Has anyone tried using `git` from the opencsw package in order to work with
the bitbucket source hosting service (under solaris10)?
I tried to use git as the bitbucket documentation explains, and
– under Debian GNU/Linux, it worked flawlessly as described, but
– under Solaris 10, I got an Authentication Failed message.
I even tried to run truss to see if anything is suspicious, but could not find any smoking gun under solaris for why it failed. ldd git-binary didn't show anything suspicious either (except for the libcrypt library, which could be suspicious when thinking about export restrictions. Have they shipped an incompatible version? BUT since the password is typed into an https: connection, I suspect it is only a matter of web-level cryptography and should be universal these days.)
I am now tempted to compile the git suite under solaris 10, but I did find people who seem to be using git with bitbucket under solaris 10 and am wondering what could be wrong.
NOTE: In the initial post, I failed to mention clearly that it was HTTPS transport that failed for GIT.
That is, when I followed the bitbucket tutorial,
- git clone https:…. failed.
(This uses HTTPS connection.)
But after that failure, I tried using SSH.
- git clone git:…. succeeded.
(This uses underlying SSH connection.)
This means whatever mechanism is used by the git command to send the password over the HTTPS protocol failed.
Given that we may have many issues trying to bypass a firewall for SSH while access via HTTP or HTTPS is almost ubiquitous, I would like to see "git clone https:…" succeed.
Best Answer
I dug up some candidates of smoking gun.
I think the latest OpenSSL needs to be made available.
[] Initial lead : GIT_SSL_NO_VERIFY
The following is about the use of git under XP, but it turns out to be related in a somewhat indirect manner to my problem, too. At least the use of GIT_SSL_NO_VERIFY is news to me, and the workaround that uses GIT_SSL_NO_VERIFY didn't work for me, and so I could home in on other possible real causes.
https://stackoverflow.com/questions/3777075/https-github-access
I followed the first suggestion from the above URL (use of GIT_SSL_NO_VERIFY). But it didn't solve the issue. So my next trail was about maybe the curl library version is outdated?
Quote from the post above:
---- begin quote
The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.
There are two solutions:
1. Ignore ssl certificate verification:
2. Actually install root certificates. Curl guys extracted for you certificates from mozilla:
http://curl.haxx.se/docs/caextract.html
cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.
*** under solaris: CApath: /opt/csw/ssl/certs
Here is how to do it: With cygwin setup.exe install curl and openssl packages. Execute:
---- quote end
I tried GIT_SSL_NO_VERIFY=true, but still no dice. So certificates probably are not the direct cause of the problems.
After searching for clues, I found
produces much output to follow what is going on. I attach the verbose output for comparison under solaris and linux.
[] CERT availability turned out to be insignificant to my problem.
git using https transport worked under linux: The distribution I use (Debian now) installs some public key certs from CAs and that helps git in determining the validity of the bitbucket cert, etc.
Under solaris10, opencsw repository seems to have installed already some certs under /opt/csw/ssl/certs.
So having certs didn't seem to be a problem (or is it?). And the following log produced by GIT_CURL_VERBOSE seemed to suggest (albeit somewhat in a spartan manner under solaris) that the cert is verified.
[] libraries and commands mixed up from sfw and opencsw
Then why does the solaris version of git fail using the https protocol?
It seems git uses libcurl and friends. Maybe libcurl from opencsw package is not compiled with "with-ssl" option (?)
curl-config command, if available, prints the version and curl --version shows the built-in protocol, etc.
While checking the library version numbers directly by listing libraries, I noticed a grave confusion on solaris 10. There are two versions of ssl and libcurl. One is from opencsw, and the other is from the somewhat older sfw (sun freeware) distribution, and I am afraid that sfw was the preferred choice some years ago. And, to top it off, the curl command itself is from sfw (at least on my solaris x86 (64bits) incarnation!)
You can see the combination is royally mixed up on my solaris 10 image.
SFW-related:
CSW-related:
Ok, which libraries is the sfw version of curl using? It uses the CSW distribution if available! (I put /opt/csw/lib early in my LD_LIBRARY_PATH. That is why, I think.)
[] git-remote-https command.
Digging further, I noticed that there is a git-remote-https command under the /opt/csw/libexec/git-core directory. This seems to be used by the git clone https: ... command. (I found this out using the GIT_TRACE=1 environment variable.)
So it uses libcurl and libssl from /opt/csw/lib.
This openssl may have an issue about point 2 noted above. Oh well.
[] Comparison of versions : solaris 10 vs linux
On Solaris opencsw version (where git clone https: ... failed)
On linux (where success): somehow I could not find curl-config
Note that OpenSSL is 1.0h under linux while it is at 0.9.7m on solaris (!). This may well be the problem.
[] Simple curl execution: libcurl operation failure?
I checked the basic operation of libcurl by running the following command both under solaris10 (failure) and Debian GNU/Linux (success).
The difference I noted was immediate. Verbose output from curl showed the following near the beginning under linux while it didn't on solaris. So maybe the sslv3 handshake is not working for some reason.
(From linux dump)
Maybe the following lines from the output of curl show some relations? Note the following points.
From Solaris 10 log:
[] Maybe the smoking gun, finally.
Regarding point 2 in the preceding section, I found a reference to a bug in openssl:
but it was "the problem was introduced in 0.9.7f and was fixed in 0.9.8k" and so should not be a problem in 0.9.7m which opencsw curl uses.
But who knows if other bugs in pre 1.0.0 openssl lurk. For example the following bug with OpenSSL 0.9.8g
also referred to in
may be significant here.
Regarding point 1, I found the following post. This may also contribute to the problem. It seems that if curl is BUILT against sfw libssl, it fails in a subtle manner (!).
RE: couldn't set callback! (RESOLVED)
I suspect that the above post may be relevant and points at the culprit (It is solaris 10 specific!)
In any case, I will post my finding to opencsw and ask for openssl 1.0.0h to be built, and for the curl library to be rebuilt against it, and then git as well.
My conclusion is that if openssl based on 1.0.0h is made available, and curl, libcurl, and git are recompiled, then the problem with "git clone https:..." I saw may not happen.
Reference Log
[] curl log: failure under Solaris 10
[] curl log : success under LINUX
Script done on 2012年03月31日 01時45分21秒
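
The library checks walked through in the answer above (which distribution the SSL and curl libraries resolve from, and which OpenSSL version libcurl reports) can be scripted. This is an added example, not part of the original answer; the function names, the /usr/sfw/lib path and the sample `ldd` and `curl --version` text are constructed assumptions.

```shell
# Added example: audit the SSL/curl libraries behind git's HTTPS helper.

# stdin: `ldd` output. Prints "<library> <origin>" for libssl/libcrypto/libcurl.
classify_libs() {
    awk '$1 ~ /^lib(ssl|crypto|curl)\./ && $2 == "=>" {
        origin = "other"
        if ($3 ~ /^\/opt\/csw\//) origin = "csw"
        else if ($3 ~ /^\/usr\/sfw\//) origin = "sfw"
        print $1, origin
    }'
}

# stdin: `ldd` output. Succeeds if those libraries come from more than one origin.
is_mixed() {
    classify_libs | awk '!seen[$2]++ { n++ } END { exit !(n > 1) }'
}

# stdin: `curl --version` output. Prints the OpenSSL version libcurl reports.
openssl_version() {
    sed -n '1s/.*OpenSSL\/\([0-9][0-9a-z.]*\).*/\1/p'
}

# Succeeds if version $1 is numerically older than $2 (letter suffix ignored).
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Constructed sample input (not the logs from the post).
SAMPLE_LDD='    libcurl.so.4 =>  /opt/csw/lib/libcurl.so.4
    libssl.so.0.9.7 =>  /usr/sfw/lib/libssl.so.0.9.7
    libcrypto.so.0.9.7 =>  /usr/sfw/lib/libcrypto.so.0.9.7
    libc.so.1 =>  /lib/libc.so.1'
SAMPLE_CURL='curl 0.0.0 (constructed) libcurl/0.0.0 OpenSSL/0.9.7m zlib/0.0.0'

printf '%s\n' "$SAMPLE_LDD" | classify_libs
if printf '%s\n' "$SAMPLE_LDD" | is_mixed; then
    echo "WARNING: SSL/curl libraries resolve to more than one distribution"
fi
v=$(printf '%s\n' "$SAMPLE_CURL" | openssl_version)
if version_older_than "$v" 1.0.0; then
    echo "WARNING: libcurl reports OpenSSL $v, older than 1.0.0"
fi
```

On a real host, pipe `ldd /opt/csw/libexec/git-core/git-remote-https` and `curl --version` into these functions in place of the samples.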