On Thu, May 7, 2015 at 2:17 PM, Lars Kellogg-Stedman <lars@xxxxxxxxxx> wrote:
> Teach git about a new option, "http.sslCipherList", which permits one to
> specify a list of ciphers to use when negotiating SSL connections. The
> setting can be overwridden by the GIT_SSL_CIPHER_LIST environment
> variable.
>
> Signed-off-by: Lars Kellogg-Stedman <lars@xxxxxxxxxx>
> ---
> diff --git a/Documentation/config.txt b/Documentation/config.txt
> index 2e5ceaf..b982d66 100644
> --- a/Documentation/config.txt
> +++ b/Documentation/config.txt
> @@ -1560,6 +1560,19 @@ http.saveCookies::
> If set, store cookies received during requests to the file specified by
> http.cookieFile. Has no effect if http.cookieFile is unset.
>
> +http.sslCipherList::
> + A list of SSL ciphers to use when negotiating an SSL connection.
> + The available ciphers depend on whether libcurl was built against
> + NSS or OpenSSL and the particular configuration of the crypto
> + library in use. Internally this sets the CURLOPT_SSL_CIPHER_LIST
> + option; see the libcurl documentation for that option for more
> + details on the format of this list.
> +
> + Can be overridden by the 'GIT_SSL_CIPHER_LIST' environment variable.
> + To force git to use libcurl's default cipher list and ignore any
> + explicit http.sslCipherList option, set GIT_SSL_CIPHER_LIST to the
> + empty string.
Much nicer description than previous rounds.
A couple style nits below.
> http.sslVerify::
> Whether to verify the SSL certificate when fetching or pushing
> over HTTPS. Can be overridden by the 'GIT_SSL_NO_VERIFY' environment
> diff --git a/http.c b/http.c
> index 4b179f6..b617546 100644
> --- a/http.c
> +++ b/http.c
> @@ -36,6 +36,7 @@ char curl_errorstr[CURL_ERROR_SIZE];
> static int curl_ssl_verify = -1;
> static int curl_ssl_try;
> static const char *ssl_cert;
> +static const char *ssl_cipherlist;
> #if LIBCURL_VERSION_NUM >= 0x070903
> static const char *ssl_key;
> #endif
> @@ -187,6 +188,9 @@ static int http_options(const char *var, const char *value, void *cb)
> curl_ssl_verify = git_config_bool(var, value);
> return 0;
> }
> + if (!strcmp("http.sslcipherlist", var)) {
> + return git_config_string(&ssl_cipherlist, var, value);
> + }
> if (!strcmp("http.sslcert", var))
> return git_config_string(&ssl_cert, var, value);
> #if LIBCURL_VERSION_NUM >= 0x070903
> @@ -361,6 +365,16 @@ static CURL *get_curl_handle(void)
> if (http_proactive_auth)
> init_curl_http_auth(result);
>
> + if (getenv("GIT_SSL_CIPHER_LIST"))
> + ssl_cipherlist = getenv("GIT_SSL_CIPHER_LIST");
> +
> + /* See http://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
> + * for details on the format of and available values for
> + * CURLOPT_SSL_CIPHER_LIST. */
Format multi-line comments like this:
/*
* This is a multi-line
* comment.
*/
> + if (ssl_cipherlist != NULL && ssl_cipherlist[0] != '\0')
In git code, this is usually spelled:
if (ssl_cipherlist && *ssl_cipherlist)
> + curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST,
> + ssl_cipherlist);
>+
> if (ssl_cert != NULL)
> curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
> if (has_cert_password())
> --
> 2.4.0
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html