sks-devel

Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"


From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"
Date: Fri, 08 Nov 2013 17:18:45 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0

On 11/08/2013 03:33 PM, Nat Howard wrote:
> Unfortunately, I made the mistake of asking Kristian if I was done now. And his answer
> was, "Make sure to setup the vhost for hkps.pool.sks-keyservers.net"
> and he was kind enough to give me the exact command that should work:
>
>   curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' "https://keyserver.witopia.net/pks/lookup?op=stats"

as your apache error logs point out, this is not actually the correct command, because curl is extracting the hostname for SNI from the URL string (before the TLS handshake completes), but is sending the overridden Host: HTTP header (after the TLS handshake). No sane HTTP client will do this, so I would not expect your server to consider it a valid request.

> [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname
> keyserver.witopia.net provided via SNI and hostname
> hkps.pool.sks-keyservers.net provided via HTTP are different.

exactly.

If you want to test this explicitly (that is, you want the connection to go to your server and your server only, but you want to see how it looks when someone lands there as the result of the DNS rr pool), you can override the DNS system by putting a line in your /etc/hosts:

 192.0.2.3 hkps.pool.sks-keyservers.net

(replacing 192.0.2.3 with your server's public-facing IP address, of course) and then make a normal connection:

 curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem \
    https://keyserver.witopia.net/pks/lookup?op=stats

Once you've tested it, remember to remove or comment out the line from /etc/hosts!

> Now, the interesting thing is, if I change the curl command just a little bit, so it uses the "-H" arg with
> "keyserver.witopia.net" instead of "hkps.pool.sks-keyservers.net", I get a "correct"
> response -- that is, my stats in HTML, and no messages in the log file. That is: this works:
>
>    curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net' "https://keyserver.witopia.net/pks/lookup?op=stats"

right, because this is what curl would have sent as the Host: HTTP header anyway :)

> I noticed that some of you in the "hkps green zone" on the status page *also*
> don't have this working (I won't name names!).

If there are misconfigurations or problems, please do name names. We learn from each other's instruction and diagnostics on this mailing list :)

> In fact, almost all of the ones I tried didn't have this working (Yes, I
> changed the https name as appropriate in the curl command). However
> congratulations to keys.sflc.info --
>
> curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'
>
> results in perfectly good information. How'd you guys do it?

yeah, what are they doing? that's pretty weird.

        --dkg
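As an added example that is not part of dkg's mail or of SKS itself: the same test as the /etc/hosts trick above, done by connecting straight to the server's IP with SNI, certificate verification and the Host header all set to the pool name, plus a small reimplementation of the SNI-versus-Host comparison Apache makes when it logs AH02032. The server IP and CA file path are supplied by the caller; the request bytes used in the test are constructed.

```python
import socket
import ssl
from typing import Optional

POOL_NAME = "hkps.pool.sks-keyservers.net"


def host_header(request: bytes) -> Optional[str]:
    """Return the Host header of a raw HTTP request, lowercased and without
    the :port suffix, or None when the request carries no Host header."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            if host.startswith("["):              # IPv6 literal such as [2001:db8::1]:443
                host = host[: host.index("]") + 1]
            elif ":" in host:                     # plain name:port
                host = host.rsplit(":", 1)[0]
            return host.lower()
    return None


def sni_host_mismatch(sni: str, request: bytes) -> bool:
    """Mirror the check behind Apache's AH02032: for a name-based TLS vhost the
    name sent in SNI must equal the name in the HTTP Host header."""
    host = host_header(request)
    return host is not None and host != sni.lower()


def fetch_stats_as_pool(server_ip: str, ca_pem: str, name: str = POOL_NAME,
                        timeout: float = 10.0) -> str:
    """Connect directly to server_ip (what editing /etc/hosts achieves) but present
    `name` in SNI, verify the certificate against ca_pem for `name`, and send a
    matching Host header. Returns the HTTP status line the server answers with."""
    ctx = ssl.create_default_context(cafile=ca_pem)   # trust only the pool CA, like --cacert
    request = (f"GET /pks/lookup?op=stats HTTP/1.1\r\nHost: {name}\r\n"
               f"Connection: close\r\n\r\n").encode("ascii")
    with socket.create_connection((server_ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=name) as tls:  # server_hostname sets SNI
            tls.sendall(request)
            return tls.recv(4096).split(b"\r\n", 1)[0].decode("iso-8859-1")


if __name__ == "__main__":
    import sys
    # usage: python check_hkps.py <server-ip> <path-to-sks-keyservers.netCA.pem>
    print(fetch_stats_as_pool(sys.argv[1], sys.argv[2]))
```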
