git@vger.kernel.org mailing list mirror (one of many)
* Cygwin git with schannel ("native Windows Secure Channel library")
@ 2019-12-20  1:52 Keith Thompson
  2019-12-20 23:18 ` brian m. carlson
  0 siblings, 1 reply; 4+ messages in thread
From: Keith Thompson @ 2019-12-20  1:52 UTC
  To: git; +Cc: Keith Thompson

I've posted this on Stack Overflow
https://stackoverflow.com/q/59381061/827263
but I haven't gotten any responses yet.

When I install "Git for Windows" on Windows 10, the installation
wizard offers the choice of using either the OpenSSL library or the
"native Windows Secure Channel library".  (Whether that's offered
seems to depend on what's available on the Windows 10 system.)
I believe this is referred to in the git sources as "schannel".

Is there a way to configure git under Cygwin to use the native
Windows Secure Channel library?  An ideal solution would be a
modification to my .gitconfig, but something that lets me build git
(and possibly curl) from source would also be good.  See my Stack
Overflow question for more details, including some things that I
tried that didn't work.

The problem I'm trying to solve: In my work environment, I can
use Cygwin git for local operations, but I have to use Windows git
for anything that talks to a remote (push, pull).  I'd prefer to use
Cygwin git exclusively.


* Re: Cygwin git with schannel ("native Windows Secure Channel library")
  2019-12-20  1:52 Cygwin git with schannel ("native Windows Secure Channel library") Keith Thompson
@ 2019-12-20 23:18 ` brian m. carlson
  2019-12-21 11:50   ` Beat Bolli
  0 siblings, 1 reply; 4+ messages in thread
From: brian m. carlson @ 2019-12-20 23:18 UTC
  To: Keith Thompson; +Cc: git


On 2019-12-20 at 01:52:04, Keith Thompson wrote:
> I've posted this on Stack Overflow
> https://stackoverflow.com/q/59381061/827263
> but I haven't gotten any responses yet.
> 
> When I install "Git for Windows" on Windows 10, the installation
> wizard offers the choice of using either the OpenSSL library or the
> "native Windows Secure Channel library".  (Whether that's offered
> seems to depend on what's available on the Windows 10 system.)
> I believe this is referred to in the git sources as "schannel".
> 
> Is there a way to configure git under Cygwin to use the native
> Windows Secure Channel library?  An ideal solution would be a
> modification to my .gitconfig, but something that lets me build git
> (and possibly curl) from source would also be good.  See my Stack
> Overflow question for more details, including some things that I
> tried that didn't work.
> 
> The problem I'm trying to solve: In my work environment, I can
> use Cygwin git for local operations, but I have to use Windows git
> for anything that talks to a remote (push, pull).  I'd prefer to use
> Cygwin git exclusively.

I'm not 100% certain here, but I believe the answer is no.  In order to
use SChannel, you'll need to link against MSVCRT or a compatible
runtime, but it's not possible to link against both that and Cygwin at
the same time (probably because they both provide the same symbols).

If your constraint is that you need to interact with the Windows
certificate store or such, you could see if there's an OpenSSL or GnuTLS
plugin that will do that for you and then build against that library or
plugin.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204



* Re: Cygwin git with schannel ("native Windows Secure Channel library")
  2019-12-20 23:18 ` brian m. carlson
@ 2019-12-21 11:50   ` Beat Bolli
  2019-12-21 23:13     ` Keith Thompson
  0 siblings, 1 reply; 4+ messages in thread
From: Beat Bolli @ 2019-12-21 11:50 UTC
  To: git

On 21.12.19 00:18, brian m. carlson wrote:
> On 2019-12-20 at 01:52:04, Keith Thompson wrote:
>> I've posted this on Stack Overflow
>> https://stackoverflow.com/q/59381061/827263
>> but I haven't gotten any responses yet.
>>
>> When I install "Git for Windows" on Windows 10, the installation
>> wizard offers the choice of using either the OpenSSL library or the
>> "native Windows Secure Channel library".  (Whether that's offered
>> seems to depend on what's available on the Windows 10 system.)
>> I believe this is referred to in the git sources as "schannel".
>>
>> Is there a way to configure git under Cygwin to use the native
>> Windows Secure Channel library?  An ideal solution would be a
>> modification to my .gitconfig, but something that lets me build git
>> (and possibly curl) from source would also be good.  See my Stack
>> Overflow question for more details, including some things that I
>> tried that didn't work.
>>
>> The problem I'm trying to solve: In my work environment, I can
>> use Cygwin git for local operations, but I have to use Windows git
>> for anything that talks to a remote (push, pull).  I'd prefer to use
>> Cygwin git exclusively.
> 
> I'm not 100% certain here, but I believe the answer is no.  In order to
> use SChannel, you'll need to link against MSVCRT or a compatible
> runtime, but it's not possible to link against both that and Cygwin at
> the same time (probably because they both provide the same symbols).
> 
> If your constraint is that you need to interact with the Windows
> certificate store or such, you could see if there's an OpenSSL or GnuTLS
> plugin that will do that for you and then build against that library or
> plugin.

There is the OpenSSL "CAPI" engine which interfaces with the Windows
CryptoAPI. However, I don't know if the Cygwin OpenSSL build includes
this engine.

Cheers, Beat



* Re: Cygwin git with schannel ("native Windows Secure Channel library")
  2019-12-21 11:50   ` Beat Bolli
@ 2019-12-21 23:13     ` Keith Thompson
  0 siblings, 0 replies; 4+ messages in thread
From: Keith Thompson @ 2019-12-21 23:13 UTC
  To: Beat Bolli; +Cc: brian m. carlson, git, Keith Thompson

On Sat, Dec 21, 2019 at 3:51 AM Beat Bolli <dev+git@drbeat.li> wrote:
> On 21.12.19 00:18, brian m. carlson wrote:
> > On 2019-12-20 at 01:52:04, Keith Thompson wrote:
> >> I've posted this on Stack Overflow
> >> https://stackoverflow.com/q/59381061/827263
> >> but I haven't gotten any responses yet.
> >>
> >> When I install "Git for Windows" on Windows 10, the installation
> >> wizard offers the choice of using either the OpenSSL library or the
> >> "native Windows Secure Channel library".  (Whether that's offered
> >> seems to depend on what's available on the Windows 10 system.)
> >> I believe this is referred to in the git sources as "schannel".
> >>
> >> Is there a way to configure git under Cygwin to use the native
> >> Windows Secure Channel library?  An ideal solution would be a
> >> modification to my .gitconfig, but something that lets me build git
> >> (and possibly curl) from source would also be good.  See my Stack
> >> Overflow question for more details, including some things that I
> >> tried that didn't work.
> >>
> >> The problem I'm trying to solve: In my work environment, I can
> >> use Cygwin git for local operations, but I have to use Windows git
> >> for anything that talks to a remote (push, pull).  I'd prefer to use
> >> Cygwin git exclusively.
> >
> > I'm not 100% certain here, but I believe the answer is no.  In order to
> > use SChannel, you'll need to link against MSVCRT or a compatible
> > runtime, but it's not possible to link against both that and Cygwin at
> > the same time (probably because they both provide the same symbols).
> >
> > If your constraint is that you need to interact with the Windows
> > certificate store or such, you could see if there's an OpenSSL or GnuTLS
> > plugin that will do that for you and then build against that library or
> > plugin.
>
> There is the OpenSSL "CAPI" engine which interfaces with the Windows
> CryptoAPI. However, I don't know if the Cygwin OpenSSL build includes
> this engine.

That's interesting.  I just tried building OpenSSL from source on
Cygwin (openssl-1.1.1d.tar.gz).  It installed lib/engines-1.1/capi.dll
under the installation directory, and I see references to capi in the
output of "make".  The Cygwin-installed OpenSSL (currently 1.1.1d)
doesn't provide that file.  I don't know whether or not that means
the Cygwin-installed OpenSSL doesn't support CAPI.

Is there an openssl command I can run to tell whether it supports CAPI?
(Disclaimer: I had never heard of CAPI before.)  With both the Cygwin-installed
OpenSSL and the one I built from source, I get:

$ openssl engine capi
25769803792:error:260B606D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:485:
25769803792:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:334:id=capi

*Maybe* if I compile OpenSSL from source, then compile curl
from source using my compiled OpenSSL, then compile Windows Git
from source using my compiled OpenSSL and curl, it *might* work?
It's worth a shot.

And if the Cygwin-installed OpenSSL doesn't support CAPI, I wonder
why it doesn't.

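Added example (not part of the thread, and not code from git, curl or OpenSSL): a shell sketch of the checks the last message asks about, reporting which TLS backends a curl build carries and whether the OpenSSL engine directory holds a capi module. The function names and sample strings are constructed for illustration, and capi.so as an alternative module file name is an assumption.

```shell
#!/bin/sh
# Added diagnostic sketch; sample strings are constructed, not captured output.

# List TLS backends compiled into curl, given the first line of `curl -V`.
# Multi-backend builds show inactive backends in parentheses; both count here.
curl_tls_backends() {
    out=""
    case "$1" in *Schannel*|*WinSSL*) out="$out schannel" ;; esac
    case "$1" in *OpenSSL/*)          out="$out openssl"  ;; esac
    case "$1" in *GnuTLS/*)           out="$out gnutls"   ;; esac
    echo "${out# }"
}

# Extract the engine directory from the output of `openssl version -e`.
openssl_engines_dir() {
    printf '%s\n' "$1" | sed -n 's/^ENGINESDIR: "\(.*\)"$/\1/p'
}

# Succeed if directory $1 holds a CAPI engine module (capi.dll as in the
# thread; capi.so is an assumed alternative name).
has_capi_module() {
    [ -n "$1" ] && { [ -e "$1/capi.dll" ] || [ -e "$1/capi.so" ]; }
}

# Combine the checks into one verdict line.
# $1 = first line of `curl -V`, $2 = output of `openssl version -e`
tls_report() {
    dir=$(openssl_engines_dir "$2")
    case " $(curl_tls_backends "$1") " in
        *" schannel "*)
            # git's http.sslBackend setting only has an effect in this case.
            echo "curl has Schannel compiled in" ;;
        *)
            if has_capi_module "$dir"; then
                echo "no Schannel in curl; capi module found in $dir"
            else
                echo "no Schannel in curl; no capi module in ${dir:-unknown dir}"
            fi ;;
    esac
}

# Constructed sample input. On a real system pass "$(curl -V | head -n 1)"
# and "$(openssl version -e)" instead.
SAMPLE_CURL='curl 7.66.0 (x86_64-pc-cygwin) libcurl/7.66.0 OpenSSL/1.1.1d zlib/1.2.11'
SAMPLE_SSL='ENGINESDIR: "/usr/lib/engines-1.1"'
tls_report "$SAMPLE_CURL" "$SAMPLE_SSL"
```

A module file being present only shows that the engine was built; whether it loads is a separate question, as the "init failed" output above shows.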
