Reinoud Koornstra | 23 Oct 21:24 2014
Picon

man page and options.c contradict

Hello Everyone,

I read the manpage here: doc/openvpn.8

<connection>
remote 198.19.34.56 443 tcp
</connection>

However, when you configure this in your configuration file, you cannot do this:

in src/openvpn/options.c:

  /*
   * If "proto tcp" is specified, make sure we know whether it is
   * tcp-client or tcp-server.
   */
  if (ce->proto == PROTO_TCPv4)
    msg (M_USAGE, "--proto tcp is ambiguous in this context.  Please specify --proto tcp-server or --proto tcp-client");
  if (ce->proto == PROTO_TCPv6)
    msg (M_USAGE, "--proto tcp6 is ambiguous in this context.  Please specify --proto tcp6-server or --proto tcp6-client");


So the man page isn't correct?
The only thing I can reliably use in p2p mode is remote host 1194 udp
If I fill out a different port.
The idea in my case is to have a point-to-point connection where both hosts listen on port 443 tcp instead of port 1194 udp to setup the point-to-point connection.
Thanks,

Reinoud.
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Lisa Minogue | 23 Oct 07:30 2014
Picon

Are OpenVPN 2.3.4 I005 and I605 builit with OpenSSL 1.0.1j and "no-ssl3" flag?

Hi Samuli

I'm no expert of OpenVPN or OpenSSL and it be nice of you if you could tell me whether the latest OpenVPN's
installers for Microsoft Windows OS have been built with "no-ssl3" flag in OpenSSL 1.0.1j.

Regards.

Lisa
-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be

------------------------------------------------------------------------------
Steffan Karger | 23 Oct 00:16 2014

[PATCH] Modernize sample keys and sample configs

I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity from my part).

Changes:
 * Add script to generate fresh test/sample keys
   (but keep sample keys in git for simple testing)
 * Switch from 1024 to 4096 bits RSA CA
 * Switch from 1024 to 2048 bits client/server RSA keys
 * Switch from 1024 to 2048 bits Diffie-Hellman parameters
 * Generate EC client and server cert, but sign with RSA CA
   (lets us test EC <-> RSA interoperability)
 * Remove 3DES cipher from 'sample' config
 * Add 'remote-cert-tls server' to client config
 * Update config files to deprecate nsCertType in favour of the
   keyUsage and extendedKeyUsage extensions.
 * Make naming more consistent

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 sample/sample-config-files/client.conf     |  17 ++--
 sample/sample-config-files/loopback-client |   2 +-
 sample/sample-config-files/loopback-server |   3 +-
 sample/sample-config-files/server.conf     |   6 +-
 sample/sample-config-files/tls-office.conf |   2 +-
 sample/sample-keys/.gitignore              |   1 +
 sample/sample-keys/README                  |  17 ++--
 sample/sample-keys/ca.crt                  |  48 ++++++----
 sample/sample-keys/ca.key                  |  67 ++++++++++----
 sample/sample-keys/client-ec.crt           |  85 ++++++++++++++++++
 sample/sample-keys/client-ec.key           |   5 ++
 sample/sample-keys/client-pass.key         |  30 +++++++
 sample/sample-keys/client.crt              | 126 +++++++++++++++++---------
 sample/sample-keys/client.key              |  43 +++++----
 sample/sample-keys/client.p12              | Bin 0 -> 4533 bytes
 sample/sample-keys/dh1024.pem              |   5 --
 sample/sample-keys/dh2048.pem              |   8 ++
 sample/sample-keys/ec-ca.crt               |  13 ---
 sample/sample-keys/ec-ca.key               |   6 --
 sample/sample-keys/ec-client.crt           |  61 -------------
 sample/sample-keys/ec-client.key           |   6 --
 sample/sample-keys/ec-server.crt           |  61 -------------
 sample/sample-keys/ec-server.key           |   6 --
 sample/sample-keys/gen-sample-keys.sh      |  74 +++++++++++++++
 sample/sample-keys/openssl.cnf             | 139 +++++++++++++++++++++++++++++
 sample/sample-keys/pass.crt                |  65 --------------
 sample/sample-keys/pass.key                |  18 ----
 sample/sample-keys/pkcs12.p12              | Bin 2685 -> 0 bytes
 sample/sample-keys/server-ec.crt           |  96 ++++++++++++++++++++
 sample/sample-keys/server-ec.key           |   5 ++
 sample/sample-keys/server.crt              | 130 ++++++++++++++++++---------
 sample/sample-keys/server.key              |  43 +++++----
 32 files changed, 778 insertions(+), 410 deletions(-)
 create mode 100644 sample/sample-keys/.gitignore
 create mode 100644 sample/sample-keys/client-ec.crt
 create mode 100644 sample/sample-keys/client-ec.key
 create mode 100644 sample/sample-keys/client-pass.key
 create mode 100644 sample/sample-keys/client.p12
 delete mode 100644 sample/sample-keys/dh1024.pem
 create mode 100644 sample/sample-keys/dh2048.pem
 delete mode 100644 sample/sample-keys/ec-ca.crt
 delete mode 100644 sample/sample-keys/ec-ca.key
 delete mode 100644 sample/sample-keys/ec-client.crt
 delete mode 100644 sample/sample-keys/ec-client.key
 delete mode 100644 sample/sample-keys/ec-server.crt
 delete mode 100644 sample/sample-keys/ec-server.key
 create mode 100755 sample/sample-keys/gen-sample-keys.sh
 create mode 100644 sample/sample-keys/openssl.cnf
 delete mode 100644 sample/sample-keys/pass.crt
 delete mode 100644 sample/sample-keys/pass.key
 delete mode 100644 sample/sample-keys/pkcs12.p12
 create mode 100644 sample/sample-keys/server-ec.crt
 create mode 100644 sample/sample-keys/server-ec.key

diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf
index 58b2038..050ef60 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
 <at>  <at>  -89,18 +89,19  <at>  <at>  ca ca.crt
 cert client.crt
 key client.key
 
-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server".  This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
 # a potential attack discussed here:
 #  http://openvpn.net/howto.html#mitm
 #
 # To use this feature, you will need to generate
-# your server certificates with the nsCertType
-# field set to "server".  The build-key-server
-# script in the easy-rsa folder will do this.
-ns-cert-type server
+# your server certificates with the keyUsage set to
+#   digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+#   serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
 
 # If a tls-auth key is used on the server
 # then every client must also have the key.
diff --git a/sample/sample-config-files/loopback-client b/sample/sample-config-files/loopback-client
index d7f59e6..ebbd1cf 100644
--- a/sample/sample-config-files/loopback-client
+++ b/sample/sample-config-files/loopback-client
 <at>  <at>  -17,9 +17,9  <at>  <at>  dev null
 verb 3
 reneg-sec 10
 tls-client
+remote-cert-tls server
 ca sample-keys/ca.crt
 key sample-keys/client.key
 cert sample-keys/client.crt
-cipher DES-EDE3-CBC
 ping 1
 inactive 120 10000000
diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server
index 9d21bce..8cb97be 100644
--- a/sample/sample-config-files/loopback-server
+++ b/sample/sample-config-files/loopback-server
 <at>  <at>  -17,10 +17,9  <at>  <at>  dev null
 verb 3
 reneg-sec 10
 tls-server
-dh sample-keys/dh1024.pem
+dh sample-keys/dh2048.pem
 ca sample-keys/ca.crt
 key sample-keys/server.key
 cert sample-keys/server.crt
-cipher DES-EDE3-CBC
 ping 1
 inactive 120 10000000
diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf
index 467d5b8..701be3c 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
 <at>  <at>  -81,10 +81,8  <at>  <at>  key server.key  # This file should be kept secret
 
 # Diffie hellman parameters.
 # Generate your own with:
-#   openssl dhparam -out dh1024.pem 1024
-# Substitute 2048 for 1024 if you are using
-# 2048 bit keys.
-dh dh1024.pem
+#   openssl dhparam -out dh2048.pem 2048
+dh dh2048.pem
 
 # Network topology
 # Should be subnet (addressing via IP)
diff --git a/sample/sample-config-files/tls-office.conf b/sample/sample-config-files/tls-office.conf
index f790f46..d196144 100644
--- a/sample/sample-config-files/tls-office.conf
+++ b/sample/sample-config-files/tls-office.conf
 <at>  <at>  -26,7 +26,7  <at>  <at>  up ./office.up
 tls-server
 
 # Diffie-Hellman Parameters (tls-server only)
-dh dh1024.pem
+dh dh2048.pem
 
 # Certificate Authority file
 ca my-ca.crt
diff --git a/sample/sample-keys/.gitignore b/sample/sample-keys/.gitignore
new file mode 100644
index 0000000..f148752
--- /dev/null
+++ b/sample/sample-keys/.gitignore
 <at>  <at>  -0,0 +1  <at>  <at> 
+sample-ca/
diff --git a/sample/sample-keys/README b/sample/sample-keys/README
index 9f4f918..66dd945 100644
--- a/sample/sample-keys/README
+++ b/sample/sample-keys/README
 <at>  <at>  -1,14 +1,19  <at>  <at> 
 Sample RSA and EC keys.
 
+Run ./gen-sample-keys.sh to generate fresh test keys.
+
 See the examples section of the man page for usage examples.
 
 NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY.
       DON'T USE THEM FOR ANY REAL WORK BECAUSE
       THEY ARE TOTALLY INSECURE!
 
-ca.{crt,key}     -- sample CA key/cert
-client.{crt,key} -- sample client key/cert
-server.{crt,key} -- sample server key/cert (nsCertType=server)
-pass.{crt,key}   -- sample client key/cert with password-encrypted key
-                    password = "password"
-ec-*.{crt,key}   -- sample elliptic curve variants of the above
+ca.{crt,key}        -- sample CA key/cert
+server.{crt,key}    -- sample server key/cert
+client.{crt,key}    -- sample client key/cert
+client-pass.key     -- sample client key with password-encrypted key
+                       password = "password"
+client.p12          -- sample client pkcs12 bundle
+                       password = "password"
+client-ec.{crt,key} -- sample elliptic curve client key/cert
+server-ec.{crt,key} -- sample elliptic curve server key/cert
diff --git a/sample/sample-keys/ca.crt b/sample/sample-keys/ca.crt
index e063ccc..a11bafa 100644
--- a/sample/sample-keys/ca.crt
+++ b/sample/sample-keys/ca.crt
 <at>  <at>  -1,19 +1,35  <at>  <at> 
 -----BEGIN CERTIFICATE-----
-MIIDBjCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL
+MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV
+BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM
+T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w
+HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL
 MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
-VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy
-NTE0NDA1NVoXDTE0MTEyMzE0NDA1NVowZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
-Ak5BMRAwDgYDVQQHEwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAf
-BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCBnzANBgkqhkiG9w0BAQEF
-AAOBjQAwgYkCgYEAqPjWJnesPu6bR/iec4FMz3opVaPdBHxg+ORKNmrnVZPh0t8/
-ZT34KXkYoI9B82scurp8UlZVXG8JdUsz+yai8ti9+g7vcuyKUtcCIjn0HLgmdPu5
-gFX25lB0pXw+XIU031dOfPvtROdG5YZN5yCErgCy7TE7zntLnkEDuRmyU6cCAwEA
-AaOBwzCBwDAdBgNVHQ4EFgQUiaZg47rqPq/8ZH9MvYzSSI3gzEYwgZAGA1UdIwSB
-iDCBhYAUiaZg47rqPq/8ZH9MvYzSSI3gzEahaqRoMGYxCzAJBgNVBAYTAktHMQsw
-CQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQTi1U
-RVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBfJoiWYrYdjM0mKPEzUQk0nLYTovBP
-I0es/2rfGrin1zbcFY+4dhVBd1E/StebnG+CP8r7QeEIwu7x8gYDdOLLsZn+2vBL
-e4jNU1ClI6Q0L7jrzhhunQ5mAaZztVyYwFB15odYcdN2iO0tP7jtEsvrRqxICNy3
-8itzViPTf5W4sA==
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88
+8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb
+GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF
+qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5
+CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG
+KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy
+n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS
+rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF
+YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV
+HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow
+4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y
+YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO
+BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ
+BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE
+ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h
+aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG
+9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj
+Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth
+rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I
+AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P
+ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J
+kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR
+9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu
+5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+
+65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV
+y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa
+hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw=
 -----END CERTIFICATE-----
diff --git a/sample/sample-keys/ca.key b/sample/sample-keys/ca.key
index b4bf792..8b11bc2 100644
--- a/sample/sample-keys/ca.key
+++ b/sample/sample-keys/ca.key
 <at>  <at>  -1,15 +1,52  <at>  <at> 
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCo+NYmd6w+7ptH+J5zgUzPeilVo90EfGD45Eo2audVk+HS3z9l
-PfgpeRigj0Hzaxy6unxSVlVcbwl1SzP7JqLy2L36Du9y7IpS1wIiOfQcuCZ0+7mA
-VfbmUHSlfD5chTTfV058++1E50blhk3nIISuALLtMTvOe0ueQQO5GbJTpwIDAQAB
-AoGAQuVREyWp4bhhbZr2UFBOco2ws6EOLWp4kdD/uI+WSoEjlHKiDJj+GJ1CrL5K
-o+4yD5MpCQf4/4FOQ0ukprfjJpDwDinTG6vzuWSLTHNiTgvksW3vy7IsNMJx97hT
-4D2QOOl9HhA50Qqg70teMPYXOgLRMVsdCIV7p7zDNy4nM+ECQQDX8m5ZcQmPtUDA
-38dPTfpL4U7kMB94FItJYH/Lk5kMW1/J33xymNhL+BHaG064ol9n2ubGW4XEO5t2
-qE1IOsVpAkEAyE/x/OBVSI1s75aYGlEwMd87p3qaDdtXT7WzujjRY7r8Y1ynkMU6
-GtMeneBX/lk4BY/6I+5bhAzce+hqhaXejwJBAL5Wg+c4GApf41xdogqHm7doNyYw
-OHyZ9w9NDDc+uGbI30xLPSCxEe0cEXgiG6foDpm2uzRZFTWaqHPU8pFYpAkCQGNX
-cpWM0/7VVK9Fqk1y8knpgfY/UWOJ4jU/0dCLGR0ywLSuYNPlXDmtdkOp3TnhGW14
-x/9F2NEWZ8pzq1B4wHUCQQC5ztD4m/rpiIpinoewUJODoeBJXYBKqx1+mdrALCq6
-ESvK1WRiusMaY3xmsdv4J2TB5iUPryELbn3jU12WGcQc
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCwlU8Kq3e+2gNb
+ZTQMgjVAiHZCzR2qHzzyeK/EAibYtOr3d718mGyrc/9RVgBhJ4Iit6RfKlHQRCBK
+Bw1O8YEx7bQGgc7nK9saMo+aN8uPpdGi0I4bLwQOX+EuBFj15+IDzCxV+68Xar8V
+uXIlA9H+A+IO1OZSKoWpdrsAmYyuoWydamk64Z3tBzppOxp7hMXV7+BRMJOtprs1
+4ejANoqF3IWYQScJhHkJ5SzHYmUVYAfw8KvEGkdhuYbK9LSQff6tCRpIz8/NzZtL
+hrIdo5hErlewarxeI0YpNMudJoJ094ewj7fEweYSH67k6DYMUaC/IPbaB17pbZ7O
+8QoJQOvNHtuydiqrJTKfsvGeQ9cbK9HnZPTobwrMspBGYOU8heHMow7TuqQeYiid
+dN0XtgjVrPAekC03h1KtR7Vu+OJNKgSxA984DK8PREwr8IF+ARlTMAHnR78iVtnz
+hzQMl9Qw6bjELJ+3UcVilh7IJ/l3GgiPB4I86g/jbr5pNczuSqrSJ4ivpjGcpXo4
+YYsoRj5U1mHUNLt6epUc/mLx6KbK5Rg+hCFsr3G0MYyCCGdzoefwGV08xy/P3wd1
+MQfisF8DfI24LEtI2jDiMm4uM1eHZB6JS1a2ReNrt5z4/tWopN24mhFpftyz7wTc
+iaKCJGe+Yr6emTs23XJgT2EFGFKguwIDAQABAoICAQCEYPqnihI0PqZjnwQdGIQp
+g+P8gl7pyY9cS0OhUueicEbyDI8+V9qn0kcmx61zKDY0Jq4QNd6tnlUCijTc6Mot
+DwF2G1xsC4GvKxZiy89MOkhloanXETEeQZzDbbjvaM4UgL0AHLWPfZQRCjxbKXkE
+0A5phgvAr2YSvBLHCVXhGN0fScXnwXouVsvgVdGtpcTWdIUa+KrNdQBGDbz6VCkW
+31I76SQFy40d8PPX6ZjUJHDvnM14LycySO6XOkofRIVnXTqaOUiVBb2VKj5fX+Ro
+ILdWZz4d6J3RiGXYwyTr4SGVKLjgxWfgUGZB7x+NrqgugNzuaLYrkuWKSEN42nWq
+yoP6x6xtbAsmB6Fvdqwm/d8BmLhUweaVc0L7AYzXNsOBuT3kubJHMmu3Jv4xgyWk
+l/MAGJQc7i7QQweGgsYZgR8WlbkWkSFpUcgQBDzDibb6nsD2jnYijQrnrrmiEjEI
+R7MO551V+nFw9utiM8U9WIWwqzY0d98ujWkGjVe7uz9ZBVyg0DEAEj/zRi9T54aG
+1V6CB2Cjyw+HzzsDw7yWroWzo4U9YfjbPKCoBsXlqQFLFwY8oL6mEZ7UOobaV1Zl
+WtuHyYw3UNFxuSGPPyxJkFePIQLLvfKvh2R+V0DrT3UJRoKKlt9RejRSN0tOh0Cm
+2YD6d7T/DXnQHomIQKhKEQKCAQEA3sgsDg0eKDK8pUyVE+9wW5kql12nTzpBtnCM
+eg5J9OJcXKhCD/NIyUTIMXoMvZQpLwGUAYLgu4gE04zKWHDouf7MRSFltD5LJ7F2
+7nuYKHZXk0BhgMhdnQot3FKcOMrKCnZcM+RWX9ZJa8wO6whCaYCw7DtS0SSVODQk
+9EwAgX6/Hq60V7ujPZJCyNd3o0bIdAA/0AQRTZUADP3AHgUzh71aysYJt+UKt1v0
+Xc7l6hn7Dn7Ewzpf+WdZ2pV7d3JUSBVKiTDxLV904nDBNOxjMhz0rW01ojR6bzpn
+XhkFPqnmh+yEYGRgfSAAzkvSsSJEAtBFSicupA/6n83Lo2YvswKCAQEAyumuxP4Z
+a7s8x8DFba7vuQ+KVxpkKgEz1sxnGRNQJm18/ss/Y5JiaLFYT3E72VkQfBQ2ngu+
+GrJL3OhiNhzy1KLGS6mrwULtKiuud5MMQDL0Pvkncr9NTy4rBnWzhp2XyPeETu8n
+JpL2i2OK6lY/lgpBckXuap9gAl0fXk+y+BkZ71OoYaGnKpPjs+Xcq/qgPgZ7O3NW
+1g+Bd2AVPSxQpXjuy5rgtQURCN733vkNBzFedKREx7Z6l8UPlK/Exuc7BMIHfn5V
+dd0R3Th+82fkMNVJz6MKmHJ6CJI53M7co/YdAvIkxOFRIPGbO3arL2R69nRgAZBE
+zLawx1JJTRIG2QKCAQATtZXgMFzopYR3A011FAvWrrhL5+czZS4HG/Hxom38kkIl
+mGUv0BAybjlf1zJlW0RBelxDvfZv4Nq8dIo6RNLyEY601v2OcqxneJXTB3AwtDeP
+OXTm1dMiX5IrGcvkYlx5jHsfxCW4GNcqCEWRmYt2lgIRBDaRdjEVZdeXHVo2GqaB
+6mbeFCWe/t+VsSpOcaauTI9YseNt/66fd5uVjFRAwAnWQqr9b/AAxMvbuMAyc9X4
+NFLoCrQO9ovGgM8JhD3cmrWbaY8MupM2rU8KhZdJCbLD3ROPpCDo0jvu4TvLjXBt
+ugkEFh1LNJedqKudLDDkJtTaeJjxvtAnbyeC7zltAoIBAC9TIyzUqq8io0FfZ2x2
+cXiy9CvuftABKcr+L0l85KOhw5ZVZvpdKNCMFDGrEi9WA28886QWzwbA8Mqb9FP0
+mnoXYLJC50kSx+ee+nju9dt/RtHtIFM15N0DwosmJnHODZmUiOo0AuiPPCs0UzDm
+Xrwqtirlvn5ln2nNuEQxyGbuy8qys0HaBvf6OBA8GySNNpRgxJsQAn+4bBSgdzOm
+Q0TkmKUqASCXBusPvbXmVjCIRiRkL5p4p8z/6+tct0NAqNYqPr80zc/IeKMkyw8P
++vucszNXLmBxyp53JEGoiXNAMnH+ca7tchOB5hePTMun3rneWInk0PcB4OcL/QaZ
+nrkCggEBAN67+SvcWtM1BoLXSz5/apFAE+DicCv94PrvMBOhfvu1oBrElR1rBjiN
+2B83SktkF4WhCXr10GP+RUpjaqPBtT7NW4r3fL5B8EPsHeabL+pg9e6wG1rH8GqG
+toWecmfC9uqK7l1A59h5Oveq5K19bZTRZRjQtv2e4KQknlJR6cwy+TGUU5kAUlMt
+vcivyjzxc0UQwq7zKktJq+xW/TZiSLgd3B32p0sXX378qFUJ4SO2UZ1OCh8R7PY1
+Fx25K/89Q1yGdbYiXb/Dx0a2WB9rP+b6alMl/dxPdqDKj2QXXkdh8+yvhVpQTyZw
+B1RaqQXwzqrCH0F/vw3lRceYhcQvzcQ=
+-----END PRIVATE KEY-----
diff --git a/sample/sample-keys/client-ec.crt b/sample/sample-keys/client-ec.crt
new file mode 100644
index 0000000..edc6fe3
--- /dev/null
+++ b/sample/sample-keys/client-ec.crt
 <at>  <at>  -0,0 +1,85  <at>  <at> 
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
+        Validity
+            Not Before: Oct 22 21:59:53 2014 GMT
+            Not After : Oct 19 21:59:53 2024 GMT
+        Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client-EC/emailAddress=me <at> myhost.mydomain
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub: 
+                    04:3b:ce:62:5d:6f:87:82:75:24:c2:58:f5:0e:88:
+                    4d:57:0d:06:b2:71:88:87:58:19:bb:de:5f:7f:52:
+                    62:51:a2:48:91:83:48:91:90:3e:87:02:0f:15:51:
+                    f9:68:97:12:0a:fd:d2:3c:87:83:4b:65:54:00:44:
+                    8d:28:76:49:05
+                ASN1 OID: secp256k1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                64:F6:49:88:E7:74:C1:AB:A5:FA:4F:2B:71:3C:25:13:3D:C8:94:C5
+            X509v3 Authority Key Identifier: 
+                keyid:2B:40:E5:C9:7D:F5:F4:96:38:E9:2F:E3:2F:D9:40:64:C9:8E:05:9B
+                DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
+                serial:A1:4E:DE:FA:90:F2:AE:81
+
+    Signature Algorithm: sha256WithRSAEncryption
+         32:3d:f0:08:67:dd:03:73:76:cc:76:52:0a:f6:97:d1:c6:fa:
+         5f:d3:e6:28:c9:75:a7:08:a8:34:49:69:cf:eb:ab:da:86:b3:
+         2e:65:17:ee:7e:b6:b5:6b:15:0b:dc:11:3a:b9:5a:b3:80:b8:
+         bb:f4:6c:cf:88:3a:10:83:7e:10:a0:82:87:6e:06:ec:78:62:
+         d4:d1:44:27:dd:2c:19:d8:1a:a1:ae:f4:a0:00:7f:53:5a:40:
+         8a:c2:83:77:4b:26:7d:53:b0:d3:0f:2f:7c:28:70:ef:74:58:
+         5b:de:81:94:4c:63:19:f0:79:cb:6c:b2:ec:32:1b:4b:e4:62:
+         22:4f:ad:ac:4a:6f:a9:6e:c4:2a:8d:8a:88:19:09:fd:88:93:
+         3c:27:4d:91:95:ff:57:84:13:fd:4a:68:db:20:df:10:e6:81:
+         1d:fd:e7:1d:35:fb:19:02:dd:b5:5f:a0:c1:07:ec:74:b4:ef:
+         8b:f9:33:9a:f2:a6:3b:6e:b6:4a:52:ab:5d:99:76:64:62:c4:
+         d5:3a:c6:81:8d:eb:c8:4b:02:af:e1:ca:60:e9:8d:c7:a9:2b:
+         ea:4f:56:31:d3:9a:11:c2:9c:83:5c:a2:8d:98:fe:cc:a5:ad:
+         1f:51:c4:6e:cf:ff:a0:51:64:c8:7f:7f:32:05:4c:8d:7f:bf:
+         b8:ed:e5:81:5f:81:bd:1d:9b:3f:8a:83:27:26:b4:69:84:8b:
+         e5:d9:ea:fd:08:a8:aa:e4:3a:dc:29:4d:80:6c:13:f7:45:ce:
+         92:f2:a9:f3:5f:90:83:d6:23:0f:50:e5:40:09:4c:6b:f2:73:
+         aa:d8:49:a7:a9:81:6e:bb:f2:e4:a5:7f:19:39:1d:65:f3:11:
+         97:b1:2b:7c:2f:36:77:7f:75:fd:88:44:90:7c:f2:33:8d:cd:
+         2c:f6:76:60:33:d3:f4:b3:8c:81:d7:85:89:cc:d7:d5:2c:94:
+         a9:31:3f:d3:63:a7:dc:82:3f:0a:d8:c5:71:97:69:3b:c1:69:
+         cb:f0:1b:be:15:c0:be:aa:fd:e8:13:2c:0c:3f:72:7b:7d:9c:
+         3b:7f:b8:82:36:4b:ad:4d:16:19:b9:1c:b3:2d:d7:5f:8b:f8:
+         14:ce:d4:13:e5:82:7a:1d:40:28:08:65:4a:19:d7:7a:35:09:
+         db:36:48:4b:96:44:bd:1f:12:b2:39:08:1e:5b:66:25:9b:e0:
+         16:d3:79:05:e3:f6:90:da:95:95:33:a1:53:a8:3c:a9:f0:b2:
+         f5:d0:aa:80:a0:96:ca:8c:45:62:c2:74:04:91:68:27:fb:e9:
+         97:be:3a:87:8a:85:28:2d:6e:a9:60:9b:63:ba:65:98:5e:bb:
+         02:ee:ac:ba:be:f6:42:26
+-----BEGIN CERTIFICATE-----
+MIIESTCCAjGgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL
+MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy
+MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owbTELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFzAVBgNVBAMTDlRlc3QtQ2xpZW50
+LUVDMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wVjAQBgcqhkjO
+PQIBBgUrgQQACgNCAAQ7zmJdb4eCdSTCWPUOiE1XDQaycYiHWBm73l9/UmJRokiR
+g0iRkD6HAg8VUflolxIK/dI8h4NLZVQARI0odkkFo4HIMIHFMAkGA1UdEwQCMAAw
+HQYDVR0OBBYEFGT2SYjndMGrpfpPK3E8JRM9yJTFMIGYBgNVHSMEgZAwgY2AFCtA
+5cl99fSWOOkv4y/ZQGTJjgWboWqkaDBmMQswCQYDVQQGEwJLRzELMAkGA1UECBMC
+TkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4tVEVTVDEhMB8G
+CSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluggkAoU7e+pDyroEwDQYJKoZI
+hvcNAQELBQADggIBADI98Ahn3QNzdsx2Ugr2l9HG+l/T5ijJdacIqDRJac/rq9qG
+sy5lF+5+trVrFQvcETq5WrOAuLv0bM+IOhCDfhCggoduBux4YtTRRCfdLBnYGqGu
+9KAAf1NaQIrCg3dLJn1TsNMPL3wocO90WFvegZRMYxnwectssuwyG0vkYiJPraxK
+b6luxCqNiogZCf2IkzwnTZGV/1eEE/1KaNsg3xDmgR395x01+xkC3bVfoMEH7HS0
+74v5M5rypjtutkpSq12ZdmRixNU6xoGN68hLAq/hymDpjcepK+pPVjHTmhHCnINc
+oo2Y/sylrR9RxG7P/6BRZMh/fzIFTI1/v7jt5YFfgb0dmz+KgycmtGmEi+XZ6v0I
+qKrkOtwpTYBsE/dFzpLyqfNfkIPWIw9Q5UAJTGvyc6rYSaepgW678uSlfxk5HWXz
+EZexK3wvNnd/df2IRJB88jONzSz2dmAz0/SzjIHXhYnM19UslKkxP9Njp9yCPwrY
+xXGXaTvBacvwG74VwL6q/egTLAw/cnt9nDt/uII2S61NFhm5HLMt11+L+BTO1BPl
+gnodQCgIZUoZ13o1Cds2SEuWRL0fErI5CB5bZiWb4BbTeQXj9pDalZUzoVOoPKnw
+svXQqoCglsqMRWLCdASRaCf76Ze+OoeKhSgtbqlgm2O6ZZheuwLurLq+9kIm
+-----END CERTIFICATE-----
diff --git a/sample/sample-keys/client-ec.key b/sample/sample-keys/client-ec.key
new file mode 100644
index 0000000..8131380
--- /dev/null
+++ b/sample/sample-keys/client-ec.key
 <at>  <at>  -0,0 +1,5  <at>  <at> 
+-----BEGIN PRIVATE KEY-----
+MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQg2RVk/d0yok086M9bLPIi
+eu4DfcBUwphOnkje1/7VSY+hRANCAAQ7zmJdb4eCdSTCWPUOiE1XDQaycYiHWBm7
+3l9/UmJRokiRg0iRkD6HAg8VUflolxIK/dI8h4NLZVQARI0odkkF
+-----END PRIVATE KEY-----
diff --git a/sample/sample-keys/client-pass.key b/sample/sample-keys/client-pass.key
new file mode 100644
index 0000000..2bb8d4e
--- /dev/null
+++ b/sample/sample-keys/client-pass.key
 <at>  <at>  -0,0 +1,30  <at>  <at> 
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,ECC1F209896FC2621233FFF6F1FFD045
+
+i6t7VKTyNNELTvrBO464e02nFg9rvYwumxd0sfqcPtaKmRK2mrZmEd/Xh0Nv1WyB
+PyuJo78qQixAtxObRbkSNINzTr5C8IDrE6+wQYCJinvO54U0o+ksv0tsyLngz1cb
+is8ZqHXrRgJ3qGFQWmFRtFKFQvSXOTDX3fLkEB53HfeblQCxBCnJ82Sp7ivnVR/j
+Q8qQRy1RMbzIN0trEGf0Zi4tHEvXL1u7Y+olQzSlmWWaQt20hhXUOMLhMtlRsAo7
+AwjlE94JjAfJ1q1dwIcRN4c9Lk8GkiX6w7nDpRACDpk2S8ifCqi69eGe4+g7owhL
+74bgs64PmM9a2sNXy1v6WE3c/t6sSrZiMvrGsqMo4sBlrQ9WXe0Naon7heBkPcdS
+px0YJjnyBXHMIH+ASmALSJ5JXq9vt2xRFf0dOsGapxhP+7bZJ5Pwyk/yUu5uHFbM
+/aBemlrZJzlKeYiiwpwx2whQAtDwN41zMG+r27EzSU/AaDV40NPiwwycpWt/Bp1e
+z1ag0JuS0an+PK4jmREtzT5U5BeAVM91x8YttOPpmUIpahAa1zwdYPRAIkbmPJ4z
+ZH+9YoPH4hoBQKdIhshYktjdI++xNiKXAUGUz5YoX8S68SsLdmKvhnQ7fu5VvOkA
+2pb7taXGy7zfn+a/fWauhuceV9HPlAXMIu3GsssODoNly3vpcFeiMySKppygJ3Eg
+A3o9n8UepD+jXflKG/R/t7U3hT6LqSIvQWqBqYMEVFMCNzSsJ/ce/4veFvx343zT
+qdxuzYqyiXM74cynpfqHdVa9SFICTesNdVDI0FdOXhSQ4bHJc7Xp9FFJdS0lMRw4
+ACwKxvs8lo4Gx1WFyCqH5OxosKtDHQYzdUJfSWVJlhhOFR3GncR9qSe3O5fkhJfs
+TALnC+xTJyCkSB2k0/bxVLIhlkPdCwzsrN/B6X2CDBdg0mQIo0LaPzGF8VneM20d
+XebYn751XSiL3HKyq8G5AEFwj9AO3Q8gKuP2fPoWdngJ2GT+mt1m2fIw9Igu39J0
+ZMegyUN0wSIiA5AkgryK9U+PJEiJmLzOJ/NGr7E5tPF18eZWapK4KZ8TXC4RNiye
+g+apGa+xZJz2VQp/Mrcdj9D4UDJFQjrvKaS0PXJDoYUXFBoMv3rxijzRVxlhhuJY
+yZ0At+UqZD5wpuWW6DRrgJIpy0HNhbaLmgsU0Co0HKviB0x8hvMJbi/uCoPTOdPz
+sPB7CN2i3oXe7xw1HfSTSFWb4leqjlKwNgfV42ox0QUjkkADeeuY+56g/B2+QmdE
+vXrc6sDwfNUwRUzeMn8yfum/aW1y/wrqF/qPTBQqFd85vlzS+NfXIKDg04cAljTu
++2BLzvizh9Bb68iG4PykNXbjbAir1EbQG1tCzq1eKhERjgrxdv6+XqAmvchMCeL5
+L6hvfQFBPCo/4xnMpU5wooFarO/kGdKlGr5rXOydgfL618Td18BIX+FHQFb3zzVU
+y2NR4++DslJAZgAU+512zzpW1m3JtaRoyqyoLE2YFPlW804Xc1PBB3Ix6Wyzcegy
+D4qMk5qxjBkXEsBBSCYfVbWoMBeMhnvxkz0b9wkPtAW/jEJCB2Kkn/5yMC0DkePO
+-----END RSA PRIVATE KEY-----
diff --git a/sample/sample-keys/client.crt b/sample/sample-keys/client.crt
index c047446..1744cb2 100644
--- a/sample/sample-keys/client.crt
+++ b/sample/sample-keys/client.crt
 <at>  <at>  -2,64 +2,102  <at>  <at>  Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
-        Signature Algorithm: md5WithRSAEncryption
+    Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
         Validity
-            Not Before: Nov 25 14:46:49 2004 GMT
-            Not After : Nov 23 14:46:49 2014 GMT
+            Not Before: Oct 22 21:59:53 2014 GMT
+            Not After : Oct 19 21:59:53 2024 GMT
         Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client/emailAddress=me <at> myhost.mydomain
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:d2:12:5c:c6:4d:13:34:ae:cf:fa:ab:fe:cb:de:
-                    8c:f1:4b:4a:95:28:60:87:82:2c:b8:c1:e5:8e:c6:
-                    5d:11:58:61:a4:a5:f1:42:d7:86:74:6c:9d:9c:7a:
-                    f0:3a:5c:29:e6:53:3b:5e:6d:d8:f0:45:06:2c:23:
-                    ee:09:bc:02:8f:0e:b8:d5:33:1f:c3:4a:11:02:48:
-                    0b:cc:4b:ad:6e:74:e0:a2:53:b1:d6:cc:89:b9:e2:
-                    6f:db:15:b3:19:1e:57:04:79:48:3a:da:76:31:fc:
-                    bf:d3:34:21:e7:32:d8:9e:06:4e:be:f3:e3:79:b0:
-                    54:fd:d1:42:32:aa:3e:7a:c1
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ec:65:8f:e9:12:c2:1a:5b:e6:56:2a:08:a9:82:
+                    3a:2d:44:78:a3:00:3b:b0:9f:e7:27:10:40:93:ef:
+                    f1:cc:3e:a0:aa:04:a2:80:1b:13:a9:e6:fe:81:d6:
+                    70:90:a8:d8:d4:de:30:d8:35:00:d2:be:62:f0:48:
+                    da:fc:15:8d:c4:c6:6d:0b:99:f1:2b:83:00:0a:d3:
+                    2a:23:0b:e5:cd:f9:35:df:43:61:15:72:ad:95:98:
+                    f6:73:21:41:5e:a0:dd:47:27:a0:d5:9a:d4:41:a8:
+                    1c:1d:57:20:71:17:8f:f7:28:9e:3e:07:ce:ec:d5:
+                    0e:42:4f:1e:74:47:8e:47:9d:d2:14:28:27:2c:14:
+                    10:f5:d1:96:b5:93:74:84:ef:f9:04:de:8d:4a:6f:
+                    df:77:ab:ea:d1:58:d3:44:fe:5a:04:01:ff:06:7a:
+                    97:f7:fd:e3:57:48:e1:f0:df:40:13:9f:66:23:5a:
+                    e3:55:54:3d:54:39:ee:00:f9:12:f1:d2:df:74:2e:
+                    ba:d7:f0:8d:c6:dd:18:58:1c:93:22:0b:75:fa:a8:
+                    d6:e0:b5:2f:2d:b9:d4:fe:b9:4f:86:e2:75:48:16:
+                    60:fb:3f:c9:b4:30:42:29:fb:3b:b3:2b:b9:59:81:
+                    6a:46:f3:45:83:bf:fd:d5:1a:ff:37:0c:6f:5b:fd:
+                    61:f1
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:FALSE
-            Netscape Comment: 
-                OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
-                17:B7:3F:C7:62:A0:A9:FD:A4:31:0E:58:D7:D9:94:7B:4B:3F:CB:56
+                D2:B4:36:0F:B1:FC:DD:A5:EA:2A:F7:C7:23:89:FA:E3:FA:7A:44:1D
             X509v3 Authority Key Identifier: 
-                keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46
+                keyid:2B:40:E5:C9:7D:F5:F4:96:38:E9:2F:E3:2F:D9:40:64:C9:8E:05:9B
                 DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
-                serial:00
+                serial:A1:4E:DE:FA:90:F2:AE:81
 
-    Signature Algorithm: md5WithRSAEncryption
-        61:c6:d1:fa:24:0f:c7:be:09:3b:d8:04:17:63:31:17:07:f9:
-        56:99:af:4c:67:fa:db:cb:94:cf:55:a5:7b:16:20:8b:42:64:
-        13:23:62:45:28:93:5e:36:f7:db:02:95:a1:e9:fd:e3:0f:8d:
-        73:a1:7b:0e:55:78:4d:a5:c4:b7:22:12:a0:ee:55:e0:b8:0e:
-        c9:9b:12:e3:b0:ef:9b:68:93:57:6e:6c:ad:16:68:8e:8d:30:
-        33:fe:2a:1b:c3:03:8f:b6:0a:2d:0c:b1:3c:bb:f9:58:3f:8c:
-        81:59:6b:14:dd:62:b5:c2:93:ed:5d:c6:19:0f:9b:4b:52:b3:
-        7c:78
+    Signature Algorithm: sha256WithRSAEncryption
+         7f:e0:fe:84:a7:ec:df:62:a5:cd:3c:c1:e6:42:b1:31:12:f0:
+         b9:da:a7:9e:3f:bd:96:52:b6:fc:55:74:64:3e:e4:ff:7e:aa:
+         f7:3e:06:18:5f:73:85:f8:c8:e0:67:1b:4d:97:ca:05:d0:37:
+         07:33:64:9b:e6:78:77:14:9a:55:bb:2a:ac:c3:7f:c9:15:08:
+         83:5c:c8:c2:61:d3:71:4c:05:0b:2b:cb:a3:87:6d:a0:32:ed:
+         b0:b3:27:97:4a:55:8d:01:2a:30:56:68:ab:f2:da:5c:10:73:
+         c9:aa:0a:9c:4b:4c:a0:5b:51:6e:0a:7e:6c:53:80:b0:00:e1:
+         1e:9a:4c:0a:37:9e:20:89:bc:c5:e5:79:58:b7:45:ff:d3:c4:
+         a1:fd:d9:78:3d:45:16:74:df:82:44:1d:1d:81:50:5a:b9:32:
+         4c:e2:4f:3f:0e:3a:65:5a:64:83:3b:29:31:c4:99:88:bc:c5:
+         84:39:f2:19:12:e1:66:d0:ea:fb:75:b1:d2:27:be:91:59:a3:
+         2b:09:d5:5c:bf:46:8e:d6:67:d6:0b:ec:da:ab:f0:80:19:87:
+         64:07:a9:77:b1:5e:0c:e2:c5:1d:6a:ac:5d:23:f3:30:75:36:
+         4e:ca:c3:4e:b0:4d:8c:2c:ce:52:61:63:de:d5:f5:ef:ef:0a:
+         6b:23:25:26:3c:3a:f2:c3:c2:16:19:3f:a9:32:ba:68:f9:c9:
+         12:3c:3e:c6:1f:ff:9b:4e:f4:90:b0:63:f5:d1:33:00:30:5a:
+         e8:24:fa:35:44:9b:6a:80:f3:a6:cc:7b:3c:73:5f:50:c4:30:
+         71:d8:74:90:27:0a:01:4e:a5:5e:b1:f8:da:c2:61:81:11:ae:
+         29:a3:8f:fa:7e:4c:4e:62:b1:00:de:92:e3:8f:6a:2e:da:d9:
+         38:5d:6b:7c:0d:e4:01:aa:c8:c6:6d:8b:cd:c0:c8:6e:e4:57:
+         21:8a:f6:46:30:d9:ad:51:a1:87:96:a6:53:c9:1e:c6:bb:c3:
+         eb:55:fe:8c:d6:5c:d5:c6:f3:ca:b0:60:d2:d4:2a:1f:88:94:
+         d3:4c:1a:da:0c:94:fe:c1:5d:0d:2a:db:99:29:5d:f6:dd:16:
+         c4:c8:4d:74:9e:80:d9:d0:aa:ed:7b:e3:30:e4:47:d8:f5:15:
+         c1:71:b8:c6:fd:ee:fc:9e:b2:5f:b5:b7:92:ed:ff:ca:37:f6:
+         c7:82:b4:54:13:9b:83:cd:87:8b:7e:64:f6:2e:54:3a:22:b1:
+         c5:c1:f4:a5:25:53:9a:4d:a8:0f:e7:35:4b:89:df:19:83:66:
+         64:d9:db:d1:61:2b:24:1b:1d:44:44:fb:49:30:87:b7:49:23:
+         08:02:8a:e0:25:f3:f4:43
 -----BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL
+MIIFFDCCAvygAwIBAgIBAjANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL
 MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
-VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy
-NTE0NDY0OVoXDTE0MTEyMzE0NDY0OVowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy
+MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
 Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50
-MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8wDQYJKoZIhvcN
-AQEBBQADgY0AMIGJAoGBANISXMZNEzSuz/qr/svejPFLSpUoYIeCLLjB5Y7GXRFY
-YaSl8ULXhnRsnZx68DpcKeZTO15t2PBFBiwj7gm8Ao8OuNUzH8NKEQJIC8xLrW50
-4KJTsdbMibnib9sVsxkeVwR5SDradjH8v9M0Iecy2J4GTr7z43mwVP3RQjKqPnrB
-AgMBAAGjge4wgeswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
-ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBe3P8dioKn9pDEOWNfZlHtL
-P8tWMIGQBgNVHSMEgYgwgYWAFImmYOO66j6v/GR/TL2M0kiN4MxGoWqkaDBmMQsw
-CQYDVQQGEwJLRzELMAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNV
-BAoTDE9wZW5WUE4tVEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9t
-YWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAGHG0fokD8e+CTvYBBdjMRcH+VaZr0xn
-+tvLlM9VpXsWIItCZBMjYkUok14299sClaHp/eMPjXOhew5VeE2lxLciEqDuVeC4
-DsmbEuOw75tok1dubK0WaI6NMDP+KhvDA4+2Ci0MsTy7+Vg/jIFZaxTdYrXCk+1d
-xhkPm0tSs3x4
+MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDsZY/pEsIaW+ZWKgipgjotRHijADuwn+cnEECT
+7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLwSNr8FY3Exm0LmfErgwAK0yoj
+C+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwdVyBxF4/3KJ4+B87s1Q5CTx50
+R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rRWNNE/loEAf8Gepf3/eNXSOHw
+30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhYHJMiC3X6qNbgtS8tudT+uU+G
+4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83DG9b/WHxAgMBAAGjgcgwgcUw
+CQYDVR0TBAIwADAdBgNVHQ4EFgQU0rQ2D7H83aXqKvfHI4n64/p6RB0wgZgGA1Ud
+IwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJBgNVBAYTAktH
+MQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQ
+Ti1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQChTt76
+kPKugTANBgkqhkiG9w0BAQsFAAOCAgEAf+D+hKfs32KlzTzB5kKxMRLwudqnnj+9
+llK2/FV0ZD7k/36q9z4GGF9zhfjI4GcbTZfKBdA3BzNkm+Z4dxSaVbsqrMN/yRUI
+g1zIwmHTcUwFCyvLo4dtoDLtsLMnl0pVjQEqMFZoq/LaXBBzyaoKnEtMoFtRbgp+
+bFOAsADhHppMCjeeIIm8xeV5WLdF/9PEof3ZeD1FFnTfgkQdHYFQWrkyTOJPPw46
+ZVpkgzspMcSZiLzFhDnyGRLhZtDq+3Wx0ie+kVmjKwnVXL9GjtZn1gvs2qvwgBmH
+ZAepd7FeDOLFHWqsXSPzMHU2TsrDTrBNjCzOUmFj3tX17+8KayMlJjw68sPCFhk/
+qTK6aPnJEjw+xh//m070kLBj9dEzADBa6CT6NUSbaoDzpsx7PHNfUMQwcdh0kCcK
+AU6lXrH42sJhgRGuKaOP+n5MTmKxAN6S449qLtrZOF1rfA3kAarIxm2LzcDIbuRX
+IYr2RjDZrVGhh5amU8kexrvD61X+jNZc1cbzyrBg0tQqH4iU00wa2gyU/sFdDSrb
+mSld9t0WxMhNdJ6A2dCq7XvjMORH2PUVwXG4xv3u/J6yX7W3ku3/yjf2x4K0VBOb
+g82Hi35k9i5UOiKxxcH0pSVTmk2oD+c1S4nfGYNmZNnb0WErJBsdRET7STCHt0kj
+CAKK4CXz9EM=
 -----END CERTIFICATE-----
diff --git a/sample/sample-keys/client.key b/sample/sample-keys/client.key
index 17b9509..6d31489 100644
--- a/sample/sample-keys/client.key
+++ b/sample/sample-keys/client.key
 <at>  <at>  -1,15 +1,28  <at>  <at> 
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDSElzGTRM0rs/6q/7L3ozxS0qVKGCHgiy4weWOxl0RWGGkpfFC
-14Z0bJ2cevA6XCnmUztebdjwRQYsI+4JvAKPDrjVMx/DShECSAvMS61udOCiU7HW
-zIm54m/bFbMZHlcEeUg62nYx/L/TNCHnMtieBk6+8+N5sFT90UIyqj56wQIDAQAB
-AoGBAK8RoIGekCfym99DYYfTg9A/t/tQeAnWYaDj7oSrKbqf1lgZ91OGPEZgkoVr
-KzLnxf9uU+bhUs8CJx+4HdO8/L9rAJA+oD9QNuMp0elN4AKuEGE1Eq3a0e3cmgPI
-+VIoXM6WVAGgK9I03Zu/UerYQ/DdXWGOIsKhFe8qyQoG9pKxAkEA9ld6O9MHQt3d
-JAjJkgCNn4psozxjrfLWy2huXd3H3CRqGMjLITDGzdkVSgXjHokBYroi0+TZTu4M
-ulJSJaWwBQJBANpO2DAexH2zRHw5Z6QyeEVxz7B3/FzU4GgJx9BH+FSBh+F0G5Ln
-ir5Vst8vZ/LGcgpYjHQLNAvZVgUjiQ4Y6I0CQGvwMJL+CHR4GmmroAblTyjU0n1D
-/Lk/anZ+L73Za7U+D28ErFzCrpmLwRRKOBYtGfpUbOZDpCQ9kj4hy/TLALECQCcL
-9ysUNbzt9Y/qjJkX1d9F7gn4TBEmmkTBixW76bTjvjQbGlt6Qpyso2O8DPGlgPxM
-vkJ7RoHgC7y7kGYPGnkCQBVxSNGIjLx4NQBgN4HD0y4+fars1PTUGnckBcS4npb9
-onLNyerBlWdBwbARyBS7WPIbyyf5VCrn3yIqWxaARO0=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDsZY/pEsIaW+ZW
+KgipgjotRHijADuwn+cnEECT7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLw
+SNr8FY3Exm0LmfErgwAK0yojC+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwd
+VyBxF4/3KJ4+B87s1Q5CTx50R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rR
+WNNE/loEAf8Gepf3/eNXSOHw30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhY
+HJMiC3X6qNbgtS8tudT+uU+G4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83
+DG9b/WHxAgMBAAECggEBAIOdaCpUD02trOh8LqZxowJhBOl7z7/ex0uweMPk67LT
+i5AdVHwOlzwZJ8oSIknoOBEMRBWcLQEojt1JMuL2/R95emzjIKshHHzqZKNulFvB
+TIUpdnwChTKtH0mqUkLlPU3Ienty4IpNlpmfUKimfbkWHERdBJBHbtDsTABhdo3X
+9pCF/yRKqJS2Fy/Mkl3gv1y/NB1OL4Jhl7vQbf+kmgfQN2qdOVe2BOKQ8NlPUDmE
+/1XNIDaE3s6uvUaoFfwowzsCCwN2/8QrRMMKkjvV+lEVtNmQdYxj5Xj5IwS0vkK0
+6icsngW87cpZxxc1zsRWcSTloy5ohub4FgKhlolmigECgYEA+cBlxzLvaMzMlBQY
+kCac9KQMvVL+DIFHlZA5i5L/9pRVp4JJwj3GUoehFJoFhsxnKr8HZyLwBKlCmUVm
+VxnshRWiAU18emUmeAtSGawlAS3QXhikVZDdd/L20YusLT+DXV81wlKR97/r9+17
+klQOLkSdPm9wcMDOWMNHX8bUg8kCgYEA8k+hQv6+TR/+Beao2IIctFtw/EauaJiJ
+wW5ql1cpCLPMAOQUvjs0Km3zqctfBF8mUjdkcyJ4uhL9FZtfywY22EtRIXOJ/8VR
+we65mVo6RLR8YVM54sihanuFOnlyF9LIBWB+9pUfh1/Y7DSebh7W73uxhAxQhi3Y
+QwfIQIFd8OkCgYBalH4VXhLYhpaYCiXSej6ot6rrK2N6c5Tb2MAWMA1nh+r84tMP
+gMoh+pDgYPAqMI4mQbxUmqZEeoLuBe6VHpDav7rPECRaW781AJ4ZM4cEQ3Jz/inz
+4qOAMn10CF081/Ez9ykPPlU0bsYNWHNd4eB2xWnmUBKOwk7UgJatVPaUiQKBgQCI
+f18CVGpzG9CHFnaK8FCnMNOm6VIaTcNcGY0mD81nv5Dt943P054BQMsAHTY7SjZW
+HioRyZtkhonXAB2oSqnekh7zzxgv4sG5k3ct8evdBCcE1FNJc2eqikZ0uDETRoOy
+s7cRxNNr+QxDkyikM+80HOPU1PMPgwfOSrX90GJQ8QKBgEBKohGMV/sNa4t14Iau
+qO8aagoqh/68K9GFXljsl3/iCSa964HIEREtW09Qz1w3dotEgp2w8bsDa+OwWrLy
+0SY7T5jRViM3cDWRlUBLrGGiL0FiwsfqiRiji60y19erJgrgyGVIb1kIgIBRkgFM
+2MMweASzTmZcri4PA/5C0HYb
+-----END PRIVATE KEY-----
diff --git a/sample/sample-keys/client.p12 b/sample/sample-keys/client.p12
new file mode 100644
index 0000000000000000000000000000000000000000..8458c79770a08e832e10205ae1c43e8059cca082
GIT binary patch
literal 4533
zcmV;m5lZebf)TL-0Ru3C5qAa&Duzgg_YDCD0ic2rXas^0WH5peU <at> (FV7X}F`hDe6 <at> 
z4FLxRpn?ntFoFyO0s#Opf(!iy2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=o?0Gd
zI2*;=0s;sCfPxFqP42^P0Fo+4$NqJRddSJSl#H$YLRhM0*>KZ1!3FrYzVTx;+~<9X
zHC&0kC=Q)Zxu{oL`xLM;b_oD>(X&8Ta-#O3&p;;Aa3+^0d5fSLOs3>{(_ <at> SyxHDGK
z2?mB_IU!{$1Sf&CfNA0|znHybfRqP5blsg?Z{1w#hHzm2WPm <at> -k>~Fs9L`8P!8d0*
zf18!wochm&3uJ;eC{gw3d+=?v`?TP`azbPA8uS#SvF>zu7QrQ#$t<4KatJksK>dI*
ziMISYR+%EK<vdQWAH_>GJw7P#F#ep~$fBbb6Y*_W)JH+UB%-XoF0lb%KM36b^Ml3z
zdI#>W)o{)xhylZ4OHKChQ3 <at> qS{v(AQB <at> VaJ?ARCe`Ss=S%-q5T5+I3#R#G1YJlYRV
zDTZ` <at> `U38{ <at> bSL;>xUioK!F94XIBfJNFiIhM&9nvb{1l0O6GqR&cLY4NFEuZS(DxH
z=W!uJ(?gK8gs^*{5_cl5Z(=wW&Q)XqS-~>m0O$kp(m_Cz>zwzHL-IYyDH=}xGVl+4
zq3STnMt<?Hu(MKc <at> 0}O=+SOgwb9ciM <at> M4>7Am$3#DF7{7%Lk3imYa+y7?D;AsNHiG
zn<Pk<=8L8O8bLSWTRMYjAr147E?9!=!8xCjW&Rt}P1G4yKA2el8%Z#!i?O-I%bY3u
ze}EeqFzNG`%%2`feCA2|669L4WH3axOzLsnR{2`^v?3Sf>YdO(f <at> M<&g*jh|95N+F
zs_~5PPb? <at> 91h)&uXAR5t`>ZG>Uz4i)rF)c|;osz49745f=)!}UDtm5M!ZPf8NHf-q
zBu9VT(aN+vpUdkJ*gO8FPMV2QD1&zIpdi0sGch)W2;I$z%}w_LA6?gziR|D2-^A$7
zK+7hz{knM <at> Bqwfx3dirENcVSGhV{VXU4Jr29-tm$-2M^>mnD_r5Lj>iwRX!<9CFRg
z9{(YStoDvOuR <at> (O4i9CiwMU(U-1=C!cAqZ-t <at> IfXDXxcbaLeLYLcmYuyDc37) <at> bc}
zgo <at> WkW=MyVE1)F <at> B()zN_MxMHwJS(AR3ip3I+3Rm(|=OM&()I982?Ca-YME*$jcai
z5>TYla+%{gDkflN^F;$b#Qn!EsPXE?fs <at> D=Sd<B``<<chZC5b5VFKbh2K6kY7?K3;
zv5_F`(^P~!G1NikPncT9r#;SmMJ <at> f%Prj#Uc{m7xeQANV0K8+ojXQSMT1t*R&uV`S
z-a_ZWh-DQno_e$da>VMjI=w_}8&SK!u012g>$5F;owS>RW$?|5{~rl&$f}d%d>$9i
z7(P0*PhMARQef&fdz)sTC<Lxa5`F2&hqQLcJp#ikxf;udtXqUu6cOT-BO(BK`7h=?
zDbI?zgxg*~0$om9lkR)a-7%wHj&G~`U*39UJOt~jxs$VpQaqb)Y!11<7NJ;nxwK+f
zimu>$;%$WGWRFUiOQ+WO;A%{B*ZINIEs08%b-Fb1;6M5Z<_`ge4ELfx*V8?Qo?OBP
zB<m3&JH7$rGqlacJDUb4J^aF+$1F5Fq1BEWLf~B?AU5ccNREIEhWWFpY~t?SmGZi!
z+_Bv45Wnp <at> ^L9d#ov%dRyPva3GUZyOBKdi&t0zyQ-jp*M&n!<8>?YAsG0gnH9<Z0S
z34D1$5L-hatRI$ <at> 6j43xOX~=Ue!pzJ_)e*2;oPP-Jt%B~H*490;ChZmyCq4v3R}?{
zc%U{&f8?Nh&k>6b5g <at> >h2#}&DOvoiL8%)<~q7ehzHh_`~a2Izn=bjHq;TkMIoDt-)
z$u8yg;zHv$;?HL0J6h2aH`EK>az+?|SAZS7*?6)?BsZ8yxec)dO^fx~b|xRBKv <at> !>
zN|H <at> j <at> OZPg_<ybv-HNQS5$N <at> =J{hvL<!M_~BR7$uR)1P?SUJk^fttz^d1%ND_VN$$
z28yu4B=;NI-W7y*sy2dS6^$EJ{)yWxMf7wfvI_wsZ89XZlK~8n%r4)^eonEw2DGo~
zjKS~WOnU}9sPh2P#+I2oX4TWo2NAs$hrb8{T^kZeI <at> 2}Jtc8o? <at> wh2ORT%pAFfSL4
zF1~~3hhzo^be)F{>Xe6%y9Pyj1HI_jCpGGJ+r}qJ(Qm^(w#q#n4;fGT9J)MId6%;&
zhPes$n_zQIQ!}^}4G`^Wz7CGC <at> !ARFDKj^9 <at> L!~Q664CYzu=8Ev-yow*fp9UOsLHG
z-BX<D-hZ6KxIA%F5~CWcz|%QmBCt0vMQK#PYY9XsaJ3(}e;=lyMTDz8NEu <at> M3zUNR
zBTx_4BwT-RH%(I350dV3ea|XNP6YEOFyDzqfWrv_j6~`PF4!_puV5C_RkWVl#=LzN
zCn~sV+ht*A?D_2ZTy;=F_fv8<_4f`NjG$iQJ`jYg1O#mw4EYb0Mh# <at> $sjRlQkKJQo
zCbD(tZmv8Qv$&NNhSgU}$`rTnqcvf`wxr^&C&;Fp=5Yh`(eE{7KCj6?xingFo(wqh
zsvrza+Q>cmrr~=}pV<`ImbU <at> e;g_= <at> a)XeuKL1x92`ruL2r&K(ct*Kk <at> IjesmCfch
zG_=`43h3M^{O*UA{yi2s5fjtWXMOov>#rUwy(A49RjMsrwLLq>wy(A6bJnieJpm*K
zLL!(_!FKzh-$!YZdEcBK1F(> <at> we-M9%w^x#=H#}9Lc8NQ<BjftBjnh4ar}b3i+vXc
z{W>X2580FRsm3z}$v|1;BqjKiO00Ft{;FSiOWy|y=&D|>#PfODLKzOym9LWY;M#(=
z`T4NzCiGy4Je$gf+HwRg2c<5NBvatkd<oeEbqXy8^TV#bM^e&RCYW(w9gO&yYjX5?
z%nQKFIXw{H7UJzU>mb+(-NL)S<-&!Jq+i>}L3McC!=`WXZgNw}W3)t-k4o9(UzHmA
zq`4KU&&3!B$jn*}C9IgPAZDOKa4d3Z!m^><O=W&A+i>_uvW(Gg?u{!Zc28~KnlZY|
zW><Tb!KwKt8QoTnbcG?7D028`)ggh1eeM8r <at> uC%|k0fBmAmT5c(1mQ9lEXQ5OXd?;
z^CHjw%k!RCxFaT~aUa_d{oq#QOssTE3<rMFyeZ`^PjPynYR_KVSN <at> eQDbJ1#b>Ouf
zWGfR <at> 9_i5T8$;AzQkfiya1EQ_>+Bl-?jKt}^_7hPmkxyS <at> d~^h=708E3`{=Wth%v-
z? <at> iOBIjVj4-#bcG%9d)#)>ITY*E8dBUmpjRV)C+>Jt32pJ`o-1#>e3Um|*mUJl)zl
zzj+A{saen+`EP}bD_BH <at> It(cb-`Ha9p{rll <at> #k}4#rAwI;U5&{_(dvPfry4r*OR(g
zir1=%D70<3l-Vmdno7L-k9AWle8;LS6163q{gLq<MLcS_5kCD+V <at> jp3)Z4K_T+}0D
z^did?rKv`zAu <at> r}c$!y9^Lh|+tz8}+Z%B~F4O}J=a=6}v>ZK?WsvR6Z`rzHr <at> <!Tg
zr!DhMH=-r9Uq71K!AtPC3zo{oX3n#EYevQcL9~(v;6h5Pq%J*^gs-6!fq3Gog$<8b
z9g5=S4zlZ?y%K!>Mc&6F6kj#?qqpe;SHD(h=!j(z <at> ^CR=i=KDGw>Bgokqi9zPX(uX
z|8`K|fAgElC|rkyhB5 <at> b+ <at> }LZAfPl$+hDkByi%)V5=IaI1H{6vl7?ZBye!AqHLicO
zaCsg%BIm|>MA3R <at> |GjKRc3d&Xa4bb>L3UelPWRoILk&ICGoo4lwV <at> zP{{fLLaZL&+
znSPhW04KckjD)a}19>2aT|WH_ltW=y7#46Gu!-xzwtb6TmG$I_MlQkGWG4!7F2!_C
z^ngv5DN5VpziF0tnU2m8BpCW*8j$_TsVU%Wf(C_FTqJpP%DVRx*1n=yY6jVZP^~&u
zj+O<-)gVFOKz}2cqLfZKD1W%|44A(?o?C-zVkbOT+V1eU!Th4e58g?qy0IDLgSs <at> (
z>a3QZ_~$!6a_yYA03n <at> Qdp;&JCvDXIMz74j$40}k$6D5*AIe~-NPq>l=p{+`{qB*E
z)dA_uyb!%xms+1|*hgXfvXAI&FoFd^1_>&LNQU<f0S5t~f(0 <at> Jf(0%xf(0rtf(0f9
z3o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PH71K9D&o|1tss2ml0v
z1jw3_VuA6wE <at> W*qp8m7%=>t!ahU6DY<c$m^W{&SL-}Av-!V6Mej({Vh^I65-r7>jl
zj#2E$ <at> cqS#ot;itB65=}T$c#Fvn6>(Hu7jv5#?nqND^i{<zGDn+bGDInORh%$|<TU
z)0ArgXLA;(_k}K_mlCfE0Y&Ec4gxI|biRQj4^q <at> zluH>4Z%>zfnT?a?P>WmWgPqNu
zt;=6U3*t>n)oqy#bC<px2zJip8afy*7*z$B{ma3e57nY2u4{E__iFC0=vmJwi1VYX
zJ^u9%A=Rjf0y-*9fV{WtT;tb1T0|T~;c%SH5qJ2+_GKkn#{LX}MbS`UJ+# <at> hq#_P <at> 
z=VN$u <at> Y7N|?(z7UQ*UT5!yd!df-`=;Pg3G;+}! <at> XBTK <at> (XtDanPon_36N?ceJ<?w0
zNK3soS#I5O8%nUS5XWVt%LptQsfi0a{wtPGi{fq;)jwb;5tx!nQZ5RBwItDChWNTA
zj>Fo89J#H&5w(j6)Gb05d4Wuav-;Ae*N4CvCH7Bf7qsT7$-eiNbQFjxma-5lFy&Kf
zuGdIbq=SxP#B5y9i$6kWIXa%j=^H(Q8<<q_M*`R%ZVP8(B}EBCF <at> U58tkC9jOtQ?w
z <at> W2jpswJDCtH$yFWg(e-HC0;102vJ;ImFQO7 <at> 1MJ<i79$sGU(S!1~*(w+q4OwO-ox
zWwM2kH5?dxWXufo3Q9ZIy_U`Ql+5rjkKA=C7U__H<)N5z$Rb{}rn?dsvsv <at> ywoU=<
zU%-OKA3|-2osy2Vwh#)*s+9to<L%b6U5k5Fzx|JW;HHBRq|s|t(&(g4xMFzgvvtbc
zQ-TBf=dLqXp>pKX1|T1Ncg_%F+OOU1K%=lJvk25edtPll^?C8iOY4l+gHVw-jwS{5
zc1H%A0AcxAK4?I%10%GT9KyndW;=S4Hs$Bt3ppdV?5;*?C+IU>_jrB|%iA <at> ^j-Ydr
zP#Vq!z4lf1B59em!RbNV^|P^F7)gXU({v-B^T{ObdazrO(+w5OWS;WuWNRLYYIn{T
z*P_`Mm4F+5C)d0&C_P&q3l;Vwjmo9lrsR8}rTM}q1!7wAp-KZ++#udhr| <at> C8HVGgC
z^(J(<tv$K47<r2(#bphive7uMRA&}ky <at> tqaC7~lV4``Zu%!1BUIf_Z=)*`CBf-+5F
zTyVg} <at> k=0bc9s}%M9iRHnOdEO4AU3z0GZg~26X=;y_v(F&Px}&8ufGahoEQe_>Wa-
zy{M9YD^`ZYTH01LwfQ?{ZuZQ~vaO&Jq$O&~PN%MO(9m%~EMFTMC(A&MRujojT{YuB
z`u5e( <at> ~<aXbTu5Xpgn-u0;$_2;&dZV4?%UszI6qIM+zSz->|Ph<<tw;;-I!bhQUfx
z-T|#dTHlxbD <at> 3~1qB#O+9=PN}23-_|*ehcIXa5a)>w_vbRv_LVvmsQhWA5OYqtUvR
zb2`hE <at> >8knqkGmwqPuasz=MUx2NN7PM|$lkN60Vj_=3UYPS<Wb*D(aS{nk}POUoch
z5<OVHe&P<YCYq5dQgsKygF+90>r6ZIGje(Qd3rIw(m)l~LebaOD9`;d#2Rt>_%?X|
z;FA9GDiVuwAnk9Bh!BAEfMz{Mdq$b`Xzrmam}W60Fe3&DDuzgg_YDCF6)_eB6jtCP
zdB1(YHnjhMGVV2R_)j7)j4&}UAutIB1uG5%0vZJX1Qaaz-GykChO4Gdh~Eic3wrIs
TMJxme++Sbdrv3y90s;sCVF#Wx

literal 0
HcmV?d00001

diff --git a/sample/sample-keys/dh1024.pem b/sample/sample-keys/dh1024.pem
deleted file mode 100644
index 7ce05f0..0000000
--- a/sample/sample-keys/dh1024.pem
+++ /dev/null
 <at>  <at>  -1,5 +0,0  <at>  <at> 
------BEGIN DH PARAMETERS-----
-MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh
-1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32
-9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC
------END DH PARAMETERS-----
diff --git a/sample/sample-keys/dh2048.pem b/sample/sample-keys/dh2048.pem
new file mode 100644
index 0000000..8eda59a
--- /dev/null
+++ b/sample/sample-keys/dh2048.pem
 <at>  <at>  -0,0 +1,8  <at>  <at> 
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEArdnA32xujHPlPI+jPffHSoMUZ+b5gRz1H1Lw9//Gugm5TAsRiYrB
+t2BDSsMKvAjyqN+i5SJv4TOk98kRRKB27iPvyXmiL945VaDQl/UehCySjYlGFUjW
+9nuo+JwQxeSbw0TLiSYoYJZQ8X1CxPl9mgJl277O4cW1Gc8I/bWa+ipU/4K5wv3h
+GI8nt+6A0jN3M/KebotMP101G4k0l0qsY4oRMTmP+z3oAP0qU9NZ1jiuMFVzRlNp
+5FdYF7ctrH+tBF+QmyT4SRKSED4wE4oX6gp420NaBhIEQifIj75wlMDtxQlpkN+x
+QkjsEbPlaPKHGQ4uupssChVUi8IM2yq5EwIBAg==
+-----END DH PARAMETERS-----
diff --git a/sample/sample-keys/ec-ca.crt b/sample/sample-keys/ec-ca.crt
deleted file mode 100644
index e190801..0000000
--- a/sample/sample-keys/ec-ca.crt
+++ /dev/null
 <at>  <at>  -1,13 +0,0  <at>  <at> 
------BEGIN CERTIFICATE-----
-MIIB4jCCAWmgAwIBAgIJALGEGB2g6cAXMAoGCCqGSM49BAMCMBUxEzARBgNVBAMT
-CkVDLVRlc3QgQ0EwHhcNMTQwMTE4MTYwMTUzWhcNMjQwMTE2MTYwMTUzWjAVMRMw
-EQYDVQQDEwpFQy1UZXN0IENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE2S4AZT7j
-ZlPG/CXpT12CzCNSySyKmJt+fWyW/wzbRulVJpGHXRHpZZj2VNOUE72kqGUeshh6
-Um1o7lHGDSAkHOJpeW5FtryiKhwFc+4dsOCLTNLVFXQsEtY3gY14Uquio4GEMIGB
-MB0GA1UdDgQWBBS0mkFcuCZ8SLWZRAD/8LpBQcgGPDBFBgNVHSMEPjA8gBS0mkFc
-uCZ8SLWZRAD/8LpBQcgGPKEZpBcwFTETMBEGA1UEAxMKRUMtVGVzdCBDQYIJALGE
-GB2g6cAXMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA2cA
-MGQCMHWlVTi0xNZstR8ZNH+7z0WlyIXyZe23ne3EXkO0thZLdv86kpxFMPW/llB+
-RMRKuQIweN97n7FQy5DTenr91U98KDFJ5Av4mDFRL1mkXiu3W1//4XD8yEYDQTRz
-/GARuOLL
------END CERTIFICATE-----
diff --git a/sample/sample-keys/ec-ca.key b/sample/sample-keys/ec-ca.key
deleted file mode 100644
index 51a72e1..0000000
--- a/sample/sample-keys/ec-ca.key
+++ /dev/null
 <at>  <at>  -1,6 +0,0  <at>  <at> 
------BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDASU6X/mh2m2PayviL3
-teoml5soyIUcZfwZpVn6oNtnrLcAbIRsAJbM4xyGVp77G/6hZANiAATZLgBlPuNm
-U8b8JelPXYLMI1LJLIqYm359bJb/DNtG6VUmkYddEellmPZU05QTvaSoZR6yGHpS
-bWjuUcYNICQc4ml5bkW2vKIqHAVz7h2w4ItM0tUVdCwS1jeBjXhSq6I=
------END PRIVATE KEY-----
diff --git a/sample/sample-keys/ec-client.crt b/sample/sample-keys/ec-client.crt
deleted file mode 100644
index b797b02..0000000
--- a/sample/sample-keys/ec-client.crt
+++ /dev/null
 <at>  <at>  -1,61 +0,0  <at>  <at> 
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 2 (0x2)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: CN=EC-Test CA
-        Validity
-            Not Before: Jan 18 16:02:37 2014 GMT
-            Not After : Jan 16 16:02:37 2024 GMT
-        Subject: CN=ec-client
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:40:d9:b9:a2:44:1b:01:39:2c:14:ee:aa:70:6b:
-                    31:98:28:44:c9:61:bc:b7:0b:b5:53:49:c2:c0:0a:
-                    43:b0:08:50:cd:80:2f:5d:a4:89:f1:ff:7d:11:78:
-                    f5:0c:b2:86:e2:59:f8:17:76:1b:22:f2:23:67:e7:
-                    55:90:ea:ce:0a:aa:da:05:f4:85:19:c9:ed:ae:6d:
-                    a3:ad:56:7a:f6:33:c6:cf:bb:c7:39:fa:e4:d3:67:
-                    df:f0:b8:4a:88:57:98
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Basic Constraints:
-                CA:FALSE
-            X509v3 Subject Key Identifier:
-                D8:E2:35:7B:CA:66:71:6B:D8:5B:F5:12:13:82:2D:ED:CD:E5:ED:7F
-            X509v3 Authority Key Identifier:
-                keyid:B4:9A:41:5C:B8:26:7C:48:B5:99:44:00:FF:F0:BA:41:41:C8:06:3C
-                DirName:/CN=EC-Test CA
-                serial:B1:84:18:1D:A0:E9:C0:17
-
-            X509v3 Extended Key Usage:
-                TLS Web Client Authentication
-            X509v3 Key Usage:
-                Digital Signature
-            Netscape Comment:
-                Easy-RSA Generated Certificate
-            Netscape Cert Type:
-                SSL Client
-    Signature Algorithm: ecdsa-with-SHA256
-         30:64:02:30:41:8b:1a:fd:97:a8:bb:7c:d0:eb:1c:a2:ba:c0:
-         ac:2f:6d:80:07:5b:5c:ef:55:59:1a:92:56:66:94:ce:49:6a:
-         a9:57:49:b2:41:73:64:7e:01:ac:31:3a:7c:2a:bf:a5:02:30:
-         2b:c4:a6:b1:0c:03:82:e3:e4:03:39:fb:19:d7:76:21:1b:7e:
-         7f:aa:22:5d:90:a4:e1:2e:cd:ca:92:0f:b6:3f:80:dc:26:d2:
-         09:34:8c:d1:61:bb:9d:ac:6d:8f:68:f0
------BEGIN CERTIFICATE-----
-MIICLTCCAbSgAwIBAgIBAjAKBggqhkjOPQQDAjAVMRMwEQYDVQQDEwpFQy1UZXN0
-IENBMB4XDTE0MDExODE2MDIzN1oXDTI0MDExNjE2MDIzN1owFDESMBAGA1UEAxMJ
-ZWMtY2xpZW50MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEQNm5okQbATksFO6qcGsx
-mChEyWG8twu1U0nCwApDsAhQzYAvXaSJ8f99EXj1DLKG4ln4F3YbIvIjZ+dVkOrO
-CqraBfSFGcntrm2jrVZ69jPGz7vHOfrk02ff8LhKiFeYo4HYMIHVMAkGA1UdEwQC
-MAAwHQYDVR0OBBYEFNjiNXvKZnFr2Fv1EhOCLe3N5e1/MEUGA1UdIwQ+MDyAFLSa
-QVy4JnxItZlEAP/wukFByAY8oRmkFzAVMRMwEQYDVQQDEwpFQy1UZXN0IENBggkA
-sYQYHaDpwBcwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMC0GCWCG
-SAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwEQYJYIZI
-AYb4QgEBBAQDAgeAMAoGCCqGSM49BAMCA2cAMGQCMEGLGv2XqLt80OscorrArC9t
-gAdbXO9VWRqSVmaUzklqqVdJskFzZH4BrDE6fCq/pQIwK8SmsQwDguPkAzn7Gdd2
-IRt+f6oiXZCk4S7NypIPtj+A3CbSCTSM0WG7naxtj2jw
------END CERTIFICATE-----
diff --git a/sample/sample-keys/ec-client.key b/sample/sample-keys/ec-client.key
deleted file mode 100644
index 60636ed..0000000
--- a/sample/sample-keys/ec-client.key
+++ /dev/null
 <at>  <at>  -1,6 +0,0  <at>  <at> 
------BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD9Agj8nr/8sIr0XHky
-mcn1oMb3vqOh2axFBaIvmOHYmqs11SIH1tKYelkNYy9zHTChZANiAARA2bmiRBsB
-OSwU7qpwazGYKETJYby3C7VTScLACkOwCFDNgC9dpInx/30RePUMsobiWfgXdhsi
-8iNn51WQ6s4KqtoF9IUZye2ubaOtVnr2M8bPu8c5+uTTZ9/wuEqIV5g=
------END PRIVATE KEY-----
diff --git a/sample/sample-keys/ec-server.crt b/sample/sample-keys/ec-server.crt
deleted file mode 100644
index 9999472..0000000
--- a/sample/sample-keys/ec-server.crt
+++ /dev/null
 <at>  <at>  -1,61 +0,0  <at>  <at> 
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: CN=EC-Test CA
-        Validity
-            Not Before: Jan 18 16:02:31 2014 GMT
-            Not After : Jan 16 16:02:31 2024 GMT
-        Subject: CN=ec-server
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:bd:8c:3a:af:2e:2f:2e:de:cf:d2:39:8d:b9:a6:
-                    13:96:80:6d:b5:b2:ee:97:62:3b:a2:32:38:77:1e:
-                    fb:2a:ef:86:4b:d0:9e:4b:55:e0:9b:07:f9:64:2f:
-                    6b:a7:17:fd:65:dd:50:3f:1c:fa:fa:2f:39:2e:97:
-                    d4:86:e5:4e:5a:d2:50:0b:f4:d7:08:62:67:53:44:
-                    62:e3:25:f2:fa:36:84:87:1d:03:e3:e9:9d:d9:66:
-                    51:dd:b4:c4:db:0b:05
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Basic Constraints:
-                CA:FALSE
-            X509v3 Subject Key Identifier:
-                EA:DF:7E:A3:D4:61:73:D7:01:AF:6E:0A:38:8D:33:D0:BD:24:4B:E1
-            X509v3 Authority Key Identifier:
-                keyid:B4:9A:41:5C:B8:26:7C:48:B5:99:44:00:FF:F0:BA:41:41:C8:06:3C
-                DirName:/CN=EC-Test CA
-                serial:B1:84:18:1D:A0:E9:C0:17
-
-            X509v3 Extended Key Usage:
-                TLS Web Server Authentication
-            X509v3 Key Usage:
-                Digital Signature, Key Encipherment
-            Netscape Comment:
-                Easy-RSA Generated Certificate
-            Netscape Cert Type:
-                SSL Server
-    Signature Algorithm: ecdsa-with-SHA256
-         30:64:02:30:20:39:12:92:cc:a2:ca:45:b9:1a:8f:e0:c1:e7:
-         b7:4a:79:4d:07:07:81:72:08:b4:d4:7b:46:53:d7:72:32:d0:
-         d7:3e:e8:88:2b:c9:ba:8b:d5:94:4f:41:6c:d0:2e:a4:02:30:
-         75:ff:c3:8a:c1:f5:79:1c:1a:08:16:31:c2:c1:6e:d4:33:dc:
-         9f:04:0f:90:94:d9:75:c1:6d:71:28:62:cc:f6:89:7c:91:86:
-         a4:96:45:34:a0:8d:92:7e:dd:e3:da:4d
------BEGIN CERTIFICATE-----
-MIICLTCCAbSgAwIBAgIBATAKBggqhkjOPQQDAjAVMRMwEQYDVQQDEwpFQy1UZXN0
-IENBMB4XDTE0MDExODE2MDIzMVoXDTI0MDExNjE2MDIzMVowFDESMBAGA1UEAxMJ
-ZWMtc2VydmVyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEvYw6ry4vLt7P0jmNuaYT
-loBttbLul2I7ojI4dx77Ku+GS9CeS1Xgmwf5ZC9rpxf9Zd1QPxz6+i85LpfUhuVO
-WtJQC/TXCGJnU0Ri4yXy+jaEhx0D4+md2WZR3bTE2wsFo4HYMIHVMAkGA1UdEwQC
-MAAwHQYDVR0OBBYEFOrffqPUYXPXAa9uCjiNM9C9JEvhMEUGA1UdIwQ+MDyAFLSa
-QVy4JnxItZlEAP/wukFByAY8oRmkFzAVMRMwEQYDVQQDEwpFQy1UZXN0IENBggkA
-sYQYHaDpwBcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMC0GCWCG
-SAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwEQYJYIZI
-AYb4QgEBBAQDAgZAMAoGCCqGSM49BAMCA2cAMGQCMCA5EpLMospFuRqP4MHnt0p5
-TQcHgXIItNR7RlPXcjLQ1z7oiCvJuovVlE9BbNAupAIwdf/DisH1eRwaCBYxwsFu
-1DPcnwQPkJTZdcFtcShizPaJfJGGpJZFNKCNkn7d49pN
------END CERTIFICATE-----
diff --git a/sample/sample-keys/ec-server.key b/sample/sample-keys/ec-server.key
deleted file mode 100644
index bb3cdf1..0000000
--- a/sample/sample-keys/ec-server.key
+++ /dev/null
 <at>  <at>  -1,6 +0,0  <at>  <at> 
------BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD8bQlwrFrXHPmem0bt
-cBcU6nYfaZQbPdIDAB7edOOyevvzYH0qMtbaW95iSZLMRVWhZANiAAS9jDqvLi8u
-3s/SOY25phOWgG21su6XYjuiMjh3Hvsq74ZL0J5LVeCbB/lkL2unF/1l3VA/HPr6
-Lzkul9SG5U5a0lAL9NcIYmdTRGLjJfL6NoSHHQPj6Z3ZZlHdtMTbCwU=
------END PRIVATE KEY-----
diff --git a/sample/sample-keys/gen-sample-keys.sh b/sample/sample-keys/gen-sample-keys.sh
new file mode 100755
index 0000000..87bde1d
--- /dev/null
+++ b/sample/sample-keys/gen-sample-keys.sh
 <at>  <at>  -0,0 +1,74  <at>  <at> 
+#!/bin/sh
+#
+# Run this script to set up a test CA, and test key-certificate pair for a
+# server, and various clients.
+#
+# Copyright (C) 2014 Steffan Karger <steffan <at> karger.me>
+set -eu
+
+if [ ! -f openssl.cnf ]
+then
+    echo "Please run this script from the sample directory"
+    exit 1
+fi
+
+# Create required directories and files
+mkdir -p sample-ca
+rm -f sample-ca/index.txt
+touch sample-ca/index.txt
+echo "01" > sample-ca/serial
+
+# Generate CA key and cert
+openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
+    -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
+    -subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain" \
+    -config openssl.cnf
+
+# Create server key and cert
+openssl req -new -nodes -config openssl.cnf -extensions server \
+    -keyout sample-ca/server.key -out sample-ca/server.csr \
+    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me <at> myhost.mydomain"
+openssl ca -batch -config openssl.cnf -extensions server \
+    -out sample-ca/server.crt -in sample-ca/server.csr
+
+# Create client key and cert
+openssl req -new -nodes -config openssl.cnf \
+    -keyout sample-ca/client.key -out sample-ca/client.csr \
+    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me <at> myhost.mydomain"
+openssl ca -batch -config openssl.cnf \
+    -out sample-ca/client.crt -in sample-ca/client.csr
+
+# Create password protected key file
+openssl rsa -aes256 -passout pass:password \
+    -in sample-ca/client.key -out sample-ca/client-pass.key
+
+# Create pkcs#12 client bundle
+openssl pkcs12 -export -nodes -password pass:password \
+    -out sample-ca/client.p12 -inkey sample-ca/client.key \
+    -in sample-ca/client.crt -certfile sample-ca/ca.crt
+
+
+# Create EC server and client cert (signed by 'regular' RSA CA)
+openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1
+
+openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
+    -extensions server \
+    -keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \
+    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me <at> myhost.mydomain"
+openssl ca -batch -config openssl.cnf -extensions server \
+    -out sample-ca/server-ec.crt -in sample-ca/server-ec.csr
+
+openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
+    -keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \
+    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me <at> myhost.mydomain"
+openssl ca -batch -config openssl.cnf \
+    -out sample-ca/client-ec.crt -in sample-ca/client-ec.csr
+
+# Generate DH parameters
+openssl dhparam -out dh2048.pem 2048
+
+# Copy keys and certs to working directory
+cp sample-ca/*.key .
+cp sample-ca/*.crt .
+cp sample-ca/*.p12 .
+
diff --git a/sample/sample-keys/openssl.cnf b/sample/sample-keys/openssl.cnf
new file mode 100644
index 0000000..aabfd48
--- /dev/null
+++ b/sample/sample-keys/openssl.cnf
 <at>  <at>  -0,0 +1,139  <at>  <at> 
+# Heavily borrowed from EasyRSA 3, for use with OpenSSL 1.0.*
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= sample-ca		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= basic_exts		# The extentions to add to the cert
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits		= 2048
+default_keyfile		= privkey.pem
+default_md		= sha256
+distinguished_name	= cn_only
+x509_extensions		= easyrsa_ca	# The extentions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName		= Common Name (eg: your user, host, or server name)
+commonName_max		= 64
+commonName_default	= changeme
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName			= Country Name (2 letter code)
+countryName_default		= KG
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= NA
+
+localityName			= Locality Name (eg, city)
+localityName_default		= BISHKEK
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= OpenVPN-TEST
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	=
+
+commonName			= Common Name (eg: your user, host, or server name)
+commonName_max			= 64
+commonName_default		=
+
+emailAddress			= Email Address
+emailAddress_default		= me <at> myhost.mydomain
+emailAddress_max		= 64
+
+####################################################################
+
+[ basic_exts ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+
+# Server extensions.
+[ server ]
+
+basicConstraints       = CA:FALSE
+nsCertType             = server
+nsComment              = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage       = serverAuth
+keyUsage               = digitalSignature, keyEncipherment
diff --git a/sample/sample-keys/pass.crt b/sample/sample-keys/pass.crt
deleted file mode 100644
index 8bb7b17..0000000
--- a/sample/sample-keys/pass.crt
+++ /dev/null
 <at>  <at>  -1,65 +0,0  <at>  <at> 
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 3 (0x3)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
-        Validity
-            Not Before: Nov 25 14:48:55 2004 GMT
-            Not After : Nov 23 14:48:55 2014 GMT
-        Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client-Password/emailAddress=me <at> myhost.mydomain
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:ca:b4:05:67:7b:51:c1:d2:fe:21:57:b1:a5:57:
-                    5c:c0:86:38:05:a8:91:cf:e7:a4:bd:7a:76:d8:3b:
-                    cf:fe:f3:78:65:24:d6:72:7d:1b:6d:b6:da:04:f2:
-                    a8:f6:b4:04:78:d2:24:a7:21:2f:ca:29:46:96:0f:
-                    0b:91:31:66:1e:4d:22:9a:5d:05:17:99:9c:a0:7e:
-                    e0:2a:be:78:0c:a1:b9:d4:04:c4:ec:f8:61:79:62:
-                    b5:52:2d:f5:41:af:db:9f:8c:ab:08:1b:b7:95:b8:
-                    c1:f0:29:d3:da:fb:00:3f:8e:5c:27:e3:8d:fa:ee:
-                    dc:b4:3b:0b:8b:e0:ab:c1:c1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            Netscape Comment: 
-                OpenSSL Generated Certificate
-            X509v3 Subject Key Identifier: 
-                40:57:F1:8C:9C:86:B2:DA:E0:3F:A7:B8:D7:85:43:45:07:8A:40:73
-            X509v3 Authority Key Identifier: 
-                keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46
-                DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
-                serial:00
-
-    Signature Algorithm: md5WithRSAEncryption
-        a5:79:72:7f:a2:08:28:8e:66:da:e1:d0:be:bb:97:3d:65:9f:
-        ab:1e:19:ac:f1:66:44:14:8f:4e:7c:eb:ea:1e:2f:57:ea:44:
-        46:4c:b9:56:5b:c0:0c:58:d2:45:87:26:6d:82:de:8c:64:b8:
-        8b:22:61:61:c6:68:36:08:9d:5a:fd:2f:e5:21:e1:a2:0c:7f:
-        3e:ca:e1:06:ea:9f:81:62:3d:a0:ce:f1:1e:0d:ab:86:89:ed:
-        9a:89:34:32:c9:e9:6d:7d:f5:11:c3:5d:7e:a5:f7:f1:a6:83:
-        77:1b:94:67:d9:0f:5c:ac:0e:08:4a:88:98:65:49:eb:66:9e:
-        2d:28
------BEGIN CERTIFICATE-----
-MIIDPjCCAqegAwIBAgIBAzANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL
-MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
-VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy
-NTE0NDg1NVoXDTE0MTEyMzE0NDg1NVowczELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
-Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxHTAbBgNVBAMTFFRlc3QtQ2xpZW50
-LVBhc3N3b3JkMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMq0BWd7UcHS/iFXsaVXXMCGOAWokc/n
-pL16dtg7z/7zeGUk1nJ9G2222gTyqPa0BHjSJKchL8opRpYPC5ExZh5NIppdBReZ
-nKB+4Cq+eAyhudQExOz4YXlitVIt9UGv25+Mqwgbt5W4wfAp09r7AD+OXCfjjfru
-3LQ7C4vgq8HBAgMBAAGjge4wgeswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
-T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFEBX8YychrLa
-4D+nuNeFQ0UHikBzMIGQBgNVHSMEgYgwgYWAFImmYOO66j6v/GR/TL2M0kiN4MxG
-oWqkaDBmMQswCQYDVQQGEwJLRzELMAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hL
-RUsxFTATBgNVBAoTDE9wZW5WUE4tVEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlo
-b3N0Lm15ZG9tYWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAKV5cn+iCCiOZtrh0L67
-lz1ln6seGazxZkQUj0586+oeL1fqREZMuVZbwAxY0kWHJm2C3oxkuIsiYWHGaDYI
-nVr9L+Uh4aIMfz7K4Qbqn4FiPaDO8R4Nq4aJ7ZqJNDLJ6W199RHDXX6l9/Gmg3cb
-lGfZD1ysDghKiJhlSetmni0o
------END CERTIFICATE-----
diff --git a/sample/sample-keys/pass.key b/sample/sample-keys/pass.key
deleted file mode 100644
index 4916364..0000000
--- a/sample/sample-keys/pass.key
+++ /dev/null
 <at>  <at>  -1,18 +0,0  <at>  <at> 
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,959F7365DBBFDB77
-
-nGm57l+rR/8dAZOHL/1x/6dt11zUca7rphjsgw6XRnSf3M/CWmHvHVjApWcNLEs5
-SWNMp1xfUogtGzsKoMBbnlZLDA7RVHUYD6dVMyCpc64UjzT08LmdZhtQYLAKmlUC
-PT1VXS4Ae+SrqCPUqJkw1xP3kr0F1EVCXNu0nhOBAuuTGOS7PPEyW2N+k4nRHtsR
-IaPp8GCuIeoR6CdymTFTq6d/GeCiEcyrUM4BNrG4GtRRrURxxOrzQFEOS5sjBPSg
-Km1lwa6zBQFRLg9dKjRBL4teKuPY5Z2Nmpcml/aN4CkdkVEso4lW6/UHLE/joOMQ
-0MdpdYtu8wnt1WI/Z4immQfl3MF+QcPMkqXXzCEhGG/5SbAo89KC46UXvu1Z5OhS
-8XFHhvYBivOYWgZ3XUQqyZ0ulF60mFX7aE1Ph/eEbhWBHmU39hGjxzop1UoPwqLx
-ahvtfvCkR3ZeqlWO9SHzCA3MlrKwQ1p1UL6nG6AJhNN9jSevH6by+8wr07NBZOqX
-fJx+J/8EdVsUCFG2UJxPwM83ZSwAsvKRqph6CuWEl9ndUb7rw6khmRIoY0Iz3LbU
-1MlcDoJNcJas6lYDr1UeFSk86g0SiGCHXZIqsjyUgq6HIy4YrAYiQUthnlF8tp2Q
-nNQBPLo1GsHf0dC2MqKfDFASu7ST+Bl+yajHcIiUXvUJPxWbjkWYG9Q2p2ZBLzZD
-uqeRr66OKxTzUS4go/QbHDNsAulXl61gQIEOdZw5uy/Jl11kyAI6EQbzmehagKdH
-EshTgKp8ks62y0bBHgy3FMKyidJ5Hm58ZDhBxrwN0w+vhRoTGOepTA==
------END RSA PRIVATE KEY-----
diff --git a/sample/sample-keys/pkcs12.p12 b/sample/sample-keys/pkcs12.p12
deleted file mode 100644
index 253d4081a3aeffab7d17e8c0a308ee1e85d6456f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2685
zcmY+FX*3j!8pmgb83vhTUnbc_G)!b{*|LOW9U`x+nHmjQ1`%T<W0xfcjmmCh7ugCC
zdJ&0)EMrR;Yxb*i?!E85AD;7^^ZTFY`Sd^Mhaj*7f`AMN0?QQ$ROYea<DFALCLo2t
zf?y=DTsXnf2m+JTKM{mNVB$MLTp%FeWS#ma0V0GTEdTz%281Bk8JTZzui!YHif({F
z%z!Wg<cF6_a`HQ&-}0i(xAKxjpEU+B5NPvT7ptk55iSO <at> bYlD#^pTwD>)*8*R!qdL
z42fKOorCYJc=T4J+l;Z>x <at> 72{LvCNkwZ7MJ{eDgmCW|XX+3GT!YUko$TXTGuE6Cmo
z9 <at> F-=9<6!6cWi% <at> u>Dp-$JP2s6t=kvz6-OMl <at> ~mEaEXG22le(Tfl <at> yhU{VQ#pue <at> v
z$S`$H)k#B#icbEdGUTOJNtg8r2HVyl<L=KiZIZ{}D6=w)Cr?cr?f_CJAI>~u|5a%&
z|9r54eca0dbeyd4`o{LK4N|e%U2!+rmvxC_ve9`q;d+UYx?t$mH)yUk-qpOnl`yp`
z6mivqIZ>KlXGlc!9*DRZGrJ8ENY!3w!PQRJQYJN)m0bubO9Gq)!dpG`51#4fNteWj
z)Uy{{o)tgT)cfGn <at> (n)(as)Oir2jGwc=aG2L+~IbIcV%&c5G| <at> P{*{Jd?#H>P7lkl
zqLP8(ve$BRfwQ=WmCMw1W!aWKiK;iH%ej(rhXL~D<1btDIJpqh`U$seQ1fvjn;X <at> ~
zYBzzfQFps3x>N1~k|{r05Ej#luDsl5o+E5o6W}y((|9?EHOt+r>fDQx&b7jzQ$DN>
zB}mx=v1cW#Y}5;W1wVL}RxO)q& <at> +=uH(=%CV{+~qJFCmm>+q;_TVOBY$s0EFSdS;7
z&mqBKauOn(=lG*zP=4q^v2<1rBH%Edi*`-;3;k~BXqk <at> hzD0o_VXVQwVwfjD`Zs~A
z*lzbt<Lz*?oKpFwtf0bMAHn6Pn_bV_(qucN^dt>kpmn`Y<JKcdnQLS< <at> 1i>h <at> Gtz7
zEdZh~R0=kRsU4vUgW$I1u <at> |raEQEzz&hBqHE<e_`V*VvwZZK_?v#9 <at> YReN(OGuds8
zq <at> `uGfPUcv*)58>tEs$w^vz4cAHezuzgvmuh)lb`_LM{yoz0Ij*wf}VZB9stQ6roq
zhXDK5d)_MN2W5P|{wWcWta=?Is<$R6Ihym*+(~37OaRsIhbf-b8ck`;d~mN-TmSKH
zAkCx?E}l3w*$}9L3^26R;TBK#i <at> n|Af(ggGixifT9?AFEFm1R)6{ia%&96Y_^kl<Z
zO|2vnP&e9h$B#-ZOGJ})^bdG_L!CP?tY <at> pa3mHzA)+zmUojTmJjmc4zn6DhJtkU*2
zTyOtzc?4-O5*u>1WMq;EV3-lRXEM}xv(^O~!7!1)I|9!h9%_2p<}KW$RKr|`YcLw}
z<t#*oq1A`dE={byczot?YG(pSA(HR+V9kE4w4CN#78PlH7 <at> y60rmE6#)P^RUmeu>0
zVEA183^cHZa*3$N9%A*|4roE^WV?ltK2PQvtg$I&eq(wH*W%4sXR2^rp <at> ?LgRIi$c
z6%zNK^m$$X <at> &e` <at> P3O2H0YrU%8V)t=MmkiK;#rsB0!5%g)<#Kehh}i <at> <=mHXsKMvG
z>eU}MNQy!ZO;oXNw(nZ<bk2lI6SjTIljmfn0{qR9p3ED1Sz&?R`~alg3 <at> A6YeK#^Z
z`}cg57$n3>+J6q <at> )D4;l+}O_xHM_Z5tKoRYcpNO)&2;YaS1hNtXHcG&rv)Y1tsGBu
zH <at>  <at> nN^V!H%fJ=zM7xONAJ <at> hLH*$%sBw&?k)KQXv{!oF~wZcUek*9AzOQ5GBOcPsmu
zx>J0`U(5 <at> 9N3B>CkbfL4%WYBl*?wB7 <at> VbDxSU7fg+%J1>zfC|fk<4tarku$KHFg`)
z32;tRbzJ8+W1aCRdY>%w%VrGgsHNyd4EbT#Qqh=VeTVcd!bI2!ts#EONaY-#AwEJ$
zmV8E7g}dIaW$9T6mz_<cPyHH)vI(Gj!HGil32(YPF#3E^f5PEvZ8`K+AeaNE4Y{JZ
zq+-*=9IuO> <at> 2(aI>^megR`|b;#<jFHG7)`Rd8LiIqXgc} <at> <>#4x0GX*bjvl8tur0T
zFi`8aRMRgtF^;s*U;`8O&uP <at> e(S <at> 36;o#rX^|4v%b5bALTjthLt;I)IZQOg5sH58X
z <at> 3eD>)V+B%k!v42GexdYt2hT)KhBqlrh)t$to8;ngHput4!Yrk-gY=}e^$|C-Y <at> i=
z-l_T>3 <at> =KG>-JMVvEsG%_OrA4k <at> ZYjRLbqC$RFdzXTFsv^5fJuNl`nhSt&uYLCr>Z
z%rdbJyB06(7buBJ`C6EtGF<4J?VJGCxLiP)aL?oQ96Llg9qZ6=h3stpHJ6e={Ewg1
zK+RSh? <at> GwJkQg&4zkgxJv+S4#fuv~Wlw&XBTWrIZVu<M<6^$$4j9FZSxaRM>_7~R1
z1hL~0b#})ulH*=gO69)OAwLx|pJlgtw5t9Z)?-pY?gb~g{M^?K=_s7xMG!!{|06^S
z0kp(O0L`7?>64j&u>MDnEI`mnn12Fa{GT-${#f&L#3IK5UMTvHHBZjN(4|GIJ8#*0
zEL~S%gL8a#5<fZ6(5MkHV?G~ynw>P7p0Bg+ozfQ|)o`WbEdFq=Pn+~*x}eSHDn>}0
za#bssC46DP>glYKit?*q(ylFaU(}~Odzjx2#k+auqmLOM8 <at> t)YFzplKD0QtM(F_Uu
zRHv^yDq*$`c$xNo;O1uEWTg5NnUR9^wRyLx4G&J3O$l?Ff&Sgd*Ux|{yu}Tc_kRAx
zZ4_A <at> 4NuEp$)Ek?$5BMzMT0ZfU+`%1_OIaTg-c`D3Utjws&do{_7d*j_LS6U+DKir
z <at> E6#p!oOstM}_SmVJ?vyvMMumfm9By?=?AtkFJ4R`)DJQf3HPtrO>CLF*ghb-Z{VT
z <at> &g3d`$hMvAw9wa-+X=cZug%2QLG(iT8okLHeD64iE06J24#}WG;%v0qN;o~J#X}X
zYrX|$IsBw!A%<DK8BxUAB#r~6R2VbwU(5j!Z&%wNb{;g|?T5+<F1~+I0vu7#x&Fvm
ze1ONAR~^|B&Qq0=ujo8B;e~P=3$o9GB)Cn*7-hG1(ZUGyCPoz>gBYC6=L-yXI_1c)
z+V2 <at> }l1I9 <at> ^i#Ub8wuxSinPw-x7vv^wsW3}5xqf+AKwPmn+)MXcW9$*)7<p)X-4r0
z(}vuxaH}l=5mD9p6kTY6tV<=+{T09Rcf}dj;zzR*T|iIve0t3uU^!skyK<X( <at> 4$hD
zjLKXu4dS7hQnxGPoJKwgMg4 <at> Kq41ACLrqgV5^3R(;eyD;4^ur4ohCZxY|q1QA*+PG
z$SOGWw^n~{mai?yyFC!zxHo3~sLTIe)p*v~5PJ8vr85%;Nxo4%n<t_$^k`z?bVG;}
z=Y3=zfQmI$kU)t2x7AQ?1s+B&c~qWv*&*FkE5g%9wN}Fw%x7DNP(X+vpb)SuI|E1n
p3}EC!RO5XI2(vRh7cV|04Ibx-bA*{OGGFY`Qh)u6xbdgm{{pfR_hSG6

diff --git a/sample/sample-keys/server-ec.crt b/sample/sample-keys/server-ec.crt
new file mode 100644
index 0000000..a72c341
--- /dev/null
+++ b/sample/sample-keys/server-ec.crt
 <at>  <at>  -0,0 +1,96  <at>  <at> 
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
+        Validity
+            Not Before: Oct 22 21:59:53 2014 GMT
+            Not After : Oct 19 21:59:53 2024 GMT
+        Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server-EC/emailAddress=me <at> myhost.mydomain
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub: 
+                    04:21:09:ac:27:e6:00:3a:57:f4:f6:c7:78:a9:b1:
+                    f4:d7:d7:45:59:39:e4:a3:d3:2c:94:f9:61:4a:e6:
+                    b9:e9:87:57:c8:0f:88:03:a0:56:ee:34:e7:e4:4e:
+                    20:63:6c:c1:6e:c1:04:ac:b9:2f:a9:76:69:d3:7d:
+                    49:ff:f1:34:cb
+                ASN1 OID: secp256k1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                OpenSSL Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                33:1A:42:61:9E:88:08:3F:6F:1F:98:88:3A:DD:2D:C7:07:3D:F6:9B
+            X509v3 Authority Key Identifier: 
+                keyid:2B:40:E5:C9:7D:F5:F4:96:38:E9:2F:E3:2F:D9:40:64:C9:8E:05:9B
+                DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
+                serial:A1:4E:DE:FA:90:F2:AE:81
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         9d:89:f6:7e:0b:43:05:22:63:e5:b3:45:a8:d9:ef:33:3c:b7:
+         19:37:28:87:27:43:43:86:a3:3f:b9:23:27:0f:96:4f:de:01:
+         80:38:6b:d9:c8:94:77:1f:06:08:34:65:77:ad:57:0c:23:99:
+         f1:51:12:5f:32:d8:9c:7c:93:f1:f6:72:2a:05:61:ff:62:aa:
+         33:aa:ef:a3:4d:d6:93:56:40:ff:38:2e:73:1c:69:fb:71:a1:
+         fa:64:19:6a:04:1c:8b:20:a8:ee:a5:18:63:f8:84:f4:ca:84:
+         8e:b6:05:48:c6:f3:f7:81:90:4d:9e:00:cd:4a:92:83:d4:93:
+         67:05:dc:16:8b:78:fa:b1:82:48:c6:86:74:44:b1:06:7e:8a:
+         c8:64:0b:82:3a:e2:f5:56:60:ea:50:70:03:da:9f:fc:28:20:
+         6b:7d:04:e0:eb:8d:e2:f1:be:82:2f:ba:51:50:2b:6c:d2:fc:
+         11:cd:69:85:3b:9e:14:19:dd:bc:14:cf:61:b0:7a:07:cb:e8:
+         e0:fc:c3:1f:a4:cb:cf:c1:e9:62:0f:d2:53:f8:ce:06:f4:f8:
+         2f:55:13:aa:67:44:b6:b8:e8:3e:82:af:66:f5:f0:7c:fe:41:
+         e6:9d:c0:9f:78:fd:00:85:02:40:63:37:fa:00:e6:3c:a6:9f:
+         35:4f:1d:a6:f1:cb:8b:04:e0:67:98:56:d1:87:58:b6:39:f6:
+         d3:fe:a8:40:50:80:7f:e6:4a:36:d0:c0:a5:61:64:1d:3a:87:
+         ad:78:72:c9:3f:98:44:35:f9:cf:32:b2:18:4c:b0:72:fa:5e:
+         6c:62:1e:d4:31:0c:c8:9b:74:f0:00:9e:70:c3:1e:c7:a4:9d:
+         03:a4:ac:1a:09:1f:86:23:65:51:34:50:86:68:1e:68:4d:9a:
+         4b:78:10:1c:bd:51:09:bb:fe:16:a3:c7:19:b4:05:44:a1:e6:
+         c6:23:76:d5:b8:3a:eb:a5:17:1d:2b:2e:fe:85:7c:88:4f:f1:
+         e8:34:32:e0:c5:96:87:c3:e8:c9:5f:89:24:10:0e:1e:07:0b:
+         2c:f8:d0:49:1b:63:5e:63:44:e9:2a:43:e2:9c:d6:f2:43:99:
+         47:f8:9b:49:1a:a7:d1:e0:53:67:1d:cb:14:b6:b0:2c:4d:b3:
+         f2:c5:62:c2:a6:09:7a:c0:6c:59:3e:73:83:0c:6c:de:30:77:
+         4d:1b:ed:b0:7f:77:87:8d:55:1d:d3:ed:f7:66:bd:06:2a:f8:
+         fd:00:e7:c0:31:e2:ff:53:9e:25:97:c6:64:84:9d:8d:61:8e:
+         c9:1f:6c:55:a1:7c:59:aa:eb:e8:2a:b2:2d:c7:09:cd:b5:3d:
+         d8:74:4f:6e:9c:3b:d5:6d
+-----BEGIN CERTIFICATE-----
+MIIEtTCCAp2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL
+MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy
+MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owbTELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFzAVBgNVBAMTDlRlc3QtU2VydmVy
+LUVDMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wVjAQBgcqhkjO
+PQIBBgUrgQQACgNCAAQhCawn5gA6V/T2x3ipsfTX10VZOeSj0yyU+WFK5rnph1fI
+D4gDoFbuNOfkTiBjbMFuwQSsuS+pdmnTfUn/8TTLo4IBMzCCAS8wCQYDVR0TBAIw
+ADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2Vu
+ZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUMxpCYZ6ICD9vH5iI
+Ot0txwc99pswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRo
+MGYxCzAJBgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEV
+MBMGA1UEChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3Qu
+bXlkb21haW6CCQChTt76kPKugTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8E
+BAMCBaAwDQYJKoZIhvcNAQELBQADggIBAJ2J9n4LQwUiY+WzRajZ7zM8txk3KIcn
+Q0OGoz+5IycPlk/eAYA4a9nIlHcfBgg0ZXetVwwjmfFREl8y2Jx8k/H2cioFYf9i
+qjOq76NN1pNWQP84LnMcaftxofpkGWoEHIsgqO6lGGP4hPTKhI62BUjG8/eBkE2e
+AM1KkoPUk2cF3BaLePqxgkjGhnREsQZ+ishkC4I64vVWYOpQcAPan/woIGt9BODr
+jeLxvoIvulFQK2zS/BHNaYU7nhQZ3bwUz2GwegfL6OD8wx+ky8/B6WIP0lP4zgb0
++C9VE6pnRLa46D6Cr2b18Hz+QeadwJ94/QCFAkBjN/oA5jymnzVPHabxy4sE4GeY
+VtGHWLY59tP+qEBQgH/mSjbQwKVhZB06h614csk/mEQ1+c8yshhMsHL6XmxiHtQx
+DMibdPAAnnDDHseknQOkrBoJH4YjZVE0UIZoHmhNmkt4EBy9UQm7/hajxxm0BUSh
+5sYjdtW4OuulFx0rLv6FfIhP8eg0MuDFlofD6MlfiSQQDh4HCyz40EkbY15jROkq
+Q+Kc1vJDmUf4m0kap9HgU2cdyxS2sCxNs/LFYsKmCXrAbFk+c4MMbN4wd00b7bB/
+d4eNVR3T7fdmvQYq+P0A58Ax4v9TniWXxmSEnY1hjskfbFWhfFmq6+gqsi3HCc21
+Pdh0T26cO9Vt
+-----END CERTIFICATE-----
diff --git a/sample/sample-keys/server-ec.key b/sample/sample-keys/server-ec.key
new file mode 100644
index 0000000..8f2c914
--- /dev/null
+++ b/sample/sample-keys/server-ec.key
 <at>  <at>  -0,0 +1,5  <at>  <at> 
+-----BEGIN PRIVATE KEY-----
+MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgLHGYqSlzoRaogmJfrC+E
+ozTothB9bORaQ1C/3FmeQ6ehRANCAAQhCawn5gA6V/T2x3ipsfTX10VZOeSj0yyU
++WFK5rnph1fID4gDoFbuNOfkTiBjbMFuwQSsuS+pdmnTfUn/8TTL
+-----END PRIVATE KEY-----
diff --git a/sample/sample-keys/server.crt b/sample/sample-keys/server.crt
index 28bb4d9..03e2023 100644
--- a/sample/sample-keys/server.crt
+++ b/sample/sample-keys/server.crt
 <at>  <at>  -2,25 +2,34  <at>  <at>  Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
-        Signature Algorithm: md5WithRSAEncryption
+    Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
         Validity
-            Not Before: Nov 25 14:42:22 2004 GMT
-            Not After : Nov 23 14:42:22 2014 GMT
+            Not Before: Oct 22 21:59:52 2014 GMT
+            Not After : Oct 19 21:59:52 2024 GMT
         Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server/emailAddress=me <at> myhost.mydomain
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:cb:4e:ac:f9:83:57:f6:69:d2:32:29:b4:bc:ad:
-                    e6:f7:26:21:89:33:30:43:40:a3:35:d9:de:26:01:
-                    d6:b4:f0:bc:0a:19:55:99:3b:f1:4c:91:60:b6:fd:
-                    74:34:8d:5a:c7:62:ec:ce:f2:d6:02:ce:57:32:f4:
-                    35:8c:71:a0:6d:65:2a:e7:80:ae:29:59:cf:36:73:
-                    f8:7c:4a:73:90:fc:30:28:d5:46:7d:35:a4:4e:c9:
-                    9f:90:7b:e2:09:21:36:c5:a8:ec:85:82:9a:32:b4:
-                    91:3b:c1:d6:4f:9f:d1:f8:6f:68:f4:1d:d2:06:91:
-                    32:cc:9a:48:fd:cd:98:7f:2f
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a5:b8:a2:ee:ce:b1:a6:0f:6a:b2:9f:d3:22:17:
+                    79:de:09:98:71:78:fa:a7:ce:36:51:54:57:c7:31:
+                    99:56:d1:8a:d6:c5:fd:52:e6:88:0e:7b:f9:ea:27:
+                    7a:bf:3f:14:ec:aa:d2:ff:8b:56:58:ac:ca:51:77:
+                    c5:3c:b6:e4:83:6f:22:06:2d:5b:eb:e7:59:d4:ab:
+                    42:c8:d5:a9:87:73:b3:73:36:51:2f:a5:d0:90:a2:
+                    87:64:54:6c:12:d3:b8:76:47:69:af:ae:8f:00:b3:
+                    70:b9:e7:67:3f:8c:6a:3d:79:5f:81:27:a3:0e:aa:
+                    a7:3d:81:48:10:b1:18:6c:38:2e:8f:7a:7b:c5:3d:
+                    21:c8:f9:a0:7f:17:2b:88:4f:ba:f2:ec:6d:24:8e:
+                    6c:f1:0a:5c:d9:5b:b1:b0:fc:49:cb:4a:d2:58:c6:
+                    2a:25:b0:97:84:c3:9e:ff:34:8c:10:46:7f:0f:fb:
+                    3c:59:7a:a6:29:0c:ae:8e:50:3a:f2:53:84:40:2d:
+                    d5:91:7b:0a:37:8e:82:77:ce:66:2f:34:77:5c:a5:
+                    45:3b:00:19:a7:07:d1:92:e6:66:b9:3b:4e:e9:63:
+                    fc:33:98:1a:ae:7b:08:7d:0a:df:7a:ba:aa:59:6d:
+                    86:82:0a:64:2b:da:59:a7:4c:4e:ef:3d:bd:04:a2:
+                    4b:31
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
 <at>  <at>  -30,38 +39,75  <at>  <at>  Certificate:
             Netscape Comment: 
                 OpenSSL Generated Server Certificate
             X509v3 Subject Key Identifier: 
-                69:11:FE:E7:9F:89:7B:71:34:69:C0:DC:82:F8:D0:5D:4D:FB:78:DF
+                B3:9D:81:E6:16:92:64:C4:86:87:F5:29:10:1B:5E:2F:74:F7:ED:B1
             X509v3 Authority Key Identifier: 
-                keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46
+                keyid:2B:40:E5:C9:7D:F5:F4:96:38:E9:2F:E3:2F:D9:40:64:C9:8E:05:9B
                 DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me <at> myhost.mydomain
-                serial:00
+                serial:A1:4E:DE:FA:90:F2:AE:81
 
-    Signature Algorithm: md5WithRSAEncryption
-        35:5c:75:da:57:ef:b5:79:f2:a2:db:36:e4:75:e8:c7:bc:73:
-        26:cf:30:36:4b:2e:51:46:37:60:2f:4e:2b:f6:71:a2:23:db:
-        8e:d8:5c:d5:af:2e:22:28:dd:30:a8:89:66:3a:cc:5b:3c:0f:
-        96:12:20:de:5e:41:52:74:35:ed:4c:26:40:19:ca:73:df:54:
-        b1:30:96:9c:a5:14:d0:38:28:3f:ab:30:07:d7:de:98:d2:7f:
-        7f:90:b2:52:1d:e5:95:88:ed:ba:8a:6a:14:85:66:76:ec:75:
-        30:e8:ae:94:f4:e1:76:fa:4b:0e:f1:53:d7:95:be:fb:69:fa:
-        3d:32
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         4e:25:80:1b:cb:b0:42:ff:bb:3f:e8:0d:58:c1:80:db:cf:d0:
+         90:df:ca:c1:e6:41:e1:48:7f:a7:1e:c7:35:9f:9c:6d:7c:3e:
+         82:e8:de:7e:ae:82:16:00:33:0f:02:23:f1:9d:fe:2b:06:16:
+         05:55:16:89:dc:63:ac:5f:1a:31:13:79:21:a3:6e:60:28:e8:
+         e7:6b:54:00:22:a1:b7:69:5a:17:31:ce:0f:c2:a6:dd:a3:6f:
+         de:ea:19:6c:d2:d2:cb:35:9d:dd:87:51:33:68:cd:c3:9b:90:
+         55:f1:80:3d:5c:b8:09:b6:e1:3c:13:a4:5d:4a:ce:a5:11:9e:
+         f9:08:ee:be:e3:54:1d:06:4c:bb:1b:72:13:ee:7d:a0:45:cc:
+         fe:d1:3b:02:03:c1:d4:ea:45:2d:a8:c9:97:e7:f3:8a:7a:a0:
+         2f:dd:48:3a:75:c9:42:28:94:fc:af:44:52:16:68:98:d6:ad:
+         a8:65:b1:cd:ac:60:41:70:e5:44:e8:5a:f2:e7:fc:3b:fe:45:
+         89:17:1d:6d:85:c6:f0:fc:69:87:d1:1d:07:f3:cb:7b:54:8d:
+         aa:a3:cc:e3:c6:fc:d6:05:76:35:d0:26:63:8e:d1:a8:b7:ff:
+         61:42:8a:2c:63:1f:d4:ec:14:47:6b:1e:e3:81:61:12:3b:8c:
+         16:b5:cf:87:6a:2d:42:21:83:9c:0e:3a:90:3a:1e:c1:36:61:
+         41:f9:fb:4e:5d:ea:f4:df:23:92:33:2b:9b:14:9f:a0:f5:d3:
+         c4:f8:1f:2f:9c:11:36:af:2a:22:61:95:32:0b:c4:1c:2d:b1:
+         c1:0a:2a:97:c0:43:4a:6c:3e:db:00:cd:29:15:9e:7e:41:75:
+         36:a8:56:86:8c:82:9e:46:20:e5:06:1e:60:d2:03:5f:9f:9e:
+         69:bb:bf:c2:b4:43:e2:7d:85:17:83:18:41:b0:cb:a9:04:1b:
+         18:52:9f:89:8b:76:9f:94:59:81:4f:60:5b:33:18:fc:c7:52:
+         d0:d2:69:fc:0b:a2:63:32:75:43:99:e9:d7:f8:6d:c7:55:31:
+         0c:f3:ef:1a:71:e1:0a:57:e1:9d:13:b2:1e:fe:1d:ef:e4:f1:
+         51:d9:95:b3:fd:28:28:93:91:4a:29:c5:37:0e:ab:d8:85:6a:
+         fe:a8:83:1f:7b:80:5d:1f:04:79:b7:a9:08:6e:0d:d6:2e:aa:
+         7c:f6:63:7d:41:de:70:13:32:ce:dd:58:cc:a6:73:d4:72:7e:
+         d7:ac:74:a8:35:ba:c3:1b:2a:64:d7:5a:37:97:56:94:34:2b:
+         2a:71:60:bc:69:ab:00:85:b9:4f:67:32:17:51:c3:da:57:3a:
+         37:89:66:c4:7a:51:da:5f
 -----BEGIN CERTIFICATE-----
-MIIDUTCCArqgAwIBAgIBATANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL
+MIIFgDCCA2igAwIBAgIBATANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL
 MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
-VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy
-NTE0NDIyMloXDTE0MTEyMzE0NDIyMlowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
+VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy
+MjIxNTk1MloXDTI0MTAxOTIxNTk1MlowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
 Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtU2VydmVy
-MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8wDQYJKoZIhvcN
-AQEBBQADgY0AMIGJAoGBAMtOrPmDV/Zp0jIptLyt5vcmIYkzMENAozXZ3iYB1rTw
-vAoZVZk78UyRYLb9dDSNWsdi7M7y1gLOVzL0NYxxoG1lKueArilZzzZz+HxKc5D8
-MCjVRn01pE7Jn5B74gkhNsWo7IWCmjK0kTvB1k+f0fhvaPQd0gaRMsyaSP3NmH8v
-AgMBAAGjggEJMIIBBTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglg
-hkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRl
-MB0GA1UdDgQWBBRpEf7nn4l7cTRpwNyC+NBdTft43zCBkAYDVR0jBIGIMIGFgBSJ
-pmDjuuo+r/xkf0y9jNJIjeDMRqFqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgT
-Ak5BMRAwDgYDVQQHEwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAf
-BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpboIBADANBgkqhkiG9w0BAQQF
-AAOBgQA1XHXaV++1efKi2zbkdejHvHMmzzA2Sy5RRjdgL04r9nGiI9uO2FzVry4i
-KN0wqIlmOsxbPA+WEiDeXkFSdDXtTCZAGcpz31SxMJacpRTQOCg/qzAH196Y0n9/
-kLJSHeWViO26imoUhWZ27HUw6K6U9OF2+ksO8VPXlb77afo9Mg==
+MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCluKLuzrGmD2qyn9MiF3neCZhxePqnzjZRVFfH
+MZlW0YrWxf1S5ogOe/nqJ3q/PxTsqtL/i1ZYrMpRd8U8tuSDbyIGLVvr51nUq0LI
+1amHc7NzNlEvpdCQoodkVGwS07h2R2mvro8As3C552c/jGo9eV+BJ6MOqqc9gUgQ
+sRhsOC6PenvFPSHI+aB/FyuIT7ry7G0kjmzxClzZW7Gw/EnLStJYxiolsJeEw57/
+NIwQRn8P+zxZeqYpDK6OUDryU4RALdWRewo3joJ3zmYvNHdcpUU7ABmnB9GS5ma5
+O07pY/wzmBquewh9Ct96uqpZbYaCCmQr2lmnTE7vPb0EoksxAgMBAAGjggEzMIIB
+LzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYk
+T3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBSz
+nYHmFpJkxIaH9SkQG14vdPftsTCBmAYDVR0jBIGQMIGNgBQrQOXJffX0ljjpL+Mv
+2UBkyY4Fm6FqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgTAk5BMRAwDgYDVQQH
+EwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEW
+Em1lQG15aG9zdC5teWRvbWFpboIJAKFO3vqQ8q6BMBMGA1UdJQQMMAoGCCsGAQUF
+BwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAgEATiWAG8uwQv+7P+gN
+WMGA28/QkN/KweZB4Uh/px7HNZ+cbXw+gujefq6CFgAzDwIj8Z3+KwYWBVUWidxj
+rF8aMRN5IaNuYCjo52tUACKht2laFzHOD8Km3aNv3uoZbNLSyzWd3YdRM2jNw5uQ
+VfGAPVy4CbbhPBOkXUrOpRGe+QjuvuNUHQZMuxtyE+59oEXM/tE7AgPB1OpFLajJ
+l+fzinqgL91IOnXJQiiU/K9EUhZomNatqGWxzaxgQXDlROha8uf8O/5FiRcdbYXG
+8Pxph9EdB/PLe1SNqqPM48b81gV2NdAmY47RqLf/YUKKLGMf1OwUR2se44FhEjuM
+FrXPh2otQiGDnA46kDoewTZhQfn7Tl3q9N8jkjMrmxSfoPXTxPgfL5wRNq8qImGV
+MgvEHC2xwQoql8BDSmw+2wDNKRWefkF1NqhWhoyCnkYg5QYeYNIDX5+eabu/wrRD
+4n2FF4MYQbDLqQQbGFKfiYt2n5RZgU9gWzMY/MdS0NJp/AuiYzJ1Q5np1/htx1Ux
+DPPvGnHhClfhnROyHv4d7+TxUdmVs/0oKJORSinFNw6r2IVq/qiDH3uAXR8Eebep
+CG4N1i6qfPZjfUHecBMyzt1YzKZz1HJ+16x0qDW6wxsqZNdaN5dWlDQrKnFgvGmr
+AIW5T2cyF1HD2lc6N4lmxHpR2l8=
 -----END CERTIFICATE-----
diff --git a/sample/sample-keys/server.key b/sample/sample-keys/server.key
index 976acab..011df12 100644
--- a/sample/sample-keys/server.key
+++ b/sample/sample-keys/server.key
 <at>  <at>  -1,15 +1,28  <at>  <at> 
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDLTqz5g1f2adIyKbS8reb3JiGJMzBDQKM12d4mAda08LwKGVWZ
-O/FMkWC2/XQ0jVrHYuzO8tYCzlcy9DWMcaBtZSrngK4pWc82c/h8SnOQ/DAo1UZ9
-NaROyZ+Qe+IJITbFqOyFgpoytJE7wdZPn9H4b2j0HdIGkTLMmkj9zZh/LwIDAQAB
-AoGBAKP1ljA/iY/zNY447kZ/5NWKzd7tBk4mcbl7M9no/7O6tZtbZRoIKoi6cYoC
-C1ZabUyBbkNTud5XdCFmq0zRUjOWvoFMZ9VZfd2kRPvl4TGczBtJAq65b+EYMGui
-q6T9p61xPdtzu0vM+Ecj127pAMk5XcJyxu8XQK7lZWmG5UoJAkEA8CxXNZN+A3qD
-bMBPI3VdwKCNSjNVEQEnygMbNgw7VLdxPpspzZziqJEGdzsM4dsnOBwKxIWFLN2h
-lbGBOquAswJBANi0atGWM8VUxDjvqqHCTS9RUXWgnvYhee4/xraJBQPBSivjC9P0
-vKT7PjBHU6djtKSLKGaHn1vHqmyY7PCMjZUCQQCNVSqExqSzG1dXmdt4PErNXi2G
-6qo2dX2arTVIGu6XLdQgSWLSMm5XT/CEHWW5SyPLKwVTHFeATXQXCPvJML9tAkEA
-k0yXax0g1ZoXwufN4SQUmPw6Va03P/BjU/nP1ZVvbiz9gLVU/d7WN4J7tA9XomkY
-idv5OzAmtxkSE70jGSNAvQJAWhCf9+iHkzOHRyKKOYlh1DHUwDfSEp+hlZYg9H03
-P2sraQzUxgWDY/DIY63KvW78ny863baFz7onz21MYGgJXg==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCluKLuzrGmD2qy
+n9MiF3neCZhxePqnzjZRVFfHMZlW0YrWxf1S5ogOe/nqJ3q/PxTsqtL/i1ZYrMpR
+d8U8tuSDbyIGLVvr51nUq0LI1amHc7NzNlEvpdCQoodkVGwS07h2R2mvro8As3C5
+52c/jGo9eV+BJ6MOqqc9gUgQsRhsOC6PenvFPSHI+aB/FyuIT7ry7G0kjmzxClzZ
+W7Gw/EnLStJYxiolsJeEw57/NIwQRn8P+zxZeqYpDK6OUDryU4RALdWRewo3joJ3
+zmYvNHdcpUU7ABmnB9GS5ma5O07pY/wzmBquewh9Ct96uqpZbYaCCmQr2lmnTE7v
+Pb0EoksxAgMBAAECggEAPMOMin+jR75TYxeTNObiunVOPh0b2zeTVxLT9KfND7ZZ
+cBK8pg79SEJRCnhbW5BnvbeNEkIm8PC6ZlDCM1bkRwUStq0fDUqQ95esLzOYq5/S
+5qW98viblszhU/pYfja/Zi8dI1uf96PT63Zbt0NnGQ9N42+DLDeKhtTGdchZqiQA
+LeSR0bQanY4tUUtCNYvBT8E3pzhoIsUzVwzIK53oovRpcOX3pMXVYZsmNhXdFFRy
+YkjMXpj7fGyaAJK0QsC+PsgrKuhXDzDttsG2lI/mq9+7RXB3d/pzhmBVWynVH2lw
+iQ7ONkSz7akDz/4I4WmxJep+FfQJYgK6rnLAlQqauQKBgQDammSAprnvDvNhSEp8
+W+xt7jQnFqaENbGgP0/D/OZMXc4khgexqlKFmSnBCRDmQ6JvLTWqDXC4+aqAbFQz
+zAIjiKaT+so8xvFRob+rBMJY5JLYKNa+zUUanfORUNYLFJPvFqnrWGaJ9uufdaM7
+0a5bu95PN74NXee3DBbpBv8HLwKBgQDCEk+IjNbjMT+Neq0ywUeM5rFrUKi92abe
+AgsVpjbighRV+6jA2lZFJcize+xYJ9wiOR1/TEI9PZ2OtBkqpwVdvTEHTagRLcvd
+NfGcptREDnNLoNWA22buQpztiEduutACWQsrd+JQmqbUicUdW4zw86/oCMbYCW3V
+QmYOLns7nwKBgHHUX20WZE91S4pmqFKlUzHTDdkk1ESX6Qx2q0R01j8BwawHFs6O
+0DW9EZ7w55nfsh+OPRl1sjK/3ubMgfQO0TZLm+IGf3Sya0qEnVeiPMkpDMX+TgRA
+wzEe+ou6uho+9uFSvdxMxeglaYA5M2ycvNwLsbEyZ4ZyVYxdgTiKahYFAoGAcIfP
+iD0qKQiYcj/tB94cz+3AeJqHjbYT1O1YYhBECOkmQ4kuG80+cs/q5W/45lEOiuWV
+Xgfo7Lu6jVGOujWoneci87oqtvNYH4e09oGh2WiLoBG9Wv9dWtBTUERSLzmxfXsG
+SAk2uEhEbj8IhfJc8iZLHH9iVUh6YEslBBodqL8CgYEAlAhvcqAvw5SzsfBR5Mcu
+4Nql6mXEVhHCvS4hdFCGaNF0z9A6eBORKJpdLWnqhpquDQDsghWE+Ga4QKSNFIi1
+fnAaykmZuY3ToqNOIaVlYM6HpMEz0wHQbTWfDLGcTFcElLZgMAk7VlDyiYVOco+E
+QX9lXOO1PGpLzXhlDxSe63Y=
+-----END PRIVATE KEY-----
--

-- 
1.9.1


------------------------------------------------------------------------------
samuli | 22 Oct 09:07 2014
Picon

[PATCH 0/2] tap-windows6 interoperability patches

These patches fix serious interoperability issues with tap-windows6. Backported
versions of these patches were tested with OpenVPN 2.3.4 because openvpn-build
is currently unable to build from Git "master".

[PATCH 1/2] Modification to address bug where OpenVPN enters state
[PATCH 2/2] Revised fix for code=995 sped bug.

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
Selva Nair | 21 Oct 18:08 2014
Picon

Fwd: New OpenVPN Windows installers (I004 and I604) released

Hi,

On Tue, Oct 21, 2014 at 10:26 AM, Gert Doering <gert <at> greenie.muc.de> wrote:

> On Tue, Oct 21, 2014 at 09:55:09AM -0400, Selva Nair wrote:
>> Currently OpneVPN-MI-GUI does work without elevated privileges using
>> openvpn service and the management interface. I have a small user-base who
>> have been happily using it this way for more than a year now. In my view if
>> OpenVPN distribution could bundle the MI-GUI, it would be of great help.

>Well, that works, but runs OpenVPN as privileged user - so a bug in
>OpenVPN (or a config that runs scripts) could be used to attack the
>system...

Sure, the "log term" plan of having OpenVPN run as a normal user is great, but the 
current situation of every windows user needing admin privilege to run the UI is
hard to meet in many installations. 

The MI-GUI solves that problem right now as opposed to sometime in future. 

(Plus, traditionally using the service will not work with username+password
input, but if MI does that via management interface, it can be done)

That's exactly what MI-GUI it does -- both certificate password and username/password 
are passed through the management interface. Locally, I have patched it to pass the 
certificate key as well although we don't normally use that option.

Selva

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Samuli Seppänen | 20 Oct 15:07 2014
Picon

New OpenVPN Windows installers (I004 and I604) released


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

New Windows installers with OpenSSL 1.0.1j have been released:

<http://openvpn.net/index.php/download/community-downloads.html>

Two of the issues fixed in OpenSSL may impact OpenVPN. More details here:

<http://thread.gmane.org/gmane.network.openvpn.devel/9133>

Let me know if there are any issues with these installers.

Best regards,

- -- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRFCSEACgkQwp2X7RmNIqPYCgCg4H2uIUnpO2pQzwwdS0H3VyLl
lSQAn1w8BWUgofRJr4SsXL47zPEhe1He
=5sXk
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
Samuli Seppänen | 20 Oct 11:06 2014
Picon

Topics for next Thursday's (23rd Oct 2014) community meeting


Hi,

We're having an IRC meeting on Thursday, starting at 18:00 UTC on
#openvpn-devel <at> irc.freenode.net. Current topic list is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2014-10-23>

If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:

<https://community.openvpn.net/openvpn/wiki/GettingHelp#DeveloperIRCchannel>

--

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
Samuli Seppänen | 20 Oct 10:57 2014
Picon

Regarding OpenVPN 2.3.5 release and tap-windows6-related fixes


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

People have encountered a few rather serious issues with OpenVPN 2.3.x
for Windows. These issues only materialize when one is using OpenVPN
2.3.x with tap-windows6:

<https://community.openvpn.net/openvpn/ticket/430>
<https://community.openvpn.net/openvpn/ticket/432>

The underlying issue is that OpenVPN 2.3.x does not handle return code
995 from tap-windows6 at all. According to the driver author most s.c.
tap-windows6 issues stem from this single omission in OpenVPN 2.3.x itself.

There are now tentative fixes for the 995 issue here:

<https://github.com/TDivine/openvpn/commit/c391f10e79d88d01405eedbc6822bc92cf8a210d>
<https://github.com/TDivine/openvpn/commit/44b56c14c66201074805a4c5b97da2cfb1e1f248>

However, those fixes are for the Git "master" branch, which cannot
currently be built using "openvpn-build" (i.e. for Windows). A few weeks
ago I backported the above patches to OpenVPN 2.3.4 and released test
installers[1] which apparently fixed the primary issue[2]. Do we / can
we merge the patches to "master" without testing based on the fact that
they worked for OpenVPN 2.3.4?

We'd also need to backport these fixes to 2.3 and make a new release.
Looks like there's quite a lot of stuff in the pipe for 2.3.5, so it
probably makes sense to release all of it along with these
tap-windows6-related fixes in one go. Anything blocking 2.3.5 release atm?

- -- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1]
<http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I603-i686.exe>
<http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I603-x86_64.exe>
[2] <https://community.openvpn.net/openvpn/ticket/430#comment:11>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlREzmUACgkQwp2X7RmNIqNguACeLDF/720Obl6IrNNs0OWYU88N
6GoAn3PQSgxKX+M2UxY6WJKujLXtOTOI
=Xb+t
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
Lisa Minogue | 17 Oct 13:16 2014
Picon

New OpenVPN bundles for Windows platform that incorporate OpenSSL 1.0.1j

Hi Samuli

I just wish to thank you in advance for preparing and compiling new OpenVPN bundles for Microsoft Windows OS
that incorporate OpenSSL 1.0.1j.

Best regards.

Lisa
-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
David Sommerseth | 16 Oct 18:06 2014
Picon

Some systemd patches backported from master to release/2.3


This is just an short update on a few cherry-picks I've done to improve
the systemd implementation in OpenVPN 2.3.x.  All the commits have been
cherry picked from the master branch into the stable release/2.3 branch.

* Commit 027dd7f6368d7a7fc8a4ca5e0fadd8de2c7c88da
  systemd: Use systemd functions to consider systemd availability

  Merged backport of master commit 55480682b9bfa5894402954f4c740
  + master commit f33ee6bcb12fdc3869b17b7c528a2

* Commit a83103043c11d66099565bcf4b63f54db0629913
  Add systemd unit file for OpenVPN

  Master commit 8a4566ce4f01a434ac9ea841eae74330368398a0

* Commit f54cdc9f5316906c664a782abf8fdac028a80860
  Don't let openvpn_popen() keep zombies around

  Master commit d886d468849051af525bb8ff1b9080f6c934e3ab

* Commit ef21281b290c2984523c36be06f62b24ca253001
  Add configure check for the path to systemd-ask-password

  Master commit ba79c71d1255651bfcb8570519b4033c763d47d3

--

-- 
kind regards,

David Sommerseth

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Alexander Pyhalov | 13 Oct 11:47 2014
Picon

Default gateway can't be determined on illumos/solaris

Hello.
In openvpn 2.3.4 on illumos/Solaris clients gateway for client can't be 
determined, because default stub is used instead of 
get_default_gateway() function. This means that the following push route 
option in server config is not working:
push "route remote_host 255.255.255.255 net_gateway"

OpenVPN  client says that it doesn't know net_gateway.
The following patch mostly uses existing FreeBSD code to add 
get_default_gateway() implementation:

https://github.com/pyhalov/oi-userland/blob/openvpn/components/openvpn/patches/get_default_gateway.patch 
.

The difference is that on Solaris there's no sa_len field.
I'm not absolutely sure that patch is correct, but as I see in route.c 
only sockaddr_in structures are supposed to be passed to NEXTADDR and 
ADVANCE macroses. This patch works for me.
--

-- 
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://p.sf.net/sfu/Zoho

Gmane