git@vger.kernel.org mailing list mirror (one of many)
From: Erik Faye-Lund <kusmabite@gmail.com>
To: Mika Fischer <mika.a.fischer@googlemail.com>
Cc: msysGit <msysgit@googlegroups.com>,
	Git Mailing List <git@vger.kernel.org>
Subject: Re: [msysGit] Git unable to access https repositories due to curl/OpenSSL 1.0.0 handshake issues
Date: Tue, 25 Jan 2011 20:05:21 +0100	[thread overview]
Message-ID: <AANLkTi=UQR3cEbTj4N0W_4CLG9T1F+rmkLEew+WO4w5f@mail.gmail.com> (raw)
In-Reply-To: <0aa77107-bb31-4f74-90e2-02ce5155b0a0@l17g2000yqe.googlegroups.com>

(CCing the mainline Git mailing list for insight)

On Tue, Jan 25, 2011 at 6:42 PM, Mika Fischer
<mika.a.fischer@googlemail.com> wrote:
> Hi,
>
> with the latest msysGit (1.7.3.1-preview20101002.exe), I cannot access
> git repositories via https, if they are served by an apache using
> OpenSSL 1.0.0
>
> The error is:
> ----
> error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
> while accessing https://server/repository/info/refs
>
> fatal: HTTP request failed
> ----
>
> An apache using OpenSSL 0.9.8 works fine.
>
> There seem to be some SSL handshake issues, when curl and apache use
> different versions of OpenSSL:
> http://bugs.gentoo.org/332661

This issue is listed as an issue with Gentoo's OpenSSL 1.0.0 builds,
and seems to have been resolved by adding back SSLv2 support.

> http://comments.gmane.org/gmane.comp.web.curl.general/11154

This seems to be an issue with Fedora's OpenSSL 1.0.0 builds.

> Any idea how to fix this? For instance, is it possible to configure
> parameters that are passed to curl (passing -3 would fix it)? I could
> also change the apache configuration if someone knows how to work
> around this issue, although I already tried playing around with the
> SSLProtocol option of Apache to no avail...
>

Git for Windows currently uses OpenSSL 0.9.8k, so this sounds to me
like an issue on your server end. Your server seems to simply be
incompatible with OpenSSL 0.9.8 clients, which are the vast majority of
SSL clients out there.

AFAICT, Git does not run curl, but uses libcurl instead. It doesn't set
CURLOPT_SSLVERSION, and Git for Windows uses libcurl 7.21.1 where
either SSLv3 or TLSv1 seems to be the default. So I don't know if
there's anything we can do about this on the Git side. You could try
to set CURLOPT_SSLVERSION to work around the issue, but I don't think
this is something we'd want to do in a Git for Windows release.


But:
This issue seems like it might be related to this, which is a big issue:
http://www.openssl.org/news/secadv_20101202.txt

In other words: We should probably upgrade OpenSSL. If not, Git for
Windows will most likely be a security hole.

But we must do so while making sure we are compatible with 0.9.8. It
seems to me like either 0.9.8q or 1.0.0c and beyond fixes the
security-hole. If 1.0.x breaks 0.9.8 support (it's unclear to me if it
does or not; some sources say it does, some say it doesn't), perhaps
0.9.8q is the safest route? It's probably also the version that needs
the least amount of patching to run, as it's closer to what we're
already building. This probably means we COULD have it ready for Git
for Windows 1.7.4.

> Any help would be very much appreciated, as this makes git totally
> useless under Windows for us, as all our repositories are accessed
> through https...

As I said: I think this is a problem with your server, not Git for
Windows. But I'm far from an expert on the subject, so I could be
mistaken.
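Decoding the OpenSSL error string quoted above, as an added example (not code from this thread, from Git or from OpenSSL): the hex code packs library, function and reason the way OpenSSL's ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros unpack them, and in the SSL library a reason of 1000+N records a TLS alert N received from the server, which is what a bare "reason(1112)" is telling you.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields of a legacy (0.9.8/1.0.x) OpenSSL packed error code, split the
 * way ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON do it:
 * bits 24-31 library, bits 12-23 function, bits 0-11 reason. */
struct ossl_err { unsigned lib, func, reason; int alert; };

/* Parse "error:14077458:SSL routines:...:reason(1112)" into its fields.
 * Returns 0 on success, -1 if no hex code follows "error:". */
int parse_ossl_error(const char *msg, struct ossl_err *out)
{
    const char *p = strstr(msg, "error:");
    char *end; unsigned long code;
    if (!p) return -1;
    p += strlen("error:");
    code = strtoul(p, &end, 16);
    if (end == p || *end != ':') return -1;
    out->lib = (unsigned)((code >> 24) & 0xff);
    out->func = (unsigned)((code >> 12) & 0xfff);
    out->reason = (unsigned)(code & 0xfff);
    /* Library 20 is ERR_LIB_SSL. There, reasons >= 1000 mean "the peer sent
     * TLS alert (reason - 1000)" (SSL_AD_REASON_OFFSET). OpenSSL prints a bare
     * reason(N) when it has no text for N, as the 0.9.8k client in the thread does. */
    out->alert = (out->lib == 20 && out->reason >= 1000) ? (int)(out->reason - 1000) : -1;
    return 0;
}

/* Names for a few TLS AlertDescription values (RFC 5246; 112 from RFC 6066). */
const char *tls_alert_name(int alert)
{
    switch (alert) {
    case 40:  return "handshake_failure";
    case 70:  return "protocol_version";
    case 112: return "unrecognized_name";  /* server did not serve the SNI name */
    default:  return "unknown";
    }
}

int main(void)
{
    /* The exact message quoted in the thread. */
    const char *msg = "error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)";
    struct ossl_err e;
    if (parse_ossl_error(msg, &e) != 0) return 1;
    printf("lib=%u func=%u reason=%u alert=%d (%s)\n",
           e.lib, e.func, e.reason, e.alert, tls_alert_name(e.alert));
    return 0;
}
```

For the message in the thread this yields library 20 (SSL), function 119 (SSL23_GET_SERVER_HELLO), reason 1112, i.e. the server answered the ClientHello with alert 112, unrecognized_name.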
