Package: libssl3,mercurial Severity: normal X-Debbugs-Cc: jcris...@debian.org
Hi, mercurial's test suite no longer passes in sid, with: > --- /<<PKGBUILDDIR>>/tests/test-https.t > +++ /<<PKGBUILDDIR>>/tests/test-https.t.err > @@ -362,9 +362,11 @@ > Clients talking same TLS versions work > > $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config > hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/ > - 5fed3813f7f5 > + abort: error: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error > (_ssl.c:997) > + [100] > $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config > hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/ > - 5fed3813f7f5 > + abort: error: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error > (_ssl.c:997) > + [100] > $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id > https://localhost:$HGPORT2/ > 5fed3813f7f5 > > @@ -399,8 +401,8 @@ > --insecure will allow TLS 1.0 connections and override configs > > $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure > https://localhost:$HGPORT1/ > - warning: connection security to localhost is disabled per current > settings; communication is susceptible to eavesdropping and tampering > - 5fed3813f7f5 > + abort: error: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error > (_ssl.c:997) > + [100] > > The per-host config option overrides the default > > @@ -408,7 +410,8 @@ > > --config hostsecurity.ciphers=DEFAULT \ > > --config hostsecurity.minimumprotocol=tls1.2 \ > > --config hostsecurity.localhost:minimumprotocol=tls1.0 > - 5fed3813f7f5 > + abort: error: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error > (_ssl.c:997) > + [100] > > The per-host config option by itself works > > > ERROR: test-https.t output changed The failures happen in parts of the test that spin up and attempt to connect to a TLS1.0 or TLS1.1 server. It used to pass on 1.1.1n and (I think) 1.1.1o. Trying to replicate with openssl's cmdline tools, e.g.: openssl s_server -cert tests/sslcerts/pub.pem -key tests/sslcerts/priv.pem -tls1 and openssl s_client -connect localhost:4433 -tls1 The server reports: 4084745F427F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../ssl/t1_lib.c:3331: Talking with Sebastian on IRC he suggested some extra -cipher / -provider command line options which didn't seem to make a difference. I guess I have two questions: - is this a bug or an intended change? - if it's intended, is there a way to allow these connections again? Thanks, Julien
