From 157eec565aefe071ffd80bbd603f3d0cb85187e4 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 4 Dec 2017 12:26:37 +0100
Subject: [PATCH] Accept more error messages in test_tls_ext_noca

OpenSSL 1.0, 1.1, and NSS return different error messages for untrusted certificate and missing CA.

Closes: https://github.com/python-ldap/python-ldap/issues/87
Signed-off-by: Christian Heimes
---
 Tests/t_cext.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/Tests/t_cext.py b/Tests/t_cext.py
index be858e95..ae47eaab 100644
--- a/Tests/t_cext.py
+++ b/Tests/t_cext.py
@@ -818,9 +818,16 @@ def test_tls_ext_noca(self):
 l.set_option(_ldap.OPT_PROTOCOL_VERSION, _ldap.VERSION3)
 with self.assertRaises(_ldap.CONNECT_ERROR) as e:
 l.start_tls_s()
- # some platforms return '(unknown error code)' as reason
- if '(unknown error code)' not in str(e.exception):
- self.assertIn('not trusted', str(e.exception))
+ # known resaons:
+ # Ubuntu on Travis: '(unknown error code)'
+ # OpenSSL 1.1: error:1416F086:SSL routines:\
+ # tls_process_server_certificate:certificate verify failed
+ # NSS: TLS error -8172:Peer's certificate issuer has \
+ # been marked as not trusted by the user.
+ msg = str(e.exception)
+ candidates = ('certificate', 'tls', '(unknown error code)')
+ if not any(s in msg.lower() for s in candidates):
+ self.fail(msg)

 @requires_tls(skip_nss=True)
 def test_tls_ext_clientcert(self):
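Review bot: The `'tls'` entry in `candidates` makes the message check close to vacuous: after `.lower()` it matches the NSS text `TLS error -8172`, but it would equally match any other TLS-layer failure, so a `CONNECT_ERROR` raised for a reason other than the untrusted or missing CA (a handshake or protocol problem, say) would still pass. Since this test exists to show that `start_tls_s()` refuses a server certificate when no CA is configured, the substrings are better tied to verification, e.g. `candidates = ('certificate verify failed', 'not trusted', '(unknown error code)')`, extended with the exact OpenSSL 1.0 wording, which the new comment does not list. The comment also carries a typo (`resaons` should be `reasons`), and `self.fail(msg)` would be easier to triage as `self.fail('unexpected TLS error: %r' % msg)`. The body of `test_tls_ext_noca` starts above the hunk, so the connection and CA setup it relies on is not visible here.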