Hi, yeah, thank your for infomation. As you guess, and as I confirmed, my server doesn't accept tlsv1 (which is sad), so I added below line to force libcurl to use SSLv3.
curl_easy_setopt(result, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3); I think there're way to set this option from environment variable, but I couldn't find CURLOPT_SSLVERSION in code at this moment. Anyway, problem solved, and thank you for your help! cheers, shinpei On Fri, Nov 29, 2013 at 5:34 PM, Konstantin Khomoutov <flatw...@users.sourceforge.net> wrote: > On Fri, 29 Nov 2013 13:53:29 +0900 > Shinpei Nakata <shinpei.nak...@gmail.com> wrote: > > [...] >> Form LD_DEBUG log, git-1.7 using libcurl-gnutls.so library which is >> ubuntu's default installed, and git-1.8 using locally build libcurl >> (installed in /usr/local). >> >> Here's my response from openssl to git.xxx.xxx.com:443, hope this is >> good enough. >> .... >> New, TLSv1/SSLv3, Cipher is RC4-MD5 > [...] >> Verify return code: 20 (unable to get local issuer certificate) >> >> About verify return code, it seems doens't matter only for connecting. >> (because I tried another machine which's working well, and it returns >> same code.) > > Yes, it only means openssl failed to verify the trust chain of the > certificate presented by the client. It means you can't really trust > the identity of the server (and all you get is encrypted channel, > unless you've been MitM'ed already). > >> If I try -no_tls1, theerror has printed as below. >> error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported >> protocol:s23_clnt.c:697: > [...] >> Sorry for long mail, but the openssl command above is >> /usr/bin/openssl, which is distributed with Ubuntu 12.04. I tried with >> locally build openssl command which is from openssl-1.0.1e package, >> then the output differs. Only when I use -no_tls1, the connection >> establised, otherwise it stucks. >> Does this mean, the server side using old ssl/tls library? (Which >> doens't support tlsv1) > > Yes, that's what I would conclude. > > Sorry but I'm not an expert in this field. While it seems by guess > was correct, from there you should proceed by yourself. > Start with  and dig deeper.  seems to explain your case. > > Also note that libcurl uses not OpenSSL but GNUTLS. So I'd try to > figure out which defaults your build of GNUTLS has. > > 1. https://www.google.com/search?q="SSL3_GET_RECORD:wrong+version+number" > 2. > http://openssl.6102.n7.nabble.com/quot-SSL3-GET-RECORD-wrong-version-number-quot-td8310.html -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= Shinpei Nakata e-mail:shinpei.nak...@gmail.com =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= -- You received this message because you are subscribed to the Google Groups "Git for human beings" group. To unsubscribe from this group and stop receiving emails from it, send an email to git-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.