14 files changed, 209 insertions, 40 deletions

diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 673431ed0a..46fd8ab180 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -333,6 +333,38 @@
 
 </section>
 
+<section><title>SSL 8.2.6.4</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Add engine support for RSA key exchange</p>
+          <p>
+	    Own Id: OTP-15420</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 8.2.6.3</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Extend check for undelivered data at closing, could under
+	    some circumstances fail to deliverd all data that was
+	    acctualy recivied.</p>
+          <p>
+	    Own Id: OTP-15412</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>SSL 8.2.6.2</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
@@ -3163,5 +3195,3 @@
     </section>
     </section>
 </chapter>
-
-
diff --git a/lib/ssl/src/inet_tls_dist.erl b/lib/ssl/src/inet_tls_dist.erl
index ca059603ae..a4f8bb7562 100644
--- a/lib/ssl/src/inet_tls_dist.erl
+++ b/lib/ssl/src/inet_tls_dist.erl
@@ -567,7 +567,7 @@ gen_close(Driver, Socket) ->
 get_address_resolver(EpmdModule, Driver) ->
     case erlang:function_exported(EpmdModule, address_please, 3) of
         true -> {EpmdModule, address_please};
-        _    -> {Driver, getaddr}
+        _    -> {erl_epmd, address_please}
     end.
 
 %% ------------------------------------------------------------
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 0e22d63b4b..54c04c13e5 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -932,7 +932,7 @@ filter_suites_pubkey(ec, Ciphers, _, OtpCert) ->
                                    ec_ecdhe_suites(Ciphers)),
     filter_keyuse_suites(keyAgreement, Uses, CiphersSuites, ec_ecdh_suites(Ciphers)).
 
-filter_suites_signature(rsa, Ciphers, {3, N}) when N >= 3 ->
+filter_suites_signature(_, Ciphers, {3, N}) when N >= 3 ->
      Ciphers;
 filter_suites_signature(rsa, Ciphers, Version) ->
     (Ciphers -- ecdsa_signed_suites(Ciphers, Version)) -- dsa_signed_suites(Ciphers, Version);
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 9f876add6c..acd9f14f7b 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -621,8 +621,10 @@ init({call, From}, {start, {Opts, EmOpts}, Timeout},
     catch throw:Error ->
 	    stop_and_reply(normal, {reply, From, {error, Error}}, State0)
     end;
-init({call, From}, Msg, State, Connection) ->
+init({call, From}, {new_user, _} = Msg, State, Connection) ->
     handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);
+init({call, From}, _Msg, _State, _Connection) ->
+    {keep_state_and_data, [{reply, From, {error, notsup_on_transport_accept_socket}}]}; 
 init(_Type, _Event, _State, _Connection) ->
     {keep_state_and_data, [postpone]}.
 	
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index dc89fb0029..14df1d2e02 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -925,6 +925,13 @@ premaster_secret(EncSecret, #'RSAPrivateKey'{} = RSAPrivateKey) ->
     catch
 	_:_ ->
 	    throw(?ALERT_REC(?FATAL, ?DECRYPT_ERROR))
+    end;
+premaster_secret(EncSecret, #{algorithm := rsa} = Engine) ->
+    try crypto:private_decrypt(rsa, EncSecret, maps:remove(algorithm, Engine),
+				   [{rsa_pad, rsa_pkcs1_padding}])
+    catch
+	_:_ ->
+	    throw(?ALERT_REC(?FATAL, ?DECRYPT_ERROR))
     end.
 %%====================================================================
 %% Extensions handling
diff --git a/lib/ssl/src/ssl_pem_cache.erl b/lib/ssl/src/ssl_pem_cache.erl
index b7d23ef01e..41bca2f7b5 100644
--- a/lib/ssl/src/ssl_pem_cache.erl
+++ b/lib/ssl/src/ssl_pem_cache.erl
@@ -45,7 +45,7 @@
 
 -record(state, {
 	  pem_cache,                  
-	  last_pem_check             :: erlang:timestamp(),
+	  last_pem_check             :: integer(),
 	  clear            :: integer()
 	 }).
 
@@ -134,8 +134,9 @@ init([Name]) ->
     PemCache = ssl_pkix_db:create_pem_cache(Name),
     Interval = pem_check_interval(),
     erlang:send_after(Interval, self(), clear_pem_cache),
+    erlang:system_time(second),
     {ok, #state{pem_cache = PemCache,
-		last_pem_check =  os:timestamp(),
+		last_pem_check =  erlang:convert_time_unit(os:system_time(), native, second),
 		clear = Interval 	
 	       }}.
 
@@ -183,7 +184,7 @@ handle_cast({invalidate_pem, File}, #state{pem_cache = Db} = State) ->
 handle_info(clear_pem_cache, #state{pem_cache = PemCache,
 				    clear = Interval,
 				    last_pem_check = CheckPoint} = State) ->
-    NewCheckPoint = os:timestamp(),
+    NewCheckPoint = erlang:convert_time_unit(os:system_time(), native, second),
     start_pem_cache_validator(PemCache, CheckPoint),
     erlang:send_after(Interval, self(), clear_pem_cache),
     {noreply, State#state{last_pem_check = NewCheckPoint}};
@@ -229,24 +230,14 @@ init_pem_cache_validator([CacheName, PemCache, CheckPoint]) ->
 		      CheckPoint, PemCache).
 
 pem_cache_validate({File, _}, CheckPoint) ->
-    case file:read_file_info(File, []) of
-	{ok, #file_info{mtime = Time}} ->
-	    case is_before_checkpoint(Time, CheckPoint) of
-		true ->
-		    ok;
-		false ->
-		    invalidate_pem(File)
-	    end;
+    case file:read_file_info(File, [{time, posix}]) of
+	{ok, #file_info{mtime = Time}} when Time < CheckPoint ->
+	    ok;
 	_  ->
 	    invalidate_pem(File)
     end,
     CheckPoint.
 
-is_before_checkpoint(Time, CheckPoint) ->
-    calendar:datetime_to_gregorian_seconds(
-      calendar:now_to_datetime(CheckPoint)) -
-	calendar:datetime_to_gregorian_seconds(Time) > 0.
-
 pem_check_interval() ->
     case application:get_env(ssl, ssl_pem_cache_clean) of
 	{ok, Interval} when is_integer(Interval) ->
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index adb4f6d9ea..4dfb50967d 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -783,6 +783,7 @@ handle_info({CloseTag, Socket}, StateName,
             #state{socket = Socket, close_tag = CloseTag,
                    socket_options = #socket_options{active = Active},
                    protocol_buffers = #protocol_buffers{tls_cipher_texts = CTs},
+                   user_data_buffer = Buffer,
 		   negotiated_version = Version} = State) ->
 
     %% Note that as of TLS 1.1,
@@ -790,7 +791,7 @@ handle_info({CloseTag, Socket}, StateName,
     %% session not be resumed.  This is a change from TLS 1.0 to conform
     %% with widespread implementation practice.
 
-    case (Active == false) andalso (CTs =/= []) of
+    case (Active == false) andalso ((CTs =/= []) or (Buffer =/= <<>>)) of
         false ->
             case Version of
                 {1, N} when N >= 1 ->
diff --git a/lib/ssl/src/tls_sender.erl b/lib/ssl/src/tls_sender.erl
index 8d1938cee7..a245ee2465 100644
--- a/lib/ssl/src/tls_sender.erl
+++ b/lib/ssl/src/tls_sender.erl
@@ -319,7 +319,7 @@ handle_info({'DOWN', Monitor, _, _, _}, _,
             #data{connection_monitor = Monitor} = StateData) ->
     {stop, normal, StateData};
 handle_info(_,_,_) ->
-    {keep_state_and_data}.
+    keep_state_and_data.
 
 send_tls_alert(Alert, #data{negotiated_version = Version,
                             socket = Socket,
diff --git a/lib/ssl/test/ssl_ECC_SUITE.erl b/lib/ssl/test/ssl_ECC_SUITE.erl
index c93f066825..a5309e866b 100644
--- a/lib/ssl/test/ssl_ECC_SUITE.erl
+++ b/lib/ssl/test/ssl_ECC_SUITE.erl
@@ -395,10 +395,25 @@ client_ecdhe_rsa_server_ecdhe_ecdsa_client_custom(Config) ->
     end.
 
 mix_sign(Config) ->
-    {COpts0, SOpts0} = ssl_test_lib:make_mix_cert(Config),
+    mix_sign_rsa_peer(Config),
+    mix_sign_ecdsa_peer(Config).
+ 
+mix_sign_ecdsa_peer(Config) ->
+    {COpts0, SOpts0} = ssl_test_lib:make_mix_cert([{mix, peer_ecc} |Config]),
     COpts = ssl_test_lib:ssl_options(COpts0, Config), 
     SOpts = ssl_test_lib:ssl_options(SOpts0, Config),
     ECDHE_ECDSA =
         ssl:filter_cipher_suites(ssl:cipher_suites(default, 'tlsv1.2'), 
                                  [{key_exchange, fun(ecdhe_ecdsa) -> true; (_) -> false end}]),
     ssl_test_lib:basic_test(COpts, [{ciphers, ECDHE_ECDSA} | SOpts], Config).
+ 
+
+mix_sign_rsa_peer(Config) ->
+    {COpts0, SOpts0} = ssl_test_lib:make_mix_cert([{mix, peer_rsa} |Config]),
+    COpts = ssl_test_lib:ssl_options(COpts0, Config), 
+    SOpts = ssl_test_lib:ssl_options(SOpts0, Config),
+    ECDHE_RSA =
+        ssl:filter_cipher_suites(ssl:cipher_suites(default, 'tlsv1.2'), 
+                                 [{key_exchange, fun(ecdhe_rsa) -> true; (_) -> false end}]),
+    ssl_test_lib:basic_test(COpts, [{ciphers, ECDHE_RSA} | SOpts], Config).
+    
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 4585ea7306..6f668f0c00 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -244,7 +244,9 @@ error_handling_tests()->
      recv_active_once,
      recv_error_handling,
      call_in_error_state,
-     close_in_error_state
+     close_in_error_state,
+     abuse_transport_accept_socket,
+     controlling_process_transport_accept_socket
     ].
 
 error_handling_tests_tls()->
@@ -4054,7 +4056,51 @@ close_in_error_state(Config) when is_list(Config) ->
         Other ->
             ct:fail(Other)
     end.
+%%--------------------------------------------------------------------
+abuse_transport_accept_socket() ->
+    [{doc,"Only ssl:handshake and ssl:controlling_process is allowed for transport_accept:sockets"}].
+abuse_transport_accept_socket(Config) when is_list(Config) ->
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server_transport_abuse_socket([{node, ServerNode}, 
+                                                               {port, 0},
+                                                               {from, self()},
+                                                               {options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+                                        {host, Hostname},
+                                        {from, self()},
+                                        {mfa, {ssl_test_lib, no_result, []}},
+                                        {options, ClientOpts}]),
+    ssl_test_lib:check_result(Server, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+    
 
+%%--------------------------------------------------------------------
+controlling_process_transport_accept_socket() ->
+    [{doc,"Only ssl:handshake and ssl:controlling_process is allowed for transport_accept:sockets"}].
+controlling_process_transport_accept_socket(Config) when is_list(Config) ->
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server_transport_control([{node, ServerNode}, 
+                                                          {port, 0},
+                                                          {from, self()},
+                                                          {options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+    
+    _Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+                                              {host, Hostname},
+                                              {from, self()},
+                                              {options, ClientOpts}]),
+    ssl_test_lib:check_result(Server, ok),
+    ssl_test_lib:close(Server).
+
+%%--------------------------------------------------------------------
 run_error_server_close([Pid | Opts]) ->
     {ok, Listen} = ssl:listen(0, Opts),
     {ok,{_, Port}} = ssl:sockname(Listen),
diff --git a/lib/ssl/test/ssl_bench_SUITE.erl b/lib/ssl/test/ssl_bench_SUITE.erl
index 3fe6338d69..13097b08b6 100644
--- a/lib/ssl/test/ssl_bench_SUITE.erl
+++ b/lib/ssl/test/ssl_bench_SUITE.erl
@@ -44,6 +44,7 @@ init_per_suite(Config) ->
         nonode@nohost ->
             {skipped, "Node not distributed"};
         _ ->
+            ssl_test_lib:clean_start(),
             [{server_node, ssl_bench_test_lib:setup(perf_server)}|Config]
     end.
 
diff --git a/lib/ssl/test/ssl_bench_test_lib.erl b/lib/ssl/test/ssl_bench_test_lib.erl
index e5cbb911bd..47bcd41608 100644
--- a/lib/ssl/test/ssl_bench_test_lib.erl
+++ b/lib/ssl/test/ssl_bench_test_lib.erl
@@ -58,13 +58,13 @@ setup(Name) ->
     Path = code:get_path(),
     true = rpc:call(Node, code, set_path, [Path]),
     ok = rpc:call(Node, ?MODULE, setup_server, [node()]),
-    io:format("Client (~p) using ~s~n",[node(), code:which(ssl)]),
+    io:format("Client (~p) using ~ts~n",[node(), code:which(ssl)]),
     (Node =:= node()) andalso restrict_schedulers(client),
     Node.
 
 setup_server(ClientNode) ->
     (ClientNode =:= node()) andalso restrict_schedulers(server),
-    io:format("Server (~p) using ~s~n",[node(), code:which(ssl)]),
+    io:format("Server (~p) using ~ts~n",[node(), code:which(ssl)]),
     ok.
 
 restrict_schedulers(Type) ->
diff --git a/lib/ssl/test/ssl_engine_SUITE.erl b/lib/ssl/test/ssl_engine_SUITE.erl
index 1423c99dc2..e6c82d3eb5 100644
--- a/lib/ssl/test/ssl_engine_SUITE.erl
+++ b/lib/ssl/test/ssl_engine_SUITE.erl
@@ -90,12 +90,14 @@ end_per_testcase(_TestCase, Config) ->
 private_key(Config) when is_list(Config) ->
     ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), "client_engine"]),
     ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), "server_engine"]),
+    Ext = x509_test:extensions([{key_usage, [digitalSignature, keyEncipherment]}]),
     #{server_config := ServerConf,
       client_config := ClientConf} = GenCertData =
         public_key:pkix_test_data(#{server_chain => 
                                         #{root => [{key, ssl_test_lib:hardcode_rsa_key(1)}],
                                           intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}]],
-                                          peer => [{key, ssl_test_lib:hardcode_rsa_key(3)}
+                                          peer => [{extensions, Ext},
+                                                   {key, ssl_test_lib:hardcode_rsa_key(3)}
                                                   ]},
                                     client_chain => 
                                         #{root => [{key, ssl_test_lib:hardcode_rsa_key(4)}],
@@ -131,6 +133,12 @@ private_key(Config) when is_list(Config) ->
     %% Test with engine
     test_tls_connection(EngineServerConf, EngineClientConf, Config),
     
+    %% Test with engine and rsa keyexchange
+    RSASuites = all_kex_rsa_suites([{tls_version, 'tlsv1.2'} | Config]),
+    
+    test_tls_connection([{ciphers, RSASuites}, {versions, ['tlsv1.2']} | EngineServerConf], 
+                        [{ciphers, RSASuites}, {versions, ['tlsv1.2']} | EngineClientConf], Config),
+    
     %% Test with engine and present file arugments
     test_tls_connection(EngineFileServerConf, EngineFileClientConf, Config),
     
@@ -160,3 +168,8 @@ test_tls_connection(ServerConf, ClientConf, Config) ->
     ssl_test_lib:check_result(Server, ok, Client, ok),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
+
+all_kex_rsa_suites(Config) ->
+    Version = proplists:get_value(tls_version, Config),
+    All = ssl:cipher_suites(all, Version),
+    ssl:filter_cipher_suites(All,[{key_exchange, fun(rsa) -> true;(_) -> false end}]).
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 39a5bcaad6..8a2f0824fb 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -196,6 +196,55 @@ connect(ListenSocket, Node, _, _, Timeout, Opts, _) ->
     rpc:call(Node, ssl, ssl_accept, [AcceptSocket, Opts, Timeout]),
     AcceptSocket.
 
+
+start_server_transport_abuse_socket(Args) ->
+    Result = spawn_link(?MODULE, transport_accept_abuse, [Args]),
+    receive
+	{listen, up} ->
+	    Result
+    end.
+
+start_server_transport_control(Args) ->
+    Result = spawn_link(?MODULE, transport_switch_control, [Args]),
+    receive
+	{listen, up} ->
+	    Result
+    end.
+
+
+transport_accept_abuse(Opts) ->
+    Node = proplists:get_value(node, Opts),
+    Port = proplists:get_value(port, Opts),
+    Options = proplists:get_value(options, Opts),
+    Pid = proplists:get_value(from, Opts),
+    Transport =  proplists:get_value(transport, Opts, ssl),
+    ct:log("~p:~p~nssl:listen(~p, ~p)~n", [?MODULE,?LINE, Port, Options]),
+    {ok, ListenSocket} = rpc:call(Node, Transport, listen, [Port, Options]),
+    Pid ! {listen, up},
+    send_selected_port(Pid, Port, ListenSocket),
+    {ok, AcceptSocket} = rpc:call(Node, ssl, transport_accept, 
+                                  [ListenSocket]),    
+    {error, _} = rpc:call(Node, ssl, connection_information, [AcceptSocket]),
+    _ = rpc:call(Node, ssl, handshake, [AcceptSocket, infinity]),
+    Pid ! {self(), ok}.
+
+
+transport_switch_control(Opts) ->
+    Node = proplists:get_value(node, Opts),
+    Port = proplists:get_value(port, Opts),
+    Options = proplists:get_value(options, Opts),
+    Pid = proplists:get_value(from, Opts),
+    Transport =  proplists:get_value(transport, Opts, ssl),
+    ct:log("~p:~p~nssl:listen(~p, ~p)~n", [?MODULE,?LINE, Port, Options]),
+    {ok, ListenSocket} = rpc:call(Node, Transport, listen, [Port, Options]),
+    Pid ! {listen, up},
+    send_selected_port(Pid, Port, ListenSocket),
+    {ok, AcceptSocket} = rpc:call(Node, ssl, transport_accept, 
+                                  [ListenSocket]),    
+    ok = rpc:call(Node, ssl, controlling_process, [AcceptSocket, self()]),
+    Pid ! {self(), ok}.
+
+
 remove_close_msg(0) ->
     ok;
 remove_close_msg(ReconnectTimes) ->
@@ -693,20 +742,12 @@ make_mix_cert(Config) ->
     Ext = x509_test:extensions([{key_usage, [digitalSignature]}]),
     Digest = {digest, appropriate_sha(crypto:supports())},
     CurveOid = hd(tls_v1:ecc_curves(0)),
-    ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), "mix"]),
-    ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), "mix"]),
-    ClientChain =  [[Digest, {key, {namedCurve, CurveOid}}], 
-                    [Digest, {key, hardcode_rsa_key(1)}], 
-                    [Digest, {key, {namedCurve, CurveOid}}, {extensions, Ext}]
-                   ],
-    ServerChain =  [[Digest, {key, {namedCurve, CurveOid}}], 
-                    [Digest, {key,  hardcode_rsa_key(2)}], 
-                    [Digest, {key, {namedCurve, CurveOid}},{extensions, Ext}]
-                   ],
+    Mix = proplists:get_value(mix, Config, peer_ecc),
     ClientChainType =ServerChainType = mix,
+    {ClientChain, ServerChain} = mix(Mix, Digest, CurveOid, Ext),
     CertChainConf = gen_conf(ClientChainType, ServerChainType, ClientChain, ServerChain),
-    ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), atom_to_list(ClientChainType)]),
-    ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), atom_to_list(ServerChainType)]),
+    ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), "mix" ++ atom_to_list(Mix)]),
+    ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), "mix" ++ atom_to_list(Mix)]),
     GenCertData = public_key:pkix_test_data(CertChainConf),
     [{server_config, ServerConf}, 
      {client_config, ClientConf}] = 
@@ -715,6 +756,28 @@ make_mix_cert(Config) ->
      [{reuseaddr, true}, {verify, verify_peer} | ServerConf]
     }.
 
+mix(peer_ecc, Digest, CurveOid, Ext) ->
+    ClientChain =  [[Digest, {key, {namedCurve, CurveOid}}], 
+                    [Digest, {key, hardcode_rsa_key(1)}], 
+                    [Digest, {key, {namedCurve, CurveOid}}, {extensions, Ext}]
+                   ],
+    ServerChain =  [[Digest, {key, {namedCurve, CurveOid}}], 
+                    [Digest, {key,  hardcode_rsa_key(2)}], 
+                    [Digest, {key, {namedCurve, CurveOid}},{extensions, Ext}]
+                   ],
+    {ClientChain, ServerChain};
+
+mix(peer_rsa, Digest, CurveOid, Ext) ->
+    ClientChain =  [[Digest, {key, {namedCurve, CurveOid}}], 
+                    [Digest, {key, {namedCurve, CurveOid}}], 
+                    [Digest, {key, hardcode_rsa_key(1)}, {extensions, Ext}]
+                   ],
+    ServerChain =  [[Digest, {key, {namedCurve, CurveOid}}], 
+                    [Digest, {key, {namedCurve, CurveOid}}], 
+                    [Digest, {key,  hardcode_rsa_key(2)},{extensions, Ext}]
+                   ],
+    {ClientChain, ServerChain}.
+
 make_ecdsa_cert(Config) ->
     CryptoSupport = crypto:supports(),
     case proplists:get_bool(ecdsa, proplists:get_value(public_keys, CryptoSupport)) of