schannel reporting untrusted root CA in newest 2.53.0.2 build

[Devilsbane7]

Existing issues matching what you're seeing

• I was not able to find an open or closed issue matching what I'm seeing

Git for Windows version

git version 2.53.0.windows.2

Windows version

Windows 11

Windows CPU architecture

x86_64 (64-bit)

Additional Windows version information

Microsoft Windows [Version 10.0.22631.6783]

Options set during installation

Editor Option: VIM
Custom Editor Path:
Default Branch Option:
Path Option: Cmd
SSH Option: OpenSSH
Tortoise Option: false
CURL Option: WinSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Git Pull Behavior Option: Merge
Use Credential Manager: Enabled
Performance Tweaks FSCache: Enabled
Enable Symlinks: Disabled
Enable FSMonitor: Disabled

Other interesting things

2.53.0 was working fine for me. I upgraded to 2.53.0.2 this week to remediate the NTLM vulnerability and now schannel is throwing this error, despite root and intermediate certificates installed and valid.

schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Tested on a different computer that hasn't been upgraded yet and that one is still working.

Terminal/shell

CMD

Commands that trigger the issue

git clone https://server/location/repo

Expected behaviour

Repository cloned

Actual behaviour

schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Repository

Local server repo

[dscho]

git version 2.53.0.windows.2

That's not the newest version, though. v2.53.0.windows.3 is. But that's unlikely to change anything because they use the same libcurl/schannel libraries. Can you test with v2.54.0-rc1?

[Devilsbane7]

Thanks for that quick response!

Can you provide a link to the 2.53.0.windows.3 installer for x64? https://gitforwindows.org/ and https://git-scm.com/install/windows each link to 2 as being the most current. In the discussion I saw 2.54.0.rc2 was about to be ready and was hoping to try that as well. But I'm also unable to find the installer.

[derrickstolee]

@Devilsbane7 you can find all releases, including pre-releases, at this repo's releases page: https://github.com/git-for-windows/git/releases

[dscho]

Can you provide a link to the 2.53.0.windows.3 installer for x64?

https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.3

https://gitforwindows.org/ and https://git-scm.com/install/windows each link to 2 as being the most current.

Right, I was in the middle of the release engineering of this security bug fix release; Both should now be up to date.

In the discussion I saw 2.54.0.rc2 was about to be ready and was hoping to try that as well. But I'm also unable to find the installer.

It is being built as we speak: https://github.com/git-for-windows/git-for-windows-automation/actions/runs/24418098737