Cisco Bug: CSCvh84754 - DKIM fails signing and verification messages with an empty body on 'relaxed' canonicalization

Last Modified

Mar 26, 2019

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases

11.0.1-027 11.0.1-028

Description (partial)

The implementation of the 'relaxed' body canonicalization algorithm incorrectly processes an empty body.
The canonicalized empty body returned in 'relaxed' mode gives the same hash as the empty body in 'simple' mode.
Because of this defect in the canonicalization method, the body hash for an empty body in 'relaxed' mode is calculated incorrectly. This can result in a "body hash did not verify [final]" error from an RFC-compliant verifier.

Because the same method is used to canonicalize a message for both signing and verification, this causes two issues:
- a message properly signed by a third-party signer will fail body hash verification on the ESA
- a message wrongly signed on the ESA will not verify properly at a third-party verifier

The issue occurs when a message with an empty body is canonicalized in 'relaxed' mode. The body hash calculated for an empty body in 'relaxed' mode has the same value as in 'simple' mode. The value is 'frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY='
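
The difference between the two modes for an empty body, as an added example that is not Cisco's code: it implements the RFC 6376 body canonicalizations, shows that a compliant 'relaxed' empty body hashes differently from the 'simple' one, and flags signatures that carry the value quoted above. It assumes SHA-256 (a=rsa-sha256) and no l= tag; the function names are hypothetical.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"
# bh= value quoted in the bug description (SHA-256 of a lone CRLF).
SIMPLE_EMPTY_BH = "frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY="


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF.
    An empty body therefore canonicalizes to a single CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + CRLF


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP, drop trailing
    empty lines. An empty result stays empty: no CRLF is added."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else b""


def body_hash(body: bytes, mode: str) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    canon = canon_relaxed(body) if mode == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def matches_bug_signature(c_tag: str, bh: str) -> bool:
    """True when a DKIM-Signature declares relaxed body canonicalization but
    carries the 'simple' empty-body hash. Assumes the signature has no l= tag."""
    _, _, body_mode = c_tag.strip().lower().partition("/")
    # A c= tag without "/body" means the body algorithm defaults to simple.
    return (body_mode or "simple") == "relaxed" and bh.strip() == SIMPLE_EMPTY_BH


if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, body_hash(b"", mode))
    # Constructed sample tags: c=relaxed/relaxed with the hash from this bug.
    print(matches_bug_signature("relaxed/relaxed", SIMPLE_EMPTY_BH))
```

Running `matches_bug_signature` over the c= and bh= tags of stored DKIM-Signature headers helps separate failures caused by this defect from genuine body tampering.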