SOCKS4A/SOCKS5 proxy support?

Jacob Appelbaum jacob at appelbaum.net
Mon Sep 24 22:37:03 CEST 2012


David Shaw:
> On Sep 24, 2012, at 3:22 PM, Jacob Appelbaum wrote:
> 
>> David Shaw:
>>> On Sep 24, 2012, at 6:11 AM, Werner Koch wrote:
>>>
>>>> On Mon, 24 Sep 2012 01:43, jacob at appelbaum.net said:
>>>>
>>>>> Are there any plans to add support to gpg for SOCKS5? Would such
>>>>> a thing be a welcome patch?
>>>>
>>>> Does Curl support SOCKS?  Then GnuPG should benefit from it
>>>> directly. Well, unless you are talking about Windows, where we don't
>>>> build with Curl support.
>>>
>>> If your curl is recent enough (7.21.7 and later), then you can set
>>> the proxy to something like "socks5://your-proxy-here.example.com"
>>> and it should do the right thing.
>>>
>>
>> That is great news.
>>
>> I guess we'd want a way to set the SOCKS proxy in GnuPG and then
>> properly set the SOCKS argument in the curl library usage. If that was
>> done, I guess we'd have SOCKS support on all platforms other than
>> Windows - which I think is a reasonable start.
>>
>> Is there anything I should consider before getting started on a patch?
> 
> You shouldn't need to patch anything.  Try this in your gpg.conf file:
> 


I'd like to make sure that there is an option to specifically set a
SOCKS5 proxy and have things fail closed if it doesn't work as expected.


>   keyserver-options http-proxy=socks5://your-proxy-here
> 
> Or on the command line:
> 
>   gpg --keyserver-options http-proxy=socks5://your-proxy-here
> 
> Or just set the "http_proxy" environment variable.
> 

I did try the above (https://trac.torproject.org/projects/tor/ticket/6940#comment:26)
and found that it wasn't working. The output is in that ticket.

Looking at my gpg I see that Ubuntu's build doesn't link against curl (?):

ldd /usr/bin/gpg
	linux-vdso.so.1 =>  (0x00007fff80391000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f33f4c6f000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f33f4a57000)
	libbz2.so.1.0 => /lib/libbz2.so.1.0 (0x00007f33f4846000)
	libreadline.so.6 => /lib/libreadline.so.6 (0x00007f33f4604000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f33f4400000)
	libusb-0.1.so.4 => /lib/libusb-0.1.so.4 (0x00007f33f41f6000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f33f3e61000)
	libncurses.so.5 => /lib/libncurses.so.5 (0x00007f33f3c1d000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f33f4eb3000)

I find this confusing, as ltrace over gpg says something about
"malloc(gpgkeys: curl version = GnuPG curl-shim", which clearly is from
/usr/lib/gnupg/gpgkeys_hkp. That also appears to be without libcurl:

/usr/lib/gnupg/gpgkeys_hkp --version
gpgkeys_hkp (GnuPG) 1.4.11
Uses: GnuPG curl-shim

ldd /usr/lib/gnupg/gpgkeys_hkp
	linux-vdso.so.1 =>  (0x00007fff511ff000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f1afa0b8000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1af9d23000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1afa2fc000)

The same is true for gpgkeys_curl:

ldd gpgkeys_curl
	linux-vdso.so.1 =>  (0x00007fff277ff000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fe322b55000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe3227c0000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fe322d99000)

It does appear that gpg2 links against libcurl-gnutls.so.4 but it
doesn't work as expected either:

gpg2 --keyserver-options http-proxy=socks5://127.0.0.1:9050,debug,verbose --search jacob at appelbaum.net
gpg: searching for "jacob at appelbaum.net" from hkp server pool.sks-keyservers.net
gpgkeys: curl version = libcurl/7.21.3 GnuTLS/2.8.6 zlib/1.2.3.4 libidn/1.18
gpgkeys: search type is 0, and key is "jacob at appelbaum.net"
* About to connect() to proxy 127.0.0.1 port 9050 (#0)
*   Trying 127.0.0.1... * connected
* Connected to 127.0.0.1 (127.0.0.1) port 9050 (#0)
> GET http://pool.sks-keyservers.net:11371/pks/lookup?op=index&options=mr&search=jacob%40appelbaum.net HTTP/1.1
Host: pool.sks-keyservers.net:11371
Accept: */*
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache

* HTTP 1.0, assume close after body
< HTTP/1.0 501 Tor is not an HTTP Proxy
< Content-Type: text/html; charset=iso-8859-1
<
* Closing connection #0
gpg: key "jacob at appelbaum.net" not found on keyserver

All the best,
Jake

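The following is an added example and is not code from GnuPG, curl or Tor. It reproduces over loopback what the transcript above shows: a libcurl older than 7.21.7 (the release David Shaw names as the first to understand the socks5:// scheme) does not recognise http-proxy=socks5://127.0.0.1:9050 as SOCKS, treats the address as an HTTP proxy, and sends a plain "GET http://... HTTP/1.1" to Tor's SOCKS port, which answers "HTTP/1.0 501 Tor is not an HTTP Proxy". Beside that, it shows a SOCKS5 CONNECT (RFC 1928, no authentication) written to fail closed: any byte that is not what a SOCKS5 server would send aborts the attempt, and there is no fallback to a direct connection, which is the behaviour asked for above. The mock SOCKS port is constructed for this example and imitates only the 501 and a no-auth CONNECT; it is not Tor. The 501 status line, the libcurl version string and the keyserver host and port are taken from the transcript; the version threshold check, demo() and the "tunnel to ..." receipt are the example's own.

```python
# Added example, not GnuPG/curl/Tor code: the failure in the transcript above, reproduced
# over loopback, beside a fail-closed SOCKS5 CONNECT. The mock SOCKS port is constructed here.
import socket
import struct
import threading

# First libcurl that parses socks5:// in a proxy URL (David Shaw, above). Older builds
# treat the proxy as an HTTP proxy, which is what produced the 501 in the transcript.
MIN_CURL_FOR_SOCKS_SCHEME = (7, 21, 7)
HTTP_501 = (b"HTTP/1.0 501 Tor is not an HTTP Proxy\r\n"
            b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n")

def curl_accepts_socks5_scheme(banner):
    """Parse 'libcurl/7.21.3 ...' out of a gpgkeys banner; False means http-proxy=socks5://
    will silently be spoken to as an HTTP proxy."""
    ver = [t for t in banner.split() if t.startswith("libcurl/")][0][len("libcurl/"):]
    return tuple(int(p) for p in ver.split(".")) >= MIN_CURL_FOR_SOCKS_SCHEME

class SocksAbort(Exception):
    """Any deviation from SOCKS5 aborts; there is deliberately no direct-connect fallback."""

def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise SocksAbort("peer closed the connection early")
        buf += chunk
    return buf

def _recv_until_close(s):
    return b"".join(iter(lambda: s.recv(4096), b""))

def socks5_connect(proxy_addr, host, port):
    """TCP to proxy_addr, then SOCKS5 CONNECT (RFC 1928, no auth) to host:port. The hostname
    is sent as-is so the proxy, not the local resolver, does DNS. Returns the tunnelled
    socket or raises SocksAbort; never connects to host directly."""
    s = socket.create_connection(proxy_addr, timeout=5)
    try:
        s.sendall(b"\x05\x01\x00")                        # VER, NMETHODS, METHODS=[NO AUTH]
        if _recv_exact(s, 2) != b"\x05\x00":
            raise SocksAbort("not a SOCKS5 server, or no-auth refused")
        h = host.encode("idna")
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if ver != 5 or rep != 0:
            raise SocksAbort("CONNECT refused, REP=0x%02x" % rep)
        bnd_len = {1: 4, 4: 16}.get(atyp) or (_recv_exact(s, 1)[0] if atyp == 3 else None)
        if bnd_len is None:
            raise SocksAbort("bad ATYP 0x%02x" % atyp)
        _recv_exact(s, bnd_len + 2)                       # discard BND.ADDR and BND.PORT
        return s
    except Exception:
        s.close()
        raise

def mock_socks_port(srv, clients):
    """Loopback stand-in for Tor's SOCKS port: a SOCKS5 client gets a CONNECT reply and a
    receipt naming the target; anything else gets the 501 seen in the transcript."""
    for _ in range(clients):
        c, _ = srv.accept()
        with c:
            if _recv_exact(c, 1) != b"\x05":
                c.recv(4096)                              # swallow the rest of the HTTP request
                c.sendall(HTTP_501)
                continue
            _recv_exact(c, _recv_exact(c, 1)[0])          # NMETHODS, then the METHODS list
            c.sendall(b"\x05\x00")                        # accept NO AUTH
            _recv_exact(c, 4)                             # VER CMD RSV ATYP (domain assumed)
            host = _recv_exact(c, _recv_exact(c, 1)[0])
            port = struct.unpack("!H", _recv_exact(c, 2))[0]
            c.sendall(b"\x05\x00\x00\x01" + bytes(6))     # succeeded, BND.ADDR 0.0.0.0:0
            c.sendall(b"tunnel to %s:%d" % (host, port))
    srv.close()

def old_curl_behaviour(proxy_addr):
    """What libcurl 7.21.3 did above: an HTTP proxy request to the SOCKS port; returns the status line."""
    with socket.create_connection(proxy_addr, timeout=5) as s:
        s.sendall(b"GET http://pool.sks-keyservers.net:11371/pks/lookup?op=index&options=mr"
                  b"&search=jacob%40appelbaum.net HTTP/1.1\r\nHost: pool.sks-keyservers.net:11371\r\n"
                  b"Proxy-Connection: Keep-Alive\r\n\r\n")
        return _recv_until_close(s).split(b"\r\n", 1)[0].decode("ascii")

def demo():
    """Run both clients against the mock. Returns (http_status_line, socks_receipt)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)
    addr = srv.getsockname()
    t = threading.Thread(target=mock_socks_port, args=(srv, 2), daemon=True)
    t.start()
    status = old_curl_behaviour(addr)
    with socks5_connect(addr, "pool.sks-keyservers.net", 11371) as tunnel:
        receipt = _recv_until_close(tunnel).decode("ascii")
    t.join(5)
    return status, receipt
```

demo() returns the 501 status line for the HTTP-style request and a receipt naming pool.sks-keyservers.net:11371 for the SOCKS5 CONNECT. Feeding the "gpgkeys: curl version = ..." banner from a debug run to curl_accepts_socks5_scheme() tells you up front whether the socks5:// setting can work at all; on a build like Ubuntu's gpg 1.4.11 above, where gpgkeys_hkp reports "Uses: GnuPG curl-shim" (GnuPG's own minimal HTTP client rather than libcurl), there is no libcurl banner and therefore no SOCKS support to configure.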