6.8 S/MIME broken #1113

Closed
lonesomewalker opened this issue Feb 7, 2024 · 12 comments
@lonesomewalker

Up to latest 6.7 version, signing works fine, since 6.8 broken.
Will investigate, why.

@michalcharvat
Contributor

It looks like the settings are lost after reload. I assume it is related to changes in OpenSSL -> https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/

Old certificates also have wrong attributes like expiration dates etc. The workaround is to export the certificate and import it again.

@lonesomewalker
Author

lonesomewalker commented Feb 7, 2024

Nah, I have now done TOO MUCH debugging to be able to verify that it is totally botched.
Believe me, I have now wasted 3! days.
Even new certificates cannot be imported (see newer issue).
Same system, different PHP versions, etc... tested it ALL.

Better not blame OpenSSL for that (though it is often not easy...)

@michalcharvat
Contributor

What's described in the issue is a totally different kind of problem. Since 6.8 there is a problem with OpenSSL, so if you didn't follow the instructions to reconfigure OpenSSL to use legacy providers you will have troubles. However, it also looks like there is still an issue, because certificates look invalid on the SMIME tab (@mschering) and also the checkbox with settings loses its state after reload. The workaround for that issue is to upload the certificate again.

Your problem with certificate validation has been there for a while. Last time I checked it was 6.3? 6.4? Not sure. It is related to the CA, as Merijn mentioned. I thought the problem would be solved if I bought a certificate from DigiCert, but the problem is the same. If it helps you I can take a look tomorrow at where the problem was, or you can wait for Intermesh's answer. The certificate is valid on mobile but invalid in GO. However, I now checked the same mail in Thunderbird and it is also invalid. Didn't you import the CA on your laptop/desktop, and now you validate S/MIME against it?

@lonesomewalker
Author

lonesomewalker commented Feb 8, 2024

This machine uses OpenSSL 1. No legacy needed.
Not only do the checkboxes lose their state, from time to time you can't even untick the checkbox (i.e. when you do NOT want to sign a message, because the receiver's mail does not support it).

So, NO.
It is NOT related to CA.
I can reproduce it with SEVERAL other certificates.
Even the old one which will expire in 20 days is NOT WORKING ANYMORE (see new issue).

So, please no blaming others.
In 6.8, S/MIME has changed.

When I write that I did 3 days of SSL certificate checking, I can NAIL IT DOWN to the new version.
6.7 works, 6.8 does not.
Same system, same PHP version, same settings.

Period.

It is 2024, email signing and encryption is a MUST.
Unfortunately there are many Outlook clients out there so GPG is no solution.

And what for, importing the CA?
Did you read what I wrote?
It is an officially bought certificate, the CA is in the system.

@mschering
Member

Hi,

Please calm down. We're all trying to help out here. No need to be rude. There's no significant difference in the smime module between 6.7 and 6.8 and we haven't heard about any problems from other users apart from the openssl v3 problem that Michal was referring to (See https://groupoffice.readthedocs.io/en/latest/using/email.html#note-on-openssl-v3-x).

So to rule that out can you please post the output of your phpinfo() in the openssl section?

Best regards,
Merijn

@mschering
Member

I noticed in your samples the signature is a lot shorter coming from 6.8. I found that extra certificates were not included due to a bug. Please test the next release or patch the PHPMailer file from the commit above.

@mschering mschering self-assigned this Feb 8, 2024
@michalcharvat
Contributor

> And what for, importing the CA? Did you read what I wrote? It is an officially bought certificate, the CA is in the system.

Well, as I wrote, I have the same issue with DigiCert, or at least I had it a few minutes ago... if you verify the certificate against the issuer it works well. But I assume openssl_pkcs7_verify verifies certificates against a CA which does not exist in /etc/ssl/certs.

Following is the error from the helpdesk: `[GO\Smime\Model\PublicCertificate:149] Local cert /etc/ssl/certs/8c9cb8b1.0 does not exist.`

In my case it was `/etc/ssl/certs/99637584.0`. So based on the issuer `Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID CA` I went through the list of CA certificates on their site and downloaded https://cacerts.digicert.com/DigiCertSHA2AssuredIDCA.crt.pem. Then you have to copy the file to `/usr/local/share/ca-certificates` and rename it from `.pem` to `.crt`. Then run `update-ca-certificates`. Since then the link for hash 99637584.0 exists: `/etc/ssl/certs/99637584.0 -> DigiCertSHA2AssuredIDCA.pem`

So yeah, I also bought a certificate from a verified authority, but it looks like not all certificates are included in the system.
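The check Michal describes above (does `/etc/ssl/certs/<issuer hash>.0` exist for the signer's issuer?), as an added shell example that is not Group-Office code. It assumes `openssl` is installed and the Debian/Ubuntu `ca-certificates` layout named in the comment (`/usr/local/share/ca-certificates`, `update-ca-certificates`).

```shell
#!/bin/sh
# Added example, not Group-Office code: reproduce the check behind the
# "Local cert /etc/ssl/certs/<hash>.0 does not exist" error. OpenSSL's
# default CA directory is indexed by subject-name hash, so a signer
# certificate whose issuer has no <hash>.0 link there cannot be chained,
# even when the certificate was bought from a public CA.

# Print the issuer distinguished name of a PEM certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Print the OpenSSL name hash of the issuer: the name the link in the
# CA directory must carry (99637584 in the thread above).
cert_issuer_hash() {
    openssl x509 -in "$1" -noout -issuer_hash
}

# Return 0 if the CA directory ($2, default /etc/ssl/certs) holds an
# <issuer_hash>.0 entry for the certificate in $1, 1 if it is missing.
issuer_link_exists() {
    ihash="$(cert_issuer_hash "$1")" || return 2
    [ -e "${2:-/etc/ssl/certs}/$ihash.0" ]
}

# Diagnose one certificate and print the remedy used in the thread
# (Debian/Ubuntu layout; other distributions use different paths).
check_issuer_link() {
    cadir="${2:-/etc/ssl/certs}"
    ihash="$(cert_issuer_hash "$1")" || return 2
    printf 'issuer: %s\n' "$(cert_issuer "$1")"
    if [ -e "$cadir/$ihash.0" ]; then
        printf 'OK: %s/%s.0 -> %s\n' "$cadir" "$ihash" "$(readlink -f "$cadir/$ihash.0")"
        return 0
    fi
    printf 'MISSING: %s/%s.0\n' "$cadir" "$ihash"
    printf 'Download the issuer CA certificate (PEM) from the CA, save it as\n'
    printf '  /usr/local/share/ca-certificates/<issuer>.crt\n'
    printf 'and run update-ca-certificates to create the hash link.\n'
    return 1
}

# Stand-alone use: sh check_issuer.sh <cert.pem> [ca-dir]
if [ "$#" -ge 1 ]; then
    check_issuer_link "$1" "$2"
fi
```

Run it against the public certificate exported from the S/MIME tab; a MISSING line names exactly the `<hash>.0` file the helpdesk error complains about.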

@lonesomewalker
Author

lonesomewalker commented Feb 8, 2024

Okay, again:
6.7 ON THE SAME SYSTEM works.
SAME certificate.

Upgrade to 6.8: botched.

Recipients of the email do not copy stuff to somewhere. :-)

@mschering
Member

Did you patch the file and sign a mail after that? Also, did you check phpinfo?

@lonesomewalker
Author

lonesomewalker commented Feb 8, 2024

Edit on top:
I am an idiot, only just now understanding what you meant with the patch (did not see this before).
Will try this tonight and give feedback!


Okay... step by step.

We talk about THE SAME server.
Nothing has changed by OS or configs.
I just switched to PHP8.1, added Sourceguardian.
Then upgraded to 6.8

Broken.

So I thought, hm, maybe PHP is the issue.
Checked whole config. Nothing.

Tinkered around with OpenSSL, maybe some stuff... nope, all openssl verify tasks provided the same result: cert is valid.
Sometimes OCSP not working, but that does not make the cert invalid.

Same server, older GO: certificate works out of the box.
So I reverted back to 6.7 (and still using PHP8.1): the old certificate is there but does not get used when looking at older emails (which got encrypted with the old p12).
New certificate is used, and this is valid the whole time.

So, I can clearly break it down to some changes since 6.8, because the last 6.7 has no issues with the new cert.
Only to decrypt older emails with the older certificate (which is still visible in the smime section).

@lonesomewalker
Author

Okay, with the current patch: outgoing mail is now signed :-)

But: the sent mail is stored unsigned in the sent folder. This makes no sense to me...?

@mschering
Member

The sent item not being signed was a bug indeed. I fixed it in the next release.
