[Pkg-gnutls-maint] Bug#481132: Bug#481132: libgnutls26: flags key usage error where OpenSSL does not
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun May 18 09:55:47 UTC 2008
> I've figured out what the problem is. If I don't disable kEDH in
> sendmail's config, it fails, but if I do disable it, it works.
> My IMAP server also has kEDH disabled, and so it also works.
>
> Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
> GnuTLS should implement the same behavior; if a certificate doesn't
> support digitalSignature, then GnuTLS shouldn't try to use it in that
> way. RSA key exchange is fine for what I need.
This cannot be done due to how SSL/TLS is designed. The certificate is
provided after the ciphersuite is negotiated, thus the client cannot do
anything in this issue. The server seems to be misconfigured to accept
the DHE* ciphersuites even if his certificate does not support it.
Gnutls servers shouldn't do this so if the server is based on gnutls
please report it as a bug.
regards,
Nikos
More information about the Pkg-gnutls-maint
mailing list