5

Can't use git:

    git clone https://github.com/foo/bar

fails:

    fatal: unable to access 'https://github.com/foo/bar': Unknown SSL protocol error in connection to github.com:443

How can I force git to use SSLv3? I tried to compile git from source, but there is no setting beyond: --with-openssl (default). Adding the following line before line 408 in remote-curl.c doesn't work either:

    curl_easy_setopt(slot->curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);

Here are some clues:

  • case 1: When my browser tries to get to https://github.com/foo/bar, it first tries TLSv1. The handshake seems to be OK: Server key exchange, server hello done (in Wireshark). But it is followed by "Ignored Unknown Record" from the server and finally "Connection Reset" from the server. Then a new connection, but with SSLv3, kicks in and everything is fine (see picture).

  • case 2: curl fails using TLSv1

    curl https://github.com/foo/bar
    

    fails:

    curl: (35) Unknown SSL protocol error in connection to github.com:443
    

    Setting --sslv3 fixes the problem.

  • case 3: Take this one

    sudo add-apt-repository ppa:cassou/emacs
    

    fails:

    pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')
    

Edit: curl 7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1.

Edit: debug information

    Cloning into 'bar'...
    * Couldn't find host github.com in the .netrc file; using defaults
    * About to connect() to github.com port 443 (#0)
    *   Trying 192.30.252.130... * Connected to github.com (192.30.252.130) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
        CApath: /etc/ssl/certs
    * Unknown SSL protocol error in connection to github.com:443
    * Closing connection #0
    fatal: unable to access 'https://github.com/foo/bar/': Unknown SSL protocol error in connection to github.com:443
Yasser
  • 1
    What version of Git are you using? What version of curl? What OS? Linux? Windows? Cygwin? – VonC Dec 22 '13 at 21:10
  • Please add debug information using `GIT_CURL_VERBOSE=1` – Yuval Adam Dec 22 '13 at 21:11
  • I downloaded the git source code from github. curl 7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1. – Yasser Dec 22 '13 at 21:14
  • Are you manually setting CAfile/CApath? Check your `git config` – Yuval Adam Dec 22 '13 at 21:20
  • Is there anything unorthodox about your connection? Do you require a proxy? VPN? Do you usually have HTTPS issues? – Yuval Adam Dec 22 '13 at 21:23
  • I CAN get to github without a proxy (home connection). But I know that a lot of filtering, with lots of transparent proxies and whatever, happens in my country. They hate HTTPS. Did you see the picture? – Yasser Dec 22 '13 at 21:26
  • There might be some SSL tampering going on there. Can you pastebin the SSL cert fingerprints? – Yuval Adam Dec 22 '13 at 21:29
  • Could you please be more specific? How can I get that? I have Wireshark. I can dump the pcap. – Yasser Dec 22 '13 at 21:31
  • @YasserMZadeh check your `http.sslcainfo` git config (see my edited answer below) – VonC Dec 22 '13 at 21:32
  • @YasserMZadeh pcap dump would be great. Feel free to anonymize it though, keeping the relevant stuff intact. – Yuval Adam Dec 22 '13 at 21:33
  • @Yuval Adam Here is the pcap (accessing https://bower.herokuapp.com/packages/jquery): https://app.box.com/s/9sogi1ja7rr24stbr5zo – Yasser Dec 22 '13 at 22:01
  • 1
    From a quick glance I don't see any signs of malicious behavior, though I might be missing something. – Yuval Adam Dec 22 '13 at 22:17
  • Git 2.6 will provide a new interesting option: see [my edited answer below](http://stackoverflow.com/a/20734176/6309) – VonC Aug 27 '15 at 06:08

1 Answer

5

Update August 2015: Git 2.6+ (Q3 2015) will allow specifying the SSL version explicitly:

http: add support for specifying the SSL version

See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)

http.sslVersion

The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:

  • sslv2
  • sslv3
  • tlsv1
  • tlsv1.0
  • tlsv1.1
  • tlsv1.2

Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.


Original answer (Dec. 2013):

I usually see that error message when my PROXY environment variables aren't properly set:

    export HTTP_PROXY=http://user:password@proxy.mycompany.com:port
    export HTTPS_PROXY=http://user:password@proxy.mycompany.com:port
    export NO_PROXY=.mycompany.com

You can also set up a ~/.netrc file for your GitHub credentials.

Make sure your git config http.sslcainfo does reference your /path/to/git/bin/curl-ca-bundle.crt, in order for curl to be able to validate the certificate associated to the GitHub server.


One workaround, if https really doesn't work, is to use an ssh url:

    git clone ssh://user@server/project.git

(if you have generated a private and public key first, and registered that public key to your GitHub account)

Community
VonC
  • Thanks. That workaround worked. But I have the same issue with "bower install jquery" which fails: retry Request to https://bower.herokuapp.com/packages/jquery failed with ECONNRESET. (That picture was from this command actually, not git). I can access that link without proxy but with SSLv3. – Yasser Dec 22 '13 at 21:48
  • 1
    @YasserMZadeh strange. I saw this with https://github.com/bower/bower/issues/631, related to network issues. – VonC Dec 22 '13 at 22:08
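
An added example (not from the question, the answer, or the git project): a POSIX shell check that resolves which value git will hand to libcurl, using the override order quoted in the answer (GIT_SSL_VERSION over http.sslVersion, with the empty string meaning libcurl's default), and flags a pinned SSL or early-TLS version. The function names and the insecure/legacy/ok labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit which SSL/TLS version git would request from libcurl.
# Value names come from the http.sslVersion documentation quoted in the answer;
# the function names and the risk labels are this example's own.

# effective_ssl_version ENV_IS_SET ENV_VALUE CONFIG_VALUE
# GIT_SSL_VERSION, when set, overrides http.sslVersion; set to the empty
# string it forces libcurl's default. Prints the value or "default".
effective_ssl_version() {
    if [ "$1" = 1 ]; then
        value=$2
    else
        value=$3
    fi
    printf '%s\n' "${value:-default}"
}

# classify_ssl_version VALUE -> insecure | legacy | ok | default | unknown
classify_ssl_version() {
    case "$1" in
        sslv2|sslv3)     echo insecure ;;  # SSL 2.0/3.0 prohibited (RFC 6176, RFC 7568)
        tlsv1.0|tlsv1.1) echo legacy ;;    # TLS 1.0/1.1 deprecated (RFC 8996)
        tlsv1|tlsv1.2)   echo ok ;;        # tlsv1 means "TLS 1.0 or later" in libcurl
        default)         echo default ;;
        *)               echo unknown ;;   # not one of the documented values
    esac
}

# audit_git_ssl_version: read the live environment and git config, print a
# one-line report, and return non-zero when the verdict is not ok/default.
audit_git_ssl_version() {
    env_set=0
    [ "${GIT_SSL_VERSION+x}" = x ] && env_set=1
    cfg=$(git config --get http.sslVersion 2>/dev/null || true)
    eff=$(effective_ssl_version "$env_set" "${GIT_SSL_VERSION-}" "$cfg")
    verdict=$(classify_ssl_version "$eff")
    echo "effective=$eff verdict=$verdict (env_set=$env_set config=${cfg:-unset})"
    case "$verdict" in insecure|legacy|unknown) return 1 ;; esac
    return 0
}
```

Source the file and call `audit_git_ssl_version` from a login script or CI step; a non-zero status means a pinned protocol version needs review.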