git - 如何克服 git 错误 `Unknown SSL protocol error in connection`

标签 git ssl poodle-attack

我正在尝试 git clone 一些存储库,但随后出现错误:

$ git clone --recursive https://some-url.git
Cloning into 'project'...
fatal: unable to access 'https://https://some-url.git/': Unknown SSL protocol error in connection to
some-url.git:443

我读到,由于 POODLE,git 存储库已移动以强制使用 TLS1.0 并且不再支持 SSLv3 通信漏洞。但我不知道这个错误消息是否意味着我的 git 客户端只知道谈论 SSLv3 而服务器拒绝,或者服务器只知道谈论 SSLv3 而我的客户端拒绝。如果问题出在我的客户端,我该如何配置它以使用 TLS;另一方面,如果是服务器,我该如何解决?

SourceTree 和 scm git(控制台和 gui)都收到错误。

最佳答案

how can I configure it to use TLS?

Git 2.5(2015 年 8 月)已经允许在协商 SSL 连接时使用 http.sslCipherListGIT_SSL_CIPHER_LIST 指定密码列表。
(参见 Cannot communicate securely with peer: no common encryption algorithm(s))

从 Git 2.6+(2015 年第 3 季度)开始,可以明确指定 SSL 版本:

http: add support for specifying the SSL version

参见 commit 01861cb (2015 年 8 月 14 日)Elia Pinto (devzero2000) .
帮助:Eric Sunshine (sunshineco) .
(由 Junio C Hamano -- gitster -- merge 于 commit ed070a4 ,2015 年 8 月 26 日)

http.sslVersion

The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:

  • sslv2
  • sslv3
  • tlsv1
  • tlsv1.0
  • tlsv1.1
  • tlsv1.2

Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.


上面的设置很重要,因为GitHub now (Feb. 2018) forces disabling weak cryptographic standards .

On February 8, 2018 we’ll start disabling the following:

  • TLSv1/TLSv1.1: This applies to all HTTPS connections, including web, API, and git connections to https://github.com and https://api.github.com.
  • diffie-hellman-group1-sha1: This applies to all SSH connections to github.com
  • diffie-hellman-group14-sha1: This applies to all SSH connections to github.com

Git 2.18(2018 年第 2 季度)现在可以使用 TLSv1.3:
当使用更新的 cURL 构建时,GIT_SSL_VERSION 现在可以指定 “tlsv1.3”作为它的值。

参见 commit d81b651 (2018 年 3 月 29 日)Loganaden Velvindron (loganaden) .
(由 Junio C Hamano -- gitster -- merge 于 commit 9b59d88 ,2018 年 4 月 11 日)

http: allow use of TLS 1.3

Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options.
libcurl has supported this since 7.52.0.

This requires OpenSSL 1.1.1 with TLS 1.3 enabled or curl built with recent versions of NSS or BoringSSL as the TLS backend.


在 Git 2.21(2019 年第一季度)中,一个新的“http.version”配置变量可以与最近足够的 cURL 库一起使用,以强制版本HTTP 用于在获取和推送时进行对话

参见 commit d73019f (2018 年 11 月 9 日)Force Charlie (fcharlie) .
(由 Junio C Hamano -- gitster -- merge 于 commit 13d9919 ,2019 年 1 月 4 日)

http: add support selecting http version

Usually we don't need to set libcurl to choose which version of the HTTP protocol to use to communicate with a server.
But different versions of libcurl, the default value is not the same.

CURL >= 7.62.0: CURL_HTTP_VERSION_2TLS
CURL < 7.62: CURL_HTTP_VERSION_1_1

In order to give users the freedom to control the HTTP version, we need to add a setting to choose which HTTP version to use.

git config man page现在显示:

http.version:

Use the specified HTTP protocol version when communicating with a server.
If you want to force the default.
The available and default version depend on libcurl.
Actually the possible values of this option are:

  • HTTP/2
  • HTTP/1.1

关于git - 如何克服 git 错误 `Unknown SSL protocol error in connection`,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28217692/

相关文章:

git - Xcode 7 - 从项目中删除源代码管理

java - 如何直接从 Git 生成 javadoc

git - 将 github 提交/pull 请求作为补丁应用

laravel - SSL 连接错误 - 连接被对等重置 - 在 Homestead 机器上

Tomcat APR 连接器和 POODLE

angular - 在 Azure 中部署私有(private) npm 包

linux - 如何通过腻子启用 SSL3 和禁用 SSL2?

java - 如何从其文件中获取证书类型?

ssl - 证书需要是官方的还是自签名的?

ssl - 如何在 IBM Websphere 6 中禁用 SSL 及其影响?