Re: [PATCH v3] http: add support for specifying an SSL cipher list

Lars Kellogg-Stedman <lars@xxxxxxxxxx> writes:

> Teach git about a new option, "http.sslCipherList", which permits one to
> specify a list of ciphers to use when negotiating SSL connections.  The
> setting can be overridden by the GIT_SSL_CIPHER_LIST environment
> variable.
>
> Signed-off-by: Lars Kellogg-Stedman <lars@xxxxxxxxxx>
> ---
>
> This addresses (I hope!) comments from Junio and Ray, and also resolves some
> whitespace issues present in the earlier version of the patch.

Sounds good.

>  Documentation/config.txt | 13 +++++++++++++
>  http.c                   | 14 ++++++++++++++
>  2 files changed, 27 insertions(+)
>
> diff --git a/Documentation/config.txt b/Documentation/config.txt
> index 2e5ceaf..b982d66 100644
> --- a/Documentation/config.txt
> +++ b/Documentation/config.txt
> @@ -1560,6 +1560,19 @@ http.saveCookies::
>  	If set, store cookies received during requests to the file specified by
>  	http.cookieFile. Has no effect if http.cookieFile is unset.
>  
> +http.sslCipherList::
> +	A list of SSL ciphers to use when negotiating an SSL connection.
> +	The available ciphers depend on whether libcurl was built against
> +	NSS or OpenSSL and the particular configuration of the crypto
> +	library in use.  Internally this sets the CURLOPT_SSL_CIPHER_LIST
> +	option; see the libcurl documentation for that option for more
> +	details on the format of this list.
> +
> +	Can be overridden by the 'GIT_SSL_CIPHER_LIST' environment variable.
> +	To force git to use libcurl's default cipher list and ignore any
> +	explicit http.sslCipherList option, set GIT_SSL_CIPHER_LIST to the
> +	empty string.
> +

This will not format well, I am afraid.  The second and subsequent
paragraphs in a description of an enumerated item need to lose the
initial indentation, and the empty line that breaks paragraphs needs
to be replaced with a single '+' (plus).  See "color::" in the same
document for an example.

We chose to use AsciiDoc primarily because its marked-up source is
easily read as a plain text file, but it is unfortunately somewhat
finicky around here.

>  http.sslVerify::
>  	Whether to verify the SSL certificate when fetching or pushing
>  	over HTTPS. Can be overridden by the 'GIT_SSL_NO_VERIFY' environment
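
Review bot: the continuation paragraph of the new http.sslCipherList entry ("Can be overridden by the 'GIT_SSL_CIPHER_LIST' ...") is both indented and preceded by a blank line, which ends the AsciiDoc description list early; replace the blank line with a line containing only `+` and start the continuation at column one, as the other multi-paragraph entries in this file do. The text also documents the "use libcurl's default" fallback only for an empty environment variable, while the http.c change sets CURLOPT_SSL_CIPHER_LIST only when the string is non-empty, so an empty http.sslCipherList value behaves the same way and should be described as such.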
> diff --git a/http.c b/http.c
> index 4b179f6..b617546 100644
> --- a/http.c
> +++ b/http.c
> @@ -36,6 +36,7 @@ char curl_errorstr[CURL_ERROR_SIZE];
>  static int curl_ssl_verify = -1;
>  static int curl_ssl_try;
>  static const char *ssl_cert;
> +static const char *ssl_cipherlist;
>  #if LIBCURL_VERSION_NUM >= 0x070903
>  static const char *ssl_key;
>  #endif
> @@ -187,6 +188,9 @@ static int http_options(const char *var, const char *value, void *cb)
>  		curl_ssl_verify = git_config_bool(var, value);
>  		return 0;
>  	}
> +	if (!strcmp("http.sslcipherlist", var)) {
> +		return git_config_string(&ssl_cipherlist, var, value);
> +	}
>  	if (!strcmp("http.sslcert", var))
>  		return git_config_string(&ssl_cert, var, value);
>  #if LIBCURL_VERSION_NUM >= 0x070903
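
Review bot: the braces around the single-statement body of the new `if (!strcmp("http.sslcipherlist", var))` block are inconsistent with the neighbouring `if (!strcmp("http.sslcert", var))` handler, which has none; drop them so the new block reads as two lines like its siblings: `if (!strcmp("http.sslcipherlist", var))` followed by the indented `return git_config_string(&ssl_cipherlist, var, value);`.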
> @@ -361,6 +365,16 @@ static CURL *get_curl_handle(void)
>  	if (http_proactive_auth)
>  		init_curl_http_auth(result);
>  
> +	if (getenv("GIT_SSL_CIPHER_LIST"))
> +		ssl_cipherlist = getenv("GIT_SSL_CIPHER_LIST");
> +
> +	/* See http://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
> +	 * for details on the format of and available values for
> +	 * CURLOPT_SSL_CIPHER_LIST. */

I see Eric already commented on multi-line comment and what he said
is correct, but as an in-code comment, I do not see much value in
this---anybody who is _reading_ code would know to look up
CURLOPT_SSL_CIPHER_LIST in cURL documentation, I would expect (and
of course this will not be shown to the end user).

> +	if (ssl_cipherlist != NULL && ssl_cipherlist[0] != '\0')
> +		curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST,
> +				ssl_cipherlist);
> +
>  	if (ssl_cert != NULL)
>  		curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
>  	if (has_cert_password())
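
Review bot: getenv("GIT_SSL_CIPHER_LIST") is called twice at the top of the new block; read it once into a local such as `const char *env = getenv("GIT_SSL_CIPHER_LIST");` and assign that, which also makes it explicit that an environment value, including the empty string, is meant to replace whatever http_options() stored. Since the assignment overwrites the pointer that git_config_string() allocated, the configured string is leaked every time get_curl_handle() runs with the variable set; minor, but worth a note. The `ssl_cipherlist[0] != '\0'` guard is what implements the documented "empty string means libcurl's default" rule, and that is the behaviour an in-code comment here should explain rather than the URL.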