Re: [PATCH] tls: Don't require 'keyEncipherment' to be enabled altoghther

On Tue, Jul 01, 2025 at 10:59:06AM +0200, Peter Krempa wrote: > On Tue, Jul 01, 2025 at 09:49:57 +0100, Daniel P. Berrangé wrote: > > On Mon, Jun 30, 2025 at 07:25:05PM +0200, Peter Krempa via Devel wrote: > > > From: Peter Krempa <pkrempa(a)redhat.com&gt; > > > > > > Key encipherment is required only for RSA key exchange algorithm. With > > > TLS 1.3 this is not even used as RSA is used only for authentication. > > > > > > Since we can't really check when it's required ahead of time drop the > > > check completely. GnuTLS will moan if it will not be able to use RSA > > > key exchange. > > > > GNUTLS only reports problems at runtime, while the libvirt code is > > used at system startup. This greatly improves the debuggability of > > sysadmin config screwups, so we don't really want to delegate to > > GNUTLS for this. > > > > > In commit 11867b0224a2 I tried to relax the check for some eliptic > > > curve algorithm that explicitly forbid it. Based on the above the proper > > > solution is to completely remove it. > > > > We need to invert the check - instead of excluding just ECDSA, we > > need to include only DSA and GHOST algorithms. > > Originally I did the same but then I read (and verified; see my > followup) that with TLS 1.3 the RSA key exchange algorithm isn't even > used so keyEncipherment capability isn't even needed. Ok, yeah, I've found that now too. If we're removing this entirely from the impl, we should also update the docs/kbase/tlscerts.rst. IIRC, we need to remove the 'encryption_key' flag to stop gnutls adding 'key encipherment' to DSA certs.

> If you thing it's important to stay compatible in the pre-check also > with older protocols then I can keep it but to me it didn't make too > much sense. Yeah, TLS 1.3 is effectively the baseline for libvirt unless talking to very old systems, as gnutls will preferentially negotiate it, we only need care about libvirt clients.