diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..9aef65b4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/.rust/
+/doc/
diff --git a/.travis.yml b/.travis.yml
index 1ba08680..fae15328 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,5 +3,7 @@ before_install:
   - sudo apt-get update
 install:
   - sudo apt-get install rust-nightly
+before_script:
+  - openssl s_server -accept 15418 -www -cert test/cert.pem -key test/key.pem >/dev/null &
 script:
   - make all test
diff --git a/ssl/error.rs b/ssl/error.rs
new file mode 100644
index 00000000..769cc768
--- /dev/null
+++ b/ssl/error.rs
@@ -0,0 +1,59 @@
+use std::libc::c_ulong;
+
+use super::ffi;
+
+/// An SSL error
+#[deriving(ToStr)]
+pub enum SslError {
+    /// The underlying stream has reported an EOF
+    StreamEof,
+    /// The SSL session has been closed by the other end
+    SslSessionClosed,
+    /// An error in the OpenSSL library
+    OpenSslErrors(~[OpensslError])
+}
+
+/// An error from the OpenSSL library
+#[deriving(ToStr)]
+pub enum OpensslError {
+    /// An unknown error
+    UnknownError {
+        /// The library reporting the error
+        library: u8,
+        /// The function reporting the error
+        function: u16,
+        /// The reason for the error
+        reason: u16
+    }
+}
+
+fn get_lib(err: c_ulong) -> u8 {
+    ((err >> 24) & 0xff) as u8
+}
+
+fn get_func(err: c_ulong) -> u16 {
+    ((err >> 12) & 0xfff) as u16
+}
+
+fn get_reason(err: c_ulong) -> u16 {
+    (err & 0xfff) as u16
+}
+
+impl SslError {
+    /// Creates a new `OpenSslErrors` with the current contents of the error
+    /// stack.
+    pub fn get() -> SslError {
+        let mut errs = ~[];
+        loop {
+            match unsafe { ffi::ERR_get_error() } {
+                0 => break,
+                err => errs.push(UnknownError {
+                    library: get_lib(err),
+                    function: get_func(err),
+                    reason: get_reason(err)
+                })
+            }
+        }
+        OpenSslErrors(errs)
+    }
+}
diff --git a/ssl/ffi.rs b/ssl/ffi.rs
new file mode 100644
index 00000000..45192fd3
--- /dev/null
+++ b/ssl/ffi.rs
@@ -0,0 +1,159 @@
+#[doc(hidden)];
+
+use std::libc::{c_int, c_void, c_long, c_ulong, c_char};
+
+pub type SSL_CTX = c_void;
+pub type SSL_METHOD = c_void;
+pub type SSL = c_void;
+pub type BIO = c_void;
+pub type BIO_METHOD = c_void;
+pub type X509_STORE_CTX = c_void;
+pub type X509 = c_void;
+pub type X509_NAME = c_void;
+pub type CRYPTO_EX_DATA = c_void;
+
+pub type CRYPTO_EX_new = extern "C" fn(parent: *c_void, ptr: *c_void,
+                                       ad: *CRYPTO_EX_DATA, idx: c_int,
+                                       argl: c_long, argp: *c_void) -> c_int;
+pub type CRYPTO_EX_dup = extern "C" fn(to: *CRYPTO_EX_DATA,
+                                       from: *CRYPTO_EX_DATA, from_d: *c_void,
+                                       idx: c_int, argl: c_long, argp: *c_void)
+                                       -> c_int;
+pub type CRYPTO_EX_free = extern "C" fn(parent: *c_void, ptr: *c_void,
+                                        ad: *CRYPTO_EX_DATA, idx: c_int,
+                                        argl: c_long, argp: *c_void);
+
+pub static CRYPTO_LOCK: c_int = 1;
+
+pub static SSL_ERROR_NONE: c_int = 0;
+pub static SSL_ERROR_SSL: c_int = 1;
+pub static SSL_ERROR_WANT_READ: c_int = 2;
+pub static SSL_ERROR_WANT_WRITE: c_int = 3;
+pub static SSL_ERROR_WANT_X509_LOOKUP: c_int = 4;
+pub static SSL_ERROR_SYSCALL: c_int = 5;
+pub static SSL_ERROR_ZERO_RETURN: c_int = 6;
+pub static SSL_ERROR_WANT_CONNECT: c_int = 7;
+pub static SSL_ERROR_WANT_ACCEPT: c_int = 8;
+
+pub static SSL_VERIFY_NONE: c_int = 0;
+pub static SSL_VERIFY_PEER: c_int = 1;
+
+pub static X509_V_OK: c_int = 0;
+pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2;
+pub static X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3;
+pub static X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4;
+pub static X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5;
+pub static X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6;
+pub static X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7;
+pub static X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8;
+pub static X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9;
+pub static X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10;
+pub static X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11;
+pub static X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12;
+pub static X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13;
+pub static X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14;
+pub static X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15;
+pub static X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16;
+pub static X509_V_ERR_OUT_OF_MEM: c_int = 17;
+pub static X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18;
+pub static X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19;
+pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20;
+pub static X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21;
+pub static X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22;
+pub static X509_V_ERR_CERT_REVOKED: c_int = 23;
+pub static X509_V_ERR_INVALID_CA: c_int = 24;
+pub static X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25;
+pub static X509_V_ERR_INVALID_PURPOSE: c_int = 26;
+pub static X509_V_ERR_CERT_UNTRUSTED: c_int = 27;
+pub static X509_V_ERR_CERT_REJECTED: c_int = 28;
+pub static X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29;
+pub static X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30;
+pub static X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31;
+pub static X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32;
+pub static X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33;
+pub static X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34;
+pub static X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35;
+pub static X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36;
+pub static X509_V_ERR_INVALID_NON_CA: c_int = 37;
+pub static X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38;
+pub static X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39;
+pub static X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40;
+pub static X509_V_ERR_INVALID_EXTENSION: c_int = 41;
+pub static X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42;
+pub static X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43;
+pub static X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44;
+pub static X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45;
+pub static X509_V_ERR_UNNESTED_RESOURCE: c_int = 46;
+pub static X509_V_ERR_PERMITTED_VIOLATION: c_int = 47;
+pub static X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48;
+pub static X509_V_ERR_SUBTREE_MINMAX: c_int = 49;
+pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51;
+pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52;
+pub static X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53;
+pub static X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54;
+pub static X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50;
+
+pub static XN_FLAG_RFC2253: c_ulong = 0x1110317;
+pub static XN_FLAG_ONELINE: c_ulong = 0x82031f;
+pub static XN_FLAG_MULTILINE: c_ulong = 0x2a40006;
+
+#[link(name="ssl")]
+#[link(name="crypto")]
+extern "C" {
+    pub fn CRYPTO_num_locks() -> c_int;
+    pub fn CRYPTO_set_locking_callback(func: extern "C" fn(mode: c_int,
+                                                           n: c_int,
+                                                           file: *c_char,
+                                                           line: c_int));
+
+    pub fn ERR_get_error() -> c_ulong;
+
+    pub fn SSL_library_init() -> c_int;
+
+    pub fn SSLv3_method() -> *SSL_METHOD;
+    pub fn TLSv1_method() -> *SSL_METHOD;
+    pub fn SSLv23_method() -> *SSL_METHOD;
+
+    pub fn SSL_CTX_new(method: *SSL_METHOD) -> *SSL_CTX;
+    pub fn SSL_CTX_free(ctx: *SSL_CTX);
+    pub fn SSL_CTX_set_verify(ctx: *SSL_CTX, mode: c_int,
+                              verify_callback: Option<extern "C" fn(c_int, *X509_STORE_CTX) -> c_int>);
+    pub fn SSL_CTX_load_verify_locations(ctx: *SSL_CTX, CAfile: *c_char,
+                                         CApath: *c_char) -> c_int;
+    pub fn SSL_CTX_get_ex_new_index(argl: c_long, argp: *c_void,
+                                    new_func: Option<CRYPTO_EX_new>,
+                                    dup_func: Option<CRYPTO_EX_dup>,
+                                    free_func: Option<CRYPTO_EX_free>)
+                                    -> c_int;
+    pub fn SSL_CTX_set_ex_data(ctx: *SSL_CTX, idx: c_int, data: *c_void)
+                               -> c_int;
+    pub fn SSL_CTX_get_ex_data(ctx: *SSL_CTX, idx: c_int) -> *c_void;
+
+    pub fn X509_STORE_CTX_get_ex_data(ctx: *X509_STORE_CTX, idx: c_int)
+                                      -> *c_void;
+    pub fn X509_STORE_CTX_get_current_cert(ct: *X509_STORE_CTX) -> *X509;
+    pub fn X509_STORE_CTX_get_error(ctx: *X509_STORE_CTX) -> c_int;
+
+    pub fn X509_get_subject_name(x: *X509) -> *X509_NAME;
+
+    pub fn X509_NAME_print_ex(out: *BIO, nm: *X509_NAME, ident: c_int,
+                              flags: c_ulong) -> c_int;
+
+    pub fn SSL_new(ctx: *SSL_CTX) -> *SSL;
+    pub fn SSL_free(ssl: *SSL);
+    pub fn SSL_set_bio(ssl: *SSL, rbio: *BIO, wbio: *BIO);
+    pub fn SSL_get_rbio(ssl: *SSL) -> *BIO;
+    pub fn SSL_get_wbio(ssl: *SSL) -> *BIO;
+    pub fn SSL_connect(ssl: *SSL) -> c_int;
+    pub fn SSL_get_error(ssl: *SSL, ret: c_int) -> c_int;
+    pub fn SSL_read(ssl: *SSL, buf: *c_void, num: c_int) -> c_int;
+    pub fn SSL_write(ssl: *SSL, buf: *c_void, num: c_int) -> c_int;
+    pub fn SSL_get_ex_data_X509_STORE_CTX_idx() -> c_int;
+    pub fn SSL_get_SSL_CTX(ssl: *SSL) -> *SSL_CTX;
+
+    pub fn BIO_s_mem() -> *BIO_METHOD;
+    pub fn BIO_new(type_: *BIO_METHOD) -> *BIO;
+    pub fn BIO_free_all(a: *BIO);
+    pub fn BIO_read(b: *BIO, buf: *c_void, len: c_int) -> c_int;
+    pub fn BIO_write(b: *BIO, buf: *c_void, len: c_int) -> c_int;
+}
diff --git a/ssl/lib.rs b/ssl/lib.rs
new file mode 100644
index 00000000..8725080c
--- /dev/null
+++ b/ssl/lib.rs
@@ -0,0 +1,559 @@
+#[feature(struct_variant, macro_rules)];
+#[crate_id="github.com/sfackler/rust-ssl"];
+#[doc(html_root_url="http://sfackler.github.io/rust-ssl/doc/")];
+
+use std::cast;
+use std::libc::{c_int, c_void, c_char};
+use std::ptr;
+use std::task;
+use std::sync::atomics::{AtomicBool, INIT_ATOMIC_BOOL, AtomicUint,
+                         INIT_ATOMIC_UINT, Acquire, Release, SeqCst};
+use std::unstable::mutex::Mutex;
+use std::io::{Stream, Reader, Writer, Decorator};
+use std::vec;
+
+use self::error::{SslError, SslSessionClosed, StreamEof};
+
+pub mod error;
+
+mod ffi;
+
+static mut STARTED_INIT: AtomicBool = INIT_ATOMIC_BOOL;
+static mut FINISHED_INIT: AtomicBool = INIT_ATOMIC_BOOL;
+
+static mut VERIFY_IDX: AtomicUint = INIT_ATOMIC_UINT;
+
+// actually a *~[Mutex]
+static mut MUTEXES: AtomicUint = INIT_ATOMIC_UINT;
+
+fn init() {
+    unsafe {
+        if STARTED_INIT.swap(true, Acquire) {
+            while !FINISHED_INIT.load(Release) {
+                task::deschedule();
+            }
+            return;
+        }
+
+        ffi::SSL_library_init();
+        let verify_idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None,
+                                                       None, None);
+        assert!(verify_idx >= 0);
+        VERIFY_IDX.store(verify_idx as uint, Release);
+
+        let num_locks = ffi::CRYPTO_num_locks();
+        let mutexes = ~vec::from_fn(num_locks as uint, |_| Mutex::new());
+        MUTEXES.store(cast::transmute(mutexes), Release);
+
+        ffi::CRYPTO_set_locking_callback(locking_function);
+
+        FINISHED_INIT.store(true, Release);
+    }
+}
+
+/// Determines the SSL method supported
+pub enum SslMethod {
+    /// Only support the SSLv3 protocol
+    Sslv3,
+    /// Only support the TLSv1 protocol
+    Tlsv1,
+    /// Support the SSLv2, SSLv3 and TLSv1 protocols
+    Sslv23
+}
+
+impl SslMethod {
+    unsafe fn to_raw(&self) -> *ffi::SSL_METHOD {
+        match *self {
+            Sslv3 => ffi::SSLv3_method(),
+            Tlsv1 => ffi::TLSv1_method(),
+            Sslv23 => ffi::SSLv23_method()
+        }
+    }
+}
+
+/// Determines the type of certificate verification used
+pub enum SslVerifyMode {
+    /// Verify that the server's certificate is trusted
+    SslVerifyPeer = ffi::SSL_VERIFY_PEER,
+    /// Do not verify the server's certificate
+    SslVerifyNone = ffi::SSL_VERIFY_NONE
+}
+
+extern "C" fn locking_function(mode: c_int, n: c_int, _file: *c_char,
+                               _line: c_int) {
+    unsafe {
+        let mutexes: *mut ~[Mutex] = cast::transmute(MUTEXES.load(Acquire));
+        let mutex = &mut (*mutexes)[n as uint];
+
+        if mode & ffi::CRYPTO_LOCK != 0 {
+            mutex.lock();
+        } else {
+            mutex.unlock();
+        }
+    }
+}
+
+extern "C" fn raw_verify(preverify_ok: c_int, x509_ctx: *ffi::X509_STORE_CTX)
+        -> c_int {
+    unsafe {
+        let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx();
+        let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx);
+        let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl);
+        let idx = VERIFY_IDX.load(Acquire) as c_int;
+        let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, idx);
+        let verify: Option<VerifyCallback> = cast::transmute(verify);
+
+        let ctx = X509StoreContext { ctx: x509_ctx };
+
+        match verify {
+            None => preverify_ok,
+            Some(verify) => verify(preverify_ok != 0, &ctx) as c_int
+        }
+    }
+}
+
+/// The signature of functions that can be used to manually verify certificates
+pub type VerifyCallback = extern "Rust" fn(preverify_ok: bool,
+                                           x509_ctx: &X509StoreContext) -> bool;
+
+/// An SSL context object
+pub struct SslContext {
+    priv ctx: *ffi::SSL_CTX
+}
+
+impl Drop for SslContext {
+    fn drop(&mut self) {
+        unsafe { ffi::SSL_CTX_free(self.ctx) }
+    }
+}
+
+impl SslContext {
+    /// Attempts to create a new SSL context.
+    pub fn try_new(method: SslMethod) -> Result<SslContext, SslError> {
+        init();
+
+        let ctx = unsafe { ffi::SSL_CTX_new(method.to_raw()) };
+        if ctx == ptr::null() {
+            return Err(SslError::get());
+        }
+
+        Ok(SslContext { ctx: ctx })
+    }
+
+    /// A convenience wrapper around `try_new`.
+    pub fn new(method: SslMethod) -> SslContext {
+        match SslContext::try_new(method) {
+            Ok(ctx) => ctx,
+            Err(err) => fail!("Error creating SSL context: {:?}", err)
+        }
+    }
+
+    /// Configures the certificate verification method for new connections.
+    pub fn set_verify(&mut self, mode: SslVerifyMode,
+                      verify: Option<VerifyCallback>) {
+        unsafe {
+            let idx = VERIFY_IDX.load(SeqCst) as c_int;
+            ffi::SSL_CTX_set_ex_data(self.ctx, idx,
+                                     cast::transmute(verify));
+            ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(raw_verify));
+        }
+    }
+
+    /// Specifies the file that contains trusted CA certificates.
+    pub fn set_CA_file(&mut self, file: &str) -> Option<SslError> {
+        let ret = file.with_c_str(|file| {
+            unsafe {
+                ffi::SSL_CTX_load_verify_locations(self.ctx, file, ptr::null())
+            }
+        });
+
+        if ret == 0 {
+            Some(SslError::get())
+        } else {
+            None
+        }
+    }
+}
+
+pub struct X509StoreContext {
+    priv ctx: *ffi::X509_STORE_CTX
+}
+
+impl X509StoreContext {
+    pub fn get_error(&self) -> Option<X509ValidationError> {
+        let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) };
+        X509ValidationError::from_raw(err)
+    }
+
+    pub fn get_current_cert<'a>(&'a self) -> Option<X509<'a>> {
+        let ptr = unsafe { ffi::X509_STORE_CTX_get_current_cert(self.ctx) };
+
+        if ptr.is_null() {
+            None
+        } else {
+            Some(X509 { ctx: self, x509: ptr })
+        }
+    }
+}
+
+/// A public key certificate
+pub struct X509<'ctx> {
+    priv ctx: &'ctx X509StoreContext,
+    priv x509: *ffi::X509
+}
+
+impl<'ctx> X509<'ctx> {
+    pub fn subject_name<'a>(&'a self) -> X509Name<'a> {
+        let name = unsafe { ffi::X509_get_subject_name(self.x509) };
+        X509Name { x509: self, name: name }
+    }
+}
+
+pub struct X509Name<'x> {
+    priv x509: &'x X509<'x>,
+    priv name: *ffi::X509_NAME
+}
+
+pub enum X509NameFormat {
+    Rfc2253 = ffi::XN_FLAG_RFC2253,
+    Oneline = ffi::XN_FLAG_ONELINE,
+    Multiline = ffi::XN_FLAG_MULTILINE
+}
+
+macro_rules! make_validation_error(
+    ($ok_val:ident, $($name:ident = $val:ident,)+) => (
+        pub enum X509ValidationError {
+            $($name,)+
+            X509UnknownError(c_int)
+        }
+
+        impl X509ValidationError {
+            #[doc(hidden)]
+            pub fn from_raw(err: c_int) -> Option<X509ValidationError> {
+                match err {
+                    self::ffi::$ok_val => None,
+                    $(self::ffi::$val => Some($name),)+
+                    err => Some(X509UnknownError(err))
+                }
+            }
+        }
+    )
+)
+
+make_validation_error!(X509_V_OK,
+    X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
+    X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL,
+    X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
+    X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
+    X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
+    X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE,
+    X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE,
+    X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID,
+    X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED,
+    X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID,
+    X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED,
+    X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
+    X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
+    X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
+    X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
+    X509OutOfMem = X509_V_ERR_OUT_OF_MEM,
+    X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+    X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
+    X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
+    X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
+    X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG,
+    X509CertRevoked = X509_V_ERR_CERT_REVOKED,
+    X509InvalidCA = X509_V_ERR_INVALID_CA,
+    X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED,
+    X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE,
+    X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED,
+    X509CertRejected = X509_V_ERR_CERT_REJECTED,
+    X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
+    X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH,
+    X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
+    X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
+    X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER,
+    X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION,
+    X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN,
+    X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION,
+    X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA,
+    X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED,
+    X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE,
+    X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED,
+    X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION,
+    X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION,
+    X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY,
+    X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE,
+    X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE,
+    X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE,
+    X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION,
+    X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION,
+    X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX,
+    X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE,
+    X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX,
+    X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX,
+    X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR,
+    X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION,
+)
+
+struct Ssl {
+    ssl: *ffi::SSL
+}
+
+impl Drop for Ssl {
+    fn drop(&mut self) {
+        unsafe { ffi::SSL_free(self.ssl) }
+    }
+}
+
+impl Ssl {
+    fn try_new(ctx: &SslContext) -> Result<Ssl, SslError> {
+        let ssl = unsafe { ffi::SSL_new(ctx.ctx) };
+        if ssl == ptr::null() {
+            return Err(SslError::get());
+        }
+        let ssl = Ssl { ssl: ssl };
+
+        let rbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) };
+        if rbio == ptr::null() {
+            return Err(SslError::get());
+        }
+
+        let wbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) };
+        if wbio == ptr::null() {
+            unsafe { ffi::BIO_free_all(rbio) }
+            return Err(SslError::get());
+        }
+
+        unsafe { ffi::SSL_set_bio(ssl.ssl, rbio, wbio) }
+        Ok(ssl)
+    }
+
+    fn get_rbio<'a>(&'a self) -> MemBioRef<'a> {
+        unsafe { self.wrap_bio(ffi::SSL_get_rbio(self.ssl)) }
+    }
+
+    fn get_wbio<'a>(&'a self) -> MemBioRef<'a> {
+        unsafe { self.wrap_bio(ffi::SSL_get_wbio(self.ssl)) }
+    }
+
+    fn wrap_bio<'a>(&'a self, bio: *ffi::BIO) -> MemBioRef<'a> {
+        assert!(bio != ptr::null());
+        MemBioRef {
+            ssl: self,
+            bio: MemBio {
+                bio: bio,
+                owned: false
+            }
+        }
+    }
+
+    fn connect(&self) -> c_int {
+        unsafe { ffi::SSL_connect(self.ssl) }
+    }
+
+    fn read(&self, buf: &mut [u8]) -> c_int {
+        unsafe { ffi::SSL_read(self.ssl, buf.as_ptr() as *c_void,
+                               buf.len() as c_int) }
+    }
+
+    fn write(&self, buf: &[u8]) -> c_int {
+        unsafe { ffi::SSL_write(self.ssl, buf.as_ptr() as *c_void,
+                                buf.len() as c_int) }
+    }
+
+    fn get_error(&self, ret: c_int) -> LibSslError {
+        let err = unsafe { ffi::SSL_get_error(self.ssl, ret) };
+        match FromPrimitive::from_int(err as int) {
+            Some(err) => err,
+            None => unreachable!()
+        }
+    }
+}
+
+#[deriving(FromPrimitive)]
+enum LibSslError {
+    ErrorNone = ffi::SSL_ERROR_NONE,
+    ErrorSsl = ffi::SSL_ERROR_SSL,
+    ErrorWantRead = ffi::SSL_ERROR_WANT_READ,
+    ErrorWantWrite = ffi::SSL_ERROR_WANT_WRITE,
+    ErrorWantX509Lookup = ffi::SSL_ERROR_WANT_X509_LOOKUP,
+    ErrorSyscall = ffi::SSL_ERROR_SYSCALL,
+    ErrorZeroReturn = ffi::SSL_ERROR_ZERO_RETURN,
+    ErrorWantConnect = ffi::SSL_ERROR_WANT_CONNECT,
+    ErrorWantAccept = ffi::SSL_ERROR_WANT_ACCEPT,
+}
+
+struct MemBioRef<'ssl> {
+    ssl: &'ssl Ssl,
+    bio: MemBio,
+}
+
+impl<'ssl> MemBioRef<'ssl> {
+    fn read(&self, buf: &mut [u8]) -> Option<uint> {
+        self.bio.read(buf)
+    }
+
+    fn write(&self, buf: &[u8]) {
+        self.bio.write(buf)
+    }
+}
+
+struct MemBio {
+    bio: *ffi::BIO,
+    owned: bool
+}
+
+impl Drop for MemBio {
+    fn drop(&mut self) {
+        if self.owned {
+            unsafe {
+                ffi::BIO_free_all(self.bio);
+            }
+        }
+    }
+}
+
+impl MemBio {
+    fn read(&self, buf: &mut [u8]) -> Option<uint> {
+        let ret = unsafe {
+            ffi::BIO_read(self.bio, buf.as_ptr() as *c_void,
+                          buf.len() as c_int)
+        };
+
+        if ret < 0 {
+            None
+        } else {
+            Some(ret as uint)
+        }
+    }
+
+    fn write(&self, buf: &[u8]) {
+        let ret = unsafe {
+            ffi::BIO_write(self.bio, buf.as_ptr() as *c_void,
+                           buf.len() as c_int)
+        };
+        assert_eq!(buf.len(), ret as uint);
+    }
+}
+
+/// A stream wrapper which handles SSL encryption for an underlying stream.
+pub struct SslStream<S> {
+    priv stream: S,
+    priv ssl: Ssl,
+    priv buf: ~[u8]
+}
+
+impl<S: Stream> SslStream<S> {
+    /// Attempts to create a new SSL stream
+    pub fn try_new(ctx: &SslContext, stream: S) -> Result<SslStream<S>,
+                                                          SslError> {
+        let ssl = match Ssl::try_new(ctx) {
+            Ok(ssl) => ssl,
+            Err(err) => return Err(err)
+        };
+
+        let mut ssl = SslStream {
+            stream: stream,
+            ssl: ssl,
+            // Maximum TLS record size is 16k
+            buf: vec::from_elem(16 * 1024, 0u8)
+        };
+
+        match ssl.in_retry_wrapper(|ssl| { ssl.connect() }) {
+            Ok(_) => Ok(ssl),
+            Err(err) => Err(err)
+        }
+    }
+
+    /// A convenience wrapper around `try_new`.
+    pub fn new(ctx: &SslContext, stream: S) -> SslStream<S> {
+        match SslStream::try_new(ctx, stream) {
+            Ok(stream) => stream,
+            Err(err) => fail!("Error creating SSL stream: {:?}", err)
+        }
+    }
+
+    fn in_retry_wrapper(&mut self, blk: |&Ssl| -> c_int)
+            -> Result<c_int, SslError> {
+        loop {
+            let ret = blk(&self.ssl);
+            if ret > 0 {
+                return Ok(ret);
+            }
+
+            match self.ssl.get_error(ret) {
+                ErrorWantRead => {
+                    self.flush();
+                    match self.stream.read(self.buf) {
+                        Some(len) =>
+                            self.ssl.get_rbio().write(self.buf.slice_to(len)),
+                        None => return Err(StreamEof)
+                    }
+                }
+                ErrorWantWrite => self.flush(),
+                ErrorZeroReturn => return Err(SslSessionClosed),
+                ErrorSsl => return Err(SslError::get()),
+                _ => unreachable!()
+            }
+        }
+    }
+
+    fn write_through(&mut self) {
+        loop {
+            match self.ssl.get_wbio().read(self.buf) {
+                Some(len) => self.stream.write(self.buf.slice_to(len)),
+                None => break
+            }
+        }
+    }
+}
+
+impl<S: Stream> Reader for SslStream<S> {
+    fn read(&mut self, buf: &mut [u8]) -> Option<uint> {
+        match self.in_retry_wrapper(|ssl| { ssl.read(buf) }) {
+            Ok(len) => Some(len as uint),
+            Err(StreamEof) | Err(SslSessionClosed) => None,
+            _ => unreachable!()
+        }
+    }
+
+    fn eof(&mut self) -> bool {
+        self.stream.eof()
+    }
+}
+
+impl<S: Stream> Writer for SslStream<S> {
+    fn write(&mut self, buf: &[u8]) {
+        let mut start = 0;
+        while start < buf.len() {
+            let ret = self.in_retry_wrapper(|ssl| {
+                ssl.write(buf.slice_from(start))
+            });
+            match ret {
+                Ok(len) => start += len as uint,
+                _ => unreachable!()
+            }
+            self.write_through();
+        }
+    }
+
+    fn flush(&mut self) {
+        self.write_through();
+        self.stream.flush()
+    }
+}
+
+impl<S> Decorator<S> for SslStream<S> {
+    fn inner(self) -> S {
+        self.stream
+    }
+
+    fn inner_ref<'a>(&'a self) -> &'a S {
+        &self.stream
+    }
+
+    fn inner_mut_ref<'a>(&'a mut self) -> &'a mut S {
+        &mut self.stream
+    }
+}
diff --git a/ssl/test.rs b/ssl/test.rs
new file mode 100644
index 00000000..2655fa98
--- /dev/null
+++ b/ssl/test.rs
@@ -0,0 +1,164 @@
+#[feature(struct_variant, macro_rules)];
+
+use std::io::Writer;
+use std::io::net::tcp::TcpStream;
+use std::str;
+
+use lib::{Sslv23, SslContext, SslStream, SslVerifyPeer, X509StoreContext};
+
+mod lib;
+
+#[test]
+fn test_new_ctx() {
+    SslContext::new(Sslv23);
+}
+
+#[test]
+fn test_new_sslstream() {
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    SslStream::new(&SslContext::new(Sslv23), stream);
+}
+
+#[test]
+fn test_verify_untrusted() {
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, None);
+    match SslStream::try_new(&ctx, stream) {
+        Ok(_) => fail!("expected failure"),
+        Err(err) => println!("error {:?}", err)
+    }
+}
+
+#[test]
+fn test_verify_trusted() {
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, None);
+    match ctx.set_CA_file("test/cert.pem") {
+        None => {}
+        Some(err) => fail!("Unexpected error {:?}", err)
+    }
+    match SslStream::try_new(&ctx, stream) {
+        Ok(_) => (),
+        Err(err) => fail!("Expected success, got {:?}", err)
+    }
+}
+
+#[test]
+fn test_verify_untrusted_callback_override_ok() {
+    fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool {
+        true
+    }
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, Some(callback));
+    match SslStream::try_new(&ctx, stream) {
+        Ok(_) => (),
+        Err(err) => fail!("Expected success, got {:?}", err)
+    }
+}
+
+#[test]
+fn test_verify_untrusted_callback_override_bad() {
+    fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool {
+        false
+    }
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, Some(callback));
+    assert!(SslStream::try_new(&ctx, stream).is_err());
+}
+
+#[test]
+fn test_verify_trusted_callback_override_ok() {
+    fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool {
+        true
+    }
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, Some(callback));
+    match ctx.set_CA_file("test/cert.pem") {
+        None => {}
+        Some(err) => fail!("Unexpected error {:?}", err)
+    }
+    match SslStream::try_new(&ctx, stream) {
+        Ok(_) => (),
+        Err(err) => fail!("Expected success, got {:?}", err)
+    }
+}
+
+#[test]
+fn test_verify_trusted_callback_override_bad() {
+    fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool {
+        false
+    }
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, Some(callback));
+    match ctx.set_CA_file("test/cert.pem") {
+        None => {}
+        Some(err) => fail!("Unexpected error {:?}", err)
+    }
+    assert!(SslStream::try_new(&ctx, stream).is_err());
+}
+
+#[test]
+fn test_verify_callback_load_certs() {
+    fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool {
+        assert!(x509_ctx.get_current_cert().is_some());
+        true
+    }
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, Some(callback));
+    assert!(SslStream::try_new(&ctx, stream).is_ok());
+}
+
+#[test]
+fn test_verify_trusted_get_error_ok() {
+    fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool {
+        assert!(x509_ctx.get_error().is_none());
+        true
+    }
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, Some(callback));
+    match ctx.set_CA_file("test/cert.pem") {
+        None => {}
+        Some(err) => fail!("Unexpected error {:?}", err)
+    }
+    assert!(SslStream::try_new(&ctx, stream).is_ok());
+}
+
+#[test]
+fn test_verify_trusted_get_error_err() {
+    fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool {
+        assert!(x509_ctx.get_error().is_some());
+        false
+    }
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut ctx = SslContext::new(Sslv23);
+    ctx.set_verify(SslVerifyPeer, Some(callback));
+    assert!(SslStream::try_new(&ctx, stream).is_err());
+}
+
+#[test]
+fn test_write() {
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut stream = SslStream::new(&SslContext::new(Sslv23), stream);
+    stream.write("hello".as_bytes());
+    stream.flush();
+    stream.write(" there".as_bytes());
+    stream.flush();
+}
+
+#[test]
+fn test_read() {
+    let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
+    let mut stream = SslStream::new(&SslContext::new(Sslv23), stream);
+    stream.write("GET /\r\n\r\n".as_bytes());
+    stream.flush();
+    let buf = stream.read_to_end();
+    print!("{}", str::from_utf8(buf));
+}
diff --git a/ssl/test/cert.pem b/ssl/test/cert.pem
new file mode 100644
index 00000000..a520dd24
--- /dev/null
+++ b/ssl/test/cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIJAJUaA2QC829wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTMxMDIyMDUzODU5WhcNMTQxMDIyMDUzODU5WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA2E9uYoLpX4eMGz6+l+1ZdD11Y1PQjNjqSA7/nq0Q6gogPLds99a+Ca7B
+2w6mWGMpCQbJTf0tOkdF6Td/gwIBNYtHuCIAiPh2Gbm6oZErVIXWwWuTWC2r7myB
+0ePga5ZAE9SqsFqMEuhWikEK1+ae1CCfmbogsQSXyl4+EVN7xAwdi6yUtRL/92nn
+ImKdwDBhuqzdBpBODQW/VCn0KG54CvWdwT0iqg7CvLuXQGyxM8K17SAiBtn6N38S
+0jeL4D9IrBfi9PCYGpAn3jKr4oBEJVRCNvvni3Q9ikJ+GEF5nvLLVM+I98/o0vCu
+Y2o7+1LiwViGONJ1BfRgdFWMjz0BfQIDAQABo1AwTjAdBgNVHQ4EFgQU509vewJT
+k6qdvjT8e52gTE4+V9EwHwYDVR0jBBgwFoAU509vewJTk6qdvjT8e52gTE4+V9Ew
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAb0Sz/ixFc+pShXur1peh
+J0n7sPxX29WyTN8IZ+Sl/Ks0vG6bmtO1kAudVigStdQKeBPco+c2/+BF1sL79pXf
+Ao1hOWCkXVu6E/Nxl5rZlGNjkxwurKLNV5mZ6nXYkseYZH9A2ighGYQHj4YqspN2
+2+/K1DLNBZCsZF6XozhUiDysUGN/xVh6TE0gsPvL1A27Xe4mQ8vd8Mz7av4dek//
+V9F+cXnVBTAqLPpEbAX+0+k1QZtOVnDGovshlRFZ8d17f0pJZ66n9k6TPriQNWV/
+RXjIOBLbXtPFL5w6MetkEBE+DsRckLT/50cf+f/y8CHv9v9iobu4LpTjx/8l0GuQ
+hg==
+-----END CERTIFICATE-----
diff --git a/ssl/test/key.pem b/ssl/test/key.pem
new file mode 100644
index 00000000..a3f80dd9
--- /dev/null
+++ b/ssl/test/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDYT25igulfh4wb
+Pr6X7Vl0PXVjU9CM2OpIDv+erRDqCiA8t2z31r4JrsHbDqZYYykJBslN/S06R0Xp
+N3+DAgE1i0e4IgCI+HYZubqhkStUhdbBa5NYLavubIHR4+BrlkAT1KqwWowS6FaK
+QQrX5p7UIJ+ZuiCxBJfKXj4RU3vEDB2LrJS1Ev/3aeciYp3AMGG6rN0GkE4NBb9U
+KfQobngK9Z3BPSKqDsK8u5dAbLEzwrXtICIG2fo3fxLSN4vgP0isF+L08JgakCfe
+MqvigEQlVEI2++eLdD2KQn4YQXme8stUz4j3z+jS8K5jajv7UuLBWIY40nUF9GB0
+VYyPPQF9AgMBAAECggEBAJiYiH20bqA2xk8eF2SkSxvmk15r7U6/Y59L/WZaHvmM
+BSvwFk5MzqmUACviDNWDtpookHCVL4fSae5ZeXnZOzMju4eZbRkzdlU1ogSCnbe1
+50dx9XMaXRUItRh1koczaqbSu0tHxVM9VneX5OdkSR3Kmezf0lourEpV66FbbI9i
+1F1Q7u6TzldTuPSkQQgV/FHU9DvRPJ6HgSOyVr6Z9Ec0K6odmUXe3wX7+3PbKPtr
+JIVQ0wGcc/sImgAr0uS+YbHNWM4qjFAAPteQ/+Df6usSFOkRoD3+XeZrJQQ98C3q
+HHW4afaJM0YCsDwn7/E3KiY5fmXwtAHNRuUbsfReP8ECgYEA9JQICyP1N5bZ4uCc
+jjTiHLcQX2dHy4dKatqWkV4F52qf4HCZ/pcvPBKNMzM4uTfkCgR+TMzW+A+escvR
+8KmaSKmQHT+nUQfMoU2lpZbWSPTF8lLGx+Mf8JAMur0xcmazDB8uDFnvQg+TQY7y
+cF6MMWKW3pp+3qI7wRkclXSLZG0CgYEA4mlzuzuB8e7UJ821N+zD8BBYY4EvpUIj
+iparwKbM8vAZ1WZssRd+8oHroHJGbjXX4h7gvpUsVadSgs77W9T0zJ+5kJCpVAnO
+nKdJkX1Zo1TaIIrRaJhiaPU4hKlnGnko3uv7SlV9PPUtcyBnXElobREmQv6eCmEf
+Z7YP4+JoR1ECgYEA3RyrfO7gNYZyq3Mm9kWHGjDCY43q0W0ZcSr3LqrTKZkyuuTx
+w8IImQWok9497O1Dg272hBY4ToFIljLPNQUQD5sER/0RFee4LygUlnSce86W2nHN
+dk62xHRmnbiHaIbCXjYeGlqAPLf6CC3kroQ7uDYKcWs5Qatn3DYIqnF3x60CgYA/
+plWatUf6s6GA7xua9TzAKFgw4Qh79PP46hKuvjWvtkAM9hZoUqqlklCjcnzKTui5
+8ORNr7IfAkL38yhG0L9hJyYLth9kOL2U3JKaDBs/B4Oq0lu8g9pml0mkQdtyXc1X
+ng+u/gmPMX3td5aXIyvwPXn8K4hScqtZhJ1C+0tFgQKBgQDtlBXw3mY3AMwT+wtx
+ZiitDk7tAXj7wioCOziTFKkL01UMt4VIkNvQU7RUTcig6PBc0PxU6TZQpncOk/cP
+eqQQP0TJGNzIK71EwAL5aFm9o9VoXsrwjVDZnzMr703MyU15QXO76kmxmh+rK5Qy
+uldCJliojIW1UW30MXSXK96YXQ==
+-----END PRIVATE KEY-----