How to disable SSL verification for git

Hi,
I'm having a problem connecting to a git repo via https which is hosted on a server with a self-signed certificate. I'm looking for a simple solution for disabling SSL verification, something like git_ssl_no_verify=true. I've already tried setting -Dcom.sun.net.ssl.checkRevocation=false, but I'm still having the issue.

Thank you in advance!


Hi Joachim,

Please check if running the following 2 commands on the TeamCity server machine resolves the problem:

  git config --system http.sslVerify false
  git config --global http.sslVerify false

They should be executed under the user who runs TeamCity server. Let me know if it helps.


Jakub,

git_ssl_no_verify is the name of an environment variable to set. A related option in gitconfig is sslVerify.

Here is a related discussion on StackOverflow.

In TW-25835 you can also find recommendations on how to import such custom certificates to git.


Hi,
I know how to disable http SSL verification in git. What is not clear to me is how to set it in TeamCity. I've tried creating a .gitconfig file in the user home directory with sslVerify = false, and adding git_ssl_no_verify as an environment variable, but without any success.

Can you please guide me on how to do it? My infrastructure consists of a TeamCity Server deployed on Windows Server 2008 and 8 TeamCity agents running RedHat Linux and Windows Server 2008 and 2012.

Thank you!


Try disabling https verification globally; to do that, run the command 'git config --system http.sslVerify false'. If it doesn't help, please reproduce the problem and attach teamcity-vcs.log from the TeamCity server machine.


I've solved my problem. Here are some (I hope) interesting facts I found during investigation of the issue: As everybody probably knows, TeamCity uses jgit as the library for accessing git repositories. So ... I dug down into the jgit source code and found the root cause of my problem. jgit can ignore that the SSL certificate was not issued by a trustworthy certification authority, and many other violations of certificate validity. What it can't ignore is a non-matching hostname in the certificate (we had a certificate issued for "localhost"). This behaviour is unfortunately not consistent with native git libraries.

The solution was quite simple: I've forced the owner of the repository to reissue the certificate with the correct hostname. Then I just created a .gitignore file in the c:\Users\teamcity directory (since TeamCity is running under a user account named "teamcity") with the following content:

[http]
    sslVerify=false


Hi Jakub,

Thanks for the update! Did you mean .gitconfig instead of .gitignore?


Is there any solution if I can't force the repository owner to change the certificate? I still have the problem that I can't connect to a GIT server with TeamCity because of a non-matching hostname. Is there a way to disable hostname checking in TeamCity? This is not a GIT problem: SSLVerify is globally set to false and I can pull sources from the GIT server outside TeamCity without any problems. I have attached a snippet of the teamcity-vcs.log file that shows the error in detail. We're currently using TeamCity Professional 8.0.5 (build 27692).



Attachment(s):
teamcity-vcs.log.zip

Hi Dimitry,


Thank you for your quick response. Unfortunately the suggested solution, setting sslVerify to false, doesn’t solve the problem. If you go down the stack trace in the teamcity-vcs.log file, you can see that the problem is directly caused by the JVM (sun.security.util.HostnameChecker.matchDNS(Unknown Source), see also Jakub’s comment on JGIT). You can find several discussions around that problem in the community (e.g. http://www.nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/ or http://stackoverflow.com/questions/3093112/certificateexception-no-name-matching-ssl-someurl-de-found) but it seems that it can only be solved programmatically by implementing a custom HostnameVerifier. The pure implementation is no big deal, but I’ve no clue how I could inject such a custom HostnameVerifier in TeamCity (or Tomcat/JVM). My hope was that somebody already had this problem and found a solution, but I couldn’t find anything. Since everything works fine with native GIT libraries, it’s hard to convince our administrator to change the certificate!


Hi Joachim,

At the moment there is no way to disable the host check inside TeamCity, so the only workaround is to reissue the certificate.

Is it correct that git with default value of sslVerify also fails to clone the repository in your case?
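
The hostname mismatch discussed in this thread can be confirmed offline, before and after a certificate is reissued. The script below is an added example, not part of any post above; it assumes the `openssl` command-line tool (1.1.1 or later) and uses the constructed host name git.example.internal with throwaway certificates it generates itself.

```shell
#!/bin/sh
# Added example, not from the thread. Host names and paths are constructed.

# make_cert NAME OUTDIR: throwaway self-signed certificate whose CN and SAN are NAME.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

# cert_names PEM: print the subject and SAN entries a client compares against.
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# host_matches PEM HOST: succeed only if HOST is covered by the certificate.
# openssl prints "does match" or "does NOT match", so the text is what we test.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# demo: the thread's situation (certificate issued for "localhost", server
# reached under another name), followed by the reissued certificate.
demo() {
    dir=$(mktemp -d) || return 1
    host=git.example.internal          # constructed name of the git server
    make_cert localhost "$dir" && make_cert "$host" "$dir" || return 1
    for pem in "$dir/localhost.pem" "$dir/$host.pem"; do
        cert_names "$pem"
        if host_matches "$pem" "$host"; then
            echo "OK: $pem covers $host"
        else
            echo "MISMATCH: $pem does not cover $host"
        fi
    done
    rm -rf "$dir"
}

demo
```

Once the names match, native git can be pointed at that one certificate through `http.sslCAInfo`, which keeps verification switched on.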