1. tickerguy's Avatar
    From my playing around on a spare device it appears that the 10.3.2 leak can enable S/MIME on IMAP accounts - not just on Exchange ones.

    I'm having an "interesting" experience attempting to get this working either on BES12 and 10.3.1 or on 10.3.2 with either Exchange (BES or otherwise) or "bare." In short I can activate it without problems but although it pops no warnings or errors the signatures it generates are invalid, encryption obviously works but won't decrypt (because the signatures are invalid) and in addition it will only verify a signature on emails that are generated with 2k RSA keys or smaller (4k key signatures are silently swallowed, as are all that it considers "invalid.")

    So if you have S/MIME *working* (that is, you can exchange signed and encrypted emails) on 10.3.2 I'd like to ask for your help -- specifically, I'd love to get an example email from you and understand exactly where you got the key pair from and, if you're generating your own (e.g. you have your own CA or are doing self-signed) I'd like to request one from you (for my email address, of course.)

    I want to get to the bottom of this; what's clear is that BB10 has some serious issues with S/MIME interchange, and that's definitely not a good thing.

    Posting in the "Beta OS" area because unless you're on 10.3.2 you can't do this without BES, so it's relevant to anyone currently running 10.3.2 who also has an IMAP email account.

    Thanks in advance; please reply by PM if you have same working and can assist, but feel free to discuss in the thread. Hopefully this will lead to a list of requirements for an operational implementation and if the brain fart is big enough pressure can be put on BlackBerry to fix it.
    04-16-15 01:02 PM
  2. danielsamwel's Avatar
    Were you able to get PGP on an IMAP account as well?

    Posted via CB10
    04-16-15 02:15 PM
  3. tickerguy's Avatar
    For sending, yes, and it both verifies signatures AND decrypts on Thunderbird.

    For receiving it does not verify or decrypt.

    So it appears that there's a transmit formatting problem in BB10 with S/MIME specifically, and whatever it is Outlook is insensitive to it but Thunderbird is NOT.
    04-16-15 02:24 PM
  4. tickerguy's Avatar
    Crap... update (this is my article, it's legit and not spam)

    I found the problem and it's bad news. This cripples S/MIME in any environment, BES or not, as BB10 is violating the Internet RFCs for multipart messages. Compliant clients will not be able to validate signatures.

    Oh BlackBerry, QUIT BEING STUPID (Invalid MIME Email Sent) in [Market-Ticker]
    04-16-15 03:24 PM
  5. BCITMike's Avatar
    Where is BlackBerry's documentation on this stuff? There's a difference between supported and released, and work-in-progress buggy / partially working.

    It would annoy me if someone poked around our products, found debug and or partially working features and then blasted us for it not working when it wasn't advertised or expected to be working yet.

    But if it is advertised and supported, these are bugs, not necessarily design decisions they've made.

    Posted via CB10
    04-16-15 03:54 PM
  6. tickerguy's Avatar
    > Where is BlackBerry's documentation on this stuff? There's a difference between supported and released, and work-in-progress buggy / partially working.

    The same format problem exists when the email is sent under BES12 as a client on an Exchange server (in other words, formally supported by BlackBerry.)

    This is a royal ****-up on BlackBerry's part in the code and is a gross and rank violation of the RFCs governing how email is to be formatted while in transport. It's not the first time either, if you recall the early 10.x firmware and problems with some SMTP servers (that was in fact their bogon as well of the same general sort; despite the RFCs saying you terminate line in SMTP with CR/LF they were sending bare linefeeds.)
    04-16-15 03:57 PM
  7. danielsamwel's Avatar
    Tickerguy, care to share how you got S/MIME partially working? I'd like to play with this myself

    Posted via CB10
    04-16-15 05:12 PM
  8. tickerguy's Avatar
    Sure...

    Load your CA certificate (if you're using your own) and .p12 (or pfx) cert for your email. Note that the subjectAltName must be set to your email address or it won't come up as one of your choices.

    Then from the hub, when you have the email account up, hit the three dots and Settings, then the account. "Secure email" will be one of the drill-down options; turn on S/MIME and select the certificates.

    You can then pull down when composing and select the mode (plain text, Signed, Signed/encrypted, etc)

    This works for me on IMAP accounts on 10.3.2.

    It only works for sending, however..... less the problems with malformed MIME transmission (which are extremely severe, especially for encrypted emails of any material size.)
    danielsamwel likes this.
    04-16-15 05:32 PM
  9. ZeroBarrier's Avatar
    > The same format problem exists when the email is sent under BES12 as a client on an Exchange server (in other words, formally supported by BlackBerry.)
    >
    > This is a royal ****-up on BlackBerry's part in the code and is a gross and rank violation of the RFCs governing how email is to be formatted while in transport. It's not the first time either, if you recall the early 10.x firmware and problems with some SMTP servers (that was in fact their bogon as well of the same general sort; despite the RFCs saying you terminate line in SMTP with CR/LF they were sending bare linefeeds.)

    Post edited, I've since read you tried on 10.3.1 and it was the same. Good job finding this and let's hope it gets fixed soon.

    Posted via CB10
    04-16-15 09:36 PM
  10. tickerguy's Avatar
    > I'm sorry, you're completely wrong. 10.3.2 is a beta in every sense of the word (a closed beta at that). Most here (including yourself possibly) aren't even supposed to have access to it; and as such nothing in 10.3.2 is officially supported.
    >
    > Posted via CB10

    There are classes that can remedy an inability to read. If you read the first message for comprehension you'd understand that I ran into this first on 10.3.1 under BES12. When I posted this here I believed that the problem I was having had something to do with my certificate, and thus was asking if anyone had it running without problems on 10.3.2 since this (known beta and "officially closed" one at that) can handle S/MIME without BES.

    But -- further investigation showed that the certificate wasn't the issue at all -- the code's broken, and it's broken across the board, not just in 10.3.2.

    Now that I've run it down I know that the exact same problem exists on the formally supported 10.3.1 release under BES12 and manifests in exactly the same way. I have my Passport on 10.3.1 (not 10.3.2) and have BES12 cloud set up managing it. It was there that I was working on this first, and ran into the problem where I would send an S/MIME signed email and the other end would claim the signature was no good. I could also send a very short encrypted email with a small certificate (2k RSA) and it would be fine, but a longer one would blow up on the receiving end, claiming it was unable to be decoded.

    So yeah 10.3.2 may be a "closed" beta, but 10.3.1 (and before) with BES10 or 12 is definitely not.

    That's a supported product and it's equally broken there in exactly the same way which makes this very relevant to everyone in the BB10 community that wants secure email to work, whether they're running a leak or not.
    04-16-15 09:46 PM
  11. ZeroBarrier's Avatar
    OK, OK; take it easy. I had already edited my post to correct myself before you posted your reply.

    I wanted to reply before reading your whole post in that link, no harm done.

    I do have a question though. You get the exact same results on 10.3.1 and 10.3.2, correct? You've made sure of this? I mean, you've confirmed both are reproducing the line break issue, right?

    Posted via CB10
    04-16-15 09:49 PM
  12. tickerguy's Avatar
    > OK, OK; take it easy. I had already edited my post to correct myself before you posted your reply.
    >
    > I wanted to reply before reading your whole post in that link, no harm done.
    >
    > I do have a question though. You get the exact same results on 10.3.1 and 10.3.2, correct? You've made sure of this? I mean, you've confirmed both are reproducing the line break issue, right?

    Yep. It is entirely consistent in behavior on both 10.3.1 and 10.3.2; the only difference is that on 10.3.1 I have to use BES and Exchange to enable S/MIME transmission, this is not necessary for 10.3.2 as the encryption selection screen is present without the phone being BES-activated.

    An un-attached Outlook client (e.g. Outlook 2010 running against the same IMAP server as the Thunderbird client is without Exchange involved at all) validates messages from both but it's breaking the rules on base64-encoded messages in doing so. This is quite-common for Microsoft products, incidentally; I've written front-end spam interdiction software for a long time that sits in front of Exchange and have had lots of fun working around various protocol nasties...

    Other email clients that insist on following the RFCs with regard to base64 encoding (as all of them should) cannot read the signatures or encrypted messages (e.g. Thunderbird.)

    Interestingly enough if you use PGP instead (which is also available on both 10.3.1 and 10.3.2, with the latter also not requiring BES to send) it does not commit the same sin there; those MIME-encoded emails are properly-formatted and validate (and decrypt, if sent encrypted) just fine.
    04-16-15 10:11 PM
  13. tickerguy's Avatar
    The bad MIME emissions for S/MIME have gotten some attention..... hopefully it will get fixed and fast.
    04-17-15 04:42 PM
  14. lasouthern's Avatar
    > From my playing around on a spare device it appears that the 10.3.2 leak can enable S/MIME on IMAP accounts - not just on Exchange ones.
    >
    > I'm having an "interesting" experience attempting to get this working either on BES12 and 10.3.1 or on 10.3.2 with either Exchange (BES or otherwise) or "bare." In short I can activate it without problems but although it pops no warnings or errors the signatures it generates are invalid, encryption obviously works but won't decrypt (because the signatures are invalid) and in addition it will only verify a signature on emails that are generated with 2k RSA keys or smaller (4k key signatures are silently swallowed, as are all that it considers "invalid.")
    >
    > So if you have S/MIME *working* (that is, you can exchange signed and encrypted emails) on 10.3.2 I'd like to ask for your help -- specifically, I'd love to get an example email from you and understand exactly where you got the key pair from and, if you're generating your own (e.g. you have your own CA or are doing self-signed) I'd like to request one from you (for my email address, of course.)
    >
    > I want to get to the bottom of this; what's clear is that BB10 has some serious issues with S/MIME interchange, and that's definitely not a good thing.
    >
    > Posting in the "Beta OS" area because unless you're on 10.3.2 you can't do this without BES, so it's relevant to anyone currently running 10.3.2 who also has an IMAP email account.
    >
    > Thanks in advance; please reply by PM if you have same working and can assist, but feel free to discuss in the thread. Hopefully this will lead to a list of requirements for an operational implementation and if the brain fart is big enough pressure can be put on BlackBerry to fix it.

    Hey Tickerguy, S/MIME works on non-enterprise customers?

    Posted via CB10
    04-20-15 07:50 AM
  15. tickerguy's Avatar
    On 10.3.2, yes it does if you have Exchange and sort of on IMAP.

    Well, sort of works. The problem is that the device emits malformed emails when you send; specifically, it doesn't honor the rules for base64 encoded MIME components (and emits the signature and/or encrypted component as one long line.)

    Outlook (the PC program in Office, NOT the webmail service) will "eat" this provided your mail transport can pass it unmolested and it works. However, Thunderbird follows the rules and will not validate the messages or decrypt them, and in addition a huge percentage of mail transport systems will damage or even completely remove those components, sometimes silently, as they're malformed.

    BlackBerry knows about the MIME formatting problem and I expect it will get fixed -- I assume before 10.3.2 sees official release, although that's a guess.

    There's a problem with encrypted emails, but not signed ones; the phone silently eats them. But the encrypted problem appears to exist on BES too in a non-all-Microsoft environment, and I suspect it's related to the formatting issue. I won't know for sure until that's fixed. The only thing I'm aware of in that regard is that it appears BlackBerry is doing something screwy that I've not yet completely figured out with regard to CRLs; I get a message that they're "not set up" when the status is checked, but the certificate verifies the trust chain and the signature verifies as well.

    On IMAP you can *emit* S/MIME email but the phone doesn't recognize, decode and verify them on inbound email. The reason appears to be that BlackBerry decided at some point in the past to use Exchange as a means of detaching and handing over attachments individually. That sounds rather dumb and it is, particularly given that the phone does know how to process an attachment itself.

    Who knows if they'll fix that; I find it ridiculous in the extreme that they have tied themselves to Microsoft's protocol in this regard, but it is what it is, at least at present.

    So I'd call it "sort of working."
    04-20-15 08:25 AM
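    A small lint for the two transport defects tickerguy describes in this thread (one-line base64 parts and bare linefeeds), as an added example that is not code from the forum or from BlackBerry. It assumes only Python 3's standard email package; the sample message is constructed and its "signature" is filler, not a real PKCS#7 blob. check_mime reports the findings and normalize re-wraps base64 parts at RFC 2045's 76-character limit with CRLF endings, which is what a strict client such as Thunderbird expects.

```python
"""Lint a message for the transport-format defects discussed in the thread:
base64 body parts emitted as one long line instead of <= 76-char lines
(RFC 2045 section 6.8) and bare LF line endings where SMTP requires CRLF.
Added example, not code from the forum or BlackBerry; sample is constructed."""
import email
from email import policy

MAX_B64_LINE = 76  # RFC 2045 section 6.8: encoded lines no longer than 76 chars

# Constructed multipart/signed message showing both defects: LF-only line
# endings and a 240-character single-line base64 "signature" (filler, not real).
SAMPLE = (
    b"From: alice@example.test\nTo: bob@example.test\n"
    b"Subject: constructed S/MIME sample\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
    b' micalg=sha-256; boundary="bnd"\n\n'
    b"--bnd\nContent-Type: text/plain; charset=us-ascii\n\nHello Bob\n"
    b"--bnd\nContent-Type: application/pkcs7-signature; name=smime.p7s\n"
    b"Content-Transfer-Encoding: base64\n\n" + b"MIIB" * 60 + b"\n--bnd--\n"
)

def _base64_parts(msg):
    """Yield (index, part) for every leaf part transferred as base64."""
    for idx, part in enumerate(msg.walk()):
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if not part.is_multipart() and cte == "base64":
            yield idx, part

def check_mime(raw: bytes) -> dict:
    """Report the bare-LF count and base64 parts that contain over-long lines."""
    bare_lf = raw.count(b"\n") - raw.count(b"\r\n")
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    long_b64 = []
    for idx, part in _base64_parts(msg):
        # compat32 keeps the part's wire text, so these are the real line lengths
        lengths = [len(line) for line in part.get_payload().splitlines()]
        if lengths and max(lengths) > MAX_B64_LINE:
            long_b64.append((idx, part.get_content_type(), max(lengths)))
    return {"bare_lf": bare_lf, "long_b64": long_b64}

def normalize(raw: bytes) -> bytes:
    """Re-wrap base64 parts at 76 chars and emit CRLF endings; the encoded
    content itself is left unchanged, so signatures still verify."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    for _, part in _base64_parts(msg):
        data = "".join(part.get_payload().split())  # drop existing whitespace
        part.set_payload("\r\n".join(
            data[i:i + MAX_B64_LINE] for i in range(0, len(data), MAX_B64_LINE)))
    return msg.as_bytes(policy=policy.compat32.clone(linesep="\r\n"))

if __name__ == "__main__":
    print("before:", check_mime(SAMPLE))
    print("after: ", check_mime(normalize(SAMPLE)))
```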
  16. tickerguy's Avatar
    Update: 10.3.2 will check an OCSP server for revocation data, but not a revocation list. That's reasonable in today's environment; those lists can be ridiculously large whereas a query against a server is quick and (reasonably) painless. If your certificate doesn't include OCSP revocation data pester the issuer for one that does.
    04-20-15 10:09 PM
  17. Sajan Parikh's Avatar
    Yay! Finally we get to go from explaining...

    "My phone can't do S/MIME"

    to

    "My phone can do S/MIME....but...."

    FFS, can we at least get the option to send a plain text version of emails along with the HTML? Looks like they've finally realized how to send multipart messages.
    lasouthern likes this.
    04-21-15 07:58 AM
  18. tickerguy's Avatar
    Well, they may "know" how to send them but they don't send them correctly -- at least not yet!
    04-21-15 08:01 AM
  19. lasouthern's Avatar
    > Well, they may "know" how to send them but they don't send them correctly -- at least not yet!

    [email protected] it can only help us...

    Posted via CB10
    04-21-15 06:20 PM
  20. akavbb's Avatar
    > Sure...
    >
    > Load your CA certificate (if you're using your own) and .p12 (or pfx) cert for your email. Note that the subjectAltName must be set to your email address or it won't come up as one of your choices.
    >
    > Then from the hub, when you have the email account up, hit the three dots and Settings, then the account. "Secure email" will be one of the drill-down options; turn on S/MIME and select the certificates.
    >
    > You can then pull down when composing and select the mode (plain text, Signed, Signed/encrypted, etc)
    >
    > This works for me on IMAP accounts on 10.3.2.
    >
    > It only works for sending, however..... less the problems with malformed MIME transmission (which are extremely severe, especially for encrypted emails of any material size.)

    I cannot follow the sequence of the activation on. 680.
    The certificate prerequisites are fine (subjectaltname, etc).
    I can't find where to activate it from the hub.
    Can somebody help me please?

    Posted via my STL100-2 | Waiting for the mighty Squircle to return
    05-27-15 10:35 PM
  21. Alichakery's Avatar
    > Sure...
    >
    > Load your CA certificate (if you're using your own) and .p12 (or pfx) cert for your email. Note that the subjectAltName must be set to your email address or it won't come up as one of your choices.
    >
    > Then from the hub, when you have the email account up, hit the three dots and Settings, then the account. "Secure email" will be one of the drill-down options; turn on S/MIME and select the certificates.
    >
    > You can then pull down when composing and select the mode (plain text, Signed, Signed/encrypted, etc)
    >
    > This works for me on IMAP accounts on 10.3.2.
    >
    > It only works for sending, however..... less the problems with malformed MIME transmission (which are extremely severe, especially for encrypted emails of any material size.)
    10-14-17 02:40 PM
  22. Alichakery's Avatar
    Thank you for your reply,

    I don't get the part which you mentioned, load your cert.

    I have loaded my own certificate (in .p12) format in : Settings> Security Settings > Certificates

    But when I go to hub there is no secure email option there.

    I would really appreciate it if someone helps

    > Sure...
    >
    > Load your CA certificate (if you're using your own) and .p12 (or pfx) cert for your email. Note that the subjectAltName must be set to your email address or it won't come up as one of your choices.
    >
    > Then from the hub, when you have the email account up, hit the three dots and Settings, then the account. "Secure email" will be one of the drill-down options; turn on S/MIME and select the certificates.
    >
    > You can then pull down when composing and select the mode (plain text, Signed, Signed/encrypted, etc)
    >
    > This works for me on IMAP accounts on 10.3.2.
    >
    > It only works for sending, however..... less the problems with malformed MIME transmission (which are extremely severe, especially for encrypted emails of any material size.)
    10-14-17 02:40 PM