I am in the process of upgrading from Kirkstone to Scarthgap (via Langdale,
Mickledore and Nanbield). As my host system (openSUSE) doesn't meet the
system requirements, I use the buildtools-extended tarball.
Since the migration step from Mickledore to Nanbield, I cannot access my
company's GIT server (running GitLab, requires https + authentication) anymore.
When I use the GIT client from openSUSE, everything works fine, but when
the GIT command from the buildtools tarball is used, I get a
"remote: HTTP Basic: Access denied."
error message (log below). When I compare this log with the working version,
I see that ...
- h2 is used instead of http/1.1
- authentication happens straight after SSL setup (before the GET command)
Could the GIT client in the buildtools tarball be configured in a way that
it works with https + authentication?
GIT_TRACE_CURL=TRUE GIT_TRACE_CURL_NO_DATA=1 GIT_TRACE_REDACT=FALSE
GIT_TRACE2_REDACT=FALSE git clone g...@git.mycompany.com:myrepo.git
Cloning into 'myrepo'...
12:35:38.736181 http.c:820 == Info: Trying xxx.xxx.xxx.xxx:443...
12:35:38.736581 http.c:820 == Info: Connected to git.mycompany.com
(xxx.xxx.xxx.xxx) port 443
12:35:38.738282 http.c:820 == Info: ALPN: curl offers http/1.1
12:35:38.738544 http.c:820 == Info: TLSv1.3 (OUT), TLS handshake,
Client hello (1):
12:35:38.749279 http.c:820 == Info: CAfile:
/build/buildtools/sysroots/x86_64-pokysdk-linux/etc/ssl/certs/ca-certificates.crt
12:35:38.749303 http.c:820 == Info: CApath: none
12:35:38.749385 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Server hello (2):
12:35:38.749698 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Encrypted Extensions (8):
12:35:38.749722 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Certificate (11):
12:35:38.750274 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
CERT verify (15):
12:35:38.750368 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Finished (20):
12:35:38.750407 http.c:820 == Info: TLSv1.3 (OUT), TLS change
cipher, Change cipher spec (1):
12:35:38.750432 http.c:820 == Info: TLSv1.3 (OUT), TLS handshake,
Finished (20):
12:35:38.750537 http.c:820 == Info: SSL connection using TLSv1.3 /
TLS_AES_256_GCM_SHA384
12:35:38.750546 http.c:820 == Info: ALPN: server accepted http/1.1
12:35:38.750555 http.c:820 == Info: Server certificate:
12:35:38.750571 http.c:820 == Info: subject: CN=*.mycompany.com
12:35:38.750581 http.c:820 == Info: start date: Feb 28 00:00:00
2024 GMT
12:35:38.750589 http.c:820 == Info: expire date: Mar 15 23:59:59
2025 GMT
12:35:38.750606 http.c:820 == Info: subjectAltName: host
"git.mycompany.com" matched cert's "*.mycompany.com"
12:35:38.750622 http.c:820 == Info: issuer: C=GB; ST=Greater
Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation
Secure Server CA
12:35:38.750629 http.c:820 == Info: SSL certificate verify ok.
12:35:38.750632 http.c:820 == Info: using HTTP/1.1
NOTE: openSUSE's GIT client uses
HTTP/2 here and also performs authentication here.
12:35:38.750680 http.c:767 => Send header, 000247 bytes
(0x00f7)
12:35:38.750688 http.c:779 => Send header: GET
/myrepo.git/info/refs?service=git-upload-pack HTTP/1.1
12:35:38.750690 http.c:779 => Send header: Host: git.mycompany.com
12:35:38.750692 http.c:779 => Send header: User-Agent: git/2.42.0
12:35:38.750694 http.c:779 => Send header: Accept: */*
12:35:38.750696 http.c:779 => Send header: Accept-Encoding:
deflate, gzip
12:35:38.750698 http.c:779 => Send header: Pragma: no-cache
12:35:38.750699 http.c:779 => Send header: Git-Protocol: version=2
12:35:38.750701 http.c:779 => Send header:
12:35:38.764115 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Newsession Ticket (4):
12:35:38.764234 http.c:820 == Info: TLSv1.3 (IN), TLS handshake,
Newsession Ticket (4):
12:35:38.764247 http.c:820 == Info: old SSL session ID is stale,
removing
12:35:38.774919 http.c:767 <= Recv header, 27 bytes
(0x001b)
12:35:38.774944 http.c:779 <= Recv header: HTTP/1.1 401
Unauthorized
NOTE: working version returns
"HTTP/2 401" here.
12:35:38.774947 http.c:767 <= Recv header, 15 bytes
(0x000f)
12:35:38.774949 http.c:779 <= Recv header: Server: nginx
12:35:38.774953 http.c:767 <= Recv header, 37 bytes
(0x0025)
12:35:38.774954 http.c:779 <= Recv header: Date: Tue, 07 May 2024
12:35:38 GMT
12:35:38.774957 http.c:767