[Pkg-gnutls-maint] Bug#481132: Bug#481132: libgnutls26: flags key usage error where OpenSSL does not

brian m. carlson sandals at crustytoothpaste.ath.cx
Wed May 14 16:13:16 UTC 2008


retitle 481132 libgnutls26: should use EDH only if server cert supports it
kthxbye

On Wed, May 14, 2008 at 05:42:45PM +0200, Simon Josefsson wrote:
>Hi!  Thanks for the report.  Unfortunately, I think your certificate is
>incorrect, you'll need the digitalSignature Key Usage Bit as well.
>
>RFC 2246 and 4346:
>
>      DHE_RSA                 RSA public key that can be used for
>                              signing.
>...
>   All certificate profiles and key and cryptographic formats are
>   defined by the IETF PKIX working group [PKIX].  When a key usage
>   extension is present, the digitalSignature bit MUST be set for the
>   key to be eligible for signing, as described above, and the
>   keyEncipherment bit MUST be present to allow encryption, as described
>   above.  The keyAgreement bit must be set on Diffie-Hellman
>   certificates.

I've figured out what the problem is.  If I don't disable kEDH in
sendmail's config, it fails, but if I do disable it, it works.
My IMAP server also has kEDH disabled, and so it also works.

Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
GnuTLS should implement the same behavior; if a certificate doesn't
support digitalSignature, then GnuTLS shouldn't try to use it in that
way.  RSA key exchange is fine for what I need.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
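
The behaviour requested in the message above (offer only the key exchanges that the server certificate's keyUsage permits), as an added example that is not part of the original message and is not GnuTLS or OpenSSL code. The function names and the DER sample values are constructed for illustration.

```python
# Added example; function names are hypothetical, not GnuTLS or OpenSSL API.
# Bit positions of the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
DIGITAL_SIGNATURE, KEY_ENCIPHERMENT = 0, 2

# What each TLS key exchange needs from an RSA server certificate
# (RFC 2246 / RFC 4346, section 7.4.2, as quoted in the message).
REQUIRED_BIT = {"RSA": KEY_ENCIPHERMENT, "DHE_RSA": DIGITAL_SIGNATURE}


def parse_key_usage(der):
    """Return the set of bit positions set in a DER KeyUsage value.

    `der` is the DER BIT STRING from the extension, or None when the
    certificate carries no keyUsage extension at all.
    """
    if der is None:
        return None
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bits count")
    nbits = len(payload) * 8 - unused
    return {i for i in range(nbits) if payload[i // 8] & (0x80 >> (i % 8))}


def key_exchange_of(suite):
    """'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' -> 'DHE_RSA'."""
    return suite[len("TLS_"):suite.index("_WITH_")]


def select_suites(offered, key_usage_der):
    """Keep only the suites the certificate's keyUsage allows."""
    bits = parse_key_usage(key_usage_der)
    if bits is None:          # no extension: the key is unrestricted
        return list(offered)
    return [s for s in offered
            if REQUIRED_BIT.get(key_exchange_of(s)) in bits]


# Constructed sample values (not taken from the reporter's certificate).
OFFERED = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
ENCIPHER_ONLY = bytes.fromhex("03020520")       # keyEncipherment only
SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment

if __name__ == "__main__":
    for label, ku in [("keyEncipherment only", ENCIPHER_ONLY),
                      ("digitalSignature + keyEncipherment", SIGN_AND_ENCIPHER),
                      ("no keyUsage extension", None)]:
        print(label, "->", select_suites(OFFERED, ku))
```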