diff --git a/contrib/python3-whitelist b/contrib/python3-whitelist
--- a/contrib/python3-whitelist
+++ b/contrib/python3-whitelist
@@ -449,6 +449,7 @@
 test-upgrade-repo.t
 test-url-download.t
 test-url-rev.t
+test-url.py
 test-username-newline.t
 test-verify.t
 test-websub.t
diff --git a/tests/test-url.py b/tests/test-url.py
--- a/tests/test-url.py
+++ b/tests/test-url.py
@@ -20,17 +20,17 @@
 check(_verifycert(cert('example.com'), 'example.com'),
       None)
 check(_verifycert(cert('example.com'), 'www.example.com'),
-      'certificate is for example.com')
+      b'certificate is for example.com')
 check(_verifycert(cert('www.example.com'), 'example.com'),
-      'certificate is for www.example.com')
+      b'certificate is for www.example.com')
 
 # Test wildcard certificates
 check(_verifycert(cert('*.example.com'), 'www.example.com'),
       None)
 check(_verifycert(cert('*.example.com'), 'example.com'),
-      'certificate is for *.example.com')
+      b'certificate is for *.example.com')
 check(_verifycert(cert('*.example.com'), 'w.w.example.com'),
-      'certificate is for *.example.com')
+      b'certificate is for *.example.com')
 
 # Test subjectAltName
 san_cert = {'subject': ((('commonName', 'example.com'),),),
@@ -42,7 +42,7 @@
       None)
 # no fallback to subject commonName when subjectAltName has DNS
 check(_verifycert(san_cert, 'example.com'),
-      'certificate is for *.example.net, example.net')
+      b'certificate is for *.example.net, example.net')
 # fallback to subject commonName when no DNS in subjectAltName
 san_cert = {'subject': ((('commonName', 'example.com'),),),
             'subjectAltName': (('IP Address', '8.8.8.8'),)}
@@ -50,84 +50,84 @@
 
 # Avoid some pitfalls
 check(_verifycert(cert('*.foo'), 'foo'),
-      'certificate is for *.foo')
+      b'certificate is for *.foo')
 check(_verifycert(cert('*o'), 'foo'), None)
 
 check(_verifycert({'subject': ()},
                   'example.com'),
-      'no commonName or subjectAltName found in certificate')
+      b'no commonName or subjectAltName found in certificate')
 check(_verifycert(None, 'example.com'),
-      'no certificate received')
+      b'no certificate received')
 
 # Unicode (IDN) certname isn't supported
 check(_verifycert(cert(u'\u4f8b.jp'), 'example.jp'),
-      'IDN in certificate not supported')
+      b'IDN in certificate not supported')
 
 # The following tests are from CPython's test_ssl.py.
 check(_verifycert(cert('example.com'), 'example.com'), None)
 check(_verifycert(cert('example.com'), 'ExAmple.cOm'), None)
 check(_verifycert(cert('example.com'), 'www.example.com'),
-      'certificate is for example.com')
+      b'certificate is for example.com')
 check(_verifycert(cert('example.com'), '.example.com'),
-      'certificate is for example.com')
+      b'certificate is for example.com')
 check(_verifycert(cert('example.com'), 'example.org'),
-      'certificate is for example.com')
+      b'certificate is for example.com')
 check(_verifycert(cert('example.com'), 'exampleXcom'),
-      'certificate is for example.com')
+      b'certificate is for example.com')
 check(_verifycert(cert('*.a.com'), 'foo.a.com'), None)
 check(_verifycert(cert('*.a.com'), 'bar.foo.a.com'),
-      'certificate is for *.a.com')
+      b'certificate is for *.a.com')
 check(_verifycert(cert('*.a.com'), 'a.com'),
-      'certificate is for *.a.com')
+      b'certificate is for *.a.com')
 check(_verifycert(cert('*.a.com'), 'Xa.com'),
-      'certificate is for *.a.com')
+      b'certificate is for *.a.com')
 check(_verifycert(cert('*.a.com'), '.a.com'),
-      'certificate is for *.a.com')
+      b'certificate is for *.a.com')
 
 # only match one left-most wildcard
 check(_verifycert(cert('f*.com'), 'foo.com'), None)
 check(_verifycert(cert('f*.com'), 'f.com'), None)
 check(_verifycert(cert('f*.com'), 'bar.com'),
-      'certificate is for f*.com')
+      b'certificate is for f*.com')
 check(_verifycert(cert('f*.com'), 'foo.a.com'),
-      'certificate is for f*.com')
+      b'certificate is for f*.com')
 check(_verifycert(cert('f*.com'), 'bar.foo.com'),
-      'certificate is for f*.com')
+      b'certificate is for f*.com')
 
 # NULL bytes are bad, CVE-2013-4073
 check(_verifycert(cert('null.python.org\x00example.org'),
                   'null.python.org\x00example.org'), None)
 check(_verifycert(cert('null.python.org\x00example.org'),
                   'example.org'),
-      'certificate is for null.python.org\x00example.org')
+      b'certificate is for null.python.org\x00example.org')
 check(_verifycert(cert('null.python.org\x00example.org'),
                   'null.python.org'),
-      'certificate is for null.python.org\x00example.org')
+      b'certificate is for null.python.org\x00example.org')
 
 # error cases with wildcards
 check(_verifycert(cert('*.*.a.com'), 'bar.foo.a.com'),
-      'certificate is for *.*.a.com')
+      b'certificate is for *.*.a.com')
 check(_verifycert(cert('*.*.a.com'), 'a.com'),
-      'certificate is for *.*.a.com')
+      b'certificate is for *.*.a.com')
 check(_verifycert(cert('*.*.a.com'), 'Xa.com'),
-      'certificate is for *.*.a.com')
+      b'certificate is for *.*.a.com')
 check(_verifycert(cert('*.*.a.com'), '.a.com'),
-      'certificate is for *.*.a.com')
+      b'certificate is for *.*.a.com')
 
 check(_verifycert(cert('a.*.com'), 'a.foo.com'),
-      'certificate is for a.*.com')
+      b'certificate is for a.*.com')
 check(_verifycert(cert('a.*.com'), 'a..com'),
-      'certificate is for a.*.com')
+      b'certificate is for a.*.com')
 check(_verifycert(cert('a.*.com'), 'a.com'),
-      'certificate is for a.*.com')
+      b'certificate is for a.*.com')
 
 # wildcard doesn't match IDNA prefix 'xn--'
 idna = u'püthon.python.org'.encode('idna').decode('ascii')
 check(_verifycert(cert(idna), idna), None)
 check(_verifycert(cert('x*.python.org'), idna),
-      'certificate is for x*.python.org')
+      b'certificate is for x*.python.org')
 check(_verifycert(cert('xn--p*.python.org'), idna),
-      'certificate is for xn--p*.python.org')
+      b'certificate is for xn--p*.python.org')
 
 # wildcard in first fragment and  IDNA A-labels in sequent fragments
 # are supported.
@@ -140,10 +140,10 @@
       None)
 check(_verifycert(cert(idna),
                   u'ftp.pythön.org'.encode('idna').decode('ascii')),
-      'certificate is for www*.xn--pythn-mua.org')
+      b'certificate is for www*.xn--pythn-mua.org')
 check(_verifycert(cert(idna),
                   u'pythön.org'.encode('idna').decode('ascii')),
-      'certificate is for www*.xn--pythn-mua.org')
+      b'certificate is for www*.xn--pythn-mua.org')
 
 c = {
     'notAfter': 'Jun 26 21:41:46 2011 GMT',
@@ -158,10 +158,10 @@
 check(_verifycert(c, 'linuxfr.com'), None)
 # Not a "DNS" entry
 check(_verifycert(c, '<unsupported>'),
-      'certificate is for linuxfr.org, linuxfr.com')
+      b'certificate is for linuxfr.org, linuxfr.com')
 # When there is a subjectAltName, commonName isn't used
 check(_verifycert(c, 'linuxfrz.org'),
-      'certificate is for linuxfr.org, linuxfr.com')
+      b'certificate is for linuxfr.org, linuxfr.com')
 
 # A pristine real-world example
 c = {
@@ -175,10 +175,10 @@
     ),
 }
 check(_verifycert(c, 'mail.google.com'), None)
-check(_verifycert(c, 'gmail.com'), 'certificate is for mail.google.com')
+check(_verifycert(c, 'gmail.com'), b'certificate is for mail.google.com')
 
 # Only commonName is considered
-check(_verifycert(c, 'California'), 'certificate is for mail.google.com')
+check(_verifycert(c, 'California'), b'certificate is for mail.google.com')
 
 # Neither commonName nor subjectAltName
 c = {
@@ -191,7 +191,7 @@
     ),
 }
 check(_verifycert(c, 'mail.google.com'),
-      'no commonName or subjectAltName found in certificate')
+      b'no commonName or subjectAltName found in certificate')
 
 # No DNS entry in subjectAltName but a commonName
 c = {
@@ -218,21 +218,21 @@
     'subjectAltName': (('othername', 'blabla'),),
 }
 check(_verifycert(c, 'google.com'),
-      'no commonName or subjectAltName found in certificate')
+      b'no commonName or subjectAltName found in certificate')
 
 # Empty cert / no cert
-check(_verifycert(None, 'example.com'), 'no certificate received')
-check(_verifycert({}, 'example.com'), 'no certificate received')
+check(_verifycert(None, 'example.com'), b'no certificate received')
+check(_verifycert({}, 'example.com'), b'no certificate received')
 
 # avoid denials of service by refusing more than one
 # wildcard per fragment.
 check(_verifycert({'subject': (((u'commonName', u'a*b.com'),),)},
                   'axxb.com'), None)
 check(_verifycert({'subject': (((u'commonName', u'a*b.co*'),),)},
-                  'axxb.com'), 'certificate is for a*b.co*')
+                  'axxb.com'), b'certificate is for a*b.co*')
 check(_verifycert({'subject': (((u'commonName', u'a*b*.com'),),)},
                   'axxbxxc.com'),
-      'too many wildcards in certificate DNS name: a*b*.com')
+      b'too many wildcards in certificate DNS name: a*b*.com')
 
 def test_url():
     """
@@ -245,107 +245,107 @@
 
     Query strings and fragments:
 
-    >>> url('http://host/a?b#c')
+    >>> url(b'http://host/a?b#c')
     <url scheme: 'http', host: 'host', path: 'a', query: 'b', fragment: 'c'>
-    >>> url('http://host/a?')
+    >>> url(b'http://host/a?')
     <url scheme: 'http', host: 'host', path: 'a'>
-    >>> url('http://host/a#b#c')
+    >>> url(b'http://host/a#b#c')
     <url scheme: 'http', host: 'host', path: 'a', fragment: 'b#c'>
-    >>> url('http://host/a#b?c')
+    >>> url(b'http://host/a#b?c')
     <url scheme: 'http', host: 'host', path: 'a', fragment: 'b?c'>
-    >>> url('http://host/?a#b')
+    >>> url(b'http://host/?a#b')
     <url scheme: 'http', host: 'host', path: '', query: 'a', fragment: 'b'>
-    >>> url('http://host/?a#b', parsequery=False)
+    >>> url(b'http://host/?a#b', parsequery=False)
     <url scheme: 'http', host: 'host', path: '?a', fragment: 'b'>
-    >>> url('http://host/?a#b', parsefragment=False)
+    >>> url(b'http://host/?a#b', parsefragment=False)
     <url scheme: 'http', host: 'host', path: '', query: 'a#b'>
-    >>> url('http://host/?a#b', parsequery=False, parsefragment=False)
+    >>> url(b'http://host/?a#b', parsequery=False, parsefragment=False)
     <url scheme: 'http', host: 'host', path: '?a#b'>
 
     IPv6 addresses:
 
-    >>> url('ldap://[2001:db8::7]/c=GB?objectClass?one')
+    >>> url(b'ldap://[2001:db8::7]/c=GB?objectClass?one')
     <url scheme: 'ldap', host: '[2001:db8::7]', path: 'c=GB',
          query: 'objectClass?one'>
-    >>> url('ldap://joe:xxx@[2001:db8::7]:80/c=GB?objectClass?one')
+    >>> url(b'ldap://joe:xxx@[2001:db8::7]:80/c=GB?objectClass?one')
     <url scheme: 'ldap', user: 'joe', passwd: 'xxx', host: '[2001:db8::7]',
          port: '80', path: 'c=GB', query: 'objectClass?one'>
 
     Missing scheme, host, etc.:
 
-    >>> url('://192.0.2.16:80/')
+    >>> url(b'://192.0.2.16:80/')
     <url path: '://192.0.2.16:80/'>
-    >>> url('https://mercurial-scm.org')
+    >>> url(b'https://mercurial-scm.org')
     <url scheme: 'https', host: 'mercurial-scm.org'>
-    >>> url('/foo')
+    >>> url(b'/foo')
     <url path: '/foo'>
-    >>> url('bundle:/foo')
+    >>> url(b'bundle:/foo')
     <url scheme: 'bundle', path: '/foo'>
-    >>> url('a?b#c')
+    >>> url(b'a?b#c')
     <url path: 'a?b', fragment: 'c'>
-    >>> url('http://x.com?arg=/foo')
+    >>> url(b'http://x.com?arg=/foo')
     <url scheme: 'http', host: 'x.com', query: 'arg=/foo'>
-    >>> url('http://joe:xxx@/foo')
+    >>> url(b'http://joe:xxx@/foo')
     <url scheme: 'http', user: 'joe', passwd: 'xxx', path: 'foo'>
 
     Just a scheme and a path:
 
-    >>> url('mailto:John.Doe@example.com')
+    >>> url(b'mailto:John.Doe@example.com')
     <url scheme: 'mailto', path: 'John.Doe@example.com'>
-    >>> url('a:b:c:d')
+    >>> url(b'a:b:c:d')
     <url path: 'a:b:c:d'>
-    >>> url('aa:bb:cc:dd')
+    >>> url(b'aa:bb:cc:dd')
     <url scheme: 'aa', path: 'bb:cc:dd'>
 
     SSH examples:
 
-    >>> url('ssh://joe@host//home/joe')
+    >>> url(b'ssh://joe@host//home/joe')
     <url scheme: 'ssh', user: 'joe', host: 'host', path: '/home/joe'>
-    >>> url('ssh://joe:xxx@host/src')
+    >>> url(b'ssh://joe:xxx@host/src')
     <url scheme: 'ssh', user: 'joe', passwd: 'xxx', host: 'host', path: 'src'>
-    >>> url('ssh://joe:xxx@host')
+    >>> url(b'ssh://joe:xxx@host')
     <url scheme: 'ssh', user: 'joe', passwd: 'xxx', host: 'host'>
-    >>> url('ssh://joe@host')
+    >>> url(b'ssh://joe@host')
     <url scheme: 'ssh', user: 'joe', host: 'host'>
-    >>> url('ssh://host')
+    >>> url(b'ssh://host')
     <url scheme: 'ssh', host: 'host'>
-    >>> url('ssh://')
+    >>> url(b'ssh://')
     <url scheme: 'ssh'>
-    >>> url('ssh:')
+    >>> url(b'ssh:')
     <url scheme: 'ssh'>
 
     Non-numeric port:
 
-    >>> url('http://example.com:dd')
+    >>> url(b'http://example.com:dd')
     <url scheme: 'http', host: 'example.com', port: 'dd'>
-    >>> url('ssh://joe:xxx@host:ssh/foo')
+    >>> url(b'ssh://joe:xxx@host:ssh/foo')
     <url scheme: 'ssh', user: 'joe', passwd: 'xxx', host: 'host', port: 'ssh',
          path: 'foo'>
 
     Bad authentication credentials:
 
-    >>> url('http://joe@joeville:123@4:@host/a?b#c')
+    >>> url(b'http://joe@joeville:123@4:@host/a?b#c')
     <url scheme: 'http', user: 'joe@joeville', passwd: '123@4:',
          host: 'host', path: 'a', query: 'b', fragment: 'c'>
-    >>> url('http://!*#?/@!*#?/:@host/a?b#c')
+    >>> url(b'http://!*#?/@!*#?/:@host/a?b#c')
     <url scheme: 'http', host: '!*', fragment: '?/@!*#?/:@host/a?b#c'>
-    >>> url('http://!*#?@!*#?:@host/a?b#c')
+    >>> url(b'http://!*#?@!*#?:@host/a?b#c')
     <url scheme: 'http', host: '!*', fragment: '?@!*#?:@host/a?b#c'>
-    >>> url('http://!*@:!*@@host/a?b#c')
+    >>> url(b'http://!*@:!*@@host/a?b#c')
     <url scheme: 'http', user: '!*@', passwd: '!*@', host: 'host',
          path: 'a', query: 'b', fragment: 'c'>
 
     File paths:
 
-    >>> url('a/b/c/d.g.f')
+    >>> url(b'a/b/c/d.g.f')
     <url path: 'a/b/c/d.g.f'>
-    >>> url('/x///z/y/')
+    >>> url(b'/x///z/y/')
     <url path: '/x///z/y/'>
-    >>> url('/foo:bar')
+    >>> url(b'/foo:bar')
     <url path: '/foo:bar'>
-    >>> url('\\\\foo:bar')
+    >>> url(b'\\\\foo:bar')
     <url path: '\\\\foo:bar'>
-    >>> url('./foo:bar')
+    >>> url(b'./foo:bar')
     <url path: './foo:bar'>
 
     Non-localhost file URL:
@@ -358,7 +358,7 @@
 
     Empty URL:
 
-    >>> u = url('')
+    >>> u = url(b'')
     >>> u
     <url path: ''>
     >>> str(u)
@@ -366,54 +366,54 @@
 
     Empty path with query string:
 
-    >>> str(url('http://foo/?bar'))
+    >>> str(url(b'http://foo/?bar'))
     'http://foo/?bar'
 
     Invalid path:
 
-    >>> u = url('http://foo/bar')
-    >>> u.path = 'bar'
+    >>> u = url(b'http://foo/bar')
+    >>> u.path = b'bar'
     >>> str(u)
     'http://foo/bar'
 
-    >>> u = url('file:/foo/bar/baz')
+    >>> u = url(b'file:/foo/bar/baz')
     >>> u
     <url scheme: 'file', path: '/foo/bar/baz'>
     >>> str(u)
     'file:///foo/bar/baz'
-    >>> u.localpath()
+    >>> pycompat.bytestr(u.localpath())
     '/foo/bar/baz'
 
-    >>> u = url('file:///foo/bar/baz')
+    >>> u = url(b'file:///foo/bar/baz')
     >>> u
     <url scheme: 'file', path: '/foo/bar/baz'>
     >>> str(u)
     'file:///foo/bar/baz'
-    >>> u.localpath()
+    >>> pycompat.bytestr(u.localpath())
     '/foo/bar/baz'
 
-    >>> u = url('file:///f:oo/bar/baz')
+    >>> u = url(b'file:///f:oo/bar/baz')
     >>> u
     <url scheme: 'file', path: 'f:oo/bar/baz'>
     >>> str(u)
     'file:///f:oo/bar/baz'
-    >>> u.localpath()
+    >>> pycompat.bytestr(u.localpath())
     'f:oo/bar/baz'
 
-    >>> u = url('file://localhost/f:oo/bar/baz')
+    >>> u = url(b'file://localhost/f:oo/bar/baz')
     >>> u
     <url scheme: 'file', host: 'localhost', path: 'f:oo/bar/baz'>
     >>> str(u)
     'file://localhost/f:oo/bar/baz'
-    >>> u.localpath()
+    >>> pycompat.bytestr(u.localpath())
     'f:oo/bar/baz'
 
-    >>> u = url('file:foo/bar/baz')
+    >>> u = url(b'file:foo/bar/baz')
     >>> u
     <url scheme: 'file', path: 'foo/bar/baz'>
     >>> str(u)
     'file:foo/bar/baz'
-    >>> u.localpath()
+    >>> pycompat.bytestr(u.localpath())
     'foo/bar/baz'
     """