Re: [msysGit] Using the Windows trusted root certification authorities with Git for Windows


Pat Thoyts

May 21, 2013, 6:19:38 PM
to fabian....@gmail.com, msysGit
We include a bundle of certificates in bin/curl-ca-bundle.crt for use
with curl/openssl so appending additional certificates to that might
be one solution. The other is to rebuild git with libcurl built to use
winssl instead of openssl. Reversing commit 3a9151c will achieve that.
You would need to run the src/curl/release.sh script and then rebuild
git to ensure it is all linked up correctly. Using winssl should then
use the builtin certificate store but I found problems when global
internet access was unavailable in cloning from local repositories via
http hence the reversion to using openssl in msysGit.

On 21 May 2013 14:43, <fabian....@gmail.com> wrote:
> Hi,
>
> When accessing a remote repository via HTTPS and the HTTPS server uses a
> self-signed certificate, it seems to be necessary to put the signing CA's
> certificate into a file and configure the http.sslcainfo property to point
> to that file. This is a bit of a hassle if you need to support multiple CAs
> on a single system, or when you have multiple people trying to clone from
> the same server (they all need to change their http.sslcainfo property).
>
> Since Windows already manages a list of trusted root certificates
> (configured via certmgr.msc), is it possible to get Git for Windows to
> accept certificates signed by these CAs?
>
> Best regards,
> Fabian
>

Fabian Schmied

May 22, 2013, 7:24:24 AM
to Pat Thoyts, msysGit
Hi,

> We include a bundle of certificates in bin/curl-ca-bundle.crt for use
> with curl/openssl so appending additional certificates to that might
> be one solution. The other is to rebuild git with libcurl built to use
> winssl instead of openssl.

Thanks for the pointers, I think we'll go with preparing a bundle of
certificates that includes additional root CAs as part of our Git for
Windows installation (i.e., add to the bin/curl-ca-bundle.crt
file).
I fear that rebuilding Git for Windows with winssl would be too much
of a maintenance burden for us (i.e., upgrading Git would be harder
for us).

Do you plan on revisiting linking msysgit to winssl or has that
feature died (or at least fallen asleep) with the local HTTP cloning
problems you mention? (And is cloning from a local repository via HTTP
important enough to refrain from using winssl? After all, you could
also clone using a file path.)

Best regards,
Fabian
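The approach Fabian settles on above, a site bundle built from the shipped bin/curl-ca-bundle.crt plus extra root CAs and handed to git via http.sslcainfo, as an added example that is not code from the thread or from msysGit; the shipped bundle is left untouched, duplicate certificates are skipped, and the PEM inputs are sanity-checked. All paths and certificate bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: build a site CA bundle from the
# bundle that ships with Git for Windows (bin/curl-ca-bundle.crt) plus extra
# PEM root certificates, without editing the shipped file in place, so the
# result can be handed to http.sslcainfo. Certificate bodies below are
# constructed placeholders, not real certificates.

# Balanced BEGIN/END markers and at least one certificate, else fail.
pem_ok() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Print each certificate of a PEM file as one line (body joined with ',';
# base64 never contains ',') so whole blocks can be compared.
pem_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----$/{b="";f=1;next}
         /^-----END CERTIFICATE-----$/{f=0;print b;next}
         f{b=b (b==""?"":",") $0}' "$1"
}

# build_bundle BASE EXTRA OUT: copy BASE to OUT, then append every
# certificate of EXTRA whose body is not already in OUT (no duplicates).
build_bundle() {
    pem_ok "$1" && pem_ok "$2" || return 1
    cp "$1" "$3"
    pem_blocks "$2" | while IFS= read -r blk; do
        pem_blocks "$3" | grep -qxF -- "$blk" && continue
        { echo '-----BEGIN CERTIFICATE-----'
          printf '%s\n' "$blk" | tr ',' '\n'
          echo '-----END CERTIFICATE-----'; } >> "$3"
    done
}

count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true; }

# Constructed inputs: a stand-in for the shipped bundle, and an internal CA
# file that repeats a cert already in the bundle plus one new root.
work=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBpublicRootA' \
    '-----END CERTIFICATE-----' > "$work/curl-ca-bundle.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBpublicRootA' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
    'MIIBinternalRootB' '-----END CERTIFICATE-----' > "$work/internal-cas.pem"
build_bundle "$work/curl-ca-bundle.crt" "$work/internal-cas.pem" "$work/site-bundle.crt"
# Point git at the merged bundle (printed rather than run; forward slashes are fine on Windows):
echo "git config --global http.sslcainfo \"$work/site-bundle.crt\""
```

Pointing http.sslcainfo at the merged file rather than editing bin/curl-ca-bundle.crt means a Git for Windows upgrade cannot silently overwrite the added CAs.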

Johannes Schindelin

May 22, 2013, 11:08:51 AM
to Fabian Schmied, Pat Thoyts, msysGit
Hi Fabian,

On Wed, 22 May 2013, Fabian Schmied wrote:

> > We include a bundle of certificates in bin/curl-ca-bundle.crt for use
> > with curl/openssl so appending additional certificates to that might
> > be one solution. The other is to rebuild git with libcurl built to use
> > winssl instead of openssl.
>
> Thanks for the pointers, I think we'll go with preparing a bundle of
> certificates that includes additional root CAs as part of our Git for
> Windows installation (i.e., add to the bin/curl-ca-bundle.crt file).
> I fear that rebuilding Git for Windows with winssl would be too much of
> a maintenance burden for us (i.e., upgrading Git would be harder for
> us).
>
> Do you plan on revisiting linking msysgit to winssl or has that feature
> died (or at least fallen asleep) with the local HTTP cloning problems
> you mention? (And is cloning from a local repository via HTTP important
> enough to refrain from using winssl? After all, you could also clone
> using a file path.)

Do keep in mind that it is not "you" vs "us". This is a volunteer effort.
The more you can help with maintaining, the more you get to say which
direction the project goes.

So this is what I could imagine: it might be possible to have two
packages, or even better, two sets of cURL libraries that can be
hardlinked upon installing.

However, it will require work on your part to make this happen and keep it
supported...

Ciao,
Johannes

Pat Thoyts

May 22, 2013, 11:46:58 AM
to Johannes Schindelin, Fabian Schmied, msysGit
On 22 May 2013 16:08, Johannes Schindelin <Johannes....@gmx.de> wrote:
>> Do you plan on revisiting linking msysgit to winssl or has that feature
>> died (or at least fallen asleep) with the local HTTP cloning problems
>> you mention? (And is cloning from a local repository via HTTP important
>> enough to refrain from using winssl? After all, you could also clone
>> using a file path.)

Not in the immediate future. We ran a trial of winssl over openssl and
encountered problems that don't occur for openssl. I'm sure it can be
handled but for now the simplest solution is to revert back. I'm quite
sure if I noticed this as an issue, then once released we'll be
bombarded with complaints about how it is now broken. As it happens
there is at least one other crashing bug in the winssl flavour of curl
which also suggests it is the less robust variety.