diff options
| author | David Timber <dxdt@dev.snart.me> | 2026-03-02 12:16:41 +0900 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2026-03-02 08:39:26 -0800 |
| commit | a8215a2051411bbaa1ea1464026cb473fbf8f83c (patch) | |
| tree | 13c10c48e2f84a5ab2ab69f59412f1e37709f797 /Documentation | |
| parent | 67ad42147a7acc2af6074753ebd03d904476118f (diff) | |
| download | git-a8215a2051411bbaa1ea1464026cb473fbf8f83c.tar.xz | |
send-email: add client certificate options
For SMTP servers that do "mutual certificate verification", the mail
client is required to present its own TLS certificate as well. This
patch adds --smtp-ssl-client-cert and --smtp-ssl-client-key for such
servers.
The problem of which private key for the certificate is chosen arises
when there are private keys in both the certificate and private key
file. According to the documentation of IO::Socket::SSL(link supplied),
the behaviour(the private key chosen) depends on the format of the
certificate. In a nutshell,
- PKCS12: the key in the cert always takes the precedence
- PEM: if the key file is not given, it will "try" to read one
from the cert PEM file
Many users may find this discrepancy unintuitive.
In terms of client certificate, git-send-email is implemented in a way
that what's possible with perl's SSL library is exposed to the user as
much as possible. In this instance, the user may choose to use a PEM
file that contains both certificate and private key should be
at their discretion despite the implications.
Link: https://metacpan.org/pod/IO::Socket::SSL#SSL_cert_file-%7C-SSL_cert-%7C-SSL_key_file-%7C-SSL_key
Link: https://lore.kernel.org/all/319bf98c-52df-4bf9-b157-e4bc2bf087d6@dev.snart.me/
Signed-off-by: David Timber <dxdt@dev.snart.me>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/config/sendemail.adoc | 16 | ||||
| -rw-r--r-- | Documentation/git-send-email.adoc | 19 |
2 files changed, 35 insertions, 0 deletions
diff --git a/Documentation/config/sendemail.adoc b/Documentation/config/sendemail.adoc index 90164c734d..6560ecc5ab 100644 --- a/Documentation/config/sendemail.adoc +++ b/Documentation/config/sendemail.adoc @@ -12,6 +12,22 @@ sendemail.smtpSSLCertPath:: Path to ca-certificates (either a directory or a single file). Set it to an empty string to disable certificate verification. +sendemail.smtpSSLClientCert:: + Path to the client certificate file to present if requested by the + server. This is required when the server is set up to verify client + certificates. If the corresponding private key is not included in the + file, it must be supplied using `sendemail.smtpSSLClientKey` or the + `--smtp-ssl-client-key` option. + +sendemail.smtpSSLClientKey:: + Path to the client private key file that corresponds to the client + certificate. To avoid misconfiguration, this configuration must be used + in conjunction with `sendemail.smtpSSLClientKey` or the + `--smtp-ssl-client-cert` option. If the client key is included in the + client certificate, the choice of private key depends on the format of + the certificate. Visit https://metacpan.org/pod/IO::Socket::SSL for more + details. + sendemail.<identity>.*:: Identity-specific versions of the `sendemail.*` parameters found below, taking precedence over those when this diff --git a/Documentation/git-send-email.adoc b/Documentation/git-send-email.adoc index ebe8853e9f..ed9a0d3053 100644 --- a/Documentation/git-send-email.adoc +++ b/Documentation/git-send-email.adoc @@ -290,6 +290,25 @@ must be used for each option. variable, if set, or the backing SSL library's compiled-in default otherwise (which should be the best choice on most platforms). +--smtp-ssl-client-cert <path>:: + Path to the client certificate file to present if requested by the + server. This option is required when the server is set up to verify + client certificates. If the corresponding private key is not included in + the file, it must be supplied using the `sendemail.smtpSSLClientKey` + configuration variable or the `--smtp-ssl-client-key` option. Defaults + to the value of the `sendemail.smtpSSLClientCert` configuration + variable, if set. + +--smtp-ssl-client-key <path>:: + Path to the client private key file that corresponds to the client + certificate. To avoid misconfiguration, this option must be used in + conjunction with the `sendemail.smtpSSLClientKey` configuration variable + or the `--smtp-ssl-client-cert` option. If the client key is included in + the client certificate, the choice of private key depends on the format + of the certificate. Visit https://metacpan.org/pod/IO::Socket::SSL for + more details. Defaults to the value of the `sendemail.smtpSSLClientKey` + configuration variable, if set. + --smtp-user=<user>:: Username for SMTP-AUTH. Default is the value of `sendemail.smtpUser`; if a username is not specified (with `--smtp-user` or `sendemail.smtpUser`), |