Steps to reproduce
Open an S/MIME-signed e-mail with an official certificate from HARICA.
Expected behavior
The certificate should be trusted, as it is in, for instance, Thunderbird.
Actual behavior
When opening an S/MIME-signed e-mail with our certificates from our official CA (Hellenic Academic and Research Institutions CA, "HARICA Client RSA Root CA 2021"), the Nextcloud Mail app shows an error:
I am not sure exactly what is invalid, because when opening the exact same e-mail in, for instance, Thunderbird, it does not complain about anything.
This root certificate is included in, for instance, https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt, which parts of Nextcloud's codebase claim to use as an upstream source for trusted CAs (it is given as a reference in https://github.com/nextcloud/server/blob/master/resources/config/ca-bundle.crt, for instance).
This next paragraph is perhaps speculation on my part, so feel free to ignore it. Quickly digging around in the Nextcloud code, it seems to me that you are relying on curl's extracted CA bundle, produced with the tool https://curl.se/docs/mk-ca-bundle.html. This tool states in its documentation: "By default, only CA root certificates trusted to issue SSL server authentication certificates are extracted." I am not sure if "our" root cert has the "right" bits set for this extraction to take place, but looking at, for instance, https://github.com/nextcloud/server/blob/master/resources/config/ca-bundle.crt, I do not see it listed there despite it being available upstream at Mozilla (which is the claimed source for the CAs in this file), so perhaps you should consider modifying the default parameters used for extracting trusted CAs from Mozilla.
Mail app version
No response
Nextcloud version
"32.0.6"
Mailserver or service
No response
Operating system
No response
PHP engine version
None
Nextcloud memory caching
No response
Web server
None
Database
None
Additional info
No response
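To make the speculation in the report testable, here is an added example (not code from Nextcloud, curl or the reporter) in Python that parses the CKO_NSS_TRUST objects of Mozilla's certdata.txt and applies the purpose filter mk-ca-bundle uses by default: roots whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR or CKT_NSS_TRUSTED. Run over the real certdata.txt it lists roots that are S/MIME (EMAIL_PROTECTION) anchors but not TLS anchors, i.e. exactly the roots a server-auth-only bundle would miss. The embedded input is a constructed sample in certdata.txt syntax (made-up labels and octal bytes); it does not reproduce the HARICA entry, so the actual trust flags of that root must be read from the upstream file.

```python
"""Parse Mozilla certdata.txt trust records and apply mk-ca-bundle-style purpose filters."""
import re
import sys
from typing import Dict, Iterable, List, Optional

# Purposes recorded in each CKO_NSS_TRUST object of certdata.txt.
PURPOSES = ("SERVER_AUTH", "EMAIL_PROTECTION", "CODE_SIGNING")

# Trust levels mk-ca-bundle accepts by default (for the SERVER_AUTH purpose).
DEFAULT_LEVELS = ("CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_TRUSTED")

# Constructed sample in certdata.txt syntax; labels and octal bytes are made up,
# not copied from Mozilla's file. One TLS+S/MIME root, one S/MIME-only root.
SAMPLE_CERTDATA = """\
BEGINDATA
#
# Certificate "Example TLS Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example TLS Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001\\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example TLS Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\\001\\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Trust for "Example Client Root" (S/MIME only, no server-auth trust)
#
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Client Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\\003\\004
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""


def parse_trust_records(text: str) -> List[Dict[str, str]]:
    """Return one dict per CKO_NSS_TRUST object: label plus a trust value per purpose.

    MULTILINE_OCTAL blocks (hashes, issuer, serial, DER value) are skipped up to END;
    CKO_CERTIFICATE objects are parsed but not kept.
    """
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("MULTILINE_OCTAL"):
            for inner in lines:  # consume the octal dump, shared iterator
                if inner.strip() == "END":
                    break
            continue
        if line.startswith("CKA_CLASS"):
            if current is not None and current.get("class") == "CKO_NSS_TRUST":
                records.append(current)
            current = {"class": line.split()[-1]}
            continue
        if current is None:
            continue
        if line.startswith("CKA_LABEL"):
            m = re.search(r'"(.*)"', line)
            current["label"] = m.group(1) if m else ""
        elif line.startswith("CKA_TRUST_"):
            attr, _ck_type, value = line.split()
            purpose = attr[len("CKA_TRUST_"):]
            if purpose in PURPOSES:
                current[purpose] = value
    if current is not None and current.get("class") == "CKO_NSS_TRUST":
        records.append(current)
    return records


def select_roots(records: List[Dict[str, str]], purpose: str,
                 levels: Iterable[str] = DEFAULT_LEVELS) -> List[str]:
    """Labels of roots whose trust for `purpose` is one of `levels` (mk-ca-bundle's filter)."""
    wanted = set(levels)
    return sorted(r["label"] for r in records if r.get(purpose) in wanted)


def missing_when_server_auth_only(records: List[Dict[str, str]]) -> List[str]:
    """S/MIME anchors that a SERVER_AUTH-only extraction (the default) would drop."""
    email = set(select_roots(records, "EMAIL_PROTECTION"))
    server = set(select_roots(records, "SERVER_AUTH"))
    return sorted(email - server)


def main(argv: List[str]) -> int:
    if len(argv) > 1:  # path to a downloaded certdata.txt
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CERTDATA
    records = parse_trust_records(text)
    print(f"{len(records)} trust records parsed")
    for rec in records:
        if rec["label"] in missing_when_server_auth_only(records):
            print(f"S/MIME-only root, absent from a SERVER_AUTH bundle: {rec['label']} "
                  f"[SERVER_AUTH={rec.get('SERVER_AUTH')}, "
                  f"EMAIL_PROTECTION={rec.get('EMAIL_PROTECTION')}]")
    return 0


if __name__ == "__main__":
    raise SystemExit(main(sys.argv))
```

Pass the path of a downloaded certdata.txt as the first argument to see the real entries. If the HARICA root is reported as an S/MIME-only anchor, mk-ca-bundle would have to be run with a purpose selection that includes EMAIL_PROTECTION (its -p option, described on the linked manual page) for it to appear in ca-bundle.crt. A TLS CA bundle and an S/MIME trust store are different sets of anchors, so the cleaner fix for an S/MIME verifier is usually a separate list extracted for EMAIL_PROTECTION rather than widening the bundle the HTTP client uses.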