Subversion and HTTPS bug in Intrepid 8.10 - workaround

dcrooke

If you have upgraded to 8.10 you may suddenly find that using svn against a private https repository no longer works. It refuses to talk to the repository, with the following error:

svn: OPTIONS of 'https://xxxxxxxxxx.xxxx.xx/svn/repo': SSL negotiation failed: SSL error: Key usage violation in certificate has been detected. (https://xxxxxxxxxxx.xxxx.xx)

This is because in Intrepid, the neon HTTP library, which Subversion uses to talk to HTTP(S) servers, has been built with GNU TLS instead of OpenSSL.

The GNU TLS implementation is pedantic about the usage bit flags in the certificate, and will simply refuse to connect if they are not exactly as per the standards specification. This is not something FSF will be prepared to fix - there is a bug report out to which they responded with rhetoric quoting RFC's. I love open source, but I like the "just make it work" philosophy instead (hence why I use Ubuntu and not Fedora

The workaround I used is as follows:

Pull the Subversion and Subversion Deps source trees from the tigris site, and untar them in the same place:

Go into the subversion-1.xx/neon directory ....

# neon will by default build with OpenSSL and not GNU TLS
# The main subversion build is supposed to build it, but it had
# problems on my amd64 setup, so I had build it separately
./configure --with-ssl --with-pic
make
make install

cd ..
rm -rf neon
edit /etc/ld.so.conf and add /usr/local/lib
ldconfig

# now build subversion with the OpenSSL-enabled neon
./configure --with-ssl --with-neon=/usr/local
make
make install

# get rid of /usr/bin/svn
dpkg --purge subversion

October 15th, 2008	#1
dcrooke First Cup of Ubuntu Join Date: Apr 2008 Location: Austin, TX USA Beans: 2 Ubuntu 7.10 Gutsy Gibbon	Subversion and HTTPS bug in Intrepid 8.10 - workaround If you have upgraded to 8.10 you may suddenly find that using svn against a private https repository no longer works. It refuses to talk to the repository, with the following error: svn: OPTIONS of 'https://xxxxxxxxxx.xxxx.xx/svn/repo': SSL negotiation failed: SSL error: Key usage violation in certificate has been detected. (https://xxxxxxxxxxx.xxxx.xx) This is because in Intrepid, the neon HTTP library, which Subversion uses to talk to HTTP(S) servers, has been built with GNU TLS instead of OpenSSL. The GNU TLS implementation is pedantic about the usage bit flags in the certificate, and will simply refuse to connect if they are not exactly as per the standards specification. This is not something FSF will be prepared to fix - there is a bug report out to which they responded with rhetoric quoting RFC's. I love open source, but I like the "just make it work" philosophy instead (hence why I use Ubuntu and not Fedora The workaround I used is as follows: Pull the Subversion and Subversion Deps source trees from the tigris site, and untar them in the same place: Go into the subversion-1.xx/neon directory .... # neon will by default build with OpenSSL and not GNU TLS # The main subversion build is supposed to build it, but it had # problems on my amd64 setup, so I had build it separately ./configure --with-ssl --with-pic make make install cd .. rm -rf neon edit /etc/ld.so.conf and add /usr/local/lib ldconfig # now build subversion with the OpenSSL-enabled neon ./configure --with-ssl --with-neon=/usr/local make make install # get rid of /usr/bin/svn dpkg --purge subversion

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode