From 6334e91b2ffbbb7214fdb342dbcc428072bfe9d6 Mon Sep 17 00:00:00 2001
From: Tom Bereknyei
Date: Fri, 2 Aug 2024 20:02:57 -0400
Subject: [PATCH] feat: better warning for common SSL errors
(cherry picked from commit 3e5bf903413f420c1f997e4b55140761172b8434)
Upstream-PR: https://github.com/NixOS/nix/pull/11246
Change-Id: Iccd92721bbcd92604a4b0e5c845242bdf3dd0f66
---
src/libstore/filetransfer.cc | 9 +++++++--
tests/nixos/fetchurl.nix | 2 +-
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
index 68ead1d82..a840dd647 100644
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@@ -63,6 +63,8 @@ struct curlFileTransfer : public FileTransfer
 std::unique_ptr requestHeaders;
 std::unique_ptr req;
+ // buffer to accompany the `req` above
+ char errbuf[CURL_ERROR_SIZE];
 inline static const std::set successfulStatuses {200, 201, 204, 206, 304, 0 /* other protocol */};
 /* Get the HTTP status code, or 0 for other protocols. */
@@ -137,6 +139,9 @@ struct curlFileTransfer : public FileTransfer
 curl_easy_setopt(req.get(), CURLOPT_PROGRESSDATA, this);
 curl_easy_setopt(req.get(), CURLOPT_NOPROGRESS, 0);
+ curl_easy_setopt(req.get(), CURLOPT_ERRORBUFFER, errbuf);
+ errbuf[0] = 0;
+
 curl_easy_setopt(req.get(), CURLOPT_PROTOCOLS_STR, "http,https,ftp,ftps");
 curl_easy_setopt(req.get(), CURLOPT_HTTPHEADER, requestHeaders.get());
@@ -397,8 +402,8 @@ struct curlFileTransfer : public FileTransfer
 code == CURLE_OK ? "" : fmt(" (curl error: %s)", curl_easy_strerror(code)))
 : FileTransferError(err, std::move(response),
- "unable to %s '%s': %s (%d)",
- verb(), uri, curl_easy_strerror(code), code);
+ "unable to %s '%s': %s (%d) %s",
+ verb(), uri, curl_easy_strerror(code), code, errbuf);
 fail(std::move(exc));
 }
diff --git a/tests/nixos/fetchurl.nix b/tests/nixos/fetchurl.nix
index 97365d053..719405be5 100644
--- a/tests/nixos/fetchurl.nix
+++ b/tests/nixos/fetchurl.nix
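Review bot: `char errbuf[CURL_ERROR_SIZE];` is declared without an initializer, so the member holds indeterminate bytes until the later `errbuf[0] = 0;` in the setup code runs, and the error-reporting path added further down reads it as a C string; brace-initialising it at the declaration, `char errbuf[CURL_ERROR_SIZE] = {};`, makes the buffer safe to print regardless of whether setup ran for this attempt. The comment `// buffer to accompany the \`req\` above` does not tell a reader what the buffer is for or why it must be a member; something like `// libcurl writes a human-readable description of the last error here (CURLOPT_ERRORBUFFER); it is registered by pointer, so it must stay at a fixed address for as long as req is live` would carry the lifetime constraint. The enclosing struct starts before this hunk, so I cannot see whether it is ever copied or moved after setup — worth confirming, since a relocated object would leave curl writing into the stale address.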
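Review bot: The new format `"unable to %s '%s': %s (%d) %s"` appends `errbuf` unconditionally, so when libcurl leaves the buffer empty (it may for some error codes) the message ends in a dangling space, and when it is filled it often restates the `curl_easy_strerror(code)` text that precedes it. The sibling branch a few lines up already uses the shape `code == CURLE_OK ? "" : fmt(" (curl error: %s)", ...)`; the same shape here — format `"unable to %s '%s': %s (%d)%s"` with the final argument `errbuf[0] ? fmt(": %s", errbuf) : ""` — keeps the previous message byte-for-byte when there is no extra detail. Passing `errbuf` as a `%s` argument rather than splicing it into the format string is the right choice, since its contents may include text derived from the remote peer (certificate names, TLS alert descriptions); keep it that way. The enclosing function begins and ends outside this hunk.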
@@ -76,7 +76,7 @@ in
 # Fetching from a server with an untrusted cert should fail.
 err = machine.fail("nix build --no-substitute --expr 'import { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
 print(err)
- assert "SSL certificate problem: self-signed certificate" in err or "SSL peer certificate or SSH remote key was not OK" in err
+ assert "SSL certificate problem: self-signed certificate" in err
 # Fetching from a server with a trusted cert should work via environment variable override.
 machine.succeed("NIX_SSL_CERT_FILE=/tmp/cafile.pem nix build --no-substitute --expr 'import { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }'")
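Review bot: Dropping the `"SSL peer certificate or SSH remote key was not OK"` alternative ties the assertion to the exact wording that libcurl and the TLS backend place in the error buffer, and that wording is not stable across versions (older OpenSSL releases spell the reason `self signed certificate` without the hyphen, as far as I recall); the removed alternative was presumably there to absorb exactly that variation. Unless the test VM pins curl and OpenSSL, keeping both alternatives, or matching on the stable prefix `assert "SSL certificate problem:" in err`, would still prove that the new error-buffer text reaches the user without failing on a harmless wording change.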