Thursday, 15 October 2015

Building git 2.6 and enabling TLS 1.2 on CentOS 7

There are scenarios where TLS 1.2 is not just enabled but the only protocol version the server accepts.
In those cases many older clients fail to connect over HTTPS.
I needed 'git clone https://...' to work on CentOS 7, and since it was failing and I spent some time on a workaround, I'm sharing it here.

The system is a CentOS 7 host on DigitalOcean, with kernel

Linux 3.10.0-123.8.1.el7.x86_64

git is 1.8.3, the stock version
nss is 3.19.1-5.el7_1

If I do something like

curl  --tlsv1.2

the connection is successful, but a command like

GIT_CURL_VERBOSE=1 git clone

was giving a connection error with this code:

( only accepts TLSv1.2).

Long story short, I read somewhere that git 2.6 had support for configuring TLSv1.2, and I downloaded the source code of git 2.6.0 from

Built, installed, and added this to my .gitconfig (the setting is http.sslVersion, so it belongs in the [http] section):

  [http]
      sslVersion = tlsv1.2

but no cigar.

So I dug into the code and commented out the libcurl version check in http.c (both the #if and its matching #endif). That check hides the tlsv1.0/1.1/1.2 entries of the sslversions table whenever LIBCURL_VERSION_NUM is older than 0x072200 (libcurl 7.34.0), so with an older libcurl the tlsv1.2 setting is silently unknown:

  //GV#if LIBCURL_VERSION_NUM >= 0x072200
          { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
          { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
          { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
  //GV#endif

Rebuilt and reinstalled, and this time it worked fine.
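Removing the guard only works because the libcurl header on this system declares CURL_SSLVERSION_TLSv1_2 even though its version number is below 0x072200, which is consistent with TLS 1.2 support having been backported into the distribution's libcurl (and is why 'curl --tlsv1.2' succeeds on the same box). On a libcurl that genuinely lacks the constant the patched git fails to compile with an undeclared identifier. The script below is an added example, not code from the original post or from the git or curl projects: it reads LIBCURL_VERSION_NUM from curl-config, says whether git 2.6's guard would pass, and, if not, compiles a one-line test against curl/curl.h to tell a backport from a libcurl that is simply too old. It assumes curl-config(1), a compiler named cc and the libcurl headers (libcurl-devel on CentOS 7) are installed; the script file name it checks for is also an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or from the git/curl projects.
# Decides whether git 2.6's http.c needs its libcurl version guard removed here:
#   - git 2.6 hides the tlsv1.0/1.1/1.2 entries of its sslversions[] table behind
#     #if LIBCURL_VERSION_NUM >= 0x072200 (libcurl 7.34.0);
#   - a distribution that backported TLS 1.2 keeps an older version number but
#     still declares CURL_SSLVERSION_TLSv1_2 in curl/curl.h.
# Assumes curl-config(1), a C compiler named cc and the libcurl headers are
# installed (libcurl-devel on CentOS 7). The script file name used at the
# bottom is an assumption as well.

# curl-config --vernum prints LIBCURL_VERSION_NUM as six hex digits, e.g. 071d00.
# Convert it to the dotted form people recognise (071d00 -> 7.29.0).
vernum_to_dotted() {
    v=${1#0x}
    rest=${v#??}
    printf '%d.%d.%d\n' "0x${v%????}" "0x${rest%??}" "0x${rest#??}"
}

# True (exit 0) when git 2.6's preprocessor guard would keep the tlsv1.x entries.
guard_passes() {
    [ "$(printf '%d' "0x${1#0x}")" -ge "$(printf '%d' 0x072200)" ]
}

# True when the installed header declares the TLS 1.2 constant regardless of the
# version number: compile (syntax only) a one-line unit that references it.
header_declares_tlsv1_2() {
    printf '#include <curl/curl.h>\nint v = CURL_SSLVERSION_TLSv1_2;\n' |
        cc $(curl-config --cflags) -fsyntax-only -x c - 2>/dev/null
}

main() {
    num=$(curl-config --vernum) || { echo "curl-config not found; install libcurl-devel" >&2; return 1; }
    echo "libcurl $(vernum_to_dotted "$num") (LIBCURL_VERSION_NUM 0x$num)"
    if guard_passes "$num"; then
        echo "guard passes: stock git 2.6 accepts http.sslVersion = tlsv1.2 unpatched"
    elif header_declares_tlsv1_2; then
        echo "guard fails but curl.h declares CURL_SSLVERSION_TLSv1_2 (backported TLS 1.2):"
        echo "  build git with the #if/#endif removed, or replace the guard with"
        echo "  #ifdef CURL_SSLVERSION_TLSv1_2 so it keys on the constant, not the version"
    else
        echo "libcurl has no TLS 1.2 constant at all: the patched git will not compile;"
        echo "  upgrade libcurl first"
        return 1
    fi
    echo "then: git config --global http.sslVersion tlsv1.2  (or GIT_SSL_VERSION=tlsv1.2 per command)"
}

# Run the check only when executed as a script under this (assumed) file name.
case "${0##*/}" in check-libcurl-tls12.sh) main ;; esac
```

Keying the guard on the constant rather than on LIBCURL_VERSION_NUM is the safer local patch: it compiles the tlsv1.x entries wherever the header actually provides them and still drops out cleanly on a libcurl that does not.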