Make git revert to SSLv3 when TLSv1 fails with “Ignored Unknown Record”

限于喜欢 submitted on 2021-02-07 03:19:16

Question


Can't use git:

git clone https://github.com/foo/bar

fails:

fatal: unable to access 'https://github.com/foo/bar': Unknown SSL  protocol error in connection to github.com:443

How can I force git to use SSLv3? I tried to compile git from source, but there is no setting beyond: --with-openssl (default). Adding the following line before line 408 in remote-curl.c doesn't work either:

 curl_easy_setopt(slot->curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);

Here are some clues:

  • case 1: When my browser tries to get to https://github.com/foo/bar, it first tries TLSv1. The handshake seems to be OK: Server key exchange, server hello done (in Wireshark). But it is followed by "Ignored Unknown Record" from the server and finally "Connection Reset" from the server. Then a new connection with SSLv3 kicks in and everything is fine (see picture).

  • case 2: curl fails using TLSv1

    curl https://github.com/foo/bar
    

    fails:

    curl: (35) Unknown SSL protocol error in connection to github.com:443
    

    Setting --sslv3 fixes the problem.

  • case 3: Take this one

    sudo add-apt-repository  ppa:cassou/emacs
    

    fails:

    pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')
    

Edit: curl 7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1.

Edit: debug information

Cloning into 'bar'...
* Couldn't find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
*   Trying 192.30.252.130... * Connected to github.com (192.30.252.130) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
* Unknown SSL protocol error in connection to github.com:443
* Closing connection #0
fatal: unable to access 'https://github.com/foo/bar/': Unknown SSL       protocol error in connection to github.com:443

Answer 1:


Update August 2015: Git 2.6+ (Q3 2015) will allow you to specify the SSL version explicitly:

http: add support for specifying the SSL version

See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)

http.sslVersion

The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:

  • sslv2
  • sslv3
  • tlsv1
  • tlsv1.0
  • tlsv1.1
  • tlsv1.2

Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.


Original answer (Dec. 2013):

I usually see that error message when my PROXY environment variables aren't properly set:

export HTTP_PROXY=http://user:password@proxy.mycompany.com:port
export HTTPS_PROXY=http://user:password@proxy.mycompany.com:port
export NO_PROXY=.mycompany.com

You can also set up a ~/.netrc file for your GitHub credentials.

Make sure your git config http.sslcainfo references your /path/to/git/bin/curl-ca-bundle.crt, so that curl is able to validate the certificate associated with the GitHub server.


One workaround, if https really doesn't work, is to use an ssh URL:

git clone ssh://user@server/project.git

(if you have generated a private and public key first, and registered that public key to your GitHub account)
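
Added example, not part of the original answer or of Git's own code: a POSIX shell check that resolves the effective pin from http.sslVersion and GIT_SSL_VERSION as described above and classifies it. The function names and the policy that anything below tlsv1.2 counts as legacy are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the SSL/TLS version pin that git passes to libcurl.

# Classify one value. Matching is exact; anything not listed is "unknown".
# Treating everything below tlsv1.2 as legacy is this example's policy.
classify_ssl_version() {
    case "$1" in
        "")                                echo "default" ;;  # libcurl chooses
        sslv2|sslv3|tlsv1|tlsv1.0|tlsv1.1) echo "legacy" ;;
        tlsv1.2|tlsv1.3)                   echo "ok" ;;  # tlsv1.3: later Git releases
        *)                                 echo "unknown" ;;
    esac
}

# GIT_SSL_VERSION, when set (even to ""), overrides http.sslVersion.
# $1 is the configured http.sslVersion value.
effective_ssl_version() {
    if [ "${GIT_SSL_VERSION+set}" = "set" ]; then
        printf '%s\n' "$GIT_SSL_VERSION"
    else
        printf '%s\n' "$1"
    fi
}

# Print source, value and verdict; return non-zero for legacy/unknown pins.
audit_git_ssl_version() {
    cfg=$(git config --get http.sslVersion 2>/dev/null || true)
    eff=$(effective_ssl_version "$cfg")
    verdict=$(classify_ssl_version "$eff")
    if [ "${GIT_SSL_VERSION+set}" = "set" ]; then
        src="GIT_SSL_VERSION"
    else
        src="http.sslVersion"
    fi
    printf 'source=%s value=%s verdict=%s\n' \
        "$src" "${eff:-(libcurl default)}" "$verdict"
    [ "$verdict" = "default" ] || [ "$verdict" = "ok" ]
}

audit_git_ssl_version || echo "review the pinned SSL version" >&2
```

Run it inside a repository to include that repository's local configuration in the lookup.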



Source: https://stackoverflow.com/questions/20734020/make-git-revert-to-sslv3-when-tlsv1-fails-with-ignored-unknown-record
