(CCing the mainline Git mailing list for insight)

On Tue, Jan 25, 2011 at 6:42 PM, Mika Fischer <mika.a.fischer@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> with the latest msysGit (1.7.3.1-preview20101002.exe), I cannot access
> git repositories via https, if they are served by an apache using
> OpenSSL 1.0.0
>
> The error is:
> ----
> error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
> while accessing https://server/repository/info/refs
>
> fatal: HTTP request failed
> ----
>
> An apache using OpenSSL 0.9.8 works fine.
>
> There seem to be some SSL handshake issues, when curl and apache use
> different versions of OpenSSL:
> http://bugs.gentoo.org/332661

This issue is listed as an issue with Gentoo's OpenSSL 1.0.0 builds, and
seems to have been resolved by adding back SSLv2 support.

> http://comments.gmane.org/gmane.comp.web.curl.general/11154

This seems to be an issue with Fedora's OpenSSL 1.0.0 builds.

> Any idea how to fix this? For instance, is it possible to configure
> parameters that are passed to curl (passing -3 would fix it)? I could
> also change the apache configuration if someone knows how to work
> around this issue, although I already tried playing around with the
> SSLProtocol option of Apache to no avail...

Git for Windows currently uses OpenSSL 0.9.8k, so this sounds to me like an
issue on your server end. Your server seems to simply be incompatible with
OpenSSL 0.9.8 clients, which are the vast majority of SSL clients out there.

AFAICT, Git does not run curl, but uses libcurl instead. It doesn't set
CURLOPT_SSLVERSION, and Git for Windows uses libcurl 7.21.1, where either
SSLv3 or TLSv1 seems to be the default. So I don't know if there's anything
we can do about this on the Git side. You could try to set CURLOPT_SSLVERSION
to work around the issue, but I don't think this is something we'd want to do
in a Git for Windows release.
But: This issue seems like it might be related to this, which is a big issue:
http://www.openssl.org/news/secadv_20101202.txt

In other words: We should probably upgrade OpenSSL. If not, Git for Windows
will most likely be a security hole. But we must do so while making sure we
are compatible with 0.9.8. It seems to me like either 0.9.8q or 1.0.0c and
beyond fixes the security hole. If 1.0.x breaks 0.9.8 support (it's unclear
to me if it does or not; some sources say it does, some say it doesn't),
perhaps 0.9.8q is the safest route? It's probably also the version that needs
the least amount of patching to run, as it's closer to what we're already
building. This probably means we COULD have it ready for Git for Windows 1.7.4.

> Any help would be very much appreciated, as this makes git totally
> useless under Windows for us, as all our repositories are accessed
> through https...

As I said: I think this is a problem with your server, not Git for Windows.
But I'm far from an expert on the subject, so I could be mistaken.
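The error string quoted in the thread carries more information than either side used. OpenSSL 0.9.8/1.0.x packs an error code as library (bits 24-31), function (bits 12-23) and reason (bits 0-11), and when the SSL library records an alert received from the peer it stores it as reason = 1000 + alert code. The client printed `reason(1112)` only because its build had no text for that code in its error-string table. The decoder below is an added example for this page (it is not from the thread or from Git for Windows); the numeric constants come from OpenSSL's `err.h`/`ssl.h` and the TLS alert registry (RFC 5246 section 7.2, RFC 6066 section 3), and the sample message is the one quoted above.

```python
import re

# OpenSSL library id for libssl (ERR_LIB_SSL in err.h).
ERR_LIB_SSL = 20
# libssl records a TLS alert received from the peer as reason 1000 + alert code
# (SSL_AD_REASON_OFFSET in ssl.h).
SSL_AD_REASON_OFFSET = 1000

# SSL_F_* function codes from OpenSSL 0.9.8/1.0.0 ssl.h. Only the one that
# appears in the thread is listed here; use `openssl errstr <hex>` on the
# build in question for any other code.
SSL_FUNCTIONS = {119: "SSL23_GET_SERVER_HELLO"}

# TLS alert descriptions (RFC 5246 section 7.2; 112 is from RFC 6066 section 3,
# the server_name extension: the server did not recognise the name the client
# offered via SNI).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
    112: "unrecognized_name",
}

# Constructed sample: the message quoted in the thread above.
SAMPLE = "error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)"


def unpack_openssl_error(code):
    """Split a packed OpenSSL 0.9.8/1.0.x error code into (lib, func, reason).

    Layout of ERR_PACK in those versions: lib in bits 24-31, function in
    bits 12-23, reason in bits 0-11.
    """
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_openssl_error(message):
    """Decode the first 'error:XXXXXXXX' code found in an OpenSSL/curl/git
    error line and, for libssl codes above the alert offset, map the reason
    back to the TLS alert the peer sent."""
    m = re.search(r"error:([0-9A-Fa-f]{8})", message)
    if not m:
        raise ValueError("no packed OpenSSL error code in message")
    code = int(m.group(1), 16)
    lib, func, reason = unpack_openssl_error(code)
    result = {
        "code": code,
        "lib": lib,
        "func": func,
        "reason": reason,
        "function": SSL_FUNCTIONS.get(func),
        "alert": None,
        "alert_name": None,
    }
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result["alert"] = alert
        result["alert_name"] = TLS_ALERTS.get(alert, "unknown")
    return result


def explain(message):
    """One-line human summary of what the client actually received."""
    r = decode_openssl_error(message)
    where = r["function"] or "function %d" % r["func"]
    if r["alert"] is not None:
        return "peer sent TLS alert %d (%s) while client was in %s" % (
            r["alert"], r["alert_name"], where)
    return "lib %d reason %d in %s" % (r["lib"], r["reason"], where)


if __name__ == "__main__":
    print(explain(SAMPLE))
```

Running this on the quoted line shows that the server answered the ClientHello with alert 112, `unrecognized_name`, from the server_name (SNI) extension, rather than with a ServerHello. That points a practitioner at the name the client sent and the server's name-based virtual host setup before experimenting with `SSLProtocol` or the client's protocol version, which is where both sides of the thread were looking.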