File Coverage

blib/lib/Net/SSLGlue/LWP.pm

Criterion	Covered	Total	%
statement	16	29	55.1
branch	0	10	0.0
condition	0	9	0.0
subroutine	6	6	100.0
pod			n/a
total	22	54	40.7

line	stmt	bran	cond	sub	time	code
1	1			1	85742	use strict;
	1				3
	1				30
2	1			1	6	use warnings;
	1				2
	1				63
3						package Net::SSLGlue::LWP;
4						our $VERSION = 0.5;
5	1			1	6	use LWP::UserAgent '5.822';
	1				3
	1				28
6	1			1	6	use IO::Socket::SSL 1.19;
	1				43
	1				9
7	1			1	201	use URI;
	1				3
	1				233
8
9						# force Net::SSLGlue::LWP::Socket as superclass of Net::HTTPS, because
10						# only it can verify certificates
11						my $use_existent;
12						BEGIN {
13	1			1	1505	require LWP::Protocol::https;
14	0		0			$use_existent = $LWP::Protocol::https::VERSION >= 6.06
15						&& $LWP::UserAgent::VERSION >= 6.06;
16	0	0				if ($use_existent) {
17						my $oc = $Net::HTTPS::SSL_SOCKET_CLASS \|\|
18	0		0			$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS};
19	0	0	0			$use_existent = 0 if $oc && $oc ne 'IO::Socket::SSL';
20						}
21	0	0				if ($use_existent) {
22	0					warn "Your LWP::UserAgent/LWP::Protocol::https looks fine.\n".
23						"Will use it instead of Net::SSLGLue::LWP\n";
24						} else {
25	0					my $oc = $Net::HTTPS::SSL_SOCKET_CLASS;
26	0					$Net::HTTPS::SSL_SOCKET_CLASS = my $need = 'Net::SSLGlue::LWP::Socket';
27	0					require Net::HTTPS;
28
29	0	0				if ( ( my $oc = $Net::HTTPS::SSL_SOCKET_CLASS ) ne $need ) {
30						# was probably loaded before, change ISA
31	0					grep { s{^\Q$oc\E$}{$need} } @Net::HTTPS::ISA
	0
32						}
33	0	0				die "cannot force $need into Net::HTTPS"
34						if $Net::HTTPS::SSL_SOCKET_CLASS ne $need;
35						}
36						}
37
38
39						our %SSLopts; # set by local and import
40						sub import {
41						shift;
42						%SSLopts = @_;
43						}
44
45						if (!$use_existent) {
46						# add SSL options
47						my $old_eso = UNIVERSAL::can( 'LWP::Protocol::https','_extra_sock_opts' );
48						no warnings 'redefine';
49						*LWP::Protocol::https::_extra_sock_opts = sub {
50						return (
51						$old_eso ? ( $old_eso->(@_) ):(),
52						SSL_verify_mode => 1,
53						SSL_verifycn_scheme => 'http',
54						HTTPS_proxy => $_[0]->{ua}{https_proxy},
55						%SSLopts,
56						);
57						};
58
59						# fix https_proxy handling - forward it to a variable handled by me
60						my $old_proxy = defined &LWP::UserAgent::proxy && \&LWP::UserAgent::proxy
61						or die "cannot find LWP::UserAgent::proxy";
62						*LWP::UserAgent::proxy = sub {
63						my ($self,$key,$val) = @_;
64						goto &$old_proxy if ref($key) \|\| $key ne 'https';
65						if (@_>2) {
66						my $rv = &$old_proxy;
67						$self->{https_proxy} = delete $self->{proxy}{https}
68						\|\| die "https proxy not set?";
69						}
70						return $self->{https_proxy};
71						};
72
73						} else {
74						# wrapper around LWP::Protocol::https::_extra_sock_opts to support %SSLopts
75						my $old_eso = UNIVERSAL::can( 'LWP::Protocol::https','_extra_sock_opts' )
76						or die "no LWP::Protocol::https::_extra_sock_opts found";
77						no warnings 'redefine';
78						*LWP::Protocol::https::_extra_sock_opts = sub {
79						return (
80						$old_eso->(@_),
81						%SSLopts,
82						);
83						};
84						}
85
86						{
87
88						package Net::SSLGlue::LWP::Socket;
89						use IO::Socket::SSL;
90						use base 'IO::Socket::SSL';
91						my $sockclass = 'IO::Socket::INET';
92						use URI::Escape 'uri_unescape';
93						use MIME::Base64 'encode_base64';
94						$sockclass .= '6' if eval "require IO::Socket::INET6";
95
96						sub configure {
97						my ($self,$args) = @_;
98						my $phost = delete $args->{HTTPS_proxy}
99						or return $self->SUPER::configure($args);
100						$phost = URI->new($phost) if ! ref $phost;
101
102						my $port = $args->{PeerPort};
103						my $host = $args->{PeerHost} \|\| $args->{PeerAddr};
104						if ( ! $port ) {
105						$host =~s{:(\w+)$}{};
106						$port = $args->{PeerPort} = $1;
107						$args->{PeerHost} = $host;
108						}
109						if ( $phost->scheme ne 'http' ) {
110						$@ = "scheme ".$phost->scheme." not supported for https_proxy";
111						return;
112						}
113						my $auth = '';
114						if ( my ($user,$pass) = split( ':', $phost->userinfo \|\| '' ) ) {
115						$auth = "Proxy-authorization: Basic ".
116						encode_base64( uri_unescape($user).':'.uri_unescape($pass),'' ).
117						"\r\n";
118						}
119
120						my $pport = $phost->port;
121						$phost = $phost->host;
122
123						# temporally downgrade $self so that the right connect chain
124						# gets called w/o doing SSL stuff. If we don't do it it will
125						# try to call IO::Socket::SSL::connect
126						my $ssl_class = ref($self);
127						bless $self,$sockclass;
128						$self->configure({ %$args, PeerAddr => $phost, PeerPort => $pport }) or do {
129						$@ = "connect to proxy $phost port $pport failed";
130						return;
131						};
132						print $self "CONNECT $host:$port HTTP/1.0\r\n$auth\r\n";
133						my $hdr = '';
134						while (<$self>) {
135						$hdr .= $_;
136						last if $_ eq "\n" or $_ eq "\r\n";
137						}
138						if ( $hdr !~m{\AHTTP/1.\d 2\d\d} ) {
139						# error
140						$@ = "non 2xx response to CONNECT: $hdr";
141						return;
142						}
143
144						# and upgrade self by calling start_SSL
145						$ssl_class->start_SSL( $self,
146						SSL_verifycn_name => $host,
147						%$args
148						) or do {
149						$@ = "start SSL failed: $SSL_ERROR";
150						return;
151						};
152						return $self;
153						};
154						}
155
156						1;
157
158						=head1 NAME
159
160						Net::SSLGlue::LWP - proper certificate checking for https in LWP
161
162						=head1 SYNOPSIS
163						u
164						use Net::SSLGlue::LWP SSL_ca_path => ...;
165						use LWP::Simple;
166						get( 'https://www....' );
167
168						{
169						local %Net::SSLGlue::LWP::SSLopts = %Net::SSLGlue::LWP::SSLopts;
170
171						# switch off verification
172						$Net::SSLGlue::LWP::SSLopts{SSL_verify_mode} = 0;
173
174						# or: set different verification policy, because cert does
175						# not conform to RFC (wildcards in CN are not allowed for https,
176						# but some servers do it anyway)
177						$Net::SSLGlue::LWP::SSLopts{SSL_verifycn_scheme} = {
178						wildcards_in_cn => 'anywhere',
179						check_cn => 'always',
180						};
181						}
182
183
184						=head1 DESCRIPTION
185
186						L modifies L and L so that
187						L is forced to use L instead of L,
188						and that L does proper certificate checking using the
189						C SSL_verify_scheme from L.
190
191						This module should only be used for older LWP version, see B
192						versions> below.
193
194						Because L does not have a mechanism to forward arbitrary parameters for
195						the construction of the underlying socket these parameters can be set globally
196						when including the package, or with local settings of the
197						C<%Net::SSLGlue::LWP::SSLopts> variable.
198
199						All of the C parameter from L can be used; the
200						following parameters are especially useful:
201
202						=over 4
203
204						=item SSL_ca_path, SSL_ca_file
205
206						Specifies the path or a file where the CAs used for checking the certificates
207						are located. This is typically L on UNIX systems.
208
209						=item SSL_verify_mode
210
211						If set to 0, verification of the certificate will be disabled. By default
212						it is set to 1 which means that the peer certificate is checked.
213
214						=item SSL_verifycn_name
215
216						Usually the name given as the hostname in the constructor is used to verify the
217						identity of the certificate. If you want to check the certificate against
218						another name you can specify it with this parameter.
219
220						=back
221
222						=head1 Supported LWP versions
223
224						This module should be used for older LWP version only. Starting with version
225						6.06 it is recommended to use LWP directly. If a recent version is found
226						Net::SSLGlue::LWP will print out a warning and not monkey patch too much into
227						LWP (only as much as necessary to still support C<%Net::SSLGlue::LWP::SSLopts>).
228
229						=head1 SEE ALSO
230
231						IO::Socket::SSL, LWP, Net::HTTPS, LWP::Protocol::https
232
233						=head1 COPYRIGHT
234
235						This module is copyright (c) 2008..2015, Steffen Ullrich.
236						All Rights Reserved.
237						This module is free software. It may be used, redistributed and/or modified
238						under the same terms as Perl itself.
239