Cannot communicate securely with peer: no common encryption algorithm(s)

Question

I am a fedora 20 user. While cloning a repository,I got the following error: " Cloning into 'git_missions'... fatal: unable to access ' https://openhatch.org/git-mission-data/git/hithard/ ': Cannot communicate securely with peer: no common encryption algorithm(s). "

I am not getting what to do?need help.

Answer 1

The simplest solution is just to use http instead of https :

$ git clone http://openhatch.org/git-mission-data/git/hithard/
Cloning into 'hithard'...
remote: Counting objects: 3, done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
Checking connectivity... done.

I think the error itself ("no common encryption algorithms") is accurate; it appears that the server wants to use some sort of elliptic curve cipher (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) that is not supported by git's underlying SSL library. You can use something like wireshark to capture the SSL handshake between git and the server and see the options being passed back and forth.

At least on my system, curl does not seem to support this cipher, and git uses libcurl for handling https/http connections.

Update

So, based on my last comment to @mattdm, in which I discovered that curl on my system is using the NSS crypto library, the following works:

curl --ciphers ecdhe_ecdsa_aes_128_gcm_sha_256 https://openhatch.org/

Unfortunately, there isn't any way to pass a cipher list to git . The patch to make it do so is trivial -- here is one version I just made -- but I don't know what the odds are of getting this accepted upstream.

Answer 2

Unfortunately, there isn't any way to pass a cipher list to git

larsks mentioned in the comments :

I've had a patch accepted to git that addresses this issue

That has been indeed accepted, and merge in Git 2.5+ (Q2 2015)

See commit f6f2a9e by Lars Kellogg-Stedman ( larsks ) , 08 May 2015.
^{(Merged by Junio C Hamano -- gitster -- in commit 39fa791 , 22 May 2015)}

http : add support for specifying an SSL cipher list

Teach git about a new option, " http.sslCipherList ", which permits one to specify a list of ciphers to use when negotiating SSL connections.
The setting can be overridden by the GIT_SSL_CIPHER_LIST environment variable.

The git config man page now includes:

http.sslCipherList:

A list of SSL ciphers to use when negotiating an SSL connection.
The available ciphers depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use.
Internally this sets the 'CURLOPT_SSL_CIPHER_LIST' option; see the libcurl documentation for more details on the format of this list .

Can be overridden by the ' GIT_SSL_CIPHER_LIST ' environment variable.
To force git to use libcurl's default cipher list and ignore any explicit http.sslCipherList option, set ' GIT_SSL_CIPHER_LIST ' to the empty string.

---

That can come in handy in 2015:

• " Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment? "
• " Hardening Your Web Server's SSL Ciphers "
• Nick Craver 's problems with SSL/TLS and productivity , with a now fixed security issue ( weakdh.org , the Logjam Attack exploiting a weaknesses in how Diffie-Hellman key exchange has been deployed).

---

Update August 2015: Git 2.6+ (Q3 2015) will allow to specify the SSL version explicitly:

http : add support for specifying the SSL version

See commit 01861cb (14 Aug 2015) by Elia Pinto ( devzero2000 ) .
Helped-by: Eric Sunshine ( sunshineco ) .
^{(Merged by Junio C Hamano -- gitster -- in commit ed070a4 , 26 Aug 2015)}

http.sslVersion

The SSL version to use when negotiating an SSL connection, if you want to force the default.
The available and default version depend on whether libcurl was built against NSS or OpenSSL and the particular configuration of the crypto library in use. Internally this sets the ' CURLOPT_SSL_VERSION ' option; see the libcurl documentation for more details on the format of this option and for the ssl version supported.
Actually the possible values of this option are:

• sslv2
• sslv3
• tlsv1
• tlsv1.0
• tlsv1.1
• tlsv1.2

Can be overridden by the ' GIT_SSL_VERSION ' environment variable.
To force git to use libcurl's default ssl version and ignore any explicit http.sslversion option, set 'GIT_SSL_VERSION' to the empty string.