Re: [PATCH] tls: Don't require 'keyEncipherment' to be enabled altoghther
On Mon, Jun 30, 2025 at 19:25:05 +0200, Peter Krempa wrote:
From: Peter Krempa <pkrempa(a)redhat.com>
Key encipherment is required only for RSA key exchange algorithm. With
TLS 1.3 this is not even used as RSA is used only for authentication.
Since we can't really check when it's required ahead of time drop the
check completely. GnuTLS will moan if it will not be able to use RSA
key exchange.
In commit 11867b0224a2 I tried to relax the check for some eliptic
curve algorithm that explicitly forbid it. Based on the above the proper
solution is to completely remove it.
Resolves: https://issues.redhat.com/browse/RHEL-100711
Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
I've tested this by creating a client certificate with following info:
organization = test
cn = HOST
tls_www_server
signing_key
(thus missing 'encryption_key' field)
Attempting to use currently relased libvirt results in:
$ virsh -c qemu+tls://speedmetal/system list
error: failed to connect to the hypervisor
error: Certificate /etc/pki/libvirt/clientcert.pem usage does not permit key
encipherment
Whereas with patched libvirt:
$ ./build/libvirt/gcc/tools/virsh -c qemu+tls://speedmetal/system list
Id Name State
----------------------
1 ha running