# Configure GIT for TLS inspection

<p class="callout warning">Bypassing TLS inspection or disabling SSL verification can expose your system and data to serious security risks, including man-in-the-middle attacks. This article is provided strictly for educational and debugging purposes in trusted, controlled environments. Do not use these settings on production systems or networks you do not fully control.</p>

### Bypass TLS Inspection for Git Using GIT CONFIG

In enterprise environments, it’s not uncommon for outbound HTTPS traffic to be intercepted and inspected by network security tools. This process—known as TLS inspection or SSL interception—can cause tools like Git to fail when attempting to communicate with remote repositories over HTTPS. A common error you might see is:

```
fatal: unable to access 'https://github.com/user/repo.git/': SSL certificate problem: unable to get local issuer certificate
```

This happens because the intercepted certificate doesn't match what Git expects from the server, especially when a custom or self-signed certificate is involved.

#### Quick and Dirty: Disable SSL Verification

The fastest way to bypass TLS inspection is to disable SSL verification altogether for Git using this configuration:

```powershell
git config --global http.sslVerify "false"
```

This tells Git not to verify the SSL certificate when connecting to remote repositories over HTTPS.

##### What This Command Does

- `--global`: Applies the setting for all repositories for the current user.
- `http.sslVerify "false"`: Disables SSL certificate validation.

This bypasses the TLS validation errors caused by mismatched or untrusted certificates during deep packet inspection.

##### When to Use This

- **Controlled internal environments** where you trust the internal proxy or TLS inspection appliance.
- **Temporary workaround** for debugging connectivity issues.
- **CI/CD environments** behind secure corporate firewalls with certificate inspection.

#### A Safer Alternative: Add the Root CA to Git’s Trust Store

Instead of disabling verification, a better approach is to configure Git to trust the inspection proxy’s certificate. Here's how:

1. **Obtain the root certificate** used by the inspection tool (usually a `.crt` file).
2. **Tell Git to use it:**

```powershell
git config --global http.sslCAInfo <pathtocorporate-root-ca>.crt
```

This method allows you to retain SSL verification while trusting your organization's inspection certificate.

## Final Notes

- **Never disable SSL verification for external, public repositories unless absolutely necessary.**
- If you use the `http.sslVerify false` setting, consider using it with the `--local` or `--global` scope carefully. You can also override it per repository using:
    
    <div class="contain-inline-size rounded-2xl border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"><div class="flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between h-9 bg-token-sidebar-surface-primary dark:bg-token-main-surface-secondary select-none rounded-t-2xl">`git config --<span class="hljs-built_in">local</span> http.sslVerify <span class="hljs-literal">false</span>`</div></div>
- Always revert to secure practices once the underlying issue (e.g., missing root CA) is resolved.

<table class="w-fit min-w-(--thread-content-width)" data-end="3252" data-start="2979" id="bkmrk-method-security-risk"><thead data-end="3016" data-start="2979"><tr data-end="3016" data-start="2979"><th data-col-size="md" data-end="2988" data-start="2979">Method</th><th data-col-size="sm" data-end="3004" data-start="2988">Security Risk</th><th data-col-size="md" data-end="3016" data-start="3004">Use Case</th></tr></thead><tbody data-end="3252" data-start="3056"><tr data-end="3157" data-start="3056"><td data-col-size="md" data-end="3103" data-start="3056">`git config --global http.sslVerify "false"`</td><td data-col-size="sm" data-end="3110" data-start="3103">High</td><td data-col-size="md" data-end="3157" data-start="3110">Temporary debugging in trusted environments</td></tr><tr data-end="3252" data-start="3158"><td data-col-size="md" data-end="3195" data-start="3158">Add custom CA via `http.sslCAInfo`</td><td data-col-size="sm" data-end="3201" data-start="3195">Low</td><td data-col-size="md" data-end="3252" data-start="3201">Permanent, secure solution for TLS interception</td></tr></tbody></table>

When in doubt, favor secure configuration over convenience. If you're working behind a corporate firewall and unsure how to proceed, reach out to your IT department—they may already have a secure solution in place.