[Pkg-libvirt-maintainers] Bug#1110816: Libvirt TLS: Key Encipherment extension should not be enforced in certificates
Karel Van Hecke
bugreport at karelvanhecke.com
Mon Aug 11 09:31:50 BST 2025
Package: libvirt-daemon
Version: 11.3.0-3
Libvirt currently enforces the Key Encipherment certificate extension to be present in configured TLS certificates.
This goes against the specification that ECDSA certificates should never contain the Key Encipherment extension.
Dropping the requirement altogether is the better option, as it is no longer a requirement with modern ciphers.
Upstream references:
This requirement was dropped for ECDSA certificates in 11.5.0:
https://gitlab.com/libvirt/libvirt/-/commit/11867b0224a2b8dc34755ff0ace446b6842df1c1
The requirement was dropped altogether in 11.6.0:
https://gitlab.com/libvirt/libvirt/-/commit/8cecd3249e5fa5478a7c53567971b4d969274ea3
Tests were corrected in: https://gitlab.com/libvirt/libvirt/-/commit/e67952b0e612c9ad3c3eec8bb692589602953ee8
Thanks in advance,
Karel Van Hecke
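An added example, not part of the bug report or of libvirt, for auditing the certificates a libvirt deployment uses against the two points raised above: whether a certificate carries the Key Encipherment usage the old check demanded, and whether an ECDSA certificate wrongly carries it. It assumes `openssl` (1.1.1 or newer) is on PATH; the `make_cert` helper only produces constructed self-signed test certificates.

```shell
#!/bin/sh
# Added example (not from the report or libvirt). Audits the keyUsage extension
# of a PEM certificate and classifies it relative to the libvirt check described
# in the report. Assumes openssl 1.1.1+ on PATH.
set -eu

# key_usage_report CERT.pem  -> prints one of:
#   ec-ok      EC key without Key Encipherment: correct per RFC 5480, but
#              rejected by the libvirt check the report describes
#   ec-bad     EC key that wrongly carries Key Encipherment
#   rsa-ke     RSA key with Key Encipherment: passes the old check
#   rsa-no-ke  RSA key without Key Encipherment: fine for ECDHE/TLS 1.3,
#              rejected by the old check
key_usage_report() {
    cert=$1
    # Key algorithm from the parsed certificate text.
    if openssl x509 -in "$cert" -noout -text | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
        alg=ec
    else
        alg=rsa
    fi
    # keyUsage extension text; empty when the extension is absent.
    ku=$(openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null || true)
    case "$ku" in
        *"Key Encipherment"*) ke=1 ;;
        *) ke=0 ;;
    esac
    if [ "$alg" = ec ]; then
        [ "$ke" = 1 ] && echo ec-bad || echo ec-ok
    else
        [ "$ke" = 1 ] && echo rsa-ke || echo rsa-no-ke
    fi
}

# make_cert ec|rsa KEYUSAGE -> path to a constructed self-signed test cert
# (hypothetical helper; the subject name is a placeholder).
make_cert() {
    dir=$(mktemp -d)
    if [ "$1" = ec ]; then
        keyopts="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1"
    else
        keyopts="-newkey rsa:2048"
    fi
    # shellcheck disable=SC2086
    openssl req -x509 $keyopts -nodes -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days 1 -subj "/CN=constructed.example" -addext "keyUsage=critical,$2" >/dev/null 2>&1
    echo "$dir/cert.pem"
}
```

Run `key_usage_report /etc/pki/libvirt/servercert.pem` (path as an example) to see how an existing deployment's certificate would fare under the old check.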