mirrors/git
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

http: when using Secure Channel, ignore sslCAInfo by default

Browse Source 
As of cURL v7.60.0, the Secure Channel backend can use the certificate
bundle provided via `http.sslCAInfo`, but that would override the
Windows Certificate Store. Since this is not desirable by default, let's
tell Git to not ask cURL to use that bundle by default when the `schannel`
backend was configured via `http.sslBackend`, unless
`http.schannelUseSSLCAInfo` overrides this behavior.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Johannes Schindelin
2018-10-25 11:53:56 -07:00
committed by Junio C Hamano
parent 93aef7c79b
commit b67d40adbb
2 changed files with 26 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Documentation/config.txt
View File

@ -2249,6 +2249,14 @@ http.schannelCheckRevoke::
certificate. This option is ignored if cURL lacks support for certificate. This option is ignored if cURL lacks support for
setting the relevant SSL option at runtime. setting the relevant SSL option at runtime.
http.schannelUseSSLCAInfo::
As of cURL v7.60.0, the Secure Channel backend can use the
certificate bundle provided via `http.sslCAInfo`, but that would
override the Windows Certificate Store. Since this is not desirable
by default, Git will tell cURL not to use that bundle by default
when the `schannel` backend was configured via `http.sslBackend`,
unless `http.schannelUseSSLCAInfo` overrides this behavior.
http.pinnedpubkey:: http.pinnedpubkey::
Public key of the https service. It may either be the filename of Public key of the https service. It may either be the filename of
a PEM or DER encoded public key file or a string starting with a PEM or DER encoded public key file or a string starting with

19
http.c
View File

@ -158,6 +158,12 @@ static char *cached_accept_language;
static char *http_ssl_backend; static char *http_ssl_backend;
static int http_schannel_check_revoke = 1; static int http_schannel_check_revoke = 1;
/*
* With the backend being set to `schannel`, setting sslCAinfo would override
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
* by default.
*/
static int http_schannel_use_ssl_cainfo;
size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_) size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
{ {
@ -317,6 +323,11 @@ static int http_options(const char *var, const char *value, void *cb)
return 0; return 0;
} }
if (!strcmp("http.schannelusesslcainfo", var)) {
http_schannel_use_ssl_cainfo = git_config_bool(var, value);
return 0;
}
if (!strcmp("http.minsessions", var)) { if (!strcmp("http.minsessions", var)) {
min_curl_sessions = git_config_int(var, value); min_curl_sessions = git_config_int(var, value);
#ifndef USE_CURL_MULTI #ifndef USE_CURL_MULTI
@ -869,7 +880,13 @@ static CURL *get_curl_handle(void)
if (ssl_pinnedkey != NULL) if (ssl_pinnedkey != NULL)
curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey); curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
#endif #endif
if (ssl_cainfo != NULL) if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
!http_schannel_use_ssl_cainfo) {
curl_easy_setopt(result, CURLOPT_CAINFO, NULL);
#if LIBCURL_VERSION_NUM >= 0x073400
curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL);
#endif
} else if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) { if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {