Package: git
Version: 1:1.7.10.4-1+wheezy1
Severity: normal

Hi,

I've recently changed the SSL certificate of the Apache server my own public git repository is on. Both Iceweasel and the curl command line have no problems with it. The StartSSL ca certificate is in /etc/ssl/certs/ca-certificates, but if I clone the repository, git complains the certificate isn't validated. Using ca-certificates version 20120623.

$ export GIT_CURL_VERBOSE=1
$ git clone https://www.vanbest.eu/git/lootjes-play/
Cloning into lootjes-play...
* Couldn't find host www.vanbest.eu in the .netrc file; using defaults
* About to connect() to www.vanbest.eu port 443 (#0)
* Trying 2001:980:630b:1::13...
* connected
* Connected to www.vanbest.eu (2001:980:630b:1::13) port 443 (#0)
* found 152 certificates in /etc/ssl/certs/ca-certificates.crt
* Expire cleared
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
* Couldn't find host www.vanbest.eu in the .netrc file; using defaults
* About to connect() to www.vanbest.eu port 443 (#0)
* Trying 2001:980:630b:1::13...
* connected
* Connected to www.vanbest.eu (2001:980:630b:1::13) port 443 (#0)
* found 152 certificates in /etc/ssl/certs/ca-certificates.crt
* Expire cleared
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://www.vanbest.eu/git/lootjes-play/info/refs
fatal: HTTP request failed

Compare this with using the curl command line client, where the problem doesn't happen:

$ curl --verbose "https://www.vanbest.eu/git/lootjes-play/info/refs?service=git-upload-pack"
* About to connect() to www.vanbest.eu port 443 (#0)
* Trying 2001:980:630b:1::13... connected
* Connected to www.vanbest.eu (2001:980:630b:1::13) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: description=HjygSFc6ux1O8W0H; C=NL; CN=www.vanbest.eu; emailAddress=postmas...@vanbest.eu
* start date: 2013-01-30 05:25:23 GMT
* expire date: 2014-01-31 13:36:36 GMT
* subjectAltName: www.vanbest.eu matched
* issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 1 Primary Intermediate Server CA
* SSL certificate verify ok.
> GET /git/lootjes-play/info/refs?service=git-upload-pack HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o
> zlib/1.2.7 libidn/1.15 libssh2/1.2.6
> Host: www.vanbest.eu
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 01 Feb 2013 09:55:46 GMT
< Server: Apache/2.2.22 (Debian)
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Transfer-Encoding: chunked
< Content-Type: application/x-git-upload-pack-advertisement
<
001e# service=git-upload-pack
0000009b5bbf8694c4c90531f3db5e7d84b69bd60dc9c606 HEADmulti_ack thin-pack side-band side-band-64k ofs-delta shallow no-progress include-tag multi_ack_detailed
003f5bbf8694c4c90531f3db5e7d84b69bd60dc9c606 refs/heads/master
003e82dcb7eb916a78ee014f7b82beb548760202506f refs/heads/maven
* Connection #0 to host www.vanbest.eu left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Somehow it seems, curl from within git doesn't use the /etc/ssl/certs/ca-certificates the same way the curl command line does.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (990, 'stable'), (600, 'testing'), (500, 'unstable'), (10, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages git depends on:
ii git-man 1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
ii libc6 2.13-37 Embedded GNU C Library: Shared lib
ii libcurl3-gnutls 7.26.0-1 easy-to-use client-side URL transf
ii liberror-perl 0.17-1 Perl module for error/exception ha
ii libexpat1 2.1.0-1 XML parsing C library - runtime li
ii perl-modules 5.14.2-16 Core Perl modules
ii zlib1g 1:1.2.7.dfsg-13 compression library - runtime

Versions of packages git recommends:
ii less 436-1 pager program similar to more
ii openssh-client [ssh-client] 1:6.0p1-3 secure shell (SSH) client, for sec
ii patch 2.6-2 Apply a diff file to an original
ii rsync 3.0.7-2 fast remote file copy program (lik

Versions of packages git suggests:
ii gettext-base 0.18.1.1-3 GNU Internationalization utilities
pn git-arch <none> (no description available)
pn git-cvs <none> (no description available)
pn git-daemon-run | gi <none> (no description available)
ii git-doc 1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
pn git-el <none> (no description available)
pn git-email <none> (no description available)
ii git-gui 1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
ii git-svn 1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
ii gitk 1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
pn gitweb <none> (no description available)

-- no debconf information
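An added example, not part of the original report: a small shell helper that pulls the trust-store inputs and the verification result out of a libcurl verbose log, so the git and curl transcripts above can be compared side by side. The function and variable names are hypothetical, and the sample logs are excerpts of the two transcripts in the report.

```shell
#!/bin/sh
# Added example: summarise the trust inputs a libcurl verbose log reports.
# Names are hypothetical; the sample logs are excerpts from the report.

tls_trust_summary() {   # reads a verbose log on stdin
    awk '
        BEGIN { cafile = "none"; capath = "none"; count = "n/a"; result = "unknown" }
        # Form seen in the git transcript: "found N certificates in <bundle>"
        /found [0-9]+ certificates in / {
            for (i = 1; i < NF; i++) if ($i == "found") count = $(i + 1)
            cafile = $NF
        }
        # Form seen in both transcripts: "CAfile: <file>" and/or "CApath: <dir>"
        /CAfile:|CApath:/ {
            for (i = 1; i < NF; i++) {
                if ($i == "CAfile:") cafile = $(i + 1)
                if ($i == "CApath:") capath = $(i + 1)
            }
        }
        /certificate verification failed/ { result = "failed" }
        /SSL certificate verify ok/       { result = "ok" }
        END {
            printf "cafile=%s capath=%s bundle_certs=%s verify=%s\n",
                   cafile, capath, count, result
        }'
}

# Returns 0 only when both logs name the same CAfile and CApath.
compare_trust() {
    a=$(printf '%s\n' "$1" | tls_trust_summary)
    b=$(printf '%s\n' "$2" | tls_trust_summary)
    printf 'git:  %s\ncurl: %s\n' "$a" "$b"
    [ "${a%% bundle_certs=*}" = "${b%% bundle_certs=*}" ]
}

GIT_LOG='* found 152 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none'

CURL_LOG='* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSL certificate verify ok.'

compare_trust "$GIT_LOG" "$CURL_LOG" ||
    echo "different trust inputs: the two results are not directly comparable"
```

For these transcripts the summaries show git reading the bundle file /etc/ssl/certs/ca-certificates.crt while the curl command line reads the directory /etc/ssl/certs, so a pass from one client does not tell you what the other one trusts.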