fluentd 1.10.1 → 1.11.1

data/test/plugin_helper/data/cert/cert_chains/ca-cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPTCCAiWgAwIBAgILAJJ76Kpa6DYtsncwDQYJKoZIhvcNAQELBQAwUzELMAkG
+A1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MR8w
+HQYDVQQDDBZjYS50ZXN0aW5nLmZsdWVudGQub3JnMCAXDTcwMDEwMTAwMDAwMFoY
+DzIxMTgxMDI3MDgwNjU3WjBTMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAU
+BgNVBAcMDU1vdW50YWluIFZpZXcxHzAdBgNVBAMMFmNhLnRlc3RpbmcuZmx1ZW50
+ZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbWKfypGoGt9iV
+EevU3p4ard3gKcp76VO3SwZtpvXrvSzT6HWUa2NafLqAtKe3k8FjfoJSgUHwy1Fy
+JUbbNSEH50Bl7gyy3l3Mk7pw41P+X9RJsJWtD/HybdjN4k2Pz18Jnv/umjwKkR+f
+XoEwB3pMxdlnw74MKC/dKWITLGmL0IuDY8rABXiXCS1sZ6dhp1YsVaO/lr5ASUUY
+f+27mNQOGCCiKyhAbJkKWzZWZuvpEf66LLyOzeDHL7liBu7CStC2Nt/DF7nISx3p
+GDM7yguqWjALAKufgI1pcXBplr++pxbNjguqIRYt+YWkVxJl2haOvVYewlL88zcD
+Il5rycCdAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AGPhEAc+vb9PHyet9t5gKJTZF7S4x207hKZ0zLqCQCLM7VjrTVBh/TUFT+saiPsv
+4k2TYSZKInYXh6tkSzdGlRyzk166hF1eOTOae/92Da5PEQMT0AC+SDRDHXrNTyD8
+ZxP2xOl0j+FNeKQDdNL+PCU56PYehY40dYZ/EjRyu4VjKaSCMHcVx7eMTyxU3wtB
+HbOa8UJdUXEjn4h7icz4aca22aqLedXNaDr6YX+mo25t1jsTO7cEMfr4Ce7GvxdA
+msey/b5jnsKcpL7/2uYz5+owD39JZQBRQt+1YAzIU+BNiz8yzdXJO4aQpGWTflIB
+jO31o7x4loEvaBTQbX3iP2g=
+-----END CERTIFICATE-----

data/test/plugin_helper/data/cert/cert_chains/cert-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAzQtGZgClcBIDKC0U1sQpznVV9HzAZANDVazrDGA8Euf8Kx4X
+dnVoE+HzwAviL4VLDPzNBLyoZ2wf3wg6D+1UAhA0DqPRCihhfJqBX0WgewakSl5a
+wrc1XIXtiMxcWE/5+XtodjO71gECBgmd/l0UtdFY7mMt/gArH8PQf29ABGiB1zzn
+d0MNgA0r2OlXICe4kDzTHqDBv7nFgQFro2vkI/QJD5fABbb62HRWgUfQ13DUShSG
+H5FPkMxTkCs5GShyjYCC5IhI+AKx5RWvb4kuMRsxWC7JHc/XKPdbeLkNWRCFzTnO
+OR09Qdp45tBbXtX0IjInxsnNOBzW0zTSg0xUtwIDAQABAoIBAG4N5zNIlYOZp2gh
+ClZb47SU9hXL/9euiK2rql1yKcxcB9V8yUsjqUFCvfoOZtDq0mWeKsyoFhusxU6I
+s+FomPaii85vzvuMwQaIR3hDfueJoRTpn/1zKIkIuX37cnVUN+/YdTE8g01SLSvg
+bZThkQQl4X3SbhUvMfZSu84qgEncdtJ08zx81CB1Fpn0HIjpmpRM1F9jjDwtkVUw
+1gVQm9g7fwbgRfqSUyKkEqKvCVYnLQx3X5inuAEps4zIzAXF8RtxFymyHfExzZqr
+Pj5uYjTbf/wkaU9nWQzXeCbRTz3ZrjvFnisFt1HI2uijd1DjJ7CB7Ls752RWekXS
+Yc9FFwECgYEA/gZ3Hx4dIb6NW6UmPKjiQex/tVqwCRaxGtpA7qensf187N2nn4FD
+jdQJ69XmoDRKr2X+e7tsgKpETGufdDQ8MNBHz2krfqXVSlsEIOjeLfRRqhh+8Bcr
+flri0sumVbk0X9bnXzyCc4AGcRhtT9U69HCMTlly2z0pjIlVvmFXARECgYEAzqNV
+FSHHbEU+5zToJK0jyTaE/F+u9n5YKDcRN9RrKrEYcoUzKbIYJrUulbRGfsqAxY5L
+KtIDRI9NmPDBYqBwqSFnm9LcLn8CgQH/rRSFJv1Iw+sPHd/Nrk1KWjpO0OYRgfiB
+oxcgGSzHp0OZP+e7Trtq1TKW6VyadEsPZ7oKeUcCgYB9TiMkrm4gXybLtkOOWKCD
+dG3qv7lmQlNKs66kCv+lxS0CirRM8i6on5flRbZmAGV28BEAaAu1zEe0isI1SC8I
+xTUnEvHpn1P/QbZfpX8zm/lMtpinRkamJZ8N7Hc4ggtb2152lBqlbtm+oBYL81sJ
+iRss6uLFUv5T3Mr3Bn0sgQKBgGr4xQf+h6V2J307t12dQCRfE/MueX3jpDGVaFV1
+otDkAxrt97GDH9uR+f7H56KlpIohAqq1M7nfUbV2FTbAhfIYd/GD9DYhzCMK7Ngm
+AlRP1MaPvjCh9nFgU7hn7PtZzwBwrHPIefZuZyEg7onVpfK5NTIPUW6XYOIJJX12
+IwvrAoGAGwg2Cq6Vs/KkiCDxoy42HVZLS/DS/iHfUTAXtekF88qwT1zHFqF1ImvO
++FEUx8IbxY1oifSQc3Jw9HYnmYqmFW1PThNG3CwyaOGgtlEFcvhHsNjLRGJSQbN2
+cUYBe2hHXii7OL8T8kIvLlCAKGA8IIfPGhsu3uUtrvMBo5c0WmQ=
+-----END RSA PRIVATE KEY-----

data/test/plugin_helper/data/cert/cert_chains/cert.pem

@@ -0,0 +1,40 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiqgAwIBAgILANkmymLgb5e04tcwDQYJKoZIhvcNAQELBQAwVDELMAkG
+A1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MSAw
+HgYDVQQDDBdjYTIudGVzdGluZy5mbHVlbnRkLm9yZzAgFw03MDAxMDEwMDAwMDBa
+GA8yMTE4MTAyNzA4MDY1N1owVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYw
+FAYDVQQHDA1Nb3VudGFpbiBWaWV3MSMwIQYDVQQDDBpzZXJ2ZXIudGVzdGluZy5m
+bHVlbnRkLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0LRmYA
+pXASAygtFNbEKc51VfR8wGQDQ1Ws6wxgPBLn/CseF3Z1aBPh88AL4i+FSwz8zQS8
+qGdsH98IOg/tVAIQNA6j0QooYXyagV9FoHsGpEpeWsK3NVyF7YjMXFhP+fl7aHYz
+u9YBAgYJnf5dFLXRWO5jLf4AKx/D0H9vQARogdc853dDDYANK9jpVyAnuJA80x6g
+wb+5xYEBa6Nr5CP0CQ+XwAW2+th0VoFH0Ndw1EoUhh+RT5DMU5ArORkoco2AguSI
+SPgCseUVr2+JLjEbMVguyR3P1yj3W3i5DVkQhc05zjkdPUHaeObQW17V9CIyJ8bJ
+zTgc1tM00oNMVLcCAwEAAaMQMA4wDAYDVR0TBAUwAwEBADANBgkqhkiG9w0BAQsF
+AAOCAQEAMzoxZJqhu8zyKI20Hz5SAqva+jcHbZbR9AXlt4LWQEttsXy4S52XLZBB
+4Es/Fah4lyou9R1xdUfF6iGBV6HgDMIuh+QYfqA/jJ4HXNMKLtDXakS8xYp2A0Wn
+g0EnjGx44DNweBkKGB9asldgwOM7MYMoQvS3Nkyu3oFqpfLpuWpWB/3Vw3PMGEdx
+r/c8Ev5XoVtl2+dXszsEp2jwUOFo8+DZzFdBZdA2F7RmcP+zxbAHIw/jHf/ptDGg
+NtzHmLhxiLblGlJHw/4a0HhXa453jzLsD1+hQpqBRUNbXBp1qpjqEr5SF1iVNGpZ
+peWFawp53MkIBXRls66ViJsl//fPBg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDPTCCAiWgAwIBAgIKRbRr9ZfmrY72TjANBgkqhkiG9w0BAQsFADBTMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxHzAd
+BgNVBAMMFmNhLnRlc3RpbmcuZmx1ZW50ZC5vcmcwIBcNNzAwMTAxMDAwMDAwWhgP
+MjExODEwMjcwODA2NTdaMFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQG
+A1UEBwwNTW91bnRhaW4gVmlldzEgMB4GA1UEAwwXY2EyLnRlc3RpbmcuZmx1ZW50
+ZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6gnGxD4RQuAA1
+fQNMl9mctiIvcJ0Dz5f3JtCJlKKqBDKJ17py7tjFZ2MZ5vytIl1DUU2oxHew8F/u
+U8s+8ljmL3seiXx2kMCOxCvSW3JYUQrzbTHKszna7Ffy94SzpRDh/4/2RGatnSqi
+n4fRpalrchhH6Ds6v486o7YcwEKPR2dlD+Ltd/V3lMAOAmoRoe2aQlLudOUQjHJU
+YWGim8XS2dNAEy4WR5DvjYEA+CwKEX7f9p0Dihs8FKBjB2TvBwUkdfILLEnwA1rs
+r0coUt3kwYt9TYNYv6/SZYvFtaYjM3BmLVHI3mtEchaA+Tij4V4gRZ573Ai1+Fb8
+rxn+oTsVAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AHID7VD2PS7svmCXRg4qe7MkhA0veIadZRE6WZgJo3Z64p9jUWu/Y3ZrlZuDg0qI
+yV65UgWrgUOiGN6RZmI5A850DH3ryjvQElPHWjRavm0GtrOxFhHYpX8N7DRFW7t0
+7mld7YvbKRj0BrovU3avPC1P9w8FpegMKh48HsoRCO3NhHvYwtAf2B767UuAaqnI
+DW9rMPRTZv+Pv+G+kJN+updOs6HiHFxeS8Bwb8GlADcwWNGMqyJJyKmaefYVzDKt
+xfBiKiwev6Hm8RVTk1H3rKVZox/ZkDiZfZhmBJqO4mdDR4LLFIRIPqjUPxENsKFJ
+MyrDcwH+0Aq9ZSiRaVyfCkQ=
+-----END CERTIFICATE-----

data/test/plugin_helper/data/cert/generate_cert.rb

@@ -7,6 +7,7 @@ end
 
 WITHOUT_CA_DIR = './without_ca'.freeze
 WITH_CA_DIR = './with_ca'.freeze
+WITH_CERT_CHAIN_DIR = './cert_chains'.freeze
 
 CA_OPTION = {
   private_key_length: 2048,
@@ -83,5 +84,42 @@ def create_with_ca
   create_server_pair_signed_by_ca(ca_cert_pass_path, ca_key_pass_path, 'orange', cert_pass_path, cert_key_pass_path, 'apple')
 end
 
+def create_cert_pair_chained_with_root_ca(ca_cert_path, ca_key_path, ca_key_passphrase, cert_path, private_key_path, passphrase)
+  root_cert, root_key, _ = CertUtil.cert_option_generate_ca_pair_self_signed(CA_OPTION)
+  write_cert_and_key(ca_cert_path, root_cert, ca_key_path, root_key, ca_key_passphrase)
+
+  intermediate_ca_options = CA_OPTION.dup
+  intermediate_ca_options[:common_name] = 'ca2.testing.fluentd.org'
+  chain_cert, chain_key = CertUtil.cert_option_generate_pair(intermediate_ca_options, root_cert.subject)
+  chain_cert.add_extension(OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(true)])))
+  chain_cert.sign(root_key, 'sha256')
+
+  cert, server_key, _ = CertUtil.cert_option_generate_pair(SERVER_OPTION, chain_cert.subject)
+  cert.add_extension OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(false)]))
+  cert.sign(chain_key, 'sha256')
+
+  # write chained cert
+  File.open(cert_path, 'w') do |f|
+    f.write(cert.to_pem)
+    f.write(chain_cert.to_pem)
+  end
+
+  key_str = passphrase ? server_key.export(OpenSSL::Cipher.new("AES-256-CBC"), passphrase) : server_key.export
+  File.open(private_key_path, "w") { |f| f.write(key_str) }
+  File.chmod(0600, cert_path, private_key_path)
+end
+
+def create_cert_chain
+  FileUtils.mkdir_p(WITH_CERT_CHAIN_DIR)
+  ca_cert_path = File.join(WITH_CERT_CHAIN_DIR, 'ca-cert.pem')
+  ca_key_path = File.join(WITH_CERT_CHAIN_DIR, 'ca-cert-key.pem')
+
+  cert_path = File.join(WITH_CERT_CHAIN_DIR, 'cert.pem')
+  private_key_path = File.join(WITH_CERT_CHAIN_DIR, 'cert-key.pem')
+
+  create_server_pair_chained_with_root_ca(ca_cert_path, ca_key_path, nil, cert_path, private_key_path, nil)
+end
+
 create_without_ca
 create_with_ca
+create_cert_chain

data/test/plugin_helper/http_server/test_app.rb

@@ -9,7 +9,7 @@ rescue LoadError => _
 end
 
 unless skip
-  class HtttpHelperAppTest < Test::Unit::TestCase
+  class HttpHelperAppTest < Test::Unit::TestCase
     NULL_LOGGER = Logger.new(nil)
 
     class DummyRounter

data/test/plugin_helper/http_server/test_route.rb

@@ -9,7 +9,7 @@ rescue LoadError => _
 end
 
 unless skip
-  class HtttpHelperRouterTest < Test::Unit::TestCase
+  class HttpHelperRouterTest < Test::Unit::TestCase
     sub_test_case '#mount' do
       test 'mount with method and path' do
         router = Fluent::PluginHelper::HttpServer::Router.new

data/test/plugin_helper/test_child_process.rb

@@ -818,5 +818,20 @@ class ChildProcessTest < Test::Unit::TestCase
       end
       assert File.exist?(@temp_path)
     end
+
+    test 'execute child process writing data to stdout which is unread' do
+      callback_called = false
+      exit_status = nil
+      prog = "echo writing to stdout"
+      callback = ->(status){ exit_status = status; callback_called = true }
+      Timeout.timeout(TEST_DEADLOCK_TIMEOUT) do
+        @d.child_process_execute(:out_exec_process, prog, stderr: :connect, immediate: true, parallel: true, mode: [], wait_timeout: 1, on_exit_callback: callback)
+        sleep TEST_WAIT_INTERVAL_FOR_BLOCK_RUNNING until callback_called
+      end
+      assert callback_called
+      assert exit_status
+      assert exit_status.success?
+      assert_equal 0, exit_status.exitstatus
+    end
   end
 end

data/test/plugin_helper/test_http_server_helper.rb

@@ -8,7 +8,7 @@ require 'uri'
 require 'openssl'
 require 'async'
 
-class HtttpHelperTest < Test::Unit::TestCase
+class HttpHelperTest < Test::Unit::TestCase
   PORT = unused_port
   NULL_LOGGER = Logger.new(nil)
   CERT_DIR = File.expand_path(File.dirname(__FILE__) + '/data/cert/without_ca')
@@ -110,7 +110,7 @@ class HtttpHelperTest < Test::Unit::TestCase
       end
 
       context.cert_store = cert_store
-      if !hostname && context.respond_to?(:verify_hostname=)
+      if !hostname
         context.verify_hostname = false # In test code, using hostname to be connected is very difficult
       end
 

data/test/plugin_helper/test_record_accessor.rb

@@ -194,4 +194,45 @@ class RecordAccessorHelperTest < Test::Unit::TestCase
       end
     end
   end
+
+  sub_test_case 'Fluent::PluginHelper::RecordAccessor::Accessor#set' do
+    setup do
+      @d = Dummy.new
+    end
+
+    data('normal' => 'key1',
+         'space' => 'ke y2',
+         'dot key' => 'this.is.key3')
+    test 'set top key' do |param|
+      r = {'key1' => 'v1', 'ke y2' => 'v2', 'this.is.key3' => 'v3'}
+      accessor = @d.record_accessor_create(param)
+      accessor.set(r, "test")
+      assert_equal "test", r[param]
+    end
+
+    test "set top key using bracket style" do
+      r = {'key1' => 'v1', 'ke y2' => 'v2', 'this.is.key3' => 'v3'}
+      accessor = @d.record_accessor_create('$["this.is.key3"]')
+      accessor.set(r, "test")
+      assert_equal "test", r["this.is.key3"]
+    end
+
+    data('bracket' => "$['key1'][0]['ke y2']",
+         'bracket w/ double quotes' => '$["key1"][0]["ke y2"]')
+    test "set nested keys ['key1', 0, 'ke y2']" do |param|
+      r = {'key1' => [{'ke y2' => "value"}]}
+      accessor = @d.record_accessor_create(param)
+      accessor.set(r, "nested_message")
+      assert_equal "nested_message", r['key1'][0]['ke y2']
+    end
+
+    test "don't raise an error when unexpected record is coming" do
+      r = {'key1' => [{'key3' => "value"}]}
+      accessor = @d.record_accessor_create("$['key1']['key2']['key3']")
+      assert_nothing_raised do
+        accessor.set(r, "unknown field")
+      end
+      assert_equal({'key1' => [{'key3' => "value"}]}, r)
+    end
+  end
 end

data/test/plugin_helper/test_server.rb

@@ -860,7 +860,7 @@ class ServerPluginHelperTest < Test::Unit::TestCase
       end
       context.verify_mode = OpenSSL::SSL::VERIFY_PEER
       context.cert_store = cert_store
-      if !hostname && context.respond_to?(:verify_hostname=)
+      if !hostname
         context.verify_hostname = false # In test code, using hostname to be connected is very difficult
       end
     else

data/test/plugin_helper/test_service_discovery.rb

@@ -4,9 +4,6 @@ require 'fluent/plugin_helper/service_discovery'
 require 'fluent/plugin/output'
 
 class ServiceDiscoveryHelper < Test::Unit::TestCase
-  PORT = unused_port
-  NULL_LOGGER = Logger.new(nil)
-
   class Dummy < Fluent::Plugin::TestBase
     helpers :service_discovery
 
@@ -30,6 +27,7 @@ class ServiceDiscoveryHelper < Test::Unit::TestCase
     if @d
       @d.stop unless @d.stopped?
       @d.shutdown unless @d.shutdown?
+      @d.after_shutdown unless @d.after_shutdown?
       @d.close unless @d.closed?
       @d.terminate unless @d.terminated?
     end
@@ -40,7 +38,7 @@ class ServiceDiscoveryHelper < Test::Unit::TestCase
 
     d.service_discovery_create_manager(
       :service_discovery_helper_test,
-      configurations: [{ type: :static, conf:  config_element('root', '', {}, [config_element('service', '', { 'host' => '127.0.0.1', 'port' => '1234' })]) }],
+      configurations: [{ type: :static, conf: config_element('root', '', {}, [config_element('service', '', { 'host' => '127.0.0.1', 'port' => '1234' })]) }],
     )
 
     assert_true !!d.discovery_manager
@@ -49,6 +47,7 @@ class ServiceDiscoveryHelper < Test::Unit::TestCase
     mock.proxy(d).timer_execute(:service_discovery_helper_test, anything).never
 
     d.start
+    d.event_loop_wait_until_start
 
     services = d.discovery_manager.services
     assert_equal 1, services.size
@@ -68,5 +67,39 @@ class ServiceDiscoveryHelper < Test::Unit::TestCase
     mock.proxy(d.discovery_manager).start.once
     mock(d).timer_execute(:service_discovery_helper_test, anything).once
     d.start
+    d.event_loop_wait_until_start
+  end
+
+  test 'exits service discovery instances without any errors' do
+    d = @d = Dummy.new
+    mockv = flexmock('dns_resolver', getaddress: '127.0.0.1')
+              .should_receive(:getresources)
+              .and_return([Resolv::DNS::Resource::IN::SRV.new(1, 10, 8081, 'service1.example.com')])
+              .mock
+    mock(Resolv::DNS).new { mockv }
+
+    d.service_discovery_create_manager(
+      :service_discovery_helper_test2,
+      configurations: [{ type: :srv, conf: config_element('service_discovery', '', { 'service' => 'service1', 'hostname' => 'example.com' }) }],
+    )
+
+    assert_true !!d.discovery_manager
+    mock.proxy(d.discovery_manager).start.once
+    mock(d).timer_execute(:service_discovery_helper_test2, anything).once
+
+    # To avoid claring `@logs` during `terminate` step
+    # https://github.com/fluent/fluentd/blob/bc78d889f93dad8c2a4e0ad1ca802546185dacba/lib/fluent/test/log.rb#L33
+    mock(d.log).reset.twice
+
+    d.start
+    d.event_loop_wait_until_start
+
+    d.stop unless d.stopped?
+    d.shutdown unless d.shutdown?
+    d.after_shutdown unless d.after_shutdown?
+    d.close unless d.closed?
+    d.terminate unless d.terminated?
+
+    assert_false(d.log.out.logs.any? { |e| e.match?(/thread doesn't exit correctly/) })
   end
 end

data/test/plugin_helper/test_socket.rb

@@ -0,0 +1,131 @@
+require_relative '../helper'
+require 'fluent/plugin_helper/socket'
+require 'fluent/plugin/base'
+
+require 'socket'
+require 'openssl'
+
+class SocketHelperTest < Test::Unit::TestCase
+  PORT = unused_port
+  CERT_DIR = File.expand_path(File.dirname(__FILE__) + '/data/cert/without_ca')
+  CA_CERT_DIR = File.expand_path(File.dirname(__FILE__) + '/data/cert/with_ca')
+  CERT_CHAINS_DIR = File.expand_path(File.dirname(__FILE__) + '/data/cert/cert_chains')
+
+  class SocketHelperTestPlugin < Fluent::Plugin::TestBase
+    helpers :socket
+  end
+
+  class EchoTLSServer
+    def initialize(host = '127.0.0.1', port = PORT, cert_path: nil, private_key_path: nil, ca_path: nil)
+      server = TCPServer.open(host, port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.cert = OpenSSL::X509::Certificate.new(File.open(cert_path)) if cert_path
+
+      cert_store = OpenSSL::X509::Store.new
+      cert_store.set_default_paths
+      cert_store.add_file(ca_path) if ca_path
+      ctx.cert_store = cert_store
+
+      ctx.key = OpenSSL::PKey::RSA.new(File.open(private_key_path)) if private_key_path
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ctx.verify_hostname = false
+
+      @server = OpenSSL::SSL::SSLServer.new(server, ctx)
+      @thread = nil
+      @r, @w = IO.pipe
+    end
+
+    def start
+      do_start
+
+      if block_given?
+        begin
+          yield
+          @thread.join(5)
+        ensure
+          stop
+        end
+      end
+    end
+
+    def stop
+      unless @w.closed?
+        @w.write('stop')
+      end
+
+      [@server, @w, @r].each do |s|
+        next if s.closed?
+        s.close
+      end
+
+      @thread.join(5)
+    end
+
+    private
+
+    def do_start
+      @thread = Thread.new(@server) do |s|
+        socks, _, _ = IO.select([s.accept, @r], nil, nil)
+
+        if socks.include?(@r)
+          break
+        end
+
+        sock = socks.first
+        buf = +''
+        loop do
+          b = sock.read_nonblock(1024, nil, exception: false)
+          if b == :wait_readable || b.nil?
+            break
+          end
+          buf << b
+        end
+
+        sock.write(buf)
+        sock.close
+      end
+    end
+  end
+
+  test 'with self-signed cert/key pair' do
+    cert_path = File.join(CERT_DIR, 'cert.pem')
+    private_key_path = File.join(CERT_DIR, 'cert-key.pem')
+
+    EchoTLSServer.new(cert_path: cert_path, private_key_path: private_key_path).start do
+      client = SocketHelperTestPlugin.new.socket_create_tls('127.0.0.1', PORT, verify_fqdn: false, cert_paths: [cert_path])
+      client.write('hello')
+      assert_equal 'hello', client.readpartial(100)
+      client.close
+    end
+  end
+
+  test 'with cert/key signed by self-signed CA' do
+    cert_path = File.join(CA_CERT_DIR, 'cert.pem')
+    private_key_path = File.join(CA_CERT_DIR, 'cert-key.pem')
+
+    ca_cert_path = File.join(CA_CERT_DIR, 'ca-cert.pem')
+
+    EchoTLSServer.new(cert_path: cert_path, private_key_path: private_key_path).start do
+      client = SocketHelperTestPlugin.new.socket_create_tls('127.0.0.1', PORT, verify_fqdn: false, cert_paths: [ca_cert_path])
+      client.write('hello')
+      assert_equal 'hello', client.readpartial(100)
+      client.close
+    end
+  end
+
+  test 'with cert/key signed by self-signed CA in server and client cert chain' do
+    cert_path = File.join(CERT_DIR, 'cert.pem')
+    private_key_path = File.join(CERT_DIR, 'cert-key.pem')
+
+    client_ca_cert_path = File.join(CERT_CHAINS_DIR, 'ca-cert.pem')
+    client_cert_path = File.join(CERT_CHAINS_DIR, 'cert.pem')
+    client_private_key_path = File.join(CERT_CHAINS_DIR, 'cert-key.pem')
+
+    EchoTLSServer.new(cert_path: cert_path, private_key_path: private_key_path, ca_path: client_ca_cert_path).start do
+      client = SocketHelperTestPlugin.new.socket_create_tls('127.0.0.1', PORT, verify_fqdn: false, cert_path: client_cert_path, private_key_path: client_private_key_path, cert_paths: [cert_path])
+      client.write('hello')
+      assert_equal 'hello', client.readpartial(100)
+      client.close
+    end
+  end
+end