From c287fff034b598c06ef87bda78dc9851a51da94f Mon Sep 17 00:00:00 2001
From: Ignasi Marimon-Clos <ignasi@lightbend.com>
Date: Fri, 5 Jun 2020 17:34:44 +0200
Subject: [PATCH] k8s-friendly SSLEngine provider (simplified) (#29152)

Co-authored-by: Arnout Engelen <github@bzzt.net>
Co-authored-by: James Roper <james@jazzy.id.au>
---
 akka-remote/src/main/resources/reference.conf |  58 +++-
 .../artery/tcp/ConfigSSLEngineProvider.scala  | 158 +++++++++
 .../remote/artery/tcp/SSLEngineProvider.scala | 182 +---------
 .../artery/tcp/SecureRandomFactory.scala      |  58 ++++
 .../artery/tcp/ssl/PemManagersProvider.scala  |  91 +++++
 .../ssl/RotatingKeysSSLEngineProvider.scala   | 174 ++++++++++
 .../artery/tcp/ssl/SSLEngineConfig.scala      |  41 +++
 .../artery/tcp/ssl/SessionVerifier.scala      |  68 ++++
 .../remote/artery/tcp/ssl/X509Readers.scala   |  44 +++
 akka-remote/src/test/resources/Makefile       |  17 +-
 akka-remote/src/test/resources/domain.crt     |  20 ++
 akka-remote/src/test/resources/keystore       | Bin 1573 -> 2421 bytes
 akka-remote/src/test/resources/ssl/README.md  |   7 +
 .../artery-node001.example.com.crt            |  21 ++
 .../artery-node001.example.com.p12            | Bin 0 -> 4143 bytes
 .../artery-node001.example.com.pem            |  27 ++
 .../artery-node002.example.com.crt            |  21 ++
 .../artery-node002.example.com.p12            | Bin 0 -> 4143 bytes
 .../artery-node002.example.com.pem            |  27 ++
 .../artery-node003.example.com.crt            |  21 ++
 .../artery-node003.example.com.p12            | Bin 0 -> 4143 bytes
 .../artery-node003.example.com.pem            |  27 ++
 .../test/resources/ssl/client.example.com.crt |  16 +
 .../test/resources/ssl/client.example.com.p12 | Bin 0 -> 2708 bytes
 .../src/test/resources/ssl/exampleca.crt      |  14 +
 .../src/test/resources/ssl/exampleca.p12      | Bin 0 -> 1114 bytes
 .../ssl/gen-artery-nodes.example.com.sh       |  21 ++
 .../src/test/resources/ssl/gen-functions.sh   | 102 ++++++
 akka-remote/src/test/resources/ssl/genca.sh   |  27 ++
 .../src/test/resources/ssl/gencerts.sh        |  27 ++
 .../test/resources/ssl/island.example.com.crt |  16 +
 .../test/resources/ssl/island.example.com.p12 | Bin 0 -> 2700 bytes
 .../test/resources/ssl/node.example.com.crt   |  21 ++
 .../test/resources/ssl/node.example.com.p12   | Bin 0 -> 4075 bytes
 .../test/resources/ssl/node.example.com.pem   |  27 ++
 .../test/resources/ssl/one.example.com.crt    |  16 +
 .../test/resources/ssl/one.example.com.p12    | Bin 0 -> 2694 bytes
 akka-remote/src/test/resources/ssl/password   |   1 +
 .../src/test/resources/ssl/pem/README.md      |  14 +
 .../src/test/resources/ssl/pem/pkcs1.pem      |  27 ++
 .../ssl/pem/selfsigned-certificate.pem        |  19 +
 .../resources/ssl/rsa-client.example.com.crt  |  21 ++
 .../resources/ssl/rsa-client.example.com.p12  | Bin 0 -> 4103 bytes
 .../resources/ssl/rsa-client.example.com.pem  |  27 ++
 .../test/resources/ssl/two.example.com.crt    |  16 +
 .../test/resources/ssl/two.example.com.p12    | Bin 0 -> 2694 bytes
 akka-remote/src/test/resources/truststore     | Bin 621 -> 1114 bytes
 .../remote/artery/ArterySpecSupport.scala     |   3 +
 .../artery/tcp/SecureRandomFactorySpec.scala  |  79 +++++
 .../akka/remote/artery/tcp/TlsTcpSpec.scala   | 124 +++----
 .../tcp/ssl/CipherSuiteSupportCheck.scala     |  68 ++++
 .../tcp/ssl/PeerSubjectVerifierSpec.scala     |  67 ++++
 .../tcp/ssl/PemManagersProviderSpec.scala     |  55 +++
 .../RotatingKeysSSLEngineProviderSpec.scala   | 326 ++++++++++++++++++
 .../artery/tcp/ssl/TlsResourcesSpec.scala     |  94 +++++
 .../artery/tcp/ssl/X509ReadersSpec.scala      |  35 ++
 build.sbt                                     |   1 +
 project/Dependencies.scala                    |   4 +-
 58 files changed, 2064 insertions(+), 266 deletions(-)
 create mode 100644 akka-remote/src/main/scala/akka/remote/artery/tcp/ConfigSSLEngineProvider.scala
 create mode 100644 akka-remote/src/main/scala/akka/remote/artery/tcp/SecureRandomFactory.scala
 create mode 100644 akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/PemManagersProvider.scala
 create mode 100644 akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/RotatingKeysSSLEngineProvider.scala
 create mode 100644 akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/SSLEngineConfig.scala
 create mode 100644 akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/SessionVerifier.scala
 create mode 100644 akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/X509Readers.scala
 create mode 100644 akka-remote/src/test/resources/domain.crt
 create mode 100644 akka-remote/src/test/resources/ssl/README.md
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.p12
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.pem
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.p12
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.pem
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.p12
 create mode 100644 akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.pem
 create mode 100644 akka-remote/src/test/resources/ssl/client.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/client.example.com.p12
 create mode 100644 akka-remote/src/test/resources/ssl/exampleca.crt
 create mode 100644 akka-remote/src/test/resources/ssl/exampleca.p12
 create mode 100755 akka-remote/src/test/resources/ssl/gen-artery-nodes.example.com.sh
 create mode 100644 akka-remote/src/test/resources/ssl/gen-functions.sh
 create mode 100755 akka-remote/src/test/resources/ssl/genca.sh
 create mode 100755 akka-remote/src/test/resources/ssl/gencerts.sh
 create mode 100644 akka-remote/src/test/resources/ssl/island.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/island.example.com.p12
 create mode 100644 akka-remote/src/test/resources/ssl/node.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/node.example.com.p12
 create mode 100644 akka-remote/src/test/resources/ssl/node.example.com.pem
 create mode 100644 akka-remote/src/test/resources/ssl/one.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/one.example.com.p12
 create mode 100644 akka-remote/src/test/resources/ssl/password
 create mode 100644 akka-remote/src/test/resources/ssl/pem/README.md
 create mode 100644 akka-remote/src/test/resources/ssl/pem/pkcs1.pem
 create mode 100644 akka-remote/src/test/resources/ssl/pem/selfsigned-certificate.pem
 create mode 100644 akka-remote/src/test/resources/ssl/rsa-client.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/rsa-client.example.com.p12
 create mode 100644 akka-remote/src/test/resources/ssl/rsa-client.example.com.pem
 create mode 100644 akka-remote/src/test/resources/ssl/two.example.com.crt
 create mode 100644 akka-remote/src/test/resources/ssl/two.example.com.p12
 create mode 100644 akka-remote/src/test/scala/akka/remote/artery/tcp/SecureRandomFactorySpec.scala
 create mode 100644 akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/CipherSuiteSupportCheck.scala
 create mode 100644 akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/PeerSubjectVerifierSpec.scala
 create mode 100644 akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/PemManagersProviderSpec.scala
 create mode 100644 akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/RotatingKeysSSLEngineProviderSpec.scala
 create mode 100644 akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/TlsResourcesSpec.scala
 create mode 100644 akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/X509ReadersSpec.scala

diff --git a/akka-remote/src/main/resources/reference.conf b/akka-remote/src/main/resources/reference.conf
index 8e74e151c8..06a0248730 100644
--- a/akka-remote/src/main/resources/reference.conf
+++ b/akka-remote/src/main/resources/reference.conf
@@ -1098,7 +1098,6 @@ akka {
           outbound-client-hostname = ""
         }
 
-
       }
 
       # SSL configuration that is used when transport=tls-tcp.
@@ -1176,6 +1175,63 @@ akka {
           hostname-verification = off
         }
 
+        # Config of akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider
+        # This engine provider reads PEM files from a mount point shared with the secret
+        # manager. The constructed SSLContext is cached some time (configurable) so when
+        # the credentials rotate the new credentials are eventually picked up.
+        # By default mTLS is enabled.
+        # This provider also includes a verification fase that runs after the TLS handshake
+        # phase. In this verification, both peers run an authorization and verify they are
+        # part of the same akka cluster. The verification happens via comparing the subject
+        # names in the peer's certificate with the name on the own certificate so if you
+        # use this SSLEngineProvider you should make sure all nodes on the cluster include
+        # at least one common subject name (CN or SAN).
+        # The Key setup this implementation supports has some limitations:
+        #   1. the private key must be provided on a PKCS#1 or a non-encrypted PKCS#8 PEM-formatted file
+        #   2. the private key must be be of an algorythm supported by `akka-pki` tools (e.g. "RSA", not "EC")
+        #   3. the node certificate must be issued by a root CA (not an intermediate CA)
+        #   4. both the node and the CA certificates must be provided in PEM-formatted files
+        rotating-keys-engine {
+
+          # This is a convention that people may follow if they wish to save themselves some configuration
+          secret-mount-point = /var/run/secrets/akka-tls/rotating-keys-engine
+
+          # The absolute path the PEM file with the private key.
+          key-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/tls.key
+          # The absolute path to the PEM file of the certificate for the private key above.
+          cert-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/tls.crt
+          # The absolute path to the PEM file of the certificate of the CA that emited
+          # the node certificate above.
+          ca-cert-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/ca.crt
+
+          # There are two options, and the default SecureRandom is recommended:
+          # "" or "SecureRandom" => (default)
+          # "SHA1PRNG" => Can be slow because of blocking issues on Linux
+          #
+          # Setting a value here may require you to supply the appropriate cipher
+          # suite (see enabled-algorithms section)
+          random-number-generator = ""
+
+          # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+          #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          #   "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+          #   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+          # If you use a JDK 8 prior to 8u161 you need to install
+          # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
+          # More info here:
+          # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
+          enabled-algorithms = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+
+          # Protocol to use for SSL encryption, choose from:
+          # TLS 1.2 is available since JDK7, and default since JDK8:
+          # https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls
+          protocol = "TLSv1.2"
+
+          # How long should an SSLContext instance be cached. When rotating keys and certificates,
+          # there must a time overlap between the old certificate/key and the new ones. The
+          # value of this setting should be lower than duration of that overlap.
+          ssl-context-cache-ttl = 5m
+        }
       }
     }
   }
diff --git a/akka-remote/src/main/scala/akka/remote/artery/tcp/ConfigSSLEngineProvider.scala b/akka-remote/src/main/scala/akka/remote/artery/tcp/ConfigSSLEngineProvider.scala
new file mode 100644
index 0000000000..cf79ba5b3b
--- /dev/null
+++ b/akka-remote/src/main/scala/akka/remote/artery/tcp/ConfigSSLEngineProvider.scala
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp
+
+import java.io.FileNotFoundException
+import java.io.IOException
+import java.nio.file.Files
+import java.nio.file.Paths
+import java.security.GeneralSecurityException
+import java.security.KeyStore
+import java.security.SecureRandom
+
+import akka.actor.ActorSystem
+import akka.event.LogMarker
+import akka.event.Logging
+import akka.event.MarkerLoggingAdapter
+import akka.remote.artery.tcp.ssl.SSLEngineConfig
+import akka.stream.TLSRole
+import com.typesafe.config.Config
+import javax.net.ssl.KeyManager
+import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLSession
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+
+import scala.util.Try
+
+/**
+ * Config in akka.remote.artery.ssl.config-ssl-engine
+ *
+ * Subclass may override protected methods to replace certain parts, such as key and trust manager.
+ */
+class ConfigSSLEngineProvider(protected val config: Config, protected val log: MarkerLoggingAdapter)
+    extends SSLEngineProvider {
+
+  def this(system: ActorSystem) =
+    this(
+      system.settings.config.getConfig("akka.remote.artery.ssl.config-ssl-engine"),
+      Logging.withMarker(system, classOf[ConfigSSLEngineProvider].getName))
+
+  private val sslEngineConfig = new SSLEngineConfig(config)
+
+  val SSLKeyStore: String = config.getString("key-store")
+  val SSLTrustStore: String = config.getString("trust-store")
+  val SSLKeyStorePassword: String = config.getString("key-store-password")
+  val SSLKeyPassword: String = config.getString("key-password")
+  val SSLTrustStorePassword: String = config.getString("trust-store-password")
+  val SSLEnabledAlgorithms: Set[String] = sslEngineConfig.SSLEnabledAlgorithms
+  val SSLProtocol: String = sslEngineConfig.SSLProtocol
+  val SSLRandomNumberGenerator: String = sslEngineConfig.SSLRandomNumberGenerator
+  val SSLRequireMutualAuthentication: Boolean = sslEngineConfig.SSLRequireMutualAuthentication
+  val HostnameVerification: Boolean = sslEngineConfig.HostnameVerification
+
+  private lazy val sslContext: SSLContext = {
+    // log hostname verification warning once
+    if (HostnameVerification)
+      log.debug("TLS/SSL hostname verification is enabled.")
+    else
+      log.info(
+        LogMarker.Security,
+        "TLS/SSL hostname verification is disabled. See Akka reference documentation for more information.")
+
+    constructContext()
+  }
+
+  private def constructContext(): SSLContext = {
+    try {
+      val rng = createSecureRandom()
+      val ctx = SSLContext.getInstance(SSLProtocol)
+      ctx.init(keyManagers, trustManagers, rng)
+      ctx
+    } catch {
+      case e: FileNotFoundException =>
+        throw new SslTransportException(
+          "Server SSL connection could not be established because key store could not be loaded",
+          e)
+      case e: IOException =>
+        throw new SslTransportException("Server SSL connection could not be established because: " + e.getMessage, e)
+      case e: GeneralSecurityException =>
+        throw new SslTransportException(
+          "Server SSL connection could not be established because SSL context could not be constructed",
+          e)
+    }
+  }
+
+  /**
+   * Subclass may override to customize loading of `KeyStore`
+   */
+  protected def loadKeystore(filename: String, password: String): KeyStore = {
+    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
+    val fin = Files.newInputStream(Paths.get(filename))
+    try keyStore.load(fin, password.toCharArray)
+    finally Try(fin.close())
+    keyStore
+  }
+
+  /**
+   * Subclass may override to customize `KeyManager`
+   */
+  protected def keyManagers: Array[KeyManager] = {
+    val factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
+    factory.init(loadKeystore(SSLKeyStore, SSLKeyStorePassword), SSLKeyPassword.toCharArray)
+    factory.getKeyManagers
+  }
+
+  /**
+   * Subclass may override to customize `TrustManager`
+   */
+  protected def trustManagers: Array[TrustManager] = {
+    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
+    trustManagerFactory.init(loadKeystore(SSLTrustStore, SSLTrustStorePassword))
+    trustManagerFactory.getTrustManagers
+  }
+
+  def createSecureRandom(): SecureRandom =
+    SecureRandomFactory.createSecureRandom(SSLRandomNumberGenerator, log)
+
+  override def createServerSSLEngine(hostname: String, port: Int): SSLEngine =
+    createSSLEngine(akka.stream.Server, hostname, port)
+
+  override def createClientSSLEngine(hostname: String, port: Int): SSLEngine =
+    createSSLEngine(akka.stream.Client, hostname, port)
+
+  private def createSSLEngine(role: TLSRole, hostname: String, port: Int): SSLEngine = {
+    createSSLEngine(sslContext, role, hostname, port)
+  }
+
+  private def createSSLEngine(sslContext: SSLContext, role: TLSRole, hostname: String, port: Int): SSLEngine = {
+
+    val engine = sslContext.createSSLEngine(hostname, port)
+
+    if (HostnameVerification && role == akka.stream.Client) {
+      val sslParams = sslContext.getDefaultSSLParameters
+      sslParams.setEndpointIdentificationAlgorithm("HTTPS")
+      engine.setSSLParameters(sslParams)
+    }
+
+    engine.setUseClientMode(role == akka.stream.Client)
+    engine.setEnabledCipherSuites(SSLEnabledAlgorithms.toArray)
+    engine.setEnabledProtocols(Array(SSLProtocol))
+
+    if ((role != akka.stream.Client) && SSLRequireMutualAuthentication)
+      engine.setNeedClientAuth(true)
+
+    engine
+  }
+
+  override def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable] =
+    None
+
+  override def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable] =
+    None
+
+}
diff --git a/akka-remote/src/main/scala/akka/remote/artery/tcp/SSLEngineProvider.scala b/akka-remote/src/main/scala/akka/remote/artery/tcp/SSLEngineProvider.scala
index 29767e1f1d..8e624eb904 100644
--- a/akka-remote/src/main/scala/akka/remote/artery/tcp/SSLEngineProvider.scala
+++ b/akka-remote/src/main/scala/akka/remote/artery/tcp/SSLEngineProvider.scala
@@ -5,35 +5,11 @@
 package akka.remote.artery
 package tcp
 
-import java.io.FileNotFoundException
-import java.io.IOException
-import java.nio.file.Files
-import java.nio.file.Paths
-import java.security.GeneralSecurityException
-import java.security.KeyStore
-import java.security.SecureRandom
-import javax.net.ssl.KeyManager
-import javax.net.ssl.KeyManagerFactory
-import javax.net.ssl.SSLContext
-import javax.net.ssl.SSLEngine
-import javax.net.ssl.SSLSession
-import javax.net.ssl.TrustManager
-import javax.net.ssl.TrustManagerFactory
-
-import scala.util.Try
-
-import com.typesafe.config.Config
-
-import akka.actor.ActorSystem
 import akka.actor.ExtendedActorSystem
 import akka.actor.setup.Setup
-import akka.annotation.InternalApi
-import akka.event.LogMarker
-import akka.event.Logging
-import akka.event.MarkerLoggingAdapter
-import akka.japi.Util.immutableSeq
-import akka.stream.TLSRole
 import akka.util.ccompat._
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLSession
 
 @ccompatUsedUntil213
 trait SSLEngineProvider {
@@ -60,132 +36,6 @@ trait SSLEngineProvider {
 
 class SslTransportException(message: String, cause: Throwable) extends RuntimeException(message, cause)
 
-/**
- * Config in akka.remote.artery.ssl.config-ssl-engine
- *
- * Subclass may override protected methods to replace certain parts, such as key and trust manager.
- */
-class ConfigSSLEngineProvider(protected val config: Config, protected val log: MarkerLoggingAdapter)
-    extends SSLEngineProvider {
-
-  def this(system: ActorSystem) =
-    this(
-      system.settings.config.getConfig("akka.remote.artery.ssl.config-ssl-engine"),
-      Logging.withMarker(system, classOf[ConfigSSLEngineProvider].getName))
-
-  val SSLKeyStore: String = config.getString("key-store")
-  val SSLTrustStore: String = config.getString("trust-store")
-  val SSLKeyStorePassword: String = config.getString("key-store-password")
-  val SSLKeyPassword: String = config.getString("key-password")
-  val SSLTrustStorePassword: String = config.getString("trust-store-password")
-  val SSLEnabledAlgorithms: Set[String] = immutableSeq(config.getStringList("enabled-algorithms")).to(Set)
-  val SSLProtocol: String = config.getString("protocol")
-  val SSLRandomNumberGenerator: String = config.getString("random-number-generator")
-  val SSLRequireMutualAuthentication: Boolean = config.getBoolean("require-mutual-authentication")
-  val HostnameVerification: Boolean = config.getBoolean("hostname-verification")
-
-  private lazy val sslContext: SSLContext = {
-    // log hostname verification warning once
-    if (HostnameVerification)
-      log.debug("TLS/SSL hostname verification is enabled.")
-    else
-      log.info(
-        LogMarker.Security,
-        "TLS/SSL hostname verification is disabled. See Akka reference documentation for more information.")
-
-    constructContext()
-  }
-
-  private def constructContext(): SSLContext = {
-    try {
-      val rng = createSecureRandom()
-      val ctx = SSLContext.getInstance(SSLProtocol)
-      ctx.init(keyManagers, trustManagers, rng)
-      ctx
-    } catch {
-      case e: FileNotFoundException =>
-        throw new SslTransportException(
-          "Server SSL connection could not be established because key store could not be loaded",
-          e)
-      case e: IOException =>
-        throw new SslTransportException("Server SSL connection could not be established because: " + e.getMessage, e)
-      case e: GeneralSecurityException =>
-        throw new SslTransportException(
-          "Server SSL connection could not be established because SSL context could not be constructed",
-          e)
-    }
-  }
-
-  /**
-   * Subclass may override to customize loading of `KeyStore`
-   */
-  protected def loadKeystore(filename: String, password: String): KeyStore = {
-    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
-    val fin = Files.newInputStream(Paths.get(filename))
-    try keyStore.load(fin, password.toCharArray)
-    finally Try(fin.close())
-    keyStore
-  }
-
-  /**
-   * Subclass may override to customize `KeyManager`
-   */
-  protected def keyManagers: Array[KeyManager] = {
-    val factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
-    factory.init(loadKeystore(SSLKeyStore, SSLKeyStorePassword), SSLKeyPassword.toCharArray)
-    factory.getKeyManagers
-  }
-
-  /**
-   * Subclass may override to customize `TrustManager`
-   */
-  protected def trustManagers: Array[TrustManager] = {
-    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
-    trustManagerFactory.init(loadKeystore(SSLTrustStore, SSLTrustStorePassword))
-    trustManagerFactory.getTrustManagers
-  }
-
-  def createSecureRandom(): SecureRandom =
-    SecureRandomFactory.createSecureRandom(SSLRandomNumberGenerator, log)
-
-  override def createServerSSLEngine(hostname: String, port: Int): SSLEngine =
-    createSSLEngine(akka.stream.Server, hostname, port)
-
-  override def createClientSSLEngine(hostname: String, port: Int): SSLEngine =
-    createSSLEngine(akka.stream.Client, hostname, port)
-
-  private def createSSLEngine(role: TLSRole, hostname: String, port: Int): SSLEngine = {
-    createSSLEngine(sslContext, role, hostname, port)
-  }
-
-  private def createSSLEngine(sslContext: SSLContext, role: TLSRole, hostname: String, port: Int): SSLEngine = {
-
-    val engine = sslContext.createSSLEngine(hostname, port)
-
-    if (HostnameVerification && role == akka.stream.Client) {
-      val sslParams = sslContext.getDefaultSSLParameters
-      sslParams.setEndpointIdentificationAlgorithm("HTTPS")
-      engine.setSSLParameters(sslParams)
-    }
-
-    engine.setUseClientMode(role == akka.stream.Client)
-    engine.setEnabledCipherSuites(SSLEnabledAlgorithms.toArray)
-    engine.setEnabledProtocols(Array(SSLProtocol))
-
-    if ((role != akka.stream.Client) && SSLRequireMutualAuthentication)
-      engine.setNeedClientAuth(true)
-
-    engine
-  }
-
-  override def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable] =
-    None
-
-  override def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable] =
-    None
-
-}
-
 object SSLEngineProviderSetup {
 
   /**
@@ -214,31 +64,3 @@ object SSLEngineProviderSetup {
  * Constructor is *Internal API*, use factories in [[SSLEngineProviderSetup]]
  */
 class SSLEngineProviderSetup private (val sslEngineProvider: ExtendedActorSystem => SSLEngineProvider) extends Setup
-
-/**
- * INTERNAL API
- */
-@InternalApi private[akka] object SecureRandomFactory {
-  def createSecureRandom(randomNumberGenerator: String, log: MarkerLoggingAdapter): SecureRandom = {
-    val rng = randomNumberGenerator match {
-      case s @ ("SHA1PRNG" | "NativePRNG") =>
-        log.debug("SSL random number generator set to: {}", s)
-        // SHA1PRNG needs /dev/urandom to be the source on Linux to prevent problems with /dev/random blocking
-        // However, this also makes the seed source insecure as the seed is reused to avoid blocking (not a problem on FreeBSD).
-        SecureRandom.getInstance(s)
-
-      case "" | "SecureRandom" =>
-        log.debug("SSL random number generator set to [SecureRandom]")
-        new SecureRandom
-
-      case unknown =>
-        log.warning(
-          LogMarker.Security,
-          "Unknown SSL random number generator [{}] falling back to SecureRandom",
-          unknown)
-        new SecureRandom
-    }
-    rng.nextInt() // prevent stall on first access
-    rng
-  }
-}
diff --git a/akka-remote/src/main/scala/akka/remote/artery/tcp/SecureRandomFactory.scala b/akka-remote/src/main/scala/akka/remote/artery/tcp/SecureRandomFactory.scala
new file mode 100644
index 0000000000..a9879372dc
--- /dev/null
+++ b/akka-remote/src/main/scala/akka/remote/artery/tcp/SecureRandomFactory.scala
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp
+
+import java.security.SecureRandom
+
+import akka.annotation.InternalApi
+import akka.event.LogMarker
+import akka.event.MarkerLoggingAdapter
+import com.typesafe.config.Config
+
+/**
+ * INTERNAL API
+ */
+@InternalApi private[akka] object SecureRandomFactory {
+
+  val GeneratorSha1Prng = "SHA1PRNG"
+  val GeneratorNativePrng = "NativePRNG"
+  val GeneratorJdkSecureRandom = "SecureRandom"
+
+  /**
+   * INTERNAL API
+   */
+  @InternalApi
+  // extracted as a method for testing
+  private[tcp] def rngConfig(config: Config) = {
+    config.getString("random-number-generator")
+  }
+
+  def createSecureRandom(config: Config, log: MarkerLoggingAdapter): SecureRandom = {
+    createSecureRandom(rngConfig(config), log)
+  }
+
+  def createSecureRandom(randomNumberGenerator: String, log: MarkerLoggingAdapter): SecureRandom = {
+    val rng = randomNumberGenerator match {
+      case s @ (GeneratorSha1Prng | GeneratorNativePrng) =>
+        log.debug("SSL random number generator set to: {}", s)
+        // SHA1PRNG needs /dev/urandom to be the source on Linux to prevent problems with /dev/random blocking
+        // However, this also makes the seed source insecure as the seed is reused to avoid blocking (not a problem on FreeBSD).
+        SecureRandom.getInstance(s)
+
+      case "" | GeneratorJdkSecureRandom =>
+        log.debug("SSL random number generator set to [SecureRandom]")
+        new SecureRandom
+
+      case unknown =>
+        log.warning(
+          LogMarker.Security,
+          "Unknown SSL random number generator [{}] falling back to SecureRandom",
+          unknown)
+        new SecureRandom
+    }
+    rng.nextInt() // prevent stall on first access
+    rng
+  }
+}
diff --git a/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/PemManagersProvider.scala b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/PemManagersProvider.scala
new file mode 100644
index 0000000000..5b803721c8
--- /dev/null
+++ b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/PemManagersProvider.scala
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.io.ByteArrayInputStream
+import java.io.File
+import java.nio.charset.Charset
+import java.nio.file.Files
+import java.security.KeyStore
+import java.security.PrivateKey
+import java.security.cert.Certificate
+import java.security.cert.CertificateFactory
+import java.security.cert.X509Certificate
+
+import akka.annotation.InternalApi
+import akka.pki.pem.DERPrivateKeyLoader
+import akka.pki.pem.PEMDecoder
+import javax.net.ssl.KeyManager
+import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+
+import scala.concurrent.blocking
+
+/**
+ * INTERNAL API
+ */
+@InternalApi
+private[ssl] object PemManagersProvider {
+
+  /**
+   * INTERNAL API
+   */
+  @InternalApi
+  private[ssl] def buildKeyManagers(
+      privateKey: PrivateKey,
+      cert: X509Certificate,
+      cacert: Certificate): Array[KeyManager] = {
+    val keyStore = KeyStore.getInstance("JKS")
+    keyStore.load(null)
+
+    keyStore.setCertificateEntry("cert", cert)
+    keyStore.setCertificateEntry("cacert", cacert)
+    keyStore.setKeyEntry("private-key", privateKey, "changeit".toCharArray, Array(cert, cacert))
+
+    val kmf =
+      KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
+    kmf.init(keyStore, "changeit".toCharArray)
+    val keyManagers = kmf.getKeyManagers
+    keyManagers
+  }
+
+  /**
+   * INTERNAL API
+   */
+  @InternalApi
+  private[ssl] def buildTrustManagers(cacert: Certificate): Array[TrustManager] = {
+    val trustStore = KeyStore.getInstance("JKS")
+    trustStore.load(null)
+    trustStore.setCertificateEntry("cacert", cacert)
+
+    val tmf =
+      TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
+    tmf.init(trustStore)
+    tmf.getTrustManagers
+  }
+
+  /**
+   * INTERNAL API
+   */
+  @InternalApi
+  private[ssl] def loadPrivateKey(filename: String): PrivateKey = blocking {
+    val bytes = Files.readAllBytes(new File(filename).toPath)
+    val pemData = new String(bytes, Charset.forName("UTF-8"))
+    DERPrivateKeyLoader.load(PEMDecoder.decode(pemData))
+  }
+
+  private val certFactory = CertificateFactory.getInstance("X.509")
+
+  /**
+   * INTERNAL API
+   */
+  @InternalApi
+  private[ssl] def loadCertificate(filename: String): Certificate = blocking {
+    val bytes = Files.readAllBytes(new File(filename).toPath)
+    certFactory.generateCertificate(new ByteArrayInputStream(bytes))
+  }
+
+}
diff --git a/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/RotatingKeysSSLEngineProvider.scala b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/RotatingKeysSSLEngineProvider.scala
new file mode 100644
index 0000000000..631d8f63a5
--- /dev/null
+++ b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/RotatingKeysSSLEngineProvider.scala
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.io.FileNotFoundException
+import java.io.IOException
+import java.security.GeneralSecurityException
+import java.security.PrivateKey
+import java.security.SecureRandom
+import java.security.cert.Certificate
+import java.security.cert.X509Certificate
+
+import akka.actor.ActorSystem
+import akka.annotation.ApiMayChange
+import akka.annotation.InternalApi
+import akka.event.Logging
+import akka.event.MarkerLoggingAdapter
+import akka.remote.artery.tcp.SSLEngineProvider
+import akka.remote.artery.tcp.SecureRandomFactory
+import akka.remote.artery.tcp.SslTransportException
+import akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider.CachedContext
+import akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider.ConfiguredContext
+import akka.stream.TLSRole
+import com.typesafe.config.Config
+import javax.net.ssl.KeyManager
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLSession
+import javax.net.ssl.TrustManager
+
+import scala.concurrent.duration._
+
+/**
+ * Variation on ConfigSSLEngineProvider that will periodically reload the keys and certificates
+ * from disk, to facilitate rolling updates of certificates.
+ *
+ * This class is still ApiMayChange because it can likely be further harmonized with
+ * the standard ConfigSSLEngineProvider. Also the location and default values of the
+ * configuration may change in future versions of Akka.
+ *
+ * This provider does not perform hostname verification, but instead allows checking
+ * that the remote certificate has a subject name that matches the subject name of
+ * the configured certificate.
+ */
+@ApiMayChange
+final class RotatingKeysSSLEngineProvider(val config: Config, protected val log: MarkerLoggingAdapter)
+    extends SSLEngineProvider {
+
+  def this(system: ActorSystem) =
+    this(
+      system.settings.config.getConfig("akka.remote.artery.ssl.rotating-keys-engine"),
+      Logging.withMarker(system, classOf[RotatingKeysSSLEngineProvider].getName))
+
+  // read config
+
+  private val SSLKeyFile: String = config.getString("key-file")
+  private val SSLCertFile: String = config.getString("cert-file")
+  private val SSLCACertFile: String = config.getString("ca-cert-file")
+
+  private val sslEngineConfig = new SSLEngineConfig(config)
+  import sslEngineConfig._
+
+  // build a PRNG (created once, reused on every instance of SSLContext
+  private val rng: SecureRandom = SecureRandomFactory.createSecureRandom(SSLRandomNumberGenerator, log)
+
+  // handle caching
+  @volatile private var cachedContext: Option[CachedContext] = None
+
+  /** INTERNAL API */
+  @InternalApi
+  private[ssl] def getSSLContext() = getContext().context
+  private def getContext(): ConfiguredContext = {
+    cachedContext match {
+      case Some(CachedContext(_, expired)) if expired.isOverdue() =>
+        // Multiple connection requests arriving when the cache is overdue will
+        // create different CachedContext instances and only the last one will
+        // be cached. This is fine.
+        val context = constructContext()
+        cachedContext = Some(CachedContext(context, SSLContextCacheTime.fromNow))
+        context
+      case Some(CachedContext(cached, _)) => cached
+      case None                           =>
+        // Multiple connection requests arriving when the cache is empty will
+        // create different CachedContext instances. This is fine.
+        val context = constructContext()
+        cachedContext = Some(CachedContext(context, SSLContextCacheTime.fromNow))
+        context
+    }
+  }
+
+  // Construct the cached instance
+  private def constructContext(): ConfiguredContext = {
+    val (privateKey, cert, cacert) = readFiles()
+    try {
+      val keyManagers: Array[KeyManager] = PemManagersProvider.buildKeyManagers(privateKey, cert, cacert)
+      val trustManagers: Array[TrustManager] = PemManagersProvider.buildTrustManagers(cacert)
+
+      val sessionVerifier = new PeerSubjectVerifier(cert)
+
+      val ctx = SSLContext.getInstance(SSLProtocol)
+      ctx.init(keyManagers, trustManagers, rng)
+      ConfiguredContext(ctx, sessionVerifier)
+    } catch {
+      case e: GeneralSecurityException =>
+        throw new SslTransportException(
+          "Server SSL connection could not be established because SSL context could not be constructed",
+          e)
+      case e: IllegalArgumentException =>
+        throw new SslTransportException("Server SSL connection could not be established because: " + e.getMessage, e)
+    }
+  }
+
+  private def readFiles(): (PrivateKey, X509Certificate, Certificate) = {
+    try {
+      val cacert: Certificate = PemManagersProvider.loadCertificate(SSLCACertFile)
+      val cert: X509Certificate = PemManagersProvider.loadCertificate(SSLCertFile).asInstanceOf[X509Certificate]
+      val privateKey: PrivateKey = PemManagersProvider.loadPrivateKey(SSLKeyFile)
+      (privateKey, cert, cacert)
+    } catch {
+      case e: FileNotFoundException =>
+        throw new SslTransportException(
+          "Server SSL connection could not be established because a key or cert could not be loaded",
+          e)
+      case e: IOException =>
+        throw new SslTransportException("Server SSL connection could not be established because: " + e.getMessage, e)
+    }
+  }
+
+  // Implement the SSLEngine create methods from the trait
+  override def createServerSSLEngine(hostname: String, port: Int): SSLEngine =
+    createSSLEngine(akka.stream.Server, hostname, port)(getContext().context)
+
+  override def createClientSSLEngine(hostname: String, port: Int): SSLEngine =
+    createSSLEngine(akka.stream.Client, hostname, port)(getContext().context)
+
+  private def createSSLEngine(role: TLSRole, hostname: String, port: Int)(sslContext: SSLContext) = {
+
+    val engine = sslContext.createSSLEngine(hostname, port)
+
+    engine.setUseClientMode(role == akka.stream.Client)
+    engine.setEnabledCipherSuites(SSLEnabledAlgorithms.toArray)
+    engine.setEnabledProtocols(Array(SSLProtocol))
+
+    if (role != akka.stream.Client) engine.setNeedClientAuth(true)
+
+    engine
+  }
+
+  // Implement the post-handshake verification methods from the trait
+  override def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable] =
+    getContext().sessionVerifier.verifyClientSession(hostname, session)
+
+  override def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable] =
+    getContext().sessionVerifier.verifyServerSession(hostname, session)
+
+}
+
+object RotatingKeysSSLEngineProvider {
+
+  /**
+   * INTERNAL API
+   */
+  @InternalApi
+  private case class CachedContext(cached: ConfiguredContext, expires: Deadline)
+
+  /**
+   * INTERNAL API
+   */
+  @InternalApi
+  private case class ConfiguredContext(context: SSLContext, sessionVerifier: SessionVerifier)
+
+}
diff --git a/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/SSLEngineConfig.scala b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/SSLEngineConfig.scala
new file mode 100644
index 0000000000..82a475bd5f
--- /dev/null
+++ b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/SSLEngineConfig.scala
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import akka.annotation.InternalApi
+import akka.japi.Util.immutableSeq
+import com.typesafe.config.Config
+
+import scala.concurrent.duration.FiniteDuration
+import scala.concurrent.duration._
+
+/**
+ * INTERNAL API
+ */
+@InternalApi
+private[tcp] class SSLEngineConfig(config: Config) {
+  private[tcp] val SSLRandomNumberGenerator: String = config.getString("random-number-generator")
+
+  private[tcp] val SSLProtocol: String = config.getString("protocol")
+  private[tcp] val SSLEnabledAlgorithms: Set[String] =
+    immutableSeq(config.getStringList("enabled-algorithms")).toSet
+  private[tcp] val SSLRequireMutualAuthentication: Boolean = {
+    if (config.hasPath("require-mutual-authentication"))
+      config.getBoolean("require-mutual-authentication")
+    else
+      false
+  }
+  private[tcp] val HostnameVerification: Boolean = {
+    if (config.hasPath("hostname-verification"))
+      config.getBoolean("hostname-verification")
+    else
+      false
+  }
+  private[tcp] val SSLContextCacheTime: FiniteDuration =
+    if (config.hasPath("ssl-context-cache-ttl"))
+      config.getDuration("ssl-context-cache-ttl").toMillis.millis
+    else
+      1024.days // a lot of days (not Inf, because `Inf` is not a FiniteDuration
+}
diff --git a/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/SessionVerifier.scala b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/SessionVerifier.scala
new file mode 100644
index 0000000000..2a2771d08e
--- /dev/null
+++ b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/SessionVerifier.scala
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.security.cert.X509Certificate
+
+import akka.annotation.InternalApi
+import javax.net.ssl.SSLSession
+
+/**
+ * Allows hooking in extra verification before finishing the SSL handshake.
+ *
+ * INTERNAL API
+ */
+@InternalApi
+private[ssl] trait SessionVerifier {
+  def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable]
+  def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable]
+}
+
+/**
+ * This verifier approves all sessions.
+ *
+ * INTERNAL API
+ */
+@InternalApi
+private[ssl] final object NoopSessionVerifier extends SessionVerifier {
+  override def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable] = None
+  override def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable] = None
+}
+
+/**
+ * This is a TLS session verifier that checks the peer has a subject name that matches
+ * the subject name of the given certificate. This can be useful to prevent accidentally
+ * connecting with other nodes that have certificates that, while being signed by the
+ * same certificate authority, belong to different clusters.
+ *
+ * INTERNAL API
+ */
+@InternalApi
+private[ssl] final class PeerSubjectVerifier(peerCertificate: X509Certificate) extends SessionVerifier {
+  override def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable] =
+    verifyPeerCertificates(session)
+  override def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable] =
+    verifyPeerCertificates(session)
+
+  private def verifyPeerCertificates(session: SSLSession) = {
+    val mySubjectNames = X509Readers.getAllSubjectNames(peerCertificate)
+    if (session.getPeerCertificates.length == 0) {
+      Some(new IllegalArgumentException("No peer certificates"))
+    }
+    session.getPeerCertificates()(0) match {
+      case x509: X509Certificate =>
+        val peerSubjectNames =
+          X509Readers.getAllSubjectNames(x509)
+        if (mySubjectNames.exists(peerSubjectNames)) None
+        else
+          Some(
+            new IllegalArgumentException(
+              s"None of the peer subject names $peerSubjectNames were in local subject names $mySubjectNames"))
+      case other =>
+        Some(new IllegalArgumentException(s"Unknown certificate type: ${other.getClass}"))
+    }
+  }
+
+}
diff --git a/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/X509Readers.scala b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/X509Readers.scala
new file mode 100644
index 0000000000..51f44374e2
--- /dev/null
+++ b/akka-remote/src/main/scala/akka/remote/artery/tcp/ssl/X509Readers.scala
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.security.cert.X509Certificate
+import java.util
+
+import akka.annotation.InternalApi
+import javax.naming.ldap.LdapName
+import akka.util.ccompat.JavaConverters._
+
+/**
+ * INTERNAL API
+ */
+@InternalApi
+private[akka] object X509Readers {
+
+  def getAllSubjectNames(cert: X509Certificate): Set[String] = {
+    val maybeCommonName =
+      new LdapName(cert.getSubjectX500Principal.getName).getRdns.asScala.collectFirst {
+        case attr if attr.getType.equalsIgnoreCase("CN") =>
+          attr.getValue.toString
+      }
+
+    val iterable: Iterable[util.List[_]] = Option(cert.getSubjectAlternativeNames).map(_.asScala).getOrElse(Nil)
+    val alternates = iterable.collect {
+      // See the javadocs of cert.getSubjectAlternativeNames for what this list contains,
+      // first element should be an integer, if that integer is 2, then the second element
+      // is a String containing the DNS name.
+      case list if list.size() == 2 && list.get(0) == 2 =>
+        list.get(1) match {
+          case dnsName: String => dnsName
+          case other =>
+            throw new IllegalArgumentException(
+              s"Error reading Subject Alternative Name, expected dns name to be a String, but instead got a ${other.getClass}")
+        }
+    }
+
+    maybeCommonName.toSet ++ alternates
+  }
+
+}
diff --git a/akka-remote/src/test/resources/Makefile b/akka-remote/src/test/resources/Makefile
index 5343762ec5..86edcc4eaf 100644
--- a/akka-remote/src/test/resources/Makefile
+++ b/akka-remote/src/test/resources/Makefile
@@ -1,3 +1,5 @@
+# Documents how truststore and keystore were created
+
 all: truststore keystore
 
 truststore: domain.crt
@@ -6,12 +8,17 @@ truststore: domain.crt
 keystore: domain.crt domain.key
 	openssl pkcs12 -export -inkey domain.key -passin pass:changeme -in domain.crt -out keystore -passout pass:changeme
 
-domain.crt: domain.csr domain.key
-	openssl x509 -req -in domain.csr -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.crt -extensions SAN -signkey domain.key
+domain.crt: domain.csr domain.key domain.cnf
+	openssl x509 -req -in domain.csr -sha256 -extfile domain.cnf -out domain.crt -extensions SAN -signkey domain.key
 
-domain.csr:
-	openssl req -new -sha256 -key domain.key -subj "/C=ZA/ST=web/O=Lightbend/CN=akka-remote" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.csr -passout pass:changeme
+domain.cnf:
+	cat /etc/ssl/openssl.cnf > domain.cnf
+	echo "[SAN]" >> domain.cnf
+	echo "subjectAltName=DNS:localhost" >> domain.cnf
+
+domain.csr: domain.cnf
+	openssl req -new -newkey rsa:2048 -keyout domain.key -subj "/C=ZA/ST=web/O=Lightbend/CN=akka-remote" -reqexts SAN -config domain.cnf -out domain.csr -passout pass:changeme
 
 .PHONY: clean
 clean:
-	rm domain.crt domain.csr keystore truststore
+	rm domain.key domain.crt domain.csr keystore truststore domain.cnf
diff --git a/akka-remote/src/test/resources/domain.crt b/akka-remote/src/test/resources/domain.crt
new file mode 100644
index 0000000000..facd3f74a6
--- /dev/null
+++ b/akka-remote/src/test/resources/domain.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhigAwIBAgIULYjj2NGVQ1r1MzK9j03lmw/s9AAwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCWkExDDAKBgNVBAgMA3dlYjESMBAGA1UECgwJTGlnaHRi
+ZW5kMRQwEgYDVQQDDAtha2thLXJlbW90ZTAeFw0yMDA2MDIxMTA1MDVaFw0yMDA3
+MDIxMTA1MDVaMEUxCzAJBgNVBAYTAlpBMQwwCgYDVQQIDAN3ZWIxEjAQBgNVBAoM
+CUxpZ2h0YmVuZDEUMBIGA1UEAwwLYWtrYS1yZW1vdGUwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC8bahFbJFC31YWoyJGdOasMnZHE+D3jjnTmGS+E6Ev
+YxQ1zR+ja2CpDv1M5VjOS4qzVXBXm/2OM35Er6sE+cAdtO8qXq39hzhNoS5nvHIo
+hl881MHIbndohtMZm2NsKM2yHnqnFI4jMnlEK9d8gmn25PsqUwOC9g9h4HOp+qys
+mqDzMmyZSS3qotyximOPBIQcRan6xh9i3Zhi3VRIxMl9WNR1gU5sbOeO4G7xsKyY
+FjfEeVjyDOG1pYHpnBVtqTDJoNzs5jZIslzpZU/iCW1fF2r5VwCuwMj/fgSxz7Qv
+LXqw70QDKeDkebgaTmhqAtYbAT20JXwMCuiE+8Lo4hGbAgMBAAGjGDAWMBQGA1Ud
+EQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAm97sH2qjazMJV66X
+wJfxk72qHpZIXyzGIAcORcF8lxDOKaqO8q85cZa9uNhq+CtSOEN41KupBKVk4dfa
+ZZ7IWFqptXKsztQ6Ff+ruEX3ZeW3ZsZp72+PuauC6ClNmxZG4/bUA0uKKd8s5yPK
+jqJ3KR6ZuYykBvT2dQrHdI4LQPC4Sh+AZtfizTh21dYz4F1HPe/aBoDx0eAO6oyF
+S0V6Mm8d/ydCg5wS+s0NmNniia3sww2fud+PyR3AaaubSBKhThQg6pQhFiaxjKSz
+IMCg9Yicy8vem5w+HqOJqoyiPDSdxtInyeNKskxcB7ayOpcWj/TX/W379FWABxeo
+rt8eZw==
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/keystore b/akka-remote/src/test/resources/keystore
index a76d66d7ab4dcc60e5d8baf937df526e002e09ce..14a0e51f7f159fcf237d284e2886745a7e0be84a 100644
GIT binary patch
literal 2421
zcmXqL;w)rhWHxBxG-u<~YV&CO&dbQoxS)wsgQba6#h{5(!JvuxIzozVK@;-{gC^!9
zOpFW$P0V`{GK>Z?Y+O(ico^9X_*ghD|NE0TrF}~l6B7qRLlg6aJ)fqoj`n6sakv@U
zv*KO)BFp<XIP9+M|CV^FChpF&6LFl!9ff(SmpCf3ewlWwHAB3TZ%5FAn=yC)1w_74
zak%6AD&p%7o9zPeat#+2Dy9A4o<8&0PPfdvmlVY7E6<koeJ{8);iUNDh3Aj%xSqXh
z;tt0`%k%RqnOE6*&ax4IbiR~9LYsq~NBj9v#nNcQ3v<$c9^38EqO^E*;;FhBM#&Lx
zox~b1Snpc+{dO_KnXctds;P^oy_y&Mb=sZhSHs@+ZnL*IpnLh0l|cFB+(jjBY!!J+
z7+V?`_DfAUTRms;*UH47kMFK~*!S9LWqx@2g}ME8mwGzi)okbesI+OxdLNA_w$p~S
z_VNJ+pR=x}2Y#rJ)%uv15ySSvHtR<OvlUO_lx>%v?75hB#^#r~EFWh?f)v-CZ$)!h
zgN`mzx;5QNU}yF2^4ESriz-7qrb>CAd*|$X>gM+C61LJCN*7<Tx)^?H4`<ZTJLcVQ
zk9Ixx&}w<KH1F`<AC_xRU;o1D?J`gQzWy_bfHn6`onOq9mJEsE4?LmSlI?nS=QY18
zn_4;*`qyzx<_|j;lW;)&RC1u~CD*G=0{<QF3(MM{li3?%KV{a0kKMl%CK*f<S?_Ii
z=gIan6(zHT^kl2H6{ZD;2*jJ-R<Y$;7Ji+>rDBKabQ#080P9oseO8mrTILE0yQn&E
z5i)(q^ZAyCfzsslD*Nrv-7pOPmb+rze5?NXyFTRYe75zG(&WkaSMLqEb@frb%>niM
z<(ZZK^Hl-@>-!&Aekxs9`M!&Ftxs<EF7t0sUgZR&Fl~-3a7yfEzPWnJokJ1VmZYw{
zRonQ(?3mr<PJ_7mN$o7xvfun$eboDbc-w~?^Vj-4Ee-k?)g15Tz!I0Aeb&lU$w;^M
zhuR0WrP;eDoHQ_d?^D0aZ{^KXO8K?Re<evXeDzXdahmM8QfW=qpVaG3Jw1MZZbXN_
zI#?r7W1YP8p2yc^f4?8x=N)8G_k!ty{gIDWCPr<g2^sY~=XcvIG5&aw-~VS<ppK5?
z@ePY@=Wb7Up&?ab@~=qZyTtzGw`0HV-x~RHpNUNQ)GtC$SI>yp##ARF>b*%#?qC*2
zJ5%xeMXztQF4#C<^P^r~gP+@%n0KdEPupc_q~c<HcY#gXjH%P>s~Gn_vc7Sk<kbIp
z{VT$a%~ZU6gFpW$O_6oKdBbdv&&;O`+m=kfD!8sBv$Y`ON+;Lk`B_}Qo<A*ZsXuo$
zqA>Z{si3Q00-dc+KIJfIVs%8yzzdpKjaZsk^$eO=wG5hA)!4XU*_n%xX+aaqJA)>c
zS17rh8I;Q{qm>-1gC`sV<#LuLmJ=o)^{xv9+S+b!SR4|?dgGUit>anlSDWRTeD>=f
z+V%71*_IV$&f6zez5f|;{;mJQK2F7?!||JyRv-8+edt+2v(sW9r_zhF?6$^SJoIRB
z(;dbwwXgFULT=PfkKXZX#s08Lv1Rsbue;06Zk#7NF`Tb*`Lo*hljAC8u3t4_!cjie
z>bP@j)^vY+EPAELc-rhbhd7BZ?(^Pi)IJwo|JCEu@&hMi_e)EgOJ$WuU*SKzU*<w;
zZ^71OA3L~i%|5oIF>>z0wOg*YX8f<?eO$9HQ|FkTy5`Q5#QC%4x~@&C(MW$}vOlur
z`JLxn)80nD<j@pS<$0EJX1&%4eP^-nQ&tH!rnk-Of5p&X`$g@`!=)!vHqL9yJfjx)
z<jl^vzj>Ca_s@ptlt?FPo^;l~JYj{y_1cX_2J=ltCa&Jil089DaCWE}^FNVnB?~G4
zGc%JHDk;wLEBODTq;vYB+2N8q%-0@g>QzzTTT_27W={rl=x6>9>!d{|UWwWt#}N{L
z=Vj_^uYyQVm8}ONG7ogeu%)N+y?%EjjPFCpm#tNKH-Zx<ne*f+tT|Zi8RN+_Hz+@3
z$FKF5I~PfG<`%>}o%O`FP(SFEV6UM2=`0bMscP;EmPH4)Ij-BO^d#o=nU5>>e%-NJ
zLgkA~Kzm#B(vKFETlepsu6QKvYIs)qj*ie{(LerN6~7Xy++Fbce@rHakI=4NAKr^E
zJEUe_v%7HTsi`M#B&o})M;(6sAw?i#&jk<H)jems*M6QMSe2T+msdwyVB5q6)<?|W
z3g254-5PVlwC9!D|9jT<<vdc|teQogeCtHc+E}OSC+s~E<*?&o_Og%9EK`JaQVKV;
z&vdeQa&uYLd#5#0%#(VZ-+WoJ+-2t<tDrufBCp8}8hVp;m;GG1%i<2Jo98C!IcnOx
zH+DLNHQ3Kl`>%K)F?^S0paN@U<hhK_btgZ^-^)MZ+U#J>6tMM&_gh7ef4R4IZo8A4
z)_!;S)$KVmy6w))k&RB{@x1@qEpK~3ZiTsC>)zib?+Xu?Px=zur991d*PKajAMgGX
zP|LFEPD9L#K8EM3ng!QiUna_4y(&Ro=K<%w=%c|+C5pcLxdoO7Y+oQP_vwg~N|>>G
zNLLf@G(WDN$_JyS*~`v2{mpQLNd3ua4-#HRNq;<0UbxiA=jyLLt&wi}wRZ7uvffCZ
z+uWVrwra|S%@ItT+x!0<e|tlG;pccJV+~(T|5eg!dcLf)+Pdr7Hjx#kUzXILPkQ~=
z(XaE&?^Xw!Yce@K21h$B61(2q%{AXL$Du~AKxR>5Rq{`p-&4}RtlZ$wV=muXv2fLd
z8nYXJr(Q}}-QIO1|G&?aL!l<pOS=CUE#9?xvEcNwq`iDB+hTPd&0y|lULwu;^Fg?i
z(@nL_1t$&%B^-|sJNN%${kun#T3HUb`c4&UIe7N(1gV>nipwNy?}qZ-{BC+V^zbF2
zFCvjjufA=$A$+{rPAwwlXcqIy^XWVf?lL{z)VpQz_Qr?*PBiq?I@B@gU-0W_+~0po
znuV1|T5;a>_RX74XvtTd)44S5cHpm#XBgk!VSMz7`<{*cYq2Yi;oq_jblKV1y73CT
zg%nu!Dz5POQ?PMzg`aU%;V#AM=K{g`kFt*oODUN5+<F+n!MD7x(j=5)|MHrf_M20}
z;@xjGu2kpMwzt+#GgLKDhL?_<qK0BDA|-4Jr`tLoFFZceK={Yz*K72OuXY$18YmiY
yvaxFOF*8ZAGO&m|Z`mhzpDpf8&-Tb|6`zA_3o=fwVBxU%_vPgtPwrq)DG30Rg?{S*

literal 1573
zcmXqLVpC*dWHxAGea^<I)#lOmotKfFaX}O74VEU>D+W!h7Yv%1&LgDQ7Bn#(Flb`h
z!^Fs7(8RPAA;V}O!^Q<QfrpXJfRBZv+oQ5?{-6B+OiUaM4NXiP4^--(ZoRJW?<T7g
zdu8UlZ?@hCIUQAIWN!7{p_n=UZK3g|=TT0IH~q7nmmGRgBwh9L$`_9dIUk?CbMAJ~
z4(l`7ws?yDJUbU%+x^mS9o1Z$rbJE@-pYM##|2f!*Ia8K?Ye7t|Kxh^Wyc=uTNnL3
zu~R>0mGi-0%~xh#E2u8^dr>)IUs(W8T*i@vr`PtUglU~Iw-hnD^tFGf$nLFEi%dEX
zGTc9#GDX-&Y(<z^dJtEgk;1Iww?bln=HI(LvGqz>R@=JOW!Lw&Uk?n5DO;P^cYwvX
zPiZOl8RKI{T&&zJ7Tp@x^nIQgpD0U_m06>xP`KOJDS~P0)JUB<RZ`0uG`DK#pJLy3
zvT%Oz^ZPQZrM{od*l%~aq%XNhULt?S|LWwIMKh+YxT0(vcx%INwi3zzkMxaR`Yu?O
z8a{LJD}kaHZ%@en@Xa_{$!}-;cGvlWPdj4x_e_f7z4X4G{qih+$>-wjk6v7P*|=Kp
z)8j|A8iD2fY2|zW^v{b|PcnL|arucsZ`rqr8o@{QZ7Y7cUCL{bwWWUMzru+98(-aO
z>uXr?r@HTfOl#4G)j4bVYuE(~%=;Zw6b%*~eSTrn?}|zD4G$Q7-_n#2k>mg9{}&#y
zJ{_LuHBz$ad<J)lt%`o}v5L(K72I*Z)Ae@V3C4v|H=cYud5x`P{++oxUzaP_lpTJq
z7JFgpOt-v6@2yk?S^D<(AK17prhK}@$A(=V-Z{xH7DzPdCpB$pTY2YviD;o;$&cz;
z6Xq&!vU&aeYU<h#`tg^ultUgkGREh0O*=CA>CA&IlFiqwo4hLzux1BX9Qb1Ju{`qP
zKE8v(hUpHSK}?o&F3UAPdZhYkdgJyw`HL+g`PGY-r_DSnGPyVNk6o!~$6h~!CZ?ZA
z33ovg(<_!Hre_9COpgqjnC`K0!;&!<Bh!K=rey|AOp8!bH!~=8zdNjXT<~2$Bq(*W
zG%+<i@N_@dca))>Yx(~8`q!NAd&*1?_^UpjH}n5(<KSmnqQP-$*IR$>JiB_y+{&#Q
z`SS#(>^}bT{sP8&fm+$5y$kESkBM&)HvRr|+pnxuk2p>l=4lw)Y<A7hx$w-!EnZ0I
zNQL4&rPCL7GxbWG)cGSK<dUwD=4WahD4?-<jmP8b87i~h#h0(zQTe?4cn5!pvcApo
z1&2>={If;*cU^wZhG(DRHt1Y_Hrw6c=a%{Hcb2~B`nxww(rE2o#T4Bb!P&R;JLC?{
zH<}t+dnWbN_uCH57x(;aGGKbGI_<#i<$3a9m&LVW4{mA|$T`sX;-5~JeEYwWLfe%B
zI|Tn1ZL^oUGyC1qC3dTNn!V%~y9C>8oxGR-(<B8x<3gU?vPtQ0g8K|k1-RU2mXJEI
z?D&mn&dR*G!EYp#D_r}WtLjCMn;qQsXF=dksXcD>#Z!(sT$OvZoRi<lU}o^FN~dmB
z{%a4qrL!m1|A`2@)Otp-aH5p%)65XA|DJ!ff;`z+dNQ9%r?{NT<o(w(Y1Rh^M$=1-
zi|%gObWXPALd(3+hslR!Z<I#5m0sul!@GR(L=%-VmZdHcHO|$X-v#Gs+@28~v*)6I
zmU!HSs$0&E%a=Xrn9OEz%w+8iJMD%ybxZYSnS5S2lt_Kc^=)3ci*fPMEoFI^H5NJu
z9ATc6D5-ZSv}<GQp=zb%Q;${&=5N}fzFI<Jf0oK->6Ct*IiH-4#Lvo{+Io{Y<m~>%
zsc&B&Q!rg`@jFRB<(QX$f76-;{=YdY^u6}ndgpuS`=8@W(xz^El>4aY@t0F+OY2rO
z$2f#rZQAnorP0lfclMzxxa{V&e|YKiSM0H@aJF22m)Gv4>O9t!_X{FFpHy|ym@Tqd
z!^lw8KpCE@IYkY{SVXStXtVj9+Py-o&Eo002~0PqiHEH)Ff>p!;ACUf=3{1(Vr5_v
nX?l9tZShpkch--7Pky=6_>6AQ!F?<o+b^X~)9WlM2BmHQwsY0f

diff --git a/akka-remote/src/test/resources/ssl/README.md b/akka-remote/src/test/resources/ssl/README.md
new file mode 100644
index 0000000000..d305c7aac5
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/README.md
@@ -0,0 +1,7 @@
+# Testing Resources
+
+This folder contains a diverse set of keys, certificates and keystores generated using scripts inspired by 
+those from https://github.com/playframework/play-samples/tree/2.8.x/play-scala-tls-example/scripts. 
+
+The resources in this folder are build with a few restrictions. See `TlsResourcesSpec.scala` for some 
+tests asserting the certificates and keys in this folder fulfill the required restrictions.  
diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.crt b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.crt
new file mode 100644
index 0000000000..0b60498c80
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgjCCAyagAwIBAgIEba7KPTAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDI3WhcNMzAwNTMwMTU1MDI3
+WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxIzAhBgNVBAMTGmFydGVyeS1ub2RlMDAxLmV4YW1wbGUu
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjUrn0eQmYrrDg8gP
+CtDOQblPbjVgfKR0SzBUCCBfIZOWy+YYm51LldRSKwg644IkU0O2eTeEDzo4qVf9
+9RWPQ+C2SIdc40fv2AEQTKsmah+tfW3HFQsFsR6DBfFJAYbscHis1vKBl+xo2OZp
+YV2K21+UfI44Je2m7fLrPq0rKY9c5zXCATLNMQOeGV3yrtNqX4cTKSGH3nlDkY3L
+MpAeYP+agnCMt+wBejxgx44PtQaWOHNwa1A8DwfDB2WIk2dXr90lpODfTREmB5vj
+v+eBQ2gM2ObgIy8za2Kr8HQwAV+jtPIZLwAHftqBY5VrVWe3th3wMUEJPdhJ9Sqi
+3MGVwwIDAQABo4GyMIGvMB8GA1UdIwQYMBaAFNkRJB4AQDAmCIvHYS0AKD4/AqUU
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAw
+PgYDVR0RBDcwNYIaYXJ0ZXJ5LW5vZGUwMDEuZXhhbXBsZS5jb22CF2FydGVyeS1u
+b2RlLmV4YW1wbGUuY29tMB0GA1UdDgQWBBSjukxB7Goxnv8D7rthlKtLV8/kCzAM
+BggqhkjOPQQDAgUAA0gAMEUCIQCNaZmqT7X/4iUUTXp01qoWHP6rLQnPV1gM7m4Z
+C0flhwIgW3xLzxKTEEusX1hOuAxvSXBkKRnKdu1/XeJ9xXj3DrI=
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.p12 b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..271cd410e9f8cb5d6e2eeba9c9d3aaa6df6a91eb
GIT binary patch
literal 4143
zcmXqL63}L1WHxBxf5OJ8)#lOmotKfFaX}ORRhB0Hiv~^nXAPQIC!$EPHnB9Z))_Rh
zRv9$0ma%a|b@6a9GA(Fg`EAg|^4&m_jSD8s$ZR0ZA~J8&$|KRudzO{0?Vh!2ot#j)
zSG6b;GsEEkmL`@H^)q`XT@te1&-c2xw)9bijp)(1LpR--xF0EKWi_0)>UF(SFtI1m
zp>DxX-SV9Eriy)Q*JS_s@3#CZ&&p)Y_QvM7AvreLzn5-&pLjm%dgkqQx3^l}&=p+q
zuW|;*l+Kg-n)N<vd#(x^zJIQ-@ciG6warJD9$j`lndSQxg|cn_W`FhvUnq+<Nxl@L
z@I*jh&vVc8!?rmLo8HU3`F%KKx#XNP$tAyBXIF8F+Z}okqa!F(^yxO=%Gq}WEi9rX
z@4qb2-L`Z0<*O6J4u9;QDL?I*zIJujOjg6oJB_m^Zb~bfQ&hV$^ka9CK+(&J&4*3)
zExc+rH$Jsd`Ok(k_3w_C9*?moh>~2$xxqiT`qt$~N6sy(T@d%r<WZlq=*hi-)w1(b
zc>Zo%y!B$o^R<B<roKV{rtx#O)nABN>bqJ0SdjRN_ho(W6&3mTY^ML+DDA(U<<rWA
zO$Hj9<EB_0xptAUBG+m9qiBDl*Sh=J1gtK{*8W{9bvZfEKj0zH?I(tLeHB6<CY8sq
z+8WP2vc_-gpE{A*GtIwQXuQAYn~)o`Cn8TjT64__q4{4Y*yR}J?Xlx3W6>>@JI2!d
zze+r1k$qY>%lH4&Z>*dCy)Vwx_-Wab^}ho0W&bqKZxc4zZx?#-^Q5J*R#MY7?kt|2
za_EV-O61I>--~`s*RA9-wmt80_{G{YEx}Cxq_$>P{1n-9_eX!p!o02jzJ4}zn531y
zKq@dy_Fv>7&(Ak=j?TD0(_r4J>y}T}-rw6G|D8SUXcGT#<_&p%;+t74(rr@I%(C)c
zT)A;CMlM*+Yxl`hhn*w@xg`Xz&-YGS)%Sv3;j7KkoU1E+_6N2|G5+21;`ht9>EA^U
zx+PgXcpM-;A=*?VIc53%sKiH;?yJ0ZDG_3<u)2MtQ7nFr0iX4EyM{g9HGv78*O)e~
z`Ye;xnLN3GwepQZnQ^fHyESQ5E&Rtmo>_J7lJG6(2hW-(zptK`t9aJxdgI^ktxg-x
zYWn%V_-%Lc&~=5fC+jBtSekY(u2ik4^qlLeO7`ik?Q;7flyA)5ePO}MSYvHrjSbW5
z?z)F;RrPO3{U+Jq=Jn5cOR;KAWPIpjOP|FqUMUrS*y?PH?uY88>Rnd5`(f{iCh5(Z
zg<V3C&+C>rKUUn|*mn5(bOm$X-rEf#0&%N9mmF^VbNlJfeKRkV&gq<#VGz-ioaU`?
zyPt0}!&)7`E!i97&RdIe7W_*$pF4LB!^_7F$!z&e`MiPE+N)kozFT2b*d!z5YNTk!
zI=@@`m6$hE?cZwGiLx4-EDH{r<(*zCYUXK`Df;L+TV-9VyGVuNALp=%`(~T0Jl?Ut
z<4E7q@0z>4g#!GybH3tvX_35db%E~WY1dLtp5LPoeDh4c`SFutzTJNwFR|G&Wkd0c
zPg`m>u0QGA_A5^-?sohp>*#eAvNt!*SvzY}Mo49)M_NmHNBT9D+rQL=9Fxr6)Xz1k
zJ(YTuPs97G&GE#n_3Mv+`&2ybrs08t<)%zGXMb-nz8kSw`LS-|$K7uh^Q5m>87}QP
zIYZu7a6{jMxt!rI?b82EzmcpoRsS9nvs|*ni65Syx_2M&<uQICcy(FIHHPp~w|tSD
z1D@YyRkEu@{|P6(<5XT%@o@D~rd9X7)uV5if0I!Q4wUr&p84a#-Sblx2QT9NuV|N8
zcg!%uz!_dta*7z5$(b-DG88eCFr+dRF;p_>GUPGjGo&!2G8ixzFc>oEF{Cn7FeEbM
zG88c6Fr+f*F(fnOGvpd5A`B5V6k!nx$;?evFf_F^G%zwVGqNzVG&gACGJz{%XIs$3
zrE1W`rO3p{V9>-Rg^*!HDT&!YB{5&V)3j|G?VXE{34HrfzxC~HrArIJC2>O&=YuJa
zFZ!}hx%RI+Wv^~=D4S93(mVGXzp07$3AB9A^`CoVO1$z{sTozRU3VusSvB}pGZ#rb
z*46zMUaDpy&24|>$jnpak9JSzeA^^aR<a`{^JXxgxTr>Wh}Nxw`8y9vyp?V@l9}MO
zu6IRg;K2t=BNJzIMl{Fhu6MBxDZOXw`_$~rri+VQr#1?t1SR~lk90C(Hj*y?e?H4u
z;)kGw*EBO01D~Bm4pBEcRxdIsYB+c#k@K*~>U`EI|7UKPb4q8y(<PB>9?pHJoH)02
z($Z$7BU@FvQv%a2Px4qOJKZsC&6dn#g1%J}{9VDpzIVhN=QCJj?|=MAFK_PZnK2#p
z%mV9JG<ds~e0-L`t+wfT!p-jwuKtoV$t?ZgcE-2ROib9&Va3OrCm4%T-1wjDxw-l}
zUxfD|pV+$&JCrXQcnds!t6Ubv{iL?=>(Q9@)aUbfSsC6P`eFa%cF63?RF*HltX$IO
zNla*daI@^oX~}D^SRY6oI&C4hY4Q|_vK2@2H4p#mI3HQIMy6HkO2XWFv)jMF7Dq>3
zzAW<mMTpP!eGyK@Eb|OHoBUQz-|W-6I6dWq$1Igf#u5#mok2c_;sZ*Iy>H%_U#_O)
z5VQR0Es>=@dw*}+Bj{G26#hWw&RITHdu`4Zc7@!3yQG!NCo=4?IxCR4{a4re44-Yk
z3#F%t%{%AGpJ}Vl?{O-#B~((jW7A#M&xvOYdK37At+o3vaMtk03X3YooqSf~r+G?D
z{_=9y>7ix^3K#D1ShFr~ZBf~o4^y?o*0)Dkm28$iku*g|xt;w{>nYa$Cr_XK-@SKo
z%|WJ3R-#`F<u@dEJt<I1`g)Fcn`HK@%U_<SyO}JXU+|!R``oksYmR0sRg}N5s#v&@
zqhs%?_Of+{J)^#+Jz1yyQsUo_LxCG_6oowPeRg#JEtdO^681qK1RpJ0DWIx5Pbnlx
z^217@Tc%b?XT`ROx~N|Zt5c1h|JqrQX`bfC17febroY#16#N@qJ7J1o{;HJ2FDh1j
zO!nKghi6_{Y2n-6!)^f`{L2dEg*tR*Gr!3(E49jhSU1DXD&qagldmu37+c=H^moEb
zhj|CZFDg`>^7qn76=ZAR^p(!s{xI!bnA6#w1-se3FJHQ))wi~3?v$5j?}xii(Q-__
z_M(RCZNQ@5&t~%ze}7CVkiQx)v;Lj*y?gHj690LswwWew+q=iV`(Fp=3BAOqsxP9S
zex6*dc5`miKFc@nW(Ylf%=|CtY4vo^j}s4Mx!G91I&%Kqq6c%{t<^lf_aw*P3xZo0
zOjFN294bHi@X>gguRLXwrT<#0UU(Yj$)x`~QdzlvYQNN`*G<a~pIH@s_QLZX*@e=c
zV%yFN&))ARv&s5~_0u3FNs*`j3N|FmSo7BX52@<h_n{-3f8(kYjS_{L-B%3nEWG;4
zK8r<tyKCX0<^vz)&i(7#uy|nz*R0&9le*IF5BZ<HRCK@2vr*J`^V8ie+@`!!Dxx)C
z_P2-!Z`ganuudVit8#(6F*pAa?=_oEpDNyG%}DdideE-=d+Gbd^LHE*R8sC~?o2=P
z)_dZY4O1s?`}uN*sYpccZ^p;#IzoE)D(BweI#_t|$`6ihms@Ylk$Q4D@#Pf_lZj!?
zArF*h3wa*4*c<QR>g8j3>G4Wq>+g3377A2G@*Wc^<W61v_($kfMzP&qv1U(y_+~|J
zlV^6$_*t3x>jpnV_3H35uhIgf6s>co{FaE9Gu9QI6*P5)^CIoJ$B$$i->g5*QT^OZ
zTF33$+r^s}bUtN0y--fMzHpn0YeID7orndsnO0iQ4UV2OE@W|g$9&#W=9KLLTW7Pk
z+;je(P&+ioY{}o8;NCp3Uw_vnPn!J2G~z+e`ct2MFDf@rS6ZqN@}cbZjf)>y&YXW(
z{8ZL*c0fq+{L7NNU!`#x_@|YbWgHE4@yV<^*>rQNx^u$iKIV{B?^oTwQgwQ-%j?|}
zk`5jD$vcmyheiJWgS~#sbxX=7X61`CFU>kF+qHL3h{FZ@$}Rtnz7Vjy5IpN1la@n+
z@6EOT+qfSYZ!J5UnYGh;d)}EW#jEck?^$Z>{=V;y*mAk9;0@cJXB?R|eaGucZ@*K2
z)-#>qxb63R@$qB1yB~{aiY@7Wd)NK*`E3nt3n~{>tnNPG+}GlE`}m8WA$9LVCry~}
zruc8A@0W}d53Pk_UsT$zxMMzZ*9y0S|JA)-N7tMB%ca!X#b3-7pOrLWn^@BP>4IL~
z*8W@%&-L?)y?C(qqW%X~E{}ZMJEbiymkaE^|C=tGC~nNBdQrvpX$P~?&rD&9kMp0E
zElKoEEAY#*vs<*NQu^eExe+UmwK-J0E$dA7I2(NDPu|SvU9A`I<npmtZF~5v;@~3T
zS4n?b(;^H%a`)_uzsVYwAY^#qd46j7+8LV8aeX^Jg{)OxA(_+^`E+e<@13C3)akeT
zWv3obc=r3qozJDwmht;1@*C<F25z$7S9JT@0;YCpGn4esxig<nj$mT2RXpA|<@Ze`
zPT3#IrLzjQ6i?3bNab?dG-dY_N!DVKm-QL}mmc2@-?(N`;G3<FmmlYvXCo*d{7P=3
zm*`8?v&R(jr!mOwZ0FzW8aDC&;hiEX!aFYo?R5DV#nfdIa!5RA^LNvaNyof3*`9sW
zeG_!%kt;`qA{XaU70#rymFep01}lHCE@1ckdeQrh+79+dvstb^;50pT!0U}M!<whB
z9%-w{E?bhWGKY&Hub0h?Q^7O!qZ9{2$Ax@vmMMwr(|q6d92TrTqI&c4lVYdfnUi1k
zT=`ewxqOO>#=d2C3shnbiY7nEO1F+koy9bVWn&E6^-~2(vpJuCT4^!SVUhZxg)tk1
zzqT@ecyqB%eXsME2NxJ7Tc65**KAw#@QgkG3r4per_X6bb<dDEWGcNP<NV5I&DqDp
z692va#%{AUMb>4}S49QmYwn8H>T^G>&iOHIYVkdO%h{TZF(Mv|7D@Xk{C>B&QsZX+
zxA*NcIZpqmHnUGX_xyRq&Nbc}=K4*jk*_hZz5luSY;^p)+Z_KML<Oq;ni~HszIXxS
zG?|;d63mJdFS%%@+dltU_<d&XQ_rOzJZ3-JbB!ndz~=UId7o<k&*r+OcEs&|<NFB5
zC98fMJHamSBg8h^)Jpxna1YN+b)(*yyX0)%nX*I_>c~G<d%Mwkx!0ptYu_!B3}NTi
zQfFDwczANF%f0GN%?{TLnwPe(e6iifg-t|m--NdTp?{^;3OHPww$$Uzfqi@KUsw5f
z_3wi$`;7}V9qmMpPq<g<*YTZQ+^5({v20aIN!X9iEw&rl82a{F)iX!?%-t|Ks>ma0
z-Tfmw-dwSddZ==SZC<4K<PfiO;Y%9tD_jcP`exUC+aoIb-M(ZSY_C$Sm|Zv{u;;gf
z;jL#jzYW(~WxmWfBCt11=i2)ZN>TAMW=C9~woqu>>E4wBbK=b;>~1N~Ual}Zk!Sy$
z{^VKN;mKFBuL$_F8Q2*p8gR0)YV$EONwG4ph;UoIGEv)mUH|^Byz8mVtNw+k<S4R;
eoUO6c&wnAn?wAs#A0>6^X2Xj`Sxn4~Z3_ULz_(uj

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.pem b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.pem
new file mode 100644
index 0000000000..501ac638a7
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node001.example.com.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAjUrn0eQmYrrDg8gPCtDOQblPbjVgfKR0SzBUCCBfIZOWy+YY
+m51LldRSKwg644IkU0O2eTeEDzo4qVf99RWPQ+C2SIdc40fv2AEQTKsmah+tfW3H
+FQsFsR6DBfFJAYbscHis1vKBl+xo2OZpYV2K21+UfI44Je2m7fLrPq0rKY9c5zXC
+ATLNMQOeGV3yrtNqX4cTKSGH3nlDkY3LMpAeYP+agnCMt+wBejxgx44PtQaWOHNw
+a1A8DwfDB2WIk2dXr90lpODfTREmB5vjv+eBQ2gM2ObgIy8za2Kr8HQwAV+jtPIZ
+LwAHftqBY5VrVWe3th3wMUEJPdhJ9Sqi3MGVwwIDAQABAoIBABSX5lHhPvcE4ZpD
+fm3FIUrTB5C4lueT0J9k29qTXUo3iLMPRmbn9ixQVemPuYWPYlwAcogYX1cY1UlZ
+Wdpu2gK6rdbEY/V8dqi0/vstttug4lh1t56JjLrUB6TGFi3yzGNYM1jg36KVAnMa
+oiFe0O5IcAv3bpeYm8vyq/bmpnPYCUwOAyTGJ6JBUs98YEQu5qGdWVYGk20G346m
+AW37bAeIE9oTMHD06aXZRBtaFQjvCeCg+aM9FhTo6hOD4mTADeV2qfjUPrhE3jal
+c6Ul84m0RG5A2M7isBK/JmQ0hZ9uJIEGBSWdAG6g0sDLN02pdNtTWG0nuA+XHolV
+9KznWYECgYEA3Y11PmyiCpZyHLN3y30Gw62aQ+MW41XVNUcb3Dn42UkKbhgnoFbI
+rNhZp+jAJapIZTTB3xfE3dwvPlYHHfwwTxcmg20cx0CpNlpqCigVGQqe2FxhWRq8
+ZR9YHS5mseOmmdJYdfG58TsSmjveEmgbC+Q+1roBVwNNpfIeyYUg43cCgYEAo0LU
+QsFXZVOTFb6vRaAGrfiSd0bmzFEMWS9H6G6ZJUhNodoECCQaeF0ypJermVg/nfD2
+wobSTP4hA7dtRDHzNecQRS3zfVdaCmIN+50jpfrT+av6Z07k5bxpFHUAyzI0bj/M
+gDGjZ9seDo/4vQfdiqxYWjPr8DXYvANazbARuxUCgYAH83uxsdRe7OdLgGVcODB1
+9VUD+rJnlj0AnHyzeqEjqytkqBlD99lb2qfdDs1WjLXsa+hJSWEXVT+czRmUSeix
+7fLD5LaTsA5ilPwZQTcAnxD0UtxrhjocpvNSmMe2uqTQAGyMTxCNR8FzJ5LgtjvC
+QX6/1g0WQlgXDIluUgjMIQKBgQCPQoFH4qhx/Zg/qIfcrMOvvUOo7spv117ik56h
+0wsHsB6PO+P10Nh5bi6WR5EIimuoiF2/7NZ1QTpvLHHxOXOVhSC908ip4BDes5RZ
+ilZRu3xuxf6A0LYC8gWzMch0haWEaO9mPiiJZblGRgeauGAq43jUDmOm8VkyAi+X
+9jxY0QKBgQDTJHTw1KFklidDFQ1v9V+uORLmyVP4Ms/TPMNJsuTqc3lnBSU9Zxfz
+Vw20aBMZdfno1z5Uvirg++Zt1B7hVUj+MB2VslV6HqLjj3fL96xXrYPsjMYtwTOD
+//jalt23mVJorMXpKBMfgEUPyw3Ca4R0mL/D4miv88XXZLlUJwwUyA==
+-----END RSA PRIVATE KEY-----
diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.crt b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.crt
new file mode 100644
index 0000000000..db18c33158
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAyagAwIBAgIEOqBQVjAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDMwWhcNMzAwNTMwMTU1MDMw
+WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxIzAhBgNVBAMTGmFydGVyeS1ub2RlMDAyLmV4YW1wbGUu
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3pjLzJbVB78E4A1D
+7AU4mn4XV8aWZHHRfyPf2yL62WtqLLktzdB27c/QdgV8G6oKW50MU4HmyaZqvxK1
+RD4Q0QSVGy/Dz8MFxJz3k38YWFICqyBYNQcU4NsFMwO/yguQHY21Oyxk4liWtA1p
+U9ZYn51Tozd7jFtzbYVKC4PucjuV26nb6ufLZZtVZYw+nuz1Uyv4LychKXSZHSqB
+XSH9rj4piOyO7t7IPdQqYLDFS1OBkBhk3q/YnfzYBHZjkYApLO1t9Jf4S74mtJ2Q
+TpISxIdpKzizXcr9OfVybeoCOwQXeNNs74zX5qa5nd1ZuqC42qBsNFUeSwqcJv2z
+HhBScwIDAQABo4GyMIGvMB8GA1UdIwQYMBaAFNkRJB4AQDAmCIvHYS0AKD4/AqUU
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAw
+PgYDVR0RBDcwNYIaYXJ0ZXJ5LW5vZGUwMDIuZXhhbXBsZS5jb22CF2FydGVyeS1u
+b2RlLmV4YW1wbGUuY29tMB0GA1UdDgQWBBQgG8h6MjX1T0N/vGI+YYqi27oivDAM
+BggqhkjOPQQDAgUAA0cAMEQCIBJGrfxFjZFHIr0ZeBlYJylly9CypDJnFOgxEZpY
+B0ETAiABn94e6yDwRMVOdC3UgnMq8E94LfqJU+tduEPH30qB3Q==
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.p12 b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..bbc0d4172a4920956708db8572730ee50dd72606
GIT binary patch
literal 4143
zcmXqL63}L1WHxBxf5OJ8)#lOmotKfFaX}ORRhB0Hiv~^nXAPQIC!$EPHnB9Z))_Rh
zRv9$0ma%a|b@6a9GA(Fg`EAg|^4&m_jSD8s$ZR0ZBJ!*(TRTLsSD$a9%*iD#Xa8Ng
z7+J`~%y2k>rHSQ4puxSwRfgNNI_}I*b!YMXs$uK!!ZK&aGyf+nca+|#AC~cAaWjdL
zc`Dv^{H4o>CAX@}r!rpXRAcRas~9Qqgln};S8q=F-vdDxZ)^~nX}Igx=~+jDrZ5Xe
zoNr#<TK`Pt_{r5R_o8O*I6AlJ-lkk(RmRr)>u;o6{nD?f-#KH4rBK?uM_Y~^-;yxn
zOhjnk4!e&mN5fJSuYF2gE6$oS)63}(bD?bK!fSUHPApVUKDwf*NV2t}MYUm4!kKl`
z1z49q=6+oeyXu4aH&sTi4vDf~CI^!IcIkbQs?YuUol!{1mPz!8z2mEg?|XLoTh`ZH
zHlM|Mk74yzYjL4(%T83E7i?JN?b|0)9A@dX$5e%7{mlIVHhVe5X2e-=%xT(CCA30g
z{icRbA8Sl1zCZlHz4hvSnW9<A*QQ)jD%5XOdhz1zVrjG7Q#Z>5|9h1xt~|2j&0~?x
z?4MY5zQk5OUw&fo|CHB14IU&O-H_U{Z<^fnp3Qzmo($KoGxzr0+R?Y7!v5=~uV)wY
z3hIS-Z7LP=_x8^*Ie({Yj;QsVZmG=WADO@0GPGZ}fwM%i{D4H*2cNJI^M0M{j+a<h
zmc;UI5qcmHa<tp#<4XRgmXmh>72oKswMWTj%HK;|b1m#zFU89nYvzYcmyY~WbL;*;
ztB(m82`iuU{&sM-m2kNbrk`@{u26cEu@AG|8r%LI##&up45FiKPP<;KYHclAeg4?g
zA6y%B&g$)&an1aM%)@tyiwk?sx`z3jw%a;Ub(T4o*_+?RT+9a>oCR+5F-`5*m~4Jq
zP$oG^^|0d49L@*kc8Mkn$~2@_96opS<jHMUq%0W^&6z0mwER!SG>-N1=B6>rk}bHU
zuP_C(n9t@fH+uU1^3OM`<D$~18`%4Z9IxWNf4X(sjmwkw=pXvK?vCB8XF87+_+H9?
zvy9EV&z;F;x@~?O%gvRwU*vLf*kYI$&r)ED;uN)ccqW(s>ERyxrMstzNJ$)HS$Tx}
z+^vR;BIi;|Bei{3_g&}oV+~#1yU^mcs9ME^e`%S~Mn6J6i8?q5GRQ}MKGBoC;qbhp
zyA^Iru70D|Yr6X7B(?L|_3YOKzHPX^BDi#+%=75F<X9uE7iLn=J`1%9*W_%Tt^fDb
z0SDvrj_0{%^xfWA+Yx)$|N2Rmh&vLy))f8;G@WwlCvS4KxZBQ>-Zz>FG55p-j<|7h
z6$Lym+S<OyBF*f*=>BGfwMSd`J#xPJAZ^{TR&B=PvZuqh>F`VNGT)eagW=l>iLdpo
ztPZaxoLyBGdMPG`>FVDQo7o>FHb02@C-~N%U3;!^N7<L-7dCy=d#ADET3C>7`~5A?
zKc9GfT6CwsdRk#~VafmOSB|Di{j=orvhN3G#yz`Gz53XX8@Y;K76t}?KlkSDCgmo+
z>8nMrD(n<$n!w*Z<DWv@rBe~><kqk)f0uHYIU!IjLrUyOQ}N5)vzL84bLwD0fz11^
zW0qX+jL-4>mS*7A{-C^ZhFWzi!|In|HX@t0Tr_m^JhM8JS25Fm_YqFMJ^e~iPv&lz
z^5k5_j8G;E<%9Myd5`tHjX9R*%$b$FJRsZDPSfPi(O>WHKa5mY&9tgjsm<{H)7Eyi
zEZ(qahFey9O+k<Sl&$;Tbo@Qe8Kjb6JU>m?`mfxi7y8D25ubPuC8$T=i&faXu_9Qv
z%P_;h8D3O!iWr*7nJ^?W6fu-Aq%ssSR5Iu?<T2zkq%fp17%&(x7%}KEq%u@6Br@bO
z6fop4q%!C+Bs1hQ<Qga<3=uUHVG#<+%uQ7=G_^D|FfubUHn21?H)!HAfh%HXThPR%
zYS6@`$i&EC(8MK$kYPkAiP=CU@ynRR3%QJz2W|hKFaFkgdifK>Y%Op}+|b1NU~SGv
zj>U5>Pq-wgDJ(6p$?|i}Q;%C!%XX;d`iKVH+o#A>_V&#rt<BSF-~VLwf8sLl@CEy)
zrsb(_Z(l@l%&oY0sx7X^N{i!-QcOZ)!<UY-Zviv?T;^n)U~uZ1da~gx@9R@XS6VqG
zPs^TTsW$K0^EIzF+WoYfe9lSzcud=-15;cYKYmcW9~ZDgO*v2g^QTvCpPIQo<nfy|
zOQ^Dio)q;un6u#J#1%_kiEx|=T)i^ftY^{0-|1!>FJvV|wTcTq>b-O6iR-z(4Y%64
z7Yi!5{%0w0Ro)w-ewcr+#-_)|KAze3<H38e+sUd1A0Hoo;h-XWaP{XG+ty@oSG-;r
zAzM`FbNAerrBlxeTs%Hm^wP`q*S8sD+?p!KG(UKilKk7#&y+&0vHbUpyS?|m&)&(F
zwp)d7^IzG&$?xyhmhB4<nEX~=*r#yoPmnAhQ|{fo{6GVa^&O{<uA5TMEb`jD&wbO?
zML8$bA4wcGUTfj$TyHkJwI-~rdBwA{N%J_m8u!<lKFj2~l6fi5XQq|x)IAAbr46>~
zIEhUtWyy2hzp#1PD!;>X*J`V(epTBmkteG>;i<Ap`cX~~@uC}Nzij5P+!3}!My-c&
zV~nY-=dw$8`gPW>+qhZseB$Oa(vg)6I}N4Z-Rxdmw50C`pFz^<cE`^*-~Nb5GJN%7
zVd&O%Ve*@fW;$)TTIjamgNkK3TX7rH+ZDG&r|o$k*lg%|tZS*s;`_f9?JPeRR2N;1
z*~#{3%gN4r6D;1ev&P<!%XgbHw>|P5PmK63`#pBg<UALi`!u^r`y;o|KfSm6<lX&s
zHOiN-QQWymgi$X3Y4mj-7T0BaoW7l6tuX$*&CfQzf>kv<bE4_~ZJ#Q3&Y0N{P_Air
za<P!={1vj<+F`LbOy6<^`I_WL2Oi{bJk!?4r1dApOT>m%xk|2X`qQHi{L|AX`b6wL
zY3O;YIJY2ewd=FXq5DdFuGDJJ4GQZrRZ*&c%C^#6k>f%`5Bt=OrE;I<$t-C;CA4P7
z((4LJfu$B9sjsRg&s;lU^Nq3_F0I-2&%;xuu5@31XCLn_?x0n7r_`#R+%anzd$q5q
z&v$S3>dp-nj>Rf77Svhssm>4HouZy&@V4xyu{Fy{o2!Z6kKHWl+xXY0uh;Xz)%UfY
z3*I@u$UOLPL*%?}*X^tMn>-%2Xx!M&=}?<?XkN#k&E22mcJDm6;mFmsGgKKEe*L?d
zaWH;vIsf55?}TU0ymL1?$eWp2Jip^!)Pj=Ay+6C<0{=8s_~q2I*X<4XE^)1u?dC=4
z$g?3Q_zll2N?ZME_9OqVLF{i{?^Un-=Q>9+H`IYA#*UG#xnaSH=HUKE-9l?+LRQIK
z(lMM@dGBfRhIGNqwVZRpGgnBN*d2PhcrwGJ;}dO+r~lf`dnNkdzf`^bucVGGFmk=#
z7#etD<F5Ay&DKc1P3TGH2y^%_adXJTp48{UtY2>h@7rOXJ27?R(|ZSHTEF<$PCqBK
zb93wG-%j&dYKq0vw>@S}T4~9@%ur2#@xO(KGxu^vn@P6s3VZHy<y~Q$h0wDXM@$_q
zm)x(YerPkj`^2m4_<LfyNp;KrGx2_x_G?JudLQ}Z*p5BCcdmWWvRxu=AhUvF&9Ber
zxOa%IHxM?ws=qWL_Ug)9^&@ph8W*$ht`<tQnp)K8Kjn$+&bPsz|2N$9HJR3R`|P~M
zhd3VQ-hC!KJyWYd$D?8DM-jpIQMneOImYMyZkQ&NC%=1-?W4-r_|)0A^D`etyezo#
zgoW?k6ETf6?uyPmdBz8o-t`<-?e}gu79>|Qg{P%@)|VN)tQD-2S=C=p-t?uJ`S~C2
z0()MEmnRe&4qR-Wn<+Nc_H@_B$<=QA&uwFA@_#<_%(oxfrit;N|4ICo;NrDA8@zn~
z;)M_QCB2;zv9^5bh8=U~1<815TxkhyyJr|3zbogxX~ry(Hxim5UsZU|PWizWeSM>#
zLdyaE486l!=B@jZucAMTua$4A=$_NdeR%B-{fq207x8KFo$D;{{%;nSU|H?ACpYEJ
z_+8HrV)~$!B>mrQZ6<e{-0ps*JtwWro0fYSIn*tUweRC(TI02Kjt^76&|%l4O+QS{
z1*?8<dMoyncc#zAE9n8#c0ApynQ}wvq}ooVz=e0TB0bk0>*e?+YWM4bjoa?6vHWhA
zUbvjvZEs<z9`f)Jr!AMjKh^X@TnxT}5{xW{Mz0Npuis|qop^^uZu!#p*2|Xscb7Y^
z?2`GUCF{M={XZF#|18aZKB?^>zYb63v^dRDUf1*;dh;Ux9z1Ya>$5_@at`xv_vdcX
zPGDKBt+_*Vc4WyWaaEa>`-Sb7s&C|A-9E+dGe^vay}GB=&F`=`6+ha(Pf_Yz#+>kN
zMqi(AoG1G`(P}OK=Of$}6DD-8KRr!h<GLgkAN}^blbV?O{#FDX{9U%|*|}>8=KlM2
zLKSP`qV$fOH+WuB^C|C<z^RL8Dzd9}O!M;h#<~94m7<#^7-SgucdEGV<xW@D(?Q`S
zvc^{v8WycCWthW#ZGp>mvo%iU?DKEj6ihq0aO=`D4;S5?)XTyt60H^1I{iHZhuM+q
zopmPh92?v=Z+1OjRdO&$L%@3V>73oGI(NP6Wjpexblaw%Q;uDq$nok-|KuCXJd3i<
zm6U$i?5pv2EqB{*PE|{Vm}`blGL58<`NXsCu5?(<%enRfqi2n3+106wVl56#-gQ~^
zO~V=EM~+JN%TFA;uRe2;-h^_uGuNMn<t|&LDR#0}HsQ(_H=(Y3wXJ&%=GrM)FYI}C
z|7B;yj<zhpUonYOM9uFWv77e&=;uAH`%O(M<Im=qs7-xu%i>ylW%fKlu5BLmPN9~2
zj{VqYr1WhSgF?Nsqq2UQ>!)BLro$7X-XB`h7*S=$5ttif#?0Srt@-tyR8q!Mrm4+K
zm6>{lJ~gb`+ftHdIe)XxdF4c<VBzLNX6G*phU_u9l*(bN&Ms&ZBUBz9zJhtl>q)}S
zleB~nuXJ@3u-x-?@t2mZm$iSEl_~ChBd|4m+po><cYNviTk(8#R0^Y3edY94!&zzy
zi_<>ta20Vc=E#iUJp5{JZqScBhbn#Eqp2223A+?8%=5RcN)3MXp|xyM%G}4<>fzC)
zoevIF%t#UWEKz=|GR4$=)s>S)wH24Q>^UPOdg!{tG`7|`byhcczAtDBo^4ggxbC_~
zU+M4OnC(H*cbBhBvRdfCVJY9q^=^V!d$BUlvwwE~US9KEu6<xi;;J9#o@K;6S=F9g
zy;odxZNK>ePwC*Ms0}yQHLW>$_HU0|ckQX$OnW6`uX{E8I-R0+DV6zS@(-bFsT<7I
zWOhfNaf>;~eNy_kYxA)ss=QJ!K0a@s<(77&ymqIw<&0TfpHe(ucekcquXnv%nD|ES
z_FkSnPgb)2bjytB@B8>~=bs|K%X=4FO;_aO)&958ud^&9dCtn#FE`E<wS0VcYQd?v
zhr-)q4R3~31@ADhGf*_(WMkFlV`h?KWndAh6tBBK`IpL9z8=$NFV)$xyFO=Tu!u}h
d{A5!)>8GSw%FgYAD=q(Z6`vJkVrFbx001LSpeFzT

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.pem b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.pem
new file mode 100644
index 0000000000..a126038d82
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node002.example.com.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA3pjLzJbVB78E4A1D7AU4mn4XV8aWZHHRfyPf2yL62WtqLLkt
+zdB27c/QdgV8G6oKW50MU4HmyaZqvxK1RD4Q0QSVGy/Dz8MFxJz3k38YWFICqyBY
+NQcU4NsFMwO/yguQHY21Oyxk4liWtA1pU9ZYn51Tozd7jFtzbYVKC4PucjuV26nb
+6ufLZZtVZYw+nuz1Uyv4LychKXSZHSqBXSH9rj4piOyO7t7IPdQqYLDFS1OBkBhk
+3q/YnfzYBHZjkYApLO1t9Jf4S74mtJ2QTpISxIdpKzizXcr9OfVybeoCOwQXeNNs
+74zX5qa5nd1ZuqC42qBsNFUeSwqcJv2zHhBScwIDAQABAoIBAHdr0iq44SF+wcbS
+VxZQ1sVL0Iou6JCK37IuNPMEGUB7+EJ2NrSsmqGLVHN9DdBpsZTk9K/4iTC2L57D
+EqzB/5OjubsULSFRp86Lx+dB0HXRycy1VZ1dZz4bQvbTlBl5ip/QXuKYNqeYj4GZ
+kGCCJpm7dhuisI3kolCnqcnzxgFSJhgcQHYZkpJH09CZNxUtF7AIWtMRkj2IIKjV
+/MzQDJz8EINBQzWIDTviu0Qkd7V2dStJ/GfnFkUeRgxHQUJtXM6p5vRIxObzd+fi
+HRYF8c2t3HQcnVlqjRWeHPtdh9jKKzETCVABTc8WzLu7DyONnGgE3w3DoMAJKHVL
+77ziqEECgYEA9kSHfagEviqTd1aYkhD1T9Q1FS04SefdQc2RzvF3FIVDNyv45fxk
+tbC89X0MoOfdbQbwPoY4p2unjV9tNjwp7WqDnGHSDz56qxbuJEaclq4gPDIciXAM
+Qi4PvSp1YZ+3na2j5bDomPmjo54s3mh5nitq0Jw52MQGRBebx8ynyXcCgYEA52TK
+d8G8fJKeRxOTN7iEKds6m77MnFDVvONwlM9pQUCuqPm+FT0vb8cMNDLNWouMmmCB
+gSP1bc1bNbcN2teH+5lbn5wYQ7AQaF6lbOdgUBV5N49S6AGbvAkT/w2O0Mo7YU5Q
+mIWvYxhQpPquevtFOAAbSVQrebDiJhg0Rjy2feUCgYEA3YUBN3eWZJSZt4Quk10r
+vJYO9bCKbHhjnxhR6wtq6QuCTbOBHSduU7zaDBxi6q4GkFbobeWAOqDsw48uBtYR
+hN0F6/pV4J5760AiEIFvw1534o3U+4/Nhw413BvAIINxwCT8Q9VhNJGBr+DNTXY+
+x5cYavPMWP7jAAcYep3N47sCgYB7evjk0XkhTSizq0mLmabFo1zyUe5kmGqHAyRH
+9SspDDhoqeV69gzDbIghrt6RLBkbJNbXMHY/YzACSS5Wk1/Yru0LDsSQEnufBqrm
+o85szhjCwnQupPUTchC+seB9oP3xHla6HdULX6VhdPj5Xe+BQ+VLy2Pr662zQIVc
+2fdU1QKBgQCWCPSc8byqtYsIg3b59iyTYbR3rW49ZUHNNjm3fKIXkEpHZQSg9/v2
+aNAUpVqm9k/Tt0OJ1+OceDRBlBgVPFIJRuqJ37V9pmicsjVN2biqc+2RQtdpgzcl
+lkz3cnp1Jdg9tGDmnip5XplLcjh3gaxMYNsQRAmHE0j19ck6Rcx2rw==
+-----END RSA PRIVATE KEY-----
diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.crt b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.crt
new file mode 100644
index 0000000000..83d4472930
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAyagAwIBAgIEPjDg6zAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDMyWhcNMzAwNTMwMTU1MDMy
+WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxIzAhBgNVBAMTGmFydGVyeS1ub2RlMDAzLmV4YW1wbGUu
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA24C7726icyAGM/Vp
+baY79OaRUihFm6H4iYDuhdZ66QqBOOTNqLXZnetddJ55mS+LndoSxNYNNhD7XiyI
+Orcn1ETtzfZmtjJVYb2JB0lHj3awTYN4Lgchny+GGTjb+mEihyGv/6Csu/mMcrxS
+PZDcwy2pHO4TJ8lQ0yg9SDFneWxzDTOxIn15cSHSiexunL6s8wzw9WzjR6kNF7Ig
+qHWK/cLabvsZr7cLuNmaWBNpGyaAxqXbOhrhBmDxaY1mCtRSKzPCPGAM83F1mtEa
+mX64W7WEEw/h71q/u32o9qgmhQqodbZqt5So2RFpU3MVPuYfQQPdTeqkpcwPsDiE
+NqfdQQIDAQABo4GyMIGvMB8GA1UdIwQYMBaAFNkRJB4AQDAmCIvHYS0AKD4/AqUU
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAw
+PgYDVR0RBDcwNYIaYXJ0ZXJ5LW5vZGUwMDMuZXhhbXBsZS5jb22CF2FydGVyeS1u
+b2RlLmV4YW1wbGUuY29tMB0GA1UdDgQWBBSx8rKQxZJ9SjW3ghqxtwZuNMhwhTAM
+BggqhkjOPQQDAgUAA0cAMEQCIDr0T5OrW7BRXFWosw8clK6jVafAJHJSmysM7iV5
+4FDIAiBGdRE1iTqcvA1ya3H89gvqAOn2K41RuYf3xSR1tU1zhw==
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.p12 b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..63b32d5ba7ae9844e03926e485930566a3195687
GIT binary patch
literal 4143
zcmXqL63}L1WHxBxf5OJ8)#lOmotKfFaX}ORRhB0Hiv~^nXAPQIC!$EPHnB9Z))_Rh
zRv9$0ma%a|b@6a9GA(Fg`EAg|^4&m_jSD8s$ZR0ZBJ$&^U#G3i2F?2~C+xlCS}bR?
zU$l~mnc;8%OB2h92^aS={b>2@p0PZTPs;n_ytgTjs&_>MojUR6=bKe>cYaSTtJo+1
z@luP-0h^G{c;jUE7kw^GCni6P<MdoBVOaj}=GEF<#a_<Vdz<80G>?6_Ha+*u%blKb
zmzgEM<eN-8d!=E|jVo<Gy*y`fmK=78_%mB<i!mpQe_=<&`^mX8ByaQZvy~=YHf7pS
zzjXciZwK!xY-VFsP~_aQ=jLX!KfJg9seD+d`c|@8N9E_wTv_9c+e?y<%hdFq*m}9)
zn%E8Jeu>(OpQ~25Z|Q!_GNbD1+GAat{@I1^wq;nEf1xvN_Qu)ICdsG25M8q3ZsPfO
zA`;zlE*JN)73*$jT>hAs>v^#H{Br{TH`H92zae1GyWgAp=e4#?zAI3_uQ0DpPf_VX
zP4SY;YxXHdJ9?C;O&9&?uloDK0rC6@^Z57i=R1$Z-eidjDy_c2@mb-KdBw|)$1%2k
zGp%lJ)nm$7RJ&(Uwr97`t3Rw<(*)#}uF>U`H=QIf`>@1+^^8wD7vBvtuM$bva8o|s
z>FncGA|d;7xPm!8mKKyotXNg!^Xb(J@rn)B;;fdFKQjtXOW$(ijY`H|%fw098>Q!*
zoE~WF{9?)5-8YT5&1wF%WnQ)Y{Rb12WOi{`$w+M8eu-z1Z40{qhwRqwC%X65RQjK!
ze#|^7Il;-xL@E8zlWNC!4I>k;jV<-*KD+otEY=zBoFlRD=!=GR4@IiJt<IDC&iEnR
z^K|Ws7?;cKrt_;CT26)5uC;$7Aamr->v^xASXfWwKcBki{;R5}DTnnI`sD4)uHP?{
z|8VKbJD#E++*&rRtB*<DvwF`DUcJh>GUalNk3T=0wWT{gp(FMF&VA7phOX=h?+$yJ
z+q>OAVX<M?++8bURCr_)*mbz1wQ4uMFxs>I-PBE6|2>}8E`3$x--3XryJdpUcjfQc
z?@&2e)PQsT*#`%7r`#}Gaar=Z-o&Tc#(RrGo=*C4upl}^KJIHyzkkMpgKsM~=lwh4
z&i5<lymZ7q26cZEZ}rLdt73P5P>$77W{(u#q0D1%wdcy|SKH)D7>}Q6F}}vd!L+dG
z!$YA<YqB@-FIma1_-9Y=`&iw8lz+=Ee9lj~a^?1v121`AD5lnQufM)sE$_&E<NEcR
zg7#gTqA$8zHb+;mNap?Jq?(CeOyn*KH_6QQ(mDR-JjcD_S5bo79vDnMxBR*K<n`%p
zMrRg!Zq##JG{N@c5{H%5Ki{00qkbky*?jMh)e9E2tDe$v-??;}SbK@64TJ8=Syv+V
z$ChurruCRPsE#!>Dm1EEaC>%ahIYXoZ=vjZ`2{^3eOn%KX9OLU;;ldW==#ka%bvL{
z^)jmpW>4$VW|<OSY^Al6K{@~9!j94f*FQeJw)q&_>B$lCZ|8M=wE8XAkeGby_}9l0
zPnpabqe9}>tM!<%U*{0NZdQJJ)4dn00<P=jj5p1_s*p9e^#7DN&FN|Uk*>3+$xAbp
z%#qt)o17dGd}zmorp@|6Nn5vbY%Khrecr`UX6cgD2S*AXpHKd-&LJeR|9z};Y3)Us
z%TsP9eETmcd-}<|Z5Q8qtmI|4%C5?>{Pw%~q}=woeEg+7IlKS2th&Y0@ZsL&g_Ad&
z+a|uKp3}>DS>L2ezPgT`355avoag@XOfK9XYv?1M?kS?Ss<mpCE7#Xq(|vTC{jD??
z_8fI{HOw$@h8LBbB8FyiCJc!TMGPejsSHI7l?=KJc?|gsDGaF$1`Gxa#teE4sSFhi
zi43_61q?Y1sSJ7y$qe}nxdw^|LqrWlScF0{b5j)zO)U)#jLgi8jg3r=44Sx1;ELGU
z7Bq3G8Z>b!GBGk3G;v8GWEfFOVm44oyf3&dSkCXntj@`ERz`d|IQx@KkPf&cZfN3s
zur|(T(;eTv&l#%EmehTp-xl32R;C~HZnsu=8vk*-jx+ABuRS}L68g=az4+1RNX~6x
zOcpz4te2VjPA|hL>1<U^$o}jno+pm<CC}c!e~RAUot{bFH(&V)Gr#To^JIBGZ^4P%
zZ_WQ_S>AdoEwt}O*uk7HJCl?zowAo=xTjI7TRTzX&&%_x?-lH^U$TDhM;qxBi^-zN
z_dYMWD*eau%lR1Y2^!KBwd;(k-wQpL`L5L;c~0kY{^xZCO34p|4v0^9Zhv`(!?S+@
zH~*$}MW6b%WJy4y)z9gM|9(6SygW~1`}xzyOBltb>#K*{Kkjp=pU1Gn+C7g~!&SN8
z^z_m<Old|h7tcxx4_JH7#ilsoRovFoWx3AR|K+IM+<t5G<@TL=taGpUPd+Dfbhm?4
z@`Sk(C&XNT2Cs2r@%cTw$!&LQgUT;SBet_MRF=-pk4p)4oz8wkrIJN2MTkY$^>6F^
z)Wyq^n(RAOiw=G;Iw*5wf!l#qri)I$NHcnKE?9oT<889FGcvALsM?C?sUO|kq#01K
zap^o++0&U5=fAsrWrFkBFKp8`T-zA?ro`=gTlCH!h9>7t%c^#4O)|DBs14^|_kF=4
z|N57~rkzE}Ci9w)vRit3npE$$>t0#nQ<eKeTzTcz@6698e7xMz_x8U;o6j{VmM0v3
zTinAMgWq`MUG~rGv6p5R`l)eA@km1J#>y>wY~t;UX8Ufo)DAd%Hv9F=pr92uLtQsp
zs!mTjHtADb+;+vMLhaQ%?>=0A_2})){;m3dL~9Z~F7ITXAb#`pmEVu<>z-!i`u23m
zzS-%5BJStDs3n~KeCO5V^)u|kUcY?2JE*;WS@fYZJRVbamzo*>@Z0gl*|B`-mF%+W
z<wA3&aXx)#=p7Qe?N|5a1+zVW-7wuz_~1o@S=-#zc`v7I+%2~;n6rtg`C7!j_fw+M
z%Qr1PKmDkXb?2Kqk$1g|ru{rykbA!T#g1%^t{Y0l5BzSvdts)Wk$E_*M(-$N@v4(|
zergKkPSx6(yC8DCW~1VM?>v)4O`jkm6Wfhz-e^pGGcDcZ_3=F#J)fg?ALQ?g&+7}F
zaQ7|ix0J%wtP{<aHx|t>UUf;@%AxceXK9UkZM8*EwY0R#?cLL!ajLt2may+<ygNBt
zOWD%<Bj=PCzuwDC3l={0utW0S3niXwY#~P#@60w<<Z0j9(Awa<^~l0Smd-O??CCA^
zWwL%7cJJX-`{ij4Gj4z1o29(@!2IYM#*U@_Q-2<p+vuMnY2jO;engtvHlXAplL@<J
zqS?%hqyKon-rmsC*>Yp<;r%b?XtK&XugZGAaXVM^K@0!Fve=1c4EZfGQ#9VpIB&i&
zW$I<IUE4k-AN>}6n8VP_UYBJ`U3{beq4O)F4}4X9kX(7sN9y0ggRd9=)Y2+wV2R)n
zJF(tEE%}>-;K5pv6qDZxRhwQZq))Ey%djnb^JC2|u7dg_%i>(@cL{$v^Ega?|0c<~
z!XNFY#MNYEsoeM{@o++_gUZ)QZ|?LkZ#r`P&5l(4@)>biW~+nMzrSK#EdTA2xy#|C
z`O$7(qHWC<^IX%nI!{nPXvmPDU@cqf&MBYn;E;C7_eu7PuFR(^_p2OJXpsA6uEse_
z`*?r%+zC-EJA;+PGtd61eyppna^hFynoF69-=r9>K0g_E|L2Yq4U&R&`+plQoO)vI
zt(v)J#nTnOb3VI2V|DlTTT*^rid8K79?$0OwijHR7;M7)z53ns>iE=0-L{haF_DY`
zJJ=`GFZ#$N#i6+(Z>yZs%AXbrT|25<Dm8DMGKpLE%;Zya+p!rpH7>C<^2iqD%O=F{
z-Oc6@k*&wIDD#O#|D3ujSJwSkj50CYSP-VOir=P5^m@VJ=XILT&y;$~Zs%-ve(^Oq
zKU1#i{>P`!l`3M~4V8M``i=HYS$6!LLiqR9cRTNX^nYUgdXu)Q>K@q~gS)+K=iAs`
z-wCl-vGy{z<!xiBntDGVVp^4xoTtcKmf7rvOp9I}kUu^@p5<`ti+thG|FSFCuki*w
z-g)TclAezzOJckd-d|BOFA+MIx>hy&=Mf&cr^-hA%Wfs=Ub?ofNG|54?>fg<YoC3p
zsW$ml8XNq0V&mM<1DkGqsGoo3DwB^?>VZp%aT70OmYwdn<$R|4M|A#Sy)~}46=z6q
z-QL2+;BzKd`$2tnXr_3({P}XJGrs3N9gbyPW%<ytGG|Iv$KmCB+7xFt&wBrD+Jrmy
z6S9}D|17^)Gv(O5^DXPH&f5KucTs+K<*dNQlLjA|93D)W<79X)=wXbnuekP`lh0SK
zjny|)uDRRuyFH%2pseVM?S^AFBzk$>8~bY2(?hL1`sVMp>PtGja`Lax@Vj46s1-N6
z&ENkd?9!py^H&*U%}za=a)ZS@EJ6NC;uR*xm!j{v@`YzMTJ@{M7C$MA_jPdVJ*`}O
zbkEH@yrQ2<-Fc7ixD?<naqVFKO1<KzN`JVHocX#YCCbaauBhHCo^$){J&{}PESh%w
ziM{P9qsr5Y_YO_^x;uHjpwRcuB{Kz9mnI}k6SF%gy>aEIt`$=^?NYpNb7-sW-|&C)
zm#l1HG_|{9RoDAM`uOB-pGz9=tOVjX1Onm?@Xz-T(wO-D#DiJZpU)p$TmM$-@j9<r
z{u)a*A6wFB^Pj)N^s3U&SDDi7oC}^8e=~S?!d7I0m*I~2+j^6kcvO{k=>^9<)LU}q
zu-Y?&nUR-yuA4UIwNK&RDNvn$&Mq}XP9Q9?vcUdparP$Z2f9B!az)#dF8z)cnXdXt
z`b7)7ev7t!)!oYyyENvfO!&QVhusZ689x2HwO_LC`Db(2UJdEzFG!en`?iD9z5=z1
zH}&y{u87`$_;$x-_iYm@MfIEfZU~=UBR?Z)YgX;=g!v16E;5@i?~4>m+$@pivoJm6
zu2-SZ1a^jaE1{Xz+MoWvdfImJfYJB*shmpFUR(^Xv_3!agWa+}4aKROLuc53E!gYo
zQRNkxUeh1TulUVLT<r83gFk1A7ckpLA8)8--Kz4^z2wZVLmPrt|NK=FaiQm|FvG2g
z6K_1Z{kdzCuX=6y_0oHqL-w*i=I<wj%FS}P8m9h^iK}?B%UPxgI`3UGUy8_0e0;Dd
zd5fxoyt1*whLuZI1Ni@OMrvQtm-`j==4$koSGw9;U9PK?FDmG`QFMT(Np%0WMPgq9
zkD9e4pZuR+{ovRto!<UAj8oqh)nsrjw|7!o<*}OYrk1MF`i07T)BJtPcQk(5rY&rC
zpy$aMQRDTGw(Wb}qkZ(<lUKbNUJIH|%g<TPbFjH}{ey*HeY805-72&AWIe^%NjW;;
zR7YXUsz<KH<-6~zpLzE;Qg!c-#nVHt@dWa?boEF4zR_Rs$|LjQ?WRd>>$Bpf&QLB_
zkg_f-XE9adUi9a#z)GD>6;2kr=6?Hm^+)cUkA8m+_sb~<rIc*G6xMP#|N4y&CGy|r
zU3YlVd5__8<|(-??0XFC3=|DG*;uvtn3<$l8CXQF$$q*a;4+WN=#cuNw;sBG%Qq`I
hvxrQS=QDA8;&bfFQw~+**AI@qdzQMCiJ7r&0RUN6y-ffB

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.pem b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.pem
new file mode 100644
index 0000000000..bf0154e93e
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/artery-nodes/artery-node003.example.com.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA24C7726icyAGM/VpbaY79OaRUihFm6H4iYDuhdZ66QqBOOTN
+qLXZnetddJ55mS+LndoSxNYNNhD7XiyIOrcn1ETtzfZmtjJVYb2JB0lHj3awTYN4
+Lgchny+GGTjb+mEihyGv/6Csu/mMcrxSPZDcwy2pHO4TJ8lQ0yg9SDFneWxzDTOx
+In15cSHSiexunL6s8wzw9WzjR6kNF7IgqHWK/cLabvsZr7cLuNmaWBNpGyaAxqXb
+OhrhBmDxaY1mCtRSKzPCPGAM83F1mtEamX64W7WEEw/h71q/u32o9qgmhQqodbZq
+t5So2RFpU3MVPuYfQQPdTeqkpcwPsDiENqfdQQIDAQABAoIBAGKjBNDhPGrTdzYe
+D9RQIR06Bw+OPUlkjZTstUK7UNwr9kmkt64amcHXJFXlaOsnbGvwtQJy1dj35J07
+EbSg3WsL1nj5QsqY77lOPKdjjJ6xTSRn8bdtSPSJnI70+BUZVTS4NKiAgV6vEyfz
+7FjyIeIrQJVZfo4gbwuUR4WLfd4XwratfkHEi7otHbTpnkU3O7TbV1I6EyqUQtZx
+2xhThAV4utTyKJFyYgaqzTQZ5djIk2a93eyaoz4tnouUIKYzG1XWyz5t82UD+ViH
+72rHDJGNy39Wok+lOVQ3WpJYJJkdJcf5vfuF4mQ+JdIhRpYsh+q2y68obaYOONPU
+sMF6SAECgYEA8wjOxj61aviIFSrHhrZI01u00BfAhil7DcZjarKjykxMSXS3uXsb
+1OoScieHXaQWs1xKXuiS3naiRi0CmdVTs9CLAlddzTK9p2e8Uc9H8Ae5U5yugKdD
+3ekpbXOih+iHQWYP/9nPN9VEb/q3aMy7iRKYgELC68m6Tp03bZnoeuECgYEA5zaM
+nh9NVl7ur5FBN2V7fgEORg6Z3va4RLs7DUkXELWp9HWsbC/9rBSboATzyK6NYCMD
+mL1Q3WbdPldhH3b+zkt7CLGoyQluVIyspXBuhpsj8MmImsFbSQJBMEiQ5zgh2Gd3
+xdVFXS1P9H5hXhy1GGePGrf7gQfqnKszQer5DmECgYAHnAr9YhFEHCwGnaRJr4Nw
+OrramSPKD5puv/t058sBFop88k6eXCBu9jVFpb8zS2P6kbUya43NsWE7WUVvk6Jf
+SvRPSnUBa8lMaI8Y8KiL93HyEEHWfWY+mIJXjvtTzhAOGCgAFs3KLb9K0krT2TU2
+AYMM4QpBX7uZooqNv/frgQKBgQDi4XdIriSgjVUgOKPLLSzp7zVHb4pz7JvS7fq7
+Ra55ehnExTeljc4ZbrtrYZCqqwYVgSZFWfgg2ZBeXTXzvzu3yP94/4RFiZiXJNdB
+HDuIoHG7FLeUTAo8cRbwvzRZf45OoPE50tZW4WDk5KK8y+S0huI48LK94bvJcoFA
+vMcZ4QKBgFbrlcgi7XcjfKo9+JzXx7Q8p7gC1j1qNevq9qpkGDgAn5Txdi1PFqNM
+g39aHjiaYA2+GOB61MEGelaZkhtwCl/4cpCV9uVodhhxTUb3bQLM6KuvuB5gW7Qi
+yGPxI9HnFuakK0Cs250rdQMoTriXRwK+NYahDqmvOqRihZdbS6E2
+-----END RSA PRIVATE KEY-----
diff --git a/akka-remote/src/test/resources/ssl/client.example.com.crt b/akka-remote/src/test/resources/ssl/client.example.com.crt
new file mode 100644
index 0000000000..f29b0b8af9
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/client.example.com.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICkDCCAjWgAwIBAgIEOro4SzAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDIwWhcNMzAwNTMwMTU1MDIw
+WjCBhzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxGzAZBgNVBAMTEmNsaWVudC5leGFtcGxlLmNvbTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABAaveLe/GP5gV9905DmI6wCOUrEcK0TCnbUo
+4uHCl5lRX6m3v6pY/CyvK/UDLu30qfBvsJhWD5Ggr28wQZYyfOyjgZQwgZEwHwYD
+VR0jBBgwFoAU2REkHgBAMCYIi8dhLQAoPj8CpRQwEwYDVR0lBAwwCgYIKwYBBQUH
+AwIwDgYDVR0PAQH/BAQDAgWgMCoGA1UdEQQjMCGCEmNsaWVudC5leGFtcGxlLmNv
+bYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFOMNZuBCz5J+ar98ruHnFkQAekAQMAwG
+CCqGSM49BAMCBQADRwAwRAIgfrnQChNQsf2ft/zA4ln5pUzdy3mGmp0eCD4lBN64
+pVQCIB5ARpTUKetQmj7YkU7etM02TPVpKjAslxmYuMQEpbrt
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/client.example.com.p12 b/akka-remote/src/test/resources/ssl/client.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..f3ed429260019785acb1fca5d1ff2817f178c409
GIT binary patch
literal 2708
zcmXqL;+nw3$ZXKW<;ljW)#lOmotKfFaX}N86-yJBnL!hmkwN2kWSPd7ERD|$8Xp@p
zK49a9YT)5wWLi*eP->vb#sw2%WHyjy5!s|P{pu%|WiQ$4_}FsO)w5HT^Y1e;GaL?J
z@%X>jVx4cXfM4&e)hrfg_oz=_HYIXLz|<ou(^{XrpK(G?UwG}}r!n^@3zv02&=>iT
zcqhH<hT;75LS40MKPH_~5%rqz@sUF5?7M~$2F7p)a*7zL$*C|TGvqL2GNdx(F_bXq
zF{Cn7FeEbMG88c6Fr+f*F(fnOGvpd5A~cB_im(WUWag$S7@Ard8W@?G85x?HSr{~N
zn!pvYvn^=iR5fVgRAgdgFlgeGLdY<p_?r#n?<>piUwkJRdCK{UiSqAXJdGdtf4hPG
z-O$AGAo=lpHoYTTw%a<r{$OzC-7nd*O^aq3S#ksfJ`ib45=gO~&7=42(9AP!seXKB
zOfG8EerssnI=j>F{JHlf<>wmmU!MHYd-9zz6MyRa_gfY-XPq$#Z01?gzE$Cj{pZhn
z7IppT7Sak2{GIBvCP;GH{Pqgts=AwxI5QXDo!c}^qx-SZ+U757{+zv##TnwnzGY_1
z=9P=4NS*hZZfLUM)q%_R{3g9{IJ)!x0@s`Do5S9lA7A{n+{$oL(DA)njqIm%Zs;=$
znxvT8bIozrlj*XoH{Tj@g<Uxn&(!*=abIBWyGuJ0o}Z5JoV+Juje*|9Z!*VSzL_ao
za<16x)z!V=T>!UtzH#B2NxvSQtvJ5sQsE?KtD=)z_KCU{yu3Z5;zxF4Yl7KdhND&=
zH*!AImio{Ba-B&tpTRoORTjKQ;$9jq=2<Pf+iuZ~(0xnX|J`}=H+EvCs%N<Jdl`*l
zpOaT)1FJ7wk-Zbc^m5<*MS{`NiRqywAGqeWY@FG}^i%NL`)#v1Zswfh@H?Ph!^C9z
z?&n9-gcPmFZMUY&<yv<!R$MS~5q)-YUE0Bnr{?c@^PRuSX`Z_3uGjR6V`-XT%_p}b
z>wOCpmfX{f^48v0?Wo@`HoHjvq)x?EAKTpbubOY!J$<S5df#8YwOOV6_RgN_I%i$A
zuf$GYU-$cxqA&7yJblk|@a^K;N40j$O+4MStChF(iLRN@)hpkpPOmt<DQ{gwp6HEd
z!uw(rdqdYBW!r7}?dY9P+7mxT@0Txc6uUU}(0UQKl`G=IVm0cwzZQ)zb}rae-J+LO
zb$#BGa9LyKH)e(6CPy{IE_hh1{o1F)9r<sf4m)$-rT!`AThwO0nep7{#x?7gNw4n4
z-qAjqCtM)EuF``2kb^-=%+~z=UUvW8*P@#8!V>FiC6ugq*d}WgX1?H>uE}_2I-`Wy
z?f`4|eenT{J15r{A2Q#2ecuD7NkWJFbC36|bf`U?mr?1`_j2C+LSxtI+!pUd3-?z1
zEi~8OGk4acIlRF&zK70LTXlHm-!srxd{A33_3NwJV<(+so7ZyB2ojr|R&rlsjqwIK
zC8cVHS;ttilN>JHiB5iS>wHB|NVdJ#wug^Czge}`kU3KM>c<<_LEnyCaw_BtoHR!-
zhHYvb`vQx3qVt7{`aJzRW2)Pfq|aR9e8RM*t!;Z}l*FOx+nYBP{9o4cQ;{vQJg_16
zbE}?d%iX)S_qHz=TXih_$cp7`4i5iMb}pS}lNqWx^H|$v1y7rd11tBh-Kg5-<}f8f
z>rr*bq%)_AZslmRc!h4gnI-V{1Ka&RwsaA<4H>^8xSitidAny6-P3sZkZ+^?j_%vp
zpVrSQ<BQ;9V4lkG|61r;!MmYFvYl5HF8d$Z^8Sza(oZEhyJUUU7x{jE+m$Ap^X`Lm
z!w&uWG~qp`AI$rGg7cF9p~!t3G7}E}oK^PxVE^~zD~`F5PnZ1PdVhQEyqhfjH`A`q
z*cw^;=dZl4U!zO!RgQE^U)#M?CdS07&eMGS_MY&PB$kqz^MWCrGm8%defq0-W%bS5
z+jrlzb7=Un-dn1GUD4@J;G%=GZT=TYEn7P!i|JcJ_1mirVZ4E#j-89mE4FkiIL@zd
z>5Rs!l*&WW$;q!5<)4-n&p(sAcYE@>c{{GyPu8hg_c5mb-NFiGyGx}NpU=r1@40h3
zF<#rE^{d8#`Cs(7uV`)X_DG0}`fyg;=JOgIkByxD-}PUawX~G!R!PWPa_1*cJghkB
zltsuy$qG)@TW%5;@)Ztn^{?WID|ZSOUlF=3retsU!$~it9;NYQ`Rw*Tt97eHc;~rj
z?k%&7I(yx&&TpSS(|(0w?c~k7P0p>jwEjl@<Zqd0F8!Unp6}DfZ%=32WXzBh;QO^#
z^s6}o^N(})UoyTi<9qxiT83-Sx3fPqCW^Q%uKlJ~?O$Cmv9Kw3?VPuvNmuukv{$Cq
zEf1P4^vd>m|H~zI(NoWE?rS`<@8pN0Yfm-kP5!jn#I2K&`(KWJLzcZvUqG^@hX?bC
z6^E-&ss}yDs?QfzJbb}M-%IbE&4TN`aZTr<0~*RU^`E`6Gvi4N&(Xj)X<~&{vmVX$
zcXq2kb8glSxj8!jeWnE09%=6HeIjFX^s(ZNnBHagrZcFE=$TK-TP1e(&hduGt+Dfz
z_E|hhy<_oBz<upk*;Bv19TWD<&wQiY^+-Lwy0y>t1w&qywa{6UGJ}%R8($x>xVo|(
z)jV>bY<+aQt?IIeixa0!ELa~RP%K*zaD|oM`ehK?HinNinx|D6_kFy$>`TT$o4#%8
zzKNeM<xbo8;OO?Vl2@La+*b`L_*H%1&i}?)#>XG$2L(Nm2=|(lW}Z`bq9ai$kcEqH
z@81;+OIEeWAK|FWpRc&}i0XqGss|fBzj~bfQE^F>nX^_Qhr_G&3!-!$um13rf88xZ
z*LA-aE(mlNGTJJ$bkY$v?&F>9yU*`x^ZDf2csTX3e?x56MRR?%qxUOVRpo4$c3$jW
zzNxr+{l9dnXX|<{&wF#{s;=VUm6CT8E^OK^*dtV$Rdhp*Z%Ww5AAje++`L>b(t2WE
z+_%;V>L=!$WK)~qwUYPdM|Q#8yK1+p2pRjV4PO$geP-{o{AFJhGF8hauJSm%a>3c1
zDkU$kaTWfVre%KX(TROV0^D&<VmoZUI<Grld9(lM#p$~mu30&#2KO$>Y}_ODVDEfe
zy@pt+d3)CI`(9EwIKRtIM4<i1Lm!V%wxatJm+<+=l!njzUB@hU$fzs&^i4Ca2|28>
zrR>6eEGd5CavyTddJk(CSRYPTto!~_FpoQ$+fMtr_>r(>`H|fh*GjUUYFz1K)+{_d
zygPd0|4S~jZmauUnfd7du9b80<#T><@K;>BvF4A@U)vQ8x_h%<#a_s>oOeh{=^U$_
z2v7UP4oUVTe?3MITdT!+*S}^KxyD-g36%IOob#+=S;>`1zh!4Fe+g<eN3>hbIjtP3
zBHZ@QZPmd*^D|uU)gCSr5Y80QuSzYSzexStE>F%a;&V*;<Q;P=c9pzs61ca$%xmAv
zIBvF^qDuNpXLEnq{h7h>U10GA**_=VrR;QTx?j??(&51w`^S+?CmY+Zf3nnT@IGeZ
z>v&iAPeR{C13Lpn15P$pZ9ZluDOLs+k!jUmF3nrc^sz4__N(CZmq~B8Cq82lah52!
beJGRZ`V*zcU6oOG7bX70YA`V~wk-evsU7*m

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/exampleca.crt b/akka-remote/src/test/resources/ssl/exampleca.crt
new file mode 100644
index 0000000000..6dcee07369
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/exampleca.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICNDCCAdigAwIBAgIEKYhR+DAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDEzWhcNNDcxMDE3MTU1MDEz
+WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
+U2FuIEZyYW5jaXNjbzEYMBYGA1UEChMPRXhhbXBsZSBDb21wYW55MRQwEgYDVQQL
+EwtFeGFtcGxlIE9yZzESMBAGA1UEAxMJZXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAE9K81J2BKaFGTI/4qgUr31mr3Jpl6YK+7pCmy2LNiW0Jufova
+p41ERTrT9IynJF3NlJpzuKhmuA+80ZM5NSR4QqNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFNkRJB4AQDAmCIvHYS0AKD4/AqUU
+MAwGCCqGSM49BAMCBQADSAAwRQIhAP2Uf206YbhJ2pb5MvehuLanJzFydOAq5uC4
+AXmspW+EAiAuPLFIAPyB+6gpr/mQ8V+yyh3aCJV3bvFq8aorrQyC3Q==
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/exampleca.p12 b/akka-remote/src/test/resources/ssl/exampleca.p12
new file mode 100644
index 0000000000000000000000000000000000000000..b936601bb34096e54d746a89035e4d1e99d674e6
GIT binary patch
literal 1114
zcmXqLVhLknWHxAG;b-I2YV&CO&dbQoxS)xJfu)K0k3kdj4}-?1$TE%BSsJexG+s1l
zJjccj)xg8W$h4r`pwvK<jSD8k$ZR0ZB62=%Ra#Z*R>@-DzImDat8O25<=e)@%y2k>
z#Y2X1hj)`t)wW}cJ(aS9s${+xyjSeIBY%7L8BXbDy|nP0wweAS+s*_q6+ipTv`+MU
zkC^_6nX=axFTP@{YFNT@!~XMSt#^ByWDVU66yXl!6fqQ$6JkhZs9;EB$Ym&C$YDrj
zNM=YxRw8OB!XgxsnVYI$XliL_U}R=yXl!U`Y0$*X12>1AZ9x;$UxOy5pG=Gl22D(#
z5HgG?zGMUW^2n2{__Te-zb(IPsaf50LH>YS$X>878=9DQ6g{6&$iUt%*0OwesP;^Q
zdX4_T177o%P5<@LzDaH|(`{+K1!regS~acPHD&eR^r`EOViGI5g`NdV+Of8^y`6gJ
zV_(JruB+vB55Ic<DqOcUROP3Cj<a(|-qWtn^Zw^;Hgi6j?(hBPXF`xRpVqq^8S5E;
zigF7suxBS6$Z?(**R-impZ|&9y2p&%mloOb1$}&IFQ9SjR|V^JCy(s(tZIk8ZM8|i
zbJL^mZ50n>wor4L6#ksyf!bP^1@#|<FQ%7xD^EK8Zrg;_`;u2m#Tp6EEw%C3wqxO`
zIqr)LA{Ne{{b99snbrB)c=nJNuigeE$EP$0<nG$}%YZN7!NesS7|o5B)ofWlp>~PD
zh1`WxS#DnA%aDzGta9#xdR=b9slD$u<v1E$VJ|655tZ}mT;(s>Zn;V5ZhiCFq>D~j
zJ`0#anU>Cvy3lah=a;pjWcVI68UGDh?PaX*!lny6zha=B8|=b$m&rKQ=aAsM@EuNq
z(N~}5u5^k~7Y+WNo%CzMxivzw_dd$pXZ0dVZ@t-!nG3>Zu&*$=5@K=Xm~gwgc4S)R
zDlefe>C7ip@7h}=Sw3{EG<Gn2vXuM8Wz~b9o@T4?ta`s<uS?VY$u?OV0@>qxbN_S8
z^}XDDRqscA^P}`9OJ1sTJ?>fa<>kj6qNnDSs_)xj-7B^J%<-j1+r)3rnEknP*Y8aM
z-+%Y?%BbxKkN+Q=r&S=sCQ$NoqxNY@n<<L-Uq4)XfA`6ATV-ZVzx#O|OLk<~Q_YV(
zYDuvZqklh}kgeG0GO1|3R0=<n!10I|dxO)jZT)wublX|sBVEtx(_<dJ{aSHYbsJ9_
ztH}vQA=h~u`e&OIJ!#In|6}<U=R+2cLLYD6clvv$=<>@#+w-ohKK^y9=Xdk1j-l)S
zGM7wuH@MV!+Wi!#N!h_qf&4-rB~1>=hks12mbvzJxdGQ!!J_bz+06!a28srpY^>UR
z%uG_O3@jqj?grw)*Z%$AUF=q=x#na|*w=FmEFxxY=kI*_k)&~@#`D5Wi=Mxddrv7a
JF*CL;0080}<o5so

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/gen-artery-nodes.example.com.sh b/akka-remote/src/test/resources/ssl/gen-artery-nodes.example.com.sh
new file mode 100755
index 0000000000..c43e1fba5f
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/gen-artery-nodes.example.com.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+export PW=`cat password`
+
+. gen-functions.sh
+
+
+function createArteryNodeKeySet() {
+  PREFIX=$1
+  createExampleRSAKeySet $PREFIX "serverAuth,clientAuth" "DNS:$PREFIX.example.com,DNS:artery-node.example.com"
+}
+
+rm -rf artery-nodes
+
+## Then create array few artery-nodes (in ./ssl/artery-nodes folder)
+createArteryNodeKeySet "artery-node001"
+createArteryNodeKeySet "artery-node002"
+createArteryNodeKeySet "artery-node003"
+
+mkdir -p artery-nodes
+mv artery-node00* artery-nodes/.
diff --git a/akka-remote/src/test/resources/ssl/gen-functions.sh b/akka-remote/src/test/resources/ssl/gen-functions.sh
new file mode 100644
index 0000000000..7edd22681f
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/gen-functions.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+function createKeySet() {
+  PREFIX=$1
+  KEYALG=$2
+  KEYLENGTH=$3
+  KeyUsage=$4
+  ExtendedKeyUsage=$5
+  SubjectAlternativeNames=$6
+
+  # Create a certificate used for peer-to-peer, under the example.com CA
+  keytool -genkeypair -v \
+    -alias $PREFIX.example.com \
+    -dname "CN=$PREFIX.example.com, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US" \
+    -keystore $PREFIX.example.com.p12 \
+    -storetype PKCS12 \
+    -keypass:env PW \
+    -storepass:env PW \
+    -storetype PKCS12 \
+    -keyalg $KEYALG \
+    -keysize $KEYLENGTH \
+    -validity 3650
+
+  # Create a certificate signing request for $PREFIX.example.com
+  keytool -certreq -v \
+    -alias $PREFIX.example.com \
+    -keypass:env PW \
+    -storepass:env PW \
+    -keystore $PREFIX.example.com.p12 \
+    -file $PREFIX.example.com.csr
+
+  # Tell exampleCA to sign the certificate.
+  keytool -gencert -v \
+    -alias exampleca \
+    -keypass:env PW \
+    -storepass:env PW \
+    -keystore exampleca.p12 \
+    -infile $PREFIX.example.com.csr \
+    -outfile $PREFIX.example.com.crt \
+    -ext KeyUsage:critical=$4 \
+    -ext EKU=$5 \
+    -ext SAN=$6 \
+    -rfc \
+    -validity 3650
+
+  rm $PREFIX.example.com.csr
+
+  # Tell $PREFIX.example.com.p12 it can trust exampleca as a signer.
+  keytool -import -v \
+    -alias exampleca \
+    -file exampleca.crt \
+    -keystore $PREFIX.example.com.p12 \
+    -storetype PKCS12 \
+    -storepass:env PW << EOF
+yes
+EOF
+
+  # Import the signed certificate back into $PREFIX.example.com.p12
+  keytool -import -v \
+    -alias $PREFIX.example.com \
+    -file $PREFIX.example.com.crt \
+    -keystore $PREFIX.example.com.p12 \
+    -storetype PKCS12 \
+    -storepass:env PW
+
+}
+
+function exportRSAPrivateKeyAsPem {
+  PREFIX=$1
+  # Export the private key as a PEM. This export adds some extra PKCS#12 bag info.
+  openssl pkcs12 -in $PREFIX.example.com.p12 -nodes -nocerts -out tmp.pem -passin pass:kLnCu3rboe
+  # A second pass extracts the PKCS#12 bag information and produces a clean PEM file.
+  openssl rsa -in tmp.pem -out $PREFIX.example.com.pem
+  rm tmp.pem
+}
+
+function createExampleRSAKeySet() {
+  PREFIX=$1
+  EKU=$2
+  SAN=$3
+  createKeySet $PREFIX \
+    RSA \
+    2048 \
+    "digitalSignature,keyEncipherment" \
+    $EKU \
+    $SAN
+  exportRSAPrivateKeyAsPem $PREFIX
+}
+
+
+function createExampleECKeySet() {
+  PREFIX=$1
+  EKU=$2
+  SAN=$3
+  createKeySet $PREFIX \
+    EC \
+    256 \
+    "digitalSignature,keyEncipherment" \
+    $EKU \
+    $SAN
+}
+
diff --git a/akka-remote/src/test/resources/ssl/genca.sh b/akka-remote/src/test/resources/ssl/genca.sh
new file mode 100755
index 0000000000..e7a77cafd0
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/genca.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+export PW=`cat password`
+
+# Create a self signed key pair root CA certificate.
+keytool -genkeypair -v \
+  -alias exampleca \
+  -dname "CN=exampleCA, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US" \
+  -keystore exampleca.p12 \
+  -storetype PKCS12 \
+  -keypass:env PW \
+  -storepass:env PW \
+  -keyalg EC \
+  -keysize 256 \
+  -ext KeyUsage:critical="keyCertSign" \
+  -ext BasicConstraints:critical="ca:true" \
+  -validity 9999
+
+# Export the exampleCA public certificate
+keytool -export -v \
+  -alias exampleca \
+  -file exampleca.crt \
+  -keypass:env PW \
+  -storepass:env PW \
+  -keystore exampleca.p12 \
+  -storetype PKCS12 \
+  -rfc
diff --git a/akka-remote/src/test/resources/ssl/gencerts.sh b/akka-remote/src/test/resources/ssl/gencerts.sh
new file mode 100755
index 0000000000..beee48132a
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/gencerts.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+export PW=`cat password`
+
+. gen-functions.sh
+
+rm *.crt
+rm *.p12
+rm *.pem
+
+./genca.sh
+
+## some server certificates
+createExampleECKeySet "one" "serverAuth" "DNS:one.example.com,DNS:example.com"
+createExampleECKeySet "two" "serverAuth" "DNS:two.example.com,DNS:example.com"
+createExampleECKeySet "island" "serverAuth" "DNS:island.example.com"
+
+## a client certificate
+createExampleECKeySet "client" "clientAuth" "DNS:client.example.com,DNS:example.com"
+
+## node.example.com is part of the example.com dataset (in ./ssl/ folder) but not the artery-nodes
+createExampleRSAKeySet "node" "serverAuth,clientAuth" "DNS:node.example.com,DNS:example.com"
+createExampleRSAKeySet "rsa-client" "clientAuth" "DNS:rsa-client.example.com,DNS:example.com"
+
+## a certificate valid for both server and client (peer-to-peer)
+## with RSA keys
+./gen-artery-nodes.example.com.sh
diff --git a/akka-remote/src/test/resources/ssl/island.example.com.crt b/akka-remote/src/test/resources/ssl/island.example.com.crt
new file mode 100644
index 0000000000..33521a8064
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/island.example.com.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIChDCCAiigAwIBAgIEJnvhJzAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDE4WhcNMzAwNTMwMTU1MDE4
+WjCBhzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxGzAZBgNVBAMTEmlzbGFuZC5leGFtcGxlLmNvbTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABIkVH3HvRjaESvuOGGT/fusdHKWMLIPL9bW8
+xY/Xn0R8vfSd11u4DuXAJyXHXoh9nr446gZEnkIJChp8UiR3F6SjgYcwgYQwHwYD
+VR0jBBgwFoAU2REkHgBAMCYIi8dhLQAoPj8CpRQwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdEQQWMBSCEmlzbGFuZC5leGFtcGxlLmNv
+bTAdBgNVHQ4EFgQU18dwseHFcZuh+t7OL5S4qArmonEwDAYIKoZIzj0EAwIFAANI
+ADBFAiAG9sYgiBMx8burgPmM7miEdIxVRWSMcoHFYpt7GP9JyAIhAMu0VjMAsvXj
+P5ToFhlgEza2dL6spd9rerToqevTBvOm
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/island.example.com.p12 b/akka-remote/src/test/resources/ssl/island.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..dfe50c9de87cd999a9933dae7ee5dc28a2bc5d33
GIT binary patch
literal 2700
zcmXqL;_6^xWHxBxa%AJwYV&CO&dbQoxS)y4h^2{3&!CA*%b@W)vP|Pkmd0lWjgJi)
zAFy#lHSlmTGA$@KC^gVz<AMn>G8;&<h^R}-mU6TfN_aVxx9q%n{p6$+1|cS9hQk3Y
z9x?43etm6B-fo`k6q>X{)lNB~A+b6~X|ru$(w?YXzPjfAit5#V?OJyhxYZel6czuk
zDV=inte9%N@w`_Hn^i1&H-68sv3zsJFv7qX?m$ivLp3=ShD?THh8%`OhCGH820eyU
zh6;v6hFpdMh8%`e20eykhJ1!x14V=;Q9}_Hp^(hnR0Ts*OG5)AGc!X=Gh<_eCQco=
zB6hX~O`Ng@O`MWUj0^@%oI(g0MihUuf&9HLoh|O?H?NDYU8bKtV>Bb-nO|rQ*xwCJ
z95)V5yDOW$il4(UB<_gSzJouXYs)1H1b1J{e<Ej>=*!#Zl@q;xht7U}H}Ox?c1h2=
zT~i?V=w!?S6DHNT;CmMylr+ZG2sU1N5|*^dv?7J!{{^qB&YugMPs=w=`_IVw@!kK3
z3zc=rj4pm=MLa$ePS)SwXQQ@!x8TC<Cu7}u7sRdH`OLm*!~TH%_p~+`eTXxe{KRs`
zqS-NCY)T8(MCEp{P4Smd41HVnFw-DbyfpBBczwkp!`CVe5@$nmXC1n-?0>OBi=Xkw
zT~jXP)ay&lt31!(D0s0`Ls|LY{^;_eS<0MK%;Ma(D!V(?AI~_$I>&g=es7&47P|F2
zSFJyOZRzDb$2bxnzS^}?cH$e6lln`lX1si275(SvuR`IC4$l+>PakN>yH($md47`b
zac#w^lbR;Y*3<a5ukV&iPyIfP>#Mg1YemeG7i7_$wkfFhqIdLh9Sf11)q5W2MEi4z
z=(p7GW<NHABir;3vv-2QA*-GxXEn?`k^(sQFOobMv`3?5Uh=t)O}e`kvixrZz7o{>
z|7CWKcK7T({{0`0KK&TP+Wp~CR2_5KDZbaik`~wZG{;Lld%NfH8l%^HSBg(NDVw_1
zM(O3b9%1Jn|NTCun3{c-Yi2K9-Oyc;B{=_od7g_*)WyI*8B;{(KM!+1RJ0|*(4A}T
z@@cZu`?B1{maEj?(6l<u|Lpf{v2Rmm-A_p}Ep4$?_Wkm{?t9>&Gd-^+Y;+9SAj(j_
z=tRC#m}I%rz9pqw3+`I{Ry2)xI?uw<N8-`fhB`Nv61Msc;Tdk{v#OS|99vs{<b?a4
zm@<PqKP;9>?@0-Jlln+HzN^^em!8EkeT`PB;G=9SpFcanet7bx<%@i+7&<40yPey@
z7*LXY{D84*k#F1IGq39F)6doM%Utah628zrS$*9^4dI7Ne`TmmIrLaybIFIu-Fqcg
z-@AQq{=ym46P%v!xxdL?+vBwBmfFtxzw=uSFMo@d{l7|8H*l%&<5o@Qc{+P8->$Cc
z<vXYUMRm43-;DDaZCBV--?4pidp)ze@!h6^3^CV+<LlX{-ZA{)zoc{iGJ~C-uQyIT
zk#XzG&X99_Tc`KMv^un{G2XyB{l@Pv-T9LbZ1mn*QSw6P+KNXj_tpq*dRV}?=pU=0
zSk9Zt@!^XN+5L8jt+{pQ&E5McG0AgoIg~RC^on2kd%b67|AD86J=V{hdF0x*trCXf
zlepvdv)WYu=90bs`4OAmYSrXVQ<hHM>H9C!U@DhTAj`@P7O%yoX<1C(d8EZgwCW$1
z5Nq0>kB3)Ou4LEM+<cr{u>a9%L){~3a+&4siPufrxe8D9T>s6R|KpSU?TlI3xkfks
zNj_29_Kss7=cHc_6Sel4$9>qPul?jNbKWAA6geHAXYmfp<71-R!~gG@k)tR5?7%E8
z-spvY1-x^Z?(VL6v86}iOzC<zckb3*9t+>QKlCi9HvPEUuGi$Mp#?V+i|%uVr|KDt
z^;W%Tk&VpKvD#@^mTyyK_$~PJ<x5X@o(t^%Cojey@!o$gzwxzD8HUct-J5L^%Xe0r
zvz!xR3KR)^`g5C%!?6ooYV%lDCZ;)TR<>Km%OAqQQM+{x<EA%qj5jjA*W}(WSR;`3
zx@F3%<V9|0+!8)`-}Sg@JXN&T??}P6C;d*_|ERyXQ<!hsc=PHmxqN*&E~{F{1*`dm
zvRo#zSKlj_*r;{1p-}SripzE!dUM6++B$hUJf1h9H9a|kVYkhK|L+gi@7}V1IbU~y
zi%PtSvUSZ4rh|HWW-7JuUhl|p_||{K<j{=so912Pi<vw3+SOV4KUA-#%wPXxMe_oc
z!*3>4TsfK4_N=^HlXF_ew#B?TJ?CcYUEx!D;kY3@V*6#mo9l~KO?vnIx%e@KhSbxt
znrU%zc{_6Tm&`xL@ZJApzizmdx|6r%spw<7+Y6cxbH12#<zRKp2Bx;op8Lrb+niR;
zt`HRrJ2-LO6@jbXZ0Gqdl-mSf3w#oBPOUfVFw4Qp<O+_njaMuuORQ{JE&6Lc@1wfC
z50~$Jw(mt?v_i<+&q}s`jJ`fv+-6mye@kh?&X>-A7JZ*;!*%bzVm{ZI0JfT@-BS~9
z>3aRGxc2y#_G+i8b)GCY{@m5$e)>vh$ATSGF8n^0R`B%`Bd<tnp_NMhxkR7NQ{Ubm
zTGn{{bf=Q<&6~eECrjBj^vsfa<8(~n+ssBow)uywPD)-nb7XgA@8N%*Vpr#D8KkB(
zcr0Jj(zA8;<?XVGX*=X(T$jH2P*Aru^FzhywJ}WY_Y-`+T3%pbOXAH4(Uh^fC*wS6
z!EYh?1CMnMa_im=Yg`ex&-C9uH>FLz0sAzrb;=xJx%X(Jn{$Fy#s72`3FW{~a@yj3
zzf08buR9f?(SD~!aNf%09i5WWt9{NL+xgvg!eWD<Gw<ik_}1Lrd4h2-UsRc9k7oSB
zpTDI0K79>8k#F{*<wL@(H4`+S+1Go%bcuaBLElJB*7SqWf(1qInEEE$t)HF3xzBXr
zJm26w({)vSyriWbmL)#8EbAV%-q)$yMd<SR<rdz$A)EdO{G5FHS%9gI)R$RXgT(&N
z3A5EbtmVa`C4KDOw71vh><h>>3VS-wJ$#o?MKXJN5p%y(!b7IaL~o{zoL5bo3^k{l
z*PS(AAhO!tN%WhCz`0HPLS6;$Vk=$#$1ZW^o%aV;7q>lL!1M0ih5Zv44{9mjte*Jf
z#?rsXU)HFk|9`ZYDc<V1)E|lDQ>W6W@7(SFk}18!jqRBIcgyNFyZ*zge3(<Em>p|o
zAKhbrrN;Qm+yCJ&m~ZmyGEbX*YsT@motz(!7V3uH$qPR*yK{QQ72}o_+nCNCcT<?Y
zVzFuQ+CBT%_MC`dVbxQ-+f(%4{)lnCzC~|e{qJA0ha(E7v#wrHv-oOm1J{g<ePX-(
z_bBjX{NL_rcQR$&i%07N?)YoTdWX%OB2ln>dEAsRu1ouG#AqzOQ2mGfVD?+Ls*AN<
z%hKMa#IQz}Ejq_1dUl^`u;l4=i+%k&y=N@CdiB<1Nx4$p#WVh|_^b0_N5!Wn3ij5{
zleLdWM|C&*s9$k7aQob$iCw(jQQd8;-LkJd{&O|!%%RLI)91goZfbD7bosA^$E-yL
zb_R+DoNTPxe9TNztPCt7sZ!M|nKj?ZTTVNv8yjIJr!w7!gGD5Ad+Wz783K*x=k|F0
R*e$bl3+uZVOw5dJ3jlW1>KXt5

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/node.example.com.crt b/akka-remote/src/test/resources/ssl/node.example.com.crt
new file mode 100644
index 0000000000..0bf0ff16fa
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/node.example.com.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAwagAwIBAgIEfzq/RjAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDIzWhcNMzAwNTMwMTU1MDIz
+WjCBhTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxGTAXBgNVBAMTEG5vZGUuZXhhbXBsZS5jb20wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt1BnrLQGu6QaqTYilJufamlpVqW43
+fjibKUA62FRzoD56rTST5fnn3XK0PHWcr6DyVIEFUuz22DsnXEJazy0Edt2AwKsu
+aP5An+1zMBBYu9mvYEFXTu1VczFIN5PzYIb8pIWHsuchAhHYVFZmUAWbSCvR8hns
+VSW1n/bLxnXIfvnrmv5hHMsPgoEdG9gw5V7OA4wDAWwc5nb8fC61E/CSSPnKoWN7
+Vm8f1laTfh/mKOViO66dKy1zeYXvfgt7BoolfmibG8zkrxqeDQRmedzJYyobbVV6
+YHFjsAAtqVqmSj6sLfgKUGq6Oq/0+NJqKp8QhEBdPIwyekh+ijpDGirZAgMBAAGj
+gZwwgZkwHwYDVR0jBBgwFoAU2REkHgBAMCYIi8dhLQAoPj8CpRQwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAoBgNVHREEITAf
+ghBub2RlLmV4YW1wbGUuY29tggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUuZLgycb7
+6NYNriONSXH0cyN+kXwwDAYIKoZIzj0EAwIFAANIADBFAiEAhHn3vyQz4RzQAz8n
+6Xn01+GwKYX9crzifo2N90rcWD4CIDSw8zaDacsYroUhS+Z7UqRSYYVLynv5pK98
+E0Pb8Y9B
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/node.example.com.p12 b/akka-remote/src/test/resources/ssl/node.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..ca90e540a15addd033e8c92f7c863e73e13c2a1d
GIT binary patch
literal 4075
zcmXqL;(yM>$ZXKWzkrQXtIebBJ1-+U<ANssi7ZY0y#`JEod!*;wJ1`oc`Qw=Sq4q4
zX$DQKNo?FuT|8WjObeP=ej7Bgd^gZ!<AMn@G8;&<h<H!=>cIYe&N4oiyPqz9e^k>o
z$8G@=GsEEkmL`@Hv3dnl-!;v+wuwbb^nagbQ0lw0_EjEh)LlL&e|h(5eiE<7yOXJv
zjY}Bo*9Y>Sf54G`u_JF)MnSmT_fNIIqt88XFrRt1>PM)zLjlLKy1WkN7nA=@m@dy|
zDXRW!)z!&QuRlz4Q&DW}oVk4W*Vn50Vjq^ioqx3K6Vn6rd#B1e<^9fF;NSQ3eM#`~
zdFLFiH(oR`m#X>c+^yw)<v<LtO1{~@pN1v#<P{|~dN1&t{lc>=Z;HUfrp))n9ErwU
z$37`t`^z1A;MQIy*^0H_tke?^ys2b7db@Yd-+O5fuC%S|ywY_dI#rMN*w&wHOQm$f
z7o<lX|8V%zB)!Cm+UxEXzTbE4r)2Oo-Gq9P>!y=h{^$6!=#@n+eLDF>YWMr3^UMDl
zz2dk2AhwTVf<CW%)vUhNrZxXgRW?21b#UiB9U(P+_q@Pfk$;Qtc?n<Mv)A(P-u~Kz
zh@W4DIt4cwwKqD26;77%RH#zfJ~ODsE?efZw3|(#xsXh=)<y0w=fXFASySaY@5I{U
z*<$ZoHcsrzsoQA1e9JPaMH=yv3A-z{{aN{ULuq_==sfG_DZ#(yZ07u<9QilQ`sA@Z
z@k9Hkq>1@A-dS>+#qpeBQ1DIlWBp><6MwzfaP#$*&pjRNQ#5xJ%zGK(mNO&pI9Je$
zka{uG386=__oig7vEKNv`O4l;sWt&pw)b6=W#oP+GY5aW!)c}P@6MMf?b>?^&dWX>
zI(&L>nnOam;Xlq0?oBKL=kLyD$yjv!bo0L>9V`rYLLUbuoqF-np7F+$E2ee{b07D=
z>-jq^+bZ4d$l>3C>6YnxRzCJx{jDyg<5OGvnl-2SJ_$+OzUI%R^2vf>m%ywWj2|kO
z-Zfmj@>tOF+ZHKb8x$P>h(+Zccqbop$@0`c)6b9h>DNx%Jz-{j@1~z}=XtjKSRCVg
zy{T0E#>!xc^^S>xH$6}83Jj8bZ(ZBuZ^T`v_Ds<_GrUynt1ypMl;}I2Q!$%YI=iK(
zr7rJ({xzlVE8qU``@Q@;cYf{&UpULZ*gDqpxxxd@U&}O<Dzbjby_ux_;&1B71#4B+
zx&;n0-S}%-Z+hy=lZI_q(|KGuAIO-TvU!#)B9wX2CT`9IzKW*b0l#X`>^-nybwsy-
zlHhBxU0?eDmFB#0uwk=^e{Z8Pqs7X0@6(sIRklaCkH7CZKmDrof7v<a)-k$C8ZGMb
zPkOE}T88FqU~p3C>3sZ3CB)83<GxRTT*Ue8>1`iO8YXZ0k{@oRd-LoKDdzprO3yk(
zbYB#)<(!^UqxAhVQ}C3?&tF8>hF$$TS6zuilkd1`RDbAR7LIvOCu`d(h<GVh8^%mw
zd%Q!FRk1e6FYUy8UZ(rP73ov-)>=<{8Pw-iWj*Qc+}?<%vAks~532boxyyT``g66v
zUH0p~ed(Wb8*hu0ZZWy6E|T3QT^gI+dVyW~-t~&Nd~TJWd)8}6eiaB-TK#yM|I8Y#
zmydS^sD5L;lzOq_@uOSZUsv!(o}Fu#Sv1A;SzJcb&nv3W7|M)8H4RpJw|?EBo?$Jl
zEK%gN@SIm{pF*wp%z#6?SBo4-&{8~i-}H(=#|oJr%|(4TKU$jB{(PZaG*jtH<DA+R
z|FmnDb#03&ob|=a;<Qb2+`qs@AC@OY&HcG#({m?gzFU14XNK@DuM^02>Ja_3?6C3Y
z)rKJk`tYKXQ^Zh7PJtnhA)g_IA(cUoA(f$mA(0`Mp@1O=%ui;>XUH{BL}(B-6k!nx
z$;?evFf_F^G%zwVGcvX`G%{%7Vu34SXIs$3`PHC_^CJ@@gFzGLD})RqN~y~RDs^8d
zd}@m5-B!^tssCzFaBk?6mKjyxQn#UrbA#K}Hy2n!3zN#bxtOCxFR=$Dzu0=$+VkJ#
zfIO{N)`4%PW=S6xzWT?5lj-D5S!rK!CAN3x+eD7(8cr}vDa{C$n10cGih1JfH=Zv`
zSgz$HF#qN$biXA$yD^}1nth=9VlNK<<=tD(KN6qp`by(N{}kypcLkF6{4Q^FWbD0u
zOhMc*F5!0V!inM!*3ReI9G&&mv%_Di=$KE%oVFj&w&mXroxIOTS~PiAsnwpH?`NLi
zo12>I**Z12?%2K6N`IE}ekl5~_S&=FT@yto+G+*=QN8ie_aA?k>GtX!fqVIxwPX8U
z`R6S<`279bjHU-FDm!~L`b+u3uEyoM`IYKzii=hCkyx?ZVp{1U_b-=E%5QRfckFDH
zkUxKNLizvXdH1{?SzGihvdx}i&>`{mv5w9R2HzD{Z#K*FCY2N&H*9BI)4JVvMM`$~
zN1oXaGo}7s&o|#^^_qRQjLM9-KUZV)zBH!)o?+*4<EP?pTipw_mlczZms(HDo@8Wm
zC^&3u<$bLy^X53bK3?+XOzuB5-|o+L3&eNWEe~BDl3TWw>AUdH>(K(C^X8;WzGI!3
zws|Jc``r9x&V|fT`u})Vc5iXICVFzp?SFzVj!aT@-5aop+xN2PPnU|_I*MMrn=}PC
zr&+BQE%99!u~;dz<x|T8-z$kb@|Uh=O4{E3{Pf=b-U#Q;t__mu>voAqPjc3qwq~uU
z(2fL~XP=o@b_8*<ncD3*zcXvk&x@6gcIgjzV&-!xTm3&CxxPwZrxdHv$^*7_b8cts
z<diB54Gl>BTPMF>!SLSR>mCxOy=T=$ZgA!WUo}@%6G+q1o}auUr#gJXLDl}l7uH?P
zSJZnIUZ3(WVM&<gvAc=pS>E4w8rm!~R=0h6V%eXW@2)O*<R5W+|NEue?1j~rd2)AF
z_Ahc{+WWk5$MlBIz}A{`0v4eX-&Z$uc#5g4Q~AEllr{G16ty^2{fSflvwcb9FtfO$
zT4%4j`B>$%ecJbhKM5rMC=Up2K3uzCdY;T#-iv&vQl!89x%L0Zyk3^JoPDRKvG9NQ
zskuMtf`kgI?0<$y6+7~e3hgi!e!uZ7$6MLJ%+1e*3qPnmwi2KJ@95rF=B^7qoJ*UP
zk$n1i*wG8gra1~*B8#6J9~XN3WyKbrn%}3MHXFUW{FD8Cm7B!w%HGbEf0u^v#>W1P
zTHCYFV~)>1re5}x$+7vL3=DX-3q3QIN?65kK`6AI=ceMjBIA8eSCpM*Pv>e`yH~wu
zcH<+aUcU|h_N7b2ttzjnS?u&9<Il&GqN7o9HJ|O`X6h<Vy|G>OVczTI8r3tzicI$@
z_4kQ%+*lACtz`0xGbu0Xx<jkqbmqfrj{gdgD%&Q`{QW4idudh7``c6GUf-I%PISKK
zqk`u??|=BQPG>xSKJ@k7`oAexc#Zt!ubXwSb|%c;`A*=kwQj|RD>BNrOlGX8I3V-z
z*qq3fv-eIi^5&RYr&)S2Bq=&ED!6X@=1XS<{Czzx^(=Yernl?S>gTL=UmidDxNhz1
zmZEn(Jt8?y8&=sb`W?dRA-Qp)@E<9jldGqBo&NUNUS8Jh<<ZMKp7+&xq;}lipJ`XN
zm~le>&6}2%wNKY?+!Ld|HK3JwdTP4ZvHvm&jW^Q`w9kFe_xF&CdY^Oq(0XTK)xyb}
zHngp4v$i$laQHFDAyRPmuY*5TSaZbJy`8eNy!FE2?w|Y&)#nbc$(?>j-z55O*UCV%
zT?e)=c(d0)_H(d!;>|PL=X<S86D@opaC+au<{MHA)2IKGQQWjx;N8XNp7*ZSb+)T)
zm$=dA`Nv55+5vg7g&QP(_9*QQsXx)r#1+gtS-z_K|IfdBKIq=LWqxyyrq;g`pN@F&
zGR`ZEyfb0#-U}UB&)o$)6O>ZZ8B-N?dSidxG29_%dE>?Psw1}VJAO_zy*YQ*v3bmC
zZ@+2;y)w@hoV%;O?#qiGt$OQaI%V!@-6^@b`hTA;``ywV+k@X4B(uL@=2LP!VyZ7c
z`C!<exEI#TwqC1vTB&v7{Z`i%eJ;hk=a)0Tx*V~K*<g!?d)IsKjqA!{iiP(mxBA@Q
zr+Qwl`$oFv@3k?#TKmI}PU5=3>^93@=4g@e9q%Q2&np(RPvlPs(oj)}F)_V6@wq8?
zoZ_7}<=M{zpYZK2UH$EWUH7@b1r2W&96Guw>3XWjSAU<-jFOU{sdIy0E}Lxj?Qx#h
zoI}hZ*Z1#Jeao_(`?o1m_NE2V8Y|Cw^W}3rTfXrIZ(#o&pM1?UtFEiZSHCN|X=nEE
ze;t4A#T6-+cYdq&ZgctI*YVN$TUSCzm+aM5hJBv{`Ybe<Q+_S|yKU7kS?}cm!u7Yh
zOs|BxZ+~SK&+ig=)~iNM=4#pH%DtB)MGBv7_b+B{2#WG&yLTdP*B{?)*S)f*I(=d_
z_^KpoI6-;xrj4vWl4>VxI1}*DH;Y4gb6mSd)x-;Ob0Tl4)Y^Wn;F%rB%O!gDa)ddv
zZ052fFTFQs^6}hn%vD(~W%%TX`<$!^#*<PH+f691*m--^66f!eWS(w2_#^FB?H}K^
zEi2dNZeT9?sy~1Cy#D=5Zj|4!wC-5RU;oYbOqs(ugCmnQ-)v8>ZL>9c_W9JN*3`wT
zugsHBF}+h(`SrE%ufEkrRqA&nSN>Y-WVd~N?9|HwHY#Ud`o7DWqRR1V-NY`rjR($%
zDfix5x9-vzrq)AqeloZ|V4vqLe^6UH%F6Umu=*5lmf43E7%cc{-u~i#Z^vwv14<&N
zYb%!=tuf!>ozxyV^U2e{Q#Y%LHD6>cH!PePW6JMWQh(-%b^hwfHy-fu>HH{36Q1~J
zo$}`(8TQ-#`xl?Pebce9QaS6X>FpBNM{iHPkACQHw=D1d(+mlV4?L5ft(woV^YG?X
zlRofi2OCVvd>tLHGlyZ9?AJT1-p=25B&KJ}uXZot{6#6g+wLB-@G3M~o!L8Ux7)9Z
zw26*}iKh?WE6mnc+sYhKF7li`{`6{hj*`Pto>79q*=?>y`QE&ZTfelq=W9x^2u=I3
z_3^5wLOPF`e`SjEav5Il+;LoX&%whFN;Z4Hb)Wmgrb{~NWRCHI=MKvfOd>iTN1sS9
zVl2JG;m9y~t3VWITbL?Cv(f)9#rpqTYdj}~34avpyUZRUa{1`>s<eG`Yu0Sm&R-a?
z{h6dWgZ|^F_2IFr_rICGY=gjoguH;4oO7k`y_WT`(#+nV*)BJC$z#b@51$8(e<Zo*
z9*UW{Rjp`S0^_SAe(QfmdDgP$C-ty?vr)*N)pGKa%ig~4-LsCY^!$)_yd@#bB4Sq5
z4Eu|Ia=*WQ6k4K@>vha~cB3e(hL>X6J30BgY(fY6c;2_Pzn`6*|4{hxLfvEACvYUx
zKEEW$v&+}yMO$0Zy@iuw{=C_`RqBiJfqNz%f91ZF>g4S-j?3=QGq5vIG~i@o)#hVn
zl450G5ow)%H`icC=@s6&Y!;<D$2@&KSNgGt?Ej%{nJg=HW25RRu1~l3Z<*cjlbMN`
Hv26hWzi*of

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/node.example.com.pem b/akka-remote/src/test/resources/ssl/node.example.com.pem
new file mode 100644
index 0000000000..0cb4b4c999
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/node.example.com.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArdQZ6y0BrukGqk2IpSbn2ppaValuN344mylAOthUc6A+eq00
+k+X5591ytDx1nK+g8lSBBVLs9tg7J1xCWs8tBHbdgMCrLmj+QJ/tczAQWLvZr2BB
+V07tVXMxSDeT82CG/KSFh7LnIQIR2FRWZlAFm0gr0fIZ7FUltZ/2y8Z1yH7565r+
+YRzLD4KBHRvYMOVezgOMAwFsHOZ2/HwutRPwkkj5yqFje1ZvH9ZWk34f5ijlYjuu
+nSstc3mF734LewaKJX5omxvM5K8ang0EZnncyWMqG21VemBxY7AALalapko+rC34
+ClBqujqv9PjSaiqfEIRAXTyMMnpIfoo6Qxoq2QIDAQABAoIBAGvzmNUQckcpuFXz
+KLVH4B1GVmt0eVpFLOpPR/BDgM796U9OWaSv4e84+48rLO9NsupLyISB51+1Ead0
+CFFU8GQhXZYkESsVUTDZISGz67LvllTvtiR+g63Zh/WNbnhqreogUjzfweIh4usy
+FSYc9B5nR69uZuL6ThzpZt9ONL958U9u6atG6mCDssT3i7ncqbluoQ9qgT1Cqamj
+33VVziG5x+jM9j5TyWvy28/yO+uaR46lsPYGgAttYJ2SpEvssniWubsZ9X+BxAV8
+RtGm+0eGgKDzi64qLU/vRq1xBuSBB1zA4XhnIE/jN/ifWpzO5VF3mVtQbHKT554m
+8BjW18ECgYEA/YT5CXcJuxhzWApupXNr+mQAsIeaNjuduQCFkPYrirZQyjmSWmhW
++50IPQtQrvzV5mC98XGzBOfnJ9FL+q73GMJQqx2FGwFrenjATLQJ/OcfYxrr1MEq
+RdANX7ZTdBRVlR6EF3FCbwVYDyhkPy/W0PGMsgqdZHDwBJc6U+8RutUCgYEAr4eD
+1WaPnh75gJ/iJ6+ouGJPYKO2NTPCHouXJ0LWXJp6tD4geiV6O25/2sQYVTlkyhBg
+u3XyC0wpDIGoE/nrk0T6wIX+cyFWeSCxjkWilzT0GHj4LVvOnbz4DYD5PEEkqvns
+nK8KWxFs9QJ6CVOUBkZv06UCL3YPC1tVJNn9afUCgYB9TKZlVi86CHihr+5F2ckp
+ZRmuJidC3K40jJx3LCQTF87QVCoQgvdSvqcevKPxCMeTaIcYeTCYoSFvXZNm3+kC
+lK+YEywBT+9WBa5NesJg+75Yliqu6ZXCEXU6s/uFKLOv0vhIOdMy2fpO65C4ZiWO
++YOnT3XA+cy3CCNs7oDdzQKBgQCAKGd/JhTyFBeDbDkJVN3RUiY2nxFoItQ2zSCd
+j9VHY5r3guzfggGO5wz+w3Iot3D5f5/A/0qsKP1HnlsDytPPgOu8KZkwokSqx84b
+3Ifr8sPOInTBWWiwDsrlwSc4cS++jh/N/peHCmANO7Oyn41ST5dSZgYEdSRi3Fp8
+P5UhCQKBgQCj8Hp7UINSAd6SjM+PT2wLiTtzbxAkl37cCwdLAjuEXOkwicxLCfQ/
+kxcdkHsUnXWsr51gEP24aVcUsODAiEz/0w3ebrgQsFIwZ8S3cZ9/lCVpXmwpyiQv
+/zOpqsQFbJ1ags5CfQ4cFehoHR0rk/ZOsf65T7mmedBcbaMFeucflA==
+-----END RSA PRIVATE KEY-----
diff --git a/akka-remote/src/test/resources/ssl/one.example.com.crt b/akka-remote/src/test/resources/ssl/one.example.com.crt
new file mode 100644
index 0000000000..6769ef66bd
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/one.example.com.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICjDCCAi+gAwIBAgIETEztzDAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDE0WhcNMzAwNTMwMTU1MDE0
+WjCBhDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxGDAWBgNVBAMTD29uZS5leGFtcGxlLmNvbTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABFWOb1oYjnJHzx1UMQTFbYhFdlEirsWGt0do/ujO
+/mXk8kMOQz+p9AtrfKR5AUCsZt19EDAtomXPdmepiOf9+7OjgZEwgY4wHwYDVR0j
+BBgwFoAU2REkHgBAMCYIi8dhLQAoPj8CpRQwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
+DgYDVR0PAQH/BAQDAgWgMCcGA1UdEQQgMB6CD29uZS5leGFtcGxlLmNvbYILZXhh
+bXBsZS5jb20wHQYDVR0OBBYEFC72gRAyHCLjripkjmxa9fLT7Ov5MAwGCCqGSM49
+BAMCBQADSQAwRgIhAP2ltiw9l9mYWpIzoMAP0jBVWBBBKxajHAY0vYA0myaGAiEA
+8fPcYmmsb0dfSOnoR5LXiegG33Tih7HBiG86Gai+ozA=
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/one.example.com.p12 b/akka-remote/src/test/resources/ssl/one.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..6a641005ccce0e8819d2560edb93d09aafa99b7f
GIT binary patch
literal 2694
zcmXqL;%Z`IWHxBxvS#DdYV&CO&dbQoxS)wkhoy;2!=Q;v#h~#cvP|P+mc|DLjdu+i
zZ?SPhHSlmTGA$@KC^gVz<AMn>G8;&<hzOXTooCFoYW>mjeJTrQ>lGRAOp0b=W;h(c
z;t_B(?(-buo%LqZZ*XU<+~VA$RmiB8w5R`}z~L74HUC#BS?w+G>2?u5!78b-zcrt~
z$S$F&h~vfH;Pcx;tMw|CtqiXv`t_eXZy02t3wI!=h@pa<978@s9z!aF9z!Za1w$f3
zE<*uB4w#?Jkk627pomZ|YAC`Y6q1>ns$ghpX=q?%W@cz=Vqs*^#Hj;U#Ll*$iBr~~
ziBpn^k-?yeQwSl$h~i^5kdJx(huhWWhToWezJ+<4-XdF;h5y*WK5l5@xY2I2_h`#&
zJ3~X(HY-KGC$jSmd#rbEKg!kJJo|LdM4#OXjSNB&vFDpvBMNipY)@UFqa=3t8`qNH
zs9y=M_zkzq-V9p5Eg*rbX7`!qWb<p9p}d_;th=21yc)R<FPAS!UAwWn^Tm%9T%5^n
zk!MfVy!tr9W=FuZkSTX#_8!~j{KENTe7PCFhN)29Tc_W@50-qeiCH@T`_65S+_JHo
z+DZg9+P}z6YG3E%eBV>>QS2)3eX)KoSq`;WD3$QGwYc4%QC<JjN7j4F4b}tVM<OPC
zUaS+<z0qcS{1W@8uj4IRo(o;Sd^z{%%f5Ei1E(`z-A-uQnY1WY>x_D6#O}#=l=u34
zIglwGJSSvvi&y=<!UqL!-`s4rGCfgvyyltOrHOkdy|8os6;-je$>D>;^9@-#IZN`}
zzAUqK&r14{xaQ&F`hHIJvuaspVPfq+d2jC(PY|x!tmB=pn_>RmDC<c26}iXB{BBo8
zl*-F3+4FwBzWgPvztgSvmCf`OMT;-L7UjJ?TUnuJXTr6`Qmd~@A5fEut>HC2sa3Ng
zN9~JC$;ZnP=Q&H>$YpNq+905?>uiCq!g*uQn>8<WWQx4@sOc;a`x~B9W%!as_wz30
zwaFK)mKpkqS@rH@p2;1`_Ai);`D5Lm7xT3A<~^HwiDBd2j7iB$t3=Nzt4!8Z$_!Hd
z@Z{Kb$GFnHJZ~RXAL!lIbMAG?-NIWHD=zx&o$nHNf+5Ljan%#6<}lkeU;Co7ryV>I
zeQ>RO@HHNZk5Buu-t?<8JY@UMrQ!6Q*Cj#V{^I11FIMQkTo#;OS{2>JcgfuC$<;$&
z8$A_LCspjba{KEuK9xQ8MH!-+Zs*zKd#|ob<8qu)sB~^qLelA1LK@fiC#G!>HJ*}I
zaKmurTA?ZH68$-MYHvB3vCmzrm+f@l#jTdv3x6hU4!HHYi(!`Vk@U~qiB)C(47xkN
zN90zdMLw09ymKzEh6Bfj#)lu@8(KsZoG_h}A{>x;n<HrMY%eMCj322FxRh7UFaKd)
z_x`23$QfbV`0v~Ht48xKjD2lTvEts+n#t4C3YKLx28sv>ot=Kfan&xflNp)qIeVNR
z?a|8BKY!x9!lSe;jyt9Z*T4L>PxSiywAWXIlRp0zb>DFL7>m||j=TFGYhF5gWxHC>
zl@rHb-fGqS{WJBba1O(oy9Rw;T6_OZIym#hhYdByIkVzt8LmD0_1{vtzqM){yHvg&
zyLUQw;;~mO70b)iS<){DY<F8<8TjMdhO(}tOLmt}TAb70|KjoCJz=-H*BuF*@Iz>w
z7`xsY4xIysI8A19eh#(@R@vxw|JJFE+z$-yuKZx>`Aw;h-8QS&YSTI4rh`|`zWc57
zcFiXLbMti^_aw$%xy*T``+fZBmA8d?be}yb|LAOU_xOXjlXs>rns~6Oe)@r@I}55c
zW*g>v?EBI$Ebh8N{n)opEVB>%`CD^qz5rWUw?@D<qlVmdTW&3W9$)aTu17Y~l{GxR
zbe;E-%*kw*u2ntT&TUl?;qqurOyuXa`?q}#Q2m(9zHUjPeEjNP#y@y=Jjyw%zUGWk
z=6hkW-FMbct(@#KKgMP8mTCO2`TAsM&x=`_%5t^7(Iw{UGW{r(<`+NMO%-n6?mcpF
zgHr)t&awI>-kJePX_hWVN3NU-*R1#HwR4_ib|BOEf&3&R9SP07CG3Hhy03r!&HU@d
ziR_w8hFQDj9;+4?|8{NJV&AO~zrH%X%GL6F;ss`gC6!UdE8hOf&t~%zJh#kk=_}it
zB|F(qhb!F++oRv=sTMGy|J1=BjUESEK3pyERkg|teiD*#>0hqQ-pA7-Yi1cX2bxH~
zef}+X!u#6m;r%mKWF6miwEH9feRKAt_-6*4Q=RulT6dk@UGv?;sw7=9Ug1|`++V*_
zP0m~2P1~ll?Vrve?ODp77I%0ry0&QgP2T&P<X#+max=RBwM+61^{$DU_aolU)JSu>
zwEBwsMaPR(H$Ch*U!F4CaMsBz&@A|Qjs5H?Q~0+3-lz6>a`F}p!DYXTADDht%~|{P
zTJX`Q&0KRbT&8W^$sYS8Ns48U)apj5p4gL-Z$61^Hr?>mur07>CeyPLb47ELWm8Sd
zLRCz}4&^RPSzlNy9HpCgD(`OGZ~nvkJUQonjq>)j`f54vQt;~6M~`VF)G$jPn;i6}
zcj|7&H9Ph(BzsTHGH%~zo6DelEaAbib*|1SrV{NpLanDf*ZR0vIL!IIO+SCUdXKBa
zja6#1KHuSxoAS|6z+V01Q;|-l^?OfjpHro8)3*2asj$L{%dB3RfB73J=-^Vh`nST*
zx}1p{mlc#A3Y)ZY@7Kj?)|m&Dw#nx2`1^3F)vnk&Wq$VK^Lf^ns_Hv2MHe4zuV7I1
z@VS3rou`(2*1kR#W2x+ASuRd5q%y8g6kK^G&FxL?&p&S?{T+Ez-Ig6}TNU9G#+UV4
zWPMPj?zBS-_#Zv`uv6To-Sg=7nsY&lVta$0aenCkf565$-+cbwIayj-FWcK6>Po$|
zkh15xy4>Y_ct}^d?}OU9A4O?B+#39!5Abd<^^5Rc;`41?!0xqrfpW}u-3`TUmKCW=
z?prM$d|`b8+uYR2%<V4c{1^VeA!zTVS*`7uoPS<v`GzYSi}=lEE3VIdk$L~!lap7U
zS~R`;TadNHaqr|!Kh|%2+B?r&(TqW<A=Y_G;k=8!)kj3kl6Ty=5*uOpk5xkdLzcj)
z=5M=7(r#*7RvoYQn49)f{LJTXDPOO6)~`DMb<3u#0@Z)qzhxfVCw*HJc!|~Hv^Qtp
zbC;0hO|n~#KCbV~{1+H@#^iVKtJf`xPCC7U=WHw_)`&;)oH1pbty&W+?E5<MRd<^A
z*Z!EBCsYJJ+<TB~-`vAEsoHQ=`vI<v`!iJ&PPcpfo~fg3v2pR1uO$<wDqfr<KGkW>
z-m|u=*pl`xw>#cAQK8f*@7i92^Fqg$G1qov&J|fV-PhRib;3&rk=p4tecf82UH7hJ
z?QY;+!S~{%Q;Oe03z3DMfi)K0mOn*BUKs7Ye*e#_`9H47@txoI{M*-8<{qKlo%c6f
z6V@|d@3F%~=qLO1)itHnGo9ki4>jgR@4NZEX4ljOexJT{m}}`N{4uaIP&D9VW7Xzk
zW|CrMU=b;Pleb=ieb235i%uIiHeb7$#l9<tMMUz&v4FV7`^(Ec4nAD+ahiwEv*iLz
I%#3Xd00hbR6aWAK

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/password b/akka-remote/src/test/resources/ssl/password
new file mode 100644
index 0000000000..965106c660
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/password
@@ -0,0 +1 @@
+kLnCu3rboe
diff --git a/akka-remote/src/test/resources/ssl/pem/README.md b/akka-remote/src/test/resources/ssl/pem/README.md
new file mode 100644
index 0000000000..9fa4d170f5
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/pem/README.md
@@ -0,0 +1,14 @@
+# PEM resources
+
+The following resources were copy/pasted from the akka-pki/src/test/resources folder. 
+
+- multi-prime-pkcs1.pem
+- pkcs1.pem
+- pkcs8.pem
+- selfsigned-certificate.pem
+
+Note that these set of certificates are valid PEMs but are invalid for akka-remote
+use. Either the key length, certificate usage limitations (via the UsageKeyExtensions), 
+or the fact that the key's certificate is self-signed cause one of the following 
+errors: `certificate_unknown`, `certificate verify message signature error`/`bad_certificate`
+during the SSLHandshake.
diff --git a/akka-remote/src/test/resources/ssl/pem/pkcs1.pem b/akka-remote/src/test/resources/ssl/pem/pkcs1.pem
new file mode 100644
index 0000000000..5f23b81867
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/pem/pkcs1.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA0IQFs9KpS6fpm7Bq5JcAzRzdZnYub7qGBJ9+QZX8F6qUYiXf
+jbVPAZSIksNg6G5yMkzBLZ8r0UOm5WJs6sAHKGJOQk9DcwZEt3XpGbYXAnM5V1sb
+xd5oNcbXLcHouU8jrEj+O2KvmgCzDDCUOf3SjGnF4dWqhsTT9tMJZvWVB0OjpKnT
+zcoxFKO/XCz8Spb1+FgKUgt3afA+JTRpQWtaZJ41fuTg0rm0qtUSeZXPUEYkqqK4
+msoSe7dbu7uiEOkUPoeiP7wzSrwihQSCxOzwdphV2XtF5Xfs24/Ad4WKXTqRVUK/
+yldcQy2orFSsX41KBzS8PI1hnOC6uRA0PiGd/QIDAQABAoIBAQCDbxShGuK326m3
+B2b5m+1XXSB5m3j92FbtxxMwiDgVOuK5UyItEuIwHs5PpHQLTsMQzaze8vwNtlUX
+Ngltl4lrfTvTNF9Ru9vIwLwkBtFOLA8y7yz8doq9iw7LuvTVCft0d7Y4/KWvr00t
+G9nzC/mRpIKlLaeFt7/cT34XtikwH+Ez8uWGidYnrqkKZ0bsIZvD+e7gae+veohN
+BnTcyDIk8P5nXG0vM4hxtjLo3KstemwOt6vCtiKzL2Vq/JAVD3nlec8WPBzft79I
+k5tb3Qm/OnxIQaWF5AhAVkXgMsLL3ddJoAn/K6NZ6NtRGZozkwdP+m4nacrKFJVJ
+6ew7OdAJAoGBAO65GvteHLXQ3d1NfU+X6RSBatJdpuf2S4Hc7P+sTkPjLDlQPDKL
+ZFLVigPlCehMvgGASPOxL8UqPZugwEo83ywp5t/iOUccXZCPSISreSzWJPfOJ+dl
+aKP2cSHHPNC/mISDpp/NF+xfgEAUQQ6AdOKwHGlsFWBvkkw810d4zmXvAoGBAN+b
+QYv32wNa2IHC1Ri3VgtfHpQ20fMz+UO6TMefBbgkcgBk4L+O7gSCpThaqy9R7UnX
+IEH0QyaBEXzQxB7qvCo1pczWiEUcG+vAyyz9U9oO9Hee/UTMOWL4Sj7qoavau2Be
+5PFOO6qA+19JTnStuNb3swNrMmxDQpyNDvUkYAbTAoGBALuYkSCJ84vZaBBZrajX
+mt13WieYWuocPXf+0euVTyfAJOehKr0ZlywVDNFEssVvUT1Cv5FpYz3QlPtwlsuA
+DGzbPMghMZu1Kb3JK1a+nYnjeseVpPwNT+7RYlQGCr+MYOF5x336oNsqrVEt2XX4
+8mGVva4GtsHCy7fHc/GBeMjXAoGBALhEYkytER//okG0xBUdKFwwo6tyTavEndpx
+UUqDwpvP9N5cQ1W4vG6dFviMx1s0gX4DOQMA/sFhRX79L1FnEW8bTKmz9RI2qs+p
+zgUiMhKVlmJpc79ZKMVlZRHaGybbFuTA7pvoY4ULy5rndy7x5kvITg44LZJID0Gh
+gL0Fn9ifAoGAEaWA7yxTA7phDIt0U91HZEVhNSM4cZDurE7614qWhKveSP8f0J4c
+3d9y/re4RcCwmss/FtQWSkB+32WbD3qk+QB7hV1oFqJ5ObcfwevGYR8m6vOz1h2L
+3pQNi4PcH3U8eeGG1laFKUQ295rBLNqIbOo2y+4hxMnC4tka1X118Ec=
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/akka-remote/src/test/resources/ssl/pem/selfsigned-certificate.pem b/akka-remote/src/test/resources/ssl/pem/selfsigned-certificate.pem
new file mode 100644
index 0000000000..4fb0ea7b86
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/pem/selfsigned-certificate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCzCCAfOgAwIBAgIQfEHPfR1p1xuW9TQlfxAugjANBgkqhkiG9w0BAQsFADAv
+MS0wKwYDVQQDEyQwZDIwN2I2OC05YTIwLTRlZTgtOTJjYi1iZjk2OTk1ODFjZjgw
+HhcNMTkxMDExMTMyODUzWhcNMjQxMDA5MTQyODUzWjAvMS0wKwYDVQQDEyQwZDIw
+N2I2OC05YTIwLTRlZTgtOTJjYi1iZjk2OTk1ODFjZjgwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDhD0BxlDzEOzcp45lPHL60lnM6k3puEGb2lKHL5/nR
+F94FCnZL0FH8EdxWzzAYgys+kUwSdo4QMuWuvjY2Km4Wob6k4uAeYEFTCfBdi4/z
+r4kpWzu8xLz+uZWimLQrjqVytNNK3DMv6ebWUJ/92VTDS4yzWk4YV0MVr2b2OgMK
+SgMvaFQ8L/CwyML72PBWIqU67+MMvvcTLxQdyEgQTTjP0bbiXMLDvfZDarLJojsW
+SNBz7AIkznhGkzIGGdhAa41PnPu9XaBFhaqx9Qe3+MG2/k1l/46eHtmxCqhOUde1
+i0vy6ZfgcGifua1tg1UBI/oT4S0dsq24dq7K1MYLyHTrAgMBAAGjIzAhMA4GA1Ud
+DwEB/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAa
+5YOlvob4wqps3HLaOIi7VzDihNHciP+BI0mzxHa7D3bGaecRPSeG3xEoD/Uxs9o4
+8cByPpYx1Wl8LLRx14wDcK0H+UPpo4gCI6h6q92cJj0YRjcSUUt8EIu3qnFMjtM+
+sl/uc21fGlq6cvMRZXqtVYENoSNTDHi5a5eEXRa2eZ8XntjvOanOhIKWmxvr8r4a
+Voz4WdnXx1C8/BzB62UBoMu4QqMGMLk5wXP0D6hECUuespMest+BeoJAVhTq7wZs
+rSP9q08n1stZFF4+bEBaxcqIqdhOLQdHcYELN+a5v0Mcwdsy7jJMagmNPfsKoOKC
+hLOsmNYKHdmWg37Jib5o
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/akka-remote/src/test/resources/ssl/rsa-client.example.com.crt b/akka-remote/src/test/resources/ssl/rsa-client.example.com.crt
new file mode 100644
index 0000000000..9e8732c499
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/rsa-client.example.com.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAwigAwIBAgIECUHCVTAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDI1WhcNMzAwNTMwMTU1MDI1
+WjCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxHzAdBgNVBAMTFnJzYS1jbGllbnQuZXhhbXBsZS5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEViFvY8pp7M/yv4tyUGyq
+knInRW+FtHH7rkgB7nqL6DCItp81yafB2KMQ7NrdRXKr12sHUhcpd81acchqURZM
+TqM5GwhK0TieR5qfmT+zQmBXKprIVc2sRvgVC7p4wNseXwky0aLJQRlFWAgB2nZ/
++EBDNt0I5QGLSoaN5fMH6F9pVC1IpyCnVFisgDg7obCOIkBUfVyswye0+RcjGYRA
+PelMzQcy62AnYh/64eBDKdGfLjHczaw14Uuy5OlWjeyVdM6MZBOf+KfxdD8KLlhw
+2cLxtzkJk3JedqW4+ufRS7ilGRpUw8e2IgR9TQW0VLYByALAVIfJSMfUEx70K5NB
+AgMBAAGjgZgwgZUwHwYDVR0jBBgwFoAU2REkHgBAMCYIi8dhLQAoPj8CpRQwEwYD
+VR0lBAwwCgYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMC4GA1UdEQQnMCWCFnJz
+YS1jbGllbnQuZXhhbXBsZS5jb22CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSPL7X9
+LBqCjnPi25CIzzkX3OEiITAMBggqhkjOPQQDAgUAA0cAMEQCIDx/fReRIBGXgRkn
+zYGi09q7VccGTfw0gCTUa68NLTqpAiA27xcuzNMBS21xtXa7nVEOJJ1BUyi7c9pS
+/9KFyHXAXg==
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/rsa-client.example.com.p12 b/akka-remote/src/test/resources/ssl/rsa-client.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..0b3e3157da651269b96efd5cf2d473295a07786c
GIT binary patch
literal 4103
zcmXqL5@2RxWHxBx-^0eK)#lOmotKfFaX}ORT9zjMl?F}xOAVS>J5i)qt5}*?%M6-W
ziwv4r^Vqndx_G!4nHDs${5EJ}`EH=e#sw2*WHyjy5t$eB!sz<cM~7}m<jd$as^6T%
z!WqHD%y2k>rHSQ4>7EynhAAx$?%(;g@%;UluG5%csFu%haqUOfnV+Pdxx3wX|J*9(
zsxp&m?7<WJDsC>gk(IVKSjxN0^gHJr;d#@V6gOVjdH+}R>2vv|?__RnOkZfBJK^Hb
z0=DZVKi(Z!6nErr_(8U$kG5KWww8D6W~?i{!n*TG+F!nkwtEsX0dIvvwc0Ke{I<ES
z8vNpHWA)Mqr(-T0^0Riv2YlZ-Kk;n%nnle!4!+!C-F=gpd&Z{8mUlb+gO6QTzOyp%
zzPj+bfNQ@C_Gx%#DOnu0x>3uxv4&AZwDS4GC-){)>`&)f#do1}-HoE#@9u6$UBM6?
zwOe_omQSS&m$dKsi{7h3%Q#sr@2MHp92VFZ=4YGDy==iYSB1w6?mi9O(JKvXpK&~6
zQDSU~>M1%L)4gYF>6Z6jCoGlH*vMBtYu<zN*Y=eyC`+oIcklk|$;a{@|CsXCH&=G9
zWp8xFmkFnHUkWE^eJbb96WwBZb8mIR<=nX$Q>6dhIj%ETb|qhAuIx1tk%hHuzn@g`
z@=5ln-ePMqJ1ytIlS|WAo!!K`>w8b~JU6jZJmK5-{(DkZ=OUHH<75@l^h;rK!iNd>
zw6=NGg>w1Votgae#{cr>H3dhEm1Jg`8dkP3Ch=b8TH!TIE<LGZ%Z$dO8S$|{G#4G4
zD}K?!f1TsxGc3Hk$8+vXe)xJy0Z(Y}^rwc;#rvAiaaA|%D=C?x(0p(~c8W}|mR?Hm
z&2+)1w>bY~o^jiMX2GM@vn(+$0>UPUsrNe{xm~v9=hB~rvrV4LW!^dS;r<dyhV65w
z9OF5idU!IMx9FdjiJ`2PRnFNJIt%A_K3=O4a=b9{Pl16;Ge?>Nli(x6#G0=QZO{6C
z+w3>F^76gnL%eyHR<8c_D?4pjsg!-&qdC=2-&;)&a{Li5H2=*io_}_0e@~sAb&i8G
zl3gP8yOp^{tgp&EMwJt@ZmioZdhUi<VB@7FwSVTwJ&wu|-16>D>*}u)FSVRLciHut
z?aE-ew`RIJOc!<I)I7Mqe!RxCNoNN;pX{b7c4Z7gZ!NB$GGo0j8|=vWP?h<|<E1G^
zr%&ydxcYa3#_RIs_N5cc%zmm|tLd3<xc`6d*A!L%eG2~G(#ngNH~#k2lzQyZcE{qC
z?;rh!vwIX~{a9&l_Gt05@bLT&36)6ki^gY_j^8PAt=hnFc4g30$wyI#CR*n(1PYs<
z^-8vR@c4Gh7O6y;eLYvVPt!WYlE!dHy{13tnWy0gmuBO{;Pne+^B+1`H-6Z;x4-r;
z=fZbOJ!ULx*!+oo``g1sTbr*7ny>E5Io4_#_(0Rv=Z}e#>vXGYnnJTrTz~Q6;S0y+
znF?Mr&R$wopm1-h(bJUNJu99wA3fb`%)7t6$9n#nWrDl*M(W;~7nC_Q?@<h=n8?wF
ziCGOo`vW%cJTz-~)fW_(w>BYR_uRFUHEb@uKO2!TH)xsvYH8EbwMz?&J)Z6;nE#y7
z-*E5G{ne`aXU=+MXxlxOFwYH}Zqyv?kmGs#WSNSVOnB~YhRROPqGvV|`&II)=2~r^
z>?Un6`%=h;RYBZSmLBKz-Eii_!y8Wy)E3s2=|u?!WKUh7v_30(-LaXuV%zq%h6jHA
zy=`~!mt}T}+dmZ@{VQ5?;>+=ry9Jyqj?63<bNsgzx0XL=vxu{LygqhTW81t9PkZ@}
zeOiCdFu}kYUQ}|580yLCFcdKqGbA$TG9)wPFk~{MGUPFoFz7L)GE^`mGUPH8Fyt_#
zGUzcRGvqVm8Ym((iyDfs2!&+krYabkS{fP{nVA`x85x-wG;xW*6|u7|XyRfuXyRgI
zVq`FA;{1h>VMHl`*+3=mi|PK~KeHuVcM@-TcCWk5dQ*waLvRV)(8PIQ=F{}RZ~c2z
zPQ1KS<6}EZ;I)v@CKdG^X5nYQ?`QVE^FinAgpGFtS90k+Jk?%SvSz8ta&yrOc76<3
z4DVj)kMO-97Vkde<-vOoI@S~lH7dv3wV1uK6q)rks7YeUkFVePUPixO)@iS-qB3V)
zZz{Wmb<cr4Zr|2=>b)!U`!H>4gQxGYDLx-=*}lyGaMi`;>_X8AkvGEo<K|tIYc3V$
zpLj<3n}f8as<_29DW3^W6-hhImRK<A`)ZW*E$3hh=KUJ%>@jig)9$yYj#e7pD>q{8
z>VJ3T_A*PaB#EUCV(!JR7ksk%bI;9M|Hvn1?%ee^*FE}rW2O1>5T>=fn<FBhz85dG
zSafBt;wqIRvrJxnJ1MMsuEE;YqkYYxX{_4}?nO<%=kbU|v*PHbz!lvmRDT_R@?m#&
zgI09>bbF4V34*5a3^R9Ev+g&}X?*a!_k-S<D?u@A$ELq{b5*Fx>9KeTL!eE)Q73!5
zYo55;+uL_y1x|ndvD&XB<)tORY*qM%&ceh6heORBCb?MNO7?!gSniAe2{{#??dzRQ
zB5MUXX0WMvCI6iC*~Uw6GH;##scXie>zVWSFjbd^alNROd{CQj-uvbL>7!5DqWAui
ztbXEt>U%=odxP3D(+y|36;I4OexrD8_KWFdn+*6Bszn+uwr^3CUc2<3>e~C?-mmR-
z72D(RLuZ1sXrspEc3Hic=E{kVO~Mb4CVpAs`bJNDga6fE_g2nX%(~V{V!`W=X_8yZ
z76&Bo8f|uB7N7jl?Z{EXG&b>upW%~j-!71x-u>sZ;C}<b4X3|u-Slf>e*C={saq18
zwN9>$HoU!G=kVs2(GNcy)R}y+#^+k={g&<1|8iYCAeQ;<l61rc+uaj)%ygER<2rkF
z{qY;6;aw3GaqdZLCOF#rMze5S(Rv<wP3*UM)aTP~lDyOH4{fnfwPe~58ENuf`}Ugs
zcYi5ZPhVxWJmyEwN>_ygOdSzP2G?H&YD|*+>Jog!@OW#L@pC36!`QP28NZ!f5a@d*
zg>&V`{EJGrmUpo4|7%kB|7q>%AB<~{X}h&C1)p5CZ`LK|h&HLrh{Nu?6<1yT;@QgS
z$6y+8e%Y10r#}s+YwvU1=GvLBEo#USIQwzeuX&%me}6Lm^l`__h#RVpefxHJEsCph
z=TlEM{=jBpD*9Su-i<fQN~(?Kx<v1K{;O`S#ZN{vhne2DPHJ8F^my^3>UA8oALnfj
zvbNj&$MOSP$G*%j#~FEFRmIs~TK+J|VAG|^DI3mwy0CL+&7L*C8}6&z+qzXvwyFKB
zo}iScv_YO(j>*oMcMk^cc=~+b!ZY%}_-d*%PnT@)3f-)6USs_;g~|g~jtAt5I6r-M
z7C8E=_tcK~+|tL1Cf@S@qS$%AxbAx5F8Ab*=W^MV%Q<!^_pt{1Dl|%)%$WQ}yZgAN
zUGLQO6<PIn&NHPaeos&2c>dF1+NNj!{<^4fS@f*(5%|yc?p92=!iQTN8s{vpui^NY
z^k}_z6_-fv=D&(!9-*%)rp)ZjKDlS_t@)2nP4zgDd+k|#@mj9?TH^i<dYfJEz5T0X
zF-w#?=WE;ZGkt%*Y(Bo0=LvuLe@?;K)BN(<el1_};mMC?Rle@HQWKv~;+%8$ER+4R
zJz0I8zw*z_BasQymt{7d*;J~}Fa1rY;-W{B!?YU#rCmW^4(k3$oLQnN&b4X5lU~1C
zfl!T}g(pw+a@=O&VCoNEJHe+t>$<Vj$rW=G4l^j9iCmcSl3C+&tWHMiT_LleyBk&f
z-#pH}!g0V$F{aEYq3FZ@O&20le)I;HTD0t6rKR^{<6ZZp&B6C<)O8ycq%U2;^0jNl
zWk>Cj1v#C!|M1#uN^mS$V!k{4f@@J@zx4&3qufW2U2*M-;E;&z@VJo~xn)CT^ul#P
z2ZRrFam_noEFL)VaJuEUrYmi?FJ>hhvYqo><E=JHTj9sP2B{O~m(t!EGdnXIi*BFz
z>bKYmvl(|A_VZsqw;>{R=aHFe0(>mN>7Q0BO=5BF(3mze`Cvej;)J;!k-nA>XQ$1T
z+gbAM(j{}HXJQ<u^Gu{e%+{Mqwf1jwS{C{A&ziC&o&J*r%AcH5{b>2(^VXHFk<(@F
zx=(TEZ=28>bf0tC4Ac7SMpI6QuI%}J{K%u@S}(uoZSeJb_{{(9Ow&`PtLuf@g%p#r
zjH_zCt$tVVWOIYv!GaSiJHw+yY>j*$e?0r-=F*a>?|0r<>g#ae+k5YsGuYOCSQ#9D
z{MYsz$$9tKZrT6;GI^_F%by7EvqG_fuirD>ys_e|TSZZ8ka*<eirXK{HyCzsOu4*e
z5Bu~T4T(Ran{J$7Z?&sx`B}+wm7Q^oZKZI_E2$Ip?DFn)UDl%c*=G-~(URJ{pJk1M
z+rrAK#tGfovHBa1rOSk-G4h|8c%$=;zwg=uTk9_OzFNNVvn%I|%C#)BGWFHZpIE_n
z!@WC#>(7ykaemI?CXE^UN_T`#z462%>Cd&2{W(_M7kf1$1<hx;9z1ch&U=2%QqFys
z;~C!+=p@f){mZ++`fl>SjrTvTy3--Fe74)c<e6L6pH;cm!*x!Lqb_NoU2AP!&EEB^
z&h#w($aW}HGfuZpUQ$JA%QVJrN1Lzx{jWW=w};PaXFqwbQ$$9&a@o(lyZG-U$juDO
zsJxSB5htV`EueB=NX~1Tw_(+;$Cq-BsXX`e5aFpR_K1DbC9c(cfW_2PwD`hJ&)bnq
zuh!g{En;?R-WTmjJN@LQ@-gT(d=kxj+!^~Vj^Tcgq-e{edE)PPYs)0B-ps7nYw>kO
z<K8)L;kk@^_t|MKENJMds4}~*CvN%sb#7AZ_p`SC^QA5aNgT6q(W+*Ve8|_YUUJ&$
z%>$$DZNl5rtYdb!{`p|6lp<wrXLC3C(z*gaJ*T9oGMU+5d@crYHU49pGDXwpU9Y2M
zR(D)|&8${;o|R7&Z%+<7q-QJdop|Yw!58-H{FMx)axK>jzaM)M;Bdc6{g@p0?fc<@
zMR}qfK2Lj<AOCzcn_+9<iX~nge=M$tt@z9Ld{%L8r^%G%MG~jg6sukoepn&;VEM9T
zR#8VMl?k-ZEbMa+FE(*oJSkmv{?^HCDLbd+PY7g5Se(}r%gVB60@KSyU*F!)oN4*n
zGFT?RSc*Z1_scQAh8;?!7Y=v4di3Gd9R^jo_$@81TaI5&t9rcUy8G#@S@oS9tX@+#
zn2D{?77?uFpR{1ppVMaFc2&nO{Fsz8mG|$$cP14{%S5Xu8Y!x)&*oRVxcAhgoX-oN
zzhZlRy0Svx!HJuV6_ZUieJ%bk_B}qYDQWMuha1G6dpqya@nSYS_S-4W*!|Z{rVkGB
zPxeUHz7hIzaCgGS`|Zz;F|SXX^3Z#Cp=<Yy>6zs=#hoAA=7;2FHV0bQf6ZR@KFn#V
zT{_QX51skVj&nu#s0shm2(ftL{ol#J&Op(ClZ{oIkC{n|m4QXXR!Gj>L?PVfygTc%
o>+6ynKZotMW)aEODsxY?ay;>OV*Kg2+!D@M#(%*~%#3Xd0EfJwCjbBd

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/ssl/rsa-client.example.com.pem b/akka-remote/src/test/resources/ssl/rsa-client.example.com.pem
new file mode 100644
index 0000000000..48f4475d14
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/rsa-client.example.com.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAhFYhb2PKaezP8r+LclBsqpJyJ0VvhbRx+65IAe56i+gwiLaf
+NcmnwdijEOza3UVyq9drB1IXKXfNWnHIalEWTE6jORsIStE4nkean5k/s0JgVyqa
+yFXNrEb4FQu6eMDbHl8JMtGiyUEZRVgIAdp2f/hAQzbdCOUBi0qGjeXzB+hfaVQt
+SKcgp1RYrIA4O6GwjiJAVH1crMMntPkXIxmEQD3pTM0HMutgJ2If+uHgQynRny4x
+3M2sNeFLsuTpVo3slXTOjGQTn/in8XQ/Ci5YcNnC8bc5CZNyXnaluPrn0Uu4pRka
+VMPHtiIEfU0FtFS2AcgCwFSHyUjH1BMe9CuTQQIDAQABAoIBAAEuZ6P/5wmlBIIt
+NYhysVWgcwZot0MhRjcx6hCiWVOwYeaGgstPHoE7dtEq3BVHjmt8Q8dP80b6e8nH
+5DsWuDU8KnbTB/LrBS9cgkPUcV4fRI7ioXkSUwCrrYE6lpKHXi1aOdHLT0GupBQb
+Yg7qLU6dH6256qUuriHZK3ROzimO5R3lsHkA8+Lavw6/LJIuLMkl5wmg91AS4Y0d
+SYUUf7452hj2Ir/RK7wNrtZ/QQ5g6iIXaH8vKt20DBkUXuiMJI6uP98/w2axwMC6
+/AkSAsFDh0K3ZiJWjeNYQ5KZrLFUNmADMFo6RL5fvcyp1c2e6vLcIbM6JPOtwql1
+SI2S2HUCgYEA2ezDtj4lN61uh8nXk0z0UApc5Cx+dzLMcbGrCLIn67x9EbDtcOvz
+oy+GnnD/JLhd/3HRf1Lwd+30iXpJ5rr1nRLwlSXmWsHvFafwGvRQ4NWYt3QyM9TX
+98WMchy5m+0pBqBq+0IZPLUB7iY54xgUHMk2/IrbwkkvkYWS4gKUN2sCgYEAm3U1
+t/DwrDuzF4/ZhGTxOI0Y3JSFRGtwF5npkR/6bN/T9JKU4gD8T3fkvkmEZ66xVzUA
+iuUIgVs3rSkVi51Sr2xId8KMUPRJtDWAThJYEtY1AAFjY9gYlxYA/kggWQSPWfX+
+CzLHAAB5uIPe2xS3YN3yXZLABefv7ZF6i1aBBwMCgYBNE0NJEoPBRHLCTe4T5/TE
+1lVyUhZMfEf4sjjms3QRGTI27pecB6e9AJMhOJ/U0exU62GIIcJw+FUzxm+azmcO
+LeOvLJ9jXBH+W849CkoMqx7/S3ZyBIZ52IHK3kP7VQ7cjCIqSX95jB9pplV071A1
+uijbexUsiwvq8Q45J2ZajwKBgCtVNLAdPTkFOxqqQluhN4wn6HI0BCHaQNiTUoPd
+ghSvH4nhAhctZydPqDdSjtHH5C8G2yvcQ86q+o4OEa9lHxM+/8RCOpKmRZUyBJ2+
+h0ZY51UlDeta5R/YRlabDElD+CF/bFz6vnXFrCg+ufQfhi4+L7zdlyEOUdbK4nnM
+lxK5AoGBALMfsbYejpjNP0Dmcv644barz9SLKPT9Sxv5xjDNxRXWATIy2MblM9WO
+WO0hNw6KLfSl1dkrbZYH4/4abw6g0FYCivBe9X7p/iGkIBKx9PWAW18vTnomW7Oq
+RfTCzmLHhGVhxl6ByvSzNIV7MCgPeXalC7gUBLdnKuBvQCOvzyPr
+-----END RSA PRIVATE KEY-----
diff --git a/akka-remote/src/test/resources/ssl/two.example.com.crt b/akka-remote/src/test/resources/ssl/two.example.com.crt
new file mode 100644
index 0000000000..fc766d02d3
--- /dev/null
+++ b/akka-remote/src/test/resources/ssl/two.example.com.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICizCCAi+gAwIBAgIECNzvNjAMBggqhkjOPQQDAgUAMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgw
+FgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxFDASBgNVBAsTC0V4YW1wbGUgT3JnMRIw
+EAYDVQQDEwlleGFtcGxlQ0EwHhcNMjAwNjAxMTU1MDE2WhcNMzAwNTMwMTU1MDE2
+WjCBhDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xGDAWBgNVBAoTD0V4YW1wbGUgQ29tcGFueTEUMBIGA1UE
+CxMLRXhhbXBsZSBPcmcxGDAWBgNVBAMTD3R3by5leGFtcGxlLmNvbTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABK2v6kZfa6beqxAXcSjAIUKORvbwivAEwoik38ZN
+kQ8X60K5/gFE/QNoozTOZ60pbPzI8QFjcTXlpm4aKcRudwajgZEwgY4wHwYDVR0j
+BBgwFoAU2REkHgBAMCYIi8dhLQAoPj8CpRQwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
+DgYDVR0PAQH/BAQDAgWgMCcGA1UdEQQgMB6CD3R3by5leGFtcGxlLmNvbYILZXhh
+bXBsZS5jb20wHQYDVR0OBBYEFDrOW8faP3xxtC/wd1f6EZwlpF7XMAwGCCqGSM49
+BAMCBQADSAAwRQIhAPr4w+30vBqHWGJOGvBScN3OXQaBnQSlFIc5c0AErLYdAiB+
+JuYU6hy1EmvRZxz2p/r4pz94K/81pNCAWgHKp1pxgQ==
+-----END CERTIFICATE-----
diff --git a/akka-remote/src/test/resources/ssl/two.example.com.p12 b/akka-remote/src/test/resources/ssl/two.example.com.p12
new file mode 100644
index 0000000000000000000000000000000000000000..38b932093875281d061ce77edc2e218e9826b242
GIT binary patch
literal 2694
zcmXqL;%Z`IWHxBxvS#DdYV&CO&dbQoxS)wkhoy;2!=Q;v#h~#cvP|P+mc|DLjdu+i
zZ?SPhHSlmTGA$@KC^gVz<AMn>G8;&<h|J1mf5GGUV`ACKxdjvMvqV+jmvmubW;h(c
z;*ryKTXgB3o0n#3dR4qAJhG&|V^`P9w?ftakKX^U5cyENTOsxKi6>k$RK5s$xQM;F
zCge8HNOH<6E0>&TMfIs=Zbx~J>0N&r*kBlBpbK{(r--3~oE$?5Lpeh}gC0XFLj^-3
zLoP!BLk>eKgC0XNLq0>Ufg(b=sG$gpP)KHOs)C`ZrJ;e5nVF%vsinC=6Q>Sb5j)$0
zCQey{CQeBvMh1f>P9cO0BZ`mNKt5Jwy>ueoPyT>i$&4p+UluC=Pr17r?Bj+ejvF7Q
zt^0VWr}ai`j)#Qy_q`!2IqtsJd1h<*r}SSR-<pfdk3RXn_QuP$O+mr`UZ)@NjeI2b
z{&%^s{qy-gq2*Wljz_(G{qDwp(|=DF%s#$GD0J<{D-WloYaE;WKy=pQs7D)xL=v_p
z?3icXzWu(``DrHpT56*4=T1fKH=Fy!{+pc5nXWaVzQ$fA;$;)pZr!Q#>X!SNnYuw9
zzfM%?DmzPssH_s%nR?~giN&jKZPs6MAS*rSxaG{-i(EIpUcRs4<m#|BUHtbyy-QH?
zFRyC-o!YoG-AZ6}{g?cj_W3D)%|AXl^nOlIhxd(_T-AM%ADbo|e6($C*Md##w;tY|
z(znUc&a}<9r}(7yohg#{j0Ll~QvKHL@YlZ6v|7}`JG*_(<iIadLQD6gtkg5R<la5+
zmGzRKocrg`*4_N3qQPu)qe$cYYV}(u9hm-v<elqKFNopyy;%8&xBYYB0mWPQr6=hv
zuUX|<T(EWHw^wR)l{4N-uJ&Kbv*5N;9@DW9#UoWbe@^fH?R!mVfltN!$h1n$V~zSB
z&#L@%<apsVT}Fe=`*o)70zJNdGr8z_t0w4}GXD~1HLJN>$QkhYMP2P$rTxF3R?Ob!
zxzlu4cXuDZwd&`qhwoG~cv~Ho`7OTt?$Twq=5?_x4>mE=$oai1jl1IF#p@;JSqyVU
zE<E2`@6#7iXfdH+E<=s|)^%6(xv%#8eQmmZ>5?y}xmMU0)p&=MI_*3eI?3zH`q!q6
zS(CUGdNyQyIi5E|<`m1n`rK7LxvjAqd}ri|C(Ao@d)dy}_QS%sBgN&BaQ6$=!%Zj6
zO|r@bJq@?IJz1HyaB`YLOmMNB{(M7?!>#!rCx1$OapGEzl#_Av+_b>BhP{$28IH~4
zli8YBb=rE~|9L)P8)DY4yv@Dk?UDjE-YtjDtT;CL?Y8toOYPEE3Hgf`yPH1$G1<;^
z?iXb{Gm}S)<`gRBo|*eP`FV`yF`c7I-WuCo`JGi#|A_^gc27TIc)2Fode^Zao!YD4
zT5n|MUJqT+s#Slu_w}4Kj>XTmc$D0~S#Q-WC%cYQGA50;^2H|U%n%0kYvJtLm)MpS
zl$u5Io)oEk*O=%2?OjN}Ws0S#Tm7xS5pNnMric~&%y45q!r9xoJVWB?7iEi=DjQ{E
zT6WE5SIm2JM*0``VeKrdf7xz(m~`ZiE(!moQh0m4Lg9%}zFSkALK<d&-}>8w*(SGR
zS){mRZrof8zI{J;>{#>6{!Vyw9#`QfTh$NG8_rhQ*CooP@lBp*T>n9T)f^T<zQ9-I
zZ&t^t=bunC<+=3FF?8Y0%NYf2@Ag-9+APT8Y}}?PZ=Ic2rEzz4#B#H<YkZ%#l@=cV
z7^$(Zje)~%+QI*wkNZD$&tCfLt;nVHdF2=Gzx}?}RPLpOLFmR`FA@$^zn%B|ou$B$
z7@O8}mp1EVxBjZV+j;JL)c(6A1z9f6l?!73Ue#gt4qM$NKH*-I>4igTzqwBcygwVQ
zAt3mWdqEC={Oq5(&-jE|e;rvd%U3s3-*&-F^LKZ3W92zR-e&bHE&8eu@%?G*RD+e9
zueu-kImNL-(fH@J<RwWliiHJ*H)pA9&%Su-O8v6^0<|07Hw2|NyMN{=7oWR&-)5Ou
z+g(!1E8EyLmQ;mybv{12U|#7Gul4&TWUJSfhE&M-y!I6Pt$J-;3u_JEjyaEPKjb$o
zTw}j9zvaE|<ARGX4sQ%-zy2$)<X?dQ$(f6Oi?7{P)RMZpptVgZTYJ00Y>7pMg5uv*
zW_m`<xpY>cIWuDK-CEC!>D?xgXBk&5Q@7xf>3x;+;monJ(=!8RJ>0|-xZM8=|JNkZ
z?xO8x%XojA7X0~eX6c{$6L*%%R=wJuW-ZRt(lqtplcNHcy(j;f@o~YYL|?~fHOXzg
zP1hgYs()AdZmNM3v)qAzx88gg+#c^<Yqm`8<iuxNcy*e3Bn>xoz3lU0*z){y*rkKN
zPE|hJq5V9fb9ctHPduVG*F+xco0B;+>NtOPPfo5t#MG@;@0L27z2&Ok*k#?JIXUXK
zaO)&*-8ZlNSp53sOE;xTELr=>Z1Uwd?xA_lE=<3ta`S$_oS2ZGufv9@ML!in_Zgcx
zy^!Q;IH%Fd*1GeNQO;t&xE0S2CAEBW5q_@spz@1M5}!7|V1)Hg*GHP2yZB$7pYJ<=
z@8UIvT?LFqOloQ#OI?<3Xjsb>K6`es{Q4`I=PKen{S^P182z}PaWu}?IEsI+*xjd6
ze6_b^&YoZYT(RJ<tk@3O)fz>jThp$3-hFgQM=@GUeT~h$)XT@3?T@^Cr}gBLQhh;t
z3g0RD7uhQxuhkMy$y;$Ukz2ZOaZtii*7&z8O{eAUxEZ#0cC%2Bs!tm8{wXU@YvcwT
zI@DjrI(wJNp}vexORH~R)Som8N4$#YHaIou>a=NI<_f$8Dm$0|+ZpAS&zr~XD8qBf
z`Aif4o2B*d)^_U_%}{kWuIoOK^C>t#@Yl|5lb(0f{N~X+o5iqyaq!*5?}ZoNUePsZ
z*r$3o&r1KxX<g&Hrp$+y@7*QRb3FH(`i*IgO&+;RYf76gXB;kH@q54b+P(nQeP?x3
z6((^lef2EpZ<u@96S0Rk0_EQ^lvvzn^Lm|a{o7{IgzSIQ>_vBNlXcL#Q_XbzN<oH%
zWYk}a-rw;z^zy^p*Did#AZNxsaS6?%wl@R6|5tw}*|kEcbEaIJz2;(#0I7YMDWZ3F
zPGtHTS#_3O;homET^sio%Z8hU$?=z13raPf$k&fP*ZnK}V|e_t%MV^I4i=ofYr~C*
zV+r579KN$PzV(s}>OSUvGw;cZL+Wq;8)aNPRB+8#YZ=d!wD6mmuikHCaPJ5`DRjYQ
zS!w0fRhFqs57Z?$ZR&PS%0Db$7OvIxN!MZBVQaa%{jN^QY?JeY<M%i2tzWXYH%{WW
z$(Np49;ZGgEl>|W($l!IXj|V|^G6v>?>1i&D!Zm`+A78G=kb`menoi2?0*xOcjwP^
zTgt~*R`79RLA7-M6;<B)i!9q`&pmR{g?oRC>86U?P1@@c+LuU{p8Pb~to))^XCy!G
z%rZ0iw~yFcWY<jQo|P82n(29>O18$Q2}Kq=LneN-(|Pst&%MU7@Wr8P4D1XP4LI3Y
zwfUHtq*xhPL?lZ!KRP77iasmKGh-g3mSc=u6eo*Fg~RsR`9A+%JXq}+XjWYMHm>h?
KE)z3j+X4V;qW8c6

literal 0
HcmV?d00001

diff --git a/akka-remote/src/test/resources/truststore b/akka-remote/src/test/resources/truststore
index f70de5dde24b3f1c2fab5ce43c7396fabf965389..7f6041469c5a3ca7b83c29216907c392cd49b716 100644
GIT binary patch
literal 1114
zcmXqLVhLknWHxAG;b-I2YV&CO&dbQoxS)xJfu)K0k3kdj4}&J=F9<2N1x?IP4VsuA
zGBGk3G%?>o$S@jcvT;F8;9+DlkY*7P5B2aaXR*^fI6d;w0hNruf?uzlV`64F9MI6j
zyx=Ocp7RGc_46B#-!b+U;CgjTOzPx|9k;(KiER&zmfu~rbDMq2sTuc<=S$gXu9Dk$
zW157`l*i&HF6*d$`Mt*C@8_?()h1;8eRFR914G^XO(uB?IU2mH-B}9f%y0BEE^(XI
z#<4(JrF45xaq#g2Td&`$={oMkVJO!0v%2ob#$DTU5|X#A&+nf9_;cUOu=Ud}>S-iK
zteW>dxS6fZWsT<C<F&^p$|z^M<XlNtxMRr1EV5vI_DczlWp-;<2tHsEQ(U-I!z}Lj
znlxYerC0m!d}+EV5%c~<^t!K!P9MA2#ZRmWZF{s+^L_i&uFb1g)_4`1_u5yS$?dc1
z@SfGlvaH{0^C!>p%Ab9R>&C^{={{@BI;9PZPqfMlKk>V0CM=Vc!WXRaw&vD#XNgS@
zpNsC<5USM{YoV%aqoDaEH1W>XISo(Ggig3O!(48^^xW3ZPiG16`D#A9+@~Y@S}Q50
z<&GYY@1M+tYLchh<vyniOHAMGH)oBOkHsA2XYr{E?oDEuJmGP*VcUk^;puf>T@Cqu
z%g^zy?G(9f`fT1bx6Eyy<Ch*&+1|ELcKdgcopYOe{vEx2dhIj$uPK~=uXk15;eFwA
z>D6mB^;sKuo<C_=U^An7$+i7^W~^Cg(^XjJt@J_U=k><R=MC0<TPc>*c{+jnx8Tx4
zi!!ErH@(-WJ?X$N*mbBYQLi8*+D&NB+UR-A*&Eb5nSP1vopSBd(>ozT7i{^z_~so?
zD&z}a#JyzpGByR5tDBpCMRGX4ub)=7>e+(nCl)=jGH@-}{@}uvB9`9Yvlw)%lz0Ox
z4+~xF>{)juuBz7WM(=V(?)Jh879X8m>zETR{QN3@bmxjj{t9n5UFQA#(`+WYUc7bm
zZsBp~MVmKqP3En0iJKWWxmxkpRc&4Gdf9i=Yh%uN-q_yl;u~aKacM=zp>?fkGN(;D
z?cYV(%xpBd7#qDwbH@5RAzm(}duE^87b5a?it!iWWA?wUzUf|{_?|=Asrawqd&^aC
z(qhk^w%vU_Vovb_nF!wL=h+u$WTj1>AO6%Nc=4iQo7+!L2!A&SSi|X(x?^eUJVB4d
z)GN1-)|42lSTQrHCq6!1yoASG`Nq6gFT7noF|54JYCI{e?SSEpWp_kxTztp3WP@eN
zg|I83DvsA)|JQtRTJZ2m?amo4UVOZ4EsZ&Bou|BcHy(-Jt5<pT^AeVvTL(%S9R6DE
zP(FR&=DX9qqTa^Jd)G8fpS5qrvw+3Fuf@y=-PK;k98o5|T=-#+YqxISP9+0714RQ)
zHdbvuW+o|C1{M*fNrwZ>1rN>TGMz2Pu#jE$(}N>hSVW#3;asr1@(dfh#!bg76L`5q
N1-0y$m>Js^005921uFmm

literal 621
zcmezO_TO6u1_mYu1_nkj&6-=8om$Djz?l6tZr>&b)(AaQ14{-5CVhh@CT)Wz#wiP!
znHZUvL`)(Q!#Xu~_j0pbzxnG5-*<)G>Cy(gY@Awc9&O)w85y}*84O$vxeYkkm_u3E
zgqflo4S5W>KpYMp=JM1eLm>kJ5RZ$8(<d`Mqa-OcFU3&AKnNtp%)_0Sot>y#l$x7g
zl4>9)&TD9CU~Xt?XlP_)Y!n6NS{Rx@xzw_zaXzy98Ce;a8+#cH8atU98yUKmdFCov
z9^p~`IPrMSfd_V6-`v~o+}=8G(uy4$AI#b;`)q<_@4qu02d_;G*}?T@eirj32eC79
zGvD@A?cFKhp}>B-D@(p=@g+}feYJv!zel&L<vA?XllpONNod!tU;+DwyUd~u%1rI#
zFGYmwdM%tc+k48_hUhh4%Kc-!Z=U+Jp_hr7k%4isgn^iW2pe;#tRM@o0e2H;PJVJ?
zPDXxl39`evK@M+ZXf+S-KXl&W{B7mLT}8)VGTF&;72Q6;u;*OZSA_<LyX^;!-%nig
z$z{pMMa{d97F9coX;002{BVE#_wOdFauh6h56s+}u+R9ql=sqbNe@qbo|k2Fp7qD>
z)M>R{RVke>{_*$1fQ@16XBnMdxASs;PK}q{x&WDV^6u4<d;V;<I)2+|XYr;2VU>ir
RK^371Vhhx6|21ln1^|4#*f0P9

diff --git a/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala b/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
index 099ef92999..2be5d7e3c1 100644
--- a/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
+++ b/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
@@ -32,6 +32,9 @@ object ArterySpecSupport {
   // set the test key-store and trust-store properties
   // TLS only used if transport=tls-tcp, which can be set from specific tests or
   // System properties (e.g. jenkins job)
+  // TODO: randomly return a Config using ConfigSSLEngineProvider or
+  //  RotatingKeysSSLEngineProvider and, eventually, run tests twice
+  //  (once for each provider).
   lazy val tlsConfig: Config = {
     val trustStore = getClass.getClassLoader.getResource("truststore").getPath
     val keyStore = getClass.getClassLoader.getResource("keystore").getPath
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/SecureRandomFactorySpec.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/SecureRandomFactorySpec.scala
new file mode 100644
index 0000000000..33e3de6e31
--- /dev/null
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/SecureRandomFactorySpec.scala
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp
+
+import java.io.ByteArrayOutputStream
+import java.security.NoSuchAlgorithmException
+import java.security.SecureRandom
+import java.util.zip.GZIPOutputStream
+
+import akka.event.NoMarkerLogging
+import akka.testkit.AkkaSpec
+
+class SecureRandomFactorySHA1Spec extends SecureRandomFactorySpec("SHA1PRNG")
+class SecureRandomFactoryNativePRNGSpec extends SecureRandomFactorySpec("NativePRNG")
+class SecureRandomFactoryJVMChoiceSpec extends SecureRandomFactorySpec("SecureRandom")
+class SecureRandomFactoryBlankSpec extends SecureRandomFactorySpec("")
+class SecureRandomFactoryInvalidPRNGSpec extends SecureRandomFactorySpec("InvalidPRNG")
+
+abstract class SecureRandomFactorySpec(alg: String) extends AkkaSpec {
+  var prng: SecureRandom = null
+
+  def isSupported: Boolean = {
+    try {
+      prng = SecureRandomFactory.createSecureRandom(alg, NoMarkerLogging)
+      prng.nextInt() // Has to work
+      val sRng = alg
+      if (prng.getAlgorithm != sRng && sRng != "")
+        throw new NoSuchAlgorithmException(sRng)
+      true
+    } catch {
+      case e: NoSuchAlgorithmException =>
+        info(e.toString)
+        false
+    }
+  }
+
+  s"Artery's Secure Random support ($alg)" must {
+    if (isSupported) {
+      "generate random" in {
+        val bytes = Array.ofDim[Byte](16)
+        // Reproducer of the specific issue described at
+        // https://doc.akka.io/docs/akka/current/security/2018-08-29-aes-rng.html
+        // awaitAssert just in case we are very unlucky to get same sequence more than once
+        awaitAssert {
+          val randomBytes = List
+            .fill(10) {
+              prng.nextBytes(bytes)
+              bytes.toVector
+            }
+            .toSet
+          randomBytes.size should ===(10)
+        }
+      }
+
+      "have random numbers that are not compressable, because then they are not random" in {
+        val randomData = new Array[Byte](1024 * 1024)
+        prng.nextBytes(randomData)
+
+        val baos = new ByteArrayOutputStream()
+        val gzipped = new GZIPOutputStream(baos)
+        try gzipped.write(randomData)
+        finally gzipped.close()
+
+        val compressed = baos.toByteArray
+        // random data should not be compressible
+        // Another reproducer of https://doc.akka.io/docs/akka/current/security/2018-08-29-aes-rng.html
+        // with the broken implementation the compressed size was <5k
+        compressed.size should be > randomData.length
+      }
+
+    } else {
+      s"not be run when the $alg PRNG provider is not supported by the platform this test is currently being executed on" in {
+        pending
+      }
+    }
+  }
+}
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
index 4925446996..b530ffa0f9 100644
--- a/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
@@ -5,27 +5,23 @@
 package akka.remote.artery
 package tcp
 
-import java.io.ByteArrayOutputStream
 import java.security.NoSuchAlgorithmException
-import java.util.zip.GZIPOutputStream
-import javax.net.ssl.SSLEngine
 
-import scala.concurrent.duration._
-
-import com.typesafe.config.Config
-import com.typesafe.config.ConfigFactory
-
-import akka.actor.ActorIdentity
-import akka.actor.ActorPath
-import akka.actor.ActorRef
-import akka.actor.ExtendedActorSystem
-import akka.actor.Identify
-import akka.actor.RootActorPath
+import akka.actor.{ ActorIdentity, ActorPath, ActorRef, Identify, RootActorPath }
 import akka.actor.setup.ActorSystemSetup
+import akka.remote.artery.tcp.ssl.CipherSuiteSupportCheck
 import akka.testkit.EventFilter
 import akka.testkit.ImplicitSender
 import akka.testkit.TestActors
 import akka.testkit.TestProbe
+import com.typesafe.config.Config
+import com.typesafe.config.ConfigFactory
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLSession
+import org.scalatest.matchers.should.Matchers
+
+import scala.concurrent.duration._
+import scala.util.{ Failure, Success }
 
 class TlsTcpWithDefaultConfigSpec extends TlsTcpSpec(ConfigFactory.empty())
 
@@ -53,6 +49,17 @@ class TlsTcpWithCrappyRSAWithMD5OnlyHereToMakeSureThingsWorkSpec
     }
     """))
 
+class TlsTcpWithRotatingKeysSSLEngineSpec extends TlsTcpSpec(ConfigFactory.parseString(s"""
+    akka.remote.artery.ssl {
+       ssl-engine-provider = akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider
+       rotating-keys-engine {
+         key-file = ${getClass.getClassLoader.getResource("ssl/node.example.com.pem").getPath}
+         cert-file = ${getClass.getClassLoader.getResource("ssl/node.example.com.crt").getPath}
+         ca-cert-file = ${getClass.getClassLoader.getResource("ssl/exampleca.crt").getPath}
+       }
+    }
+    """))
+
 object TlsTcpSpec {
 
   lazy val config: Config = {
@@ -68,37 +75,31 @@ object TlsTcpSpec {
 
 abstract class TlsTcpSpec(config: Config)
     extends ArteryMultiNodeSpec(config.withFallback(TlsTcpSpec.config))
-    with ImplicitSender {
+    with ImplicitSender
+    with Matchers {
 
   val systemB = newRemoteSystem(name = Some("systemB"))
   val addressB = address(systemB)
   val rootB = RootActorPath(addressB)
 
   def isSupported: Boolean = {
-    try {
-      val provider = new ConfigSSLEngineProvider(system)
-
-      val rng = provider.createSecureRandom()
-      rng.nextInt() // Has to work
-      val sRng = provider.SSLRandomNumberGenerator
-      if (rng.getAlgorithm != sRng && sRng != "")
-        throw new NoSuchAlgorithmException(sRng)
-
-      val address = system.asInstanceOf[ExtendedActorSystem].provider.getDefaultAddress
-      val host = address.host.get
-      val port = address.port.get
-
-      val engine = provider.createServerSSLEngine(host, port)
-      val gotAllSupported = provider.SSLEnabledAlgorithms.diff(engine.getSupportedCipherSuites.toSet)
-      val gotAllEnabled = provider.SSLEnabledAlgorithms.diff(engine.getEnabledCipherSuites.toSet)
-      gotAllSupported.isEmpty || (throw new IllegalArgumentException("Cipher Suite not supported: " + gotAllSupported))
-      gotAllEnabled.isEmpty || (throw new IllegalArgumentException("Cipher Suite not enabled: " + gotAllEnabled))
-      engine.getSupportedProtocols.contains(provider.SSLProtocol) ||
-      (throw new IllegalArgumentException("Protocol not supported: " + provider.SSLProtocol))
-    } catch {
-      case e @ (_: IllegalArgumentException | _: NoSuchAlgorithmException) =>
+    val checked = system.settings.config.getString("akka.remote.artery.ssl.ssl-engine-provider") match {
+      case "akka.remote.artery.tcp.ConfigSSLEngineProvider" =>
+        CipherSuiteSupportCheck.isSupported(system, "akka.remote.artery.ssl.config-ssl-engine")
+      case "akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider" =>
+        CipherSuiteSupportCheck.isSupported(system, "akka.remote.artery.ssl.rotating-keys-engine")
+      case other =>
+        fail(
+          s"Don't know how to determine whether the crypto building blocks in [$other] are available on this platform")
+    }
+    checked match {
+      case Success(()) =>
+        true
+      case Failure(e @ (_: IllegalArgumentException | _: NoSuchAlgorithmException)) =>
         info(e.toString)
         false
+      case Failure(other) =>
+        fail("Unexpected failure checking whether the crypto building blocks are available on this platform.", other)
     }
   }
 
@@ -122,43 +123,6 @@ abstract class TlsTcpSpec(config: Config)
 
     if (isSupported) {
 
-      "generate random" in {
-        val provider = new ConfigSSLEngineProvider(system)
-        val rng = provider.createSecureRandom()
-        val bytes = Array.ofDim[Byte](16)
-        // Reproducer of the specific issue described at
-        // https://doc.akka.io/docs/akka/current/security/2018-08-29-aes-rng.html
-        // awaitAssert just in case we are very unlucky to get same sequence more than once
-        awaitAssert {
-          val randomBytes = List
-            .fill(10) {
-              rng.nextBytes(bytes)
-              bytes.toVector
-            }
-            .toSet
-          randomBytes.size should ===(10)
-        }
-      }
-
-      "have random numbers that are not compressable, because then they are not random" in {
-        val provider = new ConfigSSLEngineProvider(system)
-        val rng = provider.createSecureRandom()
-
-        val randomData = new Array[Byte](1024 * 1024)
-        rng.nextBytes(randomData)
-
-        val baos = new ByteArrayOutputStream()
-        val gzipped = new GZIPOutputStream(baos)
-        try gzipped.write(randomData)
-        finally gzipped.close()
-
-        val compressed = baos.toByteArray
-        // random data should not be compressible
-        // Another reproducer of https://doc.akka.io/docs/akka/current/security/2018-08-29-aes-rng.html
-        // with the broken implementation the compressed size was <5k
-        compressed.size should be > randomData.length
-      }
-
       "deliver messages" in {
         systemB.actorOf(TestActors.echoActorProps, "echo")
         val echoRef = identify(rootB / "user" / "echo")
@@ -257,17 +221,21 @@ class TlsTcpWithActorSystemSetupSpec extends ArteryMultiNodeSpec(TlsTcpSpec.conf
   val sslProviderClientProbe = TestProbe()
 
   val sslProviderSetup = SSLEngineProviderSetup(sys =>
-    new ConfigSSLEngineProvider(sys) {
+    new SSLEngineProvider {
+      val delegate = new ConfigSSLEngineProvider(sys)
       override def createServerSSLEngine(hostname: String, port: Int): SSLEngine = {
         sslProviderServerProbe.ref ! "createServerSSLEngine"
-        super.createServerSSLEngine(hostname, port)
+        delegate.createServerSSLEngine(hostname, port)
       }
 
       override def createClientSSLEngine(hostname: String, port: Int): SSLEngine = {
         sslProviderClientProbe.ref ! "createClientSSLEngine"
-        super.createClientSSLEngine(hostname, port)
+        delegate.createClientSSLEngine(hostname, port)
       }
-
+      override def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable] =
+        delegate.verifyClientSession(hostname, session)
+      override def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable] =
+        delegate.verifyServerSession(hostname, session)
     })
 
   val systemB = newRemoteSystem(name = Some("systemB"), setup = Some(ActorSystemSetup(sslProviderSetup)))
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/CipherSuiteSupportCheck.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/CipherSuiteSupportCheck.scala
new file mode 100644
index 0000000000..82941e2d43
--- /dev/null
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/CipherSuiteSupportCheck.scala
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.security.NoSuchAlgorithmException
+
+import akka.actor.ActorSystem
+import akka.actor.ExtendedActorSystem
+import akka.event.NoMarkerLogging
+import akka.remote.artery.tcp.SecureRandomFactory
+import com.typesafe.config.Config
+import javax.net.ssl.SSLEngine
+
+import scala.util.Try
+
+object CipherSuiteSupportCheck {
+
+  /**
+   * Given a `configPath` runs a set of validations over the default protocols,
+   * cipher suites, PRNG algorithm/provider, etc...
+   */
+  def isSupported(system: ActorSystem, configPath: String): Try[Unit] = Try {
+    val config = system.settings.config
+    val subConfig = config.getConfig(configPath)
+
+    isPrngSupported(subConfig)
+    val engine: SSLEngine = buildSslEngine(system)
+    val sslFactoryConfig = new SSLEngineConfig(subConfig)
+
+    areAlgorithmsSupported(sslFactoryConfig, engine)
+    isProtocolSupported(sslFactoryConfig, engine)
+  }
+
+  private def isPrngSupported(config: Config): Unit = {
+    val rng = SecureRandomFactory.createSecureRandom(config, NoMarkerLogging)
+    rng.nextInt() // Has to work
+    val setting = SecureRandomFactory.rngConfig(config)
+    if (rng.getAlgorithm != setting && setting != "")
+      throw new NoSuchAlgorithmException(setting)
+  }
+
+  private def areAlgorithmsSupported(sslFactoryConfig: SSLEngineConfig, engine: SSLEngine) = {
+    import sslFactoryConfig._
+    val gotAllSupported = SSLEnabledAlgorithms.diff(engine.getSupportedCipherSuites.toSet)
+    val gotAllEnabled = SSLEnabledAlgorithms.diff(engine.getEnabledCipherSuites.toSet)
+    gotAllSupported.isEmpty || (throw new IllegalArgumentException("Cipher Suite not supported: " + gotAllSupported))
+    gotAllEnabled.isEmpty || (throw new IllegalArgumentException("Cipher Suite not enabled: " + gotAllEnabled))
+  }
+
+  private def isProtocolSupported(sslFactoryConfig: SSLEngineConfig, engine: SSLEngine) = {
+    import sslFactoryConfig._
+    engine.getSupportedProtocols.contains(SSLProtocol) ||
+    (throw new IllegalArgumentException("Protocol not supported: " + SSLProtocol))
+
+  }
+
+  private def buildSslEngine(system: ActorSystem): SSLEngine = {
+    val address = system.asInstanceOf[ExtendedActorSystem].provider.getDefaultAddress
+    val host = address.host.get
+    val port = address.port.get
+    val provider = new akka.remote.artery.tcp.ConfigSSLEngineProvider(system)
+    val engine = provider.createServerSSLEngine(host, port)
+    engine
+  }
+
+}
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/PeerSubjectVerifierSpec.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/PeerSubjectVerifierSpec.scala
new file mode 100644
index 0000000000..150b8280d8
--- /dev/null
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/PeerSubjectVerifierSpec.scala
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.security.Principal
+import java.security.cert.Certificate
+import java.security.cert.X509Certificate
+
+import javax.net.ssl.SSLSession
+import javax.net.ssl.SSLSessionContext
+import org.scalatest.matchers.must.Matchers
+import org.scalatest.wordspec.AnyWordSpec
+
+class PeerSubjectVerifierSpec extends AnyWordSpec with Matchers {
+  import TlsResourcesSpec._
+  "PeerSubjectVerifier" must {
+
+    "accept a peer when both peers have the same subject name" in {
+      // CN=one.example.com
+      // SAN=DNS:number-one.example.com,DNS:example.com
+      // see https://github.com/playframework/play-samples/pull/97
+      val exampleOne = loadCert("/ssl/one.example.com.crt")
+      // CN=two.example.com
+      // SAN=DNS:number-two.example.com,DNS:example.com
+      val exampleTwo = loadCert("/ssl/two.example.com.crt")
+      // verification passes because both certs have `example.com` in the SAN
+      new PeerSubjectVerifier(exampleOne).verifyServerSession(null, inMemSession(exampleTwo)) mustBe None
+    }
+
+    "reject a peer when peers don't have the same subject name" in {
+      // `island.example.com` has no SAN and its only subject is not available on `two.example.com`
+      // the peer verification must fail.
+      val client = loadCert("/ssl/island.example.com.crt")
+      val exampleTwo = loadCert("/ssl/two.example.com.crt")
+      new PeerSubjectVerifier(client).verifyServerSession(null, inMemSession(exampleTwo)) mustNot be(None)
+    }
+  }
+
+  def inMemSession(peerCert: X509Certificate): SSLSession = {
+    new SSLSession {
+      override def getPeerCertificates: Array[Certificate] = Array(peerCert)
+      override def getId: Array[Byte] = throw new UnsupportedOperationException()
+      override def getSessionContext: SSLSessionContext = throw new UnsupportedOperationException()
+      override def getCreationTime: Long = throw new UnsupportedOperationException()
+      override def getLastAccessedTime: Long = throw new UnsupportedOperationException()
+      override def invalidate(): Unit = throw new UnsupportedOperationException()
+      override def isValid: Boolean = throw new UnsupportedOperationException()
+      override def putValue(name: String, value: Any): Unit = throw new UnsupportedOperationException()
+      override def getValue(name: String): AnyRef = throw new UnsupportedOperationException()
+      override def removeValue(name: String): Unit = throw new UnsupportedOperationException()
+      override def getValueNames: Array[String] = throw new UnsupportedOperationException()
+      override def getLocalCertificates: Array[Certificate] = throw new UnsupportedOperationException()
+      override def getPeerCertificateChain: Array[javax.security.cert.X509Certificate] =
+        throw new UnsupportedOperationException()
+      override def getPeerPrincipal: Principal = throw new UnsupportedOperationException()
+      override def getLocalPrincipal: Principal = throw new UnsupportedOperationException()
+      override def getCipherSuite: String = throw new UnsupportedOperationException()
+      override def getProtocol: String = throw new UnsupportedOperationException()
+      override def getPeerHost: String = throw new UnsupportedOperationException()
+      override def getPeerPort: Int = throw new UnsupportedOperationException()
+      override def getPacketBufferSize: Int = throw new UnsupportedOperationException()
+      override def getApplicationBufferSize: Int = throw new UnsupportedOperationException()
+    }
+  }
+}
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/PemManagersProviderSpec.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/PemManagersProviderSpec.scala
new file mode 100644
index 0000000000..5973262135
--- /dev/null
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/PemManagersProviderSpec.scala
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.security.PrivateKey
+import java.security.cert.Certificate
+import java.security.cert.X509Certificate
+
+import org.scalatest.matchers.must.Matchers
+import org.scalatest.wordspec.AnyWordSpec
+
+/**
+ *
+ */
+class PemManagersProviderSpec extends AnyWordSpec with Matchers {
+
+  "A PemManagersProvider" must {
+
+    "load stores reading files setup in config (akka-pki samples)" in {
+      // These set of certificates are valid PEMs but are invalid for akka-remote
+      // use. Either the key length, certificate usage limitations (via the UsageKeyExtensions),
+      // or the fact that the key's certificate is self-signed cause one of the following
+      // errors: `certificate_unknown`, `certificate verify message signature error`/`bad_certificate`
+      // during the SSLHandshake.
+      withFiles("ssl/pem/pkcs1.pem", "ssl/pem/selfsigned-certificate.pem", "ssl/pem/selfsigned-certificate.pem") {
+        (pk, cert, cacert) =>
+          PemManagersProvider.buildKeyManagers(pk, cert, cacert).length must be(1)
+          PemManagersProvider.buildTrustManagers(cacert).length must be(1)
+          cert.getSubjectDN.getName must be("CN=0d207b68-9a20-4ee8-92cb-bf9699581cf8")
+      }
+    }
+
+    "load stores reading files setup in config (keytool samples)" in {
+      withFiles("ssl/node.example.com.pem", "ssl/node.example.com.crt", "ssl/exampleca.crt") { (pk, cert, cacert) =>
+        PemManagersProvider.buildKeyManagers(pk, cert, cacert).length must be(1)
+        PemManagersProvider.buildTrustManagers(cacert).length must be(1)
+        cert.getSubjectDN.getName must be(
+          "CN=node.example.com, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US")
+      }
+    }
+
+  }
+
+  private def withFiles(keyFile: String, certFile: String, caCertFile: String)(
+      block: (PrivateKey, X509Certificate, Certificate) => Unit) = {
+    block(
+      PemManagersProvider.loadPrivateKey(nameToPath(keyFile)),
+      PemManagersProvider.loadCertificate(nameToPath(certFile)).asInstanceOf[X509Certificate],
+      PemManagersProvider.loadCertificate(nameToPath(caCertFile)))
+  }
+
+  private def nameToPath(name: String): String = getClass.getClassLoader.getResource(name).getPath
+}
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/RotatingKeysSSLEngineProviderSpec.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/RotatingKeysSSLEngineProviderSpec.scala
new file mode 100644
index 0000000000..89eb0e6aa0
--- /dev/null
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/RotatingKeysSSLEngineProviderSpec.scala
@@ -0,0 +1,326 @@
+/*
+ * Copyright (C) 2016-2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.io.File
+import java.nio.file.Files
+import java.nio.file.Path
+import java.nio.file.StandardCopyOption
+import java.util.concurrent.atomic.AtomicReference
+
+import akka.actor.ActorIdentity
+import akka.actor.ActorPath
+import akka.actor.ActorRef
+import akka.actor.ActorSystem
+import akka.actor.Address
+import akka.actor.ExtendedActorSystem
+import akka.actor.Identify
+import akka.actor.RootActorPath
+import akka.actor.setup.ActorSystemSetup
+import akka.remote.artery.ArteryMultiNodeSpec
+import akka.remote.artery.tcp.SSLEngineProvider
+import akka.remote.artery.tcp.SSLEngineProviderSetup
+import akka.remote.artery.tcp.TlsTcpSpec
+import akka.testkit.ImplicitSender
+import akka.testkit.TestActors
+import akka.testkit.TestProbe
+import com.typesafe.config.ConfigFactory
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLSession
+
+import scala.concurrent.duration._
+import scala.concurrent.Await
+import scala.concurrent.blocking
+import scala.util.control.NonFatal
+
+// This is a simplification Spec. It doesn't rely on changing files.
+class RotatingProviderWithStaticKeysSpec
+    extends RotatingKeysSSLEngineProviderSpec(RotatingKeysSSLEngineProviderSpec.resourcesConfig) {
+  "Artery with TLS/TCP with RotatingKeysSSLEngine" must {
+
+    "rebuild the SSLContext" in {
+      if (!arteryTcpTlsEnabled())
+        pending
+
+      // an initial connection between sysA (from the testkit) and sysB
+      // to get sysB up and running
+      val (remoteSysB, pathEchoB) = buildRemoteWithEchoActor("B-rebuild")
+      contact(system, pathEchoB)
+      assertEnginesCreated(remoteSysB)
+      val before = remoteSysB.sslContextRef.get()
+
+      awaitCacheExpiration()
+
+      // Send message to system C from system B.
+      // Not using system A because we can't get a reference to the SSLContext in system A
+      val (remoteSysC, pathEchoC) = buildRemoteWithEchoActor("C-rebuild")
+      contact(remoteSysB.actorSystem, pathEchoC)
+      assertEnginesCreated(remoteSysC)
+      assertEnginesCreated(remoteSysB)
+
+      // the SSLContext references on sysB should differ
+      val after = remoteSysB.sslContextRef.get()
+      before shouldNot be(after)
+    }
+
+    "keep existing connections alive (no new SSLEngine's created after cache expiration)" in {
+      if (!arteryTcpTlsEnabled())
+        pending
+
+      // an initial connection between sysA (from the testkit) and sysB
+      // to get sysB up and running
+      val (remoteSysB, pathEchoB) = buildRemoteWithEchoActor("B-reuse-alive")
+      contact(system, pathEchoB)
+      assertThreeChannelsAreCreated(remoteSysB)
+      // once the three channels are created, no new engines are required... (cont'd)
+      contact(system, pathEchoB)
+      contact(system, pathEchoB)
+      assertNoEnginesCreated(remoteSysB)
+
+      awaitCacheExpiration()
+
+      // ... (cont) even when the cache has expired.
+      // Send message to system B from system A should not require a new SSLEngine
+      // be created.
+      contact(system, pathEchoB)
+      assertNoEnginesCreated(remoteSysB)
+    }
+
+  }
+}
+
+// This is a the real deal Spec. It relies on changing files on a particular folder.
+class RotatingProviderWithChangingKeysSpec
+    extends RotatingKeysSSLEngineProviderSpec(RotatingKeysSSLEngineProviderSpec.tempFileConfig) {
+  import RotatingKeysSSLEngineProviderSpec._
+
+  protected override def atStartup(): Unit = {
+    super.atStartup()
+    deployCaCert()
+    deployKeySet("ssl/artery-nodes/artery-node001.example.com")
+  }
+
+  "Artery with TLS/TCP with RotatingKeysSSLEngine" must {
+    "rebuild the SSLContext using new keys" in {
+      if (!arteryTcpTlsEnabled())
+        pending
+
+      // an initial connection between sysA (from the testkit) and sysB
+      // to get sysB up and running
+      val (remoteSysB, pathEchoB) = buildRemoteWithEchoActor("B-reread")
+      contact(system, pathEchoB)
+      assertEnginesCreated(remoteSysB)
+      val before = remoteSysB.sslContextRef.get()
+
+      // setup new (invalid) keys
+      // The `ssl/rsa-client.example.com` keyset can't be used in peer-to-peer connections
+      // it's only valid for `clientAuth`
+
+      deployKeySet("ssl/rsa-client.example.com")
+      awaitCacheExpiration()
+      val (_, pathEchoC) = buildRemoteWithEchoActor("C-reread")
+      try {
+        contact(remoteSysB.actorSystem, pathEchoC)
+        fail("The credentials under `ssl/rsa-client` are not valid for Akka remote so contact() must fail.")
+      } catch {
+        case _: java.lang.AssertionError =>
+        // This assertion error is expected because we expect a failure in contact() since
+        // the SSL credentials are invalid
+      }
+
+      // deploy a new key set
+      deployKeySet("ssl/artery-nodes/artery-node003.example.com")
+
+      // Send message to system C from system B.
+      // Using invalid keys, this should fail
+      val (remoteSysD, pathEchoD) = buildRemoteWithEchoActor("D-reread")
+      contact(remoteSysB.actorSystem, pathEchoD)
+      assertEnginesCreated(remoteSysB)
+      assertEnginesCreated(remoteSysD)
+      // the SSLContext references on sysB should differ
+      val after = remoteSysB.sslContextRef.get()
+      before shouldNot be(after)
+    }
+
+  }
+}
+
+object RotatingKeysSSLEngineProviderSpec {
+  val cacheTtlInSeconds = 1
+
+  private val arteryNode001Id = "ssl/artery-nodes/artery-node001.example.com"
+
+  private val baseConfig = """
+      akka.remote.artery {
+        ## the large-messages channel in artery is not used for this tests 
+        ## but we're enabling it to test it also creates its own SSLEngine 
+        large-message-destinations = [ "/user/large" ]
+      }
+      akka.remote.artery.ssl {
+        ssl-engine-provider = akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider
+      }
+    """
+
+  val resourcesConfig: String = baseConfig +
+    s"""
+      akka.remote.artery.ssl.rotating-keys-engine {
+        key-file = ${getClass.getClassLoader.getResource(s"$arteryNode001Id.pem").getPath}
+        cert-file = ${getClass.getClassLoader.getResource(s"$arteryNode001Id.crt").getPath}
+        ca-cert-file = ${getClass.getClassLoader.getResource("ssl/exampleca.crt").getPath}
+        ssl-context-cache-ttl = ${cacheTtlInSeconds}s
+      }
+    """
+
+  val temporaryDirectory: Path = Files.createTempDirectory("akka-remote-rotating-keys-spec")
+  val keyLocation = new File(temporaryDirectory.toFile, "tls.key")
+  val certLocation = new File(temporaryDirectory.toFile, "tls.crt")
+  val cacertLocation = new File(temporaryDirectory.toFile, "ca.crt")
+  val tempFileConfig: String = baseConfig +
+    s"""
+      akka.remote.artery.ssl.rotating-keys-engine {
+        key-file = ${temporaryDirectory.toFile.getAbsolutePath}/tls.key
+        cert-file = ${temporaryDirectory.toFile.getAbsolutePath}/tls.crt
+        ca-cert-file = ${temporaryDirectory.toFile.getAbsolutePath}/ca.crt
+        ssl-context-cache-ttl = ${cacheTtlInSeconds}s
+      }
+    """
+
+  private def deployResource(resourceName: String, to: Path): Unit = blocking {
+    // manually ensuring files are deleted and copied to prevent races.
+    try {
+      val from = new File(getClass.getClassLoader.getResource(resourceName).getPath).toPath
+      to.toFile.getParentFile.mkdirs()
+      Files.copy(from, to, StandardCopyOption.REPLACE_EXISTING)
+    } catch {
+      case NonFatal(t) => throw new RuntimeException(s"Can't copy resource [$resourceName] to [$to].", t)
+    }
+  }
+  def deployCaCert(): Unit = {
+    deployResource("ssl/exampleca.crt", cacertLocation.toPath)
+  }
+  def deployKeySet(setName: String): Unit = {
+    deployResource(setName + ".crt", certLocation.toPath)
+    deployResource(setName + ".pem", keyLocation.toPath)
+  }
+  def cleanupTemporaryDirectory(): Unit = {
+    temporaryDirectory.toFile.listFiles().foreach { _.delete() }
+    temporaryDirectory.toFile.delete()
+  }
+}
+
+// Superclass to integration tests to test key rotation. Basic happy-path
+// integration tests of `RotatingKeysSSLEngineProvider` as an SSLEngineProvider for Akka Remote
+// are in `TlsTcpWithRotatingKeysSSLEngineSpec`
+abstract class RotatingKeysSSLEngineProviderSpec(extraConfig: String)
+    extends ArteryMultiNodeSpec(ConfigFactory.parseString(extraConfig).withFallback(TlsTcpSpec.config))
+    with ImplicitSender {
+  import RotatingKeysSSLEngineProviderSpec._
+
+  var systemsToTerminate: Seq[ActorSystem] = Nil
+
+  // Assert the RemoteSystem created three pairs of SSLEngines (main channel,
+  // large messages channel and control channel)
+  // NOTE: the large message channel is not enabled but default. In this test suite
+  // it's enabled via adding a value to the `large-message-destinations` setting
+  def assertThreeChannelsAreCreated(remoteSystem: RemoteSystem) = {
+    assertEnginesCreated(remoteSystem)
+    assertEnginesCreated(remoteSystem)
+    assertEnginesCreated(remoteSystem)
+  }
+  def assertEnginesCreated(remoteSystem: RemoteSystem) = {
+    remoteSystem.sslProviderServerProbe.expectMsg("createServerSSLEngine")
+    remoteSystem.sslProviderClientProbe.expectMsg("createClientSSLEngine")
+  }
+  def assertNoEnginesCreated(remoteSystem: RemoteSystem) = {
+    remoteSystem.sslProviderServerProbe.expectNoMessage()
+    remoteSystem.sslProviderClientProbe.expectNoMessage()
+  }
+
+  // sleep to force the cache in sysB's instance to expire
+  def awaitCacheExpiration(): Unit = {
+    Thread.sleep((RotatingKeysSSLEngineProviderSpec.cacheTtlInSeconds + 1) * 1000)
+  }
+
+  def contact(fromSystem: ActorSystem, toPath: ActorPath): Unit = {
+    val senderOnSource = TestProbe()(fromSystem)
+    fromSystem.actorSelection(toPath).tell(Identify(toPath.name), senderOnSource.ref)
+    val targetRef: ActorRef = senderOnSource.expectMsgType[ActorIdentity].ref.get
+    targetRef.tell("ping-1", senderOnSource.ref)
+    senderOnSource.expectMsg("ping-1")
+  }
+
+  def buildRemoteWithEchoActor(id: String): (RemoteSystem, ActorPath) = {
+    val remoteSysB = new RemoteSystem(s"system$id", extraConfig, newRemoteSystem, address)
+    systemsToTerminate :+= remoteSysB.actorSystem
+    val actorName = s"echo$id"
+    remoteSysB.actorSystem.actorOf(TestActors.echoActorProps, actorName)
+    val pathEchoB = remoteSysB.rootActorPath / "user" / actorName
+    (remoteSysB, pathEchoB)
+  }
+
+  override def afterTermination(): Unit = {
+    systemsToTerminate.foreach { systemToTerminate =>
+      system.log.info(s"Terminating $systemToTerminate...")
+      Await.result(systemToTerminate.terminate(), 10.seconds)
+    }
+    // Don't cleanup folder until all systems have terminated
+    cleanupTemporaryDirectory()
+    super.afterTermination()
+  }
+}
+
+class RemoteSystem(
+    name: String,
+    configString: String,
+    newRemoteSystem: (Option[String], Option[String], Option[ActorSystemSetup]) => ActorSystem,
+    address: (ActorSystem) => Address)(implicit system: ActorSystem) {
+
+  val sslProviderServerProbe: TestProbe = TestProbe()
+  val sslProviderClientProbe: TestProbe = TestProbe()
+  val sslContextRef = new AtomicReference[SSLContext]()
+
+  val sslProviderSetup =
+    SSLEngineProviderSetup(
+      sys => new ProbedSSLEngineProvider(sys, sslContextRef, sslProviderServerProbe, sslProviderClientProbe))
+
+  val actorSystem =
+    newRemoteSystem(Some(configString), Some(name), Some(ActorSystemSetup(sslProviderSetup)))
+  val remoteAddress = address(actorSystem)
+  val rootActorPath = RootActorPath(remoteAddress)
+
+}
+
+class ProbedSSLEngineProvider(
+    sys: ExtendedActorSystem,
+    sslContextRef: AtomicReference[SSLContext],
+    sslProviderServerProbe: TestProbe,
+    sslProviderClientProbe: TestProbe)
+    extends SSLEngineProvider {
+  val delegate = new RotatingKeysSSLEngineProvider(sys)
+
+  override def createServerSSLEngine(hostname: String, port: Int): SSLEngine = {
+    val engine = delegate.createServerSSLEngine(hostname, port)
+    // only report the invocation on the probe when the invocation succeeds
+    sslProviderServerProbe.ref ! "createServerSSLEngine"
+    // invoked last to let `createEngine` be the trigger of the SSL context reconstruction
+    sslContextRef.set(delegate.getSSLContext())
+    engine
+  }
+
+  override def createClientSSLEngine(hostname: String, port: Int): SSLEngine = {
+    val engine = delegate.createClientSSLEngine(hostname, port)
+    // only report the invocation on the probe when the invocation succeeds
+    sslProviderClientProbe.ref ! "createClientSSLEngine"
+    // invoked last to let `createEngine` be the trigger of the SSL context reconstruction
+    sslContextRef.set(delegate.getSSLContext())
+    engine
+  }
+
+  override def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable] =
+    delegate.verifyClientSession(hostname, session)
+  override def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable] =
+    delegate.verifyServerSession(hostname, session)
+}
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/TlsResourcesSpec.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/TlsResourcesSpec.scala
new file mode 100644
index 0000000000..df7516b455
--- /dev/null
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/TlsResourcesSpec.scala
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import java.security.cert.CertificateFactory
+import java.security.cert.X509Certificate
+
+import org.scalatest.matchers.must.Matchers
+import org.scalatest.wordspec.AnyWordSpec
+
+import scala.util.Try
+import scala.util.control.NonFatal
+
+import akka.util.ccompat.JavaConverters._
+
+/**
+ *
+ */
+class TlsResourcesSpec extends AnyWordSpec with Matchers {
+
+  import TlsResourcesSpec._
+
+  val baseNode = "node"
+  val baseClient = "client"
+  val baseRsaClient = "rsa-client"
+  val baseIslandServer = "island"
+  val baseServers = Set("one", "two")
+  val arteryNodeSet = Set("artery-nodes/artery-node001", "artery-nodes/artery-node002", "artery-nodes/artery-node003")
+
+  "example.com certificate family" must {
+    "all include `example.com` as SAN" in {
+      val sameSan = baseServers + baseClient + baseNode + baseRsaClient
+      sameSan.foreach { prefix =>
+        val serverCert = loadCert(s"/ssl/$prefix.example.com.crt")
+        X509Readers.getAllSubjectNames(serverCert).contains("example.com") mustBe (true)
+      }
+    }
+
+    "not add `example.com` as SAN on the `island.example.com` certificate" in {
+      val notExampleSan = arteryNodeSet + baseIslandServer
+      notExampleSan.foreach { prefix =>
+        val cert = loadCert(s"/ssl/$prefix.example.com.crt")
+        X509Readers.getAllSubjectNames(cert).contains("example.com") mustBe (false)
+      }
+    }
+
+    val serverAuth = "1.3.6.1.5.5.7.3.1" // TLS Web server authentication
+    val clientAuth = "1.3.6.1.5.5.7.3.2" // TLS Web client authentication
+    "have certificates usable for client Auth" in {
+      val clients = Set(baseClient, baseNode, baseRsaClient) ++ arteryNodeSet
+      clients.foreach { prefix =>
+        val cert = loadCert(s"/ssl/$prefix.example.com.crt")
+        cert.getExtendedKeyUsage.asScala.contains(clientAuth) mustBe (true)
+      }
+    }
+
+    "have certificates usable for server Auth" in {
+      val servers = baseServers + baseIslandServer + baseNode ++ arteryNodeSet
+      servers.foreach { prefix =>
+        val serverCert = loadCert(s"/ssl/$prefix.example.com.crt")
+        serverCert.getExtendedKeyUsage.asScala.contains(serverAuth) mustBe (true)
+      }
+    }
+
+    "have RSA Private Keys in PEM format" in {
+      val nodes = arteryNodeSet + baseNode + baseRsaClient
+      nodes.foreach { prefix =>
+        try {
+          val pk = PemManagersProvider.loadPrivateKey(toAbsolutePath(s"ssl/$prefix.example.com.pem"))
+          pk.getAlgorithm must be("RSA")
+        } catch {
+          case NonFatal(t) => fail(s"Failed test for $prefix", t)
+        }
+      }
+    }
+
+  }
+
+}
+
+object TlsResourcesSpec {
+
+  def toAbsolutePath(resourceName: String): String =
+    getClass.getClassLoader.getResource(resourceName).getPath
+
+  private val certFactory = CertificateFactory.getInstance("X.509")
+  def loadCert(resourceName: String): X509Certificate = {
+    val fin = classOf[X509ReadersSpec].getResourceAsStream(resourceName)
+    try certFactory.generateCertificate(fin).asInstanceOf[X509Certificate]
+    finally Try(fin.close())
+  }
+}
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/X509ReadersSpec.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/X509ReadersSpec.scala
new file mode 100644
index 0000000000..20e1cc4a25
--- /dev/null
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/ssl/X509ReadersSpec.scala
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2020 Lightbend Inc. <https://www.lightbend.com>
+ */
+
+package akka.remote.artery.tcp.ssl
+
+import org.scalatest.matchers.must.Matchers
+import org.scalatest.wordspec.AnyWordSpec
+
+/**
+ *
+ */
+class X509ReadersSpec extends AnyWordSpec with Matchers {
+  import TlsResourcesSpec._
+
+  "X509Readers" must {
+    "read a certificate's name from the CN" in {
+      val island = loadCert("/ssl/island.example.com.crt")
+      X509Readers.getAllSubjectNames(island) mustBe (Set("island.example.com"))
+    }
+
+    "read both the CN and the subject alternative names" in {
+      val serverCert = loadCert("/domain.crt")
+      X509Readers.getAllSubjectNames(serverCert) mustBe (Set("akka-remote", "localhost"))
+    }
+
+    "read a certificate that has no SAN extension" in {
+      // a self-signed CA without SAN
+      val island = loadCert("/ssl/pem/selfsigned-certificate.pem")
+      X509Readers.getAllSubjectNames(island) mustBe (Set("0d207b68-9a20-4ee8-92cb-bf9699581cf8"))
+    }
+
+  }
+
+}
diff --git a/build.sbt b/build.sbt
index df345dbc1f..638cb65e30 100644
--- a/build.sbt
+++ b/build.sbt
@@ -336,6 +336,7 @@ lazy val remote =
     .dependsOn(
       actor,
       stream,
+      pki,
       protobuf % "test",
       actorTests % "test->test",
       testkit % "test->test",
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 6c7aa30173..d1f684c0d8 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -83,7 +83,7 @@ object Dependencies {
     // Added explicitly for when artery tcp is used
     val agrona = "org.agrona" % "agrona" % agronaVersion // ApacheV2
 
-    val asnOne = "com.hierynomus" % "asn-one" % "0.4.0" // ApacheV2
+    val asnOne = ("com.hierynomus" % "asn-one" % "0.4.0").exclude("org.slf4j", "slf4j-api") // ApacheV2
 
     val jacksonCore = "com.fasterxml.jackson.core" % "jackson-core" % jacksonVersion // ApacheV2
     val jacksonAnnotations = "com.fasterxml.jackson.core" % "jackson-annotations" % jacksonVersion // ApacheV2
@@ -202,7 +202,7 @@ object Dependencies {
       Seq(
         asnOne,
         // pull up slf4j version from the one provided transitively in asnOne to fix unidoc
-        Compile.slf4jApi % "provided",
+        Compile.slf4jApi,
         Test.scalatest)
 
   val remoteDependencies = Seq(netty, aeronDriver, aeronClient)