[Python-apps-team] Bug#784584: hg clone over https fails with error [SSL: TLSV1_ALERT_PROTOCOL_VERSION]
Julien Cristau
julien.cristau at logilab.fr
Thu Mar 3 12:33:24 UTC 2016
Version: 3.3~rc1-1
On Fri, May 8, 2015 at 15:12:01 +0000, Mathias Gibbens wrote:
> Hi Javi,
>
> On Fri, 2015-05-08 at 18:01 +0900, Javi Merino wrote:
> > Control: tags -1 + upstream jessie
> >
> > Hi Mathias,
> >
> > On Wed, May 06, 2015 at 10:28:17PM +0000, Mathias Gibbens wrote:
> > > Package: mercurial
> > > Version: 3.1.2-2
> > > Severity: normal
> > >
> > > Dear Maintainer,
> > >
> > > Cloning a mercurial repository over https is unexpectedly failing.
> > > However, using version 3.4-1 from unstable works as expected.
> > >
> > > * What led up to the situation?
> > >
> > > I tried to clone an existing personal mercurial repository from a new
> > > jessie install. When I do, I get this error:
> > >
> > > $ hg clone https://hg.calenhad.com/foobar
> > > abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert
> > > protocol version (_ssl.c:581)
> > >
> > > However, this works just fine on a wheezy system:
> > >
> > > $ hg clone https://hg.calenhad.com/foobar
> > > destination directory: foobar
> > > no changes found
> > > updating to branch default
> > > 0 files updated, 0 files merged, 0 files removed, 0 files unresolved
> > >
> > > The server I am trying to clone from only supports TLSv1.2 and the more
> > > recent DHE/ECDHE ciphers. You can view its ssllabs report at
> > > https://www.ssllabs.com/ssltest/analyze.html?d=hg.calenhad.com
> > >

Prior to https://selenic.com/hg/rev/e1931f7cd977 mercurial only allowed
TLS 1.0.

> > > * What exactly did you do (or not do) that was effective (or
> > > ineffective)?
> > >
> > > I thought this might be caused by my server using SNI for multiple https
> > > virtual hosts, but including the "--insecure" option when cloning had no
> > > effect.
> >
> > Hmmm, I think this is a duplicate of #769761:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769761
> >
> > I'm not marking it as a duplicate yet because I haven't had time to
> > read the bug report fully. If you think it is, feel free to merge
> > them.
>
> I think this is a different issue, although they may be related:
>
> $ hg --version
> Mercurial Distributed SCM (version 3.1.2)
> (see http://mercurial.selenic.com for more information)
>
> Copyright (C) 2005-2014 Matt Mackall and others
> This is free software; see the source for copying conditions. There
> is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
> PURPOSE.
>
> $ hg clone https://anonscm.debian.org/hg/pkg-vim/vim
> abort: anonscm.debian.org certificate error: certificate is for
> *.alioth.debian.org, alioth.debian.org
> (configure hostfingerprint
> 38:7e:2e:0e:68:6d:e9:9d:0b:b2:e2:3a:4c:85:ce:05:6c:e4:41:93 or use
> --insecure to connect insecurely)
>
> $ hg clone https://hg.calenhad.com/foobar
> abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert
> protocol version (_ssl.c:581)
>
> > > I also tried enabling SSLv3, TLSv1, and TLSv1.1 in addition to TLSv1.2
> > > on my webserver, but I still get the same error.
> > >
> > > I installed mercurial 3.4-1 from the unstable repository, and the clone
> > > worked properly. So somewhere between 3.1.2-2 and 3.4-1 this problem was
> > > resolved. I looked in the changelog for the package and don't see
> > > anything specifically related to this problem.
> >
> > You can get most of the versions in between from snapshots:
> >
> > http://snapshot.debian.org/package/mercurial/
>
> I pinpointed that this problem is first fixed in package version
> 3.3~rc1-1.
>

Marking as fixed in that version.

Cheers,
Julien
--
Julien Cristau <julien.cristau at logilab.fr>
Logilab http://www.logilab.fr/
Scientific computing & knowledge management
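
Added example (not part of the original message and not Mercurial's code): a small Python parser that reads captured handshake bytes and reports the version a client offered in its ClientHello and any alert the server sent back, which is how the TLS 1.0-only client described above appears on the wire against a TLS 1.2-only server. The sample bytes and all function names are constructed for illustration.

```python
import struct

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def parse_records(data):
    """Yield (content_type, record_version, payload) for each TLS record in data."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        payload = data[offset + 5 : offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, (major, minor), payload
        offset += 5 + length


def summarize(data):
    """Report the version offered in each ClientHello and every alert seen."""
    findings = []
    for ctype, _, payload in parse_records(data):
        if ctype == 22 and len(payload) >= 6 and payload[0] == 1:
            # Handshake header is type(1) + length(3); client_version follows.
            # Up to TLS 1.2 this field is the highest version the client accepts.
            version = (payload[4], payload[5])
            findings.append(("client_hello", VERSIONS.get(version, "unknown")))
        elif ctype == 21 and len(payload) == 2:
            level, desc = payload
            findings.append(("alert", ALERT_LEVELS.get(level, "unknown"),
                             ALERT_DESCRIPTIONS.get(desc, str(desc))))
    return findings


# Constructed sample: a minimal ClientHello offering TLS 1.0 (zeroed random,
# empty session id, one cipher suite) and a fatal protocol_version alert.
_body = bytes([3, 1]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01" + struct.pack("!H", len(_body) + 4)
                       + b"\x01" + len(_body).to_bytes(3, "big") + _body)
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x46"

if __name__ == "__main__":
    for finding in summarize(SAMPLE_CLIENT_HELLO + SAMPLE_ALERT):
        print(finding)
```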