S/MIME gotchas

S/MIME is an attractive option for implementing secure messages, since it works OOTB in more MUAs than OpenPGP. However, for an 11-year-old standard, there are a lot of limitations on the lowest-common-denominator of what works.

A good (and fairly ubiquitous) implementation seemed to be the OpenSSL smime(1) command. This has a few quirks:

  • It doesn’t use CRLF line endings in the outer message as required by RFC 2822. In newer versions there is an undocumented -crlfeol option, but even this doesn’t work properly. I’ve submitted a patch on their tracker.
  • You probably want to use the -text option and not the -binary option when encrypting to fix the CR/LF issues for a text/plain payload.
  • To generate certificates non-interactively, you are probably going to need an OpenSSL config file to go along with the req -batch option. Something like:
    [ req ]
    prompt = no
    default_bits = 2048
    extendedKeyUsage=emailProtection
    subjectAltName=email:foo@example.com
    distinguished_name = dn
    req_extensions = req_extensions
    x509_extensions = req_extensions
    
    [ req_extensions ]
    extendedKeyUsage=emailProtection
    basicConstraints=CA:FALSE
    
    [ dn ]
    O=Example Corp
    C=AU
    CN=Example Corp Secured Email <foo@example.com>
    emailAddress=foo@example.com
    

Below is the micro-HOWTO for non-interactively doing stuff (you can use pipes instead of the files in all these instances when driving OpenSSL via IPC). Note that the certificates are read before the message payload, and you want to get the I/O order right to avoid a deadlock.

openssl req -x509 -nodes -days 14 -newkey rsa:1024 \
-keyout private.pem -out public.pem
openssl pkcs12 -export -passout fd:0 -inkey private.pem -in public.pem \
-out private.pfx
openssl smime -encrypt -des3 -text -in payload.txt \
-to 'foo@example.com' -from 'Me <bar@example.net>' \
-subject "An encrypted email" \
-out message.eml public.pem # or pipe stdout to sendmail
openssl smime -decrypt -in message.eml -out payload2.txt \
-inkey private.pem public.pem
# for low-level debugging:
openssl smime -pk7out -in message.eml | openssl asn1parse

On to the MUAs. The certificate import for Apple Mail is pretty painless with the PKCS#12 key being imported by Keychain Access. Later (it didn’t work immediately for me) extra buttons for signing and encrypting automagically appear in the message editing window on the From line, but they are disabled unless your From address has a certificate. Hence you need a certificate yourself, even if you’re not signing, in order to send an encrypted email to a friend.

Apple Mail gets very confused if the CR/LF stuff isn’t correct: it will display the same message as blank, just the base64-encoded S/MIME part, and the correct decoded text on different occasions.

Thunderbird isn’t very friendly toward self-signed certificates. Choosing the .pfx from Preferences > Advanced > View Certificates > Import will get the key to show up, but when you try to encrypt an email, you get an error message like “the application failed to find an encryption certificate for <foo@example.com>”. However, Thunderbird will use the key for decrypting.

Microsoft Outlook and Outlook Express will use the Windows certificate store, which imports a .pfx with a wizard by default when you open one. You can import it from a shell (or more likely, from wine) with rundll32.exe cryptext.dll,CryptExtAddPFX private.pfx, or use the UI from Internet Explorer (Tools > Internet Options > Contents > Certificates).

Apple Mail and Thunderbird both handle multipart/mixed with text/plain and smime-envelope parts correctly (by concatenating the unencrypted and envelope contents in the message window), although they will report the message as unencrypted (which is true I guess, because only one part of the message is). However, Microsoft Outlook won’t display anything for the secure part (not even an error).

exponent for Fan Control

Here’s another patch for some third party software, this time for keeping your intel mac CPU cool.

I’ve been using Lobotomo’s Fan Control preference pane and daemon to control my 2.16 GHz Core 2 Duo Macbook Pro’s fan speeds since I installed OS X.

It’s useful because it means you can idle with quieter fans in a cool environment, but still have them rev up to max before you burn your fingers. However, one thing that’s annoyed me for a while is that you only really control the floor and ceiling thresholds of a linear response curve.

In my experience (engineers or physicists can correct me), at a constant CPU load, there are multiple equilibrium temperature/fan-speed combinations, but they’re not collinear. In the original Fan Control, the response curve is linear. Taking a hint from gamma correction, I have patched Fan Control 1.2 to use an exponential curve. Where T is the temperature, the target fan speed F is governed by the equation:

F_b + (F_m - F_b) ((T - T_l)/(T_b - T_l))^γ

I also reduced the minimum upper threshold temperature to 60˚C.

You can browse the source in git or download the binary installer. I’ve only tested on the MacBook Pro (running Leopard). Feedback is welcome as comments here on the blog.

Screenshot
exponential curve screenshot

Of course, there may be more effective measures to combat a hot macbook pro.

Decent terminal font

I haven’t been able to find a good replacement for Monaco for use as a terminal font on OS X.

try figuring this one out with bleary eyes
try figuring this one out with bleary eyes

My personal favourite terminal font, neep alt isn’t readily useable from OS X.

None of the Proggy fonts are as clean as Monaco, although Proggy Tiny 11 comes close.

  • lower-case “a” should be double-storey, so it doesn’t look anything like lower-case “o”
  • zero “0” should be slashed
  • lower-case “l” should have a serif on the bottom like lower-case “t”, and not look like numeral “1” or upper-case “I”.
  • upper-case “U” and “V” differ by at least 7 pixels
  • gentle curves rather than blocky rectangles, please

It’s disappointing that Monaco can get so much right and get lower-case “a” wrong. Still, if anyone wants to port neep alt to a format OS X and iTerm can handle (even if it’s only at 13pt semicondensed)… I tried once with fontforge but it was pretty broken.