We have an internal server that GnuTLS doesn't like, e.g:
gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt foo.example.com
Processed 173 CA certificate(s).
Resolving 'foo.example.com'...
Connecting to '1.2.3.4:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Everything other than GnuTLS talks to it ok, but git appears to use GnuTLS out of the box on Ubuntu 14.04.2 LTS so git fails with:
GIT_CURL_VERBOSE=1 git clone https://foo.example.com/some-repo.git
Cloning into 'some-repo'...
* Couldn't find host foo.example.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
* Trying 1.2.3.4...
* Connected to foo.example.com (1.2.3.4) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
fatal: unable to access 'https://foo.example.com/some-repo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
We're working on fixing the incompatibility with GnuTLS, but in the mean time is there a way to force git to tell curl to use another SSL engine at runtime (i.e not rebuilding git from source)?
git is built to use libcurl, libcurl is built to use a single fixed TLS library that cannot be changed in run-time.
You can however force git to use a different libcurl build at run-time, and that libcurl could be using OpenSSL. That's easiest done by putting that OpenSSL-using libcurl in a separate directory from the "standard" one you have and then you do one of these:
Make sure
/etc/ld.so.conf
lists that new dir before the old libcurl hosting directory - although then it'll change this setup for all programs using libcurl and you probably don't want that (based on your way of asking)put "LD_LIBRARY_PATH=[directory where your special libcurl is] git" into a script or alias called "git2" and use that instead of the ordinary git.