Reputation: 527
I use Git on Windows 10, behind an SSL company proxy with a self-signed certificate, bypassed with cntlm, with the certificate added to a custom curl-ca-bundle.crt file.
Starting with Git 2.5, when I do a
git clone 'https://[email protected]/XXXX/XXXX.git/'
I receive the error below:
fatal: unable to access 'https://[email protected]/XXXX/XXXX.git/':
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
Probably this problem is related to the poor quality of the self-signed certificate, but I can't change the certificate itself (it is out of my control).
Please note that below is my own configuration:
git config --list
core.symlinks=false
core.autocrlf=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
pack.packsizelimit=2g
help.format=html
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
diff.astextplain.textconv=astextplain
rebase.autosquash=true
http.proxy=http://localhost:9999
http.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
https.proxy=https://localhost:9999
https.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
Is there a way to fix this problem?
UPDATE:
After @VonC's suggestion, I've changed the setting to use per-project settings. I left the global settings as default and changed the per-project settings, but the problem still persists.
So, now the settings are as below:
Global settings:
core.symlinks=false
core.autocrlf=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
pack.packsizelimit=2g
help.format=html
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
diff.astextplain.textconv=astextplain
rebase.autosquash=true
per-project settings:
core.symlinks=false
core.autocrlf=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
pack.packsizelimit=2g
help.format=html
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
diff.astextplain.textconv=astextplain
rebase.autosquash=true
http.proxy=http://localhost:9999
http.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
https.proxy=https://localhost:9999
https.sslcainfo=c:/Users/XXXX/curl-ca-bundle.crt
Upvotes: 1
Views: 1503
Reputation: 527
DISCLAIMER: THIS SOLUTION IS LEFT AS A LAST HOPE FOR PEOPLE WHO CANNOT USE THE RIGHT ONE FROM THE SUGGESTION ABOVE.
PLEASE, USE ONLY IF YOU REALLY UNDERSTAND ALL THE IMPLICATIONS AND SECURITY PROBLEMS THAT THIS SOLUTION INVOLVES.
This solution must be used only if you don't have any other option; if possible, downgrade your Git version to something below 2.5 or wait for Git 2.6.
As a first and better, more secure solution, please check the reply below from VonC.
If you absolutely need a quick (BUT, I REPEAT, WRONG) solution, you can follow the steps below, tested on Win 7 x64 and Win 10 x64:
Download from http://www.openssl.org/community/binaries.html openssl-1.0.2-i386-win32.zip (Win 32) or openssl-1.0.2-x64_86-win64.zip (Win x64), the pre-compiled library for your platform.
Extract the downloaded file into a temporary directory.
Rename c:\Program Files\Git\mingw64\bin\ssleay32.dll to something else (just as a backup if something goes wrong...).
Copy the ssleay32.dll extracted in step 1 to c:\Program Files\Git\mingw64\bin\
This will downgrade the SSL library to a less secure version that accepts DH keys smaller than 768 bits.
Upvotes: 1
Reputation: 1324218
One workaround is:
curl-ca-bundle.crt
That will have 2 side-effects:
git config http.sslCAInfo /path/to/self-signed/certificate
This would ensure that only the custom cert file is used for that repo:
git -c http.https://bitbucket.org/.sslcainfo=/path/to/mycertif.cert clone https://[email protected]/XXXX/XXXX.git
But, as the OP Marco confirms in the comments, the error message persists:
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
It is seen in Ubuntu 12.04+:
As a security improvement, this update also modifies OpenSSL behaviour to reject DH key sizes below 768 bits, preventing a possible downgrade attack.
One possible solution is to specify the cipher you want to use... but that won't be possible before Git 2.6 (end of Sept. 2015).
Upvotes: 0
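A diagnostic for the cause described in the answer above (OpenSSL 1.0.2 rejecting ephemeral DH groups below 768 bits), added here as an example that is not part of the question or of either answer: it forces a DHE cipher with `openssl s_client` so the endpoint has to send its DH group, then classifies the reported size. It assumes `openssl` is on PATH, the host and port are placeholders for whatever actually terminates TLS (the intercepting proxy in the question's setup), and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the question or the answers): measure the ephemeral
# DH group a TLS endpoint offers. OpenSSL 1.0.2 aborts the handshake with
# "dh key too small" below 768 bits, so this shows which hop is the weak link.
# Assumes `openssl s_client` is on PATH; host and port are placeholders.

MIN_DH_BITS=768   # threshold enforced by OpenSSL 1.0.2 (see the Ubuntu notice)

# Constructed sample of `openssl s_client` output from a weak endpoint.
SAMPLE_S_CLIENT_OUTPUT='---
No client certificate CA names sent
Server Temp Key: DH, 512 bits
---
SSL handshake has read 1234 bytes and written 456 bytes'

# dh_bits_from_s_client: read s_client output on stdin and print the DH group
# size from the "Server Temp Key: DH, N bits" line; prints 0 when no DH temp
# key was negotiated (e.g. ECDHE, X25519 under TLS 1.3, or plain RSA).
dh_bits_from_s_client() {
    bits=$(sed -n 's/.*Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# classify_dh_bits N: too-small (handshake fails on OpenSSL 1.0.2+), weak
# (accepted but below the 2048-bit guidance), ok, or no-dh.
classify_dh_bits() {
    if [ "$1" -eq 0 ]; then echo "no-dh"
    elif [ "$1" -lt "$MIN_DH_BITS" ]; then echo "too-small"
    elif [ "$1" -lt 2048 ]; then echo "weak"
    else echo "ok"
    fi
}

# probe_dh HOST PORT: restrict the client to DHE key exchange (kEDH) so the
# endpoint must reveal its DH group, then extract the size from the output.
probe_dh() {
    openssl s_client -connect "$1:$2" -servername "$1" -cipher 'kEDH' </dev/null 2>/dev/null \
        | dh_bits_from_s_client
}

# Usage: `sh dhcheck.sh proxy.example.com 443`; with no arguments the
# constructed sample is analysed instead of a live endpoint.
if [ -n "${1:-}" ]; then
    bits=$(probe_dh "$1" "${2:-443}")
else
    bits=$(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | dh_bits_from_s_client)
fi
echo "ephemeral DH group: $bits bits -> $(classify_dh_bits "$bits")"
```

If the live probe reports "too-small" against the proxy but "ok" against the origin server, the proxy's DH parameters are what the newer OpenSSL in Git 2.5 is refusing.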