[Sks-devel] pain of joining hkps -- reverse proxy config in apache issue


From: Nat Howard
Subject: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"
Date: Fri, 8 Nov 2013 15:33:54 -0500

Okay, so I get my SSL certificate so I can (in theory) do hkps -- thanks Kristian!    I do all the magic, so that things appear to work fine -- for example: 

curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem "https://keyserver.witopia.net/pks/lookup?op=stats"

Gets me a reasonable return.    I can do the appropriate thing with the GPG Key manager and retrieve keys, and I'm clearly talking SSL.   I'm done, right?

Unfortunately, I made the mistake of asking Kristian if I was done now.   And his answer was, "Make sure to set up the vhost for hkps.pool.sks-keyservers.net"
and he was kind enough to give me the exact command that should work:

 curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net'   "https://keyserver.witopia.net/pks/lookup?op=stats"

Unfortunately, after several hours of trying "plausible" stuff with my apache (Server version: Apache/2.4.6 (FreeBSD) Server built:   Sep  1 2013 20:55:47)  reverse-proxy setup, this still does not work.   

Here's the response: 

$  curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net'   "https://keyserver.witopia.net/pks/lookup?op=stats"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>

And in the httpd-error log, I see: 

[Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname keyserver.witopia.net provided via SNI and hostname hkps.pool.sks-keyservers.net provided via HTTP are different.

Here's a sample of the vhosts I've been creating (at the moment, there are three of these, with "ServerName" set to  hkps.pool.sks-keyservers.net, keyserver.witopia.net and an internal name) :

<VirtualHost *:443>
    SSLEngine On
    ServerName  hkps.pool.sks-keyservers.net
    SSLStrictSNIVHostCheck off
    SSLProxyEngine On
#    ProxyRequests Off
    # Local (WiTopia) Server Cert info for all 443 hosts on this system
    # (prod00.keyserver.dca)
    SSLCertificateFile /usr/local/etc/apache24/publickey/actual_keys/keyserver.witopia.net.crt
    SSLCertificateKeyFile /usr/local/etc/apache24/publickey/actual_keys/keyserver.witopia.net.key
#    SSLCertificateChainFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem
    SSLCACertificateFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem

#    CustomLog /dev/null common
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    # include the Via: to get on the right list.
    ProxyVia Full
    SetEnv proxy-nokeepalive 1
</VirtualHost>


Now, the interesting thing is, if I change the curl command just a little bit, so it uses the "-H" arg with "keyserver.witopia.net" instead of "hkps.pool.sks-keyservers.net", I get a "correct" response -- that is, my stats in HTML, and no messages in the log file.   That is: this works: 

  curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net'  "https://keyserver.witopia.net/pks/lookup?op=stats"

I've tried creating two VirtualHosts with ServerName set to keyserver.witopia.net in one and "hkps.pool.sks-keyservers.net" in the other.  I've tried "ServerAlias".  I've tried "ProxyPreserveHost On" and leaving it off.    I feel reasonably sure that there's some simple "map 'hkps.pool.sks-keyservers.net' to 'keyserver.witopia.net'" directive, but I've yet to find it.

I'd love to let people try it, but as I say, I'd rather not leave the port open.    Does anyone have any suggestions?   


P.S. 
 I noticed that some of you in the "hkps green zone" on the status page *also* don't have this working (I won't name names!).   In fact, almost all of the ones I tried didn't have this working (Yes, I changed the https name as appropriate in the curl command).   However, congratulations to keys.sflc.info -- 

curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'

results in perfectly good information.   How'd you guys do it?
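Added example (not part of the post, of SKS, or of Apache): a small Python helper that parses AH02032 lines of the kind quoted above out of an Apache error log and models the comparison behind them, so an operator can see which SNI/Host name pairs clients are presenting before changing the vhost layout. The sample log lines are constructed here (the first is the one from the post); `sni_host_mismatch` is this example's own approximation of the mod_ssl check, an assumption rather than quoted Apache source: the TLS SNI name, which curl takes from the URL host rather than from `-H 'Host: ...'`, is compared case-insensitively with the hostname part of the HTTP Host header, and a difference is answered with 400.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log: line 1 is the AH02032 entry quoted in the post,
# line 2 is an invented entry with a different name pair, line 3 is an
# unrelated notice that the parser must ignore.
SAMPLE_LOG = [
    "[Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname "
    "keyserver.witopia.net provided via SNI and hostname "
    "hkps.pool.sks-keyservers.net provided via HTTP are different.",
    "[Fri Nov 08 20:07:11.000001 2013] [ssl:error] [pid 6293] AH02032: Hostname "
    "keyserver.witopia.net provided via SNI and hostname "
    "example-pool.invalid provided via HTTP are different.",
    "[Fri Nov 08 20:07:12.000002 2013] [core:notice] [pid 6290] "
    "AH00094: Command line: 'httpd'",
]

# Matches the Apache 2.4 error-log shape of the AH02032 message.
AH02032_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid (?P<pid>\d+)\] AH02032: "
    r"Hostname (?P<sni>\S+) provided via SNI and hostname (?P<host>\S+) "
    r"provided via HTTP are different\.?$"
)


def split_host_port(host_header: str) -> str:
    """Return the hostname part of an HTTP Host header value, dropping a
    trailing :port and the brackets of an IPv6 literal."""
    h = host_header.strip()
    if h.startswith("["):  # [v6addr]:port form
        end = h.find("]")
        return h[1:end] if end != -1 else h[1:]
    # exactly one colon means host:port; more means a bare IPv6 literal
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def sni_host_mismatch(sni: str, host_header: str) -> bool:
    """Assumption: models the mod_ssl request check that emits AH02032.
    True when the SNI name and the Host header hostname differ
    (case-insensitively), i.e. when Apache would answer 400 Bad Request."""
    return split_host_port(host_header).lower() != sni.strip().lower()


def parse_ah02032(line: str) -> Optional[dict]:
    """Parse one error-log line; None if it is not an AH02032 entry."""
    m = AH02032_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def summarize(lines) -> Counter:
    """Count (sni, host) pairs across a log, so the operator can see which
    certificate vhost clients reach versus which name they ask for."""
    pairs = Counter()
    for line in lines:
        rec = parse_ah02032(line)
        if rec:
            pairs[(rec["sni"], rec["host"])] += 1
    return pairs


if __name__ == "__main__":
    for (sni, host), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  SNI={sni}  Host={host}")
```

Run it against a real log with `summarize(open("/var/log/httpd-error.log"))`; a pair whose SNI name is the server's own certificate name and whose Host is the pool name is exactly what the `-H 'Host: ...'` curl test produces, since that flag changes the HTTP header but not the name curl sends in the TLS handshake.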