Git自签名证书配置

博士tl;

永远不要禁用所有SSL验证! 这造成了一种糟糕的安全文化。不要成为那样的人。

您需要的配置键是:

http。sslverify -始终为真。见上注。

这些用于配置您信任的主机证书

http.sslCAPath http.sslCAInfo

它们用于配置您的证书以响应SSL挑战。

http.sslCert http.sslCertPasswordProtected

选择性地将上述设置应用于特定主机。

http。< url >。*

自签名证书颁发机构的全局.gitconfig

为了我自己和我的同事，本文介绍了如何在不禁用sslVerify的情况下使自签名证书工作。编辑你的.gitconfig，使用gitconfig——global -e添加以下内容:

# Specify the scheme and host as a 'context' that only these settings apply
# Must use Git v1.8.5+ for these contexts to work
[credential "https://your.domain.com"]
  username = user.name

  # Uncomment the credential helper that applies to your platform
  # Windows
  # helper = manager

  # OSX
  # helper = osxkeychain

  # Linux (in-memory credential helper)
  # helper = cache

  # Linux (permanent storage credential helper)
  # https://askubuntu.com/a/776335/491772

# Specify the scheme and host as a 'context' that only these settings apply 
# Must use Git v1.8.5+ for these contexts to work
[http "https://your.domain.com"]
  ##################################
  # Self Signed Server Certificate #
  ##################################

  # MUST be PEM format
  # Some situations require both the CAPath AND CAInfo 
  sslCAInfo = /path/to/selfCA/self-signed-certificate.crt
  sslCAPath = /path/to/selfCA/
  sslVerify = true

  ###########################################
  # Private Key and Certificate information #
  ###########################################

  # Must be PEM format and include BEGIN CERTIFICATE / END CERTIFICATE, 
  # not just the BEGIN PRIVATE KEY / END PRIVATE KEY for Git to recognise it.
  sslCert = /path/to/privatekey/myprivatecert.pem

  # Even if your PEM file is password protected, set this to false.
  # Setting this to true always asks for a password even if you don't have one.
  # When you do have a password, even with this set to false it will prompt anyhow. 
  sslCertPasswordProtected = 0

引用:

Git凭证 Git凭据存储 使用Gnome Keyring作为凭证存储 Git配置http.<url>。* Git v1.8.5支持

在克隆git时指定配置

如果你需要在每次回购的基础上应用它，文档告诉你只需要在你的回购目录中运行git config——local。当你还没有在本地克隆回购时，这是没有用的，不是吗?

你可以做全局->本地hokey-pokey通过设置你的全局配置，然后复制这些设置到你的本地回购配置一旦克隆…

或者，你可以在git克隆时指定配置命令，这些命令在目标repo克隆后应用到目标repo。

# Declare variables to make clone command less verbose     
OUR_CA_PATH=/path/to/selfCA/
OUR_CA_FILE=$OUR_CA_PATH/self-signed-certificate.crt
MY_PEM_FILE=/path/to/privatekey/myprivatecert.pem
SELF_SIGN_CONFIG="-c http.sslCAPath=$OUR_CA_PATH -c http.sslCAInfo=$OUR_CA_FILE -c http.sslVerify=1 -c http.sslCert=$MY_PEM_FILE -c http.sslCertPasswordProtected=0"

# With this environment variable defined it makes subsequent clones easier if you need to pull down multiple repos.
git clone $SELF_SIGN_CONFIG https://mygit.server.com/projects/myproject.git myproject/

一个衬套

编辑:请参阅VonC的回答，其中指出了关于从2.14.x/2.15到这一行的特定git版本的绝对路径和相对路径的警告

git clone -c http.sslCAPath="/path/to/selfCA" -c http.sslCAInfo="/path/to/selfCA/self-signed-certificate.crt" -c http.sslVerify=1 -c http.sslCert="/path/to/privatekey/myprivatecert.pem" -c http.sslCertPasswordProtected=0 https://mygit.server.com/projects/myproject.git myproject/

CentOS无法加载客户端密钥

如果你在CentOS上尝试这个，你的。pem文件会给你

unable to load client key: "-8178 (SEC_ERROR_BAD_KEY)"

然后你会想要这个StackOverflow关于curl如何使用NSS而不是Open SSL的答案。

你会想要从source重建curl:

git clone http://github.com/curl/curl.git curl/
cd curl/
# Need these for ./buildconf
yum install autoconf automake libtool m4 nroff perl -y
#Need these for ./configure
yum install openssl-devel openldap-devel libssh2-devel -y

./buildconf
su # Switch to super user to install into /usr/bin/curl
./configure --with-openssl --with-ldap --with-libssh2 --prefix=/usr/
make
make install

重新启动计算机，因为libcurl仍然作为共享库存在于内存中

Python, pip和conda

相关:如何将自定义CA根证书添加到Windows中pip使用的CA存储?

I'm not a huge fan of the [EDIT: original versions of the] existing answers, because disabling security checks should be a last resort, not the first solution offered. Even though you cannot trust self-signed certificates on first receipt without some additional method of verification, using the certificate for subsequent git operations at least makes life a lot harder for attacks which only occur after you have downloaded the certificate. In other words, if the certificate you downloaded is genuine, then you're good from that point onwards. In contrast, if you simply disable verification then you are wide open to any kind of man-in-the-middle attack at any point.

举一个具体的例子:著名的repo.or.cz存储库提供了一个自签名证书。我可以下载这个文件，把它放在/etc/ssl/certs这样的地方，然后做:

# Initial clone
GIT_SSL_CAINFO=/etc/ssl/certs/rorcz_root_cert.pem \
    git clone https://repo.or.cz/org-mode.git

# Ensure all future interactions with origin remote also work
cd org-mode
git config http.sslCAInfo /etc/ssl/certs/rorcz_root_cert.pem

注意，在这里使用本地git配置(即不使用——global)意味着这个自签名证书只对这个特定的存储库受信任，这很好。它也比使用GIT_SSL_CAPATH更好，因为它消除了git通过不同的证书颁发机构进行验证的风险，这种风险可能会受到损害。

我经常遇到这个问题，所以写了一个脚本从服务器下载自签名证书并将其安装到~/。然后更新git-config以指向这些证书。它存储在全局配置中，因此每个远程只需要运行一次。

https://github.com/iwonbigbro/tools/blob/master/bin/git-remote-install-cert.sh

我用的是windows电脑，这篇文章对我很有帮助。基本上我打开了ca-bundle。CRT在记事本和添加链证书在它(所有)。这个问题通常发生在公司网络中，我们在系统和git回购之间有中间人。我们需要导出证书链中除了base 64格式的leaf cert之外的所有证书，并将它们全部添加到ca-bundle中。然后为修改后的CRT文件配置git。

你可以将GIT_SSL_NO_VERIFY设置为true:

GIT_SSL_NO_VERIFY=true git clone https://example.com/path/to/git

或者配置Git不验证命令行上的连接:

git -c http.sslVerify=false clone https://example.com/path/to/git

请注意，如果您不验证SSL/TLS证书，那么您很容易受到MitM攻击。

关于http。sslCAPath选项:如果在包含证书文件的目录上执行了OpenSSL c_rehash命令，git将只检测指定目录路径下的证书文件。c_rehash命令将为每个证书创建符号链接，其中链接的名称为哈希值。例如:

$ cd /path/to/ssl/cert/directory

$ ls -al

  total 16
  drwxr-xr-x  3 user  staff    96 Oct 20 13:47 .
  drwxr-xr-x  4 user  staff   128 Oct 20 13:46 ..
  -rw-r--r--  1 user  staff  4832 Oct 20 13:47 google.pem

$ /usr/local/opt/openssl@1.1/bin/c_rehash ./

  Doing ./

$ ls -al

  total 16
  drwxr-xr-x  4 user  staff   128 Oct 20 13:58 .
  drwxr-xr-x  4 user  staff   128 Oct 20 13:46 ..
  lrwxr-xr-x  1 user  staff    10 Oct 20 13:58 f6dbf7a7.0 -> google.pem
  -rw-r--r--  1 user  staff  4832 Oct 20 13:47 google.pem

注意，c_rehash命令创建了以下符号链接:f6dbf7a7.0 -> google.pem。

您还可以用下面的命令代替c_rehash实用程序，不过请注意，下面的命令只处理*。Pem文件，而c_rehash实用程序将处理.pem， .crt， .cer或.crl文件:

for file in *.pem; do ln -s $file `openssl x509 -hash -noout -in $file`.0; done

如果您现在配置http。将sslCAPath导入到包含上述符号链接的目录，git将获取证书文件:

# contents of /etc/gitconfig
[http]
        sslCAPath = /path/to/ssl/cert/directory/

也可以配置http。sslCAPath使用一个环境变量:

export GIT_SSL_CAPATH=/path/to/ssl/cert/directory/