On Mon Jun 1 2009 Simon Josefsson wrote:
> Yes. They can choose between:
>
> 1) Disable DHE ciphersuite, because their certificate doesn't permit
> those.
>
> 2) Re-generate the certificate and add the sign key usage, which allows
> use of the certificate together with DHE.
>
> > Is it a part of the communication protocol between server and client
> > that the server should tell the client the allowed usage of its
> > certificate? I mean, the server knows the allowed usage of its
> > certificate. So I would guess that in an ideal world (that we don't
> > have...) no extra configuration of the server was necessary.
>
> Right. The server software could also detect that the certificate does
> not support signing, and then disable all DHE/EXPORT ciphersuites.
Thanks for the clarifications!

Roland
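The check described in the quoted reply, where server software reads the certificate's key usage and drops DHE/EXPORT ciphersuites when signing is not permitted, sketched as an added example (not GnuTLS code and not part of the thread). The helper names, the suite list and the extension bytes are constructed for illustration, and the sketch assumes RSA certificates, where plain RSA key exchange needs the keyEncipherment bit.

```python
# Added example: hypothetical helpers, constructed inputs.
DIGITAL_SIGNATURE = 0   # keyUsage bit numbers as defined in RFC 5280
KEY_ENCIPHERMENT = 2

def key_usage_bits(ext_value: bytes) -> set:
    """Decode the DER BIT STRING of a keyUsage extension into set bit numbers."""
    if len(ext_value) < 3 or ext_value[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = ext_value[1]
    if length >= 0x80 or length != len(ext_value) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = ext_value[2], ext_value[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("invalid unused-bit count")
    total = len(payload) * 8 - unused
    return {i for i in range(total) if payload[i // 8] & (0x80 >> (i % 8))}

def needs_signing(suite: str) -> bool:
    """DHE and EXPORT suites have the server sign its key exchange parameters."""
    parts = suite.split("_")
    return "DHE" in parts or "EXPORT" in parts

def usable_suites(ext_value, suites):
    """Keep the suites the certificate permits; no keyUsage extension means no restriction."""
    if ext_value is None:
        return list(suites)
    bits = key_usage_bits(ext_value)
    keep = []
    for suite in suites:
        required = DIGITAL_SIGNATURE if needs_signing(suite) else KEY_ENCIPHERMENT
        if required in bits:
            keep.append(suite)
    return keep

# Constructed sample data (not taken from any real server or certificate).
SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]
ENCRYPT_ONLY = bytes.fromhex("03020520")      # keyEncipherment only
SIGN_AND_ENCRYPT = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment

if __name__ == "__main__":
    print("encrypt-only cert:", usable_suites(ENCRYPT_ONLY, SUITES))
    print("sign+encrypt cert:", usable_suites(SIGN_AND_ENCRYPT, SUITES))
```

The encrypt-only certificate corresponds to option 1 in the reply (only the non-DHE suite survives); the second certificate corresponds to option 2, where adding the sign key usage lets every suite stay enabled.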
