On Mon, Jun 30, 2025 at 07:25:05PM +0200, Peter Krempa via Devel wrote:
> From: Peter Krempa <pkrempa(a)redhat.com>
>
> Key encipherment is required only for the RSA key exchange algorithm. With
> TLS 1.3 this is not even used as RSA is used only for authentication.
> Since we can't really check when it's required ahead of time drop the
> check completely. GnuTLS will moan if it is not able to use RSA
> key exchange.
GNUTLS only reports problems at runtime, while the libvirt code is
used at system startup. This greatly improves the debuggability of
sysadmin config screwups, so we don't really want to delegate to
GNUTLS for this.
> In commit 11867b0224a2 I tried to relax the check for some elliptic
> curve algorithm that explicitly forbids it. Based on the above the proper
> solution is to completely remove it.
We need to invert the check - instead of excluding just ECDSA, we
need to include only DSA and GOST algorithms.
With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
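An added example, not libvirt's code and not part of this thread, of the kind of startup-time key-usage check the reply argues for, done against a PEM certificate with the openssl CLI instead of GnuTLS: it requires digitalSignature for every end-entity certificate and keyEncipherment only when the public key is RSA, following the commit message's point that the bit serves only the RSA key exchange. The helper names, the temporary test certificates, the choice of RSA as the sole algorithm that needs keyEncipherment, and the decision to accept a certificate with no keyUsage extension as unconstrained are all assumptions of this example; it needs an openssl that supports -addext (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not libvirt code: emulate a startup-time key-usage check on a
# PEM certificate with the openssl CLI, requiring keyEncipherment only for RSA
# keys (the only case where the bit matters: RSA key exchange). Assumptions:
# openssl >= 1.1.1 (-addext), and a certificate with no keyUsage extension is
# accepted as unconstrained (RFC 5280 semantics for an absent extension).
set -eu

# Create a self-signed test certificate (constructed test input, not a real
# deployment cert): $1 = output dir, $2 = name, $3 = key spec ("rsa:2048" or
# "ec"), $4 = comma-separated keyUsage values.
make_test_cert() {
    dir=$1; name=$2; keyspec=$3; ku=$4
    if [ "$keyspec" = ec ]; then
        set -- -newkey ec -pkeyopt ec_paramgen_curve:P-256
    else
        set -- -newkey "$keyspec"
    fi
    openssl req -x509 -nodes "$@" -subj "/CN=$name" -days 1 \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" \
        -addext "keyUsage=critical,$ku" 2>/dev/null
}

# Print the public key algorithm as openssl names it in -text output,
# e.g. "rsaEncryption" or "id-ecPublicKey".
cert_pk_algo() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Print the decoded keyUsage line (empty when the extension is absent).
cert_key_usage() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Key Usage/{n;p;}'
}

# Return 0 if the certificate's keyUsage is acceptable for a TLS end-entity
# (client or server) certificate, 1 with a diagnostic on stderr otherwise.
check_cert_key_usage() {
    cert=$1
    algo=$(cert_pk_algo "$cert")
    usage=$(cert_key_usage "$cert")

    # No keyUsage extension: nothing to enforce (assumption, see above).
    [ -n "$usage" ] || return 0

    case "$usage" in
        *"Digital Signature"*) ;;
        *) echo "$cert: keyUsage lacks digitalSignature" >&2; return 1 ;;
    esac

    # keyEncipherment only serves the RSA key exchange (TLS 1.2 and earlier);
    # other key types never use it, so the check is applied to RSA only.
    case "$algo" in
        rsaEncryption)
            case "$usage" in
                *"Key Encipherment"*) ;;
                *) echo "$cert: RSA key usage lacks keyEncipherment" >&2; return 1 ;;
            esac
            ;;
    esac
    return 0
}

# Demo on three constructed certificates; the temp dir is removed on exit.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_test_cert "$tmp" rsa-good rsa:2048 "digitalSignature,keyEncipherment"
make_test_cert "$tmp" rsa-bad  rsa:2048 "digitalSignature"
make_test_cert "$tmp" ec-good  ec       "digitalSignature"

for name in rsa-good rsa-bad ec-good; do
    if check_cert_key_usage "$tmp/$name.pem"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

Running it against /etc/pki/libvirt/servercert.pem (or the client cert) shows in one line why a daemon refusing to start at boot would have rejected the certificate, which is the diagnostic value the reply describes; the RSA-only condition is the place to extend if a deployment needs a different set of algorithms.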