On Tue, Jul 01, 2025 at 11:38:37AM +0100, Daniel P. Berrangé via Devel wrote:
> On Tue, Jul 01, 2025 at 10:59:06AM +0200, Peter Krempa wrote:
> > On Tue, Jul 01, 2025 at 09:49:57 +0100, Daniel P. Berrangé wrote:
> > > On Mon, Jun 30, 2025 at 07:25:05PM +0200, Peter Krempa via Devel wrote:
> > > > From: Peter Krempa <pkre...@redhat.com>
> > > >
> > > > Key encipherment is required only for the RSA key exchange algorithm. With
> > > > TLS 1.3 this is not even used as RSA is used only for authentication.
> > > >
> > > > Since we can't really check when it's required ahead of time, drop the
> > > > check completely. GnuTLS will moan if it is not able to use RSA
> > > > key exchange.
> > >
> > > GNUTLS only reports problems at runtime, while the libvirt code is
> > > used at system startup. This greatly improves the debuggability of
> > > sysadmin config screwups, so we don't really want to delegate to
> > > GNUTLS for this.
> > >
> > > > In commit 11867b0224a2 I tried to relax the check for some elliptic
> > > > curve algorithms that explicitly forbid it. Based on the above the proper
> > > > solution is to completely remove it.
> > >
> > > We need to invert the check - instead of excluding just ECDSA, we
> > > need to include only DSA and GOST algorithms.
> >
> > Originally I did the same but then I read (and verified; see my
> > followup) that with TLS 1.3 the RSA key exchange algorithm isn't even
> > used so keyEncipherment capability isn't even needed.
>
> Ok, yeah, I've found that now too.
>
> If we're removing this entirely from the impl, we should also update
> the docs/kbase/tlscerts.rst.
>
> IIRC, we need to remove the 'encryption_key' flag to stop gnutls
> adding 'key encipherment' to DSA certs.

Also our test suite uses GNUTLS_KEY_KEY_ENCIPHERMENT when creating test certs and so that can go.

With regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
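The thread turns on one fact about X.509 key usage: keyEncipherment only matters for the RSA key-exchange ciphersuites of TLS 1.2 and earlier, TLS 1.3 never uses it, and RFC 5480 forbids it outright on EC keys. The following is an added illustration, not libvirt code and not part of the thread: a startup-style inspection (in the spirit of the check Daniel wants to keep for debuggability) that reads a certificate's public-key algorithm and keyUsage bits and reports the mismatches instead of rejecting the certificate. It uses the Python `cryptography` library; the function names `inspect_key_usage` and `make_self_signed`, the `KeyUsageReport` type, and the self-signed test certificates it generates are all constructed for this example.

```python
"""Report keyUsage/algorithm mismatches in an X.509 certificate (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID


@dataclass
class KeyUsageReport:
    key_algorithm: str          # "RSA", "EC" or the class name of another key type
    has_key_usage: bool         # False when the certificate carries no keyUsage extension
    key_encipherment: bool
    digital_signature: bool
    findings: list = field(default_factory=list)   # human-readable observations


def inspect_key_usage(cert: x509.Certificate) -> KeyUsageReport:
    """Compare the keyUsage bits with what the public-key algorithm can use."""
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        algo = "RSA"
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        algo = "EC"
    else:
        algo = type(pub).__name__

    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        # Absent keyUsage means no restriction: nothing to flag.
        return KeyUsageReport(algo, False, False, False,
                              ["no keyUsage extension present; all usages permitted"])

    findings = []
    if algo == "EC" and ku.key_encipherment:
        # RFC 5480 section 3: keyEncipherment MUST NOT be set for id-ecPublicKey.
        findings.append("keyEncipherment set on an EC key (forbidden by RFC 5480)")
    if algo == "RSA" and not ku.key_encipherment:
        # Only the RSA key-exchange ciphersuites (TLS <= 1.2) need this bit;
        # TLS 1.3 uses RSA for authentication only, so this is informational.
        findings.append("RSA key without keyEncipherment: RSA key exchange "
                        "(TLS 1.2 and earlier) unavailable; TLS 1.3 unaffected")
    if not ku.digital_signature:
        # Signature-based key exchange (ECDHE/DHE and all of TLS 1.3) needs this.
        findings.append("digitalSignature not set: certificate cannot authenticate "
                        "a (EC)DHE or TLS 1.3 handshake")
    return KeyUsageReport(algo, True, ku.key_encipherment, ku.digital_signature, findings)


def make_self_signed(key, key_encipherment: bool) -> x509.Certificate:
    """Constructed test certificate: self-signed, one-day validity, chosen keyUsage."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.now(timezone.utc)
    usage = x509.KeyUsage(
        digital_signature=True, content_commitment=False,
        key_encipherment=key_encipherment, data_encipherment=False,
        key_agreement=False, key_cert_sign=False, crl_sign=False,
        encipher_only=False, decipher_only=False)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + timedelta(days=1))
               .add_extension(usage, critical=True))
    return builder.sign(key, hashes.SHA256())


def demo() -> dict:
    """Run the inspection over three constructed certificates."""
    rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ec_key = ec.generate_private_key(ec.SECP256R1())
    return {
        "rsa_with_ke": inspect_key_usage(make_self_signed(rsa_key, True)),
        "ec_with_ke": inspect_key_usage(make_self_signed(ec_key, True)),
        "ec_without_ke": inspect_key_usage(make_self_signed(ec_key, False)),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report.key_algorithm, report.findings or "ok")
```

Running `demo()` shows the two cases the thread is about: an EC certificate carrying keyEncipherment is the one that a strict validator rejects, while an RSA certificate without it only loses legacy RSA key exchange. A check like this reports at daemon start rather than at the first handshake, which is the debuggability argument made above, without refusing certificates that TLS 1.3 would accept.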