From: Jonathan Nieder <jrnieder@gmail.com>
To: Wei Shuyu <wsy@dogben.com>
Cc: git@vger.kernel.org, gitster@pobox.com, peff@peff.net
Subject: Re: [RFC PATCH v2] http: support CURLPROXY_HTTPS
Date: Wed, 27 Dec 2017 10:29:31 -0800
Message-ID: <20171227182931.GD149622@aiede.mtv.corp.google.com>
In-Reply-To: <20171223150215.8615-1-wsy@dogben.com>

Wei Shuyu wrote:

> Git has been taught to support an https:// used for http.proxy when
> using recent versions of libcurl.

nit: commit messages use the imperative mood, as though commanding the
code base to do something:

    Support https:// for http.proxy when using recent versions of
    curl.

[...]
> To use https proxy with self-signed certs, we need a way to
> unset CURLOPT_PROXY_SSL_VERIFYPEER and CURLOPT_PROXY_SSL_VERIFYHOST
> just like direct SSL connection. This is required if we want
> to use t/lib-httpd to test proxy.

Interesting. Sounds promising.

> In this patch I reuse http.sslverify to do this, do we need an
> independent option like http.sslproxyverify?

I think a separate option is a good idea. This way, I can use

    [http "https://example.com"]
        sslVerify = false

to fetch from a misconfigured server or

    [http "https://example.com"]
        proxy = https://127.0.0.1
        sslVerifyProxy = false

to proxy through a misconfigured proxy. Alternatively, is there a
straightforward way to make

    [http "https://example.com"]
        proxy = https://127.0.0.1
    [http "https://127.0.0.1"]
        sslVerify = false

do that? Something like

    struct urlmatch_config proxy_config = { STRING_LIST_INIT_DUP };
    proxy_config.section = "http";
    proxy_config.key = NULL;
    proxy_config.collect_fn = proxy_options;
    proxy_config.cascade_fn = git_default_config;
    proxy_config.cb = NULL;
    proxy_config.url = normalized_proxy_url;
    git_config(urlmatch_config_entry, &proxy_config);

How does this interact with the GIT_SSL_NO_VERIFY environment
variable?

> To fully support https proxy, we also need ways to set more options
> such as CURLOPT_PROXY_SSLCERT. However, I'm not sure if we need to
> support them.

That's for client certs, right? Would it work to make that
configurable as

    [http "https://127.0.0.1"]
        sslCert = ...

?

That said, I agree with you that it's not a prerequisite for this
initial patch.

Thanks,
Jonathan
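
The third config layout in the reply above, resolved with git's own URL matcher. This is an added example, not part of the original message or the patch: the config contents are constructed, the function names are hypothetical, and it shows only what a urlmatch lookup keyed on the proxy URL returns, not what git's HTTP code does with the value.

```shell
#!/bin/sh
# Added example (constructed data). The verification override lives in the
# http.<url> section matching the proxy's own URL, so it should not leak to
# the origin server or to other endpoints.

make_demo_config() {
    # Write a constructed config file and print its path.
    cfg_path=$(mktemp) || return 1
    cat >"$cfg_path" <<'EOF'
[http]
    sslVerify = true
[http "https://example.com"]
    proxy = https://127.0.0.1
[http "https://127.0.0.1"]
    sslVerify = false
EOF
    printf '%s\n' "$cfg_path"
}

effective_ssl_verify() {
    # $1 = config file, $2 = URL matched against the http.<url>.* sections.
    # Falls back to "true" (verify) when no section sets the key.
    v=$(git config --file "$1" --bool --get-urlmatch http.sslVerify "$2") || v=true
    printf '%s\n' "$v"
}

proxy_for() {
    # $1 = config file, $2 = origin URL; prints the proxy configured for it.
    git config --file "$1" --get-urlmatch http.proxy "$2"
}

cfg=$(make_demo_config)
origin=https://example.com/repo.git
proxy=$(proxy_for "$cfg" "$origin")
echo "origin $origin verify=$(effective_ssl_verify "$cfg" "$origin")"
echo "proxy $proxy verify=$(effective_ssl_verify "$cfg" "$proxy")"
# A different port is a different endpoint for URL matching, so the
# override on https://127.0.0.1 does not apply to it.
echo "proxy on :8443 verify=$(effective_ssl_verify "$cfg" https://127.0.0.1:8443)"
rm -f "$cfg"
```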