
I use git on Windows 10, behind an SSL company proxy with a self-signed certificate, bypassed with cntlm, with the certificate added to a custom curl-ca-bundle.crt file.

Starting with Git 2.5, when I do a

git clone 'https://XXXX@bitbucket.org/XXXX/XXXX.git/'

I receive the error below:

fatal: unable to access 'https://XXXX@bitbucket.org/XXXX/XXXX.git/':
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small

Probably this problem is related to the poor quality of the self-signed certificate, but I can't change the certificate itself (it is out of my control).

Please, note that:

  • If you see XXXX, it is a value redacted for security/privacy, but this is not relevant
  • I can't rebuild the self-signed certificate (it is out of my control)
  • I've already tried with git config https.sslVerify false (even with --global, to be sure...)
  • with the previous git version this problem did not happen

Below is my own configuration:

git config --list

core.symlinks=false
core.autocrlf=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
pack.packsizelimit=2g
help.format=html
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
diff.astextplain.textconv=astextplain
rebase.autosquash=true
http.proxy=http://localhost:9999
http.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
https.proxy=https://localhost:9999
https.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt

Is there a way to fix this problem?

UPDATE:

After @VonC's suggestion, I've changed the settings to use per-project settings. I left the global settings as default and changed the per-project settings, but the problem still persists.

So, now the settings are as below:

Global settings:

core.symlinks=false
core.autocrlf=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
pack.packsizelimit=2g
help.format=html
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
diff.astextplain.textconv=astextplain
rebase.autosquash=true

per-project settings:

core.symlinks=false
core.autocrlf=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
pack.packsizelimit=2g
help.format=html
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
diff.astextplain.textconv=astextplain
rebase.autosquash=true
http.proxy=http://localhost:9999
http.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
https.proxy=https://localhost:9999
https.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
  • Also see [SSL operation failed with code 1: DH key too small](http://stackoverflow.com/q/30701397). – jww Sep 24 '15 at 12:06

2 Answers


DISCLAIMER: THIS SOLUTION IS LEFT AS A LAST HOPE FOR PEOPLE WHO CANNOT USE THE RIGHT ONE FROM THE SUGGESTION ABOVE.

PLEASE, USE ONLY IF YOU REALLY UNDERSTAND ALL THE IMPLICATIONS AND SECURITY PROBLEMS THAT THIS SOLUTION INVOLVES.

This solution must be used only if you don't have any other option; if possible, downgrade your git version to something below 2.5 or wait for Git 2.6.

As the first and better, more secure solution, please check the reply below from VonC.

If you absolutely need a quick (BUT, I REPEAT, WRONG) solution, you can follow the steps below, tested on Win 7 x64 and Win 10 x64:

  1. Download the pre-compiled library for your platform from http://www.openssl.org/community/binaries.html: openssl-1.0.2-i386-win32.zip (Win 32) or openssl-1.0.2-x64_86-win64.zip (Win x64).

  2. Extract the downloaded file into a temporary directory.

  3. Rename c:\Program Files\Git\mingw64\bin\ssleay32.dll to something else (just as a backup in case something goes wrong...).

  4. Copy the ssleay32.dll extracted in point 1 to c:\Program Files\Git\mingw64\bin\

This will downgrade the SSL library to a less secure version that accepts DH keys smaller than 768 bits.

  • Hi @user1428716, what do you mean? I use this solution on 12 machines with Win 7, 8.1 and 10 and it always works... Anyway, install git 2.6 and you will have a new setting that allows you to solve this problem: use the http.sslVersion parameter, check https://git-scm.com/docs/git-config – Marco Oct 21 '15 at 06:44

One workaround is:

  • do not put your self-signed certificate in your git distro's curl-ca-bundle.crt
  • put it in a dedicated file.crt

That will have 2 side-effects:

  1. Your push to Bitbucket can proceed
  2. Any repo which might actually need that self-signed certificate can add a local git config http.sslCAInfo /path/to/self-signed/certificate

This would ensure that only the custom cert file is used for that repo:

git -c http.https://bitbucket.org/.sslcainfo=/path/to/mycertif.cert clone https://XXXX@bitbucket.org/XXXX/XXXX.git

But, as the OP Marco confirms in the comments, the error message persists:

error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small

It is seen in Ubuntu 12.04+:

As a security improvement, this update also modifies OpenSSL behaviour to reject DH key sizes below 768 bits, preventing a possible downgrade attack.

One possible solution is to specify the cipher you want to use... but that won't be possible before git 2.6 (end of Sept. 2015).

  • Thank you for your suggestion, but as you can see in my git config, my self-signed certificate is already in a separate custom file under the user profile. The file has the same name as the original one only for convenience, but it is in another path and is the file used by git (as far as I can understand from the git config command...) – Marco Aug 29 '15 at 09:32
  • @Marco I see multiple https.sslcainfo in there: the last one will prevail. It would be best to make those settings per url: `git config http.https://localhost:9999/.sslcainfo=/path/to/mycertif.cert`. That way, the global config won't be overridden. – VonC Aug 29 '15 at 09:35
  • I just tested your suggestion but nothing changed. Now I have left the global settings as default and changed the per-project settings, but the problem still persists. – Marco Aug 31 '15 at 06:50
  • @Marco why not `git config http.https://localhost:9999/.sslcainfo=/path/to/mycertif.cert`? It forces git to consider that file, instead of falling back to the global config. – VonC Aug 31 '15 at 06:53
  • I used the command that you suggested but nothing happened. I don't see any change in git config and I don't see any kind of change to the per-project settings, so I did it manually. How can I tell that the suggested command has worked properly? – Marco Aug 31 '15 at 07:09
  • @Marco were you in the git repo when you used it? – VonC Aug 31 '15 at 07:10
  • Yes, I'm in the empty folder where the repository will be created for the first clone – Marco Aug 31 '15 at 07:54
  • Ok, got it. So that setting will be ignored by the git clone command. Try `git -c http.https://localhost:9999/.sslcainfo=/path/to/mycertif.cert clone https://XXXX@bitbucket.org/XXXX/XXXX.git` – VonC Aug 31 '15 at 07:59
  • OK, now I get SSL certificate problem: unable to get local issuer certificate with the exact same path used in global – Marco Aug 31 '15 at 08:04
  • @Marco then try `git -c http.https://bitbucket.org/.sslcainfo=/path/to/mycertif.cert clone https://XXXX@bitbucket.org/XXXX/XXXX.git` – VonC Aug 31 '15 at 08:05
  • OK, now I'm back to the same previous error. I'm almost sure that it is something related to the SSL library. – Marco Aug 31 '15 at 09:24
  • @Marco I have edited my answer to reflect that. Can you check if http://stackoverflow.com/a/30442395/6309 could change anything? – VonC Aug 31 '15 at 09:36
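A small Python model of the config precedence VonC points out in the comments (for a single-valued key such as http.sslcainfo the last occurrence wins, and http.<url>.* entries are consulted only for matching URLs). This is an added example, not code from the question or either answer; the sample listing is constructed from the OP's `git config --list` output, with one extra per-URL line that is not in the post, and the URL matching is simplified relative to git's own rules.

```python
from urllib.parse import urlparse

# Constructed sample modelled on the OP's `git config --list` output (paths
# redacted as in the post); the last, per-URL line is added and NOT in the post.
SAMPLE_CONFIG = """\
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
http.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
https.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
http.https://bitbucket.org/.sslcainfo=c:/Users/XXXX/bitbucket-only.crt
"""

def parse_config(text):
    # Single-valued keys: git keeps the LAST occurrence. Earlier values of a
    # repeated key go into `shadowed` so the silent override becomes visible.
    # (`git config --list` already prints section/variable names lowercased.)
    effective, shadowed = {}, {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            key = key.strip()
            if key in effective:
                shadowed.setdefault(key, []).append(effective[key])
            effective[key] = value
    return effective, shadowed

def effective_for_url(effective, url, var):
    # Value git uses for http.<var> on `url`: the longest matching
    # http.<url>.<var> wins over plain http.<var>. Matching is simplified to
    # same scheme/host/port plus a path-prefix test.
    u = urlparse(url)
    best, best_len = effective.get("http." + var), -1
    for key, value in effective.items():
        if not (key.startswith("http.") and key.endswith("." + var)):
            continue
        pattern = key[len("http."):-len("." + var)]
        p = urlparse(pattern) if pattern else None
        if (p and (p.scheme, p.hostname, p.port) == (u.scheme, u.hostname, u.port)
                and u.path.startswith(p.path) and len(pattern) > best_len):
            best, best_len = value, len(pattern)
    return best

def findings(effective, shadowed):
    # Points a reviewer wants flagged: silent overrides, disabled verification,
    # and https.* keys, which git does not read (http.* also covers https URLs).
    out = ["%s: earlier value(s) %s shadowed" % (k, v) for k, v in shadowed.items()]
    if effective.get("http.sslverify", "true").lower() == "false":
        out.append("http.sslverify=false: certificate validation is disabled")
    if any(k.startswith("https.") for k in effective):
        out.append("https.* keys are ignored by git; use http.* for https URLs too")
    return out
```

Run `findings(*parse_config(SAMPLE_CONFIG))` to see which of the OP's two http.sslcainfo values is actually in force and which entries git never reads.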