[Python-apps-team] Bug#784584: hg clone over https fails with error [SSL: TLSV1_ALERT_PROTOCOL_VERSION]

Mathias Gibbens mathias at calenhad.com
Wed May 6 22:28:17 UTC 2015


Package: mercurial
Version: 3.1.2-2
Severity: normal

Dear Maintainer,

Cloning a mercurial repository over https is unexpectedly failing.
However, using version 3.4-1 from unstable works as expected.

* What led up to the situation?

I tried to clone an existing personal mercurial repository from a new
jessie install. When I do, I get this error:

    $ hg clone https://hg.calenhad.com/foobar
    abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:581)

However, this works just fine on a wheezy system:

    $ hg clone https://hg.calenhad.com/foobar
    destination directory: foobar
    no changes found
    updating to branch default
    0 files updated, 0 files merged, 0 files removed, 0 files unresolved

The server I am trying to clone from only supports TLSv1.2 and the more
recent DHE/ECDHE ciphers. You can view its ssllabs report at
https://www.ssllabs.com/ssltest/analyze.html?d=hg.calenhad.com

* What exactly did you do (or not do) that was effective (or
ineffective)?

I thought this might be caused by my server using SNI for multiple https
virtual hosts, but including the "--insecure" option when cloning had no
effect.

I also tried enabling SSLv3, TLSv1, and TLSv1.1 in addition to TLSv1.2
on my webserver, but I still get the same error.

I installed mercurial 3.4-1 from the unstable repository, and the clone
worked properly. So somewhere between 3.1.2-2 and 3.4-1 this problem was
resolved. I looked in the changelog for the package and don't see
anything specifically related to this problem.

I'm not sure where to look to compare changes in mercurial between
3.1.2-2 and 3.4-1. I'm happy to provide feedback or try configuration
changes. Feel free to run my clone command above -- the repository is an
empty one created for testing purposes.

Mathias

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mercurial depends on:
ii  libc6             2.19-18
ii  mercurial-common  3.1.2-2
ii  python            2.7.9-1
ii  ucf               3.0030

Versions of packages mercurial recommends:
ii  openssh-client  1:6.7p1-5

Versions of packages mercurial suggests:
pn  kdiff3 | kdiff3-qt | kompare | meld | tkcvs | mgdiff  <none>
pn  qct                                                   <none>

-- no debconf information
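
What the alert named in the error message looks like on the wire, as an added illustration that is not part of the original report and is not Mercurial's or OpenSSL's code: a minimal ClientHello is checked by a toy server that accepts only TLSv1.2, and the resulting alert record (description 70, protocol_version, which OpenSSL reports as TLSV1_ALERT_PROTOCOL_VERSION) is decoded. The TLSv1 offer, the server policy and all function names are assumptions; the report does not state which version the client offered, and no network connection is made.

```python
import struct

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # subset of RFC 5246, 7.2
TLS1_0, TLS1_2 = (3, 1), (3, 3)                             # wire encoding (major, minor)

def client_hello(version, host):
    """Build a minimal ClientHello record whose client_version is `version`."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # server_name list
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension 0 = SNI
    body = (bytes(version) + bytes(32)        # client_version + constructed zero random
            + b"\x00"                         # empty session id
            + struct.pack("!HH", 2, 0x002F)   # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00"                     # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_version(record):
    """client_version sits after the 5-byte record and 4-byte handshake headers."""
    return tuple(record[9:11])

def server_reply(record, min_version=TLS1_2):
    """Toy server policy (assumption): refuse any offer below min_version."""
    if offered_version(record) < min_version:
        # alert record: type 21, version, length 2, level 2 (fatal), description 70
        return b"\x15\x03\x01\x00\x02\x02\x46"
    return None  # a real server would answer with ServerHello here

def decode_alert(record):
    """Return (level, description) for an alert record, or None for anything else."""
    if record is None or len(record) < 7 or record[0] != 0x15:
        return None
    return (ALERT_LEVELS.get(record[5], str(record[5])),
            ALERTS.get(record[6], str(record[6])))

def first_alert(version, host="hg.calenhad.com"):
    """Alert the toy server sends for an offer of `version`, or None if accepted."""
    return decode_alert(server_reply(client_hello(version, host)))

if __name__ == "__main__":
    for label, version in (("TLSv1", TLS1_0), ("TLSv1.2", TLS1_2)):
        print(label, "->", first_alert(version))
```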
