Hi Javi, On Fri, 2015-05-08 at 18:01 +0900, Javi Merino wrote: > Control: tags -1 + upstream jessie > > Hi Mathias, > > On Wed, May 06, 2015 at 10:28:17PM +0000, Mathias Gibbens wrote: > > Package: mercurial > > Version: 3.1.2-2 > > Severity: normal > > > > Dear Maintainer, > > > > Cloning a mercurial repository over https is unexpectedly failing. > > However, using version 3.4-1 from unstable works as expected. > > > > * What led up to the situation? > > > > I tried to clone an existing personal mercurial repository from a new > > jessie install. When I do, I get this error: > > > > $ hg clone https://hg.calenhad.com/foobar > > abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert > > protocol version (_ssl.c:581) > > > > However, this works just fine on a wheezy system: > > > > $ hg clone https://hg.calenhad.com/foobar > > destination directory: foobar > > no changes found > > updating to branch default > > 0 files updated, 0 files merged, 0 files removed, 0 files unresolved > > > > The server I am trying to clone from only supports TLSv1.2 and the more > > recent DHE/ECDHE ciphers. You can view its ssllabs report at > > https://www.ssllabs.com/ssltest/analyze.html?d=hg.calenhad.com > > > > * What exactly did you do (or not do) that was effective (or > > ineffective)? > > > > I thought this might be caused by my server using SNI for multiple https > > virtual hosts, but including the "--insecure" option when cloning had no > > effect. > > Hmmm, I think this is a duplicate of #769761: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769761 > > I'm not marking it as a duplicate yet because I haven't had time to > read the bug report fully. If you think it is, feel free to merge > them.
I think this is a different issue, although they may be related:
$ hg --version
Mercurial Distributed SCM (version 3.1.2)
(see http://mercurial.selenic.com for more information)
Copyright (C) 2005-2014 Matt Mackall and others
This is free software; see the source for copying conditions. There
is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
$ hg clone https://anonscm.debian.org/hg/pkg-vim/vim
abort: anonscm.debian.org certificate error: certificate is for
*.alioth.debian.org, alioth.debian.org
(configure hostfingerprint
38:7e:2e:0e:68:6d:e9:9d:0b:b2:e2:3a:4c:85:ce:05:6c:e4:41:93 or use
--insecure to connect insecurely)
$ hg clone https://hg.calenhad.com/foobar
abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert
protocol version (_ssl.c:581)
> > I also tried enabling SSLv3, TLSv1, and TLSv1.1 in addition to TLSv1.2
> > on my webserver, but I still get the same error.
> >
> > I installed mercurial 3.4-1 from the unstable repository, and the clone
> > worked properly. So somewhere between 3.1.2-2 and 3.4-1 this problem was
> > resolved. I looked in the changelog for the package and don't see
> > anything specifically related to this problem.
>
> You can get most of the versions in between from snapshots:
>
> http://snapshot.debian.org/package/mercurial/
I pinpointed that this problem is first fixed in package version
3.3~rc1-1.
> > I'm not sure where to look to compare changes in mercurial between
> > 3.1.2-2 and 3.4-1. I'm happy to provide feedback or try configuration
> > changes. Feel free to run my clone command above -- the repository is an
> > empty one created for testing purposes.
>
> Many thanks for the test repository. If this is #769761, there's a
> patch from upstream that can be backported to 3.1.2-2 to fix it. I probably
> won't have time to work on this until the end of the month. Can you
> keep that repository around for a month or so?
I'm happy to keep the test repository around as long as necessary.
> Thanks,
> Javi
signature.asc
Description: This is a digitally signed message part
