Raise warnings when fail to use SSL
If none of the available clients from HTTP::Tinyish support SSL
then we should die with a better error message rather than
trying to use 'undef' as a backend (which fixes an error when
calling $backend->new a few lines later).

This is also adding an extra check inside the 'mirror' function.
That function is used in multiple locations without checking
directly the error status.
The goal is to detect invalid certificate errors when SSL
is supported by the backend.

Note that depending on the backend and probably client version the error
message can differ.

`HTTP::Tiny` Internal Exception raised with invalid certificates:
	SSL connection failed for cpan.metacpan.org:
	Invalid certificate authority locations error:0D07A086:asn1
	...

`HTTP::Tinyish::LWP` Internal Exception raised with invalid certificates:
	500 Can't connect to cpan.metacpan.org:443 ()

`HTTP::Tinyish::Curl` Internal Exception raised with invalid certificates:
	curl: (60) Peer certificate cannot be authenticated with known CA certificates
	More details here: http://curl.haxx.se/docs/sslcerts.html

`HTTP::Tinyish::Wget` Internal Exception raised with invalid certificates:
	...
	ERROR: cannot verify cpan.metacpan.org’s certificate, issued by
	...

This patch accounts for all the scenarios above.

Signed-off-by: Breno G. de Oliveira <[email protected]>
atoomic authored and garu committed Apr 27, 2024
1 parent 6a3853c commit 2666f3c
Showing 1 changed file with 31 additions and 4 deletions.
35 changes: 31 additions & 4 deletions Menlo-Legacy/lib/Menlo/CLI/Compat.pm
Expand Up @@ -2650,11 +2650,34 @@ sub DESTROY {

sub mirror {
my($self, $uri, $local) = @_;
if ($uri =~ /^file:/) {
$self->file_mirror($uri, $local);
} else {
$self->{http}->mirror($uri, $local);

die( "mirror: Undefined URI\n" ) unless defined $uri && length $uri;

if ( $uri =~ /^file:/) {
return $self->file_mirror($uri, $local);
}

my $reply = $self->{http}->mirror($uri, $local);

if ( $uri =~ /^https:/ && ref $reply
&& $reply->{status} && $reply->{status} == 599
&& $reply->{content}
) {
my $invalid_cert;
if ( ref($self->{http}) =~ m{(?:Curl|HTTPTiny|Wget)} ) {
$invalid_cert = 1 if $reply->{content} =~ m{certificate}mi;
} elsif ( ref($self->{http}) =~ m{LWP} ) {
$invalid_cert = 1 if $reply->{content} =~ m{Can't connect.+?:443}mi;
}
if ( $invalid_cert ) {
die <<"DIE";
SSL certificate verification failed for: $uri
Please update your certificates or force an HTTP-only request/mirror at your own risk.
DIE
}
}

return $reply;
}

sub untar { $_[0]->{_backends}{untar}->(@_) };
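
Review bot: In the LWP branch, `m{Can't connect.+?:443}mi` matches any failure to connect to port 443, not only a certificate problem, so a refused connection would be reported as "SSL certificate verification failed", and an https URI on a non-default port would never match. Consider wording that branch's message as a failed TLS connection rather than a failed verification, and append `$reply->{content}` to the die text so the backend's own error is preserved for diagnosis. The die text also points users at an HTTP-only mirror; it would be safer to lead with refreshing the CA bundle and to state that plain HTTP removes transport integrity for the downloaded distributions.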
Expand Down Expand Up @@ -2721,6 +2744,10 @@ sub configure_http {
}
}

if ( !$backend ) {
$self->diag_fail( join( ', ', @protocol )." not supported by available HTTP Clients." );
}

$backend->new(agent => "Menlo/$Menlo::VERSION", verify_SSL => 1);
}
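
Review bot: After the new `if ( !$backend )` block, execution still reaches `$backend->new(...)`; unless `diag_fail` dies (not visible in this hunk), the call on an undefined value still happens right after the diagnostic is printed. The commit message says this case should die, so make that explicit, for example by calling `die` with the same message or by returning from inside the block.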
