[Help-gnutls] Re: Key usage violation in certificate

Roland Winkler Roland.Winkler at physik.uni-erlangen.de
Mon Jun 1 17:46:37 CEST 2009


On Mon Jun 1 2009 Simon Josefsson wrote:
> Yes.  They can choose between:
> 
> 1) Disable DHE ciphersuite, because their certificate doesn't permit
> those.
> 
> 2) Re-generate the certificate and add the sign key usage, which allows
> use of the certificate together with DHE.
> 
> > Is it a part of the communication protocol between server and client
> > that the server should tell the client the allowed usage of its
> > certificate? I mean, the server knows the allowed usage of its
> > certificate. So I would guess that in an ideal world (that we don't
> > have...) no extra configuration of the server was necessary.
> 
> Right.  The server software could also detect that the certificate does
> not support signing, and then disable all DHE/EXPORT ciphersuites.


Thanks for the clarifications!

Roland
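
An added sketch, not part of the thread and not GnuTLS code, of the server-side check suggested in the quoted reply: decode the certificate's KeyUsage bits and drop DHE/EXPORT ciphersuites when the signing bit is absent. The function names, the suite list and the DER samples are constructed for illustration; treating plain RSA suites as needing keyEncipherment is an assumption beyond what the thread states.

```python
# KeyUsage bit numbers from RFC 5280; bit 0 is the most significant bit
# of the first content byte of the BIT STRING.
DIGITAL_SIGNATURE = 0
KEY_ENCIPHERMENT = 2

def parse_key_usage(der):
    """Decode a DER BIT STRING (the KeyUsage extension value) into a set of bit numbers."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    total = len(payload) * 8 - unused
    return {i for i in range(total) if payload[i // 8] & (0x80 >> (i % 8))}

def required_bit(suite):
    """DHE and EXPORT suites make the server sign parameters with its key;
    plain RSA key exchange has the client encrypt to the server key (assumption)."""
    if "_DHE_" in suite or "_EXPORT_" in suite:
        return DIGITAL_SIGNATURE
    return KEY_ENCIPHERMENT

def allowed_suites(suites, usage):
    """Keep only suites the certificate's key usage permits.
    usage=None models a certificate without the extension: no restriction."""
    if usage is None:
        return list(suites)
    return [s for s in suites if required_bit(s) in usage]

# Constructed sample data (hypothetical server configuration).
SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]
KEY_ENC_ONLY = bytes.fromhex("03020520")   # keyEncipherment only
SIGN_AND_ENC = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment

if __name__ == "__main__":
    for label, der in (("enc-only", KEY_ENC_ONLY), ("sign+enc", SIGN_AND_ENC)):
        print(label, allowed_suites(SUITES, parse_key_usage(der)))
```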