设置http不是一个好的做法。sslVerify假。 相反，我们可以使用SSL证书。

因此，构建代理将使用https与SSL证书和PAT进行身份验证。

复制cer文件的内容，包括- begin -和-end——。

Git bash build agent => Git配置-global http。sslcainfo " C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt " 转到该文件并添加.cer内容。

因此，构建代理可以访问SSL证书

检查防病毒和防火墙设置。

从一天到另一天，git不再工作了。根据上面的描述，我发现卡巴斯基在中间放置了一个自签名的反病毒个人根证书。按照上面的说明，我没有设法让Git接受该证书。我放弃了。对我来说有用的是禁用扫描加密连接的功能。

卡巴斯基开放 设置>附加>网络>不扫描加密连接

在此之后，git再次启用sslVerify。

请注意。这对我来说仍然不满意，因为我想让我的反病毒功能激活。在高级设置中，卡巴斯基显示了一个不能使用该功能的网站列表。Github不在其中。我会在卡巴斯基论坛上查的。似乎有一些话题，例如。 https://forum.kaspersky.com/index.php?/topic/395220-kis-interfering-with-git/&tab=comments#comment-2801211

永久地接受特定的证书

http。sslCAPath或http.sslCAInfo。Adam Spiers的回答给出了一些很好的例子。这是这个问题最可靠的解决办法。

禁用单个git命令的TLS/SSL验证

尝试将-c与正确的配置变量传递给git，或使用Flow的答案:

git -c http.sslVerify=false clone https://example.com/path/to/git

禁用所有存储库的SSL验证

可以全局禁用ssl验证。强烈建议不要这样做，但为了完整起见，这里提到了:

git config --global http.sslVerify false # Do NOT do this!

git中有相当多的SSL配置选项。从git配置的手册页:

http.sslVerify
    Whether to verify the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_NO_VERIFY environment variable.

http.sslCAInfo
    File containing the certificates to verify the peer with when fetching or pushing
    over HTTPS. Can be overridden by the GIT_SSL_CAINFO environment variable.

http.sslCAPath
    Path containing files with the CA certificates to verify the peer with when
    fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CAPATH environment variable.

其他一些有用的SSL配置选项:

http.sslCert
    File containing the SSL certificate when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_CERT environment variable.

http.sslKey
    File containing the SSL private key when fetching or pushing over HTTPS.
    Can be overridden by the GIT_SSL_KEY environment variable.

http.sslCertPasswordProtected
    Enable git's password prompt for the SSL certificate. Otherwise OpenSSL will
    prompt the user, possibly many times, if the certificate or private key is encrypted.
    Can be overridden by the GIT_SSL_CERT_PASSWORD_PROTECTED environment variable.

关于http。sslCAPath选项:如果在包含证书文件的目录上执行了OpenSSL c_rehash命令，git将只检测指定目录路径下的证书文件。c_rehash命令将为每个证书创建符号链接，其中链接的名称为哈希值。例如:

$ cd /path/to/ssl/cert/directory

$ ls -al

  total 16
  drwxr-xr-x  3 user  staff    96 Oct 20 13:47 .
  drwxr-xr-x  4 user  staff   128 Oct 20 13:46 ..
  -rw-r--r--  1 user  staff  4832 Oct 20 13:47 google.pem

$ /usr/local/opt/openssl@1.1/bin/c_rehash ./

  Doing ./

$ ls -al

  total 16
  drwxr-xr-x  4 user  staff   128 Oct 20 13:58 .
  drwxr-xr-x  4 user  staff   128 Oct 20 13:46 ..
  lrwxr-xr-x  1 user  staff    10 Oct 20 13:58 f6dbf7a7.0 -> google.pem
  -rw-r--r--  1 user  staff  4832 Oct 20 13:47 google.pem

注意，c_rehash命令创建了以下符号链接:f6dbf7a7.0 -> google.pem。

您还可以用下面的命令代替c_rehash实用程序，不过请注意，下面的命令只处理*。Pem文件，而c_rehash实用程序将处理.pem， .crt， .cer或.crl文件:

for file in *.pem; do ln -s $file `openssl x509 -hash -noout -in $file`.0; done

如果您现在配置http。将sslCAPath导入到包含上述符号链接的目录，git将获取证书文件:

# contents of /etc/gitconfig
[http]
        sslCAPath = /path/to/ssl/cert/directory/

也可以配置http。sslCAPath使用一个环境变量:

export GIT_SSL_CAPATH=/path/to/ssl/cert/directory/

你可以将GIT_SSL_NO_VERIFY设置为true:

GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git

或者配置Git不验证命令行上的连接:

git -c http.sslVerify=false clone https://example.com/path/to/git

请注意，如果您不验证SSL/TLS证书，那么您很容易受到MitM攻击。

I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.

举一个具体的例子:著名的repo.or.cz存储库提供了一个自签名证书。我可以下载这个文件，把它放在/etc/ssl/certs这样的地方，然后做:

# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
    git clone https://repo.or.cz/org-mode.git

# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem

注意，在这里使用本地git配置(即不使用——global)意味着这个自签名证书只对这个特定的存储库受信任，这很好。它也比使用GIT_SSL_CAPATH更好，因为它消除了git通过不同的证书颁发机构进行验证的风险，这种风险可能会受到损害。