Usability of git-http-backend with self signed SSL certificates

Why does git make it so hard to use a self-signed SSL certificate with the https protocol?

At work we have a server for shared git repositories. For various reasons we can't use the ssh protocol to access the repositories, so we looked into git-http-backend. So far so good, but we want it encrypted, of course, so we put it behind SSL with our self-signed certificate:

git clone https://git.example.com/public
Cloning into 'public'...
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.example.com/public/info/refs

fatal: HTTP request failed

Huh? Looking deeper into the problem, it turns out that git uses libcurl for the http(s) transport, and curl refuses to talk to a server whose certificate it cannot verify against the CA bundle it was given (here /etc/ssl/certs/ca-certificates.crt, which of course does not contain our self-signed certificate).

Ok, that's not a bad thing: certificate verification is the only part of https that stops an attacker on the network from impersonating the server, so turning it off leaves you with the security of plain http against an active attacker. To get around the error you can either set an environment variable (GIT_SSL_NO_VERIFY=1) to make curl skip the verification, or install the certificate on your machine. The first option is not very attractive in the long term as you'd have to do it on every operation with the remote server; the second one is not very attractive when dealing with multiple developers working on different operating systems. You'll have to explain to them how to install the certificate on their machine, and that has to be done every time a new developer joins the team, yada, yada.

There is also a configuration option in git (http.sslVerify) that tells git to skip verification of the SSL certificate for that repository. The thing is, you still have to set the environment variable on the first clone (the repository and its config don't exist yet), and then you have to tell git to permanently ignore the issue for that repository with the configuration option: a lot of stuff to remember. Heck, looking on the interwebs I see many people with that problem suggesting to shut off SSL cert verification permanently by setting it globally, which disables verification for every https remote they ever use, not just the one with the self-signed certificate. What git actually offers for this case is http.sslCAInfo (or the GIT_SSL_CAINFO environment variable), which points curl at the certificate to trust instead of disabling the check, but hardly anyone seems to find it.
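As an added example (not code from the original post), here is the configuration I would hand to developers instead of the env-var-plus-sslVerify=false dance: it keeps verification on and tells git which certificate to trust for that one host only, using git's per-URL http configuration (git 1.8.5 or newer). The host name git.example.com is the post's; the helper names pin_git_host, effective_cafile and effective_verify, and the certificate file path, are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Trust one self-signed server
# certificate for one git host while leaving verification on everywhere else.
# Assumes git >= 1.8.5 (per-URL "http.<url>.*" keys and --get-urlmatch).
#
# The weak setting found in many forum answers turns verification off for
# every https remote, which reduces https to plain http against an active
# attacker on the network:
#     git config --global http.sslVerify false
#
# The server certificate has to be exported once (this needs the real server;
# the placeholder file used when testing this script is constructed instead):
#     openssl s_client -connect git.example.com:443 -showcerts </dev/null \
#         | openssl x509 -outform PEM > ~/git.example.com.pem

# pin_git_host HOST CERT_PEM
# Make git verify HOST against exactly CERT_PEM. The keys go into the global
# config, so they already apply to the very first clone; no env var needed.
pin_git_host() {
    host=$1
    pem=$2
    [ -r "$pem" ] || { echo "cannot read certificate file: $pem" >&2; return 1; }
    git config --global "http.https://$host/.sslCAInfo" "$pem" || return 1
    git config --global "http.https://$host/.sslVerify" true
}

# effective_cafile URL
# Print the CA file git would pick for URL from the global config
# (empty if none is configured for that URL).
effective_cafile() {
    git config --global --get-urlmatch http.sslCAInfo "$1" 2>/dev/null || :
}

# effective_verify URL
# Print the http.sslVerify value git would pick for URL; verification is on
# by default, so report "true" when nothing is configured.
effective_verify() {
    git config --global --get-urlmatch http.sslVerify "$1" 2>/dev/null || echo true
}
```

Usage: `pin_git_host git.example.com ~/git.example.com.pem`, after which `git clone https://git.example.com/public` verifies against that file while clones from any other host keep using the system CA bundle. Because the URL-matched keys live in ~/.gitconfig, the first clone works without GIT_SSL_NO_VERIFY, and a later per-repository http.sslVerify setting is no longer needed.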

I really wonder why git cannot simply tell the user that the SSL certificate cannot be verified and ask whether you want to accept it permanently, temporarily, or not at all. Every browser does that. Right now it just quits and leaves the user with a cryptic error.

On the other hand, when using git with a server that provides the repositories via ssh, git simply asks whether you want to accept the host key when you access the server for the first time and never bothers you again (trust on first use; the fingerprint still has to be checked out of band for that first connection to mean anything).
