[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#9017: 24.0.50; gnutls.c: [0] (Emacs) fatal error: Key usage violatio
From: |
Lars Ingebrigtsen |
Subject: |
bug#9017: 24.0.50; gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate has been detected. |
Date: |
Wed, 25 Jan 2012 23:35:35 +0100 |
User-agent: |
Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.92 (gnu/linux) |
Ted Zlatanov <tzz@lifelogs.com> writes:
> "This certificate restricts its usage to key encipherment. For TLS this
> is restricted to only the RSA key exchange. By misconfiguration however
> the server allows you to connect with a ciphersuite that violates this
> usage and that's why gnutls-cli fails to connect."
I'm afraid I don't understand what this is saying at all. :-)
> I may be misunderstanding the intent, but I thought globally you're
> saying you'll allow restricted certificates. I'm not sure that's ideal
> and I think it is insecure, but I'm not so sure anymore after thinking
> about it more carefully.
>
> Either way it seems that `gnutls-algorithm-priority' will have to be one
> of those string-or-alist-or-function variables, so you can disable
> security altogether for specific hosts that need it. I can add that
> support if you think it's reasonable.
I think the nice way to handle this would be to prompt the user here.
With something like "The server provides buggy dhe-rsa credentials;
connect anyway?" or something, which would result in "-dhe-rsa" being
added to the variable.
But as you point out, it should be on a per-host basis, probably...
--
(domestic pets only, the antidote for overdose, milk.)
http://lars.ingebrigtsen.no * Sent from my Rome