Re: [OE-core] [nanbield] git command included in buildtools-extended does not work with https authentication

2024-05-07 Thread Richard Purdie 
On Tue, 2024-05-07 at 15:13 +0200, Christian Eggers via lists.openembedded.org 
wrote:
> I am in the process of upgrading from Kirkstone to Scarthgap (via Langdale,
> Mickledore and Nanbield). As my host system (openSUSE) doesn't meet the
> system requirements, I use the buildtools-extended tarball.
> 
> Since the migration step from Mickledore to Nanbield, I cannot access my
> company's GIT server (runing GitLab, requires https + authentifaction) 
> anymore.
> When I use the GIT client from openSUSE, everything works fine, but when
> the GIT command from the buildtools tarball is used, I get a 

Try using the buildtools straight from scarthgap. There have been
various problems but it should be fixed in that one.

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199094): 
https://lists.openembedded.org/g/openembedded-core/message/199094
Mute This Topic: https://lists.openembedded.org/mt/105959618/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [nanbield] git command included in buildtools-extended does not work with https authentication

2024-05-07 Thread Christian Eggers 
I am in the process of upgrading from Kirkstone to Scarthgap (via Langdale,
Mickledore and Nanbield). As my host system (openSUSE) doesn't meet the
system requirements, I use the buildtools-extended tarball.

Since the migration step from Mickledore to Nanbield, I cannot access my
company's GIT server (runing GitLab, requires https + authentifaction) anymore.
When I use the GIT client from openSUSE, everything works fine, but when
the GIT command from the buildtools tarball is used, I get a

"remote: HTTP Basic: Access denied."

error message (log below). When I compare this log with the working version,
I see that ...
- h2 is used instead of http/1.1
- authentication happens straight after SSL setup (before the GET command)

Could the GIT client in the buildtools tarball be configured in a way that
it works with https + authentication?


GIT_TRACE_CURL=TRUE GIT_TRACE_CURL_NO_DATA=1 GIT_TRACE_REDACT=FALSE 
GIT_TRACE2_REDACT=FALSE git clone g...@git.mycompany.com:myrepo.git
Cloning into 'myrepo'...
12:35:38.736181 http.c:820  == Info:   Trying xxx.xxx.xxx.xxx:443...
12:35:38.736581 http.c:820  == Info: Connected to git.mycompany.com 
(xxx.xxx.xxx.xxx) port 443
12:35:38.738282 http.c:820  == Info: ALPN: curl offers http/1.1
12:35:38.738544 http.c:820  == Info: TLSv1.3 (OUT), TLS handshake, 
Client hello (1):
12:35:38.749279 http.c:820  == Info:  CAfile: 
/build/buildtools/sysroots/x86_64-pokysdk-linux/etc/ssl/certs/ca-certificates.crt
12:35:38.749303 http.c:820  == Info:  CApath: none
12:35:38.749385 http.c:820  == Info: TLSv1.3 (IN), TLS handshake, 
Server hello (2):
12:35:38.749698 http.c:820  == Info: TLSv1.3 (IN), TLS handshake, 
Encrypted Extensions (8):
12:35:38.749722 http.c:820  == Info: TLSv1.3 (IN), TLS handshake, 
Certificate (11):
12:35:38.750274 http.c:820  == Info: TLSv1.3 (IN), TLS handshake, 
CERT verify (15):
12:35:38.750368 http.c:820  == Info: TLSv1.3 (IN), TLS handshake, 
Finished (20):
12:35:38.750407 http.c:820  == Info: TLSv1.3 (OUT), TLS change 
cipher, Change cipher spec (1):
12:35:38.750432 http.c:820  == Info: TLSv1.3 (OUT), TLS handshake, 
Finished (20):
12:35:38.750537 http.c:820  == Info: SSL connection using TLSv1.3 / 
TLS_AES_256_GCM_SHA384
12:35:38.750546 http.c:820  == Info: ALPN: server accepted http/1.1
12:35:38.750555 http.c:820  == Info: Server certificate:
12:35:38.750571 http.c:820  == Info:  subject: CN=*.mycompany.com
12:35:38.750581 http.c:820  == Info:  start date: Feb 28 00:00:00 
2024 GMT
12:35:38.750589 http.c:820  == Info:  expire date: Mar 15 23:59:59 
2025 GMT
12:35:38.750606 http.c:820  == Info:  subjectAltName: host 
"git.mycompany.com" matched cert's "*.mycompany.com"
12:35:38.750622 http.c:820  == Info:  issuer: C=GB; ST=Greater 
Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation 
Secure Server CA
12:35:38.750629 http.c:820  == Info:  SSL certificate verify ok.

12:35:38.750632 http.c:820  == Info: using HTTP/1.1
   NOTE: openSUSE's GIT client uses 
HTTP/2 here and also performs authentication here.

12:35:38.750680 http.c:767  => Send header, 000247 bytes 
(0x00f7)
12:35:38.750688 http.c:779  => Send header: GET 
/myrepo.git/info/refs?service=git-upload-pack HTTP/1.1
12:35:38.750690 http.c:779  => Send header: Host: git.mycompany.com
12:35:38.750692 http.c:779  => Send header: User-Agent: git/2.42.0
12:35:38.750694 http.c:779  => Send header: Accept: */*
12:35:38.750696 http.c:779  => Send header: Accept-Encoding: 
deflate, gzip
12:35:38.750698 http.c:779  => Send header: Pragma: no-cache
12:35:38.750699 http.c:779  => Send header: Git-Protocol: version=2
12:35:38.750701 http.c:779  => Send header:
12:35:38.764115 http.c:820  == Info: TLSv1.3 (IN), TLS handshake, 
Newsession Ticket (4):
12:35:38.764234 http.c:820  == Info: TLSv1.3 (IN), TLS handshake, 
Newsession Ticket (4):
12:35:38.764247 http.c:820  == Info: old SSL session ID is stale, 
removing
12:35:38.774919 http.c:767  <= Recv header, 27 bytes 
(0x001b)
12:35:38.774944 http.c:779  <= Recv header: HTTP/1.1 401 
Unauthorized
   NOTE: working version returns 
"HTTP/2 401" here.

12:35:38.774947 http.c:767  <= Recv header, 15 bytes 
(0x000f)
12:35:38.774949 http.c:779  <= Recv header: Server: nginx
12:35:38.774953 http.c:767  <= Recv header, 37 bytes 
(0x0025)
12:35:38.774954 http.c:779  <= Recv header: Date: Tue, 07 May 2024 
12:35:38 GMT
12:35:38.774957 http.c:767