[Bug 446392] New: SSL error: Key usage violation

Joe Orton jorton at redhat.com
Wed May 14 16:20:20 CEST 2008

I'm about to go on holiday so won't be able to look into this myself for 
a week or so; Fedora 9 ships with GnuTLS 2.0.4, but I can reproduce this 
with the slightly stale git checkout I had lying around, so I'd suspect 
this is a GnuTLS cert validation bug?

$ ./bin/gnutls-cli svn.eionet.europa.eu
Resolving 'svn.eionet.europa.eu'...
Connecting to ''...
*** Fatal error: Key usage violation in certificate has been detected.
*** Handshake has failed

----- Forwarded message from bugzilla at redhat.com -----

From: bugzilla at redhat.com
To: jorton at redhat.com
Date: Wed, 14 May 2008 09:21:21 -0400
Subject: [Bug 446392] New: SSL error: Key usage violation

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.


           Summary: SSL error: Key usage violation
           Product: Fedora
           Version: 9
          Platform: i386
        OS/Version: Linux
            Status: NEW
          Severity: medium
          Priority: low
         Component: subversion
        AssignedTo: jorton at redhat.com
        ReportedBy: <elided>
         QAContact: extras-qa at fedoraproject.org
   Estimated Hours: 0.0

Description of problem: Doing 'svn update' to an SSL-enabled HTTP server with
a self-signed certificate generates the error message: SSL error: Key usage
violation in certificate has been detected.

Version-Release number of selected component (if applicable):

How reproducible:
Simply do:
svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
It is a public SVN repository

Steps to Reproduce:
1. svn co https://svn.eionet.europa.eu/repositories/Zope/trunk/Localizer
Actual results:
svn: PROPFIND request failed on '/repositories/Zope/trunk/Localizer'
svn: PROPFIND of '/repositories/Zope/trunk/Localizer': SSL negotiation failed:
SSL error: Key usage violation in certificate has been detected.

Expected results:
Localizer product checked out

Additional info:
The certificate for svn.eionet.europa.eu has the X509v3 Key Usage set to: Key
Encipherment, which is normal for SSL servers.

The svn.eionet.europa.eu has been in use for years, about two years with the
current certificate, and no such issue has arisen before.

In case you need to take a look. The certificate is signed with this CA:

Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

----- End forwarded message -----
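
The report states that the server certificate's Key Usage is Key Encipherment only. As an added example (not part of the original message and not GnuTLS code), this Python code decodes a keyUsage BIT STRING and lists which TLS key exchanges RFC 5246 section 7.4.2 permits for it. The function names and the sample bytes are constructed for illustration, and the code makes no claim about how GnuTLS performs its own check.

```python
# Named bits of the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# Bit the server certificate must carry when the extension is present
# (RFC 5246, section 7.4.2).
REQUIRED_USAGE = {
    "RSA": "keyEncipherment",
    "DHE_RSA": "digitalSignature",
    "ECDHE_RSA": "digitalSignature",
    "DH_RSA": "keyAgreement",
}


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length or der[2] > 7:
        raise ValueError("unsupported length or invalid unused-bit count")
    unused, payload = der[2], der[3:]
    total_bits = len(payload) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        # Bit 0 is the most significant bit of the first payload byte.
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages


def allowed_key_exchanges(der=None) -> list:
    """Key exchanges the certificate may serve; None means no extension."""
    if der is None:
        return sorted(REQUIRED_USAGE)  # absent extension places no restriction
    usages = decode_key_usage(der)
    return sorted(kx for kx, bit in REQUIRED_USAGE.items() if bit in usages)


# Constructed sample values (not taken from the server in the report).
KEY_ENCIPHERMENT_ONLY = bytes.fromhex("03020520")
SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")

if __name__ == "__main__":
    for der in (KEY_ENCIPHERMENT_ONLY, SIGN_AND_ENCIPHER):
        print(der.hex(), "->", allowed_key_exchanges(der))
```

With only keyEncipherment set, the certificate is limited to the plain RSA key exchange; the DHE_RSA and ECDHE_RSA exchanges require digitalSignature.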
