Question

I'm using Eclipse (Indigo) with subclipse 3.6 in Ubuntu 11.10.

I've connected to the svn with subclipse on other machines before with no problem, but with my recently upgraded Ubuntu machine (went from 11.04 to 11.10) it won't work.

When I try to connect to my private svn server (VisualSVN Server in Windows), I get the following error:

    RA layer request failed
    svn: OPTIONS of 'https://76.27.122.123/svn/brock':
    SSL handshake failed: SSL error: Key usage violation in certificate has been detected. (https://76.27.122.123)
    Key usage violation in certificate

So I googled it, and found this solution: http://andrewbrobinson.com/2011/11/01/fixing-ssl-handshake-failed-ssl-error-key-usage-violation-in-certificate-has-been-detected-error-on-svn-checkout/

Which basically says that because neon is now using GnuTLS, it is being strict and rejecting my invalid certificate (like I said, it's a private svn so it is untrusted). But when I do the mv and symbolic link commands, it then messes up my JavaHL setup, and gives me this error:

    Failed to load JavaHL Library.
    These are the errors that were encountered:
    no libsvnjavahl-1 in java.library.path ...

I undid the mv command and now the JavaHL is working after following instructions I found here http://subclipse.tigris.org/wiki/JavaHL#head-5ccce53a67ca6c3965de863ae91e2642eab537de but still can't get past the key usage certificate error. Any ideas??

Solution

During the initial setup, VisualSVN Server 2.5 generates a self-signed certificate and adds it to the Trusted Root Certification Authorities store on the local machine. To avoid possible security issues, VisualSVN Server makes this self-signed certificate valid for server authentication only (by specifying the 'Key Usage' extension).

Subversion clients built against GnuTLS don't recognize such a certificate and the error occurs.

Possible workarounds:

  1. Sign the certificate using a trusted certification authority (recommended)
  2. Use the VisualSVN Server workaround to generate a certificate without specifying the 'Key Usage' extension. See KB56 for detailed instructions.
  3. Configure Eclipse to use Neon with OpenSSL instead of GnuTLS
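
A way to check what a server certificate declares in its 'Key Usage' extension, and which TLS library a given libneon build links against, as an added example that is not part of the original answer. The function names are hypothetical, and the sample certificate (its `svn.example.test` name and its Key Usage values) is constructed for the demo and is not what VisualSVN Server generates.

```bash
#!/usr/bin/env bash
# Added example; function names and the sample certificate are hypothetical.

# Print the Key Usage and Extended Key Usage extensions of a PEM certificate.
# For a live server, save its certificate first, e.g.:
#   openssl s_client -connect HOST:443 </dev/null | openssl x509 > server.crt
cert_key_usage() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 -E 'X509v3 (Extended )?Key Usage' |
        sed -e 's/^ *//' -e '/^--$/d'
}

# Succeed if the named usage (as openssl prints it) is declared by the cert.
has_key_usage() {
    cert_key_usage "$1" | grep -qiF -- "$2"
}

# Report which TLS library a libneon build is linked against.
neon_tls_backend() {
    ldd "$1" 2>/dev/null | grep -oE 'lib(gnutls|ssl)\.so[^ ]*' | sort -u
}

# Constructed sample: a self-signed certificate with a restrictive Key Usage.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=svn.example.test' \
        -addext 'keyUsage=critical,keyEncipherment' \
        -addext 'extendedKeyUsage=serverAuth' \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/sample"
cert_key_usage "$demo_dir/sample.crt"
for usage in 'Digital Signature' 'Key Encipherment'; do
    if has_key_usage "$demo_dir/sample.crt" "$usage"; then
        echo "declared:     $usage"
    else
        echo "not declared: $usage"
    fi
done
# Path taken from this page; prints nothing if the library is absent.
neon_tls_backend /usr/lib/libneon.so.27
rm -rf "$demo_dir"
```

Comparing the declared usages before and after reissuing the certificate confirms whether a workaround actually changed the extension, without weakening the client.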

OTHER TIPS

Alternatively you might add

    alias svn='LD_PRELOAD=/usr/lib/libneon.so.27 svn'

to your .bashrc, so only the svn command would be affected by the libneon change, and not the other packages. Also be careful that the solution mentioned in your link will break under Ubuntu 12.04 LTS. For that you have to use these steps:

  1. Uninstall the current libneon package:

    sudo apt-get remove libneon27
    
  2. Download the latest libneon package from http://packages.debian.org/squeeze/libneon27 (at the bottom you can choose the right version for your architecture).

  3. Install the required libssl dependency:

    sudo apt-get install libssl0.9.8
    
  4. Install the downloaded libneon package. E.g. for the 64-bit architecture:

    sudo dpkg -i libneon27_0.29.3-3_amd64.deb

  5. Add

    alias svn='LD_PRELOAD=/usr/lib/libneon.so.27 svn'

    to your .bashrc, and log in again.

Source: http://www.yeap.de/blog2.0/archives/260-Subversion-Certificate-Problems-with-Ubuntu-Precise-Pangolin.html

Licensed under: CC-BY-SA with attribution