Re: Multiple GIT Accounts & HTTPS Client Certificates - Config
On Tue, Sep 11, 2018 at 09:42:35AM +0200, Sergei Haller wrote: > PS: while I was trying to send the mail to this mailing list, there is > some update from the stack overflow side: > > * I am using sslBackend schannel > * the private key of my client certificate can be provided by using > the http.sslKey config option > * the private key is on a smart card, so there is no way I can copy it > over to a file and use the openssl backend (at least no way that I am > aware of :) > > so basically this pins down to the fact that schannel implementation > is picking the wrong key. Git doesn't provide an option to query a smartcard outside of what your typical TLS implementation provides by default. Not being a Windows user, I don't know if Schannel provides a way to automatically select the right private key based on which certificate is used, or if that's outside its capability. > PS: the recent realization makes me believe this is a window specific > problem. I think I have read somewhere > about a separate windows mailing list (but not sure where I saw it) If you're talking about Git for Windows, yes, this is probably better addressed as an issue there: https://github.com/git-for-windows/git. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204 signature.asc Description: PGP signature
Re: Multiple GIT Accounts & HTTPS Client Certificates - Config
PS: while I was trying to send the mail to this mailing list, there is some update from the stack overflow side: * I am using sslBackend schannel * the private key of my client certificate can be provided by using the http.sslKey config option * the private key is on a smart card, so there is no way I can copy it over to a file and use the openssl backend (at least no way that I am aware of :) so basically this pins down to the fact that schannel implementation is picking the wrong key. Would be great if (one of) the following option was possible: (a) schannel would ask interactively which certificate to use, if there is more than one that matches the servers request (b) key info (e.g. serial number or fingerprint) couldl be provided as config option not sure if (a) or (b) is already possible (in some nightly build or some hidden option?) I'd be eager to test if necessyry, but I probably wont be able to build git (so would need some sort of nightly build or something) PS: the recent realization makes me believe this is a window specific problem. I think I have read somewhere about a separate windows mailing list (but not sure where I saw it) On Mon, Sep 10, 2018 at 10:09 AM, Sergei Haller wrote: > Hi folks, > > my problem is basically the following: my git server (https) requires > authentication using a clent x509 certificate. > > And I have multiple x509 certificates that match the server. > > when I access the https server using a browser, the browser asks which > certificate to use and everything is fine. > > When I try to access the git server from the command line (git pull or > similar), the git will pick one of the available > certificates (randomly or alphabetically) and try to access the server with > that client certificate. Ending in the situation > that git picks the wrong certificate. > > I can workaround by deleting all client certificates from the windows > certificate store except the "correct" one => then git > command line will pick the correct certificate (the only one available) and > everything works as expected. > > Workaround is a workaround, I need to use all of the certificates > repeatedly for different repos and different other > aplications (non-git), so I've been deliting and reinstalling the > certificates all the time in the last weeks... > > How can I tell git cmd (per config option??) to use a particular client > certificate for authenticating to the https server > (I could provide fingerprint or serial number or sth like that) > > current environment: windows 10 and git version 2.18.0.windows.1 > > Would be absolutely acceptable if git would ask interactively which client > certificate to use (in case its not configurable) > > (I asked this question here before: > https://stackoverflow.com/questions/51952568/multiple-git-accounts-https-client-certificates-config > ) > > > Thanks! > > > > -- > ser...@sergei-haller.de > . -- ser...@sergei-haller.de .
Re: Multiple GIT Accounts & HTTPS Client Certificates - Config
no, using SSH is not an option. I have no control over the server setup whatsoever. Thx! On Mon, Sep 10, 2018 at 3:29 PM, Randall S. Becker wrote: > On September 10, 2018 4:09 AM, Sergei Haller wrote: >> my problem is basically the following: my git server (https) requires >> authentication using a clent x509 certificate. >> >> And I have multiple x509 certificates that match the server. >> >> when I access the https server using a browser, the browser asks which >> certificate to use and everything is fine. >> >> When I try to access the git server from the command line (git pull or >> similar), >> the git will pick one of the available certificates (randomly or >> alphabetically) >> and try to access the server with that client certificate. Ending in the >> situation that git picks the wrong certificate. >> >> I can workaround by deleting all client certificates from the windows >> certificate store except the "correct" one => then git command line will pick >> the correct certificate (the only one available) and everything works as >> expected. >> >> Workaround is a workaround, I need to use all of the certificates repeatedly >> for different repos and different other aplications (non-git), so I've been >> deliting and reinstalling the certificates all the time in the last weeks... >> >> How can I tell git cmd (per config option??) to use a particular client >> certificate for authenticating to the https server (I could provide >> fingerprint >> or serial number or sth like that) >> >> current environment: windows 10 and git version 2.18.0.windows.1 >> >> Would be absolutely acceptable if git would ask interactively which client >> certificate to use (in case its not configurable) >> >> (I asked this question here before: >> https://stackoverflow.com/questions/51952568/multiple-git-accounts- >> https-client-certificates-config >> ) > > Would you consider using SSH to authenticate? You can control which private > key you use based on your ~/.ssh/config entries, which are case sensitive. > You can choose the SSH key to use by playing with the case of the host name, > like: > > github.com > Github.com > gitHub.com > > even if your user is "git" in all cases above. It is a bit hacky but it is > part of the SSH spec and is supported by git and EGit (as of 5.x). > > Cheers, > Randall > > -- > Randall S. Becker > Managing Director, Nexbridge Inc. > LinkedIn.com/in/randallbecker > +1.416.984.9826 > > > -- ser...@sergei-haller.de .
RE: Multiple GIT Accounts & HTTPS Client Certificates - Config
On September 10, 2018 4:09 AM, Sergei Haller wrote: > my problem is basically the following: my git server (https) requires > authentication using a clent x509 certificate. > > And I have multiple x509 certificates that match the server. > > when I access the https server using a browser, the browser asks which > certificate to use and everything is fine. > > When I try to access the git server from the command line (git pull or > similar), > the git will pick one of the available certificates (randomly or > alphabetically) > and try to access the server with that client certificate. Ending in the > situation that git picks the wrong certificate. > > I can workaround by deleting all client certificates from the windows > certificate store except the "correct" one => then git command line will pick > the correct certificate (the only one available) and everything works as > expected. > > Workaround is a workaround, I need to use all of the certificates repeatedly > for different repos and different other aplications (non-git), so I've been > deliting and reinstalling the certificates all the time in the last weeks... > > How can I tell git cmd (per config option??) to use a particular client > certificate for authenticating to the https server (I could provide > fingerprint > or serial number or sth like that) > > current environment: windows 10 and git version 2.18.0.windows.1 > > Would be absolutely acceptable if git would ask interactively which client > certificate to use (in case its not configurable) > > (I asked this question here before: > https://stackoverflow.com/questions/51952568/multiple-git-accounts- > https-client-certificates-config > ) Would you consider using SSH to authenticate? You can control which private key you use based on your ~/.ssh/config entries, which are case sensitive. You can choose the SSH key to use by playing with the case of the host name, like: github.com Github.com gitHub.com even if your user is "git" in all cases above. It is a bit hacky but it is part of the SSH spec and is supported by git and EGit (as of 5.x). Cheers, Randall -- Randall S. Becker Managing Director, Nexbridge Inc. LinkedIn.com/in/randallbecker +1.416.984.9826
