From f6f2a9e42d14e61429af418d8038aa67049b3821 Mon Sep 17 00:00:00 2001 From: Lars Kellogg-Stedman Date: Fri, 8 May 2015 09:22:15 -0400 Subject: [PATCH] http: add support for specifying an SSL cipher list Teach git about a new option, "http.sslCipherList", which permits one to specify a list of ciphers to use when negotiating SSL connections. The setting can be overwridden by the GIT_SSL_CIPHER_LIST environment variable. Signed-off-by: Lars Kellogg-Stedman Signed-off-by: Junio C Hamano --- Documentation/config.txt | 13 +++++++++++++ contrib/completion/git-completion.bash | 1 + http.c | 10 ++++++++++ 3 files changed, 24 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 1a8ddb41c7..0a01bf930b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1561,6 +1561,19 @@ http.savecookies:: If set, store cookies received during requests to the file specified by http.cookiefile. Has no effect if http.cookiefile is unset. +http.sslCipherList:: + A list of SSL ciphers to use when negotiating an SSL connection. + The available ciphers depend on whether libcurl was built against + NSS or OpenSSL and the particular configuration of the crypto + library in use. Internally this sets the 'CURLOPT_SSL_CIPHER_LIST' + option; see the libcurl documentation for more details on the format + of this list. ++ +Can be overridden by the 'GIT_SSL_CIPHER_LIST' environment variable. +To force git to use libcurl's default cipher list and ignore any +explicit http.sslCipherList option, set 'GIT_SSL_CIPHER_LIST' to the +empty string. + http.sslVerify:: Whether to verify the SSL certificate when fetching or pushing over HTTPS. Can be overridden by the 'GIT_SSL_NO_VERIFY' environment diff --git a/contrib/completion/git-completion.bash b/contrib/completion/git-completion.bash index 16205467b1..e8ae621a30 100644 --- a/contrib/completion/git-completion.bash +++ b/contrib/completion/git-completion.bash @@ -2123,6 +2123,7 @@ _git_config () http.noEPSV http.postBuffer http.proxy + http.sslCipherList http.sslCAInfo http.sslCAPath http.sslCert diff --git a/http.c b/http.c index 6798620065..c5e9479659 100644 --- a/http.c +++ b/http.c @@ -35,6 +35,7 @@ char curl_errorstr[CURL_ERROR_SIZE]; static int curl_ssl_verify = -1; static int curl_ssl_try; static const char *ssl_cert; +static const char *ssl_cipherlist; #if LIBCURL_VERSION_NUM >= 0x070903 static const char *ssl_key; #endif @@ -153,6 +154,8 @@ static int http_options(const char *var, const char *value, void *cb) curl_ssl_verify = git_config_bool(var, value); return 0; } + if (!strcmp("http.sslcipherlist", var)) + return git_config_string(&ssl_cipherlist, var, value); if (!strcmp("http.sslcert", var)) return git_config_string(&ssl_cert, var, value); #if LIBCURL_VERSION_NUM >= 0x070903 @@ -327,6 +330,13 @@ static CURL *get_curl_handle(void) if (http_proactive_auth) init_curl_http_auth(result); + if (getenv("GIT_SSL_CIPHER_LIST")) + ssl_cipherlist = getenv("GIT_SSL_CIPHER_LIST"); + + if (ssl_cipherlist != NULL && *ssl_cipherlist) + curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST, + ssl_cipherlist); + if (ssl_cert != NULL) curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert); if (has_cert_password())