Moving Forward

Homepage of Andrew Robinson

Fixing ‘SSL handshake failed: SSL error: Key usage violation in certificate has been detected.’ error on SVN checkout


Recently, while trying to check out an SVN repo over HTTPS from a Windows-based VisualSVN Server that uses an unsigned security certificate, I discovered an annoyance with the newer versions of Ubuntu.

svn: Commit failed (details follow):
svn: OPTIONS of 'https://HOSTNAME/svn/repo': SSL handshake failed: SSL error: Key usage violation in certificate has been detected. (https://HOSTNAME)

The bug only appeared after upgrading to Ubuntu 11.10. After some investigation I determined that it was caused by a change in how Ubuntu builds neon, the library used for HTTP support in Subversion: previous versions were built against OpenSSL, while the current build uses the newer GnuTLS SSL libraries because of their more liberal LGPL license.

GnuTLS is considered to be less mature, and has a much stricter policy when it comes to key usage flags being set correctly in certificates.
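An added example (not from the original post, and not GnuTLS's own code) of the kind of check involved: it decodes a certificate's keyUsage extension value using the bit names from RFC 5280 and applies the TLS 1.2 rule from RFC 5246 section 7.4.2 that an RSA server certificate needs keyEncipherment for RSA key exchange and digitalSignature for DHE_RSA or ECDHE_RSA. The function names and the sample byte strings are constructed for illustration.

```python
# Added example; names and sample bytes are constructed for illustration.

# Bit positions from RFC 5280 section 4.2.1.3 (bit 0 is the most significant
# bit of the first content octet).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

# RFC 5246 section 7.4.2: flag an RSA server certificate must carry, if the
# keyUsage extension is present, for each key exchange method.
REQUIRED_FLAG = {
    "RSA": "keyEncipherment",        # client encrypts the premaster secret
    "DHE_RSA": "digitalSignature",   # server signs its ephemeral DH params
    "ECDHE_RSA": "digitalSignature",
}

def decode_key_usage(der: bytes) -> set:
    """Return the flag names set in a DER-encoded keyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("bad or long-form length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    nbits = 8 * len(payload) - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < nbits and payload[i // 8] & (0x80 >> (i % 8))
    }

def key_usage_permits(der, key_exchange: str) -> bool:
    """True if the certificate may be used with this key exchange."""
    if der is None:          # extension absent: no restriction applies
        return True
    return REQUIRED_FLAG[key_exchange] in decode_key_usage(der)

if __name__ == "__main__":
    # Constructed samples: (description, keyUsage value as DER or None)
    samples = [
        ("signature + encipherment", bytes.fromhex("030205a0")),
        ("encipherment flags only", bytes.fromhex("03020430")),
        ("CA-only (certSign, cRLSign)", bytes.fromhex("03020106")),
        ("no keyUsage extension", None),
    ]
    for label, der in samples:
        print(label, {kx: key_usage_permits(der, kx) for kx in REQUIRED_FLAG})
```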

The fix for this bug is luckily fairly straightforward. A version of libneon with OpenSSL support exists in Ubuntu; by simply moving the GnuTLS version out of the way and creating a symbolic link to the OpenSSL version in its place, everything will begin to work again.

sudo mv /usr/lib/libneon-gnutls.so.27 /usr/lib/libneon-gnutls.so.27.old
sudo ln -s /usr/lib/libneon.so.27 /usr/lib/libneon-gnutls.so.27

Written by Andrew Robinson

November 1st, 2011 at 7:40 pm

Posted in Linux

22 Responses to 'Fixing ‘SSL handshake failed: SSL error: Key usage violation in certificate has been detected.’ error on SVN checkout'


  1. Hi, I also have a problem with Linux Mint 12. Is there a similar way to solve it?

    akirayu101

    1 Jan 12 at 9:04 am

  2. I encounter the same problem but unfortunately uninstalling libneon-gnutls is not so easy: it seems many packages depend on it. Any idea?

    Cristiano Nattero

    16 Jan 12 at 1:22 pm

  3. Many thanks.

    I had the same error on Ubuntu 11.04.
    After installing the libneon27 by command
    $ sudo apt-get install libneon27
    I replaced the symbolic link as above and the result is OK.

    No need to uninstall libneon-gnutls.

    Nguyen Duc Tien

    17 Jan 12 at 3:11 am

  4. Awesome, Thanks a lot man.

    amitp

    15 Feb 12 at 8:07 pm

  5. [...] This post clearly depicted the very exact issue I was encountering when trying to access my SVN server that was powered by VisualSVN.  In a nutshell, it was the version of ‘libneon’ that was the culprit.  It seems to be that ‘libneon’ was compiled with GnuTLS, which is much more picky than its OpenSSL counterpart.  In any event, all it took to fix was: [...]

  6. Correcting GNU-TLS issue in Fedora 15

    1. Download neon source

    yumdownloader --source neon
    // This will give neon-0.29.5-2.fc15.src.rpm

    2. Install source RPM

    rpm -i neon-0.29.5-2.fc15.src.rpm

    // This will create rpmbuild directory in home folder

    3. cd ~/rpmbuild

    4. Edit build spec

    vim SPECS/neon.spec

    Change “--with-ssl=gnu-tls” to “--with-ssl”

    Save & Quit

    5. Rebuild packages

    rpmbuild -ba SPECS/neon.spec

    // This will create rpm packages in RPMS/i686/ folder
    Note: Depending on your system rpmbuild may ask for dependencies; please provide it using yum install

    6. Install newly created RPMS

    cd RPMS/i686/
    rpm -e --nodeps neon
    rpm -e --nodeps neon-devel
    rpm -ivh neon-0.29.5-2.fc15.i686.rpm neon-devel-0.29.5-2.fc15.i686.rpm

    Have a nice day.

    Jayakumar

    28 Feb 12 at 6:24 am

  7. Woh..This works fine in ubuntu 10.4 but not in ubuntu 11… Any idea??
    Thanks

    Egoitz

    12 Mar 12 at 4:16 pm

  8. YOU ARE THE MAN
    REALLY

    filippos

    27 Mar 12 at 7:05 pm

  9. [...] A short search pointed out that this issue occurs because of an unsigned security certificate. Have a look at this post. [...]

  10. Subversion & Certificate Problems with Ubuntu Precise Pangolin…

    For quite a while the Ubuntu subversion package suffers from bad user certificates that do not follow the standards strictly. In case you have to authenticate with such a certificate subversion will return such an error message: OPTIONS of ‘<url>…

  11. Install libneon27 as above, but rather than symlinking, you can just prefix any command that gives you this error with “LD_PRELOAD=/usr/lib/libneon.so.27 “. Add to your .bashrc or whatever for a permanent fix.

    Keb

    6 Jun 12 at 5:56 pm

  12. Here is another fix on the server side…
    http://www.visualsvn.com/support/topic/00056/

    Mahdi

    12 Jul 12 at 8:30 pm

  13. Hi,

    I have tried the above steps; they worked for Ubuntu kernel 3.0.0-22-generic,

    but the above-mentioned solution didn’t work on Ubuntu kernel 3.2.0-26-generic-pae.

    Please suggest.

    Regards,
    Durga

    Durga charan ojha

    19 Jul 12 at 2:26 pm

  14. [...] Fixing ‘SSL handshake failed: SSL error: Key usage violation in certificate has been detected.’ … [...]

  15. Same problem with Debian wheezy/sid! Thank you so much!!

    Eike

    14 Aug 12 at 10:04 am

  16. Thank you, Jayakumar, for these very explicit instructions. They work with Fedora 14 as well (name munging to fc14 was all that I changed) . You rock.

    Tom

    14 Sep 12 at 3:50 pm

  17. Hi,

    I have the following configuration:

    Release 12.04 (precise) 32-bit
    kernel – 3.2.0-30-generic-pae
    Subversion- Installed: 1.6.17dfsg-3ubuntu3
    Candidate: 1.6.17dfsg-3ubuntu3

    Getting error
    “Fixing ‘SSL handshake failed: SSL error: Key usage violation in certificate has been detected”

    Any help would be greatly appreciated.

    Thanks and Regards,
    Durga

    Durga charan

    19 Sep 12 at 8:27 am

  18. Thank you for taking the time to post these instructions!
    However, I am on Ubuntu 12.04 and tried installing libneon27 and do the library symbolic-swap, but apparently SVN caught on because I am getting this error:

    $ svn co $URL/$REPO
    svn: OPTIONS of ‘$URL/$REPO’: SSL handshake failed: SSL disabled due to library version mismatch ($URL)

    Eric Cousineau

    23 Sep 12 at 5:24 pm

  19. Reading this post allowed me to fix my issue. Big ups!

    rad_moss

    17 Oct 12 at 6:37 pm

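  20. Thanks for the info. I found that exporting LD_PRELOAD broke a number of other applications. My solution is to rename the svn binary to svn_bin, then create this shell script called svn in /usr/bin:

    #!/bin/bash

    # Preload the OpenSSL build of neon for svn only, not for the whole session
    export LD_PRELOAD=/usr/lib/libneon.so.27
    # Quote "$@" so arguments containing spaces reach svn_bin intact
    /usr/bin/svn_bin "$@"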

    Orby

    30 Jan 13 at 8:08 pm

  21. [...] Fixing ‘SSL handshake failed: SSL error: Key usage violation in certificate has been detected.’ …. [...]
