Bug 1263353 - Git cannot pull or clone from Cloudflare-hosted repos due to TLS issues
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: git
Version: 22
Assigned To: pstodulk
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-09-15 11:41 EDT by Chris Siebenmann
Modified: 2015-12-07 10:37 EST
Last Closed: 2015-12-07 10:37:51 EST
Type: Bug
Description Chris Siebenmann 2015-09-15 11:41:23 EDT
Description of problem:

The Fedora version of git cannot pull or clone from repos that are
hosted behind Cloudflare's HTTPS service because of TLS encryption suite
problems. Cloudflare supports only a limited set of suites and Fedora's
git does not appear to use them. The result fails with e.g.:

   fatal: unable to access 'https://azul3d.org/semver.v2/': Cannot communicate securely with peer: no common encryption algorithm(s).

The underlying problem is discussed in this Stack Overflow question
and answer:

   https://stackoverflow.com/questions/30090676/cannot-communicate-securely-with-peer-no-common-encryption-algorithms

and it is apparently that libcurl does not use these ciphers by default
and the version of git in Fedora (well, Fedora 22) does not support
overriding this.

This is especially an issue for people using Go, because Go generally
forces use of git over https for things like 'go get ...' and fetching
Go imports. The current situation causes some Go packages to not be
buildable on Fedora because their dependencies cannot be fetched.
One example is github.com/shurcooL/Go-Package-Store.

The real fix is presumably to update something in libcurl and/or NSS to
use these ciphers, and have it transparently flow through to git. But in
the meantime, git should somehow support being able to clone from such
repos, even if that means updating git versions or patching in the git
2.5+ ability to override these cipher suite choices so that things work.

Version-Release number of selected component (if applicable):

git-2.4.3-6.fc22.x86_64
libcurl-7.40.0-6.fc22.x86_64
nss-3.20.0-1.0.fc22.x86_64

How reproducible:

Completely.


Steps to Reproduce:
1. cd /tmp
2. git clone https://azul3d.org/semver.v2

Actual results:

Fails with:

Cloning into 'semver.v2'...
fatal: unable to access 'https://azul3d.org/semver.v2/': Cannot communicate securely with peer: no common encryption algorithm(s).

Expected results:

Should succeed and clone the repo.
Comment 1 pstodulk 2015-12-07 10:37:51 EST
I can't reproduce your issue. So probably curl/nss are fixed already.
