
Re: [Sks-devel] SRV records and HKPS requests


From: Phil Pennock
Subject: Re: [Sks-devel] SRV records and HKPS requests
Date: Sun, 2 Dec 2012 19:59:58 -0500

On 2012-12-02 at 10:23 -0500, David Shaw wrote:
> On Oct 6, 2012, at 10:20 PM, Phil Pennock <address@hidden> wrote:
> > GnuPG folks (since this is cross-posted, if my mail makes it through):
> > 
> > there is a bug in GnuPG's SRV handling, I've identified where I think
> > it is, it's in the second block of text from me; the first part of this
> > mail relates to SKS and some policy issues around the new keyserver
> > pool Kristian has added.
> 
> Somehow I didn't notice this mail when it originally came through.  Anyway, 
> thanks for the report.  Clearly the port supplied in the SRV should be 
> honored.
> 
> Can you try the attached patch (against 2.0)?

Might be a sleep issue, but I'm having trouble persuading gpg2 to use
gpgkeys_hkp instead of gpgkeys_curl, or even telling them apart from
"--keyserver-options debug,verbose" output.

I'm going to bail and grab coffee, but here's what I have for testing,
which should make it easy for you to test too.

For testing, I have:
  keyserver.spodhuis.org:
    A, AAAA, and SRV records _pgpkey-http/_pgpkey-https
  keytest.spodhuis.org:
    just the SRV records, pointing to keyserver.spodhuis.org
  all on non-standard ports:
----------------------------8< cut here >8------------------------------
keyserver       IN      A       94.142.241.93
keyserver       IN      AAAA    2a02:898:31:0:48:4558:73:6b73
_pgpkey-http._tcp.keyserver     IN      SRV     10 10 11374     keyserver
_pgpkey-https._tcp.keyserver    IN      SRV     10 10 11373     keyserver
_pgpkey-http._tcp.keytest       IN      SRV     10 10 11374     keyserver
_pgpkey-https._tcp.keytest      IN      SRV     10 10 11373     keyserver
----------------------------8< cut here >8------------------------------

There is a proxy (nginx) listening on both ports, it will insert a
correct identifying Via: header to confirm from the server-side which
port was used, and the cert presented on 11373 is my normal cert, which
should match names.  You can grab the CA from:
  https://www.security.spodhuis.org/CA/globnixCA3.crt
for use as --keyserver-options ca-cert-file=/.../globnixCA3.crt


----------------------------8< cut here >8------------------------------
% ls -ld =gpg2
-r-xr-xr-x  1 root  wheel  685696 Dec  2 19:33 /usr/local/bin/gpg2
% gpg2 --keyserver-options debug,verbose --keyserver hkp://keytest.spodhuis.org/ --recv-key $gpg_key
gpg: requesting key 0x403043153903637F from hkp server keytest.spodhuis.org
gpgkeys: curl version = GnuPG curl-shim
Host:           keytest.spodhuis.org
Command:        GET
* HTTP proxy is "null"
* HTTP URL is "http://keytest.spodhuis.org:11371/pks/lookup?op=get&options=mr&search=0x403043153903637F"
* HTTP auth is "null"
* HTTP method is GET
gpg: key 0x403043153903637F: "Phil Pennock <address@hidden>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
----------------------------8< cut here >8------------------------------

Yeah, I installed the patched version as the system gpg2.  I built with
FreeBSD Ports, which has gnupg-2.0.19, by doing:
  make patch
  patch -p1 <~/bug1446.patch
  make
  make FORCE_PKG_REGISTER=t install

What am I doing wrong?

Thanks,
-Phil
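For readers following the SRV discussion: the script below is an added example (not GnuPG's code and not from the mail) that parses the zone fragment above, applies RFC 2782 selection to the `_pgpkey-http`/`_pgpkey-https` records, and builds the `/pks/lookup` URL with the SRV-supplied port honored. It assumes the zone origin is `spodhuis.org` and does no real DNS query; `use_srv=False` reproduces the no-SRV URL seen in the debug output (literal host, default port 11371).

```python
"""HKP/HKPS URL construction from _pgpkey-http/_pgpkey-https SRV records.
Added example, not GnuPG's code or the mail's. Zone lines are copied from
the mail; origin spodhuis.org is assumed. No DNS query is made (offline)."""
import random
from urllib.parse import urlencode

ORIGIN = "spodhuis.org"
DEFAULT_PORT = {"hkp": 11371, "hkps": 443}
SRV_SERVICE = {"hkp": "_pgpkey-http", "hkps": "_pgpkey-https"}
# Zone fragment from the mail; owner and target names are origin-relative.
ZONE = """
_pgpkey-http._tcp.keyserver     IN      SRV     10 10 11374     keyserver
_pgpkey-https._tcp.keyserver    IN      SRV     10 10 11373     keyserver
_pgpkey-http._tcp.keytest       IN      SRV     10 10 11374     keyserver
_pgpkey-https._tcp.keytest      IN      SRV     10 10 11373     keyserver
"""

def parse_srv_zone(text, origin=ORIGIN):
    """Map owner FQDN -> list of (priority, weight, port, target FQDN)."""
    rrsets = {}
    def fqdn(name):  # absolute names end in '.', relative ones get the origin
        return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or f[1:3] != ["IN", "SRV"]:
            continue  # skip anything that is not a one-line SRV record
        rrsets.setdefault(fqdn(f[0]), []).append(
            (int(f[3]), int(f[4]), int(f[5]), fqdn(f[6])))
    return rrsets

def select_srv(rrset, rng=random):
    """RFC 2782: lowest priority wins; weighted random choice within it."""
    best = min(r[0] for r in rrset)
    cands = sorted(r for r in rrset if r[0] == best)
    pick = rng.randint(0, sum(r[1] for r in cands))
    for rec in cands:  # first record whose cumulative weight reaches pick
        pick -= rec[1]
        if pick <= 0:
            return rec

def lookup_url(scheme, host, keyid, rrsets, use_srv=True, rng=random):
    """URL to fetch keyid from host; use_srv=False ignores SRV entirely."""
    rrset = rrsets.get(f"{SRV_SERVICE[scheme]}._tcp.{host}") if use_srv else None
    if rrset:
        _, _, port, target = select_srv(rrset, rng)  # SRV port is honored
    else:
        target, port = host, DEFAULT_PORT[scheme]  # no SRV: scheme default
    query = urlencode({"op": "get", "options": "mr", "search": keyid})
    return f"{'https' if scheme == 'hkps' else 'http'}://{target}:{port}/pks/lookup?{query}"
```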
