Cloning with a cert fails on Mac because objective-git is not built with OpenSSL #499

Closed
jaanus opened this issue Aug 5, 2015 · 5 comments

@jaanus
Contributor

jaanus commented Aug 5, 2015

The latest code 39e3beb fails to build with SSL on Mac, which results in this code …

NSURL *serverCertificateURL = options[GTRepositoryCloneOptionsServerCertificateURL];
if (serverCertificateURL) {
    int gitError = git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, serverCertificateURL.fileSystemRepresentation, NULL);
    if (gitError < GIT_OK) {
        if (error != NULL) *error = [NSError git_errorFor:gitError description:@"Failed to configure the server certificate at %@", serverCertificateURL];
        return nil;
    }
}

failing with this error:

Error Domain=GTGitErrorDomain Code=-1 "Cannot set certificate locations:
OpenSSL is not enabled" UserInfo=0x618000074500 {NSLocalizedDescription=
Cannot set certificate locations: OpenSSL is not enabled}

This error is generated by libgit2/settings.c:

int git_libgit2_opts(int key, ...)
{
    switch (key) {
    …
    case GIT_OPT_SET_SSL_CERT_LOCATIONS:
    #ifdef GIT_OPENSSL
    {
        /* … running with OpenSSL support, set the cert */
    }
    #else
        giterr_set(GITERR_NET, "Cannot set certificate locations: OpenSSL is not enabled");
        error = -1;
    #endif
    }
…
}

A fresh vanilla clone of the repository. Xcode 6.4, Yosemite 10.10.4. Haven’t touched any build settings or anything at all really. Should have all the required tool dependencies.

What gives?

@phatblat
Member

phatblat commented Aug 8, 2015

libgit2 recently dropped OpenSSL in favor of SecureTransport on Apple platforms #2997.

It appears that the GIT_SSL macro has been renamed to GIT_OPENSSL. I think setting the right flag (USE_OPENSSL?) in the update_libgit2 script may be enough to get this working.

Eventually it would be ideal to drop the OpenSSL dependency (looks like the Mac target still links with it). However, I don't see a way to set certificate locations in libgit2 without having OpenSSL enabled. This may need to be opened as an issue in libgit2.

@phatblat
Member

phatblat commented Aug 8, 2015

It looks like the libgit2 API has changed. git_remote_callbacks has a git_transport_certificate_check_cb field which is called "If cert verification fails". This makes me think that non-sandboxed apps may work without the old way of telling libgit2 where to find the certificate(s).

What happens when you make a connection attempt without the git_libgit2_opts call?

@phatblat
Member

@jaanus what's the reason you're providing a certificate? Is the server using a self-signed cert?

I'm able to clone from GitHub using ObjectiveGit 0.8.7 in a trivial Mac app. But on iOS, I do have to provide a cert using git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, ...)

@jaanus
Contributor Author

jaanus commented Aug 10, 2015

I was providing a certificate because I remembered this as being necessary with the previous OpenSSL approach. In fact, I did the patch to support that option a few months ago :)

However, I now simply removed passing the certificate URL, and everything works as expected for me on a sandboxed OSX app. (And I also assume it would work for a non-sandboxed app, but I didn’t test it.)

@phatblat
Member

Well, thank you for #414! I've been using that on iOS, but now it appears to no longer be necessary. I just verified that a sandboxed iOS app can also clone without being able to provide a custom cert.

This lowers the priority of #505, but I'm sure someone will eventually need to provide a custom cert.
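
For a server with a self-signed certificate, the certificate check callback mentioned in the thread can pin that one certificate without GIT_OPT_SET_SSL_CERT_LOCATIONS. This is an added example, not code from ObjectiveGit or libgit2: it assumes the raw libgit2 callback signature with a host argument and a DER-encoded certificate file, and the names PinnedCertificate, PinnedCertificateLoad, PinnedCertificateCheck and PinnedCertificateInstall are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>
#import <string.h>
#import <git2.h>

// Hypothetical payload type: the one host we pin and the SHA-256 of its DER certificate.
typedef struct {
    const char *host;
    unsigned char sha256[CC_SHA256_DIGEST_LENGTH];
} PinnedCertificate;

// Fills `pin` from a certificate file (assumption: the file is DER-encoded, not PEM).
static BOOL PinnedCertificateLoad(PinnedCertificate *pin, const char *host, NSURL *certificateURL) {
    NSData *der = [NSData dataWithContentsOfURL:certificateURL];
    if (der.length == 0) return NO;
    pin->host = host;
    CC_SHA256(der.bytes, (CC_LONG)der.length, pin->sha256);
    return YES;
}

// Matches git_transport_certificate_check_cb: 0 accepts the connection, a negative value rejects it.
static int PinnedCertificateCheck(git_cert *cert, int valid, const char *host, void *payload) {
    const PinnedCertificate *pin = payload;

    // The TLS backend already trusts this chain; there is nothing to override.
    if (valid) return 0;

    // Override only for the pinned host, and only for X.509 (not SSH host keys).
    if (pin == NULL || host == NULL || strcmp(host, pin->host) != 0) return GIT_ECERTIFICATE;
    if (cert == NULL || cert->cert_type != GIT_CERT_X509) return GIT_ECERTIFICATE;

    const git_cert_x509 *x509 = (const git_cert_x509 *)cert;
    if (x509->data == NULL || x509->len == 0) return GIT_ECERTIFICATE;
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(x509->data, (CC_LONG)x509->len, digest);

    // Accept only the exact certificate that was pinned; never return 0 unconditionally.
    return memcmp(digest, pin->sha256, sizeof(digest)) == 0 ? 0 : GIT_ECERTIFICATE;
}

// Wires the check into the callbacks struct handed to libgit2 for the clone or fetch.
// `pin` must outlive the operation; `payload` is shared with any other callbacks set here.
static void PinnedCertificateInstall(git_remote_callbacks *callbacks, PinnedCertificate *pin) {
    callbacks->certificate_check = PinnedCertificateCheck;
    callbacks->payload = pin;
}
```

Initialise the struct with GIT_REMOTE_CALLBACKS_INIT before calling PinnedCertificateInstall; where the callbacks struct sits inside the clone options depends on the libgit2 version in use.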
