|
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 |
-
- ## Using the HTTP/HTTPS transport
-
- ### Https with Self-Signed Certificates
- You must tell Git/JGit not to verify the self-signed certificate in order to perform any remote Git operations.
-
- **NOTE:**
- The default self-signed certificate generated by Gitblit GO is bound to *localhost*.
- If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push url.
- You must do this because Eclipse/EGit/JGit (< 3.0) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting.
-
- - **Eclipse/EGit/JGit**
- 1. Window->Preferences->Team->Git->Configuration
- 2. Click the *New Entry* button
- 3. <pre>Key = <em>http.sslVerify</em>
- Value = <em>false</em></pre>
- - **Command-line Git** ([Git-Config Manual Page](http://www.kernel.org/pub/software/scm/git/docs/git-config.html))
- <pre>git config --global --bool --add http.sslVerify false</pre>
-
- **NOTE:**
- When generating self-signed certificates, the default Java TLS settings will be used. These default settings will generate a weak Diffie-Hellman key.
- #### Java 8
- The default is a 1024 bit DH key.
- You can up the number of bits used by appending the following command line parameter when starting Gitblit:
- <pre>-Djdk.tls.ephemeralDHKeySize=2048</pre>
- 2048 bits is the maximum (Java limitation), and is still considered secure as of this writing.
- #### Java 7
- The default is a 768 bit key. <b>This is hardcoded in Java 7 and cannot be changed.</b>. It is very weak. If you require longer DH keys, use Java 8.
-
- ### Http Post Buffer Size
- You may find the default post buffer of your git client is too small to push large deltas to Gitblit. Sometimes this can be observed on your client as *hanging* during a push. Other times it can be observed by git erroring out with a message like: error: RPC failed; result=52, HTTP code = 0.
-
- This can be adjusted on your client by changing the default post buffer size:
- <pre>git config --global http.postBuffer 524288000</pre>
-
- ### Disabling SNI
-
- You may run into SNI alerts (Server Name Indication). These will manifest as failures to clone or push to your Gitblit instance.
-
- #### Java-based Clients
-
- Luckily, Java 6-based clients ignore SNI alerts but when using Java 7-based clients, SNI checking is enabled by default. You can disable SNI alerts by specifying the JVM system parameter `-Djsse.enableSNIExtension=false` when your Java-based client launches.
-
- For Eclipse, you can append `-Djsse.enableSNIExtension=false` to your *eclipse.ini* file.
-
- #### Native Clients
-
- Native clients may display an error when attempting to clone or push that looks like this:
-
- ```
- C:\projects\git\gitblit>git push rhcloud master
- error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while accessing https://demo-gitblit.rhcloud.com/git/gitblit.git/info/refs?service=git-receive-pack
- fatal: HTTP request failed
- ```
-
|