Https proxy auth issue with git in cygwin 2.2.1

Https proxy auth issue with git in cygwin 2.2.1

[Lukasz Pielak]

Hi

In the latest Cygwin 2.2.1. git doesn’t work with proxy authentication.
The git version is 2.5.1 and the curl version is 7.43.
The error prints fatal: unable to access
'https://github.com/mockito/mockito.git/': Unknown SSL protocol error
in connection to github.com:443

In my previous Cygwin 1.7.35 (with curl 7.41) this problem didn’t
exist. Git for windows (git 2.5.1 version, but curl is 7.44) seems to
work too.

I assume that  there is a bug in curl rather than in git.

Console output:

{ mockito } master » uname -a
~/gitrepo/demo/mockito 127
CYGWIN_NT-6.1-WOW K11263 2.2.1(0.289/5/3) 2015-08-20 11:40 i686 Cygwin
{ mockito } master »

{ mockito } master » curl --version
    ~/gitrepo/demo/mockito
curl 7.43.0 (i686-pc-cygwin) libcurl/7.43.0 OpenSSL/1.0.2d zlib/1.2.8
libidn/1.29 libssh2/1.5.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP UnixSockets Metalink


{ mockito } master » GIT_TRACE=2 git pull


~/gitrepo/demo/mockito
12:22:48.164349 git.c:558               trace: exec: 'git-pull'
12:22:48.164349 run-command.c:347       trace: run_command: 'git-pull'
12:22:48.429558 git.c:348               trace: built-in: git
'rev-parse' '--parseopt' '--stuck-long' '--'
12:22:48.689167 git.c:348               trace: built-in: git
'rev-parse' '--git-dir'
12:22:48.860772 git.c:348               trace: built-in: git
'rev-parse' '--git-path' 'objects'
12:22:49.032378 git.c:348               trace: built-in: git
'rev-parse' '--is-bare-repository'
12:22:49.094780 git.c:348               trace: built-in: git
'rev-parse' '--show-toplevel'
12:22:49.188383 git.c:348               trace: built-in: git 'ls-files' '-u'
12:22:49.297586 git.c:348               trace: built-in: git
'symbolic-ref' '-q' 'HEAD'
12:22:49.469192 git.c:348               trace: built-in: git 'config'
'branch.master.rebase'
12:22:49.656398 git.c:348               trace: built-in: git 'config'
'pull.rebase'
12:22:49.843604 git.c:348               trace: built-in: git 'config' 'pull.ff'
12:22:49.921606 git.c:348               trace: built-in: git
'rev-parse' '-q' '--verify' 'HEAD'
12:22:50.015209 git.c:348               trace: built-in: git 'fetch'
'--update-head-ok'
12:22:50.171214 run-command.c:347       trace: run_command:
'git-remote-https' 'origin' 'https://github.com/mockito/mockito.git'
fatal: unable to access 'https://github.com/mockito/mockito.git/':
Unknown SSL protocol error in connection to github.com:443


{ mockito } master » GIT_CURL_VERBOSE=1 git pull


~/gitrepo/demo/mockito 1
* STATE: INIT => CONNECT handle 0x800834c8; line 1075 (connection #-5000)
* Couldn't find host github.com in the .netrc file; using defaults
* Added connection 0. The cache now contains 1 members
*   Trying 10.105.36.152...
* STATE: CONNECT => WAITCONNECT handle 0x800834c8; line 1128 (connection #0)
* Connected to webproxy.mycorp.com (10.105.36.152) port 8080 (#0)
* STATE: WAITCONNECT => WAITPROXYCONNECT handle 0x800834c8; line 1225
(connection #0)
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
Host: github.com:443
User-Agent: git/2.5.1
Proxy-Connection: Keep-Alive

* Read response immediately from proxy CONNECT
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NEGOTIATE
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: BASIC realm="BCAAA"
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: close
< Connection: close
< Content-Length: 1551
<
* Ignore 1551 bytes of response-body
* Connect me again please
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Unknown SSL protocol error in connection to github.com:443
* Curl_done
* Closing connection 0
* The cache now contains 0 members
* STATE: WAITPROXYCONNECT => CONNECT handle 0x800834c8; line 1208
(connection #-5000)
* Couldn't find host github.com in the .netrc file; using defaults
* Added connection 1. The cache now contains 1 members
* Hostname webproxy.mycorp.com was found in DNS cache
*   Trying 10.105.36.152...
* STATE: CONNECT => WAITCONNECT handle 0x800834c8; line 1128 (connection #1)
* Connected to webproxy.mycorp.com (10.105.36.152) port 8080 (#1)
* STATE: WAITCONNECT => WAITPROXYCONNECT handle 0x800834c8; line 1225
(connection #1)
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
Host: github.com:443
User-Agent: git/2.5.1
Proxy-Connection: Keep-Alive

* Read response immediately from proxy CONNECT
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NEGOTIATE
* gss_init_sec_context() failed: : SPNEGO cannot find mechanisms to negotiate
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: BASIC realm="BCAAA"
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: close
< Connection: close
< Content-Length: 1551
<
* Received HTTP code 407 from proxy after CONNECT
* Expire cleared
* Curl_done
* Closing connection 1
* The cache now contains 0 members
fatal: unable to access 'https://github.com/mockito/mockito.git/':
Unknown SSL protocol error in connection to github.com:443

Thanks
Lukasz

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Https proxy auth issue with git in cygwin 2.2.1

[Andrey Repin]

Greetings, Lukasz Pielak!

> In the latest Cygwin 2.2.1. git doesn’t work with proxy authentication.
> The git version is 2.5.1 and the curl version is 7.43.
> The error prints fatal: unable to access
> 'https://github.com/mockito/mockito.git/': Unknown SSL protocol error
> in connection to github.com:443

$ curl --version; curl -siIH "Host: github.com" https://github.com/mockito/mockito.git/
curl 7.43.0 (x86_64-unknown-cygwin) libcurl/7.43.0 OpenSSL/1.0.2d zlib/1.2.8 libidn/1.29 libssh2/1.5.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets Metalink
HTTP/1.1 301 Moved Permanently
Server: GitHub.com
Date: Mon, 21 Sep 2015 10:07:26 GMT
Content-Type: text/html
Content-Length: 178
Location: https://github.com/mockito/mockito/
Vary: Accept-Encoding
X-Served-By: a568c03544f42dddf712bab3bfd562fd
$ git ls-remote https://github.com/mockito/mockito.git
a821f7b0ec47f3214bf6f0361df5deb211fa2214        HEAD
6e8ab32df8b3c85cdcdc77b4348a57e15227f76c        refs/heads/gh-pages
a821f7b0ec47f3214bf6f0361df5deb211fa2214        refs/heads/master
64ed9c5ec562851d109baa700fa075ffde3662cd        refs/heads/release
63af88de0f9d8c5233db2996241f8ad3fae3d47d        refs/heads/sf-spy-hack
29b082b4b789e0e166d898f70de8e8338a6139d1        refs/heads/travis_oracle_jdk8
13c7321d5e719a802b52cf9d825ccf27dc7e015e        refs/pull/10/head
...

Sooo, how about "update your Cygwin" ?


-- 
With best regards,
Andrey Repin
Monday, September 21, 2015 13:07:33

Sorry for my terrible english...

Re: Https proxy auth issue with git in cygwin 2.2.1

[Adam Dinwoodie]

On Mon, Sep 21, 2015 at 08:54:39AM +0200, Lukasz Pielak wrote:
> In the latest Cygwin 2.2.1. git doesn’t work with proxy authentication.

What do you mean by proxy authentication here?  What do you have
configured, and how?

> The git version is 2.5.1 and the curl version is 7.43.
> The error prints fatal: unable to access
> 'https://github.com/mockito/mockito.git/': Unknown SSL protocol error
> in connection to github.com:443

WJFFM with those versions, but then I'm not using any sort of web proxy.

> In my previous Cygwin 1.7.35 (with curl 7.41) this problem didn’t
> exist. Git for windows (git 2.5.1 version, but curl is 7.44) seems to
> work too.

Are you able to test any other combinations of these?  I don't think the
results for Git for Windows are going to be particularly informative --
there are too many variables between that build and Cygwin's -- but
knowing whether it's the bump from Cygwin v1.7.35 to v2.2.1, or from
Curl v7.41 to v7.43, would be potentially useful.

> I assume that  there is a bug in curl rather than in git.

As an interim solution, does using ssh instead of https work?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Https proxy auth issue with git in cygwin 2.2.1

[Lukasz Pielak]

Hi Andrey

thanks for your reply. What exactly do you mean by 'update your
Cygwin'?. I'm running the latest Cygwin x86 2.2.1 with curl curl
7.43.0.

 curl --version
curl 7.43.0 (i686-pc-cygwin) libcurl/7.43.0 OpenSSL/1.0.2d zlib/1.2.8
libidn/1.29 libssh2/1.5.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP UnixSockets Metalink

Thanks
Lukasz

On 21 September 2015 at 12:14, Andrey Repin <anrdaemon@yandex.ru> wrote:
> Greetings, Lukasz Pielak!
>
>> In the latest Cygwin 2.2.1. git doesn’t work with proxy authentication.
>> The git version is 2.5.1 and the curl version is 7.43.
>> The error prints fatal: unable to access
>> 'https://github.com/mockito/mockito.git/': Unknown SSL protocol error
>> in connection to github.com:443
>
> $ curl --version; curl -siIH "Host: github.com" https://github.com/mockito/mockito.git/
> curl 7.43.0 (x86_64-unknown-cygwin) libcurl/7.43.0 OpenSSL/1.0.2d zlib/1.2.8 libidn/1.29 libssh2/1.5.0
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
> Features: Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets Metalink
> HTTP/1.1 301 Moved Permanently
> Server: GitHub.com
> Date: Mon, 21 Sep 2015 10:07:26 GMT
> Content-Type: text/html
> Content-Length: 178
> Location: https://github.com/mockito/mockito/
> Vary: Accept-Encoding
> X-Served-By: a568c03544f42dddf712bab3bfd562fd
> $ git ls-remote https://github.com/mockito/mockito.git
> a821f7b0ec47f3214bf6f0361df5deb211fa2214        HEAD
> 6e8ab32df8b3c85cdcdc77b4348a57e15227f76c        refs/heads/gh-pages
> a821f7b0ec47f3214bf6f0361df5deb211fa2214        refs/heads/master
> 64ed9c5ec562851d109baa700fa075ffde3662cd        refs/heads/release
> 63af88de0f9d8c5233db2996241f8ad3fae3d47d        refs/heads/sf-spy-hack
> 29b082b4b789e0e166d898f70de8e8338a6139d1        refs/heads/travis_oracle_jdk8
> 13c7321d5e719a802b52cf9d825ccf27dc7e015e        refs/pull/10/head
> ...
>
> Sooo, how about "update your Cygwin" ?
>
>
> --
> With best regards,
> Andrey Repin
> Monday, September 21, 2015 13:07:33
>
> Sorry for my terrible english...

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Https proxy auth issue with git in cygwin 2.2.1

[Achim Gratz]

Adam Dinwoodie <adam <at> dinwoodie.org> writes:
> As an interim solution, does using ssh instead of https work?

He's forced through the abomination of a proxy requiring NTLM
authentication, so I'd say his chances of having SSH connections to the
outside are pretty slim.  He could try cntlm, though (not packaged yet for
Cygwin since upstream seems to have disappeared, but I've been working on
some patches to have it not crash on 64bit).

http://repo.or.cz/w/cntlm.git/shortlog/refs/heads/cygwin-auto


Regards,
Achim.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Https proxy auth issue with git in cygwin 2.2.1

[LukaszPielak]

Adam Dinwoodie <adam <at> dinwoodie.org> writes:

> 
> On Mon, Sep 21, 2015 at 08:54:39AM +0200, Lukasz Pielak wrote:
> > In the latest Cygwin 2.2.1. git doesn’t work with proxy 
authentication.
> 
> What do you mean by proxy authentication here?  What do you have
> configured, and how?
> 
> > The git version is 2.5.1 and the curl version is 7.43.
> > The error prints fatal: unable to access
> > 'https://github.com/mockito/mockito.git/': Unknown SSL protocol 
error
> > in connection to github.com:443
> 
> WJFFM with those versions, but then I'm not using any sort of web 
proxy.
> 
> > In my previous Cygwin 1.7.35 (with curl 7.41) this problem didn’t
> > exist. Git for windows (git 2.5.1 version, but curl is 7.44) seems 
to
> > work too.
> 
> Are you able to test any other combinations of these?  I don't think 
the
> results for Git for Windows are going to be particularly informative -
-
> there are too many variables between that build and Cygwin's -- but
> knowing whether it's the bump from Cygwin v1.7.35 to v2.2.1, or from
> Curl v7.41 to v7.43, would be potentially useful.
> 
> > I assume that  there is a bug in curl rather than in git.
> 
> As an interim solution, does using ssh instead of https work?
> 
> 

Hi Adam

ssh over https is unfortunately not an option.

I experimented with with curl instead of git a bit:

With --proxy-negotiate i get:

curl -v --proxy webproxy.mycorp.com:8080 --proxy-user myuser:mypasswd
--proxy-negotiate http://mirror.provider.org/package.rpm
* STATE: INIT => CONNECT handle 0x80048388; line 1075 (connection 
#-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 10.105.36.151...
* STATE: CONNECT => WAITCONNECT handle 0x80048388; line 1128 (connection 
#0)
* Connected to webproxy.mycorp.com (10.105.36.151) port 8080 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x80048388; line 1225
(connection #0)
* STATE: SENDPROTOCONNECT => DO handle 0x80048388; line 1243 (connection 
#0)
> GET http://mirror.provider.org/package.rpm HTTP/1.1
> Host: mirror.provider.org
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* STATE: DO => DO_DONE handle 0x80048388; line 1322 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x80048388; line 1449 (connection 
#0)
* STATE: WAITPERFORM => PERFORM handle 0x80048388; line 1459 (connection 
#0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 407 Proxy Authentication Required
* gss_init_sec_context() failed: : SPNEGO cannot find mechanisms to 
negotiate
< Proxy-Authenticate: NEGOTIATE
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: BASIC realm="BCAAA"
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Set-Cookie: BCSI-CS-d71134cd838e0ff2=2; Path=/
< Connection: close
< Content-Length: 1551
<
<html>
<head>
<title>Access Denied</title>
</head>

With proxy-ntlm it seems to work though

curl -v --proxy webproxy.mycorp.com:8080 --proxy-user myuser:mypasswd
--proxy-ntlm http://mirror.provider.org/package.rpm
* STATE: INIT => CONNECT handle 0x80048388; line 1075 (connection 
#-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 10.105.36.151...
* STATE: CONNECT => WAITCONNECT handle 0x80048388; line 1128 (connection 
#0)
* Connected to webproxy.mycorp.com (10.105.36.151) port 8080 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x80048388; line 1225
(connection #0)
* STATE: SENDPROTOCONNECT => DO handle 0x80048388; line 1243 (connection 
#0)
* Proxy auth using NTLM with user 'myuser'
> GET http://mirror.provider.org/package.rpm HTTP/1.1
> Host: mirror.provider.org
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* STATE: DO => DO_DONE handle 0x80048388; line 1322 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x80048388; line 1449 (connection 
#0)
* STATE: WAITPERFORM => PERFORM handle 0x80048388; line 1459 (connection 
#0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAABwAHADgAAAAGgokCrqa74bTKLosAAAAAAAAAAHYAdgA/AAAABgGxHQAA
AA9OVC1TQkIxAgAOAE4AVAAtAFMAQgBCADEAAQAMAEkANgA4ADUANgA4AAQADABzAGIAYgAu
AGMAaAADABoAaQA2ADgANQA2ADgALgBzAGIAYgAuAGMAaAAFABIAYQBkAHIAYQBpAGwALgBj
AGgABwAIAOjj+Rta9dABAAAAAA==
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: Keep-Alive
< Set-Cookie: BCSI-CS-d71134cd838e0ff2=2; Path=/
< Connection: Keep-Alive
< Content-Length: 1568
<
* Ignoring the response-body
* Curl_done
* Connection #0 to host webproxy.mycorp.com left intact
* Issue another request to this URL: 
'http://mirror.provider.org/package.rpm'
* STATE: PERFORM => CONNECT handle 0x80048388; line 1593 (connection 
#-5000)
* Found bundle for host mirror.provider.org: 0x8005b3f0
* Re-using existing connection! (#0) with proxy webproxy.mycorp.com
* Connected to webproxy.mycorp.com (10.105.36.151) port 8080 (#0)
* STATE: CONNECT => DO handle 0x80048388; line 1121 (connection #0)
* Proxy auth using NTLM with user 'myuser'
> GET http://mirror.provider.org/package.rpm HTTP/1.1
> Host: mirror.provider.org
> Proxy-Authorization: NTLM 
TlRMTVNTUAADAAAAGAAYAEAAAACmAKYAWAAAAAAAAAD+AAAABwAHAP4AAAAGAAYABQEAAAAA
AAAAAAAABoKJAhvGb+LTOmku2XPOiA6YSDWn4N5/nvfBGSXfJmwNZpFtA+BoIeymbekBAQAA
AAAAAIANcRta9dABp+Def573wRkAAAAAAgAOAE4AVAAtAFMAQgBCADEAAQAMAEkANgA4ADUA
NgA4AAQADABzAGIAYgAuAGMAaAADABoAaQA2ADgANQA2ADgALgBzAGIAYgAuAGMAaAAFABIA
YQBkAHIAYQBpAGwALgBjAGgABwAIAOjj+Rta9dABAAAAAAAAAAB1ZTYzNjYySzExMjYz
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* STATE: DO => DO_DONE handle 0x80048388; line 1322 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x80048388; line 1449 (connection 
#0)
* STATE: WAITPERFORM => PERFORM handle 0x80048388; line 1459 (connection 
#0)
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Found
< Location: http://mirror.provider.org/notify-NotifySplashOrange?
aHR0cDovL21pcnJvci5wcm92aWRlci5vcmcvcGFja2FnZS5ycG0=
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: close
< Connection: close
< Content-Length: 1449
<
<html>
<head>
<title>Redirect</title>
</head>
<body>

Now I switched back to the old cygwin and tried the same

{ ~ }  » uname -a
CYGWIN_NT-6.1-WOW K11263 1.7.35(0.287/5/3) 2015-03-04 12:07 i686 Cygwin
{ ~ }  » curl --version
curl 7.41.0 (i686-pc-cygwin) libcurl/7.41.0 OpenSSL/1.0.2a zlib/1.2.8
libidn/1.29 libssh2/1.5.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP UnixSockets Metalink
{ ~ }  » git --version
git version 2.1.4


curl -v --proxy webproxy.mycorp.com:8080 --proxy-user myuser:mypasswd
--proxy-negotiate http://mirror.provider.org/package.rpm
* STATE: INIT => CONNECT handle 0x800481f8; line 1034 (connection 
#-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 10.105.36.152...
* STATE: CONNECT => WAITCONNECT handle 0x800481f8; line 1087 (connection 
#0)
* Connected to webproxy.mycorp.com (10.105.36.152) port 8080 (#0)
* STATE: WAITCONNECT => DO handle 0x800481f8; line 1229 (connection #0)
> GET http://mirror.provider.org/package.rpm HTTP/1.1
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
> Host: mirror.provider.org
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* STATE: DO => DO_DONE handle 0x800481f8; line 1314 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x800481f8; line 1441 (connection 
#0)
* STATE: WAITPERFORM => PERFORM handle 0x800481f8; line 1454 (connection 
#0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 407 Proxy Authentication Required
* gss_init_sec_context() failed: : SPNEGO cannot find mechanisms to 
negotiate
< Proxy-Authenticate: NEGOTIATE
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: BASIC realm="BCAAA"
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Set-Cookie: BCSI-CS-7390672db2e928d5=2; Path=/
< Connection: close
< Content-Length: 1551
<
<html>
<head>
<title>Access Denied</title>
</head>
<body>

As you can see i still get the error, but git seems to work:

{ mockito } master » git pull
Already up-to-date.

This makes me think that it is rather a change in the recent git 
version. To me it looks like git changed the way it makes a curl call.

Unfortunately this doesn't resolve my issues, I still need to use git
over https in cygwin. Any hints?

Cheers
Lukasz

Re: Https proxy auth issue with git in cygwin 2.2.1

[Adam Dinwoodie]

On Fri, Sep 25, 2015 at 07:13:07AM +0000, LukaszPielak wrote:
> Adam Dinwoodie <adam <at> dinwoodie.org> writes:
> > On Mon, Sep 21, 2015 at 08:54:39AM +0200, Lukasz Pielak wrote:
> > > The git version is 2.5.1 and the curl version is 7.43.
> > > The error prints fatal: unable to access
> > > 'https://github.com/mockito/mockito.git/': Unknown SSL protocol error
> > > in connection to github.com:443
>
> <snip>
> 
> Now I switched back to the old cygwin and tried the same
> 
> { ~ }  » uname -a
> CYGWIN_NT-6.1-WOW K11263 1.7.35(0.287/5/3) 2015-03-04 12:07 i686 Cygwin
> { ~ }  » curl --version
> curl 7.41.0 (i686-pc-cygwin) libcurl/7.41.0 OpenSSL/1.0.2a zlib/1.2.8
> libidn/1.29 libssh2/1.5.0
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
> pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
> Features: Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
> NTLM_WB SSL libz TLS-SRP UnixSockets Metalink
> { ~ }  » git --version
> git version 2.1.4
> 
> <snip>
> 
> As you can see i still get the error, but git seems to work:
> 
> { mockito } master » git pull
> Already up-to-date.
> 
> This makes me think that it is rather a change in the recent git 
> version. To me it looks like git changed the way it makes a curl call.

I think I've found the problem, and you're right -- Git has changed the
way it makes the curl call.  The culprit is commit 5841520b in the
upstream Git repository, which has the following commit message:

| http: always use any proxy auth method available
|
| We set CURLOPT_PROXYAUTH to use the most secure authentication
| method available only when the user has set configuration variables
| to specify a proxy.  However, libcurl also supports specifying a
| proxy through environment variables.  In that case libcurl defaults
| to only using the Basic proxy authentication method, because we do
| not use CURLOPT_PROXYAUTH.
|
| Set CURLOPT_PROXYAUTH to always use the most secure authentication
| method available, even when there is no git configuration telling us
| to use a proxy. This allows the user to use environment variables to
| configure a proxy that requires an authentication method different
| from Basic.

I can't confirm this is the problem, though, as I don't have a test
environment that uses NTLM.

Do you have the ability to either run a test version of Git I can
produce that patches out this change, or (better) to build Git yourself
without this patch to see if that is indeed the change that's causing
the problem?

Adam

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Https proxy auth issue with git in cygwin 2.2.1

[Johan Laenen]

Adam Dinwoodie <adam <at> dinwoodie.org> writes:

> I think I've found the problem, and you're right -- Git has changed the
> way it makes the curl call.  The culprit is commit 5841520b in the
> upstream Git repository, which has the following commit message:
> 
> | http: always use any proxy auth method available
> |
> | We set CURLOPT_PROXYAUTH to use the most secure authentication
> | method available only when the user has set configuration variables
> | to specify a proxy.  However, libcurl also supports specifying a
> | proxy through environment variables.  In that case libcurl defaults
> | to only using the Basic proxy authentication method, because we do
> | not use CURLOPT_PROXYAUTH.
> |
> | Set CURLOPT_PROXYAUTH to always use the most secure authentication
> | method available, even when there is no git configuration telling us
> | to use a proxy. This allows the user to use environment variables to
> | configure a proxy that requires an authentication method different
> | from Basic.
> 
> I can't confirm this is the problem, though, as I don't have a test
> environment that uses NTLM.
> 
> Do you have the ability to either run a test version of Git I can
> produce that patches out this change, or (better) to build Git yourself
> without this patch to see if that is indeed the change that's causing
> the problem?
> 

Hi There,

I can into the exact same problem after upgrading to the latest cygwin version. 

So, following your advice, I took git-2.6.1.tar.gz from github, untarred,
and modified http.c:

$ diff git-2.6.1/http.c t/git-2.6.1/http.c
466,467c466,468
<     if (curl_http_proxy) {
<         curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
---
>       if (curl_http_proxy) {
>               curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
>       }
469c470
<         curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
---
>       curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
471d471
<     }

One make configure, ./configure, make and make install I can confirm that
unpatching the change undoes the problem :)

> Adam
> 
> 


Johan


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Https proxy auth issue with git in cygwin 2.2.1

[Adam Dinwoodie]

On Fri, Oct 16, 2015 at 12:26:14PM +0000, Johan Laenen wrote:
> Adam Dinwoodie <adam <at> dinwoodie.org> writes:
> 
> > I think I've found the problem, and you're right -- Git has changed the
> > way it makes the curl call.  The culprit is commit 5841520b in the
> > upstream Git repository, which has the following commit message:
> > 
> > | http: always use any proxy auth method available
> > |
> > | We set CURLOPT_PROXYAUTH to use the most secure authentication
> > | method available only when the user has set configuration variables
> > | to specify a proxy.  However, libcurl also supports specifying a
> > | proxy through environment variables.  In that case libcurl defaults
> > | to only using the Basic proxy authentication method, because we do
> > | not use CURLOPT_PROXYAUTH.
> > |
> > | Set CURLOPT_PROXYAUTH to always use the most secure authentication
> > | method available, even when there is no git configuration telling us
> > | to use a proxy. This allows the user to use environment variables to
> > | configure a proxy that requires an authentication method different
> > | from Basic.
> > 
> > I can't confirm this is the problem, though, as I don't have a test
> > environment that uses NTLM.
> > 
> > Do you have the ability to either run a test version of Git I can
> > produce that patches out this change, or (better) to build Git yourself
> > without this patch to see if that is indeed the change that's causing
> > the problem?
> > 
> 
> Hi There,
> 
> I can into the exact same problem after upgrading to the latest cygwin version. 
> 
> So, following your advice, I took git-2.6.1.tar.gz from github, untarred,
> and modified http.c:
> 
> $ diff git-2.6.1/http.c t/git-2.6.1/http.c
> 466,467c466,468
> <     if (curl_http_proxy) {
> <         curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
> ---
> >       if (curl_http_proxy) {
> >               curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
> >       }
> 469c470
> <         curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
> ---
> >       curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
> 471d471
> <     }
> 
> One make configure, ./configure, make and make install I can confirm that
> unpatching the change undoes the problem :)

Hi Johan,

I've just spotted this email while trawling through other Cygwin/Git
related things; somehow I missed it when it was first sent.

I see you've raised this on the upstream Git mailing list already, and
there's been some useful discussion there, so I'm not proposing any
further discussion on this list.  I just wanted to reply with my Git
maintainer hat on and acknowledge the discussion has moved upstream.

Cheers,

Adam

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple