From 157eec565aefe071ffd80bbd603f3d0cb85187e4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Dec 2017 12:26:37 +0100
Subject: [PATCH] Accept more error messages in test_tls_ext_noca

OpenSSL 1.0, 1.1, and NSS return different error messages for untrusted
certificate and missing CA.

Closes: https://github.com/python-ldap/python-ldap/issues/87
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
 Tests/t_cext.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/Tests/t_cext.py b/Tests/t_cext.py
index be858e95..ae47eaab 100644
--- a/Tests/t_cext.py
+++ b/Tests/t_cext.py
@@ -818,9 +818,16 @@ def test_tls_ext_noca(self):
         l.set_option(_ldap.OPT_PROTOCOL_VERSION, _ldap.VERSION3)
         with self.assertRaises(_ldap.CONNECT_ERROR) as e:
             l.start_tls_s()
-        # some platforms return '(unknown error code)' as reason
-        if '(unknown error code)' not in str(e.exception):
-            self.assertIn('not trusted', str(e.exception))
+        # known resaons:
+        # Ubuntu on Travis: '(unknown error code)'
+        # OpenSSL 1.1: error:1416F086:SSL routines:\
+        #    tls_process_server_certificate:certificate verify failed
+        # NSS: TLS error -8172:Peer's certificate issuer has \
+        #    been marked as not trusted by the user.
+        msg = str(e.exception)
+        candidates = ('certificate', 'tls', '(unknown error code)')
+        if not any(s in msg.lower() for s in candidates):
+            self.fail(msg)
 
     @requires_tls(skip_nss=True)
     def test_tls_ext_clientcert(self):

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/python-ldap/python-ldap/pull/92.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/python-ldap/python-ldap/pull/92.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/python-ldap/python-ldap/pull/92.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/python-ldap/python-ldap/pull/92.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>