http: when using Secure Channel, ignore sslCAInfo by default
As of cURL v7.60.0, the Secure Channel backend can use the certificate bundle provided via `http.sslCAInfo`, but that would override the Windows Certificate Store. Since this is not desirable by default, let's tell Git to not ask cURL to use that bundle by default when the `schannel` backend was configured via `http.sslBackend`, unless `http.schannelUseSSLCAInfo` overrides this behavior. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:

committed by
Junio C Hamano

parent
93aef7c79b
commit
b67d40adbb
@ -2249,6 +2249,14 @@ http.schannelCheckRevoke::
|
|||||||
certificate. This option is ignored if cURL lacks support for
|
certificate. This option is ignored if cURL lacks support for
|
||||||
setting the relevant SSL option at runtime.
|
setting the relevant SSL option at runtime.
|
||||||
|
|
||||||
|
http.schannelUseSSLCAInfo::
|
||||||
|
As of cURL v7.60.0, the Secure Channel backend can use the
|
||||||
|
certificate bundle provided via `http.sslCAInfo`, but that would
|
||||||
|
override the Windows Certificate Store. Since this is not desirable
|
||||||
|
by default, Git will tell cURL not to use that bundle by default
|
||||||
|
when the `schannel` backend was configured via `http.sslBackend`,
|
||||||
|
unless `http.schannelUseSSLCAInfo` overrides this behavior.
|
||||||
|
|
||||||
http.pinnedpubkey::
|
http.pinnedpubkey::
|
||||||
Public key of the https service. It may either be the filename of
|
Public key of the https service. It may either be the filename of
|
||||||
a PEM or DER encoded public key file or a string starting with
|
a PEM or DER encoded public key file or a string starting with
|
||||||
|
19
http.c
19
http.c
@ -158,6 +158,12 @@ static char *cached_accept_language;
|
|||||||
static char *http_ssl_backend;
|
static char *http_ssl_backend;
|
||||||
|
|
||||||
static int http_schannel_check_revoke = 1;
|
static int http_schannel_check_revoke = 1;
|
||||||
|
/*
|
||||||
|
* With the backend being set to `schannel`, setting sslCAinfo would override
|
||||||
|
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
|
||||||
|
* by default.
|
||||||
|
*/
|
||||||
|
static int http_schannel_use_ssl_cainfo;
|
||||||
|
|
||||||
size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
|
size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
|
||||||
{
|
{
|
||||||
@ -317,6 +323,11 @@ static int http_options(const char *var, const char *value, void *cb)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!strcmp("http.schannelusesslcainfo", var)) {
|
||||||
|
http_schannel_use_ssl_cainfo = git_config_bool(var, value);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (!strcmp("http.minsessions", var)) {
|
if (!strcmp("http.minsessions", var)) {
|
||||||
min_curl_sessions = git_config_int(var, value);
|
min_curl_sessions = git_config_int(var, value);
|
||||||
#ifndef USE_CURL_MULTI
|
#ifndef USE_CURL_MULTI
|
||||||
@ -869,7 +880,13 @@ static CURL *get_curl_handle(void)
|
|||||||
if (ssl_pinnedkey != NULL)
|
if (ssl_pinnedkey != NULL)
|
||||||
curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
|
curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
|
||||||
#endif
|
#endif
|
||||||
if (ssl_cainfo != NULL)
|
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
|
||||||
|
!http_schannel_use_ssl_cainfo) {
|
||||||
|
curl_easy_setopt(result, CURLOPT_CAINFO, NULL);
|
||||||
|
#if LIBCURL_VERSION_NUM >= 0x073400
|
||||||
|
curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL);
|
||||||
|
#endif
|
||||||
|
} else if (ssl_cainfo != NULL)
|
||||||
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
|
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
|
||||||
|
|
||||||
if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {
|
if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {
|
||||||
|
Reference in New Issue
Block a user