[kleopatra] [Bug 339385] Kleopatra (and KMail) need about 5 minutes to receive CRLs when CACert certificates are involved

Andre Heinecke aheinecke at intevation.de
Tue Jul 7 17:21:09 BST 2015


https://bugs.kde.org/show_bug.cgi?id=339385

Andre Heinecke <aheinecke at intevation.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aheinecke at intevation.de
     Ever confirmed|0                           |1
           Assignee|kdepim-bugs at kde.org         |aheinecke at intevation.de
            Version|2.1.1                       |git master
             Status|UNCONFIRMED                 |ASSIGNED

--- Comment #1 from Andre Heinecke <aheinecke at intevation.de> ---
The problem here is the following:
- Kleopatra wants to get the information which S/MIME Certificates are trusted
and which are not. To get this information it used GPGME_KEYLIST_MODE_VALIDATE.
This is the only keylist mode that did Trustchain checks.
- When GPGME_KEYLIST_MODE_VALIDATE is used gpgsm also does CRL checks on the
certificates.

This is bad for a full keylisting. I have ~60 S/MIME Certs in my keyring and
even with all CRLs cached it took 1m40s to list all certificates because of
CRL Checks for expired / broken certificates where dirmngr was unable to obtain
a CRL and thus could not cache it and ran into timeouts each time.

But even without broken certificates, the mentioned CACert certificates can
take ages.

Disabling CRL checks altogether is obviously bad and cannot be the default. We
want a CRL check when we encrypt to a certificate or verify a signature from a
certificate. As this is the usual workaround for this bug though, this bug is
probably compromising security a bit.

To properly fix this we will disable CRL checks for the initial keylisting but
leave them active for normal operations. This is a bit involved as it requires
API changes to GnuPG, GpgME, GpgME++ and Kleopatra.

We are currently working on this. (That's why I take this bug.)

The first change required for this was part of gnupg 2.1.6
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2c9c46e2a2b8f9a1bdc1ef46a135b5fc7d1a8073

There's also a patch available for gpgme:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=patches/gpgme-1.5.5/0001-Add-offline-mode-support-for-CMS-keylisting.patch

I also have uncommitted patches available for gpgme++ and kleopatra. But this
depends on getting the patch into gpgme first.

A fix for this will probably be part of the next gpg4win release.

For GNU/Linux it might make sense only to fix this for KDE 5 as it depends on
GnuPG 2.1 which is not yet part of the stable distributions.
