[asterisk-dev] Subversion TLS certificate replacement
Kevin P. Fleming
kpfleming at digium.com
Tue Nov 4 15:39:34 CST 2008
To all who have commit access to origsvn.digium.com or
origsvncommunity.digium.com:
Recently we have been fighting some problems with users being able to
access our master Subversion repository servers; these problems
manifested themselves as 'Key usage violation' messages from Subversion,
and started to appear on Fedora 9 systems (but now also appear on Fedora
10, Ubuntu 8.10, CentOS 5.3 and other systems). They began occurring
when the packagers of Subversion (and possibly Subversion upstream)
began using GnuTLS for TLS support instead of OpenSSL, since GnuTLS does
more strict certificate checking than OpenSSL does (or was configured to
do).
After finally figuring out how to correct our server certificates to
avoid this problem, we ran into another issue, which is that current
versions of neon (the WebDAV library that Subversion relies on) have
some flaws in their GnuTLS TLS support, and at least one of these flaws
appears when the client certificate file in use actually contains more
than one certificate. In our case, we typically include our CA
certificate in the client certificate file (a PKCS12 bundle), which
caused this bug to manifest itself.
Since we did not actually *need* to have the CA certificate in the
bundle (it is available separately), I have generated new copies of each
committer's certificate bundle with only their certificate included.
There are no other changes in the certificates... passphrase, expiration
dates, etc. are all as they were before. Using these new copies of the
certificate allows users of Subversion on the Linux distributions listed
above to access our master servers without having to build their own
copy of Subversion to use OpenSSL.
In order to ease the burden of distributing these new certificates, I
have placed them into a special repository. I encourage everyone with
commit access to download their new certificate soon, certainly before
performing any major system upgrades that might result in their old
certificate no longer being usable :-)
The new certs are located at
https://origsvn.digium.com/svn/swdev/certificates, and each one is in
its own directory with a name matching the committer's author ID for the
repositories. Each directory is access-restricted so that only that user
can access the certificate.
Please download and try out your new certificate as soon as you can make
time to do so, and report any problems you find directly to me. Thanks,
and sorry for any inconvenience this may cause.
--
Kevin P. Fleming
Director of Software Technologies
Digium, Inc. - "The Genuine Asterisk Experience" (TM)
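The bundle repackaging described in the message, as an added example that is not part of the post or of Digium's tooling: a POSIX shell script using the openssl command line that counts the certificates inside a PKCS12 file and re-exports it with only the committer's certificate and key, leaving the CA certificate out. The demo CA, committer name, file names and passphrase are constructed for illustration and are not the real certificates.

```shell
# Added example: inspect a PKCS12 committer bundle and re-export it with only
# the committer's own certificate and key (CA certificate left out).
set -eu
umask 077   # extracted private key material goes into a private temp dir

# Count the certificates in a PKCS12 file.  $1 = bundle path, $2 = passphrase
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Re-export a bundle keeping only the client certificate and its key.
# $1 = input bundle, $2 = passphrase (reused for the output), $3 = output bundle
p12_strip_ca() {
    tmp=$(mktemp -d)
    # -clcerts selects the certificate matching the private key, not CA certs
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$tmp/cert.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$tmp/key.pem"
    # no -certfile / -chain here, so no CA certificate ends up in the new bundle
    openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.pem" \
        -passout "pass:$2" -out "$3"
    rm -rf "$tmp"
}

# Build a constructed test CA, committer certificate and CA-bearing bundle
# (sample data for the demonstration only).  $1 = work dir, $2 = passphrase
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.pem" -subj /CN=ExampleCA -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$1/user.key" \
        -out "$1/user.csr" -subj /CN=committer 2>/dev/null
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/user.pem" -days 1 2>/dev/null
    # -certfile adds the CA certificate, reproducing the problematic bundle
    openssl pkcs12 -export -in "$1/user.pem" -inkey "$1/user.key" \
        -certfile "$1/ca.pem" -passout "pass:$2" -out "$1/bundle.p12"
    echo "$1/bundle.p12"
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    old=$(make_demo_bundle "$work" secret)
    echo "certs in original bundle: $(p12_cert_count "$old" secret)"   # 2
    p12_strip_ca "$old" secret "$work/committer-only.p12"
    echo "certs in stripped bundle: $(p12_cert_count "$work/committer-only.p12" secret)"   # 1
    rm -rf "$work"
fi
```

Run with `sh script.sh demo` to see the count drop from 2 to 1; point `p12_strip_ca` at a real bundle to produce a single-certificate copy.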