2 files changed, 32 insertions, 0 deletions

diff --git a/test/js/web/fetch/fetch-reject-authorized-env-fixture.js b/test/js/web/fetch/fetch-reject-authorized-env-fixture.js
new file mode 100644
index 000000000..c3d13c747
--- /dev/null
+++ b/test/js/web/fetch/fetch-reject-authorized-env-fixture.js
@@ -0,0 +1,8 @@
+const { SERVER } = process.env;
+
+try {
+  const result = await fetch(SERVER).then(res => res.text());
+  if (result !== "Hello World") process.exit(2);
+} catch (err) {
+  process.exit(err.code === "ERR_TLS_CERT_ALTNAME_INVALID" ? 1 : 3);
+}
diff --git a/test/js/web/fetch/fetch.tls.test.ts b/test/js/web/fetch/fetch.tls.test.ts
index 184cbad8b..d8a844ed7 100644
--- a/test/js/web/fetch/fetch.tls.test.ts
+++ b/test/js/web/fetch/fetch.tls.test.ts
@@ -1,5 +1,7 @@
 import { it, expect } from "bun:test";
 import tls from "tls";
+import { join } from "node:path";
+import { bunEnv, bunExe } from "harness";
 
 type TLSOptions = {
   cert: string;
@@ -130,6 +132,28 @@ it("fetch with invalid tls + rejectUnauthorized: false should not throw", async
   });
 });
 
+it("fetch should respect rejectUnauthorized env", async () => {
+  await createServer(CERT_EXPIRED, async port => {
+    const url = `https://localhost:${port}`;
+
+    for (let i = 0; i < 2; i++) {
+      const proc = Bun.spawn({
+        env: {
+          ...bunEnv,
+          SERVER: url,
+          NODE_TLS_REJECT_UNAUTHORIZED: i.toString(),
+        },
+        stderr: "inherit",
+        stdout: "inherit",
+        cmd: [bunExe(), join(import.meta.dir, "fetch-reject-authorized-env-fixture.js")],
+      });
+
+      const exitCode = await proc.exited;
+      expect(exitCode).toBe(i);
+    }
+  });
+});
+
 it("can handle multiple requests with non native checkServerIdentity", async () => {
   await createServer(CERT_LOCALHOST_IP, async port => {
     async function request() {