[Python-apps-team] Bug#784584: hg clone over https fails with error [SSL: TLSV1_ALERT_PROTOCOL_VERSION]

Mathias Gibbens mathias at calenhad.com
Fri May 8 15:12:01 UTC 2015


Hi Javi,

On Fri, 2015-05-08 at 18:01 +0900, Javi Merino wrote:
> Control: tags -1 + upstream jessie
> 
> Hi Mathias,
> 
> On Wed, May 06, 2015 at 10:28:17PM +0000, Mathias Gibbens wrote:
> > Package: mercurial
> > Version: 3.1.2-2
> > Severity: normal
> > 
> > Dear Maintainer,
> > 
> > Cloning a mercurial repository over https is unexpectedly failing.
> > However, using version 3.4-1 from unstable works as expected.
> > 
> > * What led up to the situation?
> > 
> > I tried to clone an existing personal mercurial repository from a new
> > jessie install. When I do, I get this error:
> > 
> >     $ hg clone https://hg.calenhad.com/foobar
> >     abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:581)
> > 
> > However, this works just fine on a wheezy system:
> > 
> >     $ hg clone https://hg.calenhad.com/foobar
> >     destination directory: foobar
> >     no changes found
> >     updating to branch default
> >     0 files updated, 0 files merged, 0 files removed, 0 files unresolved
> > 
> > The server I am trying to clone from only supports TLSv1.2 and the more
> > recent DHE/ECDHE ciphers. You can view its ssllabs report at
> > https://www.ssllabs.com/ssltest/analyze.html?d=hg.calenhad.com
> > 
> > * What exactly did you do (or not do) that was effective (or
> > ineffective)?
> > 
> > I thought this might be caused by my server using SNI for multiple https
> > virtual hosts, but including the "--insecure" option when cloning had no
> > effect.
> 
> Hmmm, I think this is a duplicate of #769761:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769761
> 
> I'm not marking it as a duplicate yet because I haven't had time to
> read the bug report fully.  If you think it is, feel free to merge
> them.

  I think this is a different issue, although they may be related:

    $ hg --version
    Mercurial Distributed SCM (version 3.1.2)
    (see http://mercurial.selenic.com for more information)

    Copyright (C) 2005-2014 Matt Mackall and others
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    $ hg clone https://anonscm.debian.org/hg/pkg-vim/vim
    abort: anonscm.debian.org certificate error: certificate is for *.alioth.debian.org, alioth.debian.org
    (configure hostfingerprint 38:7e:2e:0e:68:6d:e9:9d:0b:b2:e2:3a:4c:85:ce:05:6c:e4:41:93 or use --insecure to connect insecurely)

    $ hg clone https://hg.calenhad.com/foobar
    abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:581)

> > I also tried enabling SSLv3, TLSv1, and TLSv1.1 in addition to TLSv1.2
> > on my webserver, but I still get the same error.
> > 
> > I installed mercurial 3.4-1 from the unstable repository, and the clone
> > worked properly. So somewhere between 3.1.2-2 and 3.4-1 this problem was
> > resolved. I looked in the changelog for the package and don't see
> > anything specifically related to this problem.
> 
> You can get most of the versions in between from snapshots:
> 
> http://snapshot.debian.org/package/mercurial/

  I pinpointed that this problem is first fixed in package version
3.3~rc1-1.

> > I'm not sure where to look to compare changes in mercurial between
> > 3.1.2-2 and 3.4-1. I'm happy to provide feedback or try configuration
> > changes. Feel free to run my clone command above -- the repository is an
> > empty one created for testing purposes.
> 
> Many thanks for the test repository.  If this is #769761, there's a
> patch from upstream that can be backported to 3.1.2-2 to fix it.  I probably
> won't have time to work on this until the end of the month.  Can you
> keep that repository around for a month or so?

  I'm happy to keep the test repository around as long as necessary.

> Thanks,
> Javi