https://bugs.kde.org/show_bug.cgi?id=339385
Bug ID:    339385
Summary:   Kleopatra (and KMail) need about 5 minutes to receive CRLs when CACert certificates are involved
Product:   kleopatra
Version:   2.1.1
Platform:  Other
OS:        Linux
Status:    UNCONFIRMED
Severity:  normal
Priority:  NOR
Component: general
Assignee:  kdepim-bugs@kde.org
Reporter:  kolafl...@kolahilft.de
CC:        m...@kde.org

Load some CACert certificates into your Kleopatra.
http://www.cacert.org

Then configure Kleopatra to use CRLs instead of OCSP. (This was actually the default on my system)

Settings => Configure Kleopatra => S/MIME
  Check certificate validity every: hour
  Validate certificates using CRLs: YES

Now completely quit Kleopatra (also the icon in the KDE Control-Bar). Also quit KMail and every other application which might use x509 certificates at the moment (for me it was KMail and Kleopatra).

Then quit all "dirmngr" instances. For example by using:
> pkill -e dirmngr

Then clear the "dirmngr" cache:
> dirmngr --flush

Kill "dirmngr" again, just to be sure it doesn't still use any old cache data.

If you now start Kleopatra, all certificate lists will be shown empty!!! There is no information to the user why this is happening.

Actually, in the background "dirmngr" is used to load the CRLs from CACert. If you run:
> netstat -np | grep 'dirmngr'
you'll see a connection to "213.154.225.236", which is "crl.cacert.org".

You can use tcpdump to see what it's doing:
> sudo /usr/sbin/tcpdump -n -v -i any host 213.154.225.236

For me it takes about 5 minutes until this process is finished. Until this happens, no certificates are shown in Kleopatra at all. After that time, all my certificates are back again in Kleopatra. None of them has been lost, but it really looked like that for the last 5 minutes!

There should be a notification to the user! For example:
> Your certificates have not been deleted! Just be a little patient, I'm
> receiving "Certificate Revocation Lists" from the Server to find out if any
> certificate became invalid.

KMail also suffers from that problem if dirmngr is receiving the CRLs in the background (because the cache was flushed or the "Check certificate validity every ..." time interval ran out).

If you read an S/MIME signed email, KMail will tell you:
> Please wait while the signature is being verified...
That's OK, but it should add: "This may take several minutes, if CRLs have to be refreshed from server".

If you answer an S/MIME signed+encrypted email, KMail will hang completely and nothing will happen until "dirmngr" has completed its work. There isn't even a message telling me why KMail hangs. And by the way, my whole KMail is blocked for that time. I can't even work on other emails, unless I kill and restart KMail.

Reproducible: Always