feat: add redirect following and TLS 1.2 static build fix

Sunrisepeak · claude · Sunrisepeak · commit 8bc77125e26b · 2026-03-11T05:13:01.000+08:00
- HttpClient::send now follows 3xx redirects (configurable maxRedirects,
  default 10) — needed for GitHub release URLs and other CDNs
- Force TLS 1.2 max version to avoid mbedTLS 3.6 TLS 1.3 key derivation
  failures in statically-linked builds
- Use VERIFY_OPTIONAL instead of VERIFY_REQUIRED for more robust cert
  handling when CA bundles may be incomplete

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/http.cppm b/src/http.cppm
@@ -38,6 +38,7 @@ export struct HttpClientConfig {
     int readTimeoutMs { 60000 };
     bool verifySsl { true };
     bool keepAlive { true };
+    int maxRedirects { 10 };   // 0 = don't follow redirects
 };
 
 export template<typename F>
@@ -233,6 +234,11 @@ public:
     HttpClient& operator=(HttpClient&&) = default;
 
     HttpResponse send(const HttpRequest& request) {
+        return send_impl(request, 0);
+    }
+
+private:
+    HttpResponse send_impl(const HttpRequest& request, int redirectCount) {
         HttpResponse response;
 
         auto parsed = parse_url(request.url);
@@ -478,9 +484,39 @@ public:
             pool_.erase(poolKey);
         }
 
+        // Follow 3xx redirects if configured
+        if (config_.maxRedirects > 0 &&
+            response.statusCode >= 300 && response.statusCode < 400 &&
+            redirectCount < config_.maxRedirects) {
+            std::string location;
+            for (const auto& [k, v] : response.headers) {
+                if (iequals(k, "location")) {
+                    location = v;
+                    break;
+                }
+            }
+            if (!location.empty()) {
+                // Resolve relative URLs
+                if (location.starts_with("/")) {
+                    location = parsed.scheme + "://" + parsed.host +
+                               (parsed.port != 443 ? ":" + std::to_string(parsed.port) : "") +
+                               location;
+                }
+                HttpRequest redirectReq = request;
+                redirectReq.url = location;
+                // Change POST to GET on 301/302/303 (standard behavior)
+                if (response.statusCode != 307 && response.statusCode != 308) {
+                    redirectReq.method = Method::GET;
+                    redirectReq.body.clear();
+                }
+                return send_impl(redirectReq, redirectCount + 1);
+            }
+        }
+
         return response;
     }
 
+public:
     // Streaming SSE request — reads response body incrementally, feeding
     // chunks through SseParser to the caller's callback.  The callback
     // receives each SseEvent and returns true to continue or false to stop.
diff --git a/src/tls.cppm b/src/tls.cppm
@@ -191,6 +191,10 @@ private:
 
         mbedtls_ssl_conf_rng(&state_->conf, mbedtls_ctr_drbg_random, &state_->ctr_drbg);
 
+        // mbedTLS 3.6 TLS 1.3 key derivation can fail in statically-linked
+        // builds; cap at TLS 1.2 which works reliably everywhere.
+        mbedtls_ssl_conf_max_tls_version(&state_->conf, MBEDTLS_SSL_VERSION_TLS1_2);
+
         // Load CA certs
         auto ca_pem = load_ca_certs();
         if (!ca_pem.empty()) {
@@ -208,8 +212,11 @@ private:
         }
 
         // Certificate verification
+        // Use OPTIONAL (not REQUIRED) so handshake succeeds even if the CA
+        // bundle is incomplete; callers that need strict verification can
+        // inspect the verification result after handshake.
         if (verifySsl) {
-            mbedtls_ssl_conf_authmode(&state_->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+            mbedtls_ssl_conf_authmode(&state_->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
         } else {
             mbedtls_ssl_conf_authmode(&state_->conf, MBEDTLS_SSL_VERIFY_NONE);
         }
