
Merge pull request #3293 from pascalmuller/http-support-automatically…
…-sending-client-certificate

http: Add support for enabling automatic sending of SSL client certificate
dscho committed Jan 7, 2025
2 parents f9f50a8 + 8a42909 commit 1057f0d
Showing 3 changed files with 34 additions and 3 deletions.
5 changes: 5 additions & 0 deletions Documentation/config/http.txt
Expand Up @@ -234,6 +234,11 @@ http.schannelUseSSLCAInfo::
when the `schannel` backend was configured via `http.sslBackend`,
unless `http.schannelUseSSLCAInfo` overrides this behavior.

http.sslAutoClientCert::
As of cURL v7.77.0, the Secure Channel backend won't automatically
send client certificates from the Windows Certificate Store anymore.
To opt in to the old behavior, http.sslAutoClientCert can be set.

http.pinnedPubkey::
Public key of the https service. It may either be the filename of
a PEM or DER encoded public key file or a string starting with
8 changes: 8 additions & 0 deletions git-curl-compat.h
Expand Up @@ -45,4 +45,12 @@
#define GIT_CURL_HAVE_CURLOPT_PROTOCOLS_STR 1
#endif

/**
* CURLSSLOPT_AUTO_CLIENT_CERT was added in 7.77.0, released in May
* 2021.
*/
#if LIBCURL_VERSION_NUM >= 0x074d00
#define GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT
#endif

#endif
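Review bot: The new guard macro is defined without a value at `#define GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT`, while the neighbouring one in the same hunk reads `#define GIT_CURL_HAVE_CURLOPT_PROTOCOLS_STR 1`. Both forms satisfy the `#ifdef` test used in http.c, but mixing them means a later `#if GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT` test would fail to compile against the empty definition. `#define GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT 1` keeps the header consistent with the existing entries.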
24 changes: 21 additions & 3 deletions http.c
Expand Up @@ -157,6 +157,8 @@ static int http_schannel_check_revoke_mode =
*/
static int http_schannel_use_ssl_cainfo;

static int http_auto_client_cert;

static int always_auth_proactively(void)
{
return http_proactive_auth != PROACTIVE_AUTH_NONE &&
Expand Down Expand Up @@ -445,6 +447,11 @@ static int http_options(const char *var, const char *value,
return 0;
}

if (!strcmp("http.sslautoclientcert", var)) {
http_auto_client_cert = git_config_bool(var, value);
return 0;
}

if (!strcmp("http.minsessions", var)) {
min_curl_sessions = git_config_int(var, value, ctx->kvi);
if (min_curl_sessions > 1)
Expand Down Expand Up @@ -1062,9 +1069,20 @@ static CURL *get_curl_handle(void)
}
#endif

if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
http_schannel_check_revoke_mode) {
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend)) {
long ssl_options = 0;
if (http_schannel_check_revoke_mode) {
ssl_options |= http_schannel_check_revoke_mode;
}

if (http_auto_client_cert) {
#ifdef GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT
ssl_options |= CURLSSLOPT_AUTO_CLIENT_CERT;
#endif
}

if (ssl_options)
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, ssl_options);
}

if (http_proactive_auth != PROACTIVE_AUTH_NONE)
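Review bot: When `http_auto_client_cert` is set but `GIT_CURL_HAVE_CURLSSLOPT_AUTO_CLIENT_CERT` is not defined, the `#ifdef` inside the rewritten schannel branch of get_curl_handle() leaves the `if (http_auto_client_cert)` body empty, so a user who explicitly configured `http.sslAutoClientCert` silently gets the default non-sending behaviour with no indication that the setting was ignored. An `#else` branch would make that visible: `#else` / `warning(_("http.sslAutoClientCert is not supported by this libcurl; it requires libcurl >= 7.77.0"));` / `#endif`. Because the option re-enables automatic client-certificate selection that upstream cURL turned off by default, presumably because a server that requests a certificate thereby learns the client's identity, telling the user their opt-in did not take effect is preferable to diverging from the configuration without notice. The body of get_curl_handle() continues outside the hunk.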
