Re: [exim-dev] [Bug 443] would like to use user S/MIME certi…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 443] would like to use user S/MIME certificate as sufficient authentication
On Thu, Jun 12, 2014 at 10:05:25PM +0100, Jeremy Harris wrote:

> >Sorry, a bit out of context here, not sure what "they" means, can
> >you state your question in a bit more detail?
>
> keyUsage and extendedKeyUsage fields in certificates.
>
> Does anybody take notice of them?
If the extendedKeyUsage extension is present, and set only to
"emailProtection" (OpenSSL name for id-kp-emailProtection =
1.3.6.1.5.5.7.3.4), then the certificate fails verification as a
TLS client certificate with an OpenSSL server even when the issuing
CA is trusted.

I don't know whether the (non-extended) keyUsage of S/MIME certificates
can impinge on their ability to be used for TLS client auth.

IIRC with TLS server certificates, if keyUsage is present and does
not include keyAgreement, ECDSA and ECDHE ciphersuites may be
disabled.

-- 
    Viktor.
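The behaviour Viktor describes (a trusted-CA certificate whose extendedKeyUsage is only emailProtection is still rejected when the server verifies it for the TLS client purpose) can be reproduced without OpenSSL. The following is an added example, not part of the list message or of Exim: it uses Go's standard crypto/x509 package, which applies the same purpose check when `KeyUsages` is set in `VerifyOptions`. The CA name, the leaf subject and the in-memory issuance are constructed for the demonstration. The OpenSSL-side equivalent of the check is `openssl verify -purpose sslclient`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway CA and signs one leaf certificate carrying the given
// extended key usages. Everything is constructed in memory for the demo;
// "Constructed Test CA" and "user@example.invalid" are made-up names.
func issue(ekus []x509.ExtKeyUsage) (*x509.Certificate, *x509.CertPool, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "user@example.invalid"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus, // the extension under discussion in the thread
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

// acceptedFor reports whether leaf chains to a trusted root AND its EKU permits
// the requested purpose. A TLS server asks for ExtKeyUsageClientAuth here, so a
// certificate restricted to emailProtection fails even though the CA is trusted.
func acceptedFor(leaf *x509.Certificate, roots *x509.CertPool, purpose x509.ExtKeyUsage) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{purpose},
	})
	return err == nil
}

func main() {
	smimeOnly, roots, err := issue([]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection})
	if err != nil {
		panic(err)
	}
	fmt.Println("emailProtection-only cert, S/MIME purpose:    ",
		acceptedFor(smimeOnly, roots, x509.ExtKeyUsageEmailProtection))
	fmt.Println("emailProtection-only cert, TLS client purpose:",
		acceptedFor(smimeOnly, roots, x509.ExtKeyUsageClientAuth))

	both, roots2, err := issue([]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}
	fmt.Println("emailProtection+clientAuth cert, TLS client purpose:",
		acceptedFor(both, roots2, x509.ExtKeyUsageClientAuth))
}
```

The second issuance shows the practical consequence for a deployment that wants to accept user certificates for SMTP AUTH over TLS: the certificates must carry id-kp-clientAuth (alone or alongside emailProtection), or omit extendedKeyUsage entirely, or the server's chain verification will reject them regardless of CA trust.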