git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: Johannes Schindelin via GitGitGadget <gitgitgadget@gmail.com>,
	git@vger.kernel.org, Junio C Hamano <gitster@pobox.com>
Subject: Re: [PATCH v2 1/3] http: add support for selecting SSL backends at runtime
Date: Thu, 13 Dec 2018 14:08:28 +0100 (STD)	[thread overview]
Message-ID: <nycvar.QRO.7.76.6.1812131403310.43@tvgsbejvaqbjf.bet> (raw)
In-Reply-To: <87sgz1n53e.fsf@evledraar.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 5116 bytes --]

Hi Ævar,

On Thu, 13 Dec 2018, Ævar Arnfjörð Bjarmason wrote:

> On Thu, Oct 25 2018, Johannes Schindelin via GitGitGadget wrote:
> 
> > From: Johannes Schindelin <johannes.schindelin@gmx.de>
> >
> > As of version 7.56.0, curl supports being compiled with multiple SSL
> > backends.
> >
> > This patch adds the Git side of that feature: by setting http.sslBackend
> > to "openssl" or "schannel", Git for Windows can now choose the SSL
> > backend at runtime.
> >
> > This comes in handy on Windows because Secure Channel ("schannel") is
> > the native solution, accessing the Windows Credential Store, thereby
> > allowing for enterprise-wide management of certificates. For historical
> > reasons, Git for Windows needs to support OpenSSL still, as it has
> > previously been the only supported SSL backend in Git for Windows for
> > almost a decade.
> >
> > The patch has been carried in Git for Windows for over a year, and is
> > considered mature.
> >
> > Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
> > ---
> >  Documentation/config.txt |  5 +++++
> >  http.c                   | 35 +++++++++++++++++++++++++++++++++++
> >  2 files changed, 40 insertions(+)
> >
> > diff --git a/Documentation/config.txt b/Documentation/config.txt
> > index 154683321..7d38f0bf1 100644
> > --- a/Documentation/config.txt
> > +++ b/Documentation/config.txt
> > @@ -1984,6 +1984,11 @@ http.sslCAPath::
> >  	with when fetching or pushing over HTTPS. Can be overridden
> >  	by the `GIT_SSL_CAPATH` environment variable.
> >
> > +http.sslBackend::
> > +	Name of the SSL backend to use (e.g. "openssl" or "schannel").
> > +	This option is ignored if cURL lacks support for choosing the SSL
> > +	backend at runtime.
> > +
> >  http.pinnedpubkey::
> >  	Public key of the https service. It may either be the filename of
> >  	a PEM or DER encoded public key file or a string starting with
> > diff --git a/http.c b/http.c
> > index 98ff12258..7fb37a061 100644
> > --- a/http.c
> > +++ b/http.c
> > @@ -155,6 +155,8 @@ static struct active_request_slot *active_queue_head;
> >
> >  static char *cached_accept_language;
> >
> > +static char *http_ssl_backend;
> > +
> >  size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
> >  {
> >  	size_t size = eltsize * nmemb;
> > @@ -302,6 +304,12 @@ static int http_options(const char *var, const char *value, void *cb)
> >  		curl_ssl_try = git_config_bool(var, value);
> >  		return 0;
> >  	}
> > +	if (!strcmp("http.sslbackend", var)) {
> > +		free(http_ssl_backend);
> > +		http_ssl_backend = xstrdup_or_null(value);
> > +		return 0;
> > +	}
> > +
> >  	if (!strcmp("http.minsessions", var)) {
> >  		min_curl_sessions = git_config_int(var, value);
> >  #ifndef USE_CURL_MULTI
> > @@ -995,6 +1003,33 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
> >  	git_config(urlmatch_config_entry, &config);
> >  	free(normalized_url);
> >
> > +#if LIBCURL_VERSION_NUM >= 0x073800
> > +	if (http_ssl_backend) {
> > +		const curl_ssl_backend **backends;
> > +		struct strbuf buf = STRBUF_INIT;
> > +		int i;
> > +
> > +		switch (curl_global_sslset(-1, http_ssl_backend, &backends)) {
> > +		case CURLSSLSET_UNKNOWN_BACKEND:
> > +			strbuf_addf(&buf, _("Unsupported SSL backend '%s'. "
> > +					    "Supported SSL backends:"),
> > +					    http_ssl_backend);
> > +			for (i = 0; backends[i]; i++)
> > +				strbuf_addf(&buf, "\n\t%s", backends[i]->name);
> > +			die("%s", buf.buf);
> > +		case CURLSSLSET_NO_BACKENDS:
> > +			die(_("Could not set SSL backend to '%s': "
> > +			      "cURL was built without SSL backends"),
> > +			    http_ssl_backend);
> > +		case CURLSSLSET_TOO_LATE:
> > +			die(_("Could not set SSL backend to '%s': already set"),
> > +			    http_ssl_backend);
> > +		case CURLSSLSET_OK:
> > +			break; /* Okay! */
> > +		}
> > +	}
> > +#endif
> > +
> >  	if (curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK)
> >  		die("curl_global_init failed");
> 
> Here's someone who upgraded to 2.20 on Arch linux & started getting
> "Could not set..." errors because of this change:
> https://www.reddit.com/r/git/comments/a5ne5v/git_fatal_could_not_set_ssl_backend_to_openssl/

Yeah, I don't see bug reports that were opened via Reddit.

> I don't know the context well enough, but is there perhaps enough info
> here so we could give a better error message, e.g. "don't set xyz twice
> in your config", or just emit a warning?

This is actually not the symptom of a Git bug, but of a cURL bug that I
fixed in https://github.com/curl/curl/pull/3346. I suspect the fix for
this particular symptom to be
https://github.com/curl/curl/commit/231a328c1c563acb53d8222894975e96bf7e6ea7

(Granted, I introduced that bug, and did not catch it earlier because I
almost never build cURL with a single TLS backend these days, and that is
necessary to trigger the bug.)

According to https://curl.haxx.se/changes.html, this bug fix
(https://curl.haxx.se/bug/?i=3346) made it into v7.63.0, which is one day
old.

Feel free to update that Reddit post (I don't have an account, nor any
inclination to get one).

Ciao,
Dscho

  reply	other threads:[~2018-12-13 13:08 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-15 10:14 [PATCH 0/3] Allow choosing the SSL backend cURL uses (plus related patches) Johannes Schindelin via GitGitGadget
2018-10-15 10:14 ` [PATCH 1/3] http: add support for selecting SSL backends at runtime Johannes Schindelin via GitGitGadget
2018-10-15 14:06   ` Eric Sunshine
2018-10-15 10:14 ` [PATCH 2/3] http: add support for disabling SSL revocation checks in cURL Brendan Forster via GitGitGadget
2018-10-15 14:10   ` Eric Sunshine
2018-10-16 12:21     ` Johannes Schindelin
2018-10-25  3:18     ` Junio C Hamano
2018-10-25  3:29       ` [PATCH] http: give curl version warnings consistently Junio C Hamano
2018-10-25  6:23         ` Jeff King
2018-10-25 19:00         ` Johannes Schindelin
2018-10-26  4:39           ` Junio C Hamano
2018-10-25 12:12       ` [PATCH 2/3] http: add support for disabling SSL revocation checks in cURL Johannes Schindelin
2018-10-16  4:23   ` Junio C Hamano
2018-10-16  6:33     ` Jeff King
2018-10-16 12:25       ` Johannes Schindelin
2018-10-16 15:28         ` Jeff King
2018-10-16 12:22     ` Johannes Schindelin
2018-10-18  1:53       ` Junio C Hamano
2018-10-25 18:52         ` Johannes Schindelin
2018-10-26  4:41           ` Junio C Hamano
2018-10-15 10:14 ` [PATCH 3/3] http: when using Secure Channel, ignore sslCAInfo by default Johannes Schindelin via GitGitGadget
2018-10-25 18:53 ` [PATCH v2 0/3] Allow choosing the SSL backend cURL uses (plus related patches) Johannes Schindelin via GitGitGadget
2018-10-25 18:53   ` [PATCH v2 1/3] http: add support for selecting SSL backends at runtime Johannes Schindelin via GitGitGadget
2018-12-13  9:33     ` Ævar Arnfjörð Bjarmason
2018-12-13 13:08       ` Johannes Schindelin [this message]
2018-12-13 13:15         ` Johannes Schindelin
2018-10-25 18:53   ` [PATCH v2 2/3] http: add support for disabling SSL revocation checks in cURL Brendan Forster via GitGitGadget
2018-10-25 18:53   ` [PATCH v2 3/3] http: when using Secure Channel, ignore sslCAInfo by default Johannes Schindelin via GitGitGadget

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=nycvar.QRO.7.76.6.1812131403310.43@tvgsbejvaqbjf.bet \
    --to=johannes.schindelin@gmx.de \
    --cc=avarab@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=gitgitgadget@gmail.com \
    --cc=gitster@pobox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).