GNOME Bugzilla – Bug 783463
S/MIME decode and compose doesn't work with multiple Certificate Subject Alt Name
Last modified: 2018-05-31 09:32:51 UTC
Created attachment 353242 [details] personal certificate Evolution is not able to sign or encrypt message, because it won't find correct certificate when e-mail address is not in Subject of certificate but correct email address is located in Certificate Subject Alt Name My certificate attached. Feel free to email me test messages using this certificate. Best regards David Rohleder
Thanks for a bug report. I tried to reproduce it, but no luck. I can encrypt to any of the three addresses stored in your certificate without any issue here. This is with current development version (after 3.25.2 release), but it might be the same as 3.24.x series. I do not see any relevant change in the code which would break this, furthermore, the code in question didn't change for years, thus it surely applies for 3.22.x as well. The S/MIME is handled with NSS/NSPR. Maybe it rejects the certificate due to not having set trust for it? An exact error message would help, thus if you can provide it, then it'll be helpful. Just in case, I use nss-3.28.3-1.1.fc25.x86_64 nspr-4.13.1-1.fc25.x86_64 and I have set to trust the certificate and all checked in certificate authority trust, as can be seen in Evolution in Edit->Preferences->Certificates->Contact Certificates->Edit button, and there eventually Edit CA Trust button.
(In reply to Milan Crha from comment #1) > Thanks for a bug report. I tried to reproduce it, but no luck. I can encrypt > to any of the three addresses stored in your certificate without any issue > here. This is with current development version (after 3.25.2 release), but > it might be the same as 3.24.x series. I do not see any relevant change in > the code which would break this, furthermore, the code in question didn't > change for years, thus it surely applies for 3.22.x as well. > > The S/MIME is handled with NSS/NSPR. Maybe it rejects the certificate due to > not having set trust for it? An exact error message would help, thus if you > can provide it, then it'll be helpful. > > Just in case, I use > nss-3.28.3-1.1.fc25.x86_64 > nspr-4.13.1-1.fc25.x86_64 > and I have set to trust the certificate and all checked in certificate > authority trust, as can be seen in Evolution in > Edit->Preferences->Certificates->Contact Certificates->Edit button, and > there eventually Edit CA Trust button. Hello, thank you for your answer. Certificate I have sent you is my own certificate which doesn't have option "do not trust" :-) I am using evolution 3.22.6, which is a default version for Ubuntu 17.04. Can you give me a tip for linux distribution with current evolution version? I will try it with newer version (I am not able to compile newer version of evolution on my current system as it requires quite a lot of development dependencies) Thank you
Maybe not the best, but for me closest is Fedora, for which I can create test packages for testing, this if you'd have a virtual machine with it installed, then it'll be probably the easiest way to go. You can download either prerelease [1], to get the latest version (Beta will be released on the June 13th), or get even the Fedora 25, which I currently use [2]. Could you provide the error message evolution gives you when you try to sent the message when sign and/or encrypt with the certificate, please? Ideally run evolution from a command line like this: $ LANG=C evolution and then reproduce the issue. Thanks in advance. [1] https://getfedora.org/en/workstation/prerelease/ [2] https://getfedora.org/en/workstation/download/
The encryption had been addressed within bug #763029. Signing is done differently, there's used the nickname of the certificate, as chosen in account Properties in Security tab. I'm closing this as a duplicate of the older bug report. *** This bug has been marked as a duplicate of bug 763029 ***