Hi Andreas,
Good to hear you solved it. I think that for certificate purposes SHA1 is still secure, just as long as you do not sign a certificate created by an external untrusted party with your CA. That said, most crypto experts are urging users to start using SHA256 for new projects. If you need support for XP SP <= 2 you have no choice and should use SHA1.
I'm glad you found the problem and I will add this issue to the FAQ and documentation.
Kind regards
Martijn Brinkers
--- sent from Blackberry
Hello,
I think the problem is solved.
After I generated a new CA with the SHA1 signature algorithm it works.
Now I know that Windows XP without SP3 does not support SHA256.
With that knowledge I tested the import on an SP3 machine and it works.
What is the disadvantage if we use certs with SHA1?
Thank you for your help.
Regards
Andreas Schubert
Transline Deutschland Dr.-Ing. Sturz GmbH
"Martijn Brinkers" <m.brinkers(a)pobox.com> wrote on 15.07.2009 21:58:29:
> That's really strange. I have tested it with different windows xp
> installations. Also others have been able to import the pfx without
> problems. So the main question now is what's different in your setup?
> I have seen problems installing certs in the past when access to the
> registry was refused for some actions (the certs are imported into the
> registry). Perhaps a virus scanner does not allow you to install a
> root? What happens when you install only the root (as a cer file) into
> the root store? Is it also installed into the intermediate store?
> Kind regards
> Martijn
> --- sent from Blackberry
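As an added example (not code from the thread or from Djigzo), a small Java check that reads a CA certificate and reports its signature algorithm, so the SHA1 versus SHA256 question above can be settled before a PFX is handed to a Windows XP client; the class name, the file-path argument and the advice strings are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Hypothetical helper: reports which signature algorithm a certificate uses
 *  and what that means for Windows XP clients, per the thread above. */
public class SigAlgCheck {

    /** Loads a DER or PEM encoded X.509 certificate from the given stream. */
    public static X509Certificate load(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(in);
    }

    /** Maps a JCA signature algorithm name (e.g. "SHA256withRSA") to
     *  compatibility advice. The strings are this example's own wording. */
    public static String classify(String sigAlgName) {
        String n = sigAlgName.toUpperCase();
        if (n.contains("SHA256") || n.contains("SHA384") || n.contains("SHA512")) {
            return "SHA-2 signature: Windows XP needs SP3 or later to validate it";
        }
        if (n.contains("SHA1")) {
            return "SHA-1 signature: works on Windows XP before SP3; deprecated for new CAs, "
                 + "and only acceptable if this CA never signs externally supplied certificates";
        }
        if (n.contains("MD5")) {
            return "MD5 signature: collision-prone, do not use for a CA";
        }
        return "Unrecognised signature algorithm: " + sigAlgName;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SigAlgCheck <ca-certificate.cer>
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = load(in);
            System.out.println("Subject:   " + cert.getSubjectX500Principal());
            System.out.println("Algorithm: " + cert.getSigAlgName()
                    + " (OID " + cert.getSigAlgOID() + ")");
            System.out.println("Advice:    " + classify(cert.getSigAlgName()));
        }
    }
}
```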
Did you import the pfx by double click and then import using the import wizard? Could you remove all your root instances from all stores and try again? The easiest way to manage certificates on Windows is by starting mmc and then adding the certificates add-in. Using the mmc add-in you can search for a certificate by right clicking the top store element and then choosing "search for certificates". Search for your root, delete all references and try to import the pfx again.
Kind regards
Martijn
--- sent from Blackberry
> my problem is that windows xp does not import the self created (with djigzo)
> root certificate into the "trusted root certificate" store.
Did you try to import the created pfx or did you import a separate root and intermediate (.cer file)?
Is the user a restricted user?
Kind regards
Martijn Brinkers
--- sent from Blackberry
Hello,
First of all I have to tell you that I am not familiar with handling X.509
certificates.
My problem is that Windows XP does not import the self-created (with Djigzo)
root certificate into the "trusted root certificate" store.
Windows XP only imports the root certificate together with the intermediate
certificate into the "intermediate certificate" store,
and so none of these certificates are trusted.
I have followed the instructions in the S/MIME setup guide and have tried it
with automatic and manual selection of the certificate store.
I tried it on two different XP machines.
On my Windows Vista system it works.
What is going wrong here?
Can I control this behavior?
regards
Andreas Schubert
Dipl.-Ing. (FH)
Head of IT
Tel. +49 7121 9463-360
Fax +49 7121 9463-150
Transline Deutschland Dr.-Ing. Sturz GmbH
Transline Deutschland is a company of the Sturz Group (www.sturz-gruppe.de)
---------------------------------------------------------------------------
Process automation - as an answer to the crisis!
http://www.transline.de/prozess-automatisierung
Make an appointment with us!
---------------------------------------------------------------------------
* http://www.transline-group.com * Your partner for global communication
* http://www.transline.de * Your partner for translations
* http://www.doculine.com * Your partner for technical documentation
Am Heilbrunnen 47 * D-72766 Reutlingen * Germany
Phone +49 7121 9463-0 * Fax +49 7121 9463-150
Skype: translinedeutschland
Managing Director: Dr.-Ing. Wolfgang Sturz
Registered at the Stuttgart District Court, HRB 353333
VAT ID no. DE 193439222
---------------------------------------------------------------------------
I wish I could add the "Unlimited Strength Jurisdiction Policy Files"
to Djigzo Virtual appliance but I think this is a "legal mine field"
because lots of countries have their own crypto laws.
Kind regards,
Martijn Brinkers
Andreas Schubert wrote:
> hello Martijn,
>
> No, I don't.
> I did not realize that I have to do that, I thought installing this is
> optional..........
>
> -> admin too stupid error or RTFM
>
> I will test it with this file installed.
>
> Thank you for your fast response.
>
> Regards
>
> Andreas Schubert
> Dipl.-Ing. (FH)
> Head of IT
> Tel. +49 7121 9463-360
> Fax +49 7121 9463-150
> Transline Deutschland Dr.-Ing. Sturz GmbH
>
Hello,
I have a problem with encrypting email that was sent to an external user.
I have read the administrator and S/MIME guide, and had no problem with the basic
setup.
I installed the Djigzo VMware virtual appliance 1.2.3.
At this time I had created a CA, an internal domain, an internal user and an
external user.
The encryption mode for this external user is set to mandatory and on the "Select
encryption certificates" page the certificate is shown in green colour.
But when I send an email from the internal user to the external user I get
this error message in the MPA log:
09 Jul 2009 08:40:30 | ERROR IOException. (mitm.application.djigzo.james.mailets.SMIMEEncrypt) [Spool Thread #2]
org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator$WrappingIOException: org.bouncycastle.cms.CMSException: key invalid in message.
    at org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator$ContentEncryptor.write(Unknown Source)
    at org.bouncycastle.mail.smime.handlers.PKCS7ContentHandler.writeTo(Unknown Source)
    at javax.activation.ObjectDataContentHandler.writeTo(Unknown Source)
    at javax.activation.DataHandler.writeTo(Unknown Source)
    at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1381)
    at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1742)
    at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1718)
    at mitm.common.mail.MailUtils.validateMessage(MailUtils.java:207)
    at mitm.application.djigzo.james.mailets.SMIMEEncrypt.serviceMail(SMIMEEncrypt.java:259)
    at mitm.application.djigzo.james.mailets.AbstractDjigzoMailet.service(AbstractDjigzoMailet.java:226)
    at org.apache.james.transport.LinearProcessor.service(LinearProcessor.java:424)
    at org.apache.james.transport.JamesSpoolManager.process(JamesSpoolManager.java:405)
    at org.apache.james.transport.JamesSpoolManager.run(JamesSpoolManager.java:309)
    at java.lang.Thread.run(Thread.java:636)
Caused by: org.bouncycastle.cms.CMSException: key invalid in message.
    at org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator.open(Unknown Source)
    at org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator$EnvelopedGenerator.open(Unknown Source)
    at org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator.open(Unknown Source)
    at org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator.open(Unknown Source)
    ... 14 more
Caused by: java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:972)
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:993)
    at javax.crypto.Cipher.init(Cipher.java:1394)
    ... 18 more
What is going wrong?
regards
Andreas Schubert
Dipl.-Ing. (FH)
Head of IT
Tel. +49 7121 9463-360
Fax +49 7121 9463-150
Transline Deutschland Dr.-Ing. Sturz GmbH
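The "Illegal key size" at the bottom of the trace above is the JCE jurisdiction policy refusing a 256-bit AES content-encryption key, which is what the "Unlimited Strength Jurisdiction Policy Files" fix in Martijn's reply addresses. As an added example (not Djigzo code), a self-contained Java check that reproduces the same InvalidKeyException on a restricted JVM and reports the policy limit; the class name and the all-zero test key are constructed for this example.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;

/** Hypothetical helper: tells you whether this JVM may use AES-256 before
 *  a gateway such as Djigzo tries to encrypt S/MIME with it. */
public class JcePolicyCheck {

    /** Maximum AES key length the installed policy allows; Integer.MAX_VALUE
     *  means the unlimited-strength policy is in effect. */
    public static int maxAesKeyBits() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Initialises AES-256-CBC with a constructed all-zero key (not a real
     *  secret). Returns null on success, otherwise the failure message. */
    public static String tryAes256() {
        byte[] testKey = new byte[32];   // constructed 256-bit dummy key
        byte[] iv = new byte[16];        // constructed IV, fine for a probe
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(testKey, "AES"),
                   new IvParameterSpec(iv));
            return null;
        } catch (InvalidKeyException e) {
            // On a restricted JVM this is exactly "Illegal key size"
            return "InvalidKeyException: " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyBits();
        System.out.println("Max AES key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        String err = tryAes256();
        if (err == null) {
            System.out.println("AES-256 OK: unlimited-strength policy in effect");
        } else {
            System.out.println("AES-256 FAILED: " + err);
            System.out.println("Cause: restricted JCE jurisdiction policy; install the "
                    + "Unlimited Strength Jurisdiction Policy Files for this JDK");
        }
    }
}
```

On the 2009-era JDK 6 of the appliance the restricted policy caps AES at 128 bits, so the probe fails exactly as in the log; newer JDKs ship with the unlimited policy by default and the probe passes.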
> Two main new features I was thinking about are:
>
> 1. PGP support
> 2. Client-less email encryption
Hi Martijn
I vote for number one if that means OpenPGP support (using GnuPG and its
libraries for example) ;-)
We (a German non-profit organisation) are currently looking for a
Free/Open Source eMail encryption solution (ca. 300 email users). So far
I have found GEAM (deep in the GnuPG sources, only OpenPGP, no S/MIME)
and got it running, but I am concerned that it seems it is not actively
developed or even maintained anymore. And it does not support S/MIME.
And I have not tested it in a "production environment"...
Since most of our communication partners use OpenPGP and some use
S/MIME, I decided to vote for OpenPGP support in Djigzo :-)
It seems the field of free/open source eMail security gateways is
relatively small compared to client side encryption solutions. On the
other hand there are plenty of commercial gateway solutions.
So keep up the good work!
Mario