1 files changed, 76 insertions, 0 deletions

diff --git a/lib/bundler/cli/doctor/ssl.rb b/lib/bundler/cli/doctor/ssl.rb
index f0d8a9b986..7ddca0c8a4 100644
--- a/lib/bundler/cli/doctor/ssl.rb
+++ b/lib/bundler/cli/doctor/ssl.rb
@@ -17,6 +17,8 @@ module Bundler
       output_ssl_environment
       bundler_success = bundler_connection_successful?
       rubygem_success = rubygem_connection_successful?
+
+      return unless net_http_connection_successful?
     end
 
     private
@@ -92,6 +94,29 @@ module Bundler
       false
     end
 
+    def net_http_connection_successful?
+      ::Gem::Net::HTTP.new(uri.host, uri.port).tap do |http|
+        http.use_ssl = true
+        http.min_version = tls_version
+        http.max_version = tls_version
+        http.verify_mode = verify_mode
+      end.start
+
+      Bundler.ui.info("Ruby net/http: success")
+
+      true
+    rescue StandardError => error
+      Bundler.ui.warn(<<~MSG)
+        Ruby net/http: failed
+
+        Unfortunately, this Ruby can't connect to #{host}.
+
+        #{Explanation.explain_net_http_error(error, host, tls_version)}
+      MSG
+
+      false
+    end
+
     module Explanation
       extend self
 
@@ -107,6 +132,57 @@ module Bundler
           error.message
         end
       end
+
+      def explain_net_http_error(error, host, tls_version)
+        case error.message
+        # Check for certificate errors
+        when /certificate verify failed/
+          <<~MSG
+            #{show_ssl_certs}
+            Your Ruby can't connect to #{host} because you are missing the certificate files OpenSSL needs to verify you are connecting to the genuine #{host} servers.
+          MSG
+        # Check for TLS version errors
+        when /read server hello A/, /tlsv1 alert protocol version/
+          if tls_version.to_s == "TLS1_3"
+            "Your Ruby can't connect to #{host} because #{tls_version} isn't supported yet.\n"
+          else
+            <<~MSG
+              Your Ruby can't connect to #{host} because your version of OpenSSL is too old.
+              You'll need to upgrade your OpenSSL install and/or recompile Ruby to use a newer OpenSSL.
+            MSG
+          end
+        # OpenSSL doesn't support TLS version specified by argument
+        when /unknown SSL method/
+          "Your Ruby can't connect because #{tls_version} isn't supported by your version of OpenSSL."
+        else
+          <<~MSG
+            Even worse, we're not sure why.
+
+            Here's the full error information:
+            #{error.class}: #{error.message}
+              #{error.backtrace.join("\n  ")}
+
+            You might have more luck using Mislav's SSL doctor.rb script. You can get it here:
+            https://github.com/mislav/ssl-tools/blob/8b3dec4/doctor.rb
+
+            Read more about the script and how to use it in this blog post:
+            https://mislav.net/2013/07/ruby-openssl/
+          MSG
+        end
+      end
+
+      private
+
+      def show_ssl_certs
+        ssl_cert_file = ENV["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE
+        ssl_cert_dir  = ENV["SSL_CERT_DIR"]  || OpenSSL::X509::DEFAULT_CERT_DIR
+
+        <<~MSG
+          Below affect only Ruby net/http connections:
+          SSL_CERT_FILE: #{File.exist?(ssl_cert_file) ? "exists     #{ssl_cert_file}" : "is missing #{ssl_cert_file}"}
+          SSL_CERT_DIR:  #{Dir.exist?(ssl_cert_dir)   ? "exists     #{ssl_cert_dir}"  : "is missing #{ssl_cert_dir}"}
+        MSG
+      end
     end
   end
 end