logo标签列表

使用客户端证书的GIT失败并使用curl解决。

gitauthenticationhttpsssl-certificateazure-virtual-machine
6

我在使用GIT连接受客户端证书保护的GIT服务器时遇到了问题。我正在尝试使用Azure Pipeline代理在全新的Azure VM上运行作业。

我正在连接到一台通过客户端证书安全连接到互联网的本地TFS实例。

经过一些尝试和错误,我得到了正确的证书形式,可以将代理连接到服务器。像这样使用OpenSSL

openssl pkcs12 -in cert.pfx -cacerts -nokeys -out ca.pem -passin pass:
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out clientcert.pem -passin pass:
openssl pkcs12 -in cert.pfx -clcerts -nocerts -out clientcert-key-pass.pem -passin pass: -passout pass:$pfxpassword
openssl pkcs12 -in cert.pfx -out temp.pem -nodes -passin pass:
openssl pkcs12 -export -out cert-secure.pfx -in temp.pem -passout pass:$pfxpassword

这里的乐趣就到此为止了...

背景:我正在运行Ubuntu 18.04,并尝试使用GIT 2.17和2.22。

当我在具有相同证书集的机器上运行curl时,它可以正确地通过服务器的客户端证书安全性,并让我访问返回401的底层服务,这是预期的。

但是,当使用来自GIT的相同证书时,我始终会收到403错误,服务器由于客户端证书问题拒绝连接。

我正在运行的GIT命令是:

GIT_CURL_VERBOSE=1 GIT_TRACE=1 git -c http.sslcainfo="/home/scott/ca.pem" -c http.sslcert="/home/scott/clientcert.pem" -c http.sslkey="/home/scott/clientcert-key-pass.pem" -c http.sslCertPasswordProtected=true fetch --force --tags --prune --progress --no-recurse-submodules origin

其结果是(已编辑URL)

07:04:43.587108 git.c:439               trace: built-in: git fetch --force --tags --prune --progress --no-recurse-submodules origin
07:04:43.587518 run-command.c:663       trace: run_command: GIT_DIR=.git git-remote-https origin https://*****
Password for 'cert:////home/scott/clientcert.pem':
* Couldn't find host **** in the .netrc file; using defaults
*   Trying 3.248.79.34...
* TCP_NODELAY set
* Connected to **** (3.248.79.34) port 443 (#0)
* found 3 certificates in /home/scott/ca.crt
* found 402 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: *** (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: **** - redacted
*        start date: Mon, 08 Apr 2019 00:00:00 GMT
*        expire date: Tue, 07 Apr 2020 12:00:00 GMT
*        issuer: C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /****/info/refs?service=git-upload-pack HTTP/1.1
Host: ****.com
User-Agent: git/2.22.0
Accept: */*
Accept-Encoding: deflate, gzip
Accept-Language: C, *;q=0.9
Pragma: no-cache

< HTTP/1.1 403 Forbidden
< Content-Type: text/html
< Server: Microsoft-IIS/10.0
< Date: Tue, 13 Aug 2019 07:04:47 GMT
< Content-Length: 1300
<
* Connection #0 to host ****.com left intact
fatal: unable to access 'https://*****': The requested URL returned error: 403

看起来GIT因某种原因跳过了客户端身份验证

等效的curl命令为

curl -v --http1.0 --cacert /home/scott/ca.pem --key /home/scott/clientcert-key-pass.pem --cert /home/scott/clientcert.pem https://****.com/tfs/****/refs?service=git-upload-pack

这将导致成功并可以通过Web服务器的客户端身份验证,并连接到底层服务

*   Trying 3.248.79.34...
* TCP_NODELAY set
* Connected to tfsemea1.ta.philips.com (3.248.79.34) port 443 (#0)
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /home/scott/ca.pem
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: ******
*  start date: Apr  8 00:00:00 2019 GMT
*  expire date: Apr  7 12:00:00 2020 GMT
*  subjectAltName: host "***.com" matched cert's "***.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET /***/info/refs?service=git-upload-pack HTTP/1.0
> Host: ***.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/10.0
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://***.com/tfs"
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-TFS-ProcessId: d2b304b0-a0ef-48b9-89b8-3281cb42c26d
< ActivityId: 07d4f17f-3940-4006-aab5-5c7afa57e84a
< X-TFS-Session: 07d4f17f-3940-4006-aab5-5c7afa57e84a
< X-VSS-E2EID: 07d4f17f-3940-4006-aab5-5c7afa57e84a
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22utf-8%22%3F%3E%3Csoap%3AEnvelope%20xmlns%3Asoap%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%3E%3Csoap%3ABody%3E%3Csoap%3AFault%3E%3Csoap%3ACode%3E%3Csoap%3AValue%3Esoap%3AReceiver%3C%2Fsoap%3AValue%3E%3Csoap%3ASubcode%3E%3Csoap%3AValue%3EUnauthorizedRequestException%3C%2Fsoap%3AValue%3E%3C%2Fsoap%3ASubcode%3E%3C%2Fsoap%3ACode%3E%3Csoap%3AReason%3E%3Csoap%3AText%20xml%3Alang%3D%22en%22%3ETF400813%3A%20Resource%20not%20available%20for%20anonymous%20access.%20Client%20authentication%20required.%3C%2Fsoap%3AText%3E%3C%2Fsoap%3AReason%3E%3C%2Fsoap%3AFault%3E%3C%2Fsoap%3ABody%3E%3C%2Fsoap%3AEnvelope%3E
< X-TFS-ServiceError: TF400813%3A%20Resource%20not%20available%20for%20anonymous%20access.%20Client%20authentication%20required.
< X-Powered-By: ASP.NET
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< X-Powered-By: ARR/3.0
< Date: Tue, 13 Aug 2019 07:58:27 GMT
< Connection: close
< Content-Length: 20158

在@VonC的建议下,我尝试了不使用相同的密钥、不使用密码,并使用以下命令:

GIT_CURL_VERBOSE=1 GIT_TRACE=1 git -c http.sslcainfo="/home/scott/ca.pem" -c http.sslcert="/home/scott/clientcert.pem" -c http.sslkey="/home/scott/nopass.pem" fetch --force --tags --prune --progress --no-recurse-submodules origin

我使用openssl rsa -in ~/clientcert-key-pass.pem -out ~/nopass.pem来去除密码。

它生成了一个非常相似的输出。

15:22:57.671901 git.c:440               trace: built-in: git fetch --force --tags --prune --progress --no-recurse-submodules origin
15:22:57.672253 run-command.c:663       trace: run_command: GIT_DIR=.git git-remote-https origin https://****
* Couldn't find host **** in the .netrc file; using defaults
*   Trying 52.18.21.126...
* TCP_NODELAY set
* Connected to **** (52.18.21.126) port 443 (#0)
* found 3 certificates in /home/scott/ca.pem
* found 402 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: **** (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: ****
*        start date: Thu, 29 Aug 2019 00:00:00 GMT
*        expire date: Tue, 07 Apr 2020 12:00:00 GMT
*        issuer: C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /tfs/***/info/refs?service=git-upload-pack HTTP/1.1
Host: ****
User-Agent: git/2.23.0
Accept: */*
Accept-Encoding: deflate, gzip
Accept-Language: C, *;q=0.9
Pragma: no-cache

< HTTP/1.1 403 Forbidden
< Content-Type: text/html
< Server: Microsoft-IIS/10.0
< Date: Sun, 22 Sep 2019 13:22:56 GMT
< Content-Length: 1300
<
* Connection #0 to host **** left intact
fatal: unable to access 'https://****/': The requested URL returned error: 403

输出结果唯一的区别就是密码提示

'cert:////home/scott/clientcert.pem' 的密码:

在我使用的文件夹内运行git config -l会产生以下有效配置

core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=https://****
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
gc.auto=0

我已经在这个问题上苦思冥想了一段时间,开始认为某些地方出了问题,GIT没有启动客户端证书握手过程(可以在curl中看到),因此没有呈现它并且因此得到了 403 错误。
我是否有所遗漏?
更新:
403 - 表示Web服务器由于客户端证书问题而拒绝请求 401 - 表示底层服务(TFS)由于身份验证问题而拒绝请求(这是一个单独的问题)
http.sslBackend 设置为 openssl 会改变什么吗? - bk2204
我已经尝试过这个了。Linux 的默认(并且唯一的记录选项)是 OpenSSL。 - ScottGuymer
403错误表示Git服务器未授予您对此存储库的读取访问权限,或Web服务器未授予对git-http-backend CGI程序的访问权限。 - user803422
3个回答
0

http.sslCertPasswordProtected: 每次我需要使用证书时,我总是使用删除密码的key

为了测试,您应该尝试并查看git fetch命令是否可以更好地使用不需要密码的密钥证书。

我尝试过这个(并再次尝试以进行验证),但没有成功。有什么想法,是否有任何限制可用于大小和类型的密钥和证书?看起来它正在连接到服务器,只是由于某种原因未呈现证书。 - ScottGuymer
@ScottGuymer,您能否编辑该问题,附上Git设置和Curl日志,说明连接失败,并使用无密码证书? - VonC
0

阅读文档时,我注意到以下配置参数:

http.sslTry

尝试在通过常规FTP协议连接时使用AUTH SSL/TLS和加密数据传输。如果FTP服务器出于安全原因要求它或者您希望在远程FTP服务器支持它时始终安全连接,则可能需要这样做。默认值为false,因为它可能会触发证书验证错误。

我不太明白为什么它会提到FTP(也许是复制/粘贴错误?),因为该配置参数与http相关...但也许你应该尝试一下。

-1

我不确定你的curl比git好多少,因为你也会得到一个错误:

HTTP/1.1 401 Unauthorized

请说明为什么你认为curl成功了。

我看到的是,在两种情况下(git和curl),服务器在TLS握手期间接受客户端,但请求被后端Web服务拒绝。(如果TLS握手失败,则您将永远看不到> GET ...部分)

后端Web服务如何决定是否授予访问权限?它使用客户端证书信息吗?

我会更新问题,但是:403 - 表示Web服务器由于客户端证书问题而拒绝请求 401 - 表示服务由于身份验证问题而拒绝请求(这是一个单独的问题) - ScottGuymer
我想我现在明白你的意思了。客户端证书协商已经完成,但由于某种原因,Web服务器拒绝接受该证书,认为其未经授权。这是与curl版本完全相同的证书,所以我不确定为什么会发生这种情况。 - ScottGuymer
1
这应该作为注释更好,而不是作为答案。 - istepaniuk
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接