From: "Jorge A López Silva" <jalopezsilva@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: Jorge Lopez Silva via GitGitGadget <gitgitgadget@gmail.com>,
Git List <git@vger.kernel.org>
Subject: Re: [PATCH v2 2/2] config: documentation for HTTPS proxy client cert.
Date: Mon, 2 Mar 2020 17:47:19 -0800 [thread overview]
Message-ID: <CAJyLMU8-OUvOoP1hvgu4PC8iO7oynrvo2CW94HL-neu4RcZ=Ew@mail.gmail.com> (raw)
In-Reply-To: <xmqqblpjg8mf.fsf@gitster-ct.c.googlers.com>
> Thanks, this should be part of the previous patch, as it was that
> commit, not this one, that adds 4 options ;-)
Haha, yeah, you're right. I'll collapse the commits into a single one.
> I think these files not merely "indicate" but they themselves
> "hold", "contain" and/or "store" the certificate and key. Perhaps
> more like...
> The pathname of a file that stores a client certificate to ...
> Also, it is customary to camelCase the configuration variable names.
> As I understand http.proxykey is roughly corresponds to existing
> http.sslKey (the former is for proxy, the latter is for the target
> host), I'd expect these two to be spelled http.proxySSLCert and
> http.proxySSLKey respectively (without omitting "SSL", as that is
> the underlying cURL option name if I am reading the code in 1/2
> correctly).
Good point. Better descriptions and names will be added.
> It is possible that the answer to these questions are the same---an
> on-disk password is a bad idea, so we deliberately omit a config
> that gives value to CURLOPT_KEYPASSWD and instead use the credential
> subsystem (see http.c::has_cert_password() and its caller). If so,
> I think it would be prudent to follow the same pattern if possible?
Excellent point. Will adjust to re-use the same pattern.
On Thu, Feb 27, 2020 at 10:58 AM Junio C Hamano <gitster@pobox.com> wrote:
>
> "Jorge Lopez Silva via GitGitGadget" <gitgitgadget@gmail.com>
> writes:
>
> > From: Jorge Lopez Silva <jalopezsilva@gmail.com>
> >
> > The commit adds 4 options, client cert, key, key password and CA info.
> > The CA info can be used to specify a different CA path to validate the
> > HTTPS proxy cert.
> >
> > Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
> > ---
>
> Thanks, this should be part of the previous patch, as it was that
> commit, not this one, that adds 4 options ;-)
>
> > +http.proxycert::
> > + File indicating a client certificate to use to authenticate with an HTTPS proxy.
> > +
> > +http.proxykey::
> > + File indicating a private key to use to authenticate with an HTTPS proxy.
>
> I think these files not merely "indicate" but they themselves
> "hold", "contain" and/or "store" the certificate and key. Perhaps
> more like...
>
> The pathname of a file that stores a client certificate to ...
>
> Also, it is customary to camelCase the configuration variable names.
> As I understand http.proxykey is roughly corresponds to existing
> http.sslKey (the former is for proxy, the latter is for the target
> host), I'd expect these two to be spelled http.proxySSLCert and
> http.proxySSLKey respectively (without omitting "SSL", as that is
> the underlying cURL option name if I am reading the code in 1/2
> correctly).
>
> > +http.proxykeypass::
> > + When communicating to the proxy using TLS (using an HTTPS proxy), use this
> > + option along `http.proxykey` to indicate a password for the key.
>
> And this would be "http.proxyKeyPasswd" for the same two reasons.
>
> There are a couple of curious things, though:
>
> * Is it a good idea to use a keyfile that is encrypted, but leave
> the encryption password on disk in the configuration file to
> begin with?
>
> * This teaches our system about PROXY_KEYPASSWD that protects
> PROXY_SSLKEY, but why isn't there a similar configuration
> variable for CURLOPT_KEYPASSWD that protects CURLOPT_SSLKEY?
>
> It is possible that the answer to these questions are the same---an
> on-disk password is a bad idea, so we deliberately omit a config
> that gives value to CURLOPT_KEYPASSWD and instead use the credential
> subsystem (see http.c::has_cert_password() and its caller). If so,
> I think it would be prudent to follow the same pattern if possible?
>
> > +http.proxycainfo::
> > + File containing the certificates to verify the proxy with when using an HTTPS
> > + proxy.
> > +
> > http.emptyAuth::
> > Attempt authentication without seeking a username or password. This
> > can be used to attempt GSS-Negotiate authentication without specifying
next prev parent reply other threads:[~2020-03-03 1:47 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-21 21:36 [PATCH 0/2] Add HTTPS proxy SSL options (cert, key, cainfo) Jorge via GitGitGadget
2020-02-21 21:36 ` [PATCH 1/2] http: add client cert for HTTPS proxies Jorge Lopez Silva via GitGitGadget
2020-02-21 22:28 ` Eric Sunshine
2020-02-26 21:05 ` Jorge A López Silva
2020-02-21 21:36 ` [PATCH 2/2] config: documentation for HTTPS proxy client cert Jorge Lopez Silva via GitGitGadget
2020-02-26 23:23 ` [PATCH v2 0/2] Add HTTPS proxy SSL options (cert, key, cainfo) Jorge via GitGitGadget
2020-02-26 23:23 ` [PATCH v2 1/2] http: add client cert for HTTPS proxies Jorge Lopez Silva via GitGitGadget
2020-02-27 18:31 ` Junio C Hamano
2020-03-03 1:41 ` Jorge A López Silva
2020-02-26 23:23 ` [PATCH v2 2/2] config: documentation for HTTPS proxy client cert Jorge Lopez Silva via GitGitGadget
2020-02-27 18:58 ` Junio C Hamano
2020-03-03 1:47 ` Jorge A López Silva [this message]
2020-03-04 18:40 ` [PATCH v3 0/2] Add HTTPS proxy SSL options (cert, key, cainfo) Jorge via GitGitGadget
2020-03-04 18:40 ` [PATCH v3 1/2] http: add client cert for HTTPS proxies Jorge Lopez Silva via GitGitGadget
2020-03-04 18:40 ` [PATCH v3 2/2] http: add environment variable for HTTPS proxy Jorge Lopez Silva via GitGitGadget
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJyLMU8-OUvOoP1hvgu4PC8iO7oynrvo2CW94HL-neu4RcZ=Ew@mail.gmail.com' \
--to=jalopezsilva@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).