Git - 吊销功能无法检查证书的吊销
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/45556189/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Git - The revocation function was unable to check revocation for the certificate
提问by Mordechai
I'm trying to clone from Github by using both Github Desktop and the git shell but keep on getting this error:
我正在尝试使用 Github Desktop 和 git shell 从 Github 进行克隆,但不断收到此错误:
Cloning into 'C:\Users\John Doe\workspace\MyProject'...
fatal: unable to access 'https://github.com/JohnDoe/MyProject.git/':
schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) -
The revocation function was unable to check revocation for the certificate.
Same problem when pulling an existing repository.
拉取现有存储库时出现同样的问题。
I've already tried to upload SSH keys found in ~/.ssh/github-ssh.pubto Github settings but it doesn't help anything.
我已经尝试将在~/.ssh/github-ssh.pubGithub 设置中找到的 SSH 密钥上传,但它没有任何帮助。
EDIT:Just checked, it will happen even if I try to clone a non-existent repository.
编辑:刚刚检查过,即使我尝试克隆一个不存在的存储库,它也会发生。
回答by Mike Allen
It's always a bad idea to disable certificate verification (setting http.sslVerifyto false).
禁用证书验证(设置http.sslVerify为false)总是一个坏主意。
I think the problem here is that, when you installed git, you opted to use the Windows Secure Channellibrary instead of the OpenSSLlibrary:
我认为这里的问题是,当您安装git 时,您选择使用Windows 安全通道库而不是OpenSSL库:
As pointed out by @CurtJ.Sampson (thanks, Curt!), you can switch to using the OpenSSLlibrary instead, which will fix your issue. This can be done with the following command:
正如@CurtJ.Sampson 所指出的(感谢 Curt!),您可以改用OpenSSL库,这将解决您的问题。这可以通过以下命令完成:
git config --global http.sslBackend openssl
Alternatively, you can re-install git, specifying the OpenSSLlibrary in the process.
或者,您可以重新安装git,在此过程中指定OpenSSL库。
Don't forget to turn gitSSL verification back on with:
不要忘记重新打开gitSSL 验证:
git config --global http.sslVerify true
Update: If you're using self-signed or corporate certificates on your own gitserver, and you get an error when attempting to connect to it (such as self signed certificate in certificate chain, or SSL certificate problem: unable to get local issuer certificate), then the solution is to tell gitwhere to find the CAthat was used to sign that site's certificate. You can do this with the following configuration command:
更新:如果您在自己的git服务器上使用自签名或公司证书,并且在尝试连接到它时出现错误(例如证书链中的自签名证书,或SSL 证书问题:无法获得本地颁发者) certificate),那么解决方案是告诉git在哪里可以找到用于签署该站点证书的CA。您可以使用以下配置命令执行此操作:
git config --global http.{your site's URL here}.sslcainfo "{path to your cert file}"
For example, if you have a local git server at https://my.gitserver.com/and the CAthat signed the site's certificate is in C:\Certs\MyCACert.crt, then you'll need to enter:
例如,如果您有一个本地 git 服务器,https://my.gitserver.com/并且签署站点证书的CA位于C:\Certs\MyCACert.crt,那么您需要输入:
git config --global http.https://my.gitserver.com/.sslcainfo "C:\Certs\MyCACert.crt"
This is a more robust solution compared to adding your CA certificate to git's bundled ca-bundle.crtfile, since that file will be overwritten when you next update git.
与将 CA 证书添加到git的捆绑ca-bundle.crt文件相比,这是一个更强大的解决方案,因为该文件将在您下次更新git时被覆盖。
回答by Clockwork-Muse
This error is also commonly hit when you're on a corporate network that performs MITM on all traffic, and then blocks the revocation check. While, obviously, the ideal situation is to not block the checks (or at least, to a whitelist of urls), it may be required to work around this problem.
当您在对所有流量执行 MITM 然后阻止吊销检查的公司网络上时,通常也会遇到此错误。显然,理想的情况是不阻止检查(或至少阻止 url 的白名单),但可能需要解决此问题。
One option is, as in the first part of Mike's answer, using the OpenSSL bindings instead. While this works, it requires manual maintenance of the certificate lists, which may not be practical in extreme situations (say, new root certs issued every day, although this is unlikely).
一种选择是,如 Mike 回答的第一部分,改用 OpenSSL 绑定。虽然这有效,但它需要手动维护证书列表,这在极端情况下可能不切实际(例如,每天发布新的根证书,尽管这不太可能)。
The other option, akin to the second part of Mike's answer, is disabling revocation checking.
Recent versions, 2.19 and above, of git-for-windows provides an http.schannelCheckRevokesetting:
另一个选项,类似于 Mike 答案的第二部分,是禁用吊销检查。
git-for-windows 的最新版本 2.19 及更高版本提供了一个http.schannelCheckRevoke设置:
Used to enforce or disable certificate revocation checks in cURL when http.sslBackend is set to "schannel". Defaults to
trueif unset. Only necessary to disable this if Git consistently errors and the message is about checking the revocation status of a certificate. This option is ignored if cURL lacks support for setting the relevant SSL option at runtime.
当 http.sslBackend 设置为“schannel”时,用于在 cURL 中强制或禁用证书吊销检查。
true如果未设置,则默认为。仅当 Git 持续出错并且消息是关于检查证书的吊销状态时才需要禁用此功能。如果 cURL 不支持在运行时设置相关 SSL 选项,则忽略此选项。
... so you can simply disable checking for revocation in the first place:git config --global http.schannelCheckRevoke false
...因此您可以简单地首先禁用对吊销的检查:git config --global http.schannelCheckRevoke false
Note that, unlike disabling SSL entirely, this is not inherently less secure than using Mike's answer for specific repositories: if you capture and configure an empty revocation list (the usual case), you have effectively disabled revocation checking. Disabling revocation checking only becomes a risk in the case of private-key compromise(at some point in the chain), which is rare and difficult.
请注意,与完全禁用 SSL 不同,这在本质上并不比对特定存储库使用 Mike 的答案更安全:如果您捕获并配置一个空的吊销列表(通常情况下),您实际上已禁用吊销检查。 禁用撤销检查只会在私钥泄露(在链中的某个点)的情况下成为一种风险,这种情况很少见且困难。
Note, also, that in a corporate MITM setting, revocation checking is being performed for you: no proxy worth using would issue a cert for an invalid or (known) compromised certificate.
另请注意,在企业 MITM 设置中,正在为您执行吊销检查:没有值得使用的代理会为无效或(已知)受损证书颁发证书。
