can't connect over HTTPS with Self-signed certificate... #1136

Closed
composite opened this Issue Jan 4, 2013 · 8 comments

5 participants

@composite

I want to connect to my GitLab server over HTTPS but can't connect.
Yes, I don't have an official certificate.
In %APPDATA%/spacleshare/debug_log.txt:

11:22:18 | Fetcher | C:\Users\WIN7USER\SparkleShare\.tmp\myrepo | Fetching folder: https://user@mydomain:443/myrepo
11:22:18 | Cmd | .tmp | git clone --progress --no-checkout --depth=1 "https://user@mydomain:443/myrepo" "C:\Users\WIN7USER\SparkleShare\.tmp\myrepo"
11:22:20 | Fetcher | error: SSL certificate problem, verify that the CA cert is OK. Details:
11:22:20 | Fetcher | error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://user@mydomain:443/myrepo/info/refs?service=git-upload-pack
11:22:20 | Fetcher | fatal: HTTP request failed
11:22:20 | Fetcher | Failed
11:22:20 | Fetcher | Failed to dispose properly: No process is associated with this object.    at System.Diagnostics.Process.EnsureState(State state)
   at System.Diagnostics.Process.EnsureState(State state)
   at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
   at System.Diagnostics.Process.Kill()
   at SparkleLib.Git.SparkleFetcher.Stop()

Is there any idea or solution for this issue on Windows 7 Ultimate x64?

@hbons
Owner

what if you use git to manually clone the repo on that computer? do you get the same error?

@brandondahler

This would require a new dialog box warning that the certificate is invalid (preferably what part is invalid) and allowing for the acceptance of the certificate permanently.

The fetcher would have to run clone by doing:

GIT_SSL_NO_VERIFY=true git clone https://...

Then the repo would need to set sslVerify to false to prevent failure on fetch/push:

git config http.sslVerify false

Alternatively, users can get a free, valid CAcert certificate and follow the second option as stated on this Stack Overflow answer here to install CAcert's root certificate.

@rriley

Seems like another option would be to allow the user to enter the cert fingerprint when adding a share. If the unsigned cert matches the fingerprint, then things are likely ok and you can proceed to connect. Not that this is easy, but it would work.

Just adding a dialog box sounds like trouble waiting to happen. Users already don't know how to deal with certificate warnings from their other apps. (Such as web browser.)
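The fingerprint check suggested in the comment above, sketched as an added example (not part of the original thread and not SparkleShare code). The function names, the SHA-256-only policy and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text):
    """Turn 'AB:CD:...' as typed by a user into lowercase hex; accept SHA-256 only."""
    hexstr = "".join(ch for ch in text if ch not in ": \t-").lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexstr


def matches_pin(der_cert, pinned):
    """Compare the SHA-256 of the DER certificate with the pinned fingerprint."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))


def fetch_server_cert(host, port=443, timeout=10):
    """Return the server's leaf certificate (DER) without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE  # chain validation is replaced by the pin check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_share(host, pinned, port=443):
    """Gate for adding a share: True only if the presented cert matches the pin."""
    return matches_pin(fetch_server_cert(host, port), pinned)


# Constructed stand-in for a DER certificate so the demo runs offline.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())

if __name__ == "__main__":
    print(matches_pin(SAMPLE_DER, SAMPLE_PIN))         # same certificate
    print(matches_pin(SAMPLE_DER + b"x", SAMPLE_PIN))  # different certificate
```

On a match, a client could save the certificate as PEM and point git at it for that repository with `http.sslCAInfo`, which keeps verification on, unlike `http.sslVerify false`.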

@hbons
Owner

sounds a bit fiddly. i added support for HTTPS since it was an addition of just a few lines and it made a few people happy. the main way of doing auth in SparkleShare has always been SSH. if it's going to be a lot of trouble, i may have to drop support for it.

@brandondahler's solution seems the most reasonable: use the env variable to just accept all certificates.

@hbons
Owner

closing this as "wontfix". i just can't be bothered supporting HTTPS...

@hbons hbons closed this Jan 12, 2013
@D4nte

Hi, the issue here is that SSH does not allow us to go over an HTTP proxy.
The main point of SparkleShare is to be installable on your own server so you can control your data. Most people with their own server will use a self-signed certificate. If in this case we cannot use the HTTPS protocol, then SparkleShare becomes useless when we are behind any proxy (corporate, airport wifi...). Can you please reconsider your decision on this bug?

@hbons
Owner

@D4nte maybe it's possible to run SSH on port 80 or 443?

@D4nte

hey, sorry I did not read the Stack Overflow link above. I'll work around it.
