
How to find out which TLS version the Git command is using?

Marc Leonhardt November 28, 2018

According to Deprecating TLSv1 and TLSv1.1, support for older TLS versions will be disabled effective 1 December 2018.

The Git command line on UNIX-based systems (including macOS, Linux, and all BSDs) may be affected. You should be able to test your connection from the command line: GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/ This will connect to Bitbucket using the Git client and list the connection parameters. If you see a line like “SSL connection using TLSv1.2” in the output, then you are unaffected; if that line mentions a different version of TLS, then you are affected.


The verbose cURL output was supposed to show me the TLS version the Git command is using. But unfortunately it does not! :(

# GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/

* Couldn't find host bitbucket.org in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
* Trying 18.205.93.2...
* Connected to bitbucket.org (18.205.93.2) port 443 (#0)
* found 152 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification OK
* common name: bitbucket.org (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: EC
* certificate version: #3
* subject: businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=US,jurisdictionOfIncorporationStateOrProvinceName=Delaware,serialNumber=3928449,C=US,ST=California,L=San Francisco,O=Atlassian\, Inc.,OU=Bitbucket,CN=bitbucket.org
* start date: Thu, 19 Apr 2018 00:00:00 GMT
* expire date: Tue, 21 Apr 2020 12:00:00 GMT
* issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
* compression: NULL
* cipher: AES-128-GCM
* MAC: AEAD
> GET /info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.1.4
Host: bitbucket.org
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

< HTTP/1.1 404 Not Found
< Cache-Control: max-age=900
< Content-Type: text/plain; charset=utf-8
< X-B3-Traceid: 619fa84d196cc839d1e1f752c58f7282
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Date: Wed, 28 Nov 2018 09:28:24 GMT
< X-Server: 4c09ec53f585
< X-Content-Type-Options: nosniff
< Connection: close
< X-Version: a8c3445ad7
< Content-Length: 31
<
* Closing connection 0
remote: Repository info/refs not found
fatal: repository 'https://bitbucket.org/' not found

# git --version

git version 2.1.4


# curl --version

curl 7.38.0 (arm-unknown-linux-gnueabihf) libcurl/7.38.0 OpenSSL/1.0.1t zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP

Please help me, time is running away!

3 answers

1 accepted

2 votes
Answer accepted
jredmond
Atlassian Team
November 28, 2018

Curl added the TLS version output in version 7.40.0 (released January 2015). Curl versions since 7.29.0 (released February 2013) should be able to manage TLSv1.2, but that will also rely on the underlying SSL library (OpenSSL, LibreSSL, GnuTLS, etc.) that was linked into the curl binaries.

I can see from your `curl --version` output that you're using OpenSSL 1.0.1t (released May 2016). You should therefore be able to use OpenSSL's s_client binary to check what version of the protocol it's using:

echo | openssl s_client -connect bitbucket.org:443 | grep Protocol

Having said all that, though, I noticed that your verbose output mentions AEAD for MAC (Message Authentication Code, not the Apple product) and AES-128-GCM for the cipher. Both of those were introduced in TLSv1.2, so it looks like your stuff should be OK - at least on this front.
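
The answer above gives two tests: look for an "SSL connection using TLSv1.2" line, or, with an older curl that does not print one, judge by the cipher suite. The script below is an added example, not code from the thread or from Atlassian, that folds both into one `classify_tls` function reading either git's verbose curl trace or `openssl s_client` output from stdin and printing a verdict. It goes a little beyond the answer: it recognises the output of all three libcurl TLS backends that appear later in this thread (OpenSSL, NSS, and GnuTLS, which splits the suite into `cipher:` and `MAC:` lines), and where only a legacy CBC/SHA1 suite is visible it reports that the version cannot be inferred rather than declaring the client affected. The function name, verdict strings and sample transcripts are this example's own; the samples are constructed from the outputs posted in this thread.

```shell
#!/bin/sh
# classify_tls: read TLS diagnostics on stdin, print one verdict line.
# Accepts the stderr of `GIT_CURL_VERBOSE=1 git ls-remote <url>` or the
# output of `openssl s_client`, and covers the three libcurl TLS backends
# whose output appears in this thread:
#   OpenSSL, curl >= 7.40 : "* SSL connection using TLSv1.2 / ECDHE-..."
#   OpenSSL, curl <  7.40 : "* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256"
#   NSS                   : "* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
#   GnuTLS                : "*      cipher: AES-128-GCM" and "*      MAC: AEAD"
# Exit: 0 TLS 1.2+ confirmed, 1 older protocol, 2 nothing found, 3 cannot infer.
classify_tls() {
    input=$(cat)
    # 1. An explicit version wins: curl >= 7.40 prints it after "SSL connection
    #    using", openssl s_client prints it as "Protocol : TLSv1.x".
    proto=$(printf '%s\n' "$input" \
        | sed -nE 's/.*(SSL connection using|Protocol *:) *(TLSv1(\.[0-9])?)( .*)?$/\2/p' \
        | head -n 1)
    if [ -n "$proto" ]; then
        case "$proto" in
            TLSv1.2|TLSv1.3) echo "ok: $proto negotiated"; return 0 ;;
            *)               echo "affected: $proto negotiated"; return 1 ;;
        esac
    fi
    # 2. No version line (curl < 7.40): collect whatever names the suite. GnuTLS
    #    splits it into "cipher:" and "MAC:" lines, the others print one name.
    suite=$(printf '%s\n' "$input" \
        | sed -nE 's/.*(SSL connection using|cipher:|MAC:) *(.*)/\2/p' | tr '\n' ' ')
    suite=${suite% }
    if [ -z "$suite" ]; then
        echo "unknown: no TLS parameters in input (handshake failed or not verbose?)"
        return 2
    fi
    # 3. The deprecation notice's heuristic: AEAD suites (GCM, ChaCha20-Poly1305)
    #    and SHA-256/SHA-384 MACs exist only in TLS 1.2 suites.
    if printf '%s' "$suite" | grep -qiE 'GCM|SHA256|SHA384|AEAD|CHACHA20|POLY1305'; then
        echo "ok: TLS 1.2-only cipher suite ($suite)"
        return 0
    fi
    # A CBC/SHA1 suite is legal in TLS 1.0 through 1.2, so it proves nothing.
    echo "unconfirmed: legacy cipher suite ($suite); pin GIT_SSL_VERSION=tlsv1.2 and retry"
    return 3
}

# Constructed samples modeled on the outputs posted in this thread.
SAMPLE_CURL_NEW=$(cat <<'EOF'
* Connected to bitbucket.org (18.205.93.2) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
EOF
)
SAMPLE_NSS_OLD=$(cat <<'EOF'
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
EOF
)
SAMPLE_GNUTLS_AEAD=$(cat <<'EOF'
*      compression: NULL
*      cipher: AES-128-GCM
*      MAC: AEAD
EOF
)
SAMPLE_GNUTLS_LEGACY=$(cat <<'EOF'
*      compression: NULL
*      cipher: AES-128-CBC
*      MAC: SHA1
EOF
)
SAMPLE_TLS10=$(cat <<'EOF'
* SSL connection using TLSv1.0 / AES128-SHA
EOF
)
SAMPLE_SCLIENT=$(cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
EOF
)
SAMPLE_FAILED=$(cat <<'EOF'
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
EOF
)

show() { printf '%-14s %s\n' "$1" "$(printf '%s\n' "$2" | classify_tls)"; }
show curl-new      "$SAMPLE_CURL_NEW"
show nss-old       "$SAMPLE_NSS_OLD"
show gnutls-aead   "$SAMPLE_GNUTLS_AEAD"
show gnutls-legacy "$SAMPLE_GNUTLS_LEGACY"
show tls1.0        "$SAMPLE_TLS10"
show s_client      "$SAMPLE_SCLIENT"
show failed        "$SAMPLE_FAILED"
```

For a live check, pipe the real output in: `GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/ 2>&1 | classify_tls` (git writes the curl trace to stderr, hence the `2>&1`), or `echo | openssl s_client -connect bitbucket.org:443 2>/dev/null | classify_tls`. The "New, TLSv1/SSLv3, Cipher is ..." line that s_client prints names the cipher's protocol family, not the negotiated version; only the "Protocol :" line does, which is why the function ignores the former.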

ZeetixTom November 28, 2018

Indeed, I think all is well.

Based on guidance from another channel, I did the following:
#openssl s_client -connect google.com:443 -tls1_2

The response ended with the following:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: CACE829149EC06667D267DB2783D175BD53B374B406BD0FE249A7DE884974235
Session-ID-ctx:
Master-Key: E030758AFC341F41D9E9931AD39354E37BDE676E6931E3E64ECD522D843C56A5C8A36C232711FFA830CB9DC52DC34F39
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 00 a3 d3 c1 b1 82 98 85-fe 8d 3a 7a 3f 4d ae b4 ..........:z?M..
0010 - b7 67 60 f7 e6 fe fc 12-7b 33 87 7f dc a5 da 4c .g`.....{3.....L
0020 - 2a 9f 8d 85 3a 03 1b 3b-36 ac bc d0 3f c1 ad 43 *...:..;6...?..C
0030 - 82 a9 94 33 1a 31 22 b5-2e 21 49 fb 75 4e dd 64 ...3.1"..!I.uN.d
0040 - 86 1f aa 8e b4 9d 3e 37-f8 90 c5 12 34 35 9e 3d ......>7....45.=
0050 - 54 c1 7c 07 6a df 8c fa-56 55 40 f3 fd 3e 2b 46 T.|.j...VU@..>+F
0060 - 73 97 ab ce 18 d2 9c 0e-c0 4c 59 0f 5c fd d5 b7 s........LY.\...
0070 - 04 74 80 70 f0 32 17 37-9d 7f 54 6c 3d bc b7 d0 .t.p.2.7..Tl=...
0080 - 71 0c 7a 36 a5 b0 36 2d-52 82 d5 d6 61 bc c5 11 q.z6..6-R...a...
0090 - fd e7 34 cf 99 dd 4d 40-99 98 0d 1d e5 06 29 6d ..4...M@......)m
00a0 - d4 06 fe 07 a4 24 99 03-c7 e9 6e 8f cd 27 cd 80 .....$....n..'..
00b0 - 8c f8 f3 d1 14 3d a4 b2-8f 17 bf ac ae e7 ba 88 .....=..........
00c0 - 4e a0 5a e1 62 dc 1c 9d-40 c6 c6 15 0b f6 8f e1 N.Z.b...@.......
00d0 - 46 aa ca b2 8d F....

Start Time: 1543441484
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
read:errno=0

I think that "Protocol: TLSv1.2" line means I'm all set. I appreciate your response!

Marc Leonhardt November 29, 2018

Thanks a lot!

0 votes
chris November 29, 2018

@jredmond, I'm confused, the answer you provided above is different than what is in the Deprecating TLSv1 and TLSv1.1 blog that was updated yesterday to address older versions of curl and the results are contradictory for me.

  • The Git command line on UNIX-based systems (including macOS, Linux, and all BSDs) may be affected. You should be able to test your connection from the command line: GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/ This will connect to Bitbucket using the Git client and list the connection parameters. If you see a line like “SSL connection using TLSv1.2” in the output, then you are unaffected; if that line mentions a different version of TLS, then you are affected.
    UPDATE 2018-11-28: If you don’t see a line like that, then your client uses an older version of curl (prior to v7.40.0); however, if the cipher suite itself mentions “GCM”, “SHA256”, or “SHA384”, then you should be unaffected.

I'm using Ubuntu 14.04 with old curl 7.35.0 and recent git 2.19.1, and according to git my cipher is too old, but according to openssl I'm using TLS1.2.

$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
$ git --version
git version 2.19.1
$ GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/ 2>&1 | grep cipher
*      cipher: AES-128-CBC
$ echo | openssl s_client -connect bitbucket.org:443 2>/dev/null | grep Protocol
    Protocol  : TLSv1.2

Here's the complete output from git

$ GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/
* Couldn't find host bitbucket.org in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 18.205.93.0...
* Connected to bitbucket.org (18.205.93.0) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
*      server certificate verification OK
*      common name: bitbucket.org (matched)
*      server certificate expiration date OK
*      server certificate activation date OK
*      certificate public key: RSA
*      certificate version: #3
*      subject: businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=US,jurisdictionOfIncorporationStateOrProvinceName=Delaware,serialNumber=3928449,C=US,ST=California,L=San Francisco,O=Atlassian\, Inc.,OU=Bitbucket,CN=bitbucket.org
*      start date: Wed, 18 Apr 2018 00:00:00 GMT
*      expire date: Tue, 21 Apr 2020 12:00:00 GMT
*      issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
*      compression: NULL
*      cipher: AES-128-CBC
*      MAC: SHA1
> GET /info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.19.1
Host: bitbucket.org
Accept: */*
Accept-Encoding: deflate, gzip
Accept-Language: en-CA, en-US;q=0.9, en;q=0.8, *;q=0.7
Pragma: no-cache

< HTTP/1.1 404 Not Found
< Cache-Control: max-age=900
< Content-Type: text/plain; charset=utf-8
< X-B3-Traceid: 7b5542de5af55f37ff194ed8d4334087
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Date: Thu, 29 Nov 2018 22:23:29 GMT
< X-Server: b5aaf91492b8
< X-Content-Type-Options: nosniff
< Connection: close
< X-Version: a8c3445ad7
< Content-Length: 31
<
* Closing connection 0
remote: Repository info/refs not found
fatal: repository 'https://bitbucket.org/' not found

Here's the complete output from openssl

$ echo | openssl s_client -connect bitbucket.org:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3928449/C=US/ST=California/L=San Francisco/O=Atlassian, Inc./OU=Bitbucket/CN=bitbucket.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3928449/C=US/ST=California/L=San Francisco/O=Atlassian, Inc./OU=Bitbucket/CN=bitbucket.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3222 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 16C9399BED956844AA120E48C8CA70289D536EB80F17AD32F98754B761E8752D
    Session-ID-ctx:
    Master-Key: 9424300CB85A9993C50B1228BD3B87F74EDCF3615F4E5DDDDD21848096576D02DDA7905E9A86E821401D193D3E4E6DCF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1543530255
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
jredmond
Atlassian Team
November 30, 2018

Your git ls-remote output mentions an RSA key and AES128-CBC-SHA, but your openssl s_client output mentions ECDSA and AES128-GCM-SHA256 (and TLSv1.2). It looks like something in git or in cURL is linked to a different library version, or it's been configured to specify a cipher suite, or possibly both. (OpenSSL appears to be using the Bitbucket servers' preferred cipher suite, so I'm fairly confident in ruling that one out.)

Have you set http.sslCipherList in your git config, either globally or in a specific repo? (You can run `git config --list` to check a specific repo's .git/config, or you can run `git config --global --list` to see global settings for your user.) If you run `curl -v --head https://bitbucket.org`, does it also list that AES128-CBC-SHA cipher suite? Does `openssl version` list the same version that's mentioned in `curl --version`?

chris November 30, 2018

Hi Jim, thanks for responding.

Is that openssl cipher line an ordered list of ciphers to be tried and AES128 is the first one that matches preempting the stronger GCM and SHA256 ciphers?  Running curl directly also shows that same list.

$ curl -v --head https://bitbucket.org 2>&1 | grep "SSL connection"
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
$ echo | openssl s_client -connect bitbucket.org:443 2>/dev/null | grep Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

openssl is using the same 1.0.1f version as curl.

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
$ curl --version | head -1
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3

I'm executing these commands from outside of a git repo, so it's not a local-repo-specific issue; my global config is fairly minimal and I have no system config.

$ git config --list
core.autocrlf=false
core.eol=lf
core.excludesfile=~/.gitignore_global
core.filemode=true
user.name=Christopher Cordahi
user.email=christophercordahi@nanometrics.ca
push.default=simple
gui.pruneduringfetch=true

Here's the complete output from curl

christophercordahi@christopherc-linux:~$ curl --verbose --head https://bitbucket.org
* Rebuilt URL to: https://bitbucket.org/
* Hostname was NOT found in DNS cache
*   Trying 18.205.93.2...
* Connected to bitbucket.org (18.205.93.2) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*      subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=3928449; C=US; ST=California; L=San Francisco; O=Atlassian, Inc.; OU=Bitbucket; CN=bitbucket.org
*      start date: 2018-04-19 00:00:00 GMT
*      expire date: 2020-04-21 12:00:00 GMT
*      subjectAltName: bitbucket.org matched
*      issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*      SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: bitbucket.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
Server: nginx
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
< Content-Type: text/html;charset=UTF-8
Content-Type: text/html;charset=UTF-8
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Date: Sat, 01 Dec 2018 01:39:37 GMT
Date: Sat, 01 Dec 2018 01:39:37 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
Pragma: no-cache
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< X-Magnolia-Registration: Registered
X-Magnolia-Registration: Registered
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Connection: keep-alive
Connection: keep-alive
< Set-Cookie: JSESSIONID=814D9FB7FA4813DA7549B0F640F6F4C5; Path=/; HttpOnly
Set-Cookie: JSESSIONID=814D9FB7FA4813DA7549B0F640F6F4C5; Path=/; HttpOnly
< Set-Cookie: NEW_VISITOR=new; Expires=Sun, 02-Dec-2018 01:39:37 GMT; HttpOnly
Set-Cookie: NEW_VISITOR=new; Expires=Sun, 02-Dec-2018 01:39:37 GMT; HttpOnly
< Set-Cookie: VISITOR=returning; Path=/product; HttpOnly
Set-Cookie: VISITOR=returning; Path=/product; HttpOnly
< Last-Modified: Sat, 01 Dec 2018 01:30:24 GMT
Last-Modified: Sat, 01 Dec 2018 01:30:24 GMT
< X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
< Content-Length: 51929
Content-Length: 51929

<
* Connection #0 to host bitbucket.org left intact

chris November 30, 2018

What's happening here?  I posted a response, saw that markdown isn't working, edited the response, saw it appear correctly.  Refreshed the page and now it's gone.

chris November 30, 2018

Thanks @jredmond for responding,

Using curl directly shows that same list of ciphers as openssl.  Both use the same OpenSSL 1.0.1f version.

$ curl --verbose --head https://bitbucket.org 2>&1 | grep "SSL connection"
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
$ echo | openssl s_client -connect bitbucket.org:443 2>/dev/null | grep "Cipher *:"
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
$ curl --version | grep --only-matching "OpenSSL/[^ ]*"
OpenSSL/1.0.1f

I have a fairly minimal global config, no system config and I'm not running the commands from within a git repo.

$ git config --list
core.autocrlf=false
core.eol=lf
core.excludesfile=~/.gitignore_global
core.filemode=true
user.name=Christopher Cordahi
user.email=christophercordahi@nanometrics.ca
push.default=simple
gui.pruneduringfetch=true

Here's the complete output from curl

$ curl --verbose --head https://bitbucket.org
* Rebuilt URL to: https://bitbucket.org/
* Hostname was NOT found in DNS cache
*   Trying 18.205.93.0...
* Connected to bitbucket.org (18.205.93.0) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*      subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=3928449; C=US; ST=California; L=San Francisco; O=Atlassian, Inc.; OU=Bitbucket; CN=bitbucket.org
*      start date: 2018-04-19 00:00:00 GMT
*      expire date: 2020-04-21 12:00:00 GMT
*      subjectAltName: bitbucket.org matched
*      issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*      SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: bitbucket.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
Server: nginx
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
< Content-Type: text/html;charset=UTF-8
Content-Type: text/html;charset=UTF-8
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Date: Sat, 01 Dec 2018 02:13:03 GMT
Date: Sat, 01 Dec 2018 02:13:03 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
Pragma: no-cache
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< X-Magnolia-Registration: Registered
X-Magnolia-Registration: Registered
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Connection: keep-alive
Connection: keep-alive
< Set-Cookie: JSESSIONID=55E134E80B7F30A417B46DBE2C925E38; Path=/; HttpOnly
Set-Cookie: JSESSIONID=55E134E80B7F30A417B46DBE2C925E38; Path=/; HttpOnly
< Set-Cookie: NEW_VISITOR=new; Expires=Sun, 02-Dec-2018 02:13:03 GMT; HttpOnly
Set-Cookie: NEW_VISITOR=new; Expires=Sun, 02-Dec-2018 02:13:03 GMT; HttpOnly
< Set-Cookie: VISITOR=returning; Path=/product; HttpOnly
Set-Cookie: VISITOR=returning; Path=/product; HttpOnly
< Last-Modified: Sat, 01 Dec 2018 02:00:23 GMT
Last-Modified: Sat, 01 Dec 2018 02:00:23 GMT
< X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
< Content-Length: 51929
Content-Length: 51929

<
* Connection #0 to host bitbucket.org left intact

chris November 30, 2018

FYI, I think a better check would have been to ensure that the default cipher matches the cipher when only TLSv1.2 is permitted.

$ GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/ 2>&1 | grep cipher
*      cipher: AES-128-CBC
$ GIT_SSL_VERSION=tlsv1.2 GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/ 2>&1 | grep cipher
*      cipher: AES-128-CBC

I don't know what would have been returned yesterday, but now, if only TLSv1.1 is permitted, then handshaking fails, since TLSv1.1 has been disabled.

$ GIT_SSL_VERSION=tlsv1.1 GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/
* Couldn't find host bitbucket.org in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 18.205.93.0...
* Connected to bitbucket.org (18.205.93.0) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
fatal: unable to access 'https://bitbucket.org/': gnutls_handshake() failed: Handshake failed
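
The pinned-version check in the post above is easy to turn into a script. `probe_tls_versions` below is an added example, not code from the thread: it runs `git ls-remote` once per protocol version with `GIT_SSL_VERSION` set (git's environment override for `http.sslVersion`, the variable used above), reports for each version whether the handshake succeeded and which cipher git printed, and returns nonzero unless the TLS 1.2 run succeeded. The function name, the `default` pseudo-version (an unpinned run, for comparison with the pinned ones), the `--probe` flag and the failure patterns other than "handshake failed" (OpenSSL's "alert protocol version" and "unsupported protocol" messages) are this example's own choices.

```shell
#!/bin/sh
# probe_tls_versions <url> [version ...]
# Runs `git ls-remote` once per version with GIT_SSL_VERSION pinned and prints
# one line per version: "<version> ok (<cipher>)" or "<version> handshake failed".
# "default" means no pin. Returns 0 only if the tlsv1.2 run succeeded.
# Added example; GIT_SSL_VERSION values are git's documented ones
# (tlsv1, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3).
probe_tls_versions() {
    url=$1; shift
    [ $# -gt 0 ] || set -- default tlsv1.1 tlsv1.2
    tls12_ok=1
    for v in "$@"; do
        # Subshell so the pin does not leak into the caller's environment;
        # git writes the curl trace to stderr, so merge it into the capture.
        # `|| true` keeps a failed handshake (git exits 128) from aborting under set -e.
        out=$( (
            export GIT_CURL_VERBOSE=1
            if [ "$v" != default ]; then export GIT_SSL_VERSION="$v"; fi
            git ls-remote "$url"
        ) 2>&1 ) || true
        if printf '%s\n' "$out" | grep -qiE 'handshake failed|alert protocol version|unsupported protocol'; then
            printf '%-8s handshake failed\n' "$v"
        else
            # OpenSSL/NSS backends print "SSL connection using X"; GnuTLS prints "cipher: X".
            cipher=$(printf '%s\n' "$out" \
                | sed -nE 's/.*(SSL connection using|cipher:) *(.*)/\2/p' | head -n 1)
            printf '%-8s ok (%s)\n' "$v" "${cipher:-no cipher line; was the output verbose?}"
            if [ "$v" = tlsv1.2 ]; then tls12_ok=0; fi
        fi
    done
    return $tls12_ok
}

# Only touch the network when invoked explicitly: `sh probe.sh --probe [url]`.
if [ "${1:-}" = "--probe" ]; then
    probe_tls_versions "${2:-https://bitbucket.org/}"
fi
```

Run it as `sh probe.sh --probe https://bitbucket.org/`; without `--probe` the file only defines the function. The `gnutls_handshake()` line in the failing run above also explains the earlier puzzle about library versions: git's libcurl on Debian and Ubuntu is the GnuTLS build (`libcurl3-gnutls`), while the standalone `curl` binary is linked against OpenSSL, so the two negotiate independently and can report different cipher suites even though `openssl version` and `curl --version` agree.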

 

0 votes
ZeetixTom November 28, 2018

I'm seeing a similar failure:

[root@localhost ~]# GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/
* Couldn't find host bitbucket.org in the .netrc file; using defaults
* About to connect() to bitbucket.org port 443 (#0)
* Trying 18.205.93.1...
* Connected to bitbucket.org (18.205.93.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=bitbucket.org,OU=Bitbucket,O="Atlassian, Inc.",L=San Francisco,ST=California,C=US,serialNumber=3928449,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
* start date: Apr 19 00:00:00 2018 GMT
* expire date: Apr 21 12:00:00 2020 GMT
* common name: bitbucket.org
* issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET /info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.15.0
Host: bitbucket.org
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

< HTTP/1.1 404 Not Found
< Cache-Control: max-age=900
< Content-Type: text/plain; charset=utf-8
< X-B3-Traceid: b1123df8a2b1c4d9d778e67eec4b2d30
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Date: Wed, 28 Nov 2018 17:52:07 GMT
< X-Server: 8b6c6c9a34f2
< X-Content-Type-Options: nosniff
< Connection: close
< X-Version: a8c3445ad7
< Content-Length: 31
<
* Closing connection 0
remote: Repository info/refs not found
fatal: repository 'https://bitbucket.org/' not found
