bug-gnu-emacs

From: Ted Zlatanov
Subject: bug#9017: 24.0.50; gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate has been detected.
Date: Wed, 25 Jan 2012 16:32:52 -0600
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.92 (gnu/linux)

On Wed, 25 Jan 2012 20:39:56 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate
>> has been detected.
>> 
>> we should at least tell the user "hey, maybe 
>> 
>> (setq gnutls-algorithm-priority "normal:-dhe-rsa")
>> 
>> would work for you.  Do you want to try it?"
>> 
>> I don't think it should be tried automatically.  That's convenient but
>> insecure.  The priority string above basically disables security.

LI> Oh, I thought it just disabled the dhe-rsa-algorithm?  Which would then
LI> allow gnutls to fall back on different algos?

From Nikos' reply recommending -dhe-rsa:

"This certificate restricts its usage to key encipherment. For TLS this
is restricted to only the RSA key exchange. By misconfiguration however
the server allows you to connect with a ciphersuite that violates this
usage and that's why gnutls-cli fails to connect."

I may be misunderstanding the intent, but I thought globally you're
saying you'll allow restricted certificates.  I'm not sure that's ideal
and I think it is insecure, but I'm not so sure anymore after thinking
about it more carefully.

Either way it seems that `gnutls-algorithm-priority' will have to be one
of those string-or-alist-or-function variables, so you can disable
security altogether for specific hosts that need it.  I can add that
support if you think it's reasonable.

Ted
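As an added illustration of the string-or-alist-or-function shape proposed in the message above (this is not code from the thread, from Emacs's gnutls.el, or from any of the participants): a hypothetical resolver that keeps the default priority string for every host and only relaxes it for hosts listed explicitly. The names `my-gnutls-priority' and `my-gnutls-priority-for-host' and the host `legacy.example.com' are assumptions made up for the example; the real `gnutls-algorithm-priority' variable is not touched.

```elisp
;; Added example, not from the thread or from Emacs: resolve a per-host
;; GnuTLS priority string from a variable that may hold a plain string,
;; an alist of (HOST-REGEXP . STRING), or a function of the host name.
;; `my-gnutls-priority' and `my-gnutls-priority-for-host' are hypothetical.

(defvar my-gnutls-priority "NORMAL"
  "GnuTLS priority specification.
Either a priority string used for every host, an alist whose keys are
regexps matched against the host name and whose values are priority
strings, or a function of one argument (the host) returning a string.
Hosts matched by no alist entry keep the secure default \"NORMAL\".")

(defun my-gnutls-priority-for-host (host)
  "Return the GnuTLS priority string to use when connecting to HOST.
A string value of `my-gnutls-priority' is returned as-is.  For an alist,
`assoc-default' calls `string-match-p' with each key (a regexp) and HOST,
and the first match wins; an unmatched HOST falls back to \"NORMAL\".
A function value is called with HOST and must return a string."
  (let ((spec my-gnutls-priority))
    (cond
     ((stringp spec) spec)
     ((functionp spec) (funcall spec host))
     ((listp spec)
      (or (assoc-default host spec #'string-match-p) "NORMAL"))
     (t (error "Unsupported gnutls priority spec: %S" spec)))))

;; Only the one host whose certificate is restricted to key encipherment
;; (and therefore to the RSA key exchange) gets the relaxed string from
;; the thread; every other host keeps the default.  The host name is a
;; constructed placeholder.
(setq my-gnutls-priority
      '(("\\`legacy\\.example\\.com\\'" . "normal:-dhe-rsa")))

(my-gnutls-priority-for-host "legacy.example.com")
(my-gnutls-priority-for-host "imap.example.net")
```

Anchoring the regexp with \` and \' matters: an unanchored "example.com" would also relax the priority for "example.com.attacker.invalid", which is exactly the kind of silent widening the message above argues against. A function value can implement any policy the alist cannot express (for instance consulting a cache keyed on the host's certificate), but it should still return the default string unless it has a positive reason not to.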