Troubleshooting certificate issues related to TLS 1.3 support

Applies to: VisualSVN Server 4.1 and later

Symptoms

After upgrading to VisualSVN Server 4.1 or later, the TLS 1.3 protocol may be unavailable on the server side. In most cases, the problem occurs when you use a self-signed certificate generated in VisualSVN Server 4.0 or older versions. If you encounter this problem, you will see warnings in the VisualSVN Server Manager console and the VisualSVN Server event log.

You will see the following warning on the Certificate tab:

This certificate currently prevents the use of TLS 1.3 on the server.

You will also see the following warning in the TLS/SSL Compatibility window:

TLS 1.3 is effectively disabled due to a problem with the server certificate.

The following warning message will be logged to the VisualSVN Server event log when starting the VisualSVN Server service:

The configured SSL certificate does not allow digital signatures (KeyUsage = digitalSignature). This prevents the use of TLS 1.3 on the server.

Cause

VisualSVN Server 4.1 adds support for the TLS 1.3 protocol on the server side. Normally, TLS 1.3 should become available after the upgrade without any additional steps. However, the installed certificate may prevent the use of TLS 1.3 if its Key Usage extension does not include the "Digital Signature" bit (which is required for TLS 1.3).

In most cases, this particular problem occurs with self-signed certificates generated in VisualSVN Server 4.0 or older versions. The problem occurs because these self-signed certificates do not include the "Digital Signature" bit.
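One way to check a certificate for this condition, as an added PowerShell example that is not part of VisualSVN Server or its documentation. The function name Test-DigitalSignatureKeyUsage and the file path are hypothetical, and the certificate is assumed to have been exported to a .cer file.

```powershell
# Added example: report whether a certificate's Key Usage extension
# includes the Digital Signature bit that TLS 1.3 requires.
function Test-DigitalSignatureKeyUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # exported certificate file (.cer/.crt)
    )

    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($resolved)

    # Locate the Key Usage extension (OID 2.5.29.15), if the certificate has one.
    $keyUsage = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1

    if ($null -eq $keyUsage) {
        # RFC 5280: a certificate without a Key Usage extension carries no
        # usage restriction. Assumption: the server treats it the same way.
        $flags   = '(extension absent)'
        $allowed = $true
    }
    else {
        $bit     = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $flags   = $keyUsage.KeyUsages.ToString()
        $allowed = (([int]$keyUsage.KeyUsages) -band $bit) -ne 0
    }

    [pscustomobject]@{
        Subject                 = $cert.Subject
        Thumbprint              = $cert.Thumbprint
        NotAfter                = $cert.NotAfter
        KeyUsage                = $flags
        DigitalSignatureAllowed = $allowed
    }
}

# Usage (the path is a placeholder, not a VisualSVN Server location):
# Test-DigitalSignatureKeyUsage -Path 'C:\Temp\server-certificate.cer'
```

A result with DigitalSignatureAllowed set to False corresponds to the event log warning shown under Symptoms.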

Resolution

If the problem occurs with a self-signed certificate, you can generate a new one. Follow these steps to generate a new self-signed certificate:

  1. Start the VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Certificate tab and click the menu-tab Change Certificate.
  4. Click Create self-signed certificate.
  5. Enter the Common name and click Next.
  6. Enter the Distinguished Properties. Click Create.
  7. Click Finish and Apply.

These steps will generate a new self-signed certificate and resolve the problem.

Note
The new self-signed certificate will not be automatically trusted by Subversion clients and web browsers. Users will need to manually accept the certificate based on its fingerprint. Please see the article KB134: Configuring SSL Certificates for VisualSVN Server for additional information.

If the problem occurs with a certificate signed by a trusted certificate authority (i.e., not with a self-signed certificate generated by VisualSVN Server), please consider updating your certificate. See the article KB134: Configuring SSL Certificates for VisualSVN Server for instructions.

See also

KB134: Configuring SSL Certificates for VisualSVN Server
KB195: Understanding TLS/SSL compatibility levels in VisualSVN Server
