SSL handshake failed: SSL error: Key usage violation in certificate has been detected.

SSL handshake failed: SSL error: Key usage violation in certificate has been detected.

위와 같이 에러가 뜬다면

centos 계정이나 redhat 계열은 괜찮은데 ubuntu 계열에서 에러가 뜬다 보안 관련 문제이다.

# apt-get install libneon27

# mv /usr/lib/libneon-gnutls.so.27 /usr/lib/libneon-gnutls.so.27.old

# ln -s /usr/lib/libneon.so.27 /usr/lib/libneon-gnutls.so.27

작업을 해주면 정상적으로 된다. 하지만 시간이 지나면 또 동일한 에러가 뜬다

svn 서버쪽에서 확인해주자

visualsvn 을 사용한다면

http://www.visualsvn.com/support/topic/00056/

Symptoms

Subversion clients receive the following error message when attempting to connect to VisualSVN Server:

svn: OPTIONS of 'https://server.domain.local/svn/repo': SSL handshake failed: SSL error:

Key usage violation in certificate has been detected. (https://server.domain.local)

You may experience the issue if both of the following conditions are met:

VisualSVN Server has a self-signed certificate applied and

Subversion client is built against the GnuTLS library.

Note

Note

GnuTLS library is an alternative to OpenSSL. Most Subversion clients for Windows are built against OpenSSL and are not affected by this issue. While some Subversion packages (available mostly on Linux-based operating systems such as Ubuntu and Debian) are built against GnuTLS and are affected.

Technical background

During the initial setup VisualSVN Server 2.5 generates a self-signed certificate and adds it to the Trusted Root Certification Authorities store on the local machine. To avoid possible security issues, VisualSVN Server makes this self-signed certificate to be valid for server authentication only (by specifying the 'Key Usage' extension). Subversion clients built against GnuTLS don't recognize such certificate and the error occurs.

Workaround

It's not recommended to use a self-signed certificate in a production environment. We advise to use a certificate issued by your domain or a third-party certificate authority instead of a self-signed one.

If you have to use a self-signed certificate please follow the instruction to generate a cerificate without specifying 'Key Usage' extension:

Add the following registry value to the Windows registry:

for 32-bit system:

[HKEY_LOCAL_MACHINE\SOFTWARE\VisualSVN\VisualSVN Server]

"CreateGnuTLSCompatibleCertificate"=dword:00000001

      

for 64-bit system:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualSVN\VisualSVN Server]

"CreateGnuTLSCompatibleCertificate"=dword:00000001

      

Start VisualSVN Server Manager.

Go to Action | Properties | Certificate.

Click Change certificate... and follow the wizard instructions to generate a new self-signed certificate.

The certificate will be generated without the 'Key Usage' extension and will be compatible both with GnuTLS and OpenSSL.

작업을 해주면 정상적으로 작동이 된다.