* Re: [PATCH] docs: indicate http.sslCertType and sslKeyType
From: brian m. carlson @ 2025-01-23 0:34 UTC (permalink / raw)
To: Andrew Carter via GitGitGadget; +Cc: git, Andrew Carter
On 2025-01-23 at 00:16:06, Andrew Carter via GitGitGadget wrote:
> diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt
> index a14371b5c96..cd39e182527 100644
> --- a/Documentation/config/http.txt
> +++ b/Documentation/config/http.txt
> @@ -216,6 +216,18 @@ http.sslBackend::
> This option is ignored if cURL lacks support for choosing the SSL
> backend at runtime.
>
> +http.sslCertType::
> + Type of client certificate used when fetching or pushing over HTTPS.
> + (e.g. "PEM", "DER", or "P12"). See also libcurl `CURLOPT_SSLCERTTYPE`
> + Can be overridden by the `GIT_SSL_CERT_TYPE` environment variable.
> +
> +http.sslKeyType::
> + Type of client private key used when fetching or pushing over HTTPS.
> + (e.g. "PEM", "DER", or "ENG"). Particularly useful when set to "ENG"
> + for authenticating with PKCS#11 tokens. See also libcurl
> + `CURLOPT_SSLCERTTYPE` . Can be overridden by the `GIT_SSL_KEY_TYPE`
> + environment variable.
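Review bot: the `http.sslKeyType` entry cites the wrong libcurl option. "See also libcurl `CURLOPT_SSLCERTTYPE`" names the certificate-type option that the `http.sslCertType` entry already cites; the private-key type corresponds to `CURLOPT_SSLKEYTYPE` (the curl.se page for that option is the one cited further down this thread). Two smaller nits in the same hunk: in the `http.sslCertType` entry, "See also libcurl `CURLOPT_SSLCERTTYPE`" has no full stop before "Can be overridden", and in both entries the parenthetical "(e.g. "PEM", "DER", or "P12")" follows a full stop as a sentence of its own; attach it to the sentence it qualifies, e.g. `Type of client certificate used when fetching or pushing over HTTPS (e.g. "PEM", "DER", or "P12").`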
Are there any particular limitations on these values that are platform-
or backend-specific that we should document? For instance, I seem to
recall that at some point PKCS#12 files were limited to schannel or
Windows, although I could be mistaken.
Do we also have documentation for whatever engine parameter is required
according to the libcurl documentation?
--
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA
* Re: [PATCH] docs: indicate http.sslCertType and sslKeyType
From: Junio C Hamano @ 2025-01-23 17:43 UTC (permalink / raw)
To: brian m. carlson; +Cc: Andrew Carter via GitGitGadget, git, Andrew Carter
"brian m. carlson" <sandals@crustytoothpaste.net> writes:
> On 2025-01-23 at 00:16:06, Andrew Carter via GitGitGadget wrote:
>> diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt
>> index a14371b5c96..cd39e182527 100644
>> --- a/Documentation/config/http.txt
>> +++ b/Documentation/config/http.txt
>> @@ -216,6 +216,18 @@ http.sslBackend::
>> This option is ignored if cURL lacks support for choosing the SSL
>> backend at runtime.
>>
>> +http.sslCertType::
>> + Type of client certificate used when fetching or pushing over HTTPS.
>> + (e.g. "PEM", "DER", or "P12"). See also libcurl `CURLOPT_SSLCERTTYPE`
>> + Can be overridden by the `GIT_SSL_CERT_TYPE` environment variable.
>> +
>> +http.sslKeyType::
>> + Type of client private key used when fetching or pushing over HTTPS.
>> + (e.g. "PEM", "DER", or "ENG"). Particularly useful when set to "ENG"
>> + for authenticating with PKCS#11 tokens. See also libcurl
>> + `CURLOPT_SSLCERTTYPE` . Can be overridden by the `GIT_SSL_KEY_TYPE`
>> + environment variable.
>
> Are there any particular limitations on these values that are platform-
> or backend-specific that we should document? For instance, I seem to
> recall that at some point PKCS#12 files were limited to schannel or
> Windows, although I could be mistaken.
>
> Do we also have documentation for whatever engine parameter is required
> according to the libcurl documentation?
Both are very good points.
I went back to the original thread that added the change cited in
the proposed log message [*1*], hoping that maybe somebody brought
up caveats but didn't find anything relevant other than that we
punted to add tests for this since it was too cumbersome to set up.
Note to Andrew, when referring to an existing commit in your
proposed log message, please do not just write its abbreviated
commit object name, like 0a01d41e.
Instead, use it in "git show -s --format=reference 0a01d41e" to
obtain something like
0a01d41ee4 (http: add support for different sslcert and sslkey
types., 2023-03-20)
that would help people to immediately see what the change was about
and how old it was.
Thanks.
[Reference]
*1* https://lore.kernel.org/git/pull.1474.v2.git.git.1679327330032.gitgitgadget@gmail.com/
* Re: [PATCH] docs: indicate http.sslCertType and sslKeyType
From: Andrew Carter @ 2025-01-25 6:38 UTC (permalink / raw)
To: Junio C Hamano, brian m. carlson; +Cc: git
On 1/23/25 11:43 AM, Junio C Hamano wrote:
> "brian m. carlson" <sandals@crustytoothpaste.net> writes:
>
>> On 2025-01-23 at 00:16:06, Andrew Carter via GitGitGadget wrote:
>>> diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt
>>> index a14371b5c96..cd39e182527 100644
>>> --- a/Documentation/config/http.txt
>>> +++ b/Documentation/config/http.txt
>>> @@ -216,6 +216,18 @@ http.sslBackend::
>>> This option is ignored if cURL lacks support for choosing the SSL
>>> backend at runtime.
>>>
>>> +http.sslCertType::
>>> + Type of client certificate used when fetching or pushing over HTTPS.
>>> + (e.g. "PEM", "DER", or "P12"). See also libcurl `CURLOPT_SSLCERTTYPE`
>>> + Can be overridden by the `GIT_SSL_CERT_TYPE` environment variable.
>>> +
>>> +http.sslKeyType::
>>> + Type of client private key used when fetching or pushing over HTTPS.
>>> + (e.g. "PEM", "DER", or "ENG"). Particularly useful when set to "ENG"
>>> + for authenticating with PKCS#11 tokens. See also libcurl
>>> + `CURLOPT_SSLCERTTYPE` . Can be overridden by the `GIT_SSL_KEY_TYPE`
>>> + environment variable.
>> Are there any particular limitations on these values that are platform-
>> or backend-specific that we should document? For instance, I seem to
>> recall that at some point PKCS#12 files were limited to schannel or
>> Windows, although I could be mistaken.
>>
>> Do we also have documentation for whatever engine parameter is required
>> according to the libcurl documentation?
> Both are very good points.
>
> I went back to the original thread that added the change cited in
> the proposed log message [*1*], hoping that maybe somebody brought
> up caveats but didn't find anything relevant other than that we
> punted to add tests for this since it was too cumbersome to set up.
>
> Note to Andrew, when referring to an existing commit in your
> proposed log message, please do not just write its abbreviated
> commit object name, like 0a01d41e.
>
> Instead, use it in "git show -s --format=reference 0a01d41e" to
> obtain something like
>
> 0a01d41ee4 (http: add support for different sslcert and sslkey
> types., 2023-03-20)
>
> that would help people to immediately see what the change was about
> and how old it was.
>
> Thanks.
>
>
> [Reference]
>
> *1* https://lore.kernel.org/git/pull.1474.v2.git.git.1679327330032.gitgitgadget@gmail.com/
Thanks for the rapid feedback!
I was leaning away from including too many libcurl-specific details in
my original patch, but I see I went too far, and these options are
misleading or at least hard to decipher from my initial patch.
As you mentioned, per the curl documentation [1] the supported values
are fairly backend-specific.
Git doesn't currently expose the openssl "engine" option. Because the
default engine in openssl is "dynamic", in my use case, just setting the
SSLKEYTYPE to "ENG" and using a PKCS#11 url in the sslKey field works. I
can make a patch to introduce the option if that's desired.
I have something written up that includes backend caveats, and I will
submit another patch this weekend.
Thanks for the correction on the commit reference. Please
correct/forgive any list etiquette mistakes.
-AC
1. https://curl.se/libcurl/c/CURLOPT_SSLKEYTYPE.html
https://curl.se/libcurl/c/CURLOPT_SSLCERTTYPE.html
* [PATCH v2] docs: indicate http.sslCertType and sslKeyType
From: Andrew Carter @ 2025-01-30 13:18 UTC (permalink / raw)
To: git, brian m. carlson, Junio C Hamano
0a01d41ee4 (http: add support for different sslcert and sslkey types.,
2023-03-20) added useful SSL config options, but did not document them.
Signed-off-by: Andrew Carter <andrew@emailcarter.com>
---
Documentation/config/http.txt | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt
index a14371b5c9..38e874307b 100644
--- a/Documentation/config/http.txt
+++ b/Documentation/config/http.txt
@@ -216,6 +216,21 @@ http.sslBackend::
This option is ignored if cURL lacks support for choosing the SSL
backend at runtime.
+http.sslCertType::
+ Type of client certificate used when fetching or pushing over HTTPS.
+ "PEM", "DER" are supported when using openssl or gnutls backends. "P12"
+ is supported on "openssl", "schannel", "securetransport", and
gnutls 8.11+.
+ See also libcurl `CURLOPT_SSLCERTTYPE`. Can be overridden by the
+ `GIT_SSL_CERT_TYPE` environment variable.
+
+http.sslKeyType::
+ Type of client private key used when fetching or pushing over
HTTPS. (e.g.
+ "PEM", "DER", or "ENG"). Only applicable when using "openssl"
backend. "DER"
+ is not supported with openssl. Particularly useful when set to
"ENG" for
+ authenticating with PKCS#11 tokens, with a PKCS#11 URL in sslCert
option.
+ See also libcurl `CURLOPT_SSLCERTTYPE`. Can be overridden by the
+ `GIT_SSL_KEY_TYPE` environment variable.
+
http.schannelCheckRevoke::
Used to enforce or disable certificate revocation checks in cURL
when http.sslBackend is set to "schannel". Defaults to `true` if
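Review bot: this hunk cannot be applied as posted. The lines `gnutls 8.11+.`, `HTTPS. (e.g.`, `backend. "DER"`, `"ENG" for` and `option.` carry no leading `+` or space, so they are continuation fragments of the preceding `+` lines that the mail client rewrapped rather than patch lines, and `git am` rejects the patch at the first of them (the "corrupt patch at line 10" in the reply below); resend the patch unwrapped, with git send-email or a client configured not to reflow long lines. One content point to fix in the resend: the `http.sslKeyType` entry still says "See also libcurl `CURLOPT_SSLCERTTYPE`", where the key type maps to `CURLOPT_SSLKEYTYPE`.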
--
2.39.5 (Apple Git-154)
* Re: [PATCH v2] docs: indicate http.sslCertType and sslKeyType
From: Junio C Hamano @ 2025-01-30 22:22 UTC (permalink / raw)
To: Andrew Carter; +Cc: git, brian m. carlson
Andrew Carter <andrew@emailcarter.com> writes:
> 0a01d41ee4 (http: add support for different sslcert and sslkey types.,
> 2023-03-20) added useful SSL config options, but did not document them.
>
> Signed-off-by: Andrew Carter <andrew@emailcarter.com>
> ---
> Documentation/config/http.txt | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
warning: Patch sent with format=flowed; space at the end of lines might be lost.
error: corrupt patch at line 10
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Applying: docs: indicate http.sslCertType and sslKeyType
Patch failed at 0001 docs: indicate http.sslCertType and sslKeyType
I thought that the initial iteration I received from you on Jan 23rd
was just fine. Did you change some settings with your MUA? The patch
is heavily whitespace damaged, with full of .
> diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt
> index a14371b5c9..38e874307b 100644
> --- a/Documentation/config/http.txt
> +++ b/Documentation/config/http.txt
> @@ -216,6 +216,21 @@ http.sslBackend::
> This option is ignored if cURL lacks support for choosing the SSL
> backend at runtime.
>
> +http.sslCertType::
> + Type of client certificate used when fetching or pushing over HTTPS.
> + "PEM", "DER" are supported when using openssl or gnutls backends. "P12"
> + is supported on "openssl", "schannel", "securetransport", and
> gnutls 8.11+.
> + See also libcurl `CURLOPT_SSLCERTTYPE`. Can be overridden by the
> + `GIT_SSL_CERT_TYPE` environment variable.
> +
> +http.sslKeyType::
> + Type of client private key used when fetching or pushing over
> HTTPS. (e.g.
> + "PEM", "DER", or "ENG"). Only applicable when using "openssl"
> backend. "DER"
> + is not supported with openssl. Particularly useful when set to
> "ENG" for
> + authenticating with PKCS#11 tokens, with a PKCS#11 URL in sslCert
> option.
> + See also libcurl `CURLOPT_SSLCERTTYPE`. Can be overridden by the
> + `GIT_SSL_KEY_TYPE` environment variable.
> +
> http.schannelCheckRevoke::
> Used to enforce or disable certificate revocation checks in cURL
> when http.sslBackend is set to "schannel". Defaults to `true` if
* Re: [PATCH v2] docs: indicate http.sslCertType and sslKeyType
From: Andrew Carter @ 2025-02-05 5:46 UTC (permalink / raw)
To: Junio C Hamano; +Cc: git, brian m. carlson
On 1/30/25 4:22 PM, Junio C Hamano wrote:
> Andrew Carter <andrew@emailcarter.com> writes:
>
>> 0a01d41ee4 (http: add support for different sslcert and sslkey types.,
>> 2023-03-20) added useful SSL config options, but did not document them.
>>
>> Signed-off-by: Andrew Carter <andrew@emailcarter.com>
>> ---
>> Documentation/config/http.txt | 15 +++++++++++++++
>> 1 file changed, 15 insertions(+)
> warning: Patch sent with format=flowed; space at the end of lines might be lost.
> error: corrupt patch at line 10
> hint: Use 'git am --show-current-patch=diff' to see the failed patch
> hint: When you have resolved this problem, run "git am --continue".
> hint: If you prefer to skip this patch, run "git am --skip" instead.
> hint: To restore the original branch and stop patching, run "git am --abort".
> hint: Disable this message with "git config set advice.mergeConflict false"
> Applying: docs: indicate http.sslCertType and sslKeyType
> Patch failed at 0001 docs: indicate http.sslCertType and sslKeyType
>
> I thought that the initial iteration I received from you on Jan 23rd
> was just fine. Did you change some settings with your MUA? The patch
> is heavily whitespace damaged, with full of .
>
>
>> diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt
>> index a14371b5c9..38e874307b 100644
>> --- a/Documentation/config/http.txt
>> +++ b/Documentation/config/http.txt
>> @@ -216,6 +216,21 @@ http.sslBackend::
>> This option is ignored if cURL lacks support for choosing the SSL
>> backend at runtime.
>>
>> +http.sslCertType::
>> + Type of client certificate used when fetching or pushing over HTTPS.
>> + "PEM", "DER" are supported when using openssl or gnutls backends. "P12"
>> + is supported on "openssl", "schannel", "securetransport", and
>> gnutls 8.11+.
>> + See also libcurl `CURLOPT_SSLCERTTYPE`. Can be overridden by the
>> + `GIT_SSL_CERT_TYPE` environment variable.
>> +
>> +http.sslKeyType::
>> + Type of client private key used when fetching or pushing over
>> HTTPS. (e.g.
>> + "PEM", "DER", or "ENG"). Only applicable when using "openssl"
>> backend. "DER"
>> + is not supported with openssl. Particularly useful when set to
>> "ENG" for
>> + authenticating with PKCS#11 tokens, with a PKCS#11 URL in sslCert
>> option.
>> + See also libcurl `CURLOPT_SSLCERTTYPE`. Can be overridden by the
>> + `GIT_SSL_KEY_TYPE` environment variable.
>> +
>> http.schannelCheckRevoke::
>> Used to enforce or disable certificate revocation checks in cURL
>> when http.sslBackend is set to "schannel". Defaults to `true` if
Sorry for the inconvenience, and thanks for your patience.
The original message was composed by GitGitGadget. I pasted the v2 patch
into Thunderbird initially, which clearly failed.
I sent a new v2 patch using git send-email, and at a glance it looks
unbroken.
If further changes are needed I can get an updated patch to you with a
faster turnaround now.
-AC
* Re: [PATCH v2] docs: indicate http.sslCertType and sslKeyType
From: Junio C Hamano @ 2025-02-05 17:45 UTC (permalink / raw)
To: Andrew Carter; +Cc: git, brian m. carlson
Andrew Carter <andrew@emailcarter.com> writes:
> On 1/30/25 4:22 PM, Junio C Hamano wrote:
>
>> I thought that the initial iteration I received from you on Jan 23rd
>> was just fine. Did you change some settings with your MUA? The patch
>> is heavily whitespace damaged, with full of .
> ...
> Sorry for the inconvenience, and thanks for your patience.
>
> The original message was composed by GitGitGadget. I pasted the v2
> patch into Thunderbird initially, which clearly failed.
>
> I sent a new v2 patch using git send-email, and at a glance it looks
> unbroken.
>
> If further changes are needed I can get an updated patch to you with a
> faster turnaround now.
Thanks for your patience, too.
E-mailed patch workflow is easy for automation, once set up
correctly, but there is a certain entry cost.
Queued. Let's mark it for 'next'.
* [PATCH v2] docs: indicate http.sslCertType and sslKeyType
From: Andrew Carter @ 2025-02-05 5:38 UTC (permalink / raw)
To: git; +Cc: Junio C Hamano, brian m. carlson, Andrew Carter
0a01d41ee4 (http: add support for different sslcert and sslkey types.,
2023-03-20) added useful SSL config options, but did not document them.
Signed-off-by: Andrew Carter <andrew@emailcarter.com>
---
Documentation/config/http.txt | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt
index a14371b5c9..22a8803dea 100644
--- a/Documentation/config/http.txt
+++ b/Documentation/config/http.txt
@@ -216,6 +216,21 @@ http.sslBackend::
This option is ignored if cURL lacks support for choosing the SSL
backend at runtime.
+http.sslCertType::
+ Type of client certificate used when fetching or pushing over HTTPS.
+ "PEM", "DER" are supported when using openssl or gnutls backends. "P12"
+ is supported on "openssl", "schannel", "securetransport", and gnutls 8.11+.
+ See also libcurl `CURLOPT_SSLCERTTYPE`. Can be overridden by the
+ `GIT_SSL_CERT_TYPE` environment variable.
+
+http.sslKeyType::
+ Type of client private key used when fetching or pushing over HTTPS. (e.g.
+ "PEM", "DER", or "ENG"). Only applicable when using "openssl" backend. "DER"
+ is not supported with openssl. Particularly useful when set to "ENG" for
+ authenticating with PKCS#11 tokens, with a PKCS#11 URL in sslCert option.
+ See also libcurl `CURLOPT_SSLKEYTYPE`. Can be overridden by the
+ `GIT_SSL_KEY_TYPE` environment variable.
+
http.schannelCheckRevoke::
Used to enforce or disable certificate revocation checks in cURL
when http.sslBackend is set to "schannel". Defaults to `true` if
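Review bot: the `http.sslKeyType` entry contradicts itself on "DER": it is listed as an example value, and the next two sentences say "Only applicable when using "openssl" backend" and ""DER" is not supported with openssl", so as written no backend accepts a DER key; either drop "DER" from the examples or name the backend that does accept it. The PKCS#11 sentence says the URL goes "in sslCert option", whereas the earlier reply in this thread describes the working setup as "a PKCS#11 url in the sslKey field"; the two should agree, since with "ENG" it is the private key that the engine supplies. Smaller points: "PEM", "DER" are supported` reads better as `"PEM" and "DER" are supported`; "(e.g." again follows a full stop as its own sentence in the `http.sslKeyType` entry; and "gnutls 8.11+" is ambiguous between a GnuTLS version and a libcurl version, so spell out which is meant.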
--
2.39.5 (Apple Git-154)
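Added example, not part of the patch or of git itself: a POSIX shell check that applies the backend caveats documented in the v2 hunk above ("PEM" and "DER" certificates on the openssl and gnutls backends, "P12" additionally on schannel and securetransport, key types honoured only by openssl with "DER" excluded) to a `http.sslBackend` / `http.sslCertType` / `http.sslKeyType` triple before the configuration is used for a fetch or push. Following Andrew's note earlier in the thread that his PKCS#11 setup sets the key type to "ENG" and puts the PKCS#11 URL in `http.sslKey`, it also warns when "ENG" is combined with a key value that is not a `pkcs11:` URI. The function names, the `--git` entry point, the assumption that an unset backend means openssl, and the sample values in the usage note are mine, not git's.

```shell
#!/bin/sh
# Added example (not from the git patch or the git project): validate a
# http.sslBackend / http.sslCertType / http.sslKeyType combination against
# the backend caveats documented for these options, so an unsupported
# combination is caught before libcurl fails the TLS handshake opaquely.

# check_ssl_types BACKEND CERTTYPE KEYTYPE [SSLKEY]
# Prints one line per problem and returns 0 when every value is documented
# as supported for BACKEND, 1 otherwise. An empty CERTTYPE or KEYTYPE means
# "not configured" (libcurl then assumes PEM) and is accepted.
check_ssl_types() {
    # libcurl compares the type names case-insensitively; normalise so that
    # "pem" and "PEM" are treated alike, and backend names as lower-case.
    be=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ct=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    kt=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    key=$4
    rc=0

    case "$ct" in
        "") ;;
        PEM|DER)
            case "$be" in
                openssl|gnutls) ;;
                *) echo "http.sslCertType=$ct: documented only for the openssl and gnutls backends (have '$be')"; rc=1 ;;
            esac ;;
        P12)
            case "$be" in
                openssl|schannel|securetransport) ;;
                gnutls) echo "http.sslCertType=P12 with gnutls: documented as needing 8.11+; verify the installed version" ;;
                *) echo "http.sslCertType=P12: not documented for backend '$be'"; rc=1 ;;
            esac ;;
        *) echo "http.sslCertType='$ct': not a documented value (PEM, DER, P12)"; rc=1 ;;
    esac

    case "$kt" in
        "") ;;
        PEM|ENG)
            if [ "$be" != openssl ]; then
                echo "http.sslKeyType=$kt: only applicable with the openssl backend (have '$be')"; rc=1
            fi ;;
        DER)
            echo "http.sslKeyType=DER: documented as not supported with openssl, and no other backend honours the option"; rc=1 ;;
        *) echo "http.sslKeyType='$kt': not a documented value (PEM, DER, ENG)"; rc=1 ;;
    esac

    # With ENG the key is loaded through an OpenSSL engine; the PKCS#11 use
    # case in the thread points http.sslKey at a pkcs11: URI (RFC 7512), so
    # anything else is flagged as worth a second look (warning only).
    if [ "$kt" = ENG ] && [ -n "$key" ]; then
        case "$key" in
            pkcs11:*) ;;
            *) echo "note: http.sslKeyType=ENG but http.sslKey='$key' is not a pkcs11: URI" ;;
        esac
    fi
    return $rc
}

# check_git_ssl_config: read the effective values from git config and
# validate them. An unset http.sslBackend is taken to mean openssl
# (an assumption made by this example, not something git states).
check_git_ssl_config() {
    check_ssl_types \
        "$(git config --get http.sslBackend 2>/dev/null || echo openssl)" \
        "$(git config --get http.sslCertType 2>/dev/null)" \
        "$(git config --get http.sslKeyType 2>/dev/null)" \
        "$(git config --get http.sslKey 2>/dev/null)"
}

# Entry point: explicit values as arguments, or --git for the repository's
# effective configuration. With no arguments only the functions are defined.
case $# in
    0) ;;
    1) [ "$1" = --git ] && check_git_ssl_config ;;
    *) check_ssl_types "$@" ;;
esac
```

Run it as `sh check_ssl_types.sh openssl P12 ENG 'pkcs11:token=mytoken;object=gitkey'` (constructed sample values) to check explicit settings, or as `sh check_ssl_types.sh --git` inside a repository to check the effective configuration; a nonzero exit status means at least one documented caveat is violated, and the printed lines say which.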