@@ -133,6 +133,19 @@ def test_bind_tls_with_valid_hostname_just_verify_peer_ca_passes
133
133
@ldap . get_operation_result . inspect
134
134
end
135
135
136
+ def test_bind_tls_with_bogus_hostname_system_ca_fails
137
+ @ldap . host = '127.0.0.1'
138
+ @ldap . encryption ( method : :start_tls , tls_options : { } )
139
+ error = assert_raise Net ::LDAP ::Error ,
140
+ Net ::LDAP ::ConnectionRefusedError do
141
+ @ldap . bind BIND_CREDS
142
+ end
143
+ assert_equal (
144
+ "hostname \" #{ @ldap . host } \" does not match the server certificate" ,
145
+ error . message ,
146
+ )
147
+ end
148
+
136
149
# The following depend on /etc/hosts hacking.
137
150
# We can do that on CI, but it's less than cool on people's dev boxes
138
151
def test_bind_tls_with_multiple_hosts
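Review bot: `test_bind_tls_with_bogus_hostname_system_ca_fails` is not gated the way the CI-only test added further down is, yet it appears to depend on the same system trust store. With `tls_options: {}` and a fixture CA that is absent from a developer's store, the handshake would presumably fail on chain verification before any hostname comparison, so the `assert_equal` on the hostname-mismatch message would fail for the wrong reason. If hostname checking is meant to run independently of chain verification, state that above the test, e.g. `# Empty tls_options must still check the hostname, whatever the CA store holds.`; otherwise make `omit_unless ENV['TRAVIS'] == 'true'` its first line. The `assert_raise` also accepts `Net::LDAP::ConnectionRefusedError`, so only the message assertion separates a certificate rejection from a server that is simply unreachable.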
@@ -196,4 +209,14 @@ def test_bind_tls_with_multiple_bogus_hosts_ca_check_only_fails
196
209
assert_equal ( "Unable to connect to any given server: " ,
197
210
error . message . split ( "\n " ) . shift )
198
211
end
212
+
213
+ # This test is CI-only because we can't add the fixture CA
214
+ # to the system CA store on people's dev boxes.
215
+ def test_bind_tls_valid_hostname_system_ca_on_travis_passes
216
+ omit_unless ENV [ 'TRAVIS' ] == 'true'
217
+
218
+ @ldap . encryption ( method : :start_tls , tls_options : { } )
219
+ assert @ldap . bind ( BIND_CREDS ) ,
220
+ @ldap . get_operation_result . inspect
221
+ end
199
222
end
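Review bot: `test_bind_tls_valid_hostname_system_ca_on_travis_passes` asserts only that the bind succeeds, which it would also do if `tls_options: {}` led to no certificate verification at all, so on its own it does not show that the system CA store is consulted. A counterpart that runs where the fixture CA is not trusted (`omit_if ENV['TRAVIS'] == 'true'`) and expects the bind to raise would pin that behaviour. Because of the `omit_unless`, this test is skipped everywhere except Travis, so a regression in the default verification would not surface in local runs.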