How to overcome the git error `Unknown SSL protocol error in connection`

Question

I\'m trying to git clone some repository, but then I get the error:

$ git clone --recursive https://some-url.git
Cloning into \'project\'...
fatal: unable to         


        

Answer 1

how can I configure it to use TLS?

Git 2.5 (August 2015) already allows to specify a list of ciphers to use when negotiating SSL connections, with http.sslCipherList and GIT_SSL_CIPHER_LIST.
(See Cannot communicate securely with peer: no common encryption algorithm(s))

Starting Git 2.6+ (Q3 2015), it will be possible to specify the SSL version explicitly:

http: add support for specifying the SSL version

See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
^{(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)}

http.sslVersion

The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:

• sslv2
• sslv3
• tlsv1
• tlsv1.0
• tlsv1.1
• tlsv1.2

Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.

---

The setting above is important since GitHub now (Feb. 2018) forces disabling weak cryptographic standards.

On February 8, 2018 we’ll start disabling the following:

• TLSv1/TLSv1.1: This applies to all HTTPS connections, including web, API, and git connections to https://github.com and https://api.github.com.
• diffie-hellman-group1-sha1: This applies to all SSH connections to github.com
• diffie-hellman-group14-sha1: This applies to all SSH connections to github.com

---

Git 2.18 (Q2 2018) can now use TLSv1.3:
When built with more recent cURL, GIT_SSL_VERSION can now specify "tlsv1.3" as its value.

See commit d81b651 (29 Mar 2018) by Loganaden Velvindron (loganaden).
^{(Merged by Junio C Hamano -- gitster -- in commit 9b59d88, 11 Apr 2018)}

http: allow use of TLS 1.3

Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options.
libcurl has supported this since 7.52.0.

This requires OpenSSL 1.1.1 with TLS 1.3 enabled or curl built with recent versions of NSS or BoringSSL as the TLS backend.

---

With Git 2.21 (Q1 2019), a new "http.version" configuration variable can be used with recent enough cURL library to force the version of HTTP used to talk when fetching and pushing.

See commit d73019f (09 Nov 2018) by Force Charlie (fcharlie).
^{(Merged by Junio C Hamano -- gitster -- in commit 13d9919, 04 Jan 2019)}

http: add support selecting http version

Usually we don't need to set libcurl to choose which version of the HTTP protocol to use to communicate with a server.
But different versions of libcurl, the default value is not the same.

CURL >= 7.62.0: CURL_HTTP_VERSION_2TLS
CURL < 7.62: CURL_HTTP_VERSION_1_1

In order to give users the freedom to control the HTTP version, we need to add a setting to choose which HTTP version to use.

The git config man page now shows:

http.version:

Use the specified HTTP protocol version when communicating with a server.
If you want to force the default.
The available and default version depend on libcurl.
Actually the possible values of this option are:

• HTTP/2
• HTTP/1.1