Why Schannel fails to receive handshake from the server?

When I'm trying to pull from our git server I get this error:

fatal: unable to access 'xxx': OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx

When this happened before I was able to solve it by simply restoring the system but this time my system restore points got deleted for some reason, and I can't do that either.

So this happens because something in my system settings related to SSL changes and I don't know why.

I have tried installing git to use windows cert. store instead of OpenSSL and I got this error:

fatal: unable to access 'xxx': schannel: failed to receive handshake, SSL/TLS connection failed

Same problem, different error message. The server is not sending back a hello message after the client hello. I thought this might happen because none of the cipher suites that I'm sending the server in the client hello message are supported by the server. So I've tried configuring a group policy and put the cipher suite the server is using first in order. But it didn't make any difference.

I am able to connect the git server's site through the browser. So my question is, what can I do to solve this problem?

1

9 Answers

In my case, I changed the .gitconfig from

[http] sslbackend = schannel

to

[http] sslbackend = openssl
1

I encountered the unable to access ' schannel: failed to receive handshake, SSL/TLS connection failed error when I tried to use a http proxy for a git repo on the local network (which is not accessible through that particular proxy). I resetted the http.proxy setting to an empty string:

git config --global http.proxy ""

(Note that in my case, this was a global level setting, YMMV.)

You should try again, for testing, with the Git for Windows release 2.14.2 (June 21th, 2018), which adds code to force-ignore http.sslCAinfo when the ssl backend is set to schannel (so that the Windows Certificate Store is not ignored).
This is really only relevant when running with cURL v7.60.0 (or later).

See commit c5ad43e:

http: when using Secure Channel, ignore sslCAInfo by default

As of cURL v7.60.0, the Secure Channel backend can use the certificate bundle provided via http.sslCAInfo, but that would override the Windows Certificate Store. Since this is not desirable by default, let's tell Git to not ask cURL to use that bundle by default when the schannel backend was configured via http.sslBackend, unless useSSLCAInfooverrides this behavior.

1

I had the same issue (windows 10) and a reboot fixed the issue.

I my case I had this issue when using a local proxy (in my case px) to access the www (like github.com) but also using the same setup for our company github-site (git.example.org). I thought that this site would be also in the www, but it turned out that actually it was going trough a NAT-IP (internal). Therefore I had to exclude the internal IP address from my local proxy. Then it worked.

One "weak" solution is to set GIT_SSL_NO_VERIFY:

export GIT_SSL_NO_VERIFY=true

Or on Windows, set the environment variable, either in the system or on the command line if using a command-line version of Git:

set GIT_SSL_NO_VERIFY=true

It will simply do what it says...

1

In my case the NO_PROXY variable was not properly configured.

In my case - same issue in jenkins job - I had the wrong user credentials provided.

I have solution in my errors case.You can use command :

git push orgin destination_branch

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like