The WSS Agent is running on a Windows host and sending all web traffic into WSS.
A developer running git sees SSL certificate errors when running git commands.
An "unable to get local issuer certificate" error is displayed on the Git application console.
Or
git clone <github>/<projectURL>
Cloning into 'examples'...
fatal: unable to access '<github>/<projectURL>': schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - The revocation function was unable to check revocation for the certificate.
WSS Agent.
Git thick application.
Git, as with many developer applications, implements certificate pinning. As the Cloud SWG Proxy inspects the traffic and adds its own server certificate and issuer, any applications using cert pinning will break.
Add the domain reported in the error, e.g. dev.azure.com, to an SSL inspection bypass list.
There are certain cases where the domain reported may not be the problem domain, but may reference another domain that fails the SSL handshake. It is always important to check PCAPs to confirm that the SSL handshake failure matches the domain reported, and to add a domain exception for every SSL handshake that fails. In this case, the PCAPs matched and we could see the SSL handshake failure immediately after the cert was pushed down. This cert was confirmed to be issued by Cloud SWG, and not by the Git back end, hence the error was triggered on the app side.
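The PCAP check described above can be scripted. The following is an added example, not part of the original article or any Broadcom tooling: it groups TLS messages by TCP stream and lists every server name whose handshake was aborted after a proxy-issued certificate. The three-column row layout, the issuer string `EXAMPLE-PROXY-ISSUING-CA` and the `example.test` hosts are constructed assumptions; substitute the issuer name shown in your own capture.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, one per TLS message taken from a capture.
# Assumed column layout (tab separated): tcp_stream, message, value
SAMPLE_ROWS = """\
4\tclient_hello\tdev.azure.com
4\tcertificate\tCN=EXAMPLE-PROXY-ISSUING-CA
4\talert\tunknown_ca
5\tclient_hello\tlogin.example.test
5\tcertificate\tCN=EXAMPLE-PROXY-ISSUING-CA
5\tapplication_data\t
6\tclient_hello\tcdn.example.test
6\tcertificate\tCN=Example Public CA 1
6\tapplication_data\t
7\tclient_hello\tartifacts.example.test
7\tcertificate\tCN=EXAMPLE-PROXY-ISSUING-CA
7\talert\tcertificate_unknown
"""

def bypass_candidates(rows_tsv, proxy_issuer_marker):
    """Return SNI names whose handshake failed after a proxy-issued cert."""
    streams = defaultdict(list)
    for stream, message, value in csv.reader(io.StringIO(rows_tsv), delimiter="\t"):
        streams[stream].append((message, value))

    candidates = set()
    for messages in streams.values():
        sni, intercepted = None, False
        for message, value in messages:
            if message == "client_hello":
                sni = value                       # domain the client asked for
            elif message == "certificate":
                intercepted = proxy_issuer_marker in value
            elif message == "alert" and intercepted and sni:
                candidates.add(sni)               # client rejected the proxy cert
                break
    return sorted(candidates)

def check_reported_domain(reported, rows_tsv, proxy_issuer_marker):
    """Compare the domain named in the client error with the capture."""
    failing = bypass_candidates(rows_tsv, proxy_issuer_marker)
    return {"reported_confirmed": reported in failing,
            "also_failing": [d for d in failing if d != reported]}

if __name__ == "__main__":
    print(check_reported_domain("dev.azure.com", SAMPLE_ROWS, "EXAMPLE-PROXY-ISSUING-CA"))
```

Streams that complete the handshake with a proxy-issued certificate (stream 5 in the sample) are not listed, since those clients accept inspection and need no exception. With TLS 1.3 the Certificate message is encrypted, so the issuer is only visible in a capture that has been decrypted.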