From 2fe1e2d109fd84ec7a615c2d3d6740ff001dbf40 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Fri, 29 Mar 2013 17:47:44 -0400
Subject: [PATCH] Document SNI workaround for Java-based clients

---
 src/site/faq.mkd   |   11 ++++++-----
 src/site/setup.mkd |   21 ++++++++++++++++++++-
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/site/faq.mkd b/src/site/faq.mkd
index cdf3d59..fb1b599 100644
--- a/src/site/faq.mkd
+++ b/src/site/faq.mkd
@@ -3,18 +3,19 @@
 ### Eclipse/Egit/JGit complains that it "can't open upload pack"?
 There are a few ways this can occur:
 
-1. You are using https with a self-signed certificate and you **did not** configure *http.sslVerify=false*
+1. Are you running Java 7?<br />Java 7 introduced SNI support for SSL connections and it is enabled by default.<br />[Java 7 Security Enhancements](http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html)<br />To disable SNI alerts, add this line to your eclipse.ini file and restart Eclipse.<br /><pre>-Djsse.enableSNIExtension=false</pre>
+2. You are using https with a self-signed certificate and you **did not** configure *http.sslVerify=false*
     1. Window->Preferences->Team->Git->Configuration
     2. Click the *New Entry* button
     3. <pre>Key = <em>http.sslVerify</em>
 Value = <em>false</em></pre>
-2. Gitblit GO's default self-signed certificate is bound to *localhost* and you are trying to clone/push between machines.
+3. Gitblit GO's default self-signed certificate is bound to *localhost* and you are trying to clone/push between machines.
     1. Review the contents of `makekeystore.cmd`
     2. Set *your hostname* in the *HOSTNAME* variable.
     3. Execute the script.<br/>This will generate a new certificate and keystore for *your hostname* protected by *server.storePassword*. 
-3. The repository is clone-restricted and you don't have access.
-4. The repository is clone-restricted and your password changed.
-5. A regression in Gitblit.  :(
+4. The repository is clone-restricted and you don't have access.
+5. The repository is clone-restricted and your password changed.
+6. A regression in Gitblit.  :(
 
 ### Why can't I access Gitblit GO from another machine?
 1. Please check *server.httpBindInterface* and *server.httpsBindInterface* in `gitblit.properties`, you may be only be serving on *localhost*.
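Review bot: The new item 1 tells readers to add `-Djsse.enableSNIExtension=false` to eclipse.ini without saying that this is a JVM-wide switch: it turns off the SNI extension for every TLS connection Eclipse makes, not only connections to Gitblit. State that in the item, and say that the line has to go after `-vmargs` in eclipse.ini so that it is passed to the JVM. The phrase "To disable SNI alerts" is also imprecise, since the flag disables the extension on the client rather than the alerts. Finally, item 1 is worded as a question ("Are you running Java 7?") while items 2 to 6 each state a cause; "You are running Java 7, which enables SNI by default" would match the rest of the list.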
diff --git a/src/site/setup.mkd b/src/site/setup.mkd
index 8a3d99a..525be85 100644
--- a/src/site/setup.mkd
+++ b/src/site/setup.mkd
@@ -741,7 +741,7 @@
 **NOTE:**  
 The default self-signed certificate generated by Gitlbit GO is bound to *localhost*.  
 If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push url.  
-You must do this because Eclipse/EGit/JGit (<= 2.1.0) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting. 
+You must do this because Eclipse/EGit/JGit (<= 2.3.1) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting. 
  
 - **Eclipse/EGit/JGit**
     1. Window->Preferences->Team->Git->Configuration
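Review bot: The bound "(<= 2.3.1)" on the changed line is a hand-maintained version ceiling that this patch already has to bump from 2.1.0, so it will go stale again with the next JGit release; wording it as "as of 2.3.1" keeps the sentence true without implying that later versions behave differently. Since the paragraph is being touched anyway, the "Gitlbit GO" typo in the context two lines above the change should be fixed in the same patch.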
@@ -757,6 +757,25 @@
 This can be adjusted on your client by changing the default post buffer size:
 <pre>git config --global http.postBuffer 524288000</pre>
 
+### Disabling SNI
+
+You may run into SNI alerts (Server Name Indication).  These will manifest as failures to clone or push to your Gitblit instance.
+
+#### Java-based Clients
+
+When using Java 7-based clients, SNI is enabled by default.  You can disable SNI by specifying the JVM system parameter `-Djsse.enableSNIExtension=false` when your Java-based client launches.
+
+For Eclipse, you can append `-Djsse.enableSNIExtension=false` to your *eclipse.ini* file.
+
+#### Native Clients
+
+Native clients may display an error when attempting to clone or push that looks like this:
+---FIXED---
+C:\projects\git\gitblit>git push rhcloud master
+error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while accessing https://demo-gitblit.rhcloud.com/git/gitblit.git/info/refs?service=git-receive-pack
+fatal: HTTP request failed
+---FIXED---
+
 ### Cloning an Access Restricted Repository 
 - **Eclipse/EGit/JGit**  
 Nothing special to configure, EGit figures out everything.
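Review bot: The "Native Clients" subsection ends right after the sample error output and gives no resolution, although it sits under the heading "Disabling SNI" and the Java subsection above it does give one. Either add the steps a native git user should take or say explicitly that no client-side workaround is documented and the section only helps with recognising the error. The intro sentence would also read better as "SNI (Server Name Indication) alerts", and it should say that the alert comes from the server side of the handshake, so readers understand that disabling SNI on the client is a workaround and not a fix. The console output is delimited with `---FIXED---` while the context just above uses `<pre>`; please confirm the site build renders that marker as a preformatted block.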

--
Gitblit v1.9.1