File tree Expand file tree Collapse file tree 4 files changed +36
-1
lines changed Expand file tree Collapse file tree 4 files changed +36
-1
lines changed Original file line number Diff line number Diff line change @@ -384,6 +384,10 @@ fn apply_environment_overrides(
384384 let key = & gitoxide:: Http :: VERBOSE ;
385385 ( env ( key) , key. name )
386386 } ,
387+ {
388+ let key = & gitoxide:: Http :: SSL_NO_VERIFY ;
389+ ( env ( key) , key. name )
390+ } ,
387391 {
388392 let key = & gitoxide:: Http :: PROXY_AUTH_METHOD ;
389393 ( env ( key) , key. name )
Original file line number Diff line number Diff line change @@ -179,6 +179,15 @@ mod subsections {
179179 http:: SslVersion :: new_ssl_version ( "sslVersionMax" , & Gitoxide :: HTTP ) . with_note (
180180 "entirely new to set the upper bound for the allowed ssl version range. Overwrites the max bound of `http.sslVersion` if set. Min and Max must be set to become effective." ,
181181 ) ;
182+ /// The `gitoxide.http.sslNoVerify` key.
183+ ///
184+ /// If set, disable SSL verification. Using this is discouraged it can lead to
185+ /// various security risks. An example where this may be needed is when an internal
186+ /// git server uses a self-signed certificate and the user accepts the associated security risks.
187+ pub const SSL_NO_VERIFY : keys:: Boolean = keys:: Boolean :: new_boolean ( "sslNoVerify" , & Gitoxide :: HTTP )
188+ . with_environment_override ( "GIT_SSL_NO_VERIFY" )
189+ . with_deviation ( "Only supported when using curl as https backend" )
190+ . with_note ( "Used to disable SSL verification. When this is enabled it takes prority over http.sslVerify." ) ;
182191 /// The `gitoxide.http.proxyAuthMethod` key.
183192pub const PROXY_AUTH_METHOD : http:: ProxyAuthMethod =
184193 http:: ProxyAuthMethod :: new_proxy_auth_method ( "proxyAuthMethod" , & Gitoxide :: HTTP )
@@ -199,6 +208,7 @@ mod subsections {
199208 & Self :: CONNECT_TIMEOUT ,
200209 & Self :: SSL_VERSION_MIN ,
201210 & Self :: SSL_VERSION_MAX ,
211+ & Self :: SSL_NO_VERIFY ,
202212 & Self :: PROXY_AUTH_METHOD ,
203213 ]
204214 }
Original file line number Diff line number Diff line change @@ -407,13 +407,31 @@ impl crate::Repository {
407407
408408 {
409409 let key = "http.sslVerify" ;
410- opts . ssl_verify = config
410+ let ssl_verify = config
411411 . boolean_filter_by_key ( key, & mut trusted_only)
412412 . map ( |value| config:: tree:: Http :: SSL_VERIFY . enrich_error ( value) )
413413 . transpose ( )
414414 . with_leniency ( lenient)
415415 . map_err ( config:: transport:: http:: Error :: from) ?
416416 . unwrap_or ( true ) ;
417+
418+ let ssl_no_verify = config
419+ . boolean_filter (
420+ "gitoxide" ,
421+ Some ( "http" . into ( ) ) ,
422+ gitoxide:: Http :: SSL_NO_VERIFY . name ,
423+ & mut trusted_only,
424+ )
425+ . and_then ( Result :: ok)
426+ . unwrap_or_default ( ) ;
427+
428+ // ssl_no_verify take prority here because it is based on environment variable
429+ // and we try to match git behavior.
430+ if ssl_no_verify {
431+ opts. ssl_verify = false ;
432+ } else {
433+ opts. ssl_verify = ssl_verify;
434+ }
417435 }
418436
419437 #[ cfg( feature = "blocking-http-transport-curl" ) ]
Original file line number Diff line number Diff line change @@ -19,6 +19,7 @@ mod with_overrides {
1919 . set ( "GIT_HTTP_LOW_SPEED_LIMIT" , "1" )
2020 . set ( "GIT_HTTP_LOW_SPEED_TIME" , "1" )
2121 . set ( "GIT_HTTP_PROXY_AUTHMETHOD" , "proxy-auth-method-env" )
22+ . set ( "GIT_SSL_NO_VERIFY" , "true" )
2223 . set ( "GIT_CURL_VERBOSE" , "true" )
2324 . set ( "https_proxy" , "https-lower-override" )
2425 . set ( "HTTPS_PROXY" , "https-upper" )
@@ -230,7 +231,9 @@ mod with_overrides {
230231 cow_bstr( "proxy-auth-method-env" ) ,
231232 ]
232233 ) ;
234+
233235 for ( key, expected) in [
236+ ( "gitoxide.http.sslNoVerify" , "true" ) ,
234237 ( "gitoxide.http.verbose" , "true" ) ,
235238 ( "gitoxide.allow.protocolFromUser" , "file-allowed" ) ,
236239 ( "core.useReplaceRefs" , "no-replace" ) ,
You can’t perform that action at this time.
0 commit comments