Gentoo Forums
git won't clone -- networking issue? [SOLVED]
Gentoo Forums Forum Index: Networking & Security
justin_brody
Apprentice
Joined: 26 Jan 2005
Posts: 261
PostPosted: Sat Feb 01, 2020 11:58 am    Post subject: git won't clone -- networking issue? [SOLVED]

Hello,
I don't seem able to clone git repositories in the natural way:
Code:

/tmp $ git clone https://github.com/allenai/ai2thor
Cloning into 'ai2thor'...
tmp $

(nothing was actually cloned). On the other hand if I change the URL to git://github.com/allenai/ai2thor it clones o.k.

I've seen it suggested that this might be a network issue (the box is at a college). Any tips on checking/resolving this?

Thanks in advance!


Last edited by justin_brody on Mon Feb 03, 2020 2:24 am; edited 1 time in total
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1959
PostPosted: Sat Feb 01, 2020 12:17 pm

Perhaps a proxy?
Some companies and institutions have L7 firewalls that - among other things - MITM your https traffic.
You can check the website's certificate (the CA would be particularly interesting there).

Also, running git with --verbose may provide some additional information that would help with debugging :)
justin_brody
Apprentice
Joined: 26 Jan 2005
Posts: 261
PostPosted: Sat Feb 01, 2020 12:37 pm

Thanks for the tips szatox!

Adding --verbose doesn't give me any extra info.

Checking the ssl cert gives:
Quote:
Common name: goucher.edu
SANs: goucher.edu, *.goucher.edu
Organization: Goucher College Org. Unit: Information Technology
Location: Baltimore, Maryland, US
Valid from April 5, 2017 to April 5, 2020
Serial Number: 56d2c135d06e95dab42bbdc97116b93f
Signature Algorithm: sha256WithRSAEncryption
Issuer: InCommon RSA Server CA

Common name: InCommon RSA Server CA
Organization: Internet2 Org. Unit: InCommon
Location: Ann Arbor, MI, US
Valid from October 5, 2014 to October 5, 2024
Serial Number: 4720d0fa85461a7e17a1640291846374
Signature Algorithm: sha384WithRSAEncryption
Issuer: USERTrust RSA Certification Authority

Not quite sure what to make of this though. Does this sound like that situation you're talking about?

Also, another machine I have access to at the same school can do git just fine.

Would being behind a router make a difference? The machine that works is directly on the network whereas the one that doesn't is behind a router.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 16187
PostPosted: Sat Feb 01, 2020 4:20 pm

justin_brody wrote:
Checking the ssl cert gives:
Quote:
 Common name: goucher.edu
Not quite sure what to make of this though. Does this sound like that situation you're talking about?
Yes. That is definitely the wrong certificate.
Code:

curl -v -o /dev/null https://github.com/allenai/ai2thor                         
...
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: May  8 00:00:00 2018 GMT
*  expire date: Jun  3 12:00:00 2020 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
...
justin_brody wrote:
Also, another machine I have access to at the same school can do git just fine.
Please try the curl command I showed on both machines and report their results. It's possible (though not likely) that you won't get exactly what I got, but you definitely should see a CN of github.com.
justin_brody wrote:
Would being behind a router make a difference? The machine that works is directly on the network whereas the one that doesn't is behind a router.
Only if the router is breaking protocol by intercepting and modifying your HTTPS connection. If it's doing that, you should report it to the IT department as a bug. They'll almost certainly claim it's intentional, but it's still wrong. Silently intercepting and modifying HTTPS traffic is never correct, but is popular among IT departments that think their "need to know" everything traversing the network is more important than not breaking applications.

As a reminder, the git:// protocol is, by design, not secure and should not be used over an untrusted network if you care about the confidentiality or integrity of the data. Since your network seems to be manipulating HTTPS traffic, I would definitely consider it untrusted.
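The comparison Hu does by eye above (does the certificate presented for github.com actually name github.com, and who issued it?) can be scripted. The block below is an added example for this thread, not code from the forum posts, curl or git. The two certificate dicts are constructed from the subject, SAN and issuer fields quoted in the thread, laid out the way Python's ssl.SSLSocket.getpeercert() returns them; serial numbers and validity dates are left out. fetch_peer_cert() is the live variant and keeps normal verification on, so a proxy CA that is not in the system store shows up as an ssl.SSLCertVerificationError rather than being silently accepted.

```python
"""Classify a TLS server certificate the way a client should before trusting it."""
import socket
import ssl

# Leaf certificate from the thread's `curl -v` output for github.com
# (constructed from the quoted fields; dates and serial omitted).
GITHUB_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("countryName", "US"),),
        (("organizationName", "GitHub, Inc."),),
        (("commonName", "github.com"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "DigiCert Inc"),),
        (("commonName", "DigiCert SHA2 Extended Validation Server CA"),),
    ),
    "subjectAltName": (("DNS", "github.com"),),
}

# Certificate the original poster pasted from a third-party lookup site
# (constructed from the quoted fields).
GOUCHER_CERT = {
    "subject": (
        (("commonName", "goucher.edu"),),
        (("organizationName", "Goucher College"),),
        (("organizationalUnitName", "Information Technology"),),
    ),
    "issuer": (
        (("commonName", "InCommon RSA Server CA"),),
        (("organizationName", "Internet2"),),
        (("organizationalUnitName", "InCommon"),),
    ),
    "subjectAltName": (("DNS", "goucher.edu"), ("DNS", "*.goucher.edu")),
}


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _dns_matches(pattern, hostname):
    """RFC 6125-style name match: exact, or a single left-most '*' label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    # The wildcard covers exactly one label and never the bare parent domain.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def assess_cert(cert, expected_host, trusted_issuer_cn=None):
    """Return findings about `cert` as presented on a connection to `expected_host`.

    name_ok   - a SAN DNS entry (or the CN, if there are no SANs) covers the host.
    issuer_cn - who signed the leaf.  Compare it with what a network you trust
                shows you: an inspecting proxy presents a cert whose *name* is
                right but whose issuer is the proxy's private CA, so name_ok
                alone is not enough.
    issuer_ok - None if no reference issuer was given, else an equality check.
    """
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans or [_rdn_value(cert["subject"], "commonName")]
    name_ok = any(_dns_matches(n, expected_host) for n in names if n)
    issuer_cn = _rdn_value(cert["issuer"], "commonName")
    issuer_ok = None if trusted_issuer_cn is None else issuer_cn == trusted_issuer_cn
    return {"name_ok": name_ok, "names": names,
            "issuer_cn": issuer_cn, "issuer_ok": issuer_ok}


def fetch_peer_cert(host, port=443, timeout=10):
    """Live variant: getpeercert() for `host` with full verification left ON.

    If an interception CA is not in the system trust store this raises
    ssl.SSLCertVerificationError, which is itself the diagnosis.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    reference_issuer = "DigiCert SHA2 Extended Validation Server CA"
    for label, cert in (("github", GITHUB_CERT), ("goucher", GOUCHER_CERT)):
        print(label, assess_cert(cert, "github.com", reference_issuer))
```

Run against the two constructed certificates, the GitHub one passes both the name and issuer checks while the goucher.edu one fails the name check outright, which is exactly the "wrong certificate" call made above. For a real host, pass the output of fetch_peer_cert(host) and the issuer CN you observed from a network you trust.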
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1959
PostPosted: Sat Feb 01, 2020 5:24 pm

Quote:
Not quite sure what to make of this though. Does this sound like that situation you're talking about?
Yes, definitely. You're being MITMed by a local network admin.
Proxy can do some caching, virus scanning, content filtering etc. It may for example block http methods other than GET/POST.
It can also accompany you watching porn and eavesdrop on your passwords. Yay.

The uni's machines probably had this certificate added to the trusted store, either by the local sysadmin or by Windows domain policy. Your private hardware should report an SSL error; I don't think those CAs embedded in L7 firewalls are widely trusted.


Quote:
As a reminder, the git:// protocol is, by design, not secure and should not be used over an untrusted network
That's correct. It's been designed for publishing your code, not protecting it from access. Use ssh for secure access, be it private repository or a push to the origin.
justin_brody
Apprentice
Joined: 26 Jan 2005
Posts: 261
PostPosted: Sun Feb 02, 2020 12:21 am

Many thanks to both of you.

Hu, here are the results of the curl command.

From the machine where git doesn't work:
Code:

 ~ $ curl -v -o /dev/null https://github.com/allenai/ai2thor
*   Trying 140.82.114.4:443...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to github.com (140.82.114.4) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3085 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: May  8 00:00:00 2018 GMT
*  expire date: Jun  3 12:00:00 2020 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> GET /allenai/ai2thor HTTP/1.1
> Host: github.com
> User-Agent: curl/7.65.0
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Sun, 02 Feb 2020 00:15:35 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Status: 200 OK
< Vary: X-PJAX
< ETag: W/"af65dd12d3fbf675fc0c0b7ffe20737d"
< Cache-Control: max-age=0, private, must-revalidate
< Set-Cookie: has_recent_activity=1; path=/; expires=Sun, 02 Feb 2020 01:15:34 -0000
< Set-Cookie: _octo=GH1.1.941695103.1580602534; domain=.github.com; path=/; expires=Tue, 02 Feb 2021 00:15:34 -0000
< Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 02 Feb 2021 00:15:35 -0000; secure; HttpOnly
< Set-Cookie:
_gh_sess=
bWgvTTE0VW1wYnpycnZaTVk4WjJCZTh3UGsyK3FUbmEyMndvUEFZZ1FLakovQWxXcGNycTZJNE9
MQitvUFpJbXZBMU95dkYyaTFJMS9NZWFiRjVqRExaY0h4TEZ5RzYySEJBUUZUc2w4dVNIcjNoSW
JWdzVQVjFaT01ueXN5cnVFWlhpYlZrT0xCNkxDdWh6REJFclo3YVltOFM5T2MwMXJaNnZNYVRyQ
WhFa0FPZmU1eXRFbUJHbmVvNFAyc3h4eUZVRFh0VGV6YWNFdHpGUVBiOHZGNzN6WnBBUnJMc2FM
MnFMQytrVGdvWT0tLWsxVEJuckthSFJEV2p5TnpoUEN3SUE9PQ%3D%3D--
69de9c859c9a51b670bc08a0eeed675481ae8be9; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
{ [5 bytes data]
< Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
< X-GitHub-Request-Id: E63B:71C5:274062:523AF7:5E3614A6
<
{ [551 bytes data]
100  106k    0  106k    0     0   239k      0 --:--:-- --:--:-- --:--:--  252k
* Connection #0 to host github.com left intact


and from the machine where it does work:
Code:
$ curl -v -o /dev/null https://github.com/allenai/ai2thor
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to github.com port 443 (#0)
*   Trying 140.82.114.4...
* Connected to github.com (140.82.114.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=github.com,O="GitHub, Inc.",L=San Francisco,ST=California,C=US,serialNumber=5157550,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
*       start date: May 08 00:00:00 2018 GMT
*       expire date: Jun 03 12:00:00 2020 GMT
*       common name: github.com
*       issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET /allenai/ai2thor HTTP/1.1
> User-Agent: curl/7.29.0
> Host: github.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Sun, 02 Feb 2020 00:17:27 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Status: 200 OK
< Vary: X-PJAX
< ETag: W/"e9efd5cc22c1061201585c2b78d09c8e"
< Cache-Control: max-age=0, private, must-revalidate
< Set-Cookie: has_recent_activity=1; path=/; expires=Sun, 02 Feb 2020 01:17:27 -0000
< Set-Cookie: _octo=GH1.1.1702289297.1580602647; domain=.github.com; path=/; expires=Tue, 02 Feb 2021 00:17:27 -0000
< Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 02 Feb 2021 00:17:27 -0000; secure; HttpOnly
< Set-Cookie:
_gh_sess=
em1HNlRXbFUyZTgxTjFFbExCT09BVDlpaXRtQVRUTkZIbXhneG0xUkVlaGxFSkFHL09EYS84K3J
WdkYvTEsyT2tnNWtJVjFrWERMYVVYM1h1Y0RJTUJjSEVGWW1KRDNFWW5qY3BVdHZxQXdkc2V4eX
NVWGN2bXFBNEtCZE8zVXB0VXVudkpidFlaUHJXbzNXS01xci9Yc3czY01oYmJDWTc0TWxJU3FzS
nZRY1g3RDBERy9TMXB0SVN4M0JqTXdhaldoWVh0dVIwcDE4WVdjSE5pSWZJaTNzd3ZXc291d2g5
MTR1SjNkR3ZPcz0tLUZWMUxwaGRYai82YTc5M1drUFNmMEE9PQ%3D%3D--
68d29b60494e534a1a7a4537086bc33688f11c41; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
< Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
< X-GitHub-Request-Id: D56E:2FBF:93C13C:12629C0:5E361517
<
{ [data not shown]
100  106k    0  106k    0     0   165k      0 --:--:-- --:--:-- --:--:--  165k
* Connection #0 to host github.com left intact



For both of you, if the problem is that the ISP is hijacking my connection, is there anything I can do about it?

Thanks again for the help!

Wrapped long lines to make the forum layout behave. -- Chiitoo
Hu
Moderator
Joined: 06 Mar 2007
Posts: 16187
PostPosted: Sun Feb 02, 2020 1:29 am

That is strange. Neither of those certificates is obviously invalid, and neither matches the one you showed earlier when you said you checked the SSL certificate (when you showed the common name of goucher.edu). What did you do to get that output?

If your ISP hijacks the connection, your options are limited.
  • You could try to use a VPN to tunnel around it.
  • You could try to find a protocol that can do what you want despite the hijacking. For github, if you have an account and you add an ssh public key to your account, you might be able to use the git+ssh:// protocol to retrieve files, even when those files are part of someone else's repository (providing that the files are considered "public").
  • You could try to pull rank. If you're an important enough person in the local organizational hierarchy, you might be able to force the provider to make an exception. This probably only applies if your title includes "Vice President" or similar though.
  • You could try to plead necessity. If the interception is breaking a program you need to use, and failure to use the program means that you will fail an obligation to someone who can pull rank, you might be able to get them to assert their position on your behalf.
  • In some limited circumstances, which probably don't apply here, you could try to use local privacy laws against them. I've seen claims that even the "reduced expectation of privacy" that lets them get away with pulling this in the general case doesn't permit snooping certain highly sensitive connections, like traffic with your bank. Most organizations large enough to bother with intercepting traffic like this also have the sense to consult with lawyers before rolling it out, so the monitoring organization probably already has all the exceptions required by local law, and cannot be intimidated into making another one.
justin_brody
Apprentice
Joined: 26 Jan 2005
Posts: 261
PostPosted: Sun Feb 02, 2020 6:57 am

Many thanks Hu. The earlier output was just from going to a random website that reported on CA certificates for given domains. Probably that information isn't correct -- my apologies there.

Does this then indicate that connections are probably not being hijacked?

I should probably add that I'm not sure what the correct way to check the certificate is here. Could you point me in the right direction?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 16187
PostPosted: Sun Feb 02, 2020 5:36 pm

The curl command I gave, which you ran, is a decent way of dumping the server's certificate to screen. It's slightly odd that you got different results for the two hosts, but neither look like an obvious hijacking attempt to me. Some large websites use load balancers that disagree about what certificate to use, which has no negative impact on direct security, but has some indirect impact in that it makes certificate pinning harder to use, and it makes debugging things like this more trouble because we cannot jump immediately from "Certificates do not match" to "Something has been hijacked."

I think at this point we need to go back to git and try to make it explain what it is doing, probably in extremely high detail, since we don't know what we are seeking. Start by reading man git and looking at the family of GIT_TRACE environment variables. Enable whichever ones talk about network transport / protocol negotiation. Run git with those set. You probably need to direct the tracing output to a file. Although probably not relevant here since you are anonymously cloning a public repository, you should inspect the output for anything you need to redact before you post it. Depending on the size, you may need to use a pastebin for the trace log.
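The redaction step above is easy to skip when the log is long. The script below is an added example for this thread, not code from the forum posts or from git: it scrubs a GIT_TRACE / GIT_TRACE_CURL capture before it is posted and pulls out the TLS lines a reviewer actually wants. The expected capture command is an assumption about the shell it runs in, e.g. `GIT_TRACE=1 GIT_TRACE_CURL=1 git clone https://github.com/allenai/ai2thor 2>trace.log`. Git itself redacts Authorization and cookie values in its own curl trace unless GIT_TRACE_REDACT=0, so the rules here matter for older git, for logs that mix in other tools' output, and for credentials that leak through the run_command line rather than through a header. SAMPLE_LOG is constructed in the style of git's trace output; every token and cookie value in it is fake.

```python
"""Scrub secrets from a git trace log before sharing it, and summarise its TLS lines."""
import re

# Constructed sample in the style of GIT_TRACE=1 GIT_TRACE_CURL=1 output.
# The credential in the URL, the Authorization value and the cookies are fake.
SAMPLE_LOG = """\
12:00:01.000001 git.c:444               trace: built-in: git clone https://github.com/allenai/ai2thor
12:00:01.100000 run-command.c:663       trace: run_command: git remote-https origin https://deploy:ghp_FAKE1234567890abcdef@github.com/allenai/ai2thor
12:00:01.200000 http.c:756              == Info: Connected to github.com (140.82.114.4) port 443 (#0)
12:00:01.300000 http.c:756              == Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
12:00:01.300000 http.c:756              == Info:  subject: CN=github.com; O=GitHub, Inc.
12:00:01.300000 http.c:756              == Info:  issuer: CN=DigiCert SHA2 Extended Validation Server CA; O=DigiCert Inc
12:00:01.400000 http.c:703              => Send header: GET /allenai/ai2thor/info/refs?service=git-upload-pack HTTP/1.1
12:00:01.400000 http.c:703              => Send header: Authorization: Basic ZGVwbG95OmdocF9GQUtFMTIzNDU2Nzg5MGFiY2RlZg==
12:00:01.400000 http.c:703              => Send header: Cookie: _gh_sess=FAKESESSIONVALUE; logged_in=no
12:00:01.500000 http.c:703              <= Recv header: HTTP/1.1 200 OK
12:00:01.500000 http.c:703              <= Recv header: Set-Cookie: _octo=GH1.1.0.0; domain=.github.com; path=/
"""

# Applied in order to every line.  Header rules keep the header name (and the
# auth scheme, which is useful for debugging) and drop only the secret value.
_RULES = [
    (re.compile(r"(?i)\b((?:Proxy-)?Authorization:\s*)(\w+\s+)?\S.*$"), r"\1\2<redacted>"),
    (re.compile(r"(?i)\b((?:Set-)?Cookie:\s*).*$"), r"\1<redacted>"),
    # user:password or user:token embedded in a URL, as seen on run_command lines
    (re.compile(r"(https?://)[^/\s:@]+:[^/\s@]+@"), r"\1<redacted>@"),
    # GitHub-style personal access tokens that appear anywhere else
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{16,}\b"), "<redacted-token>"),
]


def redact_line(line):
    """Return `line` with every rule in _RULES applied."""
    for pattern, repl in _RULES:
        line = pattern.sub(repl, line)
    return line


def redact_log(text):
    """Redact a whole trace log, line by line."""
    return "\n".join(redact_line(line) for line in text.splitlines()) + "\n"


def tls_summary(text):
    """The curl 'Info' lines that say where we connected and what cert we got."""
    keys = ("Connected to", "SSL connection using", "subject:", "issuer:",
            "certificate verify")
    return [line.split("== Info:", 1)[1].strip()
            for line in text.splitlines()
            if "== Info:" in line and any(k in line for k in keys)]


if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
    for item in tls_summary(SAMPLE_LOG):
        print("TLS:", item)
```

The redacted log still shows the peer address, the cipher and the certificate subject and issuer, which is everything a helper needs to tell an intercepting proxy from a working direct connection; only the values that would let someone replay your session are gone.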
justin_brody
Apprentice
Joined: 26 Jan 2005
Posts: 261
PostPosted: Mon Feb 03, 2020 2:23 am

O.k., happy to report that I re-emerged both git and curl and now I'm seeing the expected behavior!

Thanks so much for your efforts with this; I'm glad we've got such a great Gentoo community!

Best,
Justin
iandoug
l33t
Joined: 11 Feb 2005
Posts: 606
Location: Cape Town, South Africa
PostPosted: Thu Aug 06, 2020 8:00 pm

Whether I use https or git:// I get:

Code:
fatal: unable to access 'https://github.com/iandoug/qmk_firmware/': Failed to connect to github.com port 443: Connection timed out


I have queried my ISP but, you know, Helpdesk won't find this in their prompt files ....

I have already checked firewall and router, they're not doing anything with port 443.

All "answers" that Google finds refer to proxy servers, typically at Varsities/corporate, and that doesn't apply to me ...

Any ideas?

using --verbose showed nothing extra.

It used to work in the past.

Thanks, Ian
_________________
Asus Sabertooth P990, AMD FX-8150, GeForce GTX 560, 16GB Ram
Hu
Moderator
Joined: 06 Mar 2007
Posts: 16187
PostPosted: Fri Aug 07, 2020 12:52 am

iandoug wrote:
Code:
fatal: unable to access 'https://github.com/iandoug/qmk_firmware/': Failed to connect to github.com port 443: Connection timed out
The request fails with git; can you access that URL from your browser? Are you behind a mandatory HTTPS proxy?
iandoug wrote:
Any ideas?
Try the debugging steps that I directed to the original poster, above. Your error is clearly different, as you time out while he got nothing. However, the git trace facilities may still be of interest.
yoshi314
l33t
Joined: 30 Dec 2004
Posts: 850
Location: PL
PostPosted: Tue Aug 11, 2020 9:38 am

I had similar issue just yesterday, where git would complain about github ssl certs.

When testing with curl it turned out that for some reason libnsspem.so is now required, but missing. I installed this library and it resolved my issues.

Git did not give me that error message, though.
_________________
~amd64
shrink your /usr/portage with squashfs+aufs
iandoug
l33t
Joined: 11 Feb 2005
Posts: 606
Location: Cape Town, South Africa
PostPosted: Tue Aug 11, 2020 12:03 pm

In my case the problem was self-inflicted : at some point in the past I had added

192.30.253.113 github.com
151.101.4.133 assets-cdn.github.com

to /etc/hosts (probably because someone somewhere said it was a good idea), and now those IPs are no longer valid so things fail weirdly.

Cheers, Ian
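A stale /etc/hosts override like the one above fails exactly this way: the resolver never asks DNS, every client connects to an address nobody answers on any more, and the only symptom is a timeout. The check below is an added example for this thread, not code from the posts: it parses a hosts file, asks DNS for the same names, and flags overrides whose addresses DNS no longer returns. HOSTS_TEXT is constructed from the two lines quoted above, and RECORDED_ANSWERS is an assumed DNS answer so the script runs offline (140.82.114.4 is the address curl reached earlier in the thread). The live resolver shells out to `dig` and queries 1.1.1.1 directly; both are assumptions, and the reason it does not use socket.getaddrinfo() is that getaddrinfo() consults /etc/hosts first and would simply echo the stale override back.

```python
"""Flag /etc/hosts overrides that DNS no longer agrees with."""
import subprocess

# Constructed hosts file containing the two entries quoted in the thread.
HOSTS_TEXT = """\
127.0.0.1   localhost
::1         localhost
192.30.253.113 github.com
151.101.4.133 assets-cdn.github.com   # added because someone said it was a good idea
"""

# Assumed DNS answers, so the check can run without network access.
RECORDED_ANSWERS = {
    "github.com": {"140.82.114.4"},
    "assets-cdn.github.com": set(),
}


def parse_hosts(text):
    """Map hostname -> set of IPs, skipping comments and loopback lines."""
    overrides = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1"):
            continue
        for name in names:
            overrides.setdefault(name.lower(), set()).add(ip)
    return overrides


def resolve_dns(name, server="1.1.1.1"):
    """Live resolver that bypasses /etc/hosts by asking a DNS server directly.

    Assumes the `dig` binary is installed.  socket.getaddrinfo() is *not*
    usable here: it goes through nsswitch, reads /etc/hosts first, and would
    return the very override we are trying to validate.
    """
    out = subprocess.run(["dig", "+short", "@" + server, name, "A"],
                         capture_output=True, text=True, timeout=10).stdout
    # `dig +short` may print CNAME targets too; keep only address lines.
    return {l.strip() for l in out.splitlines() if l.strip() and l[0].isdigit()}


def stale_overrides(hosts_text, resolve):
    """Return {name: (hosts_ips, dns_ips)} for overrides DNS does not back.

    An entry is flagged when none of its pinned addresses appear in the live
    DNS answer; `resolve` is any callable name -> set of IP strings.
    """
    findings = {}
    for name, ips in parse_hosts(hosts_text).items():
        dns_ips = resolve(name)
        if not ips & dns_ips:
            findings[name] = (ips, dns_ips)
    return findings


if __name__ == "__main__":
    # Offline run against the recorded answers; swap in resolve_dns for a live check.
    for name, (pinned, live) in stale_overrides(
            HOSTS_TEXT, lambda n: RECORDED_ANSWERS.get(n, set())).items():
        print(f"{name}: /etc/hosts pins {sorted(pinned)}, DNS returns {sorted(live) or 'nothing'}")
```

On a real box run it as `stale_overrides(open("/etc/hosts").read(), resolve_dns)`. Pinning a CDN-fronted host in /etc/hosts is fragile by design, since the provider rotates addresses; if an override is genuinely needed, a comment with the date and reason next to it is what makes a check like this actionable later.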
_________________
Asus Sabertooth P990, AMD FX-8150, GeForce GTX 560, 16GB Ram