Merge pull request #2535 from dscho/schannel-revoke-best-effort

Introduce and use the new "best effort" strategy for Secure Channel revoke checking
Johannes Schindelin
2020-03-05 00:37:36 +01:00
committed by Git for Windows Build Agent
2 changed files with 28 additions and 9 deletions


@@ -233,11 +233,13 @@ http.sslKeyType::
http.schannelCheckRevoke::
Used to enforce or disable certificate revocation checks in cURL
when http.sslBackend is set to "schannel". Defaults to `true` if
unset. Only necessary to disable this if Git consistently errors
and the message is about checking the revocation status of a
certificate. This option is ignored if cURL lacks support for
setting the relevant SSL option at runtime.
when http.sslBackend is set to "schannel" via "true" and "false",
respectively. Another accepted value is "best-effort" (the default)
in which case revocation checks are performed, but errors due to
revocation list distribution points that are offline are silently
ignored, as well as errors due to certificates missing revocation
list distribution points. This option is ignored if cURL lacks
support for setting the relevant SSL option at runtime.
http.schannelUseSSLCAInfo::
As of cURL v7.60.0, the Secure Channel backend can use the

25
http.c

@@ -150,7 +150,12 @@ static char *cached_accept_language;
static char *http_ssl_backend;
static int http_schannel_check_revoke = 1;
static long http_schannel_check_revoke_mode =
#ifdef CURLSSLOPT_REVOKE_BEST_EFFORT
CURLSSLOPT_REVOKE_BEST_EFFORT;
#else
CURLSSLOPT_NO_REVOKE;
#endif
static long http_retry_after = 0;
static long http_max_retries = 0;
@@ -430,7 +435,19 @@ static int http_options(const char *var, const char *value,
}
if (!strcmp("http.schannelcheckrevoke", var)) {
http_schannel_check_revoke = git_config_bool(var, value);
if (value && !strcmp(value, "best-effort")) {
http_schannel_check_revoke_mode =
#ifdef CURLSSLOPT_REVOKE_BEST_EFFORT
CURLSSLOPT_REVOKE_BEST_EFFORT;
#else
CURLSSLOPT_NO_REVOKE;
warning(_("%s=%s unsupported by current cURL"),
var, value);
#endif
} else
http_schannel_check_revoke_mode =
(git_config_bool(var, value) ?
0 : CURLSSLOPT_NO_REVOKE);
return 0;
}
@@ -1079,8 +1096,8 @@ static CURL *get_curl_handle(void)
#endif
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
!http_schannel_check_revoke) {
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_NO_REVOKE);
http_schannel_check_revoke_mode) {
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
}
if (http_proactive_auth != PROACTIVE_AUTH_NONE)
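Review bot: When CURLSSLOPT_REVOKE_BEST_EFFORT is not defined, both `#else` branches in this file — the new static initializer of `http_schannel_check_revoke_mode` and the explicit `best-effort` branch in http_options() — fall back to `CURLSSLOPT_NO_REVOKE`, which disables revocation checking entirely; that is a fail-open downgrade from the previous default `http_schannel_check_revoke = 1` (full checks), and the default-initializer case emits no warning at all. Falling back to `0` instead leaves cURL's full revocation checks in place, keeps the old security posture on such builds, and matches the "revocation checks are performed" wording the documentation hunk promises for the default, e.g. replace `CURLSSLOPT_NO_REVOKE;` with `0; /* no best-effort support: keep full revocation checks rather than none */` in both `#else` branches. The warning for an explicit `best-effort` could then state the effect, e.g. `warning(_("%s=%s unsupported by current cURL, falling back to full revocation checks"), var, value);`. Both http_options() and get_curl_handle() start and end outside the hunks shown here.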