[openssl-users] Extended key usage keyAgreement bit in certificate

John Foley foleyj at cisco.com
Wed Jul 22 12:47:18 UTC 2015

The following commit changed the behavior of checking the extended key
usage bits in a server certificate when using X509_PURPOSE_SSL_SERVER:


This commit was put into 1.0.2 on April 6, 2012.  Therefore, 1.0.1 and
1.0.2 behave differently in this regard.  When using 1.0.2, the server
certificate needs to include the keyAgreement bit.  Otherwise the client
will reject the server certificate when checking the purpose.

Does this behavior in 1.0.2 comply with RFC 5246?  Reading section 7.4.2
on pages 47/48, the server certificate should include the keyAgreement
bit when using DH key exchange cipher suites.  The wording on page 48 is: 

      DH_DSS             Diffie-Hellman public key; the keyAgreement bit
      DH_RSA             MUST be set if the key usage extension is

Given there's no other mention of using the keyAgreement bit in RFC
5246, does this imply the keyAgreement bit doesn't need to be set when
not using a DH cipher suite?  Given the commit noted above will always
check the keyAgreement bit, and the logic in v3_purp.c is unaware of the
negotiated cipher suite, would this be considered a bug?  If not, would
it be appropriate to back-port this commit to 1.0.1 so that we would
have consistent behavior between 1.0.1 and 1.0.2?
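
Added example, not part of the original message and not OpenSSL code: a key usage check that takes the negotiated key exchange into account, which is the distinction the question above turns on. It goes beyond the quoted DH_DSS/DH_RSA row by also covering the RSA and DHE rows of the same RFC 5246 section 7.4.2 table; every ex_/EX_ name and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* keyUsage bits as they sit in the first content octet (RFC 5280 4.2.1.3). */
#define EX_KU_DIGITAL_SIGNATURE 0x0080u
#define EX_KU_KEY_ENCIPHERMENT  0x0020u
#define EX_KU_KEY_AGREEMENT     0x0008u

/* Hypothetical names for the key-exchange families in RFC 5246 7.4.2. */
enum ex_kx { EX_KX_RSA, EX_KX_DHE_RSA, EX_KX_DHE_DSS, EX_KX_DH_RSA, EX_KX_DH_DSS };

/* Constructed sample extension values, not taken from a real certificate. */
const uint8_t ex_ku_sig_enc[] = { 0x03, 0x02, 0x05, 0xA0 }; /* digitalSignature + keyEncipherment */
const uint8_t ex_ku_agree[]   = { 0x03, 0x02, 0x03, 0x08 }; /* keyAgreement only */

/* Decode a DER keyUsage BIT STRING (tag, short length, unused-bit count, one
 * or two content octets) into a mask. Returns 0 on success, -1 if malformed. */
int ex_parse_key_usage(const uint8_t *der, size_t len, uint16_t *mask)
{
    if (der == NULL || len < 4 || der[0] != 0x03 || (size_t)der[1] != len - 2) return -1;
    size_t n = (size_t)der[1] - 1;                      /* content octets */
    if (n > 2 || der[2] > 7) return -1;
    if (der[2 + n] & ((1u << der[2]) - 1u)) return -1;  /* unused bits must be 0 */
    *mask = der[3];
    if (n == 2) *mask |= (uint16_t)(der[4] << 8);
    return 0;
}

/* Bit required for the negotiated key exchange; 0 means "unknown, reject". */
uint16_t ex_required_ku(enum ex_kx kx)
{
    switch (kx) {
    case EX_KX_RSA:                         return EX_KU_KEY_ENCIPHERMENT;
    case EX_KX_DHE_RSA: case EX_KX_DHE_DSS: return EX_KU_DIGITAL_SIGNATURE;
    case EX_KX_DH_RSA:  case EX_KX_DH_DSS:  return EX_KU_KEY_AGREEMENT;
    }
    return 0;
}

/* The requirement applies only when the extension is present (der != NULL). */
int ex_cert_ok_for_kx(const uint8_t *der, size_t len, enum ex_kx kx)
{
    uint16_t mask, need = ex_required_ku(kx);
    if (need == 0) return 0;
    if (der == NULL) return 1;
    if (ex_parse_key_usage(der, len, &mask) != 0) return 0;
    return (mask & need) != 0;
}
```

With these rules a certificate carrying only digitalSignature and keyEncipherment passes for RSA and DHE_RSA key exchange and fails only for DH_RSA/DH_DSS.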
