We have an internal server that GnuTLS doesn't like, e.g:
gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt foo.example.com
Processed 173 CA certificate(s).
Resolving 'foo.example.com'...
Connecting to '1.2.3.4:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Everything other than GnuTLS talks to it ok, but git appears to use GnuTLS out of the box on Ubuntu 14.04.2 LTS so git fails with:
GIT_CURL_VERBOSE=1 git clone https://foo.example.com/some-repo.git
Cloning into 'some-repo'...
* Couldn't find host foo.example.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
* Trying 1.2.3.4...
* Connected to foo.example.com (1.2.3.4) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
fatal: unable to access 'https://foo.example.com/some-repo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
We're working on fixing the incompatibility with GnuTLS, but in the mean time is there a way to force git to tell curl to use another SSL engine at runtime (i.e not rebuilding git from source)?