On Tue, Jul 01, 2025 at 10:59:06AM +0200, Peter Krempa wrote:
On Tue, Jul 01, 2025 at 09:49:57 +0100, Daniel P. Berrangé wrote:
> On Mon, Jun 30, 2025 at 07:25:05PM +0200, Peter Krempa via Devel wrote:
> > From: Peter Krempa <pkrempa(a)redhat.com>
> >
> > Key encipherment is required only for RSA key exchange algorithm. With
> > TLS 1.3 this is not even used as RSA is used only for authentication.
> >
> > Since we can't really check when it's required ahead of time drop the
> > check completely. GnuTLS will moan if it will not be able to use RSA
> > key exchange.
>
> GNUTLS only reports problems at runtime, while the libvirt code is
> used at system startup. This greatly improves the debuggability of
> sysadmin config screwups, so we don't really want to delegate to
> GNUTLS for this.
>
> > In commit 11867b0224a2 I tried to relax the check for some eliptic
> > curve algorithm that explicitly forbid it. Based on the above the proper
> > solution is to completely remove it.
>
> We need to invert the check - instead of excluding just ECDSA, we
> need to include only DSA and GHOST algorithms.
Originally I did the same but then I read (and verified; see my
followup) that with TLS 1.3 the RSA key exchange algorithm isn't even
used so keyEncipherment capability isn't even needed.
Ok, yeah, I've found that now too.
If we're removing this entirely from the impl, we should also update
the docs/kbase/tlscerts.rst.
IIRC, we need to remove the 'encryption_key' flag to stop gnutls
adding 'key encipherment' to DSA certs.
If you thing it's important to stay compatible in the pre-check
also
with older protocols then I can keep it but to me it didn't make too
much sense.
Yeah, TLS 1.3 is effectively the baseline for libvirt unless talking to
very old systems, as gnutls will preferentially negotiate it, we only
need care about libvirt clients.
With regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|