diff --git a/component/caddy/gowork.cfg b/component/caddy/gowork.cfg
index a6aa94769127bf44b0d9a3578ac86c5f0d2d2bb1..b23dfb95821d991686fa0da034806e7e345a93f8 100644
--- a/component/caddy/gowork.cfg
+++ b/component/caddy/gowork.cfg
@@ -10,4 +10,4 @@ depends_gitfetch  =
 <= go-git-package
 go.importpath = github.com/mholt/caddy
 repository    = https://lab.nexedi.com/nexedi/caddy.git
-revision      = nxd-v0.11.0-3-g12438f6cff8c15f307631151eb064cec579b7605
+revision      = nxd-v0.11.1-5-gdd393ce3a67e6a773be87185528a00f2e0a9eb26
diff --git a/component/nginx/buildout.cfg b/component/nginx/buildout.cfg
index 05c92def19a080f1591d03fd5d4c33eb23dbd159..05aafbe12b0c175fb871226bd6b1c61babf9bdfd 100644
--- a/component/nginx/buildout.cfg
+++ b/component/nginx/buildout.cfg
@@ -31,8 +31,8 @@ configure-options=
   --with-http_realip_module
   --with-mail
   --with-mail_ssl_module
-  --with-ld-opt="-L ${openssl:location}/lib -L ${pcre:location}/lib -L ${zlib:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib"
-  --with-cc-opt="-I ${openssl:location}/include -I ${pcre:location}/include -I ${zlib:location}/include"
+  --with-ld-opt="-L ${openssl-1.0:location}/lib -L ${pcre:location}/lib -L ${zlib:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib"
+  --with-cc-opt="-I ${openssl-1.0:location}/include -I ${pcre:location}/include -I ${zlib:location}/include"
 
 [nginx-dav-ext-module]
 recipe = hexagonit.recipe.download
@@ -52,8 +52,8 @@ configure-options =
   --with-mail
   --with-mail_ssl_module
   --error-log-path=var/log/nginx.error.log
-  --with-ld-opt=" -L ${libexpat:location}/lib -L ${openssl:location}/lib -L ${pcre:location}/lib -L ${zlib:location}/lib -Wl,-rpath=${libexpat:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib"
-  --with-cc-opt="-I ${libexpat:location}/include -I ${openssl:location}/include -I ${pcre:location}/include -I ${zlib:location}/include"
+  --with-ld-opt=" -L ${libexpat:location}/lib -L ${openssl-1.0:location}/lib -L ${pcre:location}/lib -L ${zlib:location}/lib -Wl,-rpath=${libexpat:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib"
+  --with-cc-opt="-I ${libexpat:location}/include -I ${openssl-1.0:location}/include -I ${pcre:location}/include -I ${zlib:location}/include"
   --with-http_dav_module 
   --add-module='${nginx-dav-ext-module:location}'
 
@@ -79,8 +79,8 @@ strip-top-level-dir = true
 configure-options=
   --with-ipv6
   --with-http_ssl_module
-  --with-ld-opt="-L ${zlib:location}/lib -L ${openssl:location}/lib -L ${pcre:location}/lib  -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${openssl:location}/lib"
-  --with-cc-opt="-I ${pcre:location}/include -I ${openssl:location}/include -I ${zlib:location}/include"
+  --with-ld-opt="-L ${zlib:location}/lib -L ${openssl-1.0:location}/lib -L ${pcre:location}/lib  -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib"
+  --with-cc-opt="-I ${pcre:location}/include -I ${openssl-1.0:location}/include -I ${zlib:location}/include"
   --add-module=${hexaglobe-nginx-module:location}/sub_module
 # --add-module=${hexaglobe-nginx-module:location}/nginx-upstream-fair
 
@@ -97,8 +97,8 @@ configure-options=
   --with-http_ssl_module
   --with-http_v2_module
   --with-http_gzip_static_module
-  --with-ld-opt="-L ${zlib:location}/lib -L ${openssl:location}/lib -L ${pcre:location}/lib  -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${openssl:location}/lib"
-  --with-cc-opt="-I ${pcre:location}/include -I ${openssl:location}/include -I ${zlib:location}/include"
+  --with-ld-opt="-L ${zlib:location}/lib -L ${openssl-1.0:location}/lib -L ${pcre:location}/lib  -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib"
+  --with-cc-opt="-I ${pcre:location}/include -I ${openssl-1.0:location}/include -I ${zlib:location}/include"
   --add-module=${nginx-push-stream-module:location}
 
 [nginx-push-stream-output]
diff --git a/component/nodejs/buildout.cfg b/component/nodejs/buildout.cfg
index 075803a6ac9832b827315db80c5758a061960248..3d848200d1d49096ce3b11de449e4ec98309a188 100644
--- a/component/nodejs/buildout.cfg
+++ b/component/nodejs/buildout.cfg
@@ -35,15 +35,15 @@ recipe = slapos.recipe.cmmi
 url = https://nodejs.org/dist/${:version}/node-${:version}.tar.gz
 configure-options =
   --shared-openssl
-  --shared-openssl-includes=${openssl:location}/include
-  --shared-openssl-libpath=${openssl:location}/lib
+  --shared-openssl-includes=${openssl-1.0:location}/include
+  --shared-openssl-libpath=${openssl-1.0:location}/lib
 environment =
   HOME=${buildout:parts-directory}/${:_buildout_section_name_}
   PATH=${gcc:location}/bin:${pkgconfig:location}/bin:${python2.7:location}/bin/:%(PATH)s
-  PKG_CONFIG_PATH=${openssl:location}/lib/pkgconfig/
+  PKG_CONFIG_PATH=${openssl-1.0:location}/lib/pkgconfig/
   CPPFLAGS=-I${zlib:location}/include
-  LDFLAGS=-Wl,-rpath=${gcc:location}/lib -Wl,-rpath=${gcc:location}/lib64 -Wl,-rpath=${openssl:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
-  LD_LIBRARY_PATH=${openssl:location}/lib
+  LDFLAGS=-Wl,-rpath=${gcc:location}/lib -Wl,-rpath=${gcc:location}/lib64 -Wl,-rpath=${openssl-1.0:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
+  LD_LIBRARY_PATH=${openssl-1.0:location}/lib
 
 [nodejs-8.6.0-output]
 # Shared binary location to ease migration
diff --git a/component/openldap/buildout.cfg b/component/openldap/buildout.cfg
index 8ac8b2569bb12ecc8c0edc0eb98cd0eb849eb1a2..2ed3f435d24081517d0016812532c18b76f50e73 100644
--- a/component/openldap/buildout.cfg
+++ b/component/openldap/buildout.cfg
@@ -24,6 +24,6 @@ configure-options =
   --with-tls=openssl
 
 environment =
-  CPPFLAGS=-I${openssl:location}/include -I${cyrus-sasl:location}/include
-  LDFLAGS=-L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib -L${cyrus-sasl:location}/lib -Wl,-rpath=${cyrus-sasl:location}/lib
+  CPPFLAGS=-I${openssl-1.0:location}/include -I${cyrus-sasl:location}/include
+  LDFLAGS=-L${openssl-1.0:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib -L${cyrus-sasl:location}/lib -Wl,-rpath=${cyrus-sasl:location}/lib
   PATH=${groff:location}/bin:%(PATH)s
diff --git a/component/openssh/buildout.cfg b/component/openssh/buildout.cfg
index 49557b0974d5b68cfc976060ed9c11e1b67e267b..0341fedcb2bc5e6b82201aac1403b155ae09f5a5 100644
--- a/component/openssh/buildout.cfg
+++ b/component/openssh/buildout.cfg
@@ -22,8 +22,8 @@ patch-binary = ${patch:location}/bin/patch
 patches =
   ${:_profile_base_location_}/no_create_privsep_path.patch#d5b61a2442fffa457cebe4ad1dc68f4e
 environment = 
-  CPPFLAGS=-I${zlib:location}/include -I${openssl:location}/include
-  LDFLAGS=-L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib
+  CPPFLAGS=-I${zlib:location}/include -I${openssl-1.0:location}/include
+  LDFLAGS=-L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${openssl-1.0:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib
 configure-options = 
   --prefix=${buildout:parts-directory}/${:_buildout_section_name_}
   --exec-prefix=${buildout:parts-directory}/${:_buildout_section_name_}
diff --git a/component/openssl/buildout.cfg b/component/openssl/buildout.cfg
index 97b7ded72016d3d9ccb1c11da497615ac9ec1a07..cd40c6124051dec8c80a475954bb2c638c2ac296 100644
--- a/component/openssl/buildout.cfg
+++ b/component/openssl/buildout.cfg
@@ -17,6 +17,45 @@ parts =
 [openssl]
 recipe = slapos.recipe.cmmi
 shared = true
+url = https://www.openssl.org/source/openssl-1.1.0j.tar.gz
+md5sum = b4ca5b78ae6ae79da80790b30dbedbdc
+location = @@LOCATION@@
+# 'prefix' option to override --openssldir/--prefix (which is useful
+# when combined with INSTALL_PREFIX). Used by slapos.package.git/obs
+prefix = ${:location}
+certs = ${:location}/etc/ssl/certs
+configure-command = ./config
+configure-options =
+  --with-zlib-include=${zlib:location}/include
+  --with-zlib-lib=${zlib:location}/lib
+  --openssldir=${:prefix}/etc/ssl
+  --prefix=${:prefix}
+  --libdir=lib
+  shared no-idea no-mdc2 no-rc5 zlib
+  -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${:location}/lib
+  && make depend
+make-options =
+  SHARED_LDFLAGS='-Wl,-rpath=${:location}/lib -Wl,-rpath=${zlib:location}/lib'
+make-targets =
+  -j1 install_sw install_ssldirs &&
+  rm -f ${:certs}/* &&
+  for i in ${ca-certificates:location}/certs/*/*.crt; do
+    ln -sv $i ${:certs}/`${:location}/bin/openssl x509 -hash -noout -in $i`.0
+  ; done
+environment =
+  PERL=${perl:location}/bin/perl
+
+[openssl-output]
+# Shared binary location to ease migration
+recipe = plone.recipe.command
+stop-on-error = true
+update-command = ${:command}
+command = ${coreutils-output:test} -x ${:openssl}
+openssl = ${openssl:location}/bin/openssl
+
+[openssl-1.0]
+recipe = slapos.recipe.cmmi
+shared = true
 url = https://www.openssl.org/source/openssl-1.0.2p.tar.gz
 md5sum = ac5eb30bf5798aa14b1ae6d0e7da58df
 location = @@LOCATION@@
@@ -47,11 +86,3 @@ make-targets =
   ; done
 environment =
   PERL=${perl:location}/bin/perl
-
-[openssl-output]
-# Shared binary location to ease migration
-recipe = plone.recipe.command
-stop-on-error = true
-update-command = ${:command}
-command = ${coreutils-output:test} -x ${:openssl}
-openssl = ${openssl:location}/bin/openssl
diff --git a/component/postfix/buildout.cfg b/component/postfix/buildout.cfg
index e425a2d5f76448ee9ed16d70aa608bf9f640ac49..6bb5f4bceb9a65e11a7d6061fde31daac5338123 100644
--- a/component/postfix/buildout.cfg
+++ b/component/postfix/buildout.cfg
@@ -20,7 +20,7 @@ patches =
   ${:_profile_base_location_}/noroot.patch#738bcc97b8044c45b58708bdf3a84b8e
   ${:_profile_base_location_}/skip-libdb-check.patch#f7fdbd8787874b535fee548b0139c0d8
 configure-command = make
-configure-options = makefiles CCARGS='-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -DHAS_PCRE -DHAS_DB -I${libdb:location}/include -I${pcre:location}/include -I${openssl:location}/include -I${cyrus-sasl:location}/include/sasl' AUXLIBS='-L${openssl:location}/lib -L${pcre:location}/lib -L${libdb:location}/lib -L${cyrus-sasl:location}/lib -lssl -lpcre -ldb -lcrypto -lsasl2 -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${libdb:location}/lib -Wl,-rpath=${cyrus-sasl:location}/lib'
+configure-options = makefiles CCARGS='-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -DHAS_PCRE -DHAS_DB -I${libdb:location}/include -I${pcre:location}/include -I${openssl-1.0:location}/include -I${cyrus-sasl:location}/include/sasl' AUXLIBS='-L${openssl-1.0:location}/lib -L${pcre:location}/lib -L${libdb:location}/lib -L${cyrus-sasl:location}/lib -lssl -lpcre -ldb -lcrypto -lsasl2 -Wl,-rpath=${openssl-1.0:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${libdb:location}/lib -Wl,-rpath=${cyrus-sasl:location}/lib'
 make-targets = non-interactive-package install_root=${:location}
 environment =
   PATH=${patch:location}/bin:%(PATH)s
diff --git a/component/proftpd/buildout.cfg b/component/proftpd/buildout.cfg
index bc3ab46e3a3a447547024369e48c23ba1e24c29b..41997cfe366caca2158f0f7d4f037292767f746b 100644
--- a/component/proftpd/buildout.cfg
+++ b/component/proftpd/buildout.cfg
@@ -24,6 +24,9 @@ recipe = collective.recipe.grp
 recipe = slapos.recipe.cmmi
 md5sum = 13270911c42aac842435f18205546a1b
 url = ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.6.tar.gz
+# 1.3.6 is not compatible with openssl 1.1.x
+# https://github.com/proftpd/proftpd/issues/674
+# (fix is in master, we are waiting for next release)
 configure-options =
   --enable-openssl
   --enable-nls
@@ -36,8 +39,8 @@ environment =
   LDFLAGS=${:ldflags}
   install_user=${proftpd-environment:USER}
   install_group=${proftpd-grp:GROUP}
-cppflags=-I${zlib:location}/include -I${openssl:location}/include
-ldflags=-L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib
+cppflags=-I${zlib:location}/include -I${openssl-1.0:location}/include
+ldflags=-L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${openssl-1.0:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib
 patch-binary = ${patch:location}/bin/patch
 patch-options = -p1
 patches =
diff --git a/component/quic_client-bin/buildout.cfg b/component/quic_client-bin/buildout.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..e357665f34cd18badecb245c472427ec5ff67e30
--- /dev/null
+++ b/component/quic_client-bin/buildout.cfg
@@ -0,0 +1,55 @@
+# Command line tool to test QUIC protocol
+# This is compiled version provided by Lucas Clemente (thanks!), which
+# drastically simplifies https://www.chromium.org/quic/playing-with-quic
+# approach, which requires big chunks of Chromium compilation environment
+[buildout]
+extends =
+# running
+  ../nss/buildout.cfg
+  ../nspr/buildout.cfg
+  ../glib/buildout.cfg
+  ../pcre/buildout.cfg
+  ../libffi/buildout.cfg
+  ../zlib/buildout.cfg
+  ../libuuid/buildout.cfg
+# compilation
+  ../git/buildout.cfg
+
+parts =
+  quic_client-bin
+
+[quic_client-bin]
+recipe = slapos.recipe.build
+url = https://github.com/lucas-clemente/quic-clients/archive/557cb1f99f591614d474e182b50cfee9334e0ffd.zip
+md5sum = e2c78f4f7fb6ed03f6eec25b5e54fed3
+slapos_promise =
+    file:quic_client
+    file:client-linux-debug
+library =
+  ${nss:location}/lib
+  ${nspr:location}/lib
+  ${glib:location}/lib
+  ${pcre:location}/lib
+  ${libffi:location}/lib
+  ${zlib:location}/lib
+  ${libuuid:location}/lib
+script =
+  import glob
+  location = %(location)r
+  self.failIfPathExists(location)
+  url = self.options['url']
+  md5sum = self.options['md5sum']
+  extract_dir = self.extract(self.download(url, md5sum))
+  os.mkdir(location)
+  source_file = glob.glob(os.path.join(extract_dir, '*', 'client-linux-debug'))[0]
+  shutil.copy(source_file, location)
+  wrapper_path = os.path.join(location, 'quic_client')
+  with open(wrapper_path, 'w') as f:
+    f.write("""#!/bin/sh -e
+  export LD_LIBRARY_PATH={}
+  exec {}/client-linux-debug "$@"
+  """.format(
+    ':'.join(self.options['library'].split()),
+    location
+  ))
+    os.fchmod(f.fileno(), 0o755)
diff --git a/component/serf/buildout.cfg b/component/serf/buildout.cfg
index 440c1090d99a5e1cae76f40099154b31f88ce945..bfdb599cf2c1a52221ccd7721acbd10aaa50c4ba 100644
--- a/component/serf/buildout.cfg
+++ b/component/serf/buildout.cfg
@@ -15,7 +15,7 @@ md5sum = 4f8e76c9c6567aee1d66aba49f76a58b
 configure-options =
   --with-apr=${apache:location}/bin/apr-1-config
   --with-apr-util=${apache:location}/bin/apu-1-config
-  --with-openssl=${openssl:location}
+  --with-openssl=${openssl-1.0:location}
 environment =
   CFLAGS=-I${zlib:location}/include -I${libuuid:location}/include
   LDFLAGS=-L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${libuuid:location}/lib -Wl,-rpath=${libuuid:location}/lib
diff --git a/component/shellinabox/buildout.cfg b/component/shellinabox/buildout.cfg
index a8408dec18f00a81c0900397668cf91a2f501056..0f6ff83964fac7dd13eba186af7c48898df35620 100644
--- a/component/shellinabox/buildout.cfg
+++ b/component/shellinabox/buildout.cfg
@@ -5,7 +5,6 @@ extends =
   ../git/buildout.cfg
   ../libtool/buildout.cfg
   ../m4/buildout.cfg
-  ../openssl/buildout.cfg
   ../patch/buildout.cfg
   ../zlib/buildout.cfg
 
@@ -24,9 +23,8 @@ path = ${shellinabox-git-repository:location}
 configure-command =
   ${libtool:location}/bin/libtoolize
   ${autoconf:location}/bin/autoreconf -vif
-  ./configure
+  ./configure --disable-ssl
 environment =
   PATH=${autoconf:location}/bin:${automake:location}/bin:${git:location}/bin:${libtool:location}/bin:${m4:location}/bin:%(PATH)s
-  CFLAGS = -I${zlib:location}/include -I${openssl:location}/include
-  LDFLAGS = -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib
-  PKG_CONFIG_PATH = ${openssl:location}/lib/pkgconfig/
+  CFLAGS = -I${zlib:location}/include
+  LDFLAGS = -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
\ No newline at end of file
diff --git a/component/stunnel/buildout.cfg b/component/stunnel/buildout.cfg
index be96184890039f28ec092a56c4dd95617a4f969e..f0d234e08ff63bd9378ee81ca15b2fed6eccfba7 100644
--- a/component/stunnel/buildout.cfg
+++ b/component/stunnel/buildout.cfg
@@ -13,7 +13,7 @@ configure-options =
   --enable-ipv6
   --disable-libwrap
   --disable-fips
-  --with-ssl=${openssl:location}
+  --with-ssl=${openssl-1.0:location}
 environment =
   CPPFLAGS=-I${zlib:location}/include
-  LDFLAGS=-Wl,-rpath=${openssl:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
+  LDFLAGS=-Wl,-rpath=${openssl-1.0:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
diff --git a/component/subversion/buildout.cfg b/component/subversion/buildout.cfg
index f4dbbb8b73f14ae9cada87b592f5f6a7a5a00c4e..de99a1d47ac488522352c63a5a394ffae1833cf1 100644
--- a/component/subversion/buildout.cfg
+++ b/component/subversion/buildout.cfg
@@ -53,9 +53,9 @@ configure-options =
 make-targets = install -j1
 environment =
   PATH=${patch:location}/bin:${perl:location}/bin:${pkgconfig:location}/bin:%(PATH)s
-  PKG_CONFIG_PATH=${apache:location}/lib/pkgconfig:${sqlite3:location}/lib/pkgconfig:${openssl:location}/lib/pkgconfig:${serf:location}/lib/pkgconfig
+  PKG_CONFIG_PATH=${apache:location}/lib/pkgconfig:${sqlite3:location}/lib/pkgconfig:${openssl-1.0:location}/lib/pkgconfig:${serf:location}/lib/pkgconfig
   CPPFLAGS=-I${libexpat:location}/include -I${libuuid:location}/include
-  LDFLAGS=-L${libexpat:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${sqlite3:location}/lib -Wl,-rpath=${apache:location}/lib -L${libuuid:location}/lib -Wl,-rpath=${libuuid:location}/lib -Wl,-rpath=${openssl:location}/lib
+  LDFLAGS=-L${libexpat:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${sqlite3:location}/lib -Wl,-rpath=${apache:location}/lib -L${libuuid:location}/lib -Wl,-rpath=${libuuid:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib
 
 [subversion-1.9]
 recipe = hexagonit.recipe.cmmi
@@ -95,6 +95,6 @@ make-targets =
 
 environment =
   PATH=${pkgconfig:location}/bin:${neon:location}/bin:%(PATH)s
-  PKG_CONFIG_PATH=${apache:location}/lib/pkgconfig:${sqlite3:location}/lib/pkgconfig:${openssl:location}/lib/pkgconfig:${neon:location}/lib/pkgconfig
+  PKG_CONFIG_PATH=${apache:location}/lib/pkgconfig:${sqlite3:location}/lib/pkgconfig:${openssl-1.0:location}/lib/pkgconfig:${neon:location}/lib/pkgconfig
   CPPFLAGS=-I${libexpat:location}/include -I${libuuid:location}/include
-  LDFLAGS=-L${libexpat:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${sqlite3:location}/lib -Wl,-rpath=${neon:location}/lib -Wl,-rpath=${apache:location}/lib -L${libuuid:location}/lib -Wl,-rpath=${libuuid:location}/lib
+  LDFLAGS=-L${libexpat:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=${sqlite3:location}/lib -Wl,-rpath=${neon:location}/lib -Wl,-rpath=${apache:location}/lib -L${libuuid:location}/lib -Wl,-rpath=${libuuid:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib
diff --git a/component/trafficserver/buildout.cfg b/component/trafficserver/buildout.cfg
index 16af337b4ccf999020aa15ffe53e69327f1f908a..0a1de518fc71d261c1a8e6c9dc832a5fe7a21f7a 100644
--- a/component/trafficserver/buildout.cfg
+++ b/component/trafficserver/buildout.cfg
@@ -19,7 +19,7 @@ recipe = slapos.recipe.cmmi
 url = http://apache.claz.org/trafficserver/trafficserver-4.2.3.tar.bz2
 md5sum = 1d06a6e9063ceea3f19dbb84752ec710
 configure-options =
-  --with-openssl=${openssl:location}
+  --with-openssl=${openssl-1.0:location}
   --with-xml=libxml2
   --with-libxml2=${libxml2:location}
   --with-pcre=${pcre:location}
@@ -32,7 +32,7 @@ configure-options =
   --enable-experimental-plugins
 environment =
   PATH=${libtool:location}/bin:${make:location}/bin:${perl:location}/bin:${pkgconfig:location}/bin:%(PATH)s
-  LDFLAGS =-L${libxml2:location}/lib -Wl,-rpath=${libxml2:location}/lib -L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib -L${tcl:location}/lib -Wl,-rpath=${tcl:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
+  LDFLAGS =-L${libxml2:location}/lib -Wl,-rpath=${libxml2:location}/lib -L${openssl-1.0:location}/lib -Wl,-rpath=${openssl-1.0:location}/lib -L${tcl:location}/lib -Wl,-rpath=${tcl:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
 make-target =
   check
   install
diff --git a/software/caddy-frontend/TODO.rst b/software/caddy-frontend/TODO.rst
index 4921eda4fe2bd3e2d998120ff5fa747bb8113386..7eacba7fa7a506f25d3824cfb6bff6b3027c5a8e 100644
--- a/software/caddy-frontend/TODO.rst
+++ b/software/caddy-frontend/TODO.rst
@@ -2,8 +2,6 @@ Generally things to be done with ``caddy-frontend``:
 
  * return warning on not implemented keys (from ``apache-frontend`` perspective) in master and slave request
  * tests: add assertion with results of promises in etc/promise for each partition
- * tests: compare python objects where possible instead of instead of strings (eg. load ``rejected-slave-dict``)
- * tests: swich to `cryptography <https://pypi.org/project/cryptography/>`_ for certificate management
  * README: cleanup the documentation, explain various specifics
  * check the whole frontend slave snippet with ``caddy -validate`` during buildout run, and reject if does not pass validation
  * ``apache-ca-certificate`` shall be merged with ``apache-certificate``
@@ -15,7 +13,6 @@ Generally things to be done with ``caddy-frontend``:
  * ``type:eventsource``:
 
    * **J茅rome Perrin**: *For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream . If we have a "central shared" caddy instance, can it handle keeping connections opens for many clients ?*
- * ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug `#1550 <https://github.com/mholt/caddy/issues/1550>`_, proposed solution `just adding your CA to the system's trust store`
  * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
  * cover test suite like resilient tests for KVM and prove it works the same way as Caddy
  * have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones:
diff --git a/software/caddy-frontend/buildout.hash.cfg b/software/caddy-frontend/buildout.hash.cfg
index 6a4c108154614dfc7c220babb69ea6628547d1d0..909043f4e7ed526bb5d6527c8f94f4a7db69cbdc 100644
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
 
 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = ab1795f92e32655d05c662c965d2b1f5
+md5sum = db61a7c0aadba180b7aec6056d2c0019
 
 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
@@ -30,7 +30,7 @@ md5sum = 6a86edb96b171fbd0a59d0adc9cc906b
 
 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = b30bcd11c545d86c30d05db9cecb4f80
+md5sum = 434e00cbfee2f9c002b2a83084a48b4a
 
 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
@@ -42,11 +42,7 @@ md5sum = 01efde8febafcff6dde2ebb43e75a9e4
 
 [template-caddy-frontend-configuration]
 filename = templates/Caddyfile.in
-md5sum = 7c987ad75fcce6f5b925c7696ff41971
-
-[template-custom-slave-list]
-filename = templates/apache-custom-slave-list.cfg.in
-md5sum = b30bcd11c545d86c30d05db9cecb4f80
+md5sum = 0134a1586f15cd5665069d6d81a505be
 
 [caddy-backend-url-validator]
 filename = templates/caddy-backend-url-validator.in
@@ -62,15 +58,15 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
 
 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = 73bc8abae6aadc3ce55662c3d821b363
+md5sum = b7879a40ed7f8a49b764c82e7283811f
 
 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in
-md5sum = 7cbcadc295860821ac9d3aaa3cca72c5
+md5sum = c64f8ac7ec439460877ce5a5c5ccf1f7
 
 [template-log-access]
 filename = templates/template-log-access.conf.in
-md5sum = f2a74f88c7248f199011fa9ec6182f73
+md5sum = 122b05829ecc4c0ad4e47e7d1c21166b
 
 [template-empty]
 filename = templates/empty.in
@@ -104,9 +100,13 @@ md5sum = 2b765db72191197122554df17ad471d1
 filename = templates/apache-lazy-script-call.sh.in
 md5sum = ebe5d3d19923eb812a40019cb11276d8
 
-[template-caddy-graceful-script]
-filename = templates/caddy-graceful-script.sh.in
-md5sum = 455f8765a3afd39fb78562fb9e326c42
+[template-graceful-script]
+filename = templates/graceful-script.sh.in
+md5sum = 31dd34de4c40a1d814bcbef482c757cc
+
+[template-validate-script]
+filename = templates/validate-script.sh.in
+md5sum = 4c80ba3727c397f8d5b12cf1888cf959
 
 [caddyprofiledeps-setup]
 filename = setup.py
diff --git a/software/caddy-frontend/common.cfg b/software/caddy-frontend/common.cfg
index 0688a6af025455b65310b4cac0f0192245b5d951..3a12703a755affc4331ce0782eada5801cf17389 100644
--- a/software/caddy-frontend/common.cfg
+++ b/software/caddy-frontend/common.cfg
@@ -88,11 +88,13 @@ gzip = ${gzip:location}
 logrotate = ${logrotate:location}
 openssl = ${openssl:location}
 trafficserver = ${trafficserver:location}
+sha256sum = ${coreutils:location}/bin/sha256sum
 
 monitor_template = ${monitor-template:output}
 template_cached_slave_virtualhost = ${template-cached-slave-virtualhost:target}
 template_caddy_frontend_configuration = ${template-caddy-frontend-configuration:target}
-template_caddy_graceful_script = ${template-caddy-graceful-script:target}
+template_graceful_script = ${template-graceful-script:target}
+template_validate_script = ${template-validate-script:target}
 template_caddy_lazy_script_call = ${template-caddy-lazy-script-call:target}
 template_default_slave_virtualhost = ${template-default-slave-virtualhost:target}
 template_empty = ${template-empty:target}
@@ -172,10 +174,6 @@ filename = replicate-publish-slave-information.cfg.in
 <=download-template
 filename = Caddyfile.in
 
-[template-custom-slave-list]
-<=download-template
-filename = caddy-default-slave-list.cfg.in
-
 [template-not-found-html]
 <=download-template
 filename = notfound.html
@@ -223,9 +221,13 @@ mode = 0644
 <=download-template
 filename = apache-lazy-script-call.sh.in
 
-[template-caddy-graceful-script]
+[template-graceful-script]
+<=download-template
+filename = graceful-script.sh.in
+
+[template-validate-script]
 <=download-template
-filename = caddy-graceful-script.sh.in
+filename = validate-script.sh.in
 
 [template-nginx-eventsource-slave-virtualhost]
 <=download-template
diff --git a/software/caddy-frontend/instance-apache-frontend.cfg.in b/software/caddy-frontend/instance-apache-frontend.cfg.in
index 4a613d70c3f298e7186c4c6a3ea037df71b8b5e1..a8104e9b72df8ff23ec4f2f7336ac984c557faf7 100644
--- a/software/caddy-frontend/instance-apache-frontend.cfg.in
+++ b/software/caddy-frontend/instance-apache-frontend.cfg.in
@@ -86,6 +86,9 @@ ca-dir = ${:srv}/ssl
 
 varnginx = ${:var}/nginx
 
+frontend_cluster = ${:var}/frontend_cluster
+nginx_cluster = ${:var}/nginx_cluster
+
 [switch-caddy-softwaretype]
 recipe = slapos.cookbook:softwaretype
 single-default = ${dynamic-custom-personal-template-slave-list:rendered}
@@ -94,10 +97,36 @@ single-custom-personal = ${dynamic-custom-personal-template-slave-list:rendered}
 [frontend-configuration]
 template-log-access = {{ parameter_dict['template_log_access'] }}
 log-access-configuration = ${directory:etc}/log-access.conf
+ip-access-certificate = ${self-signed-ip-access:certificate}
+ip-access-key = ${self-signed-ip-access:key}
 caddy-directory = {{ parameter_dict['caddy_location'] }}
 caddy-ipv6 = {{ instance_parameter['ipv6-random'] }}
 caddy-https-port = ${configuration:port}
 
+[self-signed-ip-access]
+# Self Signed certificate for HTTPS IP accesses to the frontend
+recipe = plone.recipe.command
+update-command = ${:command}
+ipv6 = ${slap-network-information:global-ipv6}
+ipv4 = {{instance_parameter['ipv4-random']}}
+key = ${caddy-directory:vh-ssl}/ip-access-${:ipv6}-${:ipv4}.key
+certificate = ${caddy-directory:vh-ssl}/ip-access-${:ipv6}-${:ipv4}.crt
+stop-on-error = True
+command =
+  [ -f ${:key} ] && [ -f ${:certificate} ] && exit 0
+  rm -f ${:key} ${:certificate}
+  /bin/bash -c ' \
+  {{ parameter_dict['openssl'] }}/bin/openssl req \
+     -new -newkey rsa:2048 -sha256 \
+     -nodes -x509 -days 36500 \
+     -keyout ${:key} \
+     -subj "/CN=Self Signed IP Access" \
+     -reqexts SAN \
+     -extensions SAN \
+     -config <(cat {{ parameter_dict['openssl'] }}/etc/ssl/openssl.cnf \
+         <(printf "\n[SAN]\nsubjectAltName=IP:${:ipv6},IP:${:ipv4}")) \
+     -out ${:certificate}'
+
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 rendered = ${buildout:directory}/${:filename}
@@ -224,9 +253,11 @@ extra-context =
 
 [caddy-wrapper]
 recipe = slapos.cookbook:wrapper
+environment =
+  CADDYPATH=${directory:frontend_cluster}
 command-line = {{ parameter_dict['caddy'] }}
   -conf ${dynamic-caddy-frontend-template:rendered}
-  -log ${caddy-configuration:error-log}
+  -log stdout
   -http2=true
 {% if instance_parameter['configuration.enable-quic'].lower() in TRUE_VALUES %}
   -quic
@@ -267,7 +298,7 @@ frontend-configuration = ${directory:etc}/Caddyfile
 access-log = ${directory:log}/frontend-access.log
 error-log = ${directory:log}/frontend-error.log
 pid-file = ${directory:run}/httpd.pid
-frontend-configuration-verification = ${caddy-wrapper:wrapper-path} -validate > /dev/null
+frontend-configuration-verification = ${frontend-caddy-validate:rendered}
 frontend-graceful-command = ${:frontend-configuration-verification}; if [ $? -eq 0 ]; then kill -USR1 $(cat ${:pid-file}); fi
 not-found-file = ${caddy-directory:document-root}/notfound.html
 # Communication with ATS
@@ -277,7 +308,7 @@ ssl-cache-through-port = 26012
 
 [configtest]
 recipe = slapos.cookbook:wrapper
-command-line = ${caddy-wrapper:wrapper-path} -validate
+command-line = ${frontend-caddy-validate:rendered}
 wrapper-path = ${directory:bin}/caddy-configtest
 
 [certificate-authority]
@@ -501,24 +532,59 @@ mode = 700
 ### End of ATS sections
 
 ### Caddy Graceful and promises
-[frontend-caddy-graceful-bin]
+[frontend-caddy-graceful]
 < = jinja2-template-base
-template = {{ parameter_dict['template_wrapper'] }}
-rendered = ${directory:bin}/frontend-caddy-safe-graceful
+template = {{ parameter_dict['template_graceful_script'] }}
+rendered = ${directory:etc-run}/frontend-caddy-safe-graceful
 mode = 0700
+path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:vh-ssl}/*.key ${caddy-directory:vh-ssl}/*.crt ${caddy-directory:vh-ssl}/*.proxy_ca_crt
+sha256sum = {{ parameter_dict['sha256sum'] }}
+signature_file = ${directory:run}/caddy_graceful_signature
 extra-context =
-    key content caddy-configuration:frontend-graceful-command
+    key graceful_reload_command caddy-configuration:frontend-graceful-command
+    key path_list :path_list
+    key sha256sum :sha256sum
+    key signature_file :signature_file
 
-[frontend-caddy-graceful]
+[frontend-nginx-graceful]
 < = jinja2-template-base
-template = {{ parameter_dict['template_caddy_graceful_script'] }}
-rendered = ${directory:etc-run}/frontend-caddy-safe-graceful
+template = {{ parameter_dict['template_graceful_script'] }}
+rendered = ${directory:etc-run}/frontend-nginx-safe-graceful
+mode = 0700
+path_list = ${dynamic-nginx-frontend-template:rendered} ${caddy-directory:nginx-slave-configuration}/*.conf
+sha256sum = {{ parameter_dict['sha256sum'] }}
+signature_file = ${directory:run}/nginx_graceful_signature
+extra-context =
+    key graceful_reload_command nginx-configuration:nginx-graceful-command
+    key path_list :path_list
+    key sha256sum :sha256sum
+    key signature_file :signature_file
+
+[frontend-caddy-validate]
+< = jinja2-template-base
+template = {{ parameter_dict['template_validate_script'] }}
+rendered = ${directory:bin}/frontend-caddy-validate
+mode = 0700
+sha256sum = {{ parameter_dict['sha256sum'] }}
+signature_file = ${directory:run}/caddy_validate_signature
+extra-context =
+    key wrapper caddy-wrapper:wrapper-path
+    key path_list frontend-caddy-graceful:path_list
+    key sha256sum :sha256sum
+    key signature_file :signature_file
+
+[frontend-nginx-validate]
+< = jinja2-template-base
+template = {{ parameter_dict['template_validate_script'] }}
+rendered = ${directory:bin}/frontend-nginx-validate
 mode = 0700
+sha256sum = {{ parameter_dict['sha256sum'] }}
+signature_file = ${directory:run}/nginx_validate_signature
 extra-context =
-    key directory_run directory:run
-    key directory_etc directory:etc
-    key directory_bin directory:bin
-    key caddy_graceful_reload_command caddy-configuration:frontend-graceful-command
+    key wrapper nginx-wrapper:wrapper-path
+    key path_list frontend-nginx-graceful:path_list
+    key sha256sum :sha256sum
+    key signature_file :signature_file
 
 [frontend-caddy-lazy-graceful]
 < = jinja2-template-base
@@ -534,12 +600,9 @@ extra-context =
 
 # Promises checking configuration:
 [promise-frontend-caddy-configuration]
-< = jinja2-template-base
-template = {{ parameter_dict['template_wrapper'] }}
-rendered = ${directory:promise}/frontend-caddy-configuration-promise
-mode = 0700
-extra-context =
-    key content caddy-configuration:frontend-configuration-verification
+recipe = slapos.cookbook:wrapper
+command-line = ${caddy-configuration:frontend-configuration-verification}
+wrapper-path = ${directory:promise}/frontend-caddy-configuration-promise
 
 [promise-caddy-frontend-v4-https]
 recipe = slapos.cookbook:check_port_listening
@@ -648,9 +711,11 @@ curl_path = {{ parameter_dict['curl'] }}/bin/curl
 #
 [nginx-wrapper]
 recipe = slapos.cookbook:wrapper
+environment =
+  CADDYPATH=${directory:nginx_cluster}
 command-line = {{ parameter_dict['caddy'] }}
   -conf ${dynamic-nginx-frontend-template:rendered}
-  -log ${nginx-configuration:error_log}
+  -log stdout
   -http2=true
   -grace {{ instance_parameter['configuration.mpm-graceful-shutdown-timeout'] }}s
   -disable-http-challenge
@@ -690,26 +755,15 @@ worker_processes = 4
 worker_connections = 1024
 slave-configuration-directory = ${caddy-directory:nginx-slave-configuration}
 pid-file = ${directory:run}/nginx.pid 
-nginx-graceful-command = ${:nginx-configuration-verification}; if [ $? -eq 0 ]; then kill -HUP $(cat ${:pid-file}); fi
-nginx-configuration-verification = ${nginx-wrapper:wrapper-path} -validate
+nginx-graceful-command = ${:nginx-configuration-verification}; if [ $? -eq 0 ]; then kill -USR1 $(cat ${:pid-file}); fi
+nginx-configuration-verification = ${frontend-nginx-validate:rendered}
 ssl_certificate = ${ca-frontend:cert-file}
 ssl_key = ${ca-frontend:key-file}
 
-[frontend-nginx-graceful]
-< = jinja2-template-base
-template = {{ parameter_dict['template_wrapper'] }}
-rendered = ${directory:etc-run}/frontend-nginx-safe-graceful
-mode = 0700
-extra-context =
-    key content nginx-configuration:nginx-graceful-command
-
 [promise-nginx-configuration]
-< = jinja2-template-base
-template = {{ parameter_dict['template_wrapper'] }}
-rendered = ${directory:promise}/nginx-configuration-promise
-mode = 0700
-extra-context =
-    key content nginx-configuration:nginx-configuration-verification
+recipe = slapos.cookbook:wrapper
+command-line = ${nginx-configuration:nginx-configuration-verification}
+wrapper-path = ${directory:promise}/nginx-configuration-promise
 
 [promise-nginx-frontend-v4-https]
 recipe = slapos.cookbook:check_port_listening
diff --git a/software/caddy-frontend/instance-slave-caddy-input-schema.json b/software/caddy-frontend/instance-slave-caddy-input-schema.json
index 20196810c79ae3d7ace06972e2d505fe4fdad49c..fb91b6fbb2c9edabf2ee923429dc5bead70760a7 100644
--- a/software/caddy-frontend/instance-slave-caddy-input-schema.json
+++ b/software/caddy-frontend/instance-slave-caddy-input-schema.json
@@ -131,12 +131,12 @@
     },
     "ssl-proxy-verify": {
       "default": "false",
-      "description": "[NOT Implemented] If set to true, Backend SSL Certificates will be checked and frontend will refuse to proxy if certificate is invalid",
+      "description": "If set to true, Backend SSL Certificates will be checked and frontend will refuse to proxy if certificate is invalid",
       "enum": [
         "false",
         "true"
       ],
-      "title": "[NOT Implemented] Verify Backend Certificates",
+      "title": "Verify Backend Certificates",
       "type": "string"
     },
     "ssl_ca_crt": {
@@ -162,8 +162,8 @@
     },
     "ssl_proxy_ca_crt": {
       "default": "",
-      "description": "[NOT Implemented] Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)",
-      "title": "[NOT Implemented] SSL Backend Authority's Certificate",
+      "description": "Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)",
+      "title": "SSL Backend Authority's Certificate",
       "type": "string"
     },
     "type": {
diff --git a/software/caddy-frontend/instance-slave-output-schema.json b/software/caddy-frontend/instance-slave-output-schema.json
index d77c3f3a895932afe92fcc7114b540999b40e3ab..17689abd96948c400df917f94b8e56bcb9c756ff 100644
--- a/software/caddy-frontend/instance-slave-output-schema.json
+++ b/software/caddy-frontend/instance-slave-output-schema.json
@@ -32,7 +32,7 @@
     },
     "request-error-list": {
       "description": "In case if slave has been rejected by master or has error in the request, the list contains information about each problem",
-      "type": "string"
+      "type": "array"
     }
   },
   "type": "object"
diff --git a/software/caddy-frontend/templates/Caddyfile.in b/software/caddy-frontend/templates/Caddyfile.in
index c4ce0e268ee7d91c4c6b21a93e6b648424296d85..47dfaf613776528bee1f89e9e1d835326b92d46b 100644
--- a/software/caddy-frontend/templates/Caddyfile.in
+++ b/software/caddy-frontend/templates/Caddyfile.in
@@ -30,7 +30,7 @@ import {{ slave_with_cache_configuration_directory }}/*.conf
 
 # Access to server-status Caddy-style
 https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status {
-  tls {{ login_certificate }} {{ login_key }}
+  tls {{ frontend_configuration['ip-access-certificate'] }} {{ frontend_configuration['ip-access-key'] }}
   # Compress the output
   gzip
   bind {{ local_ipv4 }}
diff --git a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
index f92357d7ec0e7d22482bee97700e85ec8dfe55e8..061fed7374f9a380d2f791dae47d5a72c64612a8 100644
--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
@@ -379,8 +379,8 @@ local_ipv4 = {{ dumps(local_ipv4) }}
 global_ipv6 = {{ dumps(global_ipv6) }}
 https_port = {{ dumps(https_port) }}
 http_port = {{ dumps(http_port) }}
-login_certificate = {{ dumps(login_certificate) }}
-login_key = {{ dumps(login_key) }}
+ip_access_certificate = {{ frontend_configuration.get('ip-access-certificate') }}
+ip_access_key = {{ frontend_configuration.get('ip-access-key') }}
 access_log = {{ dumps(access_log) }}
 error_log = {{ dumps(error_log) }}
 not_found_file = {{ dumps(not_found_file) }}
@@ -394,6 +394,7 @@ extra-context =
     section slave_password slave-password
     section parameter_dict caddy-log-access-parameters
 
+
 {# Publish information for the instance #}
 [publish-caddy-information]
 recipe = slapos.cookbook:publish.serialised
diff --git a/software/caddy-frontend/templates/cached-virtualhost.conf.in b/software/caddy-frontend/templates/cached-virtualhost.conf.in
index fe18938e992739fc48745245409e14da859115ca..0cf8f6459f258762d3351310d6d4f7b322f7100d 100644
--- a/software/caddy-frontend/templates/cached-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/cached-virtualhost.conf.in
@@ -19,9 +19,6 @@
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %}
 # Rewrite part
   proxy / {{ slave_parameter.get('backend_url', '') }} {
     # As backend is trusting REMOTE_USER header unset it always
@@ -30,7 +27,8 @@
     transparent
     timeout 600s
 {%- if ssl_proxy_verify %}
-{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+{%-   if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
 {%-   endif %}
 {%- else %}
     insecure_skip_verify
@@ -43,16 +41,14 @@
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %}
   proxy / {{ slave_parameter.get('https_backend_url', '') }} {
     # As backend is trusting REMOTE_USER header unset it always
     header_upstream -REMOTE_USER
     transparent
     timeout 600s
 {%- if ssl_proxy_verify %}
-{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+{%-   if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
 {%-   endif %}
 {%- else %}
     insecure_skip_verify
diff --git a/software/caddy-frontend/templates/caddy-graceful-script.sh.in b/software/caddy-frontend/templates/caddy-graceful-script.sh.in
deleted file mode 100644
index fb686da00cf27080c315bedea7bc29c511377fc8..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/templates/caddy-graceful-script.sh.in
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-
-RUN_DIR={{ directory_run }}
-ETC_DIR={{ directory_etc }}
-BIN_DIR={{ directory_bin }}
-
-CADDY_SIGNATURE_FILE=$RUN_DIR/caddy_configuration.signature
-NCADDY_SIGNATURE_FILE=$RUN_DIR/ncaddy_configuration.signature
-
-touch $CADDY_SIGNATURE_FILE
-sha256sum $ETC_DIR/Caddyfile $ETC_DIR/log-access.conf $ETC_DIR/caddy-*.d/*.conf $ETC_DIR/caddy-*.d/ssl/*.*key $ETC_DIR/caddy-*.d/ssl/*.*crt* | sort -k 66 > $NCADDY_SIGNATURE_FILE
-
-# If no diff, no restart for now
-if diff "$CADDY_SIGNATURE_FILE" "$NCADDY_SIGNATURE_FILE"; then
-  echo "Nothing Changed, so nothing to reload"
-  exit 0
-fi
-echo "Reloading caddy.."
-
-{{ caddy_graceful_reload_command }}
-
-mv "$NCADDY_SIGNATURE_FILE" "$CADDY_SIGNATURE_FILE"
diff --git a/software/caddy-frontend/templates/default-virtualhost.conf.in b/software/caddy-frontend/templates/default-virtualhost.conf.in
index 7b515fea89ae1190a0df9cd692f86cd3305dbf9d..c1f1f6b9f11516ac26398fc14cdc565093ab7a5f 100644
--- a/software/caddy-frontend/templates/default-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/default-virtualhost.conf.in
@@ -30,9 +30,6 @@
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #}
   tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
 {%- if enable_h2 %}
     # Allow HTTP2
@@ -79,8 +76,9 @@
     transparent
     timeout 600s
 {%-   if ssl_proxy_verify %}
-{%-     if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-     endif %} {#-     if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-   else %} {#-   if ssl_proxy_verify #}
     insecure_skip_verify
 {%-   endif %} {#-   if ssl_proxy_verify #}
@@ -136,8 +134,9 @@
     transparent
     timeout 600s
 {%-     if ssl_proxy_verify %}
-{%-       if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-       endif %} {#-       if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-     else %} {#-     if ssl_proxy_verify #}
     insecure_skip_verify
 {%-     endif %} {#-     if ssl_proxy_verify #}
@@ -152,9 +151,6 @@
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #}
 
   log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
   errors {{ slave_parameter.get('error_log') }}
@@ -201,8 +197,9 @@
     transparent
     timeout 600s
 {%-   if ssl_proxy_verify %}
-{%-     if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-     endif %} {#-     if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-   else %} {#-   if ssl_proxy_verify #}
     insecure_skip_verify
 {%-   endif %} {#-   if ssl_proxy_verify #}
@@ -252,8 +249,9 @@
     transparent
     timeout 600s
 {%-     if ssl_proxy_verify %}
-{%-       if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-       endif %} {#-       if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-     else %} {#-     if ssl_proxy_verify #}
     insecure_skip_verify
 {%-     endif %} {#-     if ssl_proxy_verify #}
diff --git a/software/caddy-frontend/templates/graceful-script.sh.in b/software/caddy-frontend/templates/graceful-script.sh.in
new file mode 100644
index 0000000000000000000000000000000000000000..ced355c38d34dba9f8a9281f965acb4ad8f18e13
--- /dev/null
+++ b/software/caddy-frontend/templates/graceful-script.sh.in
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+SIGNATURE_FILE={{ signature_file }}
+NSIGNATURE_FILE={{ signature_file }}.tmp
+
+touch $SIGNATURE_FILE
+{{ sha256sum }} {{ path_list }} | sort -k 66 > $NSIGNATURE_FILE
+
+# If no diff, no restart for now
+if diff "$SIGNATURE_FILE" "$NSIGNATURE_FILE" > /dev/null ; then
+  echo "Nothing changed, so nothing to reload"
+  exit 0
+fi
+echo "Reloading.."
+
+{{ graceful_reload_command }}
+
+mv "$NSIGNATURE_FILE" "$SIGNATURE_FILE"
diff --git a/software/caddy-frontend/templates/template-log-access.conf.in b/software/caddy-frontend/templates/template-log-access.conf.in
index 18864d48e77c2b4a3be8194dd73636a2fb303519..955b239ae5591d167ea03ba5934a3e083d2cc1ce 100644
--- a/software/caddy-frontend/templates/template-log-access.conf.in
+++ b/software/caddy-frontend/templates/template-log-access.conf.in
@@ -3,7 +3,7 @@ https://[{{ parameter_dict['global_ipv6'] }}]:{{ parameter_dict['https_port'] }}
   bind {{ parameter_dict['local_ipv4'] }}
   root {{ directory }}/
   browse
-  tls {{ parameter_dict['login_certificate'] }} {{ parameter_dict['login_key'] }}
+  tls {{ parameter_dict['ip_access_certificate'] }} {{ parameter_dict['ip_access_key'] }}
   basicauth "{{ slave }}" {{ slave_password[slave] | trim }} {
     "Log Access {{ slave }}"
     /
diff --git a/software/caddy-frontend/templates/validate-script.sh.in b/software/caddy-frontend/templates/validate-script.sh.in
new file mode 100644
index 0000000000000000000000000000000000000000..3422d6832ece03fe56ab1666c31deba985e63952
--- /dev/null
+++ b/software/caddy-frontend/templates/validate-script.sh.in
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+
+SIGNATURE_FILE={{ signature_file }}
+NSIGNATURE_FILE={{ signature_file }}.tmp
+SIGNATURE_STATUS={{ signature_file }}.status
+
+touch $SIGNATURE_FILE
+{{ sha256sum }} {{ path_list }} | sort -k 66 > $NSIGNATURE_FILE
+
+if diff "$SIGNATURE_FILE" "$NSIGNATURE_FILE" > /dev/null; then
+  rm -f "$NSIGNATURE_FILE"
+else
+  mv "$NSIGNATURE_FILE" "$SIGNATURE_FILE"
+  # do not catch errors during validation
+  set +e
+  {{ wrapper }} -validate
+  echo $? > $SIGNATURE_STATUS
+  set -e
+fi
+exit `cat $SIGNATURE_STATUS`
diff --git a/software/caddy-frontend/test/CA.wildcard.example.com.crt b/software/caddy-frontend/test/CA.wildcard.example.com.crt
deleted file mode 100644
index 6fdddf84fc316e571906bb35f6886c6de24ac11a..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/CA.wildcard.example.com.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfkCCQDaYBkI56KXrjANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJY
-WDEOMAwGA1UECAwFU3RhdGUxGTAXBgNVBAoMEFdpbGRjYXJkIFJvb3QgQ0EwHhcN
-MTgxMTIxMTAwMzM4WhcNMjgxMTE4MTAwMzM4WjBdMQswCQYDVQQGEwJBVTETMBEG
-A1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkg
-THRkMRYwFAYDVQQDDA0qLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEA1A+TzPOPC3qPLq3KfmFpoa6Iubh1OhNFfH7fvCJQ1czTcFLe
-npG4uTjXwcoHbPb6CWq5hfUSY/ucI6mW93gsoW5vsbPFmUFe96fA6uJV17j2IppM
-vNHhcNxNbKxpGnStNO5HTW7q1Qk2yvcx4cL/bPCEaNFwBK1O+NeNz0ZDW8dGifYU
-aVj+qpVlvTi//j8P4FOwSVYvXdMqGH5WaaTquJPVEGg+704tzUxDbCUXrbCVzFgM
-d69sQg0sJQ9MddrsWkQSgcE7cffdC1JdGHCJ/B87iO3pjH2VjFth8EFMcQCn8V8e
-Nz0OpkcsZXuFg3L/3EtMV3ZXSlT6GDxaEcNuvQIDAQABMA0GCSqGSIb3DQEBCwUA
-A4IBAQB4mIEwylSudRONRRMgHDkhMlb8/O2MERYrBmsqatg3eU6/LYZAk/okUI6p
-aBkQ3GnUmA+gQnkhk4hffRk7NqtMq3r5MEcWunu61i45sXnsQh9myHEAeGfDw3wz
-2rkdXAY2jNeQhTBEsErgwKuN86BTFML9cNg2gTKLBbNC1rSJjoMqcKHxrAcsUBip
-bXDQMmNIQkzsc3ml6+17/qfu8+mTZ7J5kEkSbbwRD690LiR6Ltua22GAvuddt53S
-ieyOVVxCDlItquuGfuQ3ay8zlyQjYmoPI5AXE5Wv9W4mF7agc+SYe3myL3xlRbC+
-RD/fQtvjbf/bt9lkgs9DQoITaYvc
------END CERTIFICATE-----
diff --git a/software/caddy-frontend/test/CA.wildcard.example.com.key b/software/caddy-frontend/test/CA.wildcard.example.com.key
deleted file mode 100644
index 705094402cb79bb690cdec4d271c34ec6e2f286b..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/CA.wildcard.example.com.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA1A+TzPOPC3qPLq3KfmFpoa6Iubh1OhNFfH7fvCJQ1czTcFLe
-npG4uTjXwcoHbPb6CWq5hfUSY/ucI6mW93gsoW5vsbPFmUFe96fA6uJV17j2IppM
-vNHhcNxNbKxpGnStNO5HTW7q1Qk2yvcx4cL/bPCEaNFwBK1O+NeNz0ZDW8dGifYU
-aVj+qpVlvTi//j8P4FOwSVYvXdMqGH5WaaTquJPVEGg+704tzUxDbCUXrbCVzFgM
-d69sQg0sJQ9MddrsWkQSgcE7cffdC1JdGHCJ/B87iO3pjH2VjFth8EFMcQCn8V8e
-Nz0OpkcsZXuFg3L/3EtMV3ZXSlT6GDxaEcNuvQIDAQABAoIBAQCWdkcEUHvaRSd6
-k0ztxuhQE6pnO/3RKwNOhibxMdfxGtebBvF1yScsJKzRjysdoU9fhx4DchOOZWQv
-2ZCIHfhswhL2HvvA9aUQSzKSde06lr3tZ1WzU6eFkIpO5TXd05Nhzv9AbcapSVRb
-RnFaIiVhgnYweQnmB6HU5fx0aQI6BytP34t3rEZqdy+eYqtq1ZgYC7iXQJct08Sy
-0syR5boW2fKZZin78I+uOWfhD3uUDz7SnetwIEWuaJ/oYXv2YFqm+68XRSo4yi2G
-FlF3CgwecJCaHyEhxMQojlgM61EvEZ0v1FvoMyyQiNmWVSAtbd6BAD5YrdUzk1QO
-mzr3LuTxAoGBAPbnNp/0g25IYj857Q++hSjWsyjLLMfX6+hPsOv2ICL46+xU9P4s
-EeIe8PGgRvUkXiNZ7LRtipsFOB+qNYHknIRtLICyYXfumJH4+05XawHIPWdZNw1X
-762VsiLEHj1nx3tbEpiCApxYJTXat5/3skjibsNjkuV5JAfsiDHPHeOrAoGBANvf
-u1GI2mtUDZ1EJbxJUm3pCUg1aw8jL83OC9miTT36m3V/TiZvc6NEbWM5S8xprwJ1
-FG+MHchTgG3rZR6UhfK7OPb7jD0r1aVnA30NX3NS1zKfMEp2Ry83w9LJX70JbZsg
-ipo09UXSyE1EaeGGIEQ0xqCN/nRiy2KDh4h1gY83AoGAUH50ypU2vB+RGDfUV4uv
-ce79HdGPWd/FI0nHzkXBmGU61SOlc6/+bI/V0ZCFUap3nmLUzsXfqEZ9U6V0KFLV
-zD6jgZmmOSlqSDy6AYJyenRDwIvPbOQ8WYUyPC9gBHjvCgJY/6tzGnGKQBJ8RwTD
-9QsNPVobLADghEzS4ho6Dl0CgYBjCBxIlwk5ujv/j4gnjCbSVlnV6il0QfbwDVQN
-DCsaNVv7ygEbEqvU56cVP+NCCH/I7Y7sxwFLD0ETQSjkYyUJtQXtSFNb4fhybTmH
-A5TwTmma5VRM1YUuYUGUGRtD+5Egg8GpvxyR/GQ3WQ8PgufZkKO+APaQ2Uad8nwD
-HFnkdQKBgG0OlIKuVeLTVhPcQvOmiDEBeAVo1zc4zmA/JLk/euxesEVL9A8xuxsF
-ao0pLvpk/EWQGElxNLNJxbn7AB4uXlpsAvV3xBM88pQIuj2paix1CqSlgfR2F2jE
-t3470UVZV22ECV8vQK/of2byELrMscLExLgKW1lAIqqZ77BntFO9
------END RSA PRIVATE KEY-----
diff --git a/software/caddy-frontend/test/CA.wildcard.example.com.root.crt b/software/caddy-frontend/test/CA.wildcard.example.com.root.crt
deleted file mode 100644
index f7de5a1658338cf0f685e0c02d1e9159e24dd704..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/CA.wildcard.example.com.root.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQzCCAiugAwIBAgIJAOShMXfabB7nMA0GCSqGSIb3DQEBCwUAMDgxCzAJBgNV
-BAYTAlhYMQ4wDAYDVQQIDAVTdGF0ZTEZMBcGA1UECgwQV2lsZGNhcmQgUm9vdCBD
-QTAeFw0xODExMjExMDAxMjVaFw00NjEyMDQxMDAxMjVaMDgxCzAJBgNVBAYTAlhY
-MQ4wDAYDVQQIDAVTdGF0ZTEZMBcGA1UECgwQV2lsZGNhcmQgUm9vdCBDQTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKq/9H+MvMt5B0vIC2/uEz25jqxT
-Wv36v9/HldZLvEwzOiEd0n53ZZFqVlfOoYyCIoWw1+SPwaAc8Oad8ELfoPUasV65
-xWki9F/tesgPZpyTO7vgpQfX5JVWNw28s13BgRkOO95h4t2S2t1K6sckC0M/B0o3
-wDs/M+74i6wUTHNNXVRejeNPlj9ZSKyfe8rwvY4aNkvW/TKKbaY1yXpQhbeZfU8j
-bk4tv4VOpIIoK7wWnSOcFHMANPqrIhygazI1zdsyySEssQ2TAepUb/zgZgk2IQ61
-GT+h7NVIoYZJKcAYlLapsZJV1d3Ec9y57zTpyfbWsQhmKHCasZeZK5gYqXECAwEA
-AaNQME4wHQYDVR0OBBYEFLZTKR+QsKR9ivZi4uFssy6sB80XMB8GA1UdIwQYMBaA
-FLZTKR+QsKR9ivZi4uFssy6sB80XMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADggEBAI8O1u6LnmBkWw3rPOTp+9DD2l0+tU3e51KZfp98Fm3Lo8qF5spAB+Ue
-OiBax9uENzjcHm7T7KdJrQNK6Mmat0VsD1WTR0TK1eBr9+hOh9EE1H5mEmSL0LOs
-ABcCW8DlDv9axWMkFEaJjLfYRUQdvUkb3BwlXo2oq8ectk5ZqS1IF873htYStkvc
-SvrzFpaMhYUIr2e7bvFEJ8XTz9l4eymdOBg3j89gf9OkmPa3FE6Qf7etTkVyOr1t
-7DIuucv2JkWqHnABIWsLgj4bdLWWULASA7FkI0lHxp5/9/OBb7kVlcgQg6c9Wed7
-VA9NaSB3jnBubpEbijnekHqPYO0Bf38=
------END CERTIFICATE-----
diff --git a/software/caddy-frontend/test/CA.wildcard.example.com.root.key b/software/caddy-frontend/test/CA.wildcard.example.com.root.key
deleted file mode 100644
index df969adebdfaa8f5fc32ca031024ef51a4adad9d..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/CA.wildcard.example.com.root.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAqr/0f4y8y3kHS8gLb+4TPbmOrFNa/fq/38eV1ku8TDM6IR3S
-fndlkWpWV86hjIIihbDX5I/BoBzw5p3wQt+g9RqxXrnFaSL0X+16yA9mnJM7u+Cl
-B9fklVY3DbyzXcGBGQ473mHi3ZLa3UrqxyQLQz8HSjfAOz8z7viLrBRMc01dVF6N
-40+WP1lIrJ97yvC9jho2S9b9MoptpjXJelCFt5l9TyNuTi2/hU6kgigrvBadI5wU
-cwA0+qsiHKBrMjXN2zLJISyxDZMB6lRv/OBmCTYhDrUZP6Hs1UihhkkpwBiUtqmx
-klXV3cRz3LnvNOnJ9taxCGYocJqxl5krmBipcQIDAQABAoIBAHOAnbeaUCujlxfg
-Hjx8428hki1nxWmAsUKDFAx99sXk8TFtpvH9eis/r2B+WjFd5lRhJ+lohSX17c9S
-jy/tbkfe4pSdPbi8+Gnbju693D+WKRYSBBCmLe4G//6+4uZM+zMjucPYm0ofCQYg
-o2hKLYQzoo7F37c0LcE9R94DbSOg2tY6HkKNhXoo0KBY424nIlZ82ZvsS7Q+dduB
-txbFvzj0cnrYAJv8QIzcedaFGPN7tkLMZ+PS2rXPG/CkPevKgGwjOx+YyKgQk8GU
-O+YvMQ9/zhOz4ak76UOZF+a21DrVqsKj0BK90SEq10MUnd1riQJ2z2jD8SSChgb6
-rRc4+AECgYEA1NTSkhfxwfgWIjucnWPrtzNLyVqg5Ss+X/XZfN0LNvMje+AZ4wfz
-pLAf8cxnewgNqpR1PeUrjoUwcKrHX7M/MhfEhPKo2LyYDsNtNDcRk3JP047FrDnL
-beVc7lIfsCzuuQHgnUFhBE+8qP69VsHWBq1iQF2NUdW8HLjxTSuAQFECgYEAzWIR
-U/r5QijUE6fcev4FvPBCCF3+c64UEuXV/W4ZURWzOEAcKh9TAHiTKSQ3MDQK7IQY
-YtRbgePnA8Tc0Xj0jSxMtWTX1FanxftosRNgsZD1VKnBViwImuOeZHZYq83qPGT9
-FNUvGMAEAHevNdSdI2k9RSzrB2Lhei6wEYHJryECgYEAoAOWgYKBID2enoRFHsw2
-N5nYe/2ohEQ79DfKGaezO9AXuJXnwJqE4ygMDGaK0qReagaOE0gOtGuM3Nh5Z4lD
-lSzrcq1ipvk8NbVWkHBqxXmnbL6l/fPB79EHSqLx8ioGHZC8yF6US4KLrF9CCU1Y
-1dJb0VrE2mcgtFOUEFoJZdECgYAsGxVRjaIdvRreJbxJhWfCDW6A0X6lZQrWjBkK
-VayGJzzXpZzmxtdSUJJ50VcwuNxnsm5yOtxz5ndj7dDmAy2xa4QFqGRZK0rYT4dK
-D7lCKLkmt1XXpZkreho3xNqB+rSEx8M5yBZXIFU7rHgp/UDJq/4GbwECExAM5x3U
-hKTFQQKBgQCPGglKFvkRkvYonwDmLRiCjBPnpK5YeL/AYJxeD3V9b8V5Arc9ce9y
-PgFgk93RjGlEfLSN0Xbqc6GPIGwg6f5qyHvQ1BpCwupr3lhdsTxwIKbGpAH4Zvmz
-4COcrvkF9gAHaIiH97nLy/9h2EawKqKgJv3R0wfdKvRw4iW/4j4aPw==
------END RSA PRIVATE KEY-----
diff --git a/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.crt b/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.crt
deleted file mode 100644
index da1cf7f494be694d596dcc52703639c47fefd442..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIJAOzw6rzXAd+jMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxLTArBgNVBAMMJGN1c3RvbWRvbWFpbnNzbGNydHNzbGtl
-eS5leGFtcGxlLmNvbTAeFw0xODA1MTgxMzA2NThaFw0yODA1MTUxMzA2NThaMHQx
-CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
-cm5ldCBXaWRnaXRzIFB0eSBMdGQxLTArBgNVBAMMJGN1c3RvbWRvbWFpbnNzbGNy
-dHNzbGtleS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAOQe3WLRuVBPPufClmlOk6Euc3nmycvCkzcwMUD6+zdyAGH0qhHoIHJmiXi6
-GcKYgqqa3eaIxvvke2EEphDwYkj6neOVyuX3KukL8ggEUakJ17TEQkS7hIk4dmDT
-wjFAMgLz8uN11jqLooo9w/ptD+LUWmm6K9zk49iqqdKuG9Z5v3dm0KMUvsmYGWqN
-g31tQWU1Cm2kNu+2iP2FPnx2PWkDq4KTn64U7iJP9DdDEvzNfYcvz8upjR15B+dI
-K0ihwDXV5BtfZXDvck+ctCdfS1QxM+x+PboEJKUNoefz/+Q/9T3mlc+KchFG9asL
-Q/kbHtdgZzsDGTDEtdDtIrLLQ3MCAwEAAaNQME4wHQYDVR0OBBYEFG6I5Y0feayi
-UPznSzRJIMS1blcNMB8GA1UdIwQYMBaAFG6I5Y0feayiUPznSzRJIMS1blcNMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKmK75LcaROfjdxQLBFqiP/I
-6WB8pBNbAN6nL+dgxeQJNEx7VQXSU/3KF0nIMC35pzf93ZySMq6ujCjxksNA0Pa0
-XEH0pmTqOO7Af5wsjIniLqGTRvFCqGbWKEcYDBwKq0svTGfYyPOaBj8z7lt9LURs
-WRC1tCrn8T8NkAY/jdGRQZRtLlgk+x2SaeDfQ8F1MtMT8jYSLo4R+c4f+iuDgMWi
-JPM5SvYeDEXndWctKGxmP4p2HIp8gJuqYHmP4oxO7Rn/QPti1p68WfNQsRquHYJ4
-dR9krkpVeteQ7w8cQA9OkG/m3neiIfFKkosJSGEHctRvRQ0GtbQO6A6nZqk0n6I=
------END CERTIFICATE-----
diff --git a/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.key b/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.key
deleted file mode 100644
index 0b778c4766c70130b6fcf7604e6b5f360aa24834..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDkHt1i0blQTz7n
-wpZpTpOhLnN55snLwpM3MDFA+vs3cgBh9KoR6CByZol4uhnCmIKqmt3miMb75Hth
-BKYQ8GJI+p3jlcrl9yrpC/IIBFGpCde0xEJEu4SJOHZg08IxQDIC8/LjddY6i6KK
-PcP6bQ/i1Fppuivc5OPYqqnSrhvWeb93ZtCjFL7JmBlqjYN9bUFlNQptpDbvtoj9
-hT58dj1pA6uCk5+uFO4iT/Q3QxL8zX2HL8/LqY0deQfnSCtIocA11eQbX2Vw73JP
-nLQnX0tUMTPsfj26BCSlDaHn8//kP/U95pXPinIRRvWrC0P5Gx7XYGc7AxkwxLXQ
-7SKyy0NzAgMBAAECggEBAOLv5ZPCSdWgEFdlWFbIycrmOBDETGo9VlDny4f2ZuZg
-rgrE6E/KGkVUxlvo32mcaRkp2ajW1wWN5kO86Swex9gMIfhfcyrVecW/kXbyPP6q
-AQIe4EIaPh54oiNvZleyok4Xu8EW4Bj8AqX+DjHaP5yLXqqhf7NPrW9FUI57kMwK
-DqeHBilgWUxzcjc4LLiEu6UTuB8c2Slj3Ps0K/mVzvPbQ7Xx+RYXzfX+SqjyvDEe
-GpaRLoiRJ0KZSoGUgBQSIqgfzR7g6ipKNDvlzsawMpG641vsQ8tSI+l4U5f6MbYZ
-pFT+mxL4+N+PQbWN5w3qYWK6Ilh77+0rKfGVrLH7s7kCgYEA/2SXFnUgJUnKpuE0
-4buUtPCMw8j+qZsJZ8nmf2BbwIGgp+CFGlO6aG4sfzYulpQuZOsnKRIu5qoE3xQp
-MzuqWPZ8eygAubBdddaym3kPRiMAxTXPr+vBFyvti+oFflxaTsTXAfCXD2wM8yKm
-Od16xg9co3NED2zt62mtSM6NOiUCgYEA5Kmt1JqL4ymMe9gBZ07Ar7GCfmmqepSb
-w9XqgkHDk0ZYizNeQupPQrypfdeLFlKVnlp4DycEA4XzGdFgp1+PkAMSIVDUZZp5
-KxWJdQkdScENe1eYAz0vALCWSnUahyMGuNW9Xe/z2mtNLKRYcNDQ2LROJTQjShvw
-XSfVQXS597cCgYEAgXG5hn9tAJlLJpQk2njZ4W++2QkJ0msrNDjIJC1xs7u/8vbA
-X9yqMX4N/Zg3ush2T15EpfN6ZB0uhObSDw6hw5+C7mUTIQq8BBsCwfx0+maJYGtq
-zc6fOqBgMTc2+5nRh/UKyQfpeL6aPa2FNPUF4lcs7AdjKrJaUKRqWOmf+SUCgYAd
-ksRkpshIzOraaYlk7w6EqpSR/OCLkgTDQztdNVwyA/sXpcEfLmap3vScze+zJ2Mq
-Y9D7RLSEMCLMyAOUIgvTOFJz9JxDt8LMC7EHbfJXw5wWw7FpWdRmZnBJmPOhXqpT
-5XDkYVBMg2wrxeWaUadxH4Cr1x5pS0u/AJPYL1yN6QKBgApwfVmCWXS0S1++6KiM
-WN+jyvqmF4FS6Ib5TII1/diChY0PCO/UnmVPYg1AIqsdT5ghVreZs7wuHi1LsXQ4
-41nBmUnhdaiKCz9qVybXJwvicn/2MlsIi5C4Ox97OHJyCR1iKxf5A2ypfYEuh25V
-NZZ4n9p5PhcLev6x3QhuWosT
------END PRIVATE KEY-----
diff --git a/software/caddy-frontend/test/setup.py b/software/caddy-frontend/test/setup.py
index f565c3660d19043580b27d6d8a096a61f0de9133..3ac388bc4e9ea44b6bd987962cc16c87307a5255 100644
--- a/software/caddy-frontend/test/setup.py
+++ b/software/caddy-frontend/test/setup.py
@@ -44,6 +44,7 @@ setup(name=name,
         'forcediphttpsadapter',
         'requests-toolbelt',
         'supervisor',
+        'cryptography',
       ],
       zip_safe=True,
       test_suite='test',
diff --git a/software/caddy-frontend/test/test.py b/software/caddy-frontend/test/test.py
index b402dc1cf72c16cd2cdabaee78e4fee5b0f698f3..26903426291a02d3c3a8f6ab1639cd6747c45db6 100644
--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -25,14 +25,6 @@
 #
 ##############################################################################
 
-# Note for SSL
-#  This test comes with certificates and keys. There is even root Certificate
-#  Authority, for the backends
-#  Please follow https://datacenteroverlords.com/2012/03/01/\
-#     creating-your-own-ssl-certificate-authority/
-#  in order to add more certificates for backend.
-#  Frontend still uses self-signed certificates.
-
 import glob
 import os
 import requests
@@ -47,10 +39,21 @@ from BaseHTTPServer import HTTPServer
 from BaseHTTPServer import BaseHTTPRequestHandler
 from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter
 import time
+import tempfile
+import ipaddress
 
 from utils import SlapOSInstanceTestCase
 from utils import findFreeTCPPort
 
+import datetime
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+
 LOCAL_IPV4 = os.environ['LOCAL_IPV4']
 GLOBAL_IPV6 = os.environ['GLOBAL_IPV6']
 
@@ -73,13 +76,114 @@ if os.environ.get('DEBUG'):
 
 
 def der2pem(der):
-  certificate, error = subprocess.Popen(
-      'openssl x509 -inform der'.split(), stdin=subprocess.PIPE,
-      stdout=subprocess.PIPE, stderr=subprocess.PIPE
-  ).communicate(der)
-  if error:
-    raise ValueError(error)
-  return certificate
+  certificate = x509.load_der_x509_certificate(der, default_backend())
+  return certificate.public_bytes(serialization.Encoding.PEM)
+
+
+def createKey():
+  key = rsa.generate_private_key(
+    public_exponent=65537, key_size=2048, backend=default_backend())
+  key_pem = key.private_bytes(
+    encoding=serialization.Encoding.PEM,
+    format=serialization.PrivateFormat.TraditionalOpenSSL,
+    encryption_algorithm=serialization.NoEncryption()
+  )
+  return key, key_pem
+
+
+def createSelfSignedCertificate(name_list):
+  key, key_pem = createKey()
+  subject_alternative_name_list = x509.SubjectAlternativeName(
+    [x509.DNSName(unicode(q)) for q in name_list]
+  )
+  subject = issuer = x509.Name([
+    x509.NameAttribute(NameOID.COMMON_NAME, u'Test Self Signed Certificate'),
+  ])
+  certificate = x509.CertificateBuilder().subject_name(
+    subject
+  ).issuer_name(
+    issuer
+  ).add_extension(
+      subject_alternative_name_list,
+      critical=False,
+  ).public_key(
+    key.public_key()
+  ).serial_number(
+    x509.random_serial_number()
+  ).not_valid_before(
+    datetime.datetime.utcnow() - datetime.timedelta(days=2)
+  ).not_valid_after(
+    datetime.datetime.utcnow() + datetime.timedelta(days=5)
+  ).sign(key, hashes.SHA256(), default_backend())
+  certificate_pem = certificate.public_bytes(serialization.Encoding.PEM)
+  return key, key_pem, certificate, certificate_pem
+
+
+def createCSR(common_name, ip=None):
+  key, key_pem = createKey()
+  subject_alternative_name_list = []
+  if ip is not None:
+    subject_alternative_name_list.append(
+      x509.IPAddress(ipaddress.ip_address(unicode(ip)))
+    )
+  csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
+     x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
+  ]))
+
+  if len(subject_alternative_name_list):
+    csr = csr.add_extension(
+      x509.SubjectAlternativeName(subject_alternative_name_list),
+      critical=False
+    )
+
+  csr = csr.sign(key, hashes.SHA256(), default_backend())
+  csr_pem = csr.public_bytes(serialization.Encoding.PEM)
+  return key, key_pem, csr, csr_pem
+
+
+class CertificateAuthority(object):
+  def __init__(self, common_name):
+    self.key, self.key_pem = createKey()
+    public_key = self.key.public_key()
+    builder = x509.CertificateBuilder()
+    builder = builder.subject_name(x509.Name([
+      x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
+    ]))
+    builder = builder.issuer_name(x509.Name([
+      x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
+    ]))
+    builder = builder.not_valid_before(
+      datetime.datetime.utcnow() - datetime.timedelta(days=2))
+    builder = builder.not_valid_after(
+      datetime.datetime.utcnow() + datetime.timedelta(days=30))
+    builder = builder.serial_number(x509.random_serial_number())
+    builder = builder.public_key(public_key)
+    builder = builder.add_extension(
+      x509.BasicConstraints(ca=True, path_length=None), critical=True,
+    )
+    self.certificate = builder.sign(
+      private_key=self.key, algorithm=hashes.SHA256(),
+      backend=default_backend()
+    )
+    self.certificate_pem = self.certificate.public_bytes(
+      serialization.Encoding.PEM)
+
+  def signCSR(self, csr):
+    builder = x509.CertificateBuilder(
+      subject_name=csr.subject,
+      extensions=csr.extensions,
+      issuer_name=self.certificate.subject,
+      not_valid_before=datetime.datetime.utcnow() - datetime.timedelta(days=1),
+      not_valid_after=datetime.datetime.utcnow() + datetime.timedelta(days=30),
+      serial_number=x509.random_serial_number(),
+      public_key=csr.public_key(),
+    )
+    certificate = builder.sign(
+      private_key=self.key,
+      algorithm=hashes.SHA256(),
+      backend=default_backend()
+    )
+    return certificate, certificate.public_bytes(serialization.Encoding.PEM)
 
 
 def isHTTP2(domain, ip):
@@ -96,6 +200,17 @@ def isHTTP2(domain, ip):
   return 'Using HTTP2, server supports multi-use' in err
 
 
+def getQUIC(url, ip, port):
+  quic_client_command = 'quic_client --disable-certificate-verification '\
+    '--port=%(port)s --host=%(host)s %(url)s' % dict(
+      port=port, host=ip, url=url)
+  try:
+    return True, subprocess.check_output(
+      quic_client_command.split(), stderr=subprocess.STDOUT)
+  except subprocess.CalledProcessError as e:
+    return False, e.output
+
+
 class TestDataMixin(object):
   @staticmethod
   def generateHashFromFiles(file_list):
@@ -233,16 +348,12 @@ class HttpFrontendTestCase(SlapOSInstanceTestCase):
     cls.software_path = os.path.realpath(os.path.join(
         cls.computer_partition_root_path, 'software_release'))
 
-  def assertLogAccessUrlWithPop(self, parameter_dict, reference):
+  def assertLogAccessUrlWithPop(self, parameter_dict):
     log_access_url = parameter_dict.pop('log-access-url')
-    try:
-      log_access_url_json = json.loads(log_access_url)
-    except Exception:
-      raise ValueError('JSON decode problem in:\n%s' % (log_access_url,))
 
-    self.assertTrue(len(log_access_url_json) >= 1)
+    self.assertTrue(len(log_access_url) >= 1)
     # check only the first one, as second frontend will be stopped
-    log_access = log_access_url_json[0]
+    log_access = log_access_url[0]
     entry = log_access.split(': ')
     if len(entry) != 2:
       self.fail('Cannot parse %r' % (log_access,))
@@ -266,6 +377,22 @@ class HttpFrontendTestCase(SlapOSInstanceTestCase):
     self.assertTrue(key in j, 'No key %r in %s' % (key, j))
     self.assertEqual(value, j[key])
 
+  def parseParameterDict(self, parameter_dict):
+    parsed_parameter_dict = {}
+    for key, value in parameter_dict.items():
+      if key in [
+        'rejected-slave-dict',
+        'request-error-list',
+        'log-access-url']:
+        value = json.loads(value)
+      parsed_parameter_dict[key] = value
+    return parsed_parameter_dict
+
+  def parseConnectionParameterDict(self):
+    return self.parseParameterDict(
+      self.computer_partition.getConnectionParameterDict()
+    )
+
 
 class TestMasterRequest(HttpFrontendTestCase, TestDataMixin):
   @classmethod
@@ -279,7 +406,7 @@ class TestMasterRequest(HttpFrontendTestCase, TestDataMixin):
     }
 
   def test(self):
-    parameter_dict = self.computer_partition.getConnectionParameterDict()
+    parameter_dict = self.parseConnectionParameterDict()
     self.assertKeyWithPop('monitor-setup-url', parameter_dict)
     self.assertEqual(
       {
@@ -288,7 +415,7 @@ class TestMasterRequest(HttpFrontendTestCase, TestDataMixin):
         'accepted-slave-amount': '0',
         'rejected-slave-amount': '0',
         'slave-amount': '0',
-        'rejected-slave-dict': '{}'},
+        'rejected-slave-dict': {}},
       parameter_dict
     )
 
@@ -312,7 +439,7 @@ class TestMasterRequestDomain(HttpFrontendTestCase, TestDataMixin):
     }
 
   def test(self):
-    parameter_dict = self.computer_partition.getConnectionParameterDict()
+    parameter_dict = self.parseConnectionParameterDict()
     self.assertKeyWithPop('monitor-setup-url', parameter_dict)
 
     self.assertEqual(
@@ -322,7 +449,7 @@ class TestMasterRequestDomain(HttpFrontendTestCase, TestDataMixin):
         'accepted-slave-amount': '0',
         'rejected-slave-amount': '0',
         'slave-amount': '0',
-        'rejected-slave-dict': '{}'
+        'rejected-slave-dict': {}
       },
       parameter_dict
     )
@@ -353,11 +480,23 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
       (LOCAL_IPV4, findFreeTCPPort(LOCAL_IPV4)),
       TestHandler)
 
+    cls.another_server_ca = CertificateAuthority("Another Server Root CA")
+    cls.test_server_ca = CertificateAuthority("Test Server Root CA")
+    key, key_pem, csr, csr_pem = createCSR(
+      "testserver.example.com", LOCAL_IPV4)
+    _, cls.test_server_certificate_pem = cls.test_server_ca.signCSR(csr)
+
+    cls.test_server_certificate_file = tempfile.NamedTemporaryFile(
+      delete=False
+    )
+
+    cls.test_server_certificate_file.write(
+        cls.test_server_certificate_pem + key_pem
+      )
+    cls.test_server_certificate_file.close()
     server_https.socket = ssl.wrap_socket(
       server_https.socket,
-      certfile=os.path.join(
-        os.path.dirname(os.path.realpath(__file__)),
-        'testserver.example.com.pem'),
+      certfile=cls.test_server_certificate_file.name,
       server_side=True)
 
     cls.backend_url = 'http://%s:%s' % server.server_address
@@ -370,6 +509,10 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
 
   @classmethod
   def stopServerProcess(cls):
+    if getattr(cls, 'test_server_certificate_file', None) is not None:
+      os.unlink(cls.test_server_certificate_file.name)
+    if getattr(cls, 'server_process', None) is None:
+      return
     cls.server_process.terminate()
     cls.server_https_process.terminate()
 
@@ -398,9 +541,20 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
       cls.slave_connection_parameter_dict_dict[slave_reference] = \
           slave_instance.getConnectionParameterDict()
 
+  @classmethod
+  def createWildcardExampleComCertificate(cls):
+    _, cls.key_pem, _, cls.certificate_pem = createSelfSignedCertificate(
+      [
+        '*.customdomain.example.com',
+        '*.example.com',
+        '*.nginx.example.com',
+        '*.alias1.example.com',
+      ])
+
   @classmethod
   def setUpClass(cls):
     try:
+      cls.createWildcardExampleComCertificate()
       cls.startServerProcess()
       super(SlaveHttpFrontendTestCase, cls).setUpClass()
       cls.setUpSlaves()
@@ -489,6 +643,13 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
   def tearDown(self):
     self.unpatchRequests()
 
+  def parseSlaveParameterDict(self, key):
+    return self.parseParameterDict(
+      self.slave_connection_parameter_dict_dict[
+        key
+      ]
+    )
+
 
 class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
   caddy_custom_https = '''# caddy_custom_https_filled_in_accepted
@@ -557,8 +718,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-certificate': cls.certificate_pem,
+      'apache-key': cls.key_pem,
       '-frontend-authorized-slave-string':
       '_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
       'port': HTTPS_PORT,
@@ -570,6 +731,16 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'mpm-graceful-shutdown-timeout': 2,
     }
 
+  @classmethod
+  def setUpSlaves(cls):
+    cls.ca = CertificateAuthority('TestSlave')
+    _, cls.customdomain_ca_key_pem, csr, _ = createCSR(
+      'customdomainsslcrtsslkeysslcacrt.example.com')
+    _, cls.customdomain_ca_certificate_pem = cls.ca.signCSR(csr)
+    _, cls.customdomain_key_pem, _, cls.customdomain_certificate_pem = \
+        createSelfSignedCertificate(['customdomainsslcrtsslkey.example.com'])
+    super(TestSlave, cls).setUpSlaves()
+
   @classmethod
   def getSlaveParameterDictDict(cls):
     return {
@@ -602,7 +773,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'ssl-proxy-verify_ssl_proxy_ca_crt': {
         'url': cls.backend_https_url,
         'ssl-proxy-verify': True,
-        'ssl_proxy_ca_crt': open('testserver.root.ca.crt').read(),
+        'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
+      },
+      'ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
+        'url': cls.backend_https_url,
+        'ssl-proxy-verify': True,
+        'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
       },
       'ssl-proxy-verify-unverified': {
         'url': cls.backend_https_url,
@@ -623,31 +799,31 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'custom_domain_ssl_crt_ssl_key': {
         'url': cls.backend_url,
         'custom_domain': 'customdomainsslcrtsslkey.example.com',
-        'ssl_crt': open('customdomainsslcrtsslkey.example.com.crt').read(),
-        'ssl_key': open('customdomainsslcrtsslkey.example.com.key').read(),
+        'ssl_crt': cls.customdomain_certificate_pem,
+        'ssl_key': cls.customdomain_key_pem,
       },
       'custom_domain_ssl_crt_ssl_key_ssl_ca_crt': {
         'url': cls.backend_url,
         'custom_domain': 'customdomainsslcrtsslkeysslcacrt.example.com',
-        'ssl_crt': open('CA.wildcard.example.com.crt').read(),
-        'ssl_key': open('CA.wildcard.example.com.key').read(),
-        'ssl_ca_crt': open('CA.wildcard.example.com.root.crt').read(),
+        'ssl_crt': cls.customdomain_ca_certificate_pem,
+        'ssl_key': cls.customdomain_ca_key_pem,
+        'ssl_ca_crt': cls.ca.certificate_pem,
       },
       'ssl_ca_crt_only': {
         'url': cls.backend_url,
-        'ssl_ca_crt': open('CA.wildcard.example.com.root.crt').read(),
+        'ssl_ca_crt': cls.ca.certificate_pem,
       },
       'ssl_ca_crt_garbage': {
         'url': cls.backend_url,
-        'ssl_crt': open('CA.wildcard.example.com.crt').read(),
-        'ssl_key': open('CA.wildcard.example.com.key').read(),
+        'ssl_crt': cls.customdomain_ca_certificate_pem,
+        'ssl_key': cls.customdomain_ca_key_pem,
         'ssl_ca_crt': 'some garbage',
       },
       'ssl_ca_crt_does_not_match': {
         'url': cls.backend_url,
-        'ssl_crt': open('wildcard.example.com.crt').read(),
-        'ssl_key': open('wildcard.example.com.key').read(),
-        'ssl_ca_crt': open('CA.wildcard.example.com.root.crt').read(),
+        'ssl_crt': cls.certificate_pem,
+        'ssl_key': cls.key_pem,
+        'ssl_ca_crt': cls.ca.certificate_pem,
       },
       'type-zope': {
         'url': cls.backend_url,
@@ -657,7 +833,13 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
         'url': cls.backend_https_url,
         'type': 'zope',
         'ssl-proxy-verify': True,
-        'ssl_proxy_ca_crt': open('testserver.root.ca.crt').read(),
+        'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
+      },
+      'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
+        'url': cls.backend_https_url,
+        'type': 'zope',
+        'ssl-proxy-verify': True,
+        'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
       },
       'type-zope-ssl-proxy-verify-unverified': {
         'url': cls.backend_https_url,
@@ -722,7 +904,13 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt': {
         'url': cls.backend_https_url,
         'enable_cache': True,
-        'ssl_proxy_ca_crt': open('testserver.root.ca.crt').read(),
+        'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
+        'ssl-proxy-verify': True,
+      },
+      'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
+        'url': cls.backend_https_url,
+        'enable_cache': True,
+        'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
         'ssl-proxy-verify': True,
       },
       'enable-http2-default': {
@@ -792,21 +980,21 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       if os.path.exists(os.path.join(q, 'etc', 'trafficserver'))][0]
 
   def test_master_partition_state(self):
-    parameter_dict = self.computer_partition.getConnectionParameterDict()
+    parameter_dict = self.parseConnectionParameterDict()
     self.assertKeyWithPop('monitor-setup-url', parameter_dict)
 
     expected_parameter_dict = {
       'monitor-base-url': None,
       'domain': 'example.com',
-      'accepted-slave-amount': '40',
+      'accepted-slave-amount': '43',
       'rejected-slave-amount': '4',
-      'slave-amount': '44',
-      'rejected-slave-dict':
-      '{"_apache_custom_http_s-rejected": ["slave not authorized"], '
-      '"_caddy_custom_http_s": ["slave not authorized"], '
-      '"_caddy_custom_http_s-rejected": ["slave not authorized"], '
-      '"_ssl_ca_crt_only": ["ssl_ca_crt is present, so ssl_crt and ssl_key '
-      'are required"]}'
+      'slave-amount': '47',
+      'rejected-slave-dict': {
+        "_apache_custom_http_s-rejected": ["slave not authorized"],
+        "_caddy_custom_http_s": ["slave not authorized"],
+        "_caddy_custom_http_s-rejected": ["slave not authorized"],
+        "_ssl_ca_crt_only": ["ssl_ca_crt is present, so ssl_crt and ssl_key "
+                             "are required"]}
     }
 
     self.assertEqual(
@@ -871,9 +1059,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_empty(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'empty']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'empty')
+    parameter_dict = self.parseSlaveParameterDict('empty')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       parameter_dict,
       {
@@ -890,7 +1077,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -933,9 +1120,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_url(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'url'].copy()
-    self.assertLogAccessUrlWithPop(parameter_dict, 'url')
+    parameter_dict = self.parseSlaveParameterDict('url')
+
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'url.example.com',
@@ -952,7 +1139,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -995,9 +1182,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
 
   @skip('Feature postponed')
   def test_url_ipv6_access(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'url'].copy()
-    self.assertLogAccessUrlWithPop(parameter_dict, 'url')
+    parameter_dict = self.parseSlaveParameterDict('url')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'url.example.com',
@@ -1020,15 +1206,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result_ipv6.peercert))
 
     self.assertEqualResultJson(result_ipv6, 'Path', '/test-path')
 
   def test_type_zope_path(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-zope-path']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'type-zope-path')
+    parameter_dict = self.parseSlaveParameterDict('type-zope-path')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typezopepath.example.com',
@@ -1045,7 +1230,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(
@@ -1056,9 +1241,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_type_zope_default_path(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-zope-default-path']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'type-zope-default-path')
+    parameter_dict = self.parseSlaveParameterDict('type-zope-default-path')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typezopedefaultpath.example.com',
@@ -1075,7 +1259,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], '')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(
@@ -1085,9 +1269,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_server_alias(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'server-alias']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'server-alias')
+    parameter_dict = self.parseSlaveParameterDict('server-alias')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'serveralias.example.com',
@@ -1104,7 +1287,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1113,7 +1296,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'alias1.example.com', parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1122,13 +1305,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'alias2.example.com', parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
   def test_server_alias_wildcard(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'server-alias-wildcard']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'server-alias-wildcard')
+    parameter_dict = self.parseSlaveParameterDict('server-alias-wildcard')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'serveraliaswildcard.example.com',
@@ -1145,7 +1327,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1154,15 +1336,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'wild.alias1.example.com', parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
   def test_server_alias_duplicated(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'server-alias-duplicated']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'server-alias-duplicated')
+    parameter_dict = self.parseSlaveParameterDict('server-alias-duplicated')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'serveraliasduplicated.example.com',
@@ -1179,7 +1360,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1188,16 +1369,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'alias3.example.com', parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
   def test_server_alias_custom_domain_duplicated(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'server-alias_custom_domain-duplicated']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'server-alias_custom_domain-duplicated')
+    parameter_dict = self.parseSlaveParameterDict(
+      'server-alias_custom_domain-duplicated')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'alias4.example.com',
@@ -1214,7 +1394,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1225,10 +1405,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     raise NotImplementedError(self.id())
 
   def test_ssl_ca_crt(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'custom_domain_ssl_crt_ssl_key_ssl_ca_crt']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'custom_domain_ssl_crt_ssl_key_ssl_ca_crt')
+    parameter_dict = self.parseSlaveParameterDict(
+      'custom_domain_ssl_crt_ssl_key_ssl_ca_crt')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'customdomainsslcrtsslkeysslcacrt.example.com',
@@ -1246,26 +1425,23 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('CA.wildcard.example.com.crt').read(),
+      self.customdomain_ca_certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
   def test_ssl_ca_crt_only(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'ssl_ca_crt_only']
+    parameter_dict = self.parseSlaveParameterDict('ssl_ca_crt_only')
     self.assertEqual(
       parameter_dict,
       {
-        'request-error-list': '["ssl_ca_crt is present, so ssl_crt and '
-        'ssl_key are required"]'}
+        'request-error-list': [
+          "ssl_ca_crt is present, so ssl_crt and ssl_key are required"]}
     )
 
   def test_ssl_ca_crt_garbage(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'ssl_ca_crt_garbage']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'ssl_ca_crt_garbage')
+    parameter_dict = self.parseSlaveParameterDict('ssl_ca_crt_garbage')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'sslcacrtgarbage.example.com',
@@ -1279,20 +1455,13 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict
     )
 
-    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-
-    self.assertEqual(
-      open('CA.wildcard.example.com.crt').read(),
-      der2pem(result.peercert))
-
-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    with self.assertRaises(requests.exceptions.SSLError):
+      self.fakeHTTPSResult(
+        parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
   def test_ssl_ca_crt_does_not_match(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'ssl_ca_crt_does_not_match']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'ssl_ca_crt_does_not_match')
+    parameter_dict = self.parseSlaveParameterDict('ssl_ca_crt_does_not_match')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'sslcacrtdoesnotmatch.example.com',
@@ -1310,15 +1479,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
   def test_https_only(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'https-only']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'https-only')
+    parameter_dict = self.parseSlaveParameterDict('https-only')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'httpsonly.example.com',
@@ -1335,7 +1503,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1349,9 +1517,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_custom_domain(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'custom_domain']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'custom_domain')
+    parameter_dict = self.parseSlaveParameterDict('custom_domain')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'customdomain.example.com',
@@ -1368,15 +1535,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
   def test_custom_domain_wildcard(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'custom_domain_wildcard']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'custom_domain_wildcard')
+    parameter_dict = self.parseSlaveParameterDict('custom_domain_wildcard')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': '*.customdomain.example.com',
@@ -1394,15 +1560,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
   def test_custom_domain_ssl_crt_ssl_key(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'custom_domain_ssl_crt_ssl_key']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'custom_domain_ssl_crt_key')
+    parameter_dict = self.parseSlaveParameterDict(
+      'custom_domain_ssl_crt_ssl_key')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'customdomainsslcrtsslkey.example.com',
@@ -1419,15 +1585,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('customdomainsslcrtsslkey.example.com.crt').read(),
+      self.customdomain_certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
   def test_type_zope(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-zope']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'type-zope')
+    parameter_dict = self.parseSlaveParameterDict('type-zope')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typezope.example.com',
@@ -1444,7 +1609,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     try:
@@ -1471,10 +1636,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_type_zope_virtualhostroot_http_port(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-zope-virtualhostroot-http-port']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'type-zope-virtualhostroot-http-port')
+    parameter_dict = self.parseSlaveParameterDict(
+      'type-zope-virtualhostroot-http-port')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typezopevirtualhostroothttpport.example.com',
@@ -1499,10 +1663,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_type_zope_virtualhostroot_https_port(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-zope-virtualhostroot-https-port']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'type-zope-virtualhostroot-https-port')
+    parameter_dict = self.parseSlaveParameterDict(
+      'type-zope-virtualhostroot-https-port')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typezopevirtualhostroothttpsport.example.com',
@@ -1520,7 +1683,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(
@@ -1531,9 +1694,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_type_notebook(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-notebook']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'type-notebook')
+    parameter_dict = self.parseSlaveParameterDict('type-notebook')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typenotebook.nginx.example.com',
@@ -1551,7 +1713,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       NGINX_HTTPS_PORT)
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1573,9 +1735,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     #        Caddy as a proxy in front of nginx-push-stream . If we have a
     #        "central shared" caddy instance, can it handle keeping connections
     #        opens for many clients ?
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-eventsource']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'type-eventsource')
+    parameter_dict = self.parseSlaveParameterDict('type-eventsource')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typeeventsource.nginx.example.com',
@@ -1593,7 +1754,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       NGINX_HTTPS_PORT)
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(
@@ -1615,9 +1776,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_type_redirect(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-redirect']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'type-redirect')
+    parameter_dict = self.parseSlaveParameterDict('type-redirect')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typeredirect.example.com',
@@ -1634,7 +1794,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(
@@ -1642,12 +1802,50 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       result.headers['Location']
     )
 
+  def test_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
+    parameter_dict = self.parseSlaveParameterDict(
+      'ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
+
+    self.assertLogAccessUrlWithPop(parameter_dict)
+    self.assertEqual(
+      {
+        'domain': 'sslproxyverifysslproxycacrtunverified.example.com',
+        'replication_number': '1',
+        'url': 'http://sslproxyverifysslproxycacrtunverified.example.com',
+        'site_url':
+        'http://sslproxyverifysslproxycacrtunverified.example.com',
+        'secure_access':
+        'https://sslproxyverifysslproxycacrtunverified.example.com',
+        'public-ipv4': LOCAL_IPV4,
+      },
+      parameter_dict
+    )
+
+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      self.certificate_pem,
+      der2pem(result.peercert))
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result.status_code
+    )
+
+    result_http = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result_http.status_code
+    )
+
   def test_ssl_proxy_verify_ssl_proxy_ca_crt(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'ssl-proxy-verify_ssl_proxy_ca_crt']
+    parameter_dict = self.parseSlaveParameterDict(
+      'ssl-proxy-verify_ssl_proxy_ca_crt')
 
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'ssl-proxy-verify_ssl_proxy_ca_crt')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'sslproxyverifysslproxycacrt.example.com',
@@ -1664,28 +1862,52 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
+    self.assertEqualResultJson(result, 'Path', '/test-path')
+
+    try:
+      j = result.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result.status_code
+      'gzip',
+      result.headers['Content-Encoding']
+    )
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result.headers['Set-Cookie']
     )
 
     result_http = self.fakeHTTPResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+    self.assertEqualResultJson(result_http, 'Path', '/test-path')
+
+    try:
+      j = result_http.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
 
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result_http.status_code
+      'gzip',
+      result_http.headers['Content-Encoding']
+    )
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result_http.headers['Set-Cookie']
     )
 
   def test_ssl_proxy_verify_unverified(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'ssl-proxy-verify-unverified']
+    parameter_dict = self.parseSlaveParameterDict(
+      'ssl-proxy-verify-unverified')
 
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'ssl-proxy-verify-unverified')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'sslproxyverifyunverified.example.com',
@@ -1702,7 +1924,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(
@@ -1710,12 +1932,52 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       result.status_code
     )
 
+  def test_enable_cache_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
+    parameter_dict = self.parseSlaveParameterDict(
+      'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
+
+    self.assertLogAccessUrlWithPop(parameter_dict)
+    self.assertEqual(
+      {
+        'domain':
+        'enablecachesslproxyverifysslproxycacrtunverified.example.com',
+        'replication_number': '1',
+        'url':
+        'http://enablecachesslproxyverifysslproxycacrtunverified.example.com',
+        'site_url':
+        'http://enablecachesslproxyverifysslproxycacrtunverified.example.com',
+        'secure_access':
+        'https://enablecachesslproxyverifysslproxycacrtunverified.example.com',
+        'public-ipv4': LOCAL_IPV4,
+      },
+      parameter_dict
+    )
+
+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      self.certificate_pem,
+      der2pem(result.peercert))
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result.status_code
+    )
+
+    result_http = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result_http.status_code
+    )
+
   def test_enable_cache_ssl_proxy_verify_ssl_proxy_ca_crt(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt']
+    parameter_dict = self.parseSlaveParameterDict(
+      'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt')
 
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablecachesslproxyverifysslproxycacrt.example.com',
@@ -1734,28 +1996,82 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
+    self.assertEqualResultJson(result, 'Path', '/test-path')
+
+    headers = result.headers.copy()
+
+    self.assertKeyWithPop('Via', headers)
+    self.assertKeyWithPop('Server', headers)
+    self.assertKeyWithPop('Date', headers)
+    self.assertKeyWithPop('Age', headers)
+
+    # drop keys appearing randomly in headers
+    headers.pop('Transfer-Encoding', None)
+    headers.pop('Content-Length', None)
+    headers.pop('Connection', None)
+    headers.pop('Keep-Alive', None)
+
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result.status_code
+      {'Content-type': 'application/json',
+       'Set-Cookie': 'secured=value;secure, nonsecured=value',
+       'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'},
+      headers
     )
 
-    result_http = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+    result_direct = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      port=26011)
+
+    self.assertEqualResultJson(result_direct, 'Path', '/test-path')
+
+    try:
+      j = result_direct.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result_direct.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
 
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result_http.status_code
+      'gzip',
+      result_direct.headers['Content-Encoding']
+    )
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result_direct.headers['Set-Cookie']
+    )
+
+    result_direct_https_backend = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      port=26012)
+
+    self.assertEqualResultJson(
+      result_direct_https_backend, 'Path', '/test-path')
+
+    try:
+      j = result_direct_https_backend.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (
+        result_direct_https_backend.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+
+    self.assertEqual(
+      'gzip',
+      result_direct_https_backend.headers['Content-Encoding']
+    )
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result_direct_https_backend.headers['Set-Cookie']
     )
 
   def test_enable_cache_ssl_proxy_verify_unverified(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable_cache-ssl-proxy-verify-unverified']
+    parameter_dict = self.parseSlaveParameterDict(
+      'enable_cache-ssl-proxy-verify-unverified')
 
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'enable_cache-ssl-proxy-verify-unverified')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablecachesslproxyverifyunverified.example.com',
@@ -1773,7 +2089,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(
@@ -1781,20 +2097,21 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       result.status_code
     )
 
-  def test_type_zope_ssl_proxy_verify_ssl_proxy_ca_crt(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt']
+  def test_type_zope_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
+    parameter_dict = self.parseSlaveParameterDict(
+      'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
 
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
-        'domain': 'typezopesslproxyverifysslproxycacrt.example.com',
+        'domain': 'typezopesslproxyverifysslproxycacrtunverified.example.com',
         'replication_number': '1',
-        'url': 'http://typezopesslproxyverifysslproxycacrt.example.com',
-        'site_url': 'http://typezopesslproxyverifysslproxycacrt.example.com',
+        'url':
+        'http://typezopesslproxyverifysslproxycacrtunverified.example.com',
+        'site_url':
+        'http://typezopesslproxyverifysslproxycacrtunverified.example.com',
         'secure_access':
-        'https://typezopesslproxyverifysslproxycacrt.example.com',
+        'https://typezopesslproxyverifysslproxycacrtunverified.example.com',
         'public-ipv4': LOCAL_IPV4,
       },
       parameter_dict
@@ -1804,11 +2121,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
+      httplib.BAD_GATEWAY,
       result.status_code
     )
 
@@ -1816,16 +2133,65 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
+      httplib.BAD_GATEWAY,
       result_http.status_code
     )
 
+  def test_type_zope_ssl_proxy_verify_ssl_proxy_ca_crt(self):
+    parameter_dict = self.parseSlaveParameterDict(
+      'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt')
+
+    self.assertLogAccessUrlWithPop(parameter_dict)
+    self.assertEqual(
+      {
+        'domain': 'typezopesslproxyverifysslproxycacrt.example.com',
+        'replication_number': '1',
+        'url': 'http://typezopesslproxyverifysslproxycacrt.example.com',
+        'site_url': 'http://typezopesslproxyverifysslproxycacrt.example.com',
+        'secure_access':
+        'https://typezopesslproxyverifysslproxycacrt.example.com',
+        'public-ipv4': LOCAL_IPV4,
+      },
+      parameter_dict
+    )
+
+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      self.certificate_pem,
+      der2pem(result.peercert))
+
+    try:
+      j = result.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+
+    self.assertEqualResultJson(
+      result,
+      'Path',
+      '/VirtualHostBase/https//'
+      'typezopesslproxyverifysslproxycacrt.example.com:443/'
+      '/VirtualHostRoot/test-path'
+    )
+
+    result = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqualResultJson(
+      result,
+      'Path',
+      '/VirtualHostBase/http//'
+      'typezopesslproxyverifysslproxycacrt.example.com:80/'
+      '/VirtualHostRoot/test-path'
+    )
+
   def test_type_zope_ssl_proxy_verify_unverified(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'type-zope-ssl-proxy-verify-unverified']
+    parameter_dict = self.parseSlaveParameterDict(
+      'type-zope-ssl-proxy-verify-unverified')
 
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'type-zope-ssl-proxy-verify-unverified')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'typezopesslproxyverifyunverified.example.com',
@@ -1843,7 +2209,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(
@@ -1852,9 +2218,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_monitor_ipv6_test(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'monitor-ipv6-test']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'monitor-ipv6-test')
+    parameter_dict = self.parseSlaveParameterDict('monitor-ipv6-test')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'monitoripv6test.example.com',
@@ -1871,7 +2236,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -1895,9 +2260,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_monitor_ipv4_test(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'monitor-ipv4-test']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'monitor-ipv4-test')
+    parameter_dict = self.parseSlaveParameterDict('monitor-ipv4-test')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'monitoripv4test.example.com',
@@ -1914,7 +2278,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -1938,9 +2302,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_re6st_optimal_test(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      're6st-optimal-test']
-    self.assertLogAccessUrlWithPop(parameter_dict, 're6st-optimal-test')
+    parameter_dict = self.parseSlaveParameterDict('re6st-optimal-test')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 're6stoptimaltest.example.com',
@@ -1957,7 +2320,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -1982,9 +2345,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_enable_cache(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable_cache']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable_cache')
+    parameter_dict = self.parseSlaveParameterDict('enable_cache')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablecache.example.com',
@@ -2001,7 +2363,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2073,10 +2435,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_enable_cache_disable_no_cache_request(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable_cache-disable-no-cache-request']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'enable_cache-disable-no-cache-request')
+    parameter_dict = self.parseSlaveParameterDict(
+      'enable_cache-disable-no-cache-request')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablecachedisablenocacherequest.example.com',
@@ -2095,7 +2456,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       headers={'Pragma': 'no-cache', 'Cache-Control': 'something'})
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2127,10 +2488,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     self.assertFalse('pragma' in j['Incoming Headers'].keys())
 
   def test_enable_cache_disable_via_header(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable_cache-disable-via-header']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'enable_cache-disable-via-header')
+    parameter_dict = self.parseSlaveParameterDict(
+      'enable_cache-disable-via-header')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablecachedisableviaheader.example.com',
@@ -2148,7 +2508,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2173,9 +2533,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     )
 
   def test_enable_http2_false(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable-http2-false']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable-http2-false')
+    parameter_dict = self.parseSlaveParameterDict('enable-http2-false')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablehttp2false.example.com',
@@ -2193,7 +2552,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2223,9 +2582,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       isHTTP2(parameter_dict['domain'], parameter_dict['public-ipv4']))
 
   def test_enable_http2_default(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable-http2-default']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable-http2-default')
+    parameter_dict = self.parseSlaveParameterDict('enable-http2-default')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablehttp2default.example.com',
@@ -2243,7 +2601,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2273,10 +2631,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       isHTTP2(parameter_dict['domain'], parameter_dict['public-ipv4']))
 
   def test_prefer_gzip_encoding_to_backend(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'prefer-gzip-encoding-to-backend']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'prefer-gzip-encoding-to-backend')
+    parameter_dict = self.parseSlaveParameterDict(
+      'prefer-gzip-encoding-to-backend')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'prefergzipencodingtobackend.example.com',
@@ -2295,7 +2652,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       headers={'Accept-Encoding': 'gzip, deflate'})
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2313,9 +2670,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'deflate', result.json()['Incoming Headers']['accept-encoding'])
 
   def test_disabled_cookie_list(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'disabled-cookie-list']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'disabled-cookie-list')
+    parameter_dict = self.parseSlaveParameterDict('disabled-cookie-list')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'disabledcookielist.example.com',
@@ -2337,7 +2693,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
         ))
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2346,11 +2702,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       'Coffee=present', result.json()['Incoming Headers']['cookie'])
 
   def test_apache_custom_http_s_rejected(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'apache_custom_http_s-rejected']
+    parameter_dict = self.parseSlaveParameterDict(
+      'apache_custom_http_s-rejected')
     self.assertEqual(
       {
-        'request-error-list': '["slave not authorized"]'
+        'request-error-list': ["slave not authorized"]
       },
       parameter_dict)
     slave_configuration_file_list = glob.glob(os.path.join(
@@ -2367,10 +2723,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     self.assertEqual([], configuration_file_with_custom_http_list)
 
   def test_apache_custom_http_s_accepted(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'apache_custom_http_s-accepted']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'apache_custom_http_s-accepted')
+    parameter_dict = self.parseSlaveParameterDict(
+      'apache_custom_http_s-accepted')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {'replication_number': '1', 'public-ipv4': LOCAL_IPV4},
       parameter_dict
@@ -2381,7 +2736,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2424,11 +2779,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     self.assertEqual(1, len(configuration_file_with_custom_http_list))
 
   def test_caddy_custom_http_s_rejected(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'caddy_custom_http_s-rejected']
+    parameter_dict = self.parseSlaveParameterDict(
+      'caddy_custom_http_s-rejected')
     self.assertEqual(
       {
-        'request-error-list': '["slave not authorized"]'
+        'request-error-list': ["slave not authorized"]
       },
       parameter_dict)
     slave_configuration_file_list = glob.glob(os.path.join(
@@ -2445,11 +2800,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     self.assertEqual([], configuration_file_with_custom_http_list)
 
   def test_caddy_custom_http_s(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'caddy_custom_http_s']
+    parameter_dict = self.parseSlaveParameterDict(
+      'caddy_custom_http_s')
     self.assertEqual(
       {
-        'request-error-list': '["slave not authorized"]'
+        'request-error-list': ["slave not authorized"]
       },
       parameter_dict)
     slave_configuration_file_list = glob.glob(os.path.join(
@@ -2466,10 +2821,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     self.assertEqual([], configuration_file_with_custom_http_list)
 
   def test_caddy_custom_http_s_accepted(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'caddy_custom_http_s-accepted']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'caddy_custom_http_s-accepted')
+    parameter_dict = self.parseSlaveParameterDict(
+      'caddy_custom_http_s-accepted')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {'replication_number': '1', 'public-ipv4': LOCAL_IPV4},
       parameter_dict
@@ -2480,7 +2834,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2523,9 +2877,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     self.assertEqual(1, len(configuration_file_with_custom_http_list))
 
   def test_https_url(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'url_https-url']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'url_https-url')
+    parameter_dict = self.parseSlaveParameterDict('url_https-url')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'urlhttpsurl.example.com',
@@ -2542,7 +2895,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/https/test-path')
@@ -2559,8 +2912,8 @@ class TestReplicateSlave(SlaveHttpFrontendTestCase, TestDataMixin):
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-certificate': cls.certificate_pem,
+      'apache-key': cls.key_pem,
       '-frontend-quantity': 2,
       '-sla-2-computer_guid': 'slapos.test',
       '-frontend-2-state': 'stopped',
@@ -2582,9 +2935,8 @@ class TestReplicateSlave(SlaveHttpFrontendTestCase, TestDataMixin):
     }
 
   def test(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'replicate']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'replicate')
+    parameter_dict = self.parseSlaveParameterDict('replicate')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'replicate.example.com',
@@ -2601,7 +2953,7 @@ class TestReplicateSlave(SlaveHttpFrontendTestCase, TestDataMixin):
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2631,8 +2983,8 @@ class TestEnableHttp2ByDefaultFalseSlave(SlaveHttpFrontendTestCase,
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-certificate': cls.certificate_pem,
+      'apache-key': cls.key_pem,
       'enable-http2-by-default': 'false',
       'port': HTTPS_PORT,
       'plain_http_port': HTTP_PORT,
@@ -2656,9 +3008,8 @@ class TestEnableHttp2ByDefaultFalseSlave(SlaveHttpFrontendTestCase,
     }
 
   def test_enable_http2_default(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable-http2-default']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable-http2-default')
+    parameter_dict = self.parseSlaveParameterDict('enable-http2-default')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablehttp2default.example.com',
@@ -2676,9 +3027,8 @@ class TestEnableHttp2ByDefaultFalseSlave(SlaveHttpFrontendTestCase,
       isHTTP2(parameter_dict['domain'], parameter_dict['public-ipv4']))
 
   def test_enable_http2_false(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable-http2-false']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable-http2-false')
+    parameter_dict = self.parseSlaveParameterDict('enable-http2-false')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablehttp2false.example.com',
@@ -2696,9 +3046,8 @@ class TestEnableHttp2ByDefaultFalseSlave(SlaveHttpFrontendTestCase,
       isHTTP2(parameter_dict['domain'], parameter_dict['public-ipv4']))
 
   def test_enable_http2_true(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable-http2-true']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable-http2-true')
+    parameter_dict = self.parseSlaveParameterDict('enable-http2-true')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablehttp2true.example.com',
@@ -2724,8 +3073,8 @@ class TestEnableHttp2ByDefaultDefaultSlave(SlaveHttpFrontendTestCase,
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-certificate': cls.certificate_pem,
+      'apache-key': cls.key_pem,
       'port': HTTPS_PORT,
       'plain_http_port': HTTP_PORT,
       'nginx_port': NGINX_HTTPS_PORT,
@@ -2748,9 +3097,8 @@ class TestEnableHttp2ByDefaultDefaultSlave(SlaveHttpFrontendTestCase,
     }
 
   def test_enable_http2_default(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable-http2-default']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable-http2-default')
+    parameter_dict = self.parseSlaveParameterDict('enable-http2-default')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablehttp2default.example.com',
@@ -2768,9 +3116,8 @@ class TestEnableHttp2ByDefaultDefaultSlave(SlaveHttpFrontendTestCase,
       isHTTP2(parameter_dict['domain'], parameter_dict['public-ipv4']))
 
   def test_enable_http2_false(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable-http2-false']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable-http2-false')
+    parameter_dict = self.parseSlaveParameterDict('enable-http2-false')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablehttp2false.example.com',
@@ -2788,9 +3135,8 @@ class TestEnableHttp2ByDefaultDefaultSlave(SlaveHttpFrontendTestCase,
       isHTTP2(parameter_dict['domain'], parameter_dict['public-ipv4']))
 
   def test_enable_http2_true(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'enable-http2-true']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'enable-http2-true')
+    parameter_dict = self.parseSlaveParameterDict('enable-http2-true')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'enablehttp2true.example.com',
@@ -2829,9 +3175,8 @@ class TestRe6stVerificationUrlDefaultSlave(SlaveHttpFrontendTestCase,
     }
 
   def test_default(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'default']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'default')
+    parameter_dict = self.parseSlaveParameterDict('default')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'default.None',
@@ -2879,9 +3224,8 @@ class TestRe6stVerificationUrlSlave(SlaveHttpFrontendTestCase,
     }
 
   def test_default(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'default']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'default')
+    parameter_dict = self.parseSlaveParameterDict('default')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'default.None',
@@ -2915,8 +3259,8 @@ class TestMalformedBackenUrlSlave(SlaveHttpFrontendTestCase,
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-certificate': cls.certificate_pem,
+      'apache-key': cls.key_pem,
       'port': HTTPS_PORT,
       'plain_http_port': HTTP_PORT,
       'nginx_port': NGINX_HTTPS_PORT,
@@ -2939,7 +3283,7 @@ class TestMalformedBackenUrlSlave(SlaveHttpFrontendTestCase,
     }
 
   def test_master_partition_state(self):
-    parameter_dict = self.computer_partition.getConnectionParameterDict()
+    parameter_dict = self.parseConnectionParameterDict()
     self.assertKeyWithPop('monitor-setup-url', parameter_dict)
 
     expected_parameter_dict = {
@@ -2948,10 +3292,11 @@ class TestMalformedBackenUrlSlave(SlaveHttpFrontendTestCase,
       'accepted-slave-amount': '1',
       'rejected-slave-amount': '2',
       'slave-amount': '3',
-      'rejected-slave-dict':
-      '{"_https-url": ["slave https-url \\"https://[fd46::c2ae]:!py!u\'123123'
-      '\'\\" invalid"], "_url": ["slave url \\"https://[fd46::c2ae]:!py!u\''
-      '123123\'\\" invalid"]}'
+      'rejected-slave-dict': {
+        '_https-url': ['slave https-url "https://[fd46::c2ae]:!py!u\'123123\'"'
+                       ' invalid'],
+        '_url': [u'slave url "https://[fd46::c2ae]:!py!u\'123123\'" invalid']
+      }
     }
 
     self.assertEqual(
@@ -2960,9 +3305,8 @@ class TestMalformedBackenUrlSlave(SlaveHttpFrontendTestCase,
     )
 
   def test_empty(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'empty']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'empty')
+    parameter_dict = self.parseSlaveParameterDict('empty')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'empty.example.com',
@@ -2979,29 +3323,27 @@ class TestMalformedBackenUrlSlave(SlaveHttpFrontendTestCase,
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
 
   def test_url(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'url'].copy()
+    parameter_dict = self.parseSlaveParameterDict('url')
     self.assertEqual(
       {
-        'request-error-list': '["slave url \\"https://[fd46::c2ae]:!py!'
-        'u\'123123\'\\" invalid"]'
+        'request-error-list': [
+          "slave url \"https://[fd46::c2ae]:!py!u'123123'\" invalid"]
       },
       parameter_dict
     )
 
   def test_https_url(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'https-url'].copy()
+    parameter_dict = self.parseSlaveParameterDict('https-url')
     self.assertEqual(
       {
-        'request-error-list': '["slave https-url \\"https://[fd46::c2ae]:'
-        '!py!u\'123123\'\\" invalid"]'
+        'request-error-list': [
+          "slave https-url \"https://[fd46::c2ae]:!py!u'123123'\" invalid"]
       },
       parameter_dict
     )
@@ -3023,8 +3365,7 @@ class TestDefaultMonitorHttpdPort(SlaveHttpFrontendTestCase, TestDataMixin):
     }
 
   def test(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'test']
+    parameter_dict = self.parseSlaveParameterDict('test')
     self.assertKeyWithPop('log-access-url', parameter_dict)
     self.assertEqual(
       {
@@ -3054,8 +3395,8 @@ class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': LOCAL_IPV4,
       'enable-quic': 'true',
-      'apache-certificate': open('wildcard.example.com.crt').read(),
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-certificate': cls.certificate_pem,
+      'apache-key': cls.key_pem,
       '-frontend-authorized-slave-string':
       '_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
       'port': HTTPS_PORT,
@@ -3090,9 +3431,8 @@ class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
       if os.path.exists(os.path.join(q, 'etc', 'trafficserver'))][0]
 
   def test_url(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'url'].copy()
-    self.assertLogAccessUrlWithPop(parameter_dict, 'url')
+    parameter_dict = self.parseSlaveParameterDict('url')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'url.example.com',
@@ -3109,7 +3449,7 @@ class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -3123,35 +3463,26 @@ class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
     self.assertKeyWithPop('Date', result.headers)
     self.assertKeyWithPop('Content-Length', result.headers)
 
-    self.assertEqual(
-      {'Content-Encoding': 'gzip',
-       'Alt-Svc': 'quic=":11443"; ma=2592000; v="39"',  # QUIC advertises
-       'Set-Cookie': 'secured=value;secure, nonsecured=value',
-       'Vary': 'Accept-Encoding',
-       'Server': 'Caddy, BaseHTTP/0.3 Python/2.7.14',
-       'Content-Type': 'application/json'},
-      result.headers
+    quic_status, quic_result = getQUIC(
+      'https://%s/%s' % (parameter_dict['domain'], 'test-path'),
+      parameter_dict['public-ipv4'],
+      HTTPS_PORT
     )
 
-    result_http = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqualResultJson(result_http, 'Path', '/test-path')
+    self.assertTrue(quic_status, quic_result)
 
     try:
-      j = result_http.json()
+      quic_jsoned = quic_result.split('body: ')[2].split('trailers')[0]
     except Exception:
-      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
-
-    self.assertEqual(
-      'gzip',
-      result_http.headers['Content-Encoding']
-    )
-
-    self.assertEqual(
-      'secured=value;secure, nonsecured=value',
-      result_http.headers['Set-Cookie']
-    )
+      raise ValueError('JSON not found at all in QUIC result:\n%s' % (
+        quic_result,))
+    try:
+      j = json.loads(quic_jsoned)
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (quic_jsoned,))
+    key = 'Path'
+    self.assertTrue(key in j, 'No key %r in %s' % (key, j))
+    self.assertEqual('/test-path', j[key])
 
 
 class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
@@ -3161,8 +3492,8 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-certificate': cls.certificate_pem,
+      'apache-key': cls.key_pem,
       '-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
       'port': HTTPS_PORT,
       'plain_http_port': HTTP_PORT,
@@ -3231,7 +3562,7 @@ https://www.google.com {}""",
     }
 
   def test_master_partition_state(self):
-    parameter_dict = self.computer_partition.getConnectionParameterDict()
+    parameter_dict = self.parseConnectionParameterDict()
     self.assertKeyWithPop('monitor-setup-url', parameter_dict)
 
     expected_parameter_dict = {
@@ -3240,14 +3571,21 @@ https://www.google.com {}""",
       'accepted-slave-amount': '8',
       'rejected-slave-amount': '4',
       'slave-amount': '12',
-      'rejected-slave-dict':
-      '{"_caddy_custom_http_s-reject": ["slave caddy_custom_http '
-      'configuration invalid", "slave caddy_custom_https configuration '
-      'invalid"], "_server-alias-unsafe": ["server-alias \'${section:option}\''
-      ' not valid", "server-alias \'afterspace\' not valid"], '
-      '"_custom_domain-unsafe": ["custom_domain \'${section:option} '
-      'afterspace\\\\nafternewline\' invalid"], "_ssl_key-ssl_crt-unsafe": '
-      '["slave ssl_key and ssl_crt does not match"]}'
+      'rejected-slave-dict': {
+        '_caddy_custom_http_s-reject': [
+          'slave caddy_custom_http configuration invalid',
+          'slave caddy_custom_https configuration invalid'],
+        '_custom_domain-unsafe': [
+          "custom_domain '${section:option} afterspace\\nafternewline' invalid"
+        ],
+        '_server-alias-unsafe': [
+          "server-alias '${section:option}' not valid",
+          "server-alias 'afterspace' not valid"
+        ],
+        '_ssl_key-ssl_crt-unsafe': [
+          'slave ssl_key and ssl_crt does not match'
+        ]
+      }
     }
 
     self.assertEqual(
@@ -3256,9 +3594,8 @@ https://www.google.com {}""",
     )
 
   def test_server_alias_same(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'server-alias-same']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'server-alias-same')
+    parameter_dict = self.parseSlaveParameterDict('server-alias-same')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'serveraliassame.example.com',
@@ -3275,15 +3612,14 @@ https://www.google.com {}""",
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
   def test_re6st_optimal_test_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      're6st-optimal-test-unsafe']
-    self.assertLogAccessUrlWithPop(parameter_dict, 're6st-optimal-test-unsafe')
+    parameter_dict = self.parseSlaveParameterDict('re6st-optimal-test-unsafe')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 're6stoptimaltestunsafe.example.com',
@@ -3300,7 +3636,7 @@ https://www.google.com {}""",
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3325,10 +3661,8 @@ https://www.google.com {}""",
     )
 
   def test_re6st_optimal_test_nocomma(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      're6st-optimal-test-nocomma']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 're6st-optimal-test-nocomma')
+    parameter_dict = self.parseSlaveParameterDict('re6st-optimal-test-nocomma')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 're6stoptimaltestnocomma.example.com',
@@ -3345,7 +3679,7 @@ https://www.google.com {}""",
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3361,34 +3695,31 @@ https://www.google.com {}""",
     )
 
   def test_custom_domain_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'custom_domain-unsafe']
+    parameter_dict = self.parseSlaveParameterDict('custom_domain-unsafe')
     self.assertEqual(
       {
-        'request-error-list':
-        '["custom_domain \'${section:option} afterspace\\\\nafternewline\' '
-        'invalid"]'
+        'request-error-list': [
+          "custom_domain '${section:option} afterspace\\nafternewline' invalid"
+        ]
       },
       parameter_dict
     )
 
   def test_server_alias_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'server-alias-unsafe']
+    parameter_dict = self.parseSlaveParameterDict('server-alias-unsafe')
     self.assertEqual(
       {
-        'request-error-list':
-        '["server-alias \'${section:option}\' not valid", "server-alias '
-        '\'afterspace\' not valid"]'
+        'request-error-list': [
+          "server-alias '${section:option}' not valid", "server-alias "
+          "'afterspace' not valid"]
       },
       parameter_dict
     )
 
   def test_virtualhostroot_http_port_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'virtualhostroot-http-port-unsafe']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'virtualhostroot-http-port-unsafe')
+    parameter_dict = self.parseSlaveParameterDict(
+      'virtualhostroot-http-port-unsafe')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'virtualhostroothttpportunsafe.example.com',
@@ -3413,10 +3744,9 @@ https://www.google.com {}""",
     )
 
   def test_virtualhostroot_https_port_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'virtualhostroot-https-port-unsafe']
-    self.assertLogAccessUrlWithPop(
-      parameter_dict, 'virtualhostroot-https-port-unsafe')
+    parameter_dict = self.parseSlaveParameterDict(
+      'virtualhostroot-https-port-unsafe')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'virtualhostroothttpsportunsafe.example.com',
@@ -3434,7 +3764,7 @@ https://www.google.com {}""",
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqualResultJson(
@@ -3445,9 +3775,8 @@ https://www.google.com {}""",
     )
 
   def default_path_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'default-path-unsafe']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'default-path-unsafe')
+    parameter_dict = self.parseSlaveParameterDict('default-path-unsafe')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'defaultpathunsafe.example.com',
@@ -3464,7 +3793,7 @@ https://www.google.com {}""",
       parameter_dict['domain'], parameter_dict['public-ipv4'], '')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(
@@ -3474,9 +3803,8 @@ https://www.google.com {}""",
     )
 
   def test_monitor_ipv4_test_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'monitor-ipv4-test-unsafe']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'monitor-ipv4-test-unsafe')
+    parameter_dict = self.parseSlaveParameterDict('monitor-ipv4-test-unsafe')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'monitoripv4testunsafe.example.com',
@@ -3493,7 +3821,7 @@ https://www.google.com {}""",
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3517,9 +3845,8 @@ https://www.google.com {}""",
     )
 
   def test_monitor_ipv6_test_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'monitor-ipv6-test-unsafe']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'monitor-ipv6-test-unsafe')
+    parameter_dict = self.parseSlaveParameterDict('monitor-ipv6-test-unsafe')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'monitoripv6testunsafe.example.com',
@@ -3536,7 +3863,7 @@ https://www.google.com {}""",
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
     self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
       der2pem(result.peercert))
 
     self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3560,21 +3887,20 @@ https://www.google.com {}""",
     )
 
   def test_ssl_key_ssl_crt_unsafe(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'ssl_key-ssl_crt-unsafe']
+    parameter_dict = self.parseSlaveParameterDict('ssl_key-ssl_crt-unsafe')
     self.assertEqual(
-      {'request-error-list': '["slave ssl_key and ssl_crt does not match"]'},
+      {'request-error-list': ["slave ssl_key and ssl_crt does not match"]},
       parameter_dict
     )
 
   def test_caddy_custom_http_s_reject(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'caddy_custom_http_s-reject']
+    parameter_dict = self.parseSlaveParameterDict('caddy_custom_http_s-reject')
     self.assertEqual(
       {
-        'request-error-list':
-        '["slave caddy_custom_http configuration invalid", '
-        '"slave caddy_custom_https configuration invalid"]'
+        'request-error-list': [
+          "slave caddy_custom_http configuration invalid",
+          "slave caddy_custom_https configuration invalid"
+        ]
       },
       parameter_dict
     )
@@ -3587,8 +3913,8 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-certificate': cls.certificate_pem,
+      'apache-key': cls.key_pem,
       '-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
       'port': HTTPS_PORT,
       'plain_http_port': HTTP_PORT,
@@ -3618,7 +3944,7 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
     }
 
   def test_master_partition_state(self):
-    parameter_dict = self.computer_partition.getConnectionParameterDict()
+    parameter_dict = self.parseConnectionParameterDict()
     self.assertKeyWithPop('monitor-setup-url', parameter_dict)
 
     expected_parameter_dict = {
@@ -3627,10 +3953,11 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
       'accepted-slave-amount': '1',
       'rejected-slave-amount': '3',
       'slave-amount': '4',
-      'rejected-slave-dict':
-      '{"_site_4": ["custom_domain \'duplicate.example.com\' clashes"], '
-      '"_site_1": ["custom_domain \'duplicate.example.com\' clashes"], '
-      '"_site_3": ["server-alias \'duplicate.example.com\' clashes"]}'
+      'rejected-slave-dict': {
+        '_site_1': ["custom_domain 'duplicate.example.com' clashes"],
+        '_site_3': ["server-alias 'duplicate.example.com' clashes"],
+        '_site_4': ["custom_domain 'duplicate.example.com' clashes"]
+      }
     }
 
     self.assertEqual(
@@ -3639,20 +3966,17 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
     )
 
   def test_site_1(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'site_1']
+    parameter_dict = self.parseSlaveParameterDict('site_1')
     self.assertEqual(
       {
-        'request-error-list':
-        '["custom_domain \'duplicate.example.com\' clashes"]'
+        'request-error-list': ["custom_domain 'duplicate.example.com' clashes"]
       },
       parameter_dict
     )
 
   def test_site_2(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'site_2']
-    self.assertLogAccessUrlWithPop(parameter_dict, 'site_2')
+    parameter_dict = self.parseSlaveParameterDict('site_2')
+    self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertEqual(
       {
         'domain': 'duplicate.example.com',
@@ -3666,23 +3990,19 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
     )
 
   def test_site_3(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'site_3']
+    parameter_dict = self.parseSlaveParameterDict('site_3')
     self.assertEqual(
       {
-        'request-error-list':
-        '["server-alias \'duplicate.example.com\' clashes"]'
+        'request-error-list': ["server-alias 'duplicate.example.com' clashes"]
       },
       parameter_dict,
     )
 
   def test_site_4(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'site_4']
+    parameter_dict = self.parseSlaveParameterDict('site_4')
     self.assertEqual(
       {
-        'request-error-list':
-        '["custom_domain \'duplicate.example.com\' clashes"]'
+        'request-error-list': ["custom_domain 'duplicate.example.com' clashes"]
       },
       parameter_dict
     )
diff --git a/software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_run-CADDY.txt
index 8a8c2471f50e35655df9d973efb16d28beabc868..7e14aaaf1b60e42552da63d4fadff8a044b5438a 100644
--- a/software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_run-CADDY.txt
@@ -1,8 +1,14 @@
 TestDuplicateSiteKeyProtection-0/var/run/monitor-httpd.pid
 TestDuplicateSiteKeyProtection-0/var/run/monitor/monitor-bootstrap.pid
-TestDuplicateSiteKeyProtection-1/var/run/caddy_configuration.signature
+TestDuplicateSiteKeyProtection-1/var/run/caddy_graceful_signature
+TestDuplicateSiteKeyProtection-1/var/run/caddy_graceful_signature.tmp
+TestDuplicateSiteKeyProtection-1/var/run/caddy_validate_signature
+TestDuplicateSiteKeyProtection-1/var/run/caddy_validate_signature.status
 TestDuplicateSiteKeyProtection-1/var/run/httpd.pid
 TestDuplicateSiteKeyProtection-1/var/run/monitor-httpd.pid
 TestDuplicateSiteKeyProtection-1/var/run/monitor/monitor-bootstrap.pid
-TestDuplicateSiteKeyProtection-1/var/run/ncaddy_configuration.signature
-TestDuplicateSiteKeyProtection-1/var/run/nginx.pid
\ No newline at end of file
+TestDuplicateSiteKeyProtection-1/var/run/nginx.pid
+TestDuplicateSiteKeyProtection-1/var/run/nginx_graceful_signature
+TestDuplicateSiteKeyProtection-1/var/run/nginx_graceful_signature.tmp
+TestDuplicateSiteKeyProtection-1/var/run/nginx_validate_signature
+TestDuplicateSiteKeyProtection-1/var/run/nginx_validate_signature.status
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_run-CADDY.txt
index f92a782447acaaf41cbe5e54a85aef0231858c5d..78243f7632fce16d90eb51351c21704fd1c74c4b 100644
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_run-CADDY.txt
@@ -1,8 +1,14 @@
 TestEnableHttp2ByDefaultDefaultSlave-0/var/run/monitor-httpd.pid
 TestEnableHttp2ByDefaultDefaultSlave-0/var/run/monitor/monitor-bootstrap.pid
-TestEnableHttp2ByDefaultDefaultSlave-1/var/run/caddy_configuration.signature
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/caddy_graceful_signature
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/caddy_graceful_signature.tmp
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/caddy_validate_signature
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/caddy_validate_signature.status
 TestEnableHttp2ByDefaultDefaultSlave-1/var/run/httpd.pid
 TestEnableHttp2ByDefaultDefaultSlave-1/var/run/monitor-httpd.pid
 TestEnableHttp2ByDefaultDefaultSlave-1/var/run/monitor/monitor-bootstrap.pid
-TestEnableHttp2ByDefaultDefaultSlave-1/var/run/ncaddy_configuration.signature
-TestEnableHttp2ByDefaultDefaultSlave-1/var/run/nginx.pid
\ No newline at end of file
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/nginx.pid
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/nginx_graceful_signature
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/nginx_graceful_signature.tmp
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/nginx_validate_signature
+TestEnableHttp2ByDefaultDefaultSlave-1/var/run/nginx_validate_signature.status
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_run-CADDY.txt
index 9d4fd191db5e7d749dcf37d0d050214f003ae09e..8b00c8e4dea8a9923873497defcc6bd509d76dde 100644
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_run-CADDY.txt
@@ -1,8 +1,14 @@
 TestEnableHttp2ByDefaultFalseSlave-0/var/run/monitor-httpd.pid
 TestEnableHttp2ByDefaultFalseSlave-0/var/run/monitor/monitor-bootstrap.pid
-TestEnableHttp2ByDefaultFalseSlave-1/var/run/caddy_configuration.signature
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/caddy_graceful_signature
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/caddy_graceful_signature.tmp
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/caddy_validate_signature
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/caddy_validate_signature.status
 TestEnableHttp2ByDefaultFalseSlave-1/var/run/httpd.pid
 TestEnableHttp2ByDefaultFalseSlave-1/var/run/monitor-httpd.pid
 TestEnableHttp2ByDefaultFalseSlave-1/var/run/monitor/monitor-bootstrap.pid
-TestEnableHttp2ByDefaultFalseSlave-1/var/run/ncaddy_configuration.signature
-TestEnableHttp2ByDefaultFalseSlave-1/var/run/nginx.pid
\ No newline at end of file
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/nginx.pid
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/nginx_graceful_signature
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/nginx_graceful_signature.tmp
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/nginx_validate_signature
+TestEnableHttp2ByDefaultFalseSlave-1/var/run/nginx_validate_signature.status
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_file_list_run-CADDY.txt
index a6d812a828841e1fb853e6aa67ec1a7a4cc48b64..2dd96cf77a8d2d3f53b73f9e60687855c2b2bd14 100644
--- a/software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_file_list_run-CADDY.txt
@@ -1,8 +1,14 @@
 TestMalformedBackenUrlSlave-0/var/run/monitor-httpd.pid
 TestMalformedBackenUrlSlave-0/var/run/monitor/monitor-bootstrap.pid
-TestMalformedBackenUrlSlave-1/var/run/caddy_configuration.signature
+TestMalformedBackenUrlSlave-1/var/run/caddy_graceful_signature
+TestMalformedBackenUrlSlave-1/var/run/caddy_graceful_signature.tmp
+TestMalformedBackenUrlSlave-1/var/run/caddy_validate_signature
+TestMalformedBackenUrlSlave-1/var/run/caddy_validate_signature.status
 TestMalformedBackenUrlSlave-1/var/run/httpd.pid
 TestMalformedBackenUrlSlave-1/var/run/monitor-httpd.pid
 TestMalformedBackenUrlSlave-1/var/run/monitor/monitor-bootstrap.pid
-TestMalformedBackenUrlSlave-1/var/run/ncaddy_configuration.signature
 TestMalformedBackenUrlSlave-1/var/run/nginx.pid
+TestMalformedBackenUrlSlave-1/var/run/nginx_graceful_signature
+TestMalformedBackenUrlSlave-1/var/run/nginx_graceful_signature.tmp
+TestMalformedBackenUrlSlave-1/var/run/nginx_validate_signature
+TestMalformedBackenUrlSlave-1/var/run/nginx_validate_signature.status
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_run-CADDY.txt
index 60062c2dc0f03c23111181e6e4da41344a459146..245dc9d43887b634fa3ffebf1d9261aa319295c0 100644
--- a/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_run-CADDY.txt
@@ -1,8 +1,14 @@
 TestQuicEnabled-0/var/run/monitor-httpd.pid
 TestQuicEnabled-0/var/run/monitor/monitor-bootstrap.pid
-TestQuicEnabled-1/var/run/caddy_configuration.signature
+TestQuicEnabled-1/var/run/caddy_graceful_signature
+TestQuicEnabled-1/var/run/caddy_graceful_signature.tmp
+TestQuicEnabled-1/var/run/caddy_validate_signature
+TestQuicEnabled-1/var/run/caddy_validate_signature.status
 TestQuicEnabled-1/var/run/httpd.pid
 TestQuicEnabled-1/var/run/monitor-httpd.pid
 TestQuicEnabled-1/var/run/monitor/monitor-bootstrap.pid
-TestQuicEnabled-1/var/run/ncaddy_configuration.signature
-TestQuicEnabled-1/var/run/nginx.pid
\ No newline at end of file
+TestQuicEnabled-1/var/run/nginx.pid
+TestQuicEnabled-1/var/run/nginx_graceful_signature
+TestQuicEnabled-1/var/run/nginx_graceful_signature.tmp
+TestQuicEnabled-1/var/run/nginx_validate_signature
+TestQuicEnabled-1/var/run/nginx_validate_signature.status
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_run-CADDY.txt
index bd4a4da9a294e9730ca74f5c93244c422542be09..640f3946be1677d24bf7232f1b9b6151dfdbd021 100644
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_run-CADDY.txt
@@ -1,8 +1,12 @@
 TestRe6stVerificationUrlDefaultSlave-0/var/run/monitor-httpd.pid
 TestRe6stVerificationUrlDefaultSlave-0/var/run/monitor/monitor-bootstrap.pid
-TestRe6stVerificationUrlDefaultSlave-1/var/run/caddy_configuration.signature
+TestRe6stVerificationUrlDefaultSlave-1/var/run/caddy_graceful_signature
+TestRe6stVerificationUrlDefaultSlave-1/var/run/caddy_graceful_signature.tmp
+TestRe6stVerificationUrlDefaultSlave-1/var/run/caddy_validate_signature
 TestRe6stVerificationUrlDefaultSlave-1/var/run/httpd.pid
 TestRe6stVerificationUrlDefaultSlave-1/var/run/monitor-httpd.pid
 TestRe6stVerificationUrlDefaultSlave-1/var/run/monitor/monitor-bootstrap.pid
-TestRe6stVerificationUrlDefaultSlave-1/var/run/ncaddy_configuration.signature
-TestRe6stVerificationUrlDefaultSlave-1/var/run/nginx.pid
\ No newline at end of file
+TestRe6stVerificationUrlDefaultSlave-1/var/run/nginx.pid
+TestRe6stVerificationUrlDefaultSlave-1/var/run/nginx_graceful_signature
+TestRe6stVerificationUrlDefaultSlave-1/var/run/nginx_graceful_signature.tmp
+TestRe6stVerificationUrlDefaultSlave-1/var/run/nginx_validate_signature
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_run-CADDY.txt
index 42d767e1b0bf1b18a194ea34c65eef410393d152..6dc365c88bc0fdd8551c4e46fefcd833771ec98a 100644
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_run-CADDY.txt
@@ -1,8 +1,12 @@
 TestRe6stVerificationUrlSlave-0/var/run/monitor-httpd.pid
 TestRe6stVerificationUrlSlave-0/var/run/monitor/monitor-bootstrap.pid
-TestRe6stVerificationUrlSlave-1/var/run/caddy_configuration.signature
+TestRe6stVerificationUrlSlave-1/var/run/caddy_graceful_signature
+TestRe6stVerificationUrlSlave-1/var/run/caddy_graceful_signature.tmp
+TestRe6stVerificationUrlSlave-1/var/run/caddy_validate_signature
 TestRe6stVerificationUrlSlave-1/var/run/httpd.pid
 TestRe6stVerificationUrlSlave-1/var/run/monitor-httpd.pid
 TestRe6stVerificationUrlSlave-1/var/run/monitor/monitor-bootstrap.pid
-TestRe6stVerificationUrlSlave-1/var/run/ncaddy_configuration.signature
-TestRe6stVerificationUrlSlave-1/var/run/nginx.pid
\ No newline at end of file
+TestRe6stVerificationUrlSlave-1/var/run/nginx.pid
+TestRe6stVerificationUrlSlave-1/var/run/nginx_graceful_signature
+TestRe6stVerificationUrlSlave-1/var/run/nginx_graceful_signature.tmp
+TestRe6stVerificationUrlSlave-1/var/run/nginx_validate_signature
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_run-CADDY.txt
index cf16c727fd461b5bd3c69e5448b7ccae15668bdd..3bb17bc37c48a2e2aa898396694cd9076499a422 100644
--- a/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_run-CADDY.txt
@@ -1,8 +1,14 @@
 TestReplicateSlave-0/var/run/monitor-httpd.pid
 TestReplicateSlave-0/var/run/monitor/monitor-bootstrap.pid
-TestReplicateSlave-1/var/run/caddy_configuration.signature
+TestReplicateSlave-1/var/run/caddy_graceful_signature
+TestReplicateSlave-1/var/run/caddy_graceful_signature.tmp
+TestReplicateSlave-1/var/run/caddy_validate_signature
+TestReplicateSlave-1/var/run/caddy_validate_signature.status
 TestReplicateSlave-1/var/run/httpd.pid
 TestReplicateSlave-1/var/run/monitor-httpd.pid
 TestReplicateSlave-1/var/run/monitor/monitor-bootstrap.pid
-TestReplicateSlave-1/var/run/ncaddy_configuration.signature
-TestReplicateSlave-1/var/run/nginx.pid
\ No newline at end of file
+TestReplicateSlave-1/var/run/nginx.pid
+TestReplicateSlave-1/var/run/nginx_graceful_signature
+TestReplicateSlave-1/var/run/nginx_graceful_signature.tmp
+TestReplicateSlave-1/var/run/nginx_validate_signature
+TestReplicateSlave-1/var/run/nginx_validate_signature.status
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt
index c78f159514adf1ced54969d96e4d17c43a7fa06e..bb4d3f9a19bbcb8c53c12a255996124e87537318 100644
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt
@@ -27,6 +27,8 @@ TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_access_log
 TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_error_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_enable_cache_access_log
@@ -51,6 +53,8 @@ TestSlave-1/var/log/httpd/_server-alias_custom_domain-duplicated_error_log
 TestSlave-1/var/log/httpd/_server-alias_error_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_ssl_ca_crt_does_not_match_access_log
@@ -67,6 +71,8 @@ TestSlave-1/var/log/httpd/_type-zope-path_access_log
 TestSlave-1/var/log/httpd/_type-zope-path_error_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_type-zope-virtualhostroot-http-port_access_log
diff --git a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_run-CADDY.txt
index 46950716a3ba85a6f2e18b2113b37fd74c1dbbf0..7594246e003da80cc39d3bbbd918cefefe0f4b27 100644
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_run-CADDY.txt
@@ -1,8 +1,14 @@
 TestSlave-0/var/run/monitor-httpd.pid
 TestSlave-0/var/run/monitor/monitor-bootstrap.pid
-TestSlave-1/var/run/caddy_configuration.signature
+TestSlave-1/var/run/caddy_graceful_signature
+TestSlave-1/var/run/caddy_graceful_signature.tmp
+TestSlave-1/var/run/caddy_validate_signature
+TestSlave-1/var/run/caddy_validate_signature.status
 TestSlave-1/var/run/httpd.pid
 TestSlave-1/var/run/monitor-httpd.pid
 TestSlave-1/var/run/monitor/monitor-bootstrap.pid
-TestSlave-1/var/run/ncaddy_configuration.signature
-TestSlave-1/var/run/nginx.pid
\ No newline at end of file
+TestSlave-1/var/run/nginx.pid
+TestSlave-1/var/run/nginx_graceful_signature
+TestSlave-1/var/run/nginx_graceful_signature.tmp
+TestSlave-1/var/run/nginx_validate_signature
+TestSlave-1/var/run/nginx_validate_signature.status
\ No newline at end of file
diff --git a/software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt
index e3d0e87dd86dd77354fed39fe7885baed224af93..efc3c38adbfd42195845b5ff1c821ee66c7f7aad 100644
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt
@@ -28,6 +28,8 @@ TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_monitor-ipv4-test-error-log-last-day
@@ -53,6 +55,8 @@ TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-las
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_garbage-error-log-last-day
@@ -73,6 +77,8 @@ TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-err
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-https-port-error-log-last-day
diff --git a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_run-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_run-CADDY.txt
index 9218d3bf8d8ac367d123293fa86e9ddea1b84ecb..085d557fc9662a64506018a186b986636f20b604 100644
--- a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_run-CADDY.txt
@@ -1,8 +1,14 @@
 TestSlaveBadParameters-0/var/run/monitor-httpd.pid
 TestSlaveBadParameters-0/var/run/monitor/monitor-bootstrap.pid
-TestSlaveBadParameters-1/var/run/caddy_configuration.signature
+TestSlaveBadParameters-1/var/run/caddy_graceful_signature
+TestSlaveBadParameters-1/var/run/caddy_graceful_signature.tmp
+TestSlaveBadParameters-1/var/run/caddy_validate_signature
+TestSlaveBadParameters-1/var/run/caddy_validate_signature.status
 TestSlaveBadParameters-1/var/run/httpd.pid
 TestSlaveBadParameters-1/var/run/monitor-httpd.pid
 TestSlaveBadParameters-1/var/run/monitor/monitor-bootstrap.pid
-TestSlaveBadParameters-1/var/run/ncaddy_configuration.signature
-TestSlaveBadParameters-1/var/run/nginx.pid
\ No newline at end of file
+TestSlaveBadParameters-1/var/run/nginx.pid
+TestSlaveBadParameters-1/var/run/nginx_graceful_signature
+TestSlaveBadParameters-1/var/run/nginx_graceful_signature.tmp
+TestSlaveBadParameters-1/var/run/nginx_validate_signature
+TestSlaveBadParameters-1/var/run/nginx_validate_signature.status
\ No newline at end of file
diff --git a/software/caddy-frontend/test/testserver.example.com.pem b/software/caddy-frontend/test/testserver.example.com.pem
deleted file mode 100644
index 0204df0624551385b68d6b338bfdd717ba09aae7..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/testserver.example.com.pem
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAp0BSMfhzYo62X7FtSivZRpFn3HH5ij/fhQGla3C7gCIjsQCe
-FZwYvK6i+qyGz4vC6fxj04ZHrAn6Xh3AQN/HA9OGEew0opL1tPtLoblbWTQv9gqh
-nBupfPPZnvf7DOzfMKUvcl2RJAUZ9jWLGiUvYhtdCVGR9evq1z6O5ZMfoy29L1fB
-Qc7k8Y6+bgunu85uVXxIxZQkb9wWY6A6B1qKLYkF3qi/6hto/XY+DEL23aBzWLuz
-Zv1LmrzFarAsnc/UzsubrPaTho3EknNcfIxfNioFf0MBykEhTwZh6owh2c70ri2y
-J0mg3bGMDcQyxlZrGPQVAlV9/1zrIKogrufDtQIDAQABAoIBACqXLZc+DpwNfZG2
-y/70VZsr0ggIGiTDiTcEqUxH4+eIShB7+MXF/2KlEinFn3rgu1z8gatO6Zd83v3y
-k4+xrKtjxSNxRCIWTG2vBJ6FZia8LG56XJc1UB7athNOUOcEtv1bQ07bVueWSPsy
-vV6GE5/nGfUSiZnXXvE7JAaARbE2vix85CEZbSqps4plw+IRla5izgk2lfGeXZO4
-tv0ci+5C+U5CbOA+i9I/m0qZBAqzBqCxiN/VRZSG6kxc0XF58NaJNCFqGUCzd+On
-nLhSWxE+0+roj4BSsV8H2AHQzFy/d9eMiSoSGPLb0Sa0zvbcvf6SeknymEiTTAUK
-nj94do0CgYEA0ontvQtCir443/2rkaUeXscJQO07QeGqztgSjEZj5GiT9cgBqlWQ
-DsY6BoOHHMjJcWy4gEiz+whZOw87exy1ECevx5fazQzBwJvMD3qTOilOk49VzKs1
-xrOdm3Me3E3X8AT3kKxrGdT/kHWlCij/Y+SIq2+YVh6t15p9P51eY2MCgYEAy12Q
-K+llzNyL/6ml7CczfjNHkUlIMXlHs+bRk1eG+clUmoIQR7bxuhM6G23auGpq58mu
-KhfThEytxU1vDSsXJKueLD59pWRDvwLDlLxoXXWgkdzWRMzKkJc/vd3GTJBW2ZpX
-e66TEowBJkaftVAkGnded9EoKQKbGF2+/4/chAcCgYA1/8xrJT0u6rUZti1QEMKm
-WnRkI7SEJEY0ATVYpyEtzyjL7D2JG6L0NyFg1FFOL62DGviDZqJK64w/WpvN6sIB
-37v0/FzRJMl5BjyjZ7PlQfz2WdgOw4bqbN0qpq8uoASXeh6pC5/4oyndOl9XKMbA
-LzhiiB/RTtMVrnkbXNh9swKBgDhBZI1RHhECfVO2ySg/W9YwNz7wZ6EP7I7ObfD1
-SGg2kkm/auN7rviLMwq9Y8CZ54LA3oXUW3WAhJ1Mo0igP+Gr+7A/hSBIURk4mYO+
-bpxT2pwe28LiZ7KBtGdAPweU8gF12XdkPljmE7dT2AAe8C3GEYLRf+uARgkCfcBS
-OmznAoGAFXa3/sx8uBrA4rxpE9b/nEQNr8n0NatH7tW3fry88wYBLyFYdHrAmM/p
-7a1/iLFvCl3fzZdiAxPplFw6neCpxD2ghHXZjN5njevs9AECNhf5M3EraNJW3tn5
-b6+wwlbNqFm8NymFoq3Zeq8HUXPQbdUKOwSiwxQ5+5XdSsYOZoQ=
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIDRTCCAi0CCQDQ1EVpyJg5UzANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJB
-VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMRwwGgYDVQQDDBNUZXN0IFNlcnZlciBSb290IENBMB4XDTE4MDYy
-NzExMjIxMloXDTI4MDYyNDExMjIxMlowZjELMAkGA1UEBhMCQVUxEzARBgNVBAgM
-ClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEf
-MB0GA1UEAwwWdGVzdHNlcnZlci5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAKdAUjH4c2KOtl+xbUor2UaRZ9xx+Yo/34UBpWtwu4Ai
-I7EAnhWcGLyuovqshs+Lwun8Y9OGR6wJ+l4dwEDfxwPThhHsNKKS9bT7S6G5W1k0
-L/YKoZwbqXzz2Z73+wzs3zClL3JdkSQFGfY1ixolL2IbXQlRkfXr6tc+juWTH6Mt
-vS9XwUHO5PGOvm4Lp7vOblV8SMWUJG/cFmOgOgdaii2JBd6ov+obaP12PgxC9t2g
-c1i7s2b9S5q8xWqwLJ3P1M7Lm6z2k4aNxJJzXHyMXzYqBX9DAcpBIU8GYeqMIdnO
-9K4tsidJoN2xjA3EMsZWaxj0FQJVff9c6yCqIK7nw7UCAwEAATANBgkqhkiG9w0B
-AQsFAAOCAQEAtEfuCYN5xQ+xwFF4UwJtQvv+DGlxzSPZUxY4h5BH7BbyC+XVvo7l
-iY0pCHI7PsZRSMK3KaUuLYll/7mNB6GCE2zocWfIZwTgoJEhw35iVj07SYIcnd5h
-R1XBGEn2EQfZEkjH5kuTBUKR1EE5yJimhG89chQkP5eAWsPNUM55XmojNt5uZawb
-C8bJXGtlNGSgmfXCcGBp9VW3ImEKDoyLJuBqIcBfMv/3ENnKbuTt+cLaaLWkqX48
-JSqEL41S6tU8Jmv3HrhSWmZJjCJ+gRXKANhlAOxuddTkaEnToe9G51Ekj0uRHF37
-LHdySTpMHXg1Cm4njhLqVcRoikrSkYcHPA==
------END CERTIFICATE-----
diff --git a/software/caddy-frontend/test/testserver.root.ca.crt b/software/caddy-frontend/test/testserver.root.ca.crt
deleted file mode 100644
index aeb3bd1bce68f5935be5a9d96379a65ec7589f1c..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/testserver.root.ca.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDmTCCAoGgAwIBAgIJAOZ30I7+VqTNMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxHDAaBgNVBAMME1Rlc3QgU2VydmVyIFJvb3QgQ0EwHhcN
-MTgwNjI3MTExOTEzWhcNMjgwNjI0MTExOTEzWjBjMQswCQYDVQQGEwJBVTETMBEG
-A1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkg
-THRkMRwwGgYDVQQDDBNUZXN0IFNlcnZlciBSb290IENBMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEA6arXFNc2fl39wAgvFvB7XQILJ8xT/89n6KwvZHIs
-eqptNgT7k2LCrsWDqvQS+fsAY62OSpt6gWckM2Q9toY6niXzvElj/+C3FxdEounN
-dgHfG1M3imTbAPR/E2bPGUoWtod0DrHkIF3HlqvjTsKvk0t2XglbobZc3JFHzw2R
-Vnh0NjGHxH5tvE0hiM2rdyMUOXJeLqz/iILqOEjBscHKUcb9rTvI08N0/FFpRtbB
-JAgQeZB85ZxGqyg1pRwveG+mDALv9IImqtIpe9D/OwjOyF8MErS/Yfjqyw2eejj/
-dX9GNFnuGxlyZ7GKRncHPR2QmKrIz+1NNqsXITPs5zVo/QIDAQABo1AwTjAdBgNV
-HQ4EFgQUerhRsTxEadhORRVlRtqZryF456kwHwYDVR0jBBgwFoAUerhRsTxEadhO
-RRVlRtqZryF456kwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAs6Oi
-CMhQ6a8bW7u8jcC7Y2/50TlviQo+IQ44wgCJrnZCHDXdMLwwm7VjiUl33Z6YjnT+
-UVzkA7O2aTHop1peR3kpJ/JP6yrGudj7gZJNLlQXEKopT0MFaZWxI80LP8gIHlsx
-nzhe6Kzw8xtGiC0O4j3aJwsJp/ggaNYp37AyEA0KkGbLtA5QrpfZfvPV/zoiXQbn
-HkzaYgf1VcfwjoSi4cBO0IE2iHWjGKCoo3WGCKzoyY/ldpyqFhOvAhL5FoS7hQcl
-5meowzyz7OVGqvbhZgETNqFyl0la9JeMhbDG3+tHX6K5dbcOYRJUv/INO2CNnW/K
-o1vE6iTVxjew2tnoMQ==
------END CERTIFICATE-----
diff --git a/software/caddy-frontend/test/testserver.root.ca.key b/software/caddy-frontend/test/testserver.root.ca.key
deleted file mode 100644
index 830a625c3f21d8c17c53cad3a43c9a6a3d6f700c..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/testserver.root.ca.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6arXFNc2fl39wAgvFvB7XQILJ8xT/89n6KwvZHIseqptNgT7
-k2LCrsWDqvQS+fsAY62OSpt6gWckM2Q9toY6niXzvElj/+C3FxdEounNdgHfG1M3
-imTbAPR/E2bPGUoWtod0DrHkIF3HlqvjTsKvk0t2XglbobZc3JFHzw2RVnh0NjGH
-xH5tvE0hiM2rdyMUOXJeLqz/iILqOEjBscHKUcb9rTvI08N0/FFpRtbBJAgQeZB8
-5ZxGqyg1pRwveG+mDALv9IImqtIpe9D/OwjOyF8MErS/Yfjqyw2eejj/dX9GNFnu
-GxlyZ7GKRncHPR2QmKrIz+1NNqsXITPs5zVo/QIDAQABAoIBAQDRYTFrTlFZOJXZ
-TjwL3R9dvygJ2HDoh4w/lJK++gPbQv2raxmW/ucePoR2WlDqyTyXFPys49cJP0fT
-+R3HgU3jSnS2IjlGHrFRMpthNAnUlWa7EH1zOF5545w+4V/v9FCX7JZVWJfnXMEs
-xQdhGtjDLtp49v+xzzw0tMXYxfqWtJBuFT2Dft60lH/kcCyD7TWQD30OyP28QuYK
-Zn4uCDBCOYuHTb/eu6MLKGRkuyRbgXoCCjjziQ/u8lcUx7nPa1qTdGHAglNei5CV
-nrDsaEQGd3U7jUgOpbd+a5E5UaFtR8HoBtIDQf72JTWBrKSjkmIHZsJSU8tMKZi4
-nGr7mA4hAoGBAPcGQWdAa6qZIKTwp6EDJMBbSDH70ykBFgE4nmKAlxcfPlR0CU3R
-iahVvvuNyE//rPEhZBGqh8VEfZfkz1H5zLJQS5EV6ePbKYQE2q9JHugMrw8zh5MH
-89NpK+O9p/3MrCPAZgWGVQ3nfLkV0WTGGiSdLFDAvBtRZeMmsi2JedTJAoGBAPIo
-V1bwRzihtvZT/rc86jYvJbMR49lbal8pHsIg5FS0EAgQp4tgMnEfqI3UHvjYIUJa
-CursrHOFX0hypP2DW2BxJ6yMYv/jQivyxziCSd+xrSfR0B3vjJ33ayqs3EnS4MzY
-jbaWm1O2Z585ZlulqGWfhJ3m7dzeGqXmNrMWABCVAoGAYU59hQbDYrhfO5nw7mQm
-nf9XORlR3N0opeJ/wZ2V5u3Px8TNxXG9ICpmyQDY32p/3ZyhprPeN777GlJvuIMG
-N1eZ7NUNBUzX1cFzw4iyPAaDDyHlTe3cBnNvbo7PFhMB3DN1/Mclygxd/SqzCVdg
-BPxE8Kp7budpk0ky9u0oqMECgYEAq6hPKXDQe+Oe6AToxgnnWRuY1NR0uOqlf+mN
-RT29vhGaX602p4U8nJY9jLR2dB35jah4nsnBAW7k+V1TeeY4yyfLYPRvZUc67B6A
-fJ1XMrwnq9d+eQoLmxr9m9XHnolfE7ba1jjyyKe/0s4Esii/M7KddrVxniTPrRSB
-Z/fLefUCgYEAl2Al2BK4ZYK6HSeFxZ1kaVkcefL1QBMzgLY8LPVpReoaULdFzwat
-3elM8C31FDBvIaWzJCQMIIrFEldvU4tvBF7Mbe8lDDQXotoI6zTWMnNUGV3Xd0wc
-hep0oINBctav7pVJ7Mf+X0Wqfc4D40FPbMzHMUxfdKs9eo9qR/fktYI=
------END RSA PRIVATE KEY-----
diff --git a/software/caddy-frontend/test/testserver.srl b/software/caddy-frontend/test/testserver.srl
deleted file mode 100644
index d704ae3cf7ed490e0b93e7c8ba19cd32d323e9f4..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/testserver.srl
+++ /dev/null
@@ -1 +0,0 @@
-D0D44569C8983953
diff --git a/software/caddy-frontend/test/wildcard.example.com.crt b/software/caddy-frontend/test/wildcard.example.com.crt
deleted file mode 100644
index d0056bf95be257e8874152059dd3fd702cf8e4ec..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/wildcard.example.com.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDjzCCAnegAwIBAgIJAP4QzV9d5d8KMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wIBcNMTgwNDE3
-MTE0MjAxWhgPMjExODAzMjQxMTQyMDFaMF0xCzAJBgNVBAYTAkFVMRMwEQYDVQQI
-DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
-FjAUBgNVBAMMDSouZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQC0MNnojTq6Yp60ecvP5lZGa6owZp64sumaT66JInTFJcSV/ls0AbPN
-KPTcNRgbFLIuv/3Xhgi6YAxIz2PXdCDPj1fp4rVIijhpedaWZaIOeTqSGEg+5/iL
-4UTxm166NgCU1zp0QsmU8MXJFv4YxTZsF9LlGFcP6uUQ9sY98yv+hErCxRXo+dXd
-GGG4LTVLGPeRYNX2JVD5BxoNkL5/3IMylrFvI8aRFTKVn1P8UPJ5K9du3E0wHJY6
-MkstZX3xKcGKSn2w1zIaq/NcrbLXvp6eZauLtMpZ9vW+CtYV3diOm2TiMvQIyCRM
-4mWbaf76bpGiz9/+11w6U9n6zMzKTq+5AgMBAAGjUDBOMB0GA1UdDgQWBBT/Kswu
-BKM3GXaIWvQ8Vs1xhs/1vzAfBgNVHSMEGDAWgBT/KswuBKM3GXaIWvQ8Vs1xhs/1
-vzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAeeV7VIqbNL6Xe0I5y
-fl44ogBY0zoYJH+p7HCebazZKepy7f+EeWv8B3dHODrilSYCnsOqhta8mMSMrgsT
-TFByr/8NN/4UFe9FeKnxD9Sun0EetESkaeMqAGCK921lT0eU4IhA0JLRj16HomuK
-I/JBFwUXFn6vVypw5R41zwnikv+EB0fSC4biSXWXUarGqlRCF7o00CPKqAaTE0yX
-H4Yz3lR/Vuce7uFvkIY+F4vXtq1sy/tb4QBWlDS6t7cmeBGcvaQ8mlndA9T+us0l
-/wb9mzdTcwkrkM2kk++GnS0NCAQfOalF3x8wG6j8DrU2dQ1NXh205c/zo0BljQr8
-P84v
------END CERTIFICATE-----
diff --git a/software/caddy-frontend/test/wildcard.example.com.key b/software/caddy-frontend/test/wildcard.example.com.key
deleted file mode 100644
index 9e6cf5c0e3b468a871b5aa71262b3a5435694c1e..0000000000000000000000000000000000000000
--- a/software/caddy-frontend/test/wildcard.example.com.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0MNnojTq6Yp60
-ecvP5lZGa6owZp64sumaT66JInTFJcSV/ls0AbPNKPTcNRgbFLIuv/3Xhgi6YAxI
-z2PXdCDPj1fp4rVIijhpedaWZaIOeTqSGEg+5/iL4UTxm166NgCU1zp0QsmU8MXJ
-Fv4YxTZsF9LlGFcP6uUQ9sY98yv+hErCxRXo+dXdGGG4LTVLGPeRYNX2JVD5BxoN
-kL5/3IMylrFvI8aRFTKVn1P8UPJ5K9du3E0wHJY6MkstZX3xKcGKSn2w1zIaq/Nc
-rbLXvp6eZauLtMpZ9vW+CtYV3diOm2TiMvQIyCRM4mWbaf76bpGiz9/+11w6U9n6
-zMzKTq+5AgMBAAECggEAR9n2+pFearYqnMK4b9Vkb7485gH1pqbJGdxON6bCs16F
-Dl6X1ZwcK2H6idiuHRZamuO5//gVgOQN4fa41FAdSUbagowBR8S+C+kmlWA/h8/1
-eA4wuMzdQkH4sPMIie5Auxk72OJM6ZQ8+huuBQiW0/GICgxzowhCgUo18LwHvfwt
-XWLHplRFczgM4WEu+HVx1W9y/irOhEUEzwNfXdDTVE4bnwzb24qR0CRIdp3gc8Os
-JoUFMgbV3qfJLmzqURLIlVc3Y9FFbWrr5zhzTx2vvoT1j83e56qKHbKanr2R6NQZ
-UOsCgDvzrc9WqKE9/hwvxvPlx/L3UWuhPMpljZ8gBQKBgQDX4Qo27l8KPk9fXA18
-SrRcAAGN+moc+Y0T9WbcbXCJLLU6TO3eJqW9H3Kwb80O/zycUBFK/dIOwZZYgsuQ
-oXFG4ykSXFY/JGTEBIkvQ7LI/7t5mn0xlw3tqB7xuMO5QEyZMQFi0xP5h1B5coiO
-Wv9T1xit4FHX2EN/CJLwlzzl1wKBgQDVrdvGi+j/1pGaEST1yhvrDduHrlMsF4BI
-X8VaNXNXg9+GxsAA6+pRPRoHvmmz/RUr/km+JxWLHEZpFDOhIzJV4JYXv/q7KDH+
-Mjf7uyRshBnR+QU38RqkENIJhEZJSa8ZYmkgU9yCDozkfVzYKdxUy6Z0+o2Omzls
-cpZP1PFE7wKBgQCGXZx0+kMPZh8TFIGURg8iYCKXkzBu3miP7qNaOYfc6YXXRsCb
-D+UC5MsGxF+WoQjBphhNW9RduOJyLt6zI7kUzRjoQ66u2GEbnFMipvlln765fo3D
-yugxbv3rp/uylzHV+6mIMCbzneRZ4w7ZxAu9zFihCMkIFqRUMir7MrcFuwKBgFbK
-88ZF9jJU+XdXF2gu3AAx9MW77VSvhw/ets7ZfyxBCH46JKs7KEYvR291zIGrfvoL
-o/B09681oPP1nLMLFNsFCnJDLJjwzr2tsEez0CuzzLkZKSF78ZJKssXi0JncMB9j
-dcgHyD2bo2b79MZo2nIm9kn1q6INMtn2AVAT8pxJAoGAZfysuUMc0bdKVi41SD0A
-Ej7qX+qbXX+aA4OkTqJP3QxssD6CuZZwUKW7qj8AoOcLKsmwdjetetny46OMEXzN
-5Fk3ahCD1cycFGBawNY10x5Xy+4iApzPiO1Ujd3t7FAIrLPWFwzmLIL8pxUNuHEn
-OC9RrI4tzsvWHhMaLKVCh0g=
------END PRIVATE KEY-----
diff --git a/software/erp5testnode/buildout.hash.cfg b/software/erp5testnode/buildout.hash.cfg
index b168396821b181146c888d0d00cb22f8cedfd6f2..212170ef2caf6fdfa62c0a87e1fc11adf39dc846 100644
--- a/software/erp5testnode/buildout.hash.cfg
+++ b/software/erp5testnode/buildout.hash.cfg
@@ -18,4 +18,4 @@ md5sum = 307663d73ef3ef94b02567ecd322252e
 
 [template-default]
 filename = instance-default.cfg
-md5sum = d5a4270e5e7827db2e6a19d2eedb570b
+md5sum = ff368286a75243d0536ee6a974107b6f
diff --git a/software/erp5testnode/instance-default.cfg b/software/erp5testnode/instance-default.cfg
index b93ed1c29aa2fa3d6e630d039575466b4f4ebe17..fa2673c04ee05ba323859a3894820dd3b7d3cb38 100644
--- a/software/erp5testnode/instance-default.cfg
+++ b/software/erp5testnode/instance-default.cfg
@@ -85,8 +85,6 @@ rendered = $${basedirectory:services}/shellinaboxd
 template = inline:
   #!/bin/sh
   exec ${shellinabox:location}/bin/shellinaboxd \
-    --disable-ssl \
-    --disable-ssl-menu \
     --unixdomain-only=$${:socket}:$(id -u):$(id -g):0600 \
     --service "/:$(id -u):$(id -g):HOME:$${shell-environment:shell} -l"
 
diff --git a/software/erp5testnode/testsuite/caddy-frontend/buildout.hash.cfg b/software/erp5testnode/testsuite/caddy-frontend/buildout.hash.cfg
index 695cc710761fed9b8cf857abd70c0946545f8949..40284cf2adc38cf8b7add6ee4cb1462c303b7e71 100644
--- a/software/erp5testnode/testsuite/caddy-frontend/buildout.hash.cfg
+++ b/software/erp5testnode/testsuite/caddy-frontend/buildout.hash.cfg
@@ -15,4 +15,4 @@
 
 [template]
 filename = instance.cfg
-md5sum = a345d46655c3e841c2ecf4e3a0446c8f
+md5sum = d8d9e9a4bd00ccba2c448bb9d5d6aeae
diff --git a/software/erp5testnode/testsuite/caddy-frontend/instance.cfg b/software/erp5testnode/testsuite/caddy-frontend/instance.cfg
index 6ce09e07256c2181989e295827098b682430a05f..3a4b96da49e2de46483e997a9546e95dc2bc07f9 100644
--- a/software/erp5testnode/testsuite/caddy-frontend/instance.cfg
+++ b/software/erp5testnode/testsuite/caddy-frontend/instance.cfg
@@ -37,7 +37,7 @@ command-line =
 
 # XXX slapos.cookbook:wrapper does not allow extending env, so we add some default $PATH entries ( not sure they are needed )
 environment =
-  PATH=${curl:location}/bin/:${openssl:location}/bin/:/usr/bin/:/bin
+  PATH=${quic_client-bin:location}:${curl:location}/bin/:/usr/bin/:/bin
   LOCAL_IPV4=$${slap-configuration:ipv4-random}
   GLOBAL_IPV6=$${slap-configuration:ipv6-random}
   SLAPOS_TEST_WORKING_DIR=$${create-directory:working-dir}
diff --git a/software/erp5testnode/testsuite/caddy-frontend/software.cfg b/software/erp5testnode/testsuite/caddy-frontend/software.cfg
index 60cab619d3ef57e3cb1664565c7e2835fcb77f01..01edc61842d87bba5564ff4a55ccc74293b8bfb7 100644
--- a/software/erp5testnode/testsuite/caddy-frontend/software.cfg
+++ b/software/erp5testnode/testsuite/caddy-frontend/software.cfg
@@ -3,7 +3,9 @@
 extends =
   ../../../../component/git/buildout.cfg
   ../../../../component/curl/buildout.cfg
+  ../../../../component/python-cryptography/buildout.cfg
   ../../../../stack/slapos.cfg
+  ../../../../component/quic_client-bin/buildout.cfg
   ./buildout.hash.cfg
 
 parts =
@@ -30,6 +32,7 @@ recipe = zc.recipe.egg
 eggs =
   ${slapos.test.caddy-frontend-setup:egg}
   ${erp5.util-setup:egg}
+  ${python-cryptography:egg}
   slapos.core
 entry-points =
   runTestSuite=erp5.util.testsuite:runTestSuite
diff --git a/software/erp5testnode/testsuite/seleniumrunner/README.md b/software/erp5testnode/testsuite/seleniumrunner/README.md
deleted file mode 100644
index 63fb9fb5663570a998a39eca4cac886ce8a19ac7..0000000000000000000000000000000000000000
--- a/software/erp5testnode/testsuite/seleniumrunner/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# Selenium Server test
-
-This software release is simply to run the test suite from `../seleniumrunner/test/setup.py`
-
-Nexedi staff can see the results of this test from the test suite
-`SLAPOS-SELENIUMRUNNER-TEST` in test result module.
-
diff --git a/software/erp5testnode/testsuite/seleniumserver/README.md b/software/erp5testnode/testsuite/seleniumserver/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..9065482d8b23c38d61339637ed5586ac52117d21
--- /dev/null
+++ b/software/erp5testnode/testsuite/seleniumserver/README.md
@@ -0,0 +1,7 @@
+# Selenium Server test
+
+This software release is simply to run the test suite from `../../seleniumserver/test/setup.py`
+
+Nexedi staff can see the results of this test from the test suite
+`SLAPOS-SELENIUMSERVER-TEST` in test result module.
+
diff --git a/software/erp5testnode/testsuite/seleniumrunner/buildout.hash.cfg b/software/erp5testnode/testsuite/seleniumserver/buildout.hash.cfg
similarity index 94%
rename from software/erp5testnode/testsuite/seleniumrunner/buildout.hash.cfg
rename to software/erp5testnode/testsuite/seleniumserver/buildout.hash.cfg
index 85487dfcc24d59309dcbd55503bb6f6e42e8e331..de115e5fdf88739a1fccce50e66b84256d951c12 100644
--- a/software/erp5testnode/testsuite/seleniumrunner/buildout.hash.cfg
+++ b/software/erp5testnode/testsuite/seleniumserver/buildout.hash.cfg
@@ -15,5 +15,5 @@
 
 [template]
 filename = instance.cfg.in
-md5sum = 7e75c9eccb580f278da1784941363432
+md5sum = 3019fd19f6623cca92741582b265a1da
 
diff --git a/software/erp5testnode/testsuite/seleniumrunner/instance.cfg.in b/software/erp5testnode/testsuite/seleniumserver/instance.cfg.in
similarity index 94%
rename from software/erp5testnode/testsuite/seleniumrunner/instance.cfg.in
rename to software/erp5testnode/testsuite/seleniumserver/instance.cfg.in
index a24906fc0df7c3927864533601e1b256311dcd81..18e8af2498ce1ef08a777a799904cb5996e962db 100644
--- a/software/erp5testnode/testsuite/seleniumrunner/instance.cfg.in
+++ b/software/erp5testnode/testsuite/seleniumserver/instance.cfg.in
@@ -33,7 +33,7 @@ wrapper-path = $${create-directory:bin}/runTestSuite
 command-line =
   ${buildout:bin-directory}/runTestSuite
   --python_interpreter=${buildout:bin-directory}/${eggs:interpreter}
-  --source_code_path_list=$${slapos:location}/software/seleniumrunner/test
+  --source_code_path_list=$${slapos:location}/software/seleniumserver/test
 
 
 # XXX we need "standard" path entries to compile softwares inside test
diff --git a/software/erp5testnode/testsuite/seleniumrunner/software.cfg b/software/erp5testnode/testsuite/seleniumserver/software.cfg
similarity index 86%
rename from software/erp5testnode/testsuite/seleniumrunner/software.cfg
rename to software/erp5testnode/testsuite/seleniumserver/software.cfg
index 98c0d1f2dad372c236d479f65a352243437df92e..fb853f614735aad21770a71ed8dd43e2afd256a2 100644
--- a/software/erp5testnode/testsuite/seleniumrunner/software.cfg
+++ b/software/erp5testnode/testsuite/seleniumserver/software.cfg
@@ -16,10 +16,10 @@ parts =
 [setup-develop-egg]
 recipe = zc.recipe.egg:develop
 
-[slapos.test.seleniumrunner-setup]
+[slapos.test.seleniumserver-setup]
 <= setup-develop-egg
-egg = slapos.test.seleniumrunner
-setup = ${slapos-repository:location}/software/seleniumrunner/test/
+egg = slapos.test.seleniumserver
+setup = ${slapos-repository:location}/software/seleniumserver/test/
 
 [eggs]
 recipe = zc.recipe.egg
@@ -27,7 +27,7 @@ eggs =
   ${pillow-python:egg}
   ${python-pynacl:egg}
   ${bcrypt:egg}
-  ${slapos.test.seleniumrunner-setup:egg}
+  ${slapos.test.seleniumserver-setup:egg}
   slapos.core
 entry-points =
   runTestSuite=erp5.util.testsuite:runTestSuite
diff --git a/software/gitlab/gitlab-parameters.cfg b/software/gitlab/gitlab-parameters.cfg
index 537cee6ee09abecbdfdb1510d1de3199633fe0ea..8abf419e74547dcf8e95b5eea72c66381fa6d432 100644
--- a/software/gitlab/gitlab-parameters.cfg
+++ b/software/gitlab/gitlab-parameters.cfg
@@ -101,7 +101,7 @@ configuration.nginx_gzip_comp_level     = 2
 configuration.nginx_gzip_proxied        = any
 configuration.nginx_gzip_types          = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
 configuration.nginx_keepalive_timeout   = 65
-configuration.nginx_header_allow_origin = *
+configuration.nginx_header_allow_origin = $http_origin
 
 # configuring trusted proxies
 # GitLab is behind a reverse proxy, so we don't want the IP address of the proxy
diff --git a/software/gitlab/software.cfg b/software/gitlab/software.cfg
index 76bd68b729cd35c639ac88b710cd854fd760c6d4..f2226e9a562a543db64e0c2cf484328f617b9f86 100644
--- a/software/gitlab/software.cfg
+++ b/software/gitlab/software.cfg
@@ -293,7 +293,7 @@ md5sum  = 7782f5c5d75663c2586e28d029c51e49
 
 [gitlab-parameters.cfg]
 <= download-file
-md5sum  = dec5d989e2d969369bd1eaffcbfb78d6
+md5sum  = 8f4537cb8a0c9a8e0058c30cb687681c
 
 [gitlab-shell-config.yml.in]
 <= download-template
@@ -325,7 +325,7 @@ md5sum  = a56a44e96f65f5ed20211bb6a54279f4
 
 [nginx-gitlab-http.conf.in]
 <= download-template
-md5sum  = 697140d980c75ddc1dd0a656b1c88447
+md5sum  = abcc5eda03e10b26c74619f299a7f6a8
 
 [nginx.conf.in]
 <= download-template
@@ -345,7 +345,7 @@ md5sum  = 4e1ced687a86e4cfff2dde91237e3942
 
 [template-gitlab-resiliency-restore.sh.in]
 <= download-template
-md5sum  = 420d999daae050351a51487b9d2f8fe0
+md5sum  = 590fcadf26085fdd17487175bc0a469d
 
 [unicorn.rb.in]
 <= download-template
diff --git a/software/gitlab/template/nginx-gitlab-http.conf.in b/software/gitlab/template/nginx-gitlab-http.conf.in
index 525f99d689e81416c38dc833f0252a5eee3f8945..3ac1a94276544d9c5d5141cb3dd53720f525ea08 100644
--- a/software/gitlab/template/nginx-gitlab-http.conf.in
+++ b/software/gitlab/template/nginx-gitlab-http.conf.in
@@ -120,6 +120,7 @@ server {
   location {{ path }} {
     # Set CORS header
     add_header 'Access-Control-Allow-Origin' {{ cfg('nginx_header_allow_origin') }};
+    add_header 'Access-Control-Allow-Credentials' true;
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
     {{ 'gzip off;' if cfg_https else ''}}
diff --git a/software/gitlab/template/template-gitlab-resiliency-restore.sh.in b/software/gitlab/template/template-gitlab-resiliency-restore.sh.in
index f81bc874aeb12877b6d5a856d4a1b7518b33a4ef..3675ca75775dc7a0ad6f9940443097dfb58a74d5 100644
--- a/software/gitlab/template/template-gitlab-resiliency-restore.sh.in
+++ b/software/gitlab/template/template-gitlab-resiliency-restore.sh.in
@@ -69,7 +69,7 @@ trap "echo 'kill $postgres_pid" EXIT TERM INT
 echo "Starting Redis server..."
 $redis_executable &
 redis_pid=$!
-trap "kill $redis_pid" EXIT TERM INT
+trap "kill $postgres_pid $redis_pid" EXIT TERM INT
 echo "[OK]"
 echo "Restoring gitlab data..."
 
@@ -86,11 +86,11 @@ $promise_check/gitlab-app
 echo "Starting Unicorn to check gitlab-shell promise..."
 $unicorn_script &
 unicorn_pid=$!
-trap "kill $unicorn_pid" EXIT TERM INT
+trap "kill $postgres_pid $redis_pid $unicorn_pid" EXIT TERM INT
 sleep 60
 if [ -s "$run_location/unicorn.pid" ]; then
   unicorn_ppid=$(head -n 1 $run_location/unicorn.pid) > /dev/null 2>&1
-  trap "kill $unicorn_ppid" EXIT TERM INT
+  trap "kill $postgres_pid $redis_pid $unicorn_ppid" EXIT TERM INT
 fi
 $promise_check/gitlab-shell
 
diff --git a/software/kvm/instance-kvm-cluster.cfg.jinja2.in b/software/kvm/instance-kvm-cluster.cfg.jinja2.in
index 59245cd36f93adde65905698e06f73e636491968..7b2e3eb6a3e2219eae6e52a34da88bdd6f34ef46 100644
--- a/software/kvm/instance-kvm-cluster.cfg.jinja2.in
+++ b/software/kvm/instance-kvm-cluster.cfg.jinja2.in
@@ -136,7 +136,7 @@ return =
 {% if str(kvm_parameter_dict.get('use-tap', 'True')).lower() == 'true' -%}
 {{ '  ' }}tap-ipv4
 
-{% do publish_dict.__setitem__('lan-' ~ instance_name, '${' ~ section ~ ':connection-tap-ipv4}') -%}
+{% do publish_dict.__setitem__(instance_name ~ '-lan', '${' ~ section ~ ':connection-tap-ipv4}') -%}
 {% do kvm_hostname_list.append(instance_name ~ ' ' ~ '${' ~ section ~ ':connection-tap-ipv4}') -%}
 {% endif -%}
 {% do monitor_base_url_dict.__setitem__(instance_name, '${' ~ section ~ ':connection-monitor-base-url}') -%}
diff --git a/software/kvm/instance-kvm-export.cfg.jinja2 b/software/kvm/instance-kvm-export.cfg.jinja2
index f433b120152e08441d6274127782341365ff5f76..dd8a099e58d0a73bfb70d32c68eb905de23ce1b3 100644
--- a/software/kvm/instance-kvm-export.cfg.jinja2
+++ b/software/kvm/instance-kvm-export.cfg.jinja2
@@ -7,12 +7,15 @@ parts +=
   cron-entry-backup
 
   certificate-authority
+  certificate-authority-service
   publish-connection-information
   kvm-vnc-promise
   kvm-disk-image-corruption-promise
   websockify-sighandler
+  websockify-sighandler-service
   novnc-promise
   cron
+  cron-service
   frontend-promise
 # monitor parts
   monitor-base
diff --git a/software/kvm/instance-kvm.cfg.jinja2 b/software/kvm/instance-kvm.cfg.jinja2
index 3cfed1e13c000e9c8bed1a8f4e55f3769a14edef..ff0b3c59fb80a9045cd3fd8ee5b70045c3d11163 100644
--- a/software/kvm/instance-kvm.cfg.jinja2
+++ b/software/kvm/instance-kvm.cfg.jinja2
@@ -184,8 +184,13 @@ hash-files = ${buildout:directory}/software_release/buildout.cfg
 
 {% if use_nat == 'true' and nat_rule_list -%}
 {%   for port in nat_rule_list.split(' ') -%}
+{%     if ':' in port -%}
+{%       set proto, port = port.split(':') -%}
+{%     else -%}
+{%       set proto, port = 'tcp', port -%}
+{%     endif -%}
 {%     set external_port = 10000 + port|int() -%}
-{%     set section_name = '6tunnel-' ~ external_port -%}
+{%     set section_name = '6tunnel-' ~ proto ~ '-' ~ external_port -%}
 [{{ section_name }}]
 <= tunnel-6to4-base
 ipv4-port = {{ external_port }}
@@ -419,8 +424,13 @@ maximum-extra-disk-amount = {{ disk_number }}
 {%   if nat_rule_list -%}
 # Publish NAT port mapping status
 {%     for port in nat_rule_list.split(' ') -%}
+{%       if ':' in port -%}
+{%         set proto, port = port.split(':') -%}
+{%       else -%}
+{%         set proto, port = 'tcp', port -%}
+{%       endif -%}
 {%       set external_port = 10000 + port|int() -%}
-nat-rule-port-{{port}} = ${slap-network-information:global-ipv6} : ${6tunnel-{{external_port}}:ipv6-port}
+nat-rule-port-{{proto}}-{{port}} = ${slap-network-information:global-ipv6} : ${6tunnel-{{proto}}-{{external_port}}:ipv6-port}
 {%       if slapparameter_dict.get('publish-nat-url', False) -%}
 nat-rule-url-{{port}} = [${slap-network-information:global-ipv6}]:${6tunnel-{{external_port}}:ipv6-port}
 {%       endif -%}
diff --git a/software/kvm/software.cfg b/software/kvm/software.cfg
index 04c8d502e5726d5b1a2d41fb17f4615c3191bc98..b51e2e89467cf112c5c6b4d66e8e6522cbf6aaed 100644
--- a/software/kvm/software.cfg
+++ b/software/kvm/software.cfg
@@ -99,7 +99,7 @@ recipe = hexagonit.recipe.download
 ignore-existing = true
 url = ${:_profile_base_location_}/instance-kvm.cfg.jinja2
 mode = 644
-md5sum = 149df1bc788ce68c86a5fda4872e008e
+md5sum = 0668791e78430bafdec5300b4ea8d90a
 download-only = true
 on-update = true
 
@@ -108,7 +108,7 @@ recipe = hexagonit.recipe.download
 ignore-existing = true
 url = ${:_profile_base_location_}/instance-kvm-cluster.cfg.jinja2.in
 mode = 644
-md5sum = fa40e4729c27236c655f66966e43becf 
+md5sum = 1282296397d445ccae59e6de7915840c
 download-only = true
 on-update = true
 
@@ -144,7 +144,7 @@ recipe = hexagonit.recipe.download
 ignore-existing = true
 url = ${:_profile_base_location_}/instance-kvm-export.cfg.jinja2
 mode = 644
-md5sum = fbad91193be6ebde5fc4c05a38a55e7b
+md5sum = 00ce5e6da3c833d9d9d1825311f11a81
 download-only = true
 on-update = true
 
diff --git a/software/plantuml/software.cfg b/software/plantuml/software.cfg
index 46fe92a823b3521f02242ad16711015b2bd15635..8809dd3ede860bb4fe24140628626f7d010d8a04 100644
--- a/software/plantuml/software.cfg
+++ b/software/plantuml/software.cfg
@@ -31,9 +31,8 @@ output = ${buildout:directory}/${:_buildout_section_name_}
 
 [plantuml.war]
 recipe = slapos.recipe.build:download
-# XXX the war from sourceforge has no version in URL
-url = https://netcologne.dl.sourceforge.net/project/plantuml/plantuml.war#2018-10-21
-md5sum = f956cd28b18ec34740bb1757276f9641
+url = https://downloads.sourceforge.net/project/plantuml/1.2018.13/plantuml.1.2018.13.war
+md5sum = cda05c8163237de039d777c197b3d282
 
 [versions]
 slapos.recipe.template = 4.3
diff --git a/software/seleniumrunner/buildout.hash.cfg b/software/seleniumrunner/buildout.hash.cfg
index 8fd7aa08bc9dcd29cb892325d09a39c7d515e514..e5cca69f629f814b2999a9d9158eeadb27a0318d 100644
--- a/software/seleniumrunner/buildout.hash.cfg
+++ b/software/seleniumrunner/buildout.hash.cfg
@@ -15,8 +15,4 @@
 
 [template]
 filename = instance.cfg.in
-md5sum = c4ac5de141ae6a64848309af03e51d88
-
-[template-selenium]
-filename = instance-selenium.cfg.in
-md5sum = 4167621b473f81892d38389ac427c6ba
+md5sum = 1f31a063c79e19243dcc5508e08a6ae5
diff --git a/software/seleniumrunner/instance.cfg.in b/software/seleniumrunner/instance.cfg.in
index a672b5b982ddfa45925fd27818b688c1d67086f1..a63ec2fbc197525eabeba47f2df7d12d8e7a7804 100644
--- a/software/seleniumrunner/instance.cfg.in
+++ b/software/seleniumrunner/instance.cfg.in
@@ -1,20 +1,9 @@
 [buildout]
 parts =
-  switch-softwaretype
+# this sofware has no instance, it's only intended to make programs
+# available for erp5testnode from its software.
 
 eggs-directory = ${buildout:eggs-directory}
 develop-eggs-directory = ${buildout:develop-eggs-directory}
 offline = true
 
-[switch-softwaretype]
-recipe = slapos.cookbook:softwaretype
-default = ${template-selenium:output}
-
-[slap-connection]
-# part to migrate to new - separated words
-computer-id = $${slap_connection:computer_id}
-partition-id = $${slap_connection:partition_id}
-server-url = $${slap_connection:server_url}
-software-release-url = $${slap_connection:software_release_url}
-key-file = $${slap_connection:key_file}
-cert-file = $${slap_connection:cert_file}
diff --git a/software/seleniumrunner/software.cfg b/software/seleniumrunner/software.cfg
index a368d89c64a71e39d25d29261aad56b0b62a08a8..82c9345b6baffd7d082bf6e9cd555efd108d49f5 100644
--- a/software/seleniumrunner/software.cfg
+++ b/software/seleniumrunner/software.cfg
@@ -1,38 +1,25 @@
-# Selenium server
-# https://seleniumhq.github.io/docs/grid.html
+# Selenium runner, helper software for erp5testnode.
+#
+# Seleniumrunner responsability is to install Xvfb as
+# ${buildout:parts-directory}/xserver/bin/Xvfb, a default firefox as
+# ${buildout:bin-directory}/firefox and a geckodriver as
+# ${buildout:bin-directory}/geckodriver聽for erp5testnode.
 
 [buildout]
 extends =
    ../../component/xorg/buildout.cfg
-   ../../component/lxml-python/buildout.cfg
    ../../component/firefox/buildout.cfg
-   ../../component/chromium/buildout.cfg
-   ../../component/chromedriver/buildout.cfg
    ../../component/coreutils/buildout.cfg
-   ../../component/java/buildout.cfg
-   ../../component/caddy/buildout.cfg
-   ../../component/openssh/buildout.cfg
    ../../stack/slapos.cfg
    ./buildout.hash.cfg
 
 parts =
    slapos-cookbook
    template
+   xserver
    firefox-wrapper
    geckodriver
-# seleniumserver needs to install a default firefox as ${buildout:bin-directory}/firefox and
-# a geckodriver as ${buildout:bin-directory}/geckodriver聽for erp5testnode
 
-[instance-recipe]
-egg = slapos.cookbook
-module = seleniumrunner
-
-[selenium-server]
-recipe = slapos.recipe.build:download
-version = 3.14.0
-md5sum = 376450bd517510442b60018646deadfe
-filename = selenium-server-standalone-${:version}.jar
-url = https://selenium-release.storage.googleapis.com/3.14/${:filename}
 
 [macro-template]
 recipe = slapos.recipe.template
@@ -43,10 +30,6 @@ mode = 0644
 <= macro-template
 output = ${buildout:directory}/template.cfg
 
-[template-selenium]
-<= macro-template
-output = ${buildout:directory}/template-selenium.cfg
-
 [versions]
 plone.recipe.command = 1.1
 slapos.recipe.template = 4.3
diff --git a/software/seleniumrunner/test/README.md b/software/seleniumrunner/test/README.md
deleted file mode 100644
index 6dade517327d7b58f83fdeccbabc2dc1b820685f..0000000000000000000000000000000000000000
--- a/software/seleniumrunner/test/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Tests for SeleniumRunner software release
diff --git a/software/seleniumserver/buildout.hash.cfg b/software/seleniumserver/buildout.hash.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..8fd7aa08bc9dcd29cb892325d09a39c7d515e514
--- /dev/null
+++ b/software/seleniumserver/buildout.hash.cfg
@@ -0,0 +1,22 @@
+# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
+# The only allowed lines here are (regexes):
+# - "^#" comments, copied verbatim
+# - "^[" section beginings, copied verbatim
+# - lines containing an "=" sign which must fit in the following categorie.
+#   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
+#     Copied verbatim.
+#   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
+#     by the re-generation script.
+#     Re-generated.
+# - other lines are copied verbatim
+# Substitution (${...:...}), extension ([buildout] extends = ...) and
+# section inheritance (< = ...) are NOT supported (but you should really
+# not need these here).
+
+[template]
+filename = instance.cfg.in
+md5sum = c4ac5de141ae6a64848309af03e51d88
+
+[template-selenium]
+filename = instance-selenium.cfg.in
+md5sum = 4167621b473f81892d38389ac427c6ba
diff --git a/software/seleniumrunner/instance-selenium.cfg.in b/software/seleniumserver/instance-selenium.cfg.in
similarity index 100%
rename from software/seleniumrunner/instance-selenium.cfg.in
rename to software/seleniumserver/instance-selenium.cfg.in
diff --git a/software/seleniumserver/instance.cfg.in b/software/seleniumserver/instance.cfg.in
new file mode 100644
index 0000000000000000000000000000000000000000..a672b5b982ddfa45925fd27818b688c1d67086f1
--- /dev/null
+++ b/software/seleniumserver/instance.cfg.in
@@ -0,0 +1,20 @@
+[buildout]
+parts =
+  switch-softwaretype
+
+eggs-directory = ${buildout:eggs-directory}
+develop-eggs-directory = ${buildout:develop-eggs-directory}
+offline = true
+
+[switch-softwaretype]
+recipe = slapos.cookbook:softwaretype
+default = ${template-selenium:output}
+
+[slap-connection]
+# part to migrate to new - separated words
+computer-id = $${slap_connection:computer_id}
+partition-id = $${slap_connection:partition_id}
+server-url = $${slap_connection:server_url}
+software-release-url = $${slap_connection:software_release_url}
+key-file = $${slap_connection:key_file}
+cert-file = $${slap_connection:cert_file}
diff --git a/software/seleniumserver/software.cfg b/software/seleniumserver/software.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..e59c7e3834f57084fe571f7e81f20187f03629c8
--- /dev/null
+++ b/software/seleniumserver/software.cfg
@@ -0,0 +1,44 @@
+# Selenium server
+# https://seleniumhq.github.io/docs/grid.html
+
+[buildout]
+extends =
+   ../../component/xorg/buildout.cfg
+   ../../component/lxml-python/buildout.cfg
+   ../../component/firefox/buildout.cfg
+   ../../component/chromium/buildout.cfg
+   ../../component/chromedriver/buildout.cfg
+   ../../component/coreutils/buildout.cfg
+   ../../component/java/buildout.cfg
+   ../../component/caddy/buildout.cfg
+   ../../component/openssh/buildout.cfg
+   ../../stack/slapos.cfg
+   ./buildout.hash.cfg
+
+parts =
+   slapos-cookbook
+   template
+
+[selenium-server]
+recipe = slapos.recipe.build:download
+version = 3.14.0
+md5sum = 376450bd517510442b60018646deadfe
+filename = selenium-server-standalone-${:version}.jar
+url = https://selenium-release.storage.googleapis.com/3.14/${:filename}
+
+[macro-template]
+recipe = slapos.recipe.template
+url = ${:_profile_base_location_}/${:filename}
+mode = 0644
+
+[template]
+<= macro-template
+output = ${buildout:directory}/template.cfg
+
+[template-selenium]
+<= macro-template
+output = ${buildout:directory}/template-selenium.cfg
+
+[versions]
+plone.recipe.command = 1.1
+slapos.recipe.template = 4.3
diff --git a/software/seleniumserver/test/README.md b/software/seleniumserver/test/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..bb969a2f6934fceb0a3d38c1ac4e65bc27d45354
--- /dev/null
+++ b/software/seleniumserver/test/README.md
@@ -0,0 +1 @@
+Tests for SeleniumServer software release
diff --git a/software/seleniumrunner/test/setup.py b/software/seleniumserver/test/setup.py
similarity index 95%
rename from software/seleniumrunner/test/setup.py
rename to software/seleniumserver/test/setup.py
index 1bba558eb7a1be064a0268c0114904e4be39c4cf..53f5b09d1621bbfee82bb052dd30c058816ef66e 100644
--- a/software/seleniumrunner/test/setup.py
+++ b/software/seleniumserver/test/setup.py
@@ -27,12 +27,12 @@
 from setuptools import setup, find_packages
 
 version = '0.0.1.dev0'
-name = 'slapos.test.seleniumrunner'
+name = 'slapos.test.seleniumserver'
 long_description = open("README.md").read()
 
 setup(name=name,
       version=version,
-      description="Test for SlapOS' Seleniumrunner",
+      description="Test for SlapOS' Selenium Server",
       long_description=long_description,
       long_description_content_type='text/markdown',
       maintainer="Nexedi",
diff --git a/software/seleniumrunner/test/test.py b/software/seleniumserver/test/test.py
similarity index 100%
rename from software/seleniumrunner/test/test.py
rename to software/seleniumserver/test/test.py
diff --git a/software/seleniumrunner/test/utils.py b/software/seleniumserver/test/utils.py
similarity index 100%
rename from software/seleniumrunner/test/utils.py
rename to software/seleniumserver/test/utils.py
diff --git a/software/slapos-master/buildout.hash.cfg b/software/slapos-master/buildout.hash.cfg
index 48bdc6727f35e87f828c3b8fecb9e1194eb9302b..ee9c285b1a866f4f5e088649a5ee1926e3877f66 100644
--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
@@ -14,11 +14,11 @@
 # not need these here).
 [template-erp5]
 filename = instance-erp5.cfg.in
-md5sum = 6dfda47ff95a3fa768382d8002c8a780
+md5sum = a617197b7be3cc40d97a97c75f923a48
 
 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 3c7afbf160b943d2a10f527722792a23
+md5sum = 0f0ff00eca0b2ba1f1626b6415acb719
 
 [template-apache-backend-conf]
 filename = apache-backend.conf.in
diff --git a/software/slapos-master/instance-balancer.cfg.in b/software/slapos-master/instance-balancer.cfg.in
index 3686c549b831b3b850d71c759fd0af578bf4ab83..6b7efc28bd149308bb76c3175bd25c924944b725 100644
--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
@@ -3,7 +3,7 @@
 {% set caucase_url = slapparameter_dict.get('caucase-url', '') -%}
 {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 {% set use_ipv6 = slapparameter_dict.get('use-ipv6', False) -%}
-{% set shared_ca_path = slapparameter_dict['shared-certificate-authority-path'] -%}
+{% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%}
 {#
 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
 per partition. No more (undefined result), no less (IndexError).
@@ -104,6 +104,7 @@ ipv4 = {{ ipv4 }}
 {% for family_name, parameter_id_list in sorted(
   slapparameter_dict['zope-family-dict'].iteritems()) -%}
 {%   set zope_family_address_list = [] -%}
+{%   set ssl_authentication = slapparameter_dict['ssl-authentication-dict'].get(family_name, False) -%}
 {%   set has_webdav = [] -%}
 {%   for parameter_id in parameter_id_list -%}
 {%     set zope_address_list = slapparameter_dict[parameter_id] -%}
@@ -130,7 +131,7 @@ ipv6 = {{ zope_address.split(']:')[0][1:] }}
 {%       set test_runner_apache_url_list = [] %}
 {%       set test_runner_external_port = next_port() %}
 {%       for i, (test_runner_internal_ip, test_runner_internal_port) in
-             enumerate(slapparameter_dict[parameter_id ~ '-test-runner-address-list']) %}
+             enumerate(slapparameter_dict.get(parameter_id ~ '-test-runner-address-list', [])) %}
 {%         do test_runner_backend_mapping.__setitem__(
                 'unit_test_' ~ i,
                 'http://' ~ test_runner_internal_ip ~ ':' ~ test_runner_internal_port ) %}
@@ -162,7 +163,6 @@ ipv6 = {{ zope_address.split(']:')[0][1:] }}
 {%     set internal_scheme = 'http' -%}
 {%     set external_scheme = 'https' -%}
 {%   endif -%}
-{%   set ssl_authentication = slapparameter_dict['ssl-authentication-dict'].get(family_name, False) -%}
 {%   do apache_dict.__setitem__(family_name, (next_port(), external_scheme, internal_scheme ~ '://' ~ ipv4 ~ ':' ~ haproxy_port ~ backend_path, ssl_authentication)) -%}
 {% endfor -%}
 
@@ -330,6 +330,12 @@ newcerts = ${:ca-dir}/newcerts
 crl = ${:ca-dir}/crl
 apachedex = ${monitor-directory:private}/apachedex
 
+[{{ section('resiliency-exclude-file') }}]
+# Generate rdiff exclude file in case of resiliency
+< = jinja2-template-base
+template = {{ 'inline:{{ "${directory:log}/**\\n" }}' }}
+rendered = ${directory:srv}/exporter.exclude
+
 [{{ section('monitor-generate-apachedex-report') }}]
 recipe = slapos.cookbook:cron.d
 cron-entries = ${cron:cron-entries}
diff --git a/software/slapos-master/instance-erp5.cfg.in b/software/slapos-master/instance-erp5.cfg.in
index 2350cf65b1934ddb4e5452836da23d92b9188c73..306443ddc9c7400c333ee45980d2bcb650300a71 100644
--- a/software/slapos-master/instance-erp5.cfg.in
+++ b/software/slapos-master/instance-erp5.cfg.in
@@ -195,7 +195,9 @@ config-longrequest-logger-timeout = {{ dumps(zope_parameter_dict.get('longreques
 config-large-file-threshold = {{ dumps(zope_parameter_dict.get('large-file-threshold', "10MB")) }}
 config-port-base = {{ dumps(zope_parameter_dict.get('port-base', 2200)) }}
 config-webdav = {{ dumps(zope_parameter_dict.get('webdav', False)) }}
+{%   if test_runner_enabled -%}
 config-test-runner-apache-url-list = ${publish-early:{{ zope_family }}-test-runner-url-list}
+{%   endif -%}
 {% endfor -%}
 
 {# if not explicitly configured, connect jupyter to first zope family, which  -#}
@@ -365,9 +367,11 @@ hosts-dict = {{ '${' ~ zope_address_list_id_dict.keys()[0] ~ ':connection-hosts-
 {% for name, value in publish_dict.items() -%}
 {{   name }} = {{ value }}
 {% endfor -%}
-{% for zope_family_name in zope_family_name_list -%}
+{% if test_runner_enabled -%}
+{%   for zope_family_name in zope_family_name_list -%}
 {{ zope_family_name }}-test-runner-url-list = ${request-balancer:connection-{{ zope_family_name }}-test-runner-url-list}
-{% endfor -%}
+{%   endfor -%}
+{% endif -%}
 
 
 [publish-early]
@@ -378,9 +382,11 @@ recipe = slapos.cookbook:publish-early
 {%- if has_posftix %}
   smtpd-sasl-password gen-smtpd-sasl-password:passwd
 {%- endif %}
-{% for zope_family_name in zope_family_name_list %}
+{% if test_runner_enabled -%}
+{%   for zope_family_name in zope_family_name_list %}
   {{ zope_family_name }}-test-runner-url-list default-balancer-test-runner-url-list:default
-{% endfor -%}
+{%   endfor -%}
+{% endif -%}
 {%- if neo %}
   neo-cluster gen-neo-cluster:name
 {%-  if neo[0] %}
diff --git a/software/slapos-testing/software.cfg b/software/slapos-testing/software.cfg
index 20660fde7317d887a351d2e4d373da09a326c480..a98ac097f9eff5390649cb177f21c686193c9ad5 100644
--- a/software/slapos-testing/software.cfg
+++ b/software/slapos-testing/software.cfg
@@ -38,6 +38,7 @@ setup = ${caucase-repository:location}
 <= setup-develop-egg
 egg = kedifa
 setup = ${kedifa-repository:location}
+depends = ${caucase-setup:egg}
 
 [slapos.libnetworkcache-setup]
 <= setup-develop-egg
diff --git a/software/slaprunner/buildout.hash.cfg b/software/slaprunner/buildout.hash.cfg
index 7b9b0488172024890a286140c3984243d517a9f5..1241c7b099d37596e95e129a7d456801c9789358 100644
--- a/software/slaprunner/buildout.hash.cfg
+++ b/software/slaprunner/buildout.hash.cfg
@@ -18,7 +18,7 @@ md5sum = f0cab61c7b8478afb8b676fc725d50d5
 
 [template-runner]
 filename = instance-runner.cfg
-md5sum = cd855670076979919c0fd00cc0f5938c
+md5sum = d9096d49eda70f3aa02c44615077f6c9
 
 [template-runner-import-script]
 filename = template/runner-import.sh.jinja2
@@ -26,11 +26,11 @@ md5sum = ed2e08c07a6727b2012f15da67c0705d
 
 [instance-runner-import]
 filename = instance-runner-import.cfg.in
-md5sum = 2d516c6f1337efb7def32771c2eabc2b
+md5sum = 1ed9526a6e5ac9a80e5b3add2d0a88fe
 
 [instance-runner-export]
 filename = instance-runner-export.cfg.in
-md5sum = 01395b98534066ec23a5ad5c96d5f1e7
+md5sum = 8132130c89896c2d30a08f3b3a7000ff
 
 [template-resilient]
 filename = instance-resilient.cfg.jinja2
diff --git a/software/slaprunner/instance-runner-export.cfg.in b/software/slaprunner/instance-runner-export.cfg.in
index 27fd5a0f4c9ceae0a223974322d4a4449e07ef6f..8c1537a08255564d9f74b5a9ef6b6d8d31960816 100644
--- a/software/slaprunner/instance-runner-export.cfg.in
+++ b/software/slaprunner/instance-runner-export.cfg.in
@@ -23,6 +23,7 @@ parts +=
   runner-sshkeys-authority
   runner-sshkeys-authority-service
   runner-sshkeys-sshd
+  runner-sshkeys-sshd-service
   runtestsuite
   symlinks
   shellinabox
diff --git a/software/slaprunner/instance-runner-import.cfg.in b/software/slaprunner/instance-runner-import.cfg.in
index df4a8ae0b88cbeff9fa28f5ac0317c87340a6eb7..79209ab645230243fc38937cf282b0939bc8e7db 100644
--- a/software/slaprunner/instance-runner-import.cfg.in
+++ b/software/slaprunner/instance-runner-import.cfg.in
@@ -19,6 +19,7 @@ parts +=
   runner-sshkeys-authority
   runner-sshkeys-authority-service
   runner-sshkeys-sshd
+  runner-sshkeys-sshd-service
   runtestsuite
   shellinabox
   shellinabox-service
diff --git a/software/slaprunner/instance-runner.cfg b/software/slaprunner/instance-runner.cfg
index 9ba6272d7f38afe302ad2a9dd78c8a2a91de7dfd..f091d00bf59be534ead9ac26456786a937c81f01 100644
--- a/software/slaprunner/instance-runner.cfg
+++ b/software/slaprunner/instance-runner.cfg
@@ -703,8 +703,6 @@ rendered = $${directory:bin}/shellinaboxd
 template = inline:
   #!/bin/sh
   exec ${shellinabox:location}/bin/shellinaboxd \
-    --disable-ssl \
-    --disable-ssl-menu \
     --unixdomain-only=$${:socket}:$(id -u):$(id -g):0600 \
     --service "/:$(id -u):$(id -g):HOME:$${shell-environment:shell} -l"
 
diff --git a/software/unstable/MediaWiki/software.cfg b/software/unstable/MediaWiki/software.cfg
index 4e90c6eca4c6a608efec036998d3941208bc5a26..00402837d9d6fd9c6d8cf5869f4f418ba066b742 100644
--- a/software/unstable/MediaWiki/software.cfg
+++ b/software/unstable/MediaWiki/software.cfg
@@ -60,68 +60,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/b2evolution/software.cfg b/software/unstable/b2evolution/software.cfg
index 474c59fc96b04f2f33705f0ee7ee8f1726858b0a..ef2c9ae75e22b455c5fe4ed7b7706b4d5071a040 100644
--- a/software/unstable/b2evolution/software.cfg
+++ b/software/unstable/b2evolution/software.cfg
@@ -45,68 +45,8 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
 
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.6
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/cmsmadesimple/software.cfg b/software/unstable/cmsmadesimple/software.cfg
index 26daf0545fac1ecad28c3371d5d575e0b757e30f..a0415300d943dea67e3d1b924039d1a31f3e7c1b 100644
--- a/software/unstable/cmsmadesimple/software.cfg
+++ b/software/unstable/cmsmadesimple/software.cfg
@@ -44,68 +44,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/coppermine/software.cfg b/software/unstable/coppermine/software.cfg
index f5cd700501ca6c3975a0832b2d44b1aeaa8b3071..615e64475f0b87c61fa7afcdda252af0f1e67c8e 100644
--- a/software/unstable/coppermine/software.cfg
+++ b/software/unstable/coppermine/software.cfg
@@ -55,68 +55,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/dotclear/software.cfg b/software/unstable/dotclear/software.cfg
index 4c2daf0ce9792b54abeb9a58bc40a019993d0c6d..38ceb763f866e665e1c6060c9ef821416630a02b 100644
--- a/software/unstable/dotclear/software.cfg
+++ b/software/unstable/dotclear/software.cfg
@@ -55,68 +55,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/dotproject/software.cfg b/software/unstable/dotproject/software.cfg
index abb11a96364776e1493563fd13d866a1f58c76b4..e5596e0c3e35c2f4fb316bacb03a3283a4091dbd 100644
--- a/software/unstable/dotproject/software.cfg
+++ b/software/unstable/dotproject/software.cfg
@@ -55,68 +55,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/eSKUeL/software.cfg b/software/unstable/eSKUeL/software.cfg
index 5e467d3c0362fe052f1213046f5e39689e80b74d..a77fcc5a6ca91d86adadd7c22b3a1704ad8e0b9a 100644
--- a/software/unstable/eSKUeL/software.cfg
+++ b/software/unstable/eSKUeL/software.cfg
@@ -44,68 +44,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.6
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/lxc/software.cfg b/software/unstable/lxc/software.cfg
index 9283ef30f137605b72ff88fd9cda81dbeda47ac3..2887204db4978f174266328e35c81f1e3bb9410c 100644
--- a/software/unstable/lxc/software.cfg
+++ b/software/unstable/lxc/software.cfg
@@ -65,8 +65,3 @@ eggs =
   slapos.toolbox
 
 [versions]
-
-# if you upgrade to >1.0.29 this recipe may break
-# as slapos.cookbook:downloader was removed.
-slapos.cookbook = 0.64.1
-slapos.toolbox = 0.30
diff --git a/software/unstable/magento/software.cfg b/software/unstable/magento/software.cfg
index d353960d6574deccebac7f82a4240cf03c4ef9d0..e1684c0412e408718f5331f568fb2ec339ead7dd 100644
--- a/software/unstable/magento/software.cfg
+++ b/software/unstable/magento/software.cfg
@@ -43,68 +43,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.6
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/net2ftp/software.cfg b/software/unstable/net2ftp/software.cfg
index c09d6880a95f87c0f322504f23d22963fbf06b31..04c2d8c8a1e08b44030540b1fe90fc19165ca7c0 100644
--- a/software/unstable/net2ftp/software.cfg
+++ b/software/unstable/net2ftp/software.cfg
@@ -68,68 +68,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.6
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/openX/software.cfg b/software/unstable/openX/software.cfg
index 295e3014cd0d190938ef6835f3541902da295886..21834636a265b492f2d65ca586386371fac92503 100644
--- a/software/unstable/openX/software.cfg
+++ b/software/unstable/openX/software.cfg
@@ -44,68 +44,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.6
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/os-commerce/software.cfg b/software/unstable/os-commerce/software.cfg
index dccb79d4a8f4c92b0d0d706a091266801f3c9064..65c78f454a0b34a52070bf6f7159a11b2bbef4b9 100644
--- a/software/unstable/os-commerce/software.cfg
+++ b/software/unstable/os-commerce/software.cfg
@@ -45,68 +45,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.6
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/phpbb/software.cfg b/software/unstable/phpbb/software.cfg
index 8490b04b0add6ac737a077c4ad0423feb1959cc7..0d47e99ba707731a15a84b48e24f8d572cf138fb 100644
--- a/software/unstable/phpbb/software.cfg
+++ b/software/unstable/phpbb/software.cfg
@@ -47,68 +47,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/phpmyadmin/software.cfg b/software/unstable/phpmyadmin/software.cfg
index 9a283b123ca0df60d2726dcf353d0d62899190fc..f67fef7f76879cce5b29876b0b4af869f70b6c35 100644
--- a/software/unstable/phpmyadmin/software.cfg
+++ b/software/unstable/phpmyadmin/software.cfg
@@ -55,68 +55,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/phpnuke/software.cfg b/software/unstable/phpnuke/software.cfg
index 89d37088daf2a1b24185c31aeb0c9a72f84c5081..9bf9f8399393b6bf44879f3170464ba5291941cb 100644
--- a/software/unstable/phpnuke/software.cfg
+++ b/software/unstable/phpnuke/software.cfg
@@ -56,68 +56,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/pimcore/software.cfg b/software/unstable/pimcore/software.cfg
index 99ad19ddd9996e26b5ecaf4d376b1520c9fa8ba9..61a3287eb656c64b6bb89c707586cd1f0a7fa3cc 100644
--- a/software/unstable/pimcore/software.cfg
+++ b/software/unstable/pimcore/software.cfg
@@ -44,68 +44,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/piwigo/software.cfg b/software/unstable/piwigo/software.cfg
index 5ac62e7755dc3c5de208840ce639a4ee91639e7a..e9c1b9b88f574aca78ddc7938776c6f644dd54b6 100644
--- a/software/unstable/piwigo/software.cfg
+++ b/software/unstable/piwigo/software.cfg
@@ -56,68 +56,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/piwik/software.cfg b/software/unstable/piwik/software.cfg
index 9990997a4bcd532da5e231f7dee8ba3a4e04a4b1..2ca5937839bd53a8b8ebaff5b474f32ef2851f08 100644
--- a/software/unstable/piwik/software.cfg
+++ b/software/unstable/piwik/software.cfg
@@ -46,68 +46,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/prestashop/software.cfg b/software/unstable/prestashop/software.cfg
index 006f0866e6d9e78c41e668138ac06f1844ed0502..bb8edf1e0d58ca3b89d78c95646e359492e1911a 100644
--- a/software/unstable/prestashop/software.cfg
+++ b/software/unstable/prestashop/software.cfg
@@ -47,68 +47,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/punbb/software.cfg b/software/unstable/punbb/software.cfg
index cbf4bc05c9b7b5409b109a1b807a9a07f322ac1f..b05c5e31f766571dc9d2420a67d97a022c04d037 100644
--- a/software/unstable/punbb/software.cfg
+++ b/software/unstable/punbb/software.cfg
@@ -55,68 +55,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/simpleMachineForum/software.cfg b/software/unstable/simpleMachineForum/software.cfg
index c9349fcf96bd20223b1dc6809b75cbda8f0322a3..b168988bd44f32a690c0458fad7585e66d762526 100644
--- a/software/unstable/simpleMachineForum/software.cfg
+++ b/software/unstable/simpleMachineForum/software.cfg
@@ -45,68 +45,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/spip/software.cfg b/software/unstable/spip/software.cfg
index 39477c2520ca336e057a114d9ed4da1d354e2d91..e23f84da06c3b5f2f3ca4d0c04bcd62e81fee90e 100644
--- a/software/unstable/spip/software.cfg
+++ b/software/unstable/spip/software.cfg
@@ -44,68 +44,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/statusnet/software.cfg b/software/unstable/statusnet/software.cfg
index 29e208d74c7f9b54042b47378da5b23fb3ecdfbb..09dad6357d4d34c9572c9604b4806e1c10379715 100644
--- a/software/unstable/statusnet/software.cfg
+++ b/software/unstable/statusnet/software.cfg
@@ -44,68 +44,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/sugar-crm/software.cfg b/software/unstable/sugar-crm/software.cfg
index 76f6591fb3aeaf393ea4ef74eec5d61d370d8975..9582525ebad8b5e8420a07042529e0a364d5685a 100644
--- a/software/unstable/sugar-crm/software.cfg
+++ b/software/unstable/sugar-crm/software.cfg
@@ -44,68 +44,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/tiki/software.cfg b/software/unstable/tiki/software.cfg
index a310a089cb0381bb8f138581efecf057feff3aa8..9ade9a5ff6118950e49bfe5a6e460674b2f0e74e 100644
--- a/software/unstable/tiki/software.cfg
+++ b/software/unstable/tiki/software.cfg
@@ -44,68 +44,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/trac-svn/software.cfg b/software/unstable/trac-svn/software.cfg
index f680ad91344ddaf3629b6e6e2e489e65856fe7c1..0126a802f28bf19947ae455e635fe8790909f4ba 100644
--- a/software/unstable/trac-svn/software.cfg
+++ b/software/unstable/trac-svn/software.cfg
@@ -179,22 +179,6 @@ gitdb = 0.5.4
 plone.recipe.command = 1.1
 pycrypto = 2.6
 slapos.recipe.template = 2.4.2
-slapos.toolbox = 0.34.0
 smmap = 0.8.2
 z3c.recipe.scripts = 1.0.1
 
-# Required by:
-# slapos.toolbox==0.34.0
-GitPython = 0.3.2.RC1
-
-# Required by:
-# slapos.toolbox==0.34.0
-atomize = 0.1.1
-
-# Required by:
-# slapos.toolbox==0.34.0
-feedparser = 5.1.3
-
-# Required by:
-# slapos.toolbox==0.34.0
-paramiko = 1.10.1
diff --git a/software/unstable/xoops/software.cfg b/software/unstable/xoops/software.cfg
index c09259c72d61cc58450604fd92590d66c6acfe52..3977ccbda9194b591c64b2479ce12b71ad948fed 100644
--- a/software/unstable/xoops/software.cfg
+++ b/software/unstable/xoops/software.cfg
@@ -45,68 +45,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.5
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/zencart/software.cfg b/software/unstable/zencart/software.cfg
index 6c63efd73e2a52ac6fb09875ac2c1acb2a513f3b..e4cd146e294a506c037c7a14cf12923c58f53ef4 100644
--- a/software/unstable/zencart/software.cfg
+++ b/software/unstable/zencart/software.cfg
@@ -57,68 +57,7 @@ buildout-versions = 1.7
 hexagonit.recipe.cmmi = 1.5.0
 meld3 = 0.6.7
 plone.recipe.command = 1.1
-slapos.cookbook = 0.34
-slapos.recipe.build = 0.7
 slapos.recipe.template = 2.2
-slapos.toolbox = 0.10
-
-# Required by:
-# slapos.core==0.18
-# slapos.toolbox==0.10
-Flask = 0.8
-
-# Required by:
-# slapos.cookbook==0.34
-PyXML = 0.8.4
-
-# Required by:
-# hexagonit.recipe.cmmi==1.5.0
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.core==0.18
-# slapos.toolbox==0.10
-# xml-marshaller==0.9.7
-lxml = 2.3.1
-
-# Required by:
-# slapos.cookbook==0.34
-netaddr = 0.7.6
-
-# Required by:
-# slapos.core==0.18
-netifaces = 0.6
-
-# Required by:
-# slapos.toolbox==0.10
-paramiko = 1.7.7.1
-
-# Required by:
-# slapos.toolbox==0.10
-psutil = 0.3.0
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-slapos.core = 0.18
-
-# Required by:
-# slapos.core==0.18
-supervisor = 3.0a10
-
-# Required by:
-# slapos.cookbook==0.34
-# slapos.toolbox==0.10
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.cookbook==0.34
-zc.recipe.egg = 1.3.2
-
-# Required by:
-# slapos.core==0.18
-zope.interface = 3.8.0
 
 [downloadcache-workaround]
 # workaround irritating problem of hexagonit.recipe.cmmi which automatically
diff --git a/software/unstable/zimbra-kvm/software.cfg b/software/unstable/zimbra-kvm/software.cfg
index 0ae6e98ea2b84d1919b1ba96a927409543fc8200..798bc4e7d8838a137727bd9c274ea3248321b629 100644
--- a/software/unstable/zimbra-kvm/software.cfg
+++ b/software/unstable/zimbra-kvm/software.cfg
@@ -14,79 +14,8 @@ lxml = 3.1.0
 meld3 = 0.6.10
 plone.recipe.command = 1.1
 pycrypto = 2.6
-slapos.cookbook = 0.73.1
 slapos.recipe.template = 2.4.2
-slapos.toolbox = 0.33.1
 smmap = 0.8.2
 websockify = 0.3.0
 z3c.recipe.scripts = 1.0.1
 
-# Required by:
-# slapos.core==0.35.1
-# slapos.toolbox==0.33.1
-Flask = 0.9
-
-# Required by:
-# slapos.toolbox==0.33.1
-GitPython = 0.3.2.RC1
-
-# Required by:
-# slapos.toolbox==0.33.1
-atomize = 0.1.1
-
-# Required by:
-# slapos.toolbox==0.33.1
-feedparser = 5.1.3
-
-# Required by:
-# hexagonit.recipe.cmmi==1.6
-hexagonit.recipe.download = 1.6nxd002
-
-# Required by:
-# slapos.cookbook==0.73.1
-
-# Required by:
-# slapos.cookbook==0.73.1
-netaddr = 0.7.10
-
-# Required by:
-# slapos.core==0.35.1
-netifaces = 0.10.4
-
-# Required by:
-# slapos.toolbox==0.33.1
-paramiko = 1.10.0
-
-# Required by:
-# slapos.toolbox==0.33.1
-psutil = 0.6.1
-
-# Required by:
-# slapos.core==0.35.1
-pyflakes = 0.6.1
-
-# Required by:
-# slapos.cookbook==0.73.1
-pytz = 2012j
-
-# Required by:
-# slapos.cookbook==0.73.1
-# slapos.toolbox==0.33.1
-slapos.core = 0.35.1
-
-# Required by:
-# slapos.core==0.35.1
-supervisor = 3.0b1
-
-# Required by:
-# slapos.core==0.35.1
-unittest2 = 0.5.1
-
-# Required by:
-# slapos.cookbook==0.73.1
-# slapos.toolbox==0.33.1
-xml-marshaller = 0.9.7
-
-# Required by:
-# slapos.core==0.35.1
-zope.interface = 4.0.5
\ No newline at end of file
diff --git a/stack/erp5/buildout.cfg b/stack/erp5/buildout.cfg
index 392700b180e9465249884513258089f735bd3c1b..9f7514a984c6fa6cc4bded1c988e84d9f8efcd39 100644
--- a/stack/erp5/buildout.cfg
+++ b/stack/erp5/buildout.cfg
@@ -407,10 +407,8 @@ initialization =
   parts_directory = '''${buildout:parts-directory}'''
   repository_id_list = \
     '''${erp5_repository_list:repository_id_list}'''.split()[::-1]
-  os.environ['erp5_tests_bt5_path'] = ','.join(sum((
-    [bt5_path, os.path.join(bt5_path, '*')]
-    for bt5_path in (os.path.join(parts_directory, x, 'bt5')
-                     for x in repository_id_list)), []))
+  os.environ['erp5_tests_bt5_path'] = ','.join(
+    os.path.join(parts_directory, x, 'bt5') for x in repository_id_list)
   extra_path_list = '''${:extra-paths}'''.split()
   sys.path[:0] = sum((
     glob.glob(os.path.join(x, 'tests'))
diff --git a/stack/slapos.cfg b/stack/slapos.cfg
index 3c7aec154bc2f4ad07724871681a6533b8ba9aac..e485512d3065c11d0bb41cbdba8c5a62949a6daa 100644
--- a/stack/slapos.cfg
+++ b/stack/slapos.cfg
@@ -135,13 +135,13 @@ pytz = 2016.10
 requests = 2.13.0
 six = 1.11.0
 slapos.cookbook = 1.0.75
-slapos.core = 1.4.13
+slapos.core = 1.4.14
 slapos.extension.strip = 0.4
 slapos.extension.shared = 1.0
 slapos.libnetworkcache = 0.16
 slapos.rebootstrap = 4.1
-slapos.recipe.build = 0.39
-slapos.recipe.cmmi = 0.8
+slapos.recipe.build = 0.40
+slapos.recipe.cmmi = 0.10
 slapos.toolbox = 0.83
 stevedore = 1.21.0
 unicodecsv = 0.14.1