connection problems using git (+TLS1.2) over HTTPS

Shaggy1
Posts: 18
Joined: 2014/10/19 10:51:11

Post by Shaggy1 » 2018/03/15 12:38:02

Hi

I am using centos 6.4:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

$ uname -a
Linux lb-cam-bca-12 2.6.32-358.23.2.el6.x86_64 #1 SMP Sat Sep 14 05:32:37 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux

I am trying to clone freeCAD from github, but am getting an error related to SSL:
$ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://github.com/FreeCAD/FreeCAD.git free-cad-code
12:26:19.861767 git.c:349 trace: built-in: git 'clone' 'https://github.com/FreeCAD/FreeCAD.git' 'free-cad-code'
Cloning into 'free-cad-code'...
12:26:20.496310 run-command.c:341 trace: run_command: 'git-remote-https' 'origin' 'https://github.com/FreeCAD/FreeCAD.git'
* Couldn't find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
* Trying 192.30.253.112... * Connected to github.com (192.30.253.112) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12190
* Error in TLS handshake, trying SSLv3...
> GET /FreeCAD/FreeCAD.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.1.0
Host: github.com
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

* Connection died, retrying a fresh connect
* Expire cleared
* Closing connection #0
* Issue another request to this URL: 'https://github.com/FreeCAD/FreeCAD.git/info/refs?service=git-upload-pack'
* Couldn't find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
* Trying 192.30.253.112... * Connected to github.com (192.30.253.112) port 443 (#0)
* TLS disabled due to previous handshake failure
* NSS error -12286
* Expire cleared
* Closing connection #0
fatal: unable to access 'https://github.com/FreeCAD/FreeCAD.git/': SSL connect error

From what I can gather from https://bugzilla.redhat.com/show_bug.cgi?id=1217477 and https://github.com/userify/shim/issues/25
this is a known problem, but I do not know how to get round it.

Does anyone know how I can get round this issue?
From the above link it looks like the issue can be fixed with a patch to NSS or upgrading to a later nss version, anyone know how I can do that?
Alternatively it looks like you can force TLSv1 by passing -1 to the curl command line, but I do not know how to tell git to do this. Anyone know if it is possible to pass curl command line options to git?
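
Added example, not part of any post in this thread: a small shell helper that decodes the two NSS error codes in the trace above and flags the client's automatic SSLv3 retry. The function names are hypothetical; the code-to-name mapping follows NSS's sslerr.h, where SSL errors are offsets from SSL_ERROR_BASE (-12288).

```bash
#!/bin/sh
# Added example (not from the thread): decode NSS errors in a git/curl trace.
# Function names are hypothetical. Names follow NSS sslerr.h, where
# SSL_ERROR_BASE is -0x3000 (-12288) and each error is BASE + offset.

# Excerpt of the verbose trace quoted in the first post.
SAMPLE_TRACE='* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12190
* Error in TLS handshake, trying SSLv3...
* TLS disabled due to previous handshake failure
* NSS error -12286'

nss_error_name() {
    case "$1" in
        -12286) echo "SSL_ERROR_NO_CYPHER_OVERLAP" ;;       # BASE + 2
        -12190) echo "SSL_ERROR_PROTOCOL_VERSION_ALERT" ;;  # BASE + 98
        *)      echo "UNKNOWN" ;;
    esac
}

# Read a trace on stdin; print one finding per relevant line.
diagnose_trace() {
    while IFS= read -r _line; do
        case "$_line" in
            *"NSS error -"*)
                _code="-${_line##*NSS error -}"
                _code="${_code%%[!0-9-]*}"   # drop anything after the number
                echo "nss_error $_code $(nss_error_name "$_code")" ;;
            *"trying SSLv3"*)
                echo "downgrade: client retried with SSLv3" ;;
            *"TLS disabled due to previous handshake failure"*)
                echo "downgrade: TLS disabled on the retry" ;;
        esac
    done
}

# Summarise a trace on stdin as a single verdict token.
verdict() {
    _findings="$(diagnose_trace)"
    case "$_findings" in
        *SSL_ERROR_PROTOCOL_VERSION_ALERT*downgrade*)
            echo "version-rejected-then-downgraded" ;;
        *SSL_ERROR_PROTOCOL_VERSION_ALERT*)
            echo "version-rejected" ;;
        *)  echo "no-known-tls-failure" ;;
    esac
}

printf '%s\n' "$SAMPLE_TRACE" | diagnose_trace
printf '%s\n' "$SAMPLE_TRACE" | verdict
```

The first error is the peer's alert that the offered protocol version is unsupported; the second comes from the retry made with TLS disabled, which finds no cipher suite in common.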

avij
Forum Moderator
Posts: 2367
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: connection problems using git (+TLS1.2) over HTTPS

Post by avij » 2018/03/15 13:06:34

Shaggy1 wrote: I am using centos 6.4:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

If your redhat-release says Red Hat Enterprise Linux, you are not using CentOS but RHEL. You probably have a support contract from RHEL; they will be happy to help you.

Shaggy1 wrote: From the above link it looks like the issue can be fixed [..] or upgrading to a later nss version, anyone know how I can do that?

Yes, run yum update, which should upgrade your system to 6.9. There have been a number of enhancements to crypto in the most recent RHEL releases, and your problem will likely vanish when you are up to date.

For reference, I can run curl -v 'https://github.com/FreeCAD/FreeCAD.git/info/refs?service=git-upload-pack' successfully on a CentOS 6.9 system. If your system complains about something with that command, try upgrading.

Re: connection problems using git (+TLS1.2) over HTTPS

Post by Shaggy1 » 2018/03/15 14:11:10

> you are not using CentOS but RHEL
Humble apologies. Very sorry about this mis-posting, we (I) are currently in transition from red-hat to centos (they pulled plug on the support contract along with the staff that used to deal with it) and my mind simply went straight to centos and didn't clock this was an older machine.

Thank you very much for replying anyhow!!

I've tried the upgrade, but unfortunately that didn't work ... and will look among redhat docs/posts for a solution!

Re: connection problems using git (+TLS1.2) over HTTPS

Post by avij » 2018/03/15 14:26:53

What part didn't work, the upgrade or git after the upgrade?

I have not looked, but it should be fairly easy to turn a RHEL system into a CentOS system. I suppose you can't remove redhat-release without it removing a ton of other dependent packages, but swapping it with centos-release in the same transaction might work. Something like:

Code:

# yum shell
Loaded plugins: fastestmirror, presto
Setting up Yum Shell
> remove redhat-release-server-6Server
> install http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-9.el6.12.3.x86_64.rpm
> run

You may need to take care of some RH/RHN packages in the same transaction. Once centos-release is installed, it's a matter of running yum update to bring you to 6.9. But please read the release notes before upgrading:

https://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.5
https://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.6
https://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.7
https://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.8
https://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.9

Re: connection problems using git (+TLS1.2) over HTTPS

Post by Shaggy1 » 2018/03/15 16:13:36

> What part didn't work, the upgrade or git after the upgrade?
The git after the upgrade

> but it should be fairly easy to turn a RHEL system into a CentOS system
Thank you very much for this information - I had no idea that it might be possible.
I'll give this a go when I have a little more time to look at what is required - hopefully I can find a machine to test it on where it doesn't matter too much if things go wrong.

Re: connection problems using git (+TLS1.2) over HTTPS

Post by avij » 2018/03/15 16:35:08

OK, so, what do you have now? rpm -q git curl libcurl nss openssl should give you a list of packages that may be related to this issue.

TrevorH
Forum Moderator
Posts: 22285
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: connection problems using git (+TLS1.2) over HTTPS

Post by TrevorH » 2018/03/15 17:14:56

Did you update everything on the system using yum update or did you cherry pick what you wanted to install?

There is a documented but at-your-own-risk wiki article on migrating el5 and el6 - https://wiki.centos.org/HowTos/MigrationGuide