git.ipfire.org Git - thirdparty/git.git/commit

author	David Timber <dxdt@dev.snart.me>
	Mon, 2 Mar 2026 03:16:41 +0000 (12:16 +0900)
committer	Junio C Hamano <gitster@pobox.com>
	Mon, 2 Mar 2026 16:39:26 +0000 (08:39 -0800)
commit	a8215a2051411bbaa1ea1464026cb473fbf8f83c
tree	13c10c48e2f84a5ab2ab69f59412f1e37709f797	tree \| snapshot
parent	67ad42147a7acc2af6074753ebd03d904476118f	commit \| diff

send-email: add client certificate options

For SMTP servers that do "mutual certificate verification", the mail
client is required to present its own TLS certificate as well. This
patch adds --smtp-ssl-client-cert and --smtp-ssl-client-key for such
servers.

The problem of which private key for the certificate is chosen arises
when there are private keys in both the certificate and private key
file. According to the documentation of IO::Socket::SSL(link supplied),
the behaviour(the private key chosen) depends on the format of the
certificate. In a nutshell,

- PKCS12: the key in the cert always takes the precedence
- PEM: if the key file is not given, it will "try" to read one
from the cert PEM file

Many users may find this discrepancy unintuitive.

In terms of client certificate, git-send-email is implemented in a way
that what's possible with perl's SSL library is exposed to the user as
much as possible. In this instance, the user may choose to use a PEM
file that contains both certificate and private key should be
at their discretion despite the implications.

Link: https://metacpan.org/pod/IO::Socket::SSL#SSL_cert_file-%7C-SSL_cert-%7C-SSL_key_file-%7C-SSL_key
Link: https://lore.kernel.org/all/319bf98c-52df-4bf9-b157-e4bc2bf087d6@dev.snart.me/
Signed-off-by: David Timber <dxdt@dev.snart.me>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

Documentation/config/sendemail.adoc		diff \| blob \| blame \| history
Documentation/git-send-email.adoc		diff \| blob \| blame \| history
git-send-email.perl		diff \| blob \| blame \| history