"Key usage violation in certificate" error with Subversion, VisualSVN Server

Boccobrock · Feb 8, 2012 · Viewed 7.3k times

I'm using Eclipse (Indigo) with Subclipse 3.6 on Ubuntu 11.10.

I've connected to the svn with Subclipse on other machines before with no problem, but with my recently upgraded Ubuntu machine (went from 11.04 to 11.10) it won't work.

When I try to connect to my private svn server (VisualSVN Server on Windows), I get the following error:

RA layer request failed
svn: OPTIONS of 'https://76.27.122.123/svn/brock':
SSL handshake failed: SSL error: Key usage violation in certificate has been detected. (https://76.27.122.123)
Key usage violation in certificate

So I googled it and found this solution: http://andrewbrobinson.com/2011/11/01/fixing-ssl-handshake-failed-ssl-error-key-usage-violation-in-certificate-has-been-detected-error-on-svn-checkout/

It basically says that neon is now using GnuTLS, which is being strict and rejecting my invalid certificate (like I said, it's a private svn, so it is untrusted). But when I run the mv and symbolic link commands, it messes up my JavaHL setup and gives me this error:

Failed to load JavaHL Library.
These are the errors that were encountered:
no libsvnjavahl-1 in java.library.path ...

I undid the mv command, and now JavaHL is working after following the instructions I found here http://subclipse.tigris.org/wiki/JavaHL#head-5ccce53a67ca6c3965de863ae91e2642eab537de but I still can't get past the key usage certificate error. Any ideas?

Answer

Ivan Zhakov · Feb 8, 2012

During the initial setup, VisualSVN Server 2.5 generates a self-signed certificate and adds it to the Trusted Root Certification Authorities store on the local machine. To avoid possible security issues, VisualSVN Server makes this self-signed certificate valid for server authentication only (by specifying the 'Key Usage' extension).

Subversion clients built against GnuTLS don't recognize such a certificate, and the error occurs.

Possible workarounds:

  1. Sign the certificate using a trusted certification authority (recommended)
  2. Use the VisualSVN Server workaround to generate a certificate without specifying the 'Key Usage' extension. See KB56 for detailed instructions.
  3. Configure Eclipse to use Neon with OpenSSL instead of GnuTLS
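
An added example, not part of the original answer and not VisualSVN or Subversion code: a shell helper that reports whether a certificate carries the 'Key Usage' extension the answer describes, run against two constructed self-signed certificates. The host name `svn.example.test`, the function names and the `keyEncipherment` bit are assumptions for illustration; the page does not say which bits VisualSVN Server sets.

```shell
#!/bin/sh
# Print the X.509 Key Usage values of a PEM certificate, or "absent"
# when the extension is not present (the state workaround 2 aims for).
key_usage() {
    openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Key Usage/ {
             crit = /critical/ ? " (critical)" : ""
             getline                          # values are on the next line
             gsub(/^[ \t]+|[ \t]+$/, "")
             print $0 crit
             found = 1
         }
         END { if (!found) print "absent" }'
}

# Constructed sample: self-signed certificate for a hypothetical host.
# $1 is an optional "keyUsage = ..." line for the extension section.
# Prints the path of the generated certificate.
make_sample_cert() {
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = svn.example.test
[ext]
basicConstraints = CA:FALSE
$1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}

# One certificate with a restrictive, critical Key Usage and one without.
restricted=$(make_sample_cert "keyUsage = critical, keyEncipherment")
plain=$(make_sample_cert "")
echo "restricted: $(key_usage "$restricted")"
echo "plain:      $(key_usage "$plain")"
```

To check a real server, save its certificate as PEM (for example from the output of `openssl s_client -connect <host>:443 </dev/null`) and pass the file to `key_usage`.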