Specify certfile to verify SSL certs against in tests

[mtodd]

#162 added a TLS Start test but didn't assert verified certs because the tls_options hadn't been wired up yet. #161 changed this, but hadn't been tested against the additional test in #162 before getting merged, resulting in master failing.

It's easy enough to disable certificate verification, but it's not necessary. Instead, we can also set the :ca_file TLS options to verify against.

cc @jch @schaary @sonOfRa @tarcieri

[mtodd]

Updated title to match the changed approach.

[mtodd]

Alternatively, we could generate a CA file if none is found instead of sticking one in test fixtures. Unsure if that'd be any better, though.

[tarcieri]

You might consider generating certificates (with e.g. certificate_authority or OpenSSL itself) rather than checking one into the repo

[mtodd]

Yeah, considered this, though that creates more friction for running tests locally, or at least running the integration tests locally.

In any case, I don't think we should block this fix on figuring out generated CA certs. That can come in a followup PR. Thoughts?

[zmajstor]

there is a failing test:

Error: test_bind_tls_with_cafile(TestBindIntegration)
: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I think that the reason is that install-openldap creates self-signed CA certificate on VM setup, so
in order to make it pass, content of fixtures/cacert.pem have to be replaced with this one:

$ vagrant ssh

vagrant@rubyldap:~$ cat /etc/ssl/certs/cacert.pem

I guess there is a more elegant way to handle this ... but this works as a quick fix

[tarcieri]

@zmajstor see my original notes on the PR: certificates should be generated for tests, not checked in.

I'm a big fan of the certificate_authority gem for this. Otherwise, there's r509, but it's MRI-specific which kinda sucks.