Nss error 12190

Hi

I am using centos 6.4:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

uname -a
Linux lb-cam-bca-12 2.6.32-358.23.2.el6.x86_64 #1 SMP Sat Sep 14 05:32:37 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux

I am trying to clone freeCAD from github, but am getting an error related to SSL:
$ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://github.com/FreeCAD/FreeCAD.git free-cad-code
12:26:19.861767 git.c:349 trace: built-in: git ‘clone’ ‘https://github.com/FreeCAD/FreeCAD.git’ ‘free-cad-code’
Cloning into ‘free-cad-code’…
12:26:20.496310 run-command.c:341 trace: run_command: ‘git-remote-https’ ‘origin’ ‘https://github.com/FreeCAD/FreeCAD.git’
* Couldn’t find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
* Trying 192.30.253.112… * Connected to github.com (192.30.253.112) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12190
* Error in TLS handshake, trying SSLv3…
> GET /FreeCAD/FreeCAD.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.1.0
Host: github.com
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

* Connection died, retrying a fresh connect
* Expire cleared
* Closing connection #0
* Issue another request to this URL: ‘https://github.com/FreeCAD/FreeCAD.git/ … pload-pack’
* Couldn’t find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
* Trying 192.30.253.112… * Connected to github.com (192.30.253.112) port 443 (#0)
* TLS disabled due to previous handshake failure
* NSS error -12286
* Expire cleared
* Closing connection #0
fatal: unable to access ‘https://github.com/FreeCAD/FreeCAD.git/’: SSL connect error

From what I can gather from https://bugzilla.redhat.com/show_bug.cgi?id=1217477 and https://github.com/userify/shim/issues/25
this is a known problem, but I do not know how to get round it.

Does anyone know how I can get round this issue ?
From the above link it looks like the issue can be fixed with a patch to NSS or upgrading to a later nss version, anyone know how I can do that ?
Alternatively it looks like you can force TLSv1 by passing -1 to the curl command line, but I do not know how to tell git to do this. Anyone know if it is possible to pass curl command line options to git ?

Shaggy1 wrote:I am using centos 6.4:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

If your redhat-release says Red Hat Enterprise Linux, you are not using CentOS but RHEL. You probably have a support contract from RHEL, they will be happy to help you.

Shaggy1 wrote:From the above link it looks like the issue can be fixed [..] or upgrading to a later nss version, anyone know how I can do that?

Yes, run yum update which should upgrade your system to 6.9. There have been a number of enhancements to crypto in the most recent RHEL releases, and your problem will likely vanish when you are up to date.

For reference, I can run curl -v ‘https://github.com/FreeCAD/FreeCAD.git/ … pload-pack’ successfully on a CentOS 6.9 system. If your system complains something with that command, try upgrading.

> you are not using CentOS but RHEL
Humble apologies. Very sorry about this mis-posting, we(I) are currently in transition from red-hat to centos (they pulled plug on the support contract along with the staff that used to deal with it) and my mind simply went straight to centos and didn’t clock this was an older machine.

Thank you very much for replying anyhow!!

I’ve tried the upgrade, but unfortunately that didn’t work … and will look among redhat docs/posts for a solution!

> What part didn’t work, the upgrade or git after the upgrade?
The git after the upgrade

> but it should be fairly easy to turn a RHEL system into a CentOS system
Thank you very much for this information — I had no idea that it might be possible.
I’ll give this a go when I have a little more time to look at what is required — hopefully I can find a machine too test it on where it doesn’t matter too much if things go wrong.