src/site/setup_transport_http.mkd - gitblit - Git at Google


 ## Using the HTTP/HTTPS transport

 ### Https with Self-Signed Certificates
 You must tell Git/JGit not to verify the self-signed certificate in order to perform any remote Git operations.

 **NOTE:**
 The default self-signed certificate generated by Gitblit GO is bound to *localhost*.
 If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push url.
 You must do this because Eclipse/EGit/JGit (< 3.0) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting.

 - **Eclipse/EGit/JGit**
     1. Window->Preferences->Team->Git->Configuration
     2. Click the *New Entry* button
     3. <pre>Key = <em>http.sslVerify</em>
 Value = <em>false</em></pre>
 - **Command-line Git** ([Git-Config Manual Page](http://www.kernel.org/pub/software/scm/git/docs/git-config.html))
 <pre>git config --global --bool --add http.sslVerify false</pre>

 **NOTE:**
 When generating self-signed certificates, the default Java TLS settings will be used. These default settings will generate a weak Diffie-Hellman key.
 #### Java 8
 The default is a 1024 bit DH key.
 You can up the number of bits used by appending the following command line parameter when starting Gitblit:
 <pre>-Djdk.tls.ephemeralDHKeySize=2048</pre>
 2048 bits is the maximum (Java limitation), and is still considered secure as of this writing.
 #### Java 7
 The default is a 768 bit key. <b>This is hardcoded in Java 7 and cannot be changed.</b>. It is very weak. If you require longer DH keys, use Java 8.

 ### Http Post Buffer Size
 You may find the default post buffer of your git client is too small to push large deltas to Gitblit.  Sometimes this can be observed on your client as *hanging* during a push.  Other times it can be observed by git erroring out with a message like: error: RPC failed; result=52, HTTP code = 0.

 This can be adjusted on your client by changing the default post buffer size:
 <pre>git config --global http.postBuffer 524288000</pre>

 ### Disabling SNI

 You may run into SNI alerts (Server Name Indication).  These will manifest as failures to clone or push to your Gitblit instance.

 #### Java-based Clients

 Luckily, Java 6-based clients ignore SNI alerts but when using Java 7-based clients, SNI checking is enabled by default.  You can disable SNI alerts by specifying the JVM system parameter `-Djsse.enableSNIExtension=false` when your Java-based client launches.

 For Eclipse, you can append `-Djsse.enableSNIExtension=false` to your *eclipse.ini* file.

 #### Native Clients

 Native clients may display an error when attempting to clone or push that looks like this:

 ```
 C:\projects\git\gitblit>git push rhcloud master
 error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while accessing https://demo-gitblit.rhcloud.com/git/gitblit.git/info/refs?service=git-receive-pack
 fatal: HTTP request failed
 ```

	## Using the HTTP/HTTPS transport

	### Https with Self-Signed Certificates
	You must tell Git/JGit not to verify the self-signed certificate in order to perform any remote Git operations.

	NOTE:
	The default self-signed certificate generated by Gitblit GO is bound to localhost.
	If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push url.
	You must do this because Eclipse/EGit/JGit (< 3.0) always verifies certificate hostnames, regardless of the http.sslVerify=false client-side setting.

	- Eclipse/EGit/JGit
	1. Window->Preferences->Team->Git->Configuration
	2. Click the New Entry button
	3. <pre>Key = <em>http.sslVerify</em>
	Value = <em>false</em></pre>
	- Command-line Git ([Git-Config Manual Page](http://www.kernel.org/pub/software/scm/git/docs/git-config.html))
	<pre>git config --global --bool --add http.sslVerify false</pre>

	NOTE:
	When generating self-signed certificates, the default Java TLS settings will be used. These default settings will generate a weak Diffie-Hellman key.
	#### Java 8
	The default is a 1024 bit DH key.
	You can up the number of bits used by appending the following command line parameter when starting Gitblit:
	<pre>-Djdk.tls.ephemeralDHKeySize=2048</pre>
	2048 bits is the maximum (Java limitation), and is still considered secure as of this writing.
	#### Java 7
	The default is a 768 bit key. <b>This is hardcoded in Java 7 and cannot be changed.</b>. It is very weak. If you require longer DH keys, use Java 8.

	### Http Post Buffer Size
	You may find the default post buffer of your git client is too small to push large deltas to Gitblit. Sometimes this can be observed on your client as hanging during a push. Other times it can be observed by git erroring out with a message like: error: RPC failed; result=52, HTTP code = 0.

	This can be adjusted on your client by changing the default post buffer size:
	<pre>git config --global http.postBuffer 524288000</pre>

	### Disabling SNI

	You may run into SNI alerts (Server Name Indication). These will manifest as failures to clone or push to your Gitblit instance.

	#### Java-based Clients

	Luckily, Java 6-based clients ignore SNI alerts but when using Java 7-based clients, SNI checking is enabled by default. You can disable SNI alerts by specifying the JVM system parameter `-Djsse.enableSNIExtension=false` when your Java-based client launches.

	For Eclipse, you can append `-Djsse.enableSNIExtension=false` to your eclipse.ini file.

	#### Native Clients

	Native clients may display an error when attempting to clone or push that looks like this:

	```
	C:\projects\git\gitblit>git push rhcloud master
	error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) while accessing https://demo-gitblit.rhcloud.com/git/gitblit.git/info/refs?service=git-receive-pack
	fatal: HTTP request failed
	```