 

Make git revert to SSLv3 when TLSv1 fails with "Ignored Unknown Record"

Tags: git, libcurl

Can't use git:

git clone https://github.com/foo/bar

fails:

fatal: unable to access 'https://github.com/foo/bar': Unknown SSL  protocol error in connection to github.com:443

How can I force git to use SSLv3? I tried to compile git from source, but there is no setting beyond: --with-openssl (default). Adding the following line before line 408 in remote-curl.c doesn't work either:

 curl_easy_setopt(slot->curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);

Here are some clues:

  • case 1: When my browser tries to get to https://github.com/foo/bar, it first tries TLSv1. Handshake seems to be OK: Server key exchange, server hello done (at Wireshark). But it is followed by "Ignored Unknown Record" from server and finally "Connection Reset" from server. Then a new connection but with SSLv3 kicks in and everything is fine (see picture).

  • case 2: curl fails using TLSv1

    curl https://github.com/foo/bar
    

    fails:

    curl: (35) Unknown SSL protocol error in connection to github.com:443
    

    Setting --sslv3 fixes the problem.

  • case 3: Take this one

    sudo add-apt-repository  ppa:cassou/emacs
    

    fails:

    pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')
    

Edit: curl 7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1.

Edit: debug information

Cloning into 'bar'...
* Couldn't find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
*   Trying 192.30.252.130... * Connected to github.com (192.30.252.130) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
* Unknown SSL protocol error in connection to github.com:443
* Closing connection #0
fatal: unable to access 'https://github.com/foo/bar/': Unknown SSL       protocol error in connection to github.com:443
Yasser asked Dec 22 '13 21:12


1 Answers

Update August 2015: Git 2.6+ (Q3 2015) will allow specifying the SSL version explicitly:

http: add support for specifying the SSL version

See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)

http.sslVersion

The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:

  • sslv2
  • sslv3
  • tlsv1
  • tlsv1.0
  • tlsv1.1
  • tlsv1.2

Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.


Original answer (Dec. 2013)

I usually see that error message when my PROXY environment variables aren't properly set:

export HTTP_PROXY=http://user:password@proxyhost:port
export HTTPS_PROXY=http://user:password@proxyhost:port
export NO_PROXY=.mycompany.com

You can also set up a ~/.netrc file for your GitHub credentials.

Make sure your git config http.sslcainfo does reference your /path/to/git/bin/curl-ca-bundle.crt, in order for curl to be able to validate the certificate associated with the GitHub server.


One workaround, if https really doesn't work, is to use an ssh url:

git clone ssh://user@server/project.git

(if you have generated a private and public key first, and registered that public key to your GitHub account)

VonC answered Oct 11 '22 23:10
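
The precedence between http.sslVersion and GIT_SSL_VERSION described in the answer above, together with a check for a pinned old protocol version, as an added example that is not part of the original answer or of git itself. The function names effective_ssl_version and audit_ssl_version and the return codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: resolve and audit the protocol version git will request.
# Precedence follows the http.sslVersion text quoted in the answer above.

# Print the effective setting: a version name, or "default" when the choice
# is left to libcurl. $1 is the configured http.sslVersion (may be empty).
effective_ssl_version() {
    if [ "${GIT_SSL_VERSION+set}" = set ]; then
        # The environment variable wins; an empty value means "libcurl default"
        # and hides any http.sslVersion setting.
        v=$GIT_SSL_VERSION
    else
        v=$1
    fi
    echo "${v:-default}"
}

# Classify a resolved value.
# Return codes (hypothetical, for this sketch): 0 ok, 1 weak, 2 unknown.
audit_ssl_version() {
    case $1 in
        default|tlsv1.2)
            echo "ok: $1"; return 0 ;;
        sslv2|sslv3|tlsv1|tlsv1.0|tlsv1.1)
            # SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated protocols;
            # libcurl reads plain "tlsv1" as "TLS 1.0 or later".
            echo "weak: $1 permits a deprecated protocol version"; return 1 ;;
        *)
            echo "unknown: $1 is not in the list of accepted values"; return 2 ;;
    esac
}

# Report for the current environment when git is installed.
if command -v git >/dev/null 2>&1; then
    cfg=$(git config --get http.sslVersion 2>/dev/null || true)
    audit_ssl_version "$(effective_ssl_version "$cfg")" || true
fi
```

Pass any configured value as the first argument of effective_ssl_version to check another scope, for example the output of git config --system --get http.sslVersion.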