SChannel support in Git for Windows

SChannel support in Git for Windows

[Robert Labrie]

I googled for this and couldn't find anything, as best as I can tell,
it's not a thing.

Increasingly, network admins (including mine) think it's appropriate
to intercept TLS handshakes on the firewall, and present the calling
application with a self-signed cert for the requested domain (ie
github.com). On Linux, this can be sorted out by putting the internal
issuing CAs root cert in /etc/certs (or somesuch) and on windows, by
importing it into the "Trusted Publishers" certificate store. The
challenge comes from apps using OpenSSL on Windows, which doesn't have
/etc and doesn't support the windows certificate store.

Presently, I'm using this procedure:
http://stackoverflow.com/questions/9072376/configure-git-to-accept-a-particular-self-signed-server-certificate-for-a-partic

But it would be more awesome if git just supported schannel on
Windows. I think cURL does already.

Sorry in advance if I didn't Google hard enough for this.

Thanks,
Rob

Re: SChannel support in Git for Windows

[Daniel Stenberg]

On Fri, 15 Jan 2016, Robert Labrie wrote:

> But it would be more awesome if git just supported schannel on Windows. I 
> think cURL does already.

curl does indeed support schannel.

-- 

  / daniel.haxx.se

Re: SChannel support in Git for Windows

[Johannes Schindelin]

Hi Robert,

On Fri, 15 Jan 2016, Robert Labrie wrote:

> Increasingly, network admins (including mine) think it's appropriate
> to intercept TLS handshakes on the firewall, and present the calling
> application with a self-signed cert for the requested domain (ie
> github.com). On Linux, this can be sorted out by putting the internal
> issuing CAs root cert in /etc/certs (or somesuch) and on windows, by
> importing it into the "Trusted Publishers" certificate store. The
> challenge comes from apps using OpenSSL on Windows, which doesn't have
> /etc and doesn't support the windows certificate store.

OpenSSL on Windows has no `/etc`, but Git does offer a way to provide your
own certificates, via the http.sslCAInfo setting.

Furthermore, you can rebuild cURL with support for WinHTTP (which accesses
the Windows Certificate Store). Since this is a compile time switch, we do
not support that with Git for Windows (until the day when cURL can be
built with WinHTTP *and* OpenSSL support and configured via a switch to
use one or the other).

> Presently, I'm using this procedure:
> http://stackoverflow.com/questions/9072376/configure-git-to-accept-a-particular-self-signed-server-certificate-for-a-partic

It may be a good idea to summarize it here (I would consider that good
form).

Ciao,
Johannes

Re: SChannel support in Git for Windows

[Konstantin Khomoutov]

On Fri, 15 Jan 2016 10:04:17 -0500
Robert Labrie <robert.labrie@gmail.com> wrote:

[...]
> But it would be more awesome if git just supported schannel on
> Windows. I think cURL does already.

On the one hand, yes -- that would mean tighter integration into the
system which is a good thing from the administrative standpoint.

On the other hand, IIUC, this artifically limits the capabilities of
Git to whatever set of features the schannel implementation in a
particular version of Windows supports.  As a glaring example, support
for TLS 1.1 and TLS 1.2 had never made it into Windows XP (and
supposedly Windows Server 2003, though I may be wrong) despite its
serious entrenchment.  Among other things, that included IE (6, then 7,
then 8).  I do understand the reasons MS validly has for its push on its
customers for upgrades, but ubiquitous OSes nearing their EOL become
prone to lacking of certain features in their stacks.  This well might
be true for Windows 7 some 5 years down the road or so: from where I
sit, it looks like corporate users have zero reasons to upgrade to 10.

Hence ideally there would be some switch which would make libCURL pick
the implementation at runtime.  But I'm afraid it's hardly doable.

Re: SChannel support in Git for Windows

[Robert Labrie]

You are correct, SChannel in NT 5.x is limited, but all those versions
are officially out of support.

When you're part of a Windows ecosystem, those root certs get pushed
into the local store by a GPO (usually), and you don't have to think
about it. That's the only reason I'm pushing.

Sounds like libcurl can't make it a run time consideration, and git
(understandably) doesn't want to worry about SChannel limitations in
very old versions of Windows.

Does git use libcurl for everything? I wonder if I could just drop my
own libraries with WinHTTP support?

On Fri, Jan 15, 2016 at 10:59 AM, Konstantin Khomoutov
<kostix+git@007spb.ru> wrote:
> On Fri, 15 Jan 2016 10:04:17 -0500
> Robert Labrie <robert.labrie@gmail.com> wrote:
>
> [...]
>> But it would be more awesome if git just supported schannel on
>> Windows. I think cURL does already.
>
> On the one hand, yes -- that would mean tighter integration into the
> system which is a good thing from the administrative standpoint.
>
> On the other hand, IIUC, this artifically limits the capabilities of
> Git to whatever set of features the schannel implementation in a
> particular version of Windows supports.  As a glaring example, support
> for TLS 1.1 and TLS 1.2 had never made it into Windows XP (and
> supposedly Windows Server 2003, though I may be wrong) despite its
> serious entrenchment.  Among other things, that included IE (6, then 7,
> then 8).  I do understand the reasons MS validly has for its push on its
> customers for upgrades, but ubiquitous OSes nearing their EOL become
> prone to lacking of certain features in their stacks.  This well might
> be true for Windows 7 some 5 years down the road or so: from where I
> sit, it looks like corporate users have zero reasons to upgrade to 10.
>
> Hence ideally there would be some switch which would make libCURL pick
> the implementation at runtime.  But I'm afraid it's hardly doable.

Re: SChannel support in Git for Windows

[Konstantin Khomoutov]

On Fri, 15 Jan 2016 11:11:58 -0500
Robert Labrie <robert.labrie@gmail.com> wrote:

> You are correct, SChannel in NT 5.x is limited, but all those versions
> are officially out of support.
> 
> When you're part of a Windows ecosystem, those root certs get pushed
> into the local store by a GPO (usually), and you don't have to think
> about it. That's the only reason I'm pushing.
> 
> Sounds like libcurl can't make it a run time consideration, and git
> (understandably) doesn't want to worry about SChannel limitations in
> very old versions of Windows.
> 
> Does git use libcurl for everything? I wonder if I could just drop my
> own libraries with WinHTTP support?

I'd say you could fork the Git for Windows's SDK [1], hack it to build
curl with the configuration you need and then create your own
installer.  You'll need to rebase your patch each time a new GfW
release will come out, but the patch should be small enough IMO.

1. https://github.com/git-for-windows/build-extra/releases/latest