Raise warnings when fail to use SSL

If none of the available clients from HTTP::Tinyish support SSL then we should die with a better error message rather than trying to use 'undef' as a backend (which fix an error when calling $backend->new a few lines later). This is also adding an extra check inside the 'mirror' function. That function is used in multiple locations without checking directly the error status. The goal is to detect invalid certificate errors when SSL is supported by the backend.. Note that depending on the backend and probably client version the error message can differ. `HTTP::Tiny` Internal Exception raised with invalid certificates: SSL connection failed for cpan.metacpan.org: Invalid certificate authority locations error:0D07A086:asn1 ... `HTTP::Tinyish::LWP` Internal Exception raised with invalid certificates: 500 Can't connect to cpan.metacpan.org:443 () `HTTP::Tinyish::Curl` Internal Exception raised with invalid certificates: curl: (60) Peer certificate cannot be authenticated with known CA certificates More details here: http://curl.haxx.se/docs/sslcerts.html `HTTP::Tinyish::Wget` Internal Exception raised with invalid certificates: ... ERROR: cannot verify cpan.metacpan.org’s certificate, issued by ... This patch accounts for all the scenarios above. Signed-off-by: Breno G. de Oliveira <[email protected]>
miyagawa · Apr 27, 2024 · 3efe8e2 · 3efe8e2
1 parent 6a3853c
commit 3efe8e2
Showing 1 changed file with 32 additions and 4 deletions.
diff --git a/Menlo-Legacy/lib/Menlo/CLI/Compat.pm b/Menlo-Legacy/lib/Menlo/CLI/Compat.pm
@@ -2650,11 +2650,35 @@ sub DESTROY {
 
 sub mirror {
     my($self, $uri, $local) = @_;
-    if ($uri =~ /^file:/) {
-        $self->file_mirror($uri, $local);
-    } else {
-        $self->{http}->mirror($uri, $local);
+
+    die( "mirror: Undefined URI\n" ) unless defined $uri && length $uri;
+
+    if ( $uri =~ /^file:/) {
+        return $self->file_mirror($uri, $local);
+    }
+
+    my $reply = $self->{http}->mirror($uri, $local);
+
+    if ( $uri =~ /^https:/ && ref $reply
+        && $reply->{status} && $reply->{status} == 599
+        && $reply->{content}
+    ) {
+        my $invalid_cert;
+        if ( ref($self->{http}) =~ m{(?:Curl|HTTPTiny|Wget)} ) {
+            $invalid_cert = 1 if $reply->{content} =~ m{certificate}mi;
+        } elsif ( ref($self->{http}) =~ m{LWP} ) {
+            $invalid_cert = 1 if $reply->{content} =~ m{Can't connect.+?:443}mi;
+        }
+        if ( $invalid_cert ) {
+            die <<"DIE";
+TLS issue found while fetching $uri:\n
+$reply->{content}\n
+Please verify your certificates or force an HTTP-only request/mirror at your own risk.
+DIE
+        }
     }
+
+    return $reply;
 }
 
 sub untar    { $_[0]->{_backends}{untar}->(@_) };
@@ -2721,6 +2745,10 @@ sub configure_http {
         }
     }
 
+    if ( !$backend ) {
+        $self->diag_fail( join( ', ', @protocol )." not supported by available HTTP Clients." );
+    }
+
     $backend->new(agent => "Menlo/$Menlo::VERSION", verify_SSL => 1);
 }