http: add support for selecting SSL backends at runtime
The Pull Request at curl/curl#1601 adds support
for choosing the SSL backend at runtime to cURL, and will hopefully be
merged before version 7.56.0 comes out.

Git for Windows will ship with those patches backported to 7.54.1 (and
come August 9th, 2017, 7.55.0 and later).

This patch adds the Git side of that feature: by setting http.sslBackend
to "openssl" or "schannel", Git for Windows can now choose the SSL
backend at runtime.

This comes in handy because Secure Channel ("schannel") is the native
Windows solution, accessing the Windows Credential Store, thereby
allowing for enterprise-wide management of certificates. For historical
reasons, Git for Windows needs to support OpenSSL still, as it has
previously been the only supported SSL backend in Git for Windows for
almost a decade.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
dscho committed Aug 2, 2017
1 parent 656f071 commit d81216e
Showing 2 changed files with 28 additions and 0 deletions.
5 changes: 5 additions & 0 deletions Documentation/config.txt
Expand Up @@ -1948,6 +1948,11 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden
by the `GIT_SSL_CAPATH` environment variable.

http.sslBackend::
Name of the SSL backend to use (e.g. "openssl" or "schannel").
This option is ignored if cURL lacks support for choosing the SSL
backend at runtime.

http.pinnedpubkey::
Public key of the https service. It may either be the filename of
a PEM or DER encoded public key file or a string starting with
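Review bot: The new http.sslBackend entry names "openssl" and "schannel" only as examples and covers the case where cURL lacks runtime selection, but it does not say what happens when the name is not one the linked cURL supports. The http.c change in this same commit dies with "Unsupported SSL backend" in that case, so the text should state that an unsupported name is a fatal error and say how to find the accepted values; otherwise a config copied between machines fails hard in a way the documentation does not predict.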
23 changes: 23 additions & 0 deletions http.c
Expand Up @@ -291,6 +291,29 @@ static int http_options(const char *var, const char *value, void *cb)
curl_ssl_try = git_config_bool(var, value);
return 0;
}
#if LIBCURL_VERSION_NUM >= 0x073800 || \
defined(CURL_WITH_EXPERIMENTAL_SSL_BACKEND_SUPPORT)
if (!strcmp("http.sslbackend", var)) {
const curl_ssl_backend **backends;
struct strbuf buf = STRBUF_INIT;
int i;

switch (curl_global_sslset(-1, value, &backends)) {
case CURLSSLSET_UNKNOWN_BACKEND:
strbuf_addf(&buf, _("Unsupported SSL backend '%s'. "
"Supported SSL backends:"), value);
for (i = 0; backends[i]; i++)
strbuf_addf(&buf, "\n\t%s", backends[i]->name);
die(buf.buf);
case CURLSSLSET_TOO_LATE:
die(_("Could not set SSL backend to '%s': already set"),
value);
case CURLSSLSET_OK:
break; /* Okay! */
}
}
#endif

if (!strcmp("http.minsessions", var)) {
min_curl_sessions = git_config_int(var, value);
#ifndef USE_CURL_MULTI
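Review bot: In the CURLSSLSET_UNKNOWN_BACKEND branch, die(buf.buf) passes a string built from the config value as the format string, so a '%' in http.sslBackend (or in a backend name) is interpreted as a conversion specifier; use die("%s", buf.buf) instead. Also, unlike the handler just above, which ends in return 0, the new block falls through to the remaining strcmp checks after CURLSSLSET_OK, and value reaches curl_global_sslset without a NULL check for a valueless key; add return 0 after the switch and reject a missing value before the call.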

2 comments on commit d81216e

@GalvinGao

I don't know if that's appropriate to comment at such place, but I've found out that a large amount of people are having trouble with this question here:

fatal: Could not set SSL backend to 'schannel': already set

To solve this issue, simply run `git config --global --unset http.sslBackend` in your Git Bash.

Administrators: If you found out that this comment is inappropriate, please E-Mail me or contact me with any method you would like, and I will remove this comment as soon as I got the message that says this comment should not be here. Sorry first for the mis-use of commit comment.

@dscho
Member Author

@dscho dscho commented on d81216e May 1, 2018

> I don't know if that's appropriate to comment at such place

In general, commit comments are only noted by the original authors. So a much better idea would be to report this as a bug at https://github.com/git-for-windows/git/issues/new, or via the Git mailing list or the Git for Windows mailing list.

> I've found out that a large amount of people are having trouble with this question here:
>
> fatal: Could not set SSL backend to 'schannel': already set

That suggests that a large amount of people do not upgrade their Git for Windows version.

> If you found out that this comment is inappropriate, please E-Mail me or contact me with any method you would like, and I will remove this comment as soon as I got the message that says this comment should not be here. Sorry first for the mis-use of commit comment.

No need to delete it. (And I can't E-Mail you, as I do not have your email address.)
