
K-Mail CAC Card Bug

K-Mail Government CAC Card Bug

Reported December 2008 - K-Mail 1.9.9 (under KDE 3.5.9 Desktop) goes into some bizarre 3-6 minute lockup whenever it tries to display an email received from a government computer, signed by the sender with a government CAC ("Common Access Card") certificate. Eventually the KMail window becomes responsive again (other windows keep working during all of this).

Watching on my traffic logger, KMail tries to contact Port 123 on 198.247.173.220. Other times it goes for Port 80 on 214.21.15.23 (crl.gds.disa.mil). Within one session, it only does this lockup once to read a specific email - there is no delay if I go back to the email later.

In the diagram below, (R)ed color is (r)eceiving traffic and (T)eal color is (t)ransmitting traffic. It appears KMail is downloading something significant.
Here's what it does to my network traffic:
[Image: network traffic graph]
If KMail is downloading signature certificates, it needs a serious re-work in its specificity in what it tries to download. I can understand a certificate, but not megabytes of certificates that take 3-5 minutes. And even so, if this has to be downloaded, it should be done in the background, not lock up the entire email reading session!

When KMail finally returns to mouse response, I get a yellow banner saying "Not enough information to check signature" and the text does show up. When I click on the email banner to "Show Audit Log", I get a pile of information:

Data verification succeeded Yes
Data available Yes
Signature available Yes
Parsing signature succeeded Yes
Signature 0 bad
(#0DEBCB/CN=DOD EMAIL CA-15,OU=PKI,OU=DoD,O=U.S. Government,C=US)
Certificate chain available Yes
(#05/CN=DoD Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(#1B/CN=DoD Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/CN=DOD EMAIL CA-15,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(#0DEBCB/CN=DOD EMAIL CA-15,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/CN=xxx.xxxx.x.xxxxxxxxxx,OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/<xxxx.xxxx@xxxxxxx.af.mil>)
Certificate chain valid No
(Not trusted)
Root certificate trustworthy No
(Not trusted)
(#05/CN=DoD Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US)
CRL/OCSP check of certificates
-
Included certificates 4
(#0DEBCB/CN=DOD EMAIL CA-15,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/CN=xxx.xxxx.x.xxxxxxxxxx,OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/<xxxx.xxxx@xxxxxxx.af.mil>)
(#1B/CN=DoD Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/CN=DOD EMAIL CA-15,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(#0DEBD6/CN=DOD EMAIL CA-15,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/CN=xxx.xxxx.x.xxxxxxxxxx,OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/<xxxx.xxxx@xxxxxxx.af.mil>)
(#05/CN=DoD Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US)
(/CN=DoD Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US)
Gpg-Agent usable Yes
Dirmngr usable Yes
No help available for `gpgsm.root-cert-not-trusted'.
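
For triage, the audit log above can be split into steps that failed and steps that returned no result. The following is an added example, not part of the original report and not KMail or GnuPG code; it assumes the plain-text layout shown on this page (a label followed by a status, details in parentheses) and treats a lone "-" as "no result". The function and field names are hypothetical.

```python
import re

# Constructed sample: abridged from the audit log text quoted on this page.
SAMPLE_LOG = """\
Data verification succeeded Yes
Signature 0 bad
(#0DEBCB/CN=DOD EMAIL CA-15,OU=PKI,OU=DoD,O=U.S. Government,C=US)
Certificate chain valid No
(Not trusted)
Root certificate trustworthy No
(Not trusted)
(#05/CN=DoD Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US)
CRL/OCSP check of certificates
-
Included certificates 4
Dirmngr usable Yes
No help available for `gpgsm.root-cert-not-trusted'.
"""

STEP = re.compile(r"^(.+?)\s+(Yes|No|bad|\d+)$")         # "<label> <status>"
ERRKEY = re.compile(r"No help available for `([^']+)'")  # trailing error key

def parse_audit_log(text):
    """Return (steps, error_keys); each step is {label, status, details}."""
    steps, error_keys = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("(") and steps:       # detail for the previous step
            steps[-1]["details"].append(line[1:-1] if line.endswith(")") else line[1:])
        elif line == "-" and steps and steps[-1]["status"] is None:
            steps[-1]["status"] = "-"            # status wrapped onto its own line
        elif (m := ERRKEY.search(line)):
            error_keys.append(m.group(1))
        elif (m := STEP.match(line)):
            steps.append({"label": m.group(1), "status": m.group(2), "details": []})
        else:                                    # label whose status follows later
            steps.append({"label": line, "status": None, "details": []})
    return steps, error_keys

def triage(text):
    """Split steps into failed ("No"/"bad") and no result ("-", an assumption)."""
    steps, error_keys = parse_audit_log(text)
    return {
        "failed": [(s["label"], s["details"]) for s in steps if s["status"] in ("No", "bad")],
        "no_result": [s["label"] for s in steps if s["status"] == "-"],
        "error_keys": error_keys,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```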


Created by brian. Last Modification: Saturday 28 of March, 2009 01:12:41 EDT by brian.