Bug 446392

Summary: SSL error: Key usage violation
Product: [Fedora] Fedora
Component: subversion
Version: 9
Hardware: i386
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Reporter: Soren Roug <soren.roug>
Assignee: Joe Orton <jorton>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: tmraz
Doc Type: Bug Fix
Last Closed: 2008-05-15 07:28:32 UTC

Description Soren Roug 2008-05-14 13:21:20 UTC
Description of problem: Doing 'svn update' against an SSL-enabled HTTP server
with a self-signed certificate generates the error message: SSL error: Key usage
violation in certificate has been detected.


Version-Release number of selected component (if applicable):
subversion-1.4.6-7.i386

How reproducible:
Simply do:
svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
It is a public SVN repository


Steps to Reproduce:
1. svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
Actual results:
svn: PROPFIND request failed on '/repositories/Zope/trunk/Localizer'
svn: PROPFIND of '/repositories/Zope/trunk/Localizer': SSL negotiation failed:
SSL error: Key usage violation in certificate has been detected.
(https://svn.eionet.europa.eu)

Expected results:
Localizer product checked out

Additional info:
The certificate for svn.eionet.europa.eu has the X509v3 Key Usage set to: Key
Encipherment, which is normal for SSL servers.

The svn.eionet.europa.eu has been in use for years, about two years with the
current certificate, and no such issue has arisen before.

In case you need to take a look, the certificate is signed with this CA:
http://www.eionet.europa.eu/certificates/eionet-ca.cer

Comment 1 Joe Orton 2008-05-14 14:19:31 UTC
Thanks for the report.  I'm about to go on holiday so won't be able to look at
this immediately, but it is probably a GnuTLS bug so I've forwarded it upstream.

Comment 2 Joe Orton 2008-05-14 17:19:50 UTC
Upstream response:

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2789

Comment 3 Tomas Mraz 2008-05-14 17:53:10 UTC
The server should not offer the DHE_RSA method with such a certificate. So
definitely a problem on the server.


Comment 4 Soren Roug 2008-05-15 07:28:32 UTC
Yes, adding "digital signature" as key usage fixed the problem.
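
The mismatch described in comments 3 and 4, as an added example that is not part of the original report or of GnuTLS: it decodes an X.509 keyUsage BIT STRING and lists which offered TLS key exchange methods the certificate does not permit, using the requirements of RFC 5246 section 7.4.2. The function names and the two sample encodings are constructed for illustration; they were not extracted from the server in this report.

```python
# Named bits of the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Key usage bit the server certificate needs for each TLS key exchange
# (RFC 5246, section 7.4.2), when the keyUsage extension is present.
REQUIRED_USAGE = {
    "RSA": "keyEncipherment",        # client encrypts the premaster secret
    "DHE_RSA": "digitalSignature",   # server signs its ephemeral DH parameters
    "ECDHE_RSA": "digitalSignature",
    "DH_RSA": "keyAgreement",
}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (short-form length) into key usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("malformed BIT STRING")
    total_bits = len(payload) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages


def violations(der: bytes, offered_kx: list) -> list:
    """Return the offered key exchanges that the key usage does not permit."""
    usages = decode_key_usage(der)
    return [kx for kx in offered_kx if REQUIRED_USAGE[kx] not in usages]


# Constructed sample values (hypothetical, for illustration only).
BEFORE = bytes.fromhex("03020520")  # keyEncipherment only
AFTER = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment

if __name__ == "__main__":
    for label, ku in (("before", BEFORE), ("after", AFTER)):
        print(label, sorted(decode_key_usage(ku)),
              "violations:", violations(ku, ["RSA", "DHE_RSA"]))
```

With only keyEncipherment set, plain RSA key exchange is permitted but DHE_RSA is not, which matches the server-side fix reported in comment 4.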