[rt-devel] openssl and compatibility with S/MIMEv3.1
m_orallo at yahoo.es
Tue Dec 9 06:58:08 EST 2014
After switching to FastCGI to fix problems with mod_perl and env
variables (thanks to Alex Vandiver's suggestion), I have found another
issue in my quest to achieve a fully functional S/MIME RT deployment.
Some of the S/MIME encrypted mails sent by Windows+Outlook users, were
not correctly decrypted by RT/openssl. The error shown is appended at
the end of the message for reference.
After some headbanging I discovered the "openssl smime" command that
RT uses is only fully compatible with S/MIMEv2 (PKCS#7) .
S/MIMEv3.1 (the IETF standard), standarized the use of Cryptographic
Message Syntax (CMS) format. For this, openssl developers implemented
a new command (openssl cms) that implements all S/MIME operations and
is supposed to deprecate "smime" option .
My tests show that "openssl cms" can decrypt all messages that I threw
at it, both PKCS#7 and CMS.
For encryption/signing, cms should produce messages which are
backwards compatible with PKCS#7, as long as you don't use some
specific options . These are not used in RT, AFAIK.
I have copied rt4/lib/RT/Crypt/SMIME.pm to
rt4/local/lib/RT/Crypt/SMIME.pm, replacing "smime" with "cms" in every
command issued by RT, and it seems to work well. However, it would
require more thorough testing.
I plan to do a proper modification and pull request, but I thought it
would be better asking in the list: is there any reason I am missing
to keep using "openssl smime"?
Thank you in advance,
Error in RT log for S/MIMEv3.1 CMS messages:
 [Mon Dec 8 15:02:04 2014] [error]: openssl exited with error
code 2 and error: Error reading S/MIME message
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:
routines:SMIME_read_ASN1:asn1 parse error:asn_mime.c:528:
More information about the rt-devel