Fix #5514; Add test for GNS Proxy and DANE; Fix TLS connections on ports != 443 through proxy

6 files changed, 369 insertions, 232 deletions

diff --git a/src/gns/Makefile.am b/src/gns/Makefile.am
index e0497b11e..1abc57d57 100644
--- a/src/gns/Makefile.am
+++ b/src/gns/Makefile.am
@@ -155,6 +155,12 @@ if HAVE_GNUTLS_DANE
 gnunet_gns_proxy_LDADD += -lgnutls-dane
 endif
 
+test_gns_proxy_SOURCES = \
+  test_gns_proxy.c
+test_gns_proxy_LDADD = -lmicrohttpd $(LIB_GNURL) -lgnutls \
+  $(top_builddir)/src/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
 gnunet_gns_helper_service_w32_SOURCES = \
   gnunet-gns-helper-service-w32.c
 gnunet_gns_helper_service_w32_LDADD = \
@@ -232,6 +238,8 @@ libgnunet_plugin_block_gns_la_LIBADD = \
 libgnunet_plugin_block_gns_la_LDFLAGS = \
   $(GN_PLUGIN_LDFLAGS)
 
+check_PROGRAMS = \
+  test_gns_proxy
 
 check_SCRIPTS = \
   test_gns_lookup.sh \
@@ -248,7 +256,8 @@ check_SCRIPTS = \
   test_gns_rel_expiration.sh\
   test_gns_soa_lookup.sh\
   test_gns_revocation.sh\
-  test_gns_cname_lookup.sh
+  test_gns_cname_lookup.sh \
+        test_proxy.sh
 
 if ENABLE_TEST_RUN
 if HAVE_SQLITE
diff --git a/src/gns/gnunet-gns-proxy-setup-ca b/src/gns/gnunet-gns-proxy-setup-ca
index 52f4b012b..7c1d58dc2 100644
--- a/src/gns/gnunet-gns-proxy-setup-ca
+++ b/src/gns/gnunet-gns-proxy-setup-ca
@@ -5,12 +5,6 @@
 
 # TODO: We should sed the real paths to the binaries involved here.
 
-if ! which certutil > /dev/null
-then
-  echo "'certutil' command not found. Please install it."
-  exit 1
-fi
-
 if ! which openssl > /dev/null
 then
     echo "'openssl' command not found. Please install it."
@@ -50,24 +44,29 @@ openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
 echo "Making private key available to gnunet-gns-proxy"
 cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM
 
-echo "Importing CA into browsers"
-for f in ~/.mozilla/firefox/*.*/
-do
-  if [ -d $f ]; then
-    echo "Importing CA info Firefox at $f"
-# delete old certificate (if any)
-    certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
-# add new certificate
-    certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
-  fi
-done
+if ! which certutil > /dev/null
+then
+  echo "'certutil' command not found. Not importing into browsers."
+else
+  echo "Importing CA into browsers"
+  for f in ~/.mozilla/firefox/*.*/
+  do
+    if [ -d $f ]; then
+      echo "Importing CA info Firefox at $f"
+      # delete old certificate (if any)
+      certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
+      # add new certificate
+      certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
+    fi
+  done
 
-if [ -d ~/.pki/nssdb/ ]; then
-  echo "Importing CA into Chrome at ~/.pki/nssdb/"
-# delete old certificate (if any)
-  certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null
-# add new certificate
-  certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT
+  if [ -d ~/.pki/nssdb/ ]; then
+    echo "Importing CA into Chrome at ~/.pki/nssdb/"
+    # delete old certificate (if any)
+    certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null
+    # add new certificate
+    certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT
+  fi
 fi
 
 echo "Cleaning up."
diff --git a/src/gns/gnunet-gns-proxy.c b/src/gns/gnunet-gns-proxy.c
index 7e0dec722..385524a18 100644
--- a/src/gns/gnunet-gns-proxy.c
+++ b/src/gns/gnunet-gns-proxy.c
@@ -642,6 +642,11 @@ struct Socks5Request
   int is_gns;
 
   /**
+   * This is (probably) a TLS connection
+   */
+  int is_tls;
+
+  /**
    * Did we suspend MHD processing?
    */
   int suspended;
@@ -1138,7 +1143,8 @@ curl_check_hdr (void *buffer,
               "Receiving HTTP response header from CURL\n");
   /* first, check TLS certificate */
   if ( (GNUNET_YES != s5r->ssl_checked) &&
-       (HTTPS_PORT == s5r->port))
+       (GNUNET_YES == s5r->is_tls))
+       //(HTTPS_PORT == s5r->port))
   {
     if (GNUNET_OK != check_ssl_certificate (s5r))
       return 0;
@@ -1237,7 +1243,7 @@ curl_check_hdr (void *buffer,
     char *leho_host;
 
     GNUNET_asprintf (&leho_host,
-                     (HTTPS_PORT != s5r->port)
+                     (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
                      ? "http://%s"
                      : "https://%s",
                      s5r->leho);
@@ -1247,7 +1253,7 @@ curl_check_hdr (void *buffer,
     {
       GNUNET_asprintf (&new_location,
                        "%s%s%s",
-                       (HTTPS_PORT != s5r->port)
+                       (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
                        ? "http://"
                        : "https://",
                        s5r->domain,
@@ -1262,7 +1268,7 @@ curl_check_hdr (void *buffer,
     char *leho_host;
 
     GNUNET_asprintf (&leho_host,
-                     (HTTPS_PORT != s5r->port)
+                     (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
                      ? "http://%s"
                      : "https://%s",
                      s5r->leho);
@@ -1272,7 +1278,7 @@ curl_check_hdr (void *buffer,
     {
       GNUNET_asprintf (&new_location,
                        "%s%s",
-                       (HTTPS_PORT != s5r->port)
+                       (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
                        ? "http://"
                        : "https://",
                        s5r->domain);
@@ -1923,7 +1929,7 @@ create_response (void *cls,
     if (s5r->is_gns)
     {
       GNUNET_asprintf (&curlurl,
-                       (HTTPS_PORT != s5r->port)
+                       (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
                        ? "http://%s:%d%s"
                        : "https://%s:%d%s",
                        (NULL != s5r->leho)
@@ -1935,7 +1941,7 @@ create_response (void *cls,
     else
     {
       GNUNET_asprintf (&curlurl,
-                       (HTTPS_PORT != s5r->port)
+                       (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
                        ? "http://%s:%d%s"
                        : "https://%s:%d%s",
                        s5r->domain,
@@ -2109,7 +2115,7 @@ create_response (void *cls,
                         CURL_HTTP_VERSION_NONE);
     }
 
-    if (HTTPS_PORT == s5r->port)
+    if (GNUNET_YES == s5r->is_tls) //(HTTPS_PORT == s5r->port)
     {
       curl_easy_setopt (s5r->curl,
                         CURLOPT_USE_SSL,
@@ -2828,29 +2834,25 @@ setup_data_transfer (struct Socks5Request *s5r)
   socklen_t len;
   char *domain;
 
-  switch (s5r->port)
+  if (GNUNET_YES == s5r->is_tls)
   {
-    case HTTPS_PORT:
-      GNUNET_asprintf (&domain,
-                       "%s",
-                       s5r->domain);
-      hd = lookup_ssl_httpd (domain);
-      if (NULL == hd)
-      {
-        GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                    _("Failed to start HTTPS server for `%s'\n"),
-                    s5r->domain);
-        cleanup_s5r (s5r);
-        GNUNET_free (domain);
-        return;
-      }
-      break;
-    case HTTP_PORT:
-    default:
+    GNUNET_asprintf (&domain,
+                     "%s",
+                     s5r->domain);
+    hd = lookup_ssl_httpd (domain);
+    if (NULL == hd)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  _("Failed to start HTTPS server for `%s'\n"),
+                  s5r->domain);
+      cleanup_s5r (s5r);
+      GNUNET_free (domain);
+      return;
+    }
+  } else {
       domain = NULL;
       GNUNET_assert (NULL != httpd);
       hd = httpd;
-      break;
   }
   fd = GNUNET_NETWORK_get_fd (s5r->sock);
   addr = GNUNET_NETWORK_get_addr (s5r->sock);
@@ -3102,6 +3104,7 @@ handle_gns_result (void *cls,
               GNUNET_break (0); /* MAX_DANES too small */
               break;
             }
+          s5r->is_tls = GNUNET_YES; /* This should be TLS */
           s5r->dane_data_len[s5r->num_danes]
             = r->data_size - sizeof (struct GNUNET_GNSRECORD_BoxRecord);
           s5r->dane_data[s5r->num_danes]
@@ -3293,12 +3296,13 @@ do_s5r_read (void *cls)
             s5r->domain = GNUNET_strndup (dom_name,
                                           *dom_len);
             GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-                        "Requested connection is to http%s://%s:%d\n",
-                        (HTTPS_PORT == s5r->port) ? "s" : "",
+                        "Requested connection is to %s:%d\n",
+                        //(HTTPS_PORT == s5r->port) ? "s" : "",
                         s5r->domain,
                         ntohs (*port));
             s5r->state = SOCKS5_RESOLVING;
             s5r->port = ntohs (*port);
+            s5r->is_tls = (HTTPS_PORT == s5r->port) ? GNUNET_YES : GNUNET_NO;
             s5r->gns_lookup = GNUNET_GNS_lookup_with_tld (gns_handle,
                                                           s5r->domain,
                                                           GNUNET_DNSPARSER_TYPE_A,
diff --git a/src/gns/test_gns_proxy.c b/src/gns/test_gns_proxy.c
index ea61a89d5..75fe95617 100644
--- a/src/gns/test_gns_proxy.c
+++ b/src/gns/test_gns_proxy.c
@@ -30,13 +30,15 @@
 #include <gnurl/curl.h>
 #endif
 #include <microhttpd.h>
-#include "gnunet_namestore_service.h"
-#include "gnunet_gns_service.h"
-#include "gnunet_testing_lib.h"
-#include "gnunet_os_lib.h"
+#include "gnunet_util_lib.h"
+#include "gnutls/x509.h"
 
-#define PORT 8080
-#define TEST_DOMAIN "www.gnu"
+/**
+ * Largest allowed size for a PEM certificate.
+ */
+#define MAX_PEM_SIZE (10 * 1024)
+
+#define TEST_DOMAIN "www.test"
 
 #define TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 300)
 
@@ -45,7 +47,6 @@
  */
 static int global_ret;
 
-static struct GNUNET_NAMESTORE_Handle *namestore;
 
 static struct MHD_Daemon *mhd;
 
@@ -61,7 +62,15 @@ static char *url;
 
 static struct GNUNET_OS_Process *proxy_proc;
 
-static char* tmp_cfgfile;
+static char* cafile_opt;
+
+static char* cafile_srv;
+
+static uint16_t port;
+
+static gnutls_x509_crt_t proxy_cert;
+
+static gnutls_x509_privkey_t proxy_key;
 
 struct CBC
 {
@@ -71,6 +80,101 @@ struct CBC
 
 static struct CBC cbc;
 
+/**
+ * Read file in filename
+ *
+ * @param filename file to read
+ * @param size pointer where filesize is stored
+ * @return NULL on error
+ */
+static void*
+load_file (const char* filename,
+           unsigned int* size)
+{
+  void *buffer;
+  uint64_t fsize;
+
+  if (GNUNET_OK !=
+      GNUNET_DISK_file_size (filename,
+                             &fsize,
+                             GNUNET_YES,
+                             GNUNET_YES))
+    return NULL;
+  if (fsize > MAX_PEM_SIZE)
+    return NULL;
+  *size = (unsigned int) fsize;
+  buffer = GNUNET_malloc (*size);
+  if (fsize !=
+      GNUNET_DISK_fn_read (filename,
+                           buffer,
+                           (size_t) fsize))
+  {
+    GNUNET_free (buffer);
+    return NULL;
+  }
+  return buffer;
+}
+
+/**
+ * Load PEM key from file
+ *
+ * @param key where to store the data
+ * @param keyfile path to the PEM file
+ * @return #GNUNET_OK on success
+ */
+static int
+load_key_from_file (gnutls_x509_privkey_t key,
+                    const char* keyfile)
+{
+  gnutls_datum_t key_data;
+  int ret;
+
+  key_data.data = load_file (keyfile,
+                             &key_data.size);
+  if (NULL == key_data.data)
+    return GNUNET_SYSERR;
+  ret = gnutls_x509_privkey_import (key, &key_data,
+                                    GNUTLS_X509_FMT_PEM);
+  if (GNUTLS_E_SUCCESS != ret)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _("Unable to import private key from file `%s'\n"),
+                keyfile);
+  }
+  GNUNET_free_non_null (key_data.data);
+  return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
+}
+
+/**
+ * Load cert from file
+ *
+ * @param crt struct to store data in
+ * @param certfile path to pem file
+ * @return #GNUNET_OK on success
+ */
+static int
+load_cert_from_file (gnutls_x509_crt_t crt,
+                     const char* certfile)
+{
+  gnutls_datum_t cert_data;
+  int ret;
+
+  cert_data.data = load_file (certfile,
+                              &cert_data.size);
+  if (NULL == cert_data.data)
+    return GNUNET_SYSERR;
+  ret = gnutls_x509_crt_import (crt,
+                                &cert_data,
+                                GNUTLS_X509_FMT_PEM);
+  if (GNUTLS_E_SUCCESS != ret)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _("Unable to import certificate from `%s'\n"),
+                certfile);
+  }
+  GNUNET_free_non_null (cert_data.data);
+  return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
+}
 
 static size_t
 copy_buffer (void *ptr, size_t size, size_t nmemb, void *ctx)
@@ -112,8 +216,11 @@ mhd_ahc (void *cls,
                                               MHD_RESPMEM_MUST_COPY);
   ret = MHD_queue_response (connection, MHD_HTTP_OK, response);
   MHD_destroy_response (response);
-  if (ret == MHD_NO)
+  if (ret == MHD_NO) {
+    global_ret = 1;
     abort ();
+  }
+  global_ret = 0;
   return ret;
 }
 
@@ -138,13 +245,6 @@ do_shutdown ()
   }
   GNUNET_free_non_null (url);
 
-  if (NULL != tmp_cfgfile)
-    {
-      if (0 != remove (tmp_cfgfile))
-        GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, "remove", tmp_cfgfile);
-      GNUNET_free (tmp_cfgfile);
-      tmp_cfgfile = NULL;
-    }
   if (NULL != proxy_proc)
     {
       (void) GNUNET_OS_process_kill (proxy_proc, SIGKILL);
@@ -198,12 +298,12 @@ curl_main ()
     {
       if (msg->data.result != CURLE_OK)
       {
-        fprintf (stderr,
-                 "%s failed at %s:%d: `%s'\n",
-                 "curl_multi_perform",
-                __FILE__,
-                __LINE__, curl_easy_strerror (msg->data.result));
-        global_ret = 1;
+        fprintf (stderr,
+                 "%s failed at %s:%d: `%s'\n",
+                 "curl_multi_perform",
+                 __FILE__,
+                 __LINE__, curl_easy_strerror (msg->data.result));
+        global_ret = 1;
       }
     }
     curl_multi_remove_handle (multi, curl);
@@ -232,17 +332,17 @@ curl_main ()
   else
     delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, (unsigned int) timeout);
   GNUNET_NETWORK_fdset_copy_native (&nrs,
-                                    &rs,
-                                    max + 1);
+                                    &rs,
+                                    max + 1);
   GNUNET_NETWORK_fdset_copy_native (&nws,
-                                    &ws,
-                                    max + 1);
+                                    &ws,
+                                    max + 1);
   curl_task_id = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
-                                              delay,
-                                              &nrs,
-                                              &nws,
-                                              &curl_task,
-                                              NULL);
+                                              delay,
+                                              &nrs,
+                                              &nws,
+                                              &curl_task,
+                                              NULL);
 }
 
 
@@ -250,33 +350,30 @@ static void
 start_curl (void *cls)
 {
   GNUNET_asprintf (&url,
-                   "http://%s:%d/hello_world",
-                   TEST_DOMAIN, PORT);
+                   "https://%s:%d/hello_world",
+                   TEST_DOMAIN, port);
   curl = curl_easy_init ();
   curl_easy_setopt (curl, CURLOPT_URL, url);
+  //curl_easy_setopt (curl, CURLOPT_URL, "https://127.0.0.1:8443/hello_world");
   curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, &copy_buffer);
   curl_easy_setopt (curl, CURLOPT_WRITEDATA, &cbc);
   curl_easy_setopt (curl, CURLOPT_FAILONERROR, 1);
   curl_easy_setopt (curl, CURLOPT_TIMEOUT, 150L);
   curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, 15L);
   curl_easy_setopt (curl, CURLOPT_NOSIGNAL, 1);
+  curl_easy_setopt (curl, CURLOPT_CAINFO, cafile_opt);
+  //curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0L);
+  //curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0L);
   curl_easy_setopt (curl, CURLOPT_PROXY, "socks5h://127.0.0.1:7777");
 
   multi = curl_multi_init ();
   GNUNET_assert (multi != NULL);
   GNUNET_assert (CURLM_OK == curl_multi_add_handle (multi, curl));
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Beginning HTTP download from `%s'\n", url);
+  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Beginning HTTP download from `%s'\n", url);
   curl_main ();
 }
 
 
-static void
-disco_ns (void* cls)
-{
-  GNUNET_NAMESTORE_disconnect (namestore);
-}
-
-
 /**
  * Callback invoked from the namestore service once record is
  * created.
@@ -290,24 +387,11 @@ disco_ns (void* cls)
  *                specified target peer; NULL on error
  */
 static void
-commence_testing (void *cls,
-                  int32_t success,
-                  const char *emsg)
+commence_testing (void *cls)
 {
-  GNUNET_SCHEDULER_add_now (&disco_ns, NULL);
-
-  if ( (emsg != NULL) && (GNUNET_YES != success) )
-  {
-    fprintf (stderr,
-             "NS failed to create record %s\n",
-             emsg);
-    GNUNET_SCHEDULER_shutdown ();
-    return;
-  }
-
   curl_task_id =
-    GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS, 
-                                  &start_curl, NULL);
+    GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
+                                  &start_curl, NULL);
 }
 
 
@@ -345,139 +429,135 @@ mhd_main ()
   FD_ZERO (&es);
   max_fd = -1;
   GNUNET_assert (MHD_YES ==
-                 MHD_get_fdset (mhd, &rs, &ws, &es, &max_fd));
+                 MHD_get_fdset (mhd, &rs, &ws, &es, &max_fd));
   if (MHD_YES == MHD_get_timeout (mhd, &timeout))
     delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS,
-                                           (unsigned int) timeout);
+                                           (unsigned int) timeout);
   else
     delay = GNUNET_TIME_UNIT_FOREVER_REL;
   GNUNET_NETWORK_fdset_copy_native (&nrs,
-                                    &rs,
-                                    max_fd + 1);
+                                    &rs,
+                                    max_fd + 1);
   GNUNET_NETWORK_fdset_copy_native (&nws,
-                                    &ws,
-                                    max_fd + 1);
+                                    &ws,
+                                    max_fd + 1);
   mhd_task_id = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
-                                             delay,
-                                             &nrs,
-                                             &nws,
-                                             &mhd_task,
-                                             NULL);
+                                             delay,
+                                             &nrs,
+                                             &nws,
+                                             &mhd_task,
+                                             NULL);
 }
 
+
+/**
+ * Main function that will be run
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
 static void
 run (void *cls,
-     const struct GNUNET_CONFIGURATION_Handle *cfg,
-     struct GNUNET_TESTING_Peer *peer)
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
 {
-  enum MHD_FLAG flags;
-  struct GNUNET_CRYPTO_EcdsaPrivateKey *host_key;
-  struct GNUNET_GNSRECORD_Data rd;
-  char *zone_keyfile;
-
-  namestore = GNUNET_NAMESTORE_connect (cfg);
-  GNUNET_assert (NULL != namestore);
-  flags = MHD_USE_DEBUG;
-  mhd = MHD_start_daemon (flags,
-                          PORT,
-                          NULL, NULL,
-                          &mhd_ahc, NULL,
-                          MHD_OPTION_END);
-  GNUNET_assert (NULL != mhd);
-  mhd_main ();
-
-  tmp_cfgfile = GNUNET_DISK_mktemp ("test_gns_proxy_tmp.conf");
-  if (NULL == tmp_cfgfile)
-  {
-    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                "Failed to create tmp cfg!\n");
-    do_shutdown ();
-    return;
-  }
-
-  if (GNUNET_OK != GNUNET_CONFIGURATION_write ((struct GNUNET_CONFIGURATION_Handle *)cfg,
-                              tmp_cfgfile))
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Using `%s' as CA\n",
+              cafile_srv);
+  char cert[MAX_PEM_SIZE];
+  char key[MAX_PEM_SIZE];
+  size_t key_buf_size;
+  size_t cert_buf_size;
+
+  gnutls_global_init ();
+  gnutls_x509_crt_init (&proxy_cert);
+  gnutls_x509_privkey_init (&proxy_key);
+
+  if ( (GNUNET_OK !=
+        load_cert_from_file (proxy_cert,
+                             cafile_srv)) ||
+       (GNUNET_OK !=
+        load_key_from_file (proxy_key,
+                            cafile_srv)) )
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                "Failed to write tmp cfg\n");
-    do_shutdown ();
-    return;
-  }
-
-  proxy_proc = GNUNET_OS_start_process (GNUNET_NO,
-                                        GNUNET_OS_INHERIT_STD_ALL,
-                                        NULL,
-                                        NULL,
-                                        NULL,
-                                        "gnunet-gns-proxy",
-                                        "gnunet-gns-proxy",
-                                        "-c", tmp_cfgfile, NULL);
-
-  if (NULL == proxy_proc)
-  {
-    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                "Unable to start proxy\n");
-    do_shutdown ();
-    return;
-  }
-
-  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg, "gns",
-                                                            "ZONEKEY",
-                                                            &zone_keyfile))
-  {
-    GNUNET_log(GNUNET_ERROR_TYPE_ERROR, "Failed to get key from cfg\n");
+                _("Failed to load X.509 key and certificate from `%s'\n"),
+                cafile_srv);
+    gnutls_x509_crt_deinit (proxy_cert);
+    gnutls_x509_privkey_deinit (proxy_key);
+    gnutls_global_deinit ();
     return;
   }
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 NULL);
+  key_buf_size = sizeof (key);
+  cert_buf_size = sizeof (cert);
+  gnutls_x509_crt_export (proxy_cert,
+                          GNUTLS_X509_FMT_PEM,
+                          cert,
+                          &cert_buf_size);
+  gnutls_x509_privkey_export (proxy_key,
+                              GNUTLS_X509_FMT_PEM,
+                              key,
+                              &key_buf_size);
+  mhd = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_SSL | MHD_ALLOW_SUSPEND_RESUME, port,
+                          NULL, NULL,
+                          &mhd_ahc, NULL,
+                          MHD_OPTION_HTTPS_MEM_KEY, key,
+                          MHD_OPTION_HTTPS_MEM_CERT, cert,
+                          MHD_OPTION_END);
+  GNUNET_assert (NULL != mhd);
+  mhd_main ();
 
-  host_key = GNUNET_CRYPTO_ecdsa_key_create_from_file (zone_keyfile);
-  rd.expiration_time = GNUNET_TIME_UNIT_FOREVER_ABS.abs_value_us;
-  GNUNET_assert (GNUNET_OK == GNUNET_GNSRECORD_string_to_value (GNUNET_DNSPARSER_TYPE_A,
-                                                               "127.0.0.1",
-                                                               (void**)&rd.data,
-                                                               &rd.data_size));
-  rd.record_type = GNUNET_DNSPARSER_TYPE_A;
-
-  GNUNET_NAMESTORE_record_create (namestore,
-                                  host_key,
-                                  "www",
-                                  &rd,
-                                  &commence_testing,
-                                  NULL);
-
-  GNUNET_free ((void**)rd.data);
-  GNUNET_free (zone_keyfile);
-  GNUNET_free (host_key);
+  GNUNET_SCHEDULER_add_now (&commence_testing,
+                            NULL);
 }
 
 int
 main (int argc, char *const *argv)
 {
-  char *binary;
-
-  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary ("gnunet-gns-proxy", GNUNET_NO, NULL))
-  {
-    fprintf (stderr, "Proxy binary not in PATH... skipping!\n");
-    return 0;
-  }
-  binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-dns");
-  if (GNUNET_YES != GNUNET_OS_check_helper_binary (binary, GNUNET_YES, NULL)) // TODO: once we have a windows-testcase, add test parameters here
-  {
-    fprintf (stderr, "DNS helper binary has wrong permissions... skipping!\n");
-    GNUNET_free (binary);
-    return 0;
-  }
-    GNUNET_free (binary);
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_uint16 ('p',
+                                 "port",
+                                 NULL,
+                                 gettext_noop ("listen on specified port (default: 7777)"),
+                                 &port),
+    GNUNET_GETOPT_option_string ('A',
+                                 "curlcert",
+                                 NULL,
+                                 gettext_noop ("pem file to use as CA"),
+                                 &cafile_opt),
+    GNUNET_GETOPT_option_string ('S',
+                                 "servercert",
+                                 NULL,
+                                 gettext_noop ("pem file to use for the server"),
+                                 &cafile_srv),
+
+    GNUNET_GETOPT_OPTION_END
+  };
 
   if (0 != curl_global_init (CURL_GLOBAL_WIN32))
   {
     fprintf (stderr, "failed to initialize curl\n");
     return 2;
   }
-  if (0 != GNUNET_TESTING_peer_run ("test-gnunet-gns-proxy",
-                                    "test_gns_proxy.conf",
-                                    &run, NULL))
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  GNUNET_log_setup ("gnunet-gns-proxy-test",
+                    "WARNING",
+                    NULL);
+  if (GNUNET_OK != GNUNET_PROGRAM_run (argc, argv,
+                                       "gnunet-gns-proxy-test",
+                                       _("GNUnet GNS proxy test"),
+                                       options,
+                                       &run, NULL))
     return 1;
-  GNUNET_DISK_directory_remove ("/tmp/gnunet-test-gns-proxy");
+  GNUNET_free_non_null ((char *) argv);
   return global_ret;
 }
 
diff --git a/src/gns/test_gns_proxy.conf b/src/gns/test_gns_proxy.conf
index 51edd5a0c..3b21f1d90 100644
--- a/src/gns/test_gns_proxy.conf
+++ b/src/gns/test_gns_proxy.conf
@@ -1,30 +1,22 @@
-[PATHS]
-GNUNET_TEST_HOME = $GNUNET_TMP/gnunet-test-gns-proxy/
+@INLINE@ test_gns_defaults.conf
 
 [transport]
 PLUGINS = tcp
 
-[arm]
-PORT = 0
-ALLOW_SHUTDOWN = YES
-
-[testing]
-WEAKRANDOM = YES
-HOSTKEYSFILE = ${DATADIR}/testing_hostkeys.dat
-
 [gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
 START_ON_DEMAND = YES
-ZONEKEY = $GNUNET_TEST_HOME/.zonekey
-HIJACK_DNS = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
 
 [gns-proxy]
-PROXY_CACERT = proxy/test_cert.pem
+PROXY_CACERT = /tmp/proxy_cacert.pem
 PROXY_UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-gns-proxy.sock
 
 [namestore]
 START_ON_DEMAND = YES
-
-[dns]
-PROVIDE_EXIT = NO
-#DNS_EXIT = 8.8.8.8
-#PREFIX = valgrind --leak-check=full
diff --git a/src/gns/test_proxy.sh b/src/gns/test_proxy.sh
new file mode 100755
index 000000000..c960d4df9
--- /dev/null
+++ b/src/gns/test_proxy.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+TEST_DOMAIN="www.test"
+
+gnunet-arm -s -c test_gns_proxy.conf
+gnunet-gns-proxy-setup-ca -c test_gns_proxy.conf
+
+openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
+openssl rsa -passin pass:xxxx -in server.pass.key -out local.key
+rm server.pass.key
+openssl req -new -key local.key -out server.csr \
+  -subj "/C=DE/O=GNUnet/OU=GNS/CN=test.local"
+openssl x509 -req -days 1 -in server.csr -signkey local.key -out local.crt
+openssl x509 -in local.crt -out local.der -outform DER
+HEXCERT=`xxd -p local.der | tr -d '\n'`
+#echo "This is the certificate the server does not use: $HEXCERT"
+OLDBOXVALUE="6 8443 52 3 0 0 $HEXCERT"
+
+
+openssl req -new -key local.key -out server.csr \
+  -subj "/C=DE/O=GNUnet/OU=GNS/CN=test.local"
+openssl x509 -req -days 1 -in server.csr -signkey local.key -out local.crt
+openssl x509 -in local.crt -out local.der -outform DER
+HEXCERT=`xxd -p local.der | tr -d '\n'`
+#echo "This is the certificate the server does use: $HEXCERT"
+BOXVALUE="6 8443 52 3 0 0 $HEXCERT"
+
+cat local.crt > /tmp/server_cacert.pem
+cat local.key >> /tmp/server_cacert.pem
+
+gnunet-identity -C test -c test_gns_proxy.conf
+gnunet-namestore -p -z test -a -n www -t A -V 127.0.0.1 -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z test -a -n www -t LEHO -V "test.local" -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z test -a -n www -t BOX -V "$OLDBOXVALUE" -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z test -a -n www -t BOX -V "$BOXVALUE" -e never -c test_gns_proxy.conf
+
+gnunet-arm -i gns-proxy -c test_gns_proxy.conf
+
+#gnurl --socks5-hostname 127.0.0.1:7777 https://www.test -v --cacert /tmp/proxy_cacert.pem
+./test_gns_proxy -A /tmp/proxy_cacert.pem -S /tmp/server_cacert.pem -p 8443 -c test_gns_proxy.conf
+
+RES=$?
+
+rm /tmp/proxy_cacert.pem
+rm /tmp/server_cacert.pem
+
+gnunet-arm -e test_gns_proxy.conf
+
+if test $RES != 0
+then
+  echo "Failed"
+  exit 1
+fi