From 9b75146b2623d06bbd51ad6c80a7c39a1a5f02d7 Mon Sep 17 00:00:00 2001 From: Pawel Boguslawski Date: Fri, 6 Jun 2025 20:21:19 +0200 Subject: [PATCH 1/3] Add parameter SMIME::NoDefaultCA and remove unnecessary parameter Znuny does not disable OS default CA certificate sources on S/MIME verification which may lead to different verification results in different environments with same certs in `SMIME::CertPath`. For example: signature not trusted in Debian 11 may be trusted after upgrade to Debian 12 where default trust was modified: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805646 This mod adds `SMIME::NoDefaultCA` (disabled by default for backward compatibility) to allow one to skip default OS CAs on S/MIME verification (and use trust only CAs in `SMIME::CertPath` like in Debian 11). This mod also removes unnecessary parameter from `openssl smime -verify` command. Related: https://docs.openssl.org/master/man1/openssl-verification-options/#trusted-certificate-options Author-Change-Id: IB#1161846 Signed-off-by: Pawel Boguslawski
---
 CHANGES.md | 3 +++
 Kernel/Config/Defaults.pm | 1 +
 Kernel/Config/Files/XML/Framework.xml | 7 +++++++
 Kernel/System/Crypt/SMIME.pm | 18 ++++++++++++++++--
 4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index a6e8c13ee3..b5b7a34a05 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,6 @@
+# ?.?.? ????-??-??
+ - 2025-06-06 Added parameter SMIME::NoDefaultCA to allow disable loading of default CA certificates on S/MIME verification.
+
 # 6.5.15 2025-04-30
 - 2025-04-24 Fixed bug - Setting the password does not reset preferences UserLoginFailed and UserLastPwChangeTime.
 - 2025-04-16 Updated Net::IMAP::Simple to latest version from GitHub. Thanks to @dandanpena. [PR#155](https://github.com/znuny/Znuny/pull/155)
diff --git a/Kernel/Config/Defaults.pm b/Kernel/Config/Defaults.pm
index 40d52e7775..b495902d24 100644
--- a/Kernel/Config/Defaults.pm
+++ b/Kernel/Config/Defaults.pm
@@ -1127,6 +1127,7 @@ sub LoadDefaults { # $Self->{'SMIME::CertPath'} = '/etc/ssl/certs'; # $Self->{'SMIME::PrivatePath'} = '/etc/ssl/private'; +# $Self->{'SMIME::NoDefaultCA'} = 0; # --------------------------------------------------- # # system permissions diff --git a/Kernel/Config/Files/XML/Framework.xml b/Kernel/Config/Files/XML/Framework.xml index 2bf4a42f40..13c96e2973 100644 --- a/Kernel/Config/Files/XML/Framework.xml +++ b/Kernel/Config/Files/XML/Framework.xml @@ -3095,6 +3095,13 @@ 0 + + When enabled, no default CA certificates on S/MIME verification will be used. + Core::Crypt::SMIME + + 0 + + Specifies the name that should be used by the application when sending notifications. The sender name is used to build the complete display name for the notification master (i.e. "OTRS Notifications" otrs@your.example.com). Core::Email diff --git a/Kernel/System/Crypt/SMIME.pm b/Kernel/System/Crypt/SMIME.pm index a2825eb358..bb56e86518 100644 --- a/Kernel/System/Crypt/SMIME.pm +++ b/Kernel/System/Crypt/SMIME.pm @@ -1,6 +1,7 @@ # -- # Copyright (C) 2001-2021 OTRS AG, https://otrs.com/ # Copyright (C) 2021 Znuny GmbH, https://znuny.org/ +# Copyright (C) 2025 Informatyka Boguslawski sp. z o.o. sp.k., https://www.ib.pl/ # -- # This software comes with ABSOLUTELY NO WARRANTY. For details, see # the enclosed file COPYING for license information (GPL). If you 
@@ -541,8 +542,21 @@ sub Verify {
 $NoVerifyOption = '-noverify';
 }
 
- my $Options = "smime -verify $NoVerifyOption -in $SignedFile -out $VerifiedFile -signer $SignerFile "
- . "-CApath $Self->{CertPath} $CertificateOption $SignedFile";
+ # Don't use default CA certs on S/MIME verification if SMIME::NoDefaultCA is enabled.
+ # See also https://docs.openssl.org/master/man1/openssl-verification-options/#trusted-certificate-options
+ my $NoDefaultCAOptions = '';
+ if ( $ConfigObject->Get('SMIME::NoDefaultCA') ) {
+ $NoDefaultCAOptions = '-no-CAfile -no-CApath';
+ if ( $Self->{OpenSSLMajorVersion} >= 3 ) {
+
+ # Disable also default certificates store (option available in OpenSSL 3+).
+ $NoDefaultCAOptions = $NoDefaultCAOptions . ' -no-CAstore';
+ }
+ }
+
+ my $Options
+ = "smime -verify $NoVerifyOption $NoDefaultCAOptions -in $SignedFile -out $VerifiedFile -signer $SignerFile "
+ . "-CApath $Self->{CertPath} $CertificateOption";
 
 my @LogLines = qx{$Self->{Cmd} $Options 2>&1};
 for my $LogLine (@LogLines) {
From c11e72f57b21fa543613ab15289622f607cf574a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bogus=C5=82awski?= Date: Fri, 6 Jun 2025 22:11:28 +0200 Subject: [PATCH 2/3] Update CHANGES.md
---
 CHANGES.md | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index b5b7a34a05..a6e8c13ee3 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,3 @@
-# ?.?.? ????-??-??
- - 2025-06-06 Added parameter SMIME::NoDefaultCA to allow disable loading of default CA certificates on S/MIME verification.
-
 # 6.5.15 2025-04-30
 - 2025-04-24 Fixed bug - Setting the password does not reset preferences UserLoginFailed and UserLastPwChangeTime.
 - 2025-04-16 Updated Net::IMAP::Simple to latest version from GitHub. Thanks to @dandanpena. [PR#155](https://github.com/znuny/Znuny/pull/155)
From 4a416e363120bbf09104eaed06c69153ac58305a Mon Sep 17 00:00:00 2001
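Review bot: The new `if ( $Self->{OpenSSLMajorVersion} >= 3 )` check fails open when the version is undefined or was not parsed: the comparison is false, `-no-CAstore` is left off, and an OpenSSL 3 binary would still consult the default certificate store although `SMIME::NoDefaultCA` is enabled. Where `OpenSSLMajorVersion` is set is not visible here (`Verify` begins and ends outside this hunk), so if it can be empty I would add a guard such as `if ( !$Self->{OpenSSLMajorVersion} ) { ... }` inside the `SMIME::NoDefaultCA` branch that logs an error and reports the signature as not verified instead of running the command. `-no-CAfile` and `-no-CApath` are added without a version check; they were introduced in OpenSSL 1.1.0, so an older binary would presumably reject the command, which the setting description should mention. Separately, the rebuilt `$Options` string is still passed to the shell through `qx{}` with `$Self->{CertPath}` and the file names unquoted; that predates this change, but quoting them here would be cheap.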
From: =?UTF-8?q?Pawe=C5=82=20Bogus=C5=82awski?= Date: Fri, 6 Jun 2025 22:11:48 +0200 Subject: [PATCH 3/3] Update SMIME.pm
---
 Kernel/System/Crypt/SMIME.pm | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Kernel/System/Crypt/SMIME.pm b/Kernel/System/Crypt/SMIME.pm
index bb56e86518..cebf10c467 100644
--- a/Kernel/System/Crypt/SMIME.pm
+++ b/Kernel/System/Crypt/SMIME.pm
@@ -1,7 +1,6 @@
 # --
 # Copyright (C) 2001-2021 OTRS AG, https://otrs.com/
 # Copyright (C) 2021 Znuny GmbH, https://znuny.org/
-# Copyright (C) 2025 Informatyka Boguslawski sp. z o.o. sp.k., https://www.ib.pl/
 # --
 # This software comes with ABSOLUTELY NO WARRANTY. For details, see
 # the enclosed file COPYING for license information (GPL). If you