On Fri, 29 Nov 2013 13:53:29 +0900
Shinpei Nakata <shinpei.nak...@gmail.com> wrote:

> From LD_DEBUG log, git-1.7 using libcurl-gnutls.so library which is
> Ubuntu's default installed, and git-1.8 using locally built libcurl
> (installed in /usr/local).
> Here's my response from openssl to git.xxx.xxx.com:443, hope this is
> good enough.
> ....
> New, TLSv1/SSLv3, Cipher is RC4-MD5
>     Verify return code: 20 (unable to get local issuer certificate)
> About verify return code, it seems doesn't matter only for connecting.
> (because I tried another machine which's working well, and it returns
> same code.)

Yes, it only means openssl failed to verify the trust chain of the
certificate presented by the client.  It means you can't really trust
the identity of the server (and all you get is encrypted channel,
unless you've been MitM'ed already).

> If I try -no_tls1, the error has printed as below.
> error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported
> protocol:s23_clnt.c:697:
> Sorry for long mail, but the openssl command above is
> /usr/bin/openssl, which is distributed with Ubuntu 12.04. I tried with
> locally built openssl command which is from openssl-1.0.1e package,
> then the output differs. Only when I use -no_tls1, the connection
> established, otherwise it gets stuck.
> Does this mean, the server side using old ssl/tls library? (Which
> doesn't support tlsv1)

Yes, that's what I would conclude.

Sorry but I'm not an expert in this field.  While it seems my guess
was correct, from there you should proceed by yourself.
Start with [1] and dig deeper. [2] seems to explain your case.

Also note that libcurl uses not OpenSSL but GNUTLS.  So I'd try to
figure out which defaults your build of GNUTLS has.

1. https://www.google.com/search?q="SSL3_GET_RECORD:wrong+version+number"
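
An added example, not part of the original message: a small Python triage of `openssl s_client` output like the lines quoted above, pulling out the negotiated cipher, the verify return code, and the fields of the error-queue line. The sample transcripts are constructed from the lines in the thread, and the numeric split assumes the packed error-code layout of OpenSSL 1.0.x.

```python
import re

# Constructed transcripts, modelled on the s_client lines quoted in the thread.
SAMPLE_CONNECTED = """\
New, TLSv1/SSLv3, Cipher is RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
"""
SAMPLE_FAILED = ("error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:"
                 "unsupported protocol:s23_clnt.c:697:\n")

ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")
CIPHER_RE = re.compile(r"^New, (\S+), Cipher is (\S+)", re.M)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \(([^)]*)\)")

def decode_error(text):
    """Split an error-queue line into its numeric and textual fields."""
    m = ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        # Assumption: OpenSSL 1.0.x packs lib(8 bits) | func(12) | reason(12).
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "func_name": m.group(3),
        "reason_text": m.group(4),
        "source": f"{m.group(5)}:{m.group(6)}",
    }

def triage(transcript):
    """Summarise what a transcript says about the channel and the peer."""
    cipher = CIPHER_RE.search(transcript)
    verify = VERIFY_RE.search(transcript)
    code = int(verify.group(1)) if verify else None
    return {
        "cipher": cipher.group(2) if cipher else None,
        "verify_code": code,
        # Code 0 is the only value meaning the chain was verified; anything
        # else leaves an encrypted channel to an unauthenticated peer.
        "peer_authenticated": code == 0,
        "handshake_error": decode_error(transcript),
    }

if __name__ == "__main__":
    for sample in (SAMPLE_CONNECTED, SAMPLE_FAILED):
        print(triage(sample))
```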
