SOCKS4A/SOCKS5 proxy support?

Jacob Appelbaum jacob at appelbaum.net
Tue Sep 25 01:45:27 CEST 2012


Hans-Christoph Steiner:
> FYI, the gnupg-for-android port already includes libcurl 7.23, so this
> support should be included already.
> 

I did some more testing and with a local HTTP proxy and I still see DNS
SRV requests. I didn't build gpg with './configure --disable-dns-srv'
though. I tried to tell it to stop looking things up with 'gpg
--no-auto-key-locate' but that didn't seem to do the trick.

The seemingly undocumented 'no-try-dns-srv' keyserver option did the trick:

e.g.:

  gpg --keyserver-options no-try-dns-srv,http-proxy=http://127.0.0.1:8119,debug,verbose --search jacob at appelbaum.net

I'm using packages for these tests. If you are building GnuPG and plan
on using it with Tor over SOCKS or HTTP, I guess you'd want to cripple
any chance of a stray DNS packet leaking out:

./configure \
--disable-dns-cert \
--disable-dns-pka \
--disable-dns-srv

If you don't want to disable those at run time, I guess 'no-try-dns-srv'
should also work.

I checked and the table for Mac OS X and SOCKS proxy support is quite bleak:

Mac OS X 10.8.x - curl 7.24.0
Mac OS X 10.7.4 - curl 7.21.4
Mac OS X 10.6 - curl 7.19.0
Mac OS X 10.5 - curl 7.16.2
Mac OS X 10.4 (intel) - curl 7.13.0

I think that means that other than on Mac OS X 10.8.x, gpg won't be able
to use SOCKS at all. My version numbers might be a bit off as I had to
compile that table from man pages (whee!) on Apple's developer site.

If curl isn't used on Windows (?) and the win32 builds aren't supporting
proxies, I guess the problem is the same. Does anyone have an idea about
proxy support on Windows? Is there anything at all?

The rest of the GNU/Linux and BSD operating systems will probably leak
DNS depending on build options. The vanilla configure will leak DNS
requests by default. In theory this is a good thing but in practice Tor
users and other proxy users will want to use 'no-try-dns-srv' I think.

As a side note - 'no-try-dns-srv' makes gpg go a lot faster - even over Tor!

All the best,
Jake
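The SOCKS4 / SOCKS4A / SOCKS5 distinction behind this thread, as an added illustration that is not part of Jake's mail, of GnuPG or of libcurl: SOCKS4 only has room for an IPv4 address, so a client that speaks it has to resolve the keyserver name itself before it can even open the proxy connection, and that lookup is exactly the kind of stray DNS packet the configure flags above are meant to prevent. SOCKS4A and SOCKS5 (ATYP=3) carry the hostname to the proxy instead, and Tor resolves it on the far side. The hostnames and ports are constructed sample input. Note that this only covers the name of the keyserver itself; the SRV lookup Jake observed happens before any proxy is consulted, which is why `no-try-dns-srv` is still needed on top of a proxy that does remote resolution.

```python
"""SOCKS4 vs SOCKS4A vs SOCKS5 CONNECT requests and where the DNS lookup
happens.  Added illustration for this thread; not GnuPG's or libcurl's code.
Hostnames, ports and replies below are constructed sample input."""
import socket
import struct

SOCKS4_CONNECT = 1
SOCKS5_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
    The wire format only has room for an IPv4 address, so the client must
    resolve the hostname itself before talking to the proxy: that lookup
    goes out over the client's normal resolver, i.e. it is the DNS leak."""
    return (struct.pack("!BBH", 4, SOCKS4_CONNECT, port)
            + socket.inet_aton(ip) + userid + b"\x00")


def socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4A extension: DSTIP is 0.0.0.x (x != 0) and the hostname follows
    the USERID, NUL-terminated.  The proxy (e.g. Tor) resolves the name."""
    return (struct.pack("!BBH", 4, SOCKS4_CONNECT, port)
            + b"\x00\x00\x00\x01" + userid + b"\x00"
            + host.encode("idna") + b"\x00")


def socks5_greeting() -> bytes:
    """SOCKS5 method negotiation: version 5, one method offered, 0 = no auth."""
    return b"\x05\x01\x00"


def socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=3 (domain name): the name is sent to the
    proxy as a length-prefixed string, so no local resolution is needed."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 ATYP=3")
    return (struct.pack("!BBBBB", 5, SOCKS5_CONNECT, 0, ATYP_DOMAIN, len(name))
            + name + struct.pack("!H", port))


def resolves_locally(request: bytes) -> bool:
    """True when the request can only carry a numeric address, i.e. the
    client had to do a DNS lookup outside the proxy in order to build it."""
    ver = request[0]
    if ver == 5:
        return request[3] != ATYP_DOMAIN
    if ver == 4:
        dstip = request[4:8]
        is_4a = dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0
        return not is_4a
    raise ValueError("not a SOCKS request")


def parse_socks5_reply(reply: bytes) -> tuple:
    """Decode the proxy's reply: VER, REP (0 = succeeded), RSV, ATYP,
    BND.ADDR, BND.PORT.  Returns (succeeded, bound_address, bound_port)."""
    if len(reply) < 4 or reply[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = reply[1], reply[3]
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntoa(reply[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = reply[4]
        addr, off = reply[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, off = socket.inet_ntop(socket.AF_INET6, reply[4:20]), 20
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    (port,) = struct.unpack("!H", reply[off:off + 2])
    return rep == 0, addr, port


if __name__ == "__main__":
    for label, req in (("SOCKS4", socks4_connect("192.0.2.10", 11371)),
                       ("SOCKS4A", socks4a_connect("keys.example.org", 11371)),
                       ("SOCKS5", socks5_connect("keys.example.org", 11371))):
        print(label, "client resolves name locally:", resolves_locally(req))
```

Sending these bytes to a Tor SOCKS port is the part a real client does; the point here is only that the first request cannot be built without a local DNS lookup while the other two can, which is what "SOCKS4A/SOCKS5 support" buys a Tor user over plain SOCKS4.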
