From: Junio C Hamano <gitster@pobox.com>
To: Mike Hommey <mh@glandium.org>
Cc: git@vger.kernel.org, gitster@pobox.com
Subject: Re: [PATCH] Don't verify host name in SSL certs when GIT_SSL_NO_VERIFY is set
Date: Thu, 21 Feb 2008 15:10:37 -0800 [thread overview]
Message-ID: <7vd4qpsy6q.fsf@gitster.siamese.dyndns.org> (raw)
In-Reply-To: <1203621790-1415-1-git-send-email-mh@glandium.org> (Mike Hommey's message of "Thu, 21 Feb 2008 20:23:10 +0100")
Mike Hommey <mh@glandium.org> writes:
> Signed-off-by: Mike Hommey <mh@glandium.org>
> ---
> http.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/http.c b/http.c
> index 5925d07..519621a 100644
> --- a/http.c
> +++ b/http.c
> @@ -177,6 +177,7 @@ static CURL* get_curl_handle(void)
> CURL* result = curl_easy_init();
>
> curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, curl_ssl_verify);
> + curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, curl_ssl_verify * 2);
> #if LIBCURL_VERSION_NUM >= 0x070907
> curl_easy_setopt(result, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
> #endif
Is it just me who finds that "* 2" is extremely magical?
diff --git a/http.c b/http.c
index 5925d07..8dce820 100644
--- a/http.c
+++ b/http.c
@@ -176,7 +176,16 @@ static CURL* get_curl_handle(void)
{
CURL* result = curl_easy_init();
- curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, curl_ssl_verify);
+ if (!curl_ssl_verify) {
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 0);
+ } else {
+ /* Verify authenticity of the peer's certificate */
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 1);
+ /* The name in the cert must match whom we tried to connect */
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 2);
+ }
+
#if LIBCURL_VERSION_NUM >= 0x070907
curl_easy_setopt(result, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
#endif
next prev parent reply other threads:[~2008-02-21 23:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-20 23:35 GIT_SSL_NO_VERIFY=1 over http doesn't ignore a different ip address for the signed certificate Anatoly Yakovenko
2008-02-21 6:42 ` Mike Hommey
2008-02-21 18:57 ` Anatoly Yakovenko
2008-02-21 19:04 ` Daniel Stenberg
2008-02-21 19:23 ` [PATCH] Don't verify host name in SSL certs when GIT_SSL_NO_VERIFY is set Mike Hommey
2008-02-21 23:10 ` Junio C Hamano [this message]
2008-02-21 19:09 ` GIT_SSL_NO_VERIFY=1 over http doesn't ignore a different ip address for the signed certificate Mike Hommey
2008-02-22 1:27 ` Anatoly Yakovenko
2008-02-22 10:53 ` Daniel Stenberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7vd4qpsy6q.fsf@gitster.siamese.dyndns.org \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=mh@glandium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).