broken cert chains (was: smime_keys doesn't work on 1.5.x for me)
Hello Anatoly,
On Monday, July 31, 2006 at 15:14:24 +0400, Anatoly Pugachev wrote:
> Content-Type: application/x-pkcs7-signature
> Content-Disposition: attachment; filename="smime.p7s"
The chain of your certificate has 3 stages:
-1) You: Thawte Freemail Member
-2) Intermediate CA: Thawte Personal Freemail Issuing CA
-3) Root CA: Thawte Personal Freemail CA
But your S/MIME signature embeds only (1) and (3), lacking the
intermediate (2). So on a default Mutt 1.5.13 smime.rc install, where
ca-bundle.crt contains (3) but no (2), verification fails:
| [-- OpenSSL output follows (current time: mer 16 aoû 2006 20:54:00) --]
| Verification failure
| 22096:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:222:Verify error:unable to get local issuer certificate
| [-- End of OpenSSL output --]
Verification also fails with a number of other mailers, like the
latest MSOE under W2Ksp4, because the Windows certificate store doesn't
come with (2) by default. Verification works once the missing (2) cert
is imported into the store of intermediate CAs.
So you, the signer, should probably embed (2) in your signatures.
And there are questions: How are receivers of such signatures supposed
to fill the gap? How to locate and download the missing cert? Where to
install it?
I extracted (2) from another freemail member's sig, and added it to
ca-bundle via "smime_keys add_root": Verification OK. But is it the right
place for intermediate certs?
> Maybe it should be added into smime_notes.txt that the cert.p12 file
> should also have the CA certificate included
It seems that, if the Root CA is in ca-bundle, "smime_keys add_p12"
can import a file.p12 containing only (1) and (2). But not one containing (1) only.
Bye! Alain.
--
How to Report Bugs Effectively
<URL:http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>
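The chain problem discussed above, as an added example that is not code from the thread or from Mutt: a POSIX shell script that builds a constructed root/intermediate/leaf chain with the openssl command line, signs a message embedding only the leaf, verifies it against a CA bundle with and without the intermediate, and shows the signer-side fix with -certfile. All names and subjects are hypothetical stand-ins; it assumes openssl(1) is installed.

```sh
#!/bin/sh
# Added demo, not code from the thread: build a constructed 3-stage chain,
# sign a message embedding only the leaf (as the problematic smime.p7s did),
# and show both fixes.  Requires openssl(1); all names are hypothetical.
set -e
W=$(mktemp -d); cd "$W"

# (3) Root CA, self-signed ("Thawte Personal Freemail CA" in the thread)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
# (2) Intermediate CA, signed by the root ("Thawte Personal Freemail Issuing CA")
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
# (1) The signer's own certificate, issued by the intermediate
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=emailProtection\n' >leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Freemail Member" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

echo "Constructed test message." >msg.txt
# Signature A embeds (1) only; signature B also embeds (2) via -certfile,
# which is the signer-side fix suggested in the thread.
openssl smime -sign -in msg.txt -signer leaf.pem -inkey leaf.key \
  -out sig_a.eml
openssl smime -sign -in msg.txt -signer leaf.pem -inkey leaf.key \
  -certfile inter.pem -out sig_b.eml

# Receiver-side trust stores: a default bundle with (3) only, and one where
# (2) was added as well (what "smime_keys add_root" did in the thread).
cat root.pem >bundle_root_only.pem
cat root.pem inter.pem >bundle_with_inter.pem

# verify_sig <signed-mail> <ca-bundle>: exit status 0 means Verification OK
verify_sig() {
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>verify.err
}
# report <label> <signed-mail> <ca-bundle>: print the outcome or OpenSSL's last error line
report() {
  if verify_sig "$2" "$3"; then echo "$1: Verification OK"
  else echo "$1: $(tail -n 1 verify.err)"; fi
}

report "A, bundle with (3) only" sig_a.eml bundle_root_only.pem      # fails: no local issuer
report "A, bundle with (3) and (2)" sig_a.eml bundle_with_inter.pem  # OK
report "B, bundle with (3) only" sig_b.eml bundle_root_only.pem      # OK: (2) is in the sig
```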