Question
Can't use git:
git clone https://github.com/foo/bar
fails:
fatal: unable to access 'https://github.com/foo/bar': Unknown SSL protocol error in connection to github.com:443
How can I force git to use SSLv3? I tried to compile git from source, but there is no setting beyond: --with-openssl (default). Adding the following line before line 408 in remote-curl.c doesn't work either:
curl_easy_setopt(slot->curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
Here are some clues:
case 1: When my browser tries to get to https://github.com/foo/bar, it first tries TLSv1. Handshake seems to be OK: Server key exchange, server hello done (at Wireshark). But it is followed by "Ignored Unknown Record" from server and finally "Connection Reset" from server. Then a new connection but with SSLv3 kicks in and everything is fine (see picture).
case 2: curl fails using TLSv1
curl https://github.com/foo/bar
fails:
curl: (35) Unknown SSL protocol error in connection to github.com:443
Setting --sslv3 fixes the problem.
case 3: Take this one
sudo add-apt-repository ppa:cassou/emacs
fails:
pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')
Edit: curl 7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1.
Edit: debug information
Cloning into 'bar'...
* Couldn't find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
* Trying 192.30.252.130...
* Connected to github.com (192.30.252.130) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* Unknown SSL protocol error in connection to github.com:443
* Closing connection #0
fatal: unable to access 'https://github.com/foo/bar/': Unknown SSL protocol error in connection to github.com:443
Answer 1:
Update August 2015: Git 2.6+ (Q3 2015) will allow specifying the SSL version explicitly:
http: add support for specifying the SSL version
See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)
http.sslVersion
The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:
- sslv2
- sslv3
- tlsv1
- tlsv1.0
- tlsv1.1
- tlsv1.2
Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.
Original answer (Dec. 2013):
I usually see that error message when my PROXY environment variables aren't properly set:
export HTTP_PROXY=http://user:password@proxy.mycompany.com:port
export HTTPS_PROXY=http://user:password@proxy.mycompany.com:port
export NO_PROXY=.mycompany.com
You can also set up a ~/.netrc file for your GitHub credentials.
Make sure your git config http.sslcainfo does reference your /path/to/git/bin/curl-ca-bundle.crt, in order for curl to be able to validate the certificate associated to the GitHub server.
One workaround, if https really doesn't work, is to use an ssh url:
git clone ssh://user@server:project.git
(if you have generated a private and public key first, and registered that public key to your GitHub account)
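The precedence quoted in the answer (GIT_SSL_VERSION overrides http.sslVersion, and an empty GIT_SSL_VERSION selects libcurl's default) can be checked on a workstation with the following added shell example, which is not part of the original answer or of git. The function names are hypothetical; flagging sslv2 and sslv3 as deprecated is an addition based on RFC 6176 and RFC 7568, which prohibit those protocols.

```shell
#!/bin/sh
# Added example: report which SSL/TLS version git would request.

# effective_ssl_version CONFIG_VALUE ENV_IS_SET ENV_VALUE
#   CONFIG_VALUE: value of http.sslVersion (may be empty)
#   ENV_IS_SET:   1 if GIT_SSL_VERSION exists in the environment, else 0
#   ENV_VALUE:    value of GIT_SSL_VERSION (may be the empty string)
effective_ssl_version() {
    if [ "$2" = 1 ]; then
        # The environment variable wins; an empty string means
        # "use libcurl's default and ignore http.sslVersion".
        if [ -z "$3" ]; then echo default; else echo "$3"; fi
    elif [ -n "$1" ]; then
        echo "$1"
    else
        echo default
    fi
}

# classify_ssl_version VERSION -> deprecated | tls | default | unlisted
classify_ssl_version() {
    case $1 in
        sslv2|sslv3)                   echo deprecated ;; # RFC 6176, RFC 7568
        tlsv1|tlsv1.0|tlsv1.1|tlsv1.2) echo tls ;;        # values listed in the answer
        default)                       echo default ;;
        *)                             echo unlisted ;;   # not in the answer's list
    esac
}

# audit_git_ssl: read the real settings and print one line of findings.
audit_git_ssl() {
    audit_cfg=$(git config --get http.sslVersion 2>/dev/null || true)
    # ${VAR+set} distinguishes "unset" from "set to the empty string".
    if [ "${GIT_SSL_VERSION+set}" = set ]; then audit_env=1; else audit_env=0; fi
    audit_ver=$(effective_ssl_version "$audit_cfg" "$audit_env" "${GIT_SSL_VERSION-}")
    echo "effective=$audit_ver status=$(classify_ssl_version "$audit_ver")"
}

audit_git_ssl
```

Run it inside a repository to include repository-level configuration in the lookup.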
Source: https://stackoverflow.com/questions/20734020/make-git-revert-to-sslv3-when-tlsv1-fails-with-ignored-unknown-record