SMIME cert issues

otrsnasahelp
Znuny newbie
Posts: 2
Joined: 30 Jul 2015, 18:54
Znuny Version: 4.0.10

SMIME cert issues

Post by otrsnasahelp »

We have several problems:

1. We cannot sign emails to multiple users at once. This means we apparently cannot send encrypted emails to more than one user at a time.

2. The x509 alternate names are not being used. It picks a totally random name and consistently uses it to assign as the email address recipient for a certificate. Despite specifying a specific email address in a user configuration and explicitly specifying a cert to sign the email to, that email address is not used, despite being in the certificate as an alternate name.

3. The same as 2 is true for signing emails with a key. I can only sign an email with exactly one email address, and that email address is one that was consistently but randomly chosen by OTRS as the origin of the email.

We cannot even begin testing OTRS until we have a resolution to these critical functions of the platform. How can these be resolved?
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: SMIME cert issues

Post by jojo »

otrsnasahelp wrote: 1. We cannot sign emails to multiple users at once. This means we apparently cannot send encrypted emails to more than one user at a time.
That's a known missing functionality and is planned to be changed in a future release as an enhancement.

otrsnasahelp wrote: 2. The x509 alternate names are not being used. It picks a totally random name and consistently uses it to assign as the email address recipient for a certificate. Despite specifying a specific email address in a user configuration and explicitly specifying a cert to sign the email to, that email address is not used, despite being in the certificate as an alternate name.
Can you post the output of

openssl x509 -in your_pub_certificate -noout -subject_hash -issuer -fingerprint -sha1 -serial -subject -startdate -enddate -email -modulus
otrsnasahelp wrote: We cannot even begin testing OTRS until we have a resolution to these critical functions of the platform. How can these be resolved?
I really doubt this; there are several companies and government agencies using OTRS with S/MIME and/or PGP. If you need special functionality, you might need to order development for the enhancement or fix it yourself and contribute it back.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
otrsnasahelp
Znuny newbie
Posts: 2
Joined: 30 Jul 2015, 18:54
Znuny Version: 4.0.10

Re: SMIME cert issues

Post by otrsnasahelp »

openssl x509 -in /tmp/frank -noout -subject_hash -issuer -fingerprint -sha1 -serial -subject -startdate -enddate -email -modulus
---
f10da16d
issuer= /C=US/O=U.S. Government/OU=NASA/OU=Certification Authorities/OU=NASA Operational CA
SHA1 Fingerprint=2C:E7:E6:B1:60:61:EB:CA:4E:71:8E:CF:02:B4:AA:B2:3B:5F:33:81
serial=535CB9AC
subject= /C=US/O=U.S. Government/OU=NASA/OU=People/UID=faw2/CN=F W (affiliate)
notBefore=Jul 28 16:34:24 2014 GMT
notAfter=Jul 28 17:04:24 2017 GMT
f.a.w.1@gsfc.nasa.gov.
f.a.w@nasa.gov.
f.w@nasa.gov.
faw2@mail.nasa.gov
Modulus=...
---

I have removed the full email address for the user in question. The _only_ address that is picked up by OTRS is f.a.w.1@gsfc.nasa.gov., which isn't even a deliverable address but in the cert for archival purposes. The same is true when using my cert as well, and all other certs we have imported. None of the alternate names can be used, and the name that is picked out by OTRS doesn't even follow a consistent pattern.
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: SMIME cert issues

Post by jojo »

I checked the code. Actually, only one address can be used in the certificate. It might be a quite small patch to get this fixed. I suggest opening a bug via http://bugs.otrs.org, but actually I would consider it an enhancement.
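The thread ends with jojo's finding that OTRS only keeps one address per certificate, even though the `openssl x509 -email` command he asked for already lists every address the certificate carries (the subject emailAddress attribute plus every rfc822Name in subjectAltName). The script below is an added example, not OTRS/Znuny code and not a patch for it: it shows what a lookup that honours all of those names looks like, so a recipient can be matched against a certificate through any of its addresses. It assumes `openssl` 1.1.1 or newer is on PATH (for `req -addext`), and the two demo certificates, their names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not OTRS/Znuny code): index every e-mail address in a
# certificate, subject emailAddress and SAN rfc822Name alike, so that a
# recipient can be matched on any of its names rather than on one of them.
# Assumes `openssl` 1.1.1+ is on PATH; certificate names below are made up.

# Print every e-mail address carried by the certificate in $1, one per line.
# `openssl x509 -email` walks both the subject emailAddress attribute and
# the subjectAltName rfc822Name entries, so no alternate name is dropped.
cert_emails() {
    openssl x509 -in "$1" -noout -email
}

# Given a directory of PEM certificates ($1) and a recipient address ($2),
# print the path of the first certificate that carries that address under
# any of its names and return 0; return 1 if none does. The comparison is
# case-insensitive and whole-line, so "f.w@example.org." (an archival name
# with a trailing dot, as in the thread) never matches "f.w@example.org".
find_cert_for() {
    dir=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for cert in "$dir"/*.pem; do
        if cert_emails "$cert" | tr 'A-Z' 'a-z' | grep -qxF -- "$want"; then
            echo "$cert"
            return 0
        fi
    done
    return 1
}

# Build a constructed demo certificate set under $1: two self-signed
# certificates, each carrying several addresses, mirroring the multi-name
# certificates discussed in the thread. Keys are throwaway RSA-2048.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    # Frank: no subject emailAddress, three SAN rfc822Names, one of them an
    # archival name with a trailing dot that is not a deliverable mailbox.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/frank.key" -out "$dir/frank.pem" \
        -subj "/O=Example Org/CN=Frank W" \
        -addext "subjectAltName=email:f.w.archive@old.example.org.,email:f.w@example.org,email:frank.w@mail.example.org" \
        >/dev/null 2>&1
    # Alice: one address in the subject, another in the SAN.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/alice.key" -out "$dir/alice.pem" \
        -subj "/O=Example Org/CN=Alice A/emailAddress=alice@example.org" \
        -addext "subjectAltName=email:alice.a@mail.example.org" \
        >/dev/null 2>&1
}

# Stand-alone demonstration: list Frank's names, then resolve a SAN name,
# a subject name and an unknown name against the demo set.
demo() {
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    echo "addresses in frank.pem:"
    cert_emails "$tmp/frank.pem"
    echo "cert for f.w@example.org: $(find_cert_for "$tmp" f.w@example.org || echo none)"
    echo "cert for alice@example.org: $(find_cert_for "$tmp" alice@example.org || echo none)"
    echo "cert for nobody@example.org: $(find_cert_for "$tmp" nobody@example.org || echo none)"
    rm -rf "$tmp"
}
demo
```

The design point is that the address list is taken from the certificate as a whole, not from whichever name happens to come first in the OpenSSL output; a certificate whose first listed name is an archival one, as in the NASA example above, still resolves correctly for the deliverable addresses, and the archival name simply never matches anything.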