[Pkg-gnutls-maint] Bug#481132: Bug#481132: libgnutls26: flags key usage error where OpenSSL does not

Simon Josefsson simon at josefsson.org
Thu May 15 08:48:59 UTC 2008


forwarded 481132 http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/39
severity 481132 wishlist
thanks

"brian m. carlson" <sandals at crustytoothpaste.ath.cx> writes:

> retitle 481132 libgnutls26: should use EDH only if server cert supports it
> kthxbye
>
> On Wed, May 14, 2008 at 05:42:45PM +0200, Simon Josefsson wrote:
>>Hi!  Thanks for the report.  Unfortunately, I think your certificate is
>>incorrect, you'll need the digitalSignature Key Usage Bit as well.
>>
>>RFC 2246 and 4346:
>>
>>      DHE_RSA                 RSA public key that can be used for
>>                              signing.
>>...
>>   All certificate profiles and key and cryptographic formats are
>>   defined by the IETF PKIX working group [PKIX].  When a key usage
>>   extension is present, the digitalSignature bit MUST be set for the
>>   key to be eligible for signing, as described above, and the
>>   keyEncipherment bit MUST be present to allow encryption, as described
>>   above.  The keyAgreement bit must be set on Diffie-Hellman
>>   certificates.
>
> I've figured out what the problem is.  If I don't disable kEDH in
> sendmail's config, it fails, but if I do disable it, it works.
> My IMAP server also has kEDH disabled, and so it also works.
>
> Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
> GnuTLS should implement the same behavior; if a certificate doesn't
> support digitalSignature, then GnuTLS shouldn't try to use it in that
> way.  RSA key exchange is fine for what I need.

I've created a gnutls bug to track this, and changed the severity to
wishlist since this is now a feature request.

There are some subtle issues here.  Some users may prefer an error
message rather than silently downgrading the ciphersuite.  However, I
think that if the user said that both EDH and non-EDH ciphers are OK,
that GnuTLS should automatically remove all EDH ciphers if the provided
server certificate does not include the digitalSignature bit.

Another subtlety is that if
gnutls_certificate_server_set_retrieve_function is used, gnutls doesn't
know the server certificate until later in the handshake, and then it
may be too late to disable the EDH ciphers.  In this case, the handshake
will fail with the same error, I don't think we can do anything about
it.  It is up to the application callback to select a suitable server
certificate in this case.

There are many things which need to have a higher priority for me in
gnutls, so unfortunately I won't have time to create a patch for this.
Of course, if you or someone else creates patches I'll review them.

/Simon
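The filtering behaviour discussed above (drop the EDH suites when the server certificate's keyUsage lacks digitalSignature, keep plain RSA key exchange only when keyEncipherment is present, and error out only when nothing usable remains) as an added example in Python. It is not GnuTLS or OpenSSL code: the DER keyUsage values are constructed for the example, the ciphersuite names are the standard TLS 1.x names, and the function names and the `NoUsableCiphersuite` exception are the example's own.

```python
"""Ciphersuite eligibility against a server certificate's keyUsage extension.

Added example, not GnuTLS code.  Given the priority list the application
configured and the DER keyUsage BIT STRING from the server certificate, drop
the key-exchange methods the certificate may not perform (the RFC 4346 rules
quoted in the thread) and fail only when nothing usable remains.  All input
below is constructed for the example, not taken from a real certificate.
"""

# RFC 5280 KeyUsage bit positions; bit 0 is the MSB of the first body byte.
KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}

# keyUsage bit each key-exchange method requires of the server certificate
# (RFC 4346 section 7.4.2, as quoted in the thread).
KX_REQUIRED_BIT = {
    "RSA": "keyEncipherment",       # client encrypts the premaster secret to the cert key
    "DHE_RSA": "digitalSignature",  # server signs its ephemeral DH parameters
    "DHE_DSS": "digitalSignature",
    "DH_RSA": "keyAgreement",       # static DH key carried in the certificate
    "DH_DSS": "keyAgreement",
}


class NoUsableCiphersuite(Exception):
    """Raised instead of silently negotiating nothing (example's own type)."""


def parse_key_usage(der):
    """Decode a DER KeyUsage BIT STRING (the extnValue contents) into bit names.

    Only short-form lengths are handled, which is all a 1-2 byte KeyUsage needs.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    usable_bits = len(body) * 8 - unused
    names = set()
    for bit, name in KEY_USAGE_BITS.items():
        if bit >= usable_bits:
            break  # DER strips trailing zero bits, so absent bits are clear
        byte, offset = divmod(bit, 8)
        if body[byte] & (0x80 >> offset):
            names.add(name)
    return names


def ciphersuite_kx(name):
    """Key-exchange part of a TLS 1.x suite name, e.g. DHE_RSA."""
    if name.startswith("TLS_"):
        name = name[4:]
    return name.split("_WITH_")[0]


def filter_priorities(priorities, key_usage, has_key_usage_ext=True):
    """Return the configured suites the certificate may legitimately use.

    A certificate without a keyUsage extension restricts nothing.  Suites whose
    key exchange needs no certificate bit (e.g. DH_anon, PSK) are kept.
    """
    if not has_key_usage_ext:
        return list(priorities)
    kept = [s for s in priorities
            if KX_REQUIRED_BIT.get(ciphersuite_kx(s)) in (None, *key_usage)]
    if not kept:
        raise NoUsableCiphersuite(
            "server certificate keyUsage %s permits none of %s" % (sorted(key_usage), priorities))
    return kept


# Constructed DER keyUsage values (tag 03, length, unused-bit count, body).
KU_ENCIPHER_ONLY = bytes([0x03, 0x02, 0x05, 0x20])      # keyEncipherment only (the reporter's case)
KU_SIGN_AND_ENCIPHER = bytes([0x03, 0x02, 0x05, 0xA0])  # digitalSignature + keyEncipherment
KU_SIGN_ONLY = bytes([0x03, 0x02, 0x07, 0x80])          # digitalSignature only

PRIORITIES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for label, ku in (("encipher-only", KU_ENCIPHER_ONLY),
                      ("sign+encipher", KU_SIGN_AND_ENCIPHER),
                      ("sign-only", KU_SIGN_ONLY)):
        print(label, sorted(parse_key_usage(ku)), "->", filter_priorities(PRIORITIES, parse_key_usage(ku)))
    try:
        filter_priorities(PRIORITIES[:2], parse_key_usage(KU_ENCIPHER_ONLY))
    except NoUsableCiphersuite as e:
        print("handshake would fail:", e)
```

This only helps when the certificate is known before the ClientHello is answered; in the retrieve-callback case Simon mentions, the callback itself has to apply the same check when choosing which certificate to return.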