Re: [msysGit] git clone with http proxy fails with RPC failed result=22, HTTP code=0

[Pat Thoyts]

On 20 February 2013 17:24, <eben...@gmail.com> wrote:
> I'm running into problems using git over an http proxy. I have configured
> my http.proxy variable and it seemingly works as I am able to do:
>
> git ls-remote https://er...@git.assembla.com/myproj.git
>
> However, when I try git clone, it fails with the following error:
> error: RPC faifled; result=22, HTTP code = 0
> fatal: The remote end hung up unexpectedly
>
> I enabled GIT_CURL_VERBOSE and see that the connection is properly
> authenticating to the proxy with some requests, but skips/fails at the end,
> thus causing the error.
>
> < HTTP/1.1 407 Proxy Authentication Required
> < Proxy-Authenticate: NTLM
> * Authentication problem. Ignoring this.
> < Cache-Control: no-cache
> < Pragma: no-cache
> < Content-Type: text/html; charset=utf-8
> < Proxy-Connection: close
> < Set-Cookie: BCSI-CS-dcfa3879f83cfd49=2; Path=/
> < Connection: close
> < Content-Length: 3742
> <
> * Closing connection #0
> * HTTP response code said error
> error: RPC failed; result=22, HTTP code = 0
>
> I am not sure, however, to resolve the issue.
>
> I am using:
> git version 1.7.10.msysgit.1
> Windows 7 x64
>

The current release is 1.8.1 so first try upgrading to the latest
version. It's possible this was fixed when updating curl for 1.7.11.
If not I suggest trying to get curl working on its own first and then
seeing if git can work the same way. It may just be a matter of
setting your http_proxy and https_proxy environment variables to
include both the username and password required by the proxy (eg:
http_proxy=http://DOMAIN\\USERNAME:sekret@localproxy:3128/ ). Although
I _think_ curl is supposed to pick that up for itself. Check curl -V
includes SSPI and NTLM in the features list.

[eben...@gmail.com]

On Wednesday, February 20, 2013 7:51:22 PM UTC-5, Pat Thoyts wrote:

> I'm running into problems using git over an http proxy.  I have configured
> my http.proxy variable and it seemingly works as I am able to do:
>
> git ls-remote https://er...@git.assembla.com/myproj.git
>
> However, when I try git clone, it fails with the following error:
> error: RPC faifled; result=22, HTTP code = 0
> fatal: The remote end hung up unexpectedly
>
> I enabled GIT_CURL_VERBOSE and see that the connection is properly
> authenticating to the proxy with some requests, but skips/fails at the end,
> thus causing the error.

 

The current release is 1.8.1 so first try upgrading to the latest

version. It's possible this was fixed when updating curl for 1.7.11.
If not I suggest trying to get curl working on its own first and then
seeing if git can work the same way.

I upgraded to 1.8.1, but that does not seem to make any difference.  What I don't understand about the curl integration is that even if I remove curl.exe from the git/bin directory, git still works the same.  As though it is not using the executable and instead is using something from a library.

Nonetheless, if I add http_proxy as a regular environment variable and run curl by itself, it is able to successfully download the pages without issue (ex: curl http://www.google.com).

However, when run via git (with curl verbose enabled), I get the following:

<snip>

* Couldn't find host git.assembla.com in the _netrc file; using defaults

* About to connect() to proxy p01.proxy.local port 8080 (#2)

*   Trying 192.168.132.28... * 0x6b42f0 is at send pipe head!

* Connected to p01.proxy.local (192.168.132.28) port 8080 (#2)

* Establish HTTP proxy tunnel to git.assembla.com:443

* Proxy auth using NTLM with user 'domain\eric'

* Server auth using Basic with user 'eric'

> CONNECT git.assembla.com:443 HTTP/1.1

Host: git.assembla.com:443

Proxy-Authorization: NTLM TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

User-Agent: git/1.8.1.msysgit.1

Proxy-Connection: Keep-Alive

Pragma: no-cache

< HTTP/1.1 407 Proxy Authentication Required

< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAA1goniaNrsQh9gxi8AAAAAAAAAALAAsAA+AAAABgGxHQAAAA9SAEUAUwACAAYAUgBFAFMAAQAYAFcAUwBQAEkAQwBBAEQARwBUAFcAMAAxAAQAHAByAGUAcwAuAGIAbgBnAGYALgBsAG8AYwBhAGwAAwA2AFcAUwBQAEkAQwBBAEQARwBUAFcAMAAxAC4AcgBlAHMALgBiAG4AZwBmAC4AbABvAGMAYQBsAAUAHAByAGUAcwAuAGIAbgBnAGYALgBsAG8AYwBhAGwABwAIANeVYiRKEM4BAAAAAA==

< Cache-Control: no-cache

< Pragma: no-cache

< Content-Type: text/html; charset=utf-8

< Proxy-Connection: Keep-Alive

< Set-Cookie: BCSI-CS-bbdac58099c9135e=2; Path=/

< Connection: Keep-Alive

< Content-Length: 3742

< 

* Ignore 3742 bytes of response-body

* Establish HTTP proxy tunnel to git.assembla.com:443

* Proxy auth using NTLM with user 'domain\eric'

* Server auth using Basic with user 'eric'

> CONNECT git.assembla.com:443 HTTP/1.1

Host: git.assembla.com:443

Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAIIAAAAYABgAmgAAAAYABgBYAAAAEAAQAF4AAAAUABQAbgAAABAAEACyAAAANYKI4gYBsR0AAAAPWDXOPqtEiPdhuyBVXOiqiWwAYgBnAGMANgAxADIANwAxAGIANAAyAFUAQQAxADMAOAAxAEQAUwA1AJTfwRb2KCsGAAAAAAAAAAAAAAAAAAAAAAYNlQs5e2BYfImxbu7x/LrnaskoPmGkoMYA/akIQnrIFc+CMgcOUzk=

User-Agent: git/1.8.1.msysgit.1

Proxy-Connection: Keep-Alive

Pragma: no-cache

< HTTP/1.1 200 Connection established

< 

* Proxy replied OK to CONNECT request

* successfully set certificate verify locations:

*   CAfile: C:\Program Files (x86)\Git/bin/curl-ca-bundle.crt

  CApath: none

* SSL re-using session ID

* SSL connection using DHE-RSA-AES256-SHA

* old SSL session ID is stale, removing

* Server certificate:

*   subject: O=*.assembla.com; OU=Domain Control Validated; CN=*.assembla.com

*   start date: 2011-03-24 19:30:40 GMT

*   expire date: 2013-03-24 19:30:40 GMT

*   subjectAltName: git.assembla.com matched

*   issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certificates.godaddy.com/repository; CN=Go Daddy Secure Certification Authority; serialNumber=07969287

*   SSL certificate verify ok.

* Server auth using Basic with user 'eric'

> GET /myproj.git/info/refs?service=git-upload-pack HTTP/1.1

Authorization: Basic YmVuemU6YmVuemUxMjM=

User-Agent: git/1.8.1.msysgit.1

Host: git.assembla.com

Accept: */*

Accept-Encoding: gzip

Pragma: no-cache

< HTTP/1.1 200 OK

< Date: Thu, 21 Feb 2013 15:43:06 GMT

< Server: Apache/2.2.16 (Debian)

< Expires: Tue, 01 Jan 1980 00:00:00 GMT

< Pragma: no-cache

< Cache-Control: no-cache, max-age=0, must-revalidate

< Content-Type: application/x-git-upload-pack-advertisement

< Transfer-Encoding: chunked

< 

* Connection #2 to host p01.proxy.local left intact

fatal: The remote end hung up unexpectedly

* Couldn't find host git.assembla.com in the _netrc file; using defaults

* About to connect() to proxy p01.proxy.local port 8080 (#0)

*   Trying 192.168.132.28... * connected

* Connected to p01.proxy.local (192.168.132.28) port 8080 (#0)

* Establish HTTP proxy tunnel to git.assembla.com:443

* Proxy auth using NTLM with user 'domain\eric'

* Server auth using Basic with user 'eric'

> CONNECT git.assembla.com:443 HTTP/1.1

Host: git.assembla.com:443

Proxy-Authorization: NTLM TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

User-Agent: git/1.8.1.msysgit.1

Proxy-Connection: Keep-Alive

Content-Type: application/x-git-upload-pack-request

Accept: application/x-git-upload-pack-result

Content-Encoding: gzip

< HTTP/1.1 407 Proxy Authentication Required

< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAA1goni0xomDb199dgAAAAAAAAAALAAsAA+AAAABgGxHQAAAA9SAEUAUwACAAYAUgBFAFMAAQAYAFcAUwBQAEkAQwBBAEQARwBUAFcAMAAxAAQAHAByAGUAcwAuAGIAbgBnAGYALgBsAG8AYwBhAGwAAwA2AFcAUwBQAEkAQwBBAEQARwBUAFcAMAAxAC4AcgBlAHMALgBiAG4AZwBmAC4AbABvAGMAYQBsAAUAHAByAGUAcwAuAGIAbgBnAGYALgBsAG8AYwBhAGwABwAIAFX1oiRKEM4BAAAAAA==

< Cache-Control: no-cache

< Pragma: no-cache

< Content-Type: text/html; charset=utf-8

< Proxy-Connection: Keep-Alive

< Set-Cookie: BCSI-CS-bbdac58099c9135e=2; Path=/

< Connection: Keep-Alive

< Content-Length: 3742

< 

* Ignore 3742 bytes of response-body

* NTLM send, close instead of sending 2531 bytes

* Received HTTP code 407 from proxy after CONNECT

* About to connect() to proxy p01.proxy.local port 8080 (#0)

*   Trying 192.168.132.28... * connected

* Connected to p01.proxy.local (192.168.132.28) port 8080 (#0)

* Establish HTTP proxy tunnel to git.assembla.com:443

* Proxy auth using NTLM with user 'domain\eric'

* Server auth using Basic with user 'eric'

> CONNECT git.assembla.com:443 HTTP/1.1

Host: git.assembla.com:443

Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAIIAAAAYABgAmgAAAAYABgBYAAAAEAAQAF4AAAAUABQAbgAAABAAEACyAAAANYKI4gYBsR0AAAAPcHgKU7oyvdC1z0yTHZ1j32wAYgBnAGMANgAxADIANwAxAGIANAAyAFUAQQAxADMAOAAxAEQAUwA1ALkp/9TsdpQaAAAAAAAAAAAAAAAAAAAAAFCmBke3wcO8YodJhoaL3Xtbp1xWpuwnD5bVAa/V7U7ToxE5D5jMu8o=

User-Agent: git/1.8.1.msysgit.1

Proxy-Connection: Keep-Alive

Content-Type: application/x-git-upload-pack-request

Accept: application/x-git-upload-pack-result

Content-Encoding: gzip

< HTTP/1.1 407 Proxy Authentication Required

< Proxy-Authenticate: NTLM

* Authentication problem. Ignoring this.

< Cache-Control: no-cache

< Pragma: no-cache

< Content-Type: text/html; charset=utf-8

< Proxy-Connection: close

< Set-Cookie: BCSI-CS-bbdac58099c9135e=2; Path=/

< Connection: close

< Content-Length: 3742

< 

* Closing connection #0

* HTTP response code said error

error: RPC failed; result=22, HTTP code = 0

</snip>

git version 1.8.1.msysgit.1

curl 7.26.0 (i686-pc-mingw32) libcurl/7.26.0 OpenSSL/0.9.8x zlib/1.2.7

Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp

Features: GSS-Negotiate Largefile NTLM SSL SSPI libz

Any suggestions what I can do to further try to get git/Curl working properly?

Thanks,

Eric

[Pat Thoyts]

In this sample session you begin with opening a connection to the
proxy which replies with a NTLM challenge. You then retry with a
suitable response and it gets accepted and states that your CONNECT
request is ok. This is how you open a https session to a server via a
proxy. The proxy now lets you talk direct to the remote server which
upgrades the link to an SSL channel. Now you make a request over the
SSL providing a username password pair using Basic authentication
which gets an OK response but the remote end just closes the channel
on you.

I would say this is now a server issue - it looks like the proxy
authentication is working ok now.

Git is linked to libcurl. curl.exe is also linked to libcurl an just
provides a command-line ui into that library so they are both using
the same code really. The ssl support is provided by the openssl
libraries. We did commit recently another update to curl 7.28.1 to get
ipv6 support included and in this version we've enabled use of the
Windows CryptoAPI SSL support so you could run the msysGit netinstall
and build the development version (it is quite simple). That will give
you a git and libcurl using an alternative ssl provider which might
change things. Building curl for use with git is quite simple. Once
the netinstall is installed (it automatically rebuilds git) you can go
into the /src/curl directory and run the release.sh script in there.
Then rebuild git and it will link against the newly built curl libs.
All the libraries and utilities git for windows uses are created using
these release.sh scripts at the moment.

You might be interested to know that Basic authentication just passes
your username and password as base64 encoded text in the request
headers. That is trivially decodable so you may like to change your
password now. And include uppercase and non-alphanumerics in it too.

Pat.

[eben...@gmail.com]

On Thursday, February 21, 2013 4:58:19 PM UTC-5, Pat Thoyts wrote: 

>> > However, when I try git clone, it fails with the following error:
>> > error: RPC faifled; result=22, HTTP code = 0
>> > fatal: The remote end hung up unexpectedly
>> >
>> > I enabled GIT_CURL_VERBOSE and see that the connection is properly
>> > authenticating to the proxy with some requests, but skips/fails at the
>> > end,
>> > thus causing the error.
>
>

> I upgraded to 1.8.1, but that does not seem to make any difference.  What I
> don't understand about the curl integration is that even if I remove
> curl.exe from the git/bin directory, git still works the same.  As though it
> is not using the executable and instead is using something from a library.
>

> Any suggestions what I can do to further try to get git/Curl working
> properly?
>
> Thanks,
>
> Eric

In this sample session you begin with opening a connection to the
proxy which replies with a NTLM challenge. You then retry with a
suitable response and it gets accepted and states that your CONNECT
request is ok. This is how you open a https session to a server via a
proxy. The proxy now lets you talk direct to the remote server which
upgrades the link to an SSL channel. Now you make a request over the
SSL providing a username password pair using Basic authentication
which gets an OK response but the remote end just closes the channel
on you.

I would say this is now a server issue - it looks like the proxy
authentication is working ok now.

I ended up getting it to work by tunneling it through another proxy.  I set up cntlm (http://cntlm.sourceforge.net/) and set my git proxy to point to my cntlm proxy, and allow cntlm to communicate with my http proxy.  By using this workflow/path, git seems to be working properly.

It would seem to me that there is a bug either in curl or in the http proxy that is preventing the proper communication.  I'm not sure which.  However, at this point, the problem has been circumvented (not actually solved), so I'm okay with that.

Thanks,

Eric