Package: git-core
Version: 1.5.6.2-1
Severity: wishlist

libcurl compiled against gnutls does not support passphrases on SSL client keys. libcurl compiled against openssl does just fine. This makes client keys rather impractical to use with Debian's git-core.

Testing this can be done with the following commands:

    curl -O http://hitler.omgwallhack.org/ssltesting/usercert/chump.pem
    curl -O http://hitler.omgwallhack.org/ssltesting/testca.crt
    curl -O http://hitler.omgwallhack.org/ssltesting/usercert/chump-password.pem
    GIT_SSL_CAINFO=testca.crt GIT_SSL_CERT=chump.pem git clone https://hitler.omgwallhack.org/ssltesting/ssltest.git/
    rm -rf ssltest
    GIT_SSL_CAINFO=testca.crt GIT_SSL_CERT=chump-password.pem git clone https://hitler.omgwallhack.org/ssltesting/ssltest.git/
    rm -rf ssltest

Curl, compiled against openssl, does the *right* thing:

    curl -E chump.pem --cacert testca.crt https://hitler.omgwallhack.org/ssltesting/
    curl -E chump-password.pem:password --cacert testca.crt https://hitler.omgwallhack.org/ssltesting/

(If anyone happens to want to recreate the server environment, http://hitler.omgwallhack.org/ssltesting/ca.sh will probably help you out.)

I don't know what the solution would be for this since I don't really know why git-core Depends: libcurl3-gnutls (>= 7.16.2-1) in Debian in the first place. Manually replacing libcurl-gnutls.so.4.1.0 with libcurl.so.4.1.0 didn't have any other engaging consequences to git besides solving this bug for me, for what it's worth.

I've tested a patch that exposes CURLOPT_SSLKEY within git. This library feature appears to do nothing in libcurl[3|4]-gnutls, so I wouldn't suggest anybody else try the same.
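
The limitation reported above can be checked for before a clone is attempted. The script below is an added example, not part of the original report or of git: it classifies a PEM client key as passphrase-protected or not and reads the TLS backend out of a libcurl version line. The function names, the verdict strings and the sample inputs are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: predicts whether a client key will hit the limitation in this report.

# Exit 0 if the PEM file holds a passphrase-protected private key.
key_is_encrypted() {
    # Traditional OpenSSL PEM carries a Proc-Type header; PKCS#8 has its own BEGIN line.
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Print the TLS library named in a libcurl version line (as printed by `curl --version`).
tls_backend() {
    for tok in $1; do            # unquoted on purpose: split the line into tokens
        case "$tok" in
            OpenSSL/*) echo openssl; return 0 ;;
            GnuTLS/*)  echo gnutls;  return 0 ;;
        esac
    done
    echo unknown
}

# client_key_verdict KEYFILE VERSION_LINE  ->  ok | unsupported | unknown
client_key_verdict() {
    backend=$(tls_backend "$2")
    if ! key_is_encrypted "$1"; then
        echo ok                  # the report only concerns passphrase-protected keys
    elif [ "$backend" = openssl ]; then
        echo ok
    elif [ "$backend" = gnutls ]; then
        echo unsupported         # the case described in this report
    else
        echo unknown
    fi
}

# Constructed sample inputs (no real key material, constructed version lines).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/with-pass.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/no-pass.pem"
GNUTLS_LINE='curl 7.18.2 (constructed) libcurl/7.18.2 GnuTLS/2.4.1 zlib/1.2.3'
OPENSSL_LINE='curl 7.18.2 (constructed) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3'

client_key_verdict "$demo_dir/with-pass.pem" "$GNUTLS_LINE"     # unsupported
client_key_verdict "$demo_dir/with-pass.pem" "$OPENSSL_LINE"    # ok
```

The version line has to describe the libcurl that git itself links against; as the report shows, the curl command on the same machine can be built against a different TLS library.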