CERT_TRUST_REVOCATION_STATUS_UNKNOWN with Git 2.41.0.windows.1 #4467

Not planned

Description

@sburkard
  • I was not able to find an open or closed issue matching what I'm seeing

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
$ git --version --build-options

git version 2.41.0.windows.1
cpu: x86_64
built from commit: ff94e79c4724635915dbb3d4ba38f6bb91528260
sizeof-long: 4
sizeof-size_t: 8
shell-path: /bin/sh
feature: fsmonitor--daemon
  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
$ cmd.exe /c ver

Microsoft Windows [Version 10.0.19044.2965]
  • What options did you set as part of the installation? Or did you choose the
    defaults?
# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
> type "$env:USERPROFILE\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt

Probably none. Git was installed through Scoop
  • Any other interesting things about your environment that might be related
    to the issue you're seeing?

Behind an enterprise proxy that intercepts HTTPS connections; self-signed certificates are used.

Details

  • Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

PowerShell/Git Bash

$env:GIT_CURL_VERBOSE=1
git clone https://github.com/[whatever-repository].git
  • What did you expect to occur after running these commands?

Cloned repository on my disk

  • What actually happened instead?
Cloning into 'repository-name'...
16:56:02.905057 http.c:842              == Info: Couldn't find host github.com in the (nil) file; using defaults
16:56:02.910502 http.c:842              == Info:   Trying 192.168.229.22:8080...
16:56:02.922227 http.c:842              == Info: Connected to www-proxy.visana.ch (192.168.229.22) port 8080 (#0)
16:56:02.922227 http.c:842              == Info: CONNECT tunnel: HTTP/1.1 negotiated
16:56:02.922227 http.c:842              == Info: allocate connect buffer
16:56:02.922227 http.c:842              == Info: Establish HTTP proxy tunnel to github.com:443
16:56:02.922227 http.c:789              => Send header, 0000000121 bytes (0x00000079)
16:56:02.922227 http.c:801              => Send header: CONNECT github.com:443 HTTP/1.1
16:56:02.922227 http.c:801              => Send header: Host: github.com:443
16:56:02.922227 http.c:801              => Send header: User-Agent: git/2.41.0.windows.1
16:56:02.922227 http.c:801              => Send header: Proxy-Connection: Keep-Alive
16:56:02.922227 http.c:801              => Send header:
16:56:02.973986 http.c:789              <= Recv header, 0000000037 bytes (0x00000025)
16:56:02.973986 http.c:801              <= Recv header: HTTP/1.1 200 Connection established
16:56:02.973986 http.c:789              <= Recv header, 0000000002 bytes (0x00000002)
16:56:02.973986 http.c:801              <= Recv header:
16:56:02.973986 http.c:842              == Info: CONNECT phase completed
16:56:02.973986 http.c:842              == Info: CONNECT tunnel established, response 200
16:56:02.973986 http.c:842              == Info: schannel: disabled automatic use of client certificate
16:56:03.026716 http.c:842              == Info: schannel: added 134 certificate(s) from CA file 'C:\Users\UID20852\ca-trust\extracted\pem\tls-ca-bundle.pem'
16:56:03.037464 http.c:842              == Info: schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
16:56:03.038426 http.c:842              == Info: Closing connection 0
16:56:03.039405 http.c:842              == Info: schannel: shutting down SSL/TLS connection with github.com port 443
fatal: unable to access 'https://github.com/sburkard/cookie-factory.git/': schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
  • If the problem was occurring with a specific repository, can you provide the
    URL to that repository to help us with testing?

You can take any.

  • Other info

When I downgrade to Git 2.40.1.windows.1, everything works fine.

Activity

dscho

dscho commented on Jun 15, 2023

@dscho
Member

Does it work when setting the config option http.schannelCheckRevoke to best-effort?

sburkard

sburkard commented on Jun 16, 2023

@sburkard
Author

No, unfortunately not. I tried

git config --global http.schannelCheckRevoke best-effort

as well as

git config --global http.schannelCheckRevoke false

But the result was the same

sburkard

sburkard commented on Jun 16, 2023

@sburkard
Author

Hey @dscho, your suggestion for this git option led me to the more relevant discussions for my case.

Git works again if I do

git config --global http.sslBackend openssl

Has the latest Git version switched from openssl to schannel? Are there any consequences when I continue to use openssl (like openssl is planned for deprecation as this is only a limited solution)?

Thanks

dscho

dscho commented on Jun 16, 2023

@dscho
Member

Has the latest Git version switched from openssl to schannel?

Indeed it has! I guess this release note entry did not talk about this explicitly, sorry...

Now, Secure Channel is the native Windows component to do TLS/SSL, so it is much preferred to using OpenSSL. For example, if you want to access hosts with self-signed SSL certificates, using OpenSSL you have to jump through hoops. With Secure Channel, because it is integrated well into the Windows ecosystem, you simply need to direct your web browser to that host, accept the certificate, and then git clone will implicitly trust that certificate, too.

That is the reason why I would love to figure out what is going wrong here, so that you, too, can use Secure Channel.

I see that there is a CA file in effect. Is http.sslCAInfo configured on your system? I do recall that there have been problems in the past with Secure Channel and that setting, as that setting overrides the default Certificate Store for some reason.

sburkard

sburkard commented on Jun 16, 2023

@sburkard
Author

That is the reason why I would love to figure out what is going wrong here, so that you, too, can use Secure Channel.

Great, thanks for your effort @dscho

I see that there is a CA file in effect. Is http.sslCAInfo configured on your system?

Yes indeed, we build a custom PEM file that contains the public certificates of Git as well as our company self-signed certificates. This PEM is used as trust store for Git and other tools.

So I tried the following

git config --global --unset http.sslBackend        # switch back to schannel
git config --global --unset http.sslCAInfo         # remove our custom trust store
git config --global http.schannelCheckRevoke false  # ignore when the revocation check does not work

Unfortunately I still get the same result.

$env:GIT_CURL_VERBOSE=1
git config --global --list

core.autocrlf=input
core.longpaths=true
push.default=simple
user.email=[my email]
user.name=[my Name]
pull.rebase=true
http.schannelcheckrevoke=false

git clone https://github.com/...git
Cloning into '...'...
10:03:19.371397 http.c:842              == Info: Couldn't find host github.com in the (nil) file; using defaults
10:03:19.376276 http.c:842              == Info:   Trying 192.168.229.22:8080...
10:03:19.377249 http.c:842              == Info: Connected to www-proxy.visana.ch (192.168.229.22) port 8080 (#0)
10:03:19.377249 http.c:842              == Info: CONNECT tunnel: HTTP/1.1 negotiated
10:03:19.377249 http.c:842              == Info: allocate connect buffer
10:03:19.377249 http.c:842              == Info: Establish HTTP proxy tunnel to github.com:443
10:03:19.377249 http.c:789              => Send header, 0000000121 bytes (0x00000079)
10:03:19.377249 http.c:801              => Send header: CONNECT github.com:443 HTTP/1.1
10:03:19.377249 http.c:801              => Send header: Host: github.com:443
10:03:19.377249 http.c:801              => Send header: User-Agent: git/2.41.0.windows.1
10:03:19.377249 http.c:801              => Send header: Proxy-Connection: Keep-Alive
10:03:19.377249 http.c:801              => Send header:
10:03:19.388967 http.c:789              <= Recv header, 0000000037 bytes (0x00000025)
10:03:19.388967 http.c:801              <= Recv header: HTTP/1.1 200 Connection established
10:03:19.388967 http.c:789              <= Recv header, 0000000002 bytes (0x00000002)
10:03:19.388967 http.c:801              <= Recv header:
10:03:19.388967 http.c:842              == Info: CONNECT phase completed
10:03:19.388967 http.c:842              == Info: CONNECT tunnel established, response 200
10:03:19.388967 http.c:842              == Info: schannel: disabled automatic use of client certificate
10:03:19.425105 http.c:842              == Info: schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
10:03:19.425105 http.c:842              == Info: Closing connection 0
10:03:19.425105 http.c:842              == Info: schannel: shutting down SSL/TLS connection with github.com port 443
fatal: unable to access 'https://github.com/sburkard/cookie-factory.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
dscho

dscho commented on Jun 22, 2023

@dscho
Member

Hmm. So it seems that the proxy connection worked, but then the revocation check fails? Is there maybe a chance that you can try the same command but bypassing the proxy? (And yes, I am clutching at straws.)

sburkard

sburkard commented on Jun 30, 2023

@sburkard
Author

Hi @dscho, sorry for the delay, but I had to create a ticket to disable the SSL interception for my test URL.

So, new test setting. Still with proxy but without SSL interception. And this is already quite different. The repository is successfully cloned, but the verbose output of curl contains a lot of "failed to decrypt data, need more data" messages (see below).

No idea if this is normal or a problem indicator.

Settings

> git config --global --list

core.autocrlf=input
core.longpaths=true
push.default=simple
user.email=[my email]
user.name=[my Name]
pull.rebase=true
http.schannelcheckrevoke=false

The result of the clone

> $env:GIT_CURL_VERBOSE=1
> git clone https://github.com/sburkard/cookie-factory.git

Cloning into 'cookie-factory'...
14:47:35.597342 http.c:842              == Info: Couldn't find host github.com in the (nil) file; using defaults
14:47:35.602222 http.c:842              == Info:   Trying 192.168.229.22:8080...
14:47:35.603207 http.c:842              == Info: Connected to www-proxy.visana.ch (192.168.229.22) port 8080 (#0)
14:47:35.603207 http.c:842              == Info: CONNECT tunnel: HTTP/1.1 negotiated
14:47:35.603207 http.c:842              == Info: allocate connect buffer
14:47:35.603207 http.c:842              == Info: Establish HTTP proxy tunnel to github.com:443
14:47:35.603207 http.c:789              => Send header, 0000000121 bytes (0x00000079)
14:47:35.603207 http.c:801              => Send header: CONNECT github.com:443 HTTP/1.1
14:47:35.603207 http.c:801              => Send header: Host: github.com:443
14:47:35.603207 http.c:801              => Send header: User-Agent: git/2.41.0.windows.1
14:47:35.603207 http.c:801              => Send header: Proxy-Connection: Keep-Alive
14:47:35.603207 http.c:801              => Send header:
14:47:35.621768 http.c:789              <= Recv header, 0000000037 bytes (0x00000025)
14:47:35.621768 http.c:801              <= Recv header: HTTP/1.1 200 Connection established
14:47:35.621768 http.c:789              <= Recv header, 0000000002 bytes (0x00000002)
14:47:35.621768 http.c:801              <= Recv header:
14:47:35.621768 http.c:842              == Info: CONNECT phase completed
14:47:35.621768 http.c:842              == Info: CONNECT tunnel established, response 200
14:47:35.621768 http.c:842              == Info: schannel: disabled automatic use of client certificate
14:47:35.750650 http.c:842              == Info: using HTTP/1.x
14:47:35.751629 http.c:789              => Send header, 0000000229 bytes (0x000000e5)
14:47:35.751629 http.c:801              => Send header: GET /sburkard/cookie-factory.git/info/refs?service=git-upload-pack HTTP/1.1
14:47:35.751629 http.c:801              => Send header: Host: github.com
14:47:35.751629 http.c:801              => Send header: User-Agent: git/2.41.0.windows.1
14:47:35.751629 http.c:801              => Send header: Accept: */*
14:47:35.751629 http.c:801              => Send header: Accept-Encoding: deflate, gzip, br, zstd
14:47:35.751629 http.c:801              => Send header: Pragma: no-cache
14:47:35.751629 http.c:801              => Send header: Git-Protocol: version=2
14:47:35.751629 http.c:801              => Send header:
14:47:35.896150 http.c:789              <= Recv header, 0000000017 bytes (0x00000011)
14:47:35.896150 http.c:801              <= Recv header: HTTP/1.1 200 OK
14:47:35.896150 http.c:789              <= Recv header, 0000000026 bytes (0x0000001a)
14:47:35.896150 http.c:801              <= Recv header: Server: GitHub-Babel/3.0
14:47:35.896150 http.c:789              <= Recv header, 0000000059 bytes (0x0000003b)
14:47:35.896150 http.c:801              <= Recv header: Content-Type: application/x-git-upload-pack-advertisement
14:47:35.896150 http.c:789              <= Recv header, 0000000054 bytes (0x00000036)
14:47:35.896150 http.c:801              <= Recv header: Content-Security-Policy: default-src 'none'; sandbox
14:47:35.896150 http.c:789              <= Recv header, 0000000040 bytes (0x00000028)
14:47:35.896150 http.c:801              <= Recv header: expires: Fri, 01 Jan 1980 00:00:00 GMT
14:47:35.896150 http.c:789              <= Recv header, 0000000018 bytes (0x00000012)
14:47:35.896150 http.c:801              <= Recv header: pragma: no-cache
14:47:35.896150 http.c:789              <= Recv header, 0000000053 bytes (0x00000035)
14:47:35.896150 http.c:801              <= Recv header: Cache-Control: no-cache, max-age=0, must-revalidate
14:47:35.896150 http.c:789              <= Recv header, 0000000023 bytes (0x00000017)
14:47:35.896150 http.c:801              <= Recv header: Vary: Accept-Encoding
14:47:35.896150 http.c:789              <= Recv header, 0000000028 bytes (0x0000001c)
14:47:35.896150 http.c:801              <= Recv header: Transfer-Encoding: chunked
14:47:35.896150 http.c:789              <= Recv header, 0000000037 bytes (0x00000025)
14:47:35.896150 http.c:801              <= Recv header: Date: Fri, 30 Jun 2023 12:47:35 GMT
14:47:35.896150 http.c:789              <= Recv header, 0000000023 bytes (0x00000017)
14:47:35.896150 http.c:801              <= Recv header: X-Frame-Options: DENY
14:47:35.896150 http.c:789              <= Recv header, 0000000057 bytes (0x00000039)
14:47:35.896150 http.c:801              <= Recv header: X-GitHub-Request-Id: 419D:56D7:57C639A:590202E:649ECEE7
14:47:35.896150 http.c:789              <= Recv header, 0000000002 bytes (0x00000002)
14:47:35.896150 http.c:801              <= Recv header:
14:47:35.896150 http.c:842              == Info: Connection #0 to host www-proxy.visana.ch left intact
14:47:35.898108 http.c:842              == Info: Couldn't find host github.com in the (nil) file; using defaults
14:47:35.898108 http.c:842              == Info: Found bundle for host: 0x1ff66e64800 [serially]
14:47:35.898108 http.c:842              == Info: Re-using existing connection #0 with proxy www-proxy.visana.ch
14:47:35.898108 http.c:789              => Send header, 0000000301 bytes (0x0000012d)
14:47:35.898108 http.c:801              => Send header: POST /sburkard/cookie-factory.git/git-upload-pack HTTP/1.1
14:47:35.898108 http.c:801              => Send header: Host: github.com
14:47:35.898108 http.c:801              => Send header: User-Agent: git/2.41.0.windows.1
14:47:35.898108 http.c:801              => Send header: Accept-Encoding: deflate, gzip, br, zstd
14:47:35.898108 http.c:801              => Send header: Content-Type: application/x-git-upload-pack-request
14:47:35.898108 http.c:801              => Send header: Accept: application/x-git-upload-pack-result
14:47:35.898108 http.c:801              => Send header: Git-Protocol: version=2
14:47:35.898108 http.c:801              => Send header: Content-Length: 185
14:47:35.898108 http.c:801              => Send header:
14:47:36.045553 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.045553 http.c:789              <= Recv header, 0000000017 bytes (0x00000011)
14:47:36.045553 http.c:801              <= Recv header: HTTP/1.1 200 OK
14:47:36.045553 http.c:789              <= Recv header, 0000000026 bytes (0x0000001a)
14:47:36.045553 http.c:801              <= Recv header: Server: GitHub-Babel/3.0
14:47:36.045553 http.c:789              <= Recv header, 0000000052 bytes (0x00000034)
14:47:36.045553 http.c:801              <= Recv header: Content-Type: application/x-git-upload-pack-result
14:47:36.045553 http.c:789              <= Recv header, 0000000054 bytes (0x00000036)
14:47:36.045553 http.c:801              <= Recv header: Content-Security-Policy: default-src 'none'; sandbox
14:47:36.045553 http.c:789              <= Recv header, 0000000040 bytes (0x00000028)
14:47:36.045553 http.c:801              <= Recv header: expires: Fri, 01 Jan 1980 00:00:00 GMT
14:47:36.045553 http.c:789              <= Recv header, 0000000018 bytes (0x00000012)
14:47:36.045553 http.c:801              <= Recv header: pragma: no-cache
14:47:36.045553 http.c:789              <= Recv header, 0000000053 bytes (0x00000035)
14:47:36.045553 http.c:801              <= Recv header: Cache-Control: no-cache, max-age=0, must-revalidate
14:47:36.045553 http.c:789              <= Recv header, 0000000023 bytes (0x00000017)
14:47:36.045553 http.c:801              <= Recv header: Vary: Accept-Encoding
14:47:36.045553 http.c:789              <= Recv header, 0000000028 bytes (0x0000001c)
14:47:36.045553 http.c:801              <= Recv header: Transfer-Encoding: chunked
14:47:36.045553 http.c:789              <= Recv header, 0000000037 bytes (0x00000025)
14:47:36.045553 http.c:801              <= Recv header: Date: Fri, 30 Jun 2023 12:47:35 GMT
14:47:36.045553 http.c:789              <= Recv header, 0000000023 bytes (0x00000017)
14:47:36.045553 http.c:801              <= Recv header: X-Frame-Options: DENY
14:47:36.045553 http.c:789              <= Recv header, 0000000057 bytes (0x00000039)
14:47:36.045553 http.c:801              <= Recv header: X-GitHub-Request-Id: 419D:56D7:57C646B:590212B:649ECEE7
14:47:36.045553 http.c:789              <= Recv header, 0000000002 bytes (0x00000002)
14:47:36.045553 http.c:801              <= Recv header:
14:47:36.045553 http.c:842              == Info: Connection #0 to host www-proxy.visana.ch left intact
14:47:36.058247 http.c:842              == Info: Couldn't find host github.com in the (nil) file; using defaults
14:47:36.058247 http.c:842              == Info: Found bundle for host: 0x1ff66e64800 [serially]
14:47:36.058247 http.c:842              == Info: Re-using existing connection #0 with proxy www-proxy.visana.ch
14:47:36.058247 http.c:789              => Send header, 0000000301 bytes (0x0000012d)
14:47:36.058247 http.c:801              => Send header: POST /sburkard/cookie-factory.git/git-upload-pack HTTP/1.1
14:47:36.058247 http.c:801              => Send header: Host: github.com
14:47:36.058247 http.c:801              => Send header: User-Agent: git/2.41.0.windows.1
14:47:36.058247 http.c:801              => Send header: Accept-Encoding: deflate, gzip, br, zstd
14:47:36.058247 http.c:801              => Send header: Content-Type: application/x-git-upload-pack-request
14:47:36.058247 http.c:801              => Send header: Accept: application/x-git-upload-pack-result
14:47:36.058247 http.c:801              => Send header: Git-Protocol: version=2
14:47:36.058247 http.c:801              => Send header: Content-Length: 762
14:47:36.058247 http.c:801              => Send header:
14:47:36.217421 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.217421 http.c:789              <= Recv header, 0000000017 bytes (0x00000011)
14:47:36.217421 http.c:801              <= Recv header: HTTP/1.1 200 OK
14:47:36.217421 http.c:789              <= Recv header, 0000000026 bytes (0x0000001a)
14:47:36.217421 http.c:801              <= Recv header: Server: GitHub-Babel/3.0
14:47:36.217421 http.c:789              <= Recv header, 0000000052 bytes (0x00000034)
14:47:36.217421 http.c:801              <= Recv header: Content-Type: application/x-git-upload-pack-result
14:47:36.217421 http.c:789              <= Recv header, 0000000054 bytes (0x00000036)
14:47:36.217421 http.c:801              <= Recv header: Content-Security-Policy: default-src 'none'; sandbox
14:47:36.217421 http.c:789              <= Recv header, 0000000040 bytes (0x00000028)
14:47:36.217421 http.c:801              <= Recv header: expires: Fri, 01 Jan 1980 00:00:00 GMT
14:47:36.217421 http.c:789              <= Recv header, 0000000018 bytes (0x00000012)
14:47:36.217421 http.c:801              <= Recv header: pragma: no-cache
14:47:36.217421 http.c:789              <= Recv header, 0000000053 bytes (0x00000035)
14:47:36.217421 http.c:801              <= Recv header: Cache-Control: no-cache, max-age=0, must-revalidate
14:47:36.217421 http.c:789              <= Recv header, 0000000023 bytes (0x00000017)
14:47:36.217421 http.c:801              <= Recv header: Vary: Accept-Encoding
14:47:36.217421 http.c:789              <= Recv header, 0000000028 bytes (0x0000001c)
14:47:36.217421 http.c:801              <= Recv header: Transfer-Encoding: chunked
14:47:36.217421 http.c:789              <= Recv header, 0000000037 bytes (0x00000025)
14:47:36.217421 http.c:801              <= Recv header: Date: Fri, 30 Jun 2023 12:47:36 GMT
14:47:36.217421 http.c:789              <= Recv header, 0000000023 bytes (0x00000017)
14:47:36.217421 http.c:801              <= Recv header: X-Frame-Options: DENY
14:47:36.217421 http.c:789              <= Recv header, 0000000057 bytes (0x00000039)
14:47:36.217421 http.c:801              <= Recv header: X-GitHub-Request-Id: 419D:56D7:57C657C:590223C:649ECEE7
14:47:36.217421 http.c:789              <= Recv header, 0000000002 bytes (0x00000002)
14:47:36.217421 http.c:801              <= Recv header:
14:47:36.218395 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.219378 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.220353 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Enumerating objects: 253, done.
remote: Counting objects:   0% (1/118)
 need more data
remote: Counting objects:   4% (5/118)14:47:36.223278 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.223278 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Counting objects:  27% (32/118)14:47:36.226214 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Counting objects:  28% (34/118)
, need more data
remote: Counting objects:  35% (42/118)
, need more data
14:47:36.228159 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.228159 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Counting objects: 100% (118/118), done.
remote: Compressing objects:   0% (1/105)
ta, need more data
remote: Compressing objects:  16% (17/105)
ata, need more data
14:47:36.243783 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Compressing objects:  37% (39/105)14:47:36.246709 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Compressing objects:  38% (40/105)
ata, need more data
14:47:36.246709 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Compressing objects:  67% (71/105)
ata, need more data
14:47:36.251594 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Compressing objects:  88% (93/105)
ata, need more data
14:47:36.254519 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.254519 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.254519 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.254519 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.254519 http.c:842              == Info: schannel: failed to decrypt data, need more data
remote: Compressing objects: 100% (105/105), done.
14:47:36.260385 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.262337 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.262337 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.263313 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.268200 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.271124 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.271124 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.271124 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.271124 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.276009 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.278936 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.278936 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.278936 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.278936 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.278936 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.278936 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.283820 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.283820 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.283820 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.283820 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.286755 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.286755 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.286755 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.286755 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.286755 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.286755 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.286755 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.286755 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.287724 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.291631 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.291631 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.294560 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.294560 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.295534 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.295534 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.295534 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.295534 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.299444 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.302376 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.303346 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.303346 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.303346 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.303346 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.303346 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.303346 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.303346 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.303346 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.308231 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.308231 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: schannel: failed to decrypt data, need more data
14:47:36.311157 http.c:842              == Info: Connection #0 to host www-proxy.visana.ch left intact
Receiving objects:  92% (233/253)sed 57 (delta 8), pack-reused 135Receiving objects:  50% (127/253)
Receiving objects: 100% (253/253), 213.73 KiB | 2.85 MiB/s, done.
Resolving deltas: 100% (78/78), done.

Let me know if I should do some other tests in this setting or another test with proxy bypass. For the moment I stick with this setting because every change has to be done by ticket request.

Thanks

HaTiIn

HaTiIn commented on Jul 6, 2023

@HaTiIn

FYI: In our company, this change has caused CI pipelines using GitLab Runner 16.1.0 to fail with the following error: "fatal: unable to access 'https://xxxx.git/': schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN."
The helper image used by GitLab Runner 16.1.0 uses git version 2.41.0. Unfortunately, I don't know how to revert the default in the helper image. Therefore, we need to downgrade to version 16.0.2.

dscho

dscho commented on Jul 7, 2023

@dscho
Member

new test setting. Still with proxy but without SSL interception. And this is already quite different. The repository is successfully cloned,

@sburkard I guess this is a clear indication that the proxy's causing the problem. Now, my hunch is that libcurl might need some changes to allow for the CURLSSLOPT_REVOKE_BEST_EFFORT flag to be used for proxy connections, too.

However, when I look at curl/curl@5450428 I do not see any red flags: schannel_connect_step1() seems to run in the exact same way for proxies as it does for the actual connection... Having said that, the current version of this function looks different, quite different.

Oh, but I just saw this: the CURLSSLOPT_REVOKE_BEST_EFFORT flag is mentioned also in the CURLOPT_PROXY_SSL_OPTIONS manual page, but Git only sets the CURLOPT_SSL_OPTIONS.

@sburkard do you think you could test whether setting the proxy options helps? I.e.

  1. install Git for Windows' SDK,

  2. sdk cd git,

  3. edit http.c, something like this:

    diff --git a/http.c b/http.c
    index f8497b5c49e7..3f4b2f80720d 100644
    --- a/http.c
    +++ b/http.c
    @@ -1029,8 +1029,10 @@ static CURL *get_curl_handle(void)
     #endif
     		}
     
    -		if (ssl_options)
    +		if (ssl_options) {
     			curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, ssl_options);
    +			curl_easy_setopt(result, CURLOPT_PROXY_SSL_OPTIONS, ssl_options);
    +		}
     	}
     
     	if (http_proactive_auth)
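
Review bot: The added `curl_easy_setopt(result, CURLOPT_PROXY_SSL_OPTIONS, ssl_options);` only governs the TLS handshake with the proxy itself, i.e. an https:// proxy; with a plain http:// proxy reached via CONNECT, as in the verbose output in this thread (port 8080, "CONNECT tunnel established"), the failing handshake is the tunnelled one to the origin host, which CURLOPT_SSL_OPTIONS already covers, so this hunk should not be expected to change that case. The hunk also copies the revocation flags verbatim to the proxy leg, so http.schannelCheckRevoke=false would then also skip revocation checking for an HTTPS proxy's certificate; if that is intended, say so in the commit message and in the http.schannelCheckRevoke documentation.
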
  4. build Git via make -j$(nproc)

  5. test in-place via ./bin-wrappers/git -C <directory> <command>?

  6. open a PR?

but the verbose output of curl contains a lot of failed to decrypt data, need more data messages (see below).

These are all prefixed with "Info:", therefore I assume that they are not even warnings, just informative messages indicating that data arrived in such small chunks that decryption had to wait until more data arrived.

dscho (Member) commented on Jul 7, 2023

3. edit http.c, something like this:

diff --git a/http.c b/http.c
index f8497b5c49e7..3f4b2f80720d 100644
--- a/http.c
+++ b/http.c
@@ -1029,8 +1029,10 @@ static CURL *get_curl_handle(void)
 #endif
 		}
 
-		if (ssl_options)
+		if (ssl_options) {
 			curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, ssl_options);
+			curl_easy_setopt(result, CURLOPT_PROXY_SSL_OPTIONS, ssl_options);
+		}
 	}
 
 	if (http_proactive_auth)
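
Review bot: CURLOPT_PROXY_SSL_OPTIONS was introduced in libcurl 7.52.0, so the unguarded `+			curl_easy_setopt(result, CURLOPT_PROXY_SSL_OPTIONS, ssl_options);` line will fail to compile against older libcurl versions that Git still accepts; either wrap the new call in a LIBCURL_VERSION_NUM check (7.52.0 is 0x073400), keeping the existing CURLOPT_SSL_OPTIONS call outside the guard, or state the raised minimum in the commit message.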

FWIW I also opened a PR for that, you could therefore get going with a local test via these steps:

sdk cd git
git fetch https://github.com/git-for-windows/git/ refs/pull/4495/head
git checkout FETCH_HEAD
make -j$(nproc)

sburkard (Author) commented on Jul 11, 2023

Hi @dscho

OK, I've built the Git binary locally, checked out your branch and gave it a try. Unfortunately still the same problem.

Official Git-Release + OpenSSL backend: works
Official Git-Release + schannel: NOT working
Local Git-Build from Branch + schannel: NOT working

I can now "switch" between interception and no-interception since my GitHub-Repo is no more intercepted and any public non-GitHub-Repo is intercepted.

export GIT_CURL_VERBOSE=1
> ./bin-wrappers/git -C ~/git/uid20852/ config --global --list

core.autocrlf=input
core.longpaths=true
push.default=simple
user.email=<my email>
user.name=<my name>
pull.rebase=true
http.schannelcheckrevoke=false
> ./bin-wrappers/git -C ~/git/uid20852/ clone https://gitlab.com/njouve/demo.git

Klone nach 'demo'...
15:54:27.686454 http.c:843              == Info: Couldn't find host gitlab.com in the (nil) file; using defaults
15:54:27.692319 http.c:843              == Info:   Trying 192.168.229.22:8080...
15:54:27.693287 http.c:843              == Info: Connected to www-proxy.visana.ch (192.168.229.22) port 8080 (#0)
15:54:27.693287 http.c:843              == Info: CONNECT tunnel: HTTP/1.1 negotiated
15:54:27.693287 http.c:843              == Info: allocate connect buffer
15:54:27.693287 http.c:843              == Info: Establish HTTP proxy tunnel to gitlab.com:443
15:54:27.693287 http.c:790              => Send header, 0000000111 bytes (0x0000006f)
15:54:27.693287 http.c:802              => Send header: CONNECT gitlab.com:443 HTTP/1.1
15:54:27.693287 http.c:802              => Send header: Host: gitlab.com:443
15:54:27.693287 http.c:802              => Send header: User-Agent: git/2.41.0
15:54:27.693287 http.c:802              => Send header: Proxy-Connection: Keep-Alive
15:54:27.693287 http.c:802              => Send header:
15:54:27.703061 http.c:790              <= Recv header, 0000000037 bytes (0x00000025)
15:54:27.703061 http.c:802              <= Recv header: HTTP/1.1 200 Connection established
15:54:27.703061 http.c:790              <= Recv header, 0000000002 bytes (0x00000002)
15:54:27.703061 http.c:802              <= Recv header:
15:54:27.703061 http.c:843              == Info: CONNECT phase completed
15:54:27.703061 http.c:843              == Info: CONNECT tunnel established, response 200
15:54:27.703061 http.c:843              == Info: schannel: disabled automatic use of client certificate
15:54:27.733323 http.c:843              == Info: schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
15:54:27.733323 http.c:843              == Info: Closing connection 0
15:54:27.733323 http.c:843              == Info: schannel: shutting down SSL/TLS connection with gitlab.com port 443
Schwerwiegend: konnte nicht auf 'https://gitlab.com/njouve/demo.git/' zugreifen: schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Let me know if I can do other tests to find the problem.

Thanks
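
The verbose output above, and the earlier remark that the "failed to decrypt data, need more data" lines are informational, both invite a small triage tool. The following is an added example, not code from this issue or from Git for Windows: it parses GIT_CURL_VERBOSE=1 output, works out whether the TLS handshake belongs to a direct connection or to an origin reached through a CONNECT tunnel, separates the informational "need more data" lines from real schannel failures, and classifies the CRYPT_E_NO_REVOCATION_CHECK (0x80092012) / CERT_TRUST_REVOCATION_STATUS_UNKNOWN outcomes that http.schannelCheckRevoke=best-effort is meant to tolerate. The sample log is constructed after the output posted here; the proxy name and addresses are placeholders.

```python
"""Triage schannel TLS failures in GIT_CURL_VERBOSE=1 output (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the verbose output posted in this thread; the
# proxy name and address are placeholders, not real infrastructure.
SAMPLE_LOG = """\
15:54:27.686454 http.c:843              == Info: Couldn't find host gitlab.com in the (nil) file; using defaults
15:54:27.692319 http.c:843              == Info:   Trying 192.0.2.10:8080...
15:54:27.693287 http.c:843              == Info: Connected to proxy.example (192.0.2.10) port 8080 (#0)
15:54:27.693287 http.c:843              == Info: CONNECT tunnel: HTTP/1.1 negotiated
15:54:27.693287 http.c:843              == Info: Establish HTTP proxy tunnel to gitlab.com:443
15:54:27.703061 http.c:843              == Info: CONNECT tunnel established, response 200
15:54:27.703061 http.c:843              == Info: schannel: disabled automatic use of client certificate
15:54:27.733323 http.c:843              == Info: schannel: failed to decrypt data, need more data
15:54:27.733323 http.c:843              == Info: schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
15:54:27.733323 http.c:843              == Info: Closing connection 0
"""

INFO_RE = re.compile(r"^\S+ http\.c:\d+\s+== Info: (.*)$")
PEER_RE = re.compile(r"Connected to (\S+) \(\S+\) port (\d+)")
TUNNEL_RE = re.compile(r"Establish HTTP proxy tunnel to (\S+):(\d+)")
HEX_ERR_RE = re.compile(r"schannel: .*?\((0x[0-9A-Fa-f]{8})\)")
TRUST_ERR_RE = re.compile(r"schannel: CertGetCertificateChain trust error (\w+)")

# Windows CRYPT_E_* codes meaning "revocation status could not be determined",
# which is exactly what http.schannelCheckRevoke=best-effort is meant to tolerate.
CRYPT_E_NO_REVOCATION_CHECK = 0x80092012
CRYPT_E_REVOCATION_OFFLINE = 0x80092013
REVOCATION_CODES = {CRYPT_E_NO_REVOCATION_CHECK, CRYPT_E_REVOCATION_OFFLINE}
REVOCATION_TRUST_ERRORS = {"CERT_TRUST_REVOCATION_STATUS_UNKNOWN", "CERT_TRUST_IS_OFFLINE_REVOCATION"}


@dataclass
class TlsDiagnosis:
    peer: Optional[str] = None            # first TCP peer, host:port
    tunnel_target: Optional[str] = None   # origin reached through CONNECT, host:port
    tls_leg: str = "direct"               # which connection the TLS handshake belongs to
    error_code: Optional[int] = None      # hex error reported by schannel, if any
    trust_error: Optional[str] = None     # CERT_TRUST_* name from CertGetCertificateChain
    need_more_data: int = 0               # informational "need more data" lines, not failures
    verdict: str = "ok"


def diagnose(log: str) -> TlsDiagnosis:
    """Parse one clone's verbose output and classify the schannel outcome."""
    d = TlsDiagnosis()
    for line in log.splitlines():
        m = INFO_RE.match(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if (pm := PEER_RE.search(msg)) and d.peer is None:
            d.peer = f"{pm.group(1)}:{pm.group(2)}"
        if tm := TUNNEL_RE.search(msg):
            # The TCP peer is a plain HTTP proxy; the handshake that matters is the
            # tunnelled one to the origin, governed by CURLOPT_SSL_OPTIONS (the
            # CURLOPT_PROXY_SSL_OPTIONS settings only apply to an https:// proxy).
            d.tunnel_target = f"{tm.group(1)}:{tm.group(2)}"
            d.tls_leg = "connect-tunnel"
        if msg.endswith("need more data"):
            d.need_more_data += 1     # schannel waiting for a complete TLS record
            continue
        if hm := HEX_ERR_RE.search(msg):
            d.error_code = int(hm.group(1), 16)
        if tr := TRUST_ERR_RE.search(msg):
            d.trust_error = tr.group(1)

    if d.error_code in REVOCATION_CODES or d.trust_error in REVOCATION_TRUST_ERRORS:
        d.verdict = "revocation-check-failed"
    elif d.error_code is not None or d.trust_error is not None:
        d.verdict = "schannel-error"
    return d


def tls_peer(d: TlsDiagnosis) -> Optional[str]:
    """Host:port whose certificate chain schannel actually validated."""
    return d.tunnel_target if d.tls_leg == "connect-tunnel" else d.peer


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(f"TLS leg: {result.tls_leg} to {tls_peer(result)}; verdict: {result.verdict}; "
          f"{result.need_more_data} informational 'need more data' line(s)")
```

Run it on a captured clone log (`GIT_CURL_VERBOSE=1 git clone ... 2> clone.log`) and feed the file to `diagnose()`. A verdict of `revocation-check-failed` on the `connect-tunnel` leg means the origin certificate's revocation status could not be fetched through the proxy, which is the situation a best-effort policy is meant to tolerate; a verdict of `schannel-error` with another code points at a different chain or handshake problem that a revocation setting will not fix.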

dscho (Member) commented on Jul 12, 2023

Thank you for testing this.

I fear the next steps might be a bit more involved: The most promising direction would be to build libcurl and instrument it with debug print statements. My suggestion to get there:

$ sdk cd mingw-w64-curl
$ sdk build

This will build the current mingw-w64-x86_64-curl package, and most crucially, give you a worktree with the source code at /usr/src/MINGW-packages/mingw-w64-curl/src/curl-8.1.2. If I were you, I would try to insert fprintf(stderr, "%s:%d: HERE!\n", __FILE__, __LINE__); statements in the most interesting parts of lib/vtls/schannel*.c (starting with the location where the error message is produced, and then adding more print statements as well as logging values of interest e.g. whether the BEST_EFFORT flag was handed to the code as expected, and if not, where the ball was dropped), then build and "install" with make -C /usr/src/MINGW-packages/mingw-w64-curl/src/build-MINGW64-shared && cp /usr/src/MINGW-packages/mingw-w64-curl/src/build-MINGW64-shared/lib/.libs/libcurl-4.dll /mingw64/bin/.

sburkard (Author) commented on Jul 12, 2023

Hi @dscho
When I do sdk build I get SSL errors because of the self-signed cert of our proxy.

error: failed retrieving file 'mingw-w64-x86_64-autotools-2022.01.16-1-any.pkg.tar.zst' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
... the same for a bunch of mirrors ...
...
==> ERROR: 'pacman' failed to install missing dependencies.

Can I disable this check somehow?
