I'm trying to git clone some repository, but then I get the error:
$ git clone --recursive https://some-url.git
Cloning into 'project'...
fatal: unable to access 'https://https://some-url.git/': Unknown SSL protocol error in connection to some-url.git:443
I've read that the git repositories moved to force TLS 1.0 and no longer support SSLv3 communication due to the POODLE vulnerability. But I don't know whether this error message means that my git client only knows how to talk SSLv3 and the server denies it, or that the server only knows how to talk SSLv3 and my client denies it. If the problem is in my client, how can I configure it to use TLS? On the other hand, if it is the server, how can I resolve it?
The error is received on both SourceTree and scm git (console and gui).
how can I configure it to use TLS?
Git 2.5 (August 2015) already allows you to specify a list of ciphers to use when negotiating SSL connections, with http.sslCipherList and GIT_SSL_CIPHER_LIST.
(See Cannot communicate securely with peer: no common encryption algorithm(s))
Starting Git 2.6+ (Q3 2015), it will be possible to specify the SSL version explicitly:
http: add support for specifying the SSL version
See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)
http.sslVersion
The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:
- sslv2
- sslv3
- tlsv1
- tlsv1.0
- tlsv1.1
- tlsv1.2
Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.
The setting above is important since GitHub now (Feb. 2018) forces disabling weak cryptographic standards.
On February 8, 2018 we’ll start disabling the following:
- TLSv1/TLSv1.1: This applies to all HTTPS connections, including web, API, and git connections to https://github.com and https://api.github.com.
- diffie-hellman-group1-sha1: This applies to all SSH connections to github.com
- diffie-hellman-group14-sha1: This applies to all SSH connections to github.com
Git 2.18 (Q2 2018) can now use TLSv1.3:
When built with more recent cURL, GIT_SSL_VERSION can now specify "tlsv1.3" as its value.
See commit d81b651 (29 Mar 2018) by Loganaden Velvindron (loganaden).
(Merged by Junio C Hamano -- gitster -- in commit 9b59d88, 11 Apr 2018)
http: allow use of TLS 1.3
Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options.
libcurl has supported this since 7.52.0.
This requires OpenSSL 1.1.1 with TLS 1.3 enabled or curl built with recent versions of NSS or BoringSSL as the TLS backend.
With Git 2.21 (Q1 2019), a new "http.version" configuration variable can be used with recent enough cURL library to force the version of HTTP used to talk when fetching and pushing.
See commit d73019f (09 Nov 2018) by Force Charlie (fcharlie).
(Merged by Junio C Hamano -- gitster -- in commit 13d9919, 04 Jan 2019)
http: add support selecting http version
Usually we don't need to set libcurl to choose which version of the HTTP protocol to use to communicate with a server.
But different versions of libcurl, the default value is not the same.
CURL >= 7.62.0: CURL_HTTP_VERSION_2TLS
CURL < 7.62: CURL_HTTP_VERSION_1_1
In order to give users the freedom to control the HTTP version, we need to add a setting to choose which HTTP version to use.
The git config man page now shows:
http.version:
Use the specified HTTP protocol version when communicating with a server.
If you want to force the default.
The available and default version depend on libcurl.
Actually the possible values of this option are:
- HTTP/2
- HTTP/1.1
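
The precedence rules quoted above (GIT_SSL_VERSION overrides http.sslVersion, and an empty GIT_SSL_VERSION forces libcurl's default) can be checked with a few POSIX shell helpers. This is an added example, not part of the original answer or of git itself; the function names are hypothetical, and treating every value below tlsv1.2 as "legacy" is an assumption based on the POODLE and GitHub notices mentioned on this page.

```shell
#!/bin/sh
# Added example; the function names are hypothetical helpers, not git commands.

# effective_ssl_version CONFIG_VALUE
# Documented precedence: GIT_SSL_VERSION, when set (even to the empty string),
# overrides http.sslVersion. An empty result means libcurl's default is used.
effective_ssl_version() {
    if [ "${GIT_SSL_VERSION+set}" = "set" ]; then
        printf '%s' "$GIT_SSL_VERSION"
    else
        printf '%s' "$1"
    fi
}

# classify_ssl_version VALUE
# Sorts a value from the http.sslVersion list. The legacy/ok split is this
# example's assumption: "legacy" names a protocol older than TLS 1.2.
classify_ssl_version() {
    case "$1" in
        "")                     echo default ;;
        sslv2|sslv3)            echo legacy ;;  # SSLv3 is the POODLE target
        tlsv1|tlsv1.0|tlsv1.1)  echo legacy ;;  # TLSv1/TLSv1.1: off at GitHub since Feb 2018
        tlsv1.2|tlsv1.3)        echo ok ;;
        *)                      echo unrecognized ;;
    esac
}

# audit_git_tls [CONFIG_VALUE]
# Prints "<effective value> <verdict>"; returns non-zero unless ok/default.
# With no argument it reads http.sslVersion from git config.
audit_git_tls() {
    if [ $# -gt 0 ]; then
        cfg=$1
    else
        cfg=$(git config --get http.sslVersion 2>/dev/null || true)
    fi
    eff=$(effective_ssl_version "$cfg")
    verdict=$(classify_ssl_version "$eff")
    printf '%s %s\n' "${eff:-<libcurl default>}" "$verdict"
    [ "$verdict" = ok ] || [ "$verdict" = default ]
}

audit_git_tls || echo "review http.sslVersion / GIT_SSL_VERSION" >&2
```

Run inside a checkout, the last line reports the pin that applies to that repository; passing a value as the first argument checks it without reading git config.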