Thursday, 15 October 2015

Building git 2.6 and enabling TLS 1.2 on CentOS 7

There are scenarios where TLS 1.2 is not just enabled, but the only one accepted.
In these cases many clients fail to connect over HTTPS.
I needed to be able to use 'git clone https://...' on CentOS 7, and since it was failing and I spent some time on a work around, I'm sharing it here.

The system is a CentOS 7 host on DigitalOcean, with kernel


Linux 3.10.0-123.8.1.el7.x86_64

git is 1.8.3, the stock version
nss is 3.19.1-5.el7_1

If I do something like

curl  --tlsv1.2 https://freeswitch.org

the connection is successful, but a command like

GIT_CURL_VERBOSE=1 git clone https://freeswitch.org/stash/scm/fs/freeswitch.git


was giving a connection error with this code:

NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
(freeswitch.org only accepts TLSv1.2).


Long story short, I read somewhere that git 2.6 had support for configuring TLSv1.2, and I downloaded the source code of git 2.6.0 from https://www.kernel.org/pub/software/scm/git/

Built, installed, added to my .gitconfig this:

[http] 
sslVersion = tlsv1.2

but no cigar.

So I dug in the code and commented out a dependency for a version of libcurl in http.c (I'm commenting out the #if - #endif):

  //GV#if LIBCURL_VERSION_NUM >= 0x072200           { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },           { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },           { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, 
//GV#endif



Rebuilt and reinstalled, and this time it worked fine.



3 comments:

  1. great, it works for my redhatel-6.5

    ReplyDelete
  2. Thanks for the tip, it lead me to "yum update curl" which worked for me on Rhel 6.

    ReplyDelete
  3. Thanks Jan for taking the time to confirm.
    Cheers,
    Giacomo

    ReplyDelete

Wireshark setting to interpret UDP as RTP automatically

 Before I forget again, a Wireshark setting that can help saving time by trying to interpret any UDP as RTP, if possible: Analyze --> Ena...