| commit | author | age | ||
| 8c99a7 | 1 | |
| 22957a | 2 | ## Using the HTTP/HTTPS transport |
| JM | 3 | |
| 8c99a7 | 4 | ### Https with Self-Signed Certificates |
| JM | 5 | You must tell Git/JGit not to verify the self-signed certificate in order to perform any remote Git operations. |
| 6 | ||
| 7 | **NOTE:** | |
| 0d3264 | 8 | The default self-signed certificate generated by Gitblit GO is bound to *localhost*. |
| 8c99a7 | 9 | If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push url. |
| JM | 10 | You must do this because Eclipse/EGit/JGit (< 3.0) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting. |
| 11 | ||
| 12 | - **Eclipse/EGit/JGit** | |
| 13 | 1. Window->Preferences->Team->Git->Configuration | |
| 14 | 2. Click the *New Entry* button | |
| 15 | 3. <pre>Key = <em>http.sslVerify</em> | |
| 16 | Value = <em>false</em></pre> | |
| 17 | - **Command-line Git** ([Git-Config Manual Page](http://www.kernel.org/pub/software/scm/git/docs/git-config.html)) | |
| 18 | <pre>git config --global --bool --add http.sslVerify false</pre> | |
| 19 | ||
| 7e5107 | 20 | **NOTE:** |
| GM | 21 | When generating self-signed certificates, the default Java TLS settings will be used. These default settings will generate a weak Diffie-Hellman key. |
| 22 | #### Java 8 | |
| 23 | The default is a 1024 bit DH key. | |
| 24 | You can up the number of bits used by appending the following command line parameter when starting Gitblit: | |
| 25 | <pre>-Djdk.tls.ephemeralDHKeySize=2048</pre> | |
| 26 | 2048 bits is the maximum (Java limitation), and is still considered secure as of this writing. | |
| 27 | #### Java 7 | |
| 28 | The default is a 768 bit key. <b>This is hardcoded in Java 7 and cannot be changed.</b>. It is very weak. If you require longer DH keys, use Java 8. | |
| 29 | ||
| 8c99a7 | 30 | ### Http Post Buffer Size |
| JM | 31 | You may find the default post buffer of your git client is too small to push large deltas to Gitblit. Sometimes this can be observed on your client as *hanging* during a push. Other times it can be observed by git erroring out with a message like: error: RPC failed; result=52, HTTP code = 0. |
| 32 | ||
| 33 | This can be adjusted on your client by changing the default post buffer size: | |
| 34 | <pre>git config --global http.postBuffer 524288000</pre> | |
| 35 | ||
| 36 | ### Disabling SNI | |
| 37 | ||
| 38 | You may run into SNI alerts (Server Name Indication). These will manifest as failures to clone or push to your Gitblit instance. | |
| 39 | ||
| 40 | #### Java-based Clients | |
| 41 | ||
| 935986 | 42 | Luckily, Java 6-based clients ignore SNI alerts but when using Java 7-based clients, SNI checking is enabled by default. You can disable SNI alerts by specifying the JVM system parameter `-Djsse.enableSNIExtension=false` when your Java-based client launches. |
| 8c99a7 | 43 | |
| JM | 44 | For Eclipse, you can append `-Djsse.enableSNIExtension=false` to your *eclipse.ini* file. |
| 45 | ||
| 46 | #### Native Clients | |
| 47 | ||
| 48 | Native clients may display an error when attempting to clone or push that looks like this: | |
| 6c4be1 | 49 | |
| JM | 50 | ``` |
| 8c99a7 | 51 | C:\projects\git\gitblit>git push rhcloud master |
| JM | 52 | error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while accessing https://demo-gitblit.rhcloud.com/git/gitblit.git/info/refs?service=git-receive-pack |
| 53 | fatal: HTTP request failed | |
| 6c4be1 | 54 | ``` |
| 8c99a7 | 55 | |
