
SSL and Git on Windows

I usually use macOS or Debian Linux for my development environments but I recently decided to give my Windows 10 machine a try for some small coding projects.

I have an existing self-hosted Git server with a repository that I was hoping to pull down for some code revision. I installed the most recent release of Git for Windows (version 2.46.2), ran git init in a development folder I’ve established on the Windows machine, then git remote add <origin> to add the remote repository, and finally git fetch <origin> to pull down the list of branches in the repository.

Upon running the git fetch command, I received a fatal error:

fatal: unable to access '<Git server>/<user>/<repository>/': schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

This seemed peculiar as the Git server I’m using is configured with TLS v1.3 and a valid Let’s Encrypt certificate chain. The error message suggests that the Windows System event log may contain details about what caused the error, but unfortunately for me, the System log contained no such entries.

A quick online search often does the trick as I’m usually not the first to run into errors like this. I came across an issue on the GitHub Desktop code repository (dated 8 June 2022) that involved another user experiencing the same issue when attempting to push a commit to GitHub from their own environment.

Steve Ward (@steveward), a developer for the GitHub Desktop project, suggested running git config http.sslBackend to troubleshoot which “SSL backend” was configured for use in the user’s Git environment. Of course, I decided to give this a shot myself to see what it would return:

> git config http.sslBackend
schannel

This option appeared earlier in the fatal error but I didn’t make sense of it at the time. A quick search of the documentation for git config returned the available options for http.sslBackend for the 2.46.2 version of Git that I was using:

The documentation indicates there are two options available, and my particular installation is using the schannel option as reflected in the preceding command output. I decided to flip the configuration to openssl and test with another git fetch to see if there would be any difference:

> git config --global http.sslBackend openssl
> git fetch <origin>

And just like that, Git is working again for me!
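
The following PowerShell script is an added example, not part of the original post: it probes which TLS versions the Windows TLS stack (Schannel, which .NET's SslStream uses on Windows) can negotiate with the Git server, shows which config file sets http.sslBackend, and can switch the backend for the current repository only instead of with --global. The hostname git.example.internal, the function name Test-SchannelTls and the -UseOpenSslForThisRepo switch are assumptions made for illustration.

```powershell
# Added example. $GitHost and Test-SchannelTls are illustrative names.
param(
    [string]$GitHost = 'git.example.internal',   # placeholder hostname
    [int]$Port = 443,
    [switch]$UseOpenSslForThisRepo
)

function Test-SchannelTls {
    param([string]$HostName, [int]$Port, [string]$ProtocolName)
    try {
        # Older .NET runtimes do not define every protocol name (e.g. Tls13).
        $protocol = [System.Security.Authentication.SslProtocols]$ProtocolName
    } catch {
        return 'not defined by this .NET runtime'
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # Default validation: the chain is checked against the Windows store.
            $ssl.AuthenticateAsClient($HostName, $null, $protocol, $false)
            return "negotiated $($ssl.SslProtocol)"
        } finally {
            $ssl.Dispose()
        }
    } catch {
        return "failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
}

# 1. Which TLS versions can the OS stack negotiate with the server?
foreach ($name in 'Tls12', 'Tls13') {
    '{0,-6} {1}' -f $name, (Test-SchannelTls $GitHost $Port $name)
}

# 2. Which config file sets the backend, and which CA bundle would OpenSSL use?
git config --show-origin --show-scope --get-all http.sslBackend
git config --show-origin --get http.sslCAInfo

# 3. Optionally switch only the current repository instead of using --global.
if ($UseOpenSslForThisRepo) {
    git config --local http.sslBackend openssl
    git config --show-origin --get-all http.sslBackend
}
```

With the openssl backend, Git validates the server certificate against the CA bundle named by http.sslCAInfo rather than the Windows certificate store, so any internal CA trusted only through the Windows store has to be added to that bundle.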