Control: fixed -1 libvirt/11.6.0-1 On Mon, Aug 11, 2025 at 08:31:50AM +0000, Karel Van Hecke wrote: > Package: libvirt-daemon > Version: 11.3.0-3 > > Libvirt currently enforces the Key Encipherment certificate extension to be > present in configured TLS certificates. > This goes against the specification that ECDSA certificates should never > contain the Key Encipherment extension. > > Dropping the requirement altogether is the better option, as it is no longer > a requirement with modern ciphers. > > Upstream references: > > This requirement was dropped for ECDSA certificates in 11.5.0: > https://gitlab.com/libvirt/libvirt/-/commit/11867b0224a2b8dc34755ff0ace446b6842df1c1 > > The requirement was dropped altogether in 11.6.0: > https://gitlab.com/libvirt/libvirt/-/commit/8cecd3249e5fa5478a7c53567971b4d969274ea3 > > Tests were corrected in: > https://gitlab.com/libvirt/libvirt/-/commit/e67952b0e612c9ad3c3eec8bb692589602953ee8
Thank you for reporting this issue upstream and tracking it. Should be a straightforward enough backport to trixie. I'll look into it during one of the upcoming weekends. -- Andrea Bolognani <[email protected]> Resistance is futile, you will be garbage collected.
signature.asc
Description: PGP signature
