/ Work

Git and libcurl with older OpenSSL connecting to newer OpenSSL - error 1112

There's an interesting edge condition we ran into at work last week around git connecting to a repo over HTTPS.

Specifically, the error error:[number]:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) was being returned to all clients after an upgrade of the git server.

After much Googling, including reading through a lot of comments on git and openssl and libcurl bug trackers, I came across this comment on libcurl bug 1037 that shed some light on the root cause.

Summary of problem:

When libcurl linked against OpenSSL 0.9.8* connects to Apache running mod_ssl linked against OpenSSL 1.0.*

AND

There is a mismatch between the host name in the client request and/or the Common Name (CN) in the SSL certificate and/or the ServerName in the Apache config

THEN

During the initial SSL handshake which determines SSL protocol version, OpenSSL returns a TLS Alert Warning about this mismatch

AND

libcurl interprets this as a fatal error and aborts the connection

Once figured out, the resolution was simple -- make sure the CN in the SSL cert and the Apache ServerName (or a ServerAlias) match the host name being sent by the client (in this case, ServerName in Apache was set to 127.0.0.1:443).

This issue does not arise when OpenSSL 0.9.8* clients connect to an OpenSSL 0.9.8* server, or in any other combination than the affected one, which is why we didn't see it before the upgrade.

OpenSSL 0.9.8* is still the version shipped with the current version of MacOS X. I didn't find the bug in testing because I use a macports install of git and OpenSSL 1.0.1c, so everything worked fine for me. :(

Bryan Fullerton

Bryan Fullerton

Just a middle-aged dude doing his best to survive. Geeky Internet things from remote professionally.

Read More
Git and libcurl with older OpenSSL connecting to newer OpenSSL - error 1112
Share this