On Mon, 2018-11-05 at 21:24 -0500, Viktor Dukhovni wrote:
> TL;DR: Should a TLS client abort DHE-RSA handshakes with a peer
> certificate that *only* lists:
>
>     X509v3 Key Usage:
>         Key Encipherment, Data Encipherment
>
> (which one might take to mean that only RSA key exchange is allowed,
> and DHE-RSA is not, for lack of the DigitalSignature bit)?
>
> [ In the unlikely case it matters, the certificate in question is
> self-signed, and has a DANE TLSA "3 0 1" record. ]
>
> -- Background:
>
> I am somewhat sympathetic to forbidding RSA key exchange when
> "Key Encipherment" is not listed, in order to reduce the risk of
> Bleichenbacher-type attacks, but it is not obvious at first blush
> why one might the converse restriction...
>
> The reason I ask is that the Haskell TLS library has recently added
> enforcement in both directions, and I am finding some SMTP servers
> with whose STARTTLS implementation my DANE scan engine no longer
> interoperates.
>
> And yet, FWIW, OpenSSL 1.1.1 continues to connect just fine. Is
> this an oversight in OpenSSL? Overly strict enforcement in Haskell's
> Network.TLS?
gnutls has been enforcing that rule for quite some time. That had generated quite a few bug reports from application developers in the past. The main argument was, "but other implementations work". Nevertheless, in the last few years the trend has changed, and I think that strictness is not only tolerated by developers/end-users but actually promoted. That's only my impression though.

regards,
Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
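The rule the thread is discussing can be written down precisely. RFC 5246 section 7.4.2 ties each key-exchange method to a Key Usage bit on the server's RSA certificate: static RSA key exchange needs keyEncipherment (the client encrypts the premaster secret to the key), while DHE-RSA and ECDHE-RSA need digitalSignature (the key signs the ephemeral parameters). RFC 5280 section 4.2.1.3 defines the bit positions and says a certificate with no Key Usage extension carries no restriction. The following is an added example, not code from the thread, from gnutls, OpenSSL or Haskell's Network.TLS: it decodes the DER BIT STRING of a KeyUsage extension and applies that mapping, which is the check a strict implementation makes before continuing a handshake. The two DER byte strings at the bottom are constructed for the example (the first encodes exactly the "Key Encipherment, Data Encipherment" case from the question).

```python
from typing import FrozenSet, Optional

# RFC 5280 4.2.1.3: KeyUsage ::= BIT STRING, bit 0 = digitalSignature, ...
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# RFC 5246 7.4.2: which Key Usage bit a key-exchange method needs on an
# RSA server certificate. Static DH/ECDH keys (DH_RSA, ECDH_RSA) need
# keyAgreement instead and are listed here for completeness.
REQUIRED_BIT = {
    "RSA": "keyEncipherment",
    "DHE-RSA": "digitalSignature",
    "ECDHE-RSA": "digitalSignature",
    "DH-RSA": "keyAgreement",
    "ECDH-RSA": "keyAgreement",
}


def parse_key_usage(der: bytes) -> FrozenSet[str]:
    """Decode the DER BIT STRING value of a KeyUsage extension.

    Layout: tag 0x03, one-byte length, one byte giving the number of
    unused trailing bits, then the bit bytes with bit 0 as the MSB.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length encoding")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)


def key_exchange_permitted(key_usage: Optional[FrozenSet[str]], kx: str) -> bool:
    """True if the certificate's Key Usage allows key exchange method kx.

    key_usage is None when the certificate has no KeyUsage extension,
    which RFC 5280 treats as imposing no restriction at all.
    """
    if kx not in REQUIRED_BIT:
        raise ValueError(f"unknown key exchange method: {kx}")
    if key_usage is None:
        return True
    return REQUIRED_BIT[kx] in key_usage


# Constructed sample extension values (not taken from any real certificate):
# bits 2 and 3 set -> "Key Encipherment, Data Encipherment", as in the question.
KU_ENCIPHER_ONLY = bytes.fromhex("03020430")
# bits 0 and 2 set -> "Digital Signature, Key Encipherment", the usual web-server form.
KU_SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")


def classify(der: bytes) -> dict:
    """Report, for one KeyUsage value, which key exchange methods a strict
    implementation would accept."""
    ku = parse_key_usage(der)
    return {kx: key_exchange_permitted(ku, kx) for kx in REQUIRED_BIT}


if __name__ == "__main__":
    for label, der in (("question's cert", KU_ENCIPHER_ONLY),
                       ("typical cert", KU_SIGN_AND_ENCIPHER)):
        print(label, sorted(parse_key_usage(der)), classify(der))
```

Running it shows the question's certificate passing the RSA check and failing DHE-RSA and ECDHE-RSA, which is exactly the case where a strict client (the gnutls and Network.TLS behaviour described in the thread) aborts while a lenient one continues; the usual digitalSignature + keyEncipherment certificate passes both.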