feat: better warning for common SSL errors
(cherry picked from commit 3e5bf903413f420c1f997e4b55140761172b8434)
Upstream-PR: https://github.com/NixOS/nix/pull/11246
Change-Id: Iccd92721bbcd92604a4b0e5c845242bdf3dd0f66
parent
6a9b66357e
commit
6334e91b2f
|
@ -63,6 +63,8 @@ struct curlFileTransfer : public FileTransfer
|
|||
|
||||
std::unique_ptr<curl_slist, decltype([](auto * s) { curl_slist_free_all(s); })> requestHeaders;
|
||||
std::unique_ptr<CURL, decltype([](auto * c) { curl_easy_cleanup(c); })> req;
|
||||
// buffer to accompany the `req` above
|
||||
char errbuf[CURL_ERROR_SIZE];
|
||||
|
||||
inline static const std::set<long> successfulStatuses {200, 201, 204, 206, 304, 0 /* other protocol */};
|
||||
/* Get the HTTP status code, or 0 for other protocols. */
|
||||
|
@ -137,6 +139,9 @@ struct curlFileTransfer : public FileTransfer
|
|||
curl_easy_setopt(req.get(), CURLOPT_PROGRESSDATA, this);
|
||||
curl_easy_setopt(req.get(), CURLOPT_NOPROGRESS, 0);
|
||||
|
||||
curl_easy_setopt(req.get(), CURLOPT_ERRORBUFFER, errbuf);
|
||||
errbuf[0] = 0;
|
||||
|
||||
curl_easy_setopt(req.get(), CURLOPT_PROTOCOLS_STR, "http,https,ftp,ftps");
|
||||
|
||||
curl_easy_setopt(req.get(), CURLOPT_HTTPHEADER, requestHeaders.get());
|
||||
|
@ -397,8 +402,8 @@ struct curlFileTransfer : public FileTransfer
|
|||
code == CURLE_OK ? "" : fmt(" (curl error: %s)", curl_easy_strerror(code)))
|
||||
: FileTransferError(err,
|
||||
std::move(response),
|
||||
"unable to %s '%s': %s (%d)",
|
||||
verb(), uri, curl_easy_strerror(code), code);
|
||||
"unable to %s '%s': %s (%d) %s",
|
||||
verb(), uri, curl_easy_strerror(code), code, errbuf);
|
||||
|
||||
fail(std::move(exc));
|
||||
}
|
||||
|
|
|
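Review bot: The new format string in the last hunk appends `errbuf` unconditionally, so when libcurl leaves the buffer empty the message ends in a stray space, and when it is filled the text may overlap with what `curl_easy_strerror(code)` already printed. Appending it only when non-empty would read better, for example the format `"unable to %s '%s': %s (%d)%s"` with `errbuf[0] ? fmt(": %s", errbuf) : ""` as the last argument, mirroring the conditional used two lines above. Separately, the member is declared as `char errbuf[CURL_ERROR_SIZE];` with no initializer and is only cleared by `errbuf[0] = 0;` in the setup hunk; `char errbuf[CURL_ERROR_SIZE] = {};` would keep the read in the failure path defined even if that path were ever reached before setup runs. The HTTP-error branch visible at the top of the last hunk does not receive the buffer text at all, which may be intentional but deserves a short comment. All three enclosing bodies extend outside the hunks shown.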
@ -76,7 +76,7 @@ in
|
|||
# Fetching from a server with an untrusted cert should fail.
|
||||
err = machine.fail("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
|
||||
print(err)
|
||||
assert "SSL certificate problem: self-signed certificate" in err or "SSL peer certificate or SSH remote key was not OK" in err
|
||||
assert "SSL certificate problem: self-signed certificate" in err
|
||||
|
||||
# Fetching from a server with a trusted cert should work via environment variable override.
|
||||
machine.succeed("NIX_SSL_CERT_FILE=/tmp/cafile.pem nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }'")
|
||||
|
|
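Review bot: The tightened assertion pins the exact wording `self-signed certificate`, which comes from the TLS library behind libcurl rather than from Nix, so a backend or library version that words it differently will fail this test even though the untrusted fetch was rejected correctly. This assumes the single-string `assert` is the new side, since the page no longer shows the change markers. Matching the stable prefix, `assert "SSL certificate problem:" in err`, still verifies that the detailed curl error text reaches the user. A one-line comment such as `# detail text comes from curl's error buffer, not curl_easy_strerror` would explain why the old alternative message was dropped.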