[PATCH] OpenSSL: Accept certificates marked for both server and client use

Greg Hudson ghudson at MIT.EDU
Sat Feb 15 11:27:46 EST 2014

>> This is all about requiring certain key usage values to be included;
>> there’s nothing about requiring other values to be excluded.

> I know. I was referring to a different specification (sorry, cannot
> talk about details yet).

I'm having trouble imagining a valid reason for anyone to try to
respecify X.509 EKU purposes as restrictive via an embargoed document.
http://tools.ietf.org/html/rfc5280#section- makes it clear that
key purposes are permissive, although the presence of an EKU at all is
restrictive (if the application understands what EKUs are or if the
extension is marked critical).

Every web server SSL certificate I can find contains an EKU with
id-kp-clientAuth and id-kp-serverAuth, leading me to believe that CAs
issue certificates with both purposes as a matter of course, and that
this check probably breaks most real-world usage of WPA.
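As an added illustration of the RFC 5280 semantics described above (this is example code, not part of the original message nor hostap's own implementation): a minimal DER decoder for an ExtendedKeyUsage extension value plus a check that treats the listed purposes as permissive, so a certificate carrying both id-kp-serverAuth and id-kp-clientAuth is still accepted for server authentication. The sample EKU bytes are constructed here, and `eku_permits` and `eku_exclusive` are hypothetical names.

```python
"""Decode an X.509 ExtendedKeyUsage value and apply RFC 5280 key-purpose semantics."""

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def _read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value, next_pos); handles short and long lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Convert DER OBJECT IDENTIFIER contents into dotted form (base-128 sub-identifiers)."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current sub-identifier
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(extn_value):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId into dotted OIDs."""
    tag, body, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        tag, oid, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        purposes.append(_decode_oid(oid))
    return purposes


def eku_permits(purposes, required):
    """RFC 5280 reading: no EKU extension (None) permits any purpose; if present, the required
    purpose (or anyExtendedKeyUsage) must be listed, and additional purposes never disqualify."""
    if purposes is None:
        return True
    return required in purposes or ANY_EXTENDED_KEY_USAGE in purposes


def eku_exclusive(purposes, required):
    """The overly strict reading the thread argues against: other purposes must be absent."""
    return purposes == [required]


# Constructed sample: EKU listing serverAuth then clientAuth, as typical CA-issued web server
# certificates do (SEQUENCE of two OBJECT IDENTIFIERs, 20 content bytes).
SAMPLE_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
```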
