[Pkg-libvirt-maintainers] Bug#1110816: Bug#1110816: Libvirt TLS: Key Encipherment extension should not be enforced in certificates
Andrea Bolognani
eof at kiyuko.org
Mon Aug 11 20:10:33 BST 2025
Control: fixed -1 libvirt/11.6.0-1
On Mon, Aug 11, 2025 at 08:31:50AM +0000, Karel Van Hecke wrote:
> Package: libvirt-daemon
> Version: 11.3.0-3
>
> Libvirt currently enforces the Key Encipherment certificate extension to be present in configured TLS certificates.
> This goes against the specification that ECDSA certificates should never contain the Key Encipherment extension.
>
> Dropping the requirement altogether is the better option, as it is no longer a requirement with modern ciphers.
>
> Upstream references:
>
> This requirement was dropped for ECDSA certificates in 11.5.0:
> https://gitlab.com/libvirt/libvirt/-/commit/11867b0224a2b8dc34755ff0ace446b6842df1c1
>
> The requirement was dropped altogether in 11.6.0:
> https://gitlab.com/libvirt/libvirt/-/commit/8cecd3249e5fa5478a7c53567971b4d969274ea3
>
> Tests were corrected in: https://gitlab.com/libvirt/libvirt/-/commit/e67952b0e612c9ad3c3eec8bb692589602953ee8
Thank you for reporting this issue upstream and tracking it. Should
be a straightforward enough backport to trixie. I'll look into it
during one of the upcoming weekends.
--
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
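Added illustration (not libvirt's code and not part of this thread): decode an X.509 KeyUsage extension value and apply the check the report describes as too strict (Key Encipherment required) beside the relaxed one. The DER samples are constructed, and the relaxed rule's assumption that digitalSignature is still required is mine, not libvirt's.

```python
"""Constructed example: the old key-usage rule (keyEncipherment mandatory)
rejects an RFC-conformant ECDSA TLS certificate, the relaxed rule does not."""

# RFC 5280 section 4.2.1.3 KeyUsage bit names; bit 0 is the MSB of the first byte
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (the KeyUsage extnValue) into asserted usage names."""
    if len(der) < 3 or der[0] != 0x03:            # tag 0x03 = BIT STRING
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:    # KeyUsage always fits short-form length
        raise ValueError("bad length")
    unused = der[2]                                # count of padding bits in last byte
    if unused > 7:
        raise ValueError("bad unused-bits count")
    body = der[3:]
    nbits = len(body) * 8 - unused
    usages = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def old_rule(usages: set) -> bool:
    """Behaviour the report complains about: Key Encipherment must be present."""
    return "digitalSignature" in usages and "keyEncipherment" in usages


def relaxed_rule(usages: set) -> bool:
    """Key Encipherment no longer required (assumption: digitalSignature still is)."""
    return "digitalSignature" in usages


# Constructed sample extension values
ECDSA_KEY_USAGE = bytes.fromhex("03020780")   # digitalSignature only (RFC 8813 style)
RSA_KEY_USAGE = bytes.fromhex("030205a0")     # digitalSignature + keyEncipherment

if __name__ == "__main__":
    for name, der in (("ECDSA", ECDSA_KEY_USAGE), ("RSA", RSA_KEY_USAGE)):
        u = decode_key_usage(der)
        print(name, sorted(u), "old:", old_rule(u), "relaxed:", relaxed_rule(u))
```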