The following commit changed the behavior of checking the extended key usage bits in a server certificate when using X509_PURPOSE_SSL_SERVER: http://marc.info/?l=openssl-cvs&m=132759007026375&w=2 This commit was put into 1.0.2 on April 6, 2012. Therefore, 1.0.1 and 1.0.2 behave differently in this regard. When using 1.0.2, the server certificate needs to include the keyAgreement bit. Otherwise the client will reject the server certificate when checking the purpose (X509_PURPOSE_SSL_SERVER). Does this behavior in 1.0.2 comply with RFC 5246? Reading section 7.4.2 on pages 47/48, the server certificate should include the keyAgreement bit when using DH key exchange cipher suites. The wording on page 48 is: DH_DSS Diffie-Hellman public key; the keyAgreement bit DH_RSA MUST be set if the key usage extension is present. Given there's no other mention of using the keyAgreement bit in RFC 5246, does this imply the keyAgreement bit doesn't need to be set when not using a DH cipher suite? Given the commit noted above will always check the keyAgreement bit, and the logic in v3_purp.c is unaware of the negotiated cipher suite, would this be considered a bug? If not, would it be appropriate to back-port this commit to 1.0.1 so that we would have consistent behavior between 1.0.1 and 1.0.2?
