibTLSPolicy::set_cert_data(const uint8_t* cert_data, int cert_len) {
+	struct stack_st_X509 *certs = NULL;
+	unsigned long errnum;
+	X509 *cert = NULL;
+	BIO *bio = NULL;
+	long data_len;
+	char *data;
+	bool rc = false;
+
+	// The cert data contains one or more PEM encoded certificates - the
+	// first certificate is for this host, with any additional certificates
+	// being the full certificate chain. As such, the last certificate
+	// is the trusted root certificate. If only one certificate is provided
+	// then it is required to be a self-signed certificate, which is also
+	// treated as the trusted root.
+
+	if (cert_data_set) {
+		logf("FDBLibTLSCertAlreadySet", NULL, true, NULL);
+		goto err;
+	}
+	if (session_created) {
+		logf("FDBLibTLSPolicyAlreadyActive", NULL, true, NULL);
+		goto err;
+	}
+
+	if ((certs = sk_X509_new_null()) == NULL) {
+		logf("FDBLibTLSOutOfMemory", NULL, true, NULL);
+		goto err;
+	}
+	if ((bio = BIO_new_mem_buf((void *)cert_data, cert_len)) == NULL) {
+		logf("FDBLibTLSOutOfMemory", NULL, true, NULL);
+		goto err;
+	}
+
+	ERR_clear_error();
+	while ((cert = PEM_read_bio_X509(bio, NULL, password_cb, NULL)) != NULL) {
+		if (!sk_X509_push(certs, cert)) {
+			logf("FDBLibTLSOutOfMemory", NULL, true, NULL);
+			goto err;
+		}
+	}
+
+	// Ensure that the NULL cert was caused by EOF and not some other failure.
+	errnum = ERR_peek_last_error();
+	if (ERR_GET_LIB(errnum) != ERR_LIB_PEM || ERR_GET_REASON(errnum) != PEM_R_NO_START_LINE) {
+		char errbuf[256];
+
+		ERR_error_string_n(errnum, errbuf, sizeof(errbuf));
+		logf("FDBLibTLSCertDataError", NULL, true, "LibcryptoErrorMessage", errbuf, NULL);
+		goto err;
+	}
+
+	if (sk_X509_num(certs) < 1) {
+		logf("FDBLibTLSNoCerts", NULL, true, NULL);
+		goto err;
+	}
+
+	BIO_free_all(bio);
+	if ((bio = BIO_new(BIO_s_mem())) == NULL) {
+		logf("FDBLibTLSOutOfMemory", NULL, true, NULL);
+		goto err;
+	}
+	if (!PEM_write_bio_X509(bio, sk_X509_value(certs, sk_X509_num(certs) - 1))) {
+		logf("FDBLibTLSCertWriteError", NULL, true, NULL);
+		goto err;
+	}
+	if ((data_len = BIO_get_mem_data(bio, &data)) <= 0) {
+		logf("FDBLibTLSCertError", NULL, true, NULL);
+		goto err;
+	}
+
+	if (tls_config_set_ca_mem(tls_cfg, (const uint8_t *)data, data_len) == -1) {
+		logf("FDBLibTLSSetCAError", NULL, true, "LibTLSErrorMessage", tls_config_error(tls_cfg), NULL);
+		goto err;
+	}
+
+	if (sk_X509_num(certs) > 1) {
+		BIO_free_all(bio);
+		if ((bio = BIO_new(BIO_s_mem())) == NULL) {
+			logf("FDBLibTLSOutOfMemory", NULL, true, NULL);
+			goto err;
+		}
+		for (int i = 0; i < sk_X509_num(certs) - 1; i++) {
+			if (!PEM_write_bio_X509(bio, sk_X509_value(certs, i))) {
+				logf("FDBLibTLSCertWriteError", NULL, true, NULL);
+				goto err;
+			}
+		}
+		if ((data_len = BIO_get_mem_data(bio, &data)) <= 0) {
+			logf("FDBLibTLSCertError", NULL, true, NULL);
+			goto err;
+		}
+	}
+
+	if (tls_config_set_cert_mem(tls_cfg, (const uint8_t *)data, data_len) == -1) {
+		logf("FDBLibTLSSetCertError", NULL, true, "LibTLSErrorMessage", tls_config_error(tls_cfg), NULL);
+		goto err;
+	}
+
+	rc = true;
+
+ err:
+	sk_X509_pop_free(certs, X509_free);
+	X509_free(cert);
+	BIO_free_all(bio);
+
+	return rc;
+}
+
+bool FDBLibTLSPolicy::set_key_data(const uint8_t* key_data, int key_len) {
+	if (key_data_set) {
+		logf("FDBLibTLSKeyAlreadySet", NULL, true, NULL);
+		return false;
+	}
+	if (session_created) {
+		logf("FDBLibTLSPolicyAlreadyActive", NULL, true, NULL);
+		return false;
+	}
+
+	if (tls_config_set_key_mem(tls_cfg, key_data, key_len) == -1) {
+		logf("FDBLibTLSKeyError", NULL, true, "LibTLSErrorMessage", tls_config_error(tls_cfg), NULL);
+		return false;
+	}
+
+	key_data_set = true;
+
+	return true;
+}
+
+bool FDBLibTLSPolicy::set_verify_peers(const uint8_t* verify_peers, int verify_peers_len) {
+	if (verify_peers_set) {
+		logf("FDBLibTLSVerifyPeersAlreadySet", NULL, true, NULL);
+		return false;
+	}
+	if (session_created) {
+		logf("FDBLibTLSPolicyAlreadyActive", NULL, true, NULL);
+		return false;
+	}
+
+	try {
+		parse_verify(std::string((const char*)verify_peers, verify_peers_len));
+	} catch ( const std::runtime_error& e ) {
+		reset_verify();
+		logf("FDBLibTLSVerifyPeersParseError", NULL, true, "Config", verify_peers, NULL);
+		return false;
+	}
+
+	if (!verify_cert)
+		tls_config_insecure_noverifycert(tls_cfg);
+
+	if (!verify_time)
+		tls_config_insecure_noverifytime(tls_cfg);
+
+	verify_peers_set = true;
+
+	return true;
+}
--- a/FDBLibTLS/FDBLibTLSPolicy.h
+++ b/FDBLibTLS/FDBLibTLSPolicy.h
@ -0,0 +1,49 @@
+// Apple Proprietary and Confidential Information
+
+#ifndef FDB_LIBTLS_POLICY_H
+#define FDB_LIBTLS_POLICY_H
+
+#pragma once
+
+#include "FDBLibTLSPlugin.h"
+#include "ITLSPlugin.h"
+#include "ReferenceCounted.h"
+
+#include <map>
+#include <string>
+
+struct FDBLibTLSPolicy: ITLSPolicy, ReferenceCounted<FDBLibTLSPolicy> {
+	FDBLibTLSPolicy(Reference<FDBLibTLSPlugin> plugin, ITLSLogFunc logf);
+	virtual ~FDBLibTLSPolicy();
+
+	virtual void addref() { ReferenceCounted<FDBLibTLSPolicy>::addref(); }
+	virtual void delref() { ReferenceCounted<FDBLibTLSPolicy>::delref(); }
+
+	Reference<FDBLibTLSPlugin> plugin;
+	ITLSLogFunc logf;
+
+	virtual ITLSSession* create_session(bool is_client, TLSSendCallbackFunc send_func, void* send_ctx, TLSRecvCallbackFunc recv_func, void* recv_ctx, void* uid);
+
+	void parse_verify(std::string input);
+	void reset_verify(void);
+
+	virtual bool set_cert_data(const uint8_t* cert_data, int cert_len);
+	virtual bool set_key_data(const uint8_t* key_data, int key_len);
+	virtual bool set_verify_peers(const uint8_t* verify_peers, int verify_peers_len);
+
+	struct tls_config *tls_cfg;
+
+	bool session_created;
+
+	bool cert_data_set;
+	bool key_data_set;
+	bool verify_peers_set;
+
+        bool verify_cert;
+        bool verify_time;
+
+	std::map<int, std::string> subject_criteria;
+	std::map<int, std::string> issuer_criteria;
+};
+
+#endif /* FDB_LIBTLS_POLICY_H */
--- a/FDBLibTLS/FDBLibTLSSession.cpp
+++ b/FDBLibTLS/FDBLibTLSSession.cpp
@ -0,0 +1,257 @@
+// Apple Proprietary and Confidential Information
+
+#include "FDBLibTLSSession.h"
+
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+#include <exception>
+#include <iostream>
+
+#include <string.h>
+#include <limits.h>
+
+static ssize_t tls_read_func(struct tls *ctx, void *buf, size_t buflen, void *cb_arg)
+{
+	FDBLibTLSSession *session = (FDBLibTLSSession *)cb_arg;
+
+	int rv = session->recv_func(session->recv_ctx, (uint8_t *)buf, buflen);
+	if (rv < 0)
+		return 0;
+	if (rv == 0)
+		return TLS_WANT_POLLIN;
+	return (ssize_t)rv;
+}
+
+static ssize_t tls_write_func(struct tls *ctx, const void *buf, size_t buflen, void *cb_arg)
+{
+	FDBLibTLSSession *session = (FDBLibTLSSession *)cb_arg;
+
+	int rv = session->send_func(session->send_ctx, (const uint8_t *)buf, buflen);
+	if (rv < 0)
+		return 0;
+	if (rv == 0)
+		return TLS_WANT_POLLOUT;
+	return (ssize_t)rv;
+}
+
+FDBLibTLSSession::FDBLibTLSSession(Reference<FDBLibTLSPolicy> policy, bool is_client, TLSSendCallbackFunc send_func, void* send_ctx, TLSRecvCallbackFunc recv_func, void* recv_ctx, void* uid) :
+	tls_ctx(NULL), tls_sctx(NULL), policy(policy), send_func(send_func), send_ctx(send_ctx), recv_func(recv_func), recv_ctx(recv_ctx), handshake_completed(false), uid(uid) {
+
+	if (is_client) {
+		if ((tls_ctx = tls_client()) == NULL) {
+			policy->logf("FDBLibTLSClientError", uid, true, NULL);
+			throw std::runtime_error("FDBLibTLSClientError");
+		}
+		if (tls_configure(tls_ctx, policy->tls_cfg) == -1) {
+			policy->logf("FDBLibTLSConfigureError", uid, true, "LibTLSErrorMessage", tls_error(tls_ctx), NULL);
+			tls_free(tls_ctx);
+			throw std::runtime_error("FDBLibTLSConfigureError");
+		}
+		if (tls_connect_cbs(tls_ctx, tls_read_func, tls_write_func, this, NULL) == -1) {
+			policy->logf("FDBLibTLSConnectError", uid, true, "LibTLSErrorMessage", tls_error(tls_ctx), NULL);
+			tls_free(tls_ctx);
+			throw std::runtime_error("FDBLibTLSConnectError");
+		}
+	} else {
+		if ((tls_sctx = tls_server()) == NULL) {
+			policy->logf("FDBLibTLSServerError", uid, true, NULL);
+			throw std::runtime_error("FDBLibTLSServerError");
+		}
+		if (tls_configure(tls_sctx, policy->tls_cfg) == -1) {
+			policy->logf("FDBLibTLSConfigureError", uid, true, "LibTLSErrorMessage", tls_error(tls_sctx), NULL);
+			tls_free(tls_sctx);
+			throw std::runtime_error("FDBLibTLSConfigureError");
+		}
+		if (tls_accept_cbs(tls_sctx, &tls_ctx, tls_read_func, tls_write_func, this) == -1) {
+			policy->logf("FDBLibTLSAcceptError", uid, true, "LibTLSErrorMessage", tls_error(tls_sctx), NULL);
+			tls_free(tls_sctx);
+			throw std::runtime_error("FDBLibTLSAcceptError");
+		}
+	}
+}
+
+FDBLibTLSSession::~FDBLibTLSSession() {
+	// This would ideally call tls_close(), however that means either looping
+	// in a destructor or doing it opportunistically...
+	tls_free(tls_ctx);
+	tls_free(tls_sctx);
+}
+
+int password_cb(char *buf, int size, int rwflag, void *u);
+
+bool match_criteria(X509_NAME *name, int nid, const char *value, size_t len) {
+	unsigned char *name_entry_utf8 = NULL, *criteria_utf8 = NULL;
+	int name_entry_utf8_len, criteria_utf8_len;
+	ASN1_STRING *criteria = NULL;
+	X509_NAME_ENTRY *name_entry;
+	BIO *bio;
+	bool rc = false;
+	int idx;
+
+	if ((criteria = ASN1_IA5STRING_new()) == NULL)
+		goto err;
+	if (ASN1_STRING_set(criteria, value, len) != 1)
+		goto err;
+
+	// If name does not exist, or has multiple of this RDN, refuse to proceed.
+	if ((idx = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
+		goto err;
+	if (X509_NAME_get_index_by_NID(name, nid, idx) != -1)
+		goto err;
+	if ((name_entry = X509_NAME_get_entry(name, idx)) == NULL)
+		goto err;
+
+	// Convert both to UTF8 and compare.
+	if ((criteria_utf8_len = ASN1_STRING_to_UTF8(&criteria_utf8, criteria)) < 1)
+		goto err;
+	if ((name_entry_utf8_len = ASN1_STRING_to_UTF8(&name_entry_utf8, name_entry->value)) < 1)
+		goto err;
+	if (criteria_utf8_len == name_entry_utf8_len &&
+	    memcmp(criteria_utf8, name_entry_utf8, criteria_utf8_len) == 0)
+		rc = true;
+
+ err:
+	ASN1_STRING_free(criteria);
+	free(criteria_utf8);
+	free(name_entry_utf8);
+
+	return rc;
+}
+
+bool FDBLibTLSSession::check_criteria() {
+	X509_NAME *subject, *issuer;
+	const uint8_t *cert_pem;
+	size_t cert_pem_len;
+	X509 *cert = NULL;
+	BIO *bio = NULL;
+	bool rc = false;
+
+	// If certificate verification is disabled, there's nothing more to do.
+	if (!policy->verify_cert)
+		return true;
+
+	// If no criteria have been specified, then we're done.
+	if (policy->subject_criteria.size() == 0 && policy->issuer_criteria.size() == 0)
+		return true;
+
+	if ((cert_pem = tls_peer_cert_chain_pem(tls_ctx, &cert_pem_len)) == NULL) {
+		policy->logf("FDBLibTLSNoCertError", uid, true, NULL);
+		goto err;
+	}
+	if ((bio = BIO_new_mem_buf((void *)cert_pem, cert_pem_len)) == NULL) {
+		policy->logf("FDBLibTLSOutOfMemory", NULL, true, NULL);
+		goto err;
+	}
+	if ((cert = PEM_read_bio_X509(bio, NULL, password_cb, NULL)) == NULL) {
+		policy->logf("FDBLibTLSCertPEMError", uid, true, NULL);
+		goto err;
+	}
+
+	// Check subject criteria.
+	if ((subject = X509_get_subject_name(cert)) == NULL) {
+		policy->logf("FDBLibTLSCertSubjectError", uid, true, NULL);
+		goto err;
+	}
+	for (auto &pair: policy->subject_criteria) {
+		if (!match_criteria(subject, pair.first, pair.second.c_str(), pair.second.size())) {
+			policy->logf("FDBLibTLSCertSubjectMatchFailure", uid, true, NULL);
+			goto err;
+		}
+        }
+
+	// Check issuer criteria.
+	if ((issuer = X509_get_issuer_name(cert)) == NULL) {
+		policy->logf("FDBLibTLSCertIssuerError", uid, true, NULL);
+		goto err;
+	}
+	for (auto &pair: policy->issuer_criteria) {
+		if (!match_criteria(issuer, pair.first, pair.second.c_str(), pair.second.size())) {
+			policy->logf("FDBLibTLSCertIssuerMatchFailure", uid, true, NULL);
+			goto err;
+		}
+        }
+
+	// If we got this far, everything checked out...
+	rc = true;
+
+ err:
+	BIO_free_all(bio);
+	X509_free(cert);
+
+	return rc;
+}
+
+int FDBLibTLSSession::handshake() {
+	int rv = tls_handshake(tls_ctx);
+
+	switch (rv) {
+	case 0:
+		if (!check_criteria())
+			return FAILED;
+		handshake_completed = true;
+		return SUCCESS;
+	case TLS_WANT_POLLIN:
+		return WANT_READ;
+	case TLS_WANT_POLLOUT:
+		return WANT_WRITE;
+	default:
+		policy->logf("FDBLibTLSHandshakeError", uid, false, "LibTLSErrorMessage", tls_error(tls_ctx), NULL);
+		return FAILED;
+	}
+}
+
+int FDBLibTLSSession::read(uint8_t* data, int length) {
+	if (!handshake_completed) {
+		policy->logf("FDBLibTLSReadHandshakeError", uid, true, NULL);
+		return FAILED;
+	}
+
+	ssize_t n = tls_read(tls_ctx, data, length);
+	if (n > 0) {
+		if (n > INT_MAX) {
+			policy->logf("FDBLibTLSReadOverflow", uid, true, NULL);
+			return FAILED;
+		}
+		return (int)n;
+	}
+	if (n == 0) {
+		policy->logf("FDBLibTLSReadEOF", uid, false, NULL);
+		return FAILED;
+	}
+	if (n == TLS_WANT_POLLIN)
+		return WANT_READ;
+	if (n == TLS_WANT_POLLOUT)
+		return WANT_WRITE;
+
+	policy->logf("FDBLibTLSReadError", uid, false, "LibTLSErrorMessage", tls_error(tls_ctx), NULL);
+	return FAILED;
+}
+
+int FDBLibTLSSession::write(const uint8_t* data, int length) {
+	if (!handshake_completed) {
+		policy->logf("FDBLibTLSWriteHandshakeError", uid, true, NULL);
+		return FAILED;
+	}
+
+	ssize_t n = tls_write(tls_ctx, data, length);
+	if (n > 0) {
+		if (n > INT_MAX) {
+			policy->logf("FDBLibTLSWriteOverflow", uid, true, NULL);
+			return FAILED;
+		}
+		return (int)n;
+	}
+	if (n == 0) {
+		policy->logf("FDBLibTLSWriteEOF", uid, false, NULL);
+		return FAILED;
+	}
+	if (n == TLS_WANT_POLLIN)
+		return WANT_READ;
+	if (n == TLS_WANT_POLLOUT)
+		return WANT_WRITE;
+
+	policy->logf("FDBLibTLSWriteError", uid, false, "LibTLSErrorMessage", tls_error(tls_ctx), NULL);
+	return FAILED;
+}
--- a/FDBLibTLS/FDBLibTLSSession.h
+++ b/FDBLibTLS/FDBLibTLSSession.h
@ -0,0 +1,43 @@
+// Apple Proprietary and Confidential Information
+
+#ifndef FDB_LIBTLS_SESSION_H
+#define FDB_LIBTLS_SESSION_H
+
+#pragma once
+
+#include "ITLSPlugin.h"
+#include "ReferenceCounted.h"
+
+#include "FDBLibTLSPolicy.h"
+
+#include <tls.h>
+
+struct FDBLibTLSSession : ITLSSession, ReferenceCounted<FDBLibTLSSession> {
+	FDBLibTLSSession(Reference<FDBLibTLSPolicy> policy, bool is_client, TLSSendCallbackFunc send_func, void* send_ctx, TLSRecvCallbackFunc recv_func, void* recv_ctx, void* uid);
+	virtual ~FDBLibTLSSession();
+
+	virtual void addref() { ReferenceCounted<FDBLibTLSSession>::addref(); }
+	virtual void delref() { ReferenceCounted<FDBLibTLSSession>::delref(); }
+
+	bool check_criteria();
+
+	virtual int handshake();
+	virtual int read(uint8_t* data, int length);
+	virtual int write(const uint8_t* data, int length);
+
+	Reference<FDBLibTLSPolicy> policy;
+
+	struct tls *tls_ctx;
+	struct tls *tls_sctx;
+
+	TLSSendCallbackFunc send_func;
+	void* send_ctx;
+	TLSRecvCallbackFunc recv_func;
+	void* recv_ctx;
+
+	bool handshake_completed;
+
+	void* uid;
+};
+
+#endif /* FDB_LIBTLS_SESSION_H */
--- a/FDBLibTLS/ITLSPlugin.h
+++ b/FDBLibTLS/ITLSPlugin.h
@ -0,0 +1,122 @@
+// Apple Proprietary and Confidential Information
+
+#ifndef FDB_ITLSPLUGIN_H
+#define FDB_ITLSPLUGIN_H
+
+#pragma once
+
+#include <stdint.h>
+
+struct ITLSSession {
+	enum { SUCCESS = 0, WANT_READ = -1, WANT_WRITE = -2, FAILED = -3 };
+
+	virtual void addref() = 0;
+	virtual void delref() = 0;
+
+	// handshake should return SUCCESS if the handshake is complete,
+	// FAILED on fatal error, or one of WANT_READ or WANT_WRITE if the
+	// handshake should be reattempted after more data can be
+	// read/written on the underlying connection.
+	virtual int handshake() = 0;
+
+	// read should return the (non-zero) number of bytes read,
+	// WANT_READ or WANT_WRITE if the operation is blocked by the
+	// underlying stream, or FAILED if there is an error (including a
+	// closed connection).
+	virtual int read(uint8_t* data, int length) = 0;
+
+	// write should return the (non-zero) number of bytes written, or
+	// WANT_READ or WANT_WRITE if the operation is blocked by the
+	// underlying stream, or FAILED if there is an error.
+	virtual int write(const uint8_t* data, int length) = 0;
+};
+
+// Returns the number of bytes sent (possibly 0), or -1 on error
+// (including connection close)
+typedef int (*TLSSendCallbackFunc)(void* ctx, const uint8_t* buf, int len);
+
+// Returns the number of bytes read (possibly 0), or -1 on error
+// (including connection close)
+typedef int (*TLSRecvCallbackFunc)(void* ctx, uint8_t* buf, int len);
+
+struct ITLSPolicy {
+	virtual void addref() = 0;
+	virtual void delref() = 0;
+
+	// set_cert_data should import the provided certificate list and
+	// associate it with this policy. cert_data will point to a PEM
+	// encoded certificate list, ordered such that each certificate
+	// certifies the one before it.
+	//
+	// cert_data may additionally contain key information, which must
+	// be ignored.
+	//
+	// set_cert_data should return true if the operation succeeded,
+	// and false otherwise. After the first call to create_session for
+	// a given policy, set_cert_data should immediately return false
+	// if called.
+	virtual bool set_cert_data(const uint8_t* cert_data, int cert_len) = 0;
+
+	// set_key_data should import the provided private key and
+	// associate it with this policy. key_data will point to a PEM
+	// encoded key.
+	//
+	// key_data may additionally contain certificate information,
+	// which must be ignored.
+	//
+	// set_key_data should return true if the operation succeeded, and
+	// false otherwise. After the first call to create_session for a
+	// given policy, set_key_data should immediately return false if
+	// called.
+	virtual bool set_key_data(const uint8_t* key_data, int key_len) = 0;
+
+	// set_verify_peers should modify the validation rules for
+	// verifying a peer during connection handshake. The format of
+	// verify_peers is implementation specific.
+	//
+	// set_verify_peers should return true if the operation succeed,
+	// and false otherwise. After the first call to create_session for
+	// a given policy, set_verify_peers should immediately return
+	// false if called.
+	virtual bool set_verify_peers(const uint8_t* verify_peers, int verify_peers_len) = 0;
+
+	// create_session should return a new object that implements
+	// ITLSSession, associated with this policy. After the first call
+	// to create_session for a given policy, further calls to
+	// ITLSPolicy::set_* will fail and return false.
+	//
+	// The newly created session should use send_func and recv_func to
+	// send and receive data on the underlying transport, and must
+	// provide send_ctx/recv_ctx to the callbacks.
+	//
+	// uid should only be provided when invoking an ITLSLogFunc, which
+	// will use it to identify this session.
+	virtual ITLSSession* create_session(bool is_client, TLSSendCallbackFunc send_func, void* send_ctx, TLSRecvCallbackFunc recv_func, void* recv_ctx, void* uid ) = 0;
+};
+
+// Logs a message/error to the appropriate trace log.
+//
+// event must be a valid XML attribute value. uid may be NULL or the
+// uid provided to ITLSPolicy::create_session by the caller. is_error
+// should be true for errors and false for informational messages. The
+// remaining arguments must be pairs of (const char*); the first of
+// each pair must be a valid XML attribute name, and the second a
+// valid XML attribute value. The final parameter must be NULL.
+typedef void (*ITLSLogFunc)(const char* event, void* uid, bool is_error, ...);
+
+struct ITLSPlugin {
+	virtual void addref() = 0;
+	virtual void delref() = 0;
+
+	// create_policy should return a new object that implements
+	// ITLSPolicy.
+	//
+	// The newly created policy, and any session further created from
+	// the policy, should use logf to log any messages or errors that
+	// occur.
+	virtual ITLSPolicy* create_policy( ITLSLogFunc logf ) = 0;
+
+	static inline const char* get_plugin_type_name_and_version() { return "ITLSPlugin"; }
+};
+
+#endif /* FDB_ITLSPLUGIN_H */
--- a/FDBLibTLS/Makefile
+++ b/FDBLibTLS/Makefile
@ -0,0 +1,109 @@
+PROJECTPATH = $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
+PLUGINPATH = $(PROJECTPATH)/$(PLUGIN)
+
+CFLAGS ?= -O2 -g
+
+CXXFLAGS ?= -std=c++0x
+
+CFLAGS += -I/usr/local/include
+LDFLAGS += -L/usr/local/lib
+
+LIBS += -ltls -lssl -lcrypto
+
+PLATFORM := $(shell uname)
+ifneq ($(PLATFORM),Darwin)
+	PLATFORM := $(shell uname -o)
+endif
+
+ifeq ($(PLATFORM),Cygwin)
+	HOST := x86_64-w64-mingw32
+	CC := $(HOST)-gcc
+	CXX := $(HOST)-g++
+	STRIP := $(HOST)-strip --strip-all
+
+	DYEXT = dll
+	PLUGINPATH = $(PLUGIN)
+
+	LIBS += -static-libstdc++ -static-libgcc
+	LIBS += -lws2_32
+
+	LINK_LDFLAGS = -shared
+	LINK_LDFLAGS += -Wl,-soname,$(PLUGIN)
+	LINK_LDFLAGS += -Wl,--version-script=FDBLibTLS.map
+	LINK_LDFLAGS += -Wl,-Bstatic $(LIBS) -Wl,-Bdynamic
+
+else ifeq ($(PLATFORM),Darwin)
+	CC := clang
+	CXX := clang++
+	STRIP := strip -S -x
+
+	CFLAGS += -fPIC
+
+	DYEXT = dylib
+
+	vpath %.a /usr/local/lib
+	.LIBPATTERNS = lib%.a lib%.dylib lib%.so
+
+	LINK_LDFLAGS = -shared
+	LINK_LDFLAGS += -Wl,-exported_symbols_list,FDBLibTLS.symbols
+	LINK_LDFLAGS += -Wl,-dylib_install_name,$(PLUGIN)
+	LINK_LDFLAGS += $(LIBS)
+
+else ifeq ($(PLATFORM),GNU/Linux)
+	CC := clang
+	CXX := clang++
+	STRIP := strip --strip-all
+
+	CFLAGS += -fPIC
+	DYEXT = so
+
+	LIBS += -static-libstdc++ -static-libgcc -lrt
+
+	LINK_LDFLAGS = -shared
+	LINK_LDFLAGS += -Wl,-soname,$(PLUGIN)
+	LINK_LDFLAGS += -Wl,--version-script=FDBLibTLS.map
+	LINK_LDFLAGS += -Wl,-Bstatic $(LIBS) -Wl,-Bdynamic
+
+else
+$(error Unknown platform $(PLATFORM))
+endif
+
+PLUGIN := FDBLibTLS.$(DYEXT)
+OBJECTS := FDBLibTLSPlugin.o FDBLibTLSPolicy.o FDBLibTLSSession.o
+LINKLINE := $(CXXFLAGS) $(CFLAGS) $(LDFLAGS) $(OBJECTS) $(LINK_LDFLAGS) -o $(PLUGIN)
+
+all: $(PLUGIN)
+
+build-depends-linux:
+	apt install clang make libboost-dev
+
+clean:
+	@rm -f *.o *.d $(PLUGIN) plugin-test verify-test
+	@rm -rf *.dSYM
+
+DEPS := $(patsubst %.o,%.d,$(OBJECTS))
+-include $(DEPS)
+
+$(OBJECTS): %.o: %.cpp Makefile
+	@echo "Compiling $<"
+	@$(CXX) $(CXXFLAGS) $(CFLAGS) $(INCLUDES) -c $< -o $@ -MD -MP
+
+$(PLUGIN): $(OBJECTS) Makefile
+	@echo "Linking   $@"
+	@$(CXX) $(LINKLINE)
+	@echo "Stripping $@"
+	@$(STRIP) $@
+
+test: test-plugin test-verify
+
+test-plugin: plugin-test.cpp $(PLUGIN) Makefile
+	@echo "Compiling plugin-test"
+	@$(CXX) $(CXXFLAGS) $(CFLAGS) plugin-test.cpp -ldl -o plugin-test
+	@echo "Running   plugin-test..."
+	@$(PROJECTPATH)/plugin-test $(PLUGINPATH)
+
+test-verify: verify-test.cpp $(OBJECTS) Makefile
+	@echo "Compiling verify-test"
+	@$(CXX) $(CXXFLAGS) $(CFLAGS) $(LDFLAGS) $(OBJECTS) verify-test.cpp $(LIBS) -o verify-test
+	@echo "Running   verify-test..."
+	@$(PROJECTPATH)/verify-test
--- a/FDBLibTLS/ReferenceCounted.h
+++ b/FDBLibTLS/ReferenceCounted.h
@ -0,0 +1,90 @@
+// Apple Proprietary and Confidential Information
+
+#ifndef FDB_REFERENCE_COUNTED_H
+#define FDB_REFERENCE_COUNTED_H
+
+#pragma once
+
+#include <stdlib.h>
+
+template <class T>
+struct ReferenceCounted {
+	void addref() { ++referenceCount; }
+	void delref() { if (--referenceCount == 0) { delete (T*)this; } }
+
+	ReferenceCounted() : referenceCount(1) {}
+
+private:
+	ReferenceCounted(const ReferenceCounted&) = delete;
+	void operator=(const ReferenceCounted&) = delete;
+	int32_t referenceCount;
+};
+
+template <class P>
+void addref(P* ptr) { ptr->addref(); }
+template <class P>
+void delref(P* ptr) { ptr->delref(); }
+
+template <class P>
+struct Reference {
+	Reference() : ptr(NULL) {}
+	explicit Reference( P* ptr ) : ptr(ptr) {}
+	static Reference<P> addRef( P* ptr ) { ptr->addref(); return Reference(ptr); }
+
+	Reference(const Reference& r) : ptr(r.getPtr()) { if (ptr) addref(ptr); }
+	Reference(Reference && r) : ptr(r.getPtr()) { r.ptr = NULL; }
+
+	template <class Q>
+	Reference(const Reference<Q>& r) : ptr(r.getPtr()) { if (ptr) addref(ptr); }
+	template <class Q>
+	Reference(Reference<Q> && r) : ptr(r.getPtr()) { r.setPtrUnsafe(NULL); }
+
+	~Reference() { if (ptr) delref(ptr); }
+	Reference& operator=(const Reference& r) {
+		P* oldPtr = ptr;
+		P* newPtr = r.ptr;
+		if (oldPtr != newPtr) {
+			if (newPtr) addref(newPtr);
+			ptr = newPtr;
+			if (oldPtr) delref(oldPtr);
+		}
+		return *this;
+	}
+	Reference& operator=(Reference&& r) {
+		P* oldPtr = ptr;
+		P* newPtr = r.ptr;
+		if (oldPtr != newPtr) {
+			r.ptr = NULL;
+			ptr = newPtr;
+			if (oldPtr) delref(oldPtr);
+		}
+		return *this;
+	}
+
+	void clear() {
+		P* oldPtr = ptr;
+		if (oldPtr) {
+			ptr = NULL;
+			delref(oldPtr);
+		}
+	}
+
+	P* operator->() const { return ptr; }
+	P& operator*() const { return *ptr; }
+	P* getPtr() const { return ptr; }
+
+	void setPtrUnsafe( P* p ) { ptr = p; }
+
+	P* extractPtr() { auto *p = ptr; ptr = NULL; return p; }
+
+	bool boolean_test() const { return ptr != 0; }
+private:
+	P *ptr;
+};
+
+template <class P> 
+bool operator==( const Reference<P>& lhs, const Reference<P>& rhs ) {
+	return lhs.getPtr() == rhs.getPtr();
+}
+
+#endif /* FDB_REFERENCE_COUNTED_H */
--- a/FDBLibTLS/local.mk
+++ b/FDBLibTLS/local.mk
@ -0,0 +1,11 @@
+FDBLibTLS_CFLAGS := -fPIC -I/usr/local/include -I$(BOOSTDIR)
+FDBLibTLS_STATIC_LIBS := -ltls -lssl -lcrypto
+FDBLibTLS_LDFLAGS := -L/usr/local/lib -static-libstdc++ -static-libgcc -lrt
+FDBLibTLS_LDFLAGS += -Wl,-soname,FDBLibTLS.so -Wl,--version-script=FDBLibTLS/FDBLibTLS.map
+
+# The plugin isn't a typical library, so it feels more sensible to have a copy
+# of it in bin/.
+bin/FDBLibTLS.$(DLEXT): lib/libFDBLibTLS.$(DLEXT)
+	@cp $< $@
+
+TARGETS += bin/FDBLibTLS.$(DLEXT)
--- a/FDBLibTLS/plugin-test.cpp
+++ b/FDBLibTLS/plugin-test.cpp
@ -0,0 +1,565 @@
+#include <exception>
+#include <fstream>
+#include <iostream>
+#include <sstream>
+#include <string>
+#include <vector>
+
+#include <stdarg.h>
+#include <dlfcn.h>
+
+#include <boost/circular_buffer.hpp>
+
+#include "ITLSPlugin.h"
+#include "ReferenceCounted.h"
+
+#include "FDBLibTLSPlugin.h"
+
+#define TESTDATA "./testdata/"
+
+static std::string load_file(std::string path)
+{
+	std::ifstream fs(path);
+	std::stringstream ss;
+
+	ss << fs.rdbuf();
+	fs.close();
+
+	return ss.str();
+}
+
+struct FDBLibTLSClientServerTest {
+	FDBLibTLSClientServerTest(bool client_success, bool server_success, std::string client_path, std::string server_path, std::string client_verify, std::string server_verify):
+		client_success(client_success), server_success(server_success), client_verify(client_verify), server_verify(server_verify) {
+		client_data = load_file(TESTDATA + client_path);
+		server_data = load_file(TESTDATA + server_path);
+	}
+	~FDBLibTLSClientServerTest() {}
+
+	bool client_success;
+	bool server_success;
+
+	std::string client_data;
+	std::string client_verify;
+	std::string server_data;
+	std::string server_verify;
+};
+
+struct FDBLibTLSPluginTest {
+        FDBLibTLSPluginTest(Reference<ITLSPlugin> plugin, ITLSLogFunc logf);
+        ~FDBLibTLSPluginTest();
+
+        Reference<ITLSPlugin> plugin;
+        ITLSLogFunc logf;
+
+	boost::circular_buffer<uint8_t> client_buffer;
+	boost::circular_buffer<uint8_t> server_buffer;
+
+	int circular_read(boost::circular_buffer<uint8_t> *cb, uint8_t* buf, int len);
+	int circular_write(boost::circular_buffer<uint8_t> *cb, const uint8_t* buf, int len);
+	int client_read(uint8_t* buf, int len);
+	int client_write(const uint8_t* buf, int len);
+	int server_read(uint8_t* buf, int len);
+	int server_write(const uint8_t* buf, int len);
+
+	Reference<ITLSPolicy> create_policy(void);
+	Reference<ITLSSession> create_client_session(Reference<ITLSPolicy> policy);
+	Reference<ITLSSession> create_server_session(Reference<ITLSPolicy> policy);
+
+	void circular_reset(void);
+	void circular_self_test(void);
+
+	int client_server_test(FDBLibTLSClientServerTest const& cst);
+	int set_cert_data_test(void);
+};
+
+FDBLibTLSPluginTest::FDBLibTLSPluginTest(Reference<ITLSPlugin> plugin, ITLSLogFunc logf) :
+	plugin(plugin), logf(logf)
+{
+	circular_reset();
+	circular_self_test();
+}
+
+FDBLibTLSPluginTest::~FDBLibTLSPluginTest()
+{
+}
+
+int FDBLibTLSPluginTest::circular_read(boost::circular_buffer<uint8_t> *cb, uint8_t* buf, int len)
+{
+	int n = 0;
+
+	for (n = 0; n < len; n++) {
+		if (cb->empty())
+			break;
+		buf[n] = (*cb)[0];
+		cb->pop_front();
+	}
+
+	return n;
+}
+
+int FDBLibTLSPluginTest::circular_write(boost::circular_buffer<uint8_t> *cb, const uint8_t* buf, int len)
+{
+	int n = 0;
+
+	for (n = 0; n < len; n++) {
+		if (cb->full())
+			break;
+		cb->push_back(buf[n]);
+	}
+
+	return n;
+}
+
+int FDBLibTLSPluginTest::client_read(uint8_t* buf, int len)
+{
+	// Read bytes from the server from the client's buffer.
+	return circular_read(&client_buffer, buf, len);
+}
+
+int FDBLibTLSPluginTest::client_write(const uint8_t* buf, int len)
+{
+	// Write bytes from the client into the server's buffer.
+	return circular_write(&server_buffer, buf, len);
+}
+
+int FDBLibTLSPluginTest::server_read(uint8_t* buf, int len)
+{
+	// Read bytes from the client from the server's buffer.
+	return circular_read(&server_buffer, buf, len);
+}
+
+int FDBLibTLSPluginTest::server_write(const uint8_t* buf, int len)
+{
+	// Write bytes from the server into the client's buffer.
+	return circular_write(&client_buffer, buf, len);
+}
+
+void FDBLibTLSPluginTest::circular_reset()
+{
+	client_buffer = boost::circular_buffer<uint8_t>(1024);
+	server_buffer = boost::circular_buffer<uint8_t>(1024);
+}
+
+void FDBLibTLSPluginTest::circular_self_test()
+{
+	uint8_t buf[1024] = {1, 2, 3};
+
+	std::cerr << "INFO: running circular buffer self tests...\n";
+
+	assert(server_read(buf, 3) == 0);
+
+	buf[0] = 1, buf[1] = 2, buf[2] = 3;
+	assert(client_write(buf, 2) == 2);
+
+	buf[0] = buf[1] = buf[2] = 255;
+	assert(server_read(buf, 3) == 2);
+	assert(buf[0] == 1 && buf[1] == 2 && buf[2] == 255);
+
+	assert(client_write(buf, 1024) == 1024);
+	assert(client_write(buf, 1) == 0);
+	assert(server_read(buf, 1) == 1);
+	assert(client_write(buf, 1) == 1);
+	assert(client_write(buf, 1) == 0);
+	assert(server_read(buf, 1024) == 1024);
+	assert(server_read(buf, 1024) == 0);
+
+	assert(client_read(buf, 3) == 0);
+
+	buf[0] = 1, buf[1] = 2, buf[2] = 3;
+	assert(server_write(buf, 2) == 2);
+
+	buf[0] = buf[1] = buf[2] = 255;
+	assert(client_read(buf, 3) == 2);
+	assert(buf[0] == 1 && buf[1] == 2 && buf[2] == 255);
+
+	assert(server_write(buf, 1024) == 1024);
+	assert(server_write(buf, 1) == 0);
+	assert(client_read(buf, 1) == 1);
+	assert(server_write(buf, 1) == 1);
+	assert(server_write(buf, 1) == 0);
+	assert(client_read(buf, 1024) == 1024);
+	assert(client_read(buf, 1024) == 0);
+}
+
+Reference<ITLSPolicy> FDBLibTLSPluginTest::create_policy(void)
+{
+	return Reference<ITLSPolicy>(plugin->create_policy((ITLSLogFunc)logf));
+}
+
+static int client_send_func(void* ctx, const uint8_t* buf, int len) {
+	FDBLibTLSPluginTest *pt = (FDBLibTLSPluginTest *)ctx;
+	try {
+		return pt->client_write(buf, len);
+	} catch ( const std::runtime_error& e ) {
+		return -1;
+	}
+}
+
+static int client_recv_func(void* ctx, uint8_t* buf, int len) {
+	FDBLibTLSPluginTest *pt = (FDBLibTLSPluginTest *)ctx;
+	try {
+		return pt->client_read(buf, len);
+	} catch ( const std::runtime_error& e ) {
+		return -1;
+	}
+}
+
+Reference<ITLSSession> FDBLibTLSPluginTest::create_client_session(Reference<ITLSPolicy> policy)
+{
+	return Reference<ITLSSession>(policy->create_session(true, client_send_func, this, client_recv_func, this, NULL));
+}
+
+static int server_send_func(void* ctx, const uint8_t* buf, int len) {
+	FDBLibTLSPluginTest *pt = (FDBLibTLSPluginTest *)ctx;
+	try {
+		return pt->server_write(buf, len);
+	} catch ( const std::runtime_error& e ) {
+		return -1;
+	}
+}
+
+static int server_recv_func(void* ctx, uint8_t* buf, int len) {
+	FDBLibTLSPluginTest *pt = (FDBLibTLSPluginTest *)ctx;
+	try {
+		return pt->server_read(buf, len);
+	} catch ( const std::runtime_error& e ) {
+		return -1;
+	}
+}
+
+Reference<ITLSSession> FDBLibTLSPluginTest::create_server_session(Reference<ITLSPolicy> policy)
+{
+	return Reference<ITLSSession>(policy->create_session(false, server_send_func, this, server_recv_func, this, NULL));
+}
+
+int FDBLibTLSPluginTest::client_server_test(FDBLibTLSClientServerTest const& cst)
+{
+	circular_reset();
+
+	Reference<ITLSPolicy> client_policy = create_policy();
+	if (!client_policy->set_cert_data((const uint8_t*)&cst.client_data[0], cst.client_data.size())) {
+		std::cerr << "FAIL: failed to set client cert data\n";
+		return 1;
+	}
+	if (!client_policy->set_key_data((const uint8_t*)&cst.client_data[0], cst.client_data.size())) {
+		std::cerr << "FAIL: failed to set client key data\n";
+		return 1;
+	}
+	if (!client_policy->set_verify_peers((const uint8_t*)&cst.client_verify[0], cst.client_verify.size())) {
+		std::cerr << "FAIL: failed to set client key data\n";
+		return 1;
+	}
+
+	Reference<ITLSPolicy> server_policy = create_policy();
+	if (!server_policy->set_cert_data((const uint8_t*)&cst.server_data[0], cst.server_data.size())) {
+		std::cerr << "FAIL: failed to set server cert data\n";
+		return 1;
+	}
+	if (!server_policy->set_key_data((const uint8_t*)&cst.server_data[0], cst.server_data.size())) {
+		std::cerr << "FAIL: failed to set server key data\n";
+		return 1;
+	}
+	if (!server_policy->set_verify_peers((const uint8_t*)&cst.server_verify[0], cst.server_verify.size())) {
+		std::cerr << "FAIL: failed to set client key data\n";
+		return 1;
+	}
+
+	Reference<ITLSSession> client_session = create_client_session(client_policy);
+	Reference<ITLSSession> server_session = create_server_session(server_policy);
+
+	if (client_session.getPtr() == NULL || server_session.getPtr() == NULL)
+		return 1;
+
+	std::cerr << "INFO: starting TLS handshake...\n";
+
+	bool client_done = false, server_done = false;
+	bool client_failed = false, server_failed = false;
+	int rc, i = 0;
+	do {
+		if (!client_done) {
+			rc = client_session->handshake();
+			if (rc == ITLSSession::SUCCESS) {
+				client_done = true;
+			} else if (rc == ITLSSession::FAILED) {
+				if (cst.client_success) {
+					std::cerr << "FAIL: failed to complete client handshake\n";
+					return 1;
+				} else {
+					std::cerr << "INFO: failed to complete client handshake (as expected)\n";
+					client_failed = true;
+					client_done = true;
+				}
+			} else if (rc != ITLSSession::WANT_READ && rc != ITLSSession::WANT_WRITE) {
+				std::cerr << "FAIL: client handshake returned unknown value: " << rc << "\n";
+				return 1;
+			}
+		}
+		if (!server_done) {
+			rc = server_session->handshake();
+			if (rc == ITLSSession::SUCCESS) {
+				server_done = true;
+			} else if (rc == ITLSSession::FAILED) {
+				if (cst.server_success) {
+					std::cerr << "FAIL: failed to complete server handshake\n";
+					return 1;
+				} else {
+					std::cerr << "INFO: failed to complete server handshake (as expected)\n";
+					server_failed = true;
+					server_done = true;
+				}
+			} else if (rc != ITLSSession::WANT_READ && rc != ITLSSession::WANT_WRITE) {
+				std::cerr << "FAIL: server handshake returned unknown value: " << rc << "\n";
+				return 1;
+			}
+		}
+	} while (i++ < 100 && (!client_done || !server_done));
+
+	if (!client_done || !server_done) {
+		std::cerr << "FAIL: failed to complete handshake\n";
+		return 1;
+	}
+
+	if (!cst.client_success && !client_failed)
+		std::cerr << "FAIL: client handshake succeeded when it should have failed\n";
+	if (!cst.server_success && !server_failed)
+		std::cerr << "FAIL: server handshake succeeded when it should have failed\n";
+	if (!cst.client_success || !cst.server_success)
+		return 0;
+
+	std::cerr << "INFO: handshake completed successfully\n";
+
+	//
+	// Write on client and read on server.
+	//
+	std::cerr << "INFO: starting client write test...\n";
+
+	std::string client_msg("FDBLibTLSPlugin Client Write Test");
+	std::string server_msg;
+	size_t cn = 0, sn = 0;
+	uint8_t buf[16];
+
+	client_done = false, server_done = false;
+	i = 0;
+	do {
+		if (!client_done) {
+			rc = client_session->write((const uint8_t*)&client_msg[cn], client_msg.size()-cn);
+			if (rc > 0) {
+				cn += rc;
+				if (cn >= client_msg.size())
+					client_done = true;
+			} else if (rc == ITLSSession::FAILED) {
+				std::cerr << "FAIL: failed to complete client write\n";
+				return 1;
+			} else if (rc != ITLSSession::WANT_READ && rc != ITLSSession::WANT_WRITE) {
+				std::cerr << "FAIL: client write returned unknown value: " << rc << "\n";
+				return 1;
+			}
+		}
+		if (!server_done) {
+			rc = server_session->read(buf, sizeof(buf));
+			if (rc > 0) {
+				sn += rc;
+				for (int j = 0; j < rc; j++)
+					server_msg += buf[j];
+				if (sn >= client_msg.size())
+					server_done = true;
+			} else if (rc == ITLSSession::FAILED) {
+				std::cerr << "FAIL: failed to complete server read\n";
+				return 1;
+			} else if (rc != ITLSSession::WANT_READ && rc != ITLSSession::WANT_WRITE) {
+				std::cerr << "FAIL: server read returned unknown value: " << rc << "\n";
+				return 1;
+			}
+		}
+	} while (i++ < 100 && (!client_done || !server_done));
+
+	if (client_msg != server_msg) {
+		std::cerr << "FAIL: got client msg '" << server_msg << "' want '" << client_msg << "'\n";
+		return 1;
+	}
+
+	std::cerr << "INFO: client write test completed successfully\n";
+
+	//
+	// Write on server and read on client.
+	//
+	std::cerr << "INFO: starting server write test...\n";
+
+	server_msg = "FDBLibTLSPlugin Server Write Test";
+	client_msg.clear();
+	cn = 0, sn = 0;
+
+	client_done = false, server_done = false;
+	i = 0;
+	do {
+		if (!server_done) {
+			rc = server_session->write((const uint8_t*)&server_msg[cn], server_msg.size()-cn);
+			if (rc > 0) {
+				cn += rc;
+				if (cn >= server_msg.size())
+					server_done = true;
+			} else if (rc == ITLSSession::FAILED) {
+				std::cerr << "FAIL: failed to complete server write\n";
+				return 1;
+			} else if (rc != ITLSSession::WANT_READ && rc != ITLSSession::WANT_WRITE) {
+				std::cerr << "FAIL: server write returned unknown value: " << rc << "\n";
+				return 1;
+			}
+		}
+		if (!client_done) {
+			rc = client_session->read(buf, sizeof(buf));
+			if (rc > 0) {
+				sn += rc;
+				for (int j = 0; j < rc; j++)
+					client_msg += buf[j];
+				if (sn >= server_msg.size())
+					client_done = true;
+			} else if (rc == ITLSSession::FAILED) {
+				std::cerr << "FAIL: failed to complete client read\n";
+				return 1;
+			} else if (rc != ITLSSession::WANT_READ && rc != ITLSSession::WANT_WRITE) {
+				std::cerr << "FAIL: client read returned unknown value: " << rc << "\n";
+				return 1;
+			}
+		}
+	} while (i++ < 100 && (!client_done || !server_done));
+
+	if (server_msg != client_msg) {
+		std::cerr << "FAIL: got server msg '" << client_msg << "' want '" << server_msg << "'\n";
+		return 1;
+	}
+
+	std::cerr << "INFO: server write test completed successfully\n";
+
+	return 0;
+}
+
+static void logf(const char* event, void* uid, int is_error, ...) {
+	va_list args;
+
+	std::string log_type ("INFO");
+	if (is_error)
+		log_type = "ERROR";
+
+	std::cerr << log_type << ": " << event;
+
+	va_start(args, is_error);
+
+	const char *s = va_arg(args, const char *);
+	while (s != NULL) {
+		std::cerr << " " << s;
+		s = va_arg(args, const char *);
+	}
+
+	std::cerr << "\n";
+
+	va_end(args);
+}
+
+int main(int argc, char **argv)
+{
+	void *pluginSO = NULL;
+	void *(*getPlugin)(const char*);
+	int failed = 0;
+
+	if (argc != 2) {
+		std::cerr << "usage: " << argv[0] << " <plugin_path>\n";
+		exit(1);
+	}
+
+	pluginSO = dlopen(argv[1], RTLD_LAZY | RTLD_LOCAL);
+	if (pluginSO == NULL) {
+		std::cerr << "failed to load plugin '" << argv[1] << "': " << dlerror() << "\n";
+		exit(1);
+	}
+
+	getPlugin = (void*(*)(const char*))dlsym( pluginSO, "get_plugin" );
+	if (getPlugin == NULL) {
+		std::cerr << "plugin '" << argv[1] << "' does not provide get_plugin()\n";
+		exit(1);
+	}
+
+	Reference<ITLSPlugin> plugin = Reference<ITLSPlugin>((ITLSPlugin *)getPlugin(ITLSPlugin::get_plugin_type_name_and_version()));
+
+	std::vector<FDBLibTLSClientServerTest> tests = {
+		// Valid - all use single root CA.
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-1-server.pem", "", ""),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-2-server.pem", "", ""),
+		FDBLibTLSClientServerTest(true, true, "test-2-client.pem", "test-2-server.pem", "", ""),
+		FDBLibTLSClientServerTest(true, true, "test-2-client.pem", "test-1-server.pem", "", ""),
+
+		// Certificates terminate at different intermediate CAs.
+		FDBLibTLSClientServerTest(false, false, "test-4-client.pem", "test-5-server.pem", "", ""),
+		FDBLibTLSClientServerTest(false, false, "test-5-client.pem", "test-4-server.pem", "", ""),
+		FDBLibTLSClientServerTest(true, true, "test-4-client.pem", "test-5-server.pem",
+			"Check.Valid=0", "Check.Valid=0"),
+		FDBLibTLSClientServerTest(true, true, "test-5-client.pem", "test-4-server.pem",
+			"Check.Valid=0", "Check.Valid=0"),
+
+		// Expired certificates.
+		FDBLibTLSClientServerTest(false, false, "test-1-client.pem", "test-3-server.pem", "", ""),
+		FDBLibTLSClientServerTest(false, false, "test-3-client.pem", "test-1-server.pem", "", ""),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-3-server.pem", "Check.Unexpired=0", ""),
+		FDBLibTLSClientServerTest(true, true, "test-3-client.pem", "test-1-server.pem", "", "Check.Unexpired=0"),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-3-server.pem", "Check.Valid=0", ""),
+		FDBLibTLSClientServerTest(true, true, "test-3-client.pem", "test-1-server.pem", "", "Check.Valid=0"),
+
+		// Match on specific subject and/or issuer.
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-1-server.pem", "C=US", ""),
+		FDBLibTLSClientServerTest(false, true, "test-1-client.pem", "test-2-server.pem", "C=US", ""),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-2-server.pem", "C=AU", ""),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-2-server.pem",
+			"CN=FDB LibTLS Plugin Test Server 2\\, \\80 \\<\\01\\+\\02=\\03\\>", ""),
+		FDBLibTLSClientServerTest(false, true, "test-1-client.pem", "test-2-server.pem",
+			"CN=FDB LibTLS Plugin Test Server 2\\, \\80 \\<\\01\\+\\02=\\04\\>", ""),
+		FDBLibTLSClientServerTest(false, true, "test-1-client.pem", "test-2-server.pem",
+			"CN=FDB LibTLS Plugin Test Server 2\\, \\81 \\<\\01\\+\\02=\\04\\>", ""),
+		FDBLibTLSClientServerTest(false, true, "test-1-client.pem", "test-2-server.pem",
+			"CN=FDB LibTLS Plugin Test Server 2\\, \\80 \\<\\01\\+\\02=\\04", ""),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-2-server.pem",
+			"CN=FDB LibTLS Plugin Test Server 2\\, \\80 \\<\\01\\+\\02=\\03\\>",
+			"CN=FDB LibTLS Plugin Test Client 1"),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-1-server.pem",
+			"", "CN=FDB LibTLS Plugin Test Client 1"),
+		FDBLibTLSClientServerTest(true, false, "test-2-client.pem", "test-1-server.pem",
+			"", "O=Apple Pty Limited,OU=FDC Team"),
+		FDBLibTLSClientServerTest(true, true, "test-2-client.pem", "test-1-server.pem",
+			"O=Apple Inc.,OU=FDB Team", "O=Apple Pty Limited,OU=FDB Team"),
+		FDBLibTLSClientServerTest(false, false, "test-2-client.pem", "test-1-server.pem",
+			"O=Apple Inc.,OU=FDC Team", "O=Apple Pty Limited,OU=FDC Team"),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-1-server.pem",
+			"I.C=US,I.ST=California,I.L=Cupertino,I.O=Apple Inc.,I.OU=FDB Team",
+			"I.C=US,I.ST=California,I.L=Cupertino,I.O=Apple Inc.,I.OU=FDB Team"),
+		FDBLibTLSClientServerTest(false, false, "test-1-client.pem", "test-1-server.pem",
+			"I.C=US,I.ST=California,I.L=Cupertino,I.O=Apple Inc.,I.OU=FDC Team",
+			"I.C=US,I.ST=California,I.L=Cupertino,I.O=Apple Inc.,I.OU=FDC Team"),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-1-server.pem",
+			"I.CN=FDB LibTLS Plugin Test Intermediate CA 1",
+			"I.CN=FDB LibTLS Plugin Test Intermediate CA 1"),
+		FDBLibTLSClientServerTest(false, true, "test-1-client.pem", "test-1-server.pem",
+			"I.CN=FDB LibTLS Plugin Test Intermediate CA 2",
+			"I.CN=FDB LibTLS Plugin Test Intermediate CA 1"),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-2-server.pem",
+			"I.CN=FDB LibTLS Plugin Test Intermediate CA 2",
+			"I.CN=FDB LibTLS Plugin Test Intermediate CA 1"),
+		FDBLibTLSClientServerTest(true, true, "test-1-client.pem", "test-2-server.pem",
+			"CN=FDB LibTLS Plugin Test Server 2\\, \\80 \\<\\01\\+\\02=\\03\\>,I.CN=FDB LibTLS Plugin Test Intermediate CA 2",
+			"I.CN=FDB LibTLS Plugin Test Intermediate CA 1,O=Apple Inc.,I.C=US,S.C=US"),
+		FDBLibTLSClientServerTest(false, true, "test-1-client.pem", "test-2-server.pem",
+			"CN=FDB LibTLS Plugin Test Server 2\\, \\80 \\<\\01\\+\\02=\\03\\>,I.CN=FDB LibTLS Plugin Test Intermediate CA 1",
+			"I.CN=FDB LibTLS Plugin Test Intermediate CA 1,O=Apple Inc.,I.C=US,S.C=US"),
+	};
+
+	FDBLibTLSPluginTest *pt = new FDBLibTLSPluginTest(plugin, (ITLSLogFunc)logf);
+
+	int test_num = 1;
+	for (auto &test: tests) {
+		std::cerr << "== Test " << test_num++ << " ==\n";
+		failed |= pt->client_server_test(test);
+	}
+
+	delete pt;
+
+	return (failed);
+}
--- a/FDBLibTLS/scripts/make-test-certs.sh
+++ b/FDBLibTLS/scripts/make-test-certs.sh
@ -0,0 +1,159 @@
+#!/bin/sh
+
+set -e
+set -u
+
+readonly SUBJECT="/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=FDB Team/CN=FDB LibTLS Plugin Test"
+readonly SUBJECT_ALT="/C=AU/ST=New South Wales/L=Sydney/O=Apple Pty Limited/OU=FDB Team/CN=FDB LibTLS Plugin Test"
+
+readonly TMPDIR=$(mktemp -d)
+
+cleanup() {
+        rm -rf "${TMPDIR}"
+}
+
+trap cleanup EXIT INT
+
+make_bundle() {
+  local bundle_file=$1;
+  local key_file=$2;
+  shift 2;
+
+  printf '' > "${bundle_file}"
+  for f in $@; do
+    openssl x509 -nameopt oneline -subject -issuer -noout -in "${TMPDIR}/${f}" >> "${bundle_file}"
+  done
+  for f in $@; do
+    cat "${TMPDIR}/${f}" >> "${bundle_file}"
+  done
+  cat "${TMPDIR}/${key_file}" >> "${bundle_file}"
+}
+
+echo '100001' > "${TMPDIR}/certserial"
+
+cat > "${TMPDIR}/openssl.cnf" <<EOF
+[ca]
+default_ca = fdb_test_ca
+
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[fdb_test_ca]
+unique_subject = no
+database = ${TMPDIR}/certindex
+default_md = sha256
+new_certs_dir = ${TMPDIR}/
+policy = fdb_test_ca_policy
+serial = ${TMPDIR}/certserial
+
+[fdb_test_ca_policy]
+
+[fdb_v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
+[fdb_v3_other]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature
+EOF
+
+# Root CA.
+openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 -x509 \
+  -subj "${SUBJECT} Root CA" -keyout "${TMPDIR}/ca-root.key" \
+  -config "${TMPDIR}/openssl.cnf" -extensions fdb_v3_ca \
+  -out "${TMPDIR}/ca-root.crt"
+
+# Intermediate CA 1.
+openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
+  -subj "${SUBJECT} Intermediate CA 1" -keyout "${TMPDIR}/ca-int-1.key" \
+  -out "${TMPDIR}/ca-int-1.csr"
+openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-root.crt" -CAkey "${TMPDIR}/ca-root.key" \
+  -extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_ca -days 3650 \
+  -CAcreateserial -in "${TMPDIR}/ca-int-1.csr" -out "${TMPDIR}/ca-int-1.crt"
+
+# Intermediate CA 2.
+openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
+  -subj "${SUBJECT} Intermediate CA 2" -keyout "${TMPDIR}/ca-int-2.key" \
+  -out "${TMPDIR}/ca-int-2.csr"
+openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-root.crt" -CAkey "${TMPDIR}/ca-root.key" \
+  -extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_ca -days 3650 \
+  -CAcreateserial -in "${TMPDIR}/ca-int-2.csr" -out "${TMPDIR}/ca-int-2.crt"
+
+# Server 1.
+openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
+  -subj "${SUBJECT} Server 1" -keyout "${TMPDIR}/server-1.key" \
+  -out "${TMPDIR}/server-1.csr"
+openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-1.crt" -CAkey "${TMPDIR}/ca-int-1.key" \
+  -extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other -days 3650 \
+  -CAcreateserial -in "${TMPDIR}/server-1.csr" -out "${TMPDIR}/server-1.crt"
+
+# Server 2.
+openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
+  -subj "$(printf "${SUBJECT_ALT} Server 2, \200 <\001+\002=\003>")" -keyout "${TMPDIR}/server-2.key" \
+  -out "${TMPDIR}/server-2.csr"
+openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-2.crt" -CAkey "${TMPDIR}/ca-int-2.key" \
+  -extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other \
+  -CAcreateserial -in "${TMPDIR}/server-2.csr" -out "${TMPDIR}/server-2.crt"
+
+# Server 3 (expired).
+openssl req -new -days 1 -nodes -newkey rsa:2048 -sha256 \
+  -subj "${SUBJECT} Server 3" -keyout "${TMPDIR}/server-3.key" \
+  -out "${TMPDIR}/server-3.csr"
+cp /dev/null "${TMPDIR}/certindex"
+printf "y\ny\n" | openssl ca -cert "${TMPDIR}/ca-int-1.crt" -keyfile "${TMPDIR}/ca-int-1.key" \
+  -startdate 20170101000000Z -enddate 20171231000000Z \
+  -config "${TMPDIR}/openssl.cnf" -notext \
+  -in "${TMPDIR}/server-3.csr" -out "${TMPDIR}/server-3.crt"
+
+# Client 1.
+openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
+  -subj "${SUBJECT} Client 1" -keyout "${TMPDIR}/client-1.key" \
+  -out "${TMPDIR}/client-1.csr"
+openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-1.crt" -CAkey "${TMPDIR}/ca-int-1.key" \
+  -extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other \
+  -CAcreateserial -in "${TMPDIR}/client-1.csr" -out "${TMPDIR}/client-1.crt"
+
+# Client 2.
+openssl req -new -days 3650 -nodes -newkey rsa:2048 -sha256 \
+  -subj "$(printf "${SUBJECT_ALT} Client 2, \200 <\001+\002=\003>")" -keyout "${TMPDIR}/client-2.key" \
+  -out "${TMPDIR}/client-2.csr"
+openssl x509 -req -days 3650 -CA "${TMPDIR}/ca-int-2.crt" -CAkey "${TMPDIR}/ca-int-2.key" \
+  -extfile "${TMPDIR}/openssl.cnf" -extensions fdb_v3_other \
+  -CAcreateserial -in "${TMPDIR}/client-2.csr" -out "${TMPDIR}/client-2.crt"
+
+# Client 3 (expired).
+openssl req -new -days 1 -nodes -newkey rsa:2048 -sha256 \
+  -subj "${SUBJECT} Client 3" -keyout "${TMPDIR}/client-3.key" \
+  -out "${TMPDIR}/client-3.csr"
+cp /dev/null "${TMPDIR}/certindex"
+printf "y\ny\n" | openssl ca -cert "${TMPDIR}/ca-int-1.crt" -keyfile "${TMPDIR}/ca-int-1.key" \
+  -startdate 20170101000000Z -enddate 20171231000000Z \
+  -config "${TMPDIR}/openssl.cnf" \
+  -in "${TMPDIR}/client-3.csr" -out "${TMPDIR}/client-3.crt"
+
+#
+# Test Bundles
+#
+
+make_bundle 'test-1-server.pem' 'server-1.key' 'server-1.crt' 'ca-int-1.crt' 'ca-root.crt'
+make_bundle 'test-1-client.pem' 'client-1.key' 'client-1.crt' 'ca-int-1.crt' 'ca-root.crt'
+make_bundle 'test-2-server.pem' 'server-2.key' 'server-2.crt' 'ca-int-2.crt' 'ca-root.crt'
+make_bundle 'test-2-client.pem' 'client-2.key' 'client-2.crt' 'ca-int-2.crt' 'ca-root.crt'
+
+# Expired client/server.
+make_bundle 'test-3-client.pem' 'client-3.key' 'client-3.crt' 'ca-int-1.crt' 'ca-root.crt'
+make_bundle 'test-3-server.pem' 'server-3.key' 'server-3.crt' 'ca-int-1.crt' 'ca-root.crt'
+
+# Bundles that terminate at intermediate 1.
+make_bundle 'test-4-server.pem' 'server-1.key' 'server-1.crt' 'ca-int-1.crt'
+make_bundle 'test-4-client.pem' 'client-1.key' 'client-1.crt' 'ca-int-1.crt'
+
+# Bundles that terminate at intermediate 2.
+make_bundle 'test-5-server.pem' 'server-2.key' 'server-2.crt' 'ca-int-2.crt'
+make_bundle 'test-5-client.pem' 'client-2.key' 'client-2.crt' 'ca-int-2.crt'
--- a/FDBLibTLS/testdata/test-1-client.pem
+++ b/FDBLibTLS/testdata/test-1-client.pem
@ -0,0 +1,106 @@
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Client 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIJALOPTrQGpeslMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTExMC8GA1UE
+AwwoRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMTAeFw0x
+ODA0MDcxNDE2MDJaFw0yODA0MDQxNDE2MDJaMIGIMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5vMRMwEQYDVQQKDApB
+cHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEoMCYGA1UEAwwfRkRCIExpYlRM
+UyBQbHVnaW4gVGVzdCBDbGllbnQgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALVkdxOmWcd959NyirJ1iz7q5fkjdRUV+88KMMehQWc3f50GJIQ+eZo+
+7RhwVE+n8nd0i5iGfyY6LRuupdwoQUxoZ/5rUIDGKspNO62DVRW+tZqzpEa1+ub5
+75BMoc7I7l9sXDkuiMu1OYcPNKMv4F3mf+B3ourLqjUekKlUv8XIZXAvN+R19HlR
+FM8vs8rnhQXx7iWVP91frDvyD8G7lOf6R7R4homnB37kLom8WU+fCmcyA6em0qX0
+JeVP6xk2qXU1cMs7DL8WftdrWHv+a73/l4hytQHo5OvtGaLZhpPYpC/FMSaFHVSM
+irWSFK+ZtvaLi3LXc2HGANMokjPoRf8CAwEAAaNgMF4wHQYDVR0OBBYEFPtTL9KZ
+jn49cLediy1ixz7AXOI3MB8GA1UdIwQYMBaAFCXTF7f83Hd7xm9gR+O4QrvjNo8Q
+MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBBQUAA4IB
+AQA17a4d/tSWIlTkIfkrXziD21+1OsN6/dUrWQK7kxtEe21QXIutccW4bwpM0JDB
+M+bZiWkdgQ15+ZotX5UXlBcx9WWDU5RqSO06hhXu5b8gZwfVF4Od6tBdVxkn4KbU
+0YujOZrL8fDOrQHqCO7nhNlYgcEn7bKF5wjtOoiKhtA9sLSIZQR5g32kkJXXGvcY
+lLWMXygEg9FMQoldW9RHq4GbUiYEeqEq6k4S7cE03R1lvmQEOOAJ2S7LnaS4UHQT
+GmW6uvLnJJrG4HB9JGE+y1e9M+C7Enzhi39RGd8ylignGimkdw/1UEWnvKGCqoU7
+ufWGF7eUV8dCqO+jYghIY8rA
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpeshMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAyOwdOcYcH3wYou13CchsXh3lLWA85E550tT6/WwDnslQjiMZHFrKvUT2
+B8CUOR3Fr+4RG+cdw80rgojYEUuHKwmIGyjo5IotdaYbWzf6mvYThlIPPudCCkSU
+CTtqPv8Oq4QdIpCxHdix0MINKu7c+qt1rUwnDFQSv/gHhVnNxT4r8pwVp6T4hwka
+2YQaRNjzUuuFinMub0UtxnUX0rH8X5STlOSVn4Ksjo0OhQzsGEYDx86jVAXjgGcb
+2CgGGctgq04hVrngP5ahT1Xeh9YycMlQJXsckJJBxfUJebIjANSRyzxI5fYt+ZkY
+qoG5VLPREUQknxcpbT7Rsj0n+k0RhwIDAQABo2MwYTAdBgNVHQ4EFgQUJdMXt/zc
+d3vGb2BH47hCu+M2jxAwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAGwW7bRqB7aYUGsD1MOE9d5slp6Iw6wKyNLdg+mzoV+iCV2ZM7ejNRButiAy
+vPOxSQwXcibLm/g599e+LY1TiI1XXPbL2bFnTcnThqpHHFe+eRrDgqxO8qJyrcBp
+EfyMCJWq7jFg4bWoYTpLeC/RAKyi9fxlqY1NzQCp1bG3LiaDJ5VJd4uwkgX2a0yN
+3e0XEFNi7r4u4IHejwFjKWrDg8sstjbY+XOYC4EVQyUsbzeKZKSqnOdR2Jv1QZHH
+5O24G/efIFpsA6MVUOfRk0eq0RfKX7CdHn2a5p8aC6E6YMDhXL6xo146n49t9sYD
+HMUnfG6AEboTBa/l+zwCG/u4f/Y=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIJALfRa36cuemYMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMScwJQYDVQQDDB5GREIgTGliVExTIFBsdWdpbiBU
+ZXN0IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/J+sL
+7POoXNdzYRsMZCI5juxMPOVue5vU2QPU9z/PHBsBICX6tVsCnkzk5CLdM6TxofgX
+F+MqRKxtcIqxBcKjjVecJlqHuNY+jS2r8UjcoQm+EQ5RsBWu8yaSnXIiZTccQNjB
+5T2awwt9Ptbn946MZfq6oEnn4ZPByu9/nCrlk7QXTkuGdpTnC6paQWt/lVxZfELM
+i0g76/K/f3e2Lv9UCvlxKOwFMye9XjwF3ekEmUuio5JZEdn+LIs9zB1zehFhGlYB
+TUXnkZ0LTOPbH9OxsOli04n31/n7UbYq1BSuoiXx5A2eHOunMppa0NDg7oXmDSKE
+A1zo+QtIu1YPXaLdAgMBAAGjYzBhMB0GA1UdDgQWBBSeq0aNrc7mMaWHm8eCndN/
+w0I8qTAfBgNVHSMEGDAWgBSeq0aNrc7mMaWHm8eCndN/w0I8qTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIOw1jC39
+VW+1fqGT+n44Y6Oh66lAowIvi/BEOW1I4iPAjkr0g6FbbdKeq0VLL7aMMu+q/AOv
+UETv7MdVh9xjTLqWZGN0R3Lr/n6ButI3E7MLKL5ByLNCoOhF42aBLINkpKSNFRrQ
+40iNoHm3BaNRLKS7poCk5HFkEMjvxdQ1AenNbUa21DTh7y9arHF4CPfi8Ity29jW
+ED8jYK/+bWIaO+YhGkRh8UuD3o5WnOti+9QK56qxkPtkqVTh9vMVHfD0DgVeLvMN
+nZpTplLTfhjzyFJELwE/U+HJ6KIslmqwarJ1Sla+1gHCmJEbzbsrnb6bLtrHtXCZ
+XvmR6B5iRkDVpw==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1ZHcTplnHfefT
+coqydYs+6uX5I3UVFfvPCjDHoUFnN3+dBiSEPnmaPu0YcFRPp/J3dIuYhn8mOi0b
+rqXcKEFMaGf+a1CAxirKTTutg1UVvrWas6RGtfrm+e+QTKHOyO5fbFw5LojLtTmH
+DzSjL+Bd5n/gd6Lqy6o1HpCpVL/FyGVwLzfkdfR5URTPL7PK54UF8e4llT/dX6w7
+8g/Bu5Tn+ke0eIaJpwd+5C6JvFlPnwpnMgOnptKl9CXlT+sZNql1NXDLOwy/Fn7X
+a1h7/mu9/5eIcrUB6OTr7Rmi2YaT2KQvxTEmhR1UjIq1khSvmbb2i4ty13NhxgDT
+KJIz6EX/AgMBAAECggEAEm2Mc2CZCl1OKfsfABZU+SVgC7mAcY30MQp1/jHxtQy8
+WDWBjDXUoMj3yV3QEu+bAGvEqtAvJrEOWBucGgu05pBM0FoSqaJ4QmkqQOxwvm7L
+gFXzwINIZCLMJbrDTYC4RtV5YQ3LM/bLS19OF64Lez6piyJcWMIsHo1mYO2NNgiD
+7f1x1uQw46Q0YHWeoHY58MPfmgfKsqnJDWc8cCuU9fJOWeU4dVrfW8dh9WVAoLZ7
+qAM5vvap11Qk8RXaRnmLjxN6H1M7iVNfcLVNKfG6XOBBepYjZr/qMkuN3ONuqBHl
+fC3Zia2zQZRfiuPspX0KhjCfYAKbIZC6oyrQM2uXgQKBgQDoD5voZiCOeGXJEMUk
+9JV4V8A96aE0xxy+OHMogVpysxBO4V0Nh0krSLTt9NXnpjawZQ+3pLQ4+2J2XM2e
+fJuJJ7Z+Mhjv6epnMM7FoxK1VF7oe+LE7Yk/kg/moCuVS/XhLdQrhZVBJhfEADS3
+oFybf7Q6rJYtN3OYsiFymyneHwKBgQDIGsY5kGdmx27LS5rPMwdw632TF8G5BGbu
+C3ty7LYkOWb/9/V4cuWjW4eLJQqCWbJQrzOvg0coxwXLUuEQik+IP2IkF0YlRS43
+VJuULwOxi3Cbj51RoapHhmYTO9fe2A1N9oJMAqEUHY1q/r9txPcguRWyuH2Yv9Ih
+OzHnc2DcIQKBgQCGW0MxMq/2zM5hs0vxMYq4ulWbgwDKxd1mZNiHwxzS+8mdYe22
+P3WlkdrvSqnuDNXtGxYWhU2zEBjZ3rFN6WdD6bJHLkox3YTRafjNhLT4N3kbsV6C
+FeU44SBDrsiNEAWz8gy9hgH8TknEOTpMdpQnk7CNqA7q7wgGiFvFNwDukQKBgG7i
+R03Gs0XE5aRJtPN0N39fPyqvU24O/mqSekno2dWg6W6WHLQuFwo6whVc5UHuKl2D
+eISdnmT+RDuzJXxg6El7tgqByyEEAOQwQjYPB2Du/+tz3Z1KlG0mEJI/6xNVbany
+G6m7Gz9mUOMlXzaYmsjLRzbN/OsUAIDhqHm0+cuBAoGAZCND80akS3xr3yC87GyX
+aA0RoHXbdB6dbP8Y6XYDXR4QFIA4kXwY5cCLaZA/0hP5FOzDhORmaoaPM8vUdNyb
+IYvbw2H6tODiU5oICWY6+HQQ2nXikucI4HDYDLbsiV2htZkEmBYWLilYq0Tb8jC5
+u+ehIIvZYLqKaY1GaKmF86A=
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-1-server.pem
+++ b/FDBLibTLS/testdata/test-1-server.pem
@ -0,0 +1,106 @@
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Server 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIJALOPTrQGpesjMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTExMC8GA1UE
+AwwoRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMTAeFw0x
+ODA0MDcxNDE2MDJaFw0yODA0MDQxNDE2MDJaMIGIMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5vMRMwEQYDVQQKDApB
+cHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEoMCYGA1UEAwwfRkRCIExpYlRM
+UyBQbHVnaW4gVGVzdCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAJp26QAmlMusO7C8Py/I117r3kHvB+My5kIrj8g9sKpktwTzmsJGpvJU
+EaKISEdBsJHLGnZJhwIhr/+MG4WDEM4oFNCtBQZznV3wjIQWq1w4IO8/f3+nBPpW
+f14fjs1E911Uo/ZOL9bxvh1SIHkS6itgJi+tgVPx7C3s3W3mC5nU3omsE+Rx4DDm
+KUq1kyN1ELBIAceQ4wTmQ5B8dv6MSW7zt8Jdrhfhg2GJIPPB6XUZJ2yIOvgu55GW
+J5sMPa0uNDfCsWJ37fzFm+XJ/D96t7x8I49IyfzbIgcU9JYFlcqkryvKh5IpQGGm
+H/I6adIWa5xWpMhB2PA6kgtDD07Hu2sCAwEAAaNgMF4wHQYDVR0OBBYEFJ7S+FUz
+9ngzH/TNPVeM/cE7LeBGMB8GA1UdIwQYMBaAFCXTF7f83Hd7xm9gR+O4QrvjNo8Q
+MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBBQUAA4IB
+AQAx6WHwikVFAH0TRYCznwO6He+0t2pnlyfrI+24N28tzupMSrRPs086UbLgHLz1
+lbkYdheeOkLPzjWi5vfymL1Oua3E2iAXWEpMb4Sg7E5SVHp9yt6gZ0DTVwR+Gcu7
+uooroidAG3OFeOXL5ivU5J5ipaoEAiLprpKxtPzo4z/TxIqw3kJISC56qw9VTJNQ
+TQZvneUecykdIZuH61ih0cJLe5WRkEs/63Dgl8TBYiVDbvBSGRbsXoAXcspVlc2x
+XOLey5IVJ4/TH5ZBobShC6J1KrjZTNYvUgc44CocOgrc0ePPiQzB7JXxR1H8ATGl
+yKjWqT2PkrfHmjdcmsi2GIVt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpeshMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAyOwdOcYcH3wYou13CchsXh3lLWA85E550tT6/WwDnslQjiMZHFrKvUT2
+B8CUOR3Fr+4RG+cdw80rgojYEUuHKwmIGyjo5IotdaYbWzf6mvYThlIPPudCCkSU
+CTtqPv8Oq4QdIpCxHdix0MINKu7c+qt1rUwnDFQSv/gHhVnNxT4r8pwVp6T4hwka
+2YQaRNjzUuuFinMub0UtxnUX0rH8X5STlOSVn4Ksjo0OhQzsGEYDx86jVAXjgGcb
+2CgGGctgq04hVrngP5ahT1Xeh9YycMlQJXsckJJBxfUJebIjANSRyzxI5fYt+ZkY
+qoG5VLPREUQknxcpbT7Rsj0n+k0RhwIDAQABo2MwYTAdBgNVHQ4EFgQUJdMXt/zc
+d3vGb2BH47hCu+M2jxAwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAGwW7bRqB7aYUGsD1MOE9d5slp6Iw6wKyNLdg+mzoV+iCV2ZM7ejNRButiAy
+vPOxSQwXcibLm/g599e+LY1TiI1XXPbL2bFnTcnThqpHHFe+eRrDgqxO8qJyrcBp
+EfyMCJWq7jFg4bWoYTpLeC/RAKyi9fxlqY1NzQCp1bG3LiaDJ5VJd4uwkgX2a0yN
+3e0XEFNi7r4u4IHejwFjKWrDg8sstjbY+XOYC4EVQyUsbzeKZKSqnOdR2Jv1QZHH
+5O24G/efIFpsA6MVUOfRk0eq0RfKX7CdHn2a5p8aC6E6YMDhXL6xo146n49t9sYD
+HMUnfG6AEboTBa/l+zwCG/u4f/Y=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIJALfRa36cuemYMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMScwJQYDVQQDDB5GREIgTGliVExTIFBsdWdpbiBU
+ZXN0IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/J+sL
+7POoXNdzYRsMZCI5juxMPOVue5vU2QPU9z/PHBsBICX6tVsCnkzk5CLdM6TxofgX
+F+MqRKxtcIqxBcKjjVecJlqHuNY+jS2r8UjcoQm+EQ5RsBWu8yaSnXIiZTccQNjB
+5T2awwt9Ptbn946MZfq6oEnn4ZPByu9/nCrlk7QXTkuGdpTnC6paQWt/lVxZfELM
+i0g76/K/f3e2Lv9UCvlxKOwFMye9XjwF3ekEmUuio5JZEdn+LIs9zB1zehFhGlYB
+TUXnkZ0LTOPbH9OxsOli04n31/n7UbYq1BSuoiXx5A2eHOunMppa0NDg7oXmDSKE
+A1zo+QtIu1YPXaLdAgMBAAGjYzBhMB0GA1UdDgQWBBSeq0aNrc7mMaWHm8eCndN/
+w0I8qTAfBgNVHSMEGDAWgBSeq0aNrc7mMaWHm8eCndN/w0I8qTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIOw1jC39
+VW+1fqGT+n44Y6Oh66lAowIvi/BEOW1I4iPAjkr0g6FbbdKeq0VLL7aMMu+q/AOv
+UETv7MdVh9xjTLqWZGN0R3Lr/n6ButI3E7MLKL5ByLNCoOhF42aBLINkpKSNFRrQ
+40iNoHm3BaNRLKS7poCk5HFkEMjvxdQ1AenNbUa21DTh7y9arHF4CPfi8Ity29jW
+ED8jYK/+bWIaO+YhGkRh8UuD3o5WnOti+9QK56qxkPtkqVTh9vMVHfD0DgVeLvMN
+nZpTplLTfhjzyFJELwE/U+HJ6KIslmqwarJ1Sla+1gHCmJEbzbsrnb6bLtrHtXCZ
+XvmR6B5iRkDVpw==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCadukAJpTLrDuw
+vD8vyNde695B7wfjMuZCK4/IPbCqZLcE85rCRqbyVBGiiEhHQbCRyxp2SYcCIa//
+jBuFgxDOKBTQrQUGc51d8IyEFqtcOCDvP39/pwT6Vn9eH47NRPddVKP2Ti/W8b4d
+UiB5EuorYCYvrYFT8ewt7N1t5guZ1N6JrBPkceAw5ilKtZMjdRCwSAHHkOME5kOQ
+fHb+jElu87fCXa4X4YNhiSDzwel1GSdsiDr4LueRliebDD2tLjQ3wrFid+38xZvl
+yfw/ere8fCOPSMn82yIHFPSWBZXKpK8ryoeSKUBhph/yOmnSFmucVqTIQdjwOpIL
+Qw9Ox7trAgMBAAECggEAOZAMvsCh/NDfobpVddJL6JTPzBRvBQ1H3+rp9z5+ItHL
+nq3Fw5aeynnn5IETJnLlgT+GSgSWqoWxV/N3oia40YsATs/bqo7VW1e0ldj43TIR
+m/c25XRxl3U6m/H4vqhv4rkTLUvv6hNGvRiI/3W8DJQVRvlK0+S5FlhKIJV1R0sH
+tp5vmaPp09Ln+NVno3u3iaYkVgVME4Ukul2i03sQ9OgvZSBCaVr//fMpiPdBeeN6
+QY6XHjeGQRnP/UdzMYJ4Qz1yovL1ntneaTMdz/GkKuAFoNNh8Vr2kiEskW17OWPB
+ZGcIT6YpBEPo34xXUhUQt7ylFPxGH+zZyHZ3vb8j6QKBgQDJPeu/iPg+M5nz5gO5
+ge9gzYrhxK/1mwbFlD7qt1NjOSm6xWxUcss3STjuG7jB0c+NopIUoq/egsUnxrRm
+4l17uOCYNLbhTJ2ynfv6QnUMxW5Xkve3DkLa2bze/fhMUywTy8N4A7z0+y35qzm3
+lY4rLmQOQKPkmqWRnxU1u8fjFQKBgQDEfpOZ0fp2D/1gTG+D+/zrMEbjnNn3ZO8I
+wrjoXwRxcRggt7lJhxgQpwtDr98IqYkDzX7bvyMFJuyTii3NM6NYycpA1pHX70B/
+xMvOcrgJnIUAoJ7nl43Or7s8bFTPDLaD9PNGHjrlkF3JOXqSKEbw367jHVOa4SYr
+OjrogjrEfwKBgQDHU2a7ax5+9btqggx0ZQfGOTBzmM60lZ3qe4CqGXUl1YvIrB01
+tBImq4cRCTJB/9/1qO3KNK2/1oUTddRgB5ySnDcRaz0tASc9sQ/Q/JxVTwSRB0gG
+78A2Zu6VbLbQWp1Q6kWtDP7PJC+QmRFtDlwn1yZRm6L6HlcaWpi2hU1iVQKBgCEu
+ashv8Aad3qCzZ6V3GReyOFZZd2lSjxcAou8ClKJ/gZ6Mx+pFuOee/cT5XwV8c5nD
+yuda2JQXJZ4omGFtlej5coEOeuRnD5JD7lK3hqKA3ujjNtJPAnBjto+Wj5/DOtL/
+u1Ec6782aNABN9SUnp4wd7z8h9DAsoxcMfRvgXMLAoGBAJ9gGttfqZbuPz9V0rAo
+p05SPPado1i5+2dUOScIbNB6+vQij9IlR2Tzu1T9DwzrBqTDPPmSggeA/JXeTvh6
+Skb9fDukizeDfwPYUN2gljhiJEqFdpRBr5vP0lFi291+a0jMW1zldrumxCcGKMyU
+D5ReKLp/zSQSQi/Wt4FF1II7
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-2-client.pem
+++ b/FDBLibTLS/testdata/test-2-client.pem
@ -0,0 +1,106 @@
+subject= C = AU, ST = New South Wales, L = Sydney, O = Apple Pty Limited, OU = FDB Team, CN = "FDB LibTLS Plugin Test Client 2, \C2\80 <\01+\02=\03>"
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 2
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 2
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIIEEzCCAvugAwIBAgIJALOPTrQGpesmMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTExMC8GA1UE
+AwwoRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMjAeFw0x
+ODA0MDcxNDE2MDJaFw0yODA0MDQxNDE2MDJaMIGdMQswCQYDVQQGEwJBVTEYMBYG
+A1UECAwPTmV3IFNvdXRoIFdhbGVzMQ8wDQYDVQQHDAZTeWRuZXkxGjAYBgNVBAoM
+EUFwcGxlIFB0eSBMaW1pdGVkMREwDwYDVQQLDAhGREIgVGVhbTE0MDIGA1UEAwwr
+RkRCIExpYlRMUyBQbHVnaW4gVGVzdCBDbGllbnQgMiwgwoAgPAErAj0DPjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALanLExQi/yK2PRyu6Mvdw2MRxUs
+26kJftYuK7KtYyltTO3vtj4kNKg1vZI1eezhqr2Ta/1DzE76eLVs8EOW0LAb5oWM
+zXdYBXBX4vG+K7pYfjuvZUd6jfX2bHW10xC96HgDTfRn6dof8GR0fILJ6DoEcyI3
+82xnKKxTsgAuXU4uvcsl0g0F78nXuIbk8ZktTV3LIdbOCIcLQfG7DdDyAfEA0T7Q
+Vg6eeLknIUvPePxyWkUdYeSCDP2d+3NIlHMxNPmH1q3+fCsEsy/kqdVO9e6KrZla
+CKqnc6yYTXvTffpPepC3Igz678iGg3dv9rLj0i4fyTr4tEOTJebO9Ka3TbMCAwEA
+AaNgMF4wHQYDVR0OBBYEFKO2/D1IhG8KWFwR6OdyoFqEzIWAMB8GA1UdIwQYMBaA
+FJFP+HFpDrD0BRU0yE606s6xkqFBMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQD
+AgeAMA0GCSqGSIb3DQEBBQUAA4IBAQAQV3FjsvZvwi5Oi/oSc7Du/BQS9nQ/D4j6
+IeYpd3M0y50awZB83BReYrhdC907xKkLRD0R8oEPDEg5SaSj3vRML4kaUUqnEINW
+4JQtv4wNO9CagYriGg8ygQa0xd683svHeXDet3ov11XN/Ms8lfDiOUp2291HgeTW
+8hqn1DaNfZrCb3EkdoNThwVKIUzQtEPBuPkLE+XT8kZP5d8KHmv8/9L39NdZY32d
+fzKGBeCxZ34pQS0cTap3rZ02nDfV2vNevODRyuqdhs7EQps2Oe1IfPB9GSE0OFUQ
+tdphxSjsv1BcHpTwBDpIITKarnceMIKxQjcZU3yPv5ibIaGCgZOt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpesiMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEApTSBCiUb0amf+QRV2WY6b3bK93D/PSrm4KR/2m2V0lciU1DAk00/kZ52
+ZIZmq8g9EaE2+CaDtU0fMvDZpaZD+vTFRwsx4varehq0ZwX9Wt25i/3G/eGLNlD3
+9E4tDNruK5UQjum4nJ0SV+AdFEGkSfeU3ZJEHYH0NrcbyAUbh0KeWCSwHiYiFJJf
+gBYwRq/HdKNoS/4YvLXzTLR7BSm3YcqWlO5tdkJ2lcT/7Th/Hq1TCW/FKwdQJJBq
+JrbOYGlMrf1pLO7Drei/xhsYkwTQ899MhSjkBRhc+401p41Mky0n8wLkuPJGhoY3
+9QUOjT+Rmvq5yryg0eWGiFquk6Ru5QIDAQABo2MwYTAdBgNVHQ4EFgQUkU/4cWkO
+sPQFFTTITrTqzrGSoUEwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAJfCHU7dm2/2ASyt3wyxivQLxlV6FsEZcF7HcpbbxuB73frGOL4kEoOxvr2X
+fBGyjlPMotbc1MeAalAv+hVHdcAcBFPF7lxtYiV6D7YI5T5yVbWSASG3+DMAiW6S
+GdQi2eyeh00nH7Y1IkW+yaky0enBtWLzrw+XzHl6xT6DIEJnir//PNxvgXTJ5sjk
+6eFAm8HJIqkNQmgfChMQfUH6nm66WwULW6I117RCSkXhIgxZ7wzDq8bXcEdXCrZk
+yy5ket9OiVpbd38JgdYirBLmCQVq0uDOOPLz4ZJmNCzQzEt+38AAK2azAk/eb8W9
+JaKWH+5V8lhlyGw1zQKdNEP/wg8=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIJALfRa36cuemYMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMScwJQYDVQQDDB5GREIgTGliVExTIFBsdWdpbiBU
+ZXN0IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/J+sL
+7POoXNdzYRsMZCI5juxMPOVue5vU2QPU9z/PHBsBICX6tVsCnkzk5CLdM6TxofgX
+F+MqRKxtcIqxBcKjjVecJlqHuNY+jS2r8UjcoQm+EQ5RsBWu8yaSnXIiZTccQNjB
+5T2awwt9Ptbn946MZfq6oEnn4ZPByu9/nCrlk7QXTkuGdpTnC6paQWt/lVxZfELM
+i0g76/K/f3e2Lv9UCvlxKOwFMye9XjwF3ekEmUuio5JZEdn+LIs9zB1zehFhGlYB
+TUXnkZ0LTOPbH9OxsOli04n31/n7UbYq1BSuoiXx5A2eHOunMppa0NDg7oXmDSKE
+A1zo+QtIu1YPXaLdAgMBAAGjYzBhMB0GA1UdDgQWBBSeq0aNrc7mMaWHm8eCndN/
+w0I8qTAfBgNVHSMEGDAWgBSeq0aNrc7mMaWHm8eCndN/w0I8qTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIOw1jC39
+VW+1fqGT+n44Y6Oh66lAowIvi/BEOW1I4iPAjkr0g6FbbdKeq0VLL7aMMu+q/AOv
+UETv7MdVh9xjTLqWZGN0R3Lr/n6ButI3E7MLKL5ByLNCoOhF42aBLINkpKSNFRrQ
+40iNoHm3BaNRLKS7poCk5HFkEMjvxdQ1AenNbUa21DTh7y9arHF4CPfi8Ity29jW
+ED8jYK/+bWIaO+YhGkRh8UuD3o5WnOti+9QK56qxkPtkqVTh9vMVHfD0DgVeLvMN
+nZpTplLTfhjzyFJELwE/U+HJ6KIslmqwarJ1Sla+1gHCmJEbzbsrnb6bLtrHtXCZ
+XvmR6B5iRkDVpw==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2pyxMUIv8itj0
+crujL3cNjEcVLNupCX7WLiuyrWMpbUzt77Y+JDSoNb2SNXns4aq9k2v9Q8xO+ni1
+bPBDltCwG+aFjM13WAVwV+Lxviu6WH47r2VHeo319mx1tdMQveh4A030Z+naH/Bk
+dHyCyeg6BHMiN/NsZyisU7IALl1OLr3LJdINBe/J17iG5PGZLU1dyyHWzgiHC0Hx
+uw3Q8gHxANE+0FYOnni5JyFLz3j8clpFHWHkggz9nftzSJRzMTT5h9at/nwrBLMv
+5KnVTvXuiq2ZWgiqp3OsmE170336T3qQtyIM+u/IhoN3b/ay49IuH8k6+LRDkyXm
+zvSmt02zAgMBAAECggEAU2sYHSZwOH+FRGcd8RJdcg+N60rYa2QNzG27wVfUwPfN
+OaHP/qN0dRpOIPdRXvFVlE0+9aVAKxXTiTBers+zMascZgP/VrEZksxgtn1e5TVD
+OakKPVHogdvwfvXylmPVRvJjaOsIb3lExew5bVYfPFgJ6Sfagbi/Z6y1z8VdEbYb
+mI34KSZA4bBAMAHPZLa9TGEx/vbPsBlqpU6k8lcoy3cTkO5fCZW4ZZIpwBwef4uJ
+UozhRgtTtRBiUpk0F9IoOXonZY1Dtpg+HcDMti/FYgahBVe1hadJ+lbVTxH6GxyI
+NJYvptdq5S99UOoJDmCCih0v0ZCUNYWoO0I0vzNncQKBgQDemN7es2fIBstiPjOf
+p103DF5j9Uxq5YH9B3wli0CXf6Z2w5uosONoJWgJZKsHJ6f+YSuHsoE/eCrFF3U9
+lxT9Nie/wYYIGedly/VR143aCdiTXI44m5gxXgwaUcjvY1DpWyEAAmr5XNdoyZ5n
+LNTvOTb4vVo9SgDU7II7rdpRmwKBgQDSD9aBtIy/650suQK/9RiXRU0Kg7LXXVM5
+lavPgLvH55lufJeGSa8+ofCNeo31N4AaVuU4lkGeny9tLNBQbYAoyAz0lf51qK7B
+1u5JqBDyRrIpdkqwbT0FT1pu1LA3+Qg0KQBrTCnOx+YyyVSivR4YMZzJjmwZGKMg
+BWOi0PzhyQKBgGR44dfpaIWbs39zjf+ZHnTza0N4+/YgA60/DKUxloULRArFPeRF
+e0+N2siqnJvNJYGnQGuugbIxPjTZ4rxbDklAgW6HHkVX099Z0TAQuGFbIltZYoRg
+jrBxv8q9cZHD5Uh/LoT/kmNdqYkNwCbX0IDt9UcOyMVzOq7g1eO0FB/TAoGBAMaG
+tWIsMwGHOip0SAcHKtB8bI1NXo5v4yH/NDuOHOqXFcj383S02uzEu8XaV6Ozalx6
+V3SdfTLem0IBIneApajlOGlIAQ9N9qu358ixECMJcYQCCiCnfQ4xqvQoCss7judN
+ANpnRvPotMS2xkhvl6uh594NvlgRksnGjh3oibcRAoGBAJKiu5ajmIkelzAhFMEC
+Slxhg/E+djJ1/SG/FaF8zIyTOxre/QUvmTwFKtHe6A5EfKQo9GCTuHuAcJ1U7eQP
+l2BoY0POqJFpw3s/QOt4g/pOz0YjD9GD6awL5WDfO++s4mnI1Snc3wcu99N4Klax
+htsaEUECJBUF0ZpIFad73s2f
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-2-server.pem
+++ b/FDBLibTLS/testdata/test-2-server.pem
@ -0,0 +1,106 @@
+subject= C = AU, ST = New South Wales, L = Sydney, O = Apple Pty Limited, OU = FDB Team, CN = "FDB LibTLS Plugin Test Server 2, \C2\80 <\01+\02=\03>"
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 2
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 2
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIIEEzCCAvugAwIBAgIJALOPTrQGpeskMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTExMC8GA1UE
+AwwoRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMjAeFw0x
+ODA0MDcxNDE2MDJaFw0yODA0MDQxNDE2MDJaMIGdMQswCQYDVQQGEwJBVTEYMBYG
+A1UECAwPTmV3IFNvdXRoIFdhbGVzMQ8wDQYDVQQHDAZTeWRuZXkxGjAYBgNVBAoM
+EUFwcGxlIFB0eSBMaW1pdGVkMREwDwYDVQQLDAhGREIgVGVhbTE0MDIGA1UEAwwr
+RkRCIExpYlRMUyBQbHVnaW4gVGVzdCBTZXJ2ZXIgMiwgwoAgPAErAj0DPjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAolQZIGMeL5w/Bu2X6lHWjO58u
+HUDtBmr37So4jazhZBSFDBg+QlRMiYGLev9EhvCrUsVcRwtvtcuMI3wfKl7qgbi
+ZX8zmrzZ3YJo9U47NzCa05faOl8uSBvuXuXUBLU342WFP8XDB1W8yOBQMK73xoFv
+DkcxURx9ZtOhdC3EgYKrFqOB1Azl1DB4gLV3h9rHW5QpQ8SqD9CyggcDBpDeZQIP
+4l5YFE9Nb4kEUTscz2wGn4TdHMmcnVpfUxp1Y2o8Umvh4llXHIPhximGb3JJ4QQ
+Sir4ZXeeoooWoJG0sdlqVLroKav/VMGtEu9LyfbrNdKnTJq3ceVQ+HJ2hlMCAwEA
+AaNgMF4wHQYDVR0OBBYEFH61Z8O9vFsVdhM4MBU3poX2UMTEMB8GA1UdIwQYMBaA
+FJFP+HFpDrD0BRU0yE606s6xkqFBMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQD
+AgeAMA0GCSqGSIb3DQEBBQUAA4IBAQCVbxlLGIBCo6/XXjqoMyZc7uQZJj7pGnwh
+nIMs2izCLfax8j+QrThO2Qjn03zT/WF8eG6ibPbjgnw3VFwCkV6oQ+BXG6Yt0xqP
+4rz1LzxSio6HSm26gSk4SQUsVoAtz3OImoTCFVfz+Mixe87pyVXXEEtCYvfU74H9
+I1WGyNkWAxiJbqeIxF5PKoc3EdnT5mfdC6sdeGm7t2neeS8PDFQtJ4UfVIEK5z1C
+MOfQILNkLX2nBYxNqKpV66zf68VZNN9002ZH2FITGqImpj74BEws3sheiuZySdoI
+wnAwRnymIMfAmkf9C7Q2ugId0YMMyesaWrIwSlXlJOHGsA1VrBRD
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpesiMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEApTSBCiUb0amf+QRV2WY6b3bK93D/PSrm4KR/2m2V0lciU1DAk00/kZ52
+ZIZmq8g9EaE2+CaDtU0fMvDZpaZD+vTFRwsx4varehq0ZwX9Wt25i/3G/eGLNlD3
+9E4tDNruK5UQjum4nJ0SV+AdFEGkSfeU3ZJEHYH0NrcbyAUbh0KeWCSwHiYiFJJf
+gBYwRq/HdKNoS/4YvLXzTLR7BSm3YcqWlO5tdkJ2lcT/7Th/Hq1TCW/FKwdQJJBq
+JrbOYGlMrf1pLO7Drei/xhsYkwTQ899MhSjkBRhc+401p41Mky0n8wLkuPJGhoY3
+9QUOjT+Rmvq5yryg0eWGiFquk6Ru5QIDAQABo2MwYTAdBgNVHQ4EFgQUkU/4cWkO
+sPQFFTTITrTqzrGSoUEwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAJfCHU7dm2/2ASyt3wyxivQLxlV6FsEZcF7HcpbbxuB73frGOL4kEoOxvr2X
+fBGyjlPMotbc1MeAalAv+hVHdcAcBFPF7lxtYiV6D7YI5T5yVbWSASG3+DMAiW6S
+GdQi2eyeh00nH7Y1IkW+yaky0enBtWLzrw+XzHl6xT6DIEJnir//PNxvgXTJ5sjk
+6eFAm8HJIqkNQmgfChMQfUH6nm66WwULW6I117RCSkXhIgxZ7wzDq8bXcEdXCrZk
+yy5ket9OiVpbd38JgdYirBLmCQVq0uDOOPLz4ZJmNCzQzEt+38AAK2azAk/eb8W9
+JaKWH+5V8lhlyGw1zQKdNEP/wg8=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIJALfRa36cuemYMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMScwJQYDVQQDDB5GREIgTGliVExTIFBsdWdpbiBU
+ZXN0IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/J+sL
+7POoXNdzYRsMZCI5juxMPOVue5vU2QPU9z/PHBsBICX6tVsCnkzk5CLdM6TxofgX
+F+MqRKxtcIqxBcKjjVecJlqHuNY+jS2r8UjcoQm+EQ5RsBWu8yaSnXIiZTccQNjB
+5T2awwt9Ptbn946MZfq6oEnn4ZPByu9/nCrlk7QXTkuGdpTnC6paQWt/lVxZfELM
+i0g76/K/f3e2Lv9UCvlxKOwFMye9XjwF3ekEmUuio5JZEdn+LIs9zB1zehFhGlYB
+TUXnkZ0LTOPbH9OxsOli04n31/n7UbYq1BSuoiXx5A2eHOunMppa0NDg7oXmDSKE
+A1zo+QtIu1YPXaLdAgMBAAGjYzBhMB0GA1UdDgQWBBSeq0aNrc7mMaWHm8eCndN/
+w0I8qTAfBgNVHSMEGDAWgBSeq0aNrc7mMaWHm8eCndN/w0I8qTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIOw1jC39
+VW+1fqGT+n44Y6Oh66lAowIvi/BEOW1I4iPAjkr0g6FbbdKeq0VLL7aMMu+q/AOv
+UETv7MdVh9xjTLqWZGN0R3Lr/n6ButI3E7MLKL5ByLNCoOhF42aBLINkpKSNFRrQ
+40iNoHm3BaNRLKS7poCk5HFkEMjvxdQ1AenNbUa21DTh7y9arHF4CPfi8Ity29jW
+ED8jYK/+bWIaO+YhGkRh8UuD3o5WnOti+9QK56qxkPtkqVTh9vMVHfD0DgVeLvMN
+nZpTplLTfhjzyFJELwE/U+HJ6KIslmqwarJ1Sla+1gHCmJEbzbsrnb6bLtrHtXCZ
+XvmR6B5iRkDVpw==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwKJUGSBjHi+cP
+wbtl+pR1ozufLvh1A7QZq9+0qOI2s4WQUhQwYPkJUTImBi3r/RIbwq1LFXEcLb7X
+LjCN8Hype6oG4mV/M5q82d2CaPVOOzcwmtOX2jpfLkgb7l7l1AS1N+NlhT/FwwdV
+vMjgUDCu98aBbw5HMVEcfWbToXQtxIGCqxajgdQM5dQweIC1d4fax1uUKUPEqg/Q
+soIHAwaQ3mUCD/uJeWBRPTW+JBFE7HM9sBp+E3RzJnJ1aX1MadWNqPFJr4eJZVxy
+D4cYphm9ySeEEEoq+GV3nqKKFqCRtLHZalS66Cmr/1TBrRLvS8n26zXSp0yat3Hl
+UPhydoZTAgMBAAECggEAVD60NlLYduXzVNfDtVuHEFNGOjSOYfepc/V8gLubo6lr
+IMAAI7rcnpYUM5cU8x0OQfRyR8wzUdSWxfWzBs6R78PSZoRzIcgeIl7Wzn0/g3BS
+To5czuxwqgBKQAFZpPQmZDwcJfr5qqxAn8IvFweCoMqiRlhELcvqDIP0XxWBqDjc
+TNJ988XzZXQmJbjjpWOkUBy2Uqz8lZt8MmxKFpW7SW4tBJwPphnorgjWfjCV/VEh
+ORio0rG74NHFo4f1TSrdU2BcB2cbVJ4B+bcUYRdvYmS5bmokhGF8vir0l43gUEdz
+Fyk6MaPrTI6cinqzenm3q/0eRvNhBE56U0tiGLn14QKBgQDkCkt1Y4LEboSwsVYl
+IXriStqj9p9MOizihh0enhzRXTTQuLX82fNi+bh1LAluwv290Q57pvKa+hB/YciB
+o4s7QfSojxQY9DxqvXN7CvxPWXHTyFY5sL4Rm807+C/a9rd39MxBynz9u/7YRvsA
+s8v8Y/01qIHnTo+mpDvu6HttWwKBgQDFwdRkgstuE+dXZZe8g1ivh3RNPa968TE3
+b8rzF9/nOJV7f6B/n6YEmHD/cHF5mm1bR+zt/jtf1NCRMpazchw3vT3JzQZYMDnM
+SD6vxTs5rG47QLiNyTIRmmD4gsEWBpyvoyP8E/9QdfDT1bWI5zZnky9CquRlN+cu
+J1bTsefEaQKBgGJsRxFNd91MThztDV9NSfptkFyAT1TZLxI+DEdwusNqVSdY8cNG
+VpP7cC+yaAfURSwuFPAtqDxXfdNc4uuBKNDUsMInrubuUz1Gs5cBsNCWrFhZ+U1B
+CWgUNMqTXiRFo/40PAyRVs003NOAH0m4UGyIw3rrVdX9xGaKMAv3b35NAoGATkkl
+I4UDs1f9xQNaxi3Y9ePRjqJUzX6d1SxUU1eoM4ia5IDpsJwqxLb0RKrmwRT5JaGb
+kbuLFazRxCkar38E3Kv1weWAFXlB6DTRXBPgFjzEhoBgjwCO6ZkLulVIysdjT8Rt
+gmUINXn7FGENtFyTlP0XQHUWZVt0ETlRjgxni8ECgYBYv6MoSr0iPjQpxeKvwFDz
+d9zE+ZXN+3GwtkI340lKRSc/f0Uq1TlC2w+DzjyyXcrBwubMQKTKcQQSH9f3YbMu
+DuxVE9AXdlQ1gSQHGjS0qUWwsS/8Xcjk8ZuduAXPGr/MsvsW+FbbZqG8qdZTeMHu
+MSTpOxu9HXC8SHML+y0cpw==
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-3-client.pem
+++ b/FDBLibTLS/testdata/test-3-client.pem
@ -0,0 +1,150 @@
+subject= 
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 1048578 (0x100002)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team, CN=FDB LibTLS Plugin Test Intermediate CA 1
+        Validity
+            Not Before: Jan  1 00:00:00 2017 GMT
+            Not After : Dec 31 00:00:00 2017 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e4:6f:67:4b:e7:d2:1b:0a:ec:f8:92:ae:1e:d4:
+                    e9:00:6b:47:83:ad:4e:9e:e2:cc:52:b0:8a:04:46:
+                    57:1f:f7:32:37:cc:f0:cd:ec:c0:b9:b9:27:b4:19:
+                    33:a1:21:a7:4c:a2:6c:c7:56:31:c4:6a:4f:5f:fb:
+                    92:6c:22:8f:c4:eb:3f:d1:2b:06:c7:7b:6b:90:83:
+                    37:d3:59:1c:c0:da:de:85:a1:dc:e6:9d:e1:d8:fc:
+                    6f:d4:c0:b4:6e:37:3d:d2:d7:4e:4e:04:09:6a:fb:
+                    9f:d3:cf:b1:80:db:7a:78:97:65:e1:bc:8d:5a:fa:
+                    ec:b1:b6:ee:3f:c9:03:83:ab:0a:9a:8e:03:29:88:
+                    42:14:50:80:11:a7:d5:2d:87:c8:bd:25:32:9e:55:
+                    fb:22:ef:9c:64:a8:a4:62:3b:d6:86:43:1a:22:a3:
+                    1c:4b:ee:af:30:70:d3:9c:aa:da:b6:87:61:78:87:
+                    32:0c:0b:b7:44:16:9b:44:1b:4e:6d:f3:98:99:f8:
+                    ed:ae:41:02:5d:52:9a:98:49:c3:24:24:0b:18:7b:
+                    bf:40:ce:37:65:0f:32:0c:1c:5a:47:4b:b0:3f:db:
+                    17:b6:89:68:99:3c:0e:70:84:92:5c:33:cb:6d:2e:
+                    67:c8:af:47:41:87:bd:37:87:88:00:65:1f:7e:7b:
+                    d9:09
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha256WithRSAEncryption
+         0b:5a:f7:7e:e5:93:4b:25:dc:01:eb:20:37:cb:bd:a9:71:3a:
+         af:6d:73:d9:9e:3c:8b:5c:6d:74:45:76:72:02:64:7e:e6:41:
+         bf:29:d7:cd:f8:a7:2d:87:32:6d:25:3f:14:11:2b:95:5a:2e:
+         a8:8b:ba:b1:f9:52:79:b4:5b:ea:fe:b0:ee:b0:9c:14:53:ba:
+         5d:64:aa:b9:d9:ca:17:b2:99:da:34:18:31:56:83:d9:21:8f:
+         20:9e:6a:7f:09:41:2f:36:fa:ab:e7:d1:6c:76:50:d4:51:69:
+         b9:93:ae:9a:eb:8a:6f:a9:91:21:58:a9:3d:53:e8:c1:2c:6f:
+         88:25:65:03:8a:90:9c:8e:58:5d:9a:e2:67:8e:6a:f6:11:19:
+         24:8d:89:b7:11:5e:a8:dc:21:35:7a:9a:78:8a:94:c2:29:84:
+         bb:b7:a5:8e:04:79:dc:db:9d:d7:a7:a3:b7:39:e6:c3:a5:be:
+         83:ad:59:3a:ee:ea:4a:8a:bd:6e:71:c9:e4:a7:46:d5:a3:fd:
+         a0:b1:a3:54:8d:bc:01:fb:68:4c:5a:a2:f5:79:44:f7:b9:e9:
+         7b:db:91:91:74:5b:68:f6:3a:b2:70:ee:e6:49:f4:f1:a6:53:
+         66:13:ce:2f:9e:88:45:66:34:ae:fc:0d:14:02:6f:6a:c9:ac:
+         b5:3f:89:bc
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAfACAxAAAjANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCUN1cGVydGlubzETMBEGA1UECgwK
+QXBwbGUgSW5jLjERMA8GA1UECwwIRkRCIFRlYW0xMTAvBgNVBAMMKEZEQiBMaWJU
+TFMgUGx1Z2luIFRlc3QgSW50ZXJtZWRpYXRlIENBIDEwHhcNMTcwMTAxMDAwMDAw
+WhcNMTcxMjMxMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA5G9nS+fSGwrs+JKuHtTpAGtHg61OnuLMUrCKBEZXH/cyN8zwzezAubkntBkz
+oSGnTKJsx1YxxGpPX/uSbCKPxOs/0SsGx3trkIM301kcwNrehaHc5p3h2Pxv1MC0
+bjc90tdOTgQJavuf08+xgNt6eJdl4byNWvrssbbuP8kDg6sKmo4DKYhCFFCAEafV
+LYfIvSUynlX7Iu+cZKikYjvWhkMaIqMcS+6vMHDTnKratodheIcyDAu3RBabRBtO
+bfOYmfjtrkECXVKamEnDJCQLGHu/QM43ZQ8yDBxaR0uwP9sXtolomTwOcISSXDPL
+bS5nyK9HQYe9N4eIAGUffnvZCQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQALWvd+
+5ZNLJdwB6yA3y72pcTqvbXPZnjyLXG10RXZyAmR+5kG/KdfN+KcthzJtJT8UESuV
+Wi6oi7qx+VJ5tFvq/rDusJwUU7pdZKq52coXspnaNBgxVoPZIY8gnmp/CUEvNvqr
+59FsdlDUUWm5k66a64pvqZEhWKk9U+jBLG+IJWUDipCcjlhdmuJnjmr2ERkkjYm3
+EV6o3CE1epp4ipTCKYS7t6WOBHnc253Xp6O3OebDpb6DrVk67upKir1uccnkp0bV
+o/2gsaNUjbwB+2hMWqL1eUT3uel725GRdFto9jqycO7mSfTxplNmE84vnohFZjSu
+/A0UAm9qyay1P4m8
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpeshMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAyOwdOcYcH3wYou13CchsXh3lLWA85E550tT6/WwDnslQjiMZHFrKvUT2
+B8CUOR3Fr+4RG+cdw80rgojYEUuHKwmIGyjo5IotdaYbWzf6mvYThlIPPudCCkSU
+CTtqPv8Oq4QdIpCxHdix0MINKu7c+qt1rUwnDFQSv/gHhVnNxT4r8pwVp6T4hwka
+2YQaRNjzUuuFinMub0UtxnUX0rH8X5STlOSVn4Ksjo0OhQzsGEYDx86jVAXjgGcb
+2CgGGctgq04hVrngP5ahT1Xeh9YycMlQJXsckJJBxfUJebIjANSRyzxI5fYt+ZkY
+qoG5VLPREUQknxcpbT7Rsj0n+k0RhwIDAQABo2MwYTAdBgNVHQ4EFgQUJdMXt/zc
+d3vGb2BH47hCu+M2jxAwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAGwW7bRqB7aYUGsD1MOE9d5slp6Iw6wKyNLdg+mzoV+iCV2ZM7ejNRButiAy
+vPOxSQwXcibLm/g599e+LY1TiI1XXPbL2bFnTcnThqpHHFe+eRrDgqxO8qJyrcBp
+EfyMCJWq7jFg4bWoYTpLeC/RAKyi9fxlqY1NzQCp1bG3LiaDJ5VJd4uwkgX2a0yN
+3e0XEFNi7r4u4IHejwFjKWrDg8sstjbY+XOYC4EVQyUsbzeKZKSqnOdR2Jv1QZHH
+5O24G/efIFpsA6MVUOfRk0eq0RfKX7CdHn2a5p8aC6E6YMDhXL6xo146n49t9sYD
+HMUnfG6AEboTBa/l+zwCG/u4f/Y=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIJALfRa36cuemYMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMScwJQYDVQQDDB5GREIgTGliVExTIFBsdWdpbiBU
+ZXN0IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/J+sL
+7POoXNdzYRsMZCI5juxMPOVue5vU2QPU9z/PHBsBICX6tVsCnkzk5CLdM6TxofgX
+F+MqRKxtcIqxBcKjjVecJlqHuNY+jS2r8UjcoQm+EQ5RsBWu8yaSnXIiZTccQNjB
+5T2awwt9Ptbn946MZfq6oEnn4ZPByu9/nCrlk7QXTkuGdpTnC6paQWt/lVxZfELM
+i0g76/K/f3e2Lv9UCvlxKOwFMye9XjwF3ekEmUuio5JZEdn+LIs9zB1zehFhGlYB
+TUXnkZ0LTOPbH9OxsOli04n31/n7UbYq1BSuoiXx5A2eHOunMppa0NDg7oXmDSKE
+A1zo+QtIu1YPXaLdAgMBAAGjYzBhMB0GA1UdDgQWBBSeq0aNrc7mMaWHm8eCndN/
+w0I8qTAfBgNVHSMEGDAWgBSeq0aNrc7mMaWHm8eCndN/w0I8qTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIOw1jC39
+VW+1fqGT+n44Y6Oh66lAowIvi/BEOW1I4iPAjkr0g6FbbdKeq0VLL7aMMu+q/AOv
+UETv7MdVh9xjTLqWZGN0R3Lr/n6ButI3E7MLKL5ByLNCoOhF42aBLINkpKSNFRrQ
+40iNoHm3BaNRLKS7poCk5HFkEMjvxdQ1AenNbUa21DTh7y9arHF4CPfi8Ity29jW
+ED8jYK/+bWIaO+YhGkRh8UuD3o5WnOti+9QK56qxkPtkqVTh9vMVHfD0DgVeLvMN
+nZpTplLTfhjzyFJELwE/U+HJ6KIslmqwarJ1Sla+1gHCmJEbzbsrnb6bLtrHtXCZ
+XvmR6B5iRkDVpw==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDkb2dL59IbCuz4
+kq4e1OkAa0eDrU6e4sxSsIoERlcf9zI3zPDN7MC5uSe0GTOhIadMomzHVjHEak9f
+5JsIo/E6z/RKwbHe2uQgzfTWRzA2t6FodzmneHY/G/UwLRuNz3S105OBAlq+5/T
+z7GA23p4l2XhvI1a+uyxtu4/yQODqwqajgMpiEIUUIARp9Uth8i9JTKeVfsi75xk
+qKRiO9aGQxoioxxL7q8wcNOcqtq2h2F4hzIMC7dEFptEG05t85iZ+O2uQQJdUpqY
+ScMkJAsYe79AzjdlDzIMHFpHS7A/2xe2iWiZPA5whJJcM8ttLmfIr0dBh703h4gA
+ZR9+e9kJAgMBAAECggEBAKC87x+PQN18g6CpfdH+GPINiuXR9ieBCSsKRCOb50R7
+6Z8wGyWbeUV2TsTAkv7HsnQPOqHNOfmuoKm2WKK0cxuqOV6SexO0+cxXONoDs2LU
+342ChvDTmY7YmkxHSO7g+iS5EcV9u67G3gDp/Unhpjzis3Ly/ThOpmyqftztMgbb
+6KKfgGi3VL+fZ2x8gQt0II2QcO6GIzrPcn9ruEM6tXJhQ50YaSCeCmseKBvKuWPW
+b/Gj7wgYhsiMW+nt8QjVam99eCQ6Q94CsapWRdGpj1Nrd4ISREbqr8x4fmcbiSO6
+6HZyUidxZIxr2Y4/BTd/BiIqXXdKAMoCVElmyE09P4ECgYEA9IkOkHq1jDLAmppd
+fNSC/ndmITS0imvwzTTubXKOTn3yZHVxk2/ld83aauGA3UwAueW4Hh0hJdIWqC0d
+IyaNj3EhcVbidyYwvXdChlPuQ1uccu/earhzsbaFwqNoLVgMrPcB5QcMKUs2/s4Q
+tBXOqNlFjDZ+bkHQyGXtFYJzknECgYEA7yUcJqf2jB5e4LWG4Se4zD1E/ccZH3t8
+nhuXa6nDsx2trZBknHpQmc85WzbBITD+LRaamlYpnB1Ueiyr7/Efamtls7NvnoQN
+14cNFnnj5HooTHJHgNBuL/M3hr/q8uK4lR6bu/DOfzUfRGowX3pj+POB01ObPdm8
+BUTFwmfJTBkCgYEAkakqccmGZxK8Q9t7oKX9uZJp1ZHNkT6m27WR6MP6HKtNPaXv
+l4Fp0KlgV5Yn6qohLJq3x8hWPG8ea+MjnhKS9ETRRPAaShsHoXRuvhE0tg7V7GkR
+tcRVtiAhIUWxAoGWW1lvWXuPNPHGupUIwhzTUyTJFrJHMWom8Zg1V0CzkyECgYEA
+0JpPXwzejEUlv9+4owhyM34ygyg8KvEduBEbWWfBdKmryR2OFczAKBrRzlYJy3kg
+DpaMD5qfOzV+bgAvjuKG496A3WrlL6HDLUD50qRKfQ9tvZll8+BcbWk8A0e/m1TX
+bARCFoOsrNvaxWPXhEGPmSZYFc31OdOHJhViZ/z+Y2kCgYEAphx6cPXLMcgv0ivj
+SgIG09vo3hGA5r06FkLtGL677CTvYsk/Equ5TkG0AIJ0acY9wiabk6zyM/9XjRAp
+Nf8qYzhaMxJiyw+JEXmud4Dc41DqjGm9bLV4tKSR+7xzPBP9Q/QLxfRvArBOKhiX
+L5fWmM5SQAoHsf124DTKckNirLI=
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-3-server.pem
+++ b/FDBLibTLS/testdata/test-3-server.pem
@ -0,0 +1,101 @@
+subject= 
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAfACAxAAATANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCUN1cGVydGlubzETMBEGA1UECgwK
+QXBwbGUgSW5jLjERMA8GA1UECwwIRkRCIFRlYW0xMTAvBgNVBAMMKEZEQiBMaWJU
+TFMgUGx1Z2luIFRlc3QgSW50ZXJtZWRpYXRlIENBIDEwHhcNMTcwMTAxMDAwMDAw
+WhcNMTcxMjMxMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA43+uFNDYKXQQ4fmSencxdm/mfM6FAlGwRBWotptutznfH0N+ulp5RhjRcbGb
+AHwPOBBNEBSIV3LhdPXep3NcmSkfaMdnPEgrurI0DLYbxZryEXdJZyoueT+w4TNx
+I5mNlZDKD5bH5rhV/dUAmK/+LpWuxWraWYaHBZBsuqpb0MF6IZJAN9Ve9JiKHeiY
+6ecz/o9XIrFFeWKMncHwBV1taPPoG2Ksjv8UlqqehrYXG+md958MXf69dkuQJLCS
+rojPOkhUroixvGiXJBRSFCyVhQxPCLyASsEv8qPEKMUiW4oY3w5R9RQmw97AHlA1
+7xB4mGZTZEjUIOYDdd8LyuRpawIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHMAsm
+zLtFnDaYaOgJdPpi9VAUkZpbSXcA3a02PzOvLN9VV1Fogf1+F0zYFlWbiYGIwcI4
+3YfuFr97/e0uEQd6pwGc8/a63q+CunGz+HPStWZm+2ZgmJhBH6i1RwmhA9rH6rGK
+j2UghYIYT83gn6S2XSfUwzV8gCw+JjJwczcjGpOf9dRCAEsRDcRwUX7rI16cE2tZ
+SLzYB/Kg3wSnUXTKXRJfg6VbVRPFXHQlRYpOxe2z5LWoTEo2uYuHgYO+DzSO9pEj
+WgyKBwcc+L3zIZFYCqc9EN//QrLlXsiwSDVMvtzVnzvIQKcGF7OE22NyojTaMzQL
+2h8UA9W0Mew5PTSl
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpeshMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAyOwdOcYcH3wYou13CchsXh3lLWA85E550tT6/WwDnslQjiMZHFrKvUT2
+B8CUOR3Fr+4RG+cdw80rgojYEUuHKwmIGyjo5IotdaYbWzf6mvYThlIPPudCCkSU
+CTtqPv8Oq4QdIpCxHdix0MINKu7c+qt1rUwnDFQSv/gHhVnNxT4r8pwVp6T4hwka
+2YQaRNjzUuuFinMub0UtxnUX0rH8X5STlOSVn4Ksjo0OhQzsGEYDx86jVAXjgGcb
+2CgGGctgq04hVrngP5ahT1Xeh9YycMlQJXsckJJBxfUJebIjANSRyzxI5fYt+ZkY
+qoG5VLPREUQknxcpbT7Rsj0n+k0RhwIDAQABo2MwYTAdBgNVHQ4EFgQUJdMXt/zc
+d3vGb2BH47hCu+M2jxAwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAGwW7bRqB7aYUGsD1MOE9d5slp6Iw6wKyNLdg+mzoV+iCV2ZM7ejNRButiAy
+vPOxSQwXcibLm/g599e+LY1TiI1XXPbL2bFnTcnThqpHHFe+eRrDgqxO8qJyrcBp
+EfyMCJWq7jFg4bWoYTpLeC/RAKyi9fxlqY1NzQCp1bG3LiaDJ5VJd4uwkgX2a0yN
+3e0XEFNi7r4u4IHejwFjKWrDg8sstjbY+XOYC4EVQyUsbzeKZKSqnOdR2Jv1QZHH
+5O24G/efIFpsA6MVUOfRk0eq0RfKX7CdHn2a5p8aC6E6YMDhXL6xo146n49t9sYD
+HMUnfG6AEboTBa/l+zwCG/u4f/Y=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIJALfRa36cuemYMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMScwJQYDVQQDDB5GREIgTGliVExTIFBsdWdpbiBU
+ZXN0IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/J+sL
+7POoXNdzYRsMZCI5juxMPOVue5vU2QPU9z/PHBsBICX6tVsCnkzk5CLdM6TxofgX
+F+MqRKxtcIqxBcKjjVecJlqHuNY+jS2r8UjcoQm+EQ5RsBWu8yaSnXIiZTccQNjB
+5T2awwt9Ptbn946MZfq6oEnn4ZPByu9/nCrlk7QXTkuGdpTnC6paQWt/lVxZfELM
+i0g76/K/f3e2Lv9UCvlxKOwFMye9XjwF3ekEmUuio5JZEdn+LIs9zB1zehFhGlYB
+TUXnkZ0LTOPbH9OxsOli04n31/n7UbYq1BSuoiXx5A2eHOunMppa0NDg7oXmDSKE
+A1zo+QtIu1YPXaLdAgMBAAGjYzBhMB0GA1UdDgQWBBSeq0aNrc7mMaWHm8eCndN/
+w0I8qTAfBgNVHSMEGDAWgBSeq0aNrc7mMaWHm8eCndN/w0I8qTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIOw1jC39
+VW+1fqGT+n44Y6Oh66lAowIvi/BEOW1I4iPAjkr0g6FbbdKeq0VLL7aMMu+q/AOv
+UETv7MdVh9xjTLqWZGN0R3Lr/n6ButI3E7MLKL5ByLNCoOhF42aBLINkpKSNFRrQ
+40iNoHm3BaNRLKS7poCk5HFkEMjvxdQ1AenNbUa21DTh7y9arHF4CPfi8Ity29jW
+ED8jYK/+bWIaO+YhGkRh8UuD3o5WnOti+9QK56qxkPtkqVTh9vMVHfD0DgVeLvMN
+nZpTplLTfhjzyFJELwE/U+HJ6KIslmqwarJ1Sla+1gHCmJEbzbsrnb6bLtrHtXCZ
+XvmR6B5iRkDVpw==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDjf64U0NgpdBDh
+ZJ6dzF2b+Z8zoUCUbBEFai2m263Od8fQ366WnlGGNFxsZsAfA84EE0QFIhXcuF0
+9d6nc1yZKR9ox2c8SCu6sjQMthvFmvIRd0lnKi55P7DhM3EjmY2VkMoPlsfmuFX9
+1QCYr/4ula7FatpZhocFkGy6qlvQwXohkkA31V70mIod6Jjp5zP+j1cisUV5Yoyd
+wfAFXW1o8+gbYqyO/xSWqp6Gthcb6Z33nwxd/r12S5AksJKuiM86SFSuiLG8aJck
+FFIULJWFDE8IvIBKwS/yo8QoxSJbihjfDlH1FCbD3sAeUDXvEHiYZlNkSNQg5gN1
+3wvK5GlrAgMBAAECggEAAVjMKwthfD1XrD7SAy+Zd14KO0rttqnNJVoLealJ6oPJ
+MmIv6eKHPUcAVm/6vvH9FRPjoOi+NeZUN2ENRGiGb9GygehMUCsNNzm+3SRm3bCh
+JkFSie3SAJ3D6lFnphJOqEgHKjh2ToNg3vPX4Q+JrbTtJ/YN/OGzAvFr81721DGO
+L7Hs6foBHKrLeibbguVRdc5zc/WtWjGPFhNAmR9qincM3Q9DrUUHjbJzTS1UXDVT
+zssTUTZe9TLd4buqHjLLfmiPoTV8qzv5l4RwkmuuLIT+5mO7X41glwdOkBfk+Cum
+BZjrjgTDXbqLNXjMsvXkG1hCZQ6qwdT4GINYlYSiQQKBgQD4pJf7xLaX53rj+LDc
+HY3TbWDdyS7h7cq4ZoKa1xPt4Va3xIAIst20edTr6tBYtNygjFZwIkPFYGwdGKVK
+CqbpzTxVl8p5I3uoUmIFDo8hX7ChLC928K9lfD62agU85ZfP9Vly4zvDG2sIvxpw
+HUY/96VhdSG3fssWYvg3dYUGCQKBgQDqOuyrcTHaZujFMN+MIuUExgYOMS0R0O4T
+zCMtWIEkjntSk4CBMsHSb/dZH3CbFB90GjS+WklfTBd6kZ8tBO35vtM6nz5NPCEr
+2umqJR5hijHV2tB98qV9qJttJrH/z0VKuuZBa14S1rJwGpX9ZoOULwcOGK3VC9pQ
+YnH7Wdjw0wKBgFtBZXqE7xL/ZS4IVzjiK+xeJ4Ae13MaKB3XmbWknG7hFkep+ee3
+ZgFX+ZqAeukjsBnIh+zt1nu5cNSY+Akdsbb7mVo8tJYTPM5BNjJu7n8sNJJiuiTo
+HyebGxUuAjAgf8BWZvbwiT2JcZYrNVPSmrbdeDg1miNTiMv1lO4d1q2pAoGBANq8
+oFwSX24IAIR1+a2SwLDOhMUoI2Cp7ktKrecg6alL7drVqIH+9oYgzarK84u/JQh1
+mJ/TDQYTtzFdYHrYSaybCgOKxtG1v3yG+QNNmquYNKXzrBSSTv2kQVGTe1LbK2h4
+VaLuM3IAUa7jBQMZgvMVX89IOL3mTcAXzz3dT/zFAoGBAI/pVbABfPihWZ1MrmTN
+pnRmQ0461J0WGT+fIgAPR+R+umckHaOVAGiSQomfNrUBbsydoZYu/by7GhIGsDeO
+8XKwEP/HLRrABvZu4KLTxa+qTnW/t6BSIfFwQmrNMofxcFRbdzNAODKjyaJG2dqT
+ksg9s2SxReRrGOeb43CAw5SC
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-4-client.pem
+++ b/FDBLibTLS/testdata/test-4-client.pem
@ -0,0 +1,80 @@
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Client 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIJALOPTrQGpeslMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTExMC8GA1UE
+AwwoRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMTAeFw0x
+ODA0MDcxNDE2MDJaFw0yODA0MDQxNDE2MDJaMIGIMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5vMRMwEQYDVQQKDApB
+cHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEoMCYGA1UEAwwfRkRCIExpYlRM
+UyBQbHVnaW4gVGVzdCBDbGllbnQgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALVkdxOmWcd959NyirJ1iz7q5fkjdRUV+88KMMehQWc3f50GJIQ+eZo+
+7RhwVE+n8nd0i5iGfyY6LRuupdwoQUxoZ/5rUIDGKspNO62DVRW+tZqzpEa1+ub5
+75BMoc7I7l9sXDkuiMu1OYcPNKMv4F3mf+B3ourLqjUekKlUv8XIZXAvN+R19HlR
+FM8vs8rnhQXx7iWVP91frDvyD8G7lOf6R7R4homnB37kLom8WU+fCmcyA6em0qX0
+JeVP6xk2qXU1cMs7DL8WftdrWHv+a73/l4hytQHo5OvtGaLZhpPYpC/FMSaFHVSM
+irWSFK+ZtvaLi3LXc2HGANMokjPoRf8CAwEAAaNgMF4wHQYDVR0OBBYEFPtTL9KZ
+jn49cLediy1ixz7AXOI3MB8GA1UdIwQYMBaAFCXTF7f83Hd7xm9gR+O4QrvjNo8Q
+MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBBQUAA4IB
+AQA17a4d/tSWIlTkIfkrXziD21+1OsN6/dUrWQK7kxtEe21QXIutccW4bwpM0JDB
+M+bZiWkdgQ15+ZotX5UXlBcx9WWDU5RqSO06hhXu5b8gZwfVF4Od6tBdVxkn4KbU
+0YujOZrL8fDOrQHqCO7nhNlYgcEn7bKF5wjtOoiKhtA9sLSIZQR5g32kkJXXGvcY
+lLWMXygEg9FMQoldW9RHq4GbUiYEeqEq6k4S7cE03R1lvmQEOOAJ2S7LnaS4UHQT
+GmW6uvLnJJrG4HB9JGE+y1e9M+C7Enzhi39RGd8ylignGimkdw/1UEWnvKGCqoU7
+ufWGF7eUV8dCqO+jYghIY8rA
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpeshMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAyOwdOcYcH3wYou13CchsXh3lLWA85E550tT6/WwDnslQjiMZHFrKvUT2
+B8CUOR3Fr+4RG+cdw80rgojYEUuHKwmIGyjo5IotdaYbWzf6mvYThlIPPudCCkSU
+CTtqPv8Oq4QdIpCxHdix0MINKu7c+qt1rUwnDFQSv/gHhVnNxT4r8pwVp6T4hwka
+2YQaRNjzUuuFinMub0UtxnUX0rH8X5STlOSVn4Ksjo0OhQzsGEYDx86jVAXjgGcb
+2CgGGctgq04hVrngP5ahT1Xeh9YycMlQJXsckJJBxfUJebIjANSRyzxI5fYt+ZkY
+qoG5VLPREUQknxcpbT7Rsj0n+k0RhwIDAQABo2MwYTAdBgNVHQ4EFgQUJdMXt/zc
+d3vGb2BH47hCu+M2jxAwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAGwW7bRqB7aYUGsD1MOE9d5slp6Iw6wKyNLdg+mzoV+iCV2ZM7ejNRButiAy
+vPOxSQwXcibLm/g599e+LY1TiI1XXPbL2bFnTcnThqpHHFe+eRrDgqxO8qJyrcBp
+EfyMCJWq7jFg4bWoYTpLeC/RAKyi9fxlqY1NzQCp1bG3LiaDJ5VJd4uwkgX2a0yN
+3e0XEFNi7r4u4IHejwFjKWrDg8sstjbY+XOYC4EVQyUsbzeKZKSqnOdR2Jv1QZHH
+5O24G/efIFpsA6MVUOfRk0eq0RfKX7CdHn2a5p8aC6E6YMDhXL6xo146n49t9sYD
+HMUnfG6AEboTBa/l+zwCG/u4f/Y=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1ZHcTplnHfefT
+coqydYs+6uX5I3UVFfvPCjDHoUFnN3+dBiSEPnmaPu0YcFRPp/J3dIuYhn8mOi0b
+rqXcKEFMaGf+a1CAxirKTTutg1UVvrWas6RGtfrm+e+QTKHOyO5fbFw5LojLtTmH
+DzSjL+Bd5n/gd6Lqy6o1HpCpVL/FyGVwLzfkdfR5URTPL7PK54UF8e4llT/dX6w7
+8g/Bu5Tn+ke0eIaJpwd+5C6JvFlPnwpnMgOnptKl9CXlT+sZNql1NXDLOwy/Fn7X
+a1h7/mu9/5eIcrUB6OTr7Rmi2YaT2KQvxTEmhR1UjIq1khSvmbb2i4ty13NhxgDT
+KJIz6EX/AgMBAAECggEAEm2Mc2CZCl1OKfsfABZU+SVgC7mAcY30MQp1/jHxtQy8
+WDWBjDXUoMj3yV3QEu+bAGvEqtAvJrEOWBucGgu05pBM0FoSqaJ4QmkqQOxwvm7L
+gFXzwINIZCLMJbrDTYC4RtV5YQ3LM/bLS19OF64Lez6piyJcWMIsHo1mYO2NNgiD
+7f1x1uQw46Q0YHWeoHY58MPfmgfKsqnJDWc8cCuU9fJOWeU4dVrfW8dh9WVAoLZ7
+qAM5vvap11Qk8RXaRnmLjxN6H1M7iVNfcLVNKfG6XOBBepYjZr/qMkuN3ONuqBHl
+fC3Zia2zQZRfiuPspX0KhjCfYAKbIZC6oyrQM2uXgQKBgQDoD5voZiCOeGXJEMUk
+9JV4V8A96aE0xxy+OHMogVpysxBO4V0Nh0krSLTt9NXnpjawZQ+3pLQ4+2J2XM2e
+fJuJJ7Z+Mhjv6epnMM7FoxK1VF7oe+LE7Yk/kg/moCuVS/XhLdQrhZVBJhfEADS3
+oFybf7Q6rJYtN3OYsiFymyneHwKBgQDIGsY5kGdmx27LS5rPMwdw632TF8G5BGbu
+C3ty7LYkOWb/9/V4cuWjW4eLJQqCWbJQrzOvg0coxwXLUuEQik+IP2IkF0YlRS43
+VJuULwOxi3Cbj51RoapHhmYTO9fe2A1N9oJMAqEUHY1q/r9txPcguRWyuH2Yv9Ih
+OzHnc2DcIQKBgQCGW0MxMq/2zM5hs0vxMYq4ulWbgwDKxd1mZNiHwxzS+8mdYe22
+P3WlkdrvSqnuDNXtGxYWhU2zEBjZ3rFN6WdD6bJHLkox3YTRafjNhLT4N3kbsV6C
+FeU44SBDrsiNEAWz8gy9hgH8TknEOTpMdpQnk7CNqA7q7wgGiFvFNwDukQKBgG7i
+R03Gs0XE5aRJtPN0N39fPyqvU24O/mqSekno2dWg6W6WHLQuFwo6whVc5UHuKl2D
+eISdnmT+RDuzJXxg6El7tgqByyEEAOQwQjYPB2Du/+tz3Z1KlG0mEJI/6xNVbany
+G6m7Gz9mUOMlXzaYmsjLRzbN/OsUAIDhqHm0+cuBAoGAZCND80akS3xr3yC87GyX
+aA0RoHXbdB6dbP8Y6XYDXR4QFIA4kXwY5cCLaZA/0hP5FOzDhORmaoaPM8vUdNyb
+IYvbw2H6tODiU5oICWY6+HQQ2nXikucI4HDYDLbsiV2htZkEmBYWLilYq0Tb8jC5
+u+ehIIvZYLqKaY1GaKmF86A=
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-4-server.pem
+++ b/FDBLibTLS/testdata/test-4-server.pem
@ -0,0 +1,80 @@
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Server 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 1
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIJALOPTrQGpesjMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTExMC8GA1UE
+AwwoRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMTAeFw0x
+ODA0MDcxNDE2MDJaFw0yODA0MDQxNDE2MDJaMIGIMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5vMRMwEQYDVQQKDApB
+cHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEoMCYGA1UEAwwfRkRCIExpYlRM
+UyBQbHVnaW4gVGVzdCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAJp26QAmlMusO7C8Py/I117r3kHvB+My5kIrj8g9sKpktwTzmsJGpvJU
+EaKISEdBsJHLGnZJhwIhr/+MG4WDEM4oFNCtBQZznV3wjIQWq1w4IO8/f3+nBPpW
+f14fjs1E911Uo/ZOL9bxvh1SIHkS6itgJi+tgVPx7C3s3W3mC5nU3omsE+Rx4DDm
+KUq1kyN1ELBIAceQ4wTmQ5B8dv6MSW7zt8Jdrhfhg2GJIPPB6XUZJ2yIOvgu55GW
+J5sMPa0uNDfCsWJ37fzFm+XJ/D96t7x8I49IyfzbIgcU9JYFlcqkryvKh5IpQGGm
+H/I6adIWa5xWpMhB2PA6kgtDD07Hu2sCAwEAAaNgMF4wHQYDVR0OBBYEFJ7S+FUz
+9ngzH/TNPVeM/cE7LeBGMB8GA1UdIwQYMBaAFCXTF7f83Hd7xm9gR+O4QrvjNo8Q
+MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBBQUAA4IB
+AQAx6WHwikVFAH0TRYCznwO6He+0t2pnlyfrI+24N28tzupMSrRPs086UbLgHLz1
+lbkYdheeOkLPzjWi5vfymL1Oua3E2iAXWEpMb4Sg7E5SVHp9yt6gZ0DTVwR+Gcu7
+uooroidAG3OFeOXL5ivU5J5ipaoEAiLprpKxtPzo4z/TxIqw3kJISC56qw9VTJNQ
+TQZvneUecykdIZuH61ih0cJLe5WRkEs/63Dgl8TBYiVDbvBSGRbsXoAXcspVlc2x
+XOLey5IVJ4/TH5ZBobShC6J1KrjZTNYvUgc44CocOgrc0ePPiQzB7JXxR1H8ATGl
+yKjWqT2PkrfHmjdcmsi2GIVt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpeshMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAyOwdOcYcH3wYou13CchsXh3lLWA85E550tT6/WwDnslQjiMZHFrKvUT2
+B8CUOR3Fr+4RG+cdw80rgojYEUuHKwmIGyjo5IotdaYbWzf6mvYThlIPPudCCkSU
+CTtqPv8Oq4QdIpCxHdix0MINKu7c+qt1rUwnDFQSv/gHhVnNxT4r8pwVp6T4hwka
+2YQaRNjzUuuFinMub0UtxnUX0rH8X5STlOSVn4Ksjo0OhQzsGEYDx86jVAXjgGcb
+2CgGGctgq04hVrngP5ahT1Xeh9YycMlQJXsckJJBxfUJebIjANSRyzxI5fYt+ZkY
+qoG5VLPREUQknxcpbT7Rsj0n+k0RhwIDAQABo2MwYTAdBgNVHQ4EFgQUJdMXt/zc
+d3vGb2BH47hCu+M2jxAwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAGwW7bRqB7aYUGsD1MOE9d5slp6Iw6wKyNLdg+mzoV+iCV2ZM7ejNRButiAy
+vPOxSQwXcibLm/g599e+LY1TiI1XXPbL2bFnTcnThqpHHFe+eRrDgqxO8qJyrcBp
+EfyMCJWq7jFg4bWoYTpLeC/RAKyi9fxlqY1NzQCp1bG3LiaDJ5VJd4uwkgX2a0yN
+3e0XEFNi7r4u4IHejwFjKWrDg8sstjbY+XOYC4EVQyUsbzeKZKSqnOdR2Jv1QZHH
+5O24G/efIFpsA6MVUOfRk0eq0RfKX7CdHn2a5p8aC6E6YMDhXL6xo146n49t9sYD
+HMUnfG6AEboTBa/l+zwCG/u4f/Y=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCadukAJpTLrDuw
+vD8vyNde695B7wfjMuZCK4/IPbCqZLcE85rCRqbyVBGiiEhHQbCRyxp2SYcCIa//
+jBuFgxDOKBTQrQUGc51d8IyEFqtcOCDvP39/pwT6Vn9eH47NRPddVKP2Ti/W8b4d
+UiB5EuorYCYvrYFT8ewt7N1t5guZ1N6JrBPkceAw5ilKtZMjdRCwSAHHkOME5kOQ
+fHb+jElu87fCXa4X4YNhiSDzwel1GSdsiDr4LueRliebDD2tLjQ3wrFid+38xZvl
+yfw/ere8fCOPSMn82yIHFPSWBZXKpK8ryoeSKUBhph/yOmnSFmucVqTIQdjwOpIL
+Qw9Ox7trAgMBAAECggEAOZAMvsCh/NDfobpVddJL6JTPzBRvBQ1H3+rp9z5+ItHL
+nq3Fw5aeynnn5IETJnLlgT+GSgSWqoWxV/N3oia40YsATs/bqo7VW1e0ldj43TIR
+m/c25XRxl3U6m/H4vqhv4rkTLUvv6hNGvRiI/3W8DJQVRvlK0+S5FlhKIJV1R0sH
+tp5vmaPp09Ln+NVno3u3iaYkVgVME4Ukul2i03sQ9OgvZSBCaVr//fMpiPdBeeN6
+QY6XHjeGQRnP/UdzMYJ4Qz1yovL1ntneaTMdz/GkKuAFoNNh8Vr2kiEskW17OWPB
+ZGcIT6YpBEPo34xXUhUQt7ylFPxGH+zZyHZ3vb8j6QKBgQDJPeu/iPg+M5nz5gO5
+ge9gzYrhxK/1mwbFlD7qt1NjOSm6xWxUcss3STjuG7jB0c+NopIUoq/egsUnxrRm
+4l17uOCYNLbhTJ2ynfv6QnUMxW5Xkve3DkLa2bze/fhMUywTy8N4A7z0+y35qzm3
+lY4rLmQOQKPkmqWRnxU1u8fjFQKBgQDEfpOZ0fp2D/1gTG+D+/zrMEbjnNn3ZO8I
+wrjoXwRxcRggt7lJhxgQpwtDr98IqYkDzX7bvyMFJuyTii3NM6NYycpA1pHX70B/
+xMvOcrgJnIUAoJ7nl43Or7s8bFTPDLaD9PNGHjrlkF3JOXqSKEbw367jHVOa4SYr
+OjrogjrEfwKBgQDHU2a7ax5+9btqggx0ZQfGOTBzmM60lZ3qe4CqGXUl1YvIrB01
+tBImq4cRCTJB/9/1qO3KNK2/1oUTddRgB5ySnDcRaz0tASc9sQ/Q/JxVTwSRB0gG
+78A2Zu6VbLbQWp1Q6kWtDP7PJC+QmRFtDlwn1yZRm6L6HlcaWpi2hU1iVQKBgCEu
+ashv8Aad3qCzZ6V3GReyOFZZd2lSjxcAou8ClKJ/gZ6Mx+pFuOee/cT5XwV8c5nD
+yuda2JQXJZ4omGFtlej5coEOeuRnD5JD7lK3hqKA3ujjNtJPAnBjto+Wj5/DOtL/
+u1Ec6782aNABN9SUnp4wd7z8h9DAsoxcMfRvgXMLAoGBAJ9gGttfqZbuPz9V0rAo
+p05SPPado1i5+2dUOScIbNB6+vQij9IlR2Tzu1T9DwzrBqTDPPmSggeA/JXeTvh6
+Skb9fDukizeDfwPYUN2gljhiJEqFdpRBr5vP0lFi291+a0jMW1zldrumxCcGKMyU
+D5ReKLp/zSQSQi/Wt4FF1II7
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-5-client.pem
+++ b/FDBLibTLS/testdata/test-5-client.pem
@ -0,0 +1,80 @@
+subject= C = AU, ST = New South Wales, L = Sydney, O = Apple Pty Limited, OU = FDB Team, CN = "FDB LibTLS Plugin Test Client 2, \C2\80 <\01+\02=\03>"
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 2
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 2
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIIEEzCCAvugAwIBAgIJALOPTrQGpesmMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTExMC8GA1UE
+AwwoRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMjAeFw0x
+ODA0MDcxNDE2MDJaFw0yODA0MDQxNDE2MDJaMIGdMQswCQYDVQQGEwJBVTEYMBYG
+A1UECAwPTmV3IFNvdXRoIFdhbGVzMQ8wDQYDVQQHDAZTeWRuZXkxGjAYBgNVBAoM
+EUFwcGxlIFB0eSBMaW1pdGVkMREwDwYDVQQLDAhGREIgVGVhbTE0MDIGA1UEAwwr
+RkRCIExpYlRMUyBQbHVnaW4gVGVzdCBDbGllbnQgMiwgwoAgPAErAj0DPjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALanLExQi/yK2PRyu6Mvdw2MRxUs
+26kJftYuK7KtYyltTO3vtj4kNKg1vZI1eezhqr2Ta/1DzE76eLVs8EOW0LAb5oWM
+zXdYBXBX4vG+K7pYfjuvZUd6jfX2bHW10xC96HgDTfRn6dof8GR0fILJ6DoEcyI3
+82xnKKxTsgAuXU4uvcsl0g0F78nXuIbk8ZktTV3LIdbOCIcLQfG7DdDyAfEA0T7Q
+Vg6eeLknIUvPePxyWkUdYeSCDP2d+3NIlHMxNPmH1q3+fCsEsy/kqdVO9e6KrZla
+CKqnc6yYTXvTffpPepC3Igz678iGg3dv9rLj0i4fyTr4tEOTJebO9Ka3TbMCAwEA
+AaNgMF4wHQYDVR0OBBYEFKO2/D1IhG8KWFwR6OdyoFqEzIWAMB8GA1UdIwQYMBaA
+FJFP+HFpDrD0BRU0yE606s6xkqFBMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQD
+AgeAMA0GCSqGSIb3DQEBBQUAA4IBAQAQV3FjsvZvwi5Oi/oSc7Du/BQS9nQ/D4j6
+IeYpd3M0y50awZB83BReYrhdC907xKkLRD0R8oEPDEg5SaSj3vRML4kaUUqnEINW
+4JQtv4wNO9CagYriGg8ygQa0xd683svHeXDet3ov11XN/Ms8lfDiOUp2291HgeTW
+8hqn1DaNfZrCb3EkdoNThwVKIUzQtEPBuPkLE+XT8kZP5d8KHmv8/9L39NdZY32d
+fzKGBeCxZ34pQS0cTap3rZ02nDfV2vNevODRyuqdhs7EQps2Oe1IfPB9GSE0OFUQ
+tdphxSjsv1BcHpTwBDpIITKarnceMIKxQjcZU3yPv5ibIaGCgZOt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpesiMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEApTSBCiUb0amf+QRV2WY6b3bK93D/PSrm4KR/2m2V0lciU1DAk00/kZ52
+ZIZmq8g9EaE2+CaDtU0fMvDZpaZD+vTFRwsx4varehq0ZwX9Wt25i/3G/eGLNlD3
+9E4tDNruK5UQjum4nJ0SV+AdFEGkSfeU3ZJEHYH0NrcbyAUbh0KeWCSwHiYiFJJf
+gBYwRq/HdKNoS/4YvLXzTLR7BSm3YcqWlO5tdkJ2lcT/7Th/Hq1TCW/FKwdQJJBq
+JrbOYGlMrf1pLO7Drei/xhsYkwTQ899MhSjkBRhc+401p41Mky0n8wLkuPJGhoY3
+9QUOjT+Rmvq5yryg0eWGiFquk6Ru5QIDAQABo2MwYTAdBgNVHQ4EFgQUkU/4cWkO
+sPQFFTTITrTqzrGSoUEwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAJfCHU7dm2/2ASyt3wyxivQLxlV6FsEZcF7HcpbbxuB73frGOL4kEoOxvr2X
+fBGyjlPMotbc1MeAalAv+hVHdcAcBFPF7lxtYiV6D7YI5T5yVbWSASG3+DMAiW6S
+GdQi2eyeh00nH7Y1IkW+yaky0enBtWLzrw+XzHl6xT6DIEJnir//PNxvgXTJ5sjk
+6eFAm8HJIqkNQmgfChMQfUH6nm66WwULW6I117RCSkXhIgxZ7wzDq8bXcEdXCrZk
+yy5ket9OiVpbd38JgdYirBLmCQVq0uDOOPLz4ZJmNCzQzEt+38AAK2azAk/eb8W9
+JaKWH+5V8lhlyGw1zQKdNEP/wg8=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2pyxMUIv8itj0
+crujL3cNjEcVLNupCX7WLiuyrWMpbUzt77Y+JDSoNb2SNXns4aq9k2v9Q8xO+ni1
+bPBDltCwG+aFjM13WAVwV+Lxviu6WH47r2VHeo319mx1tdMQveh4A030Z+naH/Bk
+dHyCyeg6BHMiN/NsZyisU7IALl1OLr3LJdINBe/J17iG5PGZLU1dyyHWzgiHC0Hx
+uw3Q8gHxANE+0FYOnni5JyFLz3j8clpFHWHkggz9nftzSJRzMTT5h9at/nwrBLMv
+5KnVTvXuiq2ZWgiqp3OsmE170336T3qQtyIM+u/IhoN3b/ay49IuH8k6+LRDkyXm
+zvSmt02zAgMBAAECggEAU2sYHSZwOH+FRGcd8RJdcg+N60rYa2QNzG27wVfUwPfN
+OaHP/qN0dRpOIPdRXvFVlE0+9aVAKxXTiTBers+zMascZgP/VrEZksxgtn1e5TVD
+OakKPVHogdvwfvXylmPVRvJjaOsIb3lExew5bVYfPFgJ6Sfagbi/Z6y1z8VdEbYb
+mI34KSZA4bBAMAHPZLa9TGEx/vbPsBlqpU6k8lcoy3cTkO5fCZW4ZZIpwBwef4uJ
+UozhRgtTtRBiUpk0F9IoOXonZY1Dtpg+HcDMti/FYgahBVe1hadJ+lbVTxH6GxyI
+NJYvptdq5S99UOoJDmCCih0v0ZCUNYWoO0I0vzNncQKBgQDemN7es2fIBstiPjOf
+p103DF5j9Uxq5YH9B3wli0CXf6Z2w5uosONoJWgJZKsHJ6f+YSuHsoE/eCrFF3U9
+lxT9Nie/wYYIGedly/VR143aCdiTXI44m5gxXgwaUcjvY1DpWyEAAmr5XNdoyZ5n
+LNTvOTb4vVo9SgDU7II7rdpRmwKBgQDSD9aBtIy/650suQK/9RiXRU0Kg7LXXVM5
+lavPgLvH55lufJeGSa8+ofCNeo31N4AaVuU4lkGeny9tLNBQbYAoyAz0lf51qK7B
+1u5JqBDyRrIpdkqwbT0FT1pu1LA3+Qg0KQBrTCnOx+YyyVSivR4YMZzJjmwZGKMg
+BWOi0PzhyQKBgGR44dfpaIWbs39zjf+ZHnTza0N4+/YgA60/DKUxloULRArFPeRF
+e0+N2siqnJvNJYGnQGuugbIxPjTZ4rxbDklAgW6HHkVX099Z0TAQuGFbIltZYoRg
+jrBxv8q9cZHD5Uh/LoT/kmNdqYkNwCbX0IDt9UcOyMVzOq7g1eO0FB/TAoGBAMaG
+tWIsMwGHOip0SAcHKtB8bI1NXo5v4yH/NDuOHOqXFcj383S02uzEu8XaV6Ozalx6
+V3SdfTLem0IBIneApajlOGlIAQ9N9qu358ixECMJcYQCCiCnfQ4xqvQoCss7judN
+ANpnRvPotMS2xkhvl6uh594NvlgRksnGjh3oibcRAoGBAJKiu5ajmIkelzAhFMEC
+Slxhg/E+djJ1/SG/FaF8zIyTOxre/QUvmTwFKtHe6A5EfKQo9GCTuHuAcJ1U7eQP
+l2BoY0POqJFpw3s/QOt4g/pOz0YjD9GD6awL5WDfO++s4mnI1Snc3wcu99N4Klax
+htsaEUECJBUF0ZpIFad73s2f
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/testdata/test-5-server.pem
+++ b/FDBLibTLS/testdata/test-5-server.pem
@ -0,0 +1,80 @@
+subject= C = AU, ST = New South Wales, L = Sydney, O = Apple Pty Limited, OU = FDB Team, CN = "FDB LibTLS Plugin Test Server 2, \C2\80 <\01+\02=\03>"
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 2
+subject= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Intermediate CA 2
+issuer= C = US, ST = California, L = Cupertino, O = Apple Inc., OU = FDB Team, CN = FDB LibTLS Plugin Test Root CA
+-----BEGIN CERTIFICATE-----
+MIIEEzCCAvugAwIBAgIJALOPTrQGpeskMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTExMC8GA1UE
+AwwoRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMjAeFw0x
+ODA0MDcxNDE2MDJaFw0yODA0MDQxNDE2MDJaMIGdMQswCQYDVQQGEwJBVTEYMBYG
+A1UECAwPTmV3IFNvdXRoIFdhbGVzMQ8wDQYDVQQHDAZTeWRuZXkxGjAYBgNVBAoM
+EUFwcGxlIFB0eSBMaW1pdGVkMREwDwYDVQQLDAhGREIgVGVhbTE0MDIGA1UEAwwr
+RkRCIExpYlRMUyBQbHVnaW4gVGVzdCBTZXJ2ZXIgMiwgwoAgPAErAj0DPjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAolQZIGMeL5w/Bu2X6lHWjO58u
+HUDtBmr37So4jazhZBSFDBg+QlRMiYGLev9EhvCrUsVcRwtvtcuMI3wfKl7qgbi
+ZX8zmrzZ3YJo9U47NzCa05faOl8uSBvuXuXUBLU342WFP8XDB1W8yOBQMK73xoFv
+DkcxURx9ZtOhdC3EgYKrFqOB1Azl1DB4gLV3h9rHW5QpQ8SqD9CyggcDBpDeZQIP
+4l5YFE9Nb4kEUTscz2wGn4TdHMmcnVpfUxp1Y2o8Umvh4llXHIPhximGb3JJ4QQ
+Sir4ZXeeoooWoJG0sdlqVLroKav/VMGtEu9LyfbrNdKnTJq3ceVQ+HJ2hlMCAwEA
+AaNgMF4wHQYDVR0OBBYEFH61Z8O9vFsVdhM4MBU3poX2UMTEMB8GA1UdIwQYMBaA
+FJFP+HFpDrD0BRU0yE606s6xkqFBMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQD
+AgeAMA0GCSqGSIb3DQEBBQUAA4IBAQCVbxlLGIBCo6/XXjqoMyZc7uQZJj7pGnwh
+nIMs2izCLfax8j+QrThO2Qjn03zT/WF8eG6ibPbjgnw3VFwCkV6oQ+BXG6Yt0xqP
+4rz1LzxSio6HSm26gSk4SQUsVoAtz3OImoTCFVfz+Mixe87pyVXXEEtCYvfU74H9
+I1WGyNkWAxiJbqeIxF5PKoc3EdnT5mfdC6sdeGm7t2neeS8PDFQtJ4UfVIEK5z1C
+MOfQILNkLX2nBYxNqKpV66zf68VZNN9002ZH2FITGqImpj74BEws3sheiuZySdoI
+wnAwRnymIMfAmkf9C7Q2ugId0YMMyesaWrIwSlXlJOHGsA1VrBRD
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIJALOPTrQGpesiMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5v
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMREwDwYDVQQLDAhGREIgVGVhbTEnMCUGA1UE
+AwweRkRCIExpYlRMUyBQbHVnaW4gVGVzdCBSb290IENBMB4XDTE4MDQwNzE0MTYw
+MVoXDTI4MDQwNDE0MTYwMVowgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xEzARBgNVBAoMCkFwcGxlIEluYy4x
+ETAPBgNVBAsMCEZEQiBUZWFtMTEwLwYDVQQDDChGREIgTGliVExTIFBsdWdpbiBU
+ZXN0IEludGVybWVkaWF0ZSBDQSAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEApTSBCiUb0amf+QRV2WY6b3bK93D/PSrm4KR/2m2V0lciU1DAk00/kZ52
+ZIZmq8g9EaE2+CaDtU0fMvDZpaZD+vTFRwsx4varehq0ZwX9Wt25i/3G/eGLNlD3
+9E4tDNruK5UQjum4nJ0SV+AdFEGkSfeU3ZJEHYH0NrcbyAUbh0KeWCSwHiYiFJJf
+gBYwRq/HdKNoS/4YvLXzTLR7BSm3YcqWlO5tdkJ2lcT/7Th/Hq1TCW/FKwdQJJBq
+JrbOYGlMrf1pLO7Drei/xhsYkwTQ899MhSjkBRhc+401p41Mky0n8wLkuPJGhoY3
+9QUOjT+Rmvq5yryg0eWGiFquk6Ru5QIDAQABo2MwYTAdBgNVHQ4EFgQUkU/4cWkO
+sPQFFTTITrTqzrGSoUEwHwYDVR0jBBgwFoAUnqtGja3O5jGlh5vHgp3Tf8NCPKkw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
+ggEBAJfCHU7dm2/2ASyt3wyxivQLxlV6FsEZcF7HcpbbxuB73frGOL4kEoOxvr2X
+fBGyjlPMotbc1MeAalAv+hVHdcAcBFPF7lxtYiV6D7YI5T5yVbWSASG3+DMAiW6S
+GdQi2eyeh00nH7Y1IkW+yaky0enBtWLzrw+XzHl6xT6DIEJnir//PNxvgXTJ5sjk
+6eFAm8HJIqkNQmgfChMQfUH6nm66WwULW6I117RCSkXhIgxZ7wzDq8bXcEdXCrZk
+yy5ket9OiVpbd38JgdYirBLmCQVq0uDOOPLz4ZJmNCzQzEt+38AAK2azAk/eb8W9
+JaKWH+5V8lhlyGw1zQKdNEP/wg8=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwKJUGSBjHi+cP
+wbtl+pR1ozufLvh1A7QZq9+0qOI2s4WQUhQwYPkJUTImBi3r/RIbwq1LFXEcLb7X
+LjCN8Hype6oG4mV/M5q82d2CaPVOOzcwmtOX2jpfLkgb7l7l1AS1N+NlhT/FwwdV
+vMjgUDCu98aBbw5HMVEcfWbToXQtxIGCqxajgdQM5dQweIC1d4fax1uUKUPEqg/Q
+soIHAwaQ3mUCD/uJeWBRPTW+JBFE7HM9sBp+E3RzJnJ1aX1MadWNqPFJr4eJZVxy
+D4cYphm9ySeEEEoq+GV3nqKKFqCRtLHZalS66Cmr/1TBrRLvS8n26zXSp0yat3Hl
+UPhydoZTAgMBAAECggEAVD60NlLYduXzVNfDtVuHEFNGOjSOYfepc/V8gLubo6lr
+IMAAI7rcnpYUM5cU8x0OQfRyR8wzUdSWxfWzBs6R78PSZoRzIcgeIl7Wzn0/g3BS
+To5czuxwqgBKQAFZpPQmZDwcJfr5qqxAn8IvFweCoMqiRlhELcvqDIP0XxWBqDjc
+TNJ988XzZXQmJbjjpWOkUBy2Uqz8lZt8MmxKFpW7SW4tBJwPphnorgjWfjCV/VEh
+ORio0rG74NHFo4f1TSrdU2BcB2cbVJ4B+bcUYRdvYmS5bmokhGF8vir0l43gUEdz
+Fyk6MaPrTI6cinqzenm3q/0eRvNhBE56U0tiGLn14QKBgQDkCkt1Y4LEboSwsVYl
+IXriStqj9p9MOizihh0enhzRXTTQuLX82fNi+bh1LAluwv290Q57pvKa+hB/YciB
+o4s7QfSojxQY9DxqvXN7CvxPWXHTyFY5sL4Rm807+C/a9rd39MxBynz9u/7YRvsA
+s8v8Y/01qIHnTo+mpDvu6HttWwKBgQDFwdRkgstuE+dXZZe8g1ivh3RNPa968TE3
+b8rzF9/nOJV7f6B/n6YEmHD/cHF5mm1bR+zt/jtf1NCRMpazchw3vT3JzQZYMDnM
+SD6vxTs5rG47QLiNyTIRmmD4gsEWBpyvoyP8E/9QdfDT1bWI5zZnky9CquRlN+cu
+J1bTsefEaQKBgGJsRxFNd91MThztDV9NSfptkFyAT1TZLxI+DEdwusNqVSdY8cNG
+VpP7cC+yaAfURSwuFPAtqDxXfdNc4uuBKNDUsMInrubuUz1Gs5cBsNCWrFhZ+U1B
+CWgUNMqTXiRFo/40PAyRVs003NOAH0m4UGyIw3rrVdX9xGaKMAv3b35NAoGATkkl
+I4UDs1f9xQNaxi3Y9ePRjqJUzX6d1SxUU1eoM4ia5IDpsJwqxLb0RKrmwRT5JaGb
+kbuLFazRxCkar38E3Kv1weWAFXlB6DTRXBPgFjzEhoBgjwCO6ZkLulVIysdjT8Rt
+gmUINXn7FGENtFyTlP0XQHUWZVt0ETlRjgxni8ECgYBYv6MoSr0iPjQpxeKvwFDz
+d9zE+ZXN+3GwtkI340lKRSc/f0Uq1TlC2w+DzjyyXcrBwubMQKTKcQQSH9f3YbMu
+DuxVE9AXdlQ1gSQHGjS0qUWwsS/8Xcjk8ZuduAXPGr/MsvsW+FbbZqG8qdZTeMHu
+MSTpOxu9HXC8SHML+y0cpw==
+-----END PRIVATE KEY-----
--- a/FDBLibTLS/verify-test.cpp
+++ b/FDBLibTLS/verify-test.cpp
@ -0,0 +1,137 @@
+#include <iostream>
+#include <string>
+#include <vector>
+
+#include <openssl/obj_mac.h>
+
+#include "ITLSPlugin.h"
+#include "ReferenceCounted.h"
+
+#include "FDBLibTLSPlugin.h"
+#include "FDBLibTLSPolicy.h"
+
+struct FDBLibTLSVerifyTest {
+	FDBLibTLSVerifyTest(std::string input):
+		input(input), valid(false), verify_cert(true), verify_time(true), subject_criteria({}), issuer_criteria({}) {};
+        FDBLibTLSVerifyTest(std::string input, bool verify_cert, bool verify_time, std::map<int, std::string> subject, std::map<int, std::string> issuer):
+		input(input), valid(true), verify_cert(verify_cert), verify_time(verify_time), subject_criteria(subject), issuer_criteria(issuer) {};
+        ~FDBLibTLSVerifyTest() {};
+
+	int run();
+
+	std::string input;
+
+	bool valid;
+	bool verify_cert;
+	bool verify_time;
+
+	std::map<int, std::string> subject_criteria;
+	std::map<int, std::string> issuer_criteria;
+};
+
+static std::string printable( std::string const& val ) {
+	static char const digits[] = "0123456789ABCDEF";
+	std::string s;
+
+	for ( int i = 0; i < val.size(); i++ ) {
+		uint8_t b = val[i];
+		if (b >= 32 && b < 127 && b != '\\')
+			s += (char)b;
+		else if (b == '\\')
+			s += "\\\\";
+		else {
+			s += "\\x";
+			s += digits[(b >> 4) & 15];
+			s += digits[b & 15];
+		}
+	}
+	return s;
+}
+
+static std::string criteriaToString(std::map<int, std::string> const& criteria) {
+	std::string s;
+	for (auto &pair: criteria) {
+		s += "{" + std::to_string(pair.first) + ":" + printable(pair.second) + "}";
+	}
+	return "{" + s + "}";
+}
+
+static void logf(const char* event, void* uid, int is_error, ...) {
+}
+
+int FDBLibTLSVerifyTest::run() {
+	FDBLibTLSPlugin *plugin = new FDBLibTLSPlugin();
+	FDBLibTLSPolicy *policy = new FDBLibTLSPolicy(Reference<FDBLibTLSPlugin>::addRef(plugin), (ITLSLogFunc)logf);
+
+	bool rc = policy->set_verify_peers((const uint8_t *)input.c_str(), input.size());
+	if (rc != valid) {
+		if (valid) {
+			std::cerr << "FAIL: Verify test failed, but should have succeeded - '" << input << "'\n";
+			return 1;
+		} else {
+			std::cerr << "FAIL: Verify test should have failed, but succeeded - '" << input << "'\n";
+			return 1;
+		}
+	}
+	if (policy->verify_cert != verify_cert) {
+		std::cerr << "FAIL: Got verify cert " << policy->verify_cert << ", want " << verify_cert << "\n";
+		return 1;
+	}
+	if (policy->verify_time != verify_time) {
+		std::cerr << "FAIL: Got verify time " << policy->verify_time << ", want " << verify_time << "\n";
+		return 1;
+	}
+	if (policy->subject_criteria != subject_criteria) {
+		std::cerr << "FAIL: Got subject criteria " << criteriaToString(policy->subject_criteria) << ", want " << criteriaToString(subject_criteria) << "\n";
+		return 1;
+	}
+	if (policy->issuer_criteria != issuer_criteria) {
+		std::cerr << "FAIL: Got issuer criteria " << criteriaToString(policy->issuer_criteria) << ", want " << criteriaToString(issuer_criteria) << "\n";
+		return 1;
+	}
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	int failed = 0;
+
+	std::vector<FDBLibTLSVerifyTest> tests = {
+		FDBLibTLSVerifyTest("", true, true, {}, {}),
+		FDBLibTLSVerifyTest("Check.Valid=1", true, true, {}, {}),
+		FDBLibTLSVerifyTest("Check.Valid=0", false, true, {}, {}),
+		FDBLibTLSVerifyTest("Check.Unexpired=1", true, true, {}, {}),
+		FDBLibTLSVerifyTest("Check.Unexpired=0", true, false, {}, {}),
+		FDBLibTLSVerifyTest("Check.Valid=1,Check.Unexpired=0", true, false, {}, {}),
+		FDBLibTLSVerifyTest("Check.Unexpired=0,Check.Valid=0", false, false, {}, {}),
+		FDBLibTLSVerifyTest("Check.Unexpired=0,I.C=US,C=US,S.O=XYZCorp\\, LLC", true, false,
+			{{NID_countryName, "US"}, {NID_organizationName, "XYZCorp, LLC"}}, {{NID_countryName, "US"}}),
+		FDBLibTLSVerifyTest("Check.Unexpired=0,I.C=US,C=US,S.O=XYZCorp\\= LLC", true, false,
+			{{NID_countryName, "US"}, {NID_organizationName, "XYZCorp= LLC"}}, {{NID_countryName, "US"}}),
+		FDBLibTLSVerifyTest("Check.Unexpired=0,I.C=US,C=US,S.O=XYZCorp=LLC", true, false,
+			{{NID_countryName, "US"}, {NID_organizationName, "XYZCorp=LLC"}}, {{NID_countryName, "US"}}),
+		FDBLibTLSVerifyTest("I.C=US,C=US,Check.Unexpired=0,S.O=XYZCorp=LLC", true, false,
+			{{NID_countryName, "US"}, {NID_organizationName, "XYZCorp=LLC"}}, {{NID_countryName, "US"}}),
+		FDBLibTLSVerifyTest("I.C=US,C=US,S.O=XYZCorp\\, LLC", true, true,
+			{{NID_countryName, "US"}, {NID_organizationName, "XYZCorp, LLC"}}, {{NID_countryName, "US"}}),
+		FDBLibTLSVerifyTest("C=\\,S=abc", true, true, {{NID_countryName, ",S=abc"}}, {}),
+		FDBLibTLSVerifyTest("CN=\\61\\62\\63", true, true, {{NID_commonName, "abc"}}, {}),
+		FDBLibTLSVerifyTest("CN=a\\62c", true, true, {{NID_commonName, "abc"}}, {}),
+		FDBLibTLSVerifyTest("CN=a\\01c", true, true, {{NID_commonName, "a\001c"}}, {}),
+
+		// Invalid cases.
+		FDBLibTLSVerifyTest("Check.Invalid=0"),
+		FDBLibTLSVerifyTest("Valid=1"),
+		FDBLibTLSVerifyTest("C= US,S=abc"),
+		FDBLibTLSVerifyTest("C=#US,S=abc"),
+		FDBLibTLSVerifyTest("C=abc,S=\\"),
+		FDBLibTLSVerifyTest("XYZ=abc"),
+		FDBLibTLSVerifyTest("GN=abc"),
+		FDBLibTLSVerifyTest("CN=abc,Check.Expired=1"),
+	};
+
+	for (auto &test: tests)
+		failed |= test.run();
+
+	return (failed);
+}
--- a/4
+++ b/4
@ -92,7 +92,7 @@ STATIC_LIBS :=
 VPATH += $(addprefix :,$(filter-out lib,$(patsubst -L%,%,$(filter -L%,$(LDFLAGS)))))

 CS_PROJECTS := flow/actorcompiler flow/coveragetool fdbclient/vexillographer
-CPP_PROJECTS := flow fdbrpc fdbclient fdbbackup fdbserver fdbcli bindings/c bindings/java fdbmonitor bindings/flow/tester bindings/flow
+CPP_PROJECTS := flow fdbrpc fdbclient fdbbackup fdbserver fdbcli bindings/c bindings/java fdbmonitor bindings/flow/tester bindings/flow FDBLibTLS
 OTHER_PROJECTS := bindings/python bindings/ruby bindings/go

 CS_MK_GENERATED := $(CS_PROJECTS:=/generated.mk)
@ -148,7 +148,7 @@ clean: $(CLEAN_TARGETS) docpreview_clean
 	@echo "Cleaning       toplevel"
 	@rm -rf $(OBJDIR)
 	@rm -rf $(DEPSDIR)
-	@rm -rf lib/libstdc++.a
+	@rm -rf lib/
 	@rm -rf bin/coverage.*.xml

 targets:
--- a/build/Dockerfile
+++ b/build/Dockerfile
@ -2,7 +2,7 @@ FROM ubuntu:15.04

 RUN sed -i -e 's/archive.ubuntu.com\|security.ubuntu.com/old-releases.ubuntu.com/g' -e 's/us\.old/old/g' /etc/apt/sources.list && apt-get clean && apt-get update

-RUN apt-get --no-install-recommends install -y --force-yes bzip2 ca-certificates=20141019 adduser apt base-files base-passwd bash binutils build-essential cpp cpp-4.9 dpkg dos2unix fakeroot findutils g++=4:4.9.2-2ubuntu2 g++-4.9=4.9.2-10ubuntu13 gawk=1:4.1.1+dfsg-1 gcc-5-base gcc=4:4.9.2-2ubuntu2 gcc-4.9=4.9.2-10ubuntu13 gcc-4.9-base:amd64=4.9.2-10ubuntu13 gcc-5-base:amd64=5.1~rc1-0ubuntu1 gdb git golang golang-go golang-go-linux-amd64 golang-src grep gzip hostname java-common libasan1 liblsan0 libtsan0 libubsan0 libcilkrts5 libgcc-4.9-dev libstdc++-4.9-dev libgl1-mesa-dri libgl1-mesa-glx libmono-system-xml-linq4.0-cil libmono-system-data-datasetextensions4.0-cil libstdc++-4.9-pic locales login m4 make makedev mawk mono-dmcs npm openjdk-8-jdk passwd python-distlib python-gevent python-greenlet python-html5lib python-minimal python-pip python-pkg-resources python-requests python-setuptools python-six python-urllib3 python-yaml python2.7 python2.7-minimal rpm rpm2cpio ruby ruby2.1 rubygems-integration sed tar texinfo tzdata-java udev unzip util-linux valgrind vim wget golang-go.tools curl sphinx-common
+RUN apt-get --no-install-recommends install -y --force-yes bzip2 ca-certificates=20141019 adduser apt base-files base-passwd bash binutils build-essential cpp cpp-4.9 dpkg dos2unix fakeroot findutils g++=4:4.9.2-2ubuntu2 g++-4.9=4.9.2-10ubuntu13 gawk=1:4.1.1+dfsg-1 gcc-5-base gcc=4:4.9.2-2ubuntu2 gcc-4.9=4.9.2-10ubuntu13 gcc-4.9-base:amd64=4.9.2-10ubuntu13 gcc-5-base:amd64=5.1~rc1-0ubuntu1 gdb git golang golang-go golang-go-linux-amd64 golang-src grep gzip hostname java-common libasan1 liblsan0 libtsan0 libubsan0 libcilkrts5 libgcc-4.9-dev libstdc++-4.9-dev libgl1-mesa-dri libgl1-mesa-glx libmono-system-xml-linq4.0-cil libmono-system-data-datasetextensions4.0-cil libstdc++-4.9-pic locales login m4 make makedev mawk mono-dmcs npm openjdk-8-jdk passwd python-distlib python-gevent python-greenlet python-html5lib python-minimal python-pip python-pkg-resources python-requests python-setuptools python-six python-urllib3 python-yaml python2.7 python2.7-minimal rpm rpm2cpio ruby ruby2.1 rubygems-integration sed tar texinfo tzdata-java udev unzip util-linux valgrind vim wget golang-go.tools curl sphinx-common gnupg

 RUN adduser --disabled-password --gecos '' fdb && chown -R fdb /opt && chmod -R 0777 /opt

@ -14,10 +14,16 @@ USER root

 RUN pip install boto3==1.1.1

-RUN npm install -g npm@3.4.1
-
 RUN ln -s /usr/bin/nodejs /usr/bin/node

+RUN cd /opt/ && wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.4.tar.gz &&\
+    wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.4.tar.gz.asc &&\
+    wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl.asc &&\
+    gpg --import libressl.asc && gpg --verify libressl-2.6.4.tar.gz.asc libressl-2.6.4.tar.gz &&\
+    tar -xzf libressl-2.6.4.tar.gz && cd libressl-2.6.4 &&\
+    ./configure CFLAGS="-fPIC -O3" && make -j4 && make install &&\
+    cd /opt/ # && rm -r libressl-2.6.4/ libressl-2.6.4.tar.gz libressl-2.6.4.tar.gz.asc libressl.asc
+
 RUN LANGUAGE=en_US.UTF-8 LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 locale-gen en_US.UTF-8

 RUN dpkg-reconfigure locales