[asterisk-dev] Subversion TLS certificate replacement

Philippe Sultan philippe.sultan at gmail.com
Mon Nov 10 09:07:25 CST 2008

Hi Kevin,

I tried to retrieve my new certificate several times over the last
days, but the server keeps rejecting me and reports an SSL handshake


On Tue, Nov 4, 2008 at 10:39 PM, Kevin P. Fleming <kpfleming at digium.com> wrote:
> To all who have commit access to origsvn.digium.com or
> origsvncommunity.digium.com:
> Recently we have been fighting some problems with users being able to
> access our master Subversion repository servers; these problems
> manifested themselves as 'Key usage violation' messages from Subversion,
> and started to appear on Fedora 9 systems (but now also appear on Fedora
> 10, Ubuntu 8.10, CentOS 5.3 and other systems). They began occurring
> when the packagers of Subversion (and possibly Subversion upstream)
> began using GnuTLS for TLS support instead of OpenSSL, since GnuTLS does
> more strict certificate checking than OpenSSL does (or was configured to
> do).
> After finally figuring out how to correct our server certificates to
> avoid this problem, we ran into another issue, which is that current
> versions of neon (the WebDAV library that Subversion relies on) have
> some flaws in their GnuTLS TLS support, and at least one of these flaws
> appears when the client certificate file in use actually contains more
> than one certificate. In our case, we typically include our CA
> certificate in the client certificate file (a PKCS12 bundle), which
> caused this bug to manifest itself.
> Since we did not actually *need* to have the CA certificate in the
> bundle (it is available separately), I have generated new copies of each
> committer's certificate bundle with only their certificate included.
> There are no other changes in the certificates... passphrase, expiration
> dates, etc. are all as they were before. Using these new copies of the
> certificate allows users of Subversion on the Linux distributions listed
> above to access our master servers without having to build their own
> copy of Subversion to use OpenSSL.
> In order to ease the burden of distributing these new certificates, I
> have placed them into a special repository. I encourage everyone with
> commit access to download their new certificate soon, certainly before
> performing any major system upgrades that might result in their old
> certificate no longer being usable :-)
> The new certs are located at
> https://origsvn.digium.com/svn/swdev/certificates, and each one is in
> its own directory with a name matching the committer's author ID for the
> repositories. Each directory is access-restricted so that only that user
> can access the certificate.
> Please download and try out your new certificate as soon as you can make
> time to do so, and report any problems you find directly to me. Thanks,
> and sorry for any inconvenience this may cause.
> --
> Kevin P. Fleming
> Director of Software Technologies
> Digium, Inc. - "The Genuine Asterisk Experience" (TM)

Philippe Sultan
