Git: libcurl is built without the HTTPS-proxy support

Created on 21 Mar 2018 · 8Comments · Source: git-for-windows/git

[x ] I was not able to find an open or closed issue matching what I'm seeing

Setup

Which version of Git for Windows are you using? Is it 32-bit or 64-bit?

$ git --version --build-options

git version 2.16.2.windows.1
cpu: x86_64
built from commit: e1848984d1004040ec5199e749b5f282ddf4bb09
sizeof-long: 4

64-bit

Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?

$ cmd.exe /c ver

Microsoft Windows [Version 10.0.14393]

64-bit

What options did you set as part of the installation? Or did you choose the
defaults?

$ cat /etc/install-options.txt

Editor Option: VIM
Path Option: Cmd
Plink Path: C:\Program Files\PuTTY\plink.exe
SSH Option: Plink
CURL Option: WinSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Use Credential Manager: Enabled
Enable Symlinks: Disabled

Any other interesting things about your environment that might be related
to the issue you're seeing?

behind a proxy server
this was not an issue with the version I had before upgrading (2.13.3)

Details

Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

Bash bundled with Git for Windows

What commands did you run to trigger this issue? If you can provide a
Minimal, Complete, and Verifiable example
this will help us understand the issue.

git fetch --all

...from a repo whose remote was served over https on a private instance of GitLab (with internet access through a proxy server)

What did you expect to occur after running these commands?

fetch of all objects from remote

What actually happened instead?

Fetching origin
fatal: unable to access 'https://<private.site>: Unsupported proxy '<proxy.server>:8080', libcurl is built without the HTTPS-proxy support.
error: Could not fetch origin

If the problem was occurring with a specific repository, can you provide the
URL to that repository to help us with testing?

not specific to repository

enhancement git

Source

jk23909

👍4

Most helpful comment

It turns out I'm not actually working with an https proxy, and removing the 'https://' from the proxy configuration in my .gitconfig file does the trick. Should this be closed, or is this a capability that should exist regardless of my situation?

jk23909 on 22 Mar 2018

👍2

All 8 comments

jk23909 on 22 Mar 2018

👍2

CURL Option: WinSSL

This is the culprit. The Secure Channel backend in cURL does not (yet) support HTTPS proxies. Let me look at the code...

dscho on 22 Mar 2018

@jk23909 I am curious about one thing, though: have you configured this proxy in your Internet Settings? If so, does it work when you unset http.proxy?

dscho on 22 Mar 2018

And here is my analysis: Secure Channel support was added to cURL in curl/curl@aaa42aa0d594b95c6c670a373ba30c507aa0a5ed, and while it includes the Curl_schannel_connect() function, that function seems to have been simply copy-edited from the OpenSSL version, and it is not working properly.

Hence my question whether it works when the proxy is configured in Windows (which Secure Channel might pick up).

dscho on 22 Mar 2018

After unsetting http.proxy and https.proxy, everything still works. I swear I needed to configure at least one of these explicitly in git as recently as two weeks ago (while setting up git for coworkers). I don't have a proxy configured explicitly in Windows, but our group policy now has it forced to automatic discovery through WPAD.

jk23909 on 23 Mar 2018

🎉1

@jk23909 okay, that's great to hear!

It would be nice, of course, if there was a helpful error message... Or maybe we should just disable http.proxy when http.sslBackend=schannel? I am unsure.

dscho on 23 Mar 2018

After unsetting http.proxy and https.proxy, everything still works.

I guess there were some local changes on your end. Maybe your firewall now allows a direct connection without proxy or the http_proxy environment variable is set.

Or maybe we should just disable http.proxy when http.sslBackend=schannel

No. With git version 2.20.1.windows.1, I still have to configure http.proxy to make it work with schannel backend.

Please note that the original report did come from a wrong configuration. A secure web proxy (an HTTP proxy you are communicating via SSL) is very uncommon. http.proxy = https://.../ is probably wrong in most of the cases.

schlamar on 29 May 2019

I actually am behind a secure web proxy (HTTPS proxy) with authentication, and thus unsetting http.proxy when http.sslBackend=schannel won't work for me, as there's nowhere to store my credentials now.