From: James Moger Date: Fri, 29 Mar 2013 21:07:23 +0000 (-0400) Subject: Document SNI workaround for Java-based clients X-Git-Tag: v1.3.0~204 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=2fe1e2d109fd84ec7a615c2d3d6740ff001dbf40;p=gitblit.git Document SNI workaround for Java-based clients --- diff --git a/src/site/faq.mkd b/src/site/faq.mkd index cdf3d59e..fb1b5994 100644 --- a/src/site/faq.mkd +++ b/src/site/faq.mkd @@ -3,18 +3,19 @@ ### Eclipse/Egit/JGit complains that it "can't open upload pack"? There are a few ways this can occur: -1. You are using https with a self-signed certificate and you **did not** configure *http.sslVerify=false* +1. Are you running Java 7?
Java 7 introduced SNI support for SSL connections and it is enabled by default.
[Java 7 Security Enhancements](http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html)
To disable SNI alerts, add this line to your eclipse.ini file and restart Eclipse.
-Djsse.enableSNIExtension=false
+2. You are using https with a self-signed certificate and you **did not** configure *http.sslVerify=false* 1. Window->Preferences->Team->Git->Configuration 2. Click the *New Entry* button 3.
Key = http.sslVerify
 Value = false
-2. Gitblit GO's default self-signed certificate is bound to *localhost* and you are trying to clone/push between machines. +3. Gitblit GO's default self-signed certificate is bound to *localhost* and you are trying to clone/push between machines. 1. Review the contents of `makekeystore.cmd` 2. Set *your hostname* in the *HOSTNAME* variable. 3. Execute the script.
This will generate a new certificate and keystore for *your hostname* protected by *server.storePassword*. -3. The repository is clone-restricted and you don't have access. -4. The repository is clone-restricted and your password changed. -5. A regression in Gitblit. :( +4. The repository is clone-restricted and you don't have access. +5. The repository is clone-restricted and your password changed. +6. A regression in Gitblit. :( ### Why can't I access Gitblit GO from another machine? 1. Please check *server.httpBindInterface* and *server.httpsBindInterface* in `gitblit.properties`, you may be only be serving on *localhost*. diff --git a/src/site/setup.mkd b/src/site/setup.mkd index 8a3d99a4..525be855 100644 --- a/src/site/setup.mkd +++ b/src/site/setup.mkd @@ -741,7 +741,7 @@ You must tell Git/JGit not to verify the self-signed certificate in order to per **NOTE:** The default self-signed certificate generated by Gitlbit GO is bound to *localhost*. If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push url. -You must do this because Eclipse/EGit/JGit (<= 2.1.0) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting. +You must do this because Eclipse/EGit/JGit (<= 2.3.1) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting. - **Eclipse/EGit/JGit** 1. Window->Preferences->Team->Git->Configuration @@ -757,6 +757,25 @@ You may find the default post buffer of your git client is too small to push lar This can be adjusted on your client by changing the default post buffer size:
git config --global http.postBuffer 524288000
+### Disabling SNI + +You may run into SNI alerts (Server Name Indication). These will manifest as failures to clone or push to your Gitblit instance. + +#### Java-based Clients + +When using Java 7-based clients, SNI is enabled by default. You can disable SNI by specifying the JVM system parameter `-Djsse.enableSNIExtension=false` when your Java-based client launches. + +For Eclipse, you can append `-Djsse.enableSNIExtension=false` to your *eclipse.ini* file. + +#### Native Clients + +Native clients may display an error when attempting to clone or push that looks like this: +---FIXED--- +C:\projects\git\gitblit>git push rhcloud master +error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while accessing https://demo-gitblit.rhcloud.com/git/gitblit.git/info/refs?service=git-receive-pack +fatal: HTTP request failed +---FIXED--- + ### Cloning an Access Restricted Repository - **Eclipse/EGit/JGit** Nothing special to configure, EGit figures out everything.
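Review bot: In the `src/site/faq.mkd` hunk, the new item 1 says "To disable SNI alerts", but `-Djsse.enableSNIExtension=false` turns off the SNI extension for every TLS connection that JVM makes, not only the alert for the Gitblit host. Suggest stating that scope, since other HTTPS servers that pick their certificate by SNI will then present their default certificate to Eclipse. It would also help to say that in eclipse.ini the line must come after `-vmargs`, otherwise it is not passed to the JVM. Minor style point: "Are you running Java 7?" is a question in a list whose other entries are statements ("You are using https with ..."), so something like "You are running Java 7 and SNI is enabled" would match.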
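Review bot: In the `src/site/setup.mkd` hunk at line 741, the bound "(<= 2.3.1)" is a hard-coded version that has already needed one bump (from 2.1.0) and will go stale again. Consider wording it as "as of 2.3.1" so the text stays true when the next release still behaves this way. The unchanged NOTE line just above it spells the product "Gitlbit GO"; since this commit touches the paragraph, that typo could be fixed in the same change.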
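Review bot: In the `src/site/setup.mkd` hunk at line 757, the "Native Clients" subsection sits under the heading "Disabling SNI" but only shows the `SSL23_GET_SERVER_HELLO:reason(1112)` error and gives no workaround or next step, so a reader with a native git client is left without guidance. Either add what to do for native clients or retitle the section so it does not promise one. In the opening sentence, "SNI alerts (Server Name Indication)" attaches the expansion to "alerts"; "SNI (Server Name Indication) alerts" reads correctly. As in the FAQ entry, the Java subsection should mention that the system property applies to all TLS connections made by that JVM.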