

Merge pull request #3293 from pascalmuller/http-support-automatically…
…-sending-client-certificate

http: Add support for enabling automatic sending of SSL client certificate
dscho authored and Git for Windows Build Agent committed Jun 24, 2021
2 parents 883231e + 80c75f9 commit e17869a
Showing 2 changed files with 27 additions and 4 deletions.
5 changes: 5 additions & 0 deletions Documentation/config/http.txt
@@ -189,6 +189,11 @@ http.schannelUseSSLCAInfo::
when the `schannel` backend was configured via `http.sslBackend`,
unless `http.schannelUseSSLCAInfo` overrides this behavior.

http.sslAutoClientCert::
As of cURL v7.77.0, the Secure Channel backend won't automatically
send client certificates from the Windows Certificate Store anymore.
To opt in to the old behavior, http.sslAutoClientCert can be set.

http.pinnedpubkey::
Public key of the https service. It may either be the filename of
a PEM or DER encoded public key file or a string starting with
26 changes: 22 additions & 4 deletions http.c
@@ -179,6 +179,8 @@ static int http_schannel_check_revoke_mode =
*/
static int http_schannel_use_ssl_cainfo;

static int http_auto_client_cert;

size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
{
size_t size = eltsize * nmemb;
@@ -357,6 +359,11 @@ static int http_options(const char *var, const char *value, void *cb)
return 0;
}

if (!strcmp("http.sslautoclientcert", var)) {
http_auto_client_cert = git_config_bool(var, value);
return 0;
}

if (!strcmp("http.minsessions", var)) {
min_curl_sessions = git_config_int(var, value);
#ifndef USE_CURL_MULTI
@@ -920,13 +927,24 @@ static CURL *get_curl_handle(void)
}
#endif

if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
http_schannel_check_revoke_mode) {
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend)) {
long ssl_options = 0;
if (http_schannel_check_revoke_mode) {
#if LIBCURL_VERSION_NUM >= 0x072c00
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
ssl_options |= http_schannel_check_revoke_mode;
#else
warning(_("CURLSSLOPT_NO_REVOKE not supported with cURL < 7.44.0"));
warning(_("CURLSSLOPT_NO_REVOKE not supported with cURL < 7.44.0"));
#endif
}

if (http_auto_client_cert) {
#if LIBCURL_VERSION_NUM >= 0x074d00
ssl_options |= CURLSSLOPT_AUTO_CLIENT_CERT;
#endif
}

if (ssl_options)
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, ssl_options);
}

if (http_proactive_auth)
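Review bot: `http_auto_client_cert` is declared without a comment, although the flag just above it closes a comment block, and nothing in http.c records what enabling it exposes: per the documentation hunk, Schannel will then send a client certificate from the Windows Certificate Store on its own. I would add `/* Opt in to Schannel automatically sending a client certificate from the Windows Certificate Store (needed as of cURL 7.77.0); off by default. */` above the declaration. In get_curl_handle the `#if LIBCURL_VERSION_NUM >= 0x074d00` block has no `#else`, so a build against older cURL accepts the setting silently while the revocation branch warns; a one-line comment there noting that older cURL sends the certificate unconditionally would explain the asymmetry. Because the certificate identifies the user to whichever server asks for one, the setting is presumably best scoped per host with the `http.<url>.sslAutoClientCert` form rather than set globally, and the documentation entry could say so. The bodies of http_options and get_curl_handle continue outside the hunks shown.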
