Multiple GIT Accounts & HTTPS Client Certificates - Config

Multiple GIT Accounts & HTTPS Client Certificates - Config

[Sergei Haller]

Hi folks,

my problem is basically the following: my git server (https) requires
authentication using a clent x509 certificate.

And I have multiple x509 certificates that match the server.

when I access the https server using a browser, the browser asks which
certificate to use and everything is fine.

When I try to access the git server from the command line (git pull or
similar), the git will pick one of the available
certificates (randomly or alphabetically) and try to access the server with
that client certificate. Ending in the situation
that git picks the wrong certificate.

I can workaround by deleting all client certificates from the windows
certificate store except the "correct" one => then git
command line will pick the correct certificate (the only one available) and
everything works as expected.

Workaround is a workaround, I need to use all of the certificates
repeatedly for different repos and different other
aplications (non-git), so I've been deliting and reinstalling the
certificates all the time in the last weeks...

How can I tell git cmd (per config option??) to use a particular client
certificate for authenticating to the https server
(I could provide fingerprint or serial number or sth like that)

current environment: windows 10 and git version 2.18.0.windows.1

Would be absolutely acceptable if git would ask interactively which client
certificate to use (in case its not configurable)

(I asked this question here before:
https://stackoverflow.com/questions/51952568/multiple-git-accounts-https-client-certificates-config
)


Thanks!



-- 
sergei@sergei-haller.de
.

RE: Multiple GIT Accounts & HTTPS Client Certificates - Config

[Randall S. Becker]

On September 10, 2018 4:09 AM, Sergei Haller wrote:
> my problem is basically the following: my git server (https) requires
> authentication using a clent x509 certificate.
> 
> And I have multiple x509 certificates that match the server.
> 
> when I access the https server using a browser, the browser asks which
> certificate to use and everything is fine.
> 
> When I try to access the git server from the command line (git pull or similar),
> the git will pick one of the available certificates (randomly or alphabetically)
> and try to access the server with that client certificate. Ending in the
> situation that git picks the wrong certificate.
> 
> I can workaround by deleting all client certificates from the windows
> certificate store except the "correct" one => then git command line will pick
> the correct certificate (the only one available) and everything works as
> expected.
> 
> Workaround is a workaround, I need to use all of the certificates repeatedly
> for different repos and different other aplications (non-git), so I've been
> deliting and reinstalling the certificates all the time in the last weeks...
> 
> How can I tell git cmd (per config option??) to use a particular client
> certificate for authenticating to the https server (I could provide fingerprint
> or serial number or sth like that)
> 
> current environment: windows 10 and git version 2.18.0.windows.1
> 
> Would be absolutely acceptable if git would ask interactively which client
> certificate to use (in case its not configurable)
> 
> (I asked this question here before:
> https://stackoverflow.com/questions/51952568/multiple-git-accounts-
> https-client-certificates-config
> )

Would you consider using SSH to authenticate? You can control which private key you use based on your ~/.ssh/config entries, which are case sensitive. You can choose the SSH key to use by playing with the case of the host name, like:

github.com
Github.com
gitHub.com

even if your user is "git" in all cases above. It is a bit hacky but it is part of the SSH spec and is supported by git and EGit (as of 5.x).

Cheers,
Randall

--
Randall S. Becker
Managing Director, Nexbridge Inc.
LinkedIn.com/in/randallbecker
+1.416.984.9826

Re: Multiple GIT Accounts & HTTPS Client Certificates - Config

[Sergei Haller]

no, using SSH is not an option. I have no control over the server
setup whatsoever.

Thx!

On Mon, Sep 10, 2018 at 3:29 PM, Randall S. Becker
<rsbecker@nexbridge.com> wrote:
> On September 10, 2018 4:09 AM, Sergei Haller wrote:
>> my problem is basically the following: my git server (https) requires
>> authentication using a clent x509 certificate.
>>
>> And I have multiple x509 certificates that match the server.
>>
>> when I access the https server using a browser, the browser asks which
>> certificate to use and everything is fine.
>>
>> When I try to access the git server from the command line (git pull or similar),
>> the git will pick one of the available certificates (randomly or alphabetically)
>> and try to access the server with that client certificate. Ending in the
>> situation that git picks the wrong certificate.
>>
>> I can workaround by deleting all client certificates from the windows
>> certificate store except the "correct" one => then git command line will pick
>> the correct certificate (the only one available) and everything works as
>> expected.
>>
>> Workaround is a workaround, I need to use all of the certificates repeatedly
>> for different repos and different other aplications (non-git), so I've been
>> deliting and reinstalling the certificates all the time in the last weeks...
>>
>> How can I tell git cmd (per config option??) to use a particular client
>> certificate for authenticating to the https server (I could provide fingerprint
>> or serial number or sth like that)
>>
>> current environment: windows 10 and git version 2.18.0.windows.1
>>
>> Would be absolutely acceptable if git would ask interactively which client
>> certificate to use (in case its not configurable)
>>
>> (I asked this question here before:
>> https://stackoverflow.com/questions/51952568/multiple-git-accounts-
>> https-client-certificates-config
>> )
>
> Would you consider using SSH to authenticate? You can control which private key you use based on your ~/.ssh/config entries, which are case sensitive. You can choose the SSH key to use by playing with the case of the host name, like:
>
> github.com
> Github.com
> gitHub.com
>
> even if your user is "git" in all cases above. It is a bit hacky but it is part of the SSH spec and is supported by git and EGit (as of 5.x).
>
> Cheers,
> Randall
>
> --
> Randall S. Becker
> Managing Director, Nexbridge Inc.
> LinkedIn.com/in/randallbecker
> +1.416.984.9826
>
>
>



-- 
sergei@sergei-haller.de
.

Re: Multiple GIT Accounts & HTTPS Client Certificates - Config

[Sergei Haller]

PS: while I was trying to send the mail to this mailing list, there is
some update from the stack overflow side:

* I am using sslBackend schannel
* the private key of my client certificate can be provided by using
the http.sslKey config option
* the private key is on a smart card, so there is no way I can copy it
over to a file and use the openssl backend (at least no way that I am
aware of :)

so basically this pins down to the fact that schannel implementation
is picking the wrong key.

Would be great if (one of) the following option was possible:

(a) schannel would ask interactively which certificate to use, if
there is more than one that matches the servers request
(b) key info (e.g. serial number or fingerprint) couldl be provided as
config option

not sure if (a) or (b) is already possible (in some nightly build or
some hidden option?)

I'd be eager to test if necessyry, but I probably wont be able to
build git (so would need some sort of nightly build or something)

PS: the recent realization makes me believe this is a window specific
problem. I think I have read somewhere
about a separate windows mailing list (but not sure where I saw it)


On Mon, Sep 10, 2018 at 10:09 AM, Sergei Haller <sergei@sergei-haller.de> wrote:
> Hi folks,
>
> my problem is basically the following: my git server (https) requires
> authentication using a clent x509 certificate.
>
> And I have multiple x509 certificates that match the server.
>
> when I access the https server using a browser, the browser asks which
> certificate to use and everything is fine.
>
> When I try to access the git server from the command line (git pull or
> similar), the git will pick one of the available
> certificates (randomly or alphabetically) and try to access the server with
> that client certificate. Ending in the situation
> that git picks the wrong certificate.
>
> I can workaround by deleting all client certificates from the windows
> certificate store except the "correct" one => then git
> command line will pick the correct certificate (the only one available) and
> everything works as expected.
>
> Workaround is a workaround, I need to use all of the certificates
> repeatedly for different repos and different other
> aplications (non-git), so I've been deliting and reinstalling the
> certificates all the time in the last weeks...
>
> How can I tell git cmd (per config option??) to use a particular client
> certificate for authenticating to the https server
> (I could provide fingerprint or serial number or sth like that)
>
> current environment: windows 10 and git version 2.18.0.windows.1
>
> Would be absolutely acceptable if git would ask interactively which client
> certificate to use (in case its not configurable)
>
> (I asked this question here before:
> https://stackoverflow.com/questions/51952568/multiple-git-accounts-https-client-certificates-config
> )
>
>
> Thanks!
>
>
>
> --
> sergei@sergei-haller.de
> .



-- 
sergei@sergei-haller.de
.

Re: Multiple GIT Accounts & HTTPS Client Certificates - Config

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1317 bytes --]

On Tue, Sep 11, 2018 at 09:42:35AM +0200, Sergei Haller wrote:
> PS: while I was trying to send the mail to this mailing list, there is
> some update from the stack overflow side:
> 
> * I am using sslBackend schannel
> * the private key of my client certificate can be provided by using
> the http.sslKey config option
> * the private key is on a smart card, so there is no way I can copy it
> over to a file and use the openssl backend (at least no way that I am
> aware of :)
> 
> so basically this pins down to the fact that schannel implementation
> is picking the wrong key.

Git doesn't provide an option to query a smartcard outside of what your
typical TLS implementation provides by default.  Not being a Windows
user, I don't know if Schannel provides a way to automatically select
the right private key based on which certificate is used, or if that's
outside its capability.

> PS: the recent realization makes me believe this is a window specific
> problem. I think I have read somewhere
> about a separate windows mailing list (but not sure where I saw it)

If you're talking about Git for Windows, yes, this is probably better
addressed as an issue there: https://github.com/git-for-windows/git.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 868 bytes --]