From 237370533c38cb67a9e64c3b080e8508fe7fc712 Mon Sep 17 00:00:00 2001
From: Sergio Benitez
Date: Fri, 1 Sep 2017 03:11:48 -0700
Subject: [PATCH] Update cert in 'tls' example for new 'rustls'. The latest version of `rustls` acts on the SNI extension to TLS without the apparent ability to disable the behavior. `rustls` requires that the server's certificate match the client's requested server. The matching is done by looking at DNS names in the `subjectAltName` extension and checking if the requested server name is present. Since the certificate in the `tls` example did not have the `subjectAltName` extension, this check always failed, and the TLS connection was aborted. This commit adds the extension to the certificate with a DNS name of `localhost`, ensuring that TLS succeeds on `localhost`.
---
 examples/tls/Rocket.toml | 6 +-
 examples/tls/private/ca_cert.pem | 33 +++++++++++
 examples/tls/private/ca_key.pem | 51 +++++++++++++++++
 examples/tls/private/cert.pem | 63 +++++++++-----------
 examples/tls/private/gen_cert.sh | 21 +++++++
 examples/tls/private/key.pem | 98 ++++++++++++++++----------------
 lib/Cargo.toml | 2 +-
 7 files changed, 185 insertions(+), 89 deletions(-)
 create mode 100644 examples/tls/private/ca_cert.pem
 create mode 100644 examples/tls/private/ca_key.pem
 create mode 100755 examples/tls/private/gen_cert.sh
diff --git a/examples/tls/Rocket.toml b/examples/tls/Rocket.toml
index 14c7fa63..4077d1cf 100644
--- a/examples/tls/Rocket.toml
+++ b/examples/tls/Rocket.toml
@@ -1,7 +1,5 @@
-# The certificate/private key pair used here was generated via openssl:
-#
-# openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
-# -keyout key.pem -out cert.pem
+# The certificate/private key pair used here was generated via openssl using the
+# `gen_cert.sh` script located in the `private/` subdirectory.
 #
 # The certificate is self-signed. As such, you will need to trust it directly
 # for your browser to refer to the connection as secure. You should NEVER use
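Review bot: The retained context line `# The certificate is self-signed.` no longer matches the files this commit adds: per `gen_cert.sh`, `cert.pem` is now issued by the example "Rocket Root CA" (`-CA ca_cert.pem -CAkey ca_key.pem`) rather than signed with its own key. A reader following the old wording cannot tell which file the trust instruction refers to. Consider rewording it to something like `# The certificate is signed by the example CA in private/ca_cert.pem, which no client trusts by default.` The comment block continues past the end of this hunk, so the remainder of the warning is not visible here.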
diff --git a/examples/tls/private/ca_cert.pem b/examples/tls/private/ca_cert.pem
new file mode 100644
index 00000000..8dd268b1
--- /dev/null
+++ b/examples/tls/private/ca_cert.pem
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFuzCCA6OgAwIBAgIJAKGZ7Q2UtrXSMA0GCSqGSIb3DQEBBQUAMEcxCzAJBgNV +BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEChMJUm9ja2V0IENBMRcwFQYDVQQD +Ew5Sb2NrZXQgUm9vdCBDQTAeFw0xNzA5MDExMDAyMjRaFw0yNzA4MzAxMDAyMjRa +MEcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEChMJUm9ja2V0IENB +MRcwFQYDVQQDEw5Sb2NrZXQgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBANpHgKt28+RYw3z+RyvsBqQXCLfJfv7a8ZXnuIScNapjxisTih4u +HqiuC2DsUg6jF1zYzEBwCUKKjAXhPBKl2sRPxvTOK4kOy3a9kde/a/vLFkdt3CSJ +CDhJk3CxT1HEDi7e62G8jNZw6DlEwpWpYwkiQccL5Myi8GIn7vw/hNZ//wzFsYSj +G4ztAubN5dnbsdI0kpYp+QZ3RmDGx6T/FCpocWmCPt7qJqvwpcPTK7CfOVhF4ecg +lFs55CPn821ckFnHpzO1ffI//fiS9ZqOnpOt0zs8nGPIX+Mu+YHnvb6af6A8cqBm +odm32mcwCx67f7Cgob+MqfPSTe/tTxgA49IcLDZaybPWv3POngh9T5yRPdDKLsSb +oHRTE2+6H+Dg5HDkSz9OTCWbMx+ItjvxfYFgIlpqjEQYoKh9iuiTx6qI1k9Drdxk +Ymps+108xwCwkKuLqCE91lR8gWPNziv5Ja90VMjhi9/HrtIQAC5RCVMUZwE1Lz3S +PJy/z6hByQG0aIeT6KdLiwHQKSdzTwwc49fEjtRI2mX2m7JQrtS/vllcdeslYsUu +HBIrXbI/F3sD2N09fJnG2A74eWtC9tQ3eo2EKveB9FFRO20aWP5Ho3P+wo1eWdRJ +qItpgV0h+d+bpsEJP1LBsNhhaLkSJYAibejYX0fYSxd+mtQmDKT5WGSfAgMBAAGj +gakwgaYwHQYDVR0OBBYEFHcd2x5m+UOJOXvSsVpeCzs5lMJoMHcGA1UdIwRwMG6A +FHcd2x5m+UOJOXvSsVpeCzs5lMJooUukSTBHMQswCQYDVQQGEwJVUzELMAkGA1UE +CBMCQ0ExEjAQBgNVBAoTCVJvY2tldCBDQTEXMBUGA1UEAxMOUm9ja2V0IFJvb3Qg +Q0GCCQChme0NlLa10jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQC4 +OPHtrvRp2nX437zfCRZXz5RcHWm0LgjpbLVE77BihgE1GUT9/DxxvkbgRaP/Mu7e +Ox3mXJuD0eJMW3HK0N7blk25pDm7KLPhGmaSMEHmnsYkEbxwYez5t1xdumA+IwGp +uKscB0ymeIO6Z72IxXhyb5BmjjzeCChOiEWmann6JTGs9Y0C4ZBd2+3JoC6v6yzz +nnqYqlfxklAQ9FL4hbDsVib8cClVnyIBM9CEsdav8fzb1e5a8jv6pxMXFeTPYNay +fgdo2AvST+1PMZBU5tMrp9DY+GQo3RG1eU08v8wZQSFGfPr8Tu3Ak1WYGUT4cV5/ +lJMNFdtYLMDcOvrTZz2mLCjQx8H2cN+PPZWkG/aCIrhmGYNdNbksCPVFg1B3uNwh +kUcbxgBuDXxiz1gAeDbx5/GeVMRhTDFH9VnGdeBnUo3MAzH5Vg/OBcm74Mqcsljc +oUm4H7wZghLnA8Gb3zsR5LvFfF+pCSNkVMPuVGyl+k7su+3ibX04DhrPR0b2vqNJ +G2m0sabQZGdGst5LNcBbSMxBk+qDClGgRPgA3z+2aElswFR1a8Kj+fBb7lNqPc5H 
+ZygN3ZFWY0QyKyWR6CPat/vYKu8HuIT5Ad6nb9q/JH3Qllsk7tUoIASujjHMGZaf +GOik+8ewqlk60rcVbtUlkakpRu57hB6STj9K5HoeWw== +-----END CERTIFICATE----- diff --git a/examples/tls/private/ca_key.pem b/examples/tls/private/ca_key.pem new file mode 100644 index 00000000..09033c6f --- /dev/null +++ b/examples/tls/private/ca_key.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJJwIBAAKCAgEA2keAq3bz5FjDfP5HK+wGpBcIt8l+/trxlee4hJw1qmPGKxOK +Hi4eqK4LYOxSDqMXXNjMQHAJQoqMBeE8EqXaxE/G9M4riQ7Ldr2R179r+8sWR23c +JIkIOEmTcLFPUcQOLt7rYbyM1nDoOUTClaljCSJBxwvkzKLwYifu/D+E1n//DMWx +hKMbjO0C5s3l2dux0jSSlin5BndGYMbHpP8UKmhxaYI+3uomq/Clw9MrsJ85WEXh +5yCUWznkI+fzbVyQWcenM7V98j/9+JL1mo6ek63TOzycY8hf4y75gee9vpp/oDxy +oGah2bfaZzALHrt/sKChv4yp89JN7+1PGADj0hwsNlrJs9a/c86eCH1PnJE90Mou +xJugdFMTb7of4ODkcORLP05MJZszH4i2O/F9gWAiWmqMRBigqH2K6JPHqojWT0Ot +3GRiamz7XTzHALCQq4uoIT3WVHyBY83OK/klr3RUyOGL38eu0hAALlEJUxRnATUv +PdI8nL/PqEHJAbRoh5Pop0uLAdApJ3NPDBzj18SO1EjaZfabslCu1L++WVx16yVi +xS4cEitdsj8XewPY3T18mcbYDvh5a0L21Dd6jYQq94H0UVE7bRpY/kejc/7CjV5Z +1Emoi2mBXSH535umwQk/UsGw2GFouRIlgCJt6NhfR9hLF36a1CYMpPlYZJ8CAwEA +AQKCAgA0w4gE6rI2Bobq1gSaR2mrjK3cz2ZVcNNpKyRdWe1XDNtAWm7OsNNUbw3t +FfMX+rCRDw8AnJSAc0E5wqJk15a0UZyEXLoFXYAtadGxV2Jg8UynY5UNd9p20MJF +QXctCrlq9xPrAksBIzXfchGfX9zCvncsCGH8XX7CG2kXrLsNps8eZUNuDoeAX2KO +LENdkE/BwleU2PyLZZWrmyFzbv2O6sRPft53wB4s/fT0Cz3KahLQlcPvvN5f1vSh +AVbEntV9/lcalsqlHnbj+ZJJFCSdCi2/af1b2XnkTtydXElvo6UqNLJ4t5Z0LI8s +1l45xZUuOwYeaYBDohiY4MJ3yO9IzqCTJ7/l+/lQF+Bxg/k3Tx4XT8Tnirw8uZdu +GE08eD61o0FeHy0E3pxzC+kuJlx08s4kvVk9fwO3LCu/edu3/ydG05eL4Sdw7/SN +JqtD/T3k82uAt1OxQTkt1Q0uYZ1M5FY8+x6kEUPGHtF2QMmNDdbr6lI/GKDeuFaR +DnolDw4f1CtAL+pOw2FAu2QWrJQCPIfnpQXvMt3ywpca7v4Iv9Dn0OAl15eoJfHq +y37D6ivgfenYd4hzgbxnFsadV+c28EkO3hCB90ycCwnl9hL4+Fl7aDwVCG2papBi +v0E/dKrHpUlb2MpAU/L3x52BFz2tgrsJ9IqD318D0UPAWPHRUQKCAQEA7pd8uUyE +m7I6IGUXiZpZ93uR95N2DzXjtTgQNKQN9u5HwIkYc5F/9XoM3d2Kl/EipGsuoSkz +r3XJW88/VKHWilIdSrC2Y37dIqjGinil57A1P2BPrq0W0dtEX4a7hHiFhxMDUSnG +t+gvQHTXoL7tuWJ0ig6BXGIKHW7H2KaaJ3oqosgHCKDxMiwE/skec0iW+S8WxAEo +NoU+bGtvtKolroHXsnt6dqa057XnKy8OnUZy9c4puz8GnFa5/Knv6evo0Oe8qY0c ++n9wzPKDiEcVvQfsT19d3B9kheMIFRedxcHnrJkH1yIO+qhg7sMnPjMySMW7qsjj +MPYz4TEf4Re+VQKCAQEA6jScidB5qervAQw4qVRxjhGliQMxFEogDUIvd5jmDiPU +Xfs0hEHFz5ZV2mJfEpkVJ4wAAJ7n0FfKzgs8kFBtVaDUjmTvDLJDg/S3SWx3JxbJ 
+mHMPNfQhkQNIJjDjwfTnc8A/YqAZYudBhT/S4xl3oC5f2qJo90KeYQIgawWVU83V +8KhUEPkloTAqK0ZSvv2ek21gS6aHZIqU2TZYb+5syjS4YIO0eBa0qWUjpEjfkiyA +jSE6qgLs+4j4Iae9MDwWLk067JSUfcyC4o3cQTyEVvSU0GqvwPj6iyoG2AKADR+h +7vl2vRVH7XgM/JzdpYSM3NVsgwR542VLKwqdfATjIwKCAQAoJ8rQDPbMlYR+60S4 +3geCRYPdnS3jhXhbiaIAmhPXmWbuGqTI3pYgpHgB50VqKSVhcsCYUyzlvPc0wn6w +KcTH5uYTKgaoXDOvn6Q6re+OPPPZRMZkabFLhJHPWge5VedzQlnukQ9m6Gb7fC7G +WRv9dXqTubk/6Sg2p+xupCuRtVfzqaK1axDtFseIciTz1iXCrpAwUNmJw4csDDDy +wSgyZJv+6BVGXuxXix/q/rKA+dhjUl1nrEXajiYjRh6gyhmW/0mbZ6qW5lf/xlko +2H3qIKk++pf7cjUi64Dyu9TL8cSiIedV59+JhEk8JhA2wbsW0GCzb7f9B5LXtcLd +yXc5AoIBAEM4Wn2Lon/MeFC6q0CehgEau4I5skp6g/yKNImFDvKcAgX/ZbFYF2hf +Y8DMXzE9Ur8JBa8n7Kz1pbXBr95T1y2ufZNpENt6BrrG8BxYz1Iezjm9PG5l5YRz +hq+/dH9kxVGJqieqf97NNRcDnIml85m79bMQzkO5kS+Spq9Q6O0mtPLfvVEp0U0U +P+Yvxuweavcxe2P7Jf0LcXFuka9+pSbcPtckthWJnszHxJUQfWq87yCSmv3U3SPM +yjsOo9RGSq97ZyAj/QKmQiK4SLFIp0s148h19n/SdkafB1vUS+B4ZcfrPdNDWmOk +A0Y117/77Vosv3pTPJCxsANoho7j8DUCggEAH1TGo5pi5oC5cKa5mAZ8yrAtmOn3 +cqrA7MZOciRkynKH3UZm84MTG4uWEEZ+goIsp4QJP6PPL3h7pfwCIVkXRwwYDNUh +RH0n2wy2/1PxVfx0KsvXpkVwNT+v8DQaFxHaZ06oEXknB7AhFYbgXKotdiTX9MIo +tve0XKsyS2v4iDnkARI5Yeb4feZTOPVCBNdOhwQAP1sUnN+aTD475JGflTQQAZdU +n5LKKJXbAIn2Q2/+2QJ6T4bgUkMrNd9yGlGLKlt23EG5f7VZFIZG41as1jO2Mhgw +zLlv/26y/wlk010tkrcxopQ+0F1FN435sCEXFqQyh79VwSgUqenR3Q1ACQ== +-----END RSA PRIVATE KEY----- diff --git a/examples/tls/private/cert.pem b/examples/tls/private/cert.pem index 3019e697..17552ab2 100644 --- a/examples/tls/private/cert.pem +++ b/examples/tls/private/cert.pem 
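Review bot: `ca_key.pem` checks in the private key of the example root CA, so every holder of the repository can issue certificates that chain to `ca_cert.pem` for any host name. This only affects users who add `ca_cert.pem` to a browser or system trust store to silence the warning, but the `Rocket.toml` comment tells readers to trust the certificate, and the generation script in this commit sets no name constraints on the CA. Consider leaving `ca_key.pem` out of the repository (the script can regenerate it locally), or stating next to the files that the CA must not be trusted, e.g. `# WARNING: ca_key.pem is public; never add ca_cert.pem to a system or browser trust store.`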
@@ -1,37 +1,30 @@ -----BEGIN CERTIFICATE----- -MIIGXjCCBEagAwIBAgIJAJBTO2YLMz4tMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV -BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTdGFuZm9yZDEP -MA0GA1UEChMGUm9ja2V0MRcwFQYDVQQDEw5TZXJnaW8gQmVuaXRlejEbMBkGCSqG -SIb3DQEJARYMc2JAcm9ja2V0LnJzMB4XDTE3MDQwOTA0MTIxM1oXDTI3MDQwNzA0 -MTIxM1owfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNV -BAcTCFN0YW5mb3JkMQ8wDQYDVQQKEwZSb2NrZXQxFzAVBgNVBAMTDlNlcmdpbyBC -ZW5pdGV6MRswGQYJKoZIhvcNAQkBFgxzYkByb2NrZXQucnMwggIiMA0GCSqGSIb3 -DQEBAQUAA4ICDwAwggIKAoICAQCzdm0ZxLNP4TlJBI2IpeVT4S6hZeBkem/aj4NZ -mhHA06HXVqcUw3W03YQklhO7E305uU/BTRz5q0BIa2DCPyZDUCkwTjOZAuFiiZzc -AZz/zhu2RwLWeYttlvjKewrIe0k9zrPaPXpdcFe0xq2mcUon0fyRztL1H8EYEScb -/TJqM1LkWKGSJEOMDeEYMVnJn/x9yFgfC82u/4GBc3q3Si2uRLCMkTLsg6TC27EF -kCVuOISf1+CvAKgk2x29SGm/nYoTe+j6YLm12h41S6JlGO9zJnORlwb4Mz5h+72p -NBaVER72kNxwskTNg2IWur7NM2Xi/nAfZ7+YOopgwosRuZl8Nw6CcpWDkGdLnO7X -H18Wy/BXOamXVa65tWefwlCiJ8bkqZgik8AHX36KZzTzkDO5g/4JAQDh4G56paGu -hcd1LXkGvTDuaSN4BkHDuYucr89aliWV/AKzum4BJkyKk3lVWDb9nfwyTRegsZg5 -ipTW7xLhvxzjeoLuDHybRzsw+2NFQoHA4PUouzC1n2/+eJIVysa6p5UZXTcTNGVd -rdU3GmifpFDBv4NwQrQ1y2izw0b+dbZ7DBAQIqW3toHeBUmmTiHSmQR5QT3Dz9HA -l2npMu4S2ZKQYJj+zqxyETzrOgz76LW1yZ3uAbX7z0OxlOoC67XYGAAWlDyU4pZc -qcnR1QIDAQABo4HiMIHfMB0GA1UdDgQWBBSUdwqW1sNXbeS29wXaJL0P9glPmTCB -rwYDVR0jBIGnMIGkgBSUdwqW1sNXbeS29wXaJL0P9glPmaGBgKR+MHwxCzAJBgNV -BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTdGFuZm9yZDEP -MA0GA1UEChMGUm9ja2V0MRcwFQYDVQQDEw5TZXJnaW8gQmVuaXRlejEbMBkGCSqG -SIb3DQEJARYMc2JAcm9ja2V0LnJzggkAkFM7ZgszPi0wDAYDVR0TBAUwAwEB/zAN -BgkqhkiG9w0BAQsFAAOCAgEAXfsz3a1iDWoyyobVlFV3NvVD5CeZ9oWh/IvmbgfB -XMEB3ZLy3Cqn4op1u6Kbo/L8E+YYMlIGdqUtAlpJrtF1k3KeVGBScx6YebCPWcuL -aRO/l1qUR70RhA/Yrz0iNqcTSkC2n9YYFtr7tOiTzS3kqN03XB6fJBsYnVG4LzR5 -1EdNjgGoISSVmKJwQh0Sjy+GuHDnsjtL5xPxf5OFA6bgJiYkpMgxv0VDzC3Bl6NL -oTYwnQ+/19yzoSZANlvwKi8UftHEpBXMAW2Yr3jEfKuSQIe3FPr2js2JWfpl12yQ -JZnDPEJOamxD4hvvWljENwcVMss9X9FGiQCoFIYmGja4JXZ7KqvOlgdSaS8TUqCp 
-qHcSJpEiJQAJQton607EjWxBBWVEMEQYZx5nLFifxwexxv1jpbGeh+ehAwRlvrZU -nXR9miv/ohw6HmopNXmXcTCJsT8/OHb4g7cUs3scUmuySMZe1dKht+o+XmkWfF9b -fgqNz9so1ls9oyg/qjuMwh5wNNUsPQJGITmzTOfGGu7engyil744flO5aQFfSwcm -zQ7ZzRh+jDPI/rG8xbrYpXXK3+xln03O/96AC6iEELA0+A2PeworEkz47nEPrqlC -Fr17Aya+rJsrN9JXL1Uz87k3XfySNc6xT8zitNGzgxtgKthUg6fU9oOt/79HuOeL -g+Y= +MIIFITCCAwmgAwIBAgIJAII1fQkonYEEMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNV +BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEChMJUm9ja2V0IENBMRcwFQYDVQQD +Ew5Sb2NrZXQgUm9vdCBDQTAeFw0xNzA5MDExMDAyMjhaFw0yNzA4MzAxMDAyMjha +MD8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGUm9ja2V0MRIw +EAYDVQQDEwlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQDqe/Ps0tJf11HBuxJ4HvgC4VJeeiSl3D4P8ZT6uamCj8XD0MPtfRjGgfZPRjfY +ksiYRs4Wg3Wy3aiQR6IVrNAxtfU1ZA3vRGCBwV0oWkfyPJKQOtF0Ih0/MhmYdiWG +gDqs5qF/6B9K8qbinexal8v1oXpwQC5dod/NOuSLZQtQfkiYIeNqo0BbxtcaNE2u +kgOYg1Cvc9ui3KPNA2JTN+Uzq6A8n4Pej6erG2NeCAoov9nrkPyustDWLQ76wdTp +5YU6zwwsl+fJtb5scNUmagujoXTTqn06WoCMDUsSjC/jlGMIrzmx90Wq8Dg6HBGn +Cscz3M/AUXYzJtShkxMNZCsdxH+8x5oyO/RrtyeRyN8iDiOolz+SfQROVXMU0zkx +nRl7hIxgB/QeDi6MMXGLTd08vpIAohk3hnycsGgTwTCT5LxWJnorpm4wdr1bDmCY +InUO5hX0rFWtS0ij78GTUbpajkNTEXIXXwa1VnSE2kIeUX6aiKhJsm3KWp496JuM +ahIR7XCP9PyGclWI+Pa0eq5L8nnuSfqUAwCeOvvwdBOxUvKmecly1IHLoUXGnhy0 +46MjYo80yYFqrGgop6lUEZ0ThYpDpMxq+JIeUoyGaCJFDvundzt0u0sh9i+hUCVe +v3zsgxwvBeJy0L1G1uGkpCqERkYJQt9O+qLM8i7hf7ONkQIDAQABoxgwFjAUBgNV +HREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggIBAAcXycXdWVvwLl+7 +ryG8V7FpB9bp0lHNA4q3DpEINCNyuA2cbnVU/u2L3ddvroTcrPjE+hhNbcVaz/NH +w4sQqlDzkV+G9kZ4qBTlk5zon6aGGow181J+B5SVznt6lO4/KYYpEN0vX+uMvsgK +OG7ydsRMDxPpsnVS9SFx0Ke8AlmUet5S/NGYCfedd4rwCu+oJHUWhXNwFZqLF3Yn +s8lg3xdM0kJt8g4m1/KUpunanX3w+DdZaIwbltEZs4NriXn0VVbEPRpHyiGMosgf +mEUV2z49f6S2joEnSn2Y/ILOdKFQ2mKFXtXJP43Qzj8Mr5mSb2bXyABlrn0pl/+o +HBkyVyDx5BKqWKe5uK3YCDsbIJj026AkCdTKF+BSBWfB+EqdSIOvVrpHtQK7BwFx +pS5rdQBLA86f1NC0e235L6pwFKm+imazr6Jn7fbbwq1y9PSL36rUn4e/+R2Yoia9 +S7zDOqGbnyv9h7eE3Muiy26kJsJfCrjse/dmce+6YnB1FC5RKPn7kM86t7MyDrgx 
+W60xRMdgmcGfPjei2V4MdVM6ysOlNoeh39DizjkV9+r8iGl4vngplJrPgAIvywQz
+v1pLk6dSlSOwgqY94hqxqNvG80xSoYsmMjDrPmtBVERjhbffsdIDHjcPVsJKH6l6
+8wg+/u6aK2bMHt41f3XE/UTY+A57
 -----END CERTIFICATE-----
diff --git a/examples/tls/private/gen_cert.sh b/examples/tls/private/gen_cert.sh
new file mode 100755
index 00000000..a2f25cfe
--- /dev/null
+++ b/examples/tls/private/gen_cert.sh
@@ -0,0 +1,21 @@
+#! /bin/bash
+
+# TODO: `rustls` (really, `webpki`) doesn't currently use the CN in the subject
+# to check if a certificate is valid for a server name sent via SNI. It's not
+# clear if this is intended, since certificates _should_ have a `subjectAltName`
+# with a DNS name, or if it simply hasn't been implemented yet. See
+# https://bugzilla.mozilla.org/show_bug.cgi?id=552346 for a bit more info.
+
+CA_SUBJECT="/C=US/ST=CA/O=Rocket CA/CN=Rocket Root CA"
+SUBJECT="/C=US/ST=CA/O=Rocket/CN=localhost"
+ALT="DNS:localhost"
+
+openssl genrsa -out ca_key.pem 4096
+openssl req -new -x509 -days 3650 -key ca_key.pem -subj "${CA_SUBJECT}" -out ca_cert.pem
+
+openssl req -newkey rsa:4096 -nodes -sha256 -keyout key.pem -subj "${SUBJECT}" -out server.csr
+openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
+ -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
+ -in server.csr -out cert.pem
+
+rm ca_cert.srl server.csr
diff --git a/examples/tls/private/key.pem b/examples/tls/private/key.pem
index 13ee4c54..afcf14a3 100644
--- a/examples/tls/private/key.pem
+++ b/examples/tls/private/key.pem
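Review bot: The CA step `openssl req -new -x509 -days 3650 -key ca_key.pem ...` is the only signing command in `gen_cert.sh` without `-sha256`, so its digest is whatever the local OpenSSL defaults to; the committed `ca_cert.pem` appears to carry a SHA-1 signature as a result. Adding `-sha256` to that line keeps the three commands consistent. The script also has no `set -e`, so a failed `openssl` call still reaches `rm ca_cert.srl server.csr` and can leave a new `key.pem` next to an old `cert.pem`; `set -euo pipefail` after the shebang would stop at the first error. Finally, `printf "subjectAltName=${ALT}"` passes the variable as the format string, and `printf 'subjectAltName=%s' "${ALT}"` is the safer form.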
@@ -1,51 +1,51 @@ -----BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEAs3ZtGcSzT+E5SQSNiKXlU+EuoWXgZHpv2o+DWZoRwNOh11an -FMN1tN2EJJYTuxN9OblPwU0c+atASGtgwj8mQ1ApME4zmQLhYomc3AGc/84btkcC -1nmLbZb4ynsKyHtJPc6z2j16XXBXtMatpnFKJ9H8kc7S9R/BGBEnG/0yajNS5Fih -kiRDjA3hGDFZyZ/8fchYHwvNrv+BgXN6t0otrkSwjJEy7IOkwtuxBZAlbjiEn9fg -rwCoJNsdvUhpv52KE3vo+mC5tdoeNUuiZRjvcyZzkZcG+DM+Yfu9qTQWlREe9pDc -cLJEzYNiFrq+zTNl4v5wH2e/mDqKYMKLEbmZfDcOgnKVg5BnS5zu1x9fFsvwVzmp -l1WuubVnn8JQoifG5KmYIpPAB19+imc085AzuYP+CQEA4eBueqWhroXHdS15Br0w -7mkjeAZBw7mLnK/PWpYllfwCs7puASZMipN5VVg2/Z38Mk0XoLGYOYqU1u8S4b8c -43qC7gx8m0c7MPtjRUKBwOD1KLswtZ9v/niSFcrGuqeVGV03EzRlXa3VNxpon6RQ -wb+DcEK0Nctos8NG/nW2ewwQECKlt7aB3gVJpk4h0pkEeUE9w8/RwJdp6TLuEtmS -kGCY/s6schE86zoM++i1tcmd7gG1+89DsZTqAuu12BgAFpQ8lOKWXKnJ0dUCAwEA -AQKCAgBIdkLrKq80S75zqzDywfls+vl3FcmbCIztdREWNs2ATHOGnWhtS9bVJrRa -iXaCDQZ9LkPzyw0uCmW0WBcDl7f9afqXlJvk5nLW9LWvZ79a0oACA34z13Pi1hiy -uSfLd2xFVpbsQfKMk/X1+lrXX9sPZQxUW2x2qVGwRAzEkmGu2/ZWWSsz9QyJGnmO -6S5V6RFsQF7EemGcjXJfMJ+WLo9vVDDtMRucwDLgsxAxLNjQPmXenK4OO3epGghS -C1EXm6bK4zdZEYEq2l1kK5vwsjbNCfOUD6Uyxo4jxh/4mB2eJwGXkTpRDsoVKT2L -6+9qr5wuIYpoQ93qu4hwNV0t1QERp4HYTrX6WzDPLCtoHlIfCfzXH05jYa9n/nJD -Ow4eeeK5RE7/9/fKJWX2/R45iz87QKeS2H+ps3IOirK1P4Y/4FdIoHVyHjaCeoGp -YeSXjTWz6OEcHX9qcShdVu8ILkJlBJ4xftxNKWw8d/jKG3xOaxVNAnTGGAx113Pa -RIZcGNfroQcceV0mRAQTTpZyV7jj+lvC9lXqyP4tJJc4YjSWG6ITPrYfKVYBAhNC -K8MutrCaEH87SzIssY3DvpSzIeZMafvR4VYHZbBsDpI8+9iIijXLzDR0IQUANcah -bLWzjhDXrE5f1Et1hyHCAkCzsPIyx67QugYpJ8zTDUp6oYVaaQKCAQEA3XjPYrAJ -kokPk8ErDYTe0lMRGKvIrV3TH5hkfTIlkMfn4M6wVS3WQYYEMwgcJHVILpHkxtuD -ZcNIrey5f3IlwvSGo30w9L4IQCt5nzU0GpYqeN4Uty+0jDO0pygPYRrNAedSQSYa -jgSwoQCiu/qVzb+fPD2n6Hfxn/+cBP/mw6JBZZRb4aIhAluIt958J7NB/AwY+o03 -rG6lq41UUYDtydt/yP3q7QlRBFkY+anm7O7Iy80e4oPciXbettsMuHPa8/zF1TWJ -IxG2v9C4Q++tvj9zKP66l/5JVKVdtexGtPJS9i8lIkPkqX7K9peOUDNwyVAyG4kB -2SxKysu4sTq5ZwKCAQEAz3D6UTbTnzkrQFDnKaYUpMW4jfKUFr/n+s5iIN3FPk9t -ZuZ3YbrIroW50KxmVYFG+x1vyEZvB+Bdb7apCnqK4z2x4vbpl4bsE/uW8Kk+rQxx 
-gbUfuih1r0FMVE0kGL8MxJEL/4owOZM9G8hinxkVst4LswNe0MPwfJHgeLrx/xAM -lHq4hS5Pb4SYb+Z6iUJlzJpsQPX+JLW3cDqlfUBB9ckijtNkTbwsq7ETWRglnAP1 -flOCBe6l1aSDPiSa3fRSwA0PHTztVZt2TwnhDD2v40tTxCfeAwafeEwpUUgWivt0 -Doq0Tni5lZiPjqNfmbZSa8BKyeEtPuKZcKT4QMSJYwKCAQA8+TTHa8XG5Rs3x5fN -ygX6i8oKK8k9CbbFXRRVb4fuG0tYli7v1IXHVlkzn4j39J4hzCLbKLY9Pw10bNcJ -ImkJCn9C5YWj6+mjmRSL437rzun0itfTMzwW2WlkF+BcEJ/eZUw9CXuIG/xw5xbm -f+/cTGRPln3yv4rzTNEsgzOKKtKsX7MIJLXHy2GRlZxC5dRFyyLZYCWywGe2Glvb -cI6G43qD4HxcNBNtCgaZPdCI7Ji1m0xken8uDV71ossWwTbHs5DXyTxvPkI8/v6s -HYGM/jT7VV4T2Hth5YEuQ9WXnZt/ka08iMqca37/cuxIYlEr63tQH2E15D7XJE09 -5fgDAoIBAQDKC2hDofsMokoWIraEQlbpBgtzdkn2voPcLRg2msp6njIYf3DXp22/ -TlBlhwVFUt0nyMwPbUrHiSh4npiWtDSCkJyqS4PJKojWDb4+ORnqwqvrgdadIrs9 -L4SAt4Ho+GwfKIdfJeFCsr5aSRqFi5Eu3kbW3PmErNOXAR55eNwrah5WoBEI5spH -/AXdN8cx2ZH9borx2qbmand4wCZfkC6ujnEyW4Lek+GOeLI3nOVEyDZcDEogLQko -xUtvQ4fzlvziQdXuzGD9eKYK5bxkh9DAuaWk8I+0ssawDL5RhL0wMSog38guhjd8 -FVP9wfJjbMlqWah+aOwAzARXStbhfouxAoIBAQCw0HQEHJL0nTLT0SdkEAZF12Fo -NMdTh68xtQ1y2papT87L6J8/WmK1/O32KAJ3XXikl0QMTkhjHqf+eA+27C8L+jIR -HPhB4OGdlOufk1QXoaX1Z4vVHfyyXASspfZ1ecxFsQdC/lPnQ+ir/skHI1NNC9oO -Q39d37tyoKCOyZUhD0IsT5+6vVgyj6EcwiCmgwZ7PI3MKKoXx7HmkZ9e4hVYbXP6 -WsNsF2VKPHCre56T2FRT3xLxzN5uZOz0Hrau50Y/3RNuYiJJ2aufAYmv1r6HT/0W -BP2kmzmWlg1JJaU9vS9jZXabQZPp8bJ+fDtSZSa69AJESKRE9e3e895uW3gY +MIIJKAIBAAKCAgEA6nvz7NLSX9dRwbsSeB74AuFSXnokpdw+D/GU+rmpgo/Fw9DD +7X0YxoH2T0Y32JLImEbOFoN1st2okEeiFazQMbX1NWQN70RggcFdKFpH8jySkDrR +dCIdPzIZmHYlhoA6rOahf+gfSvKm4p3sWpfL9aF6cEAuXaHfzTrki2ULUH5ImCHj +aqNAW8bXGjRNrpIDmINQr3PbotyjzQNiUzflM6ugPJ+D3o+nqxtjXggKKL/Z65D8 +rrLQ1i0O+sHU6eWFOs8MLJfnybW+bHDVJmoLo6F006p9OlqAjA1LEowv45RjCK85 +sfdFqvA4OhwRpwrHM9zPwFF2MybUoZMTDWQrHcR/vMeaMjv0a7cnkcjfIg4jqJc/ +kn0ETlVzFNM5MZ0Ze4SMYAf0Hg4ujDFxi03dPL6SAKIZN4Z8nLBoE8Ewk+S8ViZ6 +K6ZuMHa9Ww5gmCJ1DuYV9KxVrUtIo+/Bk1G6Wo5DUxFyF18GtVZ0hNpCHlF+moio +SbJtylqePeibjGoSEe1wj/T8hnJViPj2tHquS/J57kn6lAMAnjr78HQTsVLypnnJ +ctSBy6FFxp4ctOOjI2KPNMmBaqxoKKepVBGdE4WKQ6TMaviSHlKMhmgiRQ77p3c7 
+dLtLIfYvoVAlXr987IMcLwXictC9RtbhpKQqhEZGCULfTvqizPIu4X+zjZECAwEA +AQKCAgAxmpc3ekHW1I4PFawKjUKaGWB7bAtkqvrWFJ0XjT82x4NmsTtBej1LgSLC +EnCt+B9HV3MxgA3eENYf74dyXmSMn5mH+eqYuzZPPMCgULj3najDqi21C6J0Q/z2 +K8g0c9v1x7RSgqBcEokLV60wXPxgshBcvrcQR7Y4jETc2DtUg+KHjGO3o2FyCNZo +TLhCPdFU6jKfazsDcPmV3SlnwWNTUvNK39PduTYXFGwo8Dp19F/9XWaW7m0PYejR +Uz/fWxacIkDJDjmSikgGWLg+sCBWNUmpnV9wgMTA2+8NtWpMEpAAvlDOPSkXyEmc +wWNamwUZC5VHcfQ3TfedVqepJY+ZDNNaZ6O+GH7Qe33jxdyXbt8CSEI52lDDotfX +rwjI8//qnoDGmwzBNThBTjXyrAbwn/KzfYXvPMfMd1GB2YPG0WmcZhFNuEm6f4Pf +5vhQldT/Wd1RBbGTVDYo/49uSNAwTu9ObW7o50obUfyW0bUgopBaZBwRfOBFJ1QU +PFCRqCv16STPr8AaeP2nlZawsC5ECbzdBRxvHG6P2FCOdgclWhZNlMdRydFTI5QJ +aAfgkHYT8DFtZ/P0fbc2csFaOWNd3vSp07TCgqff6vgR8jGJDRnC+Oq4Q8rERiFw +A7O/TzjYskY8aMkM4mvSfmnqo7Qqv+XPgDbfWi9tq8nrDYzSAQKCAQEA+VAUqyCN +DvtkMGbd8AyYNx738K3Sea+/t+y2X1V1q93+TKypcrpZ0KhrnKGxf2UnJZx31NOX +vdXUwNu/I9/lnOuJlR7yVC0E185v+j0GQRZRjwTv6qUEBnHRViEkpy0j3INiVg8t +aLbrg5NoD4vlgocSFP2IDD+dFkDS4oKebXfuQFtvW8qd769RzjQAGHTje+Fk1US/ +ADgDPINoZOyhuyA9r8Q9BfrhksliB80a3q+ieHPpaYAa+9NT6B3SZfVgzblj4mfs +nHDAor4ZYpJ6sLB5pcUG5DILVx1ncO2S0qO53w3P5j4jatz4KZWheOSQQkSCWwP5 +qAEMw28tv0ezmQKCAQEA8MYM8v/3FRlct/lLCzA+Smq+ZvdXyTpM9fICvSaBD6WT +/xYguTUbzWB8WBzMCDK3quttBrWCMIRWzEfEPE51db+0MycoAjM7sw2nql3tgFy5 +OZV4g5lzPnWsh76ba8xq2x5h8j1sbsvTWZoxD5/fcXEEAvwMFTvgm39T+NyMoAZ0 +PMO3x7sZiI5GLLZ5wmjlb1dEbxHujPIJNuSJtdNjecRhyhPcairK8dfjQaStgyE3 +O9hGCBYOzz0n4O76dJmH1g1HAmG4RvZU6zC3lDITXhgQ9pVH50qS1oI7jLhn3QoY +SfdZ+LDC/8nDVcPLX+JFL95ha80o/K5PQ7uWXXNkuQKCAQEAuASwzMLg+x75C3TR ++d4B+CWGkoJqaWEcnHA/CEz25t2bVxLWm5UKuCWoEFuUvNh3tZ4xIMjxJrCPMa7A +/YTEYTfFPGk0Kod0HKoGIukqFZ6YonzdbQ9R0kPuZKlf+XkrEBd13NmlBbaGTX7e +/yKeS+LQqOedpJTLqOI+BeytbVVpaN1Ua6c5PfHk6tOdAnA8fHKYT4ZHiKzPTrob +suqqUYlxnqu08xYDq6mzDtkILTfsLwY3UaS5xghs1VY1twYP5qkhHbrhfXMH7Ndt +u0EtB/+qOn4cIREDJ9DPSh5BEfLBPe9e9a4FzFm/XkpQfgAOrqsMoItlmej0d8g3 +NwmAeQKCAQBNfiDK0RFQLCKIX+cESdmyj9qKP090x5vfiK3S/SKKy6rvbcrIcUxq +dIRww4vzk4dDrpQflam6Pc3F389L7aCmbjXsRMz+sEiln154WdTH/I/s9audB3Vt 
+A+iso+9X6an2rjeuBJDytA1pCFSEB9udolc9Mqwc5XGr+nYnYaytEIa2y/NJiHF2 +Xvw9Bdn4dVRq2nZ/HRFfMcM/dJzR9aBNn6QtqujFDtLUtbxB82OZEca6LyiTD65i +ivdb0O6xOnzaqtlQ7eymgj/gloRvYRKUtUA4bOGAkqLiAXZzGyLqpIYewEqn3RRV +yTViVCsPyD6mYneOf7CSavO+BBEoMKyZAoIBAAF2bGafAIIfxG2wT19Trd6NTFeA +5GuejnWZBJUJPlIMiwhiorOMOxhJjsfDQxVv/jhWOf86gpLctMIFBHqwIVAwLRVB +SX0vx6/BUkDsnqEEsyp8x2MKsojvG63QX2R5DJTlP6/YrtVJj46euboygc6j+mV8 +alhiH3UfKKs2GtbIhd34tafRYs9/SvJ95QeoJyVoYy7mLgrFgQN2g2TMwDle/F2h +kmko+yuLbj5CNe/x4/9pTRTFdoF75RLkaWuf81FHO4c1Z5D5niEX+0a94Y3LglWe +2YIWhS3TbGPAfyGsnmnTsDtsbriNDwLkmMW7wr6Um+L/LoRVeJhoKxv8LsQ= -----END RSA PRIVATE KEY----- diff --git a/lib/Cargo.toml b/lib/Cargo.toml index 0213353d..9c53f7bc 100644 --- a/lib/Cargo.toml +++ b/lib/Cargo.toml @@ -33,7 +33,7 @@ pear_codegen = "0.0.11" rustls = { version = "0.11.0", optional = true } cookie = { version = "0.10.0", features = ["percent-encode", "secure"] } hyper = { version = "0.10.13", default-features = false } -hyper-sync-rustls = { version = "0.2", features = ["server"], optional = true } +hyper-sync-rustls = { version = "0.2.1", features = ["server"], optional = true } ordermap = "0.2" isatty = "0.1"