Bug 446392 - SSL error: Key usage violation
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: subversion
Version: 9
Hardware: i386 Linux
Priority: low, Severity: medium
Assigned To: Joe Orton
Fedora Extras Quality Assurance
Reported: 2008-05-14 09:21 EDT by Soren Roug
Modified: 2008-05-15 03:28 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-15 03:28:32 EDT
Description Soren Roug 2008-05-14 09:21:20 EDT
Description of problem: Doing 'svn update' against an SSL-enabled HTTP server
with a self-signed certificate generates the error message: SSL error: Key usage
violation in certificate has been detected.


Version-Release number of selected component (if applicable):
subversion-1.4.6-7.i386

How reproducible:
Simply do:
svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
It is a public SVN repository


Steps to Reproduce:
1. svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
Actual results:
svn: PROPFIND request failed on '/repositories/Zope/trunk/Localizer'
svn: PROPFIND of '/repositories/Zope/trunk/Localizer': SSL negotiation failed:
SSL error: Key usage violation in certificate has been detected.
(https://svn.eionet.europa.eu)

Expected results:
Localizer product checked out

Additional info:
The certificate for svn.eionet.europa.eu has the X509v3 Key Usage set to: Key
Encipherment, which is normal for SSL servers.

The svn.eionet.europa.eu has been in use for years, about two years with the
current certificate, and no such issue has arisen before.

In case you need to take a look, the certificate is signed with this CA:
http://www.eionet.europa.eu/certificates/eionet-ca.cer
Comment 1 Joe Orton 2008-05-14 10:19:31 EDT
Thanks for the report.  I'm about to go on holiday so won't be able to look at
this immediately, but it is probably a GnuTLS bug so I've forwarded it upstream.
Comment 2 Joe Orton 2008-05-14 13:19:50 EDT
Upstream response:

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2789
Comment 3 Tomas Mraz 2008-05-14 13:53:10 EDT
The server should not offer the DHE_RSA method with such a certificate. So
definitely a problem on the server.
Comment 4 Soren Roug 2008-05-15 03:28:32 EDT
Yes, adding "digital signature" as key usage fixed the problem.
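
The mismatch identified in comments 3 and 4, as an added example that is not part of the original report and is not Subversion or GnuTLS code: a server-side audit that flags offered cipher suites whose key exchange needs a key usage bit the certificate lacks. The certificate text samples, suite list and function names are constructed for illustration.

```python
import re

# Key usage bit that each RSA-certificate key exchange in TLS 1.2 and earlier
# relies on (RFC 5246, section 7.4.2): plain RSA decrypts the premaster secret,
# while DHE_RSA and ECDHE_RSA sign the ServerKeyExchange message.
REQUIRED_USAGE = {
    "RSA": "Key Encipherment",
    "DHE_RSA": "Digital Signature",
    "ECDHE_RSA": "Digital Signature",
}

# Constructed samples in the layout printed by `openssl x509 -noout -text`.
CERT_BEFORE = """\
            X509v3 Key Usage:
                Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
CERT_AFTER = CERT_BEFORE.replace("Key Encipherment",
                                 "Digital Signature, Key Encipherment")

def parse_key_usage(x509_text):
    """Return the set of key usages, or None if the extension is absent."""
    m = re.search(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)", x509_text)
    if m is None:
        return None  # no extension means no usage restriction
    return {u.strip() for u in m.group(1).split(",") if u.strip()}

def key_exchange(suite):
    """Extract the key exchange from a name like TLS_DHE_RSA_WITH_AES_128_CBC_SHA."""
    m = re.match(r"TLS_(.+?)_WITH_", suite)
    if m is None:
        raise ValueError(f"unrecognised suite name: {suite}")
    return m.group(1)

def audit(x509_text, offered_suites):
    """List (suite, missing_usage) pairs a strict client would reject."""
    usages = parse_key_usage(x509_text)
    if usages is None:
        return []
    findings = []
    for suite in offered_suites:
        need = REQUIRED_USAGE.get(key_exchange(suite))
        if need is not None and need not in usages:
            findings.append((suite, need))
    return findings

OFFERED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
```

With the constructed "before" certificate only the DHE_RSA suite is flagged, which is why clients that negotiated plain RSA key exchange never saw the error.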
