http: add support for specifying an SSL cipher list

Teach git about a new option, "http.sslCipherList", which permits one to
specify a list of ciphers to use when negotiating SSL connections.  The
setting can be overridden by the GIT_SSL_CIPHER_LIST environment
variable.

Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Lars Kellogg-Stedman 2015-05-08 09:22:15 -04:00 committed by Junio C Hamano
parent 16018ae5fb
commit f6f2a9e42d
3 changed files with 24 additions and 0 deletions

@ -1561,6 +1561,19 @@ http.savecookies::
If set, store cookies received during requests to the file specified by If set, store cookies received during requests to the file specified by
http.cookiefile. Has no effect if http.cookiefile is unset. http.cookiefile. Has no effect if http.cookiefile is unset.
http.sslCipherList::
A list of SSL ciphers to use when negotiating an SSL connection.
The available ciphers depend on whether libcurl was built against
NSS or OpenSSL and the particular configuration of the crypto
library in use. Internally this sets the 'CURLOPT_SSL_CIPHER_LIST'
option; see the libcurl documentation for more details on the format
of this list.
+
Can be overridden by the 'GIT_SSL_CIPHER_LIST' environment variable.
To force git to use libcurl's default cipher list and ignore any
explicit http.sslCipherList option, set 'GIT_SSL_CIPHER_LIST' to the
empty string.
http.sslVerify:: http.sslVerify::
Whether to verify the SSL certificate when fetching or pushing Whether to verify the SSL certificate when fetching or pushing
over HTTPS. Can be overridden by the 'GIT_SSL_NO_VERIFY' environment over HTTPS. Can be overridden by the 'GIT_SSL_NO_VERIFY' environment
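Review bot: the fallback paragraph only tells readers how to get libcurl's default list back through the environment variable, yet the http.c hunk in this same commit applies the list only when it is non-empty, so an empty `http.sslCipherList` config value has the same effect; say so here or the two mechanisms look asymmetric. It would also help to name the CURLOPT_SSL_CIPHER_LIST(3) page directly instead of "the libcurl documentation", since the text itself notes that the accepted syntax differs between the OpenSSL and NSS backends, and a list that matches nothing causes a failed handshake rather than a silent fallback, which is worth one sentence for anyone hardening this setting.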

@ -2123,6 +2123,7 @@ _git_config ()
http.noEPSV http.noEPSV
http.postBuffer http.postBuffer
http.proxy http.proxy
http.sslCipherList
http.sslCAInfo http.sslCAInfo
http.sslCAPath http.sslCAPath
http.sslCert http.sslCert
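Review bot: the new `http.sslCipherList` entry is out of alphabetical order in this list; the neighbours run http.sslCAInfo, http.sslCAPath, http.sslCert, and "Cert" sorts before "CipherList", so the line belongs after http.sslCert rather than between http.proxy and http.sslCAInfo.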

http.c

@ -35,6 +35,7 @@ char curl_errorstr[CURL_ERROR_SIZE];
static int curl_ssl_verify = -1; static int curl_ssl_verify = -1;
static int curl_ssl_try; static int curl_ssl_try;
static const char *ssl_cert; static const char *ssl_cert;
static const char *ssl_cipherlist;
#if LIBCURL_VERSION_NUM >= 0x070903 #if LIBCURL_VERSION_NUM >= 0x070903
static const char *ssl_key; static const char *ssl_key;
#endif #endif
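Review bot: `ssl_cipherlist` is declared unconditionally while `ssl_key` two lines below sits inside `#if LIBCURL_VERSION_NUM >= 0x070903`; if CURLOPT_SSL_CIPHER_LIST is available in every libcurl version git still builds against, a one-line comment saying so would spare the next reader from wondering whether the matching `curl_easy_setopt` in get_curl_handle needs the same guard.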
@ -153,6 +154,8 @@ static int http_options(const char *var, const char *value, void *cb)
curl_ssl_verify = git_config_bool(var, value); curl_ssl_verify = git_config_bool(var, value);
return 0; return 0;
} }
if (!strcmp("http.sslcipherlist", var))
return git_config_string(&ssl_cipherlist, var, value);
if (!strcmp("http.sslcert", var)) if (!strcmp("http.sslcert", var))
return git_config_string(&ssl_cert, var, value); return git_config_string(&ssl_cert, var, value);
#if LIBCURL_VERSION_NUM >= 0x070903 #if LIBCURL_VERSION_NUM >= 0x070903
@ -327,6 +330,13 @@ static CURL *get_curl_handle(void)
if (http_proactive_auth) if (http_proactive_auth)
init_curl_http_auth(result); init_curl_http_auth(result);
if (getenv("GIT_SSL_CIPHER_LIST"))
ssl_cipherlist = getenv("GIT_SSL_CIPHER_LIST");
if (ssl_cipherlist != NULL && *ssl_cipherlist)
curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST,
ssl_cipherlist);
if (ssl_cert != NULL) if (ssl_cert != NULL)
curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert); curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
if (has_cert_password()) if (has_cert_password())
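Review bot: `getenv("GIT_SSL_CIPHER_LIST")` is called twice in a row; read it once into a local and test that instead, e.g. `const char *env = getenv("GIT_SSL_CIPHER_LIST"); if (env) ssl_cipherlist = env;`. Overwriting `ssl_cipherlist` with the getenv pointer also drops the copy that `git_config_string` allocated for the config value, and because this runs in get_curl_handle the override is re-evaluated (and the small leak repeated) for every handle rather than once at init. The `*ssl_cipherlist` guard is right: it makes an empty value mean "libcurl default" exactly as the documentation hunk promises, and a non-empty list can only narrow what libcurl will negotiate, with a list that matches no available cipher surfacing as a failed connection rather than a silently weaker one.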