Problem
When generating MIME mails, e.g. for signing an email, OpenSSL adds an extra
white space before the semicolon that separates the headers. In doing so,
it violates MIME syntax (see RFC 2045, 2046, 2047).
Consequences
Some mail clients will not be able to understand the MIME parts. For example,
the Lotus Notes client v5.06a (latest release). This is a problem when sending
signed email, as the mail client will consider this a broken MIME and will not
handle the signature verification properly.
Note: in order to properly test all this, you need a recent version of Lotus
Notes (>= 5.04). We have tested with 5.06a (client and server).
Proof of concept
We generated a signed mail using the following command:
openssl smime -sign -inkey gadaix.keyring -signer mycert -certfile othercert -in message > signed-message
This mail is not understood by the Lotus Notes client.
If we intercept the message, we can see extra spaces which, if removed, fix the
problem (the mail is recognized as a PKCS7 signed message).
Here is a diff between a message generated by OpenSSL and its "edited" version
where we removed the spaces.
3c3
< Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=sha1; boundary=----F826C025B455F6FE7B9828D9D9624324
---
> Content-Type: multipart/signed ; protocol="application/x-pkcs7-signature" ;
micalg=sha1 ; boundary="----F826C025B455F6FE7B9828D9D9624324"
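Review bot: the direction of this hunk is the reverse of what the surrounding text says. The prose describes a diff "between a message generated by OpenSSL and its edited version where we removed the spaces", so the `<` side (first file) should carry the extra spaces; here it is the `>` side (second file) that has `multipart/signed ;` and `micalg=sha1 ;`, while the `<` side has the spaces removed. Either the two files were passed to diff in the opposite order or the sides should be swapped. The hunk also mixes two separate changes: the space before each `;` and the quoting of the boundary (`boundary=----F826...` on the `<` side versus `boundary="----F826..."` on the `>` side), so it is worth stating which of the two Notes actually trips over.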
66a67
>
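For a reader who wants to check a message for the spacing shown in the diff and produce the stricter form without touching the signed body, the following Python 3 script is an added example; it is not part of the original post and not OpenSSL code. It parses the Content-Type value per RFC 2045 (tokens, quoted-strings, parameters), reports whether the value is already in canonical form, and rewrites only the outer headers of a message. Everything from the first blank line on is returned unchanged, because in multipart/signed the signature covers the first body part, not the outer headers. The sample message, the function names and the constructed boundary mirroring the one in the diff are all assumptions made for this example.

```python
import re

# RFC 2045 "tspecials": a parameter value containing any of these (or
# whitespace) must be sent as a quoted-string rather than a bare token.
_TSPECIALS = set('()<>@,;:\\"/[]?=')

# One parameter: optional LWSP, ';', optional LWSP, attribute, '=', value.
# The tolerant \s* around ';' and '=' is what lets us accept the
# "multipart/signed ; protocol=... ;" spacing emitted by OpenSSL 0.9.x.
_PARAM_RE = re.compile(
    r'\s*;\s*'
    r'(?P<name>[^\s;=]+)'
    r'\s*=\s*'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>[^\s;]+))'
)


def parse_content_type(value):
    """Return (media type, [(name, value), ...]) for a Content-Type value."""
    value = value.strip()
    m = re.match(r'([^\s;]+/[^\s;]+)', value)
    if not m:
        raise ValueError("not a media type: %r" % value)
    media_type = m.group(1).lower()
    params = []
    pos = m.end()
    while pos < len(value):
        pm = _PARAM_RE.match(value, pos)
        if not pm:
            raise ValueError("cannot parse parameters at %r" % value[pos:])
        raw = pm.group('quoted')
        if raw is not None:
            raw = re.sub(r'\\(.)', r'\1', raw)   # undo quoted-pair escapes
        else:
            raw = pm.group('token')
        params.append((pm.group('name').lower(), raw))
        pos = pm.end()
    return media_type, params


def _needs_quotes(val):
    return val == '' or any(c in _TSPECIALS or ord(c) <= 32 for c in val)


def format_content_type(media_type, params, always_quote=('boundary',)):
    """Canonical form: 'type/subtype; a=b; c="d"', no LWSP before ';'.
    The boundary is always quoted; RFC 2046 allows that unconditionally."""
    parts = [media_type]
    for name, val in params:
        if name in always_quote or _needs_quotes(val):
            val = '"%s"' % val.replace('\\', '\\\\').replace('"', '\\"')
        parts.append('%s=%s' % (name, val))
    return '; '.join(parts)


def is_canonical(value):
    """True if the header value already has the canonical form above."""
    return format_content_type(*parse_content_type(value)) == value.strip()


def fix_outer_headers(message):
    """Rewrite only the outer Content-Type header of an RFC 822 message.
    The header/body separator and everything after it are returned as-is."""
    for sep in ('\r\n\r\n', '\n\n'):
        idx = message.find(sep)
        if idx != -1:
            break
    else:
        raise ValueError("no header/body separator found")
    nl = sep[:len(sep) // 2]
    head, body = message[:idx], message[idx:]
    unfolded = []
    for line in head.split(nl):           # undo RFC 822 header folding
        if line[:1] in (' ', '\t') and unfolded:
            unfolded[-1] += ' ' + line.strip()
        else:
            unfolded.append(line)
    out = []
    for line in unfolded:
        name, _, val = line.partition(':')
        if name.lower() == 'content-type':
            line = 'Content-Type: ' + format_content_type(*parse_content_type(val))
        out.append(line)
    return nl.join(out) + body


# Constructed sample: outer headers shaped like the ">" side of the diff,
# followed by a minimal multipart/signed body with a placeholder signature.
SAMPLE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed ; protocol="application/x-pkcs7-signature" ;\n'
    ' micalg=sha1 ; boundary="----F826C025B455F6FE7B9828D9D9624324"\n'
    "\n"
    "This is an S/MIME signed message\n"
    "\n"
    "------F826C025B455F6FE7B9828D9D9624324\n"
    "Hello\n"
    "------F826C025B455F6FE7B9828D9D9624324\n"
    'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\n'
    "\n"
    "MIIB...(base64 signature placeholder, constructed for this sample)\n"
    "------F826C025B455F6FE7B9828D9D9624324--\n"
)

if __name__ == '__main__':
    print(fix_outer_headers(SAMPLE))
```

Running the script prints the sample with a single-line `Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----F826C025B455F6FE7B9828D9D9624324"` header and an untouched body. `is_canonical` is the check to run over outgoing mail if you want to detect the loose spacing before a picky client does.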
Details of our installation
Output from 'make report'
OpenSSL self-test report:
OpenSSL version: 0.9.6
Last change: In ssl23_get_client_hello, generate an error message wh...
OS (uname): Linux hk1.ime.reuters.com 2.2.16-9w4l #1 Wed Aug 23 21:29:05
PDT 2000 i686 unknown
OS (config): i686-whatever-linux2
Target (default): ??
Target: dist
Compiler: gcc version 2.95.3 19991030 (prerelease)
Test passed.
Output of 'version -a':
OpenSSL 0.9.5a 1 Apr 2000
built on: Sun Oct 1 01:53:22 CEST 2000
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int)
blowfish(idx)
compiler: gcc -fPIC -DTHREADS -D_REENTRANT -fPIC -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -pipe
--
Emmanuel Gadaix
Technical Security Analyst
Global IT Security Risk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]