Issue
- I am trying to connect to a Bitbucket repository over HTTPS (SSL) from one of the Jenkins jobs, but I am getting an "Unknown SSL protocol error".
fatal: unable to access 'https://git.example.com/scm/sources.git/': Unknown SSL protocol error in connection to git.example.com
- On Thursday, 22nd February 2018 at 19:00 UTC (11:00 am PST), GitHub disabled access to their service using weak cryptographic ciphers. After this change, it is not possible to access GitHub over HTTPS using SSLv3, TLSv1, or TLSv1.1.
stderr: fatal: unable to access 'https://git.example.com/scm/sources.git/': Peer reports incompatible or unsupported protocol version.
Environment
- CloudBees Jenkins Enterprise (CJE)
- CloudBees Jenkins Enterprise - Managed Master (CJE-MM)
- CloudBees Jenkins Enterprise - Operations Center (CJE-OC)
- CloudBees Jenkins Team (CJT)
- CloudBees Jenkins Platform - Client Master (CJP-CM)
- CloudBees Jenkins Platform - Operations Center (CJP-OC)
- curl < 7.29.0
- git < 2.6.0
Resolution
To diagnose the issue, first find out the git and curl versions and capture a trace of the failure. As a normal user, execute these commands:
export GIT_CURL_VERBOSE=1
export GIT_TRACE_PACKET=2
git --version
curl --version
git clone https://git.example.com/scm/sources.git/ .
If you are still using git < 2.6.0 or curl < 7.29.0, upgrade both to the latest possible version.
If the output of these commands is similar to the following, you are probably affected by a bug in git+curl: Git over HTTPS doesn't work with TLSv1.1 or TLSv1.2.
git version 2.6.3
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1k zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP
Cloning into 'onboarding'...
* Couldn't find host git.example.com in the .netrc file, using defaults
* About to connect() to git.example.com port 443
* Trying 192.168.1.23... * connected
* Connected to git.example.com (192.168.1.23) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Unknown SSL protocol error in connection to git.example.com:443
* Closing connection #0
fatal: unable to access 'https://git.example.com/scm/sources.git/': Unknown SSL protocol error in connection to git.example.com:443
To be sure, trace the handshake of the SSL connection with this command:
openssl s_client -connect git.example.com:443
If the output shows that the server uses protocol version TLSv1.1 or TLSv1.2, you need to upgrade git and curl on your system.
----
SSL handshake has read 4624 bytes and written 433 bytes
----
New, TLSv1/TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 56E2E024DFC4507EDEFDEFDEFDEFDEFDEFDEF4B57E5704F5952F1842870CF5CF172
Session-ID-ctx:
Master-Key: B60D391FC5A232EFD877F36A8032BCEDFEDEFDEFDFEDFDEFDEFDEFDFED0AD62AF7B430DEF7FA08B630E04
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1457709092
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
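The checks above can be scripted so the same triage runs on output saved from a build agent. This is an added example, not part of the original article: the function names and verdict strings are hypothetical, the minimum versions are the ones listed under Environment, and the sample input is copied from the output shown on this page.

```sh
#!/bin/sh
# Added example (not from the original article): triage captured diagnostics offline.
# Minimums come from the Environment section: git 2.6.0, curl 7.29.0.

# version_lt A B: succeed when dotted version A is older than B
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Each extractor reads captured command output on stdin.
git_ver()   { sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p' | head -n 1; }
curl_ver()  { sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p' | head -n 1; }
tls_proto() { sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1; }

# diagnose TRACE SCLIENT: print a one-line verdict (body runs in a subshell)
diagnose() (
  g=$(printf '%s\n' "$1" | git_ver)
  c=$(printf '%s\n' "$1" | curl_ver)
  p=$(printf '%s\n' "$2" | tls_proto)
  case $p in
    TLSv1.1|TLSv1.2)
      if version_lt "$g" 2.6.0 || version_lt "$c" 7.29.0; then
        echo "upgrade: git $g / curl $c below minimum, server uses $p"
      else
        echo "ok: git $g / curl $c meet the minimums, server uses $p"
      fi ;;
    *) echo "other: server negotiated '${p:-unknown}', outside this article's case" ;;
  esac
)

# Sample input, copied from the output shown in this article
TRACE='git version 2.6.3
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1k zlib/1.2.8'
SCLIENT='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

diagnose "$TRACE" "$SCLIENT"
```

On a live agent, pass the saved output of `git --version; curl --version` as the first argument and the saved `openssl s_client` output as the second.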