In these cases many clients fail to connect over HTTPS.
I needed to be able to use 'git clone https://...' on CentOS 7, and since it was failing and I spent some time on a workaround, I'm sharing it here.
The system is a CentOS 7 host on DigitalOcean, with kernel
Linux 3.10.0-123.8.1.el7.x86_64
git is 1.8.3, the stock version
nss is 3.19.1-5.el7_1
If I do something like
curl --tlsv1.2 https://freeswitch.org
the connection is successful, but a command like
GIT_CURL_VERBOSE=1 git clone https://freeswitch.org/stash/scm/fs/freeswitch.git
was giving a connection error with this code:
NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
(freeswitch.org only accepts TLSv1.2).
Long story short, I read somewhere that git 2.6 had support for configuring TLSv1.2, and I downloaded the source code of git 2.6.0 from https://www.kernel.org/pub/software/scm/git/
Built, installed, added to my .gitconfig this:
[http]
sslVersion = tlsv1.2
but no cigar.
So I dug in the code and commented out a dependency for a version of libcurl in http.c (I'm commenting out the #if - #endif):
//GV#if LIBCURL_VERSION_NUM >= 0x072200
	{ "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
	{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
	{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
//GV#endif
Rebuilt and reinstalled, and this time it worked fine.
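Why the sslVersion setting had no effect until the #if was removed, as an added example (not code from git or from this post): a runtime model of the compile-time version gate. The enum values are local stand-ins for the libcurl constants, and 0x071d00 is a constructed sample of an older header version.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for libcurl's CURL_SSLVERSION_TLSv1_x constants, so the
 * example builds without curl headers (assumption of this example). */
enum { TLSV1_0 = 4, TLSV1_1 = 5, TLSV1_2 = 6 };

#define GATE_VERSION 0x072200UL /* threshold from the #if quoted in the post */

struct curl_ver { unsigned major, minor, patch; };

/* LIBCURL_VERSION_NUM packs the header version as 0xMMmmpp. */
static struct curl_ver decode_version(unsigned long num)
{
    struct curl_ver v;
    v.major = (unsigned)((num >> 16) & 0xff);
    v.minor = (unsigned)((num >> 8) & 0xff);
    v.patch = (unsigned)(num & 0xff);
    return v;
}

/* Runtime model of the compile-time gate: resolve an http.sslVersion name as a
 * build against headers reporting header_num would. gate_removed = 1 models
 * the post's edit. Returns the protocol id, or -1 if the name is not compiled in. */
static int lookup_sslversion(const char *name, unsigned long header_num, int gate_removed)
{
    static const struct { const char *name; int id; } gated[] = {
        { "tlsv1.0", TLSV1_0 }, { "tlsv1.1", TLSV1_1 }, { "tlsv1.2", TLSV1_2 },
    };
    size_t i;

    if (!gate_removed && header_num < GATE_VERSION)
        return -1; /* entries were preprocessed away; the setting cannot match */
    for (i = 0; i < sizeof(gated) / sizeof(gated[0]); i++)
        if (strcmp(name, gated[i].name) == 0)
            return gated[i].id;
    return -1;
}

int main(void)
{
    unsigned long old_headers = 0x071d00UL; /* constructed sample: 7.29.0 */
    struct curl_ver g = decode_version(GATE_VERSION);

    printf("gate requires libcurl headers >= %u.%u.%u\n", g.major, g.minor, g.patch);
    printf("stock build:   tlsv1.2 -> %d\n", lookup_sslversion("tlsv1.2", old_headers, 0));
    printf("gate removed:  tlsv1.2 -> %d\n", lookup_sslversion("tlsv1.2", old_headers, 1));
    return 0;
}
```

Removing the #if only compiles when the installed curl headers already define the three constants, so the header version number alone does not tell you whether a distribution has backported them.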
great, it works for my redhatel-6.5
Thanks for the tip, it led me to "yum update curl" which worked for me on RHEL 6.
Thanks Jan for taking the time to confirm.
Cheers,
Giacomo