Re: verification error: empty key record; insecure key

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 17 Aug 2012 12:55:04 -0700 (PDT)

On Fri, 17 Aug 2012, SM wrote:
> The problem is that the warning was generated for the second DKIM
> signature as multiple signatures were being verified.

Right. In more detail, what's going on here is that opendkim is selecting
the first signature that passed as the primary signature on the message.
Then it checks to see if libcrypto's error queue is empty. If it's not,
it logs all of the errors in the stack, but makes the (sometimes
incorrect) assumption that the errors are associated with the primary
signature.

That means a message signed by A and B, where A passes and B does not,
will add an Authentication-Results field indicating that A passed and B
failed (which is correct), but also log an error that A failed with the
errors produced by B (which is not correct).

I've opened a bug (#3559080) to fix this in 2.7.0. The fix is simple for
OpenSSL, but looks to be more complicated for GnuTLS. I'm waiting for
some support from their mailing list.

-MSK
Received on Fri Aug 17 2012 - 19:55:19 PST
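The misattribution described in the message above, modelled as an added example (this is not opendkim's or libcrypto's code): a constructed stand-in for libcrypto's error queue, a buggy flow that verifies every signature and then blames all queued errors on the first passing one, and a corrected flow that drains the queue after each verification so errors stay with the signature that produced them. The signature struct, verifier and error code are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for libcrypto's per-thread error queue: failed
 * verifications push entries, and they persist until something pops them. */
#define QUEUE_MAX 16
static unsigned long err_queue[QUEUE_MAX];
static int err_count = 0;

static void push_err(unsigned long code) {
    if (err_count < QUEUE_MAX) err_queue[err_count++] = code;
}
/* Pop the oldest entry, 0 when the queue is empty (ERR_get_error-like). */
static unsigned long pop_err(void) {
    if (err_count == 0) return 0;
    unsigned long e = err_queue[0];
    memmove(err_queue, err_queue + 1, (size_t)(--err_count) * sizeof *err_queue);
    return e;
}

struct sig { const char *domain; bool valid; int logged_errs; };

/* Constructed verifier: a bad signature leaves one error on the queue. */
static bool verify_sig(struct sig *s) {
    if (!s->valid) push_err(0x1234UL); /* constructed code, not a real value */
    return s->valid;
}

/* Buggy flow: verify all, pick the first passing signature as primary,
 * then log every queued error as if it belonged to the primary. */
static int verify_buggy(struct sig *sigs, int n) {
    int primary = -1;
    for (int i = 0; i < n; i++)
        if (verify_sig(&sigs[i]) && primary < 0) primary = i;
    if (primary >= 0)
        while (pop_err() != 0) sigs[primary].logged_errs++;
    return primary;
}

/* Fixed flow: drain the queue immediately after each verification so
 * the errors are attributed to the signature that produced them. */
static int verify_fixed(struct sig *sigs, int n) {
    int primary = -1;
    for (int i = 0; i < n; i++) {
        bool ok = verify_sig(&sigs[i]);
        while (pop_err() != 0) sigs[i].logged_errs++;
        if (ok && primary < 0) primary = i;
    }
    return primary;
}
```

With signatures A (valid) and B (invalid), the buggy flow reports A as primary but charges B's error to A; the fixed flow charges it to B.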