[Help-gnutls] Re: Key usage violation in certificate
Roland Winkler
Roland.Winkler at physik.uni-erlangen.de
Mon Jun 1 17:46:37 CEST 2009
On Mon Jun 1 2009 Simon Josefsson wrote:
> Yes. They can choose between:
>
> 1) Disable DHE ciphersuite, because their certificate doesn't permit
> those.
>
> 2) Re-generate the certificate and add the sign key usage, which allows
> use of the certificate together with DHE.
>
> > Is it a part of the communication protocol between server and client
> > that the server should tell the client the allowed usage of its
> > certificate? I mean, the server knows the allowed usage of its
> > certificate. So I would guess that in an ideal world (that we don't
> > have...) no extra configuration of the server was necessary.
>
> Right. The server software could also detect that the certificate does
> not support signing, and then disable all DHE/EXPORT ciphersuites.
Thanks for the clarifications!
Roland
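
The server-side check suggested in the quoted reply, sketched as an added example (not part of the original thread and not GnuTLS code). It assumes RSA-certificate suites only, that an absent keyUsage extension means no restriction, and that plain RSA key exchange needs keyEncipherment (from the TLS specification, not stated in the thread); the function names and sample bytes are constructed for illustration.

```python
# Added example, not GnuTLS code. Bit numbers follow the X.509 KeyUsage extension.
DIGITAL_SIGNATURE = 0   # the "sign" key usage discussed in the thread
KEY_ENCIPHERMENT = 2    # assumption: required for plain RSA key exchange


def key_usage_bits(der):
    """Decode a DER BIT STRING (the KeyUsage value) into the set of set bit numbers."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bit count")
    total = len(payload) * 8 - unused
    # Bit 0 is the most significant bit of the first payload byte.
    return {i for i in range(total) if payload[i // 8] & (0x80 >> (i % 8))}


def allowed_suites(suites, key_usage_der):
    """Keep only the suites the certificate's key usage permits.

    key_usage_der is None when the certificate has no keyUsage extension.
    """
    if key_usage_der is None:
        return list(suites)
    bits = key_usage_bits(key_usage_der)
    kept = []
    for name in suites:
        # Per the thread: DHE and EXPORT suites need the signing key usage.
        needs_sign = "_DHE_" in name or "_EXPORT_" in name
        needed = DIGITAL_SIGNATURE if needs_sign else KEY_ENCIPHERMENT
        if needed in bits:
            kept.append(name)
    return kept


# Constructed sample inputs.
SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]
ENCIPHER_ONLY = bytes.fromhex("03020520")      # keyEncipherment only
SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment

if __name__ == "__main__":
    print(allowed_suites(SUITES, ENCIPHER_ONLY))
    print(allowed_suites(SUITES, SIGN_AND_ENCIPHER))
```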