Re: Technical information about http.sslBackend schannel

Hi Brian,

On Thu, 25 Jul 2024, PEMBERTON Brian D * DCBS wrote:

> I am in the process of migrating our SVN repos to Git for my agency.
> Our infrastructure team is requesting to have more information about
> what the http.sslBackend schannel setting does than what it stated in
> the documentation, as it seems necessary to connect (clone,push) to our
> remote.
>
> `
> http.sslBackend
> Name of the SSL backend to use (e.g. "openssl" or "schannel"). This
> option is ignored if cURL lacks support for choosing the SSL backend at
> runtime.
> `
>
> My understanding is that it enables Git to connect to the Windows cert
> store (sorry if this is Windows specific, I thought to start here,
> since the subject is SSL).

The name `schannel` is short for "Secure Channel" and refers to the native
Transport Layer Security (TLS, formerly known as SSL, for more details see
https://en.wikipedia.org/wiki/Transport_Layer_Security) support of Windows
that is required to transfer data via the HTTPS protocol. For details, see
https://learn.microsoft.com/en-us/windows/win32/secauthn/secure-channel.

The name `openssl` stands for the OpenSSL library (whose home page is at
https://www.openssl.org/), which offers an open source implementation of
the algorithms required for TLS.

Git itself does not use either of these libraries directly. Instead, it
leans on libcurl (https://curl.se/) which implements a variety of
protocols and optionally uses a variety of TLS implementations.

Now, what does this mean for you in practice?

As you likely expect, the various TLS implementations all come with their
strengths and weaknesses. Here are but two of them:

- OpenSSL is historically much faster at adopting new technology. For
  example, it implemented TLS 1.3 much earlier than Secure Channel.

- Secure Channel integrates much better with Windows. For example, if you
  direct your web browser to a site with a self-signed certificate and use
  the convenient GUI facility to add that to the Windows certificate
  store, Secure Channel will automatically know about this. OpenSSL does
  not, and will require you to jump through quite a few hoops to access
  that site.

Seeing as you write from a `.gov` address, I suspect that the fact that
Secure Channel is part of the operating system (and hence is certified in
the same ways) will be of most interest to you.

I hope this helps!

Ciao,
Johannes

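A small audit script, added here as an example and not part of the thread above, that shows the practical side of the explanation: which `http.sslBackend` value Git will actually hand to libcurl once the system, global and local config scopes have been merged (Git prints `git config --list` output in precedence order, so the last occurrence of a single-valued key wins), and what that choice means for certificate trust according to the points made in the reply (Secure Channel uses the Windows certificate store; OpenSSL needs its own CA bundle, configured through `http.sslCAInfo`). The config listing embedded below is constructed for the example; in practice you would feed in the output of `git config --list`.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Audits the TLS backend Git will hand to libcurl by reading
# "git config --list"-style output (keys lowercased, key=value per line,
# later scopes override earlier ones for single-valued keys).

# Constructed sample listing: note that http.sslbackend appears twice,
# as it would if a global setting were overridden by a per-repository one.
SAMPLE_CONFIG='core.autocrlf=true
http.sslbackend=openssl
http.sslcainfo=C:/ProgramData/corp/private-ca-bundle.pem
http.sslbackend=schannel
user.name=Example Engineer'

# Print the value Git uses for a single-valued key: the last occurrence wins,
# matching system < global < local precedence. Values may contain "=".
config_value() {
    key="$1"      # lowercase key, e.g. http.sslbackend
    printf '%s\n' "$2" | awk -F= -v k="$key" '
        $1 == k { v = substr($0, length(k) + 2) }
        END { print v }'
}

# The backend name that libcurl will be asked to use ("" if unset).
effective_ssl_backend() {
    config_value http.sslbackend "$1"
}

# Summarise where certificate trust comes from for the chosen backend,
# using only the behaviour described in the thread.
describe_trust() {
    backend=$(effective_ssl_backend "$1")
    cainfo=$(config_value http.sslcainfo "$1")
    case "$backend" in
        schannel)
            echo "backend=schannel: certificate trust comes from the Windows certificate store"
            ;;
        openssl)
            if [ -n "$cainfo" ]; then
                echo "backend=openssl: trust comes from the CA bundle at $cainfo"
            else
                echo "backend=openssl: http.sslCAInfo is unset, so the backend's default CA bundle is used"
            fi
            ;;
        "")
            echo "backend unset: whatever TLS backend this libcurl build defaults to is used"
            ;;
        *)
            echo "backend=$backend: not a value this script knows about"
            ;;
    esac
}

describe_trust "$SAMPLE_CONFIG"
```

Run against real output with `describe_trust "$(git config --list)"` inside the repository in question; an infrastructure team can use the same loop over several checkouts to confirm that every one of them resolves to the backend they expect.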