GitHub: Weak cryptographic standards removal notice

Answered

Important: Guys at JetBrains, are you aware of this SSL thing that GitHub is doing https://githubengineering.com/crypto-removal-notice/. They are deprecating some of their supported SSL algorithms and today they turned them off for 1 hour. We could not longer 'git pull' from the latest version of IDEA running on the latest Java 1.8 during that hour. Just bringing it to your attention since GitHub will permanentely turn off those algorithms on 2/22. 

0
13 comments

Can you still pull from the command line using the same git client as configured in IntelliJ IDEA?

0
Avatar
Permanently deleted user

Surprisingly yes. I did try that and it worked during the outage period of 1 hour when they did it. Here is my Git client:

 

$ git --version
git version 1.9.5.msysgit.0

0
Avatar
Permanently deleted user

I am wondering, what does SSH executable: built-in (vs native) means in the context of IDEA's Git plugin... 

0

Built-in will use Java implementation for SSH, native will use whatever is installed on your system and used by the command line git. Does switching to native fix the issue for you?

0
Avatar
Permanently deleted user

It is hard to know if switching helps, since GitHub just had 1 hour trial run. (I mean, everything works now). But they do plan to turn deprecated versions of SSL on Feb. 22nd. I do think it is wise for JetBrains folks to look into it seriously and resolve this issue. GitHub explains here what they want folks to do https://githubengineering.com/crypto-removal-notice/. What do you think?

0

Our team will check it, thanks.

0
Avatar
Permanently deleted user

One user that reported issues with IntelliJ had all their traffic with the “JGit/2.1.0-SNAPSHOT” user agent. Hope that helps.

0
Avatar
Permanently deleted user

Sergey, Ptoomey3 is a GitHub engineer who I've been discussing the same issue with. I asked him to join our conversation to bring it to a fast resolution.

0

Git Integration plugin does not use JGit. The issue is with Built-in SSH mode - https://youtrack.jetbrains.com/issue/IDEA-140196

With this mode, GIT_SSH is set pointing to a jar which implements SSH client. It is actually third-party trilead-ssh2 lib, with some patches, and it currently supports only the limited set of security protocols.

So a workaround is to switch to Native mode.

0
Avatar
Permanently deleted user

Ah, my apologies. I did some additional digging and noticed that the JGit was likely related to a CI system (i.e. not IntelliJ). Sorry for the red herring. 

0
Avatar
Permanently deleted user

I work with Kyrill007 and we have been trouble shooting the same issue on my machine.  I am not able to do a git pull even after changing my settings to point to git.exe and using native.  I am using windows 10 he is using windows 7 that is the only difference we can see right now.  Let me know what logs you may need to look at or any other information that would be helpful to you.  

0

The fix is available in the latest 2018.1 EAP, so you could update to get it fixed.

In Native mode, IDE cannot handle interactive prompts from ssh client, so you need to make sure git pull command (what is important - executed in the native Windows command prompt, not GitBash or another shell) works without any prompt.

With keys protected with a passphrase, this could be achieved with help of ssh-agent. E.g. see https://intellij-support.jetbrains.com/hc/en-us/community/posts/115000114504-Git-SHH-Private-Key-PAssPhrase

0
Avatar
Permanently deleted user

Thanks once I got rid of the prompting for a passphrase it has taken care of the issue.

0

Please sign in to leave a comment.