* [gentoo-user] OpenSSL certificates and Kmail
From: Mick @ 2007-05-20 11:24 UTC
To: gentoo-user
Hi All,
I am trying to get to grips with OpenSSL Certs in Kmail. I have created a CA
and then created and signed with it a certificate for my email account (crt).
Finally, I exported it as a pkcs12 bundle and tried to import it as smime
into Konqueror & Kmail. All went seemingly well, except for:
1. When I tried to specify which cert to use in Kmail/Identity/Cryptography I
can see my imported Cert, but as I select it a red X comes up on the key
symbol. I assume then that it is not suitable for smime
signatures/encryption?
2. When I run gpgsm -K I get:
===========================================
[snip]
validity: 2007-05-19 18:12:12 through 2010-05-18 18:12:12
key type: 4096 bit RSA
key usage: [error: No value]
chain length: [error: No value]
===========================================
which is different to another certificate I have obtained from www.cacert.org:
===========================================
validity: 2007-04-23 13:49:42 through 2007-10-20 13:49:42
key type: 2048 bit RSA
ext key usage: emailProtection (suggested), clientAuth (suggested),
1.3.6.1.4.1.311.10.3.4 (suggested), serverGatedCrypto.ms (suggested),
serverGatedCrypto.ns (suggested)
===========================================
Any ideas what I need to do to make this certificate valid for use by Kmail?
PS. I am not sure if the above errors mean that there is anything wrong with
my certificate, as opposed to Kmail & Kleopatra. Any certificate signed
messages that I receive are not verified in Kmail - all I get is:
====================================================
Not enough information to check signature. [Details]
Status: No status information available.
====================================================
If I press on [Details] Kleopatra pops up showing my cert. Selecting Verify
just shows "done".
Have you managed to make smime work with Kmail at all?
--
Regards,
Mick
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Jure Varlec @ 2007-05-20 12:53 UTC
To: gentoo-user
On Sunday 20 of May 2007 13:24:09 Mick wrote:
> Hi All,
>
> I am trying to get to grips with OpenSSL Certs in Kmail. I have created a
> CA and then created and signed with it a certificate for my email account
> (crt). Finally, I exported it as a pkcs12 bundle and tried to import it as
> smime into Konqueror & Kmail. All went seemingly well, except for:
>
> 1. When I tried to specify which cert to use in
> Kmail/Identity/Cryptography I can see my imported Cert, but as I select it
> a red X comes up on the key symbol. I assume then that it is not suitable
> for smime
> signatures/encryption?
> 2. When I run gpgsm -K I get:
> ===========================================
> [snip]
> validity: 2007-05-19 18:12:12 through 2010-05-18 18:12:12
> key type: 4096 bit RSA
> key usage: [error: No value]
> chain length: [error: No value]
> ===========================================
>
> which is different to another certificate I have obtained from
> www.cacert.org:
> ===========================================
> validity: 2007-04-23 13:49:42 through 2007-10-20 13:49:42
> key type: 2048 bit RSA
> ext key usage: emailProtection (suggested), clientAuth (suggested),
> 1.3.6.1.4.1.311.10.3.4 (suggested), serverGatedCrypto.ms (suggested),
> serverGatedCrypto.ns (suggested)
> ===========================================
>
> Any ideas what I need to do to make this certificate valid for use by
> Kmail?
>
> PS. I am not sure if the above errors mean that there is anything wrong
> with my certificate, as opposed to Kmail & Kleopatra. Any certificate
> signed messages that I receive are not verified in Kmail - all I get is:
> ====================================================
> Not enough information to check signature. [Details]
>
> Status: No status information available.
> ====================================================
>
> If I press on [Details] Kleopatra pops up showing my cert. Selecting
> Verify just shows "done".
>
> Have you managed to make smime work with Kmail at all?
Hello
Heh, I dealt with a similar problem about a week ago. I'm not sure I'll ever
understand all these certificate issues that seem to crop up on just about
all platforms I ever used.
As for the solution, it seems Kleopatra wants app-crypt/dirmngr, emerging it
solved my problem. I'm not sure why relevant KDE apps don't depend on it.
Hope this helps
Jure
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Mick @ 2007-05-20 14:47 UTC
To: gentoo-user
On Sunday 20 May 2007 13:53, Jure Varlec wrote:
> On Sunday 20 of May 2007 13:24:09 Mick wrote:
> > Hi All,
> >
> > I am trying to get to grips with OpenSSL Certs in Kmail. I have created
> > a CA and then created and signed with it a certificate for my email
> > account (crt). Finally, I exported it as a pkcs12 bundle and tried to
> > import it as smime into Konqueror & Kmail. All went seemingly well,
> > except for:
> >
> > 1. When I tried to specify which cert to use in
> > Kmail/Identity/Cryptography I can see my imported Cert, but as I select
> > it a red X comes up on the key symbol. I assume then that it is not
> > suitable for smime
> > signatures/encryption?
> > 2. When I run gpgsm -K I get:
> > ===========================================
> > [snip]
> > validity: 2007-05-19 18:12:12 through 2010-05-18 18:12:12
> > key type: 4096 bit RSA
> > key usage: [error: No value]
> > chain length: [error: No value]
> > ===========================================
> >
> > which is different to another certificate I have obtained from
> > www.cacert.org:
> > ===========================================
> > validity: 2007-04-23 13:49:42 through 2007-10-20 13:49:42
> > key type: 2048 bit RSA
> > ext key usage: emailProtection (suggested), clientAuth (suggested),
> > 1.3.6.1.4.1.311.10.3.4 (suggested), serverGatedCrypto.ms (suggested),
> > serverGatedCrypto.ns (suggested)
> > ===========================================
> >
> > Any ideas what I need to do to make this certificate valid for use by
> > Kmail?
> >
> > PS. I am not sure if the above errors mean that there is anything wrong
> > with my certificate, as opposed to Kmail & Kleopatra. Any certificate
> > signed messages that I receive are not verified in Kmail - all I get is:
> > ====================================================
> > Not enough information to check signature. [Details]
> >
> > Status: No status information available.
> > ====================================================
> >
> > If I press on [Details] Kleopatra pops up showing my cert. Selecting
> > Verify just shows "done".
> >
> > Have you managed to make smime work with Kmail at all?
>
> Hello
>
> Heh, I dealt with a similar problem about a week ago. I'm not sure I'll
> ever understand all these certificate issues that seem to crop up on just
> about all platforms I ever used.
>
> As for the solution, it seems Kleopatra wants app-crypt/dirmngr, emerging
> it solved my problem. I'm not sure why relevant KDE apps don't depend on
> it.
Thanks Jure, I'm afraid it didn't help in my case. :(
When I try to sign a message with my cacert.org certificate it fails
with: "Signing failed: General error". Adding my self-signed certificate also
fails (but this may have something to do with the way I generated the
certificate, rather than Kmail). This is sooo complicated compared to GnuPG.
Anything else I could try?
--
Regards,
Mick
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Jure Varlec @ 2007-05-20 15:54 UTC
To: gentoo-user
On Sunday 20 of May 2007 16:47:00 Mick wrote:
> On Sunday 20 May 2007 13:53, Jure Varlec wrote:
> > On Sunday 20 of May 2007 13:24:09 Mick wrote:
> > > Hi All,
> > >
> > > I am trying to get to grips with OpenSSL Certs in Kmail. I have
> > > created a CA and then created and signed with it a certificate for my
> > > email account (crt). Finally, I exported it as a pkcs12 bundle and
> > > tried to import it as smime into Konqueror & Kmail. All went seemingly
> > > well, except for:
> > >
> > > 1. When I tried to specify which cert to use in
> > > Kmail/Identity/Cryptography I can see my imported Cert, but as I
> > > select it a red X comes up on the key symbol. I assume then that it is
> > > not suitable for smime
> > > signatures/encryption?
> > > 2. When I run gpgsm -K I get:
> > > ===========================================
> > > [snip]
> > > validity: 2007-05-19 18:12:12 through 2010-05-18 18:12:12
> > > key type: 4096 bit RSA
> > > key usage: [error: No value]
> > > chain length: [error: No value]
> > > ===========================================
> > >
> > > which is different to another certificate I have obtained from
> > > www.cacert.org:
> > > ===========================================
> > > validity: 2007-04-23 13:49:42 through 2007-10-20 13:49:42
> > > key type: 2048 bit RSA
> > > ext key usage: emailProtection (suggested), clientAuth (suggested),
> > > 1.3.6.1.4.1.311.10.3.4 (suggested), serverGatedCrypto.ms (suggested),
> > > serverGatedCrypto.ns (suggested)
> > > ===========================================
> > >
> > > Any ideas what I need to do to make this certificate valid for use by
> > > Kmail?
> > >
> > > PS. I am not sure if the above errors mean that there is anything wrong
> > > with my certificate, as opposed to Kmail & Kleopatra. Any certificate
> > > signed messages that I receive are not verified in Kmail - all I get
> > > is:
> > > ====================================================
> > > Not enough information to check signature. [Details]
> > >
> > > Status: No status information available.
> > > ====================================================
> > >
> > > If I press on [Details] Kleopatra pops up showing my cert. Selecting
> > > Verify just shows "done".
> > >
> > > Have you managed to make smime work with Kmail at all?
> >
> > Hello
> >
> > Heh, I dealt with a similar problem about a week ago. I'm not sure I'll
> > ever understand all these certificate issues that seem to crop up on just
> > about all platforms I ever used.
> >
> > As for the solution, it seems Kleopatra wants app-crypt/dirmngr, emerging
> > it solved my problem. I'm not sure why relevant KDE apps don't depend on
> > it.
>
> Thanks Jure, I'm afraid it didn't help in my case. :(
>
> When I try to sign a message with my cacert.org certificate it fails
> with: "Signing failed: General error". Adding my self-signed certificate
> also fails (but this may have something to do with the way I generated the
> certificate, rather than Kmail). This is sooo complicated compared to
> GnuPG.
>
> Anything else I could try?
Hm, installing dirmngr should at least get rid of the "Not enough information
to check signature" problem. *shrugs*
I suggest you start kwatchgnupg, it listens on the gnupg socket and displays
all messages your apps send through there. It's the only way I found to see
what's actually going on, because kmail's and kleopatra's error messages
couldn't be less informative.
Hopefully, that should give a clue as to what to do next.
Regards
Jure
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Mick @ 2007-05-20 17:10 UTC
To: gentoo-user
On Sunday 20 May 2007 16:54, Jure Varlec wrote:
> Hm, installing dirmngr should at least get rid of the "Not enough
> information to check signature" problem. *shrugs*
> I suggest you start kwatchgnupg, it listens on the gnupg socket and
> displays all messages your apps send through there. It's the only way I
> found to see what's actually going on, because kmail's and kleopatra's
> error messages couldn't be less informative.
>
> Hopefully, that should give a clue as to what to do next.
Thanks again Jure, I am getting this much now when I try to look at a message
sent to me encrypted and signed with a cacert.org certificate:
============================================================
[client at fd 4 connected]
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> Home: ~/.gnupg
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> Config: /home/michael/.gnupg/gpgsm.conf
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> AgentInfo: /tmp/gpg-IOOUO2/S.gpg-agent:7251:1
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> DirmngrInfo: [not set]
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> GNU Privacy Guard's S/M server 1.9.21 ready
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION display=:0.0
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION lc-ctype=C
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION lc-messages=C
4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- INPUT FD=15
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- OUTPUT FD=19
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- DECRYPT
4 - 2007-05-20 17:41:10 gpgsm[9033]: unsupported algorithm `1.2.840.113549.3.2'
4 - 2007-05-20 17:41:10 gpgsm[9033]: (this is the RC2 algorithm)
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> S ERROR decrypt.algorithm 50331732 1.2.840.113549.3.2
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> S DECRYPTION_FAILED
4 - 2007-05-20 17:41:10 gpgsm[9033]: message decryption failed: Unsupported algorithm
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> ERR 50331732 Unsupported algorithm
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- BYE
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK closing connection
[client at fd 4 disconnected]
============================================================
I notice two things above; a) the DirmngrInfo: [not set] is telling me that the
dirmngr has not been set yet - is this OK? and, b) gpgsm spits feathers when
it sees the RC2 algorithm?!
When I try to compose a message and select to use a cacert.org certificate I
am getting these messages:
============================================================
4 - 2007-05-20 17:49:28 gpgsm[9059]: DBG: connection to agent established
4 - 2007-05-20 17:49:28 gpgsm[9059]: can't connect to the dirmngr - trying fall back
4 - 2007-05-20 17:49:28 gpgsm[9059]: no running dirmngr - starting `/usr/bin/dirmngr'
4 - 2007-05-20 17:49:28 gpgsm[9059]: DBG: connection to dirmngr established
============================================================
which shows me that dirmngr is being brought up when required - probably the
previous message about not being set is nothing to worry about then.
Then I am getting dirmngr trying to connect to cacert.org to verify the
certificate I am going to use:
===========================================================
6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: -> INQUIRE SENDISSUERCERT
6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- [ 44 20 30 82 07 3d 30 82 05 25 32 35 a0 03 02 01 02 02 01 00 30 25 30 44 06 09 [snip...]
6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- [ 44 20 31 1e 30 1c 06 03 55 04 0b 13 15 68 74 74 70 3a 2f 2f 77 77 77 2e 63 61 63 65 72 74 2e 6f 72 67 31 22 30 20 06 03 55 04 03 13 19 43 41 20 43 65 72 74 [snip...]
6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- END
6 - 2007-05-20 17:49:30 dirmngr[9060]: using OCSP responder `http://ocsp.cacert.org'
6 - 2007-05-20 17:49:31 dirmngr[9060]: OCSP responder at `http://ocsp.cacert.org' status: success
6 - 2007-05-20 17:49:31 dirmngr[9060.0x8080078] DBG: -> S ONLY_VALID_IF_CERT_VALID D6A20C9D62F2892DABCA9B67[snip]
6 - 2007-05-20 17:49:31 dirmngr[9060]: certificate status is: good (this=20070516T061242 next=20070520T165947)
6 - 2007-05-20 17:49:31 dirmngr[9060]: OCSP responder returned a non-current status
6 - 2007-05-20 17:49:31 dirmngr[9060]: now: 20070520T165931 this_update: 20070516T061242
6 - 2007-05-20 17:49:31 dirmngr[9060]: command ISVALID failed: Time conflict
6 - 2007-05-20 17:49:31 dirmngr[9060.0x8080078] DBG: -> ERR 167772199 Time conflict
4 - 2007-05-20 17:49:31 gpgsm[9059]: response of dirmngr: ec=10.39
4 - 2007-05-20 17:49:31 gpgsm[9059.0x80806a0] DBG: -> D crs:i:2048:1:CC3E6023C[snip...] 6F6D,CN=CAcert WoT User::%0Auid:i:::::::::: %0Auid:i::::::::::%0A
4 - 2007-05-20 17:49:32 gpgsm[9059.0x80806a0] DBG: -> OK
[client at fd 7 connected]
===========================================================
What's this "Time conflict" about? My cert is valid from 2007-04-23 to
2007-10-20.
Shall I disable "Validate Certificates Online" in Kmail's crypto preferences?
Is CRL preferable?
Grateful for your views on the above and any more suggestions. :)
--
Regards,
Mick
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Mick @ 2007-05-20 18:16 UTC
To: gentoo-user
On Sunday 20 May 2007 18:10, Mick wrote:
> On Sunday 20 May 2007 16:54, Jure Varlec wrote:
> > Hm, installing dirmngr should at least get rid of the "Not enough
> > information to check signature" problem. *shrugs*
> > I suggest you start kwatchgnupg, it listens on the gnupg socket and
> > displays all messages your apps send through there. It's the only way I
> > found to see what's actually going on, because kmail's and kleopatra's
> > error messages couldn't be less informative.
> >
> > Hopefully, that should give a clue as to what to do next.
>
> Thanks again Jure, I am getting this much now when I try to look at a
> message sent to me encrypted and signed with a cacert.org certificate:
> ============================================================
> [client at fd 4 connected]
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> Home: ~/.gnupg
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> Config: /home/michael/.gnupg/gpgsm.conf
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> AgentInfo: /tmp/gpg-IOOUO2/S.gpg-agent:7251:1
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> DirmngrInfo: [not set]
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> GNU Privacy Guard's S/M server 1.9.21 ready
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION display=:0.0
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION lc-ctype=C
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: <- OPTION lc-messages=C
> 4 - 2007-05-20 17:41:09 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- INPUT FD=15
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- OUTPUT FD=19
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- DECRYPT
> 4 - 2007-05-20 17:41:10 gpgsm[9033]: unsupported algorithm `1.2.840.113549.3.2'
> 4 - 2007-05-20 17:41:10 gpgsm[9033]: (this is the RC2 algorithm)
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> S ERROR decrypt.algorithm 50331732 1.2.840.113549.3.2
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> S DECRYPTION_FAILED
> 4 - 2007-05-20 17:41:10 gpgsm[9033]: message decryption failed: Unsupported algorithm
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> ERR 50331732 Unsupported algorithm
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: <- BYE
> 4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> OK closing connection
> [client at fd 4 disconnected]
> ============================================================
>
> I notice two things above; a) the DirmngrInfo: [not set] is telling me that
> the dirmngr has not been set yet - is this OK? and, b) gpgsm spits feathers
> when it sees the RC2 algorithm?!
>
> When I try to compose a message and select to use a cacert.org certificate
> I am getting these messages:
> ============================================================
> 4 - 2007-05-20 17:49:28 gpgsm[9059]: DBG: connection to agent established
> 4 - 2007-05-20 17:49:28 gpgsm[9059]: can't connect to the dirmngr - trying fall back
> 4 - 2007-05-20 17:49:28 gpgsm[9059]: no running dirmngr - starting `/usr/bin/dirmngr'
> 4 - 2007-05-20 17:49:28 gpgsm[9059]: DBG: connection to dirmngr established
> ============================================================
> which shows me that dirmngr is being brought up when required - probably
> the previous message about not being set is nothing to worry about then.
>
> Then I am getting dirmngr trying to connect to cacert.org to verify the
> certificate I am going to use:
> ===========================================================
> 6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: -> INQUIRE SENDISSUERCERT
> 6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- [ 44 20 30 82 07 3d 30 82 05 25 32 35 a0 03 02 01 02 02 01 00 30 25 30 44 06 09 [snip...]
> 6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- [ 44 20 31 1e 30 1c 06 03 55 04 0b 13 15 68 74 74 70 3a 2f 2f 77 77 77 2e 63 61 63 65 72 74 2e 6f 72 67 31 22 30 20 06 03 55 04 03 13 19 43 41 20 43 65 72 74 [snip...]
> 6 - 2007-05-20 17:49:30 dirmngr[9060.0x8080078] DBG: <- END
> 6 - 2007-05-20 17:49:30 dirmngr[9060]: using OCSP responder `http://ocsp.cacert.org'
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: OCSP responder at `http://ocsp.cacert.org' status: success
> 6 - 2007-05-20 17:49:31 dirmngr[9060.0x8080078] DBG: -> S ONLY_VALID_IF_CERT_VALID D6A20C9D62F2892DABCA9B67[snip]
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: certificate status is: good (this=20070516T061242 next=20070520T165947)
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: OCSP responder returned a non-current status
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: now: 20070520T165931 this_update: 20070516T061242
> 6 - 2007-05-20 17:49:31 dirmngr[9060]: command ISVALID failed: Time conflict
> 6 - 2007-05-20 17:49:31 dirmngr[9060.0x8080078] DBG: -> ERR 167772199 Time conflict
> 4 - 2007-05-20 17:49:31 gpgsm[9059]: response of dirmngr: ec=10.39
> 4 - 2007-05-20 17:49:31 gpgsm[9059.0x80806a0] DBG: -> D crs:i:2048:1:CC3E6023C[snip...] 6F6D,CN=CAcert WoT User::%0Auid:i:::::::::: %0Auid:i::::::::::%0A
> 4 - 2007-05-20 17:49:32 gpgsm[9059.0x80806a0] DBG: -> OK
> [client at fd 7 connected]
> ===========================================================
> What's this "Time conflict" about? My cert is valid from 2007-04-23 to
> 2007-10-20.
>
> Shall I disable "Validate Certificates Online" in Kmail's crypto
> preferences? Is CRL preferable?
>
> Grateful for your views on the above and any more suggestions. :)
OK, I also tried Validate with CRL and I am now getting a CRL related error:
=============================================================
5 - 2007-05-20 19:09:00 gpg-agent[7251]: handler 0x80c8820 for fd 0 terminated
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- ISVALID CDECFDC58640B7262B39CCB59B61E8EEFF2ED4D0.0380C6
7 - 2007-05-20 19:09:01 dirmngr[9532]: no CRL available for issuer id CDECFDC58640B7262B39CCB59B61E8EEFF2ED4D0
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: -> INQUIRE SENDCERT
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- [ 44 20 30 82 05 42 30 82 03 2a a0 03 02 01 02 02 03 03 80 c6 30 25 30 44 06 09 2a [snip ]
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- [ 44 20 1c 45 de 3e 49 63 5f 1f 65 58 03 4f 5c 08 82 ef cd b0 15 bd a7 2b 3e 58 76 [snip ]
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- END
7 - 2007-05-20 19:09:01 dirmngr[9532]: crl_fetch via issuer failed: Configuration error
7 - 2007-05-20 19:09:01 dirmngr[9532]: command ISVALID failed: Configuration error
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: -> ERR 167772275 Configuration error
6 - 2007-05-20 19:09:01 gpgsm[9531]: response of dirmngr: ec=10.115
6 - 2007-05-20 19:09:01 gpgsm[9531]: checking the CRL failed: Configuration error
6 - 2007-05-20 19:09:01 gpgsm[9531.0x80806a0] DBG: -> S INV_RECP 0 9964FAAE960AD708013D03A5CC3E6023CDC3E990
6 - 2007-05-20 19:09:01 gpgsm[9531.0x80806a0] DBG: -> ERR 167772275 Configuration error
6 - 2007-05-20 19:09:04 gpgsm[9531.0x80806a0] DBG: <- BYE
6 - 2007-05-20 19:09:05 gpgsm[9531.0x80806a0] DBG: -> OK closing connection
7 - 2007-05-20 19:09:05 dirmngr[9532.0x8080078] DBG: <- [EOF]
=============================================================
What should I use, OCSP or CRL, and if the latter, how am I supposed to configure
this?
--
Regards,
Mick
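Added example, not part of the thread and not GnuPG code: a small Python triage of the kwatchgnupg lines posted in the two messages above. It splits each numeric `ERR` value into its libgpg-error source and code, checks them against the `ec=` pairs gpgsm prints, and measures how old the OCSP response's `this_update` was when dirmngr reported "Time conflict". Function names and the `max_age_s` limit are hypothetical; the limit dirmngr actually applied is not shown in the thread.

```python
import re
from datetime import datetime

# Lines taken from the kwatchgnupg output in the thread, with the mail
# client's line wrapping undone.
SAMPLE_LOG = """\
4 - 2007-05-20 17:41:10 gpgsm[9033.0x80806a0] DBG: -> ERR 50331732 Unsupported algorithm
6 - 2007-05-20 17:49:31 dirmngr[9060]: certificate status is: good (this=20070516T061242 next=20070520T165947)
6 - 2007-05-20 17:49:31 dirmngr[9060]: OCSP responder returned a non-current status
6 - 2007-05-20 17:49:31 dirmngr[9060]: now: 20070520T165931 this_update: 20070516T061242
6 - 2007-05-20 17:49:31 dirmngr[9060.0x8080078] DBG: -> ERR 167772199 Time conflict
4 - 2007-05-20 17:49:31 gpgsm[9059]: response of dirmngr: ec=10.39
7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: -> ERR 167772275 Configuration error
6 - 2007-05-20 19:09:01 gpgsm[9531]: response of dirmngr: ec=10.115
"""

ERR_RE = re.compile(r"([\w-]+)\[[^\]]*\].*-> ERR (\d+) (.+)$")
EC_RE = re.compile(r"response of dirmngr: ec=(\d+)\.(\d+)")
STATUS_RE = re.compile(r"this=(\d{8}T\d{6}) next=(\d{8}T\d{6})")
NOW_RE = re.compile(r"now: (\d{8}T\d{6})\s+this_update: (\d{8}T\d{6})")

# libgpg-error source ids for the two components seen in these logs.
SOURCES = {3: "gpgsm", 10: "dirmngr"}


def decode_gpg_error(value):
    """Split a libgpg-error value into (source, code).

    The source sits in bits 24..30 and the code in the low 16 bits.
    """
    return (value >> 24) & 0x7F, value & 0xFFFF


def parse_errors(log):
    """Return one dict per '-> ERR <n> <text>' line in the log."""
    found = []
    for line in log.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        source, code = decode_gpg_error(int(m.group(2)))
        found.append({
            "reported_by": m.group(1),
            "source": source,
            "source_name": SOURCES.get(source, "other"),
            "code": code,
            "text": m.group(3),
        })
    return found


def unmatched_ec(log):
    """List 'ec=S.C' pairs from gpgsm that match no decoded ERR value."""
    decoded = {(e["source"], e["code"]) for e in parse_errors(log)}
    pairs = [(int(s), int(c)) for s, c in EC_RE.findall(log)]
    return [p for p in pairs if p not in decoded]


def _iso(ts):
    # Compact ISO timestamps as printed by dirmngr, e.g. 20070516T061242.
    return datetime.strptime(ts, "%Y%m%dT%H%M%S")


def ocsp_freshness(log):
    """Compare the 'now' dirmngr printed with this_update and next."""
    now_m, status_m = NOW_RE.search(log), STATUS_RE.search(log)
    if not (now_m and status_m):
        return None
    now, this_update = _iso(now_m.group(1)), _iso(now_m.group(2))
    next_update = _iso(status_m.group(2))
    return {
        "age_s": int((now - this_update).total_seconds()),
        "until_next_s": int((next_update - now).total_seconds()),
    }


def response_is_current(fresh, max_age_s, skew_s=0):
    """Hypothetical freshness rule: this_update no older than the limit."""
    return fresh["age_s"] <= max_age_s + skew_s


if __name__ == "__main__":
    for e in parse_errors(SAMPLE_LOG):
        print(f'{e["reported_by"]}: source={e["source"]} '
              f'({e["source_name"]}) code={e["code"]} "{e["text"]}"')
    print("ec= pairs without a matching ERR:", unmatched_ec(SAMPLE_LOG))
    fresh = ocsp_freshness(SAMPLE_LOG)
    print(f'this_update age: {fresh["age_s"] / 86400:.2f} days, '
          f'next update in {fresh["until_next_s"]} s')
```

The decoded values line up with the log itself: 167772199 is source 10, code 39 (`ec=10.39`), and the "Time conflict" concerns the age of the OCSP response's `this_update`, not the certificate's own validity period.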
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Jure Varlec @ 2007-05-21 13:25 UTC
To: gentoo-user
On Sunday 20 of May 2007 20:16:43 Mick wrote:
> OK, I also tried Validate with CRL and I am now getting a CRL related
> error:
> =============================================================
> 5 - 2007-05-20 19:09:00 gpg-agent[7251]: handler 0x80c8820 for fd 0 terminated
> 7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- ISVALID CDECFDC58640B7262B39CCB59B61E8EEFF2ED4D0.0380C6
> 7 - 2007-05-20 19:09:01 dirmngr[9532]: no CRL available for issuer id CDECFDC58640B7262B39CCB59B61E8EEFF2ED4D0
> 7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: -> INQUIRE SENDCERT
> 7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- [ 44 20 30 82 05 42 30 82 03 2a a0 03 02 01 02 02 03 03 80 c6 30 25 30 44 06 09 2a [snip ]
> 7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- [ 44 20 1c 45 de 3e 49 63 5f 1f 65 58 03 4f 5c 08 82 ef cd b0 15 bd a7 2b 3e 58 76 [snip ]
> 7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: <- END
> 7 - 2007-05-20 19:09:01 dirmngr[9532]: crl_fetch via issuer failed: Configuration error
> 7 - 2007-05-20 19:09:01 dirmngr[9532]: command ISVALID failed: Configuration error
> 7 - 2007-05-20 19:09:01 dirmngr[9532.0x8080078] DBG: -> ERR 167772275 Configuration error
> 6 - 2007-05-20 19:09:01 gpgsm[9531]: response of dirmngr: ec=10.115
> 6 - 2007-05-20 19:09:01 gpgsm[9531]: checking the CRL failed: Configuration error
> 6 - 2007-05-20 19:09:01 gpgsm[9531.0x80806a0] DBG: -> S INV_RECP 0 9964FAAE960AD708013D03A5CC3E6023CDC3E990
> 6 - 2007-05-20 19:09:01 gpgsm[9531.0x80806a0] DBG: -> ERR 167772275 Configuration error
> 6 - 2007-05-20 19:09:04 gpgsm[9531.0x80806a0] DBG: <- BYE
> 6 - 2007-05-20 19:09:05 gpgsm[9531.0x80806a0] DBG: -> OK closing connection
> 7 - 2007-05-20 19:09:05 dirmngr[9532.0x8080078] DBG: <- [EOF]
> =============================================================
>
> What should I use, OCSP or CRL, and if the latter, how am I supposed to
> configure this?
Ugh. Well, they say a picture is worth a thousand words:
http://imgs.xkcd.com/comics/unspeakable_pun.jpg
Now that I checked with some random signed mails on this list, it turns out my
setup shows exactly the same symptoms as yours, i.e. it can't download
certain CRLs and cacert's OCSP doesn't work. To be frank, what I really needed
S/MIME to work for are the bills my telco issues through e-mail. After
installing dirmngr and the relevant certificate, kmail recognizes signature in
their bills correctly.
Funny thing is, kleopatra can and does download certain CRLs correctly using
URLs embedded in a certificate, but can't do so for some others. And even if
it can download a CRL, it then can't download the issuer certificate which
makes it a bit useless. I haven't a clue how to proceed, as documentation
seems a bit scarce.
As there are people on this list who use S/MIME signatures I guess it can be
made to work. Perhaps someone could chime in?
Regards
Jure
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Mick @ 2007-05-23 21:57 UTC
To: gentoo-user
On Monday 21 May 2007 14:25, Jure Varlec wrote:
> On Sunday 20 of May 2007 20:16:43 Mick wrote:
> > OK, I also tried Validate with CRL and I am now getting a CRL related
> > error: =============================================================
> Now that I checked with some random signed mails on this list, it turns out
> my setup shows exactly the same symptoms as yours, i.e. it can't download
> certain CRLs and cacert's OCSP doesn't work. To be frank, what I really
> needed S/MIME to work for are the bills my telco issues through e-mail.
> After installing dirmngr and the relevant certificate, kmail recognizes
> signature in their bills correctly.
>
> Funny thing is, kleopatra can and does download certain CRLs correctly
> using URLs embedded in a certificate, but can't do so for some others. And
> even if it can download a CRL, it then can't download the issuer
> certificate which makes it a bit useless. I haven't a clue how to proceed,
> as documentation seems a bit scarce.
Are you sure it is meant to download the issuer certificate? I assume it may
do that if you have ticked "Fetch missing issuer certificates" under the
Kmail preferences, but I am not sure how Kmail would know where to fetch a
certificate from (unless there's an x509 extension that you can enter when
creating the certificate?).
> As there are people on this list who use S/MIME signatures I guess it can
> be made to work. Perhaps someone could chime in?
Yes please! Has anyone managed to get Kmail to work?
BTW, I can report that Kleopatra/gpgsm refuses to import pkcs12 bundles which
have had a public key encrypted with triple des, instead of the default RC2
40.
--
Regards,
Mick
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Elias Probst @ 2007-05-20 17:20 UTC
To: gentoo-user
On Sunday 20 May 2007 14:53:06 Jure Varlec wrote:
> As for the solution, it seems Kleopatra wants app-crypt/dirmngr, emerging
> it solved my problem. I'm not sure why relevant KDE apps don't depend on
> it.
If kleopatra and other KDE apps really need dirmngr and it's not yet set as a
dependency in the ebuilds, please report this to bugs.gentoo.org
Thanks!
Elias P.
--
A really nice number:
"09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0"
* Re: [gentoo-user] OpenSSL certificates and Kmail
From: Jure Varlec @ 2007-05-21 13:30 UTC
To: gentoo-user
On Sunday 20 of May 2007 19:20:11 Elias Probst wrote:
> On Sunday 20 May 2007 14:53:06 Jure Varlec wrote:
> > As for the solution, it seems Kleopatra wants app-crypt/dirmngr, emerging
> > it solved my problem. I'm not sure why relevant KDE apps don't depend on
> > it.
>
> If kleopatra and other KDE apps really need dirmngr and it's not yet set as
> a dependency in the ebuilds, please report this to bugs.gentoo.org
>
> Thanks!
>
> Elias P.
Oh, I certainly would. The problem is I'm not quite sure that it is really a
bug. Debug output suggests the preferred way to handle this isn't the dirmngr
binary, but a service; the binary is merely a fallback. I don't know enough
to determine which package provides it. S/MIME certs are black magic to me: I
understand the principle, but the implementation is horrific from my point of
view.
Regards
Jure