Package: git
Version: 1:1.7.10.4-1+wheezy1
Severity: normal

Hi,

I've recently changed the SSL certificate of the Apache server my own public git
repository is on. Both Iceweasel and the curl command line have no problems with
it. The StartSSL CA certificate is in /etc/ssl/certs/ca-certificates, but if I
clone the repository, git complains the certificate isn't validated. Using
ca-certificates version 20120623.


$ export GIT_CURL_VERBOSE=1
$ git clone https://www.vanbest.eu/git/lootjes-play/
Cloning into lootjes-play...
* Couldn't find host www.vanbest.eu in the .netrc file; using defaults
* About to connect() to www.vanbest.eu port 443 (#0)
*   Trying 2001:980:630b:1::13... * connected
* Connected to www.vanbest.eu (2001:980:630b:1::13) port 443 (#0)
* found 152 certificates in /etc/ssl/certs/ca-certificates.crt
* Expire cleared
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
* Couldn't find host www.vanbest.eu in the .netrc file; using defaults
* About to connect() to www.vanbest.eu port 443 (#0)
*   Trying 2001:980:630b:1::13... * connected
* Connected to www.vanbest.eu (2001:980:630b:1::13) port 443 (#0)
* found 152 certificates in /etc/ssl/certs/ca-certificates.crt
* Expire cleared
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection #0
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://www.vanbest.eu/git/lootjes-play/info/refs
fatal: HTTP request failed

Compare this with using the curl command line client, where the problem doesn't
happen:

$ curl --verbose "https://www.vanbest.eu/git/lootjes-play/info/refs?service=git-upload-pack"
* About to connect() to www.vanbest.eu port 443 (#0)
*   Trying 2001:980:630b:1::13... connected
* Connected to www.vanbest.eu (2001:980:630b:1::13) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: description=HjygSFc6ux1O8W0H; C=NL; CN=www.vanbest.eu; emailAddress=postmas...@vanbest.eu
*        start date: 2013-01-30 05:25:23 GMT
*        expire date: 2014-01-31 13:36:36 GMT
*        subjectAltName: www.vanbest.eu matched
*        issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 1 Primary Intermediate Server CA
*        SSL certificate verify ok.
> GET /git/lootjes-play/info/refs?service=git-upload-pack HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.7 libidn/1.15 libssh2/1.2.6
> Host: www.vanbest.eu
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 01 Feb 2013 09:55:46 GMT
< Server: Apache/2.2.22 (Debian)
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Transfer-Encoding: chunked
< Content-Type: application/x-git-upload-pack-advertisement
< 
001e# service=git-upload-pack
0000009b5bbf8694c4c90531f3db5e7d84b69bd60dc9c606 HEADmulti_ack thin-pack side-band side-band-64k ofs-delta shallow no-progress include-tag multi_ack_detailed
003f5bbf8694c4c90531f3db5e7d84b69bd60dc9c606 refs/heads/master
003e82dcb7eb916a78ee014f7b82beb548760202506f refs/heads/maven
* Connection #0 to host www.vanbest.eu left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Somehow it seems, curl from within git doesn't use the
/etc/ssl/certs/ca-certificates the same way the curl command line does.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (990, 'stable'), (600, 'testing'), (500, 'unstable'), (10, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages git depends on:
ii  git-man             1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
ii  libc6               2.13-37              Embedded GNU C Library: Shared lib
ii  libcurl3-gnutls     7.26.0-1             easy-to-use client-side URL transf
ii  liberror-perl       0.17-1               Perl module for error/exception ha
ii  libexpat1           2.1.0-1              XML parsing C library - runtime li
ii  perl-modules        5.14.2-16            Core Perl modules
ii  zlib1g              1:1.2.7.dfsg-13      compression library - runtime

Versions of packages git recommends:
ii  less                          436-1      pager program similar to more
ii  openssh-client [ssh-client]   1:6.0p1-3  secure shell (SSH) client, for sec
ii  patch                         2.6-2      Apply a diff file to an original
ii  rsync                         3.0.7-2    fast remote file copy program (lik

Versions of packages git suggests:
ii  gettext-base        0.18.1.1-3           GNU Internationalization utilities
pn  git-arch            <none>               (no description available)
pn  git-cvs             <none>               (no description available)
pn  git-daemon-run | gi <none>               (no description available)
ii  git-doc             1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
pn  git-el              <none>               (no description available)
pn  git-email           <none>               (no description available)
ii  git-gui             1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
ii  git-svn             1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
ii  gitk                1:1.7.10.4-1+wheezy1 fast, scalable, distributed revisi
pn  gitweb              <none>               (no description available)

-- no debconf information

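An added example, not part of the original report: a small parser that reduces the two verbose traces above to the trust-store settings each client reported and lists where they differ. The trace lines are copied from the report with wrapped lines rejoined; the names `summarize` and `differences` are illustrative.

```python
import re

# Trace lines copied from the report above (wrapped lines rejoined).
GIT_TRACE = """\
* found 152 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
"""
CURL_TRACE = """\
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
*        issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 1 Primary Intermediate Server CA
*        SSL certificate verify ok.
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.7 libidn/1.15 libssh2/1.2.6
"""

PATTERNS = {
    "cafile": re.compile(r"CAfile:\s*(\S+)"),
    "capath": re.compile(r"CApath:\s*(\S+)"),
    "bundle_count": re.compile(r"found (\d+) certificates in"),
    "issuer": re.compile(r"issuer:\s*(.+)"),
    "user_agent": re.compile(r"User-Agent:\s*(.+)"),
}

def summarize(trace):
    """Collect trust-store settings and the verification verdict from a trace."""
    info = {key: None for key in PATTERNS}
    info["verified"] = None
    for line in trace.splitlines():
        text = line.lstrip("*<> \t")  # drop curl's verbose-output prefixes
        for key, pattern in PATTERNS.items():
            match = pattern.search(text)
            if match and info[key] is None:
                value = match.group(1).strip()
                info[key] = None if value == "none" else value
        if "certificate verify ok" in text:
            info["verified"] = True
        elif "certificate verification failed" in text:
            info["verified"] = False
    return info

def differences(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    pairs = differences(summarize(GIT_TRACE), summarize(CURL_TRACE))
    for field, (git_v, curl_v) in pairs.items():
        print(f"{field:13} git={git_v!r}  curl={curl_v!r}")
```

On these traces the git run reports a single CAfile bundle and no CApath, while the command-line run reports a CApath directory and no CAfile. The command-line User-Agent names OpenSSL, and the dependency list in the report shows git linked against libcurl3-gnutls.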