## Using the HTTP/HTTPS transport

### HTTPS with Self-Signed Certificates
You must tell Git/JGit not to verify the self-signed certificate in order to perform any remote Git operations.

**NOTE:**
The default self-signed certificate generated by Gitblit GO is bound to *localhost*.
If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push URL.
You must do this because Eclipse/EGit/JGit (< 3.0) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting.

- **Eclipse/EGit/JGit**
    1. Window->Preferences->Team->Git->Configuration
    2. Click the *New Entry* button
    3. <pre>Key = <em>http.sslVerify</em>
       Value = <em>false</em></pre>
- **Command-line Git** ([Git-Config Manual Page](http://www.kernel.org/pub/software/scm/git/docs/git-config.html))
    <pre>git config --global --bool --add http.sslVerify false</pre>
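An added example, not part of the Gitblit documentation: the `--global` command above writes `sslVerify = false` into the unscoped `[http]` section, which applies to every HTTPS remote rather than only your Gitblit server, so this shell/awk check lists each such entry in a gitconfig and whether it is global or limited to one `[http "<url>"]` section. The sample config and the hostnames and port in it are constructed assumptions.

```shell
#!/bin/sh
# Added example: list every http.sslVerify=false entry in a gitconfig and
# whether it is global ([http]) or scoped to one URL ([http "<url>"]).
# It reports occurrences only; it does not resolve which value git applies.

# audit_sslverify [FILE...]   (reads stdin when no file is given)
audit_sslverify() {
    awk '
        /^[ \t]*\[/ {                       # section header
            line = $0
            sub(/^[ \t]*\[/, "", line); sub(/\][ \t]*$/, "", line)
            name = line; scope = ""
            q = index(line, "\"")
            if (q > 0) {                    # subsection, e.g. http "https://host/"
                name = substr(line, 1, q - 1)
                scope = substr(line, q + 1)
                sub(/"[ \t]*$/, "", scope)
            }
            gsub(/[ \t]/, "", name)
            in_http = (tolower(name) == "http")
            next
        }
        in_http {
            kv = $0
            sub(/[#;].*$/, "", kv)          # drop trailing comments
            gsub(/[ \t]/, "", kv)
            if (tolower(kv) ~ /^sslverify=(false|no|off|0)$/)
                print (scope == "" ? "GLOBAL" : "SCOPED " scope)
        }
    ' "$@"
}

# Constructed sample: a ~/.gitconfig after the global command on this page,
# plus URL-scoped sections (hostnames and port are assumptions).
sample_gitconfig() {
    cat <<'EOF'
[user]
    name = Example Dev
[http]
    sslVerify = false
    postBuffer = 524288000
[http "https://localhost:8443/"]
    sslVerify = false
[http "https://git.example.com/"]
    sslVerify = true
EOF
}

sample_gitconfig | audit_sslverify
```

Run it against a real file with `audit_sslverify ~/.gitconfig`; a `GLOBAL` line means verification is off for all HTTPS remotes, a `SCOPED` line only for the URL shown.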

**NOTE:**
When generating self-signed certificates, the default Java TLS settings will be used. These default settings will generate a weak Diffie-Hellman key.
#### Java 8
The default is a 1024-bit DH key.
You can increase the number of bits used by appending the following command line parameter when starting Gitblit:
<pre>-Djdk.tls.ephemeralDHKeySize=2048</pre>
2048 bits is the maximum (Java limitation), and is still considered secure as of this writing.
#### Java 7
The default is a 768-bit key. <b>This is hardcoded in Java 7 and cannot be changed.</b> It is very weak. If you require longer DH keys, use Java 8.
### HTTP Post Buffer Size
You may find the default post buffer of your Git client is too small to push large deltas to Gitblit. Sometimes this can be observed on your client as *hanging* during a push. Other times Git fails with a message like `error: RPC failed; result=52, HTTP code = 0`.

This can be adjusted on your client by changing the default post buffer size:
<pre>git config --global http.postBuffer 524288000</pre>
### Disabling SNI

You may run into SNI alerts (Server Name Indication). These will manifest as failures to clone or push to your Gitblit instance.

#### Java-based Clients

Luckily, Java 6-based clients ignore SNI alerts, but Java 7-based clients have SNI checking enabled by default. You can disable SNI alerts by specifying the JVM system parameter `-Djsse.enableSNIExtension=false` when your Java-based client launches.

For Eclipse, you can append `-Djsse.enableSNIExtension=false` to your *eclipse.ini* file.
#### Native Clients

Native clients may display an error when attempting to clone or push that looks like this:

```
C:\projects\git\gitblit>git push rhcloud master
error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while accessing https://demo-gitblit.rhcloud.com/git/gitblit.git/info/refs?service=git-receive-pack
fatal: HTTP request failed
```