8

I just installed a new version of GitLab. After the new installation, SSL is not working... it throws an SSL23_GET_SERVER_HELLO:sslv3 alert handshake error. SSH is working fine. The only difference I see is that in the old one the browser says it is using TLS 1.0, and in the new version it says 1.2. Since this has nothing to do with GitLab, I am posting the problem on Stack Overflow...

```
$ git clone https://gitlabserver/group/project.git
Cloning into 'project'...
* Couldn't find host gitlabserver in the _netrc file; using defaults
* Adding handle: conn: 0x282d6f8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x282d6f8) send_pipe: 1, recv_pipe: 0
* About to connect() to gitlabserver port 443 (#0)
*   Trying gitlabserver...
* Connected to gitlabserver port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: c:/Users/lanid/curl-ca-bundle.crt
  CApath: none
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

* Closing connection 0
fatal: unable to access 'https://gitlabserver/group/project.git/': error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
```

Here is OpenSSL s_client output while testing with TLS 1.0 and SNI:

```
openssl s_client -connect <hostname>:<port> -tls1 -servername <hostname>

Loading 'screen' into random state - done
CONNECTED(00000208)
8008:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1126:SSL alert number 40
8008:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:547:
```

The same command for another server with the same setup but the old version works fine...

jww
maestromani
  • @jww, Done, thanks... – maestromani Jun 29 '15 at 11:15
  • 1
    Alert 40 is what I was looking for.... And one last test... try again with the `-tls1_2` option instead of `-tls1`. – jww Jun 29 '15 at 11:30
  • @jww, I get `unknown option -tls1_2` from the client machine.... `$ openssl version` `OpenSSL 0.9.8zb 6 Aug 2014` – maestromani Jun 29 '15 at 11:34
  • 1
    Oh my... are you on OS X? (Maybe not because I am using OS X 10.8, and its version `OpenSSL 0.9.8zd 8 Jan 2015`). Can you use Brew or MacPorts to install an updated version for testing like this? Or see OpenSSL's [Compilation and Installation](https://wiki.openssl.org/index.php/Compilation_and_Installation), and then use the one in `/usr/local/ssl/bin`. – jww Jun 29 '15 at 12:08
  • @jww, upgrading openssl resolved things... – maestromani Jun 29 '15 at 14:50
  • 1
    You should provide an answer, and accept your own answer. That's how Stack Overflow works. – jww Jun 30 '15 at 20:36

3 Answers

6

If you are facing this issue on the Git client, then install the latest version of Git Bash.

I faced the same issue and resolved it by installing the new Git client.

3

Upgrading openssl resolved this issue...

maestromani
2

An upgrade of OpenSSL should resolve your issues.

OpenSSL has had some serious vulnerabilities exposed of late. As well, many web servers around the web have tightened up security to block those vulnerable protocols and ciphers.

propMaster
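A triage sketch for the failure discussed in this thread, added here as an example and not code from any of the posters: it pulls the alert number out of `s_client` output and checks whether the client's `openssl version` banner is at least 1.0.1, the first release line with TLS 1.2 and the `-tls1_2` option. The function names, the verdict strings and the `probe` helper are assumptions for illustration; the two sample lines are copied from the question and comments above.

```shell
# Added example, not from the thread. Samples copied from the question/comments.
SAMPLE_ERR='8008:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1126:SSL alert number 40'
SAMPLE_VER='OpenSSL 0.9.8zb 6 Aug 2014'

# Print the TLS alert number found in s_client output (empty if none).
alert_number() {
    printf '%s\n' "$1" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the `openssl version` banner is >= 1.0.1, 1 if it is older,
# 2 if the string is not an OpenSSL banner at all.
client_has_tls12() {
    _ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$_ver" ] || return 2
    IFS=. read -r _maj _min _pat <<EOF
$_ver
EOF
    _min=${_min:-0}; _pat=${_pat%%.*}; _pat=${_pat:-0}
    [ "$_maj" -gt 1 ] && return 0
    [ "$_maj" -eq 1 ] && { [ "$_min" -gt 0 ] || [ "$_pat" -ge 1 ]; } && return 0
    return 1
}

# Heuristic verdict. $1 = s_client output, $2 = `openssl version` output.
# Alerts 40 (handshake_failure) and 70 (protocol_version) seen by a client
# that predates TLS 1.2 point at the client first, as in this thread.
diagnose() {
    _alert=$(alert_number "$1")
    case "$_alert" in
        40|70) if client_has_tls12 "$2"; then echo "check-server-config"
               else echo "client-too-old"; fi ;;
        "")    echo "no-alert" ;;
        *)     echo "other-alert-$_alert" ;;
    esac
}

# Live check against your own server: which protocol flags complete a handshake.
# A flag the local openssl does not know is reported as failed as well.
probe() {  # usage: probe <hostname> <port>
    for _flag in -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$1:$2" -servername "$1" "$_flag" \
               </dev/null >/dev/null 2>&1; then echo "$_flag ok"
        else echo "$_flag failed or unsupported by this client"; fi
    done
}

diagnose "$SAMPLE_ERR" "$SAMPLE_VER"   # prints: client-too-old
```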