Certificate key usage violation in Subversion clients built against GnuTLS

Symptoms

Attempting to connect to VisualSVN Server, Subversion clients receive the following error message:

svn: OPTIONS of 'https://server.domain.local/svn/repo': SSL handshake failed: SSL error:
Key usage violation in certificate has been detected. (https://server.domain.local)

You may experience the issue if all of the following conditions are met:

  • VisualSVN Server has a self-signed certificate applied.
  • Self-signed certificate is generated by VisualSVN Server 4.0 or older.
  • Subversion client is built against the GnuTLS library.

Note
The GnuTLS library is an alternative to OpenSSL. Most Subversion clients for Windows are built against OpenSSL and are not affected by this issue. However, some Subversion packages (available mostly on Linux-based operating systems such as Ubuntu and Debian) are built against GnuTLS and are affected.

Technical background

The “Key Usage” extension defines the purposes the SSL/TLS certificate can be used for. If the extension is present in the certificate, the GnuTLS implementation of the TLS protocol requires that its “Digital Signature” bit is set. VisualSVN Server 4.0 and older versions do not set the “Digital Signature” bit when generating the self-signed certificate, which causes the connection problem for clients built against GnuTLS.

The problem can be addressed by generating the new self-signed certificate with VisualSVN Server 4.1 or later.
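To see which Key Usage bits a certificate actually carries, and whether GnuTLS would reject it under the rule described above, the following stdlib-only checker is added here as an example; it is not part of this article or of VisualSVN Server. The `find_key_usage` scan is a simplified DER walk (it assumes short-form lengths, which a Key Usage extension always has), and the sample extension bytes are constructed for illustration rather than taken from a real VisualSVN certificate.

```python
"""Inspect a certificate's Key Usage bits the way GnuTLS does (RFC 5280 4.2.1.3)."""
import base64
import re

# Key Usage bit names in RFC 5280 order; digitalSignature is bit 0.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # DER TLV for OID 2.5.29.15 (keyUsage)

def load_pem(pem_text):
    """Strip the PEM armour lines and return the DER bytes."""
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem_text).split()))

def decode_key_usage(bit_string_der):
    """Decode a DER BIT STRING (tag 0x03) into the set of named Key Usage bits."""
    if bit_string_der[0] != 0x03:
        raise ValueError("KeyUsage value is not a DER BIT STRING")
    body = bit_string_der[2:2 + bit_string_der[1]]
    unused, bits = body[0], body[1:]          # first body byte = count of unused bits
    total = len(bits) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total and (bits[i // 8] >> (7 - i % 8)) & 1}

def find_key_usage(cert_der):
    """Return the KeyUsage BIT STRING from DER certificate bytes, or None if absent.
    Simplified scan: OID TLV, optional BOOLEAN critical flag, then the wrapping OCTET STRING."""
    pos = cert_der.find(KEY_USAGE_OID)
    if pos < 0:
        return None
    pos += len(KEY_USAGE_OID)
    if cert_der[pos] == 0x01:                 # BOOLEAN critical flag present
        pos += 2 + cert_der[pos + 1]
    if cert_der[pos] != 0x04:
        raise ValueError("malformed KeyUsage extension")
    return cert_der[pos + 2:pos + 2 + cert_der[pos + 1]]

def gnutls_verdict(key_usage):
    """Rule from the article: if Key Usage is present, GnuTLS requires digitalSignature."""
    if key_usage is None:
        return "ok: no Key Usage extension"
    bits = decode_key_usage(key_usage)
    if "digitalSignature" in bits:
        return "ok: " + ", ".join(sorted(bits))
    return "Key usage violation: digitalSignature not set (%s)" % ", ".join(sorted(bits))

# Constructed extension fragment, not a real certificate: SEQUENCE { OID keyUsage,
# BOOLEAN TRUE, OCTET STRING { BIT STRING with only keyEncipherment set } }.
NO_DIGSIG_EXT = bytes.fromhex("300e0603551d0f0101ff040403020520")
```

Against a real server certificate, run `gnutls_verdict(find_key_usage(load_pem(open("server.crt").read())))`; a result beginning with "Key usage violation" means GnuTLS clients will fail the handshake exactly as shown in the Symptoms section.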

Resolution

The solution is simply to use a self-signed certificate generated by VisualSVN Server 4.1 or later. Follow these instructions to generate the self-signed certificate from scratch:

  1. Make sure you have VisualSVN Server 4.1 or later installed.
  2. Start the VisualSVN Server Manager console.
  3. Click Action | Properties.
  4. Click the Certificate tab and click Change Certificate.
  5. Click Create self-signed certificate.
  6. Enter the Common name and click Next.
  7. Enter the Distinguished Name Properties. Click Create.
  8. Click Finish and Apply.

For more details refer to KB134: Configuring SSL Certificates for VisualSVN Server.

Workaround

If updating to VisualSVN Server 4.1 is not an option and the use of a self-signed certificate cannot be avoided, use the following alternative method. Follow these instructions to generate a certificate without the “Key Usage” extension:

  1. Add the following registry value to the Windows registry:
    • for 32-bit system:

      [HKEY_LOCAL_MACHINE\SOFTWARE\VisualSVN\VisualSVN Server]
      "CreateGnuTLSCompatibleCertificate"=dword:00000001

    • for 64-bit system:

      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualSVN\VisualSVN Server]
      "CreateGnuTLSCompatibleCertificate"=dword:00000001

  2. Start the VisualSVN Server Manager console.
  3. Click Action | Properties.
  4. Click the Certificate tab and click Change Certificate.
  5. Click Create self-signed certificate.
  6. Enter the Common name and click Next.
  7. Enter the Distinguished Name Properties. Click Create.
  8. Click Finish and Apply.

The certificate will be generated without the “Key Usage” extension and will be compatible with both GnuTLS and OpenSSL.

Note
It is not recommended to use a self-signed certificate in a production environment. We advise using a certificate issued by your domain or a third-party certificate authority instead of a self-signed one. See the article KB134: Configuring SSL Certificates for VisualSVN Server for detailed instructions.