Unknown SSL protocol error in connection to github.com:443 #234

Closed
ghost opened this issue Jul 9, 2015 · 18 comments

Comments

@ghost commented Jul 9, 2015

Windows 7 x64. The computer is located in a company domain. I installed Git-2.4.5.1-4th-release-candidate-64-bit.exe. I get an error when I try to get a repository from GitHub:

Developer@BUSHCOMP MINGW64 /d/_git.sandbox
$ git clone https://github.com/progit/progit2-ru.git
Клонирование в «progit2-ru»…
fatal: unable to access 'https://github.com/progit/progit2-ru.git/': Unknown SSL protocol error in connection to github.com:443

How can I solve it?

@kostix commented Jul 9, 2015

Please try with GIT_CURL_VERBOSE=1 in the environment (LANG=C would also be a bonus).

If you're using Git Bash, then do

export GIT_CURL_VERBOSE=1
export LANG=C
git clone ...

and if you're using regular cmd.exe, do

set GIT_CURL_VERBOSE=1

...and so on.

This would make the HTTP[S] client library Git uses be chatty about what it does.

@ghost (Author) commented Jul 9, 2015

In the .gitconfig I added connection info:

[http]
proxy = http://Developer:my_password@proxy2:8080

[https]
proxy = https://Developer:my_password@proxy2:8080

I got this:

Developer@BUSHCOMP MINGW64 /d/_git.sandbox
$ export GIT_CURL_VERBOSE=1

Developer@BUSHCOMP MINGW64 /d/_git.sandbox
$ export LANG=C

Developer@BUSHCOMP MINGW64 /d/_git.sandbox
$ git clone https://github.com/nunit/nunit.git
Cloning into 'nunit'...

* Couldn't find host github.com in the _netrc file; using defaults
* timeout on name lookup is not supported
*   Trying 192.168.123.12...
* Connected to proxy2 (192.168.123.12) port 8080 (#0)
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> User-Agent: git/2.4.5.windows.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( Для выполнения запроса компоненту Forefront TMG требуется авторизация. Доступ к фильтру веб-прокси запрещен. )
< Via: 1.1 PROXY2
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 1033
<
* Ignore 1033 bytes of response-body
* Connect me again please
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
* successfully set certificate verify locations:
*   CAfile: C:/Users/developer/AppData/Local/Programs/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* Unknown SSL protocol error in connection to github.com:443
* Closing connection 0
* Couldn't find host github.com in the _netrc file; using defaults
* timeout on name lookup is not supported
* Hostname proxy2 was found in DNS cache
*   Trying 192.168.123.12...
* Connected to proxy2 (192.168.123.12) port 8080 (#1)
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> User-Agent: git/2.4.5.windows.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( Для выполнения запроса компоненту Forefront TMG требуется авторизация. Доступ к фильтру веб-прокси запрещен. )
< Via: 1.1 PROXY2
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 1033
<
* Ignore 1033 bytes of response-body
* Connect me again please
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
* successfully set certificate verify locations:
*   CAfile: C:/Users/developer/AppData/Local/Programs/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* Unknown SSL protocol error in connection to github.com:443
* Closing connection 1
* Couldn't find host github.com in the _netrc file; using defaults
* timeout on name lookup is not supported
* Hostname proxy2 was found in DNS cache
*   Trying 192.168.123.12...
* Connected to proxy2 (192.168.123.12) port 8080 (#2)
* Establish HTTP proxy tunnel to github.com:443
* Proxy auth using Negotiate with user 'Developer'
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> User-Agent: git/2.4.5.windows.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
< Via: 1.1 PROXY2
< Proxy-Authenticate: Negotiate TlRMTVNTUAACAAAAFAAUADgAAAA1gonikb+EQSfPwI0AAAAAAAAAAIIAggBMAAAABgGwHQAAAA9IAFkAUABSAE8AUwBUAFIATwBZAAIAFABIAFkAUABSAE8AUwBUAFIATwBZAAEADABQAFIATwBYAFkAMgAEABAAaAB5AHAAcgBvAHMAdAByAAMAHgBwAHIAbwB4AHkAMgAuAGgAeQBwAHIAbwBzAHQAcgAFABAAaAB5AHAAcgBvAHMAdAByAAcACABk9uqlPLrQAQAAAAA=
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
<
* TUNNEL_STATE switched to: 0
* Establish HTTP proxy tunnel to github.com:443
* Proxy auth using Negotiate with user 'Developer'
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> Proxy-Authorization: Negotiate [token elided]
> User-Agent: git/2.4.5.windows.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( Для выполнения запроса компоненту Forefront TMG требуется авторизация. Доступ к фильтру веб-прокси запрещен. )
< Via: 1.1 PROXY2
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 1033
<
* Received HTTP code 407 from proxy after CONNECT
* Closing connection 2
fatal: unable to access 'https://github.com/nunit/nunit.git/': Unknown SSL protocol error in connection to github.com:443

@ghost (Author) commented Jul 9, 2015

When I used version 1.9.5 from here: https://git-scm.com/download/win it worked fine. :(((

@dscho (Member) commented Jul 9, 2015

Looks to me as if the proxy talked an SSL protocol that is no longer supported. I remember that one of the older SSL protocols was disabled recently because it poses security concerns. Maybe that's it?

@kostix commented Jul 9, 2015

@dscho, I disagree: it's impossible to proxy TLS connections in the same way as simple HTTP requests because to do this, you'd have to actually MitM them (on a side note -- you might find this amusing to read). Hence the client does not use GET or POST (or another HTTP verb) but rather issues CONNECT to the specified host and port. The proxy is there to handle authentication, if needed, and when all is OK, it merely creates a tunnel for the client and basically shovels opaque data between the server and the client. The port on which the proxy listens is itself not TLS-enabled in any way.

But I'm afraid the root cause is that the proxy never actually answered 200 OK to the client: no matter what it sent, it kept sending 407 back.

Andrey, could you capture and post the same sample session made using 1.9.5? The cipher spec of the client's OpenSSL and the protocol used to connect to the proxy (HTTP/1.1 vs HTTP/1.0) would be of special interest IMO.
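The CONNECT exchange described in the comment above, as an added example that is not part of this thread or of Git for Windows: a small Python classifier for a proxy's reply to CONNECT. Git reported the failure as an SSL error because, as the capture above shows, libcurl went on to its TLS setup after the proxy had answered 407 and closed the connection; reading the proxy's status line and Proxy-Authenticate headers first tells you whether a tunnel ever existed, which schemes the proxy offers, and whether a 407 carries a challenge token (an NTLM/Negotiate exchange still in progress) or is a final refusal. The replies embedded below are constructed after the captures posted in this thread, and the names `ConnectVerdict` and `parse_connect_reply` are my own.

```python
"""Classify an HTTP proxy's reply to a CONNECT request (added example).

Not code from Git for Windows or from this thread's participants. The sample
replies are constructed after the captures posted in the thread.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ConnectVerdict:
    status: int
    tunnel_established: bool
    auth_schemes: List[str] = field(default_factory=list)
    challenge_in_progress: bool = False
    will_close: bool = False
    summary: str = ""


def parse_connect_reply(raw: bytes) -> ConnectVerdict:
    """Parse the status line and headers the proxy sent back to CONNECT.

    Only the head is examined; any body (an HTML error page, like the
    1033-byte TMG replies above) is irrelevant to the tunnel decision."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    # latin-1 never fails, so a status line with non-ASCII reason text still parses
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])

    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))

    challenges = [v for n, v in headers if n == "proxy-authenticate"]
    schemes = [c.split(" ", 1)[0] for c in challenges]
    # "Negotiate <base64>" means the proxy answered our token with the next step;
    # a bare "Negotiate" means it is asking for credentials from scratch.
    in_progress = any(" " in c for c in challenges)
    will_close = any(n in ("connection", "proxy-connection") and v.lower() == "close"
                     for n, v in headers)

    if 200 <= status < 300:
        return ConnectVerdict(status, True, schemes, False, will_close,
                              "tunnel opened; TLS to the origin may proceed")
    if status == 407:
        if in_progress:
            summary = f"proxy challenged with {schemes}; auth exchange in progress"
        else:
            summary = (f"proxy demands authentication ({', '.join(schemes) or 'no scheme listed'});"
                       " the TLS handshake never started")
        return ConnectVerdict(status, False, schemes, in_progress, will_close, summary)
    return ConnectVerdict(status, False, schemes, False, will_close,
                          f"proxy refused CONNECT with HTTP {status}")


# Constructed replies, shaped like the ones captured in this thread.
REPLY_INITIAL_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )\r\n"
    b"Via: 1.1 PROXY2\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: Kerberos\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"<html"
)
REPLY_CHALLENGE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )\r\n"
    b"Proxy-Authenticate: Negotiate CONSTRUCTED-TOKEN-PLACEHOLDER\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
REPLY_TUNNEL_OK = b"HTTP/1.0 200 Connection established\r\n\r\n"

if __name__ == "__main__":
    for reply in (REPLY_INITIAL_407, REPLY_CHALLENGE_407, REPLY_TUNNEL_OK):
        print(parse_connect_reply(reply).summary)
```

Feed it the bytes a proxy returns to your own CONNECT (from a packet capture or a raw socket) before blaming OpenSSL: a verdict with `tunnel_established` false and `will_close` true is exactly the state in which the "Unknown SSL protocol error" above is produced, and `auth_schemes` tells you which of NTLM, Kerberos or Negotiate the proxy will accept.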

@kostix commented Jul 9, 2015

Andrey, one more thing: is it possible to negotiate with your admins to allow direct connections to github's 443 for some time? You could then try to factor out the proxy by directly testing whether Git's OpenSSL is able to connect using something like

openssl s_client -host github.com -port 443

from your Git Bash (openssl is shipped with GfW).
If it connects OK, the problem is likely rooted in the way libCURL talks with the proxy.

Or maybe in the settings it makes to the OpenSSL context (see my previous comment).

On my machine, the above incantation results in

Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3233 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

so I'd say it looks good.

Testing with various -ssl* and -tls* options shows that github has all three versions of the SSL protocol disabled and all three versions of the TLS protocol enabled and working.

@kostix commented Jul 9, 2015

OK, tested using curl directly (it's also bundled with GfW) through my corporate proxy (some old Squid instance which supports NTLM against Windows AD) -- and it worked OK:

kostix@programmer MINGW32 /c/tmp
$ curl -x 192.168.2.20:8080 --proxy-ntlm --proxy-user : --verbose https://githu
b.com/nunit/nunit.git/info/refs?service=git-upload-pack
* timeout on name lookup is not supported
*   Trying 192.168.2.20...
* Connected to 192.168.2.20 (192.168.2.20) port 8080 (#0)
* Establish HTTP proxy tunnel to github.com:443
* Proxy auth using NTLM with user ''
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IIogkACQAyAAAACgAKACgAAAAFASgKAAAA
D1BST0dSQU1NRVJET01BSU4wMDc=
> User-Agent: curl/7.43.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 407 Proxy Authentication Required
< Server: squid/2.7.STABLE3
< Date: Thu, 09 Jul 2015 17:08:35 GMT
< Content-Type: text/html
< Content-Length: 1274
< Expires: Thu, 09 Jul 2015 17:08:35 GMT
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAEgASADAAAAAFgomizq2FDxfujTgAAAAAAAAAA
HwAfABCAAAARABPAE0AQQBJAE4AMAAwADcAAgASAEQATwBNAEEASQBOADAAMAA3AAEAEABQAFIATwBYA
FkAUwBSAFYABAAaAGQAbwBtAGEAaQBuADAAMAA3AC4AYwBvAG0AAwAsAHAAcgBvAHgAeQBzAHIAdgAuA
GQAbwBtAGEAaQBuADAAMAA3AC4AYwBvAG0AAAAAAA==
< X-Cache: MISS from proxy.domain.local
< X-Cache-Lookup: NONE from proxy.domain.local:8080
< Via: 1.0 proxy.domain.local:8080 (squid/2.7.STABLE3)
< Connection: keep-alive
< Proxy-Connection: keep-alive
<
* Ignore 1274 bytes of response-body
* TUNNEL_STATE switched to: 0
* Establish HTTP proxy tunnel to github.com:443
* Proxy auth using NTLM with user ''
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAABIAEgBIAAAADAAM
AFoAAAAUABQAZgAAAAAAAACqAAAABYKIogUBKAoAAAAPRABPAE0AQQBJAE4AMAAwADcAawBvAHMAdABp
AHgAUABSAE8ARwBSAEEATQBNAEUAUgDh1JtkpsObQAAAAAAAAAAAAAAAAAAAAADoWOvphE2qJZbbaDyf
GGzVbtbx1kWGEEo=
> User-Agent: curl/7.43.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw32/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*        subject: businessCategory=Private Organization; jurisdictionC=US; juris
dictionST=Delaware; serialNumber=5157550; street=548 4th Street; postalCode=9410
7; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*        start date: 2014-04-08 00:00:00 GMT
*        expire date: 2016-04-12 12:00:00 GMT
*        subjectAltName: github.com matched
*        issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Ext
ended Validation Server CA
*        SSL certificate verify ok.
> GET /nunit/nunit.git/info/refs?service=git-upload-pack HTTP/1.1
> Host: github.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: GitHub Babel 2.0
< Content-Type: application/x-git-upload-pack-advertisement
< Transfer-Encoding: chunked
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Vary: Accept-Encoding
<
001e# service=git-upload-pack
000000f42cde185d13a7abedb14910a5d2ee042a608c44af HEAD multi_ack thin-pack side-b
and side-band-64k ofs-delta shallow no-progress include-tag multi_ack_detailed n
o-done symref=HEAD:refs/heads/master agent=git/2:2.4.5~vmg-daemon-children-984-g
ec12e49
004fdc38d9e559dde703d2e9b879bb35481adfee54ab refs/heads/feature-sharedprojects
004cf0a019e49bd092a66880f8e9ddfb65cba4ade145 refs/heads/generic-constraints

So, my next couple of thoughts:

  • libCURL shipped with GfW is built with support for NTLM, Kerberos and SPNEGO, so it should actually provide you with SSO.

    So try dropping those username+password bits from your proxy spec.

  • If it does not work this way (or you want explicit credentials), make sure your username is OK.

    If you're in a Windows domain, your username has to be DOMAIN\user, and may require escaping that \ by using \\. So I'd try that.

@ghost (Author) commented Jul 10, 2015

When I used version 1.9.5 from here: https://git-scm.com/download/win it worked fine. :(((

To be convinced of it once again I uninstalled it (http://git-for-windows.github.io/) and installed this https://git-scm.com/download/win again. But now it doesn't work either... It worked for me in earlier months (with my proxy settings in the .gitconfig file as I wrote above), I don't know why it doesn't work now....

This is my current output for 1.9.5:

Developer@BUSHCOMP /d/_git.sandbox
$ git clone https://github.com/nunit/nunit.git
Cloning into 'nunit'...
fatal: unable to access 'https://github.com/nunit/nunit.git/': Unknown SSL proto
col error in connection to github.com:443

> is it possible to negotiate with your admins to allow direct connections to github's 443 for some time?

Admin told me he doesn't lock 443 port.

Developer@BUSHCOMP /d/_git.sandbox
$ openssl s_client -host github.com -port 443
Loading 'screen' into random state - done
CONNECTED(00000634)
5872:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s
23_clnt.c:604:

> If you're in a Windows domain, your username has to be DOMAIN\user, and may require escaping that \ by using \\. So I'd try that.

But it worked earlier without a domain name... OK, I tried this variant:

[http]
proxy = http://HYPROSTROY\Developer:my_password@proxy2:8080

[https]
proxy = https://HYPROSTROY\Developer:my_password@proxy2:8080

But it didn't help me. I get the same problem.

@ghost (Author) commented Jul 10, 2015

Oh... I am an inattentive donkey... Yesterday I compared these two connection strings and didn't see a difference. Every 30 days we change our passwords. I changed it in the https settings in my .gitconfig file, but didn't do the same for the http settings. Now I have fixed it and all works fine. Forgive me, guys, that I spent your time. I apologize....

@ghost (Author) commented Jul 10, 2015

How can I remove this useless "issue"?

ghost closed this as completed Jul 10, 2015

@kostix commented Jul 10, 2015

Andrey, are you sure you don't want to allow Git to use single sign-on for you as I outlined in my previous comment? That would solve your issue once and for all -- that is, libCURL would use the secur32.dll of your Windows to authenticate you against the proxy.

ghost reopened this Jul 10, 2015

@ghost (Author) commented Jul 10, 2015

kostix, how can I use it? Must I just download libCURL from http://curl.haxx.se/download.html and install it, or is it necessary to make additional settings?

@kostix commented Jul 10, 2015

Andrey, have you actually read this thread?

Git uses libCURL to work via HTTP[S], so this library is already bundled (curl is a command-line client for libCURL, bundled with Git as well). libCURL shipped in GfW is built with support for all standard authentication methods providing SSO in Windows: Kerberos, NTLM and SPNEGO. All these auth mechanisms merely mediate between the server (proxy) and the system (your local Windows) when authenticating, so basically they make Windows authenticate you using your system credentials.

TL;DR
Try dropping user:password part from your proxy definitions in Git config and see if it works.

@ghost (Author) commented Jul 10, 2015

> Andrey, have you actually read this thread?

Yes, but my English is bad.

> Try dropping user:password part from your proxy definitions in Git config and see if it works.

I tried (for Git for Windows 1.9.5) these variants in my .gitconfig file, but it doesn't work:

proxy = proxy2:8080
proxy = http://@Proxy2:8080
proxy = http://proxy2:8080
proxy = http://HYPROSTROY\Developer@proxy2:8080

@ghost (Author) commented Jul 10, 2015

Oh, it doesn't work for Git for Windows 1.9.5, but it works fine for Git for Windows Git-2.4.5.1-4th-release-candidate. So this works fine for Git-2.4.5.1-4rc:
[http]
proxy = http://@Proxy2:8080
[https]
proxy = https://@Proxy2:8080

Thank you, kostix!

ghost closed this as completed Jul 10, 2015

@kostix commented Jul 10, 2015

The @ is not needed -- it merely separates the user+password part from the host part (it literally reads as "at").

Glad it helped.

@ghost (Author) commented Jul 10, 2015

No, it doesn't work in Windows Git-2.4.5.1-4th-release-candidate without @ char. I tried it.

@kostix commented Jul 10, 2015

Oh, that's a very interesting discovery indeed! The curl library requires the user to pass it the --proxy-user : command-line option when they want to authenticate at the proxy using SSO. That ":" means "user:password" with empty user and password fields.

Hence the "@" character in the proxy spec suggests this way we select empty user and password but require authentication at the proxy server, while absent "@" supposedly means we expect no authentication request from the proxy at all!

So that's valuable information!

Regarding your SO question: please don't abuse the bug tracker: this information is entirely irrelevant to this thread.
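The proxy-URL forms discussed in this thread (a user:password pair, a bare DOMAIN\user, the lone "@" that the comment above reads as "empty user and password, but do authenticate", and no "@" at all), together with the mismatch that turned out to be the root cause earlier in the issue (a rotated password updated in [https] but not in [http]), as an added Python audit that is not the Git for Windows project's code nor any commenter's. It reads the [http]/[https] proxy values from a .gitconfig, classifies each URL, and reports plaintext passwords, an unescaped backslash in a domain user name, and credentials that differ between the two sections. The sample config and its password values are constructed placeholders; `parse_gitconfig`, `parse_proxy_url` and `audit_proxy_config` are my own names.

```python
"""Audit proxy credentials in a .gitconfig (added example).

Not the Git for Windows project's code nor any commenter's. Values are kept
raw (no git escape processing) so that backslashes can be inspected.
"""
import re
from dataclasses import dataclass
from typing import Optional

SECTION_RE = re.compile(r'^\s*\[([^\]\s"]+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")
LONE_BACKSLASH_RE = re.compile(r"(?<!\\)\\(?!\\)")   # a '\' not doubled


def parse_gitconfig(text: str) -> dict:
    """Minimal git-config reader: {(section, subsection): {key: raw value}}."""
    result, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            result.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = m.group(2)
    return result


@dataclass
class ProxySpec:
    scheme: Optional[str]
    hostport: str
    userinfo: Optional[str]   # None: no '@' in the URL; '': an '@' with nothing before it
    user: Optional[str]
    password: Optional[str]

    def mode(self) -> str:
        if self.userinfo is None:
            return "no-auth"            # client will not expect a 407 challenge
        if self.userinfo == "":
            return "sso"                # empty user:password -> system credentials (NTLM/Negotiate)
        if self.password is None:
            return "user-only"
        return "embedded-password"


def parse_proxy_url(value: str) -> ProxySpec:
    """Split scheme://[userinfo@]host:port by hand: the backslash in DOMAIN\\user is
    not a URL delimiter, and '@' is split from the right so an '@' inside a
    password does not end up in the host part."""
    scheme, sep, rest = value.partition("://")
    if not sep:
        scheme, rest = None, value
    if "@" in rest:
        userinfo, hostport = rest.rsplit("@", 1)
    else:
        userinfo, hostport = None, rest
    user = password = None
    if userinfo:
        user, sep, password = userinfo.partition(":")
        if not sep:
            password = None
    return ProxySpec(scheme, hostport, userinfo, user, password)


def audit_proxy_config(text: str) -> list:
    """Return human-readable findings for the [http]/[https] proxy entries."""
    cfg = parse_gitconfig(text)
    findings, specs = [], {}
    for section in ("http", "https"):
        raw = cfg.get((section, None), {}).get("proxy")
        if raw is None:
            continue
        spec = parse_proxy_url(raw)
        specs[section] = spec
        if spec.mode() == "embedded-password":
            findings.append(f"[{section}] proxy embeds a plaintext password for user {spec.user!r}")
        if spec.user and LONE_BACKSLASH_RE.search(spec.user):
            findings.append(f"[{section}] user {spec.user!r} has an unescaped backslash; "
                            "git config needs '\\\\' for a literal '\\'")
    if len(specs) == 2:
        a, b = specs["http"], specs["https"]
        if (a.user, a.password) != (b.user, b.password):
            findings.append("[http] and [https] proxy credentials differ; "
                            "a rotated password may have been updated in only one section")
    return findings


# Constructed sample mirroring the layout in this thread; passwords are placeholders.
SAMPLE_GITCONFIG = """
[http]
    proxy = http://Developer:OLD_PASSWORD_PLACEHOLDER@proxy2:8080
[https]
    proxy = https://Developer:NEW_PASSWORD_PLACEHOLDER@proxy2:8080
"""

if __name__ == "__main__":
    for finding in audit_proxy_config(SAMPLE_GITCONFIG):
        print(" -", finding)
```

Run it against your own file with `audit_proxy_config(open(path).read())`. An "embeds a plaintext password" finding is the cue to move to the `http://@proxy:port` form the thread ends on, which hands authentication to the system's NTLM/Negotiate support and leaves no password in the file to rotate.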
