Ubuntu Push Notifications

Merge lp:~pedronis/ubuntu-push/http-ssl into lp:ubuntu-push/automatic

http-ssl
Merge into automatic

Proposed by Samuele Pedroni on 2014-09-04

Status:	Merged
Approved by:	Samuele Pedroni on 2014-09-10
Approved revision:	328
Merged at revision:	333
Proposed branch:	lp:~pedronis/ubuntu-push/http-ssl
Merge into:	lp:ubuntu-push/automatic
Diff against target:	655 lines (+198/-138) 17 files modified client/session/session_test.go (+4/-25) sampleconfigs/dev.json (+1/-1) server/acceptance/acceptance_test.go (+1/-1) server/acceptance/ssl/README (+1/-1) server/acceptance/ssl/testing.cert (+7/-7) server/acceptance/ssl/testing.key (+7/-7) server/acceptance/suites/broadcast.go (+1/-1) server/acceptance/suites/suite.go (+1/-1) server/config_test.go (+12/-11) server/dev/server.go (+2/-2) server/listener/listener.go (+4/-13) server/listener/listener_test.go (+9/-17) server/runner_devices.go (+2/-29) server/runner_http.go (+6/-1) server/runner_test.go (+45/-6) server/tlsconfig.go (+53/-0) testing/tls.go (+42/-15)
To merge this branch:	bzr merge lp:~pedronis/ubuntu-push/http-ssl
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Guillermo Gonzalez		2014-09-04	Approve on 2014-09-10
Review via email: mp+233403@code.launchpad.net

Commit message

- let the http runner serve over tls optionally
- more realistic testing cert/key
- review how we setup tls in tests

Description of the change

- let the http runner serve over tls optionally
- more realistic testing cert/key
- review how we setup tls in tests

lp:~pedronis/ubuntu-push/http-ssl updated on 2014-09-04

327. By Samuele Pedroni on 2014-09-04: comment tweak
328. By Samuele Pedroni on 2014-09-04: fix, thanks verterok

Revision history for this message

Guillermo Gonzalez (verterok) wrote on 2014-09-10:

looks good.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Samuele Pedroni

Ubuntu Push Hackers

 === modified file 'client/session/session_test.go'
 --- client/session/session_test.go	2014-08-26 16:05:28 +0000
 +++ client/session/session_test.go	2014-09-04 19:21:18 +0000
@@ -1489,14 +1489,7 @@
  func (cs *clientSessionSuite) TestDialBadServerName(c *C) {
  	// a borked server name
--	cert, err := tls.X509KeyPair(helpers.TestCertPEMBlock, helpers.TestKeyPEMBlock)
--	c.Assert(err, IsNil)
--	tlsCfg := &tls.Config{
--		Certificates:           []tls.Certificate{cert},
--		SessionTicketsDisabled: true,
--	}
--
--	lst, err := tls.Listen("tcp", "localhost:0", tlsCfg)
++	lst, err := tls.Listen("tcp", "localhost:0", helpers.TestTLSServerConfig)
  	c.Assert(err, IsNil)
  	// advertise
  	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -1541,19 +1534,12 @@
  func (cs *clientSessionSuite) TestDialWorks(c *C) {
  	// happy path thoughts
--	cert, err := tls.X509KeyPair(helpers.TestCertPEMBlock, helpers.TestKeyPEMBlock)
--	c.Assert(err, IsNil)
--	tlsCfg := &tls.Config{
--		Certificates:           []tls.Certificate{cert},
--		SessionTicketsDisabled: true,
--	}
--
--	lst, err := tls.Listen("tcp", "localhost:0", tlsCfg)
++	lst, err := tls.Listen("tcp", "localhost:0", helpers.TestTLSServerConfig)
  	c.Assert(err, IsNil)
  	// advertise
  	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  		b, err := json.Marshal(map[string]interface{}{
--			"domain": "localhost",
++			"domain": "push-delivery",
  			"hosts":  []string{"nowhere", lst.Addr().String()},
  		})
  		if err != nil {
@@ -1649,14 +1635,7 @@
  func (cs *clientSessionSuite) TestDialWorksDirect(c *C) {
  	// happy path thoughts
--	cert, err := tls.X509KeyPair(helpers.TestCertPEMBlock, helpers.TestKeyPEMBlock)
--	c.Assert(err, IsNil)
--	tlsCfg := &tls.Config{
--		Certificates:           []tls.Certificate{cert},
--		SessionTicketsDisabled: true,
--	}
--
--	lst, err := tls.Listen("tcp", "localhost:0", tlsCfg)
++	lst, err := tls.Listen("tcp", "localhost:0", helpers.TestTLSServerConfig)
  	c.Assert(err, IsNil)
  	sess, err := NewSession(lst.Addr().String(), dialTestConf, "wah", cs.lvls, cs.log)
  	c.Assert(err, IsNil)
 === modified file 'sampleconfigs/dev.json'
 --- sampleconfigs/dev.json	2014-07-15 17:14:07 +0000
 +++ sampleconfigs/dev.json	2014-09-04 19:21:18 +0000
@@ -10,5 +10,5 @@
      "http_read_timeout": "5s",
      "http_write_timeout": "5s",
      "max_notifications_per_app": 25,
--    "delivery_domain": "localhost"
++    "delivery_domain": "push-delivery"
+ }
 === modified file 'server/acceptance/acceptance_test.go'
 --- server/acceptance/acceptance_test.go	2014-05-02 09:56:49 +0000
 +++ server/acceptance/acceptance_test.go	2014-09-04 19:21:18 +0000
@@ -34,7 +34,7 @@
  	cfg := make(map[string]interface{})
  	suites.FillServerConfig(cfg, addr)
  	suites.FillHTTPServerConfig(cfg, httpAddr)
--	cfg["delivery_domain"] = "localhost"
++	cfg["delivery_domain"] = "push-delivery"
  	return cfg
+ }
 === modified file 'server/acceptance/ssl/README'
 --- server/acceptance/ssl/README	2014-02-21 16:17:28 +0000
 +++ server/acceptance/ssl/README	2014-09-04 19:21:18 +0000
@@ -3,6 +3,6 @@
  Generated with:
--  go run /usr/lib/go/src/pkg/crypto/tls/generate_cert.go -ca -host localhost -rsa-bits 512 -duration 87600h
++  go run /usr/lib/go/src/pkg/crypto/tls/generate_cert.go -ca -host push-delivery -rsa-bits 512 -duration 87600h
  and then renamed.
 === modified file 'server/acceptance/ssl/testing.cert'
 --- server/acceptance/ssl/testing.cert	2014-01-14 15:35:20 +0000
 +++ server/acceptance/ssl/testing.cert	2014-09-04 19:21:18 +0000
@@ -1,10 +1,10 @@
  -----BEGIN CERTIFICATE-----
  MIIBYzCCAQ+gAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD
--bzAeFw0xMzEyMTkyMDU1NDNaFw0yMzEyMTcyMDU1NDNaMBIxEDAOBgNVBAoTB0Fj
--bWUgQ28wWjALBgkqhkiG9w0BAQEDSwAwSAJBAPw+niki17X2qALE2A2AzE1q5dvK
--9CI4OduRtT9IgbFLC6psqAT21NA+QbY17nWSSpyP65zkMkwKXrbDzstwLPkCAwEA
--AaNUMFIwDgYDVR0PAQH/BAQDAgCkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1Ud
--EwEB/wQFMAMBAf8wGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMAsGCSqGSIb3
--DQEBBQNBAFqiVI+Km2XPSO+pxITaPvhmuzg+XG3l1+2di3gL+HlDobocjBqRctRU
--YySO32W07acjGJmCHUKpCJuq9X8hpmk=
++bzAeFw0xNDA4MjkxMjQyMDFaFw0yNDA4MjYxMjQyMDFaMBIxEDAOBgNVBAoTB0Fj
++bWUgQ28wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1FT6lkow0eky+Dnj2Z4nTrTF
++DgcKOt9Wr4B4gRH1bWmRqScOPxyHA5YodN7O1w8X8sdWko9puf59I1sWWr5LNwID
++AQABo1IwUDAOBgNVHQ8BAf8EBAMCAKQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYD
++VR0TAQH/BAUwAwEB/zAYBgNVHREEETAPgg1wdXNoLWRlbGl2ZXJ5MAsGCSqGSIb3
++DQEBBQNBABtWCdMFkhIO8+oM3vugOWle9WJZ1FCRWD+cMl76mI1lhmNF4lvEZG47
++xUjekA1+heU39WpOEzZSybrOdiEaGbI=
  -----END CERTIFICATE-----
 === modified file 'server/acceptance/ssl/testing.key'
 --- server/acceptance/ssl/testing.key	2014-01-14 15:35:20 +0000
 +++ server/acceptance/ssl/testing.key	2014-09-04 19:21:18 +0000
@@ -1,9 +1,9 @@
  -----BEGIN RSA PRIVATE KEY-----
--MIIBPAIBAAJBAPw+niki17X2qALE2A2AzE1q5dvK9CI4OduRtT9IgbFLC6psqAT2
--1NA+QbY17nWSSpyP65zkMkwKXrbDzstwLPkCAwEAAQJAKwXbIBULScP6QA6m8xam
--wgWbkvN41GVWqPafPV32kPBvKwSc+M1e+JR7g3/xPZE7TCELcfYi4yXEHZZI3Pbh
--oQIhAP/UsgJbsfH1GFv8Y8qGl5l/kmwwkwHhuKvEC87Yur9FAiEA/GlQv3ZfaXnT
--lcCFT0aL02O0RDiRYyMUG/JAZQJs6CUCIQCHO5SZYIUwxIGK5mCNxxXOAzyQSiD7
--hqkKywf+4FvfDQIhALa0TLyqJFom0t7c4iIGAIRc8UlIYQSPiajI64+x9775AiEA
--0v4fgSK/Rq059zW1753JjuB6aR0Uh+3RqJII4dUR1Wg=
++MIIBOgIBAAJBANRU+pZKMNHpMvg549meJ060xQ4HCjrfVq+AeIER9W1pkaknDj8c
++hwOWKHTeztcPF/LHVpKPabn+fSNbFlq+SzcCAwEAAQJBAIOO+4xu/3yv/rKqO7C0
++Oyqa+pVMa1w60R0AfqmKFQTqiTgevM77uqjpW1+t0hpK20nyj6MUIPaL+9kZgp7t
++mnECIQDqw79PXSzudf10XGy9ve5bRazINHxQYgJ7FvlTT6JhdQIhAOeJxq9zcKni
++69ueO1ualz0hn8w6uHPsG9FlZ8C+7Jh7AiAWJgebjjfZ+4nA+6NKt2uQct9dOA5u
++awC+6ij1ojK4rQIgNEqAbcWDj0qpe8sLms+aEntSjJxCZiPP0IW3XeeApZsCIDwo
++x+YyxXQWJlf9L5TNYPRo+KFEdk3Cew0lv6QNs+xe
  -----END RSA PRIVATE KEY-----
 === modified file 'server/acceptance/suites/broadcast.go'
 --- server/acceptance/suites/broadcast.go	2014-08-15 09:33:48 +0000
 +++ server/acceptance/suites/broadcast.go	2014-09-04 19:21:18 +0000
@@ -261,7 +261,7 @@
  	host, err := gh.Get()
  	c.Assert(err, IsNil)
  	expected := &gethosts.Host{
--		Domain: "localhost",
++		Domain: "push-delivery",
  		Hosts:  []string{s.ServerAddr},
+ 	}
  	c.Check(host, DeepEquals, expected)
 === modified file 'server/acceptance/suites/suite.go'
 --- server/acceptance/suites/suite.go	2014-08-27 21:19:51 +0000
 +++ server/acceptance/suites/suite.go	2014-09-04 19:21:18 +0000
@@ -111,7 +111,7 @@
+ }
  func testClientSession(addr string, deviceId, model, imageChannel string, reportPings bool) *acceptance.ClientSession {
--	tlsConfig, err := kit.MakeTLSConfig("", false, helpers.SourceRelative("../ssl/testing.cert"), "")
++	tlsConfig, err := kit.MakeTLSConfig("push-delivery", false, helpers.SourceRelative("../ssl/testing.cert"), "")
  	if err != nil {
  		panic(fmt.Sprintf("could not read ssl/testing.cert: %v", err))
+ 	}
 === modified file 'server/config_test.go'
 --- server/config_test.go	2014-02-10 23:19:08 +0000
 +++ server/config_test.go	2014-09-04 19:21:18 +0000
@@ -26,6 +26,7 @@
  	. "launchpad.net/gocheck"
  	"launchpad.net/ubuntu-push/config"
++	helpers "launchpad.net/ubuntu-push/testing"
+ )
  type configSuite struct{}
@@ -52,22 +53,22 @@
  	c.Check(cfg.Addr(), Equals, "127.0.0.1:9999")
+ }
--func (s *configSuite) TestDevicesParsedConfigLoadFinish(c *C) {
++func (s *configSuite) TestTLSParsedConfigLoadPEMs(c *C) {
  	tmpDir := c.MkDir()
--	cfg := &DevicesParsedConfig{
++	cfg := &TLSParsedConfig{
  		ParsedKeyPEMFile:  "key.key",
  		ParsedCertPEMFile: "cert.cert",
+ 	}
--	err := cfg.FinishLoad(tmpDir)
++	err := cfg.LoadPEMs(tmpDir)
  	c.Check(err, ErrorMatches, "reading key_pem_file:.*no such file.*")
--	err = ioutil.WriteFile(filepath.Join(tmpDir, "key.key"), []byte("KeY"), os.ModePerm)
++	err = ioutil.WriteFile(filepath.Join(tmpDir, "key.key"), helpers.TestKeyPEMBlock, os.ModePerm)
  	c.Assert(err, IsNil)
--	err = cfg.FinishLoad(tmpDir)
++	err = cfg.LoadPEMs(tmpDir)
  	c.Check(err, ErrorMatches, "reading cert_pem_file:.*no such file.*")
--	err = ioutil.WriteFile(filepath.Join(tmpDir, "cert.cert"), []byte("CeRt"), os.ModePerm)
--	c.Assert(err, IsNil)
--	err = cfg.FinishLoad(tmpDir)
--	c.Assert(err, IsNil)
--	c.Check(string(cfg.KeyPEMBlock()), Equals, "KeY")
--	c.Check(string(cfg.CertPEMBlock()), Equals, "CeRt")
++	err = ioutil.WriteFile(filepath.Join(tmpDir, "cert.cert"), helpers.TestCertPEMBlock, os.ModePerm)
++	c.Assert(err, IsNil)
++	err = cfg.LoadPEMs(tmpDir)
++	c.Assert(err, IsNil)
++	tlsCfg := cfg.TLSServerConfig()
++	c.Check(tlsCfg.Certificates, HasLen, 1)
+ }
 === modified file 'server/dev/server.go'
 --- server/dev/server.go	2014-07-08 15:08:52 +0000
 +++ server/dev/server.go	2014-09-04 19:21:18 +0000
@@ -64,7 +64,7 @@
  	if err != nil {
  		server.BootLogFatalf("reading config: %v", err)
+ 	}
--	err = cfg.DevicesParsedConfig.FinishLoad(filepath.Dir(cfgFpaths[len(cfgFpaths)-1]))
++	err = cfg.DevicesParsedConfig.LoadPEMs(filepath.Dir(cfgFpaths[len(cfgFpaths)-1]))
  	if err != nil {
  		server.BootLogFatalf("reading config: %v", err)
+ 	}
@@ -95,7 +95,7 @@
  		})
  	})
  	handler := api.PanicTo500Handler(mux, logger)
--	go server.HTTPServeRunner(nil, handler, &cfg.HTTPServeParsedConfig)()
++	go server.HTTPServeRunner(nil, handler, &cfg.HTTPServeParsedConfig, nil)()
  	// listen for device connections
  	server.DevicesRunner(lst, func(conn net.Conn) error {
  		track := session.NewTracker(logger)
 === modified file 'server/listener/listener.go'
 --- server/listener/listener.go	2014-03-06 19:21:44 +0000
 +++ server/listener/listener.go	2014-09-04 19:21:18 +0000
@@ -30,10 +30,8 @@
  type DeviceListenerConfig interface {
  	// Addr to listen on.
  	Addr() string
--	// TLS key
--	KeyPEMBlock() []byte
--	// TLS cert
--	CertPEMBlock() []byte
++	// TLS config
++	TLSServerConfig() *tls.Config
+ }
  // DeviceListener listens and setup sessions from device connections.
@@ -52,15 +50,8 @@
  			return nil, err
+ 		}
+ 	}
--	cert, err := tls.X509KeyPair(cfg.CertPEMBlock(), cfg.KeyPEMBlock())
--	if err != nil {
--		return nil, err
--	}
--	tlsCfg := &tls.Config{
--		Certificates:           []tls.Certificate{cert},
--		SessionTicketsDisabled: true,
--	}
--	return &DeviceListener{tls.NewListener(lst, tlsCfg)}, err
++	tlsCfg := cfg.TLSServerConfig()
++	return &DeviceListener{tls.NewListener(lst, tlsCfg)}, nil
+ }
  // handleTemporary checks and handles if the error is just a temporary network
 === modified file 'server/listener/listener_test.go'
 --- server/listener/listener_test.go	2014-08-04 14:47:00 +0000
 +++ server/listener/listener_test.go	2014-09-04 19:21:18 +0000
@@ -18,7 +18,6 @@
  import (
  	"crypto/tls"
--	"crypto/x509"
  	"net"
  	"os/exec"
  	"regexp"
@@ -68,12 +67,8 @@
  	return cfg.addr
+ }
--func (cfg *testDevListenerCfg) KeyPEMBlock() []byte {
--	return helpers.TestKeyPEMBlock
--}
--
--func (cfg *testDevListenerCfg) CertPEMBlock() []byte {
--	return helpers.TestCertPEMBlock
++func (cfg *testDevListenerCfg) TLSServerConfig() *tls.Config {
++	return helpers.TestTLSServerConfig
+ }
  func (s *listenerSuite) TestDeviceListen(c *C) {
@@ -130,11 +125,8 @@
  	return err
+ }
--func testTlsDial(c *C, addr string) (net.Conn, error) {
--	cp := x509.NewCertPool()
--	ok := cp.AppendCertsFromPEM((&testDevListenerCfg{}).CertPEMBlock())
--	c.Assert(ok, Equals, true)
--	return tls.Dial("tcp", addr, &tls.Config{RootCAs: cp})
++func testTlsDial(addr string) (net.Conn, error) {
++	return tls.Dial("tcp", addr, helpers.TestTLSClientConfig)
+ }
  func testWriteByte(c *C, conn net.Conn, toWrite uint32) {
@@ -159,11 +151,11 @@
  		errCh <- lst.AcceptLoop(testSession, s.testlog)
  	}()
  	listenerAddr := lst.Addr().String()
--	conn1, err := testTlsDial(c, listenerAddr)
++	conn1, err := testTlsDial(listenerAddr)
  	c.Assert(err, IsNil)
  	defer conn1.Close()
  	testWriteByte(c, conn1, '1')
--	conn2, err := testTlsDial(c, listenerAddr)
++	conn2, err := testTlsDial(listenerAddr)
  	c.Assert(err, IsNil)
  	defer conn2.Close()
  	testWriteByte(c, conn2, '2')
@@ -203,7 +195,7 @@
  	res, err := cmd.Output()
  	c.Assert(err, IsNil)
  	c.Assert(string(res), Matches, "(?s).*timed out.*")
--	conn2, err := testTlsDial(c, listenerAddr)
++	conn2, err := testTlsDial(listenerAddr)
  	c.Assert(err, IsNil)
  	defer conn2.Close()
  	testWriteByte(c, conn2, '2')
@@ -225,7 +217,7 @@
  		}, s.testlog)
  	}()
  	listenerAddr := lst.Addr().String()
--	_, err = testTlsDial(c, listenerAddr)
++	_, err = testTlsDial(listenerAddr)
  	c.Assert(err, Not(IsNil))
  	lst.Close()
  	c.Check(<-errCh, ErrorMatches, ".*use of closed.*")
@@ -244,7 +236,7 @@
  	}()
  	listenerAddr := lst.Addr().String()
  	c.Check(listenerAddr, Equals, foreignLst.Addr().String())
--	conn1, err := testTlsDial(c, listenerAddr)
++	conn1, err := testTlsDial(listenerAddr)
  	c.Assert(err, IsNil)
  	defer conn1.Close()
  	testWriteByte(c, conn1, '1')
 === modified file 'server/runner_devices.go'
 --- server/runner_devices.go	2014-03-12 12:34:18 +0000
 +++ server/runner_devices.go	2014-09-04 19:21:18 +0000
@@ -17,7 +17,6 @@
  package server
  import (
--	"fmt"
  	"net"
  	"syscall"
  	"time"
@@ -36,26 +35,8 @@
  	ParsedSessionQueueSize config.ConfigQueueSize `json:"session_queue_size"`
  	ParsedBrokerQueueSize  config.ConfigQueueSize `json:"broker_queue_size"`
  	// device listener configuration
--	ParsedAddr        config.ConfigHostPort `json:"addr"`
--	ParsedKeyPEMFile  string                `json:"key_pem_file"`
--	ParsedCertPEMFile string                `json:"cert_pem_file"`
--	// private post-processed config
--	certPEMBlock []byte
--	keyPEMBlock  []byte
--}
--
--func (cfg *DevicesParsedConfig) FinishLoad(baseDir string) error {
--	keyPEMBlock, err := config.LoadFile(cfg.ParsedKeyPEMFile, baseDir)
--	if err != nil {
--		return fmt.Errorf("reading key_pem_file: %v", err)
--	}
--	certPEMBlock, err := config.LoadFile(cfg.ParsedCertPEMFile, baseDir)
--	if err != nil {
--		return fmt.Errorf("reading cert_pem_file: %v", err)
--	}
--	cfg.keyPEMBlock = keyPEMBlock
--	cfg.certPEMBlock = certPEMBlock
--	return nil
++	ParsedAddr config.ConfigHostPort `json:"addr"`
++	TLSParsedConfig
+ }
  func (cfg *DevicesParsedConfig) PingInterval() time.Duration {
@@ -78,14 +59,6 @@
  	return cfg.ParsedAddr.HostPort()
+ }
--func (cfg *DevicesParsedConfig) KeyPEMBlock() []byte {
--	return cfg.keyPEMBlock
--}
--
--func (cfg *DevicesParsedConfig) CertPEMBlock() []byte {
--	return cfg.certPEMBlock
--}
--
  // DevicesRunner returns a function to accept device connections.
  // If adoptLst is not nil it will be used as the underlying listener, instead
  // of creating one, wrapped in a TLS layer.
 === modified file 'server/runner_http.go'
 --- server/runner_http.go	2014-03-25 19:02:18 +0000
 +++ server/runner_http.go	2014-09-04 19:21:18 +0000
@@ -17,6 +17,7 @@
  package server
  import (
++	"crypto/tls"
  	"net"
  	"net/http"
@@ -32,7 +33,8 @@
  // HTTPServeRunner returns a function to serve HTTP requests.
  // If httpLst is not nil it will be used as the underlying listener.
--func HTTPServeRunner(httpLst net.Listener, h http.Handler, parsedCfg *HTTPServeParsedConfig) func() {
++// If tlsCfg is not nit server over TLS with the config.
++func HTTPServeRunner(httpLst net.Listener, h http.Handler, parsedCfg *HTTPServeParsedConfig, tlsCfg *tls.Config) func() {
  	if httpLst == nil {
  		var err error
  		httpLst, err = net.Listen("tcp", parsedCfg.ParsedHTTPAddr.HostPort())
@@ -46,6 +48,9 @@
  		ReadTimeout:  parsedCfg.ParsedHTTPReadTimeout.TimeDuration(),
  		WriteTimeout: parsedCfg.ParsedHTTPWriteTimeout.TimeDuration(),
+ 	}
++	if tlsCfg != nil {
++		httpLst = tls.NewListener(httpLst, tlsCfg)
++	}
  	return func() {
  		err := srv.Serve(httpLst)
  		if err != nil {
 === modified file 'server/runner_test.go'
 --- server/runner_test.go	2014-03-25 19:02:18 +0000
 +++ server/runner_test.go	2014-09-04 19:21:18 +0000
@@ -17,6 +17,7 @@
  package server
  import (
++	"crypto/tls"
  	"fmt"
  	"io/ioutil"
  	"net"
@@ -68,7 +69,7 @@
  func (s *runnerSuite) TestHTTPServeRunner(c *C) {
  	errCh := make(chan interface{}, 1)
  	h := http.HandlerFunc(testHandle)
--	runner := HTTPServeRunner(nil, h, &testHTTPServeParsedConfig)
++	runner := HTTPServeRunner(nil, h, &testHTTPServeParsedConfig, nil)
  	c.Assert(s.lst, Not(IsNil))
  	defer s.lst.Close()
  	c.Check(s.kind, Equals, "http")
@@ -89,16 +90,25 @@
  	c.Check(<-errCh, Matches, "accepting http connections:.*closed.*")
+ }
++func cert() tls.Certificate {
++	cert, err := tls.X509KeyPair(helpers.TestCertPEMBlock, helpers.TestKeyPEMBlock)
++	if err != nil {
++		panic(err)
++	}
++	return cert
++}
++
  var testDevicesParsedConfig = DevicesParsedConfig{
  	ParsedPingInterval:     config.ConfigTimeDuration{60 * time.Second},
  	ParsedExchangeTimeout:  config.ConfigTimeDuration{10 * time.Second},
  	ParsedBrokerQueueSize:  config.ConfigQueueSize(1000),
  	ParsedSessionQueueSize: config.ConfigQueueSize(10),
  	ParsedAddr:             "127.0.0.1:0",
--	ParsedKeyPEMFile:       "",
--	ParsedCertPEMFile:      "",
--	keyPEMBlock:            helpers.TestKeyPEMBlock,
--	certPEMBlock:           helpers.TestCertPEMBlock,
++	TLSParsedConfig: TLSParsedConfig{
++		ParsedKeyPEMFile:  "",
++		ParsedCertPEMFile: "",
++		cert:              cert(),
++	},
+ }
  func (s *runnerSuite) TestDevicesRunner(c *C) {
@@ -135,7 +145,36 @@
  	lst0, err := net.Listen("tcp", "127.0.0.1:0")
  	c.Assert(err, IsNil)
  	defer lst0.Close()
--	HTTPServeRunner(lst0, nil, &testHTTPServeParsedConfig)
++	HTTPServeRunner(lst0, nil, &testHTTPServeParsedConfig, nil)
  	c.Assert(s.lst, Equals, lst0)
  	c.Check(s.kind, Equals, "http")
+ }
++
++func (s *runnerSuite) TestHTTPServeRunnerTLS(c *C) {
++	errCh := make(chan interface{}, 1)
++	h := http.HandlerFunc(testHandle)
++	runner := HTTPServeRunner(nil, h, &testHTTPServeParsedConfig, helpers.TestTLSServerConfig)
++	c.Assert(s.lst, Not(IsNil))
++	defer s.lst.Close()
++	c.Check(s.kind, Equals, "http")
++	go func() {
++		defer func() {
++			errCh <- recover()
++		}()
++		runner()
++	}()
++	cli := http.Client{
++		Transport: &http.Transport{
++			TLSClientConfig: helpers.TestTLSClientConfig,
++		},
++	}
++	resp, err := cli.Get(fmt.Sprintf("https://%s/", s.lst.Addr()))
++	c.Assert(err, IsNil)
++	defer resp.Body.Close()
++	c.Assert(resp.StatusCode, Equals, 200)
++	body, err := ioutil.ReadAll(resp.Body)
++	c.Assert(err, IsNil)
++	c.Check(string(body), Equals, "yay!\n")
++	s.lst.Close()
++	c.Check(<-errCh, Matches, "accepting http connections:.*closed.*")
++}
 === added file 'server/tlsconfig.go'
 --- server/tlsconfig.go	1970-01-01 00:00:00 +0000
 +++ server/tlsconfig.go	2014-09-04 19:21:18 +0000
@@ -0,0 +1,53 @@
++/*
++ Copyright 2013-2014 Canonical Ltd.
++
++ This program is free software: you can redistribute it and/or modify it
++ under the terms of the GNU General Public License version 3, as published
++ by the Free Software Foundation.
++
++ This program is distributed in the hope that it will be useful, but
++ WITHOUT ANY WARRANTY; without even the implied warranties of
++ MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
++ PURPOSE.  See the GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License along
++ with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++package server
++
++import (
++	"crypto/tls"
++	"fmt"
++
++	"launchpad.net/ubuntu-push/config"
++)
++
++// A TLSParsedConfig holds and can be used to parse a tls server config.
++type TLSParsedConfig struct {
++	ParsedKeyPEMFile  string `json:"key_pem_file"`
++	ParsedCertPEMFile string `json:"cert_pem_file"`
++	// private post-processed config
++	cert tls.Certificate
++}
++
++func (cfg *TLSParsedConfig) LoadPEMs(baseDir string) error {
++	keyPEMBlock, err := config.LoadFile(cfg.ParsedKeyPEMFile, baseDir)
++	if err != nil {
++		return fmt.Errorf("reading key_pem_file: %v", err)
++	}
++	certPEMBlock, err := config.LoadFile(cfg.ParsedCertPEMFile, baseDir)
++	if err != nil {
++		return fmt.Errorf("reading cert_pem_file: %v", err)
++	}
++	cfg.cert, err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
++	return err
++}
++
++func (cfg *TLSParsedConfig) TLSServerConfig() *tls.Config {
++	tlsCfg := &tls.Config{
++		Certificates:           []tls.Certificate{cfg.cert},
++		SessionTicketsDisabled: true,
++	}
++	return tlsCfg
++}
 === modified file 'testing/tls.go'
 --- testing/tls.go	2014-01-21 21:36:07 +0000
 +++ testing/tls.go	2014-09-04 19:21:18 +0000
@@ -16,26 +16,53 @@
  package testing
--// key&cert generated with go run /usr/lib/go/src/pkg/crypto/tls/generate_cert.go -ca -host localhost -rsa-bits 512 -duration 87600h
++import (
++	"crypto/tls"
++	"crypto/x509"
++)
++
++// key&cert generated with go run /usr/lib/go/src/pkg/crypto/tls/generate_cert.go -ca -host push-delivery -rsa-bits 512 -duration 87600h
  var (
  	TestKeyPEMBlock = []byte(`-----BEGIN RSA PRIVATE KEY-----
--MIIBPAIBAAJBAPw+niki17X2qALE2A2AzE1q5dvK9CI4OduRtT9IgbFLC6psqAT2
--1NA+QbY17nWSSpyP65zkMkwKXrbDzstwLPkCAwEAAQJAKwXbIBULScP6QA6m8xam
--wgWbkvN41GVWqPafPV32kPBvKwSc+M1e+JR7g3/xPZE7TCELcfYi4yXEHZZI3Pbh
--oQIhAP/UsgJbsfH1GFv8Y8qGl5l/kmwwkwHhuKvEC87Yur9FAiEA/GlQv3ZfaXnT
--lcCFT0aL02O0RDiRYyMUG/JAZQJs6CUCIQCHO5SZYIUwxIGK5mCNxxXOAzyQSiD7
--hqkKywf+4FvfDQIhALa0TLyqJFom0t7c4iIGAIRc8UlIYQSPiajI64+x9775AiEA
--0v4fgSK/Rq059zW1753JjuB6aR0Uh+3RqJII4dUR1Wg=
++MIIBOgIBAAJBANRU+pZKMNHpMvg549meJ060xQ4HCjrfVq+AeIER9W1pkaknDj8c
++hwOWKHTeztcPF/LHVpKPabn+fSNbFlq+SzcCAwEAAQJBAIOO+4xu/3yv/rKqO7C0
++Oyqa+pVMa1w60R0AfqmKFQTqiTgevM77uqjpW1+t0hpK20nyj6MUIPaL+9kZgp7t
++mnECIQDqw79PXSzudf10XGy9ve5bRazINHxQYgJ7FvlTT6JhdQIhAOeJxq9zcKni
++69ueO1ualz0hn8w6uHPsG9FlZ8C+7Jh7AiAWJgebjjfZ+4nA+6NKt2uQct9dOA5u
++awC+6ij1ojK4rQIgNEqAbcWDj0qpe8sLms+aEntSjJxCZiPP0IW3XeeApZsCIDwo
++x+YyxXQWJlf9L5TNYPRo+KFEdk3Cew0lv6QNs+xe
  -----END RSA PRIVATE KEY-----`)
  	TestCertPEMBlock = []byte(`-----BEGIN CERTIFICATE-----
  MIIBYzCCAQ+gAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD
--bzAeFw0xMzEyMTkyMDU1NDNaFw0yMzEyMTcyMDU1NDNaMBIxEDAOBgNVBAoTB0Fj
--bWUgQ28wWjALBgkqhkiG9w0BAQEDSwAwSAJBAPw+niki17X2qALE2A2AzE1q5dvK
--9CI4OduRtT9IgbFLC6psqAT21NA+QbY17nWSSpyP65zkMkwKXrbDzstwLPkCAwEA
--AaNUMFIwDgYDVR0PAQH/BAQDAgCkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1Ud
--EwEB/wQFMAMBAf8wGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMAsGCSqGSIb3
--DQEBBQNBAFqiVI+Km2XPSO+pxITaPvhmuzg+XG3l1+2di3gL+HlDobocjBqRctRU
--YySO32W07acjGJmCHUKpCJuq9X8hpmk=
++bzAeFw0xNDA4MjkxMjQyMDFaFw0yNDA4MjYxMjQyMDFaMBIxEDAOBgNVBAoTB0Fj
++bWUgQ28wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1FT6lkow0eky+Dnj2Z4nTrTF
++DgcKOt9Wr4B4gRH1bWmRqScOPxyHA5YodN7O1w8X8sdWko9puf59I1sWWr5LNwID
++AQABo1IwUDAOBgNVHQ8BAf8EBAMCAKQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYD
++VR0TAQH/BAUwAwEB/zAYBgNVHREEETAPgg1wdXNoLWRlbGl2ZXJ5MAsGCSqGSIb3
++DQEBBQNBABtWCdMFkhIO8+oM3vugOWle9WJZ1FCRWD+cMl76mI1lhmNF4lvEZG47
++xUjekA1+heU39WpOEzZSybrOdiEaGbI=
  -----END CERTIFICATE-----`)
+ )
++
++// test tls server & client config
++var TestTLSServerConfig, TestTLSClientConfig *tls.Config
++
++func init() {
++	cert, err := tls.X509KeyPair(TestCertPEMBlock, TestKeyPEMBlock)
++	if err != nil {
++		panic(err)
++	}
++	TestTLSServerConfig = &tls.Config{
++		Certificates: []tls.Certificate{cert},
++	}
++	cp := x509.NewCertPool()
++	ok := cp.AppendCertsFromPEM(TestCertPEMBlock)
++	if !ok {
++		panic("failed to parse test cert")
++	}
++	TestTLSClientConfig = &tls.Config{
++		RootCAs:    cp,
++		ServerName: "push-delivery",
++	}
++}