HKP keyservers over SSL
dshaw at jabberwocky.com
Thu Mar 12 14:10:58 CET 2009
A few weeks ago, I added support for SSL to the HKP keyserver handler
(gpg(2)keys_hkp) to help test some new keyserver work that is going
on. (Though "Added" is a bit of a strong term - it's really just 4-5
lines of code to tell libcurl to accept SSL.) Anyway, Werner pointed
out that we may want to do something more than that. After all, gpgsm
manipulates X.509 certificates for lunch.
So, let's talk about it a bit: How can we do something smart here,
design-wise? It would be nice to also support client auth, and not
just the standard server validation SSL test.
Plumbing-wise, this may be a bit tricky. libcurl itself isn't really
built to take certificates from anything other than a file. It
supports multiple SSL engines (OpenSSL, NSS, GnuTLS) and the
"certificate from a file" concept is universal. My understanding is
that there is a way to manipulate the SSL connection (including
specifying certificates), but that is OpenSSL specific and wouldn't
work with one of the other backends.
More information about the Gnupg-devel