diff --git a/Makefile.am b/Makefile.am
index 557dc52d..68838231 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,6 @@
 EXTRA_DIST = m4/lib-link.m4 LICENSE
 
-SUBDIRS = gl libopts src doc
+SUBDIRS = gl libopts src doc tests
 
 ACLOCAL_AMFLAGS = -I gl/m4 -I libopts/m4 -I m4
 
diff --git a/build-aux/depcomp b/build-aux/depcomp
index 06b0882d..4ebd5b3a 100755
--- a/build-aux/depcomp
+++ b/build-aux/depcomp
@@ -1,7 +1,7 @@
 #! /bin/sh
 # depcomp - compile a program generating dependencies as side-effects
 
-scriptversion=2012-10-18.11; # UTC
+scriptversion=2013-05-30.07; # UTC
 
 # Copyright (C) 1999-2013 Free Software Foundation, Inc.
 
@@ -552,6 +552,7 @@ $ {
   G
   p
 }' >> "$depfile"
+  echo >> "$depfile" # make sure the fragment doesn't end with a backslash
   rm -f "$tmpdepfile"
   ;;
 
diff --git a/build-aux/test-driver b/build-aux/test-driver
new file mode 100755
index 00000000..32bf39e8
--- /dev/null
+++ b/build-aux/test-driver
@@ -0,0 +1,127 @@
+#! /bin/sh
+# test-driver - basic testsuite driver script.
+
+scriptversion=2012-06-27.10; # UTC
+
+# Copyright (C) 2011-2013 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+# Make unconditional expansion of undefined variables an error.  This
+# helps a lot in preventing typo-related bugs.
+set -u
+
+usage_error ()
+{
+  echo "$0: $*" >&2
+  print_usage >&2
+  exit 2
+}
+
+print_usage ()
+{
+  cat <<END
+Usage:
+  test-driver --test-name=NAME --log-file=PATH --trs-file=PATH
+              [--expect-failure={yes|no}] [--color-tests={yes|no}]
+              [--enable-hard-errors={yes|no}] [--] TEST-SCRIPT
+The '--test-name', '--log-file' and '--trs-file' options are mandatory.
+END
+}
+
+# TODO: better error handling in option parsing (in particular, ensure
+# TODO: $log_file, $trs_file and $test_name are defined).
+test_name= # Used for reporting.
+log_file=  # Where to save the output of the test script.
+trs_file=  # Where to save the metadata of the test run.
+expect_failure=no
+color_tests=no
+enable_hard_errors=yes
+while test $# -gt 0; do
+  case $1 in
+  --help) print_usage; exit $?;;
+  --version) echo "test-driver $scriptversion"; exit $?;;
+  --test-name) test_name=$2; shift;;
+  --log-file) log_file=$2; shift;;
+  --trs-file) trs_file=$2; shift;;
+  --color-tests) color_tests=$2; shift;;
+  --expect-failure) expect_failure=$2; shift;;
+  --enable-hard-errors) enable_hard_errors=$2; shift;;
+  --) shift; break;;
+  -*) usage_error "invalid option: '$1'";;
+  esac
+  shift
+done
+
+if test $color_tests = yes; then
+  # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'.
+  red='[0;31m' # Red.
+  grn='[0;32m' # Green.
+  lgn='[1;32m' # Light green.
+  blu='[1;34m' # Blue.
+  mgn='[0;35m' # Magenta.
+  std='[m'     # No color.
+else
+  red= grn= lgn= blu= mgn= std=
+fi
+
+do_exit='rm -f $log_file $trs_file; (exit $st); exit $st'
+trap "st=129; $do_exit" 1
+trap "st=130; $do_exit" 2
+trap "st=141; $do_exit" 13
+trap "st=143; $do_exit" 15
+
+# Test script is run here.
+"$@" >$log_file 2>&1
+estatus=$?
+if test $enable_hard_errors = no && test $estatus -eq 99; then
+  estatus=1
+fi
+
+case $estatus:$expect_failure in
+  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
+  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
+  77:*)  col=$blu res=SKIP  recheck=no  gcopy=yes;;
+  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
+  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
+  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
+esac
+
+# Report outcome to console.
+echo "${col}${res}${std}: $test_name"
+
+# Register the test result, and other relevant metadata.
+echo ":test-result: $res" > $trs_file
+echo ":global-test-result: $res" >> $trs_file
+echo ":recheck: $recheck" >> $trs_file
+echo ":copy-in-global-log: $gcopy" >> $trs_file
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/configure.ac b/configure.ac
index 8a8dc31c..e8da5ec0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -152,6 +152,7 @@ AC_CONFIG_FILES([
 	src/pcl/Makefile
 	doc/Makefile
 	gl/Makefile
+	tests/Makefile
 ])
 AC_OUTPUT
 
diff --git a/tests/Makefile.am b/tests/Makefile.am
new file mode 100644
index 00000000..f998c55e
--- /dev/null
+++ b/tests/Makefile.am
@@ -0,0 +1,6 @@
+EXTRA_DIST = ca-key.pem ca.pem common.sh server-cert.pem server-key.pem test1.config \
+	test1.passwd test2.config user-cert.pem user-key.pem
+
+dist_check_SCRIPTS = test1 test2
+
+TESTS = test1 test2
diff --git a/tests/ca-key.pem b/tests/ca-key.pem
new file mode 100644
index 00000000..9bd07541
--- /dev/null
+++ b/tests/ca-key.pem
@@ -0,0 +1,55 @@
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIFfgIBAAKCATEAtGsnmCWvwf8eyrB+9Ni87UOGZ1Rd2rQewpBfgzwCEfwTcoWy
+iKRlQQt2XyO+ip/+eUtzOy7HSzy/FsmXVTUX86FySzDC4CeUEvNWAObOgksRXaQe
+m/r6uRsqTRi1uqXmDMeoqKFtqoiE3JYOsmwcNarnx5Q9+dXHwqINS7NuevcIX8UJ
+zRWTGveY3ypMZokk7R/QFmOBZaVYO6HNJWKbmYFUCBcY7HwvCKI7KFcynRdHCob7
+YrFBmeb73qjqIH7zG+666pohZCmS8q1z5RkFnTdT4hGfGF8iuuKLDQCMni+nhz1A
+vkqipZIIDC5hwFh8mpnh1qyDOSXPPhvt66NtncvFON7Bx26bNBS+MD6CkB65Spp2
+5O8zDEaiMXL2w2EL+KpnifSl5XY3oSmfgHmqdQIDAQABAoIBMQCAiid3esIx0PW7
+KuwIvbI8yHMlgzIq81FHBV1HPqWq8pFYcnC0cYvCP8xiFDFYyoyfFmZOsBFFRU5P
+iejLyDv8U/X+JAtzcD9LERshIU/X/Guu75LvRm0DHJuSuhwfkrrIOCetnPVpHkKq
+di6aZ/PhOJZR1wggy3K69IHMgVYhPYc11EgbWVepSuYbeSNdmjA40QWMLfCu3V65
+SwpX0+LnFVc1eJmFrE5wYNe0pomce4J3FWsn8Yu3G5EumWV50KOGKSLklSd+pTdu
+VSxwQMRQn9oKBx3zgyr16PlhJkR4+Q+PA4WIN/IYIUV9SxfsMaij7wgLpxXLxJdM
+3gvxi36pv/Pkax6IdNKRXss4dzd8LBUy3uUKu23TxTCkDrW04MPrN7rRqlh1jvBw
+6KihBoEBAoGZAO02FxxbPPTRVFxjFHgV6EFSSvhPeEkRagoV9o6fn1N3kWTS08fl
+xKO1NDtFYCoZSnbRdgomrMinsYIukrLUQu1TKMrhJ1RDyZfRtfZT429k9iptXq87
+5hVtirC+QoePF+SYwenwvKO7qapODb8COagg6ds1lySj5IuzqVYFV68yyZUP+Flp
+MHn0YFWJF42UV6sSvuGqfuYlAoGZAMK1e+7cRZFnp/zIbgeYG8Ss+vQKgpeuyDJv
+qclkD7HztouQgCw791vMgaXW9y+Rgdkced7eheqI8RGenHbKGifNVQD3Mbl8mkEN
+pu8eVqbOX758fHZz0Iaum3ZWrkSihNpuUcl4dZRz5NfOdxPmltrJCI+7uHOMztzH
+oMu6gQhh+F3lSDUpHdvhWvIshZQu9EbyxFfNyDoRAoGZAILZPoBW19YYDlf0E5t2
+QiqeMVqtw6VSpNKxcNMVu/Z300zxev8egIzpbMlxKG2wi8HlIx7QXKlGz4UHGcbp
+jY2KPMtEzcQOrIpBlQUvGxscbynSMNOqz+1sAoAiQ2KxjTV9CiJ4uCX9Y8bczXpa
+yOE0Xqub8Sa1/WEOls8rnUW4VzgRmiX//0yWf/lO6R4hAQcODRtASEW9AoGZAJ6/
+ixkXfJztr3gZDiSg7tru0fjQ7OKwvUbp5btuGqHS+51UpjvqdGXjGj1VQ9oDv6N9
+ZRvBv9uV5T6hXB457xNOhSSxZlg98CJj+BvzV2DO2B8drfiBup1klRnp2FHbU4gn
+9ATYcr0jtIwDKPEPyyT8TT+rJNsJDcvR8xbHq9Zi0jXz72hwaojQdu8GP66ujbme
+y1hvTfWRAoGZALNT3AbF9EDnJmZlS30MWtBggw83UhszC8XN2tY30AsvsDOS6a0F
+/aQ45EKyCvnqtsCOmB6giDsKRaVncp6lIHSH4kHKT7UvlKadWDW5CNWGR3puoHLk
+UVhyNvBTKo6lPqXqUsVxp16TKeeQKF+DuYuuNZN3pXXsHTiHkRMDCRVEqz7UnZEc
+/Bq/Kh2aOkelkX2S27QzTZGL
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDtDCCAmygAwIBAgIETeC0yjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5H
+bnVUTFMgVGVzdCBDQTAeFw0xMTA1MjgwODM5MzlaFw0zODEwMTIwODM5NDBaMC8x
+LTArBgNVBAMTJEdudVRMUyBUZXN0IFNlcnZlciAoUlNBIGNlcnRpZmljYXRlKTCC
+AVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/HsqwfvTYvO1D
+hmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJl1U1F/Oh
+ckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq
+58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mB
+VAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03
+U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b7eujbZ3L
+xTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUC
+AwEAAaOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAT
+BgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBR2
+B1hM6rUp9S2ABoyDSoINCeyT3jAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVVG45T
+AQPvzzANBgkqhkiG9w0BAQsFAAOCATEAdNWmTsh5uIfngyhOWwm7pK2+vgUMY8nH
+gMoMFHt0yuxuImcUMXu3LRS1dZSoCJACBpTFGi/Dg2U0qvOHQcEmc3OwNqHB90R3
+LG5jUSCtq/bYW7h/6Gd9KeWCgZczaHbQ9IPTjLH1dLswVPt+fXKB6Eh0ggSrGATE
+/wRZT/XgDCW8t4C+2+TmJ8ZEzvU87KAPQ9rUBS1+p3EUAR/FfMApApsEig1IZ+ZD
+5joaGBW7zh1H0B9mEKidRvD7yuRJyzAcvD25nT15NLW0QR3dEeXosLc720xxJl1h
+h8NJ7YOvn323mOjR9er4i4D6iJlXmJ8tvN9vakCankWvBzb7plFn2sfMQqICFpRc
+w075D8hdQxfpGffL2tEeKSgjyNHXS7x3dFhUpN3IQjUi2x4f2e/ZXg==
+-----END CERTIFICATE-----
diff --git a/tests/ca.pem b/tests/ca.pem
new file mode 100644
index 00000000..c4058ee0
--- /dev/null
+++ b/tests/ca.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
+QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD
+EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw
+fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ
+l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW
+DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh
+zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt
+c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b
+7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep
+n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA
+MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC
+ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT
+z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP
+g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX
+ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk
+x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH
+yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg
+fJbi9Ui2FmXEeKkX34f1ONNj9Q==
+-----END CERTIFICATE-----
diff --git a/tests/common.sh b/tests/common.sh
new file mode 100644
index 00000000..257c4db2
--- /dev/null
+++ b/tests/common.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Copyright (C) 2011-2012 Free Software Foundation, Inc.
+#
+# This file is part of GnuTLS.
+#
+# The launch_server() function was contributed by Cedric Arbogast.
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+fail() {
+   PID=$1
+   shift;
+   echo "Failure: $1" >&2
+   kill $PID
+   exit 1
+}
+
+launch_server() {
+       PARENT=$1;
+       shift;
+       $SERV $* >/dev/null 2>&1 &
+       LOCALPID="$!";
+       trap "[ ! -z \"${LOCALPID}\" ] && kill ${LOCALPID};" 15
+       wait "${LOCALPID}"
+       LOCALRET="$?"
+       if [ "${LOCALRET}" != "0" ] && [ "${LOCALRET}" != "143" ] ; then
+               # Houston, we'v got a problem...
+               echo "Failed to launch the server !"
+               test -z "${PARENT}" || kill -10 ${PARENT}
+               exit 1
+       fi
+}
+
+wait_server() {
+	trap "kill $1" 1 15 2
+	sleep 2
+}
+
+trap "fail \"Failed to launch the server, aborting test... \"" 10 
diff --git a/tests/server-cert.pem b/tests/server-cert.pem
new file mode 100644
index 00000000..4acde02b
--- /dev/null
+++ b/tests/server-cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
+QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD
+Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs
+PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8
+u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd
+YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ
+IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759
+KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5
+7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU
+yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL
+gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg
+ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0
+UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s
+9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9
+GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C
+zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/
+eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF
+FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j
+LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM
+zzJKdNg=
+-----END CERTIFICATE-----
diff --git a/tests/server-key.pem b/tests/server-key.pem
new file mode 100644
index 00000000..0de36f5e
--- /dev/null
+++ b/tests/server-key.pem
@@ -0,0 +1,165 @@
+Public Key Info:
+	Public Key Algorithm: RSA
+	Key Security Level: Normal (2432 bits)
+
+modulus:
+	00:a7:3a:2b:ec:3f:14:b0:2c:19:f6:f1:6e:90:1d:
+	bf:8e:a9:f6:e9:70:84:09:87:f3:50:f3:5f:c3:94:
+	50:fa:2c:64:d6:57:80:58:e1:96:fc:ee:d0:bd:04:
+	15:7e:5f:7f:a5:33:f8:fc:bb:91:ef:37:79:c3:5a:
+	db:f8:19:ed:03:af:22:d6:e9:37:2c:e8:53:c2:b7:
+	8b:2b:11:f0:a4:87:99:79:e0:ba:cc:99:66:e1:16:
+	09:15:94:de:5f:4e:aa:18:d2:59:dd:60:9c:76:5f:
+	c5:96:95:d4:63:78:bf:bc:13:b9:c5:51:c1:52:b5:
+	6a:e0:8b:d0:33:80:c1:6b:8e:c2:f8:a6:a9:7d:ed:
+	80:19:45:77:0c:a1:05:d5:8d:b4:66:cd:52:d9:21:
+	5b:a6:43:2e:dc:fa:d9:7b:12:ac:fc:97:1f:f1:4b:
+	fe:45:c7:db:48:46:e9:ea:35:2e:63:11:4b:3c:36:
+	7e:44:e8:5b:eb:68:07:32:f9:e2:34:81:74:c6:93:
+	be:7d:28:d3:d8:8a:c4:aa:02:e1:40:9a:6b:7f:5c:
+	34:d3:be:f3:a8:e9:da:40:b1:e5:ea:b5:1d:bf:2e:
+	36:49:58:e9:57:76:26:7f:ca:31:e0:e7:e4:4a:43:
+	97:6d:dd:d9:39:ee:50:08:58:44:7d:7a:02:0e:a3:
+	ff:86:02:4c:9e:93:46:49:e4:65:94:e9:5c:53:b0:
+	57:08:97:aa:32:dd:2e:c4:b4:1d:0d:08:83:3b:86:
+	f8:72:df:64:2b:27:96:54:c8:d9:dc:4d:27:fa:a8:
+	c5:68:79:d8:1d:
+
+public exponent:
+	01:00:01:
+
+private exponent:
+	79:2b:86:6d:fd:5b:41:38:03:6c:52:8e:59:70:a4:
+	bf:7b:da:44:55:d9:e6:8a:12:bd:22:4b:ce:8c:66:
+	8c:8f:a4:55:47:3b:e1:ab:3c:5b:73:b3:de:71:da:
+	1d:22:97:7c:1e:07:99:21:54:61:f0:61:93:32:ff:
+	d6:6a:fa:b9:43:aa:cb:ec:5a:a5:78:86:50:bd:eb:
+	e2:3e:72:8e:d5:0e:59:28:84:52:02:09:70:a9:25:
+	d5:f4:73:98:bd:88:34:ca:1e:81:71:22:8e:07:61:
+	45:76:b5:59:8a:41:eb:c6:a3:42:1d:b6:25:f6:fc:
+	45:4e:29:83:58:15:4e:99:38:1f:31:ab:f8:6a:21:
+	fa:ad:c1:d0:6d:d0:ab:67:ad:43:1c:1d:9e:e5:33:
+	e2:68:f9:e2:fa:d8:9a:e7:36:e0:20:8c:25:4d:e9:
+	17:95:4b:71:38:df:18:71:cd:e0:a0:7f:b2:58:fe:
+	8b:c0:1c:d2:96:4a:17:14:bf:1c:3b:e8:b5:54:2b:
+	8d:47:50:a7:77:56:61:a8:e3:79:dd:70:88:5f:89:
+	a1:f8:78:0d:47:ef:32:98:c1:47:88:d8:33:ed:95:
+	10:90:7f:f1:57:cb:2b:18:c9:58:a1:de:ef:1c:70:
+	5a:58:3c:86:3d:96:17:ad:9c:fd:0b:eb:d8:33:a4:
+	5f:7f:db:97:c0:78:b4:94:56:56:0a:83:b3:d3:02:
+	c6:6f:08:dc:0d:22:8f:2a:4b:25:7a:34:97:8e:63:
+	49:8a:39:d1:c1:1e:9b:93:41:c5:9c:b6:50:9e:ff:
+	7a:37:e4:c1:
+
+prime1:
+	00:cb:13:4a:a3:8f:ad:5c:63:89:30:f3:3b:eb:25:
+	85:d9:6c:ad:6d:50:f8:03:00:d3:1e:e3:ae:ad:54:
+	7a:9b:21:1a:72:18:a6:54:e4:32:58:8d:66:37:65:
+	8c:f7:8f:37:65:ec:f8:ef:2e:a9:c1:78:bb:04:90:
+	aa:fe:0a:f2:7c:80:82:32:c7:db:ef:bc:10:c6:ff:
+	e0:d4:2e:b9:3a:0e:cc:29:28:81:b8:41:78:37:80:
+	69:39:5e:97:44:36:d6:cd:39:af:14:c2:df:f3:67:
+	b7:d4:a7:49:da:f4:d3:ee:14:10:e4:5c:3f:4a:62:
+	52:81:34:d0:8e:f3:7e:d4:42:0a:34:e2:f9:a7:bc:
+	03:f9:c0:48:e8:9b:7f:da:08:ec:db:82:fd:a2:aa:
+	0f:5d:71:
+
+prime2:
+	00:d2:cf:2d:81:00:28:43:76:b3:76:10:3f:04:57:
+	63:94:fa:bb:08:6a:a2:7d:99:4b:0f:ad:76:11:da:
+	5c:2a:2b:33:0a:05:0d:f8:51:9a:4d:b3:40:4b:53:
+	63:c8:c1:96:45:c7:42:35:cf:05:cf:8a:e2:aa:bd:
+	dc:96:c0:fd:c8:c4:dc:4c:0b:1f:43:74:04:cf:13:
+	f5:fa:ea:b6:0d:82:92:8c:03:bd:e9:7b:b1:f2:d0:
+	df:fd:c5:1b:6e:66:b7:ce:f6:12:65:34:c8:15:01:
+	da:36:5e:f9:d8:ad:37:86:52:2b:ea:9f:f5:75:6b:
+	91:b3:01:6f:52:e9:e9:07:16:db:ba:65:e2:49:cc:
+	4f:70:11:39:5c:fa:d2:da:d4:0c:24:17:c4:68:6f:
+	d4:7f:6d:
+
+coefficient:
+	3b:96:f2:06:96:22:14:a2:fe:27:09:2f:43:b0:22:
+	a6:f4:ae:33:c2:f8:be:d5:03:96:7d:4a:d1:eb:7b:
+	9d:51:bd:77:1d:3f:79:ef:62:1d:c3:e9:c2:9a:53:
+	df:ec:33:9b:32:36:f6:e7:40:e8:6c:1b:16:3d:4e:
+	94:97:94:02:5d:cc:23:45:6b:53:8d:b8:7c:0e:24:
+	f9:5c:30:e4:e3:76:5b:f6:1f:74:3d:ca:e7:ef:a0:
+	1e:d3:c8:a2:54:d2:db:06:4b:0d:b0:b9:64:ca:dd:
+	68:44:51:d6:07:c5:ac:5b:e7:11:4b:76:b0:78:ba:
+	aa:b1:af:06:64:0d:27:1a:85:2d:a8:5a:c1:d7:c1:
+	2e:f6:ef:fe:f6:0d:d6:f1:18:fc:0b:14:b1:d7:76:
+	51:1b:
+
+exp1:
+	76:ce:d4:8e:18:92:ee:48:75:8d:23:e0:dc:53:d9:
+	99:38:d1:c5:f0:e7:08:aa:c4:d9:7f:8f:44:6c:f6:
+	46:27:f9:d6:e2:c0:fd:4d:7c:7e:fe:4a:dd:02:16:
+	95:07:3e:fb:ec:c6:3e:f8:e7:eb:fe:fc:3b:51:80:
+	18:9c:c2:fd:40:19:ec:27:ad:6e:f6:72:42:5a:95:
+	68:cd:e5:24:28:60:1d:7c:4b:58:47:45:54:03:56:
+	8c:6f:e0:c3:d1:e9:9d:ab:af:d8:cf:a2:42:3f:5d:
+	f7:95:df:c9:b0:0f:05:6c:cb:ed:2e:63:00:db:c1:
+	35:42:76:fa:0b:4f:1a:53:80:b1:2c:51:af:66:7a:
+	54:f5:c0:32:06:37:a8:92:2c:30:c8:d4:27:04:a3:
+	74:a1:
+
+exp2:
+	18:07:41:5a:88:d8:0e:08:83:a0:1b:6d:f3:62:ba:
+	99:0a:93:32:fc:64:95:08:5a:03:e9:73:a1:c9:4f:
+	e4:06:94:84:b9:da:c3:c9:19:5b:6d:e9:10:2c:eb:
+	1c:c0:e4:0e:04:0e:49:ef:d4:eb:b9:1a:e8:f7:47:
+	23:6f:cf:fd:88:62:cb:d0:20:ba:21:89:42:c9:35:
+	aa:6a:02:62:3b:d5:d4:5b:c0:d3:d2:23:90:57:ba:
+	90:44:5d:42:12:37:35:41:db:0a:ea:1f:3c:35:bf:
+	d7:9e:af:bf:c0:ce:a9:62:c8:5a:af:ec:dc:7b:6c:
+	5a:08:f9:d5:6b:90:02:1c:da:e2:be:26:32:df:34:
+	d6:c3:3f:d4:97:4a:5d:62:fa:17:4b:16:3a:09:35:
+	21:69:
+
+
+Public Key ID: A8:25:47:F6:8F:44:D6:35:1B:EF:6C:AC:D1:D7:B9:6E:84:F9:DF:A3
+Public key's random art:
++--[ RSA 2432]----+
+|            +    |
+|         . . =   |
+|      o o . . .  |
+|     o =     =  o|
+|    . + S   . O.o|
+|     = . o   * o.|
+|    .   . . . o. |
+|              .+.|
+|             Eo.=|
++-----------------+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIFegIBAAKCATEApzor7D8UsCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leA
+WOGW/O7QvQQVfl9/pTP4/LuR7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6
+zJlm4RYJFZTeX06qGNJZ3WCcdl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kap
+fe2AGUV3DKEF1Y20Zs1S2SFbpkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+
+ROhb62gHMvniNIF0xpO+fSjT2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjp
+V3Ymf8ox4OfkSkOXbd3ZOe5QCFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0u
+xLQdDQiDO4b4ct9kKyeWVMjZ3E0n+qjFaHnYHQIDAQABAoIBMHkrhm39W0E4A2xS
+jllwpL972kRV2eaKEr0iS86MZoyPpFVHO+GrPFtzs95x2h0il3weB5khVGHwYZMy
+/9Zq+rlDqsvsWqV4hlC96+I+co7VDlkohFICCXCpJdX0c5i9iDTKHoFxIo4HYUV2
+tVmKQevGo0IdtiX2/EVOKYNYFU6ZOB8xq/hqIfqtwdBt0KtnrUMcHZ7lM+Jo+eL6
+2JrnNuAgjCVN6ReVS3E43xhxzeCgf7JY/ovAHNKWShcUvxw76LVUK41HUKd3VmGo
+43ndcIhfiaH4eA1H7zKYwUeI2DPtlRCQf/FXyysYyVih3u8ccFpYPIY9lhetnP0L
+69gzpF9/25fAeLSUVlYKg7PTAsZvCNwNIo8qSyV6NJeOY0mKOdHBHpuTQcWctlCe
+/3o35MECgZkAyxNKo4+tXGOJMPM76yWF2WytbVD4AwDTHuOurVR6myEachimVOQy
+WI1mN2WM9483Zez47y6pwXi7BJCq/gryfICCMsfb77wQxv/g1C65Og7MKSiBuEF4
+N4BpOV6XRDbWzTmvFMLf82e31KdJ2vTT7hQQ5Fw/SmJSgTTQjvN+1EIKNOL5p7wD
++cBI6Jt/2gjs24L9oqoPXXECgZkA0s8tgQAoQ3azdhA/BFdjlPq7CGqifZlLD612
+EdpcKiszCgUN+FGaTbNAS1NjyMGWRcdCNc8Fz4riqr3clsD9yMTcTAsfQ3QEzxP1
++uq2DYKSjAO96Xux8tDf/cUbbma3zvYSZTTIFQHaNl752K03hlIr6p/1dWuRswFv
+UunpBxbbumXiScxPcBE5XPrS2tQMJBfEaG/Uf20CgZh2ztSOGJLuSHWNI+DcU9mZ
+ONHF8OcIqsTZf49EbPZGJ/nW4sD9TXx+/krdAhaVBz777MY++Ofr/vw7UYAYnML9
+QBnsJ61u9nJCWpVozeUkKGAdfEtYR0VUA1aMb+DD0emdq6/Yz6JCP133ld/JsA8F
+bMvtLmMA28E1Qnb6C08aU4CxLFGvZnpU9cAyBjeokiwwyNQnBKN0oQKBmBgHQVqI
+2A4Ig6AbbfNiupkKkzL8ZJUIWgPpc6HJT+QGlIS52sPJGVtt6RAs6xzA5A4EDknv
+1Ou5Guj3RyNvz/2IYsvQILohiULJNapqAmI71dRbwNPSI5BXupBEXUISNzVB2wrq
+Hzw1v9eer7/AzqliyFqv7Nx7bFoI+dVrkAIc2uK+JjLfNNbDP9SXSl1i+hdLFjoJ
+NSFpAoGYO5byBpYiFKL+JwkvQ7AipvSuM8L4vtUDln1K0et7nVG9dx0/ee9iHcPp
+wppT3+wzmzI29udA6GwbFj1OlJeUAl3MI0VrU424fA4k+Vww5ON2W/YfdD3K5++g
+HtPIolTS2wZLDbC5ZMrdaERR1gfFrFvnEUt2sHi6qrGvBmQNJxqFLahawdfBLvbv
+/vYN1vEY/AsUsdd2URs=
+-----END RSA PRIVATE KEY-----
diff --git a/tests/test1 b/tests/test1
new file mode 100755
index 00000000..ea1f8303
--- /dev/null
+++ b/tests/test1
@@ -0,0 +1,56 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+
+#this test can only be run as root
+id|grep root >/dev/null 2>&1
+if [ $? != 0 ];then
+	exit 77
+fi
+
+if ! test -x /usr/sbin/openconnect;then
+	echo "You need openconnect to run this test"
+	exit 77
+fi
+
+. ./common.sh
+
+echo "Testing local backend with username-password..."
+
+launch_server -d -f -c test1.config & PID=$!
+wait_server $PID
+
+echo "Connecting to obtain cookie..."
+( echo "test" | openconnect -q localhost:4443 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+	fail $PID "Could not receive cookie from server"
+
+echo "Connecting to obtain cookie with wrong password..."
+( echo "tost" | openconnect -q localhost:4443 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+	fail $PID "Received cookie when we shouldn't"
+
+#echo "Normal connection..."
+#( echo "test" | openconnect -q localhost:4443 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
+#	fail $PID "Could not connect to server"
+
+kill $PID
+wait
+
+exit 0
diff --git a/tests/test1.config b/tests/test1.config
new file mode 100644
index 00000000..30c58859
--- /dev/null
+++ b/tests/test1.config
@@ -0,0 +1,183 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+auth = "plain[./test1.passwd]"
+#auth = "pam"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4443
+udp-port = 4443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = ./server-cert.pem
+server-key = ./server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 172800
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = nogroup
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keywork local to advertize the local P-t-P address as DNS server
+# ipv4-dns = 192.168.2.1
+ipv4-dns = local
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address = 
+#ipv6-mask = 
+#ipv6-dns = 
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu = 
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. They are only available if the server is built 
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
diff --git a/tests/test1.passwd b/tests/test1.passwd
new file mode 100644
index 00000000..6e6faf17
--- /dev/null
+++ b/tests/test1.passwd
@@ -0,0 +1 @@
+test:tost:$5$i6SNmLDCgBNjyJ7q$SZ4bVJb7I/DLgXo3txHBVohRFBjOtdbxGQZp.DOnrA.
diff --git a/tests/test2 b/tests/test2
new file mode 100755
index 00000000..dfe9f502
--- /dev/null
+++ b/tests/test2
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+
+#this test can only be run as root
+id|grep root >/dev/null 2>&1
+if [ $? != 0 ];then
+	exit 77
+fi
+
+if ! test -x /usr/sbin/openconnect;then
+	echo "You need openconnect to run this test"
+	exit 77
+fi
+
+. ./common.sh
+
+echo "Testing local backend with username-password and certificate..."
+
+launch_server -d -f -c test2.config & PID=$!
+wait_server $PID
+
+echo -n "Connecting to obtain cookie (without certificate)..."
+( echo "test" | openconnect -q localhost:4443 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+	fail $PID "Connected without certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie (with certificate)..."
+( echo "test" | openconnect -q localhost:4443 --sslkey ./user-key.pem -c ./user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+	fail $PID "Could not connect with certificate!"
+
+echo ok
+
+
+#echo "Normal connection..."
+#( echo "test" | openconnect -q localhost:4443 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
+#	fail $PID "Could not connect to server"
+
+kill $PID
+wait
+
+exit 0
diff --git a/tests/test2.config b/tests/test2.config
new file mode 100644
index 00000000..b9de66e0
--- /dev/null
+++ b/tests/test2.config
@@ -0,0 +1,183 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+auth = "certificate"
+auth = "plain[./test1.passwd]"
+#auth = "pam"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4443
+udp-port = 4443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = ./server-cert.pem
+server-key = ./server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+ca-cert = ./ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 172800
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = nogroup
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keywork local to advertize the local P-t-P address as DNS server
+# ipv4-dns = 192.168.2.1
+ipv4-dns = local
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address = 
+#ipv6-mask = 
+#ipv6-dns = 
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu = 
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. They are only available if the server is built 
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
diff --git a/tests/user-cert.pem b/tests/user-cert.pem
new file mode 100644
index 00000000..ef5114cb
--- /dev/null
+++ b/tests/user-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
+QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD
+EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF
+AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw
+vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF
+Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0
+d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm
+RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd
+E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW
+Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB
+Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD
+VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4
+SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveOQ1xHPbA3jvfRhzVeD
+Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg
+MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg
+juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV
+NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF
+bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0
+dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g
+-----END CERTIFICATE-----
diff --git a/tests/user-key.pem b/tests/user-key.pem
new file mode 100644
index 00000000..00dee1a1
--- /dev/null
+++ b/tests/user-key.pem
@@ -0,0 +1,165 @@
+Public Key Info:
+	Public Key Algorithm: RSA
+	Key Security Level: Normal (2432 bits)
+
+modulus:
+	00:ab:54:98:fc:a9:c6:15:95:9d:a6:c1:94:84:94:
+	91:79:1e:78:db:2d:48:51:99:65:01:02:c0:40:52:
+	49:5d:eb:70:bc:26:ef:68:39:1e:04:91:e2:db:cb:
+	6f:93:40:45:1e:22:8e:71:5a:58:89:28:79:5e:1a:
+	32:25:3e:8b:9d:3b:34:7f:19:f8:d0:2f:37:b7:62:
+	32:b7:53:a5:43:2c:c5:5d:ec:ac:f9:35:fa:14:2b:
+	34:66:f1:d6:a7:a1:d0:83:9a:56:f4:19:83:bc:bf:
+	11:74:30:2d:a8:28:5b:a2:ab:7a:c6:cd:9c:5c:f8:
+	51:e9:a9:0c:48:db:71:bb:b1:34:77:f7:ee:de:5d:
+	78:c0:48:0a:37:0d:65:1e:3b:2b:14:03:89:72:f2:
+	52:ed:5f:00:c5:06:60:ea:80:20:d0:43:ec:66:bc:
+	d2:26:db:f0:29:3e:6a:f9:62:20:be:58:26:44:ba:
+	d7:8c:6f:76:a6:05:20:e4:98:b7:c4:72:7a:5d:df:
+	4f:0d:23:ec:2e:9c:71:ec:30:f9:14:5f:c8:75:0b:
+	ab:67:f6:7d:fb:4d:76:64:4a:a5:d5:fa:b4:08:50:
+	9d:13:c7:8f:c2:79:b0:b4:3e:2f:89:d3:33:27:4d:
+	9f:8b:d3:60:24:07:ab:b2:72:3d:29:a5:c4:4a:ec:
+	3c:04:d2:49:3e:26:1b:ec:7a:10:3d:ca:45:5a:80:
+	8b:4d:2a:96:63:4f:2d:63:28:0f:3b:47:47:ca:7c:
+	2c:15:41:32:d5:e0:c9:be:a5:55:2c:b3:6b:46:2a:
+	56:b1:1b:ed:29:
+
+public exponent:
+	01:00:01:
+
+private exponent:
+	5d:97:20:db:24:82:a8:57:ca:7e:c5:50:33:fc:54:
+	5b:2d:62:27:98:5c:e0:f6:42:4e:83:0a:32:18:c1:
+	2b:24:e9:b8:5e:2c:79:6a:7a:13:54:fd:ef:c2:f9:
+	78:1e:ab:a3:02:8d:7d:2e:35:1e:f7:95:14:ea:8a:
+	69:fd:f8:96:33:39:42:15:15:ed:e3:5d:34:37:d8:
+	2c:7c:ec:d1:fd:2a:f3:5b:ce:41:74:52:df:a1:9a:
+	46:81:e5:18:3d:34:82:2f:55:40:92:8f:7c:13:83:
+	9d:4c:94:24:3f:a7:8e:fc:cd:5c:bc:04:a6:64:9f:
+	9a:5c:55:f1:96:ae:52:31:42:d0:26:07:be:40:a1:
+	2d:a8:2c:ac:56:0c:de:ae:c3:a1:73:2d:2a:35:65:
+	47:74:b0:9b:70:b9:d8:ad:12:74:50:b3:00:fb:86:
+	72:d5:00:e8:02:b2:d1:e3:d5:87:3f:cc:b6:f3:26:
+	fe:25:c1:b5:59:bd:e0:c9:fa:d9:ba:47:f8:43:ea:
+	af:cf:4d:92:ae:db:9d:11:49:ec:50:33:2a:b6:44:
+	40:ac:06:c7:f6:64:2e:42:25:81:20:d5:f6:76:79:
+	b9:fb:bd:d2:c5:5d:f7:28:16:9d:cc:13:cd:d9:55:
+	e3:ca:c7:d2:38:f1:92:32:d6:ba:db:73:b6:dc:b6:
+	5f:66:89:e3:4c:9e:d6:b8:d2:01:ee:a8:d2:69:64:
+	dd:5c:1a:7e:4c:e4:1d:5b:37:94:29:3c:93:3d:43:
+	bb:33:8f:10:23:14:12:b0:33:24:58:c3:ae:97:4c:
+	3d:c5:c1:81:
+
+prime1:
+	00:c1:9c:0d:4e:aa:1b:2e:c4:14:e6:78:ed:0b:76:
+	90:af:da:3d:5e:15:6f:7d:9c:97:4d:71:a3:1d:6a:
+	47:94:25:20:9d:98:f4:d0:3b:d6:be:be:12:39:e7:
+	d7:82:3d:54:3d:f7:76:06:e2:ac:5d:e6:1f:34:fd:
+	bc:9d:9c:8b:f5:4f:83:89:8f:79:ea:9e:5e:a5:5c:
+	e9:b4:71:ae:59:43:ff:ec:03:f6:57:3c:d6:33:0b:
+	ba:4d:39:3f:90:62:b2:4f:af:e0:21:7a:5a:0f:93:
+	f4:fc:5f:ba:29:b9:af:67:18:3f:0e:23:3d:de:d9:
+	bc:47:ad:de:56:11:d1:e3:c0:7e:29:bb:67:ac:1b:
+	6a:af:5a:30:19:0c:14:49:af:db:1a:82:10:60:e1:
+	d1:98:dd:
+
+prime2:
+	00:e2:8a:9d:80:b5:29:33:06:44:d2:e3:77:bd:34:
+	3e:c0:df:98:cc:ab:f3:ba:73:3c:19:5c:d8:ed:c8:
+	22:bc:b9:8f:4f:1a:d8:0d:08:e2:e2:ca:e8:3c:13:
+	aa:23:1b:3d:75:d4:7c:e2:4e:cd:ca:d0:fc:b7:77:
+	70:57:54:e1:1c:22:a2:3e:0f:a7:59:c0:5a:4f:b1:
+	e8:62:55:85:07:7d:03:a4:8f:82:eb:2d:21:fc:cb:
+	d5:b7:3c:77:a5:9d:67:a6:ab:95:5d:1e:d3:a3:49:
+	78:9b:75:2c:07:e9:bd:ba:0f:66:69:7e:2e:50:2f:
+	76:5f:e9:28:f8:e1:c9:ce:77:4a:48:ee:92:d1:d5:
+	dc:29:2f:3f:29:7a:12:b0:d6:f9:8d:68:e4:82:45:
+	ec:3a:bd:
+
+coefficient:
+	00:82:d2:e4:3b:e3:aa:9e:99:75:0d:73:e4:e9:38:
+	f5:5e:73:e4:c2:3a:24:55:4e:ea:58:f7:2a:f2:0f:
+	ff:42:d7:e2:ef:49:d2:25:8d:86:02:a7:2b:c9:45:
+	1e:ee:a0:1c:60:58:3e:4c:bb:40:99:42:20:ff:c7:
+	3f:4e:68:8c:8b:f4:e8:41:fe:f4:79:00:a4:7e:64:
+	67:95:8e:bf:c3:45:28:dc:da:57:b9:aa:20:ac:66:
+	b0:c8:11:b2:9a:c2:60:ac:24:32:7f:17:e4:6c:dc:
+	24:43:56:22:50:86:29:a7:38:fb:4e:8c:e1:9a:c8:
+	42:a4:59:ab:49:32:bd:0b:65:30:37:06:95:29:63:
+	88:09:11:0b:0a:f3:34:82:f6:54:68:cc:71:e9:ea:
+	9f:48:0f:
+
+exp1:
+	78:8e:dc:b6:74:34:32:fd:c4:69:f3:38:e0:1f:77:
+	5f:19:4d:87:4d:5f:bc:5f:0a:d4:1d:83:cd:a8:45:
+	64:19:6e:62:d4:40:f5:7d:9d:6d:ee:db:58:95:66:
+	5b:e2:26:97:e3:84:ea:2a:b1:dc:52:94:72:21:e2:
+	16:5e:c9:c3:fa:3c:55:27:33:6a:86:2d:37:59:50:
+	e9:9c:b4:4d:3f:8b:98:02:ab:9d:8c:f3:70:9b:c7:
+	e9:98:51:5d:6e:27:cc:79:1e:de:99:da:84:c2:c4:
+	15:76:e2:6c:63:04:b6:f4:a1:27:03:88:de:40:c4:
+	fd:f9:65:6e:40:f0:6a:9a:8d:b5:1c:ce:24:9c:79:
+	e5:31:0a:ac:3e:1a:4f:fc:22:3a:32:6d:52:76:ab:
+	56:3d:
+
+exp2:
+	00:9b:74:5b:58:72:f8:6e:97:22:ab:44:84:6a:45:
+	6b:ba:96:b5:17:dd:f7:46:3e:c5:42:f2:3f:ba:0b:
+	d8:2a:81:7b:21:e1:5d:d8:b3:fc:5d:7c:b7:98:62:
+	36:22:19:13:37:c4:34:5e:67:8d:38:5b:e8:cf:4d:
+	1a:be:12:f4:d6:85:bd:a7:b0:be:3a:0c:90:ec:97:
+	3c:cc:1d:bb:47:c4:35:b7:ba:f3:2f:c6:ac:c7:f8:
+	68:13:71:5e:f9:3a:e6:61:ac:e4:b6:1d:ed:44:e3:
+	a9:eb:a3:a0:2f:5d:ea:5f:bf:29:9b:c2:86:ad:67:
+	a4:67:74:6c:35:3d:5b:6a:5e:d9:8e:ea:87:bd:8e:
+	6f:a1:a3:56:48:74:08:57:69:6d:9d:e8:18:c6:7c:
+	8c:fa:51:
+
+
+Public Key ID: 8B:01:09:4B:3B:91:EC:E3:21:B9:1D:EC:8D:6B:4C:5D:9E:40:80:5E
+Public key's random art:
++--[ RSA 2432]----+
+| o=o             |
+|..oE..           |
+|.+=.o            |
+|o.*....          |
+| * B +..S        |
+|. * o oo .       |
+| o .  . .        |
+|  +              |
+| .               |
++-----------------+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIFfAIBAAKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetwvCbv
+aDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzFXeys
++TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0d/fu
+3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgmRLrX
+jG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCdE8eP
+wnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqWY08t
+YygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABAoIBMF2XINskgqhXyn7F
+UDP8VFstYieYXOD2Qk6DCjIYwSsk6bheLHlqehNU/e/C+Xgeq6MCjX0uNR73lRTq
+imn9+JYzOUIVFe3jXTQ32Cx87NH9KvNbzkF0Ut+hmkaB5Rg9NIIvVUCSj3wTg51M
+lCQ/p478zVy8BKZkn5pcVfGWrlIxQtAmB75AoS2oLKxWDN6uw6FzLSo1ZUd0sJtw
+uditEnRQswD7hnLVAOgCstHj1Yc/zLbzJv4lwbVZveDJ+tm6R/hD6q/PTZKu250R
+SexQMyq2RECsBsf2ZC5CJYEg1fZ2ebn7vdLFXfcoFp3ME83ZVePKx9I48ZIy1rrb
+c7bctl9mieNMnta40gHuqNJpZN1cGn5M5B1bN5QpPJM9Q7szjxAjFBKwMyRYw66X
+TD3FwYECgZkAwZwNTqobLsQU5njtC3aQr9o9XhVvfZyXTXGjHWpHlCUgnZj00DvW
+vr4SOefXgj1UPfd2BuKsXeYfNP28nZyL9U+DiY956p5epVzptHGuWUP/7AP2VzzW
+Mwu6TTk/kGKyT6/gIXpaD5P0/F+6KbmvZxg/DiM93tm8R63eVhHR48B+KbtnrBtq
+r1owGQwUSa/bGoIQYOHRmN0CgZkA4oqdgLUpMwZE0uN3vTQ+wN+YzKvzunM8GVzY
+7cgivLmPTxrYDQji4sroPBOqIxs9ddR84k7NytD8t3dwV1ThHCKiPg+nWcBaT7Ho
+YlWFB30DpI+C6y0h/MvVtzx3pZ1npquVXR7To0l4m3UsB+m9ug9maX4uUC92X+ko
++OHJzndKSO6S0dXcKS8/KXoSsNb5jWjkgkXsOr0CgZh4jty2dDQy/cRp8zjgH3df
+GU2HTV+8XwrUHYPNqEVkGW5i1ED1fZ1t7ttYlWZb4iaX44TqKrHcUpRyIeIWXsnD
++jxVJzNqhi03WVDpnLRNP4uYAqudjPNwm8fpmFFdbifMeR7emdqEwsQVduJsYwS2
+9KEnA4jeQMT9+WVuQPBqmo21HM4knHnlMQqsPhpP/CI6Mm1SdqtWPQKBmQCbdFtY
+cvhulyKrRIRqRWu6lrUX3fdGPsVC8j+6C9gqgXsh4V3Ys/xdfLeYYjYiGRM3xDRe
+Z404W+jPTRq+EvTWhb2nsL46DJDslzzMHbtHxDW3uvMvxqzH+GgTcV75OuZhrOS2
+He1E46nro6AvXepfvymbwoatZ6RndGw1PVtqXtmO6oe9jm+ho1ZIdAhXaW2d6BjG
+fIz6UQKBmQCC0uQ746qemXUNc+TpOPVec+TCOiRVTupY9yryD/9C1+LvSdIljYYC
+pyvJRR7uoBxgWD5Mu0CZQiD/xz9OaIyL9OhB/vR5AKR+ZGeVjr/DRSjc2le5qiCs
+ZrDIEbKawmCsJDJ/F+Rs3CRDViJQhimnOPtOjOGayEKkWatJMr0LZTA3BpUpY4gJ
+EQsK8zSC9lRozHHp6p9IDw==
+-----END RSA PRIVATE KEY-----