[Python-apps-team] Bug#784584: hg clone over https fails with error [SSL: TLSV1_ALERT_PROTOCOL_VERSION]

Javi Merino vicho at debian.org
Fri May 8 09:01:15 UTC 2015


Control: tags -1 + upstream jessie

Hi Mathias,

On Wed, May 06, 2015 at 10:28:17PM +0000, Mathias Gibbens wrote:
> Package: mercurial
> Version: 3.1.2-2
> Severity: normal
> 
> Dear Maintainer,
> 
> Cloning a mercurial repository over https is unexpectedly failing.
> However, using version 3.4-1 from unstable works as expected.
> 
> * What led up to the situation?
> 
> I tried to clone an existing personal mercurial repository from a new
> jessie install. When I do, I get this error:
> 
>     $ hg clone https://hg.calenhad.com/foobar
>     abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:581)
> 
> However, this works just fine on a wheezy system:
> 
>     $ hg clone https://hg.calenhad.com/foobar
>     destination directory: foobar
>     no changes found
>     updating to branch default
>     0 files updated, 0 files merged, 0 files removed, 0 files unresolved
> 
> The server I am trying to clone from only supports TLSv1.2 and the more
> recent DHE/ECDHE ciphers. You can view its ssllabs report at
> https://www.ssllabs.com/ssltest/analyze.html?d=hg.calenhad.com
> 
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> 
> I thought this might be caused by my server using SNI for multiple https
> virtual hosts, but including the "--insecure" option when cloning had no
> effect.

Hmmm, I think this is a duplicate of #769761:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769761

I'm not marking it as a duplicate yet because I haven't had time to
read the bug report fully.  If you think it is, feel free to merge
them.

> I also tried enabling SSLv3, TLSv1, and TLSv1.1 in addition to TLSv1.2
> on my webserver, but I still get the same error.
> 
> I installed mercurial 3.4-1 from the unstable repository, and the clone
> worked properly. So somewhere between 3.1.2-2 and 3.4-1 this problem was
> resolved. I looked in the changelog for the package and don't see
> anything specifically related to this problem.

You can get most of the versions in between from snapshots:

http://snapshot.debian.org/package/mercurial/

> I'm not sure where to look to compare changes in mercurial between
> 3.1.2-2 and 3.4-1. I'm happy to provide feedback or try configuration
> changes. Feel free to run my clone command above -- the repository is an
> empty one created for testing purposes.

Many thanks for the test repository.  If this is #769761, there's a
patch from upstream that can be backported to 3.1.2-2 to fix it.  I probably
won't have time to work on this until the end of the month.  Can you
keep that repository around for a month or so?

Thanks,
Javi