error: gnutls_handshake() failed: A TLS warning alert has been received.
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
This issue can manifest in 2 ways:
First way:
Performing around a hundred of subsequent cloning or pushing operations directly to Bitbucket Server results in the following error:
1
error: gnutls_handshake() failed: A TLS warning alert has been received.Second way:
The error message below has been perceived while frequently running git fetch from clients when Bitbucket Server using HTTPS.
1
error: The requested URL returned error: 400 while accessingIf you're running into the error below, setting Git on your client to DEBUG should uncover the same message as seen in the First way:
1
error: gnutls_handshake() failed: A TLS warning alert has been received.Cause
We've seen this issue being caused by either one of the causes below:
1) Bitbucket Server:
This happens if your Bitbucket Server instance is running on a Java 7 that contains a bug in the TLS/SSL stack.
2) Git Client
The client performing the git fetch operation has run into a bug found libcurl3-gnutls introduced on the 7.21.6-3 release when using HTTPS.
Resolution
You can either:
1) Bitbucket Server
As a workaround for this Java bug, you can attach the following parameter to your Tomcat HTTPS connector. The solution has been described here:
1 2 3 4 5 6 7ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV2"Or upgrade the JVM on the Bitbucket Server instance to version 7u60 or above.
We have an assertive confirmation from one of our customers that upgrading to from to 7u45 to 8u45 fixed the issue.
2) Git Client
As reported by a user on the previously linked bug, downgrading libcurl3-gnutls from 7.21.6-3 to 7.21.0-1 is an easy way to solve this issue. See the user's comment:
> I had the same problem, here.
> Downgrading libcurl3-gnutls from 7.21.6-3 to 7.21.0-1 fixed it for me.
Alternatively, if you are trying these operations from a client running Ubuntu, you can find on their forum a workaround to compile your git on the client with openssl, moving off from libcurl3-gnutls.
Quoting the solution from the Ubuntu forum above:
1
2
3
4
5
6
7
8
sudo apt-get install build-essential fakeroot dpkg-dev
mkdir ~/git-openssl
cd ~/git-openssl
sudo apt-get source git
sudo apt-get build-dep git
sudo apt-get install libcurl4-openssl-dev
sudo dpkg-source -x git_1.7.9.5-1.dsc
cd git_1.7.9.5Then, edit debian/control file (run the command: gksu gedit debian/control) and replace all instances of libcurl4-gnutls-dev with libcurl4-openssl-dev.
Then build the package (if it's failing on test, you can remove the line TEST=test from the file debian/rules):
1
sudo dpkg-buildpackage -rfakeroot -bInstall the new package:
i386: sudo dpkg -i ../git_1.7.9.5-1_i386.deb
x86_64: sudo dpkg -i ../git_1.7.9.5-1_amd64.deb
Was this helpful?