Description
TLDR
Git does not set nor expose the SSLENGINE option, which prevents OpenSSL from loading the engine.
Context
Small context in order to avoid an XY problem:
Our root goal here is to have smartcard-based HTTPS authentication that would work on both Unix and Windows systems.
We were able to make a PKCS#11 smartcard work with the native Windows crypto provider, but this meant using the native Windows system for PIN caching, which is local to a process. This did not fit very well with Git, and even less so with our repo using quite a lot of submodules.
This is why we ended up trying to use PKCS#11 URIs with the OpenSSL backend.
Technical
We configured our Git with the following:
[http]
sslBackend = openssl
sslCert = "pkcs11:...."
sslCertType = ENG
sslKey = "pkcs11:..."
sslKeyType = ENG
sslCertPasswordProtected = 1
On Linux this worked fine, but on Windows it did not, despite having installed the OpenSC drivers and configured OpenSSL to use them (it seems that Git ignores the OpenSSL config file).
I ended up trying the same URI with curl which, to my surprise, worked fine. This was even more surprising as both Git and curl rely on the same libcurl.
Digging into the differences between curl and Git, it seems that Git does not set (nor exposes) the CURLOPT_SSLENGINE option, which needs to be set to "pkcs11" for this to work.
On the curl side, when it sees "pkcs11:" in the certificate it automatically assumes an ENG type and sets SSLENGINE accordingly.
I made a fix proposal based on curl's code; PR incoming.
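To make the difference described above concrete, here is an added illustration (not Git's or curl's own code) of the two ways the libcurl TLS client options can be derived from the same cert/key settings: the curl-tool style, where a "pkcs11:" URI implies type ENG plus engine "pkcs11", and the Git style, where the types are passed through from http.sslCertType / http.sslKeyType but no engine is ever selected. The struct fields, the helper names and the sample URIs are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the values handed to libcurl; each field is
 * annotated with the CURLOPT_* option it stands for. */
struct tls_client_opts {
    const char *cert;       /* CURLOPT_SSLCERT */
    const char *cert_type;  /* CURLOPT_SSLCERTTYPE: "PEM", "DER", "ENG", ... */
    const char *key;        /* CURLOPT_SSLKEY */
    const char *key_type;   /* CURLOPT_SSLKEYTYPE */
    const char *engine;     /* CURLOPT_SSLENGINE, NULL when never set */
};

static int is_pkcs11_uri(const char *s)
{
    return s != NULL && strncmp(s, "pkcs11:", 7) == 0;
}

/* curl-tool style, as described in the issue: an explicit type wins,
 * otherwise a "pkcs11:" URI implies ENG, and the engine is set to "pkcs11". */
void derive_opts_curl_style(const char *cert, const char *cert_type,
                            const char *key, const char *key_type,
                            struct tls_client_opts *out)
{
    out->cert = cert;
    out->key = key;
    out->cert_type = cert_type ? cert_type : (is_pkcs11_uri(cert) ? "ENG" : NULL);
    out->key_type = key_type ? key_type : (is_pkcs11_uri(key) ? "ENG" : NULL);
    out->engine = (is_pkcs11_uri(cert) || is_pkcs11_uri(key)) ? "pkcs11" : NULL;
}

/* Git style, as described in the issue: types come straight from the
 * http.* config and CURLOPT_SSLENGINE is never set. */
void derive_opts_git_style(const char *cert, const char *cert_type,
                           const char *key, const char *key_type,
                           struct tls_client_opts *out)
{
    out->cert = cert;
    out->cert_type = cert_type;
    out->key = key;
    out->key_type = key_type;
    out->engine = NULL;
}

/* ENG-typed material without an engine is the unusable combination:
 * OpenSSL has nothing to load the object from. */
int opts_consistent(const struct tls_client_opts *o)
{
    int eng = (o->cert_type && strcmp(o->cert_type, "ENG") == 0) ||
              (o->key_type && strcmp(o->key_type, "ENG") == 0);
    return !eng || o->engine != NULL;
}
```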
Notes
Since I had the issue on Windows I opened the issue here, but it might be more suitable to open it on the main Git project (sorry, I don't know the full extent of the differences between Git and Git for Windows).
Also, I saw that the OpenSSL backend on Windows was kind of legacy; are we expected to see it disappear in the times to come?