Git clone fails with SSL routines:SSL23_GET_SERVER_HELLO
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
The following errors are encountered when trying to clone a Bitbucket Server repository from a client machine:
1
2
3
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
fatal: unable to access 'https://kidney:8443/bitbucket/scm/proj/testone.git': error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
1
2
Cloning into 'clone'...
fatal: unable to access 'https://kidney:8443/bitbucket/scm/proj/clone.git': error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failureCause
There is a reported bug in OpenSSL: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137. The OpenSSL version installed on your client is v1.0+.
Resolution
Option 1:
Edit the Tomcat configuration for Bitbucket Server (as an attribute under the Connector element) to only allow stronger encryption by editing <Bitbucket Server installation directory>/conf/server.xml and then restarting Bitbucket Server:
1
2
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"For Bitbucket Server 5.0+, the ciphers can be controlled by adding server.ssl.ciphers in $BITBUCKET_HOME/shared/bitbucket.properties with the ciphers from above.
Option 2:
This bug was introduced as of OpenSSL v1.0+. Please downgrade your OpenSSL/0.9.8k on the client trying to clone from Bitbucket Server.
Read more here:
Was this helpful?