I am using a company-hosted (Bitbucket) git repository that is reachable over HTTPS. Accessing it (e.g. with git fetch) worked on macOS 11 (Big Sur) but broke after updating to macOS 12 Monterey.
After the macOS update to 12 Monterey, my previously working git setup is broken. I now get the following error message:
$ git fetch
fatal: unable to access 'https://.../':
error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length
For what it's worth, using curl doesn't work either:
$ curl --insecure -L -v https://...
* Trying ...
* Connected to ... (...) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length
* Closing connection 0
curl: (35) error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length
Accessing the same HTTPS origin via Safari or Firefox works.
As far as I understand, the underlying "bad key length" error comes from OpenSSL / LibreSSL, which is consistent with git and curl both failing after the OS upgrade.
This is the output of openssl:
$ openssl s_client -servername ... -connect ...:443
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
verify return:1
depth=0 ...
4593010348:error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length:/System/Volumes/Data/SWE/macOS/BuildRoots/b8ff8433dc/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75/libressl-2.8/crypto/apple/hmac/hmac.c:188:
---
Certificate chain
...
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 4105 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 1FA062DC9EEC9A310FF8231F1EB11A3BD6E0778F7AB6E98EAD1020A44CF1A407
Session-ID-ctx:
Master-Key:
Start Time: 1635319904
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
I did try adding the server's certificates to a custom pem file and setting http.sslCAInfo, but that didn't work. As a workaround, I am currently using a proxy that decrypts/re-encrypts HTTPS traffic.
How do I configure git (or all LibreSSL users) to accept the server's certificate?
Reply from a uj5u.com community member:
Unfortunately I can't offer you a fix, but I found a workaround for exactly the same problem (a company-hosted Bitbucket producing exactly the same error). I also don't know the exact cause, but my best guess is that the libressl library shipped with Monterey has some kind of issue with specific (?TLSv1.3) certificates. The reason for this guess is that the brew-installed openssl v1.1 and v3 do not throw that error when running /opt/homebrew/opt/openssl/bin/openssl s_client -connect ...:443
To get around the error, I built git from source against a different openssl and curl implementation:
- install autoconf, openssl and curl via brew (I think you can pick whichever openssl lib you prefer, i.e. v1.1 or v3; I chose v3)
- clone the git version you prefer, i.e. git clone --branch v2.33.1 https://github.com/git/git.git, then cd git and make configure (this is why autoconf is needed)
- run LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib -L/opt/homebrew/opt/curl/lib" CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include -I/opt/homebrew/opt/curl/include" ./configure --prefix=$HOME/git (here LDFLAGS and CPPFLAGS include the libs git will be built against; the correct flags are printed by brew when curl and openssl install successfully; --prefix is the install directory for git, which defaults to /usr/local but can be changed)
- make install
- make sure to prepend the install directory's /bin subfolder to your $PATH to "override" the default git shipped with Monterey
- restart the terminal
- check that git version shows the new version
This should help for now, but as I already said, it is only a workaround; hopefully Apple fixes their libressl fork soon.
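The build steps above as a script (an added example, not the answerer's own code): it composes the LDFLAGS/CPPFLAGS from a Homebrew prefix, runs the clone/configure/make steps, and reads the TLS backend out of `curl --version` so you can confirm the new git is linked against OpenSSL rather than LibreSSL. The function names, the BREW_PREFIX default of /opt/homebrew and the build directory under $TMPDIR are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: scripts the workaround of
# building git against Homebrew's openssl@3 and curl instead of the system
# LibreSSL. Assumes Homebrew is installed under /opt/homebrew (Apple
# silicon default); set BREW_PREFIX=/usr/local on Intel Macs.
set -eu

BREW_PREFIX="${BREW_PREFIX:-/opt/homebrew}"
GIT_TAG="${GIT_TAG:-v2.33.1}"            # tag used in the answer
GIT_PREFIX="${GIT_PREFIX:-$HOME/git}"    # install prefix used in the answer

# Flags that point git's build at Homebrew's openssl@3 and curl.
# $1 = Homebrew prefix, $2 = LDFLAGS or CPPFLAGS.
build_flags() {
  case "$2" in
    LDFLAGS)  printf '%s\n' "-L$1/opt/openssl@3/lib -L$1/opt/curl/lib" ;;
    CPPFLAGS) printf '%s\n' "-I$1/opt/openssl@3/include -I$1/opt/curl/include" ;;
    *) return 1 ;;
  esac
}

# Report which TLS library a curl build uses, given `curl --version` output
# on stdin: the system curl prints LibreSSL/x.y.z, Homebrew's prints
# OpenSSL/x.y.z. Prints an empty string when neither appears.
tls_backend() {
  local hit
  hit=$(grep -oE '(LibreSSL|OpenSSL)/[0-9.]+' | head -n 1) || true
  printf '%s\n' "${hit%%/*}"
}

# The build steps from the answer, in order.
build_git() {
  local src="${TMPDIR:-/tmp}/git-src"
  brew install autoconf openssl@3 curl
  git clone --branch "$GIT_TAG" --depth 1 https://github.com/git/git.git "$src"
  cd "$src"
  make configure                              # needs autoconf
  LDFLAGS="$(build_flags "$BREW_PREFIX" LDFLAGS)" \
  CPPFLAGS="$(build_flags "$BREW_PREFIX" CPPFLAGS)" \
    ./configure --prefix="$GIT_PREFIX"
  make -j"$(sysctl -n hw.ncpu)" install
  # Confirm the new git and the TLS library of the curl it was built against.
  "$GIT_PREFIX/bin/git" version
  echo "libcurl TLS backend: $("$BREW_PREFIX/opt/curl/bin/curl" --version | tls_backend)"
  echo "Now prepend $GIT_PREFIX/bin to PATH and restart the terminal."
}

# Build only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = build ]; then build_git; fi
```

Run it as `bash build-git.sh build`; without the argument it only defines the helpers.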
Please credit the source when reprinting; link to this article: https://www.uj5u.com/yidong/348591.html
