
crypto/tls: consider enforcing KU bits on leaf certs #71842

Open
@rolandshoemaker

Description

The crypto/x509 package has historically ignored KU, as CAs were historically terrible at setting it correctly (see https://cs.opensource.google/go/go/+/refs/tags/go1.24.0:src/crypto/x509/verify.go;l=717;drc=468fad45a27db0ec1fff4ae397d3670795b3f977).

As such, crypto/tls also ignores it when checking if the key in the presented leaf certificate is valid for the cipher being used. This means we ignore two things: RSA keys that are marked not to be used for RSA KEXs (lacking the keyAgreement bit) and differentiating ECDH and ECDSA keys (which otherwise have the same encoding).

We should revisit adding support for this. See https://github.com/google/boringssl/blob/main/ssl/handshake_client.cc#L1360-L1376 and https://github.com/google/boringssl/blob/main/ssl/handshake_server.cc#L1517-L1524 for how BoringSSL handles this.

cc @FiloSottile @cpu

Labels: LibraryProposal (Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool), NeedsDecision (Feedback is required from experts, contributors, and/or the community before a change can be made)