Cannot communicate securely with peer: no common encryption algorithm(s)
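I am a Fedora 20 user. While cloning a repository, I get the following error:
"Cloning into 'git_missions'...
fatal: unable to access 'https://openhatch.org/git-mission-data/git/hithard/': Cannot communicate securely with peer: no common encryption algorithm(s)."
I don't know what to do. Need help.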
The simplest solution is just to use http instead of https:
$ git clone http://openhatch.org/git-mission-data/git/hithard/
Cloning into 'hithard'...
remote: Counting objects: 3, done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
Checking connectivity... done.
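I think the error itself ("no common encryption algorithms") is accurate; it appears that the server wants to use some sort of elliptic curve cipher (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) that is not supported by git's underlying SSL library. You can use something like wireshark to capture the SSL handshake between git and the server and see the options being passed back and forth.
At least on my system, curl doesn't seem to support this cipher, and git uses libcurl to handle https/http connections.
Update
So, based on my last comment to @mattdm, in which I discovered that curl on my system is using the NSS crypto library, the following works: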
curl --ciphers ecdhe_ecdsa_aes_128_gcm_sha_256 https://openhatch.org/
Unfortunately, there isn't any way to pass a cipher list to git. The patch to make it do so is trivial (here is one version I just made), but I don't know what the chances are of getting this accepted upstream.
"Unfortunately, there isn't any way to pass a cipher list to git"
larsks mentioned in the comments:
"I've had a patch accepted to git that addresses this issue"
That has indeed been accepted, and merged into Git 2.5+ (Q2 2015).
See commit f6f2a9e by Lars Kellogg-Stedman (larsks), 8 May 2015.
(Merged by Junio C Hamano -- gitster -- in commit 39fa791, 22 May 2015)
http: add support for specifying an SSL cipher list
Teach git about a new option, "http.sslCipherList", which permits one to specify a list of ciphers to use when negotiating SSL connections.
The setting can be overridden by the GIT_SSL_CIPHER_LIST environment variable.
The git config man page now includes:
http.sslCipherList:
A list of SSL ciphers to use when negotiating an SSL connection.
The available ciphers depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use.
Internally this sets the 'CURLOPT_SSL_CIPHER_LIST' option; see the libcurl documentation for more details on the format of this list.
Can be overridden by the 'GIT_SSL_CIPHER_LIST' environment variable.
To force git to use libcurl's default cipher list and ignore any explicit http.sslCipherList option, set 'GIT_SSL_CIPHER_LIST' to the empty string.
These could come in handy in 2015:
- "Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment?"
- "Hardening Your Web Server’s SSL Ciphers"
- Nick Craver's problems with SSL/TLS and productivity, with a now fixed security issue (weakdh.org; the Logjam attack exploits weaknesses in the Diffie-Hellman key exchange).
Update August 2015: Git 2.6+ (Q3 2015) will allow specifying the SSL version explicitly:
http: add support for specifying the SSL version
See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)
http.sslVersion
The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:
- sslv2
- sslv3
- tlsv1
- tlsv1.0
- tlsv1.1
- tlsv1.2
Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.
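An added example, not part of the original answers and not git's or curl's own code: with Git 2.5+ the clone can stay on HTTPS by handing libcurl the cipher name in the spelling its TLS backend expects, scoped to the one host through http.<url>.sslCipherList. The function names and the two `curl --version` banners are constructed for illustration; the OpenSSL spelling is that library's name for the same suite.

```shell
#!/bin/sh
# Added example: keep HTTPS and pick the cipher name in the spelling
# that the local libcurl TLS backend understands.

# Map the first line of `curl --version` to the TLS backend name.
tls_backend() {
    case "$1" in
        *" NSS/"*)     echo nss ;;
        *" OpenSSL/"*) echo openssl ;;
        *)             echo unknown ;;
    esac
}

# Spelling of TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 per backend.
# The NSS spelling is the one used in the curl command on this page.
cipher_for_backend() {
    case "$1" in
        nss)     echo ecdhe_ecdsa_aes_128_gcm_sha_256 ;;
        openssl) echo ECDHE-ECDSA-AES128-GCM-SHA256 ;;
        *)       return 1 ;;   # unknown backend: do not guess a name
    esac
}

# Build the git command line. The cipher list is scoped to one host with
# http.<url>.sslCipherList, so other remotes keep libcurl's defaults.
git_clone_cmd() {   # $1 = curl banner, $2 = base URL, $3 = repository URL
    cipher=$(cipher_for_backend "$(tls_backend "$1")") || return 1
    echo "git -c http.$2.sslCipherList=$cipher clone $3"
}

# Constructed sample banners (not captured from a real system).
NSS_BANNER='curl 7.32.0 (x86_64-redhat-linux-gnu) libcurl/7.32.0 NSS/3.15.2 zlib/1.2.8'
OSSL_BANNER='curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8'

BASE=https://openhatch.org/
REPO=https://openhatch.org/git-mission-data/git/hithard/
git_clone_cmd "$NSS_BANNER" "$BASE" "$REPO"
git_clone_cmd "$OSSL_BANNER" "$BASE" "$REPO"
# On a real machine, feed it the live banner instead:
#   git_clone_cmd "$(curl --version | head -n 1)" "$BASE" "$REPO"
```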