git-http-backend-verify: provide REQUIRE_SSL_CLIENT_VERIFY_SUCCESS knob

If REQUIRE_SSL_CLIENT_VERIFY_SUCCESS has been exported (to any value)
when running the git-http-backend-verify script, then if the request
is a push, `SSL_CLIENT_VERIFY=SUCCESS` will always be required in the
environment.

The sample apache.conf file already checks for this and does not run
the script unless SSL_CLIENT_VERIFY is SUCCESS. As a result it does
not export SSL_CLIENT_VERIFY since that's a minor efficiency penalty
and it's already checked it.

This script does verify that SSL_CLIENT_VERIFY is SUCCESS for push
operations, but only if SSL_CLIENT_VERIFY is actually set.

Nevertheless, for the security paranoid, setting the environment
variable REQUIRE_SSL_CLIENT_VERIFY_SUCCESS (to any value) before
running git-http-backend-verify will always require SSL_CLIENT_VERIFY
to be set to SUCCESS before allowing a push.

This will necessitate adding "+StdEnvVars" to the "SSLOptions"
directive(s) in order to make Apache export SSL_CLIENT_VERIFY when
running the git-http-backend-verify script.

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
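
The gating behaviour this commit message describes, sketched as an added shell example; it is not the project's git-http-backend-verify script. The function names are hypothetical, and two things are assumptions: detecting a push by the git-receive-pack service name, and treating an exported-but-empty variable as set.

```shell
#!/bin/sh
# Added illustration only; all function names are hypothetical.

# Assumption: a smart-HTTP push is a request for the git-receive-pack
# service, named either in the query string or as the last path component.
is_push_request() {
	case "&${QUERY_STRING:-}&" in
		*"&service=git-receive-pack&"*) return 0 ;;
	esac
	case "${PATH_INFO:-}" in
		*/git-receive-pack) return 0 ;;
	esac
	return 1
}

# Returns 0 if the request may proceed, 1 if it must be refused.
client_cert_gate() {
	is_push_request || return 0   # only pushes are gated by this check
	if [ -n "${REQUIRE_SSL_CLIENT_VERIFY_SUCCESS+set}" ]; then
		# Strict mode: a missing SSL_CLIENT_VERIFY counts as a failure,
		# so a server that forgot "+StdEnvVars" refuses every push.
		[ "${SSL_CLIENT_VERIFY:-}" = "SUCCESS" ]
		return
	fi
	if [ -n "${SSL_CLIENT_VERIFY+set}" ]; then
		# Default mode: the value is checked only when it was exported.
		[ "$SSL_CLIENT_VERIFY" = "SUCCESS" ]
		return
	fi
	return 0   # default mode trusts the web server's own check
}

# Print "allow" or "deny" for the request described by the environment.
gate_decision() {
	if client_cert_gate; then echo allow; else echo deny; fi
}

# Constructed request: a push for which the server exported no
# SSL_CLIENT_VERIFY, evaluated first in default mode, then in strict mode.
unset QUERY_STRING SSL_CLIENT_VERIFY REQUIRE_SSL_CLIENT_VERIFY_SUCCESS
PATH_INFO=/example.git/git-receive-pack
gate_decision
REQUIRE_SSL_CLIENT_VERIFY_SUCCESS=1
gate_decision
```

In default mode the decision rests entirely on the web server configuration having checked the certificate; in strict mode the script refuses a push whenever that evidence is absent from its environment.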