Diffstat (limited to 'test')
-rw-r--r--test/backupstorefix/testbackupstorefix.cpp3
-rwxr-xr-xtest/backupstorefix/testfiles/testbackupstorefix.pl.in2
-rw-r--r--test/basicserver/testbasicserver.cpp128
-rwxr-xr-x[-rw-r--r--]test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh0
-rw-r--r--test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf1
-rwxr-xr-x[-rw-r--r--]test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh0
-rw-r--r--test/basicserver/testfiles/srv3-insecure-daemon.conf9
-rw-r--r--test/basicserver/testfiles/srv3-seclevel2-sha1.conf1
-rw-r--r--test/basicserver/testfiles/srv3-seclevel2-sha256.conf1
-rw-r--r--test/basicserver/testfiles/srv4-noseclevel.conf (renamed from test/basicserver/testfiles/srv4.conf)1
-rw-r--r--test/basicserver/testfiles/srv4-seclevel1.conf7
-rw-r--r--test/basicserver/testfiles/srv4-seclevel2-insecure.conf7
-rw-r--r--test/basicserver/testfiles/srv4-seclevel2-secure.conf7
-rw-r--r--test/bbackupd/testbbackupd.cpp213
14 files changed, 287 insertions, 93 deletions
diff --git a/test/backupstorefix/testbackupstorefix.cpp b/test/backupstorefix/testbackupstorefix.cpp
index 6099f133..ac1d0c14 100644
--- a/test/backupstorefix/testbackupstorefix.cpp
+++ b/test/backupstorefix/testbackupstorefix.cpp
@@ -671,8 +671,7 @@ int test(int argc, const char *argv[])
char name[256];
while(::fgets(line, sizeof(line), f) != 0)
{
- if(StartsWith("WARNING: This version of Box Backup overrides the "
- "system-wide SSLSecurityLevel", line))
+ if(StartsWith("WARNING: SSLSecurityLevel not set.", line))
{
continue;
}
diff --git a/test/backupstorefix/testfiles/testbackupstorefix.pl.in b/test/backupstorefix/testfiles/testbackupstorefix.pl.in
index 177b3b70..483087f7 100755
--- a/test/backupstorefix/testfiles/testbackupstorefix.pl.in
+++ b/test/backupstorefix/testfiles/testbackupstorefix.pl.in
@@ -154,7 +154,7 @@ elsif($ARGV[0] eq 'reroot')
chomp $line;
$line =~s/\[FILENAME NOT ENCRYPTED\]//;
next if $line =~ /^WARNING: \*\*\*\* BackupStoreFilename encoded with Clear encoding \*\*\*\*/;
- next if $line =~ /^WARNING: This version of Box Backup overrides the system-wide SSLSecurityLevel/;
+ next if $line =~ /^WARNING: SSLSecurityLevel not set./;
my ($id,$type,$name) = split / /, $line;
$count++;
if($name !~ /\Alost\+found0/)
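Review bot: The trailing `.` in the new pattern is an unescaped regex metacharacter, so it matches any character rather than a literal full stop. Writing it as `next if $line =~ /^WARNING: SSLSecurityLevel not set\./;` would match the same text the C++ test filters with `StartsWith("WARNING: SSLSecurityLevel not set.", line)`. Because the match is only a prefix filter the effect is small, but the two tests should skip exactly the same line.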
diff --git a/test/basicserver/testbasicserver.cpp b/test/basicserver/testbasicserver.cpp
index 4aeded6c..9285dfc9 100644
--- a/test/basicserver/testbasicserver.cpp
+++ b/test/basicserver/testbasicserver.cpp
@@ -15,18 +15,17 @@
#include <typeinfo>
-#include "Test.h"
-#include "Daemon.h"
+#include "CollectInBufferStream.h"
#include "Configuration.h"
-#include "ServerStream.h"
-#include "SocketStream.h"
+#include "Daemon.h"
#include "IOStreamGetLine.h"
+#include "ServerControl.h"
+#include "ServerStream.h"
#include "ServerTLS.h"
-#include "CollectInBufferStream.h"
-
+#include "SocketStream.h"
+#include "Test.h"
#include "TestContext.h"
#include "autogen_TestProtocol.h"
-#include "ServerControl.h"
#include "MemLeakFindOn.h"
@@ -98,7 +97,7 @@ void testservers_connection(SocketStream &rStream)
while(!getline.IsEOF())
{
std::string line;
- while(!getline.GetLine(line))
+ while(!getline.GetLine(line, false, SHORT_TIMEOUT))
;
if(line == "QUIT")
{
@@ -208,11 +207,16 @@ const ConfigurationVerify *testserver::GetConfigVerify() const
}
};
+ static ConfigurationVerifyKey root_keys[] =
+ {
+ ssl_security_level_key,
+ };
+
static ConfigurationVerify verify =
{
"root", /* mName */
verifyserver, /* mpSubConfigurations */
- 0, /* mpKeys */
+ root_keys, // mpKeys
ConfigTest_Exists | ConfigTest_LastEntry,
0
};
@@ -449,7 +453,7 @@ void TestStreamReceive(TestProtocolClient &protocol, int value, bool uncertainst
TEST_THAT(count == (24273*3)); // over 64 k of data, definately
}
-bool test_security_level(int cert_level)
+bool test_security_level(int cert_level, int test_level, bool expect_failure_on_connect = false)
{
int old_num_failures = num_failures;
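Review bot: The widened signature of `test_security_level` has no comment saying what the values of `cert_level` and `test_level` mean, and two adjacent `int` parameters are easy to swap at a call site. A header comment such as `// cert_level: 0 = testfiles/client*.pem, 1 = seclevel2-sha1, 2 = seclevel2-sha256; test_level: security level passed to context.Initialise()` would let calls like `test_security_level(2, 0)` be read without the trailing `// cert_level, test_level` comments. It would also help to state that `expect_failure_on_connect` only changes the expectation for `conn.Open`, not for loading the certificates. The function body continues outside this hunk.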
@@ -460,21 +464,24 @@ bool test_security_level(int cert_level)
context.Initialise(false /* client */,
"testfiles/clientCerts.pem",
"testfiles/clientPrivKey.pem",
- "testfiles/clientTrustedCAs.pem");
+ "testfiles/clientTrustedCAs.pem",
+ test_level); // SecurityLevel
}
else if(cert_level == 1)
{
context.Initialise(false /* client */,
"testfiles/seclevel2-sha1/ca/clients/1234567-cert.pem",
"testfiles/seclevel2-sha1/bbackupd/1234567-key.pem",
- "testfiles/seclevel2-sha1/ca/roots/serverCA.pem");
+ "testfiles/seclevel2-sha1/ca/roots/serverCA.pem",
+ test_level); // SecurityLevel
}
else if(cert_level == 2)
{
context.Initialise(false /* client */,
"testfiles/seclevel2-sha256/ca/clients/1234567-cert.pem",
"testfiles/seclevel2-sha256/bbackupd/1234567-key.pem",
- "testfiles/seclevel2-sha256/ca/roots/serverCA.pem");
+ "testfiles/seclevel2-sha256/ca/roots/serverCA.pem",
+ test_level); // SecurityLevel
}
else
{
@@ -483,7 +490,17 @@ bool test_security_level(int cert_level)
}
SocketStreamTLS conn;
- conn.Open(context, Socket::TypeINET, "localhost", 2003);
+
+ if(expect_failure_on_connect)
+ {
+ TEST_CHECK_THROWS(
+ conn.Open(context, Socket::TypeINET, "localhost", 2003),
+ ConnectionException, TLSPeerWeakCertificate);
+ }
+ else
+ {
+ conn.Open(context, Socket::TypeINET, "localhost", 2003);
+ }
return (num_failures == old_num_failures); // no new failures -> good
}
@@ -495,7 +512,25 @@ bool test_ancient_certificates()
int old_num_failures = num_failures;
// Level -1 (allow weaker, with warning) should pass with any certificates:
- TEST_THAT(test_security_level(0)); // cert_level
+ TEST_THAT(test_security_level(0, -1)); // cert_level, test_level
+
+ // We do not test level 0 (system-wide default) because the system
+ // may have it set high, and our old certificate will not be usable
+ // in that case, and the user has no way to fix that, so it's not a
+ // useful test.
+
+ // Level 1 (allow weaker, without a warning) should pass with any certificates:
+ TEST_THAT(test_security_level(0, 1)); // cert_level, test_level
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ // Level 2 (disallow weaker, without a warning) should NOT pass with old certificates:
+ TEST_CHECK_THROWS(
+ test_security_level(0, 2), // cert_level, test_level
+ ServerException, TLSServerWeakCertificate);
+#else
+ // We have no way to increase the security level, so it should still pass:
+ test_security_level(0, 2); // cert_level, test_level
+#endif
return (num_failures == old_num_failures); // no new failures -> good
}
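Review bot: In the `#else` branch the call `test_security_level(0, 2);` discards its result, while every other call in test_ancient_certificates is wrapped in `TEST_THAT`. As far as the visible code shows, failures inside the callee are still counted through `num_failures`, so this is a consistency point rather than a lost failure. `TEST_THAT(test_security_level(0, 2));` would read the same as the level -1 and level 1 checks. The same applies to `test_security_level(1, 2);` in test_old_certificates and `test_security_level(2, 2, false);` in test_new_certificates in the next hunk.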
@@ -507,18 +542,58 @@ bool test_old_certificates()
int old_num_failures = num_failures;
// Level -1 (allow weaker, with warning) should pass with any certificates:
- TEST_THAT(test_security_level(1)); // cert_level
+ TEST_THAT(test_security_level(1, -1)); // cert_level, test_level
+
+ // We do not test level 0 (system-wide default) because the system
+ // may have it set high, and our old certificate will not be usable
+ // in that case, and the user has no way to fix that, so it's not a
+ // useful test.
+
+ // Level 1 (allow weaker, without a warning) should pass with any certificates:
+ TEST_THAT(test_security_level(1, 1)); // cert_level, test_level
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ // Level 2 (disallow weaker, without a warning) should NOT pass with old certificates:
+ TEST_CHECK_THROWS(
+ test_security_level(1, 2), // cert_level, test_level
+ ServerException, TLSServerWeakCertificate);
+#else
+ // We have no way to increase the security level, so it should still pass:
+ test_security_level(1, 2); // cert_level, test_level
+#endif
return (num_failures == old_num_failures); // no new failures -> good
}
-bool test_new_certificates()
+bool test_new_certificates(bool expect_failure_level_2)
{
int old_num_failures = num_failures;
// Level -1 (allow weaker, with warning) should pass with any certificates:
- TEST_THAT(test_security_level(2)); // cert_level
+ TEST_THAT(test_security_level(2, -1)); // cert_level, test_level
+
+ // Level 0 (system dependent). This will fail if the user (or their
+ // distro) sets the system-wide security level very high. We check
+ // this because *we* may need to update Box Backup if this happens
+ // again, as it did when Debian increased the default level.
+ // Newly generated certificates may need to be strengthened.
+ // And we may need to update the documentation.
+ TEST_THAT(test_security_level(2, 0)); // cert_level, test_level
+
+ // Level 1 (allow weaker, without a warning) should pass with any certificates:
+ TEST_THAT(test_security_level(2, 1)); // cert_level, test_level
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ // Level 2 (disallow weaker, without a warning) should pass with new certificates,
+ // but might fail to connect to a peer with weak (insecure) certificates:
+ TEST_THAT(test_security_level(2, 2, expect_failure_level_2));
+ // cert_level, test_level, expect_failure
+#else
+ // We have no way to increase the security level, so it should not fail to connect to a
+ // daemon with weak certificates:
+ test_security_level(2, 2, false); // cert_level, test_level, expect_failure
+#endif
return (num_failures == old_num_failures); // no new failures -> good
}
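Review bot: When `test_new_certificates(true)` runs against the daemon started from `srv3-insecure-daemon.conf`, the unconditional `TEST_THAT(test_security_level(2, 0));` connects at the system-wide default level to a server presenting `localhost-cert-sha1.pem`. The comment above that line says level 0 fails where a distro sets the default high, so on such a system this call would presumably throw from `conn.Open` rather than record a failure, and only the level 2 call is told to expect that. Consider guarding it, e.g. `if(!expect_failure_level_2) { TEST_THAT(test_security_level(2, 0)); }`, or documenting why the weak server certificate is expected to pass at the default level.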
@@ -718,6 +793,7 @@ int test(int argc, const char *argv[])
"testfiles/clientCerts.pem",
"testfiles/clientPrivKey.pem",
"testfiles/clientTrustedCAs.pem");
+ // SecurityLevel == -1 by default (old security + warnings)
SocketStreamTLS conn1;
conn1.Open(context, Socket::TypeINET, "localhost", 2003);
@@ -786,7 +862,19 @@ int test(int argc, const char *argv[])
pid = LaunchServer(cmd, "testfiles/srv3.pid");
TEST_THAT(pid != -1 && pid != 0);
- TEST_THAT(test_new_certificates());
+ TEST_THAT(test_new_certificates(false)); // !expect_failure_level_2
+ TEST_THAT(KillServer(pid));
+
+ // Start a daemon using old, insecure certificates. We should get an error when we
+ // try to connect to it:
+
+ cmd = TEST_EXECUTABLE " --test-daemon-args=";
+ cmd += test_args;
+ cmd += " srv3 testfiles/srv3-insecure-daemon.conf";
+ pid = LaunchServer(cmd, "testfiles/srv3.pid");
+
+ TEST_THAT(pid != -1 && pid != 0);
+ TEST_THAT(test_new_certificates(true)); // expect_failure_level_2
TEST_THAT(KillServer(pid));
}
@@ -795,7 +883,7 @@ int test(int argc, const char *argv[])
{
std::string cmd = TEST_EXECUTABLE " --test-daemon-args=";
cmd += test_args;
- cmd += " srv4 testfiles/srv4.conf";
+ cmd += " srv4 testfiles/srv4-seclevel1.conf";
int pid = LaunchServer(cmd, "testfiles/srv4.pid");
TEST_THAT(pid != -1 && pid != 0);
diff --git a/test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh b/test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh
index 48e8cf8e..48e8cf8e 100644..100755
--- a/test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh
+++ b/test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf b/test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf
index e8f2c104..671a13ac 100644
--- a/test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf
@@ -6,6 +6,7 @@ KeysFile = ./bbackupd/1234567-FileEncKeys.raw
CertificateFile = ./bbackupd/1234567-cert.pem
PrivateKeyFile = ./bbackupd/1234567-key.pem
TrustedCAsFile = ./bbackupd/serverCA.pem
+SSLSecurityLevel = 2
DataDirectory = /home/chris/boxbackup/test/basicserver/testfiles/seclevel2
diff --git a/test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh b/test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh
index 48e8cf8e..48e8cf8e 100644..100755
--- a/test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh
+++ b/test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh
diff --git a/test/basicserver/testfiles/srv3-insecure-daemon.conf b/test/basicserver/testfiles/srv3-insecure-daemon.conf
new file mode 100644
index 00000000..09cf352d
--- /dev/null
+++ b/test/basicserver/testfiles/srv3-insecure-daemon.conf
@@ -0,0 +1,9 @@
+Server
+{
+ PidFile = testfiles/srv3.pid
+ ListenAddresses = inet:localhost,unix:testfiles/srv3.sock
+ CertificateFile = testfiles/seclevel2-sha256/ca/servers/localhost-cert-sha1.pem
+ PrivateKeyFile = testfiles/seclevel2-sha256/bbstored/localhost-key.pem
+ TrustedCAsFile = testfiles/seclevel2-sha256/ca/roots/clientCA.pem
+}
+
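Review bot: `CertificateFile` points at `testfiles/seclevel2-sha256/ca/servers/localhost-cert-sha1.pem`, which is not among the 14 files in this commit's diffstat, so the new test depends on that certificate already being in the tree. The file also sets no `SSLSecurityLevel` and so relies on the default to let the daemon load a deliberately weak certificate. If the config syntax allows comments, a one-line note saying that the omission is intentional would stop a later cleanup from adding a level and silently changing what the test exercises.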
diff --git a/test/basicserver/testfiles/srv3-seclevel2-sha1.conf b/test/basicserver/testfiles/srv3-seclevel2-sha1.conf
index 01e0fe6d..93c0f99f 100644
--- a/test/basicserver/testfiles/srv3-seclevel2-sha1.conf
+++ b/test/basicserver/testfiles/srv3-seclevel2-sha1.conf
@@ -6,3 +6,4 @@ Server
PrivateKeyFile = testfiles/seclevel2-sha1/bbstored/localhost-key.pem
TrustedCAsFile = testfiles/seclevel2-sha1/ca/roots/clientCA.pem
}
+
diff --git a/test/basicserver/testfiles/srv3-seclevel2-sha256.conf b/test/basicserver/testfiles/srv3-seclevel2-sha256.conf
index 4db52361..58c267d4 100644
--- a/test/basicserver/testfiles/srv3-seclevel2-sha256.conf
+++ b/test/basicserver/testfiles/srv3-seclevel2-sha256.conf
@@ -6,3 +6,4 @@ Server
PrivateKeyFile = testfiles/seclevel2-sha256/bbstored/localhost-key.pem
TrustedCAsFile = testfiles/seclevel2-sha256/ca/roots/clientCA.pem
}
+
diff --git a/test/basicserver/testfiles/srv4.conf b/test/basicserver/testfiles/srv4-noseclevel.conf
index f05dff75..db22e95f 100644
--- a/test/basicserver/testfiles/srv4.conf
+++ b/test/basicserver/testfiles/srv4-noseclevel.conf
@@ -3,4 +3,3 @@ Server
PidFile = testfiles/srv4.pid
ListenAddresses = unix:testfiles/srv4.sock,inet:localhost
}
-
diff --git a/test/basicserver/testfiles/srv4-seclevel1.conf b/test/basicserver/testfiles/srv4-seclevel1.conf
new file mode 100644
index 00000000..cd90566c
--- /dev/null
+++ b/test/basicserver/testfiles/srv4-seclevel1.conf
@@ -0,0 +1,7 @@
+Server
+{
+ PidFile = testfiles/srv4.pid
+ ListenAddresses = unix:testfiles/srv4.sock,inet:localhost
+}
+
+SSLSecurityLevel = 1
diff --git a/test/basicserver/testfiles/srv4-seclevel2-insecure.conf b/test/basicserver/testfiles/srv4-seclevel2-insecure.conf
new file mode 100644
index 00000000..5d8b1149
--- /dev/null
+++ b/test/basicserver/testfiles/srv4-seclevel2-insecure.conf
@@ -0,0 +1,7 @@
+Server
+{
+ PidFile = testfiles/srv4.pid
+ ListenAddresses = unix:testfiles/srv4.sock,inet:localhost
+}
+
+SSLSecurityLevel = 2
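Review bot: `srv4-seclevel2-insecure.conf` and `srv4-seclevel2-secure.conf` are added with the same blob id (`5d8b1149`), so their contents are identical. Neither name appears in the testbasicserver.cpp hunks shown, which only switch srv4 to `srv4-seclevel1.conf`. If the two are meant to differ (for example in which certificates they load), one of them is probably incomplete. If they are placeholders for later tests, a single file would avoid the misleading `insecure`/`secure` naming.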
diff --git a/test/basicserver/testfiles/srv4-seclevel2-secure.conf b/test/basicserver/testfiles/srv4-seclevel2-secure.conf
new file mode 100644
index 00000000..5d8b1149
--- /dev/null
+++ b/test/basicserver/testfiles/srv4-seclevel2-secure.conf
@@ -0,0 +1,7 @@
+Server
+{
+ PidFile = testfiles/srv4.pid
+ ListenAddresses = unix:testfiles/srv4.sock,inet:localhost
+}
+
+SSLSecurityLevel = 2
diff --git a/test/bbackupd/testbbackupd.cpp b/test/bbackupd/testbbackupd.cpp
index d55b5d8d..deff53e2 100644
--- a/test/bbackupd/testbbackupd.cpp
+++ b/test/bbackupd/testbbackupd.cpp
@@ -12,43 +12,44 @@
// do not include MinGW's dirent.h on Win32,
// as we override some of it in lib/win32.
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+
#ifndef WIN32
#include <dirent.h>
#endif
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <limits.h>
-#include <string.h>
-
-#ifdef HAVE_SYS_WAIT_H
- #include <sys/wait.h>
+#ifdef WIN32
+ #include <process.h>
#endif
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
-#ifdef HAVE_SYS_XATTR_H
- #include <cerrno>
- #include <sys/xattr.h>
-#endif
-
#ifdef HAVE_SIGNAL_H
#include <signal.h>
#endif
-#ifdef WIN32
- #include <process.h>
-#endif
-
-#include <map>
+#include <sys/stat.h>
+#include <sys/types.h>
#ifdef HAVE_SYSCALL
#include <sys/syscall.h>
#endif
+#ifdef HAVE_SYS_WAIT_H
+ #include <sys/wait.h>
+#endif
+
+#ifdef HAVE_SYS_XATTR_H
+ #include <cerrno>
+ #include <sys/xattr.h>
+#endif
+
+#include <map>
+
#include "BackupClientCryptoKeys.h"
#include "BackupClientContext.h"
#include "BackupClientFileAttributes.h"
@@ -100,7 +101,6 @@
#define TIME_TO_WAIT_FOR_BACKUP_OPERATION 12
#define SHORT_TIMEOUT 5000
#define BACKUP_ERROR_DELAY_SHORTENED 10
-#define DEFAULT_BBACKUPD_CONFIG_FILE "testfiles/bbackupd.conf"
void wait_for_backup_operation(const char* message)
{
@@ -414,24 +414,7 @@ bool configure_bbackupd(BackupDaemon& bbackupd, const std::string& config_file)
return true;
}
-bool kill_running_daemons()
-{
- bool success = true;
-
- if(FileExists("testfiles/bbstored.pid"))
- {
- TEST_THAT_OR(KillServer("testfiles/bbstored.pid", true), success = false);
- }
-
- if(FileExists("testfiles/bbackupd.pid"))
- {
- TEST_THAT_OR(KillServer("testfiles/bbackupd.pid", true), success = false);
- }
-
- return success;
-}
-
-bool setup_test_bbackupd(BackupDaemon& bbackupd, bool do_unpack_files = true,
+bool prepare_test_with_client_daemon(BackupDaemon& bbackupd, bool do_unpack_files = true,
bool do_start_bbstored = true,
const std::string& bbackupd_conf_file = "testfiles/bbackupd.conf")
{
@@ -490,13 +473,13 @@ bool setup_test_bbackupd(BackupDaemon& bbackupd, bool do_unpack_files = true,
#define SETUP_WITHOUT_FILES() \
SETUP_TEST_BBACKUPD(); \
BackupDaemon bbackupd; \
- TEST_THAT_OR(setup_test_bbackupd(bbackupd, false), FAIL); \
+ TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd, false), FAIL); \
TEST_THAT_OR(::mkdir("testfiles/TestDir1", 0755) == 0, FAIL);
#define SETUP_WITH_BBSTORED() \
SETUP_TEST_BBACKUPD(); \
BackupDaemon bbackupd; \
- TEST_THAT_OR(setup_test_bbackupd(bbackupd), FAIL);
+ TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd), FAIL);
#define TEARDOWN_TEST_BBACKUPD() \
TEST_THAT(bbackupd_pid == 0 || StopClient()); \
@@ -987,7 +970,7 @@ bool test_entry_deleted(BackupStoreDirectory& rDir,
return flags && BackupStoreDirectory::Entry::Flags_Deleted;
}
-bool compare(BackupQueries::ReturnCode::Type expected_status,
+bool compare_external(BackupQueries::ReturnCode::Type expected_status,
const std::string& bbackupquery_options = "",
const std::string& compare_options = "-acQ",
const std::string& bbackupd_conf_file = "testfiles/bbackupd.conf")
@@ -1012,7 +995,7 @@ bool compare(BackupQueries::ReturnCode::Type expected_status,
return (returnValue == expected_system_result);
}
-bool compare_local(BackupQueries::ReturnCode::Type expected_status,
+bool compare_in_process(BackupQueries::ReturnCode::Type expected_status,
BackupProtocolCallable& client,
const std::string& compare_options = "acQ")
{
@@ -1079,10 +1062,21 @@ bool touch_and_wait(const std::string& filename)
TLSContext sTlsContext;
-#define TEST_COMPARE(...) \
- TEST_THAT(compare(BackupQueries::ReturnCode::__VA_ARGS__));
-#define TEST_COMPARE_LOCAL(...) \
- TEST_THAT(compare_local(BackupQueries::ReturnCode::__VA_ARGS__));
+#define TEST_COMPARE(expected_status) \
+ BOX_INFO("Running external compare, expecting " #expected_status); \
+ TEST_THAT(compare_external(BackupQueries::ReturnCode::expected_status));
+#define TEST_COMPARE_EXTRA(expected_status, ...) \
+ BOX_INFO("Running external compare, expecting " #expected_status); \
+ TEST_THAT(compare_external(BackupQueries::ReturnCode::expected_status, __VA_ARGS__));
+
+#define TEST_COMPARE_LOCAL(expected_status, client) \
+ BOX_INFO("Running compare in-process, expecting " #expected_status); \
+ TEST_THAT(compare_in_process(BackupQueries::ReturnCode::expected_status, client));
+#define TEST_COMPARE_LOCAL_EXTRA(expected_status, client, compare_options) \
+ BOX_INFO("Running compare in-process, expecting " #expected_status); \
+ TEST_THAT(compare_in_process(BackupQueries::ReturnCode::expected_status, client, \
+ compare_options));
+
bool search_for_file(const std::string& filename)
{
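Review bot: Each of the four rewritten macros now expands to two statements (`BOX_INFO(...); TEST_THAT(...);`), so a use under an unbraced `if` or `else` would guard only the log line and always run the comparison. Wrapping the body keeps each macro usable as a single statement: `#define TEST_COMPARE(expected_status) do { BOX_INFO(...); TEST_THAT(...); } while(0)`. `TEST_COMPARE_EXTRA(expected_status, ...)` also needs at least one extra argument to expand cleanly, which deserves a short comment above the definition.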
@@ -1463,7 +1457,7 @@ bool test_ssl_keepalives()
KeepAliveBackupProtocolLocal connection(0x01234567, "test", "backup/01234567/",
0, false);
MockBackupDaemon bbackupd(connection);
- TEST_THAT_OR(setup_test_bbackupd(bbackupd), FAIL);
+ TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd), FAIL);
// Test that sending a keepalive actually works, when the timeout has expired,
// but doesn't send anything at the beginning:
@@ -1948,9 +1942,9 @@ bool test_bbackupd_exclusions()
bbackupd.RunSyncNow();
TEST_THAT(!bbackupd.StorageLimitExceeded());
- // Check that the contents of the store are the same
- // as the contents of the disc
- TEST_COMPARE(Compare_Same, "-c testfiles/bbackupd-exclude.conf");
+ // Check that the contents of the store are the same
+ // as the contents of the disc
+ TEST_COMPARE_EXTRA(Compare_Same, "-c testfiles/bbackupd-exclude.conf");
BOX_TRACE("done.");
// BLOCK
@@ -2060,7 +2054,7 @@ bool test_bbackupd_responds_to_connection_failure()
MockBackupProtocolLocal client(0x01234567, "test",
"backup/01234567/", 0, false);
MockBackupDaemon bbackupd(client);
- TEST_THAT_OR(setup_test_bbackupd(bbackupd, false, false), FAIL);
+ TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd, false, false), FAIL);
TEST_THAT(::system("rm -f testfiles/notifyran.store-full.*") == 0);
std::auto_ptr<BackupClientContext> apClientContext;
@@ -2290,11 +2284,11 @@ bool test_read_only_dirs_can_be_restored()
#endif
bbackupd.RunSyncNow();
- TEST_COMPARE(Compare_Same, "", "-cEQ Test1 testfiles/TestDir1");
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1 testfiles/TestDir1");
// check that we can restore it
TEST_THAT(restore("Test1", "testfiles/restore1"));
- TEST_COMPARE(Compare_Same, "", "-cEQ Test1 testfiles/restore1");
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1 testfiles/restore1");
// Try a restore with just the remote directory name,
// check that it uses the same name in the local
@@ -2302,7 +2296,7 @@ bool test_read_only_dirs_can_be_restored()
TEST_THAT(::mkdir("testfiles/restore-test", 0700) == 0);
TEST_THAT(bbackupquery("\"lcd testfiles/restore-test\" "
"\"restore Test1\""));
- TEST_COMPARE(Compare_Same, "", "-cEQ Test1 "
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1 "
"testfiles/restore-test/Test1");
// put the permissions back to sensible values
@@ -2512,7 +2506,7 @@ bool test_unicode_filenames_can_be_backed_up()
// Check that bbackupquery can compare the dir when given
// on the command line in system encoding.
- TEST_COMPARE(Compare_Same, "", "-cEQ Test1/" + systemDirName +
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1/" + systemDirName +
" testfiles/TestDir1/" + systemDirName);
// Check that bbackupquery can restore the dir when given
@@ -2521,7 +2515,7 @@ bool test_unicode_filenames_can_be_backed_up()
"testfiles/restore-" + systemDirName));
// Compare to make sure it was restored properly.
- TEST_COMPARE(Compare_Same, "", "-cEQ Test1/" + systemDirName +
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1/" + systemDirName +
" testfiles/restore-" + systemDirName);
std::string fileToUnlink = "testfiles/restore-" +
@@ -2553,7 +2547,7 @@ bool test_unicode_filenames_can_be_backed_up()
// Compare to make sure it was restored properly. The Get
// command does restore attributes, so we don't need to
// specify the -A option for this to succeed.
- TEST_COMPARE(Compare_Same, "", "-cEQ Test1/" + systemDirName +
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1/" + systemDirName +
" testfiles/restore-" + systemDirName);
// Check that no read error has been reported yet
@@ -2709,7 +2703,7 @@ bool test_delete_update_and_symlink_files()
TEST_COMPARE(Compare_Same);
// Try a quick compare, just for fun
- TEST_COMPARE(Compare_Same, "", "-acqQ");
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-acqQ");
}
TEARDOWN_TEST_BBACKUPD();
@@ -3198,8 +3192,8 @@ bool test_excluded_files_are_not_backed_up()
BackupProtocolLocal2 client(0x01234567, "test", "backup/01234567/",
0, false);
MockBackupDaemon bbackupd(client);
-
- TEST_THAT_OR(setup_test_bbackupd(bbackupd,
+
+ TEST_THAT_OR(prepare_test_with_client_daemon(bbackupd,
true, // do_unpack_files
false // do_start_bbstored
), FAIL);
@@ -3215,8 +3209,8 @@ bool test_excluded_files_are_not_backed_up()
TEST_COMPARE_LOCAL(Compare_Same, client);
// compare without exclusions, should find differences
- // TEST_COMPARE(Compare_Different, "", "-acEQ");
- TEST_COMPARE_LOCAL(Compare_Different, client, "acEQ");
+ // TEST_COMPARE_EXTRA(Compare_Different, "", "-acEQ");
+ TEST_COMPARE_LOCAL_EXTRA(Compare_Different, client, "acEQ");
// check that the excluded files did not make it
// into the store, and the included files did
@@ -3619,7 +3613,7 @@ bool test_rename_operations()
TEST_COMPARE(Compare_Same);
// and again, but with quick flag
- TEST_COMPARE(Compare_Same, "", "-acqQ");
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-acqQ");
// Rename some files -- one under the threshold, others above
TEST_THAT(rename("testfiles/TestDir1/df324",
@@ -3919,7 +3913,7 @@ bool test_restore_deleted_files()
client.reset();
// Do a compare with the now undeleted files
- TEST_COMPARE(Compare_Same, "", "-cEQ Test1/x1 "
+ TEST_COMPARE_EXTRA(Compare_Same, "", "-cEQ Test1/x1 "
"testfiles/restore-Test1-x1-2");
}
@@ -4044,6 +4038,55 @@ bool test_parse_syncallowscript_output()
TEARDOWN_TEST_BBACKUPD();
}
+bool check_output_log_file_for_ssl_security_level_warnings(const std::string& log_file_name,
+ const std::string& sentinel_value)
+{
+ int old_num_failures = num_failures;
+
+ FileStream fs(log_file_name, O_RDONLY);
+ IOStreamGetLine getline(fs);
+ std::string line;
+ bool found_not_set = false, found_not_supported = false, found_sentinel = false;
+
+ while(fs.StreamDataLeft())
+ {
+ TEST_THAT(getline.GetLine(line, true, 30000)); // 30 seconds should be enough
+ TEST_THAT(line.size() >= 30);
+ if(line.size() < 30)
+ {
+ continue;
+ }
+
+ if(StartsWith("SSLSecurityLevel not set. Your connection may not "
+ "be secure.", line.substr(30)))
+ {
+ found_not_set = true;
+ }
+ else if(StartsWith("SSLSecurityLevel is set, but this Box Backup "
+ "is not compiled with OpenSSL 1.1 or higher", line.substr(30)))
+ {
+ found_not_supported = true;
+ }
+ else if(StartsWith(sentinel_value, line.substr(30)))
+ {
+ found_sentinel = true;
+ break;
+ }
+ }
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ TEST_THAT(!found_not_set); // We should set it in bbackupd-config
+ TEST_THAT(!found_not_supported); // And this message should never be logged
+#else
+ TEST_THAT(!found_not_supported); // We should not set it in bbackupd-config
+ TEST_THAT(!found_not_set); // And this message should never be logged
+#endif
+
+ TEST_THAT(found_sentinel); // Otherwise we're looking for the wrong thing!
+
+ return (num_failures == old_num_failures); // no new failures -> good
+}
+
bool test_bbackupd_config_script()
{
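Review bot: The offset `30` in check_output_log_file_for_ssl_security_level_warnings is an unexplained magic number used five times, and `line.substr(30)` is recomputed for every comparison. A named constant with a comment saying which prefix it skips (presumably the timestamp and level columns of the log line), plus one `const std::string message = line.substr(30);` per iteration, would keep the parser in step with the log format. The `#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL` and `#else` branches assert the same two conditions and differ only in their comments, so the preprocessor split can be dropped, or the branches made to differ if that was the intent. The same pair of identical branches is repeated in the in-process check added to test_bbackupd_config_script further down.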
@@ -4075,7 +4118,7 @@ bool test_bbackupd_config_script()
// Open the generated config file and add a StorePort line:
{
FileStream conf_file("testfiles/tmp/bbackupd.conf", O_WRONLY | O_APPEND);
- conf_file.IOStream::Write("StorePort = 22011\n");
+ conf_file.Write("StorePort = 22011\n");
conf_file.Close();
}
@@ -4122,8 +4165,8 @@ bool test_bbackupd_config_script()
TEST_RETURN_COMMAND(system(cmd.c_str()), 0, cmd)
bbstored_pid = StartDaemon(bbstored_pid, BBSTORED " " + bbstored_args +
- " -o testfiles/tmp/bbstored.log testfiles/tmp/bbstored.conf",
- "testfiles/bbstored.pid");
+ " -o testfiles/tmp/bbstored.log testfiles/tmp/bbstored.conf", "testfiles/bbstored.pid",
+ 22011);
{
Capture capture;
@@ -4131,7 +4174,7 @@ bool test_bbackupd_config_script()
BackupDaemon bbackupd;
TEST_THAT(
- setup_test_bbackupd(
+ prepare_test_with_client_daemon(
bbackupd,
true, // do_unpack_files
false, // !do_start_bbstored
@@ -4139,10 +4182,43 @@ bool test_bbackupd_config_script()
);
bbackupd.RunSyncNow();
+
+ std::vector<Capture::Message> messages = capture.GetMessages();
+ TEST_THAT(!messages.empty());
+ if (!messages.empty())
+ {
+ bool found_not_set = false, found_not_supported = false;
+ for(std::vector<Capture::Message>::iterator i = messages.begin();
+ i != messages.end(); i++)
+ {
+ if(StartsWith("SSLSecurityLevel not set. Your connection may not "
+ "be secure.", i->message))
+ {
+ found_not_set = true;
+ }
+ else if(StartsWith("SSLSecurityLevel is set, but this Box Backup "
+ "is not compiled with OpenSSL 1.1 or higher", i->message))
+ {
+ found_not_supported = true;
+ }
+ }
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ TEST_THAT(!found_not_set); // We should set it in bbackupd-config
+ TEST_THAT(!found_not_supported); // And this message should never be logged
+#else
+ TEST_THAT(!found_not_supported); // We should not set it in bbackupd-config
+ TEST_THAT(!found_not_set); // And this message should never be logged
+#endif
+ }
}
- TEST_THAT(compare(BackupQueries::ReturnCode::Compare_Same,
+ TEST_THAT(compare_external(BackupQueries::ReturnCode::Compare_Same,
"-otestfiles/tmp/bbackupquery.log", "-acQ", "testfiles/tmp/bbackupd.conf"));
+ TEST_THAT(check_output_log_file_for_ssl_security_level_warnings("testfiles/tmp/bbackupquery.log",
+ "Connecting to store"));
+ TEST_THAT(check_output_log_file_for_ssl_security_level_warnings("testfiles/tmp/bbstored.log",
+ "Forked child process"));
TEST_THAT(StopServer());
#endif // !WIN32
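Review bot: The in-process check on `capture.GetMessages()` only proves that neither warning prefix matched, and unlike check_output_log_file_for_ssl_security_level_warnings it has no positive control. If `i->message` carried any leading prefix, both `TEST_THAT(!found_...)` assertions would pass without testing anything. Asserting that one known message is found with the same `StartsWith` call would close that gap. The loop can also use a `const_iterator`, since it never modifies `messages`. test_bbackupd_config_script starts and ends outside this hunk.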
@@ -4150,7 +4226,6 @@ bool test_bbackupd_config_script()
TEARDOWN_TEST_BBACKUPD();
}
-
int test(int argc, const char *argv[])
{
// SSL library