Git authentication error: OpenSSL SSL_connect: Connection was reset in connection to dev.azure.com:443 #527

Closed
1 task done
kerrpeter opened this issue Nov 12, 2021 · 13 comments
Labels
auth-issue An issue authenticating to a host

Comments

@kerrpeter

kerrpeter commented Nov 12, 2021

Which version of GCM Core are you using?

Git Credential Manager version 2.0.280-beta+1f4c6db90f (Windows, .NET Framework 4.0.30319.42000)

Which Git host provider are you trying to connect to?

Azure DevOps

Can you access the remote repository directly in the browser using the remote URL?

Yes


[Azure DevOps only] What format is your remote URL?

https://dev.azure.com/`{org}`/...

[Azure DevOps only] If the account picker shows more than one identity as you authenticate, check that you selected the same one that has access on the web.

  • I checked each identity and the one I use works sometimes (see below)

Expected behavior

I am authenticated and my Git operation completes successfully.

Actual behavior

It works sometimes, but usually takes 3 - 5 attempts, sometimes up to 10 attempts.
I get error "OpenSSL SSL_connect: Connection was reset in connection to dev.azure.com:443", but then it eventually works after several attempts with nothing else changing.
Sometimes it prompts for new credentials, but most of the time it doesn't

Logs

Set the environment variables GCM_TRACE=1 and GIT_TRACE=1 and re-run your Git command. Review and redact any private information and attach the log.

11:08:46.559413 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
11:08:46.561432 git.c:444 trace: built-in: git pull
11:08:46.563403 run-command.c:663 trace: run_command: git fetch --update-head-ok
11:08:46.571381 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
11:08:46.573376 git.c:444 trace: built-in: git fetch --update-head-ok
11:08:46.577366 run-command.c:663 trace: run_command: GIT_DIR=.git git remote-https origin https://dev.azure.com/
11:08:46.585344 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
11:08:46.587339 git.c:729 trace: exec: git-remote-https origin https://dev.azure.com/
11:08:46.587339 run-command.c:663 trace: run_command: git-remote-https origin https://dev.azure.com/
11:08:46.596316 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
fatal: unable to access 'https://dev.azure.com//': OpenSSL SSL_connect: Connection was reset in connection to dev.azure.com:443

@kerrpeter kerrpeter added the auth-issue An issue authenticating to a host label Nov 12, 2021
@mjcheetham
Collaborator

Hi @kerrpeter, please can you let me know what version of Git for Windows you are using by running git version?

It looks like you're running an older version of GCM Core (2.0.280). The latest version of GCM Core that is bundled with the latest Git for Windows is 2.0.567.

You can get the latest Git for Windows from here: https://gitforwindows.org/

@kerrpeter
Author

was, git version 2.29.2.windows.2
now: git version 2.33.1.windows.1

I just updated it, but same issue, works sometimes but not all the time

C:<repro>>git --version
git version 2.33.1.windows.1

C:<repro>>git pull
fatal: unable to access 'https://dev.azure.com//': OpenSSL SSL_connect: Connection was reset in connection to dev.azure.com:443

C:<repro>>git pull
Already up to date.

C:\Xyea\LifePlan>git pull
fatal: unable to access 'https://dev.azure.com//': OpenSSL SSL_connect: Connection was reset in connection to dev.azure.com:443

see above, didn't work, did work, and didn't again

@mjcheetham
Collaborator

Thanks for updating and trying again. Hmm.. this is a strange error; a couple more questions for you:

  1. Are you behind a proxy?
  2. Are you behind a corporate firewall that might be doing deep packet inspection?
  3. VPN?
  4. Are you using client TLS?
  5. What version of Windows are you running? If Windows 10 or 11, which build number?
  6. Please can you set the GCM_TRACE environment variable (and GIT_TRACE) to the value 1 and run your Git command again?
    From a command prompt:
    SET GCM_TRACE=1
    git pull
    From PowerShell:
    $env:GCM_TRACE=1
    git pull

@kerrpeter
Author

Are you behind a proxy? No
Are you behind a corporate firewall that might be doing deep packet inspection? No
VPN? No
Are you using client TLS? No
What version of Windows are you running? If Windows 10 or 11, which build number? 10, build no. 19043.1288

With trace on, when it works I get output below, but when it fails, I just get the error

C:<repo>>git pull
14:18:03.184550 ...\Application.cs:95 trace: [RunInternalAsync] Version: 2.0.567.18224
14:18:03.188541 ...\Application.cs:96 trace: [RunInternalAsync] Runtime: .NET Framework 4.0.30319.42000
14:18:03.188541 ...\Application.cs:97 trace: [RunInternalAsync] Platform: Windows (x86-64)
14:18:03.188541 ...\Application.cs:98 trace: [RunInternalAsync] OSVersion: 10.0 (build 19043)
14:18:03.188541 ...\Application.cs:99 trace: [RunInternalAsync] AppPath: C:\Program Files\Git\mingw64\libexec\git-core\git-credential-manager-core.exe
14:18:03.189538 ...\Application.cs:100 trace: [RunInternalAsync] Arguments: get
14:18:03.236413 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
14:18:03.243393 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
14:18:03.244391 ...GitCommandBase.cs:48 trace: [ExecuteAsync] protocol=https
14:18:03.244391 ...GitCommandBase.cs:48 trace: [ExecuteAsync] host=dev.azure.com
14:18:03.244391 ...GitCommandBase.cs:48 trace: [ExecuteAsync] path=/_git/
14:18:03.296253 ...viderRegistry.cs:147 trace: [GetProviderAsync] Performing auto-detection of host provider.
14:18:03.320188 ...viderRegistry.cs:152 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
14:18:03.322183 ...viderRegistry.cs:160 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
14:18:03.323180 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Azure Repos' was selected.
14:18:03.351105 ...osHostProvider.cs:85 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://dev.azure.com/ account=...
14:18:03.403965 ...osHostProvider.cs:99 trace: [GetCredentialAsync] Existing credential found.
14:18:03.403965 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
14:18:04.005356 ...\Application.cs:95 trace: [RunInternalAsync] Version: 2.0.567.18224
14:18:04.009345 ...\Application.cs:96 trace: [RunInternalAsync] Runtime: .NET Framework 4.0.30319.42000
14:18:04.009345 ...\Application.cs:97 trace: [RunInternalAsync] Platform: Windows (x86-64)
14:18:04.010344 ...\Application.cs:98 trace: [RunInternalAsync] OSVersion: 10.0 (build 19043)
14:18:04.010344 ...\Application.cs:99 trace: [RunInternalAsync] AppPath: C:\Program Files\Git\mingw64\libexec\git-core\git-credential-manager-core.exe
14:18:04.011340 ...\Application.cs:100 trace: [RunInternalAsync] Arguments: store
14:18:04.055222 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'store' command...
14:18:04.063202 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
14:18:04.064199 ...GitCommandBase.cs:48 trace: [ExecuteAsync] protocol=https
14:18:04.064199 ...GitCommandBase.cs:48 trace: [ExecuteAsync] host=dev.azure.com
14:18:04.064199 ...GitCommandBase.cs:48 trace: [ExecuteAsync] path=/_git/
14:18:04.065196 ...GitCommandBase.cs:48 trace: [ExecuteAsync] username=*****
14:18:04.065196 ...GitCommandBase.cs:48 trace: [ExecuteAsync] password=********
14:18:04.117058 ...viderRegistry.cs:147 trace: [GetProviderAsync] Performing auto-detection of host provider.
14:18:04.138999 ...viderRegistry.cs:152 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
14:18:04.140993 ...viderRegistry.cs:160 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
14:18:04.141991 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Azure Repos' was selected.
14:18:04.166923 ...sHostProvider.cs:126 trace: [StoreCredentialAsync] Storing credential with service=https://dev.azure.com/ account=****...
14:18:04.218784 ...sHostProvider.cs:128 trace: [StoreCredentialAsync] Credential was successfully stored.
14:18:04.218784 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'store' command...
Already up to date.

C:<repo>>git pull
fatal: unable to access 'https://dev.azure.com//_git//': OpenSSL SSL_connect: Connection was reset in connection to dev.azure.com:443

@mjcheetham
Collaborator

> With trace on, when it works I get output below, but when it fails, I just get the error

Ahaa! This is an interesting revelation! This means failure is happening in Git for Windows, and not GCM (GCM is not even being called when it fails).

I also now read the error message more closely to see it is an OpenSSL error - GCM does not use OpenSSL on Windows, so this must be Git failing to make the network connection.

I would recommend you open an issue in the Git for Windows repository: https://github.com/git-for-windows/git

You would probably want to also include Git trace logs of the libcurl activity with GIT_TRACE=1 and GIT_TRACE_CURL=1

@dscho do you have any other ideas?

@dscho
Collaborator

dscho commented Nov 17, 2021

> OpenSSL SSL_connect: Connection was reset

Hmm. That usually means network problems, but https://status.dev.azure.com/ currently shows everything should be all right.

Sometimes it looks as if the Secure Channel backend does better than OpenSSL. Could you try running git -c http.sslBackend=schannel pull?

@kerrpeter
Author

thanks, even with that, it sometimes works, sometimes doesn't, see several attempts below:
If it's network problems, would I not see problems elsewhere? Could my network be failing that regularly, but still apparently working on my browser?

C:<proj>>git -c http.sslBackend=schannel pull
fatal: unable to access 'https://dev.azure.com//_git//': schannel: failed to receive handshake, SSL/TLS connection failed

C:<proj>>git -c http.sslBackend=schannel pull
Already up to date.

C:<proj>>git -c http.sslBackend=schannel pull
Already up to date.

C:<proj>>git -c http.sslBackend=schannel pull
Already up to date.

C:<proj>>git -c http.sslBackend=schannel pull
Already up to date.

C:<proj>>git pull
Already up to date.

C:<proj>>git pull
Already up to date.

C:<proj>>git pull
fatal: unable to access 'https://dev.azure.com//_git//': OpenSSL SSL_connect: Connection was reset in connection to dev.azure.com:443

C:<proj>>git -c http.sslBackend=schannel pull
Already up to date.

C:<proj>>git -c http.sslBackend=schannel pull
fatal: unable to access 'https://dev.azure.com//_git//': schannel: failed to receive handshake, SSL/TLS connection failed

@dscho
Collaborator

dscho commented Nov 17, 2021

> If it's network problems, would I not see problems elsewhere?

It could be a network problem on Azure's side. Or even in the routing specific to dev.azure.com. A connection reset (or a handshake that was never received) is a pretty clear indicator that already the initiating packets did not make it through.

@mjcheetham
Collaborator

I am going to close this issue on GCM, since the problem is clearly affecting Git itself (not GCM).
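
The reasoning used in this thread to rule out GCM (failed attempts show a TLS error and no GCM trace lines), as an added example that is not part of the original thread and not code from GCM or Git for Windows: a small Python classifier over a console transcript captured with `GCM_TRACE=1`. The `triage` function, its verdict labels and the abridged sample transcript are assumptions made for illustration.

```python
import re

# Prompt lines such as "C:<repo>>git pull" start a new attempt.
PROMPT = re.compile(r"^[A-Za-z]:.*?>\s*(git\b.*)$")
# Error strings quoted in this thread, keyed to the TLS backend that emits them.
TLS_ERRORS = {"OpenSSL SSL_connect: Connection was reset": "openssl",
              "schannel: failed to receive handshake": "schannel"}
# In the output shown in this thread, GCM trace lines carry a bracketed
# method name after "trace:"; Git's own trace lines do not.
GCM_TRACE = re.compile(r"trace: \[\w+\]")

# Constructed sample, abridged from the output shapes shown in this thread.
SAMPLE = r"""C:<repo>>git pull
14:18:03.184550 ...\Application.cs:95 trace: [RunInternalAsync] Version: 2.0.567.18224
14:18:03.403965 ...osHostProvider.cs:99 trace: [GetCredentialAsync] Existing credential found.
Already up to date.
C:<repo>>git pull
fatal: unable to access 'https://dev.azure.com//_git//': OpenSSL SSL_connect: Connection was reset in connection to dev.azure.com:443
C:<repo>>git -c http.sslBackend=schannel pull
fatal: unable to access 'https://dev.azure.com//_git//': schannel: failed to receive handshake, SSL/TLS connection failed
"""

def triage(transcript):
    """Classify each git attempt in a console transcript."""
    attempts = []
    for line in map(str.strip, transcript.splitlines()):
        m = PROMPT.match(line)
        if m:
            attempts.append({"cmd": m.group(1), "gcm_ran": False,
                             "failed": False, "backend": None})
            continue
        if not attempts:
            continue  # ignore anything before the first prompt
        cur = attempts[-1]
        if GCM_TRACE.search(line):
            cur["gcm_ran"] = True
        if line.startswith("fatal:"):
            cur["failed"] = True
            for text, backend in TLS_ERRORS.items():
                if text in line:
                    cur["backend"] = backend
    for a in attempts:
        # TLS error with no helper trace: the connection died before auth.
        pre_auth = a["failed"] and a["backend"] and not a["gcm_ran"]
        a["verdict"] = ("ok" if not a["failed"] else
                        "transport-before-auth" if pre_auth else "needs-review")
    return attempts
```
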

@crediblebytes

In our case it was an expired Malwarebytes that was blocking the requests. Exactly as described above. Uninstalled it and worked like a charm again.

@conchatuperrofrito

I'm using a proxy for my internet connection; how can I upload my files to Git, please?

@AbhijatSaxena

If you're facing this issue in Visual Studio:

Open git settings and set the "Cryptographic network provider" to "OpenSSL"


@krisnuttall

I had the same issue; it turned out to be 'Killer Prioritization Engine', which is part of the drivers for the Intel wireless card. Turning this feature off in the 'Killer Intelligence Center' fixed the problem.
