Web lists-archives.com

Re: Multiple GIT Accounts & HTTPS Client Certificates - Config




PS: while I was trying to send the mail to this mailing list, there is
some update from the stack overflow side:

* I am using sslBackend schannel
* the private key of my client certificate can be provided by using
the http.sslKey config option
* the private key is on a smart card, so there is no way I can copy it
over to a file and use the openssl backend (at least no way that I am
aware of :)

so basically this pins down to the fact that schannel implementation
is picking the wrong key.

Would be great if (one of) the following option was possible:

(a) schannel would ask interactively which certificate to use, if
there is more than one that matches the servers request
(b) key info (e.g. serial number or fingerprint) couldl be provided as
config option

not sure if (a) or (b) is already possible (in some nightly build or
some hidden option?)

I'd be eager to test if necessyry, but I probably wont be able to
build git (so would need some sort of nightly build or something)

PS: the recent realization makes me believe this is a window specific
problem. I think I have read somewhere
about a separate windows mailing list (but not sure where I saw it)


On Mon, Sep 10, 2018 at 10:09 AM, Sergei Haller <sergei@xxxxxxxxxxxxxxxx> wrote:
> Hi folks,
>
> my problem is basically the following: my git server (https) requires
> authentication using a clent x509 certificate.
>
> And I have multiple x509 certificates that match the server.
>
> when I access the https server using a browser, the browser asks which
> certificate to use and everything is fine.
>
> When I try to access the git server from the command line (git pull or
> similar), the git will pick one of the available
> certificates (randomly or alphabetically) and try to access the server with
> that client certificate. Ending in the situation
> that git picks the wrong certificate.
>
> I can workaround by deleting all client certificates from the windows
> certificate store except the "correct" one => then git
> command line will pick the correct certificate (the only one available) and
> everything works as expected.
>
> Workaround is a workaround, I need to use all of the certificates
> repeatedly for different repos and different other
> aplications (non-git), so I've been deliting and reinstalling the
> certificates all the time in the last weeks...
>
> How can I tell git cmd (per config option??) to use a particular client
> certificate for authenticating to the https server
> (I could provide fingerprint or serial number or sth like that)
>
> current environment: windows 10 and git version 2.18.0.windows.1
>
> Would be absolutely acceptable if git would ask interactively which client
> certificate to use (in case its not configurable)
>
> (I asked this question here before:
> https://stackoverflow.com/questions/51952568/multiple-git-accounts-https-client-certificates-config
> )
>
>
> Thanks!
>
>
>
> --
> sergei@xxxxxxxxxxxxxxxx
> .



-- 
sergei@xxxxxxxxxxxxxxxx
.