I am trying to git clone some repositories, but then I get an error:
$ git clone --recursive https://some-url.git
Cloning into 'project'...
fatal: unable to access 'https://https://some-url.git/': Unknown SSL protocol error in connection to some-url.git:443
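I read that, because of the POODLE vulnerability, git repositories have moved to force the use of TLS1.0 and no longer support SSLv3 communication. But I don't know whether this error message means that my git client only knows how to talk SSLv3 and the server is refusing, or that the server only knows how to talk SSLv3 and my client is refusing. If the problem is with my client, how can I configure it to use TLS; on the other hand, if it is the server, how can I work around it?
I get the error with both SourceTree and scm git (console and gui).
Best answer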
how can I configure it to use TLS?
Git 2.5 (August 2015) already allows specifying a list of ciphers with http.sslCipherList and GIT_SSL_CIPHER_LIST when negotiating SSL connections.
(See "Cannot communicate securely with peer: no common encryption algorithm(s)")
Starting with Git 2.6+ (Q3 2015), the SSL version can be specified explicitly:
http: add support for specifying the SSL version
See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)
http.sslVersion
The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:
- sslv2
- sslv3
- tlsv1
- tlsv1.0
- tlsv1.1
- tlsv1.2
Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.
The setting above matters because GitHub now (Feb. 2018) forces disabling weak cryptographic standards.
On February 8, 2018 we’ll start disabling the following:
- TLSv1/TLSv1.1: This applies to all HTTPS connections, including web, API, and git connections to https://github.com and https://api.github.com.
- diffie-hellman-group1-sha1: This applies to all SSH connections to github.com
- diffie-hellman-group14-sha1: This applies to all SSH connections to github.com
Git 2.18 (Q2 2018) can now use TLSv1.3:
When built with a newer cURL, GIT_SSL_VERSION can now specify "tlsv1.3" as its value.
See commit d81b651 (29 Mar 2018) by Loganaden Velvindron (loganaden).
(Merged by Junio C Hamano -- gitster -- in commit 9b59d88, 11 Apr 2018)
http: allow use of TLS 1.3
Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options.
libcurl has supported this since 7.52.0.
This requires OpenSSL 1.1.1 with TLS 1.3 enabled or curl built with recent versions of NSS or BoringSSL as the TLS backend.
In Git 2.21 (Q1 2019), a new "http.version" configuration variable can be used with a recent enough cURL library to force the version of HTTP used to talk when fetching and pushing.
See commit d73019f (09 Nov 2018) by Force Charlie (fcharlie).
(Merged by Junio C Hamano -- gitster -- in commit 13d9919, 04 Jan 2019)
http: add support selecting http version
Usually we don't need to set libcurl to choose which version of the HTTP protocol to use to communicate with a server.
But different versions of libcurl, the default value is not the same.
CURL >= 7.62.0: CURL_HTTP_VERSION_2TLS
CURL < 7.62: CURL_HTTP_VERSION_1_1
In order to give users the freedom to control the HTTP version, we need to add a setting to choose which HTTP version to use.
The git config man page now shows:
http.version:
Use the specified HTTP protocol version when communicating with a server.
If you want to force the default.
The available and default version depend on libcurl.
Actually the possible values of this option are:
- HTTP/2
- HTTP/1.1
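The following shell script is an added example, not part of the original answer or of Git itself. It applies the version requirements and the GIT_SSL_VERSION precedence quoted above to judge a configured http.sslVersion, and can probe a remote to see which TLS versions this client and the server agree on; the function names and verdict strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not part of Git.
# Minimum Git release accepting an http.sslVersion value (2.6; 2.18 for tlsv1.3).
min_git_for() {
    case "$1" in
        sslv2|sslv3|tlsv1|tlsv1.0|tlsv1.1|tlsv1.2) echo 2.6 ;;
        tlsv1.3) echo 2.18 ;;
        *) return 1 ;;   # not one of the documented values
    esac
}
# Succeeds when version $1 >= $2, comparing major.minor numerically.
version_ge() {
    h_rest=${1#*.}; n_rest=${2#*.}
    [ "${1%%.*}" -gt "${2%%.*}" ] && return 0
    [ "${1%%.*}" -eq "${2%%.*}" ] && [ "${h_rest%%.*}" -ge "${n_rest%%.*}" ]
}
# GIT_SSL_VERSION overrides http.sslVersion ($1); set but empty means libcurl's default.
effective_ssl_version() {
    if [ "${GIT_SSL_VERSION+set}" = set ]; then
        echo "${GIT_SSL_VERSION:-libcurl-default}"
    else
        echo "${1:-libcurl-default}"
    fi
}
# Values naming protocols the page reports withdrawn (SSLv3, TLSv1/TLSv1.1) or older.
is_weak() {
    case "$1" in sslv2|sslv3|tlsv1|tlsv1.0|tlsv1.1) return 0 ;; esac
    return 1
}
# Verdict for an installed Git version ($1) and configured http.sslVersion ($2).
check_setting() {
    v=$(effective_ssl_version "$2")
    [ "$v" = libcurl-default ] && { echo default; return 0; }
    need=$(min_git_for "$v") || { echo unknown-value; return 0; }
    version_ge "$1" "$need" || { echo "needs-git-$need"; return 0; }
    if is_weak "$v"; then echo weak; else echo ok; fi
}
# Live probe (needs network): which versions this client and the server agree on.
probe_remote() {
    for v in tlsv1.2 tlsv1.3; do
        if GIT_TERMINAL_PROMPT=0 GIT_SSL_VERSION=$v \
               git ls-remote --heads "$1" >/dev/null 2>&1
        then echo "$v: ok"; else echo "$v: failed"; fi
    done
}
if [ "$#" -gt 0 ]; then   # usage: sh check.sh https://host/repo.git
    check_setting "$(git --version | awk '{print $3}')" "$(git config --get http.sslVersion)"
    probe_remote "$1"
fi
```

A failed probe can also come from an authentication or network problem rather than a TLS mismatch; running git with GIT_CURL_VERBOSE=1 shows the handshake detail.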
Regarding git - how to overcome the git error `Unknown SSL protocol error in connection`, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/28217692/