From: Junio C Hamano <gitster@pobox.com>
To: John Szakmeister <john@szakmeister.net>
Cc: git@vger.kernel.org, Jeff King <peff@peff.net>
Subject: Re: [PATCH v2 1/2] http: store credential when PKI auth is used
Date: Thu, 11 Mar 2021 16:58:29 -0800 [thread overview]
Message-ID: <xmqqeeglb32i.fsf@gitster.g> (raw)
In-Reply-To: <20210312004842.30697-2-john@szakmeister.net> (John Szakmeister's message of "Thu, 11 Mar 2021 19:48:41 -0500")
John Szakmeister <john@szakmeister.net> writes:
> Likewise, we also need to reject the credential when there is a failure.
> Curl appears to report client-related certificate issues are reported
> with the CURLE_SSL_CERTPROBLEM error. This includes not only a bad
> password, but potentially other client certificate related problems.
>
> Since we cannot get more information from curl, we'll go ahead and
> reject the credential upon receiving that error, just to be safe and
> avoid caching or saving a bad password.
I think this is sensible enough. As long as a tentative network
failure to talk to the server, or an overloaded server that fails to
accept new connection, won't trigger rejection of a password, it is
OK, I would think.
> Signed-off-by: John Szakmeister <john@szakmeister.net>
> ---
> http.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/http.c b/http.c
> index f8ea28bb2e..12a8aaba48 100644
> --- a/http.c
> +++ b/http.c
> @@ -1637,7 +1637,17 @@ static int handle_curl_result(struct slot_results *results)
> credential_approve(&http_auth);
> if (proxy_auth.password)
> credential_approve(&proxy_auth);
> + credential_approve(&cert_auth);
> return HTTP_OK;
> + } else if (results->curl_result == CURLE_SSL_CERTPROBLEM) {
> + /*
> + * We can't tell from here whether it's a bad path, bad
> + * certificate, bad password, or something else wrong
> + * with the certificate. So we reject the credential to
> + * avoid caching or saving a bad password.
> + */
> + credential_reject(&http_auth);
> + return HTTP_NOAUTH;
> } else if (missing_target(results))
> return HTTP_MISSING_TARGET;
> else if (results->http_code == 401) {
next prev parent reply other threads:[~2021-03-12 0:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-12 0:48 [PATCH v2 0/2] http: store credential when PKI auth is used John Szakmeister
2021-03-12 0:48 ` [PATCH v2 1/2] " John Szakmeister
2021-03-12 0:58 ` Junio C Hamano [this message]
2021-03-12 1:41 ` brian m. carlson
2021-03-12 1:45 ` Jeff King
2021-03-12 2:27 ` John Szakmeister
2021-03-12 0:48 ` [PATCH v2 2/2] http: drop the check for an empty proxy password before approving John Szakmeister
2021-03-12 1:31 ` [PATCH v2 0/2] http: store credential when PKI auth is used Jeff King
2021-03-12 2:37 ` John Szakmeister
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqeeglb32i.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=john@szakmeister.net \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.