On Sat, Dec 21, 2019 at 3:51 AM Beat Bolli <dev+git@xxxxxxxxx> wrote:
> On 21.12.19 00:18, brian m. carlson wrote:
> > On 2019-12-20 at 01:52:04, Keith Thompson wrote:
> >> I've posted this on Stack Overflow
> >> https://stackoverflow.com/q/59381061/827263
> >> but I haven't gotten any responses yet.
> >>
> >> When I install "Git for Windows" on Windows 10, the installation
> >> wizard offers the choice of using either the OpenSSL library or the
> >> "native Windows Secure Channel library". (Whether that's offered
> >> seems to depend on what's available on the Windows 10 system.)
> >> I believe this is referred to in the git sources as "schannel".
> >>
> >> Is there a way to configure git under Cygwin to use the native
> >> Windows Secure Channel library? An ideal solution would be a
> >> modification to my .gitconfig, but something that lets me build git
> >> (and possibly curl) from source would also be good. See my Stack
> >> Overflow question for more details, including some things that I
> >> tried that didn't work.
> >>
> >> The problem I'm trying to solve: In my work environment, I can
> >> use Cygwin git for local operations, but I have to use Windows git
> >> for anything that talks to a remote (push, pull). I'd prefer to use
> >> Cygwin git exclusively.
> >
> > I'm not 100% certain here, but I believe the answer is no. In order to
> > use SChannel, you'll need to link against MSVCRT or a compatible
> > runtime, but it's not possible to link against both that and Cygwin at
> > the same time (probably because they both provide the same symbols).
> >
> > If your constraint is that you need to interact with the Windows
> > certificate store or such, you could see if there's an OpenSSL or GnuTLS
> > plugin that will do that for you and then build against that library or
> > plugin.
>
> There is the OpenSSL "CAPI" engine which interfaces with the Windows
> CryptoAPI. However, I don't know if the Cygwin OpenSSL build includes
> this engine.

That's interesting.

I just tried building OpenSSL from source on Cygwin
(openssl-1.1.1d.tar.gz). It installed lib/engines-1.1/capi.dll under
the installation directory, and I see references to capi in the output
of "make". The Cygwin-installed OpenSSL (currently 1.1.1d) doesn't
provide that file. I don't know whether or not that means the
Cygwin-installed OpenSSL doesn't support CAPI.

Is there an openssl command I can run to tell whether it supports CAPI?
(Disclaimer: I had never heard of CAPI before.)

With both the Cygwin-installed OpenSSL and the one I built from source,
I get:

    $ openssl engine capi
    25769803792:error:260B606D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:485:
    25769803792:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:334:id=capi

*Maybe* if I compile OpenSSL from source, then compile curl from source
using my compiled OpenSSL, then compile Windows Git from source using
my compiled OpenSSL and curl, it *might* work? It's worth a shot.

And if the Cygwin-installed OpenSSL doesn't support CAPI, I wonder why
it doesn't.
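
One way to check whether a given OpenSSL 1.1.x build can load an engine such as capi, as an added example that is not part of the original thread: it reads the engines directory from `openssl version -e`, looks for a matching module there, and classifies the result of `openssl engine -t`. The function names are hypothetical, and the outcome labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): does this OpenSSL 1.1.x build
# have a loadable engine with the given id? Function names are hypothetical.

# Pull the directory out of `openssl version -e` output,
# which looks like:  ENGINESDIR: "/usr/lib/engines-1.1"
engines_dir() {
    printf '%s\n' "$1" | sed -n 's/^ENGINESDIR: "\(.*\)"$/\1/p'
}

# Classify the combined stdout/stderr of `openssl engine -t <id>`.
# Prints one of: available, unavailable, init-failed, not-found, unknown
classify_engine_output() {
    case "$1" in
        *"[ available ]"*)    echo available ;;    # engine loaded and initialised
        *"[ unavailable ]"*)  echo unavailable ;;  # engine loaded, ENGINE_init failed
        *":init failed:"*)    echo init-failed ;;  # dynamic loader reported "init failed"
        *":no such engine:"*) echo not-found ;;    # no engine registered under that id
        *)                    echo unknown ;;
    esac
}

# Run the checks against the openssl binary found first in PATH.
check_engine() {
    id=$1
    dir=$(engines_dir "$(openssl version -e 2>/dev/null)")
    echo "openssl:     $(command -v openssl)"
    echo "engines dir: ${dir:-unknown}"
    if [ -n "$dir" ] && ls "$dir" 2>/dev/null | grep -qi "^$id\."; then
        echo "module file: present"
    else
        echo "module file: not found in engines dir"
    fi
    echo "result:      $(classify_engine_output "$(openssl engine -t "$id" 2>&1)")"
}

# Usage: sh check-engine.sh capi
if [ $# -gt 0 ]; then
    check_engine "$1"
fi
```

Put a self-built OpenSSL's bin directory first in PATH before running it, so that the binary and the engines directory being tested belong to the same build.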