6.8 S/MIME broken #1113
Comments
It looks like the settings are lost after reload. I assume it is related to changes in OpenSSL -> https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/ Old certificates also have wrong attributes like expiration dates etc. The workaround is to export the certificate and import it again.
Nah, I have now done TOO MUCH debugging to be able to verify that it is totally botched. Better not blame OpenSSL for that (though it is often not easy...)
What's described in the issue is a totally different kind of problem. Since 6.8 there is a problem with OpenSSL, so if you didn't follow the instructions to reconfigure OpenSSL to use legacy providers you will have trouble. However, it also looks like there is still an issue, because certificates look invalid on the SMIME tab (@mschering) and the checkbox with settings also loses its state after reload. The workaround for that issue is to upload the certificate again. Your problem with certificate validation has been there for a while. Last time I checked it was 6.3? 6.4? Not sure. It is related to the CA, as Merijn mentioned. I thought the problem would be solved if I bought a certificate from DigiCert, but the problem is the same. If it helps you, I can take a look at it tomorrow to see where the problem was, or you can wait for Intermesh's answer. The certificate is valid on mobile but invalid in GO. However, I have now checked the same mail in Thunderbird and it is also invalid. Didn't you import the CA on your laptop/desktop and now validate S/MIME against it?
This machine uses OpenSSL 1. No legacy needed. So, NO. So, please no blaming others. When I write that I did 3 days of SSL certificate checking, I can NAIL IT DOWN to the new version. Period. We have 2024, email signing and encryption is a MUST. And what would importing a CA be for?
Hi, Please calm down. We're all trying to help out here. No need to be rude. There's no significant difference in the smime module between 6.7 and 6.8 and we haven't heard about any problems from other users apart from the openssl v3 problem that Michal was referring to (See https://groupoffice.readthedocs.io/en/latest/using/email.html#note-on-openssl-v3-x). So to rule that out can you please post the output of your phpinfo() in the openssl section? Best regards,
I noticed in your samples the signature is a lot shorter coming from 6.8. I found that extra certificates were not included due to a bug. Please test the next release or patch the PHPMailer file from the commit above.
Well, as I wrote, I have the same issue with DigiCert, or at least I had it a few minutes ago... If you verify the certificate against the issuer it works well. But I assume openssl_pkcs7_verify verifies certificates against a CA which does not exist in /etc/ssl/certs. Following is the error from the helpdesk - [GO\Smime\Model\PublicCertificate:149] Local cert /etc/ssl/certs/8c9cb8b1.0 does not exist. In my case it was /etc/ssl/certs/99637584.0. So based on the issuer Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID CA I went through the list of CA certificates on their site and downloaded https://cacerts.digicert.com/DigiCertSHA2AssuredIDCA.crt.pem. Then you have to copy the file to /usr/local/share/ca-certificates and rename it from pem to crt. Then run update-ca-certificates. Since then the link for hash 99637584.0 exists: /etc/ssl/certs/99637584.0 -> DigiCertSHA2AssuredIDCA.pem So yeah, I also bought a certificate from a verified authority, but it looks like not all certificates are included in the system.
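The hashed-directory lookup behind the "Local cert ... does not exist" error in the comment above can be triaged with a short script. This is an added example, not part of the original thread and not Group-Office code; the function names, the temporary directory and the second sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Group-Office code): triage "Local cert ... does not exist"
# errors against an OpenSSL hashed CA directory such as /etc/ssl/certs.

# Pull the hashed CA file name (e.g. 99637584.0) out of one log line.
# Prints nothing when the line is not this error.
missing_ca_from_log() {
    printf '%s\n' "$1" |
        sed -n 's#.*Local cert /[^ ]*/\([0-9a-f]\{8\}\.[0-9][0-9]*\) does not exist.*#\1#p'
}

# State of <dir>/<name>: ok, dangling (symlink whose target is gone), or missing.
ca_entry_state() {
    if [ -e "$1/$2" ]; then echo ok
    elif [ -L "$1/$2" ]; then echo dangling
    else echo missing
    fi
}

# File name OpenSSL looks up first for a signer certificate: <issuer hash>.0
# Needs the openssl CLI; call it by hand with the path to a PEM certificate.
expected_ca_name() {
    printf '%s.0\n' "$(openssl x509 -noout -issuer_hash -in "$1")"
}

# Triage one log line against a CA directory; prints "<name> <state>".
triage_line() {
    name=$(missing_ca_from_log "$1")
    [ -n "$name" ] || return 0
    printf '%s %s\n' "$name" "$(ca_entry_state "$2" "$name")"
}

# Demo on constructed data: a temporary directory stands in for /etc/ssl/certs
# and holds only the link created by update-ca-certificates in the comment.
demo() {
    d=$(mktemp -d)
    : > "$d/DigiCertSHA2AssuredIDCA.pem"
    ln -s DigiCertSHA2AssuredIDCA.pem "$d/99637584.0"
    while IFS= read -r line; do triage_line "$line" "$d"; done <<'EOF'
[GO\Smime\Model\PublicCertificate:149] Local cert /etc/ssl/certs/8c9cb8b1.0 does not exist.
[GO\Smime\Model\PublicCertificate:149] Local cert /etc/ssl/certs/99637584.0 does not exist.
EOF
    rm -rf "$d"
}
demo
```

On a real host, pass /etc/ssl/certs as the directory to triage_line, and use expected_ca_name on the signer certificate to see which entry the verification will look for.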
Okay, again: Upgrade to 6.8: botched. Recipients of the email do not copy stuff to somewhere. :-)
Did you patch the file and sign a mail after that? Also, did you check phpinfo?
Edit on top: Okay... step by step. We talk about THE SAME server. Broken. So I thought, hm, maybe PHP is the issue. Tinkered around with OpenSSL, maybe some stuff... nope, all openssl verify tasks provided the same result: cert is valid. Same server, older GO: certificate works out of the box. So, I can clearly break it down to some changes since 6.8, because the last 6.7 has no issues with the new cert.
Okay, with the current patch: outgoing mail is now signed :-) But: sent mail is stored unsigned in the sent folder. This makes no sense to me...?
The sent item not being signed was a bug indeed. I fixed it in the next release.
Up to the latest 6.7 version, signing works fine; since 6.8 it is broken.
Will investigate why.