Version: 3.3~rc1-1 On Fri, May 8, 2015 at 15:12:01 +0000, Mathias Gibbens wrote:
> Hi Javi, > > On Fri, 2015-05-08 at 18:01 +0900, Javi Merino wrote: > > Control: tags -1 + upstream jessie > > > > Hi Mathias, > > > > On Wed, May 06, 2015 at 10:28:17PM +0000, Mathias Gibbens wrote: > > > Package: mercurial > > > Version: 3.1.2-2 > > > Severity: normal > > > > > > Dear Maintainer, > > > > > > Cloning a mercurial repository over https is unexpectedly failing. > > > However, using version 3.4-1 from unstable works as expected. > > > > > > * What led up to the situation? > > > > > > I tried to clone an existing personal mercurial repository from a new > > > jessie install. When I do, I get this error: > > > > > > $ hg clone https://hg.calenhad.com/foobar > > > abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert > > > protocol version (_ssl.c:581) > > > > > > However, this works just fine on a wheezy system: > > > > > > $ hg clone https://hg.calenhad.com/foobar > > > destination directory: foobar > > > no changes found > > > updating to branch default > > > 0 files updated, 0 files merged, 0 files removed, 0 files unresolved > > > > > > The server I am trying to clone from only supports TLSv1.2 and the more > > > recent DHE/ECDHE ciphers. You can view its ssllabs report at > > > https://www.ssllabs.com/ssltest/analyze.html?d=hg.calenhad.com > > > Prior to https://selenic.com/hg/rev/e1931f7cd977 mercurial only allowed TLS 1.0. > > > * What exactly did you do (or not do) that was effective (or > > > ineffective)? > > > > > > I thought this might be caused by my server using SNI for multiple https > > > virtual hosts, but including the "--insecure" option when cloning had no > > > effect. > > > > Hmmm, I think this is a duplicate of #769761: > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769761 > > > > I'm not marking it as a duplicate yet because I haven't had time to > > read the bug report fully. If you think it is, feel free to merge > > them. > > I think this is a different issue, although they may be related: > > $ hg --version > Mercurial Distributed SCM (version 3.1.2) > (see http://mercurial.selenic.com for more information) > > Copyright (C) 2005-2014 Matt Mackall and others > This is free software; see the source for copying conditions. There > is NO > warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR > PURPOSE. > > $ hg clone https://anonscm.debian.org/hg/pkg-vim/vim > abort: anonscm.debian.org certificate error: certificate is for > *.alioth.debian.org, alioth.debian.org > (configure hostfingerprint > 38:7e:2e:0e:68:6d:e9:9d:0b:b2:e2:3a:4c:85:ce:05:6c:e4:41:93 or use > --insecure to connect insecurely) > > $ hg clone https://hg.calenhad.com/foobar > abort: error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert > protocol version (_ssl.c:581) > > > > I also tried enabling SSLv3, TLSv1, and TLSv1.1 in addition to TLSv1.2 > > > on my webserver, but I still get the same error. > > > > > > I installed mercurial 3.4-1 from the unstable repository, and the clone > > > worked properly. So somewhere between 3.1.2-2 and 3.4-1 this problem was > > > resolved. I looked in the changelog for the package and don't see > > > anything specifically related to this problem. > > > > You can get most of the versions in between from snapshots: > > > > http://snapshot.debian.org/package/mercurial/ > > I pinpointed that this problem is first fixed in package version > 3.3~rc1-1. > Marking as fixed in that version. Cheers, Julien -- Julien Cristau <julien.cris...@logilab.fr> Logilab http://www.logilab.fr/ Informatique scientifique & gestion de connaissances
