#git #openssl #issue

Title: Git clone with self-signed SSL repo

Created: 24 Jul 2023 Modified: 24 Jul 2023

Description: This is an article about how to clone a git repo served behind a self-signed SSL certificate.



Problem

When developing inside an organization, there is a chance that the internal firewall generates its own certificates (untrusted by general programming languages or tools like Java and git) and uses them to replace the original certificate (trusted and issued by a known issuer for the internet) on internally proxied HTTPS traffic.

Typically you have no trouble accessing https://dev.azure.com from the browser, but when you access it from dev tools like git you receive a message like SSL certificate problem: unable to get local issuer certificate.

How to solve

For git there are two ways to handle the issue and get the repo downloaded.

1. Bypass the ssl verification

Bypassing the verification process is the fastest fix, but it leaves you open to a MITM (man-in-the-middle) attack because the certificate is not verified.

One-off command

By adding a one-off argument to the git clone command, SSL certificate verification is bypassed for that command.

git -c http.sslVerify=false clone {repo url}

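Permanent solution

Add the configuration to the .gitconfig file (it can be placed under the home directory).

# The section name must be a URL including the scheme, e.g. https://dev.azure.com
[http "https://{repo domain}"]
    sslVerify = false

Then clone with the command: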

git clone {repo url}

2. Extract SSL certificate

Extracting the SSL certificate is a little more complex than bypassing verification. We first fetch the certificate with openssl and save it to a file. Git then uses the saved certificate for verification on every operation. If someone performs a MITM attack with a different certificate, verification fails and git refuses the connection.

Extract SSL Certificate

openssl s_client -connect {host:port} </dev/null > {certificate name}
# e.g.
# openssl s_client -connect dev.azure.com:443 </dev/null > dev-azure-com.cert

One-off command

git -c http.sslCAInfo={path to the certificate file} clone {repo url}

Permanent solution

# The section name must be a URL including the scheme, e.g. https://dev.azure.com
[http "https://{repo domain}"]
    sslCAInfo = {path to certificate file}

Then clone with the command:

git clone {repo url}
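
The certificate saved by openssl s_client is fetched over a connection that has not been verified yet, so it is worth comparing its fingerprint with a value obtained separately before telling git to trust it. The script below is an added example, not part of the original article: the function names, the host proxy.example.internal and the idea that the expected fingerprint comes from whoever operates the proxy are assumptions, and the sample certificate is generated locally so the script runs offline.

```bash
#!/bin/sh
# Added example (not from the original article): trust an extracted certificate
# for git only after its SHA-256 fingerprint matches a value obtained out of band.

# Print the fingerprint of the first certificate found in FILE. FILE may be the
# raw s_client output; openssl skips the text around the PEM block.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# pin_cert TRANSCRIPT EXPECTED_FP URL PEM_OUT GITCONFIG
# Returns 0 and writes PEM_OUT plus a URL-scoped sslCAInfo entry on a match,
# 1 on a fingerprint mismatch, 2 when no certificate could be read.
pin_cert() {
    pc_actual=$(cert_fingerprint "$1" | tr 'a-f' 'A-F')
    pc_expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$pc_actual" ] || return 2
    if [ "$pc_actual" != "$pc_expected" ]; then
        echo "fingerprint mismatch: got $pc_actual" >&2
        return 1
    fi
    # Store only the certificate, without the handshake text s_client prints.
    openssl x509 -in "$1" -outform PEM -out "$4" || return 2
    printf '[http "%s"]\n\tsslCAInfo = %s\n' "$3" "$4" >> "$5"
}

# Constructed sample input so the example runs offline: a throwaway self-signed
# certificate wrapped in text resembling saved s_client output.
make_sample_transcript() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=proxy.example.internal" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 2
    {
        echo "CONNECTED(00000003)"
        echo "Server certificate"
        cat "$1/cert.pem"
        echo "Verify return code: 19 (self-signed certificate in certificate chain)"
    } > "$1/transcript.txt"
}
```

In real use the first argument to pin_cert is the file saved by the openssl s_client command above, and the last argument is your .gitconfig.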