[PATCH] Support FTP-over-SSL/TLS for regular FTP

[PATCH] Support FTP-over-SSL/TLS for regular FTP

[Modestas Vainius]

Add a boolean http.sslTry option which allows to enable AUTH SSL/TLS and
encrypted data transfers when connecting via regular FTP protocol.

Default is false since it might trigger certificate verification errors on
misconfigured servers.

Signed-off-by: Modestas Vainius <modestas@vainius.eu>
---
 Documentation/config.txt |    8 ++++++++
 http.c                   |   10 ++++++++++
 http.h                   |    9 +++++++++
 3 files changed, 27 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index d5809e0..1abd161 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1406,6 +1406,14 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.sslTry::
+	Attempt to use AUTH SSL/TLS and encrypted data transfers
+	when connecting via regular FTP protocol. This might be needed
+	if the FTP server requires it for security reasons or you wish
+	to connect securely whenever remote FTP server supports it.
+	Default is false since it might trigger certificate verification
+	errors on misconfigured servers.
+
 http.maxRequests::
 	How many HTTP requests to launch in parallel. Can be overridden
 	by the 'GIT_HTTP_MAX_REQUESTS' environment variable. Default is 5.
diff --git a/http.c b/http.c
index 44f3525..d49a3d4 100644
--- a/http.c
+++ b/http.c
@@ -30,6 +30,7 @@ static CURL *curl_default;
 char curl_errorstr[CURL_ERROR_SIZE];
 
 static int curl_ssl_verify = -1;
+static int curl_ssl_try;
 static const char *ssl_cert;
 #if LIBCURL_VERSION_NUM >= 0x070903
 static const char *ssl_key;
@@ -162,6 +163,10 @@ static int http_options(const char *var, const char *value, void *cb)
 			ssl_cert_password_required = 1;
 		return 0;
 	}
+	if (!strcmp("http.ssltry", var)) {
+		curl_ssl_try = git_config_bool(var, value);
+		return 0;
+	}
 	if (!strcmp("http.minsessions", var)) {
 		min_curl_sessions = git_config_int(var, value);
 #ifndef USE_CURL_MULTI
@@ -306,6 +311,11 @@ static CURL *get_curl_handle(void)
 	if (curl_ftp_no_epsv)
 		curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
 
+#ifdef CURLOPT_USE_SSL
+    if (curl_ssl_try)
+		curl_easy_setopt(result, CURLOPT_USE_SSL, CURLUSESSL_TRY);
+#endif
+
 	if (curl_http_proxy) {
 		curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
 		curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
diff --git a/http.h b/http.h
index 0a80d30..f861662 100644
--- a/http.h
+++ b/http.h
@@ -42,6 +42,15 @@
 #define NO_CURL_IOCTL
 #endif
 
+/*
+ * CURLOPT_USE_SSL was known as CURLOPT_FTP_SSL up to 7.16.4,
+ * and the constants were known as CURLFTPSSL_*
+*/
+#if !defined(CURLOPT_USE_SSL) && defined(CURLOPT_FTP_SSL)
+#define CURLOPT_USE_SSL CURLOPT_FTP_SSL
+#define CURLUSESSL_TRY CURLFTPSSL_TRY
+#endif
+
 struct slot_results {
 	CURLcode curl_result;
 	long http_code;
-- 
1.7.10.4

Re: [PATCH] Support FTP-over-SSL/TLS for regular FTP

[Matt Kraai]

On Sat, Jan 12, 2013 at 03:59:52PM +0200, Modestas Vainius wrote:
> @@ -306,6 +311,11 @@ static CURL *get_curl_handle(void)
>  	if (curl_ftp_no_epsv)
>  		curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
>  
> +#ifdef CURLOPT_USE_SSL
> +    if (curl_ssl_try)
> +		curl_easy_setopt(result, CURLOPT_USE_SSL, CURLUSESSL_TRY);
> +#endif
> +
>  	if (curl_http_proxy) {
>  		curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
>  		curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);

It looks like the indentation of the "if" line you added is messed up.

Re: [PATCH] Support FTP-over-SSL/TLS for regular FTP

[Modestas Vainius]

Hello,

Saturday 12 January 2013 06:25:21 rašė:
> On Sat, Jan 12, 2013 at 03:59:52PM +0200, Modestas Vainius wrote:
> > @@ -306,6 +311,11 @@ static CURL *get_curl_handle(void)
> > 
> >  	if (curl_ftp_no_epsv)
> >  	
> >  		curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
> > 
> > +#ifdef CURLOPT_USE_SSL
> > +    if (curl_ssl_try)
> > +		curl_easy_setopt(result, CURLOPT_USE_SSL, CURLUSESSL_TRY);
> > +#endif
> > +
> > 
> >  	if (curl_http_proxy) {
> >  	
> >  		curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
> >  		curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
> 
> It looks like the indentation of the "if" line you added is messed up.

Yeah, sorry about that. I will fix it.

-- 
Modestas Vainius <modestas@vainius.eu>

Re: [PATCH] Support FTP-over-SSL/TLS for regular FTP

[Junio C Hamano]

Modestas Vainius <modestas@vainius.eu> writes:

> Hello,
>
> Saturday 12 January 2013 06:25:21 rašė:
>> On Sat, Jan 12, 2013 at 03:59:52PM +0200, Modestas Vainius wrote:
>> > @@ -306,6 +311,11 @@ static CURL *get_curl_handle(void)
>> > 
>> >  	if (curl_ftp_no_epsv)
>> >  	
>> >  		curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
>> > 
>> > +#ifdef CURLOPT_USE_SSL
>> > +    if (curl_ssl_try)
>> > +		curl_easy_setopt(result, CURLOPT_USE_SSL, CURLUSESSL_TRY);
>> > +#endif
>> > +
>> > 
>> >  	if (curl_http_proxy) {
>> >  	
>> >  		curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
>> >  		curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
>> 
>> It looks like the indentation of the "if" line you added is messed up.
>
> Yeah, sorry about that. I will fix it.

Did anything happen to this topic since then?

Re: [PATCH] Support FTP-over-SSL/TLS for regular FTP

[Modestas Vainius]

Hello,

Sunday 24 February 2013 22:44:14 rašė:
> Modestas Vainius <modestas@vainius.eu> writes:
> > Hello,
> > 
> > Saturday 12 January 2013 06:25:21 rašė:
> >> On Sat, Jan 12, 2013 at 03:59:52PM +0200, Modestas Vainius wrote:
> >> > @@ -306,6 +311,11 @@ static CURL *get_curl_handle(void)
> >> > 
> >> >  	if (curl_ftp_no_epsv)
> >> >  	
> >> >  		curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
> >> > 
> >> > +#ifdef CURLOPT_USE_SSL
> >> > +    if (curl_ssl_try)
> >> > +		curl_easy_setopt(result, CURLOPT_USE_SSL, CURLUSESSL_TRY);
> >> > +#endif
> >> > +
> >> > 
> >> >  	if (curl_http_proxy) {
> >> >  	
> >> >  		curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
> >> >  		curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
> >> 
> >> It looks like the indentation of the "if" line you added is messed up.
> > 
> > Yeah, sorry about that. I will fix it.
> 
> Did anything happen to this topic since then?

I'm very sorry about delay. Fixed patch is below.

From 4f39352fe8dd85aa99f2141baa6a096da727c53e Mon Sep 17 00:00:00 2001
From: Modestas Vainius <modestas@vainius.eu>
Date: Sun, 7 Apr 2013 22:08:10 +0300
Subject: [PATCH] Support FTP-over-SSL/TLS for regular FTP

Add a boolean http.sslTry option which allows to enable AUTH SSL/TLS and
encrypted data transfers when connecting via regular FTP protocol.

Default is false since it might trigger certificate verification errors on
misconfigured servers.

Signed-off-by: Modestas Vainius <modestas@vainius.eu>
---
 Documentation/config.txt |    8 ++++++++
 http.c                   |   10 ++++++++++
 http.h                   |    9 +++++++++
 3 files changed, 27 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index f79184c..da30cfd 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1447,6 +1447,14 @@ http.sslCAPath::
 	with when fetching or pushing over HTTPS. Can be overridden
 	by the 'GIT_SSL_CAPATH' environment variable.
 
+http.sslTry::
+	Attempt to use AUTH SSL/TLS and encrypted data transfers
+	when connecting via regular FTP protocol. This might be needed
+	if the FTP server requires it for security reasons or you wish
+	to connect securely whenever remote FTP server supports it.
+	Default is false since it might trigger certificate verification
+	errors on misconfigured servers.
+
 http.maxRequests::
 	How many HTTP requests to launch in parallel. Can be overridden
 	by the 'GIT_HTTP_MAX_REQUESTS' environment variable. Default is 5.
diff --git a/http.c b/http.c
index 8803c70..f791fcb 100644
--- a/http.c
+++ b/http.c
@@ -31,6 +31,7 @@ static CURL *curl_default;
 char curl_errorstr[CURL_ERROR_SIZE];
 
 static int curl_ssl_verify = -1;
+static int curl_ssl_try;
 static const char *ssl_cert;
 #if LIBCURL_VERSION_NUM >= 0x070903
 static const char *ssl_key;
@@ -163,6 +164,10 @@ static int http_options(const char *var, const char *value, void *cb)
 			ssl_cert_password_required = 1;
 		return 0;
 	}
+	if (!strcmp("http.ssltry", var)) {
+		curl_ssl_try = git_config_bool(var, value);
+		return 0;
+	}
 	if (!strcmp("http.minsessions", var)) {
 		min_curl_sessions = git_config_int(var, value);
 #ifndef USE_CURL_MULTI
@@ -307,6 +312,11 @@ static CURL *get_curl_handle(void)
 	if (curl_ftp_no_epsv)
 		curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
 
+#ifdef CURLOPT_USE_SSL
+	if (curl_ssl_try)
+		curl_easy_setopt(result, CURLOPT_USE_SSL, CURLUSESSL_TRY);
+#endif
+
 	if (curl_http_proxy) {
 		curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
 		curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
diff --git a/http.h b/http.h
index 25d1931..097514d 100644
--- a/http.h
+++ b/http.h
@@ -42,6 +42,15 @@
 #define NO_CURL_IOCTL
 #endif
 
+/*
+ * CURLOPT_USE_SSL was known as CURLOPT_FTP_SSL up to 7.16.4,
+ * and the constants were known as CURLFTPSSL_*
+*/
+#if !defined(CURLOPT_USE_SSL) && defined(CURLOPT_FTP_SSL)
+#define CURLOPT_USE_SSL CURLOPT_FTP_SSL
+#define CURLUSESSL_TRY CURLFTPSSL_TRY
+#endif
+
 struct slot_results {
 	CURLcode curl_result;
 	long http_code;
-- 
1.7.10.4



-- 
Modestas Vainius <modestas@vainius.eu>