sks-devel
From: Nat Howard
Subject: Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with "hkps.pool.sks-keyservers.net"
Date: Fri, 8 Nov 2013 19:09:57 -0500

Thanks, Daniel and Kristian, for all your help -- I'll give Daniel's plan a 
try.   No news (and keyserver.witopia.net appearing in the green for hkps on 
the status page) will be good news.

On Nov 8, 2013, at 5:18 PM, Daniel Kahn Gillmor wrote:

> On 11/08/2013 03:33 PM, Nat Howard wrote:
>> Unfortunately, I made the mistake of asking Kristian if I was done now.   
>> And his answer was, "Make sure to setup the vhost for 
>> hkps.pool.sks-keyservers.net"
>> and he was kind enough to give me the exact command that should work:
>> 
>> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: hkps.pool.sks-keyservers.net' "https://keyserver.witopia.net/pks/lookup?op=stats"
> 
> as your apache error logs point out, this is not actually the correct 
> command, because curl is extracting the hostname for SNI from the URL string 
> (before the TLS handshake completes), but is sending the overridden Host: 
> HTTP header (after the TLS handshake).  No sane HTTP client will do this, so 
> I would not expect your server to consider it a valid request.
> 
>> [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname 
>> keyserver.witopia.net provided via SNI and hostname 
>> hkps.pool.sks-keyservers.net provided via HTTP are different.
> 
> exactly.
> 
> If you want to test this explicitly (that is, you want the connection to go 
> to your server and your server only, but you want to see how it looks when 
> someone lands there as the result of the DNS rr pool), you can override the 
> DNS system by putting a line in your /etc/hosts:
> 
> 192.0.2.3 hkps.pool.sks-keyservers.net
> 
> (replacing 192.0.2.3 with your server's public-facing IP address, of course) 
> and then make a normal connection:
> 
> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem \
>    https://keyserver.witopia.net/pks/lookup?op=stats
> 
> Once you've tested it, remember to remove or comment out the line from 
> /etc/hosts!
> 
>> Now, the interesting thing is, if I change the curl command just a little 
>> bit, so it uses the "-H" arg with "keyserver.witopia.net" instead of 
>> "hkps.pool.sks-keyservers.net", I get a "correct" response -- that is, my 
>> stats in HTML, and no messages in the log file.   That is: this works:
>> 
>> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: keyserver.witopia.net' "https://keyserver.witopia.net/pks/lookup?op=stats"
> 
> right, because this is what curl would have sent as the Host: HTTP header 
> anyway :)
> 
>>  I noticed that some of you in the "hkps green zone" on the status page 
>> *also* don't have this working (I won't name names!).
> 
> If there are misconfigurations or problems, please do name names.  We learn 
> from each others' instruction and diagnostics on this mailing list :)
> 
>> In fact, almost all of the ones I tried didn't have this working (Yes, I 
>> changed the https name as appropriate in the curl command).   However 
>> congratulations to keys.sflc.info --
>> 
>> curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: 
>> hkps.pool.sks-keyservers.net' 'https://keys.sflc.info/pks/lookup?op=stats'
>> 
>> results in perfectly good information.   How'd you guys do it?
> 
> yeah, what are they doing?  that's pretty weird.
> 
>       --dkg
> 
> _______________________________________________
> Sks-devel mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/sks-devel
> 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
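The test dkg describes, as an added example that is not part of the thread: a small Python probe that connects to your server's IP, presents the pool name in SNI, and sends the same name in the Host header, so you can check the hkps vhost without editing /etc/hosts. It also lets you reproduce the mismatched request that `curl -H 'Host: ...'` produces (SNI set to your own name, Host set to the pool name), which Apache rejects with AH02032. `probe`, `parse_status`, and the sample response bytes are my own constructions; the CA file path and the `/pks/lookup?op=stats` URL come from the thread.

```python
import socket
import ssl

POOL_NAME = "hkps.pool.sks-keyservers.net"
CA_PEM = "~/.gnupg/sks-keyservers.netCA.pem"   # path used in the thread


def parse_status(response: bytes):
    """Return (status_code, reason) from a raw HTTP/1.x response, or None if
    the status line is not well-formed. Only the status line is examined."""
    status_line, _, _ = response.partition(b"\r\n")
    parts = status_line.decode("iso-8859-1", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def probe(server_ip, sni_name, host_header, ca_pem=CA_PEM,
          path="/pks/lookup?op=stats", port=443, timeout=10.0):
    """Connect to server_ip, present sni_name during the TLS handshake, then
    send GET path with 'Host: host_header'. The certificate is verified against
    ca_pem and its names are checked against sni_name, exactly as curl does.
    Returns (status_code, reason) via parse_status."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    request = (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            tls.sendall(request)
            chunks = []
            while True:                 # read until the server closes
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_status(b"".join(chunks))


if __name__ == "__main__":
    import os, sys
    ip, own_name = sys.argv[1], sys.argv[2]   # e.g. 192.0.2.3 keyserver.example.net
    ca = os.path.expanduser(CA_PEM)
    # 1) what the broken curl command sends: SNI = own name, Host = pool name
    print("mismatched (expect 400):", probe(ip, own_name, POOL_NAME, ca))
    # 2) what a real pool client sends: SNI and Host both = pool name
    print("consistent (expect 200):", probe(ip, POOL_NAME, POOL_NAME, ca))
```

With a curl new enough to have `--resolve`, the consistent case is `curl --cacert ... --resolve hkps.pool.sks-keyservers.net:443:192.0.2.3 https://hkps.pool.sks-keyservers.net/pks/lookup?op=stats`, which pins the pool name to your IP for that one run instead of touching /etc/hosts.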

