Issue
- I am trying to connect to a Bitbucket repository over HTTPS (SSL) from a Jenkins job, but I am getting an "Unknown SSL protocol error":
  fatal: unable to access 'https://git.example.com/scm/sources.git/': Unknown SSL protocol error in connection to git.example.com
- On Thursday, 22nd February 2018 at 19:00 UTC (11:00 am PST), GitHub disabled access to their service using weak cryptographic ciphers. After this change, it is not possible to access GitHub over HTTPS using SSLv3, TLSv1 or TLSv1.1:
  stderr: fatal: unable to access 'https://git.example.com/scm/sources.git/': Peer reports incompatible or unsupported protocol version.
Environment
- CloudBees Jenkins Team (CJT)
- curl < 7.29.0
- git < 2.6.0
Resolution
To diagnose the issue, first find out the git and curl versions and capture a trace of the failure. As a normal user, execute these commands:
export GIT_CURL_VERBOSE=1
export GIT_TRACE_PACKET=2
git --version
curl --version
git clone https://git.example.com/scm/sources.git/ .
If you are still using git < 2.6.0 or curl < 7.29, upgrade both to the latest possible version.
If the output of these commands is similar to the following, you are probably affected by a bug in git+curl: Git over HTTPS doesn't work with TLSv1.1 or TLSv1.2.
git version 2.6.3
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1k zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP
Cloning into 'onboarding'...
* Couldn't find host git.example.com in the .netrc file, using defaults
* About to connect() to git.example.com port 443
* Trying 192.168.1.23...
* connected
* Connected to git.example.com (192.168.1.23) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Unknown SSL protocol error in connection to git.example.com:443
* Closing connection #0
fatal: unable to access 'https://git.example.com/scm/sources.git/': Unknown SSL protocol error in connection to git.example.com:443
To be sure, trace the SSL handshake with this command:
openssl s_client -connect git.example.com:443
If you see that the server uses protocol version TLSv1.1 or TLSv1.2, you need to upgrade git and curl on your system.
SSL handshake has read 4624 bytes and written 433 bytes
New, TLSv1/TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 56E2E024DFC4507EDEFDEFDEFDEFDEFDEFDEF4B57E5704F5952F1842870CF5CF172
    Session-ID-ctx:
    Master-Key: B60D391FC5A232EFD877F36A8032BCEDFEDEFDEFDFEDFDEFDEFDEFDFED0AD62AF7B430DEF7FA08B630E04
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1457709092
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
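The decision this procedure leads to, as an added shell example (not CloudBees code): it parses `git --version`, `curl --version` and `openssl s_client` output and applies the thresholds from the Environment section. The function names and the `upgrade`/`ok` verdicts are assumptions of this example, and the sample input is constructed from the output shown above.

```sh
#!/bin/sh
# Added example (not CloudBees code): classify captured diagnostics.
# Thresholds come from the Environment section: curl < 7.29.0, git < 2.6.0.

# version_lt A B: succeed when dotted numeric version A is strictly older than B.
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# Read tool output on stdin, print the first version / protocol found.
git_version()  { sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p' | head -n 1; }
curl_version() { sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p' | head -n 1; }
tls_protocol() { sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1; }

# assess GIT_VER CURL_VER PROTOCOL: print "upgrade" when the server negotiates
# TLSv1.1/TLSv1.2 and either client is below its threshold, otherwise "ok"
# (meaning this particular issue does not apply).
assess() {
  case $3 in
    TLSv1.1|TLSv1.2)
      if version_lt "$1" 2.6.0 || version_lt "$2" 7.29.0; then
        echo upgrade; return 0
      fi ;;
  esac
  echo ok
}

# Constructed sample input, shortened from the output shown on this page.
SAMPLE_VERSIONS='git version 2.6.3
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1k zlib/1.2.8'
SAMPLE_S_CLIENT='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

g=$(printf '%s\n' "$SAMPLE_VERSIONS" | git_version)
c=$(printf '%s\n' "$SAMPLE_VERSIONS" | curl_version)
p=$(printf '%s\n' "$SAMPLE_S_CLIENT" | tls_protocol)
echo "git=$g curl=$c server=$p verdict=$(assess "$g" "$c" "$p")"
```

In the sample, git 2.6.3 is above its threshold, but curl 7.22.0 is not, so the verdict is still `upgrade`. On a real host, pipe the live command output into the same functions instead of the sample strings.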