excon · geemus · Jan 27, 2023 · Jan 27, 2023
diff --git a/README.md b/README.md
@@ -446,14 +446,24 @@ connection = Excon.new('https://example.com',
 
 `client_key_pass` is optional.
 
-If you already have loaded the certificate and key into memory, then pass it through like:
+Optionally, you can also pass the whole chain by passing the extra certificates through `client_chain`:
+
+```ruby
+connection = Excon.new('https://example.com',
+                       client_cert: 'mycert.pem',
+                       client_chain: 'mychain.pem',
+                       client_key: 'mycert.key')
+```
+
+If you already have loaded the certificate, key and chain into memory, then pass it through like:
 
 ```ruby
 client_cert_data = File.load 'mycert.pem'
 client_key_data = File.load 'mycert.key'
 
 connection = Excon.new('https://example.com',
                        client_cert_data: client_cert_data,
+                       client_chain_data: client_chain_data,
                        client_key_data: client_key_data)
 ```
 

diff --git a/lib/excon/constants.rb b/lib/excon/constants.rb
@@ -72,6 +72,8 @@ module Excon
     :client_key_pass,
     :client_cert,
     :client_cert_data,
+    :client_chain,
+    :client_chain_data,
     :certificate,
     :certificate_path,
     :disable_proxy,

diff --git a/lib/excon/ssl_socket.rb b/lib/excon/ssl_socket.rb
@@ -90,6 +90,14 @@ def initialize(data = {})
         else
           ssl_context.key = OpenSSL::PKey::RSA.new(client_key_data, client_key_pass)
         end
+        if client_chain_data && OpenSSL::X509::Certificate.respond_to?(:load)
+          ssl_context.extra_chain_cert = OpenSSL::X509::Certificate.load(client_chain_data)
+        elsif client_chain_data
+          certs = client_chain_data.scan(/-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/)
+          ssl_context.extra_chain_cert = certs.map do |cert|
+            OpenSSL::X509::Certificate.new(cert)
+          end
+        end
       elsif @data.key?(:certificate) && @data.key?(:private_key)
         ssl_context.cert = OpenSSL::X509::Certificate.new(@data[:certificate])
         if OpenSSL::PKey.respond_to? :read
@@ -171,6 +179,14 @@ def client_cert_data
                             end
     end
 
+    def client_chain_data
+      @client_chain_data ||= if (ccd = @data[:client_chain_data])
+                               ccd
+                             elsif (path = @data[:client_chain])
+                               File.read path
+                             end
+    end
+
     def connect
       # backwards compatability for things lacking nonblock
       @nonblock = HAVE_NONBLOCK && @nonblock

diff --git a/tests/basic_tests.rb b/tests/basic_tests.rb
@@ -193,6 +193,33 @@
   end
 end
 
+Shindo.tests('Excon basics (ssl chain)',['focus']) do
+  with_rackup('ssl_verify_peer_with_chain.ru') do
+
+    tests('GET /content-length/100').raises(Excon::Errors::SocketError) do
+      connection = Excon::Connection.new({
+        :host             => '127.0.0.1',
+        :hostname         => '127.0.0.1',
+        :nonblock         => false,
+        :port             => 8443,
+        :scheme           => 'https',
+        :ssl_verify_peer  => false
+      })
+      connection.request(:method => :get, :path => '/content-length/100')
+    end
+
+    cert_key_path = File.join(File.dirname(__FILE__), 'data', 'excon_client.cert.key')
+    cert_crt_path = File.join(File.dirname(__FILE__), 'data', 'excon_client.cert.crt')
+    chain_crt_path = File.join(File.dirname(__FILE__), 'data', 'excon_intermediate.cert.crt')
+    basic_tests('https://127.0.0.1:8443', client_key: cert_key_path, client_cert: cert_crt_path, client_chain: chain_crt_path)
+
+    cert_key_data = File.read cert_key_path
+    cert_crt_data = File.read cert_crt_path
+    chain_crt_data = File.read chain_crt_path
+    basic_tests('https://127.0.0.1:8443', client_key_data: cert_key_data, client_cert_data: cert_crt_data, client_chain_data: chain_crt_data)
+  end
+end
+
 Shindo.tests('Excon basics (ssl file paths)',['focus']) do
   with_rackup('ssl_verify_peer.ru') do
 

diff --git a/tests/data/excon_client.cert.crt b/tests/data/excon_client.cert.crt
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=excon, CN=excon intermediate
+        Validity
+            Not Before: Jan 23 14:19:58 2023 GMT
+            Not After : Jan 20 14:19:58 2033 GMT
+        Subject: O=excon, CN=excon client
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:be:f3:a4:f7:78:8b:b9:7d:c3:9a:8e:24:f1:a6:
+                    ac:44:8a:c7:db:8a:d3:ca:d3:f4:e2:b1:0e:47:0c:
+                    3d:0a:31:20:91:7f:b5:53:ee:a4:ac:00:a1:40:37:
+                    39:5a:ee:be:92:68:a0:6e:d3:f3:e9:dc:08:c0:91:
+                    66:76:89:37:8b:95:ed:fd:f7:e0:e9:c6:e5:d1:b7:
+                    1b:b5:88:d9:e5:69:fb:77:48:f1:8c:19:01:db:d5:
+                    59:8f:a3:7b:92:99:c8:cc:ec:ac:74:4d:31:4b:46:
+                    0f:c7:85:c1:96:09:bb:96:66:52:3a:ac:21:cd:e9:
+                    a8:41:90:b8:cf:d9:02:fc:3b:5e:df:27:af:1a:5b:
+                    23:cb:28:a7:09:3b:d1:6b:35:6c:f2:84:57:a0:e6:
+                    27:27:3a:92:18:44:b0:c4:82:1b:e4:be:ca:53:67:
+                    52:1d:e2:61:50:84:d1:37:75:9f:9f:39:8a:73:94:
+                    2b:7d:cf:b6:23:5f:cb:a1:1c:51:83:90:6c:70:9c:
+                    e1:5d:08:55:45:98:08:10:87:3d:b3:e6:33:b7:6e:
+                    8c:0c:38:eb:11:07:2a:64:4c:58:76:a6:ea:93:7f:
+                    a3:4a:55:a6:f6:e7:69:e6:08:ec:15:26:25:3d:42:
+                    5c:14:08:50:0a:c9:06:02:a0:ad:f5:c9:45:58:3a:
+                    e4:e7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                40:EF:5A:7C:EB:7B:86:E1:31:35:43:8D:4A:3F:31:A0:3B:C6:5F:1D
+            X509v3 Authority Key Identifier: 
+                keyid:4B:17:8E:D4:A8:69:61:D1:BE:59:A7:53:84:0C:82:D1:6E:B2:A4:67
+
+    Signature Algorithm: sha256WithRSAEncryption
+         93:79:26:7e:35:7b:52:89:93:b7:89:0a:f5:1e:3b:c3:13:b8:
+         de:d4:c5:0c:56:14:10:7e:a6:de:91:93:27:01:85:8c:7e:e9:
+         60:59:61:f6:bd:58:f9:b9:74:3a:d8:5b:8d:ed:fc:56:22:25:
+         18:6b:2d:52:83:af:02:8d:b5:c9:4e:08:6c:0d:a3:2a:39:58:
+         9a:f7:44:1c:d6:2e:03:69:57:d6:b1:b9:b6:db:b9:ab:f7:40:
+         43:ab:6e:ae:c2:27:6b:3d:82:85:eb:bf:54:4b:df:b2:44:64:
+         a8:a5:e4:fc:d0:70:30:f7:74:47:73:c4:3f:9d:97:1e:85:91:
+         ac:74:83:c2:ac:c4:40:f4:07:a5:50:a8:d5:24:69:ce:c2:02:
+         e8:67:21:6b:6b:19:9e:4a:a8:a4:b2:5c:eb:0f:b8:04:e5:9f:
+         1e:94:18:16:09:37:a3:82:5b:ea:ea:fd:57:dc:d7:6a:34:11:
+         fc:39:92:62:21:78:18:fa:14:49:7f:9b:21:28:8c:df:9c:3f:
+         16:2e:5a:7b:8d:7e:22:ef:e7:46:68:8d:29:58:c7:59:04:d6:
+         10:7f:8c:49:99:8a:aa:a3:b3:7b:52:63:89:e8:57:5e:13:3f:
+         ee:03:1e:ca:49:52:a8:34:8f:4a:f2:65:eb:51:ac:9a:e9:93:
+         f9:a4:4f:df
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMQ4wDAYDVQQKDAVleGNv
+bjEbMBkGA1UEAwwSZXhjb24gaW50ZXJtZWRpYXRlMB4XDTIzMDEyMzE0MTk1OFoX
+DTMzMDEyMDE0MTk1OFowJzEOMAwGA1UECgwFZXhjb24xFTATBgNVBAMMDGV4Y29u
+IGNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7zpPd4i7l9
+w5qOJPGmrESKx9uK08rT9OKxDkcMPQoxIJF/tVPupKwAoUA3OVruvpJooG7T8+nc
+CMCRZnaJN4uV7f334OnG5dG3G7WI2eVp+3dI8YwZAdvVWY+je5KZyMzsrHRNMUtG
+D8eFwZYJu5ZmUjqsIc3pqEGQuM/ZAvw7Xt8nrxpbI8sopwk70Ws1bPKEV6DmJyc6
+khhEsMSCG+S+ylNnUh3iYVCE0Td1n585inOUK33PtiNfy6EcUYOQbHCc4V0IVUWY
+CBCHPbPmM7dujAw46xEHKmRMWHam6pN/o0pVpvbnaeYI7BUmJT1CXBQIUArJBgKg
+rfXJRVg65OcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl
+blNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFEDvWnzre4bhMTVD
+jUo/MaA7xl8dMB8GA1UdIwQYMBaAFEsXjtSoaWHRvlmnU4QMgtFusqRnMA0GCSqG
+SIb3DQEBCwUAA4IBAQCTeSZ+NXtSiZO3iQr1HjvDE7je1MUMVhQQfqbekZMnAYWM
+fulgWWH2vVj5uXQ62FuN7fxWIiUYay1Sg68CjbXJTghsDaMqOVia90Qc1i4DaVfW
+sbm227mr90BDq26uwidrPYKF679US9+yRGSopeT80HAw93RHc8Q/nZcehZGsdIPC
+rMRA9AelUKjVJGnOwgLoZyFraxmeSqikslzrD7gE5Z8elBgWCTejglvq6v1X3Ndq
+NBH8OZJiIXgY+hRJf5shKIzfnD8WLlp7jX4i7+dGaI0pWMdZBNYQf4xJmYqqo7N7
+UmOJ6FdeEz/uAx7KSVKoNI9K8mXrUaya6ZP5pE/f
+-----END CERTIFICATE-----
diff --git a/tests/data/excon_client.cert.key b/tests/data/excon_client.cert.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvvOk93iLuX3Dmo4k8aasRIrH24rTytP04rEORww9CjEgkX+1
+U+6krAChQDc5Wu6+kmigbtPz6dwIwJFmdok3i5Xt/ffg6cbl0bcbtYjZ5Wn7d0jx
+jBkB29VZj6N7kpnIzOysdE0xS0YPx4XBlgm7lmZSOqwhzemoQZC4z9kC/Dte3yev
+GlsjyyinCTvRazVs8oRXoOYnJzqSGESwxIIb5L7KU2dSHeJhUITRN3WfnzmKc5Qr
+fc+2I1/LoRxRg5BscJzhXQhVRZgIEIc9s+Yzt26MDDjrEQcqZExYdqbqk3+jSlWm
+9udp5gjsFSYlPUJcFAhQCskGAqCt9clFWDrk5wIDAQABAoIBAGzYWyeJOjQwwQff
+kKWCeV3UsdmuB83tBgEWJepPypd9q2/kmQrP1GQLM99z2yi/QDgalaC3Bqk+eGq0
+NvDIhLX3b6K94iG/846YTp4q9PG1eNbk6HMQaiPSOGwNJ0pIiNJu8lqVCc07kZEM
+6G1K/PfdOXAiYF6MmxFMmlw3+mClxtyowV6OgCUR7SeNxCfexsXgHHMYbNk3R9aS
+ja/SU9LSEv0gvSzhi88F/Lj6hmSsX9QZE7j5OtlU5ishY0LsyXYLwCFGn3Z71vj7
+GvZTXYByPhpMGNl61I+NIC8SPZ9tnWD3DAAj9zQ421A7uKlWVqJH4HxP3FoW5LkJ
+KYc5tkECgYEA5FSStVcqHslgmvIZyldi5o14wUnj0lLHR8ZQSvkoXXxCqFs0EunT
+JAIVmy4lmgdGZ8f1uknqUSr6e0IWIGvSAo1r8MjFYiXe9nHuNJJ0bcFCwnIzyqcz
+gMVtI1BO8pw2AHWpLNryYIMF4+KBSZHnBnqdoJXGZqefXxWBEnT53ccCgYEA1hd8
+JdLmJB1gjgJgV5Yrf0+xVy0cqQMac0RA1Pw7QhOpYg42lsci3jaKRIX/YCUjuaXj
+/9RlUtyBsB5IMDomwG6/OSSsGA9NMh+irY3B7L/u0j1EGlL7VUmViPVJ05f07E8x
+J32W17PjXlD7J/YPI2e3fH3T0fa4NeluabidP+ECgYBsC6kwroJ79wcDyzRxD1D5
+kFBoBrMLv6gVSr6L+8MiGb7hM+c8W/FRxLq8p+WbMX4bdf/Nm1SJ/DBzSx51URAb
+rRg65IainxEWxWrW7cayeRVCNhBUATLZ6JJwd3wkSc80AHmBhEnVaarL308WpTgR
+VMxqRPWRdhhwQhjFxxzF2QKBgQCHHldaP9rEHE5eEh3f6YUWWqOgU3ZtLOo6qW8J
+fQ+hSmty2WmWi6Pz/xQQ30kn0wjTGGHnipNQUp7/Gn2RAoKGnN7PH9gFb1LXOaQg
+SQGFfDUsN0KOIqVBVKmtwLGRe6w2oFxzgg37oSr00cNRmzg+rizdw0Q2lbH5RJRM
+4RlNwQKBgQCHZzGe6kUr6gN2VvgmrH5hrw7OasaWYgmfflAmckRU0ml5rB68wzAi
+PgMIsMU1cjy0LvW2BAfp6Qp5yAWhnf+U8rihj9WWlFrir5tGDnvsPmbDIMNgz6oo
+YWemKQr9m8Cq9rQHaZRU/vMrGdH1g6kIcPDoU+SxfysabAiQT2YwKQ==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data/excon_intermediate.cert.crt b/tests/data/excon_intermediate.cert.crt
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=excon, O=excon
+        Validity
+            Not Before: Jan 23 14:19:36 2023 GMT
+            Not After : Jan 20 14:19:36 2033 GMT
+        Subject: O=excon, CN=excon intermediate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:eb:2f:8b:63:e5:d1:94:3a:3e:32:5e:83:0d:63:
+                    5f:e0:a1:87:96:86:65:2e:c2:0a:10:f3:61:84:1d:
+                    88:6c:53:c8:dc:b2:d8:8e:81:3b:77:7e:32:7c:17:
+                    fe:5b:d7:25:72:22:f7:af:dd:8c:8c:6a:b9:69:c3:
+                    5b:dd:1a:42:0a:50:fd:df:24:0c:60:0b:94:94:8b:
+                    30:f4:46:99:52:ff:56:fb:04:e4:77:80:a5:2e:85:
+                    90:31:57:71:0a:c9:eb:1b:1d:83:cd:09:59:1e:dd:
+                    c6:42:a1:a7:e2:ef:98:85:02:4a:02:44:01:49:f2:
+                    1f:04:dd:df:64:b8:6a:19:5d:67:7e:d1:64:f9:50:
+                    eb:b8:d1:24:f9:32:d4:c4:a4:36:aa:d3:90:ee:22:
+                    e9:a1:59:94:f9:aa:d9:e9:a6:c0:30:f2:0e:8b:6e:
+                    8b:1a:fc:ef:5c:a4:7b:68:3e:74:59:34:86:7b:23:
+                    32:ec:de:5b:93:b0:32:68:fb:44:89:28:ea:8f:ff:
+                    6b:e4:91:46:7b:c4:ad:20:24:8e:89:aa:e3:bd:61:
+                    9f:17:93:28:d7:53:50:d9:7a:2b:44:40:9e:6c:86:
+                    96:2a:8d:11:ef:f2:28:e0:21:bb:34:35:e4:e8:7e:
+                    f8:9a:d3:86:dd:cb:09:56:0f:5e:f8:44:65:dd:36:
+                    8d:85
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                4B:17:8E:D4:A8:69:61:D1:BE:59:A7:53:84:0C:82:D1:6E:B2:A4:67
+            X509v3 Authority Key Identifier: 
+                keyid:EC:A2:11:50:60:AA:58:87:36:EC:69:6E:8B:73:82:39:64:2A:C4:ED
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         20:af:b7:a9:00:80:f2:ac:e7:04:3b:32:5d:81:c1:0a:8c:d5:
+         32:89:e1:f9:6e:73:3d:c5:35:cd:f5:4f:33:67:1c:00:55:94:
+         d2:62:e3:48:97:63:36:01:59:10:3b:a7:aa:ec:74:fa:3c:dc:
+         7a:1d:8a:11:07:16:dd:98:bf:64:82:3a:49:bb:b9:02:be:30:
+         23:bd:c3:45:70:a6:5c:93:5e:85:cc:27:80:82:ad:1e:3d:3f:
+         d2:43:18:07:b5:33:c8:f2:29:f6:5e:b6:7d:e9:a0:7a:fd:0d:
+         a7:c5:3f:8d:f7:d3:da:ee:59:e7:33:fa:1f:44:29:62:6f:62:
+         03:4c:4e:46:7a:b2:f4:23:43:68:ef:ec:0b:49:fe:5e:7c:f3:
+         d0:a2:52:57:84:31:9b:b7:30:5f:6e:5b:be:25:f1:4b:9e:eb:
+         df:aa:07:f7:84:94:88:fd:d1:a0:a4:07:09:0b:2b:b0:99:31:
+         05:3c:45:bd:12:9b:62:7b:20:d6:c4:84:e6:8f:61:1c:c8:67:
+         c7:40:00:04:9b:53:f3:b6:ea:7f:b9:1d:b4:bc:ff:d9:df:05:
+         47:71:5d:44:39:a0:f2:f2:aa:12:45:61:43:95:5f:a0:34:40:
+         2f:ee:d7:c2:e0:77:5b:92:df:e3:9e:f8:d7:af:26:da:ef:40:
+         99:7f:65:38
+-----BEGIN CERTIFICATE-----
+MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQsFADAgMQ4wDAYDVQQDDAVleGNv
+bjEOMAwGA1UECgwFZXhjb24wHhcNMjMwMTIzMTQxOTM2WhcNMzMwMTIwMTQxOTM2
+WjAtMQ4wDAYDVQQKDAVleGNvbjEbMBkGA1UEAwwSZXhjb24gaW50ZXJtZWRpYXRl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6y+LY+XRlDo+Ml6DDWNf
+4KGHloZlLsIKEPNhhB2IbFPI3LLYjoE7d34yfBf+W9clciL3r92MjGq5acNb3RpC
+ClD93yQMYAuUlIsw9EaZUv9W+wTkd4ClLoWQMVdxCsnrGx2DzQlZHt3GQqGn4u+Y
+hQJKAkQBSfIfBN3fZLhqGV1nftFk+VDruNEk+TLUxKQ2qtOQ7iLpoVmU+arZ6abA
+MPIOi26LGvzvXKR7aD50WTSGeyMy7N5bk7AyaPtEiSjqj/9r5JFGe8StICSOiarj
+vWGfF5Mo11NQ2XorRECebIaWKo0R7/Io4CG7NDXk6H74mtOG3csJVg9e+ERl3TaN
+hQIDAQABo2YwZDAdBgNVHQ4EFgQUSxeO1KhpYdG+WadThAyC0W6ypGcwHwYDVR0j
+BBgwFoAU7KIRUGCqWIc27Glui3OCOWQqxO0wEgYDVR0TAQH/BAgwBgEB/wIBADAO
+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBACCvt6kAgPKs5wQ7Ml2B
+wQqM1TKJ4flucz3FNc31TzNnHABVlNJi40iXYzYBWRA7p6rsdPo83HodihEHFt2Y
+v2SCOkm7uQK+MCO9w0VwplyTXoXMJ4CCrR49P9JDGAe1M8jyKfZetn3poHr9DafF
+P43309ruWecz+h9EKWJvYgNMTkZ6svQjQ2jv7AtJ/l5889CiUleEMZu3MF9uW74l
+8Uue69+qB/eElIj90aCkBwkLK7CZMQU8Rb0Sm2J7INbEhOaPYRzIZ8dAAASbU/O2
+6n+5HbS8/9nfBUdxXUQ5oPLyqhJFYUOVX6A0QC/u18Lgd1uS3+Oe+NevJtrvQJl/
+ZTg=
+-----END CERTIFICATE-----
diff --git a/tests/data/excon_intermediate.cert.key b/tests/data/excon_intermediate.cert.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA6y+LY+XRlDo+Ml6DDWNf4KGHloZlLsIKEPNhhB2IbFPI3LLY
+joE7d34yfBf+W9clciL3r92MjGq5acNb3RpCClD93yQMYAuUlIsw9EaZUv9W+wTk
+d4ClLoWQMVdxCsnrGx2DzQlZHt3GQqGn4u+YhQJKAkQBSfIfBN3fZLhqGV1nftFk
++VDruNEk+TLUxKQ2qtOQ7iLpoVmU+arZ6abAMPIOi26LGvzvXKR7aD50WTSGeyMy
+7N5bk7AyaPtEiSjqj/9r5JFGe8StICSOiarjvWGfF5Mo11NQ2XorRECebIaWKo0R
+7/Io4CG7NDXk6H74mtOG3csJVg9e+ERl3TaNhQIDAQABAoIBAB9bbXhaUgEzasuI
+cmy8jTIEF3HoZWFAmdr8uEnHLkNTQHq8lccaT/V0rAKDqHRSUTnQk7mtDmpCaIpD
+c+Ic+CUr+01fHw9HO/46OMK5DwRT6yL42gVc76kuQbVydS39Eg3Bd6tEzc8hvqdv
+qlTFoU5Kqdd3fbyAPcaGVpy1QeAzpHvtJDNaa0BvewBuVGRv+ySHc13DB6NnUP4e
+NUn8iH1lXRYa6CZ9JDdk5PztQ8Y8N+TnS2krPmac6FBIR6dPGNdZPH30ak4IBF+Y
+y1DT9xZDJeu3LeqmVrZ+ARYff0BUT96ETiuL+ZHou201N2U8agvUxlVlEQZJcfHY
+jp1Ha9kCgYEA/VQZ378ycYdBGVFw8+AQ23GBEs35NARvMud4S8lB2ROj48+v/sS9
+d5oxa6Jqc2VU0nmow2k2H/YLQEHC8uF2BBN7yGtCDN3or9l6V+xzwiT8/L3jh6hd
+TvBdndJKF6HtArFEUk0pHmUMwUY+uGSiYD1WZabKj/jR7q7JsSgZoTcCgYEA7ap2
+1AW3oEFNnZ392vPMnZjBalf99PDpjRibkvv0GBoHQNbQtH3v7yjmIVs8sRpP6HlE
+/PK7wes+b83JhLP7UaSXNr7zsU/6RVvXifJf22Rpqv8+Bn+jaF5HocYWepvaqz0p
+NFxZrauW5mtW110i3wXsoWo7LHLKABlbwSJkFSMCgYEAkD4GzYPMcSAWTRg2PGZk
+ss6aM97b+mZb+pwZvu1FdRjdxKVJDMNxLly5rxO3kSUtevqSwVFy5BfwqBHJswn1
+bLS7Uo7f+PuRti8anl2gO/dbpX1pxKB1ILF0XJyUW4hzr4jH4iTVON1IufQJWmzS
+mAHU4+RoijmfL0yOwzSWA1kCgYAlTw04W21oCthUVejz5jHIy6IRP57uRKNlMue5
+OzQmVG+vDgnVS6/Oq2z0742nf6nrpJ3f13sCBhvXEUcBPf/F4UCbp34554QyPyim
+zxWdKzYrUcY63u6YA7TbAG2m8bByETfWsGijirw1j8QiKsy+lf9/l12SrLJpMZHl
+z7BGYQKBgQCYYnlBkxgSitJsg9FEbqzmyheZiddHqzSLvYiDH+d+mqgBFereCwB0
+ilAvRVVBEf2k2OMRb1zf7vJo2f15WE+jUQww3DFmUAhAPjtWeATfqDS7wueZT/g5
+SkHsULoHoJu4qqAHcLYSqwMJDnSZx69nSeTSFxlPFY2Ewfwblrp8MQ==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/rackups/ssl_verify_peer_with_chain.ru b/tests/rackups/ssl_verify_peer_with_chain.ru
@@ -0,0 +1,17 @@
+require 'openssl'
+require 'webrick'
+require 'webrick/https'
+
+require File.join(File.dirname(__FILE__), 'basic')
+key_file = File.join(File.dirname(__FILE__), '..', 'data', 'excon_client.cert.key')
+cert_file = File.join(File.dirname(__FILE__), '..', 'data', 'excon_client.cert.crt')
+cacert_file = File.join(File.dirname(__FILE__), '..', 'data', 'excon.cert.crt')
+Rack::Handler::WEBrick.run(Basic,
+  :Port             => 8443,
+  :SSLCertName      => [["CN", WEBrick::Utils::getservername]],
+  :SSLEnable        => true,
+  :SSLPrivateKey => OpenSSL::PKey::RSA.new(File.open(key_file).read),
+  :SSLCertificate => OpenSSL::X509::Certificate.new(File.open(cert_file).read),
+  :SSLCACertificateFile => cacert_file,
+  :SSLVerifyClient => OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+)