[Help-gnutls] Re: Key usage violation in certificate

Simon Josefsson simon at josefsson.org
Mon Jun 1 11:18:07 CEST 2009

"Roland Winkler" <Roland.Winkler at physik.uni-erlangen.de> writes:

>> By misconfiguration however the server allows you to connect with
>> a ciphersuite that violates this usage and that's why gnutls-cli
>> fails to connect.
> Is this a misconfiguration of the server that its sysadmins can fix?

Yes.  They can chose between:

1) Disable DHE ciphersuite, because their certificate doesn't permit

2) Re-generate the certificate and add the sign key usage, which allows
use of the certificate together with DHE.

> Is it a part of the communication protocol between server and client
> that the server should tell the client the allowed usage of its
> certificate? I mean, the server knows the allowed usage of its
> certificate. So I would guess that in an ideal world (that we don't
> have...) no extra configuration of the server was necessary.

Right.  The server software could also detect that the certificate does
not support signing, and then disable all DHE/EXPORT ciphersuites.


More information about the Gnutls-help mailing list