Hi Erik,

many thanks for your comments!

On Tue, Jan 25, 2011 at 20:05, Erik Faye-Lund <kusmabite@xxxxxxxxx> wrote:
>> with the latest msysGit (1.7.3.1-preview20101002.exe), I cannot access
>> git repositories via https, if they are served by an apache using
>> OpenSSL 1.0.0
>>
>> The error is:
>> ----
>> error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
>> while accessing https://server/repository/info/refs
>>
>> fatal: HTTP request failed
>> ----
>>
>> An apache using OpenSSL 0.9.8 works fine.
>>
>> There seem to be some SSL handshake issues, when curl and apache use
>> different versions of OpenSSL:
>> http://bugs.gentoo.org/332661
>
> This issue is listed as an issue with Gentoo's OpenSSL 1.0.0 builds,
> and seems to have been resolved by adding back SSLv2 support.
>
>> http://comments.gmane.org/gmane.comp.web.curl.general/11154
>
> This seems to be an issue with Fedora's OpenSSL 1.0.0 builds.

I found something else, which seems to be more related to my exact issue:
http://www.mentby.com/Group/curl/curl-outputs-ssl23getserverhello.html

I've also tried doing "openssl s_client -connect <server>:443" with the
openssl command line tool that's included in the current msysgit, and
that works just fine.

> Git for Windows currently uses OpenSSL 0.9.8k, so this sounds to me
> like an issue in your server-end. Your server seems to simply be
> incompatible with OpenSSL 0.9.8-clients, which is the vast majority of
> SSL-clients out there.

I find it hard to believe that something like this would have gone
unnoticed for such a long time. Most Linux distributions nowadays come
with OpenSSL 1.0.0 and that would mean that any webserver set up on them
could not communicate with any client using OpenSSL 0.9.8.

Since the openssl command line tool works fine, I think it must be
something much more specific and it must have something to do with curl.
I'll see if I can get a more current version of curl to compile under Windows.
I also wanted to try compiling a more current version of OpenSSL but the
build hangs at "Generating DLL definition files". Any idea what might be
the problem?

> AFAICT, Git does not run curl, but uses libcurl instead. It doesn't set
> CURLOPT_SSLVERSION, and Git for Windows uses libcurl 7.21.1 where
> either SSLv3 or TLSv1 seems to be the default. So I don't know if
> there's anything we can do about this on the Git side. You could try
> to set CURLOPT_SSLVERSION to work around the issue, but I don't think
> this is something we'd want to do in a Git for Windows release.

This environment variable has no effect for me, neither with git nor
with the command line client.

Best,
Mika
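
Added example, not part of the original message or of Git, curl or OpenSSL: a small decoder for the packed error string quoted in the thread (error:14077458:...:reason(1112)), using the OpenSSL 0.9.8/1.0.x error-code layout. The function name decode_openssl_error and the alert table (a subset of the TLS alert registry) are constructed for this example.

```python
import re

# OpenSSL before 3.0 packs an error code into 32 bits:
#   library (8 bits) | function (12 bits) | reason (12 bits)
ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

# ssl.h: SSL_AD_REASON_OFFSET. A reason above 1000 means
# "the peer sent TLS alert number (reason - 1000)".
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246, RFC 6066), enough for triage.
TLS_ALERTS = {
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}


def decode_openssl_error(line):
    """Split an OpenSSL error line into library, function, reason and alert."""
    m = ERR_LINE.search(line)
    if m is None:
        raise ValueError("no OpenSSL error string found")
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    alert = None
    # The error code does not record whether the alert was warning or fatal.
    if SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        number = reason - SSL_AD_REASON_OFFSET
        alert = (number, TLS_ALERTS.get(number, "unknown"))
    return {
        "library": (code >> 24) & 0xFF,
        "function": (code >> 12) & 0xFFF,
        "reason": reason,
        "function_name": m.group(3),
        "alert": alert,
    }


if __name__ == "__main__":
    # Error line as quoted in the thread above.
    sample = "error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)"
    print(decode_openssl_error(sample))
```

For the line in this thread the decoder reports library 20, function 119, reason 1112, which maps to TLS alert 112 (unrecognized_name, the Server Name Indication alert from RFC 6066).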