New upstream version 0.13~~git20190527.g039c4a1

48 files changed, 1607 insertions, 86 deletions

diff --git a/test/backupstorefix/testbackupstorefix.cpp b/test/backupstorefix/testbackupstorefix.cpp
index 38492bd1..ac1d0c14 100644
--- a/test/backupstorefix/testbackupstorefix.cpp
+++ b/test/backupstorefix/testbackupstorefix.cpp
@@ -671,8 +671,12 @@ int test(int argc, const char *argv[])
 		char name[256];
 		while(::fgets(line, sizeof(line), f) != 0)
 		{
-			TEST_THAT(::sscanf(line, "%x %s %s", &id, 
-				flags, name) == 3);
+			if(StartsWith("WARNING: SSLSecurityLevel not set.", line))
+			{
+				continue;
+			}
+			TEST_EQUAL_LINE(3, ::sscanf(line, "%x %s %s", &id, flags, name),
+				"Unexpected format in initial-listing.txt: <" << line << ">");
 			bool isDir = (::strcmp(flags, "-d---") == 0);
 			//TRACE3("%x,%d,%s\n", id, isDir, name);
 			MEMLEAKFINDER_NO_LEAKS;
diff --git a/test/backupstorefix/testfiles/testbackupstorefix.pl.in b/test/backupstorefix/testfiles/testbackupstorefix.pl.in
index fc807155..483087f7 100755
--- a/test/backupstorefix/testfiles/testbackupstorefix.pl.in
+++ b/test/backupstorefix/testfiles/testbackupstorefix.pl.in
@@ -148,18 +148,20 @@ elsif($ARGV[0] eq 'reroot')
 		or die "can't open copy listing file";
 	my $err = 0;
 	my $count = 0;
-	while(<LISTING>)
+	while(my $line = <LISTING>)
 	{
-		print LISTING_COPY;
-		chomp;
-		s/\[FILENAME NOT ENCRYPTED\]//;
-		next if /^WARNING: \*\*\*\* BackupStoreFilename encoded with Clear encoding \*\*\*\*/;
-		my ($id,$type,$name) = split / /;
+		print LISTING_COPY $line;
+		chomp $line;
+		$line =~s/\[FILENAME NOT ENCRYPTED\]//;
+		next if $line =~ /^WARNING: \*\*\*\* BackupStoreFilename encoded with Clear encoding \*\*\*\*/;
+		next if $line =~ /^WARNING: SSLSecurityLevel not set./;
+		my ($id,$type,$name) = split / /, $line;
 		$count++;
 		if($name !~ /\Alost\+found0/)
 		{
 			# everything must be in a lost and found dir
-			$err = 1
+			print "Expected '$name' to be in a lost+found directory, but it was not ($line)";
+			$err = 1;
 		}
 	}
 	close LISTING_COPY;
diff --git a/test/basicserver/testbasicserver.cpp b/test/basicserver/testbasicserver.cpp
index 6f2def54..9285dfc9 100644
--- a/test/basicserver/testbasicserver.cpp
+++ b/test/basicserver/testbasicserver.cpp
@@ -15,18 +15,17 @@
 
 #include <typeinfo>
 
-#include "Test.h"
-#include "Daemon.h"
+#include "CollectInBufferStream.h"
 #include "Configuration.h"
-#include "ServerStream.h"
-#include "SocketStream.h"
+#include "Daemon.h"
 #include "IOStreamGetLine.h"
+#include "ServerControl.h"
+#include "ServerStream.h"
 #include "ServerTLS.h"
-#include "CollectInBufferStream.h"
-
+#include "SocketStream.h"
+#include "Test.h"
 #include "TestContext.h"
 #include "autogen_TestProtocol.h"
-#include "ServerControl.h"
 
 #include "MemLeakFindOn.h"
 
@@ -98,7 +97,7 @@ void testservers_connection(SocketStream &rStream)
 	while(!getline.IsEOF())
 	{
 		std::string line;
-		while(!getline.GetLine(line))
+		while(!getline.GetLine(line, false, SHORT_TIMEOUT))
 			;
 		if(line == "QUIT")
 		{
@@ -208,11 +207,16 @@ const ConfigurationVerify *testserver::GetConfigVerify() const
 		}
 	};
 
+	static ConfigurationVerifyKey root_keys[] =
+	{
+		ssl_security_level_key,
+	};
+
 	static ConfigurationVerify verify =
 	{
 		"root", /* mName */
 		verifyserver, /* mpSubConfigurations */
-		0, /* mpKeys */
+		root_keys, // mpKeys
 		ConfigTest_Exists | ConfigTest_LastEntry,
 		0
 	};
@@ -449,6 +453,151 @@ void TestStreamReceive(TestProtocolClient &protocol, int value, bool uncertainst
 	TEST_THAT(count == (24273*3));	// over 64 k of data, definately
 }
 
+bool test_security_level(int cert_level, int test_level, bool expect_failure_on_connect = false)
+{
+	int old_num_failures = num_failures;
+
+	// Context first
+	TLSContext context;
+	if(cert_level == 0)
+	{
+		context.Initialise(false /* client */,
+			"testfiles/clientCerts.pem",
+			"testfiles/clientPrivKey.pem",
+			"testfiles/clientTrustedCAs.pem",
+			test_level); // SecurityLevel
+	}
+	else if(cert_level == 1)
+	{
+		context.Initialise(false /* client */,
+			"testfiles/seclevel2-sha1/ca/clients/1234567-cert.pem",
+			"testfiles/seclevel2-sha1/bbackupd/1234567-key.pem",
+			"testfiles/seclevel2-sha1/ca/roots/serverCA.pem",
+			test_level); // SecurityLevel
+	}
+	else if(cert_level == 2)
+	{
+		context.Initialise(false /* client */,
+			"testfiles/seclevel2-sha256/ca/clients/1234567-cert.pem",
+			"testfiles/seclevel2-sha256/bbackupd/1234567-key.pem",
+			"testfiles/seclevel2-sha256/ca/roots/serverCA.pem",
+			test_level); // SecurityLevel
+	}
+	else
+	{
+		TEST_FAIL_WITH_MESSAGE("No certificates generated for level " << cert_level);
+		return false;
+	}
+
+	SocketStreamTLS conn;
+
+	if(expect_failure_on_connect)
+	{
+		TEST_CHECK_THROWS(
+			conn.Open(context, Socket::TypeINET, "localhost", 2003),
+			ConnectionException, TLSPeerWeakCertificate);
+	}
+	else
+	{
+		conn.Open(context, Socket::TypeINET, "localhost", 2003);
+	}
+
+	return (num_failures == old_num_failures); // no new failures -> good
+}
+
+// Test the certificates that were distributed with the Box Backup source since ancient times,
+// which have only 1024-bit keys, and thus fail with "ee key too small".
+bool test_ancient_certificates()
+{
+	int old_num_failures = num_failures;
+
+	// Level -1 (allow weaker, with warning) should pass with any certificates:
+	TEST_THAT(test_security_level(0, -1)); // cert_level, test_level
+
+	// We do not test level 0 (system-wide default) because the system
+	// may have it set high, and our old certificate will not be usable
+	// in that case, and the user has no way to fix that, so it's not a
+	// useful test.
+
+	// Level 1 (allow weaker, without a warning) should pass with any certificates:
+	TEST_THAT(test_security_level(0, 1)); // cert_level, test_level
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+	// Level 2 (disallow weaker, without a warning) should NOT pass with old certificates:
+	TEST_CHECK_THROWS(
+		test_security_level(0, 2), // cert_level, test_level
+		ServerException, TLSServerWeakCertificate);
+#else
+	// We have no way to increase the security level, so it should still pass:
+	test_security_level(0, 2); // cert_level, test_level
+#endif
+
+	return (num_failures == old_num_failures); // no new failures -> good
+}
+
+// Test a set of more recent certificates, which have a longer key but are signed using the SHA1
+// algorithm instead of SHA256, which fail with "ca md too weak" instead.
+bool test_old_certificates()
+{
+	int old_num_failures = num_failures;
+
+	// Level -1 (allow weaker, with warning) should pass with any certificates:
+	TEST_THAT(test_security_level(1, -1)); // cert_level, test_level
+
+	// We do not test level 0 (system-wide default) because the system
+	// may have it set high, and our old certificate will not be usable
+	// in that case, and the user has no way to fix that, so it's not a
+	// useful test.
+
+	// Level 1 (allow weaker, without a warning) should pass with any certificates:
+	TEST_THAT(test_security_level(1, 1)); // cert_level, test_level
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+	// Level 2 (disallow weaker, without a warning) should NOT pass with old certificates:
+	TEST_CHECK_THROWS(
+		test_security_level(1, 2), // cert_level, test_level
+		ServerException, TLSServerWeakCertificate);
+#else
+	// We have no way to increase the security level, so it should still pass:
+	test_security_level(1, 2); // cert_level, test_level
+#endif
+
+	return (num_failures == old_num_failures); // no new failures -> good
+}
+
+
+bool test_new_certificates(bool expect_failure_level_2)
+{
+	int old_num_failures = num_failures;
+
+	// Level -1 (allow weaker, with warning) should pass with any certificates:
+	TEST_THAT(test_security_level(2, -1)); // cert_level, test_level
+
+	// Level 0 (system dependent). This will fail if the user (or their
+	// distro) sets the system-wide security level very high. We check
+	// this because *we* may need to update Box Backup if this happens
+	// again, as it did when Debian increased the default level.
+	// Newly generated certificates may need to be strengthened.
+	// And we may need to update the documentation.
+	TEST_THAT(test_security_level(2, 0)); // cert_level, test_level
+
+	// Level 1 (allow weaker, without a warning) should pass with any certificates:
+	TEST_THAT(test_security_level(2, 1)); // cert_level, test_level
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+	// Level 2 (disallow weaker, without a warning) should pass with new certificates,
+	// but might fail to connect to a peer with weak (insecure) certificates:
+	TEST_THAT(test_security_level(2, 2, expect_failure_level_2));
+	// cert_level, test_level, expect_failure
+#else
+	// We have no way to increase the security level, so it should not fail to connect to a
+	// daemon with weak certificates:
+	test_security_level(2, 2, false); // cert_level, test_level, expect_failure
+#endif
+
+	return (num_failures == old_num_failures); // no new failures -> good
+}
+
 
 int test(int argc, const char *argv[])
 {
@@ -644,6 +793,7 @@ int test(int argc, const char *argv[])
 						"testfiles/clientCerts.pem",
 						"testfiles/clientPrivKey.pem",
 						"testfiles/clientTrustedCAs.pem");
+				// SecurityLevel == -1 by default (old security + warnings)
 
 				SocketStreamTLS conn1;
 				conn1.Open(context, Socket::TypeINET, "localhost", 2003);
@@ -682,6 +832,11 @@ int test(int argc, const char *argv[])
 				TEST_THAT(ServerIsAlive(pid));
 			#endif
 
+			// Try testing with different security levels, check that the behaviour is
+			// as documented at:
+			// https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates
+			TEST_THAT(test_ancient_certificates());
+
 			// Kill it
 			TEST_THAT(KillServer(pid));
 			::sleep(1);
@@ -691,6 +846,36 @@ int test(int argc, const char *argv[])
 				TestRemoteProcessMemLeaks("test-srv3.memleaks");
 			#endif
 		}
+
+		cmd = TEST_EXECUTABLE " --test-daemon-args=";
+		cmd += test_args;
+		cmd += " srv3 testfiles/srv3-seclevel2-sha1.conf";
+		pid = LaunchServer(cmd, "testfiles/srv3.pid");
+
+		TEST_THAT(pid != -1 && pid != 0);
+		TEST_THAT(test_old_certificates());
+		TEST_THAT(KillServer(pid));
+
+		cmd = TEST_EXECUTABLE " --test-daemon-args=";
+		cmd += test_args;
+		cmd += " srv3 testfiles/srv3-seclevel2-sha256.conf";
+		pid = LaunchServer(cmd, "testfiles/srv3.pid");
+
+		TEST_THAT(pid != -1 && pid != 0);
+		TEST_THAT(test_new_certificates(false)); // !expect_failure_level_2
+		TEST_THAT(KillServer(pid));
+
+		// Start a daemon using old, insecure certificates. We should get an error when we
+		// try to connect to it:
+
+		cmd = TEST_EXECUTABLE " --test-daemon-args=";
+		cmd += test_args;
+		cmd += " srv3 testfiles/srv3-insecure-daemon.conf";
+		pid = LaunchServer(cmd, "testfiles/srv3.pid");
+
+		TEST_THAT(pid != -1 && pid != 0);
+		TEST_THAT(test_new_certificates(true)); // expect_failure_level_2
+		TEST_THAT(KillServer(pid));
 	}
 	
 //protocolserver:
@@ -698,7 +883,7 @@ int test(int argc, const char *argv[])
 	{
 		std::string cmd = TEST_EXECUTABLE " --test-daemon-args=";
 		cmd += test_args;
-		cmd += " srv4 testfiles/srv4.conf";
+		cmd += " srv4 testfiles/srv4-seclevel1.conf";
 		int pid = LaunchServer(cmd, "testfiles/srv4.pid");
 
 		TEST_THAT(pid != -1 && pid != 0);
diff --git a/test/basicserver/testfiles/seclevel2-sha1/bbackupd.conf b/test/basicserver/testfiles/seclevel2-sha1/bbackupd.conf
new file mode 100644
index 00000000..eb37d9ab
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/bbackupd.conf
@@ -0,0 +1,196 @@
+
+StoreHostname = localhost
+AccountNumber = 0x1234567
+KeysFile = ./bbackupd/1234567-FileEncKeys.raw
+
+CertificateFile = ./bbackupd/1234567-cert.pem
+PrivateKeyFile = ./bbackupd/1234567-key.pem
+TrustedCAsFile = ./bbackupd/serverCA.pem
+SSLSecurityLevel = 2
+
+DataDirectory = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2-sha1
+
+
+# This script is run whenever bbackupd changes state or encounters a
+# problem which requires the system administrator to assist:
+#
+# 1) The store is full, and no more data can be uploaded.
+# 2) Some files or directories were not readable.
+# 3) A backup run starts or finishes.
+#
+# The default script emails the system administrator, except for backups
+# starting and stopping, where it does nothing.
+
+NotifyScript = ./bbackupd/NotifySysadmin.sh
+
+
+# The number of seconds between backup runs under normal conditions. To avoid 
+# cycles of load on the server, this time is randomly adjusted by a small 
+# percentage as the daemon runs.
+
+UpdateStoreInterval = 3600
+
+
+# The minimum age of a file, in seconds, that will be uploaded. Avoids 
+# repeated uploads of a file which is constantly being modified.
+
+MinimumFileAge = 21600
+
+
+# If a file is modified repeated, it won't be uploaded immediately in case 
+# it's modified again, due to the MinimumFileAge specified above. However, it 
+# should be uploaded eventually even if it is being modified repeatedly. This 
+# is how long we should wait, in seconds, after first noticing a change. 
+# (86400 seconds = 1 day)
+
+MaxUploadWait = 86400
+
+# If the connection is idle for some time (e.g. over 10 minutes or 600
+# seconds, not sure exactly how long) then the server will give up and
+# disconnect the client, resulting in Connection Protocol_Timeout errors
+# on the server and TLSReadFailed or TLSWriteFailed errors on the client.
+# Also, some firewalls and NAT gateways will kill idle connections after
+# similar lengths of time. 
+#
+# This can happen for example when most files are backed up already and
+# don't need to be sent to the store again, while scanning a large
+# directory, or while calculating diffs of a large file. To avoid this,
+# KeepAliveTime specifies that special keep-alive messages should be sent
+# when the connection is otherwise idle for a certain length of time,
+# specified here in seconds.
+#
+# The default is that these messages are never sent, equivalent to setting
+# this option to zero, but we recommend that all users enable this.
+
+KeepAliveTime = 120
+
+
+# Files above this size (in bytes) are tracked, and if they are renamed they will simply be
+# renamed on the server, rather than being uploaded again. (64k - 1)
+
+FileTrackingSizeThreshold = 65535
+
+
+# The daemon does "changes only" uploads for files above this size (in bytes).
+# Files less than it are uploaded whole without this extra processing.
+
+DiffingUploadSizeThreshold = 8192
+
+
+# The limit on how much time is spent diffing files, in seconds. Most files 
+# shouldn't take very long, but if you have really big files you can use this 
+# to limit the time spent diffing them.
+#
+# * Reduce if you are having problems with processor usage.
+#
+# * Increase if you have large files, and think the upload of changes is too 
+#   large and you want bbackupd to spend more time searching for unchanged
+#   blocks.
+
+MaximumDiffingTime = 120
+
+
+# Uncomment this line to see exactly what the daemon is going when it's connected to the server.
+
+# ExtendedLogging = yes
+
+
+# This specifies a program or script script which is run just before each 
+# sync, and ideally the full path to the interpreter. It will be run as the 
+# same user bbackupd is running as, usually root.
+#
+# The script must output (print) either "now" or a number to STDOUT (and a 
+# terminating newline, no quotes).
+#
+# If the result was "now", then the sync will happen. If it's a number, then 
+# no backup will happen for that number of seconds (bbackupd will pause) and 
+# then the script will be run again.
+#
+# Use this to temporarily stop bbackupd from syncronising or connecting to the 
+# store. For example, you could use this on a laptop to only backup when on a 
+# specific network, or when it has a working Internet connection.
+
+# SyncAllowScript = /path/to/intepreter/or/exe script-name parameters etc
+
+
+# Where the command socket is created in the filesystem.
+
+CommandSocket = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2-sha1/bbackupd.sock
+
+# Uncomment the StoreObjectInfoFile to enable the experimental archiving
+# of the daemon's state (including client store marker and configuration)
+# between backup runs. This saves time and increases efficiency when
+# bbackupd is frequently stopped and started, since it removes the need
+# to rescan all directories on the remote server. However, it is new and
+# not yet heavily tested, so use with caution.
+
+# StoreObjectInfoFile = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2-sha1/bbackupd.state
+
+Server
+{
+	PidFile = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2-sha1/bbackupd.pid
+}
+
+
+# BackupLocations specifies which locations on disc should be backed up. Each
+# directory is in the format
+# 
+# 	name
+# 	{
+# 		Path = /path/of/directory
+# 		(optional exclude directives)
+# 	}
+# 
+# 'name' is derived from the Path by the config script, but should merely be
+# unique.
+# 
+# The exclude directives are of the form
+# 
+# 	[Exclude|AlwaysInclude][File|Dir][|sRegex] = regex or full pathname
+# 
+# (The regex suffix is shown as 'sRegex' to make File or Dir plural)
+#
+# For example:
+# 
+# 	ExcludeDir = /home/guest-user
+# 	ExcludeFilesRegex = .(mp3|MP3)$
+# 	AlwaysIncludeFile = /home/username/veryimportant.mp3
+# 
+# This excludes the directory /home/guest-user from the backup along with all mp3
+# files, except one MP3 file in particular.
+# 
+# In general, Exclude excludes a file or directory, unless the directory is
+# explicitly mentioned in a AlwaysInclude directive. However, Box Backup
+# does NOT scan inside excluded directories and will never back up an
+# AlwaysIncluded file or directory inside an excluded directory or any
+# subdirectory thereof.
+#
+# To back up a directory inside an excluded directory, use a configuration
+# like this, to ensure that each directory in the path to the important
+# files is included, but none of their contents will be backed up except
+# the directories further down that path to the important one.
+#
+# ExcludeDirsRegex = ^/home/user/bigfiles/
+# ExcludeFilesRegex = ^/home/user/bigfiles/
+# AlwaysIncludeDir = /home/user/bigfiles/path
+# AlwaysIncludeDir = /home/user/bigfiles/path/to
+# AlwaysIncludeDir = /home/user/bigfiles/path/important
+# AlwaysIncludeDir = /home/user/bigfiles/path/important/files
+# AlwaysIncludeDirsRegex = ^/home/user/bigfiles/path/important/files/
+# AlwaysIncludeFilesRegex = ^/home/user/bigfiles/path/important/files/
+# 
+# If a directive ends in Regex, then it is a regular expression rather than a 
+# explicit full pathname. See
+# 
+# 	man 7 re_format
+# 
+# for the regex syntax on your platform.
+
+BackupLocations
+{
+	home-chris-boxbackup-test-basicserver-testfiles-seclevel2-sha1
+	{
+		Path = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2-sha1
+	}
+}
+
diff --git a/test/basicserver/testfiles/seclevel2-sha1/bbackupd/1234567-csr.pem b/test/basicserver/testfiles/seclevel2-sha1/bbackupd/1234567-csr.pem
new file mode 100644
index 00000000..340116ed
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/bbackupd/1234567-csr.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICXjCCAUYCAQAwGTEXMBUGA1UEAwwOQkFDS1VQLTEyMzQ1NjcwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrSHZEUGZxLnDFr0B02Utd5rF6YwYmhzLG
+WNBnC0FBrCN0qJgjEHpQ0jqMGA9vIvBuesYhBmk8hOyJFHNtJB8MJyeHvKSwdwlF
+Isz+gr60RGAKj290nSdFgMvMgkdqz6Vg4R9t94fzhxjk/BJyNjr8r+64hffIOQmM
+YlmADLX38BLRLAfbVVkq/bRgqBFtmvFYTZKl6of1jVSWQLcXGShWE45lc5Hpd+qv
+DRjzsQukb3gJmKU4DMW1BCaS8W6v7R0MG/5CooiwMRrct8puH4IeIDrByBz/0mRP
+fMPjR2qpjx4EmLRcC39lGVBTnXLYM1XGIYsX7f1ssYZZXSSajUp9AgMBAAGgADAN
+BgkqhkiG9w0BAQUFAAOCAQEAbDRc2PW9WnUu7F1g/mWQW8aGhyzMcYTp28kVEtMC
+dvvbNLFWtWPXktM9PjR6F+3QRQktdXwYXsTctmGL4vvSKFd66gw4HklGe+Opiiw/
+o9F6E2PAFzRYbMio7UYevs/RhktaJRkVyd81e8LtFHuUD3vqBY84NVeKwmxnbdoK
+jzBj3x3COkLLiPTWjb+RgxnPWcNtXhLAcATZeCKBo4U0gvRL1NTMCslIumdhtD8h
+BQOdEaSP2sB8o3mMEh8W5tgja4zWv1GszJK9sJNL/EZag331/++5H06yf8vPhQW7
+rqRHA33CUe7XiqAkXp+Rgq5W97qcKIlo4uKRzCsTYC/QUg==
+-----END CERTIFICATE REQUEST-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/bbackupd/1234567-key.pem b/test/basicserver/testfiles/seclevel2-sha1/bbackupd/1234567-key.pem
new file mode 100644
index 00000000..9ee696ee
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/bbackupd/1234567-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAq0h2RFBmcS5wxa9AdNlLXeaxemMGJocyxljQZwtBQawjdKiY
+IxB6UNI6jBgPbyLwbnrGIQZpPITsiRRzbSQfDCcnh7yksHcJRSLM/oK+tERgCo9v
+dJ0nRYDLzIJHas+lYOEfbfeH84cY5PwScjY6/K/uuIX3yDkJjGJZgAy19/AS0SwH
+21VZKv20YKgRbZrxWE2SpeqH9Y1UlkC3FxkoVhOOZXOR6Xfqrw0Y87ELpG94CZil
+OAzFtQQmkvFur+0dDBv+QqKIsDEa3LfKbh+CHiA6wcgc/9JkT3zD40dqqY8eBJi0
+XAt/ZRlQU51y2DNVxiGLF+39bLGGWV0kmo1KfQIDAQABAoIBAHLetfI6uXlOW/M4
+BVJYKGNhQ8WAg69zHGpJRfrVYX5Zo62pI97gPifV1c3+lNtD41s0m4uqcQlVXAzS
+2lZn0yqjV6+ApDJ0opLrM++8X4kmEgMDDwx2GNBUAFm3RY4slAzU7e8iAtsfz2JC
+a1yNYiH1G3RE5FgzaGPt0Xg/DgqorT6uR5/jIzlSpqRse9sXG4/uGEmfkogMwvU+
+gmcMOs+Jm7HbLMIGxzBydNTFoup1YUVSCuIjdJBpWRCbBaeYeTSoQgdAPALtwJgz
+v8quFaJOkJMKIaXOF+1VN8w5rPTJJdfHtYITz6i0V5A7qSHR5jckbm0UWcXnEdaZ
+YvkKRUECgYEA4krb4xrXLuSbUv70dKXybyNxEFK+IVG6NZG4+iaW8B8oU8+q8FzM
+HPYAdppYKkYrjslKWIOwZdTsYa4Z8U/uhmMv4OpcCq7nYv6W/g1N/AMd8pEJvV9m
+EQ5hY1uMg3rgorYWGDyh3HcYl2q4/9EJiPKUVoZb9IPeO3Po3TgK8A8CgYEAwcTf
+EHJVs5F2mnetRhETpC5IGUB9OKbPm+JR6+BNFsh1vaPosobfYOzO6PJm0H/z4jMN
+n29oc1SAphUXegE6gbVO8/hd9S4OhTq8egFO9Y/BN3/lHUYe/RPs2BZ+Foh70PH7
+9l6K/UDrwJ458hBrFM/DCcjRRcw12GBPUZ8xkLMCgYEAlND8GDc/igQnLYajhs7X
+R0V8hmqTxN+1YKNLjZ6xJoqm/68TUG0Ggok5NsY78tkgrg8sSFeaOu2y4m4Xe33A
+dDpoczZMf24UlyKsc7iWL4RxPmMpj5NcUR0u6KN9Hb5CWl762seM/qqHzpQNw5ZZ
++ejlqp1DfeL21Axe+JRxhPsCgYEAiYEWtoocbRhd7RHeYWl+4bSCL4FHG2usyjdZ
+4SREMFXCz/fACuiRHiwOTNqvwWf7ftqx4SFjIuylerZe+ZJjnWY3iAQJURME9OCQ
+nZfOG46PE75rrVF0bi20lken5H+oNcdzAQtoYH2wjvj5r+CczKD/DDN45qoaz9jQ
+kOCCgOcCgYBDeOUq+6UoZMmx1c/H4MnRWMpHu0hNfivDEeJMYkxLMA98clstohc7
+T4B4gaoCewJ5XVR72k+Oqgvy++d4g5EpRjFE8hVNjw7Vo3WP0+X5iI+TmBuLKh/c
+Wl10t7jLE25vyLJs4nmQd4hav9gWMbP5l99sVq61DM6bMuRcQnyeIA==
+-----END RSA PRIVATE KEY-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh b/test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh
new file mode 100755
index 00000000..48e8cf8e
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# This script is run whenever bbackupd changes state or encounters a
+# problem which requires the system administrator to assist:
+#
+# 1) The store is full, and no more data can be uploaded.
+# 2) Some files or directories were not readable.
+# 3) A backup run starts or finishes.
+#
+# The default script emails the system administrator, except for backups
+# starting and stopping, where it does nothing.
+
+SUBJECT="BACKUP PROBLEM on host debian-unstable"
+SENDTO="chris"
+
+if [ "$1" = "" ]; then
+	echo "Usage: $0 <store-full|read-error|backup-ok|backup-error|backup-start|backup-finish>" >&2
+	exit 2
+elif [ "$1" = store-full ]; then
+	sendmail: $SENDTO <<EOM
+Subject: $SUBJECT (store full)
+To: $SENDTO
+
+
+The store account for debian-unstable is full.
+
+=============================
+FILES ARE NOT BEING BACKED UP
+=============================
+
+Please adjust the limits on account 1234567 on server localhost.
+
+EOM
+elif [ "$1" = read-error ]; then
+sendmail: $SENDTO <<EOM
+Subject: $SUBJECT (read errors)
+To: $SENDTO
+
+
+Errors occured reading some files or directories for backup on debian-unstable.
+
+===================================
+THESE FILES ARE NOT BEING BACKED UP
+===================================
+
+Check the logs on debian-unstable for the files and directories which caused
+these errors, and take appropriate action.
+
+Other files are being backed up.
+
+EOM
+elif [ "$1" = backup-start -o "$1" = backup-finish -o "$1" = backup-ok ]; then
+	# do nothing by default
+	true
+else
+sendmail: $SENDTO <<EOM
+Subject: $SUBJECT (unknown)
+To: $SENDTO
+
+
+The backup daemon on debian-unstable reported an unknown error ($1).
+
+==========================
+FILES MAY NOT BE BACKED UP
+==========================
+
+Please check the logs on debian-unstable.
+
+EOM
+fi
diff --git a/test/basicserver/testfiles/seclevel2-sha1/bbstored.conf b/test/basicserver/testfiles/seclevel2-sha1/bbstored.conf
new file mode 100644
index 00000000..25425dfa
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/bbstored.conf
@@ -0,0 +1,23 @@
+
+RaidFileConf = ./raidfile.conf
+AccountDatabase = ./bbstored/accounts.txt
+
+# Uncomment this line to see exactly what commands are being received from clients.
+# ExtendedLogging = yes
+
+# scan all accounts for files which need deleting every 15 minutes.
+
+TimeBetweenHousekeeping = 900
+
+Server
+{
+	PidFile = /var/run/bbstored.pid
+	User = chris
+	ListenAddresses = inet:localhost
+	CertificateFile = ./bbstored/localhost-cert.pem
+	PrivateKeyFile = ./bbstored/localhost-key.pem
+	TrustedCAsFile = ./bbstored/clientCA.pem
+	SSLSecurityLevel = 2
+}
+
+
diff --git a/test/basicserver/testfiles/seclevel2-sha1/bbstored/localhost-csr.pem b/test/basicserver/testfiles/seclevel2-sha1/bbstored/localhost-csr.pem
new file mode 100644
index 00000000..db9fe3f7
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/bbstored/localhost-csr.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICWTCCAUECAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAyzNFMI4BCpd/vGvPseb8U/NZYDQZ6nV7nFwDPsyr
+/yoUBQz7/gEAFP9Zo+8C9h89N2dPuxVNgylybiXO1icy8NsH+xkTtJXPSqi/Q87M
+36V5/k7wfF6Kx9ayuB2e1xg844fuY3llYacOyoA1NWP3DaQP+MztxuvKqK4JnodU
+oqysEK3DF4F1qFSHh1fum5nY+GBPaZjhn6ns/prQP8De6bctEjUAEYSKqUjNJpYa
+sP0KqFH8CoY1ZGa/f5n0CZ/9VT5N+Nm0TA1HwX2QeH0h1yp/LH52tD6/8T9XqgK4
+iuekRol6dkj63jXPnVSK4NSFksTzJsQCABOUz4kXKZucQQIDAQABoAAwDQYJKoZI
+hvcNAQEFBQADggEBACN8kdjf8P/OBMVytAKxWlXDAtG5A8qZz4e+aNM4JfXF//fP
+pS5c+m0rpt6aop4N5n5MWyL54eJlhh+yyNdm2RmHvybJKHLTRCPzP3gtHaVZ4v2V
+xWbDW+LuLMhDp70Ci1/CGWv+fQ2jmKPAtXGcbIsvjI+swLRtJDTwNV6B/dbS5QyF
+6n8O+pSLS6l7vsXginavB+VLAWWdtCbZAgId9Io0BePN/LpVb2bLgzGfzBInSCFl
+4bBN3dqC7nFkXdk+EXseA0L1NYUpXZoperzxMgDG74IMPwIomkb3elNP7xpz3Zgg
+Y5xwL05H5Jj5aW3Ao9mY3LKK8ZmAQnljOsyQsKc=
+-----END CERTIFICATE REQUEST-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/bbstored/localhost-key.pem b/test/basicserver/testfiles/seclevel2-sha1/bbstored/localhost-key.pem
new file mode 100644
index 00000000..885892b3
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/bbstored/localhost-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyzNFMI4BCpd/vGvPseb8U/NZYDQZ6nV7nFwDPsyr/yoUBQz7
+/gEAFP9Zo+8C9h89N2dPuxVNgylybiXO1icy8NsH+xkTtJXPSqi/Q87M36V5/k7w
+fF6Kx9ayuB2e1xg844fuY3llYacOyoA1NWP3DaQP+MztxuvKqK4JnodUoqysEK3D
+F4F1qFSHh1fum5nY+GBPaZjhn6ns/prQP8De6bctEjUAEYSKqUjNJpYasP0KqFH8
+CoY1ZGa/f5n0CZ/9VT5N+Nm0TA1HwX2QeH0h1yp/LH52tD6/8T9XqgK4iuekRol6
+dkj63jXPnVSK4NSFksTzJsQCABOUz4kXKZucQQIDAQABAoIBACvo7mCprwvs5QuA
+eKdG9OvnQD8LwzXpIUcOkxz0+Y3wN9dHkQS4jp36+BH2yjsJUR8x0gbpeZCIWlP3
+E5Uvb1Cg5D6ckqeJX/wQLxSmEZualJwhztHxVCgO+xvSOsrcT/wTGa6hQwkxIn8b
+6WOaMH7gHxtynUdJGMgOo8GAGQf1yVganOo8hk/jARjln3Cyg+0018a8P0bZHI5L
+2EJgXSvVo5N4s0sVxMTDUX80YMmpH5M1duCYRitJwZCDMg5xOjootvfzw9pDD40/
+JsQHxdCfotDEBOVym7mKqxOUowwA+8vKG5yOkG7Fb7QmO9UkujqBCQs7n9q+0wj5
+3OV872ECgYEA+YwqJ+vk8EK6Eo4ZJmYNhreKDtfTCiv4CRpxWimyf8fShhPSpcur
+JSMl7OLuJhqsWIoGs5v1QSMhaSckLVq5lSZ7czVyC/ZFmhXN8LmfdYJ3LuSfEhG/
+ma9c2qXXC9EbTgdRg5lFSIugBFEHv+656Jn6Oj4hN/V8bd0EDgSY7Q0CgYEA0HRR
+esMH2YSGztoauzl0FmOHrH53diTpCNBzh2ZEwQgHcTbHK3VfDqN0bsUx4SwZW/Wj
+o7elnrBDHdVa8LMbUq7DH5YzRnfbGJHcKhUCTI3eT0wfpKvnyptIwRaKozS313rx
++5ZePf51krnYTs6p73Nvu7ALUwTLLi57PZQKJwUCgYB2B0JlEWB99sF1RzpD/B7H
+qgWlUZUiiXtOKvCT+YbQgx1ihvupqTPwY7hrW0XSRelgEyBqUQhl34zM5FNrFC8U
+iVf4PL4NRFTVNRzrj5AJD0T5q+5EqJpbwSKE081rbGKivDlkqdioIEn14LFuqSXL
+CxDb/UjO49APUmq5ipkd/QKBgQCfSxPsrNb1yMk/jvn4coochchq72WYudH+c1Sl
+dmg53knZoROISTPvusbB0x0vxgRG+qom9LKyVl2jkaPh5eyOPZBMNfpO8k5SMzw8
+SDuuhocIr9JKgzco44swSmp9F08ZchEywZCY7TepfS0n49OGcP9EPN4afcJKMyjo
+QJWVhQKBgH47nr45MgQJIoeUzmDPL/N9jAlG4+MvfsGvZxtGeRij68TYFStPEccO
+GJH09GQZgxvz8YbamC4KEA67PlwOdm/4ITs4HAE+tX6gaYeXG8XTw/azQdx0ZhXu
+EIhyRvSeCfXq/hi4Qef2yIx3YLarPXw1E38Xtl0MOl+yGg827Imt
+-----END RSA PRIVATE KEY-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/clients/1234567-cert.pem b/test/basicserver/testfiles/seclevel2-sha1/ca/clients/1234567-cert.pem
new file mode 100644
index 00000000..d3f3acba
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/clients/1234567-cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsTCCAZkCAQEwDQYJKoZIhvcNAQEFBQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5
+c3RlbSBjbGllbnQgcm9vdDAeFw0xOTA0MjgyMDU3NDBaFw0zMzAxMDQyMDU3NDBa
+MBkxFzAVBgNVBAMMDkJBQ0tVUC0xMjM0NTY3MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAq0h2RFBmcS5wxa9AdNlLXeaxemMGJocyxljQZwtBQawjdKiY
+IxB6UNI6jBgPbyLwbnrGIQZpPITsiRRzbSQfDCcnh7yksHcJRSLM/oK+tERgCo9v
+dJ0nRYDLzIJHas+lYOEfbfeH84cY5PwScjY6/K/uuIX3yDkJjGJZgAy19/AS0SwH
+21VZKv20YKgRbZrxWE2SpeqH9Y1UlkC3FxkoVhOOZXOR6Xfqrw0Y87ELpG94CZil
+OAzFtQQmkvFur+0dDBv+QqKIsDEa3LfKbh+CHiA6wcgc/9JkT3zD40dqqY8eBJi0
+XAt/ZRlQU51y2DNVxiGLF+39bLGGWV0kmo1KfQIDAQABMA0GCSqGSIb3DQEBBQUA
+A4IBAQBvwLWvNs2FhwNhjCA0A4r6hbKcdZDqmHT+EJpf1Os/f5A1fTah5u2UvNiQ
+jYkI7u5dds/pSRDQ+1itbq2ltHq59QolMDN80xbrqgW2SCYIzBqR5i+plIIlGaM+
+Cih9QUrbZO1qBSA9nvuqFOGdi4tca+rkkuogWWNsngEydS32EmcI/cTcrubMKnYT
+aW3+z46D42uZwljlhjnDDRbbvwpqd1h4NPbJcadelZnG3fsO0MCWi8LLp8Sepot7
+oDoseZ55JtYSjQuLFzfvgbvdkl/AQS1J+0Tjf2pq1zjIJmZ8qCuCP694z2BzRMTp
+y0vJrXoCFTpVaNZZJx+x8ZqKjp3J
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/keys/clientRootCSR.pem b/test/basicserver/testfiles/seclevel2-sha1/ca/keys/clientRootCSR.pem
new file mode 100644
index 00000000..e5bb872b
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/keys/clientRootCSR.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5c3RlbSBjbGllbnQgcm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcxnm27tjpmhPdI23hV
+VLerRKdYRutug9EaVwoegRzsnx/+6vBrnXQFbqenA2MR9yMhje+CJqZJcKoEyN6o
+hSuv2vpMUOxLquUjhzv184rxp8dVcz1E6zpnxo5vJw8NoxN65SEjMKxFcO8e/RwQ
+Pb8Yot1wEantMZKUu9qQ45lPCJH1VdPES09D6yMc62P7gOkybR4MZE7t2Wm9Bbx6
+H3Ag9OaSuYJOhf3614SvZQFmUlr07X/RFGsAixXi7CWqMjPKZDpG0PALVnKeKrfj
+5gftcEUVVh2jRtfwN7DcTQu1f0Cv3Ixvv7T0lOK1BXGt5S8/l1RLeCNkzzIDyyEM
+92UCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQB9d+4iZAtngEGpbtuHEhWssZKP
+fisCUA+XokqrQ5Bw8wpE/zh4WHBfKDE0mrXARiJABKJqTVUI/fI9cGVWvRj17yxv
+aIuZdYsZgAWhy6U2u0I8Kyul4URnDJq+JiqKOwYDjduZRi6axsjqVoWqeyRn0M1o
+05d5O+TzS6uH9JhdYzpBeQVRweH4Dq374ApJu55RW+RQ7CpFQpW1cCqm3nMybNoM
+uMMDTXeV09jh8DE63VE5GLi2N9/DaAD8VrrGuZWRFUhEvxHe8Qs8gCX7ep+9rUlS
++Vn0880ItjjBRQwDaSkJqQaGL0Wq4eBSTx9WcvIer9XFfwUYKOFVIPwQqDqn
+-----END CERTIFICATE REQUEST-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/keys/clientRootKey.pem b/test/basicserver/testfiles/seclevel2-sha1/ca/keys/clientRootKey.pem
new file mode 100644
index 00000000..0ccfd83c
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/keys/clientRootKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxzGebbu2OmaE90jbeFVUt6tEp1hG626D0RpXCh6BHOyfH/7q
+8GuddAVup6cDYxH3IyGN74ImpklwqgTI3qiFK6/a+kxQ7Euq5SOHO/XzivGnx1Vz
+PUTrOmfGjm8nDw2jE3rlISMwrEVw7x79HBA9vxii3XARqe0xkpS72pDjmU8IkfVV
+08RLT0PrIxzrY/uA6TJtHgxkTu3Zab0FvHofcCD05pK5gk6F/frXhK9lAWZSWvTt
+f9EUawCLFeLsJaoyM8pkOkbQ8AtWcp4qt+PmB+1wRRVWHaNG1/A3sNxNC7V/QK/c
+jG+/tPSU4rUFca3lLz+XVEt4I2TPMgPLIQz3ZQIDAQABAoIBAQC1TQJIGmw4J4uq
+j5PCqNgc/DPWpNCYBNTRg8npGe6mZvBGbP1lqm17Zl5bFfZNO9LXFPldH/cRrxJu
+jUBO+M+M/divrLqS+CQpvvadqrTqqBzvn2TuRUZcuIvOpHjGiMD/QAJA8QiiI+ow
+muIBov6wajoClrhdE9jk858vxmSB6gE4czdTrXvZQXC+9EyuaqrLQeTuJbz1JNGN
+jR61iSZWBfI6Ige+PSKpIQW/pU1+2QHyUNhTqN9V8Cxw0tVnOCZxNlWbXIaqsowa
+s4lzfYVvK1NsHitX3wIRJv3gPt3JYN8VIwpq86w1CDxvmEQUuj6VYGDj1n278z4h
+4CaZGNFBAoGBAP/b++wVZ1D0glBRhXghCMqGi/bzBySD+XDzd2DwVRM6jkX4Krof
+MPflg2AMGXOvYYEoDtNWPHYzLts45zpOY111DA4OKqLL1QgTOOtjjd4b/+AaQOKt
+m/Gvr9WFdqCjtO2rcv4546nB4M6bf6umHqoeKK947mi08jmW9VvZhaC5AoGBAMdN
+qIYmnR17s9He9/jgU9zfp+21fC9GSDI9MrdaGP9E4EAeg95Sn3ppplzVeIW+c2b/
+0MuhdbR2dn7JoXcJKlO2qcadvsRWURvR0ofWbjcKoKdAHlShsNIfT8cWfk7E1DL3
+04JTWFcLA7M5RkdT9y2/N4NNKAZ37ZWO10r5jz4NAoGAXWh8gmYV//IkGRqJ9Z9p
+zDZupst20hf0Ww4niRZ0mL6J7nV5c9WrVPVPjyMbr6ZZnIN5ViJnlGd/Nb2CfUDc
++eOfcQou+pwbvAT4hMclpe7m7XPoOFlVU1jmgrdk5aSeix5KrxGHUhRb9FHEvG+7
+RjQYemdV8pgMzoWUMeIp7NECgYB/39rN3/6UySbR9E6EF2KXZ8T2Jqh8KIrv+QYO
+UDeTqVx8p1eSkM6UGy9LhwfiQBUJM/+Cd6Du3ccfiD0aA/5tYdjCf7nDfWJjCBgd
+Yb6rgB0d0mzjfi7WUpK8OTlnTrCb1xiVGOaoSn/gQVJPN5dzeamjjCCvLcl5WQHX
+sBFxDQKBgAYnvJcaXYiyDW2fpdKodzf0AwPBaR2yUJsO2Zm2RpigrpAkpSo5lk5N
+GTWEbWUeENlgapQot5pxKbX07wSpifG3eAULusJuwd9+Ys04GZMYR9T+JXxjLQq7
+hxlWFoj/8o8zh5tGWocqvmTgIiFngwLpHRFStrAhmFSWtHlsgruV
+-----END RSA PRIVATE KEY-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/keys/serverRootCSR.pem b/test/basicserver/testfiles/seclevel2-sha1/ca/keys/serverRootCSR.pem
new file mode 100644
index 00000000..5b6688f4
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/keys/serverRootCSR.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5c3RlbSBzZXJ2ZXIgcm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmT9t4A51xpeJ3h6ddg
+l2wYFYSp2YdquKX85hipesYp0EIlrPHDdHXFjDS50ZhI62+2hxr/qCtSWwsAiNoK
+xSopXMVd6BO6eYPM0KqW4BMnqsKewv39uDiIHVQblB/3/4nd2Jx3sxGIdFivCDuo
+nqYm4BT5vEvHWG1Z+FtGqdPGZk4UG53Rx6ewHCYwpXUgCxJE814fruw+aWXPI0U3
+QYCgehOTP5+zcONaFP9aSVd5GXqCtF+MgZYSSK4exL33gKsaDXwhiTJ2IgOs4YpN
+HG4fu/ct4ppwArHvaHMuLKS6IgFjCHYCqMD/N2+ZpszPWzI5KGprfHZxl0uTLGTd
+HdsCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCflWlk+xCivLP+EK8oh0VCuTo2
+qLMuPOR8GU+gVUN1z68T4j/ZsI0NKox++9NOzGwTE/cSpN+nfLNdhPwOM+TrRtS/
+iDrTSDMSVK4SjIQ9iEaINbfOZOv52l9vkyCR/u0TrnnkjXknzU9ZQmnDvj2e8K/B
+lq7LjvxeMxvLeZKfISr5XGcnUvhGcJkG6Cdkk6OIYUL7oDmBjS3IBzNTVTVmMB/U
+fHMURt/+ljmYKwNN8J7bG8nsMc/UnqqSLqBpPovup/+Ol8pbAjPNaLrQTz5PrN/k
+0PwqzbSJ52HEQY+kwpWLpx47p8ArQhD+YTaCUxyqzBWAI573rMdiAh/ZKVVi
+-----END CERTIFICATE REQUEST-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/keys/serverRootKey.pem b/test/basicserver/testfiles/seclevel2-sha1/ca/keys/serverRootKey.pem
new file mode 100644
index 00000000..21dfb204
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/keys/serverRootKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyZP23gDnXGl4neHp12CXbBgVhKnZh2q4pfzmGKl6xinQQiWs
+8cN0dcWMNLnRmEjrb7aHGv+oK1JbCwCI2grFKilcxV3oE7p5g8zQqpbgEyeqwp7C
+/f24OIgdVBuUH/f/id3YnHezEYh0WK8IO6iepibgFPm8S8dYbVn4W0ap08ZmThQb
+ndHHp7AcJjCldSALEkTzXh+u7D5pZc8jRTdBgKB6E5M/n7Nw41oU/1pJV3kZeoK0
+X4yBlhJIrh7EvfeAqxoNfCGJMnYiA6zhik0cbh+79y3imnACse9ocy4spLoiAWMI
+dgKowP83b5mmzM9bMjkoamt8dnGXS5MsZN0d2wIDAQABAoIBAQCKVJ3+74PV6RM6
+1YORp9mB9m0d4ylCQryAPDLzDasRPjSKkCxEpKrQ/0YeEL6C0NewjAPfRT50rEmK
+HU3Mw8NWEZh2YOEYWMl25yDzUCJpQrluYWDSyECZmt71jw9xeNDGHZW+mm4qRAgD
+q+nsduSYhOkVu+O55Q0Lzcgfaziz+KNlZNFyjQpyrwCoj9lssL+ZYfhFZV2OnPof
+QLQpCEmrqzFaE9oFDjXxRkvmEBgtxPqSHNg2ZoFuVRAwcal8WHJbf7twCyQKB4i4
+UFV/SX70qw4pfX53rfUoxUNEJgnnJIpOV0q2N/FO3CPYMjvdSoqkhbaIa2D4c37h
+8aB0HCjxAoGBAPukpme3nRy7ybr5P8XomkIy+36sH8hLRoDZCNnz8UJa1OmrA8tG
+yKch9vlBMDXjzDQ0Uq8OFSjFN7uQF5zLx4UU2eL/ptEWEmDpPZui7YmI5Ep/ZK4k
+reK4op0tJ2fy7Fhq6IoBKvUVN3waWXzmObq77IKIQ5t1Z+MyfHEAtvKHAoGBAM0R
+aXluyt3+RwOE2RdlwgSDnHYNvKAUfmkOIVprFEb13LQABbna5BmNIa/rZ+RDtNza
+2/Tzqpmq8OVQkF9ATqjba+Y6GAoDwaAcvVwDrjoYtlI8zjnFEhhgVl455QlEZc5O
+qxOPYx4Kt60Cc6ee8L9gPvJUIAQLyyCjv1IWYQsNAoGBANWkPALiSGkUpXgwFIyZ
+ph192zb4OyN5hSnvGSyxhqqnIwwfPOFf/wqmM1/6kEuwUrYflfM5KY2rol2DQAjG
+mWXLBhFKqv3ol0Hfw4ZXFQQnTGpTLc8LJPXPe3+lzkbaXv3SBgrkYuwgTzL1y/PW
+Ijz/PxSzS3K4grLJMg1eZfQRAoGAOuatbPutuWW38ALQeC/6MmG7Jw17CF/aj0JH
+wjjPcjJcWjdHbcK5kb0/18+934qzAFy8oPb8IXdACh3B2hoWfdnIfDBjhzzc+KhI
+m41TFczTUXu1oFJCiE3jgN0QNEE5HLDr4opk5dQePctefN7iN5XlfqU7LO5WQeHG
+qkVTSmECgYB+pEKVBHyKyJtdnWhrVr8vhlJH7fh6VUkL4gnuoiFcfPn2gyw6UX7E
+9tls3aoxx47jvaJuoaNjiaT8ZZ4C0mx/L7XNHxiQHRb89nPC+WvapplDw+1XA0JK
+k/JenbDUXuEPrdoJh30lwwYqNBEJTstFbYILDhbaw4Ud6hRUrIfQOA==
+-----END RSA PRIVATE KEY-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/roots/clientCA.pem b/test/basicserver/testfiles/seclevel2-sha1/ca/roots/clientCA.pem
new file mode 100644
index 00000000..79df3946
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/roots/clientCA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbcCFDMFGbY+8snuTNZA311AVJo5GvwmMA0GCSqGSIb3DQEBBQUAMCQx
+IjAgBgNVBAMMGUJhY2t1cCBzeXN0ZW0gY2xpZW50IHJvb3QwHhcNMTkwNDI4MjA1
+NzM1WhcNMzgwMTE4MjA1NzM1WjAkMSIwIAYDVQQDDBlCYWNrdXAgc3lzdGVtIGNs
+aWVudCByb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxzGebbu2
+OmaE90jbeFVUt6tEp1hG626D0RpXCh6BHOyfH/7q8GuddAVup6cDYxH3IyGN74Im
+pklwqgTI3qiFK6/a+kxQ7Euq5SOHO/XzivGnx1VzPUTrOmfGjm8nDw2jE3rlISMw
+rEVw7x79HBA9vxii3XARqe0xkpS72pDjmU8IkfVV08RLT0PrIxzrY/uA6TJtHgxk
+Tu3Zab0FvHofcCD05pK5gk6F/frXhK9lAWZSWvTtf9EUawCLFeLsJaoyM8pkOkbQ
+8AtWcp4qt+PmB+1wRRVWHaNG1/A3sNxNC7V/QK/cjG+/tPSU4rUFca3lLz+XVEt4
+I2TPMgPLIQz3ZQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCUifYeul9/GHa2LV6/
+k9ZKOjcSmmDud8sTwfum3CuHLb9ODcKMaNz/vzPYeVyN7MZvXJIAqxaxrrToye46
+pDRQnguPNI5XU+Vb2l3Xvm7WBRGcxkAInkYBB7GwxmfffPS9/JrdPzxD6h3z8IOT
+jwzULNmNDse7Wf1hrgS1qKcCzJA1b1rLnZcrU+z3OUvLiR/8Bo/IuwXZVoNqDdq7
+NzrqYT4x0J4P5PuBQHPB/fHMFDc1HoCgLG9b42th71kDoxG7IH2r02FzVjF8qIvD
+eQes3VbI7BDT/f0L2r1FHcA7FVRUqTWnEWby/PjTZiRCSPKUG7RqAplrOKmk9JuN
+PkkW
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/roots/clientCA.srl b/test/basicserver/testfiles/seclevel2-sha1/ca/roots/clientCA.srl
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/roots/clientCA.srl
@@ -0,0 +1 @@
+01
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/roots/serverCA.pem b/test/basicserver/testfiles/seclevel2-sha1/ca/roots/serverCA.pem
new file mode 100644
index 00000000..31ae4ecd
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/roots/serverCA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbcCFGAQPLcwEruVZrE+h1tmI7s9CffgMA0GCSqGSIb3DQEBBQUAMCQx
+IjAgBgNVBAMMGUJhY2t1cCBzeXN0ZW0gc2VydmVyIHJvb3QwHhcNMTkwNDI4MjA1
+NzM1WhcNMzgwMTE4MjA1NzM1WjAkMSIwIAYDVQQDDBlCYWNrdXAgc3lzdGVtIHNl
+cnZlciByb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyZP23gDn
+XGl4neHp12CXbBgVhKnZh2q4pfzmGKl6xinQQiWs8cN0dcWMNLnRmEjrb7aHGv+o
+K1JbCwCI2grFKilcxV3oE7p5g8zQqpbgEyeqwp7C/f24OIgdVBuUH/f/id3YnHez
+EYh0WK8IO6iepibgFPm8S8dYbVn4W0ap08ZmThQbndHHp7AcJjCldSALEkTzXh+u
+7D5pZc8jRTdBgKB6E5M/n7Nw41oU/1pJV3kZeoK0X4yBlhJIrh7EvfeAqxoNfCGJ
+MnYiA6zhik0cbh+79y3imnACse9ocy4spLoiAWMIdgKowP83b5mmzM9bMjkoamt8
+dnGXS5MsZN0d2wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCHI5RDuqx9hu0anQRC
+dREc+3agRxq4C+Fo0mrsF1CWooO9lGyWvJqygiBGqOSjMi3D8AoyQXhxcvf1EniP
+CHCpqlP+h+6qILbtBizTTtHhceTpXiU5Se/yJvm9814jJrXVp10akShXzBlc4W/2
+O0NX6b1B0De2z+YJydB+meZws7wgGD3eZCBr2uF2seYTNitKmNfUfq9UXxxCKcMu
+eeRzWGM1UDFaRbN7FKNo6YpUE21olZEjxF8xOfyuWOYxv8qNTck89SurOwj4as/o
+CLJLVQ7i/keqt1XXXOSpp46CkRoEmmuxHuql44dToQOLZH1RcZLOMHSPO3OdNo5Z
+o2Do
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/roots/serverCA.srl b/test/basicserver/testfiles/seclevel2-sha1/ca/roots/serverCA.srl
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/roots/serverCA.srl
@@ -0,0 +1 @@
+01
diff --git a/test/basicserver/testfiles/seclevel2-sha1/ca/servers/localhost-cert.pem b/test/basicserver/testfiles/seclevel2-sha1/ca/servers/localhost-cert.pem
new file mode 100644
index 00000000..c3c6459b
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/ca/servers/localhost-cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrDCCAZQCAQEwDQYJKoZIhvcNAQEFBQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5
+c3RlbSBzZXJ2ZXIgcm9vdDAeFw0xOTA0MjgyMDU3MzhaFw0zMzAxMDQyMDU3Mzha
+MBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMszRTCOAQqXf7xrz7Hm/FPzWWA0Gep1e5xcAz7Mq/8qFAUM+/4BABT/
+WaPvAvYfPTdnT7sVTYMpcm4lztYnMvDbB/sZE7SVz0qov0POzN+lef5O8HxeisfW
+srgdntcYPOOH7mN5ZWGnDsqANTVj9w2kD/jM7cbryqiuCZ6HVKKsrBCtwxeBdahU
+h4dX7puZ2PhgT2mY4Z+p7P6a0D/A3um3LRI1ABGEiqlIzSaWGrD9CqhR/AqGNWRm
+v3+Z9Amf/VU+TfjZtEwNR8F9kHh9Idcqfyx+drQ+v/E/V6oCuIrnpEaJenZI+t41
+z51UiuDUhZLE8ybEAgATlM+JFymbnEECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
+dYM0WTSCb0AN6eGhlbyNsENnUwLYjDE7ojVD2pY0Ab4ik04DIfTm5piqEkz5HBaI
+1ZIEtYlImnvQ9cax1m+8LrVS2tflPpZ0CqWT+In7EncuI1lONZJfYELITDgU3LWx
+FEfNQJaOv0Uc8u8GG29d22a50/jTfZr20puM7mYQkLaUJLHgoTImYg6M8W3Ggkyt
+DO/yrtPUWm424wCYx+f3DgOrraFtiRLdqUpy5+bRqmzTuEFMAARqt4uudF6MR36n
+hBIXg1jYKGrZMLwi60vfdtwe+zpAV/7SRGLbekhB6iAcVIXuom2aD7rlIcJHW/wd
+hk9u7ie0JVDdu0R4I5Z9vw==
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha1/raidfile.conf b/test/basicserver/testfiles/seclevel2-sha1/raidfile.conf
new file mode 100644
index 00000000..6e235b24
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha1/raidfile.conf
@@ -0,0 +1,10 @@
+
+disc0
+{
+	SetNumber = 0
+	BlockSize = 1024
+	Dir0 = .
+	Dir1 = .
+	Dir2 = .
+}
+
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf b/test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf
new file mode 100644
index 00000000..671a13ac
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf
@@ -0,0 +1,196 @@
+
+StoreHostname = localhost
+AccountNumber = 0x1234567
+KeysFile = ./bbackupd/1234567-FileEncKeys.raw
+
+CertificateFile = ./bbackupd/1234567-cert.pem
+PrivateKeyFile = ./bbackupd/1234567-key.pem
+TrustedCAsFile = ./bbackupd/serverCA.pem
+SSLSecurityLevel = 2
+
+DataDirectory = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2
+
+
+# This script is run whenever bbackupd changes state or encounters a
+# problem which requires the system administrator to assist:
+#
+# 1) The store is full, and no more data can be uploaded.
+# 2) Some files or directories were not readable.
+# 3) A backup run starts or finishes.
+#
+# The default script emails the system administrator, except for backups
+# starting and stopping, where it does nothing.
+
+NotifyScript = ./bbackupd/NotifySysadmin.sh
+
+
+# The number of seconds between backup runs under normal conditions. To avoid 
+# cycles of load on the server, this time is randomly adjusted by a small 
+# percentage as the daemon runs.
+
+UpdateStoreInterval = 3600
+
+
+# The minimum age of a file, in seconds, that will be uploaded. Avoids 
+# repeated uploads of a file which is constantly being modified.
+
+MinimumFileAge = 21600
+
+
+# If a file is modified repeated, it won't be uploaded immediately in case 
+# it's modified again, due to the MinimumFileAge specified above. However, it 
+# should be uploaded eventually even if it is being modified repeatedly. This 
+# is how long we should wait, in seconds, after first noticing a change. 
+# (86400 seconds = 1 day)
+
+MaxUploadWait = 86400
+
+# If the connection is idle for some time (e.g. over 10 minutes or 600
+# seconds, not sure exactly how long) then the server will give up and
+# disconnect the client, resulting in Connection Protocol_Timeout errors
+# on the server and TLSReadFailed or TLSWriteFailed errors on the client.
+# Also, some firewalls and NAT gateways will kill idle connections after
+# similar lengths of time. 
+#
+# This can happen for example when most files are backed up already and
+# don't need to be sent to the store again, while scanning a large
+# directory, or while calculating diffs of a large file. To avoid this,
+# KeepAliveTime specifies that special keep-alive messages should be sent
+# when the connection is otherwise idle for a certain length of time,
+# specified here in seconds.
+#
+# The default is that these messages are never sent, equivalent to setting
+# this option to zero, but we recommend that all users enable this.
+
+KeepAliveTime = 120
+
+
+# Files above this size (in bytes) are tracked, and if they are renamed they will simply be
+# renamed on the server, rather than being uploaded again. (64k - 1)
+
+FileTrackingSizeThreshold = 65535
+
+
+# The daemon does "changes only" uploads for files above this size (in bytes).
+# Files less than it are uploaded whole without this extra processing.
+
+DiffingUploadSizeThreshold = 8192
+
+
+# The limit on how much time is spent diffing files, in seconds. Most files 
+# shouldn't take very long, but if you have really big files you can use this 
+# to limit the time spent diffing them.
+#
+# * Reduce if you are having problems with processor usage.
+#
+# * Increase if you have large files, and think the upload of changes is too 
+#   large and you want bbackupd to spend more time searching for unchanged
+#   blocks.
+
+MaximumDiffingTime = 120
+
+
+# Uncomment this line to see exactly what the daemon is going when it's connected to the server.
+
+# ExtendedLogging = yes
+
+
+# This specifies a program or script script which is run just before each 
+# sync, and ideally the full path to the interpreter. It will be run as the 
+# same user bbackupd is running as, usually root.
+#
+# The script must output (print) either "now" or a number to STDOUT (and a 
+# terminating newline, no quotes).
+#
+# If the result was "now", then the sync will happen. If it's a number, then 
+# no backup will happen for that number of seconds (bbackupd will pause) and 
+# then the script will be run again.
+#
+# Use this to temporarily stop bbackupd from syncronising or connecting to the 
+# store. For example, you could use this on a laptop to only backup when on a 
+# specific network, or when it has a working Internet connection.
+
+# SyncAllowScript = /path/to/intepreter/or/exe script-name parameters etc
+
+
+# Where the command socket is created in the filesystem.
+
+CommandSocket = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2/bbackupd.sock
+
+# Uncomment the StoreObjectInfoFile to enable the experimental archiving
+# of the daemon's state (including client store marker and configuration)
+# between backup runs. This saves time and increases efficiency when
+# bbackupd is frequently stopped and started, since it removes the need
+# to rescan all directories on the remote server. However, it is new and
+# not yet heavily tested, so use with caution.
+
+# StoreObjectInfoFile = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2/bbackupd.state
+
+Server
+{
+	PidFile = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2/bbackupd.pid
+}
+
+
+# BackupLocations specifies which locations on disc should be backed up. Each
+# directory is in the format
+# 
+# 	name
+# 	{
+# 		Path = /path/of/directory
+# 		(optional exclude directives)
+# 	}
+# 
+# 'name' is derived from the Path by the config script, but should merely be
+# unique.
+# 
+# The exclude directives are of the form
+# 
+# 	[Exclude|AlwaysInclude][File|Dir][|sRegex] = regex or full pathname
+# 
+# (The regex suffix is shown as 'sRegex' to make File or Dir plural)
+#
+# For example:
+# 
+# 	ExcludeDir = /home/guest-user
+# 	ExcludeFilesRegex = .(mp3|MP3)$
+# 	AlwaysIncludeFile = /home/username/veryimportant.mp3
+# 
+# This excludes the directory /home/guest-user from the backup along with all mp3
+# files, except one MP3 file in particular.
+# 
+# In general, Exclude excludes a file or directory, unless the directory is
+# explicitly mentioned in a AlwaysInclude directive. However, Box Backup
+# does NOT scan inside excluded directories and will never back up an
+# AlwaysIncluded file or directory inside an excluded directory or any
+# subdirectory thereof.
+#
+# To back up a directory inside an excluded directory, use a configuration
+# like this, to ensure that each directory in the path to the important
+# files is included, but none of their contents will be backed up except
+# the directories further down that path to the important one.
+#
+# ExcludeDirsRegex = ^/home/user/bigfiles/
+# ExcludeFilesRegex = ^/home/user/bigfiles/
+# AlwaysIncludeDir = /home/user/bigfiles/path
+# AlwaysIncludeDir = /home/user/bigfiles/path/to
+# AlwaysIncludeDir = /home/user/bigfiles/path/important
+# AlwaysIncludeDir = /home/user/bigfiles/path/important/files
+# AlwaysIncludeDirsRegex = ^/home/user/bigfiles/path/important/files/
+# AlwaysIncludeFilesRegex = ^/home/user/bigfiles/path/important/files/
+# 
+# If a directive ends in Regex, then it is a regular expression rather than a 
+# explicit full pathname. See
+# 
+# 	man 7 re_format
+# 
+# for the regex syntax on your platform.
+
+BackupLocations
+{
+	home-chris-boxbackup-test-basicserver-testfiles-seclevel2
+	{
+		Path = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2
+	}
+}
+
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbackupd/1234567-csr.pem b/test/basicserver/testfiles/seclevel2-sha256/bbackupd/1234567-csr.pem
new file mode 100644
index 00000000..4f228021
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbackupd/1234567-csr.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICXjCCAUYCAQAwGTEXMBUGA1UEAwwOQkFDS1VQLTEyMzQ1NjcwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeKRy4ppAb1cByCRkt2f1j+6iv7AWdF92p
+nPlzXPbLhP/edfuyVPFyBY46p+z6j4p9TrccMjUi4RPMx6dqyL2/o3Qzg3PhoHPq
+2fexEkrBSJ1bbL6hXjadzE53wiONj/8nSzFyzqR3/IhKNM0ssR10cqq64VgoiWOR
+GHYTTEbQy1k9WvoReC+diTEqIDBLif1EQJ+c/3iUopqtaVZWNS1LV5DX/u2Y1anX
+gO1s8jQaYlTtyNZyOi9lwXYXj4mH0mil2Hfh3IKD6GqB4HpFDUZ0/NHFRDvjdwfW
+4RTad55l8dWparOyie/QzFRj6Ua1746FsbUw2pERdmHAMshLpxkNAgMBAAGgADAN
+BgkqhkiG9w0BAQsFAAOCAQEAuW/o02Ga2yICJSJIrq44T+dIddakxhUPfIvAEWXs
+7Cap9qzmBNOAfzFqvbdVgsqC9/WCnpumf9ZpjkXvUy/6EB77HbtiJAXukT2DvFbo
+7mvbuh10YGv/AdZxLR2tMXmk9YqV6kgXdXFn18u8Vv35aYa4hru5q16m9QVhkeW+
+UAJCsjhYVISVWW5Pss5mgL058viMHt3T5X3+2ybMdsfLe5BfRbsPxnFClKfBg6QS
+3yH5JxQdfJlg64z4uQNHNbsWJ5mRBPEYawZ2ge+HmWb6xnuGLR3Dg5ZbbB0hvAO6
+kw7sZ1at9bX+MWz7rTvgKyxFXcGVXZ40/UQlgfzMiLEAHg==
+-----END CERTIFICATE REQUEST-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbackupd/1234567-key.pem b/test/basicserver/testfiles/seclevel2-sha256/bbackupd/1234567-key.pem
new file mode 100644
index 00000000..e5b132b6
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbackupd/1234567-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA3ikcuKaQG9XAcgkZLdn9Y/uor+wFnRfdqZz5c1z2y4T/3nX7
+slTxcgWOOqfs+o+KfU63HDI1IuETzMenasi9v6N0M4Nz4aBz6tn3sRJKwUidW2y+
+oV42ncxOd8IjjY//J0sxcs6kd/yISjTNLLEddHKquuFYKIljkRh2E0xG0MtZPVr6
+EXgvnYkxKiAwS4n9RECfnP94lKKarWlWVjUtS1eQ1/7tmNWp14DtbPI0GmJU7cjW
+cjovZcF2F4+Jh9Jopdh34dyCg+hqgeB6RQ1GdPzRxUQ743cH1uEU2neeZfHVqWqz
+sonv0MxUY+lGte+OhbG1MNqREXZhwDLIS6cZDQIDAQABAoIBAF1cH5LFhGf+ItqJ
+Ukh/hEnBFzme0RkcT22Y5weA+MG8SZ6eLEDcC38kMIobya3eJo/URYUW4FehCKYU
+/RkV9Q+UzB9dzZPyzuPR55JFIp8pOd+SymWb5w3XLt6K+k/iRJKpucUKa/l0aX3t
+xI9UexFVosPYMSkP24S9J9miQ1w4X8D1laJPi5KWrbdzDZxy5geoNmS0veQl6mRf
+91Owxsa15wQpxNoVesAiGbrHb5ljMsBovYgljRL6rqA9THXPXfcDkWkabfGai/kD
+AktxqPGUELxjD7gSO5G4ygCcGTeIEJbOfwgDtr59V518kVzwVNAxOKb7lfDM/l4D
+v0H3liECgYEA+nh1RjwOm2db+yW0hQ2DTCA84by2AyKP7nCwD7CjrGaXrm7zfQ+U
+VqSgpDg+xH9/Caa9P1n6zSZSEiXrCePQL6UsREj8sd+st7Uah9eQOc3vywxizGN6
+VMqqmctn+gKKxkmv8T6YtWblDDqOA/7yYlCaH0l7WUO+HKAl7MhaGgUCgYEA4xCo
+2bGwbaT7lLdFtOU2+erM2lbA4NzBkR7Mjpq16JiPPFdSF680XBRL0uNR0r2GFucM
+gG8Z+ktV1QosY22546Z3fl7+jcyZC4uramDicpAxnmEGIdPnqIkEPhZzKvV0uRGj
+tXs2qnJ9ztK7hf+PRwdQEvqCNLkoy+pQPG/bSWkCgYAvH36g6ietYTLS+3MNHU+4
+gNAzgDeWO2hs6dKWARuqEdszvDgfLVExQ+PdQZ+9hGc4P6CXTKx88Fq8g1nHEI9Y
+h3DeoAS6ymRKY85MBGhkF7SntPrZjVW0ojSansQ/Kz9EsxRhBO/iISuys0mIwuyD
+RrrYbBDC6JXZ+N9pvwAEqQKBgQCI4DgI0pY54iRN55S7kRjs2l+Wlok6g5ijtF82
+74gMqDpf83tnD5SOlSWIAMQIN3snPyxIF7EfMl6RR8quPSy7UFPj97uXGuh/DzjL
+rY+T49wlTvN1XNnevIm0K7BNCx3LmhiHg7jWUqIIFPw5sG5cMMpSRnRK9/rhwWOQ
+qxUTUQKBgQDYUi6255mUI23dYxCyY7P6rIcGiKqhiAJ5HbGShMFhpA94WS3m6YmJ
+sQTip0kykY168klOcRqt8y3RLS5UB1aYBMYvtFuk5wbUcuXFeGcIsuUIZeR3iueg
+G0MEhf9hgmBK/xkpfoiLJ+E0hFHqER57N6KCuEK0NWC1Vgqo8X79MQ==
+-----END RSA PRIVATE KEY-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh b/test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh
new file mode 100755
index 00000000..48e8cf8e
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# This script is run whenever bbackupd changes state or encounters a
+# problem which requires the system administrator to assist:
+#
+# 1) The store is full, and no more data can be uploaded.
+# 2) Some files or directories were not readable.
+# 3) A backup run starts or finishes.
+#
+# The default script emails the system administrator, except for backups
+# starting and stopping, where it does nothing.
+
+SUBJECT="BACKUP PROBLEM on host debian-unstable"
+SENDTO="chris"
+
+if [ "$1" = "" ]; then
+	echo "Usage: $0 <store-full|read-error|backup-ok|backup-error|backup-start|backup-finish>" >&2
+	exit 2
+elif [ "$1" = store-full ]; then
+	sendmail: $SENDTO <<EOM
+Subject: $SUBJECT (store full)
+To: $SENDTO
+
+
+The store account for debian-unstable is full.
+
+=============================
+FILES ARE NOT BEING BACKED UP
+=============================
+
+Please adjust the limits on account 1234567 on server localhost.
+
+EOM
+elif [ "$1" = read-error ]; then
+sendmail: $SENDTO <<EOM
+Subject: $SUBJECT (read errors)
+To: $SENDTO
+
+
+Errors occured reading some files or directories for backup on debian-unstable.
+
+===================================
+THESE FILES ARE NOT BEING BACKED UP
+===================================
+
+Check the logs on debian-unstable for the files and directories which caused
+these errors, and take appropriate action.
+
+Other files are being backed up.
+
+EOM
+elif [ "$1" = backup-start -o "$1" = backup-finish -o "$1" = backup-ok ]; then
+	# do nothing by default
+	true
+else
+sendmail: $SENDTO <<EOM
+Subject: $SUBJECT (unknown)
+To: $SENDTO
+
+
+The backup daemon on debian-unstable reported an unknown error ($1).
+
+==========================
+FILES MAY NOT BE BACKED UP
+==========================
+
+Please check the logs on debian-unstable.
+
+EOM
+fi
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbstored.conf b/test/basicserver/testfiles/seclevel2-sha256/bbstored.conf
new file mode 100644
index 00000000..25425dfa
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbstored.conf
@@ -0,0 +1,23 @@
+
+RaidFileConf = ./raidfile.conf
+AccountDatabase = ./bbstored/accounts.txt
+
+# Uncomment this line to see exactly what commands are being received from clients.
+# ExtendedLogging = yes
+
+# scan all accounts for files which need deleting every 15 minutes.
+
+TimeBetweenHousekeeping = 900
+
+Server
+{
+	PidFile = /var/run/bbstored.pid
+	User = chris
+	ListenAddresses = inet:localhost
+	CertificateFile = ./bbstored/localhost-cert.pem
+	PrivateKeyFile = ./bbstored/localhost-key.pem
+	TrustedCAsFile = ./bbstored/clientCA.pem
+	SSLSecurityLevel = 2
+}
+
+
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbstored/localhost-csr.pem b/test/basicserver/testfiles/seclevel2-sha256/bbstored/localhost-csr.pem
new file mode 100644
index 00000000..b3ff3f1f
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbstored/localhost-csr.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICWTCCAUECAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA9Uk3V+oultps1qwaJwo+w332tal2trjr5LCXoTuX
+UrO4+xJIBYKC2D7a+Nl2VUZw+Kr6UEI/wc7ROwM84s9l1jCZ5iXVrz/8XHYJvJXw
+uw3IDQESFbxZsrNg0FC8U7GEtVlCRnVr6B2RkciPkDXK3TVqdf43fv4rripPSE/d
+4hbAq/uPd5LZNUQdy6yFsMywG4cSqiaHw3hg4aLgF6EKXj29s8IFTiNhM1h8XrCB
+i0MfyCIq2jHVM1/ZRL10HA6cMvu/2E+ofrLETl6FlTzyC4WFQBqv0onFmKFIM5bt
+AVIok/NIWX5vpk1rqGnSOuW/6lhUO4yczExZadgDwx7YiwIDAQABoAAwDQYJKoZI
+hvcNAQEFBQADggEBAJVk9eAleSiTsV3Pdq3L01WEyndnmpbU1FcExJWg5xb95xbX
+Ojxi6g/NhBodAWl6GHJEUTQ+eJHrZ/hTLD6ZHeX9CGxmxOIvpKJCoOiQU7zamLaq
+K6aP8BoG21h2MccnbKlrSFF/c89SzH78r2fgWpUqFUCxobemKfvUbdHSaNlOWxh9
+yO3q1P/ZK0wl/V0CG9kdkUfpl9OLATilBiJayrpX92Ef/U6JkX3ZFEG9vTGBSXXU
+5QQM7BrPDgMsaTNDv9N1oPCVrUKfQ7Ts2pTEKU/oMA8fYZKX2GFZ/LDXj4C7clQ4
+LJakbh26NhrohTjecHvJCxIDAk2xLipwmXLmVoU=
+-----END CERTIFICATE REQUEST-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbstored/localhost-key.pem b/test/basicserver/testfiles/seclevel2-sha256/bbstored/localhost-key.pem
new file mode 100644
index 00000000..c6acc692
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbstored/localhost-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA9Uk3V+oultps1qwaJwo+w332tal2trjr5LCXoTuXUrO4+xJI
+BYKC2D7a+Nl2VUZw+Kr6UEI/wc7ROwM84s9l1jCZ5iXVrz/8XHYJvJXwuw3IDQES
+FbxZsrNg0FC8U7GEtVlCRnVr6B2RkciPkDXK3TVqdf43fv4rripPSE/d4hbAq/uP
+d5LZNUQdy6yFsMywG4cSqiaHw3hg4aLgF6EKXj29s8IFTiNhM1h8XrCBi0MfyCIq
+2jHVM1/ZRL10HA6cMvu/2E+ofrLETl6FlTzyC4WFQBqv0onFmKFIM5btAVIok/NI
+WX5vpk1rqGnSOuW/6lhUO4yczExZadgDwx7YiwIDAQABAoIBAGc/FF6bIlU5R8rs
+0m1QcK7VHL3GwUOUfybZ9llVvhJ/uANm5I39K5peislor9ihN/hT791MpY2swoF2
+kXBfIFySRJWNo26LHmzE+sA41QXHfUeMBdLEX3VK8Bt/gGYyOMwk8DK8RlmD6LxW
+kaeAHQ4T5+YWxcFct4IuKQUlKR565lHr6LRDaYmlDHzjksi/fx0ceMlD/RBje7YD
+HXPDdetNkSBvpHEcH2lINnrY0kBb5HQv57ipOdA8MfQ+Xf06SjqjhA6ZUOdsMjsn
+QVleXQsT1HQ5Ji///JbqVL5j68qkjza2HroyXgOgQdu+fuksHTXvMjvAnW7/z3u2
+SpUd6WECgYEA/aBM7DKWeQdzlRCfosgv6SZ+ME0Lt5oBaHbbUYizi8DuylB196MJ
+xnP1QLa7MAYna6ASxDXIClqxG4x+d4lHpErmbYR4F0pa8/9teSbtUw3OXGe9ahZy
+HcpK3LSVV5ns8CjRsclNX86cn/Gxubw48gxjcjIA4qKUJv9KxCSAdoMCgYEA95Tu
+qhkXDGhBSSTqs51K8mHbTS4CrpCK6+5J++NP7AT4t2IHIaaQ7DtttAI9xFvwxD9U
+zFP2/lZVq1KSFATAoDhItUoC0SMlaFcrIxsIyq/UOqTTluf3in29rFHq3UN1rz9M
+X90Tfl5EhUvruVJOiJ5iYt97DJeVgOlWkU7qt1kCgYACEwWOCPviEYWIepJTqn95
+0K7HhlnKLqBEUnSIvi15vyI01WOhmtvBm8EtvlDZm7NG1hBROn9gVk2MhCGkqKLF
+XTd1PdgdmKYVyMkEbKUUQNCnQNHzxCs6wyTJmVB/XurpK+xLH/JaDj6JsFhbxIZS
+tHc7v9zx/ZJonz3lTMcgMQKBgG+WPqOHv22mJ5ax/t6JjFgGZvM4Q5kuKI8BzXKs
+Fz+HVhpBInm2Oydd+aniQLiZv8CT0sJtLaugeehHxPMk2TTdaVfcTby5HIkUkKq3
+6pR//yWXWI5xao6O8cgS+8pSN16PJvsmBz0ze6qgd1QFlsPYrvtlQm6Ae6+oe43u
+hbexAoGBAIKGmPAoQsBPEWkSs3nWyAPDHQ45NBoB23G0j01amf11Y/sQWhH+Mqfp
+mcU40xr/XwMlTVgALfW1Q048ftJ4D2oYPsUEG3Yiayqe8epl6V55QjGMpdEe/+mQ
+5VpndGimuUwxr9cyNShn6dngEg6D0hXfNqu4NFmt/2PH3x0D8eer
+-----END RSA PRIVATE KEY-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/clients/1234567-cert.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/clients/1234567-cert.pem
new file mode 100644
index 00000000..e1cb932c
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/clients/1234567-cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsTCCAZkCAQEwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5
+c3RlbSBjbGllbnQgcm9vdDAeFw0xOTA0MjgyMDUxNTlaFw0zMzAxMDQyMDUxNTla
+MBkxFzAVBgNVBAMMDkJBQ0tVUC0xMjM0NTY3MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA3ikcuKaQG9XAcgkZLdn9Y/uor+wFnRfdqZz5c1z2y4T/3nX7
+slTxcgWOOqfs+o+KfU63HDI1IuETzMenasi9v6N0M4Nz4aBz6tn3sRJKwUidW2y+
+oV42ncxOd8IjjY//J0sxcs6kd/yISjTNLLEddHKquuFYKIljkRh2E0xG0MtZPVr6
+EXgvnYkxKiAwS4n9RECfnP94lKKarWlWVjUtS1eQ1/7tmNWp14DtbPI0GmJU7cjW
+cjovZcF2F4+Jh9Jopdh34dyCg+hqgeB6RQ1GdPzRxUQ743cH1uEU2neeZfHVqWqz
+sonv0MxUY+lGte+OhbG1MNqREXZhwDLIS6cZDQIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQAEpEobzo6qm+GJw3Jgi7Gc/XBVBbib5Tp7fH0oyyzX7sSnbUWNUYNHLjMH
+CFFmeNsj2/x4P7JFK2shVy7lRnBt6RUi5zLtQyjhEF8OqV1rxb74hQHl4+7CiRUP
+Q1SRTJpdbdDwwAzd5UyDTAX3Glg73krDEHY+k0UCr0kczqcffVzgNmCklMzrCzZk
+Nz9KkUF+cMkFDz/5BRBj6I4M9b5ebkVYM32Gz0mAh/G/DcL5KGzWPL9KJ31pgkAP
+P8yrvZe2HwscKTJKnAK78M+75zzNv3539/V3y55lNNiyKF2q9Up4k3BE5PY9LDFJ
+fVZvMdAltZlFV1tlZksrsRoq3jsc
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/keys/clientRootCSR.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/keys/clientRootCSR.pem
new file mode 100644
index 00000000..c4d2be66
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/keys/clientRootCSR.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5c3RlbSBjbGllbnQgcm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKWLP1hzvhUgHs8gp6+w
+v3aIbsEHXjWOKfTpB4u+eubM4oA9XtXT0NiCLZQPy2BAtIOkazJ6sae6w2Qq2naj
+MDyTBclAgok3TLVI6whMkgxdB878uaKQb3sk7xg6yNI6iI7S70cTRM9JKF8ZPBMZ
+6ftPgoPooe1ka2kFTjhNgE6jO/DjAyWGpf7Q4cb2ELBdgrU+ehbz4Zz0hHZ0Ts5p
+KO8SxEkBX4FRP4sUkbuDM92UNcxyBxlrLg21ktDlIciftef9J94qQyx5HnotMWWp
+rj4Zi2mA8/i14op90CXPq/figj8zYkPyyx9KytKDSKcGgByxjNMBWzIAZ17doRgq
+1KkCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBVUqpA7BizyLkDut8sLYI4qyJA
+8Os+6IiSDyjyjf3C/hTbrbA31mtF0g3gbZFXnehVhop04zQYy3071OBYzuMx+/2F
+olylk7HWrScaKE0MDSSamfVTlSGiO2P+zPg32WKoZsOPPjSyrGF/l+A4TlTQJmFK
+SgapRRQVm3VDlkWO77c4EjpqoREPeSHVt+0m2490BY7aUT+kRlXl2nViSV52SS5j
+EDnb4N/9t60NRS2zaLtAr0DcRWemR+PzVKqKdNyhXdCeieQ9xzGGHK1vXpW/6kCo
+OHi/Xt4MHkt3hHxQQKOrK5dcsoqP9WxlnwOuuy9m9mVH4HUhi+S0KFtOytoX
+-----END CERTIFICATE REQUEST-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/keys/clientRootKey.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/keys/clientRootKey.pem
new file mode 100644
index 00000000..c81b607b
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/keys/clientRootKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEApYs/WHO+FSAezyCnr7C/dohuwQdeNY4p9OkHi7565szigD1e
+1dPQ2IItlA/LYEC0g6RrMnqxp7rDZCradqMwPJMFyUCCiTdMtUjrCEySDF0Hzvy5
+opBveyTvGDrI0jqIjtLvRxNEz0koXxk8Exnp+0+Cg+ih7WRraQVOOE2ATqM78OMD
+JYal/tDhxvYQsF2CtT56FvPhnPSEdnROzmko7xLESQFfgVE/ixSRu4Mz3ZQ1zHIH
+GWsuDbWS0OUhyJ+15/0n3ipDLHkeei0xZamuPhmLaYDz+LXiin3QJc+r9+KCPzNi
+Q/LLH0rK0oNIpwaAHLGM0wFbMgBnXt2hGCrUqQIDAQABAoIBAFOJ4X2RaureOq3r
+nLNcTkJStxFR1ojQJPwiXFx40yyFWAe+8IyXR1z61GVTUx5PiMilwDLJF7280b1K
+otQbpcvrpY/ZrgXwkhUppvGZMlpq1/XsMwGGQbuy97USdSUhxKfOalFDuAWitWzI
+HzjEav8XMJXAX3acpldpBgADnCwSA5izEfwt2oGNtcYTHjxG4tR96UvgAxbVbxrU
+jg6zd0/Q7eI4MGYc5l2mGFcbAUbeqCOQmTB8eQY9cdXCotXgQSa2EKEt1aG7dEbA
+omwwm8+hGYIX4i/E3crFHO5qlbQqtqktvic1Axj3I4NEy+a4Gpja3y6k8gY4TWbS
+4+0BZMECgYEA2o6mRCyDNI13VhRdlAO6VDSAdf//8EMeMrANvAGl70de0Ri10ZL6
+GdJLx31le94tVa5Dy+Qi9d9eYci9qIjMK1kUrLcVgvF63tbbOSpz37gESJe+wJYc
+xEW2eGRTUwHoYVqRjEi36kAKeWL4mxXeqzJE/ZUQZt2felr4dBJPyBsCgYEAweeS
+vV5TJsPlEazUZcRA2dMY8JG9tD1JFVVrlSC4xnLBOEXsC4dw74RsOhoMr69lBn6X
+xwcKtzsrx/s9NHI1s2AJXlz310Uj+gRB6/6foyyQDOtijfweZpm3zUNY5OwQ1VBZ
+M9J1YVI6xaa3BehQ0PHvx4U/WM9oFMc0upXaaosCgYEAmfo+MXGazn+MP90BQLKP
+p5uFlZzSWBcxQ0y9oGMY4MdLicz667e89Ewwj09NHEOfdOndYdxMtSS1ffbLh904
+2qFb64LhaOtwQWbl9BRwpoEio3IlNdGMWssyjwc/nQ+PBGeme0sQJ70OpA6ST9DM
+m5hC+tT2RUKGhNFqkXwFMVkCgYBY3Jlg82ND9q55xSypXqEhsh5R0ViQyy08+6KL
++yzytRBbi5+7QNy+x38ZuWpq8QRpT4abDV0Zz6Imybqo2FZH2BEzD4P9QZBVObJE
+RrI+A2QYp57I1uvPtU6IYP7SGmU0fNgEacSlTxvkDJz/thGjT9zFIQmA17wpGYnO
+oHIyNQKBgEbA0apflhYExq2OZP3mjUM7Baf8MhGylUFnND68YKEr2aR5ihYuWxME
+yLSGIDORaVQBiVklze9MXPvJv6WF0nE3VrR5j0AsSoAF0MZBcCJcn5bod0pFRZXG
+PkxibqTmzJXJjGRuAKxbNR2+WFxKqc2hsev3hwOSXKYH4DbdCxQg
+-----END RSA PRIVATE KEY-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/keys/serverRootCSR.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/keys/serverRootCSR.pem
new file mode 100644
index 00000000..b204952d
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/keys/serverRootCSR.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5c3RlbSBzZXJ2ZXIgcm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMqKzGuRMYTGC4GtM4Y
+sa/EcpfgdRDt1V54c7Qjarfz/6Uvb7dn+21IDgnSMImnBzKuE11KBS2WAPPSxyF9
+Z+rNlry38pAVprnVv40dAUaohShxrkzgIYlZ866RonFYQ9mujMdynzGHB0jKH66T
+/enqFhEYzOuBcHyb7obgX+HmT95yAVhm6TvMuF8FR5CvrSqdnj141qJWdRmNeXH/
+Eonz1mcFizHRuFZ0ymxjoegwxQkeSnoYyH2vUh3RkQ/iNZPhu9DdDjgZ6Z0m8mUc
+xMGqtwTqiYS8KEcAHvcEPoS44BO1aGTnJEwhABTLuEkTPCXl1HkRoq50ts+Cr9w6
+vu8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAhVOO7/mqt2AWFaOlMrXICPm5n
+judbMjQhOzaTmYr+Tb2lDlsQyiSm/EONpjC1F8PP6ig3oK8dzmIn9/qLOau6xM2Y
+JiaTTJXRX+/JC/AaZvvaiA0etc2JwAcfBijAudEKivA/qKh01SvCgB+IEx5rlR6S
+TPjLRO4ygig3qGHeHUsiPBzR4PZA669Is3/P4W8pIlDbCQHI91brQV4TlHJET2V5
++y4et7ZduWvS6yEn29aiPq5UT36kWtJ9rhBFIiu2oUNnDiL7YUDIbdsl0I9LDPjw
+equwfb+dwjjO/bFQKB1RX4j5jUXj25bpe9FdB6iy36+3tLd1a0Oh4j6SEn2n
+-----END CERTIFICATE REQUEST-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/keys/serverRootKey.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/keys/serverRootKey.pem
new file mode 100644
index 00000000..7eb1ac20
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/keys/serverRootKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0yorMa5ExhMYLga0zhixr8Ryl+B1EO3VXnhztCNqt/P/pS9v
+t2f7bUgOCdIwiacHMq4TXUoFLZYA89LHIX1n6s2WvLfykBWmudW/jR0BRqiFKHGu
+TOAhiVnzrpGicVhD2a6Mx3KfMYcHSMofrpP96eoWERjM64FwfJvuhuBf4eZP3nIB
+WGbpO8y4XwVHkK+tKp2ePXjWolZ1GY15cf8SifPWZwWLMdG4VnTKbGOh6DDFCR5K
+ehjIfa9SHdGRD+I1k+G70N0OOBnpnSbyZRzEwaq3BOqJhLwoRwAe9wQ+hLjgE7Vo
+ZOckTCEAFMu4SRM8JeXUeRGirnS2z4Kv3Dq+7wIDAQABAoIBADUc0ih40MuRWe+Z
+uDhudaLkIn6Y8lkDuTs9yLxyfBEwygheWhcjjFX8XauStqqo3GKe7jf0ukCxDiRF
+y9hclpq0g0mMavJav8jWPovb08pV8Mgvb8veRBEsEuLBtr4TmV1TTg2MgwYOFIL2
+c+mRR7hiLJK4TjKeKBDvl5tNLFDBC/2clHXnLCRb8rOKqwmseoPavi992QZ7+Yyq
+n0Dx5DOpr1cOcJEr4va8Sornd3LjLuNMjm7XzgIryR5pvLM0ns8Fy2ihyKl7Hd3s
+ek9c5fh0jbhz6s28K8laWm9bhozdMQ12y1U5z0PJV+VOwTX/M9UCK1+CpvmjTim5
+NeD93QECgYEA924yXRdUXpOlxJifJ49n88gytHOVcgitrdlZNCAE7aKdYcQW7VSY
+7IjUyXH/Mi2zlWKpXYGllOoDW71PhLiMuEtaNfLdToXgHEMGvj+vGw9ZRqs6HY2w
+wGyOrxg5VcSOfSpAom4gCGRqxWhHtY/rzFOy7oZePJuRbjcqrAeGQmECgYEA2npt
+dGHwp20S5tyd7n1H6Fe2m1t/vjxGsGFfwbFggGIu9lVQxgAQiimzHgBDOjSzs163
+PmuWWUDmHllB9AmJw4wrbAyiHNOmdi4rgY0ez5G6Q9sviFQeFJZzHhe6G1+CcafL
++oSU+Ej7zznMpyU85vcxFz70JvRZ4BeD0PtZI08CgYEAsXEGjzoG2Fh8PdPR91Xh
+j7NXoY9ucjwFCbLgRQBdaGoBAbbVVlgf3yl1qA2nnL2nlw8NNLCgJX348JZ/60dK
+K3Rmel/0E7bwdHQg5tjW48oLFSIAaGdPhX+Uh78QhxCRuvNNLO9a64nQBEf3fR58
+VKkFngcgl8hc8DSB1qMCxqECgYAOZ54J219DmrRxVkBvdgEkt4vJqHm+sDi07mai
+3bAQJukTwsJFm8F7ao5tvvSvxMPIYslQK0XJcrb5b0ci8PINW5ONVzPlFKtYBWlG
+7GgIpYITcUMsCOfG0bibVlMl9OEj3z1ash0kVaOMoTH2H0VpsQiikLsGSnwWg1Zk
+k/3njwKBgD6Nu6kj4BSWGZacLtePJQzxlsnYiDm9SSmrtqJ1lnpbqo4/Zp5bCHS9
+qMOUv+Hcwpsb3IYI8np1ekZfKi7xFXcRjxKRYnDURQgQKwPeHZ06ht7X0DdTXuiY
+K97byeb9hks3QNE1k1EuXue7IXS657Fq5IZrN+NQ6vkqq/X7e91X
+-----END RSA PRIVATE KEY-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/roots/clientCA.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/roots/clientCA.pem
new file mode 100644
index 00000000..a9302167
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/roots/clientCA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbcCFAiy3jWfhXnxRqZJCbjzFQzsU3p/MA0GCSqGSIb3DQEBCwUAMCQx
+IjAgBgNVBAMMGUJhY2t1cCBzeXN0ZW0gY2xpZW50IHJvb3QwHhcNMTkwNDI4MjA1
+MTU1WhcNMzgwMTE4MjA1MTU1WjAkMSIwIAYDVQQDDBlCYWNrdXAgc3lzdGVtIGNs
+aWVudCByb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApYs/WHO+
+FSAezyCnr7C/dohuwQdeNY4p9OkHi7565szigD1e1dPQ2IItlA/LYEC0g6RrMnqx
+p7rDZCradqMwPJMFyUCCiTdMtUjrCEySDF0Hzvy5opBveyTvGDrI0jqIjtLvRxNE
+z0koXxk8Exnp+0+Cg+ih7WRraQVOOE2ATqM78OMDJYal/tDhxvYQsF2CtT56FvPh
+nPSEdnROzmko7xLESQFfgVE/ixSRu4Mz3ZQ1zHIHGWsuDbWS0OUhyJ+15/0n3ipD
+LHkeei0xZamuPhmLaYDz+LXiin3QJc+r9+KCPzNiQ/LLH0rK0oNIpwaAHLGM0wFb
+MgBnXt2hGCrUqQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAvHW8APi1lhEguSXDc
+X/k5ETL1YJzlEfIn4HKL7kcKo5IOdyHaIigGCWM7atwKeGBtTRl8CTY4wt1L7d+A
+LDzF07MlKL/KiX1yPw9ZzHBhKNLYgmKsRL5cgW/YLYEAGD0lTwW7llsqZ40jJ1+X
+CWomYEzVpGW76MprYge4Oj+4PRXaZikkn7pzlZVcGJbzr1Q+JaFNLRkAMPK4pRXj
+AOSLQpIuc0DzftzC8tHbyLMifrHYdibHaujsvu1mV4NeYhO63ZB8S5Xyz1JlpsEQ
+rieLH1/9dnWue7yBCpI+QMRq+zK92HxiCCaM0d6xpSsbI5IawkqmoWj9gYol0EnX
+ImLj
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/roots/clientCA.srl b/test/basicserver/testfiles/seclevel2-sha256/ca/roots/clientCA.srl
new file mode 100644
index 00000000..8a0f05e1
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/roots/clientCA.srl
@@ -0,0 +1 @@
+01
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/roots/serverCA.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/roots/serverCA.pem
new file mode 100644
index 00000000..e26b6e1a
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/roots/serverCA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbcCFFv62JnwctULelqlEY+sZTPEb7ekMA0GCSqGSIb3DQEBCwUAMCQx
+IjAgBgNVBAMMGUJhY2t1cCBzeXN0ZW0gc2VydmVyIHJvb3QwHhcNMTkwNDI4MjA1
+MTU1WhcNMzgwMTE4MjA1MTU1WjAkMSIwIAYDVQQDDBlCYWNrdXAgc3lzdGVtIHNl
+cnZlciByb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0yorMa5E
+xhMYLga0zhixr8Ryl+B1EO3VXnhztCNqt/P/pS9vt2f7bUgOCdIwiacHMq4TXUoF
+LZYA89LHIX1n6s2WvLfykBWmudW/jR0BRqiFKHGuTOAhiVnzrpGicVhD2a6Mx3Kf
+MYcHSMofrpP96eoWERjM64FwfJvuhuBf4eZP3nIBWGbpO8y4XwVHkK+tKp2ePXjW
+olZ1GY15cf8SifPWZwWLMdG4VnTKbGOh6DDFCR5KehjIfa9SHdGRD+I1k+G70N0O
+OBnpnSbyZRzEwaq3BOqJhLwoRwAe9wQ+hLjgE7VoZOckTCEAFMu4SRM8JeXUeRGi
+rnS2z4Kv3Dq+7wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAI6THIONT6lgNq3Bvg
+TCBqkBA1W/k372Pktt6IDFW44dT0J9/oq2o6ZNHycpKS3VwS4C05XbU/v5hE/k2O
+Cu3/y3en+dJIv4Wl2JTPaSRF/4J46sXNtizVAJDKoE3ZHt1viCjsWyllGXoaavce
+fWYppf3g6ImhyAkzlCfyVph2F0vmLZL41K3C040e+GpXdzG1Yy1+2USPhz0Ch+kd
+jqIErNp9OnPRd1yRb1YD+dQ7Wei5vB3OXMk3UQiG9AJ2qmxlEem5lTSpt9fTvWfU
+OAjTynvWbHTULjxvOeenW7cD5ILSr2zVDYQ53KTWjP9NfmsQTAFzkqJztPpB2A0o
+CKG2
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/roots/serverCA.srl b/test/basicserver/testfiles/seclevel2-sha256/ca/roots/serverCA.srl
new file mode 100644
index 00000000..9e22bcb8
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/roots/serverCA.srl
@@ -0,0 +1 @@
+02
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/servers/localhost-cert-sha1.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/servers/localhost-cert-sha1.pem
new file mode 100644
index 00000000..19b6ed62
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/servers/localhost-cert-sha1.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrDCCAZQCAQIwDQYJKoZIhvcNAQEFBQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5
+c3RlbSBzZXJ2ZXIgcm9vdDAeFw0xOTA0MjkxOTI3NDRaFw0zMzAxMDUxOTI3NDRa
+MBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAPVJN1fqLpbabNasGicKPsN99rWpdra46+Swl6E7l1KzuPsSSAWCgtg+
+2vjZdlVGcPiq+lBCP8HO0TsDPOLPZdYwmeYl1a8//Fx2CbyV8LsNyA0BEhW8WbKz
+YNBQvFOxhLVZQkZ1a+gdkZHIj5A1yt01anX+N37+K64qT0hP3eIWwKv7j3eS2TVE
+HcushbDMsBuHEqomh8N4YOGi4BehCl49vbPCBU4jYTNYfF6wgYtDH8giKtox1TNf
+2US9dBwOnDL7v9hPqH6yxE5ehZU88guFhUAar9KJxZihSDOW7QFSKJPzSFl+b6ZN
+a6hp0jrlv+pYVDuMnMxMWWnYA8Me2IsCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
+E8KZNWzkbNwhcVEHR34IxVYPy1uppI/jtVOsQGGSVC1UscAWyGiQWPxqMhwYxsVn
+gz7QYj1oKye1VRuJNTekARvBRFZzWhAi0qGlpiC5yilZB8IlhYUABmgPjg+PuhAF
+xSd+IGVlm/+sisClsPG9DpesyK6+C2ukpVXyaXWR+1/IrQuUpWKLT1pPamVH3zWK
+anT+62bbk0XuxsVqCkGx+aPLesCHAfTNuAxWfkbXXcA+HoGNy3IpmpJGhyCnf1je
+eL6Wf6sAY44y7wQlwHimbi4kOge+UFLIKkqhHSDO2pzyPc02Gs1bBRd94+v2z5h7
+OkIcTqwiJLjLLIWV4WsdwA==
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/ca/servers/localhost-cert.pem b/test/basicserver/testfiles/seclevel2-sha256/ca/servers/localhost-cert.pem
new file mode 100644
index 00000000..40ce8cbf
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/ca/servers/localhost-cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrDCCAZQCAQEwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UEAwwZQmFja3VwIHN5
+c3RlbSBzZXJ2ZXIgcm9vdDAeFw0xOTA0MjgyMDUxNTdaFw0zMzAxMDQyMDUxNTda
+MBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAPVJN1fqLpbabNasGicKPsN99rWpdra46+Swl6E7l1KzuPsSSAWCgtg+
+2vjZdlVGcPiq+lBCP8HO0TsDPOLPZdYwmeYl1a8//Fx2CbyV8LsNyA0BEhW8WbKz
+YNBQvFOxhLVZQkZ1a+gdkZHIj5A1yt01anX+N37+K64qT0hP3eIWwKv7j3eS2TVE
+HcushbDMsBuHEqomh8N4YOGi4BehCl49vbPCBU4jYTNYfF6wgYtDH8giKtox1TNf
+2US9dBwOnDL7v9hPqH6yxE5ehZU88guFhUAar9KJxZihSDOW7QFSKJPzSFl+b6ZN
+a6hp0jrlv+pYVDuMnMxMWWnYA8Me2IsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+fu1wVNuZLkO0e8+oYAnznL7oknE8QJGAd/P2/MqgfsnBXHS0UVl+5L8DQdvCBarr
+vDO/CVL9/ZGj30CipA556cz1pYDtx5TV2GLtfKHKJhoftbgswmt1pPowIIa8zlBA
+SOERy2ooXGnrA5kii+fifkiWy1R0FmJTKZ2jX41Xq60FwXWX7cyCq/xRI+V08HrY
+mNJ2rmAjyWpWZpPNOtQ/SYIX1s2KoPw4XMxfiP5fiMOl3RqEVBkW0h9Hxikl8wKY
+EmA/ESm1F6lnRXvGXWDGQIFCRf2Rv0KlPvNPA/GLZMr0ibYIjc4KnIxKFg//GQF3
+LUYpyJyToT8hE49ypG18mQ==
+-----END CERTIFICATE-----
diff --git a/test/basicserver/testfiles/seclevel2-sha256/raidfile.conf b/test/basicserver/testfiles/seclevel2-sha256/raidfile.conf
new file mode 100644
index 00000000..6e235b24
--- /dev/null
+++ b/test/basicserver/testfiles/seclevel2-sha256/raidfile.conf
@@ -0,0 +1,10 @@
+
+disc0
+{
+	SetNumber = 0
+	BlockSize = 1024
+	Dir0 = .
+	Dir1 = .
+	Dir2 = .
+}
+
diff --git a/test/basicserver/testfiles/srv3-insecure-daemon.conf b/test/basicserver/testfiles/srv3-insecure-daemon.conf
new file mode 100644
index 00000000..09cf352d
--- /dev/null
+++ b/test/basicserver/testfiles/srv3-insecure-daemon.conf
@@ -0,0 +1,9 @@
+Server
+{
+	PidFile = testfiles/srv3.pid
+	ListenAddresses = inet:localhost,unix:testfiles/srv3.sock
+	CertificateFile = testfiles/seclevel2-sha256/ca/servers/localhost-cert-sha1.pem
+	PrivateKeyFile = testfiles/seclevel2-sha256/bbstored/localhost-key.pem
+	TrustedCAsFile = testfiles/seclevel2-sha256/ca/roots/clientCA.pem
+}
+
diff --git a/test/basicserver/testfiles/srv3-seclevel2-sha1.conf b/test/basicserver/testfiles/srv3-seclevel2-sha1.conf
new file mode 100644
index 00000000..93c0f99f
--- /dev/null
+++ b/test/basicserver/testfiles/srv3-seclevel2-sha1.conf
@@ -0,0 +1,9 @@
+Server
+{
+	PidFile = testfiles/srv3.pid
+	ListenAddresses = inet:localhost,unix:testfiles/srv3.sock
+	CertificateFile = testfiles/seclevel2-sha1/ca/servers/localhost-cert.pem
+	PrivateKeyFile = testfiles/seclevel2-sha1/bbstored/localhost-key.pem
+	TrustedCAsFile = testfiles/seclevel2-sha1/ca/roots/clientCA.pem
+}
+
diff --git a/test/basicserver/testfiles/srv3-seclevel2-sha256.conf b/test/basicserver/testfiles/srv3-seclevel2-sha256.conf
new file mode 100644
index 00000000..58c267d4
--- /dev/null
+++ b/test/basicserver/testfiles/srv3-seclevel2-sha256.conf
@@ -0,0 +1,9 @@
+Server
+{
+	PidFile = testfiles/srv3.pid
+	ListenAddresses = inet:localhost,unix:testfiles/srv3.sock
+	CertificateFile = testfiles/seclevel2-sha256/ca/servers/localhost-cert.pem
+	PrivateKeyFile = testfiles/seclevel2-sha256/bbstored/localhost-key.pem
+	TrustedCAsFile = testfiles/seclevel2-sha256/ca/roots/clientCA.pem
+}
+
diff --git a/test/basicserver/testfiles/srv4.conf b/test/basicserver/testfiles/srv4-noseclevel.conf
index f05dff75..db22e95f 100644
--- a/test/basicserver/testfiles/srv4.conf
+++ b/test/basicserver/testfiles/srv4-noseclevel.conf
@@ -3,4 +3,3 @@ Server
 	PidFile = testfiles/srv4.pid
 	ListenAddresses = unix:testfiles/srv4.sock,inet:localhost
 }
-
diff --git a/test/basicserver/testfiles/srv4-seclevel1.conf b/test/basicserver/testfiles/srv4-seclevel1.conf
new file mode 100644
index 00000000..cd90566c
--- /dev/null
+++ b/test/basicserver/testfiles/srv4-seclevel1.conf
@@ -0,0 +1,7 @@
+Server
+{
+	PidFile = testfiles/srv4.pid
+	ListenAddresses = unix:testfiles/srv4.sock,inet:localhost
+}
+
+SSLSecurityLevel = 1
diff --git a/test/basicserver/testfiles/srv4-seclevel2-insecure.conf b/test/basicserver/testfiles/srv4-seclevel2-insecure.conf
new file mode 100644
index 00000000..5d8b1149
--- /dev/null
+++ b/test/basicserver/testfiles/srv4-seclevel2-insecure.conf
@@ -0,0 +1,7 @@
+Server
+{
+	PidFile = testfiles/srv4.pid
+	ListenAddresses = unix:testfiles/srv4.sock,inet:localhost
+}
+
+SSLSecurityLevel = 2
diff --git a/test/basicserver/testfiles/srv4-seclevel2-secure.conf b/test/basicserver/testfiles/srv4-seclevel2-secure.conf
new file mode 100644
index 00000000..5d8b1149
--- /dev/null
+++ b/test/basicserver/testfiles/srv4-seclevel2-secure.conf
@@ -0,0 +1,7 @@
+Server
+{
+	PidFile = testfiles/srv4.pid
+	ListenAddresses = unix:testfiles/srv4.sock,inet:localhost
+}
+
+SSLSecurityLevel = 2
diff --git a/test/bbackupd/testbbackupd.cpp b/test/bbackupd/testbbackupd.cpp
index cc602f22..deff53e2 100644
--- a/test/bbackupd/testbbackupd.cpp
+++ b/test/bbackupd/testbbackupd.cpp
@@ -12,39 +12,44 @@
 // do not include MinGW's dirent.h on Win32, 
 // as we override some of it in lib/win32.
 
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+
 #ifndef WIN32
 	#include <dirent.h>
 #endif
 
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <limits.h>
-#include <string.h>
-
-#ifdef HAVE_SYS_WAIT_H
-	#include <sys/wait.h>
+#ifdef WIN32
+	#include <process.h>
 #endif
 
-#ifdef HAVE_SYS_XATTR_H
-	#include <cerrno>
-	#include <sys/xattr.h>
+#ifdef HAVE_PWD_H
+	#include <pwd.h>
 #endif
 
 #ifdef HAVE_SIGNAL_H
 	#include <signal.h>
 #endif
 
-#ifdef WIN32
-	#include <process.h>
-#endif
-
-#include <map>
+#include <sys/stat.h>
+#include <sys/types.h>
 
 #ifdef HAVE_SYSCALL
 	#include <sys/syscall.h>
 #endif
 
+#ifdef HAVE_SYS_WAIT_H
+	#include <sys/wait.h>
+#endif
+
+#ifdef HAVE_SYS_XATTR_H
+	#include <cerrno>
+	#include <sys/xattr.h>
+#endif
+
+#include <map>
+
 #include "BackupClientCryptoKeys.h"
 #include "BackupClientContext.h"
 #include "BackupClientFileAttributes.h"
@@ -96,7 +101,6 @@
 #define TIME_TO_WAIT_FOR_BACKUP_OPERATION 12
 #define SHORT_TIMEOUT 5000
 #define BACKUP_ERROR_DELAY_SHORTENED 10
-#define DEFAULT_BBACKUPD_CONFIG_FILE "testfiles/bbackupd.conf"
 
 void wait_for_backup_operation(const char* message)
 {
@@ -410,25 +414,9 @@ bool configure_bbackupd(BackupDaemon& bbackupd, const std::string& config_file)
 	return true;
 }
 
-bool kill_running_daemons()
-{
-	bool success = true;
-
-	if(FileExists("testfiles/bbstored.pid"))
-	{
-		TEST_THAT_OR(KillServer("testfiles/bbstored.pid", true), success = false);
-	}
-
-	if(FileExists("testfiles/bbackupd.pid"))
-	{
-		TEST_THAT_OR(KillServer("testfiles/bbackupd.pid", true), success = false);
-	}
-
-	return success;
-}
-
-bool setup_test_bbackupd(BackupDaemon& bbackupd, bool do_unpack_files = true,
-	bool do_start_bbstored = true)
+bool prepare_test_with_client_daemon(BackupDaemon& bbackupd, bool do_unpack_files = true,
+	bool do_start_bbstored = true,
+	const std::string& bbackupd_conf_file = "testfiles/bbackupd.conf")
 {
 	Timers::Cleanup(false); // don't throw exception if not initialised
 	Timers::Init();
@@ -469,8 +457,7 @@ bool setup_test_bbackupd(BackupDaemon& bbackupd, bool do_unpack_files = true,
 		#endif
 	}
 
-	TEST_THAT_OR(configure_bbackupd(bbackupd, "testfiles/bbackupd.conf"),
-		FAIL);
+	TEST_THAT_OR(configure_bbackupd(bbackupd, bbackupd_conf_file), FAIL);
 	spDaemon = &bbackupd;
 	return true;
 }
@@ -486,13 +473,13 @@ bool setup_test_bbackupd(BackupDaemon& bbackupd, bool do_unpack_files = true,
 #define SETUP_WITHOUT_FILES() \
 	SETUP_TEST_BBACKUPD(); \
 	BackupDaemon bbackupd; \
-	TEST_THAT_OR(setup_test_bbackupd(bbackupd, false), FAIL); \
+	TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd, false), FAIL); \
 	TEST_THAT_OR(::mkdir("testfiles/TestDir1", 0755) == 0, FAIL);
 
 #define SETUP_WITH_BBSTORED() \
 	SETUP_TEST_BBACKUPD(); \
 	BackupDaemon bbackupd; \
-	TEST_THAT_OR(setup_test_bbackupd(bbackupd), FAIL);
+	TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd), FAIL);
 
 #define TEARDOWN_TEST_BBACKUPD() \
 	TEST_THAT(bbackupd_pid == 0 || StopClient()); \
@@ -983,15 +970,16 @@ bool test_entry_deleted(BackupStoreDirectory& rDir,
 	return flags && BackupStoreDirectory::Entry::Flags_Deleted;
 }
 
-bool compare(BackupQueries::ReturnCode::Type expected_status,
+bool compare_external(BackupQueries::ReturnCode::Type expected_status,
 	const std::string& bbackupquery_options = "",
-	const std::string& compare_options = "-acQ")
+	const std::string& compare_options = "-acQ",
+	const std::string& bbackupd_conf_file = "testfiles/bbackupd.conf")
 {
 	std::string cmd = BBACKUPQUERY;
 	cmd += " ";
 	cmd += (expected_status == BackupQueries::ReturnCode::Compare_Same)
 		? "-Wwarning" : "-Werror";
-	cmd += " -c testfiles/bbackupd.conf ";
+	cmd += " -c " + bbackupd_conf_file;
 	cmd += " " + bbackupquery_options;
 	cmd += " \"compare " + compare_options + "\" quit";
 
@@ -1007,7 +995,7 @@ bool compare(BackupQueries::ReturnCode::Type expected_status,
 	return (returnValue == expected_system_result);
 }
 
-bool compare_local(BackupQueries::ReturnCode::Type expected_status,
+bool compare_in_process(BackupQueries::ReturnCode::Type expected_status,
 	BackupProtocolCallable& client,
 	const std::string& compare_options = "acQ")
 {
@@ -1074,10 +1062,21 @@ bool touch_and_wait(const std::string& filename)
 
 TLSContext sTlsContext;
 
-#define TEST_COMPARE(...) \
-	TEST_THAT(compare(BackupQueries::ReturnCode::__VA_ARGS__));
-#define TEST_COMPARE_LOCAL(...) \
-	TEST_THAT(compare_local(BackupQueries::ReturnCode::__VA_ARGS__));
+#define TEST_COMPARE(expected_status) \
+	BOX_INFO("Running external compare, expecting " #expected_status); \
+	TEST_THAT(compare_external(BackupQueries::ReturnCode::expected_status));
+#define TEST_COMPARE_EXTRA(expected_status, ...) \
+	BOX_INFO("Running external compare, expecting " #expected_status); \
+	TEST_THAT(compare_external(BackupQueries::ReturnCode::expected_status, __VA_ARGS__));
+
+#define TEST_COMPARE_LOCAL(expected_status, client) \
+	BOX_INFO("Running compare in-process, expecting " #expected_status); \
+	TEST_THAT(compare_in_process(BackupQueries::ReturnCode::expected_status, client));
+#define TEST_COMPARE_LOCAL_EXTRA(expected_status, client, compare_options) \
+	BOX_INFO("Running compare in-process, expecting " #expected_status); \
+	TEST_THAT(compare_in_process(BackupQueries::ReturnCode::expected_status, client, \
+		compare_options));
+
 
 bool search_for_file(const std::string& filename)
 {
@@ -1458,7 +1457,7 @@ bool test_ssl_keepalives()
 	KeepAliveBackupProtocolLocal connection(0x01234567, "test", "backup/01234567/",
 		0, false);
 	MockBackupDaemon bbackupd(connection);
-	TEST_THAT_OR(setup_test_bbackupd(bbackupd), FAIL);
+	TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd), FAIL);
 
 	// Test that sending a keepalive actually works, when the timeout has expired,
 	// but doesn't send anything at the beginning:
@@ -1943,9 +1942,9 @@ bool test_bbackupd_exclusions()
 		bbackupd.RunSyncNow();
 		TEST_THAT(!bbackupd.StorageLimitExceeded());
 
-		// Check that the contents of the store are the same 
-		// as the contents of the disc 
-		TEST_COMPARE(Compare_Same, "-c testfiles/bbackupd-exclude.conf");
+		// Check that the contents of the store are the same
+		// as the contents of the disc
+		TEST_COMPARE_EXTRA(Compare_Same, "-c testfiles/bbackupd-exclude.conf");
 		BOX_TRACE("done.");
 
 		// BLOCK
@@ -2055,7 +2054,7 @@ bool test_bbackupd_responds_to_connection_failure()
 		MockBackupProtocolLocal client(0x01234567, "test",
 			"backup/01234567/", 0, false);
 		MockBackupDaemon bbackupd(client);
-		TEST_THAT_OR(setup_test_bbackupd(bbackupd, false, false), FAIL);
+		TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd, false, false), FAIL);
 
 		TEST_THAT(::system("rm -f testfiles/notifyran.store-full.*") == 0);
 		std::auto_ptr<BackupClientContext> apClientContext;
@@ -2285,11 +2284,11 @@ bool test_read_only_dirs_can_be_restored()
 			#endif
 
 			bbackupd.RunSyncNow();
-			TEST_COMPARE(Compare_Same, "", "-cEQ Test1 testfiles/TestDir1");
+			TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1 testfiles/TestDir1");
 
 			// check that we can restore it
 			TEST_THAT(restore("Test1", "testfiles/restore1"));
-			TEST_COMPARE(Compare_Same, "", "-cEQ Test1 testfiles/restore1");
+			TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1 testfiles/restore1");
 
 			// Try a restore with just the remote directory name,
 			// check that it uses the same name in the local
@@ -2297,7 +2296,7 @@ bool test_read_only_dirs_can_be_restored()
 			TEST_THAT(::mkdir("testfiles/restore-test", 0700) == 0);
 			TEST_THAT(bbackupquery("\"lcd testfiles/restore-test\" "
 				"\"restore Test1\""));
-			TEST_COMPARE(Compare_Same, "", "-cEQ Test1 "
+			TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1 "
 				"testfiles/restore-test/Test1");
 
 			// put the permissions back to sensible values
@@ -2507,7 +2506,7 @@ bool test_unicode_filenames_can_be_backed_up()
 
 		// Check that bbackupquery can compare the dir when given
 		// on the command line in system encoding.
-		TEST_COMPARE(Compare_Same, "", "-cEQ Test1/" + systemDirName +
+		TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1/" + systemDirName +
 			" testfiles/TestDir1/" + systemDirName);
 
 		// Check that bbackupquery can restore the dir when given
@@ -2516,7 +2515,7 @@ bool test_unicode_filenames_can_be_backed_up()
 			"testfiles/restore-" + systemDirName));
 
 		// Compare to make sure it was restored properly.
-		TEST_COMPARE(Compare_Same, "", "-cEQ Test1/" + systemDirName +
+		TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1/" + systemDirName +
 			" testfiles/restore-" + systemDirName);
 
 		std::string fileToUnlink = "testfiles/restore-" + 
@@ -2548,7 +2547,7 @@ bool test_unicode_filenames_can_be_backed_up()
 		// Compare to make sure it was restored properly. The Get
 		// command does restore attributes, so we don't need to
 		// specify the -A option for this to succeed.
-		TEST_COMPARE(Compare_Same, "", "-cEQ Test1/" + systemDirName +
+		TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1/" + systemDirName +
 			" testfiles/restore-" + systemDirName);
 
 		// Check that no read error has been reported yet
@@ -2704,7 +2703,7 @@ bool test_delete_update_and_symlink_files()
 		TEST_COMPARE(Compare_Same);
 
 		// Try a quick compare, just for fun
-		TEST_COMPARE(Compare_Same, "", "-acqQ");
+		TEST_COMPARE_EXTRA(Compare_Same, "", "-acqQ");
 	}
 
 	TEARDOWN_TEST_BBACKUPD();
@@ -3193,8 +3192,8 @@ bool test_excluded_files_are_not_backed_up()
 	BackupProtocolLocal2 client(0x01234567, "test", "backup/01234567/",
 		0, false);
 	MockBackupDaemon bbackupd(client);
-	
-	TEST_THAT_OR(setup_test_bbackupd(bbackupd,
+
+	TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd,
 		true, // do_unpack_files
 		false // do_start_bbstored
 		), FAIL);
@@ -3210,8 +3209,8 @@ bool test_excluded_files_are_not_backed_up()
 		TEST_COMPARE_LOCAL(Compare_Same, client);
 
 		// compare without exclusions, should find differences
-		// TEST_COMPARE(Compare_Different, "", "-acEQ");
-		TEST_COMPARE_LOCAL(Compare_Different, client, "acEQ");
+		// TEST_COMPARE_EXTRA(Compare_Different, "", "-acEQ");
+		TEST_COMPARE_LOCAL_EXTRA(Compare_Different, client, "acEQ");
 
 		// check that the excluded files did not make it
 		// into the store, and the included files did
@@ -3614,7 +3613,7 @@ bool test_rename_operations()
 		TEST_COMPARE(Compare_Same);
 
 		// and again, but with quick flag
-		TEST_COMPARE(Compare_Same, "", "-acqQ");
+		TEST_COMPARE_EXTRA(Compare_Same, "", "-acqQ");
 
 		// Rename some files -- one under the threshold, others above
 		TEST_THAT(rename("testfiles/TestDir1/df324", 
@@ -3914,7 +3913,7 @@ bool test_restore_deleted_files()
 			client.reset();
 
 			// Do a compare with the now undeleted files
-			TEST_COMPARE(Compare_Same, "", "-cEQ Test1/x1 "
+			TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1/x1 "
 				"testfiles/restore-Test1-x1-2");
 		}
 		
@@ -4039,6 +4038,194 @@ bool test_parse_syncallowscript_output()
 	TEARDOWN_TEST_BBACKUPD();
 }
 
+bool check_output_log_file_for_ssl_security_level_warnings(const std::string& log_file_name,
+	const std::string& sentinel_value)
+{
+	int old_num_failures = num_failures;
+
+	FileStream fs(log_file_name, O_RDONLY);
+	IOStreamGetLine getline(fs);
+	std::string line;
+	bool found_not_set = false, found_not_supported = false, found_sentinel = false;
+
+	while(fs.StreamDataLeft())
+	{
+		TEST_THAT(getline.GetLine(line, true, 30000)); // 30 seconds should be enough
+		TEST_THAT(line.size() >= 30);
+		if(line.size() < 30)
+		{
+			continue;
+		}
+
+		if(StartsWith("SSLSecurityLevel not set. Your connection may not "
+			"be secure.", line.substr(30)))
+		{
+			found_not_set = true;
+		}
+		else if(StartsWith("SSLSecurityLevel is set, but this Box Backup "
+			"is not compiled with OpenSSL 1.1 or higher", line.substr(30)))
+		{
+			found_not_supported = true;
+		}
+		else if(StartsWith(sentinel_value, line.substr(30)))
+		{
+			found_sentinel = true;
+			break;
+		}
+	}
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+	TEST_THAT(!found_not_set); // We should set it in bbackupd-config
+	TEST_THAT(!found_not_supported); // And this message should never be logged
+#else
+	TEST_THAT(!found_not_supported); // We should not set it in bbackupd-config
+	TEST_THAT(!found_not_set); // And this message should never be logged
+#endif
+
+	TEST_THAT(found_sentinel); // Otherwise we're looking for the wrong thing!
+
+	return (num_failures == old_num_failures); // no new failures -> good
+}
+
+
+bool test_bbackupd_config_script()
+{
+	SETUP_TEST_BBACKUPD();
+
+#ifdef WIN32
+	BOX_NOTICE("skipping test on this platform"); // TODO: write a PowerShell version
+#else
+	char buf[PATH_MAX];
+	if (getcwd(buf, sizeof(buf)) == NULL)
+	{
+		BOX_LOG_SYS_ERROR("getcwd");
+	}
+	std::string current_dir = buf;
+
+	TEST_THAT(mkdir("testfiles/tmp", 0777) == 0);
+	TEST_THAT(mkdir("testfiles/TestDir1", 0777) == 0);
+
+	// Generate a new configuration for our test bbackupd, from scratch:
+	std::string cmd = "../../../bin/bbackupd/bbackupd-config " +
+		current_dir + "/testfiles/tmp " // config-dir
+		"lazy " // backup-mode
+		"12345 " // account-num
+		"localhost " + // server-hostname
+		current_dir + "/testfiles " + // working-dir
+		current_dir + "/testfiles/TestDir1"; // backup directories
+	TEST_RETURN(system(cmd.c_str()), 0)
+
+	// Open the generated config file and add a StorePort line:
+	{
+		FileStream conf_file("testfiles/tmp/bbackupd.conf", O_WRONLY | O_APPEND);
+		conf_file.Write("StorePort = 22011\n");
+		conf_file.Close();
+	}
+
+	// Generate a new configuration for our test bbstored, from scratch:
+	struct passwd *result = getpwuid(getuid());
+	TEST_THAT_OR(result != NULL, FAIL); // failed to get username for current user
+	std::string username = result->pw_name;
+
+	cmd = "../../../bin/bbstored/bbstored-config testfiles/tmp localhost " + username + " "
+		"testfiles/raidfile.conf";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	cmd = "sed -i.orig -e 's/\\(ListenAddresses = inet:localhost\\)/\\1:22011/' "
+		"-e 's@PidFile = .*/run/bbstored.pid@PidFile = testfiles/bbstored.pid@' "
+		"testfiles/tmp/bbstored.conf";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	// Create a server certificate authority, and sign the client and server certificates:
+	cmd = "../../../bin/bbstored/bbstored-certs testfiles/tmp/ca init";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	cmd = "echo yes | ../../../bin/bbstored/bbstored-certs testfiles/tmp/ca sign "
+		"testfiles/tmp/bbackupd/12345-csr.pem";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	cmd = "echo yes | ../../../bin/bbstored/bbstored-certs testfiles/tmp/ca sign-server "
+		"testfiles/tmp/bbstored/localhost-csr.pem";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	// Copy the certificate files into the right places
+	cmd = "cp testfiles/tmp/ca/clients/12345-cert.pem testfiles/tmp/bbackupd";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	cmd = "cp testfiles/tmp/ca/roots/serverCA.pem testfiles/tmp/bbackupd";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	cmd = "cp testfiles/tmp/ca/servers/localhost-cert.pem testfiles/tmp/bbstored";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	cmd = "cp testfiles/tmp/ca/roots/clientCA.pem testfiles/tmp/bbstored";
+	TEST_RETURN(system(cmd.c_str()), 0)
+
+	cmd = BBSTOREACCOUNTS " -c testfiles/tmp/bbstored.conf create 12345 0 1M 2M";
+	TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
+
+	bbstored_pid = StartDaemon(bbstored_pid, BBSTORED " " + bbstored_args +
+		" -o testfiles/tmp/bbstored.log testfiles/tmp/bbstored.conf", "testfiles/bbstored.pid",
+		22011);
+
+	{
+		Capture capture;
+		Logging::TempLoggerGuard guard(&capture);
+
+		BackupDaemon bbackupd;
+		TEST_THAT(
+			prepare_test_with_client_daemon(
+				bbackupd,
+				true, // do_unpack_files
+				false, // !do_start_bbstored
+				"testfiles/tmp/bbackupd.conf")
+			);
+
+		bbackupd.RunSyncNow();
+
+		std::vector<Capture::Message> messages = capture.GetMessages();
+		TEST_THAT(!messages.empty());
+		if (!messages.empty())
+		{
+			bool found_not_set = false, found_not_supported = false;
+			for(std::vector<Capture::Message>::iterator i = messages.begin();
+				i != messages.end(); i++)
+			{
+				if(StartsWith("SSLSecurityLevel not set. Your connection may not "
+					"be secure.", i->message))
+				{
+					found_not_set = true;
+				}
+				else if(StartsWith("SSLSecurityLevel is set, but this Box Backup "
+					"is not compiled with OpenSSL 1.1 or higher", i->message))
+				{
+					found_not_supported = true;
+				}
+			}
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+			TEST_THAT(!found_not_set); // We should set it in bbackupd-config
+			TEST_THAT(!found_not_supported); // And this message should never be logged
+#else
+			TEST_THAT(!found_not_supported); // We should not set it in bbackupd-config
+			TEST_THAT(!found_not_set); // And this message should never be logged
+#endif
+		}
+	}
+
+	TEST_THAT(compare_external(BackupQueries::ReturnCode::Compare_Same,
+		"-otestfiles/tmp/bbackupquery.log", "-acQ", "testfiles/tmp/bbackupd.conf"));
+	TEST_THAT(check_output_log_file_for_ssl_security_level_warnings("testfiles/tmp/bbackupquery.log",
+		"Connecting to store"));
+	TEST_THAT(check_output_log_file_for_ssl_security_level_warnings("testfiles/tmp/bbstored.log",
+		"Forked child process"));
+
+	TEST_THAT(StopServer());
+#endif // !WIN32
+
+	TEARDOWN_TEST_BBACKUPD();
+}
+
 int test(int argc, const char *argv[])
 {
 	// SSL library
@@ -4104,6 +4291,7 @@ int test(int argc, const char *argv[])
 	TEST_THAT(test_backup_many_files());
 	TEST_THAT(test_parse_incomplete_command());
 	TEST_THAT(test_parse_syncallowscript_output());
+	TEST_THAT(test_bbackupd_config_script());
 
 	TEST_THAT(kill_running_daemons());