http: add support for disabling SSL revocation checks in cURL

This adds support for a new http.schannelCheckRevoke config value.

This config value is only used if http.sslBackend is set to "schannel",
which forces cURL to use the Windows Certificate Store when validating
server certificates associated with a remote server.

This config value should only be set to "false" if you are in an
environment where revocation checks are blocked by the network, with
no alternative options.

This is only supported in cURL 7.44 or later.

Note: originally, we wanted to call the config setting
`http.schannel.checkRevoke`. This, however, does not work: the `http.*`
config settings can be limited to specific URLs via `http.<url>.*`
(and this feature would mistake `schannel` for a URL).

Helped by Agustín Martín Barbero.

Signed-off-by: Brendan Forster <github@brendanforster.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/Documentation/config.txt b/Documentation/config.txt
index c569e7285930272284dd117e31408f5da862e56b..e107f4c1e243709116a48c313caced25ca6dc971 100644 (file)
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -2241,6 +2241,14 @@ http.sslBackend::
        This option is ignored if cURL lacks support for choosing the SSL
        backend at runtime.
 
+http.schannelCheckRevoke::
+       Used to enforce or disable certificate revocation checks in cURL
+       when http.sslBackend is set to "schannel". Defaults to `true` if
+       unset. Only necessary to disable this if Git consistently errors
+       and the message is about checking the revocation status of a
+       certificate. This option is ignored if cURL lacks support for
+       setting the relevant SSL option at runtime.
+
 http.pinnedpubkey::
        Public key of the https service. It may either be the filename of
        a PEM or DER encoded public key file or a string starting with

diff --git a/http.c b/http.c
index fedfb2a20700207fc98505f541a808db4e5176e1..272584b16e5f7d5279a08f19e1b17ab948fa0f8f 100644 (file)
--- a/http.c
+++ b/http.c
@@ -157,6 +157,8 @@ static char *cached_accept_language;
 
 static char *http_ssl_backend;
 
+static int http_schannel_check_revoke = 1;
+
 size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
 {
        size_t size = eltsize * nmemb;
@@ -310,6 +312,11 @@ static int http_options(const char *var, const char *value, void *cb)
                return 0;
        }
 
+       if (!strcmp("http.schannelcheckrevoke", var)) {
+               http_schannel_check_revoke = git_config_bool(var, value);
+               return 0;
+       }
+
        if (!strcmp("http.minsessions", var)) {
                min_curl_sessions = git_config_int(var, value);
 #ifndef USE_CURL_MULTI
@@ -811,6 +818,16 @@ static CURL *get_curl_handle(void)
        }
 #endif
 
+       if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
+           !http_schannel_check_revoke) {
+#if LIBCURL_VERSION_NUM >= 0x072c00
+               curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
+#else
+               warning("CURLSSLOPT_NO_REVOKE not applied to curl SSL options because\n"
+                       "your curl version is too old (< 7.44.0)");
+#endif
+       }
+
        if (http_proactive_auth)
                init_curl_http_auth(result);