Hi Brian,

On Thu, 25 Jul 2024, PEMBERTON Brian D * DCBS wrote:

> I am in the process of migrating our SVN repos to Git for my agency.
> Our infrastructure team is requesting to have more information about
> what the http.sslBackend schannel setting does than what is stated in
> the documentation, as it seems necessary to connect (clone,push) to our
> remote.
>
> `
> http.sslBackend
> Name of the SSL backend to use (e.g. "openssl" or "schannel"). This
> option is ignored if cURL lacks support for choosing the SSL backend at
> runtime.
> `
>
> My understanding is that it enables Git to connect to the Windows cert
> store, (sorry if this is windows specific, I thought to start here,
> since the subject is SSL)

The name `schannel` is short for "Secure Channel" and refers to the native
Transport Layer Security (TLS, formerly known as SSL, for more details see
https://en.wikipedia.org/wiki/Transport_Layer_Security) support of Windows
that is required to transfer data via the HTTPS protocol. For details, see
https://learn.microsoft.com/en-us/windows/win32/secauthn/secure-channel.

The name `openssl` stands for the OpenSSL library (whose home page is at
https://www.openssl.org/), which offers an open source implementation of
the algorithms required for TLS.

Git itself does not use either of these libraries directly. Instead, it
leans on libcurl (https://curl.se/) which implements a variety of
protocols and optionally uses a variety of TLS implementations.

Now, what does this mean for you in practice? As you likely expect, the
various TLS implementations all come with their strengths and weaknesses.
Here are but two of them:

- OpenSSL is historically much faster at adopting new technology. For
  example, it implemented TLS 1.3 much earlier than Secure Channel.

- Secure Channel integrates much better with Windows. For example, if you
  direct your web browser to a site with a self-signed certificate and use
  the convenient GUI facility to add that to the Windows certificate
  store, Secure Channel will automatically know about this. OpenSSL does
  not, and will require you to jump through quite a few hoops to access
  that site.

Seeing as you write from a `.gov` address, I suspect that the fact that
Secure Channel is part of the operating system (and hence is certified in
the same ways) will be of most interest to you.

I hope this helps!

Ciao,
Johannes
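
For an infrastructure review of the setting discussed above, the following shell script is an added example and is not part of the original message or of Git itself. It reports which `http.sslBackend` value wins for a repository, which config files set it, and two related settings that change how certificates are checked; the function names are hypothetical, and it assumes a POSIX shell such as Git Bash with `git` on the PATH.

```shell
#!/bin/sh
# Added example: audit which TLS backend Git will request from libcurl.

# Print the winning value of http.sslBackend for DIR, or "default" if unset.
effective_ssl_backend() {
    git -C "$1" config --get http.sslBackend 2>/dev/null || echo default
}

# Print every config file (system, global, local) that sets the key.
ssl_backend_origins() {
    git -C "$1" config --show-origin --get-all http.sslBackend 2>/dev/null || true
}

# Map a backend name to the trust store it validates servers against.
trust_store_for() {
    case "$1" in
        schannel) echo "Windows certificate store" ;;
        openssl)  echo "OpenSSL CA bundle (http.sslCAInfo / http.sslCAPath)" ;;
        *)        echo "default of the libcurl build" ;;
    esac
}

# Full report for DIR (defaults to the current directory).
audit_ssl_backend() {
    dir=${1:-.}
    backend=$(effective_ssl_backend "$dir")
    echo "http.sslBackend: $backend"
    echo "trust store:     $(trust_store_for "$backend")"
    ssl_backend_origins "$dir" | sed 's/^/  set in /'
    # Verification switched off makes the choice of trust store irrelevant.
    if [ "$(git -C "$dir" config --bool --get http.sslVerify 2>/dev/null)" = false ]; then
        echo "WARNING: http.sslVerify=false turns off certificate checks for any backend"
    fi
    # With schannel, Git keeps the Windows store unless explicitly told otherwise.
    if [ "$backend" = schannel ] &&
       git -C "$dir" config --get http.sslCAInfo >/dev/null 2>&1 &&
       [ "$(git -C "$dir" config --bool --get http.schannelUseSSLCAInfo 2>/dev/null)" != true ]; then
        echo "NOTE: http.sslCAInfo is ignored with schannel unless http.schannelUseSSLCAInfo=true"
    fi
}

audit_ssl_backend "${1:-.}"
```

Run it from inside a clone, or pass the repository path as the first argument.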