Skip to content

Commit c7fc2b5

Browse files
dschoGit for Windows Build Agent
authored and
Git for Windows Build Agent
committed
http: use new "best effort" strategy for Secure Channel revoke checking
The native Windows HTTPS backend is based on Secure Channel which lets the caller decide how to handle revocation checking problems caused by missing information in the certificate or offline CRL distribution points. Unfortunately, cURL chose to handle these problems differently than OpenSSL by default: while OpenSSL happily ignores those problems (essentially saying "¯\_(ツ)_/¯"), the Secure Channel backend will error out instead. As a remedy, the "no revoke" mode was introduced, which turns off revocation checking altogether. This is a bit heavy-handed. We support this via the `http.schannelCheckRevoke` setting. In curl/curl#4981, we contributed an opt-in "best effort" strategy that emulates what OpenSSL seems to do. In Git for Windows, we actually want this to be the default. This patch makes it so, introducing it as a new value for the `http.schannelCheckRevoke" setting, which now becmes a tristate: it accepts the values "false", "true" or "best-effort" (defaulting to the last one). Signed-off-by: Johannes Schindelin <[email protected]>
1 parent f532f66 commit c7fc2b5

File tree

2 files changed

+29
-9
lines changed

2 files changed

+29
-9
lines changed

Documentation/config/http.adoc

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -233,11 +233,13 @@ http.sslKeyType::
233233

234234
http.schannelCheckRevoke::
235235
Used to enforce or disable certificate revocation checks in cURL
236-
when http.sslBackend is set to "schannel". Defaults to `true` if
237-
unset. Only necessary to disable this if Git consistently errors
238-
and the message is about checking the revocation status of a
239-
certificate. This option is ignored if cURL lacks support for
240-
setting the relevant SSL option at runtime.
236+
when http.sslBackend is set to "schannel" via "true" and "false",
237+
respectively. Another accepted value is "best-effort" (the default)
238+
in which case revocation checks are performed, but errors due to
239+
revocation list distribution points that are offline are silently
240+
ignored, as well as errors due to certificates missing revocation
241+
list distribution points. This option is ignored if cURL lacks
242+
support for setting the relevant SSL option at runtime.
241243

242244
http.schannelUseSSLCAInfo::
243245
As of cURL v7.60.0, the Secure Channel backend can use the

http.c

Lines changed: 22 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -147,7 +147,13 @@ static char *cached_accept_language;
147147

148148
static char *http_ssl_backend;
149149

150-
static int http_schannel_check_revoke = 1;
150+
static int http_schannel_check_revoke_mode =
151+
#ifdef CURLSSLOPT_REVOKE_BEST_EFFORT
152+
CURLSSLOPT_REVOKE_BEST_EFFORT;
153+
#else
154+
CURLSSLOPT_NO_REVOKE;
155+
#endif
156+
151157
/*
152158
* With the backend being set to `schannel`, setting sslCAinfo would override
153159
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
@@ -422,7 +428,19 @@ static int http_options(const char *var, const char *value,
422428
}
423429

424430
if (!strcmp("http.schannelcheckrevoke", var)) {
425-
http_schannel_check_revoke = git_config_bool(var, value);
431+
if (value && !strcmp(value, "best-effort")) {
432+
http_schannel_check_revoke_mode =
433+
#ifdef CURLSSLOPT_REVOKE_BEST_EFFORT
434+
CURLSSLOPT_REVOKE_BEST_EFFORT;
435+
#else
436+
CURLSSLOPT_NO_REVOKE;
437+
warning(_("%s=%s unsupported by current cURL"),
438+
var, value);
439+
#endif
440+
} else
441+
http_schannel_check_revoke_mode =
442+
(git_config_bool(var, value) ?
443+
0 : CURLSSLOPT_NO_REVOKE);
426444
return 0;
427445
}
428446

@@ -1056,8 +1074,8 @@ static CURL *get_curl_handle(void)
10561074
#endif
10571075

10581076
if (http_ssl_backend && !strcmp("schannel", http_ssl_backend) &&
1059-
!http_schannel_check_revoke) {
1060-
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
1077+
http_schannel_check_revoke_mode) {
1078+
curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, http_schannel_check_revoke_mode);
10611079
}
10621080

10631081
if (http_proactive_auth != PROACTIVE_AUTH_NONE)

0 commit comments

Comments
 (0)