http: add support for specifying the SSL version
authorElia Pinto <gitter.spiros@gmail.com>
Fri, 14 Aug 2015 19:37:43 +0000 (21:37 +0200)
committerJunio C Hamano <gitster@pobox.com>
Mon, 17 Aug 2015 17:16:34 +0000 (10:16 -0700)
Teach git about a new option, "http.sslVersion", which permits one
to specify the SSL version to use when negotiating SSL connections.
The setting can be overridden by the GIT_SSL_VERSION environment
variable.

Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
Helped-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Documentation/config.txt
contrib/completion/git-completion.bash
http.c
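--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1576,6 +1576,29 @@ http.saveCookies::
        If set, store cookies received during requests to the file specified by
        http.cookieFile. Has no effect if http.cookieFile is unset.
 
+http.sslVersion::
+       The SSL version to use when negotiating an SSL connection, if you
+       want to force the default.  The available and default version
+       depend on whether libcurl was built against NSS or OpenSSL and the
+       particular configuration of the crypto library in use. Internally
+       this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl
+       documentation for more details on the format of this option and
+       for the ssl version supported. Actually the possible values of
+       this option are:
+
+       - sslv2
+       - sslv3
+       - tlsv1
+       - tlsv1.0
+       - tlsv1.1
+       - tlsv1.2
+
++
+Can be overridden by the 'GIT_SSL_VERSION' environment variable.
+To force git to use libcurl's default ssl version and ignore any
+explicit http.sslversion option, set 'GIT_SSL_VERSION' to the
+empty string.
+
 http.sslCipherList::
   A list of SSL ciphers to use when negotiating an SSL connection.
   The available ciphers depend on whether libcurl was built against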
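--- a/contrib/completion/git-completion.bash
+++ b/contrib/completion/git-completion.bash
@@ -2118,6 +2118,7 @@ _git_config ()
                http.postBuffer
                http.proxy
                http.sslCipherList
+               http.sslVersion
                http.sslCAInfo
                http.sslCAPath
                http.sslCert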
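--- a/http.c
+++ b/http.c
@@ -37,6 +37,20 @@ static int curl_ssl_verify = -1;
 static int curl_ssl_try;
 static const char *ssl_cert;
 static const char *ssl_cipherlist;
+static const char *ssl_version;
+static struct {
+       const char *name;
+       long ssl_version;
+} sslversions[] = {
+       { "sslv2", CURL_SSLVERSION_SSLv2 },
+       { "sslv3", CURL_SSLVERSION_SSLv3 },
+       { "tlsv1", CURL_SSLVERSION_TLSv1 },
+#if LIBCURL_VERSION_NUM >= 0x072200
+       { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
+       { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
+       { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
+#endif
+};
 #if LIBCURL_VERSION_NUM >= 0x070903
 static const char *ssl_key;
 #endif
@@ -190,6 +204,8 @@ static int http_options(const char *var, const char *value, void *cb)
        }
        if (!strcmp("http.sslcipherlist", var))
                return git_config_string(&ssl_cipherlist, var, value);
+       if (!strcmp("http.sslversion", var))
+               return git_config_string(&ssl_version, var, value);
        if (!strcmp("http.sslcert", var))
                return git_config_string(&ssl_cert, var, value);
 #if LIBCURL_VERSION_NUM >= 0x070903
@@ -364,9 +380,24 @@ static CURL *get_curl_handle(void)
        if (http_proactive_auth)
                init_curl_http_auth(result);
 
+       if (getenv("GIT_SSL_VERSION"))
+               ssl_version = getenv("GIT_SSL_VERSION");
+       if (ssl_version && *ssl_version) {
+               int i;
+               for (i = 0; i < ARRAY_SIZE(sslversions); i++) {
+                       if (!strcmp(ssl_version, sslversions[i].name)) {
+                               curl_easy_setopt(result, CURLOPT_SSLVERSION,
+                                                sslversions[i].ssl_version);
+                               break;
+                       }
+               }
+               if (i == ARRAY_SIZE(sslversions))
+                       warning("unsupported ssl version %s: using default",
+                               ssl_version);
+       }
+
        if (getenv("GIT_SSL_CIPHER_LIST"))
                ssl_cipherlist = getenv("GIT_SSL_CIPHER_LIST");
-
        if (ssl_cipherlist != NULL && *ssl_cipherlist)
                curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST,
                                ssl_cipherlist);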
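Review bot: A value of `http.sslversion` (or `GIT_SSL_VERSION`) that the `sslversions` table does not contain — which includes `tlsv1.0`, `tlsv1.1` and `tlsv1.2` whenever `LIBCURL_VERSION_NUM < 0x072200` leaves those entries out — only emits a warning in get_curl_handle() and the handle keeps libcurl's default, so a user who meant to pin a minimum protocol version can end up negotiating a weaker one without the operation failing. If the intent is to honour the setting, the unknown value should be a configuration error, `die("unsupported ssl version %s", ssl_version);`; if the fallback is deliberate, the warning text should at least say that the requested version is not being enforced rather than just "using default". Two smaller points: `int i` is compared with the `size_t` result of `ARRAY_SIZE` on two lines (`-Wsign-compare`), and the lookup table in the first hunk is never written, so it can be declared `static const struct { ... } sslversions[]`, which also keeps a version-selection table out of writable memory. get_curl_handle() starts and ends outside the hunk.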