http: when using Secure Channel, ignore sslCAInfo by default
authorJohannes Schindelin <johannes.schindelin@gmx.de>
Thu, 25 Oct 2018 18:53:56 +0000 (11:53 -0700)
committerJunio C Hamano <gitster@pobox.com>
Fri, 26 Oct 2018 02:15:49 +0000 (11:15 +0900)
As of cURL v7.60.0, the Secure Channel backend can use the certificate
bundle provided via `http.sslCAInfo`, but that would override the
Windows Certificate Store. Since this is not desirable by default, let's
tell Git to not ask cURL to use that bundle by default when the `schannel`
backend was configured via `http.sslBackend`, unless
`http.schannelUseSSLCAInfo` overrides this behavior.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Documentation/config.txt
http.c
index e107f4c1e243709116a48c313caced25ca6dc971..56a110446915ea36039876cd067ebdba318be1ad 100644 (file)
@@ -2249,6 +2249,14 @@ http.schannelCheckRevoke::
        certificate. This option is ignored if cURL lacks support for
        setting the relevant SSL option at runtime.
 
        certificate. This option is ignored if cURL lacks support for
        setting the relevant SSL option at runtime.
 
+http.schannelUseSSLCAInfo::
+       As of cURL v7.60.0, the Secure Channel backend can use the
+       certificate bundle provided via `http.sslCAInfo`, but that would
+       override the Windows Certificate Store. Since this is not desirable
+       by default, Git will tell cURL not to use that bundle by default
+       when the `schannel` backend was configured via `http.sslBackend`,
+       unless `http.schannelUseSSLCAInfo` overrides this behavior.
+
 http.pinnedpubkey::
        Public key of the https service. It may either be the filename of
        a PEM or DER encoded public key file or a string starting with
 http.pinnedpubkey::
        Public key of the https service. It may either be the filename of
        a PEM or DER encoded public key file or a string starting with
diff --git a/http.c b/http.c
index 272584b16e5f7d5279a08f19e1b17ab948fa0f8f..43e75ac583b428b4a350c66f34e66cc325580476 100644 (file)
--- a/http.c
+++ b/http.c
@@ -158,6 +158,12 @@ static char *cached_accept_language;
 static char *http_ssl_backend;
 
 static int http_schannel_check_revoke = 1;
 static char *http_ssl_backend;
 
 static int http_schannel_check_revoke = 1;
+/*
+ * With the backend being set to `schannel`, setting sslCAinfo would override
+ * the Certificate Store in cURL v7.60.0 and later, which is not what we want
+ * by default.
+ */
+static int http_schannel_use_ssl_cainfo;
 
 size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
 {
 
 size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
 {
@@ -317,6 +323,11 @@ static int http_options(const char *var, const char *value, void *cb)
                return 0;
        }
 
                return 0;
        }
 
+       if (!strcmp("http.schannelusesslcainfo", var)) {
+               http_schannel_use_ssl_cainfo = git_config_bool(var, value);
+               return 0;
+       }
+
        if (!strcmp("http.minsessions", var)) {
                min_curl_sessions = git_config_int(var, value);
 #ifndef USE_CURL_MULTI
        if (!strcmp("http.minsessions", var)) {
                min_curl_sessions = git_config_int(var, value);
 #ifndef USE_CURL_MULTI
@@ -869,7 +880,13 @@ static CURL *get_curl_handle(void)
        if (ssl_pinnedkey != NULL)
                curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
 #endif
        if (ssl_pinnedkey != NULL)
                curl_easy_setopt(result, CURLOPT_PINNEDPUBLICKEY, ssl_pinnedkey);
 #endif
-       if (ssl_cainfo != NULL)
+       if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
+           !http_schannel_use_ssl_cainfo) {
+               curl_easy_setopt(result, CURLOPT_CAINFO, NULL);
+#if LIBCURL_VERSION_NUM >= 0x073400
+               curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL);
+#endif
+       } else if (ssl_cainfo != NULL)
                curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
        if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {
                curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
 
        if (curl_low_speed_limit > 0 && curl_low_speed_time > 0) {
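Review bot: In the new `schannel` branch of get_curl_handle(), a non-NULL `ssl_cainfo` (from `http.sslCAInfo`, and presumably `GIT_SSL_CAINFO` if that is where the variable is also populated — not visible in this hunk) is discarded without any diagnostic, so a user who configured a bundle to trust a private CA gets no hint that it is ignored and that verification is now done solely against the Windows Certificate Store. I would emit a one-time notice in that branch, e.g. `if (ssl_cainfo) warning(_("http.sslCAInfo is ignored with the schannel backend; set http.schannelUseSSLCAInfo=true to use it"));`, using the file's existing warning()/_() helpers. The branch also keys on the configured backend string rather than on the backend cURL actually activated; if a cURL build cannot switch backends at runtime and `http_ssl_backend` is still left set, the bundle would be dropped while another backend is in use — worth confirming that the variable is only retained when the switch succeeded. Note too that the `else` branch still applies the bundle only to CURLOPT_CAINFO, so the proxy side is cleared in one branch and never set in the other; that asymmetry predates this change but is now more visible. get_curl_handle() starts and ends outside the hunk.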