git-for-windows/git
1
0
Fork 0
mirror of https://github.com/git-for-windows/git.git synced 2026-03-26 12:56:37 -05:00
Code Issues Packages Projects Releases 335 Wiki Activity

http: optionally send SSL client certificate

Browse Source 
This adds support for a new http.sslAutoClientCert config value.

In cURL 7.77 or later the schannel backend does not automatically send
client certificates from the Windows Certificate Store anymore.

This config value is only used if http.sslBackend is set to "schannel",
and can be used to opt in to the old behavior and force cURL to send
client certificates.

This fixes https://github.com/git-for-windows/git/issues/3292

Signed-off-by: Pascal Muller <pascalmuller@gmail.com>
This commit is contained in:
Pascal Muller
2021-06-23 21:21:10 +02:00
committed by Johannes Schindelin
parent 1d9af59953
commit f5640609ed
2 changed files with 27 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Documentation/config/http.txt
View File

@@ -189,6 +189,11 @@ http.schannelUseSSLCAInfo::
when the `schannel` backend was configured via `http.sslBackend`,
unless `http.schannelUseSSLCAInfo` overrides this behavior.
http.sslAutoClientCert::
As of cURL v7.77.0, the Secure Channel backend won't automatically
send client certificates from the Windows Certificate Store anymore.
To opt in to the old behavior, http.sslAutoClientCert can be set.
http.pinnedpubkey::
Public key of the https service. It may either be the filename of
a PEM or DER encoded public key file or a string starting with

26
http.c
View File

@@ -179,6 +179,8 @@ static int http_schannel_check_revoke_mode =
*/
static int http_schannel_use_ssl_cainfo;
static int http_auto_client_cert;
size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
{
size_t size = eltsize * nmemb;
@@ -357,6 +359,11 @@ static int http_options(const char *var, const char *value, void *cb)
return 0;
}
if (!strcmp("http.sslautoclientcert", var)) {
http_auto_client_cert = git_config_bool(var, value);
return 0;
}
if (!strcmp("http.minsessions", var)) {
min_curl_sessions = git_config_int(var, value);
#ifndef USE_CURL_MULTI
@@ -920,13 +927,24 @@ static CURL *get_curl_handle(void)
}
#endif
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
http_schannel_check_revoke_mode) {
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend)) {
long ssl_options = 0;
if (http_schannel_check_revoke_mode) {
#if LIBCURL_VERSION_NUM >= 0x072c00
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
ssl_options |= http_schannel_check_revoke_mode;
#else
warning(_("CURLSSLOPT_NO_REVOKE not supported with cURL < 7.44.0"));
warning(_("CURLSSLOPT_NO_REVOKE not supported with cURL < 7.44.0"));
#endif
}
if (http_auto_client_cert) {
#if LIBCURL_VERSION_NUM >= 0x074d00
ssl_options |= CURLSSLOPT_AUTO_CLIENT_CERT;
#endif
}
if (ssl_options)
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, ssl_options);
}
if (http_proactive_auth)