From fef9ff136f75dd48f95812ed39e1bd59b69d3a10 Mon Sep 17 00:00:00 2001
Message-Id:
From: Mark Wooding
Date: Sat, 1 Dec 2012 19:50:08 +0000
Subject: [PATCH] etc/openssl.conf: Allow `keyEncipherment' for TLS clients.
Organization: Straylight/Edgeware
From: Mark Wooding
For some reason libvirt doesn't accept client certificates without this, even though TLS client authentication doesn't involve encipherting keys.
---
 etc/openssl.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/openssl.conf b/etc/openssl.conf
index 4fa74a5..847b1f5 100644
--- a/etc/openssl.conf
+++ b/etc/openssl.conf
@@ -103,7 +103,7 @@ crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
 [tls-client-extensions]
 basicConstraints = critical, CA:FALSE
-keyUsage = critical, digitalSignature
+keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
-- [mdw]
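Review bot: The widened `keyUsage` line in `[tls-client-extensions]` carries no comment in the file itself, and it applies to every client certificate issued under this section, not only the ones presented to libvirt. Because the extension is marked `critical`, the added `keyEncipherment` bit is an explicit grant that the key may be used for key transport, so a later reader needs to see that it is a compatibility workaround and not something TLS client authentication requires. I would add above the line `# keyEncipherment: present only because libvirt rejects client certs without it; client auth itself needs digitalSignature alone.` If only some clients talk to libvirt, a separate extensions section for those certificates would keep the rest at `digitalSignature` only. The section may continue past the last context line of the hunk.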