HKP keyservers over SSL

David Shaw dshaw at
Thu Mar 12 14:10:58 CET 2009

A few weeks ago, I added support for SSL to the HKP keyserver handler  
(gpg(2)keys_hkp) to help test some new keyserver work that is going  
on.  (Though "Added" is a bit of a strong term - it's really just 4-5  
lines of code to tell libcurl to accept SSL.)  Anyway, Werner pointed  
out that we may want to do something more than that.  After all, gpgsm  
manipulates X.509 certificates for lunch.

So, let's talk about it a bit:  How can we do something smart here,  
design-wise?  It would be nice to also support client auth, and not  
just the standard server validation SSL test.

Plumbing-wise, this may be a bit tricky.  libcurl itself isn't really  
built to take certificates from anything other than a file.  It  
supports multiple SSL engines (OpenSSL, NSS, GnuTLS) and the  
"certificate from a file" concept is universal.   My understanding is  
that there is a way to manipulate the SSL connection (including  
specifying certificates), but that is OpenSSL specific and wouldn't  
work with one of the other backends.


More information about the Gnupg-devel mailing list