Disabling TLS(/SSL) certificate verification globally is a terribly insecure practice. Don't do it. Do not issue the above command with a --global modifier.
git 中有很多SSL配置选项 . 从 git config 的手册页:
http.sslVerify
Whether to verify the SSL certificate when fetching or pushing over HTTPS.
Can be overridden by the GIT_SSL_NO_VERIFY environment variable.
http.sslCAInfo
File containing the certificates to verify the peer with when fetching or pushing
over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.
http.sslCAPath
Path containing files with the CA certificates to verify the peer with when
fetching or pushing over HTTPS.
Can be overridden by the GIT_SSL_CAPATH environment variable.
一些其他有用的SSL配置选项:
http.sslCert
File containing the SSL certificate when fetching or pushing over HTTPS.
Can be overridden by the GIT_SSL_CERT environment variable.
http.sslKey
File containing the SSL private key when fetching or pushing over HTTPS.
Can be overridden by the GIT_SSL_KEY environment variable.
http.sslCertPasswordProtected
Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will
prompt the user, possibly many times, if the certificate or private key is encrypted.
Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.
# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
git clone https://repo.or.cz/org-mode.git
# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem
# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
username = user.name
# Uncomment the credential helper that applies to your platform
# Windows
# helper = manager
# OSX
# helper = osxkeychain
# Linux (in-memory credential helper)
# helper = cache
# Linux (permanent storage credential helper)
# https://askubuntu.com/a/776335/491772
# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
##################################
# Self Signed Server Certificate #
##################################
# MUST be PEM format
# Some situations require both the CAPath AND CAInfo
sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
sslCAPath = /path/to/selfCA/
sslVerify = true
###########################################
# Private Key and Certificate information #
###########################################
# Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE,
# not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
sslCert = /path/to/privatekey/myprivatecert.pem
# Even if your PEM file is password protected, set this to false.
# Setting this to true always asks for a password even if you don't have one.
# When you do have a password, even with this set to false it will prompt anyhow.
sslCertPasswordProtected = 0
# Declare variables to make clone command less verbose
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"
# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/
git clone http://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
yum install autoconf automake libtool m4 nroff perl -y
#Need these for ./configure
yum install openssl-devel openldap-devel libssh2-devel -y
./buildconf
su # Switch to super user to install into /usr/bin/curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
make install
12 回答
永久接受特定证书
试试
http.sslCAPath或http.sslCAInfo. Adam Spiers's answer给出了一些很好的例子 . 这是该问题最安全的解决方案 .禁用单个git命令的TLS / SSL验证
尝试使用正确的配置变量将
-c传递给git,或使用Flow's answer:禁用特定存储库的SSL验证
如果存储库完全在您的控制之下,您可以尝试:
Disabling TLS(/SSL) certificate verification globally is a terribly insecure practice. Don't do it. Do not issue the above command with a --global modifier.
git中有很多SSL配置选项 . 从git config的手册页:一些其他有用的SSL配置选项:
您可以将
GIT_SSL_NO_VERIFY设置为true:或者配置Git不要在命令行上验证连接:
请注意,如果您未验证SSL / TLS证书,则 you are susceptible to MitM attacks .
我不是[EDIT:现有答案的原始版本]的忠实粉丝,因为禁用安全检查应该是最后的手段,而不是第一个提供的解决方案 . 即使您在第一次收到时无法信任自签名证书而没有其他一些额外的验证方法,但使用证书进行后续操作至少会使下载证书后的攻击更加困难 . 换句话说,如果您下载的证书是真实的,那么从那时起您就会很好 . 相比之下,如果您只是禁用验证,那么您在任何时候都可以接受任何类型的中间人攻击 .
举一个具体的例子:着名的repo.or.cz存储库提供a self-signed certificate . 我可以下载该文件,将其放在
/etc/ssl/certs之类的地方,然后执行:请注意,在此使用本地
git config(即没有--global)意味着此自签名证书仅对此特定存储库可信,这很好 . 它也比使用GIT_SSL_CAPATH更好,因为它消除了git通过可能被泄露的不同证书颁发机构进行验证的风险 .用于自签名证书颁发机构的全局.gitconfig
对于我和我的同事来说,这里是我们如何设法让自签名证书工作而不禁用
sslVerify. Edit your .gitconfig使用git config --global -e添加以下内容:参考文献:
Git Credentials
Git Credential Store
Using Gnome Keyring as credential store
Git Config http.<url>.* Supported from Git v1.8.5
git cloneing时指定config
如果您需要在每个repo的基础上应用它,文档告诉您只需在repo目录中运行
git config --local. 好吧's not useful when you haven' t得到了本地克隆的回购,现在是吗?您可以通过如上设置全局配置来执行
global -> localhokey-pokey,然后在克隆后将这些设置复制到本地repo配置...或者你可以做的是specify config commands at git clone一旦克隆就应用于目标仓库 .
一个班轮
编辑:请参阅VonC的answer,其中指出了关于特定git版本从2.14.x / 2.15到此一个班轮的绝对路径和相对路径的警告
CentOS无法加载客户端密钥
如果你在CentOS上尝试这个,你的
.pem文件给你然后你会想this StackOverflow answer关于
curl如何使用NSS而不是Open SSL .你想要rebuild curl from source:
重启计算机,因为libcurl仍然作为共享库在内存中
Python,pip和conda
Related :How to add a custom CA Root certificate to the CA Store used by Python in Windows?
我一直遇到这个问题,所以编写了一个脚本从服务器下载自签名证书并将其安装到〜/ .gitcerts,然后更新git-config指向这些证书 . 它存储在全局配置中,因此您只需要为每个远程运行一次 .
https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh
这个答案摘自Michael Kauffman撰写的this article .
Use Git for Windows with a corporate SSL certificate
Issue :
如果您拥有公司SSL证书并希望从控制台或VSCode克隆您的存储库,则会出现以下错误:
致命:无法访问'https://myserver/tfs/DefaultCollection/_git/Proj/':SSL证书问题:无法获得本地颁发者证书
Solution :
将根自签名证书导出到文件 . 您可以在浏览器中执行此操作 .
在git文件夹中找到“ca-bundle.crt”文件(当前版本C:\ Program Files \ Git \ usr \ ssl \ certs,但过去已更改) . 将文件复制到您的用户配置文件 . 使用VSCode等文本编辑器打开它,并将导出的证书的内容添加到文件的末尾 .
现在我们必须配置git来使用新文件:
git config --global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt这会将以下条目添加到用户根目录中的.gitconfig文件中轮廓 .
[http] sslCAInfo = C:/Users/<yourname>/ca-bundle.crt检查防病毒和防火墙设置 .
从一天到另一天,git不再起作用了 . 通过以上描述,我发现卡巴斯基在中间放置了一个自签名的反病毒个人根证书 . 我没有按照上面的说明让Git接受该证书 . 我放弃了 . 对我有用的是禁用扫描加密连接的功能 .
打开卡巴斯基
设置>其他>网络>不扫描加密连接
在此之后,git再次启用sslVerify .
注意 . 这仍然不能令我满意,因为我希望我的反病毒功能处于活动状态 . 在高级设置中,卡巴斯基显示了一个不适用于该功能的网站列表 . Github未被列为其中之一 . 我将在卡巴斯基论坛上查看 . 似乎有一些主题,例如https://forum.kaspersky.com/index.php?/topic/395220-kis-interfering-with-git/&tab=comments#comment-2801211
当您使用sslKey或sslCert使用一个衬垫时要小心,如Josh Peak的answer:
只有Git 2.14.x / 2.15(2015年第3季度)才能正确解释像
~username/mykey这样的路径(虽然它仍然可以解释像/path/to/privatekey这样的绝对路径) .见commit 8d15496(2017年7月20日)Junio C Hamano (gitster) .
帮助:Charles Bailey (hashpling) .
(由Junio C Hamano合并 - gitster - 在17b1e1d承诺中,2017年8月11日)
在 .gitconfig 文件中,您可以添加以下给定值以使自签名证书可接受
sslCAInfo = /home/XXXX/abc.crt
在Windows上使用64位版本的Git,只需将自签名CA证书添加到这些文件中:
C:\ Program Files \ Git \ mingw64 \ ssl \ certs \ ca-bundle.crt
C:\ Program Files \ Git \ mingw64 \ ssl \ certs \ ca-bundle.trust.crt
如果只是服务器自签名证书,请将其添加到
我是这样做的:
运行以下命令: