[kleopatra] [Bug 339385] New: Kleopatra (and KMail) need about 5 minutes to receive CRLs when CACert certificates are involved

kolAflash kolAflash at kolahilft.de
Thu Sep 25 16:24:02 BST 2014


https://bugs.kde.org/show_bug.cgi?id=339385

            Bug ID: 339385
           Summary: Kleopatra (and KMail) need about 5 minutes to receive
                    CRLs when CACert certificates are involved
           Product: kleopatra
           Version: 2.1.1
          Platform: Other
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: kdepim-bugs at kde.org
          Reporter: kolAflash at kolahilft.de
                CC: mutz at kde.org

Load some CACert certificates into your Kleopatra.

http://www.cacert.org


Then configure Kleopatra to use CRLs instead of OCSP.
(This was actually the default on my system)

Settings => Configure Kleopatra => S/MIME
Check certificate validity every: hour
Validate certificates using CRLs: YES


Now completely quit Kleopatra (also the icon in the KDE Control-Bar).
Also quit KMail and every other application which might use X.509 certificates
at the moment (for me it was KMail and Kleopatra).

Then quit all "dirmngr" instances. For example by using:
> pkill -e dirmngr

Then clear the "dirmngr" cache:
> dirmngr --flush

Kill "dirmngr" again, just to be sure it doesn't still use any old cache data.


If you now start Kleopatra, all certificate lists will be shown empty!!!

There is no information to the user why this is happening.
Actually in the background "dirmngr" is used to load the CRLs from CACert. If you
run:

> netstat -np | grep 'dirmngr'

you'll see a connection to "213.154.225.236" which is "crl.cacert.org".
You can use tcpdump to see what it's doing:

> sudo /usr/sbin/tcpdump -n -v -i any host 213.154.225.236

For me it takes about 5 minutes until this process is finished. Until this
happens, no certificates are shown in Kleopatra at all.

After that time, all my certificates are back again in Kleopatra. None of them
has been lost, but it really looked like that for the last 5 minutes!


There should be a notification to the user!
For example:
> Your certificates have not been deleted! Just be a little patient, I'm receiving "Certificate Revocation Lists" from the Server to find out if any certificate became invalid.



KMail also suffers from that problem, if dirmngr is receiving the CRLs in the
background (because the cache was flushed or the "Check certificate validity
every ..." time interval ran out).
If you read an S/MIME signed email, KMail will tell you:

> Please wait while the signature is being verified...

That's OK, but it should add: "This may take several minutes, if CRLs have to
be refreshed from server".

If you answer an S/MIME signed+encrypted email, KMail will hang completely and
nothing will happen until "dirmngr" has completed its work.
There isn't even a message telling me why KMail hangs.
And by the way my whole KMail is blocked for that time. I can't even work on
other emails, unless I kill and restart KMail.

Reproducible: Always
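The behaviour the report asks for (keep showing the known certificates and tell the user that revocation data is still being fetched, instead of an empty list or a hang) can be modelled as an added example. This is illustration code, not Kleopatra's or KMail's; the slow CRL check is a constructed stand-in for dirmngr's download.

```python
"""Added example: a certificate view that runs the revocation check in the
background and reports 'pending' rather than hiding the list or blocking."""
import threading
import time

PENDING_NOTICE = ("Your certificates have not been deleted. Certificate "
                  "Revocation Lists are still being downloaded; this may "
                  "take several minutes.")


class CertificateView:
    """Keeps the last known certificate list visible while a slow revocation
    check (CRL download) runs in a worker thread."""

    def __init__(self, certificates, check_revocation):
        self.certificates = list(certificates)  # shown immediately, never blanked
        self._check = check_revocation          # slow callable: cert -> True if revoked
        self._revoked = None                    # None until the check has finished
        self._thread = None

    def start_validation(self):
        self._revoked = None
        self._thread = threading.Thread(target=self._run_check, daemon=True)
        self._thread.start()

    def _run_check(self):
        # Assigned only once the whole check is done, so a partial result is never shown.
        self._revoked = {c for c in self.certificates if self._check(c)}

    def wait(self, timeout=None):
        """Blocks at most `timeout` seconds; returns True if the check finished."""
        self._thread.join(timeout)
        return not self._thread.is_alive()

    def render(self):
        """Returns (status, certificates to display, notice for the user)."""
        if self._revoked is None:
            return ("pending", self.certificates, PENDING_NOTICE)
        return ("validated", [c for c in self.certificates if c not in self._revoked], None)


def slow_crl_check(delay, revoked_serials):
    """Constructed stand-in for a CRL fetch: sleeps `delay` seconds per certificate,
    then answers whether its serial is on the (constructed) revocation list."""
    def check(cert):
        time.sleep(delay)
        return cert in revoked_serials
    return check


if __name__ == "__main__":
    view = CertificateView(["serial-01", "serial-02"], slow_crl_check(1.0, {"serial-02"}))
    view.start_validation()
    print(view.render())   # pending: list still shown, with the notice
    view.wait()
    print(view.render())   # validated: the revoked certificate is filtered out
```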



