fluentd 0.14.11 → 0.14.12

data/test/plugin/test_storage_local.rb

@@ -84,7 +84,7 @@ class LocalStorageTest < Test::Unit::TestCase
     end
   end
 
-  sub_test_case 'configured with path' do
+  sub_test_case 'configured with file path' do
     test 'works as storage which stores data on disk' do
       storage_path = File.join(TMP_DIR, 'my_store.json')
       conf = config_element('ROOT', '', {}, [config_element('storage', '', {'path' => storage_path})])
@@ -127,6 +127,15 @@ class LocalStorageTest < Test::Unit::TestCase
       assert_equal '2', @p.get('key1')
       assert_equal 4, @p.get('key2')
     end
+
+    test 'raise configuration error if a file specified with multi worker configuration' do
+      storage_path = File.join(TMP_DIR, 'my_store.json')
+      conf = config_element('ROOT', '', {}, [config_element('storage', '', {'path' => storage_path})])
+      @d.system_config_override('workers' => 3)
+      assert_raise Fluent::ConfigError.new("Plugin 'local' does not support multi workers configuration (Fluent::Plugin::LocalStorage)") do
+        @d.configure(conf)
+      end
+    end
   end
 
   sub_test_case 'configured with root-dir and plugin id' do
@@ -177,6 +186,36 @@ class LocalStorageTest < Test::Unit::TestCase
       assert_equal '2', @p.get('key1')
       assert_equal 4, @p.get('key2')
     end
+
+    test 'works with customized path by specified usage' do
+      root_dir = File.join(TMP_DIR, 'root')
+      expected_storage_path = File.join(root_dir, 'worker0', 'local_storage_test', 'storage.usage.json')
+      conf = config_element('ROOT', 'usage', {'@id' => 'local_storage_test'})
+      Fluent::SystemConfig.overwrite_system_config('root_dir' => root_dir) do
+        @d.configure(conf)
+      end
+      @d.start
+      @p = @d.storage_create(usage: 'usage', type: 'local')
+
+      assert_equal expected_storage_path, @p.path
+      assert @p.store.empty?
+    end
+  end
+
+  sub_test_case 'configured with root-dir and plugin id, and multi workers' do
+    test 'works as storage which stores data under root dir, also in workers' do
+      root_dir = File.join(TMP_DIR, 'root')
+      expected_storage_path = File.join(root_dir, 'worker1', 'local_storage_test', 'storage.json')
+      conf = config_element('ROOT', '', {'@id' => 'local_storage_test'})
+      with_worker_config(root_dir: root_dir, workers: 2, worker_id: 1) do
+        @d.configure(conf)
+      end
+      @d.start
+      @p = @d.storage_create()
+
+      assert_equal expected_storage_path, @p.path
+      assert @p.store.empty?
+    end
   end
 
   sub_test_case 'persistent specified' do

data/test/plugin_helper/test_child_process.rb

@@ -630,17 +630,15 @@ class ChildProcessTest < Test::Unit::TestCase
 
       str = nil
 
-      Timeout.timeout(TEST_DEADLOCK_TIMEOUT) do
-        pid = nil
-        @d.child_process_execute(:st1, "ruby", arguments: args, mode: [:read], on_exit_callback: cb) do |readio|
-          pid = @d.instance_eval{ child_process_id }
-          str = readio.read.chomp
-          block_exits = true
-        end
-        sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING while @d.child_process_exist?(pid) # to get exit status
-        sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until block_exits
-        sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until callback_called
+      pid = nil
+      @d.child_process_execute(:st1, "ruby", arguments: args, mode: [:read], on_exit_callback: cb) do |readio|
+        pid = @d.instance_eval{ child_process_id }
+        str = readio.read.chomp
+        block_exits = true
       end
+      waiting(TEST_DEADLOCK_TIMEOUT){ sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING while @d.child_process_exist?(pid) } # to get exit status
+      waiting(TEST_DEADLOCK_TIMEOUT){ sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until block_exits }
+      waiting(TEST_DEADLOCK_TIMEOUT){ sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until callback_called }
 
       assert callback_called
       assert exit_status
@@ -658,32 +656,35 @@ class ChildProcessTest < Test::Unit::TestCase
       block_exits = false
       callback_called = false
       exit_status = nil
-      args = ['-e', 'sleep ARGV[0].to_i; puts "yay"; File.unlink ARGV[1]', '25', @temp_path]
+      args = ['-e', 'sleep ARGV[0].to_i; puts "yay"; File.unlink ARGV[1]', '100', @temp_path]
       cb = ->(status){ exit_status = status; callback_called = true }
 
       str = nil
 
-      Timeout.timeout(TEST_DEADLOCK_TIMEOUT) do
-        pid = nil
-        @d.child_process_execute(:st1, "ruby", arguments: args, mode: [:read], on_exit_callback: cb) do |readio|
-          pid = @d.instance_eval{ child_process_id }
-          Process.kill(:QUIT, pid)
-          Process.kill(:QUIT, pid) rescue nil # once more to kill certainly
-          str = readio.read.chomp rescue nil # empty string before EOF
-          block_exits = true
-        end
-        sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING while @d.child_process_exist?(pid) # to get exit status
-        sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until block_exits
-        sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until callback_called
-      end
+      pid = nil
+      @d.child_process_execute(:st1, "ruby", arguments: args, mode: [:read], on_exit_callback: cb) do |readio|
+        pid = @d.instance_eval{ child_process_id }
+        sleep 10 # to run child process correctly
+        Process.kill(:QUIT, pid)
+        sleep 1
+        Process.kill(:QUIT, pid) rescue nil # once more to send kill
+        sleep 1
+        Process.kill(:QUIT, pid) rescue nil # just like sync
+        str = readio.read.chomp rescue nil # empty string before EOF
+        block_exits = true
+      end
+      waiting(TEST_DEADLOCK_TIMEOUT){ sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING while @d.child_process_exist?(pid) } # to get exit status
+      waiting(TEST_DEADLOCK_TIMEOUT){ sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until block_exits }
+      waiting(TEST_DEADLOCK_TIMEOUT){ sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until callback_called }
 
       assert callback_called
       assert exit_status
 
-      assert_equal [nil, 3], [exit_status.exitstatus, exit_status.termsig] # SIGQUIT
-
-      assert File.exist?(@temp_path)
-      assert_equal "", str
+      # This test sometimes fails on TravisCI
+      #    with [nil, 11] # SIGSEGV
+      # or with [1, nil]  # ???
+      assert_equal [nil, 3, true, ""], [exit_status.exitstatus, exit_status.termsig, File.exist?(@temp_path), str] # SIGQUIT
+      # SIGSEGV looks a kind of BUG of ruby...
     end
 
     test 'calls on_exit_callback for each process exits for interval call using on_exit_callback' do

data/test/plugin_helper/test_compat_parameters.rb

@@ -109,7 +109,7 @@ class CompatParameterTest < Test::Unit::TestCase
       assert @i.buffer_config.flush_at_shutdown
 
       assert_equal 8*1024*1024, @i.buffer.chunk_limit_size
-      assert_equal 1024, @i.buffer.queue_length_limit
+      assert_equal 1024, @i.buffer.queue_limit_length
     end
   end
 

data/test/plugin_helper/test_inject.rb

@@ -59,6 +59,8 @@ class InjectHelperTest < Test::Unit::TestCase
     @d.start
     assert_nil @d.instance_eval{ @_inject_hostname_key }
     assert_nil @d.instance_eval{ @_inject_hostname }
+    assert_nil @d.instance_eval{ @_inject_worker_id_key }
+    assert_nil @d.instance_eval{ @_inject_worker_id }
     assert_nil @d.instance_eval{ @_inject_tag_key }
     assert_nil @d.instance_eval{ @_inject_time_key }
     assert_nil @d.instance_eval{ @_inject_time_formatter }
@@ -85,18 +87,23 @@ class InjectHelperTest < Test::Unit::TestCase
   end
 
   test 'can be configured as specified' do
-    @d.configure(config_inject_section(
-        "hostname_key" => "hostname",
-        "hostname" => "myhost.local",
-        "tag_key" => "tag",
-        "time_key" => "time",
-        "time_type" => "string",
-        "time_format" => "%Y-%m-%d %H:%M:%S.%N",
-        "timezone" => "-0700",
-    ))
+    with_worker_config(workers: 1, worker_id: 0) do
+      @d.configure(config_inject_section(
+          "hostname_key" => "hostname",
+          "hostname" => "myhost.local",
+          "worker_id_key" => "worker_id",
+          "tag_key" => "tag",
+          "time_key" => "time",
+          "time_type" => "string",
+          "time_format" => "%Y-%m-%d %H:%M:%S.%N",
+          "timezone" => "-0700",
+      ))
+    end
 
     assert_equal "hostname", @d.instance_eval{ @_inject_hostname_key }
     assert_equal "myhost.local", @d.instance_eval{ @_inject_hostname }
+    assert_equal "worker_id", @d.instance_eval{ @_inject_worker_id_key }
+    assert_equal 0, @d.instance_eval{ @_inject_worker_id }
     assert_equal "tag", @d.instance_eval{ @_inject_tag_key }
     assert_equal "time", @d.instance_eval{ @_inject_time_key }
     assert_equal :string, @d.instance_eval{ @inject_config.time_type }
@@ -136,6 +143,17 @@ class InjectHelperTest < Test::Unit::TestCase
       assert_equal record.merge({"host" => "myhost.yay.local"}), @d.inject_values_to_record('tag', time, record)
     end
 
+    test 'injects worker id' do
+      with_worker_config(workers: 3, worker_id: 2) do
+        @d.configure(config_inject_section("worker_id_key" => "workerid"))
+      end
+      @d.start
+
+      time = event_time()
+      record = {"key1" => "value1", "key2" => 2}
+      assert_equal record.merge({"workerid" => 2}), @d.inject_values_to_record('tag', time, record)
+    end
+
     test 'injects tag into specified key' do
       @d.configure(config_inject_section("tag_key" => "mytag"))
       @d.start

data/test/plugin_helper/test_server.rb

@@ -1,5 +1,6 @@
 require_relative '../helper'
 require 'fluent/plugin_helper/server'
+require 'fluent/plugin_helper/cert_option' # to create certs for tests
 require 'fluent/plugin/base'
 require 'timeout'
 
@@ -11,6 +12,8 @@ class ServerPluginHelperTest < Test::Unit::TestCase
     helpers :server
   end
 
+  TMP_DIR = File.expand_path(File.dirname(__FILE__) + "/../tmp/plugin_helper_server")
+
   PORT = unused_port
 
   setup do
@@ -27,12 +30,12 @@ class ServerPluginHelperTest < Test::Unit::TestCase
   end
 
   teardown do
-    @d.stopped? || @d.stop
-    @d.before_shutdown? || @d.before_shutdown
-    @d.shutdown? || @d.shutdown
-    @d.after_shutdown? || @d.after_shutdown
-    @d.closed? || @d.close
-    @d.terminated? || @d.terminate
+    (@d.stopped? || @d.stop) rescue nil
+    (@d.before_shutdown? || @d.before_shutdown) rescue nil
+    (@d.shutdown? || @d.shutdown) rescue nil
+    (@d.after_shutdown? || @d.after_shutdown) rescue nil
+    (@d.closed? || @d.close) rescue nil
+    (@d.terminated? || @d.terminate) rescue nil
 
     @socket_manager_server.close
     if @socket_manager_server.is_a?(String) && File.exist?(@socket_manager_path)
@@ -141,11 +144,49 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       assert created_server.is_a?(Coolio::TCPServer)
     end
 
-    # tests about "proto: :udp" is in #server_create
+    data(methods)
+    test 'creates tls server in default if transport section and tcp protocol specified' do |m|
+      @d = d = Dummy.new
+      transport_conf = config_element('transport', 'tcp', {}, [])
+      d.configure(config_element('ROOT', '', {}, [transport_conf]))
+      d.start
+      d.after_start
+
+      d.__send__(m, :myserver, PORT){|x| x }
+
+      created_server_info = @d._servers.first
+      assert_equal :tcp, created_server_info.proto
+      created_server = created_server_info.server
+      assert created_server.is_a?(Coolio::TCPServer)
+    end
 
     data(methods)
     test 'creates tls server if specified in proto' do |m|
-      # pend "not implemented yet"
+      assert_raise(ArgumentError.new("BUG: TLS transport specified, but certification options are not specified")) do
+        @d.__send__(m, :myserver, PORT, proto: :tls){|x| x }
+      end
+      @d.__send__(m, :myserver, PORT, proto: :tls, tls_options: {insecure: true}){|x| x }
+
+      created_server_info = @d._servers.first
+      assert_equal :tls, created_server_info.proto
+      created_server = created_server_info.server
+      assert created_server.is_a?(Coolio::TCPServer) # yes, TCP here
+    end
+
+    data(methods)
+    test 'creates tls server in default if transport section and tls protocol specified' do |m|
+      @d = d = Dummy.new
+      transport_conf = config_element('transport', 'tls', {'insecure' => 'true'}, [])
+      d.configure(config_element('ROOT', '', {}, [transport_conf]))
+      d.start
+      d.after_start
+
+      d.__send__(m, :myserver, PORT){|x| x }
+
+      created_server_info = @d._servers.first
+      assert_equal :tls, created_server_info.proto
+      created_server = created_server_info.server
+      assert created_server.is_a?(Coolio::TCPServer) # OK, it's Coolio::TCPServer
     end
 
     data(methods)
@@ -162,10 +203,10 @@ class ServerPluginHelperTest < Test::Unit::TestCase
 
     data(
       'server_create tcp' => [:server_create, :tcp],
-      # 'server_create tls' => [:server_create, :tls],
+      'server_create tls' => [:server_create, :tls],
       # 'server_create unix' => [:server_create, :unix],
       'server_create_connection tcp' => [:server_create_connection, :tcp],
-      # 'server_create_connection tcp' => [:server_create_connection, :tls],
+      'server_create_connection tls' => [:server_create_connection, :tls],
       # 'server_create_connection tcp' => [:server_create_connection, :unix],
     )
     test 'raise error if udp options specified for tcp/tls/unix' do |(m, proto)|
@@ -203,17 +244,17 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       # 'server_create_connection unix' => [:server_create_connection, :unix, {}],
     )
     test 'raise error if tls options specified for tcp/udp/unix' do |(m, proto, kwargs)|
-      assert_raise(ArgumentError.new("BUG: certopts is available only for tls")) do
-        @d.__send__(m, :myserver, PORT, proto: proto, certopts: {}, **kwargs){|x| x }
+      assert_raise(ArgumentError.new("BUG: tls_options is available only for tls")) do
+        @d.__send__(m, :myserver, PORT, proto: proto, tls_options: {}, **kwargs){|x| x }
       end
     end
 
     data(
       'server_create tcp' => [:server_create, :tcp, {}],
       'server_create udp' => [:server_create, :udp, {max_bytes: 128}],
-      # 'server_create tls' => [:server_create, :tls, {}],
+      'server_create tls' => [:server_create, :tls, {tls_options: {insecure: true}}],
       'server_create_connection tcp' => [:server_create_connection, :tcp, {}],
-      # 'server_create_connection tls' => [:server_create_connection, :tls, {}],
+      'server_create_connection tls' => [:server_create_connection, :tls, {tls_options: {insecure: true}}],
     )
     test 'can bind specified IPv4 address' do |(m, proto, kwargs)|
       @d.__send__(m, :myserver, PORT, proto: proto, bind: "127.0.0.1", **kwargs){|x| x }
@@ -224,9 +265,9 @@ class ServerPluginHelperTest < Test::Unit::TestCase
     data(
       'server_create tcp' => [:server_create, :tcp, {}],
       'server_create udp' => [:server_create, :udp, {max_bytes: 128}],
-      # 'server_create tls' => [:server_create, :tls, {}],
+      'server_create tls' => [:server_create, :tls, {tls_options: {insecure: true}}],
       'server_create_connection tcp' => [:server_create_connection, :tcp, {}],
-      # 'server_create_connection tls' => [:server_create_connection, :tls, {}],
+      'server_create_connection tls' => [:server_create_connection, :tls, {tls_options: {insecure: true}}],
     )
     test 'can bind specified IPv6 address' do |(m, proto, kwargs)| # if available
       omit "IPv6 unavailable here" unless ipv6_enabled?
@@ -238,10 +279,10 @@ class ServerPluginHelperTest < Test::Unit::TestCase
     data(
       'server_create tcp' => [:server_create, :tcp, {}],
       'server_create udp' => [:server_create, :udp, {max_bytes: 128}],
-      # 'server_create tls' => [:server_create, :tls, {}],
+      'server_create tls' => [:server_create, :tls, {tls_options: {insecure: true}}],
       # 'server_create unix' => [:server_create, :unix, {}],
       'server_create_connection tcp' => [:server_create, :tcp, {}],
-      # 'server_create_connection tls' => [:server_create, :tls, {}],
+      'server_create_connection tls' => [:server_create, :tls, {tls_options: {insecure: true}}],
       # 'server_create_connection unix' => [:server_create, :unix, {}],
     )
     test 'can create 2 or more servers which share same bind address and port if shared option is true' do |(m, proto, kwargs)|
@@ -260,10 +301,10 @@ class ServerPluginHelperTest < Test::Unit::TestCase
     data(
       'server_create tcp' => [:server_create, :tcp, {}],
       'server_create udp' => [:server_create, :udp, {max_bytes: 128}],
-      # 'server_create tls' => [:server_create, :tls, {}],
+      'server_create tls' => [:server_create, :tls, {tls_options: {insecure: true}}],
       # 'server_create unix' => [:server_create, :unix, {}],
       'server_create_connection tcp' => [:server_create, :tcp, {}],
-      # 'server_create_connection tls' => [:server_create, :tls, {}],
+      'server_create_connection tls' => [:server_create, :tls, {tls_options: {insecure: true}}],
       # 'server_create_connection unix' => [:server_create, :unix, {}],
     )
     test 'cannot create 2 or more servers using same bind address and port if shared option is false' do |(m, proto, kwargs)|
@@ -286,7 +327,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
     data(
       'tcp' => [:tcp, {}],
       'udp' => [:udp, {max_bytes: 128}],
-      # 'tls' => [:tls, {}],
+      'tls' => [:tls, {tls_options: {insecure: true}}],
       # 'unix' => [:unix, {}],
     )
     test 'raise error if block argument is not specified or too many' do |(proto, kwargs)|
@@ -428,7 +469,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       end
       waiting(10){ sleep 0.1 until received.bytesize == 4 || errors.size == 1 }
       assert_equal "foo\n", received
-      assert_equal 1, errors.size
+      assert{ errors.size > 0 } # it might be called twice (or more) when connection was accepted, and then data arrived (or more)
       assert_equal "data callback can be registered just once, but registered twice", errors.first.message
     end
 
@@ -645,7 +686,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       sock.write "foo\n"
       sock.close
 
-      waiting(10){ sleep 0.1 until received.bytesize == 4 || errors.size == 1 }
+      waiting(10){ sleep 0.1 until received.bytesize == 4 && errors.size == 1 }
       assert_equal "foo\n", received
       assert_equal 1, errors.size
       assert_equal "BUG: this event is disabled for udp: data", errors.first.message
@@ -667,7 +708,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       sock.write "foo\n"
       sock.close
 
-      waiting(10){ sleep 0.1 until received.bytesize == 4 || errors.size == 1 }
+      waiting(10){ sleep 0.1 until received.bytesize == 4 && errors.size == 1 }
       assert_equal "foo\n", received
       assert_equal 1, errors.size
       assert_equal "BUG: this event is disabled for udp: write_complete", errors.first.message
@@ -689,32 +730,665 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       sock.write "foo\n"
       sock.close
 
-      waiting(10){ sleep 0.1 until received.bytesize == 4 || errors.size == 1 }
+      waiting(10){ sleep 0.1 until received.bytesize == 4 && errors.size == 1 }
       assert_equal "foo\n", received
       assert_equal 1, errors.size
       assert_equal "BUG: this event is disabled for udp: close", errors.first.message
     end
   end
 
+  module CertUtil
+    extend Fluent::PluginHelper::CertOption
+  end
+
+  def create_ca_options
+    {
+      private_key_length: 2048,
+      country: 'US',
+      state: 'CA',
+      locality: 'Mountain View',
+      common_name: 'ca.testing.fluentd.org',
+      expiration: 30 * 86400,
+      digest: :sha256,
+    }
+  end
+
+  def create_server_options
+    {
+      private_key_length: 2048,
+      country: 'US',
+      state: 'CA',
+      locality: 'Mountain View',
+      common_name: 'server.testing.fluentd.org',
+      expiration: 30 * 86400,
+      digest: :sha256,
+    }
+  end
+
+  def write_cert_and_key(cert_path, cert, key_path, key, passphrase)
+    File.open(cert_path, "w"){|f| f.write(cert.to_pem) }
+    # Encrypt secret key by AES256, and write it in PEM format
+    File.open(key_path, "w"){|f| f.write(key.export(OpenSSL::Cipher.new("AES-256-CBC"), passphrase)) }
+    File.chmod(0600, cert_path, key_path)
+  end
+
+  def create_server_pair_signed_by_self(cert_path, private_key_path, passphrase)
+    cert, key, _ = CertUtil.cert_option_generate_server_pair_self_signed(create_server_options)
+    write_cert_and_key(cert_path, cert, private_key_path, key, passphrase)
+  end
+
+  def create_ca_pair_signed_by_self(cert_path, private_key_path, passphrase)
+    cert, key, _ = CertUtil.cert_option_generate_ca_pair_self_signed(create_ca_options)
+    write_cert_and_key(cert_path, cert, private_key_path, key, passphrase)
+  end
+
+  def create_server_pair_signed_by_ca(ca_cert_path, ca_key_path, ca_key_passphrase, cert_path, private_key_path, passphrase)
+    cert, key, _ = CertUtil.cert_option_generate_server_pair_by_ca(ca_cert_path, ca_key_path, ca_key_passphrase, create_server_options)
+    write_cert_and_key(cert_path, cert, private_key_path, key, passphrase)
+  end
+
+  def create_server_pair_chained_with_root_ca(ca_cert_path, ca_key_path, ca_key_passphrase, cert_path, private_key_path, passphrase)
+    root_cert, root_key, _ = CertUtil.cert_option_generate_ca_pair_self_signed(create_ca_options)
+    write_cert_and_key(ca_cert_path, root_cert, ca_key_path, root_key, ca_key_passphrase)
+
+    intermediate_ca_options = create_ca_options
+    intermediate_ca_options[:common_name] = 'ca2.testing.fluentd.org'
+    chain_cert, chain_key = CertUtil.cert_option_generate_pair(intermediate_ca_options, root_cert.subject)
+    chain_cert.add_extension OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(true)]))
+    chain_cert.sign(root_key, "sha256")
+
+    server_cert, server_key, _ = CertUtil.cert_option_generate_pair(create_server_options, chain_cert.subject)
+    server_cert.add_extension OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(false)]))
+    server_cert.add_extension OpenSSL::X509::Extension.new('nsCertType', 'server')
+    server_cert.sign(chain_key, "sha256")
+
+    # write chained cert
+    File.open(cert_path, "w") do |f|
+      f.write server_cert.to_pem
+      f.write chain_cert.to_pem
+    end
+    File.open(private_key_path, "w"){|f| f.write(server_key.export(OpenSSL::Cipher.new("AES-256-CBC"), passphrase)) }
+    File.chmod(0600, cert_path, private_key_path)
+  end
+
+  def open_tls_session(addr, port, verify: true, cert_path: nil, selfsigned: true, hostname: nil)
+    context = OpenSSL::SSL::SSLContext.new
+    context.set_params({})
+    if verify
+      cert_store = OpenSSL::X509::Store.new
+      cert_store.set_default_paths
+      if selfsigned && OpenSSL::X509.const_defined?('V_FLAG_CHECK_SS_SIGNATURE')
+        cert_store.flags = OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE
+      end
+      if cert_path
+        cert_store.add_file(cert_path)
+      end
+      context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      context.cert_store = cert_store
+      if !hostname && context.respond_to?(:verify_hostname=)
+        context.verify_hostname = false # In test code, using hostname to be connected is very difficult
+      end
+    else
+      context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    end
+
+    sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(addr, port), context)
+    sock.hostname = hostname if hostname && sock.respond_to?(:hostname)
+    sock.connect
+    yield sock
+  ensure
+    sock.close rescue nil
+  end
+
+  sub_test_case '#server_create_tls with various certificate options' do
+    setup do
+      @d = Dummy.new # to get plugin not configured/started yet
+
+      @certs_dir = File.join(TMP_DIR, "tls_certs")
+      @server_cert_dir = File.join(@certs_dir, "server")
+      FileUtils.rm_rf @certs_dir
+      FileUtils.mkdir_p @server_cert_dir
+    end
+
+    sub_test_case 'using tls_options arguments to specify cert options' do
+      setup do
+        @d.configure(config_element()); @d.start; @d.after_start
+      end
+
+      test 'create dynamic self-signed cert/key pair (without any verification from clients)' do
+        # insecure
+        tls_options = {
+          protocol: :tls,
+          version: 'TLSv1_2',
+          ciphers: 'ALL:!aNULL:!eNULL:!SSLv2',
+          insecure: true,
+          generate_private_key_length: 2048,
+          generate_cert_country: 'US',
+          generate_cert_state: 'CA',
+          generate_cert_locality: 'Mountain View',
+          generate_cert_common_name: 'myserver.testing.fluentd.org',
+          generate_cert_expiration: 10 * 365 * 86400,
+          generate_cert_digest: :sha256,
+        }
+
+        received = ""
+        @d.server_create_tls(:s, PORT, tls_options: tls_options) do |data, conn|
+          received << data
+        end
+        assert_raise "" do
+          open_tls_session('127.0.0.1', PORT) do |sock|
+            sock.post_connection_check('myserver.testing.fluentd.org')
+            # cannot connect ....
+          end
+        end
+        open_tls_session('127.0.0.1', PORT, verify: false) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+
+      test 'load self-signed cert/key pair (files), verified from clients using cert files' do
+        cert_path = File.join(@server_cert_dir, "cert.pem")
+        private_key_path = File.join(@certs_dir, "server.key.pem")
+        private_key_passphrase = "yaaaaaaaaaaaaaaaaaaay"
+        create_server_pair_signed_by_self(cert_path, private_key_path, private_key_passphrase)
+
+        tls_options = {
+          protocol: :tls,
+          version: 'TLSv1_2',
+          ciphers: 'ALL:!aNULL:!eNULL:!SSLv2',
+          insecure: false,
+          cert_path: cert_path,
+          private_key_path: private_key_path,
+          private_key_passphrase: private_key_passphrase,
+        }
+        received = ""
+        @d.server_create_tls(:s, PORT, tls_options: tls_options) do |data, conn|
+          received << data
+        end
+        assert_raise "" do
+          open_tls_session('127.0.0.1', PORT) do |sock|
+            sock.post_connection_check('server.testing.fluentd.org')
+            # cannot connect by failing verification without server cert
+          end
+        end
+        open_tls_session('127.0.0.1', PORT, cert_path: cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+
+      test 'create dynamic server cert by private CA cert file, verified from clients using CA cert file' do
+        ca_cert_path = File.join(@certs_dir, "ca_cert.pem")
+        ca_key_path = File.join(@certs_dir, "ca.key.pem")
+        ca_key_passphrase = "fooooooooooooooooooooooooo"
+        create_ca_pair_signed_by_self(ca_cert_path, ca_key_path, ca_key_passphrase)
+
+        tls_options = {
+          protocol: :tls,
+          version: 'TLSv1_2',
+          ciphers: 'ALL:!aNULL:!eNULL:!SSLv2',
+          insecure: false,
+          ca_cert_path: ca_cert_path,
+          ca_private_key_path: ca_key_path,
+          ca_private_key_passphrase: ca_key_passphrase,
+          generate_private_key_length: 2048,
+        }
+        received = ""
+        @d.server_create_tls(:s, PORT, tls_options: tls_options) do |data, conn|
+          received << data
+        end
+        open_tls_session('127.0.0.1', PORT, cert_path: ca_cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+
+      test 'load static server cert by private CA cert file, verified from clients using CA cert file' do
+        ca_cert_path = File.join(@certs_dir, "ca_cert.pem")
+        ca_key_path = File.join(@certs_dir, "ca.key.pem")
+        ca_key_passphrase = "foooooooo"
+        create_ca_pair_signed_by_self(ca_cert_path, ca_key_path, ca_key_passphrase)
+
+        cert_path = File.join(@server_cert_dir, "cert.pem")
+        private_key_path = File.join(@certs_dir, "server.key.pem")
+        private_key_passphrase = "yaaaaaaaaaaaaaaaaaaay"
+        create_server_pair_signed_by_ca(ca_cert_path, ca_key_path, ca_key_passphrase, cert_path, private_key_path, private_key_passphrase)
+
+        tls_options = {
+          protocol: :tls,
+          version: 'TLSv1_2',
+          ciphers: 'ALL:!aNULL:!eNULL:!SSLv2',
+          insecure: false,
+          cert_path: cert_path,
+          private_key_path: private_key_path,
+          private_key_passphrase: private_key_passphrase,
+        }
+        received = ""
+        @d.server_create_tls(:s, PORT, tls_options: tls_options) do |data, conn|
+          received << data
+        end
+        open_tls_session('127.0.0.1', PORT, cert_path: ca_cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+
+      test 'load chained server cert by private CA cert file, verified from clients using CA cert file as root' do
+        ca_cert_path = File.join(@certs_dir, "ca_cert.pem")
+        ca_key_path = File.join(@certs_dir, "ca.key.pem")
+        ca_key_passphrase = "foooooooo"
+        cert_path = File.join(@server_cert_dir, "cert.pem")
+        private_key_path = File.join(@certs_dir, "server.key.pem")
+        private_key_passphrase = "yaaaaaaaaaaaaaaaaaaay"
+        create_server_pair_chained_with_root_ca(ca_cert_path, ca_key_path, ca_key_passphrase, cert_path, private_key_path, private_key_passphrase)
+
+        tls_options = {
+          protocol: :tls,
+          version: 'TLSv1_2',
+          ciphers: 'ALL:!aNULL:!eNULL:!SSLv2',
+          insecure: false,
+          cert_path: cert_path,
+          private_key_path: private_key_path,
+          private_key_passphrase: private_key_passphrase,
+        }
+        received = ""
+        @d.server_create_tls(:s, PORT, tls_options: tls_options) do |data, conn|
+          received << data
+        end
+        open_tls_session('127.0.0.1', PORT, cert_path: ca_cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+    end
+
+    sub_test_case 'using configurations to specify cert options' do
+      test 'create dynamic self-signed cert/key pair (without any verification from clients)' do
+        # insecure
+        transport_opts = {
+          'insecure' => 'true',
+        }
+        transport_conf = config_element('transport', 'tls', transport_opts)
+        conf = config_element('match', 'tag.*', {}, [transport_conf])
+
+        @d.configure(conf); @d.start; @d.after_start
+
+        received = ""
+        @d.server_create_tls(:s, PORT) do |data, conn|
+          received << data
+        end
+        assert_raise "" do
+          open_tls_session('127.0.0.1', PORT) do |sock|
+            sock.post_connection_check('myserver.testing.fluentd.org')
+            # cannot connect ....
+          end
+        end
+        open_tls_session('127.0.0.1', PORT, verify: false) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+
+      test 'load self-signed cert/key pair (files), verified from clients using cert files' do
+        cert_path = File.join(@server_cert_dir, "cert.pem")
+        private_key_path = File.join(@certs_dir, "server.key.pem")
+        private_key_passphrase = "yaaaaaaaaaaaaaaaaaaay"
+        create_server_pair_signed_by_self(cert_path, private_key_path, private_key_passphrase)
+
+        transport_opts = {
+          'cert_path' => cert_path,
+          'private_key_path' => private_key_path,
+          'private_key_passphrase' => private_key_passphrase,
+        }
+        transport_conf = config_element('transport', 'tls', transport_opts)
+        conf = config_element('match', 'tag.*', {}, [transport_conf])
+
+        @d.configure(conf); @d.start; @d.after_start
+
+        received = ""
+        @d.server_create_tls(:s, PORT) do |data, conn|
+          received << data
+        end
+        assert_raise "" do
+          open_tls_session('127.0.0.1', PORT) do |sock|
+            sock.post_connection_check('server.testing.fluentd.org')
+            # cannot connect by failing verification without server cert
+          end
+        end
+        open_tls_session('127.0.0.1', PORT, cert_path: cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+
+      test 'create dynamic server cert by private CA cert file, verified from clients using CA cert file' do
+        ca_cert_path = File.join(@certs_dir, "ca_cert.pem")
+        ca_key_path = File.join(@certs_dir, "ca.key.pem")
+        ca_key_passphrase = "fooooooooooooooooooooooooo"
+        create_ca_pair_signed_by_self(ca_cert_path, ca_key_path, ca_key_passphrase)
+
+        transport_opts = {
+          'ca_cert_path' => ca_cert_path,
+          'ca_private_key_path' => ca_key_path,
+          'ca_private_key_passphrase' => ca_key_passphrase,
+        }
+        transport_conf = config_element('transport', 'tls', transport_opts)
+        conf = config_element('match', 'tag.*', {}, [transport_conf])
+
+        @d.configure(conf); @d.start; @d.after_start
+
+        received = ""
+        @d.server_create_tls(:s, PORT) do |data, conn|
+          received << data
+        end
+        open_tls_session('127.0.0.1', PORT, cert_path: ca_cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+
+      test 'load static server cert by private CA cert file, verified from clients using CA cert file' do
+        ca_cert_path = File.join(@certs_dir, "ca_cert.pem")
+        ca_key_path = File.join(@certs_dir, "ca.key.pem")
+        ca_key_passphrase = "foooooooo"
+        create_ca_pair_signed_by_self(ca_cert_path, ca_key_path, ca_key_passphrase)
+
+        cert_path = File.join(@server_cert_dir, "cert.pem")
+        private_key_path = File.join(@certs_dir, "server.key.pem")
+        private_key_passphrase = "yaaaaaaaaaaaaaaaaaaay"
+        create_server_pair_signed_by_ca(ca_cert_path, ca_key_path, ca_key_passphrase, cert_path, private_key_path, private_key_passphrase)
+
+        transport_opts = {
+          'cert_path' => cert_path,
+          'private_key_path' => private_key_path,
+          'private_key_passphrase' => private_key_passphrase,
+        }
+        transport_conf = config_element('transport', 'tls', transport_opts)
+        conf = config_element('match', 'tag.*', {}, [transport_conf])
+
+        @d.configure(conf); @d.start; @d.after_start
+
+        received = ""
+        @d.server_create_tls(:s, PORT) do |data, conn|
+          received << data
+        end
+        open_tls_session('127.0.0.1', PORT, cert_path: ca_cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+
+      test 'load chained server cert by private CA cert file, verified from clients using CA cert file as root' do
+        ca_cert_path = File.join(@certs_dir, "ca_cert.pem")
+        ca_key_path = File.join(@certs_dir, "ca.key.pem")
+        ca_key_passphrase = "foooooooo"
+        cert_path = File.join(@server_cert_dir, "cert.pem")
+        private_key_path = File.join(@certs_dir, "server.key.pem")
+        private_key_passphrase = "yaaaaaaaaaaaaaaaaaaay"
+        create_server_pair_chained_with_root_ca(ca_cert_path, ca_key_path, ca_key_passphrase, cert_path, private_key_path, private_key_passphrase)
+
+        transport_opts = {
+          'cert_path' => cert_path,
+          'private_key_path' => private_key_path,
+          'private_key_passphrase' => private_key_passphrase,
+        }
+        transport_conf = config_element('transport', 'tls', transport_opts)
+        conf = config_element('match', 'tag.*', {}, [transport_conf])
+
+        @d.configure(conf); @d.start; @d.after_start
+
+        received = ""
+        @d.server_create_tls(:s, PORT) do |data, conn|
+          received << data
+        end
+        open_tls_session('127.0.0.1', PORT, cert_path: ca_cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+        waiting(10){ sleep 0.1 until received.bytesize == 8 }
+        assert_equal "yay\nfoo\n", received
+      end
+    end
+  end
+
   sub_test_case '#server_create_tls' do
-    # not implemented yet
+    setup do
+      @certs_dir = File.join(TMP_DIR, "tls_certs")
+      FileUtils.rm_rf @certs_dir
+      FileUtils.mkdir_p @certs_dir
+
+      @server_cert_dir = File.join(@certs_dir, "server")
+      FileUtils.mkdir_p @server_cert_dir
+
+      @cert_path = File.join(@server_cert_dir, "cert.pem")
+      private_key_path = File.join(@certs_dir, "server.key.pem")
+      private_key_passphrase = "yaaaaaaaaaaaaaaaaaaay"
+      create_server_pair_signed_by_self(@cert_path, private_key_path, private_key_passphrase)
+
+      @default_hostname = ::Socket.gethostname
+
+      @tls_options = {
+        protocol: :tls,
+        version: 'TLSv1_2',
+        ciphers: 'ALL:!aNULL:!eNULL:!SSLv2',
+        insecure: false,
+        cert_path: @cert_path,
+        private_key_path: private_key_path,
+        private_key_passphrase: private_key_passphrase,
+      }
+    end
 
-    # test 'can accept all keyword arguments valid for tcp/tls server'
-    # test 'creates a tls server just to read data'
-    # test 'creates a tls server to read and write data'
-    # test 'creates a tls server to read and write data using IPv6'
+    test 'can accept all keyword arguments valid for tcp/tls server' do
+      assert_nothing_raised do
+        @d.server_create_tls(:s, PORT, bind: '127.0.0.1', shared: false, resolve_name: true, linger_timeout: 10, backlog: 500, tls_options: @tls_options) do |data, conn|
+          # ...
+        end
+      end
+    end
+
+    test 'creates a tls server just to read data' do
+      received = ""
+      @d.server_create_tls(:s, PORT, tls_options: @tls_options) do |data, conn|
+        received << data
+      end
+      3.times do
+        open_tls_session('127.0.0.1', PORT, cert_path: @cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+        end
+      end
+      waiting(10){ sleep 0.1 until received.bytesize == 24 }
+      assert_equal 3, received.scan("yay\n").size
+      assert_equal 3, received.scan("foo\n").size
+    end
 
-    # many tests about certops
+    test 'creates a tls server to read and write data' do
+      received = ""
+      responses = []
+      @d.server_create_tls(:s, PORT, tls_options: @tls_options) do |data, conn|
+        received << data
+        conn.write "ack\n"
+      end
+      3.times do
+        # open_tls_session('127.0.0.1', PORT, cert_path: @cert_path, hostname: @default_hostname) do |sock|
+        open_tls_session('127.0.0.1', PORT, cert_path: @cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+          responses << sock.readline
+        end
+      end
+      waiting(10){ sleep 0.1 until received.bytesize == 24 }
+      assert_equal 3, received.scan("yay\n").size
+      assert_equal 3, received.scan("foo\n").size
+      assert_equal ["ack\n","ack\n","ack\n"], responses
+    end
 
-    # test 'does not resolve name of client address in default'
-    # test 'does resolve name of client address if resolve_name is true'
-    # test 'can keep connections alive for tls if keepalive specified' do
-    #   pend "not implemented yet"
-    # end
+    test 'creates a tls server to read and write data using IPv6' do
+      omit "IPv6 unavailable here" unless ipv6_enabled?
 
-    # test 'raises error if plugin registers data callback for connection object from #server_create'
-    # test 'can call write_complete callback if registered'
-    # test 'can call close callback if registered'
+      received = ""
+      responses = []
+      @d.server_create_tls(:s, PORT, bind: "::1",  tls_options: @tls_options) do |data, conn|
+        received << data
+        conn.write "ack\n"
+      end
+      3.times do
+        # open_tls_session('::1', PORT, cert_path: @cert_path, hostname: @default_hostname) do |sock|
+        open_tls_session('::1', PORT, cert_path: @cert_path) do |sock|
+          sock.puts "yay"
+          sock.puts "foo"
+          responses << sock.readline
+        end
+      end
+      waiting(10){ sleep 0.1 until received.bytesize == 24 }
+      assert_equal 3, received.scan("yay\n").size
+      assert_equal 3, received.scan("foo\n").size
+      assert_equal ["ack\n","ack\n","ack\n"], responses
+    end
+
+    test 'does not resolve name of client address in default' do
+      received = ""
+      sources = []
+      @d.server_create_tls(:s, PORT, tls_options: @tls_options) do |data, conn|
+        received << data
+        sources << conn.remote_host
+      end
+      3.times do
+        # open_tls_session('127.0.0.1', PORT, cert_path: @cert_path, hostname: @default_hostname) do |sock|
+        open_tls_session('127.0.0.1', PORT, cert_path: @cert_path) do |sock|
+          sock.puts "yay"
+        end
+      end
+      waiting(10){ sleep 0.1 until received.bytesize == 12 }
+      assert_equal 3, received.scan("yay\n").size
+      assert{ sources.all?{|s| s == "127.0.0.1" } }
+    end
+
+    test 'does resolve name of client address if resolve_name is true' do
+      hostname = Socket.getnameinfo([nil, nil, nil, "127.0.0.1"])[0]
+
+      received = ""
+      sources = []
+      @d.server_create_tls(:s, PORT, resolve_name: true, tls_options: @tls_options) do |data, conn|
+        received << data
+        sources << conn.remote_host
+      end
+      3.times do
+        # open_tls_session('127.0.0.1', PORT, cert_path: @cert_path, hostname: @default_hostname) do |sock|
+        open_tls_session('127.0.0.1', PORT, cert_path: @cert_path) do |sock|
+          sock.puts "yay"
+        end
+      end
+      waiting(10){ sleep 0.1 until received.bytesize == 12 }
+      assert_equal 3, received.scan("yay\n").size
+      assert{ sources.all?{|s| s == hostname } }
+    end
+
+    test 'can keep connections alive for tls if keepalive specified' do
+      # pend "not implemented yet"
+    end
+
+    test 'raises error if plugin registers data callback for connection object from #server_create' do
+      received = ""
+      errors = []
+      @d.server_create_tls(:s, PORT, tls_options: @tls_options) do |data, conn|
+        received << data
+        begin
+          conn.data{|d| received << d.upcase }
+        rescue => e
+          errors << e
+        end
+      end
+      open_tls_session('127.0.0.1', PORT, cert_path: @cert_path) do |sock|
+        sock.puts "foo"
+      end
+      waiting(10){ sleep 0.1 until received.bytesize == 4 || errors.size == 1 }
+      assert_equal "foo\n", received
+      assert_equal 1, errors.size
+      assert_equal "data callback can be registered just once, but registered twice", errors.first.message
+    end
+
+    test 'can call write_complete callback if registered' do
+      buffer = ""
+      lines = []
+      responses = []
+      response_completes = []
+      @d.server_create_tls(:s, PORT, tls_options: @tls_options) do |data, conn|
+        conn.on(:write_complete){|c| response_completes << true }
+        buffer << data
+        if idx = buffer.index("\n")
+          lines << buffer.slice!(0,idx+1)
+          conn.write "ack\n"
+        end
+      end
+      3.times do
+        open_tls_session('127.0.0.1', PORT, cert_path: @cert_path) do |sock|
+          sock.write "yay"
+          sock.write "foo\n"
+          begin
+            responses << sock.readline
+          rescue EOFError, IOError, Errno::ECONNRESET
+            # ignore
+          end
+          sock.close
+        end
+      end
+      waiting(10){ sleep 0.1 until lines.size == 3 && response_completes.size == 3 }
+      assert_equal ["yayfoo\n", "yayfoo\n", "yayfoo\n"], lines
+      assert_equal ["ack\n","ack\n","ack\n"], responses
+      assert_equal [true, true, true], response_completes
+    end
+
+    test 'can call close callback if registered' do
+      buffer = ""
+      lines = []
+      callback_results = []
+      @d.server_create_tls(:s, PORT, tls_options: @tls_options) do |data, conn|
+        conn.on(:close){|c| callback_results << "closed" }
+        buffer << data
+        if idx = buffer.index("\n")
+          lines << buffer.slice!(0,idx+1)
+          conn.write "ack\n"
+        end
+      end
+      3.times do
+        open_tls_session('127.0.0.1', PORT, cert_path: @cert_path) do |sock|
+          sock.write "yay"
+          sock.write "foo\n"
+          begin
+            while line = sock.readline
+              if line == "ack\n"
+                sock.close
+              end
+            end
+          rescue EOFError, IOError, Errno::ECONNRESET
+            # ignore
+          end
+        end
+      end
+      waiting(10){ sleep 0.1 until lines.size == 3 && callback_results.size == 3 }
+      assert_equal ["yayfoo\n", "yayfoo\n", "yayfoo\n"], lines
+      assert_equal ["closed", "closed", "closed"], callback_results
+    end
   end
 
   sub_test_case '#server_create_unix' do
@@ -729,6 +1403,22 @@ class ServerPluginHelperTest < Test::Unit::TestCase
     # test 'can call close callback if registered'
   end
 
+  def open_client(proto, addr, port)
+    client = case proto
+             when :tcp
+               TCPSocket.open(addr, port)
+             when :tls
+               c = OpenSSL::SSL::SSLSocket.new(TCPSocket.open(addr, port))
+               c.sync_close = true
+               c.connect
+             else
+               raise ArgumentError, "unknown proto:#{proto}"
+             end
+    yield client
+  ensure
+    client.close rescue nil
+  end
+
   # run tests for tcp, tls and unix
   sub_test_case '#server_create_connection' do
     test 'raise error if udp is specified in proto' do
@@ -737,10 +1427,10 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       end
     end
 
-    # def server_create_connection(title, port, proto: :tcp, bind: '0.0.0.0', shared: true, certopts: nil, resolve_name: false, linger_timeout: 0, backlog: nil, &block)
+    # def server_create_connection(title, port, proto: :tcp, bind: '0.0.0.0', shared: true, tls_options: nil, resolve_name: false, linger_timeout: 0, backlog: nil, &block)
     protocols = {
       'tcp' => [:tcp, {}],
-      # 'tls' => [:tls, {certopts: {}}],
+      'tls' => [:tls, {tls_options: {insecure: true}}],
       # 'unix' => [:unix, {path: ""}],
     }
 
@@ -766,7 +1456,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
         end
       end
       3.times do
-        TCPSocket.open("127.0.0.1", PORT) do |sock|
+        open_client(proto, "127.0.0.1", PORT) do |sock|
           sock.puts "yay"
         end
       end
@@ -788,7 +1478,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
         end
       end
       3.times do
-        TCPSocket.open("127.0.0.1", PORT) do |sock|
+        open_client(proto, "127.0.0.1", PORT) do |sock|
           sock.puts "yay"
         end
       end
@@ -816,20 +1506,26 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       end
       replied = []
       disconnecteds = []
-      3.times do
-        TCPSocket.open("127.0.0.1", PORT) do |sock|
+      3.times do |i|
+        open_client(proto, "127.0.0.1", PORT) do |sock|
           sock.puts "yay"
           while line = sock.readline
             replied << line
             break
           end
           sock.write "x"
+          connection_closed = false
           begin
-            sock.read
+            data = sock.read
+            if data.empty?
+              connection_closed = true
+            end
           rescue => e
             if e.is_a?(Errno::ECONNRESET)
-              disconnecteds << e.class
+              connection_closed = true
             end
+          ensure
+            disconnecteds << connection_closed
           end
         end
       end
@@ -838,7 +1534,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       waiting(10){ sleep 0.1 until disconnecteds.size == 3 }
       assert_equal ["yay\n", "yay\n", "yay\n"], lines
       assert_equal ["foo!\n", "foo!\n", "foo!\n"], replied
-      assert_equal [Errno::ECONNRESET, Errno::ECONNRESET, Errno::ECONNRESET], disconnecteds
+      assert_equal [true, true, true], disconnecteds
     end
 
     data(protocols)
@@ -860,7 +1556,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       end
       replied = []
       3.times do
-        TCPSocket.open("127.0.0.1", PORT) do |sock|
+        open_client(proto, "127.0.0.1", PORT) do |sock|
           sock.puts "yay"
           while line = sock.readline
             replied << line
@@ -888,7 +1584,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
         end
       end
       3.times do
-        TCPSocket.open("127.0.0.1", PORT) do |sock|
+        open_client(proto, "127.0.0.1", PORT) do |sock|
           sock.puts "yay"
         end
       end
@@ -897,6 +1593,82 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       assert_equal 0, @d.instance_eval{ @_server_connections.size }
     end
 
+    data(protocols)
+    test 'will refuse more connect requests after stop, but read data from sockets already connected, in non-shared server' do |(proto, kwargs)|
+      connected = false
+      begin
+        open_client(proto, "127.0.0.1", PORT) do |sock|
+          # expected behavior is connection refused...
+          connected = true
+        end
+      rescue
+      end
+
+      assert_false connected
+
+      received = ""
+      @d.server_create_connection(:s, PORT, proto: proto, shared: false, **kwargs) do |conn|
+        conn.on(:data) do |data|
+          received << data
+          conn.write "ack\n"
+        end
+      end
+
+      th0 = Thread.new do
+        open_client(proto, "127.0.0.1", PORT) do |sock|
+          sock.puts "yay"
+          sock.readline
+        end
+      end
+
+      value0 = waiting(5){ th0.value }
+      assert_equal "ack\n", value0
+
+      stopped = false
+      sleeping = false
+      ending = false
+
+      th1 = Thread.new do
+        open_client(proto, "127.0.0.1", PORT) do |sock|
+          sleeping = true
+          sleep 0.1 until stopped
+          sock.puts "yay"
+          res = sock.readline
+          ending = true
+          res
+        end
+      end
+
+      sleep 0.1 until sleeping
+
+      @d.stop
+      assert @d.stopped?
+      stopped = true
+
+      sleep 0.1 until ending
+
+      @d.before_shutdown
+      @d.shutdown
+
+      th2 = Thread.new do
+        begin
+          open_client(proto, "127.0.0.1", PORT) do |sock|
+            sock.puts "foo"
+          end
+          false # failed
+        rescue
+          true # success
+        end
+      end
+
+      value1 = waiting(5){ th1.value }
+      value2 = waiting(5){ th2.value }
+
+      assert_equal "yay\nyay\n", received
+      assert_equal "ack\n", value1
+      assert value2, "should be truthy value to show connection was correctly refused"
+    end
+
     test 'can keep connections alive for tcp/tls if keepalive specified' do
       # pend "not implemented yet"
     end