
Re: smime sig verification



Hi,

On Fri, Sep 26, 2003 at 02:09:47PM -0700, Alan Batie wrote:
> When I get mail from a friend using x.509 certs, I get this:
> 
>     [-- OpenSSL output follows (current time: Fri Sep 26 14:03:29 2003) --]
>     Verification failure
>     71672:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify 
> error:pk7_smime.c:222:Verify error:self signed certificate in certificate 
> chain
>     [-- End of OpenSSL output --]
>       
>     [-- The following data is signed --]

the error message means that your friend sent the whole certificate
chain along with his signature, but the last certificate in the chain
is not found in your directory of trusted certificates. (I mean the
directory that you have to specify with the command line option
"-CApath" to OpenSSL's verify command.)

You need to check which certification authority issued your friend's
certificate and convince yourself that the self signed certificate in
the certificate chain really belongs to this particular CA and is
still valid. Then you can add it to the directory of trusted
certificates. (You can use "smime_keys add_root" for this purpose. But
if the certificate is DER encoded you need to convert it into PEM
format first using "openssl x509".) Then OpenSSL should successfully
verify the signature.

> It verifies fine in Mozilla.  I'm using the .muttrc commands in the
> contrib/smime.rc file for mutt 1.5.4 and wondering if there's a problem
> with them, or if it's a bug in openssl (OpenSSL 0.9.7a Feb 19 2003)?

I guess the certification authority's root certificate is already
installed in Mozilla's certificate database. Either you once clicked
on the "Accept" button yourself or it was shipped together with
Mozilla. (The great number of root certificates that are
"conveniently" shipped with browsers etc. are a real security risk
IMO. Hardly any user knows in whom he "trusts" by default. But this
discussion is probably OT on the mutt-users list.)

HTH

Christoph


-- 
http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/cludwig.html
LiDIA: http://www.informatik.tu-darmstadt.de/TI/LiDIA/Welcome.html
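The procedure from the reply above, rebuilt end to end as an added example (not code from this thread or from mutt): it assumes a constructed root CA "Example Root CA" and a friend certificate for friend@example.org, generated on the spot, and a hypothetical helper verify_with that wraps "openssl smime -verify" with a -CApath directory. The file naming in the last step is what "smime_keys add_root" does for you.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the failure behind the
# quoted OpenSSL output with a constructed PKI, then fix it as the reply says
# (DER->PEM, check the root, add it to the -CApath directory).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed test PKI; self-contained config so no system openssl.cnf is needed.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Root CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -subj "/CN=Friend/emailAddress=friend@example.org" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out leaf.pem 2>/dev/null

# The friend signs a message and ships the whole chain (-certfile) with it.
printf 'Subject: hello\n\nsigned body\n' > msg.txt
openssl smime -sign -in msg.txt -signer leaf.pem -inkey leaf.key \
  -certfile ca.pem -out signed.eml

# verify_with (hypothetical helper): OpenSSL's exit status when verifying
# against one trusted-cert directory; -no-CAfile keeps the system bundle out.
verify_with() {
  openssl smime -verify -in signed.eml -CApath "$1" -no-CAfile -out /dev/null
}

mkdir trusted
verify_with trusted || echo "1) expected: fails, root is not trusted yet"

# Roots are often distributed DER-encoded; -CApath needs PEM.
openssl x509 -in ca.pem -outform DER -out root.der   # constructed DER copy
openssl x509 -inform DER -in root.der -out root.pem
# Check who the root claims to be and its fingerprint before trusting it
# (compare with what the CA publishes out of band).
openssl x509 -in root.pem -noout -subject -fingerprint -sha256
# -CApath is searched by subject-name hash, so the file name matters
# (this is what smime_keys add_root / c_rehash do for you).
cp root.pem "trusted/$(openssl x509 -noout -hash -in root.pem).0"
verify_with trusted
echo "2) verifies now that the root is trusted"
```

Needs OpenSSL 1.1.0 or newer for -no-CAfile; the first verification fails with the "self signed certificate in certificate chain" error quoted above, the second prints "Verification successful".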