On Fri, 29 Nov 2013 13:53:29 +0900 Shinpei Nakata <[email protected]> wrote:
[...] > Form LD_DEBUG log, git-1.7 using libcurl-gnutls.so library which is > ubuntu's default installed, and git-1.8 using locally build libcurl > (installed in /usr/local). > > Here's my response from openssl to git.xxx.xxx.com:443, hope this is > good enough. > .... > New, TLSv1/SSLv3, Cipher is RC4-MD5 [...] > Verify return code: 20 (unable to get local issuer certificate) > > About verify return code, it seems doens't matter only for connecting. > (because I tried another machine which's working well, and it returns > same code.) Yes, it only means openssl failed to verify the trust chain of the certificate presented by the client. It means you can't really trust the identity of the server (and all you get is encrypted channel, unless you've been MitM'ed already). > If I try -no_tls1, theerror has printed as below. > error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported > protocol:s23_clnt.c:697: [...] > Sorry for long mail, but the openssl command above is > /usr/bin/openssl, which is distributed with Ubuntu 12.04. I tried with > locally build openssl command which is from openssl-1.0.1e package, > then the output differs. Only when I use -no_tls1, the connection > establised, otherwise it stucks. > Does this mean, the server side using old ssl/tls library? (Which > doens't support tlsv1) Yes, that's what I would conclude. Sorry but I'm not an expert in this field. While it seems by guess was correct, from there you should proceed by yourself. Start with [1] and dig deeper. [2] seems to explain your case. Also note that libcurl uses not OpenSSL but GNUTLS. So I'd try to figure out which defaults your build of GNUTLS has. 1. https://www.google.com/search?q="SSL3_GET_RECORD:wrong+version+number" 2. http://openssl.6102.n7.nabble.com/quot-SSL3-GET-RECORD-wrong-version-number-quot-td8310.html -- You received this message because you are subscribed to the Google Groups "Git for human beings" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
