git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Jorge via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Jorge <JALopezSilva@gmail.com>
Subject: [PATCH v3 0/2] Add HTTPS proxy SSL options (cert, key, cainfo)
Date: Wed, 04 Mar 2020 18:40:04 +0000	[thread overview]
Message-ID: <pull.559.v3.git.1583347206.gitgitgadget@gmail.com> (raw)
In-Reply-To: <pull.559.v2.git.1582759438.gitgitgadget@gmail.com>

Git currently supports connecting to proxies through HTTPS. However it does
not allow you to configure SSL options when connecting (i.e. client cert,
key, cainfo). These set of commits add the necessary options and
documentation needed to support them.

Libcurl already has support for this so changes are somewhat minimal.

I ran the CI tests and verified manually with an HTTPS proxy that changes
are working as expected. I didn't see integration tests under /t or tests
that verified libcurl integration. 

./bin-wrappers/git -c http.proxy=https://<PROXY-HOSTNAME> \
-c http.proxycert=<CERT> -c http.proxykey=<KEY> \
clone https://github.com/jalopezsilva/dotfiles.git  

Changes since v2:
=================

 * Merged the two initial commits as the second one was adding documentation
   for the first.
 * Removed the SSL Cert password from configuration. I'm using a similar
   function to has_cert_password to retrieve it if needed. 
 * Better names and descriptions were given to the options. 
 * Introduced another commit adding environment variable overrides for the
   new options.

Jorge Lopez Silva (2):
  http: add client cert for HTTPS proxies.
  http: add environment variable for HTTPS proxy.

 Documentation/config/http.txt | 21 ++++++++++
 http.c                        | 74 ++++++++++++++++++++++++++++++++---
 2 files changed, 90 insertions(+), 5 deletions(-)


base-commit: 51ebf55b9309824346a6589c9f3b130c6f371b8f
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-559%2Fjalopezsilva%2Fhttps_proxy_ssl_options-v3
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-559/jalopezsilva/https_proxy_ssl_options-v3
Pull-Request: https://github.com/gitgitgadget/git/pull/559

Range-diff vs v2:

 1:  a5d980e7501 ! 1:  e18b342819b http: add client cert for HTTPS proxies.
     @@ -9,13 +9,44 @@
      
          A client certificate can provide an alternative way of authentication
          instead of using 'ProxyAuthorization' or other more common methods of
     -    authentication.
     +    authentication.  Libcurl supports this functionality already so changes
     +    are somewhat minimal. The feature is guarded by the first available
     +    libcurl version that supports these options.
      
     -    Libcurl supports this functionality already. The feature is guarded by
     -    the first available libcurl version that supports these options.
     +    4 configuration options are added and documented, cert, key, cert
     +    password protected and CA info. The CA info should be used to specify a
     +    different CA path to validate the HTTPS proxy cert.
      
          Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
      
     + diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt
     + --- a/Documentation/config/http.txt
     + +++ b/Documentation/config/http.txt
     +@@
     + * `ntlm` - NTLM authentication (compare the --ntlm option of `curl(1)`)
     + --
     + 
     ++http.proxySSLCert::
     ++	The pathname of a file that stores a client certificate to use to authenticate
     ++	with an HTTPS proxy.
     ++
     ++http.proxySSLKey::
     ++	The pathname of a file that stores a private key to use to authenticate with
     ++	an HTTPS proxy.
     ++
     ++http.proxySSLCertPasswordProtected::
     ++	Enable Git's password prompt for the proxy SSL certificate.  Otherwise OpenSSL
     ++	will prompt the user, possibly many times, if the certificate or private key
     ++	is encrypted.
     ++
     ++http.proxySSLCAInfo::
     ++	Pathname to the file containing the certificate bundle that should be used to
     ++	verify the proxy with when using an HTTPS proxy.
     ++
     + http.emptyAuth::
     + 	Attempt authentication without seeking a username or password.  This
     + 	can be used to attempt GSS-Negotiate authentication without specifying
     +
       diff --git a/http.c b/http.c
       --- a/http.c
       +++ b/http.c
     @@ -24,12 +55,11 @@
       static const char *curl_http_proxy;
       static const char *http_proxy_authmethod;
      +
     -+#if LIBCURL_VERSION_NUM >= 0x073400
      +static const char *http_proxy_ssl_cert;
      +static const char *http_proxy_ssl_key;
     -+static const char *http_proxy_ssl_keypasswd;
     -+#endif
      +static const char *http_proxy_ssl_ca_info;
     ++static struct credential proxy_cert_auth = CREDENTIAL_INIT;
     ++static int proxy_ssl_cert_password_required;
      +
       static struct {
       	const char *name;
     @@ -38,23 +68,45 @@
       	if (!strcmp("http.proxyauthmethod", var))
       		return git_config_string(&http_proxy_authmethod, var, value);
       
     -+#if LIBCURL_VERSION_NUM >= 0x073400
     -+	if (!strcmp("http.proxycert", var))
     ++	if (!strcmp("http.proxysslcert", var))
      +		return git_config_string(&http_proxy_ssl_cert, var, value);
      +
     -+	if (!strcmp("http.proxykey", var))
     ++	if (!strcmp("http.proxysslkey", var))
      +		return git_config_string(&http_proxy_ssl_key, var, value);
      +
     -+	if (!strcmp("http.proxykeypass", var))
     -+		return git_config_string(&http_proxy_ssl_keypasswd, var, value);
     -+
     -+	if (!strcmp("http.proxycainfo", var))
     ++	if (!strcmp("http.proxysslcainfo", var))
      +		return git_config_string(&http_proxy_ssl_ca_info, var, value);
     -+#endif
     ++
     ++	if (!strcmp("http.proxysslcertpasswordprotected", var)) {
     ++		proxy_ssl_cert_password_required = git_config_bool(var, value);
     ++		return 0;
     ++	}
      +
       	if (!strcmp("http.cookiefile", var))
       		return git_config_pathname(&curl_cookie_file, var, value);
       	if (!strcmp("http.savecookies", var)) {
     +@@
     + 	return 1;
     + }
     + 
     ++#if LIBCURL_VERSION_NUM >= 0x073400
     ++static int has_proxy_cert_password(void)
     ++{
     ++	if (http_proxy_ssl_cert == NULL || proxy_ssl_cert_password_required != 1)
     ++		return 0;
     ++	if (!proxy_cert_auth.password) {
     ++		proxy_cert_auth.protocol = xstrdup("cert");
     ++		proxy_cert_auth.username = xstrdup("");
     ++		proxy_cert_auth.path = xstrdup(http_proxy_ssl_cert);
     ++		credential_fill(&proxy_cert_auth);
     ++	}
     ++	return 1;
     ++}
     ++#endif
     ++
     + #if LIBCURL_VERSION_NUM >= 0x071900
     + static void set_curl_keepalive(CURL *c)
     + {
      @@
       #if LIBCURL_VERSION_NUM >= 0x073400
       		curl_easy_setopt(result, CURLOPT_PROXY_CAINFO, NULL);
     @@ -82,16 +134,28 @@
      +		else if (starts_with(curl_http_proxy, "https")) {
      +			curl_easy_setopt(result, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
      +
     -+			if (http_proxy_ssl_cert != NULL)
     ++			if (http_proxy_ssl_cert)
      +				curl_easy_setopt(result, CURLOPT_PROXY_SSLCERT, http_proxy_ssl_cert);
      +
     -+			if (http_proxy_ssl_key != NULL)
     ++			if (http_proxy_ssl_key)
      +				curl_easy_setopt(result, CURLOPT_PROXY_SSLKEY, http_proxy_ssl_key);
      +
     -+			if (http_proxy_ssl_keypasswd != NULL)
     -+				curl_easy_setopt(result, CURLOPT_PROXY_KEYPASSWD, http_proxy_ssl_keypasswd);
     -+
     ++			if (has_proxy_cert_password())
     ++				curl_easy_setopt(result, CURLOPT_PROXY_KEYPASSWD, proxy_cert_auth.password);
      +		}
       #endif
       		if (strstr(curl_http_proxy, "://"))
       			credential_from_url(&proxy_auth, curl_http_proxy);
     +@@
     + 	}
     + 	ssl_cert_password_required = 0;
     + 
     ++	if (proxy_cert_auth.password != NULL) {
     ++		memset(proxy_cert_auth.password, 0, strlen(proxy_cert_auth.password));
     ++		FREE_AND_NULL(proxy_cert_auth.password);
     ++	}
     ++	proxy_ssl_cert_password_required = 0;
     ++
     + 	FREE_AND_NULL(cached_accept_language);
     + }
     + 
 2:  c40207a3928 ! 2:  086c5e59fb2 config: documentation for HTTPS proxy client cert.
     @@ -1,10 +1,12 @@
      Author: Jorge Lopez Silva <jalopezsilva@gmail.com>
      
     -    config: documentation for HTTPS proxy client cert.
     +    http: add environment variable for HTTPS proxy.
      
     -    The commit adds 4 options, client cert, key, key password and CA info.
     -    The CA info can be used to specify a different CA path to validate the
     -    HTTPS proxy cert.
     +    This commit adds four environment variables that can be used to
     +    configure the proxy cert, proxy ssl key, the proxy cert password
     +    protected flag, and the CA info for the proxy.
     +
     +    Documentation for the options was also updated.
      
          Signed-off-by: Jorge Lopez Silva <jalopezsilva@gmail.com>
      
     @@ -12,23 +14,49 @@
       --- a/Documentation/config/http.txt
       +++ b/Documentation/config/http.txt
      @@
     - * `ntlm` - NTLM authentication (compare the --ntlm option of `curl(1)`)
     - --
       
     -+http.proxycert::
     -+	File indicating a client certificate to use to authenticate with an HTTPS proxy.
     -+
     -+http.proxykey::
     -+	File indicating a private key to use to authenticate with an HTTPS proxy.
     -+
     -+http.proxykeypass::
     -+	When communicating to the proxy using TLS (using an HTTPS proxy), use this
     -+	option along `http.proxykey` to indicate a password for the key.
     -+
     -+http.proxycainfo::
     -+	File containing the certificates to verify the proxy with when using an HTTPS
     -+	proxy.
     -+
     + http.proxySSLCert::
     + 	The pathname of a file that stores a client certificate to use to authenticate
     +-	with an HTTPS proxy.
     ++	with an HTTPS proxy. Can be overridden by the `GIT_PROXY_SSL_CERT` environment
     ++	variable.
     + 
     + http.proxySSLKey::
     + 	The pathname of a file that stores a private key to use to authenticate with
     +-	an HTTPS proxy.
     ++	an HTTPS proxy. Can be overridden by the `GIT_PROXY_SSL_KEY` environment
     ++	variable.
     + 
     + http.proxySSLCertPasswordProtected::
     + 	Enable Git's password prompt for the proxy SSL certificate.  Otherwise OpenSSL
     + 	will prompt the user, possibly many times, if the certificate or private key
     +-	is encrypted.
     ++	is encrypted. Can be overriden by the `GIT_PROXY_SSL_CERT_PASSWORD_PROTECTED`
     ++	environment variable.
     + 
     + http.proxySSLCAInfo::
     + 	Pathname to the file containing the certificate bundle that should be used to
     +-	verify the proxy with when using an HTTPS proxy.
     ++	verify the proxy with when using an HTTPS proxy. Can be overriden by the
     ++	`GIT_PROXY_SSL_CAINFO` environment variable.
     + 
       http.emptyAuth::
       	Attempt authentication without seeking a username or password.  This
     - 	can be used to attempt GSS-Negotiate authentication without specifying
     +
     + diff --git a/http.c b/http.c
     + --- a/http.c
     + +++ b/http.c
     +@@
     + 		max_requests = DEFAULT_MAX_REQUESTS;
     + #endif
     + 
     ++	set_from_env(&http_proxy_ssl_cert, "GIT_PROXY_SSL_CERT");
     ++	set_from_env(&http_proxy_ssl_key, "GIT_PROXY_SSL_KEY");
     ++	set_from_env(&http_proxy_ssl_ca_info, "GIT_PROXY_SSL_CAINFO");
     ++
     ++	if (getenv("GIT_PROXY_SSL_CERT_PASSWORD_PROTECTED"))
     ++		proxy_ssl_cert_password_required = 1;
     ++
     + 	if (getenv("GIT_CURL_FTP_NO_EPSV"))
     + 		curl_ftp_no_epsv = 1;
     + 

-- 
gitgitgadget

  parent reply	other threads:[~2020-03-04 18:40 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-21 21:36 [PATCH 0/2] Add HTTPS proxy SSL options (cert, key, cainfo) Jorge via GitGitGadget
2020-02-21 21:36 ` [PATCH 1/2] http: add client cert for HTTPS proxies Jorge Lopez Silva via GitGitGadget
2020-02-21 22:28   ` Eric Sunshine
2020-02-26 21:05     ` Jorge A López Silva
2020-02-21 21:36 ` [PATCH 2/2] config: documentation for HTTPS proxy client cert Jorge Lopez Silva via GitGitGadget
2020-02-26 23:23 ` [PATCH v2 0/2] Add HTTPS proxy SSL options (cert, key, cainfo) Jorge via GitGitGadget
2020-02-26 23:23   ` [PATCH v2 1/2] http: add client cert for HTTPS proxies Jorge Lopez Silva via GitGitGadget
2020-02-27 18:31     ` Junio C Hamano
2020-03-03  1:41       ` Jorge A López Silva
2020-02-26 23:23   ` [PATCH v2 2/2] config: documentation for HTTPS proxy client cert Jorge Lopez Silva via GitGitGadget
2020-02-27 18:58     ` Junio C Hamano
2020-03-03  1:47       ` Jorge A López Silva
2020-03-04 18:40   ` Jorge via GitGitGadget [this message]
2020-03-04 18:40     ` [PATCH v3 1/2] http: add client cert for HTTPS proxies Jorge Lopez Silva via GitGitGadget
2020-03-04 18:40     ` [PATCH v3 2/2] http: add environment variable for HTTPS proxy Jorge Lopez Silva via GitGitGadget

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=pull.559.v3.git.1583347206.gitgitgadget@gmail.com \
    --to=gitgitgadget@gmail.com \
    --cc=JALopezSilva@gmail.com \
    --cc=git@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).