nginx
diff --git a/‎access_log.t
+1-1 b/‎access_log.t
+1-1
diff --git a/‎lib/Test/Nginx.pm
+21-2 b/‎lib/Test/Nginx.pm
+21-2
diff --git a/‎ssl_certificate.t
+38-48 b/‎ssl_certificate.t
+38-48
diff --git a/‎ssl_certificate_perl.t
+9-32 b/‎ssl_certificate_perl.t
+9-32
@@ -161,11 +161,11 @@ http_get('/varlog?logname=0');
 http_get('/varlog?logname=filename');
 
 my $s = http('', start => 1);
-http_get('/addr', socket => $s);
 my $addr = $s->sockhost();
 my $port = $s->sockport();
 my $saddr = $s->peerhost();
 my $sport = $s->peerport();
+http_get('/addr', socket => $s);
 
 http_get('/binary');
 
 
@@ -838,24 +838,41 @@ sub http($;%) {
 	my $s = http_start($request, %extra);
 
 	return $s if $extra{start} or !defined $s;
-	return http_end($s);
+	return http_end($s, %extra);
 }
 
 sub http_start($;%) {
 	my ($request, %extra) = @_;
 	my $s;
 
+	my $port = $extra{SSL} ? 8443 : 8080;
+
 	eval {
 		local $SIG{ALRM} = sub { die "timeout\n" };
 		local $SIG{PIPE} = sub { die "sigpipe\n" };
 		alarm(8);
 
 		$s = $extra{socket} || IO::Socket::INET->new(
 			Proto => 'tcp',
-			PeerAddr => '127.0.0.1:' . port(8080)
+			PeerAddr => '127.0.0.1:' . port($port),
+			%extra
 		)
 			or die "Can't connect to nginx: $!\n";
 
+		if ($extra{SSL}) {
+			require IO::Socket::SSL;
+			IO::Socket::SSL->start_SSL(
+				$s,
+				SSL_verify_mode =>
+					IO::Socket::SSL::SSL_VERIFY_NONE(),
+				%extra
+			)
+				or die $IO::Socket::SSL::SSL_ERROR . "\n";
+
+			log_in("ssl cipher: " . $s->get_cipher());
+			log_in("ssl cert: " . $s->peer_certificate('issuer'));
+		}
+
 		log_out($request);
 		$s->print($request);
 
@@ -890,6 +907,8 @@ sub http_end($;%) {
 		local $/;
 		$reply = $s->getline();
 
+		$s->close();
+
 		alarm(0);
 	};
 	alarm(0);
 
@@ -17,29 +17,15 @@ use Socket qw/ CRLF /;
 BEGIN { use FindBin; chdir($FindBin::Bin); }
 
 use lib 'lib';
-use Test::Nginx;
+use Test::Nginx qw/ :DEFAULT http_end /;
 
 ###############################################################################
 
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-eval {
-	require Net::SSLeay;
-	Net::SSLeay::load_error_strings();
-	Net::SSLeay::SSLeay_add_ssl_algorithms();
-	Net::SSLeay::randomize();
-};
-plan(skip_all => 'Net::SSLeay not installed') if $@;
-
-eval {
-	my $ctx = Net::SSLeay::CTX_new() or die;
-	my $ssl = Net::SSLeay::new($ctx) or die;
-	Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
-};
-plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@;
-
-my $t = Test::Nginx->new()->has(qw/http http_ssl geo openssl:1.0.2/)
+my $t = Test::Nginx->new()
+	->has(qw/http http_ssl geo openssl:1.0.2 socket_ssl_sni/)
 	->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
@@ -67,6 +53,7 @@ http {
     }
 
     add_header X-SSL $ssl_server_name:$ssl_session_reused;
+    add_header X-SSL-Protocol $ssl_protocol;
     ssl_session_cache shared:SSL:1m;
     ssl_session_tickets on;
 
@@ -177,60 +164,63 @@ like(get('password', 8083), qr/password/, 'ssl_password_file');
 
 # session reuse
 
-my ($s, $ssl) = get('default', 8080);
-my $ses = Net::SSLeay::get_session($ssl);
+my $s = session('default', 8080);
 
-like(get('default', 8080, $ses), qr/default:r/, 'session reused');
+TODO: {
+local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
+	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
+local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
+	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
+
+like(get('default', 8080, $s), qr/default:r/, 'session reused');
 
 TODO: {
 # ticket key name mismatch prevents session resumption
 local $TODO = 'not yet' unless $t->has_version('1.23.2');
 
-like(get('default', 8081, $ses), qr/default:r/, 'session id context match');
+like(get('default', 8081, $s), qr/default:r/, 'session id context match');
 
+}
 }
 
-like(get('default', 8082, $ses), qr/default:\./, 'session id context distinct');
+like(get('default', 8082, $s), qr/default:\./, 'session id context distinct');
 
 # errors
 
-Net::SSLeay::ERR_clear_error();
-get_ssl_socket('nx', 8084);
-ok(Net::SSLeay::ERR_peek_error(), 'no certificate');
+ok(!get('nx', 8084), 'no certificate');
 
 ###############################################################################
 
 sub get {
-	my ($host, $port, $ctx) = @_;
-	my ($s, $ssl) = get_ssl_socket($host, $port, $ctx) or return;
+	my $s = get_socket(@_) || return;
+	return http_end($s);
+}
 
-	local $SIG{PIPE} = 'IGNORE';
+sub cert {
+	my $s = get_socket(@_) || return;
+	return $s->dump_peer_certificate();
+}
 
-	Net::SSLeay::write($ssl, 'GET / HTTP/1.0' . CRLF . CRLF);
-	my $r = Net::SSLeay::read($ssl);
-	Net::SSLeay::shutdown($ssl);
-	$s->close();
-	return $r unless wantarray();
-	return ($s, $ssl);
+sub session {
+	my $s = get_socket(@_) || return;
+	http_end($s);
+	return $s;
 }
 
-sub cert {
+sub get_socket {
 	my ($host, $port, $ctx) = @_;
-	my ($s, $ssl) = get_ssl_socket($host, $port, $ctx) or return;
-	Net::SSLeay::dump_peer_certificate($ssl);
+	return http_get(
+		'/', start => 1, PeerAddr => '127.0.0.1:' . port($port),
+		SSL => 1,
+		SSL_hostname => $host,
+		SSL_session_cache_size => 100,
+		SSL_session_key => 1,
+		SSL_reuse_ctx => $ctx
+	);
 }
 
-sub get_ssl_socket {
-	my ($host, $port, $ses) = @_;
-
-	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
-	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
-	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
-	Net::SSLeay::set_tlsext_host_name($ssl, $host);
-	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
-	Net::SSLeay::set_fd($ssl, fileno($s));
-	Net::SSLeay::connect($ssl);
-	return ($s, $ssl);
+sub test_tls13 {
+	return get('default', 8080) =~ /TLSv1.3/;
 }
 
 ###############################################################################
@@ -22,23 +22,8 @@ use Test::Nginx;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-eval {
-	require Net::SSLeay;
-	Net::SSLeay::load_error_strings();
-	Net::SSLeay::SSLeay_add_ssl_algorithms();
-	Net::SSLeay::randomize();
-};
-plan(skip_all => 'Net::SSLeay not installed') if $@;
-
-eval {
-	my $ctx = Net::SSLeay::CTX_new() or die;
-	my $ssl = Net::SSLeay::new($ctx) or die;
-	Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
-};
-plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@;
-
 my $t = Test::Nginx->new()
-	->has(qw/http http_ssl perl openssl:1.0.2/)
+	->has(qw/http http_ssl perl openssl:1.0.2 socket_ssl_sni/)
 	->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
@@ -66,7 +51,7 @@ http {
     ';
 
     server {
-        listen       127.0.0.1:8080 ssl;
+        listen       127.0.0.1:8443 ssl;
         server_name  localhost;
 
         ssl_certificate data:$pem;
@@ -98,27 +83,19 @@ $t->run()->plan(2);
 
 ###############################################################################
 
-like(cert('one', 8080), qr/CN=one/, 'certificate');
-like(cert('two', 8080), qr/CN=two/, 'certificate 2');
+like(cert('one'), qr/CN=one/, 'certificate');
+like(cert('two'), qr/CN=two/, 'certificate 2');
 
 ###############################################################################
 
 sub cert {
-	my ($host, $port) = @_;
-	my ($s, $ssl) = get_ssl_socket($host, $port) or return;
-	Net::SSLeay::dump_peer_certificate($ssl);
+	my $s = get_socket(@_) || return;
+	return $s->dump_peer_certificate();
 }
 
-sub get_ssl_socket {
-	my ($host, $port) = @_;
-
-	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
-	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
-	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
-	Net::SSLeay::set_tlsext_host_name($ssl, $host);
-	Net::SSLeay::set_fd($ssl, fileno($s));
-	Net::SSLeay::connect($ssl) or die("ssl connect");
-	return ($s, $ssl);
+sub get_socket {
+	my $host = shift;
+	return http_get('/', start => 1, SSL => 1, SSL_hostname => $host);
 }
 
 ###############################################################################