From 6b43a4717a3f1fddc16ee43a2cf2f4126f3afc10 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Sun, 6 Aug 2023 16:10:12 -0400
Subject: [PATCH 1/7] Help the user understand why SSL fails
First, list in the docs all the steps that HTTP::Tiny takes to find the cert file. Second, when HTTP::Tiny tried something and gave up, tell the user what it tried.
---
 lib/HTTP/Tiny.pm | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 7d820f5..28f9f59 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -1644,12 +1644,12 @@ sub _find_CA_file {
 my $ca_file = defined( $self->{SSL_options}->{SSL_ca_file} )
- ? $self->{SSL_options}->{SSL_ca_file}
- : $ENV{SSL_CERT_FILE};
+ ? [ 'SSL_options->{SSL_ca_file}', $self->{SSL_options}->{SSL_ca_file} ]
+ : [ 'SSL_CERT_FILE', $ENV{SSL_CERT_FILE} ];
- if ( defined $ca_file ) {
- unless ( -r $ca_file ) {
- die qq/SSL_ca_file '$ca_file' not found or not readable\n/;
+ if ( defined $ca_file[1] ) {
+ unless ( -r $ca_file[1] ) {
+ die qq/'$ca_file' from $ca_file[0] not found or not readable\n/;
 }
 return $ca_file;
 }
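Review bot: In the added `die` inside the `unless` branch, `'$ca_file'` interpolates the array reference rather than the path, so the message reads `'ARRAY(0x…)' from SSL_CERT_FILE not found or not readable`, and `$ca_file[1]` / `$ca_file[0]` subscript a package array `@ca_file` instead of the reference, which is a compile error under `use strict` (which I assume the module enables). 2/7 repairs the subscripts and 6/7 the message, so squashing both into this commit would keep every commit in the series compiling and make bisecting meaningful; 2/7's hunk still carries the same unresolved `'$ca_file'` interpolation. `_find_CA_file` continues past the end of the hunk.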
@@ -1794,14 +1794,20 @@ attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>.
 Certificate verification requires a file containing trusted CA certificates.
-If the environment variable C is present, HTTP::Tiny
-will try to find a CA certificate file in that location.
+First, HTTP::Tiny looks in the SSL option C. If that has a defined
+value, HTT::Tiny uses that. If the file is not readable, HTTP::Tiny fails and does
+not look further.
+
+If the SSL option C is not defined, HTTP::Tiny looks at the environment
+variable C. If that is defined but the filename is not readable,
+HTTP::Tiny fails and does not look further.
 If the L module is installed, HTTP::Tiny will use the CA file
 included with it as a source of trusted CA's.
 If that module is not available, then HTTP::Tiny will search several
-system-specific default locations for a CA certificate file:
+system-specific default locations for a CA certificate file. It will use
+the first path that exists:
 =for :list
 * /etc/ssl/certs/ca-certificates.crt
@@ -1813,8 +1819,8 @@ system-specific default locations for a CA certificate file:
 * /etc/pki/tls/cacert.pem
 * /etc/certs/ca-certificates.crt
-An error will be occur if C is true and no CA certificate file
-is available.
+If none of these attempts succeed and C is true, HTTP::Tiny
+will return an error when it attempts to fetch an HTTPS resource.
 If you desire complete control over TLS/SSL connections, the C attribute lets you provide a hash reference that will be passed through to
From 489312c4fe1024e65cb1cfd4cc5bb05c8aaf0a68 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Sun, 6 Aug 2023 16:13:00 -0400
Subject: [PATCH 2/7] Those should be array ref accesses
---
 lib/HTTP/Tiny.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 28f9f59..2ab38d4 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
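Review bot: The new paragraph on the environment variable leaves out that an empty value is rejected rather than skipped: the code tests `defined` and then `-r`, so an exported-but-empty `SSL_CERT_FILE=` dies with `'' from SSL_CERT_FILE not found or not readable` instead of falling through to Mozilla::CA or the system bundle paths. That fail-closed behaviour is the right one for a trust anchor, but operators who hit it will look in this section first, so I would append `An empty value is treated the same way; unset the variable to fall through to the next source.` after `HTTP::Tiny fails and does not look further.`. The sentence "It will use the first path that exists" describes the default-location scan, which lies outside this hunk, so I could not confirm from here which file test that scan applies.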
@@ -1647,9 +1647,9 @@ sub _find_CA_file {
 ? [ 'SSL_options->{SSL_ca_file}', $self->{SSL_options}->{SSL_ca_file} ]
 : [ 'SSL_CERT_FILE', $ENV{SSL_CERT_FILE} ];
- if ( defined $ca_file[1] ) {
- unless ( -r $ca_file[1] ) {
- die qq/'$ca_file' from $ca_file[0] not found or not readable\n/;
+ if ( defined $ca_file->[1] ) {
+ unless ( -r $ca_file->[1] ) {
+ die qq/'$ca_file' from $ca_file->[0] not found or not readable\n/;
 }
 return $ca_file;
 }
From 2a7a17740ddf58001b86c6930783475ee05dfbe7 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Sun, 6 Aug 2023 16:53:34 -0400
Subject: [PATCH 3/7] Mozilla::CA is not required, but useful
---
 lib/HTTP/Tiny.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 2ab38d4..4a6f913 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -1944,7 +1944,7 @@ L.
 * L - Required for IPv6 support
 * L - Required for SSL support
 * L - If HTTP::Tiny isn't enough for you, this is the "standard" way to do things
-* L - Required if you want to validate SSL certificates
+* L - Validate SSL certificates when you don't have another source of a Certificate Authority cert
 * L - Required for SSL support
 =cut
From d2fad28dbee71141ae63890a9a0897d9924ab1a4 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Sun, 6 Aug 2023 16:54:08 -0400
Subject: [PATCH 4/7] Fix link to SSL support section (#3)
---
 lib/HTTP/Tiny.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 4a6f913..b4f05fe 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -65,7 +65,7 @@ attributes are modified via accessor, or if the process ID or thread ID change, the persistent connection will be dropped. If you want persistent connections across multiple destinations, use multiple HTTP::Tiny objects.
-See L for more on the C and C attributes.
+See L for more on the C and C attributes.
 =cut
From f8504e6bb9a4b1724ec177205826d60aa4cd26ad Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Mon, 16 Oct 2023 09:49:52 -0400
Subject: [PATCH 5/7] Fixed typo in package name
---
 lib/HTTP/Tiny.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index b4f05fe..774dcec 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -1795,11 +1795,11 @@ attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>.
 Certificate verification requires a file containing trusted CA certificates.
 First, HTTP::Tiny looks in the SSL option C. If that has a defined
-value, HTT::Tiny uses that. If the file is not readable, HTTP::Tiny fails and does
+value, HTTP::Tiny uses that. If the file is not readable, HTTP::Tiny fails and does
 not look further.
 If the SSL option C is not defined, HTTP::Tiny looks at the environment
-variable C. If that is defined but the filename is not readable,
+variable C. If that is defined but the filename is not readable,
 HTTP::Tiny fails and does not look further.
 If the L module is installed, HTTP::Tiny will use the CA file
From 3cb569344fbccbbbd8891c52c6f5c9eb03f18d19 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Mon, 16 Oct 2023 10:02:25 -0400
Subject: [PATCH 6/7] Make tuple a hash ref instead
https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/4#discussion_r1358256037
---
 lib/HTTP/Tiny.pm | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 774dcec..15e82c2 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -1644,14 +1644,14 @@ sub _find_CA_file {
 my $ca_file = defined( $self->{SSL_options}->{SSL_ca_file} )
- ? [ 'SSL_options->{SSL_ca_file}', $self->{SSL_options}->{SSL_ca_file} ]
- : [ 'SSL_CERT_FILE', $ENV{SSL_CERT_FILE} ];
+ ? { source => 'SSL_options->{SSL_ca_file}', file => $self->{SSL_options}->{SSL_ca_file} }
+ : { source => 'SSL_CERT_FILE', file => $ENV{SSL_CERT_FILE} };
- if ( defined $ca_file->[1] ) {
- unless ( -r $ca_file->[1] ) {
- die qq/'$ca_file' from $ca_file->[0] not found or not readable\n/;
+ if ( defined $ca_file->{file} ) {
+ unless ( -r $ca_file->{file} ) {
+ die qq/'$ca_file->{file}' from $ca_file->{source} not found or not readable\n/;
 }
- return $ca_file;
+ return $ca_file->{file};
 }
 local @INC = @INC;
From 4ed51c10c727892218bc04673929f17e98ea1c9e Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Mon, 16 Oct 2023 10:04:23 -0400
Subject: [PATCH 7/7] Change wording on Mozilla::CA in SEE ALSO
https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/4#discussion_r1358258753
---
 lib/HTTP/Tiny.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 15e82c2..49469af 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -1944,7 +1944,7 @@ L.
 * L - Required for IPv6 support
 * L - Required for SSL support
 * L - If HTTP::Tiny isn't enough for you, this is the "standard" way to do things
-* L - Validate SSL certificates when you don't have another source of a Certificate Authority cert
+* L - Validate SSL certificates when you don“t have another source of trusted Certificate Authority certificates
 * L - Required for SSL support
 =cut
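Review bot: The `-r` guard on `$ca_file->{file}` accepts a readable directory as well as a file, so an `SSL_ca_file` or `SSL_CERT_FILE` that points at a certificate directory (the kind of value meant for `SSL_ca_path`) passes this check, is returned as the CA file, and the failure surfaces later from the TLS layer without the source label this commit was written to provide. `unless ( -f $ca_file->{file} && -r _ )` together with a message of `not a readable file` would report it here, with the source named. The hash is still called `$ca_file` although it now carries a source label and the function returns `$ca_file->{file}`; a name such as `$candidate` would read more honestly. `_find_CA_file` continues past the hunk, whose last visible line is `local @INC = @INC;`.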
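Review bot: The replacement SEE ALSO line spells `don“t` with a left double quotation mark (U+201C) where the removed line had an ASCII apostrophe; unless the POD declares `=encoding UTF-8` (not visible here) pod2man and perldoc will render that byte sequence as mojibake, and even with the declaration the character is the wrong one. Change `don“t` back to `don't` on the added line.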