[Help-gnutls] Re: Key usage violation in certificate
Simon Josefsson
simon at josefsson.org
Mon Jun 1 11:18:07 CEST 2009
"Roland Winkler" <Roland.Winkler at physik.uni-erlangen.de> writes:
>> By misconfiguration however the server allows you to connect with
>> a ciphersuite that violates this usage and that's why gnutls-cli
>> fails to connect.
>
> Is this a misconfiguration of the server that its sysadmins can fix?

Yes. They can choose between:

1) Disable DHE ciphersuites, because their certificate doesn't permit
   those.
2) Re-generate the certificate and add the sign key usage, which allows
   use of the certificate together with DHE.

> Is it a part of the communication protocol between server and client
> that the server should tell the client the allowed usage of its
> certificate? I mean, the server knows the allowed usage of its
> certificate. So I would guess that in an ideal world (that we don't
> have...) no extra configuration of the server was necessary.
Right. The server software could also detect that the certificate does
not support signing, and then disable all DHE/EXPORT ciphersuites.
/Simon
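
The server-side check suggested in the reply, as an added example that is not part of the original message and is not GnuTLS code: it decodes a certificate's KeyUsage bits and drops the ciphersuites the certificate does not permit. The function names, the suite-name prefix matching (which follows the reply in grouping EXPORT with DHE as needing the signing usage) and the sample DER values are assumptions made for illustration.

```python
# Added example, not GnuTLS code. All function names here are hypothetical.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")  # RFC 5280 bit order


def parse_key_usage(der):
    """Decode the KeyUsage extension value (a DER BIT STRING) into names."""
    if not 3 <= len(der) <= 5 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a KeyUsage-sized DER BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bit count")
    total_bits = len(payload) * 8 - unused
    # Bit 0 is the most significant bit of the first payload byte.
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total_bits and payload[i // 8] & (0x80 >> (i % 8))}


def required_usage(suite):
    """Key usage an RSA server certificate needs for this suite (simplified)."""
    if suite.startswith(("TLS_DHE_RSA_", "TLS_RSA_EXPORT_")):
        return "digitalSignature"   # server signs its ephemeral parameters
    if suite.startswith("TLS_RSA_"):
        return "keyEncipherment"    # client encrypts the premaster secret
    raise ValueError("suite not covered by this example: " + suite)


def permitted_suites(suites, key_usage_der=None):
    """Keep only suites the certificate's key usage allows.

    key_usage_der=None means the extension is absent, i.e. no restriction.
    """
    if key_usage_der is None:
        return list(suites)
    allowed = parse_key_usage(key_usage_der)
    return [s for s in suites if required_usage(s) in allowed]


# Constructed sample inputs.
SUITES = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
          "TLS_RSA_WITH_AES_128_CBC_SHA"]
KEYENC_CERT = bytes.fromhex("03020520")      # keyEncipherment only
SIGN_AND_KEYENC = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment

if __name__ == "__main__":
    print(permitted_suites(SUITES, KEYENC_CERT))
    print(permitted_suites(SUITES, SIGN_AND_KEYENC))
```

With the keyEncipherment-only value only the plain RSA suite survives, which corresponds to option 1 in the reply; with the signing bit added, as in option 2, all three suites remain.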