I made my own git server on a centos distribution.
I can contact the server via git protocol at my home. But when I try to access via https at office I obtain:
Cloning into /Users/vito/Documents/... error:
error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while
accessing https://gitolite#myserverxyz.com/vitorepo.git/info/refs
fatal: HTTP request failed
Where is the problem? On my server or on my office-mac?
I got the exact same response from curl when trying to connect with an ubuntu instance running openssl 1.0.0e. I successfully resolved the problem by adding the -ssl3 flag to the curl command.
It seems that it's a compatibility problem between older version of OpenSSL (0.9.8) acting as a client and recent OpenSSL version (1.0.0) acting as a server with some specific options used by Curl on client side and Apache on server side.
It's probably due to some recent security fix in OpenSSL (probably the one against protocol downgrade attacks).
Try upgrading the OpenSSL library version on the client side to 1.0.0.
See:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3395520&group_id=976
In case anyone has this issue with XMLRPC.
Daniel's answer (forcing SSL version 3) solved the issue for me. just specify XMLRPC_SSLVERSION_SSLv3 in the clientXmlTransport_curl options (C++).
The problem began when we upgraded our server to OpenSSL version 1.0.1-4ubuntu5.5 and the clients were still running 0.9.8o-5ubuntu1.7.
I believe this is a host-name matching issue on the server. Error 1112 is SSL_R_TLSV1_UNRECOGNIZED_NAME, and comes from an SNI name mismatch (info on SNI). I was having the same issue in curl.
For me, the work around was to make sure the name I used on the client matched one of the ServerName or ServerAlias configurations on the server. Of course, these commands are for an apache server; I don't know what you need to do for a git server. But I suspect the server names you're using from home and work are different, and the home name is the cannonical name the git server is using (and therefore SNI is working).
The 'real' fix will probably take a client change in git to allow a way to ignore the name-mismatch warning (the way your browser already does).
Not sure if I had exactly the same problem, but the error message was the same. It only seemed to be happening on the ubuntu box I set up a git server on, for some reason the centos box with a git server set up on it was fine.
I only just solved it after 3 or 4 days. It turns out to be because git's underlying Curl library has a broken Keep-alive implementation (I ended up dumping HTTP traffic and verifying the behaviour by hand).
In a nutshell Curl (at least the version used inside every Git implementation I could find, including command line git and eclipse's EGit) doesn't seem to correctly interpret the Connection response header, or more correctly doesn't seem to correctly interpret the absence of it.
To fix the problem you need to configure the SSL virtual host inside the apache that is serving your GIT repository with an extra directive specifically for git. Add these lines just before the </VirtualHost>.
BrowserMatch "git" nokeepalive ssl-unclean-shutdown
You unfortunately can't tell apache to just downgrade to HTTP/1.0 (would be cleaner) because Curl can't handle that, but you can just tell it to force a Connection:close on every request which Curl does know how to handle.
In a misleading coincidence, if you try to test Curl directly without this change it will seem to work, because it makes a single request and then aborts. Only by getting curl to execute two requests on the same keep-alive connection over ssl will this problem become apparent.
I had the same error. The root cause seems to be incompatibility of client/server openssl versions.
I've upgraded my server with apt-get upgrade openssl and upgraded my windows git installation.
The combination of windows git client
git version 1.9.4.msysgit.0, which contains openssl version:
OpenSSL 0.9.8e 23 Feb 2007
And server with openssl version:
OpenSSL 1.0.1c 10 May 2012
seems to work fine together.
Related
Good afternoon, dear community!
I ask for help from those who had the relevant experience.
I am making an API request to https://ssl.croinform.ru:450. For example, an authentication request: curl -k POST https://ssl.croinform.ru:450/api.test?Type=Login&Login=testUser&Password=testPassword but I get the error. The error text differs depending on the environment where I am running the curl command.
On windows I experiment in git bash (curl version 7.77.0) and Cygwin64 (curl version 7.78.0), get the same error: curl: (35) error: 14094410: SSL routines: ssl3_read_bytes: sslv3 alert handshake failure.
В CentOS7 (curl version 7.78.0): curl: (6) Could not resolve host: POST
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
The service provides certificates that need to be installed on your OS: cacer.p7b, ssl.croinform.cer. As recommended in the service documentation, on windows I installed them in Trusted Root Certification Authorities. There is no support recommendation for CentOS7, but I put the certificates at / etc / pki / ca-trust / source / anchors / and ran the update-ca-trust enable and update-ca-trust extract commands. These actions do not solve the problem.
Please tell me what I am doing wrong.
Thanks in advance!
your error shows the protocol to use is SSL version 3 and the handshake is failing to agree to use this protocol to communicate with SSL.
plus this may be unsupported now, the latest TLS versions are TLS 1.1 and 1.2
you could try a different protocol version for example,
curl --tlsv1.2
To use tls 1.2 but have a look at the documentation for other protocols also.
If this is a test you can allow insecure connections with the curl -k parameter
My domain is: https://www.neasy.de
I ran this command:
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto certonly -a standalone -d neasy.de -d www.neasy.de
cd /etc/letsencrypt/live/neasy.de
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version): linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0
4 month ago i first used letsencrypt and I was success to use it. I learned I have to generate certificate
with and without www. prefix and it is important. My company has changed the domain name from neasy.app to neasy.de and for that I deleted my old certificate and generate new one for neasy.de
Now i am in a new trouble that if i write in my browser neasy.de it does not work even if i write www.neasy.de it does not work. But for at least once time if I write https://neasy.de or https://www.neasy.de it works, and for the next time i dont need to write https:// prefix.
This issue really seems weird to me any help will be appreciated. If you already tried writting https://neasy.de then you can open firefox browser private window
Since you're using Ubuntu please follow this guide:
https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache.html (jus make sure to choose your ubuntu release from the dropdown).
this will guide you through the whole process without manual work.
Just make sure to run all apt-related commands.
Was there a route for the old domain neasy.app which was redirecting the http traffic to https ? It looks like you forgot to update that route with the new domain name.
Usually when you enter any new website in the address bar of browser it by default uses http protocol. On the server site you have to do a 301 redirect from http to https.
I am using chef dk version 12 and i have done basic setup and uploaded many cookbooks , currently i am using remote_directory in my default.rb
What i have observed is whenever there are too many files /hierarchy in the directory the upload fails with the below exception :-
ERROR: SSL Validation failure connecting to host: xyz.com - SSL_write: cert already in hash table
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL_write: cert already in hash table
As mentioned earlier connection to server isnt a problem it happens only when there are too many files/the hierarchy is more .
Can you please suggest what i can do? I have tried searching online for solutions but failed to get a solution
I have checked the question here but it doesnt solve my problem
Chef uses embedded ruby and openssl for people not working with chef
Some updates on suggestion of tensibai,
The exceptions have changed since adding the option of --concurrency 1 ,
Initially i had received,
INFO: HTTP Request Returned 403 Forbidden:ERROR: Failed to upload filepath\file (7a81e65b51f0d514ec645da49de6417d) to example.com:443/bookshelf/… 3088476d373416dfbaf187590b5d5687210a75&Expires=1435139052&Signature=SP/70MZP4C2UdUd9%2B5Ct1jEV1EQ%3D : 403 "Forbidden" <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message>
Then yesterday it has changed to
INFO: HTTP Request Returned 413 Request Entity Too Large: error
ERROR: Request Entity Too Large
Response: JSON must be no more than 1000000 bytes.
Should i decrease the number of files or is there any other option?
Knife --version results in Chef: 12.3.0
Should i decrease the number of files or is there any other option?
Ususally the files inside a cookbook are not intended to be too large and too numerous, if you got a lot of files to ditribute it's a sign you should change the way you distribute thoose files.
One option could be to make a tarball, but this makes harder to manage the deleted files.
Another option if you're on an internal chef-server is to follow the advice here and change the client_max_body_size 2M; value for nginx but I can't guarantee it will work.
I had same error and i ran chef-server-ctl reconfigure on chef server then tried uploading cookbook again and all started working fine again
So I have tried and tried to get my ssh to work with kerberos on Mavericks to no avail. Here are my versions:
ssh: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
kerberos: Heimdal 1.5.1apple1
I also tried the built in ssh with no effect as well. Here is my config:
ForwardAgent yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
i have checked, there are no overriding settings in my user config
After all of this, I still get prompted for a password when ssh'ing to a linux host that does work with linux clients. (I am able to successfully kinit and i do get a ticket)
Any clues what I am missing? Has anyone has this problem before.
HERE is a link to the ssh connection log. It just seems to abandon gssapi without even trying it... why????
NOTE ON OSX SIERRA:
It appears that Apple broke it again.... The gssapitrusdns stuff is actually a third-party contribution and Apple revved to a newer ssh that doesn't include those patches... See HERE and HERE
ORIGINAL ANSWER (pre Sierra):
Ok, so after even more head-scratching, giving up, and violent attempts to strangle my computer with a power cord, I have found the answer... Turns out, OSX need to be told to explicitly trust DNS.... Add the following line to your ssh config:
GSSAPITrustDNS yes
Source (check the 'Problems and Workarounds' section)
From the logs it looks like server is sending "gssapi-keyex,gssapi-with-mic" methods but somehow client doesn't have support for it.
Look at this logs
preferred publickey,keyboard-interactive,password
can you check your client whether it supports it or not ?
you can check client config file /user//.ssh/config -> on linux system.
I am facing an issue while sending request to server for push notification. While trying to connect to apple server we are getting the following response,
ApnsPHP[15748]: INFO: Trying ssl://gateway.sandbox.push.apple.com:2195... Tue, 15 Jan 2013 08:20:28 +0100 ApnsPHP[15748]: ERROR: Unable to connect to 'ssl://gateway.sandbox.push.apple.com:2195': Permission denied (13)
We checked the server settings and the server is not blocking any out going requests. We created the p12 certificate as per the guidelines by apple, and we are converting it to .pem by executing following shell command in the server.
openssl pkcs12 -in HSPushNopassword.p12 -out HSPushNopassword.pem -nodes -clcerts
And the same code and certificate is working fine in another server.
Please let me know why we are getting this error? Thanks,
There is a better solution than disabling SELinux completely. The problem is that on most SELinux systems (as RedHat, which I am using) HTTPD is not allowed to create network connections.
You can use this command to enable it:
setsebool -P httpd_can_network_connect=1
-P for permanent setting.
I hope it helps, though this thread is accepted
I sorted it out. Yes, the problem was the server, but it was likely due to when they had root and reloaded things. In a nutshell, there is a very restrictive security system called 'selinux'. So I disabled that, and set the config so it stays off after reboot. And the push notification is working fine now.