git https clone必须在最终用户使用http.sslVerify=false时失败。

huangapple go评论70阅读模式
英文:

git https clone must fail if end user used http.sslVerify=false

问题

如果Git最终用户设置了

> http.sslVerify=false

,例如以下命令

git -c http.sslVerify=false clone https://<url>/x.git

那么公共仓库克隆将在没有任何验证的情况下成功,并且关闭TLS验证不提供任何保护。

在这种设置中,Git用户将从外部云访问Git镜像(Bitbucket镜像)服务器,我们希望在执行Git克隆/拉取操作之前确保每个Git客户端都提供有效的证书(意图是将公共仓库克隆的审计轨迹记录下来)。

如何阻止Git客户端用户通过设置http.sslVerify=false来禁用TLS验证?(以确保Git客户端提供有效的证书)

FYI,Bitbucket镜像托管在Apache代理后面,我可以启用mTLS,但在这里寻求建议。如何确保Git客户端每次执行Git操作时都提供有效的SSL证书,以便我们可以在Apache日志或应用程序日志中记录SSL证书用户的信息?

提前感谢您的回答。

回答我的问题,因为我找到了两种解决方法(服务器端更改)来阻止匿名访问。

方法1:在Apache代理中启用mTLS以强制客户端使用有效的证书。设置Apache指令 "SSLVerifyClient require",我们将在Apache日志中打印证书用户详细信息(自定义日志以打印SSL标头值或使用Apache的forensic日志)。

方法2:在Bitbucket属性文件中启用 feature.public.access=false,这将强制终端用户发送HTTPS令牌(对于公共和私有仓库都是如此)。在这种情况下,SSL客户端证书不是强制性的,但至少需要在SSL客户端环境中具有CA根证书。

英文:

if git end user sets

> http.sslVerify=false

, for example command

git -c http.sslVerify=false clone https://<url>/x.git

then the public repo clone succeeds without any verification and turning off TLS verification does not provide any protection.

in this setup git users will access an git mirror (bitbucket mirror) server from external cloud, we wanted to ensure every git client present an valid cert before executing an git clone / pull operations.( intention is to have Audit trail of public repo close as well).

How do i block a git client user if user disables the TLS verification by setting http.sslVerify=false? ( to ensure a valid cert is presented by the git cli clients)

FYI, Bitbucket mirror hosted behind an Apache proxy where i can enable mTLS however seeking suggestion/advice here. How to ensure git client provides a valid ssl cert for all git operations every time git https clone必须在最终用户使用http.sslVerify=false时失败。 so that we can log the SSL cert user in Apache logs or Application logs?

Thanks in advance.

Answering my own query as i found two solutions ( server side changes) to block Anonymous Access.

Method 1 : Enable mTLS at Apache proxy to enforce client to use a valid cert. Set the Apache directive "SSLVerifyClient require" and we will have cert user details printed in Apache logs ( custom logs to print ssl header values or using apache forensic logs)

Method 2: Enable feature.public.access=false in Bitbucket properties file which will enforce end users to send HTTPS token (both for public & private repos). in this case ssl client cert is not mandatory however CA root cert is required at minimum in the ssl client environment.

答案1

得分: 2

http.sslVerify 是关于客户端验证服务器证书的,即客户端正确验证服务器以防止中间人攻击。这与"确保每个 Git 客户端都呈现有效的证书"无关 - 这将使用客户端证书以便服务器可以对客户进行身份验证(双向 TLS)。

服务器无法确保客户端正确验证服务器证书。只能在服务器端确定客户端必须以某种方式接受了服务器证书,因为 TLS 握手成功。不能观察到客户端究竟为什么接受了服务器证书,即是否进行了正确的验证。甚至不能观察到连接是否来自预期的客户端,而不是来自中间人攻击者。

唯一的方法来确定客户端是否检查服务器证书是通过提供错误的证书来使客户端失败。当然,在这种情况下,git clone 将不会成功,因为要么由于错误的证书客户端不会继续,要么由于客户端未正确检查证书,服务器不会继续。因此,这种检查不能用于仅允许具有正确证书验证的 git clone

英文:

http.sslVerify is about validating the server certificate by the client, i.e. that the client properly authenticates the server in order to protect against man-in-the-middle attacks. This has nothing to do with "ensure every git client present an valid cert" - which would be use of client certificates so that the server can authenticate the client (mutual TLS).

There is no way for the server to ensure that the client is properly validating the server certificate. It can only be determined in the server that the client must have accepted the server certificate somehow since the TLS handshake succeeded. It cannot be observed why exactly the client has accepted the server certificate, i.e. if proper validation was done or not. It cannot even be observed that the connections comes from the intended client and not from some man-in-the-middle attacker instead.

The only way to figure out that the client is not checking server certificates is to make the client fail by presenting a wrong certificate. Of course a git clone will not succeed in this case, since either the client will not continue due to the wrong certificate or the server will not continue due to the client not properly checking the certificate. So this kind of check cannot be used to make git clone only possible with proper certificate validation.

huangapple
  • 本文由 发表于 2023年7月11日 10:55:05
  • 转载请务必保留本文链接:https://go.coder-hub.com/76658449.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定