bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#9017: 24.0.50; gnutls.c: [0] (Emacs) fatal error: Key usage violatio


From: Ted Zlatanov
Subject: bug#9017: 24.0.50; gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate has been detected.
Date: Wed, 25 Jan 2012 16:32:52 -0600
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.92 (gnu/linux)

On Wed, 25 Jan 2012 20:39:56 +0100 Lars Ingebrigtsen <address@hidden> wrote: 

LI> Ted Zlatanov <address@hidden> writes:
>> gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate
>> has been detected.
>> 
>> we should at least tell the user "hey, maybe 
>> 
>> (setq gnutls-algorithm-priority "normal:-dhe-rsa"
>> 
>> would work for you.  Do you want to try it?"
>> 
>> I don't think it should be tried automatically.  That's convenient but
>> insecure.  The priority string above basically disables security.

LI> Oh, I thought it just disabled the dhe-rsa-algorithm?  Which would then
LI> allow gnutls to fall back on different algos?

>From Nikos' reply recommending -dhe-rsa:

"This certificate restricts its usage to key encipherment. For TLS this
is restricted to only the RSA key exchange. By misconfiguration however
the server allows you to connect with a ciphersuite that violates this
usage and that's why gnutls-cli fails to connect."

I may be misunderstanding the intent, but I thought globally you're
saying you'll allow restricted certificates.  I'm not sure that's ideal
and I think it is insecure, but I'm not so sure anymore after thinking
about it more carefully.

Either way it seems that `gnutls-algorithm-priority' will have to be one
of those string-or-alist-or-function variables, so you can disable
security altogether for specific hosts that need it.  I can add that
support if you think it's reasonable.

Ted





reply via email to

[Prev in Thread] Current Thread [Next in Thread]