5

We have an internal server that GnuTLS doesn't like, e.g:

gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt foo.example.com
Processed 173 CA certificate(s).
Resolving 'foo.example.com'...
Connecting to '1.2.3.4:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Everything other than GnuTLS talks to it ok, but git appears to use GnuTLS out of the box on Ubuntu 14.04.2 LTS so git fails with:

GIT_CURL_VERBOSE=1 git clone https://foo.example.com/some-repo.git
Cloning into 'some-repo'...
* Couldn't find host foo.example.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 1.2.3.4...
* Connected to foo.example.com (1.2.3.4) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
fatal: unable to access 'https://foo.example.com/some-repo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

We're working on fixing the incompatibility with GnuTLS, but in the mean time is there a way to force git to tell curl to use another SSL engine at runtime (i.e not rebuilding git from source)?

lyte
  • 1,007
  • 10
  • 9
  • ***`Fatal error: Error in the certificate`***. GnuTLS is more strict than many libraries, like OpenSSL, when parsing certificate data. Maybe the question to ask is, what is wrong with the certificate. I'm guessing the name ***`foo.example.com`*** or ***`1.2.3.4`***, is not listed as a SubjectAltName. *If* you provided real information, then we might have been able to help you. If you ask what's wrong with the cert, then do it on another site where is on-topic, like Super User. – jww Jan 04 '16 at 06:04
  • 1
    AWS CodeCommit gives this error, fwiw. – tedder42 Jan 07 '16 at 00:16
  • 1
    @jww For the purposes of my issue, I have asked exactly the question I cared about and got exactly the answer I needed. The issue with the cert in question doesn't matter as like I said, that was being looked at independently (I don't have access to fix it myself or much influence over those that do). – lyte Jan 09 '16 at 00:47

1 Answers1

10

git is built to use libcurl, libcurl is built to use a single fixed TLS library that cannot be changed in run-time.

You can however force git to use a different libcurl build at run-time, and that libcurl could be using OpenSSL. That's easiest done by putting that OpenSSL-using libcurl in a separate directory from the "standard" one you have and then you do one of these:

  1. Make sure /etc/ld.so.conf lists that new dir before the old libcurl hosting directory - although then it'll change this setup for all programs using libcurl and you probably don't want that (based on your way of asking)

  2. put "LD_LIBRARY_PATH=[directory where your special libcurl is] git" into a script or alias called "git2" and use that instead of the ordinary git.

Daniel Stenberg
  • 44,219
  • 12
  • 115
  • 175