wurstsemmel wrote: > thanks for your fast reply. Before I can write the bug report, I should > somehow verify, that KMail is definitely requesting AES. > > I should add, that MS OE shows 3DES as "preferred algorithm from the > sender" (sorry, this is translated from the German localized OE > version), if you send an eMail from Tb. If you send an eMail from KMail > to MS OE, it shows *40.1.101.3.4.1.2 as "preferred algorithm from the > sender" I think that this number corresponds to AES,
Googling for 2.16.840.1.101.3.4.1.2 reveals it is id-aes128-CBC. See <http://www.alvestrand.no/objectid/2.16.840.1.101.3.4.1.2.html> NSS knows about this OID, with a symbol named SEC_OID_AES_128_CBC But it doesn't appear to be USED anywhere in libSMIME. See <http://mxr.mozilla.org/security/search?string=SEC_OID_&find=smime%2F&findi=&filter=&tree=security> It needs to be added to this table: <http://mxr.mozilla.org/security/source/security/nss/lib/smime/smimeutil.c#146> and perhaps elsewhere. >> There are several separate issues here: >> >> 1) NSS is not matching on AES. - This is the biggest issue. >> 2) For some reason NSS is not negotiating 3DES (is KMail sending 3DES >> in the profile. If not, that's a KMail bug). > > How to have a look in this profile? NSS's "pp" (pretty print) program will decode it from a PKCS#7 message. You could send me a signed message from that KMail tool, and I could show you what NSS sees in it. (With your permission, I'd post the output to this list.) (Remove NO and SPAM from my email address shown above.) > Am I right, that I should write the bug report on 1). What about 3), > shall I write a 2nd bug report? Surely. File bugs. There is a Google Summer-of-code student who is planning on working on NSS's libSMIME this summer. I think this is one of the things on his list, but if you file a bug on it, it won't get forgotten. >> 1. Disabling weak crypto by default is a decision we should make >> independent of KMail interoperability. >> 2. If KMail is sending AES in the profile, NSS should be using it. >> (potential AES bug). libSMIME bug. >> 3. It looks like KMail is not sending all of it's profile information, >> particularly 3DES (KMail bug). >> 4. The S/MIME spec requires accepting RC2-40 by all S/MIME >> implementations. KMail clearly falls down there. Yes, IMO these last two points are clearly KMail issues. > Once more to be sure: 1. and 2. should be mentioned in 2 bug reports? Don't file a bug on 2 until you (we) have proof that KMail is including 3DES in the profile. >> KMail will face the same interoperability problems with OE, which runs >> home to RC2-40 much more often than NSS... > > The problems with OE are the same! Well, that points pretty strongly at KMail then. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
