bad certificate can lead to errSSLHandshakeFail or errSSLBadCert

Author: weissi

Diff for: Tests/AsyncHTTPClientTests/HTTPClientNIOTSTests.swift

@@ -63,7 +63,8 @@ class HTTPClientNIOTSTests: XCTestCase {
                 _ = try httpClient.get(url: "https://localhost:\(httpBin.port)/get").wait()
                 XCTFail("This should have failed")
             } catch let error as HTTPClient.NWTLSError {
-                XCTAssertEqual(error.status, errSSLHandshakeFail)
+                XCTAssert(error.status == errSSLHandshakeFail || error.status == errSSLBadCert,
+                          "unexpected NWTLSError with status \(error.status)")
             } catch {
                 XCTFail("Error should have been NWTLSError not \(type(of: error))")
             }

Diff for: Tests/AsyncHTTPClientTests/HTTPClientTests.swift

@@ -901,7 +901,12 @@ class HTTPClientTests: XCTestCase {
                             XCTFail("Unexpected error: \(error)")
                             continue
                         }
-                        XCTAssertEqual(clientError.status, errSSLHandshakeFail)
+                        // We're speaking TLS to a plain text server. This will cause the handshake to fail but given
+                        // that the bytes "HTTP/1.1" aren't the start of a valid TLS packet, we can also get
+                        // errSSLPeerProtocolVersion because the first bytes contain the version.
+                        XCTAssert(clientError.status == errSSLHandshakeFail ||
+                            clientError.status == errSSLPeerProtocolVersion,
+                                "unexpected NWTLSError with status \(clientError.status)")
                     #endif
                 } else {
                     guard let clientError = error as? NIOSSLError, case NIOSSLError.handshakeFailed = clientError else {