Switch to "Native Windows Secure Channel library" from "OpenSSL library" on Windows Git, without reinstalling?
C

5

20

During the installation of Git on my Windows machine, I selected "Use the OpenSSL library" for HTTPS Transport backend.

I would like to switch to "Native Windows Secure Channel library" for HTTPS Transport.

Is this possible without re-installing git on Windows?

Chimere answered 17/8, 2017 at 18:30
C
0

The issue has been resolved by the Git for Windows developer: https://github.com/git-for-windows/git/issues/1274

Chimere answered 30/10, 2017 at 18:45
B
13

I found the setting for "schannel" or "openssl" with Git for Windows 2.14.2, 64 bit in file:

C:\Program Files\Git\mingw64\etc\gitconfig

Example config for OpenSSL:

[http]
sslCAInfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
sslBackend = openssl

Example config for Windows native:

[http]
sslCAInfo = C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
sslBackend = schannel

Brodie answered 30/10, 2017 at 14:25
D
4

You can check out this thread from the Git for Windows maintainer:

Yes, it is possible, and you can find out how exactly it is done by inspecting the source code for the installer, which is at https://github.com/git-for-windows/build-extra in the installer/install.iss file (this file is also easily found by a git grep "Secure Channel").

The relevant part is when the installer tests for the GC_WinSSL option to do more interesting stuff than recording the user's choice:

if RdbCurlVariant[GC_WinSSL].Checked and (not
    ReplaceFile(BinDir+'curl-winssl\curl.exe',BinDir+'curl.exe') or not
    ReplaceFile(BinDir+'curl-winssl\libcurl-4.dll',BinDir+'libcurl-4.dll'))
then begin
            Log('Line {#__LINE__}: Replacing curl-openssl with curl-winssl failed.');
end;

(See https://github.com/git-for-windows/build-extra/blob/97c8294b584ae4b99059a1194a5eba24ee2ff1ab/installer/install.iss#L1774)

In other words, the installer will simply try to replace the curl.exe and libcurl-4.dll files in \mingw64\bin (or the 32-bit equivalent) by the files in \mingw64\curl-winssl.

Dinette answered 18/8, 2017 at 5:36
D
4

This is now officially supported with Git 2.20 (Q4 2018): On platforms with recent cURL library, http.sslBackend configuration variable can be used to choose a different SSL backend at runtime.
The Windows port uses this mechanism to switch between OpenSSL and Secure Channel while talking over the HTTPS protocol.

See commit b67d40a (25 Oct 2018), and commit 21084e8 (15 Oct 2018) by Johannes Schindelin (dscho).
See commit 93aef7c (25 Oct 2018) by Brendan Forster (shiftkey).
(Merged by Junio C Hamano -- gitster -- in commit d7b1859, 02 Nov 2018)

http: add support for selecting SSL backends at runtime

As of version 7.56.0, curl supports being compiled with multiple SSL backends.

This patch adds the Git side of that feature: by setting http.sslBackend to "openssl" or "schannel", Git for Windows can now choose the SSL backend at runtime.

This comes in handy on Windows because Secure Channel ("schannel") is the native solution, accessing the Windows Credential Store, thereby allowing for enterprise-wide management of certificates.
For historical reasons, Git for Windows needs to support OpenSSL still, as it has previously been the only supported SSL backend in Git for Windows for almost a decade.

The patch has been carried in Git for Windows for over a year, and is considered mature.

Dinette answered 4/11, 2018 at 3:55
E
0

If you don’t want to manually edit the config file, you can do it with the command line:

git config --global http.sslBackend schannel

Esotropia answered 6/3, 2024 at 12:22
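
The answers above set http.sslBackend in two different places: the system-wide gitconfig under the Git installation directory, and the per-user global config written by `git config --global`. The following is an added example, not part of any answer, showing that a global value overrides the system one, so the installer's choice can be changed without touching the system file. The function name `effective_backend` and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example: find which config file decides http.sslBackend.
# Git reads the system file first, then the global file, then the
# repository's; a later scope overrides an earlier one.

# effective_backend FILE...
# Files are listed from lowest to highest precedence. Prints
# "<value> <file>" for the winning setting, or "unset" if no file sets it.
effective_backend() (
    winner="unset"
    for f in "$@"; do
        [ -f "$f" ] || continue
        # --get prints the last value in the file; exit status 1 means absent
        if val=$(git config --file "$f" --get http.sslBackend); then
            winner="$val $f"
        fi
    done
    printf '%s\n' "$winner"
)

# Constructed sample files standing in for the system and global config
demo_dir=$(mktemp -d)
printf '[http]\n\tsslBackend = openssl\n' > "$demo_dir/system.gitconfig"
: > "$demo_dir/global.gitconfig"

# Only the system file sets the key: OpenSSL is in effect
effective_backend "$demo_dir/system.gitconfig" "$demo_dir/global.gitconfig"

# Same write as `git config --global http.sslBackend schannel`,
# aimed at the sample file instead of the real global config
git config --file "$demo_dir/global.gitconfig" http.sslBackend schannel

# The global file now wins: Secure Channel is in effect
effective_backend "$demo_dir/system.gitconfig" "$demo_dir/global.gitconfig"
```

On a real installation, `git config --show-origin --get-all http.sslBackend` lists every file that sets the key, lowest precedence first, so the last line shown is the backend Git will use.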
