Description of problem:
Doing 'svn update' to an SSL-enabled http server with a self-signed certificate generates the error message: SSL error: Key usage violation in certificate has been detected.

Version-Release number of selected component (if applicable):
subversion-1.4.6-7.i386

How reproducible:
Simply do: svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
It is a public SVN repository

Steps to Reproduce:
1. svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
2.
3.

Actual results:
svn: PROPFIND request failed on '/repositories/Zope/trunk/Localizer'
svn: PROPFIND of '/repositories/Zope/trunk/Localizer': SSL negotiation failed: SSL error: Key usage violation in certificate has been detected. (https://svn.eionet.europa.eu)

Expected results:
Localizer product checked out

Additional info:
The certificate for svn.eionet.europa.eu has the X509v3 Key Usage set to: Key Encipherment, which is normal for SSL servers. The svn.eionet.europa.eu has been in use for years, about two years with the current certificate, and no such issue has arisen before. In case you need to take a look, the certificate is signed with this CA: http://www.eionet.europa.eu/certificates/eionet-ca.cer
Thanks for the report. I'm about to go on holiday so won't be able to look at this immediately, but it is probably a GnuTLS bug so I've forwarded it upstream.
Upstream response: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2789
The server should not offer the DHE_RSA method with such a certificate. So definitely a problem on the server.
Yes, adding "digital signature" as key usage fixed the problem
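Added example, not part of the original thread and not code from Subversion or GnuTLS: a check of which TLS key exchanges a certificate's Key Usage extension permits, reproducing the mismatch discussed above and the effect of the fix. The usage-to-key-exchange mapping follows RFC 5246 section 7.4.2; the certificate text and suite list are constructed samples, and all function names are hypothetical.

```python
import re

# Key usage an RSA server certificate needs for each TLS (<= 1.2) key exchange,
# when the Key Usage extension is present (RFC 5246 section 7.4.2).
REQUIRED_USAGE = {
    "RSA": "Key Encipherment",         # client encrypts the premaster secret to the cert key
    "DHE_RSA": "Digital Signature",    # server signs its ephemeral DH parameters
    "ECDHE_RSA": "Digital Signature",  # server signs its ephemeral ECDH parameters
}

# Constructed excerpt in the style of `openssl x509 -noout -text` output,
# mirroring the report: Key Encipherment only.
CERT_BEFORE = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Key Encipherment
"""
# Constructed excerpt after the fix reported in the last comment.
CERT_AFTER = CERT_BEFORE.replace("Key Encipherment",
                                 "Digital Signature, Key Encipherment")

SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]


def parse_key_usage(x509_text):
    """Return the set of key usages, or None if the extension is absent (unrestricted)."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        # Anchored match, so "X509v3 Extended Key Usage:" is not picked up.
        if re.match(r"\s*X509v3 Key Usage:", line) and i + 1 < len(lines):
            return {u.strip() for u in lines[i + 1].split(",") if u.strip()}
    return None


def key_exchange(suite):
    """Extract the key exchange from an IANA suite name (TLS_<kx>_WITH_...)."""
    m = re.match(r"TLS_(.+?)_WITH_", suite)
    return m.group(1) if m else None


def check_suites(x509_text, suites):
    """Map suite -> True (allowed), False (key usage violation), None (unknown kx)."""
    usage = parse_key_usage(x509_text)
    result = {}
    for suite in suites:
        need = REQUIRED_USAGE.get(key_exchange(suite))
        result[suite] = None if need is None else (usage is None or need in usage)
    return result
```

A server whose certificate fails for a suite here should either drop that suite from its configuration or be reissued a certificate with the missing usage bit.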