diff --git a/tests/testproxy/GNUmakefile b/tests/testproxy/GNUmakefile
index f074825..a641e51 100644
--- a/tests/testproxy/GNUmakefile
+++ b/tests/testproxy/GNUmakefile
@@ -22,11 +22,15 @@ buildlp:
 test: SSL_PROTOS=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "SSL/TLS protocol availability")
 test: TLS11=$(findstring tls11,$(SSL_PROTOS))
 test: TLS13=$(findstring tls13,$(SSL_PROTOS))
+test: OPENSSL=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "compiled against OpenSSL")
+test: OPENSSL3=$(findstring "OpenSSL 3.",$(OPENSSL))
 test: SSLPROXY_CONF=$(if $(TLS13),sslproxy.conf,sslproxy_no_tls13.conf)
 test: SSLPROXY_CONF:=$(if $(TLS11),$(SSLPROXY_CONF),sslproxy_no_tls11.conf)
+test: SSLPROXY_CONF:=$(if $(OPENSSL3),$(SSLPROXY_CONF),sslproxy_openssl3.conf)
 test: SSLPROXY_COMMAND=$(PROJECT_ROOT)/src/sslproxy -f $(SSLPROXY_CONF) -o Debug=no -o Daemon=yes -o User=nobody
 test: TESTHARNESS=$(if $(TLS13),testharness.json,testharness_no_tls13.json)
 test: TESTHARNESS:=$(if $(TLS11),$(TESTHARNESS),testharness_no_tls11.json)
+test: TESTHARNESS:=$(if $(OPENSSL3),$(TESTHARNESS),testharness_openssl3.json)
 #test: SKIP_TESTHARNESS=2
 test: buildsslproxy buildlp
 	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody
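Review bot: The new OPENSSL3 line can never match: in Make, double quotes are ordinary characters, so `$(findstring "OpenSSL 3.",$(OPENSSL))` searches for the quote characters themselves, and unless the `sslproxy -V` output contains them OPENSSL3 stays empty and both `$(if $(OPENSSL3),…)` lines always select `sslproxy_openssl3.conf` and `testharness_openssl3.json` whatever OpenSSL the binary was built against; it should read `test: OPENSSL3=$(findstring OpenSSL 3.,$(OPENSSL))`. Once it does match, the branch order looks inverted if the `*_openssl3` fixtures are meant for OpenSSL 3 builds, as their names suggest: the TLS11/TLS13 lines fall back to a `*_no_tls*` file when the protocol is absent, whereas these fall back to the `*_openssl3` file when OpenSSL 3 is absent, so `test: SSLPROXY_CONF:=$(if $(OPENSSL3),sslproxy_openssl3.conf,$(SSLPROXY_CONF))` and `test: TESTHARNESS:=$(if $(OPENSSL3),testharness_openssl3.json,$(TESTHARNESS))` would be the intended form. The test_split hunk below adds the same lines and needs the same fix. As a minor point, the new OPENSSL variable spawns `sslproxy -V` a second time on every expansion; grepping both strings out of one captured `-V` output would avoid that, and the `test` recipe continues past the end of this hunk.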
@@ -38,11 +42,15 @@ test: buildsslproxy buildlp
 test_split: SSL_PROTOS=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "SSL/TLS protocol availability")
 test_split: TLS11=$(findstring tls11,$(SSL_PROTOS))
 test_split: TLS13=$(findstring tls13,$(SSL_PROTOS))
+test_split: OPENSSL=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "compiled against OpenSSL")
+test_split: OPENSSL3=$(findstring "OpenSSL 3.",$(OPENSSL))
 test_split: SSLPROXY_CONF=$(if $(TLS13),sslproxy.conf,sslproxy_no_tls13.conf)
 test_split: SSLPROXY_CONF:=$(if $(TLS11),$(SSLPROXY_CONF),sslproxy_no_tls11.conf)
+test_split: SSLPROXY_CONF:=$(if $(OPENSSL3),$(SSLPROXY_CONF),sslproxy_openssl3.conf)
 test_split: SSLPROXY_COMMAND=$(PROJECT_ROOT)/src/sslproxy -n -f $(SSLPROXY_CONF) -o Debug=no -o Daemon=yes -o User=nobody
 test_split: TESTHARNESS=$(if $(TLS13),testharness_split.json,testharness_split_no_tls13.json)
 test_split: TESTHARNESS:=$(if $(TLS11),$(TESTHARNESS),testharness_split_no_tls11.json)
+test_split: TESTHARNESS:=$(if $(OPENSSL3),$(TESTHARNESS),testharness_split_openssl3.json)
 test_split: buildsslproxy buildlp
 	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody
 	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) $(SSLPROXY_COMMAND)
diff --git a/tests/testproxy/sslproxy_openssl3.conf b/tests/testproxy/sslproxy_openssl3.conf
new file mode 100644
index 0000000..c1d1190
--- /dev/null
+++ b/tests/testproxy/sslproxy_openssl3.conf
@@ -0,0 +1,1757 @@
+# TestProxy test configuration for sslproxy v0.9.4
+
+# Global options
+#User _sslproxy
+#Group _sslproxy
+#Chroot /var/run/sslproxy
+PidFile /var/run/sslproxy.pid
+#Daemon yes
+Debug yes
+DebugLevel 4
+#OpenFilesLimit 1024
+#LeafKey /etc/sslproxy/leaf.key
+#LeafKeyRSABits 2048
+#LeafCertDir /etc/sslproxy/leaf.d
+#DefaultLeafCert /etc/sslproxy/leaf.pem
+#WriteGenCertsDir /var/log/sslproxy
+#WriteAllCertsDir /var/log/sslproxy
+#OpenSSLEngine cloudhsm
+#ConnectLog /var/log/sslproxy/connect.log
+#ContentLog /var/log/sslproxy/content.log
+#ContentLogDir /var/log/sslproxy/content
+#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
+#LogProcInfo yes
+#PcapLog /var/log/sslproxy/content.pcap
+#PcapLogDir /var/log/sslproxy/pcap
+#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
+#MirrorIf lo
+#MirrorTarget 192.0.2.1
+#MasterKeyLog /var/log/sslproxy/masterkeys.log
+LogStats yes
+StatsPeriod 1
+ConnIdleTimeout 120
+ExpiredConnCheckPeriod 10
+UserDBPath users.db
+
+# Default ProxySpec options (cloned to each proxyspec)
+CACert ca.crt
+CAKey ca.key
+#ClientCert /etc/sslproxy/client.crt
+#ClientKey /etc/sslproxy/client.key
+#CAChain /etc/sslproxy/chain.crt
+#LeafCRLURL http://example.com/example.crl
+#DenyOCSP yes
+#Passthrough yes
+#DHGroupParams /etc/sslproxy/dh.pem
+#ECDHCurve prime256v1
+#SSLCompression no
+#ForceSSLProto tls12
+#DisableSSLProto tls10
+#EnableSSLProto tls10
+#MinSSLProto tls10
+#MaxSSLProto tls13
+#Ciphers MEDIUM:HIGH
+#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#NATEngine netfilter
+#RemoveHTTPAcceptEncoding no
+#RemoveHTTPReferer yes
+VerifyPeer no
+#AllowWrongHost no
+#UserAuth no
+#UserTimeout 300
+#UserAuthURL https://192.168.0.1/userdblogin.php
+#ValidateProto no
+#MaxHTTPHeaderSize 8192
+#PassSite example.com
+#PassSite example.com 192.168.0.1
+#PassSite example.com soner
+#PassSite *.google.com * android
+#Divert yes
+
+# Tests for tcp connection over ssl proxyspec
+ProxySpec https 127.0.0.1 8441 up:8080 127.0.0.1 9441
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8442
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9442
+ ValidateProto yes
+}
+
+# Tests for ssl connection on tcp proxyspec
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8183
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9183
+ ValidateProto yes
+}
+
+# Tests for HTTP GET method validation
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8184
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9184
+ ValidateProto yes
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8444
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9444
+ ValidateProto yes
+}
+
+# Tests for HTTP POST method validation
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8185
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9185
+ ValidateProto yes
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8445
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9445
+ ValidateProto yes
+}
+
+# Tests for SSL configuration
+ProxySpec https 127.0.0.1 8443 up:8080 127.0.0.1 9443
+# Tests for SSL configuration: tls10 only
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8449
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9449
+ ForceSSLProto tls10
+}
+# Tests for SSL configuration: tls11 only
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8450
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9450
+ ForceSSLProto tls11
+}
+# Tests for SSL configuration: tls12 only
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8451
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9451
+ ForceSSLProto tls12
+}
+# Tests for SSL configuration: tls13 only
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8462
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9462
+ ForceSSLProto tls13
+ CipherSuites TLS_CHACHA20_POLY1305_SHA256
+}
+# Tests for SSL configuration: Rejects unsupported SSL/TLS proto
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8452
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9452
+ ForceSSLProto tls10
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8453
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9453
+ ForceSSLProto tls12
+}
+
+# Tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer
+ProxySpec http 127.0.0.1 8180 up:8080 127.0.0.1 9180
+ProxySpec https 127.0.0.1 8446 up:8080 127.0.0.1 9446
+
+# Tests for HTTP response headers: Public-Key-Pins, Public-Key-Pins-Report-Only, Strict-Transport-Security, Expect-CT, Alternate-Protocol, Upgrade, OCSP request
+ProxySpec http 127.0.0.1 8181 up:8080 127.0.0.1 9181
+ProxySpec https 127.0.0.1 8447 up:8080 127.0.0.1 9447
+
+# Tests for HTTP response headers: Deny OCSP request, remove Accept-Encoding, and do not remove Referer
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8186
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9186
+ DenyOCSP yes
+ RemoveHTTPAcceptEncoding yes
+ RemoveHTTPReferer no
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8448
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9448
+ DenyOCSP yes
+ RemoveHTTPAcceptEncoding yes
+ RemoveHTTPReferer no
+}
+
+# Tests for Passthrough
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8454
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9454
+ Passthrough yes
+ VerifyPeer yes
+}
+
+# Tests for VerifyPeer
+ProxySpec https 127.0.0.1 8455 up:8080 127.0.0.1 9455
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8456
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9456
+ VerifyPeer yes
+}
+
+# Tests for CACert/CAKey
+ProxySpec https 127.0.0.1 8457 up:8080 127.0.0.1 9457
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8458
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9458
+ CACert ca2.crt
+ CAKey ca2.key
+}
+
+# Tests for UserAuth
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8187
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9187
+ UserAuth yes
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8459
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9459
+ UserAuth yes
+}
+
+# Tests for POP3
+ProxySpec {
+ Proto pop3
+ Addr 127.0.0.1
+ Port 8188
+ DivertPort 8110
+ TargetAddr 127.0.0.1
+ TargetPort 9188
+ ValidateProto yes
+}
+ProxySpec {
+ Proto pop3s
+ Addr 127.0.0.1
+ Port 8460
+ DivertPort 8110
+ TargetAddr 127.0.0.1
+ TargetPort 9460
+ ValidateProto yes
+}
+
+# Tests for SMTP
+ProxySpec {
+ Proto smtp
+ Addr 127.0.0.1
+ Port 8189
+ DivertPort 9199
+ TargetAddr 127.0.0.1
+ TargetPort 9189
+ ValidateProto yes
+}
+ProxySpec {
+ Proto smtps
+ Addr 127.0.0.1
+ Port 8461
+ DivertPort 9199
+ TargetAddr 127.0.0.1
+ TargetPort 9461
+ ValidateProto yes
+}
+
+# SSLsplit mode tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer
+ProxySpec http 127.0.0.1 8190 127.0.0.1 9190
+ProxySpec https 127.0.0.1 8463 127.0.0.1 9463
+
+# Tests for Divert filtering rules
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8191
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9191
+ Divert no
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190 log connect
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Pass *
+ Split *
+
+ Match from *
+ Block from *
+ Pass from *
+ Split from *
+
+ Match from ip *
+ Block from ip *
+ Pass from ip *
+ Split from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Block from ip 127.0.0.1 to ip *
+ Pass from ip 127.0.0.1 to ip *
+ Split from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1
+ Block from ip 127.0.0.1 to ip 127.0.0.1
+ Pass from ip 127.0.0.1 to ip 127.0.0.1
+ Split from ip 127.0.0.1 to ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+
+ # The most specific and the highest precedence action
+ Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8192
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9192
+ Divert no
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191 log connect
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Pass *
+ Split *
+
+ Match from *
+ Block from *
+ Pass from *
+ Split from *
+
+ Match from ip *
+ Block from ip *
+ Pass from ip *
+ Split from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Block from ip 127.0.0.1 to ip *
+ Pass from ip 127.0.0.1 to ip *
+ Split from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1
+ Block from ip 127.0.0.1 to ip 127.0.0.1
+ Pass from ip 127.0.0.1 to ip 127.0.0.1
+ Split from ip 127.0.0.1 to ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+
+ # The most specific and the highest precedence action
+ Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+}
+
+# Tests for Split filtering rules
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8193
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9193
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Pass *
+ Divert *
+
+ Match from *
+ Block from *
+ Pass from *
+ Divert from *
+
+ Match from ip *
+ Block from ip *
+ Pass from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Block from ip 127.0.0.1 to ip *
+ Pass from ip 127.0.0.1 to ip *
+ Divert from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1
+ Block from ip 127.0.0.1 to ip 127.0.0.1
+ Pass from ip 127.0.0.1 to ip 127.0.0.1
+ Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+ # No Divert, because Divert's precedence is higher than Split's
+
+ # The most specific and the highest precedence action
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8194
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9194
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Pass *
+ Divert *
+
+ Match from *
+ Block from *
+ Pass from *
+ Divert from *
+
+ Match from ip *
+ Block from ip *
+ Pass from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Block from ip 127.0.0.1 to ip *
+ Pass from ip 127.0.0.1 to ip *
+ Divert from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1
+ Block from ip 127.0.0.1 to ip 127.0.0.1
+ Pass from ip 127.0.0.1 to ip 127.0.0.1
+ Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+ # No Divert, because Divert's precedence is higher than Split's
+
+ # The most specific and the highest precedence action
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+}
+
+# Tests for Pass filtering rules
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8195
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9195
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Split *
+ Divert *
+
+ Match from *
+ Block from *
+ Split from *
+ Divert from *
+
+ Match from ip *
+ Block from ip *
+ Split from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Split from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Block from ip 127.0.0.1 to ip *
+ Split from ip 127.0.0.1 to ip *
+ Divert from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1
+ Block from ip 127.0.0.1 to ip 127.0.0.1
+ Split from ip 127.0.0.1 to ip 127.0.0.1
+ Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+ # No Divert or Split, because their precedence is higher than Pass's
+
+ # The most specific and the highest precedence action
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8196
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9196
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Split *
+ Divert *
+
+ Match from *
+ Block from *
+ Split from *
+ Divert from *
+
+ Match from ip *
+ Block from ip *
+ Split from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Split from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Block from ip 127.0.0.1 to ip *
+ Split from ip 127.0.0.1 to ip *
+ Divert from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1
+ Block from ip 127.0.0.1 to ip 127.0.0.1
+ Split from ip 127.0.0.1 to ip 127.0.0.1
+ Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+ # No Divert or Split, because their precedence is higher than Pass's
+
+ # The most specific and the highest precedence action
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+}
+
+# Tests for Block filtering rules
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8197
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9197
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Pass from ip 127.0.0.0
+ Pass from ip 127.0.0.2
+ Pass from ip 127.0.0.1 to ip 127.0.0.0
+ Pass from ip 127.0.0.1 to ip 127.0.0.2
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Pass *
+ Split *
+ Divert *
+
+ Match from *
+ Pass from *
+ Split from *
+ Divert from *
+
+ Match from ip *
+ Pass from ip *
+ Split from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Pass from ip 127.0.0.1 to ip *
+ Split from ip 127.0.0.1 to ip *
+ Divert from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1
+ Pass from ip 127.0.0.1 to ip 127.0.0.1
+ Split from ip 127.0.0.1 to ip 127.0.0.1
+ Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port 9197
+ # No Divert, Split, or Pass, because their precedence is higher than Block's
+
+ # The most specific and the highest precedence action
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8198
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9198
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Pass from ip 127.0.0.0
+ Pass from ip 127.0.0.2
+ Pass from ip 127.0.0.1 to ip 127.0.0.0
+ Pass from ip 127.0.0.1 to ip 127.0.0.2
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Pass *
+ Split *
+ Divert *
+
+ Match from *
+ Pass from *
+ Split from *
+ Divert from *
+
+ Match from ip *
+ Pass from ip *
+ Split from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Pass from ip 127.0.0.1 to ip *
+ Split from ip 127.0.0.1 to ip *
+ Divert from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1
+ Pass from ip 127.0.0.1 to ip 127.0.0.1
+ Split from ip 127.0.0.1 to ip 127.0.0.1
+ Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+ Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+ Match from ip 127.0.0.1 to ip 127.0.0.1 port 9198
+ # No Divert, Split, or Pass, because their precedence is higher than Block's
+
+ # The most specific and the highest precedence action
+ Block from ip 127.0.0.1 to ip 127.0.0.1 port 9198
+}
+
+# Tests for SNI filtering rules
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8200
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9200
+ Divert no
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to sni comixwall.org port 9199
+ Block from ip 127.0.0.1 to sni comixwall.org port 9201
+ Block from ip 127.0.0.1 to sni comixwall.org port 9199 log connect
+ Block from ip 127.0.0.1 to sni comixwall.org port 9201 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Pass *
+ Split *
+
+ Match from *
+ Block from *
+ Pass from *
+ Split from *
+
+ Match from ip *
+ Block from ip *
+ Pass from ip *
+ Split from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Block from ip 127.0.0.1 to ip *
+ Pass from ip 127.0.0.1 to ip *
+ Split from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to sni comixwall.org
+ Block from ip 127.0.0.1 to sni comixwall.org
+ Pass from ip 127.0.0.1 to sni comixwall.org
+ Split from ip 127.0.0.1 to sni comixwall.org
+
+ Match from ip 127.0.0.1 to sni comixwall.org port *
+ Block from ip 127.0.0.1 to sni comixwall.org port *
+ Pass from ip 127.0.0.1 to sni comixwall.org port *
+ Split from ip 127.0.0.1 to sni comixwall.org port *
+
+ Match from ip 127.0.0.1 to sni comixwall.org port 9200
+ Block from ip 127.0.0.1 to sni comixwall.org port 9200
+ Pass from ip 127.0.0.1 to sni comixwall.org port 9200
+ Split from ip 127.0.0.1 to sni comixwall.org port 9200
+
+ # The most specific and the highest precedence action
+ Divert from ip 127.0.0.1 to sni comixwall.org port 9200
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8201
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9201
+ Divert no
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to sni comixwall.org port 9200
+ Block from ip 127.0.0.1 to sni comixwall.org port 9202
+ Block from ip 127.0.0.1 to sni comixwall.org port 9200 log connect
+ Block from ip 127.0.0.1 to sni comixwall.org port 9202 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Pass *
+ Split *
+
+ Match from *
+ Block from *
+ Pass from *
+ Split from *
+
+ Match from ip *
+ Block from ip *
+ Pass from ip *
+ Split from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to ip *
+ Block from ip 127.0.0.1 to ip *
+ Pass from ip 127.0.0.1 to ip *
+ Split from ip 127.0.0.1 to ip *
+
+ Match from ip 127.0.0.1 to sni comixwall.org
+ Block from ip 127.0.0.1 to sni comixwall.org
+ Pass from ip 127.0.0.1 to sni comixwall.org
+ Split from ip 127.0.0.1 to sni comixwall.org
+
+ Match from ip 127.0.0.1 to sni comixwall.org port *
+ Block from ip 127.0.0.1 to sni comixwall.org port *
+ Pass from ip 127.0.0.1 to sni comixwall.org port *
+ Split from ip 127.0.0.1 to sni comixwall.org port *
+
+ Match from ip 127.0.0.1 to sni comixwall.org port 9201
+ Block from ip 127.0.0.1 to sni comixwall.org port 9201
+ Pass from ip 127.0.0.1 to sni comixwall.org port 9201
+ Split from ip 127.0.0.1 to sni comixwall.org port 9201
+
+ # The most specific and the highest precedence action
+ Divert from ip 127.0.0.1 to sni comixwall.org port 9201
+}
+
+# Tests for Common Names filtering rules
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8202
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9202
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to cn comixwall.org port 9201
+ Block from ip 127.0.0.1 to cn comixwall.org port 9203
+ Block from ip 127.0.0.1 to cn comixwall.org port 9201 log connect
+ Block from ip 127.0.0.1 to cn comixwall.org port 9203 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Pass *
+ Split *
+
+ Match from *
+ Block from *
+ Pass from *
+ Split from *
+
+ Match from ip *
+ Block from ip *
+ Pass from ip *
+ Split from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to cn *
+ Block from ip 127.0.0.1 to cn *
+ Pass from ip 127.0.0.1 to cn *
+ Split from ip 127.0.0.1 to cn *
+
+ Match from ip 127.0.0.1 to cn comixwall.org
+ Block from ip 127.0.0.1 to cn comixwall.org
+ Pass from ip 127.0.0.1 to cn comixwall.org
+ Split from ip 127.0.0.1 to cn comixwall.org
+
+ Match from ip 127.0.0.1 to cn comixwall.org port *
+ Block from ip 127.0.0.1 to cn comixwall.org port *
+ Pass from ip 127.0.0.1 to cn comixwall.org port *
+ Split from ip 127.0.0.1 to cn comixwall.org port *
+
+ Match from ip 127.0.0.1 to cn comixwall.org port 9202
+ Block from ip 127.0.0.1 to cn comixwall.org port 9202
+
+ # The most specific and the highest precedence action
+ # log action increases precedence, but cannot override filter action,
+ # so no Split or Divert filter actions, with or without log action
+ Pass from ip 127.0.0.1 to cn comixwall.org port 9202 log connect
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8203
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9203
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Block from ip 127.0.0.0
+ Block from ip 127.0.0.2
+ Block from ip 127.0.0.1 to ip 127.0.0.0
+ Block from ip 127.0.0.1 to ip 127.0.0.2
+ Block from ip 127.0.0.1 to cn comixwall.org port 9202
+ Block from ip 127.0.0.1 to cn comixwall.org port 9204
+ Block from ip 127.0.0.1 to cn comixwall.org port 9202 log connect
+ Block from ip 127.0.0.1 to cn comixwall.org port 9204 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Block *
+ Pass *
+ Split *
+
+ Match from *
+ Block from *
+ Pass from *
+ Split from *
+
+ Match from ip *
+ Block from ip *
+ Pass from ip *
+ Split from ip *
+
+ Match from ip 127.0.0.1
+ Block from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to cn *
+ Block from ip 127.0.0.1 to cn *
+ Pass from ip 127.0.0.1 to cn *
+ Split from ip 127.0.0.1 to cn *
+
+ Match from ip 127.0.0.1 to cn comixwall.org
+ Block from ip 127.0.0.1 to cn comixwall.org
+ Pass from ip 127.0.0.1 to cn comixwall.org
+ Split from ip 127.0.0.1 to cn comixwall.org
+
+ Match from ip 127.0.0.1 to cn comixwall.org port *
+ Block from ip 127.0.0.1 to cn comixwall.org port *
+ Pass from ip 127.0.0.1 to cn comixwall.org port *
+ Split from ip 127.0.0.1 to cn comixwall.org port *
+
+ Match from ip 127.0.0.1 to cn comixwall.org port 9203
+ Block from ip 127.0.0.1 to cn comixwall.org port 9203
+ Pass from ip 127.0.0.1 to cn comixwall.org port 9203
+ Split from ip 127.0.0.1 to cn comixwall.org port 9203
+ # The second most specific rule, correct CN
+ Divert from ip 127.0.0.1 to cn comixwall.org port 9203
+
+ # The most specific and the highest precedence action, wrong CN
+ Pass from ip 127.0.0.1 to cn comixwall2.org port 9203 log connect
+}
+
+# Tests for Host filtering rules
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8204
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9204
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Pass from ip 127.0.0.0
+ Pass from ip 127.0.0.2
+ Pass from ip 127.0.0.1 to ip 127.0.0.0
+ Pass from ip 127.0.0.1 to ip 127.0.0.2
+ Pass from ip 127.0.0.1 to host example.com port 8203
+ Pass from ip 127.0.0.1 to host example.com port 9205
+ Pass from ip 127.0.0.1 to host example.com port 8203 log connect
+ Pass from ip 127.0.0.1 to host example.com port 9205 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Pass *
+ Split *
+ Divert *
+
+ Match from *
+ Pass from *
+ Split from *
+ Divert from *
+
+ Match from ip *
+ Pass from ip *
+ Split from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to host *
+ Pass from ip 127.0.0.1 to host *
+ Split from ip 127.0.0.1 to host *
+ Divert from ip 127.0.0.1 to host *
+
+ Match from ip 127.0.0.1 to host example.com
+ Pass from ip 127.0.0.1 to host example.com
+ Split from ip 127.0.0.1 to host example.com
+ Divert from ip 127.0.0.1 to host example.com
+
+ Match from ip 127.0.0.1 to host example.com port *
+ Pass from ip 127.0.0.1 to host example.com port *
+ Split from ip 127.0.0.1 to host example.com port *
+ Divert from ip 127.0.0.1 to host example.com port *
+
+ Match from ip 127.0.0.1 to host example.com port 9204
+ # No Divert, Split, or Pass, because their precedence is higher than Block's
+
+ # The most specific and the highest precedence action
+ Block from ip 127.0.0.1 to host example.com port 9204
+}
+ProxySpec {
+ Proto https
+ Addr 127.0.0.1
+ Port 8205
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9205
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Pass from ip 127.0.0.0
+ Pass from ip 127.0.0.2
+ Pass from ip 127.0.0.1 to ip 127.0.0.0
+ Pass from ip 127.0.0.1 to ip 127.0.0.2
+ Pass from ip 127.0.0.1 to host example.com port 8204
+ Pass from ip 127.0.0.1 to host example.com port 9206
+ Pass from ip 127.0.0.1 to host example.com port 8204 log connect
+ Pass from ip 127.0.0.1 to host example.com port 9206 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Pass *
+ Split *
+ Divert *
+
+ Match from *
+ Pass from *
+ Split from *
+ Divert from *
+
+ Match from ip *
+ Pass from ip *
+ Split from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to host *
+ Pass from ip 127.0.0.1 to host *
+ Split from ip 127.0.0.1 to host *
+ Divert from ip 127.0.0.1 to host *
+
+ Match from ip 127.0.0.1 to host example.com
+ Pass from ip 127.0.0.1 to host example.com
+ Split from ip 127.0.0.1 to host example.com
+ Divert from ip 127.0.0.1 to host example.com
+
+ Match from ip 127.0.0.1 to host example.com port *
+ Pass from ip 127.0.0.1 to host example.com port *
+ Split from ip 127.0.0.1 to host example.com port *
+ Divert from ip 127.0.0.1 to host example.com port *
+
+ Match from ip 127.0.0.1 to host example.com port 9205
+ # No Divert, Split, or Pass, because their precedence is higher than Block's
+
+ # The most specific and the highest precedence action
+ Block from ip 127.0.0.1 to host example.com port 9205
+}
+ProxySpec {
+ Proto http
+ Addr 127.0.0.1
+ Port 8206
+ DivertPort 8080
+ TargetAddr 127.0.0.1
+ TargetPort 9206
+ Divert yes
+
+ # Unrelated rules should not have any effect
+ Pass from ip 127.0.0.0
+ Pass from ip 127.0.0.2
+ Pass from ip 127.0.0.1 to ip 127.0.0.0
+ Pass from ip 127.0.0.1 to ip 127.0.0.2
+ Pass from ip 127.0.0.1 to host example.com port 8205
+ Pass from ip 127.0.0.1 to host example.com port 9207
+ Pass from ip 127.0.0.1 to host example.com port 8205 log connect
+ Pass from ip 127.0.0.1 to host example.com port 9207 log connect
+
+ # Lower precedence actions should not change filter action
+ # Less specific rules should not change filter action
+ Match *
+ Pass *
+ Split *
+ Divert *
+
+ Match from *
+ Pass from *
+ Split from *
+ Divert from *
+
+ Match from ip *
+ Pass from ip *
+ Split from ip *
+ Divert from ip *
+
+ Match from ip 127.0.0.1
+ Pass from ip 127.0.0.1
+ Split from ip 127.0.0.1
+ Divert from ip 127.0.0.1
+
+ Match from ip 127.0.0.1 to host *
+ Pass from ip 127.0.0.1 to host *
+ Split from ip 127.0.0.1 to host *
+ Divert from ip 127.0.0.1 to host *
+
+ Match from ip 127.0.0.1 to host example.com
+ Pass from ip 127.0.0.1 to host example.com
+ Split from ip 127.0.0.1 to host example.com
+ Divert from ip 127.0.0.1 to host example.com
+
+ Match from ip 127.0.0.1 to host example.com port *
+ Pass from ip 127.0.0.1 to host example.com port *
+ Split from ip 127.0.0.1 to host example.com port *
+ Divert from ip 127.0.0.1 to host example.com port *
+
+ Match from ip 127.0.0.1 to host example.com port 9206
+ # No Divert, Split, or Pass, because their precedence is higher than Block's
+
+ # The most specific and the highest precedence action
+ Block from ip 127.0.0.1 to host example.com port 9206 +} +ProxySpec { + Proto https + Addr 127.0.0.1 + Port 8207 + DivertPort 8080 + TargetAddr 127.0.0.1 + TargetPort 9207 + Divert yes + + # Unrelated rules should not have any effect + Pass from ip 127.0.0.0 + Pass from ip 127.0.0.2 + Pass from ip 127.0.0.1 to ip 127.0.0.0 + Pass from ip 127.0.0.1 to ip 127.0.0.2 + Pass from ip 127.0.0.1 to host example.com port 8206 + Pass from ip 127.0.0.1 to host example.com port 9208 + Pass from ip 127.0.0.1 to host example.com port 8206 log connect + Pass from ip 127.0.0.1 to host example.com port 9208 log connect + + # Lower precedence actions should not change filter action + # Less specific rules should not change filter action + Match * + Pass * + Split * + Divert * + + Match from * + Pass from * + Split from * + Divert from * + + Match from ip * + Pass from ip * + Split from ip * + Divert from ip * + + Match from ip 127.0.0.1 + Pass from ip 127.0.0.1 + Split from ip 127.0.0.1 + Divert from ip 127.0.0.1 + + Match from ip 127.0.0.1 to host * + Pass from ip 127.0.0.1 to host * + Split from ip 127.0.0.1 to host * + Divert from ip 127.0.0.1 to host * + + Match from ip 127.0.0.1 to host example.com + Pass from ip 127.0.0.1 to host example.com + Split from ip 127.0.0.1 to host example.com + Divert from ip 127.0.0.1 to host example.com + + Match from ip 127.0.0.1 to host example.com port * + Pass from ip 127.0.0.1 to host example.com port * + Split from ip 127.0.0.1 to host example.com port * + Divert from ip 127.0.0.1 to host example.com port * + + Match from ip 127.0.0.1 to host example.com port 9207 + # No Divert, Split, or Pass, because their precedence is higher than Block's + + # The most specific and the highest precedence action + Block from ip 127.0.0.1 to host example.com port 9207 +} + +# Tests for URI filtering rules +ProxySpec { + Proto http + Addr 127.0.0.1 + Port 8208 + DivertPort 8080 + TargetAddr 127.0.0.1 + TargetPort 9208 + Divert yes + + # Unrelated rules 
should not have any effect + Pass from ip 127.0.0.0 + Pass from ip 127.0.0.2 + Pass from ip 127.0.0.1 to ip 127.0.0.0 + Pass from ip 127.0.0.1 to ip 127.0.0.2 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8207 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8207 log connect + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209 log connect + + # Lower precedence actions should not change filter action + # Less specific rules should not change filter action + Match * + Pass * + Split * + Divert * + + Match from * + Pass from * + Split from * + Divert from * + + Match from ip * + Pass from ip * + Split from ip * + Divert from ip * + + Match from ip 127.0.0.1 + Pass from ip 127.0.0.1 + Split from ip 127.0.0.1 + Divert from ip 127.0.0.1 + + Match from ip 127.0.0.1 to uri * + Pass from ip 127.0.0.1 to uri * + Split from ip 127.0.0.1 to uri * + Divert from ip 127.0.0.1 to uri * + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9208 + # No Divert, Split, or Pass, because their precedence is higher than Block's + + # The most specific and the highest precedence action + Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9208 +} +ProxySpec { + Proto https + Addr 127.0.0.1 + Port 8209 + DivertPort 8080 + TargetAddr 127.0.0.1 + TargetPort 9209 + Divert yes + + # Unrelated rules should not have any 
effect + Pass from ip 127.0.0.0 + Pass from ip 127.0.0.2 + Pass from ip 127.0.0.1 to ip 127.0.0.0 + Pass from ip 127.0.0.1 to ip 127.0.0.2 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8208 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8208 log connect + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210 log connect + + # Lower precedence actions should not change filter action + # Less specific rules should not change filter action + Match * + Pass * + Split * + Divert * + + Match from * + Pass from * + Split from * + Divert from * + + Match from ip * + Pass from ip * + Split from ip * + Divert from ip * + + Match from ip 127.0.0.1 + Pass from ip 127.0.0.1 + Split from ip 127.0.0.1 + Divert from ip 127.0.0.1 + + Match from ip 127.0.0.1 to uri * + Pass from ip 127.0.0.1 to uri * + Split from ip 127.0.0.1 to uri * + Divert from ip 127.0.0.1 to uri * + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209 + # No Divert, Split, or Pass, because their precedence is higher than Block's + + # The most specific and the highest precedence action + Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209 +} +ProxySpec { + Proto http + Addr 127.0.0.1 + Port 8210 + DivertPort 8080 + TargetAddr 127.0.0.1 + TargetPort 9210 + Divert yes + + # Unrelated rules should not have any effect + Pass from ip 
127.0.0.0 + Pass from ip 127.0.0.2 + Pass from ip 127.0.0.1 to ip 127.0.0.0 + Pass from ip 127.0.0.1 to ip 127.0.0.2 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8209 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8209 log connect + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211 log connect + + # Lower precedence actions should not change filter action + # Less specific rules should not change filter action + Match * + Pass * + Split * + Divert * + + Match from * + Pass from * + Split from * + Divert from * + + Match from ip * + Pass from ip * + Split from ip * + Divert from ip * + + Match from ip 127.0.0.1 + Pass from ip 127.0.0.1 + Split from ip 127.0.0.1 + Divert from ip 127.0.0.1 + + Match from ip 127.0.0.1 to uri * + Pass from ip 127.0.0.1 to uri * + Split from ip 127.0.0.1 to uri * + Divert from ip 127.0.0.1 to uri * + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210 + # No Divert, Split, or Pass, because their precedence is higher than Block's + + # The most specific and the highest precedence action + Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210 +} +ProxySpec { + Proto https + Addr 127.0.0.1 + Port 8211 + DivertPort 8080 + TargetAddr 127.0.0.1 + TargetPort 9211 + Divert yes + + # Unrelated rules should not have any effect + Pass from ip 127.0.0.0 + Pass from ip 
127.0.0.2 + Pass from ip 127.0.0.1 to ip 127.0.0.0 + Pass from ip 127.0.0.1 to ip 127.0.0.2 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8210 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9212 + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8210 log connect + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9212 log connect + + # Lower precedence actions should not change filter action + # Less specific rules should not change filter action + Match * + Pass * + Split * + Divert * + + Match from * + Pass from * + Split from * + Divert from * + + Match from ip * + Pass from ip * + Split from ip * + Divert from ip * + + Match from ip 127.0.0.1 + Pass from ip 127.0.0.1 + Split from ip 127.0.0.1 + Divert from ip 127.0.0.1 + + Match from ip 127.0.0.1 to uri * + Pass from ip 127.0.0.1 to uri * + Split from ip 127.0.0.1 to uri * + Divert from ip 127.0.0.1 to uri * + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php + Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port * + + Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211 + # No Divert, Split, or Pass, because their precedence is higher than Block's + + # The most specific and the highest precedence action + Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211 +} + +# Tests for structured filtering rules +ProxySpec { + Proto https + Addr 127.0.0.1 + Port 8212 + DivertPort 8080 + TargetAddr 127.0.0.1 + TargetPort 9212 + Divert yes + + # FilterRule below should override these options + DenyOCSP no + 
Passthrough yes + CACert ca2.crt + CAKey ca2.key + #ClientCert /etc/sslproxy/client.crt + #ClientKey /etc/sslproxy/client.key + #CAChain /etc/sslproxy/chain.crt + #LeafCRLURL http://example.com/example.crl + #DHGroupParams /etc/sslproxy/dh.pem + #ECDHCurve prime256v1 + SSLCompression yes + ForceSSLProto tls12 + DisableSSLProto tls13 + MinSSLProto tls11 + MaxSSLProto tls12 + Ciphers LOW + CipherSuites TLS_AES_128_CCM_SHA256 + RemoveHTTPAcceptEncoding no + RemoveHTTPReferer no + VerifyPeer yes + AllowWrongHost yes + UserAuth yes + #UserTimeout 300 + #UserAuthURL https://192.168.0.1/userdblogin.php + ValidateProto no + MaxHTTPHeaderSize 2048 + + FilterRule { + Action Match + SrcIp 127.0.0.1 + DstIp 127.0.0.1 + DstPort 9212 + Log connect + + DenyOCSP yes + Passthrough no + CACert ca.crt + CAKey ca.key + #ClientCert /etc/sslproxy/client.crt + #ClientKey /etc/sslproxy/client.key + #CAChain /etc/sslproxy/chain.crt + #LeafCRLURL http://example.com/example.crl + #DHGroupParams /etc/sslproxy/dh.pem + #ECDHCurve prime256v1 + SSLCompression no + ForceSSLProto tls13 + EnableSSLProto tls13 + MinSSLProto tls10 + MaxSSLProto tls13 + Ciphers MEDIUM:HIGH + CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + RemoveHTTPAcceptEncoding yes + RemoveHTTPReferer yes + VerifyPeer no + AllowWrongHost no + UserAuth no + #UserTimeout 300 + #UserAuthURL https://192.168.0.1/userdblogin.php + ValidateProto yes + MaxHTTPHeaderSize 8192 + } +} +ProxySpec { + Proto https + Addr 127.0.0.1 + Port 8213 + DivertPort 8080 + TargetAddr 127.0.0.1 + TargetPort 9213 + Divert yes + + # FilterRule below should override these options + DenyOCSP no + Passthrough yes + CACert ca2.crt + CAKey ca2.key + #ClientCert /etc/sslproxy/client.crt + #ClientKey /etc/sslproxy/client.key + #CAChain /etc/sslproxy/chain.crt + #LeafCRLURL http://example.com/example.crl + #DHGroupParams /etc/sslproxy/dh.pem + #ECDHCurve prime256v1 + SSLCompression yes + ForceSSLProto tls12 + DisableSSLProto 
tls13 + MinSSLProto tls11 + MaxSSLProto tls12 + Ciphers MEDIUM:HIGH + CipherSuites TLS_AES_128_CCM_SHA256 + RemoveHTTPAcceptEncoding no + RemoveHTTPReferer no + #VerifyPeer yes + AllowWrongHost yes + #UserAuth yes + #UserTimeout 300 + #UserAuthURL https://192.168.0.1/userdblogin.php + ValidateProto no + MaxHTTPHeaderSize 2048 + + FilterRule { + Action Match + SrcIp 127.0.0.1 + CN comixwall.org + DstPort 9213 + Log connect + + # Reconnect srvdst to apply the SSL config in this rule + ReconnectSSL yes + + DenyOCSP yes + Passthrough no + CACert ca.crt + CAKey ca.key + #ClientCert /etc/sslproxy/client.crt + #ClientKey /etc/sslproxy/client.key + #CAChain /etc/sslproxy/chain.crt + #LeafCRLURL http://example.com/example.crl + #DHGroupParams /etc/sslproxy/dh.pem + #ECDHCurve prime256v1 + SSLCompression no + ForceSSLProto tls13 + EnableSSLProto tls13 + MinSSLProto tls10 + MaxSSLProto tls13 + Ciphers MEDIUM:HIGH + CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + RemoveHTTPAcceptEncoding yes + RemoveHTTPReferer yes + VerifyPeer no + AllowWrongHost no + UserAuth no + #UserTimeout 300 + #UserAuthURL https://192.168.0.1/userdblogin.php + ValidateProto yes + MaxHTTPHeaderSize 8192 + } +} + +# Autossl tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer +ProxySpec autossl 127.0.0.1 8214 up:8080 127.0.0.1 9214 +ProxySpec autossl 127.0.0.1 8215 127.0.0.1 9215 diff --git a/tests/testproxy/testharness_openssl3.json b/tests/testproxy/testharness_openssl3.json new file mode 100644 index 0000000..2477d30 --- /dev/null +++ b/tests/testproxy/testharness_openssl3.json 
@@ -0,0 +1,70 @@ +{ + "comment": "SSLproxy tests", + "testharnesses": { + "1": { + "comment": "HTTP tests", + "testsets": { + "1": "http_testset_1.json", + "2": "http_testset_2.json", + "3": "http_testset_3.json" + } + }, + "2": { + "comment": "SSL config tests", + "testsets": { + "1": "ssl_testset_4.json", + "2": "ssl_testset_5.json", + "3": "ssl_testset_6.json" + } + }, + "3": { + "comment": "Protocol validation tests", + "testsets": { + "1": "tcp_ssl_testends_testset_1.json", + "2": "ssl_tcp_testends_testset_1.json", + "3": "proto_validate_testset_1.json", + "4": "proto_validate_testset_2.json", + "5": "proto_validate_testset_3.json", + "6": "proto_validate_testset_4.json" + } + }, + "4": { + "comment": "Various option tests", + "testsets": { + "1": "passthrough_testset_1.json", + "2": "verifypeer_testset_1.json", + "3": "verifypeer_testset_2.json", + "4": "ca_testset_1.json", + "5": "ca_testset_2.json", + "6": "userauth_testset_1.json", + "7": "userauth_testset_2.json" + } + }, + "5": { + "comment": "Filtering rules tests", + "testsets": { + "1": "filter_divert_testset_1.json", + "2": "filter_split_testset_1.json", + "3": "filter_pass_testset_1.json", + "4": "filter_block_testset_1.json", + "5": "filter_sni_testset_1.json", + "6": "filter_sni_testset_2.json", + "7": "filter_cn_testset_1.json", + "8": "filter_cn_testset_2.json", + "9": "filter_host_testset_1.json", + "10": "filter_host_testset_2.json", + "11": "filter_uri_testset_1.json", + "12": "filter_uri_testset_2.json", + "13": "filter_struct_testset_1.json", + "14": "filter_struct_reconnect_testset_1.json" + } + }, + "6": { + "comment": "Autossl tests", + "testsets": { + "1": "autossl_testset_1.json", + "2": "autossl_testset_2.json" + } + } + } +} diff --git a/tests/testproxy/testharness_split_openssl3.json b/tests/testproxy/testharness_split_openssl3.json new file mode 100644 index 0000000..811069f --- /dev/null +++ b/tests/testproxy/testharness_split_openssl3.json 
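Review bot: The top-level `"comment"` on the second line of testharness_openssl3.json still reads `"SSLproxy tests"`, so nothing in the file says that it is the OpenSSL 3 variant or why it differs from the base harness; the "SSL config tests" group starting at ssl_testset_4.json suggests earlier SSL testsets were deliberately left out, but the reason is not recorded anywhere a reader of this file would find it. Since this format has no comment syntax beyond that field, state the variant and the omission in it, e.g. `"comment": "SSLproxy tests - OpenSSL 3 variant; SSL config testsets before ssl_testset_4 omitted: <reason>"`. The same point applies to `"comment": "SSLproxy split mode tests"` in testharness_split_openssl3.json in the next hunk, whose filtering group also stops at filter_block_testset_1.json.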
@@ -0,0 +1,53 @@ +{ + "comment": "SSLproxy split mode tests", + "testharnesses": { + "1": { + "comment": "HTTP tests", + "testsets": { + "1": "http_testset_split_1.json", + "2": "http_testset_2.json", + "3": "http_testset_3.json" + } + }, + "2": { + "comment": "SSL config tests", + "testsets": { + "1": "ssl_testset_4.json", + "2": "ssl_testset_5.json", + "3": "ssl_testset_6.json" + } + }, + "3": { + "comment": "Protocol validation tests", + "testsets": { + "1": "tcp_ssl_testends_testset_1.json", + "2": "ssl_tcp_testends_testset_1.json", + "3": "proto_validate_testset_1.json", + "4": "proto_validate_testset_2.json", + "5": "proto_validate_testset_3.json", + "6": "proto_validate_testset_split_4.json" + } + }, + "4": { + "comment": "Various option tests", + "testsets": { + "1": "passthrough_testset_1.json", + "2": "verifypeer_testset_1.json", + "3": "verifypeer_testset_2.json", + "4": "ca_testset_1.json", + "5": "ca_testset_2.json", + "6": "userauth_testset_1.json", + "7": "userauth_testset_2.json" + } + }, + "5": { + "comment": "Filtering rules tests", + "testsets": { + "1": "filter_divert_testset_1.json", + "2": "filter_split_testset_1.json", + "3": "filter_pass_testset_1.json", + "4": "filter_block_testset_1.json" + } + } + } +}