
Secure cpanm calls fail with Strawberry Perl <=5.22 #1920

Closed
ferki opened this issue Sep 2, 2024 · 5 comments · Fixed by #1928

Comments


ferki commented Sep 2, 2024

Thank you for making cpanm calls secure by default via #1919!

Apparently cpanm can not install from https sources anymore when using Strawberry Perls before 5.22.

For example I get the following error when attempting to install project dependencies in a GitHub Actions pipeline:

! Failed to fetch distribution Data-Validate-IP-0.31
[...]
ERROR: TLS issue found while fetching https://www.cpan.org/authors/id/D/DR/DROLSKY/Data-Validate-IP-0.31.tar.gz:  Can't connect to www.cpan.org:443  Bad file descriptor at C:/hostedtoolcache/windows/strawberry-perl/5.22.3/x64/perl/vendor/lib/LWP/Protocol/http.pm line 47.   Please verify your certificates or force an HTTP-only request/mirror using --insecure option at your own risk.

This repeats for each dependency.

It looks like all those Strawberry Perl versions ship with recent enough App::cpanminus and LWP::Protocol::https, and I'm not yet sure what else may be involved :thinking:

While enabling --insecure in the pipeline may work, at least for these older versions, could you recommend a better intermediate fix, please? Perhaps installing a recent enough extra dependency? Shall we wait for a fix in this repo instead?

While I may need some initial guidance about the details of a proposed fix, I'm happy to contribute back here too ;)


ferki commented Sep 2, 2024

Thanks for the tip, --no-lwp seems to work on all Strawberry Perl versions currently available through actions-setup-perl 👍 It feels better than --insecure, too.

Is there anything else I may try to help you debug? Let me know!

@shogo82148
Owner

This issue occurs when an old version of Mozilla::CA is installed.

The certificate for www.cpan.org was issued by Let’s Encrypt.
It requires that ISRG Root X1 is installed as the root CA.
But Mozilla::CA 20160104 doesn't contain ISRG Root X1.
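
The diagnosis above can be verified on any machine by inspecting the CA bundle that LWP actually uses. The script below is an added example, not code from this repository or from Mozilla::CA: it walks a PEM bundle, decodes each certificate and pulls the commonName out of the DER bytes by locating the `2.5.4.3` OID (for a self-signed root the first CN found is the issuer, which equals the subject), then reports whether "ISRG Root X1" is present. The two bundles it runs on are constructed stand-ins whose blobs only carry a commonName attribute and are not real certificates; the `check_bundle` and `common_names` names are the example's own.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
# DER encoding of the commonName attribute type OID 2.5.4.3
CN_OID = b"\x06\x03\x55\x04\x03"
# ASN.1 string tags that commonly carry a CN value
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}  # UTF8String, PrintableString, T61String, IA5String
REQUIRED_ROOT = "ISRG Root X1"  # root needed to validate the Let's Encrypt chain


def _der_length(der: bytes, pos: int):
    """Decode a DER length at `pos`; return (length, position of first content byte)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def common_names(bundle_text: str):
    """Return the commonName of every certificate in a PEM bundle (None if not found)."""
    names = []
    for match in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        idx = der.find(CN_OID)
        if idx < 0:
            names.append(None)
            continue
        tag_pos = idx + len(CN_OID)
        tag = der[tag_pos]
        length, start = _der_length(der, tag_pos + 1)
        if tag in STRING_TAGS:
            names.append(der[start:start + length].decode("utf-8", "replace"))
        else:
            names.append(None)
    return names


def check_bundle(bundle_text: str):
    """Summarise a bundle: how many certs it holds and whether the required root is there."""
    names = common_names(bundle_text)
    return {"certs": len(names), "has_isrg_root_x1": REQUIRED_ROOT in names}


# --- constructed sample input (NOT real certificates) ----------------------
def _fake_cert_der(cn: str) -> bytes:
    # Minimal blob: an empty SEQUENCE followed by a commonName attribute whose
    # value is a UTF8String. Enough for the OID scan above, nothing more.
    value = cn.encode()
    return b"\x30\x00" + CN_OID + b"\x0c" + bytes([len(value)]) + value


def _pem(der: bytes) -> str:
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Stand-in for a bundle from before ISRG Root X1 was added to the Mozilla store
OLD_BUNDLE = _pem(_fake_cert_der("DST Root CA X3")) + _pem(_fake_cert_der("Example Root"))
# Stand-in for a current bundle that carries the root
NEW_BUNDLE = OLD_BUNDLE + _pem(_fake_cert_der(REQUIRED_ROOT))


if __name__ == "__main__":
    # Usage: python check_bundle.py /path/to/cacert.pem ; without a path the samples are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_bundle(fh.read()))
    else:
        print("old bundle:", check_bundle(OLD_BUNDLE))
        print("new bundle:", check_bundle(NEW_BUNDLE))
```

To point it at the bundle LWP::Protocol::https will consult on a given Perl, pass the path returned by `perl -MMozilla::CA -e 'print Mozilla::CA::SSL_ca_file()'`; a result with `has_isrg_root_x1` false is the condition that produces the "TLS issue found" failure quoted in this issue.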


ferki commented Sep 2, 2024

Ah, yeah, good catch, thanks for sharing!

I wonder whether there is a good way to handle it in the scope of this repo somehow, or consumers should fix their use patterns downstream instead?

What I was thinking about so far:

  • Enforcing >Mozilla::CA-20160104: may conflict when expecting vanilla Strawberry Perl experience.
  • Enforcing --no-lwp on affected Strawberry Perl versions: it would affect other cpanm calls too, potentially masking a necessary step for others who don't use actions-setup-perl themselves.

Perhaps hiding one of those workarounds behind a configuration option would work? 🤔

Of these two, supplying a recent Mozilla::CA sounds more useful to me at first glance. Since this project chose and promises "secure by default" 👍, it feels it may be OK to include a minimum required Mozilla::CA for the chosen secure CPAN source too.


ferki commented Sep 28, 2024

Thanks for looking into this, @shogo82148! For some reason, I still get the same error with a recent run when I remove forcing --no-lwp: https://github.com/RexOps/Rex/actions/runs/11086453209/job/30804123466#step:6:19

Despite having a recent Mozilla::CA version: https://github.com/RexOps/Rex/actions/runs/11086453209/job/30804123466#step:5:9

What do I miss? :)
