From 2fe1e2d109fd84ec7a615c2d3d6740ff001dbf40 Mon Sep 17 00:00:00 2001 From: James Moger <james.moger@gitblit.com> Date: Fri, 29 Mar 2013 17:47:44 -0400 Subject: [PATCH] Document SNI workaround for Java-based clients --- src/site/faq.mkd | 11 ++++++----- src/site/setup.mkd | 21 ++++++++++++++++++++- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/src/site/faq.mkd b/src/site/faq.mkd index cdf3d59..fb1b599 100644 --- a/src/site/faq.mkd +++ b/src/site/faq.mkd 
@@ -3,18 +3,19 @@ ### Eclipse/Egit/JGit complains that it "can't open upload pack"? There are a few ways this can occur: -1. You are using https with a self-signed certificate and you **did not** configure *http.sslVerify=false* +1. Are you running Java 7?<br />Java 7 introduced SNI support for SSL connections and it is enabled by default.<br />[Java 7 Security Enhancements](http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html)<br />To disable SNI alerts, add this line to your eclipse.ini file and restart Eclipse.<br /><pre>-Djsse.enableSNIExtension=false</pre> +2. You are using https with a self-signed certificate and you **did not** configure *http.sslVerify=false* 1. Window->Preferences->Team->Git->Configuration 2. Click the *New Entry* button 3. <pre>Key = <em>http.sslVerify</em> Value = <em>false</em></pre> -2. Gitblit GO's default self-signed certificate is bound to *localhost* and you are trying to clone/push between machines. +3. Gitblit GO's default self-signed certificate is bound to *localhost* and you are trying to clone/push between machines. 1. Review the contents of `makekeystore.cmd` 2. Set *your hostname* in the *HOSTNAME* variable. 3. Execute the script.<br/>This will generate a new certificate and keystore for *your hostname* protected by *server.storePassword*. -3. The repository is clone-restricted and you don't have access. -4. The repository is clone-restricted and your password changed. -5. A regression in Gitblit. :( +4. The repository is clone-restricted and you don't have access. +5. The repository is clone-restricted and your password changed. +6. A regression in Gitblit. :( ### Why can't I access Gitblit GO from another machine? 1. Please check *server.httpBindInterface* and *server.httpsBindInterface* in `gitblit.properties`, you may be only be serving on *localhost*. diff --git a/src/site/setup.mkd b/src/site/setup.mkd index 8a3d99a..525be85 100644 --- a/src/site/setup.mkd +++ b/src/site/setup.mkd 
@@ -741,7 +741,7 @@ **NOTE:** The default self-signed certificate generated by Gitlbit GO is bound to *localhost*. If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push url. -You must do this because Eclipse/EGit/JGit (<= 2.1.0) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting. +You must do this because Eclipse/EGit/JGit (<= 2.3.1) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting. - **Eclipse/EGit/JGit** 1. Window->Preferences->Team->Git->Configuration @@ -757,6 +757,25 @@ This can be adjusted on your client by changing the default post buffer size: <pre>git config --global http.postBuffer 524288000</pre> +### Disabling SNI + +You may run into SNI alerts (Server Name Indication). These will manifest as failures to clone or push to your Gitblit instance. + +#### Java-based Clients + +When using Java 7-based clients, SNI is enabled by default. You can disable SNI by specifying the JVM system parameter `-Djsse.enableSNIExtension=false` when your Java-based client launches. + +For Eclipse, you can append `-Djsse.enableSNIExtension=false` to your *eclipse.ini* file. + +#### Native Clients + +Native clients may display an error when attempting to clone or push that looks like this: +---FIXED--- +C:\projects\git\gitblit>git push rhcloud master +error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while accessing https://demo-gitblit.rhcloud.com/git/gitblit.git/info/refs?service=git-receive-pack +fatal: HTTP request failed +---FIXED--- + ### Cloning an Access Restricted Repository - **Eclipse/EGit/JGit** Nothing special to configure, EGit figures out everything. -- Gitblit v1.9.1
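Review bot: In the src/site/faq.mkd hunk, the new item 1 says "To disable SNI alerts", but `-Djsse.enableSNIExtension=false` turns off the SNI extension itself, and as a JVM system property in eclipse.ini it applies to every TLS connection Eclipse makes, not only those to Gitblit. Suggest rewording to "To disable the SNI extension" and adding one sentence that the setting is JVM-wide, so readers who also connect to hosts that select their certificate by SNI understand the trade-off. The item is also phrased as a question ("Are you running Java 7?") while the other items in the list are statements; "You are running Java 7" would match them.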
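Review bot: In the src/site/setup.mkd hunk at @@ -741, the changed line hard-codes the affected range as "(<= 2.3.1)", a bound this patch already had to bump from "(<= 2.1.0)". Wording such as "as of 2.3.1" would not go stale on the next JGit release and would not suggest that later versions are known to behave differently. While this paragraph is being touched, the unchanged NOTE line above it misspells Gitblit as "Gitlbit".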
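Review bot: In the src/site/setup.mkd hunk at @@ -757, the "Native Clients" subsection ends after the sample `git push` error and gives no workaround or next step, although the section is titled "Disabling SNI" and the "Java-based Clients" subsection does give one. Suggest either adding the remedy for native clients or stating explicitly that the error is shown for recognition only and where the fix has to be made. The "Java-based Clients" text should also say that `-Djsse.enableSNIExtension=false` is a JVM-wide setting, and the intro sentence reads better as "SNI (Server Name Indication) alerts" than "SNI alerts (Server Name Indication)".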