Dmitry Smirnov | 15 Nov 14:52 2011

Git 1.7.5 problem with HTTPS

Hi,

I have problems with downloading Android code from android.googlesource.com.

The error says: fatal: branch stable is not signed

I was trying to figure out what happens and finally came to the conclusion
that this is a problem of the git.

When I try to clone the git itself using https
(https://git.kernel.org/pub/scm/git/git.git) I'm getting the following
error:
warning: remote HEAD refers to nonexistent ref, unable to checkout.

If I use the http URL (http://git.kernel.org/pub/scm/git/git.git) I
can clone with no problems.

I was also considering that the problem is caused by proxy. But when I
tried to clone the same git source from another host via the same
proxy, it works pretty good. The difference is the git version: on the
first host it is 1.7.5.4 (comes with Ubuntu 11.10), on the second -
1.7.0.4

I was trying to collect some tcpdump and it shows the following sequence:
15	1.962132	X.X.X.X	Y.Y.Y.Y	HTTP	204	CONNECT git.kernel.org:443 HTTP/1.1
17	3.687364	Y.Y.Y.Y	X.X.X.X	HTTP	105	HTTP/1.0 200 Connection established
19	3.764793	X.X.X.X	Y.Y.Y.Y	TLSv1	208	Client Hello
21	3.815135	X.X.X.X	Y.Y.Y.Y	TLSv1	215	Ignored Unknown Record
23	4.045326	Y.Y.Y.Y	X.X.X.X	TLSv1	2239	Server Hello, Certificate, Server Key Exchange, Server Hello Done

Shawn Pearce | 15 Nov 16:03 2011

Re: Git 1.7.5 problem with HTTPS

On Tue, Nov 15, 2011 at 05:52, Dmitry Smirnov <divis1969 <at> gmail.com> wrote:
> I have problems with downloading Android code from android.googlesource.com.
>
> The error says: fatal: branch stable is not signed
>
> I was trying to figure out what happens and finally came to the conclusion
> that this is a problem of the git.

Not likely. This is an error printed by the "repo" tool used by
Android. It typically indicates the repo command you are executing is
pointing to a URL that may be a local mirror and contain additional
patches in it that were not signed by me.

I would suggest starting over by downloading repo per [1] and using
that script to start the process.

[1] http://source.android.com/source/downloading.html

> When I try to clone the git itself using https
> (https://git.kernel.org/pub/scm/git/git.git) I'm getting the following
> error:
> warning: remote HEAD refers to nonexistent ref, unable to checkout.
>
> If I use the http URL (http://git.kernel.org/pub/scm/git/git.git) I
> can clone with no problems.

This may be a problem with the git.kernel.org HTTP server. It is
probably not a problem with Git itself.
Junio C Hamano | 16 Nov 00:10 2011

Re: Git 1.7.5 problem with HTTPS

Shawn Pearce <spearce <at> spearce.org> writes:

> On Tue, Nov 15, 2011 at 05:52, Dmitry Smirnov <divis1969 <at> gmail.com> wrote:
>
>> If I use the http URL (http://git.kernel.org/pub/scm/git/git.git) I
>> can clone with no problems.
>
> This may be a problem with the git.kernel.org HTTP server. It is
> probably not a problem with Git itself.

Not likely to be an issue with git.kernel.org either. I am puzzled.

$ git ls-remote https://git.kernel.org/pub/scm/git/git.git |
  grep -e HEAD -e master
bc1bbe0c19a6ff39522b4fa3259f34150e308e1f        HEAD
bc1bbe0c19a6ff39522b4fa3259f34150e308e1f        refs/heads/master

$ rungit v1.7.5.4 ls-remote https://git.kernel.org/pub/scm/git/git.git |
  grep -e HEAD -e master
bc1bbe0c19a6ff39522b4fa3259f34150e308e1f        HEAD
bc1bbe0c19a6ff39522b4fa3259f34150e308e1f        refs/heads/master

The only thing that immediately comes to mind is the rare smart-http
breakage in 1.7.5 but that was plugged in 1.7.5.1, so...

Dmitry Smirnov | 16 Nov 08:11 2011

Re: Git 1.7.5 problem with HTTPS

2011/11/16 Junio C Hamano <gitster <at> pobox.com>:
> $ git ls-remote https://git.kernel.org/pub/scm/git/git.git |
>  grep -e HEAD -e master

In my case this command produces no output.

What if problem is caused by curl or TLS lib (libcurl-gnutls?) which
is used by my git? Is there any way to log something from git-remote-https?

Dmitry
Junio C Hamano | 16 Nov 08:18 2011

Re: Git 1.7.5 problem with HTTPS

Dmitry Smirnov <divis1969 <at> gmail.com> writes:

> 2011/11/16 Junio C Hamano <gitster <at> pobox.com>:
>> $ git ls-remote https://git.kernel.org/pub/scm/git/git.git |
>>  grep -e HEAD -e master
>
> In my case this command produces no output.
>
> What if problem is caused by curl or TLS lib (libcurl-gnutls?) which
> is used by my git?

Yeah, this is sounding very likely that this is an issue at the SSL/TLS
layer underneath whatever Git speaks.

Tay Ray Chuan | 16 Nov 08:34 2011

Re: Git 1.7.5 problem with HTTPS

On Wed, Nov 16, 2011 at 3:11 PM, Dmitry Smirnov <divis1969 <at> gmail.com> wrote:
> What if problem is caused by curl or TLS lib (libcurl-gnutls?) which
> is used by my git? Is there any way to log something from git-remote-https?

You can run git with GIT_CURL_VERBOSE set, like this

  GIT_CURL_VERBOSE=1 git ls-remote ...

-- 
Cheers,
Ray Chuan
Dmitry Smirnov | 16 Nov 09:51 2011

Re: Git 1.7.5 problem with HTTPS

Thanks.
I had collected two logs (for clone and ls-remote, attached).
Unfortunately, I cannot see, why problem occurs. The only indication is
* Connection #0 seems to be dead!

Is it possible that curl sends the request in plain text?
And according to tcpdump, why git/curl sends the request before Server Hello?

2011/11/16 Tay Ray Chuan <rctay89 <at> gmail.com>:
> On Wed, Nov 16, 2011 at 3:11 PM, Dmitry Smirnov <divis1969 <at> gmail.com> wrote:
>> What if problem is caused by curl or TLS lib (libcurl-gnutls?) which
>> is used by my git? Is there any way to log something from git-remote-https?
>
> You can run git with GIT_CURL_VERBOSE set, like this
>
>  GIT_CURL_VERBOSE=1 git ls-remote ...
>
> --
> Cheers,
> Ray Chuan
>
Attachment (clone.log): text/x-log, 2565 bytes
Attachment (ls-remote.log): text/x-log, 3197 bytes
Daniel Stenberg | 16 Nov 10:13 2011

Re: Git 1.7.5 problem with HTTPS

On Wed, 16 Nov 2011, Dmitry Smirnov wrote:

> Unfortunately, I cannot see, why problem occurs. The only indication is
> * Connection #0 seems to be dead!

That means libcurl wanted to re-use an existing connection, but it seems to 
have died in the mean time and therefore it has to create a new one and 
reconnect instead. I suppose that is the first indication that something isn't 
quite right.

> Is it possible that curl sends the request in plain text?

I'd say that isn't very likely and you could easily snoop on the network to 
figure that out for sure.

> And according to tcpdump, why git/curl sends the request before Server 
> Hello?

curl will send the HTTP request once the TLS negotiation has completed as told 
by the TLS library. I believe you said you're using GnuTLS, are you using a 
recent version?

This is not a transfer layer (curl/HTTPS) bug I recognize, but I can of course 
not rule out that there's a bug somewhere in there!

-- 

  / daniel.haxx.se
Dmitry Smirnov | 16 Nov 11:10 2011

Re: Git 1.7.5 problem with HTTPS

> I'd say that isn't very likely and you could easily snoop on the network to
> figure that out for sure

In the very first message I wrote that there is a strange tcpdump record:
21      3.815135        X.X.X.X Y.Y.Y.Y TLSv1   215     Ignored Unknown Record
In this record there is some binary dump followed by unencrypted text:
GET /pub/scm/git/git.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.5.4 Host: git.kernel.org Accept: */* Pragma:
no-cache

This packet is recorded before negotiation complete, so I'm wondering
who is guilty: git or curl?
What Git is providing to libcurl? Can I log it?

> curl will send the HTTP request once the TLS negotiation has completed as
> told by the TLS library. I believe you said you're using GnuTLS, are you
> using a recent version?
I'm using the version that comes with Ubuntu 11.10.
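
The check described in the message above (looking for cleartext where a TLS record should be), as an added example that is not part of the original thread: it walks the client-side bytes sent after the proxy's `200 Connection established` and reports the first position that does not frame as a TLS record, plus any HTTP request line visible from there. The function names and sample bytes are constructed for illustration and are not taken from the capture.

```python
import re
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_FRAGMENT = 2**14 + 2048  # largest ciphertext a TLS 1.0-1.2 record may carry
HTTP_REQUEST = re.compile(rb"(?:GET|POST|HEAD|PUT|OPTIONS) [^\r\n ]+ HTTP/1\.[01]")


def scan_tunnel(stream: bytes):
    """Walk the client-to-server bytes that follow the proxy's 200 reply.

    Returns (records, bad_offset, http_line): the record types that framed
    correctly, the offset of the first bytes that are not a TLS record
    (None if everything framed), and any cleartext HTTP request line found
    from that offset on (None if there is none).
    """
    records, pos = [], 0
    while pos < len(stream):
        header = stream[pos:pos + 5]
        if len(header) == 5:
            ctype, major, minor, length = struct.unpack("!BBBH", header)
            if (ctype in TLS_TYPES and major == 3 and minor <= 4
                    and length <= MAX_FRAGMENT):
                records.append(TLS_TYPES[ctype])
                pos += 5 + length  # skip header and fragment
                continue
        match = HTTP_REQUEST.search(stream, pos)
        return records, pos, match.group(0).decode("ascii") if match else None
    return records, None, None


def record(ctype: int, body: bytes) -> bytes:
    """Build one TLS 1.0 record (version 3.1) around a constructed body."""
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body


# Constructed sample data, not bytes from the original capture.
CLIENT_HELLO = record(22, b"\x01" + bytes(60))
LEAKY = CLIENT_HELLO + b"\x00\x9f\x01\x02" + (
    b"GET /pub/scm/git/git.git/info/refs?service=git-upload-pack HTTP/1.1\r\n"
    b"User-Agent: git/1.7.5.4\r\nHost: git.kernel.org\r\n\r\n")
CLEAN = CLIENT_HELLO + record(22, bytes(70)) + record(20, b"\x01") \
    + record(22, bytes(40)) + record(23, bytes(120))

if __name__ == "__main__":
    print(scan_tunnel(LEAKY))
    print(scan_tunnel(CLEAN))
```
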
Jonathan Nieder | 16 Nov 23:28 2011

Re: Git 1.7.5 problem with HTTPS

Dmitry Smirnov wrote:

> What Git is providing to libcurl? Can I log it?

ltrace can help.
Dmitry Smirnov | 16 Nov 08:04 2011

Re: Git 1.7.5 problem with HTTPS

2011/11/15 Shawn Pearce <spearce <at> spearce.org>:
> I would suggest starting over by downloading repo per [1] and using
> that script to start the process.
Cloning of the repo.git repository produces the same error
warning: remote HEAD refers to nonexistent ref, unable to checkout.

That is why I tried to use another repository...
Haitao Li | 16 Nov 11:32 2011

Re: Git 1.7.5 problem with HTTPS

> I was also considering that the problem is caused by proxy. But when I
> tried to clone the same git source from another host via the same
> proxy, it works pretty good. The difference is the git version: on the
> first host it is 1.7.5.4 (comes with Ubuntu 11.10), on the second -
> 1.7.0.4

The proxy may have some impact.

I see exactly the same error only behind a proxy on my laptop running
Ubuntu 11.10 with libgnutls26/2.10.5-1ubuntu3. The same laptop works fine
at home without proxy.

I have another machine (Ubuntu 11.04 git/1.7.4.1 libgnutls26/2.8.6-1ubuntu2)
works fine behind the same proxy.
Dmitry Smirnov | 17 Nov 07:36 2011

Re: Git 1.7.5 problem with HTTPS

I had fixed the problem by manually installing the most recent version
of the libcurl3-gnutls for Ubuntu (from precise):
http://packages.ubuntu.com/precise/libcurl3-gnutls
It will require also most recent libgnutls:
http://packages.ubuntu.com/precise/libgnutls26

Dmitry