Explore all Compression open source software, libraries, packages, source code, cloud functions and APIs.

Popular New Releases in Compression

zstd

Zstandard v1.5.2

brotli

v1.0.9

lz4

LZ4 v1.9.3

Compressor

snappy

Snappy 1.1.9

Top Authors in Compression

1

13 Libraries

2373

2

11 Libraries

21410

3

8 Libraries

74

4

7 Libraries

85

5

6 Libraries

800

6

5 Libraries

378

7

5 Libraries

19

8

5 Libraries

2129

9

5 Libraries

60

10

5 Libraries

1261

Trending Discussions on Compression

    Fixing git HTTPS Error: "bad key length" on macOS 12
    git gc: error: Could not read 0000000000000000000000000000000000000000
    Vuejs Webpack Compression Plugin not compressing
    Is Shannon-Fano coding ambiguous?
    Why does this .c file #include itself?
    APL Fork/Train with Compression
    .NET 6 failing at Decompress large gzip text
    angular 13: Module not found: Error: Can't resolve 'rxjs/operators'
    JavaScript: V8 question: are small integers pooled?
    Paramiko authentication fails with "Agreed upon 'rsa-sha2-512' pubkey algorithm" (and "unsupported public key algorithm: rsa-sha2-512" in sshd log)

QUESTION

Fixing git HTTPS Error: "bad key length" on macOS 12

Asked 2022-Mar-29 at 17:34

I am using a company-hosted (Bitbucket) git repository that is accessible via HTTPS. Accessing it (e.g. git fetch) worked using macOS 11 (Big Sur), but broke after an update to macOS 12 Monterey. *

After the update of macOS to 12 Monterey my previous git setup broke. Now I am getting the following error message:

    $ git fetch
    fatal: unable to access 'https://.../':
    error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length

For what it's worth, using curl does not work either:

    $ curl --insecure -L -v https://...
    *   Trying ...
    * Connected to ... (...) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/cert.pem
    *  CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length
    * Closing connection 0
    curl: (35) error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length

Accessing the same HTTPS-source via Safari or Firefox works.

As far as I understand, the underlying "bad key length" error is coming from OpenSSL/LibreSSL; this would be consistent with both git and curl failing after an OS upgrade.

This is the output from openssl:

    $ openssl s_client -servername ... -connect ...:443
    CONNECTED(00000005)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
    verify return:1
    depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
    verify return:1
    depth=0 ...
    4593010348:error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length:
    /System/Volumes/Data/SWE/macOS/BuildRoots/b8ff8433dc/Library/Caches/com.apple.xbs
    /Sources/libressl/libressl-75/libressl-2.8/crypto/apple/hmac/hmac.c:188:
    ---
    Certificate chain
     ...
    ---
    No client certificate CA names sent
    Server Temp Key: DH, 2048 bits
    ---
    SSL handshake has read 4105 bytes and written 318 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : DHE-RSA-AES256-GCM-SHA384
        Session-ID: 1FA062DC9EEC9A310FF8231F1EB11A3BD6E0778F7AB6E98EAD1020A44CF1A407
        Session-ID-ctx:
        Master-Key:
        Start Time: 1635319904
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

I did try adding the server's certificates to a custom pem file and setting http.sslCAInfo, but that didn't work. As a workaround, I am currently using a proxy that decrypts/re-encrypts HTTPS traffic.

How do I configure git (or all LibreSSL users) to accept the server's certificate?

ANSWER

Answered 2021-Nov-02 at 07:12

Unfortunately I can't provide you with a fix, but I've found a workaround for that exact same problem (company-hosted bitbucket resulting in exact same error). I also don't know exactly why the problem occurs, but my best guess would be that the libressl library shipped with Monterey has some sort of problem with specific (?TLSv1.3) certs. This guess is because the brew-installed openssl v1.1 and v3 don't throw that error when executed with /opt/homebrew/opt/openssl/bin/openssl s_client -connect ...:443

To get around that error, I've built git from source against different openssl and curl implementations:

  1. install autoconf, openssl and curl with brew (I think you can select the openssl lib you like, i.e. v1.1 or v3, I chose v3)
  2. clone git version you like, i.e. git clone --branch v2.33.1 https://github.com/git/git.git
  3. cd git
  4. make configure (that is why autoconf is needed)
  5. execute LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib -L/opt/homebrew/opt/curl/lib" CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include -I/opt/homebrew/opt/curl/include" ./configure --prefix=$HOME/git (here LDFLAGS and CPPFLAGS include the libs git will be built against, the right flags are emitted by brew on install success of curl and openssl; --prefix is the install directory of git, defaults to /usr/local but can be changed)
  6. make install
  7. ensure to add the install directory's subfolder /bin to the front of your $PATH to "override" the default git shipped by Monterey
  8. restart terminal
  9. check that git version shows the new version

This should help for now, but as I already said, this is only a workaround, hopefully Apple fixes their libressl fork ASAP.

Source https://stackoverflow.com/questions/69734654
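
The s_client output in the question shows a verify return code of 0 while the error is raised from hmac.c in the system LibreSSL, which points at the TLS library rather than at certificate trust. The script below is an added example, not part of the original post or answer: it classifies a transcript along that line. The function names are hypothetical, the first sample is trimmed from the question's output and the second sample is constructed.

```sh
#!/bin/sh
# Added example: classify an `openssl s_client` transcript as a certificate
# trust failure or a failure raised inside the TLS library itself.

# Lines copied from the question's s_client output (trimmed; the wrapped
# source path is joined back onto one line).
page_transcript() {
cat <<'EOF'
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
verify return:1
4593010348:error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length:/System/Volumes/Data/SWE/macOS/BuildRoots/b8ff8433dc/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75/libressl-2.8/crypto/apple/hmac/hmac.c:188:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
EOF
}

# Constructed contrast case: handshake completes, chain does not verify.
untrusted_transcript() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Error-queue lines look like pid:error:code:library:function:reason:file:line:
tls_error_reason() { awk -F: '$2 == "error" { print $6; exit }'; }
tls_error_source() { grep -Eo '[A-Za-z0-9_./-]+\.c:[0-9]+' | head -n 1 | sed 's#.*/##'; }
tls_verify_code()  { sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1; }
tls_cipher()       { sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1; }

# Reads a transcript on stdin and prints one verdict line.
tls_triage() {
    t=$(cat)
    reason=$(printf '%s\n' "$t" | tls_error_reason)
    src=$(printf '%s\n' "$t" | tls_error_source)
    code=$(printf '%s\n' "$t" | tls_verify_code)
    cipher=$(printf '%s\n' "$t" | tls_cipher)
    if [ -n "$code" ] && [ "$code" != 0 ]; then
        echo "trust: verify code $code; check the CA bundle (http.sslCAInfo)"
    elif [ -n "$reason" ]; then
        echo "library: '$reason' raised at $src with $cipher; verify code ${code:-unknown}"
    else
        echo "ok: no error queued, verify code ${code:-unknown}"
    fi
}

page_transcript | tls_triage
untrusted_transcript | tls_triage
```

A "library" verdict means changing the CA bundle will not clear the error; a "trust" verdict is the case http.sslCAInfo is meant for.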

Community Discussions contain sources that include Stack Exchange Network
