From 7986037b59009dc745c8dcb2a8469f4feeb10058 Mon Sep 17 00:00:00 2001 
From: Quentin Gliech Date: Wed, 12 Oct 2022 15:33:11 +0200 Subject: [PATCH] Way better mas-listener demo --- crates/listener/Cargo.toml | 3 +- .../listener/examples/demo/certs/ca-key.pem | 27 ++++++++ crates/listener/examples/demo/certs/ca.csr | 17 +++++ crates/listener/examples/demo/certs/ca.json | 16 +++++ crates/listener/examples/demo/certs/ca.pem | 22 +++++++ .../examples/demo/certs/client-key.pem | 27 ++++++++ .../listener/examples/demo/certs/client.csr | 17 +++++ .../listener/examples/demo/certs/client.json | 18 ++++++ .../listener/examples/demo/certs/client.pem | 23 +++++++ .../listener/examples/demo/certs/config.json | 25 ++++++++ crates/listener/examples/demo/certs/gen.sh | 11 ++++ .../examples/demo/certs/server-key.pem | 27 ++++++++ .../listener/examples/demo/certs/server.csr | 17 +++++ .../listener/examples/demo/certs/server.json | 18 ++++++ .../listener/examples/demo/certs/server.pem | 23 +++++++ crates/listener/examples/demo/main.rs | 63 +++++++++++++++++-- 16 files changed, 347 insertions(+), 7 deletions(-) create mode 100644 crates/listener/examples/demo/certs/ca-key.pem create mode 100644 crates/listener/examples/demo/certs/ca.csr create mode 100644 crates/listener/examples/demo/certs/ca.json create mode 100644 crates/listener/examples/demo/certs/ca.pem create mode 100644 crates/listener/examples/demo/certs/client-key.pem create mode 100644 crates/listener/examples/demo/certs/client.csr create mode 100644 crates/listener/examples/demo/certs/client.json create mode 100644 crates/listener/examples/demo/certs/client.pem create mode 100644 crates/listener/examples/demo/certs/config.json create mode 100644 crates/listener/examples/demo/certs/gen.sh create mode 100644 crates/listener/examples/demo/certs/server-key.pem create mode 100644 crates/listener/examples/demo/certs/server.csr create mode 100644 crates/listener/examples/demo/certs/server.json create mode 100644 crates/listener/examples/demo/certs/server.pem 
diff --git a/crates/listener/Cargo.toml b/crates/listener/Cargo.toml index 93301c61..c16ed77b 100644 --- a/crates/listener/Cargo.toml +++ b/crates/listener/Cargo.toml @@ -20,9 +20,10 @@ tracing = "0.1.37" libc = "0.2.135" [dev-dependencies] -tokio-test = "0.4.2" anyhow = "1.0.65" +rustls-pemfile = "1.0.1" tokio = { version = "1.21.2", features = ["net", "rt", "macros", "signal", "time", "rt-multi-thread"] } +tokio-test = "0.4.2" tracing-subscriber = "0.3.16" [[example]] diff --git a/crates/listener/examples/demo/certs/ca-key.pem b/crates/listener/examples/demo/certs/ca-key.pem new file mode 100644 index 00000000..34cbcf2a --- /dev/null +++ b/crates/listener/examples/demo/certs/ca-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA58uTeW5C7RkjeO+SeBsBhMzkyTrLwLtyVOSTY85bGxiy6UST +1jFpPqdn+BZJEj/mM9QJ7MXxtYJHtXpEeAehjn0hU9n2ozq09BlqlXUvIV4Zuehu +lRdWEGIb5VkruGXeG4SRu9Iiw87x0w8AZ+deK9T1ZK9OeTrwPdfQtDOvazDdGpZB +RGyGKljuI1LGAXSwEaw9t1rMEqubNAJLZnpJxMcSfxHibN5kSaoqnbQ+PxltCwnJ +DNGtNIIzp4Q1gG8fanUiDlIdtEbrsmtwIgbWKZncqHURZJYIZZ785qExku4ydaDy +11a/VmQ5PtJ7Bwoxdq45gKXcHH/RaamrYpFy+wIDAQABAoIBAFiu6KOC7hQslAfH +ETDmlDQs+DONTTtV/C5Cral34B+D2Z+p3y4KBYw1HHAshpR24ipeK9Xs/cdGKw1h +1CRgNw1/Dms4b0aQRX9G4iKAjSGlEQ6xwO1F2mW2Q5oB/do1Dz9T/zXu9eIYoSjx +CmS2fq8icSiuccWsKRJgKbdoNus5MjBfcE79QdzxvCm1jo/SCf9gqaIBK3FogFcl +GMQJulpSopx0o7/jXkbrHbJ2liaxVXEBzqWQbTVmxRUz2xGEakc/uKdiQ7LOYHbm +3hzRqc5kYW87IVq2Nb1y956/1Nuld+DdhF8hCNlcZnnrHq/CVPsOIJ1KlZTlXZML +yJGBkqECgYEA/cr1kVy207tznYhVA2Xw/WH5V2pPTP9gVKxgf1vO1q6Iv1px6VS+ +A80oTqxtqzH/9zAD442P1zEIE4TJdLfPab/OjxAtlOCfxj965DApspFu9+/Te0fo +EFbuD9hXB5iG8XX69eKbs0uJnRdEtb3vibzHEPLg7SWFaApRI6etTukCgYEA6c+k +RiXZ1LcvYr5hlrD9XA1WD95NK9wZvX9t2cCFcdx3aIgYoU4f8kdxakVmv9avxHJr +2tgxnW7INHlMgU5BNcMNU47trS7dxqszzF8mznG8bOc5DXyDVA0M4oB2B3lzU6Nm +JNllGfGvLeK5PNqAW4GYTSwHbljmlFS79Ptf7EMCgYEAy1p0qaTAWac5XGCAvdhQ +4LZAM+ra37dAWJhGOcY2VY5DxA+UdoGQPzuDsIY42ZOWpVmzxAEJ4ENJVVpwkTU2 +3GTz/W3ZGBFj9FWpAm4U+x/M6p0ftwhGydDdr5SJJ2zvs0n1bE/GskM0YMrkIzut +U5APcWUrFNmbq2GY4hjYpQECgYEA4wzq/9vd7z183Kz4Y7e4Md4ZhwtfcYopzOWk +LWNRs0JfCrmvAWW2jDZoosSGhSDcSy66Iijz9WgRLzPj4WW22ZhypoQTtqveXgD/ +KiX0r2GvkynvM3OIrOSHcKVC+PstzTjOBla+YTVb4nlbXQbqwvHUjoyFItleAQlQ +BRTfD7UCgYEAsmy5/tW1+X954cR64kvBDDv47KbYJZK8vb1veJOBdAGdK8+Cbv/9 +sXDDML8wia66Pvn3gOZZszrbabqqYEC2BV7i56etjxrAYoLzoeF1WXKUBC+jWkfp +psaszCgX5xCf/GFpnLd4e0rZmQBQzNeL/RzrkRuvNGjx/VtSZ3amhTw= +-----END RSA PRIVATE KEY----- diff --git a/crates/listener/examples/demo/certs/ca.csr b/crates/listener/examples/demo/certs/ca.csr new file mode 100644 index 00000000..cb32c639 --- /dev/null +++ b/crates/listener/examples/demo/certs/ca.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICujCCAaICAQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lz +Y28xCzAJBgNVBAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNV +BAsTCk9yZyBVbml0IDExEjAQBgNVBAMTCU15IG93biBDQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOfLk3luQu0ZI3jvkngbAYTM5Mk6y8C7clTkk2PO +WxsYsulEk9YxaT6nZ/gWSRI/5jPUCezF8bWCR7V6RHgHoY59IVPZ9qM6tPQZapV1 +LyFeGbnobpUXVhBiG+VZK7hl3huEkbvSIsPO8dMPAGfnXivU9WSvTnk68D3X0LQz +r2sw3RqWQURshipY7iNSxgF0sBGsPbdazBKrmzQCS2Z6ScTHEn8R4mzeZEmqKp20 +Pj8ZbQsJyQzRrTSCM6eENYBvH2p1Ig5SHbRG67JrcCIG1imZ3Kh1EWSWCGWe/Oah +MZLuMnWg8tdWv1ZkOT7SewcKMXauOYCl3Bx/0Wmpq2KRcvsCAwEAAaAAMA0GCSqG +SIb3DQEBCwUAA4IBAQBiCczhqMP1h0ArkBemwQXDCAlFm0wvAzBfPnnUobZwktu5 +1H1MSIc8MSIPbU8Z+skVTJ7R8wHr+qV712v6CcSuC+CZqqdh4slXNNIe7VK/orzl +wJ342uAj9wUWhFlR7/5JhalsfCHtpt8M8Fi1Xt5wKQwuYnH377hKOfiI/30iyNAl +gfxLm+NFEVywAbtCuFYsBIkd9tIxHObdMiQEJaAfFXYgVUaBgAFgheXkgefRLmcy +/uVUAI38LENiVZhoKuY1Gbs2nH+W5ea4VEHc7CJjRWoNJ9XIubsxPYIHuowS7phK +ThfK14BqpyvNgvCDIDELNZ9a6GW9TZz7P8/ZmYwa +-----END CERTIFICATE REQUEST----- diff --git a/crates/listener/examples/demo/certs/ca.json b/crates/listener/examples/demo/certs/ca.json new file mode 100644 index 00000000..1e8818a1 --- /dev/null +++ b/crates/listener/examples/demo/certs/ca.json @@ -0,0 +1,16 @@ +{ + "CN": "My own CA", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "CA", + "O": "My Company Name", + "ST": "San Francisco", + "OU": "Org Unit 1" + } + ] +} diff --git a/crates/listener/examples/demo/certs/ca.pem b/crates/listener/examples/demo/certs/ca.pem new file mode 100644 index 00000000..33298e03 --- /dev/null +++ b/crates/listener/examples/demo/certs/ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgIUZJIz+zgaa4BBKcNcHNu03FOKS/cwDQYJKoZIhvcNAQEL +BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV +BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0yMjEwMTIxMzI4MDBaFw0yNzEw +MTExMzI4MDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv +MQswCQYDVQQHEwJDQTEYMBYGA1UEChMPTXkgQ29tcGFueSBOYW1lMRMwEQYDVQQL +EwpPcmcgVW5pdCAxMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDny5N5bkLtGSN475J4GwGEzOTJOsvAu3JU5JNjzlsb +GLLpRJPWMWk+p2f4FkkSP+Yz1AnsxfG1gke1ekR4B6GOfSFT2fajOrT0GWqVdS8h +Xhm56G6VF1YQYhvlWSu4Zd4bhJG70iLDzvHTDwBn514r1PVkr055OvA919C0M69r +MN0alkFEbIYqWO4jUsYBdLARrD23WswSq5s0AktmeknExxJ/EeJs3mRJqiqdtD4/ +GW0LCckM0a00gjOnhDWAbx9qdSIOUh20Ruuya3AiBtYpmdyodRFklghlnvzmoTGS +7jJ1oPLXVr9WZDk+0nsHCjF2rjmApdwcf9FpqatikXL7AgMBAAGjQjBAMA4GA1Ud +DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTjbc5p6QbiplBV +VxQ2gmUJ+VTciDANBgkqhkiG9w0BAQsFAAOCAQEAFRsqSDiq5+Yvt8DC/5h5Ykgv +l41W8VQK1xlc2DKIfZ/Rnf1PP4kxxv0KyFtPAUuDeuJSJqaHsC4l9itLWMhM1M7K +g5qlrYP128C+KdC3cSkP8XttzVkhF/ffLWLPENRgRV2DldRW8G/omVbBeXdIKbK5 +AYGEkliVK+zilNYax9VapgBdsAZEu/8O93/zWxVh1THa1PUvgLVy+xRNxhT3NenF +T/AMRPoRCyy3M0CsBC/k0uqtCGBB6n6HLj0kTG8cY1KiVu3aB+P8yUikxNMpYNgw +l2/J0nlPbsRiYPprT1PDcMEUto+ehGcrWZ6nSzbBEvRLeMvJhcJMNnKNKCsS8w== +-----END CERTIFICATE----- diff --git a/crates/listener/examples/demo/certs/client-key.pem b/crates/listener/examples/demo/certs/client-key.pem new file mode 100644 index 00000000..dae5e5f0 --- /dev/null +++ b/crates/listener/examples/demo/certs/client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAzZAP8nRL/+enJwbTKDm6gyd6tmU6o+8YWUMJdriXmPhOlePA +nrWWKbFlVhZhCkjoOWR4K94rCFMZ2rjsxIEBBO46SjKZ2D5La6hSOmXxbCevZRTC +c+8rRX7fwF8zsvTdaSgCAW8OKlqMWIwm/2d6tvzakEwZsk8gJdqjww+VYIxvmbFU +dCe4I20PrfkARa/BH7ZkFGCyQgn7riaZmRUIqKcBWd5uEMhHTOySXXRrmS7vfyZ0 +/X01U0nBqhxUgtDhKc1hll3lQ2BjvkU2dbt9+mWD4XZDsWenbMU+9sAX9rQTgqzD +YgJGotUK68n/XqNuDNEyOubdDyLICLD92ItnDQIDAQABAoIBADmrWu34NoIaqUhH +n+G/IFY/MywMhkELiNcx+Wu3KcCemN1wQc/EvdYAkJ9wM9VA0vWW/CfCcmwpdC1q +h/IxBuotM2kxfPuvrlULqdX8V5iyIYDILC1+QbODfp5nlwdzrtIbiUSBtYWoVYtZ +9m7cxw6jLWYiE2t0y14TUrIcoxmsiymmAemt1/8EuxU6ZIw4TlMAPcYxzy36iDJK +9er7iUeTl7GY/gojmD//tO92qjbOzTboAvL5NaYmAVTJTJg6z8c59884KgIx68gQ +R8gBmFJSNLm/+n9jkSmfABghJr18f2+Ys0d/d1ckITbzIbOUNhmtuYjD/t0UPdD5 +cMUVWvkCgYEA/KtMrhle9rFz1ttqg449SxgYfgyXCxxDwdQYoidF5EgkgLrACcY+ +eheCKaTiwGG7oT9j4Uak38sSrAYy3E3s82bhhzOd+CoSaRumW9VQ3WVaBSF80HLi +3gykSTP4QMzGGa6jSsXfPriugX9cF4tNfNbSB28GjAh4fqsakdPB7XMCgYEA0EXK +GoKNsjNj/KxGHX+LtgEtGzZwDJH+KzFP0ow3SYmgyFbt1MdFdX7SWZVnSi0a3MaG +GEDo3eGcGAYtHoRf7rxMFC4eZRZ3FPqd9w4BFN+j8cJ/q6vuA4grvakkz3gUZG0j +sOoSK/DJGrAQxnRgshxL0Fd0DSzUEqgW4o6oOX8CgYEAhSEw5u7BRZRcZ9H2flic +3QtWJFw33YfH/8HkNNQilFSavyUm+D93PddTIuQZAaq9NQn0c4dIag5SyUb+12tL +tTf5DsbYriBk0PLbpblwwSac1uU9IYvXE45vpY53eJUsr+1/Zm954E9oyxyzBkjE +zElYIsiSF4iDDKLU/g8oOBcCgYBTCiBkpXz9egP5sG5cQIhhzuI/IVtXh7YBXq3m +0sUQavFSL2awGauWBzSzRyBhsM4vDHBWpzqxjMyBv6SpsDnXo/fpa+HuiCB+mtX0 +tP61Zd2l/NiOiARkIBzgh9oHZmcrC2DZntoT7vMf0uc9WRVcrm+D5/p7bk44ChDl +z98+3QKBgQDUoPGFF4j/pQPJztTDr3aXMUrHw7jTc7zilcYAkINijLhjgEEasQHU +AnQLRhRt7W8M++9Jjv42rvXVi/0lZs/bv1znnNde2w40W4rBPcairbVSiv+nug81 +fD1DeBwtqnApSAurg6LOoMvcC1XmwJpgNqOgwtirN1df/fLMwltm7A== +-----END RSA PRIVATE KEY----- diff --git a/crates/listener/examples/demo/certs/client.csr b/crates/listener/examples/demo/certs/client.csr new file mode 100644 index 00000000..780d49d1 --- /dev/null +++ b/crates/listener/examples/demo/certs/client.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICtTCCAZ0CAQAwQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQDEwZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDNkA/ydEv/56cnBtMoObqDJ3q2ZTqj7xhZQwl2uJeY ++E6V48CetZYpsWVWFmEKSOg5ZHgr3isIUxnauOzEgQEE7jpKMpnYPktrqFI6ZfFs +J69lFMJz7ytFft/AXzOy9N1pKAIBbw4qWoxYjCb/Z3q2/NqQTBmyTyAl2qPDD5Vg +jG+ZsVR0J7gjbQ+t+QBFr8EftmQUYLJCCfuuJpmZFQiopwFZ3m4QyEdM7JJddGuZ +Lu9/JnT9fTVTScGqHFSC0OEpzWGWXeVDYGO+RTZ1u336ZYPhdkOxZ6dsxT72wBf2 +tBOCrMNiAkai1Qrryf9eo24M0TI65t0PIsgIsP3Yi2cNAgMBAAGgLTArBgkqhkiG +9w0BCQ4xHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0B +AQsFAAOCAQEAZi9gWV6e5cYNRpznUh82ASNHhF2FhA7wwjyK1I+4uJ47ZEPnle1G +j4x+7DWveX6b6DdMxzJdu4mXlYbAxqeCqBkBRS5tq03ZbioAuzjo4987jO5XO1SO +X+1VRIWWEP71Nov4v/2izZeH3XA1yGsb64ThVWeeytdMll/Ih93T9xb+O9i5ppuj +I/KtQodDPJpRZ1fQm7fCekt3dZxw/o57NmtcDk0/VaKqfajk+/Lxz5s2j+Ic+882 +3XvXqnDpo3IxKhOXag/vuBlYh8stZr/NTlblN1kVvBr5hwFnQPjO4cYs8WDpGy4R +LfKf3YyAGNwHDX43RGjUxmMfIgcDuvzWTg== +-----END CERTIFICATE REQUEST----- diff --git a/crates/listener/examples/demo/certs/client.json b/crates/listener/examples/demo/certs/client.json new file mode 100644 index 00000000..bc2d3d5e --- /dev/null +++ b/crates/listener/examples/demo/certs/client.json @@ -0,0 +1,18 @@ +{ + "CN": "client", + "hosts": [ + "localhost", + "127.0.0.1" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "ST": "CA", + "L": "San Francisco" + } + ] +} diff --git a/crates/listener/examples/demo/certs/client.pem b/crates/listener/examples/demo/certs/client.pem new file mode 100644 index 00000000..0fae8530 --- /dev/null +++ b/crates/listener/examples/demo/certs/client.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID2TCCAsGgAwIBAgIUPlKsaVgzM0KLAHeCoQElYYBk9rIwDQYJKoZIhvcNAQEL +BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV +BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0yMjEwMTIxMzI4MDBaFw0yNzEw +MTExMzI4MDBaMEMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN +U2FuIEZyYW5jaXNjbzEPMA0GA1UEAxMGY2xpZW50MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAzZAP8nRL/+enJwbTKDm6gyd6tmU6o+8YWUMJdriXmPhO +lePAnrWWKbFlVhZhCkjoOWR4K94rCFMZ2rjsxIEBBO46SjKZ2D5La6hSOmXxbCev +ZRTCc+8rRX7fwF8zsvTdaSgCAW8OKlqMWIwm/2d6tvzakEwZsk8gJdqjww+VYIxv +mbFUdCe4I20PrfkARa/BH7ZkFGCyQgn7riaZmRUIqKcBWd5uEMhHTOySXXRrmS7v +fyZ0/X01U0nBqhxUgtDhKc1hll3lQ2BjvkU2dbt9+mWD4XZDsWenbMU+9sAX9rQT +gqzDYgJGotUK68n/XqNuDNEyOubdDyLICLD92ItnDQIDAQABo4GSMIGPMA4GA1Ud +DwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G +A1UdDgQWBBQTZnmyh9yldA1I/p45TvZTJwYeGTAfBgNVHSMEGDAWgBTjbc5p6Qbi +plBVVxQ2gmUJ+VTciDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZI +hvcNAQELBQADggEBAF9wkW1bVCi4HW+3IQR8eVhfwAr6PILhwdVvW7iJyXv8c/oa +NP5SQeunvRXYZqUvplWCRF6GDfN2OXe/RXCKCevvHyU1kihoYEndMx2ETqJiNJEf +kXMdhHLqu9lx2pZ8uPJjsXbhT4T//fCtWhUZjsSKDa2Paa72jTzGbGwkD6lY3Fz6 +KOAPeKiRecoY55w/NlXnVoqPhJ0qSIWl7F0PrgUPWFoOaRev6q9U/zDLWLnaWVWS +iA3eNSZSISm9vPqodt+FRJhTU8CYkY20fqBlfXRrnTeKS/Ydr6axNXRQxIjazs77 +/XMw/YTeYzzimRkfUpQzBbe1wOL7yKA6IdaYhrs= +-----END CERTIFICATE----- diff --git a/crates/listener/examples/demo/certs/config.json b/crates/listener/examples/demo/certs/config.json new file mode 100644 index 00000000..c1b7aa80 --- /dev/null +++ b/crates/listener/examples/demo/certs/config.json @@ -0,0 +1,25 @@ +{ + "signing": { + "default": { + "expiry": "43800h" + }, + "profiles": { + "server": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + }, + "client": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "client auth" + ] + } + } + } +} 
diff --git a/crates/listener/examples/demo/certs/gen.sh b/crates/listener/examples/demo/certs/gen.sh
new file mode 100644
index 00000000..4ce16dcc
--- /dev/null
+++ b/crates/listener/examples/demo/certs/gen.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Script to regenerate the server and client certificate
+
+set -eux
+
+cd "$(dirname "$0")"
+rm -f ./*.pem ./*.csr
+cfssl gencert -config=config.json -initca ca.json | cfssljson -bare ca
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=server server.json | cfssljson -bare server
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=client client.json | cfssljson -bare client
diff --git a/crates/listener/examples/demo/certs/server-key.pem b/crates/listener/examples/demo/certs/server-key.pem
new file mode 100644
index 00000000..c13612d8
--- /dev/null
+++ b/crates/listener/examples/demo/certs/server-key.pem
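Review bot: gen.sh leaves `ca-key.pem` on disk after signing and the commit checks it in, although the visible `main.rs` only embeds `ca.pem`, `server.pem` and `server-key.pem`; a committed CA key means every certificate chaining to `ca.pem` has to be treated as untrusted outside this demo. Since the script re-creates the CA on every run anyway, it could end with `rm -f ca-key.pem` and carry a header comment such as `# All material in this directory is public demo data; never trust ca.pem outside the example.` Separately, `rm -f ./*.pem ./*.csr` runs before anything confirms the tools exist, so a machine without cfssl loses the files that `include_bytes!` needs; a guard like `command -v cfssl cfssljson >/dev/null` placed before the `rm` avoids that.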
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyZLpvV/upF9rm5WgWsWuXJDmST615NKEJ8PgahH7ix9G9LrG +h9ZDsAcrDbjOuIMx9SN4TH8ZOBVqG2RFOsvhyaYgRoy1ofq6Vgkay35iLVvw6cKH +qQ/T6Lt1ku8j1kS7y2PF3na/yXRAoCroXV8wKusKeXJmNc/cr0paucOYwOOhPsvh +4OA0BZ9yhosuAHwJ+HShujrk9UK7qUOj+xUBQpZBlun9bu5vwI1r6uLH+EwgoJ4V +iSj9Mio8fyc7GyHp7qreUmW59xKWoupsWrlfS5cnSGRiDMdOkoui9p2kO6o119aD +liHlAWkKK+hGHJIlMDAsH0jZT7y/KmYSAo/X6QIDAQABAoIBAHDTrceVSdNxoZ7N +ipskaStg47V9x3xUJSrI5fUZKa4+jI3xeayQzwRZjsy4c+Utciofd3eB8NDGk8TP +RDzb3/7p4Mj8e7I10FTV9cyPak6vVtLRUvPbayaqvu3Gs0183YzDxP53g3Q0gPPl +8HhLDoAHXa6KzREzzvfC67Ns+zSDdi1AOjZiOplgirG7t4qOKpRdJ1c+1e9l4ifF +838Qh4ZdrDiYYsM1ixyWMaBKTeLjn8GAllFm3a4Ayjwf0ooiNMm3BmeqHBLRt7oG +faGoEJjCYsYUiWYwAYdnvJjk0lNGqdmEvr3YwcccncNIhsqW1vyNSLq/rrAG0uDZ +O9Z9UYECgYEA9Xwr6y3nxnb8ygv4bFI4DJpAY7Mz7mrNNd+umfSbdPGTPqWU3iH+ +FwV1DOcxFO620iF40y85pfdNrnIyZir5/s9B+wLufC8yHvdPuGDENP1o3K5EvJIj +7pivcsSdAa8/N7f5f1aRmqLgudaFvBqqVkGe5TkDee5sHQkjBKU7W/kCgYEA0jU9 +iGAaJjIVL2rONM59AwYmCSPXT6hHxfdOUm+vhjmKfffv5ounhYMm1/ApRXafO5q6 +4IKHXxFkCbMyIM3QwwtlZdJI+zYbZFH2FauaVB+AF5Wc+w3NaN757K3LfZTj4kyQ +l0dSCwR4L9djp7jTuDamEIc0QfsZ6fbNe+xX93ECgYAT49GzJm8HF5D31ex06lx8 +OOtKqLRmduTVnqAI/VazLPefNc9QCDUMLHcFap4Bci4B7JBbnBHxro3uunX27TiA +Os6/xccI7NIEzEj7SWvcV0PtzXjoRnb+2AQvKlsGTeqzWwauGJeHjfbjV8xSJ17x +yjNTo0Dy2iyMVbcuoyyiEQKBgQDLz/E8ZCmWdSLTWdRboQXWw8RnQkgGJRyKFpHr +HfzqwKnGH3qMZ0XjDtm/r0zk2/HiAdFF02lbxOng+c0Vv1i1dDw5MF2wrLJ8X3eh +ZUP6Ypx4wYh2ZtiN4Pwj/hJ6Tb1yclgTRYSHyCqcAFPQkEU/rETxa5ZAjy1+Ct0L +VYmpEQKBgQC3fwjnDk6CmT9p140J7PBybJ/yTl266y6j35JDqGqEupc7DNb0C8dc +3IbOF+yWd9nxJ66URBPen83wn5864hmTeU9rmDRrh2jkzxKuyOFbPBtM1Q7Uy6it +HpDDA/ky4m2sVyuv4TuE93WkDQbXlxtYc0wnCWx0mkPIYkAxmUO4Rg== +-----END RSA PRIVATE KEY----- diff --git a/crates/listener/examples/demo/certs/server.csr b/crates/listener/examples/demo/certs/server.csr new file mode 100644 index 00000000..ab7a923c --- /dev/null +++ b/crates/listener/examples/demo/certs/server.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICuDCCAaACAQAwRjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDJkum9X+6kX2ublaBaxa5ckOZJPrXk0oQnw+Bq +EfuLH0b0usaH1kOwBysNuM64gzH1I3hMfxk4FWobZEU6y+HJpiBGjLWh+rpWCRrL +fmItW/DpwoepD9Pou3WS7yPWRLvLY8Xedr/JdECgKuhdXzAq6wp5cmY1z9yvSlq5 +w5jA46E+y+Hg4DQFn3KGiy4AfAn4dKG6OuT1QrupQ6P7FQFClkGW6f1u7m/AjWvq +4sf4TCCgnhWJKP0yKjx/JzsbIenuqt5SZbn3Epai6mxauV9LlydIZGIMx06Si6L2 +naQ7qjXX1oOWIeUBaQor6EYckiUwMCwfSNlPvL8qZhICj9fpAgMBAAGgLTArBgkq +hkiG9w0BCQ4xHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG +9w0BAQsFAAOCAQEAoDYizxvrx9zCwJwVkoyTesNpv/TEXSyUJUA0obAwCmRxYfAI +8/C3OglQwlrMKTgeBsfzBnLHgdZ4mKmuQpRNGrt+MncN09x7IqT4zbijWBJu6VbI +a7B+BElzrt/rsEo/h2ZKy1P42XIW/icADRFoCDqhOG3kYQ5unIoNawN/4okJDxg6 +z+M5FSifRee3QSc9UOHIGNTuVS07Gxmhoi+c9samuxZYqxR1j46LGY4OOWEW8RVB +ZhybsfhXgzkoAvIjCJiNqJGsNmMlr6Psq1cKCTaM17RlxlqSAtlQ2igk1ptAo7Xo +q+EVnJHmkWbjksQKykOia91eOOlGArZfSGBgYw== +-----END CERTIFICATE REQUEST----- diff --git a/crates/listener/examples/demo/certs/server.json b/crates/listener/examples/demo/certs/server.json new file mode 100644 index 00000000..166acfa9 --- /dev/null +++ b/crates/listener/examples/demo/certs/server.json @@ -0,0 +1,18 @@ +{ + "CN": "localhost", + "hosts": [ + "localhost", + "127.0.0.1" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "ST": "CA", + "L": "San Francisco" + } + ] +} diff --git a/crates/listener/examples/demo/certs/server.pem b/crates/listener/examples/demo/certs/server.pem new file mode 100644 index 00000000..ac509a48 --- /dev/null +++ b/crates/listener/examples/demo/certs/server.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3DCCAsSgAwIBAgIUXV73OL40WuMFPhEf1BT5I9wWilQwDQYJKoZIhvcNAQEL +BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV +BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0yMjEwMTIxMzI4MDBaFw0yNzEw +MTExMzI4MDBaMEYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN +U2FuIEZyYW5jaXNjbzESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAyZLpvV/upF9rm5WgWsWuXJDmST615NKEJ8PgahH7 +ix9G9LrGh9ZDsAcrDbjOuIMx9SN4TH8ZOBVqG2RFOsvhyaYgRoy1ofq6Vgkay35i +LVvw6cKHqQ/T6Lt1ku8j1kS7y2PF3na/yXRAoCroXV8wKusKeXJmNc/cr0paucOY +wOOhPsvh4OA0BZ9yhosuAHwJ+HShujrk9UK7qUOj+xUBQpZBlun9bu5vwI1r6uLH ++EwgoJ4ViSj9Mio8fyc7GyHp7qreUmW59xKWoupsWrlfS5cnSGRiDMdOkoui9p2k +O6o119aDliHlAWkKK+hGHJIlMDAsH0jZT7y/KmYSAo/X6QIDAQABo4GSMIGPMA4G +A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA +MB0GA1UdDgQWBBQ5FqZm6QZH0ryYjHsPfPLLco+hHTAfBgNVHSMEGDAWgBTjbc5p +6QbiplBVVxQ2gmUJ+VTciDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwDQYJ +KoZIhvcNAQELBQADggEBAAESeOqIzNByls+z+Ah8i5Ge4MfkomD2dHipvJNOKtY4 +JUxffHslgid6O4zE5uw4mLnM4tvaUhsO1DwyfqQ0dj0JAx0xOSZuPfXag1fHxJ4Q +YJImrP13Hcm18Jr/ie5En6v25Uq0DR5NqbqSBXdIwQB84yAV23555YU9sqJhDh4g +wTugRTcNefTIO4lD0eFu4PLGyt7J6KNdur9n4RrTJzIoJx7cK+vrAAHhQKzetLQm +VnHs2U7ckgNLEjxo/9qziQ5bPXb4MnsrZgN00oeDwEMfIkANmSPUu/6Ei31SXfmE +s5ukdV0z+OX59/vEsG3IPiZpZG/dOjBeFjPvG/7EOoc= +-----END CERTIFICATE----- diff --git a/crates/listener/examples/demo/main.rs b/crates/listener/examples/demo/main.rs index 6e503507..b67bbf6e 100644 --- a/crates/listener/examples/demo/main.rs +++ b/crates/listener/examples/demo/main.rs 
@@ -14,13 +14,21 @@ use std::{ convert::Infallible, + io::BufReader, net::{Ipv4Addr, TcpListener}, + sync::Arc, time::Duration, }; +use anyhow::Context; use hyper::{service::service_fn, Request, Response}; +use mas_listener::{server::Server, shutdown::ShutdownStream, ConnectionInfo}; use tokio::signal::unix::SignalKind; -use tokio_streams_util::{server::Server, shutdown::ShutdownStream, ConnectionInfo}; +use tokio_rustls::rustls::{Certificate, PrivateKey, RootCertStore, ServerConfig}; + +static CA_CERT_PEM: &[u8] = include_bytes!("./certs/ca.pem"); +static SERVER_CERT_PEM: &[u8] = include_bytes!("./certs/server.pem"); +static SERVER_KEY_PEM: &[u8] = include_bytes!("./certs/server-key.pem"); async fn handler(req: Request) -> Result, Infallible> { tracing::info!("Handling request"); 
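Review bot: The `include_bytes!` statics compile `./certs/server-key.pem`, a private key committed in this same patch, into the example binary, and nothing at the declaration says the material is demo-only. I would add a comment above the three statics, e.g. `// Demo-only TLS fixtures generated by certs/gen.sh; the private key is public, never reuse it outside this example.` That keeps the pattern from being copied into a real listener, where the key should be loaded at runtime from a protected path rather than baked into the build.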
@@ -34,16 +42,59 @@ async fn handler(req: Request) -> Result, Infallib async fn main() -> Result<(), anyhow::Error> { tracing_subscriber::fmt::init(); - let listener = TcpListener::bind((Ipv4Addr::LOCALHOST, 3000))?; - let service = service_fn(handler); - let server = Server::try_new(listener, service)?; + let tls_config = load_tls_config()?; - tracing::info!("Listening on 127.0.0.1:3000"); + let listener = TcpListener::bind((Ipv4Addr::LOCALHOST, 3000))?; + let proxy_protocol_listener = TcpListener::bind((Ipv4Addr::LOCALHOST, 3001))?; + let tls_listener = TcpListener::bind((Ipv4Addr::LOCALHOST, 3002))?; + let tls_proxy_protocol_listener = TcpListener::bind((Ipv4Addr::LOCALHOST, 3003))?; + + let servers = vec![ + Server::try_new(listener, service_fn(handler))?, + Server::try_new(proxy_protocol_listener, service_fn(handler))?.with_proxy(), + Server::try_new(tls_listener, service_fn(handler))?.with_tls(tls_config.clone()), + Server::try_new(tls_proxy_protocol_listener, service_fn(handler))? + .with_proxy() + .with_tls(tls_config.clone()), + ]; + + tracing::info!("Listening on http://127.0.0.1:3000, http(proxy)://127.0.0.1:3001, https://127.0.0.1:3002 and https(proxy)://127.0.0.1:3003"); let shutdown = ShutdownStream::default() .with_signal(SignalKind::interrupt())? .with_signal(SignalKind::terminate())?; - server.run(shutdown).await; + + mas_listener::server::run_servers(servers, shutdown).await; Ok(()) } + +fn load_tls_config() -> Result, anyhow::Error> { + let mut ca_cert_reader = BufReader::new(CA_CERT_PEM); + let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader).context("Invalid CA certificate")?; + let mut ca_cert_store = RootCertStore::empty(); + ca_cert_store.add_parsable_certificates(&ca_cert); + + let mut server_cert_reader = BufReader::new(SERVER_CERT_PEM); + let server_cert: Vec<_> = rustls_pemfile::certs(&mut server_cert_reader) + .context("Invalid server certificate")? 
+ .into_iter() + .map(Certificate) + .collect(); + + let mut server_key_reader = BufReader::new(SERVER_KEY_PEM); + let mut server_key = rustls_pemfile::rsa_private_keys(&mut server_key_reader) + .context("Invalid server TLS keys")?; + let server_key = PrivateKey(server_key.pop().context("Missing server TLS key")?); + + let tls_config = ServerConfig::builder() + .with_safe_defaults() + .with_client_cert_verifier( + tokio_rustls::rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new( + ca_cert_store, + ), + ) + .with_single_cert(server_cert, server_key)?; + + Ok(Arc::new(tls_config)) +}
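Review bot: In `load_tls_config` the return value of `ca_cert_store.add_parsable_certificates(&ca_cert)` is discarded, so a `ca.pem` that reads as PEM but yields no usable certificate leaves the root store empty without any error; because the verifier is `AllowAnyAnonymousOrAuthenticatedClient`, the server would still start and serve anonymous clients while every client-certificate handshake fails. Check the count instead: `let (added, _skipped) = ca_cert_store.add_parsable_certificates(&ca_cert);` followed by `anyhow::ensure!(added > 0, "No usable CA certificate");`. The same verifier makes client certificates optional on ports 3002 and 3003, which deserves a short doc comment on `load_tls_config` so that `handler` is not assumed to see only authenticated peers. The `with_proxy()` listeners presumably trust the PROXY protocol header sent by whoever connects, which is acceptable while they are bound to `Ipv4Addr::LOCALHOST` but worth a comment in `main` for anyone who changes the bind address.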