Add test for secure TLS default

Now test that the default value for cert validation is DEMAND. See: https://github.com/python-ldap/python-ldap/issues/169 Signed-off-by: Christian Heimes <cheimes@redhat.com>
ECN · Jan 18, 2018 · dfbe523 · dfbe523
1 parent 22c3ccf
commit dfbe523
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/Tests/t_cext.py b/Tests/t_cext.py
@@ -826,10 +826,28 @@ def test_tls_ext(self):
         l.set_option(_ldap.OPT_X_TLS_NEWCTX, 0)
         l.start_tls_s()
 
+    @requires_tls()
+    def test_tls_require_cert(self):
+        # libldap defaults to secure cert validation
+        # see libraries/libldap/init.c
+        #     gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+
+        self.assertEqual(
+            _ldap.get_option(_ldap.OPT_X_TLS_REQUIRE_CERT),
+            _ldap.OPT_X_TLS_DEMAND
+        )
+        l = self._open_conn(bind=False)
+        self.assertEqual(
+            l.get_option(_ldap.OPT_X_TLS_REQUIRE_CERT),
+            _ldap.OPT_X_TLS_DEMAND
+        )
+
     @requires_tls()
     def test_tls_ext_noca(self):
         l = self._open_conn(bind=False)
         l.set_option(_ldap.OPT_PROTOCOL_VERSION, _ldap.VERSION3)
+        # fails because libldap defaults to secure cert validation but
+        # the test CA is not installed as trust anchor.
         with self.assertRaises(_ldap.CONNECT_ERROR) as e:
             l.start_tls_s()
         # known resaons: