Make git revert to SSLv3 when TLSv1 fails with "Ignored Unknown Record"
Problem description
Can't use git:
git clone https://github.com/foo/bar
fails:
fatal: unable to access 'https://github.com/foo/bar': Unknown SSL protocol error in connection to github.com:443
How can I force git to use SSLv3? I tried to compile git from source, but there is no setting beyond: --with-openssl (default). Adding the following line before line 408 in remote-curl.c doesn't work either:
curl_easy_setopt(slot->curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
Here are some clues:
case 1: When my browser tries to get to https://github.com/foo/bar, it first tries TLSv1. Handshake seems to be OK: Server key exchange, server hello done (at Wireshark). But it is followed by "Ignored Unknown Record" from server and finally "Connection Reset" from server. Then a new connection but with SSLv3 kicks in and everything is fine (see picture).
case 2: curl fails using TLSv1
curl https://github.com/foo/bar
fails:
curl: (35) Unknown SSL protocol error in connection to github.com:443
Setting --sslv3 fixes the problem.
case 3: Take this one
sudo add-apt-repository ppa:cassou/emacs
fails:
pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')
Edit: curl 7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1.
Edit: debug information
Cloning into 'bar'...
* Couldn't find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
* Trying 192.30.252.130...
* Connected to github.com (192.30.252.130) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* Unknown SSL protocol error in connection to github.com:443
* Closing connection #0
fatal: unable to access 'https://github.com/foo/bar/': Unknown SSL protocol error in connection to github.com:443
Update August 2015: Git 2.6+ (Q3 2015) will allow specifying the SSL version explicitly:
http: add support for specifying the SSL version
See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)
http.sslVersion
The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:
- sslv2
- sslv3
- tlsv1
- tlsv1.0
- tlsv1.1
- tlsv1.2
Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.
Original answer: Dec 2013
I usually see that error message when my PROXY environment variables aren't properly set:
export HTTP_PROXY=http://user:password@proxy.mycompany.com:port
export HTTPS_PROXY=http://user:password@proxy.mycompany.com:port
export NO_PROXY=.mycompany.com
You can also set up a ~/.netrc file for your GitHub credentials.
Make sure your git config http.sslcainfo does reference your /path/to/git/bin/curl-ca-bundle.crt, in order for curl to be able to validate the certificate associated to the GitHub server.
One workaround, if https really doesn't work, is to use an ssh url:
git clone ssh://user@server/project.git
(if you have generated a private and public key first, and registered that public key to your GitHub account)
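As an added example (not part of the original answer and not code from git itself), this shell script applies the precedence quoted above, where a set GIT_SSL_VERSION overrides http.sslVersion and an empty value means libcurl's default, and reports whether the resulting request still admits a protocol older than TLS 1.2. The function names and the verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: which SSL/TLS version will git ask libcurl for, and is it safe?

# effective_ssl_version CONFIG_VALUE [ENV_VALUE]
# Pass ENV_VALUE only when GIT_SSL_VERSION is set, even if it is empty:
# a set variable overrides http.sslVersion, and "" means "libcurl default".
effective_ssl_version() {
    if [ "$#" -ge 2 ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# classify_ssl_version VALUE -> default | legacy | ok | unknown
classify_ssl_version() {
    case "$1" in
        "") echo default ;;                      # libcurl negotiates
        sslv2|sslv3) echo legacy ;;              # prohibited: RFC 6176, RFC 7568
        tlsv1|tlsv1.0|tlsv1.1) echo legacy ;;    # admits TLS < 1.2 (RFC 8996)
        tlsv1.2|tlsv1.3) echo ok ;;              # tlsv1.3: accepted by later git releases
        *) echo unknown ;;
    esac
}

# audit_git_ssl: inspect the current environment and git configuration.
audit_git_ssl() {
    cfg=$(git config --get http.sslVersion 2>/dev/null || true)
    if [ "${GIT_SSL_VERSION+set}" = set ]; then
        eff=$(effective_ssl_version "$cfg" "$GIT_SSL_VERSION")
        src="GIT_SSL_VERSION"
    else
        eff=$(effective_ssl_version "$cfg")
        src="http.sslVersion"
    fi
    printf '%s: requested=%s verdict=%s\n' \
        "$src" "${eff:-<libcurl default>}" "$(classify_ssl_version "$eff")"
}

# Run the audit only where git is installed.
if command -v git >/dev/null 2>&1; then
    audit_git_ssl
fi
```

A "legacy" verdict on a machine that once needed the SSLv3 workaround is the cue to remove the pin with git config --unset http.sslVersion and let libcurl negotiate.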