GpgOL error sending an S/MIME email

Hi,

When I send an S/MIME email via GpgOL, I get the error

“Operation failed”
Code 1
“Bug in GPGOL or setup”

Please help.

Yours

I imported my private P12 key in Kleopatra and a public S/MIME key as a .CER file. But the public key has the status “not signed”. Maybe this is the reason for the error message?

How do I import public S/MIME keys correctly in Kleopatra?

Unfortunately it is not possible to edit messages in this forum, so I have to add another reply to tell news.

I found out that it depends on the “CRL-list setting”. If I deactivate CRL verification, the imported public S/MIME key is “fully trusted”.

But I don't understand that, because the public key is NOT revoked, so why does Kleopatra believe that the key is not trusted?

Hi,

First about the error in GpgOL. We have a task for this https://dev.gnupg.org/T3897 and it will be fixed in the next release to show a proper error.

Is it a CAcert certificate? They are known to have problems with their CRLs. (They are huge and delivered extremely slowly.)

See: https://dev.gnupg.org/T3907

The problem is that with S/MIME a Certificate Revocation List has to be checked before the certificate should be used. This is so that Certificate Authorities can revoke certificates. So the backend of Kleopatra and GpgOL does not treat a certificate as trusted as long as no CRL is known.

So if the CRL is not delivered or delivered extremely slowly we have a built-in “Denial of Service” :-/

Hi Andre,

Many thanks!

The imported public key is a free S/MIME certificate from COMODO.

Would you please be so kind and tell me HOW to “deliver” the CRL?

Best wishes

When you double-click the certificate in Kleopatra (open Details) it should show “updating” until a CRL was fetched (if CRL checks are enabled).

Alternatively you can download it manually and use Tools → Load CRL from File manually.

The URL of the CRL can be seen if you double-click the root certificate → More details; the lines “crlDP” then contain each CRL that has to be fetched.
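Kleopatra's “crlDP” lines are read from the certificate's cRLDistributionPoints extension (RFC 5280, section 4.2.1.13). The following is an added example, not code from this thread or from Gpg4win: a standard-library Python parser that locates that extension in DER and lists every URI a CRL check would have to fetch. The sample extension it parses is constructed inside the block from the COMODO RSA CA CRL URL quoted later in this thread plus a made-up second URL; `build_crldp_extension`, `crl_distribution_points` and the other names are the example's own.

```python
"""Extract CRL distribution point URIs (Kleopatra's "crlDP" lines) from DER.
Standard library only: a minimal DER encoder/decoder, enough to find the
cRLDistributionPoints extension in a certificate or a single Extension element."""

CRL_DP_OID = "2.5.29.31"  # id-ce-cRLDistributionPoints


def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Build one tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (first two arcs merged, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


CRL_DP_OID_DER = encode_oid(CRL_DP_OID)  # 55 1D 1F


def der_walk(buf: bytes):
    """Yield (tag, constructed, content) for each top-level element of buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low bits give the number of length bytes
            nbytes = length & 0x7F
            if nbytes == 0:
                raise ValueError("indefinite length is not valid DER")
            length = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        content = buf[i:i + length]
        if len(content) != length:
            raise ValueError("truncated DER element")
        i += length
        yield tag, bool(tag & 0x20), content


def collect_uris(buf: bytes, out: list) -> None:
    """Depth-first collection of GeneralName uniformResourceIdentifier ([6] IA5String)."""
    for tag, constructed, content in der_walk(buf):
        if tag == 0x86:
            out.append(content.decode("ascii"))
        elif constructed:
            collect_uris(content, out)


def crl_distribution_points(der: bytes) -> list:
    """Return every CRL URI under any cRLDistributionPoints extension in der."""
    uris = []
    _find_extension(der, uris)
    return uris


def _find_extension(buf: bytes, uris: list) -> None:
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
    for tag, constructed, content in der_walk(buf):
        if not constructed:
            continue
        children = list(der_walk(content))
        if (tag == 0x30 and len(children) >= 2 and children[0][0] == 0x06
                and children[0][2] == CRL_DP_OID_DER and children[-1][0] == 0x04):
            collect_uris(children[-1][2], uris)  # extnValue holds CRLDistributionPoints
        else:
            _find_extension(content, uris)


def build_crldp_extension(uris, critical: bool = False) -> bytes:
    """Encode an Extension with one DistributionPoint per URI:
    DistributionPoint { distributionPoint [0] EXPLICIT { fullName [0] { [6] uri } } }."""
    dps = b"".join(
        der_tlv(0x30, der_tlv(0xA0, der_tlv(0xA0, der_tlv(0x86, u.encode("ascii")))))
        for u in uris)
    body = der_tlv(0x06, CRL_DP_OID_DER)
    if critical:
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, der_tlv(0x30, dps)))


# Constructed sample: the COMODO RSA CA URL quoted in this thread plus a made-up second URL.
SAMPLE_URIS = ["http://crl.comodoca.com/COMODORSACertificationAuthority.crl",
               "http://crl.example.invalid/backup.crl"]
SAMPLE_EXTENSION = build_crldp_extension(SAMPLE_URIS)
```

To use it on a real certificate, pass the DER bytes of the whole certificate to `crl_distribution_points`; each URI returned is one CRL that has to be reachable before the backend will treat the certificate as valid while CRL checks are enabled, which is exactly the condition the 403 reported below runs into.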

OK, so this

http://crl.comodoca.com

is the CRL link for Comodo.

What is the next step to do?

Thanks

I only get a 403 Error when trying to access it. Also when trying to connect to it with https I get a wrong certificate.

If this is really the CRL URL and it can’t be fetched permanently you can’t use this certificate together with enabled CRL checks.

Alright. But remember that COMODO is a VERY important CA!

No solution working together with Kleopatra?

Hi, how do I make an exception for the Comodo CRL?

Thanks!

I don’t think that there is a way to add an exception for only one CA. You have to disable CRL checks altogether.

For what it’s worth, COMODO certs and the CRL checks with them work for me.

The URL in the COMODO RSA Certification Authority is:
http://crl.comodoca.com/COMODORSACertificationAuthority.crl

Which works.

OK. I imported the CRL successfully in Kleopatra.

But the result is still the same: Certificate is marked as “Not guilty”, although it is actually not revoked and guilty.

With “not guilty” I mean “not valid”. Sorry for my bad English :wink:

Thanks to the reports by you and others here in the forum I did some testing on Windows. While it worked for small CRLs like our test CRLs / CAs, we found a big error in our software with CRLs on Windows.

https://dev.gnupg.org/T3923

Will be fixed soon. We’ll probably do a new release early next week.

Thanks for your honest reply.

We as users have to thank you for your efforts!