On Windows, how does one configure GIT to prompt or otherwise use a client HTTPS certificate when connecting to an HTTPS repository that requires HTTPS Client authentication?
Complications:
SSL is blocked by firewalls, can't sidestep the problem.
Private Key is locked onto smart card, cannot extract or replace.
Solution:
git clone -c http.sslCert="CurentUser\MY\[thumbprint of cert]" [URL]
Or
.gitconfig:
[http]
sslCert=CurrentUser\\MY\\[thumbprint of cert]
PS, for CURL, it is --cert or -K "CurrentUser\MY[thumbprint]"
Related
Note: this is not a duplicate of openssl s_client using a proxy, as I am specifically interested in proxy authentication, not the ability to use proxy.
I'm using openssl s_client to inspect certificates of the target server to understand how/where the connection works or not. As I'm behind a corporate proxy, I can specify the proxy server with -proxy flag, however I need to pass authentication details (username/password) to this proxy - and I haven't figured out how to do that.
openssl s_client -proxy my.proxy.server:8080 -connect my.target.host
successfully connect to the proxy server, however, understandably, results in error s_client: HTTP CONNECT failed: 407 Unauthorized.
Passing proxy server in the form of user:pass#my.proxy.server or http://user:pass#my.proxy.server both result in error s_client: -proxy argument malformed or ambiguous.
How can I pass proxy authentication to s_client? I would find it hard to believe that it supports proxy but not authenticated proxy.
I'm using openssl version 1.1.1a.
Just to follow up on #Arnaud Grandville's answer: OpenSSL v3 beta 1 has now been released, and it includes proxy authentication options. You have to compile it yourself, however.
Unfortunately in v3 beta 1 the HTTP code had some issues so you can't use the code from their website as-is. Anyone looking to compile from source can use the commands below to get an OpenSSL installation with working proxy authentication:
git clone --branch openssl-3.0.0-beta1 https://github.com/openssl/openssl.git
cd openssl
git fetch
git checkout 6a1f9cd -- crypto/http/http_client.c
./Configure
make
make install
Edit: For later versions this is no longer necessary as the bug was fixed. For example for version 3.0.5 you can simply run:
git clone --branch openssl-3.0.5 https://github.com/openssl/openssl.git
cd openssl
./Configure
make
make install
You can use escape-from-intranet https://github.com/quaddy-services/escape-from-intranet#introduction
and specify
host=my.proxy.server
port=8080
in the app and use
openssl s_client -proxy localhost:3128 -connect my.target.host
and your local running application will enrich the real proxy call with your credentials.
(In case you have a transparent proxy you need to switch the default proxy decision to "PROXY" in the "Decision" Menu)
openssl v3.0 will supports proxy_user and proxy_pass options.
no solution for now, the syntax after proxy is
host + ':' + service
host + ':' + '*'
host + ':'
':' + service
'*' + ':' + service
host
service
cf. BIO_parse_hostserv
I have an access to a preconfigured Windows XP 32-bit workstation.
It's under firewall and to get outside it uses http proxy server.
To get proxy settings I need host, port, username and password.
http: // username : password # server : port
I'm able to find the proxy url and port (from PAC - automatic config file),
but I don't know how to get username/password. Is there a way to read it somehow? At least username? I might get the admin rights.
Do you know any tool that can help?
I only found these MS docs about some methods to get proxy config connection, but I don't know how to determinate what's the provided credentials:
WinHttpGetIEProxyConfigForCurrentUser function
WINHTTP_CURRENT_USER_IE_PROXY_CONFIG structure
WinHttpGetProxyForUrl function
I've also found this lib, but it's rather for parsing PAC:
http://code.google.com/p/pacparser/
In windows you cannot get password.
To get connect throw a proxy you have to use SSPI, check libcurl, you can get a connected socket throw proxy, build it with enable-sspi and openssl.
Iterating on Fernando Sanchez's answer and Robert's comment, you need to authenticate via SSPI. In my case I've connected using NTLM using this link
With curl using ntlm :
curl.exe --proxy <proxy_name>:<proxy_port> --proxy-ntlm -U : https://www.google.com
Also to partially answer your question the -U : means from curl man page :
If you use a Windows SSPI-enabled curl binary and do either Negotiate
or NTLM authentication then you can tell curl to select the user name
and password from your environment by specifying a single colon with
this option: "-U :".
You can get the proxy name and port from the windows registry (regedit). Quote from Robert's comment:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
It can be present either in a manual way using REG_SZ ProxyServer or using an autoconfiguration script using REG_SZ AutoConfigURL = https://<configuration_url>
If the curl command above fails with Failure when receiving data from the peer maybe you have a curl release without NTLM, SSPI or OpenSSL. Try with the latest curl release
I'm facing some problems while git clone a repo from my ubuntu server running gitolite.
First, I got a public key from the developer who wants to clone the repository from the server. It was a rsa key created with putty. So I did the following to parse it from the putty-style to openssh format with:
ssh-keygen -i -f /tmp/ssh2/YourName.pub > /tmp/openssh/YourName.pub (taken from http://gitolite.googlecode.com/git/doc/ssh-troubleshooting.mkd?r=d3a663d03f1027f909732d55d0519bdd84edb62c)
and uploaded the public key along with a new entry for the repo and the new user in the config file to gitolite-admin repo.
So far, so good.
The developer is using **** along with putty to connect to the server, which is running git on a non-standard port and he keeps on getting the same error over and over again:
Cloning into 'D:\path\to\dirctory'...
error: Recv failure: Connection was reset while accessing http://sub.domain.com/info/refs
fatal: HTTP request failed
git did not exit cleanly (exit code 128)
Could anyone give me some advice about this issue?
EDIT:
In the meantime, we managed to git clone the repository by addressing it with the ssh:// protocol instead of git://, so it doesn't seem like it is a problem of the rsa_public.key or something like that.
The iptables on the server are accepting connections through the port for git, but it keeps on giving the above mentioned error.
The OP herom initially commented that the developer used git://git#remote.server.com:port/repo.git as an address.
I asked if there was any firewall issue, preventing the use of the git port (9418), but the OP mentioned:
no, there shouldn't be a firewall issue as iptables is accepting traffic for the git port - the port is forwarded and appears to be another port when connecting from outside...
Now, the developer cloned the repo through ssh:// (and even connecting to the ssh-port!)
I note that the git port can sometime be blocked, as illustrated in this thread.
If not on the client side, maybe on the server side.
I've just successfully built SparkleShare for windows according to guide:
https://github.com/wimh/SparkleShare/wiki
and exported my ssh public key to a server.
The problem is that I can't connect from a client behind a http_proxy to a public server with ssh running on a custom port. I had also problem with cloning any git server. I need to switch git:// protocol to http:// one. Any suggestion? Does anyone have similar experience?
This is a log file:
15:25:13 [SSH] ssh-agent started, PID=4380 Identity added:
C:\Users\MYUSER\AppData\Roaming\sparkleshare\sparkleshare.MYEMAIL.key
(C:\Users\sg0922706\AppData\Roaming\sparkleshare\sparkleshare.MYEMAIL.key)
15:25:34 [Fetcher][C:\Users\MYUSER\Documents\SparkleShare.tmp\share]
Fetchin g folder: ssh://MYGITUSER#MYHOST/MYPATH 15:25:34 [Fetcher]
Disabled host key checking MYHOST 15:25:34 [Cmd] git clone --progress
"ssh://MYGITUSER#MYHOST/MYPATH" "C:\Us
ers\MYUSER\Documents\SparkleShare.tmp\share" 15:25:37 [Git] Exit code
128 15:25:37 [Fetcher] Failed 15:25:37 [Fetcher] Enabled host key
checking for MYHOST
To get SparkleShare to use your proxy you will need to modify the config of the msysgit that is installed as part of SparkleShare. Navigate to C:\Program Files (x86)\SparkleShare\msysgit\etc and edit the gitconfig file in notepad and add the following line under the [http] tag
proxy = http://user:pass#proxyurl:port
modifying the url as required to match your settings. You can then use the "On my own server" option to add the http url of your repository.
I have a work around on this particular problem. I guess that you already successfully connected to your server via a simple SSH client (i.e. PuTTY)? With PuTTY you can easily configure an ssh connection via any kind of proxy (such as HTTP, SOCKS, Telnet, ..)
What you can do now is to specify a local "tunnel" (an SSH port forwarding rule) like this: L22 127.0.01:22 (see attachment). If you are using a ssh command line add the following option: -L 22:127.0.01:22.
So now as soon as your terminal is open and running you'll be able to reach your git server via the server url: ssh://git#127.0.0.1.
If your local port 22 is busy you can define the tunnet on a other port. i.e. if the 44 is not occupied: L44 127.0.0.1:22. The url to use in SparkleShare become ssh://git#127.0.0.1:44.
But it's a work around. I'm looking for a better solution.
Recently Mercurial has added certificate validation when connecting to HTTPS servers. I'm trying to clone the wiki repository for a Google Code project at https://wiki.droidweight.googlecode.com/hg/, but the certificate is for *.googlecode.com.
Google Code's certificate does not cover multiple subdomains like *.*.googlecode.com.
I'm getting the error:
% hg clone --verbose https://wiki.droidweight.googlecode.com/hg/ -- C:\workspace\wiki
abort: wiki.droidweight.googlecode.com certificate error: certificate is for *.googlecode.com, googlecode.com, *.codespot.com, *.googlesource.com, googlesource.com (use --insecure to connect insecurely)
I need to get the certificate fingerprint. This SO answer says how to do it on *nix.
How would one get the fingerprint on Windows 7 (Home Premium)?
References:
Open issue on Google Code's support site.
Mercurial CA Certificates FAQ.
Which version of Mercurial are you using? 1.8.2 prints the fingerprint when you clone, as per the documentation.
EDIT: After some testing, I realised that Mercurial prints the certificate when you connect insecurely (I don't have web.cacerts configured, so cloning always succeeded, though with a warning). So if you pass --insecure to your hg clone, you'll get a clone and a fingerprint.
Alternatively, install GnuWin32! It makes the Windows command line a fun place to be :) (I have no affiliation with GnuWin32; just hugely appreciative.)