[Python-apps-team] Bug#769761: mercurial: does not support SNI on for https: URLs

Paul Wise pabs at debian.org
Sun Nov 16 09:07:43 UTC 2014 

Package: mercurial
Version: 3.1.2-1
Severity: important

I am unable to clone alioth hg repositories on https: URLs and it looks
to be due to hg not supporting SNI (checked with wireshark):

https://en.wikipedia.org/wiki/Server_Name_Indication

pabs at chianamo ~ $ openssl s_client -connect anonscm.debian.org:443 -servername anonscm.debian.org < /dev/null 2>&1 | grep subject
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=git.debian.org
pabs at chianamo ~ $ openssl s_client -connect anonscm.debian.org:443 < /dev/null 2>&1 | grep subject
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.alioth.debian.org
pabs at chianamo ~ $ hg clone https://anonscm.debian.org/hg/pkg-vim/vim
abort: anonscm.debian.org certificate error: certificate is for *.alioth.debian.org, alioth.debian.org
(configure hostfingerprint f3:0b:7e:89:59:15:57:65:19:a8:77:4b:fd:a3:71:44:0c:b5:e3:e2 or use --insecure to connect insecurely)
pabs at chianamo ~ $ wget -O /dev/null https://anonscm.debian.org/hg/pkg-vim/vim
--2014-11-16 17:00:02--  https://anonscm.debian.org/hg/pkg-vim/vim
Resolving anonscm.debian.org (anonscm.debian.org)... 5.153.231.21
Connecting to anonscm.debian.org (anonscm.debian.org)|5.153.231.21|:443... connected.
HTTP request sent, awaiting response... 200 Script output follows
Length: unspecified [text/html]
Saving to: ‘/dev/null’

/dev/null                                          [  <=>                                                                                               ]  16.82K  37.2KB/s   in 0.5s   

2014-11-16 17:00:05 (37.2 KB/s) - ‘/dev/null’ saved [17223]

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (700, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mercurial depends on:
ii  libc6             2.19-13
ii  mercurial-common  3.1.2-1
ii  python            2.7.8-2
ii  ucf               3.0030

Versions of packages mercurial recommends:
ii  openssh-client  1:6.7p1-3

Versions of packages mercurial suggests:
ii  meld  3.12.0-1
pn  qct   <none>

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/python-apps-team/attachments/20141116/744a7c54/attachment.sig>

More information about the Python-apps-team mailing list