Version 9.508 - report on experience

Since 9,508 the digital signature is considered invalid for emails. However, I don't know if this is an error in email-encrption.

PS: outgoing Emails...

Thorsten, if you follow the KB article that MBP posted above, deleting and regenerating your S/MIME cert on the 'Internal Users' tab of 'Encryption', does this error still appear after you've sent a signed or encrypted email?

Cheers - Bob

I did some more tests to see if umlauts or special characters are causing the problem. Furthermore I have made various settings like deactivating the scan of outgoing emails and so on. But the problem could not be solved in this way. I'm still waiting for a response from support.

Hi Thorsten,

we also checked for umlauts etc. - does not seem to be the problem.

Some external partners notified us that they maybe had stored old certificates from our users which may cause this problem. E.g. Barracuda Antispam solutions also seem to store certificate information. They deleted the old ones, we are testing at the moment.

We contacted Sophos support but did not get any help on this bug, we were told to contact our reseller on this...

Best regards

Christian

Hi Christian,

we do have the same error and this is quite a pain in the ass. We also use Comodo certificates as Thomas does. 

As you have said that reaching the support didn't help you, do you have any idea how we can solve this?

Kind regards,

Max

Answer from Sophos Support: One solution would be to update the sender and recipient to version 9.508.

The only trouble is that not everyone has a UTM...

And that's it? So forget about S/MIME functionality from now on?
What I didn't understand is the message of https://community.sophos.com/kb/en-us/131727 

As stated in 3, one should get certificates with the appropriate algorithm. Does anybody know how to check which algorithm was used in an existing certificate? So should I ask the CA to re-issue my certificate and everything is fine?

Best
Alex

P.S. I placed the question for the Algorithms for X.509 certs at a reseller for certificates. Will see what they say.

Alexander Busch said:

So should I ask the CA to re-issue my certificate and everything is fine?

Best
Alex

 

That's not gonna work. I had revoked my certificates and set them up again without success.

Guys, it's not clear to me that you're attacking the right certificate.  This is not the one in 'Certificate Management'.  I think you have to delete your entry on the 'Internal Users' tab of 'Encryption', add it again and then send the new PEM to your recipient(s).

I can confirm that 9.508-to-9.508 works when this is done.

Please let us know if the non-UTM recipients can receive your email after adding your new cert as described.

Cheers - Bob

BAlfson said:

...

I can confirm that 9.508-to-9.508 works when this is done.

Please let us know if the non-UTM recipients can receive your email after adding your new cert as described.

..

Hello Bob, 

is the simple signing of an email working? Non UTM Device at the recipient side.

Best
Alex

Alexander Busch said:

As stated in 3, one should get certificates with the appropriate algorithm. Does anybody know how to check which algorithm was used in an existing certificate? So should I ask the CA to re-issue my certificate and everything is fine?

 

Sure...

openssl x509 -in YOURSMIMECERT.CER -text |grep "Signature A"

The answer of a cert reseller

—

Guten Tag Herr Busch,

der Algorithmus RSASSA-PSS wird aktuell noch von keinem Zertifizierer unterstützt. Die EDI hat die Pflicht diesen Algorithmus zu nutzen vom 01.01.18 auf den 01.01.19

aufgrund der nicht vorhandenen Abdeckung, verschoben. Hier bitte nochmal bei Sophos nachhacken, ob der allgemeine Marktsstandard RSA-SHA-256 weiterhin verwendet werden kann.

Aktuell ist auch noch kein näherer Zeitpunkt bekannt an dem der neue Algorithmus  verfügbar sein wird.

—

Translated

Hello Mr. Bush,

the algorithm RSASSA-PSS is not currently supported by any certifier. The EDI has the obligation to use this algorithm from 01.01.18 to 01.01.19.

.

due to the non-existent cover. Please check with Sophos again to see if the general market standard RSA-SHA-256 can still be used.

At the moment we do not know when the new algorithm will be available.

—

So no certificate is available in the market to work with the UTM. Is that the result or did I get something wrong?

Best

Alex

The answer of a cert reseller

—

Guten Tag Herr Busch,

der Algorithmus RSASSA-PSS wird aktuell noch von keinem Zertifizierer unterstützt. Die EDI hat die Pflicht diesen Algorithmus zu nutzen vom 01.01.18 auf den 01.01.19

aufgrund der nicht vorhandenen Abdeckung, verschoben. Hier bitte nochmal bei Sophos nachhacken, ob der allgemeine Marktsstandard RSA-SHA-256 weiterhin verwendet werden kann.

Aktuell ist auch noch kein näherer Zeitpunkt bekannt an dem der neue Algorithmus  verfügbar sein wird.

—

Translated

Hello Mr. Bush,

the algorithm RSASSA-PSS is not currently supported by any certifier. The EDI has the obligation to use this algorithm from 01.01.18 to 01.01.19.

.

due to the non-existent cover. Please check with Sophos again to see if the general market standard RSA-SHA-256 can still be used.

At the moment we do not know when the new algorithm will be available.

—

So no certificate is available in the market to work with the UTM. Is that the result or did I get something wrong?

Best

Alex

4 German:

https://www.bundesnetzagentur.de/DE/Service-Funktionen/Beschlusskammern/Beschlusskammer7/BK7_73_Messwesen_Energie/Mitteilungen_zu_BK6_16_200_BK7_16_142/Mitteilung_Nr_7/Anlagen/Regelungen_Uebertragungsweg_1.1_2017_12_12.pdf?__blob=publicationFile&v=3

Mag sein, es gibt nur scheinbar keine CA, welche dies bietet. Und wenn selbst Outlook 2016 die Signatur nicht verifiziert, dann ist dies am Markt vorbei. Ich bin echt gespannt wie andere Lösungen damit umgehen.

My wishlist would be to have a manuel switch to revert back to the existing algorithms.