http: add support for specifying an SSL cipher list
authorLars Kellogg-Stedman <lars@redhat.com>
Fri, 8 May 2015 13:22:15 +0000 (09:22 -0400)
committerJunio C Hamano <gitster@pobox.com>
Fri, 8 May 2015 17:56:26 +0000 (10:56 -0700)
Teach git about a new option, "http.sslCipherList", which permits one to
specify a list of ciphers to use when negotiating SSL connections. The
setting can be overridden by the GIT_SSL_CIPHER_LIST environment
variable.

Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Documentation/config.txt
contrib/completion/git-completion.bash
http.c
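--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1561,6 +1561,19 @@ http.savecookies::
        If set, store cookies received during requests to the file specified by
        http.cookiefile. Has no effect if http.cookiefile is unset.
 
+http.sslCipherList::
+  A list of SSL ciphers to use when negotiating an SSL connection.
+  The available ciphers depend on whether libcurl was built against
+  NSS or OpenSSL and the particular configuration of the crypto
+  library in use.  Internally this sets the 'CURLOPT_SSL_CIPHER_LIST'
+  option; see the libcurl documentation for more details on the format
+  of this list.
++
+Can be overridden by the 'GIT_SSL_CIPHER_LIST' environment variable.
+To force git to use libcurl's default cipher list and ignore any
+explicit http.sslCipherList option, set 'GIT_SSL_CIPHER_LIST' to the
+empty string.
+
 http.sslVerify::
        Whether to verify the SSL certificate when fetching or pushing
        over HTTPS. Can be overridden by the 'GIT_SSL_NO_VERIFY' environment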
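--- a/contrib/completion/git-completion.bash
+++ b/contrib/completion/git-completion.bash
@@ -2123,6 +2123,7 @@ _git_config ()
                http.noEPSV
                http.postBuffer
                http.proxy
+               http.sslCipherList
                http.sslCAInfo
                http.sslCAPath
                http.sslCert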
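--- a/http.c
+++ b/http.c
@@ -35,6 +35,7 @@ char curl_errorstr[CURL_ERROR_SIZE];
 static int curl_ssl_verify = -1;
 static int curl_ssl_try;
 static const char *ssl_cert;
+static const char *ssl_cipherlist;
 #if LIBCURL_VERSION_NUM >= 0x070903
 static const char *ssl_key;
 #endif
@@ -153,6 +154,8 @@ static int http_options(const char *var, const char *value, void *cb)
                curl_ssl_verify = git_config_bool(var, value);
                return 0;
        }
+       if (!strcmp("http.sslcipherlist", var))
+               return git_config_string(&ssl_cipherlist, var, value);
        if (!strcmp("http.sslcert", var))
                return git_config_string(&ssl_cert, var, value);
 #if LIBCURL_VERSION_NUM >= 0x070903
@@ -327,6 +330,13 @@ static CURL *get_curl_handle(void)
        if (http_proactive_auth)
                init_curl_http_auth(result);
 
+       if (getenv("GIT_SSL_CIPHER_LIST"))
+               ssl_cipherlist = getenv("GIT_SSL_CIPHER_LIST");
+
+       if (ssl_cipherlist != NULL && *ssl_cipherlist)
+               curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST,
+                               ssl_cipherlist);
+
        if (ssl_cert != NULL)
                curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
        if (has_cert_password())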
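Review bot: In the get_curl_handle hunk the environment override calls getenv("GIT_SSL_CIPHER_LIST") twice and overwrites the static ssl_cipherlist, which http_options filled through git_config_string, with a pointer into the environment, so the config-sourced string is apparently dropped without being released and the env-over-config precedence is only implied by statement order. A single lookup reads more clearly and records the precedence: `const char *env_ciphers = getenv("GIT_SSL_CIPHER_LIST"); /* env wins over http.sslCipherList; "" restores libcurl's default */ if (env_ciphers) ssl_cipherlist = env_ciphers;`. The curl_easy_setopt return value is not checked, matching the neighbouring CURLOPT_SSLCERT call, so an unsupported cipher-list string (the format differs between OpenSSL and NSS builds, as the documentation hunk notes) surfaces only as a handshake failure rather than at configuration time; checking the result and reporting the offending value would make a misconfigured list easier to diagnose. get_curl_handle's body begins and ends outside the hunk.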