5

Environment: Fedora 15 x64 (yes, we are moving away from it), git 1.7.11.1.

We're hitting a problem with git clone which fails on an https repository because the cipher that's used by the Git server isn't enabled by default on the client.

We managed to replicate the problem with plain "curl -v" (curl 7.21.3, but git seems to be using its own copy):

    curl -v https://git.repo.com

(the internal server name was replaced) fails like Git, but:

    curl --cipher rsa_rc4_128_sha -v https://git.repo.com

succeeds.

The question now is how can we pass such a flag to libcurl, which is used by Git. So far I haven't found such a way (googled about libcurl, git, looked at Git's and libcurl's sources).

Capt. Crunch
  • Looking further in the libcurl source, the `curl --cipher` command line flag sets `CURLOPT_SSL_CIPHER_LIST`, which is not mentioned anywhere in the Git source code. So far it looks like it's just not supported. :( – Capt. Crunch Oct 29 '12 at 00:12

2 Answers

2

No, the option to specify the list of ciphers to libcurl is called CURLOPT_SSL_CIPHER_LIST but is not used by git.

You would need to modify the git source code to introduce this feature. Shouldn't be too hard and possibly you can convince the git project to accept this change for the future!

Daniel Stenberg
2

Git support for choosing SSL ciphers

Since Git version 2.5.0 (see release notes) you can use the http.sslCipherList git configuration variable to do this. If you are able to upgrade your Git version this is the best way to accomplish passing a list of ciphers to libcURL via Git.

The http.sslCipherList variable is described as follows within Git's documentation:

A list of SSL ciphers to use when negotiating an SSL connection. The available ciphers depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the CURLOPT_SSL_CIPHER_LIST option; see the libcurl documentation for more details on the format of this list.

Git command

To set the cipher list globally for Git you would run:

    git config --global http.sslCipherList "<List of Cipher Identifiers>"

It is extremely important to understand that the cipher identifiers accepted by cURL differ based upon the SSL library cURL has been linked against! That makes this configuration value non-portable between all installations of cURL which differ in their linked SSL library.

Additionally, while I have linked back-end specific documentation below, only the cURL documentation on cipher identifiers is reliable because the cURL developers did not perfectly reproduce the various identifiers for each back-end as detailed in this mailing list thread.

Resources

Emily Mabrey
  • Good summary. +1 That comes from Git 2.5+ (Q2 2015): https://stackoverflow.com/a/30442395/6309 – VonC Jan 02 '18 at 22:53
  • I just thought to look that up after I posted and I came back to find you already did the legwork for me. Wish I'd seen your comment before I looked the introduction version up myself! I've edited the answer to include reference to the required git version. – Emily Mabrey Jan 02 '18 at 22:57
  • No problem: I have been doing that kind of legwork (about new Git features) for a looong time now. – VonC Jan 02 '18 at 23:03
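
An added example, not part of the question or answers above: RC4 suites such as the one in the question are prohibited for TLS by RFC 7465, so a practitioner would normally scope the override to the one server that needs it with Git's `http.<url>.*` form rather than `--global`, and then confirm what Git will actually use. The function names, the throwaway config file and the `other.example` URL are assumptions made for illustration; `git.repo.com` and `rsa_rc4_128_sha` are the question's own placeholder host and identifier.

```shell
#!/bin/sh
# Added example (not from the original answers).
# Scope http.sslCipherList to one server instead of using --global, then
# report which cipher list Git would hand to libcurl for a given URL.

# scope_ciphers CONFIG_FILE BASE_URL CIPHER_LIST (hypothetical helper)
# Writes http.<BASE_URL>.sslCipherList so only that server is affected.
scope_ciphers() {
    git config --file "$1" "http.$2.sslCipherList" "$3"
}

# effective_ciphers CONFIG_FILE REMOTE_URL (hypothetical helper)
# Prints the value Git's URL matching selects; exit status 1 if none applies.
effective_ciphers() {
    git config --file "$1" --get-urlmatch http.sslCipherList "$2"
}

# cipher_source CONFIG_FILE REMOTE_URL (hypothetical helper)
# GIT_SSL_CIPHER_LIST, when set (even to ""), overrides the config value;
# an empty value makes Git fall back to libcurl's default list.
cipher_source() {
    if [ -n "${GIT_SSL_CIPHER_LIST+set}" ]; then
        printf 'env:%s\n' "$GIT_SSL_CIPHER_LIST"
    elif value=$(effective_ciphers "$1" "$2"); then
        printf 'config:%s\n' "$value"
    else
        printf 'libcurl-default\n'
    fi
}

# Demo against a throwaway config file (constructed values: the question's
# placeholder host and its NSS-style identifier; other.example is made up).
demo() {
    cfg=$(mktemp) || return 1
    scope_ciphers "$cfg" "https://git.repo.com/" "rsa_rc4_128_sha"
    for url in https://git.repo.com/team/project.git https://other.example/x.git; do
        printf '%s -> %s\n' "$url" "$(cipher_source "$cfg" "$url")"
    done
    rm -f "$cfg"
}
demo
```

To apply the same scoping to a real installation, replace `--file "$1"` with `--global`; every other HTTPS remote then keeps libcurl's default cipher list.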