HKP keyservers over SSL

David Shaw dshaw at jabberwocky.com
Thu Apr 2 04:42:36 CEST 2009 

On Mar 31, 2009, at 5:53 PM, Phil Pennock wrote:

> On 2009-03-12 at 09:10 -0400, David Shaw wrote:
>> A few weeks ago, I added support for SSL to the HKP keyserver handler
>> (gpg(2)keys_hkp) to help test some new keyserver work that is going
>> on.  (Though "Added" is a bit of a strong term - it's really just 4-5
>> lines of code to tell libcurl to accept SSL.)  Anyway, Werner pointed
>> out that we may want to do something more than that.  After all,  
>> gpgsm
>> manipulates X.509 certificates for lunch.
>>
>> So, let's talk about it a bit:  How can we do something smart here,
>> design-wise?  It would be nice to also support client auth, and not
>> just the standard server validation SSL test.
>
> David, some questions/suggestions if I may?
>
> I see from the URL which you posted to sks-devel:
>  http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
> that you're using:
>  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt- 
> >flags.check_cert);
>
> How is this expected to interact with keyserver pools?  Should every
> server know every pool which $random_people construct and include it  
> in
> subjectAltName?  How about certificate validation for that case?

It's an interesting question.  To a certain degree, this isn't GnuPG's  
problem.  If the server presents a certificate where neither the  
common name or the subject alternate name match the name used to  
connect, the connection should (and will) fail.  Curl handles all that  
for us automatically.

Managing those certificates is, as you point out, fairly ugly from the  
server operator's point of view...

> If instead we can establish that from day 1, hkps clients *will* use  
> SNI
> then we can then just leave it to the PGP keyservers to develop nice
> admin interfaces for managing the collections of certs which a given
> keyserver will use.

I'm not against this, but there are a few practical caveats.  Libcurl  
added SNI support around a year ago in 7.18.1 (assuming of course   
that the backend crypto library supports it).  A year isn't very long  
at all, so there are loads of libcurl installations that don't yet  
have the proper version of libcurl (and/or openssl, etc).  On those  
systems, we (meaning libcurl, really) can only do common name and  
subject alternate name checks.  The three systems I just checked had  
libcurl 7.16.3 (no SNI), 7.19.4 (SNI), and 7.15.5 (no SNI).  That does  
not bode well for quick adoption.

By all means, have the servers provide the right info though.  The  
clients will eventually catch up.   This doesn't require any code  
change to GPG - if libcurl supports SNI, then GPG does too.  If GPG  
doesn't support SNI, and the server presents the wrong certificate,  
the request will fail.  No real harm, since that is what would have  
happened anyway if the server didn't support SNI.

Having said all that, I'm not sure if all this peer validation isn't a  
bit of overkill.  My main desire for hkps is that the data on the wire  
is encrypted to avoid casual snooping, and you don't need any peer  
validation for that.

Anyway, I might feel differently if it required a major code  
commitment in GPG, but as things stand now, if the keyserver operators  
want to band together and make sure their servers have a particular  
cert setup and make the proper cainfo data available for clients who  
want to use it, why not?

David

More information about the Gnupg-devel mailing list