HKP keyservers over SSL
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Mar 12 20:14:18 CET 2009
> A few weeks ago, I added support for SSL to the HKP keyserver handler
> (gpg(2)keys_hkp) to help test some new keyserver work that is going
> on. (Though "Added" is a bit of a strong term - it's really just 4-5
> lines of code to tell libcurl to accept SSL.) Anyway, Werner pointed
> out that we may want to do something more than that. After all, gpgsm
> manipulates X.509 certificates for lunch.
There is also RFC 5081, which implements the use of OpenPGP certificates
for TLS authentication. If there's a better place for rollout of that
standard than OpenPGP keyserver queries, it doesn't spring immediately
> So, let's talk about it a bit: How can we do something smart here,
> design-wise? It would be nice to also support client auth, and not
> just the standard server validation SSL test.
We can support client authentication with additional curl arguments as
well, via CURLOPT_SSLCERT and CURLOPT_SSLKEY. It'd be preferable to
pass something like a named pipe to the latter argument before feeding
it the key, to avoid writing the key to the filesystem.
> Plumbing-wise, this may be a bit tricky. libcurl itself isn't really
> built to take certificates from anything other than a file. It
> supports multiple SSL engines (OpenSSL, NSS, GnuTLS) and the
> "certificate from a file" concept is universal.
I don't see any significant problem with writing certificates to a
temporary file for this purpose, actually (i suppose there is the
potential cleanup hassle in weird corner-case failures). Writing keys
to a file seems more problematic, though.
> My understanding is
> that there is a way to manipulate the SSL connection (including
> specifying certificates), but that is OpenSSL specific and wouldn't
> work with one of the other backends.
We're already specifying certificates via --keyserver-options
ca-cert-file, and that works with the gnutls backend, fwiw.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 890 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-devel