Bug 446392 - SSL error: Key usage violation
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: subversion
Version: 9
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-14 13:21 UTC by Soren Roug
Modified: 2008-05-15 07:28 UTC (History)

Last Closed: 2008-05-15 07:28:32 UTC

Description Soren Roug 2008-05-14 13:21:20 UTC
Description of problem: Doing 'svn update' to an SSL-enabled HTTP server with
a self-signed certificate generates the error message: SSL error: Key usage
violation in certificate has been detected.


Version-Release number of selected component (if applicable):
subversion-1.4.6-7.i386

How reproducible:
Simply do:
svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
It is a public SVN repository


Steps to Reproduce:
1. svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
2.
3.
  
Actual results:
svn: PROPFIND request failed on '/repositories/Zope/trunk/Localizer'
svn: PROPFIND of '/repositories/Zope/trunk/Localizer': SSL negotiation failed:
SSL error: Key usage violation in certificate has been detected.
(https://svn.eionet.europa.eu)

Expected results:
Localizer product checked out

Additional info:
The certificate for svn.eionet.europa.eu has the X509v3 Key Usage set to: Key
Encipherment, which is normal for SSL servers.

The svn.eionet.europa.eu has been in use for years, about two years with the
current certificate, and no such issue has arisen before.

In case you need to take a look, the certificate is signed with this CA:
http://www.eionet.europa.eu/certificates/eionet-ca.cer

Comment 1 Joe Orton 2008-05-14 14:19:31 UTC
Thanks for the report.  I'm about to go on holiday so won't be able to look at
this immediately, but it is probably a GnuTLS bug so I've forwarded it upstream.

Comment 2 Joe Orton 2008-05-14 17:19:50 UTC
Upstream response:

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2789

Comment 3 Tomas Mraz 2008-05-14 17:53:10 UTC
The server should not offer the DHE_RSA method with such a certificate. So
definitely a problem on the server.


Comment 4 Soren Roug 2008-05-15 07:28:32 UTC
Yes, adding "digital signature" as key usage fixed the problem
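
Added example, not part of the bug thread and not code from Subversion or GnuTLS: a sketch of the check that comments 3 and 4 turn on, comparing a server certificate's keyUsage bits with the key exchange of each cipher suite the server offers. The function names, the DER byte strings and the suite list are constructed for illustration.

```python
# Added example. The DER bytes and suite names used with it are constructed.
# Bit names in RFC 5280 section 4.2.1.3 order (bit 0 first).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# Key usage the server certificate needs per key exchange
# (RFC 5246 section 7.4.2). Only the RSA-certificate cases are listed.
REQUIRED_USAGE = {
    "RSA": "keyEncipherment",         # client encrypts the premaster secret
    "DHE_RSA": "digitalSignature",    # server signs its DH parameters
    "ECDHE_RSA": "digitalSignature",  # server signs its ECDH parameters
}

def decode_key_usage(der: bytes) -> set:
    """Decode the short-form DER BIT STRING inside a keyUsage extension."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2 or der[2] > 7:
        raise ValueError("not a short-form DER BIT STRING")
    payload = der[3:]
    usage = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit_index = divmod(i, 8)
        if byte_index < len(payload) and payload[byte_index] & (0x80 >> bit_index):
            usage.add(name)
    return usage

def key_exchange(suite: str) -> str:
    """Return the key exchange part of an IANA suite name (TLS_<kx>_WITH_...)."""
    prefix, sep, _ = suite.partition("_WITH_")
    if not sep or not prefix.startswith("TLS_"):
        raise ValueError("unexpected suite name: " + suite)
    return prefix[len("TLS_"):]

def violations(key_usage_der: bytes, offered_suites: list) -> list:
    """List (suite, missing usage) pairs; unknown key exchanges are skipped."""
    usage = decode_key_usage(key_usage_der)
    found = []
    for suite in offered_suites:
        need = REQUIRED_USAGE.get(key_exchange(suite))
        if need is not None and need not in usage:
            found.append((suite, need))
    return found

if __name__ == "__main__":
    suites = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
    print(violations(bytes.fromhex("03020520"), suites))  # keyEncipherment only
    print(violations(bytes.fromhex("030205a0"), suites))  # plus digitalSignature
```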
