How can I make git tell curl to use openssl instead of gnutls without rebuilding the package?
We have an internal server that GnuTLS doesn't like, e.g.:

gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt foo.example.com
Processed 173 CA certificate(s).
Resolving 'foo.example.com'...
Connecting to '1.2.3.4:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Everything other than GnuTLS talks to it ok, but git appears to use GnuTLS out of the box on Ubuntu 14.04.2 LTS so git fails with:

GIT_CURL_VERBOSE=1 git clone https://foo.example.com/some-repo.git
Cloning into 'some-repo'...
* Couldn't find host foo.example.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 1.2.3.4...
* Connected to foo.example.com (1.2.3.4) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
fatal: unable to access 'https://foo.example.com/some-repo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

We're working on fixing the incompatibility with GnuTLS, but in the meantime is there a way to force git to tell curl to use another SSL engine at runtime (i.e. not rebuilding git from source)?

Claudette answered 25/3, 2015 at 0:12 Comment(3)
Fatal error: Error in the certificate. GnuTLS is more strict than many libraries, like OpenSSL, when parsing certificate data. Maybe the question to ask is, what is wrong with the certificate. I'm guessing the name foo.example.com or 1.2.3.4 is not listed as a SubjectAltName. If you provided real information, then we might have been able to help you. If you ask what's wrong with the cert, then do it on another site where it is on-topic, like Super User. - Revelry
AWS CodeCommit gives this error, fwiw. - Wildfire
@Revelry For the purposes of my issue, I have asked exactly the question I cared about and got exactly the answer I needed. The issue with the cert in question doesn't matter as, like I said, that was being looked at independently (I don't have access to fix it myself or much influence over those that do). - Claudette
git is built to use libcurl, and libcurl is built to use a single fixed TLS library that cannot be changed at run-time.

You can however force git to use a different libcurl build at run-time, and that libcurl could be using OpenSSL. That's easiest done by putting that OpenSSL-using libcurl in a separate directory from the "standard" one you have and then you do one of these:

  1. Make sure /etc/ld.so.conf lists that new dir before the old libcurl hosting directory - although then it'll change this setup for all programs using libcurl and you probably don't want that (based on your way of asking).

  2. Put "LD_LIBRARY_PATH=[directory where your special libcurl is] git" into a script or alias called "git2" and use that instead of the ordinary git.

Prostitution answered 6/1, 2016 at 23:47 Comment(0)
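
As an added example (not code from the answer above or from the git or curl projects), a POSIX shell script that writes the "git2" wrapper from option 2 and, before pointing git at a directory, checks that the directory is not world-writable and that its libcurl is actually linked against OpenSSL rather than GnuTLS. It assumes the alternate libcurl is installed as libcurl.so.4 in the given directory and that ldd is available.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes the alternate,
# OpenSSL-linked libcurl is installed as libcurl.so.4 in DIR and that ldd exists.

# Read ldd output on stdin and report which TLS library this libcurl links against.
backend_from_ldd() {
    out=$(cat)
    case $out in
        *libgnutls*)  echo gnutls ;;
        *libssl.so*)  echo openssl ;;
        *)            echo unknown ;;
    esac
}

# Refuse to point git at DIR unless it holds a libcurl that really uses OpenSSL and
# nobody else can write to it: LD_LIBRARY_PATH loads whatever library sits there.
check_alt_libcurl() {
    dir=$1
    [ -f "$dir/libcurl.so.4" ] || { echo "no libcurl.so.4 in $dir" >&2; return 1; }
    case $(ls -ld "$dir") in
        ????????w*) echo "$dir is world-writable, refusing to load libraries from it" >&2
                    return 1 ;;
    esac
    backend=$(ldd "$dir/libcurl.so.4" 2>/dev/null | backend_from_ldd)
    [ "$backend" = openssl ] ||
        { echo "libcurl in $dir is linked against '$backend', not OpenSSL" >&2; return 1; }
}

# Write the "git2" wrapper from option 2: it prepends DIR to LD_LIBRARY_PATH so that
# git-remote-https picks up the alternate libcurl, then execs the ordinary git.
write_git2() {
    dir=$1
    out=$2
    cat >"$out" <<EOF
#!/bin/sh
# Generated wrapper: run git with the OpenSSL-linked libcurl in $dir.
export LD_LIBRARY_PATH="$dir\${LD_LIBRARY_PATH:+:\$LD_LIBRARY_PATH}"
exec git "\$@"
EOF
    chmod 755 "$out"
}

# Usage: sh this-script.sh /opt/curl-openssl/lib ~/bin/git2   (paths are placeholders)
if [ $# -eq 2 ]; then
    check_alt_libcurl "$1" && write_git2 "$1" "$2" && echo "wrote $2"
fi
```

After generating the wrapper, `GIT_CURL_VERBOSE=1 git2 ls-remote https://foo.example.com/some-repo.git` shows in its TLS handshake line which backend the loaded libcurl is using.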

© 2022 - 2024 — McMap. All rights reserved.