When trying to do a git clone on a new installation of git behind a corporate firewall (with MITM on SSL), I got this error:
# git clone https://github.com/zptaylor/public-repo.git
Cloning into 'public-repo'...
fatal: unable to access 'https://github.com/zptaylor/public-repo.git/': SSL certificate problem: self signed certificate in certificate chain
First I tried switching the backend to schannel, but that threw a different error:
# git config --global http.sslbackend schannel
# git clone https://github.com/zptaylor/public-repo.git
Cloning into 'public-repo'...
fatal: unable to access 'https://github.com/zptaylor/public-repo.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
Of course, no SSL validation will work here because the SSL certificate is, for all intents and purposes, invalid. The easiest way out is to just turn verification off, although that completely eliminates HTTPS verification:
# git config --global http.sslbackend openssl
# git config --global http.sslVerify false
A similar solution that breaks security, but for schannel:
# git config --global http.schannelCheckRevoke "false"
# git config --global http.sslbackend schannel
A more precise fix that would keep SSL verification enabled would be to use openssl, create some sort of trust store of valid certs, and then add the MITM’s cert for github.com in its place. I think these fixes are reasonable for a developer machine that is on a controlled network that could not possibly allow github.com to be spoofed.
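The trust-store approach described above, as an added example that is not part of the original post: a shell function that checks the proxy's CA certificate, appends it to a copy of the existing CA bundle, and points Git at that bundle for github.com only, with verification left on. It assumes the proxy's root CA has already been exported as a PEM file; every path is a placeholder.

```shell
# Added example (not from the original post). All file paths are placeholders.
# Usage: trust_proxy_ca <proxy-root-ca.pem> <current-ca-bundle.pem> <new-bundle.pem>
#   <current-ca-bundle.pem> is the CA file Git already uses, for example the
#   path printed by: git config --get http.sslCAInfo
trust_proxy_ca() {
    proxy_ca=$1; base_bundle=$2; out_bundle=$3

    # Never write over the bundle we are reading from.
    if [ "$base_bundle" = "$out_bundle" ]; then
        echo "output bundle must differ from the base bundle" >&2; return 1
    fi

    # The input must parse as an X.509 certificate ...
    cert_text=$(openssl x509 -in "$proxy_ca" -noout -text 2>/dev/null) || {
        echo "not a readable PEM certificate: $proxy_ca" >&2; return 1; }

    # ... and be a CA certificate. An inspection proxy mints a fresh leaf
    # certificate per site, so the leaf it presents for github.com is the wrong
    # thing to trust; the proxy's root (or issuing) CA is what belongs here.
    case $cert_text in
        *CA:TRUE*) ;;
        *) echo "certificate is not a CA: $proxy_ca" >&2; return 1 ;;
    esac

    # Reject a certificate that has already expired.
    openssl x509 -in "$proxy_ca" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired: $proxy_ca" >&2; return 1; }

    # Show the fingerprint so it can be compared out-of-band with the value
    # given by whoever operates the proxy before the certificate is trusted.
    openssl x509 -in "$proxy_ca" -noout -fingerprint -sha256

    # New bundle = existing public roots + the proxy CA (re-encoded as clean PEM).
    cat "$base_bundle" > "$out_bundle" || return 1
    openssl x509 -in "$proxy_ca" >> "$out_bundle" || return 1

    # Keep verification on, and use the extended bundle for github.com only.
    git config --global http.sslBackend openssl
    git config --global http.sslVerify true
    git config --global "http.https://github.com/.sslCAInfo" "$out_bundle"
}
```

Scoping the setting to `http.https://github.com/` means the proxy's CA is only accepted for that host; every other remote keeps using Git's default trust store.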
Read up more at
https://stackoverflow.com/questions/45556189/git-the-revocation-function-was-unable-to-check-revocation-for-the-certificate
https://github.com/desktop/desktop/blob/development/docs/known-issues.md#certificate-revocation-check-fails---3326
https://github.com/microsoft/Git-Credential-Manager-for-Windows/issues/646