OK. (I wonder how all the big name browsers deal with it.)

>>>>> "DKG" == Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:

DKG> On 10/22/2012 07:08 PM, jida...@jidanni.org wrote:
>> Cannot secure the https (SSL) connection to sso.ncl.edu.tw port 443;
>> [IO(gnutls): Key usage
>> violation in certificate has been detected.].

DKG> I think the "key usage violation" here is that the server wants to
DKG> negotiate only a diffie-hellman cipher suite and the key is marked only
DKG> as legitimate for:

DKG> Key Usage (critical):
DKG> Key encipherment.
DKG> Data encipherment.

DKG> I'm able to connect cleanly if i instruct the client to not try to
DKG> negotiate DHE-RSA cipher suites.

DKG> gnutls-cli --priority NORMAL:-DHE-RSA sso.ncl.edu.tw

DKG> The server administrators should not have their server
DKG> (Apache-Coyote/1.1?) configured to negotiate DHE cipher suites if their
DKG> key is not marked with the keyAgreement flag.

DKG> See:

DKG> https://tools.ietf.org/html/rfc5280#page-31

>>> The keyAgreement bit is asserted when the subject public key is
>>> used for key agreement. For example, when a Diffie-Hellman key is
>>> to be used for key management, then this bit is set.

DKG> So this is a bug in their server configuration (and possibly in the
DKG> non-gnutls clients which continue with the TLS session in the face of an
DKG> invalid certificate for the selected key exchange method, if they choose
DKG> a diffie-hellman ciphersuite), but not a bug in gnutls.

DKG> hth,

DKG> --dkg
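
The check discussed in the thread above, as an added example that is not part of either message and is not GnuTLS code: it decodes a keyUsage BIT STRING and tests it against a key exchange method. Assumptions: the required-bit table is taken from RFC 5246 section 7.4.2, the function names are hypothetical, and the DER bytes are constructed to match the "Key Usage" listed in the message.

```python
# RFC 5280 bit order for the keyUsage extension (bit 0 first).
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign",
            "cRLSign", "encipherOnly", "decipherOnly"]

# Key exchange method -> bit the server certificate must assert
# (assumption of this example: TLS 1.2 table, RFC 5246 section 7.4.2).
REQUIRED = {
    "RSA": "keyEncipherment",        # client encrypts the premaster secret
    "DHE_RSA": "digitalSignature",   # server signs its ephemeral DH parameters
    "ECDHE_RSA": "digitalSignature",
    "DH_RSA": "keyAgreement",        # static DH key carried in the certificate
}

def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING that forms the keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    usage = set()
    for i in range(min(nbits, len(KU_NAMES))):
        if body[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB of byte 0
            usage.add(KU_NAMES[i])
    return usage

def check_key_usage(der: bytes, kx: str):
    """Return None if kx is permitted, else a description of the violation."""
    usage = parse_key_usage(der)
    need = REQUIRED[kx]
    if need in usage:
        return None
    return f"key usage violation: {kx} needs {need}, certificate has {sorted(usage)}"

# Constructed sample: keyEncipherment + dataEncipherment only (bits 2 and 3).
SAMPLE_KU = bytes([0x03, 0x02, 0x04, 0x30])

if __name__ == "__main__":
    for kx in ("RSA", "DHE_RSA", "DH_RSA"):
        print(kx, "->", check_key_usage(SAMPLE_KU, kx) or "ok")
```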