Commit
ff5a3967
authored
Mar 14, 2016
by
Carlos Martín Nieto
Merge pull request #3683 from dbussink/dbussink/better-openssl-ciphers
Setup better defaults for OpenSSL ciphers
parents
1ddada42
c577efbb
Showing
6 changed files
with
53 additions
and
1 deletions
+53
-1
include/git2/common.h
+6
-0
src/global.c
+2
-0
src/global.h
+1
-0
src/openssl_stream.c
+13
-0
src/settings.c
+23
-1
tests/online/badssl.c
+8
-0
include/git2/common.h
...
...
@@ -149,6 +149,7 @@ typedef enum {
GIT_OPT_SET_SSL_CERT_LOCATIONS
,
GIT_OPT_SET_USER_AGENT
,
GIT_OPT_ENABLE_STRICT_OBJECT_CREATION
,
GIT_OPT_SET_SSL_CIPHERS
,
}
git_libgit2_opt_t
;
/**
...
...
@@ -260,6 +261,11 @@ typedef enum {
* > example, when this is enabled, the parent(s) and tree inputs
* > will be validated when creating a new commit. This defaults
* > to disabled.
* * opts(GIT_OPT_SET_SSL_CIPHERS, const char *ciphers)
*
* > Set the SSL ciphers use for HTTPS connections.
* >
* > - `ciphers` is the list of ciphers that are eanbled.
*
* @param option Option key
* @param ... value to set the option
...
...
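Review bot: The new doc block for `GIT_OPT_SET_SSL_CIPHERS` does not say what format `ciphers` takes or when the call has to be made. As far as the other hunks of this commit show, the string is handed unchanged to `SSL_CTX_set_cipher_list` inside git_openssl_stream_global_init, so it is an OpenSSL cipher-list string, and a value set after the SSL context has been created appears to be stored but never applied; the text should state both, and that builds without OpenSSL return an error. Two typos are worth fixing in the same pass: `Set the SSL ciphers used for HTTPS connections.` and `` `ciphers` is the list of ciphers that are enabled. `` The comment block starts and ends outside the hunk.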
src/global.c
...
...
@@ -27,6 +27,7 @@ static git_global_shutdown_fn git__shutdown_callbacks[MAX_SHUTDOWN_CB];
static
git_atomic
git__n_shutdown_callbacks
;
static
git_atomic
git__n_inits
;
char
*
git__user_agent
;
char
*
git__ssl_ciphers
;
void
git__on_shutdown
(
git_global_shutdown_fn
callback
)
{
...
...
@@ -83,6 +84,7 @@ static void shutdown_common(void)
}
git__free
(
git__user_agent
);
git__free
(
git__ssl_ciphers
);
#if defined(GIT_MSVC_CRTDBG)
git_win32__crtdbg_stacktrace_cleanup
();
...
...
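Review bot: `git__free(git__ssl_ciphers);` in shutdown_common leaves the global pointing at freed memory, and unlike a value that is only read on demand, this pointer is read again by git_openssl_stream_global_init the next time the library initialises. If the library is shut down and initialised again in the same process (presumably allowed, given the `git__n_inits` counter), the stale pointer would reach `SSL_CTX_set_cipher_list`. Follow the free with `git__ssl_ciphers = NULL;` so a re-init falls back to the built-in default list. shutdown_common starts and ends outside the hunk, so a reset elsewhere in the function cannot be ruled out from here.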
src/global.h
...
...
@@ -36,5 +36,6 @@ extern void git__on_shutdown(git_global_shutdown_fn callback);
extern
void
git__free_tls_data
(
void
);
extern
const
char
*
git_libgit2__user_agent
(
void
);
extern
const
char
*
git_libgit2__ssl_ciphers
(
void
);
#endif
src/openssl_stream.c
...
...
@@ -34,6 +34,8 @@
SSL_CTX
*
git__ssl_ctx
;
#define GIT_SSL_DEFAULT_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
#ifdef GIT_THREADS
static
git_mutex
*
openssl_locks
;
...
...
@@ -85,6 +87,7 @@ int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
long
ssl_opts
=
SSL_OP_NO_SSLv2
|
SSL_OP_NO_SSLv3
;
const
char
*
ciphers
=
git_libgit2__ssl_ciphers
();
/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
...
...
@@ -108,6 +111,16 @@ int git_openssl_stream_global_init(void)
git__ssl_ctx
=
NULL
;
return
-
1
;
}
if
(
!
ciphers
)
{
ciphers
=
GIT_SSL_DEFAULT_CIPHERS
;
}
if
(
!
SSL_CTX_set_cipher_list
(
git__ssl_ctx
,
ciphers
))
{
SSL_CTX_free
(
git__ssl_ctx
);
git__ssl_ctx
=
NULL
;
return
-
1
;
}
#endif
git__on_shutdown
(
shutdown_ssl
);
...
...
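Review bot: When `SSL_CTX_set_cipher_list` rejects the string, the new branch in the last hunk of git_openssl_stream_global_init returns -1 without recording an error, so a mistyped list passed through `GIT_OPT_SET_SSL_CIPHERS` surfaces as an unexplained initialisation failure. Record a message before returning, for example `giterr_set(GITERR_NET, "failed to set SSL cipher list");`. Separately, `GIT_SSL_DEFAULT_CIPHERS` deserves a comment naming the source of the list and why the non-forward-secret suites at its end (`AES128-SHA` and similar) are retained, so whoever updates it next knows which compatibility target it encodes. The function body continues outside the hunk.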
src/settings.c
...
...
@@ -71,12 +71,18 @@ static int config_level_to_sysdir(int config_level)
}
extern
char
*
git__user_agent
;
extern
char
*
git__ssl_ciphers
;
const
char
*
git_libgit2__user_agent
()
{
return
git__user_agent
;
}
const
char
*
git_libgit2__ssl_ciphers
()
{
return
git__ssl_ciphers
;
}
int
git_libgit2_opts
(
int
key
,
...)
{
int
error
=
0
;
...
...
@@ -169,7 +175,7 @@ int git_libgit2_opts(int key, ...)
}
}
#else
giterr_set
(
GITERR_NET
,
"
C
annot set certificate locations: OpenSSL is not enabled"
);
giterr_set
(
GITERR_NET
,
"
c
annot set certificate locations: OpenSSL is not enabled"
);
error
=
-
1
;
#endif
break
;
...
...
@@ -187,6 +193,22 @@ int git_libgit2_opts(int key, ...)
git_object__strict_input_validation
=
(
va_arg
(
ap
,
int
)
!=
0
);
break
;
case
GIT_OPT_SET_SSL_CIPHERS
:
#ifdef GIT_OPENSSL
{
git__free
(
git__ssl_ciphers
);
git__ssl_ciphers
=
git__strdup
(
va_arg
(
ap
,
const
char
*
));
if
(
!
git__ssl_ciphers
)
{
giterr_set_oom
();
error
=
-
1
;
}
}
#else
giterr_set
(
GITERR_NET
,
"cannot set custom ciphers: OpenSSL is not enabled"
);
error
=
-
1
;
#endif
break
;
default:
giterr_set
(
GITERR_INVALID
,
"invalid option key"
);
error
=
-
1
;
...
...
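Review bot: In the `GIT_OPT_SET_SSL_CIPHERS` case the `va_arg` result goes straight into `git__strdup`, so a caller passing NULL (the natural way to ask for the defaults back) is not handled; git__strdup is not visible here, but if it wraps strdup or strlen a NULL argument is undefined behaviour. Read the argument first and treat NULL as a reset: `const char *ciphers = va_arg(ap, const char *);`, then `git__ssl_ciphers = ciphers ? git__strdup(ciphers) : NULL;`, and guard the out-of-memory branch with `if (ciphers && !git__ssl_ciphers)`. git_libgit2_opts starts and ends outside the hunk.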
tests/online/badssl.c
...
...
@@ -36,3 +36,11 @@ void test_online_badssl__self_signed(void)
cl_git_fail_with
(
GIT_ECERTIFICATE
,
git_clone
(
&
g_repo
,
"https://self-signed.badssl.com/fake.git"
,
"./fake"
,
NULL
));
}
void
test_online_badssl__old_cipher
(
void
)
{
if
(
!
g_has_ssl
)
cl_skip
();
cl_git_fail
(
git_clone
(
&
g_repo
,
"https://rc4.badssl.com/fake.git"
,
"./fake"
,
NULL
));
}
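Review bot: `cl_git_fail` in test_online_badssl__old_cipher passes on any clone failure, including a DNS or network error or an OpenSSL build with no RC4 support at all, so the test does not show that the new cipher list is what rejected the server. Pin the cause, for example by following the call with `cl_assert_equal_i(GITERR_SSL, giterr_last()->klass);` once it is confirmed which error class a failed handshake reports. The self_signed test directly above already pins its error code with `cl_git_fail_with`.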