Not seeing an issue with Gmail web client, Outlook, nor Thunderbird.
I would assume if OCSP wasn’t supported by the certificate, eM would failover to a given CRL endpoint. And if successful, there would be no reported “Signature has problems” statement.
I suspect I’m missing something. Perhaps a configuration option I don’t have set correctly, but I don’t believe I’ve deviated from the defaults.
[Added Note] I received a report from an iOS user, version 10.0.2080 (1997189), that they were seeing:
[Added Note (2024.05.21)]: No certification validation error when utilizing a certificate (different from that used above) with both an AIA OCSP and a CRL endpoint.
At a loss here. Appears to be working now for newer emails, same cert as the emails that earlier failed. Earlier emails continue to show the OCSP error.
Tried reinstalling the Android eM Client, but results were the same. Old emails, OCSP error, new emails just fine.
Not seeing an issue with Gmail web client, Outlook, nor Thunderbird
At a loss here. Appears to be working now for newer emails, same cert as the emails that earlier failed. Earlier emails continue to show the OCSP error.
Have you tried the same account with the certificate error in eM Client for desktop on PC or Mac?
Examined the email from yesterday which was working at the time, that is no errors, and today it is now reporting the OCSP error. Sent a new email today, and it is fine, no error.
I tried the same account today with eM Client for PC (i.e. Windows 10 in this case). All emails are fine, that is no reported OCSP error. No errors at all both for new emails and old with the cert.
Definitely worth trying but since I hadn’t seen any reports of such issues and due to the fact that Windows and Android handle checking the revocation list differently, I figured unlikely to be any issue with Windows.
For any watchers of this thread, I’m currently awaiting an acknowledgement from [email protected]. It’s been a week since I reported the issue to them. I also reached out to [email protected] on May 29th, and am awaiting a response there as well.
The behavior does persist. Within the first few days after an email goes out, no errors reported wrt the cert. After that though, signature is flagged as having a problem, and details specify that an error occurred during certificate validation, the error being that the certificate does not specify an OCSP responder.
The only thing that I can imagine (given the behavior) is that there is a retry period with backoff pattern (for the OCSP responder connection) that starts with the date the email was sent out. Once that period is exhausted, the error is reported. This thought though doesn’t really hold muster, since there is no OCSP responder provided and it should just fail immediately.
My understanding is that OCSP responders are falling out of favor due to privacy concerns and bandwidth and connection issues. Discussion can be found at cabform.org and elsewhere. This seems to be more the case for TLS connections, though one will also see this mentioned/suggested in the Minutes of the S/MIME Certificate Working Group at cabform.org for example as well.
Having said that, I checked three CAs: CACert, Actalis, and WISeID/WISeKey. Of those three, only WISeID was lacking the OCSP responder, which is what I’m currently utilizing. That’s a relatively small sample size and not necessarily a very representative one. Would be interested to see what others are seeing with their CAs.
Given the lack of information I’m finding on this wrt Mobile eM Client and lack of input in this specific thread, I’m guessing that most CAs include an OCSP responder in their S/MIME certs.
I checked the user facing documentation on eM Client, and no mention is made of OCSP. Since this is a lower level detail, this was not too surprising.
Same issue exists with 10.0.2643. Updated but also uninstalled and reinstalled. No difference.
Certainly worth a try, but was there something in the release notes that indicated this issue might be addressed with this release?
Where is the release history and notes for the mobile version? Was able to locate the release history for MS Windows and macOS, but not the Android version.
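For readers who want to compare their own CA's certificates the way the posts above do, here is an added example (not from any poster and not eM Client's code) that lists the OCSP and CRL endpoints a certificate advertises. It assumes the Python `cryptography` package; the sample certificates and URLs are constructed, and the OCSP-then-CRL order in `revocation_plan` is the fallback the original poster expected, not confirmed client behaviour.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

def revocation_endpoints(cert):
    """Return (ocsp_urls, crl_urls) advertised in the certificate's extensions."""
    ocsp, crl = [], []
    try:  # OCSP responders live in the Authority Information Access extension
        aia = cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        ocsp = [d.access_location.value for d in aia
                if d.access_method == AuthorityInformationAccessOID.OCSP]
    except x509.ExtensionNotFound:
        pass
    try:  # CRL URLs live in the CRL Distribution Points extension
        cdp = cert.extensions.get_extension_for_oid(
            ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        crl = [n.value for dp in cdp for n in (dp.full_name or [])
               if isinstance(n, x509.UniformResourceIdentifier)]
    except x509.ExtensionNotFound:
        pass
    return ocsp, crl

def revocation_plan(cert):
    """Assumed order: OCSP if advertised, else CRL, else nothing to check."""
    ocsp, crl = revocation_endpoints(cert)
    return "ocsp" if ocsp else "crl" if crl else "none"

def make_sample_cert(ocsp_url=None, crl_url=None):
    """Build a constructed, self-signed test certificate (not a real S/MIME cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-sample")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if ocsp_url:
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP,
            x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    if crl_url:
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)], relative_name=None,
            reasons=None, crl_issuer=None)]), critical=False)
    return b.sign(key, hashes.SHA256())
```

To inspect a real certificate, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass the result to `revocation_endpoints`.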