From: Mark Lodato <lodatom@gmail.com>
To: Karsten Weiss <knweiss@gmx.de>
Cc: Junio C Hamano <gitster@pobox.com>,
git@vger.kernel.org, Daniel Stenberg <daniel@haxx.se>
Subject: Re: [PATCH 2/2] http.c: add http.sslCertType and http.sslKeyType
Date: Mon, 15 Jun 2009 20:55:10 -0400 [thread overview]
Message-ID: <ca433830906151755t783fbf98k3fd09e4bdd6781e8@mail.gmail.com> (raw)
In-Reply-To: <alpine.OSX.2.00.0906151927010.816@xor.localnet>
On Mon, Jun 15, 2009 at 1:43 PM, Karsten Weiss<knweiss@gmx.de> wrote:
> Hi Mark!
>
> On Sun, 14 Jun 2009, Mark Lodato wrote:
>
>> Add two new configuration variables, http.sslCertType and
>> http.sslKeyType, which tell libcurl the filetype for the SSL client
>> certificate and private key, respectively. The main benefit is to allow
>> PKCS12 certificates for users with libcurl >= 7.13.0.
>
> This is interesting. Thanks for working on that!
>
> (However, it's a similar issue like the question whether the private key is
> encrypted or not: Usability would be better if the certificate type could be
> determined automatically (without having to violate the layering)).
Just as with determining if the certificate is password protected, it
is equally difficult to tell what type of file it is without calling
OpenSSL directly.
This brings up a good point: Should we (I) try to implement (client
certificate) usability features in git to work around deficiencies in
libcurl, or should we (I) write patches to fix/enhance libcurl
directly? The latter would be much easier (though I could be wrong)
and would benefit other programs using libcurl, but would require
users to upgrade libcurl to get these new features, and of course
would rely on the libcurl developers accepting the patches. I am
willing to do either, but I think the libcurl route would be better.
Any thoughts?
Anyway, to implement this in git, the algorithm would be something like:
for password in [None, "", prompt()]:
for type in ["PEM", "DER", (if libcurl >= 7.13.0) "P12"]:
try to make a connection with password and type
if not certificate error:
return success
else:
return failure
This is much more difficult than it may at first appear. I'm sure it
can be done, but it will take a while to get it right.
Mark
next prev parent reply other threads:[~2009-06-16 1:02 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-15 2:39 [PATCH 1/2] http.c: fix compiling with libcurl 7.9.2 Mark Lodato
2009-06-15 2:39 ` [PATCH 2/2] http.c: add http.sslCertType and http.sslKeyType Mark Lodato
2009-06-15 17:43 ` Karsten Weiss
2009-06-16 0:55 ` Mark Lodato [this message]
2009-06-16 5:56 ` Junio C Hamano
2009-06-16 6:47 ` Junio C Hamano
2009-06-16 20:07 ` Karsten Weiss
2009-06-16 0:56 ` Mark Lodato
2009-06-15 4:35 ` [PATCH 1/2] http.c: fix compiling with libcurl 7.9.2 Junio C Hamano
2009-06-15 12:55 ` Tay Ray Chuan
2009-06-18 16:26 ` Mike Ralphson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ca433830906151755t783fbf98k3fd09e4bdd6781e8@mail.gmail.com \
--to=lodatom@gmail.com \
--cc=daniel@haxx.se \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=knweiss@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).