Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

http: Add support for enabling automatic sending of SSL client certificate #3293

Merged
merged 1 commit into from
Jun 24, 2021
Merged

http: Add support for enabling automatic sending of SSL client certificate #3293

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 5 additions & 0 deletions Documentation/config/http.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,11 @@ http.schannelUseSSLCAInfo::
when the `schannel` backend was configured via `http.sslBackend`,
unless `http.schannelUseSSLCAInfo` overrides this behavior.

http.sslAutoClientCert::
As of cURL v7.77.0, the Secure Channel backend won't automatically
send client certificates from the Windows Certificate Store anymore.
To opt in to the old behavior, http.sslAutoClientCert can be set.

http.pinnedpubkey::
Public key of the https service. It may either be the filename of
a PEM or DER encoded public key file or a string starting with
Expand Down
26 changes: 22 additions & 4 deletions http.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,8 @@ static int http_schannel_check_revoke_mode =
*/
static int http_schannel_use_ssl_cainfo;

static int http_auto_client_cert;

size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
{
size_t size = eltsize * nmemb;
Expand Down Expand Up @@ -357,6 +359,11 @@ static int http_options(const char *var, const char *value, void *cb)
return 0;
}

if (!strcmp("http.sslautoclientcert", var)) {
http_auto_client_cert = git_config_bool(var, value);
return 0;
}

if (!strcmp("http.minsessions", var)) {
min_curl_sessions = git_config_int(var, value);
#ifndef USE_CURL_MULTI
Expand Down Expand Up @@ -920,13 +927,24 @@ static CURL *get_curl_handle(void)
}
#endif

if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
http_schannel_check_revoke_mode) {
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend)) {
long ssl_options = 0;
if (http_schannel_check_revoke_mode) {
#if LIBCURL_VERSION_NUM >= 0x072c00
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
ssl_options |= http_schannel_check_revoke_mode;
#else
warning(_("CURLSSLOPT_NO_REVOKE not supported with cURL < 7.44.0"));
warning(_("CURLSSLOPT_NO_REVOKE not supported with cURL < 7.44.0"));
#endif
}

if (http_auto_client_cert) {
#if LIBCURL_VERSION_NUM >= 0x074d00
ssl_options |= CURLSSLOPT_AUTO_CLIENT_CERT;
#endif
}

if (ssl_options)
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, ssl_options);
}

if (http_proactive_auth)
Expand Down