gitblit
Option to explicitly enable or disable optional client certificates
Ref #1137: this setting allows you to disable optional client certificate authentication as well.
I've tested this on my server and there's no longer any prompt to pick a user certificate when connecting to the web interface.
You might want to change the wording or the name of the setting to something you see more fit, I just tried matching the requireClientCertificates setting.
Did this PR make it into 1.9.0?
No, this is still open and on the list.
I would prefer to not add a second option and expose the ambiguity of Java SSL in this case. I could imagine that the existing option is converted from a boolean to hold either an additional off value, or three completely different values like required, optional, none, or like Tomcat with true, want, false.
I guess the question is if this needs to be done in a backwards compatible way or if the meaning for false could be changed because everyone who has it set to false wants it off anyways.
Converting to true / want / false would be a good solution, for me it seems to be compatible: only those who want to have this optional need to change that setting, which - I would think - is not the vast majority.
Well, I had opted for the first one now, in the spirit of keeping backward compatibility. The three new values are required, optional and none. I did this so that an update would not change existing behaviour, which would be a surprise I myself don't really like. So the existing true and false values keep their meaning and are mapped like so:
true = required
false = optional
While it could be true that in reality hardly anyone would be affected, I unfortunately have no idea how many people still use Gitblit, i.e. how large the existing user base is that could be negatively affected. I don't think download numbers really mirror installed base.
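The value mapping settled on in this thread, as an added example that is not part of the discussion or of Gitblit's code: it parses the legacy and new values into one mode and sets the corresponding JSSE client-auth flags. The names ClientCertMode, parse and applyTo are hypothetical, and rejecting missing or unknown values is an assumption of this example.

```java
import java.util.Locale;
import javax.net.ssl.SSLParameters;

// Added example; ClientCertMode, parse and applyTo are hypothetical names.
public class ClientCertModeDemo {

    enum ClientCertMode {
        REQUIRED, OPTIONAL, NONE;

        // Map the setting's text to a mode. The legacy booleans keep the
        // meaning given in the thread: true = required, false = optional.
        static ClientCertMode parse(String raw) {
            if (raw == null) {
                throw new IllegalArgumentException("client certificate mode is not set");
            }
            switch (raw.trim().toLowerCase(Locale.ROOT)) {
                case "true":
                case "required":
                    return REQUIRED;
                case "false":
                case "optional":
                    return OPTIONAL;
                case "none":
                    return NONE;
                default:
                    // Assumption: reject typos instead of silently picking a mode.
                    throw new IllegalArgumentException("unknown client certificate mode: " + raw);
            }
        }

        // Translate the mode into the two JSSE flags. Each setter clears the
        // other flag, so exactly one call is made per mode.
        void applyTo(SSLParameters params) {
            switch (this) {
                case REQUIRED: params.setNeedClientAuth(true); break;  // handshake fails without a cert
                case OPTIONAL: params.setWantClientAuth(true); break;  // cert requested, not enforced
                default:       params.setNeedClientAuth(false); break; // no cert requested at all
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values covering the legacy and the new spellings.
        for (String raw : new String[] {"true", "false", "required", "optional", "none"}) {
            SSLParameters params = new SSLParameters();
            ClientCertMode mode = ClientCertMode.parse(raw);
            mode.applyTo(params);
            System.out.printf("%-8s -> %-8s need=%b want=%b%n", raw, mode,
                    params.getNeedClientAuth(), params.getWantClientAuth());
        }
    }
}
```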