Git Unknown SSL protocol error in connection

Article ID:218154647

Issue

  • I am trying to connect to a Bitbucket repository over HTTPS (SSL) from one of my Jenkins jobs, but I am getting an Unknown SSL protocol error.

fatal: unable to access 'https://git.example.com/scm/sources.git/': Unknown SSL protocol error in connection to git.example.com
  • On Thursday, 22nd February 2018 at 19:00 UTC (11:00 am PST), GitHub disabled access to their service using weak cryptographic ciphers. After this change, it is not possible to access GitHub over HTTPS using SSLv3, TLSv1 or TLSv1.1.

stderr: fatal: unable to access 'https://git.example.com/scm/sources.git/': Peer reports incompatible or unsupported protocol version.

Resolution

To diagnose the issue, we first need the git and curl versions and a trace of the failure. As a normal user, execute these commands:

export GIT_CURL_VERBOSE=1
export GIT_TRACE_PACKET=2
git --version
curl --version
git clone https://git.example.com/scm/sources.git/ .

If you are still using git <2.60 or curl <7.29, upgrade both to the latest possible version.

If the output of these commands is similar to the following, you are probably affected by a bug in git+curl: Git over HTTPS doesn't work with TLSv1.1 or TLSv1.2.

git version 2.6.3
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1k zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP
Cloning into 'onboarding'...
* Couldn't find host git.example.com in the .netrc file, using defaults
* About to connect() to git.example.com port 443
* Trying 192.168.1.23... * connected
* Connected to git.example.com (192.168.1.23) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Unknown SSL protocol error in connection to git.example.com:443
* Closing connection #0
fatal: unable to access 'https://git.example.com/scm/sources.git/': Unknown SSL protocol error in connection to git.example.com:443

To be sure, trace the SSL handshake with this command:

openssl s_client -connect git.example.com:443

If you can see that the server uses the TLSv1.1 or TLSv1.2 protocol version, you need to upgrade git and curl on your system.


SSL handshake has read 4624 bytes and written 433 bytes

New, TLSv1/TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 56E2E024DFC4507EDEFDEFDEFDEFDEFDEFDEF4B57E5704F5952F1842870CF5CF172
    Session-ID-ctx:
    Master-Key: B60D391FC5A232EFD877F36A8032BCEDFEDEFDEFDFEDFDEFDEFDEFDFED0AD62AF7B430DEF7FA08B630E04
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1457709092
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
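
The two checks above (the curl version and the protocol the server negotiates) can be combined into one script. This is an added example, not part of the original article: the function names are hypothetical, the sample input is excerpted from the output shown above, and only the article's curl threshold (7.29) is applied.

```shell
#!/bin/sh
# Constructed sample input, excerpted from the output shown in the article.
SAMPLE_CURL='curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1k zlib/1.2.8'
SAMPLE_SCLIENT='New, TLSv1/TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# version_lt A B: succeed when dotted version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {      # missing components compare as 0
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1                          # equal versions are not "lower"
    }'
}

# curl_version TEXT: version taken from the first line of `curl --version`.
curl_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "curl" { print $2 }'
}

# negotiated_protocol TEXT: value of the "Protocol  :" line in s_client output.
negotiated_protocol() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# diagnose CURL_TEXT SCLIENT_TEXT: print upgrade-client, ok or unknown.
diagnose() {
    cv=$(curl_version "$1")
    proto=$(negotiated_protocol "$2")
    if [ -z "$cv" ] || [ -z "$proto" ]; then echo "unknown"; return 0; fi
    case "$proto" in
        TLSv1.1|TLSv1.2)
            # Server negotiates TLSv1.1/1.2 and curl is below 7.29.
            if version_lt "$cv" 7.29; then echo "upgrade-client"; return 0; fi ;;
    esac
    echo "ok"
}

# Live use: diagnose "$(curl --version)" \
#   "$(openssl s_client -connect git.example.com:443 </dev/null 2>&1)"
diagnose "$SAMPLE_CURL" "$SAMPLE_SCLIENT"
```

A result of `unknown` means one of the two outputs could not be parsed, for example because the handshake failed before a session was established.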