"Roland Winkler" <[email protected]> writes:

>> By misconfiguration however the server allows you to connect with
>> a ciphersuite that violates this usage and that's why gnutls-cli
>> fails to connect.
>
> Is this a misconfiguration of the server that its sysadmins can fix?

Yes.  They can choose between:

1) Disable DHE ciphersuite, because their certificate doesn't permit
   those.

2) Re-generate the certificate and add the sign key usage, which allows
   use of the certificate together with DHE.

> Is it a part of the communication protocol between server and client
> that the server should tell the client the allowed usage of its
> certificate? I mean, the server knows the allowed usage of its
> certificate. So I would guess that in an ideal world (that we don't
> have...) no extra configuration of the server was necessary.

Right.  The server software could also detect that the certificate does
not support signing, and then disable all DHE/EXPORT ciphersuites.

/Simon
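
The server-side check suggested at the end of the message, as an added example (not code from GnuTLS or from this thread): decode the certificate's keyUsage BIT STRING and keep only the ciphersuites whose key exchange it permits. The `REQUIRED` table, the function names and the sample DER values are constructed assumptions; the suite names are IANA names.

```python
# Added example: the table and sample values below are constructed for illustration.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]  # RFC 5280 bit order

# Key usage the server certificate needs for each key exchange.
REQUIRED = {
    "RSA": "keyEncipherment",              # client encrypts the premaster secret
    "DHE_RSA": "digitalSignature",         # server signs its ephemeral DH parameters
    "RSA_EXPORT": "digitalSignature",      # server signs a temporary RSA key
    "DHE_RSA_EXPORT": "digitalSignature",
}

def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING value of an X.509 keyUsage extension."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    nbits = len(payload) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS[:nbits]):
        if payload[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the most significant bit
            usages.add(name)
    return usages

def permitted_suites(usages, suites):
    """Keep suites whose key exchange the key usage permits.
    usages=None means no keyUsage extension, i.e. no restriction.
    Suites with a key exchange missing from REQUIRED are dropped."""
    kept = []
    for name in suites:
        kx = name[len("TLS_"):].split("_WITH_")[0]
        need = REQUIRED.get(kx)
        if need and (usages is None or need in usages):
            kept.append(name)
    return kept

SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
ENC_ONLY = bytes.fromhex("03020520")      # constructed: keyEncipherment only
SIGN_AND_ENC = bytes.fromhex("030205a0")  # constructed: digitalSignature + keyEncipherment

if __name__ == "__main__":
    print(permitted_suites(parse_key_usage(ENC_ONLY), SUITES))
    print(permitted_suites(parse_key_usage(SIGN_AND_ENC), SUITES))
```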
