TLS certificate verification has been disabled! while trying to git fetch

Question

I am trying to perform a git fetch on a repo but I am getting this warning: TLS certificate verification has been disabled! and although this says warning but the fetch operation is not actually happening.

I have set sslVerify to false in the git config for this repo with:-

[http]
    sslVerify = false

because the repo contains a self signed certificate. Looking for any help on this.

EDIT: The remote is a self hosted git repository with self signed certificate.

Answer 1

This message comes from Git Credential Manager Core, which is a credential helper commonly used on Windows. The message exists because by disabling certificate verification, you've removed any security gained by HTTPS and allowed virtually anyone who can see your network traffic to view and tamper with your data, including your credentials. Your connection is therefore only the slightest bit better than using plain HTTP.

If you visit the link specified, there's text which outlines some options:

The recommended and safest option is to acquire a TLS certificate signed by a public trusted certificate authority (CA). There are multiple public CAs; here is a non-exhaustive list to consider: Let's Encrypt, Comodo, Digicert, GoDaddy, GlobalSign.

If it is not possible to obtain a TLS certificate from a trusted 3rd party then you should try to add the specific self-signed certificate or one of the CA certificates in the verification chain to your operating system's trusted certificate store (macOS, Windows).

If you are unable to either obtain a trusted certificate, or trust the self-signed certificate you can disable certificate verification in Git and GCM.

You could also switch to SSH, which is trust on first use and doesn't require a CA certificate, and which usually uses public keys and so doesn't typically send any private credentials at all.