Git-吊销功能无法检查证书的吊销 [英] Git - The revocation function was unable to check revocation for the certificate

问题描述

我正在尝试通过同时使用Github Desktop和git shell从Github克隆，但继续出现此错误:

I'm trying to clone from Github by using both Github Desktop and the git shell but keep on getting this error:

Cloning into 'C:\Users\John Doe\workspace\MyProject'...
fatal: unable to access 'https://github.com/JohnDoe/MyProject.git/': 
schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - 
The revocation function was unable to check revocation for the certificate.

提取现有存储库时出现相同的问题.

Same problem when pulling an existing repository.

我已经尝试将在~/.ssh/github-ssh.pub中找到的SSH密钥上传到Github设置，但这无济于事.

I've already tried to upload SSH keys found in ~/.ssh/github-ssh.pub to Github settings but it doesn't help anything.

刚刚选中，即使我尝试克隆不存在的存储库，也会发生这种情况.

Just checked, it will happen even if I try to clone a non-existent repository.

推荐答案

当您在对所有流量执行MITM并阻止吊销检查的公司网络中时，通常也会遇到此错误. 显然，理想的情况是不阻止检查(或至少阻止URL的白名单)，但可能需要解决此问题.

This error is also commonly hit when you're on a corporate network that performs MITM on all traffic, and then blocks the revocation check. While, obviously, the ideal situation is to not block the checks (or at least, to a whitelist of urls), it may be required to work around this problem.

一个选项是，如Mike回答的第一部分所述，

One option is, as in the first part of Mike's answer, using the OpenSSL bindings instead. While this works, it requires manual maintenance of the certificate lists, which may not be practical in extreme situations (say, new root certs issued every day, although this is unlikely).

类似于Mike回答的第二部分，另一个选项是禁用吊销检查.
git-for-windows的最新版本(2.19及更高版本)提供了 http.schannelCheckRevoke设置:

The other option, akin to the second part of Mike's answer, is disabling revocation checking.
Recent versions, 2.19 and above, of git-for-windows provides an http.schannelCheckRevoke setting:

用于强制执行或禁用cURL中的证书吊销检查 当http.sslBackend设置为"schannel"时.如果默认为true 未设定.只有在Git持续出现错误时才需要禁用它 该消息是关于检查一个服务器的吊销状态 证书.如果cURL不支持以下选项，则忽略此选项 在运行时设置相关的SSL选项.

Used to enforce or disable certificate revocation checks in cURL when http.sslBackend is set to "schannel". Defaults to true if unset. Only necessary to disable this if Git consistently errors and the message is about checking the revocation status of a certificate. This option is ignored if cURL lacks support for setting the relevant SSL option at runtime.

...因此，您可以首先简单地禁用检查是否撤销:
git config --global http.schannelCheckRevoke false

... so you can simply disable checking for revocation in the first place:
git config --global http.schannelCheckRevoke false

请注意，与完全禁用SSL不同，这从本质上讲并不比对特定存储库使用Mike的答案安全:如果您捕获并配置了一个空吊销列表(通常情况)，则实际上已禁用了吊销检查. 仅在私钥泄露的情况下，禁用吊销检查才有风险(在链中的某个点)，这是罕见且困难的.

Note that, unlike disabling SSL entirely, this is not inherently less secure than using Mike's answer for specific repositories: if you capture and configure an empty revocation list (the usual case), you have effectively disabled revocation checking. Disabling revocation checking only becomes a risk in the case of private-key compromise (at some point in the chain), which is rare and difficult.

还请注意，在公司MITM设置中，正在为您执行吊销检查:没有任何值得使用的代理将为无效或(已知)已泄露的证书颁发证书.

Note, also, that in a corporate MITM setting, revocation checking is being performed for you: no proxy worth using would issue a cert for an invalid or (known) compromised certificate.

这篇关于Git-吊销功能无法检查证书的吊销的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！