TLS Configuration with libvirt and Perfect Forward Secrecy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Dear libvirt Users,

I'm seeking guidance on configuring TLS with libvirt to achieve perfect forward secrecy (PFS). While I followed the tutorial on setting up TLS with libvirt from the project wiki [1], I encountered an error when bringing up the legacy monolithic libvirt daemon.

The error message, "Certificate /etc/pki/libvirt/servercert.pem usage does not permit key encipherment," appeared even though I declared the "encryption_key" field in the certtool template file when generating the server certificate. Moreover, when I inspected the generated certificate with certtool, I discovered that it only had a "Digital signature" entry under X509v3 key usage. The deficiency in "Key Encipherment" usage could result from the key type specifications when generating the private key with the command "certtool --generate-privkey --key-type=ed25519 --curve=Ed25519 --sec-param=ultra > /etc/pki/libvirt/private/serverkey.pem". I prefer using elliptic-curve cryptography, specifically curve25519, over RSA, which the tutorial employs.

Although a digital signature-only certificate can still perform Diffie–Hellman exchanges with ECDSA, it cannot encrypt client-generated pre-master secrets. Nonetheless, a TLS session can still be established without pre-master secrets, avoiding session key leakage even if the decryption key is compromised in the future. This fulfills the PFS requirement, and I believe that a certificate without "Key Encipherment" usage contributes to the system's overall security.

Based on my understanding, I am seeking any insights or suggestions on whether there is a way to suppress the "certificate usage does not permit key encipherment" error and allow the legacy monolithic libvirt daemon to proceed.


Users mailing list -- users@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxx

[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux