From dfbe5234aa6008cb164c3e9107685cc53d2b0144 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 18 Jan 2018 11:37:35 +0100
Subject: [PATCH] Add test for secure TLS default

Now test that the default value for cert validation is DEMAND. See: https://github.com/python-ldap/python-ldap/issues/169

Signed-off-by: Christian Heimes
---
 Tests/t_cext.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/Tests/t_cext.py b/Tests/t_cext.py
index af26706..350651c 100644
--- a/Tests/t_cext.py
+++ b/Tests/t_cext.py
@@ -826,10 +826,28 @@ def test_tls_ext(self):
 l.set_option(_ldap.OPT_X_TLS_NEWCTX, 0)
 l.start_tls_s()
+ @requires_tls()
+ def test_tls_require_cert(self):
+ # libldap defaults to secure cert validation
+ # see libraries/libldap/init.c
+ # gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+ self.assertEqual(
+ _ldap.get_option(_ldap.OPT_X_TLS_REQUIRE_CERT),
+ _ldap.OPT_X_TLS_DEMAND
+ )
+ l = self._open_conn(bind=False)
+ self.assertEqual(
+ l.get_option(_ldap.OPT_X_TLS_REQUIRE_CERT),
+ _ldap.OPT_X_TLS_DEMAND
+ )
+
 @requires_tls()
 def test_tls_ext_noca(self):
 l = self._open_conn(bind=False)
 l.set_option(_ldap.OPT_PROTOCOL_VERSION, _ldap.VERSION3)
+ # fails because libldap defaults to secure cert validation but
+ # the test CA is not installed as trust anchor.
 with self.assertRaises(_ldap.CONNECT_ERROR) as e:
 l.start_tls_s()
 # known resaons:
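Review bot: test_tls_require_cert asserts the process-wide value read through `_ldap.get_option(_ldap.OPT_X_TLS_REQUIRE_CERT)`, but libldap initialises that global from its own configuration (an ldap.conf `TLS_REQCERT` directive or the `LDAPTLS_REQCERT` environment variable) before the compiled-in `LDAP_OPT_X_TLS_DEMAND` applies, so the first assertion checks the host's configuration as much as the library default and will fail on a machine that weakens it without any regression in python-ldap. The test should say so, e.g. a docstring `"""Default cert validation is DEMAND; assumes no ldap.conf/LDAPTLS_REQCERT override on the test host."""`, and if the suite already isolates libldap configuration (not visible in this hunk) it should name that fixture. The connection-level assertion is likewise only meaningful while no earlier test in the same process has changed the global option, so the two checks are order-sensitive and a note to that effect next to the `gopts->ldo_tls_require_cert` comment would help the next maintainer. The enclosing test_tls_ext starts outside the hunk; the new method itself lies entirely within it.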