git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Junio C Hamano <gitster@pobox.com>,
	Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: [PATCH v2 3/3] http: when using Secure Channel, ignore sslCAInfo by default
Date: Thu, 25 Oct 2018 11:53:56 -0700 (PDT)	[thread overview]
Message-ID: <a5f937a36d454d6d99bb64d4be3c389cf996826a.1540493630.git.gitgitgadget@gmail.com> (raw)
In-Reply-To: <pull.46.v2.git.gitgitgadget@gmail.com>

From: Johannes Schindelin <johannes.schindelin@gmx.de>

As of cURL v7.60.0, the Secure Channel backend can use the certificate
bundle provided via `http.sslCAInfo`, but that would override the
Windows Certificate Store. Since this is not desirable by default, let's
tell Git to not ask cURL to use that bundle by default when the `schannel`
backend was configured via `http.sslBackend`, unless
`http.schannelUseSSLCAInfo` overrides this behavior.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 Documentation/config.txt |  8 ++++++++
 http.c                   | 19 ++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index d569ebd49..1f6a6a4a6 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1997,6 +1997,14 @@ http.schannelCheckRevoke::
 	certificate. This option is ignored if cURL lacks support for
 	setting the relevant SSL option at runtime.
 
+http.schannelUseSSLCAInfo::
+	As of cURL v7.60.0, the Secure Channel backend can use the
+	certificate bundle provided via `http.sslCAInfo`, but that would
+	override the Windows Certificate Store. Since this is not desirable
+	by default, Git will tell cURL not to use that bundle by default
+	when the `schannel` backend was configured via `http.sslBackend`,
+	unless `http.schannelUseSSLCAInfo` overrides this behavior.
+
 http.pinnedpubkey::
 	Public key of the https service. It may either be the filename of
 	a PEM or DER encoded public key file or a string starting with
diff --git a/http.c b/http.c
index 65daa9bfa..28009ca73 100644
--- a/http.c
+++ b/http.c
@@ -158,6 +158,12 @@ static char *cached_accept_language;
 static char *http_ssl_backend;
 
 static int http_schannel_check_revoke = 1;
+/*
+ * With the backend being set to `schannel`, setting sslCAinfo would override
+ * the Certificate Store in cURL v7.60.0 and later, which is not what we want
+ * by default.
+ */
+static int http_schannel_use_ssl_cainfo;
 
 size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
 {
@@ -317,6 +323,11 @@ static int http_options(const char *var, const char *value, void *cb)
 		return 0;
 	}
 
+	if (!strcmp("http.schannelusesslcainfo", var)) {
+		http_schannel_use_ssl_cainfo = git_config_bool(var, value);
+		return 0;
+	}
+
 	if (!strcmp("http.minsessions", var)) {
 		min_curl_sessions = git_config_int(var, value);
 #ifndef USE_CURL_MULTI
@@ -869,7 +880,13 @@ static CURL *get_curl_handle(void)
 	if (ssl_pinnedkey != NULL)
 		curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
 #endif
-	if (ssl_cainfo != NULL)
+	if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
+	    !http_schannel_use_ssl_cainfo) {
+		curl_easy_setopt(result, CURLOPT_CAINFO, NULL);
+#if LIBCURL_VERSION_NUM >= 0x073400
+		curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL);
+#endif
+	} else if (ssl_cainfo != NULL)
 		curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
 	if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {
-- 
gitgitgadget

      parent reply	other threads:[~2018-10-25 18:53 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-15 10:14 [PATCH 0/3] Allow choosing the SSL backend cURL uses (plus related patches) Johannes Schindelin via GitGitGadget
2018-10-15 10:14 ` [PATCH 1/3] http: add support for selecting SSL backends at runtime Johannes Schindelin via GitGitGadget
2018-10-15 14:06   ` Eric Sunshine
2018-10-15 10:14 ` [PATCH 2/3] http: add support for disabling SSL revocation checks in cURL Brendan Forster via GitGitGadget
2018-10-15 14:10   ` Eric Sunshine
2018-10-16 12:21     ` Johannes Schindelin
2018-10-25  3:18     ` Junio C Hamano
2018-10-25  3:29       ` [PATCH] http: give curl version warnings consistently Junio C Hamano
2018-10-25  6:23         ` Jeff King
2018-10-25 19:00         ` Johannes Schindelin
2018-10-26  4:39           ` Junio C Hamano
2018-10-25 12:12       ` [PATCH 2/3] http: add support for disabling SSL revocation checks in cURL Johannes Schindelin
2018-10-16  4:23   ` Junio C Hamano
2018-10-16  6:33     ` Jeff King
2018-10-16 12:25       ` Johannes Schindelin
2018-10-16 15:28         ` Jeff King
2018-10-16 12:22     ` Johannes Schindelin
2018-10-18  1:53       ` Junio C Hamano
2018-10-25 18:52         ` Johannes Schindelin
2018-10-26  4:41           ` Junio C Hamano
2018-10-15 10:14 ` [PATCH 3/3] http: when using Secure Channel, ignore sslCAInfo by default Johannes Schindelin via GitGitGadget
2018-10-25 18:53 ` [PATCH v2 0/3] Allow choosing the SSL backend cURL uses (plus related patches) Johannes Schindelin via GitGitGadget
2018-10-25 18:53   ` [PATCH v2 1/3] http: add support for selecting SSL backends at runtime Johannes Schindelin via GitGitGadget
2018-12-13  9:33     ` Ævar Arnfjörð Bjarmason
2018-12-13 13:08       ` Johannes Schindelin
2018-12-13 13:15         ` Johannes Schindelin
2018-10-25 18:53   ` [PATCH v2 2/3] http: add support for disabling SSL revocation checks in cURL Brendan Forster via GitGitGadget
2018-10-25 18:53   ` Johannes Schindelin via GitGitGadget [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a5f937a36d454d6d99bb64d4be3c389cf996826a.1540493630.git.gitgitgadget@gmail.com \
    --to=gitgitgadget@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=johannes.schindelin@gmx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).