For quite a while, the Ubuntu subversion package has suffered from bad user certificates that do not follow the standards strictly. If you have to authenticate with such a certificate, subversion returns an error message like this:

OPTIONS of '<url>': SSL handshake failed: SSL error: Key usage violation in certificate has been detected. (<url>)

The root of this problem is that the Ubuntu packages link against libneon-gnutls, which handles certificates more strictly than libneon. An easy workaround in the past was to simply replace the library link of libneon-gnutls so that it points to libneon:

sudo mv /usr/lib/libneon-gnutls.so.27 /usr/lib/libneon-gnutls.so.27.old
sudo ln -s /usr/lib/libneon.so.27 /usr/lib/libneon-gnutls.so.27

However, once you do this in Ubuntu 12.04 Precise Pangolin, you will get another error message instead:

OPTIONS of '<url>': SSL handshake failed: SSL disabled due to library version mismatch (<url>)


After quite some googling, it turned out that there is a bug in the version of libneon bundled with Precise that causes this problem. Fortunately, this is already fixed in version 0.29.3. To get back to a working subversion, perform these steps:

  1. Uninstall the current libneon package:
    sudo apt-get remove libneon27
  2. Download the latest libneon package from http://packages.debian.org/squeeze/libneon27 (at the bottom you can choose the right version for your architecture).
  3. Install the required libssl dependency:
    sudo apt-get install libssl0.9.8
  4. Install the downloaded libneon package, e.g. for the 64-bit architecture:
    sudo dpkg -i libneon27_0.29.3-3_amd64.deb
  5. Change the symbolic links again as described above:
    sudo mv /usr/lib/libneon-gnutls.so.27 /usr/lib/libneon-gnutls.so.27.old
    sudo ln -s /usr/lib/libneon.so.27 /usr/lib/libneon-gnutls.so.27

And finally subversion should be working again.
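The comments below report that this fix has to be reapplied after package updates, so a quick check of which library the libneon-gnutls name currently resolves to is useful. The following is an added example, not part of the original post; the function name `neon_link_state` and its three state words are made up for illustration, and the paths are the ones used in the steps above.

```shell
#!/bin/sh
# neon_link_state [LIBDIR]   (hypothetical helper, not from the original post)
# Prints one of:
#   missing     LIBDIR/libneon-gnutls.so.27 does not exist
#   overridden  it resolves to the same file as LIBDIR/libneon.so.27
#   stock       it resolves to anything else (the packaged GnuTLS build)
neon_link_state() {
    libdir=${1:-/usr/lib}
    gnutls_link="$libdir/libneon-gnutls.so.27"
    openssl_link="$libdir/libneon.so.27"

    # -e follows symlinks, so a dangling link also counts as missing
    [ -e "$gnutls_link" ] || { echo missing; return 0; }

    # Resolve both names to the real files they end up at
    gnutls_target=$(readlink -f "$gnutls_link")
    openssl_target=$(readlink -f "$openssl_link" 2>/dev/null) || openssl_target=""

    if [ -n "$openssl_target" ] && [ "$gnutls_target" = "$openssl_target" ]; then
        echo overridden
    else
        echo stock
    fi
}

# Report the state of the directory given as first argument (default /usr/lib)
neon_link_state "${1:-/usr/lib}"
```

If this prints `stock` after an upgrade, the package manager has put the original library link back and the workaround is no longer active.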



Comments


    #1 Olivier on 05/03/12 at 10:39 PM
    *Thanks for the tip. However instead of moving libneon, you may want to create an alias in your .bashrc like:
    alias svn='LD_PRELOAD=/usr/lib/libneon.so.27 svn'

    It works as well

    Cheers
    #1.1 Carsten Schlipf on 05/03/12 at 11:21 PM
    *Thank you for the tip. That's obviously a safer workaround than changing the links.
    #2 Rich on 06/07/12 at 07:43 AM
    *Wow, thanks. Was getting sick of all the pre 12.04 answers out there for this.
    #3 Samundra on 06/22/12 at 07:13 AM
    *Perfectly worked for me :-) Thanks for the info.
    #4 Dmitry Borody on 07/14/12 at 10:53 AM
    *Thank you! Helped me much.
    #5 Quetzacotl on 07/24/12 at 12:37 PM
    *It worked for me, but every time I restart the system I have to do it again. Can I make it permanent?
    #5.1 Carsten Schlipf on 07/24/12 at 01:19 PM
    *I have the same problem. Other than adding these commands to your .profile (so that these will be executed on every logon) I have no idea. Also, when you install update packages you have to reinstall the other libneon package.
    #5.1.1 Quetzacotl on 07/24/12 at 05:19 PM
    *Well, actually now I didn't even restart the system and it stopped working, maybe 'cause of virtualenv.
    I typed these commands as root, did a commit, then changed to virtualenv and it doesn't work again. Even if I switch to root again. ;/
    #5.1.1.1 Carsten Schlipf on 07/24/12 at 05:28 PM
    *Do you have automatic updates enabled?
    #5.1.1.1.1 Quetzacotl on 07/24/12 at 06:22 PM
    *I just let it install updates when the system asks me for it. Probably I did it after the svn fix, but with every update libneon is updated as well?
    #5.1.1.1.1.1 Carsten Schlipf on 07/24/12 at 08:48 PM
    *Yes... that's right. You have to reapply this fix after every run of apt-get install or apt-get upgrade.
    #6 saramissss on 09/15/12 at 12:55 AM
    *Tnx. Works! Linux saramissss 3.2.0-30-generic-pae #48-Ubuntu SMP Fri Aug 24 17:14:09 UTC 2012 i686 i686 i386 GNU/Linux
    #7 Durga charan ojha on 09/19/12 at 10:41 AM
    *Hi,

    Below is the configuration I have in my laptop

    Release 12.04 (precise) 32-bit
    kernel – 3.2.0-30-generic-pae
    Subversion- Installed: 1.6.17dfsg-3ubuntu3
    Candidate: 1.6.17dfsg-3ubuntu3

    Getting error
    “Fixing ‘SSL handshake failed: SSL error: Key usage violation in certificate has been detected”

    Any help would be greatly appreciated.

    Thanks and Regards,
    Durga
    #8 tony on 11/29/12 at 11:22 PM
    *Thanks !
    #9 Harenson Henao on 12/10/12 at 03:48 PM
    *I made a bash script with all the steps, it could be useful for anyone of you.

    http://pastebin.com/2rUBgNrw
    #10 Harenson Henao on 12/10/12 at 03:58 PM
    *If you want to hold a package version making use of "aptitude package manager", try this in a shell:

    aptitude hold libneon27


    Your package will be ignored in the upgrade process.
    #10.1 Carsten Schlipf on 12/10/12 at 05:46 PM
    *Thank you very much. Great tip!
    #10.1.1 Harenson Henao on 12/10/12 at 06:06 PM
    *You're welcome.

    I wish to modify the last entry. I recommend using "echo libneon27 hold | sudo dpkg --set-selections" instead of "aptitude hold libneon27".

    There is a better explanation:

    http://askubuntu.com/questions/51124/hold-packages-back-from-updates-without-apt-pin
    #11 Orby on 03/03/13 at 10:11 AM
    *Thanks for the pointer. This got me going.



    I found that exporting LD_PRELOAD broke a number of other applications. My solution is to rename the svn binary to svn_bin, then create this shell script called svn in /usr/bin:

    #!/bin/bash

    # Preload libneon for svn only; "$@" keeps arguments with spaces intact
    export LD_PRELOAD=/usr/lib/libneon.so.27
    /usr/bin/svn_bin "$@"
    #12 Viraj on 03/06/13 at 11:43 AM
    *Perfectly worked for me. Thanks.
    #13 Grzegorz on 06/17/13 at 03:29 PM
    *Can you provide more info on what the following (in the beginning of the article) means:

    > user certificates that do not follow the standards strictly

    Or point to a resource?
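
As background to the question above (an added example, not part of the original post or its comments): the error text refers to the certificate's X.509 Key Usage extension. TLS client authentication signs part of the handshake with the certificate's key, so this sketch assumes the violation is a Key Usage extension that is present but does not list Digital Signature; the function names and the sample text are constructed.

```shell
#!/bin/sh
# Reads `openssl x509 -noout -text` output on stdin and prints the value of
# the X509v3 Key Usage extension (prints nothing if the extension is absent).
key_usage_of() {
    awk '
        grab { $1 = $1; print; exit }       # value line follows the header line
        /X509v3 Key Usage:/ { grab = 1 }    # does not match "Extended Key Usage"
    '
}

# Prints: unrestricted (no Key Usage extension) | ok | violation
# Assumption: a client certificate needs "Digital Signature" when the
# extension is present.
client_auth_verdict() {
    usage=$(key_usage_of)
    case $usage in
        "")                    echo unrestricted ;;
        *"Digital Signature"*) echo ok ;;
        *)                     echo violation ;;
    esac
}

# Constructed excerpts in the layout printed by `openssl x509 -noout -text`
sample_bad() { cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
EOF
}
sample_good() { cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
EOF
}
sample_none() { cat <<'EOF'
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
EOF
}

for s in sample_bad sample_good sample_none; do
    printf '%s: %s\n' "$s" "$($s | client_auth_verdict)"
done
```

For a real certificate, pipe `openssl x509 -in client.pem -noout -text` into `client_auth_verdict`; `client.pem` is a placeholder path.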
