[Python-apps-team] Bug#918475: mercurial: CipherString = DEFAULT at SECLEVEL=2 from 1.1.1~~pre6-1 breaks it

Stefan Huehner stefan at huehner.org
Mon Jan 21 17:42:12 GMT 2019


Package: mercurial
Version: 4.8.2-1
Followup-For: Bug #918475

Hello,
I am also getting the same error on my sid system and, after asking on
#debian/#debian-next, tried a bit more.

openssl s_client -connect api.media.atlassian.com:443

is enough to get the same error message. So the topic should maybe be moved
to the openssl package.
Trying various versions from snapshot.debian.net (without touching
openssl.conf, downgrading both libssl1.1+openssl packages):

Last working: 1.1.1~~pre4
First failing: 1.1.1~~pre6-2 (-1 does not have binaries on
snapshot.debian.net)

The change triggering the issue seems to be the SecurityLevel change in
/etc/ssl/openssl.conf
Commenting out this line on unmodified sid with the latest libssl/openssl is
enough to make the connection work.
Also, lowering the minTLS version from 1.2 to 1.10 without touching the
Ciphersuite makes the connection work again.

Reading, i.e., the
https://wiki.debian.org/ContinousIntegration/TriagingTips/openssl-1.1.1
page, I don't understand the problem, as the server config at Atlassian
looks fine to not use any low-grade security, and s_client connects with:
TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Apart from that, Atlassian recently changed their config to raise the
min-version of their bitbucket.org hosting to TLSv1.2 (note that the host
talked about in this issue is related to that service; it is used in their
clonebundles).

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mercurial depends on:
ii  libc6             2.28-5
ii  mercurial-common  4.8.2-1
ii  python            2.7.15-4
ii  ucf               3.0038+nmu1

Versions of packages mercurial recommends:
ii  openssh-client  1:7.9p1-5

Versions of packages mercurial suggests:
ii  meld  3.20.0-1
pn  qct   <none>

-- no debconf information


