mirror of
https://github.com/git/git.git
synced 2025-01-27 09:53:42 +08:00
http: when using Secure Channel, ignore sslCAInfo by default
As of cURL v7.60.0, the Secure Channel backend can use the certificate bundle provided via `http.sslCAInfo`, but that would override the Windows Certificate Store. Since this is not desirable by default, let's tell Git to not ask cURL to use that bundle by default when the `schannel` backend was configured via `http.sslBackend`, unless `http.schannelUseSSLCAInfo` overrides this behavior. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
parent
93aef7c79b
commit
b67d40adbb
@ -2249,6 +2249,14 @@ http.schannelCheckRevoke::
|
||||
certificate. This option is ignored if cURL lacks support for
|
||||
setting the relevant SSL option at runtime.
|
||||
|
||||
http.schannelUseSSLCAInfo::
|
||||
As of cURL v7.60.0, the Secure Channel backend can use the
|
||||
certificate bundle provided via `http.sslCAInfo`, but that would
|
||||
override the Windows Certificate Store. Since this is not desirable
|
||||
by default, Git will tell cURL not to use that bundle by default
|
||||
when the `schannel` backend was configured via `http.sslBackend`,
|
||||
unless `http.schannelUseSSLCAInfo` overrides this behavior.
|
||||
|
||||
http.pinnedpubkey::
|
||||
Public key of the https service. It may either be the filename of
|
||||
a PEM or DER encoded public key file or a string starting with
|
||||
|
19
http.c
19
http.c
@ -158,6 +158,12 @@ static char *cached_accept_language;
|
||||
static char *http_ssl_backend;
|
||||
|
||||
static int http_schannel_check_revoke = 1;
|
||||
/*
|
||||
* With the backend being set to `schannel`, setting sslCAinfo would override
|
||||
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
|
||||
* by default.
|
||||
*/
|
||||
static int http_schannel_use_ssl_cainfo;
|
||||
|
||||
size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
|
||||
{
|
||||
@ -317,6 +323,11 @@ static int http_options(const char *var, const char *value, void *cb)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!strcmp("http.schannelusesslcainfo", var)) {
|
||||
http_schannel_use_ssl_cainfo = git_config_bool(var, value);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!strcmp("http.minsessions", var)) {
|
||||
min_curl_sessions = git_config_int(var, value);
|
||||
#ifndef USE_CURL_MULTI
|
||||
@ -869,7 +880,13 @@ static CURL *get_curl_handle(void)
|
||||
if (ssl_pinnedkey != NULL)
|
||||
curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
|
||||
#endif
|
||||
if (ssl_cainfo != NULL)
|
||||
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
|
||||
!http_schannel_use_ssl_cainfo) {
|
||||
curl_easy_setopt(result, CURLOPT_CAINFO, NULL);
|
||||
#if LIBCURL_VERSION_NUM >= 0x073400
|
||||
curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL);
|
||||
#endif
|
||||
} else if (ssl_cainfo != NULL)
|
||||
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
|
||||
|
||||
if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {
|
||||
|
Loading…
Reference in New Issue
Block a user