2.0.20 breaks DNS SRV hkp keyserver access via web proxy server

John Marshall john.marshall at riverwillow.com.au
Mon Jun 10 12:33:14 CEST 2013

The "SNI" changes to gnupg's handling of DNS SRV keyserver records mean
that a client accessing an hkp keyserver via a web proxy server can no
longer contact the selected target keyserver.

In 2.0.19, the target host from the SRV list would be selected and the
HTTP query would be addressed to that target host domain.  In 2.0.20,
the target host is selected, its address looked up, a fake record
constructed comprising the SRV record owner's domain name (not the SRV
target's domain name) and the query is constructed using the SRV
record owner's domain as the host part.  Although not following the
intention of RFC2782, this works fine for a directly-connected client
because the IP address of the selected target is used.  However, in the
case of a client behind a web proxy, the fake (SRV RR owner) domain is
used as the hostname in the query and passed to the web proxy server.
If the SRV RR owner also has an A or AAAA record, that (rather than
whatever address was selected by gnupg) will be used by the proxy server
to contact what may or may not be a keyserver.  If there is no A record
in the SRV RR owner domain, the proxy server returns an error to gnupg.
Either way it's broken.

I am not a programmer and I don't speak C but I have made a little hack
to keyservers/gpgkeys_hkp.c to get us operational again.  This is
probably not the right thing to do, it obviously breaks the "SNI"
changes and I am not suggesting this as a fix but I can't help wondering
if the introduction of non-standard handling of SRV records ought to be
invoked via an option rather than as default behaviour.

Is anyone able to suggest a better/safer patch for us - or better still,
a proper solution to this problem that can be used as a patch in
downstream ports?

diff --git a/keyserver/gpgkeys_hkp.c b/keyserver/gpgkeys_hkp.c
index f0647d7..5a203b5 100644
--- a/keyserver/gpgkeys_hkp.c
+++ b/keyserver/gpgkeys_hkp.c
@@ -639,6 +639,9 @@ srv_replace(const char *srvtag,
              char *entry,*host;
+             free(opt->host);
+             opt->host=srvlist[srvindex].target;
              entry=malloc (strlen(opt->host)+1
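
Review bot: the added `opt->host=srvlist[srvindex].target;` stores a pointer into `srvlist` without copying it, right after `free(opt->host)` shows that `opt->host` is treated as heap memory owned by `opt`. Any later `free(opt->host)`, or any release of `srvlist` while `opt->host` is still in use, would then act on memory that `opt` does not own. Copy the name instead, for example `opt->host=strdup(srvlist[srvindex].target);`, and check the result for NULL before the `strlen(opt->host)` in the following `malloc` line. The change also applies the target name unconditionally; gating it on whether a proxy is configured would keep the owner-name behaviour for direct connections.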

Thank you for any help you may be able to provide and for all the work
that goes into providing this wonderful product.

John Marshall
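
The failure described in the message above, modelled as an added example that is not part of the original post and is not GnuPG code. The DNS names, addresses, the `host_policy` labels and all function names are constructed for illustration; the two policies stand for the 2.0.19 and 2.0.20 behaviour as the message describes them.

```python
# Constructed DNS data: every name and address here is illustrative.
SRV = {"_hkp._tcp.keys.example.net": ("ks1.example.net", 11371)}  # owner -> target
A_WITH_OWNER = {"ks1.example.net": "192.0.2.10",      # the real keyserver
                "keys.example.net": "198.51.100.80"}  # owner has its own A record
A_NO_OWNER = {"ks1.example.net": "192.0.2.10"}        # owner has no A/AAAA record


def plan(owner, host_policy, a_records):
    """Pick the SRV target; return (host named in the HTTP request, port, target IP).

    host_policy "srv-target" models the 2.0.19 behaviour described in the message,
    "srv-owner" the 2.0.20 behaviour.
    """
    target, port = SRV["_hkp._tcp." + owner]
    request_host = target if host_policy == "srv-target" else owner
    return request_host, port, a_records[target]


def proxy_request_line(owner, host_policy, a_records):
    """Absolute-URI request line a proxied client sends; the proxy sees only this."""
    host, port, _ = plan(owner, host_policy, a_records)
    return f"GET http://{host}:{port}/pks/lookup?op=index&search=alice HTTP/1.0"


def reached(owner, host_policy, via_proxy, a_records):
    """IP that ends up serving the request, or None when the proxy cannot resolve."""
    host, _, target_ip = plan(owner, host_policy, a_records)
    if not via_proxy:
        return target_ip          # client connects to the address it selected
    return a_records.get(host)    # proxy resolves the request host on its own


if __name__ == "__main__":
    for policy in ("srv-target", "srv-owner"):
        for label, recs in (("owner has A", A_WITH_OWNER), ("owner has no A", A_NO_OWNER)):
            for via_proxy in (False, True):
                print(policy, label, "proxy" if via_proxy else "direct",
                      reached("keys.example.net", policy, via_proxy, recs))
```

Only the `srv-owner` policy combined with a proxy diverges: the request reaches the owner's own address when one exists, and nothing at all when it does not.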