On 30 August 2011 (III Kal. Sep. MMXI), Jakob Bohm wrote:
> On 8/30/2011 3:29 AM, Dave Thompson wrote:
> >...
> >That sounds like the keyUsage bit dataEncipherment, and OpenSSL CA
> >can set it. But SSL never *does* dataEncipherment using a
> >certificate/key, so this bit should not be needed or make any
> >difference.
> Small correction: SSL/TLS never does dataEncipherment with *client*
> certificates, and always does dataEncipherment with *server*
> certificates (if any).
Correction to the correction: TLS always does dataEncipherment with the
server certificate *if* the key exchange algorithm is RSA.

> So dataEncipherment should be set in the SSL server certificate and
> clear in the SSL client certificate, as is apparently already the case
> here, so that part is OK.

Even if you don't set the dataEncipherment bit in the keyUsage extension,
it works. TLS libraries are tolerant :)

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department, KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tel.: +33 1 55 64 22 07
http://www.keynectis.com
-----
It works better if you plug it in where it should be.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
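Added illustration (example code written for this page, not code from the thread, from OpenSSL or from KEYNECTIS): the script below decodes a KeyUsage extension's DER BIT STRING by hand with the Python standard library only, and checks the bits a certificate asserts against the bit a TLS 1.2 handshake actually exercises for a given role and key exchange. It follows the naming in RFC 5280 section 4.2.1.3 and RFC 5246 section 7.4.2: when the client encrypts the premaster secret to the server's RSA public key, the bit the server certificate must carry (if keyUsage is present at all) is keyEncipherment, the key-transport bit; dataEncipherment, the bit the thread is about, is defined for encrypting user data directly and no TLS key exchange uses it. With (EC)DHE key exchange the server key only signs ServerKeyExchange, and a client key only signs CertificateVerify, so digitalSignature is the relevant bit there. The role and key-exchange labels are this example's own, not an OpenSSL API, and the DER values are constructed for the example (they are the standard DER encodings of the named bit combinations).

```python
"""Decode an X.509 KeyUsage extension and check it against the keyUsage bit a
TLS 1.2 handshake exercises. Standard library only; the sample DER values at
the bottom are constructed for this example."""

# KeyUsage named bits in bit-position order (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)


def parse_key_usage(der: bytes) -> frozenset:
    """Return the set of named bits in a KeyUsage value.

    Accepts either the bare DER BIT STRING (tag 0x03) or the extnValue
    OCTET STRING (tag 0x04) that wraps it inside the certificate's Extension.
    """
    if len(der) >= 2 and der[0] == 0x04:           # unwrap extnValue OCTET STRING
        if der[1] & 0x80 or len(der) != 2 + der[1]:
            raise ValueError("bad OCTET STRING length")
        der = der[2:]
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("KeyUsage value is not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:    # KeyUsage is tiny: short-form length only
        raise ValueError("bad BIT STRING length")
    unused = der[2]                                # padding bits in the last content byte
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero")   # BER sloppiness or smuggled bits
    names = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):       # bit 0 is the MSB of the first byte
            names.add(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return frozenset(names)


def key_usage_is_wellformed(der: bytes) -> bool:
    """True if parse_key_usage() accepts the encoding."""
    try:
        parse_key_usage(der)
        return True
    except ValueError:
        return False


def required_bit(role: str, key_exchange: str) -> str:
    """The keyUsage bit a TLS 1.2 peer's key is exercised with (RFC 5246 section 7.4.2).

    Role and key-exchange labels are this example's own convention.
    """
    if role == "client":
        # A client certificate key only ever signs CertificateVerify.
        return "digitalSignature"
    if role == "server":
        if key_exchange == "RSA":
            # Client encrypts the premaster secret to the server's RSA key: key transport.
            return "keyEncipherment"
        if key_exchange in ("DHE_RSA", "ECDHE_RSA", "ECDHE_ECDSA"):
            # Server key only signs ServerKeyExchange; the ephemeral (EC)DH key does the rest.
            return "digitalSignature"
    raise ValueError(f"unsupported role/key exchange: {role}/{key_exchange}")


def usable_for(key_usage_der: bytes, role: str, key_exchange: str):
    """Strict check returning (ok, reason). A tolerant TLS stack may accept more."""
    asserted = parse_key_usage(key_usage_der)
    need = required_bit(role, key_exchange)
    if need in asserted:
        return True, f"{need} present"
    return False, f"{need} missing; certificate asserts {sorted(asserted)}"


# Constructed sample extension values (standard DER for the named combinations).
SERVER_KU = bytes.fromhex("030205a0")             # digitalSignature + keyEncipherment
CLIENT_KU = bytes.fromhex("03020780")             # digitalSignature only
DATA_ENC_ONLY_KU = bytes.fromhex("03020410")      # dataEncipherment only (the bit in the thread)
WRAPPED_SERVER_KU = bytes.fromhex("0404030205a0")  # SERVER_KU inside its extnValue OCTET STRING

if __name__ == "__main__":
    for label, ku in (("server", SERVER_KU), ("client", CLIENT_KU),
                      ("dataEnc-only", DATA_ENC_ONLY_KU)):
        print(f"{label:13} {sorted(parse_key_usage(ku))}")
    for role, kx in (("server", "RSA"), ("server", "ECDHE_RSA"), ("client", "ECDHE_RSA")):
        print(f"{role}/{kx}:", usable_for(DATA_ENC_ONLY_KU, role, kx))
```

To feed it a real certificate, take the hex of the keyUsage extension value from `openssl asn1parse -in cert.pem -i` (the OCTET STRING following the OID 2.5.29.15) and pass it through `bytes.fromhex()`; `openssl x509 -in cert.pem -noout -text` shows the same bits by name under "X509v3 Key Usage". The strict check deliberately reports a dataEncipherment-only certificate as unusable for every TLS role, which is why setting or clearing that bit makes no difference to a handshake even though, as the reply notes, most TLS libraries would not reject the certificate over it.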