Bug 445044 - PKCS#12 certificate issue
Product: Fedora
Classification: Fedora
Component: neon
Hardware: i386 Linux
Priority: low, Severity: low
Assigned To: Joe Orton
Fedora Extras Quality Assurance
Reported: 2008-05-02 18:20 EDT by Yoann Sallaz-Damaz
Modified: 2009-07-15 04:24 EDT
Doc Type: Bug Fix
Last Closed: 2009-07-15 04:24:23 EDT
Description Yoann Sallaz-Damaz 2008-05-02 18:20:18 EDT
Description of problem:
Using svn with authentication by certificate (.p12) doesn't work. No error
message, just a new prompt for the path of the certificate file.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. svn co https:.... (with authentication using a certificate)
Actual results:
The certificate file is asked for 3 times, then the authentication fails

Expected results:

Additional info:
I have compiled my own version of subversion-1.4.6 with neon-0.25.5 and it's
working perfectly
Comment 1 Joe Orton 2008-05-06 05:18:27 EDT
Can you add 

neon-debug-mask = 511

to the [global] section in ~/.subversion/servers, run

  svn co https://...  2>/tmp/debug

then attach /tmp/debug to this bug report?
Comment 2 Bug Zapper 2008-05-14 06:33:42 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 3 Joe Orton 2008-06-18 04:31:19 EDT
Can you supply the information requested above in comment 1?  I've been unable
to reproduce any problems here.
Comment 4 dann frazier 2008-10-27 16:10:57 EDT
fyi, this may be the same issue as:
Comment 5 Joe Orton 2008-10-30 13:19:17 EDT
Is anyone who is affected by this bug willing to try some test packages?
Comment 6 dann frazier 2008-10-30 13:23:56 EDT
I'm a Debian user, but I'm certainly willing to test patches.

fyi, I've provided what I believe is a standalone reproducer here:
Comment 7 Joe Orton 2008-10-30 15:19:34 EDT
Ah, so there are two slightly different issues here.

1) GnuTLS failing to parse a PKCS#12 file as you indicate in comment 6.  I reported that upstream to GnuTLS this week too:


2) PKCS#12 certs which GnuTLS can parse, but which neon fails to interpret correctly.  This will cause the SVN failure like "SSL negotiation failed: SSL alert received: Decrypt error".  My neon patch should fix this case - though with some PKCS#12 certs it could still happen.

Thanks a lot for posting that reference here anyway, all that diagnostic info was sitting in that bug report at Debian and nobody had bothered to ask upstream :(
Comment 8 Dimitris 2009-02-03 10:50:52 EST

How can I solve this in Fedora 10?

Comment 9 Joe Orton 2009-02-03 11:12:20 EST
Dimitris: please try the packages from:

Comment 10 Dimitris 2009-02-03 11:45:08 EST
Thank you,

Now I have this:

rpm -qa|grep neo

But the problem is still there.
Comment 11 Joe Orton 2009-02-03 11:48:48 EST
You're probably suffering from bug 478883, in that case.
Comment 12 Dimitris 2009-03-03 06:19:22 EST
Some colleague had the same problem in Ubuntu and used this recipe to get over it:


I tried the same and I end up with SSL negotiation failed: SSL error: Key usage violation in certificate has been detected.

I googled around a bit and 
gnutls-cli -d 4711 sslsvnhost 2>&1|grep  'Selected cipher'

|<3>| HSK[2328dc0]: Selected cipher suite: DHE_RSA_AES_128_CBC_SHA1

certtool -i <sslsvnhostcertificate.pem |grep 'Key Usage' -A 2
		Key Usage (critical):
			Digital signature.
			Key encipherment.
Comment 13 Dimitris 2009-05-04 04:23:34 EDT

I am still affected by this problem. I have to use an older RHEL4-based system to do my work and it is a great annoyance. Any updates?
Comment 14 Dirk-Willem van Gulik 2009-06-02 13:19:44 EDT
1) output from:

   neon-debug-mask = 511
   to the [global] section in ~/.subversion/servers, run
   svn co https://...  2>/tmp/debug

does not yield anything:

   ah_create, for WWW-Authenticate
   Running pre_send hooks
   compress: Initialization.
   Sending request headers:
   OPTIONS /xxxx/xxx HTTP/1.1
   Host: xxxx.bbc.co.uk
   User-Agent: SVN/1.5.4 (r33841) neon/0.28.3
   Connection: TE, Keep-Alive
   TE: trailers
   DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
   DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
   DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
   Accept-Encoding: gzip

   Sending request-line and headers:
   Doing DNS lookup on xxxx.bc.co.uk...
   Connecting to
   Negotiating SSL connection.
   Authentication realm: https://xxxx.xxx.bbc.co.uk:443
   Client certificate filename: 

and an 'strace' confirms that the .p12 file is read.

2) the posting by http://rickvanderzwet.blogspot.com/2008/12/ubuntu-810-subversion-ssl-libary.html is spot on --- and "converting" with

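  # -keyout and -export are not valid when reading a .p12; extract certs and key separately (-nodes leaves a.key unencrypted)
  openssl pkcs12 -in old.p12 -nokeys -out a.pem
  openssl pkcs12 -in old.p12 -nocerts -nodes -out a.key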
  certtool --load-certificate a.pem --load-privkey a.key --to-p12 --outder --outfile a.p12 

does the trick. So GnuTLS is to blame :)
Comment 15 Fedora Update System 2009-06-04 09:59:50 EDT
neon-0.28.4-1.fc9 has been submitted as an update for Fedora 9.
Comment 16 Joe Orton 2009-06-04 10:01:14 EDT
It's not GnuTLS per se, it's a bug in neon's support for GnuTLS which manifests if you have particular PKCS#12 files (notably ones which include a CA cert).
Comment 17 Bug Zapper 2009-06-09 20:35:09 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 18 Fedora Update System 2009-06-15 21:37:33 EDT
neon-0.28.4-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing-newkey update neon'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2009-6092
Comment 19 Dirk-Willem van Gulik 2009-06-18 10:13:23 EDT
The bug persists
Comment 20 Dirk-Willem van Gulik 2009-06-18 10:13:45 EDT
Please move forward to Fedora 10
Comment 21 Joe Orton 2009-06-18 10:50:15 EDT
Dirk - this update is pending for Fedora 10:


Note that there are several different issues which can cause SVN failures with PKCS#12 client certs, and there is one outstanding issue with GnuTLS which I'm yet to track down.

If the F10 update referenced here works for you please leave a comment on the update tracker link.
Comment 22 Dimitris 2009-06-18 13:07:10 EDT
It works for me combined with converting to gnutls as mentioned at http://rickvanderzwet.blogspot.com/2008/12/ubuntu-810-subversion-ssl-libary.html BUT first removing the CA keys from temp.crt before running certtool (http://www.mail-archive.com/help-gnutls@gnu.org/msg01261.html) to avoid key usage violation messages.
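
The check implied by comments 16 and 22, as an added example that is not part of the original thread: count the certificates in a PKCS#12 bundle, flag bundles that carry more than the client certificate, and split out only the client certificate and key for the certtool re-pack. The function names and the P12_PASS environment variable (holding the import password) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names and P12_PASS are
# assumptions; P12_PASS must hold the bundle's import password.

# Number of certificates of any kind stored in the bundle.
p12_total_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Number of client certificates (those paired with a private key).
p12_client_certs() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Exit 0 when the bundle carries certificates beyond the client certificate,
# the layout comment 16 ties to the neon failure. A wrong password makes both
# counts 0, so the function then reports "no extra certificates".
p12_has_extra_certs() {
    [ "$(p12_total_certs "$1")" -gt "$(p12_client_certs "$1")" ]
}

# Write the client certificate and the private key to separate PEM files,
# leaving CA certificates behind. -nodes writes the key unencrypted so that
# certtool can load it; umask 077 keeps both files private to the user.
# Delete the key file once the new bundle has been built.
p12_split_client() {
    p12=$1 cert_out=$2 key_out=$3
    ( umask 077
      openssl pkcs12 -in "$p12" -nokeys -clcerts -passin env:P12_PASS \
          -out "$cert_out" 2>/dev/null &&
      openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:P12_PASS \
          -out "$key_out" 2>/dev/null )
}

# Re-pack for GnuTLS with the certtool invocation quoted in comment 14:
#   certtool --load-certificate client.pem --load-privkey client.key \
#            --to-p12 --outder --outfile new.p12
```
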
Comment 23 Bug Zapper 2009-07-15 04:24:23 EDT
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
