From patchwork Mon Oct 15 10:14:43 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin via GitGitGadget X-Patchwork-Id: 10641519 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8A7C6157A for ; Mon, 15 Oct 2018 10:14:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 710D42942E for ; Mon, 15 Oct 2018 10:14:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 635122946A; Mon, 15 Oct 2018 10:14:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D3AD12942E for ; Mon, 15 Oct 2018 10:14:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726927AbeJOR7U (ORCPT ); Mon, 15 Oct 2018 13:59:20 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:41601 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726760AbeJOR7U (ORCPT ); Mon, 15 Oct 2018 13:59:20 -0400 Received: by mail-pl1-f195.google.com with SMTP id q17-v6so9072120plr.8 for ; Mon, 15 Oct 2018 03:14:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:message-id:in-reply-to:references:from:subject:fcc :content-transfer-encoding:mime-version:to:cc; bh=XPR6UWqsjqif9jAgEp08erZbJ04slvH4snftfy0ci7Q=; b=UL5MK6GVO0U/0QIB6d39tWH6NkIuz/pocupMt/F4wBcc6zq9vxlP5pCPthBC1iJG5U E5ItFYzkPAuRtZ3/CqKKR5K4VhF+GmGuVmU6MUfCoKBLdGORyjMovlvAwJsonzda8ARX tOQpjgL9vTjGta2oh3PCWbmpGH0ozI837XUag2DR7d+WYRUtcR89sNNbW7uNch3bRc8T kcPiiYYke+TEat0Cjj/PRaStxFIiLGc6nS/9hfNzQGn26si4NsFnPbnmcAShEQGVIBsg MCTx6i6rj3zkdRIxLw4uCXGK0EAvc80DbcAWcOUfqI3P9/s38ZKHBwZE1PLLbnP7n4P5 1AbQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:in-reply-to:references:from :subject:fcc:content-transfer-encoding:mime-version:to:cc; bh=XPR6UWqsjqif9jAgEp08erZbJ04slvH4snftfy0ci7Q=; b=r6vo9CWp172ukXnh5Rh72A3QL3joCMNGjvVjd1pfUPhOPQJVViSLfq6nbpeLU0jaKq UQaDbEDspiuX87tFjsQDcxFckhY8acw1nXvT6wsFMUYXDls5DPJFEquqXo++P7NWyAVO 01X4D0W8wWEtRvUXe6x//vSCxFK35VDpfXw6EX1dxqx/qu6fM31tVo3AGv2tDVD/B71U qC+VZoByqOTipyUsi+Zb1AZAjGng8lPEmqC+Yd2Wj9G3qSeHDOzpuxM6fN2uUrTIolx8 9MnO2Kt2FtE3EH2Gv5KTKr/P6MCngaDvALRNDYsxzIXgBZVKNKMf7woFfo5RtXlg5JKT c8RA== X-Gm-Message-State: ABuFfogW5PjUiMk6VCNNRNr6VUNXwoflRMAqfcsIVCG6ufV0qLK4A+3J JelH1yYRzFsJG6ufXeGsgqW52OOn X-Google-Smtp-Source: ACcGV63QywO+eTpYyStjESRZDjR+PQLPfGXFbHcE9CWLmIl7D+yCrw01wyp/uQHGdnXvcFvAQlG8ZQ== X-Received: by 2002:a17:902:1004:: with SMTP id b4-v6mr1289568pla.172.1539598484467; Mon, 15 Oct 2018 03:14:44 -0700 (PDT) Received: from [127.0.0.1] ([40.112.137.127]) by smtp.gmail.com with ESMTPSA id h6-v6sm12976366pgn.84.2018.10.15.03.14.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 Oct 2018 03:14:43 -0700 (PDT) Date: Mon, 15 Oct 2018 03:14:43 -0700 (PDT) X-Google-Original-Date: Mon, 15 Oct 2018 10:14:38 GMT Message-Id: <8c5ecdb6c9a73405036672db8bc1e36c5c6c6951.1539598481.git.gitgitgadget@gmail.com> In-Reply-To: References: From: "Johannes Schindelin via GitGitGadget" Subject: [PATCH 1/3] http: add support for selecting SSL backends at runtime Fcc: Sent MIME-Version: 1.0 To: git@vger.kernel.org Cc: Junio C Hamano , Johannes Schindelin Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Johannes Schindelin As of version 7.56.0, curl supports being compiled with multiple SSL backends. This patch adds the Git side of that feature: by setting http.sslBackend to "openssl" or "schannel", Git for Windows can now choose the SSL backend at runtime. This comes in handy on Windows because Secure Channel ("schannel") is the native solution, accessing the Windows Credential Store, thereby allowing for enterprise-wide management of certificates. For historical reasons, Git for Windows needs to support OpenSSL still, as it has previously been the only supported SSL backend in Git for Windows for almost a decade. The patch has been carried in Git for Windows for over a year, and is considered mature. Signed-off-by: Johannes Schindelin --- Documentation/config.txt | 5 +++++ http.c | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 1546833213..7d38f0bf1a 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1984,6 +1984,11 @@ http.sslCAPath:: with when fetching or pushing over HTTPS. Can be overridden by the `GIT_SSL_CAPATH` environment variable. +http.sslBackend:: + Name of the SSL backend to use (e.g. "openssl" or "schannel"). + This option is ignored if cURL lacks support for choosing the SSL + backend at runtime. + http.pinnedpubkey:: Public key of the https service. It may either be the filename of a PEM or DER encoded public key file or a string starting with diff --git a/http.c b/http.c index 98ff122585..7fb37a061b 100644 --- a/http.c +++ b/http.c @@ -155,6 +155,8 @@ static struct active_request_slot *active_queue_head; static char *cached_accept_language; +static char *http_ssl_backend; + size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_) { size_t size = eltsize * nmemb; @@ -302,6 +304,12 @@ static int http_options(const char *var, const char *value, void *cb) curl_ssl_try = git_config_bool(var, value); return 0; } + if (!strcmp("http.sslbackend", var)) { + free(http_ssl_backend); + http_ssl_backend = xstrdup_or_null(value); + return 0; + } + if (!strcmp("http.minsessions", var)) { min_curl_sessions = git_config_int(var, value); #ifndef USE_CURL_MULTI @@ -995,6 +1003,33 @@ void http_init(struct remote *remote, const char *url, int proactive_auth) git_config(urlmatch_config_entry, &config); free(normalized_url); +#if LIBCURL_VERSION_NUM >= 0x073800 + if (http_ssl_backend) { + const curl_ssl_backend **backends; + struct strbuf buf = STRBUF_INIT; + int i; + + switch (curl_global_sslset(-1, http_ssl_backend, &backends)) { + case CURLSSLSET_UNKNOWN_BACKEND: + strbuf_addf(&buf, _("Unsupported SSL backend '%s'. " + "Supported SSL backends:"), + http_ssl_backend); + for (i = 0; backends[i]; i++) + strbuf_addf(&buf, "\n\t%s", backends[i]->name); + die("%s", buf.buf); + case CURLSSLSET_NO_BACKENDS: + die(_("Could not set SSL backend to '%s': " + "cURL was built without SSL backends"), + http_ssl_backend); + case CURLSSLSET_TOO_LATE: + die(_("Could not set SSL backend to '%s': already set"), + http_ssl_backend); + case CURLSSLSET_OK: + break; /* Okay! */ + } + } +#endif + if (curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) die("curl_global_init failed"); From patchwork Mon Oct 15 10:14:45 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Johannes Schindelin via GitGitGadget X-Patchwork-Id: 10641521 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1D21A1057 for ; Mon, 15 Oct 2018 10:14:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 066072942E for ; Mon, 15 Oct 2018 10:14:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EC31D29460; Mon, 15 Oct 2018 10:14:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A84752942E for ; Mon, 15 Oct 2018 10:14:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726929AbeJOR7W (ORCPT ); Mon, 15 Oct 2018 13:59:22 -0400 Received: from mail-pl1-f177.google.com ([209.85.214.177]:40111 "EHLO mail-pl1-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726760AbeJOR7V (ORCPT ); Mon, 15 Oct 2018 13:59:21 -0400 Received: by mail-pl1-f177.google.com with SMTP id 1-v6so9066219plv.7 for ; Mon, 15 Oct 2018 03:14:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:message-id:in-reply-to:references:from:subject:mime-version :content-transfer-encoding:fcc:content-transfer-encoding :mime-version:to:cc; bh=qF6OLnoAWzxdKIW4zYidSI0LKATt0JQ7Pprvo/95nvY=; b=ottL5zmIJMSHEgR7FUrFphBlQu3L4LlOr6x6klg/6irOOVuWq8ZXuvsWO9BfN1EpL2 p51kvoPVsL8Vl1YPbCgOWbBJJ0np5wRsAiwKySdbmJ9qKrx9NBU47Um6raWhH09nJgcc CSorpDaJ4o/ORKDDZDgI2dk1HsPb4Ggg/tsXVL2o8xHo6r3pkCm8iyO5Op8Qr07vG7g7 5HXKNIS637wdxYDGqMBraFdTETCAMs/GbjReAbGQtT541UsjmM1ov+yuNZi0RpLCXMNe V60vUw29CC88uHcWwOXiUcb+IEDC978LoOJa/VANxOUj+JR44Axr8RACvwVt2AL0SZrt Vr4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:in-reply-to:references:from :subject:mime-version:content-transfer-encoding:fcc :content-transfer-encoding:mime-version:to:cc; bh=qF6OLnoAWzxdKIW4zYidSI0LKATt0JQ7Pprvo/95nvY=; b=Kw32AfvB5kkVqiu+EajpRHznpYS8bvxtFduCdlyIO7jexQX3/6muglxCqRNhXLHk8Z +g/4aujXrIH2z6Dlg/LsqoKxzuuWZfDoonnEmiPfPctuHuvSpoWNFUfwerLGH3pofV5r 57mhi3h9ol6nSkEaSEAfNFy0v+kGKW3p9Yeo5O4/TROcBAdP0x1A8Lyx6HOx1XgfTNGK 986+dfqP2vXzh2/Wk6qETUEYl3YtUZNiViIQPi5MExBrIHkXiopv3PjNLXZWtD3PM4wz ukNJhx2vEW76lDuqQkBk0t5gWIlGcfLf+361VTcxshiI91cht/fZ46NIQa4+Z9WCcXg2 PXLw== X-Gm-Message-State: ABuFfogbn/3M5tiTpUOh7woTkmWpHVQs6/4uguwNtOXdmKn5eBloJjay 1Z3rFtBMDnBmY5dBxYjMDOQBRVS6 X-Google-Smtp-Source: ACcGV62l3CXipS6wMJp1XSsKFL1IO+TJdMdvpe4xWKhMT4LHuLBiVkHwTrh4gOlGLqcOML7dlTTQVA== X-Received: by 2002:a17:902:33c3:: with SMTP id b61-v6mr16747148plc.52.1539598485907; Mon, 15 Oct 2018 03:14:45 -0700 (PDT) Received: from [127.0.0.1] ([40.112.142.204]) by smtp.gmail.com with ESMTPSA id u69-v6sm19325726pfk.68.2018.10.15.03.14.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 Oct 2018 03:14:45 -0700 (PDT) Date: Mon, 15 Oct 2018 03:14:45 -0700 (PDT) X-Google-Original-Date: Mon, 15 Oct 2018 10:14:39 GMT Message-Id: <764791d13d20478639402e7af95e901223444240.1539598481.git.gitgitgadget@gmail.com> In-Reply-To: References: From: "Brendan Forster via GitGitGadget" Subject: [PATCH 2/3] http: add support for disabling SSL revocation checks in cURL MIME-Version: 1.0 Fcc: Sent MIME-Version: 1.0 To: git@vger.kernel.org Cc: Junio C Hamano , Brendan Forster Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Brendan Forster This adds support for a new http.schannelCheckRevoke config value. This config value is only used if http.sslBackend is set to "schannel", which forces cURL to use the Windows Certificate Store when validating server certificates associated with a remote server. This config value should only be set to "false" if you are in an environment where revocation checks are blocked by the network, with no alternative options. This is only supported in cURL 7.44 or later. Note: an earlier iteration tried to use the config setting http.schannel.checkRevoke, but the http.* config settings can be limited to specific URLs via http..* (which would mistake `schannel` for a URL). Helped by Agustín Martín Barbero. Signed-off-by: Brendan Forster Signed-off-by: Johannes Schindelin --- Documentation/config.txt | 8 ++++++++ http.c | 17 +++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 7d38f0bf1a..d569ebd49e 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1989,6 +1989,14 @@ http.sslBackend:: This option is ignored if cURL lacks support for choosing the SSL backend at runtime. +http.schannelCheckRevoke:: + Used to enforce or disable certificate revocation checks in cURL + when http.sslBackend is set to "schannel". Defaults to `true` if + unset. Only necessary to disable this if Git consistently errors + and the message is about checking the revocation status of a + certificate. This option is ignored if cURL lacks support for + setting the relevant SSL option at runtime. + http.pinnedpubkey:: Public key of the https service. It may either be the filename of a PEM or DER encoded public key file or a string starting with diff --git a/http.c b/http.c index 7fb37a061b..8998056b60 100644 --- a/http.c +++ b/http.c @@ -157,6 +157,8 @@ static char *cached_accept_language; static char *http_ssl_backend; +static int http_schannel_check_revoke = 1; + size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_) { size_t size = eltsize * nmemb; @@ -310,6 +312,11 @@ static int http_options(const char *var, const char *value, void *cb) return 0; } + if (!strcmp("http.schannelcheckrevoke", var)) { + http_schannel_check_revoke = git_config_bool(var, value); + return 0; + } + if (!strcmp("http.minsessions", var)) { min_curl_sessions = git_config_int(var, value); #ifndef USE_CURL_MULTI @@ -811,6 +818,16 @@ static CURL *get_curl_handle(void) } #endif + if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) && + !http_schannel_check_revoke) { +#if LIBCURL_VERSION_NUM >= 0x072c00 + curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE); +#else + warning("CURLSSLOPT_NO_REVOKE not applied to curl SSL options because\n" + "your curl version is too old (>= 7.44.0)"); +#endif + } + if (http_proactive_auth) init_curl_http_auth(result); From patchwork Mon Oct 15 10:14:46 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin via GitGitGadget X-Patchwork-Id: 10641523 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5DDB3157A for ; Mon, 15 Oct 2018 10:14:51 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4BFA82942E for ; Mon, 15 Oct 2018 10:14:51 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 402A529460; Mon, 15 Oct 2018 10:14:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C3D752942E for ; Mon, 15 Oct 2018 10:14:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726932AbeJOR7Y (ORCPT ); Mon, 15 Oct 2018 13:59:24 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:39444 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726760AbeJOR7X (ORCPT ); Mon, 15 Oct 2018 13:59:23 -0400 Received: by mail-pg1-f193.google.com with SMTP id r9-v6so8944763pgv.6 for ; Mon, 15 Oct 2018 03:14:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:message-id:in-reply-to:references:from:subject:fcc :content-transfer-encoding:mime-version:to:cc; bh=hjNH3ZBYt3VXbSPVi8UvKCrNSYNtxKAXi7oTFKAk98Q=; b=Xd27Rps60r05FxEEKubpi4Z79MnZZN8phjbXy1AhcriTnt3Hq8emxVHBw4oUGdbNrT pkFIUn2dC6XRbslyF1B6O2GnrQePIVrPmfy7naaK8Ibrt1+IFMuxYCpGW36SN/OCbQul 26J59RqNSIhxFnO5s1Bnc7p3b8jKvlQ8s3gVbkrYym+0TSpPTM/krhoIe3Tn3B4gekMj 0NzVodXcbBXcFYKT1pYSnmP0+hupOCWMkLwH742915Ka7szM/IFQ1lFOUyIO41F76pBx XhO9VHJGFQL7tL3E8qugDjUJbGYqi/95Eqb1VvIt+BXKtxq2XSET9igW5LSw7icSaGtf tauQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:in-reply-to:references:from :subject:fcc:content-transfer-encoding:mime-version:to:cc; bh=hjNH3ZBYt3VXbSPVi8UvKCrNSYNtxKAXi7oTFKAk98Q=; b=IMlJ3PZnNfl2hzxzhDtBW1en1kPMyofglCZ+38e4i+Y5q4LKMw0R/jWUGOSRfaSb++ qkgI+uuNDzPRkDohPHAWN6OzvtSuAjvlkE524mpjvdlOsCOhttAKPMHPRq6V3MSm+oWk G4UFxfOos3YNa8FgXxn9GbQ63tucTtHJiD8pHOPKjBzi0ur8tEMeOsW77UrVVcZ1ZI4H kU3N0z6k/RObLnco3LBwpObjuEGrSpw3jh2CY77kUimS0CV/yFaekhI+TCuiqAeQ4+BQ czFyH39kId1+nPviSdBZoR1tQvQ4ttEeHAWE5Uwk5NM1cAgVcXmZTLkE3KM/utG6J1SY czGg== X-Gm-Message-State: ABuFfojpGm9NGSb1nlFF5Ui0SHikktE/xwXRgCcGCnRLNpg/UuXvuk/y zjrd/dH+pUMxbam46029/Jo3dNdf X-Google-Smtp-Source: ACcGV60CUKWfC1scEya8Kg8wdfdZTjV3DG4H4UGgTx7ajILSE/+ueM/6kJH30qnLycQeexYnCZIaZQ== X-Received: by 2002:a62:7a81:: with SMTP id v123-v6mr17289106pfc.240.1539598487288; Mon, 15 Oct 2018 03:14:47 -0700 (PDT) Received: from [127.0.0.1] ([40.112.142.204]) by smtp.gmail.com with ESMTPSA id i5-v6sm11578913pfo.107.2018.10.15.03.14.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 Oct 2018 03:14:46 -0700 (PDT) Date: Mon, 15 Oct 2018 03:14:46 -0700 (PDT) X-Google-Original-Date: Mon, 15 Oct 2018 10:14:40 GMT Message-Id: <9927e4ce628df99f7a8e88dba1df54244e2fa158.1539598481.git.gitgitgadget@gmail.com> In-Reply-To: References: From: "Johannes Schindelin via GitGitGadget" Subject: [PATCH 3/3] http: when using Secure Channel, ignore sslCAInfo by default Fcc: Sent MIME-Version: 1.0 To: git@vger.kernel.org Cc: Junio C Hamano , Johannes Schindelin Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Johannes Schindelin As of cURL v7.60.0, the Secure Channel backend can use the certificate bundle provided via `http.sslCAInfo`, but that would override the Windows Certificate Store. Since this is not desirable by default, let's tell Git to not ask cURL to use that bundle by default when the `schannel` backend was configured via `http.sslBackend`, unless `http.schannelUseSSLCAInfo` overrides this behavior. Signed-off-by: Johannes Schindelin --- Documentation/config.txt | 8 ++++++++ http.c | 19 ++++++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index d569ebd49e..1f6a6a4a6f 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1997,6 +1997,14 @@ http.schannelCheckRevoke:: certificate. This option is ignored if cURL lacks support for setting the relevant SSL option at runtime. +http.schannelUseSSLCAInfo:: + As of cURL v7.60.0, the Secure Channel backend can use the + certificate bundle provided via `http.sslCAInfo`, but that would + override the Windows Certificate Store. Since this is not desirable + by default, Git will tell cURL not to use that bundle by default + when the `schannel` backend was configured via `http.sslBackend`, + unless `http.schannelUseSSLCAInfo` overrides this behavior. + http.pinnedpubkey:: Public key of the https service. It may either be the filename of a PEM or DER encoded public key file or a string starting with diff --git a/http.c b/http.c index 8998056b60..a0a8b93785 100644 --- a/http.c +++ b/http.c @@ -158,6 +158,12 @@ static char *cached_accept_language; static char *http_ssl_backend; static int http_schannel_check_revoke = 1; +/* + * With the backend being set to `schannel`, setting sslCAinfo would override + * the Certificate Store in cURL v7.60.0 and later, which is not what we want + * by default. + */ +static int http_schannel_use_ssl_cainfo; size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_) { @@ -317,6 +323,11 @@ static int http_options(const char *var, const char *value, void *cb) return 0; } + if (!strcmp("http.schannelusesslcainfo", var)) { + http_schannel_use_ssl_cainfo = git_config_bool(var, value); + return 0; + } + if (!strcmp("http.minsessions", var)) { min_curl_sessions = git_config_int(var, value); #ifndef USE_CURL_MULTI @@ -869,7 +880,13 @@ static CURL *get_curl_handle(void) if (ssl_pinnedkey != NULL) curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); #endif - if (ssl_cainfo != NULL) + if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) && + !http_schannel_use_ssl_cainfo) { + curl_easy_setopt(result, CURLOPT_CAINFO, NULL); +#if LIBCURL_VERSION_NUM >= 0x073400 + curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL); +#endif + } else if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {