Re: git access using SSL certificates

From: Shantanu Pavgi
Date: Monday, June 28, 2010 - 7:54 am

Hi,

I have configured a bare Git repository over HTTPS and the client needs to have an SSL certificate-key to access the repository. I am able to access this repository using Firefox by loading the client certificate in Firefox, but it is not working with the git command line client.

I tried setting the http.sslCert and http.sslKey configuration options, but it is not working. The following were the steps in accessing the repository. Am I missing something in my configuration? Any pointers on how to share git using SSL certificates would be really helpful.

Thanks,
Shantanu. 


* Try git-clone using HTTPS without client certs 
{{{
mercury:tempgit-ssh2 shantanu$ git clone https://condor-node2.lab.ac.uab.edu/git/fifa2010 --verbose
Initialized empty Git repository in /Users/shantanu/tempgit-ssh2/fifa2010/.git/
error: Empty reply from server while accessing https://condor-node2.lab.ac.uab.edu/git/fifa2010/info/refs

fatal: HTTP request failed
}}}

* Try git-clone using ssh
{{{
mercury:tempgit-ssh2 shantanu$ git clone ssh://ssp@condor-node2.lab.ac.uab.edu/srv/gitpubrepos/fifa2010 --verbose
Initialized empty Git repository in /Users/shantanu/tempgit-ssh2/fifa2010/.git/
ssp@condor-node2.lab.ac.uab.edu's password: 
remote: Counting objects: 7, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 7 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (7/7), done.
}}}

* Change git remote url 
{{{
mercury:fifa2010 shantanu$ git remote rm origin
mercury:fifa2010 shantanu$ git remote add origin https://condor-node2.lab.ac.uab.edu/git/fifa2010 
}}}

* Try git-pull with HTTPS without certs 
{{{
mercury:fifa2010 shantanu$ git pull
error: Empty reply from server while accessing https://condor-node2.lab.ac.uab.edu/git/fifa2010/info/refs

fatal: HTTP request failed
}}}

* Try git-pull using certificates 
{{{
mercury:fifa2010 shantanu$ git config http.sslCert ~/Desktop/certs/usercerts/bob-svn/ssp.crt 
mercury:fifa2010 shantanu$ git config http.sslKey ...
}}}

From: Ilari Liusvaara
Date: Monday, June 28, 2010 - 1:44 pm

Too old. 1.6.6 is minimum version requirement for smart HTTP push.

Too old. That's quite an old version... Upgrade.

-Ilari
--

From: Shantanu Pavgi
Date: Monday, June 28, 2010 - 3:39 pm

Tried with Git 1.7.1 on Mac: Doesn't work, same error. 
Tried from another CentOS box with Git 1.7.1 and it worked fine. 

In all failed cases the Apache logs indicate: <timestamp> [error] Re-negotiation request failed.

--
Thanks,
Shantanu Pavgi. 



--

From: Ilari Liusvaara
Date: Monday, June 28, 2010 - 5:46 pm

Renegotiation failed? There has been a TLS security hole regarding
renegotiation, and many patched TLS implementations do not allow renegotiation
unless the other side is patched too.

Maybe only one of the sides is patched? Both should be patched. One way to
find out if the server is patched is to connect with a client (e.g. GnuTLS 2.10)
that supports safe renegotiation and disallows connecting to unpatched servers
and see if it connects or not.

-Ilari
--
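
Added example, not part of the original thread: the server check suggested in the reply above, done here with `openssl s_client` instead of GnuTLS by reading the "Secure Renegotiation" line of the handshake summary. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify a server's secure-renegotiation (RFC 5746) support from the
# handshake summary printed by `openssl s_client`.

# Reads s_client output on stdin and prints one of:
#   patched         server advertised secure renegotiation
#   unpatched       TLS <= 1.2 handshake without it
#   not-applicable  TLS 1.3 session (the protocol has no renegotiation)
#   unknown         no handshake summary found (connection failed?)
classify_reneg() {
    awk '
        /Secure Renegotiation IS NOT supported/ { no = 1 }
        /Secure Renegotiation IS supported/     { yes = 1 }
        /^ *Protocol *: *TLSv1\.3/ || /^New, TLSv1\.3,/ { tls13 = 1 }
        END {
            if (yes)        print "patched"
            else if (tls13) print "not-applicable"
            else if (no)    print "unpatched"
            else            print "unknown"
        }'
}

# Live check against a server. Usage: check_server host [port]
check_server() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null | classify_reneg
}

# Constructed excerpts of s_client summaries (not captured from a real host).
SAMPLE_PATCHED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
    Protocol  : TLSv1'
SAMPLE_UNPATCHED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1.3'

# Offline demonstration over the constructed samples.
for s in "$SAMPLE_PATCHED" "$SAMPLE_UNPATCHED" "$SAMPLE_TLS13"; do
    printf '%s\n' "$s" | classify_reneg
done
```

Running the same check from each client machine's OpenSSL build shows what that client's library negotiates; a client linked against GnuTLS needs the equivalent check with its own tools.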

From: Shantanu Pavgi
Date: Monday, June 28, 2010 - 1:23 pm

Forgot to mention version info in my earlier email: 
Server/Public repo: CentOS 5.4 with Git 1.7.1 installed from source 
Client in earlier mail: Mac OS X 10.6 Git 1.6.5.2 

On Mac, git-push:
{{{
mercury:fifa2010 shantanu$ git push --verbose
Pushing to https://condor-node2.lab.ac.uab.edu/git/fifa2010
error: Cannot access URL https://condor-node2.lab.ac.uab.edu/git/fifa2010/, return code 52
error: failed to push some refs to 'https://condor-node2.lab.ac.uab.edu/git/fifa2010'
}}}

On Debian with Git 1.5.6.5:
git-push
{{{
atlab@debian:~/fifa2010$ git push
error: Cannot access URL https://condor-node2.lab.ac.uab.edu/git/fifa2010/, return code 52
error: failed to push some refs to 'https://condor-node2.lab.ac.uab.edu/git/fifa2010'
}}}

On Debian with Git 1.5.6.5: 
git-pull 
{{{
atlab@debian:~/fifa2010$ git pull origin master
error: GnuTLS recv error (-12): A TLS fatal alert has been received.
fatal: Couldn't find remote ref master
}}}

It works on the same server system (CentOS 5.4 Git 1.7.1) using SSL certificates though.   

Any help/suggestions?  

--
Thanks,
Shantanu. 
 


--
