Viktor Dukhovni <ietf-d...@dukhovni.org> writes:

> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
> certificate that *only* lists:
>
> X509v3 Key Usage:
> Key Encipherment, Data Encipherment

Yes, because in DHE-RSA, the RSA key is used for signing, and this is an encryption-only key. It's much more important in the DHE-ECDSA case, because using an encryption-only EC key for signing can lead to key compromise (IIRC). As far as I know there's no similar attack on RSA, but I think this is not a well-examined area.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
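The check the reply argues for, written out as an added example (this is not code from the thread or from any TLS implementation): decode the certificate's X.509 KeyUsage BIT STRING per RFC 5280 and compare it against what the negotiated key-exchange family actually does with the certificate key. The mapping table `REQUIRED_USAGE`, the key-exchange labels, and the sample DER values are constructed here for illustration; the value `03 02 04 30` encodes exactly the "Key Encipherment, Data Encipherment" usage from the quoted question.

```python
# Added example: KeyUsage vs. TLS key-exchange policy check.
# Not the thread's code; the policy table and sample values are assumptions.
from typing import FrozenSet, Optional

# RFC 5280 section 4.2.1.3: KeyUsage bit positions.
# Bit 0 is the most significant bit of the first octet of the BIT STRING body.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}

# Constructed sample DER values (tag 03, short length, unused-bits octet, body):
ENC_ONLY_DER = bytes.fromhex("03020430")      # keyEncipherment + dataEncipherment
SIGN_AND_ENC_DER = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
SIGN_ONLY_DER = bytes.fromhex("03020780")     # digitalSignature only


def parse_key_usage(der: bytes) -> FrozenSet[str]:
    """Decode a DER-encoded KeyUsage BIT STRING (tag 0x03) into named usages.

    Only the short-form length is handled, which is all a KeyUsage value needs.
    Malformed input raises ValueError rather than silently yielding an empty set,
    so a broken extension cannot be mistaken for "no restriction".
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length < 1 or len(der) != 2 + length:
        raise ValueError("unsupported or malformed BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    usages = set()
    for name, pos in KEY_USAGE_BITS.items():
        # Bits beyond the encoded length are absent, not zero: skip them.
        if pos < total_bits and body[pos // 8] & (0x80 >> (pos % 8)):
            usages.add(name)
    return frozenset(usages)


# What each TLS key-exchange family does with the certificate's public key.
# Assumed labels; the point is that DHE/ECDHE suites *sign* with the cert key.
REQUIRED_USAGE = {
    "RSA": "keyEncipherment",            # RSA key transport: peer encrypts to the key
    "DHE_RSA": "digitalSignature",       # ephemeral DH params signed with the RSA key
    "ECDHE_RSA": "digitalSignature",
    "ECDHE_ECDSA": "digitalSignature",   # ephemeral ECDH params signed with the EC key
    "ECDH_ECDSA": "keyAgreement",        # static ECDH: the cert key *is* the DH key
}


def certificate_usable_for(key_usage: Optional[FrozenSet[str]], kx: str) -> bool:
    """True if a certificate carrying this KeyUsage may serve key exchange `kx`.

    A certificate with no KeyUsage extension (None) imposes no restriction.
    A client that gets False here should abort the handshake rather than let an
    encryption-only key be used for signing.
    """
    if key_usage is None:
        return True
    return REQUIRED_USAGE[kx] in key_usage


if __name__ == "__main__":
    for label, der in (("enc-only", ENC_ONLY_DER), ("sign+enc", SIGN_AND_ENC_DER)):
        ku = parse_key_usage(der)
        for kx in ("RSA", "DHE_RSA", "ECDHE_ECDSA"):
            verdict = "accept" if certificate_usable_for(ku, kx) else "ABORT"
            print(f"{label:9} {kx:12} -> {verdict}")
```

Run stand-alone, the encryption-only certificate is accepted for plain RSA key transport and rejected for DHE_RSA, which is the outcome the reply recommends; the same table makes the ECDHE_ECDSA case explicit, where the reply notes the risk of using a non-signing EC key for signatures is greater.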