Raise warnings when fail to use SSL

atoomic · garu · commit 2666f3cf1631 · 2024-04-27T12:06:43.000-03:00
If none of the available clients from HTTP::Tinyish support SSL then we should die with a better error message rather than trying to use 'undef' as a backend (which fix an error when calling $backend->new a few lines later). This is also adding an extra check inside the 'mirror' function. That function is used in multiple locations without checking directly the error status. The goal is to detect invalid certificate errors when SSL is supported by the backend.. Note that depending on the backend and probably client version the error message can differ. `HTTP::Tiny` Internal Exception raised with invalid certificates: SSL connection failed for cpan.metacpan.org: Invalid certificate authority locations error:0D07A086:asn1 ... `HTTP::Tinyish::LWP` Internal Exception raised with invalid certificates: 500 Can't connect to cpan.metacpan.org:443 () `HTTP::Tinyish::Curl` Internal Exception raised with invalid certificates: curl: (60) Peer certificate cannot be authenticated with known CA certificates More details here: http://curl.haxx.se/docs/sslcerts.html `HTTP::Tinyish::Wget` Internal Exception raised with invalid certificates: ... ERROR: cannot verify cpan.metacpan.org’s certificate, issued by ... This patch accounts for all the scenarios above. Signed-off-by: Breno G. de Oliveira <garu@cpan.org>
diff --git a/Menlo-Legacy/lib/Menlo/CLI/Compat.pm b/Menlo-Legacy/lib/Menlo/CLI/Compat.pm
@@ -2650,11 +2650,34 @@ sub DESTROY {
 
 sub mirror {
     my($self, $uri, $local) = @_;
-    if ($uri =~ /^file:/) {
-        $self->file_mirror($uri, $local);
-    } else {
-        $self->{http}->mirror($uri, $local);
+
+    die( "mirror: Undefined URI\n" ) unless defined $uri && length $uri;
+
+    if ( $uri =~ /^file:/) {
+        return $self->file_mirror($uri, $local);
+    }
+
+    my $reply = $self->{http}->mirror($uri, $local);
+
+    if ( $uri =~ /^https:/ && ref $reply
+        && $reply->{status} && $reply->{status} == 599
+        && $reply->{content}
+    ) {
+        my $invalid_cert;
+        if ( ref($self->{http}) =~ m{(?:Curl|HTTPTiny|Wget)} ) {
+            $invalid_cert = 1 if $reply->{content} =~ m{certificate}mi;
+        } elsif ( ref($self->{http}) =~ m{LWP} ) {
+            $invalid_cert = 1 if $reply->{content} =~ m{Can't connect.+?:443}mi;
+        }
+        if ( $invalid_cert ) {
+            die <<"DIE";
+SSL certificate verification failed for: $uri
+Please update your certificates or force an HTTP-only request/mirror at your own risk.
+DIE
+        }
     }
+
+    return $reply;
 }
 
 sub untar    { $_[0]->{_backends}{untar}->(@_) };
@@ -2721,6 +2744,10 @@ sub configure_http {
         }
     }
 
+    if ( !$backend ) {
+        $self->diag_fail( join( ', ', @protocol )." not supported by available HTTP Clients." );
+    }
+
     $backend->new(agent => "Menlo/$Menlo::VERSION", verify_SSL => 1);
 }
 
