From 8d6693c156ed161603fbf0624c526e096d606f7f Mon Sep 17 00:00:00 2001 
From: Seonah Moon Date: Thu, 8 Jun 2017 11:05:32 +0900 Subject: [PATCH] Imported Upstream version 2.50.0 Change-Id: I7cf4e6cca519e630046f83ade0b2cf283be97547 --- .gitignore | 6 +- LICENSE_EXCEPTION | 14 + Makefile.am | 5 + NEWS | 220 +++++ autogen.sh | 1 - configure.ac | 47 +- glib-networking.doap | 2 + glib-networking.mk | 1 + glib.mk | 109 +-- m4/glibtests.m4 | 2 +- po/LINGUAS | 4 + po/Makevars | 78 ++ po/bn_IN.po | 1 + po/bs.po | 146 +++ po/ca@valencia.po | 2 +- po/cs.po | 4 +- po/de.po | 2 +- po/el.po | 70 +- po/en_CA.po | 1 + po/en_GB.po | 85 +- po/eo.po | 1 + po/es.po | 2 +- po/fa.po | 2 +- po/fr.po | 2 +- po/fur.po | 120 ++- po/gd.po | 153 +++ po/gu.po | 1 + po/hu.po | 2 +- po/it.po | 2 +- po/ja.po | 80 +- po/kk.po | 149 +++ po/km.po | 1 + po/kn.po | 1 + po/lt.po | 2 +- po/nb.po | 2 +- po/oc.po | 158 +++ po/pa.po | 2 +- po/pl.po | 97 +- po/pt.po | 79 +- po/sl.po | 2 +- po/sr@latin.po | 2 +- po/sv.po | 78 +- po/tg.po | 94 +- po/ug.po | 2 +- po/zh_CN.po | 53 +- po/zh_HK.po | 2 +- po/zh_TW.po | 2 +- proxy/gnome/gnome-proxy-module.c | 19 + proxy/gnome/gproxyresolvergnome.c | 1 + proxy/libproxy/Makefile.am | 10 + proxy/libproxy/glib-pacrunner.service.in | 7 + proxy/libproxy/glibpacrunner.c | 13 +- proxy/libproxy/glibproxyresolver.c | 2 + proxy/libproxy/libproxy-module.c | 19 + proxy/libproxy/org.gtk.GLib.PACRunner.service.in | 1 + tap-driver.sh | 652 +++++++++++++ tap-test | 5 + tls/gnutls/gnutls-module.c | 21 + tls/gnutls/gtlsbackend-gnutls-pkcs11.c | 3 + tls/gnutls/gtlsbackend-gnutls-pkcs11.h | 3 + tls/gnutls/gtlsbackend-gnutls.c | 3 + tls/gnutls/gtlsbackend-gnutls.h | 3 + tls/gnutls/gtlscertificate-gnutls-pkcs11.c | 3 + tls/gnutls/gtlscertificate-gnutls-pkcs11.h | 5 + tls/gnutls/gtlscertificate-gnutls.c | 229 ++++- tls/gnutls/gtlscertificate-gnutls.h | 7 + tls/gnutls/gtlsclientconnection-gnutls.c | 156 ++- tls/gnutls/gtlsclientconnection-gnutls.h | 3 + tls/gnutls/gtlsconnection-gnutls.c | 375 +++++--- tls/gnutls/gtlsconnection-gnutls.h | 24 +- 
tls/gnutls/gtlsdatabase-gnutls-pkcs11.c | 475 +++++++-- tls/gnutls/gtlsdatabase-gnutls-pkcs11.h | 3 + tls/gnutls/gtlsdatabase-gnutls.c | 324 +------ tls/gnutls/gtlsdatabase-gnutls.h | 20 +- tls/gnutls/gtlsfiledatabase-gnutls.c | 268 +++--- tls/gnutls/gtlsfiledatabase-gnutls.h | 3 + tls/gnutls/gtlsinputstream-gnutls.c | 156 ++- tls/gnutls/gtlsinputstream-gnutls.h | 3 + tls/gnutls/gtlsoutputstream-gnutls.c | 158 ++- tls/gnutls/gtlsoutputstream-gnutls.h | 3 + tls/gnutls/gtlsserverconnection-gnutls.c | 17 +- tls/gnutls/gtlsserverconnection-gnutls.h | 3 + tls/pkcs11/gpkcs11array.c | 3 + tls/pkcs11/gpkcs11array.h | 3 + tls/pkcs11/gpkcs11pin.c | 3 + tls/pkcs11/gpkcs11pin.h | 3 + tls/pkcs11/gpkcs11slot.c | 3 + tls/pkcs11/gpkcs11slot.h | 3 + tls/pkcs11/gpkcs11util.c | 3 + tls/pkcs11/gpkcs11util.h | 3 + tls/pkcs11/pkcs11-trust-assertions.h | 3 + tls/tests/Makefile.am | 42 +- tls/tests/certificate.c | 170 +++- tls/tests/connection.c | 1118 ++++++++++++++++++++-- tls/tests/file-database.c | 84 +- tls/tests/files/ca-alternative.pem | 24 + tls/tests/files/ca-key.pem | 15 + tls/tests/files/ca-roots-bad.pem | 90 ++ tls/tests/files/ca-roots.pem | 45 +- tls/tests/files/ca.pem | 38 +- tls/tests/files/chain.pem | 59 ++ tls/tests/files/client-and-key.pem | 82 +- tls/tests/files/client-future.pem | 32 +- tls/tests/files/client-key.pem | 27 + tls/tests/files/client-past.pem | 32 +- tls/tests/files/client.pem | 32 +- tls/tests/files/create-files.sh | 186 ++++ tls/tests/files/intermediate-ca-csr.pem | 12 + tls/tests/files/intermediate-ca-key.pem | 9 + tls/tests/files/intermediate-ca.pem | 22 + tls/tests/files/non-ca.pem | 138 ++- tls/tests/files/old-ca-key.pem | 15 + tls/tests/files/old-ca.pem | 24 + tls/tests/files/root-ca-csr.pem | 14 + tls/tests/files/server-and-key.pem | 43 +- tls/tests/files/server-intermediate-csr.pem | 9 + tls/tests/files/server-intermediate-key.pem | 9 + tls/tests/files/server-intermediate.pem | 14 + tls/tests/files/server-key.der | Bin 318 -> 319 bytes 
tls/tests/files/server-key.pem | 19 +- tls/tests/files/server-self.pem | 16 +- tls/tests/files/server.der | Bin 554 -> 571 bytes tls/tests/files/server.pem | 24 +- tls/tests/files/ssl/ca.conf | 31 + tls/tests/files/ssl/client.conf | 14 + tls/tests/files/ssl/intermediate-ca.conf | 31 + tls/tests/files/ssl/old-ca.conf | 31 + tls/tests/files/ssl/server-intermediate.conf | 27 + tls/tests/files/ssl/server.conf | 27 + tls/tests/mock-interaction.c | 114 ++- tls/tests/mock-interaction.h | 11 +- tls/tests/mock-pkcs11.c | 3 + tls/tests/pkcs11-array.c | 3 + tls/tests/pkcs11-pin.c | 3 + tls/tests/pkcs11-slot.c | 5 +- tls/tests/pkcs11-util.c | 3 + 136 files changed, 6022 insertions(+), 1640 deletions(-) create mode 100644 LICENSE_EXCEPTION create mode 100644 po/Makevars create mode 100644 po/bs.po create mode 100644 po/gd.po create mode 100644 po/kk.po create mode 100644 po/oc.po create mode 100644 proxy/libproxy/glib-pacrunner.service.in create mode 100755 tap-driver.sh create mode 100755 tap-test create mode 100644 tls/tests/files/ca-alternative.pem create mode 100644 tls/tests/files/ca-key.pem create mode 100644 tls/tests/files/ca-roots-bad.pem create mode 100644 tls/tests/files/chain.pem create mode 100644 tls/tests/files/client-key.pem create mode 100755 tls/tests/files/create-files.sh create mode 100644 tls/tests/files/intermediate-ca-csr.pem create mode 100644 tls/tests/files/intermediate-ca-key.pem create mode 100644 tls/tests/files/intermediate-ca.pem create mode 100644 tls/tests/files/old-ca-key.pem create mode 100644 tls/tests/files/old-ca.pem create mode 100644 tls/tests/files/root-ca-csr.pem create mode 100644 tls/tests/files/server-intermediate-csr.pem create mode 100644 tls/tests/files/server-intermediate-key.pem create mode 100644 tls/tests/files/server-intermediate.pem create mode 100644 tls/tests/files/ssl/ca.conf create mode 100644 tls/tests/files/ssl/client.conf create mode 100644 tls/tests/files/ssl/intermediate-ca.conf create mode 100644 
tls/tests/files/ssl/old-ca.conf create mode 100644 tls/tests/files/ssl/server-intermediate.conf create mode 100644 tls/tests/files/ssl/server.conf diff --git a/.gitignore b/.gitignore index 9af6520..ebf44ce 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,8 @@ Makefile *.lo *.la *.test +*.log +*.trs # autofoo stuff here compile @@ -30,11 +32,11 @@ test-driver INSTALL ChangeLog -m4/intltool.m4 m4/libtool.m4 m4/lt*.m4 proxy/libproxy/glib-pacrunner +proxy/libproxy/glib-pacrunner.service proxy/libproxy/org.gtk.GLib.PACRunner.service proxy/tests/gnome proxy/tests/libproxy @@ -47,3 +49,5 @@ proxy/tests/libproxy /tls/tests/pkcs11-pin /tls/tests/pkcs11-slot /tls/tests/pkcs11-util +/tls/tests/files/server-csr.pem +/tls/tests/files/client-csr.pem diff --git a/LICENSE_EXCEPTION b/LICENSE_EXCEPTION new file mode 100644 index 0000000..dea39f5 --- /dev/null +++ b/LICENSE_EXCEPTION @@ -0,0 +1,14 @@ + + LICENSE EXCEPTION FOR OPENSSL + + * In addition, as a special exception, the copyright holders give + * permission to link the code of portions of this program with the + * OpenSSL library, and distribute linked combinations + * including the two. + * You must obey the GNU Library General Public License in all respects + * for all of the code used other than OpenSSL. If you modify + * file(s) with this exception, you may extend this exception to your + * version of the file(s), but you are not obligated to do so. If you + * do not wish to do so, delete this exception statement from your + * version. If you delete this exception statement from all source + * files in the program, then also delete it here. diff --git a/Makefile.am b/Makefile.am index 42405bf..a9826c0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -33,3 +33,8 @@ uninstall-hook: if test -n "$(GIO_QUERYMODULES)" -a -z "$(DESTDIR)"; then \ $(GIO_QUERYMODULES) $(GIO_MODULE_DIR) ; \ fi + +EXTRA_DIST += \ + tap-driver.sh \ + tap-test \ + $(NULL) diff --git a/NEWS b/NEWS index ba6cd79..786a6b9 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,223 @@ +2.50.0 +====== + * New stable release. + + * Updated translations: British English, Polish + +2.49.90 +======= + * Ported to use upstream gettext rather than intltool/glib-gettext + [#768708, Javier Jardón] + + * Updated po files for future gettext versions [Piotr Drąg] + + * Fixed translation lookup on Windows [#765466, Chun-wei Fan] + + * Updated translations: Occitan + +2.48.2 +====== + * gnutls: Fixed an infinite loop if a server sent two identical + copies of its CA certificate [#765317, Carlos Garcia Campos] + + * New/updated translations: Occitan, Scottish Gaelic + +2.48.1 +====== + * Fixed translations in non-UTF-8 domains [#765466, Ting-Wei Lan] + + * Fixed bash-ism in configure [#765396, Patrick Welche] + + * Updated translations: Friulian + +2.48.0 +====== + * New stable release. (No changes since 2.47.90) + +2.47.90 +======= + * gnutls: The non-PKCS#11 TLS plugin now uses gnutls's certificate + validation code directly, rather than attempting to build a + certificate chain itself first. [#753260 and others, Dan Winship] + + * gnutls: Fixed a leak when closing a connection during an implicit + handshake [#736809, Philip Withnall] + + * gnutls: Fixed "make check" without PKCS#11 support [#728977, + Gilles Dartiguelongue] + + * gnutls: Various changes in preparation for DTLS support (but not + the actual DTLS support itself) [#697908, #735754, Philip + Withnall, Olivier Crête] + + * Updated translations: Occitan + +2.47.1 +====== + * Fixed a certificate chain validation problem that affected + Facebook in Epiphany. 
[#750457, Carlos Garcia Campos] + + * Added a systemd service file for glib-pacrunner [#755740, Simon + McVittie] + +2.46.0 +====== + * Various minor cleanups and small memory leak fixes + + * Added a new test case for client certificate chain handling + [#754129, Michael Catanzaro] + + * New/updated translations: + Japanese, Occitan, Portuguese + +2.45.1 +====== + * tls/gnutls: Implement g_tls_client_connection_copy_session_state(), + to allow implementing FTP-over-TLS in gvfs. (#745255, Ross + Lagerwall) + +2.44.0 +====== + * New stable release. (No changes since 2.43.92) + +2.43.92 +======= + * Fix TLS session caching when using session tickets (#745099, Ross + Lagerwall) + + * Updated translations: + Bosnian + +2.43.91 +======= + * tls/gnutls: Removed a workaround for connecting to servers with + weak DH parameters, which was apparently only needed because + gnutls was prioritizing DHE over RSA. (Michael Catanzaro) + (https://bugzilla.redhat.com/show_bug.cgi?id=1177964#c8) + + * tls/gnutls: We now require gnutls 3.x again. (In fact, 2.42.1 + and 2.43.1 accidentally used a 3.x-only function, so we already + required it, we were just failing to declare that fact.) + + * tls/tests: Skip certain tests when running against old gnutls or + GLib releases. (glib-networking 2.43.91 itself does not require + GLib 2.43, but one of the test cases does.) + + * Updated translations: + Friulian + +2.43.1 +====== + + * The GTlsClientConnection "use-ssl3" property now falls back to TLS + 1.0 if SSL 3.0 has been disabled, rather than just failing. Also, + we now use the gnutls %LATEST_RECORD_VERSION option by default (to + allow connecting to certain servers that were incorrectly patched + for the POODLE attack), but also make sure to remove that option + in the fallback ("use-ssl3") mode (to allow connecting to other + servers that are differently broken). 
(#738633, #740087, Dan + Winship) + + * tls/gnutls: Miscellaneous warning, debugging, and leak fixes + (#736757, #736809, #737106, Philip Withnall) + + * New/updated translations: + Kazakh + +2.42.0 +====== + * New stable release. (No changes since 2.41.92) + +2.41.92 +======= + * tls/gnutls: Incorrectly-ordered certificate chains are now + accepted (#683266, Michael Catanzaro) + + * tls/gnutls: Closing an already-closed GTlsConnection now correctly + returns TRUE rather than G_IO_ERROR_CLOSED (#735754, Olivier + Crête) + +2.41.4 +====== + * tls/gnutls: certificates with IP address subject altnames are now + supported (#726596, Aleix Conchillo Flaqué) + + * tls/tests: added a script to re-generate the certificates, and + regenerated them (since the key for the existing CA certificate + had been lost, so it wasn't possible to add new test certificates, + eg, for IP SAN). (#733365, Aleix Conchillo Flaqué) + + * Updated translations: + Greek + +2.41.3 +====== + * tls/gnutls: g_tls_backend_get_default_database() should never + return %NULL; if glib-networking was built without a + ca-certificates file, then the default GTlsDatabase should just be + empty. (#727282, Olivier Crête) + + * tls/gnutls: If a server's certificate includes an issuer chain, we + now send the entire chain to the client. (#724708, Aleix Conchillo + Flaqué) + + * Updated translations: + Swedish + +2.40.0 +====== + * New stable release. 
(No changes since 2.39.90) + +2.39.90 +======= + * tls/gnutls: Avoid trying to update a destroyed GSource (#723774, + Philip Withnall) + + * tls/tests: Fix another flaky test (#722336) + + * tests: use the TAP driver + + * Updated translations: + Chinese, Czech + +2.39.3 +====== + * tls/tests: Fix one sporadic bug in the connection test (#720081) + and make it properly fail rather than hanging forever when another + sporadic bug happens (which I don't actually know the cause of) + (#719727) + + * tls/gnutls: Fix for -Werror=format-nonliteral (#720081, Ryan + Lortie) + +2.39.1 +====== + * tls/gnutls: Use g_tls_interaction_invoke_request_certificate() + when processing a certificate request. (#637257, Stef Walter) + + * tls/gnutls: Handle G_IO_ERROR_TIMED_OUT on a GTlsConnection + correctly rather than reporting "The specified session has + been invalidated for some reason". (#710700, Aleix Concillo + Flaque) + + * tls/tests: Fix to previous installed-tests fix, which resulted + in some files getting installed even when installed tests weren't + enabled. (#710197) + + * tls/tests: add a test for a fix made in glib (#710691, Aleix + Conchillo Flaque). + +2.38.1 +====== + * glibpacrunner: Don't crash if there is an internal libproxy error. + (rhbz #866927) + + * tls/tests: Fix installed tests to not accidentally depend on + having the source tree still exist. (#709628) + + * Updated translations: + Tajik + 2.38.0 ====== * New stable release. (No changes since 2.37.5) diff --git a/autogen.sh b/autogen.sh index 16d8287..e8cfe3e 100755 --- a/autogen.sh +++ b/autogen.sh @@ -15,7 +15,6 @@ fi mkdir -p m4 autoreconf --force --install --verbose || exit $? -intltoolize --copy --force --automake || exit $? cd "$olddir" test -n "$NOCONFIGURE" || "$srcdir/configure" "$@" diff --git a/configure.ac b/configure.ac index 9b6a924..c6f49ca 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,7 +1,7 @@ AC_PREREQ(2.65) AC_CONFIG_MACRO_DIR([m4]) -AC_INIT([glib-networking],[2.38.0],[http://bugzilla.gnome.org/enter_bug.cgi?product=glib&component=network]) +AC_INIT([glib-networking],[2.50.0],[http://bugzilla.gnome.org/enter_bug.cgi?product=glib&component=network]) AC_CONFIG_SRCDIR([proxy/libproxy/glibproxyresolver.h]) AC_CONFIG_HEADERS([config.h]) @@ -20,24 +20,23 @@ AC_PROG_CPP dnl Checks for libraries. dnl **************************** -dnl *** Checks for intltool *** +dnl *** Checks for gettext *** dnl **************************** +AM_GNU_GETTEXT_VERSION([0.19.4]) +AM_GNU_GETTEXT([external]) -IT_PROG_INTLTOOL([0.35.0]) GETTEXT_PACKAGE=glib-networking - AC_SUBST([GETTEXT_PACKAGE]) AC_DEFINE_UNQUOTED([GETTEXT_PACKAGE],["$GETTEXT_PACKAGE"],[The gettext domain name]) -AM_GLIB_GNU_GETTEXT dnl ***************************** dnl *** Check GLib GIO *** dnl ***************************** -AM_PATH_GLIB_2_0(2.38.0,,AC_MSG_ERROR(GLIB not found),gio) -GLIB_CFLAGS="$GLIB_CFLAGS -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_36" +AM_PATH_GLIB_2_0(2.46.0,,AC_MSG_ERROR(GLIB not found),gio) +GLIB_CFLAGS="$GLIB_CFLAGS -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_46" GIO_MODULE_DIR=$($PKG_CONFIG --variable giomoduledir gio-2.0) -AS_IF([test "x$GIO_MODULE_DIR" = "x"], +AS_IF([test "$GIO_MODULE_DIR" = ""], [AC_MSG_FAILURE(GIO_MODULE_DIR is missing from gio-2.0.pc)]) AC_SUBST(GIO_MODULE_DIR) 
@@ -55,12 +54,12 @@ AC_ARG_WITH(libproxy, [support for libproxy @<:@default=check@:>@])], [], [with_libproxy=check]) -AS_IF([test "x$with_libproxy" != "xno"], +AS_IF([test "$with_libproxy" != "no"], [PKG_CHECK_MODULES(LIBPROXY, [libproxy-1.0 >= 0.3.1], [with_libproxy=yes; proxy_support=libproxy], - [AS_IF([test "x$with_libproxy" = "xyes"], + [AS_IF([test "$with_libproxy" = "yes"], [AC_MSG_FAILURE("$LIBPROXY_PKG_ERRORS")])])]) -AM_CONDITIONAL(HAVE_LIBPROXY, [test "x$with_libproxy" = "xyes"]) +AM_CONDITIONAL(HAVE_LIBPROXY, [test "$with_libproxy" = "yes"]) AC_SUBST(LIBPROXY_CFLAGS) AC_SUBST(LIBPROXY_LIBS) 
@@ -72,38 +71,38 @@ AC_ARG_WITH(gnome-proxy, [support for GNOME proxy configuration @<:@default=check@:>@])], [], [with_gnome_proxy=check]) -AS_IF([test "x$with_gnome_proxy" != "xno"], +AS_IF([test "$with_gnome_proxy" != "no"], [PKG_CHECK_MODULES(GSETTINGS_DESKTOP_SCHEMAS, [gsettings-desktop-schemas], [with_gnome_proxy=yes; proxy_support="gnome $proxy_support"], - [AS_IF([test "x$with_gnome_proxy" = "xyes"], + [AS_IF([test "$with_gnome_proxy" = "yes"], [AC_MSG_FAILURE("$GSETTINGS_DESKTOP_SCHEMAS_PKG_ERRORS")])])]) -AM_CONDITIONAL(HAVE_GNOME_PROXY, [test "x$with_gnome_proxy" = "xyes"]) +AM_CONDITIONAL(HAVE_GNOME_PROXY, [test "$with_gnome_proxy" = "yes"]) AC_SUBST(GSETTINGS_DESKTOP_SCHEMAS_CFLAGS) dnl ***************************** dnl *** Checks for GNUTLS *** dnl ***************************** -GNUTLS_MIN_REQUIRED=2.12.8 +GNUTLS_MIN_REQUIRED=3.0 AC_ARG_WITH(gnutls, [AC_HELP_STRING([--with-gnutls], [support for GNUTLS @<:@default=yes@:>@])], [], [with_gnutls=yes]) -if test "x$with_gnutls" != "xno"; then +if test "$with_gnutls" != "no"; then PKG_CHECK_MODULES(GNUTLS, [gnutls >= $GNUTLS_MIN_REQUIRED], [with_gnutls=yes tls_support="${tls_support}gnutls "], - [AS_IF([test "x$with_gnutls" = "xyes"], + [AS_IF([test "$with_gnutls" = "yes"], [AC_MSG_FAILURE("$GNUTLS_PKG_ERRORS")])]) fi -AM_CONDITIONAL(HAVE_GNUTLS, [test "x$with_gnutls" = "xyes"]) +AM_CONDITIONAL(HAVE_GNUTLS, [test "$with_gnutls" = "yes"]) AC_SUBST(GNUTLS_CFLAGS) AC_SUBST(GNUTLS_LIBS) -if test "x$with_gnutls" = "xyes"; then +if test "$with_gnutls" = "yes"; then AC_MSG_CHECKING([location of system Certificate Authority list]) AC_ARG_WITH(ca-certificates, [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@], 
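Review bot: `GNUTLS_MIN_REQUIRED=3.0` in the `@@ -72,38 +71,38 @@` hunk of configure.ac carries no comment saying why the floor moved from 2.12.8, so a later packager could lower it again to suit an older distribution. The NEWS entry for 2.43.91 in this same patch records that a 3.x-only function was already in use. I would record that next to the assignment, e.g. `dnl gnutls backend uses 3.x-only API (see NEWS 2.43.91); do not lower`. The `if test "$with_gnutls" = "yes"` block at the end of the hunk continues outside it.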
@@ -140,20 +139,20 @@ AC_ARG_WITH(pkcs11, [support for pkcs11 @<:@default=check@:>@])], [], [with_pkcs11=check]) -if test "x$with_pkcs11" != "xno"; then +if test "$with_pkcs11" != "no"; then PKG_CHECK_MODULES(PKCS11, [p11-kit-1 >= $P11_KIT_REQUIRED], [with_pkcs11=yes pkcs11_support=p11-kit tls_support="${tls_support}gnutls-pkcs11 " AC_DEFINE_UNQUOTED([HAVE_PKCS11], [1], [Building with PKCS#11 support])], - [AS_IF([test "x$with_pkcs11" = "xyes"], + [AS_IF([test "$with_pkcs11" = "yes"], [AC_MSG_FAILURE("$PKCS11_PKG_ERRORS")]) pkcs11_support=no]) else pkcs11_support=no fi -AM_CONDITIONAL(HAVE_PKCS11, [test "x$with_pkcs11" = "xyes"]) +AM_CONDITIONAL(HAVE_PKCS11, [test "$with_pkcs11" = "yes"]) AC_SUBST(PKCS11_CFLAGS) AC_SUBST(PKCS11_LIBS) @@ -166,7 +165,7 @@ AC_ARG_ENABLE(gcov, [Enable gcov]), [use_gcov=$enableval], [use_gcov=no]) -if test "x$use_gcov" = "xyes"; then +if test "$use_gcov" = "yes"; then dnl we need gcc: if test "$GCC" != "yes"; then AC_MSG_ERROR([GCC is required for --enable-gcov]) @@ -253,7 +252,7 @@ echo " TLS support: ${tls_support:-no}" if test "$tls_support" != "no"; then echo " PKCS#11 Support: $pkcs11_support" echo " TLS CA file: ${with_ca_certificates:-(none)}" - if test -n "$with_ca_certificates"; then + if test "x$with_ca_certificates" != xno -a -n "$with_ca_certificates"; then if ! test -f "$with_ca_certificates"; then AC_MSG_WARN([Specified certificate authority file '$with_ca_certificates' does not exist]) fi diff --git a/glib-networking.doap b/glib-networking.doap index 048b5de..5d687f6 100644 --- a/glib-networking.doap +++ b/glib-networking.doap @@ -12,6 +12,8 @@ Currently it contains a GNUTLS-based implementation of GTlsBackend, a libproxy-b + + C diff --git a/glib-networking.mk b/glib-networking.mk index 29b6a6a..f6b8253 100644 --- a/glib-networking.mk +++ b/glib-networking.mk 
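Review bot: The rewritten condition in the last configure.ac hunk (`@@ -253,7 +252,7 @@`) joins two tests with `-a`, which POSIX marks obsolescent and which can be misparsed when an operand looks like an operator. It also brings back the `x` prefix that the rest of this commit removes. Two separate tests avoid both: `if test "$with_ca_certificates" != no && test -n "$with_ca_certificates"; then`. A CA file that does not exist still only triggers `AC_MSG_WARN`, so a build configured with a mistyped path completes. Whether that should be a hard error depends on how the TLS backend handles a missing file, which this hunk does not show; the enclosing `if test "$tls_support" != "no"` block continues past the hunk.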
@@ -6,6 +6,7 @@ giomoduledir = $(GIO_MODULE_DIR) AM_CPPFLAGS = \ -DG_LOG_DOMAIN=\"GLib-Net\" \ + -DLOCALE_DIR=\""$(localedir)"\" \ -DG_DISABLE_DEPRECATED \ $(GLIB_CFLAGS) \ $(NULL) diff --git a/glib.mk b/glib.mk index 490bcf8..016cb91 100644 --- a/glib.mk +++ b/glib.mk @@ -1,9 +1,14 @@ # GLIB - Library of useful C routines -GTESTER = gtester # for non-GLIB packages -GTESTER_REPORT = gtester-report # for non-GLIB packages -#GTESTER = $(top_builddir)/glib/gtester # for the GLIB package -#GTESTER_REPORT = $(top_builddir)/glib/gtester-report # for the GLIB package +TESTS_ENVIRONMENT= \ + G_TEST_SRCDIR="$(abs_srcdir)" \ + G_TEST_BUILDDIR="$(abs_builddir)" \ + G_DEBUG=gc-friendly \ + MALLOC_CHECK_=2 \ + MALLOC_PERTURB_=$$(($${RANDOM:-256} % 256)) +LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh +LOG_COMPILER = $(top_srcdir)/tap-test + NULL = # initialize variables for unconditional += appending @@ -13,7 +18,7 @@ CLEANFILES = *.log *.trs DISTCLEANFILES = MAINTAINERCLEANFILES = EXTRA_DIST = -TEST_PROGS = +TESTS = installed_test_LTLIBRARIES = installed_test_PROGRAMS = 
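Review bot: In the new `TESTS_ENVIRONMENT` (glib.mk, `@@ -1,9 +1,14 @@`), `MALLOC_PERTURB_=$$(($${RANDOM:-256} % 256))` evaluates to 0 whenever the recipe shell has no `$RANDOM`, and glibc treats 0 as perturbation off. On such shells `make check` silently loses the allocator poisoning that helps expose reads of uninitialised or freed memory in the TLS code under test. A fallback that stays non-zero keeps the check active, for example `MALLOC_PERTURB_=$$(($${RANDOM:-254} % 255 + 1))`. The expression is carried over unchanged from the removed `test-nonrecursive` rule, so this weakness predates the commit.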
@@ -30,92 +35,6 @@ check_PROGRAMS = check_SCRIPTS = check_DATA = -TESTS = - -### testing rules - -# test: run all tests in cwd and subdirs -test: test-nonrecursive - @ for subdir in $(SUBDIRS) . ; do \ - test "$$subdir" = "." -o "$$subdir" = "po" || \ - ( cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $@ ) || exit $? ; \ - done - -# test-nonrecursive: run tests only in cwd -test-nonrecursive: ${TEST_PROGS} - @test -z "${TEST_PROGS}" || G_TEST_SRCDIR="$(abs_srcdir)" G_TEST_BUILDDIR="$(abs_builddir)" G_DEBUG=gc-friendly MALLOC_CHECK_=2 MALLOC_PERTURB_=$$(($${RANDOM:-256} % 256)) ${GTESTER} --verbose ${TEST_PROGS} - -# test-report: run tests in subdirs and generate report -# perf-report: run tests in subdirs with -m perf and generate report -# full-report: like test-report: with -m perf and -m slow -test-report perf-report full-report: ${TEST_PROGS} - @test -z "${TEST_PROGS}" || { \ - case $@ in \ - test-report) test_options="-k";; \ - perf-report) test_options="-k -m=perf";; \ - full-report) test_options="-k -m=perf -m=slow";; \ - esac ; \ - if test -z "$$GTESTER_LOGDIR" ; then \ - G_TEST_SRCDIR="$(abs_srcdir)" G_TEST_BUILDDIR="$(abs_builddir)" ${GTESTER} --verbose $$test_options -o test-report.xml ${TEST_PROGS} ; \ - elif test -n "${TEST_PROGS}" ; then \ - G_TEST_SRCDIR="$(abs_srcdir)" G_TEST_BUILDDIR="$(abs_builddir)" ${GTESTER} --verbose $$test_options -o `mktemp "$$GTESTER_LOGDIR/log-XXXXXX"` ${TEST_PROGS} ; \ - fi ; \ - } - @ ignore_logdir=true ; \ - if test -z "$$GTESTER_LOGDIR" ; then \ - GTESTER_LOGDIR=`mktemp -d "\`pwd\`/.testlogs-XXXXXX"`; export GTESTER_LOGDIR ; \ - ignore_logdir=false ; \ - fi ; \ - if test -d "$(top_srcdir)/.git" ; then \ - REVISION=`git describe` ; \ - else \ - REVISION=$(VERSION) ; \ - fi ; \ - for subdir in $(SUBDIRS) . ; do \ - test "$$subdir" = "." -o "$$subdir" = "po" || \ - ( cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $@ ) || exit $? 
; \ - done ; \ - $$ignore_logdir || { \ - echo '' > $@.xml ; \ - echo '' >> $@.xml ; \ - echo '' >> $@.xml ; \ - echo ' $(PACKAGE)' >> $@.xml ; \ - echo ' $(VERSION)' >> $@.xml ; \ - echo " $$REVISION" >> $@.xml ; \ - echo '' >> $@.xml ; \ - for lf in `ls -L "$$GTESTER_LOGDIR"/.` ; do \ - sed '1,1s/^?]*?>//' <"$$GTESTER_LOGDIR"/"$$lf" >> $@.xml ; \ - done ; \ - echo >> $@.xml ; \ - echo '' >> $@.xml ; \ - rm -rf "$$GTESTER_LOGDIR"/ ; \ - ${GTESTER_REPORT} --version 2>/dev/null 1>&2 ; test "$$?" != 0 || ${GTESTER_REPORT} $@.xml >$@.html ; \ - } -.PHONY: test test-report perf-report full-report test-nonrecursive - -.PHONY: lcov genlcov lcov-clean -# use recursive makes in order to ignore errors during check -lcov: - -$(MAKE) $(AM_MAKEFLAGS) -k check - $(MAKE) $(AM_MAKEFLAGS) genlcov - -# we have to massage the lcov.info file slightly to hide the effect of libtool -# placing the objects files in the .libs/ directory separate from the *.c -# we also have to delete tests/.libs/libmoduletestplugin_*.gcda -genlcov: - rm -f $(top_builddir)/tests/.libs/libmoduletestplugin_*.gcda - $(LTP) --directory $(top_builddir) --capture --output-file glib-lcov.info --test-name GLIB_PERF --no-checksum --compat-libtool - LANG=C $(LTP_GENHTML) --prefix $(top_builddir) --output-directory glib-lcov --title "GLib Code Coverage" --legend --show-details glib-lcov.info - @echo "file://$(abs_top_builddir)/glib-lcov/index.html" - -lcov-clean: - -$(LTP) --directory $(top_builddir) -z - -rm -rf glib-lcov.info glib-lcov - -find -name '*.gcda' -print | xargs rm - -# run tests in cwd as part of make check -check-local: test-nonrecursive - # We support a fairly large range of possible variables. It is expected that all types of files in a test suite # will belong in exactly one of the following variables. # 
@@ -156,9 +75,8 @@ check-local: test-nonrecursive # variants) will be run as part of the in-tree 'make check'. These are all assumed to be runnable under # gtester. That's a bit strange for scripts, but it's possible. -# we use test -z "$(TEST_PROGS)" above, so make sure we have no extra whitespace... -TEST_PROGS += $(strip $(test_programs) $(test_scripts) $(uninstalled_test_programs) $(uninstalled_test_scripts) \ - $(dist_test_scripts) $(dist_uninstalled_test_scripts)) +TESTS += $(test_programs) $(test_scripts) $(uninstalled_test_programs) $(uninstalled_test_scripts) \ + $(dist_test_scripts) $(dist_uninstalled_test_scripts) # Note: build even the installed-only targets during 'make check' to ensure that they still work. # We need to do a bit of trickery here and manage disting via EXTRA_DIST instead of using dist_ prefixes to @@ -209,7 +127,8 @@ installed_test_meta_DATA = $(installed_testcases:=.test) %.test: %$(EXEEXT) Makefile $(AM_V_GEN) (echo '[Test]' > $@.tmp; \ echo 'Type=session' >> $@.tmp; \ - echo 'Exec=$(installed_testdir)/$<' >> $@.tmp; \ + echo 'Exec=$(installed_testdir)/$(notdir $<) --tap' >> $@.tmp; \ + echo 'Output=TAP' >> $@.tmp; \ mv $@.tmp $@) CLEANFILES += $(installed_test_meta_DATA) diff --git a/m4/glibtests.m4 b/m4/glibtests.m4 index 27e9024..7d5920a 100644 --- a/m4/glibtests.m4 +++ b/m4/glibtests.m4 @@ -21,7 +21,7 @@ AC_DEFUN([GLIB_TESTS], *) AC_MSG_ERROR([bad value ${enableval} for --enable-always-build-tests]) ;; esac]) AM_CONDITIONAL([ENABLE_ALWAYS_BUILD_TESTS], test "$ENABLE_ALWAYS_BUILD_TESTS" = "1") - if test "$ENABLE_INSTALLED_TESTS" == "1"; then + if test "$ENABLE_INSTALLED_TESTS" = "1"; then AC_SUBST(installed_test_metadir, [${datadir}/installed-tests/]AC_PACKAGE_NAME) AC_SUBST(installed_testdir, [${libexecdir}/installed-tests/]AC_PACKAGE_NAME) fi diff --git a/po/LINGUAS b/po/LINGUAS index 153fa9b..e8830a7 100644 --- a/po/LINGUAS +++ b/po/LINGUAS @@ -4,6 +4,7 @@ as be bg bn_IN +bs ca ca@valencia cs 
@@ -20,6 +21,7 @@ fa fi fr fur +gd gl gu he @@ -28,6 +30,7 @@ hu id it ja +kk km kn ko @@ -37,6 +40,7 @@ ml mr nb nl +oc or pa pl diff --git a/po/Makevars b/po/Makevars new file mode 100644 index 0000000..10357d6 --- /dev/null +++ b/po/Makevars 
@@ -0,0 +1,78 @@
+# Makefile variables for PO directory in any package using GNU gettext.
+
+# Usually the message domain is the same as the package name.
+DOMAIN = $(PACKAGE)
+
+# These two variables depend on the location of this directory.
+subdir = po
+top_builddir = ..
+
+# These options get passed to xgettext.
+XGETTEXT_OPTIONS = --from-code=UTF-8 --keyword=_ --keyword=N_ --keyword=C_:1c,2 --keyword=NC_:1c,2 --keyword=g_dngettext:2,3 --add-comments
+
+# This is the copyright holder that gets inserted into the header of the
+# $(DOMAIN).pot file. Set this to the copyright holder of the surrounding
+# package. (Note that the msgstr strings, extracted from the package's
+# sources, belong to the copyright holder of the package.) Translators are
+# expected to transfer the copyright for their translations to this person
+# or entity, or to disclaim their copyright. The empty string stands for
+# the public domain; in this case the translators are expected to disclaim
+# their copyright.
+COPYRIGHT_HOLDER = Free Software Foundation, Inc.
+
+# This tells whether or not to prepend "GNU " prefix to the package
+# name that gets inserted into the header of the $(DOMAIN).pot file.
+# Possible values are "yes", "no", or empty. If it is empty, try to
+# detect it automatically by scanning the files in $(top_srcdir) for
+# "GNU packagename" string.
+PACKAGE_GNU =
+
+# This is the email address or URL to which the translators shall report
+# bugs in the untranslated strings:
+# - Strings which are not entire sentences, see the maintainer guidelines
+# in the GNU gettext documentation, section 'Preparing Strings'.
+# - Strings which use unclear terms or require additional context to be
+# understood.
+# - Strings which make invalid assumptions about notation of date, time or
+# money.
+# - Pluralisation problems.
+# - Incorrect English spelling.
+# - Incorrect formatting.
+# It can be your email address, or a mailing list address where translators +# can write to without being subscribed, or the URL of a web page through +# which the translators can contact you. +MSGID_BUGS_ADDRESS = + +# This is the list of locale categories, beyond LC_MESSAGES, for which the +# message catalogs shall be used. It is usually empty. +EXTRA_LOCALE_CATEGORIES = + +# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt' +# context. Possible values are "yes" and "no". Set this to yes if the +# package uses functions taking also a message context, like pgettext(), or +# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument. +USE_MSGCTXT = no + +# These options get passed to msgmerge. +# Useful options are in particular: +# --previous to keep previous msgids of translated messages, +# --quiet to reduce the verbosity. +MSGMERGE_OPTIONS = + +# These options get passed to msginit. +# If you want to disable line wrapping when writing PO files, add +# --no-wrap to MSGMERGE_OPTIONS, XGETTEXT_OPTIONS, and +# MSGINIT_OPTIONS. +MSGINIT_OPTIONS = + +# This tells whether or not to regenerate a PO file when $(DOMAIN).pot +# has changed. Possible values are "yes" and "no". Set this to no if +# the POT file is checked in the repository and the version control +# program ignores timestamps. +PO_DEPENDS_ON_POT = no + +# This tells whether or not to forcibly update $(DOMAIN).pot and +# regenerate PO files on "make dist". Possible values are "yes" and +# "no". Set this to no if the POT file and PO files are maintained +# externally. +DIST_DEPENDS_ON_UPDATE_PO = no diff --git a/po/bn_IN.po b/po/bn_IN.po index b0f462d..720d479 100644 --- a/po/bn_IN.po +++ b/po/bn_IN.po @@ -12,6 +12,7 @@ msgstr "" "PO-Revision-Date: 2011-02-11 13:52+0530\n" "Last-Translator: \n" "Language-Team: Bengali (India) \n" +"Language: bn_IN\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" 
diff --git a/po/bs.po b/po/bs.po
new file mode 100644
index 0000000..30d4d18
--- /dev/null
+++ b/po/bs.po
@@ -0,0 +1,146 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: glib-networking\n"
+"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?"
+"product=glib&keywords=I18N+L10N&component=network\n"
+"POT-Creation-Date: 2015-02-27 06:51+0000\n"
+"PO-Revision-Date: 2015-02-04 14:27+0000\n"
+"Last-Translator: Samir Ribić \n"
+"Language-Team: Bosnian \n"
+"Language: bs\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2015-02-05 07:01+0000\n"
+"X-Generator: Launchpad (build 17331)\n"
+
+#: ../proxy/libproxy/glibproxyresolver.c:157
+msgid "Proxy resolver internal error."
+msgstr "Interna greška bliskog razrješivača."
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:173
+#, c-format
+msgid "Could not parse DER certificate: %s"
+msgstr "Ne mogu analizirati DER certifikate: %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:194
+#, c-format
+msgid "Could not parse PEM certificate: %s"
+msgstr "Ne mogu analizirati PEM certifikate:: %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:225
+#, c-format
+msgid "Could not parse DER private key: %s"
+msgstr "Ne mogu analizirati DER privatni ključ:: %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:256
+#, c-format
+msgid "Could not parse PEM private key: %s"
+msgstr "Ne mogu analizirati PEM privatni ključ: %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:296
+msgid "No certificate data provided"
+msgstr "Nema datih certifikacijskih podataka"
+
+#: ../tls/gnutls/gtlsclientconnection-gnutls.c:324
+msgid "Server required TLS certificate"
+msgstr "Server zahtijeva TLS certifikat"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:305
+#, c-format
+msgid "Could not create TLS connection: %s"
+msgstr "Ne mogu kreirati TLS vezu: %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:572
+msgid "Connection is closed"
+msgstr "Veza je zatvorena"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:635
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1504
+msgid "Operation would block"
+msgstr "Operacija bi se blokirala"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:774
+#: ../tls/gnutls/gtlsconnection-gnutls.c:813
+msgid "Peer failed to perform TLS handshake"
+msgstr "Saradnik neuspio da obavi TLS usaglašavanje"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:792
+msgid "Peer requested illegal TLS rehandshake"
+msgstr "Saradnik zahtijevao neispravno TLS ponovno usaglašavanje"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:819
+msgid "TLS connection closed unexpectedly"
+msgstr "TLS veza neočekivano zatvorena"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:829
+msgid "TLS connection peer did not send a certificate"
+msgstr "Saradnik u TLS konekciji nije poslao certifikat"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1212
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1245
+#, c-format
+msgid "Error performing TLS handshake: %s"
+msgstr "Greška u TLS usaglašavanju: %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1255
+msgid "Server did not return a valid TLS certificate"
+msgstr "Server nije vratio važeći TLS certifikat"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1330
+msgid "Unacceptable TLS certificate"
+msgstr "Neprihvatljiv TLS certifikat"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1538
+#, c-format
+msgid "Error reading data from TLS socket: %s"
+msgstr "Greška u čitanju podataka iz TLS soketa: %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1567
+#, c-format
+msgid "Error writing data to TLS socket: %s"
+msgstr "Greška u pisnju podataka u TLS soket: %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1619
+#, c-format
+msgid "Error performing TLS close: %s"
+msgstr "Greška u obavljanju TLS zatvaranja: %s"
+
+#: ../tls/gnutls/gtlsserverconnection-gnutls.c:103
+msgid "Certificate has no private key"
+msgstr "Certifikat nema privatnog ključa"
+
+#: ../tls/pkcs11/gpkcs11pin.c:108
+msgid ""
+"This is the last chance to enter the PIN correctly before the token is "
+"locked."
+msgstr ""
+"Ovo je zadnja šansa da pravilno unesete PIN prije nego se token zaključa."
+ +#: ../tls/pkcs11/gpkcs11pin.c:110 +msgid "" +"Several PIN attempts have been incorrect, and the token will be locked after " +"further failures." +msgstr "" +"Nekoliko PIN pokušaja je bilo netačni, a token će biti zaključan nakon " +"daljih grešaka." + +#: ../tls/pkcs11/gpkcs11pin.c:112 +msgid "The PIN entered is incorrect." +msgstr "Uneseni PIN je neispravan." + +#: ../tls/pkcs11/gpkcs11slot.c:446 +msgid "Module" +msgstr "Modul" + +#: ../tls/pkcs11/gpkcs11slot.c:447 +msgid "PKCS#11 Module Pointer" +msgstr "PKCS#11 Module Pointer" + +#: ../tls/pkcs11/gpkcs11slot.c:454 +msgid "Slot ID" +msgstr "IB slota" + +#: ../tls/pkcs11/gpkcs11slot.c:455 +msgid "PKCS#11 Slot Identifier" +msgstr "PKCS#11 Identifikator slota" diff --git a/po/ca@valencia.po b/po/ca@valencia.po index e2bf8ea..89319b4 100644 --- a/po/ca@valencia.po +++ b/po/ca@valencia.po @@ -12,7 +12,7 @@ msgstr "" "PO-Revision-Date: 2012-08-16 19:02+0200\n" "Last-Translator: Gil Forcada \n" "Language-Team: Catalan \n" -"Language: ca-XV\n" +"Language: ca@valencia\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/cs.po b/po/cs.po index a140d96..be201c1 100644 --- a/po/cs.po +++ b/po/cs.po @@ -124,14 +124,14 @@ msgstr "Certifikát nemá soukromý klíč" msgid "" "This is the last chance to enter the PIN correctly before the token is " "locked." -msgstr "Máte poslední pokus zadat PIN správně, pak bude kupon zablokován." +msgstr "Máte poslední pokus zadat PIN správně, pak bude tiket zablokován." #: ../tls/pkcs11/gpkcs11pin.c:110 msgid "" "Several PIN attempts have been incorrect, and the token will be locked after " "further failures." msgstr "" -"Několik pokusů PIN bylo nesprávných a po dalším neúspěchu bude kupon " +"Několik pokusů PIN bylo nesprávných a po dalším neúspěchu bude tiket " "zablokován." #: ../tls/pkcs11/gpkcs11pin.c:112 diff --git a/po/de.po b/po/de.po index 7a0f693..4bcc3b1 100644 --- a/po/de.po +++ b/po/de.po 
@@ -14,7 +14,7 @@ msgstr "" "PO-Revision-Date: 2013-03-04 08:30+0100\n" "Last-Translator: Mario Blättermann \n" "Language-Team: Deutsch \n" -"Language: \n" +"Language: de\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/el.po b/po/el.po index 5234177..6bc68a9 100644 --- a/po/el.po +++ b/po/el.po @@ -7,21 +7,21 @@ msgid "" msgstr "" "Project-Id-Version: glib-networking master\n" -"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?product=glib&k" -"eywords=I18N+L10N&component=network\n" -"POT-Creation-Date: 2012-11-29 22:09+0000\n" -"PO-Revision-Date: 2012-12-24 17:24+0300\n" -"Last-Translator: Dimitris Spingos (Δημήτρης Σπίγγος) \n" +"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?" +"product=glib&keywords=I18N+L10N&component=network\n" +"POT-Creation-Date: 2014-07-09 05:52+0000\n" +"PO-Revision-Date: 2014-07-09 14:43+0200\n" +"Last-Translator: Tom Tryfonidis \n" "Language-Team: team@gnome.gr\n" "Language: el\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -"X-Generator: Virtaal 0.7.1\n" +"X-Generator: Poedit 1.6.5\n" "X-Project-Style: gnome\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: ../proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." msgstr "Εσωτερικό σφάλμα επίλυσης διαμεσολαβητή." 
@@ -49,70 +49,70 @@ msgstr "Αδυναμία ανάλυσης ιδιωτικού κλειδιού PE msgid "No certificate data provided" msgstr "Δεν παρέχονται δεδομένα πιστοποιητικού" -#: ../tls/gnutls/gtlsclientconnection-gnutls.c:309 +#: ../tls/gnutls/gtlsclientconnection-gnutls.c:324 msgid "Server required TLS certificate" msgstr "Ο διακομιστής απαίτησε πιστοποιητικό TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:254 +#: ../tls/gnutls/gtlsconnection-gnutls.c:267 #, c-format msgid "Could not create TLS connection: %s" msgstr "Αδύνατη η δημιουργία σύνδεσης TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:514 +#: ../tls/gnutls/gtlsconnection-gnutls.c:531 msgid "Connection is closed" msgstr "Η σύνδεση έκλεισε" -#: ../tls/gnutls/gtlsconnection-gnutls.c:576 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1382 +#: ../tls/gnutls/gtlsconnection-gnutls.c:594 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1465 msgid "Operation would block" msgstr "Η λειτουργία θα μπλοκαριστεί" -#: ../tls/gnutls/gtlsconnection-gnutls.c:703 +#: ../tls/gnutls/gtlsconnection-gnutls.c:733 +#: ../tls/gnutls/gtlsconnection-gnutls.c:772 msgid "Peer failed to perform TLS handshake" -msgstr "Ο άλλος υπολογιστής απέτυχε να εκτελέσει «χειραψία» TLS" +msgstr "Ο ομότιμος υπολογιστής απέτυχε να εκτελέσει «χειραψία» TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:720 +#: ../tls/gnutls/gtlsconnection-gnutls.c:751 msgid "Peer requested illegal TLS rehandshake" -msgstr "Ο άλλος υπολογιστής απαίτησε παράτυπη «χειραψία» TLS" +msgstr "Ο ομότιμος υπολογιστής απαίτησε παράτυπη «χειραψία» TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:746 +#: ../tls/gnutls/gtlsconnection-gnutls.c:778 msgid "TLS connection closed unexpectedly" msgstr "Η σύνδεση TLS τερματίστηκε απρόσμενα" -#: ../tls/gnutls/gtlsconnection-gnutls.c:756 -#| msgid "Server did not return a valid TLS certificate" +#: ../tls/gnutls/gtlsconnection-gnutls.c:788 msgid "TLS connection peer did not send a certificate" msgstr "Η ομότιμη σύνδεση TLS δεν έστειλε πιστοποιητικό" -#: 
../tls/gnutls/gtlsconnection-gnutls.c:1064 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1083 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1178 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1211 #, c-format msgid "Error performing TLS handshake: %s" msgstr "Σφάλμα κατά τη «χειραψία» TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1228 -msgid "Unacceptable TLS certificate" -msgstr "Μη αποδεκτό πιστοποιητικό TLS" - -#: ../tls/gnutls/gtlsconnection-gnutls.c:1239 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1221 msgid "Server did not return a valid TLS certificate" msgstr "Ο διακομιστής δεν επέστρεψε ένα έγκυρο πιστοποιητικό TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1405 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1296 +msgid "Unacceptable TLS certificate" +msgstr "Μη αποδεκτό πιστοποιητικό TLS" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1499 #, c-format msgid "Error reading data from TLS socket: %s" msgstr "Σφάλμα κατά την ανάγνωση δεδομένων από την υποδοχή TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1434 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1528 #, c-format msgid "Error writing data to TLS socket: %s" msgstr "Σφάλμα κατά την εγγραφή δεδομένων στην υποδοχή TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1478 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1572 msgid "Connection is already closed" msgstr "Η σύνδεση έχει ήδη κλείσει" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1488 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1582 #, c-format msgid "Error performing TLS close: %s" msgstr "Σφάλμα κατά το κλείσιμο TLS: %s" 
@@ -127,19 +127,19 @@ msgid "" "locked." msgstr "" "Αυτή είναι η τελευταία σας ευκαιρία να πληκτρολογήσετε σωστά το PIN πριν να " -"κλειδωθεί το token." +"κλειδωθεί το διακριτικό." #: ../tls/pkcs11/gpkcs11pin.c:110 msgid "" "Several PIN attempts have been incorrect, and the token will be locked after " "further failures." msgstr "" -"Αρκετές προσπάθειες PIN ήταν εσφαλμένες, και το token θα κλειδωθεί μετά από " -"περαιτέρω αποτυχίες." +"Αρκετές προσπάθειες PIN ήταν εσφαλμένες, και το διακριτικό θα κλειδωθεί μετά " +"από περαιτέρω αποτυχίες." #: ../tls/pkcs11/gpkcs11pin.c:112 msgid "The PIN entered is incorrect." -msgstr "Το PIN που εισάγατε δεν είναι έγκυρο." +msgstr "Δεν είναι έγκυρο το PIN που πληκτρολογήσατε." #: ../tls/pkcs11/gpkcs11slot.c:446 msgid "Module" @@ -151,7 +151,7 @@ msgstr "Δείκτης αρθρώματος PKCS#11" #: ../tls/pkcs11/gpkcs11slot.c:454 msgid "Slot ID" -msgstr "ID υποδοχής" +msgstr "Αναγνωριστικό υποδοχής" #: ../tls/pkcs11/gpkcs11slot.c:455 msgid "PKCS#11 Slot Identifier" diff --git a/po/en_CA.po b/po/en_CA.po index c251c5d..d0e5d47 100644 --- a/po/en_CA.po +++ b/po/en_CA.po @@ -12,6 +12,7 @@ msgstr "" "PO-Revision-Date: 2010-08-13 17:42-0400\n" "Last-Translator: Nicolas Dufresne \n" "Language-Team: Canadian English \n" +"Language: en_CA\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/en_GB.po b/po/en_GB.po index e29a429..ccd2580 100644 --- a/po/en_GB.po +++ b/po/en_GB.po 
@@ -5,10 +5,11 @@ msgid "" msgstr "" "Project-Id-Version: glib-networking\n" -"Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2012-09-05 19:36+0100\n" -"PO-Revision-Date: 2012-09-05 19:36+0100\n" -"Last-Translator: Bruce Cowan \n" +"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?" +"product=glib&keywords=I18N+L10N&component=network\n" +"POT-Creation-Date: 2016-08-15 21:53+0000\n" +"PO-Revision-Date: 2016-09-18 12:18+0200\n" +"Last-Translator: David King \n" "Language-Team: British English \n" "Language: en_GB\n" "MIME-Version: 1.0\n" 
@@ -17,102 +18,103 @@ msgstr "" "Plural-Forms: nplurals=2; plural=(n != 1);\n" "X-Generator: Virtaal 0.7.1\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." msgstr "Proxy resolver internal error." -#: ../tls/gnutls/gtlscertificate-gnutls.c:173 +#: tls/gnutls/gtlscertificate-gnutls.c:176 #, c-format msgid "Could not parse DER certificate: %s" msgstr "Could not parse DER certificate: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:194 +#: tls/gnutls/gtlscertificate-gnutls.c:197 #, c-format msgid "Could not parse PEM certificate: %s" msgstr "Could not parse PEM certificate: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:225 +#: tls/gnutls/gtlscertificate-gnutls.c:228 #, c-format msgid "Could not parse DER private key: %s" msgstr "Could not parse DER private key: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:256 +#: tls/gnutls/gtlscertificate-gnutls.c:259 #, c-format msgid "Could not parse PEM private key: %s" msgstr "Could not parse PEM private key: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:296 +#: tls/gnutls/gtlscertificate-gnutls.c:299 msgid "No certificate data provided" msgstr "No certificate data provided" -#: ../tls/gnutls/gtlsclientconnection-gnutls.c:309 +#: tls/gnutls/gtlsclientconnection-gnutls.c:375 msgid "Server required TLS certificate" msgstr "Server required TLS certificate" -#: ../tls/gnutls/gtlsconnection-gnutls.c:254 +#: tls/gnutls/gtlsconnection-gnutls.c:323 #, c-format msgid "Could not create TLS connection: %s" msgstr "Could not create TLS connection: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:514 +#: tls/gnutls/gtlsconnection-gnutls.c:585 msgid "Connection is closed" msgstr "Connection is closed" -#: ../tls/gnutls/gtlsconnection-gnutls.c:574 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1377 +#: tls/gnutls/gtlsconnection-gnutls.c:658 +#: tls/gnutls/gtlsconnection-gnutls.c:1537 msgid "Operation would block" msgstr "Operation would block" -#: 
../tls/gnutls/gtlsconnection-gnutls.c:701 +#: tls/gnutls/gtlsconnection-gnutls.c:808 +#: tls/gnutls/gtlsconnection-gnutls.c:847 msgid "Peer failed to perform TLS handshake" msgstr "Peer failed to perform TLS handshake" -#: ../tls/gnutls/gtlsconnection-gnutls.c:718 +#: tls/gnutls/gtlsconnection-gnutls.c:826 msgid "Peer requested illegal TLS rehandshake" msgstr "Peer requested illegal TLS rehandshake" -#: ../tls/gnutls/gtlsconnection-gnutls.c:744 +#: tls/gnutls/gtlsconnection-gnutls.c:853 msgid "TLS connection closed unexpectedly" msgstr "TLS connection closed unexpectedly" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1055 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1074 +#: tls/gnutls/gtlsconnection-gnutls.c:863 +msgid "TLS connection peer did not send a certificate" +msgstr "TLS connection peer did not send a certificate" + +#: tls/gnutls/gtlsconnection-gnutls.c:1250 +#: tls/gnutls/gtlsconnection-gnutls.c:1283 #, c-format msgid "Error performing TLS handshake: %s" msgstr "Error performing TLS handshake: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1210 -msgid "Unacceptable TLS certificate" -msgstr "Unacceptable TLS certificate" - -#: ../tls/gnutls/gtlsconnection-gnutls.c:1221 +#: tls/gnutls/gtlsconnection-gnutls.c:1293 msgid "Server did not return a valid TLS certificate" msgstr "Server did not return a valid TLS certificate" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1400 +#: tls/gnutls/gtlsconnection-gnutls.c:1363 +msgid "Unacceptable TLS certificate" +msgstr "Unacceptable TLS certificate" + +#: tls/gnutls/gtlsconnection-gnutls.c:1571 #, c-format msgid "Error reading data from TLS socket: %s" msgstr "Error reading data from TLS socket: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1429 +#: tls/gnutls/gtlsconnection-gnutls.c:1600 #, c-format msgid "Error writing data to TLS socket: %s" msgstr "Error writing data to TLS socket: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1473 -msgid "Connection is already closed" -msgstr "Connection is already closed" - -#: 
../tls/gnutls/gtlsconnection-gnutls.c:1483 +#: tls/gnutls/gtlsconnection-gnutls.c:1664 #, c-format msgid "Error performing TLS close: %s" msgstr "Error performing TLS close: %s" -#: ../tls/gnutls/gtlsserverconnection-gnutls.c:103 +#: tls/gnutls/gtlsserverconnection-gnutls.c:107 msgid "Certificate has no private key" msgstr "Certificate has no private key" -#: ../tls/pkcs11/gpkcs11pin.c:108 +#: tls/pkcs11/gpkcs11pin.c:111 msgid "" "This is the last chance to enter the PIN correctly before the token is " "locked." @@ -120,7 +122,7 @@ msgstr "" "This is the last chance to enter the PIN correctly before the token is " "locked." -#: ../tls/pkcs11/gpkcs11pin.c:110 +#: tls/pkcs11/gpkcs11pin.c:113 msgid "" "Several PIN attempts have been incorrect, and the token will be locked after " "further failures." @@ -128,22 +130,25 @@ msgstr "" "Several PIN attempts have been incorrect, and the token will be locked after " "further failures." -#: ../tls/pkcs11/gpkcs11pin.c:112 +#: tls/pkcs11/gpkcs11pin.c:115 msgid "The PIN entered is incorrect." msgstr "The PIN entered is incorrect." -#: ../tls/pkcs11/gpkcs11slot.c:446 +#: tls/pkcs11/gpkcs11slot.c:449 msgid "Module" msgstr "Module" -#: ../tls/pkcs11/gpkcs11slot.c:447 +#: tls/pkcs11/gpkcs11slot.c:450 msgid "PKCS#11 Module Pointer" msgstr "PKCS#11 Module Pointer" -#: ../tls/pkcs11/gpkcs11slot.c:454 +#: tls/pkcs11/gpkcs11slot.c:457 msgid "Slot ID" msgstr "Slot ID" -#: ../tls/pkcs11/gpkcs11slot.c:455 +#: tls/pkcs11/gpkcs11slot.c:458 msgid "PKCS#11 Slot Identifier" msgstr "PKCS#11 Slot Identifier" + +#~ msgid "Connection is already closed" +#~ msgstr "Connection is already closed" diff --git a/po/eo.po b/po/eo.po index 8440cdc..a5e722d 100644 --- a/po/eo.po +++ b/po/eo.po @@ -12,6 +12,7 @@ msgstr "" "PO-Revision-Date: 2011-05-15 15:54+0200\n" "Last-Translator: Kristjan SCHMIDT \n" "Language-Team: Esperanto \n" +"Language: eo\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" 
diff --git a/po/es.po b/po/es.po
index 1e8bbec..7ea986c 100644
--- a/po/es.po
+++ b/po/es.po
@@ -13,7 +13,7 @@ msgstr ""
 "PO-Revision-Date: 2012-12-02 19:10+0100\n"
 "Last-Translator: Daniel Mustieles \n"
 "Language-Team: Español; Castellano \n"
-"Language: \n"
+"Language: es\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff --git a/po/fa.po b/po/fa.po
index 6731a3b..cc45089 100644
--- a/po/fa.po
+++ b/po/fa.po
@@ -12,7 +12,7 @@ msgstr ""
 "PO-Revision-Date: 2013-03-23 18:10+0330\n"
 "Last-Translator: Arash Mousavi \n"
 "Language-Team: Persian\n"
-"Language: fa_IR\n"
+"Language: fa\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff --git a/po/fr.po b/po/fr.po
index 5508c7a..4d10ea0 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -12,7 +12,7 @@ msgstr ""
 "PO-Revision-Date: 2013-02-25 20:13+0100\n"
 "Last-Translator: Claude Paroz \n"
 "Language-Team: GNOME French Team \n"
-"Language: \n"
+"Language: fr\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff --git a/po/fur.po b/po/fur.po
index 3ecf4b5..b4fcef4 100644
--- a/po/fur.po
+++ b/po/fur.po
@@ -8,125 +8,120 @@ msgstr "" "Project-Id-Version: glib-networking master\n" "Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?" "product=glib&keywords=I18N+L10N&component=network\n" -"POT-Creation-Date: 2013-03-25 12:43+0000\n" -"PO-Revision-Date: 2013-03-26 13:02+0100\n" +"POT-Creation-Date: 2016-04-08 06:55+0000\n" +"PO-Revision-Date: 2016-04-08 18:19+0200\n" "Last-Translator: Fabio Tomat \n" "Language-Team: Friulian \n" "Language: fur\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"X-Generator: Poedit 1.5.4\n" +"X-Generator: Poedit 1.8.5\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: ../proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." -msgstr "" +msgstr "Erôr interni dal resolver proxy." -#: ../tls/gnutls/gtlscertificate-gnutls.c:173 +#: ../tls/gnutls/gtlscertificate-gnutls.c:176 #, c-format msgid "Could not parse DER certificate: %s" -msgstr "" +msgstr "Impussibil analizâ il certificât DER: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:194 +#: ../tls/gnutls/gtlscertificate-gnutls.c:197 #, c-format msgid "Could not parse PEM certificate: %s" -msgstr "" +msgstr "Impussibil analizâ il certificât PEM: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:225 +#: ../tls/gnutls/gtlscertificate-gnutls.c:228 #, c-format msgid "Could not parse DER private key: %s" -msgstr "" +msgstr "Impussibil analizâ la clâf privade DER: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:256 +#: ../tls/gnutls/gtlscertificate-gnutls.c:259 #, c-format msgid "Could not parse PEM private key: %s" -msgstr "" +msgstr "Impussibil analizâ la clâf privade PEM: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:296 +#: ../tls/gnutls/gtlscertificate-gnutls.c:299 msgid "No certificate data provided" msgstr "Nissun dât di certificât dât" -#: ../tls/gnutls/gtlsclientconnection-gnutls.c:309 +#: ../tls/gnutls/gtlsclientconnection-gnutls.c:375 msgid "Server required TLS certificate" msgstr "Il server al 
domande un certificât TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:258 +#: ../tls/gnutls/gtlsconnection-gnutls.c:323 #, c-format msgid "Could not create TLS connection: %s" msgstr "Impussibil creâ la conession TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:520 +#: ../tls/gnutls/gtlsconnection-gnutls.c:585 msgid "Connection is closed" -msgstr "La conession a je sierade" +msgstr "La conession e je sierade" -#: ../tls/gnutls/gtlsconnection-gnutls.c:582 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1425 +#: ../tls/gnutls/gtlsconnection-gnutls.c:658 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1537 msgid "Operation would block" -msgstr "Le operazion a podares blocasi" +msgstr "Le operazion e podarès blocâsi" -#: ../tls/gnutls/gtlsconnection-gnutls.c:712 -#: ../tls/gnutls/gtlsconnection-gnutls.c:755 +#: ../tls/gnutls/gtlsconnection-gnutls.c:808 +#: ../tls/gnutls/gtlsconnection-gnutls.c:847 msgid "Peer failed to perform TLS handshake" -msgstr "" +msgstr "Il grop nol è rivât a eseguî il handshake TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:729 +#: ../tls/gnutls/gtlsconnection-gnutls.c:826 msgid "Peer requested illegal TLS rehandshake" -msgstr "" +msgstr "Il grop al à domandât un rehandshake TLS no lecit" -#: ../tls/gnutls/gtlsconnection-gnutls.c:761 +#: ../tls/gnutls/gtlsconnection-gnutls.c:853 msgid "TLS connection closed unexpectedly" -msgstr "" +msgstr "Sieradure inspietade de conession TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:771 +#: ../tls/gnutls/gtlsconnection-gnutls.c:863 msgid "TLS connection peer did not send a certificate" -msgstr "Il grop di conession TLS nol a inviât un certificât" +msgstr "Il grop di conession TLS nol à inviât un certificât" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1152 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1171 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1250 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1283 #, c-format msgid "Error performing TLS handshake: %s" msgstr "Erôr tal eseguî il handshake TLS: %s" -#: 
../tls/gnutls/gtlsconnection-gnutls.c:1181 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1293 msgid "Server did not return a valid TLS certificate" -msgstr "Il server nol a tornât un certificât TLS valit" +msgstr "Il server nol à tornât un certificât TLS valit" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1256 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1363 msgid "Unacceptable TLS certificate" -msgstr "" +msgstr "certificât TLS no acetabil" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1448 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1571 #, c-format msgid "Error reading data from TLS socket: %s" msgstr "Erôr tal lei dâts tal socket TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1477 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1600 #, c-format msgid "Error writing data to TLS socket: %s" msgstr "Erôr tal scrivi dâts tal socket TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1521 -msgid "Connection is already closed" -msgstr "La conession a je za sierade" - -#: ../tls/gnutls/gtlsconnection-gnutls.c:1531 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1664 #, c-format msgid "Error performing TLS close: %s" -msgstr "" +msgstr "Erôr tal sierâ TLS: %s" -#: ../tls/gnutls/gtlsserverconnection-gnutls.c:103 +#: ../tls/gnutls/gtlsserverconnection-gnutls.c:107 msgid "Certificate has no private key" -msgstr "Il certificât a nol a une clâf privade" +msgstr "Il certificât nol à une clâf privade" -#: ../tls/pkcs11/gpkcs11pin.c:108 +#: ../tls/pkcs11/gpkcs11pin.c:111 msgid "" -"This is the last chance to enter the PIN correctly before the token is " -"locked." +"This is the last chance to enter the PIN correctly before the token is locked." msgstr "" -"Cheste a je l'ultime pussibilitât par inserî il PIN coret prime che al vegni " +"Cheste e je la ultime pussibilitât par inserî il PIN coret prime che al vegni " "blocât il token." 
-#: ../tls/pkcs11/gpkcs11pin.c:110 +#: ../tls/pkcs11/gpkcs11pin.c:113 msgid "" "Several PIN attempts have been incorrect, and the token will be locked after " "further failures." @@ -134,22 +129,25 @@ msgstr "" "A son stâts fats une vore di tentatîfs par meti il PIN, il token al sarà " "blocât dopo altris faliments." -#: ../tls/pkcs11/gpkcs11pin.c:112 +#: ../tls/pkcs11/gpkcs11pin.c:115 msgid "The PIN entered is incorrect." -msgstr "Il PIN dât a nol è coret." +msgstr "Il PIN dât nol è coret." -#: ../tls/pkcs11/gpkcs11slot.c:446 +#: ../tls/pkcs11/gpkcs11slot.c:449 msgid "Module" -msgstr "" +msgstr "Modul" -#: ../tls/pkcs11/gpkcs11slot.c:447 +#: ../tls/pkcs11/gpkcs11slot.c:450 msgid "PKCS#11 Module Pointer" -msgstr "" +msgstr "Pontadôr modul PKCS#11" -#: ../tls/pkcs11/gpkcs11slot.c:454 +#: ../tls/pkcs11/gpkcs11slot.c:457 msgid "Slot ID" -msgstr "" +msgstr "ID dal slot" -#: ../tls/pkcs11/gpkcs11slot.c:455 +#: ../tls/pkcs11/gpkcs11slot.c:458 msgid "PKCS#11 Slot Identifier" -msgstr "" +msgstr "Identificadôr Slot PKCS#11" + +#~ msgid "Connection is already closed" +#~ msgstr "La conession a je za sierade" diff --git a/po/gd.po b/po/gd.po new file mode 100644 index 0000000..a1ed032 --- /dev/null +++ b/po/gd.po 
@@ -0,0 +1,153 @@ +# Scottish Gaelic translation for glib-networking. +# Copyright (C) 2016 glib-networking's COPYRIGHT HOLDER +# This file is distributed under the same license as the glib-networking package. +# GunChleoc , 2016. +msgid "" +msgstr "" +"Project-Id-Version: glib-networking master\n" +"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?product=glib&k" +"eywords=I18N+L10N&component=network\n" +"POT-Creation-Date: 2016-04-28 06:59+0000\n" +"PO-Revision-Date: 2016-04-28 15:01+0100\n" +"Last-Translator: GunChleoc \n" +"Language-Team: Fòram na Gàidhlig\n" +"Language: gd\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=4; plural=(n==1 || n==11) ? 0 : (n==2 || n==12) ? 1 : " +"(n > 2 && n < 20) ? 2 : 3;\n" +"X-Generator: Virtaal 0.7.1\n" +"X-Project-Style: gnome\n" + +#: ../proxy/libproxy/glibproxyresolver.c:157 +msgid "Proxy resolver internal error." +msgstr "Mearachd taobh a-stagh an fhuasglaiche progsaidh." 
+ +#: ../tls/gnutls/gtlscertificate-gnutls.c:176 +#, c-format +msgid "Could not parse DER certificate: %s" +msgstr "Cha deach leinn teisteanas DER a pharsadh: %s" + +#: ../tls/gnutls/gtlscertificate-gnutls.c:197 +#, c-format +msgid "Could not parse PEM certificate: %s" +msgstr "Cha deach leinn teisteanas PEM a pharsadh: %s" + +#: ../tls/gnutls/gtlscertificate-gnutls.c:228 +#, c-format +msgid "Could not parse DER private key: %s" +msgstr "Cha deach leinn iuchair phrìobhaideach DER a pharsadh: %s" + +#: ../tls/gnutls/gtlscertificate-gnutls.c:259 +#, c-format +msgid "Could not parse PEM private key: %s" +msgstr "Cha deach leinn iuchair phrìobhaideach PEM a pharsadh: %s" + +#: ../tls/gnutls/gtlscertificate-gnutls.c:299 +msgid "No certificate data provided" +msgstr "Cha deach dàta teisteanais a thoirt seachad" + +#: ../tls/gnutls/gtlsclientconnection-gnutls.c:375 +msgid "Server required TLS certificate" +msgstr "Dh'iarr am frithealaiche teisteanas TLS" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:323 +#, c-format +msgid "Could not create TLS connection: %s" +msgstr "Cha b' urrainn dhuinn ceangal TLS a chruthachadh: %s" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:585 +msgid "Connection is closed" +msgstr "Chaidh an ceangal a dhùnadh" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:658 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1537 +msgid "Operation would block" +msgstr "Dhèanadh an t-obrachadh bacadh" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:808 +#: ../tls/gnutls/gtlsconnection-gnutls.c:847 +msgid "Peer failed to perform TLS handshake" +msgstr "Cha do rinn an seise crathadh-làimhe TLS" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:826 +msgid "Peer requested illegal TLS rehandshake" +msgstr "Dh'iarr an seise ath-chrathadh-làimhe TLS mì-dhligheach" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:853 +msgid "TLS connection closed unexpectedly" +msgstr "Chaidh an ceangal TLS a dhùnadh gun dùil" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:863 +msgid "TLS connection peer did not send 
a certificate" +msgstr "Cha do chuir seise a' cheangail TLS teisteanas" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1250 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1283 +#, c-format +msgid "Error performing TLS handshake: %s" +msgstr "Mearachd le crathadh-làimhe TLS: %s" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1293 +msgid "Server did not return a valid TLS certificate" +msgstr "Cha do thill am frithealaiche teisteanas TLS dligheach" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1363 +msgid "Unacceptable TLS certificate" +msgstr "Teisteanas TLS ris nach gabhar" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1571 +#, c-format +msgid "Error reading data from TLS socket: %s" +msgstr "Mearachd a' leughadh dàta on t-socaid TLS: %s" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1600 +#, c-format +msgid "Error writing data to TLS socket: %s" +msgstr "Mearachd a' sgrìobhadh dàta dhan t-socaid TLS: %s" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1664 +#, c-format +msgid "Error performing TLS close: %s" +msgstr "Mearachd le dùnadh TLS: %s" + +#: ../tls/gnutls/gtlsserverconnection-gnutls.c:107 +msgid "Certificate has no private key" +msgstr "Chan eil iuchair phrìobhaideach aig an teisteanas" + +#: ../tls/pkcs11/gpkcs11pin.c:111 +msgid "" +"This is the last chance to enter the PIN correctly before the token is " +"locked." +msgstr "" +"Seo an cothrom mu dheireadh gus am PIN a chur a-steach mar bu chòir mus dèid " +"an tòcan a ghlasadh." + +#: ../tls/pkcs11/gpkcs11pin.c:113 +msgid "" +"Several PIN attempts have been incorrect, and the token will be locked after " +"further failures." +msgstr "" +"Chaidh iomadh oidhirp air a' PIN gu cearr agus thèid an tòcan a ghlasadh ma " +"bhios e cearr a-rithist." + +#: ../tls/pkcs11/gpkcs11pin.c:115 +msgid "The PIN entered is incorrect." +msgstr "Chan eil am PIN a chaidh a chur a-steach mar bu chòir." 
+ +#: ../tls/pkcs11/gpkcs11slot.c:449 +msgid "Module" +msgstr "Mòideal" + +#: ../tls/pkcs11/gpkcs11slot.c:450 +msgid "PKCS#11 Module Pointer" +msgstr "Tomhaire mòideil PKCS#11" + +#: ../tls/pkcs11/gpkcs11slot.c:457 +msgid "Slot ID" +msgstr "ID an t-slota" + +#: ../tls/pkcs11/gpkcs11slot.c:458 +msgid "PKCS#11 Slot Identifier" +msgstr "Aithnichear an t-slota PKCS#11" diff --git a/po/gu.po b/po/gu.po index 6ff66ad..dac5f09 100644 --- a/po/gu.po +++ b/po/gu.po @@ -12,6 +12,7 @@ msgstr "" "PO-Revision-Date: 2011-02-08 12:18+0530\n" "Last-Translator: Sweta Kothari \n" "Language-Team: Gujarati\n" +"Language: gu\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/hu.po b/po/hu.po index a982830..f103912 100644 --- a/po/hu.po +++ b/po/hu.po @@ -13,7 +13,7 @@ msgstr "" "PO-Revision-Date: 2012-12-31 19:04+0100\n" "Last-Translator: Balázs Úr \n" "Language-Team: Hungarian \n" -"Language: \n" +"Language: hu\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/it.po b/po/it.po index ccb4261..ad0bdf8 100644 --- a/po/it.po +++ b/po/it.po @@ -12,7 +12,7 @@ msgstr "" "PO-Revision-Date: 2013-01-24 22:41+0100\n" "Last-Translator: Milo Casagrande \n" "Language-Team: Italian \n" -"Language: \n" +"Language: it\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8-bit\n" diff --git a/po/ja.po b/po/ja.po index 502d620..301d7c4 100644 --- a/po/ja.po +++ b/po/ja.po 
@@ -4,14 +4,15 @@ # Takayuki KUSANO , 2011-2012. # Hideki Yamane , 2011-2012. # Yoji TOYODA , 2012. +# Jiro Matsuzawa , 2015. # msgid "" msgstr "" "Project-Id-Version: glib-networking master\n" "Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?product=glib&keywords=I18N+L10N&component=network\n" -"POT-Creation-Date: 2012-08-30 12:32+0000\n" -"PO-Revision-Date: 2012-08-30 21:54+0900\n" -"Last-Translator: Yoji TOYODA \n" +"POT-Creation-Date: 2015-09-14 06:04+0000\n" +"PO-Revision-Date: 2015-09-15 01:29+0900\n" +"Last-Translator: Jiro Matsuzawa \n" "Language-Team: Japanese \n" "Language: ja\n" "MIME-Version: 1.0\n" 
@@ -19,125 +20,126 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: ../proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." msgstr "プロキシリゾルバーでの内部エラー。" -#: ../tls/gnutls/gtlscertificate-gnutls.c:173 +#: ../tls/gnutls/gtlscertificate-gnutls.c:176 #, c-format msgid "Could not parse DER certificate: %s" msgstr "DER 形式の証明書を解析できませんでした: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:194 +#: ../tls/gnutls/gtlscertificate-gnutls.c:197 #, c-format msgid "Could not parse PEM certificate: %s" msgstr "PEM 形式の証明書を解析できませんでした: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:225 +#: ../tls/gnutls/gtlscertificate-gnutls.c:228 #, c-format msgid "Could not parse DER private key: %s" msgstr "DER 形式の秘密鍵を解析できませんでした: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:256 +#: ../tls/gnutls/gtlscertificate-gnutls.c:259 #, c-format msgid "Could not parse PEM private key: %s" msgstr "PEM 形式の秘密鍵を解析できませんでした: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:296 +#: ../tls/gnutls/gtlscertificate-gnutls.c:299 msgid "No certificate data provided" msgstr "証明書のデータが与えられていません" -#: ../tls/gnutls/gtlsclientconnection-gnutls.c:309 +#: ../tls/gnutls/gtlsclientconnection-gnutls.c:340 msgid "Server required TLS certificate" msgstr "サーバーが TLS 証明書を要求しました" -#: ../tls/gnutls/gtlsconnection-gnutls.c:254 +#: ../tls/gnutls/gtlsconnection-gnutls.c:311 #, c-format msgid "Could not create TLS connection: %s" msgstr "TLS コネクションを確立できませんでした: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:514 +#: ../tls/gnutls/gtlsconnection-gnutls.c:578 msgid "Connection is closed" msgstr "コネクションが切断されています" -#: ../tls/gnutls/gtlsconnection-gnutls.c:574 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1377 +#: ../tls/gnutls/gtlsconnection-gnutls.c:641 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1505 msgid "Operation would block" msgstr "操作がブロックされます" -#: ../tls/gnutls/gtlsconnection-gnutls.c:701 +#: ../tls/gnutls/gtlsconnection-gnutls.c:780 +#: 
../tls/gnutls/gtlsconnection-gnutls.c:819 msgid "Peer failed to perform TLS handshake" msgstr "通信相手が TLS ハンドシェイクの実行に失敗しました" -#: ../tls/gnutls/gtlsconnection-gnutls.c:718 +#: ../tls/gnutls/gtlsconnection-gnutls.c:798 msgid "Peer requested illegal TLS rehandshake" msgstr "通信相手が不当な TLS の再ハンドシェイクを要求しました" -#: ../tls/gnutls/gtlsconnection-gnutls.c:744 +#: ../tls/gnutls/gtlsconnection-gnutls.c:825 msgid "TLS connection closed unexpectedly" msgstr "TLS コネクションが突然閉じられました" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1055 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1074 +#: ../tls/gnutls/gtlsconnection-gnutls.c:835 +msgid "TLS connection peer did not send a certificate" +msgstr "TLS の通信相手が証明書を送信しませんでした。" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1218 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1251 #, c-format msgid "Error performing TLS handshake: %s" msgstr "TLS ハンドシェイク実行中のエラー: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1210 -msgid "Unacceptable TLS certificate" -msgstr "受け付けられない TLS 証明書です" - -#: ../tls/gnutls/gtlsconnection-gnutls.c:1221 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1261 msgid "Server did not return a valid TLS certificate" msgstr "サーバーが有効な TLS 証明書を返しませんでした。" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1400 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1331 +msgid "Unacceptable TLS certificate" +msgstr "受け付けられない TLS 証明書です" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1539 #, c-format msgid "Error reading data from TLS socket: %s" msgstr "TLS ソケットからのデータ読み込み中のエラー: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1429 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1568 #, c-format msgid "Error writing data to TLS socket: %s" msgstr "TLS ソケットへのデータ書き出し中のエラー: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1473 -msgid "Connection is already closed" -msgstr "コネクションはすでに切断されています" - -#: ../tls/gnutls/gtlsconnection-gnutls.c:1483 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1620 #, c-format msgid "Error performing TLS close: %s" msgstr "TLS クローズ実行中のエラー: %s" -#: 
../tls/gnutls/gtlsserverconnection-gnutls.c:103 +#: ../tls/gnutls/gtlsserverconnection-gnutls.c:106 msgid "Certificate has no private key" msgstr "証明書に秘密鍵がありません" -#: ../tls/pkcs11/gpkcs11pin.c:108 +#: ../tls/pkcs11/gpkcs11pin.c:111 msgid "This is the last chance to enter the PIN correctly before the token is locked." msgstr "これがトークンがロックされる前に正しく PIN コードを入力する最後のチャンスです。" -#: ../tls/pkcs11/gpkcs11pin.c:110 +#: ../tls/pkcs11/gpkcs11pin.c:113 msgid "Several PIN attempts have been incorrect, and the token will be locked after further failures." msgstr "正しくない PIN コードの入力が複数回行われたので、さらに失敗するとトークンはロックされます。" -#: ../tls/pkcs11/gpkcs11pin.c:112 +#: ../tls/pkcs11/gpkcs11pin.c:115 msgid "The PIN entered is incorrect." msgstr "入力された PIN コードが正しくありません。" -#: ../tls/pkcs11/gpkcs11slot.c:446 +#: ../tls/pkcs11/gpkcs11slot.c:449 msgid "Module" msgstr "モジュール" -#: ../tls/pkcs11/gpkcs11slot.c:447 +#: ../tls/pkcs11/gpkcs11slot.c:450 msgid "PKCS#11 Module Pointer" msgstr "PKCS#11 モジュールポインター" -#: ../tls/pkcs11/gpkcs11slot.c:454 +#: ../tls/pkcs11/gpkcs11slot.c:457 msgid "Slot ID" msgstr "スロット ID" -#: ../tls/pkcs11/gpkcs11slot.c:455 +#: ../tls/pkcs11/gpkcs11slot.c:458 msgid "PKCS#11 Slot Identifier" msgstr "PKCS#11 スロット ID" diff --git a/po/kk.po b/po/kk.po new file mode 100644 index 0000000..3ca90bb --- /dev/null +++ b/po/kk.po 
@@ -0,0 +1,149 @@
+# Kazakh translation for glib-networking.
+# Copyright (C) 2014 glib-networking's COPYRIGHT HOLDER
+# This file is distributed under the same license as the glib-networking package.
+# Baurzhan Muftakhidinov , 2014.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: glib-networking master\n"
+"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?"
+"product=glib&keywords=I18N+L10N&component=network\n"
+"POT-Creation-Date: 2014-11-06 18:42+0000\n"
+"PO-Revision-Date: 2014-11-07 09:12+0600\n"
+"Last-Translator: Baurzhan Muftakhidinov \n"
+"Language-Team: Kazakh \n"
+"Language: kk\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.6.9\n"
+
+#: ../proxy/libproxy/glibproxyresolver.c:157
+msgid "Proxy resolver internal error."
+msgstr "Прокси шешушісінің ішкі қатесі."
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:173
+#, c-format
+msgid "Could not parse DER certificate: %s"
+msgstr "DER сертификатын талдау қатесі: %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:194
+#, c-format
+msgid "Could not parse PEM certificate: %s"
+msgstr "PEM сертификатын талдау қатесі: %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:225
+#, c-format
+msgid "Could not parse DER private key: %s"
+msgstr "DER жеке кілтін талдау қатесі: %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:256
+#, c-format
+msgid "Could not parse PEM private key: %s"
+msgstr "PEM жеке кілтін талдау қатесі: %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:296
+msgid "No certificate data provided"
+msgstr "Сертификат ұсынылмады"
+
+#: ../tls/gnutls/gtlsclientconnection-gnutls.c:324
+msgid "Server required TLS certificate"
+msgstr "Сервер TLS сертификатын талап етеді"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:267
+#, c-format
+msgid "Could not create TLS connection: %s"
+msgstr "Жаңа TLS байланысын жасау мүмкін емес: %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:539
+msgid "Connection is closed"
+msgstr "Байланыс жабылды"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:602
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1471
+msgid "Operation would block"
+msgstr "Әрекет блоктайды"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:741
+#: ../tls/gnutls/gtlsconnection-gnutls.c:780
+msgid "Peer failed to perform TLS handshake"
+msgstr "Торап TLS байланысты орнату сәлемдемесін орындай алмады"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:759
+msgid "Peer requested illegal TLS rehandshake"
+msgstr "Торап жарамсы TLS қайта байланысты орнату сәлемдемесін сұрады"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:786
+msgid "TLS connection closed unexpectedly"
+msgstr "TLS байланысты күтпегенде жабылды"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:796
+msgid "TLS connection peer did not send a certificate"
+msgstr "TLS байланысының торабы сертификатты жібермеген"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1179
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1212
+#, c-format
+msgid "Error performing TLS handshake: %s"
+msgstr "TLS байланысты орнату сәлемдемесін орындау қатесі: %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1222
+msgid "Server did not return a valid TLS certificate"
+msgstr "Сервер жарамды TLS сертификатын қайтармады"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1297
+msgid "Unacceptable TLS certificate"
+msgstr "Жарамсыз TLS сертификаты"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1505
+#, c-format
+msgid "Error reading data from TLS socket: %s"
+msgstr "TLS сокетінен деректерді оқу қатесі: %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1534
+#, c-format
+msgid "Error writing data to TLS socket: %s"
+msgstr "TLS сокетіне деректерді жазу қатесі: %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1586
+#, c-format
+msgid "Error performing TLS close: %s"
+msgstr "TLS жабу әрекетін орындау қатесі: %s"
+
+#: ../tls/gnutls/gtlsserverconnection-gnutls.c:103
+msgid "Certificate has no private key"
+msgstr "Сертификатта жеке кілт жоқ"
+
+#: ../tls/pkcs11/gpkcs11pin.c:108
+msgid ""
+"This is the last chance to enter the PIN correctly before the token is "
+"locked."
+msgstr "Токен блокталуға дейінгі PIN кодын енгізудің соңғы мүмкіндігі қалды."
+
+#: ../tls/pkcs11/gpkcs11pin.c:110
+msgid ""
+"Several PIN attempts have been incorrect, and the token will be locked after "
+"further failures."
+msgstr ""
+"Бірнеше PIN енгізу талаптары сәтсіз болды, токен келесі сәтсіз енгізілерде "
+"блокталатын болады."
+
+#: ../tls/pkcs11/gpkcs11pin.c:112
+msgid "The PIN entered is incorrect."
+msgstr "Енгізілген PIN коды дұрыс емес."
+
+#: ../tls/pkcs11/gpkcs11slot.c:446
+msgid "Module"
+msgstr "Модуль"
+
+#: ../tls/pkcs11/gpkcs11slot.c:447
+msgid "PKCS#11 Module Pointer"
+msgstr "PKCS#11 модулі көрсеткіші"
+
+#: ../tls/pkcs11/gpkcs11slot.c:454
+msgid "Slot ID"
+msgstr "Слот ID-і"
+
+#: ../tls/pkcs11/gpkcs11slot.c:455
+msgid "PKCS#11 Slot Identifier"
+msgstr "PKCS#11 слот идентификаторы"
diff --git a/po/km.po b/po/km.po
index ca236b5..13cbf2b 100644
--- a/po/km.po
+++ b/po/km.po
@@ -11,6 +11,7 @@ msgstr ""
 "PO-Revision-Date: 2012-02-20 09:22+0700\n"
 "Last-Translator: Seng Sutha \n"
 "Language-Team: Khmer \n"
+"Language: km\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff --git a/po/kn.po b/po/kn.po
index 9ed7192..3059c58 100644
--- a/po/kn.po
+++ b/po/kn.po
@@ -12,6 +12,7 @@ msgstr ""
 "PO-Revision-Date: 2011-03-31 22:40+0530\n"
 "Last-Translator: Shankar Prasad \n"
 "Language-Team: Kannada \n"
+"Language: kn\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff --git a/po/lt.po b/po/lt.po
index 0f56c04..e6d5e80 100644
--- a/po/lt.po
+++ b/po/lt.po
@@ -12,7 +12,7 @@ msgstr ""
 "PO-Revision-Date: 2012-11-30 21:55+0300\n"
 "Last-Translator: Aurimas Černius \n"
 "Language-Team: Lietuvių <>\n"
-"Language: \n"
+"Language: lt\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff --git a/po/nb.po b/po/nb.po
index 6ca6509..a690491 100644
--- a/po/nb.po
+++ b/po/nb.po
@@ -11,7 +11,7 @@ msgstr ""
 "PO-Revision-Date: 2013-01-21 12:27+0100\n"
 "Last-Translator: Kjartan Maraas \n"
 "Language-Team: Norwegian bokmål \n"
-"Language: \n"
+"Language: nb\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff --git a/po/oc.po b/po/oc.po
new file mode 100644
index 0000000..41a5201
--- /dev/null
+++ b/po/oc.po
@@ -0,0 +1,158 @@
+# Occitan translation for glib-networking.
+# Copyright (C) 2011-2012 Listed translators
+# This file is distributed under the same license as the glib-networking package.
+# Cédric Valmary , 2015.
+# Cédric Valmary (Tot en òc) , 2015.
+# Cédric Valmary (totenoc.eu) , 2016.
+msgid ""
+msgstr ""
+"Project-Id-Version: glib-networking master\n"
+"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?"
+"product=glib&keywords=I18N+L10N&component=network\n"
+"POT-Creation-Date: 2016-05-19 06:54+0000\n"
+"PO-Revision-Date: 2016-05-05 21:48+0200\n"
+"Last-Translator: Cédric Valmary (totenoc.eu) \n"
+"Language-Team: Tot En Òc\n"
+"Language: oc\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Virtaal 0.7.1\n"
+"X-Launchpad-Export-Date: 2015-05-21 17:44+0000\n"
+"X-Project-Style: gnome\n"
+
+#: ../proxy/libproxy/glibproxyresolver.c:157
+msgid "Proxy resolver internal error."
+msgstr "Error intèrna del resolvedor de servidor mandatari."
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:176
+#, c-format
+msgid "Could not parse DER certificate: %s"
+msgstr "Impossible d'analisar lo certificat DER : %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:197
+#, c-format
+msgid "Could not parse PEM certificate: %s"
+msgstr "Impossible d'analisar lo certificat PEM : %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:228
+#, c-format
+msgid "Could not parse DER private key: %s"
+msgstr "Impossible d'analisar la clau privada DER : %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:259
+#, c-format
+msgid "Could not parse PEM private key: %s"
+msgstr "Impossible d'analisar la clau privada PEM : %s"
+
+#: ../tls/gnutls/gtlscertificate-gnutls.c:299
+msgid "No certificate data provided"
+msgstr "Cap de donada de certificat pas provesida"
+
+#: ../tls/gnutls/gtlsclientconnection-gnutls.c:375
+msgid "Server required TLS certificate"
+msgstr "Lo servidor requerís un certificat TLS"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:323
+#, c-format
+msgid "Could not create TLS connection: %s"
+msgstr "Impossible de crear una connexion TLS : %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:585
+msgid "Connection is closed"
+msgstr "La connexion es tampada"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:658
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1537
+msgid "Operation would block"
+msgstr "L'operacion se poiriá blocar"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:808
+#: ../tls/gnutls/gtlsconnection-gnutls.c:847
+msgid "Peer failed to perform TLS handshake"
+msgstr "La negociacion TLS amb lo servidor par a fracassat"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:826
+msgid "Peer requested illegal TLS rehandshake"
+msgstr "Lo servidor par a demandat una renegociacion TLS pas autorizada"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:853
+msgid "TLS connection closed unexpectedly"
+msgstr "La connexion TLS es estada tampada d'un biais imprevist"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:863
+msgid "TLS connection peer did not send a certificate"
+msgstr "Lo par TLS a pas mandat cap de certificat"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1250
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1283
+#, c-format
+msgid "Error performing TLS handshake: %s"
+msgstr "Error al moment de la negociacion TLS : %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1293
+msgid "Server did not return a valid TLS certificate"
+msgstr "Lo servidor a pas renviat cap de certificat TLS valid"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1363
+msgid "Unacceptable TLS certificate"
+msgstr "Certificat TLS inacceptable"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1571
+#, c-format
+msgid "Error reading data from TLS socket: %s"
+msgstr "Error al moment de la lectura de donadas del connectador TLS : %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1600
+#, c-format
+msgid "Error writing data to TLS socket: %s"
+msgstr "Error al moment de l'escritura de donadas sul connectador TLS : %s"
+
+#: ../tls/gnutls/gtlsconnection-gnutls.c:1664
+#, c-format
+msgid "Error performing TLS close: %s"
+msgstr "Error al moment de la tampadura TLS : %s"
+
+#: ../tls/gnutls/gtlsserverconnection-gnutls.c:107
+msgid "Certificate has no private key"
+msgstr "Lo certificat a pas cap de clau privada"
+
+#: ../tls/pkcs11/gpkcs11pin.c:111
+msgid ""
+"This is the last chance to enter the PIN correctly before the token is "
+"locked."
+msgstr ""
+"Es la darrièra chança d'entrar lo PIN corrècte abans que la carta de piuse "
+"siá verrolhada."
+
+#: ../tls/pkcs11/gpkcs11pin.c:113
+msgid ""
+"Several PIN attempts have been incorrect, and the token will be locked after "
+"further failures."
+msgstr ""
+"Mantun PIN incorrèctes son estats picats, tota novèla error provocarà lo "
+"verrolhatge de la carta de piuse."
+
+#: ../tls/pkcs11/gpkcs11pin.c:115
+msgid "The PIN entered is incorrect."
+msgstr "Lo PIN picat es incorrècte."
+
+#: ../tls/pkcs11/gpkcs11slot.c:449
+msgid "Module"
+msgstr "Modul"
+
+#: ../tls/pkcs11/gpkcs11slot.c:450
+msgid "PKCS#11 Module Pointer"
+msgstr "Puntador de modul PKCS#11"
+
+#: ../tls/pkcs11/gpkcs11slot.c:457
+msgid "Slot ID"
+msgstr "ID del connectador"
+
+#: ../tls/pkcs11/gpkcs11slot.c:458
+msgid "PKCS#11 Slot Identifier"
+msgstr "Identificant d'emplaçament PKCS#11"
+
+#~ msgid "Connection is already closed"
+#~ msgstr "La connexion es ja tampada"
diff --git a/po/pa.po b/po/pa.po
index 02cd604..b894476 100644
--- a/po/pa.po
+++ b/po/pa.po
@@ -12,7 +12,7 @@ msgstr ""
 "PO-Revision-Date: 2013-02-26 07:18+0530\n"
 "Last-Translator: A S Alam \n"
 "Language-Team: Punjabi/Panjabi \n"
-"Language: paX-Generator: Lokalize 1.2\n"
+"Language: pa\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff --git a/po/pl.po b/po/pl.po
index cfa3614..1c65377 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -1,128 +1,121 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# Aviary.pl -# Jeśli masz jakiekolwiek uwagi odnoszące się do tłumaczenia lub chcesz -# pomóc w jego rozwijaniu i pielęgnowaniu, napisz do nas: -# gnomepl@aviary.pl -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# Piotr Drąg , 2011-2012. -# Aviary.pl , 2011-2012. +# Polish translation for glib-networking. +# Copyright © 2011-2016 the glib-networking authors. +# This file is distributed under the same license as the glib-networking package. +# Piotr Drąg , 2011-2016. +# Aviary.pl , 2011-2016. +# msgid "" msgstr "" "Project-Id-Version: glib-networking\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2012-12-02 05:57+0100\n" -"PO-Revision-Date: 2012-12-02 05:58+0100\n" +"POT-Creation-Date: 2016-08-15 21:53+0000\n" +"PO-Revision-Date: 2016-08-16 10:35+0200\n" "Last-Translator: Piotr Drąg \n" -"Language-Team: Polish \n" +"Language-Team: Polish \n" "Language: pl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 " "|| n%100>=20) ? 1 : 2);\n" -"X-Poedit-Language: Polish\n" -"X-Poedit-Country: Poland\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." msgstr "Wewnętrzny błąd rozwiązywania pośrednika." 
-#: ../tls/gnutls/gtlscertificate-gnutls.c:173 +#: tls/gnutls/gtlscertificate-gnutls.c:176 #, c-format msgid "Could not parse DER certificate: %s" msgstr "Nie można przetworzyć certyfikatu DER: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:194 +#: tls/gnutls/gtlscertificate-gnutls.c:197 #, c-format msgid "Could not parse PEM certificate: %s" msgstr "Nie można przetworzyć certyfikatu PEM: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:225 +#: tls/gnutls/gtlscertificate-gnutls.c:228 #, c-format msgid "Could not parse DER private key: %s" msgstr "Nie można przetworzyć klucza prywatnego DER: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:256 +#: tls/gnutls/gtlscertificate-gnutls.c:259 #, c-format msgid "Could not parse PEM private key: %s" msgstr "Nie można przetworzyć klucza prywatnego PEM: %s" -#: ../tls/gnutls/gtlscertificate-gnutls.c:296 +#: tls/gnutls/gtlscertificate-gnutls.c:299 msgid "No certificate data provided" msgstr "Nie podano danych certyfikatu" -#: ../tls/gnutls/gtlsclientconnection-gnutls.c:309 +#: tls/gnutls/gtlsclientconnection-gnutls.c:375 msgid "Server required TLS certificate" msgstr "Serwer wymaga certyfikatu TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:254 +#: tls/gnutls/gtlsconnection-gnutls.c:323 #, c-format msgid "Could not create TLS connection: %s" msgstr "Nie można utworzyć połączenia TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:514 +#: tls/gnutls/gtlsconnection-gnutls.c:585 msgid "Connection is closed" msgstr "Połączenie jest zamknięte" -#: ../tls/gnutls/gtlsconnection-gnutls.c:577 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1383 +#: tls/gnutls/gtlsconnection-gnutls.c:658 +#: tls/gnutls/gtlsconnection-gnutls.c:1537 msgid "Operation would block" msgstr "Działanie zablokowałoby" -#: ../tls/gnutls/gtlsconnection-gnutls.c:704 +#: tls/gnutls/gtlsconnection-gnutls.c:808 +#: tls/gnutls/gtlsconnection-gnutls.c:847 msgid "Peer failed to perform TLS handshake" msgstr "Wykonanie powitania TLS przez partnera się nie powiodło" -#: 
../tls/gnutls/gtlsconnection-gnutls.c:721 +#: tls/gnutls/gtlsconnection-gnutls.c:826 msgid "Peer requested illegal TLS rehandshake" msgstr "Partner zażądał niedozwolonego ponownego powitania TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:747 +#: tls/gnutls/gtlsconnection-gnutls.c:853 msgid "TLS connection closed unexpectedly" msgstr "Połączenie TLS zostało nieoczekiwanie zamknięte" -#: ../tls/gnutls/gtlsconnection-gnutls.c:757 +#: tls/gnutls/gtlsconnection-gnutls.c:863 msgid "TLS connection peer did not send a certificate" msgstr "Partner połączenia TLS nie wysłał certyfikatu" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1065 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1084 +#: tls/gnutls/gtlsconnection-gnutls.c:1250 +#: tls/gnutls/gtlsconnection-gnutls.c:1283 #, c-format msgid "Error performing TLS handshake: %s" msgstr "Błąd podczas wykonywania powitania TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1229 -msgid "Unacceptable TLS certificate" -msgstr "Nieakceptowalny certyfikat TLS" - -#: ../tls/gnutls/gtlsconnection-gnutls.c:1240 +#: tls/gnutls/gtlsconnection-gnutls.c:1293 msgid "Server did not return a valid TLS certificate" msgstr "Serwer nie zwrócił prawidłowego certyfikatu TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1406 +#: tls/gnutls/gtlsconnection-gnutls.c:1363 +msgid "Unacceptable TLS certificate" +msgstr "Nieakceptowalny certyfikat TLS" + +#: tls/gnutls/gtlsconnection-gnutls.c:1571 #, c-format msgid "Error reading data from TLS socket: %s" -msgstr "Błąd podczas odczytywania danych z gniazda TLS: %s" +msgstr "Błąd podczas odczytywania danych z gniazda TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1435 +#: tls/gnutls/gtlsconnection-gnutls.c:1600 #, c-format msgid "Error writing data to TLS socket: %s" msgstr "Błąd podczas zapisywania danych do gniazda TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1479 -msgid "Connection is already closed" -msgstr "Połączenie jest już zamknięte" - -#: ../tls/gnutls/gtlsconnection-gnutls.c:1489 +#: 
tls/gnutls/gtlsconnection-gnutls.c:1664 #, c-format msgid "Error performing TLS close: %s" msgstr "Błąd podczas wykonywania zamknięcia TLS: %s" -#: ../tls/gnutls/gtlsserverconnection-gnutls.c:103 +#: tls/gnutls/gtlsserverconnection-gnutls.c:107 msgid "Certificate has no private key" -msgstr "Certyfikat nie posiada klucza prywatnego" +msgstr "Certyfikat nie ma klucza prywatnego" -#: ../tls/pkcs11/gpkcs11pin.c:108 +#: tls/pkcs11/gpkcs11pin.c:111 msgid "" "This is the last chance to enter the PIN correctly before the token is " "locked." @@ -130,7 +123,7 @@ msgstr "" "To jest ostatnia szansa na poprawne wpisanie kodu PIN przed zablokowaniem " "tokena." -#: ../tls/pkcs11/gpkcs11pin.c:110 +#: tls/pkcs11/gpkcs11pin.c:113 msgid "" "Several PIN attempts have been incorrect, and the token will be locked after " "further failures." @@ -138,22 +131,22 @@ msgstr "" "Przeprowadzono kilka niepoprawnych prób wpisania kodu PIN. Token zostanie " "zablokowany po dalszych niepowodzeniach." -#: ../tls/pkcs11/gpkcs11pin.c:112 +#: tls/pkcs11/gpkcs11pin.c:115 msgid "The PIN entered is incorrect." msgstr "Wpisany kod PIN jest niepoprawny." -#: ../tls/pkcs11/gpkcs11slot.c:446 +#: tls/pkcs11/gpkcs11slot.c:449 msgid "Module" msgstr "Moduł" -#: ../tls/pkcs11/gpkcs11slot.c:447 +#: tls/pkcs11/gpkcs11slot.c:450 msgid "PKCS#11 Module Pointer" msgstr "Wskaźnik modułu PKCS#11" -#: ../tls/pkcs11/gpkcs11slot.c:454 +#: tls/pkcs11/gpkcs11slot.c:457 msgid "Slot ID" msgstr "Identyfikator gniazda" -#: ../tls/pkcs11/gpkcs11slot.c:455 +#: tls/pkcs11/gpkcs11slot.c:458 msgid "PKCS#11 Slot Identifier" msgstr "Identyfikator gniazda PKCS#11" diff --git a/po/pt.po b/po/pt.po index 8c6c529..3773e03 100644 --- a/po/pt.po +++ b/po/pt.po 
@@ -3,112 +3,112 @@ # This file is distributed under the same license as the glib-networking package. # Duarte Loreto , 2011, 2012, 2013. # +# Pedro Albuquerque , 2015. +# msgid "" msgstr "" "Project-Id-Version: 3.8\n" -"Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2013-03-15 12:42+0000\n" -"PO-Revision-Date: 2013-03-15 12:45+0000\n" -"Last-Translator: Duarte Loreto \n" -"Language-Team: Portuguese \n" +"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?" +"product=glib&keywords=I18N+L10N&component=network\n" +"POT-Creation-Date: 2015-06-07 17:56+0000\n" +"PO-Revision-Date: 2015-06-24 09:24+0100\n" +"Last-Translator: Pedro Albuquerque \n" +"Language-Team: Português \n" "Language: pt\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Gtranslator 2.91.6\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: ../proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." msgstr "Erro interno do solucionador de proxies." 
#: ../tls/gnutls/gtlscertificate-gnutls.c:173 #, c-format msgid "Could not parse DER certificate: %s" -msgstr "Incapaz de processar o certificado DER: %s" +msgstr "Impossível processar o certificado DER: %s" #: ../tls/gnutls/gtlscertificate-gnutls.c:194 #, c-format msgid "Could not parse PEM certificate: %s" -msgstr "Incapaz de processar o certificado PEM: %s" +msgstr "Impossível processar o certificado PEM: %s" #: ../tls/gnutls/gtlscertificate-gnutls.c:225 #, c-format msgid "Could not parse DER private key: %s" -msgstr "Incapaz de processar a chave privada DER: %s" +msgstr "Impossível processar a chave privada DER: %s" #: ../tls/gnutls/gtlscertificate-gnutls.c:256 #, c-format msgid "Could not parse PEM private key: %s" -msgstr "Incapaz de processar a chave privada PEM: %s" +msgstr "Impossível processar a chave privada PEM: %s" #: ../tls/gnutls/gtlscertificate-gnutls.c:296 msgid "No certificate data provided" msgstr "Não foram indicados quaisquer dados de certificado" -#: ../tls/gnutls/gtlsclientconnection-gnutls.c:309 +#: ../tls/gnutls/gtlsclientconnection-gnutls.c:337 msgid "Server required TLS certificate" msgstr "O servidor requer um certificado TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:258 +#: ../tls/gnutls/gtlsconnection-gnutls.c:305 #, c-format msgid "Could not create TLS connection: %s" -msgstr "Incapaz de criar uma ligação TLS: %s" +msgstr "Impossível criar uma ligação TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:520 +#: ../tls/gnutls/gtlsconnection-gnutls.c:572 msgid "Connection is closed" msgstr "A ligação está fechada" -#: ../tls/gnutls/gtlsconnection-gnutls.c:582 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1425 +#: ../tls/gnutls/gtlsconnection-gnutls.c:635 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1504 msgid "Operation would block" msgstr "Operação iria bloquear" -#: ../tls/gnutls/gtlsconnection-gnutls.c:712 -#: ../tls/gnutls/gtlsconnection-gnutls.c:755 +#: ../tls/gnutls/gtlsconnection-gnutls.c:774 +#: ../tls/gnutls/gtlsconnection-gnutls.c:813 
msgid "Peer failed to perform TLS handshake" -msgstr "O destino falhao ao estabelecer a ligação (handshake) TLS" +msgstr "O destino falhou ao estabelecer a ligação (handshake) TLS" -#: ../tls/gnutls/gtlsconnection-gnutls.c:729 +#: ../tls/gnutls/gtlsconnection-gnutls.c:792 msgid "Peer requested illegal TLS rehandshake" msgstr "Destino requereu novo handshake TLS ilegal" -#: ../tls/gnutls/gtlsconnection-gnutls.c:761 +#: ../tls/gnutls/gtlsconnection-gnutls.c:819 msgid "TLS connection closed unexpectedly" msgstr "Ligação TLS terminada inesperadamente" -#: ../tls/gnutls/gtlsconnection-gnutls.c:771 +#: ../tls/gnutls/gtlsconnection-gnutls.c:829 msgid "TLS connection peer did not send a certificate" msgstr "O parceiro de ligação TLS não enviou um certificado" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1152 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1171 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1212 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1245 #, c-format msgid "Error performing TLS handshake: %s" msgstr "Erro ao estabelecer a ligação TLS (handshake): %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1181 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1255 msgid "Server did not return a valid TLS certificate" msgstr "O servidor não devolveu um certificado TLS válido" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1256 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1330 msgid "Unacceptable TLS certificate" msgstr "Certificado TLS inaceitável" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1448 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1538 #, c-format msgid "Error reading data from TLS socket: %s" msgstr "Erro ao ler dados do socket TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1477 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1567 #, c-format msgid "Error writing data to TLS socket: %s" msgstr "Erro ao escrever dados no socket TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1521 -msgid "Connection is already closed" -msgstr "A ligação já está fechada" - -#: 
../tls/gnutls/gtlsconnection-gnutls.c:1531 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1619 #, c-format msgid "Error performing TLS close: %s" msgstr "Erro ao terminar a ligação TLS: %s" @@ -123,14 +123,14 @@ msgid "" "locked." msgstr "" "Esta é a última oportunidade para introduzir corretamente o PIN antes de que " -"o token seja trancado." +"o símbolo seja trancado." #: ../tls/pkcs11/gpkcs11pin.c:110 msgid "" "Several PIN attempts have been incorrect, and the token will be locked after " "further failures." msgstr "" -"Foram introduzidos vários PINs incorretos e o token será trancado caso " +"Foram introduzidos vários PINs incorretos e o símbolo será trancado caso " "ocorram mais falhas." #: ../tls/pkcs11/gpkcs11pin.c:112 @@ -143,12 +143,15 @@ msgstr "Módulo" #: ../tls/pkcs11/gpkcs11slot.c:447 msgid "PKCS#11 Module Pointer" -msgstr "Apontador de Módulo PKCS#11" +msgstr "Ponteiro de módulo PKCS#11" #: ../tls/pkcs11/gpkcs11slot.c:454 msgid "Slot ID" -msgstr "ID de Slot" +msgstr "ID de slot" #: ../tls/pkcs11/gpkcs11slot.c:455 msgid "PKCS#11 Slot Identifier" -msgstr "Identificador de Slot PKCS#11" +msgstr "Identificador de slot PKCS#11" + +#~ msgid "Connection is already closed" +#~ msgstr "A ligação já está fechada" diff --git a/po/sl.po b/po/sl.po index 6342e54..0bae053 100644 --- a/po/sl.po +++ b/po/sl.po @@ -13,7 +13,7 @@ msgstr "" "PO-Revision-Date: 2012-12-18 08:24+0100\n" "Last-Translator: Matej Urbančič \n" "Language-Team: Slovenian GNOME Translation Team \n" -"Language: sl_SI\n" +"Language: sl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/sr@latin.po b/po/sr@latin.po index 1da645a..5b7cb3d 100644 --- a/po/sr@latin.po +++ b/po/sr@latin.po 
@@ -11,7 +11,7 @@ msgstr "" "PO-Revision-Date: 2013-01-18 11:59+0200\n" "Last-Translator: Miroslav Nikolić \n" "Language-Team: Serbian \n" -"Language: sr\n" +"Language: sr@latin\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/sv.po b/po/sv.po index e3f40fc..8888e86 100644 --- a/po/sv.po +++ b/po/sv.po @@ -1,22 +1,25 @@ # Swedish translation for glib-networking. -# Copyright (C) 2011 Free Software Foundation, Inc. +# Copyright © 2011, 2014 Free Software Foundation, Inc. # This file is distributed under the same license as the glib-networking package. # Daniel Nylander , 2011. +# Anders Jonsson , 2014. # msgid "" msgstr "" "Project-Id-Version: glib-networking\n" -"Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2011-11-25 09:51+0100\n" -"PO-Revision-Date: 2011-11-25 09:54+0100\n" -"Last-Translator: Daniel Nylander \n" +"Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?" +"product=glib&keywords=I18N+L10N&component=network\n" +"POT-Creation-Date: 2014-05-16 17:51+0000\n" +"PO-Revision-Date: 2014-05-17 00:56+0100\n" +"Last-Translator: Anders Jonsson \n" "Language-Team: Swedish \n" -"Language: \n" +"Language: sv\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" +"X-Generator: Poedit 1.6.4\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: ../proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." msgstr "Internt fel i proxyuppslag." 
@@ -44,63 +47,93 @@ msgstr "Kunde inte tolka privat PEM-nyckel: %s" msgid "No certificate data provided" msgstr "Inget certifikatdata tillhandahölls" -#: ../tls/gnutls/gtlsclientconnection-gnutls.c:385 +#: ../tls/gnutls/gtlsclientconnection-gnutls.c:324 msgid "Server required TLS certificate" msgstr "Servern krävde TLS-certifikat" -#: ../tls/gnutls/gtlsconnection-gnutls.c:279 +#: ../tls/gnutls/gtlsconnection-gnutls.c:267 #, c-format msgid "Could not create TLS connection: %s" msgstr "Kunde inte skapa TLS-anslutning: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:558 +#: ../tls/gnutls/gtlsconnection-gnutls.c:531 +msgid "Connection is closed" +msgstr "Anslutningen är stängd" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:594 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1465 +msgid "Operation would block" +msgstr "Operationen skulle blockera" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:733 +#: ../tls/gnutls/gtlsconnection-gnutls.c:772 msgid "Peer failed to perform TLS handshake" msgstr "Motparten misslyckades med att genomföra TLS-handskakning" -#: ../tls/gnutls/gtlsconnection-gnutls.c:576 +#: ../tls/gnutls/gtlsconnection-gnutls.c:751 msgid "Peer requested illegal TLS rehandshake" msgstr "Motparten begärde otillåten TLS-återhandskakning" -#: ../tls/gnutls/gtlsconnection-gnutls.c:594 +#: ../tls/gnutls/gtlsconnection-gnutls.c:778 msgid "TLS connection closed unexpectedly" msgstr "TLS-anslutningen stängdes oväntat" -#: ../tls/gnutls/gtlsconnection-gnutls.c:888 -#: ../tls/gnutls/gtlsconnection-gnutls.c:914 +#: ../tls/gnutls/gtlsconnection-gnutls.c:788 +#| msgid "TLS connection closed unexpectedly" +msgid "TLS connection peer did not send a certificate" +msgstr "TLS-anslutningens motpart sände inte ett certifikat" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1178 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1211 #, c-format msgid "Error performing TLS handshake: %s" msgstr "Fel vid genomförande av TLS-handskakning: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:962 +#: 
../tls/gnutls/gtlsconnection-gnutls.c:1221 +#| msgid "Server required TLS certificate" +msgid "Server did not return a valid TLS certificate" +msgstr "Servern returnerade inte ett giltigt TLS-certifikat" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1296 msgid "Unacceptable TLS certificate" msgstr "Ej acceptabelt TLS-certifikat" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1099 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1499 #, c-format msgid "Error reading data from TLS socket: %s" msgstr "Fel vid läsning av data från TLS-uttag: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1125 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1528 #, c-format msgid "Error writing data to TLS socket: %s" msgstr "Fel vid skrivning av data till TLS-uttag: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1171 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1572 +msgid "Connection is already closed" +msgstr "Anslutningen är redan stängd" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1582 #, c-format msgid "Error performing TLS close: %s" msgstr "Fel vid genomförande av TLS-stängning: %s" -#: ../tls/gnutls/gtlsserverconnection-gnutls.c:138 +#: ../tls/gnutls/gtlsserverconnection-gnutls.c:103 msgid "Certificate has no private key" msgstr "Certifikatet har ingen privat nyckel" #: ../tls/pkcs11/gpkcs11pin.c:108 -msgid "This is the last chance to enter the PIN correctly before the token is locked." +msgid "" +"This is the last chance to enter the PIN correctly before the token is " +"locked." msgstr "Detta är sista försöket att ange PIN-koden korrekt innan kortet låses." #: ../tls/pkcs11/gpkcs11pin.c:110 -msgid "Several PIN attempts have been incorrect, and the token will be locked after further failures." -msgstr "Flera PIN-kodsförsök har varit felaktiga och kortet kommer att låsas vid ytterligare felaktiga försök." +msgid "" +"Several PIN attempts have been incorrect, and the token will be locked after " +"further failures." 
+msgstr "" +"Flera PIN-kodsförsök har varit felaktiga och kortet kommer att låsas vid " +"ytterligare felaktiga försök." #: ../tls/pkcs11/gpkcs11pin.c:112 msgid "The PIN entered is incorrect." @@ -121,4 +154,3 @@ msgstr "Plats-id" #: ../tls/pkcs11/gpkcs11slot.c:455 msgid "PKCS#11 Slot Identifier" msgstr "PKCS#11-platsidentifierare" - diff --git a/po/tg.po b/po/tg.po index 2cc6215..3107433 100644 --- a/po/tg.po +++ b/po/tg.po @@ -8,39 +8,39 @@ msgstr "" "Project-Id-Version: Tajik Gnome\n" "Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?" "product=glib&keywords=I18N+L10N&component=network\n" -"POT-Creation-Date: 2013-03-05 15:28+0000\n" -"PO-Revision-Date: 2013-01-21 18:03+0500\n" +"POT-Creation-Date: 2013-07-22 13:02+0000\n" +"PO-Revision-Date: 2013-10-09 14:52+0500\n" "Last-Translator: Victor Ibragimov \n" "Language-Team: \n" "Language: tg\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"X-Generator: Poedit 1.5.4\n" +"X-Generator: Poedit 1.5.7\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: ../proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." -msgstr "" +msgstr "Хатои дарунии ислоҳкунандаи Proxy." #: ../tls/gnutls/gtlscertificate-gnutls.c:173 #, c-format msgid "Could not parse DER certificate: %s" -msgstr "" +msgstr "Гувоҳиномаи DER таҷзия карда нашуд: %s" #: ../tls/gnutls/gtlscertificate-gnutls.c:194 #, c-format msgid "Could not parse PEM certificate: %s" -msgstr "" +msgstr "Гувоҳиномаи PEM таҷзия карда нашуд: %s" #: ../tls/gnutls/gtlscertificate-gnutls.c:225 #, c-format msgid "Could not parse DER private key: %s" -msgstr "" +msgstr "Калиди шахсии DER таҷзия карда нашуд: %s" #: ../tls/gnutls/gtlscertificate-gnutls.c:256 #, c-format msgid "Could not parse PEM private key: %s" -msgstr "" +msgstr "Калиди шахсии PEM таҷзия карда нашуд: %s" #: ../tls/gnutls/gtlscertificate-gnutls.c:296 msgid "No certificate data provided" 
@@ -50,89 +50,93 @@ msgstr "Ягон иттилооти гувоҳинома таъмин нашуд msgid "Server required TLS certificate" msgstr "Сервер гувоҳиномаи TLS-ро дархост кардааст" -#: ../tls/gnutls/gtlsconnection-gnutls.c:258 +#: ../tls/gnutls/gtlsconnection-gnutls.c:266 #, c-format msgid "Could not create TLS connection: %s" -msgstr "" +msgstr "Пайвасти TLS эҷод карда нашуд: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:520 +#: ../tls/gnutls/gtlsconnection-gnutls.c:530 msgid "Connection is closed" -msgstr "" +msgstr "Пайваст пӯшонида шудааст" -#: ../tls/gnutls/gtlsconnection-gnutls.c:582 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1425 +#: ../tls/gnutls/gtlsconnection-gnutls.c:593 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1445 msgid "Operation would block" -msgstr "" +msgstr "Амалиёт баста мешавад" -#: ../tls/gnutls/gtlsconnection-gnutls.c:712 -#: ../tls/gnutls/gtlsconnection-gnutls.c:755 +#: ../tls/gnutls/gtlsconnection-gnutls.c:723 +#: ../tls/gnutls/gtlsconnection-gnutls.c:761 msgid "Peer failed to perform TLS handshake" -msgstr "" +msgstr "Ҳамсон даъвати TLS-ро иҷро карда натавонист" -#: ../tls/gnutls/gtlsconnection-gnutls.c:729 +#: ../tls/gnutls/gtlsconnection-gnutls.c:740 msgid "Peer requested illegal TLS rehandshake" -msgstr "" +msgstr "Ҳамсон даъвати дастнораси TLS-ро дархост кард" -#: ../tls/gnutls/gtlsconnection-gnutls.c:761 +#: ../tls/gnutls/gtlsconnection-gnutls.c:767 msgid "TLS connection closed unexpectedly" -msgstr "" +msgstr "Пайвасти TLS ногаҳон пӯшида шудааст" -#: ../tls/gnutls/gtlsconnection-gnutls.c:771 +#: ../tls/gnutls/gtlsconnection-gnutls.c:777 msgid "TLS connection peer did not send a certificate" -msgstr "" +msgstr "Ҳамсони пайвати TLS гувоҳиномаро фиристода накард" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1152 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1171 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1158 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1191 #, c-format msgid "Error performing TLS handshake: %s" -msgstr "" +msgstr "Даъвати TLS бо хато иҷро карда шуд: 
%s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1181 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1201 msgid "Server did not return a valid TLS certificate" -msgstr "" +msgstr "Сервер бо гувоҳиномаи TLS-и боэътибор ҷавоб надод" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1256 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1276 msgid "Unacceptable TLS certificate" -msgstr "" +msgstr "Гувоҳиномаи TLS-и нораво" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1448 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1479 #, c-format msgid "Error reading data from TLS socket: %s" -msgstr "" +msgstr "Хатои хониши маълумот аз бастагоҳи TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1477 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1508 #, c-format msgid "Error writing data to TLS socket: %s" -msgstr "" +msgstr "Хатои навишти маълумот ба бастагоҳи TLS: %s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1521 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1552 msgid "Connection is already closed" -msgstr "" +msgstr "Пайваст аллакай пӯшида шудааст" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1531 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1562 #, c-format msgid "Error performing TLS close: %s" -msgstr "" +msgstr "Пӯшидани TLS бо хато иҷро карда шудааст: %s" #: ../tls/gnutls/gtlsserverconnection-gnutls.c:103 msgid "Certificate has no private key" -msgstr "" +msgstr "Гувоҳинома калиди шахсӣ надрад" #: ../tls/pkcs11/gpkcs11pin.c:108 msgid "" "This is the last chance to enter the PIN correctly before the token is " "locked." msgstr "" +"Ин маротибаи охирин барои вориди рамзи PIN-и дуруст пеш аз қулфи вуруд " +"мебошад." #: ../tls/pkcs11/gpkcs11pin.c:110 msgid "" "Several PIN attempts have been incorrect, and the token will be locked after " "further failures." msgstr "" +"Баъзе кӯшишҳои вориди PIN бо хато иҷро шудаанд ва вуруд баъд аз кӯшишҳои " +"нокомии навбатӣ қулф мешавад." #: ../tls/pkcs11/gpkcs11pin.c:112 msgid "The PIN entered is incorrect." -msgstr "" +msgstr "Рамзи PIN-и воридшуда нодуруст аст." 
#: ../tls/pkcs11/gpkcs11slot.c:446 msgid "Module" @@ -140,12 +144,12 @@ msgstr "Модул" #: ../tls/pkcs11/gpkcs11slot.c:447 msgid "PKCS#11 Module Pointer" -msgstr "" +msgstr "Нишондиҳандаи модули PKCS#11" #: ../tls/pkcs11/gpkcs11slot.c:454 msgid "Slot ID" -msgstr "" +msgstr "Ковокии рамзи ID" #: ../tls/pkcs11/gpkcs11slot.c:455 msgid "PKCS#11 Slot Identifier" -msgstr "" +msgstr "Идентификатори ковокии PKCS#11" diff --git a/po/ug.po b/po/ug.po index 9f955b2..81112a6 100644 --- a/po/ug.po +++ b/po/ug.po @@ -11,7 +11,7 @@ msgstr "" "PO-Revision-Date: 2013-02-22 22:21+0900\n" "Last-Translator: Gheyret Kenji \n" "Language-Team: Uyghur Computer Science Association \n" -"Language: \n" +"Language: ug\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/zh_CN.po b/po/zh_CN.po index 709c7e2..a52961a 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -9,18 +9,18 @@ msgstr "" "Project-Id-Version: glib-networking master\n" "Report-Msgid-Bugs-To: http://bugzilla.gnome.org/enter_bug.cgi?" "product=glib&keywords=I18N+L10N&component=network\n" -"POT-Creation-Date: 2012-07-18 21:47+0000\n" -"PO-Revision-Date: 2012-09-23 04:06+0800\n" +"POT-Creation-Date: 2013-12-18 19:40+0000\n" +"PO-Revision-Date: 2014-01-24 21:26+0800\n" "Last-Translator: YunQiang Su \n" "Language-Team: Chinese (simplified) \n" -"Language: \n" +"Language: zh_CN\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bits\n" "Plural-Forms: nplurals=1; plural=0;\n" "X-Generator: Gtranslator 2.91.5\n" -#: ../proxy/libproxy/glibproxyresolver.c:150 +#: ../proxy/libproxy/glibproxyresolver.c:157 msgid "Proxy resolver internal error." msgstr "代理服务器解析器内部错误。" 
@@ -48,66 +48,71 @@ msgstr "无法分析 PEM 私钥:%s" msgid "No certificate data provided" msgstr "没有提供证书数据" -#: ../tls/gnutls/gtlsclientconnection-gnutls.c:309 +#: ../tls/gnutls/gtlsclientconnection-gnutls.c:324 msgid "Server required TLS certificate" msgstr "服务器需要 TLS 证书" -#: ../tls/gnutls/gtlsconnection-gnutls.c:248 +#: ../tls/gnutls/gtlsconnection-gnutls.c:267 #, c-format msgid "Could not create TLS connection: %s" msgstr "无法创建 TLS 连接:%s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:508 +#: ../tls/gnutls/gtlsconnection-gnutls.c:531 msgid "Connection is closed" msgstr "连接被关闭" -#: ../tls/gnutls/gtlsconnection-gnutls.c:568 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1371 +#: ../tls/gnutls/gtlsconnection-gnutls.c:594 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1461 msgid "Operation would block" msgstr "操作被阻塞" -#: ../tls/gnutls/gtlsconnection-gnutls.c:695 +#: ../tls/gnutls/gtlsconnection-gnutls.c:733 +#: ../tls/gnutls/gtlsconnection-gnutls.c:772 msgid "Peer failed to perform TLS handshake" msgstr "执行 TLS 握手失败" -#: ../tls/gnutls/gtlsconnection-gnutls.c:712 +#: ../tls/gnutls/gtlsconnection-gnutls.c:751 msgid "Peer requested illegal TLS rehandshake" msgstr "请求了无效的 TLS 再握手" -#: ../tls/gnutls/gtlsconnection-gnutls.c:738 +#: ../tls/gnutls/gtlsconnection-gnutls.c:778 msgid "TLS connection closed unexpectedly" msgstr "TLS 连接被异常关闭" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1049 -#: ../tls/gnutls/gtlsconnection-gnutls.c:1068 +#: ../tls/gnutls/gtlsconnection-gnutls.c:788 +#| msgid "Server did not return a valid TLS certificate" +msgid "TLS connection peer did not send a certificate" +msgstr "TLS 连接的对方未发送证书" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1174 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1207 #, c-format msgid "Error performing TLS handshake: %s" msgstr "执行 TLS 握手时出错:%s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1204 -msgid "Unacceptable TLS certificate" -msgstr "无法接受的 TLS 证书" - -#: ../tls/gnutls/gtlsconnection-gnutls.c:1215 -#| msgid "Server required TLS certificate" +#: 
../tls/gnutls/gtlsconnection-gnutls.c:1217 msgid "Server did not return a valid TLS certificate" msgstr "服务器未返回有效的 TLS 证书" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1394 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1292 +msgid "Unacceptable TLS certificate" +msgstr "无法接受的 TLS 证书" + +#: ../tls/gnutls/gtlsconnection-gnutls.c:1495 #, c-format msgid "Error reading data from TLS socket: %s" msgstr "从 TLS 套接字读取数据时出错:%s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1423 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1524 #, c-format msgid "Error writing data to TLS socket: %s" msgstr "向 TLS 套接字写入数据时出错:%s" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1467 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1568 msgid "Connection is already closed" msgstr "连接已经关闭" -#: ../tls/gnutls/gtlsconnection-gnutls.c:1477 +#: ../tls/gnutls/gtlsconnection-gnutls.c:1578 #, c-format msgid "Error performing TLS close: %s" msgstr "执行 TLS 关闭时出错:%s" diff --git a/po/zh_HK.po b/po/zh_HK.po index 24bbc6d..b8d29ac 100644 --- a/po/zh_HK.po +++ b/po/zh_HK.po @@ -11,7 +11,7 @@ msgstr "" "PO-Revision-Date: 2013-03-01 22:24+0800\n" "Last-Translator: Chao-Hsiung Liao \n" "Language-Team: Chinese (Hong Kong) \n" -"Language: \n" +"Language: zh_HK\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/po/zh_TW.po b/po/zh_TW.po index 2e37ec0..a231471 100644 --- a/po/zh_TW.po +++ b/po/zh_TW.po @@ -11,7 +11,7 @@ msgstr "" "PO-Revision-Date: 2013-02-28 09:41+0800\n" "Last-Translator: Chao-Hsiung Liao \n" "Language-Team: Chinese (Taiwan) \n" -"Language: \n" +"Language: zh_TW\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/proxy/gnome/gnome-proxy-module.c b/proxy/gnome/gnome-proxy-module.c index 88d0a27..f5f2469 100644 --- a/proxy/gnome/gnome-proxy-module.c +++ b/proxy/gnome/gnome-proxy-module.c 
@@ -19,13 +19,32 @@ #include "config.h" +#include + #include "gproxyresolvergnome.h" void g_io_module_load (GIOModule *module) { + gchar *locale_dir; +#ifdef G_OS_WIN32 + gchar *base_dir; +#endif + g_proxy_resolver_gnome_register (module); + +#ifdef G_OS_WIN32 + base_dir = g_win32_get_package_installation_directory_of_module (NULL); + locale_dir = g_build_filename (base_dir, "share", "locale", NULL); + g_free (base_dir); +#else + locale_dir = g_strdup (LOCALE_DIR); +#endif + + bindtextdomain (GETTEXT_PACKAGE, locale_dir); + bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8"); + g_free (locale_dir); } void diff --git a/proxy/gnome/gproxyresolvergnome.c b/proxy/gnome/gproxyresolvergnome.c index 464e3d6..0f5559f 100644 --- a/proxy/gnome/gproxyresolvergnome.c +++ b/proxy/gnome/gproxyresolvergnome.c @@ -472,6 +472,7 @@ g_proxy_resolver_gnome_lookup_async (GProxyResolver *proxy_resolver, GError *error = NULL; task = g_task_new (resolver, cancellable, callback, user_data); + g_task_set_source_tag (task, g_proxy_resolver_gnome_lookup_async); if (!g_proxy_resolver_gnome_lookup_internal (resolver, uri, &proxies, &pacrunner, &autoconfig_url, diff --git a/proxy/libproxy/Makefile.am b/proxy/libproxy/Makefile.am index 7d0453e..a386827 100644 --- a/proxy/libproxy/Makefile.am +++ b/proxy/libproxy/Makefile.am @@ -40,3 +40,13 @@ CLEANFILES += $(service_DATA) org.gtk.GLib.PACRunner.service: org.gtk.GLib.PACRunner.service.in Makefile $(AM_V_GEN) sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@ + +systemd_userdir = $(prefix)/lib/systemd/user +systemd_user_in_files = glib-pacrunner.service.in +systemd_user_DATA = $(systemd_user_in_files:.service.in=.service) + +EXTRA_DIST += $(systemd_user_in_files) +CLEANFILES += $(systemd_user_DATA) + +glib-pacrunner.service: glib-pacrunner.service.in Makefile + $(AM_V_GEN) sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@ 
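Review bot: In `g_io_module_load` in proxy/gnome/gnome-proxy-module.c, the Windows branch passes `NULL` to `g_win32_get_package_installation_directory_of_module`, which resolves the directory of the process's main executable rather than of this module. The message catalog is therefore bound relative to whichever application loaded the module. Several catalog entries are `c-format` strings, so the directory they are read from should be the one this package was installed into; passing the module's own handle would pin that, and the call can return `NULL`, which should be checked before `g_build_filename`. If the current lookup is intended, a comment such as `/* NULL: locale dir is resolved relative to the host executable, not this DLL */` would record it. The same code is added to `g_io_module_load` in proxy/libproxy/libproxy-module.c.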
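Review bot: `systemd_userdir = $(prefix)/lib/systemd/user` in proxy/libproxy/Makefile.am hard-codes the user unit directory. With a non-default `--prefix`, `glib-pacrunner.service` is installed where systemd may not search, and packagers cannot override the path. Consider having configure substitute the directory, e.g. `systemd_userdir = $(systemduserunitdir)`, and installing the unit only when one was chosen; the configure.ac part of this commit is not in this hunk, so some of this may already exist there.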
diff --git a/proxy/libproxy/glib-pacrunner.service.in b/proxy/libproxy/glib-pacrunner.service.in new file mode 100644 index 0000000..0f289de --- /dev/null +++ b/proxy/libproxy/glib-pacrunner.service.in @@ -0,0 +1,7 @@ +[Unit] +Description=GLib proxy auto-configuration service + +[Service] +Type=dbus +BusName=org.gtk.GLib.PACRunner +ExecStart=@libexecdir@/glib-pacrunner diff --git a/proxy/libproxy/glibpacrunner.c b/proxy/libproxy/glibpacrunner.c index 0e2cda5..2b88a1d 100644 --- a/proxy/libproxy/glibpacrunner.c +++ b/proxy/libproxy/glibpacrunner.c @@ -48,11 +48,14 @@ got_proxies (GObject *source, GError *error = NULL; proxies = g_proxy_resolver_lookup_finish (resolver, result, &error); - g_assert (!error); - - g_dbus_method_invocation_return_value (invocation, - g_variant_new ("(^as)", proxies)); - g_strfreev (proxies); + if (error) + g_dbus_method_invocation_take_error (invocation, error); + else + { + g_dbus_method_invocation_return_value (invocation, + g_variant_new ("(^as)", proxies)); + g_strfreev (proxies); + } } static void diff --git a/proxy/libproxy/glibproxyresolver.c b/proxy/libproxy/glibproxyresolver.c index 5daee5d..edbda64 100644 --- a/proxy/libproxy/glibproxyresolver.c +++ b/proxy/libproxy/glibproxyresolver.c @@ -170,6 +170,7 @@ g_libproxy_resolver_lookup (GProxyResolver *iresolver, gchar **proxies; task = g_task_new (resolver, cancellable, NULL, NULL); + g_task_set_source_tag (task, g_libproxy_resolver_lookup); g_task_set_task_data (task, g_strdup (uri), g_free); g_task_set_return_on_cancel (task, TRUE); @@ -190,6 +191,7 @@ g_libproxy_resolver_lookup_async (GProxyResolver *resolver, GTask *task; task = g_task_new (resolver, cancellable, callback, user_data); + g_task_set_source_tag (task, g_libproxy_resolver_lookup_async); g_task_set_task_data (task, g_strdup (uri), g_free); g_task_set_return_on_cancel (task, TRUE); g_task_run_in_thread (task, get_libproxy_proxies); 
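Review bot: The new unit in proxy/libproxy/glib-pacrunner.service.in starts `glib-pacrunner` with no restrictions in `[Service]`. If this helper evaluates proxy auto-configuration scripts obtained from the network, as the description suggests, it handles untrusted input and is worth confining. `NoNewPrivileges=yes` after `ExecStart=` is a low-risk first step; further sandboxing options need testing because support in user units varies. The unit also has no `[Install]` section, which suits pure bus activation through `SystemdService=` but deserves a comment such as `# Started by D-Bus activation only; intentionally no [Install] section`.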
diff --git a/proxy/libproxy/libproxy-module.c b/proxy/libproxy/libproxy-module.c index 6957644..11f36f1 100644 --- a/proxy/libproxy/libproxy-module.c +++ b/proxy/libproxy/libproxy-module.c @@ -21,13 +21,32 @@ #include "config.h" +#include + #include "glibproxyresolver.h" void g_io_module_load (GIOModule *module) { + gchar *locale_dir; +#ifdef G_OS_WIN32 + gchar *base_dir; +#endif + g_libproxy_resolver_register (module); + +#ifdef G_OS_WIN32 + base_dir = g_win32_get_package_installation_directory_of_module (NULL); + locale_dir = g_build_filename (base_dir, "share", "locale", NULL); + g_free (base_dir); +#else + locale_dir = g_strdup (LOCALE_DIR); +#endif + + bindtextdomain (GETTEXT_PACKAGE, locale_dir); + bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8"); + g_free (locale_dir); } void diff --git a/proxy/libproxy/org.gtk.GLib.PACRunner.service.in b/proxy/libproxy/org.gtk.GLib.PACRunner.service.in index df736ce..f1bd699 100644 --- a/proxy/libproxy/org.gtk.GLib.PACRunner.service.in +++ b/proxy/libproxy/org.gtk.GLib.PACRunner.service.in @@ -1,3 +1,4 @@ [D-BUS Service] Name=org.gtk.GLib.PACRunner Exec=@libexecdir@/glib-pacrunner +SystemdService=glib-pacrunner.service diff --git a/tap-driver.sh b/tap-driver.sh new file mode 100755 index 0000000..19aa531 --- /dev/null +++ b/tap-driver.sh 
@@ -0,0 +1,652 @@ +#! /bin/sh +# Copyright (C) 2011-2013 Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to or send patches to +# . + +scriptversion=2011-12-27.17; # UTC + +# Make unconditional expansion of undefined variables an error. This +# helps a lot in preventing typo-related bugs. +set -u + +me=tap-driver.sh + +fatal () +{ + echo "$me: fatal: $*" >&2 + exit 1 +} + +usage_error () +{ + echo "$me: $*" >&2 + print_usage >&2 + exit 2 +} + +print_usage () +{ + cat < + # + trap : 1 3 2 13 15 + if test $merge -gt 0; then + exec 2>&1 + else + exec 2>&3 + fi + "$@" + echo $? + ) | LC_ALL=C ${AM_TAP_AWK-awk} \ + -v me="$me" \ + -v test_script_name="$test_name" \ + -v log_file="$log_file" \ + -v trs_file="$trs_file" \ + -v expect_failure="$expect_failure" \ + -v merge="$merge" \ + -v ignore_exit="$ignore_exit" \ + -v comments="$comments" \ + -v diag_string="$diag_string" \ +' +# FIXME: the usages of "cat >&3" below could be optimized when using +# FIXME: GNU awk, and/on on systems that supports /dev/fd/. 
+ +# Implementation note: in what follows, `result_obj` will be an +# associative array that (partly) simulates a TAP result object +# from the `TAP::Parser` perl module. + +## ----------- ## +## FUNCTIONS ## +## ----------- ## + +function fatal(msg) +{ + print me ": " msg | "cat >&2" + exit 1 +} + +function abort(where) +{ + fatal("internal error " where) +} + +# Convert a boolean to a "yes"/"no" string. +function yn(bool) +{ + return bool ? "yes" : "no"; +} + +function add_test_result(result) +{ + if (!test_results_index) + test_results_index = 0 + test_results_list[test_results_index] = result + test_results_index += 1 + test_results_seen[result] = 1; +} + +# Whether the test script should be re-run by "make recheck". +function must_recheck() +{ + for (k in test_results_seen) + if (k != "XFAIL" && k != "PASS" && k != "SKIP") + return 1 + return 0 +} + +# Whether the content of the log file associated to this test should +# be copied into the "global" test-suite.log. +function copy_in_global_log() +{ + for (k in test_results_seen) + if (k != "PASS") + return 1 + return 0 +} + +# FIXME: this can certainly be improved ... +function get_global_test_result() +{ + if ("ERROR" in test_results_seen) + return "ERROR" + if ("FAIL" in test_results_seen || "XPASS" in test_results_seen) + return "FAIL" + all_skipped = 1 + for (k in test_results_seen) + if (k != "SKIP") + all_skipped = 0 + if (all_skipped) + return "SKIP" + return "PASS"; +} + +function stringify_result_obj(result_obj) +{ + if (result_obj["is_unplanned"] || result_obj["number"] != testno) + return "ERROR" + + if (plan_seen == LATE_PLAN) + return "ERROR" + + if (result_obj["directive"] == "TODO") + return result_obj["is_ok"] ? "XPASS" : "XFAIL" + + if (result_obj["directive"] == "SKIP") + return result_obj["is_ok"] ? "SKIP" : COOKED_FAIL; + + if (length(result_obj["directive"])) + abort("in function stringify_result_obj()") + + return result_obj["is_ok"] ? 
COOKED_PASS : COOKED_FAIL +} + +function decorate_result(result) +{ + color_name = color_for_result[result] + if (color_name) + return color_map[color_name] "" result "" color_map["std"] + # If we are not using colorized output, or if we do not know how + # to colorize the given result, we should return it unchanged. + return result +} + +function report(result, details) +{ + if (result ~ /^(X?(PASS|FAIL)|SKIP|ERROR)/) + { + msg = ": " test_script_name + add_test_result(result) + } + else if (result == "#") + { + msg = " " test_script_name ":" + } + else + { + abort("in function report()") + } + if (length(details)) + msg = msg " " details + # Output on console might be colorized. + print decorate_result(result) msg + # Log the result in the log file too, to help debugging (this is + # especially true when said result is a TAP error or "Bail out!"). + print result msg | "cat >&3"; +} + +function testsuite_error(error_message) +{ + report("ERROR", "- " error_message) +} + +function handle_tap_result() +{ + details = result_obj["number"]; + if (length(result_obj["description"])) + details = details " " result_obj["description"] + + if (plan_seen == LATE_PLAN) + { + details = details " # AFTER LATE PLAN"; + } + else if (result_obj["is_unplanned"]) + { + details = details " # UNPLANNED"; + } + else if (result_obj["number"] != testno) + { + details = sprintf("%s # OUT-OF-ORDER (expecting %d)", + details, testno); + } + else if (result_obj["directive"]) + { + details = details " # " result_obj["directive"]; + if (length(result_obj["explanation"])) + details = details " " result_obj["explanation"] + } + + report(stringify_result_obj(result_obj), details) +} + +# `skip_reason` should be empty whenever planned > 0. 
+function handle_tap_plan(planned, skip_reason) +{ + planned += 0 # Avoid getting confused if, say, `planned` is "00" + if (length(skip_reason) && planned > 0) + abort("in function handle_tap_plan()") + if (plan_seen) + { + # Error, only one plan per stream is acceptable. + testsuite_error("multiple test plans") + return; + } + planned_tests = planned + # The TAP plan can come before or after *all* the TAP results; we speak + # respectively of an "early" or a "late" plan. If we see the plan line + # after at least one TAP result has been seen, assume we have a late + # plan; in this case, any further test result seen after the plan will + # be flagged as an error. + plan_seen = (testno >= 1 ? LATE_PLAN : EARLY_PLAN) + # If testno > 0, we have an error ("too many tests run") that will be + # automatically dealt with later, so do not worry about it here. If + # $plan_seen is true, we have an error due to a repeated plan, and that + # has already been dealt with above. Otherwise, we have a valid "plan + # with SKIP" specification, and should report it as a particular kind + # of SKIP result. + if (planned == 0 && testno == 0) + { + if (length(skip_reason)) + skip_reason = "- " skip_reason; + report("SKIP", skip_reason); + } +} + +function extract_tap_comment(line) +{ + if (index(line, diag_string) == 1) + { + # Strip leading `diag_string` from `line`. + line = substr(line, length(diag_string) + 1) + # And strip any leading and trailing whitespace left. + sub("^[ \t]*", "", line) + sub("[ \t]*$", "", line) + # Return what is left (if any). + return line; + } + return ""; +} + +# When this function is called, we know that line is a TAP result line, +# so that it matches the (perl) RE "^(not )?ok\b". +function setup_result_obj(line) +{ + # Get the result, and remove it from the line. + result_obj["is_ok"] = (substr(line, 1, 2) == "ok" ? 
1 : 0) + sub("^(not )?ok[ \t]*", "", line) + + # If the result has an explicit number, get it and strip it; otherwise, + # automatically assing the next progresive number to it. + if (line ~ /^[0-9]+$/ || line ~ /^[0-9]+[^a-zA-Z0-9_]/) + { + match(line, "^[0-9]+") + # The final `+ 0` is to normalize numbers with leading zeros. + result_obj["number"] = substr(line, 1, RLENGTH) + 0 + line = substr(line, RLENGTH + 1) + } + else + { + result_obj["number"] = testno + } + + if (plan_seen == LATE_PLAN) + # No further test results are acceptable after a "late" TAP plan + # has been seen. + result_obj["is_unplanned"] = 1 + else if (plan_seen && testno > planned_tests) + result_obj["is_unplanned"] = 1 + else + result_obj["is_unplanned"] = 0 + + # Strip trailing and leading whitespace. + sub("^[ \t]*", "", line) + sub("[ \t]*$", "", line) + + # This will have to be corrected if we have a "TODO"/"SKIP" directive. + result_obj["description"] = line + result_obj["directive"] = "" + result_obj["explanation"] = "" + + if (index(line, "#") == 0) + return # No possible directive, nothing more to do. + + # Directives are case-insensitive. + rx = "[ \t]*#[ \t]*([tT][oO][dD][oO]|[sS][kK][iI][pP])[ \t]*" + + # See whether we have the directive, and if yes, where. + pos = match(line, rx "$") + if (!pos) + pos = match(line, rx "[^a-zA-Z0-9_]") + + # If there was no TAP directive, we have nothing more to do. + if (!pos) + return + + # Let`s now see if the TAP directive has been escaped. For example: + # escaped: ok \# SKIP + # not escaped: ok \\# SKIP + # escaped: ok \\\\\# SKIP + # not escaped: ok \ # SKIP + if (substr(line, pos, 1) == "#") + { + bslash_count = 0 + for (i = pos; i > 1 && substr(line, i - 1, 1) == "\\"; i--) + bslash_count += 1 + if (bslash_count % 2) + return # Directive was escaped. + } + + # Strip the directive and its explanation (if any) from the test + # description. 
+ result_obj["description"] = substr(line, 1, pos - 1) + # Now remove the test description from the line, that has been dealt + # with already. + line = substr(line, pos) + # Strip the directive, and save its value (normalized to upper case). + sub("^[ \t]*#[ \t]*", "", line) + result_obj["directive"] = toupper(substr(line, 1, 4)) + line = substr(line, 5) + # Now get the explanation for the directive (if any), with leading + # and trailing whitespace removed. + sub("^[ \t]*", "", line) + sub("[ \t]*$", "", line) + result_obj["explanation"] = line +} + +function get_test_exit_message(status) +{ + if (status == 0) + return "" + if (status !~ /^[1-9][0-9]*$/) + abort("getting exit status") + if (status < 127) + exit_details = "" + else if (status == 127) + exit_details = " (command not found?)" + else if (status >= 128 && status <= 255) + exit_details = sprintf(" (terminated by signal %d?)", status - 128) + else if (status > 256 && status <= 384) + # We used to report an "abnormal termination" here, but some Korn + # shells, when a child process die due to signal number n, can leave + # in $? an exit status of 256+n instead of the more standard 128+n. + # Apparently, both behaviours are allowed by POSIX (2008), so be + # prepared to handle them both. See also Austing Group report ID + # 0000051 + exit_details = sprintf(" (terminated by signal %d?)", status - 256) + else + # Never seen in practice. 
+ exit_details = " (abnormal termination)" + return sprintf("exited with status %d%s", status, exit_details) +} + +function write_test_results() +{ + print ":global-test-result: " get_global_test_result() > trs_file + print ":recheck: " yn(must_recheck()) > trs_file + print ":copy-in-global-log: " yn(copy_in_global_log()) > trs_file + for (i = 0; i < test_results_index; i += 1) + print ":test-result: " test_results_list[i] > trs_file + close(trs_file); +} + +BEGIN { + +## ------- ## +## SETUP ## +## ------- ## + +'"$init_colors"' + +# Properly initialized once the TAP plan is seen. +planned_tests = 0 + +COOKED_PASS = expect_failure ? "XPASS": "PASS"; +COOKED_FAIL = expect_failure ? "XFAIL": "FAIL"; + +# Enumeration-like constants to remember which kind of plan (if any) +# has been seen. It is important that NO_PLAN evaluates "false" as +# a boolean. +NO_PLAN = 0 +EARLY_PLAN = 1 +LATE_PLAN = 2 + +testno = 0 # Number of test results seen so far. +bailed_out = 0 # Whether a "Bail out!" directive has been seen. + +# Whether the TAP plan has been seen or not, and if yes, which kind +# it is ("early" is seen before any test result, "late" otherwise). +plan_seen = NO_PLAN + +## --------- ## +## PARSING ## +## --------- ## + +is_first_read = 1 + +while (1) + { + # Involutions required so that we are able to read the exit status + # from the last input line. + st = getline + if (st < 0) # I/O error. + fatal("I/O error while reading from input stream") + else if (st == 0) # End-of-input + { + if (is_first_read) + abort("in input loop: only one input line") + break + } + if (is_first_read) + { + is_first_read = 0 + nextline = $0 + continue + } + else + { + curline = nextline + nextline = $0 + $0 = curline + } + # Copy any input line verbatim into the log file. + print | "cat >&3" + # Parsing of TAP input should stop after a "Bail out!" directive. + if (bailed_out) + continue + + # TAP test result. 
+ if ($0 ~ /^(not )?ok$/ || $0 ~ /^(not )?ok[^a-zA-Z0-9_]/) + { + testno += 1 + setup_result_obj($0) + handle_tap_result() + } + # TAP plan (normal or "SKIP" without explanation). + else if ($0 ~ /^1\.\.[0-9]+[ \t]*$/) + { + # The next two lines will put the number of planned tests in $0. + sub("^1\\.\\.", "") + sub("[^0-9]*$", "") + handle_tap_plan($0, "") + continue + } + # TAP "SKIP" plan, with an explanation. + else if ($0 ~ /^1\.\.0+[ \t]*#/) + { + # The next lines will put the skip explanation in $0, stripping + # any leading and trailing whitespace. This is a little more + # tricky in truth, since we want to also strip a potential leading + # "SKIP" string from the message. + sub("^[^#]*#[ \t]*(SKIP[: \t][ \t]*)?", "") + sub("[ \t]*$", ""); + handle_tap_plan(0, $0) + } + # "Bail out!" magic. + # Older versions of prove and TAP::Harness (e.g., 3.17) did not + # recognize a "Bail out!" directive when preceded by leading + # whitespace, but more modern versions (e.g., 3.23) do. So we + # emulate the latter, "more modern" behaviour. + else if ($0 ~ /^[ \t]*Bail out!/) + { + bailed_out = 1 + # Get the bailout message (if any), with leading and trailing + # whitespace stripped. The message remains stored in `$0`. + sub("^[ \t]*Bail out![ \t]*", ""); + sub("[ \t]*$", ""); + # Format the error message for the + bailout_message = "Bail out!" + if (length($0)) + bailout_message = bailout_message " " $0 + testsuite_error(bailout_message) + } + # Maybe we have too look for dianogtic comments too. + else if (comments != 0) + { + comment = extract_tap_comment($0); + if (length(comment)) + report("#", comment); + } + } + +## -------- ## +## FINISH ## +## -------- ## + +# A "Bail out!" directive should cause us to ignore any following TAP +# error, as well as a non-zero exit status from the TAP producer. +if (!bailed_out) + { + if (!plan_seen) + { + testsuite_error("missing test plan") + } + else if (planned_tests != testno) + { + bad_amount = testno > planned_tests ? 
"many" : "few" + testsuite_error(sprintf("too %s tests run (expected %d, got %d)", + bad_amount, planned_tests, testno)) + } + if (!ignore_exit) + { + # Fetch exit status from the last line. + exit_message = get_test_exit_message(nextline) + if (exit_message) + testsuite_error(exit_message) + } + } + +write_test_results() + +exit 0 + +} # End of "BEGIN" block. +' + +# TODO: document that we consume the file descriptor 3 :-( +} 3>"$log_file" + +test $? -eq 0 || fatal "I/O or internal error" + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" +# End: diff --git a/tap-test b/tap-test new file mode 100755 index 0000000..481e333 --- /dev/null +++ b/tap-test @@ -0,0 +1,5 @@ +#! /bin/sh + +# run a GTest in tap mode. The test binary is passed as $1 + +$1 -k --tap diff --git a/tls/gnutls/gnutls-module.c b/tls/gnutls/gnutls-module.c index a725f9b..6a56a9a 100644 --- a/tls/gnutls/gnutls-module.c +++ b/tls/gnutls/gnutls-module.c @@ -15,11 +15,15 @@ * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see * . + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" #include +#include #include "gtlsbackend-gnutls.h" #include "gtlsbackend-gnutls-pkcs11.h" 
@@ -28,10 +32,27 @@ void g_io_module_load (GIOModule *module) { + gchar *locale_dir; +#ifdef G_OS_WIN32 + gchar *base_dir; +#endif + g_tls_backend_gnutls_register (module); #ifdef HAVE_PKCS11 g_tls_backend_gnutls_pkcs11_register (module); #endif + +#ifdef G_OS_WIN32 + base_dir = g_win32_get_package_installation_directory_of_module (NULL); + locale_dir = g_build_filename (base_dir, "share", "locale", NULL); + g_free (base_dir); +#else + locale_dir = g_strdup (LOCALE_DIR); +#endif + + bindtextdomain (GETTEXT_PACKAGE, locale_dir); + bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8"); + g_free (locale_dir); } void diff --git a/tls/gnutls/gtlsbackend-gnutls-pkcs11.c b/tls/gnutls/gtlsbackend-gnutls-pkcs11.c index 48be45e..680ab08 100644 --- a/tls/gnutls/gtlsbackend-gnutls-pkcs11.c +++ b/tls/gnutls/gtlsbackend-gnutls-pkcs11.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/gnutls/gtlsbackend-gnutls-pkcs11.h b/tls/gnutls/gtlsbackend-gnutls-pkcs11.h index 219a74c..f26d6ce 100644 --- a/tls/gnutls/gtlsbackend-gnutls-pkcs11.h +++ b/tls/gnutls/gtlsbackend-gnutls-pkcs11.h @@ -9,6 +9,9 @@ * * See the included COPYING file for more information. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/gnutls/gtlsbackend-gnutls.c b/tls/gnutls/gtlsbackend-gnutls.c index 55ec1a5..332ca05 100644 --- a/tls/gnutls/gtlsbackend-gnutls.c +++ b/tls/gnutls/gtlsbackend-gnutls.c 
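Review bot: `base_dir` is used without a NULL check in the `G_OS_WIN32` branch of `g_io_module_load`. `g_win32_get_package_installation_directory_of_module()` returns NULL when it cannot work out the directory, and `g_build_filename (NULL, ...)` appears to treat that NULL as the end of its argument list, so `locale_dir` would become an empty string passed to `bindtextdomain()`. Suggest guarding the two bind calls with `if (base_dir != NULL)`, or falling back to `LOCALE_DIR`. Passing NULL as the module handle also resolves the directory of the host executable rather than of this module, which deserves a comment such as `/* NULL: locale dir is resolved relative to the host application */` if that is intended.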
@@ -15,6 +15,9 @@ * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see * . + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" diff --git a/tls/gnutls/gtlsbackend-gnutls.h b/tls/gnutls/gtlsbackend-gnutls.h index 22caa00..4d6f24c 100644 --- a/tls/gnutls/gtlsbackend-gnutls.h +++ b/tls/gnutls/gtlsbackend-gnutls.h @@ -8,6 +8,9 @@ * your option) any later version. * * See the included COPYING file for more information. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #ifndef __G_TLS_BACKEND_GNUTLS_H__ diff --git a/tls/gnutls/gtlscertificate-gnutls-pkcs11.c b/tls/gnutls/gtlscertificate-gnutls-pkcs11.c index 38c4075..993bd5c 100644 --- a/tls/gnutls/gtlscertificate-gnutls-pkcs11.c +++ b/tls/gnutls/gtlscertificate-gnutls-pkcs11.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/gnutls/gtlscertificate-gnutls-pkcs11.h b/tls/gnutls/gtlscertificate-gnutls-pkcs11.h index 4e1df63..aaac044 100644 --- a/tls/gnutls/gtlscertificate-gnutls-pkcs11.h +++ b/tls/gnutls/gtlscertificate-gnutls-pkcs11.h @@ -9,6 +9,9 @@ * * See the included COPYING file for more information. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ @@ -18,6 +21,8 @@ #include #include +#include "gtlscertificate-gnutls.h" + G_BEGIN_DECLS #define G_TYPE_TLS_CERTIFICATE_GNUTLS_PKCS11 (g_tls_certificate_gnutls_pkcs11_get_type ()) 
diff --git a/tls/gnutls/gtlscertificate-gnutls.c b/tls/gnutls/gtlscertificate-gnutls.c index c2786e7..8dd0544 100644 --- a/tls/gnutls/gtlscertificate-gnutls.c +++ b/tls/gnutls/gtlscertificate-gnutls.c @@ -15,6 +15,9 @@ * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see * . + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" @@ -310,7 +313,7 @@ g_tls_certificate_gnutls_verify (GTlsCertificate *cert, gnutls_x509_crt_t *chain; GTlsCertificateFlags gtls_flags; time_t t, now; - + cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert); for (num_certs = 0; cert_gnutls; cert_gnutls = cert_gnutls->priv->issuer) num_certs++; 
@@ -370,24 +373,47 @@ g_tls_certificate_gnutls_real_copy (GTlsCertificateGnutls *gnutls, const gchar *interaction_id, gnutls_retr2_st *st) { + GTlsCertificateGnutls *chain; gnutls_x509_crt_t cert; gnutls_datum_t data; + guint num_certs = 0; size_t size = 0; + int status; - gnutls_x509_crt_export (gnutls->priv->cert, GNUTLS_X509_FMT_DER, - NULL, &size); - data.data = g_malloc (size); - data.size = size; - gnutls_x509_crt_export (gnutls->priv->cert, GNUTLS_X509_FMT_DER, - data.data, &size); + /* We will do this loop twice. It's probably more efficient than + * re-allocating memory. + */ + chain = gnutls; + while (chain != NULL) + { + num_certs++; + chain = chain->priv->issuer; + } - gnutls_x509_crt_init (&cert); - gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_DER); - g_free (data.data); + st->ncerts = 0; + st->cert.x509 = gnutls_malloc (sizeof (gnutls_x509_crt_t) * num_certs); - st->ncerts = 1; - st->cert.x509 = gnutls_malloc (sizeof (gnutls_x509_crt_t)); - st->cert.x509[0] = cert; + /* Now do the actual copy of the whole chain. */ + chain = gnutls; + while (chain != NULL) + { + gnutls_x509_crt_export (chain->priv->cert, GNUTLS_X509_FMT_DER, + NULL, &size); + data.data = g_malloc (size); + data.size = size; + gnutls_x509_crt_export (chain->priv->cert, GNUTLS_X509_FMT_DER, + data.data, &size); + + gnutls_x509_crt_init (&cert); + status = gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_DER); + g_warn_if_fail (status == 0); + g_free (data.data); + + st->cert.x509[st->ncerts] = cert; + st->ncerts++; + + chain = chain->priv->issuer; + } if (gnutls->priv->key != NULL) { 
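Review bot: A certificate that fails to import is still appended to `st->cert.x509` in the copy loop of `g_tls_certificate_gnutls_real_copy`. `g_warn_if_fail (status == 0)` only logs and `st->ncerts++` runs regardless, so GnuTLS would be handed an initialised-but-empty certificate as part of the chain. The results of `gnutls_malloc`, `gnutls_x509_crt_init` and both `gnutls_x509_crt_export` calls are unchecked as well, and `size` is not reset between iterations, so the sizing call with a NULL buffer starts from the previous certificate's length. Suggest `size = 0;` at the top of the loop body and, on import failure, `gnutls_x509_crt_deinit (cert); break;` so that only successfully imported certificates are counted. The function continues past the end of the hunk.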
@@ -485,7 +511,8 @@ static const struct { { GNUTLS_CERT_NOT_ACTIVATED, G_TLS_CERTIFICATE_NOT_ACTIVATED }, { GNUTLS_CERT_EXPIRED, G_TLS_CERTIFICATE_EXPIRED }, { GNUTLS_CERT_REVOKED, G_TLS_CERTIFICATE_REVOKED }, - { GNUTLS_CERT_INSECURE_ALGORITHM, G_TLS_CERTIFICATE_INSECURE } + { GNUTLS_CERT_INSECURE_ALGORITHM, G_TLS_CERTIFICATE_INSECURE }, + { GNUTLS_CERT_UNEXPECTED_OWNER, G_TLS_CERTIFICATE_BAD_IDENTITY } }; static const int flags_map_size = G_N_ELEMENTS (flags_map); @@ -519,9 +546,9 @@ g_tls_certificate_gnutls_convert_flags (guint gnutls_flags) return gtls_flags; } -GTlsCertificateFlags -g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls, - GSocketConnectable *identity) +static gboolean +verify_identity_hostname (GTlsCertificateGnutls *gnutls, + GSocketConnectable *identity) { const char *hostname; 
@@ -530,14 +557,72 @@ g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls, else if (G_IS_NETWORK_SERVICE (identity)) hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity)); else - hostname = NULL; + return FALSE; + + return gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname); +} + +static gboolean +verify_identity_ip (GTlsCertificateGnutls *gnutls, + GSocketConnectable *identity) +{ + GInetAddress *addr; + int i, ret = 0; + gsize addr_size; + const guint8 *addr_bytes; + + if (G_IS_INET_SOCKET_ADDRESS (identity)) + addr = g_object_ref (g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (identity))); + else { + const char *hostname; + + if (G_IS_NETWORK_ADDRESS (identity)) + hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity)); + else if (G_IS_NETWORK_SERVICE (identity)) + hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity)); + else + return FALSE; + + addr = g_inet_address_new_from_string (hostname); + if (!addr) + return FALSE; + } - if (hostname) + addr_bytes = g_inet_address_to_bytes (addr); + addr_size = g_inet_address_get_native_size (addr); + + for (i = 0; ret >= 0; i++) { - if (gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname)) - return 0; + char san[500]; + size_t san_size; + + san_size = sizeof (san); + ret = gnutls_x509_crt_get_subject_alt_name (gnutls->priv->cert, i, + san, &san_size, NULL); + + if ((ret == GNUTLS_SAN_IPADDRESS) && (addr_size == san_size)) + { + if (memcmp (addr_bytes, san, addr_size) == 0) + { + g_object_unref (addr); + return TRUE; + } + } } + g_object_unref (addr); + return FALSE; +} + +GTlsCertificateFlags +g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls, + GSocketConnectable *identity) +{ + if (verify_identity_hostname (gnutls, identity)) + return 0; + else if (verify_identity_ip (gnutls, identity)) + return 0; + /* FIXME: check sRVName and uniformResourceIdentifier * subjectAltNames, if appropriate for 
@identity. */ 
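Review bot: The SAN scan in `verify_identity_ip` stops on any negative return, because the loop condition is `ret >= 0`. A single subjectAltName entry larger than `char san[500]` makes `gnutls_x509_crt_get_subject_alt_name` return `GNUTLS_E_SHORT_MEMORY_BUFFER`, which ends the loop before later iPAddress entries are examined. This fails closed (the function returns FALSE and the caller reports a bad identity), but it rejects valid certificates whose address entry follows a long name or URI entry. An oversized entry cannot be a 4- or 16-byte address, so it is safe to skip it and keep scanning: `if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) ret = 0;` immediately after the call, leaving end-of-list and other errors to terminate the loop.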
@@ -570,3 +655,105 @@ g_tls_certificate_gnutls_get_bytes (GTlsCertificateGnutls *gnutls) g_object_get (gnutls, "certificate", &array, NULL); return g_byte_array_free_to_bytes (array); } + +static gnutls_x509_crt_t * +convert_data_to_gnutls_certs (const gnutls_datum_t *certs, + guint num_certs, + gnutls_x509_crt_fmt_t format) +{ + gnutls_x509_crt_t *gnutls_certs; + guint i; + + gnutls_certs = g_new (gnutls_x509_crt_t, num_certs); + + for (i = 0; i < num_certs; i++) + { + if (gnutls_x509_crt_init (&gnutls_certs[i]) < 0) + { + i--; + goto error; + } + } + + for (i = 0; i < num_certs; i++) + { + if (gnutls_x509_crt_import (gnutls_certs[i], &certs[i], format) < 0) + { + i = num_certs - 1; + goto error; + } + } + + return gnutls_certs; + +error: + for (; i != G_MAXUINT; i--) + gnutls_x509_crt_deinit (gnutls_certs[i]); + g_free (gnutls_certs); + return NULL; +} + +GTlsCertificateGnutls * +g_tls_certificate_gnutls_build_chain (const gnutls_datum_t *certs, + guint num_certs, + gnutls_x509_crt_fmt_t format) +{ + GPtrArray *glib_certs; + gnutls_x509_crt_t *gnutls_certs; + GTlsCertificateGnutls *issuer; + GTlsCertificateGnutls *result; + guint i, j; + + g_return_val_if_fail (certs, NULL); + + gnutls_certs = convert_data_to_gnutls_certs (certs, num_certs, format); + if (!gnutls_certs) + return NULL; + + glib_certs = g_ptr_array_new_full (num_certs, g_object_unref); + for (i = 0; i < num_certs; i++) + g_ptr_array_add (glib_certs, g_tls_certificate_gnutls_new (&certs[i], NULL)); + + /* Some servers send certs out of order, or will send duplicate + * certs, so we need to be careful when assigning the issuer of + * our new GTlsCertificateGnutls. 
+ */ + for (i = 0; i < num_certs; i++) + { + issuer = NULL; + + /* Check if the cert issued itself */ + if (gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[i])) + continue; + + if (i < num_certs - 1 && + gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[i + 1])) + { + issuer = glib_certs->pdata[i + 1]; + } + else + { + for (j = 0; j < num_certs; j++) + { + if (j != i && + gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[j])) + { + issuer = glib_certs->pdata[j]; + break; + } + } + } + + if (issuer) + g_tls_certificate_gnutls_set_issuer (glib_certs->pdata[i], issuer); + } + + result = g_object_ref (glib_certs->pdata[0]); + g_ptr_array_unref (glib_certs); + + for (i = 0; i < num_certs; i++) + gnutls_x509_crt_deinit (gnutls_certs[i]); + g_free (gnutls_certs); + + return result; +} diff --git a/tls/gnutls/gtlscertificate-gnutls.h b/tls/gnutls/gtlscertificate-gnutls.h index 94fddeb..d1439e7 100644 --- a/tls/gnutls/gtlscertificate-gnutls.h +++ b/tls/gnutls/gtlscertificate-gnutls.h @@ -8,6 +8,9 @@ * your option) any later version. * * See the included COPYING file for more information. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #ifndef __G_TLS_CERTIFICATE_GNUTLS_H__ @@ -71,6 +74,10 @@ void g_tls_certificate_gnutls_set_issuer (GTlsCerti GTlsCertificateGnutls* g_tls_certificate_gnutls_steal_issuer (GTlsCertificateGnutls *gnutls); +GTlsCertificateGnutls* g_tls_certificate_gnutls_build_chain (const gnutls_datum_t *certs, + guint num_certs, + gnutls_x509_crt_fmt_t format); + G_END_DECLS #endif /* __G_TLS_CERTIFICATE_GNUTLS_H___ */ diff --git a/tls/gnutls/gtlsclientconnection-gnutls.c b/tls/gnutls/gtlsclientconnection-gnutls.c index 07a3a00..d5d63fa 100644 --- a/tls/gnutls/gtlsclientconnection-gnutls.c +++ b/tls/gnutls/gtlsclientconnection-gnutls.c 
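Review bot: Nothing in `g_tls_certificate_gnutls_build_chain` prevents the issuer links from forming a cycle. Issuers are picked by `gnutls_x509_crt_check_issuer` matching alone on a peer-supplied list, and only the self-issued case is excluded, so a list in which certificates name one another as issuer would link them in a loop. Code that walks `priv->issuer` until NULL, such as the counting loops in `real_copy` and `verify` touched by this commit, would then not terminate, and the reference cycle would never be freed. The proposal below refuses a link whose candidate issuer already leads back to the certificate being linked; it relies on links assigned so far being acyclic, which the same check maintains.

```c
      /* … unchanged: issuer lookup via gnutls_x509_crt_check_issuer … */

      if (issuer)
        {
          GTlsCertificate *walk;

          /* Issuer links are chosen by name matching on peer-supplied
           * certificates; refuse a link that would close a loop.
           */
          for (walk = G_TLS_CERTIFICATE (issuer);
               walk != NULL;
               walk = g_tls_certificate_get_issuer (walk))
            {
              if (walk == glib_certs->pdata[i])
                {
                  issuer = NULL;
                  break;
                }
            }
        }

      if (issuer)
        g_tls_certificate_gnutls_set_issuer (glib_certs->pdata[i], issuer);
```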
@@ -15,6 +15,9 @@ * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see * . + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" @@ -39,6 +42,8 @@ enum PROP_ACCEPTED_CAS }; +static void g_tls_client_connection_gnutls_initable_interface_init (GInitableIface *iface); + static void g_tls_client_connection_gnutls_client_connection_interface_init (GTlsClientConnectionInterface *iface); static int g_tls_client_connection_gnutls_retrieve_function (gnutls_session_t session, @@ -48,7 +53,11 @@ static int g_tls_client_connection_gnutls_retrieve_function (gnutls_session_t int pk_algos_length, gnutls_retr2_st *st); +static GInitableIface *g_tls_client_connection_gnutls_parent_initable_iface; + G_DEFINE_TYPE_WITH_CODE (GTlsClientConnectionGnutls, g_tls_client_connection_gnutls, G_TYPE_TLS_CONNECTION_GNUTLS, + G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE, + g_tls_client_connection_gnutls_initable_interface_init) G_IMPLEMENT_INTERFACE (G_TYPE_TLS_CLIENT_CONNECTION, g_tls_client_connection_gnutls_client_connection_interface_init)); @@ -57,10 +66,13 @@ struct _GTlsClientConnectionGnutlsPrivate GTlsCertificateFlags validation_flags; GSocketConnectable *server_identity; gboolean use_ssl3; + gboolean session_data_override; GBytes *session_id; + GBytes *session_data; gboolean cert_requested; + GError *cert_error; GPtrArray *accepted_cas; }; 
@@ -137,16 +149,39 @@ g_tls_client_connection_gnutls_finalize (GObject *object) { GTlsClientConnectionGnutls *gnutls = G_TLS_CLIENT_CONNECTION_GNUTLS (object); - if (gnutls->priv->server_identity) - g_object_unref (gnutls->priv->server_identity); - if (gnutls->priv->accepted_cas) - g_ptr_array_unref (gnutls->priv->accepted_cas); - if (gnutls->priv->session_id) - g_bytes_unref (gnutls->priv->session_id); + g_clear_object (&gnutls->priv->server_identity); + g_clear_pointer (&gnutls->priv->accepted_cas, g_ptr_array_unref); + g_clear_pointer (&gnutls->priv->session_id, g_bytes_unref); + g_clear_pointer (&gnutls->priv->session_data, g_bytes_unref); + g_clear_error (&gnutls->priv->cert_error); G_OBJECT_CLASS (g_tls_client_connection_gnutls_parent_class)->finalize (object); } +static gboolean +g_tls_client_connection_gnutls_initable_init (GInitable *initable, + GCancellable *cancellable, + GError **error) +{ + GTlsConnectionGnutls *gnutls = G_TLS_CONNECTION_GNUTLS (initable); + gnutls_session_t session; + const gchar *hostname; + + if (!g_tls_client_connection_gnutls_parent_initable_iface-> + init (initable, cancellable, error)) + return FALSE; + + session = g_tls_connection_gnutls_get_session (gnutls); + hostname = get_server_identity (G_TLS_CLIENT_CONNECTION_GNUTLS (gnutls)); + if (hostname) + { + gnutls_server_name_set (session, GNUTLS_NAME_DNS, + hostname, strlen (hostname)); + } + + return TRUE; +} + static void g_tls_client_connection_gnutls_get_property (GObject *object, guint prop_id, @@ -215,8 +250,13 @@ g_tls_client_connection_gnutls_set_property (GObject *object, { gnutls_session_t session = g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (gnutls)); - gnutls_server_name_set (session, GNUTLS_NAME_DNS, - hostname, strlen (hostname)); + /* This will only be triggered if the identity is set after + * initialization */ + if (session) + { + gnutls_server_name_set (session, GNUTLS_NAME_DNS, + hostname, strlen (hostname)); + } } break; 
@@ -238,6 +278,7 @@ g_tls_client_connection_gnutls_retrieve_function (gnutls_session_t s gnutls_retr2_st *st) { GTlsClientConnectionGnutls *gnutls = gnutls_transport_get_ptr (session); + GTlsConnectionGnutls *conn = G_TLS_CONNECTION_GNUTLS (gnutls); GPtrArray *accepted_cas; GByteArray *dn; int i; @@ -257,7 +298,15 @@ g_tls_client_connection_gnutls_retrieve_function (gnutls_session_t s gnutls->priv->accepted_cas = accepted_cas; g_object_notify (G_OBJECT (gnutls), "accepted-cas"); - g_tls_connection_gnutls_get_certificate (G_TLS_CONNECTION_GNUTLS (gnutls), st); + g_tls_connection_gnutls_get_certificate (conn, st); + + if (st->ncerts == 0) + { + g_clear_error (&gnutls->priv->cert_error); + if (g_tls_connection_gnutls_request_certificate (conn, &gnutls->priv->cert_error)) + g_tls_connection_gnutls_get_certificate (conn, st); + } + return 0; } @@ -266,6 +315,8 @@ g_tls_client_connection_gnutls_failed (GTlsConnectionGnutls *conn) { GTlsClientConnectionGnutls *gnutls = G_TLS_CLIENT_CONNECTION_GNUTLS (conn); + gnutls->priv->session_data_override = FALSE; + g_clear_pointer (&gnutls->priv->session_data, g_bytes_unref); if (gnutls->priv->session_id) g_tls_backend_gnutls_remove_session (GNUTLS_CLIENT, gnutls->priv->session_id); } @@ -276,7 +327,13 @@ g_tls_client_connection_gnutls_begin_handshake (GTlsConnectionGnutls *conn) GTlsClientConnectionGnutls *gnutls = G_TLS_CLIENT_CONNECTION_GNUTLS (conn); /* Try to get a cached session */ - if (gnutls->priv->session_id) + if (gnutls->priv->session_data_override) + { + gnutls_session_set_data (g_tls_connection_gnutls_get_session (conn), + g_bytes_get_data (gnutls->priv->session_data, NULL), + g_bytes_get_size (gnutls->priv->session_data)); + } + else if (gnutls->priv->session_id) { GBytes *session_data; 
@@ -286,7 +343,8 @@ g_tls_client_connection_gnutls_begin_handshake (GTlsConnectionGnutls *conn) gnutls_session_set_data (g_tls_connection_gnutls_get_session (conn), g_bytes_get_data (session_data, NULL), g_bytes_get_size (session_data)); - g_bytes_unref (session_data); + g_clear_pointer (&gnutls->priv->session_data, g_bytes_unref); + gnutls->priv->session_data = session_data; } } @@ -298,6 +356,7 @@ g_tls_client_connection_gnutls_finish_handshake (GTlsConnectionGnutls *conn, GError **inout_error) { GTlsClientConnectionGnutls *gnutls = G_TLS_CLIENT_CONNECTION_GNUTLS (conn); + int resumed; g_assert (inout_error != NULL); 
@@ -305,27 +364,63 @@ g_tls_client_connection_gnutls_finish_handshake (GTlsConnectionGnutls *conn, gnutls->priv->cert_requested) { g_clear_error (inout_error); - g_set_error_literal (inout_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED, - _("Server required TLS certificate")); + if (gnutls->priv->cert_error) + { + *inout_error = gnutls->priv->cert_error; + gnutls->priv->cert_error = NULL; + } + else + { + g_set_error_literal (inout_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED, + _("Server required TLS certificate")); + } } - if (gnutls->priv->session_id) + resumed = gnutls_session_is_resumed (g_tls_connection_gnutls_get_session (conn)); + if (*inout_error || !resumed) + { + /* Clear session data since the server did not accept what we provided. */ + gnutls->priv->session_data_override = FALSE; + g_clear_pointer (&gnutls->priv->session_data, g_bytes_unref); + if (gnutls->priv->session_id) + g_tls_backend_gnutls_remove_session (GNUTLS_CLIENT, gnutls->priv->session_id); + } + + if (!*inout_error && !resumed) { gnutls_datum_t session_datum; - if (!*inout_error && - gnutls_session_get_data2 (g_tls_connection_gnutls_get_session (conn), - &session_datum) == 0) - { - GBytes *session_data = g_bytes_new_with_free_func (session_datum.data, session_datum.size, - (GDestroyNotify)gnutls_free, session_datum.data); + if (gnutls_session_get_data2 (g_tls_connection_gnutls_get_session (conn), + &session_datum) == 0) + { + gnutls->priv->session_data = g_bytes_new_with_free_func (session_datum.data, + session_datum.size, + (GDestroyNotify)gnutls_free, + session_datum.data); + + g_tls_backend_gnutls_store_session (GNUTLS_CLIENT, + gnutls->priv->session_id, + gnutls->priv->session_data); + } + } +} - g_tls_backend_gnutls_store_session (GNUTLS_CLIENT, gnutls->priv->session_id, - session_data); - g_bytes_unref (session_data); - } - else - g_tls_backend_gnutls_remove_session (GNUTLS_CLIENT, gnutls->priv->session_id); +static void 
+g_tls_client_connection_gnutls_copy_session_state (GTlsClientConnection *conn, + GTlsClientConnection *source) +{ + GTlsClientConnectionGnutls *gnutls = G_TLS_CLIENT_CONNECTION_GNUTLS (conn); + GTlsClientConnectionGnutls *gnutls_source = G_TLS_CLIENT_CONNECTION_GNUTLS (source); + + if (gnutls_source->priv->session_data) + { + gnutls->priv->session_data_override = TRUE; + gnutls->priv->session_data = g_bytes_ref (gnutls_source->priv->session_data); + + if (gnutls->priv->session_id) + g_tls_backend_gnutls_store_session (GNUTLS_CLIENT, + gnutls->priv->session_id, + gnutls->priv->session_data); } } @@ -355,4 +450,13 @@ g_tls_client_connection_gnutls_class_init (GTlsClientConnectionGnutlsClass *klas static void g_tls_client_connection_gnutls_client_connection_interface_init (GTlsClientConnectionInterface *iface) { + iface->copy_session_state = g_tls_client_connection_gnutls_copy_session_state; +} + +static void +g_tls_client_connection_gnutls_initable_interface_init (GInitableIface *iface) +{ + g_tls_client_connection_gnutls_parent_initable_iface = g_type_interface_peek_parent (iface); + + iface->init = g_tls_client_connection_gnutls_initable_init; } diff --git a/tls/gnutls/gtlsclientconnection-gnutls.h b/tls/gnutls/gtlsclientconnection-gnutls.h index a01a132..b8898ae 100644 --- a/tls/gnutls/gtlsclientconnection-gnutls.h +++ b/tls/gnutls/gtlsclientconnection-gnutls.h @@ -8,6 +8,9 @@ * your option) any later version. * * See the included COPYING file for more information. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #ifndef __G_TLS_CLIENT_CONNECTION_GNUTLS_H__ diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c index 35bcaad..ca4730b 100644 --- a/tls/gnutls/gtlsconnection-gnutls.c +++ b/tls/gnutls/gtlsconnection-gnutls.c 
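Review bot: The `g_tls_backend_gnutls_store_session` call in `g_tls_client_connection_gnutls_finish_handshake` no longer sits under the `if (gnutls->priv->session_id)` guard the old code had. The removal call in this hunk and the store call in `copy_session_state` both still check it, so a connection without a session id would pass a NULL key to the session cache. Suggest restoring the guard, `if (gnutls->priv->session_id) g_tls_backend_gnutls_store_session (...)`. In `g_tls_client_connection_gnutls_copy_session_state`, `gnutls->priv->session_data` is overwritten with a new reference without releasing one the destination may already hold. Adding `g_clear_pointer (&gnutls->priv->session_data, g_bytes_unref);` before the assignment avoids leaking cached resumption data. `finish_handshake` begins before the hunk.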
@@ -15,12 +15,16 @@ * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see * . + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" #include "glib.h" #include +#include #include #include @@ -36,6 +40,16 @@ #include "pkcs11/gpkcs11pin.h" #endif +#ifdef G_OS_WIN32 +#include +#include + +/* It isn’t clear whether MinGW always defines EMSGSIZE. */ +#ifndef EMSGSIZE +#define EMSGSIZE WSAEMSGSIZE +#endif +#endif + #include static ssize_t g_tls_connection_gnutls_push_func (gnutls_transport_ptr_t transport_data, @@ -110,9 +124,9 @@ struct _GTlsConnectionGnutlsPrivate gboolean database_is_unset; /* need_handshake means the next claim_op() will get diverted into - * an implicit handshake (unless it's an OP_HANDSHAKE or OP_CLOSE). + * an implicit handshake (unless it's an OP_HANDSHAKE or OP_CLOSE*). * need_finish_handshake means the next claim_op() will get diverted - * into finish_handshake() (unless it's an OP_CLOSE). + * into finish_handshake() (unless it's an OP_CLOSE*). * * handshaking is TRUE as soon as a handshake thread is queued. For * a sync handshake it becomes FALSE after finish_handshake() @@ -136,7 +150,10 @@ struct _GTlsConnectionGnutlsPrivate GError *handshake_error; GByteArray *app_data_buf; - gboolean closing, closed; + /* read_closed means the read direction has closed; write_closed similarly. + * If (and only if) both are set, the entire GTlsConnection is closed. */ + gboolean read_closing, read_closed; + gboolean write_closing, write_closed; GInputStream *tls_istream; GOutputStream *tls_ostream; 
@@ -193,52 +210,93 @@ g_tls_connection_gnutls_init (GTlsConnectionGnutls *gnutls) g_mutex_init (&gnutls->priv->op_mutex); } -/* First field is "ssl3 only", second is "allow unsafe rehandshaking" */ +/* First field is "fallback", second is "allow unsafe rehandshaking" */ static gnutls_priority_t priorities[2][2]; +#define DEFAULT_BASE_PRIORITY "NORMAL:%COMPAT:%LATEST_RECORD_VERSION" + static void g_tls_connection_gnutls_init_priorities (void) { const gchar *base_priority; - gchar *ssl3_priority, *unsafe_rehandshake_priority, *ssl3_unsafe_rehandshake_priority; - int ret; + gchar *fallback_priority, *unsafe_rehandshake_priority, *fallback_unsafe_rehandshake_priority; + const guint *protos; + int ret, i, nprotos, fallback_proto; base_priority = g_getenv ("G_TLS_GNUTLS_PRIORITY"); if (!base_priority) - base_priority = "NORMAL:%COMPAT"; + base_priority = DEFAULT_BASE_PRIORITY; ret = gnutls_priority_init (&priorities[FALSE][FALSE], base_priority, NULL); if (ret == GNUTLS_E_INVALID_REQUEST) { g_warning ("G_TLS_GNUTLS_PRIORITY is invalid; ignoring!"); - base_priority = "NORMAL:%COMPAT"; - gnutls_priority_init (&priorities[FALSE][FALSE], base_priority, NULL); + base_priority = DEFAULT_BASE_PRIORITY; + ret = gnutls_priority_init (&priorities[FALSE][FALSE], base_priority, NULL); + g_warn_if_fail (ret == 0); } - ssl3_priority = g_strdup_printf ("%s:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0", base_priority); unsafe_rehandshake_priority = g_strdup_printf ("%s:%%UNSAFE_RENEGOTIATION", base_priority); - ssl3_unsafe_rehandshake_priority = g_strdup_printf ("%s:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0:%%UNSAFE_RENEGOTIATION", base_priority); + ret = gnutls_priority_init (&priorities[FALSE][TRUE], unsafe_rehandshake_priority, NULL); + g_warn_if_fail (ret == 0); + g_free (unsafe_rehandshake_priority); + + /* Figure out the lowest SSl/TLS version supported by base_priority */ + nprotos = gnutls_priority_protocol_list (priorities[FALSE][FALSE], &protos); + fallback_proto = G_MAXUINT; + for (i 
= 0; i < nprotos; i++) + { + if (protos[i] < fallback_proto) + fallback_proto = protos[i]; + } + if (fallback_proto == G_MAXUINT) + { + g_warning ("All GNUTLS protocol versions disabled?"); + fallback_priority = g_strdup (base_priority); + } + else + { + gchar *cleaned_base, *p, *rest; + + /* fallback_priority should be based on base_priority, except + * that we don't want %LATEST_RECORD_VERSION in it. + */ + cleaned_base = g_strdup (base_priority); + p = strstr (cleaned_base, ":%LATEST_RECORD_VERSION"); + if (p) + { + rest = p + strlen (":%LATEST_RECORD_VERSION"); + memmove (p, rest, strlen (rest) + 1); + } - gnutls_priority_init (&priorities[TRUE][FALSE], ssl3_priority, NULL); - gnutls_priority_init (&priorities[FALSE][TRUE], unsafe_rehandshake_priority, NULL); - gnutls_priority_init (&priorities[TRUE][TRUE], ssl3_unsafe_rehandshake_priority, NULL); + fallback_priority = g_strdup_printf ("%s:%%COMPAT:!VERS-TLS-ALL:+VERS-%s", + cleaned_base, + gnutls_protocol_get_name (fallback_proto)); - g_free (ssl3_priority); - g_free (unsafe_rehandshake_priority); - g_free (ssl3_unsafe_rehandshake_priority); + g_free (cleaned_base); + } + fallback_unsafe_rehandshake_priority = g_strdup_printf ("%s:%%UNSAFE_RENEGOTIATION", + fallback_priority); + + ret = gnutls_priority_init (&priorities[TRUE][FALSE], fallback_priority, NULL); + g_warn_if_fail (ret == 0); + ret = gnutls_priority_init (&priorities[TRUE][TRUE], fallback_unsafe_rehandshake_priority, NULL); + g_warn_if_fail (ret == 0); + g_free (fallback_priority); + g_free (fallback_unsafe_rehandshake_priority); } static void g_tls_connection_gnutls_set_handshake_priority (GTlsConnectionGnutls *gnutls) { - gboolean use_ssl3, unsafe_rehandshake; + gboolean fallback, unsafe_rehandshake; if (G_IS_TLS_CLIENT_CONNECTION (gnutls)) - use_ssl3 = g_tls_client_connection_get_use_ssl3 (G_TLS_CLIENT_CONNECTION (gnutls)); + fallback = g_tls_client_connection_get_use_ssl3 (G_TLS_CLIENT_CONNECTION (gnutls)); else - use_ssl3 = FALSE; + fallback = 
FALSE; unsafe_rehandshake = (gnutls->priv->rehandshake_mode == G_TLS_REHANDSHAKE_UNSAFELY); gnutls_priority_set (gnutls->priv->session, - priorities[use_ssl3][unsafe_rehandshake]); + priorities[fallback][unsafe_rehandshake]); } static gboolean @@ -247,15 +305,14 @@ g_tls_connection_gnutls_initable_init (GInitable *initable, GError **error) { GTlsConnectionGnutls *gnutls = G_TLS_CONNECTION_GNUTLS (initable); + gboolean client = G_IS_TLS_CLIENT_CONNECTION (gnutls); + guint flags = client ? GNUTLS_CLIENT : GNUTLS_SERVER; int status; g_return_val_if_fail (gnutls->priv->base_istream != NULL && gnutls->priv->base_ostream != NULL, FALSE); - /* Make sure gnutls->priv->session has been initialized (it may have - * already been initialized by a construct-time property setter). - */ - g_tls_connection_gnutls_get_session (gnutls); + gnutls_init (&gnutls->priv->session, flags); status = gnutls_credentials_set (gnutls->priv->session, GNUTLS_CRD_CERTIFICATE, @@ -268,11 +325,6 @@ g_tls_connection_gnutls_initable_init (GInitable *initable, return FALSE; } - /* Some servers (especially on embedded devices) use tiny keys that - * gnutls will reject by default. We want it to accept them. - */ - gnutls_dh_set_prime_bits (gnutls->priv->session, 256); - gnutls_transport_set_push_function (gnutls->priv->session, g_tls_connection_gnutls_push_func); gnutls_transport_set_pull_function (gnutls->priv->session, @@ -318,6 +370,14 @@ g_tls_connection_gnutls_finalize (GObject *object) g_clear_error (&gnutls->priv->read_error); g_clear_error (&gnutls->priv->write_error); + /* This must always be NULL at this, as it holds a referehce to @gnutls as + * its source object. However, we clear it anyway just in case this changes + * in future. */ + g_clear_object (&gnutls->priv->implicit_handshake); + + g_clear_object (&gnutls->priv->read_cancellable); + g_clear_object (&gnutls->priv->write_cancellable); + g_clear_object (&gnutls->priv->waiting_for_op); g_mutex_clear (&gnutls->priv->op_mutex); 
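Review bot: The fallback priority built in `g_tls_connection_gnutls_init_priorities` pins the connection to the single lowest protocol version that `base_priority` enables (`!VERS-TLS-ALL:+VERS-%s`), and `base_priority` may come from the `G_TLS_GNUTLS_PRIORITY` environment variable. As far as this hunk shows, nothing marks such a handshake as a downgraded retry. If the minimum supported GnuTLS provides the `%FALLBACK_SCSV` priority keyword, appending it to `fallback_priority` would let servers reject an unnecessary downgrade; please confirm availability first. Separately, `fallback_proto` is declared `int` but initialised from and compared with `G_MAXUINT` and the `guint` entries of `protos`, so `guint fallback_proto` would state the sentinel comparison directly. When a `gnutls_priority_init` call fails, `g_warn_if_fail` only logs and the affected `priorities[][]` slot is left unset for a later `gnutls_priority_set`.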
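Review bot: The return value of `gnutls_init (&gnutls->priv->session, flags)` is discarded in `g_tls_connection_gnutls_initable_init`, so a failed session allocation goes straight into `gnutls_credentials_set` with an unset session. `status` is already declared and an error return follows the credentials call, so `status = gnutls_init (&gnutls->priv->session, flags);` with an `if (status != 0)` branch that reports through the same path would keep the failure visible to the caller. This commit also removes lazy creation from `g_tls_connection_gnutls_get_session`, so callers that run before `init` now receive NULL. The `set_property` path guards for that; other callers are not visible here and should be checked. The function starts and ends outside the hunk.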
@@ -473,18 +533,6 @@ g_tls_connection_gnutls_get_credentials (GTlsConnectionGnutls *gnutls) gnutls_session_t g_tls_connection_gnutls_get_session (GTlsConnectionGnutls *gnutls) { - /* Ideally we would initialize gnutls->priv->session from - * g_tls_connection_gnutls_init(), but we can't tell if it's a - * client or server connection at that point... And - * g_tls_connection_gnutls_initiable_init() is too late, because - * construct-time property setters may need to modify it. - */ - if (!gnutls->priv->session) - { - gboolean client = G_IS_TLS_CLIENT_CONNECTION (gnutls); - gnutls_init (&gnutls->priv->session, client ? GNUTLS_CLIENT : GNUTLS_SERVER); - } - return gnutls->priv->session; } @@ -508,7 +556,9 @@ typedef enum { G_TLS_CONNECTION_GNUTLS_OP_HANDSHAKE, G_TLS_CONNECTION_GNUTLS_OP_READ, G_TLS_CONNECTION_GNUTLS_OP_WRITE, - G_TLS_CONNECTION_GNUTLS_OP_CLOSE, + G_TLS_CONNECTION_GNUTLS_OP_CLOSE_READ, + G_TLS_CONNECTION_GNUTLS_OP_CLOSE_WRITE, + G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH, } GTlsConnectionGnutlsOp; static gboolean @@ -524,7 +574,12 @@ claim_op (GTlsConnectionGnutls *gnutls, g_mutex_lock (&gnutls->priv->op_mutex); - if (gnutls->priv->closing || gnutls->priv->closed) + if (((op == G_TLS_CONNECTION_GNUTLS_OP_HANDSHAKE || + op == G_TLS_CONNECTION_GNUTLS_OP_READ) && + (gnutls->priv->read_closing || gnutls->priv->read_closed)) || + ((op == G_TLS_CONNECTION_GNUTLS_OP_HANDSHAKE || + op == G_TLS_CONNECTION_GNUTLS_OP_WRITE) && + (gnutls->priv->write_closing || gnutls->priv->write_closed))) { g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_CLOSED, _("Connection is closed")); 
@@ -532,7 +587,10 @@ claim_op (GTlsConnectionGnutls *gnutls, return FALSE; } - if (gnutls->priv->handshake_error && op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE) + if (gnutls->priv->handshake_error && + op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH && + op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_READ && + op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_WRITE) { if (error) *error = g_error_copy (gnutls->priv->handshake_error); @@ -540,10 +598,12 @@ claim_op (GTlsConnectionGnutls *gnutls, return FALSE; } - if (op != G_TLS_CONNECTION_GNUTLS_OP_HANDSHAKE && - op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE) + if (op != G_TLS_CONNECTION_GNUTLS_OP_HANDSHAKE) { - if (gnutls->priv->need_handshake) + if (op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH && + op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_READ && + op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_WRITE && + gnutls->priv->need_handshake) { gnutls->priv->need_handshake = FALSE; gnutls->priv->handshaking = TRUE; @@ -567,12 +627,17 @@ claim_op (GTlsConnectionGnutls *gnutls, g_clear_object (&gnutls->priv->implicit_handshake); g_mutex_lock (&gnutls->priv->op_mutex); - if (!success || g_cancellable_set_error_if_cancelled (cancellable, &my_error)) + if (op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH && + op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_READ && + op != G_TLS_CONNECTION_GNUTLS_OP_CLOSE_WRITE && + (!success || g_cancellable_set_error_if_cancelled (cancellable, &my_error))) { g_propagate_error (error, my_error); g_mutex_unlock (&gnutls->priv->op_mutex); return FALSE; } + + g_clear_error (&my_error); } } @@ -599,8 +664,11 @@ claim_op (GTlsConnectionGnutls *gnutls, nfds = 2; else nfds = 1; + g_poll (fds, nfds, -1); - g_cancellable_release_fd (cancellable); + + if (nfds > 1) + g_cancellable_release_fd (cancellable); goto try_again; } 
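Review bot: The test against all three G_TLS_CONNECTION_GNUTLS_OP_CLOSE_* values is written out by hand in this handshake_error check and again in the next two claim_op hunks (the need_handshake test and the implicit-handshake result check). The checks decide whether a close may proceed after a failed or pending handshake, so a fourth close op added later and missed in one of them would leave the state machine inconsistent. A small file-local predicate, for example `static gboolean op_is_close (GTlsConnectionGnutlsOp op)`, would keep the three sites in step and shorten each condition to `!op_is_close (op)`. claim_op starts and ends outside these hunks.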
@@ -610,8 +678,12 @@ claim_op (GTlsConnectionGnutls *gnutls, gnutls->priv->handshaking = TRUE; gnutls->priv->need_handshake = FALSE; } - if (op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE) - gnutls->priv->closing = TRUE; + if (op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH || + op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE_READ) + gnutls->priv->read_closing = TRUE; + if (op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH || + op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE_WRITE) + gnutls->priv->write_closing = TRUE; if (op != G_TLS_CONNECTION_GNUTLS_OP_WRITE) gnutls->priv->reading = TRUE; @@ -630,8 +702,12 @@ yield_op (GTlsConnectionGnutls *gnutls, if (op == G_TLS_CONNECTION_GNUTLS_OP_HANDSHAKE) gnutls->priv->handshaking = FALSE; - if (op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE) - gnutls->priv->closing = FALSE; + if (op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH || + op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE_READ) + gnutls->priv->read_closing = FALSE; + if (op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH || + op == G_TLS_CONNECTION_GNUTLS_OP_CLOSE_WRITE) + gnutls->priv->write_closing = FALSE; if (op != G_TLS_CONNECTION_GNUTLS_OP_WRITE) gnutls->priv->reading = FALSE; @@ -667,10 +743,19 @@ begin_gnutls_io (GTlsConnectionGnutls *gnutls, static int end_gnutls_io (GTlsConnectionGnutls *gnutls, - GIOCondition direction, - int status, - const char *errmsg, - GError **error) + GIOCondition direction, + int status, + GError **error, + const char *err_fmt, + ...) G_GNUC_PRINTF(5, 6); + +static int +end_gnutls_io (GTlsConnectionGnutls *gnutls, + GIOCondition direction, + int status, + GError **error, + const char *err_fmt, + ...) { GError *my_error = NULL; 
@@ -727,7 +812,8 @@ end_gnutls_io (GTlsConnectionGnutls *gnutls, if (my_error) { - if (!g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK)) + if (!g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK) && + !g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_TIMED_OUT)) G_TLS_CONNECTION_GNUTLS_GET_CLASS (gnutls)->failed (gnutls); g_propagate_error (error, my_error); return status; @@ -780,8 +866,11 @@ end_gnutls_io (GTlsConnectionGnutls *gnutls, if (error) { - g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC, - errmsg, gnutls_strerror (status)); + va_list ap; + + va_start (ap, err_fmt); + *error = g_error_new_valist (G_TLS_ERROR, G_TLS_ERROR_MISC, err_fmt, ap); + va_end (ap); } return status; } @@ -791,7 +880,7 @@ end_gnutls_io (GTlsConnectionGnutls *gnutls, do { #define END_GNUTLS_IO(gnutls, direction, ret, errmsg, err) \ - } while ((ret = end_gnutls_io (gnutls, direction, ret, errmsg, err)) == GNUTLS_E_AGAIN); + } while ((ret = end_gnutls_io (gnutls, direction, ret, err, errmsg, gnutls_strerror (ret))) == GNUTLS_E_AGAIN); gboolean g_tls_connection_gnutls_check (GTlsConnectionGnutls *gnutls, @@ -804,7 +893,11 @@ g_tls_connection_gnutls_check (GTlsConnectionGnutls *gnutls, /* If a handshake or close is in progress, then tls_istream and * tls_ostream are blocked, regardless of the base stream status. */ - if (gnutls->priv->handshaking || gnutls->priv->closing) + if (gnutls->priv->handshaking) + return FALSE; + + if (((condition & G_IO_IN) && gnutls->priv->read_closing) || + ((condition & G_IO_OUT) && gnutls->priv->write_closing)) return FALSE; if (condition & G_IO_IN) 
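Review bot: END_GNUTLS_IO now appends `gnutls_strerror (ret)` itself and passes `errmsg` to end_gnutls_io() as a printf format, so every `errmsg` given to the macro has to be a format with exactly one `%s`; nothing in the hunk states that contract. A comment above the macro would cover it, e.g. `/* errmsg is a printf format taking one %s, filled with gnutls_strerror (ret). */`. The G_GNUC_PRINTF(5, 6) annotation on end_gnutls_io only helps where the compiler can see the literal behind the translated string, so the comment is a cheap safeguard against a message with zero or two conversions.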
@@ -846,6 +939,10 @@ gnutls_source_sync (GTlsConnectionGnutlsSource *gnutls_source) GTlsConnectionGnutls *gnutls = gnutls_source->gnutls; gboolean io_waiting, op_waiting; + /* Was the source destroyed earlier in this main context iteration? */ + if (g_source_is_destroyed ((GSource *) gnutls_source)) + return; + g_mutex_lock (&gnutls->priv->op_mutex); if (((gnutls_source->condition & G_IO_IN) && gnutls->priv->reading) || ((gnutls_source->condition & G_IO_OUT) && gnutls->priv->writing) || @@ -994,6 +1091,8 @@ set_gnutls_error (GTlsConnectionGnutls *gnutls, gnutls_transport_set_errno (gnutls->priv->session, EINTR); else if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK)) gnutls_transport_set_errno (gnutls->priv->session, EINTR); + else if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_TIMED_OUT)) + gnutls_transport_set_errno (gnutls->priv->session, EINTR); else gnutls_transport_set_errno (gnutls->priv->session, EIO); } @@ -1052,29 +1151,22 @@ g_tls_connection_gnutls_push_func (gnutls_transport_ptr_t transport_data, return ret; } - static GTlsCertificate * get_peer_certificate_from_session (GTlsConnectionGnutls *gnutls) { - GTlsCertificate *chain, *cert; const gnutls_datum_t *certs; + GTlsCertificateGnutls *chain; unsigned int num_certs; - int i; certs = gnutls_certificate_get_peers (gnutls->priv->session, &num_certs); if (!certs || !num_certs) return NULL; - chain = NULL; - for (i = num_certs - 1; i >= 0; i--) - { - cert = g_tls_certificate_gnutls_new (&certs[i], chain); - if (chain) - g_object_unref (chain); - chain = cert; - } + chain = g_tls_certificate_gnutls_build_chain (certs, num_certs, GNUTLS_X509_FMT_DER); + if (!chain) + return NULL; - return chain; + return G_TLS_CERTIFICATE (chain); } static GTlsCertificateFlags 
@@ -1220,7 +1312,7 @@ accept_peer_certificate (GTlsConnectionGnutls *gnutls, GTlsCertificate *peer_certificate, GTlsCertificateFlags peer_certificate_errors) { - gboolean accepted; + gboolean accepted = FALSE; if (G_IS_TLS_CLIENT_CONNECTION (gnutls)) { @@ -1229,14 +1321,9 @@ accept_peer_certificate (GTlsConnectionGnutls *gnutls, if ((peer_certificate_errors & validation_flags) == 0) accepted = TRUE; - else - { - accepted = g_tls_connection_emit_accept_certificate (G_TLS_CONNECTION (gnutls), - peer_certificate, - peer_certificate_errors); - } } - else + + if (!accepted) { accepted = g_tls_connection_emit_accept_certificate (G_TLS_CONNECTION (gnutls), peer_certificate, @@ -1299,6 +1386,7 @@ g_tls_connection_gnutls_handshake (GTlsConnection *conn, GError *my_error = NULL; task = g_task_new (conn, cancellable, NULL, NULL); + g_task_set_source_tag (task, g_tls_connection_gnutls_handshake); begin_handshake (gnutls); g_task_run_in_thread_sync (task, handshake_thread); success = finish_handshake (gnutls, task, &my_error); @@ -1384,12 +1472,14 @@ g_tls_connection_gnutls_handshake_async (GTlsConnection *conn, GTask *thread_task, *caller_task; caller_task = g_task_new (conn, cancellable, callback, user_data); + g_task_set_source_tag (caller_task, g_tls_connection_gnutls_handshake_async); g_task_set_priority (caller_task, io_priority); begin_handshake (G_TLS_CONNECTION_GNUTLS (conn)); thread_task = g_task_new (conn, cancellable, handshake_thread_completed, caller_task); + g_task_set_source_tag (thread_task, g_tls_connection_gnutls_handshake_async); g_task_set_priority (thread_task, io_priority); g_task_run_in_thread (thread_task, async_handshake_thread); g_object_unref (thread_task); @@ -1414,6 +1504,8 @@ do_implicit_handshake (GTlsConnectionGnutls *gnutls, /* We have op_mutex */ gnutls->priv->implicit_handshake = g_task_new (gnutls, cancellable, NULL, NULL); + g_task_set_source_tag (gnutls->priv->implicit_handshake, + do_implicit_handshake); begin_handshake (gnutls); 
@@ -1533,47 +1625,88 @@ g_tls_connection_gnutls_get_output_stream (GIOStream *stream) return gnutls->priv->tls_ostream; } -static gboolean -g_tls_connection_gnutls_close (GIOStream *stream, - GCancellable *cancellable, - GError **error) +gboolean +g_tls_connection_gnutls_close_internal (GIOStream *stream, + GTlsDirection direction, + GCancellable *cancellable, + GError **error) { GTlsConnectionGnutls *gnutls = G_TLS_CONNECTION_GNUTLS (stream); - gboolean success; + GTlsConnectionGnutlsOp op; + gboolean success = TRUE; int ret = 0; + GError *gnutls_error = NULL, *stream_error = NULL; - if (!claim_op (gnutls, G_TLS_CONNECTION_GNUTLS_OP_CLOSE, - TRUE, cancellable, error)) - return FALSE; + /* This can be called from g_io_stream_close(), g_input_stream_close() or + * g_output_stream_close(). In all cases, we only do the gnutls_bye() for + * writing. The difference is how we set the flags on this class and how + * the underlying stream is closed. + */ - if (gnutls->priv->closed) - { - g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_CLOSED, - _("Connection is already closed")); - yield_op (gnutls, G_TLS_CONNECTION_GNUTLS_OP_CLOSE); - return FALSE; - } + g_return_val_if_fail (direction != G_TLS_DIRECTION_NONE, FALSE); - if (gnutls->priv->ever_handshaked) + if (direction == G_TLS_DIRECTION_BOTH) + op = G_TLS_CONNECTION_GNUTLS_OP_CLOSE_BOTH; + else if (direction == G_TLS_DIRECTION_READ) + op = G_TLS_CONNECTION_GNUTLS_OP_CLOSE_READ; + else + op = G_TLS_CONNECTION_GNUTLS_OP_CLOSE_WRITE; + + if (!claim_op (gnutls, op, TRUE, cancellable, error)) + return FALSE; + + if (gnutls->priv->ever_handshaked && !gnutls->priv->write_closed && + direction & G_TLS_DIRECTION_WRITE) { BEGIN_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, TRUE, cancellable); ret = gnutls_bye (gnutls->priv->session, GNUTLS_SHUT_WR); END_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, ret, - _("Error performing TLS close: %s"), error); - } + _("Error performing TLS close: %s"), &gnutls_error); - gnutls->priv->closed = TRUE; + 
gnutls->priv->write_closed = TRUE; + } + if (!gnutls->priv->read_closed && direction & G_TLS_DIRECTION_READ) + gnutls->priv->read_closed = TRUE; + + /* Close the underlying streams. Do this even if the gnutls_bye() call failed, + * as the parent GIOStream will have set its internal closed flag and hence + * this implementation will never be called again. */ + if (direction == G_TLS_DIRECTION_BOTH) + success = g_io_stream_close (gnutls->priv->base_io_stream, + cancellable, &stream_error); + else if (direction & G_TLS_DIRECTION_READ) + success = g_input_stream_close (g_io_stream_get_input_stream (gnutls->priv->base_io_stream), + cancellable, &stream_error); + else if (direction & G_TLS_DIRECTION_WRITE) + success = g_output_stream_close (g_io_stream_get_output_stream (gnutls->priv->base_io_stream), + cancellable, &stream_error); + + yield_op (gnutls, op); + + /* Propagate errors. */ if (ret != 0) { - yield_op (gnutls, G_TLS_CONNECTION_GNUTLS_OP_CLOSE); - return FALSE; + g_propagate_error (error, gnutls_error); + g_clear_error (&stream_error); + } + else if (!success) + { + g_propagate_error (error, stream_error); + g_clear_error (&gnutls_error); } - success = g_io_stream_close (gnutls->priv->base_io_stream, - cancellable, error); - yield_op (gnutls, G_TLS_CONNECTION_GNUTLS_OP_CLOSE); - return success; + return success && (ret == 0); +} + +static gboolean +g_tls_connection_gnutls_close (GIOStream *stream, + GCancellable *cancellable, + GError **error) +{ + return g_tls_connection_gnutls_close_internal (stream, + G_TLS_DIRECTION_BOTH, + cancellable, error); } /* We do async close as synchronous-in-a-thread so we don't need to @@ -1589,7 +1722,8 @@ close_thread (GTask *task, GIOStream *stream = object; GError *error = NULL; - if (!g_tls_connection_gnutls_close (stream, cancellable, &error)) + if (!g_tls_connection_gnutls_close_internal (stream, G_TLS_DIRECTION_BOTH, + cancellable, &error)) g_task_return_error (task, error); else g_task_return_boolean (task, TRUE); 
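Review bot: The block comment at the top of g_tls_connection_gnutls_close_internal says the gnutls_bye() is done "in all cases", but the guard `direction & G_TLS_DIRECTION_WRITE` skips it for a read-only close. Closing only the input side therefore sends no close_notify; it just sets `read_closed` and closes the base input stream. The comment should say so, for example `/* gnutls_bye() is only sent when the write direction is being closed; a read-only close just marks read_closed and closes the base input stream. */`. The same condition would read more safely as `(direction & G_TLS_DIRECTION_WRITE)` inside the `&&` chain, matching how g_tls_connection_gnutls_check parenthesises `(condition & G_IO_IN)`.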
@@ -1605,6 +1739,7 @@ g_tls_connection_gnutls_close_async (GIOStream *stream, GTask *task; task = g_task_new (stream, cancellable, callback, user_data); + g_task_set_source_tag (task, g_tls_connection_gnutls_close_async); g_task_set_priority (task, io_priority); g_task_run_in_thread (task, close_thread); g_object_unref (task); @@ -1659,6 +1794,7 @@ on_pin_prompt_callback (const char *pinfile, pin = NULL; break; case G_TLS_INTERACTION_UNHANDLED: + default: pin = NULL; break; case G_TLS_INTERACTION_HANDLED: @@ -1711,3 +1847,24 @@ g_tls_connection_gnutls_initable_iface_init (GInitableIface *iface) { iface->init = g_tls_connection_gnutls_initable_init; } + +gboolean +g_tls_connection_gnutls_request_certificate (GTlsConnectionGnutls *self, + GError **error) +{ + GTlsInteractionResult res = G_TLS_INTERACTION_UNHANDLED; + GTlsInteraction *interaction; + GTlsConnection *conn; + + g_return_val_if_fail (G_IS_TLS_CONNECTION_GNUTLS (self), FALSE); + + conn = G_TLS_CONNECTION (self); + + interaction = g_tls_connection_get_interaction (conn); + if (!interaction) + return FALSE; + + res = g_tls_interaction_invoke_request_certificate (interaction, conn, 0, + self->priv->read_cancellable, error); + return res != G_TLS_INTERACTION_FAILED; +} diff --git a/tls/gnutls/gtlsconnection-gnutls.h b/tls/gnutls/gtlsconnection-gnutls.h index 3aa8473..a7323a8 100644 --- a/tls/gnutls/gtlsconnection-gnutls.h +++ b/tls/gnutls/gtlsconnection-gnutls.h @@ -8,6 +8,9 @@ * your option) any later version. * * See the included COPYING file for more information. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #ifndef __G_TLS_CONNECTION_GNUTLS_H__ 
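Review bot: g_tls_connection_gnutls_request_certificate returns FALSE without filling `error` when no GTlsInteraction is set, yet returns TRUE when the interaction answers G_TLS_INTERACTION_UNHANDLED, so "nobody could supply a certificate" has two different results. Callers are outside this hunk, but one that reads `*error` after a FALSE return would find it unset on the first path. Either set an error on the `!interaction` branch or document the contract above the function, e.g. `/* Returns FALSE with @error unset when there is no interaction; TRUE for HANDLED and UNHANDLED. */`. The initial `res = G_TLS_INTERACTION_UNHANDLED` is overwritten before it is read and can be dropped.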
@@ -50,8 +53,12 @@ GType g_tls_connection_gnutls_get_type (void) G_GNUC_CONST; gnutls_certificate_credentials_t g_tls_connection_gnutls_get_credentials (GTlsConnectionGnutls *connection); gnutls_session_t g_tls_connection_gnutls_get_session (GTlsConnectionGnutls *connection); -void g_tls_connection_gnutls_get_certificate (GTlsConnectionGnutls *gnutls, - gnutls_retr2_st *st); + +void g_tls_connection_gnutls_get_certificate (GTlsConnectionGnutls *gnutls, + gnutls_retr2_st *st); + +gboolean g_tls_connection_gnutls_request_certificate (GTlsConnectionGnutls *gnutls, + GError **error); gssize g_tls_connection_gnutls_read (GTlsConnectionGnutls *gnutls, void *buffer, @@ -72,6 +79,19 @@ GSource *g_tls_connection_gnutls_create_source (GTlsConnectionGnutls *gnutls, GIOCondition condition, GCancellable *cancellable); +typedef enum { + G_TLS_DIRECTION_NONE = 0, + G_TLS_DIRECTION_READ = 1 << 0, + G_TLS_DIRECTION_WRITE = 1 << 1, +} GTlsDirection; + +#define G_TLS_DIRECTION_BOTH (G_TLS_DIRECTION_READ | G_TLS_DIRECTION_WRITE) + +gboolean g_tls_connection_gnutls_close_internal (GIOStream *stream, + GTlsDirection direction, + GCancellable *cancellable, + GError **error); + G_END_DECLS #endif /* __G_TLS_CONNECTION_GNUTLS_H___ */ diff --git a/tls/gnutls/gtlsdatabase-gnutls-pkcs11.c b/tls/gnutls/gtlsdatabase-gnutls-pkcs11.c index bc15709..919eccd 100644 --- a/tls/gnutls/gtlsdatabase-gnutls-pkcs11.c +++ b/tls/gnutls/gtlsdatabase-gnutls-pkcs11.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ 
@@ -37,11 +40,11 @@ #include "pkcs11/gpkcs11util.h" #include "pkcs11/pkcs11-trust-assertions.h" -const static CK_ATTRIBUTE_TYPE CERTIFICATE_ATTRIBUTE_TYPES[] = { +static const CK_ATTRIBUTE_TYPE CERTIFICATE_ATTRIBUTE_TYPES[] = { CKA_ID, CKA_LABEL, CKA_CLASS, CKA_VALUE }; -const static CK_ATTRIBUTE_TYPE KEY_ATTRIBUTE_TYPES[] = { +static const CK_ATTRIBUTE_TYPE KEY_ATTRIBUTE_TYPES[] = { CKA_ID, CKA_LABEL, CKA_CLASS, CKA_KEY_TYPE }; @@ -143,7 +146,7 @@ discover_module_slots_and_options (GTlsDatabaseGnutlsPkcs11 *self, } static GTlsCertificate * -create_database_pkcs11_certificate (GPkcs11Slot *slot, +create_database_pkcs11_certificate (GPkcs11Slot *slot, GPkcs11Array *certificate_attrs, GPkcs11Array *private_key_attrs) { @@ -209,7 +212,7 @@ create_database_pkcs11_certificate (GPkcs11Slot *slot, return certificate; } -static const gchar* +static const gchar * calculate_peer_for_identity (GSocketConnectable *identity) { const char *peer; 
@@ -255,56 +258,56 @@ g_tls_database_gnutls_pkcs11_init (GTlsDatabaseGnutlsPkcs11 *self) } static gboolean -accumulate_stop (gpointer result, - gpointer user_data) +accumulate_stop (gpointer result, + gpointer user_data) { return FALSE; /* stop enumeration */ } static gboolean -accumulate_exists (gpointer result, - gpointer user_data) +accumulate_exists (gpointer result, + gpointer user_data) { - gboolean *exists = (gboolean*)user_data; + gboolean *exists = (gboolean *)user_data; *exists = TRUE; return FALSE; /* stop enumeration */ } static gboolean -accumulate_first_attributes (gpointer result, - gpointer user_data) +accumulate_first_attributes (gpointer result, + gpointer user_data) { - GPkcs11Array** attributes = (GPkcs11Array**)user_data; + GPkcs11Array **attributes = (GPkcs11Array **)user_data; g_assert (attributes); *attributes = g_pkcs11_array_ref (result); return FALSE; /* stop enumeration */ } static gboolean -accumulate_list_attributes (gpointer result, - gpointer user_data) +accumulate_list_attributes (gpointer result, + gpointer user_data) { - GList **results = (GList**)user_data; + GList **results = (GList **)user_data; g_assert (results); *results = g_list_append (*results, g_pkcs11_array_ref (result)); return TRUE; /* continue enumeration */ } static gboolean -accumulate_first_object (gpointer result, - gpointer user_data) +accumulate_first_object (gpointer result, + gpointer user_data) { - GObject** object = (GObject**)user_data; + GObject **object = (GObject **)user_data; g_assert (object); *object = g_object_ref (result); return FALSE; /* stop enumeration */ } static gboolean -accumulate_list_objects (gpointer result, - gpointer user_data) +accumulate_list_objects (gpointer result, + gpointer user_data) { - GList **results = (GList**)user_data; + GList **results = (GList **)user_data; g_assert (results); *results = g_list_append (*results, g_object_ref (result)); return TRUE; /* continue enumeration */ 
@@ -312,8 +315,8 @@ accumulate_list_objects (gpointer result, static GPkcs11EnumerateState enumerate_call_accumulator (GPkcs11Accumulator accumulator, - gpointer result, - gpointer user_data) + gpointer result, + gpointer user_data) { g_assert (accumulator); @@ -324,13 +327,13 @@ enumerate_call_accumulator (GPkcs11Accumulator accumulator, } static GPkcs11EnumerateState -enumerate_assertion_exists_in_slot (GPkcs11Slot *slot, - GTlsInteraction *interaction, - GPkcs11Array *match, - GPkcs11Accumulator accumulator, - gpointer user_data, - GCancellable *cancellable, - GError **error) +enumerate_assertion_exists_in_slot (GPkcs11Slot *slot, + GTlsInteraction *interaction, + GPkcs11Array *match, + GPkcs11Accumulator accumulator, + gpointer user_data, + GCancellable *cancellable, + GError **error) { GPkcs11EnumerateState state; @@ -383,15 +386,14 @@ enumerate_assertion_exists_in_database (GTlsDatabaseGnutlsPkcs11 *self, } static gboolean -g_tls_database_gnutls_pkcs11_lookup_assertion (GTlsDatabaseGnutls *database, - GTlsCertificateGnutls *certificate, - GTlsDatabaseGnutlsAssertion assertion, - const gchar *purpose, - GSocketConnectable *identity, - GCancellable *cancellable, - GError **error) +g_tls_database_gnutls_pkcs11_lookup_assertion (GTlsDatabaseGnutlsPkcs11 *self, + GTlsCertificateGnutls *certificate, + GTlsDatabaseGnutlsAssertion assertion, + const gchar *purpose, + GSocketConnectable *identity, + GCancellable *cancellable, + GError **error) { - GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (database); GByteArray *der = NULL; gboolean found, ready; GPkcs11Array *match; 
@@ -437,13 +439,13 @@ g_tls_database_gnutls_pkcs11_lookup_assertion (GTlsDatabaseGnutls *data } static GPkcs11EnumerateState -enumerate_keypair_for_certificate (GPkcs11Slot *slot, - GTlsInteraction *interaction, - GPkcs11Array *match_certificate, - GPkcs11Accumulator accumulator, - gpointer user_data, - GCancellable *cancellable, - GError **error) +enumerate_keypair_for_certificate (GPkcs11Slot *slot, + GTlsInteraction *interaction, + GPkcs11Array *match_certificate, + GPkcs11Accumulator accumulator, + gpointer user_data, + GCancellable *cancellable, + GError **error) { static CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY; GPkcs11Array *private_key_attrs = NULL; @@ -500,14 +502,14 @@ enumerate_keypair_for_certificate (GPkcs11Slot *slot, } static GPkcs11EnumerateState -enumerate_keypairs_in_slot (GPkcs11Slot *slot, - GTlsInteraction *interaction, - CK_ATTRIBUTE_PTR match, - CK_ULONG match_count, - GPkcs11Accumulator accumulator, - gpointer user_data, - GCancellable *cancellable, - GError **error) +enumerate_keypairs_in_slot (GPkcs11Slot *slot, + GTlsInteraction *interaction, + CK_ATTRIBUTE_PTR match, + CK_ULONG match_count, + GPkcs11Accumulator accumulator, + gpointer user_data, + GCancellable *cancellable, + GError **error) { GPkcs11EnumerateState state; GList *results = NULL; @@ -573,14 +575,14 @@ accumulate_wrap_into_certificate (gpointer result, } static GPkcs11EnumerateState -enumerate_certificates_in_slot (GPkcs11Slot *slot, - GTlsInteraction *interaction, - CK_ATTRIBUTE_PTR match, - CK_ULONG match_count, - GPkcs11Accumulator accumulator, - gpointer user_data, - GCancellable *cancellable, - GError **error) +enumerate_certificates_in_slot (GPkcs11Slot *slot, + GTlsInteraction *interaction, + CK_ATTRIBUTE_PTR match, + CK_ULONG match_count, + GPkcs11Accumulator accumulator, + gpointer user_data, + GCancellable *cancellable, + GError **error) { enumerate_certificates_closure closure = { accumulator, user_data, slot }; 
@@ -599,16 +601,16 @@ enumerate_certificates_in_slot (GPkcs11Slot *slot, } static GPkcs11EnumerateState -enumerate_certificates_in_database (GTlsDatabaseGnutlsPkcs11 *self, - GTlsInteraction *interaction, - GTlsDatabaseLookupFlags flags, - CK_ATTRIBUTE_PTR match, - CK_ULONG match_count, - P11KitUri *match_slot_to_uri, - GPkcs11Accumulator accumulator, - gpointer user_data, - GCancellable *cancellable, - GError **error) +enumerate_certificates_in_database (GTlsDatabaseGnutlsPkcs11 *self, + GTlsInteraction *interaction, + GTlsDatabaseLookupFlags flags, + CK_ATTRIBUTE_PTR match, + CK_ULONG match_count, + P11KitUri *match_slot_to_uri, + GPkcs11Accumulator accumulator, + gpointer user_data, + GCancellable *cancellable, + GError **error) { GPkcs11EnumerateState state = G_PKCS11_ENUMERATE_CONTINUE; GPkcs11Slot *slot; @@ -650,13 +652,13 @@ enumerate_certificates_in_database (GTlsDatabaseGnutlsPkcs11 *self, return state; } -static GTlsCertificate* -g_tls_database_gnutls_pkcs11_lookup_certificate_issuer (GTlsDatabase *database, - GTlsCertificate *certificate, - GTlsInteraction *interaction, - GTlsDatabaseLookupFlags flags, - GCancellable *cancellable, - GError **error) +static GTlsCertificate * +g_tls_database_gnutls_pkcs11_lookup_certificate_issuer (GTlsDatabase *database, + GTlsCertificate *certificate, + GTlsInteraction *interaction, + GTlsDatabaseLookupFlags flags, + GCancellable *cancellable, + GError **error) { GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (database); GTlsCertificate *result = NULL; 
@@ -689,13 +691,13 @@ g_tls_database_gnutls_pkcs11_lookup_certificate_issuer (GTlsDatabase * return result; } -static GList* -g_tls_database_gnutls_pkcs11_lookup_certificates_issued_by (GTlsDatabase *database, - GByteArray *issuer_subject, - GTlsInteraction *interaction, - GTlsDatabaseLookupFlags flags, - GCancellable *cancellable, - GError **error) +static GList * +g_tls_database_gnutls_pkcs11_lookup_certificates_issued_by (GTlsDatabase *database, + GByteArray *issuer_subject, + GTlsInteraction *interaction, + GTlsDatabaseLookupFlags flags, + GCancellable *cancellable, + GError **error) { GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (database); GList *l, *results = NULL; @@ -726,9 +728,9 @@ g_tls_database_gnutls_pkcs11_lookup_certificates_issued_by (GTlsDatabase return results; } -static gchar* -g_tls_database_gnutls_pkcs11_create_certificate_handle (GTlsDatabase *database, - GTlsCertificate *certificate) +static gchar * +g_tls_database_gnutls_pkcs11_create_certificate_handle (GTlsDatabase *database, + GTlsCertificate *certificate) { GTlsCertificateGnutlsPkcs11 *pkcs11_cert; @@ -739,13 +741,13 @@ g_tls_database_gnutls_pkcs11_create_certificate_handle (GTlsDatabase return g_tls_certificate_gnutls_pkcs11_build_certificate_uri (pkcs11_cert, NULL); } -static GTlsCertificate* -g_tls_database_gnutls_pkcs11_lookup_certificate_for_handle (GTlsDatabase *database, - const gchar *handle, - GTlsInteraction *interaction, - GTlsDatabaseLookupFlags flags, - GCancellable *cancellable, - GError **error) +static GTlsCertificate * +g_tls_database_gnutls_pkcs11_lookup_certificate_for_handle (GTlsDatabase *database, + const gchar *handle, + GTlsInteraction *interaction, + GTlsDatabaseLookupFlags flags, + GCancellable *cancellable, + GError **error) { GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (database); GTlsCertificate *result = NULL; 
@@ -787,12 +789,289 @@ g_tls_database_gnutls_pkcs11_lookup_certificate_for_handle (GTlsDatabase return result; } +#define BUILD_CERTIFICATE_CHAIN_RECURSION_LIMIT 10 + +enum { + STATUS_FAILURE, + STATUS_INCOMPLETE, + STATUS_SELFSIGNED, + STATUS_ANCHORED, + STATUS_RECURSION_LIMIT_REACHED +}; + +static gboolean +is_self_signed (GTlsCertificateGnutls *certificate) +{ + const gnutls_x509_crt_t cert = g_tls_certificate_gnutls_get_cert (certificate); + return (gnutls_x509_crt_check_issuer (cert, cert) > 0); +} + +static gint +build_certificate_chain (GTlsDatabaseGnutlsPkcs11 *self, + GTlsCertificateGnutls *certificate, + GTlsCertificateGnutls *previous, + gboolean certificate_is_from_db, + guint recursion_depth, + const gchar *purpose, + GSocketConnectable *identity, + GTlsInteraction *interaction, + GCancellable *cancellable, + GTlsCertificateGnutls **anchor, + GError **error) +{ + GTlsCertificate *issuer; + gint status; + + if (recursion_depth++ > BUILD_CERTIFICATE_CHAIN_RECURSION_LIMIT) + return STATUS_RECURSION_LIMIT_REACHED; + + if (g_cancellable_set_error_if_cancelled (cancellable, error)) + return STATUS_FAILURE; + + /* Look up whether this certificate is an anchor */ + if (g_tls_database_gnutls_pkcs11_lookup_assertion (self, certificate, + G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE, + purpose, identity, cancellable, error)) + { + g_tls_certificate_gnutls_set_issuer (certificate, NULL); + *anchor = certificate; + return STATUS_ANCHORED; + } + else if (*error) + { + return STATUS_FAILURE; + } + + /* Is it self-signed? */ + if (is_self_signed (certificate)) + { + /* + * Since at this point we would fail with 'self-signed', can we replace + * this certificate with one from the database and do better? 
+ */ + if (previous && !certificate_is_from_db) + { + issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self), + G_TLS_CERTIFICATE (previous), + interaction, + G_TLS_DATABASE_LOOKUP_NONE, + cancellable, error); + if (*error) + { + return STATUS_FAILURE; + } + else if (issuer) + { + /* Replaced with certificate in the db, restart step again with this certificate */ + g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); + certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); + g_tls_certificate_gnutls_set_issuer (previous, certificate); + g_object_unref (issuer); + + return build_certificate_chain (self, certificate, previous, TRUE, recursion_depth, + purpose, identity, interaction, cancellable, anchor, error); + } + } + + g_tls_certificate_gnutls_set_issuer (certificate, NULL); + return STATUS_SELFSIGNED; + } + + previous = certificate; + + /* Bring over the next certificate in the chain */ + issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (certificate)); + if (issuer) + { + g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); + certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); + + status = build_certificate_chain (self, certificate, previous, FALSE, recursion_depth, + purpose, identity, interaction, cancellable, anchor, error); + if (status != STATUS_INCOMPLETE) + { + return status; + } + } + + /* Search for the next certificate in chain */ + issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self), + G_TLS_CERTIFICATE (certificate), + interaction, + G_TLS_DATABASE_LOOKUP_NONE, + cancellable, error); + if (*error) + return STATUS_FAILURE; + + if (!issuer) + return STATUS_INCOMPLETE; + + g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); + g_tls_certificate_gnutls_set_issuer (certificate, G_TLS_CERTIFICATE_GNUTLS (issuer)); + certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); + g_object_unref (issuer); + + return build_certificate_chain (self, certificate, 
previous, TRUE, recursion_depth, + purpose, identity, interaction, cancellable, anchor, error); +} + +static GTlsCertificateFlags +double_check_before_after_dates (GTlsCertificateGnutls *chain) +{ + GTlsCertificateFlags gtls_flags = 0; + gnutls_x509_crt_t cert; + time_t t, now; + + now = time (NULL); + while (chain) + { + cert = g_tls_certificate_gnutls_get_cert (chain); + t = gnutls_x509_crt_get_activation_time (cert); + if (t == (time_t) -1 || t > now) + gtls_flags |= G_TLS_CERTIFICATE_NOT_ACTIVATED; + + t = gnutls_x509_crt_get_expiration_time (cert); + if (t == (time_t) -1 || t < now) + gtls_flags |= G_TLS_CERTIFICATE_EXPIRED; + + chain = G_TLS_CERTIFICATE_GNUTLS (g_tls_certificate_get_issuer + (G_TLS_CERTIFICATE (chain))); + } + + return gtls_flags; +} + +static void +convert_certificate_chain_to_gnutls (GTlsCertificateGnutls *chain, + gnutls_x509_crt_t **gnutls_chain, + guint *gnutls_chain_length) +{ + GTlsCertificate *cert; + guint i; + + g_assert (gnutls_chain); + g_assert (gnutls_chain_length); + + for (*gnutls_chain_length = 0, cert = G_TLS_CERTIFICATE (chain); + cert; cert = g_tls_certificate_get_issuer (cert)) + ++(*gnutls_chain_length); + + *gnutls_chain = g_new0 (gnutls_x509_crt_t, *gnutls_chain_length); + + for (i = 0, cert = G_TLS_CERTIFICATE (chain); + cert; cert = g_tls_certificate_get_issuer (cert), ++i) + (*gnutls_chain)[i] = g_tls_certificate_gnutls_get_cert (G_TLS_CERTIFICATE_GNUTLS (cert)); + + g_assert (i == *gnutls_chain_length); +} + +static GTlsCertificateFlags +g_tls_database_gnutls_pkcs11_verify_chain (GTlsDatabase *database, + GTlsCertificate *chain, + const gchar *purpose, + GSocketConnectable *identity, + GTlsInteraction *interaction, + GTlsDatabaseVerifyFlags flags, + GCancellable *cancellable, + GError **error) +{ + GTlsDatabaseGnutlsPkcs11 *self; + GTlsCertificateFlags result; + GTlsCertificateGnutls *certificate; + GError *err = NULL; + GTlsCertificateGnutls *anchor; + guint gnutls_result; + gnutls_x509_crt_t *certs, *anchors; + 
guint certs_length, anchors_length; + gint status, gerr; + guint recursion_depth = 0; + + g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (chain), + G_TLS_CERTIFICATE_GENERIC_ERROR); + g_assert (purpose); + + self = G_TLS_DATABASE_GNUTLS_PKCS11 (database); + certificate = G_TLS_CERTIFICATE_GNUTLS (chain); + + /* First check for pinned certificate */ + if (g_tls_database_gnutls_pkcs11_lookup_assertion (self, certificate, + G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE, + purpose, identity, cancellable, &err)) + { + /* + * A pinned certificate is verified on its own, without any further + * verification. + */ + g_tls_certificate_gnutls_set_issuer (certificate, NULL); + return 0; + } + + if (err) + { + g_propagate_error (error, err); + return G_TLS_CERTIFICATE_GENERIC_ERROR; + } + + anchor = NULL; + status = build_certificate_chain (self, certificate, NULL, FALSE, recursion_depth, + purpose, identity, interaction, cancellable, &anchor, &err); + if (status == STATUS_FAILURE) + { + g_propagate_error (error, err); + return G_TLS_CERTIFICATE_GENERIC_ERROR; + } + + if (g_cancellable_set_error_if_cancelled (cancellable, error)) + return G_TLS_CERTIFICATE_GENERIC_ERROR; + + convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (chain), + &certs, &certs_length); + + if (anchor) + { + g_assert (g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (anchor)) == NULL); + convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (anchor), + &anchors, &anchors_length); + } + else + { + anchors = NULL; + anchors_length = 0; + } + + gerr = gnutls_x509_crt_list_verify (certs, certs_length, + anchors, anchors_length, + NULL, 0, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, + &gnutls_result); + + g_free (certs); + g_free (anchors); + + if (gerr != 0) + return G_TLS_CERTIFICATE_GENERIC_ERROR; + else if (g_cancellable_set_error_if_cancelled (cancellable, error)) + return G_TLS_CERTIFICATE_GENERIC_ERROR; + + result = g_tls_certificate_gnutls_convert_flags (gnutls_result); + + /* + * We have to 
check these ourselves since gnutls_x509_crt_list_verify + * won't bother if it gets an UNKNOWN_CA. + */ + result |= double_check_before_after_dates (G_TLS_CERTIFICATE_GNUTLS (chain)); + + if (identity) + result |= g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (chain), + identity); + + return result; +} + static void g_tls_database_gnutls_pkcs11_class_init (GTlsDatabaseGnutlsPkcs11Class *klass) { GObjectClass *gobject_class = G_OBJECT_CLASS (klass); GTlsDatabaseClass *database_class = G_TLS_DATABASE_CLASS (klass); - GTlsDatabaseGnutlsClass *gnutls_class = G_TLS_DATABASE_GNUTLS_CLASS (klass); g_type_class_add_private (klass, sizeof (GTlsDatabaseGnutlsPkcs11Private)); @@ -802,7 +1081,7 @@ g_tls_database_gnutls_pkcs11_class_init (GTlsDatabaseGnutlsPkcs11Class *klass) database_class->lookup_certificate_issuer = g_tls_database_gnutls_pkcs11_lookup_certificate_issuer; database_class->lookup_certificates_issued_by = g_tls_database_gnutls_pkcs11_lookup_certificates_issued_by; database_class->lookup_certificate_for_handle = g_tls_database_gnutls_pkcs11_lookup_certificate_for_handle; - gnutls_class->lookup_assertion = g_tls_database_gnutls_pkcs11_lookup_assertion; + database_class->verify_chain = g_tls_database_gnutls_pkcs11_verify_chain; } static gboolean @@ -860,7 +1139,7 @@ g_tls_database_gnutls_pkcs11_initable_iface_init (GInitableIface *iface) iface->init = g_tls_database_gnutls_pkcs11_initable_init; } -GTlsDatabase* +GTlsDatabase * g_tls_database_gnutls_pkcs11_new (GError **error) { g_return_val_if_fail (!error || !*error, NULL); diff --git a/tls/gnutls/gtlsdatabase-gnutls-pkcs11.h b/tls/gnutls/gtlsdatabase-gnutls-pkcs11.h index 0b31f10..a273d39 100644 --- a/tls/gnutls/gtlsdatabase-gnutls-pkcs11.h +++ b/tls/gnutls/gtlsdatabase-gnutls-pkcs11.h 
@@ -9,6 +9,9 @@
 *
 * See the included COPYING file for more information.
 *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
 * Author: Stef Walter
 */
diff --git a/tls/gnutls/gtlsdatabase-gnutls.c b/tls/gnutls/gtlsdatabase-gnutls.c
index 5ea7b24..7d25f59 100644
--- a/tls/gnutls/gtlsdatabase-gnutls.c
+++ b/tls/gnutls/gtlsdatabase-gnutls.c
@@ -16,342 +16,24 @@ * Public License along with this library; if not, see * . * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ #include "config.h" -#include -#include - #include "gtlsdatabase-gnutls.h" -#include "gtlscertificate-gnutls.h" - -#include - G_DEFINE_ABSTRACT_TYPE (GTlsDatabaseGnutls, g_tls_database_gnutls, G_TYPE_TLS_DATABASE); -enum { - STATUS_FAILURE, - STATUS_INCOMPLETE, - STATUS_SELFSIGNED, - STATUS_PINNED, - STATUS_ANCHORED, -}; - static void g_tls_database_gnutls_init (GTlsDatabaseGnutls *self) { - -} - -static gboolean -is_self_signed (GTlsCertificateGnutls *certificate) -{ - const gnutls_x509_crt_t cert = g_tls_certificate_gnutls_get_cert (certificate); - return (gnutls_x509_crt_check_issuer (cert, cert) > 0); -} - -static gint -build_certificate_chain (GTlsDatabaseGnutls *self, - GTlsCertificateGnutls *chain, - const gchar *purpose, - GSocketConnectable *identity, - GTlsInteraction *interaction, - GTlsDatabaseVerifyFlags flags, - GCancellable *cancellable, - GTlsCertificateGnutls **anchor, - GError **error) -{ - - GTlsCertificateGnutls *certificate; - GTlsCertificateGnutls *previous; - GTlsCertificate *issuer; - gboolean certificate_is_from_db; - - g_assert (anchor); - g_assert (chain); - g_assert (purpose); - g_assert (error); - g_assert (!*error); - - /* - * Remember that the first certificate never changes in the chain. - * When we find a self-signed, pinned or anchored certificate, all - * issuers are truncated from the chain. 
- */ - - *anchor = NULL; - previous = NULL; - certificate = chain; - certificate_is_from_db = FALSE; - - /* First check for pinned certificate */ - if (g_tls_database_gnutls_lookup_assertion (self, certificate, - G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE, - purpose, identity, cancellable, error)) - { - g_tls_certificate_gnutls_set_issuer (certificate, NULL); - return STATUS_PINNED; - } - else if (*error) - { - return STATUS_FAILURE; - } - - for (;;) - { - if (g_cancellable_set_error_if_cancelled (cancellable, error)) - return STATUS_FAILURE; - - /* Look up whether this certificate is an anchor */ - if (g_tls_database_gnutls_lookup_assertion (self, certificate, - G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE, - purpose, identity, cancellable, error)) - { - g_tls_certificate_gnutls_set_issuer (certificate, NULL); - *anchor = certificate; - return STATUS_ANCHORED; - } - else if (*error) - { - return STATUS_FAILURE; - } - - /* Is it self-signed? */ - if (is_self_signed (certificate)) - { - /* - * Since at this point we would fail with 'self-signed', can we replace - * this certificate with one from the database and do better? 
- */ - if (previous && !certificate_is_from_db) - { - issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self), - G_TLS_CERTIFICATE (previous), - interaction, - G_TLS_DATABASE_LOOKUP_NONE, - cancellable, error); - if (*error) - { - return STATUS_FAILURE; - } - else if (issuer) - { - /* Replaced with certificate in the db, restart step again with this certificate */ - g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); - g_tls_certificate_gnutls_set_issuer (previous, G_TLS_CERTIFICATE_GNUTLS (issuer)); - certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); - certificate_is_from_db = TRUE; - continue; - } - } - - g_tls_certificate_gnutls_set_issuer (certificate, NULL); - return STATUS_SELFSIGNED; - } - - previous = certificate; - - /* Bring over the next certificate in the chain */ - issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (certificate)); - if (issuer) - { - g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); - certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); - certificate_is_from_db = FALSE; - } - - /* Search for the next certificate in chain */ - else - { - issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self), - G_TLS_CERTIFICATE (certificate), - interaction, - G_TLS_DATABASE_LOOKUP_NONE, - cancellable, error); - if (*error) - return STATUS_FAILURE; - else if (!issuer) - return STATUS_INCOMPLETE; - - /* Found a certificate in chain, use for next step */ - g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); - g_tls_certificate_gnutls_set_issuer (certificate, G_TLS_CERTIFICATE_GNUTLS (issuer)); - certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); - certificate_is_from_db = TRUE; - g_object_unref (issuer); - } - } - - g_assert_not_reached (); -} - -static GTlsCertificateFlags -double_check_before_after_dates (GTlsCertificateGnutls *chain) -{ - GTlsCertificateFlags gtls_flags = 0; - gnutls_x509_crt_t cert; - time_t t, now; - - now = time (NULL); - 
while (chain) - { - cert = g_tls_certificate_gnutls_get_cert (chain); - t = gnutls_x509_crt_get_activation_time (cert); - if (t == (time_t) -1 || t > now) - gtls_flags |= G_TLS_CERTIFICATE_NOT_ACTIVATED; - - t = gnutls_x509_crt_get_expiration_time (cert); - if (t == (time_t) -1 || t < now) - gtls_flags |= G_TLS_CERTIFICATE_EXPIRED; - - chain = G_TLS_CERTIFICATE_GNUTLS (g_tls_certificate_get_issuer - (G_TLS_CERTIFICATE (chain))); - } - - return gtls_flags; -} - -static void -convert_certificate_chain_to_gnutls (GTlsCertificateGnutls *chain, - gnutls_x509_crt_t **gnutls_chain, - guint *gnutls_chain_length) -{ - GTlsCertificate *cert; - guint i; - - g_assert (gnutls_chain); - g_assert (gnutls_chain_length); - - for (*gnutls_chain_length = 0, cert = G_TLS_CERTIFICATE (chain); - cert; cert = g_tls_certificate_get_issuer (cert)) - ++(*gnutls_chain_length); - - *gnutls_chain = g_new0 (gnutls_x509_crt_t, *gnutls_chain_length); - - for (i = 0, cert = G_TLS_CERTIFICATE (chain); - cert; cert = g_tls_certificate_get_issuer (cert), ++i) - (*gnutls_chain)[i] = g_tls_certificate_gnutls_get_cert (G_TLS_CERTIFICATE_GNUTLS (cert)); - - g_assert (i == *gnutls_chain_length); -} - -static GTlsCertificateFlags -g_tls_database_gnutls_verify_chain (GTlsDatabase *database, - GTlsCertificate *chain, - const gchar *purpose, - GSocketConnectable *identity, - GTlsInteraction *interaction, - GTlsDatabaseVerifyFlags flags, - GCancellable *cancellable, - GError **error) -{ - GTlsDatabaseGnutls *self; - GTlsCertificateFlags result; - GError *err = NULL; - GTlsCertificateGnutls *anchor; - guint gnutls_result; - gnutls_x509_crt_t *certs, *anchors; - guint certs_length, anchors_length; - gint status, gerr; - - g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (chain), - G_TLS_CERTIFICATE_GENERIC_ERROR); - - self = G_TLS_DATABASE_GNUTLS (database); - anchor = NULL; - - status = build_certificate_chain (self, G_TLS_CERTIFICATE_GNUTLS (chain), purpose, - identity, interaction, flags, cancellable, 
&anchor, &err); - if (status == STATUS_FAILURE) - { - g_propagate_error (error, err); - return G_TLS_CERTIFICATE_GENERIC_ERROR; - } - - /* - * A pinned certificate is verified on its own, without any further - * verification. - */ - if (status == STATUS_PINNED) - return 0; - - if (g_cancellable_set_error_if_cancelled (cancellable, error)) - return G_TLS_CERTIFICATE_GENERIC_ERROR; - - convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (chain), - &certs, &certs_length); - - if (anchor) - { - g_assert (g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (anchor)) == NULL); - convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (anchor), - &anchors, &anchors_length); - } - else - { - anchors = NULL; - anchors_length = 0; - } - - gerr = gnutls_x509_crt_list_verify (certs, certs_length, - anchors, anchors_length, - NULL, 0, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, - &gnutls_result); - - g_free (certs); - g_free (anchors); - - if (gerr != 0) - return G_TLS_CERTIFICATE_GENERIC_ERROR; - else if (g_cancellable_set_error_if_cancelled (cancellable, error)) - return G_TLS_CERTIFICATE_GENERIC_ERROR; - - result = g_tls_certificate_gnutls_convert_flags (gnutls_result); - - /* - * We have to check these ourselves since gnutls_x509_crt_list_verify - * won't bother if it gets an UNKNOWN_CA. 
- */ - result |= double_check_before_after_dates (G_TLS_CERTIFICATE_GNUTLS (chain)); - - if (identity) - result |= g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (chain), - identity); - - return result; } static void g_tls_database_gnutls_class_init (GTlsDatabaseGnutlsClass *klass) { - GTlsDatabaseClass *database_class = G_TLS_DATABASE_CLASS (klass); - database_class->verify_chain = g_tls_database_gnutls_verify_chain; -} - -gboolean -g_tls_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *self, - GTlsCertificateGnutls *certificate, - GTlsDatabaseGnutlsAssertion assertion, - const gchar *purpose, - GSocketConnectable *identity, - GCancellable *cancellable, - GError **error) -{ - g_return_val_if_fail (G_IS_TLS_DATABASE_GNUTLS (self), FALSE); - g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (certificate), FALSE); - g_return_val_if_fail (purpose, FALSE); - g_return_val_if_fail (!identity || G_IS_SOCKET_CONNECTABLE (identity), FALSE); - g_return_val_if_fail (!cancellable || G_IS_CANCELLABLE (cancellable), FALSE); - g_return_val_if_fail (!error || !*error, FALSE); - g_return_val_if_fail (G_TLS_DATABASE_GNUTLS_GET_CLASS (self)->lookup_assertion, FALSE); - return G_TLS_DATABASE_GNUTLS_GET_CLASS (self)->lookup_assertion (self, - certificate, - assertion, - purpose, - identity, - cancellable, - error); } diff --git a/tls/gnutls/gtlsdatabase-gnutls.h b/tls/gnutls/gtlsdatabase-gnutls.h index 99752ff..ce668ff 100644 --- a/tls/gnutls/gtlsdatabase-gnutls.h +++ b/tls/gnutls/gtlsdatabase-gnutls.h @@ -9,6 +9,9 @@ * * See the included COPYING file for more information. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ 
@@ -40,32 +43,15 @@ typedef struct _GTlsDatabaseGnutls GTlsDatabaseGnutls; struct _GTlsDatabaseGnutlsClass { GTlsDatabaseClass parent_class; - - gboolean (*lookup_assertion) (GTlsDatabaseGnutls *self, - GTlsCertificateGnutls *certificate, - GTlsDatabaseGnutlsAssertion assertion, - const gchar *purpose, - GSocketConnectable *identity, - GCancellable *cancellable, - GError **error); }; struct _GTlsDatabaseGnutls { GTlsDatabase parent_instance; - GTlsDatabaseGnutlsPrivate *priv; }; GType g_tls_database_gnutls_get_type (void) G_GNUC_CONST; -gboolean g_tls_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *self, - GTlsCertificateGnutls *certificate, - GTlsDatabaseGnutlsAssertion assertion, - const gchar *purpose, - GSocketConnectable *identity, - GCancellable *cancellable, - GError **error); - G_END_DECLS #endif /* __G_TLS_DATABASE_GNUTLS_H___ */ diff --git a/tls/gnutls/gtlsfiledatabase-gnutls.c b/tls/gnutls/gtlsfiledatabase-gnutls.c index 9e1e03c..f4d252f 100644 --- a/tls/gnutls/gtlsfiledatabase-gnutls.c +++ b/tls/gnutls/gtlsfiledatabase-gnutls.c @@ -16,6 +16,9 @@ * Public License along with this library; if not, see * . * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ @@ -27,6 +30,8 @@ #include #include +#include "gtlscertificate-gnutls.h" + static void g_tls_file_database_gnutls_file_database_interface_init (GTlsFileDatabaseInterface *iface); static void g_tls_file_database_gnutls_initable_interface_init (GInitableIface *iface); @@ -36,7 +41,7 @@ G_DEFINE_TYPE_WITH_CODE (GTlsFileDatabaseGnutls, g_tls_file_database_gnutls, G_T g_tls_file_database_gnutls_file_database_interface_init); G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE, g_tls_file_database_gnutls_initable_interface_init); -); + ); enum { 
@@ -48,6 +53,7 @@ struct _GTlsFileDatabaseGnutlsPrivate { /* read-only after construct */ gchar *anchor_filename; + gnutls_x509_trust_list_t trust_list; /* protected by mutex */ GMutex mutex; @@ -118,7 +124,7 @@ bytes_multi_table_lookup_ref_all (GHashTable *table, { GPtrArray *multi; GList *list = NULL; - gint i; + guint i; multi = g_hash_table_lookup (table, key); if (multi == NULL) @@ -180,11 +186,11 @@ create_handles_array_unlocked (const gchar *filename, } static gboolean -load_anchor_file (const gchar *filename, - GHashTable *subjects, - GHashTable *issuers, - GHashTable *complete, - GError **error) +load_anchor_file (const gchar *filename, + GHashTable *subjects, + GHashTable *issuers, + GHashTable *complete, + GError **error) { GList *list, *l; gnutls_x509_crt_t cert; @@ -253,25 +259,15 @@ g_tls_file_database_gnutls_finalize (GObject *object) { GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (object); - if (self->priv->subjects) - g_hash_table_destroy (self->priv->subjects); - self->priv->subjects = NULL; - - if (self->priv->issuers) - g_hash_table_destroy (self->priv->issuers); - self->priv->issuers = NULL; - - if (self->priv->complete) - g_hash_table_destroy (self->priv->complete); - self->priv->complete = NULL; - - if (self->priv->handles) - g_hash_table_destroy (self->priv->handles); - self->priv->handles = NULL; - - g_free (self->priv->anchor_filename); - self->priv->anchor_filename = NULL; - + g_clear_pointer (&self->priv->subjects, g_hash_table_destroy); + g_clear_pointer (&self->priv->issuers, g_hash_table_destroy); + g_clear_pointer (&self->priv->complete, g_hash_table_destroy); + g_clear_pointer (&self->priv->handles, g_hash_table_destroy); + if (self->priv->anchor_filename) + { + g_free (self->priv->anchor_filename); + gnutls_x509_trust_list_deinit (self->priv->trust_list, 1); + } g_mutex_clear (&self->priv->mutex); G_OBJECT_CLASS (g_tls_file_database_gnutls_parent_class)->finalize (object); 
@@ -302,21 +298,29 @@ g_tls_file_database_gnutls_set_property (GObject *object, GParamSpec *pspec) { GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (object); - gchar *anchor_path; + const char *anchor_path; switch (prop_id) { case PROP_ANCHORS: - anchor_path = g_value_dup_string (value); + anchor_path = g_value_get_string (value); if (anchor_path && !g_path_is_absolute (anchor_path)) - { - g_warning ("The anchor file name for used with a GTlsFileDatabase " - "must be an absolute path, and not relative: %s", anchor_path); - } - else - { - self->priv->anchor_filename = anchor_path; - } + { + g_warning ("The anchor file name used with a GTlsFileDatabase " + "must be an absolute path, and not relative: %s", anchor_path); + return; + } + + if (self->priv->anchor_filename) + { + g_free (self->priv->anchor_filename); + gnutls_x509_trust_list_deinit (self->priv->trust_list, 1); + } + self->priv->anchor_filename = g_strdup (anchor_path); + gnutls_x509_trust_list_init (&self->priv->trust_list, 0); + gnutls_x509_trust_list_add_trust_file (self->priv->trust_list, + anchor_path, NULL, + GNUTLS_X509_FMT_PEM, 0, 0); break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); @@ -332,9 +336,9 @@ g_tls_file_database_gnutls_init (GTlsFileDatabaseGnutls *self) g_mutex_init (&self->priv->mutex); } -static gchar* -g_tls_file_database_gnutls_create_certificate_handle (GTlsDatabase *database, - GTlsCertificate *certificate) +static gchar * +g_tls_file_database_gnutls_create_certificate_handle (GTlsDatabase *database, + GTlsCertificate *certificate) { GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (database); GBytes *der; 
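Review bot: The return values of `gnutls_x509_trust_list_init` and `gnutls_x509_trust_list_add_trust_file` in the PROP_ANCHORS branch are discarded, so an unreadable or malformed anchor file leaves an empty trust list with no diagnostic, and presumably every chain is then reported as untrusted with nothing in the log to say why. At minimum report the load failure: `if (anchor_path && gnutls_x509_trust_list_add_trust_file (self->priv->trust_list, anchor_path, NULL, GNUTLS_X509_FMT_PEM, 0, 0) < 0) g_warning ("Failed to load trust anchors from %s", anchor_path);`. The `anchor_path &&` guard matters as well, because a NULL path passes the absolute-path test and is handed to GnuTLS as the file name. The list initialised for a NULL path is also never released, since the finalize hunk earlier in this file calls `gnutls_x509_trust_list_deinit` only when `anchor_filename` is set. The signature of set_property lies above the hunk.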
@@ -359,13 +363,13 @@ g_tls_file_database_gnutls_create_certificate_handle (GTlsDatabase *d return handle; } -static GTlsCertificate* -g_tls_file_database_gnutls_lookup_certificate_for_handle (GTlsDatabase *database, - const gchar *handle, - GTlsInteraction *interaction, - GTlsDatabaseLookupFlags flags, - GCancellable *cancellable, - GError **error) +static GTlsCertificate * +g_tls_file_database_gnutls_lookup_certificate_for_handle (GTlsDatabase *database, + const gchar *handle, + GTlsInteraction *interaction, + GTlsDatabaseLookupFlags flags, + GCancellable *cancellable, + GError **error) { GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (database); GTlsCertificate *cert; 
@@ -407,53 +411,13 @@ g_tls_file_database_gnutls_lookup_certificate_for_handle (GTlsDatabase return cert; } -static gboolean -g_tls_file_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *database, - GTlsCertificateGnutls *certificate, - GTlsDatabaseGnutlsAssertion assertion, - const gchar *purpose, - GSocketConnectable *identity, - GCancellable *cancellable, - GError **error) -{ - GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (database); - GBytes *der = NULL; - gboolean contains; - - if (g_cancellable_set_error_if_cancelled (cancellable, error)) - return FALSE; - - /* We only have anchored certificate assertions here */ - if (assertion != G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE) - return FALSE; - - /* - * TODO: We should be parsing any Extended Key Usage attributes and - * comparing them to the purpose. - */ - - der = g_tls_certificate_gnutls_get_bytes (certificate); - - g_mutex_lock (&self->priv->mutex); - contains = g_hash_table_lookup (self->priv->complete, der) ? TRUE : FALSE; - g_mutex_unlock (&self->priv->mutex); - - g_bytes_unref (der); - - if (g_cancellable_set_error_if_cancelled (cancellable, error)) - return FALSE; - - /* All certificates in our file are anchored certificates */ - return contains; -} - -static GTlsCertificate* -g_tls_file_database_gnutls_lookup_certificate_issuer (GTlsDatabase *database, - GTlsCertificate *certificate, - GTlsInteraction *interaction, - GTlsDatabaseLookupFlags flags, - GCancellable *cancellable, - GError **error) +static GTlsCertificate * +g_tls_file_database_gnutls_lookup_certificate_issuer (GTlsDatabase *database, + GTlsCertificate *certificate, + GTlsInteraction *interaction, + GTlsDatabaseLookupFlags flags, + GCancellable *cancellable, + GError **error) { GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (database); gnutls_datum_t dn = { NULL, 0 }; 
@@ -506,13 +470,13 @@ g_tls_file_database_gnutls_lookup_certificate_issuer (GTlsDatabase *da return issuer; } -static GList* -g_tls_file_database_gnutls_lookup_certificates_issued_by (GTlsDatabase *database, - GByteArray *issuer_raw_dn, - GTlsInteraction *interaction, - GTlsDatabaseLookupFlags flags, - GCancellable *cancellable, - GError **error) +static GList * +g_tls_file_database_gnutls_lookup_certificates_issued_by (GTlsDatabase *database, + GByteArray *issuer_raw_dn, + GTlsInteraction *interaction, + GTlsDatabaseLookupFlags flags, + GCancellable *cancellable, + GError **error) { GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (database); GBytes *issuer; 
@@ -557,11 +521,98 @@ g_tls_file_database_gnutls_lookup_certificates_issued_by (GTlsDatabase } static void +convert_certificate_chain_to_gnutls (GTlsCertificateGnutls *chain, + gnutls_x509_crt_t **gnutls_chain, + guint *gnutls_chain_length) +{ + GTlsCertificate *cert; + guint i; + + g_assert (gnutls_chain); + g_assert (gnutls_chain_length); + + for (*gnutls_chain_length = 0, cert = G_TLS_CERTIFICATE (chain); + cert; cert = g_tls_certificate_get_issuer (cert)) + ++(*gnutls_chain_length); + + *gnutls_chain = g_new0 (gnutls_x509_crt_t, *gnutls_chain_length); + + for (i = 0, cert = G_TLS_CERTIFICATE (chain); + cert; cert = g_tls_certificate_get_issuer (cert), ++i) + (*gnutls_chain)[i] = g_tls_certificate_gnutls_get_cert (G_TLS_CERTIFICATE_GNUTLS (cert)); + + g_assert (i == *gnutls_chain_length); +} + +static GTlsCertificateFlags +g_tls_file_database_gnutls_verify_chain (GTlsDatabase *database, + GTlsCertificate *chain, + const gchar *purpose, + GSocketConnectable *identity, + GTlsInteraction *interaction, + GTlsDatabaseVerifyFlags flags, + GCancellable *cancellable, + GError **error) +{ + GTlsFileDatabaseGnutls *self; + GTlsCertificateFlags result; + guint gnutls_result; + gnutls_x509_crt_t *certs; + guint certs_length; + const char *hostname = NULL; + char *free_hostname = NULL; + int gerr; + + g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (chain), + G_TLS_CERTIFICATE_GENERIC_ERROR); + g_assert (purpose); + + if (g_cancellable_set_error_if_cancelled (cancellable, error)) + return G_TLS_CERTIFICATE_GENERIC_ERROR; + + self = G_TLS_FILE_DATABASE_GNUTLS (database); + + convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (chain), + &certs, &certs_length); + gerr = gnutls_x509_trust_list_verify_crt (self->priv->trust_list, + certs, certs_length, + 0, &gnutls_result, NULL); + + if (gerr != 0 || g_cancellable_set_error_if_cancelled (cancellable, error)) + { + g_free (certs); + return G_TLS_CERTIFICATE_GENERIC_ERROR; + } + + result = 
g_tls_certificate_gnutls_convert_flags (gnutls_result); + + if (G_IS_NETWORK_ADDRESS (identity)) + hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity)); + else if (G_IS_NETWORK_SERVICE (identity)) + hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity)); + else if (G_IS_INET_SOCKET_ADDRESS (identity)) + { + GInetAddress *addr; + + addr = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (identity)); + hostname = free_hostname = g_inet_address_to_string (addr); + } + if (hostname) + { + if (!gnutls_x509_crt_check_hostname (certs[0], hostname)) + result |= G_TLS_CERTIFICATE_BAD_IDENTITY; + g_free (free_hostname); + } + + g_free (certs); + return result; +} + +static void g_tls_file_database_gnutls_class_init (GTlsFileDatabaseGnutlsClass *klass) { GObjectClass *gobject_class = G_OBJECT_CLASS (klass); GTlsDatabaseClass *database_class = G_TLS_DATABASE_CLASS (klass); - GTlsDatabaseGnutlsClass *gnutls_class = G_TLS_DATABASE_GNUTLS_CLASS (klass); g_type_class_add_private (klass, sizeof (GTlsFileDatabaseGnutlsPrivate)); @@ -573,7 +624,7 @@ g_tls_file_database_gnutls_class_init (GTlsFileDatabaseGnutlsClass *klass) database_class->lookup_certificate_for_handle = g_tls_file_database_gnutls_lookup_certificate_for_handle; database_class->lookup_certificate_issuer = g_tls_file_database_gnutls_lookup_certificate_issuer; database_class->lookup_certificates_issued_by = g_tls_file_database_gnutls_lookup_certificates_issued_by; - gnutls_class->lookup_assertion = g_tls_file_database_gnutls_lookup_assertion; + database_class->verify_chain = g_tls_file_database_gnutls_verify_chain; g_object_class_override_property (gobject_class, PROP_ANCHORS, "anchors"); } 
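Review bot: In g_tls_file_database_gnutls_verify_chain the identity check is skipped without setting any flag when `identity` is non-NULL but is not a GNetworkAddress, GNetworkService or GInetSocketAddress: `hostname` stays NULL and `result` is returned without G_TLS_CERTIFICATE_BAD_IDENTITY. A caller that passed an identity expects it to be enforced, so the chain of type tests should fail closed with a final `else if (identity) result |= G_TLS_CERTIFICATE_BAD_IDENTITY;`. Alternatively call `g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (chain), identity)` as the PKCS#11 verify_chain added in this same commit does, which would also keep the two backends consistent. Separately, `purpose` is asserted non-NULL but never consulted, so no key-usage restriction is applied on this path; a short comment above the `gnutls_x509_trust_list_verify_crt` call saying so would stop readers assuming otherwise.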
@@ -585,9 +636,9 @@ g_tls_file_database_gnutls_file_database_interface_init (GTlsFileDatabaseInterfa } static gboolean -g_tls_file_database_gnutls_initable_init (GInitable *initable, - GCancellable *cancellable, - GError **error) +g_tls_file_database_gnutls_initable_init (GInitable *initable, + GCancellable *cancellable, + GError **error) { GTlsFileDatabaseGnutls *self = G_TLS_FILE_DATABASE_GNUTLS (initable); GHashTable *subjects, *issuers, *complete; @@ -603,8 +654,11 @@ g_tls_file_database_gnutls_initable_init (GInitable *initable, (GDestroyNotify)g_bytes_unref, (GDestroyNotify)g_bytes_unref); - result = load_anchor_file (self->priv->anchor_filename, subjects, issuers, - complete, error); + if (self->priv->anchor_filename) + result = load_anchor_file (self->priv->anchor_filename, subjects, issuers, + complete, error); + else + result = TRUE; if (g_cancellable_set_error_if_cancelled (cancellable, error)) result = FALSE; diff --git a/tls/gnutls/gtlsfiledatabase-gnutls.h b/tls/gnutls/gtlsfiledatabase-gnutls.h index 83f4cfb..362e500 100644 --- a/tls/gnutls/gtlsfiledatabase-gnutls.h +++ b/tls/gnutls/gtlsfiledatabase-gnutls.h @@ -9,6 +9,9 @@ * * See the included COPYING file for more information. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/gnutls/gtlsinputstream-gnutls.c b/tls/gnutls/gtlsinputstream-gnutls.c index e102775..ca9cbe2 100644 --- a/tls/gnutls/gtlsinputstream-gnutls.c +++ b/tls/gnutls/gtlsinputstream-gnutls.c @@ -15,6 +15,9 @@ * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see * . + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" 
@@ -28,7 +31,7 @@ G_DEFINE_TYPE_WITH_CODE (GTlsInputStreamGnutls, g_tls_input_stream_gnutls, G_TYP struct _GTlsInputStreamGnutlsPrivate { - GTlsConnectionGnutls *conn; + GWeakRef weak_conn; }; static void @@ -36,16 +39,21 @@ g_tls_input_stream_gnutls_dispose (GObject *object) { GTlsInputStreamGnutls *stream = G_TLS_INPUT_STREAM_GNUTLS (object); - if (stream->priv->conn) - { - g_object_remove_weak_pointer (G_OBJECT (stream->priv->conn), - (gpointer *)&stream->priv->conn); - stream->priv->conn = NULL; - } + g_weak_ref_set (&stream->priv->weak_conn, NULL); G_OBJECT_CLASS (g_tls_input_stream_gnutls_parent_class)->dispose (object); } +static void +g_tls_input_stream_gnutls_finalize (GObject *object) +{ + GTlsInputStreamGnutls *stream = G_TLS_INPUT_STREAM_GNUTLS (object); + + g_weak_ref_clear (&stream->priv->weak_conn); + + G_OBJECT_CLASS (g_tls_input_stream_gnutls_parent_class)->finalize (object); +} + static gssize g_tls_input_stream_gnutls_read (GInputStream *stream, void *buffer, 
@@ -54,22 +62,33 @@ g_tls_input_stream_gnutls_read (GInputStream *stream, GError **error) { GTlsInputStreamGnutls *tls_stream = G_TLS_INPUT_STREAM_GNUTLS (stream); + GTlsConnectionGnutls *conn; + gssize ret; - g_return_val_if_fail (tls_stream->priv->conn != NULL, -1); + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + g_return_val_if_fail (conn != NULL, -1); - return g_tls_connection_gnutls_read (tls_stream->priv->conn, - buffer, count, TRUE, - cancellable, error); + ret = g_tls_connection_gnutls_read (conn, + buffer, count, TRUE, + cancellable, error); + g_object_unref (conn); + return ret; } static gboolean g_tls_input_stream_gnutls_pollable_is_readable (GPollableInputStream *pollable) { GTlsInputStreamGnutls *tls_stream = G_TLS_INPUT_STREAM_GNUTLS (pollable); + GTlsConnectionGnutls *conn; + gboolean ret; - g_return_val_if_fail (tls_stream->priv->conn != NULL, FALSE); + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + g_return_val_if_fail (conn != NULL, FALSE); - return g_tls_connection_gnutls_check (tls_stream->priv->conn, G_IO_IN); + ret = g_tls_connection_gnutls_check (conn, G_IO_IN); + + g_object_unref (conn); + return ret; } static GSource * @@ -77,12 +96,15 @@ g_tls_input_stream_gnutls_pollable_create_source (GPollableInputStream *pollable GCancellable *cancellable) { GTlsInputStreamGnutls *tls_stream = G_TLS_INPUT_STREAM_GNUTLS (pollable); + GTlsConnectionGnutls *conn; + GSource *ret; - g_return_val_if_fail (tls_stream->priv->conn != NULL, NULL); + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + g_return_val_if_fail (conn != NULL, NULL); - return g_tls_connection_gnutls_create_source (tls_stream->priv->conn, - G_IO_IN, - cancellable); + ret = g_tls_connection_gnutls_create_source (conn, G_IO_IN, cancellable); + g_object_unref (conn); + return ret; } static gssize 
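Review bot: `g_return_val_if_fail (conn != NULL, -1)` in g_tls_input_stream_gnutls_read now guards a condition that can occur in a correct program, because the weak reference resolves to NULL once the connection has been finalized. As written it returns -1 without setting `error`, and the check is compiled out under G_DISABLE_CHECKS, in which case NULL would be passed on to g_tls_connection_gnutls_read. Treat it as an ordinary runtime error instead: `if (conn == NULL) { g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_CLOSED, "Connection is closed"); return -1; }`. The same pattern appears in pollable_is_readable in this hunk, in pollable_create_source in the next hunk and in pollable_read_nonblocking further down; the two without a GError parameter can return FALSE or NULL after an explicit NULL test. The signature of read starts above the hunk.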
@@ -92,10 +114,96 @@ g_tls_input_stream_gnutls_pollable_read_nonblocking (GPollableInputStream *poll GError **error) { GTlsInputStreamGnutls *tls_stream = G_TLS_INPUT_STREAM_GNUTLS (pollable); + GTlsConnectionGnutls *conn; + gssize ret; + + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + g_return_val_if_fail (conn != NULL, -1); + + ret = g_tls_connection_gnutls_read (conn, buffer, size, FALSE, NULL, error); + + g_object_unref (conn); + return ret; +} + +static gboolean +g_tls_input_stream_gnutls_close (GInputStream *stream, + GCancellable *cancellable, + GError **error) +{ + GTlsInputStreamGnutls *tls_stream = G_TLS_INPUT_STREAM_GNUTLS (stream); + GIOStream *conn; + gboolean ret; + + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + + /* Special case here because this is called by the finalize + * of the main GTlsConnection object. + */ + if (conn == NULL) + return TRUE; + + ret = g_tls_connection_gnutls_close_internal (conn, G_TLS_DIRECTION_READ, + cancellable, error); + + g_object_unref (conn); + return ret; +} + +/* We do async close as synchronous-in-a-thread so we don't need to + * implement G_IO_IN/G_IO_OUT flip-flopping just for this one case + * (since handshakes are also done synchronously now). 
+ */ +static void +close_thread (GTask *task, + gpointer object, + gpointer task_data, + GCancellable *cancellable) +{ + GTlsInputStreamGnutls *tls_stream = object; + GError *error = NULL; + GIOStream *conn; + + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + + if (conn && !g_tls_connection_gnutls_close_internal (conn, + G_TLS_DIRECTION_READ, + cancellable, &error)) + g_task_return_error (task, error); + else + g_task_return_boolean (task, TRUE); + + if (conn) + g_object_unref (conn); +} + + +static void +g_tls_input_stream_gnutls_close_async (GInputStream *stream, + int io_priority, + GCancellable *cancellable, + GAsyncReadyCallback callback, + gpointer user_data) +{ + GTask *task; + + task = g_task_new (stream, cancellable, callback, user_data); + g_task_set_source_tag (task, g_tls_input_stream_gnutls_close_async); + g_task_set_priority (task, io_priority); + g_task_run_in_thread (task, close_thread); + g_object_unref (task); +} + +static gboolean +g_tls_input_stream_gnutls_close_finish (GInputStream *stream, + GAsyncResult *result, + GError **error) +{ + g_return_val_if_fail (g_task_is_valid (result, stream), FALSE); + g_return_val_if_fail (g_task_get_source_tag (G_TASK (result)) == + g_tls_input_stream_gnutls_close_async, FALSE); - return g_tls_connection_gnutls_read (tls_stream->priv->conn, - buffer, size, FALSE, - NULL, error); + return g_task_propagate_boolean (G_TASK (result), error); } static void 
@@ -107,8 +215,12 @@ g_tls_input_stream_gnutls_class_init (GTlsInputStreamGnutlsClass *klass) g_type_class_add_private (klass, sizeof (GTlsInputStreamGnutlsPrivate)); gobject_class->dispose = g_tls_input_stream_gnutls_dispose; + gobject_class->finalize = g_tls_input_stream_gnutls_finalize; input_stream_class->read_fn = g_tls_input_stream_gnutls_read; + input_stream_class->close_fn = g_tls_input_stream_gnutls_close; + input_stream_class->close_async = g_tls_input_stream_gnutls_close_async; + input_stream_class->close_finish = g_tls_input_stream_gnutls_close_finish; } static void @@ -131,9 +243,7 @@ g_tls_input_stream_gnutls_new (GTlsConnectionGnutls *conn) GTlsInputStreamGnutls *tls_stream; tls_stream = g_object_new (G_TYPE_TLS_INPUT_STREAM_GNUTLS, NULL); - tls_stream->priv->conn = conn; - g_object_add_weak_pointer (G_OBJECT (conn), - (gpointer *)&tls_stream->priv->conn); + g_weak_ref_init (&tls_stream->priv->weak_conn, conn); return G_INPUT_STREAM (tls_stream); } diff --git a/tls/gnutls/gtlsinputstream-gnutls.h b/tls/gnutls/gtlsinputstream-gnutls.h index a8dfc22..d95f7cb 100644 --- a/tls/gnutls/gtlsinputstream-gnutls.h +++ b/tls/gnutls/gtlsinputstream-gnutls.h @@ -8,6 +8,9 @@ * your option) any later version. * * See the included COPYING file for more information. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #ifndef __G_TLS_INPUT_STREAM_GNUTLS_H__ diff --git a/tls/gnutls/gtlsoutputstream-gnutls.c b/tls/gnutls/gtlsoutputstream-gnutls.c index 76bd09d..aa60f08 100644 --- a/tls/gnutls/gtlsoutputstream-gnutls.c +++ b/tls/gnutls/gtlsoutputstream-gnutls.c @@ -15,6 +15,9 @@ * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see * . + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" 
@@ -28,7 +31,7 @@ G_DEFINE_TYPE_WITH_CODE (GTlsOutputStreamGnutls, g_tls_output_stream_gnutls, G_T struct _GTlsOutputStreamGnutlsPrivate { - GTlsConnectionGnutls *conn; + GWeakRef weak_conn; }; static void @@ -36,16 +39,21 @@ g_tls_output_stream_gnutls_dispose (GObject *object) { GTlsOutputStreamGnutls *stream = G_TLS_OUTPUT_STREAM_GNUTLS (object); - if (stream->priv->conn) - { - g_object_remove_weak_pointer (G_OBJECT (stream->priv->conn), - (gpointer *)&stream->priv->conn); - stream->priv->conn = NULL; - } + g_weak_ref_set (&stream->priv->weak_conn, NULL); G_OBJECT_CLASS (g_tls_output_stream_gnutls_parent_class)->dispose (object); } +static void +g_tls_output_stream_gnutls_finalize (GObject *object) +{ + GTlsOutputStreamGnutls *stream = G_TLS_OUTPUT_STREAM_GNUTLS (object); + + g_weak_ref_clear (&stream->priv->weak_conn); + + G_OBJECT_CLASS (g_tls_output_stream_gnutls_parent_class)->finalize (object); +} + static gssize g_tls_output_stream_gnutls_write (GOutputStream *stream, const void *buffer, 
@@ -54,22 +62,33 @@ g_tls_output_stream_gnutls_write (GOutputStream *stream, GError **error) { GTlsOutputStreamGnutls *tls_stream = G_TLS_OUTPUT_STREAM_GNUTLS (stream); + GTlsConnectionGnutls *conn; + gssize ret; - g_return_val_if_fail (tls_stream->priv->conn != NULL, -1); + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + g_return_val_if_fail (conn != NULL, -1); - return g_tls_connection_gnutls_write (tls_stream->priv->conn, - buffer, count, TRUE, - cancellable, error); + ret = g_tls_connection_gnutls_write (conn, buffer, count, TRUE, + cancellable, error); + g_object_unref (conn); + return ret; } static gboolean g_tls_output_stream_gnutls_pollable_is_writable (GPollableOutputStream *pollable) { GTlsOutputStreamGnutls *tls_stream = G_TLS_OUTPUT_STREAM_GNUTLS (pollable); + GTlsConnectionGnutls *conn; + gboolean ret; + + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + g_return_val_if_fail (conn != NULL, FALSE); - g_return_val_if_fail (tls_stream->priv->conn != NULL, FALSE); + ret = g_tls_connection_gnutls_check (conn, G_IO_OUT); - return g_tls_connection_gnutls_check (tls_stream->priv->conn, G_IO_OUT); + g_object_unref (conn); + + return ret; } static GSource * @@ -77,12 +96,17 @@ g_tls_output_stream_gnutls_pollable_create_source (GPollableOutputStream *pollab GCancellable *cancellable) { GTlsOutputStreamGnutls *tls_stream = G_TLS_OUTPUT_STREAM_GNUTLS (pollable); + GTlsConnectionGnutls *conn; + GSource *ret; - g_return_val_if_fail (tls_stream->priv->conn != NULL, NULL); + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + g_return_val_if_fail (conn != NULL, NULL); - return g_tls_connection_gnutls_create_source (tls_stream->priv->conn, - G_IO_OUT, - cancellable); + ret = g_tls_connection_gnutls_create_source (conn, + G_IO_OUT, + cancellable); + g_object_unref (conn); + return ret; } static gssize 
@@ -92,10 +116,96 @@ g_tls_output_stream_gnutls_pollable_write_nonblocking (GPollableOutputStream *p GError **error) { GTlsOutputStreamGnutls *tls_stream = G_TLS_OUTPUT_STREAM_GNUTLS (pollable); + GTlsConnectionGnutls *conn; + gssize ret; + + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + g_return_val_if_fail (conn != NULL, -1); + + ret = g_tls_connection_gnutls_write (conn, buffer, size, FALSE, NULL, error); + + g_object_unref (conn); + return ret; +} + +static gboolean +g_tls_output_stream_gnutls_close (GOutputStream *stream, + GCancellable *cancellable, + GError **error) +{ + GTlsOutputStreamGnutls *tls_stream = G_TLS_OUTPUT_STREAM_GNUTLS (stream); + GIOStream *conn; + gboolean ret; + + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + + /* Special case here because this is called by the finalize + * of the main GTlsConnection object. + */ + if (conn == NULL) + return TRUE; + + ret = g_tls_connection_gnutls_close_internal (conn, G_TLS_DIRECTION_WRITE, + cancellable, error); + + g_object_unref (conn); + return ret; +} + +/* We do async close as synchronous-in-a-thread so we don't need to + * implement G_IO_IN/G_IO_OUT flip-flopping just for this one case + * (since handshakes are also done synchronously now). 
+ */ +static void +close_thread (GTask *task, + gpointer object, + gpointer task_data, + GCancellable *cancellable) +{ + GTlsOutputStreamGnutls *tls_stream = object; + GError *error = NULL; + GIOStream *conn; + + conn = g_weak_ref_get (&tls_stream->priv->weak_conn); + + if (conn && !g_tls_connection_gnutls_close_internal (conn, + G_TLS_DIRECTION_WRITE, + cancellable, &error)) + g_task_return_error (task, error); + else + g_task_return_boolean (task, TRUE); + + if (conn) + g_object_unref (conn); +} + + +static void +g_tls_output_stream_gnutls_close_async (GOutputStream *stream, + int io_priority, + GCancellable *cancellable, + GAsyncReadyCallback callback, + gpointer user_data) +{ + GTask *task; + + task = g_task_new (stream, cancellable, callback, user_data); + g_task_set_source_tag (task, g_tls_output_stream_gnutls_close_async); + g_task_set_priority (task, io_priority); + g_task_run_in_thread (task, close_thread); + g_object_unref (task); +} + +static gboolean +g_tls_output_stream_gnutls_close_finish (GOutputStream *stream, + GAsyncResult *result, + GError **error) +{ + g_return_val_if_fail (g_task_is_valid (result, stream), FALSE); + g_return_val_if_fail (g_task_get_source_tag (G_TASK (result)) == + g_tls_output_stream_gnutls_close_async, FALSE); - return g_tls_connection_gnutls_write (tls_stream->priv->conn, - buffer, size, FALSE, - NULL, error); + return g_task_propagate_boolean (G_TASK (result), error); } static void 
@@ -107,8 +217,12 @@ g_tls_output_stream_gnutls_class_init (GTlsOutputStreamGnutlsClass *klass) g_type_class_add_private (klass, sizeof (GTlsOutputStreamGnutlsPrivate)); gobject_class->dispose = g_tls_output_stream_gnutls_dispose; + gobject_class->finalize = g_tls_output_stream_gnutls_finalize; output_stream_class->write_fn = g_tls_output_stream_gnutls_write; + output_stream_class->close_fn = g_tls_output_stream_gnutls_close; + output_stream_class->close_async = g_tls_output_stream_gnutls_close_async; + output_stream_class->close_finish = g_tls_output_stream_gnutls_close_finish; } static void @@ -131,9 +245,7 @@ g_tls_output_stream_gnutls_new (GTlsConnectionGnutls *conn) GTlsOutputStreamGnutls *tls_stream; tls_stream = g_object_new (G_TYPE_TLS_OUTPUT_STREAM_GNUTLS, NULL); - tls_stream->priv->conn = conn; - g_object_add_weak_pointer (G_OBJECT (conn), - (gpointer *)&tls_stream->priv->conn); + g_weak_ref_init (&tls_stream->priv->weak_conn, conn); return G_OUTPUT_STREAM (tls_stream); } diff --git a/tls/gnutls/gtlsoutputstream-gnutls.h b/tls/gnutls/gtlsoutputstream-gnutls.h index 1501409..812cba3 100644 --- a/tls/gnutls/gtlsoutputstream-gnutls.h +++ b/tls/gnutls/gtlsoutputstream-gnutls.h @@ -8,6 +8,9 @@ * your option) any later version. * * See the included COPYING file for more information. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #ifndef __G_TLS_OUTPUT_STREAM_GNUTLS_H__ diff --git a/tls/gnutls/gtlsserverconnection-gnutls.c b/tls/gnutls/gtlsserverconnection-gnutls.c index 566b922..aea76fb 100644 --- a/tls/gnutls/gtlsserverconnection-gnutls.c +++ b/tls/gnutls/gtlsserverconnection-gnutls.c 
@@ -15,6 +15,9 @@ * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see * . + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" @@ -72,17 +75,11 @@ static void g_tls_server_connection_gnutls_init (GTlsServerConnectionGnutls *gnutls) { gnutls_certificate_credentials_t creds; - gnutls_session_t session; gnutls->priv = G_TYPE_INSTANCE_GET_PRIVATE (gnutls, G_TYPE_TLS_SERVER_CONNECTION_GNUTLS, GTlsServerConnectionGnutlsPrivate); creds = g_tls_connection_gnutls_get_credentials (G_TLS_CONNECTION_GNUTLS (gnutls)); gnutls_certificate_set_retrieve_function (creds, g_tls_server_connection_gnutls_retrieve_function); - - session = g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (gnutls)); - gnutls_db_set_retrieve_function (session, g_tls_server_connection_gnutls_db_retrieve); - gnutls_db_set_store_function (session, g_tls_server_connection_gnutls_db_store); - gnutls_db_set_remove_function (session, g_tls_server_connection_gnutls_db_remove); } static gboolean 
@@ -90,12 +87,19 @@ g_tls_server_connection_gnutls_initable_init (GInitable *initable, GCancellable *cancellable, GError **error) { + GTlsConnectionGnutls *gnutls = G_TLS_CONNECTION_GNUTLS (initable); GTlsCertificate *cert; + gnutls_session_t session; if (!g_tls_server_connection_gnutls_parent_initable_iface-> init (initable, cancellable, error)) return FALSE; + session = g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (gnutls)); + gnutls_db_set_retrieve_function (session, g_tls_server_connection_gnutls_db_retrieve); + gnutls_db_set_store_function (session, g_tls_server_connection_gnutls_db_store); + gnutls_db_set_remove_function (session, g_tls_server_connection_gnutls_db_remove); + cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (initable)); if (cert && !g_tls_certificate_gnutls_has_key (G_TLS_CERTIFICATE_GNUTLS (cert))) { @@ -178,6 +182,7 @@ g_tls_server_connection_gnutls_begin_handshake (GTlsConnectionGnutls *conn) case G_TLS_AUTHENTICATION_REQUIRED: req_mode = GNUTLS_CERT_REQUIRE; break; + case G_TLS_AUTHENTICATION_NONE: default: req_mode = GNUTLS_CERT_IGNORE; break; diff --git a/tls/gnutls/gtlsserverconnection-gnutls.h b/tls/gnutls/gtlsserverconnection-gnutls.h index 20414b1..d999195 100644 --- a/tls/gnutls/gtlsserverconnection-gnutls.h +++ b/tls/gnutls/gtlsserverconnection-gnutls.h @@ -8,6 +8,9 @@ * your option) any later version. * * See the included COPYING file for more information. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #ifndef __G_TLS_SERVER_CONNECTION_GNUTLS_H__ diff --git a/tls/pkcs11/gpkcs11array.c b/tls/pkcs11/gpkcs11array.c index e2b7e2f..f46399c 100644 --- a/tls/pkcs11/gpkcs11array.c +++ b/tls/pkcs11/gpkcs11array.c 
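Review bot: In `g_tls_server_connection_gnutls_initable_init`, `gnutls` is already declared as `GTlsConnectionGnutls *`, so the cast in `g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (gnutls))` is redundant and can be written `g_tls_connection_gnutls_get_session (gnutls)`. The three `gnutls_db_set_*_function` calls were moved here from the instance init, presumably because the session is only available once the parent's `init` has succeeded; nothing in the code says so. A comment such as `/* The session is created by the parent init, so the session-cache callbacks can only be registered here. */` would keep a later cleanup from moving them back. The function body continues outside the hunk.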
@@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/pkcs11/gpkcs11array.h b/tls/pkcs11/gpkcs11array.h index 90a95d3..38ee1e1 100644 --- a/tls/pkcs11/gpkcs11array.h +++ b/tls/pkcs11/gpkcs11array.h @@ -9,6 +9,9 @@ * * See the included COPYING file for more information. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/pkcs11/gpkcs11pin.c b/tls/pkcs11/gpkcs11pin.c index 48e54be..856b73c 100644 --- a/tls/pkcs11/gpkcs11pin.c +++ b/tls/pkcs11/gpkcs11pin.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/pkcs11/gpkcs11pin.h b/tls/pkcs11/gpkcs11pin.h index 6012e82..7208837 100644 --- a/tls/pkcs11/gpkcs11pin.h +++ b/tls/pkcs11/gpkcs11pin.h @@ -9,6 +9,9 @@ * * See the included COPYING file for more information. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/pkcs11/gpkcs11slot.c b/tls/pkcs11/gpkcs11slot.c index c72a8bc..ff9e88a 100644 --- a/tls/pkcs11/gpkcs11slot.c +++ b/tls/pkcs11/gpkcs11slot.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ 
diff --git a/tls/pkcs11/gpkcs11slot.h b/tls/pkcs11/gpkcs11slot.h index b22f9fc..27d9daf 100644 --- a/tls/pkcs11/gpkcs11slot.h +++ b/tls/pkcs11/gpkcs11slot.h @@ -9,6 +9,9 @@ * * See the included COPYING file for more information. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/pkcs11/gpkcs11util.c b/tls/pkcs11/gpkcs11util.c index 42b90e7..58fa52e 100644 --- a/tls/pkcs11/gpkcs11util.c +++ b/tls/pkcs11/gpkcs11util.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/pkcs11/gpkcs11util.h b/tls/pkcs11/gpkcs11util.h index 044e464..37b5de7 100644 --- a/tls/pkcs11/gpkcs11util.h +++ b/tls/pkcs11/gpkcs11util.h @@ -9,6 +9,9 @@ * * See the included COPYING file for more information. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/pkcs11/pkcs11-trust-assertions.h b/tls/pkcs11/pkcs11-trust-assertions.h index ed8bb6b..cfc916b 100644 --- a/tls/pkcs11/pkcs11-trust-assertions.h +++ b/tls/pkcs11/pkcs11-trust-assertions.h @@ -10,6 +10,9 @@ * WITHOUT ANY WARRANTY, to the extent permitted by law; without even * the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR * PURPOSE. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ /* diff --git a/tls/tests/Makefile.am b/tls/tests/Makefile.am index ef91554..55e5032 100644 --- a/tls/tests/Makefile.am +++ b/tls/tests/Makefile.am 
@@ -1,13 +1,15 @@ include $(top_srcdir)/glib-networking.mk AM_CPPFLAGS += \ + $(GNUTLS_CFLAGS) \ -I$(top_srcdir)/tls \ -I$(top_builddir)/tls \ -DSRCDIR=\""$(abs_srcdir)"\" \ -DTOP_BUILDDIR=\""$(top_builddir)"\" LDADD = \ - $(GLIB_LIBS) + $(GLIB_LIBS) \ + $(GNUTLS_LIBS) test_programs = \ certificate \ @@ -15,6 +17,9 @@ test_programs = \ connection \ $(NULL) +connection_SOURCES = connection.c \ + mock-interaction.c mock-interaction.h + if HAVE_PKCS11 test_programs += \ @@ -24,8 +29,7 @@ test_programs += \ pkcs11-slot AM_CPPFLAGS += \ - $(PKCS11_CFLAGS) \ - $(GNUTLS_CFLAGS) + $(PKCS11_CFLAGS) LDADD += $(top_builddir)/tls/pkcs11/libgiopkcs11.la $(PKCS11_LIBS) @@ -35,6 +39,34 @@ pkcs11_slot_SOURCES = pkcs11-slot.c \ endif -EXTRA_DIST += \ - files \ +testfiles_data = \ + files/ca.pem \ + files/ca-alternative.pem \ + files/ca-key.pem \ + files/ca-roots.pem \ + files/ca-roots-bad.pem \ + files/ca-verisign-sha1.pem \ + files/chain.pem \ + files/chain-with-verisign-md2.pem \ + files/client-and-key.pem \ + files/client-future.pem \ + files/client-past.pem \ + files/client.pem \ + files/intermediate-ca.pem \ + files/non-ca.pem \ + files/server-and-key.pem \ + files/server.der \ + files/server-intermediate.pem \ + files/server-intermediate-key.pem \ + files/server-key.der \ + files/server-key.pem \ + files/server.pem \ + files/server-self.pem \ $(NULL) + +if ENABLE_INSTALLED_TESTS +testfilesdir = $(installed_testdir)/files +testfiles_DATA = $(testfiles_data) +endif + +EXTRA_DIST += $(testfiles_data) diff --git a/tls/tests/certificate.c b/tls/tests/certificate.c index 408f3e2..ae4c621 100644 --- a/tls/tests/certificate.c +++ b/tls/tests/certificate.c @@ -16,6 +16,9 @@ * Public License along with this library; if not, see * . * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ 
@@ -24,7 +27,28 @@ #include #include -#define TEST_FILE(name) (SRCDIR "/files/" name) +static const gchar * +tls_test_file_path (const char *name) +{ + const gchar *const_path; + gchar *path; + + path = g_test_build_filename (G_TEST_DIST, "files", name, NULL); + if (!g_path_is_absolute (path)) + { + gchar *cwd, *abs; + + cwd = g_get_current_dir (); + abs = g_build_filename (cwd, path, NULL); + g_free (cwd); + g_free (path); + path = abs; + } + + const_path = g_intern_string (path); + g_free (path); + return const_path; +} typedef struct { GTlsBackend *backend; @@ -47,11 +71,11 @@ setup_certificate (TestCertificate *test, gconstpointer data) test->backend = g_tls_backend_get_default (); test->cert_gtype = g_tls_backend_get_certificate_type (test->backend); - g_file_get_contents (TEST_FILE ("server.pem"), &test->cert_pem, + g_file_get_contents (tls_test_file_path ("server.pem"), &test->cert_pem, &test->cert_pem_length, &error); g_assert_no_error (error); - g_file_get_contents (TEST_FILE ("server.der"), + g_file_get_contents (tls_test_file_path ("server.der"), &contents, &length, &error); g_assert_no_error (error); @@ -59,11 +83,11 @@ setup_certificate (TestCertificate *test, gconstpointer data) g_byte_array_append (test->cert_der, (guint8 *)contents, length); g_free (contents); - g_file_get_contents (TEST_FILE ("server-key.pem"), &test->key_pem, + g_file_get_contents (tls_test_file_path ("server-key.pem"), &test->key_pem, &test->key_pem_length, &error); g_assert_no_error (error); - g_file_get_contents (TEST_FILE ("server-key.der"), + g_file_get_contents (tls_test_file_path ("server-key.der"), &contents, &length, &error); g_assert_no_error (error); 
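Review bot: `tls_test_file_path` has no comment stating that the returned string is interned and must not be freed, which is not obvious from a helper that builds its path with `g_test_build_filename` and `g_build_filename`. A one-line header such as `/* Returns an interned absolute path to a fixture under files/; the caller must not free it. */` would make the ownership clear at the call sites. The same helper is added again, unchanged, to tls/tests/connection.c later in this patch; moving it into a shared test header would keep the two copies from drifting apart.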
@@ -175,7 +199,7 @@ test_create_certificate_with_issuer (TestCertificate *test, GTlsCertificate *cert, *issuer, *check; GError *error = NULL; - issuer = g_tls_certificate_new_from_file (TEST_FILE ("ca.pem"), &error); + issuer = g_tls_certificate_new_from_file (tls_test_file_path ("ca.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (issuer)); 
@@ -199,6 +223,91 @@ test_create_certificate_with_issuer (TestCertificate *test, g_assert (issuer == NULL); } +static void +test_create_certificate_chain (void) +{ + GTlsCertificate *cert, *intermediate, *root; + GError *error = NULL; + + if (glib_check_version (2, 43, 0)) + { + g_test_skip ("This test requires glib 2.43"); + return; + } + + cert = g_tls_certificate_new_from_file (tls_test_file_path ("chain.pem"), &error); + g_assert_no_error (error); + g_assert (G_IS_TLS_CERTIFICATE (cert)); + + intermediate = g_tls_certificate_get_issuer (cert); + g_assert (G_IS_TLS_CERTIFICATE (intermediate)); + + root = g_tls_certificate_get_issuer (intermediate); + g_assert (G_IS_TLS_CERTIFICATE (root)); + + g_assert (g_tls_certificate_get_issuer (root) == NULL); + + g_object_unref (cert); +} + +static void +test_create_certificate_no_chain (void) +{ + GTlsCertificate *cert, *issuer; + GError *error = NULL; + gchar *cert_pem; + gsize cert_pem_length; + + cert = g_tls_certificate_new_from_file (tls_test_file_path ("non-ca.pem"), &error); + g_assert_no_error (error); + g_assert (G_IS_TLS_CERTIFICATE (cert)); + + issuer = g_tls_certificate_get_issuer (cert); + g_assert (issuer == NULL); + g_object_unref (cert); + + /* Truncate a valid chain certificate file. We should only get the + * first certificate. 
+ */ + g_file_get_contents (tls_test_file_path ("chain.pem"), &cert_pem, + &cert_pem_length, &error); + g_assert_no_error (error); + + cert = g_tls_certificate_new_from_pem (cert_pem, cert_pem_length - 100, &error); + g_free (cert_pem); + g_assert_no_error (error); + g_assert (G_IS_TLS_CERTIFICATE (cert)); + + issuer = g_tls_certificate_get_issuer (cert); + g_assert (issuer == NULL); + g_object_unref (cert); +} + +static void +test_create_list (void) +{ + GList *list; + GError *error = NULL; + + list = g_tls_certificate_list_new_from_file (tls_test_file_path ("ca-roots.pem"), &error); + g_assert_no_error (error); + g_assert_cmpint (g_list_length (list), ==, 8); + + g_list_free_full (list, g_object_unref); +} + +static void +test_create_list_bad (void) +{ + GList *list; + GError *error = NULL; + + list = g_tls_certificate_list_new_from_file (tls_test_file_path ("ca-roots-bad.pem"), &error); + g_assert_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE); + g_assert_null (list); + g_error_free (error); +} + /* ----------------------------------------------------------------------------- * CERTIFICATE VERIFY */ 
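Review bot: `test_create_certificate_no_chain` passes `cert_pem_length - 100` to `g_tls_certificate_new_from_pem` without checking that the fixture is longer than 100 bytes. `cert_pem_length` is a `gsize`, so with a short or replaced `chain.pem` the subtraction wraps and the parser is handed a bogus length for the buffer. Adding `g_assert_cmpuint (cert_pem_length, >, 100);` right after the `g_assert_no_error (error);` that follows `g_file_get_contents` makes the assumption explicit. The existing comment could also say that 100 bytes is meant to cut into the last certificate of the chain only.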
@@ -216,16 +325,16 @@ setup_verify (TestVerify *test, { GError *error = NULL; - test->cert = g_tls_certificate_new_from_file (TEST_FILE ("server.pem"), &error); + test->cert = g_tls_certificate_new_from_file (tls_test_file_path ("server.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (test->cert)); test->identity = g_network_address_new ("server.example.com", 80); - test->anchor = g_tls_certificate_new_from_file (TEST_FILE ("ca.pem"), &error); + test->anchor = g_tls_certificate_new_from_file (tls_test_file_path ("ca.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (test->anchor)); - test->database = g_tls_file_database_new (TEST_FILE ("ca.pem"), &error); + test->database = g_tls_file_database_new (tls_test_file_path ("ca.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_DATABASE (test->database)); } @@ -262,6 +371,8 @@ static void test_verify_certificate_good (TestVerify *test, gconstpointer data) { + GSocketConnectable *identity; + GSocketAddress *addr; GTlsCertificateFlags errors; errors = g_tls_certificate_verify (test->cert, test->identity, test->anchor); @@ -269,6 +380,16 @@ test_verify_certificate_good (TestVerify *test, errors = g_tls_certificate_verify (test->cert, NULL, test->anchor); g_assert_cmpuint (errors, ==, 0); + + identity = g_network_address_new ("192.168.1.10", 80); + errors = g_tls_certificate_verify (test->cert, identity, test->anchor); + g_assert_cmpuint (errors, ==, 0); + g_object_unref (identity); + + addr = g_inet_socket_address_new_from_string ("192.168.1.10", 80); + errors = g_tls_certificate_verify (test->cert, G_SOCKET_CONNECTABLE (addr), test->anchor); + g_assert_cmpuint (errors, ==, 0); + g_object_unref (addr); } static void 
@@ -277,13 +398,22 @@ test_verify_certificate_bad_identity (TestVerify *test, { GSocketConnectable *identity; GTlsCertificateFlags errors; + GSocketAddress *addr; identity = g_network_address_new ("other.example.com", 80); - errors = g_tls_certificate_verify (test->cert, identity, test->anchor); g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_BAD_IDENTITY); + g_object_unref (identity); + identity = g_network_address_new ("127.0.0.1", 80); + errors = g_tls_certificate_verify (test->cert, identity, test->anchor); + g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_BAD_IDENTITY); g_object_unref (identity); + + addr = g_inet_socket_address_new_from_string ("127.0.0.1", 80); + errors = g_tls_certificate_verify (test->cert, G_SOCKET_CONNECTABLE (addr), test->anchor); + g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_BAD_IDENTITY); + g_object_unref (addr); } static void @@ -295,7 +425,7 @@ test_verify_certificate_bad_ca (TestVerify *test, GError *error = NULL; /* Use a client certificate as the CA, which is wrong */ - cert = g_tls_certificate_new_from_file (TEST_FILE ("client.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("client.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cert)); @@ -314,7 +444,7 @@ test_verify_certificate_bad_before (TestVerify *test, GError *error = NULL; /* This is a certificate in the future */ - cert = g_tls_certificate_new_from_file (TEST_FILE ("client-future.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-future.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cert)); 
@@ -333,7 +463,7 @@ test_verify_certificate_bad_expired (TestVerify *test, GError *error = NULL; /* This is a certificate in the future */ - cert = g_tls_certificate_new_from_file (TEST_FILE ("client-past.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-past.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cert)); @@ -353,12 +483,12 @@ test_verify_certificate_bad_combo (TestVerify *test, GTlsCertificateFlags errors; GError *error = NULL; - cert = g_tls_certificate_new_from_file (TEST_FILE ("client-past.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-past.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cert)); /* Unrelated cert used as certificate authority */ - cacert = g_tls_certificate_new_from_file (TEST_FILE ("server-self.pem"), &error); + cacert = g_tls_certificate_new_from_file (tls_test_file_path ("server-self.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cacert)); @@ -387,13 +517,13 @@ test_certificate_is_same (void) GTlsCertificate *three; GError *error = NULL; - one = g_tls_certificate_new_from_file (TEST_FILE ("client.pem"), &error); + one = g_tls_certificate_new_from_file (tls_test_file_path ("client.pem"), &error); g_assert_no_error (error); - two = g_tls_certificate_new_from_file (TEST_FILE ("client-and-key.pem"), &error); + two = g_tls_certificate_new_from_file (tls_test_file_path ("client-and-key.pem"), &error); g_assert_no_error (error); - three = g_tls_certificate_new_from_file (TEST_FILE ("server.pem"), &error); + three = g_tls_certificate_new_from_file (tls_test_file_path ("server.pem"), &error); g_assert_no_error (error); g_assert (g_tls_certificate_is_same (one, two) == TRUE); 
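Review bot: In `test_verify_certificate_bad_expired`, the comment directly above the changed line still reads `/* This is a certificate in the future */` although the file being loaded is `client-past.pem`; it looks copied from the bad-before test. Since the line below it is being touched anyway, the comment could become `/* This is a certificate that has already expired */`. The function starts and ends outside the hunk.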
@@ -428,6 +558,10 @@ main (int argc, setup_certificate, test_create_with_key_der, teardown_certificate); g_test_add ("/tls/certificate/create-with-issuer", TestCertificate, NULL, setup_certificate, test_create_certificate_with_issuer, teardown_certificate); + g_test_add_func ("/tls/certificate/create-chain", test_create_certificate_chain); + g_test_add_func ("/tls/certificate/create-no-chain", test_create_certificate_no_chain); + g_test_add_func ("/tls/certificate/create-list", test_create_list); + g_test_add_func ("/tls/certificate/create-list-bad", test_create_list_bad); g_test_add ("/tls/certificate/verify-good", TestVerify, NULL, setup_verify, test_verify_certificate_good, teardown_verify); diff --git a/tls/tests/connection.c b/tls/tests/connection.c index 6236f83..d2bf8cb 100644 --- a/tls/tests/connection.c +++ b/tls/tests/connection.c @@ -16,20 +16,50 @@ * Public License along with this library; if not, see * . * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ +#include "config.h" + +#include "mock-interaction.h" + #include +#include #include #include -#define TEST_FILE(name) (SRCDIR "/files/" name) +static const gchar * +tls_test_file_path (const char *name) +{ + const gchar *const_path; + gchar *path; + + path = g_test_build_filename (G_TEST_DIST, "files", name, NULL); + if (!g_path_is_absolute (path)) + { + gchar *cwd, *abs; + + cwd = g_get_current_dir (); + abs = g_build_filename (cwd, path, NULL); + g_free (cwd); + g_free (path); + path = abs; + } + + const_path = g_intern_string (path); + g_free (path); + return const_path; +} #define TEST_DATA "You win again, gravity!\n" #define TEST_DATA_LENGTH 24 typedef struct { + GMainContext *context; GMainLoop *loop; GSocketService *service; GTlsDatabase *database; 
@@ -43,7 +73,9 @@ typedef struct { GError *read_error; gboolean expect_server_error; GError *server_error; - gboolean server_closed; + gboolean server_should_close; + gboolean server_running; + GTlsCertificate *server_certificate; char buf[128]; gssize nread, nwrote; @@ -52,23 +84,26 @@ typedef struct { static void setup_connection (TestConnection *test, gconstpointer data) { - GInetAddress *inet; - guint16 port; - - test->loop = g_main_loop_new (NULL, FALSE); - + test->context = g_main_context_default (); + test->loop = g_main_loop_new (test->context, FALSE); test->auth_mode = G_TLS_AUTHENTICATION_NONE; - - /* This is where the server listens and the client connects */ - port = g_random_int_range (50000, 65000); - inet = g_inet_address_new_from_string ("127.0.0.1"); - test->address = G_SOCKET_ADDRESS (g_inet_socket_address_new (inet, port)); - g_object_unref (inet); - - /* The identity matches the server certificate */ - test->identity = g_network_address_new ("server.example.com", port); } +/* Waits about 10 seconds for @var to be NULL/FALSE */ +#define WAIT_UNTIL_UNSET(var) \ + if (var) \ + { \ + int i; \ + \ + for (i = 0; i < 13 && (var); i++) \ + { \ + g_usleep (1000 * (1 << i)); \ + g_main_context_iteration (NULL, FALSE); \ + } \ + \ + g_assert (!(var)); \ + } + static void teardown_connection (TestConnection *test, gconstpointer data) { 
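Review bot: WAIT_UNTIL_UNSET expands to a bare `if (var) { ... }`, so it is not safe as the body of an unbraced `if`/`else`: the caller's `else` either binds to the macro's own `if` or, with the usual trailing `;`, fails to compile. Wrapping the expansion as `do { if (var) { ... } } while (0)` makes every call site a single statement. The loop sleeps 1000 * (1 << i) microseconds for i = 0..12, roughly 8.2 seconds in total, which the comment rounds to 10. The comment could also say that the closing `g_assert (!(var))` turns a stuck teardown into a test failure instead of the unbounded wait the removed `while` loops had.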
@@ -80,50 +115,70 @@ teardown_connection (TestConnection *test, gconstpointer data) */ g_object_add_weak_pointer (G_OBJECT (test->service), (gpointer *)&test->service); g_object_unref (test->service); - while (test->service) - g_main_context_iteration (NULL, FALSE); + WAIT_UNTIL_UNSET (test->service); } if (test->server_connection) { - while (!test->server_closed) - g_main_context_iteration (NULL, FALSE); + WAIT_UNTIL_UNSET (test->server_running); - g_assert (G_IS_TLS_SERVER_CONNECTION (test->server_connection)); g_object_add_weak_pointer (G_OBJECT (test->server_connection), (gpointer *)&test->server_connection); g_object_unref (test->server_connection); - while (test->server_connection) - g_main_context_iteration (NULL, FALSE); + WAIT_UNTIL_UNSET (test->server_connection); } if (test->client_connection) { - g_assert (G_IS_TLS_CLIENT_CONNECTION (test->client_connection)); g_object_add_weak_pointer (G_OBJECT (test->client_connection), (gpointer *)&test->client_connection); g_object_unref (test->client_connection); - while (test->client_connection) - g_main_context_iteration (NULL, FALSE); + WAIT_UNTIL_UNSET (test->client_connection); } if (test->database) { - g_assert (G_IS_TLS_DATABASE (test->database)); g_object_add_weak_pointer (G_OBJECT (test->database), (gpointer *)&test->database); g_object_unref (test->database); - while (test->database) - g_main_context_iteration (NULL, FALSE); + WAIT_UNTIL_UNSET (test->database); } - g_object_unref (test->address); - g_object_unref (test->identity); + g_clear_object (&test->address); + g_clear_object (&test->identity); + g_clear_object (&test->server_certificate); g_main_loop_unref (test->loop); g_clear_error (&test->read_error); g_clear_error (&test->server_error); } +static void +start_server (TestConnection *test) +{ + GInetAddress *inet; + GSocketAddress *addr; + GInetSocketAddress *iaddr; + GError *error = NULL; + + inet = g_inet_address_new_from_string ("127.0.0.1"); + addr = g_inet_socket_address_new (inet, 0); + 
g_object_unref (inet); + + g_socket_listener_add_address (G_SOCKET_LISTENER (test->service), addr, + G_SOCKET_TYPE_STREAM, G_SOCKET_PROTOCOL_TCP, + NULL, &test->address, &error); + g_assert_no_error (error); + + g_object_unref (addr); + + /* The hostname in test->identity matches the server certificate. */ + iaddr = G_INET_SOCKET_ADDRESS (test->address); + test->identity = g_network_address_new ("server.example.com", + g_inet_socket_address_get_port (iaddr)); + + test->server_running = TRUE; +} + static gboolean on_accept_certificate (GTlsClientConnection *conn, GTlsCertificate *cert, GTlsCertificateFlags errors, gpointer user_data) @@ -168,7 +223,14 @@ on_server_close_finish (GObject *object, g_assert (error != NULL); else g_assert_no_error (error); - test->server_closed = TRUE; + test->server_running = FALSE; +} + +static void +close_server_connection (TestConnection *test) +{ + g_io_stream_close_async (test->server_connection, G_PRIORITY_DEFAULT, NULL, + on_server_close_finish, test); } static void @@ -190,8 +252,8 @@ on_output_write_finish (GObject *object, return; } - g_io_stream_close_async (test->server_connection, G_PRIORITY_DEFAULT, NULL, - on_server_close_finish, test); + if (test->server_should_close) + close_server_connection (test); } static gboolean @@ -205,8 +267,15 @@ on_incoming_connection (GSocketService *service, GTlsCertificate *cert; GError *error = NULL; - cert = g_tls_certificate_new_from_file (TEST_FILE ("server-and-key.pem"), &error); - g_assert_no_error (error); + if (test->server_certificate) + { + cert = g_object_ref (test->server_certificate); + } + else + { + cert = g_tls_certificate_new_from_file (tls_test_file_path ("server-and-key.pem"), &error); + g_assert_no_error (error); + } test->server_connection = g_tls_server_connection_new (G_IO_STREAM (connection), cert, &error); 
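Review bot: start_server carries no comment explaining that the listener is bound to 127.0.0.1 with port 0 and that the port actually chosen is only known afterwards, through the effective address written to `test->address`. I would add at the top of the function: `/* Bind to loopback on port 0 so the OS picks a free port; the effective address is returned in test->address and reused for test->identity. */`. It is also worth noting that `test->server_running = TRUE` is set as soon as the listener exists, not when a connection is accepted; teardown_connection only waits on it when `test->server_connection` is set.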
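Review bot: The certificate selection added to on_incoming_connection is repeated line for line in run_echo_server (hunk at -278,8), so any later change to the fallback file or to the reference handling has to be made in two places. A small helper that returns a new reference keeps the two servers in step, and both call sites reduce to one assignment. on_incoming_connection starts and ends outside this hunk, so where `cert` is released is not visible here; the helper keeps the same ownership as the added code.

```c
/* Returns a new reference to the certificate the test server presents:
 * the per-test override if one is set, otherwise server-and-key.pem. */
static GTlsCertificate *
get_server_certificate (TestConnection *test)
{
  GTlsCertificate *cert;
  GError *error = NULL;

  if (test->server_certificate)
    return g_object_ref (test->server_certificate);

  cert = g_tls_certificate_new_from_file (tls_test_file_path ("server-and-key.pem"), &error);
  g_assert_no_error (error);
  return cert;
}

/* … unchanged: on_incoming_connection declarations … */
  cert = get_server_certificate (test);
```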
@@ -223,36 +292,35 @@ on_incoming_connection (GSocketService *service, stream = g_io_stream_get_output_stream (test->server_connection); g_output_stream_write_async (stream, TEST_DATA, - test->rehandshake ? TEST_DATA_LENGTH / 2 : TEST_DATA_LENGTH, + test->rehandshake ? TEST_DATA_LENGTH / 2 : TEST_DATA_LENGTH, G_PRIORITY_DEFAULT, NULL, on_output_write_finish, test); return FALSE; } static void -start_async_server_service (TestConnection *test, GTlsAuthenticationMode auth_mode) +start_async_server_service (TestConnection *test, GTlsAuthenticationMode auth_mode, + gboolean should_close) { - GError *error = NULL; - test->service = g_socket_service_new (); - g_socket_listener_add_address (G_SOCKET_LISTENER (test->service), - G_SOCKET_ADDRESS (test->address), - G_SOCKET_TYPE_STREAM, G_SOCKET_PROTOCOL_TCP, - NULL, NULL, &error); - g_assert_no_error (error); + start_server (test); test->auth_mode = auth_mode; g_signal_connect (test->service, "incoming", G_CALLBACK (on_incoming_connection), test); + + test->server_should_close = should_close; } static GIOStream * -start_async_server_and_connect_to_it (TestConnection *test, GTlsAuthenticationMode auth_mode) +start_async_server_and_connect_to_it (TestConnection *test, + GTlsAuthenticationMode auth_mode, + gboolean should_close) { GSocketClient *client; GError *error = NULL; GSocketConnection *connection; - start_async_server_service (test, auth_mode); + start_async_server_service (test, auth_mode, should_close); client = g_socket_client_new (); connection = g_socket_client_connect (client, G_SOCKET_CONNECTABLE (test->address), 
@@ -278,8 +346,15 @@ run_echo_server (GThreadedSocketService *service, gssize nread, nwrote, total; gchar buf[128]; - cert = g_tls_certificate_new_from_file (TEST_FILE ("server-and-key.pem"), &error); - g_assert_no_error (error); + if (test->server_certificate) + { + cert = g_object_ref (test->server_certificate); + } + else + { + cert = g_tls_certificate_new_from_file (tls_test_file_path ("server-and-key.pem"), &error); + g_assert_no_error (error); + } test->server_connection = g_tls_server_connection_new (G_IO_STREAM (connection), cert, &error); @@ -318,20 +393,14 @@ run_echo_server (GThreadedSocketService *service, g_io_stream_close (test->server_connection, NULL, &error); g_assert_no_error (error); - test->server_closed = TRUE; + test->server_running = FALSE; } static void start_echo_server_service (TestConnection *test) { - GError *error = NULL; - test->service = g_threaded_socket_service_new (5); - g_socket_listener_add_address (G_SOCKET_LISTENER (test->service), - G_SOCKET_ADDRESS (test->address), - G_SOCKET_TYPE_STREAM, G_SOCKET_PROTOCOL_TCP, - NULL, NULL, &error); - g_assert_no_error (error); + start_server (test); g_signal_connect (test->service, "run", G_CALLBACK (run_echo_server), test); } @@ -390,7 +459,7 @@ on_input_read_finish (GObject *object, } g_io_stream_close_async (test->client_connection, G_PRIORITY_DEFAULT, - NULL, on_client_connection_close_finish, test); + NULL, on_client_connection_close_finish, test); } static void @@ -413,7 +482,7 @@ test_basic_connection (TestConnection *test, GIOStream *connection; GError *error = NULL; - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE, TRUE); test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); g_assert_no_error (error); g_object_unref (connection); 
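Review bot: `test->server_running = FALSE` at the end of run_echo_server is stored from a worker thread of the `g_threaded_socket_service_new (5)` service, while teardown_connection polls the same field from the main thread through WAIT_UNTIL_UNSET with no atomic or lock in between. That is a data race on a plain `gboolean`, and nothing guarantees the polling loop observes the store promptly. Since gboolean is a gint, the store can be `g_atomic_int_set (&test->server_running, FALSE);` and the poll can read the field with `g_atomic_int_get (&test->server_running)`. run_echo_server starts outside this hunk, so other cross-thread writes in its body are not visible here.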
@@ -436,11 +505,11 @@ test_verified_connection (TestConnection *test, GIOStream *connection; GError *error = NULL; - test->database = g_tls_file_database_new (TEST_FILE ("ca-roots.pem"), &error); + test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error); g_assert_no_error (error); g_assert (test->database); - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE, TRUE); test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); g_assert_no_error (error); g_assert (test->client_connection); 
@@ -460,6 +529,377 @@ test_verified_connection (TestConnection *test, } static void +test_verified_chain (TestConnection *test, + gconstpointer data) +{ + GTlsBackend *backend; + GTlsCertificate *server_cert; + GTlsCertificate *intermediate_cert; + char *cert_data = NULL; + char *key_data = NULL; + GError *error = NULL; + + backend = g_tls_backend_get_default (); + + /* Prepare the intermediate cert. */ + intermediate_cert = g_tls_certificate_new_from_file (tls_test_file_path ("intermediate-ca.pem"), &error); + g_assert_no_error (error); + g_assert (intermediate_cert); + + /* Prepare the server cert. */ + g_clear_pointer (&cert_data, g_free); + g_file_get_contents (tls_test_file_path ("server-intermediate.pem"), + &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + g_file_get_contents (tls_test_file_path ("server-intermediate-key.pem"), + &key_data, NULL, &error); + g_assert_no_error (error); + g_assert (key_data); + + server_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", intermediate_cert, + "certificate-pem", cert_data, + "private-key-pem", key_data, + NULL); + g_assert_no_error (error); + g_assert (server_cert); + + g_object_unref (intermediate_cert); + g_free (cert_data); + g_free (key_data); + + test->server_certificate = server_cert; + test_verified_connection (test, data); +} + +static void +test_verified_chain_with_redundant_root_cert (TestConnection *test, + gconstpointer data) +{ + GTlsBackend *backend; + GTlsCertificate *server_cert; + GTlsCertificate *intermediate_cert; + GTlsCertificate *root_cert; + char *cert_data = NULL; + char *key_data = NULL; + GError *error = NULL; + + backend = g_tls_backend_get_default (); + + /* The root is redundant. It should not hurt anything. */ + root_cert = g_tls_certificate_new_from_file (tls_test_file_path ("ca.pem"), &error); + g_assert_no_error (error); + g_assert (root_cert); + + /* Prepare the intermediate cert. 
*/ + g_file_get_contents (tls_test_file_path ("intermediate-ca.pem"), + &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + intermediate_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", root_cert, + "certificate-pem", cert_data, + NULL); + g_assert_no_error (error); + g_assert (intermediate_cert); + + /* Prepare the server cert. */ + g_clear_pointer (&cert_data, g_free); + g_file_get_contents (tls_test_file_path ("server-intermediate.pem"), + &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + g_file_get_contents (tls_test_file_path ("server-intermediate-key.pem"), + &key_data, NULL, &error); + g_assert_no_error (error); + g_assert (key_data); + + server_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", intermediate_cert, + "certificate-pem", cert_data, + "private-key-pem", key_data, + NULL); + g_assert_no_error (error); + g_assert (server_cert); + + g_object_unref (intermediate_cert); + g_object_unref (root_cert); + g_free (cert_data); + g_free (key_data); + + test->server_certificate = server_cert; + test_verified_connection (test, data); +} + +static void +test_verified_chain_with_duplicate_server_cert (TestConnection *test, + gconstpointer data) +{ + /* This is another common server misconfiguration. Apache reads certificates + * from two configuration files: one for the server cert, and one for the rest + * of the chain. If the server cert is pasted into both files, it will be sent + * twice. We should be tolerant of this. */ + + GTlsBackend *backend; + GTlsCertificate *server_cert; + GTlsCertificate *extra_server_cert; + GTlsCertificate *intermediate_cert; + char *cert_data = NULL; + char *key_data = NULL; + GError *error = NULL; + + backend = g_tls_backend_get_default (); + + /* Prepare the intermediate cert. 
*/ + intermediate_cert = g_tls_certificate_new_from_file (tls_test_file_path ("intermediate-ca.pem"), &error); + g_assert_no_error (error); + g_assert (intermediate_cert); + + /* Prepare the server cert. */ + g_clear_pointer (&cert_data, g_free); + g_file_get_contents (tls_test_file_path ("server-intermediate.pem"), + &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + g_file_get_contents (tls_test_file_path ("server-intermediate-key.pem"), + &key_data, NULL, &error); + g_assert_no_error (error); + g_assert (key_data); + + server_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", intermediate_cert, + "certificate-pem", cert_data, + NULL); + g_assert_no_error (error); + g_assert (server_cert); + + /* Prepare the server cert... again. Private key must go on this one. */ + extra_server_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", server_cert, + "certificate-pem", cert_data, + "private-key-pem", key_data, + NULL); + g_assert_no_error (error); + g_assert (extra_server_cert); + + g_object_unref (intermediate_cert); + g_object_unref (server_cert); + g_free (cert_data); + g_free (key_data); + + test->server_certificate = extra_server_cert; + test_verified_connection (test, data); +} + +static void +test_verified_unordered_chain (TestConnection *test, + gconstpointer data) +{ + GTlsBackend *backend; + GTlsCertificate *server_cert; + GTlsCertificate *intermediate_cert; + GTlsCertificate *root_cert; + char *cert_data = NULL; + char *key_data = NULL; + GError *error = NULL; + + backend = g_tls_backend_get_default (); + + /* Prepare the intermediate cert (to be sent last, out of order)! 
*/ + intermediate_cert = g_tls_certificate_new_from_file (tls_test_file_path ("intermediate-ca.pem"), + &error); + g_assert_no_error (error); + g_assert (intermediate_cert); + + g_file_get_contents (tls_test_file_path ("ca.pem"), &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + /* Prepare the root cert (to be sent in the middle of the chain). */ + root_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", intermediate_cert, + "certificate-pem", cert_data, + NULL); + g_assert_no_error (error); + g_assert (root_cert); + + g_clear_pointer (&cert_data, g_free); + g_file_get_contents (tls_test_file_path ("server-intermediate.pem"), + &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + g_file_get_contents (tls_test_file_path ("server-intermediate-key.pem"), + &key_data, NULL, &error); + g_assert_no_error (error); + g_assert (key_data); + + /* Prepare the server cert. */ + server_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", root_cert, + "certificate-pem", cert_data, + "private-key-pem", key_data, + NULL); + g_assert_no_error (error); + g_assert (server_cert); + + g_object_unref (intermediate_cert); + g_object_unref (root_cert); + g_free (cert_data); + g_free (key_data); + + test->server_certificate = server_cert; + test_verified_connection (test, data); +} + +static void +test_verified_chain_with_alternative_ca_cert (TestConnection *test, + gconstpointer data) +{ + GTlsBackend *backend; + GTlsCertificate *server_cert; + GTlsCertificate *intermediate_cert; + GTlsCertificate *root_cert; + char *cert_data = NULL; + char *key_data = NULL; + GError *error = NULL; + + backend = g_tls_backend_get_default (); + + /* This "root" cert is issued by a CA that is not in the trust store. So it's + * not really a root, but it has the same public key as a cert in the trust + * store. 
If the client insists on a traditional chain of trust, this will + * fail, since the issuer is untrusted. */ + root_cert = g_tls_certificate_new_from_file (tls_test_file_path ("ca-alternative.pem"), &error); + g_assert_no_error (error); + g_assert (root_cert); + + /* Prepare the intermediate cert. Modern TLS libraries are expected to notice + * that it is signed by the same public key as a certificate in the root + * store, and accept the certificate, ignoring the untrusted "root" sent next + * in the chain, which servers send for compatibility with clients that don't + * have the new CA cert in the trust store yet. (In this scenario, the old + * client still trusts the old CA cert.) */ + g_file_get_contents (tls_test_file_path ("intermediate-ca.pem"), + &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + intermediate_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", root_cert, + "certificate-pem", cert_data, + NULL); + g_assert_no_error (error); + g_assert (intermediate_cert); + + /* Prepare the server cert. 
*/ + g_clear_pointer (&cert_data, g_free); + g_file_get_contents (tls_test_file_path ("server-intermediate.pem"), + &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + g_file_get_contents (tls_test_file_path ("server-intermediate-key.pem"), + &key_data, NULL, &error); + g_assert_no_error (error); + g_assert (key_data); + + server_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", intermediate_cert, + "certificate-pem", cert_data, + "private-key-pem", key_data, + NULL); + g_assert_no_error (error); + g_assert (server_cert); + + g_object_unref (intermediate_cert); + g_object_unref (root_cert); + g_free (cert_data); + g_free (key_data); + + test->server_certificate = server_cert; + test_verified_connection (test, data); +} + +static void +test_invalid_chain_with_alternative_ca_cert (TestConnection *test, + gconstpointer data) +{ + GTlsBackend *backend; + GTlsCertificate *server_cert; + GTlsCertificate *root_cert; + GIOStream *connection; + char *cert_data = NULL; + char *key_data = NULL; + GError *error = NULL; + + backend = g_tls_backend_get_default (); + + /* This certificate has the same public key as a certificate in the root store. */ + root_cert = g_tls_certificate_new_from_file (tls_test_file_path ("ca-alternative.pem"), &error); + g_assert_no_error (error); + g_assert (root_cert); + + /* The intermediate cert is not sent. The chain should be rejected, since without intermediate.pem + * there is no proof that ca-alternative.pem signed server-intermediate.pem. 
*/ + g_file_get_contents (tls_test_file_path ("server-intermediate.pem"), + &cert_data, NULL, &error); + g_assert_no_error (error); + g_assert (cert_data); + + g_file_get_contents (tls_test_file_path ("server-intermediate-key.pem"), + &key_data, NULL, &error); + g_assert_no_error (error); + g_assert (key_data); + + server_cert = g_initable_new (g_tls_backend_get_certificate_type (backend), + NULL, &error, + "issuer", root_cert, + "certificate-pem", cert_data, + "private-key-pem", key_data, + NULL); + g_assert_no_error (error); + g_assert (server_cert); + + g_object_unref (root_cert); + g_free (cert_data); + g_free (key_data); + + test->server_certificate = server_cert; + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE, TRUE); + test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); + g_assert_no_error (error); + g_assert (test->client_connection); + g_object_unref (connection); + + g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database); + + /* Make sure this test doesn't expire. */ + g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection), + G_TLS_CERTIFICATE_VALIDATE_ALL & ~G_TLS_CERTIFICATE_EXPIRED); + + read_test_data_async (test); + g_main_loop_run (test->loop); + + g_assert_error (test->read_error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE); + g_assert_no_error (test->server_error); +} + +static void on_notify_accepted_cas (GObject *obj, GParamSpec *spec, gpointer user_data) 
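Review bot: test_invalid_chain_with_alternative_ca_cert passes `test->database` to `g_tls_connection_set_database`, but nothing visible in this function or in setup_connection assigns that field, unlike test_verified_connection, which first loads `ca-roots.pem`. If the field is still NULL, the client has no trust anchors for this connection and validation would report an unknown CA whatever chain the server sends. In that case the `G_TLS_ERROR_BAD_CERTIFICATE` assertion passes without exercising the missing-intermediate case the comment describes. Loading the roots first makes the rejection attributable to the chain: `test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);` followed by `g_assert_no_error (error);`. The comment also refers to `intermediate.pem`, while the file used elsewhere in this hunk is `intermediate-ca.pem`.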
@@ -479,11 +919,11 @@ test_client_auth_connection (TestConnection *test, GTlsCertificate *peer; gboolean cas_changed; - test->database = g_tls_file_database_new (TEST_FILE ("ca-roots.pem"), &error); + test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error); g_assert_no_error (error); g_assert (test->database); - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUIRED); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUIRED, TRUE); test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); g_assert_no_error (error); g_assert (test->client_connection); @@ -491,7 +931,7 @@ test_client_auth_connection (TestConnection *test, g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database); - cert = g_tls_certificate_new_from_file (TEST_FILE ("client-and-key.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-and-key.pem"), &error); g_assert_no_error (error); g_tls_connection_set_certificate (G_TLS_CONNECTION (test->client_connection), cert); @@ -534,11 +974,11 @@ test_client_auth_failure (TestConnection *test, GError *error = NULL; gboolean accepted_changed; - test->database = g_tls_file_database_new (TEST_FILE ("ca-roots.pem"), &error); + test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error); g_assert_no_error (error); g_assert (test->database); - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUIRED); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUIRED, TRUE); test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); g_assert_no_error (error); g_assert (test->client_connection); 
@@ -566,13 +1006,103 @@ test_client_auth_failure (TestConnection *test, } static void +test_client_auth_request_cert (TestConnection *test, + gconstpointer data) +{ + GIOStream *connection; + GError *error = NULL; + GTlsCertificate *cert; + GTlsCertificate *peer; + GTlsInteraction *interaction; + gboolean cas_changed; + + test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error); + g_assert_no_error (error); + g_assert (test->database); + + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUIRED, TRUE); + test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); + g_assert_no_error (error); + g_assert (test->client_connection); + g_object_unref (connection); + + g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database); + + /* Have the interaction return a certificate */ + cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-and-key.pem"), &error); + g_assert_no_error (error); + interaction = mock_interaction_new_static_certificate (cert); + g_tls_connection_set_interaction (G_TLS_CONNECTION (test->client_connection), interaction); + g_object_unref (interaction); + + /* All validation in this test */ + g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection), + G_TLS_CERTIFICATE_VALIDATE_ALL); + + cas_changed = FALSE; + g_signal_connect (test->client_connection, "notify::accepted-cas", + G_CALLBACK (on_notify_accepted_cas), &cas_changed); + + read_test_data_async (test); + g_main_loop_run (test->loop); + + g_assert_no_error (test->read_error); + g_assert_no_error (test->server_error); + + peer = g_tls_connection_get_peer_certificate (G_TLS_CONNECTION (test->server_connection)); + g_assert (peer != NULL); + g_assert (g_tls_certificate_is_same (peer, cert)); + g_assert (cas_changed == TRUE); + + g_object_unref (cert); +} + +static void +test_client_auth_request_fail (TestConnection *test, 
+ gconstpointer data) +{ + GIOStream *connection; + GError *error = NULL; + GTlsInteraction *interaction; + + test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error); + g_assert_no_error (error); + g_assert (test->database); + + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUIRED, TRUE); + test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); + g_assert_no_error (error); + g_assert (test->client_connection); + g_object_unref (connection); + + g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database); + + /* Have the interaction return an error */ + interaction = mock_interaction_new_static_error (G_FILE_ERROR, G_FILE_ERROR_ACCES, "Request message"); + g_tls_connection_set_interaction (G_TLS_CONNECTION (test->client_connection), interaction); + g_object_unref (interaction); + + /* All validation in this test */ + g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection), + G_TLS_CERTIFICATE_VALIDATE_ALL); + + read_test_data_async (test); + g_main_loop_run (test->loop); + + g_assert_error (test->read_error, G_FILE_ERROR, G_FILE_ERROR_ACCES); + + g_io_stream_close (test->server_connection, NULL, NULL); + g_io_stream_close (test->client_connection, NULL, NULL); +} + +static void test_connection_no_database (TestConnection *test, gconstpointer data) { GIOStream *connection; GError *error = NULL; - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE, TRUE); test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); g_assert_no_error (error); g_assert (test->client_connection); 
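Review bot: The two `g_io_stream_close (..., NULL, NULL)` calls at the end of test_client_auth_request_fail discard both the return value and the GError, and the test never looks at `test->server_error`, so what the server side saw when the client's certificate request failed goes unchecked. If the closes are deliberate best-effort cleanup, a comment should say so: `/* The handshake has already failed; close both ends and ignore the result. */`. If a server-side failure is expected here, setting `test->expect_server_error = TRUE`, as test_close_during_handshake does, would make that explicit rather than leaving it to the silent close.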
@@ -620,7 +1150,7 @@ test_failed_connection (TestConnection *test, GError *error = NULL; GSocketConnectable *bad_addr; - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE, TRUE); bad_addr = g_network_address_new ("wrong.example.com", 80); test->client_connection = g_tls_client_connection_new (connection, bad_addr, &error); @@ -670,7 +1200,7 @@ test_connection_socket_client (TestConnection *test, GIOStream *base; GError *error = NULL; - start_async_server_service (test, G_TLS_AUTHENTICATION_NONE); + start_async_server_service (test, G_TLS_AUTHENTICATION_NONE, TRUE); client = g_socket_client_new (); g_socket_client_set_tls (client, TRUE); flags = G_TLS_CERTIFICATE_VALIDATE_ALL & ~G_TLS_CERTIFICATE_UNKNOWN_CA; @@ -718,7 +1248,7 @@ test_connection_socket_client_failed (TestConnection *test, { GSocketClient *client; - start_async_server_service (test, G_TLS_AUTHENTICATION_NONE); + start_async_server_service (test, G_TLS_AUTHENTICATION_NONE, TRUE); client = g_socket_client_new (); g_socket_client_set_tls (client, TRUE); /* this time we don't adjust the validation flags */ 
@@ -731,6 +1261,92 @@ test_connection_socket_client_failed (TestConnection *test, } static void +socket_client_timed_out_write (GObject *source, + GAsyncResult *result, + gpointer user_data) +{ + TestConnection *test = user_data; + GSocketConnection *connection; + GInputStream *input_stream; + GOutputStream *output_stream; + GError *error = NULL; + gchar buffer[TEST_DATA_LENGTH]; + gssize size; + + connection = g_socket_client_connect_finish (G_SOCKET_CLIENT (source), + result, &error); + g_assert_no_error (error); + test->client_connection = G_IO_STREAM (connection); + + input_stream = g_io_stream_get_input_stream (test->client_connection); + output_stream = g_io_stream_get_output_stream (test->client_connection); + + /* read TEST_DATA_LENGTH once */ + size = g_input_stream_read (input_stream, &buffer, TEST_DATA_LENGTH, + NULL, &error); + g_assert_no_error (error); + g_assert_cmpint (size, ==, TEST_DATA_LENGTH); + + /* read TEST_DATA_LENGTH again to cause the time out */ + size = g_input_stream_read (input_stream, &buffer, TEST_DATA_LENGTH, + NULL, &error); + g_assert_error (error, G_IO_ERROR, G_IO_ERROR_TIMED_OUT); + g_assert_cmpint (size, ==, -1); + g_clear_error (&error); + + /* write after a timeout, session should still be valid */ + size = g_output_stream_write (output_stream, TEST_DATA, TEST_DATA_LENGTH, + NULL, &error); + g_assert_no_error (error); + g_assert_cmpint (size, ==, TEST_DATA_LENGTH); + + g_main_loop_quit (test->loop); +} + +static void +test_connection_read_time_out_write (TestConnection *test, + gconstpointer data) +{ + GSocketClient *client; + GTlsCertificateFlags flags; + GSocketConnection *connection; + GIOStream *base; + GError *error = NULL; + + /* Don't close the server connection after writing TEST_DATA. 
*/ + start_async_server_service (test, G_TLS_AUTHENTICATION_NONE, FALSE); + client = g_socket_client_new (); + /* Set a 1 second time out on the socket */ + g_socket_client_set_timeout (client, 1); + g_socket_client_set_tls (client, TRUE); + flags = G_TLS_CERTIFICATE_VALIDATE_ALL & ~G_TLS_CERTIFICATE_UNKNOWN_CA; + /* test->address doesn't match the server's cert */ + flags = flags & ~G_TLS_CERTIFICATE_BAD_IDENTITY; + g_socket_client_set_tls_validation_flags (client, flags); + + g_socket_client_connect_async (client, G_SOCKET_CONNECTABLE (test->address), + NULL, socket_client_timed_out_write, test); + + g_main_loop_run (test->loop); + + /* Close the server now */ + close_server_connection (test); + + connection = (GSocketConnection *)test->client_connection; + test->client_connection = NULL; + + g_assert (G_IS_TCP_WRAPPER_CONNECTION (connection)); + base = g_tcp_wrapper_connection_get_base_io_stream (G_TCP_WRAPPER_CONNECTION (connection)); + g_assert (G_IS_TLS_CONNECTION (base)); + + g_io_stream_close (G_IO_STREAM (connection), NULL, &error); + g_assert_no_error (error); + g_object_unref (connection); + + g_object_unref (client); +} + +static void simul_async_read_complete (GObject *object, GAsyncResult *result, gpointer user_data) @@ -823,10 +1439,29 @@ test_simultaneous_async (TestConnection *test, g_assert_cmpstr (test->buf, ==, TEST_DATA); } +static gboolean +check_gnutls_has_rehandshaking_bug (void) +{ + const char *version = gnutls_check_version (NULL); + + return (!strcmp (version, "3.1.27") || + !strcmp (version, "3.1.28") || + !strcmp (version, "3.2.19") || + !strcmp (version, "3.3.8") || + !strcmp (version, "3.3.9") || + !strcmp (version, "3.3.10")); +} + static void test_simultaneous_async_rehandshake (TestConnection *test, gconstpointer data) { + if (check_gnutls_has_rehandshaking_bug ()) + { + g_test_skip ("test would fail due to gnutls bug 108690"); + return; + } + test->rehandshake = TRUE; test_simultaneous_async (test, data); } 
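Review bot: socket_client_timed_out_write asserts that a single `g_input_stream_read` returns exactly TEST_DATA_LENGTH bytes, but that call may return fewer bytes than requested, so the first assertion depends on the payload arriving in one piece. Reading the first block with `g_input_stream_read_all (input_stream, buffer, TEST_DATA_LENGTH, &bytes_read, NULL, &error);` and a `gsize bytes_read` removes that dependency, while the second read, which is meant to time out, stays as it is. Passing `buffer` rather than `&buffer` would also match the buffer argument in the other reads in this file.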
@@ -921,6 +1556,12 @@ static void test_simultaneous_sync_rehandshake (TestConnection *test, gconstpointer data) { + if (check_gnutls_has_rehandshaking_bug ()) + { + g_test_skip ("test would fail due to gnutls bug 108690"); + return; + } + test->rehandshake = TRUE; test_simultaneous_sync (test, data); } @@ -932,7 +1573,7 @@ test_close_immediately (TestConnection *test, GIOStream *connection; GError *error = NULL; - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE, TRUE); test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); g_assert_no_error (error); g_object_unref (connection); @@ -956,6 +1597,17 @@ quit_loop_on_notify (GObject *obj, } static void +handshake_completed (GObject *object, + GAsyncResult *result, + gpointer user_data) +{ + gboolean *complete = user_data; + + *complete = TRUE; + return; +} + +static void test_close_during_handshake (TestConnection *test, gconstpointer data) { @@ -963,10 +1615,11 @@ test_close_during_handshake (TestConnection *test, GError *error = NULL; GMainContext *context; GMainLoop *loop; + gboolean handshake_complete = FALSE; g_test_bug ("688751"); - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUESTED); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUESTED, TRUE); test->expect_server_error = TRUE; test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); g_assert_no_error (error); 
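Review bot: handshake_completed only sets the flag and never calls `g_tls_connection_handshake_finish`, so the outcome of the handshake is dropped with no comment saying that is intended; the trailing `return;` is also redundant in a void function. The callers use the flag only to let the async call finish before teardown, so a short comment is enough: `/* The result is deliberately ignored; the tests only need to know the async handshake has finished. */`.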
@@ -979,8 +1632,8 @@ test_close_during_handshake (TestConnection *test, context = g_main_context_new (); g_main_context_push_thread_default (context); g_tls_connection_handshake_async (G_TLS_CONNECTION (test->client_connection), - G_PRIORITY_DEFAULT, - NULL, NULL, NULL); + G_PRIORITY_DEFAULT, NULL, + handshake_completed, &handshake_complete); g_main_context_pop_thread_default (context); /* Now run the (default GMainContext) loop, which is needed for 
@@ -1002,10 +1655,64 @@ test_close_during_handshake (TestConnection *test, /* We have to let the handshake_async() call finish now, or * teardown_connection() will assert. */ - g_main_context_iteration (context, TRUE); + while (!handshake_complete) + g_main_context_iteration (context, TRUE); + g_main_context_unref (context); +} + +static void +test_output_stream_close_during_handshake (TestConnection *test, + gconstpointer data) +{ + GIOStream *connection; + GError *error = NULL; + GMainContext *context; + GMainLoop *loop; + gboolean handshake_complete = FALSE; + + g_test_bug ("688751"); + + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUESTED, TRUE); + test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); + g_assert_no_error (error); + g_object_unref (connection); + + loop = g_main_loop_new (NULL, FALSE); + g_signal_connect (test->client_connection, "notify::accepted-cas", + G_CALLBACK (quit_loop_on_notify), loop); + + context = g_main_context_new (); + g_main_context_push_thread_default (context); + g_tls_connection_handshake_async (G_TLS_CONNECTION (test->client_connection), + G_PRIORITY_DEFAULT, NULL, + handshake_completed, &handshake_complete); + g_main_context_pop_thread_default (context); + + /* Now run the (default GMainContext) loop, which is needed for + * the server side of things. The client-side handshake will run in + * a thread, but its callback will never be invoked because its + * context isn't running. + */ + g_main_loop_run (loop); + g_main_loop_unref (loop); + + /* At this point handshake_thread() has started (and maybe + * finished), but handshake_thread_completed() (and thus + * finish_handshake()) has not yet run. Make sure close doesn't + * block. 
+ */ + g_output_stream_close (g_io_stream_get_output_stream (test->client_connection), NULL, &error); + g_assert_no_error (error); + + /* We have to let the handshake_async() call finish now, or + * teardown_connection() will assert. + */ + while (!handshake_complete) + g_main_context_iteration (context, TRUE); g_main_context_unref (context); } + static void test_write_during_handshake (TestConnection *test, gconstpointer data) @@ -1015,10 +1722,11 @@ test_write_during_handshake (TestConnection *test, GMainContext *context; GMainLoop *loop; GOutputStream *ostream; + gboolean handshake_complete = FALSE; g_test_bug ("697754"); - connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUESTED); + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUESTED, TRUE); test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); g_assert_no_error (error); g_object_unref (connection); @@ -1030,8 +1738,8 @@ test_write_during_handshake (TestConnection *test, context = g_main_context_new (); g_main_context_push_thread_default (context); g_tls_connection_handshake_async (G_TLS_CONNECTION (test->client_connection), - G_PRIORITY_DEFAULT, - NULL, NULL, NULL); + G_PRIORITY_DEFAULT, NULL, + handshake_completed, &handshake_complete); g_main_context_pop_thread_default (context); /* Now run the (default GMainContext) loop, which is needed for 
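Review bot: test_output_stream_close_during_handshake repeats test_close_during_handshake almost line for line, including `g_test_bug ("688751")`, but omits `test->expect_server_error = TRUE;`, and no comment says whether that difference is intended. If closing only the output stream is not expected to produce a server-side error, a one-line comment after the connect call should say so; otherwise the assignment is missing. The `while (!handshake_complete)` loop is unbounded, so a callback that never fires would hang the test instead of failing it. The shared setup (connect, signal hookup, handshake on a private GMainContext) could move into one static helper used by both tests.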
@@ -1056,15 +1764,230 @@ test_write_during_handshake (TestConnection *test, /* We have to let the handshake_async() call finish now, or * teardown_connection() will assert. */ - g_main_context_iteration (context, TRUE); + while (!handshake_complete) + g_main_context_iteration (context, TRUE); g_main_context_unref (context); } +static gboolean +async_implicit_handshake_dispatch (GPollableInputStream *stream, + gpointer user_data) +{ + TestConnection *test = user_data; + GError *error = NULL; + gchar buffer[TEST_DATA_LENGTH]; + gssize size; + gboolean keep_running; + + size = g_pollable_input_stream_read_nonblocking (stream, buffer, + TEST_DATA_LENGTH, + NULL, &error); + + keep_running = (-1 == size); + + if (keep_running) + { + g_assert_error (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK); + g_error_free (error); + } + else + { + g_assert_no_error (error); + g_assert_cmpint (size, ==, TEST_DATA_LENGTH); + g_main_loop_quit (test->loop); + } + + return keep_running; +} + +static void +test_async_implicit_handshake (TestConnection *test, gconstpointer data) +{ + GTlsCertificateFlags flags; + GIOStream *stream; + GInputStream *input_stream; + GSource *input_source; + GError *error = NULL; + + g_test_bug ("710691"); + + stream = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE, TRUE); + test->client_connection = g_tls_client_connection_new (stream, test->identity, &error); + g_assert_no_error (error); + g_object_unref (stream); + + flags = G_TLS_CERTIFICATE_VALIDATE_ALL & + ~(G_TLS_CERTIFICATE_UNKNOWN_CA | G_TLS_CERTIFICATE_BAD_IDENTITY); + g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection), + flags); + + /** + * Create a source from the client's input stream. The dispatch + * callback will be called a first time, which will perform a + * non-blocking read triggering the asynchronous implicit + * handshaking. 
+ */ + input_stream = g_io_stream_get_input_stream (test->client_connection); + input_source = + g_pollable_input_stream_create_source (G_POLLABLE_INPUT_STREAM (input_stream), + NULL); + + g_source_set_callback (input_source, + (GSourceFunc) async_implicit_handshake_dispatch, + test, NULL); + + g_source_attach (input_source, NULL); + + g_main_loop_run (test->loop); + + g_io_stream_close (G_IO_STREAM (test->client_connection), NULL, &error); + g_assert_no_error (error); + g_object_unref (test->client_connection); + test->client_connection = NULL; +} + +static void +quit_on_handshake_complete (GObject *object, + GAsyncResult *result, + gpointer user_data) +{ + TestConnection *test = user_data; + GError *error = NULL; + + g_tls_connection_handshake_finish (G_TLS_CONNECTION (object), result, &error); + g_assert_no_error (error); + + g_main_loop_quit (test->loop); + return; +} + +#define PRIORITY_SSL_FALLBACK "NORMAL:+VERS-SSL3.0" +#define PRIORITY_TLS_FALLBACK "NORMAL:+VERS-TLS-ALL:-VERS-SSL3.0" + +static void +test_fallback (gconstpointer data) +{ + const char *priority_string = (const char *) data; + char *test_name; + + test_name = g_strdup_printf ("/tls/connection/fallback/subprocess/%s", priority_string); + g_test_trap_subprocess (test_name, 0, 0); + g_test_trap_assert_passed (); + g_free (test_name); +} + +static void +test_fallback_subprocess (TestConnection *test, + gconstpointer data) +{ + GIOStream *connection; + GTlsConnection *tlsconn; + GError *error = NULL; + + connection = start_echo_server_and_connect_to_it (test); + test->client_connection = g_tls_client_connection_new (connection, NULL, &error); + g_assert_no_error (error); + tlsconn = G_TLS_CONNECTION (test->client_connection); + g_object_unref (connection); + + g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection), + 0); + g_tls_client_connection_set_use_ssl3 (G_TLS_CLIENT_CONNECTION (test->client_connection), + TRUE); + g_tls_connection_handshake_async 
(tlsconn, G_PRIORITY_DEFAULT, NULL, + quit_on_handshake_complete, test); + g_main_loop_run (test->loop); + + /* In 2.42 we don't have the API to test that the correct version was negotiated, + * so we merely test that the connection succeeded at all. + */ + + g_io_stream_close (test->client_connection, NULL, &error); + g_assert_no_error (error); +} + +static void +test_output_stream_close (TestConnection *test, + gconstpointer data) +{ + GIOStream *connection; + GError *error = NULL; + gboolean ret; + gboolean handshake_complete = FALSE; + gssize size; + + connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_NONE, TRUE); + test->client_connection = g_tls_client_connection_new (connection, test->identity, &error); + g_assert_no_error (error); + g_object_unref (connection); + + /* No validation at all in this test */ + g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection), + 0); + + g_tls_connection_handshake_async (G_TLS_CONNECTION (test->client_connection), + G_PRIORITY_DEFAULT, NULL, + handshake_completed, &handshake_complete); + + while (!handshake_complete) + g_main_context_iteration (NULL, TRUE); + + ret = g_output_stream_close (g_io_stream_get_output_stream (test->client_connection), + NULL, &error); + g_assert_no_error (error); + g_assert (ret); + + + /* Verify that double close returns TRUE */ + ret = g_output_stream_close (g_io_stream_get_output_stream (test->client_connection), + NULL, &error); + g_assert_no_error (error); + g_assert (ret); + + size = g_output_stream_write (g_io_stream_get_output_stream (test->client_connection), + "data", 4, NULL, &error); + g_assert (size == -1); + g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CLOSED); + g_clear_error (&error); + + /* We closed the output stream, but not the input stream, so receiving + * data should still work. 
+ */ + read_test_data_async (test); + g_main_loop_run (test->loop); + + g_assert_no_error (test->read_error); + g_assert_no_error (test->server_error); + + ret = g_io_stream_close (test->client_connection, NULL, &error); + g_assert_no_error (error); + g_assert (ret); +} + int main (int argc, char *argv[]) { int ret; + int i; + + /* Check if this is a subprocess, and set G_TLS_GNUTLS_PRIORITY + * appropriately if so. + */ + for (i = 1; i < argc - 1; i++) + { + if (!strcmp (argv[i], "-p")) + { + const char *priority = argv[i + 1]; + + priority = strrchr (priority, '/'); + if (priority++ && + (g_str_has_prefix (priority, "NORMAL:") || + g_str_has_prefix (priority, "NONE:"))) + g_setenv ("G_TLS_GNUTLS_PRIORITY", priority, TRUE); + break; + } + } g_test_init (&argc, &argv, NULL); g_test_bug_base ("http://bugzilla.gnome.org/"); 
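Review bot: In main, `if (priority++ && ...` increments the pointer returned by strrchr before testing it. When the argument after `-p` contains no '/', that is arithmetic on a null pointer, which the C standard leaves undefined even though the condition then evaluates false. Test first and offset afterwards: `if (priority != NULL && (g_str_has_prefix (priority + 1, "NORMAL:") || g_str_has_prefix (priority + 1, "NONE:")))` followed by `g_setenv ("G_TLS_GNUTLS_PRIORITY", priority + 1, TRUE);`. The string exported to G_TLS_GNUTLS_PRIORITY is taken from argv with only a prefix check; a short comment should state that this is intended for the fallback subprocess tests only. main's body continues outside the hunk.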
@@ -1077,12 +2000,28 @@ main (int argc, setup_connection, test_basic_connection, teardown_connection); g_test_add ("/tls/connection/verified", TestConnection, NULL, setup_connection, test_verified_connection, teardown_connection); + g_test_add ("/tls/connection/verified-chain", TestConnection, NULL, + setup_connection, test_verified_chain, teardown_connection); + g_test_add ("/tls/connection/verified-chain-with-redundant-root-cert", TestConnection, NULL, + setup_connection, test_verified_chain_with_redundant_root_cert, teardown_connection); + g_test_add ("/tls/connection/verified-chain-with-duplicate-server-cert", TestConnection, NULL, + setup_connection, test_verified_chain_with_duplicate_server_cert, teardown_connection); + g_test_add ("/tls/connection/verified-unordered-chain", TestConnection, NULL, + setup_connection, test_verified_unordered_chain, teardown_connection); + g_test_add ("/tls/connection/verified-chain-with-alternative-ca-cert", TestConnection, NULL, + setup_connection, test_verified_chain_with_alternative_ca_cert, teardown_connection); + g_test_add ("/tls/connection/invalid-chain-with-alternative-ca-cert", TestConnection, NULL, + setup_connection, test_invalid_chain_with_alternative_ca_cert, teardown_connection); g_test_add ("/tls/connection/client-auth", TestConnection, NULL, setup_connection, test_client_auth_connection, teardown_connection); g_test_add ("/tls/connection/client-auth-rehandshake", TestConnection, NULL, setup_connection, test_client_auth_rehandshake, teardown_connection); g_test_add ("/tls/connection/client-auth-failure", TestConnection, NULL, setup_connection, test_client_auth_failure, teardown_connection); + g_test_add ("/tls/connection/client-auth-request-cert", TestConnection, NULL, + setup_connection, test_client_auth_request_cert, teardown_connection); + g_test_add ("/tls/connection/client-auth-request-fail", TestConnection, NULL, + setup_connection, test_client_auth_request_fail, teardown_connection); g_test_add 
("/tls/connection/no-database", TestConnection, NULL, setup_connection, test_connection_no_database, teardown_connection); g_test_add ("/tls/connection/failed", TestConnection, NULL, 
@@ -1091,20 +2030,37 @@ main (int argc, setup_connection, test_connection_socket_client, teardown_connection); g_test_add ("/tls/connection/socket-client-failed", TestConnection, NULL, setup_connection, test_connection_socket_client_failed, teardown_connection); + g_test_add ("/tls/connection/read-time-out-then-write", TestConnection, NULL, + setup_connection, test_connection_read_time_out_write, teardown_connection); g_test_add ("/tls/connection/simultaneous-async", TestConnection, NULL, setup_connection, test_simultaneous_async, teardown_connection); g_test_add ("/tls/connection/simultaneous-sync", TestConnection, NULL, - setup_connection, test_simultaneous_sync, teardown_connection); + setup_connection, test_simultaneous_sync, teardown_connection); g_test_add ("/tls/connection/simultaneous-async-rehandshake", TestConnection, NULL, setup_connection, test_simultaneous_async_rehandshake, teardown_connection); g_test_add ("/tls/connection/simultaneous-sync-rehandshake", TestConnection, NULL, - setup_connection, test_simultaneous_sync_rehandshake, teardown_connection); + setup_connection, test_simultaneous_sync_rehandshake, teardown_connection); g_test_add ("/tls/connection/close-immediately", TestConnection, NULL, setup_connection, test_close_immediately, teardown_connection); g_test_add ("/tls/connection/close-during-handshake", TestConnection, NULL, setup_connection, test_close_during_handshake, teardown_connection); + g_test_add ("/tls/connection/close-output-stream-during-handshake", TestConnection, NULL, + setup_connection, test_output_stream_close_during_handshake, teardown_connection); g_test_add ("/tls/connection/write-during-handshake", TestConnection, NULL, setup_connection, test_write_during_handshake, teardown_connection); + g_test_add ("/tls/connection/async-implicit-handshake", TestConnection, NULL, + setup_connection, test_async_implicit_handshake, teardown_connection); + g_test_add ("/tls/connection/output-stream-close", TestConnection, NULL, + 
setup_connection, test_output_stream_close, teardown_connection); + + g_test_add_data_func ("/tls/connection/fallback/SSL", PRIORITY_SSL_FALLBACK, test_fallback); + g_test_add ("/tls/connection/fallback/subprocess/" PRIORITY_SSL_FALLBACK, + TestConnection, NULL, + setup_connection, test_fallback_subprocess, teardown_connection); + g_test_add_data_func ("/tls/connection/fallback/TLS", PRIORITY_TLS_FALLBACK, test_fallback); + g_test_add ("/tls/connection/fallback/subprocess/" PRIORITY_TLS_FALLBACK, + TestConnection, NULL, + setup_connection, test_fallback_subprocess, teardown_connection); ret = g_test_run(); diff --git a/tls/tests/file-database.c b/tls/tests/file-database.c index 5b6756f..40e292a 100644 --- a/tls/tests/file-database.c +++ b/tls/tests/file-database.c @@ -16,6 +16,9 @@ * Public License along with this library; if not, see * . * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ @@ -28,7 +31,28 @@ #include #include -#define TEST_FILE(name) (SRCDIR "/files/" name) +static const gchar * +tls_test_file_path (const char *name) +{ + const gchar *const_path; + gchar *path; + + path = g_test_build_filename (G_TEST_DIST, "files", name, NULL); + if (!g_path_is_absolute (path)) + { + gchar *cwd, *abs; + + cwd = g_get_current_dir (); + abs = g_build_filename (cwd, path, NULL); + g_free (cwd); + g_free (path); + path = abs; + } + + const_path = g_intern_string (path); + g_free (path); + return const_path; +} /* ----------------------------------------------------------------------------- * CERTIFICATE VERIFY 
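Review bot: tls_test_file_path does not document who owns the string it returns. It hands back the result of g_intern_string, so callers must not free it, and each distinct path stays allocated for the life of the process. A header comment would make that explicit, for example `/* Returns an absolute path to NAME in the test "files" directory; the string is interned and must not be freed. */`. This matters where the pointer is kept, as in `test->path = tls_test_file_path ("ca-roots.pem");` in setup_file_database later in this file.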
@@ -46,13 +70,13 @@ setup_verify (TestVerify *test, { GError *error = NULL; - test->cert = g_tls_certificate_new_from_file (TEST_FILE ("server.pem"), &error); + test->cert = g_tls_certificate_new_from_file (tls_test_file_path ("server.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (test->cert)); test->identity = g_network_address_new ("server.example.com", 80); - test->database = g_tls_file_database_new (TEST_FILE ("ca.pem"), &error); + test->database = g_tls_file_database_new (tls_test_file_path ("ca.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_DATABASE (test->database)); } @@ -126,7 +150,7 @@ test_verify_database_bad_ca (TestVerify *test, GError *error = NULL; /* Use another certificate which isn't in our CA list */ - cert = g_tls_certificate_new_from_file (TEST_FILE ("server-self.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("server-self.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cert)); @@ -148,7 +172,7 @@ test_verify_database_bad_before (TestVerify *test, GError *error = NULL; /* This is a certificate in the future */ - cert = g_tls_certificate_new_from_file (TEST_FILE ("client-future.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-future.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cert)); @@ -170,7 +194,7 @@ test_verify_database_bad_expired (TestVerify *test, GError *error = NULL; /* This is a certificate in the future */ - cert = g_tls_certificate_new_from_file (TEST_FILE ("client-past.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-past.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cert)); 
@@ -192,7 +216,7 @@ test_verify_database_bad_combo (TestVerify *test, GTlsCertificateFlags errors; GError *error = NULL; - cert = g_tls_certificate_new_from_file (TEST_FILE ("server-self.pem"), &error); + cert = g_tls_certificate_new_from_file (tls_test_file_path ("server-self.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (cert)); @@ -219,7 +243,7 @@ load_certificate_chain (const char *filename, GError **error) { GList *certificates; - GTlsCertificate *chain = NULL; + GTlsCertificate *chain = NULL, *prev_chain = NULL; GTlsBackend *backend; GByteArray *der; GList *l; @@ -232,12 +256,14 @@ load_certificate_chain (const char *filename, certificates = g_list_reverse (certificates); for (l = certificates; l != NULL; l = g_list_next (l)) { + prev_chain = chain; g_object_get (l->data, "certificate", &der, NULL); chain = g_object_new (g_tls_backend_get_certificate_type (backend), "certificate", der, - "issuer", chain, + "issuer", prev_chain, NULL); g_byte_array_unref (der); + g_clear_object (&prev_chain); } g_list_free_full (certificates, g_object_unref); @@ -272,11 +298,11 @@ test_verify_with_incorrect_root_in_chain (void) * This database contains a single anchor certificate of: * C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority */ - database = g_tls_file_database_new (TEST_FILE ("ca-verisign-sha1.pem"), &error); + database = g_tls_file_database_new (tls_test_file_path ("ca-verisign-sha1.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_DATABASE (database)); - ca_verisign_sha1 = g_tls_certificate_new_from_file (TEST_FILE ("ca-verisign-sha1.pem"), &error); + ca_verisign_sha1 = g_tls_certificate_new_from_file (tls_test_file_path ("ca-verisign-sha1.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (ca_verisign_sha1)); 
@@ -288,7 +314,7 @@ test_verify_with_incorrect_root_in_chain (void) * verify this chain as valid, since the issuer fields and signatures should chain up * to the certificate in our database. */ - chain = load_certificate_chain (TEST_FILE ("chain-with-verisign-md2.pem"), &error); + chain = load_certificate_chain (tls_test_file_path ("chain-with-verisign-md2.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (chain)); @@ -328,7 +354,7 @@ setup_file_database (TestFileDatabase *test, { GError *error = NULL; - test->path = TEST_FILE ("ca-roots.pem"); + test->path = tls_test_file_path ("ca-roots.pem"); test->database = g_tls_file_database_new (test->path, &error); g_assert_no_error (error); g_assert (G_IS_TLS_DATABASE (test->database)); @@ -360,7 +386,7 @@ test_file_database_handle (TestFileDatabase *test, * is 'in' the database. */ - certificate = g_tls_certificate_new_from_file (TEST_FILE ("ca.pem"), &error); + certificate = g_tls_certificate_new_from_file (tls_test_file_path ("ca.pem"), &error); g_assert_no_error (error); g_assert (G_IS_TLS_CERTIFICATE (certificate)); @@ -404,11 +430,11 @@ test_anchors_property (void) gchar *anchor_filename = NULL; GError *error = NULL; - database = g_tls_file_database_new (TEST_FILE ("ca.pem"), &error); + database = g_tls_file_database_new (tls_test_file_path ("ca.pem"), &error); g_assert_no_error (error); g_object_get (database, "anchors", &anchor_filename, NULL); - g_assert_cmpstr (anchor_filename, ==, TEST_FILE ("ca.pem")); + g_assert_cmpstr (anchor_filename, ==, tls_test_file_path ("ca.pem")); g_free (anchor_filename); g_object_unref (database); 
@@ -440,14 +466,21 @@ certificate_is_in_list (GList *certificates, static void test_lookup_certificates_issued_by (void) { - /* This data is generated from the frob-certificate test tool in gcr library */ + /* This data is generated from the frob-certificate test tool in gcr library. + * To regenerate (from e.g. a directory containing gcr and glib-networking): + * + * $ gcr/frob-certificate glib-networking/tls/tests/files/ca.pem + * + * Then copy the hex that is printed after "subject" (not "issuer"!) and add + * the missing 'x's. + */ const guchar ISSUER[] = "\x30\x81\x86\x31\x13\x30\x11\x06\x0A\x09\x92\x26\x89\x93\xF2" "\x2C\x64\x01\x19\x16\x03\x43\x4F\x4D\x31\x17\x30\x15\x06\x0A" "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x19\x16\x07\x45\x58\x41" - "\x4D\x50\x4C\x45\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15" + "\x4D\x50\x4C\x45\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x0C\x15" "\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74" "\x68\x6F\x72\x69\x74\x79\x31\x17\x30\x15\x06\x03\x55\x04\x03" - "\x13\x0E\x63\x61\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F" + "\x0C\x0E\x63\x61\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F" "\x6D\x31\x1D\x30\x1B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09" "\x01\x16\x0E\x63\x61\x40\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63" "\x6F\x6D"; @@ -457,7 +490,7 @@ test_lookup_certificates_issued_by (void) GTlsDatabase *database; GError *error = NULL; - database = g_tls_file_database_new (TEST_FILE ("non-ca.pem"), &error); + database = g_tls_file_database_new (tls_test_file_path ("non-ca.pem"), &error); g_assert_no_error (error); issuer_dn = g_byte_array_new (); 
@@ -472,15 +505,14 @@ test_lookup_certificates_issued_by (void) g_assert_cmpuint (g_list_length (certificates), ==, 4); - g_assert (certificate_is_in_list (certificates, TEST_FILE ("client.pem"))); - g_assert (certificate_is_in_list (certificates, TEST_FILE ("client-future.pem"))); - g_assert (certificate_is_in_list (certificates, TEST_FILE ("client-past.pem"))); - g_assert (certificate_is_in_list (certificates, TEST_FILE ("server.pem"))); - g_assert (!certificate_is_in_list (certificates, TEST_FILE ("server-self.pem"))); + g_assert (certificate_is_in_list (certificates, tls_test_file_path ("client.pem"))); + g_assert (certificate_is_in_list (certificates, tls_test_file_path ("client-future.pem"))); + g_assert (certificate_is_in_list (certificates, tls_test_file_path ("client-past.pem"))); + g_assert (certificate_is_in_list (certificates, tls_test_file_path ("server.pem"))); + g_assert (!certificate_is_in_list (certificates, tls_test_file_path ("server-self.pem"))); g_list_free_full (certificates, g_object_unref); g_object_unref (database); - g_byte_array_unref (issuer_dn); } static void diff --git a/tls/tests/files/ca-alternative.pem b/tls/tests/files/ca-alternative.pem new file mode 100644 index 0000000..695fc37 --- /dev/null +++ b/tls/tests/files/ca-alternative.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID8DCCA1mgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnzETMBEGCgmSJomT8ixk +ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxLDAqBgNVBAsMI09sZCBV +bnRydXN0ZWQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSIwIAYDVQQDDBlvbmNlLndh +cy5hLmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLmNv +bTAeFw0xNTA4MzAwMDIyMzFaFw00NTA4MjIwMDIyMzFaMIGGMRMwEQYKCZImiZPy +LGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYHRVhBTVBMRTEeMBwGA1UECwwVQ2Vy +dGlmaWNhdGUgQXV0aG9yaXR5MRcwFQYDVQQDDA5jYS5leGFtcGxlLmNvbTEdMBsG +CSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A +MIGJAoGBAL2qSsuOcbcaJ9+uvbKan/v5186d6u1i5kIk3dPu4etHegHpDG5baq+C +IUdY1AyCcz6OL61J1lbB3Ksk6eyo9woKHHto0BJ9IVEb7K7pT+gau7QeS15MUK5m +NfueUfIdXTCNpHez6Nzt4H57bgqJJrJnHnondOuEalEFgDtOBqilAgMBAAGjggFR +MIIBTTAdBgNVHQ4EFgQUmAbQgRwBOJuIai3NygAtGQ9xlbEwgdQGA1UdIwSBzDCB +yYAULu6rFocDkpwOJyAjyQrCxuefLW+hgaWkgaIwgZ8xEzARBgoJkiaJk/IsZAEZ +FgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMSwwKgYDVQQLDCNPbGQgVW50 +cnVzdGVkIENlcnRpZmljYXRlIEF1dGhvcml0eTEiMCAGA1UEAwwZb25jZS53YXMu +YS5jYS5leGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb22C +CQD9kIwlfKYqXDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAZBgNV +HREEEjAQgQ5jYUBleGFtcGxlLmNvbTAZBgNVHRIEEjAQgQ5jYUBleGFtcGxlLmNv +bTANBgkqhkiG9w0BAQUFAAOBgQA9CNpCI5kLKsccy73SZWyp2fEwMDrZHMJvChdv +1CWaE1BYlLQWtr1bSy2aEPZujMVzUW5XtoRlLWpTBxUB7o888u7FJmFVhEv4Apq2 +DZ8yDlIy4yHFOShIQfmfdeDzYSoxXgoUINqxQDpfKXrQCB9OqQjI4yrJkw+lO7fs +eIIk5w== +-----END CERTIFICATE----- diff --git a/tls/tests/files/ca-key.pem b/tls/tests/files/ca-key.pem new file mode 100644 index 0000000..306604e --- /dev/null +++ b/tls/tests/files/ca-key.pem 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQC9qkrLjnG3Giffrr2ymp/7+dfOnertYuZCJN3T7uHrR3oB6Qxu +W2qvgiFHWNQMgnM+ji+tSdZWwdyrJOnsqPcKChx7aNASfSFRG+yu6U/oGru0Hkte +TFCuZjX7nlHyHV0wjaR3s+jc7eB+e24KiSayZx56J3TrhGpRBYA7TgaopQIDAQAB +AoGAY6BlA4HCV9TkZwnJ2VyBdwFpC75F3gYaP1pQL3gGsejsvL4m6n0YkDKBupF9 +aUjIsm5LuvHTJeVVPYz5V3f1syZr4fYYpmwoWjHkb6g55R9iAgmSd29gQwu0OdsP +EhothysqPMvhWQi2gLHAz14U+EZVH9zKCZ50GW7bTrZoc20CQQD2LkPn6S2HQhPl +Ks9HmPAsFkd0dKE0zE2IKvgsCiBsfvd4H1u0QO17ZWNR8AK9x16gnrDv0Xjpsw6H +V9xaMsY7AkEAxTrzZKdaeu1BFDuLdgGuEj5YOUbhXjmldDwvw/xFXPU03MjCVDjo +4V6MDZJ1HlpwWBCYO+pIyRd5NADXh33+nwJBAPT8d6FbYG6BKJFfd+V1YlVNWpCe +3CpRwjpnII+bCEdQVu9YrYcFMhAhhqRs6B16QUYwhj4yRFS1VxkDK4srii8CQCdm +U2D0HZsY8js8eeulAkUatz0Z78OG+Ipzy4b3SlP7mAfTAx8YD02WOZwsecEKiA7P +odm2P7wMOGYvFN84SDkCQQCYg8rdrLdM1Wx+/k9aiFku1LmyHLZPtq39je4S/EJN +ibWCMmhysz6cuIKykUYI7DKolQnxu4BWLnn9ff60T1xp +-----END RSA PRIVATE KEY----- diff --git a/tls/tests/files/ca-roots-bad.pem b/tls/tests/files/ca-roots-bad.pem new file mode 100644 index 0000000..0f8d7cc --- /dev/null +++ b/tls/tests/files/ca-roots-bad.pem 
@@ -0,0 +1,90 @@ +-----BEGIN CERTIFICATE----- +MIIDxjCCAy+gAwIBAgIJAO+Cui0EIECvMA0GCSqGSIb3DQEBBQUAMIGGMRMwEQYK +CZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYHRVhBTVBMRTEeMBwGA1UE +CwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcwFQYDVQQDDA5jYS5leGFtcGxlLmNv +bTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNMTUwODMwMDAyMjMx +WhcNNDUwODIyMDAyMjMxWjCBhjETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmS +JomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRpZmljYXRlIEF1dGhvcml0 +eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4 +YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9qkrLjnG3Giff +rr2ymp/7+dfOnertYuZCJN3T7uHrR3oB6QxuW2qvgiFHWNQMgnM+ji+tSdZWwdyr +JOnsqPcKChx7aNASfSFRG+yu6U/oGru0HkteTFCuZjX7nlHyHV0wjaR3s+jc7eB+ +e24KiSayZx56J3TrhGpRBYA7TgaopQIDAQABo4IBODCCATQwHQYDVR0OBBYEFJgG +0IEcATibiGotzcoALRkPcZWxMIG7BgNVHSMEgbMwgbCAFJgG0IEcATibiGotzcoA +LRkPcZWxoYGMpIGJMIGGMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPy +LGQBGRYHRVhBTVBMRTEeMBwGA1UECwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcw +FQYDVQQDDA5jYS5leGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBs +ZS5jb22CCQDvgrotBCBArzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +BjAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTAZBgNVHRIEEjAQgQ5jYUBleGFt +cGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQCuwCsxZxXctjLr059fFd94Yb6lDyPr +Gd9H4luK9G4NNf2QiD94SfYAEy8C3Lw2/VIYf5kuNPJE2+0AOpCJ3pD3id2JC8Qf +lnIsGHCclrxldY5NX3S/p2T8wsgBdz5wfzDGm1GANdI5M1YrTN0ExebOspXnXGed +9jx8rdTVQwErTw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 +IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB +IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA +Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO +BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi +MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ +ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ 
+8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 +zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y +fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 +w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc +G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k +epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q +laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ +QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU +fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 +YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w +ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY +gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe +MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 +IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy +dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw +czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 +dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl +aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC +AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg +b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB +ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc +nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg +18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c +gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl +Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY +sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T +SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF +CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum +GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk +zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW 
+omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGCDCCA/CgAwIBAgIBATANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 +IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB +IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA +Y2FjZXJ0Lm9yZzAeFw0wNTEwMTQwNzM2NTVaFw0zMzAzMjgwNzM2NTVaMFQxFDAS +BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v +cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9 +4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB +Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J +0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ +FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx +bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q +SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb +6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV +m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g +eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG +kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7 +6QIDAQABo4G/MIG8MA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMG +CCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYc +aHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQB +gZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5w +aHA/aWQ9MTAwDQYJKoZIhvcNAQEEBQADggIBAH8IiKHaGlBJ2on7oQhy84r3HsQ6 +tHlbIDCxRd7CXdNlafHCXVRUPIVfuXtCkcKZ/RtRm6tGpaEQU55tiKxzbiwzpvD0 +nuB1wT6IRanhZkP+VlrRekF490DaSjrxC1uluxYG5sLnk7mFTZdPsR44Q4Dvmw2M +77inYACHV30eRBzLI++bPJmdr7UpHEV5FpZNJ23xHGzDwlVks7wU4vOkHx4y/CcV diff --git a/tls/tests/files/ca-roots.pem b/tls/tests/files/ca-roots.pem index cf9e9d5..435a1da 100644 --- a/tls/tests/files/ca-roots.pem +++ b/tls/tests/files/ca-roots.pem 
@@ -1,26 +1,31 @@ +These are some CA certificates + -----BEGIN CERTIFICATE----- -MIIDxjCCAy+gAwIBAgIJAOpd4Em2fjp3MA0GCSqGSIb3DQEBBQUAMIGGMRMwEQYK +MIIDxjCCAy+gAwIBAgIJAO+Cui0EIECvMA0GCSqGSIb3DQEBBQUAMIGGMRMwEQYK CZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYHRVhBTVBMRTEeMBwGA1UE -CxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcwFQYDVQQDEw5jYS5leGFtcGxlLmNv -bTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNMDcxMjIwMTc1NjA2 -WhcNMzUwNTA4MTc1NjA2WjCBhjETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmS -JomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0 -eTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4 -YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD5OjHuXXN2LG3s -FHISaZZ6L1RSYgRdTenu1nvqkMn/xvzOz385oede1z/7f6BoXyM0kNWCf4SOXtXr -EIGmQoeURhFfLCnoK8NHfNcel3IPyMPhdJUMJlc3gfpWm+QxjkyqVyMhyYxC9Pmg -QC7zx4ZKcQrL3zVGYtg8wxmaKY2HwQIDAQABo4IBODCCATQwHQYDVR0OBBYEFNSE -nYhMCPaaFynFeQ2R5y25+AcFMIG7BgNVHSMEgbMwgbCAFNSEnYhMCPaaFynFeQ2R -5y25+AcFoYGMpIGJMIGGMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPy -LGQBGRYHRVhBTVBMRTEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcw -FQYDVQQDEw5jYS5leGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBs -ZS5jb22CCQDqXeBJtn46dzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +CwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcwFQYDVQQDDA5jYS5leGFtcGxlLmNv +bTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNMTUwODMwMDAyMjMx +WhcNNDUwODIyMDAyMjMxWjCBhjETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmS +JomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRpZmljYXRlIEF1dGhvcml0 +eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4 +YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9qkrLjnG3Giff +rr2ymp/7+dfOnertYuZCJN3T7uHrR3oB6QxuW2qvgiFHWNQMgnM+ji+tSdZWwdyr +JOnsqPcKChx7aNASfSFRG+yu6U/oGru0HkteTFCuZjX7nlHyHV0wjaR3s+jc7eB+ +e24KiSayZx56J3TrhGpRBYA7TgaopQIDAQABo4IBODCCATQwHQYDVR0OBBYEFJgG +0IEcATibiGotzcoALRkPcZWxMIG7BgNVHSMEgbMwgbCAFJgG0IEcATibiGotzcoA +LRkPcZWxoYGMpIGJMIGGMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPy +LGQBGRYHRVhBTVBMRTEeMBwGA1UECwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcw 
+FQYDVQQDDA5jYS5leGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBs +ZS5jb22CCQDvgrotBCBArzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB BjAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTAZBgNVHRIEEjAQgQ5jYUBleGFt -cGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQA6xjU2aPgMOh2yyz2KCb6d5gNNvfr4 -pLGpZWilbRkA36OOG43zxeRZoumh1ybyOvhm73cMvNihDUyOf7vQe75Qtp5koGPS -V3mSruhsRGvOZxcV+SJnBj1exKyH3mdaZA74Xg4y5qkUkywPqnP5Y+E6UMJM7Nmw -kHk2bKJC5vjxoA== +cGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQCuwCsxZxXctjLr059fFd94Yb6lDyPr +Gd9H4luK9G4NNf2QiD94SfYAEy8C3Lw2/VIYf5kuNPJE2+0AOpCJ3pD3id2JC8Qf +lnIsGHCclrxldY5NX3S/p2T8wsgBdz5wfzDGm1GANdI5M1YrTN0ExebOspXnXGed +9jx8rdTVQwErTw== -----END CERTIFICATE----- + +GLib shouldn't care about this comment + -----BEGIN CERTIFICATE----- MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB @@ -200,3 +205,5 @@ TSEwjsrZqG9JGubaUeNgcGyEYRGhGshIPllDfU+VPaGLtwtimHp1it2ITk6e QNuozDJ0uW8NxuOzRAvZim+aKZuZGCg70eNAKJpaPNW15yAbi8qkq43pUdni TCxZqdq5snUb9kLy78fyGPmJvKP/iiMucEc= -----END CERTIFICATE----- + +Thank you for loading this list of CA certificates. diff --git a/tls/tests/files/ca.pem b/tls/tests/files/ca.pem index b8d6008..be5d6fc 100644 --- a/tls/tests/files/ca.pem +++ b/tls/tests/files/ca.pem 
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDxjCCAy+gAwIBAgIJAOpd4Em2fjp3MA0GCSqGSIb3DQEBBQUAMIGGMRMwEQYK +MIIDxjCCAy+gAwIBAgIJAO+Cui0EIECvMA0GCSqGSIb3DQEBBQUAMIGGMRMwEQYK CZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYHRVhBTVBMRTEeMBwGA1UE -CxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcwFQYDVQQDEw5jYS5leGFtcGxlLmNv -bTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNMDcxMjIwMTc1NjA2 -WhcNMzUwNTA4MTc1NjA2WjCBhjETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmS -JomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0 -eTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4 -YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD5OjHuXXN2LG3s -FHISaZZ6L1RSYgRdTenu1nvqkMn/xvzOz385oede1z/7f6BoXyM0kNWCf4SOXtXr -EIGmQoeURhFfLCnoK8NHfNcel3IPyMPhdJUMJlc3gfpWm+QxjkyqVyMhyYxC9Pmg -QC7zx4ZKcQrL3zVGYtg8wxmaKY2HwQIDAQABo4IBODCCATQwHQYDVR0OBBYEFNSE -nYhMCPaaFynFeQ2R5y25+AcFMIG7BgNVHSMEgbMwgbCAFNSEnYhMCPaaFynFeQ2R -5y25+AcFoYGMpIGJMIGGMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPy -LGQBGRYHRVhBTVBMRTEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcw -FQYDVQQDEw5jYS5leGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBs -ZS5jb22CCQDqXeBJtn46dzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +CwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcwFQYDVQQDDA5jYS5leGFtcGxlLmNv +bTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNMTUwODMwMDAyMjMx +WhcNNDUwODIyMDAyMjMxWjCBhjETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmS +JomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRpZmljYXRlIEF1dGhvcml0 +eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4 +YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9qkrLjnG3Giff +rr2ymp/7+dfOnertYuZCJN3T7uHrR3oB6QxuW2qvgiFHWNQMgnM+ji+tSdZWwdyr +JOnsqPcKChx7aNASfSFRG+yu6U/oGru0HkteTFCuZjX7nlHyHV0wjaR3s+jc7eB+ +e24KiSayZx56J3TrhGpRBYA7TgaopQIDAQABo4IBODCCATQwHQYDVR0OBBYEFJgG +0IEcATibiGotzcoALRkPcZWxMIG7BgNVHSMEgbMwgbCAFJgG0IEcATibiGotzcoA +LRkPcZWxoYGMpIGJMIGGMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPy +LGQBGRYHRVhBTVBMRTEeMBwGA1UECwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcw 
+FQYDVQQDDA5jYS5leGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBs +ZS5jb22CCQDvgrotBCBArzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB BjAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTAZBgNVHRIEEjAQgQ5jYUBleGFt -cGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQA6xjU2aPgMOh2yyz2KCb6d5gNNvfr4 -pLGpZWilbRkA36OOG43zxeRZoumh1ybyOvhm73cMvNihDUyOf7vQe75Qtp5koGPS -V3mSruhsRGvOZxcV+SJnBj1exKyH3mdaZA74Xg4y5qkUkywPqnP5Y+E6UMJM7Nmw -kHk2bKJC5vjxoA== +cGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQCuwCsxZxXctjLr059fFd94Yb6lDyPr +Gd9H4luK9G4NNf2QiD94SfYAEy8C3Lw2/VIYf5kuNPJE2+0AOpCJ3pD3id2JC8Qf +lnIsGHCclrxldY5NX3S/p2T8wsgBdz5wfzDGm1GANdI5M1YrTN0ExebOspXnXGed +9jx8rdTVQwErTw== -----END CERTIFICATE----- diff --git a/tls/tests/files/chain.pem b/tls/tests/files/chain.pem new file mode 100644 index 0000000..9fedf90 --- /dev/null +++ b/tls/tests/files/chain.pem 
@@ -0,0 +1,59 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAcegAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrTETMBEGCgmSJomT8ixk +ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxKzApBgNVBAsMIkludGVy +bWVkaWF0ZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJDAiBgNVBAMMG2ludGVybWVk +aWF0ZS1jYS5leGFtcGxlLmNvbTEqMCgGCSqGSIb3DQEJARYbaW50ZXJtZWRpYXRl +LWNhQGV4YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzOVoXDTQwMDgyMzAwMjIzOVow +SzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUx +GzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sA +MEgCQQDNj0xKKyi/+5iG2FTs/lOgwKPorRg69o4zsmMcVOfvwI1IN4FRSsPpqaJN +urHcGNqvGoj07hNBdWxdoixF4pmnAgMBAAGjMzAxMAkGA1UdEwQCMAAwEwYDVR0l +BAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgwBocEwKgBFjANBgkqhkiG9w0BAQUFAANB +ALl1WO7IZYOvPwhyQ4EpCLjSsTuGBcfbWFtw4XiQueZ8TILHcZARH4nW1tKoVWzc +rIGhqRjNMWRmaH1wgSCGRiE= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDrjCCAxegAwIBAgIBBjANBgkqhkiG9w0BAQUFADCBhjETMBEGCgmSJomT8ixk +ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRp +ZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkq +hkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzOVoXDTQwMDgy +MzAwMjIzOVowga0xEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZ +FgdFWEFNUExFMSswKQYDVQQLDCJJbnRlcm1lZGlhdGUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MSQwIgYDVQQDDBtpbnRlcm1lZGlhdGUtY2EuZXhhbXBsZS5jb20xKjAo +BgkqhkiG9w0BCQEWG2ludGVybWVkaWF0ZS1jYUBleGFtcGxlLmNvbTBcMA0GCSqG +SIb3DQEBAQUAA0sAMEgCQQDRMidrtJAZ27tI9gA3hhIP7S5EtfjhMHUi8mDNL2Ju +V7nMDGoAEUfHV3x/+Eb/TeymvBiRzlUD6YGQRK+2C8+LAgMBAAGjggFFMIIBQTAd +BgNVHQ4EFgQUXfcpYB1wgmZiB/WN7EW342wlZwEwgbsGA1UdIwSBszCBsIAUmAbQ +gRwBOJuIai3NygAtGQ9xlbGhgYykgYkwgYYxEzARBgoJkiaJk/IsZAEZFgNDT00x +FzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkB +Fg5jYUBleGFtcGxlLmNvbYIJAO+Cui0EIECvMA8GA1UdEwEB/wQFMAMBAf8wDgYD +VR0PAQH/BAQDAgEGMCYGA1UdEQQfMB2BG2ludGVybWVkaWF0ZS1jYUBleGFtcGxl +LmNvbTAZBgNVHRIEEjAQgQ5jYUBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQUFAAOB 
+gQAmXVdwAZalZGtXBkdICHaWyVRmgCFRZfzVbGBOkeW+TEBiMgG+XrwlMQs5yyf/ +T8Mmw8TcqBJYdQhqcctbgFcSxejVAL7DnEfFcvH6acXy0K9l48pKAnYgcHstOAX2 +Fb+rSpmMDXgWuhKNudJyoOVQ/5H9LJyg6JYqoG5jqS9iQg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDxjCCAy+gAwIBAgIJAO+Cui0EIECvMA0GCSqGSIb3DQEBBQUAMIGGMRMwEQYK +CZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYHRVhBTVBMRTEeMBwGA1UE +CwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcwFQYDVQQDDA5jYS5leGFtcGxlLmNv +bTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNMTUwODMwMDAyMjMx +WhcNNDUwODIyMDAyMjMxWjCBhjETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmS +JomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRpZmljYXRlIEF1dGhvcml0 +eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4 +YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9qkrLjnG3Giff +rr2ymp/7+dfOnertYuZCJN3T7uHrR3oB6QxuW2qvgiFHWNQMgnM+ji+tSdZWwdyr +JOnsqPcKChx7aNASfSFRG+yu6U/oGru0HkteTFCuZjX7nlHyHV0wjaR3s+jc7eB+ +e24KiSayZx56J3TrhGpRBYA7TgaopQIDAQABo4IBODCCATQwHQYDVR0OBBYEFJgG +0IEcATibiGotzcoALRkPcZWxMIG7BgNVHSMEgbMwgbCAFJgG0IEcATibiGotzcoA +LRkPcZWxoYGMpIGJMIGGMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPy +LGQBGRYHRVhBTVBMRTEeMBwGA1UECwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcw +FQYDVQQDDA5jYS5leGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBs +ZS5jb22CCQDvgrotBCBArzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +BjAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTAZBgNVHRIEEjAQgQ5jYUBleGFt +cGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQCuwCsxZxXctjLr059fFd94Yb6lDyPr +Gd9H4luK9G4NNf2QiD94SfYAEy8C3Lw2/VIYf5kuNPJE2+0AOpCJ3pD3id2JC8Qf +lnIsGHCclrxldY5NX3S/p2T8wsgBdz5wfzDGm1GANdI5M1YrTN0ExebOspXnXGed +9jx8rdTVQwErTw== +-----END CERTIFICATE----- diff --git a/tls/tests/files/client-and-key.pem b/tls/tests/files/client-and-key.pem index 897b5f2..86a405d 100644 --- a/tls/tests/files/client-and-key.pem +++ b/tls/tests/files/client-and-key.pem 
@@ -1,45 +1,45 @@ -----BEGIN CERTIFICATE----- -MIIC3DCCAkUCAQkwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND -T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLExVDZXJ0aWZpY2F0 -ZSBBdXRob3JpdHkxFzAVBgNVBAMTDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN -AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0xMTAxMTgwNjA0MTFaFw0yMTAxMTUwNjA0 -MTFaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN -UExFMQ8wDQYDVQQDEwZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt -cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEgNDM/dg3t -9DHNAPz/b87LSxEaKhoZ8AcNBym3LEOdCnXGEnKf0b9lkT5caXu5GAM84ahTCJ7n -79RVNrqGKM7jbBdSX+ZUfkqJQPhOXD2+0niYQicH92nz78kxmjlbizvd3fM1BlO+ -C/++NWf2EAhORVAjvJrHNokJp3PTNRJ1WWteHeU9PwfGmWHKVc1IgvRFMH08604I -ZzX5CcxIg/b56g27A7CBPh/KO/qKTDLFFNGc1T2asvY/P3+PeN6y+leFHStCTu7R -Bi/l4hczZdnwq3BGT6mnjEN7wau2s7pA067SXimNOkYi5fgwspMHi8fJWmYyBypU -mQBRzwfm77ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQA3LuElj2QB9wQvmIxk2Jmb -IPP2/WS8dwPoCv/N3+6nTx8yRsrILf4QsnEbbsxoYO5jW4r9Kt8m8B/M7YgnBDE9 -zlm7JbXKZf2isSm5TyT627Ymzxrzs5d+7o2eS7SN1DB6PyvRh2ye7EMbyEYD8ULi -itDUkYkssNCVivYwVvJoMg== +MIIC3DCCAkUCAQMwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND +T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0 +ZSBBdXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN +AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0xNTA4MzAwMDIyMzJaFw00MDA4MjMwMDIy +MzJaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN +UExFMQ8wDQYDVQQDDAZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOKRyGJ1ScDr +yD07f0vAvjNU/GBvZEbeTAan3ZlYvgcFuaHbi+Svay+SaJmwXaHI4zgOF9aNl4zH +IHUWAg+Y44lMPptNrffec4r2C+8gnmjot2ot5GrAfLrdR7xmKkqFx4Qr02sRPgy8 +AvSlbyW1qiW0/DKwb/JMsuejzUyMIB/T6UxPzUq3nrM18ltaSrWd6XjFRVep6soM +ciUISr+eF0n0mhlonxDiegKXAbIXvKWTTAPIJADoeyPiX11tGecSbWBLzHWDK0VM +85aEd3axkPdPj6RwQEa7FUTyLrU1Nj6k8Pl7NVyNWXbg5IKEMZB6V5pXESasV6nS +i7vW4JYpA+ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQA53KGbz0v7blt33ht62Ez9 +onmLHkegWW39OgRfNPircb9+pIOtkuksPr1yE2iBmWuGPg0OwNjqHROeOodoN1xC 
+vSt1kUshtpPXiK8AuYmkv53FThyEEai8kpsGp6mLEY2ISaYRD0O6B6PyV2dT/nE2 +CWob7aQ/SlFQ+txnwJtOnA== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAwSA0Mz92De30Mc0A/P9vzstLERoqGhnwBw0HKbcsQ50KdcYS -cp/Rv2WRPlxpe7kYAzzhqFMInufv1FU2uoYozuNsF1Jf5lR+SolA+E5cPb7SeJhC -Jwf3afPvyTGaOVuLO93d8zUGU74L/741Z/YQCE5FUCO8msc2iQmnc9M1EnVZa14d -5T0/B8aZYcpVzUiC9EUwfTzrTghnNfkJzEiD9vnqDbsDsIE+H8o7+opMMsUU0ZzV -PZqy9j8/f4943rL6V4UdK0JO7tEGL+XiFzNl2fCrcEZPqaeMQ3vBq7azukDTrtJe -KY06RiLl+DCykweLx8laZjIHKlSZAFHPB+bvsQIDAQABAoIBAQCQUI1RYnHIdPFO -qZ+8bvDQ+g8tR30ApjM8QZsBrDRyjg579bhhWVY2jSJdFFdqseTkvoDt9KZzgGQy -Kj9MYOZru3xRbSfmiWsaLbiUFJJPPaIvpa+BVS2oSjX8BYn2pJbF9MRfclc5CsIS -qMNl3XUbj8mx2hKdIpJ5EvLD1adKE4Se6peqSZAmEHONNCsrMrQ0GSQqV3viInJr -tc3kp3HcPffSROWqmc6jAJ77Cs3ApgJavL5RGjx30Kd+dKVq4PXZ+IhWM8dOSput -wcyxEosiP/W2g0rDgNW2mGOVOwa/D5SnOolicHifdV7idjwLAjkyYgvmBMNSsECj -yKBkE0gxAoGBAN8iHMumyvriHuj9bSLZ1bcyYFz7jIwUxpHTT7VqN/j/Y1BoBIBy -ZZLDGMa+ID/brpRHzJQAKSNtbFQ0S1HTSKcFud5OWE8Rp3pQJU+sdeO3pCMWAD1z -Q4ggF07JjTSSnK+4fcXgEN9P2OdfXy7Rj3HFpSahql55Kp5udoUdzUVFAoGBAN2S -krlcEuqsEYjqsCJw5pctIwPMvCM51JgirrdETwSGquMklSrobH0PHMlR67gsA/9I -UGShT0LL4UWYpBn/4xLrLbua5aHIBfQQZp9K6jDZddWS+EFL5JkO/Up4/qM6fUbH -CuweVv1gd6i2Ti35K60mgx6MqVunaB1k8Q9P3Pl9AoGALSVtxha9Qv21W1bLWh3R -C/v5W1baHQ2nD6I9omsXYB3sLjydjI+Y1ZT70lptk/4S2JWeYuOVb0GYhYD/LFMf -hAu4i642V+kuhaTpp7ExOR3S6/ZrngNQSp6TmLFXDKgNY9BkQkEPqN8y971oOMTV -zSM8QxC6s9q4MM4Q1OYuvjECgYEAsO2V1AW95T45Ukd1FktpFlaomyQlJ0vKgyFO -unEFV+vhETfpFTY7SzGCHxAXVh1vo62u5Gwayo/a9qQIhepa/IRnJGNv8luyxU1D -ZPeBQjija0PMkPd1NvNNNuafDuBpoNbX1ev0MqeRZVsN2pAZXE5gbUiNA+8NqEsu -Yre3EFECgYEA13rXE76zZgsefx+2spjqJDUWEmTDd1460xTtxCCgL9dy4rW5bgwo -MvINphSUXOwSkn8Oja/IvpN28zSj9W/ci5wU52P5w4blkBmuj8UoCjP2FN1b1OBa -86mkwVsCYUyyI2apuwrHP77yeb8jXZb+reqSns3hU+HyO/nUTVmnews= +MIIEpAIBAAKCAQEA4pHIYnVJwOvIPTt/S8C+M1T8YG9kRt5MBqfdmVi+BwW5oduL +5K9rL5JombBdocjjOA4X1o2XjMcgdRYCD5jjiUw+m02t995zivYL7yCeaOi3ai3k +asB8ut1HvGYqSoXHhCvTaxE+DLwC9KVvJbWqJbT8MrBv8kyy56PNTIwgH9PpTE/N 
+SreeszXyW1pKtZ3peMVFV6nqygxyJQhKv54XSfSaGWifEOJ6ApcBshe8pZNMA8gk +AOh7I+JfXW0Z5xJtYEvMdYMrRUzzloR3drGQ90+PpHBARrsVRPIutTU2PqTw+Xs1 +XI1ZduDkgoQxkHpXmlcRJqxXqdKLu9bglikD4QIDAQABAoIBAQDXQfxpFtgIs7rd ++j4aAbhzWqYhFRPnhOIkXK5cOATq9RSF4+nITqV+YBKDGh4LTKocIr+hN4sp1DJR +K6SvnulnE4pT0PydB7ss5lE2Uv5N2/QOrCVdCx42B3BVXZeGkA2b1GucSJh0Tthc +CSVNZYiPJKGLozfos9gx3d16gZMvyEM4xGFcB8FVWm00Aunc8NOpO8oCQv5URF1x +Imvp3JkhBAV9EIr4BftjT+hSOGgrZwx2ZzU8A1EpXAg6Hja6dQAleq0WTFJS6Ez2 +UjFFI9qF5YMxDDdLZ8p8G3BFw/m5zKE8wrnSdgf7iP9JPgZZA3Y5GLQkKA/Q6wnP +Bj3MbBr1AoGBAPDrF5D5VFle/LrYsAdfwdW2mby2qlB0AAlZwxUnatVFWmgnDq5B +NpK+dp06tllv5qd0EtQMqHxPkVr7YEZ26Jex5hmLMb+LuSowq1BchNpoMGwSiyRz +11IUYRY5BwNW7/zFv2r5ZFe/OxI2V3scYAyJ/7mqY7sWqafVGCa7pRjLAoGBAPDA +vR0EBJL+d7mk/suOjcnVjcFmU/Jwg+O5f0Ao6ctb1rFyYL/FgheeqewZRjveLn/s +Gz6/KieWa/k6XlxkZtJUE9RFjLWn/n79fqL0WDjSzeiSgHRj6bABjXSX3827Mud5 +uzZrVZkHcWnXQX1WREIGSOwAC/4MpU3ad87joXyDAoGBAOZ0zHdGujQ/k9ycWU7E +f+QSp1+JEMSjIkHPlriOmzhl/kRxUC7KfQzEmyxuNG67h1WZyEUF0soPRwlUO1VM +e9RYPbcjmrQTUU4VflsCFafjUKag2m9FTKzch769UIMWT71p4GDRLfZuHHCggPBo +RUzZWUFex8X4uNOuGUs75oMfAoGASZeQ90qgH1K7xDqkTBLSUqz9vO2LoaM1Hao5 +NKKM/MWg9fLxkg1Mu+2bIXmEV46OBjplBaQnvZwkezWVXIawS4C54vwzi9/DUowo +ZqVsRkph+MK3k1xrNYrz83ztQ5UCdXFngbYDn1iAGYtcEHULPmdvaPyGreytpwOt +9cbtOQMCgYAJ0DPq4E+nICf11QsNJELqRBpx9uQjxI87/ba6z0BqtGIIwqZ1KtgI +7LVvae89MufsxZCe8A1noSiFTQXvrLVQhzu+pBHvRQnmonqo6D/uA3viOkTqhR8X +As2n7JVN64j/g6+c9SIfeiNscmZBRqAvgLvVGdoKrbXWkQ1S5+KgHQ== -----END RSA PRIVATE KEY----- diff --git a/tls/tests/files/client-future.pem b/tls/tests/files/client-future.pem index de1cb75..bf08f8c 100644 --- a/tls/tests/files/client-future.pem +++ b/tls/tests/files/client-future.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC3DCCAkUCAQowDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND -T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLExVDZXJ0aWZpY2F0 -ZSBBdXRob3JpdHkxFzAVBgNVBAMTDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN -AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0yMDAxMTgxNzI3MDNaFw0yMTAxMTcxNzI3 -MDNaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN -UExFMQ8wDQYDVQQDEwZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt -cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEgNDM/dg3t -9DHNAPz/b87LSxEaKhoZ8AcNBym3LEOdCnXGEnKf0b9lkT5caXu5GAM84ahTCJ7n -79RVNrqGKM7jbBdSX+ZUfkqJQPhOXD2+0niYQicH92nz78kxmjlbizvd3fM1BlO+ -C/++NWf2EAhORVAjvJrHNokJp3PTNRJ1WWteHeU9PwfGmWHKVc1IgvRFMH08604I -ZzX5CcxIg/b56g27A7CBPh/KO/qKTDLFFNGc1T2asvY/P3+PeN6y+leFHStCTu7R -Bi/l4hczZdnwq3BGT6mnjEN7wau2s7pA067SXimNOkYi5fgwspMHi8fJWmYyBypU -mQBRzwfm77ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBvt8v930fQtxR7f7Vcb1Hg -irq1CtffsBqtKYupYg6IgloiRA6U5wdU0e6faA3Ppsmd4SmNKb9ZavIgnDBfx8MP -1/IpsNOkg0366bP/zzkAhcXspo7PU8yZIqep//wT4TOFz04N8Lshqm8HUejShFdA -fB8C0LX5Y/2219ZVMaaEbw== +MIIC4DCCAkkCAQUwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND +T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0 +ZSBBdXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN +AQkBFg5jYUBleGFtcGxlLmNvbTAiGA8yMDYwMDcxNzIzMDAwMFoYDzIwNjEwNzE3 +MjMwMDAwWjBiMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYH +RVhBTVBMRTEPMA0GA1UEAwwGQ2xpZW50MSEwHwYJKoZIhvcNAQkBFhJjbGllbnRA +ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDikchi +dUnA68g9O39LwL4zVPxgb2RG3kwGp92ZWL4HBbmh24vkr2svkmiZsF2hyOM4DhfW +jZeMxyB1FgIPmOOJTD6bTa333nOK9gvvIJ5o6LdqLeRqwHy63Ue8ZipKhceEK9Nr +ET4MvAL0pW8ltaoltPwysG/yTLLno81MjCAf0+lMT81Kt56zNfJbWkq1nel4xUVX +qerKDHIlCEq/nhdJ9JoZaJ8Q4noClwGyF7ylk0wDyCQA6Hsj4l9dbRnnEm1gS8x1 +gytFTPOWhHd2sZD3T4+kcEBGuxVE8i61NTY+pPD5ezVcjVl24OSChDGQeleaVxEm +rFep0ou71uCWKQPhAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAaL1TVP7GBU/+Ujxm +s1d6XlsczXcRTsK2SKPc7Ke8K30o7E85m5gTXtDVVdk2aCWFsrmqCW+sKSAl3TLr 
+nWWlvI0k2Y3Ei81W1xkCSA8rX95K8m1FaVXz1ml5J8TjemHd/j+btzp4qjnF/S2M +cbRhKzUoJD6FBuUq7OXOO+4T30c= -----END CERTIFICATE----- diff --git a/tls/tests/files/client-key.pem b/tls/tests/files/client-key.pem new file mode 100644 index 0000000..a9740dc --- /dev/null +++ b/tls/tests/files/client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA4pHIYnVJwOvIPTt/S8C+M1T8YG9kRt5MBqfdmVi+BwW5oduL +5K9rL5JombBdocjjOA4X1o2XjMcgdRYCD5jjiUw+m02t995zivYL7yCeaOi3ai3k +asB8ut1HvGYqSoXHhCvTaxE+DLwC9KVvJbWqJbT8MrBv8kyy56PNTIwgH9PpTE/N +SreeszXyW1pKtZ3peMVFV6nqygxyJQhKv54XSfSaGWifEOJ6ApcBshe8pZNMA8gk +AOh7I+JfXW0Z5xJtYEvMdYMrRUzzloR3drGQ90+PpHBARrsVRPIutTU2PqTw+Xs1 +XI1ZduDkgoQxkHpXmlcRJqxXqdKLu9bglikD4QIDAQABAoIBAQDXQfxpFtgIs7rd ++j4aAbhzWqYhFRPnhOIkXK5cOATq9RSF4+nITqV+YBKDGh4LTKocIr+hN4sp1DJR +K6SvnulnE4pT0PydB7ss5lE2Uv5N2/QOrCVdCx42B3BVXZeGkA2b1GucSJh0Tthc +CSVNZYiPJKGLozfos9gx3d16gZMvyEM4xGFcB8FVWm00Aunc8NOpO8oCQv5URF1x +Imvp3JkhBAV9EIr4BftjT+hSOGgrZwx2ZzU8A1EpXAg6Hja6dQAleq0WTFJS6Ez2 +UjFFI9qF5YMxDDdLZ8p8G3BFw/m5zKE8wrnSdgf7iP9JPgZZA3Y5GLQkKA/Q6wnP +Bj3MbBr1AoGBAPDrF5D5VFle/LrYsAdfwdW2mby2qlB0AAlZwxUnatVFWmgnDq5B +NpK+dp06tllv5qd0EtQMqHxPkVr7YEZ26Jex5hmLMb+LuSowq1BchNpoMGwSiyRz +11IUYRY5BwNW7/zFv2r5ZFe/OxI2V3scYAyJ/7mqY7sWqafVGCa7pRjLAoGBAPDA +vR0EBJL+d7mk/suOjcnVjcFmU/Jwg+O5f0Ao6ctb1rFyYL/FgheeqewZRjveLn/s +Gz6/KieWa/k6XlxkZtJUE9RFjLWn/n79fqL0WDjSzeiSgHRj6bABjXSX3827Mud5 +uzZrVZkHcWnXQX1WREIGSOwAC/4MpU3ad87joXyDAoGBAOZ0zHdGujQ/k9ycWU7E +f+QSp1+JEMSjIkHPlriOmzhl/kRxUC7KfQzEmyxuNG67h1WZyEUF0soPRwlUO1VM +e9RYPbcjmrQTUU4VflsCFafjUKag2m9FTKzch769UIMWT71p4GDRLfZuHHCggPBo +RUzZWUFex8X4uNOuGUs75oMfAoGASZeQ90qgH1K7xDqkTBLSUqz9vO2LoaM1Hao5 +NKKM/MWg9fLxkg1Mu+2bIXmEV46OBjplBaQnvZwkezWVXIawS4C54vwzi9/DUowo +ZqVsRkph+MK3k1xrNYrz83ztQ5UCdXFngbYDn1iAGYtcEHULPmdvaPyGreytpwOt +9cbtOQMCgYAJ0DPq4E+nICf11QsNJELqRBpx9uQjxI87/ba6z0BqtGIIwqZ1KtgI +7LVvae89MufsxZCe8A1noSiFTQXvrLVQhzu+pBHvRQnmonqo6D/uA3viOkTqhR8X +As2n7JVN64j/g6+c9SIfeiNscmZBRqAvgLvVGdoKrbXWkQ1S5+KgHQ== +-----END RSA PRIVATE KEY----- diff --git a/tls/tests/files/client-past.pem b/tls/tests/files/client-past.pem index 2dbb4d1..f2e29e1 100644 --- a/tls/tests/files/client-past.pem +++ b/tls/tests/files/client-past.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC3DCCAkUCAQswDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND -T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLExVDZXJ0aWZpY2F0 -ZSBBdXRob3JpdHkxFzAVBgNVBAMTDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN -AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0wMDAxMTgxNzI3NDdaFw0wMTAxMTcxNzI3 -NDdaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN -UExFMQ8wDQYDVQQDEwZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt -cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEgNDM/dg3t -9DHNAPz/b87LSxEaKhoZ8AcNBym3LEOdCnXGEnKf0b9lkT5caXu5GAM84ahTCJ7n -79RVNrqGKM7jbBdSX+ZUfkqJQPhOXD2+0niYQicH92nz78kxmjlbizvd3fM1BlO+ -C/++NWf2EAhORVAjvJrHNokJp3PTNRJ1WWteHeU9PwfGmWHKVc1IgvRFMH08604I -ZzX5CcxIg/b56g27A7CBPh/KO/qKTDLFFNGc1T2asvY/P3+PeN6y+leFHStCTu7R -Bi/l4hczZdnwq3BGT6mnjEN7wau2s7pA067SXimNOkYi5fgwspMHi8fJWmYyBypU -mQBRzwfm77ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBC3BOULAOkRFLKLajHIIB2 -VB0tHOFWuflP/LXso3ogGA8ItqbjacqjRHdTGK79etbxSTdi7k8owMVMPavJnBYk -TraOkf/xxHo2zWy3XES1lniTUfGgKpjYNlALB6K6DJseZorSOmGA4KllL46MYwNu -jsLO+5HkS/uNxlKo2l+xGw== +MIIC3DCCAkUCAQQwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND +T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0 +ZSBBdXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN +AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0wMDA3MTcyMzAwMDBaFw0wMTA3MTcyMzAw +MDBaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN +UExFMQ8wDQYDVQQDDAZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOKRyGJ1ScDr +yD07f0vAvjNU/GBvZEbeTAan3ZlYvgcFuaHbi+Svay+SaJmwXaHI4zgOF9aNl4zH +IHUWAg+Y44lMPptNrffec4r2C+8gnmjot2ot5GrAfLrdR7xmKkqFx4Qr02sRPgy8 +AvSlbyW1qiW0/DKwb/JMsuejzUyMIB/T6UxPzUq3nrM18ltaSrWd6XjFRVep6soM +ciUISr+eF0n0mhlonxDiegKXAbIXvKWTTAPIJADoeyPiX11tGecSbWBLzHWDK0VM +85aEd3axkPdPj6RwQEa7FUTyLrU1Nj6k8Pl7NVyNWXbg5IKEMZB6V5pXESasV6nS +i7vW4JYpA+ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQAXsez9MUY7+zHe4CevgYHk +VUGFl2BV/cncVO5M42qlYvGhzPNb3VSXlrIk0CZP/A1UrB+7+vMFQCccoXE2Yb// 
+hOcumZkz4OJjz+qgsWlksaUjCnpGPIfsrW3jYBRKvL1iYo5Si1aIiQ+ej93a2Bsg +Iy/P6Hx0b2bZ5H6v/y6bqw== -----END CERTIFICATE----- diff --git a/tls/tests/files/client.pem b/tls/tests/files/client.pem index 04bc8ac..75fae57 100644 --- a/tls/tests/files/client.pem +++ b/tls/tests/files/client.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC3DCCAkUCAQkwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND -T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLExVDZXJ0aWZpY2F0 -ZSBBdXRob3JpdHkxFzAVBgNVBAMTDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN -AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0xMTAxMTgwNjA0MTFaFw0yMTAxMTUwNjA0 -MTFaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN -UExFMQ8wDQYDVQQDEwZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt -cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEgNDM/dg3t -9DHNAPz/b87LSxEaKhoZ8AcNBym3LEOdCnXGEnKf0b9lkT5caXu5GAM84ahTCJ7n -79RVNrqGKM7jbBdSX+ZUfkqJQPhOXD2+0niYQicH92nz78kxmjlbizvd3fM1BlO+ -C/++NWf2EAhORVAjvJrHNokJp3PTNRJ1WWteHeU9PwfGmWHKVc1IgvRFMH08604I -ZzX5CcxIg/b56g27A7CBPh/KO/qKTDLFFNGc1T2asvY/P3+PeN6y+leFHStCTu7R -Bi/l4hczZdnwq3BGT6mnjEN7wau2s7pA067SXimNOkYi5fgwspMHi8fJWmYyBypU -mQBRzwfm77ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQA3LuElj2QB9wQvmIxk2Jmb -IPP2/WS8dwPoCv/N3+6nTx8yRsrILf4QsnEbbsxoYO5jW4r9Kt8m8B/M7YgnBDE9 -zlm7JbXKZf2isSm5TyT627Ymzxrzs5d+7o2eS7SN1DB6PyvRh2ye7EMbyEYD8ULi -itDUkYkssNCVivYwVvJoMg== +MIIC3DCCAkUCAQMwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND +T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0 +ZSBBdXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN +AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0xNTA4MzAwMDIyMzJaFw00MDA4MjMwMDIy +MzJaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN +UExFMQ8wDQYDVQQDDAZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOKRyGJ1ScDr +yD07f0vAvjNU/GBvZEbeTAan3ZlYvgcFuaHbi+Svay+SaJmwXaHI4zgOF9aNl4zH +IHUWAg+Y44lMPptNrffec4r2C+8gnmjot2ot5GrAfLrdR7xmKkqFx4Qr02sRPgy8 +AvSlbyW1qiW0/DKwb/JMsuejzUyMIB/T6UxPzUq3nrM18ltaSrWd6XjFRVep6soM +ciUISr+eF0n0mhlonxDiegKXAbIXvKWTTAPIJADoeyPiX11tGecSbWBLzHWDK0VM +85aEd3axkPdPj6RwQEa7FUTyLrU1Nj6k8Pl7NVyNWXbg5IKEMZB6V5pXESasV6nS +i7vW4JYpA+ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQA53KGbz0v7blt33ht62Ez9 +onmLHkegWW39OgRfNPircb9+pIOtkuksPr1yE2iBmWuGPg0OwNjqHROeOodoN1xC 
+vSt1kUshtpPXiK8AuYmkv53FThyEEai8kpsGp6mLEY2ISaYRD0O6B6PyV2dT/nE2 +CWob7aQ/SlFQ+txnwJtOnA== -----END CERTIFICATE----- diff --git a/tls/tests/files/create-files.sh b/tls/tests/files/create-files.sh new file mode 100755 index 0000000..0a7140f --- /dev/null +++ b/tls/tests/files/create-files.sh 
@@ -0,0 +1,186 @@
+#!/bin/sh
+
+msg() {
+ echo
+ echo "* $1 ..."
+}
+
+cd `dirname $0`
+
+echo
+echo "This script re-generates all private keys and certificates"
+echo "needed to run the Unit Test."
+echo
+echo " *** IMPORTANT ***"
+echo
+echo "This script will change the system date momentarily to generate"
+echo "a couple of certificates (sudo password will be requested). This"
+echo "is because it uses the OpenSSL x509 utility instead of the ca"
+echo "utility which allows to set a starting date for the certificates."
+echo
+echo "A few manual changes need to be made. The first certificate"
+echo "in ca-roots.pem and ca-roots-bad.pem need to be replaced by"
+echo "the contents of ca.pem."
+echo
+echo "Also, file-database.c:test_lookup_certificates_issued_by has"
+echo "an ISSUER variable that needs to be changed by the CA identifier"
+echo "(read the comment in that function) if you modify this script."
+echo
+echo " *** IMPORTANT ***"
+echo
+
+read -p "Press [Enter] key to continue..." key
+
+#######################################################################
+### Obsolete/Untrusted Root CA
+#######################################################################
+
+echo "00" > serial
+
+msg "Creating CA private key for obsolete/untrusted CA"
+openssl genrsa -out old-ca-key.pem 1024
+
+msg "Creating CA certificate for obsolete/untrusted CA"
+openssl req -x509 -new -config ssl/old-ca.conf -days 10950 -key old-ca-key.pem -out old-ca.pem
+
+#######################################################################
+### New Root CA
+#######################################################################
+
+msg "Creating CA private key"
+openssl genrsa -out ca-key.pem 1024
+
+msg "Creating CA certificate"
+openssl req -x509 -new -config ssl/ca.conf -days 10950 -key ca-key.pem -out ca.pem
+
+#######################################################################
+### New Root CA, issued by Obsolete/Untrusted Root CA
+#######################################################################
+
+msg "Creating CA certificate request"
+openssl req -config ssl/ca.conf -key ca-key.pem -new -out root-ca-csr.pem
+
+msg "Creating alternative certificate with same keys as CA"
+openssl x509 -req -in root-ca-csr.pem -days 10950 -CA old-ca.pem -CAkey old-ca-key.pem -CAserial serial -extfile ssl/ca.conf -extensions v3_req_ext -out ca-alternative.pem
+
+#######################################################################
+### Server
+#######################################################################
+
+msg "Creating server private key"
+openssl genrsa -out server-key.pem 512
+
+msg "Creating server certificate request"
+openssl req -config ssl/server.conf -key server-key.pem -new -out server-csr.pem
+
+msg "Creating server certificate"
+openssl x509 -req -in server-csr.pem -days 9125 -CA ca.pem -CAkey ca-key.pem -CAserial serial -extfile ssl/server.conf -extensions v3_req_ext -out server.pem
+
+msg "Concatenating server certificate and private key into a single file"
+cat server.pem > server-and-key.pem
+cat server-key.pem >> server-and-key.pem
+
+msg "Converting server certificate from PEM to DER"
+openssl x509 -in server.pem -outform DER -out server.der
+
+msg "Converting server private key from PEM to DER"
+openssl rsa -in server-key.pem -outform DER -out server-key.der
+
+#######################################################################
+### Server (self-signed)
+#######################################################################
+
+msg "Creating server self-signed certificate"
+openssl x509 -req -days 9125 -in server-csr.pem -signkey server-key.pem -out server-self.pem
+
+#######################################################################
+### Client
+#######################################################################
+
+msg "Creating client private key"
+openssl genrsa -out client-key.pem 2048
+
+msg "Creating client certificate request"
+openssl req -config ssl/client.conf -key client-key.pem -new -out client-csr.pem
+
+msg "Creating client certificate"
+openssl x509 -req -in client-csr.pem -days 9125 -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client.pem
+
+msg "Concatenating client certificate and private key into a single file"
+cat client.pem > client-and-key.pem
+cat client-key.pem >> client-and-key.pem
+
+# It is not possible to specify the start and end date using the "x509" tool.
+# It would be better to use the "ca" tool. Sorry!
+msg "Creating client certificate (past)"
+sudo date -s "17 JUL 2000 18:00:00"
+openssl x509 -req -in client-csr.pem -days 365 -startdate -enddate -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client-past.pem
+sudo hwclock -s
+touch client-past.pem
+
+msg "Creating client certificate (future)"
+sudo date -s "17 JUL 2060 18:00:00"
+openssl x509 -req -in client-csr.pem -days 365 -startdate -enddate -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client-future.pem
+sudo hwclock -s
+touch client-future.pem
+
+#######################################################################
+### Concatenate all non-CA certificates
+#######################################################################
+
+msg "Concatenating all non-CA certificates into a single file"
+echo "client.pem:" > non-ca.pem
+cat client.pem >> non-ca.pem
+echo >> non-ca.pem
+echo "client-future.pem:" >> non-ca.pem
+cat client-future.pem >> non-ca.pem
+echo >> non-ca.pem
+echo "client-past.pem:" >> non-ca.pem
+cat client-past.pem >> non-ca.pem
+echo >> non-ca.pem
+echo "server.pem:" >> non-ca.pem
+cat server.pem >> non-ca.pem
+echo >> non-ca.pem
+echo "server-self.pem:" >> non-ca.pem
+cat server-self.pem >> non-ca.pem
+
+#######################################################################
+### Intermediate CA
+#######################################################################
+
+echo "00" > intermediate-serial
+
+msg "Creating intermediate CA private key"
+openssl genrsa -out intermediate-ca-key.pem 512
+
+msg "Creating intermediate CA certificate request"
+openssl req -config ssl/intermediate-ca.conf -key intermediate-ca-key.pem -new -out intermediate-ca-csr.pem
+
+msg "Creating intermediate CA certificate"
+openssl x509 -req -in intermediate-ca-csr.pem -days 9125 -CA ca.pem -CAkey ca-key.pem -CAserial serial -extfile ssl/intermediate-ca.conf -extensions v3_req_ext -out intermediate-ca.pem
+
+#######################################################################
+### Server (signed by Intermediate CA)
+#######################################################################
+
+msg "Creating server (intermediate CA) private key"
+openssl genrsa -out server-intermediate-key.pem 512
+
+msg "Creating server (intermediate CA) certificate request"
+openssl req -config ssl/server-intermediate.conf -key server-intermediate-key.pem -new -out server-intermediate-csr.pem
+
+msg "Creating server (intermediate CA) certificate"
+openssl x509 -req -in server-intermediate-csr.pem -days 9125 -CA intermediate-ca.pem -CAkey intermediate-ca-key.pem -CAserial intermediate-serial -extfile ssl/server-intermediate.conf -extensions v3_req_ext -out server-intermediate.pem
+
+msg "Concatenating server (intermediate CA) chain into a file"
+cat server-intermediate.pem > chain.pem
+cat intermediate-ca.pem >> chain.pem
+cat ca.pem >> chain.pem
+
+#######################################################################
+### Cleanup
+#######################################################################
+
+# We don't need the serial files anymore
+rm -f serial
+rm -f intermediate-serial
diff --git a/tls/tests/files/intermediate-ca-csr.pem b/tls/tests/files/intermediate-ca-csr.pem
new file mode 100644
index 0000000..189a2d3
--- /dev/null
+++ b/tls/tests/files/intermediate-ca-csr.pem
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBujCCAWQCAQAwga0xEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/Is +ZAEZFgdFWEFNUExFMSswKQYDVQQLDCJJbnRlcm1lZGlhdGUgQ2VydGlmaWNhdGUg +QXV0aG9yaXR5MSQwIgYDVQQDDBtpbnRlcm1lZGlhdGUtY2EuZXhhbXBsZS5jb20x +KjAoBgkqhkiG9w0BCQEWG2ludGVybWVkaWF0ZS1jYUBleGFtcGxlLmNvbTBcMA0G +CSqGSIb3DQEBAQUAA0sAMEgCQQDRMidrtJAZ27tI9gA3hhIP7S5EtfjhMHUi8mDN +L2JuV7nMDGoAEUfHV3x/+Eb/TeymvBiRzlUD6YGQRK+2C8+LAgMBAAGgUTBPBgkq +hkiG9w0BCQ4xQjBAMB0GA1UdDgQWBBRd9ylgHXCCZmIH9Y3sRbfjbCVnATAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAANBAIp7 +2/fnWAYyd4QxpW8qqajTKyuGiS5rwm5knLZvriM3qR6mAtuI3vluk431YcQ1G/jn +QdPf5uYuttJC1GzrZDE= +-----END CERTIFICATE REQUEST-----
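Review bot: In create-files.sh, the two `sudo date -s` blocks in the Client section leave the host clock at 17 JUL 2000 or 17 JUL 2060 if the script is interrupted before `sudo hwclock -s` runs, and while the clock is moved every other process on the machine sees the wrong time (certificate validation, log timestamps, time-limited credentials). Nothing restores it on an abnormal exit, so at minimum add `trap 'sudo hwclock -s' EXIT INT TERM` before the first `date -s`. The `-startdate -enddate` arguments passed to `openssl x509 -req` only print the validity dates, so the clock change is what actually sets them; issuing these two certificates with `openssl ca -startdate … -enddate …`, as the script's own comment suggests, would remove the need for root altogether. Separately, the `cd` at the top is unquoted and unchecked, so if it fails the later redirections and `rm -f serial` act on the caller's directory; `cd "$(dirname "$0")" || exit 1` avoids that.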
diff --git a/tls/tests/files/intermediate-ca-key.pem b/tls/tests/files/intermediate-ca-key.pem new file mode 100644 index 0000000..e449282 --- /dev/null +++ b/tls/tests/files/intermediate-ca-key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOgIBAAJBANEyJ2u0kBnbu0j2ADeGEg/tLkS1+OEwdSLyYM0vYm5XucwMagAR +R8dXfH/4Rv9N7Ka8GJHOVQPpgZBEr7YLz4sCAwEAAQJAUPmw+Kfz/45meF+Axf1H +kJKmjkJCDCjNrrFTdxkYaM0pCDPjHeclMHZ9mhtKQs2/8ER4tvdNIUCba/f9n4lI +QQIhAO6s3jWb4JVobvpC0r5OE/HLOLgnnieQPQGl/sBoqL6fAiEA4GF+A8XaSF/C +V5tFTFMDN1hw9bvOxhwaVAgcBNzHA5UCIFI5t+wcIYkXi3QoZVYuq+xXKNk4vOHA +bWQN/e/nnordAiEA26qWU9s+99vHxzybez1JyMUs0WYr6IdavymxRJFfxIECIEra +zEU8vYbm02cECN2fB6SRAlyD8Gb6KAMP+A4RXVWO +-----END RSA PRIVATE KEY----- diff --git a/tls/tests/files/intermediate-ca.pem b/tls/tests/files/intermediate-ca.pem new file mode 100644 index 0000000..179d030 --- /dev/null +++ b/tls/tests/files/intermediate-ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDrjCCAxegAwIBAgIBBjANBgkqhkiG9w0BAQUFADCBhjETMBEGCgmSJomT8ixk +ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRp +ZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkq +hkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzOVoXDTQwMDgy +MzAwMjIzOVowga0xEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZ +FgdFWEFNUExFMSswKQYDVQQLDCJJbnRlcm1lZGlhdGUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MSQwIgYDVQQDDBtpbnRlcm1lZGlhdGUtY2EuZXhhbXBsZS5jb20xKjAo +BgkqhkiG9w0BCQEWG2ludGVybWVkaWF0ZS1jYUBleGFtcGxlLmNvbTBcMA0GCSqG +SIb3DQEBAQUAA0sAMEgCQQDRMidrtJAZ27tI9gA3hhIP7S5EtfjhMHUi8mDNL2Ju +V7nMDGoAEUfHV3x/+Eb/TeymvBiRzlUD6YGQRK+2C8+LAgMBAAGjggFFMIIBQTAd +BgNVHQ4EFgQUXfcpYB1wgmZiB/WN7EW342wlZwEwgbsGA1UdIwSBszCBsIAUmAbQ +gRwBOJuIai3NygAtGQ9xlbGhgYykgYkwgYYxEzARBgoJkiaJk/IsZAEZFgNDT00x +FzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkB +Fg5jYUBleGFtcGxlLmNvbYIJAO+Cui0EIECvMA8GA1UdEwEB/wQFMAMBAf8wDgYD +VR0PAQH/BAQDAgEGMCYGA1UdEQQfMB2BG2ludGVybWVkaWF0ZS1jYUBleGFtcGxl +LmNvbTAZBgNVHRIEEjAQgQ5jYUBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQUFAAOB +gQAmXVdwAZalZGtXBkdICHaWyVRmgCFRZfzVbGBOkeW+TEBiMgG+XrwlMQs5yyf/ +T8Mmw8TcqBJYdQhqcctbgFcSxejVAL7DnEfFcvH6acXy0K9l48pKAnYgcHstOAX2 +Fb+rSpmMDXgWuhKNudJyoOVQ/5H9LJyg6JYqoG5jqS9iQg== +-----END CERTIFICATE----- diff --git a/tls/tests/files/non-ca.pem b/tls/tests/files/non-ca.pem index 42c2070..068263b 100644 --- a/tls/tests/files/non-ca.pem +++ b/tls/tests/files/non-ca.pem 
@@ -1,90 +1,88 @@ client.pem: -----BEGIN CERTIFICATE----- -MIIC3DCCAkUCAQkwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND -T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLExVDZXJ0aWZpY2F0 -ZSBBdXRob3JpdHkxFzAVBgNVBAMTDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN -AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0xMTAxMTgwNjA0MTFaFw0yMTAxMTUwNjA0 -MTFaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN -UExFMQ8wDQYDVQQDEwZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt -cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEgNDM/dg3t -9DHNAPz/b87LSxEaKhoZ8AcNBym3LEOdCnXGEnKf0b9lkT5caXu5GAM84ahTCJ7n -79RVNrqGKM7jbBdSX+ZUfkqJQPhOXD2+0niYQicH92nz78kxmjlbizvd3fM1BlO+ -C/++NWf2EAhORVAjvJrHNokJp3PTNRJ1WWteHeU9PwfGmWHKVc1IgvRFMH08604I -ZzX5CcxIg/b56g27A7CBPh/KO/qKTDLFFNGc1T2asvY/P3+PeN6y+leFHStCTu7R -Bi/l4hczZdnwq3BGT6mnjEN7wau2s7pA067SXimNOkYi5fgwspMHi8fJWmYyBypU -mQBRzwfm77ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQA3LuElj2QB9wQvmIxk2Jmb -IPP2/WS8dwPoCv/N3+6nTx8yRsrILf4QsnEbbsxoYO5jW4r9Kt8m8B/M7YgnBDE9 -zlm7JbXKZf2isSm5TyT627Ymzxrzs5d+7o2eS7SN1DB6PyvRh2ye7EMbyEYD8ULi -itDUkYkssNCVivYwVvJoMg== +MIIC3DCCAkUCAQMwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND +T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0 +ZSBBdXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN +AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0xNTA4MzAwMDIyMzJaFw00MDA4MjMwMDIy +MzJaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN +UExFMQ8wDQYDVQQDDAZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOKRyGJ1ScDr +yD07f0vAvjNU/GBvZEbeTAan3ZlYvgcFuaHbi+Svay+SaJmwXaHI4zgOF9aNl4zH +IHUWAg+Y44lMPptNrffec4r2C+8gnmjot2ot5GrAfLrdR7xmKkqFx4Qr02sRPgy8 +AvSlbyW1qiW0/DKwb/JMsuejzUyMIB/T6UxPzUq3nrM18ltaSrWd6XjFRVep6soM +ciUISr+eF0n0mhlonxDiegKXAbIXvKWTTAPIJADoeyPiX11tGecSbWBLzHWDK0VM +85aEd3axkPdPj6RwQEa7FUTyLrU1Nj6k8Pl7NVyNWXbg5IKEMZB6V5pXESasV6nS +i7vW4JYpA+ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQA53KGbz0v7blt33ht62Ez9 +onmLHkegWW39OgRfNPircb9+pIOtkuksPr1yE2iBmWuGPg0OwNjqHROeOodoN1xC 
+vSt1kUshtpPXiK8AuYmkv53FThyEEai8kpsGp6mLEY2ISaYRD0O6B6PyV2dT/nE2 +CWob7aQ/SlFQ+txnwJtOnA== -----END CERTIFICATE----- client-future.pem: -----BEGIN CERTIFICATE----- -MIIC3DCCAkUCAQowDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND -T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLExVDZXJ0aWZpY2F0 -ZSBBdXRob3JpdHkxFzAVBgNVBAMTDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN -AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0yMDAxMTgxNzI3MDNaFw0yMTAxMTcxNzI3 -MDNaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN -UExFMQ8wDQYDVQQDEwZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt -cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEgNDM/dg3t -9DHNAPz/b87LSxEaKhoZ8AcNBym3LEOdCnXGEnKf0b9lkT5caXu5GAM84ahTCJ7n -79RVNrqGKM7jbBdSX+ZUfkqJQPhOXD2+0niYQicH92nz78kxmjlbizvd3fM1BlO+ -C/++NWf2EAhORVAjvJrHNokJp3PTNRJ1WWteHeU9PwfGmWHKVc1IgvRFMH08604I -ZzX5CcxIg/b56g27A7CBPh/KO/qKTDLFFNGc1T2asvY/P3+PeN6y+leFHStCTu7R -Bi/l4hczZdnwq3BGT6mnjEN7wau2s7pA067SXimNOkYi5fgwspMHi8fJWmYyBypU -mQBRzwfm77ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBvt8v930fQtxR7f7Vcb1Hg -irq1CtffsBqtKYupYg6IgloiRA6U5wdU0e6faA3Ppsmd4SmNKb9ZavIgnDBfx8MP -1/IpsNOkg0366bP/zzkAhcXspo7PU8yZIqep//wT4TOFz04N8Lshqm8HUejShFdA -fB8C0LX5Y/2219ZVMaaEbw== +MIIC4DCCAkkCAQUwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND +T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0 +ZSBBdXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN +AQkBFg5jYUBleGFtcGxlLmNvbTAiGA8yMDYwMDcxNzIzMDAwMFoYDzIwNjEwNzE3 +MjMwMDAwWjBiMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYH +RVhBTVBMRTEPMA0GA1UEAwwGQ2xpZW50MSEwHwYJKoZIhvcNAQkBFhJjbGllbnRA +ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDikchi +dUnA68g9O39LwL4zVPxgb2RG3kwGp92ZWL4HBbmh24vkr2svkmiZsF2hyOM4DhfW +jZeMxyB1FgIPmOOJTD6bTa333nOK9gvvIJ5o6LdqLeRqwHy63Ue8ZipKhceEK9Nr +ET4MvAL0pW8ltaoltPwysG/yTLLno81MjCAf0+lMT81Kt56zNfJbWkq1nel4xUVX +qerKDHIlCEq/nhdJ9JoZaJ8Q4noClwGyF7ylk0wDyCQA6Hsj4l9dbRnnEm1gS8x1 +gytFTPOWhHd2sZD3T4+kcEBGuxVE8i61NTY+pPD5ezVcjVl24OSChDGQeleaVxEm 
+rFep0ou71uCWKQPhAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAaL1TVP7GBU/+Ujxm +s1d6XlsczXcRTsK2SKPc7Ke8K30o7E85m5gTXtDVVdk2aCWFsrmqCW+sKSAl3TLr +nWWlvI0k2Y3Ei81W1xkCSA8rX95K8m1FaVXz1ml5J8TjemHd/j+btzp4qjnF/S2M +cbRhKzUoJD6FBuUq7OXOO+4T30c= -----END CERTIFICATE----- client-past.pem: -----BEGIN CERTIFICATE----- -MIIC3DCCAkUCAQswDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND -T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLExVDZXJ0aWZpY2F0 -ZSBBdXRob3JpdHkxFzAVBgNVBAMTDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN -AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0wMDAxMTgxNzI3NDdaFw0wMTAxMTcxNzI3 -NDdaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN -UExFMQ8wDQYDVQQDEwZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt -cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEgNDM/dg3t -9DHNAPz/b87LSxEaKhoZ8AcNBym3LEOdCnXGEnKf0b9lkT5caXu5GAM84ahTCJ7n -79RVNrqGKM7jbBdSX+ZUfkqJQPhOXD2+0niYQicH92nz78kxmjlbizvd3fM1BlO+ -C/++NWf2EAhORVAjvJrHNokJp3PTNRJ1WWteHeU9PwfGmWHKVc1IgvRFMH08604I -ZzX5CcxIg/b56g27A7CBPh/KO/qKTDLFFNGc1T2asvY/P3+PeN6y+leFHStCTu7R -Bi/l4hczZdnwq3BGT6mnjEN7wau2s7pA067SXimNOkYi5fgwspMHi8fJWmYyBypU -mQBRzwfm77ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBC3BOULAOkRFLKLajHIIB2 -VB0tHOFWuflP/LXso3ogGA8ItqbjacqjRHdTGK79etbxSTdi7k8owMVMPavJnBYk -TraOkf/xxHo2zWy3XES1lniTUfGgKpjYNlALB6K6DJseZorSOmGA4KllL46MYwNu -jsLO+5HkS/uNxlKo2l+xGw== +MIIC3DCCAkUCAQQwDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND +T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0 +ZSBBdXRob3JpdHkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN +AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0wMDA3MTcyMzAwMDBaFw0wMTA3MTcyMzAw +MDBaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN +UExFMQ8wDQYDVQQDDAZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOKRyGJ1ScDr +yD07f0vAvjNU/GBvZEbeTAan3ZlYvgcFuaHbi+Svay+SaJmwXaHI4zgOF9aNl4zH +IHUWAg+Y44lMPptNrffec4r2C+8gnmjot2ot5GrAfLrdR7xmKkqFx4Qr02sRPgy8 +AvSlbyW1qiW0/DKwb/JMsuejzUyMIB/T6UxPzUq3nrM18ltaSrWd6XjFRVep6soM 
+ciUISr+eF0n0mhlonxDiegKXAbIXvKWTTAPIJADoeyPiX11tGecSbWBLzHWDK0VM +85aEd3axkPdPj6RwQEa7FUTyLrU1Nj6k8Pl7NVyNWXbg5IKEMZB6V5pXESasV6nS +i7vW4JYpA+ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQAXsez9MUY7+zHe4CevgYHk +VUGFl2BV/cncVO5M42qlYvGhzPNb3VSXlrIk0CZP/A1UrB+7+vMFQCccoXE2Yb// +hOcumZkz4OJjz+qgsWlksaUjCnpGPIfsrW3jYBRKvL1iYo5Si1aIiQ+ej93a2Bsg +Iy/P6Hx0b2bZ5H6v/y6bqw== -----END CERTIFICATE----- server.pem: -----BEGIN CERTIFICATE----- -MIICJjCCAY+gAwIBAgIBBzANBgkqhkiG9w0BAQUFADCBhjETMBEGCgmSJomT8ixk -ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsTFUNlcnRp -ZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20xHTAbBgkq -hkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTExMDExNzE5NDcxN1oXDTIxMDEx -NDE5NDcxN1owSzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkW -B0VYQU1QTEUxGzAZBgNVBAMTEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3 -DQEBAQUAA0sAMEgCQQDYScTxk55XBmbDM9zzwO+grVySE4rudWuzH2PpObIonqbf -hRoAalKVluG9jvbHI81eXxCdSObv1KBP1sbN5RzpAgMBAAGjIjAgMAkGA1UdEwQC -MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEAYx6fMqT1 -Gvo0jq88E8mc+bmp4LfXD4wJ7KxYeadQxt75HFRpj4FhFO3DOpVRFgzHlOEo3Fwk -PZOKjvkT0cbcoEq5whLH25dHoQxGoVQgFyAP5s+7Vp5AlHh8Y/vAoXeEVyy/RCIH -QkhUlAflfDMcrrYjsmwoOPSjhx6Mm/AopX4= +MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBhjETMBEGCgmSJomT8ixk +ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRp +ZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkq +hkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzMVoXDTQwMDgy +MzAwMjIzMVowSzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkW +B0VYQU1QTEUxGzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3 +DQEBAQUAA0sAMEgCQQDk6Op18H8aRZvr8jfjhSkw3P4Gy070eb3hrpkIiZl05UxO +crI+cO3SaE5zgmcW18UPpXfwWl4uy/Q6nagkZDXvAgMBAAGjMzAxMAkGA1UdEwQC +MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgwBocEwKgBCjANBgkqhkiG +9w0BAQUFAAOBgQBmJQF4mdpoinkWTB5khs2ZVWZWf4QPLH2I/sP8IY1pWIVNtOVG +YiTURtsdIHffSAoJ+9H+KrZhxk7TO9v7LR2Au1fGC6FuGjRizYb6UTe7tpoaZvlj +JZj3sE/Rw/zCHCjA9xNTeYvQlKBzuohbUVGS+kEhxI7ScDmd7ylKSLIbBQ== -----END CERTIFICATE----- 
- server-self.pem: -----BEGIN CERTIFICATE----- -MIIBiDCCATICCQDJ4QeFpYPYljANBgkqhkiG9w0BAQUFADBLMRMwEQYKCZImiZPy -LGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYHRVhBTVBMRTEbMBkGA1UEAxMSc2Vy -dmVyLmV4YW1wbGUuY29tMB4XDTExMDExOTAzMTYzOFoXDTIxMDExNjAzMTYzOFow +MIIBiDCCATICCQD8Rn+cHcihijANBgkqhkiG9w0BAQUFADBLMRMwEQYKCZImiZPy +LGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYHRVhBTVBMRTEbMBkGA1UEAwwSc2Vy +dmVyLmV4YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzMVoXDTQwMDgyMzAwMjIzMVow SzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUx -GzAZBgNVBAMTEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sA -MEgCQQDYScTxk55XBmbDM9zzwO+grVySE4rudWuzH2PpObIonqbfhRoAalKVluG9 -jvbHI81eXxCdSObv1KBP1sbN5RzpAgMBAAEwDQYJKoZIhvcNAQEFBQADQQAagc2P -/lCfDwT3max+D2M7++KMDfGqiO3gI+hMarf/jAaQpcKO/9G95AnNo4lTd6W6/7yj -YYvUupv+0vi4CtQG +GzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sA +MEgCQQDk6Op18H8aRZvr8jfjhSkw3P4Gy070eb3hrpkIiZl05UxOcrI+cO3SaE5z +gmcW18UPpXfwWl4uy/Q6nagkZDXvAgMBAAEwDQYJKoZIhvcNAQEFBQADQQADBJbF +pDpocLDuQo5DXoXVlloJAputR6oKQLtTFRorEr0iASEr/8DEXfFoOI+US/8EZ/IT +6JR2XOHSot4zsr68 -----END CERTIFICATE----- - diff --git a/tls/tests/files/old-ca-key.pem b/tls/tests/files/old-ca-key.pem new file mode 100644 index 0000000..c0eb15d --- /dev/null +++ b/tls/tests/files/old-ca-key.pem 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDAcmBlQzZO0JXytrD6hG7mLM4UOcv/Mq0Spdko3VfLkBXMJKF5 +TC8gJYFw5/YhWH5rQ3hQoSUq/GbaHZh1XrJpHBYHQn4sS0m4Nlrd/q1pyvSMNr0s +Ywe+McBw9TFqGgimV6rgDGsjqz3uxqOlo5goovOS7BT9XxcHMBW3/uQuIQIDAQAB +AoGBAIxYXTg8BfUAZPo2hWaNAhtWfYt+gui/WjyJOo90rDxF/b98z02YY527/GQM +phC3aqpq7+lNO7/XhmJ2xuKBhvWgw7sVjhEG5bqigofH8Rc3W/SvNyo1xh658HDF +3IgpUVAMKVb3puvZNOqBn+3WxfFP7cawSPH+gU2GTdk+e5nJAkEA4LWOlU3vlVnp +Rd3ngQNrfrh0MR2tD34Pu0xvvpNq9KWUjREVtcNGCFx0M4WYl1caiwtmWUtmdfhy +Yd49v0E1VwJBANs+ujWmjh8hfwAZ1lQ5DfJROAvmxYrrn98sdj9RzuhnGdFoE+Ld +BkpAQU1PvTPp2ot60633pwEDLZzd7tfb1UcCQDUcdIDxlMkWIT60Pj2OE2A2NLBP +NVJOF2XLoTXIHiWI5V2aRilZ6DmdsJFk6DYNDmcC4MQGQEdt24sqPinwPa0CQE6S +kWtu0FpJx9kCaXRvqhbgkqR5ROx/eyEhLxOMPwm9AVyx3wabzYhItN5/KEB1m7QH +Bdu/+GL9f5hLVTCZATsCQQCyc9HNvPb2V4q4ksn+RuQH7VHI/cOtqTvldBXm1HhV +XlM4brBTQjS1WbSmjlTcnzwfaLQXk+pGsqThOgbLwDvq +-----END RSA PRIVATE KEY----- diff --git a/tls/tests/files/old-ca.pem b/tls/tests/files/old-ca.pem new file mode 100644 index 0000000..cdee6c2 --- /dev/null +++ b/tls/tests/files/old-ca.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEETCCA3qgAwIBAgIJAP2QjCV8pipcMA0GCSqGSIb3DQEBBQUAMIGfMRMwEQYK +CZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPyLGQBGRYHRVhBTVBMRTEsMCoGA1UE +CwwjT2xkIFVudHJ1c3RlZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgNVBAMM +GW9uY2Uud2FzLmEuY2EuZXhhbXBsZS5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGV4 +YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzMVoXDTQ1MDgyMjAwMjIzMVowgZ8xEzAR +BgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMSwwKgYD +VQQLDCNPbGQgVW50cnVzdGVkIENlcnRpZmljYXRlIEF1dGhvcml0eTEiMCAGA1UE +AwwZb25jZS53YXMuYS5jYS5leGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYOY2FA +ZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMByYGVDNk7Q +lfK2sPqEbuYszhQ5y/8yrRKl2SjdV8uQFcwkoXlMLyAlgXDn9iFYfmtDeFChJSr8 +ZtodmHVesmkcFgdCfixLSbg2Wt3+rWnK9Iw2vSxjB74xwHD1MWoaCKZXquAMayOr +Pe7Go6WjmCii85LsFP1fFwcwFbf+5C4hAgMBAAGjggFRMIIBTTAdBgNVHQ4EFgQU +Lu6rFocDkpwOJyAjyQrCxuefLW8wgdQGA1UdIwSBzDCByYAULu6rFocDkpwOJyAj +yQrCxuefLW+hgaWkgaIwgZ8xEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJ +k/IsZAEZFgdFWEFNUExFMSwwKgYDVQQLDCNPbGQgVW50cnVzdGVkIENlcnRpZmlj +YXRlIEF1dGhvcml0eTEiMCAGA1UEAwwZb25jZS53YXMuYS5jYS5leGFtcGxlLmNv +bTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb22CCQD9kIwlfKYqXDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAZBgNVHREEEjAQgQ5jYUBleGFt +cGxlLmNvbTAZBgNVHRIEEjAQgQ5jYUBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQUF +AAOBgQAQLX3HpbnxH3gLf6rhj7IQEizZhAEGpvLMURlDdUdoH9ZYPsQ49rZ2kcjD +FFUKa4Y9/smcBOkF1Za9xepinsftz8ALhsfyo3azXUJTm7sRcQzQkwaSsAh0smIv +UbmMskbCbFVDwW8xu+SCRJac/+NAuxjxkgrytZksJPvQB545XQ== +-----END CERTIFICATE----- diff --git a/tls/tests/files/root-ca-csr.pem b/tls/tests/files/root-ca-csr.pem new file mode 100644 index 0000000..48f5365 --- /dev/null +++ b/tls/tests/files/root-ca-csr.pem 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICGDCCAYECAQAwgYYxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/Is +ZAEZFgdFWEFNUExFMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAV +BgNVBAMMDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxl +LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvapKy45xtxon3669spqf ++/nXzp3q7WLmQiTd0+7h60d6AekMbltqr4IhR1jUDIJzPo4vrUnWVsHcqyTp7Kj3 +Cgoce2jQEn0hURvsrulP6Bq7tB5LXkxQrmY1+55R8h1dMI2kd7Po3O3gfntuCokm +smceeid064RqUQWAO04GqKUCAwEAAaBRME8GCSqGSIb3DQEJDjFCMEAwHQYDVR0O +BBYEFJgG0IEcATibiGotzcoALRkPcZWxMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P +AQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACd9IesNyKrVhriex7hMBZv+1M1A +9/1ZPstHARbjRJ4AhOKQGvu3Bz7yiuzWUyVaY+naMYlu1rPcA01588xbKdBCGF9Z +noOeVHlTZwu1OOV57KjwoilRBtjNNbmUUl3t4nlw6+sz5pPjyVYPBunMiig3n1Ke +8jYPdl0bW/kX+8ve +-----END CERTIFICATE REQUEST----- diff --git a/tls/tests/files/server-and-key.pem b/tls/tests/files/server-and-key.pem index d09b0b5..a74436a 100644 --- a/tls/tests/files/server-and-key.pem +++ b/tls/tests/files/server-and-key.pem 
@@ -1,24 +1,23 @@ -----BEGIN CERTIFICATE----- -MIICJjCCAY+gAwIBAgIBBzANBgkqhkiG9w0BAQUFADCBhjETMBEGCgmSJomT8ixk -ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsTFUNlcnRp -ZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20xHTAbBgkq -hkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTExMDExNzE5NDcxN1oXDTIxMDEx -NDE5NDcxN1owSzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkW -B0VYQU1QTEUxGzAZBgNVBAMTEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3 -DQEBAQUAA0sAMEgCQQDYScTxk55XBmbDM9zzwO+grVySE4rudWuzH2PpObIonqbf -hRoAalKVluG9jvbHI81eXxCdSObv1KBP1sbN5RzpAgMBAAGjIjAgMAkGA1UdEwQC -MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEAYx6fMqT1 -Gvo0jq88E8mc+bmp4LfXD4wJ7KxYeadQxt75HFRpj4FhFO3DOpVRFgzHlOEo3Fwk -PZOKjvkT0cbcoEq5whLH25dHoQxGoVQgFyAP5s+7Vp5AlHh8Y/vAoXeEVyy/RCIH -QkhUlAflfDMcrrYjsmwoOPSjhx6Mm/AopX4= +MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBhjETMBEGCgmSJomT8ixk +ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRp +ZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkq +hkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzMVoXDTQwMDgy +MzAwMjIzMVowSzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkW +B0VYQU1QTEUxGzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3 +DQEBAQUAA0sAMEgCQQDk6Op18H8aRZvr8jfjhSkw3P4Gy070eb3hrpkIiZl05UxO +crI+cO3SaE5zgmcW18UPpXfwWl4uy/Q6nagkZDXvAgMBAAGjMzAxMAkGA1UdEwQC +MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgwBocEwKgBCjANBgkqhkiG +9w0BAQUFAAOBgQBmJQF4mdpoinkWTB5khs2ZVWZWf4QPLH2I/sP8IY1pWIVNtOVG +YiTURtsdIHffSAoJ+9H+KrZhxk7TO9v7LR2Au1fGC6FuGjRizYb6UTe7tpoaZvlj +JZj3sE/Rw/zCHCjA9xNTeYvQlKBzuohbUVGS+kEhxI7ScDmd7ylKSLIbBQ== -----END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA2EnE8ZOeVwZmwzPc -88DvoK1ckhOK7nVrsx9j6TmyKJ6m34UaAGpSlZbhvY72xyPNXl8QnUjm79SgT9bG -zeUc6QIDAQABAkBRFJZ32VbqWMP9OVwDJLiwC01AlYLnka0mIQZbT/2xq9dUc9GW -U3kiVw4lL8v/+sPjtTPCYYdzHHOyDen6znVhAiEA9qJT7BtQvRxCvGrAhr9MS022 -tTdPbW829BoUtIeH64cCIQDggG5i48v7HPacPBIH1RaSVhXl8qHCpQD3qrIw3FMw 
-DwIga8PqH5Sf5sHedy2+CiK0V4MRfoU4c3zQ6kArI+bEgSkCIQCLA1vXBiE31B5s -bdHoYa1BXebfZVd+1Hd95IfEM5mbRwIgSkDuQwV55BBlvWph3U8wVIMIb4GStaH8 -W535W8UBbEg= ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIBOwIBAAJBAOTo6nXwfxpFm+vyN+OFKTDc/gbLTvR5veGumQiJmXTlTE5ysj5w +7dJoTnOCZxbXxQ+ld/BaXi7L9DqdqCRkNe8CAwEAAQJBAIbwSm411Cc/i3eeNJX5 +hFuammCU7rktHuLv0qR2wLBn8Sj2XXtJPlBEdolhQdO+YECBMxUG8f92LeJ4T2OF +YhkCIQD/2tu/Sq5iVLkrocnCpppbxcZ5JUYDgnD2TrbvSghj+wIhAOUKJVyo5xRH +DpyAfthRJa6VDUip3hVUz+Zz8PDmkp+dAiAX2nGuTeogJMH2vWiwCxRNBg1Q8haq +8RhS/lezy3UozQIhANa8QHMzWBNG24gXYNVmnzGjRSUPPcw6DAFASnFRe75xAiAq +c0wJZWOMbezOsSgAwPt/xsabERIVXSNhzt1il/lPjA== +-----END RSA PRIVATE KEY----- diff --git a/tls/tests/files/server-intermediate-csr.pem b/tls/tests/files/server-intermediate-csr.pem new file mode 100644 index 0000000..c112d6c --- /dev/null +++ b/tls/tests/files/server-intermediate-csr.pem @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBNjCB4QIBADBLMRMwEQYKCZImiZPyLGQBGRYDQ09NMRcwFQYKCZImiZPyLGQB +GRYHRVhBTVBMRTEbMBkGA1UEAwwSc2VydmVyLmV4YW1wbGUuY29tMFwwDQYJKoZI +hvcNAQEBBQADSwAwSAJBAM2PTEorKL/7mIbYVOz+U6DAo+itGDr2jjOyYxxU5+/A +jUg3gVFKw+mpok26sdwY2q8aiPTuE0F1bF2iLEXimacCAwEAAaAxMC8GCSqGSIb3 +DQEJDjEiMCAwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG +9w0BAQUFAANBADtTaSyvJDUzCuim8Wlk8MVVsGQzC2czFRshO5JcPgjq08gN9FXM +KUYeUQYLGGVnVXkTqWdAOog769XukpDGv2g= +-----END CERTIFICATE REQUEST----- diff --git a/tls/tests/files/server-intermediate-key.pem b/tls/tests/files/server-intermediate-key.pem new file mode 100644 index 0000000..32661d5 --- /dev/null +++ b/tls/tests/files/server-intermediate-key.pem 
@@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOQIBAAJBAM2PTEorKL/7mIbYVOz+U6DAo+itGDr2jjOyYxxU5+/AjUg3gVFK +w+mpok26sdwY2q8aiPTuE0F1bF2iLEXimacCAwEAAQJACu1/RMIenHYnmaOOgDrU +/0q+a/QnwZqx3JWzJyJsYhZmAJRw7/0MjsrD+UoPggvliu77FmnYihYEPxdlM39D +QQIhAPE0Lu0W1vhiXxuEwIP7w7ix/IlTgZ/xIhoOltfwKSMPAiEA2itd/y6MvNgq +39ZZDiAn5mjyDoSNJuafRi1FNY4fP+kCIGcNRH9HItE8NiYrsZSyHAzs/lgttVQA +UfGQCiJ4GRtBAiBc+I4d6KBg+V2L9bQNqPZX4fEE7seYBD9rkG8l22LFwQIgOKPr +BUkGlw/IMHWVXhQkPKSAPoSLHEvGiQCIyIckCMc= +-----END RSA PRIVATE KEY----- diff --git a/tls/tests/files/server-intermediate.pem b/tls/tests/files/server-intermediate.pem new file mode 100644 index 0000000..6e4246a --- /dev/null +++ b/tls/tests/files/server-intermediate.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAcegAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrTETMBEGCgmSJomT8ixk +ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxKzApBgNVBAsMIkludGVy +bWVkaWF0ZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJDAiBgNVBAMMG2ludGVybWVk +aWF0ZS1jYS5leGFtcGxlLmNvbTEqMCgGCSqGSIb3DQEJARYbaW50ZXJtZWRpYXRl +LWNhQGV4YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzOVoXDTQwMDgyMzAwMjIzOVow +SzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUx +GzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sA +MEgCQQDNj0xKKyi/+5iG2FTs/lOgwKPorRg69o4zsmMcVOfvwI1IN4FRSsPpqaJN +urHcGNqvGoj07hNBdWxdoixF4pmnAgMBAAGjMzAxMAkGA1UdEwQCMAAwEwYDVR0l +BAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgwBocEwKgBFjANBgkqhkiG9w0BAQUFAANB +ALl1WO7IZYOvPwhyQ4EpCLjSsTuGBcfbWFtw4XiQueZ8TILHcZARH4nW1tKoVWzc +rIGhqRjNMWRmaH1wgSCGRiE= +-----END CERTIFICATE----- 
diff --git a/tls/tests/files/server-key.der b/tls/tests/files/server-key.der index ec4efb76fdaddd24763d5c8a106c32f5bb410e98..abd1336df4a23646c262bfc9fded5297126f82d8 100644 GIT binary patch literal 319 zcmV-F0l@w+f&n`M0RRF)0OaWEb?|>0MVssLH{*pVFx>tI%TDxpz2UBz2#J|=009C)0EX~NZZ*^=KZ|#sG?n>; zTbi0+lp3+ z*1SM-GguQw+lUun)n=bDqeUeTJy@splc24=%E-1ETipsiez6N>J2YqK9?={d3}o~GZ0 z8USiim6qYXj`qhR&0b#+ok-^I)Syq+#?9p%=>h`*009C(Q52SU*;eXU!~Hp210=Yx z3r#?kg6EN~CLsn}PyMm0*Hm-SmQ#5mR}LjF%m4br0wDnQ zqEqY}P`w;NylTLPzf4O_wzW4;ZErU88WgmLhwFy|ApqcjZeruh`yBS1JQ4@h7LryK z;ugAsm(ICFf^>OdY;Do#VXZ-3=HF#ke$;n;UHpc8bzDy@;Bp!DKOmr2Fp(LdA;GT znFxuQbmdG=af?b2vYbAo3U*ToN|cko(XF3a>fov0*aHSYog0RRD`GcYlecL5=P z4+aBO9T5ZwFb0PNz^DNVFbxI?Duzgg_YDC71qA>Dfq?*KB>{Mu+GvV-7EB&whRvB( zW>$ZM4=jC%{=@tsjcHhgO|<1kVkFc?+Z`Zx-$)7x`_cX?wqeFj(>vSyEggWnSH=sW zZW=UV&4&6>H@mi)8fN)pC7AcHPtn69{K6b4!1ohVd5h4LpmVy2TTxMx`avPYj?!>B Lo$o11NU|FRI%9gf delta 296 zcmV+@0oVS!1gZoOFoFUmFoFS(paTK{0s;XCkq}7%6OmdU0TYpWGa4~4F)=qWIW#vh zH(D1BGBGeQF*GqbG&eCfk;gg#6O#e~EJ@f&#PO4!R|aOoGu-pQ@1U(*k`s#Vb!)R9 zW9d1vD4wR@g&F{AQk9nBy^i+BBh6l45S>Wo@6@1A*2c}{9O(iB0RRD`A}}D6cL5=P z4F(A+hDe6@4FLfK1potqfdFG3pE9KN8u~PjuRIgUocXz_;J4Qgj0x diff --git a/tls/tests/files/server.pem b/tls/tests/files/server.pem index d4bd526..56be360 100644 --- a/tls/tests/files/server.pem +++ b/tls/tests/files/server.pem 
@@ -1,14 +1,14 @@ -----BEGIN CERTIFICATE----- -MIICJjCCAY+gAwIBAgIBBzANBgkqhkiG9w0BAQUFADCBhjETMBEGCgmSJomT8ixk -ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsTFUNlcnRp -ZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20xHTAbBgkq -hkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTExMDExNzE5NDcxN1oXDTIxMDEx -NDE5NDcxN1owSzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkW -B0VYQU1QTEUxGzAZBgNVBAMTEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3 -DQEBAQUAA0sAMEgCQQDYScTxk55XBmbDM9zzwO+grVySE4rudWuzH2PpObIonqbf -hRoAalKVluG9jvbHI81eXxCdSObv1KBP1sbN5RzpAgMBAAGjIjAgMAkGA1UdEwQC -MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEAYx6fMqT1 -Gvo0jq88E8mc+bmp4LfXD4wJ7KxYeadQxt75HFRpj4FhFO3DOpVRFgzHlOEo3Fwk -PZOKjvkT0cbcoEq5whLH25dHoQxGoVQgFyAP5s+7Vp5AlHh8Y/vAoXeEVyy/RCIH -QkhUlAflfDMcrrYjsmwoOPSjhx6Mm/AopX4= +MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBhjETMBEGCgmSJomT8ixk +ARkWA0NPTTEXMBUGCgmSJomT8ixkARkWB0VYQU1QTEUxHjAcBgNVBAsMFUNlcnRp +ZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20xHTAbBgkq +hkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tMB4XDTE1MDgzMDAwMjIzMVoXDTQwMDgy +MzAwMjIzMVowSzETMBEGCgmSJomT8ixkARkWA0NPTTEXMBUGCgmSJomT8ixkARkW +B0VYQU1QTEUxGzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTBcMA0GCSqGSIb3 +DQEBAQUAA0sAMEgCQQDk6Op18H8aRZvr8jfjhSkw3P4Gy070eb3hrpkIiZl05UxO +crI+cO3SaE5zgmcW18UPpXfwWl4uy/Q6nagkZDXvAgMBAAGjMzAxMAkGA1UdEwQC +MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgwBocEwKgBCjANBgkqhkiG +9w0BAQUFAAOBgQBmJQF4mdpoinkWTB5khs2ZVWZWf4QPLH2I/sP8IY1pWIVNtOVG +YiTURtsdIHffSAoJ+9H+KrZhxk7TO9v7LR2Au1fGC6FuGjRizYb6UTe7tpoaZvlj +JZj3sE/Rw/zCHCjA9xNTeYvQlKBzuohbUVGS+kEhxI7ScDmd7ylKSLIbBQ== -----END CERTIFICATE----- diff --git a/tls/tests/files/ssl/ca.conf b/tls/tests/files/ssl/ca.conf new file mode 100644 index 0000000..8e1844e --- /dev/null +++ b/tls/tests/files/ssl/ca.conf 
@@ -0,0 +1,31 @@
+# Root CA
+
+[ req ]
+default_md = sha1
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = req_dn
+req_extensions = req_ext
+x509_extensions = v3_req_ext
+
+[ req_dn ]
+0.domainComponent = "COM"
+1.domainComponent = "EXAMPLE"
+organizationalUnitName = "Certificate Authority"
+commonName = "ca.example.com"
+emailAddress = "ca@example.com"
+
+[ req_ext ]
+subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = critical,keyCertSign,cRLSign
+
+[ v3_req_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = critical,keyCertSign,cRLSign
+subjectAltName = email:ca@example.com
+issuerAltName = issuer:copy
diff --git a/tls/tests/files/ssl/client.conf b/tls/tests/files/ssl/client.conf
new file mode 100644
index 0000000..be59460
--- /dev/null
+++ b/tls/tests/files/ssl/client.conf
@@ -0,0 +1,14 @@
+# Client
+
+[ req ]
+default_md = sha1
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = req_dn
+
+[ req_dn ]
+0.domainComponent = "COM"
+1.domainComponent = "EXAMPLE"
+commonName = "Client"
+emailAddress = client@example.com
diff --git a/tls/tests/files/ssl/intermediate-ca.conf b/tls/tests/files/ssl/intermediate-ca.conf
new file mode 100644
index 0000000..f766c14
--- /dev/null
+++ b/tls/tests/files/ssl/intermediate-ca.conf
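Review bot: `default_md = sha1` in the `[ req ]` section means every fixture certificate generated from this config is SHA-1 signed; the same line appears in client.conf, intermediate-ca.conf, old-ca.conf, server-intermediate.conf and server.conf. TLS stacks running with current default policies tend to reject SHA-1 certificate signatures, so tests built on these fixtures can start failing at verification for reasons unrelated to what they exercise. Unless a test deliberately needs a weak chain, use `default_md = sha256` here and regenerate the files. The 512-bit `openssl genrsa` calls in the generation script earlier in this patch are worth raising to 2048 bits in the same pass.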
@@ -0,0 +1,31 @@
+# Intermediate Root CA
+
+[ req ]
+default_md = sha1
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = req_dn
+req_extensions = req_ext
+x509_extensions = v3_req_ext
+
+[ req_dn ]
+0.domainComponent = "COM"
+1.domainComponent = "EXAMPLE"
+organizationalUnitName = "Intermediate Certificate Authority"
+commonName = "intermediate-ca.example.com"
+emailAddress = "intermediate-ca@example.com"
+
+[ req_ext ]
+subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = critical,keyCertSign,cRLSign
+
+[ v3_req_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = critical,keyCertSign,cRLSign
+subjectAltName = email:intermediate-ca@example.com
+issuerAltName = issuer:copy
diff --git a/tls/tests/files/ssl/old-ca.conf b/tls/tests/files/ssl/old-ca.conf
new file mode 100644
index 0000000..b1d155a
--- /dev/null
+++ b/tls/tests/files/ssl/old-ca.conf
@@ -0,0 +1,31 @@
+# Root CA
+
+[ req ]
+default_md = sha1
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = req_dn
+req_extensions = req_ext
+x509_extensions = v3_req_ext
+
+[ req_dn ]
+0.domainComponent = "COM"
+1.domainComponent = "EXAMPLE"
+organizationalUnitName = "Old Untrusted Certificate Authority"
+commonName = "once.was.a.ca.example.com"
+emailAddress = "ca@example.com"
+
+[ req_ext ]
+subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = critical,keyCertSign,cRLSign
+
+[ v3_req_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = critical,keyCertSign,cRLSign
+subjectAltName = email:ca@example.com
+issuerAltName = issuer:copy
diff --git a/tls/tests/files/ssl/server-intermediate.conf b/tls/tests/files/ssl/server-intermediate.conf new file mode 100644 index 0000000..d899a0f --- /dev/null +++ b/tls/tests/files/ssl/server-intermediate.conf @@ -0,0 +1,27 @@ +# Server + +[ req ] +default_md = sha1 +utf8 = yes +string_mask = utf8only +prompt = no +distinguished_name = req_dn +req_extensions = req_ext +x509_extensions = v3_req_ext + +[ req_dn ] +0.domainComponent = "COM" +1.domainComponent = "EXAMPLE" +commonName = "server.example.com" + +[ req_ext ] +basicConstraints = CA:false +extendedKeyUsage = serverAuth + +[ v3_req_ext ] +basicConstraints = CA:false +extendedKeyUsage = serverAuth +subjectAltName = @alt_names + +[ alt_names ] +IP.0 = 192.168.1.22 diff --git a/tls/tests/files/ssl/server.conf b/tls/tests/files/ssl/server.conf new file mode 100644 index 0000000..6a98029 --- /dev/null +++ b/tls/tests/files/ssl/server.conf @@ -0,0 +1,27 @@ +# Server + +[ req ] +default_md = sha1 +utf8 = yes +string_mask = utf8only +prompt = no +distinguished_name = req_dn +req_extensions = req_ext +x509_extensions = v3_req_ext + +[ req_dn ] +0.domainComponent = "COM" +1.domainComponent = "EXAMPLE" +commonName = "server.example.com" + +[ req_ext ] +basicConstraints = CA:false +extendedKeyUsage = serverAuth + +[ v3_req_ext ] +basicConstraints = CA:false +extendedKeyUsage = serverAuth +subjectAltName = @alt_names + +[ alt_names ] +IP.0 = 192.168.1.10 diff --git a/tls/tests/mock-interaction.c b/tls/tests/mock-interaction.c index ee518a5..1bcb729 100644 --- a/tls/tests/mock-interaction.c +++ b/tls/tests/mock-interaction.c @@ -16,6 +16,9 @@ * Free Software Foundation, Inc., 59 Temple Place - Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ 
@@ -40,8 +43,12 @@ mock_interaction_ask_password_async (GTlsInteraction *interaction, task = g_task_new (interaction, cancellable, callback, user_data); - g_tls_password_set_value (password, (const guchar *)self->static_password, -1); + if (self->static_error) + g_task_return_error (task, g_error_copy (self->static_error)); + else + g_tls_password_set_value (password, (const guchar *)self->static_password, -1); g_task_return_boolean (task, TRUE); + g_object_unref (task); } static GTlsInteractionResult 
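Review bot: In mock_interaction_ask_password_async the new `else` covers only the g_tls_password_set_value() call, so when `static_error` is set the task is completed by g_task_return_error() and then a second time by the unconditional `g_task_return_boolean (task, TRUE);` that follows. A GTask is meant to be returned exactly once, so the error path of this mock is not a clean failure for the tests that rely on it. Brace the branch the way mock_interaction_request_certificate_async does later in this file: `else { g_tls_password_set_value (password, (const guchar *)self->static_password, -1); g_task_return_boolean (task, TRUE); }`. The function's signature and opening lines are outside this hunk.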
@@ -72,8 +79,77 @@ mock_interaction_ask_password (GTlsInteraction *interaction, if (g_cancellable_set_error_if_cancelled (cancellable, error)) return G_TLS_INTERACTION_FAILED; - g_tls_password_set_value (password, (const guchar *)self->static_password, -1); - return G_TLS_INTERACTION_HANDLED; + if (self->static_error) + { + g_propagate_error (error, g_error_copy (self->static_error)); + return G_TLS_INTERACTION_FAILED; + } + else + { + g_tls_password_set_value (password, (const guchar *)self->static_password, -1); + return G_TLS_INTERACTION_HANDLED; + } +} + +static void +mock_interaction_request_certificate_async (GTlsInteraction *interaction, + GTlsConnection *connection, + GTlsCertificateRequestFlags flags, + GCancellable *cancellable, + GAsyncReadyCallback callback, + gpointer user_data) +{ + MockInteraction *self = MOCK_INTERACTION (interaction); + GTask *task; + + task = g_task_new (interaction, cancellable, callback, user_data); + + if (self->static_error) + g_task_return_error (task, g_error_copy (self->static_error)); + else + { + g_tls_connection_set_certificate (connection, self->static_certificate); + g_task_return_boolean (task, TRUE); + } + g_object_unref (task); +} + +static GTlsInteractionResult +mock_interaction_request_certificate_finish (GTlsInteraction *interaction, + GAsyncResult *result, + GError **error) +{ + g_return_val_if_fail (g_task_is_valid (result, interaction), + G_TLS_INTERACTION_UNHANDLED); + + if (!g_task_propagate_boolean (G_TASK (result), error)) + return G_TLS_INTERACTION_FAILED; + else + return G_TLS_INTERACTION_HANDLED; +} + +static GTlsInteractionResult +mock_interaction_request_certificate (GTlsInteraction *interaction, + GTlsConnection *connection, + GTlsCertificateRequestFlags flags, + GCancellable *cancellable, + GError **error) +{ + MockInteraction *self = MOCK_INTERACTION (interaction); + + if (g_cancellable_set_error_if_cancelled (cancellable, error)) + return G_TLS_INTERACTION_FAILED; + + if (self->static_error) + { + 
g_propagate_error (error, g_error_copy (self->static_error)); + return G_TLS_INTERACTION_FAILED; + } + else + { + g_tls_connection_set_certificate (connection, self->static_certificate); + return G_TLS_INTERACTION_HANDLED; + } } static void @@ -88,6 +164,8 @@ mock_interaction_finalize (GObject *object) MockInteraction *self = MOCK_INTERACTION (object); g_free (self->static_password); + g_clear_object (&self->static_certificate); + g_clear_error (&self->static_error); G_OBJECT_CLASS (mock_interaction_parent_class)->finalize (object); } @@ -103,11 +181,13 @@ mock_interaction_class_init (MockInteractionClass *klass) interaction_class->ask_password = mock_interaction_ask_password; interaction_class->ask_password_async = mock_interaction_ask_password_async; interaction_class->ask_password_finish = mock_interaction_ask_password_finish; - + interaction_class->request_certificate = mock_interaction_request_certificate; + interaction_class->request_certificate_async = mock_interaction_request_certificate_async; + interaction_class->request_certificate_finish = mock_interaction_request_certificate_finish; } GTlsInteraction * -mock_interaction_new_static (const gchar *password) +mock_interaction_new_static_password (const gchar *password) { MockInteraction *self; @@ -116,3 +196,27 @@ mock_interaction_new_static (const gchar *password) self->static_password = g_strdup (password); return G_TLS_INTERACTION (self); } + +GTlsInteraction * +mock_interaction_new_static_certificate (GTlsCertificate *cert) +{ + MockInteraction *self; + + self = g_object_new (MOCK_TYPE_INTERACTION, NULL); + + self->static_certificate = cert ? g_object_ref (cert) : NULL; + return G_TLS_INTERACTION (self); +} + +GTlsInteraction * +mock_interaction_new_static_error (GQuark domain, + gint code, + const gchar *message) +{ + MockInteraction *self; + + self = g_object_new (MOCK_TYPE_INTERACTION, NULL); + + self->static_error = g_error_new (domain, code, "%s", message); + return G_TLS_INTERACTION (self); +} 
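Review bot: Both mock_interaction_request_certificate_async and mock_interaction_request_certificate pass `self->static_certificate` to g_tls_connection_set_certificate() unconditionally, yet mock_interaction_new_static_certificate (last hunk of this file) stores NULL when `cert` is NULL, and an interaction built with the password or error constructor leaves the field NULL as well. As far as I know g_tls_connection_set_certificate() guards its argument with a type-check precondition, so a NULL here would log a critical while the mock still reports G_TLS_INTERACTION_HANDLED. If "handled, but no certificate supplied" is an intended test case, make it explicit in both functions: `if (self->static_certificate) g_tls_connection_set_certificate (connection, self->static_certificate);`.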
diff --git a/tls/tests/mock-interaction.h b/tls/tests/mock-interaction.h index 90668c7..f357d8a 100644 --- a/tls/tests/mock-interaction.h +++ b/tls/tests/mock-interaction.h @@ -41,6 +41,8 @@ struct _MockInteraction { GTlsInteraction parent_instance; gchar *static_password; + GTlsCertificate *static_certificate; + GError *static_error; }; struct _MockInteractionClass @@ -50,7 +52,14 @@ struct _MockInteractionClass GType mock_interaction_get_type (void); -GTlsInteraction *mock_interaction_new_static (const gchar *password); + +GTlsInteraction *mock_interaction_new_static_password (const gchar *password); + +GTlsInteraction *mock_interaction_new_static_certificate (GTlsCertificate *cert); + +GTlsInteraction *mock_interaction_new_static_error (GQuark domain, + gint code, + const gchar *message); G_END_DECLS diff --git a/tls/tests/mock-pkcs11.c b/tls/tests/mock-pkcs11.c index 7aecbf1..4eaeb99 100644 --- a/tls/tests/mock-pkcs11.c +++ b/tls/tests/mock-pkcs11.c @@ -16,6 +16,9 @@ * License along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. + * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. */ #include "config.h" diff --git a/tls/tests/pkcs11-array.c b/tls/tests/pkcs11-array.c index b5d5c3b..a2f6372 100644 --- a/tls/tests/pkcs11-array.c +++ b/tls/tests/pkcs11-array.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/tests/pkcs11-pin.c b/tls/tests/pkcs11-pin.c index 7888788..76e894f 100644 --- a/tls/tests/pkcs11-pin.c +++ b/tls/tests/pkcs11-pin.c 
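Review bot: The three constructors declared in the second mock-interaction.h hunk carry no comment on ownership or NULL handling, which callers currently have to read out of mock-interaction.c. From the implementation in this patch, mock_interaction_new_static_certificate takes its own reference on `cert` and accepts NULL, and mock_interaction_new_static_error formats `message` into a new GError rather than keeping the pointer. A one-line comment above each declaration would cover it, e.g. `/* Takes its own reference on @cert; @cert may be NULL. */` and `/* @message is copied; every request on the interaction then fails with this error. */`.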
@@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ diff --git a/tls/tests/pkcs11-slot.c b/tls/tests/pkcs11-slot.c index 0d80044..1a5785a 100644 --- a/tls/tests/pkcs11-slot.c +++ b/tls/tests/pkcs11-slot.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ @@ -463,7 +466,7 @@ test_enumerate_private (TestSlot *test, /* This time we log in, and should have a match */ results = g_ptr_array_new_with_free_func ((GDestroyNotify)g_pkcs11_array_unref); - interaction = mock_interaction_new_static (MOCK_SLOT_ONE_PIN); + interaction = mock_interaction_new_static_password (MOCK_SLOT_ONE_PIN); state = g_pkcs11_slot_enumerate (test->slot, interaction, match->attrs, match->count, TRUE, diff --git a/tls/tests/pkcs11-util.c b/tls/tests/pkcs11-util.c index c27d8c1..28c7026 100644 --- a/tls/tests/pkcs11-util.c +++ b/tls/tests/pkcs11-util.c @@ -17,6 +17,9 @@ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, * Boston, MA 02111-1307, USA. * + * In addition, when the library is used with OpenSSL, a special + * exception applies. Refer to the LICENSE_EXCEPTION file for details. + * * Author: Stef Walter */ -- 2.7.4