From: Junio C Hamano <gitster@pobox•com>
To: Lars Kellogg-Stedman <lars@redhat•com>
Cc: git@vger•kernel.org
Subject: Re: [PATCH v3] http: add support for specifying an SSL cipher list
Date: Thu, 07 May 2015 13:51:32 -0700 [thread overview]
Message-ID: <xmqqegmsnmaz.fsf@gitster.dls.corp.google.com> (raw)
In-Reply-To: <1431022630-7005-1-git-send-email-lars@redhat.com> (Lars Kellogg-Stedman's message of "Thu, 7 May 2015 14:17:10 -0400")
Lars Kellogg-Stedman <lars@redhat•com> writes:
> Teach git about a new option, "http.sslCipherList", which permits one to
> specify a list of ciphers to use when negotiating SSL connections. The
> setting can be overwridden by the GIT_SSL_CIPHER_LIST environment
> variable.
>
> Signed-off-by: Lars Kellogg-Stedman <lars@redhat•com>
> ---
>
> This addresses (I hope!) comments from Junio and Ray, and also resolves some
> whitespace issues present in the earlier version of the patch.
Sounds good.
> Documentation/config.txt | 13 +++++++++++++
> http.c | 14 ++++++++++++++
> 2 files changed, 27 insertions(+)
>
> diff --git a/Documentation/config.txt b/Documentation/config.txt
> index 2e5ceaf..b982d66 100644
> --- a/Documentation/config.txt
> +++ b/Documentation/config.txt
> @@ -1560,6 +1560,19 @@ http.saveCookies::
> If set, store cookies received during requests to the file specified by
> http.cookieFile. Has no effect if http.cookieFile is unset.
>
> +http.sslCipherList::
> + A list of SSL ciphers to use when negotiating an SSL connection.
> + The available ciphers depend on whether libcurl was built against
> + NSS or OpenSSL and the particular configuration of the crypto
> + library in use. Internally this sets the CURLOPT_SSL_CIPHER_LIST
> + option; see the libcurl documentation for that option for more
> + details on the format of this list.
> +
> + Can be overridden by the 'GIT_SSL_CIPHER_LIST' environment variable.
> + To force git to use libcurl's default cipher list and ignore any
> + explicit http.sslCipherList option, set GIT_SSL_CIPHER_LIST to the
> + empty string.
> +
This will not format well, I am afraid. The second and subsequent
paragraphs in a description of an enumerated item need to lose the
initial indentation and the empty line that breaks paragraph need
to be replaced with a single '+' (plus). See "color::" in the same
document for an example.
We chose to use AsciiDoc primarily because its marked-up source is
easily read as a plain text files, but it is unfortunately somewhat
finicky around here.
> http.sslVerify::
> Whether to verify the SSL certificate when fetching or pushing
> over HTTPS. Can be overridden by the 'GIT_SSL_NO_VERIFY' environment
> diff --git a/http.c b/http.c
> index 4b179f6..b617546 100644
> --- a/http.c
> +++ b/http.c
> @@ -36,6 +36,7 @@ char curl_errorstr[CURL_ERROR_SIZE];
> static int curl_ssl_verify = -1;
> static int curl_ssl_try;
> static const char *ssl_cert;
> +static const char *ssl_cipherlist;
> #if LIBCURL_VERSION_NUM >= 0x070903
> static const char *ssl_key;
> #endif
> @@ -187,6 +188,9 @@ static int http_options(const char *var, const char *value, void *cb)
> curl_ssl_verify = git_config_bool(var, value);
> return 0;
> }
> + if (!strcmp("http.sslcipherlist", var)) {
> + return git_config_string(&ssl_cipherlist, var, value);
> + }
> if (!strcmp("http.sslcert", var))
> return git_config_string(&ssl_cert, var, value);
> #if LIBCURL_VERSION_NUM >= 0x070903
> @@ -361,6 +365,16 @@ static CURL *get_curl_handle(void)
> if (http_proactive_auth)
> init_curl_http_auth(result);
>
> + if (getenv("GIT_SSL_CIPHER_LIST"))
> + ssl_cipherlist = getenv("GIT_SSL_CIPHER_LIST");
> +
> + /* See http://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
> + * for details on the format of and available values for
> + * CURLOPT_SSL_CIPHER_LIST. */
I see Eric already commented on multi-line comment and what he said
is correct, but as an in-code comment, I do not see much value in
this---anybody who is _reading_ code would know to look up
CURLOPT_SSL_CIPHER_LIST in cURL documentation, I would expect (and
of course this will not be shown to the end user).
> + if (ssl_cipherlist != NULL && ssl_cipherlist[0] != '\0')
> + curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST,
> + ssl_cipherlist);
> +
> if (ssl_cert != NULL)
> curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
> if (has_cert_password())
next prev parent reply other threads:[~2015-05-07 20:51 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-07 14:16 [PATCH] add support for specifying an SSL cipher list Lars Kellogg-Stedman
2015-05-07 15:53 ` Junio C Hamano
2015-05-07 16:04 ` Lars Kellogg-Stedman
2015-05-07 16:33 ` Junio C Hamano
2015-05-07 16:58 ` Lars Kellogg-Stedman
2015-05-07 16:08 ` [PATCH v2] http: " Lars Kellogg-Stedman
2015-05-07 16:42 ` [PATCH] " Tay Ray Chuan
2015-05-07 16:57 ` Lars Kellogg-Stedman
2015-05-07 18:17 ` [PATCH v3] http: " Lars Kellogg-Stedman
2015-05-07 18:41 ` Eric Sunshine
2015-05-07 18:48 ` Lars Kellogg-Stedman
2015-05-07 18:54 ` Eric Sunshine
2015-05-07 20:51 ` Junio C Hamano [this message]
2015-05-08 3:44 ` [PATCH v4] " Lars Kellogg-Stedman
2015-05-08 3:53 ` Eric Sunshine
2015-05-08 12:15 ` SZEDER Gábor
2015-05-08 15:59 ` Junio C Hamano
2015-05-08 13:22 ` [PATCH v5] " Lars Kellogg-Stedman
2015-05-14 19:25 ` Lars Kellogg-Stedman
2015-05-14 19:39 ` Eric Sunshine
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqegmsnmaz.fsf@gitster.dls.corp.google.com \
--to=gitster@pobox$(echo .)com \
--cc=git@vger$(echo .)kernel.org \
--cc=lars@redhat$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox