Unknown SSL protocol error in connection


Solution 1

According to the Bitbucket knowledge base, it may also be caused by the owner of the repository being over the plan limit.

If you look further down the page, it seems it is also possible to trigger this error by using too old a git version (1.7 is needed at the moment).

Solution 2

You can get more information with

# Windows
set GIT_CURL_VERBOSE=1
set GIT_TRACE_PACKET=2

# Unix
export GIT_CURL_VERBOSE=1
export GIT_TRACE_PACKET=2

And then try a git push.

Double-check your proxy settings if you have one.

Note: git 2.8 (March 2016) adds more information on an error 35:

See commit 0054045 (14 Feb 2016) by Shawn Pearce (spearce).
(Merged by Junio C Hamano -- gitster -- in commit 97c49af, 24 Feb 2016)

remote-curl: include curl_errorstr on SSL setup failures

For curl error 35 (CURLE_SSL_CONNECT_ERROR) users need the additional text stored in CURLOPT_ERRORBUFFER to debug why the connection did not start.
This is curl_errorstr inside of http.c, so include that in the message if it is non-empty.


Also check out the common causes for that message:

If it was working before, and not working today, it is possible the SSL private key has expired on the BitBucket side (see below, reason #3), but that doesn't seem to be the case here (the certificate is valid until 12/03/2014).


The Destination Site Does Not Like the Protocol

Firing off a request like the following results in the Unknown SSL Protocol error:

curl --sslv2 https://techstacks-tools.appspot.com/

Why? Well, in this case it is because the techstacks tools site does not support SSLv2, thus, generating the curl (35) error.

The Destination Site Does Not Like the Cipher

You could be trying to connect to the site using an ssl cipher that the site is configured to reject.
For example, anonymous ciphers are typically disabled on ssl-encrypted sites that are customer-facing. (Many of us set a blanket rejection policy on any SSL-encrypted web site—regardless of its purpose.)
The following command string "can" also result in the curl (35) error:

curl --ciphers ADH-RC4-MD5 https://some_web_site.some_domain.com/

Unfortunately, the type of error response you can get from curl depends largely upon the ssl server. On some sites, you'll receive the Unknown SSL Protocol error but on my techstacks-tools site, I get:

curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Kudos to Google because this particular error is a bit more descriptive than the one my websites at work generate because this at least tells you that an ssl socket was started but because of handshake failures, the socket was never able to complete.

Try connecting to the site with a cipher that the site supports. Not sure which cipher to use? Well, let me introduce my cryptonark ssl cipher tester...

The SSL Private Key Has Expired

I came across this one earlier today working with an old WebSEAL site.
In IBM GSKit, you can specify how long the private key password is valid. After reaching a certain date, you will still be able to get WebSEAL started and listening on port 443 (or whatever you set your https-port value to) but you will not be able to successfully negotiate an SSL session.
In today's case, the old WebSEAL instance was using a long-expired kdb file with a long-expired private key password. Once replaced with the correct, more-up-to-date version, everything worked again.

Improper redirection

Some ISPs and DNS providers like to intercept your failed DNS queries in order to redirect you to a search engine results-style page offering you alternative URLs or "Did you mean...?" counter-query results.
If you see an error like this:

 error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol, 

it could be due to you typing the hostname incorrectly or the hostname is not yet tabled in your DNS. You can verify that with a simple "host" or "nslookup".


Note (August 2015): Git 2.6+ (Q3 2015) will allow specifying the SSL version explicitly:

http: add support for specifying the SSL version

See commit 01861cb (14 Aug 2015) by Elia Pinto (devzero2000).
Helped-by: Eric Sunshine (sunshineco).
(Merged by Junio C Hamano -- gitster -- in commit ed070a4, 26 Aug 2015)

http.sslVersion

The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:

  • sslv2
  • sslv3
  • tlsv1
  • tlsv1.0
  • tlsv1.1
  • tlsv1.2

Can be overridden by the 'GIT_SSL_VERSION' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.
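
Added example (not part of the answer above): a Python parser that splits the OpenSSL error lines quoted in this answer into code, library, function and reason, and maps each reason to the cause the answer gives for it. The `triage` function, the wording in `CAUSES` and the repository URL in the sample are illustrative assumptions.

```python
import re

# OpenSSL error line in the form quoted above:
#   error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^,\n]+)")
# The bare curl message from the question, which carries no OpenSSL reason.
CURL_35 = re.compile(r"Unknown SSL protocol error in connection to (\S+?):(\d+)")

# Reason strings from this answer, mapped to the cause it gives for each.
CAUSES = {
    "sslv3 alert handshake failure":
        "server rejected the handshake, e.g. the offered cipher",
    "unknown protocol":
        "peer did not answer with TLS: check hostname, DNS redirection, proxy",
}

def triage(output):
    """Return one dict per TLS failure line found in git or curl output."""
    results = []
    for line in output.splitlines():
        m = OPENSSL_ERR.search(line)
        if m:
            code, library, function, reason = (g.strip() for g in m.groups())
            results.append({
                "kind": "openssl", "code": code.upper(), "library": library,
                "function": function, "reason": reason,
                "cause": CAUSES.get(reason, "reason not covered here; read the full trace"),
            })
            continue
        m = CURL_35.search(line)
        if m:
            results.append({
                "kind": "curl35", "host": m.group(1), "port": int(m.group(2)),
                "cause": "no reason given: retry with GIT_CURL_VERBOSE=1, check proxy",
            })
    return results

# Messages quoted on this page; the repository URL is a constructed placeholder.
SAMPLE = """\
fatal: unable to access 'https://bitbucket.org/user/repo.git/': Unknown SSL protocol error in connection to bitbucket.org:443
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
 error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol,
"""

if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```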

Solution 3

Setting the following git setting fixed this for me

git config --global --add http.sslVersion tlsv1.0

I'm guessing the corporate proxy server did not like the default encryption protocol.

Solution 4

In many cases it is linked to proxy problems. If so, just configure your git proxy

git config --global http.proxy HOST:PORT

Solution 5

I was getting that behind a corporate proxy.

Solved by:

git config http.sslVerify "false"
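
Added example (not part of any answer on this page): a Python check that reads `git config --list` output and the environment and reports which of the workarounds from Solutions 3 and 5 are in effect, applying the `GIT_SSL_VERSION` override rule quoted in Solution 2. `GIT_SSL_NO_VERIFY` is a git environment variable not mentioned on the page; the function names, sample configuration and host names are constructed.

```python
FALSE_VALUES = {"false", "no", "off", "0", ""}          # git's spellings of boolean false
DEPRECATED = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1"}   # RFC 6176, RFC 7568, RFC 8996
# "tlsv1" is left out: libcurl reads it as "TLS 1.x", not as TLS 1.0 only.

def effective(config_list):
    """Parse `git config --list` text; the last value of a repeated key wins."""
    values = {}
    for line in config_list.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if key.startswith("http."):
            # A key printed without "=" is a valueless boolean, which git reads as true.
            values[key] = value.strip() if sep else "true"
    return values

def audit(config_list, env):
    """Return (setting, finding) pairs for the given config text and environment."""
    findings = []
    env_version = env.get("GIT_SSL_VERSION")  # overrides http.sslVersion when set
    for key, value in effective(config_list).items():
        # Matches http.sslverify and the per-URL form http.<url>.sslverify.
        if key.endswith(".sslverify") and value.lower() in FALSE_VALUES:
            findings.append((key, "certificate verification disabled"))
        elif key.endswith(".sslversion") and env_version is None and value in DEPRECATED:
            findings.append((key, "deprecated protocol " + value))
    if "GIT_SSL_NO_VERIFY" in env:  # set to any value, it disables verification
        findings.append(("GIT_SSL_NO_VERIFY", "certificate verification disabled"))
    if env_version in DEPRECATED:   # an empty string means "libcurl default"
        findings.append(("GIT_SSL_VERSION", "deprecated protocol " + env_version))
    return findings

# Constructed sample: `--add` as in Solution 3 leaves two http.sslversion entries.
SAMPLE = """\
user.name=dev
http.sslversion=tlsv1.2
http.sslversion=tlsv1.0
http.https://git.example.test/.sslverify=false
http.proxy=proxy.example.test:3128
"""

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE, {}):
        print(f"{setting}: {finding}")
```

On a real machine, pass the output of `git config --list` and `os.environ` instead of the sample.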

Author by

b24

Updated on July 14, 2020

Comments

  • b24
    b24 almost 4 years

    I want to push my commits to a Bitbucket repository but this error occurred:

    Fatal: unable to access
    'https://[email protected]/myUsername/myRepository.git/':
    Unknown SSL protocol error in connection to bitbucket.org:443
    
  • Ludwik Trammer
    Ludwik Trammer over 9 years
    Thanks to your tip I resolved the issue by upgrading from git 1.8 to git 2.0. Thank you.
  • The Huff
    The Huff over 8 years
    Thank you @VonC - using "export GIT_SSL_VERSION=tlsv1.1" solved the problem for me (after manually re-building git so it uses libcurl.so.4). Without this I was unable to connect git to visualstudio.com (visual studio online).
  • Christopher Grigg
    Christopher Grigg about 8 years
    Thanks fixed my problem, although I had to set no proxy i.e. git config --global http.proxy ""
  • MrTux
    MrTux over 7 years
    This is a very bad idea since it disables all security checks and Man-In-The-Middle attacks are possible.
  • Michael Davidovich
    Michael Davidovich over 7 years
    Thanks for the tip. Should have been the first thing to check. After trying to wreck my head on this, found your tip and sure enough, Bitbucket was in maintenance mode. status.bitbucket.org
  • Chris
    Chris over 7 years
    This solved my issue after I used the above solution to realize the failure was happening when it was attempting to go through my corporate proxy. Easy fix, thank you!
  • huykon225
    huykon225 about 7 years
    How to update it? I have the same problem and don't know how to resolve it. Please help me.
  • Deian
    Deian about 7 years
    Thank you @ChristopherGrigg - the empty proxy worked for me too. Behind corp proxy.
  • Vladimir Salin
    Vladimir Salin almost 6 years
    As of 01 Aug 18, had to update Git from 2.7.2 to 2.18.1 to solve this issue with Bitbucket
  • heavyrick
    heavyrick over 5 years
    I had this problem, but because I was using two bit accounts. When I changed from one account to another, because Windows stored the user and password in the Credentials Manager, I had to enter and edit its values. That worked for me.
  • TheRealChx101
    TheRealChx101 about 5 years
    @heavyrick Where did you change accounts?
  • jones77
    jones77 about 5 years
    We stumbled across a version of error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol and it turns out our https proxy would only accept http, ie we needed https_proxy=http://proxy (Note: http on the rhs) and NOT https_proxy=https://proxy (Note: https on the rhs).
  • heavyrick
    heavyrick over 4 years
    (Sorry for being so late) I changed it here > support.microsoft.com/en-us/help/4026814/…