Git currently supports connecting to proxies through HTTPS. However it does not allow you to configure SSL options when connecting (i.e. client cert, key, cainfo). These set of commits add the necessary options and documentation needed to support them. Libcurl already has support for this so changes are somewhat minimal. I ran the CI tests and verified manually with an HTTPS proxy that changes are working as expected. I didn't see integration tests under /t or tests that verified libcurl integration. ./bin-wrappers/git -c http.proxy=https://<PROXY-HOSTNAME> \ -c http.proxycert=<CERT> -c http.proxykey=<KEY> \ clone https://github.com/jalopezsilva/dotfiles.git Changes since v2: ================= * Merged the two initial commits as the second one was adding documentation for the first. * Removed the SSL Cert password from configuration. I'm using a similar function to has_cert_password to retrieve it if needed. * Better names and descriptions were given to the options. * Introduced another commit adding environment variable overrides for the new options. Jorge Lopez Silva (2): http: add client cert for HTTPS proxies. http: add environment variable for HTTPS proxy. Documentation/config/http.txt | 21 ++++++++++ http.c | 74 ++++++++++++++++++++++++++++++++--- 2 files changed, 90 insertions(+), 5 deletions(-) base-commit: 51ebf55b9309824346a6589c9f3b130c6f371b8f Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-559%2Fjalopezsilva%2Fhttps_proxy_ssl_options-v3 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-559/jalopezsilva/https_proxy_ssl_options-v3 Pull-Request: https://github.com/gitgitgadget/git/pull/559 Range-diff vs v2: 1: a5d980e7501 ! 1: e18b342819b http: add client cert for HTTPS proxies. @@ -9,13 +9,44 @@ A client certificate can provide an alternative way of authentication instead of using 'ProxyAuthorization' or other more common methods of - authentication. + authentication. Libcurl supports this functionality already so changes + are somewhat minimal. The feature is guarded by the first available + libcurl version that supports these options. - Libcurl supports this functionality already. The feature is guarded by - the first available libcurl version that supports these options. + 4 configuration options are added and documented, cert, key, cert + password protected and CA info. The CA info should be used to specify a + different CA path to validate the HTTPS proxy cert. Signed-off-by: Jorge Lopez Silva <jalopezsilva@xxxxxxxxx> + diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt + --- a/Documentation/config/http.txt + +++ b/Documentation/config/http.txt +@@ + * `ntlm` - NTLM authentication (compare the --ntlm option of `curl(1)`) + -- + ++http.proxySSLCert:: ++ The pathname of a file that stores a client certificate to use to authenticate ++ with an HTTPS proxy. ++ ++http.proxySSLKey:: ++ The pathname of a file that stores a private key to use to authenticate with ++ an HTTPS proxy. ++ ++http.proxySSLCertPasswordProtected:: ++ Enable Git's password prompt for the proxy SSL certificate. Otherwise OpenSSL ++ will prompt the user, possibly many times, if the certificate or private key ++ is encrypted. ++ ++http.proxySSLCAInfo:: ++ Pathname to the file containing the certificate bundle that should be used to ++ verify the proxy with when using an HTTPS proxy. ++ + http.emptyAuth:: + Attempt authentication without seeking a username or password. This + can be used to attempt GSS-Negotiate authentication without specifying + diff --git a/http.c b/http.c --- a/http.c +++ b/http.c @@ -24,12 +55,11 @@ static const char *curl_http_proxy; static const char *http_proxy_authmethod; + -+#if LIBCURL_VERSION_NUM >= 0x073400 +static const char *http_proxy_ssl_cert; +static const char *http_proxy_ssl_key; -+static const char *http_proxy_ssl_keypasswd; -+#endif +static const char *http_proxy_ssl_ca_info; ++static struct credential proxy_cert_auth = CREDENTIAL_INIT; ++static int proxy_ssl_cert_password_required; + static struct { const char *name; @@ -38,23 +68,45 @@ if (!strcmp("http.proxyauthmethod", var)) return git_config_string(&http_proxy_authmethod, var, value); -+#if LIBCURL_VERSION_NUM >= 0x073400 -+ if (!strcmp("http.proxycert", var)) ++ if (!strcmp("http.proxysslcert", var)) + return git_config_string(&http_proxy_ssl_cert, var, value); + -+ if (!strcmp("http.proxykey", var)) ++ if (!strcmp("http.proxysslkey", var)) + return git_config_string(&http_proxy_ssl_key, var, value); + -+ if (!strcmp("http.proxykeypass", var)) -+ return git_config_string(&http_proxy_ssl_keypasswd, var, value); -+ -+ if (!strcmp("http.proxycainfo", var)) ++ if (!strcmp("http.proxysslcainfo", var)) + return git_config_string(&http_proxy_ssl_ca_info, var, value); -+#endif ++ ++ if (!strcmp("http.proxysslcertpasswordprotected", var)) { ++ proxy_ssl_cert_password_required = git_config_bool(var, value); ++ return 0; ++ } + if (!strcmp("http.cookiefile", var)) return git_config_pathname(&curl_cookie_file, var, value); if (!strcmp("http.savecookies", var)) { +@@ + return 1; + } + ++#if LIBCURL_VERSION_NUM >= 0x073400 ++static int has_proxy_cert_password(void) ++{ ++ if (http_proxy_ssl_cert == NULL || proxy_ssl_cert_password_required != 1) ++ return 0; ++ if (!proxy_cert_auth.password) { ++ proxy_cert_auth.protocol = xstrdup("cert"); ++ proxy_cert_auth.username = xstrdup(""); ++ proxy_cert_auth.path = xstrdup(http_proxy_ssl_cert); ++ credential_fill(&proxy_cert_auth); ++ } ++ return 1; ++} ++#endif ++ + #if LIBCURL_VERSION_NUM >= 0x071900 + static void set_curl_keepalive(CURL *c) + { @@ #if LIBCURL_VERSION_NUM >= 0x073400 curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL); @@ -82,16 +134,28 @@ + else if (starts_with(curl_http_proxy, "https")) { + curl_easy_setopt(result, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS); + -+ if (http_proxy_ssl_cert != NULL) ++ if (http_proxy_ssl_cert) + curl_easy_setopt(result, CURLOPT_PROXY_SSLCERT, http_proxy_ssl_cert); + -+ if (http_proxy_ssl_key != NULL) ++ if (http_proxy_ssl_key) + curl_easy_setopt(result, CURLOPT_PROXY_SSLKEY, http_proxy_ssl_key); + -+ if (http_proxy_ssl_keypasswd != NULL) -+ curl_easy_setopt(result, CURLOPT_PROXY_KEYPASSWD, http_proxy_ssl_keypasswd); -+ ++ if (has_proxy_cert_password()) ++ curl_easy_setopt(result, CURLOPT_PROXY_KEYPASSWD, proxy_cert_auth.password); + } #endif if (strstr(curl_http_proxy, "://")) credential_from_url(&proxy_auth, curl_http_proxy); +@@ + } + ssl_cert_password_required = 0; + ++ if (proxy_cert_auth.password != NULL) { ++ memset(proxy_cert_auth.password, 0, strlen(proxy_cert_auth.password)); ++ FREE_AND_NULL(proxy_cert_auth.password); ++ } ++ proxy_ssl_cert_password_required = 0; ++ + FREE_AND_NULL(cached_accept_language); + } + 2: c40207a3928 ! 2: 086c5e59fb2 config: documentation for HTTPS proxy client cert. @@ -1,10 +1,12 @@ Author: Jorge Lopez Silva <jalopezsilva@xxxxxxxxx> - config: documentation for HTTPS proxy client cert. + http: add environment variable for HTTPS proxy. - The commit adds 4 options, client cert, key, key password and CA info. - The CA info can be used to specify a different CA path to validate the - HTTPS proxy cert. + This commit adds four environment variables that can be used to + configure the proxy cert, proxy ssl key, the proxy cert password + protected flag, and the CA info for the proxy. + + Documentation for the options was also updated. Signed-off-by: Jorge Lopez Silva <jalopezsilva@xxxxxxxxx> @@ -12,23 +14,49 @@ --- a/Documentation/config/http.txt +++ b/Documentation/config/http.txt @@ - * `ntlm` - NTLM authentication (compare the --ntlm option of `curl(1)`) - -- -+http.proxycert:: -+ File indicating a client certificate to use to authenticate with an HTTPS proxy. -+ -+http.proxykey:: -+ File indicating a private key to use to authenticate with an HTTPS proxy. -+ -+http.proxykeypass:: -+ When communicating to the proxy using TLS (using an HTTPS proxy), use this -+ option along `http.proxykey` to indicate a password for the key. -+ -+http.proxycainfo:: -+ File containing the certificates to verify the proxy with when using an HTTPS -+ proxy. -+ + http.proxySSLCert:: + The pathname of a file that stores a client certificate to use to authenticate +- with an HTTPS proxy. ++ with an HTTPS proxy. Can be overridden by the `GIT_PROXY_SSL_CERT` environment ++ variable. + + http.proxySSLKey:: + The pathname of a file that stores a private key to use to authenticate with +- an HTTPS proxy. ++ an HTTPS proxy. Can be overridden by the `GIT_PROXY_SSL_KEY` environment ++ variable. + + http.proxySSLCertPasswordProtected:: + Enable Git's password prompt for the proxy SSL certificate. Otherwise OpenSSL + will prompt the user, possibly many times, if the certificate or private key +- is encrypted. ++ is encrypted. Can be overriden by the `GIT_PROXY_SSL_CERT_PASSWORD_PROTECTED` ++ environment variable. + + http.proxySSLCAInfo:: + Pathname to the file containing the certificate bundle that should be used to +- verify the proxy with when using an HTTPS proxy. ++ verify the proxy with when using an HTTPS proxy. Can be overriden by the ++ `GIT_PROXY_SSL_CAINFO` environment variable. + http.emptyAuth:: Attempt authentication without seeking a username or password. This - can be used to attempt GSS-Negotiate authentication without specifying + + diff --git a/http.c b/http.c + --- a/http.c + +++ b/http.c +@@ + max_requests = DEFAULT_MAX_REQUESTS; + #endif + ++ set_from_env(&http_proxy_ssl_cert, "GIT_PROXY_SSL_CERT"); ++ set_from_env(&http_proxy_ssl_key, "GIT_PROXY_SSL_KEY"); ++ set_from_env(&http_proxy_ssl_ca_info, "GIT_PROXY_SSL_CAINFO"); ++ ++ if (getenv("GIT_PROXY_SSL_CERT_PASSWORD_PROTECTED")) ++ proxy_ssl_cert_password_required = 1; ++ + if (getenv("GIT_CURL_FTP_NO_EPSV")) + curl_ftp_no_epsv = 1; + -- gitgitgadget