test: check tls server verification with addCACert

SecureContext.addCACert() adds to the existing root store,
preserving root cert entries. option.ca is applied without
calling SecureContext.addRootCerts() so should add to
the default, empty, root store.

This test confirms that the built-in root CAs are not included
when options.ca is used.

Based on:

shigeki@acd5837

Backport-PR-URL: #12468
PR-URL: #10389
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

test/internet/test-tls-add-ca-cert.js

@@ -0,0 +1,55 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto) {
+  common.skip('missing crypto');
+  return;
+}
+
+// Test interaction of compiled-in CAs with user-provided CAs.
+
+const assert = require('assert');
+const fs = require('fs');
+const tls = require('tls');
+
+function filenamePEM(n) {
+  return require('path').join(common.fixturesDir, 'keys', n + '.pem');
+}
+
+function loadPEM(n) {
+  return fs.readFileSync(filenamePEM(n));
+}
+
+const caCert = loadPEM('ca1-cert');
+
+const opts = {
+  host: 'www.nodejs.org',
+  port: 443,
+  rejectUnauthorized: true
+};
+
+// Success relies on the compiled in well-known root CAs
+tls.connect(opts, common.mustCall(end));
+
+// The .ca option replaces the well-known roots, so connection fails.
+opts.ca = caCert;
+tls.connect(opts, fail).on('error', common.mustCall((err) => {
+  assert.strictEqual(err.message, 'unable to get local issuer certificate');
+}));
+
+function fail() {
+  assert(false, 'should fail to connect');
+}
+
+// New secure contexts have the well-known root CAs.
+opts.secureContext = tls.createSecureContext();
+tls.connect(opts, common.mustCall(end));
+
+// Explicit calls to addCACert() add to the default well-known roots, instead
+// of replacing, so connection still succeeds.
+opts.secureContext.context.addCACert(caCert);
+tls.connect(opts, common.mustCall(end));
+
+function end() {
+  this.end();
+}