hopsj
Joined: 05 Nov 2014 Posts: 5 Location: USA, Denver
Posted: Wed 05 Nov '14 23:02 Post subject: Intermittent "Unknown SSL protocol error in connection..."
Hello All -
We are hosting a Git server (using Gitolite v3). Our users are interacting with git over an https connection. Here's the relevant versions of software:
Apache 2.4.6
OpenSSL 1.0.1e-fips
Red Hat Enterprise Linux Server release 6.5 (Santiago)
git version 1.8.5.3 (Server Side)
git version 1.9.2.msysgit.0 (Client Side)
Users sometimes encounter an SSL error message when attempting to run git commands that talk to the server (e.g. clone, push, pull). The error message is "Unknown SSL protocol error in connection to servername:443". Users can usually simply try the command again, and it will then work successfully.
I've managed to capture a bit more output by setting the GIT_CURL_VERBOSE flag, see output below.
Code:
* Couldn't find host servername in the _netrc file; using defaults
* Adding handle: conn: 0x2587c40
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x2587c40) send_pipe: 1, recv_pipe: 0
* About to connect() to servername port 443 (#0)
* Trying xxx.xxx.xxx.xxx...
* Connected to servername (xxx.xxx.xxx.xxx) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: C:\Program Files (x86)\Git/bin/curl-ca-bundle.crt
CApath: none
* Unknown SSL protocol error in connection to servername:443
* Closing connection 0
fatal: unable to access 'https://servername/sandbox/git/gitolite-admin/': Unknown SSL protocol error in connection to servername:443
I am stumped on this one. I am a systems administration noob, and have no idea where to even begin trying to troubleshoot this. Any thoughts?
Thanks.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Thu 06 Nov '14 0:07
That is an issue in the git client which uses curl.
In a nutshell, curl doesn't seem to correctly interpret the Connection response header, or more precisely, doesn't seem to correctly interpret the absence of it.
To fix the problem you need to configure the SSL virtual host inside the apache that is serving your GIT repository with an extra directive specifically for git. Add these lines just before the </VirtualHost>.
Code:
BrowserMatch "git" nokeepalive ssl-unclean-shutdown
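Added example (not code from the thread or from the poster's server): the directive above keys on the client's User-Agent header, and Apache's BrowserMatch evaluates its pattern as an unanchored, case-sensitive regular-expression search (BrowserMatchNoCase is the case-insensitive variant). The bare pattern "git" therefore also hits any browser or tool whose User-Agent merely contains that substring, which would switch keepalive off and suppress the TLS close_notify alert for those clients too. The script below models that evaluation over a handful of constructed User-Agent strings and contrasts "git" with the anchored pattern "^git/". Assumptions: git 1.9.x sends "git/<version>" as its User-Agent, and the libgit2 string and the "Digital-Reader" browser string are made up for illustration.

```python
import re

# Constructed User-Agent strings for illustration only (not captured from
# the poster's server). The first is the form a git 1.9.x client sends;
# the libgit2 one is an assumed example of another git-protocol client;
# the rest are non-git clients that should keep normal keepalive and a
# clean TLS shutdown.
SAMPLE_USER_AGENTS = [
    "git/1.9.2.msysgit.0",
    "git/2.0 (libgit2 0.21.0)",
    "Mozilla/5.0 (Windows NT 6.1) Digital-Reader/1.0",  # "Digital" contains "git"
    "GitHub-Hookshot/abc123",                            # capital G, no lowercase "git"
    "curl/7.29.0",
]

# Environment variables set by "BrowserMatch <pattern> nokeepalive ssl-unclean-shutdown":
# nokeepalive closes the connection after each request; ssl-unclean-shutdown
# makes mod_ssl close without sending a TLS close_notify alert to that client.
GIT_ENV_VARS = ("nokeepalive", "ssl-unclean-shutdown")


def browser_match(pattern: str, user_agent: str, nocase: bool = False) -> bool:
    """Mimic Apache's BrowserMatch / BrowserMatchNoCase: an unanchored regex
    search over the User-Agent header value."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, user_agent, flags) is not None


def env_for(user_agent: str, pattern: str) -> tuple:
    """Return the env vars the directive would set for one request."""
    return GIT_ENV_VARS if browser_match(pattern, user_agent) else ()


def affected_clients(pattern: str, user_agents=SAMPLE_USER_AGENTS) -> list:
    """List the sample User-Agents that a given BrowserMatch pattern catches."""
    return [ua for ua in user_agents if browser_match(pattern, ua)]


if __name__ == "__main__":
    for pattern in ("git", "^git/"):
        print(f'BrowserMatch "{pattern}" matches:')
        for ua in affected_clients(pattern):
            print("   ", ua)
```

With the bare pattern the "Digital-Reader" browser string is caught alongside the two git clients; anchoring to "^git/" limits the workaround to clients that identify as git. Either way the User-Agent is chosen by the client, so this is a compatibility tweak for a specific client bug, not something to rely on for access control, and it is worth confirming with GIT_CURL_VERBOSE=1 on the client that the git requests really are the ones hitting the rule.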
hopsj
Joined: 05 Nov 2014 Posts: 5 Location: USA, Denver
Posted: Thu 06 Nov '14 2:48
Thanks a million James. I've implemented this and so far so good.
hopsj
Joined: 05 Nov 2014 Posts: 5 Location: USA, Denver
Posted: Mon 10 Nov '14 21:04
Unfortunately I have to report that this issue is still occurring intermittently even after the fix above. I haven't collected detailed metrics, so I don't know if there's been any improvement in the frequency of the SSL errors, but we are most definitely still getting the errors (yes I did restart the server).
Is this expected to be a 100% (or nearly so) solution?
If I find out anything more I will post here.
Thanks.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Tue 11 Nov '14 11:48
The issue is that sometimes your git on the client side does not resolve the DNS name and uses an IP, and then the certificate does not match the name.
For me that snippet solved the issue at least 98%.
hopsj
Joined: 05 Nov 2014 Posts: 5 Location: USA, Denver
Posted: Tue 11 Nov '14 15:10
Thanks for the info. My server does have a static IP, so perhaps adding a virtual host with the IP could help? I do have the ability to add aliases to our certificate (we are verifying the certificates on our internal network). I'm not sure how our certificate issuers would feel about adding the IP address to the certificate, or if there are any security issues with doing such a thing.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 12 Nov '14 16:16
You can't add an IP to a certificate, only names.
I'm not sure if a vhost would help.