# git won't clone -- networking issue? [SOLVED]

## justin_brody

Hello,

I don't seem able to clone git repositories in the natural way:

```
/tmp $ git clone https://github.com/allenai/ai2thor
Cloning into 'ai2thor'...
tmp $ 
```

(nothing was actually cloned).  On the other hand if I change the URL to git://github.com/allenai/ai2thor it clones o.k.

I've seen it suggested that this might be a network issue (the box is at a college). Any tips on checking/resolving this?

Thanks in advance!

Last edited by justin_brody on Mon Feb 03, 2020 2:24 am; edited 1 time in total

----------

## szatox

Perhaps a proxy?

Some companies and institutions have L7 firewalls that, among other things, MITM your https traffic.

You can check the website's certificate (the CA would be particularly interesting there).

Also, running git with --verbose may provide some additional information that would help with debugging.

----------

## justin_brody

Thanks for the tips szatox!

Adding --verbose doesn't give me any extra info.

Checking the ssl cert gives:

 *Quote:*   

> Common name: goucher.edu
> 
> SANs: goucher.edu, *.goucher.edu
> 
> ...

Not quite sure what to make of this though.  Does this sound like that situation you're talking about?

Also, another machine I have access to at the same school can do git just fine.  

Would being behind a router make a difference?  The machine that works is directly on the network whereas the one that doesn't is behind a router.

----------

## Hu

 *justin_brody wrote:*   

> Checking the ssl cert gives: Common name: goucher.edu
> 
> Not quite sure what to make of this though.  Does this sound like that situation you're talking about?

 Yes.  That is definitely the wrong certificate.

```
curl -v -o /dev/null https://github.com/allenai/ai2thor
...
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: May  8 00:00:00 2018 GMT
*  expire date: Jun  3 12:00:00 2020 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
...
```

 *justin_brody wrote:*   

> Also, another machine I have access to at the same school can do git just fine.

 Please try the curl command I showed on both machines and report their results.  It's possible (though not likely) that you won't get exactly what I got, but you definitely should see a CN of github.com.

 *justin_brody wrote:*   

> Would being behind a router make a difference?  The machine that works is directly on the network whereas the one that doesn't is behind a router.

 Only if the router is breaking protocol by intercepting and modifying your HTTPS connection.  If it's doing that, you should report it to the IT department as a bug.  They'll almost certainly claim it's intentional, but it's still wrong.  Silently intercepting and modifying HTTPS traffic is never correct, but is popular among IT departments that think their "need to know" everything traversing the network is more important than not breaking applications.

As a reminder, the git:// protocol is, by design, not secure and should not be used over an untrusted network if you care about the confidentiality or integrity of the data.  Since your network seems to be manipulating HTTPS traffic, I would definitely consider it untrusted.

----------

## szatox

 *Quote:*   

>  Not quite sure what to make of this though. Does this sound like that situation you're talking about? 

 Yes, definitely. You're being MITMed by a local network admin.

Proxy can do some caching, virus scanning, content filtering etc. It may for example block http methods other than GET/POST.

It can also accompany you watching porn and eavesdrop on your passwords. Yay.

Uni's machines probably had this certificate added to trusted either by local sysadmin or windows domain policy. Your private hardware should report SSL error, I don't think those CAs embedded in L7 firewalls are widely trusted.

 *Quote:*   

> As a reminder, the git:// protocol is, by design, not secure and should not be used over an untrusted network

 That's correct. It's been designed for publishing your code, not protecting it from access. Use ssh for secure access, be it private repository or a push to the origin.

----------

## justin_brody

Many thanks to both of you.

Hu, here are the results of the curl command.

From the machine where git doesn't work:

```
 ~ $ curl -v -o /dev/null https://github.com/allenai/ai2thor
*   Trying 140.82.114.4:443...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to github.com (140.82.114.4) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3085 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: May  8 00:00:00 2018 GMT
*  expire date: Jun  3 12:00:00 2020 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> GET /allenai/ai2thor HTTP/1.1
> Host: github.com
> User-Agent: curl/7.65.0
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Sun, 02 Feb 2020 00:15:35 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Status: 200 OK
< Vary: X-PJAX
< ETag: W/"af65dd12d3fbf675fc0c0b7ffe20737d"
< Cache-Control: max-age=0, private, must-revalidate
< Set-Cookie: has_recent_activity=1; path=/; expires=Sun, 02 Feb 2020 01:15:34 -0000
< Set-Cookie: _octo=GH1.1.941695103.1580602534; domain=.github.com; path=/; expires=Tue, 02 Feb 2021 00:15:34 -0000
< Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 02 Feb 2021 00:15:35 -0000; secure; HttpOnly
< Set-Cookie: 
_gh_sess=
bWgvTTE0VW1wYnpycnZaTVk4WjJCZTh3UGsyK3FUbmEyMndvUEFZZ1FLakovQWxXcGNycTZJNE9
MQitvUFpJbXZBMU95dkYyaTFJMS9NZWFiRjVqRExaY0h4TEZ5RzYySEJBUUZUc2w4dVNIcjNoSW
JWdzVQVjFaT01ueXN5cnVFWlhpYlZrT0xCNkxDdWh6REJFclo3YVltOFM5T2MwMXJaNnZNYVRyQ
WhFa0FPZmU1eXRFbUJHbmVvNFAyc3h4eUZVRFh0VGV6YWNFdHpGUVBiOHZGNzN6WnBBUnJMc2FM
MnFMQytrVGdvWT0tLWsxVEJuckthSFJEV2p5TnpoUEN3SUE9PQ%3D%3D--
69de9c859c9a51b670bc08a0eeed675481ae8be9; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
{ [5 bytes data]
< Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
< X-GitHub-Request-Id: E63B:71C5:274062:523AF7:5E3614A6
<
{ [551 bytes data]
100  106k    0  106k    0     0   239k      0 --:--:-- --:--:-- --:--:--  252k
* Connection #0 to host github.com left intact
```

and from the machine where it does work:

```
$ curl -v -o /dev/null https://github.com/allenai/ai2thor
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to github.com port 443 (#0)
*   Trying 140.82.114.4...
* Connected to github.com (140.82.114.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=github.com,O="GitHub, Inc.",L=San Francisco,ST=California,C=US,serialNumber=5157550,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
*       start date: May 08 00:00:00 2018 GMT
*       expire date: Jun 03 12:00:00 2020 GMT
*       common name: github.com
*       issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET /allenai/ai2thor HTTP/1.1
> User-Agent: curl/7.29.0
> Host: github.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Sun, 02 Feb 2020 00:17:27 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Status: 200 OK
< Vary: X-PJAX
< ETag: W/"e9efd5cc22c1061201585c2b78d09c8e"
< Cache-Control: max-age=0, private, must-revalidate
< Set-Cookie: has_recent_activity=1; path=/; expires=Sun, 02 Feb 2020 01:17:27 -0000
< Set-Cookie: _octo=GH1.1.1702289297.1580602647; domain=.github.com; path=/; expires=Tue, 02 Feb 2021 00:17:27 -0000
< Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 02 Feb 2021 00:17:27 -0000; secure; HttpOnly
< Set-Cookie: 
_gh_sess=
em1HNlRXbFUyZTgxTjFFbExCT09BVDlpaXRtQVRUTkZIbXhneG0xUkVlaGxFSkFHL09EYS84K3J
WdkYvTEsyT2tnNWtJVjFrWERMYVVYM1h1Y0RJTUJjSEVGWW1KRDNFWW5qY3BVdHZxQXdkc2V4eX
NVWGN2bXFBNEtCZE8zVXB0VXVudkpidFlaUHJXbzNXS01xci9Yc3czY01oYmJDWTc0TWxJU3FzS
nZRY1g3RDBERy9TMXB0SVN4M0JqTXdhaldoWVh0dVIwcDE4WVdjSE5pSWZJaTNzd3ZXc291d2g5
MTR1SjNkR3ZPcz0tLUZWMUxwaGRYai82YTc5M1drUFNmMEE9PQ%3D%3D--
68d29b60494e534a1a7a4537086bc33688f11c41; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
< Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
< X-GitHub-Request-Id: D56E:2FBF:93C13C:12629C0:5E361517
< 
{ [data not shown]
100  106k    0  106k    0     0   165k      0 --:--:-- --:--:-- --:--:--  165k
* Connection #0 to host github.com left intact
```

For both of you, if the problem is that the ISP is hijacking my connection, is there anything I can do about it?

Thanks again for the help!

Wrapped long lines to make the forum layout behave. —Chiitoo

----------

## Hu

That is strange.  Neither of those certificates is obviously invalid, and neither matches the one you showed earlier when you said you checked the SSL certificate (when you showed the common name of goucher.edu).  What did you do to get that output?

If your ISP hijacks the connection, your options are limited.

- You could try to use a VPN to tunnel around it.
- You could try to find a protocol that can do what you want despite the hijacking.  For github, if you have an account and you add an ssh public key to your account, you might be able to use the git+ssh:// protocol to retrieve files, even when those files are part of someone else's repository (providing that the files are considered "public").
- You could try to pull rank.  If you're an important enough person in the local organizational hierarchy, you might be able to force the provider to make an exception.  This probably only applies if your title includes "Vice President" or similar though.
- You could try to plead necessity.  If the interception is breaking a program you need to use, and failure to use the program means that you will fail an obligation to someone who can pull rank, you might be able to get them to assert their position on your behalf.
- In some limited circumstances, which probably don't apply here, you could try to use local privacy laws against them.  I've seen claims that even the "reduced expectation of privacy" that lets them get away with pulling this in the general case doesn't permit snooping certain highly sensitive connections, like traffic with your bank.  Most organizations large enough to bother with intercepting traffic like this also have the sense to consult with lawyers before rolling it out, so the monitoring organization probably already has all the exceptions required by local law, and cannot be intimidated into making another one.

----------

## justin_brody

Many thanks Hu.  The earlier output was just from going to a random website that reported on CA certificates for given domains.  Probably that information isn't correct -- my apologies there.

Does this then indicate that connections are probably not being hijacked?

I should probably add that I'm not sure what the  correct way to check the certificate is here.  Could you point me in the right direction?

----------

## Hu

The curl command I gave, which you ran, is a decent way of dumping the server's certificate to screen.  It's slightly odd that you got different results for the two hosts, but neither look like an obvious hijacking attempt to me.  Some large websites use load balancers that disagree about what certificate to use, which has no negative impact on direct security, but has some indirect impact in that it makes certificate pinning harder to use, and it makes debugging things like this more trouble because we cannot jump immediately from "Certificates do not match" to "Something has been hijacked."

I think at this point we need to go back to git and try to make it explain what it is doing, probably in extremely high detail, since we don't know what we are seeking.  Start by reading man git and looking at the family of GIT_TRACE environment variables.  Enable whichever ones talk about network transport / protocol negotiation.  Run git with those set.  You probably need to direct the tracing output to a file.  Although probably not relevant here since you are anonymously cloning a public repository, you should inspect the output for anything you need to redact before you post it.  Depending on the size, you may need to use a pastebin for the trace log.
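The two checks Hu reads off the curl output by hand (does the certificate's name cover the host we asked for, and is the issuer the CA we expect for that site) can be automated. This is an added example, not code from the thread; the `fetch_peer_cert` helper needs network access, while `inspect_cert` works on the dict Python's `ssl` module returns, so the constructed sample certificates below (modelled on the github.com and goucher.edu values quoted in the thread, with a made-up interception case) exercise it offline.

```python
"""Read a TLS leaf certificate the way the 'Server certificate:' block of curl -v is read."""
import socket
import ssl
from typing import Dict, List, Sequence


def fetch_peer_cert(host: str, port: int = 443) -> Dict:
    """Connect using the system trust store (what curl's CAfile does) and return the
    leaf certificate in the dict layout ssl.SSLSocket.getpeercert() produces.
    Only this function touches the network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _rdn_value(name: Sequence, key: str) -> str:
    # getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple of (type, value) pairs.
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return ""


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label wildcard such as *.goucher.edu (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def inspect_cert(cert: Dict, host: str, expected_issuer_org: str) -> Dict:
    """Extract CN, SANs and issuer, then give a verdict. expected_issuer_org is the CA
    organisation the real site is known to use (for github.com in the thread: DigiCert Inc)."""
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    sans: List[str] = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    names = sans or ([cn] if cn else [])  # SANs are authoritative; CN is only a fallback
    host_ok = any(_name_matches(n, host) for n in names)
    issuer_ok = issuer_org == expected_issuer_org
    if host_ok and issuer_ok:
        verdict = "consistent with the real certificate"
    elif host_ok:
        verdict = "name matches but issuer is unexpected: consistent with a local CA re-signing the site"
    else:
        verdict = "certificate is for a different name: wrong host or an interception"
    return {"cn": cn, "sans": sans, "issuer_org": issuer_org,
            "host_matches": host_ok, "issuer_expected": issuer_ok, "verdict": verdict}


# Constructed sample dicts in getpeercert() layout, mirroring values quoted in the thread.
GITHUB_CERT = {
    "subject": ((("businessCategory", "Private Organization"),), (("countryName", "US"),),
                (("organizationName", "GitHub, Inc."),), (("commonName", "github.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert SHA2 Extended Validation Server CA"),)),
    "subjectAltName": (("DNS", "github.com"),),
    "notBefore": "May  8 00:00:00 2018 GMT", "notAfter": "Jun  3 12:00:00 2020 GMT",
}
GOUCHER_CERT = {  # what the poster's first lookup returned; issuer is constructed, not on the page
    "subject": ((("commonName", "goucher.edu"),),),
    "issuer": ((("organizationName", "Some Public CA"),),),
    "subjectAltName": (("DNS", "goucher.edu"), ("DNS", "*.goucher.edu")),
}
INTERCEPTED_CERT = {  # constructed: how an L7 firewall re-signing github.com would present
    "subject": ((("commonName", "github.com"),),),
    "issuer": ((("organizationName", "Example Campus Firewall CA"),),),
    "subjectAltName": (("DNS", "github.com"),),
}

if __name__ == "__main__":
    for label, cert in (("github", GITHUB_CERT), ("goucher", GOUCHER_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label, inspect_cert(cert, "github.com", "DigiCert Inc")["verdict"])
```

Replace the sample dicts with `fetch_peer_cert("github.com")` on each machine to compare what the two hosts actually receive; a differing issuer between them is the signal Hu describes, while a differing serial alone can simply be a load balancer.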

----------

## justin_brody

O.k., happy to report that I re-emerged both git and curl and now I'm seeing the expected behavior!

Thanks so much for your efforts with this; I'm glad we've got such a great Gentoo community!

Best,

Justin

----------

## iandoug

Whether I use https or git:// I get:

```
fatal: unable to access 'https://github.com/iandoug/qmk_firmware/': Failed to connect to github.com port 443: Connection timed out
```

I have queried my ISP but, you know, Helpdesk won't find this in their prompt files ....

I have already checked firewall and router, they're not doing anything with port 443.

All "answers" that Google finds refer to proxy servers, typically at Varsities/corporate, and that doesn't apply to me ...

Any ideas?

using --verbose showed nothing extra.

It used to work in the past.

Thanks, Ian

----------

## Hu

 *iandoug wrote:*   

> ```
> fatal: unable to access 'https://github.com/iandoug/qmk_firmware/': Failed to connect to github.com port 443: Connection timed out
> ```
> ...

 The request fails with git; can you access that URL from your browser?  Are you behind a mandatory HTTPS proxy?

 *iandoug wrote:*   

> Any ideas?

 Try the debugging steps that I directed to the original poster, above.  Your error is clearly different, as you time out while he got nothing.  However, the git trace facilities may still be of interest.

----------

## yoshi314

I had similar issue just yesterday, where git would complain about github ssl certs. 

When testing with curl it turned out that for some reason libnsspem.so is now required, but missing. I installed this library and it resolved my issues. 

Git did not give me that error message, though.

----------

## iandoug

In my case the problem was self-inflicted: at some point in the past I had added

```
192.30.253.113 github.com
151.101.4.133 assets-cdn.github.com
```

to /etc/hosts (probably because someone somewhere said it was a good idea), and now those IPs are no longer valid so things fail weirdly.

Cheers, Ian

----------

