http: optionally send SSL client certificate
This adds support for a new http.sslAutoClientCert config value. In cURL 7.77 or later the schannel backend does not automatically send client certificates from the Windows Certificate Store anymore. This config value is only used if http.sslBackend is set to "schannel", and can be used to opt in to the old behavior and force cURL to send client certificates. This fixes https://github.com/git-for-windows/git/issues/3292 Signed-off-by: Pascal Muller <pascalmuller@gmail.com>
Родитель
0d6d69d580
Коммит
d6480d9877
@ -205,6 +205,11 @@ http.schannelUseSSLCAInfo::
|
||||||
when the `schannel` backend was configured via `http.sslBackend`,
|
when the `schannel` backend was configured via `http.sslBackend`,
|
||||||
unless `http.schannelUseSSLCAInfo` overrides this behavior.
|
unless `http.schannelUseSSLCAInfo` overrides this behavior.
|
||||||
|
|
||||||
|
http.sslAutoClientCert::
|
||||||
|
As of cURL v7.77.0, the Secure Channel backend won't automatically
|
||||||
|
send client certificates from the Windows Certificate Store anymore.
|
||||||
|
To opt in to the old behavior, http.sslAutoClientCert can be set.
|
||||||
|
|
||||||
http.pinnedPubkey::
|
http.pinnedPubkey::
|
||||||
Public key of the https service. It may either be the filename of
|
Public key of the https service. It may either be the filename of
|
||||||
a PEM or DER encoded public key file or a string starting with
|
a PEM or DER encoded public key file or a string starting with
|
||||||
|
|
|
@ -134,4 +134,12 @@
|
||||||
#define GIT_CURL_HAVE_CURLOPT_PROTOCOLS_STR 1
|
#define GIT_CURL_HAVE_CURLOPT_PROTOCOLS_STR 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* CURLSSLOPT_AUTO_CLIENT_CERT was added in 7.77.0, released in May
|
||||||
|
* 2021.
|
||||||
|
*/
|
||||||
|
#if LIBCURL_VERSION_NUM >= 0x074d00
|
||||||
|
#define GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT
|
||||||
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
26
http.c
26
http.c
|
@ -155,6 +155,8 @@ static int http_schannel_check_revoke_mode =
|
||||||
*/
|
*/
|
||||||
static int http_schannel_use_ssl_cainfo;
|
static int http_schannel_use_ssl_cainfo;
|
||||||
|
|
||||||
|
static int http_auto_client_cert;
|
||||||
|
|
||||||
size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
|
size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
|
||||||
{
|
{
|
||||||
size_t size = eltsize * nmemb;
|
size_t size = eltsize * nmemb;
|
||||||
|
@ -430,6 +432,11 @@ static int http_options(const char *var, const char *value, void *cb)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!strcmp("http.sslautoclientcert", var)) {
|
||||||
|
http_auto_client_cert = git_config_bool(var, value);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (!strcmp("http.minsessions", var)) {
|
if (!strcmp("http.minsessions", var)) {
|
||||||
min_curl_sessions = git_config_int(var, value);
|
min_curl_sessions = git_config_int(var, value);
|
||||||
if (min_curl_sessions > 1)
|
if (min_curl_sessions > 1)
|
||||||
|
@ -1004,13 +1011,24 @@ static CURL *get_curl_handle(void)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
|
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend)) {
|
||||||
http_schannel_check_revoke_mode) {
|
long ssl_options = 0;
|
||||||
|
if (http_schannel_check_revoke_mode) {
|
||||||
#ifdef GIT_CURL_HAVE_CURLSSLOPT_NO_REVOKE
|
#ifdef GIT_CURL_HAVE_CURLSSLOPT_NO_REVOKE
|
||||||
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
|
ssl_options |= http_schannel_check_revoke_mode;
|
||||||
#else
|
#else
|
||||||
warning(_("CURLSSLOPT_NO_REVOKE not supported with cURL < 7.44.0"));
|
warning(_("CURLSSLOPT_NO_REVOKE not supported with cURL < 7.44.0"));
|
||||||
#endif
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
if (http_auto_client_cert) {
|
||||||
|
#ifdef GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT
|
||||||
|
ssl_options |= CURLSSLOPT_AUTO_CLIENT_CERT;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ssl_options)
|
||||||
|
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, ssl_options);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (http_proactive_auth)
|
if (http_proactive_auth)
|
||||||
|
|
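Review bot: The `if (http_auto_client_cert)` branch in `get_curl_handle` silently does nothing when `GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT` is undefined, while the revoke-mode branch directly above it emits a warning for too-old cURL, and that asymmetry reads as an oversight unless explained. Going by the commit message the silence is actually correct there, since cURL before 7.77.0 already sends Windows Certificate Store client certificates on its own, so a comment inside the `#ifdef` block such as `/* cURL < 7.77.0 sends store client certs by default, so nothing to do here */` would document it. It is also worth noting next to `if (http_auto_client_cert)` that the setting restores presenting a store certificate to servers that request one, which is what cURL 7.77.0 stopped doing by default; the http.txt change only describes it as the "old behavior", so a reader of this code has no hint of what is being opted back into. `get_curl_handle` begins and ends outside the hunk.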