Date: Tue, 26 Mar 2019 10:36:14 +0000
From: "Laurent Bercot" <ska-dietlibc@...rnet.org>
To: musl@...ts.openwall.com
Subject: Re: Supporting git access via smart HTTPS protocol for musl-libc


>On further enquiry I found that the latest cgit only supports dumb http protocol
>for cloning or fetch. But it has option to disable the http/s cloning support,
>so that another program can do it. Sorry, I was under the impression that skarnet was
>supporting git http/s smart protocol by using cgit itself.

No, this is much simpler than that: HTTPS on skarnet.org is supported
by having busybox httpd run under a TLS-capable superserver
(s6-tlsserver, from s6-networking, which can use BearSSL as its
crypto backend). It's literally HTTP in a TLS tunnel, and has nothing
to do with cgit or git, which are not TLS-aware at all.

Unfortunately, that solution isn't applicable to git.musl-libc.org,
because thttpd apparently insists on doing the socket listening
itself - it doesn't seem to support inetd-style, which is how
s6-tlsserver operates.

This is a direct illustration of the superior convenience of
inetd-style servers: they can be plugged with other tools in order
to achieve functionality the original author didn't plan for.

For thttpd, a different approach will be necessary, very likely
at the CGI level. Good luck, Jim.

--
Laurent
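
The inetd-style arrangement described in the message above, as an added example that is not part of the original e-mail or of any project it mentions: the handler only reads fd 0 and writes fd 1, so whatever wrapper owns the connection decides the transport, which is the position a TLS superserver occupies. The handler, `spawn_inetd_style`, the request path and the socketpair standing in for an accepted connection are all constructed for illustration.

```python
import socket
import subprocess
import sys

# Hypothetical inetd-style handler: it reads a request on stdin and writes
# the response on stdout. It has no socket, bind, listen or TLS code.
HANDLER = r'''
import sys
request_line = sys.stdin.buffer.readline().decode("latin-1").strip()
while sys.stdin.buffer.readline() not in (b"\r\n", b"\n", b""):
    pass  # skip the remaining request headers
body = ("handled: " + request_line + "\n").encode()
out = sys.stdout.buffer
out.write(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body))
out.write(body)
out.flush()
'''

def spawn_inetd_style(conn, argv):
    """Run argv with the connected socket as its stdin and stdout,
    which is what an inetd-style superserver does for each connection."""
    proc = subprocess.Popen(argv, stdin=conn.fileno(), stdout=conn.fileno())
    conn.close()  # the child now holds its own copies of the descriptor
    return proc

def demo(request=b"GET /index.html HTTP/1.0\r\nHost: example.invalid\r\n\r\n"):
    # Constructed input: a socketpair stands in for an accepted TCP connection.
    client, server_side = socket.socketpair()
    proc = spawn_inetd_style(server_side, [sys.executable, "-c", HANDLER])
    client.sendall(request)
    chunks = []
    while True:
        data = client.recv(4096)
        if not data:  # EOF: the handler exited and closed its end
            break
        chunks.append(data)
    client.close()
    proc.wait()
    return b"".join(chunks)

if __name__ == "__main__":
    print(demo().decode("latin-1"))
```

A server that insists on doing the socket listening itself offers no such seam: the wrapper has nothing to hand it.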
