SOCKS4A/SOCKS5 proxy support?

Jacob Appelbaum jacob at
Mon Sep 24 22:37:03 CEST 2012

David Shaw:
> On Sep 24, 2012, at 3:22 PM, Jacob Appelbaum wrote:
>> David Shaw:
>>> On Sep 24, 2012, at 6:11 AM, Werner Koch wrote:
>>>> On Mon, 24 Sep 2012 01:43, jacob at said:
>>>>> Are there any plans to add support to gpg for SOCKS5? Would such
>>>>> a thing be a welcome patch?
>>>> Does Curl support SOCKS?  Then GnuPG should benefit from it
>>>> directly. Well unless you are talking about Windows, where we don't
>>>> build with Curl support.
>>> If your curl is recent enough (7.21.7 and later), then you can set
>>> the proxy to something like "socks5://"
>>> and it should do the right thing.
>> That is great news.
>> I guess we'd want a way to set the SOCKS proxy in GnuPG and then
>> properly set the SOCKS argument in the curl library usage. If that was
>> done, I guess we'd have SOCKS support on all platforms other than
>> Windows - which I think is a reasonable start.
>> Is there anything I should consider before getting started on a patch?
> You shouldn't need to patch anything.  Try this in your gpg.conf file:

I'd like to make sure that there is an option to specifically set a
SOCKS5 proxy and have things fail closed if it doesn't work as expected.

>   keyserver-options http-proxy=socks5://your-proxy-here
> Or on the command line:
>   gpg --keyserver-options http-proxy=socks5://your-proxy-here
> Or just set the "http_proxy" environment variable.

I did try the above ( ) and
found that it wasn't working. The output is in that ticket.

Looking at my gpg I see that Ubuntu's build doesn't link against curl (?):

ldd /usr/bin/gpg
	=>  (0x00007fff80391000)
	=> /lib/x86_64-linux-gnu/ (0x00007f33f4c6f000)
	=> /lib/x86_64-linux-gnu/ (0x00007f33f4a57000)
	=> /lib/ (0x00007f33f4846000)
	=> /lib/ (0x00007f33f4604000)
	=> /lib/x86_64-linux-gnu/ (0x00007f33f4400000)
	=> /lib/ (0x00007f33f41f6000)
	=> /lib/x86_64-linux-gnu/ (0x00007f33f3e61000)
	=> /lib/ (0x00007f33f3c1d000)
	/lib64/ (0x00007f33f4eb3000)

I find this confusing as ltrace over gpg says something about
"malloc(gpgkeys: curl version = GnuPG curl-shim" which clearly is from
/usr/lib/gnupg/gpgkeys_hkp - That also appears to be without libcurl:

/usr/lib/gnupg/gpgkeys_hkp --version
gpgkeys_hkp (GnuPG) 1.4.11
Uses: GnuPG curl-shim

ldd /usr/lib/gnupg/gpgkeys_hkp
	=>  (0x00007fff511ff000)
	=> /lib/x86_64-linux-gnu/ (0x00007f1afa0b8000)
	=> /lib/x86_64-linux-gnu/ (0x00007f1af9d23000)
	/lib64/ (0x00007f1afa2fc000)

The same is true for gpgkeys_curl
ldd gpgkeys_curl
	=>  (0x00007fff277ff000)
	=> /lib/x86_64-linux-gnu/ (0x00007fe322b55000)
	=> /lib/x86_64-linux-gnu/ (0x00007fe3227c0000)
	/lib64/ (0x00007fe322d99000)

It does appear that gpg2 links against but it
doesn't work as expected either:

gpg2 --keyserver-options
http-proxy=socks5://,debug,verbose --search
jacob at
gpg: searching for "jacob at" from hkp server
gpgkeys: curl version = libcurl/7.21.3 GnuTLS/2.8.6 zlib/ libidn/1.18
gpgkeys: search type is 0, and key is "jacob at"
* About to connect() to proxy port 9050 (#0)
*   Trying * connected
* Connected to ( port 9050 (#0)
Accept: */*
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache

* HTTP 1.0, assume close after body
< HTTP/1.0 501 Tor is not an HTTP Proxy
< Content-Type: text/html; charset=iso-8859-1
* Closing connection #0
gpg: key "jacob at" not found on keyserver

All the best,
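
The thread gives two things a wrapper can check before trusting a `socks5://` proxy string: the curl version threshold (7.21.7 and later) and the backend banner the keyserver helper prints. The shell functions below are an added example, not part of the original message or of GnuPG; the function names are hypothetical, and treating `curl-shim` and unrecognised banners as unusable is this example's assumption so that the check fails closed.

```shell
#!/bin/sh
# Added example: fail closed unless the keyserver helper's HTTP backend is a
# libcurl recent enough to understand a socks5:// proxy string.

MIN_CURL="7.21.7"   # threshold quoted in the thread

# version_ge A B -> status 0 when dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# socks_proxy_usable BANNER -> status 0 only when BANNER (for example the
# "curl version = ..." debug line or the helper's --version output) names
# libcurl >= MIN_CURL. curl-shim and banners without a libcurl version are
# rejected (assumption of this example: unknown means unsafe).
socks_proxy_usable() {
    case $1 in
        *curl-shim*) return 1 ;;
    esac
    ver=$(printf '%s\n' "$1" | sed -n 's,.*libcurl/\([0-9][0-9.]*\).*,\1,p')
    [ -n "$ver" ] || return 1
    version_ge "$ver" "$MIN_CURL"
}

# proxy_option BANNER PROXY -> print the keyserver option for gpg, or refuse.
# The caller must abort on a non-zero status instead of retrying without a proxy.
proxy_option() {
    if socks_proxy_usable "$1"; then
        printf 'http-proxy=%s\n' "$2"
    else
        echo "refusing keyserver access: backend cannot be trusted with SOCKS: $1" >&2
        return 1
    fi
}

# Intended use (not executed here):
#   opt=$(proxy_option "$(/usr/lib/gnupg/gpgkeys_hkp --version)" \
#         "socks5://your-proxy-here") || exit 1
#   gpg --keyserver-options "$opt" --search ...
```

Fed the two banners shown in the message (`libcurl/7.21.3 ...` and `GnuPG curl-shim`), `proxy_option` returns non-zero and prints nothing on stdout, so no keyserver request is attempted.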
