help-gnutls

[Help-gnutls] Re: Key usage violation in certificate


From: Simon Josefsson
Subject: [Help-gnutls] Re: Key usage violation in certificate
Date: Mon, 01 Jun 2009 11:18:07 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.94 (gnu/linux)

"Roland Winkler" <address@hidden> writes:

>> By misconfiguration however the server allows you to connect with
>> a ciphersuite that violates this usage and that's why gnutls-cli
>> fails to connect.
>
> Is this a misconfiguration of the server that its sysadmins can fix?

Yes.  They can choose between:

1) Disable DHE ciphersuite, because their certificate doesn't permit
those.

2) Re-generate the certificate and add the sign key usage, which allows
use of the certificate together with DHE.

> Is it a part of the communication protocol between server and client
> that the server should tell the client the allowed usage of its
> certificate? I mean, the server knows the allowed usage of its
> certificate. So I would guess that in an ideal world (that we don't
> have...) no extra configuration of the server was necessary.

Right.  The server software could also detect that the certificate does
not support signing, and then disable all DHE/EXPORT ciphersuites.

/Simon
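
Added example, not part of the message above and not GnuTLS code: a C sketch of the server-side check described in the last paragraph, which reads the certificate's keyUsage and decides which configured RSA-certificate suites to offer. The function names, sample extension bytes and suite list are constructed for illustration; RSA_EXPORT is treated as needing a signature, which holds when the certificate key is longer than 512 bits.

```c
#include <stdio.h>
#include <string.h>

/* First octet of the X.509 keyUsage BIT STRING (bit 0 is the MSB). */
#define KU_DIGITAL_SIGNATURE 0x80
#define KU_KEY_ENCIPHERMENT  0x20
/* Constructed sample values (DER: tag 03, length, unused bits, bits). */
static const unsigned char KU_ENC_ONLY[] = {0x03, 0x02, 0x05, 0x20};
static const unsigned char KU_SIGN_ENC[] = {0x03, 0x02, 0x05, 0xA0};
/* Constructed server configuration: suites the administrator enabled. */
static const char *const CONFIGURED[] = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
};
#define N_CONFIGURED (sizeof CONFIGURED / sizeof CONFIGURED[0])

/* Return the first bits octet of a DER keyUsage value, or -1 if malformed. */
int parse_key_usage(const unsigned char *der, size_t len)
{
    if (len < 4 || der[0] != 0x03 || (size_t)der[1] != len - 2 || der[2] > 7)
        return -1;
    return der[3];
}

/* 1 if an RSA certificate with this keyUsage octet may serve the suite. */
int suite_permitted(int usage, const char *suite)
{
    if (usage < 0)
        return 0; /* malformed extension: fail closed */
    /* DHE and export suites: the server signs its ServerKeyExchange. */
    if (strstr(suite, "_DHE_RSA_") || strstr(suite, "_RSA_EXPORT_"))
        return (usage & KU_DIGITAL_SIGNATURE) != 0;
    /* Plain RSA: the client encrypts the premaster secret to the cert key. */
    if (strncmp(suite, "TLS_RSA_", 8) == 0)
        return (usage & KU_KEY_ENCIPHERMENT) != 0;
    return 0; /* suite not modelled in this sketch */
}

int main(void)
{
    int enc = parse_key_usage(KU_ENC_ONLY, sizeof KU_ENC_ONLY);
    int both = parse_key_usage(KU_SIGN_ENC, sizeof KU_SIGN_ENC);
    for (size_t i = 0; i < N_CONFIGURED; i++)
        printf("%-34s enc-only:%d sign+enc:%d\n", CONFIGURED[i],
               suite_permitted(enc, CONFIGURED[i]),
               suite_permitted(both, CONFIGURED[i]));
    return 0;
}
```

A certificate with no keyUsage extension is unrestricted and would bypass this filter; that case is not modelled here.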



