Re: [PATCH v3] http: add support for specifying an SSL cipher list

[Junio C Hamano <gitster@pobox.com>]

Lars Kellogg-Stedman <lars@redhat.com> writes:

> Teach git about a new option, "http.sslCipherList", which permits one to
> specify a list of ciphers to use when negotiating SSL connections.  The
> setting can be overwridden by the GIT_SSL_CIPHER_LIST environment
> variable.
>
> Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
> ---
>
> This addresses (I hope!) comments from Junio and Ray, and also resolves some
> whitespace issues present in the earlier version of the patch.

Sounds good.

>  Documentation/config.txt | 13 +++++++++++++
>  http.c                   | 14 ++++++++++++++
>  2 files changed, 27 insertions(+)
>
> diff --git a/Documentation/config.txt b/Documentation/config.txt
> index 2e5ceaf..b982d66 100644
> --- a/Documentation/config.txt
> +++ b/Documentation/config.txt
> @@ -1560,6 +1560,19 @@ http.saveCookies::
>  	If set, store cookies received during requests to the file specified by
>  	http.cookieFile. Has no effect if http.cookieFile is unset.
>  
> +http.sslCipherList::
> +	A list of SSL ciphers to use when negotiating an SSL connection.
> +	The available ciphers depend on whether libcurl was built against
> +	NSS or OpenSSL and the particular configuration of the crypto
> +	library in use.  Internally this sets the CURLOPT_SSL_CIPHER_LIST
> +	option; see the libcurl documentation for that option for more
> +	details on the format of this list.
> +
> +	Can be overridden by the 'GIT_SSL_CIPHER_LIST' environment variable.
> +	To force git to use libcurl's default cipher list and ignore any
> +	explicit http.sslCipherList option, set GIT_SSL_CIPHER_LIST to the
> +	empty string.
> +

This will not format well, I am afraid.  The second and subsequent
paragraphs in a description of an enumerated item need to lose the
initial indentation and the empty line that breaks paragraph need
to be replaced with a single '+' (plus).  See "color::" in the same
document for an example.

We chose to use AsciiDoc primarily because its marked-up source is
easily read as a plain text files, but it is unfortunately somewhat
finicky around here.

>  http.sslVerify::
>  	Whether to verify the SSL certificate when fetching or pushing
>  	over HTTPS. Can be overridden by the 'GIT_SSL_NO_VERIFY' environment
> diff --git a/http.c b/http.c
> index 4b179f6..b617546 100644
> --- a/http.c
> +++ b/http.c
> @@ -36,6 +36,7 @@ char curl_errorstr[CURL_ERROR_SIZE];
>  static int curl_ssl_verify = -1;
>  static int curl_ssl_try;
>  static const char *ssl_cert;
> +static const char *ssl_cipherlist;
>  #if LIBCURL_VERSION_NUM >= 0x070903
>  static const char *ssl_key;
>  #endif
> @@ -187,6 +188,9 @@ static int http_options(const char *var, const char *value, void *cb)
>  		curl_ssl_verify = git_config_bool(var, value);
>  		return 0;
>  	}
> +	if (!strcmp("http.sslcipherlist", var)) {
> +		return git_config_string(&ssl_cipherlist, var, value);
> +	}
>  	if (!strcmp("http.sslcert", var))
>  		return git_config_string(&ssl_cert, var, value);
>  #if LIBCURL_VERSION_NUM >= 0x070903
> @@ -361,6 +365,16 @@ static CURL *get_curl_handle(void)
>  	if (http_proactive_auth)
>  		init_curl_http_auth(result);
>  
> +	if (getenv("GIT_SSL_CIPHER_LIST"))
> +		ssl_cipherlist = getenv("GIT_SSL_CIPHER_LIST");
> +
> +	/* See http://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
> +	 * for details on the format of and available values for
> +	 * CURLOPT_SSL_CIPHER_LIST. */

I see Eric already commented on multi-line comment and what he said
is correct, but as an in-code comment, I do not see much value in
this---anybody who is _reading_ code would know to look up
CURLOPT_SSL_CIPHER_LIST in cURL documentation, I would expect (and
of course this will not be shown to the end user).

> +	if (ssl_cipherlist != NULL && ssl_cipherlist[0] != '\0')
> +		curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST,
> +				ssl_cipherlist);
> +
>  	if (ssl_cert != NULL)
>  		curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
>  	if (has_cert_password())