http: use new "best effort" strategy for Secure Channel revoke checking
The native Windows HTTPS backend is based on Secure Channel, which lets the caller decide how to handle revocation checking problems caused by missing information in the certificate or offline CRL distribution points. Unfortunately, cURL chose to handle these problems differently than OpenSSL by default: while OpenSSL happily ignores those problems (essentially saying "¯\_(ツ)_/¯"), the Secure Channel backend will error out instead. As a remedy, the "no revoke" mode was introduced, which turns off revocation checking altogether. This is a bit heavy-handed. We support this via the `http.schannelCheckRevoke` setting. In https://github.com/curl/curl/pull/4981, we contributed an opt-in "best effort" strategy that emulates what OpenSSL seems to do. In Git for Windows, we actually want this to be the default. This patch makes it so, introducing it as a new value for the `http.schannelCheckRevoke` setting, which now becomes a tristate: it accepts the values "false", "true" or "best-effort" (defaulting to the last one). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
committed by
Git for Windows Build Agent
parent
449904e090
commit
92afeca70c
25
http.c
25
http.c
@@ -150,7 +150,12 @@ static char *cached_accept_language;
static char *http_ssl_backend;
static int http_schannel_check_revoke = 1;
static long http_schannel_check_revoke_mode =
#ifdef CURLSSLOPT_REVOKE_BEST_EFFORT
CURLSSLOPT_REVOKE_BEST_EFFORT;
#else
CURLSSLOPT_NO_REVOKE;
#endif
static long http_retry_after = 0;
static long http_max_retries = 0;
@@ -430,7 +435,19 @@ static int http_options(const char *var, const char *value,
}
if (!strcmp("http.schannelcheckrevoke", var)) {
http_schannel_check_revoke = git_config_bool(var, value);
if (value && !strcmp(value, "best-effort")) {
http_schannel_check_revoke_mode =
#ifdef CURLSSLOPT_REVOKE_BEST_EFFORT
CURLSSLOPT_REVOKE_BEST_EFFORT;
#else
CURLSSLOPT_NO_REVOKE;
warning(_("%s=%s unsupported by current cURL"),
var, value);
#endif
} else
http_schannel_check_revoke_mode =
(git_config_bool(var, value) ?
0 : CURLSSLOPT_NO_REVOKE);
return 0;
}
@@ -1079,8 +1096,8 @@ static CURL *get_curl_handle(void)
#endif
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
!http_schannel_check_revoke) {
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_NO_REVOKE);
http_schannel_check_revoke_mode) {
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
}
if (http_proactive_auth != PROACTIVE_AUTH_NONE)
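Review bot: The `#else` fallback in the new default initializer for `http_schannel_check_revoke_mode` (first hunk) selects `CURLSSLOPT_NO_REVOKE`, so a build against a cURL that lacks `CURLSSLOPT_REVOKE_BEST_EFFORT` silently moves from the previous default of full revocation checking (the removed `http_schannel_check_revoke = 1`) to no revocation checking at all, and unlike the explicit `best-effort` path in http_options it emits no warning. Since 0 is what the `"true"` branch stores and is the mode that leaves cURL's revocation checking enabled, the conservative fallback would be `#else` / `0; /* no best-effort support: keep full revocation checking rather than none */`, preserving the pre-patch default; the same fallback would arguably suit the `#else` branch in http_options, since a user who asks for best-effort is unlikely to want checking disabled outright. If the fail-open fallback is intentional because Git for Windows always ships a cURL that has the option, a comment at the declaration stating that assumption would make the choice explicit for anyone building against a system cURL. http_options and get_curl_handle both start and end outside their hunks.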