line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Connector::Role::SSLUserAgent; |
2
|
1
|
|
|
1
|
|
975
|
use Moose::Role; |
|
1
|
|
|
|
|
4213
|
|
|
1
|
|
|
|
|
4
|
|
3
|
1
|
|
|
1
|
|
4483
|
use Data::Dumper; |
|
1
|
|
|
|
|
3
|
|
|
1
|
|
|
|
|
39
|
|
4
|
1
|
|
|
1
|
|
617
|
use LWP::UserAgent; |
|
1
|
|
|
|
|
40238
|
|
|
1
|
|
|
|
|
608
|
|
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
has timeout => ( |
7
|
|
|
|
|
|
|
is => 'rw', |
8
|
|
|
|
|
|
|
isa => 'Int', |
9
|
|
|
|
|
|
|
required => 0, |
10
|
|
|
|
|
|
|
default => 10, |
11
|
|
|
|
|
|
|
); |
12
|
|
|
|
|
|
|
|
13
|
|
|
|
|
|
|
has proxy => ( |
14
|
|
|
|
|
|
|
is => 'rw', |
15
|
|
|
|
|
|
|
isa => 'Str', |
16
|
|
|
|
|
|
|
required => 0, |
17
|
|
|
|
|
|
|
); |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
has agent => ( |
20
|
|
|
|
|
|
|
is => 'rw', |
21
|
|
|
|
|
|
|
isa => 'Object', |
22
|
|
|
|
|
|
|
lazy => 1, |
23
|
|
|
|
|
|
|
builder => '_init_agent', |
24
|
|
|
|
|
|
|
); |
25
|
|
|
|
|
|
|
|
26
|
|
|
|
|
|
|
has use_net_ssl => ( |
27
|
|
|
|
|
|
|
is => 'rw', |
28
|
|
|
|
|
|
|
isa => 'Bool', |
29
|
|
|
|
|
|
|
default => 0, |
30
|
|
|
|
|
|
|
); |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
has ssl_ignore_hostname => ( |
33
|
|
|
|
|
|
|
is => 'rw', |
34
|
|
|
|
|
|
|
isa => 'Bool', |
35
|
|
|
|
|
|
|
default => 0, |
36
|
|
|
|
|
|
|
); |
37
|
|
|
|
|
|
|
|
38
|
|
|
|
|
|
|
has ssl_ignore_mode => ( |
39
|
|
|
|
|
|
|
is => 'rw', |
40
|
|
|
|
|
|
|
isa => 'Bool', |
41
|
|
|
|
|
|
|
default => 0, |
42
|
|
|
|
|
|
|
); |
43
|
|
|
|
|
|
|
|
44
|
|
|
|
|
|
|
has certificate_file => ( |
45
|
|
|
|
|
|
|
is => 'rw', |
46
|
|
|
|
|
|
|
isa => 'Str', |
47
|
|
|
|
|
|
|
); |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
has certificate_key_file => ( |
50
|
|
|
|
|
|
|
is => 'rw', |
51
|
|
|
|
|
|
|
isa => 'Str', |
52
|
|
|
|
|
|
|
); |
53
|
|
|
|
|
|
|
|
54
|
|
|
|
|
|
|
has certificate_p12_file => ( |
55
|
|
|
|
|
|
|
is => 'rw', |
56
|
|
|
|
|
|
|
isa => 'Str', |
57
|
|
|
|
|
|
|
); |
58
|
|
|
|
|
|
|
|
59
|
|
|
|
|
|
|
has certificate_key_password => ( |
60
|
|
|
|
|
|
|
is => 'rw', |
61
|
|
|
|
|
|
|
isa => 'Str', |
62
|
|
|
|
|
|
|
); |
63
|
|
|
|
|
|
|
|
64
|
|
|
|
|
|
|
has ca_certificate_path => ( |
65
|
|
|
|
|
|
|
is => 'rw', |
66
|
|
|
|
|
|
|
isa => 'Str', |
67
|
|
|
|
|
|
|
); |
68
|
|
|
|
|
|
|
|
69
|
|
|
|
|
|
|
has ca_certificate_file => ( |
70
|
|
|
|
|
|
|
is => 'rw', |
71
|
|
|
|
|
|
|
isa => 'Str', |
72
|
|
|
|
|
|
|
); |
73
|
|
|
|
|
|
|
|
74
|
|
|
|
|
|
|
sub _init_agent { |
75
|
|
|
|
|
|
|
|
76
|
1
|
|
|
1
|
|
2
|
my $self = shift; |
77
|
|
|
|
|
|
|
|
78
|
1
|
|
|
|
|
21
|
my %ENV_BACKUP = %ENV; |
79
|
|
|
|
|
|
|
|
80
|
1
|
|
|
|
|
17
|
my $ua = LWP::UserAgent->new; |
81
|
1
|
|
|
|
|
2521
|
$ua->timeout( $self->timeout() ); |
82
|
1
|
50
|
|
|
|
40
|
if ($self->proxy()) { |
83
|
0
|
|
|
|
|
0
|
$ua->proxy(['http', 'https'], $self->proxy()); |
84
|
|
|
|
|
|
|
} |
85
|
|
|
|
|
|
|
|
86
|
|
|
|
|
|
|
# Force usage of net::ssl |
87
|
1
|
50
|
|
|
|
25
|
if ($self->use_net_ssl()) { |
|
|
50
|
|
|
|
|
|
88
|
0
|
|
|
|
|
0
|
require Net::SSL; |
89
|
0
|
|
|
|
|
0
|
$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "Net::SSL"; |
90
|
|
|
|
|
|
|
|
91
|
0
|
0
|
|
|
|
0
|
if ($self->certificate_p12_file) { |
92
|
0
|
|
|
|
|
0
|
$ENV{HTTPS_PKCS12_FILE} = $self->certificate_p12_file; |
93
|
|
|
|
|
|
|
|
94
|
0
|
0
|
0
|
|
|
0
|
if ($self->certificate_key_file || $self->certificate_file) { |
95
|
0
|
|
|
|
|
0
|
die "Options certificate_file/certificate_key_file and certificate_p12_file are mutually exclusive"; |
96
|
|
|
|
|
|
|
} |
97
|
|
|
|
|
|
|
|
98
|
0
|
0
|
|
|
|
0
|
if ($self->certificate_key_password) { |
99
|
0
|
|
|
|
|
0
|
$ENV{HTTPS_PKCS12_PASSWORD} = $self->certificate_key_password; |
100
|
|
|
|
|
|
|
} |
101
|
|
|
|
|
|
|
} |
102
|
|
|
|
|
|
|
|
103
|
0
|
0
|
|
|
|
0
|
if ($self->certificate_key_file) { |
|
|
0
|
|
|
|
|
|
104
|
0
|
0
|
|
|
|
0
|
if ($self->certificate_key_password) { |
105
|
0
|
|
|
|
|
0
|
die "Net::SSL does not support password protected keys - use certificate_p12_file instead"; |
106
|
|
|
|
|
|
|
} |
107
|
|
|
|
|
|
|
|
108
|
0
|
0
|
|
|
|
0
|
if (!$self->certificate_file) { |
109
|
0
|
|
|
|
|
0
|
die "You need to pass certificate AND key file, use certificate_p12_file to pass a PKCS12"; |
110
|
|
|
|
|
|
|
} |
111
|
|
|
|
|
|
|
|
112
|
0
|
|
|
|
|
0
|
$ENV{HTTPS_KEY_FILE} = $self->certificate_key_file; |
113
|
0
|
|
|
|
|
0
|
$ENV{HTTPS_CERT_FILE} = $self->certificate_file; |
114
|
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
} elsif ($self->certificate_file) { |
116
|
0
|
|
|
|
|
0
|
die "You need to pass certificate AND key file, use certificate_p12_file to pass a PKCS12"; |
117
|
|
|
|
|
|
|
} |
118
|
|
|
|
|
|
|
|
119
|
0
|
0
|
|
|
|
0
|
if ($self->ca_certificate_path) { |
120
|
0
|
|
|
|
|
0
|
$ENV{HTTPS_CA_DIR} = $self->ca_certificate_path; |
121
|
|
|
|
|
|
|
} |
122
|
|
|
|
|
|
|
|
123
|
0
|
0
|
|
|
|
0
|
if ($self->ca_certificate_file) { |
124
|
0
|
|
|
|
|
0
|
$ENV{HTTPS_CA_FILE} = $self->ca_certificate_file; |
125
|
|
|
|
|
|
|
} |
126
|
|
|
|
|
|
|
|
127
|
0
|
|
|
|
|
0
|
$self->log()->trace('Using Net::SSL, EVN is' . Dumper $ENV); |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
} # end of Net:SSL, IO::Socket::SSL |
130
|
|
|
|
|
|
|
elsif( $self->LOCATION() =~ /^https:/i ) { |
131
|
|
|
|
|
|
|
|
132
|
1
|
|
|
|
|
663
|
require IO::Socket::SSL; |
133
|
1
|
|
|
|
|
61402
|
$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "IO::Socket::SSL"; |
134
|
|
|
|
|
|
|
|
135
|
1
|
50
|
|
|
|
33
|
my $ssl_opts = { |
|
|
50
|
|
|
|
|
|
136
|
|
|
|
|
|
|
verify_hostname => ($self->ssl_ignore_hostname ? 0 : 1), |
137
|
|
|
|
|
|
|
SSL_verify_mode => ($self->ssl_ignore_mode ? 0 : 1) |
138
|
|
|
|
|
|
|
}; |
139
|
1
|
50
|
|
|
|
79
|
if ($self->certificate_p12_file) { |
140
|
0
|
|
|
|
|
0
|
die "Using pkcs12 containers is not supported by IO::Socket::SSL" |
141
|
|
|
|
|
|
|
} |
142
|
|
|
|
|
|
|
|
143
|
1
|
50
|
|
|
|
26
|
if ($self->certificate_key_file) { |
|
|
50
|
|
|
|
|
|
144
|
0
|
0
|
|
|
|
0
|
if (!$self->certificate_file) { |
145
|
0
|
|
|
|
|
0
|
die "You need to pass certificate AND key file"; |
146
|
|
|
|
|
|
|
} |
147
|
0
|
|
|
|
|
0
|
$ssl_opts->{SSL_key_file} = $self->certificate_key_file; |
148
|
0
|
|
|
|
|
0
|
$ssl_opts->{SSL_cert_file} = $self->certificate_file; |
149
|
|
|
|
|
|
|
|
150
|
0
|
0
|
|
|
|
0
|
if ( $self->certificate_key_password ) { |
151
|
0
|
|
|
0
|
|
0
|
$ssl_opts->{SSL_passwd_cb} = sub { return $self->certificate_key_password; }; |
|
0
|
|
|
|
|
0
|
|
152
|
|
|
|
|
|
|
} |
153
|
|
|
|
|
|
|
|
154
|
|
|
|
|
|
|
} elsif ($self->certificate_file) { |
155
|
0
|
|
|
|
|
0
|
die "You need to pass certificate AND key file"; |
156
|
|
|
|
|
|
|
} |
157
|
|
|
|
|
|
|
|
158
|
1
|
50
|
|
|
|
27
|
if ($self->ca_certificate_path) { |
159
|
0
|
|
|
|
|
0
|
$ssl_opts->{SSL_ca_path} = $self->ca_certificate_path; |
160
|
|
|
|
|
|
|
} |
161
|
|
|
|
|
|
|
|
162
|
1
|
50
|
|
|
|
26
|
if ($self->ca_certificate_file) { |
163
|
0
|
|
|
|
|
0
|
$ssl_opts->{SSL_ca_file} = $self->ca_certificate_file; |
164
|
|
|
|
|
|
|
} |
165
|
|
|
|
|
|
|
|
166
|
1
|
|
|
|
|
2
|
$ua->ssl_opts( %{$ssl_opts} ); |
|
1
|
|
|
|
|
52
|
|
167
|
|
|
|
|
|
|
|
168
|
1
|
|
|
|
|
73
|
$self->log()->trace('Using IO::Socket::SSL with options ' . Dumper $ssl_opts); |
169
|
|
|
|
|
|
|
} else { |
170
|
|
|
|
|
|
|
# No ssl |
171
|
|
|
|
|
|
|
} |
172
|
|
|
|
|
|
|
|
173
|
1
|
|
|
|
|
123
|
return $ua; |
174
|
|
|
|
|
|
|
} |
175
|
|
|
|
|
|
|
|
176
|
|
|
|
|
|
|
1; |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
__END__; |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
=head1 Connector::Role::SSLUserAgent |
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
Setup the HTTP UserAgent object with connection and SSL parameters. |
183
|
|
|
|
|
|
|
|
184
|
|
|
|
|
|
|
=head2 LWP options |
185
|
|
|
|
|
|
|
|
186
|
|
|
|
|
|
|
=over |
187
|
|
|
|
|
|
|
|
188
|
|
|
|
|
|
|
=item timeout |
189
|
|
|
|
|
|
|
|
190
|
|
|
|
|
|
|
Timeout for the connection in seconds, default is 10. |
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
=item proxy |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
URL of a proxy to use, must include protocol and port, |
195
|
|
|
|
|
|
|
e.g. https://proxy.intranet.company.com:8080/ |
196
|
|
|
|
|
|
|
|
197
|
|
|
|
|
|
|
=back |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
=head2 SSL support |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
This connector supports client authentication using certificates. |
202
|
|
|
|
|
|
|
|
203
|
|
|
|
|
|
|
=over |
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
=item use_net_ssl |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
Set this to a true value to use Net::SSL as backend library (otherwise |
208
|
|
|
|
|
|
|
IO::Socket::SSL is used). Be aware the Net::SSL does not check the hostname |
209
|
|
|
|
|
|
|
of the server certificate so Man-in-the-Middle-Attacks might be possible. |
210
|
|
|
|
|
|
|
You should use this only with a really good reason or if you need support |
211
|
|
|
|
|
|
|
for PKCS12 containers. |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
=item ssl_ignore_hostname |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
Do not validate the hostname of the server certificate (only useful with |
216
|
|
|
|
|
|
|
IO::Socket::SSL as Net::SSL does not check the hostname at all). |
217
|
|
|
|
|
|
|
|
218
|
|
|
|
|
|
|
=item certificate_file |
219
|
|
|
|
|
|
|
|
220
|
|
|
|
|
|
|
Path to a PEM encoded certificate file. |
221
|
|
|
|
|
|
|
|
222
|
|
|
|
|
|
|
=item certificate_key_file |
223
|
|
|
|
|
|
|
|
224
|
|
|
|
|
|
|
Path to a PEM encoded key file. |
225
|
|
|
|
|
|
|
|
226
|
|
|
|
|
|
|
=item certificate_p12_file |
227
|
|
|
|
|
|
|
|
228
|
|
|
|
|
|
|
Path to a PKCS12 container file. This is only supported by Net:SSL and can |
229
|
|
|
|
|
|
|
not be used together with certificate_file/certificate_key_file. |
230
|
|
|
|
|
|
|
|
231
|
|
|
|
|
|
|
=item certificate_key_password |
232
|
|
|
|
|
|
|
|
233
|
|
|
|
|
|
|
The plain password of your encrypted key or PKCS12 container. Note that |
234
|
|
|
|
|
|
|
Net::SSL does not support password protected keys. You need to use a PKCS12 |
235
|
|
|
|
|
|
|
container instead! Leave this empty if your key is not protected by a password. |
236
|
|
|
|
|
|
|
|
237
|
|
|
|
|
|
|
=item ca_certificate_path |
238
|
|
|
|
|
|
|
|
239
|
|
|
|
|
|
|
Path to a directory with trusted certificates (with openssl hashed names). |
240
|
|
|
|
|
|
|
Also used to validate the server certificate even if no client authentication |
241
|
|
|
|
|
|
|
is used. |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
=item ca_certificate_file |
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
Same as ca_certificate_path pointing to a single file. |
246
|
|
|
|
|
|
|
|
247
|
|
|
|
|
|
|
=item ssl_ignore_mode |
248
|
|
|
|
|
|
|
|
249
|
|
|
|
|
|
|
Boolean, turn of validation of ssl peer certificate (IO::Socket only). |
250
|
|
|
|
|
|
|
|
251
|
|
|
|
|
|
|
=back |