msysgit / git

msysGit-based Git for Windows 1.x is now superseded by Git for Windows 2.x
http://github.com/git-for-windows/git

sslv3 alert handshake failure #325

Closed xtphty closed 9 years ago

xtphty commented 9 years ago

When trying to access a private repo I run into this issue on Windows git:

$ git clone http://privaterepo
Cloning into 'privaterepo'...
fatal: unable to access 'http://privaterepo': error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The server supports TLS 1.0+ only. The clone works fine on Ubuntu / OS X. Any ideas what's wrong here?

dscho commented 9 years ago

Given that it complains about TLS, I figure that you meant to write https://..., not http://....

Also keep in mind: the harder it is to reproduce the issue, the fewer volunteers you will encounter to help you resolve the issue.

You could try to investigate more yourself, of course, in which case setting the environment variable GIT_CURL_VERBOSE=1 might shed more light into the root cause(s).

xtphty commented 9 years ago

Yeah, sorry, I posted this a bit hastily. We are using Cloudflare's free SSL setup in front of this repo, which seems to be causing this issue. I found another random site with a similar setup that causes the same problem (note this is not a git repo, but it's a handshake failure so it shouldn't matter). Here is the verbose CURL output:

$ GIT_CURL_VERBOSE=1 git clone https://www.runa.org/
Cloning into 'www.runa.org'...
* Couldn't find host www.runa.org in the _netrc file; using defaults
* Adding handle: conn: 0x23ce1a8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x23ce1a8) send_pipe: 1, recv_pipe: 0
* About to connect() to www.runa.org port 443 (#0)
*   Trying 104.28.20.49...
* Connected to www.runa.org (104.28.20.49) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: C:\Program Files (x86)\Git/bin/curl-ca-bundle.crt
  CApath: none
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
fatal: unable to access 'https://www.runa.org/': error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

dscho commented 9 years ago

Well, a quick web search for 14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure turned up this page: http://curl.haxx.se/mail/archive-2014-11/0030.html. So it seems that the site uses the (broken) SSLv3 protocol. If you cannot fix the server, you can try to follow this advice to re-enable support for SSLv3 in your own fork of Git for Windows.

mitsu333 commented 9 years ago

Hi, is this the same problem? I can't use SSLv3, only TLSv1.x.

App version: OpenSSL 1.0.1k-fips 8 Jan 2015; git version 1.9.5.msysgit.0

ssl.conf: SSLProtocol -All +TLSv1, SSLCipherSuite xxx (you can see "Final answers")

git clone https://a.b.c.d/xxx

"Final answers"

Git Handshake Failure(40)

DES-CBC3-SHA DHE-RSA-AES256-SHA RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DHE-RSA-AES128-SHA

Openssl no cipher

DHE-DSS-CBC-SHA DHE-DSS-DES-CBC3-SHA DHE-RSA-DES-CBC-SHA DHE-RSA-DES-CBC3-SHA EXP-DHE-DSS-DES-CBC-SHA EXP-DHE-RSA-DES-CBC-SHA

chrome ERR_SSL_VERSION_OR_CIPHER_MISMATCH

DES-CBC-SHA DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5 IDEA-CBC-SHA

t-b commented 9 years ago

@mitsu333 This is not our openssl you are using. We have

$ openssl version
OpenSSL 0.9.8zb 6 Aug 2014

mitsu333 commented 9 years ago

Hi, Thomas. Thank you for answering my question! And I have a question: "When will msysgit support OpenSSL 1.0.x?" Do you have any roadmaps?

dscho commented 9 years ago

"when msysgit support OpenSSL 1.0.x?"

It won't. We are currently switching to a new SDK which already has up-to-date OpenSSL packages, though.

t-b commented 9 years ago

@mitsu333 Just out of pure curiosity: what features do you need in openssl 1.0.x which are not present in 0.9.8*?

mitsu333 commented 9 years ago

Hi! I got the flu last week... Anyway, dscho, thank you for telling me about the new SDK! I'll try to use the new one.

t-b Actually, I'm using Amazon EC2 and couldn't downgrade ("sudo yum --showduplicate list openssl"), because the EC2 openssl default is 1.0.1k-1. I just want to use "git client for windows", "server using openssl 1.0.x TLSv1.0" and a "client certificate". Right now I can't use that environment. I hope "git-for-windows" can make it.

xtphty commented 9 years ago

@dscho Sorry I haven't had a chance to follow up on this. More searching today led me to an older issue posted on msysgit https://github.com/msysgit/msysgit/issues/269 , and I realized cloudflare has SSLv3 disabled in their SSL config https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/

Are there any workarounds for disabling SSLv3 in git via command line options or config tweaks? Or is building with curl 7.39+ the only option?

edit: I tried to curl the same site to see if there was any more output; it seems like it fails to recognize the TLS handshake or something?

curl -v https://www.runa.org/
* Adding handle: conn: 0x7ee940
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7ee940) send_pipe: 1, recv_pipe: 0
* About to connect() to www.runa.org port 443 (#0)
*   Trying 104.28.21.49...
* Connected to www.runa.org (104.28.21.49) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
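Added example, not part of this thread or of Git for Windows: a small Python decoder for the OpenSSL error code quoted in the traces above and for the raw TLS alert record behind it, showing that "sslv3 alert handshake failure" is the server's fatal TLS alert 40 (handshake_failure: no acceptable protocol version / cipher suite), not a statement that SSLv3 was negotiated. The function-code table comes from OpenSSL's ssl.h, the alert names from RFC 5246, and the sample alert bytes are constructed.

```python
# Added example (not from the msysgit thread): decode the OpenSSL error codes
# and the TLS alert record behind "sslv3 alert handshake failure".
import struct

# OpenSSL 0.9.8 / 1.0.x packs an error code as lib<<24 | func<<12 | reason.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000          # reason = 1000 + TLS alert description

# Function codes from OpenSSL's ssl.h that show up in this thread's errors.
SSL_FUNCS = {119: "SSL23_GET_SERVER_HELLO", 148: "SSL3_READ_BYTES"}
# TLS AlertDescription / AlertLevel values (RFC 5246, section 7.2).
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}

def decode_openssl_error(hexcode):
    """Split an OpenSSL error code such as '14077410' into lib/func/alert."""
    code = int(hexcode, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xfff, code & 0xfff
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return {
        "lib": "SSL" if lib == ERR_LIB_SSL else str(lib),
        "func": SSL_FUNCS.get(func, str(func)),
        "alert": alert,
        "alert_name": ALERT_DESC.get(alert, "unknown"),
    }

def parse_alert_record(record):
    """Parse a TLS record of type alert (0x15): (version, level, code, name)."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 0x15 or length != 2 or len(record) != 7:
        raise ValueError("not a TLS alert record")
    level, desc = record[5], record[6]
    version = "SSLv3" if (major, minor) == (3, 0) else f"TLSv1.{minor - 1}"
    return version, ALERT_LEVEL.get(level, "?"), desc, ALERT_DESC.get(desc, "unknown")

# Constructed sample: the fatal handshake_failure alert a server sends right
# after a ClientHello it cannot satisfy (record version 3.1 = TLS 1.0).
SAMPLE_ALERT = bytes.fromhex("15030100020228")

if __name__ == "__main__":
    for code in ("14077410", "14094410"):
        print(code, decode_openssl_error(code))
    print(parse_alert_record(SAMPLE_ALERT))
```

Run against a live server, the same alert can be observed with `openssl s_client -connect host:443 -msg`, which prints the raw record bytes.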

dscho commented 9 years ago

I am much less of an expert in OpenSSL matters than @t-b, but my understanding was that SSLv3 is deprecated and that cURL would try TLSv1 first (which is not deprecated) and only fall back to SSLv3 if the server cannot handle TLSv1. I am probably wrong, though, given the trace you show above.

t-b commented 9 years ago

@dscho thanks for the openssl-knowledge-badge.

I've stumbled upon this which suggests that our old curl does not know the new ciphers used by cloudflare. In fact, from my research it looks like our mingw-openssl is too old. I've recompiled curl in version 7.41.0 using openssl 0.9.8zd but that does not help anything here.

Btw. this site has a really strange setup:

User@USER-PC /usr/src/curl/curl-7.41.0/src (master)
$ curl.exe -v --tlsv1.1 https://www.runa.org
* Rebuilt URL to: https://www.runa.org/
*   Trying 104.28.21.49...
* Connected to www.runa.org (104.28.21.49) port 443 (#0)
* Unsupported SSL protocol version
* Closing connection 0
curl: (35) Unsupported SSL protocol version

User@USER-PC /usr/src/curl/curl-7.41.0/src (master)
$ curl.exe -v --tlsv1.2 https://www.runa.org
* Rebuilt URL to: https://www.runa.org/
*   Trying 104.28.21.49...
* Connected to www.runa.org (104.28.21.49) port 443 (#0)
* Unsupported SSL protocol version
* Closing connection 0
curl: (35) Unsupported SSL protocol version

As we are currently switching to a new SDK for building git, I'm sorry to say that we will not upgrade the openssl in msysgit.

@xtphty Are you just using this site or is it under your control?

xtphty commented 9 years ago

@t-b I had this issue on an internal network site that I couldn't link here, so I found something with a similar setup to post here for the benefit of testing. It's caused by CloudFlare's open-sourced SSL config https://github.com/cloudflare/sslconfig, which is their service default. So if you try to CURL any CloudFlare site using these defaults, it will fail.

t-b commented 9 years ago

@xtphty Please have a try with the newest version found here.

xtphty commented 9 years ago

@t-b Odd, I was able to curl the test site successfully (runa.org) but my internal server is still failing:

curl -v https://10.5.5.2/
...
* successfully set certificate verify locations:
*   CAfile: C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt
  CApath: none
* TLSv1.0, TLS handshake, Client hello (1):
* TLSv1.0, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Previously though it failed even before the TLSv1 hello, not sure what the issue is now.

mitsu333 commented 9 years ago

@t-b Thx for the update! But it looks like I still have the problem.

Server: openssl 1.0.1k with ssl.conf (SSLProtocol -All +TLSv1, SSLCipherSuite ALL). Client: Git-1.9.5-preview20150319 with TortoiseGIT (1.8.13.0).

Server Hello: TLSv1, cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) ... Alert (Level: Fatal, Description: Handshake Failure). git client: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

dscho commented 9 years ago

@xtphty @mitsu333 please test with Git for Windows 2.x (which supersedes the project associated with this bug tracker). If the bug persists, please open a ticket there. Thank you.