- I am trying to connect to a Bitbucket repository over HTTPS (SSL) from one of the Jenkins jobs, but I am getting an Unknown SSL protocol error.
fatal: unable to access 'https://git.example.com/scm/sources.git/': Unknown SSL protocol error in connection to git.example.com
- On Thursday, 22nd February 2018 at 19:00 UTC (11:00 am PST), GitHub disabled access to their service using weak cryptographic ciphers. After this change, it is not possible to access GitHub over HTTPS using SSLv3, TLSv1 or TLSv1.1.
stderr: fatal: unable to access 'https://git.example.com/scm/sources.git/': Peer reports incompatible or unsupported protocol version.
- CloudBees Jenkins Enterprise (CJE)
- CloudBees Jenkins Enterprise - Managed controller (CJE-MM)
- CloudBees Jenkins Enterprise - Operations Center (CJE-OC)
- CloudBees Jenkins Team (CJT)
- CloudBees Jenkins Platform - Client controller (CJP-CM)
- CloudBees Jenkins Platform - Operations Center (CJP-OC)
- curl < 7.29.0
- git < 2.6.0
To diagnose the issue, we first need the git and curl versions and a trace of the failure. As a normal user, execute these commands:
export GIT_CURL_VERBOSE=1
export GIT_TRACE_PACKET=2
git --version
curl --version
git clone https://git.example.com/scm/sources.git/ .
If you are still using git < 2.6.0 or curl < 7.29, upgrade both to the latest possible version.
If the output of these commands is similar to the following, you are probably affected by a bug in git+curl: Git over HTTPS doesn't work with TLSv1.1 or TLSv1.2.
git version 2.6.3
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1k zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP
Cloning into 'onboarding'...
* Couldn't find host git.example.com in the .netrc file, using defaults
* About to connect() to git.example.com port 443
* Trying 192.168.1.23...
* connected
* Connected to git.example.com (192.168.1.23) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Unknown SSL protocol error in connection to git.example.com:443
* Closing connection #0
fatal: unable to access 'https://git.example.com/scm/sources.git/': Unknown SSL protocol error in connection to git.example.com:443
To be sure, trace the handshake of the SSL connection with this command:
openssl s_client -connect git.example.com:443
If you can see that the server uses the TLSv1.1 or TLSv1.2 protocol version, you need to upgrade git and curl on your system.
----
SSL handshake has read 4624 bytes and written 433 bytes
----
New, TLSv1/TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 56E2E024DFC4507EDEFDEFDEFDEFDEFDEFDEF4B57E5704F5952F1842870CF5CF172
    Session-ID-ctx:
    Master-Key: B60D391FC5A232EFD877F36A8032BCEDFEDEFDEFDFEDFDEFDEFDEFDFED0AD62AF7B430DEF7FA08B630E04
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1457709092
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
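
The checks described above, combined into one script as an added example (not part of the original article or any CloudBees tooling): it parses the output of `git --version`, `curl --version` and `openssl s_client`, applies the git 2.6.0 and curl 7.29.0 minimums listed on this page, and reports whether an upgrade is needed. The function names and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CloudBees code. Thresholds are the ones listed on this page.
MIN_GIT=2.6.0
MIN_CURL=7.29.0

# version_lt A B: succeeds when dotted version A is older than B.
version_lt() {
  va=$1 vb=$2
  for n in 1 2 3; do
    x=${va%%.*}; y=${vb%%.*}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
  done
  return 1
}

# tool_version TEXT: first version number on line 1 of `git --version` / `curl --version` output.
tool_version() {
  printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# negotiated_protocol TEXT: "Protocol" field of the SSL-Session block from openssl s_client.
negotiated_protocol() {
  printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# diagnose GIT_OUT CURL_OUT SCLIENT_OUT: prints a verdict; returns 1 if an upgrade is needed.
diagnose() {
  g=$(tool_version "$1"); c=$(tool_version "$2"); p=$(negotiated_protocol "$3")
  old=""
  version_lt "$g" "$MIN_GIT" && old="$old git $g"
  version_lt "$c" "$MIN_CURL" && old="$old curl $c"
  case $p in TLSv1.1|TLSv1.2) modern=yes ;; *) modern=no ;; esac
  if [ -n "$old" ] && [ "$modern" = yes ]; then
    echo "upgrade needed: server negotiated $p, outdated client:$old"
    return 1
  fi
  echo "ok: git $g, curl $c, server protocol ${p:-unknown}"
}

# Sample input constructed from the transcripts on this page, so the script runs offline.
SAMPLE_GIT='git version 2.6.3'
SAMPLE_CURL='curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1k'
SAMPLE_SCLIENT='SSL-Session:
    Protocol  : TLSv1.2'
diagnose "$SAMPLE_GIT" "$SAMPLE_CURL" "$SAMPLE_SCLIENT" || true
```

For a live check, pass `"$(git --version)"`, `"$(curl --version)"` and `"$(openssl s_client -connect git.example.com:443 </dev/null 2>/dev/null)"` to `diagnose` instead of the sample strings.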